Skip to content

Add Vue/Svelte/Nuxt frontend security rule pack#238

Open
seonghobae wants to merge 1 commit into
developfrom
vue-svelte-rules
Open

Add Vue/Svelte/Nuxt frontend security rule pack#238
seonghobae wants to merge 1 commit into
developfrom
vue-svelte-rules

Conversation

@seonghobae

Copy link
Copy Markdown
Contributor

Summary

React's dangerouslySetInnerHTML was already covered by the built-in and YAML rules, but Vue, Svelte, and Nuxt apps were a blind spot. This adds a six-rule, high-precision frontend pack in scanner/rules/vue-svelte.yml:

Rule Severity What it catches
vue-v-html-usage HIGH v-html raw-HTML XSS sink in .vue templates (the Vue equivalent of dangerouslySetInnerHTML)
svelte-html-tag-usage HIGH Svelte raw HTML tag injection in .svelte templates
nuxt-public-env-secret CRITICAL Secret-named NUXT_PUBLIC_ env vars — Nuxt embeds every runtimeConfig.public value in the client bundle
vite-env-secret-exposed CRITICAL Secret-named VITE_ vars in .env* files — Vite statically inlines them into client JS
sveltekit-private-env-in-client HIGH $env/static/private / $env/dynamic/private imports inside .svelte components
sveltekit-csrf-origin-check-disabled HIGH checkOrigin disabled in svelte.config.* (CSRF against form actions)

All rules use the supported pattern-regex subset, languages: [generic], per-rule paths.include scoping (**/*.vue, **/*.svelte, **/.env*, **/svelte.config.*), and CWE/OWASP tags.

Precision

  • Each rule has multiple positive and negative fixtures in tests/test_vue_svelte_rules.py (e.g. data-v-html= attributes, {@const}/{@render} tags, $env/*/public imports, and non-secret VITE_/NUXT_PUBLIC_ names do not fire).
  • Path scoping is asserted via _path_allowed_by_rule, plus end-to-end _scan_file runs over a vulnerable fixture project (all six rules fire on the right files) and a clean fixture project (zero findings from this pack).
  • Secret-shaped fixture strings are assembled at runtime so no literal client-exposed secret names live in the repo.

Verification

  • pytest -q: 237 passed (15 new).
  • Repo self-scan: the new rules produce zero findings on this repository; deploy gate stays green (0 critical / 0 high blockers).

🤖 Generated with Claude Code

https://claude.ai/code/session_01EywwS2Du8pimW7xqRP3An3

Six high-precision rules in scanner/rules/vue-svelte.yml covering the
Vue/Svelte ecosystem blind spot (React was already covered):

- vue-v-html-usage (HIGH): v-html raw HTML XSS sink in .vue templates
- svelte-html-tag-usage (HIGH): raw HTML tag injection in .svelte
- nuxt-public-env-secret (CRITICAL): secret-named NUXT_PUBLIC_ env vars
  shipped to the client bundle
- vite-env-secret-exposed (CRITICAL): secret-named VITE_ env vars in
  .env* files inlined into the client bundle
- sveltekit-private-env-in-client (HIGH): $env/*/private imports inside
  .svelte components
- sveltekit-csrf-origin-check-disabled (HIGH): checkOrigin disabled in
  svelte.config

Each rule is path-scoped (.vue/.svelte/.env*/svelte.config.*) and tagged
with CWE/OWASP. tests/test_vue_svelte_rules.py verifies positive and
negative precision per rule, severities, path scoping, and end-to-end
scans of vulnerable and clean fixture projects (secret-shaped fixtures
assembled at runtime). Full suite passes; repo self-scan stays clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01EywwS2Du8pimW7xqRP3An3
@seonghobae seonghobae enabled auto-merge (squash) July 6, 2026 08:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant