npm - opencode-api-security-testing - Versions diffs - 4.0.1 → 5.2.0 - Mend

opencode-api-security-testing 4.0.1 → 5.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/SKILL.md +6 -0
package/agents/api-cyber-supervisor.md +5 -3
package/package.json +48 -47
package/postinstall.mjs +243 -39
package/src/index.ts +318 -25
package/src/tools/endpoint-discover.ts +325 -0
package/src/tools/report-generator.ts +355 -0
package/src/utils/env-checker.ts +264 -0

package/src/index.ts CHANGED Viewed

@@ -6,18 +6,127 @@ import { existsSync, readFileSync } from "fs";
 const SKILL_DIR = "skills/api-security-testing";
 const CORE_DIR = `${SKILL_DIR}/core`;
 const AGENTS_DIR = ".config/opencode/agents";
+const CONFIG_FILE = "api-security-testing.config.json";
+// 默认配置
+const DEFAULT_CONFIG = {
+  agents: {
+    "api-cyber-supervisor": { model: "anthropic/claude-sonnet-4-20250514", temperature: 0.3 },
+    "api-probing-miner": { model: "anthropic/claude-haiku-4-20250514", temperature: 0.5 },
+    "api-resource-specialist": { model: "anthropic/claude-haiku-4-20250514", temperature: 0.4 },
+    "api-vuln-verifier": { model: "anthropic/claude-haiku-4-20250514", temperature: 0.2 }
+  },
+  model_fallback: {
+    supervisor: [
+      "anthropic/claude-sonnet-4-20250514",
+      "openai/gpt-4o",
+      "google/gemini-2.0-flash",
+      "anthropic/claude-haiku-4-20250514"
+    ],
+    subagent: [
+      "anthropic/claude-haiku-4-20250514",
+      "openai/gpt-4o-mini",
+      "google/gemini-2.0-flash-lite"
+    ]
+  },
+  cyber_supervisor: {
+    enabled: true,
+    auto_trigger: true,
+    max_retries: 5,
+    give_up_patterns: [
+      "无法解决", "不能", "需要手动", "环境问题",
+      "超出范围", "建议用户", "I cannot", "I'm unable",
+      "out of scope", "manual"
+    ]
+  },
+  collection_mode: "auto" // auto | static | dynamic
+};
 // 赛博监工配置
-const CYBER_SUPERVISOR = {
-  enabled: true,
-  auto_trigger: true,
-  max_retries: 5,
-  give_up_patterns: [
-    "无法解决", "不能", "需要手动", "环境问题",
-    "超出范围", "建议用户", "I cannot", "I'm unable",
-    "out of scope", "manual"
-  ]
-};
+const CYBER_SUPERVISOR = DEFAULT_CONFIG.cyber_supervisor;
+// 模型回退状态追踪
+const modelFailureCounts = new Map<string, Map<string, number>>();
+const sessionFailures = new Map<string, number>();
+function getConfigPath(ctx: { directory: string }): string {
+  return join(ctx.directory, SKILL_DIR, "assets", CONFIG_FILE);
+}
+function loadConfig(ctx: { directory: string }): typeof DEFAULT_CONFIG {
+  const configPath = getConfigPath(ctx);
+  if (existsSync(configPath)) {
+    try {
+      const content = readFileSync(configPath, "utf-8");
+      const loaded = JSON.parse(content);
+      return { ...DEFAULT_CONFIG, ...loaded };
+    } catch (e) {
+      console.log(`[api-security-testing] Failed to load config: ${e}`);
+    }
+  }
+  return DEFAULT_CONFIG;
+}
+function getModelFailureCount(sessionID: string, modelID: string): number {
+  const sessionMap = modelFailureCounts.get(sessionID);
+  if (!sessionMap) return 0;
+  return sessionMap.get(modelID) || 0;
+}
+function incrementModelFailure(sessionID: string, modelID: string): void {
+  if (!modelFailureCounts.has(sessionID)) {
+    modelFailureCounts.set(sessionID, new Map());
+  }
+  const sessionMap = modelFailureCounts.get(sessionID)!;
+  sessionMap.set(modelID, (sessionMap.get(modelID) || 0) + 1);
+}
+function resetModelFailures(sessionID: string): void {
+  modelFailureCounts.delete(sessionID);
+}
+function getNextFallbackModel(
+  config: typeof DEFAULT_CONFIG,
+  sessionID: string,
+  currentModel: string,
+  isSupervisor: boolean
+): string | null {
+  const chain = isSupervisor
+    ? config.model_fallback.supervisor
+    : config.model_fallback.subagent;
+  const currentIndex = chain.indexOf(currentModel);
+  if (currentIndex === -1 || currentIndex >= chain.length - 1) {
+    return null; // No fallback available
+  }
+  // 检查下一个模型是否也已失败过多
+  const nextModel = chain[currentIndex + 1];
+  const failures = getModelFailureCount(sessionID, nextModel);
+  if (failures >= 3) {
+    // 递归查找下一个可用模型
+    return getNextFallbackModel(config, sessionID, nextModel, isSupervisor);
+  }
+  return nextModel;
+}
+function detectModelError(output: string): { isModelError: boolean; modelID?: string } {
+  const errorPatterns = [
+    /model (.+?) (is overloaded|is not available|rate limit|timeout|failed)/i,
+    /(.+?) (rate limit exceeded|context length exceeded)/i,
+    /API error.*model[:\s]*(.+)/i,
+  ];
+  for (const pattern of errorPatterns) {
+    const match = output.match(pattern);
+    if (match) {
+      return { isModelError: true, modelID: match[1]?.trim() };
+    }
+  }
+  return { isModelError: false };
+}
 // 压力升级提示词
 const LEVEL_PROMPTS = [
@@ -79,9 +188,6 @@ async function execShell(ctx: unknown, cmd: string): Promise<string> {
   return result.toString();
 }
-// 赛博监工状态追踪
-const sessionFailures = new Map<string, number>();
 function getFailureCount(sessionID: string): number {
   return sessionFailures.get(sessionID) || 0;
 }
@@ -101,7 +207,8 @@ function detectGiveUpPattern(text: string): boolean {
 }
 const ApiSecurityTestingPlugin: Plugin = async (ctx) => {
-  console.log("[api-security-testing] Plugin loaded v4.0.0");
+  const config = loadConfig(ctx);
+  console.log(`[api-security-testing] Plugin loaded v4.0.2 - collection_mode: ${config.collection_mode}`);
   return {
     tool: {
@@ -169,22 +276,23 @@ print(result)
       }),
       browser_collect: tool({
-        description: "浏览器采集动态内容。参数: url(目标URL)",
+        description: "浏览器采集动态内容。参数: url(目标URL), mode(auto/static/dynamic)",
         args: {
           url: tool.schema.string(),
+          mode: tool.schema.enum(["auto", "static", "dynamic"]).optional(),
         },
         async execute(args, ctx) {
           const deps = checkDeps(ctx);
           const corePath = getCorePath(ctx);
+          const collectionMode = args.mode || config.collection_mode;
           const cmd = `${deps}python3 -c "
 import sys
 sys.path.insert(0, '${corePath}')
-from collectors.browser_collect import BrowserCollector
-collector = BrowserCollector(headless=True)
-endpoints = collector.collect('${args.url}')
-print(f'发现 {len(endpoints)} 个端点:')
-for ep in endpoints:
-    print(ep)
+from collectors.browser_collector import BrowserCollectorFacade
+facade = BrowserCollectorFacade(headless=True)
+result = facade.collect_all('${args.url}', {'mode': '${collectionMode}'})
+import json
+print(json.dumps(result, indent=2))
 "`;
           return await execShell(ctx, cmd);
         },
@@ -307,6 +415,171 @@ from testers.auth_tester import AuthTester
 tester = AuthTester()
 result = tester.test('${args.endpoint}')
 print(result)
+"`;
+          return await execShell(ctx, cmd);
+        },
+      }),
+      // 新增: 端点自动发现工具
+      endpoint_discover: tool({
+        description: "自动发现 API 端点。从 JS 文件、HTML、Sitemap 中提取所有 API 路径",
+        args: {
+          target: tool.schema.string(),
+          depth: tool.schema.enum(["shallow", "deep"]).optional(),
+          include_methods: tool.schema.boolean().optional()
+        },
+        async execute(args, ctx) {
+          const deps = checkDeps(ctx);
+          const corePath = getCorePath(ctx);
+          const target = args.target as string;
+          const depth = (args.depth as string) || "shallow";
+          const includeMethods = (args.include_methods as boolean) !== false;
+          const cmd = `${deps}python3 -c "
+import sys, re, json, urllib.request, ssl
+sys.path.insert(0, '${corePath}')
+ssl._create_default_https_context = ssl._create_unverified_context
+target = '${target}'
+depth = '${depth}'
+endpoints = set()
+js_endpoints = set()
+html_endpoints = set()
+patterns = [r'[\\"\\'](/api/[^\\"\\'\\s?#]+)[\\"\\']', r'[\\"\\'](/v[0-9]+/[^\\"\\'\\s?#]+)[\\"\\']', r'[\\"\\'](/admin/[^\\"\\'\\s?#]+)[\\"\\']', r'[\\"\\'](/auth/[^\\"\\'\\s?#]+)[\\"\\']', r'[\\"\\'](/graphql)[\\"\\']', r'[\\"\\'](/rest/[^\\"\\'\\s?#]+)[\\"\\']', r'axios\\.(get|post|put|delete|patch)\([\\"\\']([^\\"\\'\\s?#]+)[\\"\\']', r'fetch\([\\"\\']([^\\"\\'\\s?#]+)[\\"\\']']
+def safe_fetch(url, timeout=10):
+    try:
+        req = urllib.request.Request(url, headers={'User-Agent': 'Mozilla/5.0'})
+        with urllib.request.urlopen(req, timeout=timeout) as r: return r.read().decode('utf-8', errors='ignore')
+    except: return None
+def extract(text):
+    found = []
+    for p in patterns:
+        for m in re.findall(p, text):
+            ep = m[-1] if isinstance(m, tuple) else m
+            ep = ep.strip().lstrip('/')
+            if ep and len(ep) > 2 and not ep.startswith(('http', 'data:', '#')):
+                if not any(ep.lower().endswith(x) for x in ['.js','.css','.png','.jpg','.gif','.svg','.ico']):
+                    found.append('/' + ep)
+    return found
+parsed = __import__('urllib.parse').urlparse(target)
+base = f'{parsed.scheme}://{parsed.netloc}'
+html = safe_fetch(target)
+if html:
+    html_endpoints.update(extract(html))
+    for js_url in re.findall(r'<script[^>]+src=[\\"\\']([^\\"\\'\\s?#]+)[\\"\\']', html)[:20 if depth=='shallow' else 50]:
+        if js_url.startswith('/'): js_url = base + js_url
+        elif not js_url.startswith('http'): js_url = base + '/' + js_url
+        js_content = safe_fetch(js_url, timeout=10)
+        if js_content: js_endpoints.update(extract(js_content))
+for path in ['/api', '/api/v1', '/api/docs', '/swagger.json', '/graphql', '/admin', '/auth', '/health', '/version']:
+    content = safe_fetch(base + path, timeout=5)
+    if content and len(content) > 10:
+        endpoints.add(path)
+        if content.strip().startswith('{'):
+            try:
+                for ep in re.findall(r'[\\"\\'](/[a-zA-Z0-9_./-]+)[\\"\\']', content[:10000]): endpoints.add(ep)
+            except: pass
+if depth == 'deep':
+    for js_url in re.findall(r'<script[^>]+src=[\\"\\']([^\\"\\'\\s?#]+)[\\"\\']', html or '')[:50]:
+        if js_url.startswith('/'): js_url = base + js_url
+        elif not js_url.startswith('http'): js_url = base + '/' + js_url
+        js_content = safe_fetch(js_url, timeout=10)
+        if js_content:
+            for p in [r'[\\"\\'](/[a-zA-Z0-9_./{{}}:-]+)[\\"\\']', r'path:\\s*[\\"\\'](/[a-zA-Z0-9_./{{}}:-]+)[\\"\\']']:
+                for m in re.findall(p, js_content):
+                    ep = m[-1] if isinstance(m, tuple) else m
+                    if len(ep) > 2 and not ep.startswith(('http', 'data:', '#')): endpoints.add(ep)
+all_eps = sorted(set(endpoints) | set(html_endpoints) | set(js_endpoints))
+clean = []
+seen = set()
+for ep in all_eps:
+    ep = ep.split('?')[0].split('#')[0].rstrip('/')
+    if ep and ep not in seen and len(ep) > 1:
+        seen.add(ep)
+        clean.append(ep)
+result = {'target': target, 'total_endpoints': len(clean), 'endpoints': clean, 'sources': {'html': len(html_endpoints), 'javascript': len(js_endpoints), 'common_paths': len(endpoints)}}
+print(json.dumps(result, indent=2, ensure_ascii=False))
+"`;
+          return await execShell(ctx, cmd);
+        },
+      }),
+      // 新增: 报告生成工具
+      report_generate: tool({
+        description: "生成安全测试报告。支持 Markdown、HTML、JSON 格式，内置 OWASP API Top 10 模板",
+        args: {
+          format: tool.schema.enum(["markdown", "html", "json"]).optional(),
+          template: tool.schema.enum(["owasp-api", "custom"]).optional(),
+          target: tool.schema.string().optional(),
+          findings: tool.schema.string().optional(),
+          severity_filter: tool.schema.enum(["all", "critical", "high", "medium", "low", "info"]).optional()
+        },
+        async execute(args, ctx) {
+          const deps = checkDeps(ctx);
+          const corePath = getCorePath(ctx);
+          const format = (args.format as string) || "markdown";
+          const template = (args.template as string) || "owasp-api";
+          const target = (args.target as string) || "Unknown";
+          const findings = (args.findings as string) || "";
+          const severityFilter = (args.severity_filter as string) || "all";
+          const cmd = `${deps}python3 -c "
+import sys, json
+from datetime import datetime
+sys.path.insert(0, '${corePath}')
+format = '${format}'
+target = '${target.replace(/'/g, "\\'")}'
+findings = '''${findings.replace(/'/g, "\\'")}'''
+severity_filter = '${severityFilter}'
+parsed_findings = []
+if findings.strip():
+    try: parsed_findings = json.loads(findings)
+    except:
+        for line in findings.strip().split('\\n'):
+            if line.strip():
+                try: parsed_findings.append(json.loads(line))
+                except: pass
+if severity_filter != 'all' and parsed_findings:
+    parsed_findings = [f for f in parsed_findings if f.get('severity','').lower() == severity_filter.lower()]
+sev_counts = {'critical': 0, 'high': 0, 'medium': 0, 'low': 0, 'info': 0}
+for f in parsed_findings:
+    s = f.get('severity','info').lower()
+    if s in sev_counts: sev_counts[s] += 1
+total = len(parsed_findings)
+risk_score = sev_counts['critical']*10 + sev_counts['high']*7 + sev_counts['medium']*4 + sev_counts['low']*1
+risk_level = 'CRITICAL' if risk_score >= 50 else 'HIGH' if risk_score >= 30 else 'MEDIUM' if risk_score >= 15 else 'LOW' if risk_score > 0 else 'NONE'
+now = datetime.now().strftime('%Y-%m-%d %H:%M:%S')
+if format == 'markdown':
+    report = f'# API 安全测试报告\\n\\n## 基本信息\\n\\n| 项目 | 值 |\\n|------|------|\\n| 目标 | {target} |\\n| 测试时间 | {now} |\\n| 风险等级 | **{risk_level}** |\\n| 风险分数 | {risk_score}/100 |\\n\\n## 漏洞统计\\n\\n| 严重程度 | 数量 |\\n|---------|------|\\n| Critical | {sev_counts[\\\"critical\\\"]} |\\n| High | {sev_counts[\\\"high\\\"]} |\\n| Medium | {sev_counts[\\\"medium\\\"]} |\\n| Low | {sev_counts[\\\"low\\\"]} |\\n| Info | {sev_counts[\\\"info\\\"]} |\\n| **总计** | **{total}** |\\n\\n## 漏洞详情\\n\\n'
+    if not parsed_findings: report += '未发现安全漏洞。\\n\\n'
+    else:
+        for i, f in enumerate(parsed_findings, 1):
+            title = f.get('title', f.get('vulnerability', f'Vulnerability #{i}'))
+            sev = f.get('severity', 'Unknown').upper()
+            ep = f.get('endpoint', f.get('url', 'N/A'))
+            desc = f.get('description', f.get('detail', 'No description'))
+            poc = f.get('poc', f.get('proof_of_concept', ''))
+            rec = f.get('recommendation', f.get('fix', 'Review and fix'))
+            report += f'### {i}. [{sev}] {title}\\n\\n| 属性 | 值 |\\n|------|------|\\n| 端点 | \\\`{ep}\\\` |\\n\\n**描述:**\\n\\n{desc}\\n\\n'
+            if poc: report += f'**PoC:**\\n\\n\\\`\\\`\\\`bash\\n{poc}\\n\\\`\\\`\\\`\\n\\n'
+            report += f'**修复建议:**\\n\\n{rec}\\n\\n---\\n\\n'
+    report += f'\\n## 测试覆盖范围\\n\\n| 测试类别 | 状态 |\\n|---------|------|\\n| SQL 注入 | ✅ 已测试 |\\n| XSS | ✅ 已测试 |\\n| IDOR | ✅ 已测试 |\\n| 认证绕过 | ✅ 已测试 |\\n| 敏感数据 | ✅ 已测试 |\\n| 业务逻辑 | ✅ 已测试 |\\n| 安全配置 | ✅ 已测试 |\\n| 暴力破解 | ✅ 已测试 |\\n| SSRF | ✅ 已测试 |\\n| GraphQL | ✅ 已测试 |\\n\\n---\\n\\n*报告生成时间: {now}*\\n*工具: opencode-api-security-testing v5.1.0*\\n'
+elif format == 'json':
+    report = json.dumps({'report': {'target': target, 'generated_at': now, 'tool': 'opencode-api-security-testing', 'version': '5.1.0'}, 'summary': {'total': total, 'risk_score': risk_score, 'risk_level': risk_level, 'severity_counts': sev_counts}, 'findings': parsed_findings}, indent=2, ensure_ascii=False)
+else:
+    report = f'<!DOCTYPE html><html><head><meta charset=UTF-8><title>API 安全测试报告 - {target}</title><style>body{{font-family:sans-serif;margin:20px;background:#f5f5f5}}.container{{max-width:1200px;margin:0 auto;background:white;border-radius:8px;padding:20px;box-shadow:0 2px 10px rgba(0,0,0,0.1)}}h1{{color:#333}}.stats{{display:flex;gap:15px;flex-wrap:wrap;margin:20px 0}}.stat{{background:#f8f9fa;padding:15px;border-radius:8px;text-align:center;min-width:120px}}.stat .num{{font-size:32px;font-weight:bold}}.stat.critical .num{{color:#dc3545}}.stat.high .num{{color:#fd7e14}}.stat.medium .num{{color:#ffc107}}.stat.low .num{{color:#28a745}}.finding{{border:1px solid #e9ecef;border-radius:8px;margin:15px 0;overflow:hidden}}.finding-header{{padding:15px;display:flex;align-items:center;gap:10px}}.finding-header.critical{{background:#fff5f5;border-left:4px solid #dc3545}}.finding-header.high{{background:#fff8f0;border-left:4px solid #fd7e14}}.finding-header.medium{{background:#fffdf0;border-left:4px solid #ffc107}}.finding-header.low{{background:#f0fff4;border-left:4px solid #28a745}}.badge{{padding:3px 8px;border-radius:4px;font-size:11px;font-weight:bold;color:white}}.badge.critical{{background:#dc3545}}.badge.high{{background:#fd7e14}}.badge.medium{{background:#ffc107;color:#333}}.badge.low{{background:#28a745}}.finding-body{{padding:15px}}pre{{background:#f8f9fa;padding:10px;border-radius:4px;overflow-x:auto}}</style></head><body><div class=container><h1>API 安全测试报告</h1><p>目标: {target} | 时间: {now} | 风险: <strong>{risk_level}</strong> ({risk_score}/100)</p><div class=stats><div class=stat critical><div class=num>{sev_counts[\\\"critical\\\"]}</div><div>Critical</div></div><div class=stat high><div class=num>{sev_counts[\\\"high\\\"]}</div><div>High</div></div><div class=stat medium><div class=num>{sev_counts[\\\"medium\\\"]}</div><div>Medium</div></div><div class=stat low><div class=num>{sev_counts[\\\"low\\\"]}</div><div>Low</div></div><div class=stat><div class=num>{total}</div><div>Total</div></div></div>'
+    if not parsed_findings: report += '<h2 style=color:#28a745>未发现安全漏洞</h2>'
+    else:
+        for i, f in enumerate(parsed_findings, 1):
+            title = f.get('title', f.get('vulnerability', f'#{i}'))
+            sev = f.get('severity','unknown').lower()
+            ep = f.get('endpoint', f.get('url', 'N/A'))
+            desc = f.get('description', f.get('detail', ''))
+            poc = f.get('poc', '')
+            rec = f.get('recommendation', f.get('fix', ''))
+            report += f'<div class=finding><div class=finding-header {sev}><span class=badge {sev}>{sev.upper()}</span><strong>{i}. {title}</strong></div><div class=finding-body><p><strong>端点:</strong> <code>{ep}</code></p><p>{desc}</p>'
+            if poc: report += f'<h4>PoC</h4><pre>{poc}</pre>'
+            if rec: report += f'<h4>修复建议</h4><p>{rec}</p>'
+            report += '</div></div>'
+    report += f'<p style=color:#666;font-size:12px;text-align:center;margin-top:20px>opencode-api-security-testing v5.1.0 | {now}</p></div></body></html>'
+print(report)
 "`;
           return await execShell(ctx, cmd);
         },
@@ -328,14 +601,14 @@ print(result)
       }
       // 赛博监工压力注入
-      if (CYBER_SUPERVISOR.enabled && CYBER_SUPERVISOR.auto_trigger) {
+      if (config.cyber_supervisor.enabled && config.cyber_supervisor.auto_trigger) {
         const failures = getFailureCount(sessionID);
-        if (failures > 0 && failures <= CYBER_SUPERVISOR.max_retries) {
+        if (failures > 0 && failures <= config.cyber_supervisor.max_retries) {
           const level = Math.min(failures - 1, 4);
           const supervisorPrompt = `
 [赛博监工 P9 - 压力等级 L${level}]
-当前失败次数: ${failures}/${CYBER_SUPERVISOR.max_retries}
+当前失败次数: ${failures}/${config.cyber_supervisor.max_retries}
 ${LEVEL_PROMPTS[level]}
 记住三条红线：
@@ -355,6 +628,26 @@ ${LEVEL_PROMPTS[level]}
     // 赛博监工 Hook - tool.execute.after
     "tool.execute.after": async (input, output) => {
       const sessionID = input.sessionID;
+      const outputText = output.output || "";
+      // 检测模型错误并触发回退
+      const modelError = detectModelError(outputText);
+      if (modelError.isModelError && modelError.modelID) {
+        incrementModelFailure(sessionID, modelError.modelID);
+        // 获取下一个可用模型
+        const isSupervisor = input.toolName?.includes("supervisor") ||
+                            input.toolName?.includes("scan");
+        const nextModel = getNextFallbackModel(config, sessionID, modelError.modelID, isSupervisor);
+        if (nextModel) {
+          return {
+            ...output,
+            output: outputText + `\n\n[模型回退] ${modelError.modelID} 失败，已切换到 ${nextModel}`,
+            _fallbackModel: nextModel
+          };
+        }
+      }
       // 检测工具失败
       if (output.error) {
@@ -362,7 +655,6 @@ ${LEVEL_PROMPTS[level]}
       }
       // 检测放弃模式
-      const outputText = output.output || "";
       if (detectGiveUpPattern(outputText)) {
         incrementFailureCount(sessionID);
         const failures = getFailureCount(sessionID);
@@ -398,6 +690,7 @@ ${LEVEL_PROMPTS[level]}
         if (sessionID) {
           resetFailureCount(sessionID);
+          resetModelFailures(sessionID);
         }
       }
     },