xploitscan-shared-rules 1.7.0 → 1.7.2

package/dist/index.cjs

@@ -1225,8 +1225,16 @@ var sqlInjection = {
       // The older `[^"']*` class bailed out at the first inner quote and
       // missed every realistic SQL-containing concat.
       /(?:query|execute|raw|sql|queryRaw|queryRawUnsafe|executeRaw|executeRawUnsafe)\s*\(\s*(?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')\s*\+/gi,
-      // Direct variable interpolation in a SQL verb context
-      /(?:SELECT|INSERT|UPDATE|DELETE|WHERE)\s+.*\$\{(?!.*parameterized)/gi
+      // Direct variable interpolation in a SQL string literal. Requires the
+      // verb to START a quoted/backtick literal AND be followed — within the
+      // same literal — by a SQL structural keyword (FROM/SET/WHERE/…), then a
+      // `${` interpolation. The structural keyword is what distinguishes a
+      // real query from ordinary prose: the previous pattern matched any
+      // SELECT/UPDATE/… word anywhere on a line followed by `${`, so UI copy
+      // like `UPDATE your profile settings ${name}` flagged as a CRITICAL SQL
+      // injection. Real queries ("SELECT … FROM …", "UPDATE … SET …") always
+      // carry a second structural keyword; sentences almost never do.
+      /["'`]\s*(?:SELECT|INSERT|UPDATE|DELETE)\b[^"'`\n]*\b(?:FROM|INTO|SET|VALUES|WHERE|JOIN|RETURNING)\b[^"'`\n]*\$\{(?!.*parameterized)/gi
     ];
     const matches = [];
     const usesParams = /\?\s*,|\?[^?,;]{1,20}\?|\$\d+|:[\w]+|\bprepare\b|\bplaceholders?\b/i.test(content);
@@ -1272,6 +1280,7 @@ var xssVulnerability = {
       // {@html} in Svelte
       /\{@html\s/g
     ];
+    const allLines = content.split("\n");
     const matches = [];
     for (const pattern of patterns) {
       const raw = findMatches(
@@ -1279,12 +1288,18 @@ var xssVulnerability = {
         pattern,
         xssVulnerability,
         filePath,
-        () => "Sanitize user input before rendering as HTML. Use a library like DOMPurify: DOMPurify.sanitize(userInput)"
+        () => "Sanitize user input before rendering as HTML. Use a library like DOMPurify: DOMPurify.sanitize(userInput). If this site is intentional (JSON-LD structured data, a const boot script, a sandboxed preview), add an inline `// VC007-OK: <reason>` comment above the line to silence."
       );
       for (const m of raw) {
-        const lineText = content.split("\n")[m.line - 1] || "";
+        const lineText = allLines[m.line - 1] || "";
         if (/\.innerHTML\s*=\s*['"]/.test(lineText) && !/\$\{/.test(lineText)) continue;
         if (/\.innerHTML\s*=\s*['"][^'"]*['"]\s*$/.test(lineText)) continue;
+        if (/dangerouslySetInnerHTML/.test(lineText)) {
+          const windowText = allLines.slice(m.line - 1, m.line + 2).join("\n");
+          if (/JSON\.stringify/i.test(windowText)) continue;
+          const lineStartIdx = allLines.slice(0, m.line - 1).reduce((acc, l) => acc + l.length + 1, 0);
+          if (isInlineSilenced(content, lineStartIdx, "VC007")) continue;
+        }
         matches.push(m);
       }
     }
@@ -1560,23 +1575,35 @@ var unvalidatedRedirect = {
   check(content, filePath) {
     if (isTestFile(filePath)) return [];
     if (/isAllowedRedirect|validateRedirect|isSafeRedirect|allowedDomains|trustedDomains|whitelist.*url|allowlist.*url/i.test(content)) return [];
-    const patterns = [
-      /window\.location\s*=\s*(?!["'`]https?:\/\/)/g,
-      /window\.location\.href\s*=\s*(?!["'`]https?:\/\/)/g,
-      /window\.location\.assign\s*\(\s*(?!["'`]https?:\/\/)/g,
-      /window\.location\.replace\s*\(\s*(?!["'`]https?:\/\/)/g,
-      /res\.redirect\s*\(\s*(?:req\.|params\.|query\.)/gi
-    ];
     const matches = [];
-    for (const p of patterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        unvalidatedRedirect,
-        filePath,
-        () => "Validate redirect URLs against an allowlist of trusted domains. Never redirect to user-supplied URLs directly."
-      ));
+    const navPattern = /(?:window\.location(?:\.href)?\s*=\s*|window\.location\.(?:assign|replace)\s*\(\s*)([^;\n)]+)/g;
+    let m;
+    while ((m = navPattern.exec(content)) !== null) {
+      if (isCommentLine(content, m.index)) continue;
+      const value = m[1].trim();
+      const hasInterpolation = /\$\{/.test(value);
+      const isPureLiteral = /^["'`][^"'`]*["'`]$/.test(value);
+      if (!hasInterpolation && isPureLiteral) continue;
+      if (isInlineSilenced(content, m.index, "VC016")) continue;
+      const line = content.substring(0, m.index).split("\n").length;
+      matches.push({
+        rule: "VC016",
+        title: unvalidatedRedirect.title,
+        severity: "high",
+        category: "Injection",
+        file: filePath,
+        line,
+        snippet: getSnippet(content, line),
+        fix: "Validate redirect URLs against an allowlist of trusted domains. Never redirect to user-supplied URLs directly. If the target is a hardcoded/internal path you control, add an inline `// VC016-OK: <reason>` comment to silence."
+      });
     }
+    matches.push(...findMatches(
+      content,
+      /res\.redirect\s*\(\s*(?:req\.|params\.|query\.)/gi,
+      unvalidatedRedirect,
+      filePath,
+      () => "Validate redirect URLs against an allowlist of trusted domains. Never redirect to user-supplied URLs directly."
+    ));
     return matches;
   }
 };
@@ -8296,11 +8323,20 @@ var SAFE_PATTERNS = [
   /^'sha\d+-/,
   /^nonce-/i,
   // Embedded data URIs
-  /^data:[a-z]+\//i
+  /^data:[a-z]+\//i,
+  // Sentry DSN — a publishable, client-side ingest key (it ships to the
+  // browser), not a secret. Shape: https://<hash>@o<orgid>.ingest.<region.>
+  // sentry.io/<projectid>. The generic URL allowlist above deliberately
+  // excludes anything with an `@`, so the DSN would otherwise fire.
+  /^https?:\/\/[0-9a-f]+@o\d+\.ingest\.[a-z0-9.]*sentry\.io\//i,
+  // HTTP security-header directive values (HSTS, etc.) — `max-age=63072000;
+  // includeSubDomains; preload`. Config strings a security scanner actively
+  // tells users to add; never secrets.
+  /^max-age=\d+/i
 ];
 var SKIP_FILES = /\.(css|scss|less|svg|md|txt|html?|xml|yml|yaml|toml|lock|map|woff2?|ttf|eot|ico|png|jpg|gif|webp)$/i;
 var SKIP_FILENAMES = /(?:package-lock\.json|pnpm-lock\.yaml|yarn\.lock|composer\.lock|Gemfile\.lock|Cargo\.lock|poetry\.lock|Pipfile\.lock|shrinkwrap\.json)$/i;
-var SAFE_VAR_NAMES = /(?:description|message|text|label|title|content|template|html|svg|css|style|class(?:Name)?|query|mutation|schema|regex|pattern|format|placeholder|comment|url|path|route|endpoint|href|src|alt|name|type|version|encoding|charset|locale|translation|copy|prose|markdown|slug|handle)/i;
+var SAFE_VAR_NAMES = /(?:description|message|text|label|title|content|template|html|svg|css|style|class(?:Name)?|query|mutation|schema|regex|pattern|format|placeholder|comment|url|path|route|endpoint|href|src|alt|name|type|version|encoding|charset|chars|alphabet|locale|translation|copy|prose|markdown|slug|handle)/i;
 var HASH_LIKE_VAR_NAMES = /(?:^|[^a-z])(?:hash|digest|checksum|fingerprint|etag|crc|md5|sha1|sha256|sha512|contenthash|buildid|revision|commit|sri|integrity|cacheKey|fileHash|assetId|versionId)(?:$|[^a-z])/i;
 var HASH_PREFIX_RE = /^(?:sha\d+|md5|crc32|base64|bcrypt|argon2|pbkdf2|blake2b?)[:_]/i;
 var SECRET_VAR_NAMES = /(?:^|[^a-z])(?:key|secret|token|password|passwd|pwd|api[_-]?key|auth|credential|private|signing|bearer|access[_-]?token|refresh[_-]?token|session[_-]?id)(?:$|[^a-z])/i;
@@ -8334,6 +8370,7 @@ function scanEntropy(files) {
       let match;
       while ((match = stringPattern.exec(line)) !== null) {
         const value = match[2];
+        if (value.includes("${")) continue;
         if (SAFE_PATTERNS.some((p) => p.test(value))) continue;
         if (HASH_PREFIX_RE.test(value)) continue;
         const beforeAssign = line.substring(0, match.index);