;
// CommonJS interop prologue as emitted by the TypeScript compiler: tag the
// module as a transpiled ES module and pre-declare the single named export
// so that `exports.InsecureHttpRule` exists before the class is defined.
Object.defineProperty(exports, "__esModule", { value: true });
exports.InsecureHttpRule = undefined;
// BaseRule is expected to provide findMatches() and createIssue(), which the
// rule below calls but does not define itself.
const types_1 = require("../types");
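class InsecureHttpRule extends types_1.BaseRule {
  /**
   * Scanner rule that flags plaintext HTTP usage (URLs, client calls, server
   * and cookie settings) where HTTPS would be expected. Findings whose line
   * or file looks like a local/dev/test context are suppressed by the
   * heuristics in `safePatterns` and `isTestFile()`.
   */
  constructor() {
    super(...arguments);
    this.name = 'insecure-http';
    this.description = 'Detects insecure HTTP usage instead of HTTPS';
    this.severity = 'medium';
    // Each entry's `pattern` is run over the whole file by findMatches();
    // `type` labels the finding. Several patterns overlap, so one line can
    // produce more than one finding (a quoted http:// URL inside fetch()
    // matches both 'HTTP URL' and 'HTTP Fetch Request').
    this.httpPatterns = [
      // Direct HTTP URLs (loopback hosts are excluded by the lookahead)
      { pattern: /['"`]http:\/\/(?!localhost|127\.0\.0\.1|0\.0\.0\.0)[^'"`\s]+['"`]/gi, type: 'HTTP URL' },
      // API endpoints
      { pattern: /(?:api_url|endpoint|base_url)\s*[:=]\s*['"`]http:\/\/[^'"`\s]+['"`]/gi, type: 'HTTP API Endpoint' },
      { pattern: /fetch\s*\(\s*['"`]http:\/\/[^'"`\s]+['"`]/gi, type: 'HTTP Fetch Request' },
      { pattern: /axios\.(?:get|post|put|delete)\s*\(\s*['"`]http:\/\/[^'"`\s]+['"`]/gi, type: 'HTTP Axios Request' },
      // Configuration
      { pattern: /(?:protocol|scheme)\s*[:=]\s*['"`]http['"`]/gi, type: 'HTTP Protocol Configuration' },
      // Assignment form only: the `secure: false` property form is reported
      // once by the cookie pattern below, rather than twice under two labels.
      { pattern: /secure\s*=\s*false/gi, type: 'Insecure Configuration' },
      // Express/Node.js specific
      { pattern: /app\.listen\s*\(\s*\d+\s*,\s*['"`]0\.0\.0\.0['"`]/gi, type: 'HTTP Server Binding' },
      // The negative lookbehind keeps `https.createServer(...)` from being
      // reported as a plaintext server; the lookahead still skips calls whose
      // arguments mention https on the same line.
      { pattern: /(?<!https\.)createServer\s*\(\s*(?!.*https)/gi, type: 'HTTP Server Creation' },
      // Cookie security
      { pattern: /httpOnly\s*:\s*false/gi, type: 'Insecure Cookie Configuration' },
      { pattern: /secure\s*:\s*false/gi, type: 'Insecure Cookie Security' },
      // Mixed content
      { pattern: /src\s*=\s*['"`]http:\/\/[^'"`\s]+['"`]/gi, type: 'Mixed Content Resource' },
      { pattern: /href\s*=\s*['"`]http:\/\/[^'"`\s]+['"`]/gi, type: 'Mixed Content Link' },
      // Framework specific
      { pattern: /@RequestMapping.*http:/gi, type: 'HTTP Spring Mapping' },
      { pattern: /ALLOWED_HOSTS\s*=\s*\[\s*['"`]\*['"`]/gi, type: 'Permissive Host Configuration' }
    ];
    // Suppression heuristics, tested against the matched text and its whole
    // line. They must stay without the g/y flags: RegExp#test is stateful
    // with those and would start skipping matches.
    // NOTE(review): `/dev/i` and `/test/i` are bare substrings, so a line
    // containing "device" or "latest" also suppresses the finding; tighten
    // with word boundaries if this proves too lenient.
    this.safePatterns = [
      /localhost/i,
      /127\.0\.0\.1/,
      /0\.0\.0\.0/,
      /\.local/i,
      /development/i,
      /dev/i,
      /staging/i,
      /test/i,
      /mock/i,
      /example/i,
      /placeholder/i
    ];
  }

  /**
   * Runs every `httpPatterns` entry over the file and returns one issue per
   * match that is not suppressed.
   * @param {{ path: string, content: string }} fileContent - file to scan
   * @returns {Array} issues built by createIssue() (empty for test/dev files)
   */
  check(fileContent) {
    const issues = [];
    // The path heuristic applies to the whole file, so decide it once instead
    // of re-evaluating it for every match.
    if (this.isTestFile(fileContent.path)) {
      return issues;
    }
    for (const { pattern, type } of this.httpPatterns) {
      const matches = this.findMatches(fileContent.content, pattern);
      for (const { match, line, column, lineContent } of matches) {
        const matchedText = match[0];
        // Skip matches in a development/test context. Both the match and the
        // line are tested because a multi-line match may not be fully
        // contained in `lineContent`.
        if (this.isDevelopmentContext(matchedText) || this.isDevelopmentContext(lineContent)) {
          continue;
        }
        issues.push(this.createIssue(fileContent.path, line, column, lineContent, `Insecure ${type} detected: ${this.extractUrl(matchedText)}`, `Use HTTPS instead of HTTP for secure communication. Replace 'http://' with 'https://' and ensure SSL/TLS certificates are properly configured.`));
      }
    }
    return issues;
  }

  /**
   * @param {string} text - matched text or a full source line
   * @returns {boolean} true when any `safePatterns` entry matches
   */
  isDevelopmentContext(text) {
    return this.safePatterns.some(pattern => pattern.test(text));
  }

  /**
   * Heuristic: does the path look like a test, dev or local file? A positive
   * answer suppresses every finding in that file.
   * NOTE(review): `/test/i`, `/dev/i` and `/local/i` match bare substrings,
   * so paths such as `latest.js`, `device.js` or `locale.js` are skipped too.
   * @param {string} filePath
   * @returns {boolean}
   */
  isTestFile(filePath) {
    const testPatterns = [
      /test/i,
      /spec/i,
      /\.test\./i,
      /\.spec\./i,
      /__tests__/i,
      /tests\//i,
      /spec\//i,
      /dev/i,
      /development/i,
      /local/i
    ];
    return testPatterns.some(pattern => pattern.test(filePath));
  }

  /**
   * Pulls the first http:// URL out of a match for the issue message.
   * @param {string} text - matched text
   * @returns {string} the URL, or `text` unchanged when it holds no URL
   *   (e.g. a `secure: false` match)
   */
  extractUrl(text) {
    const urlMatch = text.match(/http:\/\/[^'"`\s]+/);
    return urlMatch ? urlMatch[0] : text;
  }
}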
// Publish the rule under its class name (CommonJS named export).
Object.assign(exports, { InsecureHttpRule });
//# sourceMappingURL=insecure-http.js.map