@kirrosh/zond 0.22.0 → 0.26.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +811 -0
- package/README.md +59 -6
- package/package.json +9 -7
- package/src/CLAUDE.md +112 -0
- package/src/cli/argv.ts +122 -0
- package/src/cli/commands/add-api.ts +146 -0
- package/src/cli/commands/api/annotate/idempotency.ts +59 -0
- package/src/cli/commands/api/annotate/index.ts +880 -0
- package/src/cli/commands/api/annotate/lifecycle.ts +74 -0
- package/src/cli/commands/api/annotate/overlay.ts +206 -0
- package/src/cli/commands/api/annotate/pagination.ts +64 -0
- package/src/cli/commands/api/annotate/prompts.ts +220 -0
- package/src/cli/commands/api/annotate/readback.ts +58 -0
- package/src/cli/commands/api/annotate/resources.ts +91 -0
- package/src/cli/commands/api/annotate/seed-bodies.ts +61 -0
- package/src/cli/commands/audit.ts +786 -0
- package/src/cli/commands/catalog.ts +35 -0
- package/src/cli/commands/check.ts +361 -0
- package/src/cli/commands/checks.ts +1072 -0
- package/src/cli/commands/ci-init.ts +43 -0
- package/src/cli/commands/clean.ts +212 -0
- package/src/cli/commands/cleanup.ts +236 -0
- package/src/cli/commands/completions.ts +16 -0
- package/src/cli/commands/coverage.ts +823 -132
- package/src/cli/commands/db.ts +486 -12
- package/src/cli/commands/describe.ts +37 -2
- package/src/cli/commands/discover.ts +1356 -0
- package/src/cli/commands/doctor.ts +661 -0
- package/src/cli/commands/fixtures.ts +402 -0
- package/src/cli/commands/generate.ts +438 -47
- package/src/cli/commands/init/bootstrap.ts +34 -2
- package/src/cli/commands/{init.ts → init/index.ts} +99 -5
- package/src/cli/commands/init/skills.ts +99 -3
- package/src/cli/commands/init/templates/agents.md +77 -64
- package/src/cli/commands/init/templates/skills/warm-up-target.md +122 -0
- package/src/cli/commands/init/templates/skills/zond-checks.md +621 -0
- package/src/cli/commands/init/templates/skills/zond-seed.md +114 -0
- package/src/cli/commands/init/templates/skills/zond-triage.md +272 -0
- package/src/cli/commands/init/templates/skills/zond.md +802 -125
- package/src/cli/commands/init/templates/zond-config.yml +8 -9
- package/src/cli/commands/prepare-fixtures.ts +97 -0
- package/src/cli/commands/probe/_seed-bodies.ts +52 -0
- package/src/cli/commands/probe/mass-assignment.ts +594 -0
- package/src/cli/commands/probe/security.ts +537 -0
- package/src/cli/commands/probe/static.ts +255 -0
- package/src/cli/commands/probe/webhooks.ts +163 -0
- package/src/cli/commands/probe.ts +535 -0
- package/src/cli/commands/reference.ts +87 -0
- package/src/cli/commands/refresh-api.ts +227 -0
- package/src/cli/commands/remove-api.ts +150 -0
- package/src/cli/commands/report-bundle.ts +310 -0
- package/src/cli/commands/report.ts +241 -0
- package/src/cli/commands/request.ts +495 -4
- package/src/cli/commands/run.ts +870 -53
- package/src/cli/commands/schema-from-runs.ts +128 -0
- package/src/cli/commands/secrets.ts +133 -0
- package/src/cli/commands/session.ts +244 -0
- package/src/cli/commands/use.ts +18 -1
- package/src/cli/index.ts +20 -3
- package/src/cli/json-envelope.ts +92 -3
- package/src/cli/json-schemas.ts +314 -0
- package/src/cli/output.ts +17 -1
- package/src/cli/program.ts +199 -635
- package/src/cli/resolve.ts +105 -0
- package/src/cli/safe-live.ts +24 -0
- package/src/cli/status-filter.ts +114 -0
- package/src/cli/util/api-context.ts +85 -0
- package/src/cli/version.ts +5 -0
- package/src/core/audit/persist.ts +183 -0
- package/src/core/checks/budget.ts +59 -0
- package/src/core/checks/checks/_crud-helpers.ts +133 -0
- package/src/core/checks/checks/_negative_mutator.ts +133 -0
- package/src/core/checks/checks/_readback-helpers.ts +133 -0
- package/src/core/checks/checks/content_type_conformance.ts +39 -0
- package/src/core/checks/checks/cross_call_references.ts +147 -0
- package/src/core/checks/checks/cursor_boundary_fuzzing.ts +219 -0
- package/src/core/checks/checks/ensure_resource_availability.ts +62 -0
- package/src/core/checks/checks/idempotency_replay.ts +242 -0
- package/src/core/checks/checks/ignored_auth.ts +254 -0
- package/src/core/checks/checks/index.ts +68 -0
- package/src/core/checks/checks/lifecycle_transitions.ts +416 -0
- package/src/core/checks/checks/missing_required_header.ts +40 -0
- package/src/core/checks/checks/negative_data_rejection.ts +148 -0
- package/src/core/checks/checks/not_a_server_error.ts +35 -0
- package/src/core/checks/checks/open_cors_on_sensitive.ts +160 -0
- package/src/core/checks/checks/pagination_invariants.ts +419 -0
- package/src/core/checks/checks/positive_data_acceptance.ts +33 -0
- package/src/core/checks/checks/rate_limit_headers_absent.ts +77 -0
- package/src/core/checks/checks/response_headers_conformance.ts +74 -0
- package/src/core/checks/checks/response_schema_conformance.ts +30 -0
- package/src/core/checks/checks/status_code_conformance.ts +132 -0
- package/src/core/checks/checks/unsupported_method.ts +63 -0
- package/src/core/checks/checks/use_after_free.ts +78 -0
- package/src/core/checks/index.ts +30 -0
- package/src/core/checks/mode.ts +82 -0
- package/src/core/checks/recommended-action.ts +68 -0
- package/src/core/checks/registry.ts +78 -0
- package/src/core/checks/runner.ts +1461 -0
- package/src/core/checks/sarif.ts +230 -0
- package/src/core/checks/spec-findings.ts +308 -0
- package/src/core/checks/stateful.ts +121 -0
- package/src/core/checks/types.ts +305 -0
- package/src/core/checks/zond-extensions.ts +73 -0
- package/src/core/classifier/recommended-action.ts +251 -0
- package/src/core/context/current.ts +22 -6
- package/src/core/context/session.ts +78 -0
- package/src/core/coverage/loader.ts +216 -0
- package/src/core/coverage/reasons.ts +300 -0
- package/src/core/diagnostics/db-analysis.ts +293 -59
- package/src/core/diagnostics/failure-class.ts +140 -0
- package/src/core/diagnostics/failure-hints.ts +88 -89
- package/src/core/diagnostics/spec-pointer.ts +99 -0
- package/src/core/diagnostics/suggested-fixes.ts +155 -0
- package/src/core/exporter/case-study/index.ts +270 -0
- package/src/core/exporter/curl.ts +40 -0
- package/src/core/exporter/exporter.ts +48 -0
- package/src/core/exporter/html-report/escape.ts +24 -0
- package/src/core/exporter/html-report/index.ts +479 -0
- package/src/core/exporter/html-report/script.ts +100 -0
- package/src/core/exporter/html-report/styles.ts +408 -0
- package/src/core/generator/chunker.ts +38 -19
- package/src/core/generator/coverage-phase.ts +0 -0
- package/src/core/generator/data-factory.ts +586 -22
- package/src/core/generator/describe.ts +1 -1
- package/src/core/generator/fixtures-builder.ts +332 -0
- package/src/core/generator/index.ts +5 -5
- package/src/core/generator/openapi-reader.ts +135 -7
- package/src/core/generator/path-param-disambig.ts +140 -0
- package/src/core/generator/resources-builder.ts +898 -0
- package/src/core/generator/schema-utils.ts +33 -3
- package/src/core/generator/serializer.ts +103 -13
- package/src/core/generator/suite-generator.ts +583 -122
- package/src/core/generator/types.ts +14 -0
- package/src/core/identity/identity-file.ts +0 -0
- package/src/core/lint/affects.ts +28 -0
- package/src/core/lint/config.ts +96 -0
- package/src/core/lint/format.ts +42 -0
- package/src/core/lint/index.ts +94 -0
- package/src/core/lint/reporter.ts +128 -0
- package/src/core/lint/rules/consistency.ts +158 -0
- package/src/core/lint/rules/heuristics.ts +97 -0
- package/src/core/lint/rules/strictness.ts +109 -0
- package/src/core/lint/types.ts +96 -0
- package/src/core/lint/walker.ts +248 -0
- package/src/core/meta/meta-store.ts +6 -73
- package/src/core/output/README.md +73 -0
- package/src/core/output/index.ts +13 -0
- package/src/core/output/run.ts +91 -0
- package/src/core/output/types.ts +122 -0
- package/src/core/parser/dynamic-values.ts +160 -0
- package/src/core/parser/env-interpolation.ts +104 -0
- package/src/core/parser/filter.ts +57 -0
- package/src/core/parser/schema.ts +129 -4
- package/src/core/parser/types.ts +19 -1
- package/src/core/parser/variables.ts +0 -0
- package/src/core/parser/yaml-parser.ts +58 -12
- package/src/core/probe/bootstrap.ts +34 -0
- package/src/core/probe/dry-run-envelope.ts +61 -0
- package/src/core/probe/mass-assignment/classify.ts +175 -0
- package/src/core/probe/mass-assignment/cleanup.ts +52 -0
- package/src/core/probe/mass-assignment/digest.ts +114 -0
- package/src/core/probe/mass-assignment/orchestrator.ts +459 -0
- package/src/core/probe/mass-assignment/regression.ts +141 -0
- package/src/core/probe/mass-assignment/suspects.ts +92 -0
- package/src/core/probe/mass-assignment/types.ts +135 -0
- package/src/core/probe/mass-assignment-probe-class.ts +198 -0
- package/src/core/probe/mass-assignment-probe.ts +27 -0
- package/src/core/probe/mass-assignment-template.ts +240 -0
- package/src/core/probe/method-probe.ts +43 -76
- package/src/core/probe/method-shared.ts +69 -0
- package/src/core/probe/negative-probe.ts +183 -149
- package/src/core/probe/orphan-tracker.ts +188 -0
- package/src/core/probe/path-discovery.ts +439 -0
- package/src/core/probe/probe-harness.ts +119 -0
- package/src/core/probe/registry.ts +89 -0
- package/src/core/probe/runner.ts +136 -0
- package/src/core/probe/security/baseline.ts +174 -0
- package/src/core/probe/security/classify.ts +341 -0
- package/src/core/probe/security/cleanup.ts +125 -0
- package/src/core/probe/security/detectors.ts +71 -0
- package/src/core/probe/security/digest.ts +104 -0
- package/src/core/probe/security/orchestrator.ts +398 -0
- package/src/core/probe/security/regression.ts +103 -0
- package/src/core/probe/security/types.ts +151 -0
- package/src/core/probe/security-probe-class.ts +207 -0
- package/src/core/probe/security-probe.ts +32 -0
- package/src/core/probe/shared.ts +531 -0
- package/src/core/probe/static-probe-class.ts +125 -0
- package/src/core/probe/types.ts +165 -0
- package/src/core/probe/verdict-aggregator.ts +33 -0
- package/src/core/probe/webhooks-probe.ts +282 -0
- package/src/core/reporter/console.ts +41 -2
- package/src/core/reporter/index.ts +2 -3
- package/src/core/reporter/json.ts +11 -1
- package/src/core/reporter/junit.ts +27 -12
- package/src/core/reporter/ndjson.ts +37 -0
- package/src/core/reporter/types.ts +3 -0
- package/src/core/runner/assertions.ts +59 -2
- package/src/core/runner/async-pool.ts +108 -0
- package/src/core/runner/auth-path.ts +8 -0
- package/src/core/runner/ci-context.ts +72 -0
- package/src/core/runner/executor.ts +265 -36
- package/src/core/runner/form-encode.ts +41 -0
- package/src/core/runner/http-client.ts +112 -2
- package/src/core/runner/learn-drift.ts +293 -0
- package/src/core/runner/preflight-vars.ts +153 -0
- package/src/core/runner/progress-tracker.ts +73 -0
- package/src/core/runner/rate-limiter.ts +87 -33
- package/src/core/runner/run-kind.ts +45 -0
- package/src/core/runner/schema-validator.ts +308 -0
- package/src/core/runner/send-request.ts +158 -20
- package/src/core/runner/types.ts +44 -0
- package/src/core/secrets/registry.ts +164 -0
- package/src/core/secrets/secrets-file.ts +115 -0
- package/src/core/selectors/operation-filter.ts +144 -0
- package/src/core/setup-api.ts +457 -20
- package/src/core/severity/category.ts +94 -0
- package/src/core/severity/index.ts +58 -0
- package/src/core/spec/infer-schema.ts +102 -0
- package/src/core/spec/layers.ts +154 -0
- package/src/core/spec/merge-specs.ts +156 -0
- package/src/core/spec/schema-from-runs.ts +117 -0
- package/src/core/spec/schema-overlay.ts +130 -0
- package/src/core/util/ajv.ts +13 -0
- package/src/core/util/format-eta.ts +21 -0
- package/src/core/util/headers.ts +9 -0
- package/src/core/util/url.ts +24 -0
- package/src/core/utils.ts +5 -1
- package/src/core/workspace/config.ts +129 -0
- package/src/core/workspace/fixture-gap-report.ts +84 -0
- package/src/core/workspace/fixture-gaps.ts +71 -0
- package/src/core/workspace/manifest.ts +283 -0
- package/src/core/workspace/output-rotation.ts +62 -0
- package/src/core/workspace/root.ts +13 -11
- package/src/core/workspace/triage-path.ts +87 -0
- package/src/db/lint-runs.ts +47 -0
- package/src/db/migrate.ts +128 -0
- package/src/db/migrations/0001_run_kind.sql +25 -0
- package/src/db/migrations/0002_run_kind_request.sql +59 -0
- package/src/db/migrations/sql.d.ts +4 -0
- package/src/db/queries/collections.ts +133 -0
- package/src/db/queries/coverage.ts +9 -0
- package/src/db/queries/dashboard.ts +59 -0
- package/src/db/queries/results.ts +216 -0
- package/src/db/queries/runs.ts +289 -0
- package/src/db/queries/sessions.ts +42 -0
- package/src/db/queries/settings.ts +28 -0
- package/src/db/queries/types.ts +172 -0
- package/src/db/queries.ts +75 -802
- package/src/db/schema.ts +178 -50
- package/src/cli/commands/export.ts +0 -144
- package/src/cli/commands/guide.ts +0 -127
- package/src/cli/commands/init/templates/skills/scenarios.md +0 -97
- package/src/cli/commands/probe-methods.ts +0 -108
- package/src/cli/commands/probe-validation.ts +0 -124
- package/src/cli/commands/serve.ts +0 -114
- package/src/cli/commands/sync.ts +0 -268
- package/src/cli/commands/update.ts +0 -189
- package/src/cli/commands/validate.ts +0 -34
- package/src/core/diagnostics/render-md.ts +0 -112
- package/src/core/exporter/postman.ts +0 -963
- package/src/core/generator/guide-builder.ts +0 -253
- package/src/core/meta/types.ts +0 -19
- package/src/core/parser/index.ts +0 -21
- package/src/core/runner/execute-run.ts +0 -132
- package/src/core/runner/index.ts +0 -12
- package/src/core/sync/spec-differ.ts +0 -38
- package/src/web/data/collection-state.ts +0 -362
- package/src/web/routes/api.ts +0 -314
- package/src/web/routes/dashboard.ts +0 -350
- package/src/web/routes/runs.ts +0 -64
- package/src/web/schemas.ts +0 -121
- package/src/web/server.ts +0 -134
- package/src/web/static/htmx.min.cjs +0 -1
- package/src/web/static/style.css +0 -1148
- package/src/web/views/endpoints-tab.ts +0 -174
- package/src/web/views/explorer-tab.ts +0 -402
- package/src/web/views/health-strip.ts +0 -92
- package/src/web/views/layout.ts +0 -48
- package/src/web/views/results.ts +0 -210
- package/src/web/views/runs-tab.ts +0 -126
- package/src/web/views/suites-tab.ts +0 -181
|
@@ -0,0 +1,254 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* `ignored_auth` (m-15 ARV-3, refined in ARV-181) — for every operation
|
|
3
|
+
* that declares a security requirement, send 3 requests:
|
|
4
|
+
*
|
|
5
|
+
* 1. baseline — full real-auth headers,
|
|
6
|
+
* 2. no_auth — drop every auth-shaped header,
|
|
7
|
+
* 3. bogus_auth — replace each auth header value with a malformed-
|
|
8
|
+
* shaped, plausibly-typed bogus.
|
|
9
|
+
*
|
|
10
|
+
* Verdict logic (ARV-181 differential):
|
|
11
|
+
*
|
|
12
|
+
* - baseline 5xx → skip (server unhealthy; nothing we say is trustworthy).
|
|
13
|
+
* - baseline 2xx → strict mode. Any 2xx on no_auth/bogus → HIGH bypass.
|
|
14
|
+
* - baseline 4xx → soft mode. The auth token didn't get a 2xx (wrong
|
|
15
|
+
* permissions, real path-var not provided, etc.), but we can still
|
|
16
|
+
* learn from how the server treats *worse* credentials:
|
|
17
|
+
* · no_auth/bogus returns **strictly better** status (lower 4xx
|
|
18
|
+
* class, or 2xx/3xx) → HIGH bypass. The classic smoking gun
|
|
19
|
+
* is `baseline 403 / no_auth 200`.
|
|
20
|
+
* · same or worse status → pass (auth was checked; the resource
|
|
21
|
+
* simply isn't accessible to anyone).
|
|
22
|
+
*
|
|
23
|
+
* Strictness:
|
|
24
|
+
* - default: no_auth/bogus passes if status is in [400..499] (any 4xx).
|
|
25
|
+
* - --strict-401 (CheckRuntimeOptions.strict401): only 401 passes; any
|
|
26
|
+
* other status — even 403/404 — fails. Mirrors schemathesis V4.
|
|
27
|
+
*
|
|
28
|
+
* Anti-FP guards (kept from ARV-3):
|
|
29
|
+
* - skip operations with `security: []` override (explicitly public),
|
|
30
|
+
* - skip when `bootstrap_cleanup_failed` (data state corrupted),
|
|
31
|
+
* - skip when no auth headers provided to the harness at all.
|
|
32
|
+
*
|
|
33
|
+
* Severity matrix (ARV-286, dispatched per finding via outcome.severity;
|
|
34
|
+
* follow-up to ARV-284 `negative_data_rejection` pattern):
|
|
35
|
+
*
|
|
36
|
+
* Declared severity: 'low' (proof-cap baseline per ARV-250 — single-
|
|
37
|
+
* signal evidence alone caps at LOW; chain evidence elevates to HIGH).
|
|
38
|
+
*
|
|
39
|
+
* Per-finding dispatch:
|
|
40
|
+
*
|
|
41
|
+
* | evidence.variant | severity | rationale |
|
|
42
|
+
* |---------------------------|----------|-----------------------------------|
|
|
43
|
+
* | no_auth | HIGH | baseline 2xx + no-auth 2xx |
|
|
44
|
+
* | bogus_auth | HIGH | baseline 2xx + bogus 2xx |
|
|
45
|
+
* | no_auth_differential | HIGH | broken-baseline + lower bucket |
|
|
46
|
+
* | bogus_auth_differential | HIGH | broken-baseline + lower bucket |
|
|
47
|
+
* | no_auth_strict | MEDIUM | --strict-401 mismatch, no bypass |
|
|
48
|
+
* | bogus_auth_strict | MEDIUM | --strict-401 mismatch, no bypass |
|
|
49
|
+
*
|
|
50
|
+
* HIGH variants (bypass + differential) provide chain evidence: both a
|
|
51
|
+
* baseline probe and an auth-stripped probe contribute — two independent
|
|
52
|
+
* signals proving auth is ignored. MEDIUM variants (strict-401
|
|
53
|
+
* conformance) are single-signal: auth is likely enforced (server still
|
|
54
|
+
* rejects), just with the wrong status code (403/404 instead of 401).
|
|
55
|
+
* The agent re-severitizes from the raw evidence.
|
|
56
|
+
*/
|
|
57
|
+
import type { OpenAPIV3 } from "openapi-types";
|
|
58
|
+
import type { AuthStatefulCheck } from "../stateful.ts";
|
|
59
|
+
import type { HttpRequest } from "../../runner/types.ts";
|
|
60
|
+
|
|
61
|
+
function buildBogus(name: string, value: string): string {
|
|
62
|
+
// Keep the original prefix so the auth scheme detection at the
|
|
63
|
+
// server still matches (Bearer xxx, Basic xxx). Only the secret
|
|
64
|
+
// payload is replaced.
|
|
65
|
+
if (/^Bearer\s+/i.test(value)) return "Bearer aaaaaaaaaaaa.bbbbbbbbbbbb.cccccccccccc";
|
|
66
|
+
if (/^Basic\s+/i.test(value)) return "Basic " + Buffer.from("zzz:zzz").toString("base64");
|
|
67
|
+
// apiKey / custom header — preserve length-class, replace content.
|
|
68
|
+
return name.toLowerCase().includes("token") ? "ZZZZZZZZZZ" : "bogus-" + "z".repeat(8);
|
|
69
|
+
}
|
|
70
|
+
|
|
71
|
+
/** ARV-181: substitute path placeholders using `h.pathVars` first, then
|
|
72
|
+
* fall back to schema-derived placeholders. Mirrors `fillPathParams`
|
|
73
|
+
* in `runner.ts` (kept inline to avoid a cross-module dependency that
|
|
74
|
+
* would yank generator imports into stateful checks). */
|
|
75
|
+
function fillPath(
|
|
76
|
+
path: string,
|
|
77
|
+
op: { parameters: OpenAPIV3.ParameterObject[] },
|
|
78
|
+
pathVars: Record<string, string> | undefined,
|
|
79
|
+
): string {
|
|
80
|
+
return path.replace(/\{([^}]+)\}/g, (_, name: string) => {
|
|
81
|
+
const real = pathVars?.[name];
|
|
82
|
+
if (typeof real === "string" && real.length > 0) return encodeURIComponent(real);
|
|
83
|
+
const param = op.parameters.find((p) => p.name === name && p.in === "path");
|
|
84
|
+
const schema = param?.schema as OpenAPIV3.SchemaObject | undefined;
|
|
85
|
+
if (schema?.format === "uuid") return "00000000-0000-0000-0000-000000000000";
|
|
86
|
+
if (schema?.type === "integer" || schema?.type === "number") return "1";
|
|
87
|
+
return "x";
|
|
88
|
+
});
|
|
89
|
+
}
|
|
90
|
+
|
|
91
|
+
function isAuthHeaderName(name: string): boolean {
|
|
92
|
+
const n = name.toLowerCase();
|
|
93
|
+
return n === "authorization" || n.startsWith("x-api") || n.includes("token") || n.includes("key");
|
|
94
|
+
}
|
|
95
|
+
|
|
96
|
+
/** ARV-181: classify response status into a single ordering bucket so
|
|
97
|
+
* the differential broken-baseline logic can answer "did stripping
|
|
98
|
+
* auth give a *better* status than baseline?". Lower index = more
|
|
99
|
+
* permissive (worse from auth-enforcement POV). 5xx is its own
|
|
100
|
+
* bucket — never compare across it. */
|
|
101
|
+
function statusBucket(status: number): number {
|
|
102
|
+
if (status >= 200 && status < 400) return 0; // accepted-ish
|
|
103
|
+
if (status === 401) return 3; // canonical "auth required"
|
|
104
|
+
if (status === 403) return 2; // permission denied
|
|
105
|
+
if (status >= 400 && status < 500) return 1; // other 4xx (404, 422, ...)
|
|
106
|
+
return -1; // 5xx / 1xx — incomparable
|
|
107
|
+
}
|
|
108
|
+
|
|
109
|
+
function isAcceptableRejection(status: number, strict401: boolean): boolean {
|
|
110
|
+
if (strict401) return status === 401;
|
|
111
|
+
return status >= 400 && status < 500;
|
|
112
|
+
}
|
|
113
|
+
|
|
114
|
+
export const ignoredAuth: AuthStatefulCheck = {
|
|
115
|
+
id: "ignored_auth",
|
|
116
|
+
/** ARV-286: proof-cap baseline (ARV-250). Bypass findings emit
|
|
117
|
+
* outcome.severity="high" (chain evidence); strict-401 conformance
|
|
118
|
+
* findings emit outcome.severity="medium" (single-signal). */
|
|
119
|
+
severity: "low",
|
|
120
|
+
defaultExpected: "Server must reject requests without (or with bogus) auth credentials with 401/403",
|
|
121
|
+
references: [{ id: "OWASP-API-01" }],
|
|
122
|
+
phase: "auth",
|
|
123
|
+
applies(op) {
|
|
124
|
+
// Anti-FP: explicit `security: []` override means the op is intentionally public.
|
|
125
|
+
if (op.security.length === 0) return false;
|
|
126
|
+
return true;
|
|
127
|
+
},
|
|
128
|
+
async run(op, h) {
|
|
129
|
+
if (h.bootstrapCleanupFailed) {
|
|
130
|
+
return { kind: "skip", reason: "bootstrap-cleanup failed — security checks paused (ARV-3 AC #6)" };
|
|
131
|
+
}
|
|
132
|
+
if (Object.keys(h.authHeaders).length === 0) {
|
|
133
|
+
return { kind: "skip", reason: "no auth headers provided to harness — pass --auth-header" };
|
|
134
|
+
}
|
|
135
|
+
const strict401 = h.options?.strict401 === true;
|
|
136
|
+
const url = `${h.baseUrl.replace(/\/+$/, "")}${fillPath(op.path, op, h.pathVars)}`;
|
|
137
|
+
const method = op.method.toUpperCase();
|
|
138
|
+
const baseHeaders: Record<string, string> = { Accept: "application/json", ...h.authHeaders };
|
|
139
|
+
|
|
140
|
+
// 1. baseline
|
|
141
|
+
const baseReq: HttpRequest = { method, url, headers: baseHeaders };
|
|
142
|
+
const baseline = await h.send(baseReq);
|
|
143
|
+
if (baseline.status >= 500) {
|
|
144
|
+
return { kind: "skip", reason: `baseline returned ${baseline.status} — server-side error, no trustworthy signal` };
|
|
145
|
+
}
|
|
146
|
+
|
|
147
|
+
// 2. no_auth — strip every auth-shaped header
|
|
148
|
+
const noAuthHeaders: Record<string, string> = { ...baseHeaders };
|
|
149
|
+
for (const k of Object.keys(noAuthHeaders)) {
|
|
150
|
+
if (isAuthHeaderName(k)) delete noAuthHeaders[k];
|
|
151
|
+
}
|
|
152
|
+
const noAuth = await h.send({ method, url, headers: noAuthHeaders });
|
|
153
|
+
|
|
154
|
+
// 3. bogus_auth — keep header names, replace values
|
|
155
|
+
const bogusHeaders: Record<string, string> = { ...baseHeaders };
|
|
156
|
+
for (const k of Object.keys(bogusHeaders)) {
|
|
157
|
+
if (isAuthHeaderName(k)) bogusHeaders[k] = buildBogus(k, bogusHeaders[k]!);
|
|
158
|
+
}
|
|
159
|
+
const bogus = await h.send({ method, url, headers: bogusHeaders });
|
|
160
|
+
|
|
161
|
+
const baseBucket = statusBucket(baseline.status);
|
|
162
|
+
const baseIs2xx = baseline.status >= 200 && baseline.status < 300;
|
|
163
|
+
|
|
164
|
+
// ── strict-2xx-baseline branch (legacy path, unchanged semantically) ──
|
|
165
|
+
if (baseIs2xx) {
|
|
166
|
+
if (noAuth.status >= 200 && noAuth.status < 300) {
|
|
167
|
+
return {
|
|
168
|
+
kind: "fail",
|
|
169
|
+
// chain evidence: baseline 2xx + no-auth 2xx → proven bypass
|
|
170
|
+
severity: "high",
|
|
171
|
+
message: `Server accepted request without auth credentials (status ${noAuth.status}) — auth is being ignored`,
|
|
172
|
+
evidence: { variant: "no_auth", baseline_status: baseline.status, no_auth_status: noAuth.status },
|
|
173
|
+
};
|
|
174
|
+
}
|
|
175
|
+
if (bogus.status >= 200 && bogus.status < 300) {
|
|
176
|
+
return {
|
|
177
|
+
kind: "fail",
|
|
178
|
+
// chain evidence: baseline 2xx + bogus-auth 2xx → credentials not validated
|
|
179
|
+
severity: "high",
|
|
180
|
+
message: `Server accepted request with bogus auth (status ${bogus.status}) — credentials not validated`,
|
|
181
|
+
evidence: { variant: "bogus_auth", baseline_status: baseline.status, bogus_auth_status: bogus.status },
|
|
182
|
+
};
|
|
183
|
+
}
|
|
184
|
+
if (strict401) {
|
|
185
|
+
if (noAuth.status !== 401) {
|
|
186
|
+
return {
|
|
187
|
+
kind: "fail",
|
|
188
|
+
// single-signal: auth is likely enforced (4xx returned), just wrong status code
|
|
189
|
+
severity: "medium",
|
|
190
|
+
message: `no_auth returned ${noAuth.status}, expected 401 (--strict-401)`,
|
|
191
|
+
evidence: { variant: "no_auth_strict", baseline_status: baseline.status, no_auth_status: noAuth.status, strict_401: true },
|
|
192
|
+
};
|
|
193
|
+
}
|
|
194
|
+
if (bogus.status !== 401) {
|
|
195
|
+
return {
|
|
196
|
+
kind: "fail",
|
|
197
|
+
// single-signal: auth is likely enforced (4xx returned), just wrong status code
|
|
198
|
+
severity: "medium",
|
|
199
|
+
message: `bogus_auth returned ${bogus.status}, expected 401 (--strict-401)`,
|
|
200
|
+
evidence: { variant: "bogus_auth_strict", baseline_status: baseline.status, bogus_auth_status: bogus.status, strict_401: true },
|
|
201
|
+
};
|
|
202
|
+
}
|
|
203
|
+
}
|
|
204
|
+
return { kind: "pass" };
|
|
205
|
+
}
|
|
206
|
+
|
|
207
|
+
// ── differential 4xx-baseline branch (ARV-181) ─────────────────────
|
|
208
|
+
if (baseBucket < 0) {
|
|
209
|
+
return { kind: "skip", reason: `baseline returned ${baseline.status} — incomparable status, no trustworthy signal` };
|
|
210
|
+
}
|
|
211
|
+
const noAuthBucket = statusBucket(noAuth.status);
|
|
212
|
+
const bogusBucket = statusBucket(bogus.status);
|
|
213
|
+
|
|
214
|
+
if (noAuthBucket >= 0 && noAuthBucket < baseBucket) {
|
|
215
|
+
return {
|
|
216
|
+
kind: "fail",
|
|
217
|
+
// chain evidence: broken-baseline + lower bucket without auth → smoking gun bypass
|
|
218
|
+
severity: "high",
|
|
219
|
+
message: `Server gave a more permissive status (${noAuth.status}) without auth than with valid auth (${baseline.status}) — possible bypass`,
|
|
220
|
+
evidence: { variant: "no_auth_differential", baseline_status: baseline.status, no_auth_status: noAuth.status },
|
|
221
|
+
};
|
|
222
|
+
}
|
|
223
|
+
if (bogusBucket >= 0 && bogusBucket < baseBucket) {
|
|
224
|
+
return {
|
|
225
|
+
kind: "fail",
|
|
226
|
+
// chain evidence: broken-baseline + lower bucket with bogus token → bypass
|
|
227
|
+
severity: "high",
|
|
228
|
+
message: `Server gave a more permissive status (${bogus.status}) with bogus auth than with valid auth (${baseline.status}) — possible bypass`,
|
|
229
|
+
evidence: { variant: "bogus_auth_differential", baseline_status: baseline.status, bogus_auth_status: bogus.status },
|
|
230
|
+
};
|
|
231
|
+
}
|
|
232
|
+
if (strict401) {
|
|
233
|
+
if (!isAcceptableRejection(noAuth.status, true) && noAuthBucket >= 0) {
|
|
234
|
+
return {
|
|
235
|
+
kind: "fail",
|
|
236
|
+
// single-signal: auth is enforced (server still rejects), wrong status code
|
|
237
|
+
severity: "medium",
|
|
238
|
+
message: `no_auth returned ${noAuth.status}, expected 401 (--strict-401, baseline ${baseline.status})`,
|
|
239
|
+
evidence: { variant: "no_auth_strict", baseline_status: baseline.status, no_auth_status: noAuth.status, strict_401: true },
|
|
240
|
+
};
|
|
241
|
+
}
|
|
242
|
+
if (!isAcceptableRejection(bogus.status, true) && bogusBucket >= 0) {
|
|
243
|
+
return {
|
|
244
|
+
kind: "fail",
|
|
245
|
+
// single-signal: auth is enforced (server still rejects), wrong status code
|
|
246
|
+
severity: "medium",
|
|
247
|
+
message: `bogus_auth returned ${bogus.status}, expected 401 (--strict-401, baseline ${baseline.status})`,
|
|
248
|
+
evidence: { variant: "bogus_auth_strict", baseline_status: baseline.status, bogus_auth_status: bogus.status, strict_401: true },
|
|
249
|
+
};
|
|
250
|
+
}
|
|
251
|
+
}
|
|
252
|
+
return { kind: "pass" };
|
|
253
|
+
},
|
|
254
|
+
};
|
|
@@ -0,0 +1,68 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Auto-registers built-in checks at first import. ARV-1 ships with one
|
|
3
|
+
* seed check (`not_a_server_error`); ARV-2/3/4 fill in the remaining
|
|
4
|
+
* 11 conformance/security checks alongside it.
|
|
5
|
+
*
|
|
6
|
+
* Side-effect import is intentional: anywhere the runner or CLI loads
|
|
7
|
+
* `core/checks` it triggers this module and the registry is populated
|
|
8
|
+
* exactly once (Node/Bun ESM module cache guarantees idempotency).
|
|
9
|
+
*/
|
|
10
|
+
import { registerCheck } from "../registry.ts";
|
|
11
|
+
import { registerStatefulCheck } from "../stateful.ts";
|
|
12
|
+
import { notAServerError } from "./not_a_server_error.ts";
|
|
13
|
+
import { statusCodeConformance } from "./status_code_conformance.ts";
|
|
14
|
+
import { contentTypeConformance } from "./content_type_conformance.ts";
|
|
15
|
+
import { responseHeadersConformance } from "./response_headers_conformance.ts";
|
|
16
|
+
import { responseSchemaConformance } from "./response_schema_conformance.ts";
|
|
17
|
+
import { missingRequiredHeader } from "./missing_required_header.ts";
|
|
18
|
+
import { unsupportedMethod } from "./unsupported_method.ts";
|
|
19
|
+
import { ignoredAuth } from "./ignored_auth.ts";
|
|
20
|
+
import { useAfterFree } from "./use_after_free.ts";
|
|
21
|
+
import { ensureResourceAvailability } from "./ensure_resource_availability.ts";
|
|
22
|
+
import { negativeDataRejection } from "./negative_data_rejection.ts";
|
|
23
|
+
import { positiveDataAcceptance } from "./positive_data_acceptance.ts";
|
|
24
|
+
import { crossCallReferences } from "./cross_call_references.ts";
|
|
25
|
+
import { idempotencyReplay } from "./idempotency_replay.ts";
|
|
26
|
+
import { paginationInvariants } from "./pagination_invariants.ts";
|
|
27
|
+
import { lifecycleTransitions } from "./lifecycle_transitions.ts";
|
|
28
|
+
import { openCorsOnSensitive } from "./open_cors_on_sensitive.ts";
|
|
29
|
+
import { rateLimitHeadersAbsent } from "./rate_limit_headers_absent.ts";
|
|
30
|
+
import { cursorBoundaryFuzzing } from "./cursor_boundary_fuzzing.ts";
|
|
31
|
+
|
|
32
|
+
let registered = false;
|
|
33
|
+
|
|
34
|
+
export function registerBuiltinChecks(): void {
|
|
35
|
+
if (registered) return;
|
|
36
|
+
// ARV-1 seed.
|
|
37
|
+
registerCheck(notAServerError);
|
|
38
|
+
// ARV-2 — 6 conformance checks (7 total with the seed).
|
|
39
|
+
registerCheck(statusCodeConformance);
|
|
40
|
+
registerCheck(contentTypeConformance);
|
|
41
|
+
registerCheck(responseHeadersConformance);
|
|
42
|
+
registerCheck(responseSchemaConformance);
|
|
43
|
+
registerCheck(missingRequiredHeader);
|
|
44
|
+
registerCheck(unsupportedMethod);
|
|
45
|
+
// ARV-3 — 3 stateful security checks.
|
|
46
|
+
registerStatefulCheck(ignoredAuth);
|
|
47
|
+
registerStatefulCheck(useAfterFree);
|
|
48
|
+
registerStatefulCheck(ensureResourceAvailability);
|
|
49
|
+
// ARV-4 — 2 data-rejection checks with anti-FP guards.
|
|
50
|
+
registerCheck(negativeDataRejection);
|
|
51
|
+
registerCheck(positiveDataAcceptance);
|
|
52
|
+
// ARV-169 (m-20) — cross-call POST→GET shape-diff probe.
|
|
53
|
+
registerStatefulCheck(crossCallReferences);
|
|
54
|
+
// ARV-170 (m-20) — Idempotency-Key replay probe.
|
|
55
|
+
registerStatefulCheck(idempotencyReplay);
|
|
56
|
+
// ARV-171 (m-20) — cursor pagination invariants.
|
|
57
|
+
registerStatefulCheck(paginationInvariants);
|
|
58
|
+
// ARV-172 (m-20) — declared state-machine + action transitions.
|
|
59
|
+
registerStatefulCheck(lifecycleTransitions);
|
|
60
|
+
// ARV-256 (m-21) — small-team value-add checks.
|
|
61
|
+
registerStatefulCheck(openCorsOnSensitive);
|
|
62
|
+
registerCheck(rateLimitHeadersAbsent);
|
|
63
|
+
// ARV-273 (m-22) — cursor/page-token fuzzing on list endpoints.
|
|
64
|
+
registerStatefulCheck(cursorBoundaryFuzzing);
|
|
65
|
+
registered = true;
|
|
66
|
+
}
|
|
67
|
+
|
|
68
|
+
registerBuiltinChecks();
|