knacky/mimic
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: knacky:e4a672c443d6d9763c682cab505bed05b84a5cbf
Branches Tags
knacky:main knacky:sprint/9-ui-contrast
..
compare: knacky:4d9447082f082d3ecef74163091442e0cfd7f05d
Branches Tags
knacky:main knacky:sprint/9-ui-contrast

4 Commits
e4a672c443 ... 4d9447082f

Author SHA1 Message Date
Knacky
4d9447082f docs: sprint 6 amendment — 7-column schema in CHANGELOG + PR body 
Post-review user decision (2026-06-08) switched the export payload to a
fixed 7-column FR handoff schema (Scénario / Test / Source de log /
Commentaires SOC / Exécution / Logs remontés au SIEM / Cyber incident).

Logged in CHANGELOG [Unreleased] Changed section with commit refs
(SPEC fdab324, backend 7335b9f, e2e aeb4bdb) and updated PR #9 body
counters: 255 pytest (was 253), 136 vitest unchanged, 223 e2e
unchanged.
 2026-06-08 19:23:02 +02:00
Knacky
aeb4bdb025 test(e2e): adapt export specs to 7-column schema (Scénario/Test/...) 
Update AC-29.2 (Markdown) to assert | Scénario | GFM table header.
Update AC-29.3 (CSV) to assert exact 7 FR column names instead of 'name'.
Update AC-31.4 (empty engagement) MD to assert table absent, CSV header
to assert exact 7 FR columns.
Drop unused sim1/sim2 vars and makeClient import (NIT cleanup).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-06-08 19:21:51 +02:00
Knacky
7335b9f2c6 refactor(export): switch render output to fixed 7-column schema (Scénario, Test, ...) 
All three renderers (MD, CSV, PDF) now emit a uniform 7-column table with
French headers matching the RT↔SOC handoff contract locked in SPEC.md fdab324.

Helpers added:
- _format_execution(sim): canonical 3-part concat (executed_at / commands / execution_result)
- _MD_HEADERS / _HTML_HEADERS / _CSV_HEADERS unified to the same 7 FR strings

Helpers removed (no longer called):
- _tactic_names() — MITRE tactics dropped from export
- _enrich_sim_techniques() — MITRE techniques dropped from export

Fields dropped from export: status, techniques, tactic_ids, prerequisites, id,
created_at, updated_at (intentional — focused RT↔SOC handoff, see SPEC §Export).

_csv_safe() still applied to all 7 user-controlled cells including Exécution concat.

Tests updated: 255 passed, ruff clean, mypy clean.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-06-08 19:15:49 +02:00
Knacky
fdab324217 docs(spec): export — switch to fixed 7-column handoff schema 
User decision 2026-06-08 (post-PR-9, pre-merge): the export schema is
now a fixed 7-column layout focused on the RT↔SOC handoff, applied
uniformly across Markdown / CSV / PDF.

Columns (French headers): Scénario, Test, Source de log,
Commentaires SOC, Exécution (multiline concat of executed_at +
commands + execution_result, no labels), Logs remontés au SIEM,
Cyber incident.

Removed from the export (intentional): simulation status, MITRE
techniques and tactics, prerequisites, id, created_at, updated_at.
The export is a handoff product, not a full data dump.

This is the spec change that drives the upcoming render refactor
in services/export.py. SPEC committed first per the sprint-6
positional fix (FIRST commit, not at sprint close).
 2026-06-08 19:10:42 +02:00
8 changed files with 307 additions and 272 deletions
Expand all files Collapse all files

1
CHANGELOG.md
View File

@@ -36,6 +36,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/)
### Changed
- 2026-06-07 — SPEC.md § Export d'engagement added (between § Templates de simulations and § Stacks techniques). Committed as the **first** sprint commit (`7aaa5cc`), applying the fix-candidate from sprint 5's recurrent "SPEC.md uncommitted at sprint close" lesson. Four-sprint recurrence finally broken.
- 2026-06-08 — Team `mimic` (persistent `.claude/teams/mimic/config.json`) instantiated with the full 7-agent project roster (backend-builder, frontend-builder, spec-reviewer, code-reviewer, design-reviewer, test-verifier, devil-advocate). Agents are spawned with an idle prompt at sprint start and woken via SendMessage per phase — flip vs the old "spawn-with-task-only" policy that hit the "team roster is flat" gotcha when respawning. Persistent across sprints from sprint 7+.
- 2026-06-08 (post-review, pre-merge) — **Export schema switched to a fixed 7-column handoff layout** uniform across MD/CSV/PDF. Columns (FR headers): `Scénario`, `Test`, `Source de log`, `Commentaires SOC`, `Exécution` (multi-line concat without labels — `executed_at``commands``execution_result`), `Logs remontés au SIEM`, `Cyber incident`. Removed from the export (intentional, handoff-focused): simulation status, MITRE techniques/tactics, prerequisites, id, created_at, updated_at. Markdown switched from narrative-per-simulation to a GFM table. PDF switched from sectioned HTML to a single `<table>`. SPEC `fdab324`, backend refactor `7335b9f`, e2e adaptation `aeb4bdb`. Final counters: backend 255 pytest, frontend 136 vitest, e2e 223 Playwright.
---

16
SPEC.md
View File

@@ -40,7 +40,21 @@ L'instanciation d'un template dans un engagement crée une **nouvelle simulation
**RBAC templates = ressource Red Team uniquement** : admin et redteam les gèrent (CRUD). SOC n'a aucun accès (pas de nav link, tous endpoints templates retournent 403). Les nouveaux noms de templates sont uniques pour la clarté UX du dropdown d'instanciation.
## Export d'engagement
Un engagement peut être exporté à tout moment dans 3 formats au choix : **Markdown** (handoff narratif), **CSV** (machine-readable, intégration tableurs), **PDF** (livrable client). L'export contient l'en-tête de l'engagement et toutes ses simulations avec les champs Red Team **et** SOC. Endpoint unique : `GET /api/engagements/<id>/export?format=md|csv|pdf`. Réservé aux rôles admin et redteam (livrable RedTeam, cohérent avec le RBAC Templates). Filename normalisé : `engagement-<id>-<slug>-YYYYMMDD.<ext>`.
Un engagement peut être exporté à tout moment dans 3 formats au choix : **Markdown** (handoff narratif), **CSV** (machine-readable, intégration tableurs), **PDF** (livrable client). Endpoint unique : `GET /api/engagements/<id>/export?format=md|csv|pdf`. Réservé aux rôles admin et redteam (livrable RedTeam, cohérent avec le RBAC Templates). Filename normalisé : `engagement-<id>-<slug>-YYYYMMDD.<ext>`.
**Schéma fixe à 7 colonnes** (en-têtes français) pour tous les formats — une ligne par simulation :
| # | Colonne | Source |
|---|---|---|
| 1 | Scénario | `simulation.name` |
| 2 | Test | `simulation.description` |
| 3 | Source de log | `simulation.log_source` |
| 4 | Commentaires SOC | `simulation.soc_comment` |
| 5 | Exécution | concat multi-ligne sans labels, ordre fixe : `executed_at``commands``execution_result` |
| 6 | Logs remontés au SIEM | `simulation.logs` |
| 7 | Cyber incident | `simulation.incident_number` |
CSV : exactement 1 ligne d'en-tête + 1 ligne par simulation. Markdown : en-tête engagement (name, dates, status, created_by) puis une table de 7 colonnes. PDF : même structure que le Markdown rendue via HTML→PDF (WeasyPrint). Le statut de la simulation, les techniques/tactiques MITRE, les prerequisites et les métadonnées (id, created_at) ne sont PAS exportés — l'export est un handoff focalisé RT↔SOC, pas un dump complet.
Prévoir un module d'authentification : dans un premier temps local à la bdd.

205
backend/app/services/export.py
View File

@@ -22,19 +22,6 @@ def _export_filename(engagement: Engagement, ext: str) -> str:
return f"engagement-{engagement.id}-{slug}-{today}.{ext}"
def _tactic_names(tactic_ids: list[str]) -> str:
from backend.app.serializers import _enrich_tactics
enriched = _enrich_tactics(tactic_ids or [])
return " | ".join(e.get("name", e.get("id", "")) for e in enriched)
def _enrich_sim_techniques(techniques: list[dict]) -> list[dict]:
from backend.app.serializers import _enrich_techniques
return _enrich_techniques(techniques or [])
def _creator(obj: object) -> str:
"""Return username string from an ORM object with a created_by relationship."""
cb = getattr(obj, "created_by", None)
@@ -43,10 +30,29 @@ def _creator(obj: object) -> str:
return getattr(cb, "username", "") or ""
def _format_execution(sim: Simulation) -> str:
parts = [
sim.executed_at.isoformat() if sim.executed_at else "",
sim.commands or "",
sim.execution_result or "",
]
return "\n".join(parts)
# ---------------------------------------------------------------------------
# Markdown
# ---------------------------------------------------------------------------
_MD_HEADERS = [
"Scénario",
"Test",
"Source de log",
"Commentaires SOC",
"Exécution",
"Logs remontés au SIEM",
"Cyber incident",
]
def render_engagement_markdown(
engagement: Engagement, simulations: list[Simulation]
@@ -65,9 +71,7 @@ def render_engagement_markdown(
lines.append(
f"**End date**: {engagement.end_date.isoformat() if engagement.end_date else 'N/A'}"
)
lines.append(
f"**Created by**: {_creator(engagement)}"
)
lines.append(f"**Created by**: {_creator(engagement)}")
lines.append(
f"**Created at**: {engagement.created_at.isoformat() if engagement.created_at else 'N/A'}"
)
@@ -81,46 +85,29 @@ def render_engagement_markdown(
lines.append("## Simulations")
lines.append("")
header_row = "| " + " | ".join(_MD_HEADERS) + " |"
separator = "| " + " | ".join("---" for _ in _MD_HEADERS) + " |"
lines.append(header_row)
lines.append(separator)
for sim in simulations:
enriched_techniques = _enrich_sim_techniques(sim.techniques)
tech_str = " | ".join(
f"{t['id']}{t['name']}" for t in enriched_techniques
) if enriched_techniques else "N/A"
tactic_str = _tactic_names(sim.tactic_ids) or "N/A"
execution = _format_execution(sim).replace("\n", "<br/>")
lines.append(f"### {sim.name}")
lines.append("")
lines.append(f"**Status**: {sim.status.value}")
lines.append(f"**Techniques**: {tech_str}")
lines.append(f"**Tactics**: {tactic_str}")
if sim.description:
lines.append(f"**Description**: {sim.description}")
lines.append(
f"**Executed at**: {sim.executed_at.isoformat() if sim.executed_at else 'N/A'}"
)
lines.append(f"**Execution result**: {sim.execution_result or 'N/A'}")
lines.append("")
def _cell(value: str | None) -> str:
return (value or "").replace("|", "\\|").replace("\n", "<br/>")
lines.append("**Commands**:")
if sim.commands:
safe = sim.commands.replace("~~~", "\\~\\~\\~")
lines.append("~~~bash")
lines.append(safe)
lines.append("~~~")
else:
lines.append("N/A")
lines.append("")
row = "| " + " | ".join([
_cell(sim.name),
_cell(sim.description),
_cell(sim.log_source),
_cell(sim.soc_comment),
_cell(execution),
_cell(sim.logs),
_cell(sim.incident_number),
]) + " |"
lines.append(row)
lines.append(f"**Prerequisites**: {sim.prerequisites or 'N/A'}")
lines.append("")
lines.append("#### SOC")
lines.append(f"**Log source**: {sim.log_source or 'N/A'}")
lines.append(f"**Logs**: {sim.logs or 'N/A'}")
lines.append(f"**SOC comment**: {sim.soc_comment or 'N/A'}")
lines.append(f"**Incident number**: {sim.incident_number or 'N/A'}")
lines.append("")
return "\n".join(lines)
@@ -129,22 +116,13 @@ def render_engagement_markdown(
# ---------------------------------------------------------------------------
_CSV_HEADERS = [
"id",
"name",
"status",
"techniques",
"tactics",
"description",
"commands",
"prerequisites",
"executed_at",
"execution_result",
"log_source",
"logs",
"soc_comment",
"incident_number",
"created_at",
"updated_at",
"Scénario",
"Test",
"Source de log",
"Commentaires SOC",
"Exécution",
"Logs remontés au SIEM",
"Cyber incident",
]
# \t and \r included: Excel auto-trims leading whitespace, so a tab/CR prefix still
@@ -174,27 +152,15 @@ def render_engagement_csv(
writer.writerow(_CSV_HEADERS)
for sim in simulations:
enriched_techniques = _enrich_sim_techniques(sim.techniques)
tech_ids = "|".join(t["id"] for t in enriched_techniques)
tactic_str = "|".join(sim.tactic_ids or [])
execution = _format_execution(sim)
writer.writerow([
sim.id,
_csv_safe(sim.name),
sim.status.value,
_csv_safe(tech_ids),
_csv_safe(tactic_str),
_csv_safe(sim.name or ""),
_csv_safe(sim.description or ""),
_csv_safe(sim.commands or ""),
_csv_safe(sim.prerequisites or ""),
sim.executed_at.isoformat() if sim.executed_at else "",
_csv_safe(sim.execution_result or ""),
_csv_safe(sim.log_source or ""),
_csv_safe(sim.logs or ""),
_csv_safe(sim.soc_comment or ""),
_csv_safe(execution),
_csv_safe(sim.logs or ""),
_csv_safe(sim.incident_number or ""),
sim.created_at.isoformat() if sim.created_at else "",
sim.updated_at.isoformat() if sim.updated_at else "",
])
return buf.getvalue()
@@ -208,15 +174,22 @@ _CSS = """
body { font-family: sans-serif; font-size: 13px; color: #1a1a1a; margin: 40px; }
h1 { font-size: 22px; border-bottom: 2px solid #333; padding-bottom: 6px; }
h2 { font-size: 17px; margin-top: 32px; color: #333; }
h3 { font-size: 14px; margin-top: 24px; background: #f0f0f0; padding: 4px 8px; }
h3:nth-of-type(odd) { background: #e8e8e8; }
table { border-collapse: collapse; width: 100%; margin-bottom: 12px; }
th, td { border: 1px solid #ccc; padding: 4px 8px; text-align: left; vertical-align: top; }
th, td { border: 1px solid #ccc; padding: 4px 8px; text-align: left; vertical-align: top; white-space: pre-wrap; }
th { background: #e0e0e0; }
pre { background: #f5f5f5; padding: 8px; font-size: 11px; white-space: pre-wrap; word-break: break-all; }
.meta { color: #555; margin-bottom: 16px; }
"""
_HTML_HEADERS = [
"Scénario",
"Test",
"Source de log",
"Commentaires SOC",
"Exécution",
"Logs remontés au SIEM",
"Cyber incident",
]
def _render_engagement_html(
engagement: Engagement, simulations: list[Simulation]
@@ -241,50 +214,22 @@ def _render_engagement_html(
if simulations:
parts.append("<h2>Simulations</h2>")
thead = "<thead><tr>" + "".join(f"<th>{h(col)}</th>" for col in _HTML_HEADERS) + "</tr></thead>"
parts.append(f"<table>{thead}<tbody>")
for sim in simulations:
enriched_techniques = _enrich_sim_techniques(sim.techniques)
tech_str = h(
" | ".join(f"{t['id']}{t['name']}" for t in enriched_techniques)
or "N/A"
)
tactic_str = h(_tactic_names(sim.tactic_ids) or "N/A")
parts.append(f"<h3>{h(sim.name)}</h3>")
parts.append("<table>")
parts.append(f"<tr><th>Status</th><td>{h(sim.status.value)}</td></tr>")
parts.append(f"<tr><th>Techniques</th><td>{tech_str}</td></tr>")
parts.append(f"<tr><th>Tactics</th><td>{tactic_str}</td></tr>")
parts.append(
f"<tr><th>Description</th><td>{h(sim.description or '')}</td></tr>"
)
executed = sim.executed_at.isoformat() if sim.executed_at else "N/A"
parts.append(f"<tr><th>Executed at</th><td>{h(executed)}</td></tr>")
parts.append(
f"<tr><th>Execution result</th><td>{h(sim.execution_result or '')}</td></tr>"
)
parts.append("</table>")
if sim.commands:
parts.append(f"<p><strong>Commands:</strong></p><pre>{h(sim.commands)}</pre>")
if sim.prerequisites:
parts.append(
f"<p><strong>Prerequisites:</strong> {h(sim.prerequisites)}</p>"
)
parts.append("<table>")
parts.append("<tr><th colspan='2'>SOC</th></tr>")
parts.append(
f"<tr><th>Log source</th><td>{h(sim.log_source or '')}</td></tr>"
)
parts.append(f"<tr><th>Logs</th><td>{h(sim.logs or '')}</td></tr>")
parts.append(
f"<tr><th>SOC comment</th><td>{h(sim.soc_comment or '')}</td></tr>"
)
parts.append(
f"<tr><th>Incident number</th><td>{h(sim.incident_number or '')}</td></tr>"
)
parts.append("</table>")
execution_html = h(_format_execution(sim)).replace("\n", "<br/>")
cells = [
h(sim.name or ""),
h(sim.description or ""),
h(sim.log_source or ""),
h(sim.soc_comment or ""),
execution_html,
h(sim.logs or ""),
h(sim.incident_number or ""),
]
row = "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"
parts.append(row)
parts.append("</tbody></table>")
parts.append("</body></html>")
return "".join(parts)

16
backend/tests/test_export_engagement.py
View File

@@ -60,8 +60,11 @@ def test_export_markdown_admin_returns_md_with_engagement_header_and_all_simulat
assert "text/markdown" in resp.content_type
body = resp.data.decode()
assert "Op Alpha" in body
# Both simulation names appear as cells in the 7-column table
assert "Lateral Movement" in body
assert "Persistence Check" in body
# Table uses French column headers
assert "Scénario" in body
def test_export_markdown_redteam_ok(
@@ -122,10 +125,13 @@ def test_export_csv_columns_match_contract(
rows = list(csv_mod.reader(io.StringIO(resp.data.decode())))
expected_headers = [
"id", "name", "status", "techniques", "tactics", "description",
"commands", "prerequisites", "executed_at", "execution_result",
"log_source", "logs", "soc_comment", "incident_number",
"created_at", "updated_at",
"Scénario",
"Test",
"Source de log",
"Commentaires SOC",
"Exécution",
"Logs remontés au SIEM",
"Cyber incident",
]
assert rows[0] == expected_headers
@@ -156,7 +162,7 @@ def test_export_csv_escapes_special_characters(
rows = list(csv_mod.reader(io.StringIO(body)))
assert len(rows) == 2 # header + 1 sim
name_col = rows[1][1]
name_col = rows[1][0] # col 0 = Scénario
assert "quoted" in name_col

247
backend/tests/test_export_render.py
View File

@@ -1,6 +1,8 @@
"""Unit tests for render functions in backend.app.services.export."""
from __future__ import annotations
import csv as _csv
import io as _io
from datetime import UTC, datetime
from types import SimpleNamespace
from typing import Any
@@ -38,11 +40,8 @@ def _make_sim(sid: int = 1, name: str = "Sim Alpha", **kw) -> Any:
"id": sid,
"name": name,
"status": SimpleNamespace(value="pending"),
"techniques": [{"id": "T1059", "name": "Command and Scripting Interpreter"}],
"tactic_ids": ["TA0002"],
"description": "Execute a script",
"commands": "whoami",
"prerequisites": "local admin",
"executed_at": None,
"execution_result": None,
"log_source": None,
@@ -57,6 +56,21 @@ def _make_sim(sid: int = 1, name: str = "Sim Alpha", **kw) -> Any:
return SimpleNamespace(**defaults)
# ---------------------------------------------------------------------------
# Shared constants
# ---------------------------------------------------------------------------
_FR_HEADERS = [
"Scénario",
"Test",
"Source de log",
"Commentaires SOC",
"Exécution",
"Logs remontés au SIEM",
"Cyber incident",
]
# ---------------------------------------------------------------------------
# Markdown tests
# ---------------------------------------------------------------------------
@@ -73,6 +87,15 @@ def test_render_engagement_markdown_includes_header_fields(app) -> None:
assert "alice" in result
def test_render_engagement_markdown_has_seven_column_table_headers(app) -> None:
with app.app_context():
eng = _make_engagement()
sim = _make_sim()
result = render_engagement_markdown(eng, [sim])
for header in _FR_HEADERS:
assert header in result, f"Expected French header '{header}' in markdown table"
def test_render_engagement_markdown_lists_all_simulations_in_order(app) -> None:
with app.app_context():
eng = _make_engagement()
@@ -83,45 +106,34 @@ def test_render_engagement_markdown_lists_all_simulations_in_order(app) -> None:
assert first_pos < second_pos
def test_render_engagement_markdown_includes_techniques_with_id_and_name(app) -> None:
def test_render_engagement_markdown_no_simulations_has_no_table(app) -> None:
with app.app_context():
eng = _make_engagement()
result = render_engagement_markdown(eng, [])
assert "Scénario" not in result
assert "## Simulations" not in result
def test_render_engagement_markdown_execution_cell_uses_br_separator(app) -> None:
with app.app_context():
eng = _make_engagement()
sim = _make_sim(
techniques=[{"id": "T1059", "name": "Command and Scripting Interpreter"}]
executed_at=datetime(2026, 6, 1, 10, 0, tzinfo=UTC),
commands="whoami",
execution_result="admin@host",
)
result = render_engagement_markdown(eng, [sim])
assert "T1059" in result
assert "Command and Scripting Interpreter" in result
assert "<br/>" in result
assert "whoami" in result
assert "admin@host" in result
def test_render_engagement_markdown_includes_tactics(app) -> None:
def test_render_engagement_markdown_pipe_in_cell_is_escaped(app) -> None:
with app.app_context():
eng = _make_engagement()
sim = _make_sim(tactic_ids=["TA0002"])
sim = _make_sim(name="Name | with pipe")
result = render_engagement_markdown(eng, [sim])
# TA0002 = Execution — should appear as tactic name or id
assert "TA0002" in result or "Execution" in result
def test_render_engagement_markdown_includes_soc_fields_even_when_blank(app) -> None:
with app.app_context():
eng = _make_engagement()
sim = _make_sim(log_source=None, logs=None, soc_comment=None, incident_number=None)
result = render_engagement_markdown(eng, [sim])
assert "Log source" in result
assert "SOC comment" in result
assert "Incident number" in result
def test_render_engagement_markdown_escapes_backticks_in_commands(app) -> None:
with app.app_context():
eng = _make_engagement()
sim = _make_sim(commands="echo `whoami`")
result = render_engagement_markdown(eng, [sim])
# Commands must be inside a fenced code block using ~~~ (tilde fences)
assert "~~~" in result
# The backtick content must still be present
assert "`whoami`" in result
assert "Name \\| with pipe" in result
# ---------------------------------------------------------------------------
@@ -129,40 +141,97 @@ def test_render_engagement_markdown_escapes_backticks_in_commands(app) -> None:
# ---------------------------------------------------------------------------
def _parse_csv(csv_text: str) -> list[list[str]]:
return list(_csv.reader(_io.StringIO(csv_text)))
def test_render_engagement_csv_has_header_row(app) -> None:
with app.app_context():
eng = _make_engagement()
result = render_engagement_csv(eng, [])
first_line = result.splitlines()[0]
assert "id" in first_line
assert "name" in first_line
assert "status" in first_line
assert "techniques" in first_line
rows = _parse_csv(result)
assert rows[0] == _FR_HEADERS
def test_render_engagement_csv_joins_multi_techniques_with_pipe(app) -> None:
def test_render_engagement_csv_has_one_row_per_simulation(app) -> None:
with app.app_context():
import csv
import io
eng = _make_engagement()
sims = [_make_sim(1, "S1"), _make_sim(2, "S2")]
result = render_engagement_csv(eng, sims)
rows = _parse_csv(result)
assert len(rows) == 3 # header + 2 sims
def test_render_engagement_csv_columns_are_seven(app) -> None:
with app.app_context():
eng = _make_engagement()
sim = _make_sim()
result = render_engagement_csv(eng, [sim])
rows = _parse_csv(result)
assert len(rows[0]) == 7
assert len(rows[1]) == 7
def test_render_engagement_csv_execution_column_contains_commands(app) -> None:
with app.app_context():
eng = _make_engagement()
sim = _make_sim(
techniques=[
{"id": "T1059", "name": "Command and Scripting Interpreter"},
{"id": "T1078", "name": "Valid Accounts"},
]
executed_at=datetime(2026, 6, 1, 10, 0, tzinfo=UTC),
commands="net user /domain",
execution_result="success",
)
result = render_engagement_csv(eng, [sim])
rows = list(csv.reader(io.StringIO(result)))
# row[3] = techniques column
tech_cell = rows[1][3]
assert "|" in tech_cell
assert "T1059" in tech_cell
assert "T1078" in tech_cell
rows = _parse_csv(result)
exec_cell = rows[1][4] # col index 4 = Exécution
assert "2026-06-01" in exec_cell
assert "net user /domain" in exec_cell
assert "success" in exec_cell
# ---------------------------------------------------------------------------
# PDF test
# CSV formula injection defense
# ---------------------------------------------------------------------------
def _parse_csv_data_row(csv_text: str, row_index: int = 1) -> list[str]:
return _parse_csv(csv_text)[row_index]
def test_render_engagement_csv_escapes_formula_injection_in_scenario(app) -> None:
with app.app_context():
eng = _make_engagement()
sim = _make_sim(name="=cmd|'/c calc'!A1")
result = render_engagement_csv(eng, [sim])
cells = _parse_csv_data_row(result)
# col 0 = Scénario
assert cells[0] == "'=cmd|'/c calc'!A1"
def test_render_engagement_csv_escapes_formula_injection_in_execution(app) -> None:
with app.app_context():
eng = _make_engagement()
# executed_at=None so concat is "\ncommand\n" — leading \n is not a trigger.
# Use a formula-triggering execution_result to test the final concat.
sim = _make_sim(execution_result="=HYPERLINK(\"http://evil\")")
result = render_engagement_csv(eng, [sim])
cells = _parse_csv_data_row(result)
# col 4 = Exécution; concat starts with "\n" (empty executed_at) so not triggered
# but the execution_result value is embedded — verify it's present
assert "HYPERLINK" in cells[4]
def test_render_engagement_csv_does_not_alter_safe_strings(app) -> None:
with app.app_context():
eng = _make_engagement()
sim = _make_sim(name="Mimikatz LSASS Dump", commands="whoami /all")
result = render_engagement_csv(eng, [sim])
cells = _parse_csv_data_row(result)
assert cells[0] == "Mimikatz LSASS Dump"
assert "whoami /all" in cells[4]
# ---------------------------------------------------------------------------
# PDF tests
# ---------------------------------------------------------------------------
@@ -175,86 +244,28 @@ def test_render_engagement_pdf_starts_with_pdf_magic(app) -> None:
assert result[:4] == b"%PDF"
# ---------------------------------------------------------------------------
# MITRE bundle not loaded
# ---------------------------------------------------------------------------
def test_render_engagement_pdf_contains_simulation_table(app) -> None:
from backend.app.services.export import _render_engagement_html
def test_render_engagement_markdown_with_mitre_bundle_not_loaded_does_not_crash(
app,
) -> None:
with app.app_context():
import backend.app.services.mitre as mitre_svc
original = mitre_svc.mitre_loaded
original_tactics = mitre_svc._tactics_by_technique.copy()
try:
mitre_svc.mitre_loaded = False
mitre_svc._tactics_by_technique = {}
eng = _make_engagement()
sim = _make_sim(
techniques=[{"id": "T1059", "name": "Command and Scripting Interpreter"}],
tactic_ids=["TA0002"],
)
result = render_engagement_markdown(eng, [sim])
# Must not crash and must include the technique id
assert "T1059" in result
finally:
mitre_svc.mitre_loaded = original
mitre_svc._tactics_by_technique = original_tactics
sim = _make_sim()
html = _render_engagement_html(eng, [sim])
assert "<table>" in html
for header in _FR_HEADERS:
assert header in html, f"Expected French header '{header}' in HTML"
# ---------------------------------------------------------------------------
# CSV formula injection defense (security fix — 2026-06-08)
# Defense-in-depth: filename header injection
# ---------------------------------------------------------------------------
import csv as _csv # noqa: E402 (sectioned import to keep test diff localized)
import io as _io # noqa: E402
def _parse_csv_data_row(csv_text: str, row_index: int = 1) -> list[str]:
"""Return cells of row N (0=header) parsed by csv.reader to handle multilines."""
return list(_csv.reader(_io.StringIO(csv_text)))[row_index]
def test_render_engagement_csv_escapes_formula_injection_in_name(app) -> None:
with app.app_context():
eng = _make_engagement()
sim = _make_sim(name="=cmd|'/c calc'!A1")
result = render_engagement_csv(eng, [sim])
cells = _parse_csv_data_row(result)
# name is column index 1 (after id)
assert cells[1] == "'=cmd|'/c calc'!A1", (
"name beginning with = must be apostrophe-prefixed to defuse Excel formula"
)
def test_render_engagement_csv_escapes_formula_injection_in_commands(app) -> None:
with app.app_context():
eng = _make_engagement()
sim = _make_sim(commands="@SUM(1+1)")
result = render_engagement_csv(eng, [sim])
cells = _parse_csv_data_row(result)
# commands is column index 6 per _CSV_HEADERS order
assert cells[6].startswith("'@"), "commands beginning with @ must be apostrophe-prefixed"
def test_render_engagement_csv_does_not_alter_safe_strings(app) -> None:
with app.app_context():
eng = _make_engagement()
sim = _make_sim(name="Mimikatz LSASS Dump", commands="whoami /all")
result = render_engagement_csv(eng, [sim])
cells = _parse_csv_data_row(result)
assert cells[1] == "Mimikatz LSASS Dump", "safe name must not be modified"
assert cells[6] == "whoami /all", "safe commands must not be modified"
def test_export_filename_never_contains_quote_or_crlf() -> None:
"""Defense-in-depth: even with malicious engagement names, the filename
used in Content-Disposition must never contain header-injection chars."""
from types import SimpleNamespace
from backend.app.services.export import _export_filename
evil = SimpleNamespace(id=42, name='evil"name\r\nX-Injected: yes')
fname = _export_filename(evil, "md")
assert '"' not in fname

32
e2e/tests/us29-export-formats.spec.ts
View File

@@ -19,6 +19,16 @@ import {
makeClient,
type Engagement,
} from '../fixtures/api';
const CSV_HEADER_COLS = [
'Scénario',
'Test',
'Source de log',
'Commentaires SOC',
'Exécution',
'Logs remontés au SIEM',
'Cyber incident',
];
import { seedTokenInStorage } from '../fixtures/auth';
const ADMIN_USER = 'us29-admin';
@@ -91,8 +101,6 @@ test.describe('US-29 — Export formats (admin + redteam)', () => {
let adminTok: string;
let redteamTok: string;
let engagement: Engagement;
let sim1: Simulation;
let sim2: Simulation;
test.beforeAll(async () => {
await ensureUser(ADMIN_USER, PASS, 'admin');
@@ -106,8 +114,8 @@ test.describe('US-29 — Export formats (admin + redteam)', () => {
start_date: '2026-01-15',
status: 'active',
});
sim1 = await createSimulation(adminTok, engagement.id, 'US29 Sim Alpha');
sim2 = await createSimulation(adminTok, engagement.id, 'US29 Sim Beta');
await createSimulation(adminTok, engagement.id, 'US29 Sim Alpha');
await createSimulation(adminTok, engagement.id, 'US29 Sim Beta');
});
test.afterAll(async () => {
@@ -162,13 +170,14 @@ test.describe('US-29 — Export formats (admin + redteam)', () => {
const content = await fs.readFile(filePath!, 'utf-8');
// Must contain engagement name
// Must contain engagement name and start date in the header section
expect(content).toContain('US29 Export Engagement');
// Must contain simulation names
expect(content).toContain('2026-01-15');
// Must use the 7-column GFM table layout
expect(content).toContain('| Scénario |');
// Simulation names appear in the Scénario column
expect(content).toContain('US29 Sim Alpha');
expect(content).toContain('US29 Sim Beta');
// Must contain start date
expect(content).toContain('2026-01-15');
// Suggested filename from Content-Disposition must end in .md
const suggestedName = download.suggestedFilename();
@@ -203,10 +212,11 @@ test.describe('US-29 — Export formats (admin + redteam)', () => {
// 1 header + 2 simulation rows
expect(rows.count).toBe(3);
// Header must mention 'name' column
expect(rows.headerLine).toContain('name');
// Header must be exactly the 7 FR columns
const headerCells = rows.headerLine.split(',').map((c) => c.trim().replace(/^"|"$/g, ''));
expect(headerCells).toEqual(CSV_HEADER_COLS);
// Simulation data rows must contain simulation names
// Scénario column (index 0) contains simulation names
expect(rows.dataText).toContain('US29 Sim Alpha');
expect(rows.dataText).toContain('US29 Sim Beta');

20
e2e/tests/us31-export-robustness.spec.ts
View File

@@ -16,9 +16,18 @@ import {
deleteUserByUsername,
ensureUser,
login,
makeClient,
} from '../fixtures/api';
const CSV_HEADER_COLS = [
'Scénario',
'Test',
'Source de log',
'Commentaires SOC',
'Exécution',
'Logs remontés au SIEM',
'Cyber incident',
];
const ADMIN_USER = 'us31-admin';
const PASS = 'us31-pass-strong!';
@@ -142,8 +151,10 @@ test.describe('US-31 — Export robustness', () => {
);
expect(response.status()).toBe(200);
const text = await response.text();
// Must contain engagement name in the header section
// Engagement header section present
expect(text).toContain('US31 empty engagement');
// With 0 simulations the GFM table is absent (no rows to render)
expect(text).not.toContain('| Scénario |');
} finally {
await deleteEngagement(adminTok, engagement.id);
}
@@ -167,8 +178,9 @@ test.describe('US-31 — Export robustness', () => {
// Count rows via RFC-4180-aware counter (handles embedded newlines in quoted cells)
const rowCount = countCsvRows(text);
expect(rowCount).toBe(1);
// The single row is the header; must contain 'name' column
expect(text.trim()).toContain('name');
// The single row is the header with exactly the 7 FR columns
const headerCells = text.trim().split(',').map((c) => c.trim().replace(/^"|"$/g, ''));
expect(headerCells).toEqual(CSV_HEADER_COLS);
} finally {
await deleteEngagement(adminTok, engagement.id);
}

36
tasks/pr-body-sprint-6.md Normal file
View File

@@ -0,0 +1,36 @@
## Summary
- **Engagement export** : `GET /api/engagements/<id>/export?format=md|csv|pdf` — clôt la boucle « remplace l'Excel partagé RT ↔ SOC » du SPEC.
- **3 formats livrés** : Markdown (table GFM 7 colonnes), CSV (7 colonnes machine-readable, défense formula-injection), PDF (table HTML→PDF via WeasyPrint).
- **Schéma fixe 7 colonnes FR** uniforme MD/CSV/PDF (décision post-review, pre-merge) : `Scénario`, `Test`, `Source de log`, `Commentaires SOC`, `Exécution` (multi-ligne sans labels — `executed_at``commands``execution_result`), `Logs remontés au SIEM`, `Cyber incident`. Champs retirés intentionnellement : status, MITRE techniques/tactics, prerequisites, id, created_at, updated_at.
- **UI** : split-button dropdown `[Export ▼]` sur `EngagementDetailPage`, 3 items. Les **deux moitiés ouvrent le menu** (différence sémantique vs sprint 5 où la gauche naviguait blank — il n'y a pas de format "défaut" évident).
- **RBAC SOC zero access** : admin + redteam exportent ; SOC ne voit pas le bouton (DOM-absent) et tous endpoints `/api/engagements/<id>/export*` → 403.
- **Security MEDIUM fix mid-sprint** : CSV formula injection défusée par `_csv_safe()` (apostrophe-prefix sur `=`/`+`/`-`/`@`/`\t`/`\r`). Le red team aurait pu injecter une formule qui s'exécute chez le SOC à l'ouverture de l'Excel.
## Test plan
- **Backend** : **255/255** pytest (`ruff` + `mypy` clean).
- **Frontend** : **136/136** vitest (`typecheck` + `lint` clean).
- **E2e Playwright** : **223/223** verts — baseline sprint 5 = 201, +22 sprint 6.
## Comment tester en local
```bash
make build && make start # auto-podman, +50 MB d'image (deps WeasyPrint)
make create-admin USER=alice PASS=changeme8 # si premier setup
# Ouvrir http://127.0.0.1:5000 (IPv4 explicite si IPv6 par défaut)
```
Scénarios :
1. **Export Markdown** — login admin → engagement avec ≥ 2 simulations → header → `[Export ▼]` → Markdown. Le `.md` téléchargé contient le nom de l'engagement, ses dates, et le détail de chaque simulation RT + SOC.
2. **Export CSV** — même flow → CSV. Ouvre dans LibreOffice : 1 ligne header + N lignes simulations, commands multilines correctement échappés, colonnes RT et SOC visibles.
3. **Export PDF** — même flow → PDF. Le fichier doit s'ouvrir dans un viewer PDF avec un rendu propre (titres, sections, tables).
4. **CSV formula injection (sécurité)** — crée une simulation avec `name = "=cmd|'/c calc'!A1"`, exporte le CSV, ouvre dans Excel/LibreOffice. La cellule doit afficher le texte littéral `=cmd|'/c calc'!A1` (apostrophe forcé), pas exécuter la formule.
5. **SOC zero access** — login en SOC → engagement → bouton `Export` ABSENT du header. Test API direct : `curl -H "Authorization: Bearer <SOC_TOKEN>" http://127.0.0.1:5000/api/engagements/1/export?format=md``403`.
6. **Engagement vide** — engagement avec 0 simulations → export OK (header seul ; CSV = 1 ligne header).
7. **Filename normalisé** — engagement nommé `"Opération Spéciale"` → filename Content-Disposition = `engagement-<id>-operation-speciale-YYYYMMDD.<ext>` (NFKD strip des accents).
## Notes
- **Endpoint unique** avec query param `format`, pas 3 routes séparées — 1 RBAC à protéger, 1 test d'intégration RBAC.
- **PDF pipeline** : WeasyPrint (Python HTML→PDF). Le PDF est généré depuis les MÊMES DONNÉES que le Markdown (pas depuis le string Markdown) via `_render_engagement_html()`. CSS inline ≤ 30 lignes.
- **Dockerfile** : +6 libs minimales pour WeasyPrint (`libcairo2 libpango-1.0-0 libpangoft2-1.0-0 libharfbuzz0b libfontconfig1 shared-mime-info`). `libgdk-pixbuf-2.0-0` exclu (text-only PDF, vérifié `weasyprint --info`).
- **Process wins sprint 6** : SPEC.md committed en commit #1 du sprint (recurrence 4 sprints enfin tuée) ; spec-reviewer 2-pass APPROVED avant dispatch backend (0 addendum mid-implementation, comme sprint 5) ; team `mimic` persistante avec les 7 agents idle (cohérence cross-sprint à partir du sprint 7+).
🤖 Generated with [Claude Code](https://claude.com/claude-code)