sharang/compliance-scanner-agent
1
0
Fork 0
Code Issues 51 Pull Requests 1 Actions Packages Projects Releases 1 Wiki Activity

refactor: modularize codebase and add 404 unit tests (#13)
All checks were successful
CI / Format (push) Successful in 4s
Details
CI / Clippy (push) Successful in 4m19s
Details
CI / Security Audit (push) Successful in 1m44s
Details
CI / Tests (push) Successful in 5m15s
Details
CI / Detect Changes (push) Successful in 5s
Details
CI / Deploy Agent (push) Successful in 2s
Details
CI / Deploy Dashboard (push) Successful in 2s
Details
CI / Deploy Docs (push) Has been skipped
Details
CI / Deploy MCP (push) Successful in 2s
Details

Browse Source
This commit was merged in pull request #13.
This commit is contained in:
Sharang Parnerkar
2026-03-13 08:03:45 +00:00
parent acc5b86aa4
commit 3bb690e5bb
89 changed files with 11884 additions and 6046 deletions
Download Patch File Download Diff File Expand all files Collapse all files

387
compliance-dast/src/tools/csp_analyzer.rs
View File

@@ -47,7 +47,7 @@ impl CspAnalyzerTool {
url: &str,
target_id: &str,
status: u16,
csp_raw: &str,
_csp_raw: &str,
) -> Vec<DastFinding> {
let mut findings = Vec::new();
@@ -216,12 +216,18 @@ impl CspAnalyzerTool {
("object-src", "Controls plugins like Flash"),
("base-uri", "Controls the base URL for relative URLs"),
("form-action", "Controls where forms can submit to"),
("frame-ancestors", "Controls who can embed this page in iframes"),
(
"frame-ancestors",
"Controls who can embed this page in iframes",
),
];
for (dir_name, desc) in &important_directives {
if !directive_names.contains(dir_name)
&& !(has_default_src && *dir_name != "frame-ancestors" && *dir_name != "base-uri" && *dir_name != "form-action")
&& (!has_default_src
|| *dir_name == "frame-ancestors"
|| *dir_name == "base-uri"
|| *dir_name == "form-action")
{
let evidence = make_evidence(format!("CSP missing directive: {dir_name}"));
let mut finding = DastFinding::new(
@@ -258,6 +264,125 @@ impl CspAnalyzerTool {
}
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn parse_csp_basic() {
let directives = CspAnalyzerTool::parse_csp(
"default-src 'self'; script-src 'self' https://cdn.example.com",
);
assert_eq!(directives.len(), 2);
assert_eq!(directives[0].name, "default-src");
assert_eq!(directives[0].values, vec!["'self'"]);
assert_eq!(directives[1].name, "script-src");
assert_eq!(
directives[1].values,
vec!["'self'", "https://cdn.example.com"]
);
}
#[test]
fn parse_csp_empty() {
let directives = CspAnalyzerTool::parse_csp("");
assert!(directives.is_empty());
}
#[test]
fn parse_csp_trailing_semicolons() {
let directives = CspAnalyzerTool::parse_csp("default-src 'none';;;");
assert_eq!(directives.len(), 1);
assert_eq!(directives[0].name, "default-src");
assert_eq!(directives[0].values, vec!["'none'"]);
}
#[test]
fn parse_csp_directive_without_value() {
let directives = CspAnalyzerTool::parse_csp("upgrade-insecure-requests");
assert_eq!(directives.len(), 1);
assert_eq!(directives[0].name, "upgrade-insecure-requests");
assert!(directives[0].values.is_empty());
}
#[test]
fn parse_csp_names_are_lowercased() {
let directives = CspAnalyzerTool::parse_csp("Script-Src 'self'");
assert_eq!(directives[0].name, "script-src");
}
#[test]
fn analyze_detects_unsafe_inline() {
let directives = CspAnalyzerTool::parse_csp("script-src 'self' 'unsafe-inline'");
let findings =
CspAnalyzerTool::analyze_directives(&directives, "https://example.com", "t1", 200, "");
assert!(findings.iter().any(|f| f.title.contains("unsafe-inline")));
}
#[test]
fn analyze_detects_unsafe_eval() {
let directives = CspAnalyzerTool::parse_csp("script-src 'self' 'unsafe-eval'");
let findings =
CspAnalyzerTool::analyze_directives(&directives, "https://example.com", "t1", 200, "");
assert!(findings.iter().any(|f| f.title.contains("unsafe-eval")));
}
#[test]
fn analyze_detects_wildcard() {
let directives = CspAnalyzerTool::parse_csp("img-src *");
let findings =
CspAnalyzerTool::analyze_directives(&directives, "https://example.com", "t1", 200, "");
assert!(findings.iter().any(|f| f.title.contains("wildcard")));
}
#[test]
fn analyze_detects_data_uri_in_script_src() {
let directives = CspAnalyzerTool::parse_csp("script-src 'self' data:");
let findings =
CspAnalyzerTool::analyze_directives(&directives, "https://example.com", "t1", 200, "");
assert!(findings.iter().any(|f| f.title.contains("data:")));
}
#[test]
fn analyze_detects_http_sources() {
let directives = CspAnalyzerTool::parse_csp("script-src http:");
let findings =
CspAnalyzerTool::analyze_directives(&directives, "https://example.com", "t1", 200, "");
assert!(findings.iter().any(|f| f.title.contains("HTTP sources")));
}
#[test]
fn analyze_detects_missing_directives_without_default_src() {
let directives = CspAnalyzerTool::parse_csp("img-src 'self'");
let findings =
CspAnalyzerTool::analyze_directives(&directives, "https://example.com", "t1", 200, "");
let missing_names: Vec<&str> = findings
.iter()
.filter(|f| f.title.contains("missing"))
.map(|f| f.title.as_str())
.collect();
// Should flag script-src, object-src, base-uri, form-action, frame-ancestors
assert!(missing_names.len() >= 4);
}
#[test]
fn analyze_good_csp_no_unsafe_findings() {
let directives = CspAnalyzerTool::parse_csp(
"default-src 'none'; script-src 'self'; style-src 'self'; \
img-src 'self'; object-src 'none'; base-uri 'self'; \
form-action 'self'; frame-ancestors 'none'",
);
let findings =
CspAnalyzerTool::analyze_directives(&directives, "https://example.com", "t1", 200, "");
// A well-configured CSP should not produce unsafe-inline/eval/wildcard findings
assert!(findings.iter().all(|f| {
!f.title.contains("unsafe-inline")
&& !f.title.contains("unsafe-eval")
&& !f.title.contains("wildcard")
}));
}
}
impl PentestTool for CspAnalyzerTool {
fn name(&self) -> &str {
"csp_analyzer"
@@ -285,163 +410,167 @@ impl PentestTool for CspAnalyzerTool {
&'a self,
input: serde_json::Value,
context: &'a PentestToolContext,
) -> std::pin::Pin<Box<dyn std::future::Future<Output = Result<PentestToolResult, CoreError>> + Send + 'a>> {
) -> std::pin::Pin<
Box<dyn std::future::Future<Output = Result<PentestToolResult, CoreError>> + Send + 'a>,
> {
Box::pin(async move {
let url = input
.get("url")
.and_then(|v| v.as_str())
.ok_or_else(|| CoreError::Dast("Missing required 'url' parameter".to_string()))?;
let url = input
.get("url")
.and_then(|v| v.as_str())
.ok_or_else(|| CoreError::Dast("Missing required 'url' parameter".to_string()))?;
let target_id = context
.target
.id
.map(|oid| oid.to_hex())
.unwrap_or_else(|| "unknown".to_string());
let target_id = context
.target
.id
.map(|oid| oid.to_hex())
.unwrap_or_else(|| "unknown".to_string());
let response = self
.http
.get(url)
.send()
.await
.map_err(|e| CoreError::Dast(format!("Failed to fetch {url}: {e}")))?;
let response = self
.http
.get(url)
.send()
.await
.map_err(|e| CoreError::Dast(format!("Failed to fetch {url}: {e}")))?;
let status = response.status().as_u16();
let status = response.status().as_u16();
// Check for CSP header
let csp_header = response
.headers()
.get("content-security-policy")
.and_then(|v| v.to_str().ok())
.map(String::from);
// Check for CSP header
let csp_header = response
.headers()
.get("content-security-policy")
.and_then(|v| v.to_str().ok())
.map(String::from);
// Also check for report-only variant
let csp_report_only = response
.headers()
.get("content-security-policy-report-only")
.and_then(|v| v.to_str().ok())
.map(String::from);
// Also check for report-only variant
let csp_report_only = response
.headers()
.get("content-security-policy-report-only")
.and_then(|v| v.to_str().ok())
.map(String::from);
let mut findings = Vec::new();
let mut csp_data = json!({});
let mut findings = Vec::new();
let mut csp_data = json!({});
match &csp_header {
Some(csp) => {
let directives = Self::parse_csp(csp);
let directive_map: serde_json::Value = directives
.iter()
.map(|d| (d.name.clone(), json!(d.values)))
.collect::<serde_json::Map<String, serde_json::Value>>()
.into();
match &csp_header {
Some(csp) => {
let directives = Self::parse_csp(csp);
let directive_map: serde_json::Value = directives
.iter()
.map(|d| (d.name.clone(), json!(d.values)))
.collect::<serde_json::Map<String, serde_json::Value>>()
.into();
csp_data["csp_header"] = json!(csp);
csp_data["directives"] = directive_map;
csp_data["csp_header"] = json!(csp);
csp_data["directives"] = directive_map;
findings.extend(Self::analyze_directives(
&directives,
url,
&target_id,
status,
csp,
));
}
None => {
csp_data["csp_header"] = json!(null);
findings.extend(Self::analyze_directives(
&directives,
url,
&target_id,
status,
csp,
));
}
None => {
csp_data["csp_header"] = json!(null);
let evidence = DastEvidence {
request_method: "GET".to_string(),
request_url: url.to_string(),
request_headers: None,
request_body: None,
response_status: status,
response_headers: None,
response_snippet: Some("Content-Security-Policy header is missing".to_string()),
screenshot_path: None,
payload: None,
response_time_ms: None,
};
let evidence = DastEvidence {
request_method: "GET".to_string(),
request_url: url.to_string(),
request_headers: None,
request_body: None,
response_status: status,
response_headers: None,
response_snippet: Some(
"Content-Security-Policy header is missing".to_string(),
),
screenshot_path: None,
payload: None,
response_time_ms: None,
};
let mut finding = DastFinding::new(
String::new(),
target_id.clone(),
DastVulnType::CspIssue,
"Missing Content-Security-Policy header".to_string(),
format!(
"No Content-Security-Policy header is present on {url}. \
let mut finding = DastFinding::new(
String::new(),
target_id.clone(),
DastVulnType::CspIssue,
"Missing Content-Security-Policy header".to_string(),
format!(
"No Content-Security-Policy header is present on {url}. \
Without CSP, the browser has no instructions on which sources are \
trusted, making XSS exploitation much easier."
),
Severity::Medium,
url.to_string(),
"GET".to_string(),
);
finding.cwe = Some("CWE-16".to_string());
finding.evidence = vec![evidence];
finding.remediation = Some(
),
Severity::Medium,
url.to_string(),
"GET".to_string(),
);
finding.cwe = Some("CWE-16".to_string());
finding.evidence = vec![evidence];
finding.remediation = Some(
"Add a Content-Security-Policy header. Start with a restrictive policy like \
\"default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; \
object-src 'none'; frame-ancestors 'none'; base-uri 'self'\"."
.to_string(),
);
findings.push(finding);
findings.push(finding);
}
}
}
if let Some(ref report_only) = csp_report_only {
csp_data["csp_report_only"] = json!(report_only);
// If ONLY report-only exists (no enforcing CSP), warn
if csp_header.is_none() {
let evidence = DastEvidence {
request_method: "GET".to_string(),
request_url: url.to_string(),
request_headers: None,
request_body: None,
response_status: status,
response_headers: None,
response_snippet: Some(format!(
"Content-Security-Policy-Report-Only: {}",
report_only
)),
screenshot_path: None,
payload: None,
response_time_ms: None,
};
if let Some(ref report_only) = csp_report_only {
csp_data["csp_report_only"] = json!(report_only);
// If ONLY report-only exists (no enforcing CSP), warn
if csp_header.is_none() {
let evidence = DastEvidence {
request_method: "GET".to_string(),
request_url: url.to_string(),
request_headers: None,
request_body: None,
response_status: status,
response_headers: None,
response_snippet: Some(format!(
"Content-Security-Policy-Report-Only: {}",
report_only
)),
screenshot_path: None,
payload: None,
response_time_ms: None,
};
let mut finding = DastFinding::new(
String::new(),
target_id.clone(),
DastVulnType::CspIssue,
"CSP is report-only, not enforcing".to_string(),
"A Content-Security-Policy-Report-Only header is present but no enforcing \
let mut finding = DastFinding::new(
String::new(),
target_id.clone(),
DastVulnType::CspIssue,
"CSP is report-only, not enforcing".to_string(),
"A Content-Security-Policy-Report-Only header is present but no enforcing \
Content-Security-Policy header exists. Report-only mode only logs violations \
but does not block them."
.to_string(),
Severity::Low,
url.to_string(),
"GET".to_string(),
);
finding.cwe = Some("CWE-16".to_string());
finding.evidence = vec![evidence];
finding.remediation = Some(
.to_string(),
Severity::Low,
url.to_string(),
"GET".to_string(),
);
finding.cwe = Some("CWE-16".to_string());
finding.evidence = vec![evidence];
finding.remediation = Some(
"Once you have verified the CSP policy works correctly in report-only mode, \
deploy it as an enforcing Content-Security-Policy header."
.to_string(),
);
findings.push(finding);
findings.push(finding);
}
}
}
let count = findings.len();
info!(url, findings = count, "CSP analysis complete");
let count = findings.len();
info!(url, findings = count, "CSP analysis complete");
Ok(PentestToolResult {
summary: if count > 0 {
format!("Found {count} CSP issues for {url}.")
} else {
format!("Content-Security-Policy looks good for {url}.")
},
findings,
data: csp_data,
})
Ok(PentestToolResult {
summary: if count > 0 {
format!("Found {count} CSP issues for {url}.")
} else {
format!("Content-Security-Policy looks good for {url}.")
},
findings,
data: csp_data,
})
})
}
}