@vibecheckai/cli 3.2.5 → 3.3.0

package/bin/runners/lib/permissions/idor-prover.js

@@ -1,205 +1,205 @@
-/**
- * IDOR Prover
- * Detects Insecure Direct Object Reference vulnerabilities
- * Tests if User A can access User B's resources
- */
-
-"use strict";
-
-const crypto = require("crypto");
-
-function sha256(text) {
-  return crypto.createHash("sha256").update(text).digest("hex").slice(0, 16);
-}
-
-/**
- * Detect potential IDOR routes from auth model
- */
-function detectIDORCandidates(authModel) {
-  const candidates = [];
-
-  for (const route of authModel.routes) {
-    // Look for patterns like /users/:id, /invoices/:id, /orders/:id
-    const idorPatterns = [
-      /\/users\/:[^/]+/i,
-      /\/accounts\/:[^/]+/i,
-      /\/profiles\/:[^/]+/i,
-      /\/invoices\/:[^/]+/i,
-      /\/orders\/:[^/]+/i,
-      /\/documents\/:[^/]+/i,
-      /\/files\/:[^/]+/i,
-      /\/projects\/:[^/]+/i,
-      /\/teams\/:[^/]+/i,
-      /\/organizations\/:[^/]+/i
-    ];
-
-    for (const pattern of idorPatterns) {
-      if (pattern.test(route.path)) {
-        candidates.push({
-          path: route.path,
-          method: route.method,
-          handler: route.handler,
-          paramName: extractParamName(route.path),
-          resourceType: extractResourceType(route.path)
-        });
-        break;
-      }
-    }
-  }
-
-  return candidates;
-}
-
-function extractParamName(path) {
-  const match = path.match(/:([^/]+)/);
-  return match ? match[1] : "id";
-}
-
-function extractResourceType(path) {
-  const parts = path.split("/").filter(Boolean);
-  for (let i = 0; i < parts.length; i++) {
-    if (parts[i].startsWith(":") && i > 0) {
-      return parts[i - 1];
-    }
-  }
-  return "resource";
-}
-
-/**
- * Build IDOR test plan
- */
-function buildIDORTestPlan(candidates, options = {}) {
-  const plan = {
-    version: "1.0.0",
-    generatedAt: new Date().toISOString(),
-    tests: [],
-    safeMode: options.safe !== false
-  };
-
-  for (const candidate of candidates) {
-    const test = {
-      id: `idor_${sha256(candidate.path)}`,
-      route: candidate.path,
-      method: candidate.method,
-      resourceType: candidate.resourceType,
-      paramName: candidate.paramName,
-      steps: [
-        {
-          description: `Login as User A`,
-          action: "auth",
-          role: "user_a"
-        },
-        {
-          description: `Access own resource: ${candidate.path.replace(`:${candidate.paramName}`, 'USER_A_ID')}`,
-          action: "request",
-          path: candidate.path,
-          param: "USER_A_ID",
-          expectStatus: [200, 201]
-        },
-        {
-          description: `Attempt to access User B's resource: ${candidate.path.replace(`:${candidate.paramName}`, 'USER_B_ID')}`,
-          action: "request", 
-          path: candidate.path,
-          param: "USER_B_ID",
-          expectStatus: [403, 404]
-        }
-      ],
-      violation: {
-        condition: "step[2].status === 200",
-        severity: "BLOCK",
-        type: "idor",
-        message: `User A can access User B's ${candidate.resourceType}`
-      }
-    };
-
-    plan.tests.push(test);
-  }
-
-  return plan;
-}
-
-/**
- * Execute IDOR test (requires browser context)
- */
-async function executeIDORTest(page, test, users) {
-  const result = {
-    testId: test.id,
-    route: test.route,
-    passed: true,
-    steps: [],
-    violation: null
-  };
-
-  // This is a placeholder - actual implementation requires:
-  // 1. Two test user accounts
-  // 2. Known resource IDs for each user
-  // 3. Ability to switch between sessions
-
-  if (!users?.userA || !users?.userB) {
-    result.skipped = true;
-    result.reason = "IDOR tests require two configured test users";
-    return result;
-  }
-
-  // Step 1: Login as User A
-  // Step 2: Access own resource - should succeed
-  // Step 3: Access User B's resource - should fail
-
-  // For now, return a template result
-  result.steps = test.steps.map((step, i) => ({
-    ...step,
-    executed: false,
-    reason: "IDOR testing requires explicit --idor --safe flag and user configuration"
-  }));
-
-  return result;
-}
-
-/**
- * Format IDOR test plan for display
- */
-function formatIDORPlan(plan) {
-  const lines = [];
-
-  lines.push("# IDOR Test Plan\n");
-  lines.push(`Generated: ${plan.generatedAt}`);
-  lines.push(`Safe Mode: ${plan.safeMode ? "Yes" : "No"}`);
-  lines.push(`Tests: ${plan.tests.length}\n`);
-
-  if (plan.tests.length === 0) {
-    lines.push("No IDOR candidates detected.\n");
-    return lines.join("\n");
-  }
-
-  lines.push("## Candidates\n");
-
-  for (const test of plan.tests) {
-    lines.push(`### ${test.resourceType}: ${test.route}`);
-    lines.push(`Method: ${test.method}`);
-    lines.push(`Parameter: ${test.paramName}\n`);
-
-    lines.push("**Test Steps:**");
-    for (const step of test.steps) {
-      lines.push(`1. ${step.description}`);
-    }
-
-    lines.push("\n**Violation Condition:**");
-    lines.push(`If ${test.violation.condition}: ${test.violation.message}\n`);
-  }
-
-  lines.push("---\n");
-  lines.push("⚠️ **Safety Notice**");
-  lines.push("IDOR tests modify data access patterns. Only run on:");
-  lines.push("- Local development environments");
-  lines.push("- Staging with explicit consent");
-  lines.push("- With dedicated test accounts\n");
-
-  return lines.join("\n");
-}
-
-module.exports = {
-  detectIDORCandidates,
-  buildIDORTestPlan,
-  executeIDORTest,
-  formatIDORPlan
-};
+/**
+ * IDOR Prover
+ * Detects Insecure Direct Object Reference vulnerabilities
+ * Tests if User A can access User B's resources
+ */
+
+"use strict";
+
+const crypto = require("crypto");
+
+function sha256(text) {
+  return crypto.createHash("sha256").update(text).digest("hex").slice(0, 16);
+}
+
+/**
+ * Detect potential IDOR routes from auth model
+ */
+function detectIDORCandidates(authModel) {
+  const candidates = [];
+
+  for (const route of authModel.routes) {
+    // Look for patterns like /users/:id, /invoices/:id, /orders/:id
+    const idorPatterns = [
+      /\/users\/:[^/]+/i,
+      /\/accounts\/:[^/]+/i,
+      /\/profiles\/:[^/]+/i,
+      /\/invoices\/:[^/]+/i,
+      /\/orders\/:[^/]+/i,
+      /\/documents\/:[^/]+/i,
+      /\/files\/:[^/]+/i,
+      /\/projects\/:[^/]+/i,
+      /\/teams\/:[^/]+/i,
+      /\/organizations\/:[^/]+/i
+    ];
+
+    for (const pattern of idorPatterns) {
+      if (pattern.test(route.path)) {
+        candidates.push({
+          path: route.path,
+          method: route.method,
+          handler: route.handler,
+          paramName: extractParamName(route.path),
+          resourceType: extractResourceType(route.path)
+        });
+        break;
+      }
+    }
+  }
+
+  return candidates;
+}
+
+function extractParamName(path) {
+  const match = path.match(/:([^/]+)/);
+  return match ? match[1] : "id";
+}
+
+function extractResourceType(path) {
+  const parts = path.split("/").filter(Boolean);
+  for (let i = 0; i < parts.length; i++) {
+    if (parts[i].startsWith(":") && i > 0) {
+      return parts[i - 1];
+    }
+  }
+  return "resource";
+}
+
+/**
+ * Build IDOR test plan
+ */
+function buildIDORTestPlan(candidates, options = {}) {
+  const plan = {
+    version: "1.0.0",
+    generatedAt: new Date().toISOString(),
+    tests: [],
+    safeMode: options.safe !== false
+  };
+
+  for (const candidate of candidates) {
+    const test = {
+      id: `idor_${sha256(candidate.path)}`,
+      route: candidate.path,
+      method: candidate.method,
+      resourceType: candidate.resourceType,
+      paramName: candidate.paramName,
+      steps: [
+        {
+          description: `Login as User A`,
+          action: "auth",
+          role: "user_a"
+        },
+        {
+          description: `Access own resource: ${candidate.path.replace(`:${candidate.paramName}`, 'USER_A_ID')}`,
+          action: "request",
+          path: candidate.path,
+          param: "USER_A_ID",
+          expectStatus: [200, 201]
+        },
+        {
+          description: `Attempt to access User B's resource: ${candidate.path.replace(`:${candidate.paramName}`, 'USER_B_ID')}`,
+          action: "request", 
+          path: candidate.path,
+          param: "USER_B_ID",
+          expectStatus: [403, 404]
+        }
+      ],
+      violation: {
+        condition: "step[2].status === 200",
+        severity: "BLOCK",
+        type: "idor",
+        message: `User A can access User B's ${candidate.resourceType}`
+      }
+    };
+
+    plan.tests.push(test);
+  }
+
+  return plan;
+}
+
+/**
+ * Execute IDOR test (requires browser context)
+ */
+async function executeIDORTest(page, test, users) {
+  const result = {
+    testId: test.id,
+    route: test.route,
+    passed: true,
+    steps: [],
+    violation: null
+  };
+
+  // This is a placeholder - actual implementation requires:
+  // 1. Two test user accounts
+  // 2. Known resource IDs for each user
+  // 3. Ability to switch between sessions
+
+  if (!users?.userA || !users?.userB) {
+    result.skipped = true;
+    result.reason = "IDOR tests require two configured test users";
+    return result;
+  }
+
+  // Step 1: Login as User A
+  // Step 2: Access own resource - should succeed
+  // Step 3: Access User B's resource - should fail
+
+  // For now, return a template result
+  result.steps = test.steps.map((step, i) => ({
+    ...step,
+    executed: false,
+    reason: "IDOR testing requires explicit --idor --safe flag and user configuration"
+  }));
+
+  return result;
+}
+
+/**
+ * Format IDOR test plan for display
+ */
+function formatIDORPlan(plan) {
+  const lines = [];
+
+  lines.push("# IDOR Test Plan\n");
+  lines.push(`Generated: ${plan.generatedAt}`);
+  lines.push(`Safe Mode: ${plan.safeMode ? "Yes" : "No"}`);
+  lines.push(`Tests: ${plan.tests.length}\n`);
+
+  if (plan.tests.length === 0) {
+    lines.push("No IDOR candidates detected.\n");
+    return lines.join("\n");
+  }
+
+  lines.push("## Candidates\n");
+
+  for (const test of plan.tests) {
+    lines.push(`### ${test.resourceType}: ${test.route}`);
+    lines.push(`Method: ${test.method}`);
+    lines.push(`Parameter: ${test.paramName}\n`);
+
+    lines.push("**Test Steps:**");
+    for (const step of test.steps) {
+      lines.push(`1. ${step.description}`);
+    }
+
+    lines.push("\n**Violation Condition:**");
+    lines.push(`If ${test.violation.condition}: ${test.violation.message}\n`);
+  }
+
+  lines.push("---\n");
+  lines.push("⚠️ **Safety Notice**");
+  lines.push("IDOR tests modify data access patterns. Only run on:");
+  lines.push("- Local development environments");
+  lines.push("- Staging with explicit consent");
+  lines.push("- With dedicated test accounts\n");
+
+  return lines.join("\n");
+}
+
+module.exports = {
+  detectIDORCandidates,
+  buildIDORTestPlan,
+  executeIDORTest,
+  formatIDORPlan
+};

package/bin/runners/lib/permissions/index.js

@@ -1,45 +1,45 @@
-/**
- * Permissions Module Index
- * Exports all permission verification functionality
- */
-
-"use strict";
-
-const { 
-  extractAuthModel, 
-  extractRolePatterns, 
-  inferRoles, 
-  buildRouteAuthMap 
-} = require("./auth-model");
-
-const { 
-  buildAuthZMatrix, 
-  detectViolations, 
-  formatMatrix 
-} = require("./matrix-builder");
-
-const { 
-  detectIDORCandidates, 
-  buildIDORTestPlan, 
-  executeIDORTest, 
-  formatIDORPlan 
-} = require("./idor-prover");
-
-module.exports = {
-  // Auth model extraction
-  extractAuthModel,
-  extractRolePatterns,
-  inferRoles,
-  buildRouteAuthMap,
-  
-  // AuthZ matrix
-  buildAuthZMatrix,
-  detectViolations,
-  formatMatrix,
-  
-  // IDOR detection
-  detectIDORCandidates,
-  buildIDORTestPlan,
-  executeIDORTest,
-  formatIDORPlan
-};
+/**
+ * Permissions Module Index
+ * Exports all permission verification functionality
+ */
+
+"use strict";
+
+const { 
+  extractAuthModel, 
+  extractRolePatterns, 
+  inferRoles, 
+  buildRouteAuthMap 
+} = require("./auth-model");
+
+const { 
+  buildAuthZMatrix, 
+  detectViolations, 
+  formatMatrix 
+} = require("./matrix-builder");
+
+const { 
+  detectIDORCandidates, 
+  buildIDORTestPlan, 
+  executeIDORTest, 
+  formatIDORPlan 
+} = require("./idor-prover");
+
+module.exports = {
+  // Auth model extraction
+  extractAuthModel,
+  extractRolePatterns,
+  inferRoles,
+  buildRouteAuthMap,
+  
+  // AuthZ matrix
+  buildAuthZMatrix,
+  detectViolations,
+  formatMatrix,
+  
+  // IDOR detection
+  detectIDORCandidates,
+  buildIDORTestPlan,
+  executeIDORTest,
+  formatIDORPlan
+};