xploitscan 1.0.3 → 1.0.7

package/dist/templates/cursor-security.mdc

@@ -0,0 +1,112 @@
+---
+description: XploitScan security rules for AI-generated code. Apply when writing or modifying any backend, API, auth, payment, or config code.
+globs:
+  - "**/*.js"
+  - "**/*.jsx"
+  - "**/*.ts"
+  - "**/*.tsx"
+  - "**/*.py"
+  - "**/*.go"
+  - "**/*.rb"
+  - "**/*.php"
+  - "**/.env*"
+  - "**/Dockerfile"
+  - "**/docker-compose*.yml"
+alwaysApply: true
+---
+
+# XploitScan Security Rules
+
+These rules cover the most common security mistakes XploitScan finds in AI-generated code (Cursor, Bolt, Lovable, Replit). Follow them when generating new code or modifying existing code. Source: https://xploitscan.com
+
+## 1. Never trust webhook bodies without verifying signatures
+
+When implementing a webhook handler for Stripe, Clerk, GitHub, Resend, SendGrid, or any other provider:
+
+- ALWAYS read the raw request body, not parsed JSON. In Express that means `express.raw({ type: "application/json" })`, not `express.json()`.
+- ALWAYS verify the provider's signature header before using any body fields.
+- For Stripe specifically: use `stripe.webhooks.constructEvent(rawBody, signature, secret)`. Do NOT just `JSON.parse(req.body)` and trust `event.type`. An attacker can send any payload they want.
+- Throw / return 400 if verification fails. Never fall through to processing.
+
+## 2. Never hardcode secrets in source
+
+- Never write API keys, tokens, passwords, JWT secrets, database URLs, or webhook secrets as string literals in any committed file.
+- Never put real secret values in `.env.example` or any committed `.env*` file. Use placeholder values like `your_api_key_here`.
+- All secrets must be read from `process.env.X` (Node) / `os.environ["X"]` (Python) / equivalent at runtime.
+- Service-account keys, Firebase config with API keys, and OAuth client secrets count as secrets.
+
+## 3. Every API route needs an explicit auth check
+
+When generating any HTTP route handler that touches user data, billing, admin, or write operations:
+
+- Verify the caller's identity at the top of the handler (Clerk `auth()`, Supabase `getUser()`, NextAuth `getServerSession()`, etc).
+- Check permissions / role / ownership BEFORE the database query, not after.
+- Routes named `/admin/*`, `/api/internal/*`, `/api/users/[id]/...`, or anything dealing with billing must reject unauthenticated requests with 401.
+- For object access (getting user 123's data), verify `caller.id === resource.userId` — IDOR is the most common vibe-coded vulnerability.
+
+## 4. Never build SQL with string concatenation or template literals
+
+- ALWAYS use parameterized queries / prepared statements / an ORM with bind parameters.
+- Forbidden: `` `SELECT * FROM users WHERE id = ${req.params.id}` ``
+- Required: `db.query('SELECT * FROM users WHERE id = $1', [req.params.id])` or equivalent ORM method.
+- Same rule applies to LIKE patterns, ORDER BY clauses, and column names — escape or whitelist, never interpolate.
+
+## 5. CORS must be specific, never wildcard with credentials
+
+- `Access-Control-Allow-Origin: *` combined with `Access-Control-Allow-Credentials: true` is rejected by browsers but signals you don't understand CORS.
+- Set `origin` to the exact domain(s) your frontend runs on, or use a function that allowlists known domains.
+- For Next.js API routes: never set `Access-Control-Allow-Origin: *` on routes that read cookies or session tokens.
+
+## 6. User-controlled URLs must be validated before fetch / redirect
+
+When implementing a "preview link" feature, "import from URL", "OAuth callback", or any handler that takes a URL parameter and either fetches it or redirects to it:
+
+- Reject any URL whose hostname is in a private CIDR (`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`, `127.0.0.0/8`, `169.254.169.254` AWS metadata).
+- For redirect handlers, allowlist the destination domains. Never blindly redirect to a user-supplied URL.
+- For server-side fetch handlers (SSRF protection), use a library like `ssrf-req-filter` or implement DNS-based validation.
+
+## 7. Never put session tokens or PII in localStorage
+
+- `localStorage.setItem('token', ...)` and `localStorage.setItem('access_token', ...)` are forbidden — XSS can read it.
+- Use HttpOnly secure cookies for session tokens. The browser sends them automatically.
+- The same rule applies to React Native `AsyncStorage` for tokens.
+
+## 8. Never use eval, new Function, or child_process.exec with user input
+
+- `eval(req.body.expr)` is RCE.
+- `new Function(userInput)()` is RCE.
+- `exec("convert " + req.body.filename)` is command injection — use `execFile("convert", [req.body.filename])` or escape with `shell-quote`.
+
+## 9. Set the standard security headers on every response
+
+When generating Express, Next.js, or Hono setup code, include security headers:
+
+- `Content-Security-Policy: default-src 'self'` (and progressively relax for needed sources)
+- `Strict-Transport-Security: max-age=63072000; includeSubDomains; preload`
+- `X-Content-Type-Options: nosniff`
+- `X-Frame-Options: DENY`
+- `Referrer-Policy: strict-origin-when-cross-origin`
+
+For Next.js, set these in `next.config.js` `headers()`. For Express, use `helmet()`.
+
+## 10. dangerouslySetInnerHTML and v-html require sanitization
+
+- Never pass user content to `dangerouslySetInnerHTML` (React) or `v-html` (Vue) without sanitizing.
+- Use `DOMPurify.sanitize(userContent)` first.
+- Better: render markdown via `react-markdown` with default sanitization instead of converting to HTML.
+
+## 11. JWT verification must check signature, not just decode
+
+- `jwt.decode()` does NOT verify the signature — it just parses the payload. Never trust it.
+- Use `jwt.verify(token, secret, { algorithms: ['HS256'] })` and always pin the algorithm. Without `algorithms`, `alg: none` attacks become possible.
+
+## 12. Don't log secrets, tokens, or PII
+
+- `console.log({ user, token })` may leak credentials into Vercel/CloudWatch logs.
+- Strip `password`, `token`, `secret`, `apiKey`, `creditCard`, `ssn`, `authorization` headers, etc., before logging.
+- Same for error messages returned to the client — don't echo back the request body.
+
+---
+
+If you're unsure whether something is safe, scan with XploitScan: `npx xploitscan scan .`
+Full ruleset and explanations: https://xploitscan.com/docs

package/dist/templates/cursorrules-legacy.txt

@@ -0,0 +1,51 @@
+# XploitScan security rules (legacy .cursorrules format)
+# Modern format: .cursor/rules/xploitscan-security.mdc — see https://xploitscan.com/cursor
+
+When generating or modifying any backend, API, auth, payment, config, or DB code, follow these security rules. Source: https://xploitscan.com
+
+1. WEBHOOKS MUST BE SIGNATURE-VERIFIED
+   - Stripe: use stripe.webhooks.constructEvent with the raw body and signature header. Use express.raw, not express.json. Never trust event.type from req.body without verification.
+   - Clerk / GitHub / Resend / SendGrid webhooks: same rule, use the provider's verify function.
+   - Throw / return 400 on verification failure. Never fall through.
+
+2. NO HARDCODED SECRETS
+   - No string literal API keys, tokens, passwords, JWT secrets, DB URLs, or webhook secrets in source.
+   - .env.example must contain placeholder values like "your_api_key_here", never real secrets.
+   - Read all secrets from process.env at runtime.
+
+3. EVERY API ROUTE NEEDS EXPLICIT AUTH
+   - Verify identity at the top of the handler before any DB query.
+   - Check role / permissions / resource ownership before reading or writing.
+   - For object access, verify caller.id === resource.userId (IDOR is the top vibe-coded vulnerability).
+
+4. NO STRING-CONCATENATED SQL
+   - Always use parameterized queries / ORM bind parameters.
+   - Forbidden: `SELECT * FROM users WHERE id = ${id}`
+   - Required: db.query('SELECT * FROM users WHERE id = $1', [id])
+
+5. CORS WILDCARDS WITH CREDENTIALS ARE FORBIDDEN
+   - Never combine Access-Control-Allow-Origin: * with Allow-Credentials: true.
+   - Allowlist exact origins.
+
+6. SSRF: VALIDATE USER-CONTROLLED URLS BEFORE FETCH OR REDIRECT
+   - Reject private CIDRs (10/8, 172.16/12, 192.168/16, 127/8, 169.254.169.254).
+   - Allowlist destinations for redirect handlers.
+
+7. NEVER PUT SESSION TOKENS IN LOCALSTORAGE
+   - Use HttpOnly secure cookies. Same for React Native AsyncStorage.
+
+8. NEVER eval / new Function / exec WITH USER INPUT
+   - Use execFile with arg arrays, not exec with concatenated strings.
+
+9. SET SECURITY HEADERS BY DEFAULT
+   - CSP, HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy. Use helmet() for Express, headers() in next.config.js.
+
+10. dangerouslySetInnerHTML / v-html REQUIRE DOMPurify
+
+11. JWT.VERIFY, NEVER JWT.DECODE
+    - Always pin algorithms: jwt.verify(token, secret, { algorithms: ['HS256'] })
+
+12. DON'T LOG SECRETS
+    - Strip password, token, secret, apiKey, authorization, ssn, creditCard before any log call.
+
+If unsure, scan with: npx xploitscan scan .

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "xploitscan",
-  "version": "1.0.3",
+  "version": "1.0.7",
   "description": "AI security scanner for vibe-coded apps. Find vulnerabilities before attackers do.",
   "type": "module",
   "bin": {
@@ -13,6 +13,7 @@
     "dist/chunk-*.js.map",
     "dist/api-*.js",
     "dist/api-*.js.map",
+    "dist/templates/",
     "README.md",
     "LICENSE"
   ],