devguard 0.2.0__py3-none-any.whl

devguard/checkers/npm_security.py

@@ -0,0 +1,244 @@
+"""Deep npm package security analysis checker."""
+
+import logging
+import tempfile
+from pathlib import Path
+
+from devguard.checkers.base import BaseChecker
+from devguard.http_client import create_client
+from devguard.models import CheckResult, Severity, Vulnerability
+
+logger = logging.getLogger(__name__)
+
+# Import analysis functions from the red team script
+try:
+    from devguard.scripts.redteam_npm_packages import (
+        analyze_package_contents,
+        check_dependency_vulnerabilities,
+        download_package_tarball,
+        extract_tarball,
+        fetch_package_info,
+    )
+except ImportError:
+    logger.warning("npm security analysis functions not available")
+    analyze_package_contents = None
+    check_dependency_vulnerabilities = None
+    download_package_tarball = None
+    extract_tarball = None
+    fetch_package_info = None
+
+
+class NpmSecurityChecker(BaseChecker):
+    """Deep security analysis of published npm packages."""
+
+    check_type = "npm_security"
+
+    async def check(self) -> CheckResult:
+        """Run deep security analysis on npm packages."""
+        vulnerabilities: list[Vulnerability] = []
+        errors: list[str] = []
+
+        if not self.settings.npm_packages_to_monitor:
+            return CheckResult(
+                check_type=self.check_type,
+                success=True,
+                vulnerabilities=[],
+                errors=["No npm packages configured for deep security analysis"],
+            )
+
+        if not analyze_package_contents:
+            return CheckResult(
+                check_type=self.check_type,
+                success=False,
+                vulnerabilities=[],
+                errors=["npm security analysis functions not available"],
+            )
+
+        for package in self.settings.npm_packages_to_monitor:
+            try:
+                pkg_vulns = await self._analyze_package_security(package)
+                vulnerabilities.extend(pkg_vulns)
+            except Exception as e:
+                error_msg = f"Error analyzing package {package}: {str(e)}"
+                errors.append(error_msg)
+                logger.warning(error_msg)
+
+        return CheckResult(
+            check_type=self.check_type,
+            success=len(errors) == 0,
+            vulnerabilities=vulnerabilities,
+            errors=errors,
+        )
+
+    async def _analyze_package_security(self, package: str) -> list[Vulnerability]:
+        """Perform deep security analysis on a package."""
+        vulnerabilities: list[Vulnerability] = []
+
+        try:
+            async with create_client() as client:
+                # Get package info
+                package_info = await fetch_package_info(client, package)
+
+                # Get latest version
+                dist_tags = package_info.get("dist-tags", {})
+                version = dist_tags.get("latest")
+                if not version:
+                    versions = package_info.get("versions", {})
+                    if versions:
+                        version = max(versions.keys())
+
+                if not version:
+                    logger.warning(f"Could not determine version for {package}")
+                    return vulnerabilities
+
+                # Download and analyze package
+                tarball_data = await download_package_tarball(client, package, version)
+
+                # Check dependency vulnerabilities
+                dep_vulns = await check_dependency_vulnerabilities(client, package, version)
+
+                # Extract and analyze contents
+                with tempfile.TemporaryDirectory() as tmpdir:
+                    extract_dir = Path(tmpdir)
+                    extract_tarball(tarball_data, extract_dir)
+
+                    # Find package directory
+                    package_dir = extract_dir / "package"
+                    if not package_dir.exists():
+                        package_dir = extract_dir
+
+                    findings = analyze_package_contents(package_dir)
+
+                    # Convert findings to vulnerabilities
+                    vulnerabilities.extend(
+                        self._convert_findings_to_vulnerabilities(
+                            package, version, findings, dep_vulns
+                        )
+                    )
+
+        except Exception as e:
+            logger.error(f"Error in deep security analysis for {package}: {e}")
+            raise
+
+        return vulnerabilities
+
+    def _convert_findings_to_vulnerabilities(
+        self,
+        package: str,
+        version: str,
+        findings: dict,
+        dep_vulns: list[dict],
+    ) -> list[Vulnerability]:
+        """Convert security findings to Guardian Vulnerability objects."""
+        vulnerabilities: list[Vulnerability] = []
+
+        # Convert secrets to vulnerabilities
+        for secret in findings.get("secrets", []):
+            severity = self._map_severity(secret.get("severity", "medium"))
+            vulnerabilities.append(
+                Vulnerability(
+                    package_name=package,
+                    package_version=version,
+                    severity=severity,
+                    summary=f"Exposed secret: {secret.get('type', 'Unknown')}",
+                    description=f"Secret found in {secret.get('file', 'unknown')} at line {secret.get('line', '?')}: {secret.get('match', '')[:100]}",
+                    source="npm_security",
+                )
+            )
+
+        # Convert sensitive files to vulnerabilities
+        for file_path in findings.get("sensitive_files", []):
+            vulnerabilities.append(
+                Vulnerability(
+                    package_name=package,
+                    package_version=version,
+                    severity=Severity.HIGH,
+                    summary=f"Sensitive file published: {file_path}",
+                    description=f"Package contains sensitive file that should not be published: {file_path}",
+                    source="npm_security",
+                )
+            )
+
+        # Convert obfuscated code to vulnerabilities
+        for obf in findings.get("obfuscated_code", []):
+            severity = self._map_severity(obf.get("severity", "low"))
+            vulnerabilities.append(
+                Vulnerability(
+                    package_name=package,
+                    package_version=version,
+                    severity=severity,
+                    summary=f"Obfuscated code detected: {obf.get('description', 'Unknown pattern')}",
+                    description=f"Obfuscated code pattern found in package: {obf.get('match', '')[:100]}",
+                    source="npm_security",
+                )
+            )
+
+        # Git history is critical
+        if findings.get("git_history"):
+            vulnerabilities.append(
+                Vulnerability(
+                    package_name=package,
+                    package_version=version,
+                    severity=Severity.CRITICAL,
+                    summary="Git history published in package",
+                    description="Package contains .git directory with full commit history",
+                    source="npm_security",
+                )
+            )
+
+        # Missing .npmignore is a warning (medium severity)
+        if findings.get("npmignore_missing"):
+            vulnerabilities.append(
+                Vulnerability(
+                    package_name=package,
+                    package_version=version,
+                    severity=Severity.MEDIUM,
+                    summary="Missing .npmignore file",
+                    description="Package lacks .npmignore file, increasing risk of publishing sensitive files",
+                    source="npm_security",
+                )
+            )
+
+        # Suspicious install scripts
+        pkg_issues = findings.get("package_json_issues", {})
+        for script in pkg_issues.get("suspicious_scripts", []):
+            vulnerabilities.append(
+                Vulnerability(
+                    package_name=package,
+                    package_version=version,
+                    severity=Severity.HIGH,
+                    summary=f"Suspicious install script: {script.get('script', 'unknown')}",
+                    description=f"Install script contains potentially dangerous operations: {script.get('reason', '')}",
+                    source="npm_security",
+                )
+            )
+
+        # Dependency vulnerabilities
+        for dep_vuln in dep_vulns:
+            severity = self._map_severity(dep_vuln.get("severity", "medium"))
+            vulnerabilities.append(
+                Vulnerability(
+                    package_name=package,
+                    package_version=version,
+                    severity=severity,
+                    summary=dep_vuln.get("title", "Dependency vulnerability"),
+                    description=dep_vuln.get("overview", ""),
+                    advisory_id=dep_vuln.get("id"),
+                    cve_id=dep_vuln.get("cves", [None])[0] if dep_vuln.get("cves") else None,
+                    source="npm_security",
+                )
+            )
+
+        return vulnerabilities
+
+    def _map_severity(self, severity_str: str) -> Severity:
+        """Map string severity to Severity enum."""
+        severity_lower = severity_str.lower()
+        if severity_lower in ("critical", "crit"):
+            return Severity.CRITICAL
+        elif severity_lower in ("high", "h"):
+            return Severity.HIGH
+        elif severity_lower in ("medium", "med", "moderate"):
+            return Severity.MEDIUM
+        else:
+            return Severity.LOW

devguard/checkers/redteam.py

@@ -0,0 +1,290 @@
+"""Red team security testing for deployments."""
+
+import logging
+from datetime import datetime
+
+import httpx
+
+from devguard.checkers.base import BaseChecker
+from devguard.http_client import create_client
+from devguard.models import CheckResult, Severity, Vulnerability
+
+logger = logging.getLogger(__name__)
+
+
+class RedTeamChecker(BaseChecker):
+    """Red team security testing for deployment endpoints."""
+
+    check_type = "redteam"
+
+    def __init__(self, settings):
+        """Initialize red team checker."""
+        super().__init__(settings)
+        self.endpoints_to_test: list[dict[str, str]] = []
+
+    async def check(self, deployment_results: list | None = None) -> CheckResult:
+        """Run red team security tests on endpoints.
+
+        Args:
+            deployment_results: Optional list of CheckResult objects from deployment
+                               checkers (vercel, fly) to extract endpoints from.
+        """
+        vulnerabilities: list[Vulnerability] = []
+        errors: list[str] = []
+
+        # Reset endpoints for each check run
+        self.endpoints_to_test = []
+
+        # Collect endpoints from deployment results
+        self._collect_endpoints_from_results(deployment_results or [])
+
+        if not self.endpoints_to_test:
+            return CheckResult(
+                check_type=self.check_type,
+                success=True,
+                vulnerabilities=[],
+                errors=["No endpoints to test"],
+            )
+
+        async with create_client() as client:
+            for endpoint_info in self.endpoints_to_test:
+                url = endpoint_info["url"]
+                platform = endpoint_info.get("platform", "unknown")
+
+                try:
+                    findings = await self._test_endpoint(client, url, platform)
+                    vulnerabilities.extend(findings)
+                except Exception as e:
+                    errors.append(f"Error testing {url}: {str(e)}")
+                    logger.warning(f"Error testing endpoint {url}: {e}")
+
+        return CheckResult(
+            check_type=self.check_type,
+            success=len(errors) == 0,
+            vulnerabilities=vulnerabilities,
+            errors=errors,
+        )
+
+    def _collect_endpoints_from_results(self, deployment_results: list) -> None:
+        """Collect endpoints from deployment check results."""
+        for check_result in deployment_results:
+            for deployment in check_result.deployments:
+                if deployment.url:
+                    self.endpoints_to_test.append(
+                        {
+                            "url": deployment.url,
+                            "platform": deployment.platform,
+                            "project": deployment.project_name,
+                        }
+                    )
+
+    async def _test_endpoint(
+        self, client: httpx.AsyncClient, url: str, platform: str
+    ) -> list[Vulnerability]:
+        """Test a single endpoint for security issues."""
+        findings: list[Vulnerability] = []
+
+        # Test 1: Check for security headers
+        try:
+            response = await client.head(url, timeout=10.0, follow_redirects=True)
+            header_issues = self._check_security_headers(response, url, platform)
+            findings.extend(header_issues)
+        except Exception as e:
+            logger.debug(f"Error checking headers for {url}: {e}")
+
+        # Test 2: Check for exposed admin/management endpoints
+        admin_paths = [
+            "/admin",
+            "/api/admin",
+            "/management",
+            "/.env",
+            "/.git",
+            "/.well-known",
+            "/debug",
+            "/health",
+            "/metrics",
+            "/status",
+            "/api/health",
+            "/api/status",
+        ]
+
+        for path in admin_paths:
+            try:
+                test_url = f"{url.rstrip('/')}{path}"
+                response = await client.get(test_url, timeout=5.0, follow_redirects=False)
+                if response.status_code == 200:
+                    # Check if it's actually exposing something
+                    content_type = response.headers.get("content-type", "").lower()
+                    if "json" in content_type or "text" in content_type:
+                        content = response.text[:500]  # Sample first 500 chars
+                        if self._is_sensitive_content(content):
+                            findings.append(
+                                Vulnerability(
+                                    package_name=platform,
+                                    package_version="",
+                                    severity=Severity.HIGH,
+                                    summary=f"Exposed endpoint: {path}",
+                                    description=f"Endpoint {test_url} is publicly accessible and may expose sensitive information",
+                                    source="redteam",
+                                )
+                            )
+            except Exception:
+                pass  # Endpoint doesn't exist or timed out
+
+        # Test 3: Check for CORS misconfiguration
+        try:
+            cors_response = await client.options(
+                url,
+                headers={"Origin": "https://evil.com"},
+                timeout=5.0,
+            )
+            cors_issues = self._check_cors(cors_response, url, platform)
+            findings.extend(cors_issues)
+        except Exception:
+            pass
+
+        # Test 4: Check for information disclosure in error messages
+        try:
+            # Try to trigger an error
+            error_response = await client.get(
+                f"{url}/nonexistent-path-{datetime.now().timestamp()}",
+                timeout=5.0,
+            )
+            if error_response.status_code >= 400:
+                error_issues = self._check_error_disclosure(error_response, url, platform)
+                findings.extend(error_issues)
+        except Exception:
+            pass
+
+        return findings
+
+    def _check_security_headers(
+        self, response: httpx.Response, url: str, platform: str
+    ) -> list[Vulnerability]:
+        """Check for missing security headers."""
+        findings: list[Vulnerability] = []
+        headers = response.headers
+
+        # Required security headers
+        security_headers = {
+            "X-Content-Type-Options": "nosniff",
+            "X-Frame-Options": "DENY",
+            "X-XSS-Protection": "1; mode=block",
+            "Strict-Transport-Security": None,  # Any value is good
+            "Content-Security-Policy": None,  # Any value is good
+        }
+
+        missing_headers = []
+        for header, expected_value in security_headers.items():
+            if header not in headers:
+                missing_headers.append(header)
+            elif expected_value and headers[header] != expected_value:
+                missing_headers.append(f"{header} (incorrect value)")
+
+        if missing_headers:
+            severity = Severity.MEDIUM if len(missing_headers) <= 2 else Severity.HIGH
+            findings.append(
+                Vulnerability(
+                    package_name=platform,
+                    package_version="",
+                    severity=severity,
+                    summary=f"Missing security headers: {', '.join(missing_headers)}",
+                    description=f"Endpoint {url} is missing important security headers",
+                    source="redteam",
+                )
+            )
+
+        return findings
+
+    def _check_cors(self, response: httpx.Response, url: str, platform: str) -> list[Vulnerability]:
+        """Check for CORS misconfiguration."""
+        findings: list[Vulnerability] = []
+        headers = response.headers
+
+        acao = headers.get("Access-Control-Allow-Origin", "")
+        acac = headers.get("Access-Control-Allow-Credentials", "")
+
+        # Check for overly permissive CORS
+        if acao == "*" and acac.lower() == "true":
+            findings.append(
+                Vulnerability(
+                    package_name=platform,
+                    package_version="",
+                    severity=Severity.HIGH,
+                    summary="Overly permissive CORS configuration",
+                    description=f"Endpoint {url} allows credentials with wildcard origin (*)",
+                    source="redteam",
+                )
+            )
+        elif acao == "*":
+            findings.append(
+                Vulnerability(
+                    package_name=platform,
+                    package_version="",
+                    severity=Severity.MEDIUM,
+                    summary="Permissive CORS configuration",
+                    description=f"Endpoint {url} allows all origins (*)",
+                    source="redteam",
+                )
+            )
+
+        return findings
+
+    def _check_error_disclosure(
+        self, response: httpx.Response, url: str, platform: str
+    ) -> list[Vulnerability]:
+        """Check for information disclosure in error messages."""
+        findings: list[Vulnerability] = []
+        text = response.text.lower()
+
+        # Sensitive patterns that shouldn't be exposed
+        sensitive_patterns = [
+            "stack trace",
+            "exception",
+            "error at",
+            "file://",
+            "database",
+            "sql",
+            "password",
+            "secret",
+            "api key",
+            "token",
+            "aws",
+            "access key",
+        ]
+
+        found_patterns = [p for p in sensitive_patterns if p in text]
+
+        if found_patterns:
+            findings.append(
+                Vulnerability(
+                    package_name=platform,
+                    package_version="",
+                    severity=Severity.MEDIUM,
+                    summary="Information disclosure in error messages",
+                    description=f"Endpoint {url} exposes sensitive information in error responses: {', '.join(found_patterns[:3])}",
+                    source="redteam",
+                )
+            )
+
+        return findings
+
+    def _is_sensitive_content(self, content: str) -> bool:
+        """Check if content appears to be sensitive."""
+        content_lower = content.lower()
+
+        # Patterns indicating sensitive data
+        sensitive_indicators = [
+            "password",
+            "secret",
+            "api_key",
+            "token",
+            "private",
+            "database",
+            "connection",
+            "aws",
+            "access",
+            "credential",
+        ]
+
+        return any(indicator in content_lower for indicator in sensitive_indicators)