xploitscan-shared-rules 1.1.0 → 1.2.1

package/dist/index.cjs

@@ -472,26 +472,42 @@ var sqlInjection = {
   description: "String concatenation or template literals in SQL queries allow attackers to execute arbitrary database commands.",
   check(content, filePath) {
     const patterns = [
-      // Template literals in SQL
-      /(?:query|execute|raw|sql)\s*\(\s*`[^`]*\$\{/gi,
-      // String concatenation in SQL
-      /(?:query|execute)\s*\(\s*["'][^"']*["']\s*\+/gi,
-      // Direct variable interpolation
+      // Template literal passed as first arg to query/execute/raw/sql/
+      // queryRaw/queryRawUnsafe/execute. Examples that SHOULD fire:
+      //   db.query(`SELECT ... ${x}`)
+      //   prisma.$queryRawUnsafe(`... ${x}`)
+      //   knex.raw(`... ${x}`)
+      /(?:query|execute|raw|sql|queryRaw|queryRawUnsafe|executeRaw|executeRawUnsafe)\s*\(\s*`[^`]*\$\{/gi,
+      // String concatenation in SQL — now includes raw() and sql() and
+      // Drizzle's sql.raw() / Prisma's $queryRawUnsafe() variants. Previous
+      // version only covered query()/execute() and missed knex.raw("..." + x).
+      //
+      // The string literal part uses a proper "quoted string" regex that
+      // allows the opposite quote type inside (common in SQL — "WHERE x = 'a'").
+      // The older `[^"']*` class bailed out at the first inner quote and
+      // missed every realistic SQL-containing concat.
+      /(?:query|execute|raw|sql|queryRaw|queryRawUnsafe|executeRaw|executeRawUnsafe)\s*\(\s*(?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')\s*\+/gi,
+      // Direct variable interpolation in a SQL verb context
       /(?:SELECT|INSERT|UPDATE|DELETE|WHERE)\s+.*\$\{(?!.*parameterized)/gi
     ];
     const matches = [];
     const usesParams = /\?\s*,|\$\d+|:[\w]+|\bprepare\b|\bplaceholder\b/i.test(content);
     if (usesParams) return [];
     for (const pattern of patterns) {
-      matches.push(
-        ...findMatches(
-          content,
-          pattern,
-          sqlInjection,
-          filePath,
-          () => "Use parameterized queries or prepared statements instead of string interpolation. Example: db.query('SELECT * FROM users WHERE id = ?', [userId])"
-        )
+      const raw = findMatches(
+        content,
+        pattern,
+        sqlInjection,
+        filePath,
+        () => "Use parameterized queries or prepared statements instead of string interpolation. Example: db.query('SELECT * FROM users WHERE id = ?', [userId])"
       );
+      for (const m of raw) {
+        const lineText = content.split("\n")[m.line - 1] || "";
+        if (/\bPrisma\.sql\s*`/.test(lineText)) continue;
+        if (/\bsql\s*`/.test(lineText) && !/\bsql\.raw\s*\(/.test(lineText)) continue;
+        if (/\$queryRaw\s*\(\s*Prisma\.sql|\$executeRaw\s*\(\s*Prisma\.sql/.test(lineText)) continue;
+        matches.push(m);
+      }
     }
     return matches;
   }
@@ -2617,7 +2633,7 @@ function calculateGrade(findings, _totalFiles) {
   else if (medium >= 1) grade = capGrade("A");
   let summary;
   if (critical > 0) {
-    summary = `${critical} critical ${critical === 1 ? "vulnerability" : "vulnerabilities"} require immediate attention.`;
+    summary = `${critical} critical ${critical === 1 ? "vulnerability requires" : "vulnerabilities require"} immediate attention.`;
   } else if (high >= 3) {
     summary = `${high} high-severity issues require urgent attention.`;
   } else if (high > 0) {
@@ -3032,13 +3048,22 @@ var commandInjection = {
       // Node.js — require standalone exec/execSync, not db.exec() or conn.exec()
       /(?<![.\w])(?:exec|execSync)\s*\(\s*(?:`[^`]*\$\{|["'][^"']*\+\s*(?:req\.|body\.|input|params|args|user))/gi,
       /child_process.*exec\s*\(\s*(?!["'`])/g,
+      // spawn / execFile / exec with shell: true AND a template literal
+      // first arg. `shell: true` converts the first argument into a string
+      // passed to `/bin/sh -c`, so any ${} interpolation is a shell injection
+      // opportunity. Without shell: true, spawn/execFile are safe because
+      // the command and args are kept separate. Previously this class of
+      // bug was missed — the "hasSafe" skip below assumed any spawn in the
+      // file was fine, which is the opposite of true with shell: true.
+      /(?<![.\w])(?:spawn|spawnSync|execFile|execFileSync|exec|execSync)\s*\(\s*`[^`]*\$\{[\s\S]*?shell\s*:\s*(?:true|["'][^"']+["'])/gi,
       // Python
       /os\.system\s*\(\s*(?!["'`].*["'`]\s*\))/g,
       /subprocess\.(?:call|run|Popen)\s*\([^)]*shell\s*=\s*True/gi,
       // Ruby
       /system\s*\(\s*["'].*#\{/g
     ];
-    const hasSafe = /execFile|spawn|escapeshellarg|shlex\.quote|shellEscape/i.test(content);
+    const hasShellTrue = /shell\s*:\s*(?:true|["'][^"']+["'])/i.test(content);
+    const hasSafe = !hasShellTrue && /execFile|spawn|escapeshellarg|shlex\.quote|shellEscape/i.test(content);
     if (hasSafe) return [];
     for (const p of patterns) {
       const raw = findMatches(
@@ -4539,7 +4564,7 @@ var hardcodedSupabaseServiceRole = {
     if (isTestFile(filePath)) return [];
     if (!SECRET_FILE_EXT.test(filePath)) return [];
     if (LOCK_FILE_RE.test(filePath)) return [];
-    const pattern = /(?:service[_-]?role[_-]?key|SUPABASE_SERVICE_ROLE_KEY|supabaseServiceRole)\s*[:=]\s*["'`](eyJ[A-Za-z0-9_\-]{50,})["'`]/gi;
+    const pattern = /(?:service[_-]?role[_-]?key|SUPABASE_SERVICE_ROLE_KEY|supabaseServiceRole)\s*[:=]\s*["'`](eyJ[A-Za-z0-9_\-.]{50,})["'`]/gi;
     const findings = [];
     let m;
     while ((m = pattern.exec(content)) !== null) {