npm - xploitscan-shared-rules - Versions diffs - 1.8.0 → 1.9.0 - Mend

xploitscan-shared-rules 1.8.0 → 1.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/index.js CHANGED Viewed

@@ -329,8 +329,69 @@ var TAINTED_REQUEST_OBJECTS = /* @__PURE__ */ new Set([
   "event"
   // Lambda
 ]);
+var FS_READ_METHODS = /* @__PURE__ */ new Set(["readFile", "readFileSync"]);
+var PARSE_OBJECTS = /* @__PURE__ */ new Set([
+  "JSON",
+  "csv",
+  "papa",
+  "Papa",
+  "yaml",
+  "YAML",
+  "toml",
+  "qs",
+  "querystring"
+]);
+var PARSE_BARE = /* @__PURE__ */ new Set(["parse", "parseSync"]);
+var ARRAY_ELEMENT_METHODS = /* @__PURE__ */ new Set([
+  "map",
+  "filter",
+  "forEach",
+  "find",
+  "findIndex",
+  "flatMap",
+  "some",
+  "every"
+]);
+var ARRAY_REDUCE_METHODS = /* @__PURE__ */ new Set(["reduce", "reduceRight"]);
+function callPreservesTaint(node, rec) {
+  const callee = node.callee;
+  const anyArgTainted = () => node.arguments.some((a) => a.type !== "SpreadElement" && rec(a));
+  if (callee.type === "MemberExpression" && callee.property.type === "Identifier") {
+    const pname = callee.property.name;
+    if (FS_READ_METHODS.has(pname)) return anyArgTainted();
+    if (pname === "parse" || pname === "parseSync") {
+      const obj = callee.object;
+      if (obj.type === "Identifier" && PARSE_OBJECTS.has(obj.name)) return anyArgTainted();
+    }
+  }
+  if (callee.type === "Identifier") {
+    if (FS_READ_METHODS.has(callee.name)) return anyArgTainted();
+    if (PARSE_BARE.has(callee.name)) return anyArgTainted();
+  }
+  return false;
+}
 function buildTaintMap(parsed) {
   const tainted = /* @__PURE__ */ new Set();
+  function markPatternTainted(target) {
+    if (target.type === "Identifier") {
+      tainted.add(target.name);
+    } else if (target.type === "ObjectPattern") {
+      for (const prop of target.properties) {
+        if (prop.type === "ObjectProperty" && prop.value.type === "Identifier") {
+          tainted.add(prop.value.name);
+        } else if (prop.type === "RestElement" && prop.argument.type === "Identifier") {
+          tainted.add(prop.argument.name);
+        }
+      }
+    } else if (target.type === "ArrayPattern") {
+      for (const el of target.elements) {
+        if (el && el.type === "Identifier") tainted.add(el.name);
+        else if (el && el.type === "RestElement" && el.argument.type === "Identifier") {
+          tainted.add(el.argument.name);
+        }
+      }
+    }
+  }
   function reachesRequestIdent(node) {
     if (!node) return false;
     if (node.type === "Identifier") return TAINTED_REQUEST_OBJECTS.has(node.name);
@@ -401,6 +462,7 @@ function buildTaintMap(parsed) {
     }
     if (node.type === "CallExpression") {
       if (nodeIsTaintedSource(node)) return true;
+      if (callPreservesTaint(node, exprIsTainted)) return true;
       if (node.callee.type === "MemberExpression") {
         if (exprIsTainted(node.callee.object)) return true;
         const obj = node.callee.object;
@@ -421,6 +483,16 @@ function buildTaintMap(parsed) {
     if (node.type === "AwaitExpression") {
       return exprIsTainted(node.argument);
     }
+    if (node.type === "ArrayExpression") {
+      return node.elements.some(
+        (el) => el != null && el.type === "SpreadElement" && exprIsTainted(el.argument)
+      );
+    }
+    if (node.type === "ObjectExpression") {
+      return node.properties.some(
+        (p) => p.type === "SpreadElement" && exprIsTainted(p.argument)
+      );
+    }
     return false;
   }
   traverse(parsed.ast, {
@@ -455,6 +527,32 @@ function buildTaintMap(parsed) {
       if (exprIsTainted(node.right)) {
         tainted.add(node.left.name);
       }
+    },
+    // for (const row of <tainted>) → row tainted (and destructured names).
+    ForOfStatement(path) {
+      const node = path.node;
+      if (node.type !== "ForOfStatement") return;
+      if (!exprIsTainted(node.right)) return;
+      const decl = node.left;
+      const target = decl.type === "VariableDeclaration" && decl.declarations[0] ? decl.declarations[0].id : decl;
+      markPatternTainted(target);
+    },
+    // Array-iteration element taint: <tainted>.map((row) => …) marks `row`
+    // tainted inside the callback. Gated on the receiver already being
+    // tainted, so this never originates taint.
+    CallExpression(path) {
+      const node = path.node;
+      if (node.type !== "CallExpression") return;
+      const callee = node.callee;
+      if (callee.type !== "MemberExpression" || callee.property.type !== "Identifier") return;
+      const method = callee.property.name;
+      const isReduce = ARRAY_REDUCE_METHODS.has(method);
+      if (!ARRAY_ELEMENT_METHODS.has(method) && !isReduce) return;
+      if (!exprIsTainted(callee.object)) return;
+      const cb = node.arguments[0];
+      if (!cb || cb.type !== "ArrowFunctionExpression" && cb.type !== "FunctionExpression") return;
+      const elemParam = cb.params[isReduce ? 1 : 0];
+      if (elemParam) markPatternTainted(elemParam);
     }
   });
   const isTainted = (node) => {
@@ -480,6 +578,7 @@ function buildTaintMap(parsed) {
       return isTainted(node.object);
     }
     if (node.type === "CallExpression") {
+      if (callPreservesTaint(node, isTainted)) return true;
       if (node.callee.type === "MemberExpression") {
         if (isTainted(node.callee.object)) return true;
         const obj = node.callee.object;
@@ -497,6 +596,16 @@ function buildTaintMap(parsed) {
         }
       }
     }
+    if (node.type === "ArrayExpression") {
+      return node.elements.some(
+        (el) => el != null && el.type === "SpreadElement" && isTainted(el.argument)
+      );
+    }
+    if (node.type === "ObjectExpression") {
+      return node.properties.some(
+        (p) => p.type === "SpreadElement" && isTainted(p.argument)
+      );
+    }
     return false;
   };
   return {
@@ -3689,9 +3798,9 @@ var xxeVulnerability = {
         ));
       }
     }
-    if (!/parseXml\s*\(/.test(content)) return matches;
+    if (!/parseXml\s*\(/.test(content)) return filterSilenced(matches, content, "VC081");
     const ctx = tryParse(content, filePath);
-    if (!ctx) return matches;
+    if (!ctx) return filterSilenced(matches, content, "VC081");
     visitCalls(
       ctx.parsed,
       (callee) => isCalleeNamed(callee, "parseXml") || isCalleeNamed(callee, "parseXML"),
@@ -3715,7 +3824,7 @@ var xxeVulnerability = {
         );
       }
     );
-    return matches;
+    return filterSilenced(matches, content, "VC081");
   }
 };
 var ssti = {
@@ -3744,7 +3853,7 @@ var ssti = {
       ));
     }
     if (!/(?:\.compile|\.render|renderString|render_template_string)\s*\(/.test(content)) {
-      return matches;
+      return filterSilenced(matches, content, "VC082");
     }
     const ctx = tryParse(content, filePath);
     if (!ctx) return matches;
@@ -3783,7 +3892,7 @@ var ssti = {
         );
       }
     );
-    return matches;
+    return filterSilenced(matches, content, "VC082");
   }
 };
 var javaDeserialization = {
@@ -4104,7 +4213,7 @@ var commandInjection = {
         matches.push(m);
       }
     }
-    return matches;
+    return filterSilenced(matches, content, "VC094");
   }
 };
 var corsLocalhost = {
@@ -6799,7 +6908,7 @@ var llmPromptInjection = {
         });
       }
     }
-    return findings;
+    return filterSilenced(findings, content, "VC198");
   }
 };
 var llmSystemPromptInjection = {
@@ -6836,7 +6945,7 @@ var llmSystemPromptInjection = {
         });
       }
     }
-    return findings;
+    return filterSilenced(findings, content, "VC199");
   }
 };
 var llmOutputAsHTML = {
@@ -6880,7 +6989,7 @@ var llmOutputAsHTML = {
         });
       }
     }
-    return findings;
+    return filterSilenced(findings, content, "VC200");
   }
 };
 var vectorStoreQueryNoUserFilter = {