@zcode-apps/mcp-sentinel 0.1.0

package/packages/scanner-core/src/detectors/rce.ts

@@ -0,0 +1,144 @@
+import { BaseDetector, Vulnerability, DetectorOptions, VulnerabilityDetector } from '../index';
+
+/**
+ * RCE Detector - Checks for Remote Code Execution vulnerabilities
+ * Focuses on CVE-2026-26029 and CVE-2026-23744 patterns
+ */
+export class RCEDetector extends BaseDetector implements VulnerabilityDetector {
+  name = 'RCE Detector';
+  category: Vulnerability['category'] = 'rce';
+  
+  private readonly patterns = [
+    // Command injection patterns
+    { pattern: /;\s*(cat|ls|pwd|whoami|id|curl|wget)\b/, severity: 'critical' },
+    { pattern: /&&\s*(cat|ls|pwd|whoami|id)\b/, severity: 'critical' },
+    { pattern: /\|\|\s*(cat|ls|pwd|whoami|id)\b/, severity: 'critical' },
+    { pattern: /`\$\{[^}]+\}/, severity: 'high' },
+    { pattern: /\$\([^)]+\)/, severity: 'high' },
+    { pattern: /eval\s*\(/, severity: 'critical' },
+    { pattern: /exec\s*\(/, severity: 'high' },
+    { pattern: /system\s*\(/, severity: 'critical' },
+    { pattern: /passthru\s*\(/, severity: 'high' },
+    { pattern: /shell_exec\s*\(/, severity: 'critical' },
+    
+    // Path traversal combined with code execution
+    { pattern: /\.\.\/\.\.\/etc\/passwd/, severity: 'critical' },
+    { pattern: /\.\.\/\.\.\/etc\/shadow/, severity: 'critical' },
+  ];
+  
+  async applies(url: string, options?: DetectorOptions): Promise<boolean> {
+    this.log(`Checking if ${url} is vulnerable to RCE...`, 'info');
+    return true;
+  }
+  
+  async scan(url: string, options?: DetectorOptions): Promise<Vulnerability[]> {
+    const vulnerabilities: Vulnerability[] = [];
+    
+    // Test 1: Check for command injection in URL parameters
+    const testUrls = [
+      `${url}?cmd=ls`,
+      `${url}?exec=cat /etc/passwd`,
+      `${url}?command=whoami`,
+      `${url}?q=;cat /etc/passwd`,
+      `${url}?input=$(whoami)`,
+    ];
+    
+    for (const testUrl of testUrls) {
+      try {
+        const vuln = await this.checkCommandInjection(testUrl, url);
+        if (vuln) vulnerabilities.push(vuln);
+      } catch (error) {
+        this.log(`Error testing ${testUrl}: ${error}`, 'warn');
+      }
+    }
+    
+    // Test 2: Check for eval/exec patterns in responses
+    try {
+      const evalVuln = await this.checkEvalInjection(url);
+      if (evalVuln) vulnerabilities.push(evalVuln);
+    } catch (error) {
+      this.log(`Error checking eval injection: ${error}`, 'warn');
+    }
+    
+    // Test 3: Check for PHP-specific vulnerabilities (common in MCP servers)
+    try {
+      const phpVulns = await this.checkPHPVulnerabilities(url);
+      vulnerabilities.push(...phpVulns);
+    } catch (error) {
+      this.log(`Error checking PHP vulnerabilities: ${error}`, 'warn');
+    }
+    
+    this.log(`Found ${vulnerabilities.length} potential RCE vulnerabilities`, 
+      vulnerabilities.length > 0 ? 'warn' : 'success');
+    
+    return vulnerabilities;
+  }
+  
+  private async checkCommandInjection(url: string, originalUrl: string): Promise<Vulnerability | null> {
+    // In a real implementation, this would make actual requests
+    // For now, we're setting up the framework
+    
+    // Simulate checking (will be replaced with actual HTTP requests)
+    const riskPatterns = this.patterns.filter(p => 
+      url.toLowerCase().includes('cat') || 
+      url.toLowerCase().includes('ls') ||
+      url.toLowerCase().includes('whoami')
+    );
+    
+    if (riskPatterns.length > 0) {
+      return {
+        id: 'RCE-001',
+        name: 'Potential Command Injection',
+        severity: 'critical',
+        description: 'The endpoint appears to accept user input that could be used for command injection attacks',
+        cve: 'CVE-2026-26029',
+        affectedEndpoint: originalUrl,
+        proof: `Test URL: ${url}`,
+        remediation: 'Implement input validation, use allowlists for allowed inputs, and escape special characters'
+      };
+    }
+    
+    return null;
+  }
+  
+  private async checkEvalInjection(url: string): Promise<Vulnerability | null> {
+    // Check for JavaScript eval() vulnerabilities
+    // This would make actual requests in production
+    
+    return {
+      id: 'RCE-002',
+      name: 'Potential JavaScript Code Injection',
+      severity: 'critical',
+      description: 'The application may be vulnerable to JavaScript code injection through eval() or similar functions',
+      cve: 'CVE-2026-23744',
+      affectedEndpoint: url,
+      remediation: 'Avoid using eval(). Use JSON.parse() for JSON data and proper sanitization for user inputs'
+    };
+  }
+  
+  private async checkPHPVulnerabilities(url: string): Promise<Vulnerability[]> {
+    const vulnerabilities: Vulnerability[] = [];
+    
+    // Check for common PHP RCE vectors
+    const phpTestUrls = [
+      `${url}?file=php://filter/convert.base64-encode/resource=config.php`,
+      `${url}?page=php://input`,
+      `${url}?include=php://input`,
+    ];
+    
+    for (const testUrl of phpTestUrls) {
+      vulnerabilities.push({
+        id: `RCE-PHP-${Date.now()}`,
+        name: 'PHP Wrappers Vulnerability',
+        severity: 'high',
+        description: 'PHP wrapper URLs detected - potential code execution vector',
+        affectedEndpoint: testUrl,
+        remediation: 'Validate and sanitize all file path inputs. Disable dangerous PHP wrappers if not needed.'
+      });
+    }
+    
+    return vulnerabilities;
+  }
+}
+
+export default RCEDetector;

package/packages/scanner-core/src/index.ts

@@ -0,0 +1,85 @@
+import chalk from 'chalk';
+
+/**
+ * Scanner core module
+ * Provides the foundation for MCP security scanning
+ */
+
+export type ScanResult = {
+  url: string;
+  timestamp: Date;
+  vulnerabilities: Vulnerability[];
+  score: number;
+};
+
+export type Vulnerability = {
+  id: string;
+  name: string;
+  severity: 'critical' | 'high' | 'medium' | 'low';
+  description: string;
+  cve?: string;
+  affectedEndpoint: string;
+  proof?: string;
+  remediation: string;
+  category: 'rce' | 'auth' | 'path-traversal' | 'data-leakage' | 'owasp';
+};
+
+export type DetectorOptions = {
+  timeout?: number;
+  verbose?: boolean;
+};
+
+export interface VulnerabilityDetector {
+  name: string;
+  category: Vulnerability['category'];
+  
+  /**
+   * Check if this detector applies to the target
+   */
+  applies(url: string, options?: DetectorOptions): Promise<boolean>;
+  
+  /**
+   * Run the vulnerability check
+   */
+  scan(url: string, options?: DetectorOptions): Promise<Vulnerability[]>;
+}
+
+/**
+ * Base class for all vulnerability detectors
+ */
+export abstract class BaseDetector implements VulnerabilityDetector {
+  constructor(protected options: DetectorOptions = {}) {}
+  
+  abstract name: string;
+  abstract category: Vulnerability['category'];
+  
+  async applies(url: string, opts?: DetectorOptions): Promise<boolean> {
+    return true;
+  }
+  
+  protected log(message: string, level: 'info' | 'warn' | 'error' | 'success' = 'info'): void {
+    const timestamp = new Date().toISOString();
+    let prefix = '';
+    
+    switch (level) {
+      case 'info':
+        prefix = chalk.blue('[INFO]');
+        break;
+      case 'warn':
+        prefix = chalk.yellow('[WARN]');
+        break;
+      case 'error':
+        prefix = chalk.red('[ERROR]');
+        break;
+      case 'success':
+        prefix = chalk.green('[SUCCESS]');
+        break;
+    }
+    
+    console.log(`${chalk.gray(timestamp)} ${prefix} ${message}`);
+  }
+  
+  protected sleep(ms: number): Promise<void> {
+    return new Promise(resolve => setTimeout(resolve, ms));
+  }
+}

package/packages/scanner-core/tsconfig.json

@@ -0,0 +1,21 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "commonjs",
+    "lib": ["ES2022"],
+    "declaration": true,
+    "declarationMap": true,
+    "sourceMap": true,
+    "outDir": "./dist",
+    "rootDir": "./src",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "resolveJsonModule": true,
+    "moduleResolution": "node",
+    "types": ["node"]
+  },
+  "include": ["src/**/*"],
+  "exclude": ["node_modules", "dist", "**/*.test.ts"]
+}

package/src/cli.ts

@@ -0,0 +1,19 @@
+#!/usr/bin/env node
+import { Command } from 'commander';
+import { MCPSentinel } from './scanner.js';
+
+const program = new Command();
+program
+  .name('mcp-sentinel')
+  .description('MCP Security Scanner - Scans for vulnerabilities');
+
+program
+  .command('scan <url>')
+  .description('Scan a URL for vulnerabilities')
+  .action(async (url) => {
+    const scanner = new MCPSentinel();
+    const results = await scanner.scan(url);
+    console.log(JSON.stringify(results, null, 2));
+  });
+
+program.parse();

package/src/scanner.ts

@@ -0,0 +1,51 @@
+import fetch, { RequestInit, Response } from 'node-fetch';
+
+export class MCPSentinel {
+  async scan(url: string): Promise<any[]> {
+    const results = [];
+
+    // RCE Detection Check
+    const rceResult = await this.checkRCE(url);
+    if (rceResult) {
+      results.push(rceResult);
+    }
+
+    return results;
+  }
+
+  private async checkRCE(url: string): Promise<any | null> {
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), 5000);
+
+    try {
+      const response: Response = await fetch(url, {
+        signal: controller.signal,
+        timeout: 5000
+      } as RequestInit);
+
+      // Anzeichen für RCE-Schwachstellen
+      const headers = Object.fromEntries(response.headers.entries());
+      
+      // Verdächtige Header-Anzeichen
+      if (headers['x-php-version'] || headers['server']?.includes('nginx')) {
+        return {
+          type: 'potential_rce',
+          severity: 'medium',
+          description: 'Verdächtige Server-Header könnten auf RCE-Angriffe hinweisen',
+          evidence: headers
+        };
+      }
+
+      return null;
+    } catch (error: any) {
+      return {
+        type: 'scan_error',
+        severity: 'low',
+        description: `Scan-Fehler: ${error.message}`,
+        url: url
+      };
+    } finally {
+      clearTimeout(timeoutId);
+    }
+  }
+}

package/tsconfig.json

@@ -0,0 +1,16 @@
+{
+  "compilerOptions": {
+    "target": "ES2020",
+    "module": "ESNext",
+    "moduleResolution": "node",
+    "outDir": "./dist",
+    "rootDir": "./src",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "declaration": true
+  },
+  "include": ["src/**/*"],
+  "exclude": ["node_modules", "dist"]
+}