opencode-api-security-testing 3.0.7 → 3.0.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +5 -1
- package/src/hooks/directory-agents-injector.ts +10 -6
- package/src/index.ts +18 -27
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "opencode-api-security-testing",
|
|
3
|
-
"version": "3.0.
|
|
3
|
+
"version": "3.0.8",
|
|
4
4
|
"description": "API Security Testing Plugin for OpenCode - Automated vulnerability scanning and penetration testing",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "src/index.ts",
|
|
@@ -39,5 +39,9 @@
|
|
|
39
39
|
"dependencies": {
|
|
40
40
|
"@opencode-ai/plugin": "^1.1.19",
|
|
41
41
|
"@opencode-ai/sdk": "^1.1.19"
|
|
42
|
+
},
|
|
43
|
+
"devDependencies": {
|
|
44
|
+
"@types/node": "^25.5.2",
|
|
45
|
+
"typescript": "^6.0.2"
|
|
42
46
|
}
|
|
43
47
|
}
|
|
@@ -1,18 +1,24 @@
|
|
|
1
1
|
import type { PluginInput } from "@opencode-ai/plugin";
|
|
2
|
-
import { existsSync, readFileSync } from "
|
|
3
|
-
import { dirname, join, resolve } from "
|
|
2
|
+
import { existsSync, readFileSync } from "fs";
|
|
3
|
+
import { dirname, join, resolve } from "path";
|
|
4
4
|
|
|
5
5
|
const AGENTS_FILENAME = "AGENTS.md";
|
|
6
6
|
const AGENTS_DIR = ".config/opencode/agents";
|
|
7
7
|
|
|
8
|
+
function getHomeDir(): string {
|
|
9
|
+
return process.env.HOME || process.env.USERPROFILE || "/root";
|
|
10
|
+
}
|
|
11
|
+
|
|
8
12
|
export function createDirectoryAgentsInjectorHook(ctx: PluginInput) {
|
|
13
|
+
const injectedPaths = new Set<string>();
|
|
14
|
+
|
|
9
15
|
function resolveAgentsDir(): string | null {
|
|
10
|
-
const home =
|
|
11
|
-
if (!home) return null;
|
|
16
|
+
const home = getHomeDir();
|
|
12
17
|
return join(home, AGENTS_DIR);
|
|
13
18
|
}
|
|
14
19
|
|
|
15
20
|
function findAgentsMdUp(startDir: string, agentsDir: string): string | null {
|
|
21
|
+
const home = getHomeDir();
|
|
16
22
|
let current = startDir;
|
|
17
23
|
|
|
18
24
|
while (true) {
|
|
@@ -35,8 +41,6 @@ export function createDirectoryAgentsInjectorHook(ctx: PluginInput) {
|
|
|
35
41
|
return `api-sec-inject-${sessionID}`;
|
|
36
42
|
}
|
|
37
43
|
|
|
38
|
-
const injectedPaths = new Set<string>();
|
|
39
|
-
|
|
40
44
|
const toolExecuteAfter = async (
|
|
41
45
|
input: { tool: string; sessionID: string; callID: string },
|
|
42
46
|
output: { title: string; output: string; metadata: unknown }
|
package/src/index.ts
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import type { Plugin } from "@opencode-ai/plugin";
|
|
2
2
|
import { tool } from "@opencode-ai/plugin";
|
|
3
|
-
import { join } from "path";
|
|
3
|
+
import { join, dirname, resolve } from "path";
|
|
4
4
|
import { existsSync, readFileSync } from "fs";
|
|
5
5
|
|
|
6
6
|
const SKILL_DIR = "skills/api-security-testing";
|
|
@@ -54,6 +54,12 @@ To activate these agents, simply mention their name in your response (e.g., "@ap
|
|
|
54
54
|
}
|
|
55
55
|
}
|
|
56
56
|
|
|
57
|
+
async function execShell(ctx: unknown, cmd: string): Promise<string> {
|
|
58
|
+
const shell = ctx as { $: (strings: TemplateStringsArray, ...expr: unknown[]) => Promise<{ toString(): string }> };
|
|
59
|
+
const result = await shell.$`${cmd}`;
|
|
60
|
+
return result.toString();
|
|
61
|
+
}
|
|
62
|
+
|
|
57
63
|
const ApiSecurityTestingPlugin: Plugin = async (ctx) => {
|
|
58
64
|
console.log("[api-security-testing] Plugin loaded");
|
|
59
65
|
|
|
@@ -78,8 +84,7 @@ tester = DeepAPITesterV55(target='${args.target}', headless=True)
|
|
|
78
84
|
results = tester.run_test()
|
|
79
85
|
print(results)
|
|
80
86
|
"`;
|
|
81
|
-
|
|
82
|
-
return result.toString();
|
|
87
|
+
return await execShell(ctx, cmd);
|
|
83
88
|
},
|
|
84
89
|
}),
|
|
85
90
|
|
|
@@ -100,8 +105,7 @@ fuzzer = APIFuzzer('${args.endpoint}')
|
|
|
100
105
|
results = fuzzer.fuzz(method='${args.method || 'GET'}')
|
|
101
106
|
print(results)
|
|
102
107
|
"`;
|
|
103
|
-
|
|
104
|
-
return result.toString();
|
|
108
|
+
return await execShell(ctx, cmd);
|
|
105
109
|
},
|
|
106
110
|
}),
|
|
107
111
|
|
|
@@ -122,8 +126,7 @@ verifier = VulnVerifier()
|
|
|
122
126
|
result = verifier.verify('${args.vuln_type}', '${args.endpoint}')
|
|
123
127
|
print(result)
|
|
124
128
|
"`;
|
|
125
|
-
|
|
126
|
-
return result.toString();
|
|
129
|
+
return await execShell(ctx, cmd);
|
|
127
130
|
},
|
|
128
131
|
}),
|
|
129
132
|
|
|
@@ -145,8 +148,7 @@ print(f'发现 {len(endpoints)} 个端点:')
|
|
|
145
148
|
for ep in endpoints:
|
|
146
149
|
print(ep)
|
|
147
150
|
"`;
|
|
148
|
-
|
|
149
|
-
return result.toString();
|
|
151
|
+
return await execShell(ctx, cmd);
|
|
150
152
|
},
|
|
151
153
|
}),
|
|
152
154
|
|
|
@@ -166,8 +168,7 @@ parser = JSParser()
|
|
|
166
168
|
endpoints = parser.parse_file('${args.file_path}')
|
|
167
169
|
print(f'从 JS 发现 {len(endpoints)} 个端点')
|
|
168
170
|
"`;
|
|
169
|
-
|
|
170
|
-
return result.toString();
|
|
171
|
+
return await execShell(ctx, cmd);
|
|
171
172
|
},
|
|
172
173
|
}),
|
|
173
174
|
|
|
@@ -187,8 +188,7 @@ analyzer = SmartAnalyzer()
|
|
|
187
188
|
result = analyzer.graphql_test('${args.endpoint}')
|
|
188
189
|
print(result)
|
|
189
190
|
"`;
|
|
190
|
-
|
|
191
|
-
return result.toString();
|
|
191
|
+
return await execShell(ctx, cmd);
|
|
192
192
|
},
|
|
193
193
|
}),
|
|
194
194
|
|
|
@@ -208,8 +208,7 @@ tester = CloudStorageTester()
|
|
|
208
208
|
result = tester.full_test('${args.bucket_url}')
|
|
209
209
|
print(result)
|
|
210
210
|
"`;
|
|
211
|
-
|
|
212
|
-
return result.toString();
|
|
211
|
+
return await execShell(ctx, cmd);
|
|
213
212
|
},
|
|
214
213
|
}),
|
|
215
214
|
|
|
@@ -230,8 +229,7 @@ tester = IDORTester()
|
|
|
230
229
|
result = tester.test('${args.endpoint}', '${args.resource_id}')
|
|
231
230
|
print(result)
|
|
232
231
|
"`;
|
|
233
|
-
|
|
234
|
-
return result.toString();
|
|
232
|
+
return await execShell(ctx, cmd);
|
|
235
233
|
},
|
|
236
234
|
}),
|
|
237
235
|
|
|
@@ -252,8 +250,7 @@ tester = SQLiTester()
|
|
|
252
250
|
result = tester.test('${args.endpoint}', '${args.param}')
|
|
253
251
|
print(result)
|
|
254
252
|
"`;
|
|
255
|
-
|
|
256
|
-
return result.toString();
|
|
253
|
+
return await execShell(ctx, cmd);
|
|
257
254
|
},
|
|
258
255
|
}),
|
|
259
256
|
|
|
@@ -273,8 +270,7 @@ tester = AuthTester()
|
|
|
273
270
|
result = tester.test('${args.endpoint}')
|
|
274
271
|
print(result)
|
|
275
272
|
"`;
|
|
276
|
-
|
|
277
|
-
return result.toString();
|
|
273
|
+
return await execShell(ctx, cmd);
|
|
278
274
|
},
|
|
279
275
|
}),
|
|
280
276
|
},
|
|
@@ -344,9 +340,4 @@ print(result)
|
|
|
344
340
|
};
|
|
345
341
|
};
|
|
346
342
|
|
|
347
|
-
|
|
348
|
-
if (filePath.startsWith("/")) return filePath;
|
|
349
|
-
return join(process.cwd(), filePath);
|
|
350
|
-
}
|
|
351
|
-
|
|
352
|
-
export default ApiSecurityTestingPlugin;
|
|
343
|
+
export default ApiSecurityTestingPlugin;
|