websec-validator 0.2.5__tar.gz → 0.2.7__tar.gz

{websec_validator-0.2.5/src/websec_validator.egg-info → websec_validator-0.2.7}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: websec-validator
-Version: 0.2.5
+Version: 0.2.7
 Summary: Local-first security recon that briefs your AI coding agent: facts + tailored probe scripts, code-in / artifacts-out. No LLM, no server, no running app.
 Author: Ricardo Accioly
 License: MIT

{websec_validator-0.2.5 → websec_validator-0.2.7}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "websec-validator"
-version = "0.2.5"
+version = "0.2.7"
 description = "Local-first security recon that briefs your AI coding agent: facts + tailored probe scripts, code-in / artifacts-out. No LLM, no server, no running app."
 readme = "README.md"
 requires-python = ">=3.11"

{websec_validator-0.2.5 → websec_validator-0.2.7}/src/websec_validator/dynamic.py

@@ -308,19 +308,24 @@ def forged_token_bypass(target: str, facts: dict, cookie_names=None,
         base_code, _ = _request(method, url, token=None, data=body)
         if base_code not in (401, 403):
             continue  # only routes that are gated WITHOUT auth tell us anything about forgery
-        attempts = [("Authorization: Bearer", _request(method, url, token=forged, data=body)[0])]
-        for cn in cookie_names:
-            attempts.append((f"cookie:{cn}", _request(method, url, token=None, data=body, cookie=f"{cn}={forged}")[0]))
-        hit = next(((via, code) for via, code in attempts if code in _REACHED_HANDLER), None)
-        if hit:
-            via, fcode = hit
-            row = {"method": method, "path": path, "baseline": base_code, "forged": fcode,
-                   "via": via, "verdict": "BYPASS"}
-            bypassed.append(row)
+        # Bearer first (cheapest, most universal); only forge into each known auth cookie if
+        # Bearer didn't reach the handler — short-circuits to keep request volume (and
+        # rate-limiter pressure) down. cookie_names is what catches cookie-ONLY session apps.
+        hit, bearer_code = None, _request(method, url, token=forged, data=body)[0]
+        if bearer_code in _REACHED_HANDLER:
+            hit = ("Authorization: Bearer", bearer_code)
         else:
-            row = {"method": method, "path": path, "baseline": base_code,
-                   "forged": attempts[0][1], "via": "Authorization: Bearer", "verdict": "rejected"}
+            for cn in (cookie_names or []):
+                cc = _request(method, url, token=None, data=body, cookie=f"{cn}={forged}")[0]
+                if cc in _REACHED_HANDLER:
+                    hit = (f"cookie:{cn}", cc)
+                    break
+        via, fcode = hit if hit else ("Authorization: Bearer", bearer_code)
+        row = {"method": method, "path": path, "baseline": base_code, "forged": fcode,
+               "via": via, "verdict": "BYPASS" if hit else "rejected"}
         results.append(row)
+        if hit:
+            bypassed.append(row)
 
     return {
         "target": target,
@@ -338,8 +343,10 @@ def forged_token_bypass(target: str, facts: dict, cookie_names=None,
 
 def run_unauth(target: str, facts_path: Path, outdir: Path, probe_writes: bool = False) -> dict:
     facts = json.loads(Path(facts_path).read_text())
+    cookie_names = (facts.get("auth") or {}).get("cookie_names")
     res = {"unauth_reachability": unauth_reachability(target, facts),
-           "forged_token_bypass": forged_token_bypass(target, facts, probe_writes=probe_writes)}
+           "forged_token_bypass": forged_token_bypass(target, facts, cookie_names=cookie_names,
+                                                       probe_writes=probe_writes)}
     if probe_writes:
         res["write_auth_enforcement"] = write_auth_enforcement(target, facts)
     outdir.mkdir(parents=True, exist_ok=True)

{websec_validator-0.2.5 → websec_validator-0.2.7}/src/websec_validator/extractors/auth.py

@@ -17,6 +17,15 @@ PASSPORT = re.compile(r"\bpassport\b|passport-jwt|passport-local")
 SESSION = re.compile(r"express-session|cookie-session|iron-session|flask\.session|request\.session|getServerSession|getToken", re.I)
 APIKEY = re.compile(r"x-api-key|api[_-]?key|apikey", re.I)
 GUARDS = re.compile(r"requireAuth|requirePermission|requireRole|isAuthenticated|@login_required|@require|ensureAuth|withAuth|getServerSession|verifyToken|authMiddleware|@roles_required|can\(|ability\.", re.I)
+# Cookie READ sites — the names the app pulls a token/session from. The forged-token probe
+# forges into these (not just Authorization: Bearer) so a cookie-ONLY session app isn't a
+# false negative. Covers cookies.get('X') / cookies['X'] / getCookie('X') / req.cookies.X.
+COOKIE_READ = re.compile(
+    r"""cookies\s*(?:\.get\(|\[)\s*['"]([A-Za-z0-9_.\-]{2,64})['"]"""      # cookies.get('X') / cookies['X']
+    r"""|getCookie\(\s*['"]([A-Za-z0-9_.\-]{2,64})['"]"""                 # getCookie('X')
+    r"""|\.cookies\.([A-Za-z_][A-Za-z0-9_]{1,63})\b(?!\s*\()""")          # req.cookies.X (not a .get()/.set() call)
+_COOKIE_RESERVED = {"get", "set", "getall", "has", "delete", "clear", "tostring",
+                    "foreach", "entries", "keys", "values", "size", "name", "value", "length"}
 
 
 class AuthExtractor(Extractor):
@@ -31,6 +40,7 @@ class AuthExtractor(Extractor):
         # scheme: framework/route signals first, then grep
         jwt = passport = session = apikey = 0
         guard_files = []
+        cookie_names: list[str] = []
         for _p, rel, text in ctx.iter_code():
             if JWT_LIBS.search(text):
                 jwt += 1
@@ -42,6 +52,11 @@ class AuthExtractor(Extractor):
                 apikey += 1
             if GUARDS.search(text) and len(guard_files) < 25:
                 guard_files.append(rel)
+            if len(cookie_names) < 20:
+                for m in COOKIE_READ.finditer(text):
+                    name = m.group(1) or m.group(2) or m.group(3)
+                    if name and name.lower() not in _COOKIE_RESERVED and name not in cookie_names:
+                        cookie_names.append(name)
 
         nextauth = "nextauth" in frameworks or any("nextauth" in e.lower() for e in auth_eps)
 
@@ -70,6 +85,7 @@ class AuthExtractor(Extractor):
             "schemes_detected": detected,
             "token_location": token_location,
             "login_endpoints": auth_eps,
+            "cookie_names": cookie_names[:15],
             "guard_files": guard_files,
             "signal_counts": {"jwt": jwt, "passport": passport, "session": session, "api_key": apikey},
             "note": "AGENT: confirm the PRIMARY auth flow + how a test token is minted before the JWT/auth "

{websec_validator-0.2.5 → websec_validator-0.2.7}/src/websec_validator/findings.py

@@ -184,7 +184,9 @@ def build_ledger(facts: dict, unified: dict | None, dynamic: dict | None = None,
         cat = t.get("category", "")
         cls = cat_to_class.get(cat, "sast")
         sev = t.get("severity", "MEDIUM")
-        conf = "HIGH" if cat in ("secret",) or (cat == "sca" and sev in ("HIGH", "CRITICAL")) else "MEDIUM"
+        # Confidence follows severity for secrets/CVEs: a generic-api-key tiered down to MEDIUM
+        # (low-precision rule, bug-072) should NOT be stamped HIGH-confidence — keep P(real) honest.
+        conf = "HIGH" if (cat in ("secret", "sca") and sev in ("HIGH", "CRITICAL")) else "MEDIUM"
         out.append(_f(t.get("title", cat), f"static-{cat}", cls, sev, conf, t.get("file", ""),
                       [{"layer": "static", "detail": f"{'+'.join(t.get('tools', []))}: {t.get('title','')}"}]))
 

{websec_validator-0.2.5 → websec_validator-0.2.7}/src/websec_validator/probes.py

@@ -111,6 +111,7 @@ def build_context(facts: dict) -> dict:
         "auth": {
             "scheme": auth.get("scheme"),
             "token_location": auth.get("token_location"),
+            "cookie_names": auth.get("cookie_names", []),
             "login_endpoints": tgt.get("auth_endpoints", [])[:10],
             "how_to_authenticate": "cookie-session (e.g. NextAuth) → send the session cookie; "
                                    "bearer → Authorization: Bearer <jwt>; api-key → the documented key header",

{websec_validator-0.2.5 → websec_validator-0.2.7}/src/websec_validator/scanners.py

@@ -200,6 +200,23 @@ def _aws_secret_tier(secret: str, match: str):
     return None, None
 
 
+# gitleaks/trivy "generic" + entropy/keyword rules are high-recall, low-precision: they fire on
+# public keys, wallet addresses, hashes, env-var refs and test fixtures about as often as real
+# credentials. Tier those to MEDIUM + a verify note (NEVER hide them) so the HIGH secret tier
+# stays trustworthy in a shareable report; specific-format rules (AKIA, private-key, GitHub/
+# Stripe/Slack/JWT, etc.) keep HIGH. (bug-072 — dogfooding a wallet app surfaced ~20 HIGH
+# generic-api-key FPs in committed source.)
+_GENERIC_SECRET_RULES = {"generic-api-key", "generic-api-key-1", "generic", "api-key",
+                         "secret-keyword", "high-entropy", "high-entropy-string", "entropy"}
+_GENERIC_NOTE = ("generic/entropy match — verify it's a live credential "
+                 "(often a public key, address, hash or env-ref, not a secret)")
+
+
+def _generic_secret(rule: str) -> bool:
+    r = (rule or "").lower()
+    return r in _GENERIC_SECRET_RULES or "generic" in r or "entropy" in r
+
+
 def _norm_trivy(data: dict) -> list:
     out = []
     for res in (data.get("Results") or []):
@@ -210,11 +227,14 @@ def _norm_trivy(data: dict) -> list:
                         "title": f"{v.get('PkgName')} {v.get('InstalledVersion')} → {v.get('FixedVersion', '(no fix)')}",
                         "fingerprint": f"cve|{v.get('PkgName')}|{v.get('VulnerabilityID')}"})
         for s in (res.get("Secrets") or []):
+            rid = s.get("RuleID", "")
             sev, note = _aws_secret_tier(s.get("Match", ""), s.get("Code", "") or "")
-            title = f"secret: {s.get('Title') or s.get('RuleID')}" + (f" — {note}" if note else "")
+            if not sev and _generic_secret(rid):
+                sev, note = "MEDIUM", _GENERIC_NOTE
+            title = f"secret: {s.get('Title') or rid}" + (f" — {note}" if note else "")
             out.append({"tool": "trivy", "category": "secret", "severity": sev or _sev(s.get("Severity") or "HIGH"),
-                        "key": s.get("RuleID", ""), "file": tgt, "line": s.get("StartLine", 0),
-                        "title": title, "fingerprint": f"secret|{tgt}|{s.get('RuleID')}"})
+                        "key": rid, "file": tgt, "line": s.get("StartLine", 0),
+                        "title": title, "fingerprint": f"secret|{tgt}|{rid}"})
         for m in (res.get("Misconfigurations") or []):
             out.append({"tool": "trivy", "category": "iac", "severity": _sev(m.get("Severity")),
                         "key": m.get("ID", ""), "file": tgt, "line": 0, "title": (m.get("Title") or "")[:90],
@@ -228,6 +248,8 @@ def _norm_gitleaks(data) -> list:
     for x in rows:
         f, rule = x.get("File", ""), x.get("RuleID", "")
         sev, note = _aws_secret_tier(x.get("Secret", ""), x.get("Match", ""))
+        if not sev and _generic_secret(rule):
+            sev, note = "MEDIUM", _GENERIC_NOTE
         title = f"secret: {(x.get('Description') or rule)[:80]}" + (f" — {note}" if note else "")
         out.append({"tool": "gitleaks", "category": "secret", "severity": sev or "HIGH",
                     "key": rule, "file": f, "line": x.get("StartLine", 0),

{websec_validator-0.2.5 → websec_validator-0.2.7}/src/websec_validator/templates/probes/forged-token.sh

@@ -26,6 +26,16 @@ def b(o): return base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b'=').d
 print(b({'alg':'RS256','typ':'JWT','kid':'forged'})+'.'+b({'sub':'websec-forged','email':'websec-forged@example.com','role':'admin','roles':['admin'],'exp':9999999999})+'.d2Vic2VjLWZvcmdlZC1zaWc')
 ")
 
+# Auth cookie names the app reads (from recon → probe-context.json) + an optional COOKIE_NAME
+# override. We forge into these too, not just Authorization: Bearer, so a cookie-ONLY app isn't
+# a false negative. (portable; macOS bash 3.2 lacks `mapfile`.)
+COOKIES=()
+[ -n "${COOKIE_NAME:-}" ] && COOKIES+=("$COOKIE_NAME")
+while IFS= read -r cn; do [ -n "$cn" ] && COOKIES+=("$cn"); done < <(python3 -c "
+import json
+for c in json.load(open('$ctx')).get('auth',{}).get('cookie_names',[]): print(c)
+" 2>/dev/null)
+
 # Routes to test: GET reads + GET idor/ssrf candidates (always); writes when PROBE_WRITES=1.
 # Skip any path with an unfilled {param}. (portable; macOS bash 3.2 lacks `mapfile`.)
 ROUTES=()
@@ -64,9 +74,11 @@ for ep in "${ROUTES[@]}"; do
   if [ "$na" != "401" ] && [ "$na" != "403" ]; then skip=$((skip+1)); continue; fi   # not gated unauthenticated → N/A here
   fg=$(curl -s -o /dev/null -w '%{http_code}' -X "$method" "$BASE$path" -H "Authorization: Bearer $FORGED" ${data[@]+"${data[@]}"} --max-time 15)
   via="Bearer"
-  if ! reached "$fg" && [ -n "${COOKIE_NAME:-}" ]; then
-    fg=$(curl -s -o /dev/null -w '%{http_code}' -X "$method" "$BASE$path" -H "Cookie: $COOKIE_NAME=$FORGED" ${data[@]+"${data[@]}"} --max-time 15)
-    via="cookie:$COOKIE_NAME"
+  if ! reached "$fg"; then   # Bearer didn't reach the handler → try forging into each known auth cookie
+    for cn in ${COOKIES[@]+"${COOKIES[@]}"}; do
+      cfg=$(curl -s -o /dev/null -w '%{http_code}' -X "$method" "$BASE$path" -H "Cookie: $cn=$FORGED" ${data[@]+"${data[@]}"} --max-time 15)
+      if reached "$cfg"; then fg="$cfg"; via="cookie:$cn"; break; fi
+    done
   fi
   if reached "$fg"; then
     printf '  BYPASS  %s→%s  %s %s   (forged token accepted via %s)\n' "$na" "$fg" "$method" "$path" "$via"; bypass=$((bypass+1))

{websec_validator-0.2.5 → websec_validator-0.2.7/src/websec_validator.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: websec-validator
-Version: 0.2.5
+Version: 0.2.7
 Summary: Local-first security recon that briefs your AI coding agent: facts + tailored probe scripts, code-in / artifacts-out. No LLM, no server, no running app.
 Author: Ricardo Accioly
 License: MIT

{websec_validator-0.2.5 → websec_validator-0.2.7}/tests/test_hardening.py

@@ -17,6 +17,8 @@ ROOT = Path(__file__).resolve().parents[1]
 sys.path.insert(0, str(ROOT / "src"))
 
 from websec_validator import dynamic, findings, probes, scanners  # noqa: E402
+from websec_validator.extractors.auth import AuthExtractor  # noqa: E402
+from websec_validator.extractors.base import RepoContext  # noqa: E402
 
 FACTS = {"routes": {"endpoints": [
     {"method": "GET", "path": "/api/bypass"},      # gated; accepts forged token  -> BYPASS
@@ -133,5 +135,73 @@ class ProbeRegistrationTests(unittest.TestCase):
         self.assertEqual(ctx["endpoints"]["reads"], ["GET /api/a"])
 
 
+class SecretPrecisionTests(unittest.TestCase):
+    """bug-072: low-precision generic/entropy secret rules -> MEDIUM (+verify note); specific
+    rules (AKIA, private-key, …) keep HIGH. Nothing is hidden."""
+
+    def test_generic_rule_detection(self):
+        self.assertTrue(scanners._generic_secret("generic-api-key"))
+        self.assertTrue(scanners._generic_secret("high-entropy-string"))
+        self.assertFalse(scanners._generic_secret("aws-access-token"))
+        self.assertFalse(scanners._generic_secret("private-key"))
+
+    def test_gitleaks_generic_is_medium_specific_is_high(self):
+        rows = [
+            {"File": "src/lib/chains.ts", "RuleID": "generic-api-key", "Secret": "x" * 40, "Match": "x" * 40, "StartLine": 1},
+            {"File": "src/k.pem", "RuleID": "private-key", "Secret": "-----BEGIN", "Match": "-----BEGIN", "StartLine": 1},
+            {"File": "src/a.ts", "RuleID": "aws-access-token", "Secret": "AKIA" + "A" * 16, "Match": "AKIA" + "A" * 16, "StartLine": 1},
+        ]
+        by = {r["key"]: r for r in scanners._norm_gitleaks(rows)}
+        self.assertEqual(by["generic-api-key"]["severity"], "MEDIUM")
+        self.assertIn("generic/entropy", by["generic-api-key"]["title"])
+        self.assertEqual(by["private-key"]["severity"], "HIGH")          # specific rule untouched
+        self.assertEqual(by["aws-access-token"]["severity"], "HIGH")     # AKIA via _aws_secret_tier
+
+    def test_trivy_generic_secret_is_medium(self):
+        data = {"Results": [{"Target": "src/x.ts", "Secrets": [
+            {"RuleID": "generic-api-key", "Title": "Generic API Key", "Match": "y" * 40, "StartLine": 2}]}]}
+        secs = [f for f in scanners._norm_trivy(data) if f["category"] == "secret"]
+        self.assertEqual(secs[0]["severity"], "MEDIUM")
+
+    def test_medium_secret_gets_medium_confidence_in_ledger(self):
+        unified = {"top": [{"severity": "MEDIUM", "category": "secret",
+                            "title": "secret: Generic API Key — generic/entropy match", "file": "src/x.ts", "tools": ["gitleaks"]}]}
+        led = findings.build_ledger({}, unified, None, [])
+        hit = [f for f in led["findings"] if f["category"] == "static-secret"][0]
+        self.assertEqual(hit["confidence"], "MEDIUM")
+
+
+class CookieCoverageTests(unittest.TestCase):
+    """0.2.7: extract auth cookie names so the forged-token engine covers cookie-ONLY apps."""
+
+    def test_extracts_cookie_names(self):
+        with tempfile.TemporaryDirectory() as d:
+            d = Path(d)
+            (d / "auth.ts").write_text(
+                "const s = request.cookies.get('agent_wallet_session');\n"
+                "const p = req.cookies['ping_id_token'];\n"
+                "const x = getCookie('dynamic_authentication_token');\n")
+            out = AuthExtractor().extract(RepoContext(d), {"stack": {"frameworks": []}, "routes": {}})
+        names = set(out["cookie_names"])
+        self.assertIn("agent_wallet_session", names)
+        self.assertIn("ping_id_token", names)
+        self.assertIn("dynamic_authentication_token", names)
+        self.assertNotIn("get", names)  # reserved method name filtered
+
+    def test_forged_bypass_detected_via_cookie(self):
+        facts = {"routes": {"endpoints": [{"method": "GET", "path": "/api/cookieonly"}]}}
+
+        def fake(method, url, token=None, timeout=20, data=None, cookie=None):
+            if token:
+                return 401, "x"                       # Bearer rejected
+            if cookie and "sess=" in cookie:
+                return 200, "x"                        # forged cookie accepted (cookie-only app)
+            return 401, "x"                            # no-auth baseline (gated)
+        with mock.patch.object(dynamic, "_request", fake):
+            r = dynamic.forged_token_bypass("http://t", facts, cookie_names=["sess"])
+        self.assertEqual([b["path"] for b in r["bypassed"]], ["/api/cookieonly"])
+        self.assertTrue(r["bypassed"][0]["via"].startswith("cookie:"))
+
+
 if __name__ == "__main__":
     unittest.main()