@kirrosh/zond 0.22.0 → 0.26.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +811 -0
- package/README.md +59 -6
- package/package.json +9 -7
- package/src/CLAUDE.md +112 -0
- package/src/cli/argv.ts +122 -0
- package/src/cli/commands/add-api.ts +146 -0
- package/src/cli/commands/api/annotate/idempotency.ts +59 -0
- package/src/cli/commands/api/annotate/index.ts +880 -0
- package/src/cli/commands/api/annotate/lifecycle.ts +74 -0
- package/src/cli/commands/api/annotate/overlay.ts +206 -0
- package/src/cli/commands/api/annotate/pagination.ts +64 -0
- package/src/cli/commands/api/annotate/prompts.ts +220 -0
- package/src/cli/commands/api/annotate/readback.ts +58 -0
- package/src/cli/commands/api/annotate/resources.ts +91 -0
- package/src/cli/commands/api/annotate/seed-bodies.ts +61 -0
- package/src/cli/commands/audit.ts +786 -0
- package/src/cli/commands/catalog.ts +35 -0
- package/src/cli/commands/check.ts +361 -0
- package/src/cli/commands/checks.ts +1072 -0
- package/src/cli/commands/ci-init.ts +43 -0
- package/src/cli/commands/clean.ts +212 -0
- package/src/cli/commands/cleanup.ts +236 -0
- package/src/cli/commands/completions.ts +16 -0
- package/src/cli/commands/coverage.ts +823 -132
- package/src/cli/commands/db.ts +486 -12
- package/src/cli/commands/describe.ts +37 -2
- package/src/cli/commands/discover.ts +1356 -0
- package/src/cli/commands/doctor.ts +661 -0
- package/src/cli/commands/fixtures.ts +402 -0
- package/src/cli/commands/generate.ts +438 -47
- package/src/cli/commands/init/bootstrap.ts +34 -2
- package/src/cli/commands/{init.ts → init/index.ts} +99 -5
- package/src/cli/commands/init/skills.ts +99 -3
- package/src/cli/commands/init/templates/agents.md +77 -64
- package/src/cli/commands/init/templates/skills/warm-up-target.md +122 -0
- package/src/cli/commands/init/templates/skills/zond-checks.md +621 -0
- package/src/cli/commands/init/templates/skills/zond-seed.md +114 -0
- package/src/cli/commands/init/templates/skills/zond-triage.md +272 -0
- package/src/cli/commands/init/templates/skills/zond.md +802 -125
- package/src/cli/commands/init/templates/zond-config.yml +8 -9
- package/src/cli/commands/prepare-fixtures.ts +97 -0
- package/src/cli/commands/probe/_seed-bodies.ts +52 -0
- package/src/cli/commands/probe/mass-assignment.ts +594 -0
- package/src/cli/commands/probe/security.ts +537 -0
- package/src/cli/commands/probe/static.ts +255 -0
- package/src/cli/commands/probe/webhooks.ts +163 -0
- package/src/cli/commands/probe.ts +535 -0
- package/src/cli/commands/reference.ts +87 -0
- package/src/cli/commands/refresh-api.ts +227 -0
- package/src/cli/commands/remove-api.ts +150 -0
- package/src/cli/commands/report-bundle.ts +310 -0
- package/src/cli/commands/report.ts +241 -0
- package/src/cli/commands/request.ts +495 -4
- package/src/cli/commands/run.ts +870 -53
- package/src/cli/commands/schema-from-runs.ts +128 -0
- package/src/cli/commands/secrets.ts +133 -0
- package/src/cli/commands/session.ts +244 -0
- package/src/cli/commands/use.ts +18 -1
- package/src/cli/index.ts +20 -3
- package/src/cli/json-envelope.ts +92 -3
- package/src/cli/json-schemas.ts +314 -0
- package/src/cli/output.ts +17 -1
- package/src/cli/program.ts +199 -635
- package/src/cli/resolve.ts +105 -0
- package/src/cli/safe-live.ts +24 -0
- package/src/cli/status-filter.ts +114 -0
- package/src/cli/util/api-context.ts +85 -0
- package/src/cli/version.ts +5 -0
- package/src/core/audit/persist.ts +183 -0
- package/src/core/checks/budget.ts +59 -0
- package/src/core/checks/checks/_crud-helpers.ts +133 -0
- package/src/core/checks/checks/_negative_mutator.ts +133 -0
- package/src/core/checks/checks/_readback-helpers.ts +133 -0
- package/src/core/checks/checks/content_type_conformance.ts +39 -0
- package/src/core/checks/checks/cross_call_references.ts +147 -0
- package/src/core/checks/checks/cursor_boundary_fuzzing.ts +219 -0
- package/src/core/checks/checks/ensure_resource_availability.ts +62 -0
- package/src/core/checks/checks/idempotency_replay.ts +242 -0
- package/src/core/checks/checks/ignored_auth.ts +254 -0
- package/src/core/checks/checks/index.ts +68 -0
- package/src/core/checks/checks/lifecycle_transitions.ts +416 -0
- package/src/core/checks/checks/missing_required_header.ts +40 -0
- package/src/core/checks/checks/negative_data_rejection.ts +148 -0
- package/src/core/checks/checks/not_a_server_error.ts +35 -0
- package/src/core/checks/checks/open_cors_on_sensitive.ts +160 -0
- package/src/core/checks/checks/pagination_invariants.ts +419 -0
- package/src/core/checks/checks/positive_data_acceptance.ts +33 -0
- package/src/core/checks/checks/rate_limit_headers_absent.ts +77 -0
- package/src/core/checks/checks/response_headers_conformance.ts +74 -0
- package/src/core/checks/checks/response_schema_conformance.ts +30 -0
- package/src/core/checks/checks/status_code_conformance.ts +132 -0
- package/src/core/checks/checks/unsupported_method.ts +63 -0
- package/src/core/checks/checks/use_after_free.ts +78 -0
- package/src/core/checks/index.ts +30 -0
- package/src/core/checks/mode.ts +82 -0
- package/src/core/checks/recommended-action.ts +68 -0
- package/src/core/checks/registry.ts +78 -0
- package/src/core/checks/runner.ts +1461 -0
- package/src/core/checks/sarif.ts +230 -0
- package/src/core/checks/spec-findings.ts +308 -0
- package/src/core/checks/stateful.ts +121 -0
- package/src/core/checks/types.ts +305 -0
- package/src/core/checks/zond-extensions.ts +73 -0
- package/src/core/classifier/recommended-action.ts +251 -0
- package/src/core/context/current.ts +22 -6
- package/src/core/context/session.ts +78 -0
- package/src/core/coverage/loader.ts +216 -0
- package/src/core/coverage/reasons.ts +300 -0
- package/src/core/diagnostics/db-analysis.ts +293 -59
- package/src/core/diagnostics/failure-class.ts +140 -0
- package/src/core/diagnostics/failure-hints.ts +88 -89
- package/src/core/diagnostics/spec-pointer.ts +99 -0
- package/src/core/diagnostics/suggested-fixes.ts +155 -0
- package/src/core/exporter/case-study/index.ts +270 -0
- package/src/core/exporter/curl.ts +40 -0
- package/src/core/exporter/exporter.ts +48 -0
- package/src/core/exporter/html-report/escape.ts +24 -0
- package/src/core/exporter/html-report/index.ts +479 -0
- package/src/core/exporter/html-report/script.ts +100 -0
- package/src/core/exporter/html-report/styles.ts +408 -0
- package/src/core/generator/chunker.ts +38 -19
- package/src/core/generator/coverage-phase.ts +0 -0
- package/src/core/generator/data-factory.ts +586 -22
- package/src/core/generator/describe.ts +1 -1
- package/src/core/generator/fixtures-builder.ts +332 -0
- package/src/core/generator/index.ts +5 -5
- package/src/core/generator/openapi-reader.ts +135 -7
- package/src/core/generator/path-param-disambig.ts +140 -0
- package/src/core/generator/resources-builder.ts +898 -0
- package/src/core/generator/schema-utils.ts +33 -3
- package/src/core/generator/serializer.ts +103 -13
- package/src/core/generator/suite-generator.ts +583 -122
- package/src/core/generator/types.ts +14 -0
- package/src/core/identity/identity-file.ts +0 -0
- package/src/core/lint/affects.ts +28 -0
- package/src/core/lint/config.ts +96 -0
- package/src/core/lint/format.ts +42 -0
- package/src/core/lint/index.ts +94 -0
- package/src/core/lint/reporter.ts +128 -0
- package/src/core/lint/rules/consistency.ts +158 -0
- package/src/core/lint/rules/heuristics.ts +97 -0
- package/src/core/lint/rules/strictness.ts +109 -0
- package/src/core/lint/types.ts +96 -0
- package/src/core/lint/walker.ts +248 -0
- package/src/core/meta/meta-store.ts +6 -73
- package/src/core/output/README.md +73 -0
- package/src/core/output/index.ts +13 -0
- package/src/core/output/run.ts +91 -0
- package/src/core/output/types.ts +122 -0
- package/src/core/parser/dynamic-values.ts +160 -0
- package/src/core/parser/env-interpolation.ts +104 -0
- package/src/core/parser/filter.ts +57 -0
- package/src/core/parser/schema.ts +129 -4
- package/src/core/parser/types.ts +19 -1
- package/src/core/parser/variables.ts +0 -0
- package/src/core/parser/yaml-parser.ts +58 -12
- package/src/core/probe/bootstrap.ts +34 -0
- package/src/core/probe/dry-run-envelope.ts +61 -0
- package/src/core/probe/mass-assignment/classify.ts +175 -0
- package/src/core/probe/mass-assignment/cleanup.ts +52 -0
- package/src/core/probe/mass-assignment/digest.ts +114 -0
- package/src/core/probe/mass-assignment/orchestrator.ts +459 -0
- package/src/core/probe/mass-assignment/regression.ts +141 -0
- package/src/core/probe/mass-assignment/suspects.ts +92 -0
- package/src/core/probe/mass-assignment/types.ts +135 -0
- package/src/core/probe/mass-assignment-probe-class.ts +198 -0
- package/src/core/probe/mass-assignment-probe.ts +27 -0
- package/src/core/probe/mass-assignment-template.ts +240 -0
- package/src/core/probe/method-probe.ts +43 -76
- package/src/core/probe/method-shared.ts +69 -0
- package/src/core/probe/negative-probe.ts +183 -149
- package/src/core/probe/orphan-tracker.ts +188 -0
- package/src/core/probe/path-discovery.ts +439 -0
- package/src/core/probe/probe-harness.ts +119 -0
- package/src/core/probe/registry.ts +89 -0
- package/src/core/probe/runner.ts +136 -0
- package/src/core/probe/security/baseline.ts +174 -0
- package/src/core/probe/security/classify.ts +341 -0
- package/src/core/probe/security/cleanup.ts +125 -0
- package/src/core/probe/security/detectors.ts +71 -0
- package/src/core/probe/security/digest.ts +104 -0
- package/src/core/probe/security/orchestrator.ts +398 -0
- package/src/core/probe/security/regression.ts +103 -0
- package/src/core/probe/security/types.ts +151 -0
- package/src/core/probe/security-probe-class.ts +207 -0
- package/src/core/probe/security-probe.ts +32 -0
- package/src/core/probe/shared.ts +531 -0
- package/src/core/probe/static-probe-class.ts +125 -0
- package/src/core/probe/types.ts +165 -0
- package/src/core/probe/verdict-aggregator.ts +33 -0
- package/src/core/probe/webhooks-probe.ts +282 -0
- package/src/core/reporter/console.ts +41 -2
- package/src/core/reporter/index.ts +2 -3
- package/src/core/reporter/json.ts +11 -1
- package/src/core/reporter/junit.ts +27 -12
- package/src/core/reporter/ndjson.ts +37 -0
- package/src/core/reporter/types.ts +3 -0
- package/src/core/runner/assertions.ts +59 -2
- package/src/core/runner/async-pool.ts +108 -0
- package/src/core/runner/auth-path.ts +8 -0
- package/src/core/runner/ci-context.ts +72 -0
- package/src/core/runner/executor.ts +265 -36
- package/src/core/runner/form-encode.ts +41 -0
- package/src/core/runner/http-client.ts +112 -2
- package/src/core/runner/learn-drift.ts +293 -0
- package/src/core/runner/preflight-vars.ts +153 -0
- package/src/core/runner/progress-tracker.ts +73 -0
- package/src/core/runner/rate-limiter.ts +87 -33
- package/src/core/runner/run-kind.ts +45 -0
- package/src/core/runner/schema-validator.ts +308 -0
- package/src/core/runner/send-request.ts +158 -20
- package/src/core/runner/types.ts +44 -0
- package/src/core/secrets/registry.ts +164 -0
- package/src/core/secrets/secrets-file.ts +115 -0
- package/src/core/selectors/operation-filter.ts +144 -0
- package/src/core/setup-api.ts +457 -20
- package/src/core/severity/category.ts +94 -0
- package/src/core/severity/index.ts +58 -0
- package/src/core/spec/infer-schema.ts +102 -0
- package/src/core/spec/layers.ts +154 -0
- package/src/core/spec/merge-specs.ts +156 -0
- package/src/core/spec/schema-from-runs.ts +117 -0
- package/src/core/spec/schema-overlay.ts +130 -0
- package/src/core/util/ajv.ts +13 -0
- package/src/core/util/format-eta.ts +21 -0
- package/src/core/util/headers.ts +9 -0
- package/src/core/util/url.ts +24 -0
- package/src/core/utils.ts +5 -1
- package/src/core/workspace/config.ts +129 -0
- package/src/core/workspace/fixture-gap-report.ts +84 -0
- package/src/core/workspace/fixture-gaps.ts +71 -0
- package/src/core/workspace/manifest.ts +283 -0
- package/src/core/workspace/output-rotation.ts +62 -0
- package/src/core/workspace/root.ts +13 -11
- package/src/core/workspace/triage-path.ts +87 -0
- package/src/db/lint-runs.ts +47 -0
- package/src/db/migrate.ts +128 -0
- package/src/db/migrations/0001_run_kind.sql +25 -0
- package/src/db/migrations/0002_run_kind_request.sql +59 -0
- package/src/db/migrations/sql.d.ts +4 -0
- package/src/db/queries/collections.ts +133 -0
- package/src/db/queries/coverage.ts +9 -0
- package/src/db/queries/dashboard.ts +59 -0
- package/src/db/queries/results.ts +216 -0
- package/src/db/queries/runs.ts +289 -0
- package/src/db/queries/sessions.ts +42 -0
- package/src/db/queries/settings.ts +28 -0
- package/src/db/queries/types.ts +172 -0
- package/src/db/queries.ts +75 -802
- package/src/db/schema.ts +178 -50
- package/src/cli/commands/export.ts +0 -144
- package/src/cli/commands/guide.ts +0 -127
- package/src/cli/commands/init/templates/skills/scenarios.md +0 -97
- package/src/cli/commands/probe-methods.ts +0 -108
- package/src/cli/commands/probe-validation.ts +0 -124
- package/src/cli/commands/serve.ts +0 -114
- package/src/cli/commands/sync.ts +0 -268
- package/src/cli/commands/update.ts +0 -189
- package/src/cli/commands/validate.ts +0 -34
- package/src/core/diagnostics/render-md.ts +0 -112
- package/src/core/exporter/postman.ts +0 -963
- package/src/core/generator/guide-builder.ts +0 -253
- package/src/core/meta/types.ts +0 -19
- package/src/core/parser/index.ts +0 -21
- package/src/core/runner/execute-run.ts +0 -132
- package/src/core/runner/index.ts +0 -12
- package/src/core/sync/spec-differ.ts +0 -38
- package/src/web/data/collection-state.ts +0 -362
- package/src/web/routes/api.ts +0 -314
- package/src/web/routes/dashboard.ts +0 -350
- package/src/web/routes/runs.ts +0 -64
- package/src/web/schemas.ts +0 -121
- package/src/web/server.ts +0 -134
- package/src/web/static/htmx.min.cjs +0 -1
- package/src/web/static/style.css +0 -1148
- package/src/web/views/endpoints-tab.ts +0 -174
- package/src/web/views/explorer-tab.ts +0 -402
- package/src/web/views/health-strip.ts +0 -92
- package/src/web/views/layout.ts +0 -48
- package/src/web/views/results.ts +0 -210
- package/src/web/views/runs-tab.ts +0 -126
- package/src/web/views/suites-tab.ts +0 -181
|
@@ -0,0 +1,219 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* `cursor_boundary_fuzzing` (ARV-273) — fuzz cursor/page-token style
|
|
3
|
+
* query parameters on list endpoints with malformed values. The server
|
|
4
|
+
* is expected to reject with 400/422 (or 401/403 if the path is auth-
|
|
5
|
+
* gated). A 5xx response on *any* well-formed cursor value is a real
|
|
6
|
+
* bug (Stripe `/v1/billing/alerts` was found this way during the m-22
|
|
7
|
+
* Stripe scan).
|
|
8
|
+
*
|
|
9
|
+
* Detection rule: parameter `name` matches a small set of conventional
|
|
10
|
+
* cursor names (cursor / starting_after / ending_before / after /
|
|
11
|
+
* before / page_token / next_token / continuation), parameter is
|
|
12
|
+
* `in: "query"`, and schema type is string (or untyped — many SDKs
|
|
13
|
+
* leave the cursor schema open).
|
|
14
|
+
*
|
|
15
|
+
* Mutation vectors (7): empty string, numeric, "null", very-long
|
|
16
|
+
* string (200 chars), valid-shape-wrong-resource (Stripe-id), SQL-
|
|
17
|
+
* shaped (`' OR 1=1--`), JSON-shaped (`{"foo":"bar"}`).
|
|
18
|
+
*
|
|
19
|
+
* Severity ladder:
|
|
20
|
+
* - any 5xx → HIGH (server should never crash on bad cursor)
|
|
21
|
+
* - any 2xx/204 → LOW (server silently tolerates a malformed cursor)
|
|
22
|
+
* - 4xx other than 4xx-expected → no finding (server rejected — good)
|
|
23
|
+
* - 401/403 only → skip (auth-gated, not the check's concern)
|
|
24
|
+
*
|
|
25
|
+
* Why not done by `negative_data_rejection`: that check mutates one
|
|
26
|
+
* value per case based on the declared schema (string → integer,
|
|
27
|
+
* integer overflow, etc.). Cursor fuzzing is a *cross-API convention*
|
|
28
|
+
* fuzz family that does not derive from schema type; we know these
|
|
29
|
+
* are cursor-shaped strings and we know the standard malformations
|
|
30
|
+
* that crash naive cursor parsers.
|
|
31
|
+
*/
|
|
32
|
+
import type { OpenAPIV3 } from "openapi-types";
|
|
33
|
+
import type { CrudStatefulCheck } from "../stateful.ts";
|
|
34
|
+
import type { CheckOutcome, Severity } from "../types.ts";
|
|
35
|
+
import { fillPathParams } from "./_crud-helpers.ts";
|
|
36
|
+
import { buildUrl as buildUrlBase } from "../../util/url.ts";
|
|
37
|
+
import { MAX_REQUESTS_SKIP_REASON } from "../../runner/executor.ts";
|
|
38
|
+
|
|
39
|
+
const CURSOR_PARAM_NAME_RE = /^(cursor|starting_after|ending_before|after|before|page_token|next_token|continuation)$/i;
|
|
40
|
+
|
|
41
|
+
interface MutationVector {
|
|
42
|
+
label: string;
|
|
43
|
+
value: string;
|
|
44
|
+
}
|
|
45
|
+
|
|
46
|
+
const MUTATION_VECTORS: readonly MutationVector[] = [
|
|
47
|
+
{ label: "empty", value: "" },
|
|
48
|
+
{ label: "numeric", value: "12345" },
|
|
49
|
+
{ label: "null-literal", value: "null" },
|
|
50
|
+
{ label: "very-long", value: "a".repeat(200) },
|
|
51
|
+
{ label: "wrong-resource-id", value: "cus_invalid_zzz" },
|
|
52
|
+
{ label: "sql-shaped", value: "' OR 1=1--" },
|
|
53
|
+
{ label: "json-shaped", value: '{"foo":"bar"}' },
|
|
54
|
+
];
|
|
55
|
+
|
|
56
|
+
function isCursorParam(p: OpenAPIV3.ParameterObject): boolean {
|
|
57
|
+
if (p.in !== "query") return false;
|
|
58
|
+
if (!CURSOR_PARAM_NAME_RE.test(p.name)) return false;
|
|
59
|
+
const schema = p.schema as OpenAPIV3.SchemaObject | undefined;
|
|
60
|
+
if (!schema) return true;
|
|
61
|
+
// Accept untyped schemas (many specs leave cursor open) and string.
|
|
62
|
+
if (!schema.type) return true;
|
|
63
|
+
return schema.type === "string";
|
|
64
|
+
}
|
|
65
|
+
|
|
66
|
+
function buildUrl(
|
|
67
|
+
base: string,
|
|
68
|
+
path: string,
|
|
69
|
+
pathVars: Record<string, string> | undefined,
|
|
70
|
+
cursorParam: string,
|
|
71
|
+
cursorValue: string,
|
|
72
|
+
): string {
|
|
73
|
+
return buildUrlBase(base, fillPathParams(path, pathVars), { [cursorParam]: cursorValue });
|
|
74
|
+
}
|
|
75
|
+
|
|
76
|
+
interface VectorOutcome {
|
|
77
|
+
param: string;
|
|
78
|
+
vector: string;
|
|
79
|
+
status: number;
|
|
80
|
+
body_excerpt?: string;
|
|
81
|
+
}
|
|
82
|
+
|
|
83
|
+
function excerpt(s: string | undefined, n: number): string | undefined {
|
|
84
|
+
if (!s) return undefined;
|
|
85
|
+
const trimmed = s.length > n ? s.slice(0, n) + "…" : s;
|
|
86
|
+
return trimmed;
|
|
87
|
+
}
|
|
88
|
+
|
|
89
|
+
export const cursorBoundaryFuzzing: CrudStatefulCheck = {
|
|
90
|
+
id: "cursor_boundary_fuzzing",
|
|
91
|
+
// Per-finding severity overrides via outcome.severity: 5xx → high, 2xx → low.
|
|
92
|
+
// Declared baseline 'low' so it doesn't dominate per-check gating tables.
|
|
93
|
+
severity: "low",
|
|
94
|
+
defaultExpected:
|
|
95
|
+
"Cursor-style query params (cursor / starting_after / page_token / …) must reject malformed values with 4xx, never 5xx",
|
|
96
|
+
references: [{ id: "ARV-273" }],
|
|
97
|
+
phase: "crud",
|
|
98
|
+
applies(g) {
|
|
99
|
+
if (!g.list) return false;
|
|
100
|
+
// ARV-310: cursor fuzzing is only meaningful on a paginating GET list.
|
|
101
|
+
// A create/mutation endpoint that happens to carry a cursor-shaped query
|
|
102
|
+
// param (or a mis-grouped POST bound as `list`) must not trip this check.
|
|
103
|
+
if (g.list.method.toUpperCase() !== "GET") return false;
|
|
104
|
+
return g.list.parameters.some(isCursorParam);
|
|
105
|
+
},
|
|
106
|
+
async run(g, h): Promise<CheckOutcome> {
|
|
107
|
+
if (h.bootstrapCleanupFailed) {
|
|
108
|
+
return { kind: "skip", reason: "bootstrap-cleanup failed — stateful checks paused" };
|
|
109
|
+
}
|
|
110
|
+
const list = g.list!;
|
|
111
|
+
const cursorParams = list.parameters.filter(isCursorParam);
|
|
112
|
+
if (cursorParams.length === 0) {
|
|
113
|
+
return { kind: "skip", reason: "no cursor-style query params on list endpoint" };
|
|
114
|
+
}
|
|
115
|
+
|
|
116
|
+
const baseHeaders = { Accept: "application/json", ...h.authHeaders };
|
|
117
|
+
const serverErrors: VectorOutcome[] = [];
|
|
118
|
+
const silentAccepts: VectorOutcome[] = [];
|
|
119
|
+
let totalAttempted = 0;
|
|
120
|
+
let allAuthGated = true;
|
|
121
|
+
|
|
122
|
+
let budgetExhausted = false;
|
|
123
|
+
outer: for (const param of cursorParams) {
|
|
124
|
+
for (const vec of MUTATION_VECTORS) {
|
|
125
|
+
const url = buildUrl(h.baseUrl, list.path, h.pathVars, param.name, vec.value);
|
|
126
|
+
let resp;
|
|
127
|
+
try {
|
|
128
|
+
resp = await h.send({ method: "GET", url, headers: baseHeaders });
|
|
129
|
+
} catch (err) {
|
|
130
|
+
// ARV-308: distinguish budget exhaustion (every subsequent
|
|
131
|
+
// mutation will throw the same MAX_REQUESTS_SKIP_REASON and
|
|
132
|
+
// wasn't dispatched on the wire) from real per-request
|
|
133
|
+
// network errors (genuine connection problems, where we
|
|
134
|
+
// should keep fuzzing the remaining vectors). The earlier
|
|
135
|
+
// `catch {}` swallowed both as "network errors", which
|
|
136
|
+
// misreported the run on Stripe — budget had simply run out
|
|
137
|
+
// before this check got its turn, but the summary blamed
|
|
138
|
+
// the network and the 500 finding never surfaced.
|
|
139
|
+
if (err instanceof Error && err.message === MAX_REQUESTS_SKIP_REASON) {
|
|
140
|
+
budgetExhausted = true;
|
|
141
|
+
break outer;
|
|
142
|
+
}
|
|
143
|
+
continue;
|
|
144
|
+
}
|
|
145
|
+
totalAttempted += 1;
|
|
146
|
+
const status = resp.status;
|
|
147
|
+
if (status !== 401 && status !== 403) allAuthGated = false;
|
|
148
|
+
if (status >= 500 && status < 600) {
|
|
149
|
+
serverErrors.push({
|
|
150
|
+
param: param.name,
|
|
151
|
+
vector: vec.label,
|
|
152
|
+
status,
|
|
153
|
+
body_excerpt: excerpt(resp.body, 240),
|
|
154
|
+
});
|
|
155
|
+
} else if (status >= 200 && status < 300) {
|
|
156
|
+
silentAccepts.push({
|
|
157
|
+
param: param.name,
|
|
158
|
+
vector: vec.label,
|
|
159
|
+
status,
|
|
160
|
+
});
|
|
161
|
+
}
|
|
162
|
+
}
|
|
163
|
+
}
|
|
164
|
+
|
|
165
|
+
if (totalAttempted === 0) {
|
|
166
|
+
// ARV-308: dedicated reason for budget exhaustion so the run
|
|
167
|
+
// summary shows the real cause (and an actionable fix — raise
|
|
168
|
+
// --max-requests / --budget) instead of blaming the network.
|
|
169
|
+
if (budgetExhausted) {
|
|
170
|
+
return { kind: "skip", reason: MAX_REQUESTS_SKIP_REASON };
|
|
171
|
+
}
|
|
172
|
+
return { kind: "skip", reason: "no mutations dispatched (network errors on every probe)" };
|
|
173
|
+
}
|
|
174
|
+
if (allAuthGated) {
|
|
175
|
+
return { kind: "skip", reason: "endpoint auth-gated for all probes (401/403 only)" };
|
|
176
|
+
}
|
|
177
|
+
if (serverErrors.length > 0) {
|
|
178
|
+
const sev: Severity = "high";
|
|
179
|
+
const first = serverErrors[0]!;
|
|
180
|
+
return {
|
|
181
|
+
kind: "fail",
|
|
182
|
+
severity: sev,
|
|
183
|
+
// ARV-310: attribute to the GET list actually probed, not the group's
|
|
184
|
+
// POST create.
|
|
185
|
+
operation: { path: list.path, method: "GET", operationId: list.operationId },
|
|
186
|
+
message:
|
|
187
|
+
`Server returned ${first.status} on ${first.vector} cursor (${first.param}) — ${serverErrors.length}/${totalAttempted} mutation(s) hit 5xx`,
|
|
188
|
+
evidence: {
|
|
189
|
+
resource: g.resource,
|
|
190
|
+
list_path: list.path,
|
|
191
|
+
kind: "server_error_on_bad_cursor",
|
|
192
|
+
cursor_params: cursorParams.map((p) => p.name),
|
|
193
|
+
attempted: totalAttempted,
|
|
194
|
+
server_errors: serverErrors,
|
|
195
|
+
},
|
|
196
|
+
};
|
|
197
|
+
}
|
|
198
|
+
if (silentAccepts.length > 0) {
|
|
199
|
+
return {
|
|
200
|
+
kind: "fail",
|
|
201
|
+
severity: "low",
|
|
202
|
+
// ARV-310: attribute to the GET list actually probed, not the group's
|
|
203
|
+
// POST create.
|
|
204
|
+
operation: { path: list.path, method: "GET", operationId: list.operationId },
|
|
205
|
+
message:
|
|
206
|
+
`Server returned 2xx on ${silentAccepts.length}/${totalAttempted} malformed cursor mutation(s) — likely silent tolerance of bad input`,
|
|
207
|
+
evidence: {
|
|
208
|
+
resource: g.resource,
|
|
209
|
+
list_path: list.path,
|
|
210
|
+
kind: "silent_accept_on_bad_cursor",
|
|
211
|
+
cursor_params: cursorParams.map((p) => p.name),
|
|
212
|
+
attempted: totalAttempted,
|
|
213
|
+
accepts: silentAccepts,
|
|
214
|
+
},
|
|
215
|
+
};
|
|
216
|
+
}
|
|
217
|
+
return { kind: "pass" };
|
|
218
|
+
},
|
|
219
|
+
};
|
|
@@ -0,0 +1,62 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* `ensure_resource_availability` (m-15 ARV-3) — create a resource via
|
|
3
|
+
* POST, then GET by id; the read must succeed (2xx). Catches lost-
|
|
4
|
+
* write bugs where the create returns 201 but the resource never
|
|
5
|
+
* actually appears in storage.
|
|
6
|
+
*/
|
|
7
|
+
import type { CrudStatefulCheck } from "../stateful.ts";
|
|
8
|
+
import { extractIdFromCreateResponse, fillPathWithId, fillPathParams, serializeCheckBody, resolveCreateBody } from "./_crud-helpers.ts";
|
|
9
|
+
|
|
10
|
+
export const ensureResourceAvailability: CrudStatefulCheck = {
|
|
11
|
+
id: "ensure_resource_availability",
|
|
12
|
+
severity: "medium",
|
|
13
|
+
defaultExpected: "GET on a freshly-created resource must succeed (2xx)",
|
|
14
|
+
references: [{ id: "CWE-924" }],
|
|
15
|
+
phase: "crud",
|
|
16
|
+
applies(g) {
|
|
17
|
+
return Boolean(g.create && g.read);
|
|
18
|
+
},
|
|
19
|
+
async run(g, h) {
|
|
20
|
+
if (h.bootstrapCleanupFailed) {
|
|
21
|
+
return { kind: "skip", reason: "bootstrap-cleanup failed — security checks paused (ARV-3 AC #6)" };
|
|
22
|
+
}
|
|
23
|
+
const create = g.create!;
|
|
24
|
+
const read = g.read!;
|
|
25
|
+
const baseHeaders = { Accept: "application/json", ...h.authHeaders };
|
|
26
|
+
// ARV-191: form-urlencoded vs JSON dispatch — Stripe-style APIs
|
|
27
|
+
// declare x-www-form-urlencoded; JSON.stringify would yield "400
|
|
28
|
+
// missing param" the broken-baseline guard then silently swallows.
|
|
29
|
+
// ARV-187: prefer LLM-authored seed_body over generator.
|
|
30
|
+
const seedBody = h.resourceConfigs?.get(g.resource)?.seedBody;
|
|
31
|
+
const generated = resolveCreateBody(create, seedBody) ?? {};
|
|
32
|
+
const { body, contentType } = serializeCheckBody(
|
|
33
|
+
create,
|
|
34
|
+
generated,
|
|
35
|
+
h.pathVars,
|
|
36
|
+
seedBody?.contentType,
|
|
37
|
+
);
|
|
38
|
+
const createResp = await h.send({
|
|
39
|
+
method: "POST",
|
|
40
|
+
url: `${h.baseUrl.replace(/\/+$/, "")}${fillPathParams(create.path, h.pathVars)}`,
|
|
41
|
+
headers: { ...baseHeaders, "Content-Type": contentType },
|
|
42
|
+
body,
|
|
43
|
+
});
|
|
44
|
+
if (createResp.status < 200 || createResp.status >= 300) {
|
|
45
|
+
return { kind: "skip", reason: `create returned ${createResp.status} — broken-baseline guard` };
|
|
46
|
+
}
|
|
47
|
+
const id = extractIdFromCreateResponse(createResp.body_parsed ?? createResp.body, g.idParam);
|
|
48
|
+
if (id == null) return { kind: "skip", reason: "could not extract id from create response" };
|
|
49
|
+
|
|
50
|
+
const readResp = await h.send({
|
|
51
|
+
method: "GET",
|
|
52
|
+
url: `${h.baseUrl.replace(/\/+$/, "")}${fillPathWithId(fillPathParams(read.path, h.pathVars), g.idParam, id)}`,
|
|
53
|
+
headers: baseHeaders,
|
|
54
|
+
});
|
|
55
|
+
if (readResp.status >= 200 && readResp.status < 300) return { kind: "pass" };
|
|
56
|
+
return {
|
|
57
|
+
kind: "fail",
|
|
58
|
+
message: `GET on freshly-created resource ${id} returned ${readResp.status}`,
|
|
59
|
+
evidence: { resource: g.resource, id, create_status: createResp.status, read_status: readResp.status },
|
|
60
|
+
};
|
|
61
|
+
},
|
|
62
|
+
};
|
|
@@ -0,0 +1,242 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* `idempotency_replay` (m-20 ARV-170) — Idempotency-Key honor probe.
|
|
3
|
+
*
|
|
4
|
+
* For each CRUD group with create+delete where idempotency is opted-in
|
|
5
|
+
* (either via `.api-resources.yaml` `idempotency:` block or by the
|
|
6
|
+
* create endpoint declaring an `Idempotency-Key` header parameter),
|
|
7
|
+
* POST the same body twice with the same key. The server must:
|
|
8
|
+
*
|
|
9
|
+
* 1. return the *same* resource id on both calls (id1 == id2 — no
|
|
10
|
+
* duplicate created), AND
|
|
11
|
+
* 2. return bit-identical responses modulo a small allow-list of
|
|
12
|
+
* timestamp / request-id fields (R1 == R2).
|
|
13
|
+
*
|
|
14
|
+
* Severity policy: HIGH. The two failure classes share one finding —
|
|
15
|
+
* the runner doesn't support per-finding severity downgrade and
|
|
16
|
+
* `duplicate_resource` is the dominant signal anyway. `non_bit_identical`
|
|
17
|
+
* piggybacks via finding.evidence.kind so consumers can split the
|
|
18
|
+
* digest if they care.
|
|
19
|
+
*
|
|
20
|
+
* Anti-FP guards:
|
|
21
|
+
* • Skip when the second POST gets a 429 / 409 / 5xx — replay rate
|
|
22
|
+
* limiting and locking races confuse the verdict.
|
|
23
|
+
* • Skip when either POST fails the broken-baseline check (non-2xx).
|
|
24
|
+
* • Cleanup tolerates missing DELETE wiring — emits a warning via
|
|
25
|
+
* `cleanup_warning` in evidence.
|
|
26
|
+
*
|
|
27
|
+
* Auto-detect fallback: if no yaml block exists but the create endpoint
|
|
28
|
+
* declares an `Idempotency-Key` header in its `parameters[]`, the check
|
|
29
|
+
* runs with default settings. Explicit yaml wins — it lets the user
|
|
30
|
+
* override the header name and customize the ignore list.
|
|
31
|
+
*/
|
|
32
|
+
import type { OpenAPIV3 } from "openapi-types";
|
|
33
|
+
import type { CrudStatefulCheck } from "../stateful.ts";
|
|
34
|
+
import type { IdempotencyConfig } from "../../generator/resources-builder.ts";
|
|
35
|
+
import { extractIdFromCreateResponse, fillPathWithId, fillPathParams, serializeCheckBody, resolveCreateBody } from "./_crud-helpers.ts";
|
|
36
|
+
|
|
37
|
+
/** Default header name used when yaml omits it and we're running on
|
|
38
|
+
* spec-detected idempotency support. Matches the Stripe / Resend
|
|
39
|
+
* convention; specs that use a different casing should declare it
|
|
40
|
+
* explicitly. */
|
|
41
|
+
const DEFAULT_HEADER = "Idempotency-Key";
|
|
42
|
+
|
|
43
|
+
/** Baseline response fields stripped before bit-identical compare.
|
|
44
|
+
* Mirrors the readback-diff baseline minus a few read-shape-specific
|
|
45
|
+
* ones (livemode, _links). Timestamps + request-id + etag cover the
|
|
46
|
+
* common "every replay has a new request_id" surface. */
|
|
47
|
+
const DEFAULT_IGNORE_RESPONSE: ReadonlySet<string> = new Set([
|
|
48
|
+
"created",
|
|
49
|
+
"created_at",
|
|
50
|
+
"createdAt",
|
|
51
|
+
"updated",
|
|
52
|
+
"updated_at",
|
|
53
|
+
"updatedAt",
|
|
54
|
+
"request_id",
|
|
55
|
+
"requestId",
|
|
56
|
+
"x_request_id",
|
|
57
|
+
"etag",
|
|
58
|
+
"_etag",
|
|
59
|
+
]);
|
|
60
|
+
|
|
61
|
+
function safeParse(v: unknown): unknown {
|
|
62
|
+
if (typeof v !== "string") return v;
|
|
63
|
+
try {
|
|
64
|
+
return JSON.parse(v);
|
|
65
|
+
} catch {
|
|
66
|
+
return v;
|
|
67
|
+
}
|
|
68
|
+
}
|
|
69
|
+
|
|
70
|
+
function detectSpecHeader(create: { parameters: OpenAPIV3.ParameterObject[] }): string | null {
|
|
71
|
+
for (const p of create.parameters) {
|
|
72
|
+
if (p.in !== "header") continue;
|
|
73
|
+
if (p.name.toLowerCase() === "idempotency-key") return p.name;
|
|
74
|
+
}
|
|
75
|
+
return null;
|
|
76
|
+
}
|
|
77
|
+
|
|
78
|
+
function resolveConfig(
|
|
79
|
+
cfg: IdempotencyConfig | undefined,
|
|
80
|
+
create: { parameters: OpenAPIV3.ParameterObject[] },
|
|
81
|
+
): { header: string; ignore: ReadonlySet<string> } | null {
|
|
82
|
+
if (cfg) {
|
|
83
|
+
const header = cfg.header ?? DEFAULT_HEADER;
|
|
84
|
+
const ignore = cfg.ignoreResponseFields
|
|
85
|
+
? new Set<string>([...DEFAULT_IGNORE_RESPONSE, ...cfg.ignoreResponseFields])
|
|
86
|
+
: DEFAULT_IGNORE_RESPONSE;
|
|
87
|
+
return { header, ignore };
|
|
88
|
+
}
|
|
89
|
+
const detected = detectSpecHeader(create);
|
|
90
|
+
if (detected) return { header: detected, ignore: DEFAULT_IGNORE_RESPONSE };
|
|
91
|
+
return null;
|
|
92
|
+
}
|
|
93
|
+
|
|
94
|
+
/** Shallow object diff with field-level ignore. Returns the list of
|
|
95
|
+
* keys whose values differ (or whose presence differs) between a and
|
|
96
|
+
* b, excluding ignored fields. Both inputs treated as `{}` when not
|
|
97
|
+
* object-shaped. */
|
|
98
|
+
function diffFields(a: unknown, b: unknown, ignore: ReadonlySet<string>): string[] {
|
|
99
|
+
const av = (a && typeof a === "object" && !Array.isArray(a)) ? (a as Record<string, unknown>) : {};
|
|
100
|
+
const bv = (b && typeof b === "object" && !Array.isArray(b)) ? (b as Record<string, unknown>) : {};
|
|
101
|
+
const keys = new Set<string>([...Object.keys(av), ...Object.keys(bv)]);
|
|
102
|
+
const diffs: string[] = [];
|
|
103
|
+
for (const k of keys) {
|
|
104
|
+
if (ignore.has(k)) continue;
|
|
105
|
+
const sa = JSON.stringify(av[k] ?? null);
|
|
106
|
+
const sb = JSON.stringify(bv[k] ?? null);
|
|
107
|
+
if (sa !== sb) diffs.push(k);
|
|
108
|
+
}
|
|
109
|
+
return diffs;
|
|
110
|
+
}
|
|
111
|
+
|
|
112
|
+
function generateKey(): string {
|
|
113
|
+
return crypto.randomUUID();
|
|
114
|
+
}
|
|
115
|
+
|
|
116
|
+
export const idempotencyReplay: CrudStatefulCheck = {
|
|
117
|
+
id: "idempotency_replay",
|
|
118
|
+
severity: "high",
|
|
119
|
+
defaultExpected: "Two POSTs with the same Idempotency-Key must return the same resource id and bit-identical responses",
|
|
120
|
+
references: [{ id: "ARV-170" }, { id: "stripe-idempotent-requests" }],
|
|
121
|
+
phase: "crud",
|
|
122
|
+
applies(g) {
|
|
123
|
+
return Boolean(g.create);
|
|
124
|
+
},
|
|
125
|
+
async run(g, h) {
|
|
126
|
+
if (h.bootstrapCleanupFailed) {
|
|
127
|
+
return { kind: "skip", reason: "bootstrap-cleanup failed — stateful checks paused" };
|
|
128
|
+
}
|
|
129
|
+
const create = g.create!;
|
|
130
|
+
|
|
131
|
+
const cfg = h.resourceConfigs?.get(g.resource)?.idempotency;
|
|
132
|
+
const resolved = resolveConfig(cfg, create);
|
|
133
|
+
if (!resolved) {
|
|
134
|
+
return { kind: "skip", reason: "no idempotency config and no Idempotency-Key parameter in spec" };
|
|
135
|
+
}
|
|
136
|
+
|
|
137
|
+
const seedBody = h.resourceConfigs?.get(g.resource)?.seedBody;
|
|
138
|
+
if (!create.requestBodySchema && !seedBody) {
|
|
139
|
+
return { kind: "skip", reason: "create has no requestBody schema and no seed_body — nothing to replay" };
|
|
140
|
+
}
|
|
141
|
+
const writeBody = resolveCreateBody(create, seedBody);
|
|
142
|
+
if (writeBody == null) {
|
|
143
|
+
return { kind: "skip", reason: "could not produce a create body (no seed_body, generator returned non-object)" };
|
|
144
|
+
}
|
|
145
|
+
|
|
146
|
+
const key = generateKey();
|
|
147
|
+
// ARV-191: form-urlencoded vs JSON dispatch — Stripe-style APIs
|
|
148
|
+
// honor Idempotency-Key but expect x-www-form-urlencoded payloads;
|
|
149
|
+
// JSON.stringify would yield broken-baseline 400s on every replay.
|
|
150
|
+
const { body: bodyStr, contentType } = serializeCheckBody(create, writeBody, h.pathVars, seedBody?.contentType);
|
|
151
|
+
const baseHeaders = {
|
|
152
|
+
Accept: "application/json",
|
|
153
|
+
"Content-Type": contentType,
|
|
154
|
+
[resolved.header]: key,
|
|
155
|
+
...h.authHeaders,
|
|
156
|
+
};
|
|
157
|
+
const url = `${h.baseUrl.replace(/\/+$/, "")}${fillPathParams(create.path, h.pathVars)}`;
|
|
158
|
+
|
|
159
|
+
// 1st POST
|
|
160
|
+
const r1 = await h.send({ method: "POST", url, headers: baseHeaders, body: bodyStr });
|
|
161
|
+
if (r1.status < 200 || r1.status >= 300) {
|
|
162
|
+
return { kind: "skip", reason: `1st create returned ${r1.status} — broken-baseline guard` };
|
|
163
|
+
}
|
|
164
|
+
const body1 = r1.body_parsed ?? safeParse(r1.body);
|
|
165
|
+
const id1 = extractIdFromCreateResponse(body1, g.idParam);
|
|
166
|
+
if (id1 == null) return { kind: "skip", reason: "could not extract id from 1st create response" };
|
|
167
|
+
|
|
168
|
+
// 2nd POST — same body, same key
|
|
169
|
+
const r2 = await h.send({ method: "POST", url, headers: baseHeaders, body: bodyStr });
|
|
170
|
+
if (r2.status === 429 || r2.status === 409) {
|
|
171
|
+
// Cleanup r1 before bailing — we did create something.
|
|
172
|
+
await tryCleanup(g, h, id1);
|
|
173
|
+
return { kind: "skip", reason: `2nd create returned ${r2.status} — rate-limit/conflict, replay verdict ambiguous` };
|
|
174
|
+
}
|
|
175
|
+
if (r2.status < 200 || r2.status >= 300) {
|
|
176
|
+
await tryCleanup(g, h, id1);
|
|
177
|
+
return { kind: "skip", reason: `2nd create returned ${r2.status} — broken-baseline guard` };
|
|
178
|
+
}
|
|
179
|
+
const body2 = r2.body_parsed ?? safeParse(r2.body);
|
|
180
|
+
const id2 = extractIdFromCreateResponse(body2, g.idParam);
|
|
181
|
+
|
|
182
|
+
// Verdict
|
|
183
|
+
const duplicate = id2 != null && String(id1) !== String(id2);
|
|
184
|
+
const diffs = duplicate ? [] : diffFields(body1, body2, resolved.ignore);
|
|
185
|
+
const nonBitIdentical = !duplicate && diffs.length > 0;
|
|
186
|
+
|
|
187
|
+
// Cleanup. If duplicate, both ids need to go.
|
|
188
|
+
const cleanupWarn: string[] = [];
|
|
189
|
+
const okCleanup1 = await tryCleanup(g, h, id1);
|
|
190
|
+
if (!okCleanup1) cleanupWarn.push(`failed to DELETE id=${id1}`);
|
|
191
|
+
if (duplicate && id2 != null) {
|
|
192
|
+
const okCleanup2 = await tryCleanup(g, h, id2);
|
|
193
|
+
if (!okCleanup2) cleanupWarn.push(`failed to DELETE id=${id2}`);
|
|
194
|
+
}
|
|
195
|
+
|
|
196
|
+
if (!duplicate && !nonBitIdentical) {
|
|
197
|
+
return { kind: "pass" };
|
|
198
|
+
}
|
|
199
|
+
|
|
200
|
+
const kind = duplicate && nonBitIdentical
|
|
201
|
+
? "both"
|
|
202
|
+
: duplicate ? "duplicate_resource" : "non_bit_identical";
|
|
203
|
+
const message = duplicate
|
|
204
|
+
? `Idempotency-Key not honored on ${g.resource}: replay produced a new resource (id1=${id1}, id2=${id2})`
|
|
205
|
+
: `Idempotency-Key replay on ${g.resource} is not bit-identical (${diffs.length} field(s) differ): ${diffs.slice(0, 5).join(", ")}`;
|
|
206
|
+
|
|
207
|
+
return {
|
|
208
|
+
kind: "fail",
|
|
209
|
+
message,
|
|
210
|
+
evidence: {
|
|
211
|
+
resource: g.resource,
|
|
212
|
+
kind,
|
|
213
|
+
header: resolved.header,
|
|
214
|
+
key,
|
|
215
|
+
id1,
|
|
216
|
+
id2,
|
|
217
|
+
diff_fields: diffs,
|
|
218
|
+
...(cleanupWarn.length > 0 ? { cleanup_warning: cleanupWarn } : {}),
|
|
219
|
+
},
|
|
220
|
+
};
|
|
221
|
+
},
|
|
222
|
+
};
|
|
223
|
+
|
|
224
|
+
async function tryCleanup(
|
|
225
|
+
g: { delete?: { path: string }; idParam: string },
|
|
226
|
+
h: import("../stateful.ts").StatefulHarness,
|
|
227
|
+
id: string | number,
|
|
228
|
+
): Promise<boolean> {
|
|
229
|
+
if (!g.delete) return false;
|
|
230
|
+
const url = `${h.baseUrl.replace(/\/+$/, "")}${fillPathWithId(fillPathParams(g.delete.path, h.pathVars), g.idParam, id)}`;
|
|
231
|
+
try {
|
|
232
|
+
const resp = await h.send({
|
|
233
|
+
method: "DELETE",
|
|
234
|
+
url,
|
|
235
|
+
headers: { Accept: "application/json", ...h.authHeaders },
|
|
236
|
+
});
|
|
237
|
+
// 404 = already gone (good); 2xx = deleted; anything else = failure.
|
|
238
|
+
return resp.status === 404 || (resp.status >= 200 && resp.status < 300);
|
|
239
|
+
} catch {
|
|
240
|
+
return false;
|
|
241
|
+
}
|
|
242
|
+
}
|