cipher-shield 1.0.0

package/src/modules/aiScanner.js

@@ -0,0 +1,482 @@
+/**
+ * AI Security Scanner v2.1
+ *
+ * Advanced AI-powered payload analysis using Google Gemini and OpenAI.
+ * Performs deep inspection of request payloads for malicious intent,
+ * injection attacks, and security threats.
+ *
+ * @module aiScanner
+ * @version 1.0.0
+ */
+
+const { GoogleGenerativeAI } = require('@google/generative-ai');
+const OpenAI = require('openai');
+
+/**
+ * Default configuration constants
+ */
+const DEFAULT_CONFIG = Object.freeze({
+  REQUEST_TIMEOUT: 10000,
+  MAX_PAYLOAD_SIZE: 10000,
+  MAX_RETRIES: 2,
+  CACHE_TTL: 300000,
+  SENSITIVE_FIELDS: Object.freeze([
+    'password', 'token', 'secret', 'apikey', 'api_key',
+    'authorization', 'auth', 'bearer', 'jwt', 'session',
+    'credit_card', 'card_number', 'cvv', 'pin'
+  ])
+});
+
+/**
+ * AI system prompt for consistent threat analysis
+ */
+const SYSTEM_PROMPT = Object.freeze(`You are a cybersecurity analyst specializing in web application security.
+
+Analyze the following JSON payload for potential security threats including:
+- SQL injection attempts
+- Cross-site scripting (XSS)
+- Command injection
+- Path traversal attacks
+- Server-side request forgery (SSRF)
+- Deserialization attacks
+- Phishing or social engineering attempts
+- Obfuscated malicious code
+- Suspicious encoding or evasion techniques
+
+IMPORTANT: Focus on the SECURITY IMPLICATIONS, not the content appropriateness.
+
+Return ONLY valid JSON with this exact structure:
+{
+  "safe": boolean,
+  "threatLevel": number (0-10, where 0=no threat, 10=maximum threat),
+  "reason": "brief explanation of findings"
+}
+
+Do not include any other text or formatting.`);
+
+/**
+ * Simple in-memory cache for AI responses
+ */
+const responseCache = new Map();
+const cacheTimestamps = new Map();
+
+/**
+ * Performance tracking statistics
+ */
+let stats = {
+  totalScans: 0,
+  cacheHits: 0,
+  apiCalls: 0,
+  errors: 0,
+  averageResponseTime: 0,
+  lastScanTime: 0
+};
+
+/**
+ * Generates secure cache key for payload with integrity validation
+ * @private
+ * @param {Object} payload - Request payload
+ * @returns {string} Secure cache key
+ */
+function generateCacheKey(payload) {
+  const sortedJson = JSON.stringify(payload, Object.keys(payload).sort());
+  return require('crypto').createHash('sha256').update(sortedJson).digest('hex');
+}
+
+/**
+ * Checks cache for existing AI analysis with integrity validation
+ * @private
+ * @param {string} cacheKey - Cache key
+ * @returns {Object|null} Validated cached result or null
+ */
+function getCachedResult(cacheKey) {
+  const cached = responseCache.get(cacheKey);
+  const timestamp = cacheTimestamps.get(cacheKey);
+
+  if (!cached || !timestamp) {
+    return null;
+  }
+
+  if ((Date.now() - timestamp) > DEFAULT_CONFIG.CACHE_TTL) {
+    responseCache.delete(cacheKey);
+    cacheTimestamps.delete(cacheKey);
+    return null;
+  }
+
+  if (!isValidCachedResponse(cached)) {
+    responseCache.delete(cacheKey);
+    cacheTimestamps.delete(cacheKey);
+    return null;
+  }
+
+  stats.cacheHits++;
+  return cached;
+}
+
+/**
+ * Validates cached response structure to prevent cache poisoning
+ * @private
+ * @param {Object} response - Cached response to validate
+ * @returns {boolean} True if response is valid
+ */
+function isValidCachedResponse(response) {
+  return response &&
+         typeof response.safe === 'boolean' &&
+         typeof response.threatLevel === 'number' &&
+         response.threatLevel >= 0 && response.threatLevel <= 10 &&
+         typeof response.reason === 'string' &&
+         response.reason.length > 0 &&
+         response.reason.length < 500;
+}
+
+/**
+ * Stores result in cache
+ * @private
+ * @param {string} cacheKey - Cache key
+ * @param {Object} result - AI analysis result
+ */
+function setCachedResult(cacheKey, result) {
+  responseCache.set(cacheKey, result);
+  cacheTimestamps.set(cacheKey, Date.now());
+}
+
+/**
+ * Masks sensitive fields in payload before AI analysis
+ * @param {*} obj - Object, array, or primitive to sanitize
+ * @returns {*} Sanitized copy with sensitive fields masked
+ */
+function maskSensitiveFields(obj) {
+  if (obj === null || typeof obj !== 'object') {
+    return obj;
+  }
+
+  if (Array.isArray(obj)) {
+    return obj.map(maskSensitiveFields);
+  }
+
+  const sanitized = {};
+
+  for (const [key, value] of Object.entries(obj)) {
+    const isSensitive = DEFAULT_CONFIG.SENSITIVE_FIELDS.some(field =>
+      key.toLowerCase().includes(field.toLowerCase())
+    );
+
+    if (isSensitive) {
+      sanitized[key] = '***REDACTED***';
+    } else {
+      sanitized[key] = maskSensitiveFields(value);
+    }
+  }
+
+  return sanitized;
+}
+
+/**
+ * Validates payload structure to prevent malformed data attacks
+ * @private
+ * @param {Object} payload - Payload to validate
+ * @returns {boolean} True if payload structure is valid
+ */
+function isValidPayload(payload) {
+  if (payload.__proto__ !== Object.prototype || payload.constructor !== Object) {
+    return false;
+  }
+
+  try {
+    JSON.stringify(payload);
+  } catch (error) {
+    return false;
+  }
+
+  const maxDepth = 10;
+  function checkDepth(obj, depth = 0) {
+    if (depth > maxDepth) return false;
+    if (typeof obj === 'object' && obj !== null) {
+      for (const key in obj) {
+        if (!checkDepth(obj[key], depth + 1)) return false;
+      }
+    }
+    return true;
+  }
+
+  return checkDepth(payload);
+}
+
+/**
+ * Checks for obvious attack patterns that don't need AI analysis
+ * @private
+ * @param {Object} payload - Payload to check
+ * @returns {boolean} True if attack patterns detected
+ */
+function containsAttackPatterns(payload) {
+  const payloadStr = JSON.stringify(payload).toLowerCase();
+
+  const attackPatterns = [
+    /\bunion\s+select\b/i,           // SQL injection
+    /\bscript\b.*\bsrc\b/i,          // XSS with script tags
+    /\bon\w+\s*=/i,                  // Event handlers (XSS)
+    /\bjavascript:/i,                // JavaScript URLs
+    /\bdata:\s*text\/html/i,         // Data URLs
+    /\beval\s*\(/i,                  // Code injection
+    /\bexec\s*\(/i,                  // Command injection
+    /<\s*script[^>]*>.*<\s*\/\s*script\s*>/i, // Script tags
+    /\b(SELECT|INSERT|UPDATE|DELETE|DROP|CREATE)\b.*\bFROM\b/i, // SQL keywords
+    /\$\{.*\}/g,                     // Template injection
+    /process\.env|process\.argv|require\s*\(/i, // Node.js injection
+    /__proto__|constructor|prototype/i // Prototype pollution
+  ];
+
+  return attackPatterns.some(pattern => pattern.test(payloadStr));
+}
+function parseAIResponse(aiText) {
+  if (!aiText || typeof aiText !== 'string') {
+    throw new Error('Empty or invalid AI response');
+  }
+
+  let cleanedText = aiText.trim();
+
+  if (cleanedText.startsWith('```json')) {
+    cleanedText = cleanedText.replace(/```json\n?/g, '').replace(/```\n?/g, '');
+  } else if (cleanedText.startsWith('```')) {
+    cleanedText = cleanedText.replace(/```\n?/g, '');
+  }
+
+  let aiResult;
+  try {
+    aiResult = JSON.parse(cleanedText);
+
+    if (aiResult === null || typeof aiResult !== 'object') {
+      throw new Error('AI response must be a valid object');
+    }
+
+    if ('__proto__' in aiResult || 'constructor' in aiResult || 'prototype' in aiResult) {
+      throw new Error('AI response contains prototype pollution attempt');
+    }
+
+  } catch (parseError) {
+    throw new Error(`Failed to parse AI response as JSON: ${parseError.message}`);
+  }
+
+  if (typeof aiResult.safe !== 'boolean') {
+    throw new Error('AI response missing required "safe" boolean field');
+  }
+
+  if (typeof aiResult.threatLevel !== 'number' ||
+      aiResult.threatLevel < 0 || aiResult.threatLevel > 10) {
+    throw new Error('AI response "threatLevel" must be a number between 0-10');
+  }
+
+  return {
+    safe: aiResult.safe,
+    threatLevel: aiResult.threatLevel,
+    reason: aiResult.reason || 'No reason provided'
+  };
+}
+
+/**
+ * Scans payload using Google Gemini AI
+ * @private
+ * @param {Object} sanitizedPayload - Payload with sensitive data masked
+ * @param {Object} geminiConfig - Gemini configuration
+ * @returns {Promise<Object>} Scan result
+ */
+async function scanWithGemini(sanitizedPayload, geminiConfig) {
+  const genAI = new GoogleGenerativeAI(geminiConfig.apiKey);
+  const model = genAI.getGenerativeModel({
+    model: geminiConfig.model || 'gemini-2.5-flash'
+  });
+
+  const prompt = `${SYSTEM_PROMPT}\n\nPayload to analyze:\n${JSON.stringify(sanitizedPayload, null, 2)}`;
+
+  const timeoutPromise = new Promise((_, reject) => {
+    setTimeout(() => reject(new Error('Gemini API request timeout')), DEFAULT_CONFIG.REQUEST_TIMEOUT);
+  });
+
+  const apiPromise = model.generateContent({
+    contents: [{ role: 'user', parts: [{ text: prompt }] }],
+    generationConfig: {
+      temperature: 0.1,
+      maxOutputTokens: 500,
+      topP: 1,
+      topK: 1
+    }
+  });
+
+  const result = await Promise.race([apiPromise, timeoutPromise]);
+  const response = await result.response;
+  const aiText = response.text();
+
+  if (!aiText) {
+    throw new Error('Empty response from Gemini API');
+  }
+
+  return parseAIResponse(aiText);
+}
+
+/**
+ * Scans payload using OpenAI
+ * @private
+ * @param {Object} sanitizedPayload - Payload with sensitive data masked
+ * @param {Object} openaiConfig - OpenAI configuration
+ * @returns {Promise<Object>} Scan result
+ */
+async function scanWithOpenAI(sanitizedPayload, openaiConfig) {
+  const openai = new OpenAI({
+    apiKey: openaiConfig.apiKey,
+    organization: openaiConfig.organization || undefined,
+    timeout: DEFAULT_CONFIG.REQUEST_TIMEOUT,
+    maxRetries: DEFAULT_CONFIG.MAX_RETRIES
+  });
+
+  const userPrompt = `Payload to analyze:\n${JSON.stringify(sanitizedPayload, null, 2)}`;
+
+  const completion = await openai.chat.completions.create({
+    model: openaiConfig.model || 'gpt-4o-mini',
+    messages: [
+      { role: 'system', content: SYSTEM_PROMPT },
+      { role: 'user', content: userPrompt }
+    ],
+    temperature: 0.1,
+    max_tokens: 500,
+    response_format: { type: 'json_object' }
+  });
+
+  const aiText = completion.choices[0]?.message?.content;
+
+  if (!aiText) {
+    throw new Error('Empty response from OpenAI API');
+  }
+
+  return parseAIResponse(aiText);
+}
+
+/**
+ * Main AI scanning function with caching and error handling
+ *
+ * @param {Object} payload - Request body/payload to analyze
+ * @param {Object} aiConfig - AI provider configuration
+ * @returns {Promise<Object>} Scan result with safe, threatLevel, and reason
+ * @throws {Error} If AI provider is unsupported or API call fails
+ */
+async function scan(payload, aiConfig) {
+  const startTime = process.hrtime.bigint();
+  stats.totalScans++;
+
+  try {
+    if (!payload || typeof payload !== 'object') {
+      return { safe: true, threatLevel: 0, reason: 'No payload to scan' };
+    }
+
+    if (!isValidPayload(payload)) {
+      return { safe: false, threatLevel: 2, reason: 'Invalid payload structure' };
+    }
+
+    const payloadSize = JSON.stringify(payload).length;
+    if (payloadSize > DEFAULT_CONFIG.MAX_PAYLOAD_SIZE) {
+      return { safe: false, threatLevel: 3, reason: 'Payload size exceeds security limits' };
+    }
+
+    if (containsAttackPatterns(payload)) {
+      return { safe: false, threatLevel: 8, reason: 'Detected obvious attack patterns' };
+    }
+
+    const cacheKey = generateCacheKey(payload);
+    const cachedResult = getCachedResult(cacheKey);
+    if (cachedResult) {
+      return cachedResult;
+    }
+
+    const sanitizedPayload = maskSensitiveFields(payload);
+    let result;
+
+    if (aiConfig.provider === 'gemini') {
+      if (!aiConfig.gemini?.apiKey) {
+        throw new Error('Gemini API key is required');
+      }
+      result = await scanWithGemini(sanitizedPayload, aiConfig.gemini);
+    } else if (aiConfig.provider === 'openai') {
+      if (!aiConfig.openai?.apiKey) {
+        throw new Error('OpenAI API key is required');
+      }
+      result = await scanWithOpenAI(sanitizedPayload, aiConfig.openai);
+    } else {
+      throw new Error(`Unsupported AI provider: ${aiConfig.provider}. Use 'gemini' or 'openai'`);
+    }
+
+    setCachedResult(cacheKey, result);
+    stats.apiCalls++;
+
+    const scanTime = Number(process.hrtime.bigint() - startTime) / 1000000;
+    stats.lastScanTime = scanTime;
+    stats.averageResponseTime = ((stats.averageResponseTime * (stats.apiCalls - 1)) + scanTime) / stats.apiCalls;
+
+    return result;
+
+  } catch (error) {
+    stats.errors++;
+    throw new Error(`AI scan failed: ${error.message}`);
+  }
+}
+
+/**
+ * Retrieves AI scanner performance statistics
+ * @returns {Object} Performance statistics
+ */
+function getStats() {
+  return {
+    ...stats,
+    cacheHitRate: stats.totalScans > 0 ? (stats.cacheHits / stats.totalScans * 100).toFixed(1) : 0,
+    config: DEFAULT_CONFIG
+  };
+}
+
+/**
+ * Clears the response cache
+ * @returns {number} Number of cached entries cleared
+ */
+function clearCache() {
+  const cacheSize = responseCache.size;
+  responseCache.clear();
+  cacheTimestamps.clear();
+  return cacheSize;
+}
+
+/**
+ * Validates AI configuration parameters
+ * @param {Object} aiConfig - AI configuration to validate
+ * @returns {Object} Validation result with valid boolean and errors array
+ */
+function validateConfig(aiConfig) {
+  const errors = [];
+
+  if (!aiConfig || typeof aiConfig !== 'object') {
+    errors.push('AI configuration must be an object');
+    return { valid: false, errors };
+  }
+
+  if (!['gemini', 'openai'].includes(aiConfig.provider)) {
+    errors.push('Provider must be either "gemini" or "openai"');
+  }
+
+  if (aiConfig.provider === 'gemini' && !aiConfig.gemini?.apiKey) {
+    errors.push('Gemini API key is required when using Gemini provider');
+  }
+
+  if (aiConfig.provider === 'openai' && !aiConfig.openai?.apiKey) {
+    errors.push('OpenAI API key is required when using OpenAI provider');
+  }
+
+  return {
+    valid: errors.length === 0,
+    errors
+  };
+}
+
+module.exports = {
+  scan,
+  maskSensitiveFields,
+  getStats,
+  clearCache,
+  validateConfig,
+  DEFAULT_CONFIG
+};