npm - agentic-qe - Versions diffs - 3.2.2 → 3.2.3 - Mend

agentic-qe 3.2.2 → 3.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (45) hide show

package/v3/dist/mcp/bundle.js CHANGED Viewed

@@ -21320,6 +21320,310 @@ var TestPrioritizerService = class {
   }
 };
+// src/shared/utils/safe-expression-evaluator.ts
+var PRECEDENCE = {
+  "||": 1,
+  "&&": 2,
+  "===": 3,
+  "!==": 3,
+  "==": 3,
+  "!=": 3,
+  "<": 4,
+  ">": 4,
+  "<=": 4,
+  ">=": 4,
+  "+": 5,
+  "-": 5,
+  "*": 6,
+  "/": 6,
+  "%": 6
+};
+var BINARY_OPERATORS = new Set(Object.keys(PRECEDENCE));
+var UNARY_OPERATORS = /* @__PURE__ */ new Set(["!", "-", "+"]);
+function tokenize(expr) {
+  const tokens = [];
+  let i = 0;
+  while (i < expr.length) {
+    const char = expr[i];
+    if (/\s/.test(char)) {
+      i++;
+      continue;
+    }
+    if (/\d/.test(char) || char === "." && /\d/.test(expr[i + 1])) {
+      let num = "";
+      while (i < expr.length && /[\d.]/.test(expr[i])) {
+        num += expr[i++];
+      }
+      tokens.push({ type: "NUMBER", value: parseFloat(num), raw: num });
+      continue;
+    }
+    if (char === '"' || char === "'") {
+      const quote = char;
+      let str = "";
+      i++;
+      while (i < expr.length && expr[i] !== quote) {
+        if (expr[i] === "\\" && i + 1 < expr.length) {
+          i++;
+          const escaped = expr[i];
+          switch (escaped) {
+            case "n":
+              str += "\n";
+              break;
+            case "t":
+              str += "	";
+              break;
+            case "r":
+              str += "\r";
+              break;
+            default:
+              str += escaped;
+          }
+        } else {
+          str += expr[i];
+        }
+        i++;
+      }
+      i++;
+      tokens.push({ type: "STRING", value: str, raw: `${quote}${str}${quote}` });
+      continue;
+    }
+    if (/[a-zA-Z_$]/.test(char)) {
+      let ident = "";
+      while (i < expr.length && /[a-zA-Z0-9_$]/.test(expr[i])) {
+        ident += expr[i++];
+      }
+      if (ident === "true") {
+        tokens.push({ type: "BOOLEAN", value: true, raw: ident });
+      } else if (ident === "false") {
+        tokens.push({ type: "BOOLEAN", value: false, raw: ident });
+      } else if (ident === "null") {
+        tokens.push({ type: "NULL", value: null, raw: ident });
+      } else if (ident === "undefined") {
+        tokens.push({ type: "UNDEFINED", value: void 0, raw: ident });
+      } else {
+        tokens.push({ type: "IDENTIFIER", value: ident, raw: ident });
+      }
+      continue;
+    }
+    const twoChar = expr.slice(i, i + 2);
+    const threeChar = expr.slice(i, i + 3);
+    if (threeChar === "===" || threeChar === "!==") {
+      tokens.push({ type: "OPERATOR", value: threeChar, raw: threeChar });
+      i += 3;
+      continue;
+    }
+    if (twoChar === "==" || twoChar === "!=" || twoChar === "<=" || twoChar === ">=" || twoChar === "&&" || twoChar === "||") {
+      tokens.push({ type: "OPERATOR", value: twoChar, raw: twoChar });
+      i += 2;
+      continue;
+    }
+    if (char === "(") {
+      tokens.push({ type: "LPAREN", value: "(", raw: "(" });
+      i++;
+      continue;
+    }
+    if (char === ")") {
+      tokens.push({ type: "RPAREN", value: ")", raw: ")" });
+      i++;
+      continue;
+    }
+    if (char === ".") {
+      tokens.push({ type: "DOT", value: ".", raw: "." });
+      i++;
+      continue;
+    }
+    if ("+-*/%<>!".includes(char)) {
+      tokens.push({ type: "OPERATOR", value: char, raw: char });
+      i++;
+      continue;
+    }
+    throw new Error(`Unexpected character at position ${i}: ${char}`);
+  }
+  tokens.push({ type: "EOF", value: "", raw: "" });
+  return tokens;
+}
+var Parser = class {
+  tokens;
+  pos = 0;
+  context;
+  constructor(tokens, context) {
+    this.tokens = tokens;
+    this.context = context;
+  }
+  current() {
+    return this.tokens[this.pos];
+  }
+  advance() {
+    return this.tokens[this.pos++];
+  }
+  expect(type) {
+    const token = this.current();
+    if (token.type !== type) {
+      throw new Error(`Expected ${type}, got ${token.type}`);
+    }
+    return this.advance();
+  }
+  parse() {
+    const result = this.parseExpression(0);
+    if (this.current().type !== "EOF") {
+      throw new Error(`Unexpected token: ${this.current().raw}`);
+    }
+    return result;
+  }
+  parseExpression(minPrecedence) {
+    let left = this.parseUnary();
+    while (true) {
+      const token = this.current();
+      if (token.type !== "OPERATOR" || !BINARY_OPERATORS.has(token.value)) {
+        break;
+      }
+      const precedence = PRECEDENCE[token.value];
+      if (precedence < minPrecedence) {
+        break;
+      }
+      const operator = this.advance().value;
+      const right = this.parseExpression(precedence + 1);
+      left = this.applyBinaryOperator(operator, left, right);
+    }
+    return left;
+  }
+  parseUnary() {
+    const token = this.current();
+    if (token.type === "OPERATOR" && UNARY_OPERATORS.has(token.value)) {
+      const operator = this.advance().value;
+      const operand = this.parseUnary();
+      return this.applyUnaryOperator(operator, operand);
+    }
+    return this.parsePrimary();
+  }
+  parsePrimary() {
+    const token = this.current();
+    switch (token.type) {
+      case "NUMBER":
+      case "STRING":
+      case "BOOLEAN":
+      case "NULL":
+      case "UNDEFINED":
+        this.advance();
+        return token.value;
+      case "IDENTIFIER":
+        return this.parseIdentifier();
+      case "LPAREN":
+        this.advance();
+        const result = this.parseExpression(0);
+        this.expect("RPAREN");
+        return result;
+      default:
+        throw new Error(`Unexpected token: ${token.raw}`);
+    }
+  }
+  parseIdentifier() {
+    let value = this.context;
+    let name = this.advance().value;
+    if (typeof value === "object" && value !== null && name in value) {
+      value = value[name];
+    } else {
+      value = void 0;
+    }
+    while (this.current().type === "DOT") {
+      this.advance();
+      const prop = this.expect("IDENTIFIER").value;
+      if (value !== null && value !== void 0 && typeof value === "object") {
+        value = value[prop];
+      } else {
+        value = void 0;
+      }
+    }
+    return value;
+  }
+  applyBinaryOperator(op, left, right) {
+    switch (op) {
+      case "===":
+        return left === right;
+      case "!==":
+        return left !== right;
+      case "==":
+        return left == right;
+      case "!=":
+        return left != right;
+      case "<":
+        return left < right;
+      case ">":
+        return left > right;
+      case "<=":
+        return left <= right;
+      case ">=":
+        return left >= right;
+      case "&&":
+        return left && right;
+      case "||":
+        return left || right;
+      case "+":
+        return left + right;
+      case "-":
+        return left - right;
+      case "*":
+        return left * right;
+      case "/":
+        return left / right;
+      case "%":
+        return left % right;
+      default:
+        throw new Error(`Unknown operator: ${op}`);
+    }
+  }
+  applyUnaryOperator(op, operand) {
+    switch (op) {
+      case "!":
+        return !operand;
+      case "-":
+        return -operand;
+      case "+":
+        return +operand;
+      default:
+        throw new Error(`Unknown unary operator: ${op}`);
+    }
+  }
+};
+function safeEvaluate(expression, context = {}) {
+  if (!expression || typeof expression !== "string") {
+    throw new Error("Expression must be a non-empty string");
+  }
+  const dangerousPatterns = [
+    /\beval\b/i,
+    /\bFunction\b/,
+    /\bconstructor\b/,
+    /\b__proto__\b/,
+    /\bprototype\b/,
+    /\bimport\b/,
+    /\brequire\b/,
+    /\bprocess\b/,
+    /\bglobal\b/,
+    /\bwindow\b/,
+    /\bdocument\b/,
+    /\[\s*['"`]/,
+    // Computed property access with string
+    /\[.*\]/
+    // Any computed property access
+  ];
+  for (const pattern of dangerousPatterns) {
+    if (pattern.test(expression)) {
+      throw new Error(`Expression contains potentially dangerous pattern: ${expression}`);
+    }
+  }
+  const tokens = tokenize(expression.trim());
+  const parser = new Parser(tokens, context);
+  return parser.parse();
+}
+function safeEvaluateBoolean(expression, context = {}, defaultValue = false) {
+  try {
+    return Boolean(safeEvaluate(expression, context));
+  } catch (error) {
+    console.warn(`[SafeEvaluator] Failed to evaluate expression: ${expression}`, error);
+    return defaultValue;
+  }
+}
 // src/integrations/browser/types.ts
 var BrowserError = class _BrowserError extends Error {
   constructor(message, code, tool, cause) {
@@ -24688,18 +24992,13 @@ var E2ETestRunnerService = class {
   }
   /**
    * Evaluate conditional expression
+   * Uses safe expression evaluator to prevent code injection (CVE fix)
    */
   evaluateCondition(condition, context) {
-    try {
-      const evalContext = {
-        ...context.variables,
-        env: process.env
-      };
-      const fn = new Function(...Object.keys(evalContext), `return ${condition}`);
-      return Boolean(fn(...Object.values(evalContext)));
-    } catch {
-      return true;
-    }
+    const evalContext = {
+      ...context.variables
+    };
+    return safeEvaluateBoolean(condition, evalContext, true);
   }
   /**
    * Get browser context options from test case
@@ -75036,7 +75335,7 @@ var CrossDomainEventRouter = class {
    */
   matchEventType(eventType, pattern) {
     if (pattern === "*") return true;
-    const regexPattern = pattern.replace(/\./g, "\\.").replace(/\*/g, ".*");
+    const regexPattern = pattern.replace(/\\/g, "\\\\").replace(/\./g, "\\.").replace(/\*/g, ".*");
     const regex = new RegExp(`^${regexPattern}$`);
     return regex.test(eventType);
   }
@@ -77415,6 +77714,9 @@ init_unified_memory();
 init_real_embeddings();
 import { v4 as uuidv455 } from "uuid";
+// src/integrations/embeddings/index/HNSWIndex.ts
+import { HierarchicalNSW } from "hnswlib-node";
 // src/integrations/agentic-flow/reasoning-bank/pattern-evolution.ts
 init_unified_memory();
 init_real_embeddings();
@@ -81218,6 +81520,7 @@ function createPatternStore(memory, config) {
 }
 // src/learning/token-tracker.ts
+import { randomUUID as randomUUID2 } from "crypto";
 var DEFAULT_COST_CONFIG = {
   costPerInputToken: 3e-3 / 1e3,
   // $3 per 1M input tokens
@@ -81247,7 +81550,7 @@ var TokenMetricsCollectorImpl = class {
   autoSaveTimer = null;
   isDirty = false;
   constructor() {
-    this.sessionId = `session-${Date.now()}-${Math.random().toString(36).substring(7)}`;
+    this.sessionId = `session-${Date.now()}-${randomUUID2().substring(0, 8)}`;
     this.sessionStartTime = Date.now();
     this.costConfig = DEFAULT_COST_CONFIG;
   }
@@ -81537,7 +81840,7 @@ var TokenMetricsCollectorImpl = class {
     this.taskMetrics = [];
     this.agentMetrics.clear();
     this.domainMetrics.clear();
-    this.sessionId = `session-${Date.now()}-${Math.random().toString(36).substring(7)}`;
+    this.sessionId = `session-${Date.now()}-${randomUUID2().substring(0, 8)}`;
     this.sessionStartTime = Date.now();
     this.cacheHits = 0;
     this.earlyExits = 0;
@@ -85454,6 +85757,34 @@ function generateRecommendations3(vulnerabilities, summary) {
 }
 // src/mcp/tools/contract-testing/validate.ts
+function validateHttpUrl(urlString) {
+  try {
+    const url = new URL(urlString);
+    if (!["http:", "https:"].includes(url.protocol)) {
+      return { valid: false, error: `Invalid protocol: ${url.protocol}. Only http/https allowed.` };
+    }
+    const hostname = url.hostname.toLowerCase();
+    const blockedPatterns = [
+      /^localhost$/i,
+      /^127\./,
+      /^10\./,
+      /^172\.(1[6-9]|2[0-9]|3[01])\./,
+      /^192\.168\./,
+      /^0\.0\.0\.0$/,
+      /^\[::1\]$/,
+      /^169\.254\./
+      // Link-local
+    ];
+    for (const pattern of blockedPatterns) {
+      if (pattern.test(hostname)) {
+        return { valid: false, error: `Blocked hostname: ${hostname}. Cannot access internal/private addresses.` };
+      }
+    }
+    return { valid: true };
+  } catch {
+    return { valid: false, error: `Invalid URL format: ${urlString}` };
+  }
+}
 var ContractValidateTool = class extends MCPToolBase {
   config = {
     name: "qe/contracts/validate",
@@ -85739,10 +86070,37 @@ var ContractValidateTool = class extends MCPToolBase {
   async verifyAgainstProvider(providerUrl, consumerName, contractContent, format, contractValidator) {
     const failures = [];
     const warnings = [];
+    const providerValidation = validateHttpUrl(providerUrl);
+    if (!providerValidation.valid) {
+      return {
+        provider: providerUrl,
+        consumer: consumerName,
+        passed: false,
+        failures: [{
+          endpoint: providerUrl,
+          type: "validation-error",
+          expected: "Valid HTTP/HTTPS URL",
+          actual: providerValidation.error || "Invalid URL",
+          message: `Provider URL validation failed: ${providerValidation.error}`
+        }],
+        warnings: []
+      };
+    }
     const contract = this.buildContractFromContent(contractContent, format, consumerName);
     for (const endpoint of contract.endpoints) {
       try {
         const url = `${providerUrl}${endpoint.path}`;
+        const urlValidation = validateHttpUrl(url);
+        if (!urlValidation.valid) {
+          failures.push({
+            endpoint: `${endpoint.method} ${endpoint.path}`,
+            type: "validation-error",
+            expected: "Valid URL",
+            actual: urlValidation.error || "Invalid URL",
+            message: `URL validation failed: ${urlValidation.error}`
+          });
+          continue;
+        }
         const response = await fetch(url, {
           method: endpoint.method === "GET" ? "GET" : "OPTIONS",
           headers: {
@@ -89348,7 +89706,7 @@ var QE_GOALS = [
 // src/planning/goap-planner.ts
 init_unified_persistence();
-import { randomUUID as randomUUID2 } from "crypto";
+import { randomUUID as randomUUID3 } from "crypto";
 var GOAPPlanner = class {
   db = null;
   persistence = null;
@@ -89403,7 +89761,7 @@ var GOAPPlanner = class {
       VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
     `);
     for (const action of allActions) {
-      const id = `action-${Date.now()}-${randomUUID2().slice(0, 8)}`;
+      const id = `action-${Date.now()}-${randomUUID3().slice(0, 8)}`;
       insertAction.run(
         id,
         action.name,
@@ -89421,7 +89779,7 @@ var GOAPPlanner = class {
       VALUES (?, ?, ?, ?, ?, ?)
     `);
     for (const goal of QE_GOALS) {
-      const id = `goal-${Date.now()}-${randomUUID2().slice(0, 8)}`;
+      const id = `goal-${Date.now()}-${randomUUID3().slice(0, 8)}`;
       insertGoal.run(
         id,
         goal.name,
@@ -89453,7 +89811,7 @@ var GOAPPlanner = class {
         this.recordPlanReuse(reusedPlan.id, true);
         return {
           ...reusedPlan,
-          id: `plan-${Date.now()}-${randomUUID2().slice(0, 8)}`,
+          id: `plan-${Date.now()}-${randomUUID3().slice(0, 8)}`,
           initialState: this.cloneState(currentState),
           reusedFrom: reusedPlan.id,
           status: "pending"
@@ -89471,7 +89829,7 @@ var GOAPPlanner = class {
       return null;
     }
     const plan = {
-      id: `plan-${Date.now()}-${randomUUID2().slice(0, 8)}`,
+      id: `plan-${Date.now()}-${randomUUID3().slice(0, 8)}`,
       initialState: this.cloneState(currentState),
       goalState: goal,
       actions: actionSequence,
@@ -89852,7 +90210,7 @@ var GOAPPlanner = class {
    */
   async addAction(action) {
     await this.initialize();
-    const id = `action-${Date.now()}-${randomUUID2().slice(0, 8)}`;
+    const id = `action-${Date.now()}-${randomUUID3().slice(0, 8)}`;
     this.ensureDb().prepare(
       `
       INSERT INTO goap_actions (
@@ -90014,7 +90372,7 @@ var GOAPPlanner = class {
       ) VALUES (?, ?, ?, ?, ?, ?)
     `
     ).run(
-      `sig-${Date.now()}-${randomUUID2().slice(0, 8)}`,
+      `sig-${Date.now()}-${randomUUID3().slice(0, 8)}`,
       plan.id,
       goalHash,
       JSON.stringify(stateVector),
@@ -90098,7 +90456,7 @@ var GOAPPlanner = class {
    */
   async addGoal(goal) {
     await this.initialize();
-    const id = `goal-${Date.now()}-${randomUUID2().slice(0, 8)}`;
+    const id = `goal-${Date.now()}-${randomUUID3().slice(0, 8)}`;
     this.ensureDb().prepare(
       `
       INSERT INTO goap_goals (id, name, description, conditions, priority, qe_domain)
@@ -90188,7 +90546,7 @@ function getSharedGOAPPlanner() {
 // src/planning/plan-executor.ts
 init_unified_memory();
 import Database3 from "better-sqlite3";
-import { randomUUID as randomUUID3 } from "crypto";
+import { randomUUID as randomUUID4 } from "crypto";
 var DEFAULT_CONFIG53 = {
   maxRetries: 2,
   stepTimeoutMs: 6e4,
@@ -90325,7 +90683,7 @@ var PlanExecutor = class {
   async executeWithCallbacks(plan, onStepStart, onStepComplete, initialState) {
     await this.initialize();
     const startTime = Date.now();
-    const executionId = `exec-${Date.now()}-${randomUUID3().slice(0, 8)}`;
+    const executionId = `exec-${Date.now()}-${randomUUID4().slice(0, 8)}`;
     this.currentExecution = { planId: plan.id, cancelled: false };
     const result = {
       planId: plan.id,
@@ -90337,7 +90695,7 @@ var PlanExecutor = class {
     };
     let currentState = initialState ? this.cloneState(initialState) : this.cloneState(plan.initialState);
     const steps = plan.actions.map((action, index) => ({
-      id: `step-${Date.now()}-${randomUUID3().slice(0, 8)}`,
+      id: `step-${Date.now()}-${randomUUID4().slice(0, 8)}`,
       planId: plan.id,
       action,
       stepOrder: index,
@@ -90861,7 +91219,7 @@ var MockAgentSpawner = class {
   async spawn(agentType, task) {
     await new Promise((resolve5) => setTimeout(resolve5, this.executionDelay));
     const success = Math.random() < this.successRate;
-    const agentId = `mock-agent-${randomUUID3().slice(0, 8)}`;
+    const agentId = `mock-agent-${randomUUID4().slice(0, 8)}`;
     if (success) {
       return {
         agentId,

package/v3/dist/mcp/tools/contract-testing/validate.d.ts CHANGED Viewed

@@ -51,7 +51,7 @@ export interface VerificationResult {
 }
 export interface ContractFailure {
     endpoint: string;
-    type: 'schema-mismatch' | 'status-code-mismatch' | 'missing-endpoint' | 'response-body-mismatch';
+    type: 'schema-mismatch' | 'status-code-mismatch' | 'missing-endpoint' | 'response-body-mismatch' | 'validation-error';
     expected: string;
     actual: string;
     message: string;

package/v3/dist/mcp/tools/contract-testing/validate.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"validate.d.ts","sourceRoot":"","sources":["../../../../src/mcp/tools/contract-testing/validate.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,cAAc,EAAyC,MAAM,YAAY,CAAC;AAC/G,OAAO,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAiB5C,MAAM,WAAW,sBAAsB;IACrC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,MAAM,CAAC,EAAE,SAAS,GAAG,MAAM,GAAG,SAAS,GAAG,UAAU,CAAC;IACrD,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,OAAO,CAAC;IACjB,gBAAgB,EAAE,eAAe,EAAE,CAAC;IACpC,eAAe,CAAC,EAAE,cAAc,EAAE,CAAC;IACnC,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;IACxC,aAAa,EAAE,mBAAmB,CAAC;IACnC,eAAe,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,OAAO,GAAG,SAAS,GAAG,MAAM,CAAC;CACxC;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,kBAAkB,GAAG,eAAe,GAAG,aAAa,GAAG,sBAAsB,GAAG,oBAAoB,CAAC;IAC3G,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;IAClC,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,EAAE,eAAe,EAAE,CAAC;IAC5B,QAAQ,EAAE,eAAe,EAAE,CAAC;CAC7B;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,iBAAiB,GAAG,sBAAsB,GAAG,kBAAkB,GAAG,wBAAwB,CAAC;~~IACjG~~,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;CACrC;AAED,MAAM,WAAW,mBAAmB;IAClC,oBAAoB,EAAE,OAAO,CAAC;IAC9B,mBAAmB,EAAE,MAAM,CAAC;IAC5B,sBAAsB,EAAE,MAAM,CAAC;IAC/B,YAAY,EAAE,WAAW,EAAE,CAAC;CAC7B;AAED,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;~~AAMD~~,qBAAa,oBAAqB,SAAQ,WAAW,CAAC,sBAAsB,EAAE,sBAAsB,CAAC;IACnG,QAAQ,CAAC,MAAM,EAAE,aAAa,CAO5B;IAEF,OAAO,CAAC,iBAAiB,CAAyC;IAClE,OAAO,CAAC,gBAAgB,CAAwC;YAElD,WAAW;IAenB,OAAO,CACX,MAAM,EAAE,sBAAsB,EAC9B,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,UAAU,CAAC,sBAAsB,CAAC,CAAC;IAwL9C,OAAO,CAAC,wBAAwB;IAiGhC,OAAO,CAAC,sBAAsB;IAS9B,OAAO,CAAC,qBAAqB;IAW7B,OAAO,CAAC,kBAAkB;IAS1B,OAAO,CAAC,4BAA4B;YAYtB,qBAAqB;~~IAqFnC~~,OAAO,CAAC,uBAAuB;CA6DhC"}
1	+ {"version":3,"file":"validate.d.ts","sourceRoot":"","sources":["../../../../src/mcp/tools/contract-testing/validate.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,cAAc,EAAyC,MAAM,YAAY,CAAC;AAC/G,OAAO,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAiB5C,MAAM,WAAW,sBAAsB;IACrC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,MAAM,CAAC,EAAE,SAAS,GAAG,MAAM,GAAG,SAAS,GAAG,UAAU,CAAC;IACrD,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,OAAO,CAAC;IACjB,gBAAgB,EAAE,eAAe,EAAE,CAAC;IACpC,eAAe,CAAC,EAAE,cAAc,EAAE,CAAC;IACnC,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;IACxC,aAAa,EAAE,mBAAmB,CAAC;IACnC,eAAe,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,OAAO,GAAG,SAAS,GAAG,MAAM,CAAC;CACxC;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,kBAAkB,GAAG,eAAe,GAAG,aAAa,GAAG,sBAAsB,GAAG,oBAAoB,CAAC;IAC3G,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;IAClC,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,EAAE,eAAe,EAAE,CAAC;IAC5B,QAAQ,EAAE,eAAe,EAAE,CAAC;CAC7B;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,iBAAiB,GAAG,sBAAsB,GAAG,kBAAkB,GAAG,wBAAwB,GAAG,kBAAkB,CAAC;IACtH,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;CACrC;AAED,MAAM,WAAW,mBAAmB;IAClC,oBAAoB,EAAE,OAAO,CAAC;IAC9B,mBAAmB,EAAE,MAAM,CAAC;IAC5B,sBAAsB,EAAE,MAAM,CAAC;IAC/B,YAAY,EAAE,WAAW,EAAE,CAAC;CAC7B;AAED,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAgDD,qBAAa,oBAAqB,SAAQ,WAAW,CAAC,sBAAsB,EAAE,sBAAsB,CAAC;IACnG,QAAQ,CAAC,MAAM,EAAE,aAAa,CAO5B;IAEF,OAAO,CAAC,iBAAiB,CAAyC;IAClE,OAAO,CAAC,gBAAgB,CAAwC;YAElD,WAAW;IAenB,OAAO,CACX,MAAM,EAAE,sBAAsB,EAC9B,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,UAAU,CAAC,sBAAsB,CAAC,CAAC;IAwL9C,OAAO,CAAC,wBAAwB;IAiGhC,OAAO,CAAC,sBAAsB;IAS9B,OAAO,CAAC,qBAAqB;IAW7B,OAAO,CAAC,kBAAkB;IAS1B,OAAO,CAAC,4BAA4B;YAYtB,qBAAqB;IAoHnC,OAAO,CAAC,uBAAuB;CA6DhC"}

package/v3/dist/mcp/tools/contract-testing/validate.js CHANGED Viewed

@@ -12,6 +12,43 @@ import { Version } from '../../../shared/value-objects/index.js';
 import { ContractValidatorService } from '../../../domains/contract-testing/services/contract-validator.js';
 import { ApiCompatibilityService } from '../../../domains/contract-testing/services/api-compatibility.js';
 // ============================================================================
+// Security Helpers
+// ============================================================================
+/**
+ * Validate URL to prevent SSRF attacks
+ * Only allows HTTP/HTTPS protocols and rejects potentially malicious patterns
+ */
+function validateHttpUrl(urlString) {
+    try {
+        const url = new URL(urlString);
+        // Only allow HTTP and HTTPS protocols (prevents javascript:, file:, etc.)
+        if (!['http:', 'https:'].includes(url.protocol)) {
+            return { valid: false, error: `Invalid protocol: ${url.protocol}. Only http/https allowed.` };
+        }
+        // Block localhost and private IP ranges (SSRF protection)
+        const hostname = url.hostname.toLowerCase();
+        const blockedPatterns = [
+            /^localhost$/i,
+            /^127\./,
+            /^10\./,
+            /^172\.(1[6-9]|2[0-9]|3[01])\./,
+            /^192\.168\./,
+            /^0\.0\.0\.0$/,
+            /^\[::1\]$/,
+            /^169\.254\./, // Link-local
+        ];
+        for (const pattern of blockedPatterns) {
+            if (pattern.test(hostname)) {
+                return { valid: false, error: `Blocked hostname: ${hostname}. Cannot access internal/private addresses.` };
+            }
+        }
+        return { valid: true };
+    }
+    catch {
+        return { valid: false, error: `Invalid URL format: ${urlString}` };
+    }
+}
+// ============================================================================
 // Tool Implementation
 // ============================================================================
 export class ContractValidateTool extends MCPToolBase {
@@ -292,6 +329,23 @@ export class ContractValidateTool extends MCPToolBase {
     async verifyAgainstProvider(providerUrl, consumerName, contractContent, format, contractValidator) {
         const failures = [];
         const warnings = [];
+        // Validate provider URL first (SSRF protection)
+        const providerValidation = validateHttpUrl(providerUrl);
+        if (!providerValidation.valid) {
+            return {
+                provider: providerUrl,
+                consumer: consumerName,
+                passed: false,
+                failures: [{
+                        endpoint: providerUrl,
+                        type: 'validation-error',
+                        expected: 'Valid HTTP/HTTPS URL',
+                        actual: providerValidation.error || 'Invalid URL',
+                        message: `Provider URL validation failed: ${providerValidation.error}`,
+                    }],
+                warnings: [],
+            };
+        }
         // Build contract and verify
         const contract = this.buildContractFromContent(contractContent, format, consumerName);
         // Validate each endpoint against the provider
@@ -299,6 +353,18 @@ export class ContractValidateTool extends MCPToolBase {
             try {
                 // Construct the full URL
                 const url = `${providerUrl}${endpoint.path}`;
+                // Validate constructed URL (prevents path traversal attacks)
+                const urlValidation = validateHttpUrl(url);
+                if (!urlValidation.valid) {
+                    failures.push({
+                        endpoint: `${endpoint.method} ${endpoint.path}`,
+                        type: 'validation-error',
+                        expected: 'Valid URL',
+                        actual: urlValidation.error || 'Invalid URL',
+                        message: `URL validation failed: ${urlValidation.error}`,
+                    });
+                    continue;
+                }
                 // Make a simple request to verify the endpoint exists
                 const response = await fetch(url, {
                     method: endpoint.method === 'GET' ? 'GET' : 'OPTIONS',