xploitscan 1.0.8 → 1.0.10

package/README.md

@@ -5,7 +5,7 @@
 
 **Security scanner for AI-generated code.** Find vulnerabilities before attackers do.
 
-Built for developers shipping code via Cursor, Lovable, Bolt, Replit, and Claude Code. 131 security rules. Plain-English results. Copy-paste fixes.
+Built for developers shipping code via Cursor, Lovable, Bolt, Replit, and Claude Code. 151 security rules. Plain-English results. Copy-paste fixes.
 
 ## Quick Start
 
@@ -17,7 +17,7 @@ No install, no config, no account required. Your code stays 100% local.
 
 ## What It Catches
 
-131 rules across 15+ categories:
+151 rules across 15+ categories:
 
 | Category | Examples | Rules |
 |----------|---------|-------|
@@ -130,7 +130,7 @@ Scan via the web at [xploitscan.com](https://xploitscan.com):
 - SOC2/ISO27001 compliance mapping
 - Slack and Discord webhook notifications
 
-**Free**: 5 scans/day, 30 core rules. **Pro** ($29/mo): unlimited scans, all 131 rules, and all dashboard features. **Team** ($99/mo): everything in Pro plus 5 seats, shared scan history, RBAC, and portfolio reports. Annual plans save 20%.
+**Free**: 5 scans/day, 30 core rules. **Pro** ($29/mo): unlimited scans, all 151 rules, and all dashboard features. **Team** ($99/mo): everything in Pro plus 5 seats, shared scan history, RBAC, and portfolio reports. Annual plans save 20%.
 
 ## Supported Languages
 

package/dist/index.js

@@ -398,7 +398,12 @@ var missingAuthMiddleware = {
       // Next.js API routes
       /export\s+(?:async\s+)?function\s+(?:GET|POST|PUT|PATCH|DELETE)\s*\(/gi
     ];
-    if (filePath.includes("test") || filePath.includes("spec") || filePath.includes("mock")) return [];
+    if (isTestFile(filePath)) return [];
+    if (filePath.match(/\.(md|txt|rst|html|css|json|yaml|yml)$/)) return [];
+    const isAuthRoute = /\/auth\/|\/login|\/signup|\/register|\/logout|\/password\/|\/forgot|\/reset/i.test(filePath);
+    if (isAuthRoute) return [];
+    const isWebhookRoute = /\/webhook/i.test(filePath);
+    if (isWebhookRoute) return [];
     const authPatterns = [
       /auth/i,
       /session/i,
@@ -409,6 +414,8 @@ var missingAuthMiddleware = {
       /currentUser/i,
       /isAuthenticated/i,
       /requireAuth/i,
+      /requireUser/i,
+      /requireUserForApi/i,
       /clerk/i,
       /supabase\.auth/i,
       /getServerSession/i,
@@ -420,7 +427,10 @@ var missingAuthMiddleware = {
       /withAuth/i,
       /passport/i,
       /firebase\.auth/i,
-      /cognito/i
+      /cognito/i,
+      /verifyCronSecret/i,
+      /verifySecret/i,
+      /checkApiKey/i
     ];
     const hasAuth = authPatterns.some((p) => p.test(content));
     if (hasAuth) return [];
@@ -482,18 +492,33 @@ var stripeWebhookUnprotected = {
   category: "Payment Security",
   description: "Stripe webhook endpoints without signature verification allow attackers to fake payment events.",
   check(content, filePath) {
-    if (!/stripe|webhook/i.test(content)) return [];
-    const hasWebhookRoute = /webhook/i.test(filePath) || /(?:post|handler).*webhook/i.test(content);
-    if (!hasWebhookRoute) return [];
-    const hasVerification = /constructEvent|verifyHeader|stripe-signature|webhook_secret/i.test(content);
-    if (hasVerification) return [];
-    return findMatches(
-      content,
-      /webhook/gi,
-      stripeWebhookUnprotected,
-      filePath,
-      () => "Verify the Stripe webhook signature using stripe.webhooks.constructEvent(body, sig, webhookSecret) to prevent forged payment events."
-    );
+    if (!filePath.match(/\.(js|ts|jsx|tsx|py|rb|go|java|php)$/)) return [];
+    if (isTestFile(filePath)) return [];
+    if (!/stripe/i.test(content)) return [];
+    const hasStripeWebhookHandler = /(?:stripe.*webhook|webhook.*stripe)/i.test(content) || /(?:checkout\.session\.completed|invoice\.paid|payment_intent|customer\.subscription)/i.test(content);
+    if (!hasStripeWebhookHandler) return [];
+    if (/constructEvent|verifyHeader|stripe[_-]?signature|webhook[_-]?secret|STRIPE_WEBHOOK_SECRET/i.test(content)) return [];
+    const handlerPatterns = [
+      // POST handler that processes Stripe events
+      /export\s+(?:async\s+)?function\s+POST\s*\(/g,
+      // Express-style Stripe webhook route
+      /\.(post|all)\s*\(\s*["'`][^"'`]*(?:stripe|webhook)[^"'`]*["'`]/gi,
+      // Event type checking without prior verification
+      /(?:event\.type|req\.body\.type)\s*===?\s*["'`](?:checkout|invoice|payment|customer)\./g
+    ];
+    const matches = [];
+    for (const pattern of handlerPatterns) {
+      matches.push(
+        ...findMatches(
+          content,
+          pattern,
+          stripeWebhookUnprotected,
+          filePath,
+          () => "Verify the Stripe webhook signature using stripe.webhooks.constructEvent(body, sig, webhookSecret) to prevent forged payment events."
+        )
+      );
+    }
+    return matches;
   }
 };
 var sqlInjection = {
@@ -552,15 +577,19 @@ var xssVulnerability = {
     ];
     const matches = [];
     for (const pattern of patterns) {
-      matches.push(
-        ...findMatches(
-          content,
-          pattern,
-          xssVulnerability,
-          filePath,
-          () => "Sanitize user input before rendering as HTML. Use a library like DOMPurify: DOMPurify.sanitize(userInput)"
-        )
+      const raw = findMatches(
+        content,
+        pattern,
+        xssVulnerability,
+        filePath,
+        () => "Sanitize user input before rendering as HTML. Use a library like DOMPurify: DOMPurify.sanitize(userInput)"
       );
+      for (const m of raw) {
+        const lineText = content.split("\n")[m.line - 1] || "";
+        if (/\.innerHTML\s*=\s*['"]/.test(lineText) && !/\$\{/.test(lineText)) continue;
+        if (/\.innerHTML\s*=\s*['"][^'"]*['"]\s*$/.test(lineText)) continue;
+        matches.push(m);
+      }
     }
     return matches;
   }
@@ -663,13 +692,21 @@ var nextPublicSecret = {
     ];
     const matches = [];
     for (const p of patterns) {
-      matches.push(...findMatches(
+      const raw = findMatches(
         content,
         p,
         nextPublicSecret,
         filePath,
         () => "Remove the NEXT_PUBLIC_ prefix. Only use NEXT_PUBLIC_ for values safe to expose in the browser."
-      ));
+      );
+      for (const m of raw) {
+        const lineText = content.split("\n")[m.line - 1] || "";
+        if (/PUBLISHABLE|ANON_KEY|PUBLIC_KEY/i.test(lineText)) continue;
+        if (/CLERK_PUBLISHABLE/i.test(lineText)) continue;
+        if (/STRIPE_PUBLISHABLE/i.test(lineText)) continue;
+        if (/=\s*["']?\s*$|=\s*["']?pk_(?:test|live)_["']?\s*$/.test(lineText)) continue;
+        matches.push(m);
+      }
     }
     return matches;
   }
@@ -741,6 +778,8 @@ var unvalidatedRedirect = {
   category: "Injection",
   description: "Redirecting users to URLs from untrusted input enables phishing attacks.",
   check(content, filePath) {
+    if (isTestFile(filePath)) return [];
+    if (/isAllowedRedirect|validateRedirect|isSafeRedirect|allowedDomains|trustedDomains|whitelist.*url|allowlist.*url/i.test(content)) return [];
     const patterns = [
       /window\.location\s*=\s*(?!["'`]https?:\/\/)/g,
       /window\.location\.href\s*=\s*(?!["'`]https?:\/\/)/g,
@@ -1119,16 +1158,31 @@ var dangerousInnerHTML = {
   description: "Using dangerouslySetInnerHTML without sanitization (DOMPurify) enables XSS attacks. User-controlled content injected as raw HTML can execute arbitrary JavaScript.",
   check(content, filePath) {
     if (!filePath.match(/\.(jsx|tsx)$/)) return [];
+    if (isTestFile(filePath)) return [];
     if (!/dangerouslySetInnerHTML/i.test(content)) return [];
     const hasSanitize = /DOMPurify|sanitize|purify|xss|sanitizeHtml|isomorphic-dompurify/i.test(content);
     if (hasSanitize) return [];
-    return findMatches(
-      content,
-      /dangerouslySetInnerHTML\s*=\s*\{\s*\{/g,
-      dangerousInnerHTML,
-      filePath,
-      () => "Sanitize HTML before using dangerouslySetInnerHTML: dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(content) }}. Install: npm install dompurify"
-    );
+    const findings = [];
+    const re = /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:\s*([^}]+)\}/g;
+    let m;
+    while ((m = re.exec(content)) !== null) {
+      if (isCommentLine(content, m.index)) continue;
+      const value = m[1].trim();
+      if (/^[A-Z][A-Z0-9_]+$/.test(value)) continue;
+      if (/^["'`][^$]*["'`]$/.test(value)) continue;
+      const lineNum = content.substring(0, m.index).split("\n").length;
+      findings.push({
+        rule: "VC063",
+        title: dangerousInnerHTML.title,
+        severity: "critical",
+        category: "Injection",
+        file: filePath,
+        line: lineNum,
+        snippet: getSnippet(content, lineNum),
+        fix: "Sanitize HTML before using dangerouslySetInnerHTML: dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(content) }}. Install: npm install dompurify"
+      });
+    }
+    return findings;
   }
 };
 function detectFramework(files) {
@@ -1354,21 +1408,24 @@ var complianceMap = {
 var consoleLogProduction = {
   id: "VC097",
   title: "Console.log Left in Production Code",
-  severity: "medium",
+  severity: "low",
   category: "Performance",
   description: "console.log statements left in production code can leak sensitive data, slow down rendering, and clutter browser consoles.",
   check(content, filePath) {
-    if (filePath.match(/test|spec|mock|__tests__|fixture|\.test\.|\.spec\./i)) return [];
+    if (isTestFile(filePath)) return [];
+    if (/(?:migrate|seed|script|cli|setup|dev)\./i.test(filePath)) return [];
     if (!/console\.log\s*\(/g.test(content)) return [];
     const lines = content.split("\n");
+    const logCount = lines.filter((l) => /console\.log\s*\(/.test(l.trim()) && !l.trim().startsWith("//")).length;
+    if (logCount > 5) return [];
     const matches = [];
     for (let i = 0; i < lines.length; i++) {
       const line = lines[i].trim();
       if (/console\.log\s*\(/.test(line) && !line.startsWith("//") && !line.startsWith("*") && !/if\s*\(\s*(?:debug|process\.env)/i.test(lines[Math.max(0, i - 1)] + line)) {
-        matches.push({ rule: "VC097", title: consoleLogProduction.title, severity: "medium", category: "Performance", file: filePath, line: i + 1, snippet: getSnippet(content, i + 1), fix: "Remove console.log or use a logger that can be disabled in production." });
+        matches.push({ rule: "VC097", title: consoleLogProduction.title, severity: "low", category: "Performance", file: filePath, line: i + 1, snippet: getSnippet(content, i + 1), fix: "Remove console.log or use a structured logger that can be disabled in production." });
       }
     }
-    return matches.slice(0, 3);
+    return matches.slice(0, 1);
   }
 };
 var todoLeftInCode = {
@@ -2496,6 +2553,8 @@ function scanEntropy(files) {
   for (const { path: filePath, content } of files) {
     if (SKIP_FILES.test(filePath)) continue;
     if (SKIP_FILENAMES.test(filePath)) continue;
+    const basename = filePath.split("/").pop() || "";
+    if (SKIP_FILENAMES.test(basename)) continue;
     if (filePath.includes("node_modules")) continue;
     if (filePath.includes(".min.")) continue;
     if (/(?:\.test\.|\.spec\.|__tests__|__mocks__|fixtures?\/)/i.test(filePath)) continue;
@@ -3470,9 +3529,9 @@ async function scanCommand(directory, options) {
   if (tier === "free" && !isSilent) {
     console.log("");
     if (userPlan === "anonymous") {
-      console.log(chalk2.gray("  Scanned with 30 free rules.") + chalk2.cyan(" Log in to unlock all 131 rules \u2192") + chalk2.bold(" xploitscan auth login"));
+      console.log(chalk2.gray("  Scanned with 30 free rules.") + chalk2.cyan(" Log in to unlock all 151 rules \u2192") + chalk2.bold(" xploitscan auth login"));
     } else {
-      console.log(chalk2.gray("  Scanned with 30 rules.") + chalk2.cyan(" Upgrade to Pro for all 131 rules \u2192") + chalk2.bold(" xploitscan upgrade"));
+      console.log(chalk2.gray("  Scanned with 30 rules.") + chalk2.cyan(" Upgrade to Pro for all 151 rules \u2192") + chalk2.bold(" xploitscan upgrade"));
     }
     console.log("");
   }