xploitscan-shared-rules 1.10.0 → 1.11.1

package/dist/index.cjs

@@ -1080,9 +1080,12 @@ var SERVER_SIDE_PATH_RE = new RegExp(
   ].join("|"),
   "i"
 );
-function isServerSideFile(filePath) {
+var SERVER_SIDE_CONTENT_RE = /\b(?:req|request)\.(?:body|query|params|headers|cookies)\b|\b(?:app|router)\.(?:get|post|put|patch|delete|use|all)\s*\(|\bctx\.request\b|\bevent\.(?:body|queryStringParameters|pathParameters)\b|\(\s*req\s*,\s*res\b/;
+function isServerSideFile(filePath, content) {
   if (isTestFile(filePath)) return false;
-  return SERVER_SIDE_PATH_RE.test(filePath);
+  if (SERVER_SIDE_PATH_RE.test(filePath)) return true;
+  if (content && SERVER_SIDE_CONTENT_RE.test(content)) return true;
+  return false;
 }
 var CONFIG_FILE_PATTERN = new RegExp(
   [
@@ -1103,7 +1106,7 @@ function isCommentLine(content, matchIndex) {
 function isInsideFixMessage(content, matchIndex) {
   const lineStart = content.lastIndexOf("\n", matchIndex - 1) + 1;
   const lineText = content.substring(lineStart, content.indexOf("\n", matchIndex));
-  return /(?:fix|description|message|suggestion|hint|help|example|doc|comment)\s*[:=(]/i.test(lineText) || /return\s*["'`].*\b(?:Use|Replace|Add|Move|Set|Enable|Disable|Never|Don't|Do not|Instead)\b/i.test(lineText);
+  return /(?:fix|description|message|suggestion|hint|help|example|doc|comment)\s*[:=]\s*["'`]/i.test(lineText) || /return\s*["'`].*\b(?:Use|Replace|Add|Move|Set|Enable|Disable|Never|Don't|Do not|Instead)\b/i.test(lineText);
 }
 function isInlineSilenced(content, matchIndex, ruleId) {
   const lines = content.split("\n");
@@ -1295,7 +1298,7 @@ var missingAuthMiddleware = {
   category: "Authentication",
   description: "API routes without authentication checks allow unauthorized access.",
   check(content, filePath) {
-    if (!isServerSideFile(filePath)) return [];
+    if (!isServerSideFile(filePath, content)) return [];
     const routePatterns = [
       // Express/Hono style
       /\.(get|post|put|patch|delete)\s*\(\s*["'`][^"'`]+["'`]\s*,\s*(?:async\s+)?\(?(?:req|c|ctx)/gi,
@@ -2613,7 +2616,7 @@ var exposedStackTraces = {
   category: "Information Leakage",
   description: "Returning error.stack or detailed error messages in API responses reveals internal code paths, file structure, and dependencies to attackers.",
   check(content, filePath) {
-    if (!isServerSideFile(filePath)) return [];
+    if (!isServerSideFile(filePath, content)) return [];
     const matches = [];
     const patterns = [
       // Sending stack trace in response
@@ -2711,7 +2714,7 @@ var ssrfVulnerability = {
   category: "Injection",
   description: "Fetching URLs from user input without validation allows attackers to access internal services, cloud metadata endpoints (169.254.169.254), and private networks.",
   check(content, filePath) {
-    if (!isServerSideFile(filePath)) return [];
+    if (!isServerSideFile(filePath, content)) return [];
     const matches = [];
     const hasValidation = /allowedHosts|allowedDomains|allowedUrls|safeDomain|whitelist|urlValidator|new URL.*hostname.*includes|isAllowedUrl|validateUrl|isValidUrl/i.test(content);
     if (hasValidation) return [];
@@ -2768,7 +2771,7 @@ var massAssignment = {
   category: "Authorization",
   description: "Spreading or assigning request body directly into database models allows attackers to set fields they shouldn't (e.g., isAdmin, role, verified).",
   check(content, filePath) {
-    if (!isServerSideFile(filePath)) return [];
+    if (!isServerSideFile(filePath, content)) return [];
     const hasSanitization = /pick\(|omit\(|allowedFields|sanitize|whitelist|permit|strong_params/i.test(content);
     if (hasSanitization) return [];
     const matches = [];
@@ -2920,7 +2923,7 @@ var logInjection = {
   category: "Injection",
   description: "Logging unsanitized user input allows attackers to forge log entries, inject malicious content, or exploit log aggregation systems via newlines and special characters.",
   check(content, filePath) {
-    if (!isServerSideFile(filePath)) return [];
+    if (!isServerSideFile(filePath, content)) return [];
     const hasSanitization = /replace\s*\(\s*\/\[?\\r\\n\]|sanitizeLog|stripNewlines|sanitizeForLog/i.test(content);
     if (hasSanitization) return [];
     const matches = [];
@@ -2986,7 +2989,7 @@ var weakPasswordRequirements = {
     if (!/(?:password|passwd|pwd)/i.test(content)) return [];
     const isPasswordContext = /(?:register|signup|sign.up|createUser|create.user|changePassword|resetPassword|set.password|validatePassword|validate.password|passwordPolicy|password.policy)/i.test(
       content
-    ) || isServerSideFile(filePath);
+    ) || isServerSideFile(filePath, content);
     const matches = [];
     if (isPasswordContext) {
       const weakThresholdPatterns = [
@@ -4140,8 +4143,8 @@ var xxeVulnerability = {
     if (!/xml|parseXml|parseXML|DOMParser|SAXParser|etree|lxml|libxml/i.test(content)) return [];
     const matches = [];
     const patterns = [
-      /\.parseXm?l\s*\(/gi,
-      // catches parseXml (libxmljs) AND parseXML
+      /\.parseXm?l(?:String)?\s*\(/gi,
+      // parseXml / parseXML / parseXmlString (libxmljs)
       // NOTE: the browser `new DOMParser()` is intentionally NOT flagged.
       // Per the HTML/XML spec, DOMParser.parseFromString does not resolve
       // external entities, so it is not an XXE sink — flagging it produced a
@@ -4327,7 +4330,7 @@ var exposedAdminRoutes = {
   category: "Information Leakage",
   description: "Routes like /admin, /debug, /phpinfo, or /actuator without authentication expose sensitive controls and information to attackers.",
   check(content, filePath) {
-    if (!isServerSideFile(filePath)) return [];
+    if (!isServerSideFile(filePath, content)) return [];
     const matches = [];
     const patterns = [
       /[.'"]\s*(?:get|use|all)\s*\(\s*["'`]\/(?:admin|debug|_debug|__debug__|phpinfo|actuator|graphiql|playground|swagger|reset|seed|test|dev|mock)["'`]/gi
@@ -4419,7 +4422,7 @@ var missingContentDisposition = {
   description: "File download endpoints without Content-Disposition headers may render files inline, leading to XSS if the file contains HTML/JS.",
   check(content, filePath) {
     if (!/(?:download|sendFile|send_file|pipe|createReadStream)/i.test(content)) return [];
-    if (!isServerSideFile(filePath)) return [];
+    if (!isServerSideFile(filePath, content)) return [];
     if (/Content-Disposition|attachment|download/i.test(content)) return [];
     return findMatches(
       content,
@@ -4516,7 +4519,7 @@ var unprotectedDownload = {
   description: "File download endpoints that accept user-controlled filenames without path validation allow directory traversal to read arbitrary files.",
   check(content, filePath) {
     if (!/(?:download|sendFile|send_file)/i.test(content)) return [];
-    if (!isServerSideFile(filePath)) return [];
+    if (!isServerSideFile(filePath, content)) return [];
     const matches = [];
     if (/(?:sendFile|download|send_file)\s*\([^)]*(?:req\.|params\.|query\.|body\.)/i.test(content)) {
       const hasValidation = /path\.resolve|path\.normalize|path\.join.*__dirname|realpath|includes\s*\(\s*["']\.\./i.test(content);
@@ -4545,7 +4548,7 @@ var commandInjection = {
     const matches = [];
     const patterns = [
       // Node.js — require standalone exec/execSync, not db.exec() or conn.exec()
-      /(?<![.\w])(?:exec|execSync)\s*\(\s*(?:`[^`]*\$\{|["'][^"']*\+\s*(?:req\.|body\.|input|params|args|user))/gi,
+      /(?<![.\w])(?:exec|execSync)\s*\(\s*(?:`[^`]*\$\{|["'][^"']*["']\s*\+\s*(?:req\.|body\.|input|params|args|user))/gi,
       /child_process.*exec\s*\(\s*(?!["'`])/g,
       // spawn / execFile / exec with shell: true AND a template literal
       // first arg. `shell: true` converts the first argument into a string