UNPKG

vibesec

Security scanner for AI-generated code - detects vulnerabilities in vibe-coded projects

# Path Traversal Security Rules
# Detects directory traversal attacks that allow access to files outside intended directories

rules:
  - id: path-traversal-fs-operations
    name: Path Traversal in File Operations
    description: User input used in file paths without sanitization allows access to arbitrary files
    severity: critical
    category: injection
    languages:
      - javascript
      - typescript
    enabled: true
    patterns:
      - regex: "fs\\.(readFile|writeFile|readFileSync|writeFileSync|unlink|unlinkSync)\\s*\\([^,)]*\\$\\{.*\\}"
        flags: gi
      - regex: "fs\\.(readFile|writeFile|readFileSync|writeFileSync)\\s*\\(\\s*req\\.(body|query|params)\\."
        flags: gi
      - regex: "path\\.join\\s*\\([^)]*req\\.(body|query|params)\\.[^)]*\\)"
        flags: gi
      - regex: "\\.\\.\\/.*req\\.(body|query|params)"
        flags: gi
    fix:
      template: |
        Sanitize and validate file paths. Use path.resolve() and check if result is within allowed directory.

        Before:
        fs.readFile(`./uploads/${req.params.filename}`, ...);

        After:
        const path = require('path');
        const filename = path.basename(req.params.filename); // Remove directory components
        const filepath = path.resolve('./uploads', filename);
        if (!filepath.startsWith(path.resolve('./uploads'))) {
          throw new Error('Invalid path');
        }
        fs.readFile(filepath, ...);
    references:
      - https://owasp.org/www-community/attacks/Path_Traversal
      - https://cwe.mitre.org/data/definitions/22.html
    metadata:
      cwe: CWE-22
      owasp: "A01:2021"
      tags:
        - path-traversal
        - directory-traversal
        - file-access

  - id: path-traversal-python
    name: Path Traversal in Python
    description: User input in file operations without validation in Python
    severity: critical
    category: injection
    languages:
      - python
    enabled: true
    patterns:
      - regex: "open\\s*\\(\\s*f[\"'].*\\{.*\\}.*[\"']"
        flags: gi
      - regex: "open\\s*\\(.*request\\.(args|form|json)\\."
        flags: gi
      - regex: "os\\.path\\.join\\s*\\([^)]*request\\.(args|form|json)"
        flags: gi
      - regex: "pathlib\\.Path\\s*\\([^)]*request\\.(args|form|json)"
        flags: gi
    fix:
      template: |
        Use pathlib and validate paths stay within allowed directories.

        Before:
        with open(f"./uploads/{user_file}") as f:

        After:
        from pathlib import Path
        base_dir = Path("./uploads").resolve()
        filepath = (base_dir / user_file).resolve()
        if not filepath.is_relative_to(base_dir):
            raise ValueError("Invalid path")
        with open(filepath) as f:
    references:
      - https://owasp.org/www-community/attacks/Path_Traversal
      - https://cwe.mitre.org/data/definitions/22.html
    metadata:
      cwe: CWE-22
      owasp: "A01:2021"
      tags:
        - path-traversal
        - python
        - file-access

  - id: unsafe-file-download
    name: Unsafe File Download
    description: Allowing users to specify arbitrary file paths for downloads
    severity: high
    category: injection
    languages:
      - javascript
      - typescript
    enabled: true
    patterns:
      - regex: "res\\.download\\s*\\([^,)]*req\\.(body|query|params)"
        flags: gi
      - regex: "res\\.sendFile\\s*\\([^,)]*req\\.(body|query|params)"
        flags: gi
    fix:
      template: |
        Validate file paths against a whitelist or ensure they're within allowed directory.

        Before:
        res.download(req.query.file);

        After:
        const allowedFiles = ['report.pdf', 'data.csv'];
        const filename = path.basename(req.query.file);
        if (!allowedFiles.includes(filename)) {
          return res.status(403).send('Forbidden');
        }
        res.download(path.join('./downloads', filename));
    references:
      - https://owasp.org/www-community/attacks/Path_Traversal
    metadata:
      cwe: CWE-22
      owasp: "A01:2021"
      tags:
        - path-traversal
        - file-download
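To see what the two JavaScript rules above actually flag, the following added example (not part of the vibesec package) compiles their regexes with the rule file's "gi" flags and runs them over constructed source lines taken from the rules' Before/After templates, plus one request-free template literal that shows the first pattern matching any interpolation, not only request input.

```javascript
// Added example: apply the YAML rules' regexes to constructed source lines.
// The YAML's double-quoted "\\." is the regex "\." once parsed, hence String.raw.
const RULES = {
  'path-traversal-fs-operations': [
    String.raw`fs\.(readFile|writeFile|readFileSync|writeFileSync|unlink|unlinkSync)\s*\([^,)]*\$\{.*\}`,
    String.raw`fs\.(readFile|writeFile|readFileSync|writeFileSync)\s*\(\s*req\.(body|query|params)\.`,
    String.raw`path\.join\s*\([^)]*req\.(body|query|params)\.[^)]*\)`,
    String.raw`\.\.\/.*req\.(body|query|params)`,
  ],
  'unsafe-file-download': [
    String.raw`res\.download\s*\([^,)]*req\.(body|query|params)`,
    String.raw`res\.sendFile\s*\([^,)]*req\.(body|query|params)`,
  ],
};

// Compile once with the rule file's "gi" flags. The "g" flag makes RegExp.test
// stateful through lastIndex, so it is reset before every line to avoid skipped hits.
const COMPILED = Object.entries(RULES).map(([id, srcs]) => [
  id, srcs.map((s) => new RegExp(s, 'gi')),
]);

// Return the ids of every rule with at least one pattern matching the line.
function scanLine(line) {
  const hits = [];
  for (const [id, regexes] of COMPILED) {
    if (regexes.some((re) => { re.lastIndex = 0; return re.test(line); })) {
      hits.push(id);
    }
  }
  return hits;
}

// Constructed sample lines: the templates' Before/After code, plus a
// template literal with no request input to expose the first pattern's false positive.
const SAMPLES = {
  before_fs: 'fs.readFile(`./uploads/${req.params.filename}`, cb);',
  before_join: "const p = path.join(__dirname, 'uploads', req.body.name);",
  before_download: 'res.download(req.query.file);',
  after_fs: 'fs.readFile(filepath, cb);',
  after_download: "res.download(path.join('./downloads', filename));",
  no_request_input: 'fs.writeFileSync(`./logs/${today}.log`, data);',
};

for (const [name, line] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(18), scanLine(line).join(', ') || '(clean)');
}
```

The After lines come back clean because the bounded `[^,)]*` runs cannot reach a `req.` or `${` across the argument boundary, while `no_request_input` is still reported and needs manual triage.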