UNPKG

vibesec

Version:

Security scanner for AI-generated code - detects vulnerabilities in vibe-coded projects

github.com/ferg-cod3s/vibesec-bun-poc

ferg-cod3s/vibesec-bun-poc

148 lines (132 loc) 5.73 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
# Authentication & Authorization Security Rules # These rules detect common authentication and authorization vulnerabilities # in AI-generated code that may skip security best practices rules: - id: weak-password-validation severity: high category: auth name: Weak Password Validation description: Password validation is missing or insufficiently strict patterns: - "password\\.length\\s*[<>=!]+\\s*[1-6]" - "len\\(password\\)\\s*[<>=!]+\\s*[1-6]" - "if.*password.*length.*[<>=!]\\s*[1-6]" - "password\\s*==\\s*[\"'][^\"']{1,6}[\"']" risk: Weak password requirements allow users to create easily guessable passwords, making accounts vulnerable to brute-force attacks fix: | Implement strong password requirements: minimum 12 characters, mix of uppercase, lowercase, numbers, and special characters Before: if (password.length < 6) { return false; } After: if (password.length < 12 || !/[A-Z]/.test(password) || !/[a-z]/.test(password) || !/[0-9]/.test(password) || !/[^A-Za-z0-9]/.test(password)) { return false; } references: - https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy - https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html cwe: CWE-521 owasp: OWASP A7:2021 - id: missing-rate-limiting severity: critical category: auth name: Missing Rate Limiting on Authentication description: Authentication endpoints lack rate limiting, allowing brute-force attacks patterns: - "@app\\.route\\([\"'].*login[\"'].*\\).*\\n.*def\\s+\\w+\\([^)]*\\):\\s*\\n(?!.*rate_limit)" - "app\\.(get|post)\\([\"'].*login[\"'].*\\)(?!.*rateLimit)" - "router\\.(get|post)\\([\"'].*login[\"'].*\\)(?!.*rateLimit)" - "def\\s+(login|signin|authenticate)\\([^)]*\\):(?!.*@limiter)" risk: Without rate limiting, attackers can attempt unlimited authentication attempts, enabling brute-force and credential stuffing attacks fix: | Implement rate limiting on authentication endpoints using middleware or decorators Before: app.post('/login', async (req, res) => { const user = await authenticate(req.body); }); After: const rateLimit = require('express-rate-limit'); const loginLimiter = rateLimit({ windowMs: 15 * 60 * 1000, // 15 minutes max: 5, // limit each IP to 5 requests per windowMs message: 'Too many login attempts, please try again later' }); app.post('/login', loginLimiter, async (req, res) => { const user = await authenticate(req.body); }); references: - https://owasp.org/www-community/controls/Blocking_Brute_Force_Attacks - https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html cwe: CWE-307 owasp: OWASP A7:2021 - id: insecure-session-config severity: high category: auth name: Insecure Session Configuration description: Session cookies lack security flags (httpOnly, secure, sameSite) patterns: - "session\\([^)]*\\)(?!.*httpOnly)" - "cookie\\([^)]*\\)(?!.*httpOnly)" - "set_cookie\\([^)]*\\)(?!.*httponly)" - "SESSION_COOKIE_SECURE\\s*=\\s*False" - "SESSION_COOKIE_HTTPONLY\\s*=\\s*False" - "SESSION_COOKIE_SAMESITE\\s*=\\s*None" risk: Sessions without security flags are vulnerable to XSS attacks (no httpOnly), interception (no secure), and CSRF attacks (no sameSite) fix: | Always set httpOnly, secure, and sameSite flags on session cookies Before: res.cookie('sessionId', token); After: res.cookie('sessionId', token, { httpOnly: true, // Prevents JavaScript access secure: true, // HTTPS only sameSite: 'strict' // CSRF protection }); Python/Flask: app.config['SESSION_COOKIE_HTTPONLY'] = True app.config['SESSION_COOKIE_SECURE'] = True app.config['SESSION_COOKIE_SAMESITE'] = 'Strict' references: - https://owasp.org/www-community/controls/SecureCookieAttribute - https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html cwe: CWE-614 owasp: OWASP A5:2021 - id: missing-jwt-verification severity: critical category: auth name: JWT Token Used Without Verification description: JWT tokens are decoded without signature verification patterns: - "jwt\\.decode\\([^)]*verify\\s*=\\s*False" - "jwt\\.decode\\([^)]*\\)(?!.*verify)" - "jsonwebtoken\\.decode\\([^)]*\\)(?!.*verify)" - "JWT\\.decode\\([^)]*options.*verify:\\s*false" risk: Unverified JWT tokens can be forged by attackers, allowing authentication bypass and privilege escalation fix: | Always verify JWT signatures and validate claims Before: const decoded = jwt.decode(token); // OR decoded = jwt.decode(token, verify=False) After: const decoded = jwt.verify(token, SECRET_KEY, { algorithms: ['HS256'], issuer: 'your-app', audience: 'your-api' }); Python: decoded = jwt.decode( token, SECRET_KEY, algorithms=['HS256'], verify=True, audience='your-api' ) references: - https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/ - https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html cwe: CWE-347 owasp: OWASP A2:2021