@kirrosh/zond 0.23.0 → 0.26.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +164 -1
- package/README.md +8 -7
- package/package.json +2 -3
- package/src/CLAUDE.md +112 -0
- package/src/cli/commands/add-api.ts +19 -7
- package/src/cli/commands/api/annotate/index.ts +359 -4
- package/src/cli/commands/api/annotate/lifecycle.ts +1 -1
- package/src/cli/commands/api/annotate/overlay.ts +1 -1
- package/src/cli/commands/api/annotate/pagination.ts +10 -6
- package/src/cli/commands/api/annotate/prompts.ts +39 -2
- package/src/cli/commands/audit.ts +360 -54
- package/src/cli/commands/check.ts +15 -2
- package/src/cli/commands/checks.ts +352 -36
- package/src/cli/commands/cleanup.ts +4 -30
- package/src/cli/commands/coverage.ts +275 -57
- package/src/cli/commands/db.ts +311 -8
- package/src/cli/commands/discover.ts +281 -161
- package/src/cli/commands/doctor.ts +57 -3
- package/src/cli/commands/fixtures.ts +1 -1
- package/src/cli/commands/generate.ts +24 -7
- package/src/cli/commands/init/bootstrap.ts +4 -1
- package/src/cli/commands/init/index.ts +2 -2
- package/src/cli/commands/init/skills.ts +43 -0
- package/src/cli/commands/init/templates/agents.md +12 -3
- package/src/cli/commands/init/templates/skills/warm-up-target.md +122 -0
- package/src/cli/commands/init/templates/skills/zond-checks.md +268 -44
- package/src/cli/commands/init/templates/skills/zond-seed.md +114 -0
- package/src/cli/commands/init/templates/skills/zond-triage.md +88 -26
- package/src/cli/commands/init/templates/skills/zond.md +274 -64
- package/src/cli/commands/init/templates/zond-config.yml +1 -1
- package/src/cli/commands/prepare-fixtures.ts +14 -52
- package/src/cli/commands/probe/_seed-bodies.ts +52 -0
- package/src/cli/commands/probe/mass-assignment.ts +101 -10
- package/src/cli/commands/probe/security.ts +95 -12
- package/src/cli/commands/probe/webhooks.ts +2 -0
- package/src/cli/commands/probe.ts +87 -11
- package/src/cli/commands/refresh-api.ts +59 -1
- package/src/cli/commands/report-bundle.ts +3 -11
- package/src/cli/commands/request.ts +116 -0
- package/src/cli/commands/run.ts +33 -5
- package/src/cli/commands/schema-from-runs.ts +128 -0
- package/src/cli/commands/secrets.ts +133 -0
- package/src/cli/json-envelope.ts +0 -20
- package/src/cli/json-schemas.ts +51 -0
- package/src/cli/output.ts +17 -1
- package/src/cli/program.ts +5 -4
- package/src/cli/safe-live.ts +24 -0
- package/src/cli/status-filter.ts +0 -10
- package/src/core/audit/persist.ts +183 -0
- package/src/core/checks/budget.ts +59 -0
- package/src/core/checks/checks/cross_call_references.ts +17 -4
- package/src/core/checks/checks/cursor_boundary_fuzzing.ts +219 -0
- package/src/core/checks/checks/idempotency_replay.ts +1 -5
- package/src/core/checks/checks/ignored_auth.ts +44 -1
- package/src/core/checks/checks/index.ts +3 -0
- package/src/core/checks/checks/lifecycle_transitions.ts +169 -26
- package/src/core/checks/checks/negative_data_rejection.ts +119 -16
- package/src/core/checks/checks/not_a_server_error.ts +8 -0
- package/src/core/checks/checks/open_cors_on_sensitive.ts +47 -18
- package/src/core/checks/checks/pagination_invariants.ts +298 -117
- package/src/core/checks/checks/positive_data_acceptance.ts +1 -4
- package/src/core/checks/checks/status_code_conformance.ts +78 -7
- package/src/core/checks/mode.ts +3 -0
- package/src/core/checks/recommended-action.ts +5 -1
- package/src/core/checks/runner.ts +614 -27
- package/src/core/checks/spec-findings.ts +308 -0
- package/src/core/checks/types.ts +117 -1
- package/src/core/checks/zond-extensions.ts +73 -0
- package/src/core/classifier/recommended-action.ts +35 -6
- package/src/core/coverage/loader.ts +31 -0
- package/src/core/diagnostics/db-analysis.ts +200 -106
- package/src/core/diagnostics/failure-class.ts +21 -1
- package/src/core/diagnostics/failure-hints.ts +4 -208
- package/src/core/diagnostics/suggested-fixes.ts +2 -3
- package/src/core/generator/chunker.ts +1 -8
- package/src/core/generator/data-factory.ts +199 -61
- package/src/core/generator/fixtures-builder.ts +38 -31
- package/src/core/generator/index.ts +0 -2
- package/src/core/generator/openapi-reader.ts +98 -4
- package/src/core/generator/path-param-disambig.ts +30 -4
- package/src/core/generator/resources-builder.ts +276 -26
- package/src/core/generator/schema-utils.ts +22 -0
- package/src/core/generator/suite-generator.ts +168 -15
- package/src/core/generator/types.ts +6 -0
- package/src/core/identity/identity-file.ts +0 -0
- package/src/core/output/README.md +11 -29
- package/src/core/output/index.ts +1 -1
- package/src/core/output/run.ts +0 -35
- package/src/core/output/types.ts +0 -7
- package/src/core/parser/dynamic-values.ts +160 -0
- package/src/core/parser/variables.ts +0 -0
- package/src/core/probe/dry-run-envelope.ts +4 -0
- package/src/core/probe/mass-assignment/classify.ts +175 -0
- package/src/core/probe/mass-assignment/cleanup.ts +52 -0
- package/src/core/probe/mass-assignment/digest.ts +114 -0
- package/src/core/probe/mass-assignment/orchestrator.ts +459 -0
- package/src/core/probe/mass-assignment/regression.ts +141 -0
- package/src/core/probe/mass-assignment/suspects.ts +92 -0
- package/src/core/probe/mass-assignment/types.ts +135 -0
- package/src/core/probe/mass-assignment-probe.ts +23 -1118
- package/src/core/probe/mass-assignment-template.ts +32 -4
- package/src/core/probe/path-discovery.ts +3 -4
- package/src/core/probe/probe-harness.ts +21 -22
- package/src/core/probe/security/baseline.ts +174 -0
- package/src/core/probe/security/classify.ts +341 -0
- package/src/core/probe/security/cleanup.ts +125 -0
- package/src/core/probe/security/detectors.ts +71 -0
- package/src/core/probe/security/digest.ts +104 -0
- package/src/core/probe/security/orchestrator.ts +398 -0
- package/src/core/probe/security/regression.ts +103 -0
- package/src/core/probe/security/types.ts +151 -0
- package/src/core/probe/security-probe-class.ts +8 -2
- package/src/core/probe/security-probe.ts +28 -1449
- package/src/core/probe/shared.ts +26 -0
- package/src/core/probe/webhooks-probe.ts +5 -7
- package/src/core/runner/assertions.ts +1 -1
- package/src/core/runner/executor.ts +3 -18
- package/src/core/runner/form-encode.ts +8 -18
- package/src/core/runner/http-client.ts +38 -1
- package/src/core/runner/preflight-vars.ts +19 -15
- package/src/core/runner/rate-limiter.ts +11 -29
- package/src/core/runner/run-kind.ts +7 -1
- package/src/core/runner/schema-validator.ts +2 -6
- package/src/core/runner/send-request.ts +11 -6
- package/src/core/runner/types.ts +6 -0
- package/src/core/setup-api.ts +53 -15
- package/src/core/severity/index.ts +0 -63
- package/src/core/spec/infer-schema.ts +102 -0
- package/src/core/spec/merge-specs.ts +156 -0
- package/src/core/spec/schema-from-runs.ts +117 -0
- package/src/core/spec/schema-overlay.ts +130 -0
- package/src/core/util/ajv.ts +13 -0
- package/src/core/util/headers.ts +9 -0
- package/src/core/util/url.ts +24 -0
- package/src/core/workspace/fixture-gap-report.ts +84 -0
- package/src/core/workspace/fixture-gaps.ts +71 -0
- package/src/core/workspace/root.ts +13 -11
- package/src/db/migrate.ts +2 -0
- package/src/db/migrations/0002_run_kind_request.sql +59 -0
- package/src/db/queries/collections.ts +2 -2
- package/src/db/queries/results.ts +88 -0
- package/src/db/queries/runs.ts +56 -2
- package/src/db/queries.ts +3 -0
- package/src/db/schema.ts +7 -7
- package/src/cli/commands/bootstrap.ts +0 -710
- package/src/core/anti-fp/bootstrap.ts +0 -34
- package/src/core/anti-fp/index.ts +0 -33
- package/src/core/anti-fp/registry.ts +0 -44
- package/src/core/anti-fp/rules/baseline-echo.ts +0 -74
- package/src/core/anti-fp/rules/schemathesis/body_negation_becomes_valid.ts +0 -52
- package/src/core/anti-fp/rules/schemathesis/coverage_phase_boundary_positive.ts +0 -38
- package/src/core/anti-fp/rules/schemathesis/has_unverifiable_mutations.ts +0 -35
- package/src/core/anti-fp/rules/schemathesis/index.ts +0 -24
- package/src/core/anti-fp/rules/schemathesis/string_type_mutation_becomes_valid.ts +0 -53
- package/src/core/anti-fp/rules/subscription-gated/index.ts +0 -11
- package/src/core/anti-fp/rules/subscription-gated/paid-plan-403.ts +0 -75
- package/src/core/anti-fp/types.ts +0 -68
- package/src/core/generator/create-body.ts +0 -89
|
@@ -0,0 +1,125 @@
|
|
|
1
|
+
import type { EndpointInfo, SecuritySchemeInfo } from "../../generator/types.ts";
|
|
2
|
+
import { executeRequest } from "../../runner/http-client.ts";
|
|
3
|
+
import {
|
|
4
|
+
captureFieldFor,
|
|
5
|
+
findDeleteCounterpart,
|
|
6
|
+
liveAuthHeaders,
|
|
7
|
+
} from "../shared.ts";
|
|
8
|
+
import type { ProbeStepOpts, SecurityVerdict } from "./types.ts";
|
|
9
|
+
import { joinBaseAndPath } from "../../util/url.ts";
|
|
10
|
+
|
|
11
|
+
/**
|
|
12
|
+
* Best-effort DELETE on stateful endpoints after a successful baseline /
|
|
13
|
+
* attack. Handles eventual-consistency retries (round-5) and persists
|
|
14
|
+
* id/deletePath on the verdict so `zond cleanup --orphans` can replay
|
|
15
|
+
* the DELETE without re-running the probe.
|
|
16
|
+
*/
|
|
17
|
+
export async function tryCleanup(
|
|
18
|
+
ep: EndpointInfo,
|
|
19
|
+
allEndpoints: EndpointInfo[],
|
|
20
|
+
schemes: SecuritySchemeInfo[],
|
|
21
|
+
vars: Record<string, string>,
|
|
22
|
+
responseBody: unknown,
|
|
23
|
+
verdict: SecurityVerdict,
|
|
24
|
+
opts: ProbeStepOpts,
|
|
25
|
+
): Promise<void> {
|
|
26
|
+
const delEp = findDeleteCounterpart(ep, allEndpoints);
|
|
27
|
+
if (!delEp) {
|
|
28
|
+
// Surface the gap. Round-4 dogfooding: 3 DSN keys leaked from
|
|
29
|
+
// POST /keys/ silently because the spec didn't expose a DELETE
|
|
30
|
+
// counterpart — flagging it in the digest gives the operator a
|
|
31
|
+
// chance to clean up by hand instead of finding out later.
|
|
32
|
+
accumulateCleanupError(verdict, `no DELETE counterpart for ${ep.method.toUpperCase()} ${ep.path}; possible leaked resource`);
|
|
33
|
+
return;
|
|
34
|
+
}
|
|
35
|
+
const idField = captureFieldFor(ep);
|
|
36
|
+
const id = pickId(responseBody, idField);
|
|
37
|
+
if (!id) {
|
|
38
|
+
accumulateCleanupError(verdict, `cleanup skipped: response had no usable id for ${ep.method.toUpperCase()} ${ep.path}`);
|
|
39
|
+
return;
|
|
40
|
+
}
|
|
41
|
+
// DELETE path has one path-param at the end; replace it with the captured id.
|
|
42
|
+
const concretePath = delEp.path.replace(/\{[^}]+\}/, encodeURIComponent(String(id)));
|
|
43
|
+
const url = joinBaseAndPath(vars["base_url"], concretePath);
|
|
44
|
+
const headers = liveAuthHeaders(delEp, schemes, vars);
|
|
45
|
+
|
|
46
|
+
// TASK-278: stash id + deletePath on the verdict so the orphan tracker
|
|
47
|
+
// (and `zond cleanup --orphans`) can replay this DELETE without re-running
|
|
48
|
+
// the probe. Done before retries so even an aborted run leaves a trace.
|
|
49
|
+
{
|
|
50
|
+
const prior = verdict.cleanup ?? { attempted: false };
|
|
51
|
+
verdict.cleanup = {
|
|
52
|
+
...prior,
|
|
53
|
+
attempted: prior.attempted || true,
|
|
54
|
+
id,
|
|
55
|
+
deletePath: concretePath,
|
|
56
|
+
};
|
|
57
|
+
}
|
|
58
|
+
|
|
59
|
+
// Eventual-consistency retry (round-5 follow-up): POST creates on the
|
|
60
|
+
// write replica, immediate DELETE hits a read replica that hasn't seen
|
|
61
|
+
// the new id yet → 404. Two short backoffs swallow that transient
|
|
62
|
+
// 404; a 404 that survives the backoff is a real leak and lands in
|
|
63
|
+
// verdict.cleanup.error. Only 404 is retried — 5xx, network errors,
|
|
64
|
+
// 401/403 fail fast (the situation isn't going to improve).
|
|
65
|
+
const RETRY_DELAYS_MS = opts.cleanupRetryDelaysMs ?? [200, 1000];
|
|
66
|
+
let lastResp: { status: number } | null = null;
|
|
67
|
+
let lastNetErr: string | null = null;
|
|
68
|
+
for (let attempt = 0; attempt <= RETRY_DELAYS_MS.length; attempt++) {
|
|
69
|
+
if (attempt > 0) await new Promise(r => setTimeout(r, RETRY_DELAYS_MS[attempt - 1]!));
|
|
70
|
+
try {
|
|
71
|
+
const resp = await executeRequest(
|
|
72
|
+
{ method: "DELETE", url, headers },
|
|
73
|
+
{ timeout: opts.timeoutMs ?? 30000, retries: 0 },
|
|
74
|
+
);
|
|
75
|
+
lastResp = { status: resp.status };
|
|
76
|
+
if (resp.status >= 200 && resp.status < 300) {
|
|
77
|
+
const prior = verdict.cleanup ?? { attempted: false };
|
|
78
|
+
verdict.cleanup = {
|
|
79
|
+
attempted: true,
|
|
80
|
+
status: resp.status,
|
|
81
|
+
...(prior.error ? { error: prior.error } : {}),
|
|
82
|
+
...(prior.id !== undefined ? { id: prior.id } : {}),
|
|
83
|
+
...(prior.deletePath ? { deletePath: prior.deletePath } : {}),
|
|
84
|
+
};
|
|
85
|
+
return;
|
|
86
|
+
}
|
|
87
|
+
// Only retry transient 404 (eventual-consistency window).
|
|
88
|
+
if (resp.status !== 404) break;
|
|
89
|
+
} catch (err) {
|
|
90
|
+
lastNetErr = err instanceof Error ? err.message : String(err);
|
|
91
|
+
// Network errors are not retried — they're not transient in the
|
|
92
|
+
// eventual-consistency sense (they're config/connectivity issues).
|
|
93
|
+
break;
|
|
94
|
+
}
|
|
95
|
+
}
|
|
96
|
+
|
|
97
|
+
if (lastNetErr) {
|
|
98
|
+
accumulateCleanupError(verdict, `DELETE ${delEp.path} network error: ${lastNetErr}`);
|
|
99
|
+
} else if (lastResp) {
|
|
100
|
+
const tail = lastResp.status === 404 ? " (persisted across retries — likely real leak)" : "";
|
|
101
|
+
accumulateCleanupError(verdict, `DELETE ${delEp.path} → ${lastResp.status} (id=${id})${tail}`);
|
|
102
|
+
}
|
|
103
|
+
}
|
|
104
|
+
|
|
105
|
+
function accumulateCleanupError(verdict: SecurityVerdict, msg: string): void {
|
|
106
|
+
const prior = verdict.cleanup ?? { attempted: false };
|
|
107
|
+
const errors = prior.error ? `${prior.error} | ${msg}` : msg;
|
|
108
|
+
verdict.cleanup = {
|
|
109
|
+
attempted: true,
|
|
110
|
+
...(prior.status ? { status: prior.status } : {}),
|
|
111
|
+
...(prior.id !== undefined ? { id: prior.id } : {}),
|
|
112
|
+
...(prior.deletePath ? { deletePath: prior.deletePath } : {}),
|
|
113
|
+
error: errors,
|
|
114
|
+
};
|
|
115
|
+
}
|
|
116
|
+
|
|
117
|
+
function pickId(body: unknown, field: string): string | number | undefined {
|
|
118
|
+
if (!body || typeof body !== "object") return undefined;
|
|
119
|
+
const obj = body as Record<string, unknown>;
|
|
120
|
+
for (const key of [field, "id", "slug", "uuid", "key"]) {
|
|
121
|
+
const v = obj[key];
|
|
122
|
+
if (typeof v === "string" || typeof v === "number") return v;
|
|
123
|
+
}
|
|
124
|
+
return undefined;
|
|
125
|
+
}
|
|
@@ -0,0 +1,71 @@
|
|
|
1
|
+
import type { OpenAPIV3 } from "openapi-types";
|
|
2
|
+
import type { EndpointInfo } from "../../generator/types.ts";
|
|
3
|
+
import type { SecurityClass, SecurityFieldHit } from "./types.ts";
|
|
4
|
+
|
|
5
|
+
// ARV-310: SSRF only targets URL-shaped field names — url / *_url / *_uri /
|
|
6
|
+
// href / endpoint. Dropped the unanchored `webhook` / `callback` substrings
|
|
7
|
+
// that matched free-text fields (e.g. `callback_message`, and grouped
|
|
8
|
+
// `description` hits) which are not request-forgeable sinks. Schema
|
|
9
|
+
// format=uri|url still qualifies a field regardless of name.
|
|
10
|
+
const SSRF_NAME_RE =
|
|
11
|
+
/(url$|uri$|^href$|^endpoint$)/i;
|
|
12
|
+
// ARV-310: CRLF targets header-reflected / redirect-shaped fields (email
|
|
13
|
+
// Subject, log prefix, redirect targets), NOT free-text body fields. Dropped
|
|
14
|
+
// `^name$` / `^title$` / `^description$` / `^tag$` — those are not header
|
|
15
|
+
// sinks and produced the bulk of the GitHub-scan false positives
|
|
16
|
+
// (name ×37, name,description ×22, title ×9).
|
|
17
|
+
const CRLF_NAME_RE =
|
|
18
|
+
/(^subject$|^message_subject$|prefix$|^location$|^redirect$)/i;
|
|
19
|
+
const OPEN_REDIRECT_NAME_RE =
|
|
20
|
+
/(^redirect$|^next$|^return_to$|^redirect_url$|^redirect_to$|^redirectTo$)/i;
|
|
21
|
+
|
|
22
|
+
function matchesClass(
|
|
23
|
+
cls: SecurityClass,
|
|
24
|
+
name: string,
|
|
25
|
+
schema: OpenAPIV3.SchemaObject,
|
|
26
|
+
): boolean {
|
|
27
|
+
// Skip enum-bounded fields — payload would obviously fail validation
|
|
28
|
+
// and we'd just waste requests on guaranteed-4xx attempts.
|
|
29
|
+
if (Array.isArray(schema.enum) && schema.enum.length > 0) return false;
|
|
30
|
+
if (schema.type !== "string" && schema.type !== undefined) return false;
|
|
31
|
+
switch (cls) {
|
|
32
|
+
case "ssrf":
|
|
33
|
+
return SSRF_NAME_RE.test(name) || schema.format === "uri" || schema.format === "url";
|
|
34
|
+
case "crlf":
|
|
35
|
+
return CRLF_NAME_RE.test(name);
|
|
36
|
+
case "open-redirect":
|
|
37
|
+
return OPEN_REDIRECT_NAME_RE.test(name);
|
|
38
|
+
}
|
|
39
|
+
}
|
|
40
|
+
|
|
41
|
+
export function detectFields(
|
|
42
|
+
ep: EndpointInfo,
|
|
43
|
+
classes: SecurityClass[],
|
|
44
|
+
): SecurityFieldHit[] {
|
|
45
|
+
const out: SecurityFieldHit[] = [];
|
|
46
|
+
const schema = ep.requestBodySchema;
|
|
47
|
+
if (!schema || !schema.properties) return out;
|
|
48
|
+
for (const [name, propSchema] of Object.entries(schema.properties)) {
|
|
49
|
+
const s = propSchema as OpenAPIV3.SchemaObject;
|
|
50
|
+
for (const cls of classes) {
|
|
51
|
+
if (matchesClass(cls, name, s)) out.push({ field: name, class: cls });
|
|
52
|
+
}
|
|
53
|
+
}
|
|
54
|
+
return out;
|
|
55
|
+
}
|
|
56
|
+
|
|
57
|
+
export const PAYLOADS: Record<SecurityClass, string[]> = {
|
|
58
|
+
ssrf: [
|
|
59
|
+
"http://127.0.0.1:80/",
|
|
60
|
+
"http://169.254.169.254/latest/meta-data/",
|
|
61
|
+
"file:///etc/passwd",
|
|
62
|
+
],
|
|
63
|
+
crlf: [
|
|
64
|
+
"zond-safe\r\nX-Zond-Injected: yes",
|
|
65
|
+
"zond-safe%0d%0aX-Zond-Injected: yes",
|
|
66
|
+
],
|
|
67
|
+
"open-redirect": [
|
|
68
|
+
"https://zond-attacker.example.tld",
|
|
69
|
+
"//zond-attacker.example.tld",
|
|
70
|
+
],
|
|
71
|
+
};
|
|
@@ -0,0 +1,104 @@
|
|
|
1
|
+
import type {
|
|
2
|
+
SecurityProbeResult,
|
|
3
|
+
SecuritySeverity,
|
|
4
|
+
SecurityVerdict,
|
|
5
|
+
} from "./types.ts";
|
|
6
|
+
import { encodePathForRepro } from "../shared.ts";
|
|
7
|
+
|
|
8
|
+
/** TASK-154 §N: clip noisy payloads (some SSRF/CRLF/redirect strings are URL-
|
|
9
|
+
* encoded blobs > 60 chars). Keep the leading prefix users recognise plus an
|
|
10
|
+
* ellipsis, so the digest line stays readable. */
|
|
11
|
+
function truncatePayload(payload: string, max: number): string {
|
|
12
|
+
if (payload.length <= max) return payload;
|
|
13
|
+
return payload.slice(0, max - 1) + "…";
|
|
14
|
+
}
|
|
15
|
+
|
|
16
|
+
export function formatSecurityDigest(
|
|
17
|
+
result: SecurityProbeResult,
|
|
18
|
+
specPath: string,
|
|
19
|
+
): string {
|
|
20
|
+
const lines: string[] = [];
|
|
21
|
+
lines.push(`# zond probe-security digest`);
|
|
22
|
+
lines.push("");
|
|
23
|
+
lines.push(`Spec: \`${specPath}\``);
|
|
24
|
+
lines.push(`Classes: ${result.classes.join(", ")}`);
|
|
25
|
+
lines.push(`Endpoints scanned: ${result.totalEndpoints} · probed: ${result.specProbed}`);
|
|
26
|
+
// ARV-140 AC#4: surface the cleanup-feasibility outcome up front so a
|
|
27
|
+
// green run doesn't hide "we attacked 14 leak-prone POSTs anyway".
|
|
28
|
+
if (result.cleanupFeasibility) {
|
|
29
|
+
const f = result.cleanupFeasibility;
|
|
30
|
+
if (f.skippedNoCleanup > 0) {
|
|
31
|
+
lines.push(`Cleanup pre-flight: ${f.skippedNoCleanup} endpoint(s) skipped (no DELETE counterpart). Pass \`--allow-leaks\` to attack anyway.`);
|
|
32
|
+
} else if (f.forcedNoCleanup > 0) {
|
|
33
|
+
lines.push(`Cleanup pre-flight: ${f.forcedNoCleanup} endpoint(s) attacked despite no DELETE counterpart (--allow-leaks).`);
|
|
34
|
+
}
|
|
35
|
+
// ARV-153: surface action-verb POSTs we now attack without a DELETE
|
|
36
|
+
// counterpart so green runs make the recall win visible.
|
|
37
|
+
if (f.actionNoCleanupNeeded > 0) {
|
|
38
|
+
lines.push(`Cleanup pre-flight: ${f.actionNoCleanupNeeded} action POST(s) attacked (no resource created — DELETE counterpart not needed).`);
|
|
39
|
+
}
|
|
40
|
+
}
|
|
41
|
+
lines.push("");
|
|
42
|
+
|
|
43
|
+
// Cleanup failures section is mandatory and goes FIRST when present —
|
|
44
|
+
// round-4 dogfooding: a "green" run (HIGH=0) silently leaked DSN keys
|
|
45
|
+
// and left renamed projects, because cleanup failures were buried in
|
|
46
|
+
// per-verdict objects. Surface them prominently so a green probe is a
|
|
47
|
+
// signal the org is clean, not just that nothing crashed.
|
|
48
|
+
const cleanupFailures = result.verdicts.filter(v => v.cleanup?.error);
|
|
49
|
+
if (cleanupFailures.length > 0) {
|
|
50
|
+
lines.push(`## ⚠️ Cleanup failures (${cleanupFailures.length}) — manual remediation may be required`);
|
|
51
|
+
lines.push("");
|
|
52
|
+
for (const v of cleanupFailures) {
|
|
53
|
+
lines.push(`- **${v.method} ${v.path}** — ${v.cleanup!.error}`);
|
|
54
|
+
// ARV-245 (R-04/F16): paste-ready manual repro when we have a
|
|
55
|
+
// deletePath. Auto-encode the path so operators dealing with
|
|
56
|
+
// CRLF-poisoned ids (round-4 GitHub labels) don't have to remember
|
|
57
|
+
// to percent-encode `\r`/`\n`/spaces themselves.
|
|
58
|
+
const dp = v.cleanup?.deletePath;
|
|
59
|
+
if (dp) {
|
|
60
|
+
const encoded = encodePathForRepro(dp);
|
|
61
|
+
const note = /[\r\n\t ]/.test(dp) ? " (note: id contains whitespace/CRLF — percent-encoded)" : "";
|
|
62
|
+
lines.push(` - Manual repro: \`zond request DELETE ${encoded} --api <name>\`${note}`);
|
|
63
|
+
}
|
|
64
|
+
}
|
|
65
|
+
lines.push("");
|
|
66
|
+
}
|
|
67
|
+
|
|
68
|
+
const buckets: Record<SecuritySeverity, SecurityVerdict[]> = {
|
|
69
|
+
high: [], medium: [], low: [], info: [], inconclusive: [], "inconclusive-baseline": [], ok: [], skipped: [],
|
|
70
|
+
};
|
|
71
|
+
for (const v of result.verdicts) buckets[v.severity].push(v);
|
|
72
|
+
|
|
73
|
+
const ordered: SecuritySeverity[] = ["high", "inconclusive", "inconclusive-baseline", "medium", "low", "info", "ok", "skipped"];
|
|
74
|
+
const titles: Record<SecuritySeverity, string> = {
|
|
75
|
+
high: "🚨 HIGH — header-reflection / HTML reflection / 5xx",
|
|
76
|
+
medium: "⚠️ MEDIUM — SSRF accept on endpoint declaring delivery (no OOB confirmation)",
|
|
77
|
+
low: "🟡 LOW — storage observed, no dangerous-context reflection (verify manually)",
|
|
78
|
+
info: "· INFO — accepted, no reflection observed (sanitization signal only)",
|
|
79
|
+
inconclusive: "❓ INCONCLUSIVE — could not classify",
|
|
80
|
+
"inconclusive-baseline": "⚠️ INCONCLUSIVE-BASELINE — baseline 4xx, attacks not run",
|
|
81
|
+
ok: "✅ OK — payloads rejected with 4xx",
|
|
82
|
+
skipped: "⏭️ SKIPPED — no detected fields / no body",
|
|
83
|
+
};
|
|
84
|
+
for (const sev of ordered) {
|
|
85
|
+
const list = buckets[sev];
|
|
86
|
+
if (list.length === 0) continue;
|
|
87
|
+
lines.push(`## ${titles[sev]} (${list.length})`);
|
|
88
|
+
lines.push("");
|
|
89
|
+
for (const v of list) {
|
|
90
|
+
const cleanupTag = v.cleanup?.error ? " 🧹 cleanup-failure" : "";
|
|
91
|
+
lines.push(`- **${v.method} ${v.path}**${cleanupTag} — ${v.summary}`);
|
|
92
|
+
for (const f of v.findings) {
|
|
93
|
+
// TASK-154 §N: surface the actual payload that triggered the finding
|
|
94
|
+
// — without it the digest is useless for case-study writing (which
|
|
95
|
+
// SSRF target? which CRLF shape?). Truncate long payloads so the
|
|
96
|
+
// line stays readable.
|
|
97
|
+
const payload = truncatePayload(f.payload, 60);
|
|
98
|
+
lines.push(` - \`${f.field}\` / ${f.class} [\`${payload}\`] → ${f.status} (${f.severity}) — ${f.reason}`);
|
|
99
|
+
}
|
|
100
|
+
}
|
|
101
|
+
lines.push("");
|
|
102
|
+
}
|
|
103
|
+
return lines.join("\n");
|
|
104
|
+
}
|