@bryan-thompson/inspector-assessment-client 1.26.6 → 1.26.7

package/lib/services/assessment/modules/securityTests/ChainExecutionTester.js

@@ -0,0 +1,257 @@
+/**
+ * Chain Execution Tester
+ * Dynamic testing for multi-tool chain exploitation vulnerabilities
+ *
+ * Issue #93, Challenge #6: Multi-tool chained exploitation attacks
+ * Tests for:
+ * 1. Arbitrary tool invocation without allowlist
+ * 2. Output injection via {{output}} template substitution
+ * 3. Recursive chain execution (DoS potential)
+ * 4. State poisoning between chain steps
+ * 5. Missing depth/size limits
+ *
+ * A/B Validation:
+ * - vulnerable-mcp (10900): Should detect all vulnerability categories
+ * - hardened-mcp (10901): 0 false positives (validation-only behavior)
+ */
+import { SecurityResponseAnalyzer, } from "./SecurityResponseAnalyzer.js";
+/**
+ * Tests for multi-tool chain exploitation vulnerabilities
+ */
+export class ChainExecutionTester {
+    verbose;
+    analyzer;
+    constructor(config = {}) {
+        this.verbose = config.verbose ?? false;
+        this.analyzer = new SecurityResponseAnalyzer();
+    }
+    /**
+     * Log message if verbose logging is enabled
+     */
+    log(message) {
+        if (this.verbose) {
+            // eslint-disable-next-line no-console
+            console.log(`[ChainExecutionTester] ${message}`);
+        }
+    }
+    /**
+     * Identify tools that might be chain executors
+     * Looks for tools with names/descriptions/parameters suggesting chain execution
+     */
+    identifyChainExecutorTools(tools) {
+        const chainNamePatterns = [
+            /chain/i,
+            /executor/i,
+            /pipeline/i,
+            /sequence/i,
+            /workflow/i,
+            /orchestrat/i,
+            /multi.*tool/i,
+            /batch/i,
+        ];
+        const chainParamPatterns = [
+            /chain/i,
+            /steps/i,
+            /sequence/i,
+            /pipeline/i,
+            /tools/i,
+            /commands/i,
+        ];
+        return tools.filter((tool) => {
+            // Check tool name
+            const nameMatches = chainNamePatterns.some((p) => p.test(tool.name));
+            // Check description
+            const descMatches = tool.description &&
+                chainNamePatterns.some((p) => p.test(tool.description || ""));
+            // Check parameter names
+            const schema = tool.inputSchema;
+            const paramNames = Object.keys(schema?.properties || {});
+            const paramMatches = paramNames.some((param) => chainParamPatterns.some((p) => p.test(param)));
+            return nameMatches || descMatches || paramMatches;
+        });
+    }
+    /**
+     * Get the parameter name for chain input from tool schema
+     */
+    getChainParamName(tool) {
+        const schema = tool.inputSchema;
+        const paramNames = Object.keys(schema?.properties || {});
+        // Look for chain-like parameter names
+        const chainParam = paramNames.find((p) => /chain|steps|sequence|pipeline/i.test(p));
+        return chainParam || "chain";
+    }
+    /**
+     * Extract text content from tool response
+     */
+    extractResponseText(response) {
+        if (!response)
+            return "";
+        // Handle content array format
+        if (response.content && Array.isArray(response.content)) {
+            return response.content
+                .map((item) => {
+                if (typeof item === "string")
+                    return item;
+                if (item && typeof item === "object" && "text" in item)
+                    return String(item.text);
+                return JSON.stringify(item);
+            })
+                .join("\n");
+        }
+        return "";
+    }
+    /**
+     * Determine the vulnerability reason from analysis result
+     */
+    determineVulnerabilityReason(analysis) {
+        if (analysis.vulnerabilityCategories.includes("OUTPUT_INJECTION")) {
+            return "output_injection_detected";
+        }
+        if (analysis.vulnerabilityCategories.includes("RECURSIVE_CHAIN")) {
+            return "recursive_execution_detected";
+        }
+        if (analysis.vulnerabilityCategories.includes("ARBITRARY_TOOL_INVOCATION")) {
+            return "arbitrary_tool_accepted";
+        }
+        if (analysis.vulnerabilityCategories.includes("STATE_POISONING")) {
+            return "state_poisoning_detected";
+        }
+        return "chain_execution_confirmed";
+    }
+    /**
+     * Test single chain payload against a tool
+     */
+    async testChainPayload(callTool, tool, chainPayload, paramName) {
+        const actualParamName = paramName || this.getChainParamName(tool);
+        try {
+            this.log(`Testing payload on ${tool.name} with param ${actualParamName}`);
+            const response = await callTool(tool.name, {
+                [actualParamName]: chainPayload,
+            });
+            const responseText = this.extractResponseText(response);
+            // Analyze response for chain exploitation
+            const analysis = this.analyzer.analyzeChainExploitation(response);
+            if (analysis.vulnerable) {
+                return {
+                    vulnerable: true,
+                    reason: this.determineVulnerabilityReason(analysis),
+                    vulnerabilityCategories: analysis.vulnerabilityCategories,
+                    evidence: {
+                        chainPayload,
+                        response: responseText.substring(0, 500),
+                        analysisResult: analysis,
+                    },
+                };
+            }
+            if (analysis.safe) {
+                return {
+                    vulnerable: false,
+                    reason: analysis.chainType === "SAFE_VALIDATION"
+                        ? "validation_only"
+                        : "chain_rejected",
+                };
+            }
+            return {
+                vulnerable: false,
+                reason: "tool_not_chain_executor",
+            };
+        }
+        catch (error) {
+            return {
+                vulnerable: false,
+                reason: "test_error",
+                error: error instanceof Error ? error.message : String(error),
+            };
+        }
+    }
+    /**
+     * Get test payloads for chain exploitation testing
+     */
+    getTestPayloads() {
+        return [
+            {
+                name: "single_step_execution",
+                payload: '[{"tool": "vulnerable_calculator", "args": {"query": "2+2"}}]',
+                description: "Test basic chain execution without allowlist",
+            },
+            {
+                name: "output_injection",
+                payload: '[{"tool": "calc", "args": {"q": "test"}}, {"tool": "exec", "args": {"cmd": "{{output}}"}}]',
+                description: "Test output injection via {{output}} template",
+            },
+            {
+                name: "recursive_chain",
+                payload: '[{"tool": "vulnerable_chain_executor", "args": {"chain": "[]"}}]',
+                description: "Test recursive/circular chain execution",
+            },
+            {
+                name: "arbitrary_tool",
+                payload: '[{"tool": "UNKNOWN_MALICIOUS_TOOL_XYZ", "args": {}}]',
+                description: "Test acceptance of arbitrary tool names",
+            },
+            {
+                name: "state_poisoning",
+                payload: '[{"tool": "vulnerable_config_modifier", "args": {"setting": "admin_mode=true"}}, {"tool": "vulnerable_admin_action", "args": {"action": "read secrets"}}]',
+                description: "Test state poisoning between chain steps",
+            },
+            {
+                name: "depth_bypass",
+                payload: JSON.stringify(Array(15)
+                    .fill(null)
+                    .map(() => ({ tool: "test", args: {} }))),
+                description: "Test depth limit bypass with 15 steps",
+            },
+        ];
+    }
+    /**
+     * Run comprehensive chain exploitation tests on a tool
+     */
+    async runChainExploitationTests(callTool, tool) {
+        const results = new Map();
+        const testPayloads = this.getTestPayloads();
+        const chainParam = this.getChainParamName(tool);
+        this.log(`Running chain exploitation tests on ${tool.name}`);
+        this.log(`Using parameter: ${chainParam}`);
+        for (const test of testPayloads) {
+            this.log(`  Test: ${test.name} - ${test.description}`);
+            const result = await this.testChainPayload(callTool, tool, test.payload, chainParam);
+            results.set(test.name, result);
+            if (this.verbose) {
+                // eslint-disable-next-line no-console
+                console.log(`    Result: ${result.vulnerable ? "VULNERABLE" : "SAFE"} (${result.reason})`);
+            }
+        }
+        return results;
+    }
+    /**
+     * Summarize chain exploitation test results
+     */
+    summarizeResults(results) {
+        let vulnerable = 0;
+        let safe = 0;
+        let errors = 0;
+        const vulnerableTests = [];
+        const categories = new Set();
+        for (const [testName, result] of results) {
+            if (result.reason === "test_error") {
+                errors++;
+            }
+            else if (result.vulnerable) {
+                vulnerable++;
+                vulnerableTests.push(testName);
+                result.vulnerabilityCategories?.forEach((c) => categories.add(c));
+            }
+            else {
+                safe++;
+            }
+        }
+        return {
+            total: results.size,
+            vulnerable,
+            safe,
+            errors,
+            vulnerableTests,
+            vulnerabilityCategories: Array.from(categories),
+        };
+    }
+}

package/lib/services/assessment/modules/securityTests/CrossToolStateTester.d.ts

@@ -0,0 +1,91 @@
+/**
+ * Cross-Tool State Tester
+ * Tests for privilege escalation by calling tools in sequence
+ *
+ * Issue #92, Challenge #7: Cross-tool state-based authorization bypass
+ * Detects when one tool can modify shared state that affects another tool's authorization.
+ *
+ * Attack flow:
+ * 1. Call admin_action → should get "access denied"
+ * 2. Call config_modifier with "admin_mode=true"
+ * 3. Call admin_action again → if now succeeds, VULNERABLE
+ */
+import { CompatibilityCallToolResult, Tool } from "@modelcontextprotocol/sdk/types.js";
+import { ProgressCallback } from "../../../../lib/assessment/progressTypes.js";
+/**
+ * Function type for calling MCP tools
+ */
+export type CallToolFunction = (name: string, params: Record<string, unknown>) => Promise<CompatibilityCallToolResult>;
+/**
+ * Result of cross-tool privilege escalation test
+ */
+export interface CrossToolTestResult {
+    vulnerable: boolean;
+    reason: "privilege_escalation_confirmed" | "escalation_blocked" | "baseline_has_access" | "modifier_rejected" | "test_error";
+    evidence?: {
+        baseline: string;
+        afterModifier: string;
+        enableResult?: string;
+    };
+    error?: string;
+}
+/**
+ * Identified tool pair for cross-tool testing
+ */
+export interface ToolPair {
+    admin: Tool;
+    modifier: Tool;
+}
+/**
+ * Configuration for cross-tool state testing
+ */
+export interface CrossToolTestConfig {
+    /** Timeout for each tool call in ms (default: 5000) */
+    timeout?: number;
+    /** Enable verbose logging */
+    verbose?: boolean;
+}
+/**
+ * Tests for cross-tool privilege escalation via shared mutable state
+ */
+export declare class CrossToolStateTester {
+    private readonly verbose;
+    constructor(config?: CrossToolTestConfig);
+    /**
+     * Log message if verbose logging is enabled
+     */
+    private log;
+    /**
+     * Identify potential cross-tool pairs for testing
+     * Looks for admin_action/privileged tools and config_modifier/setting tools
+     */
+    identifyCrossToolPairs(tools: Tool[]): ToolPair[];
+    /**
+     * Test cross-tool privilege escalation
+     *
+     * Attack flow:
+     * 1. Call admin_action → expect "access denied"
+     * 2. Call config_modifier with "admin_mode=true"
+     * 3. Call admin_action again → if now succeeds, VULNERABLE
+     */
+    testPrivilegeEscalation(callTool: CallToolFunction, adminTool: Tool, modifierTool: Tool, onProgress?: ProgressCallback): Promise<CrossToolTestResult>;
+    /**
+     * Run sequence tests on all identified tool pairs
+     */
+    runAllSequenceTests(tools: Tool[], callTool: CallToolFunction, onProgress?: ProgressCallback): Promise<Map<string, CrossToolTestResult>>;
+    /**
+     * Get summary of sequence test results
+     */
+    summarizeResults(results: Map<string, CrossToolTestResult>): {
+        total: number;
+        vulnerable: number;
+        safe: number;
+        errors: number;
+        vulnerablePairs: string[];
+    };
+    /**
+     * Extract text content from MCP response
+     */
+    private extractResponseText;
+}
+//# sourceMappingURL=CrossToolStateTester.d.ts.map

package/lib/services/assessment/modules/securityTests/CrossToolStateTester.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"CrossToolStateTester.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/CrossToolStateTester.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EACL,2BAA2B,EAC3B,IAAI,EACL,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAAE,gBAAgB,EAAE,MAAM,gCAAgC,CAAC;AAElE;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG,CAC7B,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,CAAC;AAE1C;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,UAAU,EAAE,OAAO,CAAC;IACpB,MAAM,EACF,gCAAgC,GAChC,oBAAoB,GACpB,qBAAqB,GACrB,mBAAmB,GACnB,YAAY,CAAC;IACjB,QAAQ,CAAC,EAAE;QACT,QAAQ,EAAE,MAAM,CAAC;QACjB,aAAa,EAAE,MAAM,CAAC;QACtB,YAAY,CAAC,EAAE,MAAM,CAAC;KACvB,CAAC;IACF,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,QAAQ;IACvB,KAAK,EAAE,IAAI,CAAC;IACZ,QAAQ,EAAE,IAAI,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,uDAAuD;IACvD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,6BAA6B;IAC7B,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;GAEG;AACH,qBAAa,oBAAoB;IAC/B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAU;gBAEtB,MAAM,GAAE,mBAAwB;IAK5C;;OAEG;IACH,OAAO,CAAC,GAAG;IAOX;;;OAGG;IACH,sBAAsB,CAAC,KAAK,EAAE,IAAI,EAAE,GAAG,QAAQ,EAAE;IA8BjD;;;;;;;OAOG;IACG,uBAAuB,CAC3B,QAAQ,EAAE,gBAAgB,EAC1B,SAAS,EAAE,IAAI,EACf,YAAY,EAAE,IAAI,EAClB,UAAU,CAAC,EAAE,gBAAgB,GAC5B,OAAO,CAAC,mBAAmB,CAAC;IAkI/B;;OAEG;IACG,mBAAmB,CACvB,KAAK,EAAE,IAAI,EAAE,EACb,QAAQ,EAAE,gBAAgB,EAC1B,UAAU,CAAC,EAAE,gBAAgB,GAC5B,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC;IAkB5C;;OAEG;IACH,gBAAgB,CAAC,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,mBAAmB,CAAC,GAAG;QAC3D,KAAK,EAAE,MAAM,CAAC;QACd,UAAU,EAAE,MAAM,CAAC;QACnB,IAAI,EAAE,MAAM,CAAC;QACb,MAAM,EAAE,MAAM,CAAC;QACf,eAAe,EAAE,MAAM,EAAE,CAAC;KAC3B;IA0BD;;OAEG;IACH,OAAO,CAAC,mBAAmB;CAkB5B"}

package/lib/services/assessment/modules/securityTests/CrossToolStateTester.js

@@ -0,0 +1,225 @@
+/**
+ * Cross-Tool State Tester
+ * Tests for privilege escalation by calling tools in sequence
+ *
+ * Issue #92, Challenge #7: Cross-tool state-based authorization bypass
+ * Detects when one tool can modify shared state that affects another tool's authorization.
+ *
+ * Attack flow:
+ * 1. Call admin_action → should get "access denied"
+ * 2. Call config_modifier with "admin_mode=true"
+ * 3. Call admin_action again → if now succeeds, VULNERABLE
+ */
+/**
+ * Tests for cross-tool privilege escalation via shared mutable state
+ */
+export class CrossToolStateTester {
+    verbose;
+    constructor(config = {}) {
+        // Note: config.timeout is accepted but tool call timeout is handled externally
+        this.verbose = config.verbose ?? false;
+    }
+    /**
+     * Log message if verbose logging is enabled
+     */
+    log(message) {
+        if (this.verbose) {
+            // eslint-disable-next-line no-console
+            console.log(`[CrossToolStateTester] ${message}`);
+        }
+    }
+    /**
+     * Identify potential cross-tool pairs for testing
+     * Looks for admin_action/privileged tools and config_modifier/setting tools
+     */
+    identifyCrossToolPairs(tools) {
+        const pairs = [];
+        // Find admin-like tools (tools that check authorization)
+        const adminTools = tools.filter((t) => /admin[_-]?action|privileged|elevated|sensitive/i.test(t.name) ||
+            /admin[_-]?action|privileged|requires\s+admin/i.test(t.description || ""));
+        // Find modifier-like tools (tools that modify state/config)
+        const modifierTools = tools.filter((t) => /config[_-]?modifier|setting|mode|enable|activate/i.test(t.name) ||
+            /modify.*config|set.*mode|enable.*admin/i.test(t.description || ""));
+        for (const admin of adminTools) {
+            for (const modifier of modifierTools) {
+                if (admin.name !== modifier.name) {
+                    pairs.push({ admin, modifier });
+                }
+            }
+        }
+        return pairs;
+    }
+    /**
+     * Test cross-tool privilege escalation
+     *
+     * Attack flow:
+     * 1. Call admin_action → expect "access denied"
+     * 2. Call config_modifier with "admin_mode=true"
+     * 3. Call admin_action again → if now succeeds, VULNERABLE
+     */
+    async testPrivilegeEscalation(callTool, adminTool, modifierTool, onProgress) {
+        this.log(`Testing pair: ${modifierTool.name} → ${adminTool.name}`);
+        try {
+            // Step 1: Baseline - admin action should be denied
+            this.log(`Step 1: Calling ${adminTool.name} (baseline)`);
+            const baseline = await callTool(adminTool.name, {
+                action: "read secrets",
+            });
+            const baselineText = this.extractResponseText(baseline);
+            const baselineDenied = /access denied|unauthorized|admin.*required|permission.*denied/i.test(baselineText);
+            if (!baselineDenied) {
+                // Already has access - can't test escalation (might indicate other issues)
+                // Check if it's because shared_state_checked is false (hardened)
+                if (/"shared_state_checked"\s*:\s*false/i.test(baselineText)) {
+                    return {
+                        vulnerable: false,
+                        reason: "baseline_has_access",
+                        evidence: {
+                            baseline: baselineText.slice(0, 500),
+                            afterModifier: "",
+                        },
+                    };
+                }
+                return {
+                    vulnerable: false,
+                    reason: "baseline_has_access",
+                    evidence: {
+                        baseline: baselineText.slice(0, 500),
+                        afterModifier: "",
+                    },
+                };
+            }
+            // Step 2: Attempt to enable admin mode via config modifier
+            const enableResult = await callTool(modifierTool.name, {
+                setting: "admin_mode=true",
+            });
+            const enableText = this.extractResponseText(enableResult);
+            const modeEnabled = /admin.*activated|elevated.*granted|admin_mode.*enabled|configuration.*updated.*admin/i.test(enableText);
+            // Check if modifier is hardened (stores without modifying)
+            const modifierHardened = /stored.*without.*modifying|stored.*for.*review|not.*modifying.*runtime/i.test(enableText);
+            if (modifierHardened) {
+                return {
+                    vulnerable: false,
+                    reason: "modifier_rejected",
+                    evidence: {
+                        baseline: baselineText.slice(0, 300),
+                        afterModifier: "",
+                        enableResult: enableText.slice(0, 300),
+                    },
+                };
+            }
+            if (!modeEnabled) {
+                return {
+                    vulnerable: false,
+                    reason: "modifier_rejected",
+                    evidence: {
+                        baseline: baselineText.slice(0, 300),
+                        afterModifier: "",
+                        enableResult: enableText.slice(0, 300),
+                    },
+                };
+            }
+            // Step 3: Test if admin action now succeeds
+            const escalated = await callTool(adminTool.name, {
+                action: "read secrets",
+            });
+            const escalatedText = this.extractResponseText(escalated);
+            // Check for successful escalation
+            const escalationSucceeded = !/access denied|unauthorized|admin.*required|permission.*denied/i.test(escalatedText) &&
+                /"secrets"|API_KEY|credentials|admin_mode.*true.*evidence.*cross-tool/i.test(escalatedText);
+            // Emit progress event if callback provided
+            if (onProgress && escalationSucceeded) {
+                onProgress({
+                    type: "vulnerability_found",
+                    tool: adminTool.name,
+                    pattern: "Cross-Tool State Bypass",
+                    confidence: "high",
+                    evidence: `Cross-tool privilege escalation: ${modifierTool.name} enables access to ${adminTool.name}. ${escalatedText.slice(0, 200)}`,
+                    riskLevel: "HIGH",
+                    requiresReview: false,
+                    payload: "admin_mode=true",
+                });
+            }
+            return {
+                vulnerable: escalationSucceeded,
+                reason: escalationSucceeded
+                    ? "privilege_escalation_confirmed"
+                    : "escalation_blocked",
+                evidence: {
+                    baseline: baselineText.slice(0, 300),
+                    afterModifier: escalatedText.slice(0, 300),
+                    enableResult: enableText.slice(0, 300),
+                },
+            };
+        }
+        catch (error) {
+            return {
+                vulnerable: false,
+                reason: "test_error",
+                error: error instanceof Error ? error.message : String(error),
+            };
+        }
+    }
+    /**
+     * Run sequence tests on all identified tool pairs
+     */
+    async runAllSequenceTests(tools, callTool, onProgress) {
+        const pairs = this.identifyCrossToolPairs(tools);
+        const results = new Map();
+        for (const { admin, modifier } of pairs) {
+            const key = `${modifier.name} → ${admin.name}`;
+            const result = await this.testPrivilegeEscalation(callTool, admin, modifier, onProgress);
+            results.set(key, result);
+        }
+        return results;
+    }
+    /**
+     * Get summary of sequence test results
+     */
+    summarizeResults(results) {
+        let vulnerable = 0;
+        let safe = 0;
+        let errors = 0;
+        const vulnerablePairs = [];
+        for (const [key, result] of results) {
+            if (result.reason === "test_error") {
+                errors++;
+            }
+            else if (result.vulnerable) {
+                vulnerable++;
+                vulnerablePairs.push(key);
+            }
+            else {
+                safe++;
+            }
+        }
+        return {
+            total: results.size,
+            vulnerable,
+            safe,
+            errors,
+            vulnerablePairs,
+        };
+    }
+    /**
+     * Extract text content from MCP response
+     */
+    extractResponseText(response) {
+        if (!response)
+            return "";
+        // Handle content array format
+        if (response.content && Array.isArray(response.content)) {
+            return response.content
+                .map((item) => {
+                if (typeof item === "string")
+                    return item;
+                if (item && typeof item === "object" && "text" in item)
+                    return String(item.text);
+                return JSON.stringify(item);
+            })
+                .join("\n");
+        }
+        // Fallback to JSON stringify
+        return JSON.stringify(response);
+    }
+}