xploitscan 1.0.8 → 1.0.9

package/README.md

@@ -5,7 +5,7 @@
 
 **Security scanner for AI-generated code.** Find vulnerabilities before attackers do.
 
-Built for developers shipping code via Cursor, Lovable, Bolt, Replit, and Claude Code. 131 security rules. Plain-English results. Copy-paste fixes.
+Built for developers shipping code via Cursor, Lovable, Bolt, Replit, and Claude Code. 151 security rules. Plain-English results. Copy-paste fixes.
 
 ## Quick Start
 
@@ -17,7 +17,7 @@ No install, no config, no account required. Your code stays 100% local.
 
 ## What It Catches
 
-131 rules across 15+ categories:
+151 rules across 15+ categories:
 
 | Category | Examples | Rules |
 |----------|---------|-------|
@@ -130,7 +130,7 @@ Scan via the web at [xploitscan.com](https://xploitscan.com):
 - SOC2/ISO27001 compliance mapping
 - Slack and Discord webhook notifications
 
-**Free**: 5 scans/day, 30 core rules. **Pro** ($29/mo): unlimited scans, all 131 rules, and all dashboard features. **Team** ($99/mo): everything in Pro plus 5 seats, shared scan history, RBAC, and portfolio reports. Annual plans save 20%.
+**Free**: 5 scans/day, 30 core rules. **Pro** ($29/mo): unlimited scans, all 151 rules, and all dashboard features. **Team** ($99/mo): everything in Pro plus 5 seats, shared scan history, RBAC, and portfolio reports. Annual plans save 20%.
 
 ## Supported Languages
 

package/dist/index.js

@@ -398,7 +398,12 @@ var missingAuthMiddleware = {
       // Next.js API routes
       /export\s+(?:async\s+)?function\s+(?:GET|POST|PUT|PATCH|DELETE)\s*\(/gi
     ];
-    if (filePath.includes("test") || filePath.includes("spec") || filePath.includes("mock")) return [];
+    if (isTestFile(filePath)) return [];
+    if (filePath.match(/\.(md|txt|rst|html|css|json|yaml|yml)$/)) return [];
+    const isAuthRoute = /\/auth\/|\/login|\/signup|\/register|\/logout|\/password\/|\/forgot|\/reset/i.test(filePath);
+    if (isAuthRoute) return [];
+    const isWebhookRoute = /\/webhook/i.test(filePath);
+    if (isWebhookRoute) return [];
     const authPatterns = [
       /auth/i,
       /session/i,
@@ -409,6 +414,8 @@ var missingAuthMiddleware = {
       /currentUser/i,
       /isAuthenticated/i,
       /requireAuth/i,
+      /requireUser/i,
+      /requireUserForApi/i,
       /clerk/i,
       /supabase\.auth/i,
       /getServerSession/i,
@@ -420,7 +427,10 @@ var missingAuthMiddleware = {
       /withAuth/i,
       /passport/i,
       /firebase\.auth/i,
-      /cognito/i
+      /cognito/i,
+      /verifyCronSecret/i,
+      /verifySecret/i,
+      /checkApiKey/i
     ];
     const hasAuth = authPatterns.some((p) => p.test(content));
     if (hasAuth) return [];
@@ -482,18 +492,33 @@ var stripeWebhookUnprotected = {
   category: "Payment Security",
   description: "Stripe webhook endpoints without signature verification allow attackers to fake payment events.",
   check(content, filePath) {
-    if (!/stripe|webhook/i.test(content)) return [];
-    const hasWebhookRoute = /webhook/i.test(filePath) || /(?:post|handler).*webhook/i.test(content);
-    if (!hasWebhookRoute) return [];
-    const hasVerification = /constructEvent|verifyHeader|stripe-signature|webhook_secret/i.test(content);
-    if (hasVerification) return [];
-    return findMatches(
-      content,
-      /webhook/gi,
-      stripeWebhookUnprotected,
-      filePath,
-      () => "Verify the Stripe webhook signature using stripe.webhooks.constructEvent(body, sig, webhookSecret) to prevent forged payment events."
-    );
+    if (!filePath.match(/\.(js|ts|jsx|tsx|py|rb|go|java|php)$/)) return [];
+    if (isTestFile(filePath)) return [];
+    if (!/stripe/i.test(content)) return [];
+    const hasStripeWebhookHandler = /(?:stripe.*webhook|webhook.*stripe)/i.test(content) || /(?:checkout\.session\.completed|invoice\.paid|payment_intent|customer\.subscription)/i.test(content);
+    if (!hasStripeWebhookHandler) return [];
+    if (/constructEvent|verifyHeader|stripe[_-]?signature|webhook[_-]?secret|STRIPE_WEBHOOK_SECRET/i.test(content)) return [];
+    const handlerPatterns = [
+      // POST handler that processes Stripe events
+      /export\s+(?:async\s+)?function\s+POST\s*\(/g,
+      // Express-style Stripe webhook route
+      /\.(post|all)\s*\(\s*["'`][^"'`]*(?:stripe|webhook)[^"'`]*["'`]/gi,
+      // Event type checking without prior verification
+      /(?:event\.type|req\.body\.type)\s*===?\s*["'`](?:checkout|invoice|payment|customer)\./g
+    ];
+    const matches = [];
+    for (const pattern of handlerPatterns) {
+      matches.push(
+        ...findMatches(
+          content,
+          pattern,
+          stripeWebhookUnprotected,
+          filePath,
+          () => "Verify the Stripe webhook signature using stripe.webhooks.constructEvent(body, sig, webhookSecret) to prevent forged payment events."
+        )
+      );
+    }
+    return matches;
   }
 };
 var sqlInjection = {
@@ -1119,16 +1144,31 @@ var dangerousInnerHTML = {
   description: "Using dangerouslySetInnerHTML without sanitization (DOMPurify) enables XSS attacks. User-controlled content injected as raw HTML can execute arbitrary JavaScript.",
   check(content, filePath) {
     if (!filePath.match(/\.(jsx|tsx)$/)) return [];
+    if (isTestFile(filePath)) return [];
     if (!/dangerouslySetInnerHTML/i.test(content)) return [];
     const hasSanitize = /DOMPurify|sanitize|purify|xss|sanitizeHtml|isomorphic-dompurify/i.test(content);
     if (hasSanitize) return [];
-    return findMatches(
-      content,
-      /dangerouslySetInnerHTML\s*=\s*\{\s*\{/g,
-      dangerousInnerHTML,
-      filePath,
-      () => "Sanitize HTML before using dangerouslySetInnerHTML: dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(content) }}. Install: npm install dompurify"
-    );
+    const findings = [];
+    const re = /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:\s*([^}]+)\}/g;
+    let m;
+    while ((m = re.exec(content)) !== null) {
+      if (isCommentLine(content, m.index)) continue;
+      const value = m[1].trim();
+      if (/^[A-Z][A-Z0-9_]+$/.test(value)) continue;
+      if (/^["'`][^$]*["'`]$/.test(value)) continue;
+      const lineNum = content.substring(0, m.index).split("\n").length;
+      findings.push({
+        rule: "VC063",
+        title: dangerousInnerHTML.title,
+        severity: "critical",
+        category: "Injection",
+        file: filePath,
+        line: lineNum,
+        snippet: getSnippet(content, lineNum),
+        fix: "Sanitize HTML before using dangerouslySetInnerHTML: dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(content) }}. Install: npm install dompurify"
+      });
+    }
+    return findings;
   }
 };
 function detectFramework(files) {
@@ -2496,6 +2536,8 @@ function scanEntropy(files) {
   for (const { path: filePath, content } of files) {
     if (SKIP_FILES.test(filePath)) continue;
     if (SKIP_FILENAMES.test(filePath)) continue;
+    const basename = filePath.split("/").pop() || "";
+    if (SKIP_FILENAMES.test(basename)) continue;
     if (filePath.includes("node_modules")) continue;
     if (filePath.includes(".min.")) continue;
     if (/(?:\.test\.|\.spec\.|__tests__|__mocks__|fixtures?\/)/i.test(filePath)) continue;
@@ -3470,9 +3512,9 @@ async function scanCommand(directory, options) {
   if (tier === "free" && !isSilent) {
     console.log("");
     if (userPlan === "anonymous") {
-      console.log(chalk2.gray("  Scanned with 30 free rules.") + chalk2.cyan(" Log in to unlock all 131 rules \u2192") + chalk2.bold(" xploitscan auth login"));
+      console.log(chalk2.gray("  Scanned with 30 free rules.") + chalk2.cyan(" Log in to unlock all 151 rules \u2192") + chalk2.bold(" xploitscan auth login"));
     } else {
-      console.log(chalk2.gray("  Scanned with 30 rules.") + chalk2.cyan(" Upgrade to Pro for all 131 rules \u2192") + chalk2.bold(" xploitscan upgrade"));
+      console.log(chalk2.gray("  Scanned with 30 rules.") + chalk2.cyan(" Upgrade to Pro for all 151 rules \u2192") + chalk2.bold(" xploitscan upgrade"));
     }
     console.log("");
   }