@avi770/testteam 1.2.0 → 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +29 -1
- package/README.md +53 -6
- package/agents/24-signup-onboarding-tester.ts +429 -0
- package/agents/25-crud-flow-tester.ts +302 -0
- package/agents/26-form-validator.ts +297 -0
- package/agents/27-search-filter-tester.ts +326 -0
- package/agents/28-navigation-routing-tester.ts +425 -0
- package/agents/29-responsive-interaction-tester.ts +350 -0
- package/agents/30-multi-user-scenario-tester.ts +319 -0
- package/agents/31-load-tester.ts +134 -0
- package/agents/32-memory-leak-detector.ts +194 -0
- package/agents/33-bundle-analyzer.ts +132 -0
- package/agents/34-xss-scanner.ts +191 -0
- package/agents/35-csrf-tester.ts +82 -0
- package/agents/36-auth-fuzzer.ts +194 -0
- package/agents/37-dependency-scanner.ts +176 -0
- package/agents/38-secrets-scanner.ts +137 -0
- package/agents/39-api-contract-tester.ts +199 -0
- package/agents/40-rate-limit-tester.ts +94 -0
- package/agents/41-api-pagination-tester.ts +97 -0
- package/agents/42-graphql-tester.ts +222 -0
- package/agents/43-data-consistency-checker.ts +205 -0
- package/agents/44-backup-recovery-tester.ts +152 -0
- package/agents/45-data-privacy-scanner.ts +125 -0
- package/agents/46-seo-auditor.ts +294 -0
- package/agents/47-social-preview-tester.ts +232 -0
- package/agents/48-lighthouse-auditor.ts +213 -0
- package/agents/49-i18n-tester.ts +198 -0
- package/agents/50-timezone-tester.ts +173 -0
- package/agents/51-error-recovery-tester.ts +155 -0
- package/agents/52-offline-mode-tester.ts +180 -0
- package/agents/53-graceful-degradation-tester.ts +156 -0
- package/agents/54-websocket-tester.ts +151 -0
- package/agents/55-realtime-sync-tester.ts +194 -0
- package/agents/56-file-upload-tester.ts +194 -0
- package/agents/57-export-tester.ts +174 -0
- package/agents/58-payment-flow-tester.ts +183 -0
- package/agents/59-ssl-tls-auditor.ts +141 -0
- package/agents/60-dns-cdn-tester.ts +117 -0
- package/agents/61-docker-health-checker.ts +111 -0
- package/agents/62-env-config-validator.ts +152 -0
- package/agents/63-log-quality-auditor.ts +136 -0
- package/agents/64-analytics-tracker-tester.ts +165 -0
- package/agents/65-gdpr-compliance-tester.ts +215 -0
- package/agents/66-soc2-control-validator.ts +210 -0
- package/agents/67-wcag-aaa-tester.ts +241 -0
- package/agents/68-dead-code-detector.ts +135 -0
- package/agents/69-type-safety-auditor.ts +164 -0
- package/agents/70-complexity-analyzer.ts +179 -0
- package/agents/__tests__/24-signup-onboarding-tester.test.ts +274 -0
- package/agents/__tests__/25-crud-flow-tester.test.ts +322 -0
- package/agents/__tests__/26-form-validator.test.ts +345 -0
- package/agents/__tests__/27-search-filter-tester.test.ts +311 -0
- package/agents/__tests__/28-navigation-routing-tester.test.ts +328 -0
- package/agents/__tests__/29-responsive-interaction-tester.test.ts +297 -0
- package/agents/__tests__/30-multi-user-scenario-tester.test.ts +328 -0
- package/agents/__tests__/31-load-tester.test.ts +189 -0
- package/agents/__tests__/32-memory-leak-detector.test.ts +251 -0
- package/agents/__tests__/33-bundle-analyzer.test.ts +237 -0
- package/agents/__tests__/34-xss-scanner.test.ts +258 -0
- package/agents/__tests__/35-csrf-tester.test.ts +200 -0
- package/agents/__tests__/36-auth-fuzzer.test.ts +214 -0
- package/agents/__tests__/37-dependency-scanner.test.ts +266 -0
- package/agents/__tests__/38-secrets-scanner.test.ts +224 -0
- package/agents/__tests__/39-api-contract-tester.test.ts +312 -0
- package/agents/__tests__/40-rate-limit-tester.test.ts +192 -0
- package/agents/__tests__/41-api-pagination-tester.test.ts +198 -0
- package/agents/__tests__/42-graphql-tester.test.ts +252 -0
- package/agents/__tests__/43-data-consistency-checker.test.ts +232 -0
- package/agents/__tests__/44-backup-recovery-tester.test.ts +222 -0
- package/agents/__tests__/45-data-privacy-scanner.test.ts +223 -0
- package/agents/__tests__/46-seo-auditor.test.ts +261 -0
- package/agents/__tests__/47-social-preview-tester.test.ts +245 -0
- package/agents/__tests__/48-lighthouse-auditor.test.ts +276 -0
- package/agents/__tests__/49-i18n-tester.test.ts +201 -0
- package/agents/__tests__/50-timezone-tester.test.ts +172 -0
- package/agents/__tests__/51-error-recovery-tester.test.ts +162 -0
- package/agents/__tests__/52-offline-mode-tester.test.ts +164 -0
- package/agents/__tests__/53-graceful-degradation-tester.test.ts +168 -0
- package/agents/__tests__/54-websocket-tester.test.ts +157 -0
- package/agents/__tests__/55-realtime-sync-tester.test.ts +181 -0
- package/agents/__tests__/56-file-upload-tester.test.ts +172 -0
- package/agents/__tests__/57-export-tester.test.ts +169 -0
- package/agents/__tests__/58-payment-flow-tester.test.ts +182 -0
- package/agents/__tests__/59-ssl-tls-auditor.test.ts +179 -0
- package/agents/__tests__/60-dns-cdn-tester.test.ts +176 -0
- package/agents/__tests__/61-docker-health-checker.test.ts +150 -0
- package/agents/__tests__/62-env-config-validator.test.ts +166 -0
- package/agents/__tests__/63-log-quality-auditor.test.ts +175 -0
- package/agents/__tests__/64-analytics-tracker-tester.test.ts +158 -0
- package/agents/__tests__/65-gdpr-compliance-tester.test.ts +174 -0
- package/agents/__tests__/66-soc2-control-validator.test.ts +183 -0
- package/agents/__tests__/67-wcag-aaa-tester.test.ts +190 -0
- package/agents/__tests__/68-dead-code-detector.test.ts +174 -0
- package/agents/__tests__/69-type-safety-auditor.test.ts +173 -0
- package/agents/__tests__/70-complexity-analyzer.test.ts +177 -0
- package/agents/__tests__/registry.test.ts +13 -13
- package/agents/registry.ts +146 -5
- package/core/__tests__/integration.test.ts +4 -4
- package/core/__tests__/orchestrator.test.ts +17 -16
- package/core/license.ts +208 -211
- package/core/orchestrator.ts +6 -4
- package/dist/agents/24-signup-onboarding-tester.d.ts +35 -0
- package/dist/agents/24-signup-onboarding-tester.d.ts.map +1 -0
- package/dist/agents/24-signup-onboarding-tester.js +357 -0
- package/dist/agents/24-signup-onboarding-tester.js.map +1 -0
- package/dist/agents/25-crud-flow-tester.d.ts +11 -0
- package/dist/agents/25-crud-flow-tester.d.ts.map +1 -0
- package/dist/agents/25-crud-flow-tester.js +253 -0
- package/dist/agents/25-crud-flow-tester.js.map +1 -0
- package/dist/agents/26-form-validator.d.ts +12 -0
- package/dist/agents/26-form-validator.d.ts.map +1 -0
- package/dist/agents/26-form-validator.js +257 -0
- package/dist/agents/26-form-validator.js.map +1 -0
- package/dist/agents/27-search-filter-tester.d.ts +20 -0
- package/dist/agents/27-search-filter-tester.d.ts.map +1 -0
- package/dist/agents/27-search-filter-tester.js +267 -0
- package/dist/agents/27-search-filter-tester.js.map +1 -0
- package/dist/agents/28-navigation-routing-tester.d.ts +32 -0
- package/dist/agents/28-navigation-routing-tester.d.ts.map +1 -0
- package/dist/agents/28-navigation-routing-tester.js +363 -0
- package/dist/agents/28-navigation-routing-tester.js.map +1 -0
- package/dist/agents/29-responsive-interaction-tester.d.ts +26 -0
- package/dist/agents/29-responsive-interaction-tester.d.ts.map +1 -0
- package/dist/agents/29-responsive-interaction-tester.js +272 -0
- package/dist/agents/29-responsive-interaction-tester.js.map +1 -0
- package/dist/agents/30-multi-user-scenario-tester.d.ts +24 -0
- package/dist/agents/30-multi-user-scenario-tester.d.ts.map +1 -0
- package/dist/agents/30-multi-user-scenario-tester.js +254 -0
- package/dist/agents/30-multi-user-scenario-tester.js.map +1 -0
- package/dist/agents/31-load-tester.d.ts +12 -0
- package/dist/agents/31-load-tester.d.ts.map +1 -0
- package/dist/agents/31-load-tester.js +110 -0
- package/dist/agents/31-load-tester.js.map +1 -0
- package/dist/agents/32-memory-leak-detector.d.ts +12 -0
- package/dist/agents/32-memory-leak-detector.d.ts.map +1 -0
- package/dist/agents/32-memory-leak-detector.js +167 -0
- package/dist/agents/32-memory-leak-detector.js.map +1 -0
- package/dist/agents/33-bundle-analyzer.d.ts +10 -0
- package/dist/agents/33-bundle-analyzer.d.ts.map +1 -0
- package/dist/agents/33-bundle-analyzer.js +111 -0
- package/dist/agents/33-bundle-analyzer.js.map +1 -0
- package/dist/agents/34-xss-scanner.d.ts +11 -0
- package/dist/agents/34-xss-scanner.d.ts.map +1 -0
- package/dist/agents/34-xss-scanner.js +164 -0
- package/dist/agents/34-xss-scanner.js.map +1 -0
- package/dist/agents/35-csrf-tester.d.ts +11 -0
- package/dist/agents/35-csrf-tester.d.ts.map +1 -0
- package/dist/agents/35-csrf-tester.js +70 -0
- package/dist/agents/35-csrf-tester.js.map +1 -0
- package/dist/agents/36-auth-fuzzer.d.ts +13 -0
- package/dist/agents/36-auth-fuzzer.d.ts.map +1 -0
- package/dist/agents/36-auth-fuzzer.js +163 -0
- package/dist/agents/36-auth-fuzzer.js.map +1 -0
- package/dist/agents/37-dependency-scanner.d.ts +11 -0
- package/dist/agents/37-dependency-scanner.d.ts.map +1 -0
- package/dist/agents/37-dependency-scanner.js +139 -0
- package/dist/agents/37-dependency-scanner.js.map +1 -0
- package/dist/agents/38-secrets-scanner.d.ts +11 -0
- package/dist/agents/38-secrets-scanner.d.ts.map +1 -0
- package/dist/agents/38-secrets-scanner.js +116 -0
- package/dist/agents/38-secrets-scanner.js.map +1 -0
- package/dist/agents/39-api-contract-tester.d.ts +12 -0
- package/dist/agents/39-api-contract-tester.d.ts.map +1 -0
- package/dist/agents/39-api-contract-tester.js +142 -0
- package/dist/agents/39-api-contract-tester.js.map +1 -0
- package/dist/agents/40-rate-limit-tester.d.ts +12 -0
- package/dist/agents/40-rate-limit-tester.d.ts.map +1 -0
- package/dist/agents/40-rate-limit-tester.js +79 -0
- package/dist/agents/40-rate-limit-tester.js.map +1 -0
- package/dist/agents/41-api-pagination-tester.d.ts +12 -0
- package/dist/agents/41-api-pagination-tester.d.ts.map +1 -0
- package/dist/agents/41-api-pagination-tester.js +79 -0
- package/dist/agents/41-api-pagination-tester.js.map +1 -0
- package/dist/agents/42-graphql-tester.d.ts +13 -0
- package/dist/agents/42-graphql-tester.d.ts.map +1 -0
- package/dist/agents/42-graphql-tester.js +187 -0
- package/dist/agents/42-graphql-tester.js.map +1 -0
- package/dist/agents/43-data-consistency-checker.d.ts +11 -0
- package/dist/agents/43-data-consistency-checker.d.ts.map +1 -0
- package/dist/agents/43-data-consistency-checker.js +176 -0
- package/dist/agents/43-data-consistency-checker.js.map +1 -0
- package/dist/agents/44-backup-recovery-tester.d.ts +11 -0
- package/dist/agents/44-backup-recovery-tester.d.ts.map +1 -0
- package/dist/agents/44-backup-recovery-tester.js +128 -0
- package/dist/agents/44-backup-recovery-tester.js.map +1 -0
- package/dist/agents/45-data-privacy-scanner.d.ts +11 -0
- package/dist/agents/45-data-privacy-scanner.d.ts.map +1 -0
- package/dist/agents/45-data-privacy-scanner.js +100 -0
- package/dist/agents/45-data-privacy-scanner.js.map +1 -0
- package/dist/agents/46-seo-auditor.d.ts +12 -0
- package/dist/agents/46-seo-auditor.d.ts.map +1 -0
- package/dist/agents/46-seo-auditor.js +275 -0
- package/dist/agents/46-seo-auditor.js.map +1 -0
- package/dist/agents/47-social-preview-tester.d.ts +11 -0
- package/dist/agents/47-social-preview-tester.d.ts.map +1 -0
- package/dist/agents/47-social-preview-tester.js +219 -0
- package/dist/agents/47-social-preview-tester.js.map +1 -0
- package/dist/agents/48-lighthouse-auditor.d.ts +11 -0
- package/dist/agents/48-lighthouse-auditor.d.ts.map +1 -0
- package/dist/agents/48-lighthouse-auditor.js +192 -0
- package/dist/agents/48-lighthouse-auditor.js.map +1 -0
- package/dist/agents/49-i18n-tester.d.ts +13 -0
- package/dist/agents/49-i18n-tester.d.ts.map +1 -0
- package/dist/agents/49-i18n-tester.js +172 -0
- package/dist/agents/49-i18n-tester.js.map +1 -0
- package/dist/agents/50-timezone-tester.d.ts +11 -0
- package/dist/agents/50-timezone-tester.d.ts.map +1 -0
- package/dist/agents/50-timezone-tester.js +152 -0
- package/dist/agents/50-timezone-tester.js.map +1 -0
- package/dist/agents/51-error-recovery-tester.d.ts +11 -0
- package/dist/agents/51-error-recovery-tester.d.ts.map +1 -0
- package/dist/agents/51-error-recovery-tester.js +134 -0
- package/dist/agents/51-error-recovery-tester.js.map +1 -0
- package/dist/agents/52-offline-mode-tester.d.ts +12 -0
- package/dist/agents/52-offline-mode-tester.d.ts.map +1 -0
- package/dist/agents/52-offline-mode-tester.js +161 -0
- package/dist/agents/52-offline-mode-tester.js.map +1 -0
- package/dist/agents/53-graceful-degradation-tester.d.ts +12 -0
- package/dist/agents/53-graceful-degradation-tester.d.ts.map +1 -0
- package/dist/agents/53-graceful-degradation-tester.js +130 -0
- package/dist/agents/53-graceful-degradation-tester.js.map +1 -0
- package/dist/agents/54-websocket-tester.d.ts +10 -0
- package/dist/agents/54-websocket-tester.d.ts.map +1 -0
- package/dist/agents/54-websocket-tester.js +132 -0
- package/dist/agents/54-websocket-tester.js.map +1 -0
- package/dist/agents/55-realtime-sync-tester.d.ts +11 -0
- package/dist/agents/55-realtime-sync-tester.d.ts.map +1 -0
- package/dist/agents/55-realtime-sync-tester.js +175 -0
- package/dist/agents/55-realtime-sync-tester.js.map +1 -0
- package/dist/agents/56-file-upload-tester.d.ts +12 -0
- package/dist/agents/56-file-upload-tester.d.ts.map +1 -0
- package/dist/agents/56-file-upload-tester.js +166 -0
- package/dist/agents/56-file-upload-tester.js.map +1 -0
- package/dist/agents/57-export-tester.d.ts +11 -0
- package/dist/agents/57-export-tester.d.ts.map +1 -0
- package/dist/agents/57-export-tester.js +155 -0
- package/dist/agents/57-export-tester.js.map +1 -0
- package/dist/agents/58-payment-flow-tester.d.ts +11 -0
- package/dist/agents/58-payment-flow-tester.d.ts.map +1 -0
- package/dist/agents/58-payment-flow-tester.js +159 -0
- package/dist/agents/58-payment-flow-tester.js.map +1 -0
- package/dist/agents/59-ssl-tls-auditor.d.ts +10 -0
- package/dist/agents/59-ssl-tls-auditor.d.ts.map +1 -0
- package/dist/agents/59-ssl-tls-auditor.js +132 -0
- package/dist/agents/59-ssl-tls-auditor.js.map +1 -0
- package/dist/agents/60-dns-cdn-tester.d.ts +10 -0
- package/dist/agents/60-dns-cdn-tester.d.ts.map +1 -0
- package/dist/agents/60-dns-cdn-tester.js +105 -0
- package/dist/agents/60-dns-cdn-tester.js.map +1 -0
- package/dist/agents/61-docker-health-checker.d.ts +10 -0
- package/dist/agents/61-docker-health-checker.d.ts.map +1 -0
- package/dist/agents/61-docker-health-checker.js +95 -0
- package/dist/agents/61-docker-health-checker.js.map +1 -0
- package/dist/agents/62-env-config-validator.d.ts +10 -0
- package/dist/agents/62-env-config-validator.d.ts.map +1 -0
- package/dist/agents/62-env-config-validator.js +132 -0
- package/dist/agents/62-env-config-validator.js.map +1 -0
- package/dist/agents/63-log-quality-auditor.d.ts +9 -0
- package/dist/agents/63-log-quality-auditor.d.ts.map +1 -0
- package/dist/agents/63-log-quality-auditor.js +121 -0
- package/dist/agents/63-log-quality-auditor.js.map +1 -0
- package/dist/agents/64-analytics-tracker-tester.d.ts +10 -0
- package/dist/agents/64-analytics-tracker-tester.d.ts.map +1 -0
- package/dist/agents/64-analytics-tracker-tester.js +146 -0
- package/dist/agents/64-analytics-tracker-tester.js.map +1 -0
- package/dist/agents/65-gdpr-compliance-tester.d.ts +13 -0
- package/dist/agents/65-gdpr-compliance-tester.d.ts.map +1 -0
- package/dist/agents/65-gdpr-compliance-tester.js +186 -0
- package/dist/agents/65-gdpr-compliance-tester.js.map +1 -0
- package/dist/agents/66-soc2-control-validator.d.ts +14 -0
- package/dist/agents/66-soc2-control-validator.d.ts.map +1 -0
- package/dist/agents/66-soc2-control-validator.js +178 -0
- package/dist/agents/66-soc2-control-validator.js.map +1 -0
- package/dist/agents/67-wcag-aaa-tester.d.ts +13 -0
- package/dist/agents/67-wcag-aaa-tester.d.ts.map +1 -0
- package/dist/agents/67-wcag-aaa-tester.js +207 -0
- package/dist/agents/67-wcag-aaa-tester.js.map +1 -0
- package/dist/agents/68-dead-code-detector.d.ts +9 -0
- package/dist/agents/68-dead-code-detector.d.ts.map +1 -0
- package/dist/agents/68-dead-code-detector.js +116 -0
- package/dist/agents/68-dead-code-detector.js.map +1 -0
- package/dist/agents/69-type-safety-auditor.d.ts +9 -0
- package/dist/agents/69-type-safety-auditor.d.ts.map +1 -0
- package/dist/agents/69-type-safety-auditor.js +148 -0
- package/dist/agents/69-type-safety-auditor.js.map +1 -0
- package/dist/agents/70-complexity-analyzer.d.ts +10 -0
- package/dist/agents/70-complexity-analyzer.d.ts.map +1 -0
- package/dist/agents/70-complexity-analyzer.js +154 -0
- package/dist/agents/70-complexity-analyzer.js.map +1 -0
- package/dist/agents/registry.d.ts +3 -3
- package/dist/agents/registry.d.ts.map +1 -1
- package/dist/agents/registry.js +146 -5
- package/dist/agents/registry.js.map +1 -1
- package/dist/core/license.js +2 -5
- package/dist/core/license.js.map +1 -1
- package/dist/core/orchestrator.d.ts.map +1 -1
- package/dist/core/orchestrator.js +6 -4
- package/dist/core/orchestrator.js.map +1 -1
- package/package.json +2 -2
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
import type { Finding } from '../core/types';
|
|
2
|
+
import { BaseAgent } from './base-agent';
|
|
3
|
+
export declare class CsrfTesterAgent extends BaseAgent {
|
|
4
|
+
readonly agentId = 35;
|
|
5
|
+
readonly agentName = "CSRF Tester";
|
|
6
|
+
private baseUrl;
|
|
7
|
+
protected preFlight(): Promise<void>;
|
|
8
|
+
protected execute(): Promise<Finding[]>;
|
|
9
|
+
private discoverEndpoints;
|
|
10
|
+
}
|
|
11
|
+
//# sourceMappingURL=35-csrf-tester.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"35-csrf-tester.d.ts","sourceRoot":"","sources":["../../agents/35-csrf-tester.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAYzC,qBAAa,eAAgB,SAAQ,SAAS;IAC5C,QAAQ,CAAC,OAAO,MAAM;IACtB,QAAQ,CAAC,SAAS,iBAAiB;IACnC,OAAO,CAAC,OAAO,CAAM;cAEL,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC;cAK1B,OAAO,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;IAmD7C,OAAO,CAAC,iBAAiB;CAO1B"}
|
|
@@ -0,0 +1,70 @@
|
|
|
1
|
+
import { BaseAgent } from './base-agent';
|
|
2
|
+
import { resolveEnvironment } from '../helpers/env-resolver';
|
|
3
|
+
/** Common POST endpoints to test for CSRF protection. */
|
|
4
|
+
const DEFAULT_POST_ENDPOINTS = [
|
|
5
|
+
'/api/auth/login',
|
|
6
|
+
'/api/tasks',
|
|
7
|
+
'/api/clients',
|
|
8
|
+
];
|
|
9
|
+
const REQUEST_TIMEOUT_MS = 10_000;
|
|
10
|
+
export class CsrfTesterAgent extends BaseAgent {
|
|
11
|
+
agentId = 35;
|
|
12
|
+
agentName = 'CSRF Tester';
|
|
13
|
+
baseUrl = '';
|
|
14
|
+
async preFlight() {
|
|
15
|
+
const { env } = await resolveEnvironment(this.config, this.phase);
|
|
16
|
+
this.baseUrl = env.baseUrl;
|
|
17
|
+
}
|
|
18
|
+
async execute() {
|
|
19
|
+
const findings = [];
|
|
20
|
+
const endpoints = this.discoverEndpoints();
|
|
21
|
+
for (const endpoint of endpoints) {
|
|
22
|
+
const url = `${this.baseUrl}${endpoint}`;
|
|
23
|
+
try {
|
|
24
|
+
const response = await Promise.race([
|
|
25
|
+
fetch(url, {
|
|
26
|
+
method: 'POST',
|
|
27
|
+
headers: { 'Content-Type': 'application/json' },
|
|
28
|
+
body: JSON.stringify({ test: 'csrf-probe' }),
|
|
29
|
+
signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS),
|
|
30
|
+
}),
|
|
31
|
+
new Promise((_, reject) => setTimeout(() => reject(new Error('CSRF test timeout')), REQUEST_TIMEOUT_MS)),
|
|
32
|
+
]);
|
|
33
|
+
if (response.status === 200 || response.status === 201) {
|
|
34
|
+
findings.push({
|
|
35
|
+
id: `${this.agentId}-no-csrf-${endpoint.replace(/\//g, '_')}`,
|
|
36
|
+
type: 'code-bug-security',
|
|
37
|
+
severity: 'high',
|
|
38
|
+
agentId: this.agentId,
|
|
39
|
+
module: 'csrf-tester',
|
|
40
|
+
description: `Endpoint ${endpoint} accepts POST requests without CSRF protection (status ${response.status})`,
|
|
41
|
+
});
|
|
42
|
+
}
|
|
43
|
+
this.addEvidence({
|
|
44
|
+
type: 'log',
|
|
45
|
+
path: `csrf-test-${endpoint.replace(/\//g, '_')}`,
|
|
46
|
+
description: `POST ${endpoint} without auth/CSRF headers: status=${response.status}`,
|
|
47
|
+
});
|
|
48
|
+
}
|
|
49
|
+
catch (error) {
|
|
50
|
+
findings.push({
|
|
51
|
+
id: `${this.agentId}-request-failed-${endpoint.replace(/\//g, '_')}`,
|
|
52
|
+
type: 'infra-issue',
|
|
53
|
+
severity: 'low',
|
|
54
|
+
agentId: this.agentId,
|
|
55
|
+
module: 'csrf-tester',
|
|
56
|
+
description: `Failed to test endpoint ${endpoint}: ${error instanceof Error ? error.message : String(error)}`,
|
|
57
|
+
});
|
|
58
|
+
}
|
|
59
|
+
}
|
|
60
|
+
return findings;
|
|
61
|
+
}
|
|
62
|
+
discoverEndpoints() {
|
|
63
|
+
if (this.config.modules && this.config.modules.length > 0) {
|
|
64
|
+
const moduleEndpoints = this.config.modules.map(m => `/api${m.route}`);
|
|
65
|
+
return [...new Set([...DEFAULT_POST_ENDPOINTS, ...moduleEndpoints])];
|
|
66
|
+
}
|
|
67
|
+
return [...DEFAULT_POST_ENDPOINTS];
|
|
68
|
+
}
|
|
69
|
+
}
|
|
70
|
+
//# sourceMappingURL=35-csrf-tester.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"35-csrf-tester.js","sourceRoot":"","sources":["../../agents/35-csrf-tester.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAE7D,yDAAyD;AACzD,MAAM,sBAAsB,GAAG;IAC7B,iBAAiB;IACjB,YAAY;IACZ,cAAc;CACN,CAAC;AAEX,MAAM,kBAAkB,GAAG,MAAM,CAAC;AAElC,MAAM,OAAO,eAAgB,SAAQ,SAAS;IACnC,OAAO,GAAG,EAAE,CAAC;IACb,SAAS,GAAG,aAAa,CAAC;IAC3B,OAAO,GAAG,EAAE,CAAC;IAEX,KAAK,CAAC,SAAS;QACvB,MAAM,EAAE,GAAG,EAAE,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;QAClE,IAAI,CAAC,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC;IAC7B,CAAC;IAES,KAAK,CAAC,OAAO;QACrB,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,SAAS,GAAG,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAE3C,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;YACjC,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,GAAG,QAAQ,EAAE,CAAC;YAEzC,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;oBAClC,KAAK,CAAC,GAAG,EAAE;wBACT,MAAM,EAAE,MAAM;wBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;wBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC;wBAC5C,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,kBAAkB,CAAC;qBAChD,CAAC;oBACF,IAAI,OAAO,CAAQ,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE,CAC/B,UAAU,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC,EAAE,kBAAkB,CAAC,CAC7E;iBACF,CAAa,CAAC;gBAEf,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;oBACvD,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,GAAG,IAAI,CAAC,OAAO,YAAY,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,EAAE;wBAC7D,IAAI,EAAE,mBAAmB;wBACzB,QAAQ,EAAE,MAAM;wBAChB,OAAO,EAAE,IAAI,CAAC,OAAO;wBACrB,MAAM,EAAE,aAAa;wBACrB,WAAW,EAAE,YAAY,QAAQ,0DAA0D,QAAQ,CAAC,MAAM,GAAG;qBAC9G,CAAC,CAAC;gBACL,CAAC;gBAED,IAAI,CAAC,WAAW,CAAC;oBACf,IAAI,EAAE,KAAK;oBACX,IAAI,EAAE,aAAa,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,EAAE;oBACjD,WAAW,EAAE,QAAQ,QAAQ,sCAAsC,QAAQ,CAAC,MAAM,EAAE;iBACrF,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,GAAG,IAAI,CAAC,OAAO,mBAAmB,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,EAAE;oBACpE,IAAI,EAAE,aAAa;oBACnB,QAAQ,EAAE,KAAK;oBACf,OAAO,EAAE,IAAI,CAAC,OAAO;oBACrB,MAAM,EAAE,aAAa;oBACrB,WAAW,EAAE,2BAA2B,QAAQ,KAAK,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE;iBAC9G,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,iBAAiB;QACvB,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1D,MAAM,eAAe,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC;YACvE,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,sBAAsB,EAAE,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC;QACvE,CAAC;QACD,OAAO,CAAC,GAAG,sBAAsB,CAAC,CAAC;IACrC,CAAC;CACF"}
|
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
import type { Finding } from '../core/types';
|
|
2
|
+
import { BaseAgent } from './base-agent';
|
|
3
|
+
export declare class AuthFuzzerAgent extends BaseAgent {
|
|
4
|
+
readonly agentId = 36;
|
|
5
|
+
readonly agentName = "Auth Fuzzer";
|
|
6
|
+
private baseUrl;
|
|
7
|
+
protected preFlight(): Promise<void>;
|
|
8
|
+
protected execute(): Promise<Finding[]>;
|
|
9
|
+
private testSqlInjection;
|
|
10
|
+
private testAccountLockout;
|
|
11
|
+
private testJwtAlgNone;
|
|
12
|
+
}
|
|
13
|
+
//# sourceMappingURL=36-auth-fuzzer.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"36-auth-fuzzer.d.ts","sourceRoot":"","sources":["../../agents/36-auth-fuzzer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAMzC,qBAAa,eAAgB,SAAQ,SAAS;IAC5C,QAAQ,CAAC,OAAO,MAAM;IACtB,QAAQ,CAAC,SAAS,iBAAiB;IACnC,OAAO,CAAC,OAAO,CAAM;cAEL,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC;cAK1B,OAAO,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;YAkB/B,gBAAgB;YAkDhB,kBAAkB;YAmDlB,cAAc;CAyD7B"}
|
|
@@ -0,0 +1,163 @@
|
|
|
1
|
+
import { BaseAgent } from './base-agent';
|
|
2
|
+
import { resolveEnvironment } from '../helpers/env-resolver';
|
|
3
|
+
const REQUEST_TIMEOUT_MS = 10_000;
|
|
4
|
+
const LOCKOUT_ATTEMPTS = 10;
|
|
5
|
+
export class AuthFuzzerAgent extends BaseAgent {
|
|
6
|
+
agentId = 36;
|
|
7
|
+
agentName = 'Auth Fuzzer';
|
|
8
|
+
baseUrl = '';
|
|
9
|
+
async preFlight() {
|
|
10
|
+
const { env } = await resolveEnvironment(this.config, this.phase);
|
|
11
|
+
this.baseUrl = env.baseUrl;
|
|
12
|
+
}
|
|
13
|
+
async execute() {
|
|
14
|
+
const findings = [];
|
|
15
|
+
// Test 1: SQL injection in login
|
|
16
|
+
const sqlInjectionFindings = await this.testSqlInjection();
|
|
17
|
+
findings.push(...sqlInjectionFindings);
|
|
18
|
+
// Test 2: Account lockout
|
|
19
|
+
const lockoutFindings = await this.testAccountLockout();
|
|
20
|
+
findings.push(...lockoutFindings);
|
|
21
|
+
// Test 3: JWT alg:none bypass
|
|
22
|
+
const jwtFindings = await this.testJwtAlgNone();
|
|
23
|
+
findings.push(...jwtFindings);
|
|
24
|
+
return findings;
|
|
25
|
+
}
|
|
26
|
+
async testSqlInjection() {
|
|
27
|
+
const findings = [];
|
|
28
|
+
const loginUrl = `${this.baseUrl}/api/auth/login`;
|
|
29
|
+
try {
|
|
30
|
+
const response = await Promise.race([
|
|
31
|
+
fetch(loginUrl, {
|
|
32
|
+
method: 'POST',
|
|
33
|
+
headers: { 'Content-Type': 'application/json' },
|
|
34
|
+
body: JSON.stringify({
|
|
35
|
+
email: "' OR 1=1 --",
|
|
36
|
+
password: 'anything',
|
|
37
|
+
}),
|
|
38
|
+
signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS),
|
|
39
|
+
}),
|
|
40
|
+
new Promise((_, reject) => setTimeout(() => reject(new Error('Timeout')), REQUEST_TIMEOUT_MS)),
|
|
41
|
+
]);
|
|
42
|
+
if (response.status === 200 || response.status === 201) {
|
|
43
|
+
findings.push({
|
|
44
|
+
id: `${this.agentId}-sql-injection-login`,
|
|
45
|
+
type: 'code-bug-security',
|
|
46
|
+
severity: 'critical',
|
|
47
|
+
agentId: this.agentId,
|
|
48
|
+
module: 'auth-fuzzer',
|
|
49
|
+
description: `SQL injection in login succeeded — endpoint returned ${response.status} for malicious email input`,
|
|
50
|
+
});
|
|
51
|
+
}
|
|
52
|
+
this.addEvidence({
|
|
53
|
+
type: 'log',
|
|
54
|
+
path: 'sql-injection-test',
|
|
55
|
+
description: `SQL injection login test: status=${response.status}`,
|
|
56
|
+
});
|
|
57
|
+
}
|
|
58
|
+
catch (error) {
|
|
59
|
+
findings.push({
|
|
60
|
+
id: `${this.agentId}-sql-injection-error`,
|
|
61
|
+
type: 'infra-issue',
|
|
62
|
+
severity: 'low',
|
|
63
|
+
agentId: this.agentId,
|
|
64
|
+
module: 'auth-fuzzer',
|
|
65
|
+
description: `SQL injection test failed to execute: ${error instanceof Error ? error.message : String(error)}`,
|
|
66
|
+
});
|
|
67
|
+
}
|
|
68
|
+
return findings;
|
|
69
|
+
}
|
|
70
|
+
async testAccountLockout() {
|
|
71
|
+
const findings = [];
|
|
72
|
+
const loginUrl = `${this.baseUrl}/api/auth/login`;
|
|
73
|
+
let got429 = false;
|
|
74
|
+
for (let i = 0; i < LOCKOUT_ATTEMPTS; i++) {
|
|
75
|
+
try {
|
|
76
|
+
const response = await Promise.race([
|
|
77
|
+
fetch(loginUrl, {
|
|
78
|
+
method: 'POST',
|
|
79
|
+
headers: { 'Content-Type': 'application/json' },
|
|
80
|
+
body: JSON.stringify({
|
|
81
|
+
email: 'lockout-test@example.com',
|
|
82
|
+
password: `wrong-password-${i}`,
|
|
83
|
+
}),
|
|
84
|
+
signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS),
|
|
85
|
+
}),
|
|
86
|
+
new Promise((_, reject) => setTimeout(() => reject(new Error('Timeout')), REQUEST_TIMEOUT_MS)),
|
|
87
|
+
]);
|
|
88
|
+
if (response.status === 429) {
|
|
89
|
+
got429 = true;
|
|
90
|
+
break;
|
|
91
|
+
}
|
|
92
|
+
}
|
|
93
|
+
catch {
|
|
94
|
+
// Request failed — continue testing
|
|
95
|
+
}
|
|
96
|
+
}
|
|
97
|
+
if (!got429) {
|
|
98
|
+
findings.push({
|
|
99
|
+
id: `${this.agentId}-no-lockout`,
|
|
100
|
+
type: 'code-bug-security',
|
|
101
|
+
severity: 'medium',
|
|
102
|
+
agentId: this.agentId,
|
|
103
|
+
module: 'auth-fuzzer',
|
|
104
|
+
description: `No account lockout after ${LOCKOUT_ATTEMPTS} failed login attempts — no 429 response received`,
|
|
105
|
+
});
|
|
106
|
+
}
|
|
107
|
+
this.addEvidence({
|
|
108
|
+
type: 'log',
|
|
109
|
+
path: 'lockout-test',
|
|
110
|
+
description: `Account lockout test: ${got429 ? 'lockout triggered' : 'no lockout detected'} after ${LOCKOUT_ATTEMPTS} attempts`,
|
|
111
|
+
});
|
|
112
|
+
return findings;
|
|
113
|
+
}
|
|
114
|
+
async testJwtAlgNone() {
|
|
115
|
+
const findings = [];
|
|
116
|
+
// Create a JWT with alg: "none"
|
|
117
|
+
const header = Buffer.from(JSON.stringify({ alg: 'none', typ: 'JWT' })).toString('base64url');
|
|
118
|
+
const payload = Buffer.from(JSON.stringify({ sub: '1', email: 'admin@test.com', role: 'admin', iat: Math.floor(Date.now() / 1000) })).toString('base64url');
|
|
119
|
+
const fakeJwt = `${header}.${payload}.`;
|
|
120
|
+
// Try accessing a protected endpoint
|
|
121
|
+
const protectedUrl = `${this.baseUrl}/api/tasks`;
|
|
122
|
+
try {
|
|
123
|
+
const response = await Promise.race([
|
|
124
|
+
fetch(protectedUrl, {
|
|
125
|
+
method: 'GET',
|
|
126
|
+
headers: {
|
|
127
|
+
'Authorization': `Bearer ${fakeJwt}`,
|
|
128
|
+
'Content-Type': 'application/json',
|
|
129
|
+
},
|
|
130
|
+
signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS),
|
|
131
|
+
}),
|
|
132
|
+
new Promise((_, reject) => setTimeout(() => reject(new Error('Timeout')), REQUEST_TIMEOUT_MS)),
|
|
133
|
+
]);
|
|
134
|
+
if (response.status === 200) {
|
|
135
|
+
findings.push({
|
|
136
|
+
id: `${this.agentId}-jwt-alg-none`,
|
|
137
|
+
type: 'code-bug-security',
|
|
138
|
+
severity: 'critical',
|
|
139
|
+
agentId: this.agentId,
|
|
140
|
+
module: 'auth-fuzzer',
|
|
141
|
+
description: `Protected endpoint accepts JWT with alg:"none" — authentication bypass vulnerability`,
|
|
142
|
+
});
|
|
143
|
+
}
|
|
144
|
+
this.addEvidence({
|
|
145
|
+
type: 'log',
|
|
146
|
+
path: 'jwt-alg-none-test',
|
|
147
|
+
description: `JWT alg:none test: status=${response.status}`,
|
|
148
|
+
});
|
|
149
|
+
}
|
|
150
|
+
catch (error) {
|
|
151
|
+
findings.push({
|
|
152
|
+
id: `${this.agentId}-jwt-test-error`,
|
|
153
|
+
type: 'infra-issue',
|
|
154
|
+
severity: 'low',
|
|
155
|
+
agentId: this.agentId,
|
|
156
|
+
module: 'auth-fuzzer',
|
|
157
|
+
description: `JWT alg:none test failed to execute: ${error instanceof Error ? error.message : String(error)}`,
|
|
158
|
+
});
|
|
159
|
+
}
|
|
160
|
+
return findings;
|
|
161
|
+
}
|
|
162
|
+
}
|
|
163
|
+
//# sourceMappingURL=36-auth-fuzzer.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"36-auth-fuzzer.js","sourceRoot":"","sources":["../../agents/36-auth-fuzzer.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAE7D,MAAM,kBAAkB,GAAG,MAAM,CAAC;AAClC,MAAM,gBAAgB,GAAG,EAAE,CAAC;AAE5B,MAAM,OAAO,eAAgB,SAAQ,SAAS;IACnC,OAAO,GAAG,EAAE,CAAC;IACb,SAAS,GAAG,aAAa,CAAC;IAC3B,OAAO,GAAG,EAAE,CAAC;IAEX,KAAK,CAAC,SAAS;QACvB,MAAM,EAAE,GAAG,EAAE,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;QAClE,IAAI,CAAC,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC;IAC7B,CAAC;IAES,KAAK,CAAC,OAAO;QACrB,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,iCAAiC;QACjC,MAAM,oBAAoB,GAAG,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAC3D,QAAQ,CAAC,IAAI,CAAC,GAAG,oBAAoB,CAAC,CAAC;QAEvC,0BAA0B;QAC1B,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACxD,QAAQ,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,CAAC;QAElC,8BAA8B;QAC9B,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QAChD,QAAQ,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,CAAC;QAE9B,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,KAAK,CAAC,gBAAgB;QAC5B,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,QAAQ,GAAG,GAAG,IAAI,CAAC,OAAO,iBAAiB,CAAC;QAElD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;gBAClC,KAAK,CAAC,QAAQ,EAAE;oBACd,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;oBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;wBACnB,KAAK,EAAE,aAAa;wBACpB,QAAQ,EAAE,UAAU;qBACrB,CAAC;oBACF,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,kBAAkB,CAAC;iBAChD,CAAC;gBACF,IAAI,OAAO,CAAQ,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE,CAC/B,UAAU,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,kBAAkB,CAAC,CACnE;aACF,CAAa,CAAC;YAEf,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBACvD,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,GAAG,IAAI,CAAC,OAAO,sBAAsB;oBACzC,IAAI,EAAE,mBAAmB;oBACzB,QAAQ,EAAE,UAAU;oBACpB,OAAO,EAAE,IAAI,CAAC,OAAO;oBACrB,MAAM,EAAE,aAAa;oBACrB,WAAW,EAAE,wDAAwD,QAAQ,CAAC,MAAM,4BAA4B;iBACjH,CAAC,CAAC;YACL,CAAC;YAED,IAAI,CAAC,WAAW,CAAC;gBACf,IAAI,EAAE,KAAK;gBACX,IAAI,EAAE,oBAAoB;gBAC1B,WAAW,EAAE,oCAAoC,QAAQ,CAAC,MAAM,EAAE;aACnE,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,GAAG,IAAI,CAAC,OAAO,sBAAsB;gBACzC,IAAI,EAAE,aAAa;gBACnB,QAAQ,EAAE,KAAK;gBACf,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,MAAM,EAAE,aAAa;gBACrB,WAAW,EAAE,yCAAyC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE;aAC/G,CAAC,CAAC;QACL,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,KAAK,CAAC,kBAAkB;QAC9B,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,QAAQ,GAAG,GAAG,IAAI,CAAC,OAAO,iBAAiB,CAAC;QAClD,IAAI,MAAM,GAAG,KAAK,CAAC;QAEnB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,gBAAgB,EAAE,CAAC,EAAE,EAAE,CAAC;YAC1C,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;oBAClC,KAAK,CAAC,QAAQ,EAAE;wBACd,MAAM,EAAE,MAAM;wBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;wBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;4BACnB,KAAK,EAAE,0BAA0B;4BACjC,QAAQ,EAAE,kBAAkB,CAAC,EAAE;yBAChC,CAAC;wBACF,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,kBAAkB,CAAC;qBAChD,CAAC;oBACF,IAAI,OAAO,CAAQ,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE,CAC/B,UAAU,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,kBAAkB,CAAC,CACnE;iBACF,CAAa,CAAC;gBAEf,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;oBAC5B,MAAM,GAAG,IAAI,CAAC;oBACd,MAAM;gBACR,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,oCAAoC;YACtC,CAAC;QACH,CAAC;QAED,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,GAAG,IAAI,CAAC,OAAO,aAAa;gBAChC,IAAI,EAAE,mBAAmB;gBACzB,QAAQ,EAAE,QAAQ;gBAClB,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,MAAM,EAAE,aAAa;gBACrB,WAAW,EAAE,4BAA4B,gBAAgB,mDAAmD;aAC7G,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,WAAW,CAAC;YACf,IAAI,EAAE,KAAK;YACX,IAAI,EAAE,cAAc;YACpB,WAAW,EAAE,yBAAyB,MAAM,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,qBAAqB,UAAU,gBAAgB,WAAW;SAChI,CAAC,CAAC;QAEH,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,KAAK,CAAC,cAAc;QAC1B,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,gCAAgC;QAChC,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAC9F,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CACzB,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,gBAAgB,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC,CACzG,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QACxB,MAAM,OAAO,GAAG,GAAG,MAAM,IAAI,OAAO,GAAG,CAAC;QAExC,qCAAqC;QACrC,MAAM,YAAY,GAAG,GAAG,IAAI,CAAC,OAAO,YAAY,CAAC;QAEjD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;gBAClC,KAAK,CAAC,YAAY,EAAE;oBAClB,MAAM,EAAE,KAAK;oBACb,OAAO,EAAE;wBACP,eAAe,EAAE,UAAU,OAAO,EAAE;wBACpC,cAAc,EAAE,kBAAkB;qBACnC;oBACD,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,kBAAkB,CAAC;iBAChD,CAAC;gBACF,IAAI,OAAO,CAAQ,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE,CAC/B,UAAU,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,kBAAkB,CAAC,CACnE;aACF,CAAa,CAAC;YAEf,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,GAAG,IAAI,CAAC,OAAO,eAAe;oBAClC,IAAI,EAAE,mBAAmB;oBACzB,QAAQ,EAAE,UAAU;oBACpB,OAAO,EAAE,IAAI,CAAC,OAAO;oBACrB,MAAM,EAAE,aAAa;oBACrB,WAAW,EAAE,sFAAsF;iBACpG,CAAC,CAAC;YACL,CAAC;YAED,IAAI,CAAC,WAAW,CAAC;gBACf,IAAI,EAAE,KAAK;gBACX,IAAI,EAAE,mBAAmB;gBACzB,WAAW,EAAE,6BAA6B,QAAQ,CAAC,MAAM,EAAE;aAC5D,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,GAAG,IAAI,CAAC,OAAO,iBAAiB;gBACpC,IAAI,EAAE,aAAa;gBACnB,QAAQ,EAAE,KAAK;gBACf,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,MAAM,EAAE,aAAa;gBACrB,WAAW,EAAE,wCAAwC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE;aAC9G,CAAC,CAAC;QACL,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}
|
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
import type { Finding } from '../core/types';
|
|
2
|
+
import { BaseAgent } from './base-agent';
|
|
3
|
+
export declare class DependencyScannerAgent extends BaseAgent {
|
|
4
|
+
readonly agentId = 37;
|
|
5
|
+
readonly agentName = "Dependency Scanner";
|
|
6
|
+
protected preFlight(): Promise<void>;
|
|
7
|
+
protected execute(): Promise<Finding[]>;
|
|
8
|
+
private runAudit;
|
|
9
|
+
private runOutdated;
|
|
10
|
+
}
|
|
11
|
+
//# sourceMappingURL=37-dependency-scanner.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"37-dependency-scanner.d.ts","sourceRoot":"","sources":["../../agents/37-dependency-scanner.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAiCzC,qBAAa,sBAAuB,SAAQ,SAAS;IACnD,QAAQ,CAAC,OAAO,MAAM;IACtB,QAAQ,CAAC,SAAS,wBAAwB;cAE1B,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC;cAI1B,OAAO,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;YAe/B,QAAQ;YAuDR,WAAW;CA6D1B"}
|
|
@@ -0,0 +1,139 @@
|
|
|
1
|
+
import { execFile } from 'node:child_process';
|
|
2
|
+
import { promisify } from 'node:util';
|
|
3
|
+
import { BaseAgent } from './base-agent';
|
|
4
|
+
const execFileAsync = promisify(execFile);
|
|
5
|
+
const SEVERITY_MAP = {
|
|
6
|
+
critical: 'critical',
|
|
7
|
+
high: 'high',
|
|
8
|
+
moderate: 'medium',
|
|
9
|
+
low: 'low',
|
|
10
|
+
info: 'low',
|
|
11
|
+
};
|
|
12
|
+
export class DependencyScannerAgent extends BaseAgent {
|
|
13
|
+
agentId = 37;
|
|
14
|
+
agentName = 'Dependency Scanner';
|
|
15
|
+
async preFlight() {
|
|
16
|
+
// No special pre-conditions
|
|
17
|
+
}
|
|
18
|
+
async execute() {
|
|
19
|
+
const findings = [];
|
|
20
|
+
const projectRoot = this.config.projectRoot ?? process.cwd();
|
|
21
|
+
// Run npm audit
|
|
22
|
+
const auditFindings = await this.runAudit(projectRoot);
|
|
23
|
+
findings.push(...auditFindings);
|
|
24
|
+
// Run npm outdated
|
|
25
|
+
const outdatedFindings = await this.runOutdated(projectRoot);
|
|
26
|
+
findings.push(...outdatedFindings);
|
|
27
|
+
return findings;
|
|
28
|
+
}
|
|
29
|
+
async runAudit(projectRoot) {
|
|
30
|
+
const findings = [];
|
|
31
|
+
try {
|
|
32
|
+
let stdout;
|
|
33
|
+
try {
|
|
34
|
+
const result = await execFileAsync('npm', ['audit', '--json'], {
|
|
35
|
+
cwd: projectRoot,
|
|
36
|
+
timeout: 60_000,
|
|
37
|
+
});
|
|
38
|
+
stdout = result.stdout;
|
|
39
|
+
}
|
|
40
|
+
catch (execError) {
|
|
41
|
+
// npm audit exits non-zero when vulnerabilities are found
|
|
42
|
+
const err = execError;
|
|
43
|
+
if (err.stdout) {
|
|
44
|
+
stdout = err.stdout;
|
|
45
|
+
}
|
|
46
|
+
else {
|
|
47
|
+
throw execError;
|
|
48
|
+
}
|
|
49
|
+
}
|
|
50
|
+
const report = JSON.parse(stdout);
|
|
51
|
+
const vulnerabilities = report.vulnerabilities ?? {};
|
|
52
|
+
for (const [name, vuln] of Object.entries(vulnerabilities)) {
|
|
53
|
+
const severity = SEVERITY_MAP[vuln.severity] ?? 'medium';
|
|
54
|
+
findings.push({
|
|
55
|
+
id: `${this.agentId}-vuln-${name}`,
|
|
56
|
+
type: 'code-bug-security',
|
|
57
|
+
severity,
|
|
58
|
+
agentId: this.agentId,
|
|
59
|
+
module: 'dependency-scanner',
|
|
60
|
+
description: `Vulnerability in ${name}: ${vuln.title ?? vuln.severity} (${vuln.url ?? 'no URL'})`,
|
|
61
|
+
});
|
|
62
|
+
}
|
|
63
|
+
this.addEvidence({
|
|
64
|
+
type: 'report',
|
|
65
|
+
path: 'npm-audit',
|
|
66
|
+
description: `npm audit found ${Object.keys(vulnerabilities).length} vulnerable packages`,
|
|
67
|
+
});
|
|
68
|
+
}
|
|
69
|
+
catch (error) {
|
|
70
|
+
findings.push({
|
|
71
|
+
id: `${this.agentId}-audit-error`,
|
|
72
|
+
type: 'infra-issue',
|
|
73
|
+
severity: 'medium',
|
|
74
|
+
agentId: this.agentId,
|
|
75
|
+
module: 'dependency-scanner',
|
|
76
|
+
description: `npm audit failed: ${error instanceof Error ? error.message : String(error)}`,
|
|
77
|
+
});
|
|
78
|
+
}
|
|
79
|
+
return findings;
|
|
80
|
+
}
|
|
81
|
+
async runOutdated(projectRoot) {
|
|
82
|
+
const findings = [];
|
|
83
|
+
try {
|
|
84
|
+
let stdout;
|
|
85
|
+
try {
|
|
86
|
+
const result = await execFileAsync('npm', ['outdated', '--json'], {
|
|
87
|
+
cwd: projectRoot,
|
|
88
|
+
timeout: 60_000,
|
|
89
|
+
});
|
|
90
|
+
stdout = result.stdout;
|
|
91
|
+
}
|
|
92
|
+
catch (execError) {
|
|
93
|
+
// npm outdated exits non-zero when there are outdated packages
|
|
94
|
+
const err = execError;
|
|
95
|
+
if (err.stdout) {
|
|
96
|
+
stdout = err.stdout;
|
|
97
|
+
}
|
|
98
|
+
else {
|
|
99
|
+
throw execError;
|
|
100
|
+
}
|
|
101
|
+
}
|
|
102
|
+
if (!stdout || stdout.trim() === '') {
|
|
103
|
+
return findings;
|
|
104
|
+
}
|
|
105
|
+
const outdated = JSON.parse(stdout);
|
|
106
|
+
for (const [name, info] of Object.entries(outdated)) {
|
|
107
|
+
const currentMajor = parseInt(info.current.split('.')[0], 10);
|
|
108
|
+
const latestMajor = parseInt(info.latest.split('.')[0], 10);
|
|
109
|
+
if (latestMajor - currentMajor >= 1) {
|
|
110
|
+
findings.push({
|
|
111
|
+
id: `${this.agentId}-outdated-${name}`,
|
|
112
|
+
type: 'test-bug',
|
|
113
|
+
severity: 'low',
|
|
114
|
+
agentId: this.agentId,
|
|
115
|
+
module: 'dependency-scanner',
|
|
116
|
+
description: `Package ${name} is ${latestMajor - currentMajor} major version(s) behind: current=${info.current}, latest=${info.latest}`,
|
|
117
|
+
});
|
|
118
|
+
}
|
|
119
|
+
}
|
|
120
|
+
this.addEvidence({
|
|
121
|
+
type: 'report',
|
|
122
|
+
path: 'npm-outdated',
|
|
123
|
+
description: `npm outdated found ${Object.keys(outdated).length} outdated packages`,
|
|
124
|
+
});
|
|
125
|
+
}
|
|
126
|
+
catch (error) {
|
|
127
|
+
findings.push({
|
|
128
|
+
id: `${this.agentId}-outdated-error`,
|
|
129
|
+
type: 'infra-issue',
|
|
130
|
+
severity: 'low',
|
|
131
|
+
agentId: this.agentId,
|
|
132
|
+
module: 'dependency-scanner',
|
|
133
|
+
description: `npm outdated failed: ${error instanceof Error ? error.message : String(error)}`,
|
|
134
|
+
});
|
|
135
|
+
}
|
|
136
|
+
return findings;
|
|
137
|
+
}
|
|
138
|
+
}
|
|
139
|
+
//# sourceMappingURL=37-dependency-scanner.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"37-dependency-scanner.js","sourceRoot":"","sources":["../../agents/37-dependency-scanner.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAEtC,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAEzC,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAuB1C,MAAM,YAAY,GAAgB;IAChC,QAAQ,EAAE,UAAU;IACpB,IAAI,EAAE,MAAM;IACZ,QAAQ,EAAE,QAAQ;IAClB,GAAG,EAAE,KAAK;IACV,IAAI,EAAE,KAAK;CACZ,CAAC;AAEF,MAAM,OAAO,sBAAuB,SAAQ,SAAS;IAC1C,OAAO,GAAG,EAAE,CAAC;IACb,SAAS,GAAG,oBAAoB,CAAC;IAEhC,KAAK,CAAC,SAAS;QACvB,4BAA4B;IAC9B,CAAC;IAES,KAAK,CAAC,OAAO;QACrB,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;QAE7D,gBAAgB;QAChB,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QACvD,QAAQ,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,CAAC;QAEhC,mBAAmB;QACnB,MAAM,gBAAgB,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC;QAC7D,QAAQ,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,CAAC;QAEnC,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,KAAK,CAAC,QAAQ,CAAC,WAAmB;QACxC,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,IAAI,CAAC;YACH,IAAI,MAAc,CAAC;YACnB,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,KAAK,EAAE,CAAC,OAAO,EAAE,QAAQ,CAAC,EAAE;oBAC7D,GAAG,EAAE,WAAW;oBAChB,OAAO,EAAE,MAAM;iBAChB,CAAC,CAAC;gBACH,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;YACzB,CAAC;YAAC,OAAO,SAAS,EAAE,CAAC;gBACnB,0DAA0D;gBAC1D,MAAM,GAAG,GAAG,SAAiD,CAAC;gBAC9D,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;oBACf,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC;gBACtB,CAAC;qBAAM,CAAC;oBACN,MAAM,SAAS,CAAC;gBAClB,CAAC;YACH,CAAC;YAED,MAAM,MAAM,GAAgB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;YAC/C,MAAM,eAAe,GAAG,MAAM,CAAC,eAAe,IAAI,EAAE,CAAC;YAErD,KAAK,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,EAAE,CAAC;gBAC3D,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC;gBACzD,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,GAAG,IAAI,CAAC,OAAO,SAAS,IAAI,EAAE;oBAClC,IAAI,EAAE,mBAAmB;oBACzB,QAAQ;oBACR,OAAO,EAAE,IAAI,CAAC,OAAO;oBACrB,MAAM,EAAE,oBAAoB;oBAC5B,WAAW,EAAE,oBAAoB,IAAI,KAAK,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,QAAQ,KAAK,IAAI,CAAC,GAAG,IAAI,QAAQ,GAAG;iBAClG,CAAC,CAAC;YACL,CAAC;YAED,IAAI,CAAC,WAAW,CAAC;gBACf,IAAI,EAAE,QAAQ;gBACd,IAAI,EAAE,WAAW;gBACjB,WAAW,EAAE,mBAAmB,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,MAAM,sBAAsB;aAC1F,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,GAAG,IAAI,CAAC,OAAO,cAAc;gBACjC,IAAI,EAAE,aAAa;gBACnB,QAAQ,EAAE,QAAQ;gBAClB,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,MAAM,EAAE,oBAAoB;gBAC5B,WAAW,EAAE,qBAAqB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE;aAC3F,CAAC,CAAC;QACL,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,KAAK,CAAC,WAAW,CAAC,WAAmB;QAC3C,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,IAAI,CAAC;YACH,IAAI,MAAc,CAAC;YACnB,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,KAAK,EAAE,CAAC,UAAU,EAAE,QAAQ,CAAC,EAAE;oBAChE,GAAG,EAAE,WAAW;oBAChB,OAAO,EAAE,MAAM;iBAChB,CAAC,CAAC;gBACH,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;YACzB,CAAC;YAAC,OAAO,SAAS,EAAE,CAAC;gBACnB,+DAA+D;gBAC/D,MAAM,GAAG,GAAG,SAAiD,CAAC;gBAC9D,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;oBACf,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC;gBACtB,CAAC;qBAAM,CAAC;oBACN,MAAM,SAAS,CAAC;gBAClB,CAAC;YACH,CAAC;YAED,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;gBACpC,OAAO,QAAQ,CAAC;YAClB,CAAC;YAED,MAAM,QAAQ,GAAkC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;YAEnE,KAAK,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACpD,MAAM,YAAY,GAAG,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBAC9D,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBAE5D,IAAI,WAAW,GAAG,YAAY,IAAI,CAAC,EAAE,CAAC;oBACpC,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,GAAG,IAAI,CAAC,OAAO,aAAa,IAAI,EAAE;wBACtC,IAAI,EAAE,UAAU;wBAChB,QAAQ,EAAE,KAAK;wBACf,OAAO,EAAE,IAAI,CAAC,OAAO;wBACrB,MAAM,EAAE,oBAAoB;wBAC5B,WAAW,EAAE,WAAW,IAAI,OAAO,WAAW,GAAG,YAAY,qCAAqC,IAAI,CAAC,OAAO,YAAY,IAAI,CAAC,MAAM,EAAE;qBACxI,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,IAAI,CAAC,WAAW,CAAC;gBACf,IAAI,EAAE,QAAQ;gBACd,IAAI,EAAE,cAAc;gBACpB,WAAW,EAAE,sBAAsB,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,MAAM,oBAAoB;aACpF,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,GAAG,IAAI,CAAC,OAAO,iBAAiB;gBACpC,IAAI,EAAE,aAAa;gBACnB,QAAQ,EAAE,KAAK;gBACf,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,MAAM,EAAE,oBAAoB;gBAC5B,WAAW,EAAE,wBAAwB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE;aAC9F,CAAC,CAAC;QACL,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}
|
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
import type { Finding } from '../core/types';
|
|
2
|
+
import { BaseAgent } from './base-agent';
|
|
3
|
+
export declare class SecretsScannerAgent extends BaseAgent {
|
|
4
|
+
readonly agentId = 38;
|
|
5
|
+
readonly agentName = "Secrets Scanner";
|
|
6
|
+
protected preFlight(): Promise<void>;
|
|
7
|
+
protected execute(): Promise<Finding[]>;
|
|
8
|
+
private collectFiles;
|
|
9
|
+
private scanFile;
|
|
10
|
+
}
|
|
11
|
+
//# sourceMappingURL=38-secrets-scanner.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"38-secrets-scanner.d.ts","sourceRoot":"","sources":["../../agents/38-secrets-scanner.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAuBzC,qBAAa,mBAAoB,SAAQ,SAAS;IAChD,QAAQ,CAAC,OAAO,MAAM;IACtB,QAAQ,CAAC,SAAS,qBAAqB;cAEvB,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC;cAI1B,OAAO,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;YAoC/B,YAAY;YAkCZ,QAAQ;CAgCvB"}
|
|
@@ -0,0 +1,116 @@
|
|
|
1
|
+
import { readdir, readFile, stat } from 'node:fs/promises';
|
|
2
|
+
import { join, extname } from 'node:path';
|
|
3
|
+
import { BaseAgent } from './base-agent';
|
|
4
|
+
/** File extensions to scan for secrets. */
|
|
5
|
+
const SCANNABLE_EXTENSIONS = new Set(['.ts', '.tsx', '.js', '.json', '.env']);
|
|
6
|
+
/** Maximum file size to scan (1MB). */
|
|
7
|
+
const MAX_FILE_SIZE = 1024 * 1024;
|
|
8
|
+
/** Directories to skip. */
|
|
9
|
+
const SKIP_DIRS = new Set(['node_modules', '.git', 'dist', 'out', 'coverage', '.next']);
|
|
10
|
+
const SECRET_PATTERNS = [
|
|
11
|
+
{ name: 'AWS Access Key', regex: /AKIA[0-9A-Z]{16}/g },
|
|
12
|
+
{ name: 'Stripe Live Key', regex: /sk_live_[a-zA-Z0-9]+/g },
|
|
13
|
+
{ name: 'Hardcoded Password', regex: /password\s*[:=]\s*['"][^'"]+/gi },
|
|
14
|
+
{ name: 'Private Key', regex: /-----BEGIN.*PRIVATE KEY-----/g },
|
|
15
|
+
];
|
|
16
|
+
export class SecretsScannerAgent extends BaseAgent {
|
|
17
|
+
agentId = 38;
|
|
18
|
+
agentName = 'Secrets Scanner';
|
|
19
|
+
async preFlight() {
|
|
20
|
+
// No special pre-conditions
|
|
21
|
+
}
|
|
22
|
+
async execute() {
|
|
23
|
+
const findings = [];
|
|
24
|
+
const projectRoot = this.config.projectRoot ?? process.cwd();
|
|
25
|
+
let scannedFiles = 0;
|
|
26
|
+
let totalMatches = 0;
|
|
27
|
+
try {
|
|
28
|
+
const files = await this.collectFiles(projectRoot);
|
|
29
|
+
scannedFiles = files.length;
|
|
30
|
+
for (const filePath of files) {
|
|
31
|
+
const fileFindings = await this.scanFile(filePath);
|
|
32
|
+
totalMatches += fileFindings.length;
|
|
33
|
+
findings.push(...fileFindings);
|
|
34
|
+
}
|
|
35
|
+
}
|
|
36
|
+
catch (error) {
|
|
37
|
+
findings.push({
|
|
38
|
+
id: `${this.agentId}-scan-error`,
|
|
39
|
+
type: 'infra-issue',
|
|
40
|
+
severity: 'medium',
|
|
41
|
+
agentId: this.agentId,
|
|
42
|
+
module: 'secrets-scanner',
|
|
43
|
+
description: `Failed to scan project files: ${error instanceof Error ? error.message : String(error)}`,
|
|
44
|
+
});
|
|
45
|
+
}
|
|
46
|
+
this.addEvidence({
|
|
47
|
+
type: 'report',
|
|
48
|
+
path: 'secrets-scan',
|
|
49
|
+
description: `Scanned ${scannedFiles} files, found ${totalMatches} potential secrets`,
|
|
50
|
+
});
|
|
51
|
+
return findings;
|
|
52
|
+
}
|
|
53
|
+
async collectFiles(dir, depth = 0) {
|
|
54
|
+
if (depth > 5)
|
|
55
|
+
return [];
|
|
56
|
+
const files = [];
|
|
57
|
+
try {
|
|
58
|
+
const entries = await readdir(dir, { withFileTypes: true });
|
|
59
|
+
for (const entry of entries) {
|
|
60
|
+
if (SKIP_DIRS.has(entry.name))
|
|
61
|
+
continue;
|
|
62
|
+
const fullPath = join(dir, entry.name);
|
|
63
|
+
if (entry.isDirectory()) {
|
|
64
|
+
const subFiles = await this.collectFiles(fullPath, depth + 1);
|
|
65
|
+
files.push(...subFiles);
|
|
66
|
+
}
|
|
67
|
+
else if (entry.isFile() && SCANNABLE_EXTENSIONS.has(extname(entry.name))) {
|
|
68
|
+
try {
|
|
69
|
+
const fileStat = await stat(fullPath);
|
|
70
|
+
if (fileStat.size <= MAX_FILE_SIZE) {
|
|
71
|
+
files.push(fullPath);
|
|
72
|
+
}
|
|
73
|
+
}
|
|
74
|
+
catch {
|
|
75
|
+
// Skip inaccessible files
|
|
76
|
+
}
|
|
77
|
+
}
|
|
78
|
+
}
|
|
79
|
+
}
|
|
80
|
+
catch {
|
|
81
|
+
// Skip inaccessible directories
|
|
82
|
+
}
|
|
83
|
+
return files;
|
|
84
|
+
}
|
|
85
|
+
async scanFile(filePath) {
|
|
86
|
+
const findings = [];
|
|
87
|
+
try {
|
|
88
|
+
const content = await readFile(filePath, 'utf-8');
|
|
89
|
+
const lines = content.split('\n');
|
|
90
|
+
for (const pattern of SECRET_PATTERNS) {
|
|
91
|
+
for (let lineIdx = 0; lineIdx < lines.length; lineIdx++) {
|
|
92
|
+
const line = lines[lineIdx];
|
|
93
|
+
// Reset regex lastIndex for global patterns
|
|
94
|
+
pattern.regex.lastIndex = 0;
|
|
95
|
+
if (pattern.regex.test(line)) {
|
|
96
|
+
findings.push({
|
|
97
|
+
id: `${this.agentId}-secret-${pattern.name.replace(/\s/g, '-').toLowerCase()}-${filePath.replace(/[\\/]/g, '_')}-L${lineIdx + 1}`,
|
|
98
|
+
type: 'code-bug-security',
|
|
99
|
+
severity: 'high',
|
|
100
|
+
agentId: this.agentId,
|
|
101
|
+
module: 'secrets-scanner',
|
|
102
|
+
file: filePath,
|
|
103
|
+
line: lineIdx + 1,
|
|
104
|
+
description: `Potential ${pattern.name} found in ${filePath} at line ${lineIdx + 1}`,
|
|
105
|
+
});
|
|
106
|
+
}
|
|
107
|
+
}
|
|
108
|
+
}
|
|
109
|
+
}
|
|
110
|
+
catch {
|
|
111
|
+
// Skip unreadable files
|
|
112
|
+
}
|
|
113
|
+
return findings;
|
|
114
|
+
}
|
|
115
|
+
}
|
|
116
|
+
//# sourceMappingURL=38-secrets-scanner.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"38-secrets-scanner.js","sourceRoot":"","sources":["../../agents/38-secrets-scanner.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAE1C,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAEzC,2CAA2C;AAC3C,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC;AAE9E,uCAAuC;AACvC,MAAM,aAAa,GAAG,IAAI,GAAG,IAAI,CAAC;AAElC,2BAA2B;AAC3B,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,CAAC,cAAc,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;AAOxF,MAAM,eAAe,GAAoB;IACvC,EAAE,IAAI,EAAE,gBAAgB,EAAE,KAAK,EAAE,mBAAmB,EAAE;IACtD,EAAE,IAAI,EAAE,iBAAiB,EAAE,KAAK,EAAE,uBAAuB,EAAE;IAC3D,EAAE,IAAI,EAAE,oBAAoB,EAAE,KAAK,EAAE,gCAAgC,EAAE;IACvE,EAAE,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,+BAA+B,EAAE;CAChE,CAAC;AAEF,MAAM,OAAO,mBAAoB,SAAQ,SAAS;IACvC,OAAO,GAAG,EAAE,CAAC;IACb,SAAS,GAAG,iBAAiB,CAAC;IAE7B,KAAK,CAAC,SAAS;QACvB,4BAA4B;IAC9B,CAAC;IAES,KAAK,CAAC,OAAO;QACrB,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;QAE7D,IAAI,YAAY,GAAG,CAAC,CAAC;QACrB,IAAI,YAAY,GAAG,CAAC,CAAC;QAErB,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;YACnD,YAAY,GAAG,KAAK,CAAC,MAAM,CAAC;YAE5B,KAAK,MAAM,QAAQ,IAAI,KAAK,EAAE,CAAC;gBAC7B,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;gBACnD,YAAY,IAAI,YAAY,CAAC,MAAM,CAAC;gBACpC,QAAQ,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,CAAC;YACjC,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,GAAG,IAAI,CAAC,OAAO,aAAa;gBAChC,IAAI,EAAE,aAAa;gBACnB,QAAQ,EAAE,QAAQ;gBAClB,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,MAAM,EAAE,iBAAiB;gBACzB,WAAW,EAAE,iCAAiC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE;aACvG,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,WAAW,CAAC;YACf,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,cAAc;YACpB,WAAW,EAAE,WAAW,YAAY,iBAAiB,YAAY,oBAAoB;SACtF,CAAC,CAAC;QAEH,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,KAAK,CAAC,YAAY,CAAC,GAAW,EAAE,KAAK,GAAG,CAAC;QAC/C,IAAI,KAAK,GAAG,CAAC;YAAE,OAAO,EAAE,CAAC;QAEzB,MAAM,KAAK,GAAa,EAAE,CAAC;QAE3B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;YAE5D,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;gBAC5B,IAAI,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC;oBAAE,SAAS;gBAExC,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;gBAEvC,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;oBACxB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,QAAQ,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;oBAC9D,KAAK,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;gBAC1B,CAAC;qBAAM,IAAI,KAAK,CAAC,MAAM,EAAE,IAAI,oBAAoB,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;oBAC3E,IAAI,CAAC;wBACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,CAAC;wBACtC,IAAI,QAAQ,CAAC,IAAI,IAAI,aAAa,EAAE,CAAC;4BACnC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;wBACvB,CAAC;oBACH,CAAC;oBAAC,MAAM,CAAC;wBACP,0BAA0B;oBAC5B,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,gCAAgC;QAClC,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAEO,KAAK,CAAC,QAAQ,CAAC,QAAgB;QACrC,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YAClD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAElC,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE,CAAC;gBACtC,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;oBACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;oBAC5B,4CAA4C;oBAC5C,OAAO,CAAC,KAAK,CAAC,SAAS,GAAG,CAAC,CAAC;oBAC5B,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC7B,QAAQ,CAAC,IAAI,CAAC;4BACZ,EAAE,EAAE,GAAG,IAAI,CAAC,OAAO,WAAW,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,WAAW,EAAE,IAAI,QAAQ,CAAC,OAAO,CAAC,QAAQ,EAAE,GAAG,CAAC,KAAK,OAAO,GAAG,CAAC,EAAE;4BACjI,IAAI,EAAE,mBAAmB;4BACzB,QAAQ,EAAE,MAAM;4BAChB,OAAO,EAAE,IAAI,CAAC,OAAO;4BACrB,MAAM,EAAE,iBAAiB;4BACzB,IAAI,EAAE,QAAQ;4BACd,IAAI,EAAE,OAAO,GAAG,CAAC;4BACjB,WAAW,EAAE,aAAa,OAAO,CAAC,IAAI,aAAa,QAAQ,YAAY,OAAO,GAAG,CAAC,EAAE;yBACrF,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,wBAAwB;QAC1B,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
import type { Finding } from '../core/types';
|
|
2
|
+
import { BaseAgent } from './base-agent';
|
|
3
|
+
export declare class ApiContractTesterAgent extends BaseAgent {
|
|
4
|
+
readonly agentId = 39;
|
|
5
|
+
readonly agentName = "API Contract Tester";
|
|
6
|
+
private baseUrl;
|
|
7
|
+
protected preFlight(): Promise<void>;
|
|
8
|
+
protected execute(): Promise<Finding[]>;
|
|
9
|
+
private testEndpoint;
|
|
10
|
+
private validateSchema;
|
|
11
|
+
}
|
|
12
|
+
//# sourceMappingURL=39-api-contract-tester.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"39-api-contract-tester.d.ts","sourceRoot":"","sources":["../../agents/39-api-contract-tester.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AA0BzC,qBAAa,sBAAuB,SAAQ,SAAS;IACnD,QAAQ,CAAC,OAAO,MAAM;IACtB,QAAQ,CAAC,SAAS,yBAAyB;IAC3C,OAAO,CAAC,OAAO,CAAM;cAEL,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC;cAK1B,OAAO,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;YA4D/B,YAAY;IAqD1B,OAAO,CAAC,cAAc;CA8CvB"}
|