xploitscan 1.0.9 → 1.0.10
- package/dist/index.js +31 -14
- package/dist/index.js.map +1 -1
- package/package.json +1 -1
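--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -577,15 +577,19 @@ var xssVulnerability = {
 ];
 const matches = [];
 for (const pattern of patterns) {
-
-
-
-
-
-
-() => "Sanitize user input before rendering as HTML. Use a library like DOMPurify: DOMPurify.sanitize(userInput)"
-)
+const raw = findMatches(
+content,
+pattern,
+xssVulnerability,
+filePath,
+() => "Sanitize user input before rendering as HTML. Use a library like DOMPurify: DOMPurify.sanitize(userInput)"
 );
+for (const m of raw) {
+const lineText = content.split("\n")[m.line - 1] || "";
+if (/\.innerHTML\s*=\s*['"]/.test(lineText) && !/\$\{/.test(lineText)) continue;
+if (/\.innerHTML\s*=\s*['"][^'"]*['"]\s*$/.test(lineText)) continue;
+matches.push(m);
+}
 }
 return matches;
 }
@@ -688,13 +692,21 @@ var nextPublicSecret = {
 ];
 const matches = [];
 for (const p of patterns) {
-
+const raw = findMatches(
 content,
 p,
 nextPublicSecret,
 filePath,
 () => "Remove the NEXT_PUBLIC_ prefix. Only use NEXT_PUBLIC_ for values safe to expose in the browser."
-)
+);
+for (const m of raw) {
+const lineText = content.split("\n")[m.line - 1] || "";
+if (/PUBLISHABLE|ANON_KEY|PUBLIC_KEY/i.test(lineText)) continue;
+if (/CLERK_PUBLISHABLE/i.test(lineText)) continue;
+if (/STRIPE_PUBLISHABLE/i.test(lineText)) continue;
+if (/=\s*["']?\s*$|=\s*["']?pk_(?:test|live)_["']?\s*$/.test(lineText)) continue;
+matches.push(m);
+}
 }
 return matches;
 }
@@ -766,6 +778,8 @@ var unvalidatedRedirect = {
 category: "Injection",
 description: "Redirecting users to URLs from untrusted input enables phishing attacks.",
 check(content, filePath) {
+if (isTestFile(filePath)) return [];
+if (/isAllowedRedirect|validateRedirect|isSafeRedirect|allowedDomains|trustedDomains|whitelist.*url|allowlist.*url/i.test(content)) return [];
 const patterns = [
 /window\.location\s*=\s*(?!["'`]https?:\/\/)/g,
 /window\.location\.href\s*=\s*(?!["'`]https?:\/\/)/g,
@@ -1394,21 +1408,24 @@ var complianceMap = {
 var consoleLogProduction = {
 id: "VC097",
 title: "Console.log Left in Production Code",
-severity: "
+severity: "low",
 category: "Performance",
 description: "console.log statements left in production code can leak sensitive data, slow down rendering, and clutter browser consoles.",
 check(content, filePath) {
-if (filePath
+if (isTestFile(filePath)) return [];
+if (/(?:migrate|seed|script|cli|setup|dev)\./i.test(filePath)) return [];
 if (!/console\.log\s*\(/g.test(content)) return [];
 const lines = content.split("\n");
+const logCount = lines.filter((l) => /console\.log\s*\(/.test(l.trim()) && !l.trim().startsWith("//")).length;
+if (logCount > 5) return [];
 const matches = [];
 for (let i = 0; i < lines.length; i++) {
 const line = lines[i].trim();
 if (/console\.log\s*\(/.test(line) && !line.startsWith("//") && !line.startsWith("*") && !/if\s*\(\s*(?:debug|process\.env)/i.test(lines[Math.max(0, i - 1)] + line)) {
-matches.push({ rule: "VC097", title: consoleLogProduction.title, severity: "
+matches.push({ rule: "VC097", title: consoleLogProduction.title, severity: "low", category: "Performance", file: filePath, line: i + 1, snippet: getSnippet(content, i + 1), fix: "Remove console.log or use a structured logger that can be disabled in production." });
 }
 }
-return matches.slice(0,
+return matches.slice(0, 1);
 }
 };
 var todoLeftInCode = {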
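Review bot: The first new innerHTML guard in the xssVulnerability hunk, `if (/\.innerHTML\s*=\s*['"]/.test(lineText) && !/\$\{/.test(lineText)) continue;`, drops every assignment whose right-hand side starts with a quote and has no `${`, so `el.innerHTML = "<p>" + userName + "</p>";` — plain string concatenation, the textbook DOM-XSS shape — is suppressed along with the pure literals, even though the following line already handles the literal-only case on its own. Excluding concatenation keeps the literal suppression while restoring that finding: `if (/\.innerHTML\s*=\s*['"]/.test(lineText) && !/\$\{|\+/.test(lineText)) continue;`, with the caveat that this is still a single-line heuristic and a template or concatenation that continues on the next line is not seen either. `content.split("\n")` is also re-run for every raw match inside the loop; splitting once before `for (const pattern of patterns)` avoids re-splitting the whole file per finding. The enclosing check function starts before this hunk. The unvalidatedRedirect hunk has a related weakness: the content-wide `/isAllowedRedirect|…/i.test(content)` disables the rule for the entire file whenever one of those names appears anywhere, including in a comment or an import the redirect sites never actually call.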