@avi770/testteam 1.2.0 → 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +29 -1
- package/README.md +53 -6
- package/agents/24-signup-onboarding-tester.ts +429 -0
- package/agents/25-crud-flow-tester.ts +302 -0
- package/agents/26-form-validator.ts +297 -0
- package/agents/27-search-filter-tester.ts +326 -0
- package/agents/28-navigation-routing-tester.ts +425 -0
- package/agents/29-responsive-interaction-tester.ts +350 -0
- package/agents/30-multi-user-scenario-tester.ts +319 -0
- package/agents/31-load-tester.ts +134 -0
- package/agents/32-memory-leak-detector.ts +194 -0
- package/agents/33-bundle-analyzer.ts +132 -0
- package/agents/34-xss-scanner.ts +191 -0
- package/agents/35-csrf-tester.ts +82 -0
- package/agents/36-auth-fuzzer.ts +194 -0
- package/agents/37-dependency-scanner.ts +176 -0
- package/agents/38-secrets-scanner.ts +137 -0
- package/agents/39-api-contract-tester.ts +199 -0
- package/agents/40-rate-limit-tester.ts +94 -0
- package/agents/41-api-pagination-tester.ts +97 -0
- package/agents/42-graphql-tester.ts +222 -0
- package/agents/43-data-consistency-checker.ts +205 -0
- package/agents/44-backup-recovery-tester.ts +152 -0
- package/agents/45-data-privacy-scanner.ts +125 -0
- package/agents/46-seo-auditor.ts +294 -0
- package/agents/47-social-preview-tester.ts +232 -0
- package/agents/48-lighthouse-auditor.ts +213 -0
- package/agents/49-i18n-tester.ts +198 -0
- package/agents/50-timezone-tester.ts +173 -0
- package/agents/51-error-recovery-tester.ts +155 -0
- package/agents/52-offline-mode-tester.ts +180 -0
- package/agents/53-graceful-degradation-tester.ts +156 -0
- package/agents/54-websocket-tester.ts +151 -0
- package/agents/55-realtime-sync-tester.ts +194 -0
- package/agents/56-file-upload-tester.ts +194 -0
- package/agents/57-export-tester.ts +174 -0
- package/agents/58-payment-flow-tester.ts +183 -0
- package/agents/59-ssl-tls-auditor.ts +141 -0
- package/agents/60-dns-cdn-tester.ts +117 -0
- package/agents/61-docker-health-checker.ts +111 -0
- package/agents/62-env-config-validator.ts +152 -0
- package/agents/63-log-quality-auditor.ts +136 -0
- package/agents/64-analytics-tracker-tester.ts +165 -0
- package/agents/65-gdpr-compliance-tester.ts +215 -0
- package/agents/66-soc2-control-validator.ts +210 -0
- package/agents/67-wcag-aaa-tester.ts +241 -0
- package/agents/68-dead-code-detector.ts +135 -0
- package/agents/69-type-safety-auditor.ts +164 -0
- package/agents/70-complexity-analyzer.ts +179 -0
- package/agents/__tests__/24-signup-onboarding-tester.test.ts +274 -0
- package/agents/__tests__/25-crud-flow-tester.test.ts +322 -0
- package/agents/__tests__/26-form-validator.test.ts +345 -0
- package/agents/__tests__/27-search-filter-tester.test.ts +311 -0
- package/agents/__tests__/28-navigation-routing-tester.test.ts +328 -0
- package/agents/__tests__/29-responsive-interaction-tester.test.ts +297 -0
- package/agents/__tests__/30-multi-user-scenario-tester.test.ts +328 -0
- package/agents/__tests__/31-load-tester.test.ts +189 -0
- package/agents/__tests__/32-memory-leak-detector.test.ts +251 -0
- package/agents/__tests__/33-bundle-analyzer.test.ts +237 -0
- package/agents/__tests__/34-xss-scanner.test.ts +258 -0
- package/agents/__tests__/35-csrf-tester.test.ts +200 -0
- package/agents/__tests__/36-auth-fuzzer.test.ts +214 -0
- package/agents/__tests__/37-dependency-scanner.test.ts +266 -0
- package/agents/__tests__/38-secrets-scanner.test.ts +224 -0
- package/agents/__tests__/39-api-contract-tester.test.ts +312 -0
- package/agents/__tests__/40-rate-limit-tester.test.ts +192 -0
- package/agents/__tests__/41-api-pagination-tester.test.ts +198 -0
- package/agents/__tests__/42-graphql-tester.test.ts +252 -0
- package/agents/__tests__/43-data-consistency-checker.test.ts +232 -0
- package/agents/__tests__/44-backup-recovery-tester.test.ts +222 -0
- package/agents/__tests__/45-data-privacy-scanner.test.ts +223 -0
- package/agents/__tests__/46-seo-auditor.test.ts +261 -0
- package/agents/__tests__/47-social-preview-tester.test.ts +245 -0
- package/agents/__tests__/48-lighthouse-auditor.test.ts +276 -0
- package/agents/__tests__/49-i18n-tester.test.ts +201 -0
- package/agents/__tests__/50-timezone-tester.test.ts +172 -0
- package/agents/__tests__/51-error-recovery-tester.test.ts +162 -0
- package/agents/__tests__/52-offline-mode-tester.test.ts +164 -0
- package/agents/__tests__/53-graceful-degradation-tester.test.ts +168 -0
- package/agents/__tests__/54-websocket-tester.test.ts +157 -0
- package/agents/__tests__/55-realtime-sync-tester.test.ts +181 -0
- package/agents/__tests__/56-file-upload-tester.test.ts +172 -0
- package/agents/__tests__/57-export-tester.test.ts +169 -0
- package/agents/__tests__/58-payment-flow-tester.test.ts +182 -0
- package/agents/__tests__/59-ssl-tls-auditor.test.ts +179 -0
- package/agents/__tests__/60-dns-cdn-tester.test.ts +176 -0
- package/agents/__tests__/61-docker-health-checker.test.ts +150 -0
- package/agents/__tests__/62-env-config-validator.test.ts +166 -0
- package/agents/__tests__/63-log-quality-auditor.test.ts +175 -0
- package/agents/__tests__/64-analytics-tracker-tester.test.ts +158 -0
- package/agents/__tests__/65-gdpr-compliance-tester.test.ts +174 -0
- package/agents/__tests__/66-soc2-control-validator.test.ts +183 -0
- package/agents/__tests__/67-wcag-aaa-tester.test.ts +190 -0
- package/agents/__tests__/68-dead-code-detector.test.ts +174 -0
- package/agents/__tests__/69-type-safety-auditor.test.ts +173 -0
- package/agents/__tests__/70-complexity-analyzer.test.ts +177 -0
- package/agents/__tests__/registry.test.ts +13 -13
- package/agents/registry.ts +146 -5
- package/core/__tests__/integration.test.ts +4 -4
- package/core/__tests__/orchestrator.test.ts +17 -16
- package/core/license.ts +208 -211
- package/core/orchestrator.ts +6 -4
- package/dist/agents/24-signup-onboarding-tester.d.ts +35 -0
- package/dist/agents/24-signup-onboarding-tester.d.ts.map +1 -0
- package/dist/agents/24-signup-onboarding-tester.js +357 -0
- package/dist/agents/24-signup-onboarding-tester.js.map +1 -0
- package/dist/agents/25-crud-flow-tester.d.ts +11 -0
- package/dist/agents/25-crud-flow-tester.d.ts.map +1 -0
- package/dist/agents/25-crud-flow-tester.js +253 -0
- package/dist/agents/25-crud-flow-tester.js.map +1 -0
- package/dist/agents/26-form-validator.d.ts +12 -0
- package/dist/agents/26-form-validator.d.ts.map +1 -0
- package/dist/agents/26-form-validator.js +257 -0
- package/dist/agents/26-form-validator.js.map +1 -0
- package/dist/agents/27-search-filter-tester.d.ts +20 -0
- package/dist/agents/27-search-filter-tester.d.ts.map +1 -0
- package/dist/agents/27-search-filter-tester.js +267 -0
- package/dist/agents/27-search-filter-tester.js.map +1 -0
- package/dist/agents/28-navigation-routing-tester.d.ts +32 -0
- package/dist/agents/28-navigation-routing-tester.d.ts.map +1 -0
- package/dist/agents/28-navigation-routing-tester.js +363 -0
- package/dist/agents/28-navigation-routing-tester.js.map +1 -0
- package/dist/agents/29-responsive-interaction-tester.d.ts +26 -0
- package/dist/agents/29-responsive-interaction-tester.d.ts.map +1 -0
- package/dist/agents/29-responsive-interaction-tester.js +272 -0
- package/dist/agents/29-responsive-interaction-tester.js.map +1 -0
- package/dist/agents/30-multi-user-scenario-tester.d.ts +24 -0
- package/dist/agents/30-multi-user-scenario-tester.d.ts.map +1 -0
- package/dist/agents/30-multi-user-scenario-tester.js +254 -0
- package/dist/agents/30-multi-user-scenario-tester.js.map +1 -0
- package/dist/agents/31-load-tester.d.ts +12 -0
- package/dist/agents/31-load-tester.d.ts.map +1 -0
- package/dist/agents/31-load-tester.js +110 -0
- package/dist/agents/31-load-tester.js.map +1 -0
- package/dist/agents/32-memory-leak-detector.d.ts +12 -0
- package/dist/agents/32-memory-leak-detector.d.ts.map +1 -0
- package/dist/agents/32-memory-leak-detector.js +167 -0
- package/dist/agents/32-memory-leak-detector.js.map +1 -0
- package/dist/agents/33-bundle-analyzer.d.ts +10 -0
- package/dist/agents/33-bundle-analyzer.d.ts.map +1 -0
- package/dist/agents/33-bundle-analyzer.js +111 -0
- package/dist/agents/33-bundle-analyzer.js.map +1 -0
- package/dist/agents/34-xss-scanner.d.ts +11 -0
- package/dist/agents/34-xss-scanner.d.ts.map +1 -0
- package/dist/agents/34-xss-scanner.js +164 -0
- package/dist/agents/34-xss-scanner.js.map +1 -0
- package/dist/agents/35-csrf-tester.d.ts +11 -0
- package/dist/agents/35-csrf-tester.d.ts.map +1 -0
- package/dist/agents/35-csrf-tester.js +70 -0
- package/dist/agents/35-csrf-tester.js.map +1 -0
- package/dist/agents/36-auth-fuzzer.d.ts +13 -0
- package/dist/agents/36-auth-fuzzer.d.ts.map +1 -0
- package/dist/agents/36-auth-fuzzer.js +163 -0
- package/dist/agents/36-auth-fuzzer.js.map +1 -0
- package/dist/agents/37-dependency-scanner.d.ts +11 -0
- package/dist/agents/37-dependency-scanner.d.ts.map +1 -0
- package/dist/agents/37-dependency-scanner.js +139 -0
- package/dist/agents/37-dependency-scanner.js.map +1 -0
- package/dist/agents/38-secrets-scanner.d.ts +11 -0
- package/dist/agents/38-secrets-scanner.d.ts.map +1 -0
- package/dist/agents/38-secrets-scanner.js +116 -0
- package/dist/agents/38-secrets-scanner.js.map +1 -0
- package/dist/agents/39-api-contract-tester.d.ts +12 -0
- package/dist/agents/39-api-contract-tester.d.ts.map +1 -0
- package/dist/agents/39-api-contract-tester.js +142 -0
- package/dist/agents/39-api-contract-tester.js.map +1 -0
- package/dist/agents/40-rate-limit-tester.d.ts +12 -0
- package/dist/agents/40-rate-limit-tester.d.ts.map +1 -0
- package/dist/agents/40-rate-limit-tester.js +79 -0
- package/dist/agents/40-rate-limit-tester.js.map +1 -0
- package/dist/agents/41-api-pagination-tester.d.ts +12 -0
- package/dist/agents/41-api-pagination-tester.d.ts.map +1 -0
- package/dist/agents/41-api-pagination-tester.js +79 -0
- package/dist/agents/41-api-pagination-tester.js.map +1 -0
- package/dist/agents/42-graphql-tester.d.ts +13 -0
- package/dist/agents/42-graphql-tester.d.ts.map +1 -0
- package/dist/agents/42-graphql-tester.js +187 -0
- package/dist/agents/42-graphql-tester.js.map +1 -0
- package/dist/agents/43-data-consistency-checker.d.ts +11 -0
- package/dist/agents/43-data-consistency-checker.d.ts.map +1 -0
- package/dist/agents/43-data-consistency-checker.js +176 -0
- package/dist/agents/43-data-consistency-checker.js.map +1 -0
- package/dist/agents/44-backup-recovery-tester.d.ts +11 -0
- package/dist/agents/44-backup-recovery-tester.d.ts.map +1 -0
- package/dist/agents/44-backup-recovery-tester.js +128 -0
- package/dist/agents/44-backup-recovery-tester.js.map +1 -0
- package/dist/agents/45-data-privacy-scanner.d.ts +11 -0
- package/dist/agents/45-data-privacy-scanner.d.ts.map +1 -0
- package/dist/agents/45-data-privacy-scanner.js +100 -0
- package/dist/agents/45-data-privacy-scanner.js.map +1 -0
- package/dist/agents/46-seo-auditor.d.ts +12 -0
- package/dist/agents/46-seo-auditor.d.ts.map +1 -0
- package/dist/agents/46-seo-auditor.js +275 -0
- package/dist/agents/46-seo-auditor.js.map +1 -0
- package/dist/agents/47-social-preview-tester.d.ts +11 -0
- package/dist/agents/47-social-preview-tester.d.ts.map +1 -0
- package/dist/agents/47-social-preview-tester.js +219 -0
- package/dist/agents/47-social-preview-tester.js.map +1 -0
- package/dist/agents/48-lighthouse-auditor.d.ts +11 -0
- package/dist/agents/48-lighthouse-auditor.d.ts.map +1 -0
- package/dist/agents/48-lighthouse-auditor.js +192 -0
- package/dist/agents/48-lighthouse-auditor.js.map +1 -0
- package/dist/agents/49-i18n-tester.d.ts +13 -0
- package/dist/agents/49-i18n-tester.d.ts.map +1 -0
- package/dist/agents/49-i18n-tester.js +172 -0
- package/dist/agents/49-i18n-tester.js.map +1 -0
- package/dist/agents/50-timezone-tester.d.ts +11 -0
- package/dist/agents/50-timezone-tester.d.ts.map +1 -0
- package/dist/agents/50-timezone-tester.js +152 -0
- package/dist/agents/50-timezone-tester.js.map +1 -0
- package/dist/agents/51-error-recovery-tester.d.ts +11 -0
- package/dist/agents/51-error-recovery-tester.d.ts.map +1 -0
- package/dist/agents/51-error-recovery-tester.js +134 -0
- package/dist/agents/51-error-recovery-tester.js.map +1 -0
- package/dist/agents/52-offline-mode-tester.d.ts +12 -0
- package/dist/agents/52-offline-mode-tester.d.ts.map +1 -0
- package/dist/agents/52-offline-mode-tester.js +161 -0
- package/dist/agents/52-offline-mode-tester.js.map +1 -0
- package/dist/agents/53-graceful-degradation-tester.d.ts +12 -0
- package/dist/agents/53-graceful-degradation-tester.d.ts.map +1 -0
- package/dist/agents/53-graceful-degradation-tester.js +130 -0
- package/dist/agents/53-graceful-degradation-tester.js.map +1 -0
- package/dist/agents/54-websocket-tester.d.ts +10 -0
- package/dist/agents/54-websocket-tester.d.ts.map +1 -0
- package/dist/agents/54-websocket-tester.js +132 -0
- package/dist/agents/54-websocket-tester.js.map +1 -0
- package/dist/agents/55-realtime-sync-tester.d.ts +11 -0
- package/dist/agents/55-realtime-sync-tester.d.ts.map +1 -0
- package/dist/agents/55-realtime-sync-tester.js +175 -0
- package/dist/agents/55-realtime-sync-tester.js.map +1 -0
- package/dist/agents/56-file-upload-tester.d.ts +12 -0
- package/dist/agents/56-file-upload-tester.d.ts.map +1 -0
- package/dist/agents/56-file-upload-tester.js +166 -0
- package/dist/agents/56-file-upload-tester.js.map +1 -0
- package/dist/agents/57-export-tester.d.ts +11 -0
- package/dist/agents/57-export-tester.d.ts.map +1 -0
- package/dist/agents/57-export-tester.js +155 -0
- package/dist/agents/57-export-tester.js.map +1 -0
- package/dist/agents/58-payment-flow-tester.d.ts +11 -0
- package/dist/agents/58-payment-flow-tester.d.ts.map +1 -0
- package/dist/agents/58-payment-flow-tester.js +159 -0
- package/dist/agents/58-payment-flow-tester.js.map +1 -0
- package/dist/agents/59-ssl-tls-auditor.d.ts +10 -0
- package/dist/agents/59-ssl-tls-auditor.d.ts.map +1 -0
- package/dist/agents/59-ssl-tls-auditor.js +132 -0
- package/dist/agents/59-ssl-tls-auditor.js.map +1 -0
- package/dist/agents/60-dns-cdn-tester.d.ts +10 -0
- package/dist/agents/60-dns-cdn-tester.d.ts.map +1 -0
- package/dist/agents/60-dns-cdn-tester.js +105 -0
- package/dist/agents/60-dns-cdn-tester.js.map +1 -0
- package/dist/agents/61-docker-health-checker.d.ts +10 -0
- package/dist/agents/61-docker-health-checker.d.ts.map +1 -0
- package/dist/agents/61-docker-health-checker.js +95 -0
- package/dist/agents/61-docker-health-checker.js.map +1 -0
- package/dist/agents/62-env-config-validator.d.ts +10 -0
- package/dist/agents/62-env-config-validator.d.ts.map +1 -0
- package/dist/agents/62-env-config-validator.js +132 -0
- package/dist/agents/62-env-config-validator.js.map +1 -0
- package/dist/agents/63-log-quality-auditor.d.ts +9 -0
- package/dist/agents/63-log-quality-auditor.d.ts.map +1 -0
- package/dist/agents/63-log-quality-auditor.js +121 -0
- package/dist/agents/63-log-quality-auditor.js.map +1 -0
- package/dist/agents/64-analytics-tracker-tester.d.ts +10 -0
- package/dist/agents/64-analytics-tracker-tester.d.ts.map +1 -0
- package/dist/agents/64-analytics-tracker-tester.js +146 -0
- package/dist/agents/64-analytics-tracker-tester.js.map +1 -0
- package/dist/agents/65-gdpr-compliance-tester.d.ts +13 -0
- package/dist/agents/65-gdpr-compliance-tester.d.ts.map +1 -0
- package/dist/agents/65-gdpr-compliance-tester.js +186 -0
- package/dist/agents/65-gdpr-compliance-tester.js.map +1 -0
- package/dist/agents/66-soc2-control-validator.d.ts +14 -0
- package/dist/agents/66-soc2-control-validator.d.ts.map +1 -0
- package/dist/agents/66-soc2-control-validator.js +178 -0
- package/dist/agents/66-soc2-control-validator.js.map +1 -0
- package/dist/agents/67-wcag-aaa-tester.d.ts +13 -0
- package/dist/agents/67-wcag-aaa-tester.d.ts.map +1 -0
- package/dist/agents/67-wcag-aaa-tester.js +207 -0
- package/dist/agents/67-wcag-aaa-tester.js.map +1 -0
- package/dist/agents/68-dead-code-detector.d.ts +9 -0
- package/dist/agents/68-dead-code-detector.d.ts.map +1 -0
- package/dist/agents/68-dead-code-detector.js +116 -0
- package/dist/agents/68-dead-code-detector.js.map +1 -0
- package/dist/agents/69-type-safety-auditor.d.ts +9 -0
- package/dist/agents/69-type-safety-auditor.d.ts.map +1 -0
- package/dist/agents/69-type-safety-auditor.js +148 -0
- package/dist/agents/69-type-safety-auditor.js.map +1 -0
- package/dist/agents/70-complexity-analyzer.d.ts +10 -0
- package/dist/agents/70-complexity-analyzer.d.ts.map +1 -0
- package/dist/agents/70-complexity-analyzer.js +154 -0
- package/dist/agents/70-complexity-analyzer.js.map +1 -0
- package/dist/agents/registry.d.ts +3 -3
- package/dist/agents/registry.d.ts.map +1 -1
- package/dist/agents/registry.js +146 -5
- package/dist/agents/registry.js.map +1 -1
- package/dist/core/license.js +2 -5
- package/dist/core/license.js.map +1 -1
- package/dist/core/orchestrator.d.ts.map +1 -1
- package/dist/core/orchestrator.js +6 -4
- package/dist/core/orchestrator.js.map +1 -1
- package/package.json +2 -2
|
@@ -0,0 +1,142 @@
|
|
|
1
|
+
import { readFile } from 'node:fs/promises';
|
|
2
|
+
import { join } from 'node:path';
|
|
3
|
+
import { BaseAgent } from './base-agent';
|
|
4
|
+
import { resolveEnvironment } from '../helpers/env-resolver';
|
|
5
|
+
const REQUEST_TIMEOUT_MS = 10_000;
|
|
6
|
+
export class ApiContractTesterAgent extends BaseAgent {
|
|
7
|
+
agentId = 39;
|
|
8
|
+
agentName = 'API Contract Tester';
|
|
9
|
+
baseUrl = '';
|
|
10
|
+
async preFlight() {
|
|
11
|
+
const { env } = await resolveEnvironment(this.config, this.phase);
|
|
12
|
+
this.baseUrl = env.baseUrl;
|
|
13
|
+
}
|
|
14
|
+
async execute() {
|
|
15
|
+
const findings = [];
|
|
16
|
+
const projectRoot = this.config.projectRoot ?? process.cwd();
|
|
17
|
+
// Try to find OpenAPI spec
|
|
18
|
+
const specPaths = [
|
|
19
|
+
join(projectRoot, 'openapi.json'),
|
|
20
|
+
join(projectRoot, 'swagger.json'),
|
|
21
|
+
join(projectRoot, 'docs', 'openapi.json'),
|
|
22
|
+
join(projectRoot, 'docs', 'swagger.json'),
|
|
23
|
+
];
|
|
24
|
+
let spec = null;
|
|
25
|
+
let specPath = '';
|
|
26
|
+
for (const path of specPaths) {
|
|
27
|
+
try {
|
|
28
|
+
const content = await readFile(path, 'utf-8');
|
|
29
|
+
spec = JSON.parse(content);
|
|
30
|
+
specPath = path;
|
|
31
|
+
break;
|
|
32
|
+
}
|
|
33
|
+
catch {
|
|
34
|
+
// File not found — try next
|
|
35
|
+
}
|
|
36
|
+
}
|
|
37
|
+
if (!spec) {
|
|
38
|
+
findings.push({
|
|
39
|
+
id: `${this.agentId}-no-spec`,
|
|
40
|
+
type: 'infra-issue',
|
|
41
|
+
severity: 'low',
|
|
42
|
+
agentId: this.agentId,
|
|
43
|
+
module: 'api-contract-tester',
|
|
44
|
+
description: 'No OpenAPI/Swagger spec found — cannot validate API contracts',
|
|
45
|
+
});
|
|
46
|
+
return findings;
|
|
47
|
+
}
|
|
48
|
+
this.addEvidence({
|
|
49
|
+
type: 'report',
|
|
50
|
+
path: specPath,
|
|
51
|
+
description: `Using OpenAPI spec from ${specPath}`,
|
|
52
|
+
});
|
|
53
|
+
const paths = spec.paths ?? {};
|
|
54
|
+
for (const [path, methods] of Object.entries(paths)) {
|
|
55
|
+
for (const [method, definition] of Object.entries(methods)) {
|
|
56
|
+
if (method.startsWith('x-') || method === 'parameters')
|
|
57
|
+
continue;
|
|
58
|
+
const httpMethod = method.toUpperCase();
|
|
59
|
+
if (!['GET', 'POST', 'PUT', 'DELETE', 'PATCH'].includes(httpMethod))
|
|
60
|
+
continue;
|
|
61
|
+
const contractFindings = await this.testEndpoint(path, httpMethod, definition);
|
|
62
|
+
findings.push(...contractFindings);
|
|
63
|
+
}
|
|
64
|
+
}
|
|
65
|
+
return findings;
|
|
66
|
+
}
|
|
67
|
+
async testEndpoint(path, method, definition) {
|
|
68
|
+
const findings = [];
|
|
69
|
+
const url = `${this.baseUrl}${path}`;
|
|
70
|
+
try {
|
|
71
|
+
const response = await Promise.race([
|
|
72
|
+
fetch(url, {
|
|
73
|
+
method,
|
|
74
|
+
headers: { 'Content-Type': 'application/json' },
|
|
75
|
+
signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS),
|
|
76
|
+
}),
|
|
77
|
+
new Promise((_, reject) => setTimeout(() => reject(new Error('Timeout')), REQUEST_TIMEOUT_MS)),
|
|
78
|
+
]);
|
|
79
|
+
const statusStr = String(response.status);
|
|
80
|
+
const responseDef = definition.responses?.[statusStr] ?? definition.responses?.['200'];
|
|
81
|
+
if (!responseDef) {
|
|
82
|
+
return findings;
|
|
83
|
+
}
|
|
84
|
+
const jsonContent = responseDef.content?.['application/json'];
|
|
85
|
+
if (!jsonContent?.schema) {
|
|
86
|
+
return findings;
|
|
87
|
+
}
|
|
88
|
+
let body;
|
|
89
|
+
const contentType = response.headers.get('content-type') ?? '';
|
|
90
|
+
if (contentType.includes('application/json')) {
|
|
91
|
+
body = await response.json();
|
|
92
|
+
}
|
|
93
|
+
else {
|
|
94
|
+
return findings;
|
|
95
|
+
}
|
|
96
|
+
const schemaFindings = this.validateSchema(body, jsonContent.schema, `${method} ${path}`);
|
|
97
|
+
findings.push(...schemaFindings);
|
|
98
|
+
}
|
|
99
|
+
catch {
|
|
100
|
+
// Request failed — endpoint may not be reachable
|
|
101
|
+
}
|
|
102
|
+
return findings;
|
|
103
|
+
}
|
|
104
|
+
validateSchema(body, schema, context) {
|
|
105
|
+
const findings = [];
|
|
106
|
+
if (schema.type === 'object' && schema.properties && typeof body === 'object' && body !== null) {
|
|
107
|
+
const record = body;
|
|
108
|
+
// Check required fields
|
|
109
|
+
for (const field of schema.required ?? []) {
|
|
110
|
+
if (!(field in record)) {
|
|
111
|
+
findings.push({
|
|
112
|
+
id: `${this.agentId}-missing-field-${context.replace(/\s/g, '-')}-${field}`,
|
|
113
|
+
type: 'test-bug',
|
|
114
|
+
severity: 'medium',
|
|
115
|
+
agentId: this.agentId,
|
|
116
|
+
module: 'api-contract-tester',
|
|
117
|
+
description: `Missing required field "${field}" in response for ${context}`,
|
|
118
|
+
});
|
|
119
|
+
}
|
|
120
|
+
}
|
|
121
|
+
// Check types of present fields
|
|
122
|
+
for (const [field, fieldSchema] of Object.entries(schema.properties)) {
|
|
123
|
+
if (field in record && fieldSchema.type) {
|
|
124
|
+
const actualType = Array.isArray(record[field]) ? 'array' : typeof record[field];
|
|
125
|
+
const expectedType = fieldSchema.type === 'integer' ? 'number' : fieldSchema.type;
|
|
126
|
+
if (actualType !== expectedType && record[field] !== null) {
|
|
127
|
+
findings.push({
|
|
128
|
+
id: `${this.agentId}-wrong-type-${context.replace(/\s/g, '-')}-${field}`,
|
|
129
|
+
type: 'test-bug',
|
|
130
|
+
severity: 'high',
|
|
131
|
+
agentId: this.agentId,
|
|
132
|
+
module: 'api-contract-tester',
|
|
133
|
+
description: `Wrong type for field "${field}" in ${context}: expected ${expectedType}, got ${actualType}`,
|
|
134
|
+
});
|
|
135
|
+
}
|
|
136
|
+
}
|
|
137
|
+
}
|
|
138
|
+
}
|
|
139
|
+
return findings;
|
|
140
|
+
}
|
|
141
|
+
}
|
|
142
|
+
//# sourceMappingURL=39-api-contract-tester.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"39-api-contract-tester.js","sourceRoot":"","sources":["../../agents/39-api-contract-tester.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAE7D,MAAM,kBAAkB,GAAG,MAAM,CAAC;AAuBlC,MAAM,OAAO,sBAAuB,SAAQ,SAAS;IAC1C,OAAO,GAAG,EAAE,CAAC;IACb,SAAS,GAAG,qBAAqB,CAAC;IACnC,OAAO,GAAG,EAAE,CAAC;IAEX,KAAK,CAAC,SAAS;QACvB,MAAM,EAAE,GAAG,EAAE,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;QAClE,IAAI,CAAC,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC;IAC7B,CAAC;IAES,KAAK,CAAC,OAAO;QACrB,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;QAE7D,2BAA2B;QAC3B,MAAM,SAAS,GAAG;YAChB,IAAI,CAAC,WAAW,EAAE,cAAc,CAAC;YACjC,IAAI,CAAC,WAAW,EAAE,cAAc,CAAC;YACjC,IAAI,CAAC,WAAW,EAAE,MAAM,EAAE,cAAc,CAAC;YACzC,IAAI,CAAC,WAAW,EAAE,MAAM,EAAE,cAAc,CAAC;SAC1C,CAAC;QAEF,IAAI,IAAI,GAAuB,IAAI,CAAC;QACpC,IAAI,QAAQ,GAAG,EAAE,CAAC;QAElB,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;YAC7B,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;gBAC9C,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAgB,CAAC;gBAC1C,QAAQ,GAAG,IAAI,CAAC;gBAChB,MAAM;YACR,CAAC;YAAC,MAAM,CAAC;gBACP,4BAA4B;YAC9B,CAAC;QACH,CAAC;QAED,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,GAAG,IAAI,CAAC,OAAO,UAAU;gBAC7B,IAAI,EAAE,aAAa;gBACnB,QAAQ,EAAE,KAAK;gBACf,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,MAAM,EAAE,qBAAqB;gBAC7B,WAAW,EAAE,+DAA+D;aAC7E,CAAC,CAAC;YACH,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,IAAI,CAAC,WAAW,CAAC;YACf,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,2BAA2B,QAAQ,EAAE;SACnD,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;QAE/B,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YACpD,KAAK,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC3D,IAAI,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,MAAM,KAAK,YAAY;oBAAE,SAAS;gBACjE,MAAM,UAAU,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;gBACxC,IAAI,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC;oBAAE,SAAS;gBAE9E,MAAM,gBAAgB,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,UAAU,EAAE,UAAU,CAAC,CAAC;gBAC/E,QAAQ,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,CAAC;YACrC,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,KAAK,CAAC,YAAY,CACxB,IAAY,EACZ,MAAc,EACd,UAA+B;QAE/B,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,EAAE,CAAC;QAErC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;gBAClC,KAAK,CAAC,GAAG,EAAE;oBACT,MAAM;oBACN,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;oBAC/C,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,kBAAkB,CAAC;iBAChD,CAAC;gBACF,IAAI,OAAO,CAAQ,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE,CAC/B,UAAU,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,kBAAkB,CAAC,CACnE;aACF,CAAa,CAAC;YAEf,MAAM,SAAS,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YAC1C,MAAM,WAAW,GAAG,UAAU,CAAC,SAAS,EAAE,CAAC,SAAS,CAAC,IAAI,UAAU,CAAC,SAAS,EAAE,CAAC,KAAK,CAAC,CAAC;YAEvF,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,OAAO,QAAQ,CAAC;YAClB,CAAC;YAED,MAAM,WAAW,GAAG,WAAW,CAAC,OAAO,EAAE,CAAC,kBAAkB,CAAC,CAAC;YAC9D,IAAI,CAAC,WAAW,EAAE,MAAM,EAAE,CAAC;gBACzB,OAAO,QAAQ,CAAC;YAClB,CAAC;YAED,IAAI,IAAa,CAAC;YAClB,MAAM,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;YAC/D,IAAI,WAAW,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;gBAC7C,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YAC/B,CAAC;iBAAM,CAAC;gBACN,OAAO,QAAQ,CAAC;YAClB,CAAC;YAED,MAAM,cAAc,GAAG,IAAI,CAAC,cAAc,CACxC,IAAI,EACJ,WAAW,CAAC,MAAM,EAClB,GAAG,MAAM,IAAI,IAAI,EAAE,CACpB,CAAC;YACF,QAAQ,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC,CAAC;QACnC,CAAC;QAAC,MAAM,CAAC;YACP,iDAAiD;QACnD,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,cAAc,CACpB,IAAa,EACb,MAAqB,EACrB,OAAe;QAEf,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,IAAI,MAAM,CAAC,IAAI,KAAK,QAAQ,IAAI,MAAM,CAAC,UAAU,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;YAC/F,MAAM,MAAM,GAAG,IAA+B,CAAC;YAE/C,wBAAwB;YACxB,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC;gBAC1C,IAAI,CAAC,CAAC,KAAK,IAAI,MAAM,CAAC,EAAE,CAAC;oBACvB,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,GAAG,IAAI,CAAC,OAAO,kBAAkB,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,IAAI,KAAK,EAAE;wBAC3E,IAAI,EAAE,UAAU;wBAChB,QAAQ,EAAE,QAAQ;wBAClB,OAAO,EAAE,IAAI,CAAC,OAAO;wBACrB,MAAM,EAAE,qBAAqB;wBAC7B,WAAW,EAAE,2BAA2B,KAAK,qBAAqB,OAAO,EAAE;qBAC5E,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,gCAAgC;YAChC,KAAK,MAAM,CAAC,KAAK,EAAE,WAAW,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC;gBACrE,IAAI,KAAK,IAAI,MAAM,IAAI,WAAW,CAAC,IAAI,EAAE,CAAC;oBACxC,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC;oBACjF,MAAM,YAAY,GAAG,WAAW,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC;oBAElF,IAAI,UAAU,KAAK,YAAY,IAAI,MAAM,CAAC,KAAK,CAAC,KAAK,IAAI,EAAE,CAAC;wBAC1D,QAAQ,CAAC,IAAI,CAAC;4BACZ,EAAE,EAAE,GAAG,IAAI,CAAC,OAAO,eAAe,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,IAAI,KAAK,EAAE;4BACxE,IAAI,EAAE,UAAU;4BAChB,QAAQ,EAAE,MAAM;4BAChB,OAAO,EAAE,IAAI,CAAC,OAAO;4BACrB,MAAM,EAAE,qBAAqB;4BAC7B,WAAW,EAAE,yBAAyB,KAAK,QAAQ,OAAO,cAAc,YAAY,SAAS,UAAU,EAAE;yBAC1G,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
import type { Finding } from '../core/types';
|
|
2
|
+
import { BaseAgent } from './base-agent';
|
|
3
|
+
export declare class RateLimitTesterAgent extends BaseAgent {
|
|
4
|
+
readonly agentId = 40;
|
|
5
|
+
readonly agentName = "Rate Limit Tester";
|
|
6
|
+
private baseUrl;
|
|
7
|
+
protected preFlight(): Promise<void>;
|
|
8
|
+
protected execute(): Promise<Finding[]>;
|
|
9
|
+
private discoverEndpoints;
|
|
10
|
+
private testRateLimit;
|
|
11
|
+
}
|
|
12
|
+
//# sourceMappingURL=40-rate-limit-tester.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"40-rate-limit-tester.d.ts","sourceRoot":"","sources":["../../agents/40-rate-limit-tester.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAazC,qBAAa,oBAAqB,SAAQ,SAAS;IACjD,QAAQ,CAAC,OAAO,MAAM;IACtB,QAAQ,CAAC,SAAS,uBAAuB;IACzC,OAAO,CAAC,OAAO,CAAM;cAEL,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC;cAK1B,OAAO,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;IAY7C,OAAO,CAAC,iBAAiB;YAOX,aAAa;CAkD5B"}
|
|
@@ -0,0 +1,79 @@
|
|
|
1
|
+
import { BaseAgent } from './base-agent';
|
|
2
|
+
import { resolveEnvironment } from '../helpers/env-resolver';
|
|
3
|
+
const REQUEST_TIMEOUT_MS = 10_000;
|
|
4
|
+
const RAPID_REQUEST_COUNT = 50;
|
|
5
|
+
/** Default endpoints to test for rate limiting. */
|
|
6
|
+
const DEFAULT_ENDPOINTS = [
|
|
7
|
+
'/api/auth/login',
|
|
8
|
+
'/api/tasks',
|
|
9
|
+
'/api/clients',
|
|
10
|
+
];
|
|
11
|
+
export class RateLimitTesterAgent extends BaseAgent {
|
|
12
|
+
agentId = 40;
|
|
13
|
+
agentName = 'Rate Limit Tester';
|
|
14
|
+
baseUrl = '';
|
|
15
|
+
async preFlight() {
|
|
16
|
+
const { env } = await resolveEnvironment(this.config, this.phase);
|
|
17
|
+
this.baseUrl = env.baseUrl;
|
|
18
|
+
}
|
|
19
|
+
async execute() {
|
|
20
|
+
const findings = [];
|
|
21
|
+
const endpoints = this.discoverEndpoints();
|
|
22
|
+
for (const endpoint of endpoints) {
|
|
23
|
+
const endpointFindings = await this.testRateLimit(endpoint);
|
|
24
|
+
findings.push(...endpointFindings);
|
|
25
|
+
}
|
|
26
|
+
return findings;
|
|
27
|
+
}
|
|
28
|
+
discoverEndpoints() {
|
|
29
|
+
if (this.config.modules && this.config.modules.length > 0) {
|
|
30
|
+
return this.config.modules.map(m => `/api${m.route}`);
|
|
31
|
+
}
|
|
32
|
+
return [...DEFAULT_ENDPOINTS];
|
|
33
|
+
}
|
|
34
|
+
async testRateLimit(endpoint) {
|
|
35
|
+
const findings = [];
|
|
36
|
+
const url = `${this.baseUrl}${endpoint}`;
|
|
37
|
+
let got429 = false;
|
|
38
|
+
let successCount = 0;
|
|
39
|
+
let errorCount = 0;
|
|
40
|
+
const promises = Array.from({ length: RAPID_REQUEST_COUNT }, async () => {
|
|
41
|
+
try {
|
|
42
|
+
const response = await Promise.race([
|
|
43
|
+
fetch(url, {
|
|
44
|
+
method: 'GET',
|
|
45
|
+
signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS),
|
|
46
|
+
}),
|
|
47
|
+
new Promise((_, reject) => setTimeout(() => reject(new Error('Timeout')), REQUEST_TIMEOUT_MS)),
|
|
48
|
+
]);
|
|
49
|
+
if (response.status === 429) {
|
|
50
|
+
got429 = true;
|
|
51
|
+
}
|
|
52
|
+
else {
|
|
53
|
+
successCount++;
|
|
54
|
+
}
|
|
55
|
+
}
|
|
56
|
+
catch {
|
|
57
|
+
errorCount++;
|
|
58
|
+
}
|
|
59
|
+
});
|
|
60
|
+
await Promise.all(promises);
|
|
61
|
+
if (!got429) {
|
|
62
|
+
findings.push({
|
|
63
|
+
id: `${this.agentId}-no-rate-limit-${endpoint.replace(/\//g, '_')}`,
|
|
64
|
+
type: 'code-bug-security',
|
|
65
|
+
severity: 'medium',
|
|
66
|
+
agentId: this.agentId,
|
|
67
|
+
module: 'rate-limit-tester',
|
|
68
|
+
description: `No rate limiting on endpoint ${endpoint} — sent ${RAPID_REQUEST_COUNT} rapid requests with no 429 response`,
|
|
69
|
+
});
|
|
70
|
+
}
|
|
71
|
+
this.addEvidence({
|
|
72
|
+
type: 'log',
|
|
73
|
+
path: `rate-limit-${endpoint.replace(/\//g, '_')}`,
|
|
74
|
+
description: `Rate limit test for ${endpoint}: 429=${got429}, successes=${successCount}, errors=${errorCount}`,
|
|
75
|
+
});
|
|
76
|
+
return findings;
|
|
77
|
+
}
|
|
78
|
+
}
|
|
79
|
+
//# sourceMappingURL=40-rate-limit-tester.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"40-rate-limit-tester.js","sourceRoot":"","sources":["../../agents/40-rate-limit-tester.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAE7D,MAAM,kBAAkB,GAAG,MAAM,CAAC;AAClC,MAAM,mBAAmB,GAAG,EAAE,CAAC;AAE/B,mDAAmD;AACnD,MAAM,iBAAiB,GAAG;IACxB,iBAAiB;IACjB,YAAY;IACZ,cAAc;CACN,CAAC;AAEX,MAAM,OAAO,oBAAqB,SAAQ,SAAS;IACxC,OAAO,GAAG,EAAE,CAAC;IACb,SAAS,GAAG,mBAAmB,CAAC;IACjC,OAAO,GAAG,EAAE,CAAC;IAEX,KAAK,CAAC,SAAS;QACvB,MAAM,EAAE,GAAG,EAAE,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;QAClE,IAAI,CAAC,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC;IAC7B,CAAC;IAES,KAAK,CAAC,OAAO;QACrB,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,SAAS,GAAG,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAE3C,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;YACjC,MAAM,gBAAgB,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;YAC5D,QAAQ,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,CAAC;QACrC,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,iBAAiB;QACvB,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1D,OAAO,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC;QACxD,CAAC;QACD,OAAO,CAAC,GAAG,iBAAiB,CAAC,CAAC;IAChC,CAAC;IAEO,KAAK,CAAC,aAAa,CAAC,QAAgB;QAC1C,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,GAAG,QAAQ,EAAE,CAAC;QACzC,IAAI,MAAM,GAAG,KAAK,CAAC;QACnB,IAAI,YAAY,GAAG,CAAC,CAAC;QACrB,IAAI,UAAU,GAAG,CAAC,CAAC;QAEnB,MAAM,QAAQ,GAAG,KAAK,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,mBAAmB,EAAE,EAAE,KAAK,IAAI,EAAE;YACtE,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;oBAClC,KAAK,CAAC,GAAG,EAAE;wBACT,MAAM,EAAE,KAAK;wBACb,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,kBAAkB,CAAC;qBAChD,CAAC;oBACF,IAAI,OAAO,CAAQ,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE,CAC/B,UAAU,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,kBAAkB,CAAC,CACnE;iBACF,CAAa,CAAC;gBAEf,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;oBAC5B,MAAM,GAAG,IAAI,CAAC;gBAChB,CAAC;qBAAM,CAAC;oBACN,YAAY,EAAE,CAAC;gBACjB,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,UAAU,EAAE,CAAC;YACf,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,MAAM,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAE5B,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,GAAG,IAAI,CAAC,OAAO,kBAAkB,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,EAAE;gBACnE,IAAI,EAAE,mBAAmB;gBACzB,QAAQ,EAAE,QAAQ;gBAClB,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,MAAM,EAAE,mBAAmB;gBAC3B,WAAW,EAAE,gCAAgC,QAAQ,WAAW,mBAAmB,sCAAsC;aAC1H,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,WAAW,CAAC;YACf,IAAI,EAAE,KAAK;YACX,IAAI,EAAE,cAAc,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,EAAE;YAClD,WAAW,EAAE,uBAAuB,QAAQ,SAAS,MAAM,eAAe,YAAY,YAAY,UAAU,EAAE;SAC/G,CAAC,CAAC;QAEH,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
import type { Finding } from '../core/types';
|
|
2
|
+
import { BaseAgent } from './base-agent';
|
|
3
|
+
export declare class ApiPaginationTesterAgent extends BaseAgent {
|
|
4
|
+
readonly agentId = 41;
|
|
5
|
+
readonly agentName = "API Pagination Tester";
|
|
6
|
+
private baseUrl;
|
|
7
|
+
protected preFlight(): Promise<void>;
|
|
8
|
+
protected execute(): Promise<Finding[]>;
|
|
9
|
+
private discoverListEndpoints;
|
|
10
|
+
private testPagination;
|
|
11
|
+
}
|
|
12
|
+
//# sourceMappingURL=41-api-pagination-tester.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"41-api-pagination-tester.d.ts","sourceRoot":"","sources":["../../agents/41-api-pagination-tester.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAczC,qBAAa,wBAAyB,SAAQ,SAAS;IACrD,QAAQ,CAAC,OAAO,MAAM;IACtB,QAAQ,CAAC,SAAS,2BAA2B;IAC7C,OAAO,CAAC,OAAO,CAAM;cAEL,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC;cAK1B,OAAO,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;IAc7C,OAAO,CAAC,qBAAqB;YAOf,cAAc;CAkD7B"}
|
|
@@ -0,0 +1,79 @@
|
|
|
1
|
+
import { BaseAgent } from './base-agent';
|
|
2
|
+
import { resolveEnvironment } from '../helpers/env-resolver';
|
|
3
|
+
const REQUEST_TIMEOUT_MS = 10_000;
|
|
4
|
+
/** Edge-case pagination parameters to test. */
|
|
5
|
+
const PAGINATION_TESTS = [
|
|
6
|
+
{ param: 'page=0', description: 'page=0 (zero-indexed edge case)' },
|
|
7
|
+
{ param: 'page=-1', description: 'page=-1 (negative page)' },
|
|
8
|
+
{ param: 'page=99999', description: 'page=99999 (very high page)' },
|
|
9
|
+
{ param: 'limit=0', description: 'limit=0 (zero limit)' },
|
|
10
|
+
{ param: 'limit=10000', description: 'limit=10000 (excessively high limit)' },
|
|
11
|
+
];
|
|
12
|
+
export class ApiPaginationTesterAgent extends BaseAgent {
|
|
13
|
+
agentId = 41;
|
|
14
|
+
agentName = 'API Pagination Tester';
|
|
15
|
+
baseUrl = '';
|
|
16
|
+
async preFlight() {
|
|
17
|
+
const { env } = await resolveEnvironment(this.config, this.phase);
|
|
18
|
+
this.baseUrl = env.baseUrl;
|
|
19
|
+
}
|
|
20
|
+
async execute() {
|
|
21
|
+
const findings = [];
|
|
22
|
+
const endpoints = this.discoverListEndpoints();
|
|
23
|
+
for (const endpoint of endpoints) {
|
|
24
|
+
for (const test of PAGINATION_TESTS) {
|
|
25
|
+
const testFindings = await this.testPagination(endpoint, test.param, test.description);
|
|
26
|
+
findings.push(...testFindings);
|
|
27
|
+
}
|
|
28
|
+
}
|
|
29
|
+
return findings;
|
|
30
|
+
}
|
|
31
|
+
discoverListEndpoints() {
|
|
32
|
+
if (this.config.modules && this.config.modules.length > 0) {
|
|
33
|
+
return this.config.modules.map(m => `/api${m.route}`);
|
|
34
|
+
}
|
|
35
|
+
return ['/api/tasks', '/api/clients'];
|
|
36
|
+
}
|
|
37
|
+
async testPagination(endpoint, queryParam, description) {
|
|
38
|
+
const findings = [];
|
|
39
|
+
const url = `${this.baseUrl}${endpoint}?${queryParam}`;
|
|
40
|
+
try {
|
|
41
|
+
const response = await Promise.race([
|
|
42
|
+
fetch(url, {
|
|
43
|
+
method: 'GET',
|
|
44
|
+
headers: { 'Content-Type': 'application/json' },
|
|
45
|
+
signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS),
|
|
46
|
+
}),
|
|
47
|
+
new Promise((_, reject) => setTimeout(() => reject(new Error('Timeout')), REQUEST_TIMEOUT_MS)),
|
|
48
|
+
]);
|
|
49
|
+
// Check for server errors (crashes)
|
|
50
|
+
if (response.status >= 500) {
|
|
51
|
+
findings.push({
|
|
52
|
+
id: `${this.agentId}-crash-${endpoint.replace(/\//g, '_')}-${queryParam.replace(/[=&]/g, '_')}`,
|
|
53
|
+
type: 'code-bug-logic',
|
|
54
|
+
severity: 'high',
|
|
55
|
+
agentId: this.agentId,
|
|
56
|
+
module: 'api-pagination-tester',
|
|
57
|
+
description: `Endpoint ${endpoint} returned ${response.status} for ${description} — server crash on edge-case pagination`,
|
|
58
|
+
});
|
|
59
|
+
}
|
|
60
|
+
this.addEvidence({
|
|
61
|
+
type: 'log',
|
|
62
|
+
path: `pagination-${endpoint.replace(/\//g, '_')}-${queryParam.replace(/[=&]/g, '_')}`,
|
|
63
|
+
description: `${endpoint}?${queryParam}: status=${response.status}`,
|
|
64
|
+
});
|
|
65
|
+
}
|
|
66
|
+
catch (error) {
|
|
67
|
+
findings.push({
|
|
68
|
+
id: `${this.agentId}-error-${endpoint.replace(/\//g, '_')}-${queryParam.replace(/[=&]/g, '_')}`,
|
|
69
|
+
type: 'infra-issue',
|
|
70
|
+
severity: 'low',
|
|
71
|
+
agentId: this.agentId,
|
|
72
|
+
module: 'api-pagination-tester',
|
|
73
|
+
description: `Failed to test ${endpoint} with ${description}: ${error instanceof Error ? error.message : String(error)}`,
|
|
74
|
+
});
|
|
75
|
+
}
|
|
76
|
+
return findings;
|
|
77
|
+
}
|
|
78
|
+
}
|
|
79
|
+
//# sourceMappingURL=41-api-pagination-tester.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"41-api-pagination-tester.js","sourceRoot":"","sources":["../../agents/41-api-pagination-tester.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAE7D,MAAM,kBAAkB,GAAG,MAAM,CAAC;AAElC,+CAA+C;AAC/C,MAAM,gBAAgB,GAAG;IACvB,EAAE,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAE,iCAAiC,EAAE;IACnE,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,yBAAyB,EAAE;IAC5D,EAAE,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,6BAA6B,EAAE;IACnE,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,sBAAsB,EAAE;IACzD,EAAE,KAAK,EAAE,aAAa,EAAE,WAAW,EAAE,sCAAsC,EAAE;CACrE,CAAC;AAEX,MAAM,OAAO,wBAAyB,SAAQ,SAAS;IAC5C,OAAO,GAAG,EAAE,CAAC;IACb,SAAS,GAAG,uBAAuB,CAAC;IACrC,OAAO,GAAG,EAAE,CAAC;IAEX,KAAK,CAAC,SAAS;QACvB,MAAM,EAAE,GAAG,EAAE,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;QAClE,IAAI,CAAC,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC;IAC7B,CAAC;IAES,KAAK,CAAC,OAAO;QACrB,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,SAAS,GAAG,IAAI,CAAC,qBAAqB,EAAE,CAAC;QAE/C,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;YACjC,KAAK,MAAM,IAAI,IAAI,gBAAgB,EAAE,CAAC;gBACpC,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,QAAQ,EAAE,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;gBACvF,QAAQ,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,CAAC;YACjC,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,qBAAqB;QAC3B,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1D,OAAO,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC;QACxD,CAAC;QACD,OAAO,CAAC,YAAY,EAAE,cAAc,CAAC,CAAC;IACxC,CAAC;IAEO,KAAK,CAAC,cAAc,CAC1B,QAAgB,EAChB,UAAkB,EAClB,WAAmB;QAEnB,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,GAAG,QAAQ,IAAI,UAAU,EAAE,CAAC;QAEvD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;gBAClC,KAAK,CAAC,GAAG,EAAE;oBACT,MAAM,EAAE,KAAK;oBACb,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;oBAC/C,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,kBAAkB,CAAC;iBAChD,CAAC;gBACF,IAAI,OAAO,CAAQ,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE,CAC/B,UAAU,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,kBAAkB,CAAC,CACnE;aACF,CAAa,CAAC;YAEf,oCAAoC;YACpC,IAAI,QAAQ,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC;gBAC3B,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,GAAG,IAAI,CAAC,OAAO,UAAU,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,IAAI,UAAU,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE;oBAC/F,IAAI,EAAE,gBAAgB;oBACtB,QAAQ,EAAE,MAAM;oBAChB,OAAO,EAAE,IAAI,CAAC,OAAO;oBACrB,MAAM,EAAE,uBAAuB;oBAC/B,WAAW,EAAE,YAAY,QAAQ,aAAa,QAAQ,CAAC,MAAM,QAAQ,WAAW,yCAAyC;iBAC1H,CAAC,CAAC;YACL,CAAC;YAED,IAAI,CAAC,WAAW,CAAC;gBACf,IAAI,EAAE,KAAK;gBACX,IAAI,EAAE,cAAc,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,IAAI,UAAU,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE;gBACtF,WAAW,EAAE,GAAG,QAAQ,IAAI,UAAU,YAAY,QAAQ,CAAC,MAAM,EAAE;aACpE,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,GAAG,IAAI,CAAC,OAAO,UAAU,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,IAAI,UAAU,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE;gBAC/F,IAAI,EAAE,aAAa;gBACnB,QAAQ,EAAE,KAAK;gBACf,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,MAAM,EAAE,uBAAuB;gBAC/B,WAAW,EAAE,kBAAkB,QAAQ,SAAS,WAAW,KAAK,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE;aACzH,CAAC,CAAC;QACL,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}
|
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
import type { Finding } from '../core/types';
|
|
2
|
+
import { BaseAgent } from './base-agent';
|
|
3
|
+
export declare class GraphqlTesterAgent extends BaseAgent {
|
|
4
|
+
readonly agentId = 42;
|
|
5
|
+
readonly agentName = "GraphQL Tester";
|
|
6
|
+
private baseUrl;
|
|
7
|
+
protected preFlight(): Promise<void>;
|
|
8
|
+
protected execute(): Promise<Finding[]>;
|
|
9
|
+
private testIntrospection;
|
|
10
|
+
private testQueryDepth;
|
|
11
|
+
private testUnauthenticatedAccess;
|
|
12
|
+
}
|
|
13
|
+
//# sourceMappingURL=42-graphql-tester.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"42-graphql-tester.d.ts","sourceRoot":"","sources":["../../agents/42-graphql-tester.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAuBzC,qBAAa,kBAAmB,SAAQ,SAAS;IAC/C,QAAQ,CAAC,OAAO,MAAM;IACtB,QAAQ,CAAC,SAAS,oBAAoB;IACtC,OAAO,CAAC,OAAO,CAAM;cAEL,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC;cAK1B,OAAO,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;YAyD/B,iBAAiB;YA0CjB,cAAc;YA2Cd,yBAAyB;CA6CxC"}
|
|
@@ -0,0 +1,187 @@
|
|
|
1
|
+
import { BaseAgent } from './base-agent';
|
|
2
|
+
import { resolveEnvironment } from '../helpers/env-resolver';
|
|
3
|
+
const REQUEST_TIMEOUT_MS = 10_000;
|
|
4
|
+
const GRAPHQL_PATHS = ['/graphql', '/api/graphql'];
|
|
5
|
+
/** Standard introspection query. */
|
|
6
|
+
const INTROSPECTION_QUERY = '{ __schema { types { name } } }';
|
|
7
|
+
/** Deeply nested query (10+ levels). */
|
|
8
|
+
function buildDeepQuery(depth) {
|
|
9
|
+
let query = '{ __typename';
|
|
10
|
+
const openBraces = [];
|
|
11
|
+
for (let i = 0; i < depth; i++) {
|
|
12
|
+
query += ` __type(name: "Query") { name fields { name type { name`;
|
|
13
|
+
openBraces.push(' } }');
|
|
14
|
+
}
|
|
15
|
+
query += openBraces.reverse().join('');
|
|
16
|
+
query += ' }';
|
|
17
|
+
return query;
|
|
18
|
+
}
|
|
19
|
+
export class GraphqlTesterAgent extends BaseAgent {
|
|
20
|
+
agentId = 42;
|
|
21
|
+
agentName = 'GraphQL Tester';
|
|
22
|
+
baseUrl = '';
|
|
23
|
+
async preFlight() {
|
|
24
|
+
const { env } = await resolveEnvironment(this.config, this.phase);
|
|
25
|
+
this.baseUrl = env.baseUrl;
|
|
26
|
+
}
|
|
27
|
+
async execute() {
|
|
28
|
+
const findings = [];
|
|
29
|
+
// Discover GraphQL endpoint
|
|
30
|
+
let graphqlUrl = null;
|
|
31
|
+
for (const path of GRAPHQL_PATHS) {
|
|
32
|
+
const url = `${this.baseUrl}${path}`;
|
|
33
|
+
try {
|
|
34
|
+
const response = await Promise.race([
|
|
35
|
+
fetch(url, {
|
|
36
|
+
method: 'POST',
|
|
37
|
+
headers: { 'Content-Type': 'application/json' },
|
|
38
|
+
body: JSON.stringify({ query: '{ __typename }' }),
|
|
39
|
+
signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS),
|
|
40
|
+
}),
|
|
41
|
+
new Promise((_, reject) => setTimeout(() => reject(new Error('Timeout')), REQUEST_TIMEOUT_MS)),
|
|
42
|
+
]);
|
|
43
|
+
if (response.status !== 404) {
|
|
44
|
+
graphqlUrl = url;
|
|
45
|
+
break;
|
|
46
|
+
}
|
|
47
|
+
}
|
|
48
|
+
catch {
|
|
49
|
+
// Path not available
|
|
50
|
+
}
|
|
51
|
+
}
|
|
52
|
+
if (!graphqlUrl) {
|
|
53
|
+
findings.push({
|
|
54
|
+
id: `${this.agentId}-no-graphql`,
|
|
55
|
+
type: 'infra-issue',
|
|
56
|
+
severity: 'low',
|
|
57
|
+
agentId: this.agentId,
|
|
58
|
+
module: 'graphql-tester',
|
|
59
|
+
description: 'No GraphQL endpoint found at /graphql or /api/graphql',
|
|
60
|
+
});
|
|
61
|
+
return findings;
|
|
62
|
+
}
|
|
63
|
+
// Test 1: Introspection
|
|
64
|
+
const introspectionFindings = await this.testIntrospection(graphqlUrl);
|
|
65
|
+
findings.push(...introspectionFindings);
|
|
66
|
+
// Test 2: Deep query (depth limiting)
|
|
67
|
+
const depthFindings = await this.testQueryDepth(graphqlUrl);
|
|
68
|
+
findings.push(...depthFindings);
|
|
69
|
+
// Test 3: Unauthenticated access
|
|
70
|
+
const authFindings = await this.testUnauthenticatedAccess(graphqlUrl);
|
|
71
|
+
findings.push(...authFindings);
|
|
72
|
+
return findings;
|
|
73
|
+
}
|
|
74
|
+
async testIntrospection(graphqlUrl) {
|
|
75
|
+
const findings = [];
|
|
76
|
+
try {
|
|
77
|
+
const response = await Promise.race([
|
|
78
|
+
fetch(graphqlUrl, {
|
|
79
|
+
method: 'POST',
|
|
80
|
+
headers: { 'Content-Type': 'application/json' },
|
|
81
|
+
body: JSON.stringify({ query: INTROSPECTION_QUERY }),
|
|
82
|
+
signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS),
|
|
83
|
+
}),
|
|
84
|
+
new Promise((_, reject) => setTimeout(() => reject(new Error('Timeout')), REQUEST_TIMEOUT_MS)),
|
|
85
|
+
]);
|
|
86
|
+
if (response.status === 200) {
|
|
87
|
+
const body = await response.json();
|
|
88
|
+
if (body.data?.__schema) {
|
|
89
|
+
findings.push({
|
|
90
|
+
id: `${this.agentId}-introspection-enabled`,
|
|
91
|
+
type: 'code-bug-security',
|
|
92
|
+
severity: 'medium',
|
|
93
|
+
agentId: this.agentId,
|
|
94
|
+
module: 'graphql-tester',
|
|
95
|
+
description: 'GraphQL introspection is enabled in production — schema is exposed to attackers',
|
|
96
|
+
});
|
|
97
|
+
}
|
|
98
|
+
}
|
|
99
|
+
this.addEvidence({
|
|
100
|
+
type: 'log',
|
|
101
|
+
path: 'graphql-introspection',
|
|
102
|
+
description: `Introspection query: status=${response.status}`,
|
|
103
|
+
});
|
|
104
|
+
}
|
|
105
|
+
catch {
|
|
106
|
+
// Request failed
|
|
107
|
+
}
|
|
108
|
+
return findings;
|
|
109
|
+
}
|
|
110
|
+
async testQueryDepth(graphqlUrl) {
|
|
111
|
+
const findings = [];
|
|
112
|
+
const deepQuery = buildDeepQuery(10);
|
|
113
|
+
try {
|
|
114
|
+
const response = await Promise.race([
|
|
115
|
+
fetch(graphqlUrl, {
|
|
116
|
+
method: 'POST',
|
|
117
|
+
headers: { 'Content-Type': 'application/json' },
|
|
118
|
+
body: JSON.stringify({ query: deepQuery }),
|
|
119
|
+
signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS),
|
|
120
|
+
}),
|
|
121
|
+
new Promise((_, reject) => setTimeout(() => reject(new Error('Timeout')), REQUEST_TIMEOUT_MS)),
|
|
122
|
+
]);
|
|
123
|
+
if (response.status === 200) {
|
|
124
|
+
const body = await response.json();
|
|
125
|
+
if (!body.errors) {
|
|
126
|
+
findings.push({
|
|
127
|
+
id: `${this.agentId}-no-depth-limit`,
|
|
128
|
+
type: 'code-bug-security',
|
|
129
|
+
severity: 'high',
|
|
130
|
+
agentId: this.agentId,
|
|
131
|
+
module: 'graphql-tester',
|
|
132
|
+
description: 'No query depth limit on GraphQL endpoint — deeply nested queries (10+ levels) are accepted without error',
|
|
133
|
+
});
|
|
134
|
+
}
|
|
135
|
+
}
|
|
136
|
+
this.addEvidence({
|
|
137
|
+
type: 'log',
|
|
138
|
+
path: 'graphql-depth',
|
|
139
|
+
description: `Deep query test (10 levels): status=${response.status}`,
|
|
140
|
+
});
|
|
141
|
+
}
|
|
142
|
+
catch {
|
|
143
|
+
// Request failed
|
|
144
|
+
}
|
|
145
|
+
return findings;
|
|
146
|
+
}
|
|
147
|
+
async testUnauthenticatedAccess(graphqlUrl) {
|
|
148
|
+
const findings = [];
|
|
149
|
+
// Send a query that would typically need auth
|
|
150
|
+
const query = '{ users { id email } }';
|
|
151
|
+
try {
|
|
152
|
+
const response = await Promise.race([
|
|
153
|
+
fetch(graphqlUrl, {
|
|
154
|
+
method: 'POST',
|
|
155
|
+
headers: { 'Content-Type': 'application/json' },
|
|
156
|
+
// No Authorization header
|
|
157
|
+
body: JSON.stringify({ query }),
|
|
158
|
+
signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS),
|
|
159
|
+
}),
|
|
160
|
+
new Promise((_, reject) => setTimeout(() => reject(new Error('Timeout')), REQUEST_TIMEOUT_MS)),
|
|
161
|
+
]);
|
|
162
|
+
if (response.status === 200) {
|
|
163
|
+
const body = await response.json();
|
|
164
|
+
if (body.data?.users && Array.isArray(body.data.users) && body.data.users.length > 0) {
|
|
165
|
+
findings.push({
|
|
166
|
+
id: `${this.agentId}-no-field-auth`,
|
|
167
|
+
type: 'code-bug-security',
|
|
168
|
+
severity: 'high',
|
|
169
|
+
agentId: this.agentId,
|
|
170
|
+
module: 'graphql-tester',
|
|
171
|
+
description: 'GraphQL returns user data without authentication — field-level authorization is missing',
|
|
172
|
+
});
|
|
173
|
+
}
|
|
174
|
+
}
|
|
175
|
+
this.addEvidence({
|
|
176
|
+
type: 'log',
|
|
177
|
+
path: 'graphql-unauth',
|
|
178
|
+
description: `Unauthenticated query test: status=${response.status}`,
|
|
179
|
+
});
|
|
180
|
+
}
|
|
181
|
+
catch {
|
|
182
|
+
// Request failed
|
|
183
|
+
}
|
|
184
|
+
return findings;
|
|
185
|
+
}
|
|
186
|
+
}
|
|
187
|
+
//# sourceMappingURL=42-graphql-tester.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"42-graphql-tester.js","sourceRoot":"","sources":["../../agents/42-graphql-tester.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAE7D,MAAM,kBAAkB,GAAG,MAAM,CAAC;AAElC,MAAM,aAAa,GAAG,CAAC,UAAU,EAAE,cAAc,CAAU,CAAC;AAE5D,oCAAoC;AACpC,MAAM,mBAAmB,GAAG,iCAAiC,CAAC;AAE9D,wCAAwC;AACxC,SAAS,cAAc,CAAC,KAAa;IACnC,IAAI,KAAK,GAAG,cAAc,CAAC;IAC3B,MAAM,UAAU,GAAa,EAAE,CAAC;IAChC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,EAAE,CAAC,EAAE,EAAE,CAAC;QAC/B,KAAK,IAAI,yDAAyD,CAAC;QACnE,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC1B,CAAC;IACD,KAAK,IAAI,UAAU,CAAC,OAAO,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACvC,KAAK,IAAI,IAAI,CAAC;IACd,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,OAAO,kBAAmB,SAAQ,SAAS;IACtC,OAAO,GAAG,EAAE,CAAC;IACb,SAAS,GAAG,gBAAgB,CAAC;IAC9B,OAAO,GAAG,EAAE,CAAC;IAEX,KAAK,CAAC,SAAS;QACvB,MAAM,EAAE,GAAG,EAAE,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;QAClE,IAAI,CAAC,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC;IAC7B,CAAC;IAES,KAAK,CAAC,OAAO;QACrB,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,4BAA4B;QAC5B,IAAI,UAAU,GAAkB,IAAI,CAAC;QAErC,KAAK,MAAM,IAAI,IAAI,aAAa,EAAE,CAAC;YACjC,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,EAAE,CAAC;YACrC,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;oBAClC,KAAK,CAAC,GAAG,EAAE;wBACT,MAAM,EAAE,MAAM;wBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;wBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC;wBACjD,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,kBAAkB,CAAC;qBAChD,CAAC;oBACF,IAAI,OAAO,CAAQ,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE,CAC/B,UAAU,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,kBAAkB,CAAC,CACnE;iBACF,CAAa,CAAC;gBAEf,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;oBAC5B,UAAU,GAAG,GAAG,CAAC;oBACjB,MAAM;gBACR,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,qBAAqB;YACvB,CAAC;QACH,CAAC;QAED,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,GAAG,IAAI,CAAC,OAAO,aAAa;gBAChC,IAAI,EAAE,aAAa;gBACnB,QAAQ,EAAE,KAAK;gBACf,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,MAAM,EAAE,gBAAgB;gBACxB,WAAW,EAAE,uDAAuD;aACrE,CAAC,CAAC;YACH,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,wBAAwB;QACxB,MAAM,qBAAqB,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;QACvE,QAAQ,CAAC,IAAI,CAAC,GAAG,qBAAqB,CAAC,CAAC;QAExC,sCAAsC;QACtC,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;QAC5D,QAAQ,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,CAAC;QAEhC,iCAAiC;QACjC,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,yBAAyB,CAAC,UAAU,CAAC,CAAC;QACtE,QAAQ,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,CAAC;QAE/B,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,KAAK,CAAC,iBAAiB,CAAC,UAAkB;QAChD,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;gBAClC,KAAK,CAAC,UAAU,EAAE;oBAChB,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;oBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;oBACpD,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,kBAAkB,CAAC;iBAChD,CAAC;gBACF,IAAI,OAAO,CAAQ,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE,CAC/B,UAAU,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,kBAAkB,CAAC,CACnE;aACF,CAAa,CAAC;YAEf,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAuC,CAAC;gBACxE,IAAI,IAAI,CAAC,IAAI,EAAE,QAAQ,EAAE,CAAC;oBACxB,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,GAAG,IAAI,CAAC,OAAO,wBAAwB;wBAC3C,IAAI,EAAE,mBAAmB;wBACzB,QAAQ,EAAE,QAAQ;wBAClB,OAAO,EAAE,IAAI,CAAC,OAAO;wBACrB,MAAM,EAAE,gBAAgB;wBACxB,WAAW,EAAE,iFAAiF;qBAC/F,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,IAAI,CAAC,WAAW,CAAC;gBACf,IAAI,EAAE,KAAK;gBACX,IAAI,EAAE,uBAAuB;gBAC7B,WAAW,EAAE,+BAA+B,QAAQ,CAAC,MAAM,EAAE;aAC9D,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,iBAAiB;QACnB,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,KAAK,CAAC,cAAc,CAAC,UAAkB;QAC7C,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,SAAS,GAAG,cAAc,CAAC,EAAE,CAAC,CAAC;QAErC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;gBAClC,KAAK,CAAC,UAAU,EAAE;oBAChB,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;oBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;oBAC1C,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,kBAAkB,CAAC;iBAChD,CAAC;gBACF,IAAI,OAAO,CAAQ,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE,CAC/B,UAAU,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,kBAAkB,CAAC,CACnE;aACF,CAAa,CAAC;YAEf,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA4B,CAAC;gBAC7D,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;oBACjB,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,GAAG,IAAI,CAAC,OAAO,iBAAiB;wBACpC,IAAI,EAAE,mBAAmB;wBACzB,QAAQ,EAAE,MAAM;wBAChB,OAAO,EAAE,IAAI,CAAC,OAAO;wBACrB,MAAM,EAAE,gBAAgB;wBACxB,WAAW,EAAE,0GAA0G;qBACxH,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,IAAI,CAAC,WAAW,CAAC;gBACf,IAAI,EAAE,KAAK;gBACX,IAAI,EAAE,eAAe;gBACrB,WAAW,EAAE,uCAAuC,QAAQ,CAAC,MAAM,EAAE;aACtE,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,iBAAiB;QACnB,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,KAAK,CAAC,yBAAyB,CAAC,UAAkB;QACxD,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,8CAA8C;QAC9C,MAAM,KAAK,GAAG,wBAAwB,CAAC;QAEvC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;gBAClC,KAAK,CAAC,UAAU,EAAE;oBAChB,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;oBAC/C,0BAA0B;oBAC1B,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,CAAC;oBAC/B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,kBAAkB,CAAC;iBAChD,CAAC;gBACF,IAAI,OAAO,CAAQ,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE,CAC/B,UAAU,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,kBAAkB,CAAC,CACnE;aACF,CAAa,CAAC;YAEf,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAsC,CAAC;gBACvE,IAAI,IAAI,CAAC,IAAI,EAAE,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACrF,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,GAAG,IAAI,CAAC,OAAO,gBAAgB;wBACnC,IAAI,EAAE,mBAAmB;wBACzB,QAAQ,EAAE,MAAM;wBAChB,OAAO,EAAE,IAAI,CAAC,OAAO;wBACrB,MAAM,EAAE,gBAAgB;wBACxB,WAAW,EAAE,yFAAyF;qBACvG,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,IAAI,CAAC,WAAW,CAAC;gBACf,IAAI,EAAE,KAAK;gBACX,IAAI,EAAE,gBAAgB;gBACtB,WAAW,EAAE,sCAAsC,QAAQ,CAAC,MAAM,EAAE;aACrE,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,iBAAiB;QACnB,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}
|
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
import type { Finding } from '../core/types';
|
|
2
|
+
import { BaseAgent } from './base-agent';
|
|
3
|
+
export declare class DataConsistencyCheckerAgent extends BaseAgent {
|
|
4
|
+
readonly agentId = 43;
|
|
5
|
+
readonly agentName = "Data Consistency Checker";
|
|
6
|
+
private baseUrl;
|
|
7
|
+
protected preFlight(): Promise<void>;
|
|
8
|
+
protected execute(): Promise<Finding[]>;
|
|
9
|
+
private testCrudConsistency;
|
|
10
|
+
}
|
|
11
|
+
//# sourceMappingURL=43-data-consistency-checker.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"43-data-consistency-checker.d.ts","sourceRoot":"","sources":["../../agents/43-data-consistency-checker.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAMzC,qBAAa,2BAA4B,SAAQ,SAAS;IACxD,QAAQ,CAAC,OAAO,MAAM;IACtB,QAAQ,CAAC,SAAS,8BAA8B;IAChD,OAAO,CAAC,OAAO,CAAM;cAEL,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC;cAK1B,OAAO,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;YA0C/B,mBAAmB;CAiJlC"}
|