npm - cipher-security - Versions diffs - 2.0.0 - Mend

cipher-security 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (76) hide show

package/bin/cipher.js +566 -0
package/lib/api/billing.js +321 -0
package/lib/api/compliance.js +693 -0
package/lib/api/controls.js +1401 -0
package/lib/api/index.js +49 -0
package/lib/api/marketplace.js +467 -0
package/lib/api/openai-proxy.js +383 -0
package/lib/api/server.js +685 -0
package/lib/autonomous/feedback-loop.js +554 -0
package/lib/autonomous/framework.js +512 -0
package/lib/autonomous/index.js +97 -0
package/lib/autonomous/leaderboard.js +594 -0
package/lib/autonomous/modes/architect.js +412 -0
package/lib/autonomous/modes/blue.js +386 -0
package/lib/autonomous/modes/incident.js +684 -0
package/lib/autonomous/modes/privacy.js +369 -0
package/lib/autonomous/modes/purple.js +294 -0
package/lib/autonomous/modes/recon.js +250 -0
package/lib/autonomous/parallel.js +587 -0
package/lib/autonomous/researcher.js +583 -0
package/lib/autonomous/runner.js +955 -0
package/lib/autonomous/scheduler.js +615 -0
package/lib/autonomous/task-parser.js +127 -0
package/lib/autonomous/validators/forensic.js +266 -0
package/lib/autonomous/validators/osint.js +216 -0
package/lib/autonomous/validators/privacy.js +296 -0
package/lib/autonomous/validators/purple.js +298 -0
package/lib/autonomous/validators/sigma.js +248 -0
package/lib/autonomous/validators/threat-model.js +363 -0
package/lib/benchmark/agent.js +119 -0
package/lib/benchmark/baselines.js +43 -0
package/lib/benchmark/builder.js +143 -0
package/lib/benchmark/config.js +35 -0
package/lib/benchmark/coordinator.js +91 -0
package/lib/benchmark/index.js +20 -0
package/lib/benchmark/llm.js +58 -0
package/lib/benchmark/models.js +137 -0
package/lib/benchmark/reporter.js +103 -0
package/lib/benchmark/runner.js +103 -0
package/lib/benchmark/sandbox.js +96 -0
package/lib/benchmark/scorer.js +32 -0
package/lib/benchmark/solver.js +166 -0
package/lib/benchmark/tools.js +62 -0
package/lib/bot/bot.js +238 -0
package/lib/brand.js +105 -0
package/lib/commands.js +100 -0
package/lib/complexity.js +377 -0
package/lib/config.js +213 -0
package/lib/gateway/client.js +309 -0
package/lib/gateway/commands.js +991 -0
package/lib/gateway/config-validate.js +109 -0
package/lib/gateway/gateway.js +367 -0
package/lib/gateway/index.js +62 -0
package/lib/gateway/mode.js +309 -0
package/lib/gateway/plugins.js +222 -0
package/lib/gateway/prompt.js +214 -0
package/lib/mcp/server.js +262 -0
package/lib/memory/compressor.js +425 -0
package/lib/memory/engine.js +763 -0
package/lib/memory/evolution.js +668 -0
package/lib/memory/index.js +58 -0
package/lib/memory/orchestrator.js +506 -0
package/lib/memory/retriever.js +515 -0
package/lib/memory/synthesizer.js +333 -0
package/lib/pipeline/async-scanner.js +510 -0
package/lib/pipeline/binary-analysis.js +1043 -0
package/lib/pipeline/dom-xss-scanner.js +435 -0
package/lib/pipeline/github-actions.js +792 -0
package/lib/pipeline/index.js +124 -0
package/lib/pipeline/osint.js +498 -0
package/lib/pipeline/sarif.js +373 -0
package/lib/pipeline/scanner.js +880 -0
package/lib/pipeline/template-manager.js +525 -0
package/lib/pipeline/xss-scanner.js +353 -0
package/lib/setup-wizard.js +288 -0
package/package.json +31 -0

package/lib/pipeline/dom-xss-scanner.js ADDED Viewed

@@ -0,0 +1,435 @@
+// Copyright (c) 2026 defconxt. All rights reserved.
+// Licensed under AGPL-3.0 — see LICENSE file for details.
+// CIPHER is a trademark of defconxt.
+/**
+ * Runtime DOM XSS scanner using Playwright headless browser.
+ *
+ * Complements the static XSS scanner (xss-scanner.js) by executing JavaScript
+ * in a real browser context to detect XSS that only manifests at runtime.
+ *
+ * Playwright is an OPTIONAL dependency — scanner gracefully degrades when
+ * it's not installed. Do NOT add playwright to package.json.
+ *
+ * Ported from pipeline/dom_xss_scanner.py (390 LOC Python).
+ */
+import { URL } from 'node:url';
+// ---------------------------------------------------------------------------
+// Payloads
+// ---------------------------------------------------------------------------
+/** @type {Array<[string, string, string]>} [label, payload, detection] */
+const XSS_PAYLOADS = Object.freeze([
+  ['script-alert', '<script>alert("CIPHER-XSS-1")</script>', 'dialog'],
+  ['img-onerror', '<img src=x onerror=alert("CIPHER-XSS-2")>', 'dialog'],
+  ['svg-onload', '<svg/onload=alert("CIPHER-XSS-3")>', 'dialog'],
+  ['body-onload', '<body onload=alert("CIPHER-XSS-4")>', 'dialog'],
+  ['event-handler', '" onfocus=alert("CIPHER-XSS-5") autofocus="', 'dialog'],
+  ['javascript-uri', 'javascript:alert("CIPHER-XSS-6")', 'dialog'],
+  ['template-literal', '${alert("CIPHER-XSS-7")}', 'dialog'],
+  ['iframe-srcdoc', '<iframe srcdoc="<script>alert(\'CIPHER-XSS-8\')</script>">', 'dialog'],
+]);
+/** @type {Array<[string, string]>} [label, payload] */
+const URL_PAYLOADS = Object.freeze([
+  ['reflected-script', '<script>alert("CIPHER-XSS-R1")</script>'],
+  ['reflected-img', '<img src=x onerror=alert("CIPHER-XSS-R2")>'],
+  ['reflected-svg', '<svg/onload=alert("CIPHER-XSS-R3")>'],
+  ['hash-injection', '#<img src=x onerror=alert("CIPHER-XSS-R4")>'],
+]);
+// Common parameter names to test when URL has no existing params
+const COMMON_PARAMS = ['q', 'search', 'query', 'id', 'name', 'page', 'url', 'redirect', 'next', 'callback'];
+// ---------------------------------------------------------------------------
+// Data classes
+// ---------------------------------------------------------------------------
+class DOMXSSFinding {
+  /**
+   * @param {object} opts
+   * @param {string} opts.url
+   * @param {string} opts.vector  input | url-param | fragment | form
+   * @param {string} opts.inputName
+   * @param {string} opts.payload
+   * @param {string} opts.payloadLabel
+   * @param {boolean} [opts.confirmed=true]
+   * @param {string} [opts.reproduction='']
+   */
+  constructor(opts) {
+    this.url = opts.url;
+    this.vector = opts.vector;
+    this.inputName = opts.inputName;
+    this.payload = opts.payload;
+    this.payloadLabel = opts.payloadLabel;
+    this.confirmed = opts.confirmed !== false;
+    this.reproduction = opts.reproduction ?? '';
+  }
+  toDict() {
+    return {
+      url: this.url,
+      vector: this.vector,
+      input: this.inputName,
+      payload_label: this.payloadLabel,
+      confirmed: this.confirmed,
+      reproduction: this.reproduction,
+    };
+  }
+}
+class DOMXSSScanResult {
+  /**
+   * @param {object} opts
+   * @param {string} opts.target
+   * @param {number} [opts.pagesTested=0]
+   * @param {number} [opts.inputsTested=0]
+   * @param {number} [opts.paramsTested=0]
+   * @param {DOMXSSFinding[]} [opts.findings=[]]
+   * @param {string[]} [opts.errors=[]]
+   */
+  constructor(opts) {
+    this.target = opts.target;
+    this.pagesTested = opts.pagesTested ?? 0;
+    this.inputsTested = opts.inputsTested ?? 0;
+    this.paramsTested = opts.paramsTested ?? 0;
+    this.findings = opts.findings ?? [];
+    this.errors = opts.errors ?? [];
+  }
+  toDict() {
+    return {
+      target: this.target,
+      pages_tested: this.pagesTested,
+      inputs_tested: this.inputsTested,
+      params_tested: this.paramsTested,
+      findings: this.findings.map((f) => f.toDict()),
+      confirmed_xss: this.findings.length,
+      errors: this.errors,
+    };
+  }
+  summary() {
+    if (this.findings.length > 0) {
+      return (
+        `${this.findings.length} confirmed DOM XSS in ${this.target} ` +
+        `(${this.inputsTested} inputs, ${this.paramsTested} params tested)`
+      );
+    }
+    return `No DOM XSS found in ${this.target} (${this.inputsTested} inputs tested)`;
+  }
+}
+// ---------------------------------------------------------------------------
+// DOMXSSScanner
+// ---------------------------------------------------------------------------
+class DOMXSSScanner {
+  /**
+   * @param {object} [opts]
+   * @param {boolean} [opts.headless=true]
+   * @param {number} [opts.timeout=5000]
+   */
+  constructor(opts = {}) {
+    this._headless = opts.headless !== false;
+    this._timeout = opts.timeout ?? 5000;
+  }
+  /**
+   * Check if Playwright is available.
+   * @returns {Promise<boolean>}
+   */
+  async available() {
+    try {
+      await import('playwright');
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Scan a URL for DOM XSS vulnerabilities.
+   * @param {string} url
+   * @param {object} [opts]
+   * @param {boolean} [opts.testParams=true]
+   * @param {boolean} [opts.testInputs=true]
+   * @param {boolean} [opts.testForms=true]
+   * @returns {Promise<DOMXSSScanResult>}
+   */
+  async scanUrl(url, opts = {}) {
+    const testParams = opts.testParams !== false;
+    const testInputs = opts.testInputs !== false;
+    const testForms = opts.testForms !== false;
+    let pw;
+    try {
+      pw = await import('playwright');
+    } catch {
+      return new DOMXSSScanResult({
+        target: url,
+        errors: ['Playwright not installed — run: npm install playwright && npx playwright install chromium'],
+      });
+    }
+    const result = new DOMXSSScanResult({ target: url });
+    try {
+      const browser = await pw.chromium.launch({ headless: this._headless });
+      const context = await browser.newContext({
+        ignoreHTTPSErrors: true,
+        javaScriptEnabled: true,
+      });
+      if (testParams) {
+        await this._testUrlParams(context, url, result);
+      }
+      if (testInputs) {
+        await this._testInputFields(context, url, result);
+      }
+      if (testForms) {
+        await this._testForms(context, url, result);
+      }
+      result.pagesTested++;
+      await context.close();
+      await browser.close();
+    } catch (err) {
+      result.errors.push(`Scanner error: ${err.message}`);
+    }
+    return result;
+  }
+  /**
+   * Inject payloads into URL query parameters.
+   * @private
+   */
+  async _testUrlParams(context, url, result) {
+    const parsed = new URL(url);
+    const params = parsed.searchParams;
+    if ([...params.keys()].length === 0) {
+      // Try common parameter names
+      for (const paramName of COMMON_PARAMS) {
+        for (const [label, payload] of URL_PAYLOADS) {
+          result.paramsTested++;
+          const injected = new URL(url);
+          injected.searchParams.set(paramName, payload);
+          const finding = await this._checkUrlXss(
+            context, injected.toString(), 'url-param', paramName, label, payload,
+          );
+          if (finding) {
+            result.findings.push(finding);
+            return; // One confirmed finding is enough
+          }
+        }
+      }
+    } else {
+      for (const paramName of params.keys()) {
+        for (const [label, payload] of URL_PAYLOADS) {
+          result.paramsTested++;
+          const injected = new URL(url);
+          injected.searchParams.set(paramName, payload);
+          const finding = await this._checkUrlXss(
+            context, injected.toString(), 'url-param', paramName, label, payload,
+          );
+          if (finding) {
+            result.findings.push(finding);
+            break; // Move to next param
+          }
+        }
+      }
+    }
+    // Test fragment injection
+    for (const [label, payload] of URL_PAYLOADS) {
+      if (label.startsWith('hash')) {
+        result.paramsTested++;
+        const injected = `${url}${payload}`;
+        const finding = await this._checkUrlXss(
+          context, injected, 'fragment', '#', label, payload,
+        );
+        if (finding) {
+          result.findings.push(finding);
+        }
+      }
+    }
+  }
+  /**
+   * Inject payloads into input fields on the page.
+   * @private
+   */
+  async _testInputFields(context, url, result) {
+    const page = await context.newPage();
+    const dialogs = [];
+    page.on('dialog', async (d) => {
+      dialogs.push(d.message());
+      await d.accept();
+    });
+    try {
+      await page.goto(url, { waitUntil: 'networkidle', timeout: this._timeout * 2 });
+    } catch (err) {
+      result.errors.push(`Navigation failed: ${err.message}`);
+      await page.close();
+      return;
+    }
+    const inputs = await page.$$(
+      "input[type='text'], input[type='search'], input:not([type]), textarea, [contenteditable='true']",
+    );
+    for (const inp of inputs) {
+      const inputName =
+        (await inp.getAttribute('name')) ||
+        (await inp.getAttribute('id')) ||
+        (await inp.getAttribute('placeholder')) ||
+        'unnamed';
+      for (const [label, payload] of XSS_PAYLOADS) {
+        result.inputsTested++;
+        dialogs.length = 0;
+        try {
+          await inp.fill('');
+          await inp.fill(payload);
+          await inp.dispatchEvent('change');
+          await inp.dispatchEvent('blur');
+          await page.waitForTimeout(500);
+          if (dialogs.some((d) => d.includes('CIPHER-XSS'))) {
+            result.findings.push(
+              new DOMXSSFinding({
+                url,
+                vector: 'input',
+                inputName,
+                payload,
+                payloadLabel: label,
+                reproduction: `Fill input '${inputName}' with: ${payload}`,
+              }),
+            );
+            break; // One payload per input
+          }
+        } catch {
+          continue;
+        }
+      }
+    }
+    await page.close();
+  }
+  /**
+   * Test form submissions with XSS payloads.
+   * @private
+   */
+  async _testForms(context, url, result) {
+    const page = await context.newPage();
+    const dialogs = [];
+    page.on('dialog', async (d) => {
+      dialogs.push(d.message());
+      await d.accept();
+    });
+    try {
+      await page.goto(url, { waitUntil: 'networkidle', timeout: this._timeout * 2 });
+    } catch {
+      await page.close();
+      return;
+    }
+    const forms = await page.$$('form');
+    for (const form of forms) {
+      const formInputs = await form.$$(
+        "input[type='text'], input:not([type]), textarea",
+      );
+      if (formInputs.length === 0) continue;
+      const payload = XSS_PAYLOADS[0][1]; // script-alert
+      dialogs.length = 0;
+      try {
+        for (const fi of formInputs) {
+          await fi.fill(payload);
+        }
+        const submitBtn = await form.$("button[type='submit'], input[type='submit']");
+        if (submitBtn) {
+          await submitBtn.click();
+        } else {
+          await form.dispatchEvent('submit');
+        }
+        await page.waitForTimeout(1000);
+        if (dialogs.some((d) => d.includes('CIPHER-XSS'))) {
+          const formId =
+            (await form.getAttribute('id')) ||
+            (await form.getAttribute('action')) ||
+            'form';
+          result.findings.push(
+            new DOMXSSFinding({
+              url,
+              vector: 'form',
+              inputName: formId,
+              payload,
+              payloadLabel: 'form-submit',
+              reproduction: `Submit form '${formId}' with XSS in all text inputs`,
+            }),
+          );
+        }
+      } catch {
+        continue;
+      }
+    }
+    await page.close();
+  }
+  /**
+   * Navigate to an injected URL and check for XSS execution.
+   * @private
+   */
+  async _checkUrlXss(context, url, vector, paramName, label, payload) {
+    const page = await context.newPage();
+    const dialogs = [];
+    page.on('dialog', async (d) => {
+      dialogs.push(d.message());
+      await d.accept();
+    });
+    try {
+      await page.goto(url, { waitUntil: 'networkidle', timeout: this._timeout });
+      await page.waitForTimeout(500);
+    } catch {
+      // Navigation errors are expected for some payloads
+    } finally {
+      await page.close();
+    }
+    if (dialogs.some((d) => d.includes('CIPHER-XSS'))) {
+      return new DOMXSSFinding({
+        url,
+        vector,
+        inputName: paramName,
+        payload,
+        payloadLabel: label,
+        reproduction: `Navigate to: ${url}`,
+      });
+    }
+    return null;
+  }
+}
+// ---------------------------------------------------------------------------
+// Exports
+// ---------------------------------------------------------------------------
+export {
+  // Payloads (for testing/inspection)
+  XSS_PAYLOADS,
+  URL_PAYLOADS,
+  // Data classes
+  DOMXSSFinding,
+  DOMXSSScanResult,
+  // Scanner
+  DOMXSSScanner,
+};