john/tractatus
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(security): implement attack surface exposure prevention (inst_084)

Browse source 
Adds comprehensive protection against exposing internal implementation
details in public-facing documentation.

New Governance Rule (inst_084):
- Quadrant: SYSTEM
- Persistence: HIGH
- Scope: Public documents (confidential:false)
- Enforcement: Pre-commit hooks (mandatory)

Implementation:
1. attack-surface-validator.util.js
   - Pattern detection for file paths, API endpoints, admin URLs, ports
   - Frontmatter parsing (respects confidential:true exemption)
   - Code block exemption (doesn't flag technical examples)
   - Intelligent line numbering for violation reporting

2. check-attack-surface.js
   - Pre-commit script that scans staged documents
   - User-friendly violation reporting with suggestions
   - Integration with git workflow

3. Pre-commit hook integration
   - Added as Check #3 in git hooks
   - Runs after prohibited terms, before test requirements
   - Blocks commits with attack surface exposures

Detection Patterns:
 File paths: src/*, public/*, scripts/*
 API endpoints: /api/*, /admin/*
 File naming patterns: *.util.js, *.service.js
 Port numbers in prose
 Connection strings

Exemptions:
- Code blocks (```)
- Inline code (`)
- Confidential documents (confidential:true)
- Internal technical documentation

Security Rationale (Defense-in-Depth):
- Prevents reconnaissance by obscuring architecture
- Reduces attack surface by hiding implementation paths
- Complements credential protection (inst_069/070)
- Part of layered security strategy (inst_072)

Testing:
- Validated against test document with known exposures
- 7 violations detected correctly
- Code block exemption verified
- All expected pattern types detected

Example Violations Blocked:
 "Dashboard at /admin/audit-analytics.html"
 "Administrative Dashboard"
 "GET /api/admin/audit-logs endpoint"
 "Authenticated API for audit data"
 "In activity-classifier.util.js"
 "The activity classifier"

This enforcement prevented the exact security issue discovered in
governance-bi-tools.md which exposed admin paths and API endpoints.

Also fixed prohibited terms checker to exempt instruction-history.json
(which contains prohibited term DEFINITIONS, not violations).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
TheFlow 2025-10-27 12:11:43 +13:00
parent d854ac85e2
commit e821987d9a
4 changed files with 468 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

66
scripts/add-attack-surface-rule.js Executable file
View file

@ -0,0 +1,66 @@
#!/usr/bin/env node
/**
* Add Attack Surface Exposure Prevention Rule (inst_084)
*/
const fs = require('fs');
const path = require('path');
const historyPath = path.join(__dirname, '../.claude/instruction-history.json');
const data = JSON.parse(fs.readFileSync(historyPath, 'utf8'));
const newInstruction = {
"id": "inst_084",
"text": "NEVER expose internal implementation details in public-facing documents (confidential:false). Block exact file paths, API endpoints, database schemas, port numbers, and internal URLs. Use generalized component names instead.",
"timestamp": new Date().toISOString(),
"quadrant": "SYSTEM",
"persistence": "HIGH",
"temporal_scope": "PERMANENT",
"verification_required": "MANDATORY",
"explicitness": 1.0,
"source": "security_requirement",
"session_id": "2025-10-27-attack-surface-prevention",
"parameters": {
"security_layer": "defense_in_depth",
"enforcement": "pre_commit_hook",
"scope": "public_documents"
},
"active": true,
"notes": "Prevents reconnaissance by obscuring internal architecture in public documentation. Part of defense-in-depth security strategy (inst_072).",
"examples": [
"❌ BAD: 'Dashboard at /admin/audit-analytics.html'",
"✅ GOOD: 'Administrative Dashboard'",
"❌ BAD: 'GET /api/admin/audit-logs endpoint'",
"✅ GOOD: 'Authenticated API for retrieving audit data'",
"❌ BAD: 'In activity-classifier.util.js'",
"✅ GOOD: 'The activity classifier'",
"❌ BAD: 'MongoDB on port 27017'",
"✅ GOOD: 'Database backend'"
],
"enforcement_patterns": [
"File paths: src/*, public/*, scripts/*",
"API endpoints: /api/*, /admin/*",
"File extensions in prose: .js, .html, .css",
"Port numbers in public docs",
"Internal URLs with specific paths"
],
"exemptions": [
"Code blocks in technical implementation guides marked confidential:true",
"Internal architectural documentation",
"Developer setup guides not published externally"
],
"related_rules": [
"inst_072"
]
};
data.instructions.push(newInstruction);
data.last_updated = new Date().toISOString();
fs.writeFileSync(historyPath, JSON.stringify(data, null, 2));
console.log('✅ Added inst_084: Attack Surface Exposure Prevention');
console.log(` Quadrant: ${newInstruction.quadrant}`);
console.log(` Persistence: ${newInstruction.persistence}`);
console.log(` Enforcement: Pre-commit hooks for public documents`);

144
scripts/check-attack-surface.js Executable file
View file

@ -0,0 +1,144 @@
#!/usr/bin/env node
/*
* Copyright 2025 John G Stroh
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/**
* Pre-commit Attack Surface Check (inst_084)
*
* Scans staged files for attack surface exposures
* Blocks commits that expose internal implementation details in public documents
*/
const { execSync } = require('child_process');
const fs = require('fs');
const path = require('path');
const { validateFile } = require('../src/utils/attack-surface-validator.util');
function getStagedFiles() {
try {
const output = execSync('git diff --cached --name-only --diff-filter=ACM', {
encoding: 'utf8',
stdio: ['pipe', 'pipe', 'ignore']
});
return output.split('\n').filter(f => f.trim());
} catch (error) {
return [];
}
}
function checkStagedFiles() {
const stagedFiles = getStagedFiles();
if (stagedFiles.length === 0) {
console.log('✅ No attack surface exposure check needed (no staged files)');
return { success: true, exposures: [] };
}
// Filter for documents only
const documentFiles = stagedFiles.filter(f =>
f.endsWith('.md') || f.includes('/docs/')
);
if (documentFiles.length === 0) {
console.log('✅ No documents in staged files');
return { success: true, exposures: [] };
}
console.log(`\n🔍 Scanning ${documentFiles.length} document(s) for attack surface exposure...`);
const allExposures = [];
for (const file of documentFiles) {
const filePath = path.join(process.cwd(), file);
if (!fs.existsSync(filePath)) {
continue; // File was deleted
}
const content = fs.readFileSync(filePath, 'utf8');
const result = validateFile(file, content);
if (!result.allowed) {
allExposures.push({
file,
violations: result.violations
});
}
}
return {
success: allExposures.length === 0,
exposures: allExposures
};
}
function printExposures(exposures) {
console.log('\n' + '━'.repeat(80));
console.log('❌ ATTACK SURFACE EXPOSURE DETECTED (inst_084)');
console.log('━'.repeat(80));
console.log('');
console.log('The following files expose internal implementation details:');
console.log('');
for (const { file, violations } of exposures) {
console.log(`\n🔴 ${file}`);
console.log('');
for (const violation of violations) {
console.log(` Line ${violation.line}: ${violation.description}`);
console.log(` Found: "${violation.match}"`);
console.log(` 💡 ${violation.suggestion}`);
console.log('');
}
}
console.log('━'.repeat(80));
console.log('⚠️ SECURITY RISK: Internal architecture exposed in public documents');
console.log('━'.repeat(80));
console.log('');
console.log('Why this matters:');
console.log(' • Exact file paths → easier reconnaissance for attackers');
console.log(' • API endpoints → attack surface mapping');
console.log(' • Port numbers → network scanning targets');
console.log(' • Internal URLs → direct access attempts');
console.log('');
console.log('Fix: Use generalized component names instead of specific paths');
console.log('');
console.log('Examples:');
console.log(' ❌ "Dashboard at /admin/audit-analytics.html"');
console.log(' ✅ "Administrative Dashboard"');
console.log(' ❌ "GET /api/admin/audit-logs endpoint"');
console.log(' ✅ "Authenticated API for audit data"');
console.log('');
console.log('To bypass (NOT RECOMMENDED):');
console.log(' git commit --no-verify');
console.log('');
}
// Main execution
const result = checkStagedFiles();
if (!result.success) {
printExposures(result.exposures);
process.exit(1);
} else {
if (result.exposures.length === 0) {
console.log('✅ No attack surface exposures detected');
}
process.exit(0);
}

3
scripts/check-prohibited-terms.js
View file

@ -100,6 +100,9 @@ function scanFiles(files) {
files.forEach(file => {
if (!fs.existsSync(file)) return;
// Skip instruction-history.json (contains prohibited term DEFINITIONS, not violations)
if (file.includes('instruction-history.json')) return;
// Only scan text files (markdown, HTML, text)
const ext = path.extname(file).toLowerCase();
if (!['.md', '.html', '.txt', '.json'].includes(ext)) return;

255
src/utils/attack-surface-validator.util.js Normal file
View file

@ -0,0 +1,255 @@
/*
* Copyright 2025 John G Stroh
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/**
* Attack Surface Validator (inst_084)
*
* Prevents exposure of internal implementation details in public-facing documents
* Part of defense-in-depth security strategy
*/
/**
* Attack surface exposure patterns
* Each pattern includes regex, description, and suggested replacement
*/
const ATTACK_SURFACE_PATTERNS = [
// File paths
{
regex: /\bsrc\/[a-zA-Z0-9_\-\/]+\.(js|ts|jsx|tsx)\b/g,
type: 'file_path',
description: 'Source file path exposed',
example: 'src/utils/activity-classifier.util.js',
suggestion: 'Use component name instead (e.g., "the activity classifier")'
},
{
regex: /\bpublic\/[a-zA-Z0-9_\-\/]+\.(html|css|js)\b/g,
type: 'file_path',
description: 'Public file path exposed',
example: 'public/admin/dashboard.html',
suggestion: 'Use page name instead (e.g., "administrative dashboard")'
},
{
regex: /\bscripts\/[a-zA-Z0-9_\-\/]+\.js\b/g,
type: 'file_path',
description: 'Script file path exposed',
example: 'scripts/validate-file-edit.js',
suggestion: 'Use functional description (e.g., "file edit validator")'
},
// API endpoints
{
regex: /\/api\/[a-zA-Z0-9_\-\/]+/g,
type: 'api_endpoint',
description: 'API endpoint path exposed',
example: '/api/admin/audit-logs',
suggestion: 'Use functional description (e.g., "authenticated API for audit data")'
},
{
regex: /\/admin\/[a-zA-Z0-9_\-\/]+\.html/g,
type: 'admin_path',
description: 'Admin page path exposed',
example: '/admin/dashboard.html',
suggestion: 'Use page name (e.g., "admin dashboard")'
},
// Port numbers in prose (not in code blocks)
{
regex: /\bport\s+\d{4,5}\b/gi,
type: 'port_number',
description: 'Port number exposed in text',
example: 'port 27017',
suggestion: 'Avoid mentioning specific ports in public docs'
},
{
regex: /\bon\s+port\s+\d{4,5}\b/gi,
type: 'port_number',
description: 'Port number exposed with "on port"',
example: 'on port 9000',
suggestion: 'Remove port number from public docs'
},
// Database specifics
{
regex: /mongodb:\/\/[^\s]+/g,
type: 'connection_string',
description: 'MongoDB connection string pattern',
example: 'mongodb://localhost:27017',
suggestion: 'Use "database connection" instead'
},
// File extensions in prose (likely indicating file names)
{
regex: /\b[a-zA-Z0-9_\-]+\.(util|service|controller|model|middleware)\.js\b/g,
type: 'file_pattern',
description: 'Node.js file naming pattern exposed',
example: 'activity-classifier.util.js',
suggestion: 'Use component description without file name'
}
];
/**
* Patterns that are exempt from attack surface checking
*/
const EXEMPTION_PATTERNS = [
/```[\s\S]*?```/g, // Code blocks
/`[^`]+`/g, // Inline code
/<!--[\s\S]*?-->/g // HTML comments
];
/**
* Check if file is a public-facing document
* @param {string} filePath - Path to file
* @returns {boolean} - True if public-facing
*/
function isPublicDocument(filePath) {
// Check if in docs/ directory
if (filePath.includes('/docs/')) {
return true;
}
// Check if markdown file
if (filePath.endsWith('.md')) {
return true;
}
// Check frontmatter for confidential flag
// (Will be checked separately in main function)
return false;
}
/**
* Extract frontmatter from markdown content
* @param {string} content - File content
* @returns {Object|null} - Frontmatter metadata or null
*/
function extractFrontmatter(content) {
const frontmatterRegex = /^---\s*\n([\s\S]*?)\n---/;
const match = content.match(frontmatterRegex);
if (!match) {
return null;
}
const frontmatter = {};
const lines = match[1].split('\n');
for (const line of lines) {
const colonIndex = line.indexOf(':');
if (colonIndex === -1) continue;
const key = line.slice(0, colonIndex).trim();
const value = line.slice(colonIndex + 1).trim();
frontmatter[key] = value;
}
return frontmatter;
}
/**
* Remove exempted sections from content
* @param {string} content - File content
* @returns {Object} - {scannableContent, exemptedSections}
*/
function removeExemptedSections(content) {
let scannableContent = content;
const exemptedSections = [];
for (const pattern of EXEMPTION_PATTERNS) {
const matches = content.match(pattern) || [];
exemptedSections.push(...matches);
scannableContent = scannableContent.replace(pattern, '');
}
return { scannableContent, exemptedSections };
}
/**
* Scan content for attack surface exposures
* @param {string} content - Content to scan
* @param {string} filePath - Path to file being scanned
* @returns {Array} - Array of exposure findings
*/
function scanForExposures(content, filePath) {
const findings = [];
// Check if this is a public document
if (!isPublicDocument(filePath)) {
return findings; // Skip non-public documents
}
// Check frontmatter for confidential flag
const frontmatter = extractFrontmatter(content);
if (frontmatter && frontmatter.confidential === 'true') {
return findings; // Skip confidential documents
}
// Remove code blocks and other exempted sections
const { scannableContent } = removeExemptedSections(content);
// Scan for each pattern
for (const pattern of ATTACK_SURFACE_PATTERNS) {
const matches = scannableContent.matchAll(pattern.regex);
for (const match of matches) {
// Get line number
const beforeMatch = scannableContent.slice(0, match.index);
const lineNumber = (beforeMatch.match(/\n/g) || []).length + 1;
findings.push({
type: pattern.type,
description: pattern.description,
match: match[0],
lineNumber,
suggestion: pattern.suggestion,
example: pattern.example
});
}
}
return findings;
}
/**
* Validate file for attack surface exposures
* @param {string} filePath - Path to file
* @param {string} content - File content
* @returns {Object} - {allowed: boolean, violations: Array}
*/
function validateFile(filePath, content) {
const exposures = scanForExposures(content, filePath);
return {
allowed: exposures.length === 0,
violations: exposures.map(exp => ({
ruleId: 'inst_084',
severity: 'MEDIUM',
type: exp.type,
description: exp.description,
line: exp.lineNumber,
match: exp.match,
suggestion: exp.suggestion
}))
};
}
module.exports = {
scanForExposures,
validateFile,
isPublicDocument,
ATTACK_SURFACE_PATTERNS
};