@7nsane/zift 4.0.0 → 4.1.0

package/README.md

@@ -1,20 +1,20 @@
-# 🛡️ Zift (v4.0.0)
+# 🛡️ Zift (v4.1.0)
 
 [![npm version](https://img.shields.io/npm/v/@7nsane/zift.svg?style=flat-square)](https://www.npmjs.com/package/@7nsane/zift)
 [![License](https://img.shields.io/npm/l/@7nsane/zift.svg?style=flat-square)](https://www.npmjs.com/package/@7nsane/zift)
 [![Build Status](https://img.shields.io/badge/CI-passing-brightgreen?style=flat-square)](https://github.com/7nsane/zift)
 
-**The Deeply Hardened Ecosystem Security Engine for JavaScript.**
+**The Symbolically-Intelligent Ecosystem Security Engine for JavaScript.**
 
-Zift v4.0 is the "Deep Hardening" release, featuring **Immutable Runtime Guards** and **Opaque Payload Detection**, specifically designed to resist active attacker bypasses.
+Zift v5.0 is the "Intelligence" release, introducing **Symbolic Taint Analysis**. It can track sensitive data through complex code transformations, destructuring, and nested object structures across module boundaries.
 
-## 🚀 Key Advancements (v4.0.0)
+## 🚀 Key Advancements (v5.0.0)
 
-- **🛡️ Immutable Zift Shield**: Runtime sinks (`http`, `child_process`) are now immutable. Attackers cannot delete or re-assign them to bypass protection.
-- **🧩 Opaque Payload Detection**: Automatically flags compiled native binaries (`.node`) as high-risk.
-- **🧵 Universal Protection**: Zift Shield now automatically propagates into `worker_threads`.
-- **🕵️ Evasion Tracking**: Detects non-deterministic sink construction (e.g., using `Date.now()` or `Math.random()` to hide strings).
-- **🌍 Cross-File Intelligence**: Full multi-pass taint tracking for ESM and CommonJS.
+- **🧠 Symbolic Taint Analysis**: Tracks data through destructuring (`const { key } = process.env`) and deep property access (`obj.a.b.c`).
+- **🧬 Transformation Tracking**: Automatically follows taint through encoding methods like `Buffer.from(data).toString('base64')` or `hex`.
+- **🌍 Recursive Cross-File Intelligence**: Follows sensitive data even when it's re-exported through multiple intermediate files and objects.
+- **🛡️ Immutable Runtime Guards**: Structural protection for `http` and `child_process` sinks (v4.0 legacy).
+- **🧩 Opaque Payload Detection**: Flags native binaries (`.node`) and high-entropy skipped strings.
 
 ## 📦 Quick Start
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@7nsane/zift",
-  "version": "4.0.0",
+  "version": "4.1.0",
   "description": "A high-performance, deterministic security scanner for npm packages.",
   "main": "src/scanner.js",
   "bin": {

package/src/collector.js

@@ -153,7 +153,6 @@ class ASTCollector {
                     }
                 }
 
-                // De-obfuscation Trigger
                 const evaluated = this.tryEvaluate(node, sourceCode);
                 if (evaluated) {
                     if (this.getNetworkType(evaluated) || this.isShellSink(evaluated) || evaluated === 'eval' || evaluated === 'Function') {
@@ -254,6 +253,23 @@ class ASTCollector {
                         }
                     }
                 });
+
+                // v5.0 Symbolic Transformers: Buffer/Base64/Hex
+                if (calleeCode.includes('Buffer.from') || calleeCode.includes('.toString')) {
+                    const parent = ancestors[ancestors.length - 2];
+                    if (parent && parent.type === 'VariableDeclarator' && parent.id.type === 'Identifier') {
+                        const arg = node.arguments[0] ? sourceCode.substring(node.arguments[0].start, node.arguments[0].end) : null;
+                        if (arg) {
+                            flows.push({
+                                fromVar: arg,
+                                toVar: parent.id.name,
+                                file: filePath,
+                                line: node.loc.start.line,
+                                transformation: calleeCode.includes('base64') ? 'base64' : (calleeCode.includes('hex') ? 'hex' : 'buffer')
+                            });
+                        }
+                    }
+                }
             },
             MemberExpression: (node) => {
                 const objectCode = sourceCode.substring(node.object.start, node.object.end);
@@ -275,14 +291,9 @@ class ASTCollector {
                 }
             },
             VariableDeclarator: (node) => {
-                if (node.init && node.id.type === 'Identifier') {
+                if (node.init) {
                     const from = sourceCode.substring(node.init.start, node.init.end);
-                    flows.push({
-                        fromVar: from,
-                        toVar: node.id.name,
-                        file: filePath,
-                        line: node.loc.start.line
-                    });
+                    this.handlePattern(node.id, from, flows, filePath, node.loc.start.line);
                 }
             },
             AssignmentExpression: (node) => {
@@ -306,6 +317,9 @@ class ASTCollector {
                         file: filePath,
                         line: node.loc.start.line
                     });
+                } else if (node.left.type === 'ObjectPattern' || node.left.type === 'ArrayPattern') {
+                    const from = sourceCode.substring(node.right.start, node.right.end);
+                    this.handlePattern(node.left, from, flows, filePath, node.loc.start.line);
                 }
             },
             ObjectExpression: (node, state, ancestors) => {
@@ -422,6 +436,28 @@ class ASTCollector {
             return null;
         }
     }
+
+    handlePattern(pattern, initCode, flows, filePath, line) {
+        if (pattern.type === 'Identifier') {
+            flows.push({ fromVar: initCode, toVar: pattern.name, file: filePath, line });
+        } else if (pattern.type === 'ObjectPattern') {
+            pattern.properties.forEach(prop => {
+                if (prop.type === 'Property') {
+                    const key = prop.key.type === 'Identifier' ? prop.key.name :
+                        (prop.key.type === 'Literal' ? prop.key.value : null);
+                    if (key) {
+                        this.handlePattern(prop.value, `${initCode}.${key}`, flows, filePath, line);
+                    }
+                }
+            });
+        } else if (pattern.type === 'ArrayPattern') {
+            pattern.elements.forEach((el, index) => {
+                if (el) {
+                    this.handlePattern(el, `${initCode}[${index}]`, flows, filePath, line);
+                }
+            });
+        }
+    }
 }
 
 module.exports = ASTCollector;

package/src/scanner.js

@@ -117,13 +117,13 @@ class PackageScanner {
         facts.EXPORTS.forEach(exp => {
             if (!exportMap.has(exp.file)) exportMap.set(exp.file, new Map());
 
-            // Check if localName is tainted in this file
-            const isLocalTainted = flows.some(f => f.file === exp.file && f.toVar === exp.local && f.fromVar.includes('process.env'));
-            const isNamedTainted = flows.some(f => f.file === exp.file && f.toVar === exp.name && f.fromVar.includes('process.env'));
+            // Check if localName is tainted (recursively)
+            const resolvedTaint = this.isVariableTainted(exp.local || exp.name, exp.file, flows);
 
             exportMap.get(exp.file).set(exp.name, {
                 local: exp.local,
-                isTainted: isLocalTainted || isNamedTainted
+                isTainted: !!resolvedTaint,
+                taintPath: resolvedTaint
             });
         });
 
@@ -132,7 +132,7 @@ class PackageScanner {
             let resolvedPath;
             if (imp.source.startsWith('.')) {
                 resolvedPath = path.resolve(path.dirname(imp.file), imp.source);
-                if (!resolvedPath.endsWith('.js')) resolvedPath += '.js';
+                if (!resolvedPath.endsWith('.js') && fs.existsSync(resolvedPath + '.js')) resolvedPath += '.js';
             }
 
             if (resolvedPath && exportMap.has(resolvedPath)) {
@@ -140,18 +140,50 @@ class PackageScanner {
                 const matchedExport = targetExports.get(imp.imported);
 
                 if (matchedExport && matchedExport.isTainted) {
-                    // Mark as a virtual ENV_READ in the importing file
                     facts.ENV_READ.push({
                         file: imp.file,
                         line: imp.line,
-                        variable: `[Cross-File] ${imp.local} (from ${imp.source})`,
+                        variable: `[Symbolic Cross-File] ${imp.local} <- ${matchedExport.taintPath} (from ${imp.source})`,
                         isCrossFile: true
                     });
+
+                    // Propagate further as a flow in this file
+                    flows.push({
+                        fromVar: matchedExport.taintPath,
+                        toVar: imp.local,
+                        file: imp.file,
+                        line: imp.line,
+                        type: 'cross-file-import'
+                    });
                 }
             }
         });
     }
 
+    isVariableTainted(varName, filePath, flows, visited = new Set()) {
+        if (!varName) return null;
+        const key = `${filePath}:${varName}`;
+        if (visited.has(key)) return null;
+        visited.add(key);
+
+        if (varName.includes('process.env')) return varName;
+
+        const incoming = flows.filter(f => f.file === filePath && f.toVar === varName);
+        for (const flow of incoming) {
+            const result = this.isVariableTainted(flow.fromVar, filePath, flows, visited);
+            if (result) return result;
+        }
+
+        // Check for property access patterns if base object is tainted
+        if (varName.includes('.')) {
+            const base = varName.split('.')[0];
+            const result = this.isVariableTainted(base, filePath, flows, visited);
+            if (result) return `${result}.${varName.split('.').slice(1).join('.')}`;
+        }
+
+        return null;
+    }
+
     async getFiles() {
         // Load .ziftignore
         const ziftIgnorePath = path.join(this.packageDir, '.ziftignore');