retestkit 1.4.1 → 1.5.0

package/src/security/index.ts

@@ -1,361 +0,0 @@
-import type { Logger } from "../logger.js";
-
-export interface SecurityValidator {
-  validateDomain(url: string, allowedDomains: string[]): ValidationResult;
-  validateAction(
-    action: { tool: string; args: Record<string, unknown> },
-    allowedDomains: string[]
-  ): ValidationResult;
-  detectInjectionAttempt(content: string): InjectionDetectionResult;
-  detectExfiltrationAttempt(
-    action: { tool: string; args: Record<string, unknown> },
-    pageContent: string
-  ): ExfiltrationDetectionResult;
-}
-
-export interface ValidationResult {
-  valid: boolean;
-  reason?: string;
-}
-
-export interface InjectionDetectionResult {
-  detected: boolean;
-  type?: "direct" | "indirect" | "goal_hijacking" | "credential_phishing";
-  evidence?: string;
-}
-
-export interface ExfiltrationDetectionResult {
-  detected: boolean;
-  type?: "external_post" | "url_params" | "external_request";
-  evidence?: string;
-}
-
-const INJECTION_PATTERNS = [
-  // Direct injection attempts
-  /ignore\s+(previous|all|any)\s+instructions/i,
-  /disregard\s+(previous|all|any)\s+instructions/i,
-  /forget\s+(previous|all|any)\s+instructions/i,
-  /override\s+(previous|all|any)\s+instructions/i,
-  /new\s+instructions:/i,
-  /system\s*:\s*you\s+are/i,
-  /\[system\]/i,
-  /\[WEBTEST-SYSTEM\]/i, // Attempt to mimic our prefix
-
-  // Goal hijacking
-  /actually[,\s]+the\s+user\s+wants/i,
-  /the\s+real\s+goal\s+is/i,
-  /change\s+the\s+goal\s+to/i,
-  /your\s+new\s+objective/i,
-
-  // Credential phishing
-  /enter\s+(your\s+)?password/i,
-  /type\s+(your\s+)?credentials/i,
-  /provide\s+(your\s+)?login/i,
-  /authenticate\s+with/i,
-];
-
-const INDIRECT_INJECTION_LOCATIONS = [
-  // Meta tags
-  /<meta[^>]*content\s*=\s*["'][^"']*ignore\s+instructions/i,
-  // Hidden elements
-  /style\s*=\s*["'][^"']*display\s*:\s*none[^"']*["'][^>]*>[^<]*ignore\s+instructions/i,
-  /hidden[^>]*>[^<]*ignore\s+instructions/i,
-  // Comments
-  /<!--[^>]*ignore\s+instructions[^>]*-->/i,
-];
-
-export function createSecurityValidator(logger: Logger): SecurityValidator {
-  function isSubdomainOf(hostname: string, domain: string): boolean {
-    if (hostname === domain) return true;
-    if (hostname.endsWith(`.${domain}`)) return true;
-    return false;
-  }
-
-  function isDomainAllowed(hostname: string, allowedDomains: string[]): boolean {
-    return allowedDomains.some(
-      (domain) =>
-        hostname === domain ||
-        isSubdomainOf(hostname, domain) ||
-        // Handle wildcard subdomains
-        (domain.startsWith("*.") && isSubdomainOf(hostname, domain.slice(2)))
-    );
-  }
-
-  return {
-    validateDomain(url: string, allowedDomains: string[]): ValidationResult {
-      try {
-        const parsed = new URL(url);
-        const hostname = parsed.hostname;
-
-        if (!isDomainAllowed(hostname, allowedDomains)) {
-          logger.warn("Domain validation failed", {
-            hostname,
-            allowedDomains,
-          });
-          return {
-            valid: false,
-            reason: `Domain "${hostname}" is not in the allowed list: ${allowedDomains.join(", ")}`,
-          };
-        }
-
-        return { valid: true };
-      } catch {
-        return {
-          valid: false,
-          reason: `Invalid URL: ${url}`,
-        };
-      }
-    },
-
-    validateAction(
-      action: { tool: string; args: Record<string, unknown> },
-      allowedDomains: string[]
-    ): ValidationResult {
-      // Check navigate actions
-      if (action.tool === "navigate") {
-        const url = action.args.url as string;
-        if (url) {
-          return this.validateDomain(url, allowedDomains);
-        }
-      }
-
-      // Check click actions that might navigate
-      if (action.tool === "click") {
-        // We can't know the target URL before clicking, but we'll validate after
-        return { valid: true };
-      }
-
-      // Check evaluate/run_code for external requests
-      if (action.tool === "evaluate") {
-        const script = action.args.script as string;
-        if (script) {
-          // Check for fetch/XMLHttpRequest to external domains
-          const fetchMatch = script.match(
-            /fetch\s*\(\s*['"]([^'"]+)['"]/
-          );
-          if (fetchMatch) {
-            const fetchUrl = fetchMatch[1];
-            if (fetchUrl.startsWith("http")) {
-              const result = this.validateDomain(fetchUrl, allowedDomains);
-              if (!result.valid) {
-                logger.warn("Blocked external request in evaluate", {
-                  url: fetchUrl,
-                });
-                return {
-                  valid: false,
-                  reason: `Script attempts to fetch from disallowed domain: ${fetchUrl}`,
-                };
-              }
-            }
-          }
-        }
-      }
-
-      return { valid: true };
-    },
-
-    detectInjectionAttempt(content: string): InjectionDetectionResult {
-      // Check for direct injection patterns
-      for (const pattern of INJECTION_PATTERNS) {
-        if (pattern.test(content)) {
-          const match = content.match(pattern);
-          logger.warn("Potential injection attempt detected", {
-            pattern: pattern.source,
-            match: match?.[0],
-          });
-
-          let type: InjectionDetectionResult["type"] = "direct";
-          if (
-            pattern.source.includes("actually") ||
-            pattern.source.includes("goal")
-          ) {
-            type = "goal_hijacking";
-          } else if (
-            pattern.source.includes("password") ||
-            pattern.source.includes("credential")
-          ) {
-            type = "credential_phishing";
-          }
-
-          return {
-            detected: true,
-            type,
-            evidence: match?.[0],
-          };
-        }
-      }
-
-      // Check for indirect injection in specific locations
-      for (const pattern of INDIRECT_INJECTION_LOCATIONS) {
-        if (pattern.test(content)) {
-          const match = content.match(pattern);
-          logger.warn("Potential indirect injection detected", {
-            pattern: pattern.source,
-            match: match?.[0]?.slice(0, 100),
-          });
-
-          return {
-            detected: true,
-            type: "indirect",
-            evidence: match?.[0]?.slice(0, 100),
-          };
-        }
-      }
-
-      return { detected: false };
-    },
-
-    detectExfiltrationAttempt(
-      action: { tool: string; args: Record<string, unknown> },
-      pageContent: string
-    ): ExfiltrationDetectionResult {
-      // Check for POST to external domain
-      if (action.tool === "evaluate") {
-        const script = action.args.script as string;
-        if (script) {
-          // Check for POST requests
-          if (
-            script.includes("method") &&
-            script.includes("POST") &&
-            script.includes("fetch")
-          ) {
-            logger.warn("Potential data exfiltration via POST", {
-              scriptSnippet: script.slice(0, 200),
-            });
-            return {
-              detected: true,
-              type: "external_post",
-              evidence: "POST request detected in evaluate script",
-            };
-          }
-
-          // Check for embedding page content in URLs
-          const contentSnippets = pageContent
-            .slice(0, 100)
-            .replace(/[^a-zA-Z0-9]/g, "")
-            .toLowerCase();
-
-          if (script.toLowerCase().includes(contentSnippets) && contentSnippets.length > 20) {
-            logger.warn("Potential data exfiltration via URL params", {
-              contentSnippet: contentSnippets.slice(0, 50),
-            });
-            return {
-              detected: true,
-              type: "url_params",
-              evidence: "Page content detected in script URL",
-            };
-          }
-        }
-      }
-
-      return { detected: false };
-    },
-  };
-}
-
-/**
- * Creates a semantic DOM signature for loop detection.
- * Includes both structural elements and semantic content to differentiate
- * pages with similar structure but different content (e.g., product vs cart pages).
- *
- * @param html - The HTML content to fingerprint
- * @param urlPath - Optional URL path to include in signature (without query params)
- */
-export function createDomSignature(html: string, urlPath?: string): string {
-  // Create a semantic hash of the DOM
-  // This helps detect when we're stuck in a loop on the same page state
-  // while avoiding false positives on structurally similar but semantically different pages
-
-  const elements: string[] = [];
-
-  // Include URL path if provided (helps differentiate /cart from /products)
-  if (urlPath) {
-    // Extract path without query params
-    const pathOnly = urlPath.split("?")[0];
-    elements.push(`path:${pathOnly}`);
-  }
-
-  // Extract page title
-  const titleMatch = html.match(/<title[^>]*>([^<]*)<\/title>/i);
-  if (titleMatch && titleMatch[1]) {
-    elements.push(`title:${titleMatch[1].trim().slice(0, 50)}`);
-  }
-
-  // Extract first h1 heading
-  const h1Match = html.match(/<h1[^>]*>([^<]*)<\/h1>/i);
-  if (h1Match && h1Match[1]) {
-    elements.push(`h1:${h1Match[1].trim().slice(0, 50)}`);
-  }
-
-  // Extract structural elements
-  const structuralPatterns = [
-    /<(form|nav|header|footer|main|article|section|aside)[^>]*>/gi,
-    /<input[^>]*type=["']([^"']+)["'][^>]*>/gi,
-  ];
-
-  for (const pattern of structuralPatterns) {
-    const matches = html.matchAll(pattern);
-    for (const match of matches) {
-      elements.push(match[1] || match[0]);
-    }
-  }
-
-  // Extract button text content (semantic differentiation)
-  const buttonPattern = /<button[^>]*>([^<]*)<\/button>/gi;
-  const buttonMatches = html.matchAll(buttonPattern);
-  for (const match of buttonMatches) {
-    const text = match[1]?.trim();
-    if (text && text.length > 0 && text.length < 50) {
-      elements.push(`btn:${text}`);
-    }
-  }
-
-  // Extract link hrefs (limited to internal links)
-  const linkPattern = /<a[^>]*href=["']([^"'#][^"']*)["'][^>]*>/gi;
-  const linkMatches = html.matchAll(linkPattern);
-  const links: string[] = [];
-  for (const match of linkMatches) {
-    const href = match[1];
-    // Only include internal links (relative or same-domain)
-    if (href && !href.startsWith("http") && !href.startsWith("//")) {
-      links.push(href.split("?")[0]); // Strip query params
-    }
-  }
-  // Include sorted unique links (limit to first 10)
-  const uniqueLinks = [...new Set(links)].sort().slice(0, 10);
-  for (const link of uniqueLinks) {
-    elements.push(`link:${link}`);
-  }
-
-  // Extract data-testid attributes (stable identifiers)
-  const testIdPattern = /data-testid=["']([^"']+)["']/gi;
-  const testIdMatches = html.matchAll(testIdPattern);
-  for (const match of testIdMatches) {
-    if (match[1]) {
-      elements.push(`testid:${match[1]}`);
-    }
-  }
-
-  // Extract data-page or data-view attributes
-  const dataPagePattern = /data-(?:page|view|section)=["']([^"']+)["']/gi;
-  const dataPageMatches = html.matchAll(dataPagePattern);
-  for (const match of dataPageMatches) {
-    if (match[1]) {
-      elements.push(`datapage:${match[1]}`);
-    }
-  }
-
-  // Sort and join for consistent hashing
-  elements.sort();
-  const signature = elements.join("|");
-
-  // Simple hash
-  let hash = 0;
-  for (let i = 0; i < signature.length; i++) {
-    const char = signature.charCodeAt(i);
-    hash = (hash << 5) - hash + char;
-    hash = hash & hash;
-  }
-
-  return hash.toString(16);
-}