@oculum/scanner 1.0.9 → 1.0.11

package/src/layer2/ai-agent-tools.ts

@@ -124,6 +124,50 @@ function hasTenantContextVerification(context: string): boolean {
   return tenantContextPatterns.some(p => p.test(context))
 }
 
+/**
+ * Check if this is an MCP file with proper security controls
+ * MCP files with sanitization and authorization should be downgraded
+ */
+function isMCPFileWithSafePatterns(content: string, filePath: string): boolean {
+  // Check if this is an MCP file
+  const mcpPatterns = [
+    /McpServer/i,
+    /@modelcontextprotocol/i,
+    /server\.tool\s*\(/i,
+    /@server\.tool/i,
+    /\/mcp\//i,
+  ]
+
+  if (!mcpPatterns.some(p => p.test(content) || p.test(filePath))) {
+    return false
+  }
+
+  // Check for content sanitization patterns
+  const sanitizationPatterns = [
+    /sanitize|DOMPurify|purify/i,
+    /escapeHtml|escape_html/i,
+    /validateSchema|schema\.parse|safeParse/i,
+    /ALLOWED_TAGS/i,
+    /filterHtml|cleanHtml/i,
+  ]
+
+  // Check for authorization patterns
+  const authorizationPatterns = [
+    /if\s*\([^)]*ownerId\s*[!=]==?/i,
+    /if\s*\([^)]*userId\s*[!=]==?/i,
+    /if\s*\([^)]*tenantId\s*[!=]==?/i,
+    /throw.*Error.*(?:auth|Forbidden|Unauthorized)/i,
+    /Not\s*authorized/i,
+    /checkPermission|hasPermission|isAuthorized/i,
+  ]
+
+  const hasSanitization = sanitizationPatterns.some(p => p.test(content))
+  const hasAuthorization = authorizationPatterns.some(p => p.test(content))
+
+  // MCP file with BOTH sanitization AND authorization is safe
+  return hasSanitization && hasAuthorization
+}
+
 /**
  * Patterns indicating strong/verified restrictions (actual implementation)
  */
@@ -412,6 +456,197 @@ const OVERPERMISSIVE_TOOL_PATTERNS: ToolPattern[] = [
   },
 ]
 
+// ============================================================================
+// Phase 2: Excessive Agency Detection
+// ============================================================================
+
+interface ExcessiveAgencyPattern {
+  name: string
+  pattern: RegExp
+  baseSeverity: VulnerabilitySeverity
+  description: string
+  suggestedFix: string
+  framework?: 'crewai' | 'autogen' | 'langchain' | 'generic'
+}
+
+/**
+ * Check if agent has proper iteration limits
+ */
+function hasIterationLimits(context: string): boolean {
+  const limitPatterns = [
+    /maxIterations\s*[:=]\s*\d{1,2}\b/i,  // 1-99
+    /max_iterations\s*[:=]\s*\d{1,2}\b/i,
+    /iteration_limit\s*[:=]\s*\d{1,2}\b/i,
+    /max_steps\s*[:=]\s*\d{1,2}\b/i,
+  ]
+  return limitPatterns.some(p => p.test(context))
+}
+
+/**
+ * Check if agent has timeout configured
+ */
+function hasTimeoutConfigured(context: string): boolean {
+  const timeoutPatterns = [
+    /timeout\s*[:=]\s*[1-9]\d*/i,  // Positive number
+    /max_execution_time\s*[:=]\s*[1-9]/i,
+    /execution_timeout\s*[:=]\s*[1-9]/i,
+  ]
+  return timeoutPatterns.some(p => p.test(context))
+}
+
+/**
+ * Check if human-in-the-loop is enabled
+ */
+function hasHumanInLoop(context: string): boolean {
+  const humanPatterns = [
+    /humanInLoop\s*[:=]\s*true/i,
+    /human_in_loop\s*[:=]\s*True/i,
+    /requireApproval\s*[:=]\s*true/i,
+    /require_approval\s*[:=]\s*True/i,
+    /human_input_mode\s*[:=]\s*['"`](?:ALWAYS|TERMINATE)['"`]/i,
+    /confirm_before\s*[:=]\s*true/i,
+  ]
+  return humanPatterns.some(p => p.test(context))
+}
+
+/**
+ * Check if Docker is configured for code execution
+ */
+function hasDockerConfigured(context: string): boolean {
+  const dockerPatterns = [
+    /use_docker\s*[:=]\s*True/i,
+    /docker\s*[:=]\s*true/i,
+    /container\s*[:=]\s*true/i,
+    /sandboxed\s*[:=]\s*true/i,
+  ]
+  return dockerPatterns.some(p => p.test(context))
+}
+
+/**
+ * Check if budget/cost limits are configured
+ */
+function hasBudgetLimits(context: string): boolean {
+  const budgetPatterns = [
+    /budgetLimit|budget_limit/i,
+    /costLimit|cost_limit/i,
+    /max_cost|maxCost/i,
+    /spending_limit/i,
+    /token_limit|tokenLimit/i,
+  ]
+  return budgetPatterns.some(p => p.test(context))
+}
+
+/**
+ * Excessive agency patterns for unbounded agent autonomy
+ */
+const EXCESSIVE_AGENCY_PATTERNS: ExcessiveAgencyPattern[] = [
+  // ========== Generic Unbounded Loops ==========
+  {
+    name: 'Unbounded agent loop',
+    pattern: /while\s*\(\s*(?:true|1|True)\s*\)[\s\S]{0,100}(?:agent|step|run|execute|iterate)/gi,
+    baseSeverity: 'high',
+    description: 'Agent runs in an unbounded loop without explicit termination condition. This can lead to infinite execution, resource exhaustion, or runaway costs.',
+    suggestedFix: 'Add maxIterations limit: while (iterations < maxIterations) { ... }. Consider adding timeout and cost limits.',
+    framework: 'generic',
+  },
+  {
+    name: 'No iteration limit configured',
+    pattern: /maxIterations\s*[:=]\s*(?:-1|null|undefined|None|Infinity|float\s*\(\s*['"`]inf)/gi,
+    baseSeverity: 'high',
+    description: 'Agent configured with no iteration limit. This allows unbounded execution which can consume excessive resources.',
+    suggestedFix: 'Set a reasonable iteration limit: maxIterations: 10 (adjust based on your use case).',
+    framework: 'generic',
+  },
+  {
+    name: 'No timeout configured',
+    pattern: /timeout\s*[:=]\s*(?:-1|0|null|undefined|None|false|False)/gi,
+    baseSeverity: 'medium',
+    description: 'Agent timeout is disabled or set to zero. Long-running agents can hang indefinitely.',
+    suggestedFix: 'Configure a reasonable timeout: timeout: 300000 (5 minutes). Adjust based on expected execution time.',
+    framework: 'generic',
+  },
+  {
+    name: 'Auto-approve without human oversight',
+    pattern: /(?:autoApprove|auto_approve)\s*[:=]\s*(?:true|True)/gi,
+    baseSeverity: 'high',
+    description: 'Agent auto-approves actions without human review. Combined with destructive capabilities, this is dangerous.',
+    suggestedFix: 'Enable human-in-the-loop for sensitive operations: autoApprove: false, or implement approval workflows for destructive actions.',
+    framework: 'generic',
+  },
+  {
+    name: 'Human-in-loop disabled',
+    pattern: /(?:humanInLoop|human_in_loop)\s*[:=]\s*(?:false|False)/gi,
+    baseSeverity: 'medium',
+    description: 'Human oversight is explicitly disabled. The agent can take actions without human review.',
+    suggestedFix: 'Enable human-in-the-loop for sensitive operations: humanInLoop: true. Add confirmation prompts for destructive actions.',
+    framework: 'generic',
+  },
+
+  // ========== CrewAI Specific ==========
+  {
+    name: 'CrewAI unsafe code execution mode',
+    pattern: /code_execution_mode\s*[:=]\s*['"`]unsafe['"`]/gi,
+    baseSeverity: 'critical',
+    description: 'CrewAI agent configured with unsafe code execution mode. This allows arbitrary code execution without sandboxing.',
+    suggestedFix: 'Use safe mode: code_execution_mode="safe". This runs code in a restricted environment.',
+    framework: 'crewai',
+  },
+  {
+    name: 'CrewAI code execution without Docker',
+    pattern: /allow_code_execution\s*[:=]\s*True(?![\s\S]{0,50}use_docker\s*[:=]\s*True)/gi,
+    baseSeverity: 'high',
+    description: 'CrewAI agent allows code execution without Docker containerization. Code runs directly on the host system.',
+    suggestedFix: 'Enable Docker for code execution: Agent(..., allow_code_execution=True, code_execution_config={"use_docker": True})',
+    framework: 'crewai',
+  },
+
+  // ========== AutoGen Specific ==========
+  {
+    name: 'AutoGen use_docker=False',
+    pattern: /(?:code_execution_config|LocalCommandLineCodeExecutor)\s*[\s\S]{0,50}use_docker\s*[:=]\s*False/gi,
+    baseSeverity: 'critical',
+    description: 'AutoGen code execution configured without Docker. Code executes directly on the host, enabling full system access.',
+    suggestedFix: 'Use Docker: code_execution_config={"use_docker": True}. Or use DockerCommandLineCodeExecutor for sandboxed execution.',
+    framework: 'autogen',
+  },
+  {
+    name: 'AutoGen NEVER human input mode',
+    pattern: /human_input_mode\s*[:=]\s*['"`]NEVER['"`]/gi,
+    baseSeverity: 'high',
+    description: 'AutoGen agent configured to never request human input. Agent can execute indefinitely without human oversight.',
+    suggestedFix: 'Use "ALWAYS" or "TERMINATE" for human_input_mode. "TERMINATE" allows agent to complete but requests input on termination.',
+    framework: 'autogen',
+  },
+  {
+    name: 'AutoGen UserProxyAgent without reply limit',
+    pattern: /UserProxyAgent\s*\((?![^)]*max_consecutive_auto_reply)[^)]*\)/gi,
+    baseSeverity: 'medium',
+    description: 'AutoGen UserProxyAgent without max_consecutive_auto_reply limit. Agent can auto-reply indefinitely.',
+    suggestedFix: 'Add reply limit: UserProxyAgent(..., max_consecutive_auto_reply=10). Adjust limit based on expected conversation length.',
+    framework: 'autogen',
+  },
+
+  // ========== LangChain Specific ==========
+  {
+    name: 'LangChain AgentExecutor without limits',
+    pattern: /AgentExecutor\s*\([^)]*(?!max_iterations)[^)]*\)/gi,
+    baseSeverity: 'medium',
+    description: 'LangChain AgentExecutor without max_iterations. Agent can loop indefinitely on complex tasks.',
+    suggestedFix: 'Set iteration limit: AgentExecutor(..., max_iterations=15). Add early_stopping_method="generate" to gracefully stop.',
+    framework: 'langchain',
+  },
+
+  // ========== Overpermissioned Agents ==========
+  {
+    name: 'Agent with excessive tools',
+    pattern: /tools\s*[:=]\s*\[(?:[^\]]*,){10,}[^\]]*\]/gi,
+    baseSeverity: 'medium',
+    description: 'Agent configured with more than 10 tools. Overpermissioned agents have larger attack surface if compromised via prompt injection.',
+    suggestedFix: 'Follow principle of least privilege. Split into specialized agents with focused tool sets. Remove unused tools.',
+    framework: 'generic',
+  },
+]
+
 /**
  * Patterns for missing authorization in tools
  */
@@ -506,6 +741,8 @@ export function detectAIAgentTools(
 
       // Calculate severity
       let severity = pattern.baseSeverity
+      const isMCPSafe = isMCPFileWithSafePatterns(content, filePath)
+
       if (isTestFile) {
         severity = 'info'
       } else if (isExample) {
@@ -515,6 +752,9 @@ export function detectAIAgentTools(
         // Library code - tool definitions are intentionally flexible
         // Consumers add restrictions when they use the tools
         severity = 'info'
+      } else if (isMCPSafe) {
+        // MCP file with proper security controls (sanitization + authorization)
+        severity = 'info'
       } else if (hasPartialMitigation || hasUserContext || hasTenantContext) {
         // Partial mitigation - downgrade
         if (severity === 'critical') severity = 'high'
@@ -532,6 +772,8 @@ export function detectAIAgentTools(
         description += ' (In example/demo directory - not production code.)'
       } else if (isLibrary) {
         description += ' (Library code - tool definitions are generic; consumers add restrictions.)'
+      } else if (isMCPSafe) {
+        description += ' (MCP file with sanitization and authorization controls detected.)'
       }
 
       vulnerabilities.push({
@@ -597,5 +839,99 @@ export function detectAIAgentTools(
     }
   }
 
+  // Scan for excessive agency patterns (Phase 2)
+  for (const pattern of EXCESSIVE_AGENCY_PATTERNS) {
+    const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags)
+    let match
+
+    while ((match = regex.exec(content)) !== null) {
+      const lineNumber = content.substring(0, match.index).split('\n').length
+      const lineContent = lines[lineNumber - 1]?.trim() || ''
+
+      // Skip comments
+      if (isComment(lineContent)) continue
+
+      // Get surrounding context for mitigation checks
+      const { context } = findToolDefinitionContext(content, lineNumber)
+
+      // Check for mitigations
+      let isMitigated = false
+      let isPartiallyMitigated = false
+      let description = pattern.description
+
+      // Check iteration limits
+      if (hasIterationLimits(context)) {
+        isPartiallyMitigated = true
+        description += ' (Iteration limits detected nearby.)'
+      }
+
+      // Check timeout configuration
+      if (hasTimeoutConfigured(context)) {
+        isPartiallyMitigated = true
+        description += ' (Timeout configured.)'
+      }
+
+      // Check human-in-the-loop
+      if (hasHumanInLoop(context)) {
+        isPartiallyMitigated = true
+        description += ' (Human-in-loop enabled.)'
+      }
+
+      // Check Docker for code execution patterns
+      if (pattern.framework === 'crewai' || pattern.framework === 'autogen') {
+        if (hasDockerConfigured(context)) {
+          isMitigated = true
+          description += ' (Docker containerization detected.)'
+        }
+      }
+
+      // Check budget limits
+      if (hasBudgetLimits(context)) {
+        isPartiallyMitigated = true
+        description += ' (Budget limits configured.)'
+      }
+
+      // Calculate severity
+      let severity = pattern.baseSeverity
+      const isMCPSafe = isMCPFileWithSafePatterns(content, filePath)
+
+      if (isMitigated) {
+        severity = 'info'
+      } else if (isTestFile) {
+        severity = 'info'
+        description += ' (In test file.)'
+      } else if (isExample) {
+        severity = 'info'
+        description += ' (In example/demo directory.)'
+      } else if (isLibrary) {
+        severity = 'info'
+        description += ' (Library code.)'
+      } else if (isPartiallyMitigated) {
+        // Downgrade if partial mitigations present
+        if (severity === 'critical') severity = 'high'
+        else if (severity === 'high') severity = 'medium'
+        else if (severity === 'medium') severity = 'low'
+      }
+
+      // Skip fully mitigated or info-level in non-agent files
+      if (isMitigated && severity === 'info') continue
+
+      vulnerabilities.push({
+        id: `ai-agency-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
+        filePath,
+        lineNumber,
+        lineContent,
+        severity,
+        category: 'ai_excessive_agency',
+        title: pattern.name,
+        description,
+        suggestedFix: pattern.suggestedFix,
+        confidence: severity === 'info' ? 'low' : 'medium',
+        layer: 2,
+        requiresAIValidation: severity !== 'info' && severity !== 'low',
+      })
+    }
+  }
+
   return vulnerabilities
 }

package/src/layer2/ai-endpoint-protection.ts

@@ -136,6 +136,12 @@ function isBYOKEndpoint(content: string): boolean {
     // Headers with user's key
     /headers\[['"`]x-openai-key['"`]\]/i,
     /headers\[['"`]x-api-key['"`]\]/i,
+    // Destructuring from request body
+    /const\s*\{\s*[^}]*apiKey[^}]*\}\s*=\s*await\s*(?:request|req)\.json\(\)/i,
+    /const\s*\{\s*[^}]*api_key[^}]*\}\s*=\s*await\s*(?:request|req)\.json\(\)/i,
+    // OpenAI/Anthropic client with user-provided key
+    /new\s+OpenAI\s*\(\s*\{\s*apiKey\s*[,}]/i,
+    /new\s+Anthropic\s*\(\s*\{\s*apiKey\s*[,}]/i,
   ]
   return byokPatterns.some(p => p.test(content))
 }
@@ -327,10 +333,17 @@ export function detectAIEndpointProtection(
         notes.push('Missing authentication and rate limiting')
       }
 
-      // BYOK endpoints have lower risk
+      // BYOK endpoints have lower risk - user provides own API key
       if (isByok && severity !== 'info') {
-        severity = severity === 'high' ? 'medium' : (severity === 'medium' ? 'low' : severity)
-        notes.push('BYOK endpoint - user provides API key')
+        // BYOK with auth = info (user pays for own usage, access controlled)
+        // BYOK without auth = low (potential abuse but user still pays)
+        if (handlerHasAuth || fileHasAuth) {
+          severity = 'info'
+          notes.push('BYOK endpoint with authentication - user pays for their own usage')
+        } else {
+          severity = 'low'
+          notes.push('BYOK endpoint without auth - potential abuse but user provides API key')
+        }
       }
 
       // Downgrade test files