open/ktg-plugin-marketplace
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity Actions
ktg-plugin-marketplace/plugins/llm-security/tests/scanners/memory-poisoning.test.mjs
Kjell Tore Guttormsen b0f1a9abfd fix(memory-poisoning): E15 — add .claude/agents/*.md to target glob 
Critical-review §4 E15 finding: agent files in .claude/agents/ are loaded
as Claude Code subagent system prompts and are a direct memory-poisoning
surface. Pre-v7.2.0 the scanner covered CLAUDE.md, .claude/rules/*.md,
memory/*.md, REMEMBER.md, .local.md, and .claude-plugin/plugin.json —
but not .claude/agents/*.md.

Single-line addition to MEMORY_FILE_PATTERNS:
  /(?:^|\/)\.claude\/agents\/[^/]+\.md$/

The existing scan loop, scanForInjection integration, and severity-
mapping logic all apply unchanged. STRICT_FILES_PATTERN intentionally
NOT extended — agents may legitimately quote shell commands as examples
(consistent with CLAUDE.md treatment).

Tests: +3 cases in tests/scanners/memory-poisoning.test.mjs:
- "scans .claude/agents/*.md" (smoke test — at least one finding from
  the new fixture)
- "agent file injection pattern detected"
- "agent file credential path detected"

New fixture: tests/fixtures/memory-scan/poisoned-project/.claude/agents/
poisoned-agent.md — agent with injection, credential ref, permission
expansion, and exfil URL. Triggers all 4 detection categories.

Suite: 1591 → 1594 (+3). All green.
2026-04-29 14:13:01 +02:00

231 lines
9.1 KiB
JavaScript
Raw Blame History

// memory-poisoning.test.mjs — Integration tests for the memory-poisoning-scanner
// Tests against fixtures in tests/fixtures/memory-scan/ with:
// - clean-project: normal CLAUDE.md + memory file + rules (0 findings expected)
// - poisoned-project: injection, shell commands, credential paths, suspicious URLs,
// permission expansion, encoded payloads
import { describe, it, beforeEach } from 'node:test';
import assert from 'node:assert/strict';
import { resolve } from 'node:path';
import { fileURLToPath } from 'node:url';
import { resetCounter } from '../../scanners/lib/output.mjs';
import { discoverFiles } from '../../scanners/lib/file-discovery.mjs';
import { scan } from '../../scanners/memory-poisoning-scanner.mjs';
const __dirname = fileURLToPath(new URL('.', import.meta.url));
const CLEAN_FIXTURE = resolve(__dirname, '../fixtures/memory-scan/clean-project');
const POISONED_FIXTURE = resolve(__dirname, '../fixtures/memory-scan/poisoned-project');
// ---------------------------------------------------------------------------
// Clean project — should produce 0 findings
// ---------------------------------------------------------------------------
describe('memory-poisoning-scanner: clean project', () => {
let discovery;
beforeEach(async () => {
resetCounter();
discovery = await discoverFiles(CLEAN_FIXTURE);
});
it('returns status ok', async () => {
const result = await scan(CLEAN_FIXTURE, discovery);
assert.equal(result.status, 'ok');
});
it('scans memory/config files', async () => {
const result = await scan(CLEAN_FIXTURE, discovery);
assert.ok(result.files_scanned >= 1, `Expected >= 1 files scanned, got ${result.files_scanned}`);
});
it('produces 0 findings for clean project', async () => {
const result = await scan(CLEAN_FIXTURE, discovery);
assert.equal(
result.findings.length, 0,
`Expected 0 findings, got ${result.findings.length}: ${result.findings.map(f => f.title).join('; ')}`
);
});
});
// ---------------------------------------------------------------------------
// Poisoned project — should produce multiple findings
// ---------------------------------------------------------------------------
describe('memory-poisoning-scanner: poisoned project', () => {
let discovery;
beforeEach(async () => {
resetCounter();
discovery = await discoverFiles(POISONED_FIXTURE);
});
it('returns status ok', async () => {
const result = await scan(POISONED_FIXTURE, discovery);
assert.equal(result.status, 'ok');
});
it('scans memory/config files', async () => {
const result = await scan(POISONED_FIXTURE, discovery);
assert.ok(result.files_scanned >= 3, `Expected >= 3 files scanned (CLAUDE.md + memory + rules), got ${result.files_scanned}`);
});
it('detects at least 5 findings in poisoned project', async () => {
const result = await scan(POISONED_FIXTURE, discovery);
assert.ok(
result.findings.length >= 5,
`Expected >= 5 findings, got ${result.findings.length}: ${result.findings.map(f => `${f.title} [${f.severity}]`).join('; ')}`
);
});
it('all findings have DS-MEM- prefix', async () => {
const result = await scan(POISONED_FIXTURE, discovery);
const wrongPrefix = result.findings.filter(f => !f.id.startsWith('DS-MEM-'));
assert.equal(
wrongPrefix.length, 0,
`All findings should have DS-MEM- prefix. Wrong: ${wrongPrefix.map(f => f.id).join(', ')}`
);
});
it('finding IDs are sequential starting from DS-MEM-001', async () => {
const result = await scan(POISONED_FIXTURE, discovery);
if (result.findings.length === 0) return;
assert.equal(result.findings[0].id, 'DS-MEM-001');
});
it('maps to correct OWASP categories (LLM01 or ASI02)', async () => {
const result = await scan(POISONED_FIXTURE, discovery);
for (const f of result.findings) {
assert.ok(
f.owasp === 'LLM01' || f.owasp === 'ASI02',
`Finding ${f.id} owasp should be LLM01 or ASI02, got: ${f.owasp}`
);
}
});
it('all findings have required fields', async () => {
const result = await scan(POISONED_FIXTURE, discovery);
for (const f of result.findings) {
assert.ok(f.id, `Finding missing id`);
assert.ok(f.scanner === 'MEM', `Finding ${f.id} scanner should be MEM, got ${f.scanner}`);
assert.ok(f.severity, `Finding ${f.id} missing severity`);
assert.ok(f.title, `Finding ${f.id} missing title`);
assert.ok(f.description, `Finding ${f.id} missing description`);
assert.ok(f.file, `Finding ${f.id} missing file`);
assert.ok(f.recommendation, `Finding ${f.id} missing recommendation`);
}
});
it('detects injection patterns (CRITICAL or HIGH)', async () => {
const result = await scan(POISONED_FIXTURE, discovery);
const injections = result.findings.filter(f => f.title.includes('Injection pattern'));
assert.ok(
injections.length >= 1,
`Expected >= 1 injection finding, got ${injections.length}`
);
});
it('detects permission expansion (CRITICAL)', async () => {
const result = await scan(POISONED_FIXTURE, discovery);
const perms = result.findings.filter(f => f.title.includes('Permission expansion'));
assert.ok(
perms.length >= 1,
`Expected >= 1 permission expansion finding, got ${perms.length}`
);
assert.ok(
perms.every(f => f.severity === 'critical'),
'Permission expansion findings should be CRITICAL'
);
});
it('detects suspicious URLs (HIGH)', async () => {
const result = await scan(POISONED_FIXTURE, discovery);
const urls = result.findings.filter(f => f.title.includes('Suspicious exfiltration URL'));
assert.ok(
urls.length >= 1,
`Expected >= 1 suspicious URL finding, got ${urls.length}`
);
});
it('detects credential path references (HIGH)', async () => {
const result = await scan(POISONED_FIXTURE, discovery);
const creds = result.findings.filter(f => f.title.includes('Credential path'));
assert.ok(
creds.length >= 1,
`Expected >= 1 credential path finding, got ${creds.length}`
);
});
it('detects shell commands in memory files (HIGH)', async () => {
const result = await scan(POISONED_FIXTURE, discovery);
const shells = result.findings.filter(f => f.title.includes('Shell command in memory'));
assert.ok(
shells.length >= 1,
`Expected >= 1 shell command finding in memory file, got ${shells.length}`
);
});
it('detects encoded payloads (MEDIUM)', async () => {
const result = await scan(POISONED_FIXTURE, discovery);
const encoded = result.findings.filter(f => f.title.includes('encoded'));
assert.ok(
encoded.length >= 1,
`Expected >= 1 encoded payload finding, got ${encoded.length}`
);
});
it('severity counts are correct', async () => {
const result = await scan(POISONED_FIXTURE, discovery);
const { counts } = result;
const total = counts.critical + counts.high + counts.medium + counts.low + counts.info;
assert.equal(total, result.findings.length, 'Severity counts should sum to total findings');
assert.ok(counts.critical >= 1, 'Expected at least 1 CRITICAL finding');
assert.ok(counts.high >= 1, 'Expected at least 1 HIGH finding');
});
it('duration_ms is a non-negative number', async () => {
const result = await scan(POISONED_FIXTURE, discovery);
assert.ok(typeof result.duration_ms === 'number', 'duration_ms should be a number');
assert.ok(result.duration_ms >= 0, 'duration_ms should be >= 0');
});
// E15 (v7.2.0): .claude/agents/*.md is now in MEMORY_FILE_PATTERNS.
// Pinned by the existence of tests/fixtures/memory-scan/poisoned-project/
// .claude/agents/poisoned-agent.md, which contains an injection pattern,
// a credential path, permission expansion, and a suspicious URL.
it('E15 — scans .claude/agents/*.md (was missed pre-v7.2.0)', async () => {
const result = await scan(POISONED_FIXTURE, discovery);
const agentFindings = result.findings.filter(f =>
f.file && f.file.includes('.claude/agents/')
);
assert.ok(
agentFindings.length >= 1,
`Expected >= 1 finding from .claude/agents/. Got: ${result.findings.map(f => f.file).join('; ')}`,
);
});
it('E15 — agent file injection pattern detected', async () => {
const result = await scan(POISONED_FIXTURE, discovery);
const agentInjection = result.findings.find(f =>
f.file && f.file.includes('.claude/agents/poisoned-agent.md') &&
f.title.includes('Injection pattern')
);
assert.ok(
agentInjection,
`Expected injection finding for poisoned-agent.md. ` +
`Got: ${result.findings.filter(f => f.file && f.file.includes('agents/')).map(f => f.title).join('; ')}`,
);
});
it('E15 — agent file credential path detected', async () => {
const result = await scan(POISONED_FIXTURE, discovery);
const agentCred = result.findings.find(f =>
f.file && f.file.includes('.claude/agents/poisoned-agent.md') &&
f.title.includes('Credential path')
);
assert.ok(
agentCred,
`Expected credential-path finding for poisoned-agent.md`,
);
});
});
Reference in a new issue View git blame Copy permalink