@bryan-thompson/inspector-assessment-client 1.30.1 → 1.31.0
- package/dist/assets/{OAuthCallback-BbE88qbF.js → OAuthCallback-CXcl26vR.js} +1 -1
- package/dist/assets/{OAuthDebugCallback-CfRYq1JG.js → OAuthDebugCallback-J9s4SF_c.js} +1 -1
- package/dist/assets/{index-cHhcEXbr.css → index-BoUA5OL1.css} +3 -0
- package/dist/assets/{index-CsUB73MT.js → index-_HAw2b2G.js} +3746 -115
- package/dist/index.html +2 -2
- package/lib/lib/assessment/configTypes.d.ts +6 -0
- package/lib/lib/assessment/configTypes.d.ts.map +1 -1
- package/lib/lib/assessment/extendedTypes.d.ts +74 -0
- package/lib/lib/assessment/extendedTypes.d.ts.map +1 -1
- package/lib/lib/assessment/resultTypes.d.ts +3 -1
- package/lib/lib/assessment/resultTypes.d.ts.map +1 -1
- package/lib/lib/assessment/sharedSchemas.d.ts +140 -0
- package/lib/lib/assessment/sharedSchemas.d.ts.map +1 -0
- package/lib/lib/assessment/sharedSchemas.js +113 -0
- package/lib/lib/securityPatterns.d.ts.map +1 -1
- package/lib/lib/securityPatterns.js +2 -2
- package/lib/services/assessment/AssessmentOrchestrator.d.ts +1 -0
- package/lib/services/assessment/AssessmentOrchestrator.d.ts.map +1 -1
- package/lib/services/assessment/AssessmentOrchestrator.js +34 -1
- package/lib/services/assessment/ResponseValidator.d.ts +10 -0
- package/lib/services/assessment/ResponseValidator.d.ts.map +1 -1
- package/lib/services/assessment/ResponseValidator.js +30 -6
- package/lib/services/assessment/config/performanceConfig.d.ts +2 -0
- package/lib/services/assessment/config/performanceConfig.d.ts.map +1 -1
- package/lib/services/assessment/config/performanceConfig.js +5 -33
- package/lib/services/assessment/config/performanceConfigSchemas.d.ts +111 -0
- package/lib/services/assessment/config/performanceConfigSchemas.d.ts.map +1 -0
- package/lib/services/assessment/config/performanceConfigSchemas.js +123 -0
- package/lib/services/assessment/modules/ConformanceAssessor.d.ts +60 -0
- package/lib/services/assessment/modules/ConformanceAssessor.d.ts.map +1 -0
- package/lib/services/assessment/modules/ConformanceAssessor.js +308 -0
- package/lib/services/assessment/modules/ResourceAssessor.d.ts +14 -0
- package/lib/services/assessment/modules/ResourceAssessor.d.ts.map +1 -1
- package/lib/services/assessment/modules/ResourceAssessor.js +221 -0
- package/lib/services/assessment/modules/TemporalAssessor.d.ts +14 -0
- package/lib/services/assessment/modules/TemporalAssessor.d.ts.map +1 -1
- package/lib/services/assessment/modules/TemporalAssessor.js +29 -1
- package/lib/services/assessment/modules/annotations/AlignmentChecker.d.ts +9 -0
- package/lib/services/assessment/modules/annotations/AlignmentChecker.d.ts.map +1 -1
- package/lib/services/assessment/modules/annotations/AlignmentChecker.js +97 -5
- package/lib/services/assessment/modules/annotations/DescriptionPoisoningDetector.d.ts +6 -4
- package/lib/services/assessment/modules/annotations/DescriptionPoisoningDetector.d.ts.map +1 -1
- package/lib/services/assessment/modules/annotations/DescriptionPoisoningDetector.js +58 -0
- package/lib/services/assessment/modules/annotations/index.d.ts +1 -1
- package/lib/services/assessment/modules/annotations/index.d.ts.map +1 -1
- package/lib/services/assessment/modules/annotations/index.js +2 -1
- package/lib/services/assessment/modules/securityTests/SecurityResponseAnalyzer.d.ts.map +1 -1
- package/lib/services/assessment/modules/securityTests/SecurityResponseAnalyzer.js +3 -3
- package/lib/services/assessment/responseValidatorSchemas.d.ts +751 -0
- package/lib/services/assessment/responseValidatorSchemas.d.ts.map +1 -0
- package/lib/services/assessment/responseValidatorSchemas.js +244 -0
- package/package.json +1 -1
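--- a/package/lib/services/assessment/modules/annotations/AlignmentChecker.d.ts
+++ b/package/lib/services/assessment/modules/annotations/AlignmentChecker.d.ts
@@ -7,6 +7,7 @@
 import type { Tool } from "@modelcontextprotocol/sdk/types.js";
 import type { ToolAnnotationResult, AssessmentStatus, ToolParamProgress, AnnotationSource } from "../../../../lib/assessmentTypes.js";
 import type { CompiledPatterns, ServerPersistenceContext } from "../../config/annotationPatterns.js";
+import { type PoisoningScanResult } from "./DescriptionPoisoningDetector.js";
 /**
 * Extracted annotation structure from a tool
 */
@@ -50,6 +51,14 @@ export declare function extractExtendedMetadata(tool: Tool): ToolAnnotationResul
 * Extract parameters from tool input schema
 */
 export declare function extractToolParams(schema: unknown): ToolParamProgress[];
+/**
+* Scan all description fields in tool input schema for poisoning patterns
+* Issue #119, Challenge #15: Input schema description poisoning detection
+*
+* Malicious actors may embed hidden instructions in parameter descriptions
+* rather than the main tool description to evade detection.
+*/
+export declare function scanInputSchemaDescriptions(tool: Tool): PoisoningScanResult;
 /**
 * Assess a single tool's annotations
 */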
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"AlignmentChecker.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/annotations/AlignmentChecker.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAC/D,OAAO,KAAK,EACV,oBAAoB,EACpB,gBAAgB,EAEhB,iBAAiB,EACjB,gBAAgB,EACjB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,KAAK,EACV,gBAAgB,EAChB,wBAAwB,EACzB,MAAM,iCAAiC,CAAC;
|
|
1
|
+
{"version":3,"file":"AlignmentChecker.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/annotations/AlignmentChecker.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAC/D,OAAO,KAAK,EACV,oBAAoB,EACpB,gBAAgB,EAEhB,iBAAiB,EACjB,gBAAgB,EACjB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,KAAK,EACV,gBAAgB,EAChB,wBAAwB,EACzB,MAAM,iCAAiC,CAAC;AAEzC,OAAO,EAEL,KAAK,mBAAmB,EACzB,MAAM,gCAAgC,CAAC;AAoExC;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,MAAM,EAAE,gBAAgB,CAAC;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE;QACP,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;QACpB,WAAW,EAAE,MAAM,CAAC;QACpB,cAAc,EAAE,MAAM,CAAC;KACxB,CAAC;IACF,kBAAkB,EAAE;QAClB,OAAO,EAAE,MAAM,CAAC;QAChB,UAAU,EAAE,MAAM,CAAC;QACnB,iBAAiB,EAAE,MAAM,CAAC;QAC1B,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC;CACH;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,IAAI,GAAG,oBAAoB,CA8DnE;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CACrC,IAAI,EAAE,IAAI,GACT,oBAAoB,CAAC,kBAAkB,CAAC,CA6D1C;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,OAAO,GAAG,iBAAiB,EAAE,CAqBtE;AAED;;;;;;GAMG;AACH,wBAAgB,2BAA2B,CAAC,IAAI,EAAE,IAAI,GAAG,mBAAmB,CAmD3E;AAqCD;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,IAAI,EAAE,IAAI,EACV,gBAAgB,EAAE,gBAAgB,EAClC,kBAAkB,CAAC,EAAE,wBAAwB,GAC5C,oBAAoB,CA0JtB;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CACvC,OAAO,EAAE,oBAAoB,EAAE,EAC/B,UAAU,EAAE,MAAM,GACjB,gBAAgB,CA8BlB;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,oBAAoB,EAAE,EAC/B,UAAU,EAAE,MAAM,GACjB,sBAAsB,CA2BxB"}
|
|
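--- a/package/lib/services/assessment/modules/annotations/AlignmentChecker.js
+++ b/package/lib/services/assessment/modules/annotations/AlignmentChecker.js
@@ -4,7 +4,7 @@
 *
 * Extracted from ToolAnnotationAssessor.ts as part of Issue #105 refactoring.
 */
-import { scanDescriptionForPoisoning } from "./DescriptionPoisoningDetector.js";
+import { scanDescriptionForPoisoning, } from "./DescriptionPoisoningDetector.js";
 import { detectAnnotationDeception, isActionableConfidence, } from "./AnnotationDeceptionDetector.js";
 import { inferBehavior } from "./BehaviorInference.js";
 /**
@@ -144,6 +144,85 @@ export function extractToolParams(schema) {
 return param;
 });
 }
+/**
+* Scan all description fields in tool input schema for poisoning patterns
+* Issue #119, Challenge #15: Input schema description poisoning detection
+*
+* Malicious actors may embed hidden instructions in parameter descriptions
+* rather than the main tool description to evade detection.
+*/
+export function scanInputSchemaDescriptions(tool) {
+const allMatches = [];
+const schema = tool.inputSchema;
+if (!schema || !schema.properties) {
+return { detected: false, patterns: [], riskLevel: "NONE" };
+}
+const properties = schema.properties;
+for (const [propName, propDef] of Object.entries(properties)) {
+const propDescription = propDef.description;
+if (!propDescription)
+continue;
+// Create a fake tool to reuse existing scanner
+const fakeTool = {
+name: `${tool.name}.inputSchema.properties.${propName}`,
+description: propDescription,
+inputSchema: { type: "object", properties: {} },
+};
+const result = scanDescriptionForPoisoning(fakeTool);
+if (result.detected) {
+// Prefix evidence with property location for clear identification
+for (const match of result.patterns) {
+allMatches.push({
+...match,
+evidence: `[inputSchema.properties.${propName}.description] ${match.evidence}`,
+});
+}
+}
+}
+// Calculate overall risk level
+let riskLevel = "NONE";
+if (allMatches.some((m) => m.severity === "HIGH")) {
+riskLevel = "HIGH";
+}
+else if (allMatches.some((m) => m.severity === "MEDIUM")) {
+riskLevel = "MEDIUM";
+}
+else if (allMatches.length > 0) {
+riskLevel = "LOW";
+}
+return {
+detected: allMatches.length > 0,
+patterns: allMatches,
+riskLevel,
+};
+}
+/**
+* Merge two poisoning scan results, combining patterns and taking highest risk
+*/
+function mergePoisoningScanResults(primary, secondary) {
+const combinedPatterns = [...primary.patterns, ...secondary.patterns];
+let riskLevel = "NONE";
+if (primary.riskLevel === "HIGH" ||
+secondary.riskLevel === "HIGH" ||
+combinedPatterns.some((m) => m.severity === "HIGH")) {
+riskLevel = "HIGH";
+}
+else if (primary.riskLevel === "MEDIUM" ||
+secondary.riskLevel === "MEDIUM" ||
+combinedPatterns.some((m) => m.severity === "MEDIUM")) {
+riskLevel = "MEDIUM";
+}
+else if (combinedPatterns.length > 0) {
+riskLevel = "LOW";
+}
+return {
+detected: combinedPatterns.length > 0,
+patterns: combinedPatterns,
+riskLevel,
+// Keep lengthWarning from primary (tool description) if present
+lengthWarning: primary.lengthWarning,
+};
+}
 /**
 * Assess a single tool's annotations
 */
@@ -215,11 +294,24 @@ export function assessSingleTool(tool, compiledPatterns, persistenceContext) {
 alignmentStatus = "MISALIGNED";
 }
 }
-// Scan for description poisoning
-const
+// Scan for description poisoning (tool.description)
+const toolDescriptionPoisoning = scanDescriptionForPoisoning(tool);
+// Issue #119, Challenge #15: Also scan input schema property descriptions
+// Malicious actors may hide instructions in parameter descriptions
+const schemaPoisoning = scanInputSchemaDescriptions(tool);
+// Merge results from both scans
+const descriptionPoisoning = mergePoisoningScanResults(toolDescriptionPoisoning, schemaPoisoning);
 if (descriptionPoisoning.detected) {
-
-
+// Differentiate between tool description and schema description poisoning in issues
+const toolDescPatterns = toolDescriptionPoisoning.patterns.map((p) => p.name);
+const schemaPatterns = schemaPoisoning.patterns.map((p) => p.name);
+if (toolDescPatterns.length > 0) {
+issues.push(`Tool description contains suspicious patterns: ${toolDescPatterns.join(", ")}`);
+}
+if (schemaPatterns.length > 0) {
+issues.push(`Input schema property descriptions contain suspicious patterns: ${schemaPatterns.join(", ")}`);
+}
+recommendations.push(`Review ${tool.name} description and parameter descriptions for potential prompt injection or hidden instructions`);
 }
 // Extract extended metadata (Issue #54)
 const extendedMetadata = extractExtendedMetadata(tool);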
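Review bot: scanInputSchemaDescriptions (hunk @@ -144) reads only `schema.properties[*].description`, so a description placed on a nested object property, on an array's `items`, inside an `anyOf`/`oneOf`/`allOf` branch or under `$defs` is never scanned, and the docstring's claim to cover "all description fields" does not hold for exactly the evasion the Issue #119 comment describes. The loop also dereferences `propDef.description` without checking that `propDef` is an object, so a schema carrying `"x": null` under `properties` throws a TypeError instead of producing a result. Walking the schema recursively and feeding every description found to the existing scanner, as sketched below, closes both gaps while keeping the return shape; the risk-level ladder is meanwhile written three times in this file (`scanDescriptionForPoisoning`, `scanInputSchemaDescriptions`, `mergePoisoningScanResults`) and would be better as one shared helper. assessSingleTool, the caller changed in the third hunk, starts and ends outside the hunk.
```javascript
export function scanInputSchemaDescriptions(tool) {
    const allMatches = [];
    // Walk the whole schema so descriptions nested under items/anyOf/$defs are scanned too.
    const found = [];
    collectDescriptions(tool.inputSchema, "inputSchema", found, new Set());
    for (const [path, text] of found) {
        const fakeTool = {
            name: `${tool.name}.${path}`,
            description: text,
            inputSchema: { type: "object", properties: {} },
        };
        const result = scanDescriptionForPoisoning(fakeTool);
        for (const match of result.patterns) {
            allMatches.push({ ...match, evidence: `[${path}.description] ${match.evidence}` });
        }
    }
    // … unchanged: riskLevel ladder and return …
}
// Collects [path, description] pairs from every subschema reachable from `node`.
function collectDescriptions(node, path, out, seen) {
    if (!node || typeof node !== "object" || seen.has(node)) return;
    seen.add(node);
    if (typeof node.description === "string" && node.description) {
        out.push([path, node.description]);
    }
    for (const key of ["properties", "patternProperties", "$defs", "definitions"]) {
        const map = node[key];
        if (map && typeof map === "object") {
            for (const [name, sub] of Object.entries(map)) {
                collectDescriptions(sub, `${path}.${key}.${name}`, out, seen);
            }
        }
    }
    for (const key of ["anyOf", "oneOf", "allOf", "prefixItems"]) {
        if (Array.isArray(node[key])) {
            node[key].forEach((sub, i) => collectDescriptions(sub, `${path}.${key}[${i}]`, out, seen));
        }
    }
    for (const key of ["items", "additionalProperties", "not", "if", "then", "else"]) {
        collectDescriptions(node[key], `${path}.${key}`, out, seen);
    }
}
```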
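--- a/package/lib/services/assessment/modules/annotations/DescriptionPoisoningDetector.d.ts
+++ b/package/lib/services/assessment/modules/annotations/DescriptionPoisoningDetector.d.ts
@@ -28,6 +28,12 @@ export interface PoisoningScanResult {
 evidence: string;
 }>;
 riskLevel: "NONE" | "LOW" | "MEDIUM" | "HIGH";
+/** Length warning for suspiciously long descriptions (Issue #119, Challenge #15) */
+lengthWarning?: {
+length: number;
+threshold: number;
+isExcessive: boolean;
+};
 }
 /**
 * Description poisoning patterns for detecting malicious tool descriptions
@@ -35,9 +41,5 @@ export interface PoisoningScanResult {
 * delimiter injection, encoding bypass, and typoglycemia/evasion patterns
 */
 export declare const DESCRIPTION_POISONING_PATTERNS: PoisoningPattern[];
-/**
-* Scan tool description for poisoning patterns
-* Detects hidden instructions, override commands, concealment, and exfiltration attempts
-*/
 export declare function scanDescriptionForPoisoning(tool: Tool): PoisoningScanResult;
 //# sourceMappingURL=DescriptionPoisoningDetector.d.ts.map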
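Review bot: The JSDoc for `scanDescriptionForPoisoning` disappears from the declaration file (lines 38–41 removed in the second hunk) although the function's contract did not change; in the emitted DescriptionPoisoningDetector.js at @@ -268 the comment `/** Scan tool description for poisoning patterns ... */` now sits directly above the new `const DESCRIPTION_LENGTH_WARNING_THRESHOLD = 500;`, so the declaration emitter presumably attached it to the constant rather than the exported function. Moving the threshold constant and its line comment above the JSDoc block in the source file would restore the documentation on the public API. While touching it, the comment should also describe the new optional `lengthWarning` field and the synthetic `excessive_description_length` entry the function now adds to `patterns`, e.g. `* Also flags descriptions longer than DESCRIPTION_LENGTH_WARNING_THRESHOLD via lengthWarning and a MEDIUM "excessive_description_length" pattern.`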
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"DescriptionPoisoningDetector.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/annotations/DescriptionPoisoningDetector.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAE/D;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;IACpC,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,OAAO,CAAC;IAClB,QAAQ,EAAE,KAAK,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,MAAM,CAAC;QAChB,QAAQ,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;QACpC,QAAQ,EAAE,MAAM,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC,CAAC;IACH,SAAS,EAAE,MAAM,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;
|
|
1
|
+
{"version":3,"file":"DescriptionPoisoningDetector.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/annotations/DescriptionPoisoningDetector.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAE/D;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;IACpC,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,OAAO,CAAC;IAClB,QAAQ,EAAE,KAAK,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,MAAM,CAAC;QAChB,QAAQ,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;QACpC,QAAQ,EAAE,MAAM,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC,CAAC;IACH,SAAS,EAAE,MAAM,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;IAC9C,oFAAoF;IACpF,aAAa,CAAC,EAAE;QACd,MAAM,EAAE,MAAM,CAAC;QACf,SAAS,EAAE,MAAM,CAAC;QAClB,WAAW,EAAE,OAAO,CAAC;KACtB,CAAC;CACH;AAED;;;;GAIG;AACH,eAAO,MAAM,8BAA8B,EAAE,gBAAgB,EAwT5D,CAAC;AASF,wBAAgB,2BAA2B,CAAC,IAAI,EAAE,IAAI,GAAG,mBAAmB,CAoE3E"}
|
|
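--- a/package/lib/services/assessment/modules/annotations/DescriptionPoisoningDetector.js
+++ b/package/lib/services/assessment/modules/annotations/DescriptionPoisoningDetector.js
@@ -268,14 +268,71 @@ export const DESCRIPTION_POISONING_PATTERNS = [
 severity: "HIGH",
 category: "state_dependency",
 },
+// Zero-width character obfuscation (Issue #119, Challenge #15)
+// These invisible characters can hide instructions from human review
+{
+name: "zero_width_space",
+pattern: /\u200B/g, // U+200B Zero Width Space
+severity: "HIGH",
+category: "obfuscation",
+},
+{
+name: "zero_width_joiner",
+pattern: /\u200D/g, // U+200D Zero Width Joiner
+severity: "HIGH",
+category: "obfuscation",
+},
+{
+name: "zero_width_non_joiner",
+pattern: /\u200C/g, // U+200C Zero Width Non-Joiner
+severity: "HIGH",
+category: "obfuscation",
+},
+{
+name: "word_joiner",
+pattern: /\u2060/g, // U+2060 Word Joiner
+severity: "HIGH",
+category: "obfuscation",
+},
+{
+name: "byte_order_mark",
+pattern: /\uFEFF/g, // U+FEFF Byte Order Mark (when not at start)
+severity: "MEDIUM",
+category: "obfuscation",
+},
+{
+name: "multiple_zero_width_chars",
+pattern: /[\u200B\u200C\u200D\u2060\uFEFF]{2,}/g, // Multiple consecutive zero-width chars
+severity: "HIGH",
+category: "obfuscation",
+},
 ];
 /**
 * Scan tool description for poisoning patterns
 * Detects hidden instructions, override commands, concealment, and exfiltration attempts
 */
+// Description length threshold for suspicious descriptions (Issue #119, Challenge #15)
+const DESCRIPTION_LENGTH_WARNING_THRESHOLD = 500;
 export function scanDescriptionForPoisoning(tool) {
 const description = tool.description || "";
 const matches = [];
+// Length-based heuristic (Issue #119, Challenge #15)
+// Excessively long descriptions may be used to hide malicious content
+let lengthWarning;
+if (description.length > DESCRIPTION_LENGTH_WARNING_THRESHOLD) {
+lengthWarning = {
+length: description.length,
+threshold: DESCRIPTION_LENGTH_WARNING_THRESHOLD,
+isExcessive: true,
+};
+matches.push({
+name: "excessive_description_length",
+pattern: `length > ${DESCRIPTION_LENGTH_WARNING_THRESHOLD}`,
+severity: "MEDIUM",
+category: "suspicious_length",
+evidence: `Description is ${description.length} characters (threshold: ${DESCRIPTION_LENGTH_WARNING_THRESHOLD})`,
+});
+}
 for (const patternDef of DESCRIPTION_POISONING_PATTERNS) {
 // Create a fresh regex to reset lastIndex
 const regex = new RegExp(patternDef.pattern.source, patternDef.pattern.flags);
@@ -309,5 +366,6 @@ export function scanDescriptionForPoisoning(tool) {
 detected: matches.length > 0,
 patterns: matches,
 riskLevel,
+lengthWarning,
 };
 }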
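Review bot: The `byte_order_mark` entry contradicts its own comment: `pattern: /\uFEFF/g` matches a BOM at any position, including offset 0, which the comment says should be exempt, so a description that merely starts with a BOM is reported as MEDIUM obfuscation; `pattern: /(?!^)\uFEFF/g` expresses the stated intent. The five code points listed are also only a subset of the invisible characters that serve the same concealment purpose — bidirectional controls (U+202A–U+202E, U+2066–U+2069), the soft hyphen U+00AD and the Unicode tag characters U+E0000–U+E007F are not covered by any entry. Since the scan loop rebuilds each regex from `pattern.source` and `pattern.flags` (context line 338), a single catch-all entry such as `pattern: /\p{Cf}/gu, // any Unicode format character` would cover the whole Cf category, assuming the build target supports `\p{…}` with the `u` flag; the per-character entries can stay for more specific naming in the evidence.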
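--- a/package/lib/services/assessment/modules/annotations/index.d.ts
+++ b/package/lib/services/assessment/modules/annotations/index.d.ts
@@ -16,7 +16,7 @@ export { analyzeDescription, hasReadOnlyIndicators, hasDestructiveIndicators, ha
 export { analyzeInputSchema, analyzeOutputSchema, hasBulkOperationIndicators, hasPaginationParameters, hasForceFlags, INPUT_READONLY_PATTERNS, INPUT_DESTRUCTIVE_PATTERNS, INPUT_WRITE_PATTERNS, OUTPUT_READONLY_PATTERNS, OUTPUT_DESTRUCTIVE_PATTERNS, OUTPUT_WRITE_PATTERNS, type JSONSchema, } from "./SchemaAnalyzer.js";
 export { detectArchitecture, hasDatabaseToolPatterns, extractDatabasesFromDependencies, type Tool as ArchitectureTool, type ArchitectureContext, } from "./ArchitectureDetector.js";
 export { type ClaudeInference, type EnhancedToolAnnotationResult, } from "./types.js";
-export { extractAnnotations, extractExtendedMetadata, extractToolParams, assessSingleTool, determineAnnotationStatus, calculateMetrics, type ExtractedAnnotations, type AlignmentMetricsResult, } from "./AlignmentChecker.js";
+export { extractAnnotations, extractExtendedMetadata, extractToolParams, scanInputSchemaDescriptions, assessSingleTool, determineAnnotationStatus, calculateMetrics, type ExtractedAnnotations, type AlignmentMetricsResult, } from "./AlignmentChecker.js";
 export { generateExplanation, generateEnhancedExplanation, generateRecommendations, generateEnhancedRecommendations, } from "./ExplanationGenerator.js";
 export { emitAnnotationEvents, emitMismatchEvent } from "./EventEmitter.js";
 export { enhanceWithClaudeInference, createPatternBasedInference, } from "./ClaudeIntegration.js";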
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/annotations/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EACL,8BAA8B,EAC9B,2BAA2B,EAC3B,KAAK,gBAAgB,EACrB,KAAK,mBAAmB,GACzB,MAAM,gCAAgC,CAAC;AAExC,OAAO,EACL,+BAA+B,EAC/B,4BAA4B,EAC5B,kCAAkC,EAClC,eAAe,EACf,kBAAkB,EAClB,sBAAsB,EACtB,yBAAyB,EACzB,KAAK,eAAe,GACrB,MAAM,+BAA+B,CAAC;AAEvC,OAAO,EACL,aAAa,EACb,qBAAqB,EACrB,KAAK,uBAAuB,GAC7B,MAAM,qBAAqB,CAAC;AAG7B,OAAO,EACL,kBAAkB,EAClB,qBAAqB,EACrB,wBAAwB,EACxB,kBAAkB,EAClB,6BAA6B,GAC9B,MAAM,uBAAuB,CAAC;AAG/B,OAAO,EACL,kBAAkB,EAClB,mBAAmB,EACnB,0BAA0B,EAC1B,uBAAuB,EACvB,aAAa,EACb,uBAAuB,EACvB,0BAA0B,EAC1B,oBAAoB,EACpB,wBAAwB,EACxB,2BAA2B,EAC3B,qBAAqB,EACrB,KAAK,UAAU,GAChB,MAAM,kBAAkB,CAAC;AAG1B,OAAO,EACL,kBAAkB,EAClB,uBAAuB,EACvB,gCAAgC,EAChC,KAAK,IAAI,IAAI,gBAAgB,EAC7B,KAAK,mBAAmB,GACzB,MAAM,wBAAwB,CAAC;AAGhC,OAAO,EACL,KAAK,eAAe,EACpB,KAAK,4BAA4B,GAClC,MAAM,SAAS,CAAC;
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/annotations/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EACL,8BAA8B,EAC9B,2BAA2B,EAC3B,KAAK,gBAAgB,EACrB,KAAK,mBAAmB,GACzB,MAAM,gCAAgC,CAAC;AAExC,OAAO,EACL,+BAA+B,EAC/B,4BAA4B,EAC5B,kCAAkC,EAClC,eAAe,EACf,kBAAkB,EAClB,sBAAsB,EACtB,yBAAyB,EACzB,KAAK,eAAe,GACrB,MAAM,+BAA+B,CAAC;AAEvC,OAAO,EACL,aAAa,EACb,qBAAqB,EACrB,KAAK,uBAAuB,GAC7B,MAAM,qBAAqB,CAAC;AAG7B,OAAO,EACL,kBAAkB,EAClB,qBAAqB,EACrB,wBAAwB,EACxB,kBAAkB,EAClB,6BAA6B,GAC9B,MAAM,uBAAuB,CAAC;AAG/B,OAAO,EACL,kBAAkB,EAClB,mBAAmB,EACnB,0BAA0B,EAC1B,uBAAuB,EACvB,aAAa,EACb,uBAAuB,EACvB,0BAA0B,EAC1B,oBAAoB,EACpB,wBAAwB,EACxB,2BAA2B,EAC3B,qBAAqB,EACrB,KAAK,UAAU,GAChB,MAAM,kBAAkB,CAAC;AAG1B,OAAO,EACL,kBAAkB,EAClB,uBAAuB,EACvB,gCAAgC,EAChC,KAAK,IAAI,IAAI,gBAAgB,EAC7B,KAAK,mBAAmB,GACzB,MAAM,wBAAwB,CAAC;AAGhC,OAAO,EACL,KAAK,eAAe,EACpB,KAAK,4BAA4B,GAClC,MAAM,SAAS,CAAC;AAIjB,OAAO,EACL,kBAAkB,EAClB,uBAAuB,EACvB,iBAAiB,EACjB,2BAA2B,EAC3B,gBAAgB,EAChB,yBAAyB,EACzB,gBAAgB,EAChB,KAAK,oBAAoB,EACzB,KAAK,sBAAsB,GAC5B,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EACL,mBAAmB,EACnB,2BAA2B,EAC3B,uBAAuB,EACvB,+BAA+B,GAChC,MAAM,wBAAwB,CAAC;AAGhC,OAAO,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AAGzE,OAAO,EACL,0BAA0B,EAC1B,2BAA2B,GAC5B,MAAM,qBAAqB,CAAC"}
|
|
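--- a/package/lib/services/assessment/modules/annotations/index.js
+++ b/package/lib/services/assessment/modules/annotations/index.js
@@ -19,7 +19,8 @@ export { analyzeInputSchema, analyzeOutputSchema, hasBulkOperationIndicators, ha
 // Issue #57: Architecture Detector
 export { detectArchitecture, hasDatabaseToolPatterns, extractDatabasesFromDependencies, } from "./ArchitectureDetector.js";
 // Issue #105: Alignment Checker
-
+// Issue #119: Added scanInputSchemaDescriptions for Challenge #15
+export { extractAnnotations, extractExtendedMetadata, extractToolParams, scanInputSchemaDescriptions, assessSingleTool, determineAnnotationStatus, calculateMetrics, } from "./AlignmentChecker.js";
 // Issue #105: Explanation Generator
 export { generateExplanation, generateEnhancedExplanation, generateRecommendations, generateEnhancedRecommendations, } from "./ExplanationGenerator.js";
 // Issue #105: Event Emitter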
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"SecurityResponseAnalyzer.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/SecurityResponseAnalyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EACL,2BAA2B,EAC3B,IAAI,EACL,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAEzD,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,wBAAwB,CAAC;AAK1E,OAAO,EAAgB,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAElE,OAAO,EAAoB,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAYxE,YAAY,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAC3D,YAAY,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAEzD;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,YAAY,EAAE,OAAO,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,OAAO,CAAC;IAClB,WAAW,EAAE,WAAW,GAAG,aAAa,GAAG,SAAS,CAAC;IACrD,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,oBAAoB;IACnC,UAAU,EAAE,OAAO,CAAC;IACpB,IAAI,EAAE,OAAO,CAAC;IACd,eAAe,EAAE,cAAc,GAAG,aAAa,GAAG,SAAS,CAAC;IAC5D,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;GAGG;AACH,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,OAAO,CAAC;IAClB,UAAU,EAAE,kBAAkB,GAAG,mBAAmB,GAAG,SAAS,CAAC;IACjE,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,OAAO,CAAC;IAClB,aAAa,EACT,uBAAuB,GACvB,sBAAsB,GACtB,WAAW,GACX,SAAS,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,OAAO,CAAC;IAClB,iBAAiB,EACb,kBAAkB,GAClB,mBAAmB,GACnB,YAAY,GACZ,WAAW,GACX,iBAAiB,GACjB,SAAS,CAAC;IACd,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;;GAUG;AACH,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,OAAO,CAAC;IAClB,iBAAiB,EACb,WAAW,GACX,aAAa,GACb,iBAAiB,GACjB,eAAe,GACf,UAAU,GACV,eAAe,GACf,UAAU,GACV,iBAAiB,GACjB,SAAS,CAAC;IACd,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,MAAM,kBAAkB,GAC1B,sBAAsB,GACtB,iBAAiB,GACjB,SAAS,GACT,SAAS,CAAC;AAEd;;GAEG;AACH,MAAM,MAAM,0BAA0B,GAClC,kBAAkB,GAClB,iBAAiB,GACjB,2BAA2B,GAC3B,gBAAgB,GAChB,qBAAqB,GACrB,iBAAiB,CAAC;AAEtB;;;GAGG;A
ACH,MAAM,WAAW,yBAAyB;IACxC,UAAU,EAAE,OAAO,CAAC;IACpB,IAAI,EAAE,OAAO,CAAC;IACd,SAAS,EAAE,kBAAkB,CAAC;IAC9B,uBAAuB,EAAE,0BAA0B,EAAE,CAAC;IACtD,QAAQ,EAAE;QACR,kBAAkB,EAAE,MAAM,EAAE,CAAC;QAC7B,YAAY,EAAE,MAAM,EAAE,CAAC;QACvB,eAAe,EAAE,MAAM,CAAC;QACxB,SAAS,EAAE,MAAM,CAAC;KACnB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,MAAM,mBAAmB,GAAG,YAAY,GAAG,QAAQ,GAAG,UAAU,CAAC;AAEvE;;;;;;GAMG;AACH,qBAAa,wBAAwB;IAEnC,OAAO,CAAC,eAAe,CAAkB;IACzC,OAAO,CAAC,iBAAiB,CAA4B;IACrD,OAAO,CAAC,YAAY,CAAe;IACnC,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,gBAAgB,CAAmB;;IAc3C;;;;;;OAMG;IACH,eAAe,CACb,QAAQ,EAAE,2BAA2B,EACrC,OAAO,EAAE,eAAe,EACxB,IAAI,EAAE,IAAI,GACT,cAAc;IAqBjB;;OAEG;IACH,mBAAmB,CACjB,IAAI,EAAE,IAAI,EACV,YAAY,EAAE,OAAO,EACrB,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,eAAe,EACxB,kBAAkB,CAAC,EAAE,2BAA2B,GAC/C,gBAAgB;IAWnB;;;OAGG;IACH,yBAAyB,CACvB,QAAQ,EAAE,2BAA2B,GACpC,gBAAgB;IAsFnB;;;;;;;;;OASG;IACH,2BAA2B,CACzB,QAAQ,EAAE,2BAA2B,GACpC,oBAAoB;IAmGvB;;;;;;;;;;OAUG;IACH,8BAA8B,CAC5B,QAAQ,EAAE,2BAA2B,GACpC,qBAAqB;IAyFxB;;;;;;;;;;;OAWG;IACH,8BAA8B,CAC5B,QAAQ,EAAE,2BAA2B,GACpC,qBAAqB;IA6FxB;;;;;;;;;;OAUG;IACH,gCAAgC,CAC9B,QAAQ,EAAE,2BAA2B,GACpC,uBAAuB;IAwJ1B;;;;;;;;;;;;;OAaG;IACH,4BAA4B,CAC1B,QAAQ,EAAE,2BAA2B,GACpC,mBAAmB;
|
|
1
|
+
{"version":3,"file":"SecurityResponseAnalyzer.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/SecurityResponseAnalyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EACL,2BAA2B,EAC3B,IAAI,EACL,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAEzD,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,wBAAwB,CAAC;AAK1E,OAAO,EAAgB,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAElE,OAAO,EAAoB,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAYxE,YAAY,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAC3D,YAAY,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAEzD;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,YAAY,EAAE,OAAO,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,OAAO,CAAC;IAClB,WAAW,EAAE,WAAW,GAAG,aAAa,GAAG,SAAS,CAAC;IACrD,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,oBAAoB;IACnC,UAAU,EAAE,OAAO,CAAC;IACpB,IAAI,EAAE,OAAO,CAAC;IACd,eAAe,EAAE,cAAc,GAAG,aAAa,GAAG,SAAS,CAAC;IAC5D,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;GAGG;AACH,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,OAAO,CAAC;IAClB,UAAU,EAAE,kBAAkB,GAAG,mBAAmB,GAAG,SAAS,CAAC;IACjE,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,OAAO,CAAC;IAClB,aAAa,EACT,uBAAuB,GACvB,sBAAsB,GACtB,WAAW,GACX,SAAS,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,OAAO,CAAC;IAClB,iBAAiB,EACb,kBAAkB,GAClB,mBAAmB,GACnB,YAAY,GACZ,WAAW,GACX,iBAAiB,GACjB,SAAS,CAAC;IACd,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;;GAUG;AACH,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,OAAO,CAAC;IAClB,iBAAiB,EACb,WAAW,GACX,aAAa,GACb,iBAAiB,GACjB,eAAe,GACf,UAAU,GACV,eAAe,GACf,UAAU,GACV,iBAAiB,GACjB,SAAS,CAAC;IACd,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,MAAM,kBAAkB,GAC1B,sBAAsB,GACtB,iBAAiB,GACjB,SAAS,GACT,SAAS,CAAC;AAEd;;GAEG;AACH,MAAM,MAAM,0BAA0B,GAClC,kBAAkB,GAClB,iBAAiB,GACjB,2BAA2B,GAC3B,gBAAgB,GAChB,qBAAqB,GACrB,iBAAiB,CAAC;AAEtB;;;GAGG;A
ACH,MAAM,WAAW,yBAAyB;IACxC,UAAU,EAAE,OAAO,CAAC;IACpB,IAAI,EAAE,OAAO,CAAC;IACd,SAAS,EAAE,kBAAkB,CAAC;IAC9B,uBAAuB,EAAE,0BAA0B,EAAE,CAAC;IACtD,QAAQ,EAAE;QACR,kBAAkB,EAAE,MAAM,EAAE,CAAC;QAC7B,YAAY,EAAE,MAAM,EAAE,CAAC;QACvB,eAAe,EAAE,MAAM,CAAC;QACxB,SAAS,EAAE,MAAM,CAAC;KACnB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,MAAM,mBAAmB,GAAG,YAAY,GAAG,QAAQ,GAAG,UAAU,CAAC;AAEvE;;;;;;GAMG;AACH,qBAAa,wBAAwB;IAEnC,OAAO,CAAC,eAAe,CAAkB;IACzC,OAAO,CAAC,iBAAiB,CAA4B;IACrD,OAAO,CAAC,YAAY,CAAe;IACnC,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,gBAAgB,CAAmB;;IAc3C;;;;;;OAMG;IACH,eAAe,CACb,QAAQ,EAAE,2BAA2B,EACrC,OAAO,EAAE,eAAe,EACxB,IAAI,EAAE,IAAI,GACT,cAAc;IAqBjB;;OAEG;IACH,mBAAmB,CACjB,IAAI,EAAE,IAAI,EACV,YAAY,EAAE,OAAO,EACrB,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,eAAe,EACxB,kBAAkB,CAAC,EAAE,2BAA2B,GAC/C,gBAAgB;IAWnB;;;OAGG;IACH,yBAAyB,CACvB,QAAQ,EAAE,2BAA2B,GACpC,gBAAgB;IAsFnB;;;;;;;;;OASG;IACH,2BAA2B,CACzB,QAAQ,EAAE,2BAA2B,GACpC,oBAAoB;IAmGvB;;;;;;;;;;OAUG;IACH,8BAA8B,CAC5B,QAAQ,EAAE,2BAA2B,GACpC,qBAAqB;IAyFxB;;;;;;;;;;;OAWG;IACH,8BAA8B,CAC5B,QAAQ,EAAE,2BAA2B,GACpC,qBAAqB;IA6FxB;;;;;;;;;;OAUG;IACH,gCAAgC,CAC9B,QAAQ,EAAE,2BAA2B,GACpC,uBAAuB;IAwJ1B;;;;;;;;;;;;;OAaG;IACH,4BAA4B,CAC1B,QAAQ,EAAE,2BAA2B,GACpC,mBAAmB;IAqPtB;;;;;;;;;;;;OAYG;IACH,wBAAwB,CACtB,QAAQ,EAAE,2BAA2B,GACpC,yBAAyB;IA6D5B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA8BG;IACH,kBAAkB,CAAC,QAAQ,EAAE,2BAA2B,GAAG;QACzD,QAAQ,EAAE,OAAO,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB;IAwCD;;OAEG;IACH,iBAAiB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,OAAO;IAIjE;;OAEG;IACH,8BAA8B,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO;IAIvD;;OAEG;IACH,aAAa,CAAC,QAAQ,EAAE,2BAA2B,GAAG,mBAAmB;IAIzE;;OAEG;IACH,0BAA0B,CAAC,KAAK,EAAE,OAAO,GAAG,mBAAmB;IAI/D;;OAEG;IACH,sBAAsB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,MAAM;IAQrE;;OAEG;IACH,oBAAoB,CAClB,SAAS,EAAE;QAAE,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,EACvD,YAAY,EAAE,MAAM,GACnB,OAAO;IAIV;;OAEG;IACH,mBAAmB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIlD;;OAEG;IACH,mBAAmB,CAAC,eAAe,EAAE,MAAM,GAAG,OAAO;IAIrD;;OAEG;IACH,oBAAoB,CAAC,YAAY,EAAE,MAAM,GAAG,
OAAO;IAInD;;;OAGG;IACH,oBAAoB,CAAC,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO;IAIpE;;OAEG;IACH,qCAAqC,CACnC,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,GACnB,OAAO;IAOV;;OAEG;IACH,yBAAyB,CACvB,OAAO,EAAE,MAAM,EACf,YAAY,EAAE,MAAM,EACpB,IAAI,CAAC,EAAE,IAAI,GACV,kBAAkB;IAQrB;;OAEG;IACH,oBAAoB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAInD;;OAEG;IACH,wBAAwB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIvD;;OAEG;IACH,8BAA8B,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAI7D;;OAEG;IACH,qBAAqB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,OAAO;IAIrE;;OAEG;IACH,oBAAoB,CAAC,QAAQ,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,GAAG,OAAO;IAOxE;;OAEG;IACH,sBAAsB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIrD;;OAEG;IACH,kBAAkB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAQjD;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IAyB/B;;;OAGG;IACH,OAAO,CAAC,qBAAqB;IAqF7B;;;OAGG;IACH,OAAO,CAAC,0BAA0B;IA0DlC;;OAEG;IACH,OAAO,CAAC,wBAAwB;CAmBjC"}
|
|
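--- a/package/lib/services/assessment/modules/securityTests/SecurityResponseAnalyzer.js
+++ b/package/lib/services/assessment/modules/securityTests/SecurityResponseAnalyzer.js
@@ -815,9 +815,9 @@ export class SecurityResponseAnalyzer {
 // CWE-326: Weak Key Length
 const weakKeyPatterns = [
 {
-// Match
-pattern: /"key_length"\s*:\s*[1-9](?!\d)/i,
-evidence: "key_length <
+// Match key_length 1-15 bytes (< 16 bytes = weak for AES-128/HMAC)
+pattern: /"key_length"\s*:\s*(?:[1-9]|1[0-5])(?!\d)/i,
+evidence: "key_length < 16 bytes (weak key)",
 },
 {
 pattern: /"key_secure"\s*:\s*false/i,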
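Review bot: The widened regex still misses two forms the evidence string claims to cover: a value of `0` (the first alternative starts at `[1-9]`) and a quoted number such as `"key_length": "8"`, since the pattern requires a digit immediately after the colon and whitespace. `pattern: /"key_length"\s*:\s*"?(?:[0-9]|1[0-5])"?(?!\d)/i` accepts both while still rejecting 16 and above, because the `(?!\d)` guard forces backtracking into the two-digit alternative for 10–15 and fails for three-digit values. The comment's "bytes" assumption is not checked anywhere in the hunk: if a server reports `key_length` in bits, a 64- or 80-bit key passes this check, so the evidence text `"key_length < 16 bytes (weak key)"` may be worth softening to `"key_length < 16 (weak key if reported in bytes)"` unless the unit is established elsewhere. The enclosing class SecurityResponseAnalyzer and the method holding `weakKeyPatterns` start and end outside the hunk.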