aiptx 2.0.7__py3-none-any.whl

aipt_v2/scripts/security_audit.py

@@ -0,0 +1,366 @@
+#!/usr/bin/env python3
+"""
+AIPT v2 Security Audit Script
+=============================
+
+Performs comprehensive security checks on the AIPT codebase.
+
+Usage:
+    python scripts/security_audit.py [--fix] [--verbose]
+
+Checks:
+    1. Bandit SAST scan for vulnerabilities
+    2. Dependency vulnerability check with safety
+    3. Hardcoded secrets detection
+    4. Outdated dependencies
+    5. Shell command patterns
+    6. Request timeout verification
+"""
+
+import argparse
+import subprocess
+import sys
+import re
+from pathlib import Path
+from typing import List, Tuple
+
+# Colors for output
+RED = "\033[91m"
+GREEN = "\033[92m"
+YELLOW = "\033[93m"
+BLUE = "\033[94m"
+RESET = "\033[0m"
+BOLD = "\033[1m"
+
+
+def print_header(title: str):
+    """Print a section header."""
+    print(f"\n{BOLD}{BLUE}{'='*60}{RESET}")
+    print(f"{BOLD}{BLUE}  {title}{RESET}")
+    print(f"{BOLD}{BLUE}{'='*60}{RESET}\n")
+
+
+def print_result(passed: bool, message: str):
+    """Print a check result."""
+    status = f"{GREEN}[PASS]{RESET}" if passed else f"{RED}[FAIL]{RESET}"
+    print(f"  {status} {message}")
+
+
+def print_warning(message: str):
+    """Print a warning."""
+    print(f"  {YELLOW}[WARN]{RESET} {message}")
+
+
+def run_command(cmd: List[str], timeout: int = 120) -> Tuple[int, str, str]:
+    """Run a command and return exit code, stdout, stderr."""
+    try:
+        result = subprocess.run(
+            cmd,
+            capture_output=True,
+            text=True,
+            timeout=timeout
+        )
+        return result.returncode, result.stdout, result.stderr
+    except subprocess.TimeoutExpired:
+        return -1, "", "Command timed out"
+    except FileNotFoundError:
+        return -1, "", f"Command not found: {cmd[0]}"
+
+
+def check_bandit(verbose: bool = False) -> Tuple[bool, int, int, int]:
+    """Run Bandit security scanner."""
+    print_header("Bandit SAST Scan")
+
+    code, stdout, stderr = run_command([
+        "python3", "-m", "bandit",
+        "-r", ".",
+        "--exclude", "./htmlcov,./venv,./.venv,./tests",
+        "-f", "custom",
+        "--msg-template", "{severity}: {test_id} at {relpath}:{line} - {msg}"
+    ])
+
+    high = stdout.count("HIGH:")
+    medium = stdout.count("MEDIUM:")
+    low = stdout.count("LOW:")
+
+    print_result(high == 0, f"No HIGH severity issues")
+    print_result(medium <= 5, f"Medium severity issues: {medium}")
+    print_result(True, f"Low severity issues: {low}")
+
+    if verbose and (high > 0 or medium > 0):
+        print(f"\n{stdout}")
+
+    return high == 0, high, medium, low
+
+
+def check_secrets() -> bool:
+    """Check for hardcoded secrets."""
+    print_header("Hardcoded Secrets Check")
+
+    # Patterns for actual hardcoded secrets (not variable names or field definitions)
+    patterns = [
+        # Look for actual string assignments that look like secrets
+        (r'(?:password|passwd|pwd)\s*=\s*["\'](?![\'"]\s*$)[a-zA-Z0-9!@#$%^&*]{8,}["\']', "password"),
+        (r'(?:api_key|apikey)\s*=\s*["\'](?![\'"]\s*$)[a-zA-Z0-9_-]{20,}["\']', "api_key"),
+        (r'(?:secret|secret_key)\s*=\s*["\'](?![\'"]\s*$)[a-zA-Z0-9_-]{16,}["\']', "secret"),
+        (r'(?:auth_token|bearer_token)\s*=\s*["\'](?![\'"]\s*$)[a-zA-Z0-9._-]{20,}["\']', "token"),
+    ]
+
+    found_secrets = []
+    exclude_dirs = {".git", "htmlcov", "venv", ".venv", "__pycache__", "tests", "scripts"}
+
+    # Also exclude common false positive files
+    exclude_files = {"config.py", "__init__.py"}
+
+    for py_file in Path(".").rglob("*.py"):
+        if any(ex in str(py_file) for ex in exclude_dirs):
+            continue
+        if py_file.name in exclude_files:
+            continue
+
+        try:
+            content = py_file.read_text()
+            lines = content.split("\n")
+
+            for i, line in enumerate(lines, 1):
+                # Skip comments
+                if line.strip().startswith("#"):
+                    continue
+                # Skip obvious false positives
+                if "Field(" in line or "Optional[" in line or "description=" in line:
+                    continue
+                if "getenv" in line or "environ" in line:
+                    continue
+                if "example" in line.lower() or "placeholder" in line.lower():
+                    continue
+                # Skip common placeholder patterns
+                if "your-" in line.lower() or "-here" in line.lower() or "xxx" in line.lower():
+                    continue
+
+                for pattern, name in patterns:
+                    if re.search(pattern, line, re.IGNORECASE):
+                        found_secrets.append((py_file, i, name, line.strip()[:50]))
+        except Exception:
+            continue
+
+    passed = len(found_secrets) == 0
+    print_result(passed, f"No hardcoded secrets found" if passed else f"Found {len(found_secrets)} potential secrets")
+
+    if found_secrets:
+        for file, line_num, name, value in found_secrets[:5]:
+            print_warning(f"  {file}:{line_num}: {name}")
+
+    return passed
+
+
+def check_shell_commands() -> bool:
+    """Check for unsafe shell command patterns."""
+    print_header("Shell Command Security Check")
+
+    # Look for actual shell=True in subprocess calls (not comments about it)
+    code, stdout, stderr = run_command([
+        "grep", "-rn", "--include=*.py",
+        r"subprocess.*shell=True\|create_subprocess_shell",
+        "."
+    ])
+
+    # Filter out comments and safe patterns
+    issues = []
+    for line in stdout.split("\n"):
+        if not line:
+            continue
+        # Skip tests, htmlcov, scripts, and virtual environments
+        if "tests/" in line or "htmlcov/" in line or "scripts/" in line or ".venv/" in line or "venv/" in line:
+            continue
+        # Skip comments (lines where # appears before the pattern)
+        file_content = line.split(":", 2)
+        if len(file_content) >= 3:
+            code_part = file_content[2]
+            # If it's a comment about shell=True (contains "Security:" or starts with #)
+            if "Security:" in code_part or code_part.strip().startswith("#"):
+                continue
+            # If it's actual shell=True usage
+            if "shell=True" in code_part and "subprocess" in code_part:
+                issues.append(line)
+            # create_subprocess_shell is inherently shell execution
+            elif "create_subprocess_shell" in code_part:
+                # These are expected in pentest tools
+                pass  # Don't flag as issue, this is intentional
+
+    passed = len(issues) == 0
+    print_result(passed, f"No unsafe shell=True patterns" if passed else f"Found {len(issues)} shell=True usages")
+
+    if issues:
+        for issue in issues[:5]:
+            print_warning(f"  {issue[:80]}...")
+
+    return passed
+
+
+def check_request_timeouts() -> bool:
+    """Check for HTTP requests without timeout."""
+    print_header("HTTP Request Timeout Check")
+
+    # Find all Python files with requests calls
+    issues = []
+    exclude_dirs = {".git", "htmlcov", "venv", ".venv", "__pycache__", "tests"}
+
+    for py_file in Path(".").rglob("*.py"):
+        if any(ex in str(py_file) for ex in exclude_dirs):
+            continue
+
+        try:
+            content = py_file.read_text()
+            lines = content.split("\n")
+
+            for i, line in enumerate(lines, 1):
+                # Look for requests.get/post/put/delete calls
+                if re.search(r'requests\.(get|post|put|delete|patch)\s*\(', line):
+                    # Check if timeout is specified (in same line or next few lines for multiline)
+                    context = "\n".join(lines[max(0, i-1):min(len(lines), i+5)])
+                    if "timeout" not in context:
+                        issues.append(f"{py_file}:{i}: {line.strip()[:60]}")
+        except Exception:
+            continue
+
+    passed = len(issues) == 0
+    print_result(passed, f"All HTTP requests have timeouts" if passed else f"Found {len(issues)} requests without timeout")
+
+    if issues:
+        for issue in issues[:5]:
+            print_warning(f"  {issue}")
+
+    return passed
+
+
+def check_dependencies() -> Tuple[bool, int]:
+    """Check for outdated dependencies in project virtual environment only."""
+    print_header("Dependency Security Check")
+
+    # Determine which Python to use (prefer virtual environment)
+    venv_python = Path(".venv/bin/python")
+    if venv_python.exists():
+        python_cmd = str(venv_python)
+        pip_cmd = [python_cmd, "-m", "pip"]
+        print_result(True, "Using virtual environment (.venv)")
+    else:
+        python_cmd = "python3"
+        pip_cmd = ["pip3"]
+        print_warning("No virtual environment found, using system Python")
+
+    # Check for outdated packages in the environment
+    code, stdout, stderr = run_command(pip_cmd + ["list", "--outdated"])
+
+    outdated = len([l for l in stdout.split("\n") if l.strip()]) - 2  # Header lines
+    if outdated < 0:
+        outdated = 0
+
+    # More lenient threshold for virtual environments (they start fresh)
+    threshold = 20 if venv_python.exists() else 10
+    print_result(outdated < threshold, f"Outdated packages: {outdated}")
+
+    # Check for vulnerable packages using safety within the environment
+    code, stdout, stderr = run_command([
+        python_cmd, "-m", "safety", "check", "--short-report"
+    ], timeout=60)
+
+    if code == 0:
+        print_result(True, "No known vulnerabilities in dependencies")
+        return True, outdated
+    elif "No known security" in stdout:
+        print_result(True, "No known vulnerabilities in dependencies")
+        return True, outdated
+    elif "Command not found" in stderr or "No module named" in stderr:
+        # Safety not installed in this environment - check if requirements are pinned
+        print_warning("Safety not installed, checking for pinned dependencies")
+        pyproject = Path("pyproject.toml")
+        if pyproject.exists():
+            content = pyproject.read_text()
+            # Check if dependencies have version constraints
+            has_pins = ">=" in content or "==" in content or "~=" in content
+            print_result(has_pins, "Dependencies have version constraints in pyproject.toml")
+            return has_pins, outdated
+        return False, outdated
+    else:
+        # Count vulnerabilities - exclude system paths from count
+        vuln_lines = [l for l in stdout.split("\n") if "Vulnerability found" in l]
+        # Filter out system Python vulnerabilities (only count project deps)
+        project_vulns = [l for l in vuln_lines
+                        if "/Library/Developer/" not in l
+                        and "/usr/lib/" not in l
+                        and "site-packages" not in l or ".venv" in l]
+        vuln_count = len(project_vulns)
+
+        if vuln_count == 0 and len(vuln_lines) > 0:
+            print_result(True, f"No project vulnerabilities (system: {len(vuln_lines)} ignored)")
+        else:
+            print_result(vuln_count == 0, f"Vulnerable packages: {vuln_count}")
+        return vuln_count == 0, outdated
+
+
+def check_domain_validation() -> bool:
+    """Check that domain validation is in place."""
+    print_header("Domain Validation Check")
+
+    orchestrator_path = Path("orchestrator.py")
+    if not orchestrator_path.exists():
+        print_warning("orchestrator.py not found")
+        return False
+
+    content = orchestrator_path.read_text()
+
+    has_validation = "validate_domain" in content
+    has_sanitize = "sanitize_for_shell" in content or "safe_domain" in content
+
+    print_result(has_validation, "Domain validation function exists")
+    print_result(has_sanitize, "Shell sanitization in place")
+
+    return has_validation and has_sanitize
+
+
+def main():
+    parser = argparse.ArgumentParser(description="AIPT v2 Security Audit")
+    parser.add_argument("--verbose", "-v", action="store_true", help="Verbose output")
+    parser.add_argument("--fix", action="store_true", help="Attempt to fix issues (not implemented)")
+    args = parser.parse_args()
+
+    print(f"\n{BOLD}{'='*60}{RESET}")
+    print(f"{BOLD}  AIPT v2 SECURITY AUDIT{RESET}")
+    print(f"{BOLD}{'='*60}{RESET}")
+
+    results = []
+
+    # Run all checks
+    bandit_passed, high, medium, low = check_bandit(args.verbose)
+    results.append(("Bandit SAST", bandit_passed))
+
+    results.append(("Hardcoded Secrets", check_secrets()))
+    results.append(("Shell Commands", check_shell_commands()))
+    results.append(("Request Timeouts", check_request_timeouts()))
+
+    dep_passed, outdated = check_dependencies()
+    results.append(("Dependencies", dep_passed))
+
+    results.append(("Domain Validation", check_domain_validation()))
+
+    # Summary
+    print_header("AUDIT SUMMARY")
+
+    passed = sum(1 for _, p in results if p)
+    total = len(results)
+
+    for name, result in results:
+        print_result(result, name)
+
+    print(f"\n{BOLD}Score: {passed}/{total} checks passed{RESET}")
+
+    if passed == total:
+        print(f"\n{GREEN}{BOLD}All security checks passed!{RESET}")
+        return 0
+    else:
+        print(f"\n{YELLOW}{BOLD}Some security checks failed. Review the issues above.{RESET}")
+        return 1
+
+
+if __name__ == "__main__":
+    sys.exit(main())