@bryan-thompson/inspector-assessment 1.6.0 → 1.7.1

package/client/lib/services/assessment/modules/SecurityAssessor.d.ts

@@ -0,0 +1,176 @@
+/**
+ * Security Assessor Module
+ * Tests for backend API security vulnerabilities using 8 focused patterns
+ * - Critical Injection (3): Command, SQL, Path Traversal
+ * - Input Validation (3): Type Safety, Boundary Testing, Required Fields
+ * - Protocol Compliance (2): MCP Error Format, Timeout Handling
+ */
+import { SecurityAssessment } from "../../../lib/assessmentTypes.js";
+import { BaseAssessor } from "./BaseAssessor.js";
+import { AssessmentContext } from "../AssessmentOrchestrator.js";
+export declare class SecurityAssessor extends BaseAssessor {
+    assess(context: AssessmentContext): Promise<SecurityAssessment>;
+    /**
+     * Select tools for testing based on configuration
+     */
+    private selectToolsForTesting;
+    /**
+     * Run comprehensive security tests (advanced mode)
+     * Tests selected tools with ALL 8 security patterns using diverse payloads
+     * Includes injection tests, validation tests, and protocol compliance checks
+     */
+    private runUniversalSecurityTests;
+    /**
+     * Run basic security tests (fast mode)
+     * Tests only 3 critical injection patterns with 1 generic payload each
+     * Used when enableDomainTesting = false
+     */
+    private runBasicSecurityTests;
+    /**
+     * Test tool with a specific payload
+     */
+    private testPayload;
+    /**
+     * Check if response indicates connection/server failure
+     * Returns true if test couldn't complete due to infrastructure issues
+     *
+     * CRITICAL: Only match transport/infrastructure errors, NOT tool business logic
+     */
+    private isConnectionError;
+    /**
+     * Check if caught exception indicates connection/server failure
+     * CRITICAL: Only match transport/infrastructure errors, NOT tool business logic
+     */
+    private isConnectionErrorFromException;
+    /**
+     * Classify error type for reporting
+     */
+    private classifyError;
+    /**
+     * Classify error type from caught exception
+     */
+    private classifyErrorFromException;
+    /**
+     * Analyze response with evidence-based detection
+     * CRITICAL: Distinguish between safe reflection and actual execution
+     */
+    private analyzeResponse;
+    /**
+     * Check if tool explicitly rejected input with validation error (SAFE)
+     * Returns true if tool properly rejected invalid input (SECURE)
+     *
+     * Distinguishes between:
+     * - SAFE: {"valid": false, "errors": ["Input too long"]} (rejection)
+     * - VULNERABLE: {"result": "deleted 5 rows"} (execution)
+     */
+    private isValidationRejection;
+    /**
+     * Check if response is an MCP validation error (safe rejection)
+     * Returns true if tool rejected input before processing (SECURE)
+     *
+     * Validation errors indicate proper input sanitization and are NOT vulnerabilities.
+     * Examples:
+     * - MCP error -32602 (JSON-RPC Invalid params standard)
+     * - "parameter validation failed: invalid url"
+     * - "schema validation error: must be a string"
+     */
+    private isMCPValidationError;
+    /**
+     * Check if evidence pattern is ambiguous (can match both validation and execution)
+     * These patterns appear in BOTH:
+     * - Secure validation errors: "parameter validation failed: invalid type"
+     * - Vulnerable execution errors: "SQL executed: type error in result"
+     */
+    private isValidationPattern;
+    /**
+     * Check if response contains evidence of actual execution
+     * Returns true only if malicious input was actually PROCESSED/EXECUTED
+     *
+     * Distinguishes between:
+     * - SECURE: "Parameter validation failed: invalid type" (rejected BEFORE execution)
+     * - VULNERABLE: "SQL executed: syntax error" (error DURING execution)
+     */
+    private hasExecutionEvidence;
+    /**
+     * Perform additional security checks
+     */
+    private performAdditionalSecurityChecks;
+    /**
+     * Determine overall risk level
+     */
+    private determineOverallRiskLevel;
+    /**
+     * Determine security status based on confidence levels
+     */
+    private determineSecurityStatus;
+    /**
+     * Generate security explanation
+     */
+    private generateSecurityExplanation;
+    /**
+     * Calculate confidence level and manual review requirements
+     * Detects ambiguous patterns that need human verification
+     */
+    private calculateConfidence;
+    /**
+     * Check if tool is a structured data tool (search, lookup, retrieval)
+     * These tools naturally echo input patterns in their results
+     */
+    private isStructuredDataTool;
+    /**
+     * Check if response is just reflection (safe)
+     * Expanded to catch more reflection patterns including echo, repeat, display
+     * IMPROVED: Bidirectional patterns, safety indicators, and two-layer defense
+     *
+     * CRITICAL: This check distinguishes between:
+     * - SAFE: Tool stores/echoes malicious input as data (reflection)
+     * - VULNERABLE: Tool executes malicious input and returns results (execution)
+     *
+     * Two-layer defense:
+     * Layer 1: Match reflection/status patterns
+     * Layer 2: Verify NO execution evidence (defense-in-depth)
+     */
+    private isReflectionResponse;
+    /**
+     * Detect execution artifacts in response
+     * Returns true if response contains evidence of actual code execution
+     *
+     * HIGH confidence: System files, commands, directory listings
+     * MEDIUM confidence: Contextual patterns (root alone, paths)
+     */
+    private detectExecutionArtifacts;
+    /**
+     * Analyze injection response (existing logic)
+     * Note: payload parameter unused after refactoring to two-layer defense
+     */
+    private analyzeInjectionResponse;
+    /**
+     * Extract response content
+     */
+    private extractResponseContent;
+    /**
+     * Check if tool has input parameters
+     */
+    private hasInputParameters;
+    private createTestParameters;
+    /**
+     * Check if tool is an API wrapper (safe data-passing tool)
+     */
+    private isApiWrapper;
+    /**
+     * Check if attack is an execution-based test
+     * These tests assume the tool executes input as code, which doesn't apply to API wrappers
+     */
+    private isExecutionTest;
+    /**
+     * Check if response is returning search results
+     * Search tools return query results as data, not execute them
+     */
+    private isSearchResultResponse;
+    /**
+     * Check if response is from a creation/modification operation
+     * CRUD tools create/modify resources, not execute code
+     */
+    private isCreationResponse;
+}
+//# sourceMappingURL=SecurityAssessor.d.ts.map

package/client/lib/services/assessment/modules/SecurityAssessor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SecurityAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/SecurityAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,kBAAkB,EAInB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAS9D,qBAAa,gBAAiB,SAAQ,YAAY;IAC1C,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAuFrE;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAkC7B;;;;OAIG;YACW,yBAAyB;IA+FvC;;;;OAIG;YACW,qBAAqB;IAwGnC;;OAEG;YACW,WAAW;IA2HzB;;;;;OAKG;IACH,OAAO,CAAC,iBAAiB;IAkDzB;;;OAGG;IACH,OAAO,CAAC,8BAA8B;IAmDtC;;OAEG;IACH,OAAO,CAAC,aAAa;IA+BrB;;OAEG;IACH,OAAO,CAAC,0BAA0B;IAgClC;;;OAGG;IACH,OAAO,CAAC,eAAe;IA6HvB;;;;;;;OAOG;IACH,OAAO,CAAC,qBAAqB;IAiE7B;;;;;;;;;OASG;IACH,OAAO,CAAC,oBAAoB;IAqC5B;;;;;OAKG;IACH,OAAO,CAAC,mBAAmB;IAsB3B;;;;;;;OAOG;IACH,OAAO,CAAC,oBAAoB;IAkC5B;;OAEG;YACW,+BAA+B;IAiC7C;;OAEG;IACH,OAAO,CAAC,yBAAyB;IAYjC;;OAEG;IACH,OAAO,CAAC,uBAAuB;IA0B/B;;OAEG;IACH,OAAO,CAAC,2BAA2B;IAkEnC;;;OAGG;IACH,OAAO,CAAC,mBAAmB;IAuI3B;;;OAGG;IACH,OAAO,CAAC,oBAAoB;IAsB5B;;;;;;;;;;;;OAYG;IACH,OAAO,CAAC,oBAAoB;IAiM5B;;;;;;OAMG;IACH,OAAO,CAAC,wBAAwB;IAiDhC;;;OAGG;IACH,OAAO,CAAC,wBAAwB;IA8BhC;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAW9B;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAO1B,OAAO,CAAC,oBAAoB;IAoE5B;;OAEG;IACH,OAAO,CAAC,YAAY;IASpB;;;OAGG;IACH,OAAO,CAAC,eAAe;IASvB;;;OAGG;IACH,OAAO,CAAC,sBAAsB;IAiB9B;;;OAGG;IACH,OAAO,CAAC,kBAAkB;CAmB3B"}