@bryan-thompson/inspector-assessment-client 1.26.6 → 1.27.0
- package/dist/assets/{OAuthCallback-CCWVtjr7.js → OAuthCallback-CJWH8Ytw.js} +1 -1
- package/dist/assets/{OAuthDebugCallback-DqbXfUi4.js → OAuthDebugCallback-DL5adXJw.js} +1 -1
- package/dist/assets/{index-CsDJSSWq.js → index-Cu9XzUwB.js} +4 -4
- package/dist/index.html +1 -1
- package/lib/lib/assessment/configTypes.d.ts +2 -0
- package/lib/lib/assessment/configTypes.d.ts.map +1 -1
- package/lib/lib/securityPatterns.d.ts +4 -2
- package/lib/lib/securityPatterns.d.ts.map +1 -1
- package/lib/lib/securityPatterns.js +146 -2
- package/lib/services/assessment/modules/AUPComplianceAssessor.js +9 -9
- package/lib/services/assessment/modules/AuthenticationAssessor.js +4 -4
- package/lib/services/assessment/modules/BaseAssessor.d.ts +0 -14
- package/lib/services/assessment/modules/BaseAssessor.d.ts.map +1 -1
- package/lib/services/assessment/modules/BaseAssessor.js +1 -33
- package/lib/services/assessment/modules/CrossCapabilitySecurityAssessor.js +1 -1
- package/lib/services/assessment/modules/DeveloperExperienceAssessor.js +1 -1
- package/lib/services/assessment/modules/DocumentationAssessor.js +2 -2
- package/lib/services/assessment/modules/ErrorHandlingAssessor.d.ts +25 -0
- package/lib/services/assessment/modules/ErrorHandlingAssessor.d.ts.map +1 -1
- package/lib/services/assessment/modules/ErrorHandlingAssessor.js +127 -13
- package/lib/services/assessment/modules/ExternalAPIScannerAssessor.d.ts.map +1 -1
- package/lib/services/assessment/modules/ExternalAPIScannerAssessor.js +3 -3
- package/lib/services/assessment/modules/FunctionalityAssessor.js +9 -9
- package/lib/services/assessment/modules/MCPSpecComplianceAssessor.d.ts.map +1 -1
- package/lib/services/assessment/modules/MCPSpecComplianceAssessor.js +12 -12
- package/lib/services/assessment/modules/ManifestValidationAssessor.d.ts.map +1 -1
- package/lib/services/assessment/modules/ManifestValidationAssessor.js +9 -5
- package/lib/services/assessment/modules/PortabilityAssessor.d.ts.map +1 -1
- package/lib/services/assessment/modules/PortabilityAssessor.js +3 -3
- package/lib/services/assessment/modules/ProhibitedLibrariesAssessor.js +4 -4
- package/lib/services/assessment/modules/PromptAssessor.js +2 -2
- package/lib/services/assessment/modules/ProtocolComplianceAssessor.d.ts.map +1 -1
- package/lib/services/assessment/modules/ProtocolComplianceAssessor.js +7 -7
- package/lib/services/assessment/modules/ProtocolConformanceAssessor.js +1 -1
- package/lib/services/assessment/modules/ResourceAssessor.js +1 -1
- package/lib/services/assessment/modules/SecurityAssessor.d.ts +25 -2
- package/lib/services/assessment/modules/SecurityAssessor.d.ts.map +1 -1
- package/lib/services/assessment/modules/SecurityAssessor.js +149 -17
- package/lib/services/assessment/modules/TemporalAssessor.d.ts.map +1 -1
- package/lib/services/assessment/modules/TemporalAssessor.js +10 -10
- package/lib/services/assessment/modules/ToolAnnotationAssessor.js +9 -9
- package/lib/services/assessment/modules/UsabilityAssessor.js +1 -1
- package/lib/services/assessment/modules/annotations/DescriptionPoisoningDetector.d.ts.map +1 -1
- package/lib/services/assessment/modules/annotations/DescriptionPoisoningDetector.js +37 -0
- package/lib/services/assessment/modules/index.d.ts +3 -0
- package/lib/services/assessment/modules/index.d.ts.map +1 -1
- package/lib/services/assessment/modules/securityTests/ChainExecutionTester.d.ts +104 -0
- package/lib/services/assessment/modules/securityTests/ChainExecutionTester.d.ts.map +1 -0
- package/lib/services/assessment/modules/securityTests/ChainExecutionTester.js +257 -0
- package/lib/services/assessment/modules/securityTests/CrossToolStateTester.d.ts +91 -0
- package/lib/services/assessment/modules/securityTests/CrossToolStateTester.d.ts.map +1 -0
- package/lib/services/assessment/modules/securityTests/CrossToolStateTester.js +225 -0
- package/lib/services/assessment/modules/securityTests/SecurityPatternLibrary.d.ts +120 -0
- package/lib/services/assessment/modules/securityTests/SecurityPatternLibrary.d.ts.map +1 -1
- package/lib/services/assessment/modules/securityTests/SecurityPatternLibrary.js +338 -0
- package/lib/services/assessment/modules/securityTests/SecurityResponseAnalyzer.d.ts +59 -0
- package/lib/services/assessment/modules/securityTests/SecurityResponseAnalyzer.d.ts.map +1 -1
- package/lib/services/assessment/modules/securityTests/SecurityResponseAnalyzer.js +168 -0
- package/lib/services/assessment/modules/securityTests/index.d.ts +3 -1
- package/lib/services/assessment/modules/securityTests/index.d.ts.map +1 -1
- package/lib/services/assessment/modules/securityTests/index.js +2 -0
- package/package.json +1 -1
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-
|
|
1
|
+
import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-Cu9XzUwB.js";
|
|
2
2
|
const OAuthCallback = ({ onConnect }) => {
|
|
3
3
|
const { toast } = useToast();
|
|
4
4
|
const hasProcessedRef = reactExports.useRef(false);
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-
|
|
1
|
+
import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-Cu9XzUwB.js";
|
|
2
2
|
const OAuthDebugCallback = ({ onConnect }) => {
|
|
3
3
|
reactExports.useEffect(() => {
|
|
4
4
|
let isProcessed = false;
|
|
@@ -16373,7 +16373,7 @@ object({
|
|
|
16373
16373
|
token_type_hint: string().optional()
|
|
16374
16374
|
}).strip();
|
|
16375
16375
|
const name = "@bryan-thompson/inspector-assessment-client";
|
|
16376
|
-
const version$1 = "1.
|
|
16376
|
+
const version$1 = "1.27.0";
|
|
16377
16377
|
const packageJson = {
|
|
16378
16378
|
name,
|
|
16379
16379
|
version: version$1
|
|
@@ -45288,7 +45288,7 @@ const useTheme = () => {
|
|
|
45288
45288
|
[theme, setThemeWithSideEffect]
|
|
45289
45289
|
);
|
|
45290
45290
|
};
|
|
45291
|
-
const version = "1.
|
|
45291
|
+
const version = "1.27.0";
|
|
45292
45292
|
var [createTooltipContext] = createContextScope("Tooltip", [
|
|
45293
45293
|
createPopperScope
|
|
45294
45294
|
]);
|
|
@@ -48845,13 +48845,13 @@ const App = () => {
|
|
|
48845
48845
|
) });
|
|
48846
48846
|
if (window.location.pathname === "/oauth/callback") {
|
|
48847
48847
|
const OAuthCallback = React.lazy(
|
|
48848
|
-
() => __vitePreload(() => import("./OAuthCallback-
|
|
48848
|
+
() => __vitePreload(() => import("./OAuthCallback-CJWH8Ytw.js"), true ? [] : void 0)
|
|
48849
48849
|
);
|
|
48850
48850
|
return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthCallback, { onConnect: onOAuthConnect }) });
|
|
48851
48851
|
}
|
|
48852
48852
|
if (window.location.pathname === "/oauth/callback/debug") {
|
|
48853
48853
|
const OAuthDebugCallback = React.lazy(
|
|
48854
|
-
() => __vitePreload(() => import("./OAuthDebugCallback-
|
|
48854
|
+
() => __vitePreload(() => import("./OAuthDebugCallback-DL5adXJw.js"), true ? [] : void 0)
|
|
48855
48855
|
);
|
|
48856
48856
|
return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthDebugCallback, { onConnect: onOAuthDebugConnect }) });
|
|
48857
48857
|
}
|
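--- a/package/dist/index.html
+++ b/package/dist/index.html
@@ -5,7 +5,7 @@
 <link rel="icon" type="image/svg+xml" href="/mcp.svg" />
 <meta name="viewport" content="width=device-width, initial-scale=1.0" />
 <title>MCP Inspector</title>
-<script type="module" crossorigin src="/assets/index-
+<script type="module" crossorigin src="/assets/index-Cu9XzUwB.js"></script>
 <link rel="stylesheet" crossorigin href="/assets/index-cHhcEXbr.css">
 </head>
 <body>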
@@ -50,6 +50,8 @@ export interface AssessmentConfiguration {
|
|
|
50
50
|
selectedToolsForTesting?: string[];
|
|
51
51
|
securityPatternsToTest?: number;
|
|
52
52
|
enableDomainTesting?: boolean;
|
|
53
|
+
/** Enable cross-tool sequence testing for privilege escalation (Issue #92, default true) */
|
|
54
|
+
enableSequenceTesting?: boolean;
|
|
53
55
|
mcpProtocolVersion?: string;
|
|
54
56
|
enableSourceCodeAnalysis?: boolean;
|
|
55
57
|
patternConfigPath?: string;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"configTypes.d.ts","sourceRoot":"","sources":["../../../src/lib/assessment/configTypes.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,aAAa,EACb,QAAQ,EACR,sBAAsB,EACvB,MAAM,kCAAkC,CAAC;AAG1C,YAAY,EAAE,aAAa,EAAE,QAAQ,EAAE,CAAC;AACxC,OAAO,EAAE,sBAAsB,EAAE,CAAC;AAElC;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC;AAED;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE;QACR,yBAAyB,EAAE,OAAO,CAAC;QACnC,mBAAmB,EAAE,OAAO,CAAC;QAC7B,mBAAmB,EAAE,OAAO,CAAC;QAC7B,oBAAoB,EAAE,OAAO,CAAC;KAC/B,CAAC;IACF,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,KAAK,GAAG,MAAM,CAAC;IAC3B,UAAU,CAAC,EAAE,mBAAmB,CAAC;CAClC;AAED,MAAM,WAAW,uBAAuB;IACtC,WAAW,EAAE,MAAM,CAAC;IACpB,6GAA6G;IAC7G,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,eAAe,EAAE,OAAO,CAAC;IAEzB,YAAY,CAAC,EAAE,OAAO,CAAC;IAEvB,wBAAwB,CAAC,EAAE,OAAO,CAAC;IAEnC,sBAAsB,CAAC,EAAE,SAAS,GAAG,UAAU,GAAG,SAAS,CAAC;IAI5D,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;IACnC,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAEhC,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAE5B,wBAAwB,CAAC,EAAE,OAAO,CAAC;IAEnC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAE3B,UAAU,CAAC,EAAE,gBAAgB,CAAC;IAE9B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,kDAAkD;IAClD,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB,oBAAoB,CAAC,EAAE;QACrB,aAAa,EAAE,OAAO,CAAC;QACvB,QAAQ,EAAE,OAAO,CAAC;QAClB,aAAa,EAAE,OAAO,CAAC;QACvB,aAAa,EAAE,OAAO,CAAC;QACvB,SAAS,EAAE,OAAO,CAAC;QACnB,6EAA6E;QAC7E,iBAAiB,CAAC,EAAE,OAAO,CAAC;QAE5B,kBAAkB,CAAC,EAAE,OAAO,CAAC;QAE7B,aAAa,CAAC,EAAE,OAAO,CAAC;QACxB,eAAe,CAAC,EAAE,OAAO,CAAC;QAC1B,mBAAmB,CAAC,EAAE,OAAO,CAAC;QAC9B,kBAAkB,CAAC,EAAE,OAAO,CAAC;QAC7B,WAAW,CAAC,EAAE,OAAO,CAAC;QACtB,kBAAkB,CAAC,EAAE,OAAO,CAAC;QAC7B,cAAc,CAAC,EAAE,OAAO,CAAC;QACzB,QAAQ,CAAC,EAAE,OAAO
,CAAC;QAEnB,SAAS,CAAC,EAAE,OAAO,CAAC;QACpB,OAAO,CAAC,EAAE,OAAO,CAAC;QAClB,eAAe,CAAC,EAAE,OAAO,CAAC;QAE1B,6EAA6E;QAC7E,mBAAmB,CAAC,EAAE,OAAO,CAAC;KAC/B,CAAC;CACH;AAMD,eAAO,MAAM,yBAAyB,EAAE,uBAoCvC,CAAC;AAIF,eAAO,MAAM,oBAAoB,EAAE,uBAqClC,CAAC;AAGF,eAAO,MAAM,qBAAqB,EAAE,uBAoCnC,CAAC;AAIF,eAAO,MAAM,iBAAiB,EAAE,uBAoC/B,CAAC;AAIF,eAAO,MAAM,4BAA4B,EAAE,uBA+C1C,CAAC"}
|
|
1
|
+
{"version":3,"file":"configTypes.d.ts","sourceRoot":"","sources":["../../../src/lib/assessment/configTypes.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,aAAa,EACb,QAAQ,EACR,sBAAsB,EACvB,MAAM,kCAAkC,CAAC;AAG1C,YAAY,EAAE,aAAa,EAAE,QAAQ,EAAE,CAAC;AACxC,OAAO,EAAE,sBAAsB,EAAE,CAAC;AAElC;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC;AAED;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE;QACR,yBAAyB,EAAE,OAAO,CAAC;QACnC,mBAAmB,EAAE,OAAO,CAAC;QAC7B,mBAAmB,EAAE,OAAO,CAAC;QAC7B,oBAAoB,EAAE,OAAO,CAAC;KAC/B,CAAC;IACF,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,KAAK,GAAG,MAAM,CAAC;IAC3B,UAAU,CAAC,EAAE,mBAAmB,CAAC;CAClC;AAED,MAAM,WAAW,uBAAuB;IACtC,WAAW,EAAE,MAAM,CAAC;IACpB,6GAA6G;IAC7G,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,eAAe,EAAE,OAAO,CAAC;IAEzB,YAAY,CAAC,EAAE,OAAO,CAAC;IAEvB,wBAAwB,CAAC,EAAE,OAAO,CAAC;IAEnC,sBAAsB,CAAC,EAAE,SAAS,GAAG,UAAU,GAAG,SAAS,CAAC;IAI5D,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;IACnC,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAEhC,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,4FAA4F;IAC5F,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAE5B,wBAAwB,CAAC,EAAE,OAAO,CAAC;IAEnC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAE3B,UAAU,CAAC,EAAE,gBAAgB,CAAC;IAE9B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,kDAAkD;IAClD,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB,oBAAoB,CAAC,EAAE;QACrB,aAAa,EAAE,OAAO,CAAC;QACvB,QAAQ,EAAE,OAAO,CAAC;QAClB,aAAa,EAAE,OAAO,CAAC;QACvB,aAAa,EAAE,OAAO,CAAC;QACvB,SAAS,EAAE,OAAO,CAAC;QACnB,6EAA6E;QAC7E,iBAAiB,CAAC,EAAE,OAAO,CAAC;QAE5B,kBAAkB,CAAC,EAAE,OAAO,CAAC;QAE7B,aAAa,CAAC,EAAE,OAAO,CAAC;QACxB,eAAe,CAAC,EAAE,OAAO,CAAC;QAC1B,mBAAmB,CAAC,EAAE,OAAO,CAAC;QAC9B,kBAAkB,CAAC,EAAE,OAAO,CAAC;QAC7B,WAAW,CAAC,EAAE,OAAO,CAAC;QACtB,kBAAkB,CAAC,EAAE,OAAO,CAAC;QAC7B,cAAc
,CAAC,EAAE,OAAO,CAAC;QACzB,QAAQ,CAAC,EAAE,OAAO,CAAC;QAEnB,SAAS,CAAC,EAAE,OAAO,CAAC;QACpB,OAAO,CAAC,EAAE,OAAO,CAAC;QAClB,eAAe,CAAC,EAAE,OAAO,CAAC;QAE1B,6EAA6E;QAC7E,mBAAmB,CAAC,EAAE,OAAO,CAAC;KAC/B,CAAC;CACH;AAMD,eAAO,MAAM,yBAAyB,EAAE,uBAoCvC,CAAC;AAIF,eAAO,MAAM,oBAAoB,EAAE,uBAqClC,CAAC;AAGF,eAAO,MAAM,qBAAqB,EAAE,uBAoCnC,CAAC;AAIF,eAAO,MAAM,iBAAiB,EAAE,uBAoC/B,CAAC;AAIF,eAAO,MAAM,4BAA4B,EAAE,uBA+C1C,CAAC"}
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
/**
|
|
2
2
|
* Backend API Security Patterns
|
|
3
|
-
* Tests MCP server API security with
|
|
3
|
+
* Tests MCP server API security with 26 focused patterns
|
|
4
4
|
*
|
|
5
5
|
* Architecture: Attack-Type with Specific Payloads
|
|
6
6
|
* - Critical Injection (6 patterns): Command, Calculator, SQL, Path Traversal, XXE, NoSQL
|
|
@@ -12,6 +12,8 @@
|
|
|
12
12
|
* - Token Theft (1 pattern): Authentication token leakage
|
|
13
13
|
* - Permission Scope (1 pattern): Privilege escalation and scope bypass
|
|
14
14
|
* - Auth Bypass (1 pattern): Fail-open authentication vulnerabilities (Issue #75)
|
|
15
|
+
* - Cross-Tool State Bypass (1 pattern): Cross-tool privilege escalation via shared state (Issue #92)
|
|
16
|
+
* - Chained Exploitation (1 pattern): Multi-tool chain execution attacks (Issue #93)
|
|
15
17
|
*
|
|
16
18
|
* Scope: Backend API Security ONLY
|
|
17
19
|
* - Tests structured data inputs to API endpoints
|
|
@@ -43,7 +45,7 @@ export interface AttackPattern {
|
|
|
43
45
|
* BACKEND API SECURITY PATTERNS
|
|
44
46
|
* ========================================
|
|
45
47
|
*
|
|
46
|
-
*
|
|
48
|
+
* 26 focused patterns for MCP server API security
|
|
47
49
|
*/
|
|
48
50
|
export declare const SECURITY_ATTACK_PATTERNS: AttackPattern[];
|
|
49
51
|
/**
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"securityPatterns.d.ts","sourceRoot":"","sources":["../../src/lib/securityPatterns.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"securityPatterns.d.ts","sourceRoot":"","sources":["../../src/lib/securityPatterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAEtD,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,iBAAiB,CAAC;IAC7B,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,eAAe,EAAE,CAAC;CAC7B;AAED;;;;;;GAMG;AACH,eAAO,MAAM,wBAAwB,EAAE,aAAa,EAwjDnD,CAAC;AAEF;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,UAAU,EAAE,MAAM,EAClB,KAAK,CAAC,EAAE,MAAM,GACb,eAAe,EAAE,CAQnB;AAED;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,aAAa,EAAE,CAEtD;AAED;;GAEG;AACH,wBAAgB,oBAAoB;;;;;;;;EA8BnC"}
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
/**
|
|
2
2
|
* Backend API Security Patterns
|
|
3
|
-
* Tests MCP server API security with
|
|
3
|
+
* Tests MCP server API security with 26 focused patterns
|
|
4
4
|
*
|
|
5
5
|
* Architecture: Attack-Type with Specific Payloads
|
|
6
6
|
* - Critical Injection (6 patterns): Command, Calculator, SQL, Path Traversal, XXE, NoSQL
|
|
@@ -12,6 +12,8 @@
|
|
|
12
12
|
* - Token Theft (1 pattern): Authentication token leakage
|
|
13
13
|
* - Permission Scope (1 pattern): Privilege escalation and scope bypass
|
|
14
14
|
* - Auth Bypass (1 pattern): Fail-open authentication vulnerabilities (Issue #75)
|
|
15
|
+
* - Cross-Tool State Bypass (1 pattern): Cross-tool privilege escalation via shared state (Issue #92)
|
|
16
|
+
* - Chained Exploitation (1 pattern): Multi-tool chain execution attacks (Issue #93)
|
|
15
17
|
*
|
|
16
18
|
* Scope: Backend API Security ONLY
|
|
17
19
|
* - Tests structured data inputs to API endpoints
|
|
@@ -29,7 +31,7 @@
|
|
|
29
31
|
* BACKEND API SECURITY PATTERNS
|
|
30
32
|
* ========================================
|
|
31
33
|
*
|
|
32
|
-
*
|
|
34
|
+
* 26 focused patterns for MCP server API security
|
|
33
35
|
*/
|
|
34
36
|
export const SECURITY_ATTACK_PATTERNS = [
|
|
35
37
|
// ==========================================
|
|
@@ -1315,6 +1317,148 @@ export const SECURITY_ATTACK_PATTERNS = [
|
|
|
1315
1317
|
},
|
|
1316
1318
|
],
|
|
1317
1319
|
},
|
|
1320
|
+
// ==========================================
|
|
1321
|
+
// CROSS-TOOL STATE BYPASS TESTS (Issue #92, Challenge #7)
|
|
1322
|
+
// ==========================================
|
|
1323
|
+
// 25. CROSS-TOOL STATE BYPASS
|
|
1324
|
+
{
|
|
1325
|
+
attackName: "Cross-Tool State Bypass",
|
|
1326
|
+
description: "Tests for privilege escalation via shared mutable state between tools (Challenge #7)",
|
|
1327
|
+
payloads: [
|
|
1328
|
+
// Admin action payloads - tests tools that check shared state
|
|
1329
|
+
{
|
|
1330
|
+
payload: "read secrets",
|
|
1331
|
+
evidence: /(admin_mode.*true.*cross-tool|enabled\s+by.*another\s+tool|"evidence".*privilege.*escalation)/i,
|
|
1332
|
+
riskLevel: "HIGH",
|
|
1333
|
+
description: "Admin action checking shared state for authorization",
|
|
1334
|
+
payloadType: "state_bypass",
|
|
1335
|
+
parameterTypes: ["action", "command", "request", "operation"],
|
|
1336
|
+
},
|
|
1337
|
+
{
|
|
1338
|
+
payload: "delete user admin",
|
|
1339
|
+
evidence: /(admin_mode.*true.*privilege|destructive.*enabled.*cross-tool|"evidence".*state.*dependency)/i,
|
|
1340
|
+
riskLevel: "HIGH",
|
|
1341
|
+
description: "Destructive action via cross-tool state dependency",
|
|
1342
|
+
payloadType: "state_bypass",
|
|
1343
|
+
parameterTypes: ["action", "command", "request"],
|
|
1344
|
+
},
|
|
1345
|
+
{
|
|
1346
|
+
payload: "modify config security=disabled",
|
|
1347
|
+
evidence: /(admin_mode.*enabled.*config|config\s+modification.*admin|privilege.*escalation.*config)/i,
|
|
1348
|
+
riskLevel: "HIGH",
|
|
1349
|
+
description: "Config modification via cross-tool privilege escalation",
|
|
1350
|
+
payloadType: "state_bypass",
|
|
1351
|
+
parameterTypes: ["action", "setting", "config"],
|
|
1352
|
+
},
|
|
1353
|
+
// State modifier payloads - tests tools that modify shared state
|
|
1354
|
+
{
|
|
1355
|
+
payload: "admin_mode=true",
|
|
1356
|
+
evidence: /(admin\s+mode\s+activated|elevated\s+privileges?\s+granted|admin_mode.*enabled)/i,
|
|
1357
|
+
riskLevel: "HIGH",
|
|
1358
|
+
description: "Tool modifies shared state affecting other tools' authorization",
|
|
1359
|
+
payloadType: "state_modifier",
|
|
1360
|
+
parameterTypes: ["setting", "config", "option"],
|
|
1361
|
+
},
|
|
1362
|
+
{
|
|
1363
|
+
payload: "set admin_mode=true",
|
|
1364
|
+
evidence: /(admin\s+mode\s+activated|elevated\s+privileges?\s+granted|configuration.*updated.*admin)/i,
|
|
1365
|
+
riskLevel: "HIGH",
|
|
1366
|
+
description: "Explicit shared state modification request",
|
|
1367
|
+
payloadType: "state_modifier",
|
|
1368
|
+
parameterTypes: ["setting", "config", "option", "input"],
|
|
1369
|
+
},
|
|
1370
|
+
{
|
|
1371
|
+
payload: "enable elevated privileges",
|
|
1372
|
+
evidence: /(elevated.*granted|privilege.*enabled|admin.*activated)/i,
|
|
1373
|
+
riskLevel: "HIGH",
|
|
1374
|
+
description: "Privilege elevation via shared state",
|
|
1375
|
+
payloadType: "state_modifier",
|
|
1376
|
+
parameterTypes: ["setting", "config", "option", "command"],
|
|
1377
|
+
},
|
|
1378
|
+
],
|
|
1379
|
+
},
|
|
1380
|
+
// ==========================================
|
|
1381
|
+
// CHAINED EXPLOITATION TESTS (Issue #93, Challenge #6)
|
|
1382
|
+
// ==========================================
|
|
1383
|
+
// 26. CHAINED EXPLOITATION
|
|
1384
|
+
{
|
|
1385
|
+
attackName: "Chained Exploitation",
|
|
1386
|
+
description: "Tests for multi-tool chain execution allowing arbitrary tool invocation, output injection, and recursive attacks",
|
|
1387
|
+
payloads: [
|
|
1388
|
+
// Single-step chain execution without allowlist
|
|
1389
|
+
{
|
|
1390
|
+
payload: '[{"tool": "vulnerable_calculator", "args": {"query": "2+2"}}]',
|
|
1391
|
+
evidence: /(chain_results|steps_executed|vulnerabilities_triggered|chain.*executed)/i,
|
|
1392
|
+
riskLevel: "HIGH",
|
|
1393
|
+
description: "Single-step chain execution without tool allowlist validation",
|
|
1394
|
+
payloadType: "chain_execution",
|
|
1395
|
+
parameterTypes: ["chain", "steps", "sequence", "pipeline"],
|
|
1396
|
+
},
|
|
1397
|
+
// Output injection via {{output}} template
|
|
1398
|
+
{
|
|
1399
|
+
payload: '[{"tool": "calc", "args": {"q": "2+2"}}, {"tool": "exec", "args": {"cmd": "{{output}}"}}]',
|
|
1400
|
+
evidence: /(output_injection|{{output}}.*substituted|\{\{output\}\}.*replaced|output.*injection.*step)/i,
|
|
1401
|
+
riskLevel: "HIGH",
|
|
1402
|
+
description: "Output injection - raw output flows between chain steps",
|
|
1403
|
+
payloadType: "chain_output_injection",
|
|
1404
|
+
parameterTypes: ["chain", "steps", "sequence"],
|
|
1405
|
+
},
|
|
1406
|
+
// Recursive chain (DoS via self-reference)
|
|
1407
|
+
{
|
|
1408
|
+
payload: '[{"tool": "vulnerable_chain_executor", "args": {"chain": "[]"}}]',
|
|
1409
|
+
evidence: /(recursive_chain|chain_executor.*within.*chain|circular.*chain|self.*referential)/i,
|
|
1410
|
+
riskLevel: "HIGH",
|
|
1411
|
+
description: "Recursive chain execution - DoS via self-referential chains",
|
|
1412
|
+
payloadType: "chain_recursion",
|
|
1413
|
+
parameterTypes: ["chain", "steps", "sequence"],
|
|
1414
|
+
},
|
|
1415
|
+
// Arbitrary tool name acceptance
|
|
1416
|
+
{
|
|
1417
|
+
payload: '[{"tool": "MALICIOUS_TOOL_12345", "args": {}}]',
|
|
1418
|
+
evidence: /(arbitrary.*tool|unknown.*tool.*executed|attempted.*execute.*unknown|accepted.*arbitrary)/i,
|
|
1419
|
+
riskLevel: "HIGH",
|
|
1420
|
+
description: "Chain accepts arbitrary tool names without allowlist",
|
|
1421
|
+
payloadType: "chain_arbitrary_tool",
|
|
1422
|
+
parameterTypes: ["chain", "steps", "sequence"],
|
|
1423
|
+
},
|
|
1424
|
+
// State poisoning via multi-step chain
|
|
1425
|
+
{
|
|
1426
|
+
payload: '[{"tool": "config_modifier", "args": {"setting": "admin=true"}}, {"tool": "admin_action", "args": {"action": "read secrets"}}]',
|
|
1427
|
+
evidence: /(state.*poison|admin_mode.*true.*chain|privilege.*escalation.*chain|config.*modified.*chain)/i,
|
|
1428
|
+
riskLevel: "HIGH",
|
|
1429
|
+
description: "State poisoning - earlier step modifies state affecting later steps",
|
|
1430
|
+
payloadType: "chain_state_poisoning",
|
|
1431
|
+
parameterTypes: ["chain", "steps", "sequence"],
|
|
1432
|
+
},
|
|
1433
|
+
// Depth limit bypass
|
|
1434
|
+
{
|
|
1435
|
+
payload: '[{"tool":"a"},{"tool":"b"},{"tool":"c"},{"tool":"d"},{"tool":"e"},{"tool":"f"},{"tool":"g"},{"tool":"h"},{"tool":"i"},{"tool":"j"},{"tool":"k"},{"tool":"l"}]',
|
|
1436
|
+
evidence: /(steps_executed.*1[0-9]|executed.*beyond.*limit|depth.*limit.*bypassed|no.*depth.*limit)/i,
|
|
1437
|
+
riskLevel: "MEDIUM",
|
|
1438
|
+
description: "Missing or bypassable chain depth limits",
|
|
1439
|
+
payloadType: "chain_depth_bypass",
|
|
1440
|
+
parameterTypes: ["chain", "steps", "sequence"],
|
|
1441
|
+
},
|
|
1442
|
+
// Tool shadowing via chain
|
|
1443
|
+
{
|
|
1444
|
+
payload: '[{"tool": "shadowed_tool_name", "args": {}}]',
|
|
1445
|
+
evidence: /(shadowed.*tool|tool.*poison|shadowed_definition|executed.*shadowed)/i,
|
|
1446
|
+
riskLevel: "HIGH",
|
|
1447
|
+
description: "Chain executes shadowed/poisoned tool definitions",
|
|
1448
|
+
payloadType: "chain_shadowing",
|
|
1449
|
+
parameterTypes: ["chain", "steps", "sequence"],
|
|
1450
|
+
},
|
|
1451
|
+
// Large chain input (unbounded input)
|
|
1452
|
+
{
|
|
1453
|
+
payload: '[{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}}]',
|
|
1454
|
+
evidence: /(steps_executed.*[1-2][0-9]|no.*size.*limit|unbounded.*input|executed.*all.*steps)/i,
|
|
1455
|
+
riskLevel: "MEDIUM",
|
|
1456
|
+
description: "No input size validation on chain definitions",
|
|
1457
|
+
payloadType: "chain_unbounded",
|
|
1458
|
+
parameterTypes: ["chain", "steps", "sequence"],
|
|
1459
|
+
},
|
|
1460
|
+
],
|
|
1461
|
+
},
|
|
1318
1462
|
];
|
|
1319
1463
|
/**
|
|
1320
1464
|
* Get all payloads for an attack type
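Review bot: Several of the new evidence regexes are loose enough to flag a server that behaves correctly. In the chain_depth_bypass and chain_unbounded payloads, `steps_executed.*1[0-9]` and `steps_executed.*[1-2][0-9]` match any such digit pair later on the same line (a timestamp, an id), not the step count itself; tying the digits to the key, e.g. `/steps_executed\W{0,4}(1[0-9]|2[0-9])\b/i`, would keep the signal on the reported count. In the state_modifier payloads, `admin.*activated` and `privilege.*enabled` also match refusals such as "admin mode cannot be activated", so unless the response analyzer filters rejections elsewhere (not visible in this section) these will raise HIGH findings on hardened servers. The output-injection pattern mixes an unescaped `{{output}}.*substituted` with an escaped `\{\{output\}\}.*replaced`; the unescaped form only parses under legacy non-`u` regex rules and should be escaped as well.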
|
|
@@ -35,7 +35,7 @@ export class AUPComplianceAssessor extends BaseAssessor {
|
|
|
35
35
|
* If Claude semantic analysis is enabled, violations are verified to reduce false positives.
|
|
36
36
|
*/
|
|
37
37
|
async assess(context) {
|
|
38
|
-
this.
|
|
38
|
+
this.logger.info("Starting AUP compliance assessment");
|
|
39
39
|
this.testCount = 0;
|
|
40
40
|
const violations = [];
|
|
41
41
|
const highRiskDomains = [];
|
|
@@ -51,7 +51,7 @@ export class AUPComplianceAssessor extends BaseAssessor {
|
|
|
51
51
|
toolDescriptionMap.set(tool.name, tool.description || "");
|
|
52
52
|
}
|
|
53
53
|
// Scan tool names
|
|
54
|
-
this.
|
|
54
|
+
this.logger.info("Scanning tool names...");
|
|
55
55
|
scannedLocations.toolNames = true;
|
|
56
56
|
for (const tool of context.tools) {
|
|
57
57
|
this.testCount++;
|
|
@@ -66,7 +66,7 @@ export class AUPComplianceAssessor extends BaseAssessor {
|
|
|
66
66
|
}
|
|
67
67
|
}
|
|
68
68
|
// Scan tool descriptions
|
|
69
|
-
this.
|
|
69
|
+
this.logger.info("Scanning tool descriptions...");
|
|
70
70
|
scannedLocations.toolDescriptions = true;
|
|
71
71
|
for (const tool of context.tools) {
|
|
72
72
|
if (tool.description) {
|
|
@@ -83,7 +83,7 @@ export class AUPComplianceAssessor extends BaseAssessor {
|
|
|
83
83
|
}
|
|
84
84
|
// Scan README content
|
|
85
85
|
if (context.readmeContent) {
|
|
86
|
-
this.
|
|
86
|
+
this.logger.info("Scanning README content...");
|
|
87
87
|
scannedLocations.readme = true;
|
|
88
88
|
this.testCount++;
|
|
89
89
|
const readmeViolations = this.scanReadme(context.readmeContent);
|
|
@@ -97,7 +97,7 @@ export class AUPComplianceAssessor extends BaseAssessor {
|
|
|
97
97
|
}
|
|
98
98
|
// Scan source code if available
|
|
99
99
|
if (context.sourceCodeFiles && context.config.enableSourceCodeAnalysis) {
|
|
100
|
-
this.
|
|
100
|
+
this.logger.info("Scanning source code files...");
|
|
101
101
|
scannedLocations.sourceCode = true;
|
|
102
102
|
for (const [filePath, content] of context.sourceCodeFiles) {
|
|
103
103
|
// Skip non-relevant files
|
|
@@ -110,14 +110,14 @@ export class AUPComplianceAssessor extends BaseAssessor {
|
|
|
110
110
|
}
|
|
111
111
|
// If Claude semantic analysis is enabled, verify violations to reduce false positives
|
|
112
112
|
if (this.isSemanticAnalysisEnabled() && violations.length > 0) {
|
|
113
|
-
this.
|
|
113
|
+
this.logger.info(`Running semantic analysis on ${violations.length} potential violations...`);
|
|
114
114
|
return await this.runSemanticAnalysis(violations, highRiskDomains, scannedLocations, toolDescriptionMap);
|
|
115
115
|
}
|
|
116
116
|
// Standard assessment without semantic analysis
|
|
117
117
|
const status = this.determineAUPStatus(violations);
|
|
118
118
|
const explanation = this.generateExplanation(violations, highRiskDomains, scannedLocations);
|
|
119
119
|
const recommendations = this.generateRecommendations(violations, highRiskDomains);
|
|
120
|
-
this.
|
|
120
|
+
this.logger.info(`Assessment complete: ${violations.length} violations found, ${highRiskDomains.length} high-risk domains`);
|
|
121
121
|
return {
|
|
122
122
|
violations,
|
|
123
123
|
highRiskDomains,
|
|
@@ -185,7 +185,7 @@ export class AUPComplianceAssessor extends BaseAssessor {
|
|
|
185
185
|
// Low confidence - likely false positive
|
|
186
186
|
else {
|
|
187
187
|
falsePositivesFiltered++;
|
|
188
|
-
this.
|
|
188
|
+
this.logger.info(`Filtered likely false positive: "${violation.matchedText}" - ${analysis.reasoning}`);
|
|
189
189
|
}
|
|
190
190
|
}
|
|
191
191
|
catch (error) {
|
|
@@ -205,7 +205,7 @@ export class AUPComplianceAssessor extends BaseAssessor {
|
|
|
205
205
|
const status = this.determineAUPStatus(confirmedViolations);
|
|
206
206
|
const explanation = this.generateSemanticExplanation(confirmedViolations, flaggedForReview, falsePositivesFiltered, highRiskDomains, scannedLocations);
|
|
207
207
|
const recommendations = this.generateSemanticRecommendations(confirmedViolations, flaggedForReview, highRiskDomains);
|
|
208
|
-
this.
|
|
208
|
+
this.logger.info(`Semantic analysis complete: ${confirmedViolations.length} confirmed, ${flaggedForReview.length} flagged, ${falsePositivesFiltered} filtered`);
|
|
209
209
|
return {
|
|
210
210
|
violations: [...confirmedViolations, ...flaggedForReview],
|
|
211
211
|
confirmedViolations,
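Review bot: The log call at new line 188 interpolates `violation.matchedText` and `analysis.reasoning` directly into the message string. The matched text comes from content supplied by the server under assessment (tool names, descriptions, README, source files), and the reasoning appears to be derived from analysing that content, so embedded newlines or control characters can split or forge log entries. The deprecation text removed from BaseAssessor.d.ts on this page says the logger supports structured context; assuming `info` accepts a context object as its second argument, `this.logger.info("Filtered likely false positive", { matchedText: violation.matchedText, reasoning: analysis.reasoning });` keeps the untrusted text out of the message. The enclosing method starts and ends outside the hunk.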
|
|
@@ -246,7 +246,7 @@ export class AuthenticationAssessor extends BaseAssessor {
|
|
|
246
246
|
* Run authentication assessment
|
|
247
247
|
*/
|
|
248
248
|
async assess(context) {
|
|
249
|
-
this.
|
|
249
|
+
this.logger.info("Starting authentication assessment");
|
|
250
250
|
this.testCount = 0;
|
|
251
251
|
const oauthIndicators = [];
|
|
252
252
|
const localResourceIndicators = [];
|
|
@@ -323,7 +323,7 @@ export class AuthenticationAssessor extends BaseAssessor {
|
|
|
323
323
|
// Generate additional recommendations from auth config findings
|
|
324
324
|
const authConfigRecommendations = authConfigAnalysis.findings.map((f) => f.recommendation ||
|
|
325
325
|
`Review ${f.type}: ${f.message} (${f.file || "unknown file"})`);
|
|
326
|
-
this.
|
|
326
|
+
this.logger.info(`Assessment complete: auth=${authMethod}, localDeps=${hasLocalDependencies}, tlsEnforced=${transportSecurity.tlsEnforced}, authConfigFindings=${authConfigAnalysis.totalFindings}`);
|
|
327
327
|
return {
|
|
328
328
|
authMethod,
|
|
329
329
|
hasLocalDependencies,
|
|
@@ -594,7 +594,7 @@ export class AuthenticationAssessor extends BaseAssessor {
|
|
|
594
594
|
// Issue #65: Apply file limit to prevent performance issues on large codebases
|
|
595
595
|
let sourceFiles = Array.from(context.sourceCodeFiles);
|
|
596
596
|
if (sourceFiles.length > MAX_FILES) {
|
|
597
|
-
this.
|
|
597
|
+
this.logger.info(`Rate limiting: Analyzing ${MAX_FILES} of ${sourceFiles.length} files`);
|
|
598
598
|
sourceFiles = sourceFiles.slice(0, MAX_FILES);
|
|
599
599
|
}
|
|
600
600
|
for (const [filePath, content] of sourceFiles) {
|
|
@@ -776,7 +776,7 @@ export class AuthenticationAssessor extends BaseAssessor {
|
|
|
776
776
|
}
|
|
777
777
|
catch (error) {
|
|
778
778
|
// Warning 4 fix: Handle malformed files gracefully
|
|
779
|
-
this.
|
|
779
|
+
this.logger.info(`Error analyzing ${filePath}: ${error}`);
|
|
780
780
|
continue;
|
|
781
781
|
}
|
|
782
782
|
}
|
|
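Review bot: The catch block at new line 779 reports a file that failed analysis with `this.logger.info` and then continues, so a source file dropped from the auth-config scan leaves only an info-level line behind. For a security assessment that is a silent coverage gap, and the same applies to the `MAX_FILES` truncation message at new line 597. Suggest `this.logger.error(`Error analyzing ${filePath}`, { error: String(error) });` in the catch and `this.logger.warn(` for the truncation message. Whether the returned result records skipped or truncated files is not visible here; if it does not, a count of them would help a reader judge how complete the findings are. Both enclosing functions start and end outside these hunks.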
@@ -10,7 +10,6 @@ export declare abstract class BaseAssessor<T = unknown> {
|
|
|
10
10
|
protected config: AssessmentConfiguration;
|
|
11
11
|
protected logger: Logger;
|
|
12
12
|
protected testCount: number;
|
|
13
|
-
private deprecationWarningsEmitted;
|
|
14
13
|
constructor(config: AssessmentConfiguration);
|
|
15
14
|
/**
|
|
16
15
|
* Abstract method that each assessor must implement
|
|
@@ -20,19 +19,6 @@ export declare abstract class BaseAssessor<T = unknown> {
|
|
|
20
19
|
* Common method to determine status based on pass rate
|
|
21
20
|
*/
|
|
22
21
|
protected determineStatus(passed: number, total: number, threshold?: number): AssessmentStatus;
|
|
23
|
-
/**
|
|
24
|
-
* Log assessment progress
|
|
25
|
-
* @deprecated Use this.logger.info() directly for structured logging with context. Will be removed in v2.0.0.
|
|
26
|
-
*/
|
|
27
|
-
protected log(message: string): void;
|
|
28
|
-
/**
|
|
29
|
-
* Log error with optional context
|
|
30
|
-
* @deprecated Use this.logger.error() directly for structured logging with context. Will be removed in v2.0.0.
|
|
31
|
-
*
|
|
32
|
-
* @param message - Description of what operation failed
|
|
33
|
-
* @param error - The error that occurred (optional)
|
|
34
|
-
*/
|
|
35
|
-
protected logError(message: string, error?: unknown): void;
|
|
36
22
|
/**
|
|
37
23
|
* Handle an error with logging and structured result
|
|
38
24
|
*
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"BaseAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/BaseAssessor.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,uBAAuB,EACvB,gBAAgB,EAEjB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,MAAM,EAAwC,MAAM,eAAe,CAAC;AAC7E,OAAO,EAGL,WAAW,EAEZ,MAAM,eAAe,CAAC;AAGvB,8BAAsB,YAAY,CAAC,CAAC,GAAG,OAAO;IAC5C,SAAS,CAAC,MAAM,EAAE,uBAAuB,CAAC;IAC1C,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC;IACzB,SAAS,CAAC,SAAS,EAAE,MAAM,CAAK;
|
|
1
|
+
{"version":3,"file":"BaseAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/BaseAssessor.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,uBAAuB,EACvB,gBAAgB,EAEjB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,MAAM,EAAwC,MAAM,eAAe,CAAC;AAC7E,OAAO,EAGL,WAAW,EAEZ,MAAM,eAAe,CAAC;AAGvB,8BAAsB,YAAY,CAAC,CAAC,GAAG,OAAO;IAC5C,SAAS,CAAC,MAAM,EAAE,uBAAuB,CAAC;IAC1C,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC;IACzB,SAAS,CAAC,SAAS,EAAE,MAAM,CAAK;gBAEpB,MAAM,EAAE,uBAAuB;IAS3C;;OAEG;IACH,QAAQ,CAAC,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,CAAC,CAAC;IAEvD;;OAEG;IACH,SAAS,CAAC,eAAe,CACvB,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,EACb,SAAS,GAAE,MAAY,GACtB,gBAAgB;IAUnB;;;;;;;;;;;;;;;;;;;;OAoBG;IACH,SAAS,CAAC,WAAW,CAAC,CAAC,SAAS,WAAW,EACzC,KAAK,EAAE,OAAO,EACd,OAAO,EAAE,MAAM,EACf,QAAQ,GAAE,OAAO,CAAC,CAAC,CAAM,GACxB,CAAC;IAsBJ;;OAEG;IACH,YAAY,IAAI,MAAM;IAItB;;OAEG;IACH,cAAc,IAAI,IAAI;IAItB;;OAEG;IACH,SAAS,CAAC,gBAAgB,CACxB,OAAO,EAAE,MAAM,uBAAuB,CAAC,sBAAsB,CAAC,GAC7D,OAAO;IAIV;;OAEG;cACa,KAAK,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIhD;;;;;;;;;;OAUG;cACa,kBAAkB,CAAC,CAAC,EAClC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,EACnB,SAAS,GAAE,MAAgC,GAC1C,OAAO,CAAC,CAAC,CAAC;IAOb;;OAEG;IACH,SAAS,CAAC,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAS9C;;OAEG;IACH,SAAS,CAAC,mBAAmB,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM;IAgBrD;;;;;;OAMG;IACH,SAAS,CAAC,eAAe,CACvB,QAAQ,EAAE,OAAO,EACjB,UAAU,GAAE,OAAe,GAC1B,OAAO;IA+CV;;OAEG;IACH,SAAS,CAAC,gBAAgB,CAAC,QAAQ,EAAE,OAAO,GAAG;QAC7C,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;QACvB,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB;CA2BF"}
|
|
@@ -9,11 +9,6 @@ export class BaseAssessor {
|
|
|
9
9
|
config;
|
|
10
10
|
logger;
|
|
11
11
|
testCount = 0;
|
|
12
|
-
// Track deprecation warnings to emit only once per instance
|
|
13
|
-
deprecationWarningsEmitted = {
|
|
14
|
-
log: false,
|
|
15
|
-
logError: false,
|
|
16
|
-
};
|
|
17
12
|
constructor(config) {
|
|
18
13
|
this.config = config;
|
|
19
14
|
// Create logger from config, using class name as prefix
|
|
@@ -32,33 +27,6 @@ export class BaseAssessor {
|
|
|
32
27
|
return "NEED_MORE_INFO";
|
|
33
28
|
return "FAIL";
|
|
34
29
|
}
|
|
35
|
-
/**
|
|
36
|
-
* Log assessment progress
|
|
37
|
-
* @deprecated Use this.logger.info() directly for structured logging with context. Will be removed in v2.0.0.
|
|
38
|
-
*/
|
|
39
|
-
log(message) {
|
|
40
|
-
if (!this.deprecationWarningsEmitted.log) {
|
|
41
|
-
this.logger.warn("BaseAssessor.log() is deprecated. Use this.logger.info() instead. " +
|
|
42
|
-
"This method will be removed in v2.0.0.");
|
|
43
|
-
this.deprecationWarningsEmitted.log = true;
|
|
44
|
-
}
|
|
45
|
-
this.logger.info(message);
|
|
46
|
-
}
|
|
47
|
-
/**
|
|
48
|
-
* Log error with optional context
|
|
49
|
-
* @deprecated Use this.logger.error() directly for structured logging with context. Will be removed in v2.0.0.
|
|
50
|
-
*
|
|
51
|
-
* @param message - Description of what operation failed
|
|
52
|
-
* @param error - The error that occurred (optional)
|
|
53
|
-
*/
|
|
54
|
-
logError(message, error) {
|
|
55
|
-
if (!this.deprecationWarningsEmitted.logError) {
|
|
56
|
-
this.logger.warn("BaseAssessor.logError() is deprecated. Use this.logger.error() instead. " +
|
|
57
|
-
"This method will be removed in v2.0.0.");
|
|
58
|
-
this.deprecationWarningsEmitted.logError = true;
|
|
59
|
-
}
|
|
60
|
-
this.logger.error(message, error ? { error: String(error) } : undefined);
|
|
61
|
-
}
|
|
62
30
|
/**
|
|
63
31
|
* Handle an error with logging and structured result
|
|
64
32
|
*
|
|
@@ -147,7 +115,7 @@ export class BaseAssessor {
|
|
|
147
115
|
return JSON.parse(text);
|
|
148
116
|
}
|
|
149
117
|
catch (error) {
|
|
150
|
-
this.
|
|
118
|
+
this.logger.error(`Failed to parse JSON: ${text}`, { error });
|
|
151
119
|
return null;
|
|
152
120
|
}
|
|
153
121
|
}
|
|
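Review bot: The catch at new line 118 interpolates the entire unparsed `text` into the error message, so whatever failed to parse is copied verbatim into the log. Where `text` comes from is not visible in this hunk; if it is a response from the server under assessment, it can be arbitrarily large and may carry credentials or embedded line breaks that forge log entries. The call also passes the raw `error` object as context, where the removed `logError` used `String(error)`, and depending on how the logger serialises context an `Error` may print as an empty object. Suggest `this.logger.error("Failed to parse JSON", { error: String(error), preview: String(text).slice(0, 200) });`. The enclosing method starts outside the hunk.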
@@ -65,7 +65,7 @@ export class CrossCapabilitySecurityAssessor extends BaseAssessor {
|
|
|
65
65
|
const tools = context.tools || [];
|
|
66
66
|
const resources = context.resources || [];
|
|
67
67
|
const prompts = context.prompts || [];
|
|
68
|
-
this.
|
|
68
|
+
this.logger.info(`Testing cross-capability security: ${tools.length} tools, ${resources.length} resources, ${prompts.length} prompts`);
|
|
69
69
|
// Test 1: Tool->Resource access patterns
|
|
70
70
|
const toolResourceResults = this.testToolResourceAccess(tools, resources);
|
|
71
71
|
results.push(...toolResourceResults);
|
|
@@ -15,7 +15,7 @@
|
|
|
15
15
|
import { BaseAssessor } from "./BaseAssessor.js";
|
|
16
16
|
export class DeveloperExperienceAssessor extends BaseAssessor {
|
|
17
17
|
async assess(context) {
|
|
18
|
-
this.
|
|
18
|
+
this.logger.info("Starting developer experience assessment");
|
|
19
19
|
const readmeContent = context.readmeContent || "";
|
|
20
20
|
// Assess documentation
|
|
21
21
|
const documentationMetrics = this.analyzeDocumentation(readmeContent, context.tools, "verbose");
|
|
@@ -16,7 +16,7 @@ export class DocumentationAssessor extends BaseAssessor {
|
|
|
16
16
|
});
|
|
17
17
|
}
|
|
18
18
|
async assess(context) {
|
|
19
|
-
this.
|
|
19
|
+
this.logger.info("Starting documentation assessment");
|
|
20
20
|
const readmeContent = context.readmeContent || "";
|
|
21
21
|
const validVerbosityLevels = ["minimal", "standard", "verbose"];
|
|
22
22
|
const configVerbosity = this.config.documentationVerbosity;
|
|
@@ -27,7 +27,7 @@ export class DocumentationAssessor extends BaseAssessor {
|
|
|
27
27
|
verbosity = configVerbosity;
|
|
28
28
|
}
|
|
29
29
|
else {
|
|
30
|
-
this.
|
|
30
|
+
this.logger.info(`Warning: Invalid documentationVerbosity "${configVerbosity}". ` +
|
|
31
31
|
`Valid options: ${validVerbosityLevels.join(", ")}. Using "verbose".`);
|
|
32
32
|
}
|
|
33
33
|
}
|
|
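Review bot: The invalid `documentationVerbosity` message at new line 30 is logged with `this.logger.info` although its text begins with "Warning:", so a consumer filtering at warn level and above never sees that the configured value was ignored. `this.logger.warn` is already used in this package (in the removed `BaseAssessor.log`). Suggest changing the call to `this.logger.warn(` and dropping the literal `Warning: ` prefix from the message. The body of `assess` continues outside the hunk.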
@@ -3,9 +3,13 @@
|
|
|
3
3
|
* Tests error handling and input validation
|
|
4
4
|
*/
|
|
5
5
|
import { ErrorHandlingAssessment } from "../../../lib/assessmentTypes.js";
|
|
6
|
+
import { AssessmentConfiguration } from "../../../lib/assessment/configTypes.js";
|
|
6
7
|
import { BaseAssessor } from "./BaseAssessor.js";
|
|
7
8
|
import { AssessmentContext } from "../AssessmentOrchestrator.js";
|
|
8
9
|
export declare class ErrorHandlingAssessor extends BaseAssessor {
|
|
10
|
+
private executionDetector;
|
|
11
|
+
private safeResponseDetector;
|
|
12
|
+
constructor(config: AssessmentConfiguration);
|
|
9
13
|
assess(context: AssessmentContext): Promise<ErrorHandlingAssessment>;
|
|
10
14
|
private selectToolsForTesting;
|
|
11
15
|
private testToolErrorHandling;
|
|
@@ -17,6 +21,27 @@ export declare class ErrorHandlingAssessor extends BaseAssessor {
|
|
|
17
21
|
private generateWrongTypeParams;
|
|
18
22
|
private generateInvalidValueParams;
|
|
19
23
|
private generateParamsWithValue;
|
|
24
|
+
/**
|
|
25
|
+
* Analyze invalid_values response to determine scoring impact
|
|
26
|
+
* Issue #99: Contextual empty string validation scoring
|
|
27
|
+
*
|
|
28
|
+
* Classifications:
|
|
29
|
+
* - safe_rejection: Tool rejected with error (no penalty)
|
|
30
|
+
* - safe_reflection: Tool stored/echoed without executing (no penalty)
|
|
31
|
+
* - defensive_programming: Tool handled gracefully (no penalty)
|
|
32
|
+
* - execution_detected: Tool executed input (penalty)
|
|
33
|
+
* - unknown: Cannot determine (partial penalty)
|
|
34
|
+
*/
|
|
35
|
+
private analyzeInvalidValuesResponse;
|
|
36
|
+
/**
|
|
37
|
+
* Safely extract response text from various response formats
|
|
38
|
+
*/
|
|
39
|
+
private extractResponseTextSafe;
|
|
40
|
+
/**
|
|
41
|
+
* Check for defensive programming patterns - tool accepted but caused no harm
|
|
42
|
+
* Examples: "Deleted 0 keys", "No results found", "Query returned 0"
|
|
43
|
+
*/
|
|
44
|
+
private isDefensiveProgrammingResponse;
|
|
20
45
|
private calculateMetrics;
|
|
21
46
|
private determineErrorHandlingStatus;
|
|
22
47
|
private generateExplanation;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ErrorHandlingAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/ErrorHandlingAssessor.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,uBAAuB,EAIxB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;
|
|
1
|
+
{"version":3,"file":"ErrorHandlingAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/ErrorHandlingAssessor.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,uBAAuB,EAIxB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAK9D,qBAAa,qBAAsB,SAAQ,YAAY;IACrD,OAAO,CAAC,iBAAiB,CAA4B;IACrD,OAAO,CAAC,oBAAoB,CAAuB;gBAEvC,MAAM,EAAE,uBAAuB;IAMrC,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,uBAAuB,CAAC;IAiE1E,OAAO,CAAC,qBAAqB;YAuDf,qBAAqB;YAuBrB,qBAAqB;YAmGrB,cAAc;YAmFd,iBAAiB;YA8DjB,kBAAkB;IA6DhC,OAAO,CAAC,aAAa;IAOrB,OAAO,CAAC,uBAAuB;IAgC/B,OAAO,CAAC,0BAA0B;IAgClC,OAAO,CAAC,uBAAuB;IA4B/B;;;;;;;;;;OAUG;IACH,OAAO,CAAC,4BAA4B;IAgEpC;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAc/B;;;OAGG;IACH,OAAO,CAAC,8BAA8B;IAetC,OAAO,CAAC,gBAAgB;IA8GxB,OAAO,CAAC,4BAA4B;IAapC,OAAO,CAAC,mBAAmB;IAuE3B,OAAO,CAAC,uBAAuB;CA4ChC"}
|