xploitscan-shared-rules 1.6.2 → 1.7.2

package/dist/index.cjs

@@ -887,6 +887,17 @@ function isInsideFixMessage(content, matchIndex) {
   const lineText = content.substring(lineStart, content.indexOf("\n", matchIndex));
   return /(?:fix|description|message|suggestion|hint|help|example|doc|comment)\s*[:=(]/i.test(lineText) || /return\s*["'`].*\b(?:Use|Replace|Add|Move|Set|Enable|Disable|Never|Don't|Do not|Instead)\b/i.test(lineText);
 }
+function isInlineSilenced(content, matchIndex, ruleId) {
+  const lines = content.split("\n");
+  const matchLineNum = content.substring(0, matchIndex).split("\n").length - 1;
+  const matchLine = lines[matchLineNum] ?? "";
+  const prevLine = matchLineNum > 0 ? lines[matchLineNum - 1] ?? "" : "";
+  const marker = new RegExp(
+    `(?://|/\\*|#)\\s*(?:${ruleId}|scanner)-OK\\b`,
+    "i"
+  );
+  return marker.test(matchLine) || marker.test(prevLine);
+}
 function findMatches(content, pattern, rule, filePath, fixTemplate) {
   const matches = [];
   const lines = content.split("\n");
@@ -1015,6 +1026,16 @@ var hardcodedSecrets = {
           const secretMatch = lineText.match(/[:=]\s*["'`]([^"'`]*)["'`]/);
           if (secretMatch && secretMatch[1].length < floor) continue;
         }
+        if (pi === 6) {
+          const valMatch = lineText.match(/[:=]\s*["'`]([^"'`]+)["'`]/);
+          const nameMatch = lineText.match(/\b([A-Z][A-Z0-9_]*_(?:SECRET|TOKEN|KEY|PASSWORD|PASSWD))\b/);
+          if (valMatch && nameMatch) {
+            const value = valMatch[1];
+            const isKeySuffix = nameMatch[1].endsWith("_KEY");
+            const isKebabIdentifier = value.length < 40 && /^[a-z0-9]+(-[a-z0-9]+)+$/.test(value);
+            if (isKeySuffix && isKebabIdentifier) continue;
+          }
+        }
         matches.push(rm);
       }
     }
@@ -1204,11 +1225,19 @@ var sqlInjection = {
       // The older `[^"']*` class bailed out at the first inner quote and
       // missed every realistic SQL-containing concat.
       /(?:query|execute|raw|sql|queryRaw|queryRawUnsafe|executeRaw|executeRawUnsafe)\s*\(\s*(?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')\s*\+/gi,
-      // Direct variable interpolation in a SQL verb context
-      /(?:SELECT|INSERT|UPDATE|DELETE|WHERE)\s+.*\$\{(?!.*parameterized)/gi
+      // Direct variable interpolation in a SQL string literal. Requires the
+      // verb to START a quoted/backtick literal AND be followed — within the
+      // same literal — by a SQL structural keyword (FROM/SET/WHERE/…), then a
+      // `${` interpolation. The structural keyword is what distinguishes a
+      // real query from ordinary prose: the previous pattern matched any
+      // SELECT/UPDATE/… word anywhere on a line followed by `${`, so UI copy
+      // like `UPDATE your profile settings ${name}` flagged as a CRITICAL SQL
+      // injection. Real queries ("SELECT … FROM …", "UPDATE … SET …") always
+      // carry a second structural keyword; sentences almost never do.
+      /["'`]\s*(?:SELECT|INSERT|UPDATE|DELETE)\b[^"'`\n]*\b(?:FROM|INTO|SET|VALUES|WHERE|JOIN|RETURNING)\b[^"'`\n]*\$\{(?!.*parameterized)/gi
     ];
     const matches = [];
-    const usesParams = /\?\s*,|\$\d+|:[\w]+|\bprepare\b|\bplaceholder\b/i.test(content);
+    const usesParams = /\?\s*,|\?[^?,;]{1,20}\?|\$\d+|:[\w]+|\bprepare\b|\bplaceholders?\b/i.test(content);
     if (usesParams) return [];
     for (const pattern of patterns) {
       const raw = findMatches(
@@ -1251,6 +1280,7 @@ var xssVulnerability = {
       // {@html} in Svelte
       /\{@html\s/g
     ];
+    const allLines = content.split("\n");
     const matches = [];
     for (const pattern of patterns) {
       const raw = findMatches(
@@ -1258,12 +1288,18 @@ var xssVulnerability = {
         pattern,
         xssVulnerability,
         filePath,
-        () => "Sanitize user input before rendering as HTML. Use a library like DOMPurify: DOMPurify.sanitize(userInput)"
+        () => "Sanitize user input before rendering as HTML. Use a library like DOMPurify: DOMPurify.sanitize(userInput). If this site is intentional (JSON-LD structured data, a const boot script, a sandboxed preview), add an inline `// VC007-OK: <reason>` comment above the line to silence."
       );
       for (const m of raw) {
-        const lineText = content.split("\n")[m.line - 1] || "";
+        const lineText = allLines[m.line - 1] || "";
         if (/\.innerHTML\s*=\s*['"]/.test(lineText) && !/\$\{/.test(lineText)) continue;
         if (/\.innerHTML\s*=\s*['"][^'"]*['"]\s*$/.test(lineText)) continue;
+        if (/dangerouslySetInnerHTML/.test(lineText)) {
+          const windowText = allLines.slice(m.line - 1, m.line + 2).join("\n");
+          if (/JSON\.stringify/i.test(windowText)) continue;
+          const lineStartIdx = allLines.slice(0, m.line - 1).reduce((acc, l) => acc + l.length + 1, 0);
+          if (isInlineSilenced(content, lineStartIdx, "VC007")) continue;
+        }
         matches.push(m);
       }
     }
@@ -1539,23 +1575,35 @@ var unvalidatedRedirect = {
   check(content, filePath) {
     if (isTestFile(filePath)) return [];
     if (/isAllowedRedirect|validateRedirect|isSafeRedirect|allowedDomains|trustedDomains|whitelist.*url|allowlist.*url/i.test(content)) return [];
-    const patterns = [
-      /window\.location\s*=\s*(?!["'`]https?:\/\/)/g,
-      /window\.location\.href\s*=\s*(?!["'`]https?:\/\/)/g,
-      /window\.location\.assign\s*\(\s*(?!["'`]https?:\/\/)/g,
-      /window\.location\.replace\s*\(\s*(?!["'`]https?:\/\/)/g,
-      /res\.redirect\s*\(\s*(?:req\.|params\.|query\.)/gi
-    ];
     const matches = [];
-    for (const p of patterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        unvalidatedRedirect,
-        filePath,
-        () => "Validate redirect URLs against an allowlist of trusted domains. Never redirect to user-supplied URLs directly."
-      ));
+    const navPattern = /(?:window\.location(?:\.href)?\s*=\s*|window\.location\.(?:assign|replace)\s*\(\s*)([^;\n)]+)/g;
+    let m;
+    while ((m = navPattern.exec(content)) !== null) {
+      if (isCommentLine(content, m.index)) continue;
+      const value = m[1].trim();
+      const hasInterpolation = /\$\{/.test(value);
+      const isPureLiteral = /^["'`][^"'`]*["'`]$/.test(value);
+      if (!hasInterpolation && isPureLiteral) continue;
+      if (isInlineSilenced(content, m.index, "VC016")) continue;
+      const line = content.substring(0, m.index).split("\n").length;
+      matches.push({
+        rule: "VC016",
+        title: unvalidatedRedirect.title,
+        severity: "high",
+        category: "Injection",
+        file: filePath,
+        line,
+        snippet: getSnippet(content, line),
+        fix: "Validate redirect URLs against an allowlist of trusted domains. Never redirect to user-supplied URLs directly. If the target is a hardcoded/internal path you control, add an inline `// VC016-OK: <reason>` comment to silence."
+      });
     }
+    matches.push(...findMatches(
+      content,
+      /res\.redirect\s*\(\s*(?:req\.|params\.|query\.)/gi,
+      unvalidatedRedirect,
+      filePath,
+      () => "Validate redirect URLs against an allowlist of trusted domains. Never redirect to user-supplied URLs directly."
+    ));
     return matches;
   }
 };
@@ -3299,6 +3347,7 @@ var dangerousInnerHTML = {
     let m;
     while ((m = re.exec(content)) !== null) {
       if (isCommentLine(content, m.index)) continue;
+      if (isInlineSilenced(content, m.index, "VC063")) continue;
       const value = m[1].trim();
       if (/^[A-Z][A-Z0-9_]+$/.test(value)) continue;
       if (/^["'`][^$]*["'`]$/.test(value)) continue;
@@ -3312,7 +3361,7 @@ var dangerousInnerHTML = {
         file: filePath,
         line: lineNum,
         snippet: getSnippet(content, lineNum),
-        fix: "Sanitize HTML before using dangerouslySetInnerHTML: dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(content) }}. Install: npm install dompurify"
+        fix: "Sanitize HTML before using dangerouslySetInnerHTML: dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(content) }}. Install: npm install dompurify. If this site is intentional (server-built template, nonce-attribute boot script, etc.), add an inline `// VC063-OK: <reason>` comment above the line to silence."
       });
     }
     return findings;
@@ -7314,6 +7363,7 @@ var secretInURLParam = {
       while ((m = re.exec(content)) !== null) {
         if (isCommentLine(content, m.index)) continue;
         if (isInsideFixMessage(content, m.index)) continue;
+        if (isInlineSilenced(content, m.index, "VC146")) continue;
         const lineNum = content.substring(0, m.index).split("\n").length;
         findings.push({
           rule: "VC146",
@@ -7323,7 +7373,7 @@ var secretInURLParam = {
           file: filePath,
           line: lineNum,
           snippet: getSnippet(content, lineNum),
-          fix: "Pass secrets in the Authorization header (Bearer token) or request body, never in URL parameters. URL parameters are logged in server access logs, browser history, and referrer headers."
+          fix: "Pass secrets in the Authorization header (Bearer token) or request body, never in URL parameters. URL parameters are logged in server access logs, browser history, and referrer headers. If this finding is legitimate (magic-link / claim-token flow), add an inline `// VC146-OK: <reason>` comment above the line to silence it."
         });
       }
     }
@@ -7514,10 +7564,14 @@ var webhookSignatureVerification = {
   check(content, filePath) {
     if (!filePath.match(/\.(js|ts|jsx|tsx)$/)) return [];
     if (isTestFile(filePath)) return [];
-    if (!/\/api\/|\/webhook/i.test(filePath)) return [];
+    if (!/webhook/i.test(filePath)) return [];
     if (!/export\s+(?:async\s+)?function\s+POST/i.test(content)) return [];
     const services = [
-      { name: "Clerk", content: /clerk/i, events: /user\.created|user\.updated|user\.deleted|session\./i, verify: /svix|Webhook\(\)\.verify|webhook-id|wh_secret/i },
+      // Tightened Clerk events: require the specific subevent suffix
+      // rather than bare `session.`. The bare-prefix version matched
+      // Stripe Checkout `session.url`, which has nothing to do with
+      // Clerk webhooks.
+      { name: "Clerk", content: /clerk/i, events: /user\.(created|updated|deleted)|session\.(created|removed|ended|revoked)/i, verify: /svix|Webhook\(\)\.verify|webhook-id|wh_secret/i },
       { name: "GitHub", content: /github/i, events: /push|pull_request|issues|installation/i, verify: /createHmac|x-hub-signature|verify.*signature|GITHUB_WEBHOOK_SECRET/i },
       { name: "Resend", content: /resend/i, events: /email\.sent|email\.delivered|email\.bounced/i, verify: /svix|webhook.*verify|x-webhook-signature|RESEND_WEBHOOK_SECRET/i },
       { name: "SendGrid", content: /sendgrid/i, events: /inbound.*parse|event.*webhook/i, verify: /EventWebhook|x-twilio-email|verifySignature|SENDGRID_WEBHOOK_VERIFICATION/i },
@@ -8269,11 +8323,20 @@ var SAFE_PATTERNS = [
   /^'sha\d+-/,
   /^nonce-/i,
   // Embedded data URIs
-  /^data:[a-z]+\//i
+  /^data:[a-z]+\//i,
+  // Sentry DSN — a publishable, client-side ingest key (it ships to the
+  // browser), not a secret. Shape: https://<hash>@o<orgid>.ingest.<region.>
+  // sentry.io/<projectid>. The generic URL allowlist above deliberately
+  // excludes anything with an `@`, so the DSN would otherwise fire.
+  /^https?:\/\/[0-9a-f]+@o\d+\.ingest\.[a-z0-9.]*sentry\.io\//i,
+  // HTTP security-header directive values (HSTS, etc.) — `max-age=63072000;
+  // includeSubDomains; preload`. Config strings a security scanner actively
+  // tells users to add; never secrets.
+  /^max-age=\d+/i
 ];
 var SKIP_FILES = /\.(css|scss|less|svg|md|txt|html?|xml|yml|yaml|toml|lock|map|woff2?|ttf|eot|ico|png|jpg|gif|webp)$/i;
 var SKIP_FILENAMES = /(?:package-lock\.json|pnpm-lock\.yaml|yarn\.lock|composer\.lock|Gemfile\.lock|Cargo\.lock|poetry\.lock|Pipfile\.lock|shrinkwrap\.json)$/i;
-var SAFE_VAR_NAMES = /(?:description|message|text|label|title|content|template|html|svg|css|style|class(?:Name)?|query|mutation|schema|regex|pattern|format|placeholder|comment|url|path|route|endpoint|href|src|alt|name|type|version|encoding|charset|locale|translation|copy|prose|markdown|slug|handle)/i;
+var SAFE_VAR_NAMES = /(?:description|message|text|label|title|content|template|html|svg|css|style|class(?:Name)?|query|mutation|schema|regex|pattern|format|placeholder|comment|url|path|route|endpoint|href|src|alt|name|type|version|encoding|charset|chars|alphabet|locale|translation|copy|prose|markdown|slug|handle)/i;
 var HASH_LIKE_VAR_NAMES = /(?:^|[^a-z])(?:hash|digest|checksum|fingerprint|etag|crc|md5|sha1|sha256|sha512|contenthash|buildid|revision|commit|sri|integrity|cacheKey|fileHash|assetId|versionId)(?:$|[^a-z])/i;
 var HASH_PREFIX_RE = /^(?:sha\d+|md5|crc32|base64|bcrypt|argon2|pbkdf2|blake2b?)[:_]/i;
 var SECRET_VAR_NAMES = /(?:^|[^a-z])(?:key|secret|token|password|passwd|pwd|api[_-]?key|auth|credential|private|signing|bearer|access[_-]?token|refresh[_-]?token|session[_-]?id)(?:$|[^a-z])/i;
@@ -8307,6 +8370,7 @@ function scanEntropy(files) {
       let match;
       while ((match = stringPattern.exec(line)) !== null) {
         const value = match[2];
+        if (value.includes("${")) continue;
         if (SAFE_PATTERNS.some((p) => p.test(value))) continue;
         if (HASH_PREFIX_RE.test(value)) continue;
         const beforeAssign = line.substring(0, match.index);