vibecodingmachine-core 2026.2.20-438 → 2026.2.26-1739

package/src/agents/SecurityValidationService.js

@@ -0,0 +1,534 @@
+/**
+ * Security Validation Service
+ * 
+ * Provides security validation for downloaded packages and files.
+ * Follows constitutional requirements: <555 lines, test-first approach.
+ */
+
+const crypto = require('crypto');
+const fs = require('fs').promises;
+const path = require('path');
+
+/**
+ * Security Validation Service class
+ */
+class SecurityValidationService {
+  /**
+   * Create security validation service instance
+   * @param {Object} options - Service options
+   */
+  constructor(options = {}) {
+    this.logger = options.logger || null;
+    this.strictMode = options.strictMode !== false; // Default to strict
+    this.maxFileSize = options.maxFileSize || 100 * 1024 * 1024; // 100MB
+    this.allowedExtensions = options.allowedExtensions || [
+      '.exe', '.msi', '.zip', '.tar', '.gz', '.js', '.json'
+    ];
+    this.blockedPatterns = options.blockedPatterns || [
+      /\.exe$/i, // Executables (require special handling)
+      /\.bat$/i, // Batch files
+      /\.cmd$/i, // Command files
+      /\.scr$/i, // Screensavers (often malicious)
+      /\.vbs$/i, // VBScript files
+      /\.ps1$/i  // PowerShell scripts (require validation)
+    ];
+    
+    // Known malicious signatures (simplified)
+    this.maliciousSignatures = [
+      'eval(',
+      'document.write(',
+      'setTimeout(',
+      'setInterval(',
+      'Function(',
+      'require(\'child_process\')',
+      'require(\'fs\')',
+      'spawn(',
+      'exec('
+    ];
+  }
+
+  /**
+   * Validate downloaded file
+   * @param {string} filePath - Path to downloaded file
+   * @param {Object} context - Validation context
+   * @returns {Promise<Object>} - Validation result
+   */
+  async validateFile(filePath, context = {}) {
+    const result = {
+      valid: true,
+      warnings: [],
+      errors: [],
+      security: {
+        fileSize: 0,
+        fileHash: null,
+        fileExtension: null,
+        maliciousContent: false,
+        suspiciousPatterns: [],
+        permissions: null
+      },
+      metadata: {
+        fileName: path.basename(filePath),
+        filePath,
+        validationTime: new Date().toISOString(),
+        context
+      }
+    };
+
+    try {
+      // Check file exists
+      const stats = await fs.stat(filePath);
+      if (!stats.isFile()) {
+        result.valid = false;
+        result.errors.push('File does not exist or is not a regular file');
+        return result;
+      }
+
+      // File size validation
+      result.security.fileSize = stats.size;
+      if (stats.size > this.maxFileSize) {
+        result.valid = false;
+        result.errors.push(`File size (${stats.size} bytes) exceeds maximum allowed size (${this.maxFileSize} bytes)`);
+      }
+
+      // File extension validation
+      const ext = path.extname(filePath).toLowerCase();
+      result.security.fileExtension = ext;
+      
+      if (!this.allowedExtensions.includes(ext)) {
+        result.warnings.push(`File extension '${ext}' is not in the allowed list`);
+      }
+
+      // Check for blocked patterns
+      for (const pattern of this.blockedPatterns) {
+        if (pattern.test(filePath)) {
+          result.warnings.push(`File name matches blocked pattern: ${pattern}`);
+          result.security.suspiciousPatterns.push(pattern.toString());
+        }
+      }
+
+      // Read file for content validation
+      const content = await fs.readFile(filePath);
+      
+      // Calculate file hash
+      result.security.fileHash = this.calculateHash(content);
+      
+      // Content validation
+      await this.validateContent(content, result);
+      
+      // Permission validation (Windows specific)
+      if (process.platform === 'win32') {
+        await this.validateFilePermissions(filePath, result);
+      }
+
+      // Log validation result
+      if (this.logger) {
+        this.logger.info('File security validation completed', {
+          filePath,
+          valid: result.valid,
+          errorsCount: result.errors.length,
+          warningsCount: result.warnings.length,
+          fileSize: result.security.fileSize,
+          fileHash: result.security.fileHash
+        });
+      }
+
+    } catch (error) {
+      result.valid = false;
+      result.errors.push(`Validation error: ${error.message}`);
+      
+      if (this.logger) {
+        this.logger.error('File security validation failed', {
+          filePath,
+          error: error.message
+        });
+      }
+    }
+
+    return result;
+  }
+
+  /**
+   * Validate file content
+   * @param {Buffer} content - File content
+   * @param {Object} result - Validation result to update
+   */
+  async validateContent(content, result) {
+    const contentString = content.toString('utf8', 0, Math.min(content.length, 1024 * 1024)); // First 1MB
+    
+    // Check for malicious signatures
+    for (const signature of this.maliciousSignatures) {
+      if (contentString.includes(signature)) {
+        result.valid = false;
+        result.errors.push(`Suspicious content detected: ${signature}`);
+        result.security.maliciousContent = true;
+        break;
+      }
+    }
+
+    // Check for suspicious patterns
+    const suspiciousPatterns = [
+      /base64/i,
+      /atob/i,
+      /btoa/i,
+      /\\x[0-9a-f]{2}/gi,
+      /%[0-9a-f]{2}/gi,
+      /document\.cookie/i,
+      /localStorage/i,
+      /sessionStorage/i
+    ];
+
+    for (const pattern of suspiciousPatterns) {
+      if (pattern.test(contentString)) {
+        result.warnings.push(`Suspicious pattern detected: ${pattern}`);
+        result.security.suspiciousPatterns.push(pattern.toString());
+      }
+    }
+
+    // Check for executable headers
+    if (content.length >= 2) {
+      const header = content.readUInt16LE(0);
+      const executableHeaders = [
+        0x5A4D, // MZ (PE executable)
+        0x4D5A, // ZM (PE executable, little-endian)
+        0x7F45, // ELF executable
+        0xCAFEBABE, // Java class file
+        0x89504E47 // PNG file (should not be executable)
+      ];
+
+      if (executableHeaders.includes(header)) {
+        result.warnings.push('File appears to be an executable binary');
+        result.security.suspiciousPatterns.push('Executable header detected');
+      }
+    }
+  }
+
+  /**
+   * Validate file permissions (Windows)
+   * @param {string} filePath - File path
+   * @param {Object} result - Validation result to update
+   */
+  async validateFilePermissions(filePath, result) {
+    try {
+      // Check if file is writable (potential security risk)
+      await fs.access(filePath, fs.constants.W_OK);
+      
+      // Check file attributes (Windows specific)
+      const stats = await fs.stat(filePath);
+      result.security.permissions = {
+        readable: true,
+        writable: true,
+        executable: false
+      };
+
+      // Warn about executable files
+      if (stats.mode & 0o111) {
+        result.warnings.push('File has executable permissions set');
+      }
+
+    } catch (error) {
+      result.warnings.push(`Could not validate file permissions: ${error.message}`);
+    }
+  }
+
+  /**
+   * Validate package signature
+   * @param {string} filePath - Path to package file
+   * @param {Object} expectedSignature - Expected signature
+   * @returns {Promise<Object>} - Signature validation result
+   */
+  async validatePackageSignature(filePath, expectedSignature = null) {
+    const result = {
+      valid: true,
+      errors: [],
+      warnings: [],
+      signature: null,
+      verified: false
+    };
+
+    try {
+      const content = await fs.readFile(filePath);
+      const actualHash = this.calculateHash(content);
+      result.signature = actualHash;
+
+      if (expectedSignature) {
+        if (actualHash === expectedSignature.hash) {
+          result.verified = true;
+        } else {
+          result.valid = false;
+          result.errors.push(`Package signature mismatch. Expected: ${expectedSignature.hash}, Actual: ${actualHash}`);
+        }
+      } else {
+        result.warnings.push('No expected signature provided for verification');
+      }
+
+      if (this.logger) {
+        this.logger.info('Package signature validation completed', {
+          filePath,
+          signature: actualHash,
+          verified: result.verified
+        });
+      }
+
+    } catch (error) {
+      result.valid = false;
+      result.errors.push(`Signature validation error: ${error.message}`);
+      
+      if (this.logger) {
+        this.logger.error('Package signature validation failed', {
+          filePath,
+          error: error.message
+        });
+      }
+    }
+
+    return result;
+  }
+
+  /**
+   * Validate download source
+   * @param {string} url - Download URL
+   * @returns {Object} - Source validation result
+   */
+  validateDownloadSource(url) {
+    const result = {
+      valid: true,
+      warnings: [],
+      errors: [],
+      trustLevel: 'UNKNOWN'
+    };
+
+    try {
+      const urlObj = new URL(url);
+      
+      // Check protocol
+      if (!['https:', 'http:'].includes(urlObj.protocol)) {
+        result.valid = false;
+        result.errors.push(`Unsupported protocol: ${urlObj.protocol}`);
+        return result;
+      }
+
+      // Check for HTTPS
+      if (urlObj.protocol !== 'https:') {
+        result.warnings.push('Download uses HTTP instead of HTTPS');
+        result.trustLevel = 'LOW';
+      } else {
+        result.trustLevel = 'MEDIUM';
+      }
+
+      // Check domain reputation (simplified)
+      const trustedDomains = [
+        'github.com',
+        'npmjs.org',
+        'microsoft.com',
+        'anthropic.com',
+        'google.com',
+        'winget.run',
+        'chocolatey.org'
+      ];
+
+      const domain = urlObj.hostname.toLowerCase();
+      if (trustedDomains.some(trusted => domain.includes(trusted))) {
+        result.trustLevel = 'HIGH';
+      } else {
+        result.warnings.push(`Download from untrusted domain: ${domain}`);
+      }
+
+      // Check for suspicious URL patterns
+      const suspiciousPatterns = [
+        /bit\.ly/i,
+        /tinyurl\.com/i,
+        /shortened/i,
+        /redirect/i
+      ];
+
+      for (const pattern of suspiciousPatterns) {
+        if (pattern.test(url)) {
+          result.warnings.push(`Suspicious URL pattern detected: ${pattern}`);
+        }
+      }
+
+    } catch (error) {
+      result.valid = false;
+      result.errors.push(`URL validation error: ${error.message}`);
+    }
+
+    return result;
+  }
+
+  /**
+   * Calculate file hash
+   * @param {Buffer} content - File content
+   * @returns {string} - SHA-256 hash
+   */
+  calculateHash(content) {
+    return crypto.createHash('sha256').update(content).digest('hex');
+  }
+
+  /**
+   * Validate multiple files
+   * @param {Array<string>} filePaths - Array of file paths
+   * @param {Object} context - Validation context
+   * @returns {Promise<Object>} - Batch validation result
+   */
+  async validateFiles(filePaths, context = {}) {
+    const results = {
+      valid: true,
+      files: [],
+      summary: {
+        total: filePaths.length,
+        valid: 0,
+        invalid: 0,
+        warnings: 0,
+        errors: 0
+      }
+    };
+
+    for (const filePath of filePaths) {
+      const fileResult = await this.validateFile(filePath, context);
+      results.files.push(fileResult);
+      
+      if (fileResult.valid) {
+        results.summary.valid++;
+      } else {
+        results.summary.invalid++;
+        results.valid = false;
+      }
+      
+      results.summary.warnings += fileResult.warnings.length;
+      results.summary.errors += fileResult.errors.length;
+    }
+
+    if (this.logger) {
+      this.logger.info('Batch file validation completed', {
+        totalFiles: results.summary.total,
+        validFiles: results.summary.valid,
+        invalidFiles: results.summary.invalid,
+        totalWarnings: results.summary.warnings,
+        totalErrors: results.summary.errors
+      });
+    }
+
+    return results;
+  }
+
+  /**
+   * Create security report
+   * @param {Array<Object>} validationResults - Array of validation results
+   * @returns {Object} - Security report
+   */
+  createSecurityReport(validationResults) {
+    const report = {
+      timestamp: new Date().toISOString(),
+      summary: {
+        totalFiles: validationResults.length,
+        validFiles: 0,
+        invalidFiles: 0,
+        totalWarnings: 0,
+        totalErrors: 0,
+        highRiskFiles: 0,
+        mediumRiskFiles: 0,
+        lowRiskFiles: 0
+      },
+      details: validationResults,
+      recommendations: []
+    };
+
+    for (const result of validationResults) {
+      if (result.valid) {
+        report.summary.validFiles++;
+      } else {
+        report.summary.invalidFiles++;
+      }
+
+      report.summary.totalWarnings += result.warnings.length;
+      report.summary.totalErrors += result.errors.length;
+
+      // Assess risk level
+      const riskLevel = this.assessRiskLevel(result);
+      if (riskLevel === 'HIGH') {
+        report.summary.highRiskFiles++;
+      } else if (riskLevel === 'MEDIUM') {
+        report.summary.mediumRiskFiles++;
+      } else {
+        report.summary.lowRiskFiles++;
+      }
+    }
+
+    // Generate recommendations
+    report.recommendations = this.generateRecommendations(report);
+
+    return report;
+  }
+
+  /**
+   * Assess risk level for validation result
+   * @param {Object} result - Validation result
+   * @returns {string} - Risk level
+   */
+  assessRiskLevel(result) {
+    if (result.security.maliciousContent) {
+      return 'HIGH';
+    }
+    
+    if (result.errors.length > 0) {
+      return 'HIGH';
+    }
+    
+    if (result.warnings.length > 3) {
+      return 'MEDIUM';
+    }
+    
+    if (result.warnings.length > 0) {
+      return 'LOW';
+    }
+    
+    return 'LOW';
+  }
+
+  /**
+   * Generate security recommendations
+   * @param {Object} report - Security report
+   * @returns {Array<string>} - Recommendations
+   */
+  generateRecommendations(report) {
+    const recommendations = [];
+
+    if (report.summary.highRiskFiles > 0) {
+      recommendations.push('Review and remove high-risk files immediately');
+    }
+
+    if (report.summary.mediumRiskFiles > 0) {
+      recommendations.push('Investigate medium-risk files before proceeding');
+    }
+
+    if (report.summary.totalWarnings > report.summary.totalFiles) {
+      recommendations.push('Consider reviewing download sources and security policies');
+    }
+
+    if (report.summary.invalidFiles > 0) {
+      recommendations.push('Fix validation errors before using files');
+    }
+
+    recommendations.push('Regularly update security validation rules');
+    recommendations.push('Use HTTPS downloads from trusted sources');
+    recommendations.push('Verify package signatures when available');
+
+    return recommendations;
+  }
+
+  /**
+   * Get current configuration
+   * @returns {Object} - Current configuration
+   */
+  getConfiguration() {
+    return {
+      strictMode: this.strictMode,
+      maxFileSize: this.maxFileSize,
+      allowedExtensions: this.allowedExtensions,
+      blockedPatterns: this.blockedPatterns.length,
+      maliciousSignatures: this.maliciousSignatures.length
+    };
+  }
+}
+
+module.exports = SecurityValidationService;