@oculum/scanner 1.0.0

package/src/__tests__/benchmark/fixtures/layer2/ai-endpoint-protection.ts

@@ -0,0 +1,418 @@
+/**
+ * AI Endpoint Protection Test Fixtures
+ * Tests for detecting unprotected AI/LLM endpoints
+ */
+
+import type { TestGroup } from '../../types'
+
+export const aiEndpointProtectionTests: TestGroup = {
+  name: 'AI Endpoint Protection',
+  tier: 'A',
+  layer: 2,
+  description: 'Detection of AI endpoints without proper authentication or rate limiting',
+
+  truePositives: [
+    {
+      name: 'AI Endpoints - True Positives',
+      expectFindings: true,
+      expectedCategories: ['ai_endpoint_unprotected'],
+      description: 'Unprotected AI endpoints that MUST be detected',
+      file: {
+        path: 'src/app/api/chat/route.ts',
+        content: `
+import { OpenAI } from 'openai'
+import { NextResponse } from 'next/server'
+
+const openai = new OpenAI()
+
+// Next.js App Router - NO AUTH, NO RATE LIMIT - HIGH
+export async function POST(request: Request) {
+  const { messages } = await request.json()
+
+  const completion = await openai.chat.completions.create({
+    model: 'gpt-4',
+    messages,
+  })
+
+  return NextResponse.json({ result: completion.choices[0].message })
+}
+`,
+        language: 'typescript',
+        size: 400,
+      },
+    },
+    {
+      name: 'Express AI Route - No Protection',
+      expectFindings: true,
+      expectedCategories: ['ai_endpoint_unprotected'],
+      description: 'Express route with AI calls but no auth or rate limiting',
+      file: {
+        path: 'src/routes/api/generate.ts',
+        content: `
+import express from 'express'
+import Anthropic from '@anthropic-ai/sdk'
+
+const router = express.Router()
+const anthropic = new Anthropic()
+
+// Express route - NO AUTH, NO RATE LIMIT - HIGH
+router.post('/generate', async (req, res) => {
+  const { prompt } = req.body
+
+  const message = await anthropic.messages.create({
+    model: 'claude-3-opus-20240229',
+    max_tokens: 1024,
+    messages: [{ role: 'user', content: prompt }],
+  })
+
+  res.json({ response: message.content })
+})
+
+export default router
+`,
+        language: 'typescript',
+        size: 450,
+      },
+    },
+    {
+      name: 'Next.js Pages API - No Protection',
+      expectFindings: true,
+      expectedCategories: ['ai_endpoint_unprotected'],
+      description: 'Next.js Pages API route with AI calls but no protection',
+      file: {
+        path: 'src/pages/api/completion.ts',
+        content: `
+import type { NextApiRequest, NextApiResponse } from 'next'
+import OpenAI from 'openai'
+
+const openai = new OpenAI()
+
+// Next.js Pages API - NO AUTH - HIGH
+export default async function handler(req: NextApiRequest, res: NextApiResponse) {
+  if (req.method !== 'POST') {
+    return res.status(405).json({ error: 'Method not allowed' })
+  }
+
+  const { prompt } = req.body
+
+  const response = await openai.chat.completions.create({
+    model: 'gpt-3.5-turbo',
+    messages: [{ role: 'user', content: prompt }],
+  })
+
+  res.json({ result: response.choices[0].message.content })
+}
+`,
+        language: 'typescript',
+        size: 500,
+      },
+    },
+    {
+      name: 'Vercel AI SDK - No Protection',
+      expectFindings: true,
+      expectedCategories: ['ai_endpoint_unprotected'],
+      description: 'Vercel AI SDK endpoint without auth or rate limiting',
+      file: {
+        path: 'src/app/api/stream/route.ts',
+        content: `
+import { streamText } from 'ai'
+import { openai } from '@ai-sdk/openai'
+
+// Vercel AI SDK - NO AUTH, NO RATE LIMIT - HIGH
+export async function POST(req: Request) {
+  const { messages } = await req.json()
+
+  const result = await streamText({
+    model: openai('gpt-4'),
+    messages,
+  })
+
+  return result.toDataStreamResponse()
+}
+`,
+        language: 'typescript',
+        size: 300,
+      },
+    },
+    {
+      name: 'Auth Only - Missing Rate Limit',
+      expectFindings: true,
+      expectedCategories: ['ai_endpoint_unprotected'],
+      description: 'AI endpoint with auth but missing rate limiting - LOW severity',
+      file: {
+        path: 'src/app/api/ask/route.ts',
+        content: `
+import { OpenAI } from 'openai'
+import { NextResponse } from 'next/server'
+import { getServerSession } from 'next-auth'
+
+const openai = new OpenAI()
+
+// Has auth but no rate limiting - LOW
+export async function POST(request: Request) {
+  const session = await getServerSession()
+  if (!session) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const { prompt } = await request.json()
+
+  const completion = await openai.chat.completions.create({
+    model: 'gpt-4',
+    messages: [{ role: 'user', content: prompt }],
+  })
+
+  return NextResponse.json({ result: completion.choices[0].message })
+}
+`,
+        language: 'typescript',
+        size: 500,
+      },
+    },
+  ],
+
+  falseNegatives: [
+    {
+      name: 'AI Endpoints - False Negatives',
+      expectFindings: false,
+      description: 'Properly protected AI endpoints that should NOT be flagged',
+      allowedInfoFindings: [
+        {
+          category: 'ai_endpoint_unprotected',
+          maxCount: 2,
+          reason: 'Protected endpoints may still generate info-level findings for documentation',
+        },
+        {
+          category: 'dangerous_function',
+          maxCount: 1,
+          reason: 'Request body parsing may trigger info-level schema validation suggestions',
+        },
+      ],
+      file: {
+        path: 'src/app/api/protected-chat/route.ts',
+        content: `
+import { OpenAI } from 'openai'
+import { NextResponse } from 'next/server'
+import { getServerSession } from 'next-auth'
+import { rateLimit } from '@/lib/rate-limit'
+
+const openai = new OpenAI()
+const limiter = rateLimit({ limit: 10, window: 60 })
+
+// Has both auth AND rate limiting - SAFE
+export async function POST(request: Request) {
+  // Auth check
+  const session = await getServerSession()
+  if (!session) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  // Rate limit check
+  const { success } = await limiter.check(session.user.id)
+  if (!success) {
+    return NextResponse.json({ error: 'Too Many Requests' }, { status: 429 })
+  }
+
+  const { prompt } = await request.json()
+
+  const completion = await openai.chat.completions.create({
+    model: 'gpt-4',
+    messages: [{ role: 'user', content: prompt }],
+  })
+
+  return NextResponse.json({ result: completion.choices[0].message })
+}
+`,
+        language: 'typescript',
+        size: 700,
+      },
+    },
+    {
+      name: 'BYOK Endpoint - User API Key',
+      expectFindings: false,
+      description: 'Bring Your Own Key endpoint should be downgraded',
+      allowedInfoFindings: [
+        {
+          category: 'ai_endpoint_unprotected',
+          maxCount: 1,
+          reason: 'BYOK endpoints have lower risk but may still generate info findings',
+        },
+        {
+          category: 'dangerous_function',
+          maxCount: 1,
+          reason: 'Request body parsing may trigger info-level schema validation suggestions',
+        },
+        {
+          category: 'missing_auth',
+          maxCount: 1,
+          reason: 'BYOK pattern detected as form of implicit auth at low severity',
+        },
+        {
+          category: 'ai_pattern',
+          maxCount: 1,
+          reason: 'BYOK detection at low severity when transient usage',
+        },
+      ],
+      file: {
+        path: 'src/app/api/byok-chat/route.ts',
+        content: `
+import OpenAI from 'openai'
+import { NextResponse } from 'next/server'
+
+// BYOK endpoint - user provides their own key - LOWER RISK
+export async function POST(request: Request) {
+  const { prompt, userApiKey } = await request.json()
+
+  if (!userApiKey) {
+    return NextResponse.json({ error: 'API key required' }, { status: 400 })
+  }
+
+  // User's own key - they pay for their own usage
+  const openai = new OpenAI({ apiKey: userApiKey })
+
+  const completion = await openai.chat.completions.create({
+    model: 'gpt-4',
+    messages: [{ role: 'user', content: prompt }],
+  })
+
+  return NextResponse.json({ result: completion.choices[0].message })
+}
+`,
+        language: 'typescript',
+        size: 550,
+      },
+    },
+    {
+      name: 'Internal Admin Route',
+      expectFindings: false,
+      description: 'Internal/admin routes should be downgraded',
+      allowedInfoFindings: [
+        {
+          category: 'ai_endpoint_unprotected',
+          maxCount: 1,
+          reason: 'Internal routes are treated as lower risk',
+        },
+        {
+          category: 'dangerous_function',
+          maxCount: 1,
+          reason: 'Request body parsing may trigger info-level schema validation suggestions',
+        },
+        {
+          category: 'missing_auth',
+          maxCount: 1,
+          reason: 'Internal secret check detected at low severity',
+        },
+      ],
+      file: {
+        path: 'src/app/api/internal/ai-admin/route.ts',
+        content: `
+import { OpenAI } from 'openai'
+import { NextResponse } from 'next/server'
+
+const openai = new OpenAI()
+
+// Internal route - network-level protection assumed - INFO
+export async function POST(request: Request) {
+  // Check internal secret
+  const internalSecret = request.headers.get('x-internal-secret')
+  if (internalSecret !== process.env.INTERNAL_SECRET) {
+    return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+  }
+
+  const { prompt } = await request.json()
+
+  const completion = await openai.chat.completions.create({
+    model: 'gpt-4',
+    messages: [{ role: 'user', content: prompt }],
+  })
+
+  return NextResponse.json({ result: completion.choices[0].message })
+}
+`,
+        language: 'typescript',
+        size: 550,
+      },
+    },
+    {
+      name: 'Express with Middleware',
+      expectFindings: false,
+      description: 'Express route with auth and rate limit middleware',
+      allowedInfoFindings: [
+        {
+          category: 'ai_endpoint_unprotected',
+          maxCount: 1,
+          reason: 'Protected routes may generate info findings',
+        },
+      ],
+      file: {
+        path: 'src/routes/api/protected-generate.ts',
+        content: `
+import express from 'express'
+import { OpenAI } from 'openai'
+import { authMiddleware } from '@/middleware/auth'
+import { rateLimiter } from '@/middleware/rate-limit'
+
+const router = express.Router()
+const openai = new OpenAI()
+
+// Express with proper middleware chain - SAFE
+router.post('/generate', authMiddleware, rateLimiter, async (req, res) => {
+  const { prompt } = req.body
+  const userId = req.user.id
+
+  const completion = await openai.chat.completions.create({
+    model: 'gpt-4',
+    messages: [{ role: 'user', content: prompt }],
+  })
+
+  res.json({ result: completion.choices[0].message })
+})
+
+export default router
+`,
+        language: 'typescript',
+        size: 550,
+      },
+    },
+    {
+      name: 'Fastify with Hooks',
+      expectFindings: false,
+      description: 'Fastify route with preHandler hooks for auth and rate limiting',
+      allowedInfoFindings: [
+        {
+          category: 'ai_endpoint_unprotected',
+          maxCount: 1,
+          reason: 'Protected routes may generate info findings',
+        },
+      ],
+      file: {
+        path: 'src/routes/api/fastify-chat.ts',
+        content: `
+import Anthropic from '@anthropic-ai/sdk'
+import { authenticate, rateLimit } from '@/hooks'
+
+const anthropic = new Anthropic()
+
+// Fastify with preHandler hooks - SAFE
+fastify.post('/chat', {
+  preHandler: [authenticate, rateLimit],
+  handler: async (request, reply) => {
+    const { prompt } = request.body
+    const userId = request.user.id
+
+    const message = await anthropic.messages.create({
+      model: 'claude-3-opus-20240229',
+      max_tokens: 1024,
+      messages: [{ role: 'user', content: prompt }],
+    })
+
+    return { response: message.content }
+  }
+})
+`,
+        language: 'typescript',
+        size: 500,
+      },
+    },
+  ],
+}

package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts

@@ -0,0 +1,189 @@
+/**
+ * AI Execution Sinks Test Fixtures
+ * Tests for detecting unsafe execution of LLM-generated code
+ */
+
+import type { TestGroup } from '../../types'
+
+export const aiExecutionSinksTests: TestGroup = {
+  name: 'AI Execution Sinks',
+  tier: 'A',
+  layer: 2,
+  description: 'Detection of unsafe execution of LLM-generated code, SQL, and commands',
+  
+  truePositives: [
+    {
+      name: 'AI Execution Sinks - True Positives',
+      expectFindings: true,
+      expectedCategories: ['ai_unsafe_execution', 'dangerous_function'],
+      description: 'AI execution sink patterns that MUST be detected',
+      file: {
+        path: 'src/api/ai/code-executor.ts',
+        content: `
+import OpenAI from 'openai'
+import { exec } from 'child_process'
+
+const openai = new OpenAI()
+
+// LLM output to eval() - CRITICAL
+export async function executeAICode(prompt: string) {
+  const response = await openai.chat.completions.create({
+    model: 'gpt-4',
+    messages: [{ role: 'user', content: prompt }]
+  })
+
+  const code = response.choices[0].message.content
+  return eval(code)  // CRITICAL: AI output executed directly!
+}
+
+// LLM output to Function() - CRITICAL
+export async function createAIFunction(prompt: string) {
+  const response = await openai.chat.completions.create({
+    model: 'gpt-4',
+    messages: [{ role: 'user', content: \`Generate a JS function: \${prompt}\` }]
+  })
+
+  return new Function(response.choices[0].message.content)
+}
+
+// LLM output to exec() - CRITICAL (Command Injection)
+export async function executeAICommand(task: string) {
+  const response = await openai.chat.completions.create({
+    model: 'gpt-4',
+    messages: [{ role: 'user', content: \`Generate a shell command to: \${task}\` }]
+  })
+
+  const command = response.choices[0].message.content
+  exec(command, (err, stdout) => console.log(stdout))  // CRITICAL!
+}
+
+// LLM output to SQL query - CRITICAL (SQL Injection)
+export async function executeAIQuery(userQuestion: string) {
+  const response = await openai.chat.completions.create({
+    model: 'gpt-4',
+    messages: [{
+      role: 'system',
+      content: 'Convert natural language to SQL'
+    }, {
+      role: 'user',
+      content: userQuestion
+    }]
+  })
+
+  const sql = response.choices[0].message.content
+  return db.query(sql)  // CRITICAL: AI-generated SQL executed directly!
+}
+
+// LLM output to innerHTML - HIGH (XSS)
+export async function renderAIContent(prompt: string) {
+  const response = await openai.chat.completions.create({
+    model: 'gpt-4',
+    messages: [{ role: 'user', content: prompt }]
+  })
+
+  document.getElementById('content').innerHTML = response.choices[0].message.content
+}
+
+// LLM output to file system write - HIGH
+export async function generateAndSaveFile(prompt: string) {
+  const response = await openai.chat.completions.create({
+    model: 'gpt-4',
+    messages: [{ role: 'user', content: prompt }]
+  })
+
+  const filename = response.choices[0].message.content.split('\\n')[0]
+  const content = response.choices[0].message.content.split('\\n').slice(1).join('\\n')
+  fs.writeFileSync(filename, content)  // AI controls filename!
+}
+`,
+        language: 'typescript',
+        size: 2200,
+      },
+    },
+  ],
+  
+  falseNegatives: [
+    {
+      name: 'AI Execution Sinks - False Negatives',
+      expectFindings: false,
+      description: 'Safe AI output handling patterns that should NOT be flagged',
+      allowedInfoFindings: [
+        {
+          category: 'dangerous_function',
+          maxCount: 2,
+          reason: 'SQL query with whitelist validation and sandboxed VM execution generate info-level findings',
+        },
+        {
+          category: 'suspicious_package',
+          maxCount: 1,
+          reason: 'vm2 is a security sandbox package, info-level only',
+        },
+        {
+          category: 'ai_pattern',
+          maxCount: 2,
+          reason: 'AI console.log debugging is info-level operational finding',
+        },
+      ],
+      file: {
+        path: 'src/api/ai/safe-executor.ts',
+        content: `
+import OpenAI from 'openai'
+import { VM } from 'vm2'
+
+const openai = new OpenAI()
+
+// LLM output for display only - SAFE
+export async function getAIResponse(prompt: string) {
+  const response = await openai.chat.completions.create({
+    model: 'gpt-4',
+    messages: [{ role: 'user', content: prompt }]
+  })
+
+  // Only used for display, not execution
+  console.log(response.choices[0].message.content)
+  return { message: response.choices[0].message.content }
+}
+
+// LLM output with sandboxed execution - SAFE (Medium at most)
+export async function executeSandboxed(prompt: string) {
+  const response = await openai.chat.completions.create({
+    model: 'gpt-4',
+    messages: [{ role: 'user', content: prompt }]
+  })
+
+  const vm = new VM({
+    timeout: 1000,
+    sandbox: {}
+  })
+  return vm.run(response.choices[0].message.content)
+}
+
+// LLM output with parameterized SQL - SAFE
+export async function safeAIQuery(userQuestion: string) {
+  const response = await openai.chat.completions.create({
+    model: 'gpt-4',
+    messages: [{
+      role: 'system',
+      content: 'Return ONLY column names for the SELECT clause, comma-separated'
+    }, {
+      role: 'user',
+      content: userQuestion
+    }]
+  })
+
+  const columns = response.choices[0].message.content
+  // Whitelist validation
+  const allowedColumns = ['id', 'name', 'email', 'created_at']
+  const requestedColumns = columns.split(',').map(c => c.trim())
+  const safeColumns = requestedColumns.filter(c => allowedColumns.includes(c))
+
+  // Parameterized query with validated columns
+  return db.query(\`SELECT \${safeColumns.join(', ')} FROM users WHERE id = $1\`, [userId])
+}
+`,
+        language: 'typescript',
+        size: 1500,
+      },
+    },
+  ],
+}