xploitscan-shared-rules 1.7.2 → 1.7.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.cjs +16 -2
- package/dist/index.cjs.map +1 -1
- package/dist/index.js +16 -2
- package/dist/index.js.map +1 -1
- package/package.json +1 -1
package/dist/index.js
CHANGED
|
@@ -1881,9 +1881,15 @@ var insecureDeserialization = {
|
|
|
1881
1881
|
() => "Never deserialize untrusted data. Use JSON instead of pickle/Marshal/unserialize. For YAML, use yaml.safe_load(). Validate and sanitize all input before deserialization."
|
|
1882
1882
|
));
|
|
1883
1883
|
}
|
|
1884
|
+
const isJsTs = /\.(jsx?|tsx?|mjs|cjs)$/.test(filePath);
|
|
1884
1885
|
return matches.filter((m) => {
|
|
1885
1886
|
if (!/yaml\.load\s*\(/.test(m.snippet ?? "")) return true;
|
|
1886
1887
|
const lineText = (m.snippet ?? "").toLowerCase();
|
|
1888
|
+
if (isJsTs) {
|
|
1889
|
+
const ctxLines = content.split("\n").slice(m.line - 1, m.line + 2).join("\n");
|
|
1890
|
+
if (/default_full_schema|\bfull_schema\b/i.test(ctxLines)) return true;
|
|
1891
|
+
return false;
|
|
1892
|
+
}
|
|
1887
1893
|
if (/safe_schema|failsafe_schema|safe_load|safeloader/.test(lineText)) {
|
|
1888
1894
|
return false;
|
|
1889
1895
|
}
|
|
@@ -3651,7 +3657,11 @@ var xxeVulnerability = {
|
|
|
3651
3657
|
const patterns = [
|
|
3652
3658
|
/\.parseXm?l\s*\(/gi,
|
|
3653
3659
|
// catches parseXml (libxmljs) AND parseXML
|
|
3654
|
-
|
|
3660
|
+
// NOTE: the browser `new DOMParser()` is intentionally NOT flagged.
|
|
3661
|
+
// Per the HTML/XML spec, DOMParser.parseFromString does not resolve
|
|
3662
|
+
// external entities, so it is not an XXE sink — flagging it produced a
|
|
3663
|
+
// critical false positive on ordinary client-side XML/HTML parsing.
|
|
3664
|
+
// Real XXE sinks (libxmljs parseXml with noent, etree, SAX) remain below.
|
|
3655
3665
|
/etree\.parse\s*\(/g,
|
|
3656
3666
|
/lxml\.etree/g,
|
|
3657
3667
|
/SAXParserFactory/g,
|
|
@@ -6822,7 +6832,11 @@ var llmOutputAsHTML = {
|
|
|
6822
6832
|
const findings = [];
|
|
6823
6833
|
const patterns = [
|
|
6824
6834
|
// dangerouslySetInnerHTML with .choices[0].message.content / .text / etc.
|
|
6825
|
-
|
|
6835
|
+
// NOTE: a bare `text` token used to be in this alternation and matched
|
|
6836
|
+
// any `.text` property (e.g. `post.text`) in a file that merely imported
|
|
6837
|
+
// an LLM SDK — a high-severity false positive. Only LLM-specific shapes
|
|
6838
|
+
// remain (delta.text / output_text / generated_text are qualified).
|
|
6839
|
+
/dangerouslySetInnerHTML\s*=\s*\{\{\s*__html\s*:\s*[^}]*\b(?:choices\[\d*\]?\.message|completion|response|message\.content|content_block|delta\.text|generated_text|output_text)\b/g,
|
|
6826
6840
|
// .innerHTML = response.choices[0].message.content
|
|
6827
6841
|
/\.innerHTML\s*=\s*[^;]*\b(?:choices\[\d*\]?\.message|completion|response\.message|message\.content|delta\.text|generated_text|output_text)\b/g
|
|
6828
6842
|
];
|