npm - xploitscan-shared-rules - Versions diffs - 1.3.0 → 1.5.0 - Mend

xploitscan-shared-rules 1.3.0 → 1.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.d.cts CHANGED Viewed

@@ -51,6 +51,61 @@ interface CustomRule {
  */
 declare function getSnippet(content: string, line: number, contextLines?: number): string;
+/**
+ * Real-world consequence descriptions for VC### rules.
+ *
+ * Surfaced in the scan results UI ("Impact:" line) and in the AI summary
+ * email so users understand *why* a finding matters, not just what it is.
+ *
+ * Lives in shared-rules so the CLI, the web API, the standalone API, and any
+ * future surface read the same copy. Previously this map was duplicated
+ * inline inside both API entrypoints — the kind of place the
+ * `totalRules: 158` drift bug came from.
+ *
+ * Adding a rule? Add its impact string here so it shows up everywhere at
+ * once. If a rule has no entry, the UI falls back to the rule description.
+ */
+declare const RULE_IMPACTS: Record<string, string>;
+/**
+ * Heuristic for classifying a source file's exposure surface.
+ *
+ * Used in scan results to label findings as `public`, `internal`, or
+ * `unknown` so the UI can prioritize the public-facing ones (a hardcoded
+ * key in an API route is much worse than the same key in a config file
+ * that never ships to production). Scanners attach this to every finding
+ * via a `match.exposure` field.
+ *
+ * Lives in shared-rules so the web API and the standalone API can't drift
+ * apart on what counts as "public" vs "internal" — historically there
+ * were two divergent copies in those two files (different regexes, even
+ * different bug fixes shipped at different times). After this
+ * consolidation the heuristic has exactly one definition.
+ *
+ * The categories:
+ *
+ *   - `public`    : path looks like it serves end-user traffic
+ *                   (Next.js API routes, Express/Hono routes, Rails
+ *                   controllers, serverless function entrypoints, app-
+ *                   router pages, view templates).
+ *   - `internal`  : path looks like helper / lib code that's reachable
+ *                   from public surfaces but isn't itself a request
+ *                   handler.
+ *   - `unknown`   : everything else (test files, scripts, build output,
+ *                   ambiguous paths). The scanner deliberately doesn't
+ *                   guess here — wrong "public" labels are a worse UX
+ *                   than honest "unknown".
+ *
+ * The Next.js `pages/(?!api/)` lookahead is intentionally exact: it
+ * excludes only the literal `pages/api/` directory from being
+ * double-classified as public-page (it's already public-route on the
+ * line above), without wrongly excluding things like `pages/apikey/...`
+ * or `pages/admin/...`. (Macroscope #325 / vibecheck-api#4 caught a
+ * regression where this lookahead was too permissive.)
+ */
+type Exposure = "public" | "internal" | "unknown";
+declare function classifyExposure(filePath: string): Exposure;
 declare const hardcodedSecrets: CustomRule;
 declare const exposedEnvFile: CustomRule;
 declare const missingAuthMiddleware: CustomRule;
@@ -451,4 +506,4 @@ declare function getObjectProperty(node: ObjectExpression, key: string): {
 /** Does this CallExpression spread an expression `matcher` returns true for? */
 declare function callSpreads(call: CallExpression, matcher: (node: Node) => boolean): boolean;
-export { type AIFilterResult, type Confidence, type CustomRule, type DetectedFramework, type FilteredFinding, type Finding, type GradeResult, type ParsedFile, type RuleMatch, type SecurityGrade, type Severity, type TaintMap, allCustomRules, allRules, androidDebuggable, blockingMainThread, buildTaintMap, calculateGrade, callSpreads, callbackHell, clickjacking, clientComponentSecret, clientSideAuth, commandInjection, complianceMap, consoleLogProduction, corsLocalhost, corsServerless, corsWildcard, dangerousInnerHTML, deprecatedTLS, detectFramework, disabledTLSVerification, djangoDebug, dockerCopySensitive, dockerLatestTag, dockerRunAsRoot, dockerTooManyPorts, dockerfileADDInsteadOfCOPY, dockerfileMissingHealthcheck, dockerfileUnverifiedShellPipe, ecbModeEncryption, electronNavigationUnrestricted, emptyCatchBlock, envNotGitignored, evalUsage, eventListenerLeak, exposedAdminRoutes, exposedAuthSecret, exposedDBCredentials, exposedDatabaseStudio, exposedDebugMode, exposedDockerPorts, exposedEnvFile, exposedGitDir, exposedServerActions, exposedSourceMaps, exposedStackTraces, filterFalsePositives, firebaseClientConfig, flaskSecretKey, freeRules, getObjectProperty, getSnippet, ghaExpressionInjection, ghaPermissionsWriteAll, ghaPullRequestTargetCheckout, ghaThirdPartyActionWithSecrets, githubActionsInjection, graphqlCSRFDisabled, graphqlIntrospection, graphqlNoComplexityLimit, graphqlNoDepthLimit, hardcodedAlgoliaAdminKey, hardcodedAnthropicKey, hardcodedCloudflareToken, hardcodedCohereKey, hardcodedDatadogKey, hardcodedDiscordToken, hardcodedEncryptionKey, hardcodedFastlyToken, hardcodedFireworksKey, hardcodedFlyToken, hardcodedGCPServiceAccount, hardcodedGitHubPAT, hardcodedGitLabToken, hardcodedGroqKey, hardcodedHighlightKey, hardcodedIPAllowlist, hardcodedIntercomToken, hardcodedJWTSecret, hardcodedLinearKey, hardcodedLogtailToken, hardcodedLoopsKey, hardcodedMailgunKey, hardcodedMistralKey, hardcodedNetlifyToken, hardcodedNotionKey, hardcodedOAuthSecret, hardcodedPineconeKey, hardcodedPlivoToken, hardcodedPostmarkKey, hardcodedQdrantKey, hardcodedRailwayToken, hardcodedReplicateKey, hardcodedResendKey, hardcodedSecrets, hardcodedSendGridKey, hardcodedSentryAuthToken, hardcodedShopifyToken, hardcodedSlackToken, hardcodedSupabaseServiceRole, hardcodedTogetherKey, hardcodedTwilioKey, hardcodedVaultToken, hardcodedVercelToken, hardcodedWeaviateKey, hostHeaderRedirect, httpRequestSmuggling, insecureCookies, insecureDeepLink, insecureDeserialization, insecureDirectObjectReference, insecureElectronWindow, insecureFileUpload, insecureGRPC, insecureHTTPMethods, insecurePasswordReset, insecureRandomness, insecureWebSocket, ipcPathTraversal, isCalleeNamed, isMethodCall, javaDeserialization, jwtAlgConfusion, k8sNoResourceLimits, k8sPrivileged, k8sSecretNotEncrypted, lambdaWithoutVPC, largeBundleImport, llmCallNoMaxTokens, llmOutputAsHTML, llmPromptInjection, llmSystemPromptInjection, logInjection, magicNumbers, massAssignment, missingAIRateLimit, missingAuthMiddleware, missingAuthRateLimit, missingBruteForce, missingCSP, missingCSRF, missingCertPinning, missingCloudTrail, missingContentDisposition, missingDBEncryption, missingErrorBoundary, missingFileSizeLimits, missingHSTS, missingHTTPS, missingLockFile, missingOAuthState, missingPagination, missingRequestSizeLimit, missingRequestValidation, missingSRI, missingSecurityMeta, nPlusOneQuery, nextPublicSecret, noRateLimiting, nosqlInjection, openRedirectParams, overlyPermissiveIAM, parseFile, pathTraversal, pickleDeserialization, piiInLogs, prototypePollution, pyDjangoAllowedHostsWildcard, pyDjangoMarkSafe, pyJWTDecodeWeakConfig, pyJinja2AutoescapeOff, pyParamikoAutoAdd, pyRequestsVerifyFalse, pyTempfileMktemp, raceCondition, rdsPubliclyAccessible, reflectedCORSOrigin, regexDos, runCustomRules, s3BucketNoEncryption, scanEntropy, secretInBundleConfig, secretInCLIArgument, secretInErrorResponse, secretInHTMLAttribute, secretInURLParam, secretLoggedToConsole, secretsInCI, securityGroupAllInbound, sensitiveAsyncStorage, sensitiveLocalStorage, sensitiveURLParams, sessionFixation, sqlInjection, ssrfVulnerability, ssti, stripeWebhookUnprotected, supabaseAnonAdmin, supabaseNoRLS, syncFileOps, terraformStateExposed, timingAttack, todoLeftInCode, unencryptedPII, unpinnedGitHubAction, unprotectedAPIRoutes, unprotectedDownload, unsafeObjectAssign, unsanitizedFilenames, unsanitizedHTMLExport, unvalidatedAPIParams, unvalidatedEventData, unvalidatedRedirect, vectorStoreQueryNoUserFilter, vectorStoreUpsertNoMetadata, visitBinary, visitCalls, vulnerableDependencies, weakHashing, weakPasswordRequirements, weakRSAKeySize, webhookSignatureVerification, xssVulnerability, xxeVulnerability };
+export { type AIFilterResult, type Confidence, type CustomRule, type DetectedFramework, type Exposure, type FilteredFinding, type Finding, type GradeResult, type ParsedFile, RULE_IMPACTS, type RuleMatch, type SecurityGrade, type Severity, type TaintMap, allCustomRules, allRules, androidDebuggable, blockingMainThread, buildTaintMap, calculateGrade, callSpreads, callbackHell, classifyExposure, clickjacking, clientComponentSecret, clientSideAuth, commandInjection, complianceMap, consoleLogProduction, corsLocalhost, corsServerless, corsWildcard, dangerousInnerHTML, deprecatedTLS, detectFramework, disabledTLSVerification, djangoDebug, dockerCopySensitive, dockerLatestTag, dockerRunAsRoot, dockerTooManyPorts, dockerfileADDInsteadOfCOPY, dockerfileMissingHealthcheck, dockerfileUnverifiedShellPipe, ecbModeEncryption, electronNavigationUnrestricted, emptyCatchBlock, envNotGitignored, evalUsage, eventListenerLeak, exposedAdminRoutes, exposedAuthSecret, exposedDBCredentials, exposedDatabaseStudio, exposedDebugMode, exposedDockerPorts, exposedEnvFile, exposedGitDir, exposedServerActions, exposedSourceMaps, exposedStackTraces, filterFalsePositives, firebaseClientConfig, flaskSecretKey, freeRules, getObjectProperty, getSnippet, ghaExpressionInjection, ghaPermissionsWriteAll, ghaPullRequestTargetCheckout, ghaThirdPartyActionWithSecrets, githubActionsInjection, graphqlCSRFDisabled, graphqlIntrospection, graphqlNoComplexityLimit, graphqlNoDepthLimit, hardcodedAlgoliaAdminKey, hardcodedAnthropicKey, hardcodedCloudflareToken, hardcodedCohereKey, hardcodedDatadogKey, hardcodedDiscordToken, hardcodedEncryptionKey, hardcodedFastlyToken, hardcodedFireworksKey, hardcodedFlyToken, hardcodedGCPServiceAccount, hardcodedGitHubPAT, hardcodedGitLabToken, hardcodedGroqKey, hardcodedHighlightKey, hardcodedIPAllowlist, hardcodedIntercomToken, hardcodedJWTSecret, hardcodedLinearKey, hardcodedLogtailToken, hardcodedLoopsKey, hardcodedMailgunKey, hardcodedMistralKey, hardcodedNetlifyToken, hardcodedNotionKey, hardcodedOAuthSecret, hardcodedPineconeKey, hardcodedPlivoToken, hardcodedPostmarkKey, hardcodedQdrantKey, hardcodedRailwayToken, hardcodedReplicateKey, hardcodedResendKey, hardcodedSecrets, hardcodedSendGridKey, hardcodedSentryAuthToken, hardcodedShopifyToken, hardcodedSlackToken, hardcodedSupabaseServiceRole, hardcodedTogetherKey, hardcodedTwilioKey, hardcodedVaultToken, hardcodedVercelToken, hardcodedWeaviateKey, hostHeaderRedirect, httpRequestSmuggling, insecureCookies, insecureDeepLink, insecureDeserialization, insecureDirectObjectReference, insecureElectronWindow, insecureFileUpload, insecureGRPC, insecureHTTPMethods, insecurePasswordReset, insecureRandomness, insecureWebSocket, ipcPathTraversal, isCalleeNamed, isMethodCall, javaDeserialization, jwtAlgConfusion, k8sNoResourceLimits, k8sPrivileged, k8sSecretNotEncrypted, lambdaWithoutVPC, largeBundleImport, llmCallNoMaxTokens, llmOutputAsHTML, llmPromptInjection, llmSystemPromptInjection, logInjection, magicNumbers, massAssignment, missingAIRateLimit, missingAuthMiddleware, missingAuthRateLimit, missingBruteForce, missingCSP, missingCSRF, missingCertPinning, missingCloudTrail, missingContentDisposition, missingDBEncryption, missingErrorBoundary, missingFileSizeLimits, missingHSTS, missingHTTPS, missingLockFile, missingOAuthState, missingPagination, missingRequestSizeLimit, missingRequestValidation, missingSRI, missingSecurityMeta, nPlusOneQuery, nextPublicSecret, noRateLimiting, nosqlInjection, openRedirectParams, overlyPermissiveIAM, parseFile, pathTraversal, pickleDeserialization, piiInLogs, prototypePollution, pyDjangoAllowedHostsWildcard, pyDjangoMarkSafe, pyJWTDecodeWeakConfig, pyJinja2AutoescapeOff, pyParamikoAutoAdd, pyRequestsVerifyFalse, pyTempfileMktemp, raceCondition, rdsPubliclyAccessible, reflectedCORSOrigin, regexDos, runCustomRules, s3BucketNoEncryption, scanEntropy, secretInBundleConfig, secretInCLIArgument, secretInErrorResponse, secretInHTMLAttribute, secretInURLParam, secretLoggedToConsole, secretsInCI, securityGroupAllInbound, sensitiveAsyncStorage, sensitiveLocalStorage, sensitiveURLParams, sessionFixation, sqlInjection, ssrfVulnerability, ssti, stripeWebhookUnprotected, supabaseAnonAdmin, supabaseNoRLS, syncFileOps, terraformStateExposed, timingAttack, todoLeftInCode, unencryptedPII, unpinnedGitHubAction, unprotectedAPIRoutes, unprotectedDownload, unsafeObjectAssign, unsanitizedFilenames, unsanitizedHTMLExport, unvalidatedAPIParams, unvalidatedEventData, unvalidatedRedirect, vectorStoreQueryNoUserFilter, vectorStoreUpsertNoMetadata, visitBinary, visitCalls, vulnerableDependencies, weakHashing, weakPasswordRequirements, weakRSAKeySize, webhookSignatureVerification, xssVulnerability, xxeVulnerability };

package/dist/index.d.ts CHANGED Viewed

@@ -51,6 +51,61 @@ interface CustomRule {
  */
 declare function getSnippet(content: string, line: number, contextLines?: number): string;
+/**
+ * Real-world consequence descriptions for VC### rules.
+ *
+ * Surfaced in the scan results UI ("Impact:" line) and in the AI summary
+ * email so users understand *why* a finding matters, not just what it is.
+ *
+ * Lives in shared-rules so the CLI, the web API, the standalone API, and any
+ * future surface read the same copy. Previously this map was duplicated
+ * inline inside both API entrypoints — the kind of place the
+ * `totalRules: 158` drift bug came from.
+ *
+ * Adding a rule? Add its impact string here so it shows up everywhere at
+ * once. If a rule has no entry, the UI falls back to the rule description.
+ */
+declare const RULE_IMPACTS: Record<string, string>;
+/**
+ * Heuristic for classifying a source file's exposure surface.
+ *
+ * Used in scan results to label findings as `public`, `internal`, or
+ * `unknown` so the UI can prioritize the public-facing ones (a hardcoded
+ * key in an API route is much worse than the same key in a config file
+ * that never ships to production). Scanners attach this to every finding
+ * via a `match.exposure` field.
+ *
+ * Lives in shared-rules so the web API and the standalone API can't drift
+ * apart on what counts as "public" vs "internal" — historically there
+ * were two divergent copies in those two files (different regexes, even
+ * different bug fixes shipped at different times). After this
+ * consolidation the heuristic has exactly one definition.
+ *
+ * The categories:
+ *
+ *   - `public`    : path looks like it serves end-user traffic
+ *                   (Next.js API routes, Express/Hono routes, Rails
+ *                   controllers, serverless function entrypoints, app-
+ *                   router pages, view templates).
+ *   - `internal`  : path looks like helper / lib code that's reachable
+ *                   from public surfaces but isn't itself a request
+ *                   handler.
+ *   - `unknown`   : everything else (test files, scripts, build output,
+ *                   ambiguous paths). The scanner deliberately doesn't
+ *                   guess here — wrong "public" labels are a worse UX
+ *                   than honest "unknown".
+ *
+ * The Next.js `pages/(?!api/)` lookahead is intentionally exact: it
+ * excludes only the literal `pages/api/` directory from being
+ * double-classified as public-page (it's already public-route on the
+ * line above), without wrongly excluding things like `pages/apikey/...`
+ * or `pages/admin/...`. (Macroscope #325 / vibecheck-api#4 caught a
+ * regression where this lookahead was too permissive.)
+ */
+type Exposure = "public" | "internal" | "unknown";
+declare function classifyExposure(filePath: string): Exposure;
 declare const hardcodedSecrets: CustomRule;
 declare const exposedEnvFile: CustomRule;
 declare const missingAuthMiddleware: CustomRule;
@@ -451,4 +506,4 @@ declare function getObjectProperty(node: ObjectExpression, key: string): {
 /** Does this CallExpression spread an expression `matcher` returns true for? */
 declare function callSpreads(call: CallExpression, matcher: (node: Node) => boolean): boolean;
-export { type AIFilterResult, type Confidence, type CustomRule, type DetectedFramework, type FilteredFinding, type Finding, type GradeResult, type ParsedFile, type RuleMatch, type SecurityGrade, type Severity, type TaintMap, allCustomRules, allRules, androidDebuggable, blockingMainThread, buildTaintMap, calculateGrade, callSpreads, callbackHell, clickjacking, clientComponentSecret, clientSideAuth, commandInjection, complianceMap, consoleLogProduction, corsLocalhost, corsServerless, corsWildcard, dangerousInnerHTML, deprecatedTLS, detectFramework, disabledTLSVerification, djangoDebug, dockerCopySensitive, dockerLatestTag, dockerRunAsRoot, dockerTooManyPorts, dockerfileADDInsteadOfCOPY, dockerfileMissingHealthcheck, dockerfileUnverifiedShellPipe, ecbModeEncryption, electronNavigationUnrestricted, emptyCatchBlock, envNotGitignored, evalUsage, eventListenerLeak, exposedAdminRoutes, exposedAuthSecret, exposedDBCredentials, exposedDatabaseStudio, exposedDebugMode, exposedDockerPorts, exposedEnvFile, exposedGitDir, exposedServerActions, exposedSourceMaps, exposedStackTraces, filterFalsePositives, firebaseClientConfig, flaskSecretKey, freeRules, getObjectProperty, getSnippet, ghaExpressionInjection, ghaPermissionsWriteAll, ghaPullRequestTargetCheckout, ghaThirdPartyActionWithSecrets, githubActionsInjection, graphqlCSRFDisabled, graphqlIntrospection, graphqlNoComplexityLimit, graphqlNoDepthLimit, hardcodedAlgoliaAdminKey, hardcodedAnthropicKey, hardcodedCloudflareToken, hardcodedCohereKey, hardcodedDatadogKey, hardcodedDiscordToken, hardcodedEncryptionKey, hardcodedFastlyToken, hardcodedFireworksKey, hardcodedFlyToken, hardcodedGCPServiceAccount, hardcodedGitHubPAT, hardcodedGitLabToken, hardcodedGroqKey, hardcodedHighlightKey, hardcodedIPAllowlist, hardcodedIntercomToken, hardcodedJWTSecret, hardcodedLinearKey, hardcodedLogtailToken, hardcodedLoopsKey, hardcodedMailgunKey, hardcodedMistralKey, hardcodedNetlifyToken, hardcodedNotionKey, hardcodedOAuthSecret, hardcodedPineconeKey, hardcodedPlivoToken, hardcodedPostmarkKey, hardcodedQdrantKey, hardcodedRailwayToken, hardcodedReplicateKey, hardcodedResendKey, hardcodedSecrets, hardcodedSendGridKey, hardcodedSentryAuthToken, hardcodedShopifyToken, hardcodedSlackToken, hardcodedSupabaseServiceRole, hardcodedTogetherKey, hardcodedTwilioKey, hardcodedVaultToken, hardcodedVercelToken, hardcodedWeaviateKey, hostHeaderRedirect, httpRequestSmuggling, insecureCookies, insecureDeepLink, insecureDeserialization, insecureDirectObjectReference, insecureElectronWindow, insecureFileUpload, insecureGRPC, insecureHTTPMethods, insecurePasswordReset, insecureRandomness, insecureWebSocket, ipcPathTraversal, isCalleeNamed, isMethodCall, javaDeserialization, jwtAlgConfusion, k8sNoResourceLimits, k8sPrivileged, k8sSecretNotEncrypted, lambdaWithoutVPC, largeBundleImport, llmCallNoMaxTokens, llmOutputAsHTML, llmPromptInjection, llmSystemPromptInjection, logInjection, magicNumbers, massAssignment, missingAIRateLimit, missingAuthMiddleware, missingAuthRateLimit, missingBruteForce, missingCSP, missingCSRF, missingCertPinning, missingCloudTrail, missingContentDisposition, missingDBEncryption, missingErrorBoundary, missingFileSizeLimits, missingHSTS, missingHTTPS, missingLockFile, missingOAuthState, missingPagination, missingRequestSizeLimit, missingRequestValidation, missingSRI, missingSecurityMeta, nPlusOneQuery, nextPublicSecret, noRateLimiting, nosqlInjection, openRedirectParams, overlyPermissiveIAM, parseFile, pathTraversal, pickleDeserialization, piiInLogs, prototypePollution, pyDjangoAllowedHostsWildcard, pyDjangoMarkSafe, pyJWTDecodeWeakConfig, pyJinja2AutoescapeOff, pyParamikoAutoAdd, pyRequestsVerifyFalse, pyTempfileMktemp, raceCondition, rdsPubliclyAccessible, reflectedCORSOrigin, regexDos, runCustomRules, s3BucketNoEncryption, scanEntropy, secretInBundleConfig, secretInCLIArgument, secretInErrorResponse, secretInHTMLAttribute, secretInURLParam, secretLoggedToConsole, secretsInCI, securityGroupAllInbound, sensitiveAsyncStorage, sensitiveLocalStorage, sensitiveURLParams, sessionFixation, sqlInjection, ssrfVulnerability, ssti, stripeWebhookUnprotected, supabaseAnonAdmin, supabaseNoRLS, syncFileOps, terraformStateExposed, timingAttack, todoLeftInCode, unencryptedPII, unpinnedGitHubAction, unprotectedAPIRoutes, unprotectedDownload, unsafeObjectAssign, unsanitizedFilenames, unsanitizedHTMLExport, unvalidatedAPIParams, unvalidatedEventData, unvalidatedRedirect, vectorStoreQueryNoUserFilter, vectorStoreUpsertNoMetadata, visitBinary, visitCalls, vulnerableDependencies, weakHashing, weakPasswordRequirements, weakRSAKeySize, webhookSignatureVerification, xssVulnerability, xxeVulnerability };
+export { type AIFilterResult, type Confidence, type CustomRule, type DetectedFramework, type Exposure, type FilteredFinding, type Finding, type GradeResult, type ParsedFile, RULE_IMPACTS, type RuleMatch, type SecurityGrade, type Severity, type TaintMap, allCustomRules, allRules, androidDebuggable, blockingMainThread, buildTaintMap, calculateGrade, callSpreads, callbackHell, classifyExposure, clickjacking, clientComponentSecret, clientSideAuth, commandInjection, complianceMap, consoleLogProduction, corsLocalhost, corsServerless, corsWildcard, dangerousInnerHTML, deprecatedTLS, detectFramework, disabledTLSVerification, djangoDebug, dockerCopySensitive, dockerLatestTag, dockerRunAsRoot, dockerTooManyPorts, dockerfileADDInsteadOfCOPY, dockerfileMissingHealthcheck, dockerfileUnverifiedShellPipe, ecbModeEncryption, electronNavigationUnrestricted, emptyCatchBlock, envNotGitignored, evalUsage, eventListenerLeak, exposedAdminRoutes, exposedAuthSecret, exposedDBCredentials, exposedDatabaseStudio, exposedDebugMode, exposedDockerPorts, exposedEnvFile, exposedGitDir, exposedServerActions, exposedSourceMaps, exposedStackTraces, filterFalsePositives, firebaseClientConfig, flaskSecretKey, freeRules, getObjectProperty, getSnippet, ghaExpressionInjection, ghaPermissionsWriteAll, ghaPullRequestTargetCheckout, ghaThirdPartyActionWithSecrets, githubActionsInjection, graphqlCSRFDisabled, graphqlIntrospection, graphqlNoComplexityLimit, graphqlNoDepthLimit, hardcodedAlgoliaAdminKey, hardcodedAnthropicKey, hardcodedCloudflareToken, hardcodedCohereKey, hardcodedDatadogKey, hardcodedDiscordToken, hardcodedEncryptionKey, hardcodedFastlyToken, hardcodedFireworksKey, hardcodedFlyToken, hardcodedGCPServiceAccount, hardcodedGitHubPAT, hardcodedGitLabToken, hardcodedGroqKey, hardcodedHighlightKey, hardcodedIPAllowlist, hardcodedIntercomToken, hardcodedJWTSecret, hardcodedLinearKey, hardcodedLogtailToken, hardcodedLoopsKey, hardcodedMailgunKey, hardcodedMistralKey, hardcodedNetlifyToken, hardcodedNotionKey, hardcodedOAuthSecret, hardcodedPineconeKey, hardcodedPlivoToken, hardcodedPostmarkKey, hardcodedQdrantKey, hardcodedRailwayToken, hardcodedReplicateKey, hardcodedResendKey, hardcodedSecrets, hardcodedSendGridKey, hardcodedSentryAuthToken, hardcodedShopifyToken, hardcodedSlackToken, hardcodedSupabaseServiceRole, hardcodedTogetherKey, hardcodedTwilioKey, hardcodedVaultToken, hardcodedVercelToken, hardcodedWeaviateKey, hostHeaderRedirect, httpRequestSmuggling, insecureCookies, insecureDeepLink, insecureDeserialization, insecureDirectObjectReference, insecureElectronWindow, insecureFileUpload, insecureGRPC, insecureHTTPMethods, insecurePasswordReset, insecureRandomness, insecureWebSocket, ipcPathTraversal, isCalleeNamed, isMethodCall, javaDeserialization, jwtAlgConfusion, k8sNoResourceLimits, k8sPrivileged, k8sSecretNotEncrypted, lambdaWithoutVPC, largeBundleImport, llmCallNoMaxTokens, llmOutputAsHTML, llmPromptInjection, llmSystemPromptInjection, logInjection, magicNumbers, massAssignment, missingAIRateLimit, missingAuthMiddleware, missingAuthRateLimit, missingBruteForce, missingCSP, missingCSRF, missingCertPinning, missingCloudTrail, missingContentDisposition, missingDBEncryption, missingErrorBoundary, missingFileSizeLimits, missingHSTS, missingHTTPS, missingLockFile, missingOAuthState, missingPagination, missingRequestSizeLimit, missingRequestValidation, missingSRI, missingSecurityMeta, nPlusOneQuery, nextPublicSecret, noRateLimiting, nosqlInjection, openRedirectParams, overlyPermissiveIAM, parseFile, pathTraversal, pickleDeserialization, piiInLogs, prototypePollution, pyDjangoAllowedHostsWildcard, pyDjangoMarkSafe, pyJWTDecodeWeakConfig, pyJinja2AutoescapeOff, pyParamikoAutoAdd, pyRequestsVerifyFalse, pyTempfileMktemp, raceCondition, rdsPubliclyAccessible, reflectedCORSOrigin, regexDos, runCustomRules, s3BucketNoEncryption, scanEntropy, secretInBundleConfig, secretInCLIArgument, secretInErrorResponse, secretInHTMLAttribute, secretInURLParam, secretLoggedToConsole, secretsInCI, securityGroupAllInbound, sensitiveAsyncStorage, sensitiveLocalStorage, sensitiveURLParams, sessionFixation, sqlInjection, ssrfVulnerability, ssti, stripeWebhookUnprotected, supabaseAnonAdmin, supabaseNoRLS, syncFileOps, terraformStateExposed, timingAttack, todoLeftInCode, unencryptedPII, unpinnedGitHubAction, unprotectedAPIRoutes, unprotectedDownload, unsafeObjectAssign, unsanitizedFilenames, unsanitizedHTMLExport, unvalidatedAPIParams, unvalidatedEventData, unvalidatedRedirect, vectorStoreQueryNoUserFilter, vectorStoreUpsertNoMetadata, visitBinary, visitCalls, vulnerableDependencies, weakHashing, weakPasswordRequirements, weakRSAKeySize, webhookSignatureVerification, xssVulnerability, xxeVulnerability };

package/dist/index.js CHANGED Viewed

@@ -10,6 +10,42 @@ function getSnippet(content, line, contextLines = 2) {
   }).join("\n");
 }
+// src/rule-impacts.ts
+var RULE_IMPACTS = {
+  VC001: "An attacker who finds this key in your source code or client bundle can use your API with your credentials, potentially reading or modifying user data and racking up usage charges.",
+  VC002: "If this .env file is committed to git, anyone with repo access (including public repos) can extract your database passwords, API keys, and other secrets.",
+  VC003: "This API endpoint has no authentication check. Anyone on the internet can call it directly, potentially accessing or modifying data without permission.",
+  VC004: "The service_role key bypasses all Row Level Security policies. If exposed client-side, any user can read, modify, or delete any row in your database.",
+  VC005: "Without webhook signature verification, an attacker can send fake payment events to your endpoint \u2014 granting free access, duplicating orders, or corrupting billing data.",
+  VC006: "An attacker can inject malicious SQL through user input, potentially dumping your entire database, modifying records, or deleting tables.",
+  VC007: "An attacker can inject JavaScript that runs in other users' browsers, stealing session cookies, redirecting to phishing pages, or performing actions as the victim.",
+  VC008: "Without rate limiting, an attacker can flood your API with requests causing denial of service, brute-force attacks, or excessive cloud billing.",
+  VC009: "With CORS set to allow all origins, any website can make authenticated requests to your API from a user's browser, enabling cross-site data theft.",
+  VC010: "Hiding UI elements without server-side checks means an attacker can call your API directly and bypass the restriction entirely.",
+  VC011: "The NEXT_PUBLIC_ prefix exposes this value in the browser bundle. If it's a secret, anyone viewing your site's JavaScript can extract it."
+};
+// src/exposure.ts
+function classifyExposure(filePath) {
+  if (/(?:\/api\/|pages\/api\/|routes?\/|controllers?\/|endpoints?\/|server\.|app\/.*route\.)/.test(
+    filePath
+  )) {
+    return "public";
+  }
+  if (/(?:app\/.*page\.|pages\/(?!api\/)|views?\/|templates?\/)/.test(filePath)) {
+    return "public";
+  }
+  if (/(?:lib\/|utils?\/|helpers?\/|services?\/|models?\/|hooks?\/)/.test(
+    filePath
+  )) {
+    return "internal";
+  }
+  if (/(?:middleware|config|constants?)/.test(filePath)) {
+    return "internal";
+  }
+  return "unknown";
+}
 // src/ast/parse.ts
 import { parse } from "@babel/parser";
 var MAX_CACHE = 256;
@@ -7817,6 +7853,7 @@ function scanEntropy(files) {
   return findings;
 }
 export {
+  RULE_IMPACTS,
   allCustomRules,
   allRules,
   androidDebuggable,
@@ -7825,6 +7862,7 @@ export {
   calculateGrade,
   callSpreads,
   callbackHell,
+  classifyExposure,
   clickjacking,
   clientComponentSecret,
   clientSideAuth,