
agentshield/ir/
data_surface.rs

1use serde::{Deserialize, Serialize};
2
3use super::SourceLocation;
4
/// Data-flow surface of an extension: where data comes in and where it goes out.
///
/// The source categories in [`TaintSourceType`] cover attacker-influenced input
/// (tool arguments, prompt content) as well as sensitive values (environment
/// variables, secret stores), so a recorded path can describe either an
/// injection or an exfiltration flow.
///
/// `Default` yields three empty lists. Nothing in this type distinguishes
/// "not analysed" from "analysed, nothing found", so an empty surface must not
/// be read as a clean result on its own.
#[derive(Clone, Debug, Default, Deserialize, Serialize)]
pub struct DataSurface {
    /// Taint sources: the places where untrusted data enters.
    pub sources: Vec<TaintSource>,
    /// Taint sinks: the places where data leaves or has an effect.
    pub sinks: Vec<TaintSink>,
    /// Detected taint paths, each connecting one source to one sink.
    pub taint_paths: Vec<TaintPath>,
}
15
/// One place where tainted data enters the extension.
#[derive(Clone, Debug, Deserialize, Serialize)]
pub struct TaintSource {
    /// Category of this entry point.
    pub source_type: TaintSourceType,
    /// Free-form, human-readable text about this source.
    // NOTE(review): if this text can contain snippets of the scanned code,
    // escape it when rendering reports — confirm against the producer.
    pub description: String,
    /// Location recorded for this source.
    pub location: SourceLocation,
}
22
/// Category of a taint source.
///
/// Serialized in `snake_case` (for example `tool_argument`), so renaming a
/// variant changes the serialized form that consumers see.
#[derive(Clone, Copy, Debug, Deserialize, Eq, Hash, PartialEq, Serialize)]
#[serde(rename_all = "snake_case")]
pub enum TaintSourceType {
    /// Tool input supplied by the user or the LLM.
    ToolArgument,
    /// Prompt text; a prompt-injection vector.
    PromptContent,
    /// Value read from an environment variable.
    EnvVariable,
    /// Access to a credential or secret.
    SecretStore,
    /// Data taken from an HTTP response.
    HttpResponse,
    /// Data read from a file.
    FileContent,
    /// Data coming from a database query.
    DatabaseQuery,
}
41
/// One place where data leaves the extension or has an effect.
#[derive(Clone, Debug, Deserialize, Serialize)]
pub struct TaintSink {
    /// Category of this sink.
    pub sink_type: TaintSinkType,
    /// Free-form, human-readable text about this sink.
    // NOTE(review): if this text can contain snippets of the scanned code,
    // escape it when rendering reports — confirm against the producer.
    pub description: String,
    /// Location recorded for this sink.
    pub location: SourceLocation,
}
48
/// Category of a taint sink.
///
/// Serialized in `snake_case` (for example `process_exec`), so renaming a
/// variant changes the serialized form that consumers see.
// NOTE(review): `exec` is named in the docs of both `ProcessExec` and
// `DynamicEval`; confirm which category the detector assigns to it.
#[derive(Clone, Copy, Debug, Deserialize, Eq, Hash, PartialEq, Serialize)]
#[serde(rename_all = "snake_case")]
pub enum TaintSinkType {
    /// Process execution: `subprocess`, `os.system`, `exec`.
    ProcessExec,
    /// Dynamic code evaluation: `eval()`, `exec()`, `compile()`.
    DynamicEval,
    /// Outbound HTTP request (exfiltration).
    HttpRequest,
    /// Write to the filesystem.
    FileWrite,
    /// `print` or logging output (information leak).
    LogOutput,
    /// Database write; potential SQL injection.
    // NOTE(review): injection applies to any statement built from tainted
    // data, not only writes — confirm where tainted read queries are classified.
    DatabaseWrite,
    /// Data handed back to the LLM.
    ResponseToLlm,
}
67
/// A detected flow from one taint source to one taint sink.
///
/// The path owns its own copies of the source and sink records rather than
/// referring to entries of a surrounding list.
#[derive(Clone, Debug, Deserialize, Serialize)]
pub struct TaintPath {
    /// Where the tainted data originates.
    pub source: TaintSource,
    /// Where the tainted data ends up.
    pub sink: TaintSink,
    /// Intermediate nodes along the taint propagation.
    pub through: Vec<SourceLocation>,
    /// Confidence that this path is exploitable, from 0.0 to 1.0.
    ///
    /// The range is not enforced by the type: a value built by hand or
    /// deserialized from a report may lie outside it (or be NaN, depending on
    /// the format). Validate it before comparing against a threshold.
    pub confidence: f32,
}