@bryan-thompson/inspector-assessment-client 1.26.7 → 1.28.0

Files changed (32)
  1. package/dist/assets/{OAuthCallback-CCWVtjr7.js → OAuthCallback-JnKCxulS.js} +1 -1
  2. package/dist/assets/{OAuthDebugCallback-DqbXfUi4.js → OAuthDebugCallback-C2zSlEIQ.js} +1 -1
  3. package/dist/assets/{index-CsDJSSWq.js → index-C3xZdIFQ.js} +77 -39
  4. package/dist/index.html +1 -1
  5. package/lib/lib/assessment/configTypes.d.ts +1 -0
  6. package/lib/lib/assessment/configTypes.d.ts.map +1 -1
  7. package/lib/lib/assessment/configTypes.js +10 -0
  8. package/lib/lib/assessment/extendedTypes.d.ts +74 -0
  9. package/lib/lib/assessment/extendedTypes.d.ts.map +1 -1
  10. package/lib/lib/assessment/resultTypes.d.ts +3 -1
  11. package/lib/lib/assessment/resultTypes.d.ts.map +1 -1
  12. package/lib/lib/securityPatterns.d.ts +7 -2
  13. package/lib/lib/securityPatterns.d.ts.map +1 -1
  14. package/lib/lib/securityPatterns.js +204 -2
  15. package/lib/services/assessment/AssessmentOrchestrator.d.ts +1 -0
  16. package/lib/services/assessment/AssessmentOrchestrator.d.ts.map +1 -1
  17. package/lib/services/assessment/AssessmentOrchestrator.js +31 -1
  18. package/lib/services/assessment/modules/ErrorHandlingAssessor.d.ts +25 -0
  19. package/lib/services/assessment/modules/ErrorHandlingAssessor.d.ts.map +1 -1
  20. package/lib/services/assessment/modules/ErrorHandlingAssessor.js +119 -5
  21. package/lib/services/assessment/modules/FileModularizationAssessor.d.ts +87 -0
  22. package/lib/services/assessment/modules/FileModularizationAssessor.d.ts.map +1 -0
  23. package/lib/services/assessment/modules/FileModularizationAssessor.js +475 -0
  24. package/lib/services/assessment/modules/securityTests/SecurityPatternLibrary.d.ts +27 -0
  25. package/lib/services/assessment/modules/securityTests/SecurityPatternLibrary.d.ts.map +1 -1
  26. package/lib/services/assessment/modules/securityTests/SecurityPatternLibrary.js +50 -0
  27. package/lib/services/assessment/modules/securityTests/SecurityPayloadGenerator.d.ts.map +1 -1
  28. package/lib/services/assessment/modules/securityTests/SecurityPayloadGenerator.js +13 -0
  29. package/lib/services/assessment/modules/securityTests/SecurityResponseAnalyzer.d.ts +14 -0
  30. package/lib/services/assessment/modules/securityTests/SecurityResponseAnalyzer.d.ts.map +1 -1
  31. package/lib/services/assessment/modules/securityTests/SecurityResponseAnalyzer.js +45 -0
  32. package/package.json +1 -1
@@ -321,6 +321,51 @@ export class SecurityResponseAnalyzer {
321
321
  },
322
322
  };
323
323
  }
324
+ /**
325
+ * Check for secret leakage in response (Issue #103, Challenge #9)
326
+ * Scans for credential patterns regardless of payload type.
327
+ *
328
+ * This method detects when tools inadvertently expose:
329
+ * - API keys (AWS, OpenAI, GitHub, GitLab, Slack)
330
+ * - Database connection strings with credentials
331
+ * - Environment variable values
332
+ * - Partial key previews
333
+ */
334
+ checkSecretLeakage(response) {
335
+ const responseText = this.extractResponseContent(response);
336
+ const patterns = [
337
+ { regex: /AKIA[A-Z0-9]{16}/, name: "AWS Access Key" },
338
+ { regex: /sk-[a-zA-Z0-9]{20,}/, name: "OpenAI API Key" },
339
+ { regex: /ghp_[a-zA-Z0-9]{36}/, name: "GitHub PAT" },
340
+ { regex: /glpat-[a-zA-Z0-9]{20}/, name: "GitLab PAT" },
341
+ { regex: /xox[baprs]-[a-zA-Z0-9-]+/, name: "Slack Token" },
342
+ {
343
+ regex: /(postgresql|mysql|mongodb|redis|mssql):\/\/[^:]+:[^@]+@/i,
344
+ name: "Connection String with Credentials",
345
+ },
346
+ {
347
+ regex: /(api[_-]?key|secret|password|credential)[^\s]*[:=]\s*["']?[a-zA-Z0-9_-]{10,}/i,
348
+ name: "Credential Assignment",
349
+ },
350
+ {
351
+ regex: /(SECRET_TOKEN|DATABASE_URL|API_KEY|PRIVATE_KEY|DB_PASSWORD)[^\s]*[:=]/i,
352
+ name: "Environment Variable Leakage",
353
+ },
354
+ {
355
+ regex: /api_key_preview|key_fragment|partial_key/i,
356
+ name: "Partial Key Exposure",
357
+ },
358
+ ];
359
+ for (const { regex, name } of patterns) {
360
+ if (regex.test(responseText)) {
361
+ return {
362
+ detected: true,
363
+ evidence: `${name} pattern found in response`,
364
+ };
365
+ }
366
+ }
367
+ return { detected: false };
368
+ }
324
369
  /**
325
370
  * Check if response indicates connection/server failure
326
371
  */
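Review bot: The "Environment Variable Leakage" entry (new line 351) matches a variable name followed by `:` or `=` without requiring any value after it, so a benign message such as `API_KEY= is not configured` or a dump of setting names is reported as a secret leak; anchoring the pattern on a value, `regex: /(SECRET_TOKEN|DATABASE_URL|API_KEY|PRIVATE_KEY|DB_PASSWORD)[^\s]*[:=]\s*["']?[^\s"']{8,}/i,`, keeps the check on exposed values rather than on known names. Because the scan runs on every response regardless of payload type, a tool that echoes its input back will also match any credential-shaped string the test payload itself contained; that is presumably handled by the caller, but a one-line comment above the `patterns` array noting the reflection caveat would make the contract explicit. The `evidence` string reports only the pattern name and never the matched text, which keeps real secrets out of the assessment report — a comment above the `return` on line 361 such as `// Report the pattern name only; never copy the matched value into the report` would stop a later change from "improving" it. `extractResponseContent` and the rest of `SecurityResponseAnalyzer` are outside this hunk.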
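--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@bryan-thompson/inspector-assessment-client",
-"version": "1.26.7",
+"version": "1.28.0",
 "description": "Client-side application for the Enhanced MCP Inspector with assessment capabilities",
 "license": "MIT",
 "author": "Bryan Thompson <bryan@triepod.ai>",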