npm - @7nsane/zift - Versions diffs - 4.2.0 → 4.3.0 - Mend

@7nsane/zift 4.2.0 → 4.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@7nsane/zift",
-  "version": "4.2.0",
+  "version": "4.3.0",
   "description": "A high-performance, deterministic security scanner for npm packages.",
   "main": "src/scanner.js",
   "bin": {
@@ -27,4 +27,4 @@
     "chalk": "^4.1.2",
     "glob": "^13.0.6"
   }
-}
+}

package/src/collector.js CHANGED Viewed

@@ -427,6 +427,45 @@ class ASTCollector {
                     }
                 });
+                // v5.2 Symbolic Async: await and .then()
+                if (calleeCode.includes('.then')) {
+                    const parts = calleeCode.split('.then');
+                    const promiseBase = parts[0];
+                    const isPromiseTainted = flows.some(f => f.toVar === promiseBase) || promiseBase.includes('process.env') || promiseBase.includes('secret');
+                    if (isPromiseTainted && node.arguments[0] && (node.arguments[0].type === 'ArrowFunctionExpression' || node.arguments[0].type === 'FunctionExpression')) {
+                        const param = node.arguments[0].params[0];
+                        if (param && param.type === 'Identifier') {
+                            flows.push({
+                                fromVar: promiseBase,
+                                toVar: param.name,
+                                file: filePath,
+                                line: node.loc.start.line,
+                                async: true
+                            });
+                        }
+                    }
+                }
+                // v5.1 Symbolic Mutations: .push(), .concat(), .assign()
+                const mutationMethods = ['push', 'unshift', 'concat', 'assign', 'append'];
+                if (mutationMethods.some(m => calleeCode.endsWith('.' + m))) {
+                    const objectName = calleeCode.split('.')[0];
+                    node.arguments.forEach(arg => {
+                        const argCode = sourceCode.substring(arg.start, arg.end);
+                        const isArgTainted = argCode.includes('process.env') || flows.some(f => f.toVar === argCode);
+                        if (isArgTainted) {
+                            flows.push({
+                                fromVar: argCode,
+                                toVar: objectName,
+                                file: filePath,
+                                line: node.loc.start.line,
+                                mutation: calleeCode
+                            });
+                        }
+                    });
+                }
                 // v5.0 Symbolic Transformers: Buffer/Base64/Hex
                 if (calleeCode.includes('Buffer.from') || calleeCode.includes('.toString')) {
                     const parent = ancestors[ancestors.length - 2];
@@ -452,6 +491,20 @@ class ASTCollector {
             },
             AssignmentExpression: (node) => {
                 const leftCode = sourceCode.substring(node.left.start, node.left.end);
+                if (node.right.type === 'AwaitExpression') {
+                    const from = sourceCode.substring(node.right.argument.start, node.right.argument.end);
+                    const isFromTainted = flows.some(f => f.toVar === from) || from.includes('process.env');
+                    if (isFromTainted) {
+                        flows.push({
+                            fromVar: from,
+                            toVar: leftCode,
+                            file: filePath,
+                            line: node.loc.start.line,
+                            async: true
+                        });
+                    }
+                }
                 if (leftCode === 'module.exports' || leftCode.startsWith('exports.')) {
                     facts.EXPORTS.push({
                         file: filePath,

package/src/engine.js CHANGED Viewed

@@ -30,24 +30,38 @@ class SafetyEngine {
         // Check required facts
         for (const req of rule.requires) {
-            let matchedFacts = facts[req] || [];
+            let matchedFacts = (facts[req] || []).map(f => ({ ...f, type: req }));
             // Handle virtual requirements (LIFECYCLE_CONTEXT)
             if (req === 'LIFECYCLE_CONTEXT' && matchedFacts.length === 0) {
-                // If any trigger so far is in a lifecycle file, we satisfy the virtual requirement
                 const virtualMatch = triggers.some(t => {
                     if (lifecycleFiles instanceof Set) return lifecycleFiles.has(t.file);
                     if (Array.isArray(lifecycleFiles)) return lifecycleFiles.includes(t.file);
                     return false;
                 });
                 if (virtualMatch) {
                     matchedFacts = [{ type: 'LIFECYCLE_CONTEXT', virtual: true }];
                 }
             }
-            if (matchedFacts.length === 0) return null; // Rule not matched
-            triggers.push(...matchedFacts.map(f => ({ ...f, type: req })));
+            if (matchedFacts.length === 0) return null;
+            // v5.3 Sequence Matching: Ensure facts occur in specified order (if rule has .sequence)
+            if (rule.sequence) {
+                const reqIndex = rule.requires.indexOf(req);
+                if (reqIndex > 0) {
+                    const prevReq = rule.requires[reqIndex - 1];
+                    const prevTriggers = triggers.filter(t => t.type === prevReq);
+                    // Filter current matches to only those that happen AFTER a previous trigger
+                    matchedFacts = matchedFacts.filter(curr => {
+                        return prevTriggers.some(prev => curr.line >= prev.line);
+                    });
+                }
+            }
+            if (matchedFacts.length === 0) return null;
+            triggers.push(...matchedFacts);
         }
         // Check optional facts for bonuses

package/src/shield.js CHANGED Viewed

@@ -14,8 +14,10 @@ function setupShield() {
         console.warn(`[ZIFT-SHIELD] 🌐 Outbound Connection: ${address}:${port}`);
     });
-    // 2. Wrap Child Process (for shell command execution) - IMMUTABLE
+    // 2. Wrap Child Process (for shell command execution) - ACTIVE BLOCKING
     const cp = require('node:child_process');
+    const ALLOWED_COMMANDS = ['npm install', 'npm audit', 'ls', 'dir', 'whoami', 'node -v'];
     ['exec', 'spawn', 'execSync', 'spawnSync'].forEach(method => {
         const original = cp[method];
         if (!original) return;
@@ -23,10 +25,18 @@ function setupShield() {
         const wrapper = function (...args) {
             const command = args[0];
             const cmdStr = typeof command === 'string' ? command : (Array.isArray(args[1]) ? args[1].join(' ') : String(command));
-            console.warn(`[ZIFT-SHIELD] 🐚 Shell Execution: ${cmdStr}`);
-            if (cmdStr.includes('curl') || cmdStr.includes('wget') || cmdStr.includes('| sh') || cmdStr.includes('| bash')) {
-                console.error(`[ZIFT-SHIELD] ⚠️  CRITICAL: Potential Remote Dropper detected in shell execution!`);
+            // Security Logic
+            const isCritical = cmdStr.includes('curl') || cmdStr.includes('wget') || cmdStr.includes('| sh') || cmdStr.includes('| bash') || cmdStr.includes('rm -rf /');
+            const isBlocked = !ALLOWED_COMMANDS.some(allowed => cmdStr.startsWith(allowed)) || isCritical;
+            if (isBlocked) {
+                console.error(`[ZIFT-SHIELD] ❌ BLOCKED: Unauthorized or dangerous shell execution: "${cmdStr}"`);
+                if (process.env.ZIFT_ENFORCE === 'true') {
+                    throw new Error(`[ZIFT-SHIELD] Access Denied: Shell command "${cmdStr}" is not in the allow-list.`);
+                }
+            } else {
+                console.warn(`[ZIFT-SHIELD] 🐚 Shell Execution (Allowed): ${cmdStr}`);
             }
             return original.apply(this, args);
@@ -39,6 +49,42 @@ function setupShield() {
         }
     });
+    // 2.5 Filesystem Protection
+    const fs = require('node:fs');
+    const PROTECTED_FILES = ['.env', '.npmrc', 'shadow', 'id_rsa', 'id_ed25519'];
+    const fsMethods = ['readFile', 'readFileSync', 'promises.readFile', 'createReadStream'];
+    fsMethods.forEach(methodPath => {
+        let parent = fs;
+        let method = methodPath;
+        if (methodPath.startsWith('promises.')) {
+            parent = fs.promises;
+            method = 'readFile';
+        }
+        const original = parent[method];
+        if (!original) return;
+        const wrapper = function (...args) {
+            const pathArg = args[0];
+            const pathStr = typeof pathArg === 'string' ? pathArg : (pathArg instanceof Buffer ? pathArg.toString() : String(pathArg));
+            if (PROTECTED_FILES.some(f => pathStr.includes(f))) {
+                console.error(`[ZIFT-SHIELD] ❌ BLOCKED: Access to protected file: "${pathStr}"`);
+                if (process.env.ZIFT_ENFORCE === 'true') {
+                    throw new Error(`[ZIFT-SHIELD] Access Denied: Protected file "${pathStr}" cannot be read.`);
+                }
+            }
+            return original.apply(this, args);
+        };
+        try {
+            Object.defineProperty(parent, method, { value: wrapper, writable: false, configurable: false });
+        } catch (e) {
+            parent[method] = wrapper;
+        }
+    });
     // 3. Monitor HTTP/HTTPS - IMMUTABLE
     const http = require('node:http');
     const https = require('node:https');