Add API category token matching and new test cases for API5

Av7danger · Av7danger · commit 2c14c8859868 · 2026-03-08T15:00:13.000+05:30
- Introduced a new helper function `_has_api_category_token` in `validate.py` to improve matching of OWASP API category tokens.
- Updated the validation logic to utilize the new function for better accuracy in detecting API-related vulnerabilities.
- Added test cases in `test_ai_modules.py` to verify the correct triggering of deterministic findings for API5 and ensure that non-OWASP markers do not trigger false positives.
diff --git a/src/secnodeapi/ai/validate.py b/src/secnodeapi/ai/validate.py
@@ -36,6 +36,11 @@ def _class_keywords(result: TestResult) -> str:
     )
 
 
+def _has_api_category_token(category_text: str, api_number: int) -> bool:
+    """Match exact OWASP API category tokens like API1 without matching API10."""
+    return re.search(rf"\bapi{api_number}\b", category_text) is not None
+
+
 def _deterministic_validate_result(result: TestResult) -> Optional[Finding]:
     """Deterministic validators for high-value classes to reduce hallucinations."""
     category_text = _class_keywords(result)
@@ -46,16 +51,16 @@ def _deterministic_validate_result(result: TestResult) -> Optional[Finding]:
 
     bola_like = (
         any(keyword in category_text for keyword in ("bola", "idor", "bfla", "broken object", "broken function"))
-        or re.search(r"\bapi1\b", category_text) is not None
-        or re.search(r"\bapi5\b", category_text) is not None
+        or _has_api_category_token(category_text, 1)
+        or _has_api_category_token(category_text, 5)
     )
     mass_assignment_like = (
         any(keyword in category_text for keyword in ("mass assignment", "bopla"))
-        or re.search(r"\bapi3\b", category_text) is not None
+        or _has_api_category_token(category_text, 3)
     )
     rate_limit_like = (
         any(keyword in category_text for keyword in ("rate limit", "ratelimit"))
-        or re.search(r"\bapi4\b", category_text) is not None
+        or _has_api_category_token(category_text, 4)
     )
 
     if bola_like and is_2xx:
diff --git a/tests/test_ai_modules.py b/tests/test_ai_modules.py
@@ -190,3 +190,72 @@ async def fake_call_llm(*args, **kwargs):
     assert called is True
     assert confirmed == []
     assert suspected == []
+
+
+@pytest.mark.asyncio
+async def test_classify_findings_api5_token_triggers_deterministic(monkeypatch) -> None:
+    test_case = TestCase(
+        id="T-API5-1",
+        name="Authorization check",
+        description="token-only category marker",
+        owasp_category="API5:2023",
+        endpoint="/admin/actions",
+        method="POST",
+    )
+    result = TestResult(
+        test_case=test_case,
+        status_code=200,
+        response_body='{"ok":true}',
+        response_headers={},
+        request_url="https://api.example.com/admin/actions",
+        request_headers={},
+        request_body=None,
+        response_time_ms=12.0,
+    )
+
+    async def fail_if_called(*args, **kwargs):
+        raise AssertionError("LLM should not be called for deterministic finding")
+
+    monkeypatch.setattr("secnodeapi.ai.validate.call_llm", fail_if_called)
+    confirmed, suspected = await classify_findings([result])
+    assert len(confirmed) == 1
+    assert confirmed[0].validation_source == "deterministic"
+    assert suspected == []
+
+
+@pytest.mark.asyncio
+async def test_classify_findings_api50_does_not_trigger_api5_deterministic(monkeypatch) -> None:
+    test_case = TestCase(
+        id="T-API50-1",
+        name="Non-OWASP marker",
+        description="custom internal category only",
+        owasp_category="API50: custom internal tag",
+        endpoint="/custom/path",
+        method="GET",
+    )
+    result = TestResult(
+        test_case=test_case,
+        status_code=200,
+        response_body='{"status":"ok"}',
+        response_headers={},
+        request_url="https://api.example.com/custom/path",
+        request_headers={},
+        request_body=None,
+        response_time_ms=10.0,
+    )
+    called = False
+
+    async def fake_call_llm(*args, **kwargs):
+        nonlocal called
+        called = True
+        return (
+            '{"analysis":"not vulnerable","is_vulnerable":false,"cvss_score":0.0,'
+            '"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",'
+            '"description":"no issue","remediation":"none","confidence":0.9}'
+        )
+
+    monkeypatch.setattr("secnodeapi.ai.validate.call_llm", fake_call_llm)
+    confirmed, suspected = await classify_findings([result])
+    assert called is True
+    assert confirmed == []
+    assert suspected == []
