@sparkleideas/browser 3.0.0-alpha.3

package/src/infrastructure/security-integration.ts

@@ -0,0 +1,528 @@
+/**
+ * @sparkleideas/browser - Security Integration
+ * AIDefence integration for URL validation, PII detection, and threat scanning
+ */
+
+import { z } from 'zod';
+
+// ============================================================================
+// Security Types
+// ============================================================================
+
+export interface ThreatScanResult {
+  safe: boolean;
+  threats: Threat[];
+  pii: PIIMatch[];
+  score: number; // 0-1 (1 = safe)
+  scanDuration: number;
+}
+
+export interface Threat {
+  type: ThreatType;
+  severity: 'low' | 'medium' | 'high' | 'critical';
+  description: string;
+  location?: string;
+  mitigation?: string;
+}
+
+export type ThreatType =
+  | 'xss'
+  | 'injection'
+  | 'phishing'
+  | 'malware'
+  | 'data-exfiltration'
+  | 'credential-theft'
+  | 'insecure-protocol'
+  | 'suspicious-redirect'
+  | 'blocked-domain';
+
+export interface PIIMatch {
+  type: PIIType;
+  value: string;
+  masked: string;
+  location: string;
+  confidence: number;
+}
+
+export type PIIType =
+  | 'email'
+  | 'phone'
+  | 'ssn'
+  | 'credit-card'
+  | 'api-key'
+  | 'password'
+  | 'address'
+  | 'name';
+
+export interface SecurityConfig {
+  enableUrlValidation: boolean;
+  enablePIIDetection: boolean;
+  enableThreatScanning: boolean;
+  blockedDomains: string[];
+  allowedDomains: string[];
+  maxRedirects: number;
+  requireHttps: boolean;
+  piiMaskingEnabled: boolean;
+}
+
+// ============================================================================
+// Validation Schemas
+// ============================================================================
+
+export const URLValidationSchema = z.string().url().refine(
+  (url) => {
+    try {
+      const parsed = new URL(url);
+      return ['http:', 'https:'].includes(parsed.protocol);
+    } catch {
+      return false;
+    }
+  },
+  { message: 'Invalid URL or unsupported protocol' }
+);
+
+// ============================================================================
+// PII Detection Patterns
+// ============================================================================
+
+const PII_PATTERNS: Record<PIIType, RegExp> = {
+  email: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b/g,
+  phone: /\b(\+?1[-.\s]?)?(\(?\d{3}\)?[-.\s]?)?\d{3}[-.\s]?\d{4}\b/g,
+  ssn: /\b\d{3}[-\s]?\d{2}[-\s]?\d{4}\b/g,
+  'credit-card': /\b(?:\d{4}[-\s]?){3}\d{4}\b/g,
+  'api-key': /\b(?:sk[-_]|api[-_]?key[-_]?|token[-_]?)[a-zA-Z0-9]{20,}\b/gi,
+  password: /(?:password|passwd|pwd)[\s:=]+[^\s]{6,}/gi,
+  address: /\b\d+\s+[\w\s]+(?:street|st|avenue|ave|road|rd|boulevard|blvd|drive|dr|lane|ln|way|court|ct)\b/gi,
+  name: /(?:^|\s)(?:Mr|Mrs|Ms|Dr|Prof)\.?\s+[A-Z][a-z]+\s+[A-Z][a-z]+(?:\s|$)/g,
+};
+
+// ============================================================================
+// Known Threats
+// ============================================================================
+
+const PHISHING_INDICATORS = [
+  'login-verify',
+  'account-update',
+  'security-alert',
+  'verify-account',
+  'suspended-account',
+  'confirm-identity',
+  'unusual-activity',
+];
+
+const SUSPICIOUS_TLDs = ['.tk', '.ml', '.ga', '.cf', '.gq', '.xyz', '.top', '.work', '.click'];
+
+const BLOCKED_DOMAINS_DEFAULT = [
+  'bit.ly', // URL shorteners (can hide malicious URLs)
+  'tinyurl.com',
+  'goo.gl',
+  't.co',
+  // Add more as needed
+];
+
+// ============================================================================
+// Security Scanner Class
+// ============================================================================
+
+export class BrowserSecurityScanner {
+  private config: SecurityConfig;
+
+  constructor(config: Partial<SecurityConfig> = {}) {
+    this.config = {
+      enableUrlValidation: true,
+      enablePIIDetection: true,
+      enableThreatScanning: true,
+      blockedDomains: [...BLOCKED_DOMAINS_DEFAULT],
+      allowedDomains: [],
+      maxRedirects: 5,
+      requireHttps: true,
+      piiMaskingEnabled: true,
+      ...config,
+    };
+  }
+
+  /**
+   * Full security scan of a URL before navigation
+   */
+  async scanUrl(url: string): Promise<ThreatScanResult> {
+    const startTime = Date.now();
+    const threats: Threat[] = [];
+    const pii: PIIMatch[] = [];
+
+    // Validate URL format
+    if (this.config.enableUrlValidation) {
+      const urlThreats = this.validateUrl(url);
+      threats.push(...urlThreats);
+    }
+
+    // Check for blocked domains
+    if (this.isBlockedDomain(url)) {
+      threats.push({
+        type: 'blocked-domain',
+        severity: 'high',
+        description: 'This domain is on the blocked list',
+        location: url,
+        mitigation: 'Use the original URL instead of a shortener',
+      });
+    }
+
+    // Check for phishing indicators
+    if (this.config.enableThreatScanning) {
+      const phishingThreats = this.detectPhishing(url);
+      threats.push(...phishingThreats);
+    }
+
+    // Calculate safety score
+    const score = this.calculateSafetyScore(threats);
+
+    return {
+      safe: score >= 0.7 && !threats.some((t) => t.severity === 'critical'),
+      threats,
+      pii,
+      score,
+      scanDuration: Date.now() - startTime,
+    };
+  }
+
+  /**
+   * Scan content for PII before filling forms
+   */
+  scanContent(content: string, context: string = 'unknown'): ThreatScanResult {
+    const startTime = Date.now();
+    const threats: Threat[] = [];
+    const pii: PIIMatch[] = [];
+
+    if (!this.config.enablePIIDetection) {
+      return { safe: true, threats, pii, score: 1, scanDuration: Date.now() - startTime };
+    }
+
+    // Detect PII in content
+    for (const [type, pattern] of Object.entries(PII_PATTERNS) as [PIIType, RegExp][]) {
+      const matches = content.matchAll(new RegExp(pattern.source, pattern.flags));
+      for (const match of matches) {
+        const value = match[0];
+        pii.push({
+          type,
+          value,
+          masked: this.maskPII(value, type),
+          location: context,
+          confidence: this.calculatePIIConfidence(value, type),
+        });
+      }
+    }
+
+    // Add threat if sensitive PII found
+    const sensitivePII = pii.filter((p) => ['ssn', 'credit-card', 'api-key', 'password'].includes(p.type));
+    if (sensitivePII.length > 0) {
+      threats.push({
+        type: 'data-exfiltration',
+        severity: 'high',
+        description: `Sensitive data detected: ${sensitivePII.map((p) => p.type).join(', ')}`,
+        location: context,
+        mitigation: 'Consider masking or removing sensitive data before processing',
+      });
+    }
+
+    const score = this.calculateSafetyScore(threats);
+
+    return {
+      safe: score >= 0.7,
+      threats,
+      pii,
+      score,
+      scanDuration: Date.now() - startTime,
+    };
+  }
+
+  /**
+   * Validate input before filling a form field
+   */
+  validateInput(value: string, fieldType: string): ThreatScanResult {
+    const threats: Threat[] = [];
+    const pii: PIIMatch[] = [];
+
+    // Check for injection patterns
+    if (this.containsInjection(value)) {
+      threats.push({
+        type: 'injection',
+        severity: 'critical',
+        description: 'Potential injection attack detected in input',
+        location: fieldType,
+        mitigation: 'Sanitize input before submission',
+      });
+    }
+
+    // Check for XSS
+    if (this.containsXSS(value)) {
+      threats.push({
+        type: 'xss',
+        severity: 'critical',
+        description: 'Potential XSS attack detected in input',
+        location: fieldType,
+        mitigation: 'Escape HTML entities before submission',
+      });
+    }
+
+    // Detect PII in input
+    const contentScan = this.scanContent(value, fieldType);
+    pii.push(...contentScan.pii);
+
+    const score = this.calculateSafetyScore(threats);
+
+    return {
+      safe: score >= 0.7,
+      threats,
+      pii,
+      score,
+      scanDuration: 0,
+    };
+  }
+
+  /**
+   * Sanitize input by removing detected threats
+   */
+  sanitizeInput(value: string): string {
+    let sanitized = value;
+
+    // Escape HTML entities
+    sanitized = sanitized
+      .replace(/&/g, '&amp;')
+      .replace(/</g, '&lt;')
+      .replace(/>/g, '&gt;')
+      .replace(/"/g, '&quot;')
+      .replace(/'/g, '&#x27;');
+
+    // Remove script tags
+    sanitized = sanitized.replace(/<script[^>]*>[\s\S]*?<\/script>/gi, '');
+
+    // Remove event handlers
+    sanitized = sanitized.replace(/\s*on\w+\s*=\s*["'][^"']*["']/gi, '');
+
+    return sanitized;
+  }
+
+  /**
+   * Mask PII for safe logging/display
+   */
+  maskPII(value: string, type: PIIType): string {
+    if (!this.config.piiMaskingEnabled) return value;
+
+    switch (type) {
+      case 'email': {
+        const [local, domain] = value.split('@');
+        return `${local[0]}${'*'.repeat(Math.min(local.length - 1, 5))}@${domain}`;
+      }
+      case 'phone':
+        return value.replace(/\d(?=\d{4})/g, '*');
+      case 'ssn':
+        return '***-**-' + value.slice(-4);
+      case 'credit-card':
+        return '**** **** **** ' + value.replace(/\D/g, '').slice(-4);
+      case 'api-key':
+        return value.slice(0, 8) + '*'.repeat(Math.min(value.length - 8, 20));
+      case 'password':
+        return '********';
+      default:
+        return '*'.repeat(value.length);
+    }
+  }
+
+  // Private helpers
+
+  private validateUrl(url: string): Threat[] {
+    const threats: Threat[] = [];
+
+    try {
+      const parsed = new URL(url);
+
+      // Check HTTPS requirement
+      if (this.config.requireHttps && parsed.protocol !== 'https:') {
+        threats.push({
+          type: 'insecure-protocol',
+          severity: 'medium',
+          description: 'URL uses insecure HTTP protocol',
+          location: url,
+          mitigation: 'Use HTTPS for secure communication',
+        });
+      }
+
+      // Check for suspicious TLDs
+      if (SUSPICIOUS_TLDs.some((tld) => parsed.hostname.endsWith(tld))) {
+        threats.push({
+          type: 'phishing',
+          severity: 'medium',
+          description: 'URL uses a suspicious top-level domain',
+          location: parsed.hostname,
+          mitigation: 'Verify the legitimacy of this domain',
+        });
+      }
+
+      // Check for IP address in URL (often suspicious)
+      if (/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(parsed.hostname)) {
+        threats.push({
+          type: 'suspicious-redirect',
+          severity: 'medium',
+          description: 'URL points to an IP address instead of a domain',
+          location: parsed.hostname,
+          mitigation: 'Legitimate sites typically use domain names',
+        });
+      }
+    } catch {
+      threats.push({
+        type: 'malware',
+        severity: 'high',
+        description: 'Invalid URL format',
+        location: url,
+      });
+    }
+
+    return threats;
+  }
+
+  private isBlockedDomain(url: string): boolean {
+    try {
+      const parsed = new URL(url);
+      const hostname = parsed.hostname.toLowerCase();
+
+      // Check allowed domains first
+      if (
+        this.config.allowedDomains.length > 0 &&
+        this.config.allowedDomains.some((d) => hostname.includes(d.toLowerCase()))
+      ) {
+        return false;
+      }
+
+      // Check blocked domains
+      return this.config.blockedDomains.some((d) => hostname.includes(d.toLowerCase()));
+    } catch {
+      return false;
+    }
+  }
+
+  private detectPhishing(url: string): Threat[] {
+    const threats: Threat[] = [];
+    const urlLower = url.toLowerCase();
+
+    // Check for phishing indicators in URL
+    for (const indicator of PHISHING_INDICATORS) {
+      if (urlLower.includes(indicator)) {
+        threats.push({
+          type: 'phishing',
+          severity: 'high',
+          description: `URL contains phishing indicator: ${indicator}`,
+          location: url,
+          mitigation: 'Verify this is a legitimate request from the service',
+        });
+        break;
+      }
+    }
+
+    // Check for lookalike domains (typosquatting)
+    const commonDomains = ['google', 'facebook', 'amazon', 'microsoft', 'apple', 'paypal', 'bank'];
+    for (const domain of commonDomains) {
+      const pattern = new RegExp(`${domain.split('').join('[^a-z]?')}`, 'i');
+      if (pattern.test(urlLower) && !urlLower.includes(`.${domain}.`)) {
+        const parsed = new URL(url);
+        if (!parsed.hostname.includes(domain)) {
+          threats.push({
+            type: 'phishing',
+            severity: 'high',
+            description: `URL may be impersonating ${domain}`,
+            location: url,
+            mitigation: 'Verify you are on the official domain',
+          });
+        }
+      }
+    }
+
+    return threats;
+  }
+
+  private containsInjection(value: string): boolean {
+    const injectionPatterns = [
+      /['";]/,
+      /--/,
+      /\/\*/,
+      /\bOR\b.*\b=\b/i,
+      /\bAND\b.*\b=\b/i,
+      /\bUNION\b.*\bSELECT\b/i,
+      /\bDROP\b.*\bTABLE\b/i,
+      /\bINSERT\b.*\bINTO\b/i,
+    ];
+
+    return injectionPatterns.some((pattern) => pattern.test(value));
+  }
+
+  private containsXSS(value: string): boolean {
+    const xssPatterns = [
+      /<script[^>]*>/i,
+      /javascript:/i,
+      /\bon\w+\s*=/i,
+      /<img[^>]+onerror/i,
+      /<svg[^>]+onload/i,
+      /data:text\/html/i,
+    ];
+
+    return xssPatterns.some((pattern) => pattern.test(value));
+  }
+
+  private calculateSafetyScore(threats: Threat[]): number {
+    if (threats.length === 0) return 1;
+
+    const severityWeights = { low: 0.1, medium: 0.25, high: 0.4, critical: 0.6 };
+    let penalty = 0;
+
+    for (const threat of threats) {
+      penalty += severityWeights[threat.severity];
+    }
+
+    return Math.max(0, 1 - penalty);
+  }
+
+  private calculatePIIConfidence(value: string, type: PIIType): number {
+    // Basic confidence calculation based on pattern match quality
+    switch (type) {
+      case 'email':
+        return value.includes('.') && value.includes('@') ? 0.95 : 0.7;
+      case 'ssn':
+        return /^\d{3}-\d{2}-\d{4}$/.test(value) ? 0.95 : 0.8;
+      case 'credit-card':
+        return value.replace(/\D/g, '').length === 16 ? 0.9 : 0.7;
+      case 'api-key':
+        return value.length > 30 ? 0.85 : 0.6;
+      default:
+        return 0.7;
+    }
+  }
+}
+
+// ============================================================================
+// Factory Functions
+// ============================================================================
+
+let defaultScanner: BrowserSecurityScanner | null = null;
+
+export function getSecurityScanner(config?: Partial<SecurityConfig>): BrowserSecurityScanner {
+  if (!defaultScanner || config) {
+    defaultScanner = new BrowserSecurityScanner(config);
+  }
+  return defaultScanner;
+}
+
+/**
+ * Quick check if a URL is safe to navigate
+ */
+export async function isUrlSafe(url: string): Promise<boolean> {
+  const scanner = getSecurityScanner();
+  const result = await scanner.scanUrl(url);
+  return result.safe;
+}
+
+/**
+ * Quick check if content contains PII
+ */
+export function containsPII(content: string): boolean {
+  const scanner = getSecurityScanner();
+  const result = scanner.scanContent(content);
+  return result.pii.length > 0;
+}