npm - xploitscan-shared-rules - Versions diffs - 1.9.0 → 1.11.0 - Mend

xploitscan-shared-rules 1.9.0 → 1.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.cjs CHANGED Viewed

@@ -635,6 +635,77 @@ function callPreservesTaint(node, rec) {
   }
   return false;
 }
+function isParamDerived(n, p) {
+  if (!n) return false;
+  if (n.type === "Identifier") return n.name === p;
+  if (n.type === "MemberExpression") return isParamDerived(n.object, p);
+  return false;
+}
+function formattedFlow(n, p) {
+  if (!n) return false;
+  switch (n.type) {
+    case "TemplateLiteral":
+      return n.expressions.some(
+        (e) => isParamDerived(e, p) || formattedFlow(e, p)
+      );
+    case "BinaryExpression":
+      if (n.operator !== "+") return false;
+      return isParamDerived(n.left, p) || isParamDerived(n.right, p) || formattedFlow(n.left, p) || formattedFlow(n.right, p);
+    case "ObjectExpression":
+      return n.properties.some(
+        (pr) => pr.type === "SpreadElement" && isParamDerived(pr.argument, p)
+      );
+    case "ArrayExpression":
+      return n.elements.some(
+        (el) => el != null && el.type === "SpreadElement" && isParamDerived(el.argument, p)
+      );
+    case "ConditionalExpression":
+      return formattedFlow(n.consequent, p) || formattedFlow(n.alternate, p);
+    case "AwaitExpression":
+      return formattedFlow(n.argument, p);
+    default:
+      return false;
+  }
+}
+function collectReturnArgs(fn) {
+  const out = [];
+  if (fn.type === "ArrowFunctionExpression" && fn.body.type !== "BlockStatement") {
+    out.push(fn.body);
+    return out;
+  }
+  const visit = (n) => {
+    if (!n || typeof n !== "object") return;
+    const node = n;
+    if (typeof node.type !== "string") return;
+    if (node.type === "ReturnStatement") {
+      const arg = node.argument;
+      if (arg) out.push(arg);
+      return;
+    }
+    if (node.type === "FunctionDeclaration" || node.type === "FunctionExpression" || node.type === "ArrowFunctionExpression") {
+      return;
+    }
+    for (const key of Object.keys(node)) {
+      const v = node[key];
+      if (Array.isArray(v)) v.forEach(visit);
+      else visit(v);
+    }
+  };
+  visit(fn.body);
+  return out;
+}
+function computePassthrough(fn) {
+  const params = fn.params ?? [];
+  const returns = collectReturnArgs(fn);
+  const out = /* @__PURE__ */ new Set();
+  for (let i = 0; i < params.length; i++) {
+    const param = params[i];
+    if (param.type !== "Identifier") continue;
+    const name = param.name;
+    if (returns.some((r) => formattedFlow(r, name))) out.add(i);
+  }
+  return out;
+}
 function buildTaintMap(parsed) {
   const tainted = /* @__PURE__ */ new Set();
   function markPatternTainted(target) {
@@ -728,6 +799,7 @@ function buildTaintMap(parsed) {
     if (node.type === "CallExpression") {
       if (nodeIsTaintedSource(node)) return true;
       if (callPreservesTaint(node, exprIsTainted)) return true;
+      if (localCallPropagates(node, exprIsTainted)) return true;
       if (node.callee.type === "MemberExpression") {
         if (exprIsTainted(node.callee.object)) return true;
         const obj = node.callee.object;
@@ -760,6 +832,34 @@ function buildTaintMap(parsed) {
     }
     return false;
   }
+  const fnPassthrough = /* @__PURE__ */ new Map();
+  const recordFn = (name, fn) => {
+    const pt = computePassthrough(fn);
+    if (pt.size > 0) fnPassthrough.set(name, pt);
+  };
+  traverse(parsed.ast, {
+    FunctionDeclaration(path) {
+      const n = path.node;
+      if (n.type === "FunctionDeclaration" && n.id && n.id.type === "Identifier") {
+        recordFn(n.id.name, n);
+      }
+    },
+    VariableDeclarator(path) {
+      const n = path.node;
+      if (n.type !== "VariableDeclarator" || n.id.type !== "Identifier" || !n.init) return;
+      if (n.init.type === "ArrowFunctionExpression" || n.init.type === "FunctionExpression") {
+        recordFn(n.id.name, n.init);
+      }
+    }
+  });
+  function localCallPropagates(node, rec) {
+    if (node.callee.type !== "Identifier") return false;
+    const pt = fnPassthrough.get(node.callee.name);
+    if (!pt) return false;
+    return node.arguments.some(
+      (a, i) => pt.has(i) && a.type !== "SpreadElement" && rec(a)
+    );
+  }
   traverse(parsed.ast, {
     VariableDeclarator(path) {
       const node = path.node;
@@ -844,6 +944,7 @@ function buildTaintMap(parsed) {
     }
     if (node.type === "CallExpression") {
       if (callPreservesTaint(node, isTainted)) return true;
+      if (localCallPropagates(node, isTainted)) return true;
       if (node.callee.type === "MemberExpression") {
         if (isTainted(node.callee.object)) return true;
         const obj = node.callee.object;
@@ -979,9 +1080,12 @@ var SERVER_SIDE_PATH_RE = new RegExp(
   ].join("|"),
   "i"
 );
-function isServerSideFile(filePath) {
+var SERVER_SIDE_CONTENT_RE = /\b(?:req|request)\.(?:body|query|params|headers|cookies)\b|\b(?:app|router)\.(?:get|post|put|patch|delete|use|all)\s*\(|\bctx\.request\b|\bevent\.(?:body|queryStringParameters|pathParameters)\b|\(\s*req\s*,\s*res\b/;
+function isServerSideFile(filePath, content) {
   if (isTestFile(filePath)) return false;
-  return SERVER_SIDE_PATH_RE.test(filePath);
+  if (SERVER_SIDE_PATH_RE.test(filePath)) return true;
+  if (content && SERVER_SIDE_CONTENT_RE.test(content)) return true;
+  return false;
 }
 var CONFIG_FILE_PATTERN = new RegExp(
   [
@@ -1194,7 +1298,7 @@ var missingAuthMiddleware = {
   category: "Authentication",
   description: "API routes without authentication checks allow unauthorized access.",
   check(content, filePath) {
-    if (!isServerSideFile(filePath)) return [];
+    if (!isServerSideFile(filePath, content)) return [];
     const routePatterns = [
       // Express/Hono style
       /\.(get|post|put|patch|delete)\s*\(\s*["'`][^"'`]+["'`]\s*,\s*(?:async\s+)?\(?(?:req|c|ctx)/gi,
@@ -2512,7 +2616,7 @@ var exposedStackTraces = {
   category: "Information Leakage",
   description: "Returning error.stack or detailed error messages in API responses reveals internal code paths, file structure, and dependencies to attackers.",
   check(content, filePath) {
-    if (!isServerSideFile(filePath)) return [];
+    if (!isServerSideFile(filePath, content)) return [];
     const matches = [];
     const patterns = [
       // Sending stack trace in response
@@ -2610,7 +2714,7 @@ var ssrfVulnerability = {
   category: "Injection",
   description: "Fetching URLs from user input without validation allows attackers to access internal services, cloud metadata endpoints (169.254.169.254), and private networks.",
   check(content, filePath) {
-    if (!isServerSideFile(filePath)) return [];
+    if (!isServerSideFile(filePath, content)) return [];
     const matches = [];
     const hasValidation = /allowedHosts|allowedDomains|allowedUrls|safeDomain|whitelist|urlValidator|new URL.*hostname.*includes|isAllowedUrl|validateUrl|isValidUrl/i.test(content);
     if (hasValidation) return [];
@@ -2667,7 +2771,7 @@ var massAssignment = {
   category: "Authorization",
   description: "Spreading or assigning request body directly into database models allows attackers to set fields they shouldn't (e.g., isAdmin, role, verified).",
   check(content, filePath) {
-    if (!isServerSideFile(filePath)) return [];
+    if (!isServerSideFile(filePath, content)) return [];
     const hasSanitization = /pick\(|omit\(|allowedFields|sanitize|whitelist|permit|strong_params/i.test(content);
     if (hasSanitization) return [];
     const matches = [];
@@ -2819,7 +2923,7 @@ var logInjection = {
   category: "Injection",
   description: "Logging unsanitized user input allows attackers to forge log entries, inject malicious content, or exploit log aggregation systems via newlines and special characters.",
   check(content, filePath) {
-    if (!isServerSideFile(filePath)) return [];
+    if (!isServerSideFile(filePath, content)) return [];
     const hasSanitization = /replace\s*\(\s*\/\[?\\r\\n\]|sanitizeLog|stripNewlines|sanitizeForLog/i.test(content);
     if (hasSanitization) return [];
     const matches = [];
@@ -2885,7 +2989,7 @@ var weakPasswordRequirements = {
     if (!/(?:password|passwd|pwd)/i.test(content)) return [];
     const isPasswordContext = /(?:register|signup|sign.up|createUser|create.user|changePassword|resetPassword|set.password|validatePassword|validate.password|passwordPolicy|password.policy)/i.test(
       content
-    ) || isServerSideFile(filePath);
+    ) || isServerSideFile(filePath, content);
     const matches = [];
     if (isPasswordContext) {
       const weakThresholdPatterns = [
@@ -4039,8 +4143,8 @@ var xxeVulnerability = {
     if (!/xml|parseXml|parseXML|DOMParser|SAXParser|etree|lxml|libxml/i.test(content)) return [];
     const matches = [];
     const patterns = [
-      /\.parseXm?l\s*\(/gi,
-      // catches parseXml (libxmljs) AND parseXML
+      /\.parseXm?l(?:String)?\s*\(/gi,
+      // parseXml / parseXML / parseXmlString (libxmljs)
       // NOTE: the browser `new DOMParser()` is intentionally NOT flagged.
       // Per the HTML/XML spec, DOMParser.parseFromString does not resolve
       // external entities, so it is not an XXE sink — flagging it produced a
@@ -4226,7 +4330,7 @@ var exposedAdminRoutes = {
   category: "Information Leakage",
   description: "Routes like /admin, /debug, /phpinfo, or /actuator without authentication expose sensitive controls and information to attackers.",
   check(content, filePath) {
-    if (!isServerSideFile(filePath)) return [];
+    if (!isServerSideFile(filePath, content)) return [];
     const matches = [];
     const patterns = [
       /[.'"]\s*(?:get|use|all)\s*\(\s*["'`]\/(?:admin|debug|_debug|__debug__|phpinfo|actuator|graphiql|playground|swagger|reset|seed|test|dev|mock)["'`]/gi
@@ -4318,7 +4422,7 @@ var missingContentDisposition = {
   description: "File download endpoints without Content-Disposition headers may render files inline, leading to XSS if the file contains HTML/JS.",
   check(content, filePath) {
     if (!/(?:download|sendFile|send_file|pipe|createReadStream)/i.test(content)) return [];
-    if (!isServerSideFile(filePath)) return [];
+    if (!isServerSideFile(filePath, content)) return [];
     if (/Content-Disposition|attachment|download/i.test(content)) return [];
     return findMatches(
       content,
@@ -4415,7 +4519,7 @@ var unprotectedDownload = {
   description: "File download endpoints that accept user-controlled filenames without path validation allow directory traversal to read arbitrary files.",
   check(content, filePath) {
     if (!/(?:download|sendFile|send_file)/i.test(content)) return [];
-    if (!isServerSideFile(filePath)) return [];
+    if (!isServerSideFile(filePath, content)) return [];
     const matches = [];
     if (/(?:sendFile|download|send_file)\s*\([^)]*(?:req\.|params\.|query\.|body\.)/i.test(content)) {
       const hasValidation = /path\.resolve|path\.normalize|path\.join.*__dirname|realpath|includes\s*\(\s*["']\.\./i.test(content);
@@ -4444,7 +4548,7 @@ var commandInjection = {
     const matches = [];
     const patterns = [
       // Node.js — require standalone exec/execSync, not db.exec() or conn.exec()
-      /(?<![.\w])(?:exec|execSync)\s*\(\s*(?:`[^`]*\$\{|["'][^"']*\+\s*(?:req\.|body\.|input|params|args|user))/gi,
+      /(?<![.\w])(?:exec|execSync)\s*\(\s*(?:`[^`]*\$\{|["'][^"']*["']\s*\+\s*(?:req\.|body\.|input|params|args|user))/gi,
       /child_process.*exec\s*\(\s*(?!["'`])/g,
       // spawn / execFile / exec with shell: true AND a template literal
       // first arg. `shell: true` converts the first argument into a string