xploitscan-shared-rules 1.3.0 → 1.5.0

package/dist/index.cjs

@@ -30,6 +30,7 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
+  RULE_IMPACTS: () => RULE_IMPACTS,
   allCustomRules: () => allCustomRules,
   allRules: () => allRules,
   androidDebuggable: () => androidDebuggable,
@@ -38,6 +39,7 @@ __export(index_exports, {
   calculateGrade: () => calculateGrade,
   callSpreads: () => callSpreads,
   callbackHell: () => callbackHell,
+  classifyExposure: () => classifyExposure,
   clickjacking: () => clickjacking,
   clientComponentSecret: () => clientComponentSecret,
   clientSideAuth: () => clientSideAuth,
@@ -269,6 +271,42 @@ function getSnippet(content, line, contextLines = 2) {
   }).join("\n");
 }
 
+// src/rule-impacts.ts
+var RULE_IMPACTS = {
+  VC001: "An attacker who finds this key in your source code or client bundle can use your API with your credentials, potentially reading or modifying user data and racking up usage charges.",
+  VC002: "If this .env file is committed to git, anyone with repo access (including public repos) can extract your database passwords, API keys, and other secrets.",
+  VC003: "This API endpoint has no authentication check. Anyone on the internet can call it directly, potentially accessing or modifying data without permission.",
+  VC004: "The service_role key bypasses all Row Level Security policies. If exposed client-side, any user can read, modify, or delete any row in your database.",
+  VC005: "Without webhook signature verification, an attacker can send fake payment events to your endpoint \u2014 granting free access, duplicating orders, or corrupting billing data.",
+  VC006: "An attacker can inject malicious SQL through user input, potentially dumping your entire database, modifying records, or deleting tables.",
+  VC007: "An attacker can inject JavaScript that runs in other users' browsers, stealing session cookies, redirecting to phishing pages, or performing actions as the victim.",
+  VC008: "Without rate limiting, an attacker can flood your API with requests causing denial of service, brute-force attacks, or excessive cloud billing.",
+  VC009: "With CORS set to allow all origins, any website can make authenticated requests to your API from a user's browser, enabling cross-site data theft.",
+  VC010: "Hiding UI elements without server-side checks means an attacker can call your API directly and bypass the restriction entirely.",
+  VC011: "The NEXT_PUBLIC_ prefix exposes this value in the browser bundle. If it's a secret, anyone viewing your site's JavaScript can extract it."
+};
+
+// src/exposure.ts
+function classifyExposure(filePath) {
+  if (/(?:\/api\/|pages\/api\/|routes?\/|controllers?\/|endpoints?\/|server\.|app\/.*route\.)/.test(
+    filePath
+  )) {
+    return "public";
+  }
+  if (/(?:app\/.*page\.|pages\/(?!api\/)|views?\/|templates?\/)/.test(filePath)) {
+    return "public";
+  }
+  if (/(?:lib\/|utils?\/|helpers?\/|services?\/|models?\/|hooks?\/)/.test(
+    filePath
+  )) {
+    return "internal";
+  }
+  if (/(?:middleware|config|constants?)/.test(filePath)) {
+    return "internal";
+  }
+  return "unknown";
+}
+
 // src/ast/parse.ts
 var import_parser = require("@babel/parser");
 var MAX_CACHE = 256;
@@ -8077,6 +8115,7 @@ function scanEntropy(files) {
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  RULE_IMPACTS,
   allCustomRules,
   allRules,
   androidDebuggable,
@@ -8085,6 +8124,7 @@ function scanEntropy(files) {
   calculateGrade,
   callSpreads,
   callbackHell,
+  classifyExposure,
   clickjacking,
   clientComponentSecret,
   clientSideAuth,