@j3r3mcdev/scoring 1.0.0

package/src/rules/__tests__/rce.rule.test.ts

@@ -0,0 +1,42 @@
+import { RceRule } from "../rce.rules";
+
+describe("RCE Rule", () => {
+  const rule = new RceRule();
+
+  it("détecte un payload RCE", () => {
+    const ctx = {
+      events: [
+        {
+          id: "1",
+          source: "http" as const,
+          timestamp: Date.now(),
+          metadata: {},
+          payload: "test; bash -c 'ls'",
+        },
+      ],
+      chains: [],
+    };
+
+    expect(rule.applies(ctx)).toBe(true);
+    const findings = rule.execute(ctx);
+    expect(findings.length).toBe(1);
+    expect(findings[0].vulnerability).toBe("rce");
+  });
+
+  it("ne détecte rien sur un payload normal", () => {
+    const ctx = {
+      events: [
+        {
+          id: "1",
+          source: "http" as const,
+          timestamp: Date.now(),
+          metadata: {},
+          payload: "hello world",
+        },
+      ],
+      chains: [],
+    };
+
+    expect(rule.applies(ctx)).toBe(false);
+  });
+});

package/src/rules/__tests__/rule-registry.test.ts

@@ -0,0 +1,40 @@
+import { RuleRegistry } from "../rule-registry";
+
+describe("RuleRegistry", () => {
+  beforeEach(() => RuleRegistry.clear());
+
+  test("registers a rule", () => {
+    const rule = {
+      id: "r1",
+      name: "Test",
+      applies: () => false,
+      execute: () => [],
+    };
+
+    RuleRegistry.register(rule);
+
+    expect(RuleRegistry.getAll()).toContain(rule);
+  });
+
+  test("registers multiple rules", () => {
+    const r1 = { id: "r1", name: "A", applies: () => false, execute: () => [] };
+    const r2 = { id: "r2", name: "B", applies: () => false, execute: () => [] };
+
+    RuleRegistry.registerMany([r1, r2]);
+
+    expect(RuleRegistry.getAll()).toHaveLength(2);
+  });
+
+  test("clears registry", () => {
+    RuleRegistry.register({
+      id: "r1",
+      name: "A",
+      applies: () => false,
+      execute: () => [],
+    });
+
+    RuleRegistry.clear();
+
+    expect(RuleRegistry.getAll()).toHaveLength(0);
+  });
+});

package/src/rules/__tests__/ssrf.rule.test.ts

@@ -0,0 +1,42 @@
+import { SsrfRule } from "../ssrf.rules";
+
+describe("SSRF Rule", () => {
+  const rule = new SsrfRule();
+
+  it("détecte un payload SSRF", () => {
+    const ctx = {
+      events: [
+        {
+          id: "1",
+          source: "http" as const,
+          timestamp: Date.now(),
+          metadata: {},
+          payload: "http://169.254.169.254/latest/meta-data/",
+        },
+      ],
+      chains: [],
+    };
+
+    expect(rule.applies(ctx)).toBe(true);
+    const findings = rule.execute(ctx);
+    expect(findings.length).toBe(1);
+    expect(findings[0].vulnerability).toBe("ssrf");
+  });
+
+  it("ne détecte rien sur un payload normal", () => {
+    const ctx = {
+      events: [
+        {
+          id: "1",
+          source: "http" as const,
+          timestamp: Date.now(),
+          metadata: {},
+          payload: "https://example.com",
+        },
+      ],
+      chains: [],
+    };
+
+    expect(rule.applies(ctx)).toBe(false);
+  });
+});

package/src/rules/__tests__/waf.rule.test.ts

@@ -0,0 +1,40 @@
+import { WafRule } from "../waf.rules";
+
+describe("WAF Rule", () => {
+  const rule = new WafRule();
+
+  it("détecte un score WAF élevé", () => {
+    const ctx = {
+      events: [
+        {
+          id: "1",
+          source: "waf" as const,
+          timestamp: Date.now(),
+          metadata: { wafScore: 0.9 },
+        },
+      ],
+      chains: [],
+    };
+
+    expect(rule.applies(ctx)).toBe(true);
+    const findings = rule.execute(ctx);
+    expect(findings.length).toBe(1);
+    expect(findings[0].severity).toBe("critical");
+  });
+
+  it("ignore un score WAF nul", () => {
+    const ctx = {
+      events: [
+        {
+          id: "1",
+          source: "waf" as const,
+          timestamp: Date.now(),
+          metadata: { wafScore: 0 },
+        },
+      ],
+      chains: [],
+    };
+
+    expect(rule.applies(ctx)).toBe(false);
+  });
+});

package/src/rules/base-rule.ts

@@ -0,0 +1,43 @@
+import { Rule, RuleFinding, ScoringContext } from "../core/scoring-types";
+
+/**
+ * ─────────────────────────────────────────────────────────────
+ *  BASE RULE — Classe abstraite pour toutes les règles
+ *  Fournit des helpers communs et une structure standardisée.
+ * ─────────────────────────────────────────────────────────────
+ */
+export abstract class BaseRule implements Rule {
+  abstract id: string;
+  abstract name: string;
+  description?: string;
+
+  /**
+   * Vérifie si la règle doit s’appliquer au contexte.
+   * Chaque règle doit implémenter sa propre logique.
+   */
+  abstract applies(context: ScoringContext): boolean;
+
+  /**
+   * Exécute la règle et retourne un ou plusieurs findings.
+   */
+  abstract execute(context: ScoringContext): RuleFinding[];
+
+  /**
+   * Helper : sécurise un payload en string.
+   */
+  protected safeString(value: unknown): string {
+    if (typeof value === "string") return value;
+    try {
+      return JSON.stringify(value);
+    } catch {
+      return String(value ?? "");
+    }
+  }
+
+  /**
+   * Helper : teste si un input match au moins un regex.
+   */
+  protected matchAny(input: string, patterns: RegExp[]): boolean {
+    return patterns.some((regex) => regex.test(input));
+  }
+}

package/src/rules/dns.rules.ts

@@ -0,0 +1,50 @@
+import { Rule, RuleFinding, ScoringContext } from "../core/scoring-types";
+
+export class DnsRule implements Rule {
+  id = "dns-basic";
+  name = "Basic DNS Anomaly Detection";
+  description =
+    "Détecte des patterns DNS suspects (rebinding, domaines internes, etc.).";
+
+  applies(context: ScoringContext): boolean {
+    return context.events.some(
+      (evt) =>
+        evt.source === "dns" &&
+        typeof evt.payload === "string" &&
+        this.containsDnsAnomaly(evt.payload),
+    );
+  }
+
+  execute(context: ScoringContext): RuleFinding[] {
+    const findings: RuleFinding[] = [];
+
+    for (const evt of context.events) {
+      if (evt.source !== "dns" || typeof evt.payload !== "string") continue;
+
+      if (this.containsDnsAnomaly(evt.payload)) {
+        findings.push({
+          ruleId: this.id,
+          vulnerability: "dns",
+          score: 0.7,
+          severity: "medium",
+          details: `Anomalie DNS détectée : ${evt.payload}`,
+        });
+      }
+    }
+
+    return findings;
+  }
+
+  private containsDnsAnomaly(input: string): boolean {
+    const patterns = [
+      /localhost/i,
+      /127\.0\.0\.1/i,
+      /\[::1\]/i,
+      /internal/i,
+      /corp/i,
+      /localdomain/i,
+    ];
+
+    return patterns.some((regex) => regex.test(input));
+  }
+}

package/src/rules/http.rules.ts

@@ -0,0 +1,72 @@
+import { Rule, RuleFinding, ScoringContext } from "../core/scoring-types";
+
+/**
+ * ─────────────────────────────────────────────────────────────
+ *  HTTP RULE — Détection d’anomalies HTTP simples
+ *  Version minimaliste, sans heuristique lourde.
+ *  Compatible avec le moteur de scoring.
+ * ─────────────────────────────────────────────────────────────
+ */
+export class HttpRule implements Rule {
+  id = "http-basic";
+  name = "Basic HTTP Anomaly Detection";
+  description =
+    "Détecte des anomalies HTTP simples (méthodes, headers, chemins suspects).";
+
+  /**
+   * La règle s’applique si au moins un event HTTP contient une anomalie.
+   */
+  applies(context: ScoringContext): boolean {
+    return context.events.some(
+      (evt) => evt.source === "http" && this.containsHttpAnomaly(evt),
+    );
+  }
+
+  /**
+   * Retourne un ou plusieurs findings HTTP.
+   */
+  execute(context: ScoringContext): RuleFinding[] {
+    const findings: RuleFinding[] = [];
+
+    for (const evt of context.events) {
+      if (evt.source !== "http") continue;
+
+      if (this.containsHttpAnomaly(evt)) {
+        findings.push({
+          ruleId: this.id,
+          vulnerability: "http",
+          score: 0.6,
+          severity: "medium",
+          details: `Anomalie HTTP détectée sur l’événement ${evt.id}`,
+        });
+      }
+    }
+
+    return findings;
+  }
+
+  /**
+   * Détection simple d’anomalies HTTP.
+   */
+  private containsHttpAnomaly(evt: any): boolean {
+    const method = evt.metadata?.method?.toUpperCase?.() ?? "";
+    const path =
+      typeof evt.metadata?.path === "string" ? evt.metadata.path : "";
+    const headers = evt.metadata?.headers ?? {};
+
+    // Méthodes dangereuses
+    if (["TRACE", "TRACK"].includes(method)) return true;
+
+    // Path traversal dans l’URL
+    if (/\/\.\.\//.test(path)) return true;
+
+    // Headers suspects (URL rewriting)
+    if (typeof headers["x-original-url"] === "string") return true;
+    if (typeof headers["x-rewrite-url"] === "string") return true;
+
+    // Double slash anormal
+    if (/\/{2,}/.test(path)) return true;
+
+    return false;
+  }
+}

package/src/rules/index.ts

@@ -0,0 +1,35 @@
+/**
+ * ─────────────────────────────────────────────────────────────
+ *  RULES AUTO-LOAD — Version avancée et stable
+ *  Charge automatiquement toutes les règles du moteur.
+ * ─────────────────────────────────────────────────────────────
+ */
+
+import { RuleRegistry } from "./rule-registry";
+
+// Import de toutes les règles individuelles
+import { XssRule } from "./xss.rules";
+import { SqliRule } from "./sqli.rules";
+import { SsrfRule } from "./ssrf.rules";
+import { LfiRule } from "./lfi.rule";
+import { PathTraversalRule } from "./path-transversal.rule";
+import { DnsRule } from "./dns.rules";
+import { HttpRule } from "./http.rules";
+import { WafRule } from "./waf.rules";
+import { RceRule } from "./rce.rules";
+
+// Enregistrement global
+RuleRegistry.registerMany([
+  new XssRule(),
+  new SqliRule(),
+  new SsrfRule(),
+  new LfiRule(),
+  new PathTraversalRule(),
+  new DnsRule(),
+  new HttpRule(),
+  new WafRule(),
+  new RceRule(),
+]);
+
+// Export optionnel (utile pour debug ou tests)
+export const loadedRules = RuleRegistry.getAll();

package/src/rules/lfi.rule.ts

@@ -0,0 +1,76 @@
+import { Rule, RuleFinding, ScoringContext } from "../core/scoring-types";
+
+/**
+ * ─────────────────────────────────────────────────────────────
+ *  LFI RULE — Détection simple basée sur les patterns classiques
+ *  Version minimaliste, sans heuristique lourde.
+ *  Compatible avec le moteur de scoring.
+ * ─────────────────────────────────────────────────────────────
+ */
+export class LfiRule implements Rule {
+  id = "lfi-basic";
+  name = "Basic LFI Detection";
+  description =
+    "Détecte les patterns LFI classiques dans les événements normalisés.";
+
+  /**
+   * La règle s’applique si au moins un event contient un payload suspect.
+   */
+  applies(context: ScoringContext): boolean {
+    return context.events.some(
+      (evt) => typeof evt.payload === "string" && this.containsLfi(evt.payload),
+    );
+  }
+
+  /**
+   * Retourne un ou plusieurs findings LFI.
+   */
+  execute(context: ScoringContext): RuleFinding[] {
+    const findings: RuleFinding[] = [];
+
+    for (const evt of context.events) {
+      if (typeof evt.payload !== "string") continue;
+
+      if (this.containsLfi(evt.payload)) {
+        findings.push({
+          ruleId: this.id,
+          vulnerability: "lfi",
+          score: 0.85, // score brut (0 → 1)
+          severity: "high",
+          details: `Payload LFI détecté : ${evt.payload}`,
+        });
+      }
+    }
+
+    return findings;
+  }
+
+  /**
+   * Détection simple de patterns LFI.
+   */
+  private containsLfi(input: string): boolean {
+    const patterns = [
+      // Path traversal
+      /\.\.\//i,
+      /\.\.\\/, // Windows
+
+      // Accès à /etc/passwd
+      /\/etc\/passwd/i,
+
+      // Accès à des fichiers sensibles
+      /\/proc\/self/i,
+      /\/proc\/net/i,
+      /\/var\/log/i,
+
+      // Inclusion PHP
+      /php:\/\//i,
+      /data:\/\//i,
+
+      // Encodages
+      /%2e%2e%2f/i, // ../ encodé
+      /%2fetc%2fpasswd/i,
+    ];
+
+    return patterns.some((regex) => regex.test(input));
+  }
+}

package/src/rules/path-transversal.rule.ts

@@ -0,0 +1,65 @@
+import { Rule, RuleFinding, ScoringContext } from "../core/scoring-types";
+
+/**
+ * ─────────────────────────────────────────────────────────────
+ *  PATH TRAVERSAL RULE — Détection simple des patterns ../
+ *  Version minimaliste, sans heuristique lourde.
+ *  Compatible avec le moteur de scoring.
+ * ─────────────────────────────────────────────────────────────
+ */
+export class PathTraversalRule implements Rule {
+  id = "path-traversal-basic";
+  name = "Basic Path Traversal Detection";
+  description =
+    "Détecte les patterns de Path Traversal dans les événements normalisés.";
+
+  /**
+   * La règle s’applique si au moins un event contient un payload suspect.
+   */
+  applies(context: ScoringContext): boolean {
+    return context.events.some(
+      (evt) =>
+        typeof evt.payload === "string" &&
+        this.containsPathTraversal(evt.payload),
+    );
+  }
+
+  /**
+   * Retourne un ou plusieurs findings Path Traversal.
+   */
+  execute(context: ScoringContext): RuleFinding[] {
+    const findings: RuleFinding[] = [];
+
+    for (const evt of context.events) {
+      if (typeof evt.payload !== "string") continue;
+
+      if (this.containsPathTraversal(evt.payload)) {
+        findings.push({
+          ruleId: this.id,
+          vulnerability: "path_traversal",
+          score: 0.75, // score brut (0 → 1)
+          severity: "medium",
+          details: `Payload Path Traversal détecté : ${evt.payload}`,
+        });
+      }
+    }
+
+    return findings;
+  }
+
+  /**
+   * Détection simple de patterns Path Traversal.
+   */
+  private containsPathTraversal(input: string): boolean {
+    const patterns = [
+      /\.\.\//i, // ../
+      /\.\.\\/, // ..\ (Windows)
+      /%2e%2e%2f/i, // ../ encodé
+      /%2e%2e%5c/i, // ..\ encodé
+      /\/etc\/passwd/i,
+      /c:\\windows\\system32/i,
+    ];
+
+    return patterns.some((regex) => regex.test(input));
+  }
+}

package/src/rules/rce.rules.ts

@@ -0,0 +1,73 @@
+import { Rule, RuleFinding, ScoringContext } from "../core/scoring-types";
+
+/**
+ * ─────────────────────────────────────────────────────────────
+ *  RCE RULE — Détection simple de Remote Code Execution
+ *  Version minimaliste, sans heuristique lourde.
+ *  Compatible avec le moteur de scoring.
+ * ─────────────────────────────────────────────────────────────
+ */
+export class RceRule implements Rule {
+  id = "rce-basic";
+  name = "Basic RCE Detection";
+  description =
+    "Détecte des patterns classiques de Remote Code Execution dans les payloads.";
+
+  /**
+   * La règle s’applique si au moins un event contient un payload suspect.
+   */
+  applies(context: ScoringContext): boolean {
+    return context.events.some(
+      (evt) => typeof evt.payload === "string" && this.containsRce(evt.payload),
+    );
+  }
+
+  /**
+   * Retourne un ou plusieurs findings RCE.
+   */
+  execute(context: ScoringContext): RuleFinding[] {
+    const findings: RuleFinding[] = [];
+
+    for (const evt of context.events) {
+      if (typeof evt.payload !== "string") continue;
+
+      if (this.containsRce(evt.payload)) {
+        findings.push({
+          ruleId: this.id,
+          vulnerability: "rce",
+          score: 0.95, // score brut (0 → 1)
+          severity: "critical",
+          details: `Payload RCE détecté : ${evt.payload}`,
+        });
+      }
+    }
+
+    return findings;
+  }
+
+  /**
+   * Détection simple de patterns RCE.
+   */
+  private containsRce(input: string): boolean {
+    const patterns = [
+      // Command injection classiques
+      /;\s*rm\s+-rf\s+/i,
+      /;\s*curl\s+http/i,
+      /;\s*wget\s+http/i,
+      /;\s*nc\s+-e/i,
+      /;\s*bash\s+-c/i,
+
+      // Fonctions dangereuses
+      /system\s*\(/i,
+      /exec\s*\(/i,
+      /shell_exec\s*\(/i,
+      /passthru\s*\(/i,
+
+      // Substitution de commandes
+      /`[^`]+`/i,
+      /\$\([^)]*\)/i,
+    ];
+
+    return patterns.some((regex) => regex.test(input));
+  }
+}

package/src/rules/rule-registry.ts

@@ -0,0 +1,39 @@
+import { Rule } from "../core/scoring-types";
+
+/**
+ * ─────────────────────────────────────────────────────────────
+ *  RULE REGISTRY — Version avancée, stable
+ *  Gestion centralisée des règles du moteur.
+ * ─────────────────────────────────────────────────────────────
+ */
+export class RuleRegistry {
+  private static rules: Rule[] = [];
+
+  /**
+   * Enregistre une règle unique.
+   */
+  static register(rule: Rule): void {
+    this.rules.push(rule);
+  }
+
+  /**
+   * Enregistre plusieurs règles d'un coup.
+   */
+  static registerMany(rules: Rule[]): void {
+    this.rules.push(...rules);
+  }
+
+  /**
+   * Retourne toutes les règles enregistrées.
+   */
+  static getAll(): Rule[] {
+    return [...this.rules];
+  }
+
+  /**
+   * Vide la registry (utile pour les tests).
+   */
+  static clear(): void {
+    this.rules = [];
+  }
+}

package/src/rules/sqli.rules.ts

@@ -0,0 +1,69 @@
+import { Rule, RuleFinding, ScoringContext } from "../core/scoring-types";
+
+/**
+ * ─────────────────────────────────────────────────────────────
+ *  SQLi RULE — Détection simple basée sur les patterns classiques
+ *  Version minimaliste, sans heuristique lourde.
+ *  Compatible avec le moteur de scoring.
+ * ─────────────────────────────────────────────────────────────
+ */
+export class SqliRule implements Rule {
+  id = "sqli-basic";
+  name = "Basic SQL Injection Detection";
+  description =
+    "Détecte les patterns SQLi classiques dans les événements normalisés.";
+
+  /**
+   * La règle s’applique si au moins un event contient un payload suspect.
+   */
+  applies(context: ScoringContext): boolean {
+    return context.events.some(
+      (evt) =>
+        typeof evt.payload === "string" && this.containsSqli(evt.payload),
+    );
+  }
+
+  /**
+   * Retourne un ou plusieurs findings SQLi.
+   */
+  execute(context: ScoringContext): RuleFinding[] {
+    const findings: RuleFinding[] = [];
+
+    for (const evt of context.events) {
+      if (typeof evt.payload !== "string") continue;
+
+      if (this.containsSqli(evt.payload)) {
+        findings.push({
+          ruleId: this.id,
+          vulnerability: "sqli",
+          score: 0.9, // score brut (0 → 1)
+          severity: "critical",
+          details: `Payload SQLi détecté : ${evt.payload}`,
+        });
+      }
+    }
+
+    return findings;
+  }
+
+  /**
+   * Détection simple de patterns SQLi.
+   */
+  private containsSqli(input: string): boolean {
+    const patterns = [
+      /('|%27)\s*or\s*1=1/i,
+      /('|%27)\s*or\s*'1'='1/i,
+      /union\s+select/i,
+      /select\s+\*/i,
+      /insert\s+into/i,
+      /drop\s+table/i,
+      /--/i,
+      /#/i,
+      /sleep\s*\(/i,
+      /benchmark\s*\(/i,
+      /xp_cmdshell/i,
+    ];
+
+    return patterns.some((regex) => regex.test(input));
+  }
+}