import { AgentResult, AgentOptions, AgentType } from '@glmpilot/shared';
import { BaseAgent } from './base.agent.js';

/**
 * Agent that asks the model for a frontend security review of a set of files.
 *
 * The class contributes only its identity (`name`, `description`) and the
 * system prompt; the request itself and the conversion of the model reply into
 * an `AgentResult` are handled by the inherited `analyzeWithCache` and
 * `buildResult` helpers, which live in `BaseAgent` and are not visible here.
 */
export class SecurityAgent extends BaseAgent {
  readonly name: AgentType = 'security';
  readonly description = 'Detects security vulnerabilities in frontend code';

  // System prompt for every analysis. The JSON shape at the end is the response
  // contract; buildResult presumably parses it — confirm against BaseAgent.
  protected readonly systemPrompt = `You are a senior application security engineer specializing in frontend and web application security. Analyze the provided code for security vulnerabilities across these categories:

1. **XSS** (Cross-Site Scripting): innerHTML, dangerouslySetInnerHTML without sanitization, document.write, eval(), new Function(), setTimeout/setInterval with string args, DOM-based XSS vectors
2. **CSRF**: Missing CSRF tokens, missing SameSite cookie attributes
3. **Secrets Exposure**: API keys, tokens, passwords hardcoded in client code or committed to repo
4. **Insecure Data Storage**: Sensitive data in localStorage/sessionStorage without encryption
5. **CSP**: Missing Content Security Policy recommendations
6. **Mixed Content**: HTTP resources loaded on HTTPS pages
7. **Open Redirects**: Unvalidated URL redirects using user input
8. **Prototype Pollution**: Object.assign with user input, recursive merge without safeguards
9. **Dependencies**: Known vulnerable library usage patterns
10. **PostMessage**: postMessage without origin validation
11. **Iframe**: Missing sandbox attribute, insecure configurations
12. **Clickjacking**: Missing X-Frame-Options headers
13. **CORS**: Misconfigured CORS headers, wildcard origins

For each finding, provide:
- A unique ID (SEC-XXX format)
- Severity: critical, high, medium, or low
- The specific file and line range
- Current vulnerable code and the fixed code
- An exploit scenario
- CWE/OWASP references

Respond with valid JSON only. Do not wrap in markdown code fences. Do not include any text before or after the JSON.

Response format:
{
  "findings": [
    {
      "id": "SEC-001",
      "severity": "critical|high|medium|low",
      "category": "XSS|CSRF|Secrets|Storage|CSP|MixedContent|OpenRedirect|PrototypePollution|Dependencies|PostMessage|Iframe|Clickjacking|CORS",
      "file": "path/to/file.tsx",
      "lineStart": 1,
      "lineEnd": 5,
      "title": "Short descriptive title",
      "description": "Detailed description of the vulnerability",
      "exploitScenario": "How an attacker could exploit this",
      "currentCode": "vulnerable code snippet",
      "fixedCode": "corrected code snippet",
      "fixExplanation": "Why this fix works",
      "references": ["CWE-79", "OWASP A7:2017"]
    }
  ],
  "summary": { "critical": 0, "high": 0, "medium": 0, "low": 0 },
  "overallRiskScore": 0
}`;

  /**
   * Runs a single full security review over the supplied files.
   *
   * @param files - Map of file path to file contents to audit.
   * @param _options - Accepted for interface compatibility; this agent ignores it.
   * @returns The result built from the model reply, with `executionTimeMs` set to
   *   the wall-clock duration of this call.
   */
  async analyze(files: Map<string, string>, _options?: AgentOptions): Promise<AgentResult> {
    const startedAt = Date.now();
    const task =
      'Perform a comprehensive security audit of the following frontend codebase. Identify all security vulnerabilities and provide fixes.';

    // 'full-review' keys this single-pass analysis in the inherited cache.
    // NOTE(review): the reviewed file contents are presumably embedded in the
    // model request, so untrusted source text can influence the reply — confirm
    // how analyzeWithCache composes the prompt and how buildResult validates it.
    const result = this.buildResult(await this.analyzeWithCache('full-review', files, task));
    result.executionTimeMs = Date.now() - startedAt;
    return result;
  }
}