npm - @bryan-thompson/inspector-assessment-client - Versions diffs - 1.35.1 → 1.35.3 - Mend

@bryan-thompson/inspector-assessment-client 1.35.1 → 1.35.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (33) hide show

package/lib/services/assessment/modules/securityTests/SecurityPatternLibrary.js CHANGED Viewed

@@ -51,6 +51,75 @@ export const VALIDATION_ERROR_PATTERNS = [
     /field.*required/i,
 ];
 // =============================================================================
+// ERROR CONTEXT PATTERNS (Issue #146)
+// =============================================================================
+/**
+ * Issue #146: Error context patterns indicating operation failure
+ * Used to detect when payload appears in error message (likely false positive)
+ * These patterns indicate the server rejected/failed the operation
+ */
+export const ERROR_CONTEXT_PATTERNS = [
+    /failed\s+to\s+(?:get|read|load|access|process|fetch|retrieve|find)/i,
+    /error:\s+response\s+status:\s+\d{3}/i,
+    /(?:could\s+not|cannot|unable\s+to)\s+(?:find|locate|access|read|get|load)/i,
+    /\b(?:not\s+found|doesn['']t\s+exist|no\s+such|does\s+not\s+exist)\b/i,
+    /error\s+(?:loading|reading|processing|fetching|accessing)/i,
+    /(?:operation|request)\s+failed/i,
+    /invalid\s+(?:path|file|resource|input|parameter)/i,
+    /\b(?:rejected|refused|denied)\b/i,
+    /(?:resource|file|path)\s+(?:is\s+)?(?:invalid|not\s+allowed)/i,
+    /access\s+(?:denied|forbidden)/i,
+    /permission\s+denied/i,
+    /\b(?:4\d{2}|5\d{2})\s*(?:error|not\s+found|bad\s+request|unauthorized|forbidden)/i,
+];
+/**
+ * Issue #146: Success context patterns indicating operation completion
+ * Used to confirm operation actually executed (high confidence vulnerability)
+ * These patterns indicate the server processed and returned results
+ */
+export const SUCCESS_CONTEXT_PATTERNS = [
+    /(?:successfully|completed)\s+(?:read|loaded|accessed|executed|retrieved)/i,
+    /file\s+contents?:/i,
+    /data\s+retrieved/i,
+    /execution\s+result:/i,
+    /\boutput:/i,
+    /\bresults?:/i,
+    /returned\s+(?:data|content|results)/i,
+    /read\s+\d+\s+bytes/i,
+    /fetched\s+(?:from|data)/i,
+];
+/**
+ * Issue #146: Check if payload appears in error context (likely false positive)
+ * @param responseText The full response text from the tool
+ * @param payload The payload that was sent to the tool
+ * @returns true if payload is reflected in an error context
+ */
+export function isPayloadInErrorContext(responseText, payload) {
+    // Check if response contains error patterns
+    const hasErrorContext = ERROR_CONTEXT_PATTERNS.some((p) => p.test(responseText));
+    // Check if payload is reflected in the response
+    const payloadReflected = responseText
+        .toLowerCase()
+        .includes(payload.toLowerCase());
+    return hasErrorContext && payloadReflected;
+}
+/**
+ * Issue #146: Check if response indicates successful operation (high confidence)
+ * @param responseText The full response text from the tool
+ * @returns true if response indicates operation succeeded
+ */
+export function hasSuccessContext(responseText) {
+    return SUCCESS_CONTEXT_PATTERNS.some((p) => p.test(responseText));
+}
+/**
+ * Issue #146: Check if response indicates failed operation (error context)
+ * @param responseText The full response text from the tool
+ * @returns true if response indicates operation failed
+ */
+export function hasErrorContext(responseText) {
+    return ERROR_CONTEXT_PATTERNS.some((p) => p.test(responseText));
+}
+// =============================================================================
 // EXECUTION EVIDENCE PATTERNS
 // =============================================================================
 /**
@@ -985,6 +1054,111 @@ export const OUTPUT_INJECTION_PATTERNS = {
     canaryMarkers: [/SENTINEL_OUTPUT_MARKER_\d+/],
 };
 // =============================================================================
+// EXCESSIVE PERMISSIONS SCOPE PATTERNS (Issue #144, Challenge #22)
+// =============================================================================
+/**
+ * Patterns indicating scope violation in tool response
+ * Detects when tools exceed their declared annotations at runtime
+ * CWE-250: Execution with Unnecessary Privileges
+ * CWE-269: Improper Privilege Management
+ */
+export const SCOPE_VIOLATION_PATTERNS = [
+    {
+        pattern: /"scope_violation"\s*:\s*true/i,
+        evidence: "scope_violation: true (tool exceeded declared scope)",
+    },
+    {
+        pattern: /"scope_escalation"\s*:\s*true/i,
+        evidence: "scope_escalation: true (privilege escalation via input)",
+    },
+    {
+        pattern: /"actual_scope"\s*:\s*"(write|delete|execute|network)"/i,
+        evidence: "actual_scope indicates privileged operation",
+    },
+    {
+        pattern: /"privileged_data"\s*:/i,
+        evidence: "privileged_data exposed in response",
+    },
+    {
+        pattern: /"system_secrets"\s*:/i,
+        evidence: "system_secrets leaked in response",
+    },
+    {
+        pattern: /admin[\s_-]?mode[\s_-]?activated/i,
+        evidence: "Admin mode activated via keyword trigger",
+    },
+];
+/**
+ * Patterns indicating safe scope enforcement (hardened behavior)
+ * Used to confirm tools properly reject privileged actions
+ */
+export const SCOPE_ENFORCED_PATTERNS = [
+    {
+        pattern: /"scope_enforced"\s*:\s*true/i,
+        evidence: "scope_enforced: true (safe)",
+    },
+    {
+        pattern: /"blocked"\s*:\s*true/i,
+        evidence: "Action blocked by allowlist",
+    },
+    {
+        pattern: /action.*not.*in.*allowlist/i,
+        evidence: "Allowlist enforcement",
+    },
+    {
+        pattern: /"rejection_reason"\s*:\s*"action_not_in_allowlist"/i,
+        evidence: "Explicit rejection: action not in allowlist",
+    },
+    {
+        pattern: /"escalation_attempted"\s*:\s*false/i,
+        evidence: "No escalation attempted (safe)",
+    },
+    {
+        pattern: /"allowed_actions"\s*:\s*\[/i,
+        evidence: "Allowlist defined and enforced",
+    },
+];
+/**
+ * Privileged actions that should be blocked by readOnlyHint=True tools
+ */
+export const PRIVILEGED_ACTIONS = [
+    "write",
+    "write_file",
+    "delete",
+    "delete_data",
+    "execute",
+    "execute_command",
+    "network",
+    "network_request",
+    "modify",
+    "modify_config",
+    "admin",
+    "environment_access",
+];
+/**
+ * Escalation keywords that may trigger hidden privilege escalation
+ */
+export const ESCALATION_KEYWORDS = [
+    "admin",
+    "sudo",
+    "elevate",
+    "root",
+    "superuser",
+    "privilege",
+];
+/**
+ * Check if response contains scope violation indicators (Issue #144)
+ */
+export function hasScopeViolation(text) {
+    return SCOPE_VIOLATION_PATTERNS.some(({ pattern }) => pattern.test(text));
+}
+/**
+ * Check if response contains scope enforcement indicators (Issue #144)
+ */
+export function hasScopeEnforcement(text) {
+    return SCOPE_ENFORCED_PATTERNS.some(({ pattern }) => pattern.test(text));
+}
+// =============================================================================
 // HELPER FUNCTIONS
 // =============================================================================
 /**

package/lib/services/assessment/modules/securityTests/SecurityPayloadTester.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"SecurityPayloadTester.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/SecurityPayloadTester.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,EACL,gBAAgB,EAIjB,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,2BAA2B,EAC3B,IAAI,EACL,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAGL,eAAe,EAChB,MAAM,wBAAwB,CAAC;AAOhC;;GAEG;AACH,MAAM,MAAM,oBAAoB,GAAG,gBAAgB,CAAC;AAEpD;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IAC/B,QAAQ,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,KAAK,IAAI,CAAC;CACrD;AAED;;GAEG;AACH,qBAAa,qBAAqB;IAO9B,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,kBAAkB;IAR5B,OAAO,CAAC,gBAAgB,CAA2B;IACnD,OAAO,CAAC,gBAAgB,CAA2B;IACnD,OAAO,CAAC,oBAAoB,CAAuB;IACnD,OAAO,CAAC,SAAS,CAAK;gBAGZ,MAAM,EAAE,iBAAiB,EACzB,MAAM,EAAE,UAAU,EAClB,kBAAkB,EAAE,CAAC,CAAC,EAC5B,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,EACnB,OAAO,EAAE,MAAM,KACZ,OAAO,CAAC,CAAC,CAAC;IAOjB;;;OAGG;IACG,yBAAyB,CAC7B,KAAK,EAAE,IAAI,EAAE,EACb,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,EACzC,UAAU,CAAC,EAAE,oBAAoB,GAChC,OAAO,CAAC,kBAAkB,EAAE,CAAC;IAqMhC;;;OAGG;IACG,qBAAqB,CACzB,KAAK,EAAE,IAAI,EAAE,EACb,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,EACzC,UAAU,CAAC,EAAE,oBAAoB,GAChC,OAAO,CAAC,kBAAkB,EAAE,CAAC;IA6LhC;;OAEG;IACG,WAAW,CACf,IAAI,EAAE,IAAI,EACV,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,eAAe,EACxB,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,GACxC,OAAO,CAAC,kBAAkB,CAAC;~~IA6P9B~~;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAO3B;;OAEG;IACH,OAAO,CAAC,KAAK;CAGd"}
1	+ {"version":3,"file":"SecurityPayloadTester.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/SecurityPayloadTester.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,EACL,gBAAgB,EAIjB,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,2BAA2B,EAC3B,IAAI,EACL,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAGL,eAAe,EAChB,MAAM,wBAAwB,CAAC;AAOhC;;GAEG;AACH,MAAM,MAAM,oBAAoB,GAAG,gBAAgB,CAAC;AAEpD;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IAC/B,QAAQ,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,KAAK,IAAI,CAAC;CACrD;AAED;;GAEG;AACH,qBAAa,qBAAqB;IAO9B,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,kBAAkB;IAR5B,OAAO,CAAC,gBAAgB,CAA2B;IACnD,OAAO,CAAC,gBAAgB,CAA2B;IACnD,OAAO,CAAC,oBAAoB,CAAuB;IACnD,OAAO,CAAC,SAAS,CAAK;gBAGZ,MAAM,EAAE,iBAAiB,EACzB,MAAM,EAAE,UAAU,EAClB,kBAAkB,EAAE,CAAC,CAAC,EAC5B,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,EACnB,OAAO,EAAE,MAAM,KACZ,OAAO,CAAC,CAAC,CAAC;IAOjB;;;OAGG;IACG,yBAAyB,CAC7B,KAAK,EAAE,IAAI,EAAE,EACb,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,EACzC,UAAU,CAAC,EAAE,oBAAoB,GAChC,OAAO,CAAC,kBAAkB,EAAE,CAAC;IAqMhC;;;OAGG;IACG,qBAAqB,CACzB,KAAK,EAAE,IAAI,EAAE,EACb,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,EACzC,UAAU,CAAC,EAAE,oBAAoB,GAChC,OAAO,CAAC,kBAAkB,EAAE,CAAC;IA6LhC;;OAEG;IACG,WAAW,CACf,IAAI,EAAE,IAAI,EACV,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,eAAe,EACxB,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,GACxC,OAAO,CAAC,kBAAkB,CAAC;IAyR9B;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAO3B;;OAEG;IACH,OAAO,CAAC,KAAK;CAGd"}

package/lib/services/assessment/modules/securityTests/SecurityPayloadTester.js CHANGED Viewed

@@ -437,6 +437,19 @@ export class SecurityPayloadTester {
                     cryptoFailureEvidence: cryptoResult.evidence,
                 };
             }
+            // Issue #144: Analyze excessive permissions scope patterns for Challenge #22
+            let excessivePermissionsFields = {};
+            if (attackName === "Excessive Permissions Scope") {
+                const scopeResult = this.responseAnalyzer.analyzeExcessivePermissionsResponse(response);
+                excessivePermissionsFields = {
+                    excessivePermissionsDetected: scopeResult.detected,
+                    scopeViolationType: scopeResult.violationType,
+                    scopeActual: scopeResult.actualScope,
+                    scopeTriggerPayload: scopeResult.triggerPayload,
+                    scopeCweIds: scopeResult.cweIds,
+                    excessivePermissionsEvidence: scopeResult.evidence,
+                };
+            }
             return {
                 testName: attackName,
                 description: payload.description,
@@ -459,6 +472,8 @@ export class SecurityPayloadTester {
                 ...sessionManagementFields,
                 // Issue #112: Cryptographic failure detection fields (Challenge #13)
                 ...cryptoFailureFields,
+                // Issue #144: Excessive permissions scope detection fields (Challenge #22)
+                ...excessivePermissionsFields,
                 ...confidenceResult,
             };
         }

package/lib/services/assessment/modules/securityTests/SecurityResponseAnalyzer.d.ts CHANGED Viewed

@@ -96,6 +96,20 @@ export interface CryptoFailureResult {
     cweIds: string[];
     evidence?: string;
 }
+/**
+ * Result of excessive permissions scope analysis (Issue #144, Challenge #22)
+ * Detects when tools exceed their declared annotation scope:
+ * - CWE-250: Execution with Unnecessary Privileges (scope violation)
+ * - CWE-269: Improper Privilege Management (scope escalation)
+ */
+export interface ExcessivePermissionsScopeResult {
+    detected: boolean;
+    violationType: "SCOPE_VIOLATION" | "SCOPE_ESCALATION" | "SAFE" | "UNKNOWN";
+    actualScope?: string;
+    triggerPayload?: string;
+    cweIds: string[];
+    evidence?: string;
+}
 /**
  * Chain execution type classification (Issue #93, Challenge #6)
  */
@@ -362,6 +376,32 @@ export declare class SecurityResponseAnalyzer {
      * Handles: Evidence pattern matching, fallback injection analysis
      */
     private checkVulnerabilityEvidence;
+    /**
+     * Issue #146: Classify vulnerability context to reduce false positives
+     * Distinguishes between actual execution and payload reflection in errors
+     *
+     * Context classification:
+     * - CONFIRMED: Operation succeeded, payload was actually executed (HIGH risk)
+     * - LIKELY_FALSE_POSITIVE: Operation failed, payload just reflected in error (LOW risk)
+     * - SUSPECTED: Ambiguous case requiring manual review (MEDIUM risk)
+     *
+     * @param vulnResult The vulnerability analysis result from checkVulnerabilityEvidence
+     * @param responseText The full response text (lowercase)
+     * @param payload The security payload that was tested
+     * @returns Updated AnalysisResult with context classification
+     */
+    private classifyVulnerabilityContext;
+    /**
+     * Analyze response for excessive permissions scope violations (Issue #144, Challenge #22)
+     * Detects when tools exceed their declared annotation scope:
+     * - scope_violation: Tool performed privileged action despite restrictive annotations
+     * - scope_escalation: Keyword triggered hidden admin/privilege mode
+     * - scope_enforced: Tool properly blocked the privileged action (safe)
+     *
+     * CWE-250: Execution with Unnecessary Privileges
+     * CWE-269: Improper Privilege Management
+     */
+    analyzeExcessivePermissionsResponse(response: CompatibilityCallToolResult): ExcessivePermissionsScopeResult;
     /**
      * Analyze injection response (fallback logic)
      */

package/lib/services/assessment/modules/securityTests/SecurityResponseAnalyzer.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"SecurityResponseAnalyzer.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/SecurityResponseAnalyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EACL,2BAA2B,EAC3B,IAAI,EACL,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAEzD,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,wBAAwB,CAAC;AAK1E,OAAO,EAAgB,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAElE,OAAO,EAAoB,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;~~AAYxE~~,YAAY,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAC3D,YAAY,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAEzD;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,YAAY,EAAE,OAAO,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,OAAO,CAAC;IAClB,WAAW,EAAE,WAAW,GAAG,aAAa,GAAG,SAAS,CAAC;IACrD,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,oBAAoB;IACnC,UAAU,EAAE,OAAO,CAAC;IACpB,IAAI,EAAE,OAAO,CAAC;IACd,eAAe,EAAE,cAAc,GAAG,aAAa,GAAG,SAAS,CAAC;IAC5D,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;GAGG;AACH,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,OAAO,CAAC;IAClB,UAAU,EAAE,kBAAkB,GAAG,mBAAmB,GAAG,SAAS,CAAC;IACjE,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,OAAO,CAAC;IAClB,aAAa,EACT,uBAAuB,GACvB,sBAAsB,GACtB,WAAW,GACX,SAAS,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,OAAO,CAAC;IAClB,iBAAiB,EACb,kBAAkB,GAClB,mBAAmB,GACnB,YAAY,GACZ,WAAW,GACX,iBAAiB,GACjB,SAAS,CAAC;IACd,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;;GAUG;AACH,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,OAAO,CAAC;IAClB,iBAAiB,EACb,WAAW,GACX,aAAa,GACb,iBAAiB,GACjB,eAAe,GACf,UAAU,GACV,eAAe,GACf,UAAU,GACV,iBAAiB,GACjB,SAAS,CAAC;IACd,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,MAAM,kBAAkB,GAC1B,sBAAsB,GACtB,iBAAiB,GACjB,SAAS,GACT,SAAS,CAAC;AAEd;;GAEG;AACH,MAAM,MAAM,0BAA0B,GAClC,kBAAkB,GAClB,iBAAiB,GACjB,2BAA2B,GAC3B,gBAAgB,GAChB,qBAAqB,GACrB,iBAAiB,CAAC;AAEtB;;;GAGG;AACH,MAAM,WAAW,yBAAyB;IACxC,UAAU,EAAE,OAAO,CAAC;IACpB,IAAI,EAAE,OAAO,CAAC;IACd,SAAS,EAAE,kBAAkB,CAAC;IAC9B,uBAAuB,EAAE,0BAA0B,EAAE,CAAC;IACtD,QAAQ,EAAE;QACR,kBAAkB,EAAE,MAAM,EAAE,CAAC;QAC7B,YAAY,EAAE,MAAM,EAAE,CAAC;QACvB,eAAe,EAAE,MAAM,CAAC;QACxB,SAAS,EAAE,MAAM,CAAC;KACnB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,MAAM,mBAAmB,GAAG,YAAY,GAAG,QAAQ,GAAG,UAAU,CAAC;AAEvE;;;;;;GAMG;AACH,qBAAa,wBAAwB;IAEnC,OAAO,CAAC,eAAe,CAAkB;IACzC,OAAO,CAAC,iBAAiB,CAA4B;IACrD,OAAO,CAAC,YAAY,CAAe;IACnC,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,gBAAgB,CAAmB;;IAc3C;;;;;;OAMG;IACH,eAAe,CACb,QAAQ,EAAE,2BAA2B,EACrC,OAAO,EAAE,eAAe,EACxB,IAAI,EAAE,IAAI,GACT,cAAc;~~IAqBjB~~;;OAEG;IACH,mBAAmB,CACjB,IAAI,EAAE,IAAI,EACV,YAAY,EAAE,OAAO,EACrB,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,eAAe,EACxB,kBAAkB,CAAC,EAAE,2BAA2B,GAC/C,gBAAgB;IAWnB;;;OAGG;IACH,yBAAyB,CACvB,QAAQ,EAAE,2BAA2B,GACpC,gBAAgB;~~IAsFnB~~;;;;;;;;;OASG;IACH,2BAA2B,CACzB,QAAQ,EAAE,2BAA2B,GACpC,oBAAoB;~~IAmGvB~~;;;;;;;;;;OAUG;IACH,8BAA8B,CAC5B,QAAQ,EAAE,2BAA2B,GACpC,qBAAqB;IAyFxB;;;;;;;;;;;OAWG;IACH,8BAA8B,CAC5B,QAAQ,EAAE,2BAA2B,GACpC,qBAAqB;IA6FxB;;;;;;;;;;OAUG;IACH,gCAAgC,CAC9B,QAAQ,EAAE,2BAA2B,GACpC,uBAAuB;IAwJ1B;;;;;;;;;;;;;OAaG;IACH,4BAA4B,CAC1B,QAAQ,EAAE,2BAA2B,GACpC,mBAAmB;IAqPtB;;;;;;;;;;;;OAYG;IACH,wBAAwB,CACtB,QAAQ,EAAE,2BAA2B,GACpC,yBAAyB;IA6D5B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA8BG;IACH,kBAAkB,CAAC,QAAQ,EAAE,2BAA2B,GAAG;QACzD,QAAQ,EAAE,OAAO,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB;IAwCD;;OAEG;IACH,iBAAiB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,OAAO;IAIjE;;OAEG;IACH,8BAA8B,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO;IAIvD;;OAEG;IACH,aAAa,CAAC,QAAQ,EAAE,2BAA2B,GAAG,mBAAmB;IAIzE;;OAEG;IACH,0BAA0B,CAAC,KAAK,EAAE,OAAO,GAAG,mBAAmB;IAI/D;;OAEG;IACH,sBAAsB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,MAAM;IAQrE;;OAEG;IACH,oBAAoB,CAClB,SAAS,EAAE;QAAE,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,EACvD,YAAY,EAAE,MAAM,GACnB,OAAO;IAIV;;OAEG;IACH,mBAAmB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIlD;;OAEG;IACH,mBAAmB,CAAC,eAAe,EAAE,MAAM,GAAG,OAAO;IAIrD;;OAEG;IACH,oBAAoB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAInD;;;OAGG;IACH,oBAAoB,CAAC,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO;IAIpE;;OAEG;IACH,qCAAqC,CACnC,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,GACnB,OAAO;IAOV;;OAEG;IACH,yBAAyB,CACvB,OAAO,EAAE,MAAM,EACf,YAAY,EAAE,MAAM,EACpB,IAAI,CAAC,EAAE,IAAI,GACV,kBAAkB;IAQrB;;OAEG;IACH,oBAAoB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAInD;;OAEG;IACH,wBAAwB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIvD;;OAEG;IACH,8BAA8B,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAI7D;;OAEG;IACH,qBAAqB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,OAAO;IAIrE;;OAEG;IACH,oBAAoB,CAAC,QAAQ,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,GAAG,OAAO;IAOxE;;OAEG;IACH,sBAAsB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIrD;;OAEG;IACH,kBAAkB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAQjD;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IAyB/B;;;OAGG;IACH,OAAO,CAAC,qBAAqB;IAqF7B;;;OAGG;IACH,OAAO,CAAC,0BAA0B;~~IA0DlC~~;;OAEG;IACH,OAAO,CAAC,wBAAwB;CAmBjC"}
1	+ {"version":3,"file":"SecurityResponseAnalyzer.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/SecurityResponseAnalyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EACL,2BAA2B,EAC3B,IAAI,EACL,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAEzD,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,wBAAwB,CAAC;AAK1E,OAAO,EAAgB,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAElE,OAAO,EAAoB,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAyBxE,YAAY,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAC3D,YAAY,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAEzD;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,YAAY,EAAE,OAAO,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,OAAO,CAAC;IAClB,WAAW,EAAE,WAAW,GAAG,aAAa,GAAG,SAAS,CAAC;IACrD,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,oBAAoB;IACnC,UAAU,EAAE,OAAO,CAAC;IACpB,IAAI,EAAE,OAAO,CAAC;IACd,eAAe,EAAE,cAAc,GAAG,aAAa,GAAG,SAAS,CAAC;IAC5D,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;GAGG;AACH,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,OAAO,CAAC;IAClB,UAAU,EAAE,kBAAkB,GAAG,mBAAmB,GAAG,SAAS,CAAC;IACjE,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,OAAO,CAAC;IAClB,aAAa,EACT,uBAAuB,GACvB,sBAAsB,GACtB,WAAW,GACX,SAAS,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,OAAO,CAAC;IAClB,iBAAiB,EACb,kBAAkB,GAClB,mBAAmB,GACnB,YAAY,GACZ,WAAW,GACX,iBAAiB,GACjB,SAAS,CAAC;IACd,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;;GAUG;AACH,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,OAAO,CAAC;IAClB,iBAAiB,EACb,WAAW,GACX,aAAa,GACb,iBAAiB,GACjB,eAAe,GACf,UAAU,GACV,eAAe,GACf,UAAU,GACV,iBAAiB,GACjB,SAAS,CAAC;IACd,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;GAKG;AACH,MAAM,WAAW,+BAA+B;IAC9C,QAAQ,EAAE,OAAO,CAAC;IAClB,aAAa,EACT,iBAAiB,GACjB,kBAAkB,GAClB,MAAM,GACN,SAAS,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,MAAM,kBAAkB,GAC1B,sBAAsB,GACtB,iBAAiB,GACjB,SAAS,GACT,SAAS,CAAC;AAEd;;GAEG;AACH,MAAM,MAAM,0BAA0B,GAClC,kBAAkB,GAClB,iBAAiB,GACjB,2BAA2B,GAC3B,gBAAgB,GAChB,qBAAqB,GACrB,iBAAiB,CAAC;AAEtB;;;GAGG;AACH,MAAM,WAAW,yBAAyB;IACxC,UAAU,EAAE,OAAO,CAAC;IACpB,IAAI,EAAE,OAAO,CAAC;IACd,SAAS,EAAE,kBAAkB,CAAC;IAC9B,uBAAuB,EAAE,0BAA0B,EAAE,CAAC;IACtD,QAAQ,EAAE;QACR,kBAAkB,EAAE,MAAM,EAAE,CAAC;QAC7B,YAAY,EAAE,MAAM,EAAE,CAAC;QACvB,eAAe,EAAE,MAAM,CAAC;QACxB,SAAS,EAAE,MAAM,CAAC;KACnB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,MAAM,mBAAmB,GAAG,YAAY,GAAG,QAAQ,GAAG,UAAU,CAAC;AAEvE;;;;;;GAMG;AACH,qBAAa,wBAAwB;IAEnC,OAAO,CAAC,eAAe,CAAkB;IACzC,OAAO,CAAC,iBAAiB,CAA4B;IACrD,OAAO,CAAC,YAAY,CAAe;IACnC,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,gBAAgB,CAAmB;;IAc3C;;;;;;OAMG;IACH,eAAe,CACb,QAAQ,EAAE,2BAA2B,EACrC,OAAO,EAAE,eAAe,EACxB,IAAI,EAAE,IAAI,GACT,cAAc;IAqCjB;;OAEG;IACH,mBAAmB,CACjB,IAAI,EAAE,IAAI,EACV,YAAY,EAAE,OAAO,EACrB,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,eAAe,EACxB,kBAAkB,CAAC,EAAE,2BAA2B,GAC/C,gBAAgB;IAWnB;;;OAGG;IACH,yBAAyB,CACvB,QAAQ,EAAE,2BAA2B,GACpC,gBAAgB;IAoBnB;;;;;;;;;OASG;IACH,2BAA2B,CACzB,QAAQ,EAAE,2BAA2B,GACpC,oBAAoB;IAmCvB;;;;;;;;;;OAUG;IACH,8BAA8B,CAC5B,QAAQ,EAAE,2BAA2B,GACpC,qBAAqB;IAyFxB;;;;;;;;;;;OAWG;IACH,8BAA8B,CAC5B,QAAQ,EAAE,2BAA2B,GACpC,qBAAqB;IA6FxB;;;;;;;;;;OAUG;IACH,gCAAgC,CAC9B,QAAQ,EAAE,2BAA2B,GACpC,uBAAuB;IAwJ1B;;;;;;;;;;;;;OAaG;IACH,4BAA4B,CAC1B,QAAQ,EAAE,2BAA2B,GACpC,mBAAmB;IAqPtB;;;;;;;;;;;;OAYG;IACH,wBAAwB,CACtB,QAAQ,EAAE,2BAA2B,GACpC,yBAAyB;IA6D5B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA8BG;IACH,kBAAkB,CAAC,QAAQ,EAAE,2BAA2B,GAAG;QACzD,QAAQ,EAAE,OAAO,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB;IAwCD;;OAEG;IACH,iBAAiB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,OAAO;IAIjE;;OAEG;IACH,8BAA8B,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO;IAIvD;;OAEG;IACH,aAAa,CAAC,QAAQ,EAAE,2BAA2B,GAAG,mBAAmB;IAIzE;;OAEG;IACH,0BAA0B,CAAC,KAAK,EAAE,OAAO,GAAG,mBAAmB;IAI/D;;OAEG;IACH,sBAAsB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,MAAM;IAQrE;;OAEG;IACH,oBAAoB,CAClB,SAAS,EAAE;QAAE,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,EACvD,YAAY,EAAE,MAAM,GACnB,OAAO;IAIV;;OAEG;IACH,mBAAmB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIlD;;OAEG;IACH,mBAAmB,CAAC,eAAe,EAAE,MAAM,GAAG,OAAO;IAIrD;;OAEG;IACH,oBAAoB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAInD;;;OAGG;IACH,oBAAoB,CAAC,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO;IAIpE;;OAEG;IACH,qCAAqC,CACnC,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,GACnB,OAAO;IAOV;;OAEG;IACH,yBAAyB,CACvB,OAAO,EAAE,MAAM,EACf,YAAY,EAAE,MAAM,EACpB,IAAI,CAAC,EAAE,IAAI,GACV,kBAAkB;IAQrB;;OAEG;IACH,oBAAoB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAInD;;OAEG;IACH,wBAAwB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIvD;;OAEG;IACH,8BAA8B,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAI7D;;OAEG;IACH,qBAAqB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,OAAO;IAIrE;;OAEG;IACH,oBAAoB,CAAC,QAAQ,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,GAAG,OAAO;IAOxE;;OAEG;IACH,sBAAsB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIrD;;OAEG;IACH,kBAAkB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAQjD;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IAyB/B;;;OAGG;IACH,OAAO,CAAC,qBAAqB;IAqF7B;;;OAGG;IACH,OAAO,CAAC,0BAA0B;IA8DlC;;;;;;;;;;;;;OAaG;IACH,OAAO,CAAC,4BAA4B;IA8CpC;;;;;;;;;OASG;IACH,mCAAmC,CACjC,QAAQ,EAAE,2BAA2B,GACpC,+BAA+B;IA6ElC;;OAEG;IACH,OAAO,CAAC,wBAAwB;CAmBjC"}

package/lib/services/assessment/modules/securityTests/SecurityResponseAnalyzer.js CHANGED Viewed

@@ -20,7 +20,15 @@ import { MathAnalyzer } from "./MathAnalyzer.js";
 import { SafeResponseDetector } from "./SafeResponseDetector.js";
 import { ConfidenceScorer } from "./ConfidenceScorer.js";
 // Import pattern library for chain exploitation analysis
-import { CHAIN_EXPLOIT_VULNERABLE_PATTERNS, CHAIN_EXPLOIT_SAFE_PATTERNS, CHAIN_VULNERABLE_THRESHOLD, CHAIN_SAFE_THRESHOLD, detectVulnerabilityCategories, } from "./SecurityPatternLibrary.js";
+import { CHAIN_EXPLOIT_VULNERABLE_PATTERNS, CHAIN_EXPLOIT_SAFE_PATTERNS, CHAIN_VULNERABLE_THRESHOLD, CHAIN_SAFE_THRESHOLD, detectVulnerabilityCategories,
+// Issue #144: Excessive permissions scope patterns (Challenge #22)
+SCOPE_VIOLATION_PATTERNS, SCOPE_ENFORCED_PATTERNS,
+// Issue #146: Error context patterns for false positive reduction
+isPayloadInErrorContext, hasSuccessContext, hasErrorContext,
+// Issue #75: Auth bypass patterns (CVE-2025-52882)
+AUTH_FAIL_OPEN_PATTERNS, AUTH_FAIL_CLOSED_PATTERNS,
+// Issue #92: State-based auth patterns (Challenge #7)
+STATE_AUTH_VULNERABLE_PATTERNS, STATE_AUTH_SAFE_PATTERNS, } from "./SecurityPatternLibrary.js";
 /**
  * Analyzes tool responses for security vulnerabilities
  * Distinguishes between safe reflection and actual execution
@@ -64,7 +72,13 @@ export class SecurityResponseAnalyzer {
         if (behaviorResult)
             return behaviorResult;
         // Check 3: Vulnerability evidence matching
-        return this.checkVulnerabilityEvidence(response, payload, responseText);
+        const vulnResult = this.checkVulnerabilityEvidence(response, payload, responseText);
+        // Issue #146: If vulnerable, classify execution context to reduce false positives
+        // This distinguishes between actual execution and payload reflection in errors
+        if (vulnResult.isVulnerable) {
+            return this.classifyVulnerabilityContext(vulnResult, responseText, payload);
+        }
+        return vulnResult;
     }
     /**
      * Calculate confidence level and manual review requirements
@@ -78,77 +92,14 @@ export class SecurityResponseAnalyzer {
      */
     analyzeAuthBypassResponse(response) {
         const responseText = this.extractResponseContent(response);
-        // Fail-open indicators (VULNERABLE - CVE-2025-52882 pattern)
-        const failOpenPatterns = [
-            {
-                pattern: /"auth_type"\s*:\s*"fail-open"/i,
-                evidence: "auth_type: fail-open (CVE-2025-52882)",
-            },
-            {
-                pattern: /"auth_status"\s*:\s*"bypassed"/i,
-                evidence: "auth_status: bypassed",
-            },
-            {
-                pattern: /access.*granted.*despite/i,
-                evidence: "access granted despite failure",
-            },
-            {
-                pattern: /authentication.*skipped/i,
-                evidence: "authentication skipped",
-            },
-            { pattern: /fail[\s-]?open/i, evidence: "fail-open pattern detected" },
-            { pattern: /bypassed.*auth/i, evidence: "auth bypassed" },
-            {
-                pattern: /authentication.*bypassed/i,
-                evidence: "authentication bypassed",
-            },
-            {
-                pattern: /"vulnerable"\s*:\s*true[^}]*(?:"auth_status"|"auth_type"|"auth_error")|(?:"auth_status"|"auth_type"|"auth_error")[^}]*"vulnerable"\s*:\s*true/i,
-                evidence: "vulnerable flag with auth context",
-            },
-            {
-                pattern: /auth.*succeeded.*null/i,
-                evidence: "auth succeeded with null token",
-            },
-            {
-                pattern: /granted.*without.*valid/i,
-                evidence: "granted without valid token",
-            },
-            {
-                pattern: /"action_performed"/i,
-                evidence: "action performed indicator",
-            },
-        ];
-        // Fail-closed indicators (SAFE - proper auth handling)
-        const failClosedPatterns = [
-            {
-                pattern: /"auth_type"\s*:\s*"fail-closed"/i,
-                evidence: "auth_type: fail-closed (secure)",
-            },
-            {
-                pattern: /"auth_status"\s*:\s*"denied"/i,
-                evidence: "auth_status: denied",
-            },
-            { pattern: /access.*denied/i, evidence: "access denied" },
-            { pattern: /authentication.*failed/i, evidence: "authentication failed" },
-            {
-                pattern: /fail[\s-]?closed/i,
-                evidence: "fail-closed pattern detected",
-            },
-            { pattern: /"status"\s*:\s*"blocked"/i, evidence: "status: blocked" },
-            { pattern: /invalid.*token/i, evidence: "invalid token rejection" },
-            { pattern: /token.*required/i, evidence: "token required" },
-            { pattern: /unauthorized/i, evidence: "unauthorized response" },
-            { pattern: /"denial_reason"/i, evidence: "denial reason provided" },
-        ];
         // Check for fail-open (vulnerable) patterns first
-        for (const { pattern, evidence } of failOpenPatterns) {
+        for (const { pattern, evidence } of AUTH_FAIL_OPEN_PATTERNS) {
             if (pattern.test(responseText)) {
                 return { detected: true, failureMode: "FAIL_OPEN", evidence };
             }
         }
         // Check for fail-closed (safe) patterns
-        for (const { pattern, evidence } of failClosedPatterns) {
+        for (const { pattern, evidence } of AUTH_FAIL_CLOSED_PATTERNS) {
             if (pattern.test(responseText)) {
                 return { detected: false, failureMode: "FAIL_CLOSED", evidence };
             }
@@ -167,70 +118,8 @@ export class SecurityResponseAnalyzer {
      */
     analyzeStateBasedAuthBypass(response) {
         const responseText = this.extractResponseContent(response);
-        // Vulnerable patterns - shared state authorization (Challenge #7)
-        const vulnerablePatterns = [
-            {
-                pattern: /"admin_mode"\s*:\s*true/i,
-                evidence: "admin_mode enabled in response",
-            },
-            {
-                pattern: /hint.*use\s+config_modifier/i,
-                evidence: "Tool hints at cross-tool state dependency",
-            },
-            {
-                pattern: /admin_mode.*set\s+by.*another\s+tool/i,
-                evidence: "Explicit cross-tool state dependency",
-            },
-            {
-                pattern: /"evidence".*cross-tool.*privilege/i,
-                evidence: "Cross-tool privilege escalation detected",
-            },
-            {
-                pattern: /elevated\s+privileges?\s+granted/i,
-                evidence: "Elevated privileges granted",
-            },
-            {
-                pattern: /admin\s+mode\s+activated/i,
-                evidence: "Admin mode activated (state modifier)",
-            },
-            {
-                pattern: /"hint".*config_modifier.*admin_mode/i,
-                evidence: "Response hints at config_modifier for admin_mode",
-            },
-            {
-                pattern: /Use\s+config_modifier.*enable.*admin_mode/i,
-                evidence: "Tool depends on config_modifier for authorization",
-            },
-        ];
-        // Safe patterns - independent authorization (secure)
-        const safePatterns = [
-            {
-                pattern: /"shared_state_checked"\s*:\s*false/i,
-                evidence: "Tool explicitly states it doesn't use shared state",
-            },
-            {
-                pattern: /"independent_auth_required"\s*:\s*true/i,
-                evidence: "Tool requires independent per-request auth",
-            },
-            {
-                pattern: /requires\s+independent\s+authorization/i,
-                evidence: "Independent authorization required",
-            },
-            {
-                pattern: /(?:not|does\s+not|doesn't)\s+(?:use\s+)?shared\s+state/i,
-                evidence: "Tool confirms it does not use shared state",
-            },
-            {
-                pattern: /stored.*for.*admin.*review/i,
-                evidence: "Request stored for admin review (no auto-execution)",
-            },
-            {
-                pattern: /per-request\s+auth/i,
-                evidence: "Per-request authentication enforced",
-            },
-        ];
         // Check vulnerable patterns first (SHARED_STATE)
-        for (const { pattern, evidence } of vulnerablePatterns) {
+        for (const { pattern, evidence } of STATE_AUTH_VULNERABLE_PATTERNS) {
             if (pattern.test(responseText)) {
                 return {
                     vulnerable: true,
@@ -241,7 +130,7 @@ export class SecurityResponseAnalyzer {
             }
         }
         // Check safe patterns (INDEPENDENT)
-        for (const { pattern, evidence } of safePatterns) {
+        for (const { pattern, evidence } of STATE_AUTH_SAFE_PATTERNS) {
             if (pattern.test(responseText)) {
                 return {
                     vulnerable: false,
@@ -1230,6 +1119,129 @@ export class SecurityResponseAnalyzer {
         // Fall back to injection response analysis
         return this.analyzeInjectionResponse(response);
     }
+    // ============================================================================
+    // Issue #146: Execution Context Classification (False Positive Reduction)
+    // ============================================================================
+    /**
+     * Issue #146: Classify vulnerability context to reduce false positives
+     * Distinguishes between actual execution and payload reflection in errors
+     *
+     * Context classification:
+     * - CONFIRMED: Operation succeeded, payload was actually executed (HIGH risk)
+     * - LIKELY_FALSE_POSITIVE: Operation failed, payload just reflected in error (LOW risk)
+     * - SUSPECTED: Ambiguous case requiring manual review (MEDIUM risk)
+     *
+     * @param vulnResult The vulnerability analysis result from checkVulnerabilityEvidence
+     * @param responseText The full response text (lowercase)
+     * @param payload The security payload that was tested
+     * @returns Updated AnalysisResult with context classification
+     */
+    classifyVulnerabilityContext(vulnResult, responseText, payload) {
+        // Use pattern library helpers to detect context
+        const hasError = hasErrorContext(responseText);
+        const hasSuccess = hasSuccessContext(responseText);
+        const payloadInError = isPayloadInErrorContext(responseText, payload.payload);
+        // CONFIRMED: Success patterns present, no error patterns
+        // This indicates the operation actually executed and returned results
+        if (hasSuccess && !hasError) {
+            return {
+                ...vulnResult,
+                evidence: `${vulnResult.evidence} [Context: CONFIRMED - operation succeeded]`,
+            };
+        }
+        // LIKELY_FALSE_POSITIVE: Error context with payload reflection
+        // The server rejected the operation but echoed the payload in the error message
+        if (payloadInError && hasError) {
+            return {
+                isVulnerable: false,
+                evidence: `Operation failed with error containing reflected payload. ` +
+                    `Original detection: ${vulnResult.evidence} ` +
+                    `[Context: LIKELY_FALSE_POSITIVE - payload reflected in error message, not executed]`,
+            };
+        }
+        // SUSPECTED: Ambiguous (neither clear success nor clear error)
+        // Mark as requiring manual review
+        return {
+            ...vulnResult,
+            evidence: `${vulnResult.evidence} [Context: SUSPECTED - requires manual review]`,
+        };
+    }
+    // ============================================================================
+    // Issue #144: Excessive Permissions Scope Analysis (Challenge #22)
+    // ============================================================================
+    /**
+     * Analyze response for excessive permissions scope violations (Issue #144, Challenge #22)
+     * Detects when tools exceed their declared annotation scope:
+     * - scope_violation: Tool performed privileged action despite restrictive annotations
+     * - scope_escalation: Keyword triggered hidden admin/privilege mode
+     * - scope_enforced: Tool properly blocked the privileged action (safe)
+     *
+     * CWE-250: Execution with Unnecessary Privileges
+     * CWE-269: Improper Privilege Management
+     */
+    analyzeExcessivePermissionsResponse(response) {
+        const responseText = this.extractResponseContent(response);
+        const cweIds = [];
+        // Check for safe/hardened patterns first (scope enforced)
+        for (const { pattern, evidence } of SCOPE_ENFORCED_PATTERNS) {
+            if (pattern.test(responseText)) {
+                return {
+                    detected: false,
+                    violationType: "SAFE",
+                    cweIds: [],
+                    evidence,
+                };
+            }
+        }
+        // Check for scope violation patterns
+        for (const { pattern, evidence } of SCOPE_VIOLATION_PATTERNS) {
+            if (pattern.test(responseText)) {
+                // Determine specific violation type based on pattern
+                if (/"scope_escalation"\s*:\s*true/i.test(responseText)) {
+                    // Scope escalation - keyword-triggered privilege escalation
+                    cweIds.push("CWE-269");
+                    // Extract trigger keyword if present
+                    const keywordMatch = responseText.match(/"trigger_keyword"\s*:\s*"([^"]+)"/i);
+                    const triggerPayload = keywordMatch?.[1];
+                    return {
+                        detected: true,
+                        violationType: "SCOPE_ESCALATION",
+                        triggerPayload,
+                        cweIds,
+                        evidence,
+                    };
+                }
+                if (/"scope_violation"\s*:\s*true/i.test(responseText)) {
+                    // Scope violation - action exceeded declared scope
+                    cweIds.push("CWE-250", "CWE-269");
+                    // Extract actual scope if present
+                    const scopeMatch = responseText.match(/"actual_scope"\s*:\s*"([^"]+)"/i);
+                    const actualScope = scopeMatch?.[1];
+                    return {
+                        detected: true,
+                        violationType: "SCOPE_VIOLATION",
+                        actualScope,
+                        cweIds,
+                        evidence,
+                    };
+                }
+                // Generic detection (privileged_data, system_secrets, admin_mode_activated)
+                cweIds.push("CWE-250", "CWE-269");
+                return {
+                    detected: true,
+                    violationType: "SCOPE_VIOLATION",
+                    cweIds,
+                    evidence,
+                };
+            }
+        }
+        // No scope violation or enforcement detected
+        return {
+            detected: false,
+            violationType: "UNKNOWN",
+            cweIds: [],
+        };
+    }
     /**
      * Analyze injection response (fallback logic)
      */

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@bryan-thompson/inspector-assessment-client",
-  "version": "1.35.1",
+  "version": "1.35.3",
   "description": "Client-side application for the Enhanced MCP Inspector with assessment capabilities",
   "license": "MIT",
   "author": "Bryan Thompson <bryan@triepod.ai>",