npm - xploitscan-shared-rules - Versions diffs - 1.6.1 → 1.7.0 - Mend

xploitscan-shared-rules 1.6.1 → 1.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.cjs CHANGED Viewed

@@ -887,6 +887,17 @@ function isInsideFixMessage(content, matchIndex) {
   const lineText = content.substring(lineStart, content.indexOf("\n", matchIndex));
   return /(?:fix|description|message|suggestion|hint|help|example|doc|comment)\s*[:=(]/i.test(lineText) || /return\s*["'`].*\b(?:Use|Replace|Add|Move|Set|Enable|Disable|Never|Don't|Do not|Instead)\b/i.test(lineText);
 }
+function isInlineSilenced(content, matchIndex, ruleId) {
+  const lines = content.split("\n");
+  const matchLineNum = content.substring(0, matchIndex).split("\n").length - 1;
+  const matchLine = lines[matchLineNum] ?? "";
+  const prevLine = matchLineNum > 0 ? lines[matchLineNum - 1] ?? "" : "";
+  const marker = new RegExp(
+    `(?://|/\\*|#)\\s*(?:${ruleId}|scanner)-OK\\b`,
+    "i"
+  );
+  return marker.test(matchLine) || marker.test(prevLine);
+}
 function findMatches(content, pattern, rule, filePath, fixTemplate) {
   const matches = [];
   const lines = content.split("\n");
@@ -1015,6 +1026,16 @@ var hardcodedSecrets = {
           const secretMatch = lineText.match(/[:=]\s*["'`]([^"'`]*)["'`]/);
           if (secretMatch && secretMatch[1].length < floor) continue;
         }
+        if (pi === 6) {
+          const valMatch = lineText.match(/[:=]\s*["'`]([^"'`]+)["'`]/);
+          const nameMatch = lineText.match(/\b([A-Z][A-Z0-9_]*_(?:SECRET|TOKEN|KEY|PASSWORD|PASSWD))\b/);
+          if (valMatch && nameMatch) {
+            const value = valMatch[1];
+            const isKeySuffix = nameMatch[1].endsWith("_KEY");
+            const isKebabIdentifier = value.length < 40 && /^[a-z0-9]+(-[a-z0-9]+)+$/.test(value);
+            if (isKeySuffix && isKebabIdentifier) continue;
+          }
+        }
         matches.push(rm);
       }
     }
@@ -1208,7 +1229,7 @@ var sqlInjection = {
       /(?:SELECT|INSERT|UPDATE|DELETE|WHERE)\s+.*\$\{(?!.*parameterized)/gi
     ];
     const matches = [];
-    const usesParams = /\?\s*,|\$\d+|:[\w]+|\bprepare\b|\bplaceholder\b/i.test(content);
+    const usesParams = /\?\s*,|\?[^?,;]{1,20}\?|\$\d+|:[\w]+|\bprepare\b|\bplaceholders?\b/i.test(content);
     if (usesParams) return [];
     for (const pattern of patterns) {
       const raw = findMatches(
@@ -3299,6 +3320,7 @@ var dangerousInnerHTML = {
     let m;
     while ((m = re.exec(content)) !== null) {
       if (isCommentLine(content, m.index)) continue;
+      if (isInlineSilenced(content, m.index, "VC063")) continue;
       const value = m[1].trim();
       if (/^[A-Z][A-Z0-9_]+$/.test(value)) continue;
       if (/^["'`][^$]*["'`]$/.test(value)) continue;
@@ -3312,7 +3334,7 @@ var dangerousInnerHTML = {
         file: filePath,
         line: lineNum,
         snippet: getSnippet(content, lineNum),
-        fix: "Sanitize HTML before using dangerouslySetInnerHTML: dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(content) }}. Install: npm install dompurify"
+        fix: "Sanitize HTML before using dangerouslySetInnerHTML: dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(content) }}. Install: npm install dompurify. If this site is intentional (server-built template, nonce-attribute boot script, etc.), add an inline `// VC063-OK: <reason>` comment above the line to silence."
       });
     }
     return findings;
@@ -4604,7 +4626,12 @@ var complianceMap = {
 var consoleLogProduction = {
   id: "VC097",
   title: "Console.log Left in Production Code",
-  severity: "low",
+  // Demoted from "low" to "info" 2026-05-11. This is a code-hygiene
+  // signal (leaked debug logs, occasionally PII), not a security
+  // vulnerability in the OWASP sense. Was inflating severity counts
+  // on real codebases (11+ hits on vibecheck's own scan), drowning
+  // the actual security signal.
+  severity: "info",
   category: "Performance",
   description: "console.log statements left in production code can leak sensitive data, slow down rendering, and clutter browser consoles.",
   check(content, filePath) {
@@ -4627,7 +4654,11 @@ var consoleLogProduction = {
 var syncFileOps = {
   id: "VC098",
   title: "Synchronous File Operations",
-  severity: "medium",
+  // Demoted from "medium" to "info" 2026-05-11. Already a Performance-
+  // category rule (see below) — it's a perf concern, not a security
+  // one, so it shouldn't have been at "medium" alongside actual
+  // security findings. The severity scale should reflect risk class.
+  severity: "info",
   category: "Performance",
   description: "Synchronous file operations (readFileSync, writeFileSync) block the event loop, causing all other requests to wait.",
   check(content, filePath) {
@@ -4664,7 +4695,9 @@ var eventListenerLeak = {
 var nPlusOneQuery = {
   id: "VC100",
   title: "N+1 Query Pattern Detected",
-  severity: "medium",
+  // Demoted from "medium" to "info" 2026-05-11. Performance pattern,
+  // not a security issue — same rationale as VC098.
+  severity: "info",
   category: "Performance",
   description: "Database queries inside loops cause N+1 performance problems \u2014 one query per iteration instead of a single batch query.",
   check(content, filePath) {
@@ -4749,7 +4782,11 @@ var todoLeftInCode = {
 var emptyCatchBlock = {
   id: "VC104",
   title: "Empty Catch Block",
-  severity: "medium",
+  // Demoted from "medium" to "info" 2026-05-11. Already a Code-Quality
+  // category — empty catch blocks are a maintainability concern, not a
+  // security vulnerability. Worth flagging, not worth counting as a
+  // security "medium" alongside actual SQL-injection / XSS findings.
+  severity: "info",
   category: "Code Quality",
   description: "Empty catch blocks silently swallow errors, making bugs impossible to diagnose. At minimum, log the error.",
   check(content, filePath) {
@@ -4783,7 +4820,11 @@ var callbackHell = {
 var magicNumbers = {
   id: "VC106",
   title: "Magic Numbers in Code",
-  severity: "low",
+  // Demoted from "low" to "info" 2026-05-11. Already a Code-Quality
+  // category — magic numbers are a style/readability concern, not a
+  // security vulnerability. Was the single noisiest rule on the
+  // vibecheck self-scan (44 hits) drowning real security signal.
+  severity: "info",
   category: "Code Quality",
   description: "Unnamed numeric constants in conditions or calculations make code hard to understand. Extract them into named constants.",
   check(content, filePath) {
@@ -7295,6 +7336,7 @@ var secretInURLParam = {
       while ((m = re.exec(content)) !== null) {
         if (isCommentLine(content, m.index)) continue;
         if (isInsideFixMessage(content, m.index)) continue;
+        if (isInlineSilenced(content, m.index, "VC146")) continue;
         const lineNum = content.substring(0, m.index).split("\n").length;
         findings.push({
           rule: "VC146",
@@ -7304,7 +7346,7 @@ var secretInURLParam = {
           file: filePath,
           line: lineNum,
           snippet: getSnippet(content, lineNum),
-          fix: "Pass secrets in the Authorization header (Bearer token) or request body, never in URL parameters. URL parameters are logged in server access logs, browser history, and referrer headers."
+          fix: "Pass secrets in the Authorization header (Bearer token) or request body, never in URL parameters. URL parameters are logged in server access logs, browser history, and referrer headers. If this finding is legitimate (magic-link / claim-token flow), add an inline `// VC146-OK: <reason>` comment above the line to silence it."
         });
       }
     }
@@ -7495,10 +7537,14 @@ var webhookSignatureVerification = {
   check(content, filePath) {
     if (!filePath.match(/\.(js|ts|jsx|tsx)$/)) return [];
     if (isTestFile(filePath)) return [];
-    if (!/\/api\/|\/webhook/i.test(filePath)) return [];
+    if (!/webhook/i.test(filePath)) return [];
     if (!/export\s+(?:async\s+)?function\s+POST/i.test(content)) return [];
     const services = [
-      { name: "Clerk", content: /clerk/i, events: /user\.created|user\.updated|user\.deleted|session\./i, verify: /svix|Webhook\(\)\.verify|webhook-id|wh_secret/i },
+      // Tightened Clerk events: require the specific subevent suffix
+      // rather than bare `session.`. The bare-prefix version matched
+      // Stripe Checkout `session.url`, which has nothing to do with
+      // Clerk webhooks.
+      { name: "Clerk", content: /clerk/i, events: /user\.(created|updated|deleted)|session\.(created|removed|ended|revoked)/i, verify: /svix|Webhook\(\)\.verify|webhook-id|wh_secret/i },
       { name: "GitHub", content: /github/i, events: /push|pull_request|issues|installation/i, verify: /createHmac|x-hub-signature|verify.*signature|GITHUB_WEBHOOK_SECRET/i },
       { name: "Resend", content: /resend/i, events: /email\.sent|email\.delivered|email\.bounced/i, verify: /svix|webhook.*verify|x-webhook-signature|RESEND_WEBHOOK_SECRET/i },
       { name: "SendGrid", content: /sendgrid/i, events: /inbound.*parse|event.*webhook/i, verify: /EventWebhook|x-twilio-email|verifySignature|SENDGRID_WEBHOOK_VERIFICATION/i },