xploitscan-shared-rules 1.6.2 → 1.7.0

package/dist/index.js

@@ -626,6 +626,17 @@ function isInsideFixMessage(content, matchIndex) {
   const lineText = content.substring(lineStart, content.indexOf("\n", matchIndex));
   return /(?:fix|description|message|suggestion|hint|help|example|doc|comment)\s*[:=(]/i.test(lineText) || /return\s*["'`].*\b(?:Use|Replace|Add|Move|Set|Enable|Disable|Never|Don't|Do not|Instead)\b/i.test(lineText);
 }
+function isInlineSilenced(content, matchIndex, ruleId) {
+  const lines = content.split("\n");
+  const matchLineNum = content.substring(0, matchIndex).split("\n").length - 1;
+  const matchLine = lines[matchLineNum] ?? "";
+  const prevLine = matchLineNum > 0 ? lines[matchLineNum - 1] ?? "" : "";
+  const marker = new RegExp(
+    `(?://|/\\*|#)\\s*(?:${ruleId}|scanner)-OK\\b`,
+    "i"
+  );
+  return marker.test(matchLine) || marker.test(prevLine);
+}
 function findMatches(content, pattern, rule, filePath, fixTemplate) {
   const matches = [];
   const lines = content.split("\n");
@@ -754,6 +765,16 @@ var hardcodedSecrets = {
           const secretMatch = lineText.match(/[:=]\s*["'`]([^"'`]*)["'`]/);
           if (secretMatch && secretMatch[1].length < floor) continue;
         }
+        if (pi === 6) {
+          const valMatch = lineText.match(/[:=]\s*["'`]([^"'`]+)["'`]/);
+          const nameMatch = lineText.match(/\b([A-Z][A-Z0-9_]*_(?:SECRET|TOKEN|KEY|PASSWORD|PASSWD))\b/);
+          if (valMatch && nameMatch) {
+            const value = valMatch[1];
+            const isKeySuffix = nameMatch[1].endsWith("_KEY");
+            const isKebabIdentifier = value.length < 40 && /^[a-z0-9]+(-[a-z0-9]+)+$/.test(value);
+            if (isKeySuffix && isKebabIdentifier) continue;
+          }
+        }
         matches.push(rm);
       }
     }
@@ -947,7 +968,7 @@ var sqlInjection = {
       /(?:SELECT|INSERT|UPDATE|DELETE|WHERE)\s+.*\$\{(?!.*parameterized)/gi
     ];
     const matches = [];
-    const usesParams = /\?\s*,|\$\d+|:[\w]+|\bprepare\b|\bplaceholder\b/i.test(content);
+    const usesParams = /\?\s*,|\?[^?,;]{1,20}\?|\$\d+|:[\w]+|\bprepare\b|\bplaceholders?\b/i.test(content);
     if (usesParams) return [];
     for (const pattern of patterns) {
       const raw = findMatches(
@@ -3038,6 +3059,7 @@ var dangerousInnerHTML = {
     let m;
     while ((m = re.exec(content)) !== null) {
       if (isCommentLine(content, m.index)) continue;
+      if (isInlineSilenced(content, m.index, "VC063")) continue;
       const value = m[1].trim();
       if (/^[A-Z][A-Z0-9_]+$/.test(value)) continue;
       if (/^["'`][^$]*["'`]$/.test(value)) continue;
@@ -3051,7 +3073,7 @@ var dangerousInnerHTML = {
         file: filePath,
         line: lineNum,
         snippet: getSnippet(content, lineNum),
-        fix: "Sanitize HTML before using dangerouslySetInnerHTML: dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(content) }}. Install: npm install dompurify"
+        fix: "Sanitize HTML before using dangerouslySetInnerHTML: dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(content) }}. Install: npm install dompurify. If this site is intentional (server-built template, nonce-attribute boot script, etc.), add an inline `// VC063-OK: <reason>` comment above the line to silence."
       });
     }
     return findings;
@@ -7053,6 +7075,7 @@ var secretInURLParam = {
       while ((m = re.exec(content)) !== null) {
         if (isCommentLine(content, m.index)) continue;
         if (isInsideFixMessage(content, m.index)) continue;
+        if (isInlineSilenced(content, m.index, "VC146")) continue;
         const lineNum = content.substring(0, m.index).split("\n").length;
         findings.push({
           rule: "VC146",
@@ -7062,7 +7085,7 @@ var secretInURLParam = {
           file: filePath,
           line: lineNum,
           snippet: getSnippet(content, lineNum),
-          fix: "Pass secrets in the Authorization header (Bearer token) or request body, never in URL parameters. URL parameters are logged in server access logs, browser history, and referrer headers."
+          fix: "Pass secrets in the Authorization header (Bearer token) or request body, never in URL parameters. URL parameters are logged in server access logs, browser history, and referrer headers. If this finding is legitimate (magic-link / claim-token flow), add an inline `// VC146-OK: <reason>` comment above the line to silence it."
         });
       }
     }
@@ -7253,10 +7276,14 @@ var webhookSignatureVerification = {
   check(content, filePath) {
     if (!filePath.match(/\.(js|ts|jsx|tsx)$/)) return [];
     if (isTestFile(filePath)) return [];
-    if (!/\/api\/|\/webhook/i.test(filePath)) return [];
+    if (!/webhook/i.test(filePath)) return [];
     if (!/export\s+(?:async\s+)?function\s+POST/i.test(content)) return [];
     const services = [
-      { name: "Clerk", content: /clerk/i, events: /user\.created|user\.updated|user\.deleted|session\./i, verify: /svix|Webhook\(\)\.verify|webhook-id|wh_secret/i },
+      // Tightened Clerk events: require the specific subevent suffix
+      // rather than bare `session.`. The bare-prefix version matched
+      // Stripe Checkout `session.url`, which has nothing to do with
+      // Clerk webhooks.
+      { name: "Clerk", content: /clerk/i, events: /user\.(created|updated|deleted)|session\.(created|removed|ended|revoked)/i, verify: /svix|Webhook\(\)\.verify|webhook-id|wh_secret/i },
       { name: "GitHub", content: /github/i, events: /push|pull_request|issues|installation/i, verify: /createHmac|x-hub-signature|verify.*signature|GITHUB_WEBHOOK_SECRET/i },
       { name: "Resend", content: /resend/i, events: /email\.sent|email\.delivered|email\.bounced/i, verify: /svix|webhook.*verify|x-webhook-signature|RESEND_WEBHOOK_SECRET/i },
       { name: "SendGrid", content: /sendgrid/i, events: /inbound.*parse|event.*webhook/i, verify: /EventWebhook|x-twilio-email|verifySignature|SENDGRID_WEBHOOK_VERIFICATION/i },