xploitscan-shared-rules 1.7.2 → 1.7.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.cjs +16 -2
- package/dist/index.cjs.map +1 -1
- package/dist/index.js +16 -2
- package/dist/index.js.map +1 -1
- package/package.json +1 -1
package/dist/index.cjs
CHANGED
|
@@ -2142,9 +2142,15 @@ var insecureDeserialization = {
|
|
|
2142
2142
|
() => "Never deserialize untrusted data. Use JSON instead of pickle/Marshal/unserialize. For YAML, use yaml.safe_load(). Validate and sanitize all input before deserialization."
|
|
2143
2143
|
));
|
|
2144
2144
|
}
|
|
2145
|
+
const isJsTs = /\.(jsx?|tsx?|mjs|cjs)$/.test(filePath);
|
|
2145
2146
|
return matches.filter((m) => {
|
|
2146
2147
|
if (!/yaml\.load\s*\(/.test(m.snippet ?? "")) return true;
|
|
2147
2148
|
const lineText = (m.snippet ?? "").toLowerCase();
|
|
2149
|
+
if (isJsTs) {
|
|
2150
|
+
const ctxLines = content.split("\n").slice(m.line - 1, m.line + 2).join("\n");
|
|
2151
|
+
if (/default_full_schema|\bfull_schema\b/i.test(ctxLines)) return true;
|
|
2152
|
+
return false;
|
|
2153
|
+
}
|
|
2148
2154
|
if (/safe_schema|failsafe_schema|safe_load|safeloader/.test(lineText)) {
|
|
2149
2155
|
return false;
|
|
2150
2156
|
}
|
|
@@ -3912,7 +3918,11 @@ var xxeVulnerability = {
|
|
|
3912
3918
|
const patterns = [
|
|
3913
3919
|
/\.parseXm?l\s*\(/gi,
|
|
3914
3920
|
// catches parseXml (libxmljs) AND parseXML
|
|
3915
|
-
|
|
3921
|
+
// NOTE: the browser `new DOMParser()` is intentionally NOT flagged.
|
|
3922
|
+
// Per the HTML/XML spec, DOMParser.parseFromString does not resolve
|
|
3923
|
+
// external entities, so it is not an XXE sink — flagging it produced a
|
|
3924
|
+
// critical false positive on ordinary client-side XML/HTML parsing.
|
|
3925
|
+
// Real XXE sinks (libxmljs parseXml with noent, etree, SAX) remain below.
|
|
3916
3926
|
/etree\.parse\s*\(/g,
|
|
3917
3927
|
/lxml\.etree/g,
|
|
3918
3928
|
/SAXParserFactory/g,
|
|
@@ -7083,7 +7093,11 @@ var llmOutputAsHTML = {
|
|
|
7083
7093
|
const findings = [];
|
|
7084
7094
|
const patterns = [
|
|
7085
7095
|
// dangerouslySetInnerHTML with .choices[0].message.content / .text / etc.
|
|
7086
|
-
|
|
7096
|
+
// NOTE: a bare `text` token used to be in this alternation and matched
|
|
7097
|
+
// any `.text` property (e.g. `post.text`) in a file that merely imported
|
|
7098
|
+
// an LLM SDK — a high-severity false positive. Only LLM-specific shapes
|
|
7099
|
+
// remain (delta.text / output_text / generated_text are qualified).
|
|
7100
|
+
/dangerouslySetInnerHTML\s*=\s*\{\{\s*__html\s*:\s*[^}]*\b(?:choices\[\d*\]?\.message|completion|response|message\.content|content_block|delta\.text|generated_text|output_text)\b/g,
|
|
7087
7101
|
// .innerHTML = response.choices[0].message.content
|
|
7088
7102
|
/\.innerHTML\s*=\s*[^;]*\b(?:choices\[\d*\]?\.message|completion|response\.message|message\.content|delta\.text|generated_text|output_text)\b/g
|
|
7089
7103
|
];
|
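Review bot: The new `isJsTs` branch at new lines 2149–2153 of `insecureDeserialization` drops every `yaml.load(` finding in JS/TS files unless `full_schema` appears in the three-line window, which appears to assume js-yaml 4.x semantics, where `load()` rejects unsafe tags by default; code still on js-yaml 3.x, whose `load()` defaulted to the full schema (including `!!js/function`), now yields no finding at all, so consider emitting a lower-severity finding instead of the unconditional `return false;`, or consulting the declared js-yaml version before suppressing. The window `slice(m.line - 1, m.line + 2)` covers only the match line and the two after it, so a schema option assembled on an earlier line is not seen; the assumption deserves a comment such as `// js-yaml >= 4: load() is safe unless an explicit full schema is passed; 3.x (unsafe default) is not distinguished here`. `content.split("\n")` is also re-run for every match inside the filter callback; hoist it as `const fileLines = content.split("\n");` before `return matches.filter((m) => {` and use `fileLines.slice(...)` in the branch. The enclosing check function that supplies `filePath`, `content` and `matches` starts before the hunk.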