xploitscan-shared-rules 1.3.0 → 1.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.cjs +17 -0
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +17 -1
- package/dist/index.d.ts +17 -1
- package/dist/index.js +16 -0
- package/dist/index.js.map +1 -1
- package/package.json +1 -1
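--- a/package/dist/index.cjs
+++ b/package/dist/index.cjs
@@ -30,6 +30,7 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
+RULE_IMPACTS: () => RULE_IMPACTS,
 allCustomRules: () => allCustomRules,
 allRules: () => allRules,
 androidDebuggable: () => androidDebuggable,
@@ -269,6 +270,21 @@ function getSnippet(content, line, contextLines = 2) {
 }).join("\n");
 }
 
+// src/rule-impacts.ts
+var RULE_IMPACTS = {
+VC001: "An attacker who finds this key in your source code or client bundle can use your API with your credentials, potentially reading or modifying user data and racking up usage charges.",
+VC002: "If this .env file is committed to git, anyone with repo access (including public repos) can extract your database passwords, API keys, and other secrets.",
+VC003: "This API endpoint has no authentication check. Anyone on the internet can call it directly, potentially accessing or modifying data without permission.",
+VC004: "The service_role key bypasses all Row Level Security policies. If exposed client-side, any user can read, modify, or delete any row in your database.",
+VC005: "Without webhook signature verification, an attacker can send fake payment events to your endpoint \u2014 granting free access, duplicating orders, or corrupting billing data.",
+VC006: "An attacker can inject malicious SQL through user input, potentially dumping your entire database, modifying records, or deleting tables.",
+VC007: "An attacker can inject JavaScript that runs in other users' browsers, stealing session cookies, redirecting to phishing pages, or performing actions as the victim.",
+VC008: "Without rate limiting, an attacker can flood your API with requests causing denial of service, brute-force attacks, or excessive cloud billing.",
+VC009: "With CORS set to allow all origins, any website can make authenticated requests to your API from a user's browser, enabling cross-site data theft.",
+VC010: "Hiding UI elements without server-side checks means an attacker can call your API directly and bypass the restriction entirely.",
+VC011: "The NEXT_PUBLIC_ prefix exposes this value in the browser bundle. If it's a secret, anyone viewing your site's JavaScript can extract it."
+};
+
 // src/ast/parse.ts
 var import_parser = require("@babel/parser");
 var MAX_CACHE = 256;
@@ -8077,6 +8093,7 @@ function scanEntropy(files) {
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+RULE_IMPACTS,
 allCustomRules,
 allRules,
 androidDebuggable,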