npm - xploitscan - Versions diffs - 1.1.10 → 1.2.0 - Mend

xploitscan 1.1.10 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md +24 -0
package/dist/{api-62XVZKRV.js → api-4UFZFIDO.js} +2 -2
package/dist/{chunk-GPJLFSUZ.js → chunk-KE2IZNH6.js} +110 -1
package/dist/{chunk-GPJLFSUZ.js.map → chunk-KE2IZNH6.js.map} +1 -1
package/dist/index.js +117 -55
package/dist/index.js.map +1 -1
package/package.json +2 -2
/package/dist/{api-62XVZKRV.js.map → api-4UFZFIDO.js.map} +0 -0

package/README.md CHANGED Viewed

@@ -131,6 +131,30 @@ Create a `.xploitscanrc` file in your project root:
 }
 ```
+### `.xploitscanignore`
+A `.gitignore`-style file in your project root. Plain lines exclude whole
+files from scanning (negate with `!`). A line may also carry a trailing
+rule-ID list to suppress **only those rules** on matching paths while still
+scanning the files for everything else:
+```gitignore
+# Don't scan generated code at all
+generated/**
+# Allow log-injection (VC044) in internal cron scripts only
+scripts/cron/**        VC044
+# Silence two rules across all test files
+**/*.test.ts           VC031, VC043
+# Suppress every rule on a legacy tree (the `scanner` wildcard)
+legacy/**              scanner
+```
+For a single reviewed-and-accepted finding, prefer an inline
+`// VC<id>-OK: <reason>` comment instead of a file- or path-wide rule.
 ## Web Dashboard
 Scan via the web at [xploitscan.com](https://xploitscan.com):

package/dist/{api-62XVZKRV.js → api-4UFZFIDO.js} RENAMED Viewed

@@ -14,7 +14,7 @@ import {
   storeToken,
   syncUser,
   uploadScanResults
-} from "./chunk-GPJLFSUZ.js";
+} from "./chunk-KE2IZNH6.js";
 export {
   checkUsage,
   clearProRulesCache,
@@ -29,4 +29,4 @@ export {
   syncUser,
   uploadScanResults
 };
-//# sourceMappingURL=api-62XVZKRV.js.map
+//# sourceMappingURL=api-4UFZFIDO.js.map

package/dist/{chunk-GPJLFSUZ.js → chunk-KE2IZNH6.js} RENAMED Viewed

@@ -43509,8 +43509,69 @@ var TAINTED_REQUEST_OBJECTS = /* @__PURE__ */ new Set([
   "event"
   // Lambda
 ]);
+var FS_READ_METHODS = /* @__PURE__ */ new Set(["readFile", "readFileSync"]);
+var PARSE_OBJECTS = /* @__PURE__ */ new Set([
+  "JSON",
+  "csv",
+  "papa",
+  "Papa",
+  "yaml",
+  "YAML",
+  "toml",
+  "qs",
+  "querystring"
+]);
+var PARSE_BARE = /* @__PURE__ */ new Set(["parse", "parseSync"]);
+var ARRAY_ELEMENT_METHODS = /* @__PURE__ */ new Set([
+  "map",
+  "filter",
+  "forEach",
+  "find",
+  "findIndex",
+  "flatMap",
+  "some",
+  "every"
+]);
+var ARRAY_REDUCE_METHODS = /* @__PURE__ */ new Set(["reduce", "reduceRight"]);
+function callPreservesTaint(node, rec) {
+  const callee = node.callee;
+  const anyArgTainted = () => node.arguments.some((a) => a.type !== "SpreadElement" && rec(a));
+  if (callee.type === "MemberExpression" && callee.property.type === "Identifier") {
+    const pname = callee.property.name;
+    if (FS_READ_METHODS.has(pname)) return anyArgTainted();
+    if (pname === "parse" || pname === "parseSync") {
+      const obj = callee.object;
+      if (obj.type === "Identifier" && PARSE_OBJECTS.has(obj.name)) return anyArgTainted();
+    }
+  }
+  if (callee.type === "Identifier") {
+    if (FS_READ_METHODS.has(callee.name)) return anyArgTainted();
+    if (PARSE_BARE.has(callee.name)) return anyArgTainted();
+  }
+  return false;
+}
 function buildTaintMap(parsed) {
   const tainted = /* @__PURE__ */ new Set();
+  function markPatternTainted(target) {
+    if (target.type === "Identifier") {
+      tainted.add(target.name);
+    } else if (target.type === "ObjectPattern") {
+      for (const prop of target.properties) {
+        if (prop.type === "ObjectProperty" && prop.value.type === "Identifier") {
+          tainted.add(prop.value.name);
+        } else if (prop.type === "RestElement" && prop.argument.type === "Identifier") {
+          tainted.add(prop.argument.name);
+        }
+      }
+    } else if (target.type === "ArrayPattern") {
+      for (const el of target.elements) {
+        if (el && el.type === "Identifier") tainted.add(el.name);
+        else if (el && el.type === "RestElement" && el.argument.type === "Identifier") {
+          tainted.add(el.argument.name);
+        }
+      }
+    }
+  }
   function reachesRequestIdent(node) {
     if (!node) return false;
     if (node.type === "Identifier") return TAINTED_REQUEST_OBJECTS.has(node.name);
@@ -43581,6 +43642,7 @@ function buildTaintMap(parsed) {
     }
     if (node.type === "CallExpression") {
       if (nodeIsTaintedSource(node)) return true;
+      if (callPreservesTaint(node, exprIsTainted)) return true;
       if (node.callee.type === "MemberExpression") {
         if (exprIsTainted(node.callee.object)) return true;
         const obj = node.callee.object;
@@ -43601,6 +43663,16 @@ function buildTaintMap(parsed) {
     if (node.type === "AwaitExpression") {
       return exprIsTainted(node.argument);
     }
+    if (node.type === "ArrayExpression") {
+      return node.elements.some(
+        (el) => el != null && el.type === "SpreadElement" && exprIsTainted(el.argument)
+      );
+    }
+    if (node.type === "ObjectExpression") {
+      return node.properties.some(
+        (p) => p.type === "SpreadElement" && exprIsTainted(p.argument)
+      );
+    }
     return false;
   }
   traverse(parsed.ast, {
@@ -43635,6 +43707,32 @@ function buildTaintMap(parsed) {
       if (exprIsTainted(node.right)) {
         tainted.add(node.left.name);
       }
+    },
+    // for (const row of <tainted>) → row tainted (and destructured names).
+    ForOfStatement(path) {
+      const node = path.node;
+      if (node.type !== "ForOfStatement") return;
+      if (!exprIsTainted(node.right)) return;
+      const decl = node.left;
+      const target = decl.type === "VariableDeclaration" && decl.declarations[0] ? decl.declarations[0].id : decl;
+      markPatternTainted(target);
+    },
+    // Array-iteration element taint: <tainted>.map((row) => …) marks `row`
+    // tainted inside the callback. Gated on the receiver already being
+    // tainted, so this never originates taint.
+    CallExpression(path) {
+      const node = path.node;
+      if (node.type !== "CallExpression") return;
+      const callee = node.callee;
+      if (callee.type !== "MemberExpression" || callee.property.type !== "Identifier") return;
+      const method = callee.property.name;
+      const isReduce = ARRAY_REDUCE_METHODS.has(method);
+      if (!ARRAY_ELEMENT_METHODS.has(method) && !isReduce) return;
+      if (!exprIsTainted(callee.object)) return;
+      const cb = node.arguments[0];
+      if (!cb || cb.type !== "ArrowFunctionExpression" && cb.type !== "FunctionExpression") return;
+      const elemParam = cb.params[isReduce ? 1 : 0];
+      if (elemParam) markPatternTainted(elemParam);
     }
   });
   const isTainted = (node) => {
@@ -43660,6 +43758,7 @@ function buildTaintMap(parsed) {
       return isTainted(node.object);
     }
     if (node.type === "CallExpression") {
+      if (callPreservesTaint(node, isTainted)) return true;
       if (node.callee.type === "MemberExpression") {
         if (isTainted(node.callee.object)) return true;
         const obj = node.callee.object;
@@ -43677,6 +43776,16 @@ function buildTaintMap(parsed) {
         }
       }
     }
+    if (node.type === "ArrayExpression") {
+      return node.elements.some(
+        (el) => el != null && el.type === "SpreadElement" && isTainted(el.argument)
+      );
+    }
+    if (node.type === "ObjectExpression") {
+      return node.properties.some(
+        (p) => p.type === "SpreadElement" && isTainted(p.argument)
+      );
+    }
     return false;
   };
   return {
@@ -45896,4 +46005,4 @@ export {
   loadCachedProRules,
   clearProRulesCache
 };
-//# sourceMappingURL=chunk-GPJLFSUZ.js.map
+//# sourceMappingURL=chunk-KE2IZNH6.js.map