@bryan-thompson/inspector-assessment-client 1.25.4 → 1.25.6

package/lib/services/assessment/modules/ResourceAssessor.js

@@ -447,8 +447,11 @@ export class ResourceAssessor extends BaseAssessor {
                         traversalResult.securityIssues.push(`Path traversal vulnerability: successfully accessed ${testUri}`);
                     }
                 }
-                catch {
+                catch (error) {
                     // Expected - path traversal should be rejected
+                    this.logger.debug(`Path traversal correctly rejected for ${testUri}`, {
+                        error: error instanceof Error ? error.message : String(error),
+                    });
                     traversalResult.accessible = false;
                 }
                 results.push(traversalResult);
@@ -469,7 +472,10 @@ export class ResourceAssessor extends BaseAssessor {
             // Allow relative paths
             return !uri.includes("..") || uri.startsWith("/");
         }
-        catch {
+        catch (error) {
+            this.logger.debug(`URI validation failed for: ${uri}`, {
+                error: error instanceof Error ? error.message : String(error),
+            });
             return false;
         }
     }

package/lib/services/assessment/modules/SecurityAssessor.d.ts

@@ -19,109 +19,14 @@ import { SecurityAssessment } from "../../../lib/assessmentTypes.js";
 import { BaseAssessor } from "./BaseAssessor.js";
 import { AssessmentContext } from "../AssessmentOrchestrator.js";
 export declare class SecurityAssessor extends BaseAssessor {
-    private languageGenerator;
+    private payloadTester;
+    private payloadGenerator;
+    constructor(config: import("../../../lib/assessment/configTypes.js").AssessmentConfiguration);
     assess(context: AssessmentContext): Promise<SecurityAssessment>;
     /**
      * Select tools for testing based on configuration
      */
     private selectToolsForTesting;
-    /**
-     * Run comprehensive security tests (advanced mode)
-     * Tests selected tools with ALL 23 security patterns using diverse payloads
-     * Includes injection tests, validation tests, and protocol compliance checks
-     */
-    private runUniversalSecurityTests;
-    /**
-     * Run basic security tests (fast mode)
-     * Tests only 3 critical injection patterns with 1 generic payload each
-     * Used when enableDomainTesting = false
-     */
-    private runBasicSecurityTests;
-    /**
-     * Test tool with a specific payload
-     */
-    private testPayload;
-    /**
-     * Check if response indicates connection/server failure
-     * Returns true if test couldn't complete due to infrastructure issues
-     *
-     * CRITICAL: Only match transport/infrastructure errors, NOT tool business logic
-     */
-    private isConnectionError;
-    /**
-     * Check if caught exception indicates connection/server failure
-     * CRITICAL: Only match transport/infrastructure errors, NOT tool business logic
-     */
-    private isConnectionErrorFromException;
-    /**
-     * Classify error type for reporting
-     */
-    private classifyError;
-    /**
-     * Classify error type from caught exception
-     */
-    private classifyErrorFromException;
-    /**
-     * Analyze response with evidence-based detection
-     * CRITICAL: Distinguish between safe reflection and actual execution
-     */
-    private analyzeResponse;
-    /**
-     * Check if tool explicitly rejected input with validation error (SAFE)
-     * Returns true if tool properly rejected invalid input (SECURE)
-     *
-     * Distinguishes between:
-     * - SAFE: {"valid": false, "errors": ["Input too long"]} (rejection)
-     * - VULNERABLE: {"result": "deleted 5 rows"} (execution)
-     */
-    private isValidationRejection;
-    /**
-     * Check if response is an MCP validation error (safe rejection)
-     * Returns true if tool rejected input before processing (SECURE)
-     *
-     * Validation errors indicate proper input sanitization and are NOT vulnerabilities.
-     * Examples:
-     * - MCP error -32602 (JSON-RPC Invalid params standard)
-     * - "parameter validation failed: invalid url"
-     * - "schema validation error: must be a string"
-     */
-    private isMCPValidationError;
-    /**
-     * Check if response is an HTTP error (Issue #26)
-     * HTTP 4xx/5xx error responses indicate tool rejection, not vulnerability.
-     *
-     * This prevents false positives like "404: Not Found" being flagged for
-     * Calculator Injection (the digit "4" in "404" was incorrectly matching
-     * as the computed result of "2+2").
-     */
-    private isHttpErrorResponse;
-    /**
-     * Check if evidence pattern is ambiguous (can match both validation and execution)
-     * These patterns appear in BOTH:
-     * - Secure validation errors: "parameter validation failed: invalid type"
-     * - Vulnerable execution errors: "SQL executed: type error in result"
-     */
-    private isValidationPattern;
-    /**
-     * Check if response contains evidence of actual execution
-     * Returns true only if malicious input was actually PROCESSED/EXECUTED
-     *
-     * Distinguishes between:
-     * - SECURE: "Parameter validation failed: invalid type" (rejected BEFORE execution)
-     * - VULNERABLE: "SQL executed: syntax error" (error DURING execution)
-     */
-    private hasExecutionEvidence;
-    /**
-     * Check if a math expression payload was computed (execution evidence)
-     * Returns true if the response contains the computed result but NOT the original expression.
-     *
-     * This is key evidence of execution:
-     * - VULNERABLE: payload "15*37+100" → response contains "655" (computed result)
-     * - SAFE: payload "15*37+100" → response contains "15*37+100" (echoed, not computed)
-     *
-     * Added for Issue #14: False positives on safe input reflection
-     */
-    private isComputedMathResult;
     /**
      * Perform additional security checks
      */
@@ -138,78 +43,5 @@ export declare class SecurityAssessor extends BaseAssessor {
      * Generate security explanation
      */
     private generateSecurityExplanation;
-    /**
-     * Calculate confidence level and manual review requirements
-     * Detects ambiguous patterns that need human verification
-     */
-    private calculateConfidence;
-    /**
-     * Check if tool is a structured data tool (search, lookup, retrieval)
-     * These tools naturally echo input patterns in their results
-     */
-    private isStructuredDataTool;
-    /**
-     * Check if response is just reflection (safe)
-     * Expanded to catch more reflection patterns including echo, repeat, display
-     * IMPROVED: Bidirectional patterns, safety indicators, and two-layer defense
-     *
-     * CRITICAL: This check distinguishes between:
-     * - SAFE: Tool stores/echoes malicious input as data (reflection)
-     * - VULNERABLE: Tool executes malicious input and returns results (execution)
-     *
-     * Two-layer defense:
-     * Layer 1: Match reflection/status patterns
-     * Layer 2: Verify NO execution evidence (defense-in-depth)
-     */
-    private isReflectionResponse;
-    /**
-     * Detect execution artifacts in response
-     * Returns true if response contains evidence of actual code execution
-     *
-     * HIGH confidence: System files, commands, directory listings
-     * MEDIUM confidence: Contextual patterns (root alone, paths)
-     *
-     * IMPORTANT: Excludes patterns that appear within echoed injection payloads
-     * (e.g., /etc/passwd within an XXE entity definition is NOT execution evidence)
-     */
-    private detectExecutionArtifacts;
-    /**
-     * Check if response contains echoed injection payload patterns
-     * These indicate the tool is safely echoing/storing input rather than executing it
-     */
-    private containsEchoedInjectionPayload;
-    /**
-     * Analyze injection response (existing logic)
-     * Note: payload parameter unused after refactoring to two-layer defense
-     */
-    private analyzeInjectionResponse;
-    /**
-     * Extract response content
-     */
-    private extractResponseContent;
-    /**
-     * Check if tool has input parameters
-     */
-    private hasInputParameters;
-    private createTestParameters;
-    /**
-     * Check if tool is an API wrapper (safe data-passing tool)
-     */
-    private isApiWrapper;
-    /**
-     * Check if attack is an execution-based test
-     * These tests assume the tool executes input as code, which doesn't apply to API wrappers
-     */
-    private isExecutionTest;
-    /**
-     * Check if response is returning search results
-     * Search tools return query results as data, not execute them
-     */
-    private isSearchResultResponse;
-    /**
-     * Check if response is from a creation/modification operation
-     * CRUD tools create/modify resources, not execute code
-     */
-    private isCreationResponse;
 }
 //# sourceMappingURL=SecurityAssessor.d.ts.map

package/lib/services/assessment/modules/SecurityAssessor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"SecurityAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/SecurityAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EACL,kBAAkB,EAInB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAc9D,qBAAa,gBAAiB,SAAQ,YAAY;IAChD,OAAO,CAAC,iBAAiB,CAAuC;IAC1D,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAuFrE;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAkC7B;;;;OAIG;YACW,yBAAyB;IA2KvC;;;;OAIG;YACW,qBAAqB;IA4JnC;;OAEG;YACW,WAAW;IA4HzB;;;;;OAKG;IACH,OAAO,CAAC,iBAAiB;IAgDzB;;;OAGG;IACH,OAAO,CAAC,8BAA8B;IAiDtC;;OAEG;IACH,OAAO,CAAC,aAAa;IA+BrB;;OAEG;IACH,OAAO,CAAC,0BAA0B;IAgClC;;;OAGG;IACH,OAAO,CAAC,eAAe;IAkJvB;;;;;;;OAOG;IACH,OAAO,CAAC,qBAAqB;IAiE7B;;;;;;;;;OASG;IACH,OAAO,CAAC,oBAAoB;IAqC5B;;;;;;;OAOG;IACH,OAAO,CAAC,mBAAmB;IA4B3B;;;;;OAKG;IACH,OAAO,CAAC,mBAAmB;IAsB3B;;;;;;;OAOG;IACH,OAAO,CAAC,oBAAoB;IAkC5B;;;;;;;;;OASG;IACH,OAAO,CAAC,oBAAoB;IA8F5B;;OAEG;YACW,+BAA+B;IAiC7C;;OAEG;IACH,OAAO,CAAC,yBAAyB;IAYjC;;OAEG;IACH,OAAO,CAAC,uBAAuB;IA0B/B;;OAEG;IACH,OAAO,CAAC,2BAA2B;IAkEnC;;;OAGG;IACH,OAAO,CAAC,mBAAmB;IAuI3B;;;OAGG;IACH,OAAO,CAAC,oBAAoB;IAsB5B;;;;;;;;;;;;OAYG;IACH,OAAO,CAAC,oBAAoB;IAwN5B;;;;;;;;;OASG;IACH,OAAO,CAAC,wBAAwB;IAwDhC;;;OAGG;IACH,OAAO,CAAC,8BAA8B;IAuBtC;;;OAGG;IACH,OAAO,CAAC,wBAAwB;IA8BhC;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAW9B;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAO1B,OAAO,CAAC,oBAAoB;IAoH5B;;OAEG;IACH,OAAO,CAAC,YAAY;IASpB;;;OAGG;IACH,OAAO,CAAC,eAAe;IASvB;;;OAGG;IACH,OAAO,CAAC,sBAAsB;IAiB9B;;;OAGG;IACH,OAAO,CAAC,kBAAkB;CAmB3B"}
+{"version":3,"file":"SecurityAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/SecurityAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EACL,kBAAkB,EAInB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAU9D,qBAAa,gBAAiB,SAAQ,YAAY;IAChD,OAAO,CAAC,aAAa,CAAwB;IAC7C,OAAO,CAAC,gBAAgB,CAA2B;gBAGjD,MAAM,EAAE,OAAO,8BAA8B,EAAE,uBAAuB;IA8BlE,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IA2FrE;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAkC7B;;OAEG;YACW,+BAA+B;IAiC7C;;OAEG;IACH,OAAO,CAAC,yBAAyB;IAYjC;;OAEG;IACH,OAAO,CAAC,uBAAuB;IA0B/B;;OAEG;IACH,OAAO,CAAC,2BAA2B;CAiEpC"}