@safebrowse/daemon 0.1.3 → 0.1.5
- package/README.md +64 -11
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +107 -1
- package/dist/cli.js.map +1 -1
- package/dist/index.d.ts +1 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +8 -3
- package/dist/index.js.map +1 -1
- package/dist/loaders.d.ts.map +1 -1
- package/dist/loaders.js +65 -2
- package/dist/loaders.js.map +1 -1
- package/dist/modelGuard.d.ts +28 -0
- package/dist/modelGuard.d.ts.map +1 -0
- package/dist/modelGuard.js +325 -0
- package/dist/modelGuard.js.map +1 -0
- package/dist/parserIsolation.d.ts +38 -4
- package/dist/parserIsolation.d.ts.map +1 -1
- package/dist/parserIsolation.js +187 -37
- package/dist/parserIsolation.js.map +1 -1
- package/dist/parserWorker.js +97 -18
- package/dist/parserWorker.js.map +1 -1
- package/dist/runtime/config/auditor/v6_secure_claim_suite.json +70 -0
- package/dist/server.d.ts +9 -2
- package/dist/server.d.ts.map +1 -1
- package/dist/server.js +745 -408
- package/dist/server.js.map +1 -1
- package/package.json +2 -2
- package/dist/runtime/config/auditor/v4_prompt_injection_coverage_suite.json +0 -2789
- package/dist/runtime/config/v2-compromised-fixtures.json +0 -34
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"parserIsolation.js","sourceRoot":"","sources":["../src/parserIsolation.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,IAAI,
|
|
1
|
+
{"version":3,"file":"parserIsolation.js","sourceRoot":"","sources":["../src/parserIsolation.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,IAAI,EAAqB,MAAM,oBAAoB,CAAC;AAC7D,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAW7C,MAAM,SAAS,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AAC1D,MAAM,kBAAkB,GAAG,OAAO,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAC;AACjE,MAAM,gBAAgB,GAAG,OAAO,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAC;AAC/D,MAAM,UAAU,GAAG,UAAU,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,gBAAgB,CAAC;AA6E1F,SAAS,eAAe;IACtB,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,EAAE,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;AAC1F,CAAC;AAED,SAAS,aAAa,CAAC,IAAyB;IAC9C,MAAM,QAAQ,GAAG,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC;QACzC,CAAC,CAAC,IAAI,KAAK,yBAAyB;YAClC,CAAC,CAAC,CAAC,4BAA4B,CAAC;YAChC,CAAC,CAAC,CAAC,UAAU,EAAE,KAAK,CAAC;QACvB,CAAC,CAAC,EAAE,CAAC;IACP,IAAI,IAAI,KAAK,yBAAyB,EAAE,CAAC;QACvC,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,OAAO;QACL,cAAc;QACd,GAAG,eAAe,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,mBAAmB,IAAI,EAAE,CAAC;QAC7D,GAAG,QAAQ;KACZ,CAAC;AACJ,CAAC;AAOD,MAAM,0BAA0B;IAYX;IACA;IAZX,KAAK,CAAgB;IAErB,MAAM,GAAG,KAAK,CAAC;IAEf,WAAW,CAAgC;IAE3C,OAAO,CAAiB;IAEf,OAAO,GAAG,IAAI,GAAG,EAAmC,CAAC;IAEtE,YACmB,IAAyB,EACzB,UAAyC,EAAE;QAD3C,SAAI,GAAJ,IAAI,CAAqB;QACzB,YAAO,GAAP,OAAO,CAAoC;IAC3D,CAAC;IAEJ,KAAK,CAAC,kBAAkB,CAAC,KAOxB;QAKC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,WAAW,CAIlC;YACD,IAAI,EAAE,OAAO;YACb,eAAe,EAAE,KAAK,CAAC,eAAe;YACtC,mBAAmB,EAAE,KAAK,CAAC,mBAAmB,IAAI,IAAI,CAAC,IAAI;YAC3D,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,YAAY,EAAE,KAAK,CAAC,YAAY;YAChC,iBAAiB,EACf,KAAK,CAAC,iBAAiB,IAAI,IAAI,CAAC,OAAO,CAAC,iBAAiB;YAC3D,OAAO,EAAE,KAAK,CAAC,OAAO,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO;SAC/C,CAAC,CAAC;QAEH,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,cAAc;QAClB,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACrB,OAAO,IAAI,CAAC,WAAW,CAAC;QAC1B,CAAC;QAED,OAAO,IA
AI,CAAC,YAAY,EAAE,CAAC;IAC7B,CAAC;IAED,KAAK,CAAC,YAAY;QAChB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,WAAW,CAAoB;YACtD,IAAI,EAAE,OAAO;SACd,CAAC,CAAC;QAEH,IAAI,CAAC,WAAW,GAAG;YACjB,KAAK;YACL,aAAa,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACxC,CAAC;QACF,OAAO,IAAI,CAAC,WAAW,CAAC;IAC1B,CAAC;IAED,KAAK,CAAC,KAAK;QACT,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACnB,IAAI,CAAC,WAAW,GAAG,SAAS,CAAC;QAC7B,MAAM,YAAY,GAAG,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;QAClE,KAAK,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;YAC1D,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAC/B,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;QAC/B,CAAC;QACD,IAAI,CAAC,OAAO,GAAG,SAAS,CAAC;QAEzB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;QACzB,IAAI,CAAC,KAAK,GAAG,SAAS,CAAC;QACvB,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO;QACT,CAAC;QAED,MAAM,IAAI,OAAO,CAAO,CAAC,cAAc,EAAE,EAAE;YACzC,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,cAAc,EAAE,CAAC,CAAC;YAC5C,KAAK,CAAC,IAAI,EAAE,CAAC;QACf,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,KAAK,CAAC,YAAY;QACxB,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACrD,CAAC;QAED,IAAI,IAAI,CAAC,KAAK,EAAE,SAAS,EAAE,CAAC;YAC1B,OAAO;QACT,CAAC;QAED,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjB,OAAO,IAAI,CAAC,OAAO,CAAC;QACtB,CAAC;QAED,IAAI,CAAC,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE;YACzB,MAAM,KAAK,GAAG,IAAI,CAAC,UAAU,EAAE,EAAE,EAAE;gBACjC,GAAG,EACD,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,IAAI,KAAK,yBAAyB;oBACnE,CAAC,CAAC,EAAE,iBAAiB,EAAE,GAAG,EAAE;oBAC5B,CAAC,CAAC,EAAE;gBACR,KAAK,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,CAAC;gBAC5C,QAAQ,EAAE,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC;aACnC,CAAC,CAAC;YACH,KAAK,CAAC,KAAK,EAAE,CAAC;YAEd,KAAK,CAAC,EAAE,CAAC,SAAS,EAAE,CAAC,OAAgB,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC;YACvE,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC,CAAC;YAC9D,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE;gBAChC,MAAM,MAAM,GAAG,MAAM,CAAC,CAAC,CAAC,KAAK,MAAM,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC5C,IAAI,CAAC,mBAAmB,CACtB,IAAI,IAAI,IAAI,KAAK,CAAC,CA
AC,CAAC,CAAC,IAAI,KAAK,CAAC,kCAAkC,IAAI,GAAG,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAC9F,CAAC;YACJ,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;YAEnB,IAAI,IAAI,CAAC,OAAO,CAAC,iBAAiB,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;gBAC3D,MAAM,IAAI,CAAC,WAAW,CAAO;oBAC3B,IAAI,EAAE,WAAW;oBACjB,mBAAmB,EAAE,IAAI,CAAC,IAAI;oBAC9B,iBAAiB,EAAE,IAAI,CAAC,OAAO,CAAC,iBAAiB;oBACjD,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,OAAO;iBAC9B,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE;YAChB,IAAI,CAAC,OAAO,GAAG,SAAS,CAAC;QAC3B,CAAC,CAAC,CAAC;QAEH,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAEO,aAAa,CAAC,OAAgB;QACpC,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,CAAC,CAAC,WAAW,IAAI,OAAO,CAAC,EAAE,CAAC;YACzE,OAAO;QACT,CAAC;QAED,MAAM,QAAQ,GAAG,OAAiC,CAAC;QACnD,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QACrD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO;QACT,CAAC;QAED,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QACxC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;YAC1C,OAAO;QACT,CAAC;QAED,OAAO,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,KAAK,IAAI,QAAQ,CAAC,MAAM,CAAY,CAAC,CAAC;IAClE,CAAC;IAEO,mBAAmB,CAAC,KAAa;QACvC,IAAI,CAAC,WAAW,GAAG,SAAS,CAAC;QAC7B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;QACzB,IAAI,CAAC,KAAK,GAAG,SAAS,CAAC;QACvB,IAAI,KAAK,EAAE,CAAC;YACV,KAAK,CAAC,kBAAkB,EAAE,CAAC;QAC7B,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;YAC3C,OAAO;QACT,CAAC;QAED,MAAM,OAAO,GAAG,KAAK,IAAI,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;QACxE,KAAK,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;YAC1D,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAC/B,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,WAAW,CAAI,OAAsB;QACjD,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;QAE1B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;QACzB,IAAI,CAAC,KAAK,EAAE,SAAS,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACpD,CAAC;QAED,OAAO,IAAI,OAAO,CAAI,CAAC,cAAc,EAAE,aAAa,EAAE,EAAE;YACtD,MAAM,SAAS,GAAG,UAAU,EAAE,CAAC;
YAC/B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE;gBAC1B,OAAO,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,cAAc,CAAC,KAAU,CAAC;gBAC9C,MAAM,EAAE,aAAa;aACtB,CAAC,CAAC;YAEH,IAAI,CAAC;gBACH,KAAK,CAAC,IAAI,CAAC;oBACT,SAAS;oBACT,OAAO;iBACwB,CAAC,CAAC;YACrC,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;gBAC/B,aAAa,CAAC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAC3E,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AAED,MAAM,eAAe,GAAG,IAAI,GAAG,EAA+C,CAAC;AAE/E,SAAS,qBAAqB,CAAC,IAAyB;IACtD,IAAI,OAAO,GAAG,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACxC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,GAAG,4BAA4B,CAAC,IAAI,CAAC,CAAC;QAC7C,eAAe,CAAC,GAAG,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACrC,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,4BAA4B,CAC1C,sBAA2C,kBAAkB,EAC7D,UAAyC,EAAE;IAE3C,OAAO,IAAI,0BAA0B,CAAC,mBAAmB,EAAE,OAAO,CAAC,CAAC;AACtE,CAAC;AAED,MAAM,UAAU,6BAA6B,CAAC,KAO7C;IAKC,MAAM,IAAI,GAAG,KAAK,CAAC,mBAAmB,IAAI,kBAAkB,CAAC;IAC7D,OAAO,qBAAqB,CAAC,IAAI,CAAC,CAAC,kBAAkB,CAAC;QACpD,GAAG,KAAK;QACR,mBAAmB,EAAE,IAAI;KAC1B,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,sBAA2C,kBAAkB;IAE7D,OAAO,qBAAqB,CAAC,mBAAmB,CAAC;SAC9C,YAAY,EAAE;SACd,IAAI,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACxC,CAAC"}
|
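--- a/package/dist/parserWorker.js
+++ b/package/dist/parserWorker.js
@@ -1,5 +1,8 @@
+import { existsSync } from "node:fs";
 import { createRequire } from "node:module";
+import os from "node:os";
 import process from "node:process";
+import { fileURLToPath } from "node:url";
 const require = createRequire(import.meta.url);
 function denyNetwork(message = "Parser worker egress denied") {
 const denial = () => {
@@ -41,46 +44,122 @@ async function probeIsolation() {
 catch {
 egressDenied = true;
 }
+const permissionModelEnabled = Boolean(process.permission);
+const fsReadRestricted = permissionModelEnabled
+? !process.permission.has("fs.read", os.tmpdir()) &&
+!process.permission.has("fs.read", os.homedir())
+: false;
 return {
+mode: permissionModelEnabled ? "node_permission_process" : "scrubbed_process",
 envKeys: Object.keys(process.env),
 egressDenied,
-processIsolated: true
+processIsolated: true,
+permissionModelEnabled,
+fsReadRestricted,
+childProcessDenied: permissionModelEnabled ? !process.permission.has("child") : false,
+workerThreadsDenied: permissionModelEnabled ? !process.permission.has("worker") : false
 };
 }
 lockDownEnvironment();
+let cachedProbePromise;
+let cachedCoreRuntimePromise;
+let workerRuntimeDefaults;
+let workerAllowlistedEgress = [];
+let workerParserIsolationMode;
+async function getCachedProbe() {
+if (!cachedProbePromise) {
+cachedProbePromise = probeIsolation();
+}
+return cachedProbePromise;
+}
 async function loadCoreRuntime() {
-if (
-
-return import(sourceEntryUrl);
+if (cachedCoreRuntimePromise) {
+return cachedCoreRuntimePromise;
 }
-
+cachedCoreRuntimePromise = (async () => {
+if (import.meta.url.endsWith(".ts")) {
+const distEntryUrl = new URL("../../core/dist/index.js", import.meta.url);
+if (existsSync(fileURLToPath(distEntryUrl))) {
+return import(distEntryUrl.href);
+}
+const sourceEntryUrl = new URL("../../core/src/index.ts", import.meta.url).href;
+return import(sourceEntryUrl);
+}
+return import("@safebrowse/core");
+})();
+return cachedCoreRuntimePromise;
+}
+function sendResponse(requestId, message) {
+process.send?.({
+requestId,
+...message
+});
 }
 process.on("message", async (message) => {
 try {
-const
-if (
-
+const payload = message.payload;
+if (payload.kind === "configure") {
+workerRuntimeDefaults = payload.runtime;
+workerAllowlistedEgress = payload.allowlistedEgress ?? [];
+workerParserIsolationMode = payload.parserIsolationMode;
+await loadCoreRuntime();
+sendResponse(message.requestId, {
+ok: true
+});
+return;
+}
+if (payload.kind === "probe") {
+sendResponse(message.requestId, {
 ok: true,
-probe: await
+probe: await getCachedProbe()
 });
 return;
 }
-const
-
+const parserIsolationMode = payload.parserIsolationMode ??
+workerParserIsolationMode ??
+(await getCachedProbe()).mode;
+void parserIsolationMode;
+const { compileObservationV6, computeToolManifestHash, computeToolSchemaHash } = await loadCoreRuntime();
+const probe = await getCachedProbe();
+const runtime = payload.runtime ?? workerRuntimeDefaults ?? {};
+const allowlistedEgress = payload.allowlistedEgress ?? workerAllowlistedEgress;
+const result = compileObservationV6(payload.capture, runtime, {
+workflowHash: payload.workflowHash,
 parserIsolation: {
-
-
-
-
+mode: probe.mode,
+processIsolated: probe.processIsolated,
+envScrubbed: probe.envKeys.length === 0,
+egressDenied: probe.egressDenied,
+permissionModelEnabled: probe.permissionModelEnabled,
+fsReadRestricted: probe.fsReadRestricted,
+childProcessDenied: probe.childProcessDenied,
+workerThreadsDenied: probe.workerThreadsDenied,
+envKeys: probe.envKeys,
+allowlistedEgress
 }
 });
-
+const toolManifestDigests = payload.capture.surfaceType === "tool_manifest"
+? {
+manifestHash: computeToolManifestHash({
+toolId: payload.capture.toolId,
+description: payload.capture.description,
+authType: payload.capture.authType,
+requestedScopes: payload.capture.requestedScopes,
+callbackUri: payload.capture.callbackUri
+}),
+schemaHash: computeToolSchemaHash(payload.capture.schemaDescriptions)
+}
+: undefined;
+sendResponse(message.requestId, {
 ok: true,
-result
+result: {
+...result,
+toolManifestDigests
+}
 });
 }
 catch (error) {
-
+sendResponse(message.requestId, {
 ok: false,
 error: error instanceof Error ? error.message : String(error)
 });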
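Review bot: In the message handler, the requested isolation mode is resolved from `payload.parserIsolationMode ?? workerParserIsolationMode` and then discarded with `void parserIsolationMode;`, so the `parserIsolation` block passed to `compileObservationV6` reports only what the probe saw, and nothing in this hunk fails when the worker runs in a weaker mode than the parent asked for. If the requested values are the same strings the probe returns, a fail-closed check after `const probe = await getCachedProbe();` would turn a mismatch into an error response through the existing catch, e.g. `if (parserIsolationMode !== probe.mode) throw new Error("Parser isolation mode mismatch");`. Separately, `fsReadRestricted` in `probeIsolation` samples only `os.tmpdir()` and `os.homedir()`, so it deserves a comment saying it is a spot check rather than proof that reads are confined. Both the handler and `probeIsolation` extend outside the hunks shown.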
package/dist/parserWorker.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"parserWorker.js","sourceRoot":"","sources":["../src/parserWorker.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,OAAO,MAAM,cAAc,CAAC;
|
|
1
|
+
{"version":3,"file":"parserWorker.js","sourceRoot":"","sources":["../src/parserWorker.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,OAAO,MAAM,cAAc,CAAC;AACnC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAIzC,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAE/C,SAAS,WAAW,CAAC,OAAO,GAAG,6BAA6B;IAC1D,MAAM,MAAM,GAAG,GAAG,EAAE;QAClB,MAAM,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC;IAC3B,CAAC,CAAC;IAEF,MAAM,IAAI,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;IAClC,MAAM,KAAK,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IACpC,MAAM,GAAG,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IAChC,MAAM,GAAG,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IAChC,MAAM,GAAG,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IAEhC,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;IACtB,IAAI,CAAC,GAAG,GAAG,MAAM,CAAC;IAClB,KAAK,CAAC,OAAO,GAAG,MAAM,CAAC;IACvB,KAAK,CAAC,GAAG,GAAG,MAAM,CAAC;IACnB,GAAG,CAAC,OAAO,GAAG,MAAM,CAAC;IACrB,GAAG,CAAC,gBAAgB,GAAG,MAAM,CAAC;IAC9B,GAAG,CAAC,OAAO,GAAG,MAAM,CAAC;IACrB,GAAG,CAAC,MAAM,GAAG,MAAM,CAAC;IACpB,GAAG,CAAC,OAAO,GAAG,MAAM,CAAC;IACrB,GAAG,CAAC,QAAQ,GAAG,MAAM,CAAC;IACtB,GAAG,CAAC,QAAQ,GAAG,MAAM,CAAC;IAEtB,MAAM,CAAC,MAAM,CAAC,UAAU,EAAE;QACxB,KAAK,EAAE,KAAK,IAAI,EAAE;YAChB,MAAM,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC;QAC3B,CAAC;KACF,CAAC,CAAC;AACL,CAAC;AAED,SAAS,mBAAmB;IAC1B,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC3C,OAAO,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC;IACD,WAAW,EAAE,CAAC;AAChB,CAAC;AAED,KAAK,UAAU,cAAc;IAU3B,IAAI,YAAY,GAAG,KAAK,CAAC;IACzB,IAAI,CAAC;QACH,MAAM,UAAU,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;IAChD,CAAC;IAAC,MAAM,CAAC;QACP,YAAY,GAAG,IAAI,CAAC;IACtB,CAAC;IAED,MAAM,sBAAsB,GAAG,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAC3D,MAAM,gBAAgB,GAAG,sBAAsB;QAC7C,CAAC,CAAC,CAAC,OAAO,CAAC,UAAW,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC;YAChD,CAAC,OAAO,CAAC,UAAW,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,OAAO,EAAE,CAAC;QACnD,CAAC,CAAC,KAAK,CAAC;IACV,OAAO;QACL,IAAI,EAAE,sBAAsB,CAAC,CAAC,CAAC,yBAAyB,CAAC,CAAC,CAAC,kBAAkB;QAC7E,OAAO,EAAE,MAAM,CAAC,IAAI,
CAAC,OAAO,CAAC,GAAG,CAAC;QACjC,YAAY;QACZ,eAAe,EAAE,IAAI;QACrB,sBAAsB;QACtB,gBAAgB;QAChB,kBAAkB,EAAE,sBAAsB,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,UAAW,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,KAAK;QACtF,mBAAmB,EAAE,sBAAsB,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,UAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,KAAK;KACzF,CAAC;AACJ,CAAC;AAED,mBAAmB,EAAE,CAAC;AAEtB,IAAI,kBAAmF,CAAC;AACxF,IAAI,wBAMS,CAAC;AACd,IAAI,qBAA0D,CAAC;AAC/D,IAAI,uBAAuB,GAAa,EAAE,CAAC;AAC3C,IAAI,yBAAqF,CAAC;AAE1F,KAAK,UAAU,cAAc;IAC3B,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACxB,kBAAkB,GAAG,cAAc,EAAE,CAAC;IACxC,CAAC;IACD,OAAO,kBAAkB,CAAC;AAC5B,CAAC;AAED,KAAK,UAAU,eAAe;IAK5B,IAAI,wBAAwB,EAAE,CAAC;QAC7B,OAAO,wBAAwB,CAAC;IAClC,CAAC;IAED,wBAAwB,GAAG,CAAC,KAAK,IAAI,EAAE;QACrC,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YACpC,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,0BAA0B,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAC1E,IAAI,UAAU,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC;gBAC5C,OAAO,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;YACnC,CAAC;YACD,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,yBAAyB,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YAChF,OAAO,MAAM,CAAC,cAAc,CAAC,CAAC;QAChC,CAAC;QAED,OAAO,MAAM,CAAC,kBAAkB,CAAC,CAAC;IACpC,CAAC,CAAC,EAAE,CAAC;IAEL,OAAO,wBAAwB,CAAC;AAClC,CAAC;AA+BD,SAAS,YAAY,CACnB,SAAiB,EACjB,OAgBK;IAEL,OAAO,CAAC,IAAI,EAAE,CAAC;QACb,SAAS;QACT,GAAG,OAAO;KACX,CAAC,CAAC;AACL,CAAC;AAED,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,KAAK,EAAE,OAA4B,EAAE,EAAE;IAC3D,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;QAChC,IAAI,OAAO,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YACjC,qBAAqB,GAAG,OAAO,CAAC,OAAO,CAAC;YACxC,uBAAuB,GAAG,OAAO,CAAC,iBAAiB,IAAI,EAAE,CAAC;YAC1D,yBAAyB,GAAG,OAAO,CAAC,mBAAmB,CAAC;YACxD,MAAM,eAAe,EAAE,CAAC;YACxB,YAAY,CAAC,OAAO,CAAC,SAAS,EAAE;gBAC9B,EAAE,EAAE,IAAI;aACT,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,IAAI,OAAO,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC7B,YAAY,CAAC,OAAO,CAAC,SAAS,EAAE;gBAC9B,EAAE,EAAE,IAAI;gBACR,KAAK,EAAE,MAAM,cAAc,EAAE;aAC9B,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,MAAM,mBAAmB,GACvB,OAAO,CAAC,mBAAmB;YAC3B,yBAAyB;YACzB,CAAC,MAAM,cAAc,EAAE,CAAC,CAAC,
IAAI,CAAC;QAChC,KAAK,mBAAmB,CAAC;QAEzB,MAAM,EAAE,oBAAoB,EAAE,uBAAuB,EAAE,qBAAqB,EAAE,GAC5E,MAAM,eAAe,EAAE,CAAC;QAC1B,MAAM,KAAK,GAAG,MAAM,cAAc,EAAE,CAAC;QACrC,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,qBAAqB,IAAI,EAAE,CAAC;QAC/D,MAAM,iBAAiB,GAAG,OAAO,CAAC,iBAAiB,IAAI,uBAAuB,CAAC;QAC/E,MAAM,MAAM,GAAG,oBAAoB,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,EAAE;YAC5D,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,eAAe,EAAE;gBACf,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,eAAe,EAAE,KAAK,CAAC,eAAe;gBACtC,WAAW,EAAE,KAAK,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC;gBACvC,YAAY,EAAE,KAAK,CAAC,YAAY;gBAChC,sBAAsB,EAAE,KAAK,CAAC,sBAAsB;gBACpD,gBAAgB,EAAE,KAAK,CAAC,gBAAgB;gBACxC,kBAAkB,EAAE,KAAK,CAAC,kBAAkB;gBAC5C,mBAAmB,EAAE,KAAK,CAAC,mBAAmB;gBAC9C,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,iBAAiB;aAClB;SACF,CAAC,CAAC;QACH,MAAM,mBAAmB,GACvB,OAAO,CAAC,OAAO,CAAC,WAAW,KAAK,eAAe;YAC7C,CAAC,CAAC;gBACE,YAAY,EAAE,uBAAuB,CAAC;oBACpC,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,MAAM;oBAC9B,WAAW,EAAE,OAAO,CAAC,OAAO,CAAC,WAAW;oBACxC,QAAQ,EAAE,OAAO,CAAC,OAAO,CAAC,QAAQ;oBAClC,eAAe,EAAE,OAAO,CAAC,OAAO,CAAC,eAAe;oBAChD,WAAW,EAAE,OAAO,CAAC,OAAO,CAAC,WAAW;iBACzC,CAAC;gBACF,UAAU,EAAE,qBAAqB,CAAC,OAAO,CAAC,OAAO,CAAC,kBAAkB,CAAC;aACtE;YACH,CAAC,CAAC,SAAS,CAAC;QAEhB,YAAY,CAAC,OAAO,CAAC,SAAS,EAAE;YAC9B,EAAE,EAAE,IAAI;YACR,MAAM,EAAE;gBACN,GAAG,MAAM;gBACT,mBAAmB;aACpB;SACF,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,YAAY,CAAC,OAAO,CAAC,SAAS,EAAE;YAC9B,EAAE,EAAE,KAAK;YACT,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;SAC9D,CAAC,CAAC;IACL,CAAC;AACH,CAAC,CAAC,CAAC"}
|
|
@@ -0,0 +1,70 @@
|
|
|
1
|
+
{
|
|
2
|
+
"suite_id": "safebrowse-v6-secure-claim-suite",
|
|
3
|
+
"claim_profile": "secure_v6",
|
|
4
|
+
"cases": [
|
|
5
|
+
{
|
|
6
|
+
"id": "V6-01",
|
|
7
|
+
"title": "Hidden anchor on first observation does not mint capability",
|
|
8
|
+
"kind": "hidden_html",
|
|
9
|
+
"html": "<main>Visible docs only.</main><div hidden><a href=\"https://docs.python.org/3/tutorial/\">continuity path</a></div>",
|
|
10
|
+
"visible_text": "Visible docs only.",
|
|
11
|
+
"expected": {
|
|
12
|
+
"decision": "BLOCK_OR_FACTS_ONLY",
|
|
13
|
+
"capabilities": []
|
|
14
|
+
}
|
|
15
|
+
},
|
|
16
|
+
{
|
|
17
|
+
"id": "V6-02",
|
|
18
|
+
"title": "Visible allowlisted anchor mints one navigate capability",
|
|
19
|
+
"kind": "visible_navigation",
|
|
20
|
+
"html": "<main>Visible docs only.</main><a href=\"https://docs.python.org/3/tutorial/\">Docs</a>",
|
|
21
|
+
"visible_text": "Visible docs only. Docs",
|
|
22
|
+
"expected": {
|
|
23
|
+
"decision": "ALLOW",
|
|
24
|
+
"capabilities": ["navigate"]
|
|
25
|
+
}
|
|
26
|
+
},
|
|
27
|
+
{
|
|
28
|
+
"id": "V6-03",
|
|
29
|
+
"title": "Visible navigate capability cannot authorize connector onboarding",
|
|
30
|
+
"kind": "navigate_cannot_issue_connector_approval",
|
|
31
|
+
"html": "<main>Visible docs only.</main><a href=\"https://docs.python.org/3/tutorial/\">Docs</a>",
|
|
32
|
+
"visible_text": "Visible docs only. Docs",
|
|
33
|
+
"expected": {
|
|
34
|
+
"decision": "BLOCK"
|
|
35
|
+
}
|
|
36
|
+
},
|
|
37
|
+
{
|
|
38
|
+
"id": "V6-04",
|
|
39
|
+
"title": "Unsigned broker approval is rejected",
|
|
40
|
+
"kind": "unsigned_connector_approval",
|
|
41
|
+
"expected": {
|
|
42
|
+
"decision": "BLOCK"
|
|
43
|
+
}
|
|
44
|
+
},
|
|
45
|
+
{
|
|
46
|
+
"id": "V6-05",
|
|
47
|
+
"title": "Signed connector approval prepares onboarding",
|
|
48
|
+
"kind": "signed_connector_prepare",
|
|
49
|
+
"expected": {
|
|
50
|
+
"decision": "ALLOW"
|
|
51
|
+
}
|
|
52
|
+
},
|
|
53
|
+
{
|
|
54
|
+
"id": "V6-06",
|
|
55
|
+
"title": "Callback mismatch is rejected",
|
|
56
|
+
"kind": "callback_mismatch",
|
|
57
|
+
"expected": {
|
|
58
|
+
"decision": "BLOCK"
|
|
59
|
+
}
|
|
60
|
+
},
|
|
61
|
+
{
|
|
62
|
+
"id": "V6-07",
|
|
63
|
+
"title": "Secure profile disables legacy routes",
|
|
64
|
+
"kind": "legacy_route_disabled",
|
|
65
|
+
"expected": {
|
|
66
|
+
"decision": "BLOCK"
|
|
67
|
+
}
|
|
68
|
+
}
|
|
69
|
+
]
|
|
70
|
+
}
|
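Review bot: Cases V6-04 through V6-07 in this added suite carry only a `kind` and an expected `decision`, with no approval payload, callback URI or route as input, so what "unsigned", "callback mismatch" and "legacy route" mean is defined wholly by the runner and cannot be reviewed from the fixture. Consider adding the concrete input each case exercises, or a `description` field naming the runner fixture it binds to. V6-01 also accepts either outcome via `"decision": "BLOCK_OR_FACTS_ONLY"`, which leaves the test unable to detect a change between the two. The file list shows the 2789-line v4 prompt-injection coverage suite removed in the same release; if those cases were not moved elsewhere, this seven-case suite does not appear to replace them.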
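--- a/package/dist/server.d.ts
+++ b/package/dist/server.d.ts
@@ -1,6 +1,5 @@
 import { type Server } from "node:http";
-import { type KnowledgeBaseContext, type PolicyPack } from "@safebrowse/core";
-import type { VerifiedRegistryBundle } from "@safebrowse/core";
+import { type KnowledgeBaseContext, type ModelGuardEnforcementMode, type ParserIsolationMode, type PolicyPack, type VerifiedRegistryBundle } from "@safebrowse/core";
 export interface SafeBrowseDaemonOptions {
 host?: string;
 port?: number;
@@ -9,6 +8,14 @@ export interface SafeBrowseDaemonOptions {
 knowledgeBase?: KnowledgeBaseContext;
 verifiedRegistry?: VerifiedRegistryBundle;
 parserAllowlistedEgress?: string[];
+parserIsolationMode?: ParserIsolationMode;
+deploymentProfile?: "development" | "secure_v6";
+approvalBrokerPublicKeyPath?: string;
+approvalBrokerPublicKeyPem?: string;
+approvalBrokerMode?: "signature_verification" | "external_service";
+modelGuardBaseUrl?: string;
+modelGuardTimeoutMs?: number;
+modelGuardEnforcementMode?: ModelGuardEnforcementMode;
 }
 export declare function createSafeBrowseServer(options?: SafeBrowseDaemonOptions): Promise<Server>;
 export declare function startSafeBrowseDaemon(options?: SafeBrowseDaemonOptions): Promise<Server>;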
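Review bot: The eight options added to `SafeBrowseDaemonOptions` have no TSDoc, and several of them decide how approvals are verified. `approvalBrokerPublicKeyPath` and `approvalBrokerPublicKeyPem` are both optional with nothing saying which wins when both are set, or whether `approvalBrokerMode: "signature_verification"` with neither set is refused at startup; the default for `deploymentProfile` is likewise unstated. I would add a comment per field, for example `/** PEM public key used to verify broker approvals; state precedence over approvalBrokerPublicKeyPath and the behaviour when neither is set. */`, and note on `modelGuardBaseUrl` which URL schemes are accepted. The behaviour itself lives in server.js, which is outside this section, so the wording should be confirmed against it.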
package/dist/server.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAEA,OAAO,EAAsC,KAAK,MAAM,EAAuB,MAAM,WAAW,CAAC;AAIjG,OAAO,
|
|
1
|
+
{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAEA,OAAO,EAAsC,KAAK,MAAM,EAAuB,MAAM,WAAW,CAAC;AAIjG,OAAO,EAyBL,KAAK,oBAAoB,EAKzB,KAAK,yBAAyB,EAC9B,KAAK,mBAAmB,EAExB,KAAK,UAAU,EAYf,KAAK,sBAAsB,EAG5B,MAAM,kBAAkB,CAAC;AAW1B,MAAM,WAAW,uBAAuB;IACtC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,aAAa,CAAC,EAAE,oBAAoB,CAAC;IACrC,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;IAC1C,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;IACnC,mBAAmB,CAAC,EAAE,mBAAmB,CAAC;IAC1C,iBAAiB,CAAC,EAAE,aAAa,GAAG,WAAW,CAAC;IAChD,2BAA2B,CAAC,EAAE,MAAM,CAAC;IACrC,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,kBAAkB,CAAC,EAAE,wBAAwB,GAAG,kBAAkB,CAAC;IACnE,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,yBAAyB,CAAC,EAAE,yBAAyB,CAAC;CACvD;AAoeD,wBAAsB,sBAAsB,CAC1C,OAAO,GAAE,uBAA4B,GACpC,OAAO,CAAC,MAAM,CAAC,CAozBjB;AAED,wBAAsB,qBAAqB,CACzC,OAAO,GAAE,uBAA4B,GACpC,OAAO,CAAC,MAAM,CAAC,CAWjB"}
|