@mcp-shark/mcp-shark 1.5.13 → 1.7.2

package/core/services/security/aauthSelfTest.js

@@ -0,0 +1,346 @@
+/**
+ * AAuth self-test traffic synthesizer.
+ *
+ * Generates realistic AAuth-shaped HTTP packets and writes them through
+ * mcp-shark's normal audit path (AuditService.logRequestPacket /
+ * logResponsePacket) so they look identical to live captured traffic.
+ *
+ * Strict scope:
+ *   - Pure observability fixture. No real outbound network calls.
+ *   - No cryptographic signing. The Signature/Signature-Input bytes are
+ *     placeholders meant to be visually inspected, not validated.
+ *   - The point is to populate the Traffic, Posture, and Explorer views so
+ *     a developer can see how AAuth signals are surfaced even before any
+ *     production agent integration is in place.
+ */
+
+import { readFileSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+
+const KNOWN_AGENTS = [
+  { id: 'aauth:demo-agent@example.dev', alg: 'ed25519', keyid: 'demo-key-1' },
+  { id: 'aauth:read-only-agent@example.dev', alg: 'ecdsa-p256-sha256', keyid: 'read-key-1' },
+  { id: 'aauth:writer-agent@example.dev', alg: 'ed25519', keyid: 'writer-key-1' },
+];
+
+const KNOWN_MISSIONS = [
+  'mission:lookup-customer-record',
+  'mission:summarize-incident-2026-04',
+  'mission:reset-staging-database',
+];
+
+const KNOWN_TOOLS = ['lookup_record', 'summarize_incident', 'protected_query', 'echo'];
+
+const ACCESS_MODES = [
+  { mode: 'ps-managed', resource: 'https://api.example.com/records' },
+  { mode: 'identity-based', resource: 'https://api.example.com/profiles' },
+  { mode: 'federated', resource: 'https://api.partner.example.com/exchange' },
+];
+
+const PLACEHOLDER_SIG =
+  'sig1=:MEUCIQDxPLACEHOLDER0000000000000000000000000000000000000000AAAAAAA=:';
+const PLACEHOLDER_KEY_THUMBPRINT = 'sha-256=:AbCdEfGhIjKlMnOpQrStUvWxYz0123456789AAAAAAAA=:';
+
+function pick(list, i) {
+  return list[i % list.length];
+}
+
+function buildSignatureInput(agent) {
+  const created = Math.floor(Date.now() / 1000);
+  return `sig1=("@method" "@target-uri" "host" "content-digest");keyid="${agent.keyid}";alg="${agent.alg}";created=${created}`;
+}
+
+function buildJsonRpcRequest(id, toolName, missionId) {
+  return {
+    jsonrpc: '2.0',
+    id,
+    method: 'tools/call',
+    params: {
+      name: toolName,
+      arguments: { mission: missionId, ts: new Date().toISOString() },
+    },
+  };
+}
+
+function buildJsonRpcResponse(id, toolName) {
+  return {
+    jsonrpc: '2.0',
+    id,
+    result: {
+      content: [{ type: 'text', text: `synthetic ${toolName} response` }],
+    },
+  };
+}
+
+function readMcpsConfigSafely() {
+  try {
+    const p = join(homedir(), '.mcp-shark', 'mcps.json');
+    const raw = readFileSync(p, 'utf8');
+    const parsed = JSON.parse(raw);
+    return parsed && typeof parsed.servers === 'object' ? parsed.servers : {};
+  } catch {
+    return {};
+  }
+}
+
+/**
+ * Auto-detect HTTP MCP upstreams from ~/.mcp-shark/mcps.json. We don't actually
+ * call them — we use the names/URLs to make synthetic packets feel grounded
+ * to the developer ("oh, that's the upstream I configured").
+ */
+export function detectHttpUpstreams() {
+  const servers = readMcpsConfigSafely();
+  const detected = [];
+  for (const [name, def] of Object.entries(servers)) {
+    if (!def || typeof def !== 'object') {
+      continue;
+    }
+    if (def.type === 'http' && typeof def.url === 'string') {
+      detected.push({ name, url: def.url });
+    }
+  }
+  return detected;
+}
+
+const SCENARIOS = [
+  {
+    id: 'signed',
+    label: 'Signed AAuth call',
+    posture: 'signed',
+    buildHeaders(ctx) {
+      return {
+        host: ctx.host,
+        'content-type': 'application/json',
+        'user-agent': 'mcp-shark-self-test/1.0',
+        signature: PLACEHOLDER_SIG,
+        'signature-input': buildSignatureInput(ctx.agent),
+        'signature-key': PLACEHOLDER_KEY_THUMBPRINT,
+        'aauth-agent': ctx.agent.id,
+        'aauth-mission': ctx.mission,
+      };
+    },
+    buildResponseHeaders(ctx) {
+      return {
+        'content-type': 'application/json',
+        signature: PLACEHOLDER_SIG,
+        'signature-input': buildSignatureInput(ctx.agent),
+        'signature-key': PLACEHOLDER_KEY_THUMBPRINT,
+        'aauth-agent': ctx.agent.id,
+        'aauth-mission': ctx.mission,
+      };
+    },
+    statusCode: 200,
+  },
+  {
+    id: 'challenge',
+    label: 'AAuth challenge (401)',
+    posture: 'none-then-aware',
+    buildHeaders(ctx) {
+      return {
+        host: ctx.host,
+        'content-type': 'application/json',
+        'user-agent': 'mcp-shark-self-test/1.0',
+      };
+    },
+    buildResponseHeaders(ctx) {
+      const access = ctx.access;
+      return {
+        'content-type': 'application/json',
+        'aauth-requirement': `mode="${access.mode}"; resource="${access.resource}"; jwks_uri="https://example.com/.well-known/aauth/jwks.json"`,
+        'www-authenticate': `AAuth realm="example", mode="${access.mode}", resource="${access.resource}"`,
+      };
+    },
+    statusCode: 401,
+  },
+  {
+    id: 'bearer',
+    label: 'Bearer token call',
+    posture: 'bearer',
+    buildHeaders(ctx) {
+      return {
+        host: ctx.host,
+        'content-type': 'application/json',
+        'user-agent': 'mcp-shark-self-test/1.0',
+        authorization: 'Bearer demo-token-must-be-rotated-9c4f2a',
+      };
+    },
+    buildResponseHeaders() {
+      return {
+        'content-type': 'application/json',
+        'www-authenticate': 'Bearer realm="example"',
+      };
+    },
+    statusCode: 200,
+  },
+  {
+    id: 'bearer-coexist',
+    label: 'Bearer + AAuth (drift smell)',
+    posture: 'bearer',
+    buildHeaders(ctx) {
+      return {
+        host: ctx.host,
+        'content-type': 'application/json',
+        'user-agent': 'mcp-shark-self-test/1.0',
+        authorization: 'Bearer legacy-token-rotation-required',
+        'signature-input': buildSignatureInput(ctx.agent),
+        signature: PLACEHOLDER_SIG,
+        'aauth-agent': ctx.agent.id,
+      };
+    },
+    buildResponseHeaders() {
+      return { 'content-type': 'application/json' };
+    },
+    statusCode: 200,
+  },
+];
+
+/**
+ * Run a single self-test pass. Synthesizes scenario-driven JSON-RPC traffic
+ * for each detected upstream (or a default placeholder triple if none are
+ * configured) and writes both request and response packets via the audit
+ * service so they appear as normal captured traffic.
+ *
+ * @param {object} deps
+ * @param {object} deps.auditService - mcp-shark AuditService
+ * @param {object} deps.logger - pino-style logger
+ * @param {object} [opts]
+ * @param {number} [opts.rounds=2] - how many rounds (each round runs every scenario once per upstream)
+ * @returns {{
+ *   rounds: number,
+ *   targets: Array<{name:string,url:string}>,
+ *   inserted: number,
+ *   by_scenario: Record<string, number>,
+ *   by_posture: Record<string, number>,
+ *   started_at_iso: string,
+ *   finished_at_iso: string,
+ * }}
+ */
+export function runAauthSelfTest({ auditService, logger }, opts = {}) {
+  const rounds = Math.max(1, Math.min(10, Number(opts.rounds) || 2));
+  const startedAt = new Date();
+
+  let upstreams = detectHttpUpstreams();
+  if (upstreams.length === 0) {
+    upstreams = [
+      { name: 'aauth-signed', url: 'http://127.0.0.1:9701/mcp' },
+      { name: 'aauth-challenge', url: 'http://127.0.0.1:9702/mcp' },
+      { name: 'aauth-bearer', url: 'http://127.0.0.1:9703/mcp' },
+    ];
+  }
+
+  let inserted = 0;
+  const byScenario = {};
+  const byPosture = {};
+  let nextJsonRpcId = Date.now();
+
+  for (let round = 0; round < rounds; round++) {
+    for (let u = 0; u < upstreams.length; u++) {
+      const upstream = upstreams[u];
+      const url = upstream.url;
+      let host;
+      try {
+        host = new URL(url).host;
+      } catch {
+        host = `${upstream.name}.local`;
+      }
+
+      const upstreamScenarios = chooseScenariosForUpstream(upstream.name);
+
+      for (const scenario of upstreamScenarios) {
+        const agent = pick(KNOWN_AGENTS, round + u);
+        const mission = pick(KNOWN_MISSIONS, round + u + scenario.id.length);
+        const access = pick(ACCESS_MODES, round + u);
+        const tool = pick(KNOWN_TOOLS, round + u);
+        const ctx = { agent, mission, access, host, upstream };
+
+        const jsonrpcId = `self-test-${nextJsonRpcId++}`;
+        const reqBody = buildJsonRpcRequest(jsonrpcId, tool, mission);
+        const reqHeaders = scenario.buildHeaders(ctx);
+
+        try {
+          auditService.logRequestPacket({
+            method: 'POST',
+            url,
+            headers: reqHeaders,
+            body: reqBody,
+            userAgent: reqHeaders['user-agent'] || 'mcp-shark-self-test/1.0',
+            remoteAddress: '127.0.0.1',
+          });
+        } catch (err) {
+          logger?.warn?.(
+            { error: err.message, scenario: scenario.id },
+            'self-test request log failed'
+          );
+          continue;
+        }
+
+        const respBody =
+          scenario.statusCode === 401
+            ? {
+                jsonrpc: '2.0',
+                id: jsonrpcId,
+                error: { code: -32001, message: 'AAuth signature required' },
+              }
+            : buildJsonRpcResponse(jsonrpcId, tool);
+        const respHeaders = scenario.buildResponseHeaders(ctx);
+        respHeaders.host = host;
+
+        try {
+          auditService.logResponsePacket({
+            statusCode: scenario.statusCode,
+            headers: respHeaders,
+            body: respBody,
+            jsonrpcId,
+            userAgent: reqHeaders['user-agent'] || 'mcp-shark-self-test/1.0',
+            remoteAddress: '127.0.0.1',
+          });
+        } catch (err) {
+          logger?.warn?.(
+            { error: err.message, scenario: scenario.id },
+            'self-test response log failed'
+          );
+          continue;
+        }
+
+        inserted += 2;
+        byScenario[scenario.id] = (byScenario[scenario.id] || 0) + 1;
+        byPosture[scenario.posture] = (byPosture[scenario.posture] || 0) + 1;
+      }
+    }
+  }
+
+  const finishedAt = new Date();
+  return {
+    rounds,
+    targets: upstreams,
+    inserted,
+    by_scenario: byScenario,
+    by_posture: byPosture,
+    started_at_iso: startedAt.toISOString(),
+    finished_at_iso: finishedAt.toISOString(),
+  };
+}
+
+/**
+ * Pick the scenarios that match an upstream's apparent role. Server names
+ * containing well-known substrings get tailored scenarios so the resulting
+ * graph is intuitive (signed-server → signed scenario). Anything else gets
+ * the full mix.
+ */
+function chooseScenariosForUpstream(name) {
+  const lc = (name || '').toLowerCase();
+  if (lc.includes('signed')) {
+    return SCENARIOS.filter((s) => s.id === 'signed');
+  }
+  if (lc.includes('challenge')) {
+    return SCENARIOS.filter((s) => s.id === 'challenge');
+  }
+  if (lc.includes('bearer') && lc.includes('coexist')) {
+    return SCENARIOS.filter((s) => s.id === 'bearer-coexist');
+  }
+  if (lc.includes('bearer')) {
+    return SCENARIOS.filter((s) => s.id === 'bearer');
+  }
+  return SCENARIOS;
+}

package/core/services/security/index.js

@@ -2,9 +2,10 @@
  * Security services exports
  * All security-related services for OWASP vulnerability detection
  */
-export { StaticRulesService } from './StaticRulesService.js';
+export { StaticRulesService, resetStaticRulesCache } from './StaticRulesService.js';
 export { SecurityDetectionService } from './SecurityDetectionService.js';
 export { TrafficAnalysisService } from './TrafficAnalysisService.js';
+export { TrafficToxicFlowService } from './TrafficToxicFlowService.js';
 export { YaraEngineService } from './YaraEngineService.js';
 export { RulesManagerService } from './RulesManagerService.js';
 export * from './YaraMatchConverter.js';

package/core/services/security/rules/index.js

@@ -1,71 +1,37 @@
 /**
- * Static security rules index
+ * Static security rules index — AUTO-GENERATED
+ * Do not edit manually. Run: npm run generate:rules
+ *
  * Exports all OWASP MCP Top 10 + Agentic Security + General security rules
  */
 
-// MCP OWASP Top 10 Rules
-import * as mcp01 from './scans/mcp01TokenMismanagement.js';
-import * as mcp02 from './scans/mcp02ScopeCreep.js';
-import * as mcp03 from './scans/mcp03ToolPoisoning.js';
-import * as mcp04 from './scans/mcp04SupplyChain.js';
-import * as mcp05 from './scans/mcp05CommandInjection.js';
-import * as mcp06 from './scans/mcp06PromptInjection.js';
-import * as mcp07 from './scans/mcp07InsufficientAuth.js';
-import * as mcp08 from './scans/mcp08LackAudit.js';
-import * as mcp09 from './scans/mcp09ShadowServers.js';
-import * as mcp10 from './scans/mcp10ContextInjection.js';
-
-// Agentic Security Initiative (ASI) Rules
-import * as asi01 from './scans/agentic01GoalHijack.js';
-import * as asi02 from './scans/agentic02ToolMisuse.js';
-import * as asi03 from './scans/agentic03IdentityAbuse.js';
-import * as asi04 from './scans/agentic04SupplyChain.js';
-import * as asi05 from './scans/agentic05RCE.js';
-import * as asi06 from './scans/agentic06MemoryPoisoning.js';
-import * as asi07 from './scans/agentic07InsecureCommunication.js';
-import * as asi08 from './scans/agentic08CascadingFailures.js';
-import * as asi09 from './scans/agentic09TrustExploitation.js';
-import * as asi10 from './scans/agentic10RogueAgent.js';
-
-// General Security Rules
-import * as cmdInj from './scans/commandInjection.js';
-import * as crossServer from './scans/crossServerShadowing.js';
-import * as secrets from './scans/hardcodedSecrets.js';
-import * as nameAmbig from './scans/toolNameAmbiguity.js';
+import * as agentic05RCE from './scans/agentic05RCE.js';
+import * as commandInjection from './scans/commandInjection.js';
+import * as configPermissions from './scans/configPermissions.js';
+import * as crossServerShadowing from './scans/crossServerShadowing.js';
+import * as duplicateToolNames from './scans/duplicateToolNames.js';
+import * as insecureTransport from './scans/insecureTransport.js';
+import * as mcp05CommandInjection from './scans/mcp05CommandInjection.js';
+import * as missingContainment from './scans/missingContainment.js';
+import * as shellEnvInjection from './scans/shellEnvInjection.js';
+import * as toolNameAmbiguity from './scans/toolNameAmbiguity.js';
+import * as unsafeDefaults from './scans/unsafeDefaults.js';
 
 /**
  * All available static rules with their analysis functions
  */
 export const staticRules = {
-  // MCP OWASP Top 10
-  'mcp01-token-mismanagement': mcp01,
-  'mcp02-scope-creep': mcp02,
-  'mcp03-tool-poisoning': mcp03,
-  'mcp04-supply-chain': mcp04,
-  'mcp05-command-injection': mcp05,
-  'mcp06-prompt-injection': mcp06,
-  'mcp07-insufficient-auth': mcp07,
-  'mcp08-lack-audit': mcp08,
-  'mcp09-shadow-servers': mcp09,
-  'mcp10-context-injection': mcp10,
-
-  // Agentic Security Initiative
-  'asi01-goal-hijack': asi01,
-  'asi02-tool-misuse': asi02,
-  'asi03-identity-abuse': asi03,
-  'asi04-supply-chain': asi04,
-  'asi05-rce': asi05,
-  'asi06-memory-poisoning': asi06,
-  'asi07-insecure-communication': asi07,
-  'asi08-cascading-failures': asi08,
-  'asi09-trust-exploitation': asi09,
-  'asi10-rogue-agent': asi10,
-
-  // General Security
-  'command-injection': cmdInj,
-  'cross-server-shadowing': crossServer,
-  'hardcoded-secrets': secrets,
-  'tool-name-ambiguity': nameAmbig,
+  [agentic05RCE.ruleMetadata.id]: agentic05RCE,
+  [commandInjection.ruleMetadata.id]: commandInjection,
+  [configPermissions.ruleMetadata.id]: configPermissions,
+  [crossServerShadowing.ruleMetadata.id]: crossServerShadowing,
+  [duplicateToolNames.ruleMetadata.id]: duplicateToolNames,
+  [insecureTransport.ruleMetadata.id]: insecureTransport,
+  [mcp05CommandInjection.ruleMetadata.id]: mcp05CommandInjection,
+  [missingContainment.ruleMetadata.id]: missingContainment,
+  [shellEnvInjection.ruleMetadata.id]: shellEnvInjection,
+  [toolNameAmbiguity.ruleMetadata.id]: toolNameAmbiguity,
+  [unsafeDefaults.ruleMetadata.id]: unsafeDefaults,
 };
 
 /**

package/core/services/security/rules/scans/configPermissions.js

@@ -0,0 +1,91 @@
+/**
+ * Config File Permissions Check
+ * Detects world-readable MCP config files that may expose secrets.
+ * Only applicable on Unix-like systems.
+ */
+import { createRuleAdapter } from '../utils/adapter.js';
+
+const RULE_ID = 'config-permissions';
+const OWASP_ID = 'MCP01';
+const RECOMMENDATION =
+  'Set config file permissions to 600 (owner read/write only). Run: npx mcp-shark scan --fix';
+
+export function scanConfigPermissions(_mcpData = {}) {
+  return {
+    toolFindings: [],
+    resourceFindings: [],
+    promptFindings: [],
+    notablePatterns: [],
+    recommendations: [RECOMMENDATION],
+  };
+}
+
+/**
+ * Analyze a config file path for permission issues
+ * Called directly by ScanService, not through the adapter
+ * @param {string} configPath - Path to the config file
+ * @param {string} permissions - Octal permission string (e.g., '644')
+ * @returns {Array} Findings
+ */
+export function analyzeConfigPermissions(configPath, permissions) {
+  if (process.platform === 'win32') {
+    return [];
+  }
+  if (!permissions) {
+    return [];
+  }
+
+  const perms = Number.parseInt(permissions, 8);
+  const worldReadable = (perms & 0o004) !== 0;
+  const groupReadable = (perms & 0o040) !== 0;
+
+  const findings = [];
+
+  if (worldReadable) {
+    findings.push({
+      rule_id: RULE_ID,
+      severity: 'high',
+      owasp_id: OWASP_ID,
+      title: `Config file is world-readable (${permissions})`,
+      description: `${configPath} has permissions ${permissions} — any user on this system can read your MCP secrets.`,
+      recommendation: RECOMMENDATION,
+      config_path: configPath,
+      confidence: 'definite',
+      fixable: true,
+      fix_type: 'chmod',
+      fix_data: { oldPerms: permissions },
+    });
+  } else if (groupReadable) {
+    findings.push({
+      rule_id: RULE_ID,
+      severity: 'medium',
+      owasp_id: OWASP_ID,
+      title: `Config file is group-readable (${permissions})`,
+      description: `${configPath} has permissions ${permissions} — group members can read your MCP secrets.`,
+      recommendation: RECOMMENDATION,
+      config_path: configPath,
+      confidence: 'probable',
+      fixable: true,
+      fix_type: 'chmod',
+      fix_data: { oldPerms: permissions },
+    });
+  }
+
+  return findings;
+}
+
+const adapter = createRuleAdapter(scanConfigPermissions, RULE_ID, OWASP_ID, RECOMMENDATION);
+export const analyzeTool = adapter.analyzeTool;
+export const analyzePrompt = adapter.analyzePrompt;
+export const analyzeResource = adapter.analyzeResource;
+export const analyzePacket = adapter.analyzePacket;
+
+export const ruleMetadata = {
+  id: RULE_ID,
+  name: 'Config File Permissions',
+  owasp_id: OWASP_ID,
+  severity: 'high',
+  description: 'Detects world-readable or group-readable MCP configuration files.',
+  source: 'static',
+  type: 'general-security',
+};

package/core/services/security/rules/scans/duplicateToolNames.js

@@ -0,0 +1,85 @@
+/**
+ * Duplicate Tool Names Detection (Config-Level)
+ * Detects tools with identical names across different servers,
+ * which enables cross-server shadowing attacks.
+ * Catalog reference: §1.4 (tool name collision)
+ */
+import { createRuleAdapter } from '../utils/adapter.js';
+
+const RULE_ID = 'duplicate-tool-names';
+const OWASP_ID = 'MCP09';
+const RECOMMENDATION =
+  'Rename tools to be unique across all servers, or isolate conflicting servers into separate agent sessions.';
+
+export function scanDuplicateToolNames(_mcpData = {}) {
+  return {
+    toolFindings: [],
+    resourceFindings: [],
+    promptFindings: [],
+    notablePatterns: [],
+    recommendations: [RECOMMENDATION],
+  };
+}
+
+/**
+ * Analyze all servers for duplicate tool names
+ * Called directly by ScanService with the full server list
+ * @param {Array} servers - Flat array of server objects
+ * @returns {Array} Findings for duplicate tool names
+ */
+export function analyzeAllServerToolNames(servers) {
+  const toolMap = new Map();
+
+  for (const server of servers) {
+    const tools = Array.isArray(server.tools) ? server.tools : [];
+    for (const tool of tools) {
+      const name = typeof tool === 'string' ? tool : tool?.name;
+      if (!name) {
+        continue;
+      }
+      if (!toolMap.has(name)) {
+        toolMap.set(name, []);
+      }
+      toolMap.get(name).push(server.name);
+    }
+  }
+
+  const findings = [];
+  for (const [toolName, serverNames] of toolMap) {
+    if (serverNames.length <= 1) {
+      continue;
+    }
+    const uniqueServers = [...new Set(serverNames)];
+    if (uniqueServers.length <= 1) {
+      continue;
+    }
+
+    findings.push({
+      rule_id: RULE_ID,
+      severity: 'high',
+      owasp_id: OWASP_ID,
+      title: `Duplicate tool "${toolName}" across ${uniqueServers.length} servers`,
+      description: `Tool "${toolName}" exists in ${uniqueServers.join(', ')}. An attacker could shadow one server's tool with another.`,
+      recommendation: RECOMMENDATION,
+      confidence: 'definite',
+    });
+  }
+
+  return findings;
+}
+
+const adapter = createRuleAdapter(scanDuplicateToolNames, RULE_ID, OWASP_ID, RECOMMENDATION);
+export const analyzeTool = adapter.analyzeTool;
+export const analyzePrompt = adapter.analyzePrompt;
+export const analyzeResource = adapter.analyzeResource;
+export const analyzePacket = adapter.analyzePacket;
+
+export const ruleMetadata = {
+  id: RULE_ID,
+  name: 'Duplicate Tool Names',
+  owasp_id: OWASP_ID,
+  severity: 'high',
+  description: 'Detects identical tool names across servers enabling shadowing attacks.',
+  source: 'static',
+  type: 'general-security',
+};