jaku.sh 1.0.0

package/src/core/logic/workflow-enforcer.js

@@ -0,0 +1,284 @@
+import { createFinding } from '../../utils/finding.js';
+
+/**
+ * WorkflowEnforcer — Tests that multi-step workflows enforce ordering.
+ *
+ * Probes:
+ * - Step skipping (jump to final step)
+ * - Form resubmission (submit same step twice)
+ * - State transition bypass (skip verification)
+ * - Direct access to confirmation pages
+ * - Back-button manipulation
+ */
+export class WorkflowEnforcer {
+    constructor(logger) {
+        this.logger = logger;
+
+        // Common final/sensitive steps
+        this.FINAL_STEP_PATTERNS = [
+            /\/confirm/i, /\/complete/i, /\/finalize/i, /\/success/i,
+            /\/receipt/i, /\/thank/i, /\/done/i, /\/result/i,
+            /step[_-]?(final|last|\d{2})/i,
+        ];
+
+        // Common intermediate steps that shouldn't be skippable
+        this.VERIFICATION_STEPS = [
+            /\/verify/i, /\/validate/i, /\/review/i, /\/otp/i,
+            /\/2fa/i, /\/mfa/i, /\/captcha/i, /\/consent/i,
+        ];
+    }
+
+    /**
+     * Test workflow enforcement.
+     */
+    async enforce(businessContext, surfaceInventory) {
+        const findings = [];
+
+        this.logger?.info?.('Workflow Enforcer: starting tests');
+
+        // 1. Test multi-step flow skipping
+        const flowFindings = await this._testFlowSkipping(businessContext, surfaceInventory);
+        findings.push(...flowFindings);
+
+        // 2. Test direct access to confirmation pages
+        const confirmFindings = await this._testDirectConfirmation(surfaceInventory);
+        findings.push(...confirmFindings);
+
+        // 3. Test verification step bypass
+        const verifyFindings = await this._testVerificationBypass(surfaceInventory);
+        findings.push(...verifyFindings);
+
+        // 4. Test form resubmission
+        const resubFindings = await this._testResubmission(businessContext);
+        findings.push(...resubFindings);
+
+        this.logger?.info?.(`Workflow Enforcer: found ${findings.length} issues`);
+        return findings;
+    }
+
+    /**
+     * Test if multi-step flows can be skipped.
+     */
+    async _testFlowSkipping(businessContext, surfaceInventory) {
+        const findings = [];
+        const flows = businessContext.multiStepFlows || [];
+        const baseUrl = this._getBaseUrl(surfaceInventory);
+        if (!baseUrl) return findings;
+
+        for (const flow of flows) {
+            if (flow.pages.length < 2) continue;
+
+            // Try to access the last step directly without doing previous steps
+            const lastStep = flow.pages[flow.pages.length - 1];
+            try {
+                const controller = new AbortController();
+                const timeout = setTimeout(() => controller.abort(), 5000);
+
+                const response = await fetch(lastStep, {
+                    method: 'GET',
+                    redirect: 'manual',
+                    signal: controller.signal,
+                });
+                clearTimeout(timeout);
+
+                if (response.status === 200) {
+                    const text = await response.text();
+                    if (text.length > 200 && !this._isRedirectPage(text)) {
+                        findings.push(createFinding({
+                            module: 'logic',
+                            title: 'Workflow Skip: Final Step Accessible Directly',
+                            severity: 'high',
+                            affected_surface: lastStep,
+                            description: `The final step of a multi-step flow (${lastStep}) is accessible without completing previous steps. An attacker can skip validation, payment, or verification steps.`,
+                            reproduction: [
+                                `1. Flow has ${flow.stepCount} steps: ${flow.pages.join(' → ')}`,
+                                `2. Navigate directly to the last step: ${lastStep}`,
+                                `3. The page loads without requiring prior step completion`,
+                            ],
+                            evidence: `Flow steps: ${flow.stepCount}\nDirect access: ${lastStep}\nStatus: ${response.status}`,
+                            remediation: 'Implement server-side session state tracking for multi-step flows. Verify that all previous steps are completed before allowing access to subsequent steps. Store progress in a server-side session, not client-side.',
+                        }));
+                    }
+                }
+            } catch {
+                continue;
+            }
+        }
+
+        return findings;
+    }
+
+    /**
+     * Test direct access to confirmation/success pages.
+     */
+    async _testDirectConfirmation(surfaceInventory) {
+        const findings = [];
+        const pages = surfaceInventory.pages || [];
+
+        for (const page of pages) {
+            const url = page.url || page;
+            const isFinalStep = this.FINAL_STEP_PATTERNS.some(p => p.test(url));
+            if (!isFinalStep) continue;
+
+            try {
+                const controller = new AbortController();
+                const timeout = setTimeout(() => controller.abort(), 5000);
+
+                const response = await fetch(url, {
+                    method: 'GET',
+                    redirect: 'manual',
+                    signal: controller.signal,
+                });
+                clearTimeout(timeout);
+
+                if (response.status === 200) {
+                    const text = await response.text();
+                    if (this._isConfirmationPage(text)) {
+                        findings.push(createFinding({
+                            module: 'logic',
+                            title: 'Workflow Bypass: Confirmation Page Directly Accessible',
+                            severity: 'medium',
+                            affected_surface: url,
+                            description: `Confirmation/success page at ${url} is directly accessible without completing the required workflow. This may allow bypassing payment, verification, or other critical steps.`,
+                            reproduction: [
+                                `1. Navigate directly to ${url}`,
+                                `2. Confirmation page loads without prior flow completion`,
+                            ],
+                            evidence: `URL: ${url}\nStatus: ${response.status}`,
+                            remediation: 'Verify server-side that the workflow was completed before showing confirmation pages. Use session tokens to track step completion.',
+                        }));
+                    }
+                }
+            } catch {
+                continue;
+            }
+        }
+
+        return findings;
+    }
+
+    /**
+     * Test if verification steps can be bypassed.
+     */
+    async _testVerificationBypass(surfaceInventory) {
+        const findings = [];
+        const pages = surfaceInventory.pages || [];
+
+        for (const page of pages) {
+            const url = page.url || page;
+            const isVerifyStep = this.VERIFICATION_STEPS.some(p => p.test(url));
+            if (!isVerifyStep) continue;
+
+            // Try to POST to the verification endpoint with empty/dummy data
+            try {
+                const controller = new AbortController();
+                const timeout = setTimeout(() => controller.abort(), 5000);
+
+                const response = await fetch(url, {
+                    method: 'POST',
+                    headers: { 'Content-Type': 'application/json' },
+                    body: JSON.stringify({ code: '000000', token: 'bypass', verified: true }),
+                    signal: controller.signal,
+                });
+                clearTimeout(timeout);
+
+                if (response.ok) {
+                    const text = await response.text();
+                    if (/success|verified|confirmed|valid/i.test(text)) {
+                        findings.push(createFinding({
+                            module: 'logic',
+                            title: 'Verification Bypass: Step Accepted Without Valid Input',
+                            severity: 'critical',
+                            affected_surface: url,
+                            description: `The verification step at ${url} accepted dummy data (code: "000000", verified: true). This allows bypassing OTP/2FA/captcha verification.`,
+                            reproduction: [
+                                `1. POST to ${url} with {"code": "000000", "verified": true}`,
+                                `2. Server responds with success`,
+                            ],
+                            evidence: `Response contained success indicators`,
+                            remediation: 'Validate verification codes server-side against stored values. Never trust client-supplied "verified" flags. Implement rate limiting on verification attempts.',
+                        }));
+                    }
+                }
+            } catch {
+                continue;
+            }
+        }
+
+        return findings;
+    }
+
+    /**
+     * Test form resubmission (idempotency).
+     */
+    async _testResubmission(businessContext) {
+        const findings = [];
+        const paymentForms = (businessContext.domains.payments || [])
+            .filter(s => s.type === 'form' || s.type === 'api');
+
+        for (const surface of paymentForms) {
+            const url = surface.url;
+            if (!url) continue;
+
+            try {
+                const body = { amount: 100, action: 'submit' };
+                const requests = [];
+
+                // Fire same request twice rapidly
+                for (let i = 0; i < 2; i++) {
+                    requests.push(
+                        fetch(url, {
+                            method: 'POST',
+                            headers: { 'Content-Type': 'application/json' },
+                            body: JSON.stringify(body),
+                            signal: AbortSignal.timeout(5000),
+                        }).then(r => ({ status: r.status, ok: r.ok })).catch(() => null)
+                    );
+                }
+
+                const results = await Promise.all(requests);
+                const successes = results.filter(r => r?.ok).length;
+
+                if (successes === 2) {
+                    findings.push(createFinding({
+                        module: 'logic',
+                        title: 'Duplicate Submission: No Idempotency Protection',
+                        severity: 'high',
+                        affected_surface: url,
+                        description: `Payment/transaction endpoint ${url} accepted the same request twice. This could lead to double charges or duplicate orders. No idempotency key or duplicate detection was observed.`,
+                        reproduction: [
+                            `1. Submit a POST to ${url}`,
+                            `2. Immediately submit the identical request again`,
+                            `3. Both requests succeed`,
+                        ],
+                        evidence: `Both requests returned success (${successes}/2 accepted)`,
+                        remediation: 'Implement idempotency keys for payment/transaction endpoints. Use unique request IDs and check for duplicates before processing. Add server-side deduplication with a short TTL cache.',
+                    }));
+                }
+            } catch {
+                continue;
+            }
+        }
+
+        return findings;
+    }
+
+    _getBaseUrl(surfaceInventory) {
+        const pages = surfaceInventory.pages || [];
+        if (pages.length === 0) return null;
+        try {
+            const parsed = new URL(pages[0].url || pages[0]);
+            return `${parsed.protocol}//${parsed.host}`;
+        } catch { return null; }
+    }
+
+    _isRedirectPage(text) {
+        return /redirect|location\.href|window\.location/i.test(text) && text.length < 500;
+    }
+
+    _isConfirmationPage(text) {
+        return /thank|success|confirmed|complete|receipt|order.*placed/i.test(text);
+    }
+}
+
+export default WorkflowEnforcer;

package/src/core/performance-checker.js

@@ -0,0 +1,204 @@
+import { chromium } from 'playwright';
+import { createFinding } from '../utils/finding.js';
+
+/**
+ * PerformanceChecker — Measures Core Web Vitals per page and reports regressions.
+ *
+ * Metrics:
+ * - LCP  (Largest Contentful Paint) — Good: <2.5s, Poor: >4s
+ * - CLS  (Cumulative Layout Shift)  — Good: <0.1, Poor: >0.25
+ * - TTFB (Time to First Byte)       — Good: <800ms, Poor: >1800ms
+ * - FCP  (First Contentful Paint)   — Good: <1.8s, Poor: >3s
+ * - TBT  (Total Blocking Time)      — Good: <200ms, Poor: >600ms
+ */
+export class PerformanceChecker {
+    // Google Core Web Vitals thresholds (ms, except CLS which is score)
+    static THRESHOLDS = {
+        LCP: { good: 2500, poor: 4000 },
+        FCP: { good: 1800, poor: 3000 },
+        TTFB: { good: 800, poor: 1800 },
+        TBT: { good: 200, poor: 600 },
+        CLS: { good: 0.1, poor: 0.25 },
+    };
+
+    constructor(config, logger) {
+        this.config = config;
+        this.logger = logger;
+    }
+
+    async check(surfaceInventory) {
+        const findings = [];
+        const pages = surfaceInventory.pages.filter(p => p.status < 400).slice(0, 15);
+
+        if (pages.length === 0) return findings;
+
+        const browser = await chromium.launch({
+            headless: true,
+            args: ['--no-sandbox', '--disable-setuid-sandbox'],
+        });
+
+        try {
+            for (const pageData of pages) {
+                const metrics = await this._measurePage(browser, pageData.url);
+                if (!metrics) continue;
+
+                const issues = this._evaluateMetrics(metrics, pageData.url);
+                findings.push(...issues);
+
+                this.logger?.debug?.(`Performance: ${pageData.url} — LCP:${metrics.LCP}ms FCP:${metrics.FCP}ms TTFB:${metrics.TTFB}ms CLS:${metrics.CLS}`);
+            }
+        } finally {
+            await browser.close();
+        }
+
+        this.logger?.info?.(`Performance Checker: found ${findings.length} issues`);
+        return findings;
+    }
+
+    async _measurePage(browser, url) {
+        const page = await browser.newPage({
+            viewport: { width: 1440, height: 900 },
+        });
+
+        try {
+            // Enable CDPSession for TBT/LCP metrics
+            const client = await page.context().newCDPSession(page);
+            await client.send('Performance.enable');
+
+            const startTime = Date.now();
+            await page.goto(url, { waitUntil: 'networkidle', timeout: 30000 });
+
+            // Give page time to fully paint
+            await page.waitForTimeout(2000);
+
+            const metrics = await page.evaluate(() => {
+                const perf = window.performance;
+                const navEntry = perf.getEntriesByType('navigation')[0];
+                const paintEntries = perf.getEntriesByType('paint');
+
+                const fcp = paintEntries.find(e => e.name === 'first-contentful-paint')?.startTime || null;
+
+                // LCP via PerformanceObserver (collected passively)
+                let lcp = null;
+                const lcpEntries = perf.getEntriesByType('largest-contentful-paint');
+                if (lcpEntries.length > 0) {
+                    lcp = lcpEntries[lcpEntries.length - 1].startTime;
+                }
+
+                // CLS via LayoutShift entries
+                let cls = 0;
+                let clsSessionValue = 0;
+                let clsSessionStart = 0;
+                let clsLastTimestamp = 0;
+                const layoutShiftEntries = perf.getEntriesByType('layout-shift');
+                for (const entry of layoutShiftEntries) {
+                    if (!entry.hadRecentInput) {
+                        if (entry.startTime - clsLastTimestamp > 5000 || entry.startTime - clsSessionStart > 1000) {
+                            clsSessionValue = entry.value;
+                            clsSessionStart = entry.startTime;
+                        } else {
+                            clsSessionValue += entry.value;
+                        }
+                        clsLastTimestamp = entry.startTime;
+                        if (clsSessionValue > cls) cls = clsSessionValue;
+                    }
+                }
+
+                // TBT via Long Tasks
+                let tbt = 0;
+                const longTasks = perf.getEntriesByType('longtask');
+                for (const task of longTasks) {
+                    if (task.duration > 50) tbt += task.duration - 50;
+                }
+
+                return {
+                    TTFB: navEntry ? Math.round(navEntry.responseStart - navEntry.requestStart) : null,
+                    FCP: fcp ? Math.round(fcp) : null,
+                    LCP: lcp ? Math.round(lcp) : null,
+                    CLS: Math.round(cls * 1000) / 1000,
+                    TBT: Math.round(tbt),
+                };
+            });
+
+            return metrics;
+        } catch (err) {
+            this.logger?.debug?.(`Performance measure failed for ${url}: ${err.message}`);
+            return null;
+        } finally {
+            await page.close();
+        }
+    }
+
+    _evaluateMetrics(metrics, url) {
+        const findings = [];
+        const thresholds = PerformanceChecker.THRESHOLDS;
+
+        const checks = [
+            { key: 'LCP', label: 'Largest Contentful Paint', unit: 'ms' },
+            { key: 'FCP', label: 'First Contentful Paint', unit: 'ms' },
+            { key: 'TTFB', label: 'Time to First Byte', unit: 'ms' },
+            { key: 'TBT', label: 'Total Blocking Time', unit: 'ms' },
+            { key: 'CLS', label: 'Cumulative Layout Shift', unit: '' },
+        ];
+
+        for (const { key, label, unit } of checks) {
+            const value = metrics[key];
+            if (value === null || value === undefined) continue;
+
+            const { good, poor } = thresholds[key];
+            if (value <= good) continue; // Passes — no finding
+
+            const isPoor = value > poor;
+            const severity = isPoor ? 'medium' : 'low';
+            const rating = isPoor ? 'Poor' : 'Needs Improvement';
+            const displayVal = unit === 'ms' ? `${value}${unit}` : String(value);
+            const goodDisplay = unit === 'ms' ? `${good}${unit}` : String(good);
+            const poorDisplay = unit === 'ms' ? `${poor}${unit}` : String(poor);
+
+            findings.push(createFinding({
+                module: 'qa',
+                title: `Performance: ${label} ${rating} (${displayVal}) — ${new URL(url).pathname}`,
+                severity,
+                affected_surface: url,
+                description: `The page at ${url} has a ${label} of ${displayVal}, which Google rates as "${rating}" (Good: <${goodDisplay}, Poor: >${poorDisplay}). ${this._getImpact(key, value)}`,
+                reproduction: [
+                    `1. Run Lighthouse on ${url}`,
+                    `2. Check ${label} in the Performance panel`,
+                    `3. Current value: ${displayVal}`,
+                ],
+                evidence: `${key}: ${displayVal} (Good: <${goodDisplay}, Poor: >${poorDisplay})\nFull metrics: ${JSON.stringify(metrics)}`,
+                remediation: this._getRemediation(key),
+                references: [
+                    'https://web.dev/articles/vitals',
+                    `https://web.dev/articles/${key.toLowerCase()}`,
+                ],
+            }));
+        }
+
+        return findings;
+    }
+
+    _getImpact(key, value) {
+        const impacts = {
+            LCP: 'Slow LCP typically indicates render-blocking resources, slow server response, or large unoptimized images. Google uses this as a Core Web Vital for search ranking.',
+            FCP: 'A slow FCP suggests excessive render-blocking CSS or scripts that prevent any content from appearing. Users may abandon the page before it loads.',
+            TTFB: 'A high TTFB indicates slow server processing, database queries, or CDN latency. Every other metric is blocked until the first byte arrives.',
+            TBT: 'High TBT means the main thread is blocked by long JavaScript tasks, making the page unresponsive to user input. Correlated with poor INP scores.',
+            CLS: 'A high CLS causes layout instability — content shifting after initial render. This degrades UX and is a Core Web Vital used in Google\'s search ranking.',
+        };
+        return impacts[key] || '';
+    }
+
+    _getRemediation(key) {
+        const remediations = {
+            LCP: 'Optimize LCP: use preload <link> for hero images, serve images in WebP/AVIF, reduce TTFB via edge caching, remove render-blocking CSS (inline critical CSS), use font-display: swap.',
+            FCP: 'Optimize FCP: eliminate render-blocking resources, minimize CSS and JS bundle sizes, use resource hints (preconnect, preload), defer non-critical scripts.',
+            TTFB: 'Optimize TTFB: use CDN edge caching, optimize database queries (add indexes, avoid N+1), implement server-side caching (Redis), reduce DNS lookup time.',
+            TBT: 'Reduce TBT: split large JavaScript bundles via code splitting, defer or async non-critical scripts, move heavy computation to Web Workers, minimize third-party script impact.',
+            CLS: 'Reduce CLS: always set explicit width/height on images and videos, use CSS aspect-ratio, avoid inserting content above existing content dynamically, use transform animations instead of layout-triggering properties.',
+        };
+        return remediations[key] || 'Follow Google\'s Core Web Vitals guidelines at web.dev/vitals.';
+    }
+}
+
+export default PerformanceChecker;