xploitscan-shared-rules 1.0.0 → 1.2.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 VibeCheck
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/dist/index.cjs

@@ -158,6 +158,7 @@ __export(index_exports, {
   regexDos: () => regexDos,
   runCustomRules: () => runCustomRules,
   s3BucketNoEncryption: () => s3BucketNoEncryption,
+  scanEntropy: () => scanEntropy,
   secretInBundleConfig: () => secretInBundleConfig,
   secretInCLIArgument: () => secretInCLIArgument,
   secretInErrorResponse: () => secretInErrorResponse,
@@ -471,26 +472,42 @@ var sqlInjection = {
   description: "String concatenation or template literals in SQL queries allow attackers to execute arbitrary database commands.",
   check(content, filePath) {
     const patterns = [
-      // Template literals in SQL
-      /(?:query|execute|raw|sql)\s*\(\s*`[^`]*\$\{/gi,
-      // String concatenation in SQL
-      /(?:query|execute)\s*\(\s*["'][^"']*["']\s*\+/gi,
-      // Direct variable interpolation
+      // Template literal passed as first arg to query/execute/raw/sql/
+      // queryRaw/queryRawUnsafe/execute. Examples that SHOULD fire:
+      //   db.query(`SELECT ... ${x}`)
+      //   prisma.$queryRawUnsafe(`... ${x}`)
+      //   knex.raw(`... ${x}`)
+      /(?:query|execute|raw|sql|queryRaw|queryRawUnsafe|executeRaw|executeRawUnsafe)\s*\(\s*`[^`]*\$\{/gi,
+      // String concatenation in SQL — now includes raw() and sql() and
+      // Drizzle's sql.raw() / Prisma's $queryRawUnsafe() variants. Previous
+      // version only covered query()/execute() and missed knex.raw("..." + x).
+      //
+      // The string literal part uses a proper "quoted string" regex that
+      // allows the opposite quote type inside (common in SQL — "WHERE x = 'a'").
+      // The older `[^"']*` class bailed out at the first inner quote and
+      // missed every realistic SQL-containing concat.
+      /(?:query|execute|raw|sql|queryRaw|queryRawUnsafe|executeRaw|executeRawUnsafe)\s*\(\s*(?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')\s*\+/gi,
+      // Direct variable interpolation in a SQL verb context
       /(?:SELECT|INSERT|UPDATE|DELETE|WHERE)\s+.*\$\{(?!.*parameterized)/gi
     ];
     const matches = [];
     const usesParams = /\?\s*,|\$\d+|:[\w]+|\bprepare\b|\bplaceholder\b/i.test(content);
     if (usesParams) return [];
     for (const pattern of patterns) {
-      matches.push(
-        ...findMatches(
-          content,
-          pattern,
-          sqlInjection,
-          filePath,
-          () => "Use parameterized queries or prepared statements instead of string interpolation. Example: db.query('SELECT * FROM users WHERE id = ?', [userId])"
-        )
+      const raw = findMatches(
+        content,
+        pattern,
+        sqlInjection,
+        filePath,
+        () => "Use parameterized queries or prepared statements instead of string interpolation. Example: db.query('SELECT * FROM users WHERE id = ?', [userId])"
       );
+      for (const m of raw) {
+        const lineText = content.split("\n")[m.line - 1] || "";
+        if (/\bPrisma\.sql\s*`/.test(lineText)) continue;
+        if (/\bsql\s*`/.test(lineText) && !/\bsql\.raw\s*\(/.test(lineText)) continue;
+        if (/\$queryRaw\s*\(\s*Prisma\.sql|\$executeRaw\s*\(\s*Prisma\.sql/.test(lineText)) continue;
+        matches.push(m);
+      }
     }
     return matches;
   }
@@ -3031,13 +3048,22 @@ var commandInjection = {
       // Node.js — require standalone exec/execSync, not db.exec() or conn.exec()
       /(?<![.\w])(?:exec|execSync)\s*\(\s*(?:`[^`]*\$\{|["'][^"']*\+\s*(?:req\.|body\.|input|params|args|user))/gi,
       /child_process.*exec\s*\(\s*(?!["'`])/g,
+      // spawn / execFile / exec with shell: true AND a template literal
+      // first arg. `shell: true` converts the first argument into a string
+      // passed to `/bin/sh -c`, so any ${} interpolation is a shell injection
+      // opportunity. Without shell: true, spawn/execFile are safe because
+      // the command and args are kept separate. Previously this class of
+      // bug was missed — the "hasSafe" skip below assumed any spawn in the
+      // file was fine, which is the opposite of true with shell: true.
+      /(?<![.\w])(?:spawn|spawnSync|execFile|execFileSync|exec|execSync)\s*\(\s*`[^`]*\$\{[\s\S]*?shell\s*:\s*(?:true|["'][^"']+["'])/gi,
       // Python
       /os\.system\s*\(\s*(?!["'`].*["'`]\s*\))/g,
       /subprocess\.(?:call|run|Popen)\s*\([^)]*shell\s*=\s*True/gi,
       // Ruby
       /system\s*\(\s*["'].*#\{/g
     ];
-    const hasSafe = /execFile|spawn|escapeshellarg|shlex\.quote|shellEscape/i.test(content);
+    const hasShellTrue = /shell\s*:\s*(?:true|["'][^"']+["'])/i.test(content);
+    const hasSafe = !hasShellTrue && /execFile|spawn|escapeshellarg|shlex\.quote|shellEscape/i.test(content);
     if (hasSafe) return [];
     for (const p of patterns) {
       const raw = findMatches(
@@ -4538,7 +4564,7 @@ var hardcodedSupabaseServiceRole = {
     if (isTestFile(filePath)) return [];
     if (!SECRET_FILE_EXT.test(filePath)) return [];
     if (LOCK_FILE_RE.test(filePath)) return [];
-    const pattern = /(?:service[_-]?role[_-]?key|SUPABASE_SERVICE_ROLE_KEY|supabaseServiceRole)\s*[:=]\s*["'`](eyJ[A-Za-z0-9_\-]{50,})["'`]/gi;
+    const pattern = /(?:service[_-]?role[_-]?key|SUPABASE_SERVICE_ROLE_KEY|supabaseServiceRole)\s*[:=]\s*["'`](eyJ[A-Za-z0-9_\-.]{50,})["'`]/gi;
     const findings = [];
     let m;
     while ((m = pattern.exec(content)) !== null) {
@@ -5424,6 +5450,163 @@ async function filterFalsePositives(findings, fileContents) {
     totalBefore
   };
 }
+
+// src/entropy-scanner.ts
+function shannonEntropy(str) {
+  const freq = {};
+  for (const ch of str) {
+    freq[ch] = (freq[ch] || 0) + 1;
+  }
+  const len = str.length;
+  let entropy = 0;
+  for (const count of Object.values(freq)) {
+    const p = count / len;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
+var SAFE_PATTERNS = [
+  // UUIDs (v1-v5)
+  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,
+  // Git commit hashes (long and short)
+  /^[0-9a-f]{40}$/i,
+  /^[0-9a-f]{7,8}$/i,
+  // Hex colors
+  /^#?[0-9a-fA-F]{3,8}$/,
+  // Small base64 (< 20 chars can't be a real key anyway)
+  /^[A-Za-z0-9+/]{1,19}={0,2}$/,
+  // Package versions
+  /^\d+\.\d+\.\d+/,
+  // Integrity-hash prefix (sha256-, sha512-, ...)
+  /^sha\d+-/i,
+  // URLs without credentials in them
+  /^https?:\/\/[^:@]*$/,
+  /^https?:\/\/registry\.npmjs\.org\//,
+  /^https?:\/\/registry\.yarnpkg\.com\//,
+  // Full package integrity hash (sha512-[base64]=)
+  /^sha\d+-[A-Za-z0-9+/=]+$/,
+  // Package tarball URLs
+  /\.tgz$/,
+  /registry.*\/-\/.*\.tgz$/,
+  // ISO dates / times
+  /^\d{4}-\d{2}-\d{2}/,
+  // Locale tags
+  /^[a-z]{2}-[A-Z]{2}$/,
+  // Text encodings
+  /^utf-?8|ascii|latin|iso-8859/i,
+  // MIME types
+  /^(?:application|text|image|audio|video)\//,
+  // CSS keyword values
+  /^(?:inherit|none|auto|block|flex|grid|absolute|relative|fixed|px|em|rem|%)/,
+  // Developer-placeholder tokens
+  /^(?:test|example|sample|demo|placeholder|temp|tmp|foo|bar|baz|lorem|ipsum)/i,
+  // XML / DTD markers
+  /DTD|DOCTYPE|w3\.org|apple\.com\/DTDs/i,
+  /xmlns|schema|xsd|xsi/i,
+  // NEW — added in Wave 3.2 for context-aware FP reduction
+  // ──────────────────────────────────────────────────────
+  // Tailwind JIT / CSS-in-JS class-name fingerprints, e.g. "css-2kx3yr8",
+  // "tw-abc12def", "jss-1a2b3c4d". Typically prefix + 6-12 hex-ish chars.
+  /^(?:css|tw|jss|emotion|styled|mui|chakra)-[a-z0-9]{4,14}$/i,
+  // SVG path data — starts with a path command letter followed by coords.
+  // These can get very long and high-entropy but are never secrets.
+  /^[MmLlHhVvCcSsQqTtAaZz][\d.,\s\-MmLlHhVvCcSsQqTtAaZz]{10,}$/,
+  // Next.js / Vite / webpack content-addressed asset filenames, e.g.
+  // "main.4e5f6a78.js", "chunk-2a3b.js", "_next/static/chunks/pages-xyz".
+  /\.[0-9a-f]{6,16}\.(?:js|css|mjs|woff2?|ttf|png|jpg|svg)(?:\?.*)?$/i,
+  /^_next\//,
+  // Publishable / client-side keys from common vendors. Flagged by their
+  // own service-specific rules if they look wrong, but entropy should NOT
+  // double-flag these. They are designed to ship to the browser.
+  /^pk_(?:live|test|[a-z0-9]+)_/,
+  // Stripe / Clerk publishable
+  /^NEXT_PUBLIC_|^VITE_|^REACT_APP_/,
+  // Build-time public env vars
+  /^pub_/,
+  // Segment etc.
+  /^ey[A-Za-z0-9_-]+\.ey[A-Za-z0-9_-]+\./,
+  // JWT header.payload prefix — don't flag solely on entropy
+  // Content-Security-Policy hashes / nonces in HTML/JSON
+  /^'sha\d+-/,
+  /^nonce-/i,
+  // Embedded data URIs
+  /^data:[a-z]+\//i
+];
+var SKIP_FILES = /\.(css|scss|less|svg|md|txt|html?|xml|yml|yaml|toml|lock|map|woff2?|ttf|eot|ico|png|jpg|gif|webp)$/i;
+var SKIP_FILENAMES = /(?:package-lock\.json|pnpm-lock\.yaml|yarn\.lock|composer\.lock|Gemfile\.lock|Cargo\.lock|poetry\.lock|Pipfile\.lock|shrinkwrap\.json)$/i;
+var SAFE_VAR_NAMES = /(?:description|message|text|label|title|content|template|html|svg|css|style|class(?:Name)?|query|mutation|schema|regex|pattern|format|placeholder|comment|url|path|route|endpoint|href|src|alt|name|type|version|encoding|charset|locale|translation|copy|prose|markdown|slug|handle)/i;
+var HASH_LIKE_VAR_NAMES = /(?:^|[^a-z])(?:hash|digest|checksum|fingerprint|etag|crc|md5|sha1|sha256|sha512|contenthash|buildid|revision|commit|sri|integrity|cacheKey|fileHash|assetId|versionId)(?:$|[^a-z])/i;
+var HASH_PREFIX_RE = /^(?:sha\d+|md5|crc32|base64|bcrypt|argon2|pbkdf2|blake2b?)[:_]/i;
+var SECRET_VAR_NAMES = /(?:^|[^a-z])(?:key|secret|token|password|passwd|pwd|api[_-]?key|auth|credential|private|signing|bearer|access[_-]?token|refresh[_-]?token|session[_-]?id)(?:$|[^a-z])/i;
+function getSnippet2(content, line) {
+  const lines = content.split("\n");
+  const start = Math.max(0, line - 2);
+  const end = Math.min(lines.length, line + 2);
+  return lines.slice(start, end).map((l, i) => {
+    const lineNum = start + i + 1;
+    const prefix = lineNum === line ? ">" : " ";
+    return `${prefix} ${String(lineNum).padStart(5)} | ${l}`;
+  }).join("\n");
+}
+function scanEntropy(files) {
+  const findings = [];
+  for (const { path: filePath, content } of files) {
+    if (SKIP_FILES.test(filePath)) continue;
+    if (SKIP_FILENAMES.test(filePath)) continue;
+    const basename = filePath.split("/").pop() || "";
+    if (SKIP_FILENAMES.test(basename)) continue;
+    if (filePath.includes("node_modules")) continue;
+    if (filePath.includes(".min.")) continue;
+    if (/pro-rules-bundle|\.bundle\.|\.chunk\./i.test(filePath)) continue;
+    if (/(?:\.test\.|\.spec\.|__tests__|__mocks__|fixtures?\/)/i.test(filePath)) continue;
+    const lines = content.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      const trimmed = line.trimStart();
+      if (trimmed.startsWith("//") || trimmed.startsWith("#") || trimmed.startsWith("*") || trimmed.startsWith("/*")) continue;
+      const stringPattern = /(?:[:=]\s*)(["'`])([^"'`\n]{20,120})\1/g;
+      let match;
+      while ((match = stringPattern.exec(line)) !== null) {
+        const value = match[2];
+        if (SAFE_PATTERNS.some((p) => p.test(value))) continue;
+        if (HASH_PREFIX_RE.test(value)) continue;
+        const beforeAssign = line.substring(0, match.index);
+        if (SAFE_VAR_NAMES.test(beforeAssign)) continue;
+        if (/^https?:\/\/[^:@]*$/.test(value)) continue;
+        if ((value.match(/\s/g) || []).length > 2) continue;
+        const isHex = /^[0-9a-fA-F]+$/.test(value);
+        const isBase64 = /^[A-Za-z0-9+/]+=*$/.test(value);
+        let threshold = 4;
+        if (isHex) threshold = 3;
+        else if (isBase64) threshold = 4.5;
+        if (value.length < 20) continue;
+        const entropy = shannonEntropy(value);
+        if (entropy < threshold) continue;
+        const varName = beforeAssign.match(/(\w+)\s*[:=]\s*$/)?.[1] || "";
+        if (HASH_LIKE_VAR_NAMES.test(varName) && (isHex || isBase64)) continue;
+        const isLikelySecret = SECRET_VAR_NAMES.test(varName);
+        if (entropy < 4.5 && !isLikelySecret) continue;
+        const masked = value.substring(0, 6) + "..." + value.substring(value.length - 4);
+        findings.push({
+          id: `ENTROPY-${filePath}:${i + 1}`,
+          rule: "ENTROPY",
+          severity: isLikelySecret ? "critical" : "high",
+          title: "High-Entropy String Detected (Possible Secret)",
+          description: `Found a high-entropy string (${entropy.toFixed(1)} bits) that may be a hardcoded secret or API key: "${masked}"`,
+          file: filePath,
+          line: i + 1,
+          snippet: getSnippet2(content, i + 1),
+          fix: "If this is a secret, move it to an environment variable. If it's not a secret (e.g., hash, encoded data), add it to .xploitscanignore.",
+          category: "Secrets",
+          source: "custom",
+          owasp: "A02:2021",
+          cwe: "CWE-798"
+        });
+      }
+    }
+  }
+  return findings;
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   allCustomRules,
@@ -5554,6 +5737,7 @@ async function filterFalsePositives(findings, fileContents) {
   regexDos,
   runCustomRules,
   s3BucketNoEncryption,
+  scanEntropy,
   secretInBundleConfig,
   secretInCLIArgument,
   secretInErrorResponse,