@intentsolutionsio/penetration-tester 2.0.0 → 3.0.4

package/skills/checking-http-security-headers/scripts/check_headers.py

@@ -0,0 +1,362 @@
+#!/usr/bin/env python3
+"""HTTP security headers auditor.
+
+Companion to skill `checking-http-security-headers`. Probes the target
+GET response and grades each canonical security header.
+
+Checks performed:
+    1. Strict-Transport-Security — presence, max-age, includeSubDomains, preload
+    2. Content-Security-Policy — presence, unsafe-inline, unsafe-eval,
+       frame-ancestors
+    3. X-Frame-Options — present OR CSP frame-ancestors set
+    4. X-Content-Type-Options:nosniff
+    5. Referrer-Policy — present, not unsafe-url
+    6. Permissions-Policy
+    7. Server: header version disclosure
+    8. Cache-Control on authenticated endpoint
+
+References:
+    MDN — HTTP security headers
+    OWASP Secure Headers Project (https://owasp.org/www-project-secure-headers/)
+    Mozilla Observatory
+"""
+
+from __future__ import annotations
+
+import argparse
+import re
+import sys
+from pathlib import Path
+
+_PLUGIN_ROOT = Path(__file__).resolve().parents[3]
+if str(_PLUGIN_ROOT) not in sys.path:
+    sys.path.insert(0, str(_PLUGIN_ROOT))
+
+from lib.authz_check import require_authorization  # noqa: E402
+from lib.finding import Finding, Severity  # noqa: E402
+from lib.http_client import make_session, safe_get  # noqa: E402
+from lib.report import emit, exit_code  # noqa: E402
+
+SKILL_ID = "checking-http-security-headers"
+
+PRELOAD_MIN_MAX_AGE = 31536000  # 1 year (hstspreload.org requirement)
+
+
+def _check_hsts(headers: dict, target: str, is_https: bool) -> list[Finding]:
+    findings: list[Finding] = []
+    if not is_https:
+        return findings
+    hsts = headers.get("Strict-Transport-Security")
+    if not hsts:
+        return [
+            Finding(
+                skill_id=SKILL_ID,
+                title="Strict-Transport-Security header missing",
+                severity=Severity.HIGH,
+                target=target,
+                detail=(
+                    "No HSTS header on the HTTPS response. The first time a "
+                    "client visits the site over HTTPS (or any first-visit after "
+                    "their HSTS cache expires), an attacker on the network can "
+                    "rewrite the response to use HTTP — and clients have no "
+                    "pinning to refuse the downgrade."
+                ),
+                remediation=(
+                    "Add: `Strict-Transport-Security: max-age=31536000; "
+                    "includeSubDomains; preload`. nginx: `add_header "
+                    'Strict-Transport-Security "max-age=31536000; '
+                    'includeSubDomains; preload" always;`.'
+                ),
+                cwe_id="CWE-319",
+                owasp_category="A05:2021",
+                references=("https://hstspreload.org/",),
+            )
+        ]
+    # Parse max-age
+    m = re.search(r"max-age\s*=\s*(\d+)", hsts)
+    if m:
+        max_age = int(m.group(1))
+        if max_age < PRELOAD_MIN_MAX_AGE:
+            findings.append(
+                Finding(
+                    skill_id=SKILL_ID,
+                    title=f"HSTS max-age ({max_age}s) below preload threshold",
+                    severity=Severity.MEDIUM,
+                    target=target,
+                    detail=(
+                        f"HSTS max-age is {max_age}s. hstspreload.org requires "
+                        f"≥{PRELOAD_MIN_MAX_AGE}s (1 year) for preload-list "
+                        "submission."
+                    ),
+                    remediation=f"Increase max-age to {PRELOAD_MIN_MAX_AGE}.",
+                )
+            )
+    if "preload" in hsts.lower() and "includesubdomains" not in hsts.lower():
+        findings.append(
+            Finding(
+                skill_id=SKILL_ID,
+                title="HSTS preload directive without includeSubDomains",
+                severity=Severity.LOW,
+                target=target,
+                detail=("The preload directive requires includeSubDomains per hstspreload.org policy."),
+                remediation="Add `includeSubDomains` to the HSTS header value.",
+            )
+        )
+    return findings
+
+
+def _check_csp(headers: dict, target: str) -> list[Finding]:
+    findings: list[Finding] = []
+    csp = headers.get("Content-Security-Policy") or headers.get("Content-Security-Policy-Report-Only")
+    if not csp:
+        return [
+            Finding(
+                skill_id=SKILL_ID,
+                title="Content-Security-Policy header missing",
+                severity=Severity.HIGH,
+                target=target,
+                detail=(
+                    "No CSP. The browser will execute any inline script the "
+                    "server (or any injection vector) returns. Reflected and "
+                    "stored XSS classes are unmitigated."
+                ),
+                remediation=(
+                    "Start with a report-only policy: "
+                    "`Content-Security-Policy-Report-Only: default-src 'self'; "
+                    "report-uri /csp-report`. Move to enforcing once violations "
+                    "settle. See references/PLAYBOOK.md § CSP rollout."
+                ),
+                cwe_id="CWE-79",
+                owasp_category="A03:2021",
+            )
+        ]
+    if "'unsafe-inline'" in csp:
+        findings.append(
+            Finding(
+                skill_id=SKILL_ID,
+                title="CSP includes 'unsafe-inline'",
+                severity=Severity.MEDIUM,
+                target=target,
+                detail=(
+                    "'unsafe-inline' permits inline <script> and onclick= "
+                    "handlers. This is the most common XSS-protection bypass."
+                ),
+                remediation=(
+                    "Replace inline handlers with addEventListener; replace "
+                    "inline styles with classes; if migration is gradual, use "
+                    "nonce-source or hash-source CSP entries per script block."
+                ),
+                cwe_id="CWE-79",
+                owasp_category="A03:2021",
+            )
+        )
+    if "'unsafe-eval'" in csp:
+        findings.append(
+            Finding(
+                skill_id=SKILL_ID,
+                title="CSP includes 'unsafe-eval'",
+                severity=Severity.MEDIUM,
+                target=target,
+                detail=(
+                    "'unsafe-eval' permits eval(), new Function(), and similar. "
+                    "Most modern frameworks (React/Vue/Angular in production "
+                    "mode) don't need this."
+                ),
+                remediation=(
+                    "Audit dependencies for eval usage; replace or upgrade. "
+                    "Common offenders: older Angular dev mode, older Vue "
+                    "with template-runtime."
+                ),
+            )
+        )
+    return findings
+
+
+def _check_clickjacking(headers: dict, target: str) -> list[Finding]:
+    xfo = headers.get("X-Frame-Options", "").lower()
+    csp = (headers.get("Content-Security-Policy") or "").lower()
+    if xfo or "frame-ancestors" in csp:
+        return []
+    return [
+        Finding(
+            skill_id=SKILL_ID,
+            title="No clickjacking protection (X-Frame-Options + frame-ancestors both absent)",
+            severity=Severity.HIGH,
+            target=target,
+            detail=(
+                "Neither X-Frame-Options nor CSP frame-ancestors is set. The "
+                "page can be embedded in an attacker's iframe and used for "
+                "UI-redress (clickjacking) attacks against authenticated "
+                "users."
+            ),
+            remediation=(
+                "Add `X-Frame-Options: DENY` for pages never embedded, or "
+                "`Content-Security-Policy: frame-ancestors 'self' "
+                "https://embedded-by.example.com` for selective embedding."
+            ),
+            cwe_id="CWE-1021",
+        )
+    ]
+
+
+def _check_nosniff(headers: dict, target: str) -> list[Finding]:
+    if headers.get("X-Content-Type-Options", "").lower() == "nosniff":
+        return []
+    return [
+        Finding(
+            skill_id=SKILL_ID,
+            title="X-Content-Type-Options:nosniff missing",
+            severity=Severity.MEDIUM,
+            target=target,
+            detail=(
+                "Without nosniff, browsers may MIME-sniff a response served "
+                "as text/plain and execute it as JavaScript if it looks "
+                "script-shaped. Closes a class of file-upload XSS."
+            ),
+            remediation="Add `X-Content-Type-Options: nosniff` to every response.",
+            cwe_id="CWE-79",
+        )
+    ]
+
+
+def _check_referrer(headers: dict, target: str) -> list[Finding]:
+    rp = headers.get("Referrer-Policy", "").lower()
+    if not rp:
+        return [
+            Finding(
+                skill_id=SKILL_ID,
+                title="Referrer-Policy missing",
+                severity=Severity.MEDIUM,
+                target=target,
+                detail=(
+                    "Without a Referrer-Policy, the browser uses no-referrer-"
+                    "when-downgrade by default — internal URLs leak to external "
+                    "sites the user navigates to."
+                ),
+                remediation=("Add `Referrer-Policy: strict-origin-when-cross-origin` (the modern recommendation)."),
+            )
+        ]
+    if rp in ("unsafe-url",):
+        return [
+            Finding(
+                skill_id=SKILL_ID,
+                title=f"Referrer-Policy:{rp} leaks full URL cross-origin",
+                severity=Severity.MEDIUM,
+                target=target,
+                detail="unsafe-url sends the full URL to every cross-origin destination.",
+                remediation="Change to `strict-origin-when-cross-origin`.",
+            )
+        ]
+    return []
+
+
+def _check_permissions_policy(headers: dict, target: str) -> list[Finding]:
+    if headers.get("Permissions-Policy"):
+        return []
+    return [
+        Finding(
+            skill_id=SKILL_ID,
+            title="Permissions-Policy header missing",
+            severity=Severity.LOW,
+            target=target,
+            detail=(
+                "Without Permissions-Policy, the browser permits the page to "
+                "request all device capabilities (camera, mic, geo, USB, "
+                "serial). On a public-content page these should be denied by "
+                "default."
+            ),
+            remediation=(
+                "Add `Permissions-Policy: camera=(), microphone=(), "
+                "geolocation=(), interest-cohort=()` (deny-all baseline)."
+            ),
+        )
+    ]
+
+
+def _check_server_disclosure(headers: dict, target: str) -> list[Finding]:
+    server = headers.get("Server", "")
+    if re.search(r"\d+\.\d+", server):
+        return [
+            Finding(
+                skill_id=SKILL_ID,
+                title=f"Server header discloses version: {server}",
+                severity=Severity.LOW,
+                target=target,
+                detail=(
+                    "The Server header includes a version number, letting "
+                    "fingerprinters target known CVEs in that exact version."
+                ),
+                remediation=(
+                    "nginx: `server_tokens off;`. "
+                    "Apache: `ServerTokens Prod`. "
+                    "Caddy: omit version by default (Caddy 2.x doesn't disclose)."
+                ),
+                cwe_id="CWE-200",
+            )
+        ]
+    return []
+
+
+def _check_cache_control(headers: dict, target: str, authenticated: bool) -> list[Finding]:
+    cc = headers.get("Cache-Control", "").lower()
+    if authenticated and ("public" in cc or "max-age" in cc and "private" not in cc and "no-store" not in cc):
+        return [
+            Finding(
+                skill_id=SKILL_ID,
+                title="Authenticated endpoint allows shared caching",
+                severity=Severity.HIGH,
+                target=target,
+                detail=(
+                    "Authenticated content with public-cacheable Cache-Control "
+                    "can be served by shared caches (CDN, corporate proxy) to "
+                    "different users — one user's authenticated response leaks "
+                    "to another."
+                ),
+                remediation=("Set `Cache-Control: private, no-store` on every authenticated endpoint."),
+                cwe_id="CWE-525",
+            )
+        ]
+    return []
+
+
+def main(argv: list[str] | None = None) -> int:
+    parser = argparse.ArgumentParser(description="HTTP security headers auditor")
+    parser.add_argument("url")
+    parser.add_argument("--authorized", action="store_true")
+    parser.add_argument("--output", default=None)
+    parser.add_argument("--format", choices=("json", "jsonl", "markdown"), default="markdown")
+    parser.add_argument("--min-severity", choices=("critical", "high", "medium", "low", "info"), default="info")
+    parser.add_argument("--timeout", type=float, default=10.0)
+    parser.add_argument("--authenticated", action="store_true", help="Apply stricter Cache-Control checks")
+    args = parser.parse_args(argv)
+
+    require_authorization(args.url, args.authorized)
+
+    sess = make_session(timeout=args.timeout)
+    resp = safe_get(sess, args.url, timeout=args.timeout)
+    if resp is None:
+        sys.stderr.write(f"ERROR: target {args.url!r} unreachable\n")
+        return 2
+
+    is_https = args.url.lower().startswith("https://")
+    target = args.url
+
+    findings: list[Finding] = []
+    findings.extend(_check_hsts(dict(resp.headers), target, is_https))
+    findings.extend(_check_csp(dict(resp.headers), target))
+    findings.extend(_check_clickjacking(dict(resp.headers), target))
+    findings.extend(_check_nosniff(dict(resp.headers), target))
+    findings.extend(_check_referrer(dict(resp.headers), target))
+    findings.extend(_check_permissions_policy(dict(resp.headers), target))
+    findings.extend(_check_server_disclosure(dict(resp.headers), target))
+    findings.extend(_check_cache_control(dict(resp.headers), target, args.authenticated))
+
+    floor = Severity(args.min_severity)
+    findings = [f for f in findings if f.severity.numeric >= floor.numeric]
+
+    emit(findings, args.output, args.format, target)
+    return exit_code(findings)
+
+
+if __name__ == "__main__":
+    sys.exit(main())

package/skills/checking-license-compliance/SKILL.md

@@ -0,0 +1,225 @@
+---
+name: checking-license-compliance
+description: |
+  Audit a project's dependency licenses against an explicit policy
+  (allow-list / deny-list / review-required) and flag incompatibilities
+  before they ship to production. Reads SPDX license identifiers from
+  npm package manifests, Python METADATA / PKG-INFO files, and
+  pyproject.toml; classifies each license by family (permissive,
+  weak-copyleft, strong-copyleft, proprietary, unknown); detects
+  copyleft contamination and SPDX-incompatible license combinations.
+  Use when: pre-release legal review, M&A code-audit due diligence,
+  preparing an OSS attribution NOTICE file, or switching a project's
+  own license.
+  Threshold: any GPL-family license in a project declaring MIT or
+  Apache-2.0; any UNKNOWN-license package; any metadata-vs-source
+  license mismatch.
+  Trigger with: "check licenses", "license compliance audit",
+  "SPDX scan", "GPL contamination check".
+allowed-tools:
+  - Read
+  - Bash(python3:*)
+  - Bash(pip:*)
+  - Bash(npm:*)
+  - Glob
+disallowed-tools:
+  - Bash(rm:*)
+  - Bash(curl:*)
+  - Bash(wget:*)
+  - Write(.env)
+  - Edit(.env)
+version: 3.0.0-dev
+author: Jeremy Longshore <jeremy@intentsolutions.io>
+license: MIT
+compatibility: Designed for Claude Code
+tags:
+  - security
+  - licensing
+  - spdx
+  - compliance
+  - pentest
+---
+
+# Checking License Compliance
+
+## Overview
+
+License compliance is a security concern only in the indirect sense
+that an unintended license obligation can force you to release
+proprietary source code, retroactively invalidate a customer
+contract, or render an M&A transaction infeasible. The cost is
+legal and contractual rather than exploitative — but the
+consequence ladder is real.
+
+The most-stepped-on landmine is **copyleft contamination**:
+unintentionally including a GPL or AGPL-licensed package in a
+codebase the rest of which is permissively licensed (MIT, Apache-2.0,
+BSD). The terms of the GPL family say that any project distributing
+GPL code MUST itself release source under a GPL-compatible license.
+If your `package.json` says MIT and one of your transitive deps is
+GPL-2.0, you may be obligated to either re-license your code or
+remove the dep.
+
+This skill audits the resolved dependency tree against an explicit
+policy file and emits findings for:
+
+- Direct deps with deny-listed licenses
+- Transitive deps with deny-listed licenses
+- Packages with UNKNOWN license metadata (no SPDX identifier)
+- License conflicts between metadata and source headers
+- Combinations of licenses that are mutually incompatible (e.g.
+  GPL-2.0 + Apache-2.0 without a patent grant)
+
+## When the skill produces findings
+
+| Finding | Severity | Threshold | Affected control |
+|---|---|---|---|
+| Strong-copyleft in permissive project | **CRITICAL** | GPL-2.0/3.0, AGPL-3.0, or similar in a project declaring MIT/Apache-2.0/BSD | (legal) |
+| Weak-copyleft requiring source disclosure | **HIGH** | LGPL family in a project where the obligation isn't being met (no source-availability commitment) | (legal) |
+| Custom / non-SPDX license | **HIGH** | License field doesn't match SPDX expression syntax; requires legal review | (legal) |
+| Unknown license | **MEDIUM** | Package has no `license` field, no LICENSE file detected | (legal) |
+| Deny-listed license (per policy) | **HIGH** | Package license is in the explicit deny-list in the policy file | (legal) |
+| Review-required license (per policy) | **MEDIUM** | Package license is in the review-list (e.g. MPL-2.0) | (legal) |
+| Incompatible license combination | **HIGH** | Detected pair of licenses known to conflict (e.g. GPL-2.0-only + Apache-2.0) | (legal) |
+| License declared differently in metadata vs source headers | **MEDIUM** | LICENSE file says one license; per-file SPDX-License-Identifier headers say another | (legal) |
+| Permissive license requiring attribution | **INFO** | MIT/BSD/Apache-2.0 — emit reminder that NOTICE / attribution file should list the package | (informational) |
+
+## Prerequisites
+
+- Python 3.9+
+- Target project with EITHER a `package.json` + `node_modules/`
+  OR a Python project (`pyproject.toml`/`requirements.txt`/
+  installed venv)
+- Policy file at `./.license-policy.json` (auto-detected) or
+  passed via `--policy`. If absent, the skill uses a built-in
+  default policy that flags strong copyleft for permissive parent
+  projects.
+
+## Instructions
+
+### Step 1 — Identify the project's own declared license
+
+The skill reads the project's top-level license from:
+
+- npm: `package.json`'s `license` field
+- Python: `pyproject.toml`'s `[project].license` table OR
+  `setup.cfg`'s `license` field
+
+If the project's own license isn't declared, the skill emits a
+FATAL operational finding — license compliance can't be checked
+without a baseline. Add a `license` field before running.
+
+### Step 2 — Identify policy
+
+The policy file is JSON:
+
+```json
+{
+  "allow": ["MIT", "BSD-3-Clause", "Apache-2.0", "ISC", "BSD-2-Clause"],
+  "deny":  ["GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only", "AGPL-3.0-or-later"],
+  "review": ["MPL-2.0", "EPL-2.0", "CDDL-1.0", "LGPL-3.0-or-later"],
+  "project_license": "MIT"
+}
+```
+
+`allow`: licenses that pass without comment.
+`deny`: licenses that produce a finding regardless of project license.
+`review`: licenses that produce a MEDIUM-severity finding for legal review.
+`project_license`: enforced — if the project declares this but a dep is in `deny`, finding is CRITICAL.
+
+### Step 3 — Run the scanner
+
+```bash
+python3 ./scripts/check_licenses.py /path/to/project
+```
+
+Options:
+
+```
+Usage: check_licenses.py PATH [OPTIONS]
+
+Options:
+  --output FILE      Write findings to FILE (default: stdout)
+  --format FMT       json | jsonl | markdown (default: markdown)
+  --min-severity SEV (default: info)
+  --policy FILE      Override default policy
+  --emit-attribution  Also emit an attribution file (NOTICE.md) listing
+                     every permissive-licensed dep that requires attribution
+```
+
+### Step 4 — Interpret findings
+
+CRITICAL findings block release pending legal review. Either remove
+the offending dep, replace it with a permissively-licensed
+alternative, or escalate to legal for a written exception.
+
+HIGH findings require legal sign-off but don't necessarily block
+release if the legal posture (e.g. service-only deployment under
+AGPL) makes the obligation moot.
+
+MEDIUM findings should be reviewed quarterly and either resolved
+or moved into an explicit exception list.
+
+INFO findings are reminders that an attribution / NOTICE file
+should reference these packages.
+
+## Examples
+
+### Example 1 — Pre-release legal gate
+
+```bash
+python3 ./scripts/check_licenses.py . --min-severity high --format json --output license-audit.json
+jq -e '. == []' license-audit.json || { echo "License finding — legal review required"; exit 1; }
+```
+
+### Example 2 — Generate attribution file
+
+```bash
+python3 ./scripts/check_licenses.py . --emit-attribution --format markdown --output NOTICE.md
+```
+
+### Example 3 — M&A due diligence
+
+```bash
+mkdir -p evidence/legal/
+python3 ./scripts/check_licenses.py target-acquisition-codebase/ \
+    --format json \
+    --output evidence/legal/license-audit-$(date +%Y%m%d).json
+```
+
+## Output
+
+JSON / JSONL / Markdown per `lib/report.py`. Exit codes: 0 clean,
+1 high/critical, 2 error.
+
+Each Finding includes:
+
+- `id` — `license-compliance::<package>::<license-id>`
+- `severity` — CRITICAL / HIGH / MEDIUM / LOW / INFO
+- `category` — `license-compliance`
+- `summary` — what's wrong
+- `evidence` — package name, declared license, project license, policy match
+- `references` — SPDX URL for the license, package home page
+
+## Error Handling
+
+- **No project license** → emits an INFO/operational finding
+  recommending the operator add a `license` field, exits 2.
+- **Unparseable policy file** → exits 2 with a parser error message.
+- **Package with malformed license field** → treated as UNKNOWN
+  license, emits MEDIUM finding.
+- **No SPDX identifier in source headers** → emits INFO finding
+  reminding that SPDX header convention catches contamination at
+  the file level.
+
+## Resources
+
+- `references/THEORY.md` — SPDX license expression syntax, family
+  classifications, copyleft propagation theory, common license
+  incompatibilities, when LGPL static linking matters, AGPL
+  service-distribution clauses, public-domain edge cases (CC0 vs
+  unlicense)
+- `references/PLAYBOOK.md` — Default policy templates per project
+  type (proprietary product, OSS library, internal-only tool, SaaS
+  service), attribution file generation, legal-counsel handoff
+  templates, replacing copyleft deps with permissive alternatives