npm - agentic-qe - Versions diffs - 3.8.4 → 3.8.5 - Mend

agentic-qe 3.8.4 → 3.8.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (174) hide show

package/dist/shared/security/input-sanitizer.js ADDED Viewed

@@ -0,0 +1,160 @@
+/**
+ * Agentic QE v3 - MCP Security: Input Sanitizer
+ * Implements the Strategy Pattern for input sanitization
+ *
+ * Moved from src/mcp/security/validators/input-sanitizer.ts to shared/security
+ * for cross-domain reuse without DDD boundary violations.
+ */
+// ============================================================================
+// Constants
+// ============================================================================
+/**
+ * HTML escape characters mapping
+ */
+export const HTML_ESCAPE_MAP = {
+    '&': '&amp;',
+    '<': '&lt;',
+    '>': '&gt;',
+    '"': '&quot;',
+    "'": '&#x27;',
+    '/': '&#x2F;',
+    '`': '&#x60;',
+    '=': '&#x3D;',
+};
+/**
+ * SQL injection patterns to detect and remove
+ */
+export const SQL_INJECTION_PATTERNS = [
+    /('|")\s*;\s*--/i,
+    /'\s*OR\s+'1'\s*=\s*'1/i,
+    /"\s*OR\s+"1"\s*=\s*"1/i,
+    /UNION\s+SELECT/i,
+    /INSERT\s+INTO/i,
+    /DROP\s+TABLE/i,
+    /DELETE\s+FROM/i,
+    /UPDATE\s+.*\s+SET/i,
+    /EXEC(\s+|\()sp_/i,
+    /xp_cmdshell/i,
+];
+/**
+ * Shell metacharacters (excludes parentheses which are common in normal text)
+ */
+export const SHELL_METACHARACTERS = /[|;&$`<>{}[\]!#*?~]/g;
+/**
+ * Dangerous control characters that should be stripped:
+ * - Null byte (\x00): String termination attacks, filter bypass
+ * - Backspace (\x08): Log manipulation
+ * - Bell (\x07): Terminal escape attacks
+ * - Vertical tab (\x0B): Filter bypass
+ * - Form feed (\x0C): Filter bypass
+ * - Escape (\x1B): Terminal escape sequences (ANSI attacks)
+ * - Delete (\x7F): Buffer manipulation
+ */
+export const DANGEROUS_CONTROL_CHARS = /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g;
+// ============================================================================
+// Input Sanitizer Implementation
+// ============================================================================
+/**
+ * Input Sanitizer Strategy
+ * Sanitizes user input to prevent XSS, SQL injection, and command injection
+ */
+export class InputSanitizer {
+    name = 'input-sanitization';
+    /**
+     * Get the primary risk level this sanitizer addresses
+     */
+    getRiskLevel() {
+        return 'high';
+    }
+    /**
+     * Sanitize input string with configurable options
+     */
+    sanitize(input, options = {}) {
+        const { maxLength = 10000, allowedChars, stripHtml = true, stripSql = true, escapeShell = true, trim = true, stripControlChars = true, } = options;
+        let result = input;
+        // Strip dangerous control characters first (null bytes, escape sequences, etc.)
+        // This must happen early to prevent bypass of later sanitization steps
+        if (stripControlChars) {
+            result = result.replace(DANGEROUS_CONTROL_CHARS, '');
+        }
+        // Trim
+        if (trim) {
+            result = result.trim();
+        }
+        // Max length
+        if (result.length > maxLength) {
+            result = result.substring(0, maxLength);
+        }
+        // Strip HTML
+        if (stripHtml) {
+            result = this.stripHtmlTags(result);
+        }
+        // Strip SQL injection attempts
+        if (stripSql) {
+            for (const pattern of SQL_INJECTION_PATTERNS) {
+                result = result.replace(pattern, '');
+            }
+        }
+        // Escape shell metacharacters
+        if (escapeShell) {
+            result = result.replace(SHELL_METACHARACTERS, '');
+        }
+        // Filter to allowed characters
+        if (allowedChars) {
+            // Filter character by character to respect the provided regex
+            result = result.split('').filter(char => allowedChars.test(char)).join('');
+        }
+        return result;
+    }
+    /**
+     * Escape HTML special characters
+     */
+    escapeHtml(str) {
+        return str.replace(/[&<>"'`=/]/g, char => HTML_ESCAPE_MAP[char] || char);
+    }
+    /**
+     * Strip HTML tags from a string
+     * Handles both complete tags and incomplete/malformed tags to prevent XSS
+     */
+    stripHtmlTags(str) {
+        // Limit input length to prevent ReDoS
+        const MAX_LENGTH = 100000;
+        if (str.length > MAX_LENGTH) {
+            str = str.slice(0, MAX_LENGTH);
+        }
+        let result = str;
+        let prevLength;
+        // Loop until no more changes (handles nested/malformed tags like <script<script>>)
+        do {
+            prevLength = result.length;
+            // Remove complete HTML tags using a non-backtracking approach
+            // Process character by character to avoid regex backtracking
+            let cleaned = '';
+            let inTag = false;
+            for (let i = 0; i < result.length; i++) {
+                const char = result[i];
+                if (char === '<') {
+                    inTag = true;
+                }
+                else if (char === '>' && inTag) {
+                    inTag = false;
+                }
+                else if (!inTag) {
+                    cleaned += char;
+                }
+            }
+            result = cleaned;
+        } while (result.length < prevLength && result.length > 0);
+        // Encode any remaining angle brackets
+        result = result.replace(/</g, '&lt;').replace(/>/g, '&gt;');
+        return result;
+    }
+}
+// ============================================================================
+// Standalone Functions (for backward compatibility)
+// ============================================================================
+const defaultSanitizer = new InputSanitizer();
+export const sanitizeInput = (input, options) => defaultSanitizer.sanitize(input, options);
+export const escapeHtml = (str) => defaultSanitizer.escapeHtml(str);
+export const stripHtmlTags = (str) => defaultSanitizer.stripHtmlTags(str);
+//# sourceMappingURL=input-sanitizer.js.map

package/dist/shared/security/path-traversal-validator.d.ts ADDED Viewed

@@ -0,0 +1,53 @@
+/**
+ * Agentic QE v3 - MCP Security: Path Traversal Validator
+ * Implements the Strategy Pattern for path traversal protection
+ *
+ * Moved from src/mcp/security/validators/path-traversal-validator.ts to shared/security
+ * for cross-domain reuse without DDD boundary violations.
+ */
+import { IPathValidationStrategy, PathValidationOptions, PathValidationResult, RiskLevel } from './validators-interfaces.js';
+/**
+ * Path traversal patterns to detect
+ */
+export declare const PATH_TRAVERSAL_PATTERNS: RegExp[];
+/**
+ * Dangerous path components (system directories)
+ */
+export declare const DANGEROUS_PATH_COMPONENTS: RegExp[];
+/**
+ * Path Traversal Validator Strategy
+ * Validates file paths to prevent directory traversal attacks
+ */
+export declare class PathTraversalValidator implements IPathValidationStrategy {
+    readonly name = "path-traversal";
+    /**
+     * Get the primary risk level this validator addresses
+     */
+    getRiskLevel(): RiskLevel;
+    /**
+     * Validate a file path against traversal attacks
+     */
+    validate(path: string, options?: PathValidationOptions): PathValidationResult;
+    /**
+     * Normalize a path by resolving . and .. components
+     */
+    normalizePath(path: string): string;
+    /**
+     * Safely join path components (strips leading/trailing slashes from all parts)
+     */
+    joinPaths(...paths: string[]): string;
+    /**
+     * Join paths preserving absolute path from first component
+     */
+    joinPathsAbsolute(...paths: string[]): string;
+    /**
+     * Get file extension from path
+     */
+    getExtension(path: string): string | null;
+}
+export declare const validatePath: (path: string, options?: PathValidationOptions) => PathValidationResult;
+export declare const normalizePath: (path: string) => string;
+export declare const joinPaths: (...paths: string[]) => string;
+export declare const joinPathsAbsolute: (...paths: string[]) => string;
+export declare const getExtension: (path: string) => string | null;
+//# sourceMappingURL=path-traversal-validator.d.ts.map

package/dist/shared/security/path-traversal-validator.js ADDED Viewed

@@ -0,0 +1,245 @@
+/**
+ * Agentic QE v3 - MCP Security: Path Traversal Validator
+ * Implements the Strategy Pattern for path traversal protection
+ *
+ * Moved from src/mcp/security/validators/path-traversal-validator.ts to shared/security
+ * for cross-domain reuse without DDD boundary violations.
+ */
+// ============================================================================
+// Constants
+// ============================================================================
+/**
+ * Path traversal patterns to detect
+ */
+export const PATH_TRAVERSAL_PATTERNS = [
+    /\.\./, // Basic traversal
+    /%2e%2e/i, // URL encoded ..
+    /%252e%252e/i, // Double URL encoded
+    /\.\.%2f/i, // Mixed encoding
+    /%2f\.\./i, // Forward slash + ..
+    /\.\.%5c/i, // Backslash + ..
+    /\.\.\\/, // Windows backslash traversal
+    /%c0%ae/i, // UTF-8 overlong encoding
+    /%c0%2f/i, // UTF-8 overlong /
+    /%c1%9c/i, // UTF-8 overlong \
+    /\0/, // Null byte injection
+    /%00/i, // URL encoded null
+];
+/**
+ * Dangerous path components (system directories)
+ */
+export const DANGEROUS_PATH_COMPONENTS = [
+    /^\/etc\//i,
+    /^\/proc\//i,
+    /^\/sys\//i,
+    /^\/dev\//i,
+    /^\/root\//i,
+    /^\/home\/.+\/\./i,
+    /^[A-Z]:\\Windows/i,
+    /^[A-Z]:\\System/i,
+    /^[A-Z]:\\Users\\.+\\AppData/i,
+];
+// ============================================================================
+// Path Traversal Validator Implementation
+// ============================================================================
+/**
+ * Path Traversal Validator Strategy
+ * Validates file paths to prevent directory traversal attacks
+ */
+export class PathTraversalValidator {
+    name = 'path-traversal';
+    /**
+     * Get the primary risk level this validator addresses
+     */
+    getRiskLevel() {
+        return 'critical';
+    }
+    /**
+     * Validate a file path against traversal attacks
+     */
+    validate(path, options = {}) {
+        const { basePath = '', allowAbsolute = false, allowedExtensions = [], deniedExtensions = ['.exe', '.bat', '.cmd', '.sh', '.ps1', '.dll', '.so'], maxDepth = 10, maxLength = 4096, } = options;
+        // Check length
+        if (path.length > maxLength) {
+            return {
+                valid: false,
+                error: `Path exceeds maximum length of ${maxLength}`,
+                riskLevel: 'medium',
+            };
+        }
+        // Check for traversal patterns
+        for (const pattern of PATH_TRAVERSAL_PATTERNS) {
+            if (pattern.test(path)) {
+                return {
+                    valid: false,
+                    error: 'Path traversal attempt detected',
+                    riskLevel: 'critical',
+                };
+            }
+        }
+        // Check for absolute paths
+        if (!allowAbsolute && (path.startsWith('/') || /^[A-Z]:/i.test(path))) {
+            return {
+                valid: false,
+                error: 'Absolute paths are not allowed',
+                riskLevel: 'high',
+            };
+        }
+        // Check for dangerous path components
+        for (const pattern of DANGEROUS_PATH_COMPONENTS) {
+            if (pattern.test(path)) {
+                return {
+                    valid: false,
+                    error: 'Access to system paths is not allowed',
+                    riskLevel: 'critical',
+                };
+            }
+        }
+        // Normalize the path
+        const normalizedPath = this.normalizePath(path);
+        // Re-check for traversal after normalization
+        if (normalizedPath.includes('..')) {
+            return {
+                valid: false,
+                error: 'Path traversal detected after normalization',
+                riskLevel: 'critical',
+            };
+        }
+        // Check depth
+        const depth = normalizedPath.split('/').filter(Boolean).length;
+        if (depth > maxDepth) {
+            return {
+                valid: false,
+                error: `Path depth exceeds maximum of ${maxDepth}`,
+                riskLevel: 'low',
+            };
+        }
+        // Check extension
+        const ext = this.getExtension(normalizedPath);
+        if (ext) {
+            const extWithDot = `.${ext.toLowerCase()}`;
+            const extWithoutDot = ext.toLowerCase();
+            // Check denied extensions (support both .exe and exe formats)
+            if (deniedExtensions.length > 0) {
+                const isDenied = deniedExtensions.some(denied => denied.toLowerCase() === extWithDot || denied.toLowerCase() === extWithoutDot);
+                if (isDenied) {
+                    return {
+                        valid: false,
+                        error: `File extension '${ext}' is not allowed`,
+                        riskLevel: 'high',
+                    };
+                }
+            }
+            // Check allowed extensions (support both .ts and ts formats)
+            if (allowedExtensions.length > 0) {
+                const isAllowed = allowedExtensions.some(allowed => allowed.toLowerCase() === extWithDot || allowed.toLowerCase() === extWithoutDot);
+                if (!isAllowed) {
+                    return {
+                        valid: false,
+                        error: `File extension '${ext}' is not in allowed list`,
+                        riskLevel: 'medium',
+                    };
+                }
+            }
+        }
+        // Combine with base path if provided
+        const finalPath = basePath
+            ? this.joinPathsAbsolute(basePath, normalizedPath)
+            : normalizedPath;
+        // Verify final path doesn't escape base (use normalized base for comparison)
+        const normalizedBase = basePath.startsWith('/')
+            ? `/${this.normalizePath(basePath)}`
+            : this.normalizePath(basePath);
+        if (basePath && !finalPath.startsWith(normalizedBase)) {
+            return {
+                valid: false,
+                error: 'Path escapes base directory',
+                riskLevel: 'critical',
+            };
+        }
+        return {
+            valid: true,
+            normalizedPath: finalPath,
+            riskLevel: 'none',
+        };
+    }
+    /**
+     * Normalize a path by resolving . and .. components
+     */
+    normalizePath(path) {
+        // Replace backslashes with forward slashes
+        let normalized = path.replace(/\\/g, '/');
+        // Remove multiple consecutive slashes
+        normalized = normalized.replace(/\/+/g, '/');
+        // Split and resolve
+        const parts = normalized.split('/');
+        const result = [];
+        for (const part of parts) {
+            if (part === '.' || part === '') {
+                continue;
+            }
+            if (part === '..') {
+                // Don't allow going above root
+                if (result.length > 0 && result[result.length - 1] !== '..') {
+                    result.pop();
+                }
+            }
+            else {
+                result.push(part);
+            }
+        }
+        return result.join('/');
+    }
+    /**
+     * Safely join path components (strips leading/trailing slashes from all parts)
+     */
+    joinPaths(...paths) {
+        if (paths.length === 0)
+            return '';
+        return paths
+            .map(p => p.replace(/^\/+|\/+$/g, ''))
+            .filter(Boolean)
+            .join('/');
+    }
+    /**
+     * Join paths preserving absolute path from first component
+     */
+    joinPathsAbsolute(...paths) {
+        if (paths.length === 0)
+            return '';
+        // Check if the first path is absolute
+        const isAbsolute = paths[0].startsWith('/');
+        const result = paths
+            // Use non-backtracking patterns with possessive-like behavior via split/join
+            .map(p => {
+            // Remove leading slashes by splitting and rejoining
+            while (p.startsWith('/'))
+                p = p.slice(1);
+            // Remove trailing slashes
+            while (p.endsWith('/'))
+                p = p.slice(0, -1);
+            return p;
+        })
+            .filter(Boolean)
+            .join('/');
+        // Preserve leading slash for absolute paths
+        return isAbsolute ? `/${result}` : result;
+    }
+    /**
+     * Get file extension from path
+     */
+    getExtension(path) {
+        const match = path.match(/\.([^./\\]+)$/);
+        return match ? match[1] : null;
+    }
+}
+// ============================================================================
+// Standalone Functions (for backward compatibility)
+// ============================================================================
+const defaultValidator = new PathTraversalValidator();
+export const validatePath = (path, options) => defaultValidator.validate(path, options);
+export const normalizePath = (path) => defaultValidator.normalizePath(path);
+export const joinPaths = (...paths) => defaultValidator.joinPaths(...paths);
+export const joinPathsAbsolute = (...paths) => defaultValidator.joinPathsAbsolute(...paths);
+export const getExtension = (path) => defaultValidator.getExtension(path);
+//# sourceMappingURL=path-traversal-validator.js.map

package/dist/shared/security/regex-safety-validator.d.ts ADDED Viewed

@@ -0,0 +1,53 @@
+/**
+ * Agentic QE v3 - MCP Security: Regex Safety Validator
+ * Implements the Strategy Pattern for ReDoS prevention
+ *
+ * Moved from src/mcp/security/validators/regex-safety-validator.ts to shared/security
+ * for cross-domain reuse without DDD boundary violations.
+ */
+import { IRegexValidationStrategy, RegexSafetyResult, RegexValidationOptions, RiskLevel, ValidationResult } from './validators-interfaces.js';
+/**
+ * Patterns that can cause ReDoS (Regular Expression Denial of Service)
+ */
+export declare const REDOS_PATTERNS: RegExp[];
+/**
+ * Count nested quantifier depth in a regex pattern
+ */
+export declare function countQuantifierNesting(pattern: string): number;
+/**
+ * Check for exponential backtracking potential
+ */
+export declare function hasExponentialBacktracking(pattern: string): boolean;
+/**
+ * Regex Safety Validator Strategy
+ * Validates regex patterns to prevent ReDoS attacks
+ */
+export declare class RegexSafetyValidator implements IRegexValidationStrategy {
+    readonly name = "regex-safety";
+    private maxComplexity;
+    constructor(maxComplexity?: number);
+    /**
+     * Get the primary risk level this validator addresses
+     */
+    getRiskLevel(): RiskLevel;
+    /**
+     * Validate a regex pattern (IValidationStrategy interface)
+     */
+    validate(pattern: string, options?: RegexValidationOptions): ValidationResult;
+    /**
+     * Check if a regex pattern is safe from ReDoS
+     */
+    isRegexSafe(pattern: string, maxComplexity?: number): RegexSafetyResult;
+    /**
+     * Escape special regex characters in a string
+     */
+    escapeRegex(str: string): string;
+    /**
+     * Create a safe regex with validation
+     */
+    createSafeRegex(pattern: string, flags?: string, maxLength?: number): RegExp | null;
+}
+export declare const isRegexSafe: (pattern: string) => RegexSafetyResult;
+export declare const escapeRegex: (str: string) => string;
+export declare const createSafeRegex: (pattern: string, flags?: string, maxLength?: number) => RegExp | null;
+//# sourceMappingURL=regex-safety-validator.d.ts.map