PyPI - zen-ai-pentest - Versions diffs - 2.2.0__py3-none-any.whl → 2.3.0__py3-none-any.whl - Mend

zen-ai-pentest 2.2.0py3-none-any.whl → 2.3.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (23) hide show

api/auth.py +61 -7
api/csrf_protection.py +286 -0
api/main.py +77 -11
api/rate_limiter.py +317 -0
api/rate_limiter_v2.py +586 -0
autonomous/ki_analysis_agent.py +1033 -0
benchmarks/__init__.py +12 -142
benchmarks/agent_performance.py +374 -0
benchmarks/api_performance.py +479 -0
benchmarks/scan_performance.py +272 -0
modules/agent_coordinator.py +255 -0
modules/api_key_manager.py +501 -0
modules/benchmark.py +706 -0
modules/cve_updater.py +303 -0
modules/false_positive_filter.py +149 -0
modules/output_formats.py +1088 -0
modules/risk_scoring.py +206 -0
{zen_ai_pentest-2.2.0.dist-info → zen_ai_pentest-2.3.0.dist-info}/METADATA +134 -289
{zen_ai_pentest-2.2.0.dist-info → zen_ai_pentest-2.3.0.dist-info}/RECORD +23 -9
{zen_ai_pentest-2.2.0.dist-info → zen_ai_pentest-2.3.0.dist-info}/WHEEL +0 -0
{zen_ai_pentest-2.2.0.dist-info → zen_ai_pentest-2.3.0.dist-info}/entry_points.txt +0 -0
{zen_ai_pentest-2.2.0.dist-info → zen_ai_pentest-2.3.0.dist-info}/licenses/LICENSE +0 -0
{zen_ai_pentest-2.2.0.dist-info → zen_ai_pentest-2.3.0.dist-info}/top_level.txt +0 -0

api/auth.py CHANGED Viewed

@@ -1,7 +1,14 @@
 """
 JWT Authentication für Zen-AI-Pentest API
+SECURITY NOTES:
+- All secrets are loaded from environment variables
+- Never commit actual secrets to version control
+- Use .env file locally, proper secret management in production
 """
+import os
+import secrets
 from datetime import datetime, timedelta
 from typing import Optional, Dict
 from jose import JWTError, jwt
@@ -9,23 +16,47 @@ from passlib.context import CryptContext
 from fastapi import Depends, HTTPException, status
 from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
-# Configuration
-SECRET_KEY = "your-secret-key-here-change-in-production"  # In production: env var
-ALGORITHM = "HS256"
-ACCESS_TOKEN_EXPIRE_MINUTES = 30
+# =============================================================================
+# Configuration - Load from environment variables
+# =============================================================================
+# JWT Configuration
+SECRET_KEY = os.getenv("JWT_SECRET_KEY")
+if not SECRET_KEY or SECRET_KEY == "your-super-secret-jwt-key-change-this-in-production":
+    # Generate a random key for development (not for production!)
+    import warnings
+    warnings.warn(
+        "JWT_SECRET_KEY not set or using default! Using random key for development. "
+        "Set JWT_SECRET_KEY environment variable for production!",
+        RuntimeWarning
+    )
+    SECRET_KEY = secrets.token_hex(32)
+ALGORITHM = os.getenv("JWT_ALGORITHM", "HS256")
+ACCESS_TOKEN_EXPIRE_MINUTES = int(os.getenv("JWT_ACCESS_TOKEN_EXPIRE_MINUTES", "30"))
 # Password hashing
 pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
 security = HTTPBearer()
+# =============================================================================
+# Password Functions
+# =============================================================================
 def verify_password(plain_password: str, hashed_password: str) -> bool:
     """Verifiziert Passwort"""
     return pwd_context.verify(plain_password, hashed_password)
 def get_password_hash(password: str) -> str:
     """Hashed Passwort"""
     return pwd_context.hash(password)
+# =============================================================================
+# JWT Token Functions
+# =============================================================================
 def create_access_token(data: Dict, expires_delta: Optional[timedelta] = None) -> str:
     """Erstellt JWT Token"""
     to_encode = data.copy()
@@ -34,6 +65,7 @@ def create_access_token(data: Dict, expires_delta: Optional[timedelta] = None) -
     encoded_jwt = jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)
     return encoded_jwt
 def decode_token(token: str) -> Optional[Dict]:
     """Decodiert JWT Token"""
     try:
@@ -42,6 +74,11 @@ def decode_token(token: str) -> Optional[Dict]:
     except JWTError:
         return None
+# =============================================================================
+# FastAPI Dependencies
+# =============================================================================
 async def verify_token(credentials: HTTPAuthorizationCredentials = Depends(security)) -> Dict:
     """FastAPI Dependency für Token-Verifizierung"""
     token = credentials.credentials
@@ -65,6 +102,7 @@ async def verify_token(credentials: HTTPAuthorizationCredentials = Depends(secur
     return payload
 def check_permissions(user: Dict, required_role: str) -> bool:
     """Prüft ob User die benötigte Rolle hat"""
     user_role = user.get("role", "viewer")
@@ -80,6 +118,7 @@ def check_permissions(user: Dict, required_role: str) -> bool:
     return user_level >= required_level
 async def require_admin(credentials: HTTPAuthorizationCredentials = Depends(security)) -> Dict:
     """Erfordert Admin-Rolle"""
     user = await verify_token(credentials)
@@ -92,6 +131,7 @@ async def require_admin(credentials: HTTPAuthorizationCredentials = Depends(secu
     return user
 async def require_operator(credentials: HTTPAuthorizationCredentials = Depends(security)) -> Dict:
     """Erfordert Operator oder höhere Rolle"""
     user = await verify_token(credentials)
@@ -104,16 +144,22 @@ async def require_operator(credentials: HTTPAuthorizationCredentials = Depends(s
     return user
-# API Key Authentication (für CI/CD Integrationen)
-API_KEYS = {}  # In production: in DB speichern
+# =============================================================================
+# API Key Authentication
+# =============================================================================
+# In-memory store for API keys (use database in production!)
+API_KEYS: Dict[str, Dict] = {}
 def verify_api_key(api_key: str) -> Optional[Dict]:
     """Verifiziert API Key"""
     return API_KEYS.get(api_key)
 def create_api_key(user_id: int, name: str) -> str:
     """Erstellt neuen API Key"""
-    import secrets
     key = secrets.token_urlsafe(32)
     API_KEYS[key] = {
         "user_id": user_id,
@@ -121,3 +167,11 @@ def create_api_key(user_id: int, name: str) -> str:
         "created_at": datetime.utcnow().isoformat()
     }
     return key
+def revoke_api_key(api_key: str) -> bool:
+    """Widerruft API Key"""
+    if api_key in API_KEYS:
+        del API_KEYS[api_key]
+        return True
+    return False

api/csrf_protection.py ADDED Viewed

@@ -0,0 +1,286 @@
+"""
+CSRF Protection für Zen-AI-Pentest API
+Implementiert Double-Submit-Cookie Pattern:
+1. Server setzt CSRF-Token als Cookie
+2. Client muss Token im Header zurücksenden
+3. Server vergleicht Cookie vs Header
+Schützt vor:
+- Cross-Site Request Forgery
+- Session Riding
+- Unautorisierte POST/PUT/DELETE Requests
+"""
+import os
+import secrets
+import hashlib
+import hmac
+from typing import Optional, Dict
+from datetime import datetime, timedelta
+from fastapi import Request, HTTPException, status
+from fastapi.responses import Response
+import logging
+logger = logging.getLogger(__name__)
+# =============================================================================
+# Configuration
+# =============================================================================
+CSRF_COOKIE_NAME = "csrf_token"
+CSRF_HEADER_NAME = "X-CSRF-Token"
+CSRF_COOKIE_SECURE = os.getenv("CSRF_COOKIE_SECURE", "false").lower() == "true"
+CSRF_COOKIE_SAMESITE = os.getenv("CSRF_COOKIE_SAMESITE", "Lax")
+CSRF_TOKEN_EXPIRY = int(os.getenv("CSRF_TOKEN_EXPIRY", "86400"))  # 24 hours
+# =============================================================================
+# CSRF Token Management
+# =============================================================================
+class CSRFToken:
+    """CSRF Token mit Zeitstempel und Validierung"""
+    def __init__(self, token: str = None, timestamp: datetime = None):
+        self.token = token or self._generate_token()
+        self.timestamp = timestamp or datetime.utcnow()
+    def _generate_token(self) -> str:
+        """Generiert kryptographisch sicheres Token"""
+        return secrets.token_urlsafe(32)
+    def is_valid(self) -> bool:
+        """Prüft ob Token noch gültig ist"""
+        expiry = self.timestamp + timedelta(seconds=CSRF_TOKEN_EXPIRY)
+        return datetime.utcnow() < expiry
+    def to_cookie_value(self) -> str:
+        """Formatiert Token für Cookie"""
+        return f"{self.token}|{int(self.timestamp.timestamp())}"
+    @classmethod
+    def from_cookie_value(cls, cookie_value: str) -> Optional["CSRFToken"]:
+        """Parst Token aus Cookie"""
+        try:
+            parts = cookie_value.split("|")
+            if len(parts) != 2:
+                return None
+            token, timestamp = parts
+            dt = datetime.fromtimestamp(int(timestamp))
+            return cls(token, dt)
+        except (ValueError, TypeError):
+            return None
+# =============================================================================
+# CSRF Protection Middleware
+# =============================================================================
+class CSRFProtection:
+    """
+    CSRF Protection Middleware
+    Usage:
+        from api.csrf_protection import CSRFProtection
+        csrf = CSRFProtection()
+        @app.get("/csrf-token")
+        async def get_csrf_token(response: Response):
+            return csrf.set_token(response)
+        @app.post("/api/action")
+        async def protected_action(request: Request):
+            csrf.validate(request)  # Wirft 403 falls ungültig
+            return {"status": "ok"}
+    """
+    # Endpoints die kein CSRF benötigen (z.B. Login, API Keys)
+    EXEMPT_ENDPOINTS = [
+        "/auth/login",
+        "/auth/logout",
+        "/auth/refresh",
+        "/api/webhook",  # Webhooks kommen von extern
+        "/health",
+        "/docs",
+        "/openapi.json",
+    ]
+    # HTTP Methoden die CSRF-Schutz benötigen
+    PROTECTED_METHODS = ["POST", "PUT", "PATCH", "DELETE"]
+    def __init__(self):
+        self.tokens: Dict[str, CSRFToken] = {}  # Session -> Token
+    def set_token(self, response: Response, session_id: str = None) -> Dict:
+        """
+        Setzt neuen CSRF Token als Cookie
+        Returns:
+            Dict mit Token für Client
+        """
+        token = CSRFToken()
+        # Cookie setzen
+        cookie_value = token.to_cookie_value()
+        response.set_cookie(
+            key=CSRF_COOKIE_NAME,
+            value=cookie_value,
+            httponly=False,  # Muss von JavaScript lesbar sein
+            secure=CSRF_COOKIE_SECURE,
+            samesite=CSRF_COOKIE_SAMESITE,
+            max_age=CSRF_TOKEN_EXPIRY,
+            path="/"
+        )
+        # In Speicher merken (für Validierung)
+        if session_id:
+            self.tokens[session_id] = token
+        logger.debug(f"CSRF Token gesetzt für Session: {session_id}")
+        return {
+            "csrf_token": token.token,
+            "expires_in": CSRF_TOKEN_EXPIRY
+        }
+    def validate(self, request: Request) -> bool:
+        """
+        Validiert CSRF Token aus Request
+        Raises:
+            HTTPException: 403 falls Token ungültig/fehlt
+        """
+        # Prüfe ob Endpoint exempt ist
+        path = request.url.path
+        method = request.method
+        if method not in self.PROTECTED_METHODS:
+            return True  # GET, HEAD, OPTIONS, TRACE brauchen kein CSRF
+        if any(path.startswith(exempt) for exempt in self.EXEMPT_ENDPOINTS):
+            return True  # Exempt Endpoints
+        # Token aus Cookie holen
+        cookie_token = request.cookies.get(CSRF_COOKIE_NAME)
+        if not cookie_token:
+            logger.warning(f"CSRF Cookie fehlt: {path}")
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="CSRF token missing. Get a token from /csrf-token first."
+            )
+        # Token parsen und validieren
+        csrf_token = CSRFToken.from_cookie_value(cookie_token)
+        if not csrf_token or not csrf_token.is_valid():
+            logger.warning(f"CSRF Token abgelaufen oder ungültig: {path}")
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="CSRF token expired or invalid."
+            )
+        # Token aus Header holen
+        header_token = request.headers.get(CSRF_HEADER_NAME)
+        if not header_token:
+            logger.warning(f"CSRF Header fehlt: {path}")
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail=f"CSRF header '{CSRF_HEADER_NAME}' required."
+            )
+        # Tokens vergleichen (timing-safe)
+        if not hmac.compare_digest(csrf_token.token, header_token):
+            logger.warning(f"CSRF Token mismatch: {path}")
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="CSRF token mismatch."
+            )
+        logger.debug(f"CSRF Token validiert: {path}")
+        return True
+    def rotate_token(self, response: Response, session_id: str = None) -> Dict:
+        """
+        Rotiert CSRF Token (nach Login oder periodisch)
+        """
+        # Altes Token entfernen
+        if session_id and session_id in self.tokens:
+            del self.tokens[session_id]
+        # Neues Token setzen
+        return self.set_token(response, session_id)
+    def clear_token(self, response: Response, session_id: str = None):
+        """
+        Löscht CSRF Token (bei Logout)
+        """
+        response.delete_cookie(
+            key=CSRF_COOKIE_NAME,
+            path="/"
+        )
+        if session_id and session_id in self.tokens:
+            del self.tokens[session_id]
+        logger.debug(f"CSRF Token gelöscht für Session: {session_id}")
+# =============================================================================
+# FastAPI Dependency
+# =============================================================================
+csrf_protection = CSRFProtection()
+async def require_csrf(request: Request):
+    """
+    FastAPI Dependency für CSRF-Schutz
+    Usage:
+        @app.post("/api/action")
+        async def action(request: Request, _=Depends(require_csrf)):
+            return {"status": "ok"}
+    """
+    csrf_protection.validate(request)
+    return True
+# =============================================================================
+# Middleware für automatischen CSRF-Schutz
+# =============================================================================
+class CSRFMiddleware:
+    """
+    ASGI Middleware für automatischen CSRF-Schutz
+    Usage:
+        from api.csrf_protection import CSRFMiddleware
+        app.add_middleware(CSRFMiddleware)
+    """
+    def __init__(self, app):
+        self.app = app
+        self.csrf = CSRFProtection()
+    async def __call__(self, scope, receive, send):
+        if scope["type"] != "http":
+            await self.app(scope, receive, send)
+            return
+        # Request prüfen
+        request = Request(scope, receive)
+        try:
+            self.csrf.validate(request)
+        except HTTPException as e:
+            # Fehler direkt zurückgeben
+            await send({
+                "type": "http.response.start",
+                "status": e.status_code,
+                "headers": [[b"content-type", b"application/json"]]
+            })
+            await send({
+                "type": "http.response.body",
+                "body": f'"{e.detail}"'.encode()
+            })
+            return
+        await self.app(scope, receive, send)

api/main.py CHANGED Viewed

@@ -11,7 +11,7 @@ from pathlib import Path
 # Add parent to path
 sys.path.insert(0, str(Path(__file__).parent.parent))
-from fastapi import FastAPI, Depends, HTTPException, BackgroundTasks, WebSocket, WebSocketDisconnect
+from fastapi import FastAPI, Depends, HTTPException, BackgroundTasks, WebSocket, WebSocketDisconnect, Request, Response
 from fastapi.middleware.cors import CORSMiddleware
 from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
 from contextlib import asynccontextmanager
@@ -36,6 +36,13 @@ from api.schemas import (
 )
 from api.auth import verify_token, create_access_token
 from api.websocket import ConnectionManager
+from api.rate_limiter import (
+    check_auth_rate_limit,
+    record_auth_failure,
+    record_auth_success,
+    rate_limit
+)
+from api.csrf_protection import csrf_protection, require_csrf
 logging.basicConfig(level=logging.INFO)
 logger = logging.getLogger(__name__)
@@ -64,26 +71,73 @@ app = FastAPI(
     lifespan=lifespan
 )
-# CORS
+# =============================================================================
+# CORS Configuration
+# =============================================================================
+# Load allowed origins from environment variable
+# Format: comma-separated list of origins
+# Example: CORS_ORIGINS=https://domain.com,https://app.domain.com
+cors_origins_str = os.getenv("CORS_ORIGINS", "http://localhost:3000,http://localhost:8000")
+ALLOWED_ORIGINS = [origin.strip() for origin in cors_origins_str.split(",")]
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=["*"],  # Production: Einschränken!
+    allow_origins=ALLOWED_ORIGINS,
     allow_credentials=True,
-    allow_methods=["*"],
-    allow_headers=["*"],
+    allow_methods=["GET", "POST", "PUT", "DELETE", "PATCH"],
+    allow_headers=["Authorization", "Content-Type", "X-Request-ID"],
+    expose_headers=["X-Request-ID"],
+    max_age=600,  # 10 minutes cache for preflight
 )
 # ============================================================================
 # AUTHENTICATION
 # ============================================================================
+# =============================================================================
+# Secure Credential Store (In production: use database!)
+# =============================================================================
+# Load admin credentials from environment variables
+ADMIN_USERNAME = os.getenv("ADMIN_USERNAME", "admin")
+ADMIN_PASSWORD = os.getenv("ADMIN_PASSWORD")
+if not ADMIN_PASSWORD:
+    import warnings
+    warnings.warn(
+        "ADMIN_PASSWORD not set! Using insecure default for development only. "
+        "Set ADMIN_PASSWORD environment variable for production!",
+        RuntimeWarning
+    )
+    ADMIN_PASSWORD = "admin"  # Only for development!
+def verify_admin_credentials(username: str, password: str) -> bool:
+    """Securely verify admin credentials using constant-time comparison"""
+    import hmac
+    return hmac.compare_digest(username, ADMIN_USERNAME) and \
+           hmac.compare_digest(password, ADMIN_PASSWORD)
 @app.post("/auth/login")
-async def login(credentials: dict):
-    """Login and get JWT token"""
-    # Simplified - in production: verify against DB/LDAP
-    if credentials.get("username") == "admin" and credentials.get("password") == "admin":
-        token = create_access_token({"sub": "admin", "role": "admin"})
+async def login(credentials: dict, request: Request):
+    """Login and get JWT token with secure credential verification and rate limiting"""
+    client_ip = request.client.host if request.client else "unknown"
+    # Check auth rate limit
+    check_auth_rate_limit(client_ip)
+    username = credentials.get("username", "")
+    password = credentials.get("password", "")
+    if verify_admin_credentials(username, password):
+        record_auth_success(client_ip)
+        token = create_access_token({"sub": username, "role": "admin"})
+        logger.info(f"Successful login for user: {username} from {client_ip}")
         return {"access_token": token, "token_type": "bearer"}
+    # Record failed attempt
+    record_auth_failure(client_ip)
+    logger.warning(f"Failed login attempt for user: {username} from {client_ip}")
     raise HTTPException(status_code=401, detail="Invalid credentials")
 @app.get("/auth/me")
@@ -91,16 +145,28 @@ async def me(user: dict = Depends(verify_token)):
     """Get current user info"""
     return user
+@app.get("/csrf-token")
+async def get_csrf_token(response: Response):
+    """
+    Get CSRF Token for protected endpoints
+    Returns CSRF token that must be included in X-CSRF-Token header
+    for all POST/PUT/DELETE requests.
+    """
+    return csrf_protection.set_token(response)
 # ============================================================================
 # SCANS
 # ============================================================================
 @app.post("/scans", response_model=ScanResponse)
 async def create_new_scan(
+    request: Request,
     scan: ScanCreate,
     background_tasks: BackgroundTasks,
     user: dict = Depends(verify_token),
-    db = Depends(get_db)
+    db = Depends(get_db),
+    _: bool = Depends(require_csrf)
 ):
     """Create a new pentest scan"""
     db_scan = create_scan(

zen-ai-pentest 2.2.0__py3-none-any.whl → 2.3.0__py3-none-any.whl

zen-ai-pentest 2.2.0py3-none-any.whl → 2.3.0py3-none-any.whl