xploitscan-shared-rules 1.7.3 → 1.7.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. package/dist/index.cjs +8 -2
  2. package/dist/index.cjs.map +1 -1
  3. package/dist/index.js +8 -2
  4. package/dist/index.js.map +1 -1
  5. package/package.json +1 -1
package/dist/index.cjs CHANGED
@@ -898,6 +898,12 @@ function isInlineSilenced(content, matchIndex, ruleId) {
898
898
  );
899
899
  return marker.test(matchLine) || marker.test(prevLine);
900
900
  }
901
+ function filterSilenced(matches, content, ruleId) {
902
+ if (matches.length === 0) return matches;
903
+ const lines = content.split("\n");
904
+ const lineStartIndex = (line) => lines.slice(0, line - 1).reduce((acc, l) => acc + l.length + 1, 0);
905
+ return matches.filter((m) => !isInlineSilenced(content, lineStartIndex(m.line), ruleId));
906
+ }
901
907
  function findMatches(content, pattern, rule, filePath, fixTemplate) {
902
908
  const matches = [];
903
909
  const lines = content.split("\n");
@@ -4181,10 +4187,10 @@ var sensitiveURLParams = {
4181
4187
  p,
4182
4188
  sensitiveURLParams,
4183
4189
  filePath,
4184
- () => "Never pass sensitive data in URL parameters. Use request headers (Authorization: Bearer ...) or POST body instead."
4190
+ () => "Never pass sensitive data in URL parameters. Use request headers (Authorization: Bearer ...) or POST body instead. If this value is intentionally URL-safe (e.g. a one-time, server-verified reference like a Stripe checkout session_id), add an inline `// VC088-OK: <reason>` comment to silence."
4185
4191
  ));
4186
4192
  }
4187
- return matches;
4193
+ return filterSilenced(matches, content, "VC088");
4188
4194
  }
4189
4195
  };
4190
4196
  var missingContentDisposition = {