tryassay 0.32.0 → 0.33.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cli.js +55 -0
- package/dist/cli.js.map +1 -1
- package/dist/commands/assess.js +73 -0
- package/dist/commands/assess.js.map +1 -1
- package/dist/commands/bounty-chain.d.ts +1 -0
- package/dist/commands/bounty-chain.js +34 -0
- package/dist/commands/bounty-chain.js.map +1 -0
- package/dist/commands/bounty-check.d.ts +10 -0
- package/dist/commands/bounty-check.js +104 -0
- package/dist/commands/bounty-check.js.map +1 -0
- package/dist/commands/bounty-discover.d.ts +6 -0
- package/dist/commands/bounty-discover.js +45 -0
- package/dist/commands/bounty-discover.js.map +1 -0
- package/dist/commands/bounty-scan.d.ts +7 -0
- package/dist/commands/bounty-scan.js +312 -0
- package/dist/commands/bounty-scan.js.map +1 -0
- package/dist/commands/bounty-watch.d.ts +9 -0
- package/dist/commands/bounty-watch.js +210 -0
- package/dist/commands/bounty-watch.js.map +1 -0
- package/dist/commands/hunt.d.ts +11 -0
- package/dist/commands/hunt.js +216 -0
- package/dist/commands/hunt.js.map +1 -0
- package/dist/hunt/__tests__/deep-dive.test.d.ts +1 -0
- package/dist/hunt/__tests__/deep-dive.test.js +102 -0
- package/dist/hunt/__tests__/deep-dive.test.js.map +1 -0
- package/dist/hunt/__tests__/discovery.test.d.ts +1 -0
- package/dist/hunt/__tests__/discovery.test.js +55 -0
- package/dist/hunt/__tests__/discovery.test.js.map +1 -0
- package/dist/hunt/__tests__/e2e.test.d.ts +1 -0
- package/dist/hunt/__tests__/e2e.test.js +261 -0
- package/dist/hunt/__tests__/e2e.test.js.map +1 -0
- package/dist/hunt/__tests__/matcher.test.d.ts +1 -0
- package/dist/hunt/__tests__/matcher.test.js +63 -0
- package/dist/hunt/__tests__/matcher.test.js.map +1 -0
- package/dist/hunt/__tests__/orchestrator.test.d.ts +1 -0
- package/dist/hunt/__tests__/orchestrator.test.js +73 -0
- package/dist/hunt/__tests__/orchestrator.test.js.map +1 -0
- package/dist/hunt/__tests__/parse-utils.test.d.ts +1 -0
- package/dist/hunt/__tests__/parse-utils.test.js +28 -0
- package/dist/hunt/__tests__/parse-utils.test.js.map +1 -0
- package/dist/hunt/__tests__/state.test.d.ts +1 -0
- package/dist/hunt/__tests__/state.test.js +49 -0
- package/dist/hunt/__tests__/state.test.js.map +1 -0
- package/dist/hunt/__tests__/templates.test.d.ts +1 -0
- package/dist/hunt/__tests__/templates.test.js +32 -0
- package/dist/hunt/__tests__/templates.test.js.map +1 -0
- package/dist/hunt/__tests__/triage.test.d.ts +1 -0
- package/dist/hunt/__tests__/triage.test.js +91 -0
- package/dist/hunt/__tests__/triage.test.js.map +1 -0
- package/dist/hunt/__tests__/types.test.d.ts +1 -0
- package/dist/hunt/__tests__/types.test.js +65 -0
- package/dist/hunt/__tests__/types.test.js.map +1 -0
- package/dist/hunt/deep-dive.d.ts +8 -0
- package/dist/hunt/deep-dive.js +86 -0
- package/dist/hunt/deep-dive.js.map +1 -0
- package/dist/hunt/discovery.d.ts +15 -0
- package/dist/hunt/discovery.js +116 -0
- package/dist/hunt/discovery.js.map +1 -0
- package/dist/hunt/matcher.d.ts +8 -0
- package/dist/hunt/matcher.js +27 -0
- package/dist/hunt/matcher.js.map +1 -0
- package/dist/hunt/orchestrator.d.ts +27 -0
- package/dist/hunt/orchestrator.js +91 -0
- package/dist/hunt/orchestrator.js.map +1 -0
- package/dist/hunt/parse-utils.d.ts +2 -0
- package/dist/hunt/parse-utils.js +17 -0
- package/dist/hunt/parse-utils.js.map +1 -0
- package/dist/hunt/state.d.ts +5 -0
- package/dist/hunt/state.js +35 -0
- package/dist/hunt/state.js.map +1 -0
- package/dist/hunt/templates/auth-bypass.d.ts +2 -0
- package/dist/hunt/templates/auth-bypass.js +80 -0
- package/dist/hunt/templates/auth-bypass.js.map +1 -0
- package/dist/hunt/templates/cors-misconfig.d.ts +2 -0
- package/dist/hunt/templates/cors-misconfig.js +88 -0
- package/dist/hunt/templates/cors-misconfig.js.map +1 -0
- package/dist/hunt/templates/csrf-bypass.d.ts +2 -0
- package/dist/hunt/templates/csrf-bypass.js +65 -0
- package/dist/hunt/templates/csrf-bypass.js.map +1 -0
- package/dist/hunt/templates/index.d.ts +3 -0
- package/dist/hunt/templates/index.js +29 -0
- package/dist/hunt/templates/index.js.map +1 -0
- package/dist/hunt/templates/injection.d.ts +2 -0
- package/dist/hunt/templates/injection.js +103 -0
- package/dist/hunt/templates/injection.js.map +1 -0
- package/dist/hunt/templates/open-redirect.d.ts +2 -0
- package/dist/hunt/templates/open-redirect.js +93 -0
- package/dist/hunt/templates/open-redirect.js.map +1 -0
- package/dist/hunt/templates/path-traversal.d.ts +2 -0
- package/dist/hunt/templates/path-traversal.js +94 -0
- package/dist/hunt/templates/path-traversal.js.map +1 -0
- package/dist/hunt/templates/prototype-pollution.d.ts +2 -0
- package/dist/hunt/templates/prototype-pollution.js +108 -0
- package/dist/hunt/templates/prototype-pollution.js.map +1 -0
- package/dist/hunt/templates/ssrf.d.ts +2 -0
- package/dist/hunt/templates/ssrf.js +75 -0
- package/dist/hunt/templates/ssrf.js.map +1 -0
- package/dist/hunt/templates/timing-attack.d.ts +2 -0
- package/dist/hunt/templates/timing-attack.js +108 -0
- package/dist/hunt/templates/timing-attack.js.map +1 -0
- package/dist/hunt/templates/weak-random.d.ts +2 -0
- package/dist/hunt/templates/weak-random.js +73 -0
- package/dist/hunt/templates/weak-random.js.map +1 -0
- package/dist/hunt/triage.d.ts +8 -0
- package/dist/hunt/triage.js +78 -0
- package/dist/hunt/triage.js.map +1 -0
- package/dist/lib/__tests__/bounty-scan.test.d.ts +1 -0
- package/dist/lib/__tests__/bounty-scan.test.js +15 -0
- package/dist/lib/__tests__/bounty-scan.test.js.map +1 -0
- package/dist/lib/__tests__/chain-analyzer.test.d.ts +1 -0
- package/dist/lib/__tests__/chain-analyzer.test.js +47 -0
- package/dist/lib/__tests__/chain-analyzer.test.js.map +1 -0
- package/dist/lib/__tests__/finding-dedup.test.d.ts +1 -0
- package/dist/lib/__tests__/finding-dedup.test.js +30 -0
- package/dist/lib/__tests__/finding-dedup.test.js.map +1 -0
- package/dist/lib/__tests__/learned-rules.test.js +25 -0
- package/dist/lib/__tests__/learned-rules.test.js.map +1 -1
- package/dist/lib/__tests__/novelty-checker.test.d.ts +1 -0
- package/dist/lib/__tests__/novelty-checker.test.js +57 -0
- package/dist/lib/__tests__/novelty-checker.test.js.map +1 -0
- package/dist/lib/__tests__/program-registry.test.d.ts +1 -0
- package/dist/lib/__tests__/program-registry.test.js +40 -0
- package/dist/lib/__tests__/program-registry.test.js.map +1 -0
- package/dist/lib/__tests__/retry.test.d.ts +1 -0
- package/dist/lib/__tests__/retry.test.js +23 -0
- package/dist/lib/__tests__/retry.test.js.map +1 -0
- package/dist/lib/__tests__/watchlist.test.d.ts +1 -0
- package/dist/lib/__tests__/watchlist.test.js +88 -0
- package/dist/lib/__tests__/watchlist.test.js.map +1 -0
- package/dist/lib/chain-analyzer.d.ts +25 -0
- package/dist/lib/chain-analyzer.js +105 -0
- package/dist/lib/chain-analyzer.js.map +1 -0
- package/dist/lib/finding-dedup.d.ts +2 -0
- package/dist/lib/finding-dedup.js +9 -0
- package/dist/lib/finding-dedup.js.map +1 -0
- package/dist/lib/issue-reporter.d.ts +13 -0
- package/dist/lib/issue-reporter.js +51 -0
- package/dist/lib/issue-reporter.js.map +1 -0
- package/dist/lib/novelty-checker.d.ts +60 -0
- package/dist/lib/novelty-checker.js +223 -0
- package/dist/lib/novelty-checker.js.map +1 -0
- package/dist/lib/program-registry.d.ts +12 -0
- package/dist/lib/program-registry.js +18 -0
- package/dist/lib/program-registry.js.map +1 -0
- package/dist/lib/retry.d.ts +5 -0
- package/dist/lib/retry.js +19 -0
- package/dist/lib/retry.js.map +1 -0
- package/dist/lib/watchlist.d.ts +23 -0
- package/dist/lib/watchlist.js +31 -0
- package/dist/lib/watchlist.js.map +1 -0
- package/dist/runtime/safe-executor.js +1 -1
- package/dist/runtime/safe-executor.js.map +1 -1
- package/dist/runtime/types.d.ts +1 -1
- package/dist/sdk/forward-verify.js +1 -1
- package/dist/sdk/forward-verify.js.map +1 -1
- package/dist/types.d.ts +45 -0
- package/package.json +1 -1
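--- a/package/dist/commands/hunt.js
+++ b/package/dist/commands/hunt.js
@@ -0,0 +1,216 @@
+import { resolve } from 'node:path';
+import { HuntOrchestrator } from '../hunt/orchestrator.js';
+import { saveState, loadState, getStateDir } from '../hunt/state.js';
+import { discoverSecurityFiles } from '../hunt/discovery.js';
+import { getProvider } from '../lib/llm-provider.js';
+// ── Formatting helpers ─────────────────────────────────────────
+const CONFIDENCE_COLORS = {
+high: '\x1b[31m', // red
+medium: '\x1b[33m', // yellow
+low: '\x1b[36m', // cyan
+};
+const RESET = '\x1b[0m';
+const BOLD = '\x1b[1m';
+function colorConfidence(level) {
+const color = CONFIDENCE_COLORS[level] ?? '';
+return `${color}${level.toUpperCase()}${RESET}`;
+}
+function printHypothesesTable(hypotheses) {
+if (hypotheses.length === 0) {
+console.log(' No hypotheses found matching the criteria.');
+return;
+}
+const header = ['#', 'Confidence', 'Template', 'File', 'Summary'];
+const rows = hypotheses.map(h => [
+String(h.id),
+h.confidence.toUpperCase(),
+h.templateId,
+h.file.length > 40 ? '...' + h.file.slice(-37) : h.file,
+h.summary.length > 60 ? h.summary.slice(0, 57) + '...' : h.summary,
+]);
+// Compute column widths
+const widths = header.map((h, i) => Math.max(h.length, ...rows.map(r => r[i].length)));
+const separator = '+' + widths.map(w => '-'.repeat(w + 2)).join('+') + '+';
+const formatRow = (cells, useColor) => {
+const formatted = cells.map((cell, i) => {
+const padded = cell.padEnd(widths[i]);
+if (useColor && i === 1) {
+const color = CONFIDENCE_COLORS[cell.toLowerCase()] ?? '';
+return ` ${color}${padded}${RESET} `;
+}
+return ` ${padded} `;
+});
+return '|' + formatted.join('|') + '|';
+};
+console.log(separator);
+console.log(formatRow(header));
+console.log(separator);
+for (const row of rows) {
+console.log(formatRow(row, true));
+}
+console.log(separator);
+}
+function printFinding(finding) {
+const severityColor = finding.severity === 'critical' || finding.severity === 'high'
+? '\x1b[31m' : '\x1b[33m';
+console.log('');
+console.log(`${BOLD}════════════════════════════════════════════════════════════${RESET}`);
+console.log(`${BOLD}FINDING: ${finding.title}${RESET}`);
+console.log(` File: ${finding.file}${finding.line ? `:${finding.line}` : ''}`);
+console.log(` CWE: ${finding.cwe}`);
+console.log(` Severity: ${severityColor}${finding.severity.toUpperCase()}${RESET}`);
+console.log('');
+console.log(`${BOLD}ATTACK SCENARIO${RESET}`);
+console.log(indent(finding.attackScenario, 2));
+console.log('');
+console.log(`${BOLD}REPRODUCTION${RESET}`);
+console.log(indent(finding.reproductionSteps, 2));
+console.log('');
+console.log(`${BOLD}EVIDENCE${RESET}`);
+console.log(indent(finding.evidence, 2));
+console.log('');
+console.log(`${BOLD}RECOMMENDATION${RESET}`);
+console.log(indent(finding.recommendation, 2));
+console.log(`${BOLD}════════════════════════════════════════════════════════════${RESET}`);
+}
+function indent(text, spaces) {
+const pad = ' '.repeat(spaces);
+return text.split('\n').map(line => pad + line).join('\n');
+}
+// ── Main command ───────────────────────────────────────────────
+export async function huntCommand(target, opts) {
+const targetPath = resolve(target);
+const minConfidence = (opts.minConfidence ?? 'low');
+const concurrency = parseInt(opts.concurrency ?? '10', 10);
+const templateFilter = opts.template ? opts.template.split(',').map(s => s.trim()) : undefined;
+const provider = getProvider();
+const stateDir = getStateDir(targetPath, opts.stateDir);
+const orch = new HuntOrchestrator({
+targetPath,
+provider,
+concurrency,
+templateFilter,
+minConfidence,
+});
+// ── Dive mode: deep-dive selected hypotheses from saved state ──
+if (opts.dive) {
+const ids = opts.dive.split(',').map(s => parseInt(s.trim(), 10)).filter(n => !isNaN(n));
+const state = loadState(stateDir);
+if (!state) {
+console.error(`Error: No saved state found at ${stateDir}`);
+console.error('Run without --dive first to generate hypotheses.');
+process.exit(1);
+}
+const selected = state.hypotheses.filter(h => ids.includes(h.id));
+if (selected.length === 0) {
+console.error(`Error: No hypotheses found with IDs: ${ids.join(', ')}`);
+console.error(`Available IDs: ${state.hypotheses.map(h => h.id).join(', ')}`);
+process.exit(1);
+}
+console.log(`\nDeep-diving ${selected.length} hypothesis/hypotheses...`);
+// Load file cache without re-triaging
+const files = discoverSecurityFiles(targetPath);
+orch.loadFiles(files);
+const newFindings = await orch.deepDive(selected);
+// Merge findings into state (avoid duplicates by hypothesisId)
+const existingIds = new Set(state.findings.map(f => f.hypothesisId));
+const merged = [
+...state.findings,
+...newFindings.filter(f => !existingIds.has(f.hypothesisId)),
+];
+const updatedState = { ...state, findings: merged };
+saveState(stateDir, updatedState);
+if (opts.json) {
+console.log(JSON.stringify({ findings: newFindings }, null, 2));
+return;
+}
+if (newFindings.length === 0) {
+console.log('\nNo confirmed findings from deep-dive (all hypotheses were false positives).');
+return;
+}
+console.log(`\n${BOLD}${newFindings.length} confirmed finding(s):${RESET}`);
+for (const finding of newFindings) {
+printFinding(finding);
+}
+return;
+}
+// ── Auto mode: triage + auto deep-dive all HIGH confidence ────
+if (opts.auto) {
+console.log(`\nRunning auto hunt on ${targetPath}...\n`);
+const triageResult = await orch.triage();
+const highConf = triageResult.hypotheses.filter(h => h.confidence === 'high');
+console.log(`\nFound ${triageResult.hypotheses.length} hypotheses total, ${highConf.length} HIGH confidence.`);
+if (!opts.json) {
+printHypothesesTable(triageResult.hypotheses);
+}
+const findings = [];
+if (highConf.length > 0) {
+console.log(`\nAuto deep-diving ${highConf.length} HIGH confidence hypotheses...`);
+const autoFindings = await orch.deepDive(highConf);
+findings.push(...autoFindings);
+}
+const state = buildState(targetPath, triageResult.hypotheses, findings, triageResult.fileHashes, triageResult.filesScanned);
+saveState(stateDir, state);
+if (opts.json) {
+console.log(JSON.stringify({ hypotheses: triageResult.hypotheses, findings }, null, 2));
+return;
+}
+if (findings.length === 0) {
+console.log('\nNo confirmed findings from auto deep-dive.');
+}
+else {
+console.log(`\n${BOLD}${findings.length} confirmed finding(s):${RESET}`);
+for (const finding of findings) {
+printFinding(finding);
+}
+}
+console.log(`\nState saved to: ${stateDir}`);
+console.log(`To deep-dive more hypotheses: assay hunt ${target} --dive <id1,id2,...>`);
+return;
+}
+// ── Default mode: discover → match → triage → display hypotheses ──
+console.log(`\nHunting for vulnerabilities in ${targetPath}...\n`);
+const triageResult = await orch.triage();
+const state = buildState(targetPath, triageResult.hypotheses, [], triageResult.fileHashes, triageResult.filesScanned);
+saveState(stateDir, state);
+if (opts.json) {
+console.log(JSON.stringify({
+hypotheses: triageResult.hypotheses,
+filesScanned: triageResult.filesScanned,
+templateMatchCount: triageResult.templateMatchCount,
+}, null, 2));
+return;
+}
+console.log(`\n${BOLD}Triage complete:${RESET} ${triageResult.filesScanned} files scanned, ${triageResult.templateMatchCount} (file, template) pairs evaluated`);
+console.log(`\n${BOLD}${triageResult.hypotheses.length} hypothesis/hypotheses above confidence threshold:${RESET}\n`);
+printHypothesesTable(triageResult.hypotheses);
+if (triageResult.hypotheses.length > 0) {
+const high = triageResult.hypotheses.filter(h => h.confidence === 'high');
+const ids = triageResult.hypotheses.map(h => h.id).join(',');
+console.log('');
+if (high.length > 0) {
+console.log(`Next steps:`);
+console.log(` Auto deep-dive all HIGH: assay hunt ${target} --auto`);
+console.log(` Deep-dive specific IDs: assay hunt ${target} --dive ${high.map(h => h.id).join(',')}`);
+console.log(` Deep-dive all: assay hunt ${target} --dive ${ids}`);
+}
+else {
+console.log(`Next steps:`);
+console.log(` Deep-dive specific IDs: assay hunt ${target} --dive <id1,id2,...>`);
+console.log(` Deep-dive all: assay hunt ${target} --dive ${ids}`);
+}
+}
+console.log(`\nState saved to: ${stateDir}`);
+}
+// ── Helpers ────────────────────────────────────────────────────
+function buildState(path, hypotheses, findings, fileHashes, filesScanned) {
+return {
+scannedAt: new Date().toISOString(),
+path,
+fileHashes,
+filesScanned,
+hypotheses,
+findings,
+};
+}
+//# sourceMappingURL=hunt.js.map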
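Review bot: `concurrency` on line 84 of the new file goes straight from `parseInt` into `HuntOrchestrator`, so a non-numeric or zero value becomes `NaN`/`0` with no error, and `minConfidence` on line 83 is never checked against the `low`/`medium`/`high` set that `CONFIDENCE_COLORS` and the `'high'` filters later in the file assume; both should be rejected before the orchestrator is built, as in the excerpt below. `colorConfidence` (lines 14–17) is never called — `formatRow` on line 38 repeats the same lookup inline — so it should be removed or used there. `printFinding` and `printHypothesesTable` write `finding.title`, `attackScenario`, `evidence`, `h.summary` and similar fields to the terminal unmodified; those fields appear to come from the model response (the `deep-dive.test.js` added in this release derives them from `complete()` content), so control characters should be stripped before output, e.g. by having `indent` operate on `text.replace(/[\x00-\x08\x0b-\x1f\x7f]/g, '')` rather than raw `text` (and the title and table cells need the same treatment), otherwise a response carrying escape sequences can alter what the operator sees on screen. The `isNaN` on line 97 should be `Number.isNaN`.
```javascript
export async function huntCommand(target, opts) {
  const targetPath = resolve(target);
  const minConfidence = opts.minConfidence ?? 'low';
  if (!['low', 'medium', 'high'].includes(minConfidence)) {
    console.error(`Error: minConfidence must be one of low, medium, high (got "${minConfidence}")`);
    process.exit(1);
  }
  const concurrency = Number.parseInt(opts.concurrency ?? '10', 10);
  if (!Number.isInteger(concurrency) || concurrency < 1) {
    console.error(`Error: concurrency must be a positive integer (got "${opts.concurrency}")`);
    process.exit(1);
  }
  // … unchanged: templateFilter, provider, stateDir, orchestrator construction and the three modes …
```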
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"hunt.js","sourceRoot":"","sources":["../../src/commands/hunt.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,SAAS,EAAE,SAAS,EAAkB,WAAW,EAAE,MAAM,kBAAkB,CAAC;AACrF,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAerD,kEAAkE;AAElE,MAAM,iBAAiB,GAA2B;IAChD,IAAI,EAAI,UAAU,EAAE,MAAM;IAC1B,MAAM,EAAE,UAAU,EAAE,SAAS;IAC7B,GAAG,EAAK,UAAU,EAAE,OAAO;CAC5B,CAAC;AACF,MAAM,KAAK,GAAG,SAAS,CAAC;AACxB,MAAM,IAAI,GAAI,SAAS,CAAC;AAExB,SAAS,eAAe,CAAC,KAAa;IACpC,MAAM,KAAK,GAAG,iBAAiB,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;IAC7C,OAAO,GAAG,KAAK,GAAG,KAAK,CAAC,WAAW,EAAE,GAAG,KAAK,EAAE,CAAC;AAClD,CAAC;AAED,SAAS,oBAAoB,CAAC,UAA4B;IACxD,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5B,OAAO,CAAC,GAAG,CAAC,8CAA8C,CAAC,CAAC;QAC5D,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG,CAAC,GAAG,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;IAClE,MAAM,IAAI,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/B,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;QACZ,CAAC,CAAC,UAAU,CAAC,WAAW,EAAE;QAC1B,CAAC,CAAC,UAAU;QACZ,CAAC,CAAC,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI;QACvD,CAAC,CAAC,OAAO,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO;KACnE,CAAC,CAAC;IAEH,wBAAwB;IACxB,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CACjC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAClD,CAAC;IAEF,MAAM,SAAS,GAAG,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;IAC3E,MAAM,SAAS,GAAG,CAAC,KAAe,EAAE,QAAkB,EAAE,EAAE;QACxD,MAAM,SAAS,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE;YACtC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;YACtC,IAAI,QAAQ,IAAI,CAAC,KAAK,CAAC,EAAE,CA
AC;gBACxB,MAAM,KAAK,GAAG,iBAAiB,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC;gBAC1D,OAAO,IAAI,KAAK,GAAG,MAAM,GAAG,KAAK,GAAG,CAAC;YACvC,CAAC;YACD,OAAO,IAAI,MAAM,GAAG,CAAC;QACvB,CAAC,CAAC,CAAC;QACH,OAAO,GAAG,GAAG,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;IACzC,CAAC,CAAC;IAEF,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACvB,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IAC/B,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACvB,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC;IACpC,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;AACzB,CAAC;AAED,SAAS,YAAY,CAAC,OAAoB;IACxC,MAAM,aAAa,GAAG,OAAO,CAAC,QAAQ,KAAK,UAAU,IAAI,OAAO,CAAC,QAAQ,KAAK,MAAM;QAClF,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC;IAE5B,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,+DAA+D,KAAK,EAAE,CAAC,CAAC;IAC3F,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,YAAY,OAAO,CAAC,KAAK,GAAG,KAAK,EAAE,CAAC,CAAC;IACxD,OAAO,CAAC,GAAG,CAAC,WAAW,OAAO,CAAC,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAChF,OAAO,CAAC,GAAG,CAAC,WAAW,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;IACtC,OAAO,CAAC,GAAG,CAAC,eAAe,aAAa,GAAG,OAAO,CAAC,QAAQ,CAAC,WAAW,EAAE,GAAG,KAAK,EAAE,CAAC,CAAC;IACrF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,kBAAkB,KAAK,EAAE,CAAC,CAAC;IAC9C,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC,CAAC;IAC/C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,eAAe,KAAK,EAAE,CAAC,CAAC;IAC3C,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,iBAAiB,EAAE,CAAC,CAAC,CAAC,CAAC;IAClD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,WAAW,KAAK,EAAE,CAAC,CAAC;IACvC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC;IACzC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,iBAAiB,KAAK,EAAE,CAAC,CAAC;IAC7C,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC,CAAC;IAC/C,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,+DAA+D,KAAK,EAAE,CAAC,CAAC;AAC7F,CAAC
;AAED,SAAS,MAAM,CAAC,IAAY,EAAE,MAAc;IAC1C,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC/B,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC7D,CAAC;AAED,kEAAkE;AAElE,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,MAAc,EACd,IAAwB;IAExB,MAAM,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACnC,MAAM,aAAa,GAAG,CAAC,IAAI,CAAC,aAAa,IAAI,KAAK,CAA8B,CAAC;IACjF,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC,WAAW,IAAI,IAAI,EAAE,EAAE,CAAC,CAAC;IAC3D,MAAM,cAAc,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAE/F,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC;IAC/B,MAAM,QAAQ,GAAG,WAAW,CAAC,UAAU,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;IAExD,MAAM,IAAI,GAAG,IAAI,gBAAgB,CAAC;QAChC,UAAU;QACV,QAAQ;QACR,WAAW;QACX,cAAc;QACd,aAAa;KACd,CAAC,CAAC;IAEH,kEAAkE;IAClE,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QACd,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QAEzF,MAAM,KAAK,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;QAClC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,CAAC,KAAK,CAAC,kCAAkC,QAAQ,EAAE,CAAC,CAAC;YAC5D,OAAO,CAAC,KAAK,CAAC,kDAAkD,CAAC,CAAC;YAClE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,QAAQ,GAAG,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QAClE,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1B,OAAO,CAAC,KAAK,CAAC,wCAAwC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACxE,OAAO,CAAC,KAAK,CAAC,kBAAkB,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAC9E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,iBAAiB,QAAQ,CAAC,MAAM,2BAA2B,CAAC,CAAC;QAEzE,sCAAsC;QACtC,MAAM,KAAK,GAAG,qBAAqB,CAAC,UAAU,CAAC,CAAC;QAChD,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAEtB,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,QA
AQ,CAAC,CAAC;QAElD,+DAA+D;QAC/D,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC;QACrE,MAAM,MAAM,GAAG;YACb,GAAG,KAAK,CAAC,QAAQ;YACjB,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC;SAC7D,CAAC;QAEF,MAAM,YAAY,GAAG,EAAE,GAAG,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;QACpD,SAAS,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;QAElC,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACd,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,WAAW,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;YAChE,OAAO;QACT,CAAC;QAED,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC7B,OAAO,CAAC,GAAG,CAAC,+EAA+E,CAAC,CAAC;YAC7F,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,GAAG,WAAW,CAAC,MAAM,yBAAyB,KAAK,EAAE,CAAC,CAAC;QAC5E,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE,CAAC;YAClC,YAAY,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;QACD,OAAO;IACT,CAAC;IAED,iEAAiE;IACjE,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QACd,OAAO,CAAC,GAAG,CAAC,0BAA0B,UAAU,OAAO,CAAC,CAAC;QACzD,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,MAAM,EAAE,CAAC;QAEzC,MAAM,QAAQ,GAAG,YAAY,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,MAAM,CAAC,CAAC;QAC9E,OAAO,CAAC,GAAG,CAAC,WAAW,YAAY,CAAC,UAAU,CAAC,MAAM,sBAAsB,QAAQ,CAAC,MAAM,mBAAmB,CAAC,CAAC;QAE/G,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YACf,oBAAoB,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC;QAChD,CAAC;QAED,MAAM,QAAQ,GAAkB,EAAE,CAAC;QACnC,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,OAAO,CAAC,GAAG,CAAC,sBAAsB,QAAQ,CAAC,MAAM,gCAAgC,CAAC,CAAC;YACnF,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACnD,QAAQ,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,CAAC;QACjC,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,UAAU,EAAE,YAAY,CAAC,UAAU,EAAE,QAAQ,EAAE,YAAY,CAAC,UAAU,EAAE,YAAY,CAAC,YAAY,CAAC,CAAC;QAC5H,SAAS,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;QAE3B,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACd,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,UAAU,EAAE,YAAY,CAAC,UAAU,EAAE,QAAQ,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;YACxF,OAAO;QACT,CAAC;QAED,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1B,OAAO,CAAC,GAAG,CAAC,8CAA8C,CAAC,CAAC;QAC9D,
CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,GAAG,QAAQ,CAAC,MAAM,yBAAyB,KAAK,EAAE,CAAC,CAAC;YACzE,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;gBAC/B,YAAY,CAAC,OAAO,CAAC,CAAC;YACxB,CAAC;QACH,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,qBAAqB,QAAQ,EAAE,CAAC,CAAC;QAC7C,OAAO,CAAC,GAAG,CAAC,4CAA4C,MAAM,uBAAuB,CAAC,CAAC;QACvF,OAAO;IACT,CAAC;IAED,qEAAqE;IACrE,OAAO,CAAC,GAAG,CAAC,oCAAoC,UAAU,OAAO,CAAC,CAAC;IAEnE,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,MAAM,EAAE,CAAC;IAEzC,MAAM,KAAK,GAAG,UAAU,CAAC,UAAU,EAAE,YAAY,CAAC,UAAU,EAAE,EAAE,EAAE,YAAY,CAAC,UAAU,EAAE,YAAY,CAAC,YAAY,CAAC,CAAC;IACtH,SAAS,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IAE3B,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QACd,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC;YACzB,UAAU,EAAE,YAAY,CAAC,UAAU;YACnC,YAAY,EAAE,YAAY,CAAC,YAAY;YACvC,kBAAkB,EAAE,YAAY,CAAC,kBAAkB;SACpD,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QACb,OAAO;IACT,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,mBAAmB,KAAK,IAAI,YAAY,CAAC,YAAY,mBAAmB,YAAY,CAAC,kBAAkB,mCAAmC,CAAC,CAAC;IACjK,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,GAAG,YAAY,CAAC,UAAU,CAAC,MAAM,qDAAqD,KAAK,IAAI,CAAC,CAAC;IAEtH,oBAAoB,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC;IAE9C,IAAI,YAAY,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,GAAG,YAAY,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,MAAM,CAAC,CAAC;QAC1E,MAAM,GAAG,GAAG,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAE7D,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpB,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;YAC3B,OAAO,CAAC,GAAG,CAAC,0CAA0C,MAAM,SAAS,CAAC,CAAC;YACvE,OAAO,CAAC,GAAG,CAAC,0CAA0C,MAAM,WAAW,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YACxG,OAAO,CAAC,GAAG,CAAC,0CAA0C,MAAM,WAAW,GAAG,EAAE,CAAC,CAAC;QAChF,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;YAC3B,OAAO,CAAC,GAAG,CAAC,0CAA0C,MAAM,uBAAuB,CAAC,CAAC;YACrF,OAAO,CAAC,GAAG,CAAC,0CAA0C,MAAM,WAAW,GAAG,EAAE,CAAC,CAAC;QAChF,CAAC;IACH,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,qBAAqB,QAAQ,EAAE,CAAC,CAAC;AAC
/C,CAAC;AAED,kEAAkE;AAElE,SAAS,UAAU,CACjB,IAAY,EACZ,UAA4B,EAC5B,QAAuB,EACvB,UAAkC,EAClC,YAAoB;IAEpB,OAAO;QACL,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,IAAI;QACJ,UAAU;QACV,YAAY;QACZ,UAAU;QACV,QAAQ;KACT,CAAC;AACJ,CAAC"}
|
|
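--- a/package/dist/hunt/__tests__/deep-dive.test.d.ts
+++ b/package/dist/hunt/__tests__/deep-dive.test.d.ts
@@ -0,0 +1 @@
+export {};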
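--- a/package/dist/hunt/__tests__/deep-dive.test.js
+++ b/package/dist/hunt/__tests__/deep-dive.test.js
@@ -0,0 +1,102 @@
+import { describe, it, expect, vi } from 'vitest';
+import { runDeepDive, buildDeepDivePrompt } from '../deep-dive.js';
+const makeFile = () => ({
+relativePath: 'src/csrf.ts',
+absolutePath: '/tmp/src/csrf.ts',
+content: 'function matchWildcard(origin, pattern) { /* ... */ }',
+imports: [],
+exports: [],
+functions: ['matchWildcard'],
+contentHash: 'abc',
+isLowPriority: false,
+});
+const makeHypothesis = () => ({
+id: 1,
+templateId: 'csrf-bypass',
+file: 'src/csrf.ts',
+confidence: 'high',
+summary: 'Wildcard matching accepts TLD',
+attackerControl: 'Origin header',
+impact: 'CSRF bypass',
+});
+const makeTemplate = () => ({
+id: 'csrf-bypass',
+name: 'CSRF Bypass',
+cwe: 'CWE-352',
+filePatterns: [],
+triagePrompt: '',
+deepDivePrompt: 'Verify the CSRF bypass is exploitable.',
+knownBypasses: ['TLD wildcard'],
+specReferences: ['RFC 6454'],
+severityRange: ['medium', 'critical'],
+});
+describe('buildDeepDivePrompt', () => {
+it('includes hypothesis and template knowledge', () => {
+const { systemPrompt, userPrompt } = buildDeepDivePrompt(makeTemplate(), makeHypothesis(), makeFile());
+expect(systemPrompt).toContain('CSRF Bypass');
+expect(systemPrompt).toContain('TLD wildcard');
+expect(userPrompt).toContain('Wildcard matching accepts TLD');
+expect(userPrompt).toContain('<analyzed-code>');
+});
+});
+describe('runDeepDive', () => {
+it('parses confirmed finding', async () => {
+const mockProvider = {
+type: 'api',
+complete: vi.fn().mockResolvedValue({
+content: JSON.stringify({
+confirmed: true,
+title: 'CSRF Bypass via TLD Wildcard',
+severity: 'high',
+cwe: 'CWE-352',
+attack_scenario: '1. Register evil.com\n2. Send request',
+reproduction_steps: 'curl -X POST ...',
+evidence: 'Line 42: matchWildcard returns true for *.com',
+recommendation: 'Reject TLD wildcards',
+false_positive_reason: null,
+}),
+inputTokens: 500,
+outputTokens: 200,
+provider: 'api',
+durationMs: 1000,
+}),
+};
+const result = await runDeepDive(makeTemplate(), makeHypothesis(), makeFile(), mockProvider);
+expect(result).not.toBeNull();
+expect(result.confirmed).toBe(true);
+expect(result.severity).toBe('high');
+expect(result.title).toContain('CSRF');
+});
+it('returns null for unconfirmed hypothesis', async () => {
+const mockProvider = {
+type: 'api',
+complete: vi.fn().mockResolvedValue({
+content: JSON.stringify({
+confirmed: false,
+false_positive_reason: 'Origin check is correct',
+}),
+inputTokens: 500,
+outputTokens: 100,
+provider: 'api',
+durationMs: 800,
+}),
+};
+const result = await runDeepDive(makeTemplate(), makeHypothesis(), makeFile(), mockProvider);
+expect(result).toBeNull();
+});
+it('returns null on malformed response', async () => {
+const mockProvider = {
+type: 'api',
+complete: vi.fn().mockResolvedValue({
+content: 'garbage',
+inputTokens: 100,
+outputTokens: 10,
+provider: 'api',
+durationMs: 200,
+}),
+};
+const result = await runDeepDive(makeTemplate(), makeHypothesis(), makeFile(), mockProvider);
+expect(result).toBeNull();
+});
+});
+//# sourceMappingURL=deep-dive.test.js.map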
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"deep-dive.test.js","sourceRoot":"","sources":["../../../src/hunt/__tests__/deep-dive.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAClD,OAAO,EAAE,WAAW,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AAInE,MAAM,QAAQ,GAAG,GAAmB,EAAE,CAAC,CAAC;IACtC,YAAY,EAAE,aAAa;IAC3B,YAAY,EAAE,kBAAkB;IAChC,OAAO,EAAE,uDAAuD;IAChE,OAAO,EAAE,EAAE;IACX,OAAO,EAAE,EAAE;IACX,SAAS,EAAE,CAAC,eAAe,CAAC;IAC5B,WAAW,EAAE,KAAK;IAClB,aAAa,EAAE,KAAK;CACrB,CAAC,CAAC;AAEH,MAAM,cAAc,GAAG,GAAmB,EAAE,CAAC,CAAC;IAC5C,EAAE,EAAE,CAAC;IACL,UAAU,EAAE,aAAa;IACzB,IAAI,EAAE,aAAa;IACnB,UAAU,EAAE,MAAM;IAClB,OAAO,EAAE,+BAA+B;IACxC,eAAe,EAAE,eAAe;IAChC,MAAM,EAAE,aAAa;CACtB,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,GAAG,EAAE,CAAC,CAAC;IAC1B,EAAE,EAAE,aAAa;IACjB,IAAI,EAAE,aAAa;IACnB,GAAG,EAAE,SAAS;IACd,YAAY,EAAE,EAAc;IAC5B,YAAY,EAAE,EAAE;IAChB,cAAc,EAAE,wCAAwC;IACxD,aAAa,EAAE,CAAC,cAAc,CAAC;IAC/B,cAAc,EAAE,CAAC,UAAU,CAAC;IAC5B,aAAa,EAAE,CAAC,QAAQ,EAAE,UAAU,CAAqB;CAC1D,CAAC,CAAC;AAEH,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;IACnC,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,MAAM,EAAE,YAAY,EAAE,UAAU,EAAE,GAAG,mBAAmB,CAAC,YAAY,EAAE,EAAE,cAAc,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC;QACvG,MAAM,CAAC,YAAY,CAAC,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;QAC9C,MAAM,CAAC,YAAY,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC;QAC/C,MAAM,CAAC,UAAU,CAAC,CAAC,SAAS,CAAC,+BAA+B,CAAC,CAAC;QAC9D,MAAM,CAAC,UAAU,CAAC,CAAC,SAAS,CAAC,iBAAiB,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,aAAa,EAAE,GAAG,EAAE;IAC3B,EAAE,CAAC,0BAA0B,EAAE,KAAK,IAAI,EAAE;QACxC,MAAM,YAAY,GAAG;YACnB,IAAI,EAAE,KAAc;YACpB,QAAQ,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;gBAClC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC;oBACtB,SAAS,EAAE,IAAI;oBACf,KAAK,EAAE,8BAA8B;oBACrC,QAAQ,EAAE,MAAM;oBAChB,GAAG,EAAE,SAAS;oBACd,eAAe,EAAE,uCAAuC;oBACxD,kBAAkB,EAAE,kBAAkB;oBACtC,QAAQ,EAAE,+CAA+C;oBACzD,cAAc,EAAE,sBAAsB;oBACtC,qBAAqB,EAAE,IAAI;iBAC5B,CAAC;gBACF,WAAW,EAAE,GAAG;gBAChB,YAAY,EAAE,GAAG;gBACjB,QAAQ,EAAE,KAAc;gBACxB,UAAU,EAAE,IAAI;aACjB,CAAC;SACH,CAAC;QAEF,MAAM,MAAM,GAAG
,MAAM,WAAW,CAAC,YAAY,EAAE,EAAE,cAAc,EAAE,EAAE,QAAQ,EAAE,EAAE,YAAmB,CAAC,CAAC;QACpG,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC9B,MAAM,CAAC,MAAO,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrC,MAAM,CAAC,MAAO,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACtC,MAAM,CAAC,MAAO,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,YAAY,GAAG;YACnB,IAAI,EAAE,KAAc;YACpB,QAAQ,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;gBAClC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC;oBACtB,SAAS,EAAE,KAAK;oBAChB,qBAAqB,EAAE,yBAAyB;iBACjD,CAAC;gBACF,WAAW,EAAE,GAAG;gBAChB,YAAY,EAAE,GAAG;gBACjB,QAAQ,EAAE,KAAc;gBACxB,UAAU,EAAE,GAAG;aAChB,CAAC;SACH,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,YAAY,EAAE,EAAE,cAAc,EAAE,EAAE,QAAQ,EAAE,EAAE,YAAmB,CAAC,CAAC;QACpG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;QAClD,MAAM,YAAY,GAAG;YACnB,IAAI,EAAE,KAAc;YACpB,QAAQ,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;gBAClC,OAAO,EAAE,SAAS;gBAClB,WAAW,EAAE,GAAG;gBAChB,YAAY,EAAE,EAAE;gBAChB,QAAQ,EAAE,KAAc;gBACxB,UAAU,EAAE,GAAG;aAChB,CAAC;SACH,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,YAAY,EAAE,EAAE,cAAc,EAAE,EAAE,QAAQ,EAAE,EAAE,YAAmB,CAAC,CAAC;QACpG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
export {};
|
|
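--- /dev/null
+++ b/package/dist/hunt/__tests__/discovery.test.js
@@ -0,0 +1,55 @@
+import { describe, it, expect } from 'vitest';
+import { discoverSecurityFiles } from '../discovery.js';
+import { mkdtempSync, writeFileSync, mkdirSync } from 'fs';
+import { join } from 'path';
+import { tmpdir } from 'os';
+function makeTempRepo(files) {
+const dir = mkdtempSync(join(tmpdir(), 'hunt-test-'));
+for (const [path, content] of Object.entries(files)) {
+const full = join(dir, path);
+mkdirSync(join(full, '..'), { recursive: true });
+writeFileSync(full, content);
+}
+return dir;
+}
+describe('discoverSecurityFiles', () => {
+it('finds files matching security keywords', () => {
+const dir = makeTempRepo({
+'src/auth.ts': 'export function login() {}',
+'src/utils.ts': 'export function add(a, b) { return a + b; }',
+'src/csrf-protection.ts': 'export function checkCsrf() {}',
+});
+const files = discoverSecurityFiles(dir);
+const paths = files.map(f => f.relativePath);
+expect(paths).toContain('src/auth.ts');
+expect(paths).toContain('src/csrf-protection.ts');
+expect(paths).not.toContain('src/utils.ts');
+});
+it('collects import metadata', () => {
+const dir = makeTempRepo({
+'src/auth.ts': `import { hash } from './crypto.js';\nexport function validateToken(t: string) { return hash(t); }`,
+});
+const files = discoverSecurityFiles(dir);
+const auth = files.find(f => f.relativePath === 'src/auth.ts');
+expect(auth).toBeDefined();
+expect(auth.imports).toContain('./crypto.js');
+});
+it('skips files over size limit', () => {
+const dir = makeTempRepo({
+'src/auth.ts': 'x\n'.repeat(600),
+});
+const files = discoverSecurityFiles(dir, { maxLines: 500 });
+expect(files).toHaveLength(0);
+});
+it('prioritizes source over test files', () => {
+const dir = makeTempRepo({
+'src/auth.ts': 'export function login() {}',
+'tests/auth.test.ts': 'test("login", () => {})',
+});
+const files = discoverSecurityFiles(dir);
+if (files.length > 1) {
+expect(files[0].relativePath).toBe('src/auth.ts');
+}
+});
+});
+//# sourceMappingURL=discovery.test.js.map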
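Review bot: The 'prioritizes source over test files' case (new lines 50-52) wraps its only assertion in `if (files.length > 1)`, so when discovery returns one file or none the test passes without checking anything, and the ordering it is named for is never actually verified. Make the precondition part of the test, e.g. `expect(files.length).toBeGreaterThan(1);` followed by the unconditional `expect(files[0].relativePath).toBe('src/auth.ts');`, or, if test files are meant to be excluded from discovery entirely, assert that exclusion explicitly instead. The directories created by makeTempRepo (new line 7) are also never removed, so every run leaves a fixture tree under tmpdir; recording the returned paths and deleting them with `rmSync(dir, { recursive: true, force: true })` in an `afterEach` hook would keep the suite self-cleaning. A minor style point: `join(full, '..')` on new line 10 reads more clearly as `dirname(full)` from 'path'.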
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"discovery.test.js","sourceRoot":"","sources":["../../../src/hunt/__tests__/discovery.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,qBAAqB,EAAuB,MAAM,iBAAiB,CAAC;AAC7E,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,IAAI,CAAC;AAC3D,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,MAAM,EAAE,MAAM,IAAI,CAAC;AAE5B,SAAS,YAAY,CAAC,KAA6B;IACjD,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,YAAY,CAAC,CAAC,CAAC;IACtD,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACpD,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAC7B,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACjD,aAAa,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC/B,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;IACrC,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;QAChD,MAAM,GAAG,GAAG,YAAY,CAAC;YACvB,aAAa,EAAE,4BAA4B;YAC3C,cAAc,EAAE,6CAA6C;YAC7D,wBAAwB,EAAE,gCAAgC;SAC3D,CAAC,CAAC;QACH,MAAM,KAAK,GAAG,qBAAqB,CAAC,GAAG,CAAC,CAAC;QACzC,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC;QAC7C,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;QACvC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,wBAAwB,CAAC,CAAC;QAClD,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0BAA0B,EAAE,GAAG,EAAE;QAClC,MAAM,GAAG,GAAG,YAAY,CAAC;YACvB,aAAa,EAAE,mGAAmG;SACnH,CAAC,CAAC;QACH,MAAM,KAAK,GAAG,qBAAqB,CAAC,GAAG,CAAC,CAAC;QACzC,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,YAAY,KAAK,aAAa,CAAC,CAAC;QAC/D,MAAM,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;QAC3B,MAAM,CAAC,IAAK,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;QACrC,MAAM,GAAG,GAAG,YAAY,CAAC;YACvB,aAAa,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC;SACjC,CAAC,CAAC;QACH,MAAM,KAAK,GAAG,qBAAqB,CAAC,GAAG,EAAE,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC;QAC5D,MAAM,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAChC,CAAC,CAAC,CAAC;IAEH,
EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;QAC5C,MAAM,GAAG,GAAG,YAAY,CAAC;YACvB,aAAa,EAAE,4BAA4B;YAC3C,oBAAoB,EAAE,yBAAyB;SAChD,CAAC,CAAC;QACH,MAAM,KAAK,GAAG,qBAAqB,CAAC,GAAG,CAAC,CAAC;QACzC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrB,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QACpD,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
export {};
|