npm - @feardread/fear - Versions diffs - 1.0.1 - Mend

@feardread/fear 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (99) hide show

package/FEAR.js +459 -0
package/FEARServer.js +280 -0
package/controllers/agent.js +438 -0
package/controllers/auth/index.js +345 -0
package/controllers/auth/token.js +50 -0
package/controllers/blog.js +105 -0
package/controllers/brand.js +10 -0
package/controllers/cart.js +425 -0
package/controllers/category.js +9 -0
package/controllers/coupon.js +63 -0
package/controllers/crud/crud.js +508 -0
package/controllers/crud/index.js +36 -0
package/controllers/email.js +34 -0
package/controllers/enquiry.js +65 -0
package/controllers/events.js +9 -0
package/controllers/order.js +125 -0
package/controllers/payment.js +31 -0
package/controllers/product.js +147 -0
package/controllers/review.js +247 -0
package/controllers/tag.js +10 -0
package/controllers/task.js +10 -0
package/controllers/upload.js +41 -0
package/controllers/user.js +401 -0
package/index.js +7 -0
package/libs/agent/index.js +561 -0
package/libs/agent/modules/ai/ai.js +285 -0
package/libs/agent/modules/ai/chat.js +518 -0
package/libs/agent/modules/ai/config.js +688 -0
package/libs/agent/modules/ai/operations.js +787 -0
package/libs/agent/modules/analyze/api.js +546 -0
package/libs/agent/modules/analyze/dorks.js +395 -0
package/libs/agent/modules/ccard/README.md +454 -0
package/libs/agent/modules/ccard/audit.js +479 -0
package/libs/agent/modules/ccard/checker.js +674 -0
package/libs/agent/modules/ccard/payment-processors.json +16 -0
package/libs/agent/modules/ccard/validator.js +629 -0
package/libs/agent/modules/code/analyzer.js +303 -0
package/libs/agent/modules/code/jquery.js +1093 -0
package/libs/agent/modules/code/react.js +1536 -0
package/libs/agent/modules/code/refactor.js +499 -0
package/libs/agent/modules/crypto/exchange.js +564 -0
package/libs/agent/modules/net/proxy.js +409 -0
package/libs/agent/modules/security/cve.js +442 -0
package/libs/agent/modules/security/monitor.js +360 -0
package/libs/agent/modules/security/scanner.js +300 -0
package/libs/agent/modules/security/vulnerability.js +506 -0
package/libs/agent/modules/security/web.js +465 -0
package/libs/agent/modules/utils/browser.js +492 -0
package/libs/agent/modules/utils/colorizer.js +285 -0
package/libs/agent/modules/utils/manager.js +478 -0
package/libs/cloud/index.js +228 -0
package/libs/config/db.js +21 -0
package/libs/config/validator.js +82 -0
package/libs/db/index.js +318 -0
package/libs/emailer/imap.js +126 -0
package/libs/emailer/info.js +41 -0
package/libs/emailer/smtp.js +77 -0
package/libs/handler/async.js +3 -0
package/libs/handler/error.js +66 -0
package/libs/handler/index.js +161 -0
package/libs/logger/index.js +49 -0
package/libs/logger/morgan.js +24 -0
package/libs/passport/passport.js +109 -0
package/libs/search/api.js +384 -0
package/libs/search/features.js +219 -0
package/libs/search/service.js +64 -0
package/libs/swagger/config.js +18 -0
package/libs/swagger/index.js +35 -0
package/libs/validator/index.js +254 -0
package/models/blog.js +31 -0
package/models/brand.js +12 -0
package/models/cart.js +14 -0
package/models/category.js +11 -0
package/models/coupon.js +9 -0
package/models/customer.js +0 -0
package/models/enquiry.js +29 -0
package/models/events.js +13 -0
package/models/order.js +94 -0
package/models/product.js +32 -0
package/models/review.js +14 -0
package/models/tag.js +10 -0
package/models/task.js +11 -0
package/models/user.js +68 -0
package/package.json +12 -0
package/routes/agent.js +615 -0
package/routes/auth.js +13 -0
package/routes/blog.js +19 -0
package/routes/brand.js +15 -0
package/routes/cart.js +105 -0
package/routes/category.js +16 -0
package/routes/coupon.js +15 -0
package/routes/enquiry.js +14 -0
package/routes/events.js +16 -0
package/routes/mail.js +170 -0
package/routes/order.js +19 -0
package/routes/product.js +22 -0
package/routes/review.js +11 -0
package/routes/task.js +12 -0
package/routes/user.js +17 -0

package/libs/agent/modules/security/vulnerability.js ADDED Viewed

@@ -0,0 +1,506 @@
+// modules/vulnerability-assessment.js - Vulnerability Assessment & Testing
+const https = require('https');
+const http = require('http');
+const { URL } = require('url');
+const fs = require('fs').promises;
+const net = require('net');
+const colorizer = require('../utils/colorizer');
+const VulnerabilityAssessment = function() {}
+VulnerabilityAssessment.prototype = {
+  assess(args) {
+    const url = args[0];
+    const testType = args[1] || 'all';
+    if (!url) {
+      console.log(colorizer.error('Usage: vuln-assess <url> [test-type]'));
+      console.log(colorizer.info('Available tests:'));
+      console.log(colorizer.dim('  sql-injection       - Test for SQL injection'));
+      console.log(colorizer.dim('  xss                 - Test for Cross-Site Scripting'));
+      console.log(colorizer.dim('  directory-traversal - Test for path traversal'));
+      console.log(colorizer.dim('  command-injection   - Test for OS command injection'));
+      console.log(colorizer.dim('  xxe                 - Test for XML External Entity'));
+      console.log(colorizer.dim('  ssrf                - Test for Server-Side Request Forgery'));
+      console.log(colorizer.dim('  open-redirect       - Test for open redirect'));
+      console.log(colorizer.dim('  csrf                - Test for CSRF vulnerabilities'));
+      console.log(colorizer.dim('  all                 - Run all tests (default)'));
+      console.log(colorizer.warning('WARNING: Only test systems you own or have permission to test!\n'));
+      return Promise.resolve();
+    }
+    console.log(colorizer.header('Vulnerability Assessment'));
+    console.log(colorizer.separator());
+    console.log(colorizer.cyan('Target: ') + colorizer.bright(url));
+    console.log(colorizer.cyan('Test Type: ') + colorizer.yellow(testType));
+    console.log(colorizer.warning('Only testing systems with authorization!'));
+    console.log();
+    this.results = [];
+    const testFunc = this.vulnerabilityTests[testType];
+    if (!testFunc) {
+      console.log(colorizer.error('Unknown test type: ' + testType + '\n'));
+      return Promise.resolve();
+    }
+    return testFunc(url)
+      .then(() => {
+        this.displayResults();
+      })
+      .catch(err => {
+        console.log(colorizer.error('Assessment failed: ' + err.message + '\n'));
+      });
+  },
+  testSQLInjection(url) {
+    console.log(colorizer.section('Testing for SQL Injection'));
+    const payloads = [
+      "' OR '1'='1",
+      "1' OR '1'='1' --",
+      "admin'--",
+      "' UNION SELECT NULL--",
+      "1' AND 1=1--",
+      "1' AND 1=2--"
+    ];
+    const promises = payloads.map(payload => {
+      const testUrl = this.appendParam(url, 'id', payload);
+      return this.makeRequest(testUrl)
+        .then(response => {
+          const indicators = [
+            'SQL syntax',
+            'mysql_fetch',
+            'ORA-',
+            'PostgreSQL',
+            'SQLite',
+            'Microsoft SQL',
+            'syntax error'
+          ];
+          const vulnerable = indicators.some(indicator =>
+            response.body && response.body.toLowerCase().includes(indicator.toLowerCase())
+          );
+          if (vulnerable) {
+            this.addResult('SQL Injection', 'CRITICAL', 'Vulnerable',
+              'SQL error messages detected in response', testUrl);
+            console.log(colorizer.critical('VULNERABLE - SQL error detected with payload: ' + payload));
+          } else if (response.statusCode >= 500) {
+            this.addResult('SQL Injection', 'HIGH', 'Possible',
+              'Server error (500) with SQL payload', testUrl);
+            console.log(colorizer.high('POSSIBLE - Server error with payload: ' + payload));
+          }
+        })
+        .catch(() => {
+          // Connection errors are expected with some payloads
+        });
+    });
+    return Promise.all(promises)
+      .then(() => {
+        console.log(colorizer.success('SQL Injection test complete'));
+      });
+  },
+  testXSS(url) {
+    console.log(colorizer.section('Testing for Cross-Site Scripting (XSS)'));
+    const payloads = [
+      '<script>alert(1)</script>',
+      '"><script>alert(1)</script>',
+      '<img src=x onerror=alert(1)>',
+      '<svg onload=alert(1)>',
+      'javascript:alert(1)'
+    ];
+    const promises = payloads.map(payload => {
+      const testUrl = this.appendParam(url, 'q', payload);
+      return this.makeRequest(testUrl)
+        .then(response => {
+          if (response.body && response.body.includes(payload)) {
+            this.addResult('XSS', 'HIGH', 'Vulnerable',
+              'Unescaped payload reflected in response', testUrl);
+            console.log(colorizer.high('VULNERABLE - Payload reflected: ' + payload.substring(0, 50)));
+          }
+        })
+        .catch(() => {});
+    });
+    return Promise.all(promises)
+      .then(() => {
+        console.log(colorizer.success('XSS test complete'));
+      });
+  },
+  testDirectoryTraversal(url) {
+    console.log(colorizer.section('Testing for Directory Traversal'));
+    const payloads = [
+      '../../../etc/passwd',
+      '..\\..\\..\\windows\\system.ini',
+      '....//....//....//etc/passwd',
+      '%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd'
+    ];
+    const promises = payloads.map(payload => {
+      const testUrl = this.appendParam(url, 'file', payload);
+      return this.makeRequest(testUrl)
+        .then(response => {
+          const indicators = [
+            'root:',
+            '[extensions]',
+            'for 16-bit app support'
+          ];
+          const vulnerable = indicators.some(indicator =>
+            response.body && response.body.includes(indicator)
+          );
+          if (vulnerable) {
+            this.addResult('Directory Traversal', 'CRITICAL', 'Vulnerable',
+              'System file contents detected in response', testUrl);
+            console.log(colorizer.critical('VULNERABLE - System file accessed with: ' + payload));
+          }
+        })
+        .catch(() => {});
+    });
+    return Promise.all(promises)
+      .then(() => {
+        console.log(colorizer.success('Directory Traversal test complete'));
+      });
+  },
+  testCommandInjection(url) {
+    console.log(colorizer.section('Testing for Command Injection'));
+    const payloads = [
+      '; ls -la',
+      '| whoami',
+      '`whoami`',
+      '$(whoami)',
+      '& dir'
+    ];
+    const promises = payloads.map(payload => {
+      const testUrl = this.appendParam(url, 'cmd', payload);
+      return this.makeRequest(testUrl)
+        .then(response => {
+          const indicators = [
+            'total ',
+            'drwx',
+            'Directory of',
+            'Volume Serial Number'
+          ];
+          const vulnerable = indicators.some(indicator =>
+            response.body && response.body.includes(indicator)
+          );
+          if (vulnerable) {
+            this.addResult('Command Injection', 'CRITICAL', 'Vulnerable',
+              'Command output detected in response', testUrl);
+            console.log(colorizer.critical('VULNERABLE - Command executed: ' + payload));
+          }
+        })
+        .catch(() => {});
+    });
+    return Promise.all(promises)
+      .then(() => {
+        console.log(colorizer.success('Command Injection test complete'));
+      });
+  },
+  testXXE(url) {
+    console.log(colorizer.section('Testing for XML External Entity (XXE)'));
+    const payload = '<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM "file:///etc/passwd">]><root>&test;</root>';
+    return this.makeRequest(url, 'POST', payload, {
+      'Content-Type': 'application/xml'
+    })
+      .then(response => {
+        if (response.body && response.body.includes('root:')) {
+          this.addResult('XXE', 'CRITICAL', 'Vulnerable',
+            'External entity processed and file contents returned', url);
+          console.log(colorizer.critical('VULNERABLE - XXE injection successful'));
+        } else {
+          console.log(colorizer.success('No XXE vulnerability detected'));
+        }
+      })
+      .catch(() => {
+        console.log(colorizer.info('XXE test completed (endpoint may not accept XML)'));
+      });
+  },
+  testSSRF(url) {
+    console.log(colorizer.section('Testing for Server-Side Request Forgery (SSRF)'));
+    const payloads = [
+      'http://localhost:8080',
+      'http://127.0.0.1:22',
+      'http://169.254.169.254/latest/meta-data/',
+      'file:///etc/passwd'
+    ];
+    const promises = payloads.map(payload => {
+      const testUrl = this.appendParam(url, 'url', payload);
+      return this.makeRequest(testUrl)
+        .then(response => {
+          if (response.statusCode === 200 && response.body && response.body.length > 100) {
+            this.addResult('SSRF', 'HIGH', 'Possible',
+              'Server made request to internal resource', testUrl);
+            console.log(colorizer.high('POSSIBLE - Internal request to: ' + payload));
+          }
+        })
+        .catch(() => {});
+    });
+    return Promise.all(promises)
+      .then(() => {
+        console.log(colorizer.success('SSRF test complete'));
+      });
+  },
+  testOpenRedirect(url) {
+    console.log(colorizer.section('Testing for Open Redirect'));
+    const payloads = [
+      'https://evil.com',
+      '//evil.com',
+      '/\\evil.com',
+      'https://example.com@evil.com'
+    ];
+    const promises = payloads.map(payload => {
+      const testUrl = this.appendParam(url, 'redirect', payload);
+      return this.makeRequest(testUrl)
+        .then(response => {
+          if (response.statusCode >= 300 && response.statusCode < 400) {
+            const location = response.headers.location || '';
+            if (location.includes('evil.com')) {
+              this.addResult('Open Redirect', 'MEDIUM', 'Vulnerable',
+                'Redirects to attacker-controlled domain', testUrl);
+              console.log(colorizer.medium('VULNERABLE - Redirects to: ' + location));
+            }
+          }
+        })
+        .catch(() => {});
+    });
+    return Promise.all(promises)
+      .then(() => {
+        console.log(colorizer.success('Open Redirect test complete'));
+      });
+  },
+  testCSRF(url) {
+    console.log(colorizer.section('Testing for CSRF Protection'));
+    return this.makeRequest(url)
+      .then(response => {
+        const hasCSRFToken = response.body && (
+          response.body.includes('csrf') ||
+          response.body.includes('_token') ||
+          response.body.includes('authenticity_token')
+        );
+        const hasSameSite = response.headers['set-cookie'] &&
+          response.headers['set-cookie'].some(cookie =>
+            cookie.toLowerCase().includes('samesite')
+          );
+        if (!hasCSRFToken && !hasSameSite) {
+          this.addResult('CSRF', 'MEDIUM', 'Vulnerable',
+            'No CSRF tokens or SameSite cookies detected', url);
+          console.log(colorizer.medium('VULNERABLE - No CSRF protection detected'));
+        } else {
+          console.log(colorizer.success('CSRF protection appears to be in place'));
+        }
+      })
+      .catch(() => {
+        console.log(colorizer.info('CSRF test completed'));
+      });
+  },
+  runAllTests(url) {
+    console.log(colorizer.bright('Running comprehensive vulnerability assessment...\n'));
+    return this.testSQLInjection(url)
+      .then(() => this.testXSS(url))
+      .then(() => this.testDirectoryTraversal(url))
+      .then(() => this.testCommandInjection(url))
+      .then(() => this.testXXE(url))
+      .then(() => this.testSSRF(url))
+      .then(() => this.testOpenRedirect(url))
+      .then(() => this.testCSRF(url));
+  },
+  makeRequest(url, method = 'GET', body = null, customHeaders = {}) {
+    return new Promise((resolve, reject) => {
+      const parsedUrl = new URL(url);
+      const lib = parsedUrl.protocol === 'https:' ? https : http;
+      const options = {
+        hostname: parsedUrl.hostname,
+        port: parsedUrl.port,
+        path: parsedUrl.pathname + parsedUrl.search,
+        method: method,
+        headers: {
+          'User-Agent': 'Security-Assessment-Tool/2.3',
+          'Accept': '*/*',
+          ...customHeaders
+        },
+        timeout: 5000,
+        rejectUnauthorized: false
+      };
+      if (body) {
+        options.headers['Content-Length'] = Buffer.byteLength(body);
+      }
+      const req = lib.request(options, res => {
+        let data = '';
+        res.on('data', chunk => {
+          data += chunk.toString();
+        });
+        res.on('end', () => {
+          resolve({
+            statusCode: res.statusCode,
+            headers: res.headers,
+            body: data
+          });
+        });
+      });
+      req.on('error', err => {
+        reject(err);
+      });
+      req.on('timeout', () => {
+        req.destroy();
+        reject(new Error('Timeout'));
+      });
+      if (body) {
+        req.write(body);
+      }
+      req.end();
+    });
+  },
+  appendParam(url, key, value) {
+    const separator = url.includes('?') ? '&' : '?';
+    return url + separator + key + '=' + encodeURIComponent(value);
+  },
+  addResult(vulnerability, severity, status, description, url) {
+    this.results.push({
+      vulnerability,
+      severity,
+      status,
+      description,
+      url,
+      timestamp: new Date().toISOString()
+    });
+  },
+  displayResults() {
+    console.log(colorizer.header('Assessment Results'));
+    console.log(colorizer.separator());
+    if (this.results.length === 0) {
+      console.log(colorizer.success('No vulnerabilities detected!\n'));
+      return;
+    }
+    const critical = this.results.filter(r => r.severity === 'CRITICAL');
+    const high = this.results.filter(r => r.severity === 'HIGH');
+    const medium = this.results.filter(r => r.severity === 'MEDIUM');
+    const low = this.results.filter(r => r.severity === 'LOW');
+    if (critical.length > 0) {
+      console.log(colorizer.section('CRITICAL Vulnerabilities'));
+      critical.forEach(r => {
+        console.log(colorizer.critical(r.vulnerability + ' - ' + r.status));
+        console.log(colorizer.dim('  ' + r.description));
+        console.log(colorizer.dim('  URL: ' + r.url.substring(0, 80)));
+      });
+    }
+    if (high.length > 0) {
+      console.log(colorizer.section('HIGH Vulnerabilities'));
+      high.forEach(r => {
+        console.log(colorizer.high(r.vulnerability + ' - ' + r.status));
+        console.log(colorizer.dim('  ' + r.description));
+        console.log(colorizer.dim('  URL: ' + r.url.substring(0, 80)));
+      });
+    }
+    if (medium.length > 0) {
+      console.log(colorizer.section('MEDIUM Vulnerabilities'));
+      medium.forEach(r => {
+        console.log(colorizer.medium(r.vulnerability + ' - ' + r.status));
+        console.log(colorizer.dim('  ' + r.description));
+        console.log(colorizer.dim('  URL: ' + r.url.substring(0, 80)));
+      });
+    }
+    console.log(colorizer.section('Summary'));
+    console.log(colorizer.dim('  Total Vulnerabilities: ' + this.results.length));
+    console.log(colorizer.critical('  Critical: ' + critical.length));
+    console.log(colorizer.high('  High: ' + high.length));
+    console.log(colorizer.medium('  Medium: ' + medium.length));
+    console.log(colorizer.low('  Low: ' + low.length));
+    const score = this.calculateRiskScore(critical.length, high.length, medium.length, low.length);
+    console.log(colorizer.section('Risk Score: ' +
+      (score >= 80 ? colorizer.red(score) :
+       score >= 50 ? colorizer.yellow(score) :
+       colorizer.green(score)) + '/100'));
+    console.log();
+  },
+  calculateRiskScore(critical, high, medium, low) {
+    return Math.min(100, (critical * 30) + (high * 20) + (medium * 10) + (low * 5));
+  },
+  exportResults(args) {
+    const filename = args[0] || 'vulnerability-assessment-' + Date.now() + '.json';
+    const report = {
+      timestamp: new Date().toISOString(),
+      results: this.results,
+      summary: {
+        total: this.results.length,
+        critical: this.results.filter(r => r.severity === 'CRITICAL').length,
+        high: this.results.filter(r => r.severity === 'HIGH').length,
+        medium: this.results.filter(r => r.severity === 'MEDIUM').length,
+        low: this.results.filter(r => r.severity === 'LOW').length
+      },
+      riskScore: this.calculateRiskScore(
+        this.results.filter(r => r.severity === 'CRITICAL').length,
+        this.results.filter(r => r.severity === 'HIGH').length,
+        this.results.filter(r => r.severity === 'MEDIUM').length,
+        this.results.filter(r => r.severity === 'LOW').length
+      )
+    };
+    return fs.writeFile(filename, JSON.stringify(report, null, 2))
+      .then(() => {
+        console.log(colorizer.success('Assessment report exported to: ' + filename + '\n'));
+      })
+      .catch(err => {
+        console.log(colorizer.error('Export failed: ' + err.message + '\n'));
+      });
+  }
+};
+module.exports = VulnerabilityAssessment;