@oculum/scanner 1.0.9 → 1.0.11

package/src/__tests__/benchmark/fixtures/layer2/ai-rag-safety.ts

@@ -86,6 +86,145 @@ export async function chromaUnscopedQuery(query: string) {
   })
   return results
 }
+`,
+        language: 'typescript',
+        size: 1800,
+      },
+    },
+    // AI Detection Roadmap Phase 1: Enhanced RAG Detection
+    {
+      name: 'RAG Safety - Corpus Poisoning True Positives',
+      expectFindings: true,
+      expectedCategories: ['ai_rag_corpus_poisoning'],
+      description: 'User uploads directly embedded without sanitization',
+      file: {
+        path: 'src/api/rag/upload-handler.ts',
+        content: `
+import { Pinecone } from '@pinecone-database/pinecone'
+import { OpenAI } from 'openai'
+
+const pinecone = new Pinecone()
+const openai = new OpenAI()
+
+// Dangerous: User upload embedded directly without sanitization
+export async function handleDocumentUpload(req: Request) {
+  const { userId, document } = await req.json()
+
+  // Direct embedding of user content - no sanitization!
+  const embedding = await openai.embeddings.create({
+    model: 'text-embedding-3-small',
+    input: document.content  // Raw user content embedded
+  })
+
+  const index = pinecone.index('knowledge-base')
+  await index.upsert([{
+    id: document.id,
+    values: embedding.data[0].embedding,
+    metadata: { userId, content: document.content }
+  }])
+
+  return { success: true }
+}
+
+// Dangerous: External content fetched and embedded without validation
+export async function indexExternalContent(url: string) {
+  const response = await fetch(url)
+  const content = await response.text()
+
+  // External content embedded without sanitization
+  const embedding = await createEmbedding(content)
+  await vectorStore.addDocument({ content, embedding })
+}
+
+// Dangerous: User-provided PDF indexed without scanning
+export async function indexUploadedPdf(pdfBuffer: Buffer, userId: string) {
+  const pdfText = await pdfParser.parse(pdfBuffer)
+
+  // PDF content could contain injection instructions
+  await addToCorpus(pdfText, { userId })
+}
+
+// Dangerous: Slack messages indexed without filtering
+export async function indexSlackChannel(channelId: string) {
+  const messages = await slack.getMessages(channelId)
+
+  // User messages embedded - could contain injections
+  for (const msg of messages) {
+    await embedDocument(msg.text, { author: msg.user })
+  }
+}
+`,
+        language: 'typescript',
+        size: 1500,
+      },
+    },
+    {
+      name: 'RAG Safety - PII Leakage True Positives',
+      expectFindings: true,
+      expectedCategories: ['ai_rag_pii_leakage'],
+      description: 'PII fields exposed in RAG retrieval responses',
+      file: {
+        path: 'src/api/rag/search-handler.ts',
+        content: `
+import { VectorStore } from 'langchain/vectorstores'
+
+// Dangerous: PII fields in embedded documents
+export async function indexUserProfile(user: User) {
+  const doc = {
+    content: user.bio,
+    metadata: {
+      userId: user.id,
+      email: user.email,           // PII in metadata!
+      ssn: user.ssn,               // Highly sensitive PII!
+      phoneNumber: user.phone,     // PII in metadata!
+      fullName: user.fullName,     // PII in metadata!
+      dateOfBirth: user.dob,       // PII in metadata!
+      address: user.homeAddress,   // PII in metadata!
+    }
+  }
+
+  await vectorStore.addDocument(doc)
+}
+
+// Dangerous: Returning PII in retrieval response
+export async function searchDocuments(query: string) {
+  const results = await vectorStore.similaritySearch(query)
+
+  // Returning full metadata including PII
+  return results.map(doc => ({
+    content: doc.pageContent,
+    email: doc.metadata.email,     // PII in response!
+    phone: doc.metadata.phone,     // PII in response!
+    ssn: doc.metadata.ssn,         // PII in response!
+    author: doc.metadata.fullName, // PII in response!
+  }))
+}
+
+// Dangerous: Medical records embedded with patient info
+export async function indexMedicalRecords(records: MedicalRecord[]) {
+  for (const record of records) {
+    await embedDocument(record.diagnosis, {
+      patientName: record.patientName,    // PHI!
+      patientDob: record.dateOfBirth,     // PHI!
+      patientSsn: record.ssn,             // PHI!
+      insuranceId: record.insuranceNumber // PHI!
+    })
+  }
+}
+
+// Dangerous: Credit card info in indexed data
+export async function indexTransactions(transactions: Transaction[]) {
+  for (const tx of transactions) {
+    await vectorStore.addDocument({
+      content: tx.description,
+      metadata: {
+        cardNumber: tx.cardLastFour,  // PCI data!
+        cvv: tx.cvv,                   // PCI data - CRITICAL!
+        accountNumber: tx.accountNum,  // Financial PII!
+      }
+    })
+  }
+}
 `,
         language: 'typescript',
         size: 1800,

package/src/__tests__/benchmark/fixtures/layer2/byok-patterns.ts

@@ -67,6 +67,13 @@ export async function POST(request: Request) {
       name: 'BYOK - False Negatives',
       expectFindings: false,
       description: 'Secure BYOK patterns that should NOT be flagged',
+      allowedInfoFindings: [
+        {
+          category: 'ai_endpoint_unprotected',
+          maxCount: 1,
+          reason: 'BYOK with auth but missing rate limiting is info-level (user pays for own usage)',
+        },
+      ],
       file: {
         path: 'src/api/ai/byok-transient.ts',
         content: `

package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts

@@ -83,6 +83,69 @@ export async function handleError(error: any) {
         size: 1400,
       },
     },
+    {
+      name: 'Data Exposure - More Response Patterns',
+      expectFindings: true,
+      expectedCategories: ['data_exposure'],
+      description: 'Additional data exposure patterns in responses that MUST be detected',
+      file: {
+        path: 'src/api/admin/route.ts',
+        content: `
+import { NextResponse } from 'next/server'
+
+// Full error object in response - HIGH
+export async function fetchResource() {
+  try {
+    const data = await db.resource.findMany()
+    return NextResponse.json(data)
+  } catch (error) {
+    return NextResponse.json(error)  // Full error object exposed!
+  }
+}
+
+// Error spread in response - HIGH
+export async function updateResource() {
+  try {
+    await db.resource.update({ where: { id: 1 }, data: {} })
+  } catch (err) {
+    return NextResponse.json({ ...err, timestamp: Date.now() })  // Error spread!
+  }
+}
+
+// Stack trace in API response - HIGH
+export async function processRequest() {
+  try {
+    await doSomething()
+  } catch (error) {
+    return NextResponse.json({
+      error: error.stack,  // Stack trace exposed!
+      details: 'Internal error'
+    })
+  }
+}
+
+// Detailed error info in response - MEDIUM
+export async function handleWebhook() {
+  try {
+    await processWebhook()
+  } catch (err) {
+    return res.status(500).json({
+      details: err.details,  // Internal details exposed
+      internal: err.message
+    })
+  }
+}
+
+// User object in response (may contain sensitive fields) - LOW
+export async function getProfile(userId: string) {
+  const user = await db.user.findUnique({ where: { id: userId } })
+  return NextResponse.json({ user })  // May expose sensitive fields
+}
+`,
+        language: 'typescript',
+        size: 1100,
+      },
+    },
   ],
   
   falseNegatives: [

package/src/__tests__/benchmark/fixtures/layer2/excessive-agency.ts

@@ -0,0 +1,221 @@
+/**
+ * Excessive Agency Test Fixtures
+ * Tests for detecting unbounded agent autonomy risks
+ * AI Detection Roadmap Phase 2
+ */
+
+import type { TestGroup } from '../../types'
+
+export const excessiveAgencyTests: TestGroup = {
+  name: 'Excessive Agency Detection',
+  tier: 'A',
+  layer: 2,
+  description: 'Detection of unbounded AI agent execution and missing human oversight',
+
+  truePositives: [
+    {
+      name: 'Excessive Agency - Unbounded Loops',
+      expectFindings: true,
+      expectedCategories: ['ai_excessive_agency'],
+      description: 'Unbounded agent execution patterns that MUST be detected',
+      file: {
+        path: 'src/agents/unbounded-agent.ts',
+        content: `
+import { Agent } from '@langchain/agents'
+
+// Unbounded while loop - HIGH
+async function runAgentForever(agent: Agent) {
+  while (true) {
+    await agent.step()  // No termination condition!
+  }
+}
+
+// No iteration limit - HIGH
+const agentConfig = {
+  maxIterations: -1,  // Unbounded!
+  tools: [searchTool, calculatorTool],
+}
+
+// Timeout disabled - MEDIUM
+const runtimeConfig = {
+  timeout: 0,  // No timeout!
+  maxIterations: 10,
+}
+
+// Another timeout disabled pattern - MEDIUM
+const config2 = {
+  timeout: null,  // Disabled
+}
+
+// Auto-approve without oversight - HIGH
+const autoAgent = {
+  autoApprove: true,  // No human review!
+  tools: [deleteFileTool, sendEmailTool],
+}
+
+// Human-in-loop disabled - MEDIUM
+const unsupervisedAgent = {
+  humanInLoop: false,  // Explicitly disabled
+  capabilities: ['code_execution', 'file_write'],
+}
+`,
+        language: 'typescript',
+        size: 700,
+      },
+    },
+    {
+      name: 'Excessive Agency - CrewAI Unsafe',
+      expectFindings: true,
+      expectedCategories: ['ai_excessive_agency'],
+      description: 'CrewAI unsafe code execution patterns that MUST be detected',
+      file: {
+        path: 'src/agents/crewai-unsafe.py',
+        content: `
+from crewai import Agent, Task, Crew
+
+# CrewAI unsafe code execution mode - CRITICAL
+agent = Agent(
+    role="Code Executor",
+    goal="Execute user code",
+    code_execution_mode="unsafe"  # CRITICAL: No sandboxing!
+)
+
+# CrewAI code execution without Docker - HIGH
+dangerous_agent = Agent(
+    role="Script Runner",
+    allow_code_execution=True,  # HIGH: Runs on host without Docker
+    code_execution_config={
+        "timeout": 60,
+    }
+)
+`,
+        language: 'python',
+        size: 400,
+      },
+    },
+    {
+      name: 'Excessive Agency - AutoGen Unsafe',
+      expectFindings: true,
+      expectedCategories: ['ai_excessive_agency'],
+      description: 'AutoGen unsafe patterns that MUST be detected',
+      file: {
+        path: 'src/agents/autogen-unsafe.py',
+        content: `
+from autogen import UserProxyAgent, AssistantAgent
+from autogen.code_utils import LocalCommandLineCodeExecutor
+
+# AutoGen use_docker=False - CRITICAL
+code_executor = LocalCommandLineCodeExecutor(
+    work_dir="workspace",
+    use_docker=False  # CRITICAL: Executes directly on host!
+)
+
+# Another use_docker=False pattern
+config = {
+    "code_execution_config": {
+        "use_docker": False,  # CRITICAL
+        "work_dir": "workspace",
+    }
+}
+
+# AutoGen NEVER human input - HIGH
+proxy = UserProxyAgent(
+    name="user_proxy",
+    human_input_mode="NEVER",  # HIGH: No human oversight
+    code_execution_config=config,
+)
+
+# UserProxyAgent without reply limit - MEDIUM
+unlimited_proxy = UserProxyAgent(
+    name="unlimited_proxy",
+    human_input_mode="TERMINATE",
+    # Missing max_consecutive_auto_reply!
+)
+`,
+        language: 'python',
+        size: 600,
+      },
+    },
+  ],
+
+  falseNegatives: [
+    {
+      name: 'Excessive Agency - Safe Patterns',
+      expectFindings: false,
+      description: 'Safe agent patterns with proper limits that should NOT be flagged',
+      file: {
+        path: 'src/agents/safe-agent.ts',
+        content: `
+import { Agent } from '@langchain/agents'
+
+// Bounded iteration loop - SAFE
+async function runAgentWithLimits(agent: Agent) {
+  const maxIterations = 10
+  for (let i = 0; i < maxIterations; i++) {
+    const result = await agent.step()
+    if (result.done) break
+  }
+}
+
+// Proper configuration - SAFE
+const safeConfig = {
+  maxIterations: 15,  // Bounded
+  timeout: 300000,    // 5 minute timeout
+  humanInLoop: true,  // Human oversight
+  budgetLimit: 100,   // Cost limit
+}
+
+// Human approval required - SAFE
+const reviewedAgent = {
+  requireApproval: true,
+  tools: [searchTool],
+}
+`,
+        language: 'typescript',
+        size: 500,
+      },
+    },
+    {
+      name: 'Excessive Agency - Safe CrewAI/AutoGen',
+      expectFindings: false,
+      description: 'Safe CrewAI and AutoGen patterns that should NOT be flagged',
+      file: {
+        path: 'src/agents/safe-frameworks.py',
+        content: `
+from crewai import Agent
+from autogen import UserProxyAgent
+from autogen.code_utils import DockerCommandLineCodeExecutor
+
+# CrewAI with safe mode - SAFE
+safe_crewai_agent = Agent(
+    role="Safe Executor",
+    code_execution_mode="safe"  # SAFE: Sandboxed execution
+)
+
+# AutoGen with Docker - SAFE
+docker_executor = DockerCommandLineCodeExecutor(
+    image="python:3.10-slim",
+    timeout=60,
+)
+
+# AutoGen with human input - SAFE
+supervised_proxy = UserProxyAgent(
+    name="supervised",
+    human_input_mode="ALWAYS",  # SAFE: Human oversight
+    max_consecutive_auto_reply=5,  # SAFE: Limited replies
+)
+
+# Config with Docker enabled - SAFE
+safe_config = {
+    "code_execution_config": {
+        "use_docker": True,  # SAFE
+        "timeout": 60,
+    }
+}
+`,
+        language: 'python',
+        size: 600,
+      },
+    },
+  ],
+}

package/src/__tests__/benchmark/fixtures/layer2/index.ts

@@ -21,6 +21,12 @@ export { logicGatesTests } from './logic-gates'
 export { sensitiveVariablesTests } from './variables'
 export { riskyImportsTests } from './risky-imports'
 export { frameworkChecksTests } from './framework-checks'
+// AI Detection Roadmap Phase 1
+export { aiPackageHallucinationTests } from './ai-package-hallucination'
+export { aiMcpSecurityTests } from './ai-mcp-security'
+// AI Detection Roadmap Phase 2
+export { modelSupplyChainTests } from './model-supply-chain'
+export { excessiveAgencyTests } from './excessive-agency'
 
 import type { TestGroup } from '../../types'
 import { dangerousFunctionsTests } from './dangerous-functions'
@@ -41,6 +47,12 @@ import { logicGatesTests } from './logic-gates'
 import { sensitiveVariablesTests } from './variables'
 import { riskyImportsTests } from './risky-imports'
 import { frameworkChecksTests } from './framework-checks'
+// AI Detection Roadmap Phase 1
+import { aiPackageHallucinationTests } from './ai-package-hallucination'
+import { aiMcpSecurityTests } from './ai-mcp-security'
+// AI Detection Roadmap Phase 2
+import { modelSupplyChainTests } from './model-supply-chain'
+import { excessiveAgencyTests } from './excessive-agency'
 
 /**
  * All Layer 2 test groups
@@ -64,4 +76,10 @@ export const layer2TestGroups: TestGroup[] = [
   sensitiveVariablesTests,
   riskyImportsTests,
   frameworkChecksTests,
+  // AI Detection Roadmap Phase 1
+  aiPackageHallucinationTests,
+  aiMcpSecurityTests,
+  // AI Detection Roadmap Phase 2
+  modelSupplyChainTests,
+  excessiveAgencyTests,
 ]

package/src/__tests__/benchmark/fixtures/layer2/model-supply-chain.ts

@@ -0,0 +1,204 @@
+/**
+ * Model Supply Chain Security Test Fixtures
+ * Tests for detecting unsafe model loading and supply chain risks
+ * AI Detection Roadmap Phase 2
+ */
+
+import type { TestGroup } from '../../types'
+
+export const modelSupplyChainTests: TestGroup = {
+  name: 'Model Supply Chain Security',
+  tier: 'A',
+  layer: 2,
+  description: 'Detection of unsafe model loading patterns that can lead to RCE',
+
+  truePositives: [
+    {
+      name: 'Model Supply Chain - Pickle RCE',
+      expectFindings: true,
+      expectedCategories: ['ai_unsafe_model_load'],
+      description: 'Unsafe pickle/joblib deserialization that MUST be detected',
+      file: {
+        path: 'src/ml/model_loader.py',
+        content: `
+import pickle
+import joblib
+import torch
+
+# Pickle deserialization - CRITICAL RCE risk
+def load_user_model(model_path):
+    """Load a model file uploaded by user"""
+    with open(model_path, 'rb') as f:
+        model = pickle.load(f)  # CRITICAL: Arbitrary code execution
+    return model
+
+# Joblib deserialization - CRITICAL RCE risk
+def load_sklearn_model(model_path):
+    """Load sklearn model from user upload"""
+    model = joblib.load(model_path)  # CRITICAL: Uses pickle internally
+    return model
+
+# Torch.load without weights_only - HIGH
+def load_pytorch_model(checkpoint_path):
+    """Load PyTorch checkpoint"""
+    checkpoint = torch.load(checkpoint_path)  # HIGH: Can execute code
+    return checkpoint['model']
+`,
+        language: 'python',
+        size: 600,
+      },
+    },
+    {
+      name: 'Model Supply Chain - Unverified Sources',
+      expectFindings: true,
+      expectedCategories: ['ai_unverified_model', 'ai_unsafe_model_load'],
+      description: 'Models loaded from untrusted sources that MUST be detected',
+      file: {
+        path: 'src/ml/download_model.py',
+        content: `
+from transformers import AutoModelForCausalLM, AutoTokenizer
+import urllib.request
+
+# Model from HTTP URL - HIGH (no integrity verification)
+def load_from_url():
+    model = AutoModelForCausalLM.from_pretrained("http://malicious-server.com/model")
+    return model
+
+# trust_remote_code=True - HIGH (executes arbitrary code)
+def load_with_remote_code():
+    model = AutoModelForCausalLM.from_pretrained(
+        "unknown-org/untrusted-model",
+        trust_remote_code=True  # HIGH: Executes arbitrary Python
+    )
+    return model
+
+# Model download without checksum - MEDIUM
+def download_raw_model():
+    urllib.request.urlretrieve(
+        "https://example.com/model.pth",  # No checksum verification
+        "model.pth"
+    )
+`,
+        language: 'python',
+        size: 500,
+      },
+    },
+    {
+      name: 'Model Supply Chain - Unsafe Fine-tuning',
+      expectFindings: true,
+      expectedCategories: ['ai_unsafe_finetuning'],
+      description: 'Unsafe fine-tuning on user data that MUST be detected',
+      file: {
+        path: 'src/ml/finetune.py',
+        content: `
+from transformers import Trainer, TrainingArguments
+
+# Training on user uploads - HIGH (data poisoning risk)
+def finetune_on_user_data(user_uploads):
+    """Fine-tune model on user-uploaded data"""
+    training_args = TrainingArguments(
+        output_dir="./results",
+        num_train_epochs=3,
+    )
+    trainer = Trainer(
+        model=model,
+        args=training_args,
+        train_dataset=user_uploads,  # HIGH: Unvalidated user data
+    )
+    trainer.train()  # Training on untrusted data
+`,
+        language: 'python',
+        size: 400,
+      },
+    },
+    {
+      name: 'Model Supply Chain - Unverified Downloads',
+      expectFindings: true,
+      expectedCategories: ['ai_unverified_model'],
+      description: 'Model downloads without integrity verification that MUST be detected',
+      file: {
+        path: 'src/ml/model_downloader.py',
+        content: `
+import requests
+import wget
+from transformers import AutoModelForCausalLM
+
+# Direct model download without checksum - MEDIUM
+def download_model_unsafe():
+    # Using requests to download model file
+    response = requests.get("https://random-server.com/model.pth")
+    with open("model.pth", "wb") as f:
+        f.write(response.content)  # No integrity check!
+
+# wget without verification - MEDIUM
+def download_with_wget():
+    wget.download("http://untrusted-host.com/model.bin", "model.bin")
+
+# Model from HTTP (not HTTPS) - HIGH
+def load_from_http():
+    model = AutoModelForCausalLM.from_pretrained("http://insecure-host.com/models/gpt")
+    return model
+
+# Model from unknown Hugging Face org - MEDIUM (no integrity pin)
+def load_unknown_model():
+    # No revision pin - could be modified by repo owner
+    model = AutoModelForCausalLM.from_pretrained("random-unknown-user/suspicious-model")
+    return model
+`,
+        language: 'python',
+        size: 700,
+      },
+    },
+  ],
+
+  falseNegatives: [
+    {
+      name: 'Model Supply Chain - Safe Patterns',
+      expectFindings: false,
+      description: 'Safe model loading patterns that should NOT be flagged',
+      file: {
+        path: 'src/ml/safe_model_loader.py',
+        content: `
+import torch
+from safetensors.torch import load_file
+from transformers import AutoModelForCausalLM
+import hashlib
+
+# SafeTensors - SAFE (no code execution)
+def load_safe_model(model_path):
+    """Load model using SafeTensors format"""
+    state_dict = load_file(model_path)
+    model.load_state_dict(state_dict)
+    return model
+
+# torch.load with weights_only - SAFE
+def load_pytorch_safe(checkpoint_path):
+    """Load PyTorch checkpoint safely"""
+    checkpoint = torch.load(checkpoint_path, weights_only=True)
+    return checkpoint
+
+# Model from trusted source with verification - SAFE
+def load_from_huggingface():
+    """Load from official Hugging Face repo with pinned revision"""
+    model = AutoModelForCausalLM.from_pretrained(
+        "meta-llama/Llama-2-7b",
+        revision="a1b2c3d4e5f6"  # Pinned to specific commit
+    )
+    return model
+
+# Model with checksum verification - SAFE
+def load_with_verification(model_path, expected_sha256):
+    """Load model after verifying checksum"""
+    with open(model_path, 'rb') as f:
+        file_hash = hashlib.sha256(f.read()).hexdigest()
+    if file_hash != expected_sha256:
+        raise ValueError("Checksum mismatch!")
+    # Safe to load after verification
+    return torch.load(model_path, weights_only=True)
+`,
+        language: 'python',
+        size: 800,
+      },
+    },
+  ],
+}