@bryan-thompson/inspector-assessment 1.26.6 → 1.26.7

package/client/lib/services/assessment/modules/securityTests/CrossToolStateTester.js

@@ -0,0 +1,225 @@
+/**
+ * Cross-Tool State Tester
+ * Tests for privilege escalation by calling tools in sequence
+ *
+ * Issue #92, Challenge #7: Cross-tool state-based authorization bypass
+ * Detects when one tool can modify shared state that affects another tool's authorization.
+ *
+ * Attack flow:
+ * 1. Call admin_action → should get "access denied"
+ * 2. Call config_modifier with "admin_mode=true"
+ * 3. Call admin_action again → if now succeeds, VULNERABLE
+ */
+/**
+ * Tests for cross-tool privilege escalation via shared mutable state
+ */
+export class CrossToolStateTester {
+    verbose;
+    constructor(config = {}) {
+        // Note: config.timeout is accepted but tool call timeout is handled externally
+        this.verbose = config.verbose ?? false;
+    }
+    /**
+     * Log message if verbose logging is enabled
+     */
+    log(message) {
+        if (this.verbose) {
+            // eslint-disable-next-line no-console
+            console.log(`[CrossToolStateTester] ${message}`);
+        }
+    }
+    /**
+     * Identify potential cross-tool pairs for testing
+     * Looks for admin_action/privileged tools and config_modifier/setting tools
+     */
+    identifyCrossToolPairs(tools) {
+        const pairs = [];
+        // Find admin-like tools (tools that check authorization)
+        const adminTools = tools.filter((t) => /admin[_-]?action|privileged|elevated|sensitive/i.test(t.name) ||
+            /admin[_-]?action|privileged|requires\s+admin/i.test(t.description || ""));
+        // Find modifier-like tools (tools that modify state/config)
+        const modifierTools = tools.filter((t) => /config[_-]?modifier|setting|mode|enable|activate/i.test(t.name) ||
+            /modify.*config|set.*mode|enable.*admin/i.test(t.description || ""));
+        for (const admin of adminTools) {
+            for (const modifier of modifierTools) {
+                if (admin.name !== modifier.name) {
+                    pairs.push({ admin, modifier });
+                }
+            }
+        }
+        return pairs;
+    }
+    /**
+     * Test cross-tool privilege escalation
+     *
+     * Attack flow:
+     * 1. Call admin_action → expect "access denied"
+     * 2. Call config_modifier with "admin_mode=true"
+     * 3. Call admin_action again → if now succeeds, VULNERABLE
+     */
+    async testPrivilegeEscalation(callTool, adminTool, modifierTool, onProgress) {
+        this.log(`Testing pair: ${modifierTool.name} → ${adminTool.name}`);
+        try {
+            // Step 1: Baseline - admin action should be denied
+            this.log(`Step 1: Calling ${adminTool.name} (baseline)`);
+            const baseline = await callTool(adminTool.name, {
+                action: "read secrets",
+            });
+            const baselineText = this.extractResponseText(baseline);
+            const baselineDenied = /access denied|unauthorized|admin.*required|permission.*denied/i.test(baselineText);
+            if (!baselineDenied) {
+                // Already has access - can't test escalation (might indicate other issues)
+                // Check if it's because shared_state_checked is false (hardened)
+                if (/"shared_state_checked"\s*:\s*false/i.test(baselineText)) {
+                    return {
+                        vulnerable: false,
+                        reason: "baseline_has_access",
+                        evidence: {
+                            baseline: baselineText.slice(0, 500),
+                            afterModifier: "",
+                        },
+                    };
+                }
+                return {
+                    vulnerable: false,
+                    reason: "baseline_has_access",
+                    evidence: {
+                        baseline: baselineText.slice(0, 500),
+                        afterModifier: "",
+                    },
+                };
+            }
+            // Step 2: Attempt to enable admin mode via config modifier
+            const enableResult = await callTool(modifierTool.name, {
+                setting: "admin_mode=true",
+            });
+            const enableText = this.extractResponseText(enableResult);
+            const modeEnabled = /admin.*activated|elevated.*granted|admin_mode.*enabled|configuration.*updated.*admin/i.test(enableText);
+            // Check if modifier is hardened (stores without modifying)
+            const modifierHardened = /stored.*without.*modifying|stored.*for.*review|not.*modifying.*runtime/i.test(enableText);
+            if (modifierHardened) {
+                return {
+                    vulnerable: false,
+                    reason: "modifier_rejected",
+                    evidence: {
+                        baseline: baselineText.slice(0, 300),
+                        afterModifier: "",
+                        enableResult: enableText.slice(0, 300),
+                    },
+                };
+            }
+            if (!modeEnabled) {
+                return {
+                    vulnerable: false,
+                    reason: "modifier_rejected",
+                    evidence: {
+                        baseline: baselineText.slice(0, 300),
+                        afterModifier: "",
+                        enableResult: enableText.slice(0, 300),
+                    },
+                };
+            }
+            // Step 3: Test if admin action now succeeds
+            const escalated = await callTool(adminTool.name, {
+                action: "read secrets",
+            });
+            const escalatedText = this.extractResponseText(escalated);
+            // Check for successful escalation
+            const escalationSucceeded = !/access denied|unauthorized|admin.*required|permission.*denied/i.test(escalatedText) &&
+                /"secrets"|API_KEY|credentials|admin_mode.*true.*evidence.*cross-tool/i.test(escalatedText);
+            // Emit progress event if callback provided
+            if (onProgress && escalationSucceeded) {
+                onProgress({
+                    type: "vulnerability_found",
+                    tool: adminTool.name,
+                    pattern: "Cross-Tool State Bypass",
+                    confidence: "high",
+                    evidence: `Cross-tool privilege escalation: ${modifierTool.name} enables access to ${adminTool.name}. ${escalatedText.slice(0, 200)}`,
+                    riskLevel: "HIGH",
+                    requiresReview: false,
+                    payload: "admin_mode=true",
+                });
+            }
+            return {
+                vulnerable: escalationSucceeded,
+                reason: escalationSucceeded
+                    ? "privilege_escalation_confirmed"
+                    : "escalation_blocked",
+                evidence: {
+                    baseline: baselineText.slice(0, 300),
+                    afterModifier: escalatedText.slice(0, 300),
+                    enableResult: enableText.slice(0, 300),
+                },
+            };
+        }
+        catch (error) {
+            return {
+                vulnerable: false,
+                reason: "test_error",
+                error: error instanceof Error ? error.message : String(error),
+            };
+        }
+    }
+    /**
+     * Run sequence tests on all identified tool pairs
+     */
+    async runAllSequenceTests(tools, callTool, onProgress) {
+        const pairs = this.identifyCrossToolPairs(tools);
+        const results = new Map();
+        for (const { admin, modifier } of pairs) {
+            const key = `${modifier.name} → ${admin.name}`;
+            const result = await this.testPrivilegeEscalation(callTool, admin, modifier, onProgress);
+            results.set(key, result);
+        }
+        return results;
+    }
+    /**
+     * Get summary of sequence test results
+     */
+    summarizeResults(results) {
+        let vulnerable = 0;
+        let safe = 0;
+        let errors = 0;
+        const vulnerablePairs = [];
+        for (const [key, result] of results) {
+            if (result.reason === "test_error") {
+                errors++;
+            }
+            else if (result.vulnerable) {
+                vulnerable++;
+                vulnerablePairs.push(key);
+            }
+            else {
+                safe++;
+            }
+        }
+        return {
+            total: results.size,
+            vulnerable,
+            safe,
+            errors,
+            vulnerablePairs,
+        };
+    }
+    /**
+     * Extract text content from MCP response
+     */
+    extractResponseText(response) {
+        if (!response)
+            return "";
+        // Handle content array format
+        if (response.content && Array.isArray(response.content)) {
+            return response.content
+                .map((item) => {
+                if (typeof item === "string")
+                    return item;
+                if (item && typeof item === "object" && "text" in item)
+                    return String(item.text);
+                return JSON.stringify(item);
+            })
+                .join("\n");
+        }
+        // Fallback to JSON stringify
+        return JSON.stringify(response);
+    }
+}

package/client/lib/services/assessment/modules/securityTests/SecurityPatternLibrary.d.ts

@@ -144,6 +144,126 @@ export declare const AUTH_FAIL_CLOSED_PATTERNS: readonly [{
     readonly pattern: RegExp;
     readonly evidence: "denial reason provided";
 }];
+/**
+ * Patterns indicating vulnerable shared state authorization
+ * Detects cross-tool privilege escalation via shared mutable state
+ * Used by: analyzeStateBasedAuthBypass()
+ */
+export declare const STATE_AUTH_VULNERABLE_PATTERNS: readonly [{
+    readonly pattern: RegExp;
+    readonly evidence: "admin_mode enabled in response";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "Tool hints at cross-tool state dependency";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "Explicit cross-tool state dependency";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "Cross-tool privilege escalation detected";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "Elevated privileges granted";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "Admin mode activated (state modifier)";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "Response hints at config_modifier for admin_mode";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "Tool depends on config_modifier for authorization";
+}];
+/**
+ * Patterns indicating safe independent authorization
+ * Detects tools that use per-request authentication (secure)
+ * Used by: analyzeStateBasedAuthBypass()
+ */
+export declare const STATE_AUTH_SAFE_PATTERNS: readonly [{
+    readonly pattern: RegExp;
+    readonly evidence: "Tool explicitly states it doesn't use shared state";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "Tool requires independent per-request auth";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "Independent authorization required";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "Tool confirms it does not use shared state";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "Request stored for admin review (no auto-execution)";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "Per-request authentication enforced";
+}];
+/**
+ * Response pattern structure for chain exploitation analysis
+ */
+export interface ChainResponsePattern {
+    pattern: RegExp;
+    weight: number;
+    category: string;
+    description: string;
+}
+/**
+ * Patterns indicating vulnerable chain execution behavior
+ * - Arbitrary tool invocation without allowlist
+ * - Output injection via template substitution
+ * - Recursive/circular chain execution
+ * - Missing depth limits
+ * - State poisoning between steps
+ *
+ * Used by: analyzeChainExploitation()
+ */
+export declare const CHAIN_EXPLOIT_VULNERABLE_PATTERNS: ChainResponsePattern[];
+/**
+ * Patterns indicating safe/hardened chain handling
+ * - Tool allowlist validation
+ * - No execution (validation only)
+ * - Depth limits enforced
+ * - Output injection blocked
+ *
+ * Used by: analyzeChainExploitation()
+ */
+/**
+ * Threshold for confirming vulnerable chain execution behavior.
+ * Value of 1.5 requires ~2 weighted pattern matches to confirm vulnerability.
+ *
+ * Derived from A/B testing against vulnerable-mcp/hardened-mcp testbed:
+ * - vulnerable-mcp: typical scores 2.0-4.0 for vulnerable chains
+ * - hardened-mcp: typical scores 0.0-0.8 for safe chains
+ *
+ * Setting at 1.5 provides margin against false positives while
+ * maintaining detection of genuine vulnerabilities.
+ */
+export declare const CHAIN_VULNERABLE_THRESHOLD = 1.5;
+/**
+ * Threshold for confirming safe/hardened chain behavior.
+ * Value of 1.0 requires 1+ weighted safe pattern matches.
+ *
+ * Derived from A/B testing:
+ * - hardened-mcp: typical scores 1.5-3.0 for safe chains
+ * - vulnerable-mcp: typical scores 0.0-0.5 for safe patterns
+ */
+export declare const CHAIN_SAFE_THRESHOLD = 1;
+/**
+ * Maps vulnerability categories to detection patterns.
+ * Used by analyzeChainExploitation() for category classification.
+ *
+ * Extracted from inline patterns to maintain single source of truth.
+ */
+export declare const CHAIN_CATEGORY_PATTERNS: Record<string, {
+    pattern: RegExp;
+    category: string;
+}[]>;
+/**
+ * Detect vulnerability categories from response text.
+ * Returns array of detected category names.
+ */
+export declare function detectVulnerabilityCategories(responseText: string): string[];
+export declare const CHAIN_EXPLOIT_SAFE_PATTERNS: ChainResponsePattern[];
 /**
  * Patterns indicating search result responses
  * Used by: isSearchResultResponse()

package/client/lib/services/assessment/modules/securityTests/SecurityPatternLibrary.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"SecurityPatternLibrary.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/SecurityPatternLibrary.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH;;;GAGG;AACH,eAAO,MAAM,mBAAmB;IAC9B,kEAAkE;;IAIlE,8DAA8D;;IAG9D,kCAAkC;;IAGlC,gCAAgC;;CAExB,CAAC;AAMX;;;;GAIG;AACH,eAAO,MAAM,yBAAyB,2JAmB5B,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,oBAAoB,2LAuBvB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B;IACtC,iCAAiC;;IAejC,0DAA0D;;CAElD,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,yBAAyB;IACpC,oCAAoC;;IAqBpC,4DAA4D;;IAW5D,+BAA+B;;CAEvB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,6BAA6B;;;;CAMhC,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,eAAe,mJAkBlB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,mBAAmB,2rBAwGtB,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA+B1B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAc5B,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,sBAAsB,2FAWzB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,iBAAiB,mHAcpB,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,uBAAuB,mFAU1B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B,mDAM9B,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,uBAAuB,2DAO1B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,yBAAyB,2DAO5B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,6BAA6B,yKAWhC,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,kBAAkB,mGAYrB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B,QACO,CAAC;AAMhD;;;GAGG;AACH,eAAO,MAAM,mBAAmB,QAC8B,CAAC;AAE/D;;;GAGG;AACH,eAAO,MAAM,wBAAwB,2EAS3B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B,oRA4B9B,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,0BAA0B;;;;;CAK7B,CAAC;AAMX;;GAEG;AACH,wBAAgB,UAAU,CAAC,QAAQ,EAAE,SAAS,MAAM,EAAE,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAE7E;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAOjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEvD"}
+{"version":3,"file":"SecurityPatternLibrary.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/SecurityPatternLibrary.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH;;;GAGG;AACH,eAAO,MAAM,mBAAmB;IAC9B,kEAAkE;;IAIlE,8DAA8D;;IAG9D,kCAAkC;;IAGlC,gCAAgC;;CAExB,CAAC;AAMX;;;;GAIG;AACH,eAAO,MAAM,yBAAyB,2JAmB5B,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,oBAAoB,2LAuBvB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B;IACtC,iCAAiC;;IAejC,0DAA0D;;CAElD,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,yBAAyB;IACpC,oCAAoC;;IAqBpC,4DAA4D;;IAW5D,+BAA+B;;CAEvB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,6BAA6B;;;;CAMhC,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,eAAe,mJAkBlB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,mBAAmB,2rBAwGtB,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA+B1B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAc5B,CAAC;AAMX;;;;GAIG;AACH,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;;EAiCjC,CAAC;AAEX;;;;GAIG;AACH,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;EAyB3B,CAAC;AAMX;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,iCAAiC,EAAE,oBAAoB,EA0FnE,CAAC;AAEF;;;;;;;;GAQG;AAKH;;;;;;;;;;GAUG;AACH,eAAO,MAAM,0BAA0B,MAAM,CAAC;AAE9C;;;;;;;GAOG;AACH,eAAO,MAAM,oBAAoB,IAAM,CAAC;AAMxC;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB,EAAE,MAAM,CAC1C,MAAM,EACN;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,EAAE,CAgCxC,CAAC;AAEF;;;GAGG;AACH,wBAAgB,6BAA6B,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,EAAE,CAiB5E;AAED,eAAO,MAAM,2BAA2B,EAAE,oBAAoB,EAuE7D,CAAC;AAMF;;;GAGG;AACH,eAAO,MAAM,sBAAsB,2FAWzB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,iBAAiB,mHAcpB,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,uBAAuB,mFAU1B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B,mDAM9B,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,uBAAuB,2DAO1B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,yBAAyB,2DAO5B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,6BAA6B,yKAWhC,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,kBAAkB,mGAYrB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B,QACO,CAAC;AAMhD;;;GAGG;AACH,eAAO,MAAM,mBAAmB,QAC8B,CAAC;AAE/D;;;GAGG;AACH,eAAO,MAAM,wBAAwB,2EAS3B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B,oRA4B9B,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,0BAA0B;;;;;CAK7B,CAAC;AAMX;;GAEG;AACH,wBAAgB,UAAU,CAAC,QAAQ,EAAE,SAAS,MAAM,EAAE,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAE7E;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAOjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEvD"}