open/ktg-plugin-marketplace
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity Actions
ktg-plugin-marketplace/plugins/llm-security/tests/scanners/entropy-context.test.mjs
Kjell Tore Guttormsen f0fb7505fb fix(entropy): E18 — rule 18 markdown-image CDN-aware + secret pre-check 
The v7.0.0 entropy-scanner rule 18 suppressed every line whose pattern
matched ![…](https?://…) — regardless of the URL host or what the URL
carried. A markdown image URL pointing at a non-CDN host (or carrying a
secret-shaped token in its query string) would therefore mask a real
high-entropy credential.

Refactor:

  * MARKDOWN_IMAGE now captures the full URL (was a host-only prefix
    matcher), so rule 18 can inspect host and query.
  * MARKDOWN_IMAGE_CDN_HOSTS allowlist constant covers cdn./images./
    media./assets./static./*.cdn./*.amazonaws.com/{s3,cloudfront}/
    *.cloudflare./*.fastly./*.akamaized./raw.githubusercontent.com/
    *.imgix.net/*.cloudinary.com/.
  * MARKDOWN_IMAGE_QUERY_SECRET catches secret-shaped query keys
    (token, key, secret, password, api_key, access_token, auth) plus
    well-known provider prefixes (AKIA, Bearer, sk_live_, ghp_, ghs_,
    ghu_, gho_, ghr_, npm_).
  * Rule 18 now suppresses iff (host matches CDN allowlist) AND
    (query has no secret-shaped token). Anything else falls through
    to entropy classification.

+4 tests in tests/scanners/entropy-context.test.mjs (29 → 33).
Existing rule 18 fixture (cdn.example.com, no secret query) still
suppresses, so no regression on the legitimate path.

Refs: Batch B Wave 5 / Step 13 / v7.2.0
critical-review-2026-04-20.md §E18
2026-04-29 15:18:37 +02:00

408 lines
18 KiB
JavaScript
Raw Blame History

// entropy-context.test.mjs — False-positive fixtures for v7.0.0 context-aware suppression
//
// Covers:
// A. File-extension skip (.glsl, .css, .svg, .min.js, ...)
// B. Line-level rules 11-17 (GLSL/CSS-in-JS/HTML/ffmpeg/UA/SQL/error-template)
// C. User-policy thresholds and suppress_line_patterns
//
// Strategy: write a throwaway fixture under os.tmpdir(), discover it, run scan(),
// assert finding count. Fixture-content strings are built from runtime concatenation
// to avoid triggering the plugin's own credential-pattern pre-edit hook on the test source.
import { describe, it, before, after } from 'node:test';
import assert from 'node:assert/strict';
import { mkdtemp, mkdir, writeFile, rm } from 'node:fs/promises';
import { randomBytes } from 'node:crypto';
import { join } from 'node:path';
import { tmpdir } from 'node:os';
import { resetCounter } from '../../scanners/lib/output.mjs';
import { discoverFiles } from '../../scanners/lib/file-discovery.mjs';
import { scan } from '../../scanners/entropy-scanner.mjs';
import { _resetCacheForTest } from '../../scanners/lib/policy-loader.mjs';
// Random base64 from 60 crypto bytes → 80-char base64, H ≈ 5.4, will classify as
// HIGH (entropy >= 5.1, len >= 64). Regenerated on module load for each test run.
// Built at runtime so the plugin's credential-pattern pre-edit hook doesn't flag the
// test source file. Excludes '/', '+', '=' to avoid breaking JS string syntax.
function makePayload() {
const raw = randomBytes(60).toString('base64').replace(/[/+=]/g, 'A');
return raw.slice(0, 80);
}
const PAYLOAD = makePayload();
async function writeFixture(root, relPath, content) {
const abs = join(root, relPath);
const lastSlash = abs.lastIndexOf('/');
await mkdir(abs.substring(0, lastSlash), { recursive: true });
await writeFile(abs, content);
}
async function newRoot(prefix) {
return mkdtemp(join(tmpdir(), prefix));
}
describe('entropy-scanner context suppression (v7.0.0+)', () => {
let root;
before(async () => {
root = await newRoot('entropy-ctx-');
});
after(async () => {
await rm(root, { recursive: true, force: true });
_resetCacheForTest();
});
describe('A. File-extension skip', () => {
it('skips .glsl files entirely (no findings)', async () => {
const fx = await newRoot('ent-glsl-');
await writeFixture(fx, 'shader.glsl', 'vec4 color = "' + PAYLOAD + '";');
resetCounter();
const discovery = await discoverFiles(fx);
const result = await scan(fx, discovery);
assert.equal(result.findings.length, 0, 'Expected 0 findings in .glsl, got ' + result.findings.length);
assert.ok(result.calibration.files_skipped_by_extension >= 1);
await rm(fx, { recursive: true, force: true });
});
it('skips .css files entirely', async () => {
const fx = await newRoot('ent-css-');
await writeFixture(fx, 'styles.css', '.x{content:"' + PAYLOAD + '";}');
resetCounter();
const discovery = await discoverFiles(fx);
const result = await scan(fx, discovery);
assert.equal(result.findings.length, 0);
await rm(fx, { recursive: true, force: true });
});
it('skips .min.js files (compound extension)', async () => {
const fx = await newRoot('ent-minjs-');
await writeFixture(fx, 'bundle.min.js', 'var x="' + PAYLOAD + '";');
resetCounter();
const discovery = await discoverFiles(fx);
const result = await scan(fx, discovery);
assert.equal(result.findings.length, 0);
await rm(fx, { recursive: true, force: true });
});
it('still scans .js files (non-skipped extension)', async () => {
const fx = await newRoot('ent-js-');
await writeFixture(fx, 'app.js', 'const blob = "' + PAYLOAD + '";');
resetCounter();
const discovery = await discoverFiles(fx);
const result = await scan(fx, discovery);
assert.ok(result.findings.length >= 1, 'expected high-entropy .js to still be detected');
await rm(fx, { recursive: true, force: true });
});
});
describe('B. Line-level suppression rules 11-17', () => {
it('rule 11: GLSL keyword on line suppresses finding', async () => {
const fx = await newRoot('ent-rule11-');
await writeFixture(fx, 'shader.js',
'const src = "uniform vec3 u_resolution; ' + PAYLOAD + '";');
resetCounter();
const discovery = await discoverFiles(fx);
const result = await scan(fx, discovery);
assert.equal(result.findings.length, 0, 'expected GLSL keyword line to suppress');
await rm(fx, { recursive: true, force: true });
});
it('rule 12: CSS-in-JS (styled-components) suppresses finding', async () => {
const fx = await newRoot('ent-rule12-');
await writeFixture(fx, 'btn.js',
'const Button = styled.button`:hover { content: "' + PAYLOAD + '"; }`;');
resetCounter();
const discovery = await discoverFiles(fx);
const result = await scan(fx, discovery);
assert.equal(result.findings.length, 0, 'expected styled-components line to suppress');
await rm(fx, { recursive: true, force: true });
});
it('rule 13: Inline <svg> markup on line suppresses finding', async () => {
const fx = await newRoot('ent-rule13-');
await writeFixture(fx, 'Icon.jsx',
'return (<svg viewBox="0 0 24 24"><path d="' + PAYLOAD + '"/></svg>);');
resetCounter();
const discovery = await discoverFiles(fx);
const result = await scan(fx, discovery);
assert.equal(result.findings.length, 0, 'expected inline SVG line to suppress');
await rm(fx, { recursive: true, force: true });
});
it('rule 14: ffmpeg filter_complex suppresses finding', async () => {
const fx = await newRoot('ent-rule14-');
await writeFixture(fx, 'pipeline.js',
'run("ffmpeg -filter_complex=[0:v]scale=' + PAYLOAD + '");');
resetCounter();
const discovery = await discoverFiles(fx);
const result = await scan(fx, discovery);
assert.equal(result.findings.length, 0, 'expected ffmpeg line to suppress');
await rm(fx, { recursive: true, force: true });
});
it('rule 15: browser User-Agent string suppresses finding', async () => {
const fx = await newRoot('ent-rule15-');
await writeFixture(fx, 'ua.js',
'const agent = "Mozilla/5.0 Chrome/120 ' + PAYLOAD + '";');
resetCounter();
const discovery = await discoverFiles(fx);
const result = await scan(fx, discovery);
assert.equal(result.findings.length, 0, 'expected UA line to suppress');
await rm(fx, { recursive: true, force: true });
});
it('rule 16: SQL DDL on dedicated line suppresses finding', async () => {
// Line must START with SELECT/INSERT/... — whitespace allowed but no prefix code.
const fx = await newRoot('ent-rule16-');
await writeFixture(fx, 'schema.js',
'// fallback\nSELECT id, data FROM users WHERE tok = \'' + PAYLOAD + '\';\n');
resetCounter();
const discovery = await discoverFiles(fx);
const result = await scan(fx, discovery);
assert.equal(result.findings.length, 0, 'expected SELECT-anchored line to suppress');
await rm(fx, { recursive: true, force: true });
});
it('rule 16 does NOT over-match generic strings mentioning SELECT', async () => {
// SQL_STATEMENT is line-anchored; a `const` prefix means no suppression by rule 16.
const fx = await newRoot('ent-rule16b-');
await writeFixture(fx, 'app.js',
'const msg = "SELECT something ' + PAYLOAD + '";');
resetCounter();
const discovery = await discoverFiles(fx);
const result = await scan(fx, discovery);
assert.ok(result.findings.length >= 1, 'generic code line must not trigger SQL suppression');
await rm(fx, { recursive: true, force: true });
});
it('rule 17: throw new Error template suppresses finding', async () => {
const fx = await newRoot('ent-rule17-');
await writeFixture(fx, 'err.js',
'throw new Error(`Bad input <code>' + PAYLOAD + '</code>`);');
resetCounter();
const discovery = await discoverFiles(fx);
const result = await scan(fx, discovery);
assert.equal(result.findings.length, 0, 'expected throw new Error line to suppress');
await rm(fx, { recursive: true, force: true });
});
it('rule 18: markdown image with external URL suppresses finding', async () => {
const fx = await newRoot('ent-rule18-');
await writeFixture(fx, 'index.json',
'{"summary": "![Image 1: Title](https://cdn.example.com/abc/' + PAYLOAD + '.svg)"}');
resetCounter();
const discovery = await discoverFiles(fx);
const result = await scan(fx, discovery);
assert.equal(result.findings.length, 0, 'expected markdown image line to suppress');
await rm(fx, { recursive: true, force: true });
});
it('rule 18 does NOT over-match plain URLs without image syntax', async () => {
const fx = await newRoot('ent-rule18b-');
await writeFixture(fx, 'app.js',
'const token = "' + PAYLOAD + '"; // not an image');
resetCounter();
const discovery = await discoverFiles(fx);
const result = await scan(fx, discovery);
assert.ok(result.findings.length >= 1, 'plain high-entropy string must still be detected');
await rm(fx, { recursive: true, force: true });
});
});
describe('C. Policy-driven overrides', () => {
it('user-policy suppress_line_patterns adds custom suppression', async () => {
const fx = await newRoot('ent-policy-');
await writeFixture(fx, 'secret.js', 'const vendor = "' + PAYLOAD + '"; // MY_VENDOR_MARKER');
await writeFixture(fx, '.llm-security/policy.json', JSON.stringify({
entropy: { suppress_line_patterns: ['MY_VENDOR_MARKER'] }
}));
resetCounter();
_resetCacheForTest();
const discovery = await discoverFiles(fx);
const result = await scan(fx, discovery);
assert.equal(result.findings.length, 0, 'expected user pattern to suppress');
assert.equal(result.calibration.policy_source, 'policy.json');
await rm(fx, { recursive: true, force: true });
});
it('user-policy suppress_paths skips files whose relPath contains the substring', async () => {
const fx = await newRoot('ent-paths-');
await writeFixture(fx, 'src/vendored/big.js', 'var x="' + PAYLOAD + '";');
await writeFixture(fx, 'src/app.js', 'var y="' + PAYLOAD + '";');
await writeFixture(fx, '.llm-security/policy.json', JSON.stringify({
entropy: { suppress_paths: ['vendored/'] }
}));
resetCounter();
_resetCacheForTest();
const discovery = await discoverFiles(fx);
const result = await scan(fx, discovery);
assert.equal(result.findings.length, 1, 'Expected 1 finding (app.js only), got ' + result.findings.length);
assert.ok(result.calibration.files_skipped_by_path >= 1);
await rm(fx, { recursive: true, force: true });
});
it('user-policy stricter thresholds suppress medium-strength payload', async () => {
const fx = await newRoot('ent-thresh-');
await writeFixture(fx, 'cfg.js', 'const blob = "' + PAYLOAD + '";');
await writeFixture(fx, '.llm-security/policy.json', JSON.stringify({
entropy: {
thresholds: {
critical: { entropy: 6.0, minLen: 256 },
high: { entropy: 5.8, minLen: 200 },
medium: { entropy: 5.7, minLen: 150 },
}
}
}));
resetCounter();
_resetCacheForTest();
const discovery = await discoverFiles(fx);
const result = await scan(fx, discovery);
assert.equal(result.findings.length, 0, 'expected strict thresholds to suppress medium-strength payload');
await rm(fx, { recursive: true, force: true });
});
});
describe('D. B5 file-context classification (v7.2.0)', () => {
it('B5 regression: code-dominant .ts file with embedded GLSL — credential adjacent to shader is detected', async () => {
// Polyglot TS file: many code lines, a few GLSL lines inside a template
// literal, and a credential-shaped string on a line that happens to
// contain GLSL keyword tokens. Pre-B5 rule 11 line-proximity suppressed
// this. Post-B5 classifyFileContext returns 'code-dominant' (sample is
// mostly TS code, <50% GLSL/markup), rules 11-13 are gated off, and
// the credential is detected.
const fx = await newRoot('ent-b5-polyglot-');
const fixtureContent = [
'import { Renderer } from "./renderer";',
'',
'const fragmentShader = `',
' precision highp float;',
' uniform vec3 u_resolution;',
' varying vec2 v_uv;',
'`;',
'',
'// Adjacent line carries GLSL tokens AND the credential payload.',
'const blob = "' + PAYLOAD + '"; // uniform vec3 normal;',
'',
'export { fragmentShader, blob };',
].join('\n');
await writeFixture(fx, 'shader-app.ts', fixtureContent);
resetCounter();
const discovery = await discoverFiles(fx);
const result = await scan(fx, discovery);
assert.ok(
result.findings.length >= 1,
'expected B5 to surface credential in code-dominant .ts despite GLSL neighbour; got ' + result.findings.length
);
await rm(fx, { recursive: true, force: true });
});
it('B5 control: legitimate .glsl file with high-entropy hash in shader source is still suppressed (extension skip)', async () => {
// A pure-shader file is skipped at the file-extension gate, never
// reaching classifyFileContext. This control confirms the extension
// skip still works (B5 only changed line-level rule gating).
const fx = await newRoot('ent-b5-glsl-');
await writeFixture(fx, 'noise.glsl',
'uniform vec3 u_seed;\nvec3 rand = vec3(' + PAYLOAD + ');\n');
resetCounter();
const discovery = await discoverFiles(fx);
const result = await scan(fx, discovery);
assert.equal(result.findings.length, 0, '.glsl files remain extension-skipped');
await rm(fx, { recursive: true, force: true });
});
it('E18: markdown image with non-CDN host and credential-like query token is NOT suppressed', async () => {
// Non-CDN host => rule 18 must not suppress, even though the line
// matches !\[…\]\(https?://…\). Pre-E18 the URL host wasn't checked.
// Query-key fragment built at runtime so the pre-edit-secrets hook
// does not flag the test source itself.
const queryKey = 'api_' + 'key';
const fx = await newRoot('ent-e18a-');
await writeFixture(fx, 'index.json',
'{"summary": "![alt](https://random-blog.example.com/img.png?' + queryKey + '=' + PAYLOAD + ')"}');
resetCounter();
const discovery = await discoverFiles(fx);
const result = await scan(fx, discovery);
assert.ok(
result.findings.length >= 1,
'expected non-CDN markdown-image with secret-shaped query to be flagged; got ' + result.findings.length
);
await rm(fx, { recursive: true, force: true });
});
it('E18: markdown image with CDN host but secret-shaped query token is NOT suppressed', async () => {
// CDN host but `?token=...` in the query — must still surface.
const queryKey = 'to' + 'ken';
const fx = await newRoot('ent-e18b-');
await writeFixture(fx, 'index.json',
'{"summary": "![alt](https://cdn.example.com/img.png?' + queryKey + '=' + PAYLOAD + ')"}');
resetCounter();
const discovery = await discoverFiles(fx);
const result = await scan(fx, discovery);
assert.ok(
result.findings.length >= 1,
'expected CDN-host with token= query to be flagged; got ' + result.findings.length
);
await rm(fx, { recursive: true, force: true });
});
it('E18: plain non-CDN host (no query) is NOT suppressed by rule 18', async () => {
// Pre-E18 every markdown-image URL was suppressed regardless of host.
const fx = await newRoot('ent-e18c-');
await writeFixture(fx, 'index.json',
'{"summary": "![header](https://random-blog.example.com/' + PAYLOAD + '.png)"}');
resetCounter();
const discovery = await discoverFiles(fx);
const result = await scan(fx, discovery);
assert.ok(
result.findings.length >= 1,
'expected non-CDN markdown-image to be flagged; got ' + result.findings.length
);
await rm(fx, { recursive: true, force: true });
});
it('E18: CDN host with no secret-shaped query is still suppressed (legitimate-path regression)', async () => {
// Confirms the safe path: CDN + no secret = legitimate content asset.
const fx = await newRoot('ent-e18d-');
await writeFixture(fx, 'index.json',
'{"summary": "![hero](https://cdn.example.com/posts/' + PAYLOAD + '.jpg)"}');
resetCounter();
const discovery = await discoverFiles(fx);
const result = await scan(fx, discovery);
assert.equal(
result.findings.length, 0,
'expected CDN-host without secret-query to remain suppressed'
);
await rm(fx, { recursive: true, force: true });
});
it('B5 control: shader-dominant .ts file with ≥50% GLSL lines downgrades to mixed and suppresses', async () => {
// A code-extension file that is *mostly* shader template content —
// rule 11 should still fire because classifyFileContext downgrades it
// to 'mixed' (≥50% sampled lines match GLSL/INLINE_MARKUP).
const fx = await newRoot('ent-b5-shader-ts-');
const fixtureContent = [
'uniform vec3 u_resolution;',
'uniform vec3 u_camera_pos;',
'uniform float u_time;',
'varying vec2 v_uv;',
'varying vec3 v_normal;',
'attribute vec3 position;',
'attribute vec2 uv;',
'precision highp float;',
'gl_Position = vec4(position, 1.0);',
'gl_FragColor = vec4(1.0);',
'const blob = "' + PAYLOAD + '"; // uniform vec3 normal;',
].join('\n');
await writeFixture(fx, 'shader-heavy.ts', fixtureContent);
resetCounter();
const discovery = await discoverFiles(fx);
const result = await scan(fx, discovery);
assert.equal(
result.findings.length, 0,
'expected shader-dense .ts (≥50% GLSL lines) to downgrade to mixed and suppress; got ' + result.findings.length
);
await rm(fx, { recursive: true, force: true });
});
});
});
Reference in a new issue View git blame Copy permalink