xploitscan-shared-rules 1.7.4 → 1.8.1

package/dist/index.cjs

@@ -162,11 +162,13 @@ __export(index_exports, {
   largeBundleImport: () => largeBundleImport,
   llmCallNoMaxTokens: () => llmCallNoMaxTokens,
   llmOutputAsHTML: () => llmOutputAsHTML,
+  llmOutputToSink: () => llmOutputToSink,
   llmPromptInjection: () => llmPromptInjection,
   llmSystemPromptInjection: () => llmSystemPromptInjection,
   logInjection: () => logInjection,
   magicNumbers: () => magicNumbers,
   massAssignment: () => massAssignment,
+  middlewareMatcherExcludesApi: () => middlewareMatcherExcludesApi,
   missingAIRateLimit: () => missingAIRateLimit,
   missingAuthMiddleware: () => missingAuthMiddleware,
   missingAuthRateLimit: () => missingAuthRateLimit,
@@ -217,6 +219,7 @@ __export(index_exports, {
   secretInCLIArgument: () => secretInCLIArgument,
   secretInErrorResponse: () => secretInErrorResponse,
   secretInHTMLAttribute: () => secretInHTMLAttribute,
+  secretInLLMPrompt: () => secretInLLMPrompt,
   secretInURLParam: () => secretInURLParam,
   secretLoggedToConsole: () => secretLoggedToConsole,
   secretsInCI: () => secretsInCI,
@@ -253,6 +256,7 @@ __export(index_exports, {
   weakHashing: () => weakHashing,
   weakPasswordRequirements: () => weakPasswordRequirements,
   weakRSAKeySize: () => weakRSAKeySize,
+  webhookMissingIdempotency: () => webhookMissingIdempotency,
   webhookSignatureVerification: () => webhookSignatureVerification,
   xssVulnerability: () => xssVulnerability,
   xxeVulnerability: () => xxeVulnerability
@@ -478,7 +482,11 @@ var RULE_IMPACTS = {
   VC203: "An LLM call without max_tokens lets attackers craft inputs that maximize output length, generating expensive responses on every request \u2014 denial-of-wallet that drains your monthly budget or trips rate limits for legitimate users.",
   VC204: "Without a query depth limit, attackers send 100-level-deep nested queries that explode in resolver and DB cost. The server walks every level, the database does too, and a single crafted query takes the service down.",
   VC205: "Even with a depth limit, queries like users(first:1000){posts(first:1000){comments(first:1000)}} are only three levels deep but resolve a billion items. Without complexity analysis, attackers DoS your GraphQL with a single request.",
-  VC206: "Apollo Server's csrfPrevention guards against cross-site form-style requests against GraphQL mutations. Disabling it lets any website trigger mutations in a logged-in user's browser \u2014 buying, deleting, or transferring on the victim's behalf."
+  VC206: "Apollo Server's csrfPrevention guards against cross-site form-style requests against GraphQL mutations. Disabling it lets any website trigger mutations in a logged-in user's browser \u2014 buying, deleting, or transferring on the victim's behalf.",
+  VC207: "Model output is attacker-influenceable via prompt injection. Feeding it into eval, new Function, a shell command, a raw SQL string, or a filesystem path turns a crafted or hallucinated response into remote code execution, command injection, SQL injection, or path traversal \u2014 your most dangerous sinks, driven by untrusted text.",
+  VC208: "Interpolating a secret into a prompt ships your API key, token, or password to a third-party model provider, where it persists in their request logs and training-eligible data. A credential that leaves your infrastructure in prompt text should be considered compromised and rotated.",
+  VC209: "Webhooks are delivered at-least-once. Without de-duplicating on the event id, a retried or replayed delivery re-runs the side effect \u2014 a customer is charged twice, a record is duplicated, or an entitlement is granted again. Stripe and Svix both retry on any non-2xx, so this fires in normal operation, not just under attack.",
+  VC210: "If your auth middleware skips /api, those routes run with no gate unless each one re-checks auth itself. It is the most common way a Next.js app ends up with publicly callable API routes that everyone assumed the middleware was protecting."
 };
 
 // src/exposure.ts
@@ -3946,9 +3954,9 @@ var xxeVulnerability = {
         ));
       }
     }
-    if (!/parseXml\s*\(/.test(content)) return matches;
+    if (!/parseXml\s*\(/.test(content)) return filterSilenced(matches, content, "VC081");
     const ctx = tryParse(content, filePath);
-    if (!ctx) return matches;
+    if (!ctx) return filterSilenced(matches, content, "VC081");
     visitCalls(
       ctx.parsed,
       (callee) => isCalleeNamed(callee, "parseXml") || isCalleeNamed(callee, "parseXML"),
@@ -3972,7 +3980,7 @@ var xxeVulnerability = {
         );
       }
     );
-    return matches;
+    return filterSilenced(matches, content, "VC081");
   }
 };
 var ssti = {
@@ -4001,7 +4009,7 @@ var ssti = {
       ));
     }
     if (!/(?:\.compile|\.render|renderString|render_template_string)\s*\(/.test(content)) {
-      return matches;
+      return filterSilenced(matches, content, "VC082");
     }
     const ctx = tryParse(content, filePath);
     if (!ctx) return matches;
@@ -4040,7 +4048,7 @@ var ssti = {
         );
       }
     );
-    return matches;
+    return filterSilenced(matches, content, "VC082");
   }
 };
 var javaDeserialization = {
@@ -4361,7 +4369,7 @@ var commandInjection = {
         matches.push(m);
       }
     }
-    return matches;
+    return filterSilenced(matches, content, "VC094");
   }
 };
 var corsLocalhost = {
@@ -4663,8 +4671,18 @@ var complianceMap = {
   // no query depth limit
   VC205: { owasp: "A04:2021", cwe: "CWE-770" },
   // no query complexity limit
-  VC206: { owasp: "A01:2021", cwe: "CWE-352" }
+  VC206: { owasp: "A01:2021", cwe: "CWE-352" },
   // Apollo csrfPrevention: false
+  // VC207–VC208: AI/LLM data-flow
+  VC207: { owasp: "A03:2021", cwe: "CWE-94" },
+  // model output → code/cmd/query/fs sink
+  VC208: { owasp: "A09:2021", cwe: "CWE-532" },
+  // secret interpolated into LLM prompt
+  // VC209–VC210: advisory heuristics
+  VC209: { owasp: "A04:2021", cwe: "CWE-799" },
+  // webhook missing idempotency
+  VC210: { owasp: "A01:2021", cwe: "CWE-862" }
+  // middleware matcher excludes /api
 };
 var consoleLogProduction = {
   id: "VC097",
@@ -7046,7 +7064,7 @@ var llmPromptInjection = {
         });
       }
     }
-    return findings;
+    return filterSilenced(findings, content, "VC198");
   }
 };
 var llmSystemPromptInjection = {
@@ -7083,7 +7101,7 @@ var llmSystemPromptInjection = {
         });
       }
     }
-    return findings;
+    return filterSilenced(findings, content, "VC199");
   }
 };
 var llmOutputAsHTML = {
@@ -7127,7 +7145,7 @@ var llmOutputAsHTML = {
         });
       }
     }
-    return findings;
+    return filterSilenced(findings, content, "VC200");
   }
 };
 var vectorStoreQueryNoUserFilter = {
@@ -7359,6 +7377,127 @@ var graphqlCSRFDisabled = {
     return findings;
   }
 };
+var LLM_OUTPUT_SHAPE = "(?:choices\\s*\\[\\s*\\d*\\s*\\]?\\s*\\.\\s*message(?:\\s*\\.\\s*content)?|completion(?:\\.text|\\.content)?|message\\s*\\.\\s*content|content_block|delta\\s*\\.\\s*text|generated_text|output_text)";
+var llmOutputToSink = {
+  id: "VC207",
+  title: "AI/LLM: model output passed to a code, command, query, or file sink",
+  severity: "critical",
+  category: "Injection",
+  description: "Passing model output into eval(), new Function(), a shell command, a raw SQL string, or a filesystem path treats the model's response as trusted code. A prompt-injected or hallucinated response then becomes RCE, command injection, SQL injection, or path traversal \u2014 the model is an attacker-influenced input wired straight into your most dangerous sinks.",
+  check(content, filePath) {
+    if (!LLM_FILE_RE.test(filePath)) return [];
+    if (isTestFile(filePath)) return [];
+    if (!fileUsesLLMSDK(content)) return [];
+    const sinkGroups = [
+      "eval",
+      "new\\s+Function",
+      "(?:child_process\\s*\\.\\s*)?(?:exec|execSync|spawn|spawnSync|execFile|execFileSync)",
+      "(?:\\$queryRawUnsafe|\\$executeRawUnsafe|\\.\\s*(?:query|execute|raw))",
+      "(?:fs\\s*\\.\\s*)?(?:readFile|readFileSync|writeFile|writeFileSync|createReadStream|createWriteStream|unlink|unlinkSync|rm|rmSync)"
+    ];
+    const matches = [];
+    for (const sink of sinkGroups) {
+      const re = new RegExp(`\\b${sink}\\s*\\([^;\\n]{0,120}${LLM_OUTPUT_SHAPE}`, "g");
+      matches.push(...findMatches(
+        content,
+        re,
+        llmOutputToSink,
+        filePath,
+        () => "Never pass model output into eval / new Function / a shell command / a raw SQL string / a filesystem path. Treat it as untrusted input: constrain it to a JSON schema or an allowlist, and use parameterized queries and safe path APIs. If this is a reviewed, sandboxed use, add an inline `// VC207-OK: <reason>` comment to silence."
+      ));
+    }
+    return filterSilenced(matches, content, "VC207");
+  }
+};
+var secretInLLMPrompt = {
+  id: "VC208",
+  title: "AI/LLM: secret or credential interpolated into a model prompt",
+  severity: "high",
+  category: "Information Leakage",
+  description: "Interpolating an environment secret (API key, token, password) into a prompt sends your credential to a third-party model provider, where it can land in their request logs and training-eligible data. Secrets should never be part of prompt text \u2014 pass only the data the model needs to reason about.",
+  check(content, filePath) {
+    if (!LLM_FILE_RE.test(filePath)) return [];
+    if (isTestFile(filePath)) return [];
+    if (!fileUsesLLMSDK(content)) return [];
+    const SECRET_ENV = /\$\{\s*process\.env\.[A-Z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD|PASSWD|CREDENTIAL|PRIVATE)[A-Z0-9_]*\s*\}/;
+    const PROMPT_CTX = /\b(?:prompt|content|system|user|assistant|messages|instructions?|systemPrompt|userPrompt)\b/i;
+    const lines = content.split("\n");
+    const matches = [];
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (!SECRET_ENV.test(line)) continue;
+      const trimmed = line.trimStart();
+      if (trimmed.startsWith("//") || trimmed.startsWith("*") || trimmed.startsWith("#")) continue;
+      const prev = i > 0 ? lines[i - 1] : "";
+      if (!PROMPT_CTX.test(line) && !PROMPT_CTX.test(prev)) continue;
+      matches.push({
+        rule: "VC208",
+        title: secretInLLMPrompt.title,
+        severity: "high",
+        category: "Information Leakage",
+        file: filePath,
+        line: i + 1,
+        snippet: getSnippet(content, i + 1),
+        fix: "Don't put credentials in prompt text \u2014 they get sent to (and logged by) the model provider. Pass only the data the model needs; keep secrets in headers/SDK config. If this env var is genuinely non-sensitive despite its name, add an inline `// VC208-OK: <reason>` comment."
+      });
+    }
+    return filterSilenced(matches, content, "VC208");
+  }
+};
+var webhookMissingIdempotency = {
+  id: "VC209",
+  title: "Webhook handler without idempotency / replay protection",
+  severity: "low",
+  category: "Logic",
+  description: "Payment and event webhooks (Stripe, Svix, GitHub, ...) are delivered at-least-once. A handler that performs a side effect (create / charge / grant) without de-duplicating on the event ID can double-process a retried or replayed delivery \u2014 double charges, duplicate records, repeated entitlement grants.",
+  check(content, filePath) {
+    if (!/\.(js|ts|jsx|tsx)$/.test(filePath)) return [];
+    if (isTestFile(filePath)) return [];
+    if (!/constructEvent|new\s+Webhook\s*\(|svix|verifyHeader|x-signature|stripe-signature/i.test(content)) return [];
+    if (!/\.(?:create|update|upsert|insert|delete)\s*\(|INSERT\s+INTO|charges?\.create|subscriptions?\.create|\bgrant|entitlement/i.test(content)) return [];
+    if (/idempoten|event\.id|evt\.id|delivery_?id|alreadyProcessed|processedEvents|ON\s+CONFLICT|INSERT\s+OR\s+IGNORE|\bseen\b|\bprocessed\b/i.test(content)) return [];
+    const m = content.match(/constructEvent|new\s+Webhook\s*\(|verifyHeader/i);
+    if (!m || m.index === void 0) return [];
+    const line = content.substring(0, m.index).split("\n").length;
+    return filterSilenced([{
+      rule: "VC209",
+      title: webhookMissingIdempotency.title,
+      severity: "low",
+      category: "Logic",
+      file: filePath,
+      line,
+      snippet: getSnippet(content, line),
+      fix: "De-duplicate webhook deliveries: persist each event id and skip if already seen, or use a DB unique constraint (INSERT ... ON CONFLICT DO NOTHING). Webhooks are at-least-once \u2014 assume retries. If dedup is handled elsewhere, add an inline `// VC209-OK: <reason>` comment."
+    }], content, "VC209");
+  }
+};
+var middlewareMatcherExcludesApi = {
+  id: "VC210",
+  title: "Auth middleware matcher excludes API routes",
+  severity: "info",
+  category: "Authorization",
+  description: "A Next.js middleware that performs authentication but whose config.matcher excludes /api means API routes bypass the middleware entirely. Unless each API route authenticates on its own, they're unprotected. This is an advisory to verify per-route auth \u2014 not a confirmed vulnerability.",
+  check(content, filePath) {
+    if (!/middleware\.(ts|js|mjs)$/.test(filePath)) return [];
+    if (isTestFile(filePath)) return [];
+    if (!/clerkMiddleware|authMiddleware|getToken|getServerSession|NextResponse\.redirect|withAuth|next-auth|\bauth\s*\(/i.test(content)) return [];
+    if (!/matcher\s*:/.test(content)) return [];
+    if (!/\(\?!\s*[^)]*\bapi\b/.test(content)) return [];
+    const m = content.match(/matcher\s*:/);
+    if (!m || m.index === void 0) return [];
+    const line = content.substring(0, m.index).split("\n").length;
+    return filterSilenced([{
+      rule: "VC210",
+      title: middlewareMatcherExcludesApi.title,
+      severity: "info",
+      category: "Authorization",
+      file: filePath,
+      line,
+      snippet: getSnippet(content, line),
+      fix: "Your middleware's matcher excludes /api, so API routes skip it. Either include /api in the matcher, or confirm every API route authenticates on its own (auth() / requireUser / getServerSession). If routes self-authenticate by design, add an inline `// VC210-OK: <reason>` comment."
+    }], content, "VC210");
+  }
+};
 var secretInURLParam = {
   id: "VC146",
   title: "Secret Passed in URL Query Parameter",
@@ -8078,6 +8217,12 @@ var allCustomRules = [
   vectorStoreQueryNoUserFilter,
   vectorStoreUpsertNoMetadata,
   llmCallNoMaxTokens,
+  // VC207–VC208: AI/LLM data-flow rules
+  llmOutputToSink,
+  secretInLLMPrompt,
+  // VC209–VC210: advisory heuristics
+  webhookMissingIdempotency,
+  middlewareMatcherExcludesApi,
   // VC204–VC206: GraphQL server hardening
   graphqlNoDepthLimit,
   graphqlNoComplexityLimit,
@@ -8564,11 +8709,13 @@ function scanEntropy(files) {
   largeBundleImport,
   llmCallNoMaxTokens,
   llmOutputAsHTML,
+  llmOutputToSink,
   llmPromptInjection,
   llmSystemPromptInjection,
   logInjection,
   magicNumbers,
   massAssignment,
+  middlewareMatcherExcludesApi,
   missingAIRateLimit,
   missingAuthMiddleware,
   missingAuthRateLimit,
@@ -8619,6 +8766,7 @@ function scanEntropy(files) {
   secretInCLIArgument,
   secretInErrorResponse,
   secretInHTMLAttribute,
+  secretInLLMPrompt,
   secretInURLParam,
   secretLoggedToConsole,
   secretsInCI,
@@ -8655,6 +8803,7 @@ function scanEntropy(files) {
   weakHashing,
   weakPasswordRequirements,
   weakRSAKeySize,
+  webhookMissingIdempotency,
   webhookSignatureVerification,
   xssVulnerability,
   xxeVulnerability