cipher-security 5.0.0

package/lib/pipeline/index.js

@@ -0,0 +1,124 @@
+// Copyright (c) 2026 defconxt. All rights reserved.
+// Licensed under AGPL-3.0 — see LICENSE file for details.
+// CIPHER is a trademark of defconxt.
+
+/**
+ * CIPHER Pipeline — Security scanning, analysis, and reporting.
+ *
+ * Public API surface for the pipeline module. All downstream consumers
+ * (gateway, API, MCP) import from this barrel.
+ */
+
+// Scanner — foundational data classes and subprocess runners
+export {
+  ScanDomain,
+  PROFILE_CONFIGS,
+  EXT_TAG_MAP,
+  Finding,
+  ScanResult,
+  CrawlResult,
+  PipelineResult,
+  ScanProfile,
+  NucleiRunner,
+  KatanaRunner,
+  ScanPipeline,
+  whichSync,
+} from './scanner.js';
+
+// Async scanner — Promise-based wrappers with concurrency control
+export {
+  AsyncScanStatus,
+  AsyncFinding,
+  AsyncScanResult,
+  AsyncNucleiRunner,
+  AsyncKatanaRunner,
+  AsyncScanManager,
+  Semaphore,
+  asyncScan,
+  severityForProfile,
+} from './async-scanner.js';
+
+// Binary analysis — ELF parsing, security features, ROP gadgets
+export {
+  ELF_MAGIC,
+  SHF_WRITE,
+  SHF_ALLOC,
+  SHF_EXECINSTR,
+  readU16,
+  readU32,
+  readU64,
+  readStr,
+  ELFSection,
+  ELFSymbol,
+  SecurityFeatures,
+  ELFAnalysis,
+  ELFParser,
+  FormatStringFinding,
+  FormatStringScanner,
+  ROPGadget,
+  ROPScanner,
+} from './binary-analysis.js';
+
+// XSS scanner — static pattern detection
+export {
+  SINK_PATTERNS,
+  SOURCE_PATTERNS,
+  TEMPLATE_SINKS,
+  SCANNABLE_EXTENSIONS,
+  XSSFinding,
+  XSSScanResult,
+  XSSScanner,
+} from './xss-scanner.js';
+
+// DOM XSS scanner — dynamic Playwright-based detection
+export {
+  XSS_PAYLOADS,
+  URL_PAYLOADS,
+  DOMXSSFinding,
+  DOMXSSScanResult,
+  DOMXSSScanner,
+} from './dom-xss-scanner.js';
+
+// OSINT — intelligence gathering subprocess wrappers
+export {
+  isPrivateIP,
+  OSINTResult,
+  DomainIntelligence,
+  IPIntelligence,
+  DocumentMetadata,
+  OSINTPipeline,
+} from './osint.js';
+
+// SARIF — Static Analysis Results Interchange Format
+export {
+  SARIF_VERSION,
+  SARIF_SCHEMA,
+  severityToLevel,
+  severityScore,
+  SarifRule,
+  SarifResult,
+  SarifReport,
+} from './sarif.js';
+
+// GitHub Actions — diff analysis, formatting, workflow generation
+export {
+  _getVersion,
+  RiskLevel,
+  SecretType,
+  SEV_EMOJI,
+  SecretFinding,
+  DiffAnalysis,
+  PRReviewResult,
+  SecurityDiffAnalyzer,
+  FindingFormatter,
+  PRSecurityReview,
+  WorkflowGenerator,
+} from './github-actions.js';
+
+// Template manager — Nuclei template management
+export {
+  DEFAULT_TEMPLATE_DIR,
+  TemplateInfo,
+  TemplateCollection,
+  NucleiTemplateManager,
+} from './template-manager.js';

package/lib/pipeline/osint.js

@@ -0,0 +1,498 @@
+// Copyright (c) 2026 defconxt. All rights reserved.
+// Licensed under AGPL-3.0 — see LICENSE file for details.
+// CIPHER is a trademark of defconxt.
+
+/**
+ * CIPHER OSINT Pipeline — structured OSINT workflows.
+ *
+ * - Domain intelligence and WHOIS enrichment
+ * - IP reputation and classification
+ * - Document metadata extraction (EXIF, PDF)
+ * - Investigation orchestration
+ *
+ * Ported from pipeline/osint.py (322 LOC Python).
+ */
+
+import { execFileSync } from 'node:child_process';
+import dns from 'node:dns';
+import net from 'node:net';
+import { promisify } from 'node:util';
+
+const resolve4 = promisify(dns.resolve4);
+const resolve6 = promisify(dns.resolve6);
+const reversePromise = promisify(dns.reverse);
+
+// ---------------------------------------------------------------------------
+// IP classification helper
+// ---------------------------------------------------------------------------
+
+/**
+ * Check if an IP address is private (RFC 1918 / RFC 4193).
+ *
+ * IPv4: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8
+ * IPv6: ::1, fc00::/7, fe80::/10
+ *
+ * @param {string} ip
+ * @returns {boolean}
+ */
+function isPrivateIP(ip) {
+  const version = net.isIP(ip);
+  if (version === 0) return false;
+
+  if (version === 4) {
+    const parts = ip.split('.').map(Number);
+    if (parts[0] === 10) return true;                                    // 10.0.0.0/8
+    if (parts[0] === 172 && parts[1] >= 16 && parts[1] <= 31) return true; // 172.16.0.0/12
+    if (parts[0] === 192 && parts[1] === 168) return true;               // 192.168.0.0/16
+    if (parts[0] === 127) return true;                                    // 127.0.0.0/8
+    return false;
+  }
+
+  // IPv6
+  const lower = ip.toLowerCase();
+  if (lower === '::1') return true;
+
+  // Expand the first 16 bits for fc00::/7 and fe80::/10 checks
+  // fc00::/7 covers fc00:: - fdff::
+  // fe80::/10 covers fe80:: - febf::
+  const expanded = _expandIPv6Prefix(lower);
+  if (expanded !== null) {
+    if (expanded >= 0xfc00 && expanded <= 0xfdff) return true; // fc00::/7
+    if (expanded >= 0xfe80 && expanded <= 0xfebf) return true; // fe80::/10
+  }
+
+  return false;
+}
+
+/**
+ * Extract the first 16-bit group from an IPv6 address.
+ * @param {string} ip lowercased IPv6 address
+ * @returns {number|null}
+ */
+function _expandIPv6Prefix(ip) {
+  // Handle :: expansion — we only need the first group
+  const parts = ip.split(':');
+  if (!parts[0]) return 0; // starts with :: (e.g. ::1)
+  const val = parseInt(parts[0], 16);
+  return isNaN(val) ? null : val;
+}
+
+// ---------------------------------------------------------------------------
+// Data class
+// ---------------------------------------------------------------------------
+
+class OSINTResult {
+  /**
+   * @param {object} opts
+   * @param {string} opts.source
+   * @param {string} opts.query
+   * @param {object} [opts.data={}]
+   * @param {string} [opts.confidence='medium'] high | medium | low
+   * @param {string} [opts.timestamp]
+   * @param {string} [opts.collectionMethod='passive'] passive | active
+   */
+  constructor(opts) {
+    this.source = opts.source;
+    this.query = opts.query;
+    this.data = opts.data ?? {};
+    this.confidence = opts.confidence ?? 'medium';
+    this.timestamp = opts.timestamp ?? new Date().toISOString();
+    this.collectionMethod = opts.collectionMethod ?? 'passive';
+  }
+
+  /** @type {boolean} Quick success check — true unless data contains an error. */
+  get success() {
+    return !this.data.error;
+  }
+
+  /** @type {string|null} Error message if present. */
+  get error() {
+    return this.data.error ?? null;
+  }
+
+  toDict() {
+    return {
+      source: this.source,
+      query: this.query,
+      data: this.data,
+      confidence: this.confidence,
+      timestamp: this.timestamp,
+      collection_method: this.collectionMethod,
+    };
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Domain Intelligence
+// ---------------------------------------------------------------------------
+
+class DomainIntelligence {
+  /**
+   * Resolve DNS records for a domain (passive).
+   * Uses `dig` subprocess with `dns.resolve` fallback.
+   * @param {string} domain
+   * @returns {OSINTResult}
+   */
+  static dnsLookup(domain) {
+    const data = { domain, records: {} };
+    const rtypes = ['A', 'AAAA', 'MX', 'NS', 'TXT', 'CNAME', 'SOA'];
+    let hasDig = true;
+
+    for (const rtype of rtypes) {
+      if (hasDig) {
+        try {
+          const out = execFileSync('dig', ['+short', domain, rtype], {
+            encoding: 'utf-8',
+            timeout: 10000,
+            stdio: ['pipe', 'pipe', 'pipe'],
+          });
+          const records = out
+            .split('\n')
+            .map((r) => r.trim())
+            .filter(Boolean);
+          if (records.length > 0) {
+            data.records[rtype] = records;
+          }
+        } catch (err) {
+          // If dig doesn't exist (ENOENT), fall through to socket-based fallback
+          if (err.code === 'ENOENT') {
+            hasDig = false;
+            // Fall through to fallback below
+          } else {
+            continue; // timeout or other error — skip this record type
+          }
+        }
+      }
+
+      if (!hasDig) {
+        // Fallback: only A records via dns.resolve (sync not available, use socket)
+        if (rtype === 'A') {
+          try {
+            const { address } = dns.lookup
+              ? (() => {
+                  // Synchronous-ish: use execFileSync to call node
+                  const out = execFileSync(
+                    process.execPath,
+                    ['-e', `const dns=require('dns');dns.resolve4('${domain}',(e,a)=>console.log(JSON.stringify(a||[])))`],
+                    { encoding: 'utf-8', timeout: 10000, stdio: ['pipe', 'pipe', 'pipe'] },
+                  );
+                  const ips = JSON.parse(out.trim());
+                  if (ips.length > 0) data.records.A = ips;
+                  return {};
+                })()
+              : {};
+          } catch {
+            // Can't resolve — skip
+          }
+        }
+        break; // No dig = only A records
+      }
+    }
+
+    return new OSINTResult({ source: 'dns', query: domain, data, confidence: 'high' });
+  }
+
+  /**
+   * WHOIS lookup for domain registration info (passive).
+   * @param {string} domain
+   * @returns {OSINTResult}
+   */
+  static whoisLookup(domain) {
+    try {
+      const out = execFileSync('whois', [domain], {
+        encoding: 'utf-8',
+        timeout: 15000,
+        stdio: ['pipe', 'pipe', 'pipe'],
+      });
+
+      const data = { domain, raw_length: out.length };
+
+      const patterns = {
+        registrar: /Registrar:\s*(.+)/i,
+        creation_date: /Creat(?:ion|ed) Date:\s*(.+)/i,
+        expiration_date: /(?:Expir(?:ation|y) Date|Registry Expiry Date):\s*(.+)/i,
+        name_servers: /Name Server:\s*(.+)/ig,
+        status: /Status:\s*(.+)/ig,
+        registrant_org: /Registrant Organi[sz]ation:\s*(.+)/i,
+        registrant_country: /Registrant Country:\s*(.+)/i,
+      };
+
+      for (const [key, pattern] of Object.entries(patterns)) {
+        // Use matchAll for patterns with /g, exec for single match
+        if (pattern.global) {
+          const matches = [...out.matchAll(pattern)].map((m) => m[1]);
+          if (matches.length > 0) data[key] = matches.length > 1 ? matches : matches[0];
+        } else {
+          const m = pattern.exec(out);
+          if (m) data[key] = m[1];
+        }
+      }
+
+      return new OSINTResult({ source: 'whois', query: domain, data, confidence: 'high' });
+    } catch (err) {
+      const errMsg = err.code === 'ENOENT' ? 'whois binary not found' : String(err.message || err);
+      return new OSINTResult({
+        source: 'whois',
+        query: domain,
+        data: { error: errMsg },
+        confidence: 'low',
+      });
+    }
+  }
+}
+
+// ---------------------------------------------------------------------------
+// IP Intelligence
+// ---------------------------------------------------------------------------
+
+class IPIntelligence {
+  /**
+   * Reverse DNS lookup for an IP address.
+   * @param {string} ip
+   * @returns {OSINTResult}
+   */
+  static reverseDns(ip) {
+    try {
+      // Synchronous approach: use execFileSync with node subprocess
+      const out = execFileSync(
+        process.execPath,
+        ['-e', `const dns=require('dns');dns.reverse('${ip}',(e,h)=>console.log(JSON.stringify(e?null:h[0])))`],
+        { encoding: 'utf-8', timeout: 10000, stdio: ['pipe', 'pipe', 'pipe'] },
+      );
+      const hostname = JSON.parse(out.trim());
+      return new OSINTResult({
+        source: 'reverse_dns',
+        query: ip,
+        data: { ip, hostname },
+        confidence: hostname ? 'high' : 'low',
+      });
+    } catch {
+      return new OSINTResult({
+        source: 'reverse_dns',
+        query: ip,
+        data: { ip, hostname: null },
+        confidence: 'low',
+      });
+    }
+  }
+
+  /**
+   * Aggregate IP intelligence from available local tools.
+   * @param {string} ip
+   * @returns {OSINTResult}
+   */
+  static ipInfo(ip) {
+    const data = { ip };
+    const version = net.isIP(ip);
+
+    if (version === 0) {
+      data.error = 'Invalid IP address';
+      return new OSINTResult({ source: 'ip_info', query: ip, data, confidence: 'low' });
+    }
+
+    data.version = version;
+    data.is_private = isPrivateIP(ip);
+    data.is_loopback = (version === 4 && ip.startsWith('127.')) || ip === '::1';
+    data.is_multicast = _isMulticast(ip, version);
+
+    // Reverse DNS (best effort)
+    try {
+      const out = execFileSync(
+        process.execPath,
+        ['-e', `const dns=require('dns');dns.reverse('${ip}',(e,h)=>console.log(JSON.stringify(e?null:h?h[0]:null)))`],
+        { encoding: 'utf-8', timeout: 5000, stdio: ['pipe', 'pipe', 'pipe'] },
+      );
+      data.hostname = JSON.parse(out.trim());
+    } catch {
+      data.hostname = null;
+    }
+
+    return new OSINTResult({ source: 'ip_info', query: ip, data, confidence: 'high' });
+  }
+}
+
+/**
+ * Check if IP is multicast.
+ * IPv4: 224.0.0.0 - 239.255.255.255
+ * IPv6: ff00::/8
+ * @param {string} ip
+ * @param {number} version
+ * @returns {boolean}
+ */
+function _isMulticast(ip, version) {
+  if (version === 4) {
+    const first = parseInt(ip.split('.')[0], 10);
+    return first >= 224 && first <= 239;
+  }
+  return ip.toLowerCase().startsWith('ff');
+}
+
+// ---------------------------------------------------------------------------
+// Document Metadata
+// ---------------------------------------------------------------------------
+
+class DocumentMetadata {
+  /**
+   * Extract EXIF metadata from an image file.
+   * @param {string} filepath
+   * @returns {OSINTResult}
+   */
+  static extractExif(filepath) {
+    try {
+      const out = execFileSync('exiftool', ['-json', filepath], {
+        encoding: 'utf-8',
+        timeout: 15000,
+        stdio: ['pipe', 'pipe', 'pipe'],
+      });
+      const metadata = JSON.parse(out);
+      return new OSINTResult({
+        source: 'exif',
+        query: filepath,
+        data: { metadata: Array.isArray(metadata) ? metadata[0] : metadata },
+        confidence: 'high',
+      });
+    } catch (err) {
+      const errMsg = err.code === 'ENOENT' ? 'exiftool not found' : 'Failed to extract EXIF';
+      return new OSINTResult({
+        source: 'exif',
+        query: filepath,
+        data: { error: errMsg },
+        confidence: 'low',
+      });
+    }
+  }
+
+  /**
+   * Extract metadata from a PDF file using pdfinfo.
+   * @param {string} filepath
+   * @returns {OSINTResult}
+   */
+  static extractPdfMetadata(filepath) {
+    try {
+      const out = execFileSync('pdfinfo', [filepath], {
+        encoding: 'utf-8',
+        timeout: 15000,
+        stdio: ['pipe', 'pipe', 'pipe'],
+      });
+      const data = {};
+      for (const line of out.split('\n')) {
+        const idx = line.indexOf(':');
+        if (idx >= 0) {
+          data[line.slice(0, idx).trim()] = line.slice(idx + 1).trim();
+        }
+      }
+      return new OSINTResult({
+        source: 'pdf_metadata',
+        query: filepath,
+        data,
+        confidence: 'high',
+      });
+    } catch (err) {
+      const errMsg = err.code === 'ENOENT' ? 'pdfinfo not found' : 'Failed to extract PDF metadata';
+      return new OSINTResult({
+        source: 'pdf_metadata',
+        query: filepath,
+        data: { error: errMsg },
+        confidence: 'low',
+      });
+    }
+  }
+}
+
+// ---------------------------------------------------------------------------
+// OSINT Pipeline — orchestrator
+// ---------------------------------------------------------------------------
+
+class OSINTPipeline {
+  constructor() {
+    this._results = [];
+  }
+
+  /**
+   * Run full domain investigation pipeline.
+   * @param {string} domain
+   * @returns {OSINTResult[]}
+   */
+  investigateDomain(domain) {
+    const results = [];
+    results.push(DomainIntelligence.dnsLookup(domain));
+    results.push(DomainIntelligence.whoisLookup(domain));
+
+    // Pivot: resolve IPs and investigate them
+    const dnsResult = results[0];
+    const aRecords = dnsResult.data?.records?.A ?? [];
+    for (const ip of aRecords.slice(0, 5)) {
+      results.push(IPIntelligence.ipInfo(ip));
+    }
+
+    this._results.push(...results);
+    return results;
+  }
+
+  /**
+   * Run IP investigation pipeline.
+   * @param {string} ip
+   * @returns {OSINTResult[]}
+   */
+  investigateIp(ip) {
+    const results = [IPIntelligence.ipInfo(ip), IPIntelligence.reverseDns(ip)];
+    this._results.push(...results);
+    return results;
+  }
+
+  /**
+   * Extract metadata from a file.
+   * @param {string} filepath
+   * @returns {OSINTResult}
+   */
+  extractMetadata(filepath) {
+    const result = filepath.toLowerCase().endsWith('.pdf')
+      ? DocumentMetadata.extractPdfMetadata(filepath)
+      : DocumentMetadata.extractExif(filepath);
+    this._results.push(result);
+    return result;
+  }
+
+  /**
+   * Return all investigation results.
+   * @returns {object[]}
+   */
+  getAllResults() {
+    return this._results.map((r) => r.toDict());
+  }
+
+  /**
+   * Investigation summary statistics.
+   * @returns {object}
+   */
+  summary() {
+    const bySource = {};
+    const byConfidence = {};
+    for (const r of this._results) {
+      bySource[r.source] = (bySource[r.source] ?? 0) + 1;
+      byConfidence[r.confidence] = (byConfidence[r.confidence] ?? 0) + 1;
+    }
+    return {
+      total_results: this._results.length,
+      by_source: bySource,
+      by_confidence: byConfidence,
+    };
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Exports
+// ---------------------------------------------------------------------------
+
+export {
+  // Helper
+  isPrivateIP,
+  // Data class
+  OSINTResult,
+  // Intelligence modules
+  DomainIntelligence,
+  IPIntelligence,
+  DocumentMetadata,
+  // Pipeline
+  OSINTPipeline,
+};