xploitscan-shared-rules 1.7.3 → 1.7.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
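--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -637,6 +637,12 @@ function isInlineSilenced(content, matchIndex, ruleId) {
 );
 return marker.test(matchLine) || marker.test(prevLine);
 }
+function filterSilenced(matches, content, ruleId) {
+if (matches.length === 0) return matches;
+const lines = content.split("\n");
+const lineStartIndex = (line) => lines.slice(0, line - 1).reduce((acc, l) => acc + l.length + 1, 0);
+return matches.filter((m) => !isInlineSilenced(content, lineStartIndex(m.line), ruleId));
+}
 function findMatches(content, pattern, rule, filePath, fixTemplate) {
 const matches = [];
 const lines = content.split("\n");
@@ -3920,10 +3926,10 @@ var sensitiveURLParams = {
 p,
 sensitiveURLParams,
 filePath,
-() => "Never pass sensitive data in URL parameters. Use request headers (Authorization: Bearer ...) or POST body instead."
+() => "Never pass sensitive data in URL parameters. Use request headers (Authorization: Bearer ...) or POST body instead. If this value is intentionally URL-safe (e.g. a one-time, server-verified reference like a Stripe checkout session_id), add an inline `// VC088-OK: <reason>` comment to silence."
 ));
 }
-return matches;
+return filterSilenced(matches, content, "VC088");
 }
 };
 var missingContentDisposition = {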
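Review bot: `lineStartIndex` in the new `filterSilenced` (first hunk) re-slices and re-reduces the whole `lines` array for every match, so a file with many findings costs O(lines × matches); a prefix-sum of line start offsets built once makes the lookup O(1) per match and also makes the 1-based `m.line` assumption explicit. Because this helper silently drops findings that carry a `VC088-OK` marker, it is worth returning or recording the suppressed matches as well so a report can list what was silenced and why, rather than losing the audit trail; `isInlineSilenced` itself starts outside the hunk, so I cannot confirm what it accepts as a marker. In the second hunk the rule id is hard-coded as the literal `"VC088"` while the message text also spells the marker by hand; if the rule object carries an id field (not visible here), deriving both from it would keep the two from drifting.

```javascript
function filterSilenced(matches, content, ruleId) {
  if (matches.length === 0) return matches;
  // Prefix sum of line start offsets, computed once instead of per match;
  // m.line is treated as 1-based, as the original `line - 1` implies.
  const lines = content.split("\n");
  const lineStart = new Array(lines.length + 1);
  lineStart[0] = 0;
  for (let i = 0; i < lines.length; i++) {
    lineStart[i + 1] = lineStart[i] + lines[i].length + 1;
  }
  const offsetOf = (line) => lineStart[Math.min(Math.max(line - 1, 0), lines.length)];
  return matches.filter((m) => !isInlineSilenced(content, offsetOf(m.line), ruleId));
}
```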