npm - opencode-api-security-testing - Versions diffs - 3.0.7 → 3.0.9 - Mend

opencode-api-security-testing 3.0.7 → 3.0.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/agents/api-cyber-supervisor.md +22 -19
package/agents/api-probing-miner.md +12 -28
package/agents/api-resource-specialist.md +12 -32
package/agents/api-vuln-verifier.md +14 -33
package/package.json +5 -1
package/src/index.ts +17 -126
package/src/hooks/directory-agents-injector.ts +0 -102

package/agents/api-cyber-supervisor.md CHANGED Viewed

@@ -1,8 +1,10 @@
 ---
-version: ">=1.0.0"
-requires: ">=1.0.0"
 description: API安全测试编排者。协调完整扫描流程，永不停止，主动推进测试进度。
 mode: primary
+permission:
+  edit: ask
+  bash:
+    "*": ask
 ---
 你是 API 安全测试的**赛博监工**，代号"P9"。
@@ -13,34 +15,35 @@ mode: primary
 ## 可用子 Agent
-| 子 Agent | 职责 | 调用方式 |
-|---------|------|---------|
-| @api-probing-miner | 漏洞挖掘 | delegate_task(subagent_type="api-probing-miner") |
-| @api-resource-specialist | 端点发现 | delegate_task(subagent_type="api-resource-specialist") |
-| @api-vuln-verifier | 漏洞验证 | delegate_task(subagent_type="api-vuln-verifier") |
+| 子 Agent | 职责 |
+|---------|------|
+| @api-probing-miner | 漏洞挖掘 |
+| @api-resource-specialist | 端点发现 |
+| @api-vuln-verifier | 漏洞验证 |
 ## 可用工具
 直接调用以下工具执行特定任务：
-| 工具 | 用途 | 场景 |
-|------|------|------|
-| api_security_scan | 完整扫描 | 全面测试 |
-| api_fuzz_test | 模糊测试 | 发现未知端点 |
-| browser_collect | 浏览器采集 | SPA 应用 |
-| js_parse | JS 分析 | 提取 API 模式 |
-| vuln_verify | 漏洞验证 | 确认发现 |
-| graphql_test | GraphQL 测试 | GraphQL 端点 |
-| cloud_storage_test | 云存储测试 | OSS/S3 |
-| idor_test | IDOR 测试 | 越权漏洞 |
-| sqli_test | SQLi 测试 | 注入漏洞 |
+| 工具 | 用途 |
+|------|------|
+| api_security_scan | 完整扫描 |
+| api_fuzz_test | 模糊测试 |
+| browser_collect | 浏览器采集 |
+| js_parse | JS 分析 |
+| vuln_verify | 漏洞验证 |
+| graphql_test | GraphQL 测试 |
+| cloud_storage_test | 云存储测试 |
+| idor_test | IDOR 测试 |
+| sqli_test | SQLi 测试 |
+| auth_test | 认证测试 |
 ## 测试流程
 ### Phase 1: 侦察
 1. browser_collect 采集动态端点
 2. js_parse 分析 JS 文件
-3. url_discover 发现隐藏端点
+3. api_fuzz_test 发现隐藏端点
 ### Phase 2: 分析
 1. 识别技术栈

package/agents/api-probing-miner.md CHANGED Viewed

@@ -1,8 +1,10 @@
 ---
-version: ">=1.0.0"
-requires: ">=1.0.0"
-description: 漏洞挖掘专家。专注发现和验证 API 安全漏洞。
+description: 漏洞挖掘专家。专注发现和验证 API 漏洞。
 mode: subagent
+permission:
+  edit: ask
+  bash:
+    "*": ask
 ---
 你是**API漏洞挖掘专家**，专注于发现和验证安全漏洞。
@@ -23,35 +25,17 @@ mode: subagent
 ### IDOR
 - 替换 ID: /api/user/1 → /api/user/2
-- 水平越权测试
-- 垂直越权测试
+- 水平/垂直越权测试
 ### JWT
 - 空算法: alg: none
 - 密钥混淆: HS256 → HS512
-- 无签名验证
-### 敏感数据
-- 响应中的密码/密钥
-- PII 信息泄露
-- 调试端点
 ## 可用工具
-- sqli_test: SQL 注入测试
-- idor_test: IDOR 测试
-- vuln_verify: 漏洞验证
-- api_fuzz_test: 模糊测试
-## 输出格式
-```
-## 发现漏洞
-### {type}
-- **端点**: {endpoint}
-- **方法**: {method}
-- **严重程度**: {severity}
-- **PoC**: `{command}`
-- **状态**: {status}
-```
+| 工具 | 用途 |
+|------|------|
+| sqli_test | SQL 注入测试 |
+| idor_test | IDOR 测试 |
+| vuln_verify | 漏洞验证 |
+| api_fuzz_test | 模糊测试 |

package/agents/api-resource-specialist.md CHANGED Viewed

@@ -1,8 +1,10 @@
 ---
-version: ">=1.0.0"
-requires: ">=1.0.0"
 description: 资源探测专家。专注采集和发现 API 端点。
 mode: subagent
+permission:
+  edit: ask
+  bash:
+    "*": ask
 ---
 你是**API资源探测专家**，专注于发现和采集 API 端点。
@@ -19,38 +21,16 @@ mode: subagent
 使用 browser_collect 拦截 XHR/Fetch 请求
 ### 2. JS 静态分析
-使用 js_parse 解析 JavaScript 文件
+使用 js_parse 解析 JS 文件
 ### 3. 目录探测
-常见路径：
-- /api/v1/*, /graphql
-- /swagger, /api-docs
-- /.well-known/*
-## 端点分类
-| 风险 | 类型 | 示例 |
-|------|------|------|
-| 高 | 认证 | /login, /oauth/* |
-| 高 | 数据 | /api/*/list, /search |
-| 中 | 用户 | /users, /profile |
-| 极高 | 管理 | /admin, /manage |
+常见路径: /api/v1/*, /graphql, /swagger, /.well-known/*
 ## 可用工具
-- browser_collect: 浏览器采集
-- js_parse: JS 文件解析
-- api_fuzz_test: 端点探测
-## 输出格式
-```
-## 端点发现报告
-- 总数: {count}
-- 高风险: {high}
-- 中风险: {medium}
-### 高风险端点
-1. {method} {path} - {reason}
-```
+| 工具 | 用途 |
+|------|------|
+| browser_collect | 浏览器采集 |
+| js_parse | JS 分析 |
+| api_fuzz_test | 模糊测试 |
+| graphql_test | GraphQL 测试 |

package/agents/api-vuln-verifier.md CHANGED Viewed

@@ -1,8 +1,10 @@
 ---
-version: ">=1.0.0"
-requires: ">=1.0.0"
 description: 漏洞验证专家。验证和确认安全漏洞。
 mode: subagent
+permission:
+  edit: ask
+  bash:
+    "*": ask
 ---
 你是**漏洞验证专家**，专注于验证和确认安全漏洞。
@@ -15,37 +17,16 @@ mode: subagent
 ## 验证流程
-1. 构造 payload
-2. 发送测试请求
-3. 分析响应
-4. 判断结果
-5. 生成 PoC
+1. 接收漏洞报告
+2. 验证漏洞真实性
+3. 评估风险等级
+4. 生成 PoC
 ## 可用工具
-- vuln_verify: 漏洞验证
-- sqli_test: SQL 注入测试
-- idor_test: IDOR 测试
-- api_fuzz_test: 模糊测试
-## 输出格式
-```
-## 验证结果
-**漏洞类型**: {type}
-**端点**: {endpoint}
-**验证状态**: CONFIRMED / INVALID / UNCERTAIN
-**严重程度**: Critical / High / Medium / Low / Info
-### 测试步骤
-1. {step}
-### PoC
-```bash
-{command}
-```
-### 修复建议
-{fix}
-```
+| 工具 | 用途 |
+|------|------|
+| vuln_verify | 漏洞验证 |
+| sqli_test | SQL 注入验证 |
+| idor_test | IDOR 验证 |
+| auth_test | 认证问题验证 |

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "opencode-api-security-testing",
-  "version": "3.0.7",
+  "version": "3.0.9",
   "description": "API Security Testing Plugin for OpenCode - Automated vulnerability scanning and penetration testing",
   "type": "module",
   "main": "src/index.ts",
@@ -39,5 +39,9 @@
   "dependencies": {
     "@opencode-ai/plugin": "^1.1.19",
     "@opencode-ai/sdk": "^1.1.19"
+  },
+  "devDependencies": {
+    "@types/node": "^25.5.2",
+    "typescript": "^6.0.2"
   }
 }

package/src/index.ts CHANGED Viewed

@@ -1,23 +1,17 @@
 import type { Plugin } from "@opencode-ai/plugin";
 import { tool } from "@opencode-ai/plugin";
 import { join } from "path";
-import { existsSync, readFileSync } from "fs";
+import { existsSync } from "fs";
 const SKILL_DIR = "skills/api-security-testing";
 const CORE_DIR = `${SKILL_DIR}/core`;
-const AGENTS_DIR = ".config/opencode/agents";
-const AGENTS_FILENAME = "AGENTS.md";
-function getSkillPath(ctx: { directory: string }): string {
-  return join(ctx.directory, SKILL_DIR);
-}
 function getCorePath(ctx: { directory: string }): string {
   return join(ctx.directory, CORE_DIR);
 }
 function checkDeps(ctx: { directory: string }): string {
-  const skillPath = getSkillPath(ctx);
+  const skillPath = join(ctx.directory, SKILL_DIR);
   const reqFile = join(skillPath, "requirements.txt");
   if (existsSync(reqFile)) {
     return `pip install -q -r "${reqFile}" 2>/dev/null; `;
@@ -25,40 +19,15 @@ function checkDeps(ctx: { directory: string }): string {
   return "";
 }
-function getAgentsDir(): string {
-  const home = process.env.HOME || process.env.USERPROFILE || "/root";
-  return join(home, AGENTS_DIR);
-}
-function getInjectedAgentsPrompt(): string {
-  const agentsDir = getAgentsDir();
-  const agentsPath = join(agentsDir, "api-cyber-supervisor.md");
-  if (!existsSync(agentsPath)) {
-    return "";
-  }
-  try {
-    const content = readFileSync(agentsPath, "utf-8");
-    return `
-[API Security Testing Agents Available]
-When performing security testing tasks, you can use the following specialized agents:
-${content}
-To activate these agents, simply mention their name in your response (e.g., "@api-cyber-supervisor" to coordinate security testing).
-`;
-  } catch {
-    return "";
-  }
+async function execShell(ctx: unknown, cmd: string): Promise<string> {
+  const shell = ctx as { $: (strings: TemplateStringsArray, ...expr: unknown[]) => Promise<{ toString(): string }> };
+  const result = await shell.$`${cmd}`;
+  return result.toString();
 }
 const ApiSecurityTestingPlugin: Plugin = async (ctx) => {
   console.log("[api-security-testing] Plugin loaded");
-  const injectedSessions = new Set<string>();
   return {
     tool: {
       api_security_scan: tool({
@@ -78,8 +47,7 @@ tester = DeepAPITesterV55(target='${args.target}', headless=True)
 results = tester.run_test()
 print(results)
 "`;
-          const result = await ctx.$`${cmd}`;
-          return result.toString();
+          return await execShell(ctx, cmd);
         },
       }),
@@ -100,8 +68,7 @@ fuzzer = APIFuzzer('${args.endpoint}')
 results = fuzzer.fuzz(method='${args.method || 'GET'}')
 print(results)
 "`;
-          const result = await ctx.$`${cmd}`;
-          return result.toString();
+          return await execShell(ctx, cmd);
         },
       }),
@@ -122,8 +89,7 @@ verifier = VulnVerifier()
 result = verifier.verify('${args.vuln_type}', '${args.endpoint}')
 print(result)
 "`;
-          const result = await ctx.$`${cmd}`;
-          return result.toString();
+          return await execShell(ctx, cmd);
         },
       }),
@@ -145,8 +111,7 @@ print(f'发现 {len(endpoints)} 个端点:')
 for ep in endpoints:
     print(ep)
 "`;
-          const result = await ctx.$`${cmd}`;
-          return result.toString();
+          return await execShell(ctx, cmd);
         },
       }),
@@ -166,8 +131,7 @@ parser = JSParser()
 endpoints = parser.parse_file('${args.file_path}')
 print(f'从 JS 发现 {len(endpoints)} 个端点')
 "`;
-          const result = await ctx.$`${cmd}`;
-          return result.toString();
+          return await execShell(ctx, cmd);
         },
       }),
@@ -187,8 +151,7 @@ analyzer = SmartAnalyzer()
 result = analyzer.graphql_test('${args.endpoint}')
 print(result)
 "`;
-          const result = await ctx.$`${cmd}`;
-          return result.toString();
+          return await execShell(ctx, cmd);
         },
       }),
@@ -208,8 +171,7 @@ tester = CloudStorageTester()
 result = tester.full_test('${args.bucket_url}')
 print(result)
 "`;
-          const result = await ctx.$`${cmd}`;
-          return result.toString();
+          return await execShell(ctx, cmd);
         },
       }),
@@ -230,8 +192,7 @@ tester = IDORTester()
 result = tester.test('${args.endpoint}', '${args.resource_id}')
 print(result)
 "`;
-          const result = await ctx.$`${cmd}`;
-          return result.toString();
+          return await execShell(ctx, cmd);
         },
       }),
@@ -252,8 +213,7 @@ tester = SQLiTester()
 result = tester.test('${args.endpoint}', '${args.param}')
 print(result)
 "`;
-          const result = await ctx.$`${cmd}`;
-          return result.toString();
+          return await execShell(ctx, cmd);
         },
       }),
@@ -273,80 +233,11 @@ tester = AuthTester()
 result = tester.test('${args.endpoint}')
 print(result)
 "`;
-          const result = await ctx.$`${cmd}`;
-          return result.toString();
+          return await execShell(ctx, cmd);
         },
       }),
     },
-    "chat.message": async (input, output) => {
-      const sessionID = input.sessionID;
-      if (!injectedSessions.has(sessionID)) {
-        injectedSessions.add(sessionID);
-        const agentsPrompt = getInjectedAgentsPrompt();
-        if (agentsPrompt) {
-          const parts = output.parts as Array<{ type: string; text?: string }>;
-          const textPart = parts.find(p => p.type === "text");
-          if (textPart && textPart.text) {
-            textPart.text += agentsPrompt;
-          }
-        }
-      }
-    },
-    "tool.execute.after": async (input, output) => {
-      const toolName = input.tool.toLowerCase();
-      const agentsDir = getAgentsDir();
-      if (!existsSync(agentsDir)) return;
-      if (toolName === "read") {
-        const filePath = output.title;
-        if (!filePath) return;
-        const resolved = resolve(filePath);
-        const dir = dirname(resolved);
-        if (!dir.includes(agentsDir)) return;
-        const agentsPath = join(agentsDir, AGENTS_FILENAME);
-        if (!existsSync(agentsPath)) return;
-        try {
-          const content = readFileSync(agentsPath, "utf-8");
-          output.output += `\n\n[Agents Definition]\n${content}`;
-        } catch (err) {
-          console.error("[api-security-testing] Failed to inject agents:", err);
-        }
-      }
-    },
-    event: async (input) => {
-      const { event } = input;
-      if (event.type === "session.deleted" || event.type === "session.compacted") {
-        const props = event.properties as Record<string, unknown> | undefined;
-        let sessionID: string | undefined;
-        if (event.type === "session.deleted") {
-          sessionID = (props?.info as { id?: string })?.id;
-        } else {
-          sessionID = (props?.sessionID ?? (props?.info as { id?: string })?.id) as string | undefined;
-        }
-        if (sessionID) {
-          injectedSessions.delete(sessionID);
-        }
-      }
-    },
   };
 };
-function resolve(filePath: string): string {
-  if (filePath.startsWith("/")) return filePath;
-  return join(process.cwd(), filePath);
-}
-export default ApiSecurityTestingPlugin;
+export default ApiSecurityTestingPlugin;

package/src/hooks/directory-agents-injector.ts DELETED Viewed

@@ -1,102 +0,0 @@
-import type { PluginInput } from "@opencode-ai/plugin";
-import { existsSync, readFileSync } from "node:fs";
-import { dirname, join, resolve } from "node:path";
-const AGENTS_FILENAME = "AGENTS.md";
-const AGENTS_DIR = ".config/opencode/agents";
-export function createDirectoryAgentsInjectorHook(ctx: PluginInput) {
-  function resolveAgentsDir(): string | null {
-    const home = process.env.HOME || process.env.USERPROFILE;
-    if (!home) return null;
-    return join(home, AGENTS_DIR);
-  }
-  function findAgentsMdUp(startDir: string, agentsDir: string): string | null {
-    let current = startDir;
-    while (true) {
-      const agentsPath = join(current, AGENTS_FILENAME);
-      if (existsSync(agentsPath)) {
-        return agentsPath;
-      }
-      if (current === agentsDir) break;
-      const parent = dirname(current);
-      if (parent === current) break;
-      if (parent === "/" || parent === home) break;
-      current = parent;
-    }
-    return null;
-  }
-  function getSessionKey(sessionID: string): string {
-    return `api-sec-inject-${sessionID}`;
-  }
-  const injectedPaths = new Set<string>();
-  const toolExecuteAfter = async (
-    input: { tool: string; sessionID: string; callID: string },
-    output: { title: string; output: string; metadata: unknown }
-  ) => {
-    const toolName = input.tool.toLowerCase();
-    const agentsDir = resolveAgentsDir();
-    if (!agentsDir || !existsSync(agentsDir)) return;
-    if (toolName === "read") {
-      const filePath = output.title;
-      if (!filePath) return;
-      const resolved = resolve(filePath);
-      const dir = dirname(resolved);
-      if (!dir.includes(agentsDir)) return;
-      const cacheKey = getSessionKey(input.sessionID);
-      if (injectedPaths.has(cacheKey + resolved)) return;
-      const agentsPath = findAgentsMdUp(dir, agentsDir);
-      if (!agentsPath) return;
-      try {
-        const content = readFileSync(agentsPath, "utf-8");
-        output.output += `\n\n[Auto-injected from ${AGENTS_FILENAME}]\n${content}`;
-        injectedPaths.add(cacheKey + resolved);
-      } catch (err) {
-        console.error("[api-security-testing] Failed to inject agents:", err);
-      }
-    }
-  };
-  const eventHandler = async (input: { event: { type: string; properties?: unknown } }) => {
-    const { event } = input;
-    if (event.type === "session.deleted" || event.type === "session.compacted") {
-      const props = event.properties as Record<string, unknown> | undefined;
-      let sessionID: string | undefined;
-      if (event.type === "session.deleted") {
-        sessionID = (props?.info as { id?: string })?.id;
-      } else {
-        sessionID = (props?.sessionID ?? (props?.info as { id?: string })?.id) as string | undefined;
-      }
-      if (sessionID) {
-        const cacheKey = getSessionKey(sessionID);
-        for (const key of injectedPaths.keys()) {
-          if (key.startsWith(cacheKey)) {
-            injectedPaths.delete(key);
-          }
-        }
-      }
-    }
-  };
-  return {
-    "tool.execute.after": toolExecuteAfter,
-    event: eventHandler,
-  };
-}