xploitscan 1.0.17 → 1.0.19

package/dist/index.js

@@ -540,26 +540,42 @@ var sqlInjection = {
   description: "String concatenation or template literals in SQL queries allow attackers to execute arbitrary database commands.",
   check(content, filePath) {
     const patterns = [
-      // Template literals in SQL
-      /(?:query|execute|raw|sql)\s*\(\s*`[^`]*\$\{/gi,
-      // String concatenation in SQL
-      /(?:query|execute)\s*\(\s*["'][^"']*["']\s*\+/gi,
-      // Direct variable interpolation
+      // Template literal passed as first arg to query/execute/raw/sql/
+      // queryRaw/queryRawUnsafe/execute. Examples that SHOULD fire:
+      //   db.query(`SELECT ... ${x}`)
+      //   prisma.$queryRawUnsafe(`... ${x}`)
+      //   knex.raw(`... ${x}`)
+      /(?:query|execute|raw|sql|queryRaw|queryRawUnsafe|executeRaw|executeRawUnsafe)\s*\(\s*`[^`]*\$\{/gi,
+      // String concatenation in SQL — now includes raw() and sql() and
+      // Drizzle's sql.raw() / Prisma's $queryRawUnsafe() variants. Previous
+      // version only covered query()/execute() and missed knex.raw("..." + x).
+      //
+      // The string literal part uses a proper "quoted string" regex that
+      // allows the opposite quote type inside (common in SQL — "WHERE x = 'a'").
+      // The older `[^"']*` class bailed out at the first inner quote and
+      // missed every realistic SQL-containing concat.
+      /(?:query|execute|raw|sql|queryRaw|queryRawUnsafe|executeRaw|executeRawUnsafe)\s*\(\s*(?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')\s*\+/gi,
+      // Direct variable interpolation in a SQL verb context
       /(?:SELECT|INSERT|UPDATE|DELETE|WHERE)\s+.*\$\{(?!.*parameterized)/gi
     ];
     const matches = [];
     const usesParams = /\?\s*,|\$\d+|:[\w]+|\bprepare\b|\bplaceholder\b/i.test(content);
     if (usesParams) return [];
     for (const pattern of patterns) {
-      matches.push(
-        ...findMatches(
-          content,
-          pattern,
-          sqlInjection,
-          filePath,
-          () => "Use parameterized queries or prepared statements instead of string interpolation. Example: db.query('SELECT * FROM users WHERE id = ?', [userId])"
-        )
+      const raw = findMatches(
+        content,
+        pattern,
+        sqlInjection,
+        filePath,
+        () => "Use parameterized queries or prepared statements instead of string interpolation. Example: db.query('SELECT * FROM users WHERE id = ?', [userId])"
       );
+      for (const m of raw) {
+        const lineText = content.split("\n")[m.line - 1] || "";
+        if (/\bPrisma\.sql\s*`/.test(lineText)) continue;
+        if (/\bsql\s*`/.test(lineText) && !/\bsql\.raw\s*\(/.test(lineText)) continue;
+        if (/\$queryRaw\s*\(\s*Prisma\.sql|\$executeRaw\s*\(\s*Prisma\.sql/.test(lineText)) continue;
+        matches.push(m);
+      }
     }
     return matches;
   }
@@ -4127,7 +4143,7 @@ async function cursorInstallCommand(opts = {}) {
 var program = new Command();
 program.name("xploitscan").description(
   "AI security scanner for vibe-coded apps. Find vulnerabilities before attackers do."
-).version("1.0.8");
+).version("1.0.19");
 program.command("scan").description("Scan a directory for security vulnerabilities").argument("[directory]", "Directory to scan", ".").option("--no-ai", "Skip AI-powered analysis").option("-f, --format <format>", "Output format: terminal, json, sarif", "terminal").option("-v, --verbose", "Show detailed output", false).option("--diff [base]", "Scan only files changed vs base branch (default: main)").option("-w, --watch", "Watch for file changes and re-scan automatically", false).action(async (directory, opts) => {
   await scanCommand(directory, {
     directory,