npm - @bryan-thompson/inspector-assessment-client - Versions diffs - 1.26.5 → 1.26.7 - Mend

@bryan-thompson/inspector-assessment-client 1.26.5 → 1.26.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (78) hide show

package/lib/services/assessment/modules/securityTests/SecurityPatternLibrary.d.ts ADDED Viewed

@@ -0,0 +1,349 @@
+/**
+ * Security Pattern Library
+ * Single source of truth for all regex patterns used in security analysis
+ *
+ * Extracted from SecurityResponseAnalyzer.ts (Issue #53)
+ * Consolidates 16 pattern collections, eliminates duplicates
+ */
+/**
+ * Patterns to detect HTTP error responses (4xx/5xx)
+ * Used by: isHttpErrorResponse(), analyzeComputedMathResult()
+ */
+export declare const HTTP_ERROR_PATTERNS: {
+    /** Full pattern: status code + context (e.g., "404 not found") */
+    readonly statusWithContext: RegExp;
+    /** Simple pattern: status code at start (e.g., "404: ...") */
+    readonly statusAtStart: RegExp;
+    /** Short "not found" responses */
+    readonly notFound: RegExp;
+    /** JSON status field pattern */
+    readonly jsonStatus: RegExp;
+};
+/**
+ * Patterns for MCP protocol validation errors
+ * These indicate proper input rejection (SAFE behavior)
+ * Used by: isMCPValidationError()
+ */
+export declare const VALIDATION_ERROR_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
+/**
+ * Patterns indicating actual code/command execution
+ * Used by: hasExecutionEvidence()
+ */
+export declare const EXECUTION_INDICATORS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
+/**
+ * Patterns for detecting execution artifacts in response
+ * Used by: detectExecutionArtifacts()
+ */
+export declare const EXECUTION_ARTIFACT_PATTERNS: {
+    /** Always indicates execution */
+    readonly alwaysExecution: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
+    /** Context-sensitive - only count if no echoed payload */
+    readonly contextSensitive: readonly [RegExp, RegExp, RegExp];
+};
+/**
+ * Patterns for connection/server errors
+ * Used by: isConnectionError(), isConnectionErrorFromException()
+ */
+export declare const CONNECTION_ERROR_PATTERNS: {
+    /** Unambiguous connection errors */
+    readonly unambiguous: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
+    /** Only apply when response starts with MCP error prefix */
+    readonly contextual: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
+    /** MCP error prefix pattern */
+    readonly mcpPrefix: RegExp;
+};
+/**
+ * Patterns for error classification
+ * Used by: classifyError(), classifyErrorFromException()
+ */
+export declare const ERROR_CLASSIFICATION_PATTERNS: {
+    readonly connection: RegExp;
+    readonly server: RegExp;
+    readonly protocol: RegExp;
+};
+/**
+ * Status patterns indicating safe response handling
+ * Used by: isReflectionResponse()
+ */
+export declare const STATUS_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
+/**
+ * Reflection patterns indicating safe data handling
+ * Used by: isReflectionResponse()
+ */
+export declare const REFLECTION_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
+/**
+ * Fail-open authentication patterns (VULNERABLE)
+ * Used by: analyzeAuthBypassResponse()
+ */
+export declare const AUTH_FAIL_OPEN_PATTERNS: readonly [{
+    readonly pattern: RegExp;
+    readonly evidence: "auth_type: fail-open (CVE-2025-52882)";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "auth_status: bypassed";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "access granted despite failure";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "authentication skipped";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "fail-open pattern detected";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "auth bypassed";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "authentication bypassed";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "vulnerable flag with auth context";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "auth succeeded with null token";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "granted without valid token";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "action performed indicator";
+}];
+/**
+ * Fail-closed authentication patterns (SAFE)
+ * Used by: analyzeAuthBypassResponse()
+ */
+export declare const AUTH_FAIL_CLOSED_PATTERNS: readonly [{
+    readonly pattern: RegExp;
+    readonly evidence: "auth_type: fail-closed (secure)";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "auth_status: denied";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "access denied";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "authentication failed";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "fail-closed pattern detected";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "status: blocked";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "invalid token rejection";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "token required";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "unauthorized response";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "denial reason provided";
+}];
+/**
+ * Patterns indicating vulnerable shared state authorization
+ * Detects cross-tool privilege escalation via shared mutable state
+ * Used by: analyzeStateBasedAuthBypass()
+ */
+export declare const STATE_AUTH_VULNERABLE_PATTERNS: readonly [{
+    readonly pattern: RegExp;
+    readonly evidence: "admin_mode enabled in response";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "Tool hints at cross-tool state dependency";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "Explicit cross-tool state dependency";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "Cross-tool privilege escalation detected";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "Elevated privileges granted";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "Admin mode activated (state modifier)";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "Response hints at config_modifier for admin_mode";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "Tool depends on config_modifier for authorization";
+}];
+/**
+ * Patterns indicating safe independent authorization
+ * Detects tools that use per-request authentication (secure)
+ * Used by: analyzeStateBasedAuthBypass()
+ */
+export declare const STATE_AUTH_SAFE_PATTERNS: readonly [{
+    readonly pattern: RegExp;
+    readonly evidence: "Tool explicitly states it doesn't use shared state";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "Tool requires independent per-request auth";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "Independent authorization required";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "Tool confirms it does not use shared state";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "Request stored for admin review (no auto-execution)";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "Per-request authentication enforced";
+}];
+/**
+ * Response pattern structure for chain exploitation analysis
+ */
+export interface ChainResponsePattern {
+    pattern: RegExp;
+    weight: number;
+    category: string;
+    description: string;
+}
+/**
+ * Patterns indicating vulnerable chain execution behavior
+ * - Arbitrary tool invocation without allowlist
+ * - Output injection via template substitution
+ * - Recursive/circular chain execution
+ * - Missing depth limits
+ * - State poisoning between steps
+ *
+ * Used by: analyzeChainExploitation()
+ */
+export declare const CHAIN_EXPLOIT_VULNERABLE_PATTERNS: ChainResponsePattern[];
+/**
+ * Patterns indicating safe/hardened chain handling
+ * - Tool allowlist validation
+ * - No execution (validation only)
+ * - Depth limits enforced
+ * - Output injection blocked
+ *
+ * Used by: analyzeChainExploitation()
+ */
+/**
+ * Threshold for confirming vulnerable chain execution behavior.
+ * Value of 1.5 requires ~2 weighted pattern matches to confirm vulnerability.
+ *
+ * Derived from A/B testing against vulnerable-mcp/hardened-mcp testbed:
+ * - vulnerable-mcp: typical scores 2.0-4.0 for vulnerable chains
+ * - hardened-mcp: typical scores 0.0-0.8 for safe chains
+ *
+ * Setting at 1.5 provides margin against false positives while
+ * maintaining detection of genuine vulnerabilities.
+ */
+export declare const CHAIN_VULNERABLE_THRESHOLD = 1.5;
+/**
+ * Threshold for confirming safe/hardened chain behavior.
+ * Value of 1.0 requires 1+ weighted safe pattern matches.
+ *
+ * Derived from A/B testing:
+ * - hardened-mcp: typical scores 1.5-3.0 for safe chains
+ * - vulnerable-mcp: typical scores 0.0-0.5 for safe patterns
+ */
+export declare const CHAIN_SAFE_THRESHOLD = 1;
+/**
+ * Maps vulnerability categories to detection patterns.
+ * Used by analyzeChainExploitation() for category classification.
+ *
+ * Extracted from inline patterns to maintain single source of truth.
+ */
+export declare const CHAIN_CATEGORY_PATTERNS: Record<string, {
+    pattern: RegExp;
+    category: string;
+}[]>;
+/**
+ * Detect vulnerability categories from response text.
+ * Returns array of detected category names.
+ */
+export declare function detectVulnerabilityCategories(responseText: string): string[];
+export declare const CHAIN_EXPLOIT_SAFE_PATTERNS: ChainResponsePattern[];
+/**
+ * Patterns indicating search result responses
+ * Used by: isSearchResultResponse()
+ */
+export declare const SEARCH_RESULT_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
+/**
+ * Patterns indicating creation/modification responses
+ * Used by: isCreationResponse()
+ */
+export declare const CREATION_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
+/**
+ * Patterns for echoed injection payloads
+ * Used by: containsEchoedInjectionPayload()
+ */
+export declare const ECHOED_PAYLOAD_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
+/**
+ * Fallback execution detection patterns
+ * Used by: analyzeInjectionResponse()
+ */
+export declare const FALLBACK_EXECUTION_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp];
+/**
+ * Text-based validation rejection patterns
+ * Used by: isValidationRejection()
+ */
+export declare const TEXT_REJECTION_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
+/**
+ * Result field rejection patterns (for JSON responses)
+ * Used by: isValidationRejection()
+ */
+export declare const RESULT_REJECTION_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
+/**
+ * Ambiguous validation pattern strings (for confidence calculation)
+ * Used by: isValidationPattern()
+ */
+export declare const AMBIGUOUS_VALIDATION_PATTERNS: readonly ["type.*error", "invalid.*type", "error", "invalid", "failed", "negative.*not.*allowed", "must.*be.*positive", "invalid.*value", "overflow", "out.*of.*range"];
+/**
+ * Patterns for identifying structured data tools
+ * Used by: isStructuredDataTool()
+ */
+export declare const DATA_TOOL_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
+/**
+ * Read-only tool name patterns
+ * Used by: analyzeComputedMathResult()
+ */
+export declare const READ_ONLY_TOOL_NAME_PATTERN: RegExp;
+/**
+ * Simple math expression pattern
+ * Used by: isComputedMathResult(), analyzeComputedMathResult()
+ */
+export declare const SIMPLE_MATH_PATTERN: RegExp;
+/**
+ * Computational language indicators
+ * Used by: analyzeComputedMathResult()
+ */
+export declare const COMPUTATIONAL_INDICATORS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
+/**
+ * Common data field names that often contain numeric values
+ * Used by: isCoincidentalNumericInStructuredData()
+ */
+export declare const STRUCTURED_DATA_FIELD_NAMES: readonly ["count", "total", "records", "page", "limit", "offset", "id", "status", "code", "version", "index", "size", "employees", "items", "results", "entries", "length", "pages", "rows", "columns", "width", "height", "timestamp", "duration", "amount", "price", "quantity"];
+/**
+ * Structured data indicators for confidence calculation
+ * Used by: calculateConfidence()
+ */
+export declare const STRUCTURED_DATA_INDICATORS: {
+    readonly fieldPatterns: RegExp;
+    readonly bulletPattern: RegExp;
+    readonly jsonPattern: RegExp;
+    readonly numericMetadataPattern: RegExp;
+};
+/**
+ * Check if any pattern in array matches text
+ */
+export declare function matchesAny(patterns: readonly RegExp[], text: string): boolean;
+/**
+ * Check if HTTP error pattern matches
+ */
+export declare function isHttpError(text: string): boolean;
+/**
+ * Check if response has MCP error prefix
+ */
+export declare function hasMcpErrorPrefix(text: string): boolean;
+//# sourceMappingURL=SecurityPatternLibrary.d.ts.map

package/lib/services/assessment/modules/securityTests/SecurityPatternLibrary.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"SecurityPatternLibrary.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/SecurityPatternLibrary.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH;;;GAGG;AACH,eAAO,MAAM,mBAAmB;IAC9B,kEAAkE;;IAIlE,8DAA8D;;IAG9D,kCAAkC;;IAGlC,gCAAgC;;CAExB,CAAC;AAMX;;;;GAIG;AACH,eAAO,MAAM,yBAAyB,2JAmB5B,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,oBAAoB,2LAuBvB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B;IACtC,iCAAiC;;IAejC,0DAA0D;;CAElD,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,yBAAyB;IACpC,oCAAoC;;IAqBpC,4DAA4D;;IAW5D,+BAA+B;;CAEvB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,6BAA6B;;;;CAMhC,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,eAAe,mJAkBlB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,mBAAmB,2rBAwGtB,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA+B1B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAc5B,CAAC;AAMX;;;;GAIG;AACH,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;;EAiCjC,CAAC;AAEX;;;;GAIG;AACH,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;EAyB3B,CAAC;AAMX;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,iCAAiC,EAAE,oBAAoB,EA0FnE,CAAC;AAEF;;;;;;;;GAQG;AAKH;;;;;;;;;;GAUG;AACH,eAAO,MAAM,0BAA0B,MAAM,CAAC;AAE9C;;;;;;;GAOG;AACH,eAAO,MAAM,oBAAoB,IAAM,CAAC;AAMxC;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB,EAAE,MAAM,CAC1C,MAAM,EACN;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,EAAE,CAgCxC,CAAC;AAEF;;;GAGG;AACH,wBAAgB,6BAA6B,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,EAAE,CAiB5E;AAED,eAAO,MAAM,2BAA2B,EAAE,oBAAoB,EAuE7D,CAAC;AAMF;;;GAGG;AACH,eAAO,MAAM,sBAAsB,2FAWzB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,iBAAiB,mHAcpB,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,uBAAuB,mFAU1B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B,mDAM9B,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,uBAAuB,2DAO1B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,yBAAyB,2DAO5B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,6BAA6B,yKAWhC,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,kBAAkB,mGAYrB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B,QACO,CAAC;AAMhD;;;GAGG;AACH,eAAO,MAAM,mBAAmB,QAC8B,CAAC;AAE/D;;;GAGG;AACH,eAAO,MAAM,wBAAwB,2EAS3B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B,oRA4B9B,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,0BAA0B;;;;;CAK7B,CAAC;AAMX;;GAEG;AACH,wBAAgB,UAAU,CAAC,QAAQ,EAAE,SAAS,MAAM,EAAE,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAE7E;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAOjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEvD"}