feat: initial open marketplace with llm-security, config-audit, ultraplan-local
commit
f93d6abdae
380 changed files with 65935 additions and 0 deletions
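--- /dev/null
+++ b/plugins/llm-security/tests/scanners/taint.test.mjs
@@ -0,0 +1,119 @@
+// taint.test.mjs — Integration tests for the taint-tracer
+// Tests against the evil-project-health fixture — lib/telemetry.mjs has 4 planted flows:
+//
+// Flow 1: process.env → fetch (env exfiltration)
+// Flow 2: req.body → execSync (command injection)
+// Flow 3: process.argv → writeFileSync (path traversal)
+// Flow 4: user_input → eval (code injection)
+//
+// The taint-tracer uses heuristic analysis (~70% recall), so we require >= 3 detections.
+
+import { describe, it, beforeEach } from 'node:test';
+import assert from 'node:assert/strict';
+import { resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { resetCounter } from '../../scanners/lib/output.mjs';
+import { discoverFiles } from '../../scanners/lib/file-discovery.mjs';
+import { scan } from '../../scanners/taint-tracer.mjs';
+
+const __dirname = fileURLToPath(new URL('.', import.meta.url));
+const FIXTURE = resolve(__dirname, '../../examples/malicious-skill-demo/evil-project-health');
+
+describe('taint-tracer integration', () => {
+let discovery;
+
+beforeEach(async () => {
+resetCounter();
+discovery = await discoverFiles(FIXTURE);
+});
+
+it('returns status ok', async () => {
+const result = await scan(FIXTURE, discovery);
+assert.equal(result.status, 'ok', `Expected status 'ok', got '${result.status}'`);
+});
+
+it('scans at least one code file', async () => {
+const result = await scan(FIXTURE, discovery);
+assert.ok(result.files_scanned >= 1, `Expected files_scanned >= 1, got ${result.files_scanned}`);
+});
+
+it('detects at least 3 taint flows', async () => {
+const result = await scan(FIXTURE, discovery);
+assert.ok(
+result.findings.length >= 3,
+`Expected >= 3 taint findings, got ${result.findings.length}. ` +
+`Findings: ${result.findings.map(f => f.title).join('; ')}`
+);
+});
+
+it('reports at least one CRITICAL taint finding', async () => {
+const result = await scan(FIXTURE, discovery);
+const criticals = result.findings.filter(f => f.severity === 'critical');
+assert.ok(
+criticals.length >= 1,
+`Expected >= 1 CRITICAL taint finding, got ${criticals.length}. ` +
+`Severities: ${result.findings.map(f => f.severity).join(', ')}`
+);
+});
+
+it('detects command injection: req.body → execSync', async () => {
+const result = await scan(FIXTURE, discovery);
+const cmdInjection = result.findings.find(
+f => f.title.toLowerCase().includes('req.body') ||
+f.evidence && f.evidence.includes('req.body')
+);
+assert.ok(
+cmdInjection,
+`Should detect req.body taint flow. All findings: ${result.findings.map(f => f.title).join('; ')}`
+);
+});
+
+it('detects code injection: user_input → eval', async () => {
+const result = await scan(FIXTURE, discovery);
+const evalFlow = result.findings.find(
+f => f.title.toLowerCase().includes('eval') ||
+(f.evidence && f.evidence.toLowerCase().includes('eval'))
+);
+assert.ok(
+evalFlow,
+`Should detect user_input → eval flow. All findings: ${result.findings.map(f => f.title).join('; ')}`
+);
+});
+
+it('all findings have DS-TNT- prefix', async () => {
+const result = await scan(FIXTURE, discovery);
+const wrongPrefix = result.findings.filter(f => !f.id.startsWith('DS-TNT-'));
+assert.equal(
+wrongPrefix.length, 0,
+`All taint findings should have DS-TNT- prefix. Wrong: ${wrongPrefix.map(f => f.id).join(', ')}`
+);
+});
+
+it('all findings reference owasp LLM01 or LLM02', async () => {
+const result = await scan(FIXTURE, discovery);
+for (const f of result.findings) {
+assert.ok(
+f.owasp === 'LLM01' || f.owasp === 'LLM02',
+`Finding ${f.id} owasp should be LLM01 or LLM02, got ${f.owasp}`
+);
+}
+});
+
+it('findings reference telemetry.mjs as the source file', async () => {
+const result = await scan(FIXTURE, discovery);
+const telemetryFindings = result.findings.filter(
+f => f.file && f.file.includes('telemetry')
+);
+assert.ok(
+telemetryFindings.length >= 1,
+`Expected findings referencing telemetry.mjs, got 0. ` +
+`Files referenced: ${[...new Set(result.findings.map(f => f.file))].join(', ')}`
+);
+});
+
+it('finding IDs are sequential starting from DS-TNT-001 after reset', async () => {
+const result = await scan(FIXTURE, discovery);
+if (result.findings.length === 0) return;
+assert.equal(result.findings[0].id, 'DS-TNT-001');
+});
+});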
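Review bot: The two flow-specific tests ('detects command injection' and 'detects code injection') match only one end of the flow, the substring `req.body` or `eval` in the title or evidence, so they still pass if the tracer pairs that source or sink with the wrong counterpart, or if an unrelated finding merely mentions `eval`. Assuming the title or evidence names both ends (the finding format is not visible on this page), the predicate should require both, for example `const text = (f.title + ' ' + (f.evidence ?? '')).toLowerCase();` followed by `return text.includes('req.body') && text.includes('execsync');`. The last test also passes vacuously on an empty scan because of `if (result.findings.length === 0) return;`; replacing that line with `assert.ok(result.findings.length > 0);` would make a silent detector failure fail the test. Flows 1 and 3 from the header comment have no dedicated assertion, and the `>= 3` check counts findings rather than distinct flows, so either of them can regress without a test failing.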