xploitscan-shared-rules 1.7.2 → 1.7.4

package/dist/index.cjs

@@ -898,6 +898,12 @@ function isInlineSilenced(content, matchIndex, ruleId) {
   );
   return marker.test(matchLine) || marker.test(prevLine);
 }
+function filterSilenced(matches, content, ruleId) {
+  if (matches.length === 0) return matches;
+  const lines = content.split("\n");
+  const lineStartIndex = (line) => lines.slice(0, line - 1).reduce((acc, l) => acc + l.length + 1, 0);
+  return matches.filter((m) => !isInlineSilenced(content, lineStartIndex(m.line), ruleId));
+}
 function findMatches(content, pattern, rule, filePath, fixTemplate) {
   const matches = [];
   const lines = content.split("\n");
@@ -2142,9 +2148,15 @@ var insecureDeserialization = {
         () => "Never deserialize untrusted data. Use JSON instead of pickle/Marshal/unserialize. For YAML, use yaml.safe_load(). Validate and sanitize all input before deserialization."
       ));
     }
+    const isJsTs = /\.(jsx?|tsx?|mjs|cjs)$/.test(filePath);
     return matches.filter((m) => {
       if (!/yaml\.load\s*\(/.test(m.snippet ?? "")) return true;
       const lineText = (m.snippet ?? "").toLowerCase();
+      if (isJsTs) {
+        const ctxLines = content.split("\n").slice(m.line - 1, m.line + 2).join("\n");
+        if (/default_full_schema|\bfull_schema\b/i.test(ctxLines)) return true;
+        return false;
+      }
       if (/safe_schema|failsafe_schema|safe_load|safeloader/.test(lineText)) {
         return false;
       }
@@ -3912,7 +3924,11 @@ var xxeVulnerability = {
     const patterns = [
       /\.parseXm?l\s*\(/gi,
       // catches parseXml (libxmljs) AND parseXML
-      /new\s+DOMParser\s*\(\)/g,
+      // NOTE: the browser `new DOMParser()` is intentionally NOT flagged.
+      // Per the HTML/XML spec, DOMParser.parseFromString does not resolve
+      // external entities, so it is not an XXE sink — flagging it produced a
+      // critical false positive on ordinary client-side XML/HTML parsing.
+      // Real XXE sinks (libxmljs parseXml with noent, etree, SAX) remain below.
       /etree\.parse\s*\(/g,
       /lxml\.etree/g,
       /SAXParserFactory/g,
@@ -4171,10 +4187,10 @@ var sensitiveURLParams = {
         p,
         sensitiveURLParams,
         filePath,
-        () => "Never pass sensitive data in URL parameters. Use request headers (Authorization: Bearer ...) or POST body instead."
+        () => "Never pass sensitive data in URL parameters. Use request headers (Authorization: Bearer ...) or POST body instead. If this value is intentionally URL-safe (e.g. a one-time, server-verified reference like a Stripe checkout session_id), add an inline `// VC088-OK: <reason>` comment to silence."
       ));
     }
-    return matches;
+    return filterSilenced(matches, content, "VC088");
   }
 };
 var missingContentDisposition = {
@@ -7083,7 +7099,11 @@ var llmOutputAsHTML = {
     const findings = [];
     const patterns = [
       // dangerouslySetInnerHTML with .choices[0].message.content / .text / etc.
-      /dangerouslySetInnerHTML\s*=\s*\{\{\s*__html\s*:\s*[^}]*\b(?:choices\[\d*\]?\.message|completion|response|message\.content|content_block|delta\.text|generated_text|output_text|text)\b/g,
+      // NOTE: a bare `text` token used to be in this alternation and matched
+      // any `.text` property (e.g. `post.text`) in a file that merely imported
+      // an LLM SDK — a high-severity false positive. Only LLM-specific shapes
+      // remain (delta.text / output_text / generated_text are qualified).
+      /dangerouslySetInnerHTML\s*=\s*\{\{\s*__html\s*:\s*[^}]*\b(?:choices\[\d*\]?\.message|completion|response|message\.content|content_block|delta\.text|generated_text|output_text)\b/g,
       // .innerHTML = response.choices[0].message.content
       /\.innerHTML\s*=\s*[^;]*\b(?:choices\[\d*\]?\.message|completion|response\.message|message\.content|delta\.text|generated_text|output_text)\b/g
     ];