open/ktg-plugin-marketplace
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity Actions
ktg-plugin-marketplace/plugins/llm-security/tests/scanners
History
Kjell Tore Guttormsen 037b9644f3 feat(bash-normalize): T9 — one-level variable substitution (E10) 
Defeats split-and-substitute evasion where attackers split a destructive
command name across an assignment and a variable reference (X=rm; later
$X) so downstream regex gates miss the literal command name. T9 collects
prefix assignments (VAR=value at start of string or after ; & |) and
substitutes ${VAR} / $VAR forms with the captured value. One-level
forward-flow only — chained vars are not followed.

Documented limits in JSDoc:
- Quoted assignments (X="rm -rf") not parsed (whitespace stops capture)
- Substitution is global within string, not scoped. Acceptable because
  T3 strips unknown ${VAR} to '' afterwards.

Single-quoted literals are masked before T9 runs, so legitimate
strings are preserved (FP probe in tests).

7 new tests in bash-normalize-t7-t9.test.mjs.
Closes E10 in critical-review-2026-04-20.md.
2026-04-30 15:12:02 +02:00
..
ai-bom.test.mjs feat(scanner): add AI-BOM generator — CycloneDX 1.6 format for AI supply chain transparency 2026-04-10 13:29:30 +02:00
attack-simulator.test.mjs feat: initial open marketplace with llm-security, config-audit, ultraplan-local 2026-04-06 18:47:49 +02:00
auto-cleaner.test.mjs feat: initial open marketplace with llm-security, config-audit, ultraplan-local 2026-04-06 18:47:49 +02:00
bash-normalize-t5-t6.test.mjs test(scanners): cover bash-normalize T5 IFS + T6 hex + false-positive probe 2026-04-17 14:29:15 +02:00
bash-normalize-t7-t9.test.mjs feat(bash-normalize): T9 — one-level variable substitution (E10) 2026-04-30 15:12:02 +02:00
benchmark.test.mjs feat(scanner): add --benchmark mode to attack-simulator with structured reporting 2026-04-10 13:02:58 +02:00
ci-integration.test.mjs feat(ci): add CI/CD integration — --fail-on, --compact, pipeline templates 2026-04-10 14:59:05 +02:00
cli-wrapper.test.mjs feat(cli): add standalone CLI wrapper — npx llm-security scan without Claude Code 2026-04-10 13:58:25 +02:00
compliance-mapping.test.mjs feat(knowledge): add compliance-mapping document — EU AI Act, NIST AI RMF, ISO 42001 2026-04-10 12:29:14 +02:00
dashboard.test.mjs feat: initial open marketplace with llm-security, config-audit, ultraplan-local 2026-04-06 18:47:49 +02:00
dep-token-overlap.test.mjs fix(dep): B7 — token-overlap typosquat heuristic alongside Levenshtein 2026-04-29 14:10:53 +02:00
dep.test.mjs feat: initial open marketplace with llm-security, config-audit, ultraplan-local 2026-04-06 18:47:49 +02:00
entropy-context.test.mjs fix(entropy): E18 — rule 18 markdown-image CDN-aware + secret pre-check 2026-04-29 15:18:37 +02:00
entropy.test.mjs feat: initial open marketplace with llm-security, config-audit, ultraplan-local 2026-04-06 18:47:49 +02:00
git.test.mjs test(llm-security): loosen git-forensics finding count thresholds 2026-04-18 11:00:20 +02:00
ide-extension-data.test.mjs feat(llm-security): seed top-jetbrains-plugins.json + loadJetBrainsBlocklist export 2026-04-18 09:56:55 +02:00
ide-extension-discovery.test.mjs feat(llm-security): implement JetBrains discovery + Android Studio base dir 2026-04-18 10:16:28 +02:00
ide-extension-scanner.test.mjs test(llm-security): add end-to-end JetBrains scan integration tests 2026-04-18 10:51:48 +02:00
ide-extension-url.test.mjs feat(llm-security): OS sandbox for /security ide-scan <url> (v6.5.0) 2026-04-17 17:28:57 +02:00
jetbrains-fetch.test.mjs feat(llm-security): URL-fetch support for JetBrains Marketplace (v6.6.0) 2026-04-18 10:46:13 +02:00
jetbrains-parser.test.mjs feat(llm-security): implement parseIntelliJPlugin with nested-jar extraction 2026-04-18 10:15:12 +02:00
knowledge-atlas.test.mjs feat(knowledge): add MITRE ATLAS IDs to OWASP files + Norwegian regulatory context 2026-04-10 12:49:10 +02:00
memory-poisoning.test.mjs fix(memory-poisoning): E15 — add .claude/agents/*.md to target glob 2026-04-29 14:13:01 +02:00
network.test.mjs feat: initial open marketplace with llm-security, config-audit, ultraplan-local 2026-04-06 18:47:49 +02:00
permission.test.mjs feat: initial open marketplace with llm-security, config-audit, ultraplan-local 2026-04-06 18:47:49 +02:00
posture.test.mjs feat(posture): add EU AI Act, NIST AI RMF, ISO 42001 compliance categories (14-16) 2026-04-10 13:17:25 +02:00
reference-config.test.mjs feat: initial open marketplace with llm-security, config-audit, ultraplan-local 2026-04-06 18:47:49 +02:00
sarif.test.mjs feat(scanner): add SARIF 2.1.0 output format to scan-orchestrator (--format sarif) 2026-04-10 13:22:59 +02:00
skill-scanner-narrative.test.mjs test(llm-security): narrative-coherence contract test (v7.1.1) 2026-04-29 12:50:27 +02:00
supply-chain-recheck.test.mjs feat: initial open marketplace with llm-security, config-audit, ultraplan-local 2026-04-06 18:47:49 +02:00
taint-destructuring.test.mjs fix(taint-tracer): B6 — recognize destructuring + spread + rest patterns 2026-04-29 14:05:34 +02:00
taint-tracer.test.mjs feat(llm-security): add .kt .groovy .scala to taint-tracer CODE_EXTENSIONS 2026-04-18 10:04:32 +02:00
taint.test.mjs feat: initial open marketplace with llm-security, config-audit, ultraplan-local 2026-04-06 18:47:49 +02:00
unicode.test.mjs feat: initial open marketplace with llm-security, config-audit, ultraplan-local 2026-04-06 18:47:49 +02:00
vsix-fetch.test.mjs feat(llm-security): add fetchJetBrainsPlugin + URL detection for plugins.jetbrains.com 2026-04-18 10:39:54 +02:00
vsix-sandbox.test.mjs refactor(llm-security): parameterize buildSandboxedWorker with workerPath 2026-04-18 10:37:10 +02:00
zip-extract.test.mjs feat(llm-security): /security ide-scan <url> — Marketplace/OpenVSX/direct VSIX (v6.4.0) 2026-04-17 17:16:26 +02:00