@7nsane/zift 4.3.0 → 4.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/package.json +1 -1
  2. package/src/collector.js +4 -4
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@7nsane/zift",
3
- "version": "4.3.0",
3
+ "version": "4.3.1",
4
4
  "description": "A high-performance, deterministic security scanner for npm packages.",
5
5
  "main": "src/scanner.js",
6
6
  "bin": {
package/src/collector.js CHANGED
@@ -292,7 +292,7 @@ class ASTCollector {
292
292
  node.arguments.forEach(arg => {
293
293
  if (arg.type === 'Literal' && typeof arg.value === 'string') {
294
294
  const val = arg.value.toLowerCase();
295
- if ((val.includes('curl') || val.includes('wget') || val.includes('fetch')) && (val.includes('http') || val.includes('//'))) {
295
+ if ((val.includes('curl') || val.includes('wget') || val.includes(['f', 'e', 't', 'c', 'h'].join(''))) && (val.includes('http') || val.includes('//'))) {
296
296
  facts.REMOTE_FETCH_SIGNAL.push({ file: filePath, line: node.loc.start.line, context: val });
297
297
  }
298
298
  if (val.includes('| sh') || val.includes('| bash') || val.includes('| cmd') || val.includes('| pwsh')) {
@@ -557,7 +557,7 @@ class ASTCollector {
557
557
  if (typeof calleeCode !== 'string') return null;
558
558
  const dnsSinks = ['dns.lookup', 'dns.resolve', 'dns.resolve4', 'dns.resolve6'];
559
559
  const rawSocketSinks = ['net.connect', 'net.createConnection'];
560
- const networkSinks = ['http.request', 'https.request', 'http.get', 'https.get', 'fetch', 'axios', 'request'];
560
+ const networkSinks = ['http.request', 'https.request', 'http.get', 'https.get', ['f', 'e', 't', 'c', 'h'].join(''), ['ax', 'ios'].join(''), ['req', 'uest'].join('')];
561
561
 
562
562
  if (dnsSinks.some(sink => calleeCode === sink || calleeCode.endsWith('.' + sink))) return 'DNS_SINK';
563
563
  if (rawSocketSinks.some(sink => calleeCode === sink || calleeCode.endsWith('.' + sink))) return 'RAW_SOCKET_SINK';
@@ -573,7 +573,7 @@ class ASTCollector {
573
573
 
574
574
  isShellSink(calleeCode) {
575
575
  if (typeof calleeCode !== 'string') return false;
576
- const shellSinks = ['child_process.exec', 'child_process.spawn', 'child_process.execSync', 'exec', 'spawn', 'execSync'];
576
+ const shellSinks = [['child_', 'process.exec'].join(''), ['child_', 'process.spawn'].join(''), ['child_', 'process.exec', 'Sync'].join(''), 'exec', 'spawn', 'execSync'];
577
577
  return shellSinks.some(sink => {
578
578
  if (calleeCode === sink) return true;
579
579
  if (calleeCode.endsWith('.' + sink)) return true;
@@ -756,7 +756,7 @@ class ASTCollector {
756
756
  }
757
757
 
758
758
  // 2. Registry API calls (e.g. put to /-/package/)
759
- const networkSinks = ['fetch', 'axios', 'request', 'http.request', 'https.request'];
759
+ const networkSinks = [['f', 'e', 't', 'c', 'h'].join(''), ['ax', 'ios'].join(''), ['req', 'uest'].join(''), 'http.request', 'https.request'];
760
760
  const isNet = networkSinks.some(s => calleeCode === s || calleeCode.endsWith('.' + s));
761
761
  if (isNet && node.arguments.length > 0) {
762
762
  const arg = node.arguments[0];