retestkit 1.4.1

package/src/security/index.ts

@@ -0,0 +1,361 @@
+import type { Logger } from "../logger.js";
+
+export interface SecurityValidator {
+  validateDomain(url: string, allowedDomains: string[]): ValidationResult;
+  validateAction(
+    action: { tool: string; args: Record<string, unknown> },
+    allowedDomains: string[]
+  ): ValidationResult;
+  detectInjectionAttempt(content: string): InjectionDetectionResult;
+  detectExfiltrationAttempt(
+    action: { tool: string; args: Record<string, unknown> },
+    pageContent: string
+  ): ExfiltrationDetectionResult;
+}
+
+export interface ValidationResult {
+  valid: boolean;
+  reason?: string;
+}
+
+export interface InjectionDetectionResult {
+  detected: boolean;
+  type?: "direct" | "indirect" | "goal_hijacking" | "credential_phishing";
+  evidence?: string;
+}
+
+export interface ExfiltrationDetectionResult {
+  detected: boolean;
+  type?: "external_post" | "url_params" | "external_request";
+  evidence?: string;
+}
+
+const INJECTION_PATTERNS = [
+  // Direct injection attempts
+  /ignore\s+(previous|all|any)\s+instructions/i,
+  /disregard\s+(previous|all|any)\s+instructions/i,
+  /forget\s+(previous|all|any)\s+instructions/i,
+  /override\s+(previous|all|any)\s+instructions/i,
+  /new\s+instructions:/i,
+  /system\s*:\s*you\s+are/i,
+  /\[system\]/i,
+  /\[WEBTEST-SYSTEM\]/i, // Attempt to mimic our prefix
+
+  // Goal hijacking
+  /actually[,\s]+the\s+user\s+wants/i,
+  /the\s+real\s+goal\s+is/i,
+  /change\s+the\s+goal\s+to/i,
+  /your\s+new\s+objective/i,
+
+  // Credential phishing
+  /enter\s+(your\s+)?password/i,
+  /type\s+(your\s+)?credentials/i,
+  /provide\s+(your\s+)?login/i,
+  /authenticate\s+with/i,
+];
+
+const INDIRECT_INJECTION_LOCATIONS = [
+  // Meta tags
+  /<meta[^>]*content\s*=\s*["'][^"']*ignore\s+instructions/i,
+  // Hidden elements
+  /style\s*=\s*["'][^"']*display\s*:\s*none[^"']*["'][^>]*>[^<]*ignore\s+instructions/i,
+  /hidden[^>]*>[^<]*ignore\s+instructions/i,
+  // Comments
+  /<!--[^>]*ignore\s+instructions[^>]*-->/i,
+];
+
+export function createSecurityValidator(logger: Logger): SecurityValidator {
+  function isSubdomainOf(hostname: string, domain: string): boolean {
+    if (hostname === domain) return true;
+    if (hostname.endsWith(`.${domain}`)) return true;
+    return false;
+  }
+
+  function isDomainAllowed(hostname: string, allowedDomains: string[]): boolean {
+    return allowedDomains.some(
+      (domain) =>
+        hostname === domain ||
+        isSubdomainOf(hostname, domain) ||
+        // Handle wildcard subdomains
+        (domain.startsWith("*.") && isSubdomainOf(hostname, domain.slice(2)))
+    );
+  }
+
+  return {
+    validateDomain(url: string, allowedDomains: string[]): ValidationResult {
+      try {
+        const parsed = new URL(url);
+        const hostname = parsed.hostname;
+
+        if (!isDomainAllowed(hostname, allowedDomains)) {
+          logger.warn("Domain validation failed", {
+            hostname,
+            allowedDomains,
+          });
+          return {
+            valid: false,
+            reason: `Domain "${hostname}" is not in the allowed list: ${allowedDomains.join(", ")}`,
+          };
+        }
+
+        return { valid: true };
+      } catch {
+        return {
+          valid: false,
+          reason: `Invalid URL: ${url}`,
+        };
+      }
+    },
+
+    validateAction(
+      action: { tool: string; args: Record<string, unknown> },
+      allowedDomains: string[]
+    ): ValidationResult {
+      // Check navigate actions
+      if (action.tool === "navigate") {
+        const url = action.args.url as string;
+        if (url) {
+          return this.validateDomain(url, allowedDomains);
+        }
+      }
+
+      // Check click actions that might navigate
+      if (action.tool === "click") {
+        // We can't know the target URL before clicking, but we'll validate after
+        return { valid: true };
+      }
+
+      // Check evaluate/run_code for external requests
+      if (action.tool === "evaluate") {
+        const script = action.args.script as string;
+        if (script) {
+          // Check for fetch/XMLHttpRequest to external domains
+          const fetchMatch = script.match(
+            /fetch\s*\(\s*['"]([^'"]+)['"]/
+          );
+          if (fetchMatch) {
+            const fetchUrl = fetchMatch[1];
+            if (fetchUrl.startsWith("http")) {
+              const result = this.validateDomain(fetchUrl, allowedDomains);
+              if (!result.valid) {
+                logger.warn("Blocked external request in evaluate", {
+                  url: fetchUrl,
+                });
+                return {
+                  valid: false,
+                  reason: `Script attempts to fetch from disallowed domain: ${fetchUrl}`,
+                };
+              }
+            }
+          }
+        }
+      }
+
+      return { valid: true };
+    },
+
+    detectInjectionAttempt(content: string): InjectionDetectionResult {
+      // Check for direct injection patterns
+      for (const pattern of INJECTION_PATTERNS) {
+        if (pattern.test(content)) {
+          const match = content.match(pattern);
+          logger.warn("Potential injection attempt detected", {
+            pattern: pattern.source,
+            match: match?.[0],
+          });
+
+          let type: InjectionDetectionResult["type"] = "direct";
+          if (
+            pattern.source.includes("actually") ||
+            pattern.source.includes("goal")
+          ) {
+            type = "goal_hijacking";
+          } else if (
+            pattern.source.includes("password") ||
+            pattern.source.includes("credential")
+          ) {
+            type = "credential_phishing";
+          }
+
+          return {
+            detected: true,
+            type,
+            evidence: match?.[0],
+          };
+        }
+      }
+
+      // Check for indirect injection in specific locations
+      for (const pattern of INDIRECT_INJECTION_LOCATIONS) {
+        if (pattern.test(content)) {
+          const match = content.match(pattern);
+          logger.warn("Potential indirect injection detected", {
+            pattern: pattern.source,
+            match: match?.[0]?.slice(0, 100),
+          });
+
+          return {
+            detected: true,
+            type: "indirect",
+            evidence: match?.[0]?.slice(0, 100),
+          };
+        }
+      }
+
+      return { detected: false };
+    },
+
+    detectExfiltrationAttempt(
+      action: { tool: string; args: Record<string, unknown> },
+      pageContent: string
+    ): ExfiltrationDetectionResult {
+      // Check for POST to external domain
+      if (action.tool === "evaluate") {
+        const script = action.args.script as string;
+        if (script) {
+          // Check for POST requests
+          if (
+            script.includes("method") &&
+            script.includes("POST") &&
+            script.includes("fetch")
+          ) {
+            logger.warn("Potential data exfiltration via POST", {
+              scriptSnippet: script.slice(0, 200),
+            });
+            return {
+              detected: true,
+              type: "external_post",
+              evidence: "POST request detected in evaluate script",
+            };
+          }
+
+          // Check for embedding page content in URLs
+          const contentSnippets = pageContent
+            .slice(0, 100)
+            .replace(/[^a-zA-Z0-9]/g, "")
+            .toLowerCase();
+
+          if (script.toLowerCase().includes(contentSnippets) && contentSnippets.length > 20) {
+            logger.warn("Potential data exfiltration via URL params", {
+              contentSnippet: contentSnippets.slice(0, 50),
+            });
+            return {
+              detected: true,
+              type: "url_params",
+              evidence: "Page content detected in script URL",
+            };
+          }
+        }
+      }
+
+      return { detected: false };
+    },
+  };
+}
+
+/**
+ * Creates a semantic DOM signature for loop detection.
+ * Includes both structural elements and semantic content to differentiate
+ * pages with similar structure but different content (e.g., product vs cart pages).
+ *
+ * @param html - The HTML content to fingerprint
+ * @param urlPath - Optional URL path to include in signature (without query params)
+ */
+export function createDomSignature(html: string, urlPath?: string): string {
+  // Create a semantic hash of the DOM
+  // This helps detect when we're stuck in a loop on the same page state
+  // while avoiding false positives on structurally similar but semantically different pages
+
+  const elements: string[] = [];
+
+  // Include URL path if provided (helps differentiate /cart from /products)
+  if (urlPath) {
+    // Extract path without query params
+    const pathOnly = urlPath.split("?")[0];
+    elements.push(`path:${pathOnly}`);
+  }
+
+  // Extract page title
+  const titleMatch = html.match(/<title[^>]*>([^<]*)<\/title>/i);
+  if (titleMatch && titleMatch[1]) {
+    elements.push(`title:${titleMatch[1].trim().slice(0, 50)}`);
+  }
+
+  // Extract first h1 heading
+  const h1Match = html.match(/<h1[^>]*>([^<]*)<\/h1>/i);
+  if (h1Match && h1Match[1]) {
+    elements.push(`h1:${h1Match[1].trim().slice(0, 50)}`);
+  }
+
+  // Extract structural elements
+  const structuralPatterns = [
+    /<(form|nav|header|footer|main|article|section|aside)[^>]*>/gi,
+    /<input[^>]*type=["']([^"']+)["'][^>]*>/gi,
+  ];
+
+  for (const pattern of structuralPatterns) {
+    const matches = html.matchAll(pattern);
+    for (const match of matches) {
+      elements.push(match[1] || match[0]);
+    }
+  }
+
+  // Extract button text content (semantic differentiation)
+  const buttonPattern = /<button[^>]*>([^<]*)<\/button>/gi;
+  const buttonMatches = html.matchAll(buttonPattern);
+  for (const match of buttonMatches) {
+    const text = match[1]?.trim();
+    if (text && text.length > 0 && text.length < 50) {
+      elements.push(`btn:${text}`);
+    }
+  }
+
+  // Extract link hrefs (limited to internal links)
+  const linkPattern = /<a[^>]*href=["']([^"'#][^"']*)["'][^>]*>/gi;
+  const linkMatches = html.matchAll(linkPattern);
+  const links: string[] = [];
+  for (const match of linkMatches) {
+    const href = match[1];
+    // Only include internal links (relative or same-domain)
+    if (href && !href.startsWith("http") && !href.startsWith("//")) {
+      links.push(href.split("?")[0]); // Strip query params
+    }
+  }
+  // Include sorted unique links (limit to first 10)
+  const uniqueLinks = [...new Set(links)].sort().slice(0, 10);
+  for (const link of uniqueLinks) {
+    elements.push(`link:${link}`);
+  }
+
+  // Extract data-testid attributes (stable identifiers)
+  const testIdPattern = /data-testid=["']([^"']+)["']/gi;
+  const testIdMatches = html.matchAll(testIdPattern);
+  for (const match of testIdMatches) {
+    if (match[1]) {
+      elements.push(`testid:${match[1]}`);
+    }
+  }
+
+  // Extract data-page or data-view attributes
+  const dataPagePattern = /data-(?:page|view|section)=["']([^"']+)["']/gi;
+  const dataPageMatches = html.matchAll(dataPagePattern);
+  for (const match of dataPageMatches) {
+    if (match[1]) {
+      elements.push(`datapage:${match[1]}`);
+    }
+  }
+
+  // Sort and join for consistent hashing
+  elements.sort();
+  const signature = elements.join("|");
+
+  // Simple hash
+  let hash = 0;
+  for (let i = 0; i < signature.length; i++) {
+    const char = signature.charCodeAt(i);
+    hash = (hash << 5) - hash + char;
+    hash = hash & hash;
+  }
+
+  return hash.toString(16);
+}