xploitscan-shared-rules 1.10.0 → 1.11.1

package/dist/index.js

@@ -815,9 +815,12 @@ var SERVER_SIDE_PATH_RE = new RegExp(
   ].join("|"),
   "i"
 );
-function isServerSideFile(filePath) {
+var SERVER_SIDE_CONTENT_RE = /\b(?:req|request)\.(?:body|query|params|headers|cookies)\b|\b(?:app|router)\.(?:get|post|put|patch|delete|use|all)\s*\(|\bctx\.request\b|\bevent\.(?:body|queryStringParameters|pathParameters)\b|\(\s*req\s*,\s*res\b/;
+function isServerSideFile(filePath, content) {
   if (isTestFile(filePath)) return false;
-  return SERVER_SIDE_PATH_RE.test(filePath);
+  if (SERVER_SIDE_PATH_RE.test(filePath)) return true;
+  if (content && SERVER_SIDE_CONTENT_RE.test(content)) return true;
+  return false;
 }
 var CONFIG_FILE_PATTERN = new RegExp(
   [
@@ -838,7 +841,7 @@ function isCommentLine(content, matchIndex) {
 function isInsideFixMessage(content, matchIndex) {
   const lineStart = content.lastIndexOf("\n", matchIndex - 1) + 1;
   const lineText = content.substring(lineStart, content.indexOf("\n", matchIndex));
-  return /(?:fix|description|message|suggestion|hint|help|example|doc|comment)\s*[:=(]/i.test(lineText) || /return\s*["'`].*\b(?:Use|Replace|Add|Move|Set|Enable|Disable|Never|Don't|Do not|Instead)\b/i.test(lineText);
+  return /(?:fix|description|message|suggestion|hint|help|example|doc|comment)\s*[:=]\s*["'`]/i.test(lineText) || /return\s*["'`].*\b(?:Use|Replace|Add|Move|Set|Enable|Disable|Never|Don't|Do not|Instead)\b/i.test(lineText);
 }
 function isInlineSilenced(content, matchIndex, ruleId) {
   const lines = content.split("\n");
@@ -1030,7 +1033,7 @@ var missingAuthMiddleware = {
   category: "Authentication",
   description: "API routes without authentication checks allow unauthorized access.",
   check(content, filePath) {
-    if (!isServerSideFile(filePath)) return [];
+    if (!isServerSideFile(filePath, content)) return [];
     const routePatterns = [
       // Express/Hono style
       /\.(get|post|put|patch|delete)\s*\(\s*["'`][^"'`]+["'`]\s*,\s*(?:async\s+)?\(?(?:req|c|ctx)/gi,
@@ -2348,7 +2351,7 @@ var exposedStackTraces = {
   category: "Information Leakage",
   description: "Returning error.stack or detailed error messages in API responses reveals internal code paths, file structure, and dependencies to attackers.",
   check(content, filePath) {
-    if (!isServerSideFile(filePath)) return [];
+    if (!isServerSideFile(filePath, content)) return [];
     const matches = [];
     const patterns = [
       // Sending stack trace in response
@@ -2446,7 +2449,7 @@ var ssrfVulnerability = {
   category: "Injection",
   description: "Fetching URLs from user input without validation allows attackers to access internal services, cloud metadata endpoints (169.254.169.254), and private networks.",
   check(content, filePath) {
-    if (!isServerSideFile(filePath)) return [];
+    if (!isServerSideFile(filePath, content)) return [];
     const matches = [];
     const hasValidation = /allowedHosts|allowedDomains|allowedUrls|safeDomain|whitelist|urlValidator|new URL.*hostname.*includes|isAllowedUrl|validateUrl|isValidUrl/i.test(content);
     if (hasValidation) return [];
@@ -2503,7 +2506,7 @@ var massAssignment = {
   category: "Authorization",
   description: "Spreading or assigning request body directly into database models allows attackers to set fields they shouldn't (e.g., isAdmin, role, verified).",
   check(content, filePath) {
-    if (!isServerSideFile(filePath)) return [];
+    if (!isServerSideFile(filePath, content)) return [];
     const hasSanitization = /pick\(|omit\(|allowedFields|sanitize|whitelist|permit|strong_params/i.test(content);
     if (hasSanitization) return [];
     const matches = [];
@@ -2655,7 +2658,7 @@ var logInjection = {
   category: "Injection",
   description: "Logging unsanitized user input allows attackers to forge log entries, inject malicious content, or exploit log aggregation systems via newlines and special characters.",
   check(content, filePath) {
-    if (!isServerSideFile(filePath)) return [];
+    if (!isServerSideFile(filePath, content)) return [];
     const hasSanitization = /replace\s*\(\s*\/\[?\\r\\n\]|sanitizeLog|stripNewlines|sanitizeForLog/i.test(content);
     if (hasSanitization) return [];
     const matches = [];
@@ -2721,7 +2724,7 @@ var weakPasswordRequirements = {
     if (!/(?:password|passwd|pwd)/i.test(content)) return [];
     const isPasswordContext = /(?:register|signup|sign.up|createUser|create.user|changePassword|resetPassword|set.password|validatePassword|validate.password|passwordPolicy|password.policy)/i.test(
       content
-    ) || isServerSideFile(filePath);
+    ) || isServerSideFile(filePath, content);
     const matches = [];
     if (isPasswordContext) {
       const weakThresholdPatterns = [
@@ -3875,8 +3878,8 @@ var xxeVulnerability = {
     if (!/xml|parseXml|parseXML|DOMParser|SAXParser|etree|lxml|libxml/i.test(content)) return [];
     const matches = [];
     const patterns = [
-      /\.parseXm?l\s*\(/gi,
-      // catches parseXml (libxmljs) AND parseXML
+      /\.parseXm?l(?:String)?\s*\(/gi,
+      // parseXml / parseXML / parseXmlString (libxmljs)
       // NOTE: the browser `new DOMParser()` is intentionally NOT flagged.
       // Per the HTML/XML spec, DOMParser.parseFromString does not resolve
       // external entities, so it is not an XXE sink — flagging it produced a
@@ -4062,7 +4065,7 @@ var exposedAdminRoutes = {
   category: "Information Leakage",
   description: "Routes like /admin, /debug, /phpinfo, or /actuator without authentication expose sensitive controls and information to attackers.",
   check(content, filePath) {
-    if (!isServerSideFile(filePath)) return [];
+    if (!isServerSideFile(filePath, content)) return [];
     const matches = [];
     const patterns = [
       /[.'"]\s*(?:get|use|all)\s*\(\s*["'`]\/(?:admin|debug|_debug|__debug__|phpinfo|actuator|graphiql|playground|swagger|reset|seed|test|dev|mock)["'`]/gi
@@ -4154,7 +4157,7 @@ var missingContentDisposition = {
   description: "File download endpoints without Content-Disposition headers may render files inline, leading to XSS if the file contains HTML/JS.",
   check(content, filePath) {
     if (!/(?:download|sendFile|send_file|pipe|createReadStream)/i.test(content)) return [];
-    if (!isServerSideFile(filePath)) return [];
+    if (!isServerSideFile(filePath, content)) return [];
     if (/Content-Disposition|attachment|download/i.test(content)) return [];
     return findMatches(
       content,
@@ -4251,7 +4254,7 @@ var unprotectedDownload = {
   description: "File download endpoints that accept user-controlled filenames without path validation allow directory traversal to read arbitrary files.",
   check(content, filePath) {
     if (!/(?:download|sendFile|send_file)/i.test(content)) return [];
-    if (!isServerSideFile(filePath)) return [];
+    if (!isServerSideFile(filePath, content)) return [];
     const matches = [];
     if (/(?:sendFile|download|send_file)\s*\([^)]*(?:req\.|params\.|query\.|body\.)/i.test(content)) {
       const hasValidation = /path\.resolve|path\.normalize|path\.join.*__dirname|realpath|includes\s*\(\s*["']\.\./i.test(content);
@@ -4280,7 +4283,7 @@ var commandInjection = {
     const matches = [];
     const patterns = [
       // Node.js — require standalone exec/execSync, not db.exec() or conn.exec()
-      /(?<![.\w])(?:exec|execSync)\s*\(\s*(?:`[^`]*\$\{|["'][^"']*\+\s*(?:req\.|body\.|input|params|args|user))/gi,
+      /(?<![.\w])(?:exec|execSync)\s*\(\s*(?:`[^`]*\$\{|["'][^"']*["']\s*\+\s*(?:req\.|body\.|input|params|args|user))/gi,
       /child_process.*exec\s*\(\s*(?!["'`])/g,
       // spawn / execFile / exec with shell: true AND a template literal
       // first arg. `shell: true` converts the first argument into a string