clawsec 0.0.1
- package/README.md +560 -0
- package/dist/bin/clawsec.d.ts +7 -0
- package/dist/bin/clawsec.d.ts.map +1 -0
- package/dist/bin/clawsec.js +12 -0
- package/dist/bin/clawsec.js.map +1 -0
- package/dist/src/actions/block.d.ts +22 -0
- package/dist/src/actions/block.d.ts.map +1 -0
- package/dist/src/actions/block.js +83 -0
- package/dist/src/actions/block.js.map +1 -0
- package/dist/src/actions/confirm.d.ts +35 -0
- package/dist/src/actions/confirm.d.ts.map +1 -0
- package/dist/src/actions/confirm.js +156 -0
- package/dist/src/actions/confirm.js.map +1 -0
- package/dist/src/actions/executor.d.ts +64 -0
- package/dist/src/actions/executor.d.ts.map +1 -0
- package/dist/src/actions/executor.js +114 -0
- package/dist/src/actions/executor.js.map +1 -0
- package/dist/src/actions/index.d.ts +13 -0
- package/dist/src/actions/index.d.ts.map +1 -0
- package/dist/src/actions/index.js +15 -0
- package/dist/src/actions/index.js.map +1 -0
- package/dist/src/actions/log.d.ts +19 -0
- package/dist/src/actions/log.d.ts.map +1 -0
- package/dist/src/actions/log.js +63 -0
- package/dist/src/actions/log.js.map +1 -0
- package/dist/src/actions/types.d.ts +85 -0
- package/dist/src/actions/types.d.ts.map +1 -0
- package/dist/src/actions/types.js +78 -0
- package/dist/src/actions/types.js.map +1 -0
- package/dist/src/actions/warn.d.ts +22 -0
- package/dist/src/actions/warn.d.ts.map +1 -0
- package/dist/src/actions/warn.js +84 -0
- package/dist/src/actions/warn.js.map +1 -0
- package/dist/src/approval/agent-confirm.d.ts +104 -0
- package/dist/src/approval/agent-confirm.d.ts.map +1 -0
- package/dist/src/approval/agent-confirm.js +173 -0
- package/dist/src/approval/agent-confirm.js.map +1 -0
- package/dist/src/approval/index.d.ts +14 -0
- package/dist/src/approval/index.d.ts.map +1 -0
- package/dist/src/approval/index.js +9 -0
- package/dist/src/approval/index.js.map +1 -0
- package/dist/src/approval/native.d.ts +56 -0
- package/dist/src/approval/native.d.ts.map +1 -0
- package/dist/src/approval/native.js +196 -0
- package/dist/src/approval/native.js.map +1 -0
- package/dist/src/approval/store.d.ts +88 -0
- package/dist/src/approval/store.d.ts.map +1 -0
- package/dist/src/approval/store.js +192 -0
- package/dist/src/approval/store.js.map +1 -0
- package/dist/src/approval/types.d.ts +119 -0
- package/dist/src/approval/types.d.ts.map +1 -0
- package/dist/src/approval/types.js +6 -0
- package/dist/src/approval/types.js.map +1 -0
- package/dist/src/approval/webhook.d.ts +170 -0
- package/dist/src/approval/webhook.d.ts.map +1 -0
- package/dist/src/approval/webhook.js +362 -0
- package/dist/src/approval/webhook.js.map +1 -0
- package/dist/src/cli/commands/audit.d.ts +43 -0
- package/dist/src/cli/commands/audit.d.ts.map +1 -0
- package/dist/src/cli/commands/audit.js +115 -0
- package/dist/src/cli/commands/audit.js.map +1 -0
- package/dist/src/cli/commands/feedback.d.ts +27 -0
- package/dist/src/cli/commands/feedback.d.ts.map +1 -0
- package/dist/src/cli/commands/feedback.js +228 -0
- package/dist/src/cli/commands/feedback.js.map +1 -0
- package/dist/src/cli/commands/index.d.ts +11 -0
- package/dist/src/cli/commands/index.d.ts.map +1 -0
- package/dist/src/cli/commands/index.js +13 -0
- package/dist/src/cli/commands/index.js.map +1 -0
- package/dist/src/cli/commands/status.d.ts +20 -0
- package/dist/src/cli/commands/status.d.ts.map +1 -0
- package/dist/src/cli/commands/status.js +122 -0
- package/dist/src/cli/commands/status.js.map +1 -0
- package/dist/src/cli/commands/test.d.ts +23 -0
- package/dist/src/cli/commands/test.d.ts.map +1 -0
- package/dist/src/cli/commands/test.js +134 -0
- package/dist/src/cli/commands/test.js.map +1 -0
- package/dist/src/cli/commands/types.d.ts +81 -0
- package/dist/src/cli/commands/types.d.ts.map +1 -0
- package/dist/src/cli/commands/types.js +6 -0
- package/dist/src/cli/commands/types.js.map +1 -0
- package/dist/src/cli/index.d.ts +17 -0
- package/dist/src/cli/index.d.ts.map +1 -0
- package/dist/src/cli/index.js +267 -0
- package/dist/src/cli/index.js.map +1 -0
- package/dist/src/config/defaults.d.ts +20 -0
- package/dist/src/config/defaults.d.ts.map +1 -0
- package/dist/src/config/defaults.js +123 -0
- package/dist/src/config/defaults.js.map +1 -0
- package/dist/src/config/index.d.ts +8 -0
- package/dist/src/config/index.d.ts.map +1 -0
- package/dist/src/config/index.js +41 -0
- package/dist/src/config/index.js.map +1 -0
- package/dist/src/config/loader.d.ts +99 -0
- package/dist/src/config/loader.d.ts.map +1 -0
- package/dist/src/config/loader.js +242 -0
- package/dist/src/config/loader.js.map +1 -0
- package/dist/src/config/schema.d.ts +627 -0
- package/dist/src/config/schema.d.ts.map +1 -0
- package/dist/src/config/schema.js +585 -0
- package/dist/src/config/schema.js.map +1 -0
- package/dist/src/detectors/destructive/cloud-detector.d.ts +51 -0
- package/dist/src/detectors/destructive/cloud-detector.d.ts.map +1 -0
- package/dist/src/detectors/destructive/cloud-detector.js +556 -0
- package/dist/src/detectors/destructive/cloud-detector.js.map +1 -0
- package/dist/src/detectors/destructive/code-detector.d.ts +59 -0
- package/dist/src/detectors/destructive/code-detector.d.ts.map +1 -0
- package/dist/src/detectors/destructive/code-detector.js +558 -0
- package/dist/src/detectors/destructive/code-detector.js.map +1 -0
- package/dist/src/detectors/destructive/index.d.ts +54 -0
- package/dist/src/detectors/destructive/index.d.ts.map +1 -0
- package/dist/src/detectors/destructive/index.js +168 -0
- package/dist/src/detectors/destructive/index.js.map +1 -0
- package/dist/src/detectors/destructive/shell-detector.d.ts +43 -0
- package/dist/src/detectors/destructive/shell-detector.d.ts.map +1 -0
- package/dist/src/detectors/destructive/shell-detector.js +302 -0
- package/dist/src/detectors/destructive/shell-detector.js.map +1 -0
- package/dist/src/detectors/destructive/types.d.ts +143 -0
- package/dist/src/detectors/destructive/types.d.ts.map +1 -0
- package/dist/src/detectors/destructive/types.js +6 -0
- package/dist/src/detectors/destructive/types.js.map +1 -0
- package/dist/src/detectors/exfiltration/cloud-detector.d.ts +51 -0
- package/dist/src/detectors/exfiltration/cloud-detector.d.ts.map +1 -0
- package/dist/src/detectors/exfiltration/cloud-detector.js +427 -0
- package/dist/src/detectors/exfiltration/cloud-detector.js.map +1 -0
- package/dist/src/detectors/exfiltration/http-detector.d.ts +47 -0
- package/dist/src/detectors/exfiltration/http-detector.d.ts.map +1 -0
- package/dist/src/detectors/exfiltration/http-detector.js +429 -0
- package/dist/src/detectors/exfiltration/http-detector.js.map +1 -0
- package/dist/src/detectors/exfiltration/index.d.ts +44 -0
- package/dist/src/detectors/exfiltration/index.d.ts.map +1 -0
- package/dist/src/detectors/exfiltration/index.js +118 -0
- package/dist/src/detectors/exfiltration/index.js.map +1 -0
- package/dist/src/detectors/exfiltration/network-detector.d.ts +55 -0
- package/dist/src/detectors/exfiltration/network-detector.d.ts.map +1 -0
- package/dist/src/detectors/exfiltration/network-detector.js +504 -0
- package/dist/src/detectors/exfiltration/network-detector.js.map +1 -0
- package/dist/src/detectors/exfiltration/types.d.ts +139 -0
- package/dist/src/detectors/exfiltration/types.d.ts.map +1 -0
- package/dist/src/detectors/exfiltration/types.js +6 -0
- package/dist/src/detectors/exfiltration/types.js.map +1 -0
- package/dist/src/detectors/purchase/domain-detector.d.ts +44 -0
- package/dist/src/detectors/purchase/domain-detector.d.ts.map +1 -0
- package/dist/src/detectors/purchase/domain-detector.js +296 -0
- package/dist/src/detectors/purchase/domain-detector.js.map +1 -0
- package/dist/src/detectors/purchase/form-detector.d.ts +27 -0
- package/dist/src/detectors/purchase/form-detector.d.ts.map +1 -0
- package/dist/src/detectors/purchase/form-detector.js +344 -0
- package/dist/src/detectors/purchase/form-detector.js.map +1 -0
- package/dist/src/detectors/purchase/index.d.ts +65 -0
- package/dist/src/detectors/purchase/index.d.ts.map +1 -0
- package/dist/src/detectors/purchase/index.js +216 -0
- package/dist/src/detectors/purchase/index.js.map +1 -0
- package/dist/src/detectors/purchase/spend-tracker.d.ts +132 -0
- package/dist/src/detectors/purchase/spend-tracker.d.ts.map +1 -0
- package/dist/src/detectors/purchase/spend-tracker.js +313 -0
- package/dist/src/detectors/purchase/spend-tracker.js.map +1 -0
- package/dist/src/detectors/purchase/types.d.ts +139 -0
- package/dist/src/detectors/purchase/types.d.ts.map +1 -0
- package/dist/src/detectors/purchase/types.js +6 -0
- package/dist/src/detectors/purchase/types.js.map +1 -0
- package/dist/src/detectors/purchase/url-detector.d.ts +31 -0
- package/dist/src/detectors/purchase/url-detector.d.ts.map +1 -0
- package/dist/src/detectors/purchase/url-detector.js +292 -0
- package/dist/src/detectors/purchase/url-detector.js.map +1 -0
- package/dist/src/detectors/secrets/api-key-detector.d.ts +30 -0
- package/dist/src/detectors/secrets/api-key-detector.d.ts.map +1 -0
- package/dist/src/detectors/secrets/api-key-detector.js +297 -0
- package/dist/src/detectors/secrets/api-key-detector.js.map +1 -0
- package/dist/src/detectors/secrets/index.d.ts +43 -0
- package/dist/src/detectors/secrets/index.d.ts.map +1 -0
- package/dist/src/detectors/secrets/index.js +261 -0
- package/dist/src/detectors/secrets/index.js.map +1 -0
- package/dist/src/detectors/secrets/pii-detector.d.ts +54 -0
- package/dist/src/detectors/secrets/pii-detector.d.ts.map +1 -0
- package/dist/src/detectors/secrets/pii-detector.js +286 -0
- package/dist/src/detectors/secrets/pii-detector.js.map +1 -0
- package/dist/src/detectors/secrets/token-detector.d.ts +51 -0
- package/dist/src/detectors/secrets/token-detector.d.ts.map +1 -0
- package/dist/src/detectors/secrets/token-detector.js +233 -0
- package/dist/src/detectors/secrets/token-detector.js.map +1 -0
- package/dist/src/detectors/secrets/types.d.ts +157 -0
- package/dist/src/detectors/secrets/types.d.ts.map +1 -0
- package/dist/src/detectors/secrets/types.js +6 -0
- package/dist/src/detectors/secrets/types.js.map +1 -0
- package/dist/src/detectors/website/category-detector.d.ts +22 -0
- package/dist/src/detectors/website/category-detector.d.ts.map +1 -0
- package/dist/src/detectors/website/category-detector.js +162 -0
- package/dist/src/detectors/website/category-detector.js.map +1 -0
- package/dist/src/detectors/website/index.d.ts +53 -0
- package/dist/src/detectors/website/index.d.ts.map +1 -0
- package/dist/src/detectors/website/index.js +232 -0
- package/dist/src/detectors/website/index.js.map +1 -0
- package/dist/src/detectors/website/pattern-matcher.d.ts +33 -0
- package/dist/src/detectors/website/pattern-matcher.d.ts.map +1 -0
- package/dist/src/detectors/website/pattern-matcher.js +121 -0
- package/dist/src/detectors/website/pattern-matcher.js.map +1 -0
- package/dist/src/detectors/website/types.d.ts +105 -0
- package/dist/src/detectors/website/types.d.ts.map +1 -0
- package/dist/src/detectors/website/types.js +6 -0
- package/dist/src/detectors/website/types.js.map +1 -0
- package/dist/src/engine/analyzer.d.ts +87 -0
- package/dist/src/engine/analyzer.d.ts.map +1 -0
- package/dist/src/engine/analyzer.js +427 -0
- package/dist/src/engine/analyzer.js.map +1 -0
- package/dist/src/engine/cache.d.ts +80 -0
- package/dist/src/engine/cache.d.ts.map +1 -0
- package/dist/src/engine/cache.js +167 -0
- package/dist/src/engine/cache.js.map +1 -0
- package/dist/src/engine/index.d.ts +11 -0
- package/dist/src/engine/index.d.ts.map +1 -0
- package/dist/src/engine/index.js +11 -0
- package/dist/src/engine/index.js.map +1 -0
- package/dist/src/engine/llm-client.d.ts +210 -0
- package/dist/src/engine/llm-client.d.ts.map +1 -0
- package/dist/src/engine/llm-client.js +506 -0
- package/dist/src/engine/llm-client.js.map +1 -0
- package/dist/src/engine/types.d.ts +163 -0
- package/dist/src/engine/types.d.ts.map +1 -0
- package/dist/src/engine/types.js +21 -0
- package/dist/src/engine/types.js.map +1 -0
- package/dist/src/feedback/index.d.ts +9 -0
- package/dist/src/feedback/index.d.ts.map +1 -0
- package/dist/src/feedback/index.js +8 -0
- package/dist/src/feedback/index.js.map +1 -0
- package/dist/src/feedback/learner.d.ts +222 -0
- package/dist/src/feedback/learner.d.ts.map +1 -0
- package/dist/src/feedback/learner.js +401 -0
- package/dist/src/feedback/learner.js.map +1 -0
- package/dist/src/feedback/store.d.ts +113 -0
- package/dist/src/feedback/store.d.ts.map +1 -0
- package/dist/src/feedback/store.js +228 -0
- package/dist/src/feedback/store.js.map +1 -0
- package/dist/src/feedback/types.d.ts +126 -0
- package/dist/src/feedback/types.d.ts.map +1 -0
- package/dist/src/feedback/types.js +6 -0
- package/dist/src/feedback/types.js.map +1 -0
- package/dist/src/hooks/before-agent-start/handler.d.ts +37 -0
- package/dist/src/hooks/before-agent-start/handler.d.ts.map +1 -0
- package/dist/src/hooks/before-agent-start/handler.js +109 -0
- package/dist/src/hooks/before-agent-start/handler.js.map +1 -0
- package/dist/src/hooks/before-agent-start/index.d.ts +8 -0
- package/dist/src/hooks/before-agent-start/index.d.ts.map +1 -0
- package/dist/src/hooks/before-agent-start/index.js +7 -0
- package/dist/src/hooks/before-agent-start/index.js.map +1 -0
- package/dist/src/hooks/before-agent-start/prompts.d.ts +48 -0
- package/dist/src/hooks/before-agent-start/prompts.d.ts.map +1 -0
- package/dist/src/hooks/before-agent-start/prompts.js +103 -0
- package/dist/src/hooks/before-agent-start/prompts.js.map +1 -0
- package/dist/src/hooks/before-tool-call/handler.d.ts +42 -0
- package/dist/src/hooks/before-tool-call/handler.d.ts.map +1 -0
- package/dist/src/hooks/before-tool-call/handler.js +226 -0
- package/dist/src/hooks/before-tool-call/handler.js.map +1 -0
- package/dist/src/hooks/before-tool-call/index.d.ts +7 -0
- package/dist/src/hooks/before-tool-call/index.d.ts.map +1 -0
- package/dist/src/hooks/before-tool-call/index.js +6 -0
- package/dist/src/hooks/before-tool-call/index.js.map +1 -0
- package/dist/src/hooks/tool-result-persist/filter.d.ts +72 -0
- package/dist/src/hooks/tool-result-persist/filter.d.ts.map +1 -0
- package/dist/src/hooks/tool-result-persist/filter.js +305 -0
- package/dist/src/hooks/tool-result-persist/filter.js.map +1 -0
- package/dist/src/hooks/tool-result-persist/handler.d.ts +49 -0
- package/dist/src/hooks/tool-result-persist/handler.d.ts.map +1 -0
- package/dist/src/hooks/tool-result-persist/handler.js +217 -0
- package/dist/src/hooks/tool-result-persist/handler.js.map +1 -0
- package/dist/src/hooks/tool-result-persist/index.d.ts +11 -0
- package/dist/src/hooks/tool-result-persist/index.d.ts.map +1 -0
- package/dist/src/hooks/tool-result-persist/index.js +11 -0
- package/dist/src/hooks/tool-result-persist/index.js.map +1 -0
- package/dist/src/index.d.ts +256 -0
- package/dist/src/index.d.ts.map +1 -0
- package/dist/src/index.js +222 -0
- package/dist/src/index.js.map +1 -0
- package/dist/src/notifications/discord.d.ts +10 -0
- package/dist/src/notifications/discord.d.ts.map +1 -0
- package/dist/src/notifications/discord.js +218 -0
- package/dist/src/notifications/discord.js.map +1 -0
- package/dist/src/notifications/index.d.ts +37 -0
- package/dist/src/notifications/index.d.ts.map +1 -0
- package/dist/src/notifications/index.js +68 -0
- package/dist/src/notifications/index.js.map +1 -0
- package/dist/src/notifications/slack.d.ts +10 -0
- package/dist/src/notifications/slack.d.ts.map +1 -0
- package/dist/src/notifications/slack.js +218 -0
- package/dist/src/notifications/slack.js.map +1 -0
- package/dist/src/notifications/telegram.d.ts +10 -0
- package/dist/src/notifications/telegram.d.ts.map +1 -0
- package/dist/src/notifications/telegram.js +242 -0
- package/dist/src/notifications/telegram.js.map +1 -0
- package/dist/src/notifications/types.d.ts +119 -0
- package/dist/src/notifications/types.d.ts.map +1 -0
- package/dist/src/notifications/types.js +6 -0
- package/dist/src/notifications/types.js.map +1 -0
- package/dist/src/proxy/index.d.ts +8 -0
- package/dist/src/proxy/index.d.ts.map +1 -0
- package/dist/src/proxy/index.js +9 -0
- package/dist/src/proxy/index.js.map +1 -0
- package/dist/src/proxy/middleware.d.ts +55 -0
- package/dist/src/proxy/middleware.d.ts.map +1 -0
- package/dist/src/proxy/middleware.js +215 -0
- package/dist/src/proxy/middleware.js.map +1 -0
- package/dist/src/proxy/server.d.ts +57 -0
- package/dist/src/proxy/server.d.ts.map +1 -0
- package/dist/src/proxy/server.js +298 -0
- package/dist/src/proxy/server.js.map +1 -0
- package/dist/src/proxy/types.d.ts +136 -0
- package/dist/src/proxy/types.d.ts.map +1 -0
- package/dist/src/proxy/types.js +6 -0
- package/dist/src/proxy/types.js.map +1 -0
- package/dist/src/sanitization/index.d.ts +10 -0
- package/dist/src/sanitization/index.d.ts.map +1 -0
- package/dist/src/sanitization/index.js +9 -0
- package/dist/src/sanitization/index.js.map +1 -0
- package/dist/src/sanitization/patterns.d.ts +51 -0
- package/dist/src/sanitization/patterns.d.ts.map +1 -0
- package/dist/src/sanitization/patterns.js +266 -0
- package/dist/src/sanitization/patterns.js.map +1 -0
- package/dist/src/sanitization/scanner.d.ts +29 -0
- package/dist/src/sanitization/scanner.d.ts.map +1 -0
- package/dist/src/sanitization/scanner.js +328 -0
- package/dist/src/sanitization/scanner.js.map +1 -0
- package/dist/src/sanitization/types.d.ts +57 -0
- package/dist/src/sanitization/types.d.ts.map +1 -0
- package/dist/src/sanitization/types.js +5 -0
- package/dist/src/sanitization/types.js.map +1 -0
- package/openclaw.plugin.json +114 -0
- package/package.json +63 -0
- package/rules/builtin/README.md +139 -0
- package/rules/builtin/ai-services.yaml +70 -0
- package/rules/builtin/api-keys.yaml +64 -0
- package/rules/builtin/authentication.yaml +56 -0
- package/rules/builtin/aws-security.yaml +57 -0
- package/rules/builtin/azure-security.yaml +58 -0
- package/rules/builtin/cicd-security.yaml +64 -0
- package/rules/builtin/cloud-storage.yaml +64 -0
- package/rules/builtin/container-registry.yaml +55 -0
- package/rules/builtin/crypto-wallets.yaml +71 -0
- package/rules/builtin/database-nosql.yaml +58 -0
- package/rules/builtin/database-sql.yaml +62 -0
- package/rules/builtin/development-env.yaml +67 -0
- package/rules/builtin/docker.yaml +57 -0
- package/rules/builtin/filesystem.yaml +71 -0
- package/rules/builtin/financial-pci.yaml +61 -0
- package/rules/builtin/gcp-security.yaml +57 -0
- package/rules/builtin/git-operations.yaml +68 -0
- package/rules/builtin/healthcare-hipaa.yaml +64 -0
- package/rules/builtin/kubernetes.yaml +60 -0
- package/rules/builtin/messaging-services.yaml +53 -0
- package/rules/builtin/minimal.yaml +47 -0
- package/rules/builtin/mobile-development.yaml +61 -0
- package/rules/builtin/monitoring.yaml +63 -0
- package/rules/builtin/network-security.yaml +57 -0
- package/rules/builtin/package-managers.yaml +74 -0
- package/rules/builtin/payment-processing.yaml +66 -0
- package/rules/builtin/pii-protection.yaml +48 -0
- package/rules/builtin/production-strict.yaml +55 -0
- package/rules/builtin/secrets-management.yaml +63 -0
- package/rules/builtin/serverless.yaml +74 -0
- package/rules/builtin/ssh-security.yaml +66 -0
- package/rules/builtin/terraform.yaml +51 -0
- package/rules/builtin/web-security.yaml +62 -0
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../src/detectors/destructive/types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAE9D;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,qCAAqC;IACrC,QAAQ,EAAE,MAAM,CAAC;IACjB,mCAAmC;IACnC,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,wDAAwD;IACxD,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG,OAAO,GAAG,OAAO,GAAG,KAAK,GAAG,MAAM,CAAC;AAEjE;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,mDAAmD;IACnD,QAAQ,EAAE,OAAO,CAAC;IAClB,gCAAgC;IAChC,QAAQ,EAAE,aAAa,CAAC;IACxB,sCAAsC;IACtC,QAAQ,EAAE,QAAQ,CAAC;IACnB,mCAAmC;IACnC,UAAU,EAAE,MAAM,CAAC;IACnB,8CAA8C;IAC9C,MAAM,EAAE,MAAM,CAAC;IACf,8CAA8C;IAC9C,QAAQ,CAAC,EAAE;QACT,2CAA2C;QAC3C,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,oCAAoC;QACpC,IAAI,EAAE,eAAe,CAAC;QACtB,oEAAoE;QACpE,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,oDAAoD;QACpD,gBAAgB,CAAC,EAAE,MAAM,CAAC;KAC3B,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,sCAAsC;IACtC,OAAO,EAAE,OAAO,CAAC;IACjB,6CAA6C;IAC7C,QAAQ,EAAE,QAAQ,CAAC;IACnB,4DAA4D;IAC5D,MAAM,EAAE,MAAM,CAAC;IACf,wCAAwC;IACxC,KAAK,CAAC,EAAE;QACN,OAAO,EAAE,OAAO,CAAC;KAClB,CAAC;IACF,0CAA0C;IAC1C,KAAK,CAAC,EAAE;QACN,OAAO,EAAE,OAAO,CAAC;KAClB,CAAC;IACF,uCAAuC;IACvC,IAAI,CAAC,EAAE;QACL,OAAO,EAAE,OAAO,CAAC;KAClB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC;;;;OAIG;IACH,MAAM,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,0BAA0B,CAAC,CAAC;CACxE;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B;;;;OAIG;IACH,MAAM,CAAC,OAAO,EAAE,gBAAgB,GAAG,0BAA0B,GAAG,IAAI,CAAC;CACtE;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,gCAAgC;IAChC,OAAO,EAAE,OAAO,CAAC;IACjB,+BAA+B;IAC/B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,6DAA6D;IAC7D,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,mDAAmD;IACnD,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,uBAAuB;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,yCAAyC;IACzC,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,gCAAgC;IAChC,OAAO,EAAE,OAAO,CAAC;IACjB,+BAA+B;IAC/B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,2DAA2D;IAC3D,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,6BAA6B;IAC7B,SAAS,CAAC,EAAE,MAAM,CAA
C;IACnB,4BAA4B;IAC5B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,uBAAuB;IACvB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,gCAAgC;IAChC,OAAO,EAAE,OAAO,CAAC;IACjB,oCAAoC;IACpC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,qDAAqD;IACrD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,2DAA2D;IAC3D,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,iCAAiC;IACjC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,uBAAuB;IACvB,UAAU,EAAE,MAAM,CAAC;CACpB"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../../src/detectors/destructive/types.ts"],"names":[],"mappings":"AAAA;;;GAGG"}
|
|
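--- a/package/dist/src/detectors/exfiltration/cloud-detector.d.ts
+++ b/package/dist/src/detectors/exfiltration/cloud-detector.d.ts
@@ -0,0 +1,51 @@
+/**
+* Cloud Upload Detector
+* Detects cloud storage uploads that could be data exfiltration
+*/
+import type { CloudUploadMatchResult, DetectionContext, ExfiltrationDetectionResult, SubDetector } from './types.js';
+import type { Severity } from '../../config/index.js';
+/**
+* Match AWS S3 upload commands
+*/
+export declare function matchAwsS3Upload(command: string): CloudUploadMatchResult;
+/**
+* Match GCP Storage upload commands
+*/
+export declare function matchGcpUpload(command: string): CloudUploadMatchResult;
+/**
+* Match Azure Storage upload commands
+*/
+export declare function matchAzureUpload(command: string): CloudUploadMatchResult;
+/**
+* Match Rclone upload commands
+*/
+export declare function matchRcloneUpload(command: string): CloudUploadMatchResult;
+/**
+* Match other cloud upload commands
+*/
+export declare function matchOtherCloudUpload(command: string): CloudUploadMatchResult;
+/**
+* Match cloud SDK upload patterns in code
+*/
+export declare function matchCloudSdkUpload(code: string): CloudUploadMatchResult;
+/**
+* Comprehensive cloud upload matching
+*/
+export declare function matchCloudUpload(text: string): CloudUploadMatchResult;
+/**
+* Cloud upload detector class
+*/
+export declare class CloudUploadDetector implements SubDetector {
+private severity;
+constructor(severity?: Severity);
+/**
+* Extract text content from tool context
+*/
+private extractContent;
+detect(context: DetectionContext): ExfiltrationDetectionResult | null;
+}
+/**
+* Create a cloud upload detector with the given severity
+*/
+export declare function createCloudUploadDetector(severity?: Severity): CloudUploadDetector;
+//# sourceMappingURL=cloud-detector.d.ts.map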
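Review bot: `detect(context: DetectionContext): ExfiltrationDetectionResult | null` is the only public member of `CloudUploadDetector` declared without a doc comment, although its `| null` return is the value a caller branches on. The seven `match*` declarations are similarly terse: none says that a miss is reported as `matched: false` with `confidence: 0` (which is what the two implementations visible on this page return) rather than as null, so the two no-match conventions are easy to confuse. I would add to the TypeScript source, so that it is emitted into this declaration, something like `/** Runs the cloud-upload matchers on the tool context. Returns null when nothing matched; null is not a safety verdict. */` above `detect`, and extend the `match*` comments to state that only the local-to-remote direction is matched. The body of `detect` is not part of this section, so the null semantics should be confirmed against the implementation before the wording is settled.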
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"cloud-detector.d.ts","sourceRoot":"","sources":["../../../../src/detectors/exfiltration/cloud-detector.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EACV,sBAAsB,EACtB,gBAAgB,EAChB,2BAA2B,EAC3B,WAAW,EACZ,MAAM,YAAY,CAAC;AACpB,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AAiLtD;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,sBAAsB,CAgBxE;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,sBAAsB,CAgBtE;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,sBAAsB,CAgBxE;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,sBAAsB,CAgBzE;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,MAAM,GAAG,sBAAsB,CAgB7E;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,sBAAsB,CAyBxE;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,sBAAsB,CAsCrE;AAED;;GAEG;AACH,qBAAa,mBAAoB,YAAW,WAAW;IACrD,OAAO,CAAC,QAAQ,CAAW;gBAEf,QAAQ,GAAE,QAAiB;IAIvC;;OAEG;IACH,OAAO,CAAC,cAAc;IA6CtB,MAAM,CAAC,OAAO,EAAE,gBAAgB,GAAG,2BAA2B,GAAG,IAAI;CAuCtE;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CAAC,QAAQ,GAAE,QAAiB,GAAG,mBAAmB,CAE1F"}
|
|
@@ -0,0 +1,427 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Cloud Upload Detector
|
|
3
|
+
* Detects cloud storage uploads that could be data exfiltration
|
|
4
|
+
*/
|
|
5
|
+
/**
|
|
6
|
+
* AWS S3 upload patterns
|
|
7
|
+
* Detects uploads TO S3 (not downloads FROM S3)
|
|
8
|
+
*/
|
|
9
|
+
const AWS_S3_UPLOAD_PATTERNS = [
|
|
10
|
+
// aws s3 cp local_file s3://bucket
|
|
11
|
+
{
|
|
12
|
+
pattern: /\baws\s+s3\s+cp\s+(?!s3:\/\/)([^\s]+)\s+(s3:\/\/[^\s]+)/i,
|
|
13
|
+
operation: 's3 cp',
|
|
14
|
+
description: 'AWS S3 upload',
|
|
15
|
+
},
|
|
16
|
+
// aws s3 mv local_file s3://bucket
|
|
17
|
+
{
|
|
18
|
+
pattern: /\baws\s+s3\s+mv\s+(?!s3:\/\/)([^\s]+)\s+(s3:\/\/[^\s]+)/i,
|
|
19
|
+
operation: 's3 mv',
|
|
20
|
+
description: 'AWS S3 move/upload',
|
|
21
|
+
},
|
|
22
|
+
// aws s3 sync local_dir s3://bucket
|
|
23
|
+
{
|
|
24
|
+
pattern: /\baws\s+s3\s+sync\s+(?!s3:\/\/)([^\s]+)\s+(s3:\/\/[^\s]+)/i,
|
|
25
|
+
operation: 's3 sync',
|
|
26
|
+
description: 'AWS S3 sync upload',
|
|
27
|
+
},
|
|
28
|
+
// aws s3api put-object
|
|
29
|
+
{
|
|
30
|
+
pattern: /\baws\s+s3api\s+put-object\s+[^|;]*--bucket\s+([^\s]+)[^|;]*--key\s+([^\s]+)/i,
|
|
31
|
+
operation: 's3api put-object',
|
|
32
|
+
description: 'AWS S3 API upload',
|
|
33
|
+
},
|
|
34
|
+
// aws s3api put-object (alternate order)
|
|
35
|
+
{
|
|
36
|
+
pattern: /\baws\s+s3api\s+put-object\s+[^|;]*--key\s+([^\s]+)[^|;]*--bucket\s+([^\s]+)/i,
|
|
37
|
+
operation: 's3api put-object',
|
|
38
|
+
description: 'AWS S3 API upload',
|
|
39
|
+
},
|
|
40
|
+
];
|
|
41
|
+
/**
|
|
42
|
+
* GCP Storage upload patterns
|
|
43
|
+
*/
|
|
44
|
+
const GCP_UPLOAD_PATTERNS = [
|
|
45
|
+
// gsutil cp local_file gs://bucket
|
|
46
|
+
{
|
|
47
|
+
pattern: /\bgsutil\s+(?:-m\s+)?cp\s+(?:-[rRn]\s+)*(?!gs:\/\/)([^\s]+)\s+(gs:\/\/[^\s]+)/i,
|
|
48
|
+
operation: 'gsutil cp',
|
|
49
|
+
description: 'GCP Storage upload',
|
|
50
|
+
},
|
|
51
|
+
// gsutil mv local_file gs://bucket
|
|
52
|
+
{
|
|
53
|
+
pattern: /\bgsutil\s+(?:-m\s+)?mv\s+(?!gs:\/\/)([^\s]+)\s+(gs:\/\/[^\s]+)/i,
|
|
54
|
+
operation: 'gsutil mv',
|
|
55
|
+
description: 'GCP Storage move/upload',
|
|
56
|
+
},
|
|
57
|
+
// gsutil rsync local_dir gs://bucket
|
|
58
|
+
{
|
|
59
|
+
pattern: /\bgsutil\s+(?:-m\s+)?rsync\s+(?:-[rRdC]\s+)*(?!gs:\/\/)([^\s]+)\s+(gs:\/\/[^\s]+)/i,
|
|
60
|
+
operation: 'gsutil rsync',
|
|
61
|
+
description: 'GCP Storage rsync upload',
|
|
62
|
+
},
|
|
63
|
+
// gcloud storage cp
|
|
64
|
+
{
|
|
65
|
+
pattern: /\bgcloud\s+storage\s+cp\s+(?:-[rR]\s+)*(?!gs:\/\/)([^\s]+)\s+(gs:\/\/[^\s]+)/i,
|
|
66
|
+
operation: 'gcloud storage cp',
|
|
67
|
+
description: 'GCP Storage upload',
|
|
68
|
+
},
|
|
69
|
+
];
|
|
70
|
+
/**
|
|
71
|
+
* Azure Storage upload patterns
|
|
72
|
+
*/
|
|
73
|
+
const AZURE_UPLOAD_PATTERNS = [
|
|
74
|
+
// azcopy copy local_file https://account.blob.core.windows.net
|
|
75
|
+
{
|
|
76
|
+
pattern: /\bazcopy\s+copy\s+(?!https?:\/\/)([^\s]+)\s+(https:\/\/[^\s]*blob\.core\.windows\.net[^\s]*)/i,
|
|
77
|
+
operation: 'azcopy copy',
|
|
78
|
+
description: 'Azure Blob upload',
|
|
79
|
+
},
|
|
80
|
+
// azcopy sync local_dir https://account.blob.core.windows.net
|
|
81
|
+
{
|
|
82
|
+
pattern: /\bazcopy\s+sync\s+(?!https?:\/\/)([^\s]+)\s+(https:\/\/[^\s]*blob\.core\.windows\.net[^\s]*)/i,
|
|
83
|
+
operation: 'azcopy sync',
|
|
84
|
+
description: 'Azure Blob sync upload',
|
|
85
|
+
},
|
|
86
|
+
// az storage blob upload
|
|
87
|
+
{
|
|
88
|
+
pattern: /\baz\s+storage\s+blob\s+upload\s+[^|;]*(?:--file|-f)\s+([^\s]+)/i,
|
|
89
|
+
operation: 'az storage blob upload',
|
|
90
|
+
description: 'Azure CLI blob upload',
|
|
91
|
+
},
|
|
92
|
+
// az storage blob upload-batch
|
|
93
|
+
{
|
|
94
|
+
pattern: /\baz\s+storage\s+blob\s+upload-batch\s+[^|;]*(?:--source|-s)\s+([^\s]+)/i,
|
|
95
|
+
operation: 'az storage blob upload-batch',
|
|
96
|
+
description: 'Azure CLI batch upload',
|
|
97
|
+
},
|
|
98
|
+
];
|
|
99
|
+
/**
|
|
100
|
+
* Rclone upload patterns
|
|
101
|
+
*/
|
|
102
|
+
const RCLONE_UPLOAD_PATTERNS = [
|
|
103
|
+
// rclone copy local remote:path
|
|
104
|
+
{
|
|
105
|
+
pattern: /\brclone\s+(?:copy|sync|move)\s+(?![\w-]+:)([^\s]+)\s+([\w-]+:[^\s]*)/i,
|
|
106
|
+
operation: 'rclone',
|
|
107
|
+
description: 'Rclone cloud upload',
|
|
108
|
+
},
|
|
109
|
+
// rclone copyto local remote:path
|
|
110
|
+
{
|
|
111
|
+
pattern: /\brclone\s+copyto\s+(?![\w-]+:)([^\s]+)\s+([\w-]+:[^\s]*)/i,
|
|
112
|
+
operation: 'rclone copyto',
|
|
113
|
+
description: 'Rclone cloud upload',
|
|
114
|
+
},
|
|
115
|
+
];
|
|
116
|
+
/**
|
|
117
|
+
* Other cloud upload patterns (DigitalOcean Spaces, Backblaze B2, etc.)
|
|
118
|
+
*/
|
|
119
|
+
const OTHER_CLOUD_PATTERNS = [
|
|
120
|
+
// s3cmd put (S3-compatible)
|
|
121
|
+
{
|
|
122
|
+
pattern: /\bs3cmd\s+put\s+([^\s]+)\s+(s3:\/\/[^\s]+)/i,
|
|
123
|
+
operation: 's3cmd put',
|
|
124
|
+
description: 'S3-compatible upload',
|
|
125
|
+
},
|
|
126
|
+
// mc (MinIO client) cp
|
|
127
|
+
{
|
|
128
|
+
pattern: /\bmc\s+cp\s+(?![\w-]+\/)([^\s]+)\s+([\w-]+\/[^\s]+)/i,
|
|
129
|
+
operation: 'mc cp',
|
|
130
|
+
description: 'MinIO client upload',
|
|
131
|
+
},
|
|
132
|
+
// b2 upload-file (Backblaze B2)
|
|
133
|
+
{
|
|
134
|
+
pattern: /\bb2\s+(?:upload-file|upload_file)\s+([^\s]+)\s+([^\s]+)/i,
|
|
135
|
+
operation: 'b2 upload',
|
|
136
|
+
description: 'Backblaze B2 upload',
|
|
137
|
+
},
|
|
138
|
+
];
|
|
139
|
+
/**
|
|
140
|
+
* SDK/Code patterns for cloud uploads
|
|
141
|
+
*/
|
|
142
|
+
const CLOUD_SDK_PATTERNS = [
|
|
143
|
+
// AWS SDK - S3 upload (Python boto3)
|
|
144
|
+
{
|
|
145
|
+
pattern: /\.upload_file\s*\(\s*["'`]([^"'`]+)["'`]\s*,\s*["'`]([^"'`]+)["'`]/i,
|
|
146
|
+
operation: 'boto3 upload_file',
|
|
147
|
+
description: 'AWS SDK upload',
|
|
148
|
+
},
|
|
149
|
+
// AWS SDK - S3 put_object
|
|
150
|
+
{
|
|
151
|
+
pattern: /\.put_object\s*\([^)]*Bucket\s*=\s*["'`]([^"'`]+)["'`]/i,
|
|
152
|
+
operation: 'boto3 put_object',
|
|
153
|
+
description: 'AWS SDK put_object',
|
|
154
|
+
},
|
|
155
|
+
// GCP SDK - upload_from_filename
|
|
156
|
+
{
|
|
157
|
+
pattern: /\.upload_from_filename\s*\(\s*["'`]([^"'`]+)["'`]/i,
|
|
158
|
+
operation: 'gcp upload_from_filename',
|
|
159
|
+
description: 'GCP SDK upload',
|
|
160
|
+
},
|
|
161
|
+
// Azure SDK - upload_blob
|
|
162
|
+
{
|
|
163
|
+
pattern: /\.upload_blob\s*\(/i,
|
|
164
|
+
operation: 'azure upload_blob',
|
|
165
|
+
description: 'Azure SDK upload',
|
|
166
|
+
},
|
|
167
|
+
// JavaScript AWS SDK - upload/putObject
|
|
168
|
+
{
|
|
169
|
+
pattern: /\b(?:s3|S3)\s*\.\s*(?:upload|putObject)\s*\(/i,
|
|
170
|
+
operation: 'aws-sdk upload',
|
|
171
|
+
description: 'AWS JavaScript SDK upload',
|
|
172
|
+
},
|
|
173
|
+
];
|
|
174
|
+
/**
|
|
175
|
+
* Match AWS S3 upload commands
|
|
176
|
+
*/
|
|
177
|
+
export function matchAwsS3Upload(command) {
|
|
178
|
+
for (const { pattern, operation } of AWS_S3_UPLOAD_PATTERNS) {
|
|
179
|
+
const match = command.match(pattern);
|
|
180
|
+
if (match) {
|
|
181
|
+
return {
|
|
182
|
+
matched: true,
|
|
183
|
+
command,
|
|
184
|
+
provider: 'aws',
|
|
185
|
+
operation,
|
|
186
|
+
dataSource: match[1],
|
|
187
|
+
destination: match[2],
|
|
188
|
+
confidence: 0.95,
|
|
189
|
+
};
|
|
190
|
+
}
|
|
191
|
+
}
|
|
192
|
+
return { matched: false, confidence: 0 };
|
|
193
|
+
}
|
|
194
|
+
/**
|
|
195
|
+
* Match GCP Storage upload commands
|
|
196
|
+
*/
|
|
197
|
+
export function matchGcpUpload(command) {
|
|
198
|
+
for (const { pattern, operation } of GCP_UPLOAD_PATTERNS) {
|
|
199
|
+
const match = command.match(pattern);
|
|
200
|
+
if (match) {
|
|
201
|
+
return {
|
|
202
|
+
matched: true,
|
|
203
|
+
command,
|
|
204
|
+
provider: 'gcp',
|
|
205
|
+
operation,
|
|
206
|
+
dataSource: match[1],
|
|
207
|
+
destination: match[2],
|
|
208
|
+
confidence: 0.95,
|
|
209
|
+
};
|
|
210
|
+
}
|
|
211
|
+
}
|
|
212
|
+
return { matched: false, confidence: 0 };
|
|
213
|
+
}
|
|
214
|
+
/**
|
|
215
|
+
* Match Azure Storage upload commands
|
|
216
|
+
*/
|
|
217
|
+
export function matchAzureUpload(command) {
|
|
218
|
+
for (const { pattern, operation } of AZURE_UPLOAD_PATTERNS) {
|
|
219
|
+
const match = command.match(pattern);
|
|
220
|
+
if (match) {
|
|
221
|
+
return {
|
|
222
|
+
matched: true,
|
|
223
|
+
command,
|
|
224
|
+
provider: 'azure',
|
|
225
|
+
operation,
|
|
226
|
+
dataSource: match[1],
|
|
227
|
+
destination: match[2] || 'Azure Blob Storage',
|
|
228
|
+
confidence: 0.95,
|
|
229
|
+
};
|
|
230
|
+
}
|
|
231
|
+
}
|
|
232
|
+
return { matched: false, confidence: 0 };
|
|
233
|
+
}
|
|
234
|
+
/**
|
|
235
|
+
* Match Rclone upload commands
|
|
236
|
+
*/
|
|
237
|
+
export function matchRcloneUpload(command) {
|
|
238
|
+
for (const { pattern, operation } of RCLONE_UPLOAD_PATTERNS) {
|
|
239
|
+
const match = command.match(pattern);
|
|
240
|
+
if (match) {
|
|
241
|
+
return {
|
|
242
|
+
matched: true,
|
|
243
|
+
command,
|
|
244
|
+
provider: 'rclone',
|
|
245
|
+
operation,
|
|
246
|
+
dataSource: match[1],
|
|
247
|
+
destination: match[2],
|
|
248
|
+
confidence: 0.9,
|
|
249
|
+
};
|
|
250
|
+
}
|
|
251
|
+
}
|
|
252
|
+
return { matched: false, confidence: 0 };
|
|
253
|
+
}
|
|
254
|
+
/**
|
|
255
|
+
* Match other cloud upload commands
|
|
256
|
+
*/
|
|
257
|
+
export function matchOtherCloudUpload(command) {
|
|
258
|
+
for (const { pattern, operation } of OTHER_CLOUD_PATTERNS) {
|
|
259
|
+
const match = command.match(pattern);
|
|
260
|
+
if (match) {
|
|
261
|
+
return {
|
|
262
|
+
matched: true,
|
|
263
|
+
command,
|
|
264
|
+
provider: 's3-compatible',
|
|
265
|
+
operation,
|
|
266
|
+
dataSource: match[1],
|
|
267
|
+
destination: match[2],
|
|
268
|
+
confidence: 0.9,
|
|
269
|
+
};
|
|
270
|
+
}
|
|
271
|
+
}
|
|
272
|
+
return { matched: false, confidence: 0 };
|
|
273
|
+
}
|
|
274
|
+
/**
|
|
275
|
+
* Match cloud SDK upload patterns in code
|
|
276
|
+
*/
|
|
277
|
+
export function matchCloudSdkUpload(code) {
|
|
278
|
+
for (const { pattern, operation } of CLOUD_SDK_PATTERNS) {
|
|
279
|
+
const match = code.match(pattern);
|
|
280
|
+
if (match) {
|
|
281
|
+
let provider = 'unknown';
|
|
282
|
+
if (operation.includes('boto3') || operation.includes('aws')) {
|
|
283
|
+
provider = 'aws';
|
|
284
|
+
}
|
|
285
|
+
else if (operation.includes('gcp')) {
|
|
286
|
+
provider = 'gcp';
|
|
287
|
+
}
|
|
288
|
+
else if (operation.includes('azure')) {
|
|
289
|
+
provider = 'azure';
|
|
290
|
+
}
|
|
291
|
+
return {
|
|
292
|
+
matched: true,
|
|
293
|
+
command: code,
|
|
294
|
+
provider,
|
|
295
|
+
operation,
|
|
296
|
+
dataSource: match[1] || undefined,
|
|
297
|
+
destination: match[2] || undefined,
|
|
298
|
+
confidence: 0.85,
|
|
299
|
+
};
|
|
300
|
+
}
|
|
301
|
+
}
|
|
302
|
+
return { matched: false, confidence: 0 };
|
|
303
|
+
}
|
|
304
|
+
/**
|
|
305
|
+
* Comprehensive cloud upload matching
|
|
306
|
+
*/
|
|
307
|
+
export function matchCloudUpload(text) {
|
|
308
|
+
// Try AWS S3
|
|
309
|
+
const awsResult = matchAwsS3Upload(text);
|
|
310
|
+
if (awsResult.matched) {
|
|
311
|
+
return awsResult;
|
|
312
|
+
}
|
|
313
|
+
// Try GCP Storage
|
|
314
|
+
const gcpResult = matchGcpUpload(text);
|
|
315
|
+
if (gcpResult.matched) {
|
|
316
|
+
return gcpResult;
|
|
317
|
+
}
|
|
318
|
+
// Try Azure Storage
|
|
319
|
+
const azureResult = matchAzureUpload(text);
|
|
320
|
+
if (azureResult.matched) {
|
|
321
|
+
return azureResult;
|
|
322
|
+
}
|
|
323
|
+
// Try Rclone
|
|
324
|
+
const rcloneResult = matchRcloneUpload(text);
|
|
325
|
+
if (rcloneResult.matched) {
|
|
326
|
+
return rcloneResult;
|
|
327
|
+
}
|
|
328
|
+
// Try other S3-compatible
|
|
329
|
+
const otherResult = matchOtherCloudUpload(text);
|
|
330
|
+
if (otherResult.matched) {
|
|
331
|
+
return otherResult;
|
|
332
|
+
}
|
|
333
|
+
// Try SDK patterns
|
|
334
|
+
const sdkResult = matchCloudSdkUpload(text);
|
|
335
|
+
if (sdkResult.matched) {
|
|
336
|
+
return sdkResult;
|
|
337
|
+
}
|
|
338
|
+
return { matched: false, confidence: 0 };
|
|
339
|
+
}
|
|
340
|
+
/**
|
|
341
|
+
* Cloud upload detector class
|
|
342
|
+
*/
|
|
343
|
+
export class CloudUploadDetector {
|
|
344
|
+
severity;
|
|
345
|
+
constructor(severity = 'high') {
|
|
346
|
+
this.severity = severity;
|
|
347
|
+
}
|
|
348
|
+
/**
|
|
349
|
+
* Extract text content from tool context
|
|
350
|
+
*/
|
|
351
|
+
extractContent(context) {
|
|
352
|
+
const input = context.toolInput;
|
|
353
|
+
// Direct command field
|
|
354
|
+
if (typeof input.command === 'string') {
|
|
355
|
+
return input.command;
|
|
356
|
+
}
|
|
357
|
+
// Shell/bash command field
|
|
358
|
+
if (typeof input.shell === 'string') {
|
|
359
|
+
return input.shell;
|
|
360
|
+
}
|
|
361
|
+
if (typeof input.bash === 'string') {
|
|
362
|
+
return input.bash;
|
|
363
|
+
}
|
|
364
|
+
// Script field
|
|
365
|
+
if (typeof input.script === 'string') {
|
|
366
|
+
return input.script;
|
|
367
|
+
}
|
|
368
|
+
// Code field
|
|
369
|
+
if (typeof input.code === 'string') {
|
|
370
|
+
return input.code;
|
|
371
|
+
}
|
|
372
|
+
// Text content
|
|
373
|
+
if (typeof input.text === 'string') {
|
|
374
|
+
return input.text;
|
|
375
|
+
}
|
|
376
|
+
// Content field
|
|
377
|
+
if (typeof input.content === 'string') {
|
|
378
|
+
return input.content;
|
|
379
|
+
}
|
|
380
|
+
// Body field
|
|
381
|
+
if (typeof input.body === 'string') {
|
|
382
|
+
return input.body;
|
|
383
|
+
}
|
|
384
|
+
return null;
|
|
385
|
+
}
|
|
386
|
+
detect(context) {
|
|
387
|
+
const content = this.extractContent(context);
|
|
388
|
+
if (!content) {
|
|
389
|
+
return null;
|
|
390
|
+
}
|
|
391
|
+
const result = matchCloudUpload(content);
|
|
392
|
+
if (!result.matched) {
|
|
393
|
+
return null;
|
|
394
|
+
}
|
|
395
|
+
const providerNames = {
|
|
396
|
+
aws: 'AWS S3',
|
|
397
|
+
gcp: 'Google Cloud Storage',
|
|
398
|
+
azure: 'Azure Blob Storage',
|
|
399
|
+
rclone: 'Cloud (via rclone)',
|
|
400
|
+
's3-compatible': 'S3-compatible storage',
|
|
401
|
+
unknown: 'Cloud storage',
|
|
402
|
+
};
|
|
403
|
+
const providerName = providerNames[result.provider || 'unknown'] || result.provider;
|
|
404
|
+
const destInfo = result.destination ? ` to ${result.destination}` : '';
|
|
405
|
+
const srcInfo = result.dataSource ? ` (source: ${result.dataSource})` : '';
|
|
406
|
+
return {
|
|
407
|
+
detected: true,
|
|
408
|
+
category: 'exfiltration',
|
|
409
|
+
severity: this.severity,
|
|
410
|
+
confidence: result.confidence,
|
|
411
|
+
reason: `Cloud upload detected: ${result.operation} via ${providerName}${destInfo}${srcInfo}`,
|
|
412
|
+
metadata: {
|
|
413
|
+
method: 'cloud',
|
|
414
|
+
destination: result.destination,
|
|
415
|
+
dataSource: result.dataSource,
|
|
416
|
+
command: result.command,
|
|
417
|
+
},
|
|
418
|
+
};
|
|
419
|
+
}
|
|
420
|
+
}
|
|
421
|
+
/**
|
|
422
|
+
* Create a cloud upload detector with the given severity
|
|
423
|
+
*/
|
|
424
|
+
export function createCloudUploadDetector(severity = 'high') {
|
|
425
|
+
return new CloudUploadDetector(severity);
|
|
426
|
+
}
|
|
427
|
+
//# sourceMappingURL=cloud-detector.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"cloud-detector.js","sourceRoot":"","sources":["../../../../src/detectors/exfiltration/cloud-detector.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAUH;;;GAGG;AACH,MAAM,sBAAsB,GAAG;IAC7B,mCAAmC;IACnC;QACE,OAAO,EAAE,0DAA0D;QACnE,SAAS,EAAE,OAAO;QAClB,WAAW,EAAE,eAAe;KAC7B;IACD,mCAAmC;IACnC;QACE,OAAO,EAAE,0DAA0D;QACnE,SAAS,EAAE,OAAO;QAClB,WAAW,EAAE,oBAAoB;KAClC;IACD,oCAAoC;IACpC;QACE,OAAO,EAAE,4DAA4D;QACrE,SAAS,EAAE,SAAS;QACpB,WAAW,EAAE,oBAAoB;KAClC;IACD,uBAAuB;IACvB;QACE,OAAO,EAAE,+EAA+E;QACxF,SAAS,EAAE,kBAAkB;QAC7B,WAAW,EAAE,mBAAmB;KACjC;IACD,yCAAyC;IACzC;QACE,OAAO,EAAE,+EAA+E;QACxF,SAAS,EAAE,kBAAkB;QAC7B,WAAW,EAAE,mBAAmB;KACjC;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,mBAAmB,GAAG;IAC1B,mCAAmC;IACnC;QACE,OAAO,EAAE,gFAAgF;QACzF,SAAS,EAAE,WAAW;QACtB,WAAW,EAAE,oBAAoB;KAClC;IACD,mCAAmC;IACnC;QACE,OAAO,EAAE,kEAAkE;QAC3E,SAAS,EAAE,WAAW;QACtB,WAAW,EAAE,yBAAyB;KACvC;IACD,qCAAqC;IACrC;QACE,OAAO,EAAE,oFAAoF;QAC7F,SAAS,EAAE,cAAc;QACzB,WAAW,EAAE,0BAA0B;KACxC;IACD,oBAAoB;IACpB;QACE,OAAO,EAAE,+EAA+E;QACxF,SAAS,EAAE,mBAAmB;QAC9B,WAAW,EAAE,oBAAoB;KAClC;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,qBAAqB,GAAG;IAC5B,+DAA+D;IAC/D;QACE,OAAO,EAAE,+FAA+F;QACxG,SAAS,EAAE,aAAa;QACxB,WAAW,EAAE,mBAAmB;KACjC;IACD,8DAA8D;IAC9D;QACE,OAAO,EAAE,+FAA+F;QACxG,SAAS,EAAE,aAAa;QACxB,WAAW,EAAE,wBAAwB;KACtC;IACD,yBAAyB;IACzB;QACE,OAAO,EAAE,kEAAkE;QAC3E,SAAS,EAAE,wBAAwB;QACnC,WAAW,EAAE,uBAAuB;KACrC;IACD,+BAA+B;IAC/B;QACE,OAAO,EAAE,0EAA0E;QACnF,SAAS,EAAE,8BAA8B;QACzC,WAAW,EAAE,wBAAwB;KACtC;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,sBAAsB,GAAG;IAC7B,gCAAgC;IAChC;QACE,OAAO,EAAE,wEAAwE;QACjF,SAAS,EAAE,QAAQ;QACnB,WAAW,EAAE,qBAAqB;KACnC;IACD,kCAAkC;IAClC;QACE,OAAO,EAAE,4DAA4D;QACrE,SAAS,EAAE,eAAe;QAC1B,WAAW,EAAE,qBAAqB;KACnC;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,oBAAoB,GAAG;IAC3B,4BAA4B;IAC5B;QACE,OAAO,EAAE,6CAA6C;QACtD,SAAS,EAAE,WAAW;QACtB,WAAW,EAAE,sBAAsB;KACpC;IACD,uBAAuB;IACvB;QACE,OAAO,EAAE,sDAAsD;QAC/D,SAAS,EAAE,OAAO;QAClB,WAAW,EAAE,qBAAqB;KACnC;IACD,gCAAgC;IAChC;QACE,OAAO,EAAE,2DAA2D;QACpE,SAAS,EAAE,WAAW;QACtB,WAAW,EAAE,qBAAqB;KACnC
;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,kBAAkB,GAAG;IACzB,qCAAqC;IACrC;QACE,OAAO,EAAE,qEAAqE;QAC9E,SAAS,EAAE,mBAAmB;QAC9B,WAAW,EAAE,gBAAgB;KAC9B;IACD,0BAA0B;IAC1B;QACE,OAAO,EAAE,yDAAyD;QAClE,SAAS,EAAE,kBAAkB;QAC7B,WAAW,EAAE,oBAAoB;KAClC;IACD,iCAAiC;IACjC;QACE,OAAO,EAAE,oDAAoD;QAC7D,SAAS,EAAE,0BAA0B;QACrC,WAAW,EAAE,gBAAgB;KAC9B;IACD,0BAA0B;IAC1B;QACE,OAAO,EAAE,qBAAqB;QAC9B,SAAS,EAAE,mBAAmB;QAC9B,WAAW,EAAE,kBAAkB;KAChC;IACD,wCAAwC;IACxC;QACE,OAAO,EAAE,+CAA+C;QACxD,SAAS,EAAE,gBAAgB;QAC3B,WAAW,EAAE,2BAA2B;KACzC;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAAe;IAC9C,KAAK,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,sBAAsB,EAAE,CAAC;QAC5D,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACrC,IAAI,KAAK,EAAE,CAAC;YACV,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,OAAO;gBACP,QAAQ,EAAE,KAAK;gBACf,SAAS;gBACT,UAAU,EAAE,KAAK,CAAC,CAAC,CAAC;gBACpB,WAAW,EAAE,KAAK,CAAC,CAAC,CAAC;gBACrB,UAAU,EAAE,IAAI;aACjB,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,OAAe;IAC5C,KAAK,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,mBAAmB,EAAE,CAAC;QACzD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACrC,IAAI,KAAK,EAAE,CAAC;YACV,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,OAAO;gBACP,QAAQ,EAAE,KAAK;gBACf,SAAS;gBACT,UAAU,EAAE,KAAK,CAAC,CAAC,CAAC;gBACpB,WAAW,EAAE,KAAK,CAAC,CAAC,CAAC;gBACrB,UAAU,EAAE,IAAI;aACjB,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAAe;IAC9C,KAAK,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,qBAAqB,EAAE,CAAC;QAC3D,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACrC,IAAI,KAAK,EAAE,CAAC;YACV,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,OAAO;gBACP,QAAQ,EAAE,OAAO;gBACjB,SAAS;gBACT,UAAU,EAAE,KAAK,CAAC,CAAC,CAAC;gBACpB,WAAW,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,oBAAoB;gBAC7C,UAAU,EAAE,IAAI;aACjB,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,OAAe;IAC/C,KAAK,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,sBAAsB,E
AAE,CAAC;QAC5D,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACrC,IAAI,KAAK,EAAE,CAAC;YACV,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,OAAO;gBACP,QAAQ,EAAE,QAAQ;gBAClB,SAAS;gBACT,UAAU,EAAE,KAAK,CAAC,CAAC,CAAC;gBACpB,WAAW,EAAE,KAAK,CAAC,CAAC,CAAC;gBACrB,UAAU,EAAE,GAAG;aAChB,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CAAC,OAAe;IACnD,KAAK,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,oBAAoB,EAAE,CAAC;QAC1D,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACrC,IAAI,KAAK,EAAE,CAAC;YACV,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,OAAO;gBACP,QAAQ,EAAE,eAAe;gBACzB,SAAS;gBACT,UAAU,EAAE,KAAK,CAAC,CAAC,CAAC;gBACpB,WAAW,EAAE,KAAK,CAAC,CAAC,CAAC;gBACrB,UAAU,EAAE,GAAG;aAChB,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,IAAY;IAC9C,KAAK,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,kBAAkB,EAAE,CAAC;QACxD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAClC,IAAI,KAAK,EAAE,CAAC;YACV,IAAI,QAAQ,GAAG,SAAS,CAAC;YACzB,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC7D,QAAQ,GAAG,KAAK,CAAC;YACnB,CAAC;iBAAM,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;gBACrC,QAAQ,GAAG,KAAK,CAAC;YACnB,CAAC;iBAAM,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;gBACvC,QAAQ,GAAG,OAAO,CAAC;YACrB,CAAC;YAED,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,OAAO,EAAE,IAAI;gBACb,QAAQ;gBACR,SAAS;gBACT,UAAU,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,SAAS;gBACjC,WAAW,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,SAAS;gBAClC,UAAU,EAAE,IAAI;aACjB,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,IAAY;IAC3C,aAAa;IACb,MAAM,SAAS,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;IACzC,IAAI,SAAS,CAAC,OAAO,EAAE,CAAC;QACtB,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,kBAAkB;IAClB,MAAM,SAAS,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;IACvC,IAAI,SAAS,CAAC,OAAO,EAAE,CAAC;QACtB,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,oBAAoB;IACpB,MAAM,WAAW,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;IAC3C,IAAI,
WAAW,CAAC,OAAO,EAAE,CAAC;QACxB,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,aAAa;IACb,MAAM,YAAY,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;IAC7C,IAAI,YAAY,CAAC,OAAO,EAAE,CAAC;QACzB,OAAO,YAAY,CAAC;IACtB,CAAC;IAED,0BAA0B;IAC1B,MAAM,WAAW,GAAG,qBAAqB,CAAC,IAAI,CAAC,CAAC;IAChD,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;QACxB,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,mBAAmB;IACnB,MAAM,SAAS,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;IAC5C,IAAI,SAAS,CAAC,OAAO,EAAE,CAAC;QACtB,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,MAAM,OAAO,mBAAmB;IACtB,QAAQ,CAAW;IAE3B,YAAY,WAAqB,MAAM;QACrC,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;IAED;;OAEG;IACK,cAAc,CAAC,OAAyB;QAC9C,MAAM,KAAK,GAAG,OAAO,CAAC,SAAS,CAAC;QAEhC,uBAAuB;QACvB,IAAI,OAAO,KAAK,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;YACtC,OAAO,KAAK,CAAC,OAAO,CAAC;QACvB,CAAC;QAED,2BAA2B;QAC3B,IAAI,OAAO,KAAK,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YACpC,OAAO,KAAK,CAAC,KAAK,CAAC;QACrB,CAAC;QAED,IAAI,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACnC,OAAO,KAAK,CAAC,IAAI,CAAC;QACpB,CAAC;QAED,eAAe;QACf,IAAI,OAAO,KAAK,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;YACrC,OAAO,KAAK,CAAC,MAAM,CAAC;QACtB,CAAC;QAED,aAAa;QACb,IAAI,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACnC,OAAO,KAAK,CAAC,IAAI,CAAC;QACpB,CAAC;QAED,eAAe;QACf,IAAI,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACnC,OAAO,KAAK,CAAC,IAAI,CAAC;QACpB,CAAC;QAED,gBAAgB;QAChB,IAAI,OAAO,KAAK,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;YACtC,OAAO,KAAK,CAAC,OAAO,CAAC;QACvB,CAAC;QAED,aAAa;QACb,IAAI,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACnC,OAAO,KAAK,CAAC,IAAI,CAAC;QACpB,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,OAAyB;QAC9B,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;QAC7C,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,MAAM,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;QAEzC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,aAAa,GAA2B;YAC5C,GAAG,EAAE,QAAQ;YACb,GAAG,EAAE,sBAAsB;YAC3B,KAAK,EAAE,oBAAoB;YAC3B,MAAM,EAAE,oBAAoB;YAC5B,eAAe,EAAE,uBAAuB;YACxC,OAAO,EAAE,eAAe;SACzB,CAAC;QAEF,MAAM,YAAY,GAAG,aAAa,CAAC,MA
AM,CAAC,QAAQ,IAAI,SAAS,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC;QACpF,MAAM,QAAQ,GAAG,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,OAAO,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACvE,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,aAAa,MAAM,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;QAE3E,OAAO;YACL,QAAQ,EAAE,IAAI;YACd,QAAQ,EAAE,cAAc;YACxB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,MAAM,EAAE,0BAA0B,MAAM,CAAC,SAAS,QAAQ,YAAY,GAAG,QAAQ,GAAG,OAAO,EAAE;YAC7F,QAAQ,EAAE;gBACR,MAAM,EAAE,OAAO;gBACf,WAAW,EAAE,MAAM,CAAC,WAAW;gBAC/B,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,OAAO,EAAE,MAAM,CAAC,OAAO;aACxB;SACF,CAAC;IACJ,CAAC;CACF;AAED;;GAEG;AACH,MAAM,UAAU,yBAAyB,CAAC,WAAqB,MAAM;IACnE,OAAO,IAAI,mBAAmB,CAAC,QAAQ,CAAC,CAAC;AAC3C,CAAC"}
|
|
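--- a/package/dist/src/detectors/exfiltration/http-detector.d.ts
+++ b/package/dist/src/detectors/exfiltration/http-detector.d.ts
@@ -0,0 +1,47 @@
+/**
+* HTTP Exfiltration Detector
+* Detects HTTP POST/PUT requests that send data to external destinations
+*/
+import type { HttpMatchResult, DetectionContext, ExfiltrationDetectionResult, SubDetector } from './types.js';
+import type { Severity } from '../../config/index.js';
+/**
+* Match curl POST/PUT commands
+*/
+export declare function matchCurlCommand(command: string): HttpMatchResult;
+/**
+* Match wget POST commands
+*/
+export declare function matchWgetCommand(command: string): HttpMatchResult;
+/**
+* Match httpie commands
+*/
+export declare function matchHttpieCommand(command: string): HttpMatchResult;
+/**
+* Match HTTP client library patterns in code
+*/
+export declare function matchCodeHttpPattern(code: string): HttpMatchResult;
+/**
+* Match encoded exfiltration patterns
+*/
+export declare function matchEncodedExfiltration(command: string): HttpMatchResult;
+/**
+* Comprehensive HTTP exfiltration matching
+*/
+export declare function matchHttpExfiltration(text: string): HttpMatchResult;
+/**
+* HTTP exfiltration detector class
+*/
+export declare class HttpDetector implements SubDetector {
+private severity;
+constructor(severity?: Severity);
+/**
+* Extract text content from tool context
+*/
+private extractContent;
+detect(context: DetectionContext): ExfiltrationDetectionResult | null;
+}
+/**
+* Create an HTTP detector with the given severity
+*/
+export declare function createHttpDetector(severity?: Severity): HttpDetector;
+//# sourceMappingURL=http-detector.d.ts.map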
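Review bot: `HttpDetector.detect()` carries no doc comment, although every exported function in this file has one, and its `ExfiltrationDetectionResult | null` return type does not say what `null` means. In `CloudUploadDetector.detect` earlier in this package diff, `null` is returned both when no string field could be extracted from `context.toolInput` and when the extracted text matched no pattern. If `HttpDetector` has the same shape (its body is not visible in this declaration file), a caller or audit log cannot tell "nothing was inspected" from "inspected, nothing found". Because this file is emitted from `http-detector.ts`, the comment belongs in that source, for example `/** Returns null when no inspectable text was found in the context or when no pattern matched; null is not evidence that the input was checked. */`.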
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"http-detector.d.ts","sourceRoot":"","sources":["../../../../src/detectors/exfiltration/http-detector.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EACV,eAAe,EACf,gBAAgB,EAChB,2BAA2B,EAC3B,WAAW,EACZ,MAAM,YAAY,CAAC;AACpB,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AAmOtD;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,eAAe,CAgBjE;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,eAAe,CAgBjE;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,eAAe,CAenE;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,eAAe,CAmBlE;AAED;;GAEG;AACH,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,GAAG,eAAe,CAgBzE;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,MAAM,GAAG,eAAe,CAgCnE;AAED;;GAEG;AACH,qBAAa,YAAa,YAAW,WAAW;IAC9C,OAAO,CAAC,QAAQ,CAAW;gBAEf,QAAQ,GAAE,QAAiB;IAIvC;;OAEG;IACH,OAAO,CAAC,cAAc;IA6CtB,MAAM,CAAC,OAAO,EAAE,gBAAgB,GAAG,2BAA2B,GAAG,IAAI;CA6BtE;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,GAAE,QAAiB,GAAG,YAAY,CAE5E"}
|