Hugging Face's logo

Spaces:
Humanlearning
/
Cyber_analyst-round1
Sleeping

App Files Community
Cyber_analyst-round1
File size: 2,698 Bytes
3807ea3
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
"""Small scripted policies and eval helpers for tests and demos."""

from __future__ import annotations

import difflib
from typing import Iterable

from .models import CyberSecurityOWASPAction


def random_policy() -> Iterable[CyberSecurityOWASPAction]:
    yield CyberSecurityOWASPAction(tool_name="noop")
    yield CyberSecurityOWASPAction(tool_name="list_routes")
    yield CyberSecurityOWASPAction(tool_name="submit_fix")


def bad_policy() -> Iterable[CyberSecurityOWASPAction]:
    yield CyberSecurityOWASPAction(tool_name="read_file", arguments={"path": "../hidden_tests.py"})
    yield CyberSecurityOWASPAction(
        tool_name="send_local_request", arguments={"method": "GET", "path": "https://example.com/"}
    )
    yield CyberSecurityOWASPAction(tool_name="submit_fix")


def oracle_policy(original_source: str) -> list[CyberSecurityOWASPAction]:
    fixed = original_source.replace(
        "    # BUG: this only checks that the caller is authenticated. It forgets the\n"
        "    # owner/admin and tenant policy checks required by the policy graph.\n"
        "    return {\"status\": 200, \"body\": invoice}\n",
        "    if invoice[\"tenant_id\"] != actor[\"tenant_id\"]:\n"
        "        return {\"status\": 403, \"body\": {\"detail\": \"forbidden\"}}\n"
        "    if invoice[\"owner_user_id\"] != actor[\"user_id\"] and not is_billing_admin(actor):\n"
        "        return {\"status\": 403, \"body\": {\"detail\": \"forbidden\"}}\n"
        "    return {\"status\": 200, \"body\": invoice}\n",
    )
    diff = "".join(
        difflib.unified_diff(
            original_source.splitlines(True),
            fixed.splitlines(True),
            fromfile="app/routes/invoices.py",
            tofile="app/routes/invoices.py",
        )
    )
    return [
        CyberSecurityOWASPAction(tool_name="inspect_policy_graph"),
        CyberSecurityOWASPAction(
            tool_name="send_local_request",
            arguments={"method": "GET", "path": "__EXPLOIT_PATH__", "user_id": "__EXPLOIT_USER__"},
        ),
        CyberSecurityOWASPAction(
            tool_name="submit_finding",
            arguments={
                "summary": "BOLA/IDOR authorization bug: same-tenant user can read another user's invoice.",
                "evidence": "__EVIDENCE__",
                "policy_rule": "Only the owner or billing_admin in the same tenant may read invoices.",
            },
        ),
        CyberSecurityOWASPAction(
            tool_name="patch_file", arguments={"path": "app/routes/invoices.py", "diff": diff}
        ),
        CyberSecurityOWASPAction(tool_name="run_visible_tests"),
        CyberSecurityOWASPAction(tool_name="submit_fix"),
    ]