npm - agentic-qe - Versions diffs - 3.8.4 → 3.8.6 - Mend

agentic-qe 3.8.4 → 3.8.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (198) hide show

package/dist/mcp/security/validators/path-traversal-validator.d.ts CHANGED Viewed

@@ -1,50 +1,2 @@
-/**
- * Agentic QE v3 - MCP Security: Path Traversal Validator
- * Implements the Strategy Pattern for path traversal protection
- */
-import { IPathValidationStrategy, PathValidationOptions, PathValidationResult, RiskLevel } from './interfaces';
-/**
- * Path traversal patterns to detect
- */
-export declare const PATH_TRAVERSAL_PATTERNS: RegExp[];
-/**
- * Dangerous path components (system directories)
- */
-export declare const DANGEROUS_PATH_COMPONENTS: RegExp[];
-/**
- * Path Traversal Validator Strategy
- * Validates file paths to prevent directory traversal attacks
- */
-export declare class PathTraversalValidator implements IPathValidationStrategy {
-    readonly name = "path-traversal";
-    /**
-     * Get the primary risk level this validator addresses
-     */
-    getRiskLevel(): RiskLevel;
-    /**
-     * Validate a file path against traversal attacks
-     */
-    validate(path: string, options?: PathValidationOptions): PathValidationResult;
-    /**
-     * Normalize a path by resolving . and .. components
-     */
-    normalizePath(path: string): string;
-    /**
-     * Safely join path components (strips leading/trailing slashes from all parts)
-     */
-    joinPaths(...paths: string[]): string;
-    /**
-     * Join paths preserving absolute path from first component
-     */
-    joinPathsAbsolute(...paths: string[]): string;
-    /**
-     * Get file extension from path
-     */
-    getExtension(path: string): string | null;
-}
-export declare const validatePath: (path: string, options?: PathValidationOptions) => PathValidationResult;
-export declare const normalizePath: (path: string) => string;
-export declare const joinPaths: (...paths: string[]) => string;
-export declare const joinPathsAbsolute: (...paths: string[]) => string;
-export declare const getExtension: (path: string) => string | null;
+export * from '../../../shared/security/path-traversal-validator.js';
 //# sourceMappingURL=path-traversal-validator.d.ts.map

package/dist/mcp/security/validators/path-traversal-validator.js CHANGED Viewed

@@ -1,242 +1,3 @@
-/**
- * Agentic QE v3 - MCP Security: Path Traversal Validator
- * Implements the Strategy Pattern for path traversal protection
- */
-// ============================================================================
-// Constants
-// ============================================================================
-/**
- * Path traversal patterns to detect
- */
-export const PATH_TRAVERSAL_PATTERNS = [
-    /\.\./, // Basic traversal
-    /%2e%2e/i, // URL encoded ..
-    /%252e%252e/i, // Double URL encoded
-    /\.\.%2f/i, // Mixed encoding
-    /%2f\.\./i, // Forward slash + ..
-    /\.\.%5c/i, // Backslash + ..
-    /\.\.\\/, // Windows backslash traversal
-    /%c0%ae/i, // UTF-8 overlong encoding
-    /%c0%2f/i, // UTF-8 overlong /
-    /%c1%9c/i, // UTF-8 overlong \
-    /\0/, // Null byte injection
-    /%00/i, // URL encoded null
-];
-/**
- * Dangerous path components (system directories)
- */
-export const DANGEROUS_PATH_COMPONENTS = [
-    /^\/etc\//i,
-    /^\/proc\//i,
-    /^\/sys\//i,
-    /^\/dev\//i,
-    /^\/root\//i,
-    /^\/home\/.+\/\./i,
-    /^[A-Z]:\\Windows/i,
-    /^[A-Z]:\\System/i,
-    /^[A-Z]:\\Users\\.+\\AppData/i,
-];
-// ============================================================================
-// Path Traversal Validator Implementation
-// ============================================================================
-/**
- * Path Traversal Validator Strategy
- * Validates file paths to prevent directory traversal attacks
- */
-export class PathTraversalValidator {
-    name = 'path-traversal';
-    /**
-     * Get the primary risk level this validator addresses
-     */
-    getRiskLevel() {
-        return 'critical';
-    }
-    /**
-     * Validate a file path against traversal attacks
-     */
-    validate(path, options = {}) {
-        const { basePath = '', allowAbsolute = false, allowedExtensions = [], deniedExtensions = ['.exe', '.bat', '.cmd', '.sh', '.ps1', '.dll', '.so'], maxDepth = 10, maxLength = 4096, } = options;
-        // Check length
-        if (path.length > maxLength) {
-            return {
-                valid: false,
-                error: `Path exceeds maximum length of ${maxLength}`,
-                riskLevel: 'medium',
-            };
-        }
-        // Check for traversal patterns
-        for (const pattern of PATH_TRAVERSAL_PATTERNS) {
-            if (pattern.test(path)) {
-                return {
-                    valid: false,
-                    error: 'Path traversal attempt detected',
-                    riskLevel: 'critical',
-                };
-            }
-        }
-        // Check for absolute paths
-        if (!allowAbsolute && (path.startsWith('/') || /^[A-Z]:/i.test(path))) {
-            return {
-                valid: false,
-                error: 'Absolute paths are not allowed',
-                riskLevel: 'high',
-            };
-        }
-        // Check for dangerous path components
-        for (const pattern of DANGEROUS_PATH_COMPONENTS) {
-            if (pattern.test(path)) {
-                return {
-                    valid: false,
-                    error: 'Access to system paths is not allowed',
-                    riskLevel: 'critical',
-                };
-            }
-        }
-        // Normalize the path
-        const normalizedPath = this.normalizePath(path);
-        // Re-check for traversal after normalization
-        if (normalizedPath.includes('..')) {
-            return {
-                valid: false,
-                error: 'Path traversal detected after normalization',
-                riskLevel: 'critical',
-            };
-        }
-        // Check depth
-        const depth = normalizedPath.split('/').filter(Boolean).length;
-        if (depth > maxDepth) {
-            return {
-                valid: false,
-                error: `Path depth exceeds maximum of ${maxDepth}`,
-                riskLevel: 'low',
-            };
-        }
-        // Check extension
-        const ext = this.getExtension(normalizedPath);
-        if (ext) {
-            const extWithDot = `.${ext.toLowerCase()}`;
-            const extWithoutDot = ext.toLowerCase();
-            // Check denied extensions (support both .exe and exe formats)
-            if (deniedExtensions.length > 0) {
-                const isDenied = deniedExtensions.some(denied => denied.toLowerCase() === extWithDot || denied.toLowerCase() === extWithoutDot);
-                if (isDenied) {
-                    return {
-                        valid: false,
-                        error: `File extension '${ext}' is not allowed`,
-                        riskLevel: 'high',
-                    };
-                }
-            }
-            // Check allowed extensions (support both .ts and ts formats)
-            if (allowedExtensions.length > 0) {
-                const isAllowed = allowedExtensions.some(allowed => allowed.toLowerCase() === extWithDot || allowed.toLowerCase() === extWithoutDot);
-                if (!isAllowed) {
-                    return {
-                        valid: false,
-                        error: `File extension '${ext}' is not in allowed list`,
-                        riskLevel: 'medium',
-                    };
-                }
-            }
-        }
-        // Combine with base path if provided
-        const finalPath = basePath
-            ? this.joinPathsAbsolute(basePath, normalizedPath)
-            : normalizedPath;
-        // Verify final path doesn't escape base (use normalized base for comparison)
-        const normalizedBase = basePath.startsWith('/')
-            ? `/${this.normalizePath(basePath)}`
-            : this.normalizePath(basePath);
-        if (basePath && !finalPath.startsWith(normalizedBase)) {
-            return {
-                valid: false,
-                error: 'Path escapes base directory',
-                riskLevel: 'critical',
-            };
-        }
-        return {
-            valid: true,
-            normalizedPath: finalPath,
-            riskLevel: 'none',
-        };
-    }
-    /**
-     * Normalize a path by resolving . and .. components
-     */
-    normalizePath(path) {
-        // Replace backslashes with forward slashes
-        let normalized = path.replace(/\\/g, '/');
-        // Remove multiple consecutive slashes
-        normalized = normalized.replace(/\/+/g, '/');
-        // Split and resolve
-        const parts = normalized.split('/');
-        const result = [];
-        for (const part of parts) {
-            if (part === '.' || part === '') {
-                continue;
-            }
-            if (part === '..') {
-                // Don't allow going above root
-                if (result.length > 0 && result[result.length - 1] !== '..') {
-                    result.pop();
-                }
-            }
-            else {
-                result.push(part);
-            }
-        }
-        return result.join('/');
-    }
-    /**
-     * Safely join path components (strips leading/trailing slashes from all parts)
-     */
-    joinPaths(...paths) {
-        if (paths.length === 0)
-            return '';
-        return paths
-            .map(p => p.replace(/^\/+|\/+$/g, ''))
-            .filter(Boolean)
-            .join('/');
-    }
-    /**
-     * Join paths preserving absolute path from first component
-     */
-    joinPathsAbsolute(...paths) {
-        if (paths.length === 0)
-            return '';
-        // Check if the first path is absolute
-        const isAbsolute = paths[0].startsWith('/');
-        const result = paths
-            // Use non-backtracking patterns with possessive-like behavior via split/join
-            .map(p => {
-            // Remove leading slashes by splitting and rejoining
-            while (p.startsWith('/'))
-                p = p.slice(1);
-            // Remove trailing slashes
-            while (p.endsWith('/'))
-                p = p.slice(0, -1);
-            return p;
-        })
-            .filter(Boolean)
-            .join('/');
-        // Preserve leading slash for absolute paths
-        return isAbsolute ? `/${result}` : result;
-    }
-    /**
-     * Get file extension from path
-     */
-    getExtension(path) {
-        const match = path.match(/\.([^./\\]+)$/);
-        return match ? match[1] : null;
-    }
-}
-// ============================================================================
-// Standalone Functions (for backward compatibility)
-// ============================================================================
-const defaultValidator = new PathTraversalValidator();
-export const validatePath = (path, options) => defaultValidator.validate(path, options);
-export const normalizePath = (path) => defaultValidator.normalizePath(path);
-export const joinPaths = (...paths) => defaultValidator.joinPaths(...paths);
-export const joinPathsAbsolute = (...paths) => defaultValidator.joinPathsAbsolute(...paths);
-export const getExtension = (path) => defaultValidator.getExtension(path);
+// Re-export from shared/security for backward compatibility
+export * from '../../../shared/security/path-traversal-validator.js';
 //# sourceMappingURL=path-traversal-validator.js.map

package/dist/mcp/security/validators/regex-safety-validator.d.ts CHANGED Viewed

@@ -1,50 +1,2 @@
-/**
- * Agentic QE v3 - MCP Security: Regex Safety Validator
- * Implements the Strategy Pattern for ReDoS prevention
- */
-import { IRegexValidationStrategy, RegexSafetyResult, RegexValidationOptions, RiskLevel, ValidationResult } from './interfaces';
-/**
- * Patterns that can cause ReDoS (Regular Expression Denial of Service)
- */
-export declare const REDOS_PATTERNS: RegExp[];
-/**
- * Count nested quantifier depth in a regex pattern
- */
-export declare function countQuantifierNesting(pattern: string): number;
-/**
- * Check for exponential backtracking potential
- */
-export declare function hasExponentialBacktracking(pattern: string): boolean;
-/**
- * Regex Safety Validator Strategy
- * Validates regex patterns to prevent ReDoS attacks
- */
-export declare class RegexSafetyValidator implements IRegexValidationStrategy {
-    readonly name = "regex-safety";
-    private maxComplexity;
-    constructor(maxComplexity?: number);
-    /**
-     * Get the primary risk level this validator addresses
-     */
-    getRiskLevel(): RiskLevel;
-    /**
-     * Validate a regex pattern (IValidationStrategy interface)
-     */
-    validate(pattern: string, options?: RegexValidationOptions): ValidationResult;
-    /**
-     * Check if a regex pattern is safe from ReDoS
-     */
-    isRegexSafe(pattern: string, maxComplexity?: number): RegexSafetyResult;
-    /**
-     * Escape special regex characters in a string
-     */
-    escapeRegex(str: string): string;
-    /**
-     * Create a safe regex with validation
-     */
-    createSafeRegex(pattern: string, flags?: string, maxLength?: number): RegExp | null;
-}
-export declare const isRegexSafe: (pattern: string) => RegexSafetyResult;
-export declare const escapeRegex: (str: string) => string;
-export declare const createSafeRegex: (pattern: string, flags?: string, maxLength?: number) => RegExp | null;
+export * from '../../../shared/security/regex-safety-validator.js';
 //# sourceMappingURL=regex-safety-validator.d.ts.map

package/dist/mcp/security/validators/regex-safety-validator.js CHANGED Viewed

@@ -1,183 +1,3 @@
-/**
- * Agentic QE v3 - MCP Security: Regex Safety Validator
- * Implements the Strategy Pattern for ReDoS prevention
- */
-// ============================================================================
-// Constants
-// ============================================================================
-/**
- * Patterns that can cause ReDoS (Regular Expression Denial of Service)
- */
-export const REDOS_PATTERNS = [
-    /\(\.\*\)\+/, // (.*)+
-    /\(\.\+\)\+/, // (.+)+
-    /\([^)]*\?\)\+/, // (...?)+
-    /\([^)]*\*\)\+/, // (...*)+
-    /\([^)]*\+\)\+/, // (...+)+
-    /\(\[.*?\]\+\)\+/, // ([...]+)+
-    /\(\[.*?\]\*\)\+/, // ([...]*)+
-    /\(\[.*?\]\?\)\+/, // ([...]?)+
-    /\(\[.*?\]\*\)\*/, // ([...]*)*
-    /\.\*\.\*/, // .*.*
-    /\.\+\.\+/, // .+.+
-    /\(\.\|\.\)/, // (.|.)
-];
-/**
- * Maximum allowed regex complexity (nested quantifiers)
- */
-const MAX_REGEX_COMPLEXITY = 3;
-// ============================================================================
-// Helper Functions
-// ============================================================================
-/**
- * Count nested quantifier depth in a regex pattern
- */
-export function countQuantifierNesting(pattern) {
-    let maxDepth = 0;
-    let currentDepth = 0;
-    let inGroup = false;
-    let escaped = false;
-    for (let i = 0; i < pattern.length; i++) {
-        const char = pattern[i];
-        if (escaped) {
-            escaped = false;
-            continue;
-        }
-        if (char === '\\') {
-            escaped = true;
-            continue;
-        }
-        if (char === '(') {
-            inGroup = true;
-            continue;
-        }
-        if (char === ')') {
-            inGroup = false;
-            // Check if followed by quantifier
-            const next = pattern[i + 1];
-            if (next === '*' || next === '+' || next === '?' || next === '{') {
-                currentDepth++;
-                maxDepth = Math.max(maxDepth, currentDepth);
-            }
-            continue;
-        }
-        if ((char === '*' || char === '+' || char === '?') && !inGroup) {
-            currentDepth = 1;
-            maxDepth = Math.max(maxDepth, currentDepth);
-        }
-    }
-    return maxDepth;
-}
-/**
- * Check for exponential backtracking potential
- */
-export function hasExponentialBacktracking(pattern) {
-    // Simplified check for common exponential patterns
-    const dangerous = [
-        /\(\[^\\]*\]\+\)\+/, // ([...]+)+
-        /\(\[^\\]*\]\*\)\*/, // ([...]*)*
-        /\([^)]+\|[^)]+\)\+/, // (a|b)+
-        /\(\.\*\)[*+]/, // (.*)+, (.*)*
-        /\(\.\+\)[*+]/, // (.+)+, (.+)*
-    ];
-    return dangerous.some(d => d.test(pattern));
-}
-// ============================================================================
-// Regex Safety Validator Implementation
-// ============================================================================
-/**
- * Regex Safety Validator Strategy
- * Validates regex patterns to prevent ReDoS attacks
- */
-export class RegexSafetyValidator {
-    name = 'regex-safety';
-    maxComplexity;
-    constructor(maxComplexity = MAX_REGEX_COMPLEXITY) {
-        this.maxComplexity = maxComplexity;
-    }
-    /**
-     * Get the primary risk level this validator addresses
-     */
-    getRiskLevel() {
-        return 'high';
-    }
-    /**
-     * Validate a regex pattern (IValidationStrategy interface)
-     */
-    validate(pattern, options = {}) {
-        const { maxLength = 10000, maxComplexity = this.maxComplexity } = options;
-        if (pattern.length > maxLength) {
-            return {
-                valid: false,
-                error: `Pattern exceeds maximum length of ${maxLength}`,
-                riskLevel: 'medium',
-            };
-        }
-        const result = this.isRegexSafe(pattern, maxComplexity);
-        return {
-            valid: result.safe,
-            error: result.error,
-            riskLevel: result.safe ? 'none' : 'high',
-        };
-    }
-    /**
-     * Check if a regex pattern is safe from ReDoS
-     */
-    isRegexSafe(pattern, maxComplexity = this.maxComplexity) {
-        const riskyPatterns = [];
-        // Check for known ReDoS patterns
-        for (const redosPattern of REDOS_PATTERNS) {
-            if (redosPattern.test(pattern)) {
-                riskyPatterns.push(redosPattern.source);
-            }
-        }
-        // Check nesting depth of quantifiers
-        const quantifierDepth = countQuantifierNesting(pattern);
-        if (quantifierDepth > maxComplexity) {
-            riskyPatterns.push(`Quantifier nesting depth: ${quantifierDepth} (max: ${maxComplexity})`);
-        }
-        // Check for exponential backtracking potential
-        if (hasExponentialBacktracking(pattern)) {
-            riskyPatterns.push('Exponential backtracking potential detected');
-        }
-        return {
-            safe: riskyPatterns.length === 0,
-            pattern,
-            escapedPattern: this.escapeRegex(pattern),
-            riskyPatterns,
-            error: riskyPatterns.length > 0 ? 'Pattern may cause ReDoS' : undefined,
-        };
-    }
-    /**
-     * Escape special regex characters in a string
-     */
-    escapeRegex(str) {
-        return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
-    }
-    /**
-     * Create a safe regex with validation
-     */
-    createSafeRegex(pattern, flags, maxLength = 10000) {
-        const safety = this.isRegexSafe(pattern);
-        if (!safety.safe) {
-            return null;
-        }
-        if (pattern.length > maxLength) {
-            return null;
-        }
-        try {
-            return new RegExp(pattern, flags);
-        }
-        catch {
-            return null;
-        }
-    }
-}
-// ============================================================================
-// Standalone Functions (for backward compatibility)
-// ============================================================================
-const defaultValidator = new RegexSafetyValidator();
-export const isRegexSafe = (pattern) => defaultValidator.isRegexSafe(pattern);
-export const escapeRegex = (str) => defaultValidator.escapeRegex(str);
-export const createSafeRegex = (pattern, flags, maxLength) => defaultValidator.createSafeRegex(pattern, flags, maxLength);
+// Re-export from shared/security for backward compatibility
+export * from '../../../shared/security/regex-safety-validator.js';
 //# sourceMappingURL=regex-safety-validator.js.map

package/dist/mcp/security/validators/validation-orchestrator.d.ts CHANGED Viewed

@@ -1,66 +1,2 @@
-/**
- * Agentic QE v3 - MCP Security: Validation Orchestrator
- * Coordinates all validation strategies using the Strategy Pattern
- */
-import { IValidationOrchestrator, IValidationStrategy, ValidationResult, RiskLevel } from './interfaces';
-/**
- * Validation Orchestrator
- * Coordinates multiple validation strategies and provides a unified interface
- */
-export declare class ValidationOrchestrator implements IValidationOrchestrator {
-    private strategies;
-    /**
-     * Create a new orchestrator with default validators
-     */
-    constructor(registerDefaults?: boolean);
-    /**
-     * Register the default validation strategies
-     */
-    private registerDefaultStrategies;
-    /**
-     * Register a validation strategy
-     */
-    registerStrategy(strategy: IValidationStrategy): void;
-    /**
-     * Get a registered strategy by name
-     */
-    getStrategy(name: string): IValidationStrategy | undefined;
-    /**
-     * Get all registered strategy names
-     */
-    getStrategyNames(): string[];
-    /**
-     * Validate using a specific strategy
-     */
-    validateWith<TResult extends ValidationResult>(strategyName: string, input: unknown, options?: unknown): TResult;
-    /**
-     * Run all registered validators on an input
-     * Useful for comprehensive input validation
-     */
-    validateAll(input: unknown): Map<string, ValidationResult>;
-    /**
-     * Check if any validator found issues
-     */
-    hasIssues(results: Map<string, ValidationResult>): boolean;
-    /**
-     * Get the highest risk level from validation results
-     */
-    getHighestRisk(results: Map<string, ValidationResult>): RiskLevel;
-    /**
-     * Get all issues from validation results
-     */
-    getAllIssues(results: Map<string, ValidationResult>): Array<{
-        validator: string;
-        error: string;
-        riskLevel: RiskLevel;
-    }>;
-}
-/**
- * Get the default validation orchestrator instance
- */
-export declare function getOrchestrator(): ValidationOrchestrator;
-/**
- * Create a new validation orchestrator
- */
-export declare function createOrchestrator(registerDefaults?: boolean): ValidationOrchestrator;
+export * from '../../../shared/security/validation-orchestrator.js';
 //# sourceMappingURL=validation-orchestrator.d.ts.map