tryassay 0.32.0 → 0.33.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cli.js +55 -0
- package/dist/cli.js.map +1 -1
- package/dist/commands/assess.js +73 -0
- package/dist/commands/assess.js.map +1 -1
- package/dist/commands/bounty-chain.d.ts +1 -0
- package/dist/commands/bounty-chain.js +34 -0
- package/dist/commands/bounty-chain.js.map +1 -0
- package/dist/commands/bounty-check.d.ts +10 -0
- package/dist/commands/bounty-check.js +104 -0
- package/dist/commands/bounty-check.js.map +1 -0
- package/dist/commands/bounty-discover.d.ts +6 -0
- package/dist/commands/bounty-discover.js +45 -0
- package/dist/commands/bounty-discover.js.map +1 -0
- package/dist/commands/bounty-scan.d.ts +7 -0
- package/dist/commands/bounty-scan.js +312 -0
- package/dist/commands/bounty-scan.js.map +1 -0
- package/dist/commands/bounty-watch.d.ts +9 -0
- package/dist/commands/bounty-watch.js +210 -0
- package/dist/commands/bounty-watch.js.map +1 -0
- package/dist/commands/hunt.d.ts +11 -0
- package/dist/commands/hunt.js +216 -0
- package/dist/commands/hunt.js.map +1 -0
- package/dist/hunt/__tests__/deep-dive.test.d.ts +1 -0
- package/dist/hunt/__tests__/deep-dive.test.js +102 -0
- package/dist/hunt/__tests__/deep-dive.test.js.map +1 -0
- package/dist/hunt/__tests__/discovery.test.d.ts +1 -0
- package/dist/hunt/__tests__/discovery.test.js +55 -0
- package/dist/hunt/__tests__/discovery.test.js.map +1 -0
- package/dist/hunt/__tests__/e2e.test.d.ts +1 -0
- package/dist/hunt/__tests__/e2e.test.js +261 -0
- package/dist/hunt/__tests__/e2e.test.js.map +1 -0
- package/dist/hunt/__tests__/matcher.test.d.ts +1 -0
- package/dist/hunt/__tests__/matcher.test.js +63 -0
- package/dist/hunt/__tests__/matcher.test.js.map +1 -0
- package/dist/hunt/__tests__/orchestrator.test.d.ts +1 -0
- package/dist/hunt/__tests__/orchestrator.test.js +73 -0
- package/dist/hunt/__tests__/orchestrator.test.js.map +1 -0
- package/dist/hunt/__tests__/parse-utils.test.d.ts +1 -0
- package/dist/hunt/__tests__/parse-utils.test.js +28 -0
- package/dist/hunt/__tests__/parse-utils.test.js.map +1 -0
- package/dist/hunt/__tests__/state.test.d.ts +1 -0
- package/dist/hunt/__tests__/state.test.js +49 -0
- package/dist/hunt/__tests__/state.test.js.map +1 -0
- package/dist/hunt/__tests__/templates.test.d.ts +1 -0
- package/dist/hunt/__tests__/templates.test.js +32 -0
- package/dist/hunt/__tests__/templates.test.js.map +1 -0
- package/dist/hunt/__tests__/triage.test.d.ts +1 -0
- package/dist/hunt/__tests__/triage.test.js +91 -0
- package/dist/hunt/__tests__/triage.test.js.map +1 -0
- package/dist/hunt/__tests__/types.test.d.ts +1 -0
- package/dist/hunt/__tests__/types.test.js +65 -0
- package/dist/hunt/__tests__/types.test.js.map +1 -0
- package/dist/hunt/deep-dive.d.ts +8 -0
- package/dist/hunt/deep-dive.js +86 -0
- package/dist/hunt/deep-dive.js.map +1 -0
- package/dist/hunt/discovery.d.ts +15 -0
- package/dist/hunt/discovery.js +116 -0
- package/dist/hunt/discovery.js.map +1 -0
- package/dist/hunt/matcher.d.ts +8 -0
- package/dist/hunt/matcher.js +27 -0
- package/dist/hunt/matcher.js.map +1 -0
- package/dist/hunt/orchestrator.d.ts +27 -0
- package/dist/hunt/orchestrator.js +91 -0
- package/dist/hunt/orchestrator.js.map +1 -0
- package/dist/hunt/parse-utils.d.ts +2 -0
- package/dist/hunt/parse-utils.js +17 -0
- package/dist/hunt/parse-utils.js.map +1 -0
- package/dist/hunt/state.d.ts +5 -0
- package/dist/hunt/state.js +35 -0
- package/dist/hunt/state.js.map +1 -0
- package/dist/hunt/templates/auth-bypass.d.ts +2 -0
- package/dist/hunt/templates/auth-bypass.js +80 -0
- package/dist/hunt/templates/auth-bypass.js.map +1 -0
- package/dist/hunt/templates/cors-misconfig.d.ts +2 -0
- package/dist/hunt/templates/cors-misconfig.js +88 -0
- package/dist/hunt/templates/cors-misconfig.js.map +1 -0
- package/dist/hunt/templates/csrf-bypass.d.ts +2 -0
- package/dist/hunt/templates/csrf-bypass.js +65 -0
- package/dist/hunt/templates/csrf-bypass.js.map +1 -0
- package/dist/hunt/templates/index.d.ts +3 -0
- package/dist/hunt/templates/index.js +29 -0
- package/dist/hunt/templates/index.js.map +1 -0
- package/dist/hunt/templates/injection.d.ts +2 -0
- package/dist/hunt/templates/injection.js +103 -0
- package/dist/hunt/templates/injection.js.map +1 -0
- package/dist/hunt/templates/open-redirect.d.ts +2 -0
- package/dist/hunt/templates/open-redirect.js +93 -0
- package/dist/hunt/templates/open-redirect.js.map +1 -0
- package/dist/hunt/templates/path-traversal.d.ts +2 -0
- package/dist/hunt/templates/path-traversal.js +94 -0
- package/dist/hunt/templates/path-traversal.js.map +1 -0
- package/dist/hunt/templates/prototype-pollution.d.ts +2 -0
- package/dist/hunt/templates/prototype-pollution.js +108 -0
- package/dist/hunt/templates/prototype-pollution.js.map +1 -0
- package/dist/hunt/templates/ssrf.d.ts +2 -0
- package/dist/hunt/templates/ssrf.js +75 -0
- package/dist/hunt/templates/ssrf.js.map +1 -0
- package/dist/hunt/templates/timing-attack.d.ts +2 -0
- package/dist/hunt/templates/timing-attack.js +108 -0
- package/dist/hunt/templates/timing-attack.js.map +1 -0
- package/dist/hunt/templates/weak-random.d.ts +2 -0
- package/dist/hunt/templates/weak-random.js +73 -0
- package/dist/hunt/templates/weak-random.js.map +1 -0
- package/dist/hunt/triage.d.ts +8 -0
- package/dist/hunt/triage.js +78 -0
- package/dist/hunt/triage.js.map +1 -0
- package/dist/lib/__tests__/bounty-scan.test.d.ts +1 -0
- package/dist/lib/__tests__/bounty-scan.test.js +15 -0
- package/dist/lib/__tests__/bounty-scan.test.js.map +1 -0
- package/dist/lib/__tests__/chain-analyzer.test.d.ts +1 -0
- package/dist/lib/__tests__/chain-analyzer.test.js +47 -0
- package/dist/lib/__tests__/chain-analyzer.test.js.map +1 -0
- package/dist/lib/__tests__/finding-dedup.test.d.ts +1 -0
- package/dist/lib/__tests__/finding-dedup.test.js +30 -0
- package/dist/lib/__tests__/finding-dedup.test.js.map +1 -0
- package/dist/lib/__tests__/learned-rules.test.js +25 -0
- package/dist/lib/__tests__/learned-rules.test.js.map +1 -1
- package/dist/lib/__tests__/novelty-checker.test.d.ts +1 -0
- package/dist/lib/__tests__/novelty-checker.test.js +57 -0
- package/dist/lib/__tests__/novelty-checker.test.js.map +1 -0
- package/dist/lib/__tests__/program-registry.test.d.ts +1 -0
- package/dist/lib/__tests__/program-registry.test.js +40 -0
- package/dist/lib/__tests__/program-registry.test.js.map +1 -0
- package/dist/lib/__tests__/retry.test.d.ts +1 -0
- package/dist/lib/__tests__/retry.test.js +23 -0
- package/dist/lib/__tests__/retry.test.js.map +1 -0
- package/dist/lib/__tests__/watchlist.test.d.ts +1 -0
- package/dist/lib/__tests__/watchlist.test.js +88 -0
- package/dist/lib/__tests__/watchlist.test.js.map +1 -0
- package/dist/lib/chain-analyzer.d.ts +25 -0
- package/dist/lib/chain-analyzer.js +105 -0
- package/dist/lib/chain-analyzer.js.map +1 -0
- package/dist/lib/finding-dedup.d.ts +2 -0
- package/dist/lib/finding-dedup.js +9 -0
- package/dist/lib/finding-dedup.js.map +1 -0
- package/dist/lib/issue-reporter.d.ts +13 -0
- package/dist/lib/issue-reporter.js +51 -0
- package/dist/lib/issue-reporter.js.map +1 -0
- package/dist/lib/novelty-checker.d.ts +60 -0
- package/dist/lib/novelty-checker.js +223 -0
- package/dist/lib/novelty-checker.js.map +1 -0
- package/dist/lib/program-registry.d.ts +12 -0
- package/dist/lib/program-registry.js +18 -0
- package/dist/lib/program-registry.js.map +1 -0
- package/dist/lib/retry.d.ts +5 -0
- package/dist/lib/retry.js +19 -0
- package/dist/lib/retry.js.map +1 -0
- package/dist/lib/watchlist.d.ts +23 -0
- package/dist/lib/watchlist.js +31 -0
- package/dist/lib/watchlist.js.map +1 -0
- package/dist/runtime/safe-executor.js +1 -1
- package/dist/runtime/safe-executor.js.map +1 -1
- package/dist/runtime/types.d.ts +1 -1
- package/dist/sdk/forward-verify.js +1 -1
- package/dist/sdk/forward-verify.js.map +1 -1
- package/dist/types.d.ts +45 -0
- package/package.json +1 -1
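--- a/package/dist/hunt/__tests__/e2e.test.js
+++ b/package/dist/hunt/__tests__/e2e.test.js
@@ -0,0 +1,261 @@
+import { describe, it, expect, vi } from 'vitest';
+import { HuntOrchestrator } from '../orchestrator.js';
+import { mkdtempSync, writeFileSync, mkdirSync } from 'fs';
+import { join } from 'path';
+import { tmpdir } from 'os';
+function makeTempRepo(files) {
+const dir = mkdtempSync(join(tmpdir(), 'hunt-e2e-'));
+for (const [path, content] of Object.entries(files)) {
+const full = join(dir, path);
+mkdirSync(join(full, '..'), { recursive: true });
+writeFileSync(full, content);
+}
+return dir;
+}
+describe('Hunt E2E', () => {
+it('full pipeline: discover → match → triage → deep dive', async () => {
+const dir = makeTempRepo({
+'src/csrf-protection.ts': `
+// CSRF protection for origin validation
+// Wildcards like *.com should be rejected
+export function matchWildcardDomain(origin: string, pattern: string): boolean {
+if (!pattern.startsWith('*.')) return origin === pattern;
+const suffix = pattern.slice(1); // e.g., '.example.com'
+return origin.endsWith(suffix);
+}
+
+export function validateOrigin(origin: string, allowlist: string[]): boolean {
+return allowlist.some(pattern => matchWildcardDomain(origin, pattern));
+}
+`,
+});
+let triageCallCount = 0;
+let deepDiveCallCount = 0;
+const mockProvider = {
+type: 'api',
+complete: vi.fn().mockImplementation(async (params) => {
+// Detect phase by looking at the prompt
+const prompt = params.userPrompt || '';
+const isDeepDive = prompt.includes('HYPOTHESIS:');
+if (isDeepDive) {
+deepDiveCallCount++;
+return {
+content: JSON.stringify({
+confirmed: true,
+title: 'CSRF Bypass via TLD Wildcard',
+severity: 'high',
+cwe: 'CWE-352',
+attack_scenario: '1. Register evil.com\n2. *.com pattern matches evil.com',
+reproduction_steps: 'matchWildcardDomain("evil.com", "*.com") returns true',
+evidence: 'Line 4: origin.endsWith(suffix) — for *.com, suffix is .com, and evil.com ends with .com',
+recommendation: 'Reject wildcards with fewer than 3 labels',
+false_positive_reason: null,
+}),
+inputTokens: 500,
+outputTokens: 200,
+provider: 'api',
+durationMs: 1000,
+};
+}
+else {
+triageCallCount++;
+return {
+content: JSON.stringify({
+vulnerable: true,
+confidence: 'high',
+summary: 'matchWildcardDomain accepts TLD wildcards like *.com',
+attacker_control: 'Origin header',
+impact: 'CSRF bypass for any .com domain',
+line: 4,
+}),
+inputTokens: 200,
+outputTokens: 80,
+provider: 'api',
+durationMs: 600,
+};
+}
+}),
+};
+const orch = new HuntOrchestrator({
+targetPath: dir,
+provider: mockProvider,
+concurrency: 1,
+});
+// Triage phase
+const triageResult = await orch.triage();
+expect(triageResult.filesScanned).toBe(1);
+expect(triageResult.hypotheses.length).toBeGreaterThanOrEqual(1);
+expect(triageCallCount).toBeGreaterThanOrEqual(1);
+// Verify triage result structure
+const hypothesis = triageResult.hypotheses[0];
+expect(hypothesis).toBeDefined();
+expect(hypothesis.id).toBeDefined();
+expect(hypothesis.templateId).toBeDefined();
+expect(hypothesis.file).toContain('csrf-protection.ts');
+expect(hypothesis.confidence).toBe('high');
+expect(hypothesis.summary).toContain('TLD wildcards');
+// Deep dive phase: only HIGH confidence hypotheses
+const high = triageResult.hypotheses.filter(h => h.confidence === 'high');
+expect(high.length).toBeGreaterThanOrEqual(1);
+const findings = await orch.deepDive(high);
+expect(deepDiveCallCount).toBeGreaterThanOrEqual(1);
+expect(findings.length).toBeGreaterThanOrEqual(1);
+// Verify finding structure
+const finding = findings[0];
+expect(finding.title).toContain('CSRF');
+expect(finding.severity).toBe('high');
+expect(finding.confirmed).toBe(true);
+expect(finding.cwe).toBe('CWE-352');
+expect(finding.attackScenario).toContain('evil.com');
+expect(finding.reproductionSteps).toContain('matchWildcardDomain');
+expect(finding.recommendation).toContain('Reject wildcards');
+});
+it('handles false positives during deep dive', async () => {
+const dir = makeTempRepo({
+'src/query-validator.ts': `
+// Query validation - injection pattern match
+export function validateQuery(query: string): boolean {
+// Basic validation but appears to handle SQL queries
+return query.length > 0;
+}
+`,
+});
+const mockProvider = {
+type: 'api',
+complete: vi.fn().mockImplementation(async (params) => {
+// Detect phase by looking at the prompt
+const prompt = params.userPrompt || '';
+const isDeepDive = prompt.includes('HYPOTHESIS:');
+if (isDeepDive) {
+// Deep dive rejects it as false positive
+return {
+content: JSON.stringify({
+confirmed: false,
+title: null,
+severity: null,
+cwe: null,
+attack_scenario: null,
+reproduction_steps: null,
+evidence: 'Query validation is basic but not actually executing queries, so not a real injection risk',
+recommendation: null,
+false_positive_reason: 'No actual SQL execution, just length check',
+}),
+inputTokens: 300,
+outputTokens: 80,
+provider: 'api',
+durationMs: 500,
+};
+}
+else {
+// Triage returns confidence medium
+return {
+content: JSON.stringify({
+vulnerable: true,
+confidence: 'medium',
+summary: 'Query validation might miss SQL injection vectors',
+attacker_control: 'Query parameter',
+impact: 'Potential injection if not properly sanitized',
+line: 3,
+}),
+inputTokens: 200,
+outputTokens: 60,
+provider: 'api',
+durationMs: 400,
+};
+}
+}),
+};
+const orch = new HuntOrchestrator({
+targetPath: dir,
+provider: mockProvider,
+concurrency: 1,
+});
+const triageResult = await orch.triage();
+expect(triageResult.hypotheses.length).toBeGreaterThanOrEqual(1);
+const findings = await orch.deepDive(triageResult.hypotheses);
+// False positives are filtered out (confirmed: false)
+expect(findings.filter(f => f.confirmed).length).toBe(0);
+});
+it('respects confidence filters during triage', async () => {
+const dir = makeTempRepo({
+'src/token-generator.ts': `
+// Token generation - security relevant
+export function generateToken() {
+return Math.random().toString();
+}
+`,
+});
+const mockProvider = {
+type: 'api',
+complete: vi.fn().mockResolvedValue({
+content: JSON.stringify({
+vulnerable: true,
+confidence: 'low',
+summary: 'Weak random might be used for tokens',
+attacker_control: 'None',
+impact: 'Potential predictability',
+line: 3,
+}),
+inputTokens: 150,
+outputTokens: 40,
+provider: 'api',
+durationMs: 300,
+}),
+};
+const orch = new HuntOrchestrator({
+targetPath: dir,
+provider: mockProvider,
+concurrency: 1,
+minConfidence: 'high', // Filter to HIGH only
+});
+const triageResult = await orch.triage();
+// LOW confidence should be filtered out by minConfidence
+expect(triageResult.hypotheses.filter(h => h.confidence === 'low').length).toBe(0);
+});
+it('handles multiple files with multiple matches', async () => {
+const dir = makeTempRepo({
+'src/auth.ts': `
+export function checkPassword(pwd: string, hash: string) {
+return pwd === hash; // Insecure
+}
+`,
+'src/crypto.ts': `
+export function generateToken() {
+return Math.random().toString(); // Weak random
+}
+`,
+});
+let fileNum = 0;
+const mockProvider = {
+type: 'api',
+complete: vi.fn().mockImplementation(async () => {
+fileNum++;
+return {
+content: JSON.stringify({
+vulnerable: true,
+confidence: fileNum === 1 ? 'high' : 'medium',
+summary: `Issue in file ${fileNum}`,
+attacker_control: 'Test attacker',
+impact: 'Test impact',
+line: 2,
+}),
+inputTokens: 100,
+outputTokens: 50,
+provider: 'api',
+durationMs: 400,
+};
+}),
+};
+const orch = new HuntOrchestrator({
+targetPath: dir,
+provider: mockProvider,
+concurrency: 1,
+});
+const triageResult = await orch.triage();
+expect(triageResult.filesScanned).toBe(2);
+// At least 2 pairs (2 files × at least 1 template match each)
+expect(triageResult.templateMatchCount).toBeGreaterThanOrEqual(2);
+expect(triageResult.hypotheses.length).toBeGreaterThanOrEqual(1);
+});
+});
+//# sourceMappingURL=e2e.test.js.map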
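Review bot: `makeTempRepo` creates a fresh directory under `tmpdir()` on every call (line 7 of the new file) and nothing ever removes it, so each run of this suite leaves four `hunt-e2e-*` trees behind; the same helper is duplicated in orchestrator.test.js with a `hunt-orch-` prefix. Record the created paths and delete them after each test: `const created = [];` pushed to inside the helper, then `afterEach(() => { for (const d of created) rmSync(d, { recursive: true, force: true }); });`, importing `rmSync` from `'fs'` and `afterEach` from `'vitest'`. Separately, the assertion `expect(findings.filter(f => f.confirmed).length).toBe(0)` (line 177) also passes if `deepDive` returns unconfirmed findings, so it does not pin the "false positives are filtered out" behaviour the comment above it describes; `expect(findings).toHaveLength(0)` would. This compiled test and its `vitest` import ship inside `package/dist`, so the published artifact carries dev-only code; excluding `__tests__` from the build output or from the package `files` list would keep it out.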
@@ -0,0 +1 @@
1
+
{"version":3,"file":"e2e.test.js","sourceRoot":"","sources":["../../../src/hunt/__tests__/e2e.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAClD,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,IAAI,CAAC;AAC3D,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,MAAM,EAAE,MAAM,IAAI,CAAC;AAE5B,SAAS,YAAY,CAAC,KAA6B;IACjD,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,WAAW,CAAC,CAAC,CAAC;IACrD,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACpD,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAC7B,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACjD,aAAa,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC/B,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,QAAQ,CAAC,UAAU,EAAE,GAAG,EAAE;IACxB,EAAE,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;QACpE,MAAM,GAAG,GAAG,YAAY,CAAC;YACvB,wBAAwB,EAAE;;;;;;;;;;;;OAYzB;SACF,CAAC,CAAC;QAEH,IAAI,eAAe,GAAG,CAAC,CAAC;QACxB,IAAI,iBAAiB,GAAG,CAAC,CAAC;QAC1B,MAAM,YAAY,GAAG;YACnB,IAAI,EAAE,KAAc;YACpB,QAAQ,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,kBAAkB,CAAC,KAAK,EAAE,MAAW,EAAE,EAAE;gBACzD,wCAAwC;gBACxC,MAAM,MAAM,GAAG,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC;gBACvC,MAAM,UAAU,GAAG,MAAM,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;gBAElD,IAAI,UAAU,EAAE,CAAC;oBACf,iBAAiB,EAAE,CAAC;oBACpB,OAAO;wBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC;4BACtB,SAAS,EAAE,IAAI;4BACf,KAAK,EAAE,8BAA8B;4BACrC,QAAQ,EAAE,MAAM;4BAChB,GAAG,EAAE,SAAS;4BACd,eAAe,EAAE,yDAAyD;4BAC1E,kBAAkB,EAAE,uDAAuD;4BAC3E,QAAQ,EAAE,0FAA0F;4BACpG,cAAc,EAAE,2CAA2C;4BAC3D,qBAAqB,EAAE,IAAI;yBAC5B,CAAC;wBACF,WAAW,EAAE,GAAG;wBAChB,YAAY,EAAE,GAAG;wBACjB,QAAQ,EAAE,KAAc;wBACxB,UAAU,EAAE,IAAI;qBACjB,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACN,eAAe,EAAE,CAAC;oBAClB,OAAO;wBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC;4BACtB,UAAU,EAAE,IAAI;4BAChB,UAAU,EAAE,MAAM;4BAClB,OAAO,EAAE,sDAAsD;4BAC/D,gBAAgB,EAAE,eAAe;4BACjC,MAAM,EAAE,iCAAiC;4BACzC,IAAI,EAAE,CAAC;yBACR,CAAC;wBACF,WAAW,EAAE,GAAG;wBAChB,YAAY,EAAE,EAAE;wBAChB,QAAQ,EAAE,KAAc;wBACxB,UAAU,E
AAE,GAAG;qBAChB,CAAC;gBACJ,CAAC;YACH,CAAC,CAAC;SACH,CAAC;QAEF,MAAM,IAAI,GAAG,IAAI,gBAAgB,CAAC;YAChC,UAAU,EAAE,GAAG;YACf,QAAQ,EAAE,YAAmB;YAC7B,WAAW,EAAE,CAAC;SACf,CAAC,CAAC;QAEH,eAAe;QACf,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,MAAM,EAAE,CAAC;QACzC,MAAM,CAAC,YAAY,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC1C,MAAM,CAAC,YAAY,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;QACjE,MAAM,CAAC,eAAe,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;QAElD,iCAAiC;QACjC,MAAM,UAAU,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAC9C,MAAM,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE,CAAC;QACjC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;QACpC,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE,CAAC;QAC5C,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,oBAAoB,CAAC,CAAC;QACxD,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC3C,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,CAAC;QAEtD,mDAAmD;QACnD,MAAM,IAAI,GAAG,YAAY,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,MAAM,CAAC,CAAC;QAC1E,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;QAE9C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC3C,MAAM,CAAC,iBAAiB,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;QACpD,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;QAElD,2BAA2B;QAC3B,MAAM,OAAO,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;QAC5B,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QACxC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACtC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACpC,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QACrD,MAAM,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,SAAS,CAAC,qBAAqB,CAAC,CAAC;QACnE,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;QACxD,MAAM,GAAG,GAAG,YAAY,CAAC;YACvB,wBAAwB,EAAE;;;;;;OAMzB;SACF,CAAC,CAAC;QAEH,MAAM,YAAY,GAAG;YACnB,IAAI,EAAE,KAAc;YACpB,QAAQ,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,kBAAkB,CAAC,KAAK
,EAAE,MAAW,EAAE,EAAE;gBACzD,wCAAwC;gBACxC,MAAM,MAAM,GAAG,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC;gBACvC,MAAM,UAAU,GAAG,MAAM,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;gBAElD,IAAI,UAAU,EAAE,CAAC;oBACf,yCAAyC;oBACzC,OAAO;wBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC;4BACtB,SAAS,EAAE,KAAK;4BAChB,KAAK,EAAE,IAAI;4BACX,QAAQ,EAAE,IAAI;4BACd,GAAG,EAAE,IAAI;4BACT,eAAe,EAAE,IAAI;4BACrB,kBAAkB,EAAE,IAAI;4BACxB,QAAQ,EAAE,4FAA4F;4BACtG,cAAc,EAAE,IAAI;4BACpB,qBAAqB,EAAE,4CAA4C;yBACpE,CAAC;wBACF,WAAW,EAAE,GAAG;wBAChB,YAAY,EAAE,EAAE;wBAChB,QAAQ,EAAE,KAAc;wBACxB,UAAU,EAAE,GAAG;qBAChB,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACN,mCAAmC;oBACnC,OAAO;wBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC;4BACtB,UAAU,EAAE,IAAI;4BAChB,UAAU,EAAE,QAAQ;4BACpB,OAAO,EAAE,mDAAmD;4BAC5D,gBAAgB,EAAE,iBAAiB;4BACnC,MAAM,EAAE,+CAA+C;4BACvD,IAAI,EAAE,CAAC;yBACR,CAAC;wBACF,WAAW,EAAE,GAAG;wBAChB,YAAY,EAAE,EAAE;wBAChB,QAAQ,EAAE,KAAc;wBACxB,UAAU,EAAE,GAAG;qBAChB,CAAC;gBACJ,CAAC;YACH,CAAC,CAAC;SACH,CAAC;QAEF,MAAM,IAAI,GAAG,IAAI,gBAAgB,CAAC;YAChC,UAAU,EAAE,GAAG;YACf,QAAQ,EAAE,YAAmB;YAC7B,WAAW,EAAE,CAAC;SACf,CAAC,CAAC;QAEH,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,MAAM,EAAE,CAAC;QACzC,MAAM,CAAC,YAAY,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;QAEjE,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC;QAC9D,sDAAsD;QACtD,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;QACzD,MAAM,GAAG,GAAG,YAAY,CAAC;YACvB,wBAAwB,EAAE;;;;;OAKzB;SACF,CAAC,CAAC;QAEH,MAAM,YAAY,GAAG;YACnB,IAAI,EAAE,KAAc;YACpB,QAAQ,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;gBAClC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC;oBACtB,UAAU,EAAE,IAAI;oBAChB,UAAU,EAAE,KAAK;oBACjB,OAAO,EAAE,sCAAsC;oBAC/C,gBAAgB,EAAE,MAAM;oBACxB,MAAM,EAAE,0BAA0B;oBAClC,IAAI,EAAE,CAAC;iBACR,CAAC;gBACF,WAAW,EAAE,GAAG;gBAChB,YAAY,EAAE,EAAE;gBAChB,QAAQ,EAAE,KAAc;gBACxB,UAAU,EAAE,GAAG;aAChB,CAAC;SACH,CAAC;QAEF,MAAM,IAAI,GAAG,IAAI,gBAAgB,CAAC;YAChC,UAAU,EAAE,GAAG;YACf,QAAQ,EAAE,YAAmB;YAC7B,WAAW,EAAE,CAAC;YACd,aAAa,EA
AE,MAAM,EAAE,sBAAsB;SAC9C,CAAC,CAAC;QAEH,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,MAAM,EAAE,CAAC;QACzC,yDAAyD;QACzD,MAAM,CAAC,YAAY,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,KAAK,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACrF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;QAC5D,MAAM,GAAG,GAAG,YAAY,CAAC;YACvB,aAAa,EAAE;;;;OAId;YACD,eAAe,EAAE;;;;OAIhB;SACF,CAAC,CAAC;QAEH,IAAI,OAAO,GAAG,CAAC,CAAC;QAChB,MAAM,YAAY,GAAG;YACnB,IAAI,EAAE,KAAc;YACpB,QAAQ,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,kBAAkB,CAAC,KAAK,IAAI,EAAE;gBAC9C,OAAO,EAAE,CAAC;gBACV,OAAO;oBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC;wBACtB,UAAU,EAAE,IAAI;wBAChB,UAAU,EAAE,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;wBAC7C,OAAO,EAAE,iBAAiB,OAAO,EAAE;wBACnC,gBAAgB,EAAE,eAAe;wBACjC,MAAM,EAAE,aAAa;wBACrB,IAAI,EAAE,CAAC;qBACR,CAAC;oBACF,WAAW,EAAE,GAAG;oBAChB,YAAY,EAAE,EAAE;oBAChB,QAAQ,EAAE,KAAc;oBACxB,UAAU,EAAE,GAAG;iBAChB,CAAC;YACJ,CAAC,CAAC;SACH,CAAC;QAEF,MAAM,IAAI,GAAG,IAAI,gBAAgB,CAAC;YAChC,UAAU,EAAE,GAAG;YACf,QAAQ,EAAE,YAAmB;YAC7B,WAAW,EAAE,CAAC;SACf,CAAC,CAAC;QAEH,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,MAAM,EAAE,CAAC;QACzC,MAAM,CAAC,YAAY,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC1C,8DAA8D;QAC9D,MAAM,CAAC,YAAY,CAAC,kBAAkB,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;QAClE,MAAM,CAAC,YAAY,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
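--- a/package/dist/hunt/__tests__/matcher.test.d.ts
+++ b/package/dist/hunt/__tests__/matcher.test.d.ts
@@ -0,0 +1 @@
+export {};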
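--- a/package/dist/hunt/__tests__/matcher.test.js
+++ b/package/dist/hunt/__tests__/matcher.test.js
@@ -0,0 +1,63 @@
+import { describe, it, expect } from 'vitest';
+import { matchTemplates } from '../matcher.js';
+const makeFile = (path, content) => ({
+relativePath: path,
+absolutePath: `/tmp/${path}`,
+content,
+imports: [],
+exports: [],
+functions: [],
+contentHash: 'abc123',
+isLowPriority: false,
+});
+const makeTemplate = (overrides) => ({
+id: 'test',
+name: 'Test',
+cwe: 'CWE-000',
+filePatterns: ['auth', 'token'],
+triagePrompt: 'test prompt',
+deepDivePrompt: 'test prompt',
+knownBypasses: ['bypass1'],
+specReferences: ['RFC 0000'],
+severityRange: ['low', 'high'],
+...overrides,
+});
+describe('matchTemplates', () => {
+it('matches file with 2+ keyword hits', () => {
+const file = makeFile('src/auth.ts', 'function validateToken(token) { return auth(token); }');
+const template = makeTemplate({ filePatterns: ['auth', 'token', 'validate'] });
+const matches = matchTemplates(file, [template]);
+expect(matches).toHaveLength(1);
+expect(matches[0].score).toBeGreaterThanOrEqual(2);
+});
+it('rejects file with only 1 keyword hit', () => {
+const file = makeFile('src/utils.ts', 'function add(a, b) { return a + b; }');
+const template = makeTemplate({ filePatterns: ['auth', 'token'] });
+const matches = matchTemplates(file, [template]);
+expect(matches).toHaveLength(0);
+});
+it('respects negativePatterns', () => {
+const file = makeFile('src/query.ts', 'import { prisma } from "./db";\nconst result = prisma.query.findMany();');
+const template = makeTemplate({
+id: 'injection',
+filePatterns: ['query', 'exec', 'sql'],
+negativePatterns: ['prisma', 'drizzle'],
+});
+const matches = matchTemplates(file, [template]);
+expect(matches).toHaveLength(0);
+});
+it('respects custom minMatchScore', () => {
+const file = makeFile('src/auth.ts', 'auth token');
+const template = makeTemplate({ minMatchScore: 3, filePatterns: ['auth', 'token', 'session'] });
+const matches = matchTemplates(file, [template]);
+expect(matches).toHaveLength(0);
+});
+it('returns multiple template matches for one file', () => {
+const file = makeFile('src/cors-auth.ts', 'function corsAuth(origin, token) { validateOrigin(origin); }');
+const t1 = makeTemplate({ id: 'cors', filePatterns: ['cors', 'origin', 'access-control'] });
+const t2 = makeTemplate({ id: 'auth', filePatterns: ['auth', 'token', 'validate'] });
+const matches = matchTemplates(file, [t1, t2]);
+expect(matches.length).toBe(2);
+});
+});
+//# sourceMappingURL=matcher.test.js.map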
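Review bot: The fixture in `rejects file with only 1 keyword hit` (line 34 of the new file) contains none of the template's `filePatterns` — neither `auth` nor `token` occurs in the path `src/utils.ts` or in its content — so the case exercises zero hits rather than the one-hit boundary its name claims, and a matcher that wrongly accepted a single hit would still pass. A fixture with exactly one pattern present pins the boundary, e.g. `const file = makeFile('src/utils.ts', 'const token = readToken();');` (this assumes the score counts distinct patterns found in the path or content, which the neighbouring cases suggest but this hunk does not show). `makeFile` and `makeTemplate` would also read better with a one-line JSDoc each, e.g. `/** Build a minimal scanned-file record for matchTemplates; fields other than path/content are inert placeholders. */`.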
@@ -0,0 +1 @@
1
+
{"version":3,"file":"matcher.test.js","sourceRoot":"","sources":["../../../src/hunt/__tests__/matcher.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAI/C,MAAM,QAAQ,GAAG,CAAC,IAAY,EAAE,OAAe,EAAkB,EAAE,CAAC,CAAC;IACnE,YAAY,EAAE,IAAI;IAClB,YAAY,EAAE,QAAQ,IAAI,EAAE;IAC5B,OAAO;IACP,OAAO,EAAE,EAAE;IACX,OAAO,EAAE,EAAE;IACX,SAAS,EAAE,EAAE;IACb,WAAW,EAAE,QAAQ;IACrB,aAAa,EAAE,KAAK;CACrB,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,CAAC,SAAyC,EAAyB,EAAE,CAAC,CAAC;IAC1F,EAAE,EAAE,MAAM;IACV,IAAI,EAAE,MAAM;IACZ,GAAG,EAAE,SAAS;IACd,YAAY,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC;IAC/B,YAAY,EAAE,aAAa;IAC3B,cAAc,EAAE,aAAa;IAC7B,aAAa,EAAE,CAAC,SAAS,CAAC;IAC1B,cAAc,EAAE,CAAC,UAAU,CAAC;IAC5B,aAAa,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC;IAC9B,GAAG,SAAS;CACb,CAAC,CAAC;AAEH,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;IAC9B,EAAE,CAAC,mCAAmC,EAAE,GAAG,EAAE;QAC3C,MAAM,IAAI,GAAG,QAAQ,CAAC,aAAa,EAAE,uDAAuD,CAAC,CAAC;QAC9F,MAAM,QAAQ,GAAG,YAAY,CAAC,EAAE,YAAY,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,UAAU,CAAC,EAAE,CAAC,CAAC;QAC/E,MAAM,OAAO,GAAG,cAAc,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC;QACjD,MAAM,CAAC,OAAO,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAChC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,IAAI,GAAG,QAAQ,CAAC,cAAc,EAAE,sCAAsC,CAAC,CAAC;QAC9E,MAAM,QAAQ,GAAG,YAAY,CAAC,EAAE,YAAY,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;QACnE,MAAM,OAAO,GAAG,cAAc,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC;QACjD,MAAM,CAAC,OAAO,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2BAA2B,EAAE,GAAG,EAAE;QACnC,MAAM,IAAI,GAAG,QAAQ,CAAC,cAAc,EAAE,yEAAyE,CAAC,CAAC;QACjH,MAAM,QAAQ,GAAG,YAAY,CAAC;YAC5B,EAAE,EAAE,WAAW;YACf,YAAY,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC;YACtC,gBAAgB,EAAE,CAAC,QAAQ,EAAE,SAAS,CAAC;SACxC,CAAC,CAAC;QACH,MAAM,OAAO,GAAG,cAAc,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC;QACjD,MAAM,CAAC,OAAO,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+
BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,IAAI,GAAG,QAAQ,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;QACnD,MAAM,QAAQ,GAAG,YAAY,CAAC,EAAE,aAAa,EAAE,CAAC,EAAE,YAAY,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,CAAC,EAAE,CAAC,CAAC;QAChG,MAAM,OAAO,GAAG,cAAc,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC;QACjD,MAAM,CAAC,OAAO,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,MAAM,IAAI,GAAG,QAAQ,CAAC,kBAAkB,EAAE,8DAA8D,CAAC,CAAC;QAC1G,MAAM,EAAE,GAAG,YAAY,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,MAAM,EAAE,QAAQ,EAAE,gBAAgB,CAAC,EAAE,CAAC,CAAC;QAC5F,MAAM,EAAE,GAAG,YAAY,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,UAAU,CAAC,EAAE,CAAC,CAAC;QACrF,MAAM,OAAO,GAAG,cAAc,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;QAC/C,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACjC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
@@ -0,0 +1 @@
|
|
|
1
|
+
export {};
|
|
@@ -0,0 +1,73 @@
|
|
|
1
|
+
import { describe, it, expect, vi } from 'vitest';
|
|
2
|
+
import { HuntOrchestrator } from '../orchestrator.js';
|
|
3
|
+
import { mkdtempSync, writeFileSync, mkdirSync } from 'fs';
|
|
4
|
+
import { join } from 'path';
|
|
5
|
+
import { tmpdir } from 'os';
|
|
6
|
+
function makeTempRepo(files) {
|
|
7
|
+
const dir = mkdtempSync(join(tmpdir(), 'hunt-orch-'));
|
|
8
|
+
for (const [path, content] of Object.entries(files)) {
|
|
9
|
+
const full = join(dir, path);
|
|
10
|
+
mkdirSync(join(full, '..'), { recursive: true });
|
|
11
|
+
writeFileSync(full, content);
|
|
12
|
+
}
|
|
13
|
+
return dir;
|
|
14
|
+
}
|
|
15
|
+
describe('HuntOrchestrator', () => {
|
|
16
|
+
it('runs triage and returns hypotheses', async () => {
|
|
17
|
+
const dir = makeTempRepo({
|
|
18
|
+
'src/csrf.ts': `
|
|
19
|
+
import { verify } from './utils.js';
|
|
20
|
+
export function checkOrigin(origin: string, allowedOrigins: string[]) {
|
|
21
|
+
for (const pattern of allowedOrigins) {
|
|
22
|
+
if (origin.endsWith(pattern.replace('*', ''))) return true;
|
|
23
|
+
}
|
|
24
|
+
return false;
|
|
25
|
+
}
|
|
26
|
+
`,
|
|
27
|
+
});
|
|
28
|
+
const mockProvider = {
|
|
29
|
+
type: 'api',
|
|
30
|
+
complete: vi.fn().mockResolvedValue({
|
|
31
|
+
content: JSON.stringify({
|
|
32
|
+
vulnerable: true,
|
|
33
|
+
confidence: 'high',
|
|
34
|
+
summary: 'Origin endsWith check is bypassable',
|
|
35
|
+
attacker_control: 'Origin header',
|
|
36
|
+
impact: 'CSRF bypass',
|
|
37
|
+
line: 4,
|
|
38
|
+
}),
|
|
39
|
+
inputTokens: 100,
|
|
40
|
+
outputTokens: 50,
|
|
41
|
+
provider: 'api',
|
|
42
|
+
durationMs: 500,
|
|
43
|
+
}),
|
|
44
|
+
};
|
|
45
|
+
const orch = new HuntOrchestrator({
|
|
46
|
+
targetPath: dir,
|
|
47
|
+
provider: mockProvider,
|
|
48
|
+
concurrency: 1,
|
|
49
|
+
});
|
|
50
|
+
const result = await orch.triage();
|
|
51
|
+
expect(result.filesScanned).toBeGreaterThanOrEqual(0);
|
|
52
|
+
expect(mockProvider.complete).toHaveBeenCalled();
|
|
53
|
+
});
|
|
54
|
+
it('loadFiles populates file cache for dive mode', () => {
|
|
55
|
+
const orch = new HuntOrchestrator({
|
|
56
|
+
targetPath: '/tmp/test',
|
|
57
|
+
provider: { type: 'api', complete: vi.fn() },
|
|
58
|
+
});
|
|
59
|
+
orch.loadFiles([{
|
|
60
|
+
relativePath: 'src/auth.ts',
|
|
61
|
+
absolutePath: '/tmp/src/auth.ts',
|
|
62
|
+
content: 'code',
|
|
63
|
+
imports: [],
|
|
64
|
+
exports: [],
|
|
65
|
+
functions: [],
|
|
66
|
+
contentHash: 'abc',
|
|
67
|
+
isLowPriority: false,
|
|
68
|
+
}]);
|
|
69
|
+
// File cache is populated (tested indirectly via deepDive)
|
|
70
|
+
expect(true).toBe(true); // loadFiles doesn't throw
|
|
71
|
+
});
|
|
72
|
+
});
|
|
73
|
+
//# sourceMappingURL=orchestrator.test.js.map
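Review bot: The closing `expect(true).toBe(true)` in `loadFiles populates file cache for dive mode` asserts nothing, so a regression in `loadFiles` only surfaces if it throws; the test should observe the cache through whatever `deepDive` or an accessor exposes, or assert that a mocked `complete` later receives the loaded `content`. The first test is similarly loose: `expect(result.filesScanned).toBeGreaterThanOrEqual(0)` passes for any non-negative number even though exactly one file was written, so `expect(result.filesScanned).toBe(1)` plus, if `triage()` returns the hypotheses its title promises, a check that one of them names `src/csrf.ts` would actually pin the behaviour. `makeTempRepo` also leaves every `mkdtempSync` directory behind; an `afterEach` calling `rmSync(dir, { recursive: true, force: true })` keeps the temp dir from accumulating fixture repos across runs.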
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"orchestrator.test.js","sourceRoot":"","sources":["../../../src/hunt/__tests__/orchestrator.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAClD,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,IAAI,CAAC;AAC3D,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,MAAM,EAAE,MAAM,IAAI,CAAC;AAE5B,SAAS,YAAY,CAAC,KAA6B;IACjD,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,YAAY,CAAC,CAAC,CAAC;IACtD,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACpD,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAC7B,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACjD,aAAa,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC/B,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;IAChC,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;QAClD,MAAM,GAAG,GAAG,YAAY,CAAC;YACvB,aAAa,EAAE;;;;;;;;OAQd;SACF,CAAC,CAAC;QAEH,MAAM,YAAY,GAAG;YACnB,IAAI,EAAE,KAAc;YACpB,QAAQ,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;gBAClC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC;oBACtB,UAAU,EAAE,IAAI;oBAChB,UAAU,EAAE,MAAM;oBAClB,OAAO,EAAE,qCAAqC;oBAC9C,gBAAgB,EAAE,eAAe;oBACjC,MAAM,EAAE,aAAa;oBACrB,IAAI,EAAE,CAAC;iBACR,CAAC;gBACF,WAAW,EAAE,GAAG;gBAChB,YAAY,EAAE,EAAE;gBAChB,QAAQ,EAAE,KAAc;gBACxB,UAAU,EAAE,GAAG;aAChB,CAAC;SACH,CAAC;QAEF,MAAM,IAAI,GAAG,IAAI,gBAAgB,CAAC;YAChC,UAAU,EAAE,GAAG;YACf,QAAQ,EAAE,YAAmB;YAC7B,WAAW,EAAE,CAAC;SACf,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,EAAE,CAAC;QACnC,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;QACtD,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,gBAAgB,EAAE,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,MAAM,IAAI,GAAG,IAAI,gBAAgB,CAAC;YAChC,UAAU,EAAE,WAAW;YACvB,QAAQ,EAAE,EAAE,IAAI,EAAE,KAAc,EAAE,QAAQ,EAAE,EAAE,CAAC,EAAE,EAAE,EAAS;SAC7D,CAAC,CAAC;QAEH,IAAI,CAAC,SAAS,CAAC,CAAC;gBACd,YAAY,EAAE,aAAa;gBAC3B,YAAY,EAAE,kBAAkB;gBAChC,OAAO,EAAE,MAAM;gBACf,OAAO,EAAE,EAAE;gBACX,OAAO,EAAE,EAAE;gBACX
,SAAS,EAAE,EAAE;gBACb,WAAW,EAAE,KAAK;gBAClB,aAAa,EAAE,KAAK;aACrB,CAAC,CAAC,CAAC;QAEJ,2DAA2D;QAC3D,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,0BAA0B;IACrD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
export {};
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
import { describe, it, expect } from 'vitest';
|
|
2
|
+
import { stripCodeFences, safeParseJSON } from '../parse-utils.js';
|
|
3
|
+
describe('stripCodeFences', () => {
|
|
4
|
+
it('strips markdown code fences', () => {
|
|
5
|
+
expect(stripCodeFences('```json\n{"a":1}\n```')).toBe('{"a":1}');
|
|
6
|
+
});
|
|
7
|
+
it('handles no fences', () => {
|
|
8
|
+
expect(stripCodeFences('{"a":1}')).toBe('{"a":1}');
|
|
9
|
+
});
|
|
10
|
+
it('strips fences with language tag', () => {
|
|
11
|
+
expect(stripCodeFences('```typescript\ncode\n```')).toBe('code');
|
|
12
|
+
});
|
|
13
|
+
});
|
|
14
|
+
describe('safeParseJSON', () => {
|
|
15
|
+
it('parses valid JSON', () => {
|
|
16
|
+
expect(safeParseJSON('{"a":1}')).toEqual({ a: 1 });
|
|
17
|
+
});
|
|
18
|
+
it('parses JSON inside code fences', () => {
|
|
19
|
+
expect(safeParseJSON('```json\n{"a":1}\n```')).toEqual({ a: 1 });
|
|
20
|
+
});
|
|
21
|
+
it('returns null for invalid JSON', () => {
|
|
22
|
+
expect(safeParseJSON('not json')).toBeNull();
|
|
23
|
+
});
|
|
24
|
+
it('returns null for empty string', () => {
|
|
25
|
+
expect(safeParseJSON('')).toBeNull();
|
|
26
|
+
});
|
|
27
|
+
});
|
|
28
|
+
//# sourceMappingURL=parse-utils.test.js.map
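Review bot: `returns null for invalid JSON` leaves the contract ambiguous for the input `'null'`, which `JSON.parse` accepts and also yields `null`, so a caller cannot tell a parse failure from a literal null; the suite should pin what `safeParseJSON('null')` returns and whether non-object values such as `safeParseJSON('42')` count as success, since the callers presumably expect an object. The fence cases only cover a fence that is the entire string; if the helper is meant for model output that puts prose before or after the fence or uses CRLF line endings, one case each would document whether that is supported.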
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"parse-utils.test.js","sourceRoot":"","sources":["../../../src/hunt/__tests__/parse-utils.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAEnE,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;IAC/B,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;QACrC,MAAM,CAAC,eAAe,CAAC,uBAAuB,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mBAAmB,EAAE,GAAG,EAAE;QAC3B,MAAM,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,MAAM,CAAC,eAAe,CAAC,0BAA0B,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;IAC7B,EAAE,CAAC,mBAAmB,EAAE,GAAG,EAAE;QAC3B,MAAM,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;QACxC,MAAM,CAAC,aAAa,CAAC,uBAAuB,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,CAAC,aAAa,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;IACvC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
export {};
|
|
@@ -0,0 +1,49 @@
|
|
|
1
|
+
import { describe, it, expect } from 'vitest';
|
|
2
|
+
import { saveState, loadState, checkStaleness, getStateDir } from '../state.js';
|
|
3
|
+
import { mkdtempSync } from 'fs';
|
|
4
|
+
import { join } from 'path';
|
|
5
|
+
import { tmpdir } from 'os';
|
|
6
|
+
describe('Hunt state', () => {
|
|
7
|
+
it('saves and loads state', () => {
|
|
8
|
+
const stateDir = mkdtempSync(join(tmpdir(), 'hunt-state-'));
|
|
9
|
+
const state = {
|
|
10
|
+
scannedAt: new Date().toISOString(),
|
|
11
|
+
path: '/tmp/repo',
|
|
12
|
+
fileHashes: { 'src/auth.ts': 'abc123' },
|
|
13
|
+
filesScanned: 1,
|
|
14
|
+
hypotheses: [],
|
|
15
|
+
findings: [],
|
|
16
|
+
};
|
|
17
|
+
saveState(stateDir, state);
|
|
18
|
+
const loaded = loadState(stateDir);
|
|
19
|
+
expect(loaded).not.toBeNull();
|
|
20
|
+
expect(loaded.path).toBe('/tmp/repo');
|
|
21
|
+
expect(loaded.fileHashes['src/auth.ts']).toBe('abc123');
|
|
22
|
+
});
|
|
23
|
+
it('returns null for missing state', () => {
|
|
24
|
+
const stateDir = mkdtempSync(join(tmpdir(), 'hunt-empty-'));
|
|
25
|
+
expect(loadState(stateDir)).toBeNull();
|
|
26
|
+
});
|
|
27
|
+
it('detects stale files', () => {
|
|
28
|
+
const state = {
|
|
29
|
+
scannedAt: new Date().toISOString(),
|
|
30
|
+
path: '/tmp/repo',
|
|
31
|
+
fileHashes: { 'src/auth.ts': 'abc123' },
|
|
32
|
+
filesScanned: 1,
|
|
33
|
+
hypotheses: [{ id: 1, templateId: 'test', file: 'src/auth.ts', confidence: 'high', summary: 'test', attackerControl: 'x', impact: 'x' }],
|
|
34
|
+
findings: [],
|
|
35
|
+
};
|
|
36
|
+
const staleFiles = checkStaleness(state, { 'src/auth.ts': 'different_hash' });
|
|
37
|
+
expect(staleFiles).toContain('src/auth.ts');
|
|
38
|
+
const freshFiles = checkStaleness(state, { 'src/auth.ts': 'abc123' });
|
|
39
|
+
expect(freshFiles).toHaveLength(0);
|
|
40
|
+
});
|
|
41
|
+
it('generates deterministic state dir from path', () => {
|
|
42
|
+
const dir1 = getStateDir('/tmp/repo-a');
|
|
43
|
+
const dir2 = getStateDir('/tmp/repo-a');
|
|
44
|
+
const dir3 = getStateDir('/tmp/repo-b');
|
|
45
|
+
expect(dir1).toBe(dir2);
|
|
46
|
+
expect(dir1).not.toBe(dir3);
|
|
47
|
+
});
|
|
48
|
+
});
|
|
49
|
+
//# sourceMappingURL=state.test.js.map
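Review bot: `loadState` is only exercised on a missing state directory; there is no case for a state file that exists but is truncated or is not valid JSON, so whether a corrupted file returns null like a missing one or throws is unpinned, and that matters because the directory is derived from the scanned path and may be left over from a run with a different schema. `detects stale files` also never covers a file that was in `fileHashes` but is absent from the current hash map, or one present now but absent then, so the deletion and addition semantics of `checkStaleness` are untested. The `mkdtempSync` directories created in the first two tests are never removed; an `afterEach` with `rmSync(stateDir, { recursive: true, force: true })` would clean them up.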
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"state.test.js","sourceRoot":"","sources":["../../../src/hunt/__tests__/state.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAChF,OAAO,EAAE,WAAW,EAA0C,MAAM,IAAI,CAAC;AACzE,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,MAAM,EAAE,MAAM,IAAI,CAAC;AAG5B,QAAQ,CAAC,YAAY,EAAE,GAAG,EAAE;IAC1B,EAAE,CAAC,uBAAuB,EAAE,GAAG,EAAE;QAC/B,MAAM,QAAQ,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,aAAa,CAAC,CAAC,CAAC;QAC5D,MAAM,KAAK,GAAc;YACvB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,IAAI,EAAE,WAAW;YACjB,UAAU,EAAE,EAAE,aAAa,EAAE,QAAQ,EAAE;YACvC,YAAY,EAAE,CAAC;YACf,UAAU,EAAE,EAAE;YACd,QAAQ,EAAE,EAAE;SACb,CAAC;QAEF,SAAS,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;QAC3B,MAAM,MAAM,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;QACnC,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC9B,MAAM,CAAC,MAAO,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACvC,MAAM,CAAC,MAAO,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;QACxC,MAAM,QAAQ,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,aAAa,CAAC,CAAC,CAAC;QAC5D,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qBAAqB,EAAE,GAAG,EAAE;QAC7B,MAAM,KAAK,GAAc;YACvB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,IAAI,EAAE,WAAW;YACjB,UAAU,EAAE,EAAE,aAAa,EAAE,QAAQ,EAAE;YACvC,YAAY,EAAE,CAAC;YACf,UAAU,EAAE,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;YACxI,QAAQ,EAAE,EAAE;SACb,CAAC;QAEF,MAAM,UAAU,GAAG,cAAc,CAAC,KAAK,EAAE,EAAE,aAAa,EAAE,gBAAgB,EAAE,CAAC,CAAC;QAC9E,MAAM,CAAC,UAAU,CAAC,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;QAE5C,MAAM,UAAU,GAAG,cAAc,CAAC,KAAK,EAAE,EAAE,aAAa,EAAE,QAAQ,EAAE,CAAC,CAAC;QACtE,MAAM,CAAC,UAAU,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACrC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6CAA6C,EAAE,GAAG,EAAE;QACrD,MAAM,IAAI,GAAG,WAAW,CAAC,aAAa,CAAC,CAAC;QA
CxC,MAAM,IAAI,GAAG,WAAW,CAAC,aAAa,CAAC,CAAC;QACxC,MAAM,IAAI,GAAG,WAAW,CAAC,aAAa,CAAC,CAAC;QACxC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACxB,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC9B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
export {};
|
|
@@ -0,0 +1,32 @@
|
|
|
1
|
+
import { describe, it, expect } from 'vitest';
|
|
2
|
+
import { getAllTemplates, getTemplateById } from '../templates/index.js';
|
|
3
|
+
describe('Template registry', () => {
|
|
4
|
+
it('loads all templates', () => {
|
|
5
|
+
const templates = getAllTemplates();
|
|
6
|
+
expect(templates.length).toBeGreaterThanOrEqual(1);
|
|
7
|
+
for (const t of templates) {
|
|
8
|
+
expect(t.id).toBeTruthy();
|
|
9
|
+
expect(t.cwe).toMatch(/^CWE-\d+$/);
|
|
10
|
+
expect(t.filePatterns.length).toBeGreaterThan(0);
|
|
11
|
+
expect(t.triagePrompt.length).toBeGreaterThan(50);
|
|
12
|
+
expect(t.deepDivePrompt.length).toBeGreaterThan(50);
|
|
13
|
+
expect(t.knownBypasses.length).toBeGreaterThan(0);
|
|
14
|
+
}
|
|
15
|
+
});
|
|
16
|
+
it('finds template by id', () => {
|
|
17
|
+
const t = getTemplateById('csrf-bypass');
|
|
18
|
+
expect(t).toBeDefined();
|
|
19
|
+
expect(t.cwe).toBe('CWE-352');
|
|
20
|
+
});
|
|
21
|
+
it('returns undefined for unknown id', () => {
|
|
22
|
+
expect(getTemplateById('nonexistent')).toBeUndefined();
|
|
23
|
+
});
|
|
24
|
+
it('has exactly 10 templates', () => {
|
|
25
|
+
expect(getAllTemplates()).toHaveLength(10);
|
|
26
|
+
});
|
|
27
|
+
it('each template has unique id', () => {
|
|
28
|
+
const ids = getAllTemplates().map(t => t.id);
|
|
29
|
+
expect(new Set(ids).size).toBe(ids.length);
|
|
30
|
+
});
|
|
31
|
+
});
|
|
32
|
+
//# sourceMappingURL=templates.test.js.map
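Review bot: `has exactly 10 templates` hard-codes a count that must be bumped on every template added or removed, and when it fails it does not say which template is missing; asserting against the expected ids, e.g. `expect(getAllTemplates().map(t => t.id).sort()).toEqual([...EXPECTED_IDS].sort())` with `EXPECTED_IDS` a constant listing the known ids (placeholder name), catches the same drift and names the culprit. The `> 50` thresholds on `triagePrompt` and `deepDivePrompt` are unexplained magic numbers; a comment such as `// prompts shorter than this are almost certainly placeholders` or a named constant would tell the next maintainer what they guard against.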
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"templates.test.js","sourceRoot":"","sources":["../../../src/hunt/__tests__/templates.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAEzE,QAAQ,CAAC,mBAAmB,EAAE,GAAG,EAAE;IACjC,EAAE,CAAC,qBAAqB,EAAE,GAAG,EAAE;QAC7B,MAAM,SAAS,GAAG,eAAe,EAAE,CAAC;QACpC,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;QACnD,KAAK,MAAM,CAAC,IAAI,SAAS,EAAE,CAAC;YAC1B,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,UAAU,EAAE,CAAC;YAC1B,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;YACnC,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YACjD,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,EAAE,CAAC,CAAC;YAClD,MAAM,CAAC,CAAC,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,EAAE,CAAC,CAAC;YACpD,MAAM,CAAC,CAAC,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACpD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sBAAsB,EAAE,GAAG,EAAE;QAC9B,MAAM,CAAC,GAAG,eAAe,CAAC,aAAa,CAAC,CAAC;QACzC,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;QACxB,MAAM,CAAC,CAAE,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACjC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,CAAC,eAAe,CAAC,aAAa,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;IACzD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0BAA0B,EAAE,GAAG,EAAE;QAClC,MAAM,CAAC,eAAe,EAAE,CAAC,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;QACrC,MAAM,GAAG,GAAG,eAAe,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAC7C,MAAM,CAAC,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
export {};
|