Add Vue/Svelte/Nuxt frontend security rule pack#238
Open
seonghobae wants to merge 1 commit into
Open
Conversation
Six high-precision rules in scanner/rules/vue-svelte.yml covering the Vue/Svelte ecosystem blind spot (React was already covered): - vue-v-html-usage (HIGH): v-html raw HTML XSS sink in .vue templates - svelte-html-tag-usage (HIGH): raw HTML tag injection in .svelte - nuxt-public-env-secret (CRITICAL): secret-named NUXT_PUBLIC_ env vars shipped to the client bundle - vite-env-secret-exposed (CRITICAL): secret-named VITE_ env vars in .env* files inlined into the client bundle - sveltekit-private-env-in-client (HIGH): $env/*/private imports inside .svelte components - sveltekit-csrf-origin-check-disabled (HIGH): checkOrigin disabled in svelte.config Each rule is path-scoped (.vue/.svelte/.env*/svelte.config.*) and tagged with CWE/OWASP. tests/test_vue_svelte_rules.py verifies positive and negative precision per rule, severities, path scoping, and end-to-end scans of vulnerable and clean fixture projects (secret-shaped fixtures assembled at runtime). Full suite passes; repo self-scan stays clean. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01EywwS2Du8pimW7xqRP3An3
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
React's
dangerouslySetInnerHTMLwas already covered by the built-in and YAML rules, but Vue, Svelte, and Nuxt apps were a blind spot. This adds a six-rule, high-precision frontend pack inscanner/rules/vue-svelte.yml:vue-v-html-usagev-htmlraw-HTML XSS sink in.vuetemplates (the Vue equivalent ofdangerouslySetInnerHTML)svelte-html-tag-usage.sveltetemplatesnuxt-public-env-secretNUXT_PUBLIC_env vars — Nuxt embeds everyruntimeConfig.publicvalue in the client bundlevite-env-secret-exposedVITE_vars in.env*files — Vite statically inlines them into client JSsveltekit-private-env-in-client$env/static/private/$env/dynamic/privateimports inside.sveltecomponentssveltekit-csrf-origin-check-disabledcheckOrigindisabled insvelte.config.*(CSRF against form actions)All rules use the supported
pattern-regexsubset,languages: [generic], per-rulepaths.includescoping (**/*.vue,**/*.svelte,**/.env*,**/svelte.config.*), and CWE/OWASP tags.Precision
tests/test_vue_svelte_rules.py(e.g.data-v-html=attributes,{@const}/{@render}tags,$env/*/publicimports, and non-secretVITE_/NUXT_PUBLIC_names do not fire)._path_allowed_by_rule, plus end-to-end_scan_fileruns over a vulnerable fixture project (all six rules fire on the right files) and a clean fixture project (zero findings from this pack).Verification
pytest -q: 237 passed (15 new).🤖 Generated with Claude Code
https://claude.ai/code/session_01EywwS2Du8pimW7xqRP3An3