npm - xploitscan-shared-rules - Versions diffs - 1.13.1 → 1.14.0 - Mend

xploitscan-shared-rules 1.13.1 → 1.14.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.cjs CHANGED Viewed

@@ -97,6 +97,7 @@ __export(index_exports, {
   hardcodedAnthropicKey: () => hardcodedAnthropicKey,
   hardcodedCloudflareToken: () => hardcodedCloudflareToken,
   hardcodedCohereKey: () => hardcodedCohereKey,
+  hardcodedCreditCard: () => hardcodedCreditCard,
   hardcodedDatadogKey: () => hardcodedDatadogKey,
   hardcodedDiscordToken: () => hardcodedDiscordToken,
   hardcodedEncryptionKey: () => hardcodedEncryptionKey,
@@ -126,6 +127,7 @@ __export(index_exports, {
   hardcodedRailwayToken: () => hardcodedRailwayToken,
   hardcodedReplicateKey: () => hardcodedReplicateKey,
   hardcodedResendKey: () => hardcodedResendKey,
+  hardcodedSSN: () => hardcodedSSN,
   hardcodedSecrets: () => hardcodedSecrets,
   hardcodedSendGridKey: () => hardcodedSendGridKey,
   hardcodedSentryAuthToken: () => hardcodedSentryAuthToken,
@@ -521,7 +523,9 @@ var RULE_IMPACTS = {
   VC207: "Model output is attacker-influenceable via prompt injection. Feeding it into eval, new Function, a shell command, a raw SQL string, or a filesystem path turns a crafted or hallucinated response into remote code execution, command injection, SQL injection, or path traversal \u2014 your most dangerous sinks, driven by untrusted text.",
   VC208: "Interpolating a secret into a prompt ships your API key, token, or password to a third-party model provider, where it persists in their request logs and training-eligible data. A credential that leaves your infrastructure in prompt text should be considered compromised and rotated.",
   VC209: "Webhooks are delivered at-least-once. Without de-duplicating on the event id, a retried or replayed delivery re-runs the side effect \u2014 a customer is charged twice, a record is duplicated, or an entitlement is granted again. Stripe and Svix both retry on any non-2xx, so this fires in normal operation, not just under attack.",
-  VC210: "If your auth middleware skips /api, those routes run with no gate unless each one re-checks auth itself. It is the most common way a Next.js app ends up with publicly callable API routes that everyone assumed the middleware was protecting."
+  VC210: "If your auth middleware skips /api, those routes run with no gate unless each one re-checks auth itself. It is the most common way a Next.js app ends up with publicly callable API routes that everyone assumed the middleware was protecting.",
+  VC211: "A real credit card number in source is cardholder data sitting in git history, CI logs, and every backup \u2014 a direct PCI-DSS violation. Anyone with repo access can read it, and it cannot be un-leaked once committed; the card must be treated as compromised.",
+  VC212: "A hardcoded Social Security Number is regulated PII permanently embedded in your git history and backups. It exposes a real person to identity theft, and its presence in source can trigger breach-notification and privacy-law obligations the moment the repo is accessed."
 };
 // src/exposure.ts
@@ -5062,8 +5066,13 @@ var complianceMap = {
   // VC209–VC210: advisory heuristics
   VC209: { owasp: "A04:2021", cwe: "CWE-799" },
   // webhook missing idempotency
-  VC210: { owasp: "A01:2021", cwe: "CWE-862" }
+  VC210: { owasp: "A01:2021", cwe: "CWE-862" },
   // middleware matcher excludes /api
+  // VC211–VC212: hardcoded sensitive personal data (PII) in source
+  VC211: { owasp: "A02:2021", cwe: "CWE-540" },
+  // hardcoded credit card number
+  VC212: { owasp: "A02:2021", cwe: "CWE-540" }
+  // hardcoded US SSN
 };
 var consoleLogProduction = {
   id: "VC097",
@@ -7888,6 +7897,113 @@ var middlewareMatcherExcludesApi = {
     }], content, "VC210");
   }
 };
+function passesLuhn(digits) {
+  let sum = 0;
+  let alt = false;
+  for (let i = digits.length - 1; i >= 0; i--) {
+    let d = digits.charCodeAt(i) - 48;
+    if (d < 0 || d > 9) return false;
+    if (alt) {
+      d *= 2;
+      if (d > 9) d -= 9;
+    }
+    sum += d;
+    alt = !alt;
+  }
+  return sum % 10 === 0;
+}
+function looksLikeIssuerCard(d) {
+  if (/^4/.test(d) && (d.length === 13 || d.length === 16 || d.length === 19)) return true;
+  if (/^5[1-5]/.test(d) && d.length === 16) return true;
+  if (/^2(2[2-9]|[3-6]\d|7[01]|720)/.test(d) && d.length === 16) return true;
+  if (/^3[47]/.test(d) && d.length === 15) return true;
+  if (/^(6011|65|64[4-9])/.test(d) && d.length === 16) return true;
+  return false;
+}
+var TEST_CARD_NUMBERS = /* @__PURE__ */ new Set([
+  "4242424242424242",
+  "4111111111111111",
+  "4012888888881881",
+  "4000056655665556",
+  "4000000000000002",
+  "4000000000009995",
+  "5555555555554444",
+  "5200828282828210",
+  "5105105105105100",
+  "2223003122003222",
+  "378282246310005",
+  "371449635398431",
+  "6011111111111117",
+  "6011000990139424",
+  "3056930009020004",
+  "38520000023237"
+]);
+var hardcodedCreditCard = {
+  id: "VC211",
+  title: "Hardcoded credit card number",
+  severity: "high",
+  category: "Information Leakage",
+  description: "A literal credit card number (Luhn-valid, with a real issuer prefix, and not a known network test card) appears in source. Cardholder data does not belong in code \u2014 it lands in git history, logs, and backups, and is a PCI-DSS violation. Use your processor's published test cards for tests, and tokenize real cards.",
+  check(content, filePath) {
+    if (isTestFile(filePath)) return [];
+    const findings = [];
+    const pattern = /(?<![\d.])\d[\d -]{11,21}\d(?![\d.])/g;
+    let m;
+    while ((m = pattern.exec(content)) !== null) {
+      const digits = m[0].replace(/[ -]/g, "");
+      if (digits.length < 13 || digits.length > 19) continue;
+      if (TEST_CARD_NUMBERS.has(digits)) continue;
+      if (!looksLikeIssuerCard(digits)) continue;
+      if (!passesLuhn(digits)) continue;
+      if (isCommentLine(content, m.index)) continue;
+      const lineNum = lineNumberAt(content, m.index);
+      findings.push({
+        rule: "VC211",
+        title: hardcodedCreditCard.title,
+        severity: "high",
+        category: "Information Leakage",
+        file: filePath,
+        line: lineNum,
+        snippet: getSnippet(content, lineNum),
+        fix: "Never store a real card number in source. Tokenize through your payment processor (Stripe, Braintree) and keep only the returned token. For tests, use the processor's published test cards (e.g. Stripe's 4242 4242 4242 4242)."
+      });
+    }
+    return findings;
+  }
+};
+var hardcodedSSN = {
+  id: "VC212",
+  title: "Hardcoded US Social Security Number",
+  severity: "high",
+  category: "Information Leakage",
+  description: "A value in SSN format (NNN-NN-NNNN) is assigned to an SSN-named field in source. Social Security Numbers are regulated PII; a literal one leaks into git history, logs, and backups. Store SSNs encrypted at rest and load test data from generated fakes, never a code literal.",
+  check(content, filePath) {
+    if (isTestFile(filePath)) return [];
+    const findings = [];
+    const pattern = /(?:ssn|social[_-]?sec(?:urity)?(?:[_-]?(?:no|num|number))?|taxpayer[_-]?id)\b["']?\s*[:=]\s*["']?(\d{3}-\d{2}-\d{4})/gi;
+    let m;
+    while ((m = pattern.exec(content)) !== null) {
+      const ssn = m[1];
+      const [area, group, serial] = ssn.split("-");
+      if (area === "000" || area === "666" || Number(area) >= 900) continue;
+      if (group === "00" || serial === "0000") continue;
+      if (ssn === "123-45-6789") continue;
+      if (isCommentLine(content, m.index)) continue;
+      const lineNum = lineNumberAt(content, m.index);
+      findings.push({
+        rule: "VC212",
+        title: hardcodedSSN.title,
+        severity: "high",
+        category: "Information Leakage",
+        file: filePath,
+        line: lineNum,
+        snippet: getSnippet(content, lineNum),
+        fix: "Don't hardcode SSNs. Generate fake values for tests (a faker/factory), and store real SSNs with application-level encryption or in a secrets vault \u2014 never as a code literal."
+      });
+    }
+    return findings;
+  }
+};
 var secretInURLParam = {
   id: "VC146",
   title: "Secret Passed in URL Query Parameter",
@@ -8616,7 +8732,10 @@ var allCustomRules = [
   // VC204–VC206: GraphQL server hardening
   graphqlNoDepthLimit,
   graphqlNoComplexityLimit,
-  graphqlCSRFDisabled
+  graphqlCSRFDisabled,
+  // VC211–VC212: hardcoded sensitive personal data (PII)
+  hardcodedCreditCard,
+  hardcodedSSN
 ];
 function runCustomRules(content, filePath, disabledRules = [], tier = "free", extraRules = []) {
   const findings = [];
@@ -9045,6 +9164,7 @@ function scanEntropy(files) {
   hardcodedAnthropicKey,
   hardcodedCloudflareToken,
   hardcodedCohereKey,
+  hardcodedCreditCard,
   hardcodedDatadogKey,
   hardcodedDiscordToken,
   hardcodedEncryptionKey,
@@ -9074,6 +9194,7 @@ function scanEntropy(files) {
   hardcodedRailwayToken,
   hardcodedReplicateKey,
   hardcodedResendKey,
+  hardcodedSSN,
   hardcodedSecrets,
   hardcodedSendGridKey,
   hardcodedSentryAuthToken,