@archpublicwebsite/eslint-config 1.0.15 → 1.0.18

package/tools/security/scan-global.sh

@@ -0,0 +1,155 @@
+#!/usr/bin/env bash
+# =============================================================================
+# scan-global.sh
+# Scan global node_modules and caches for PolinRider IOC markers.
+# Run once per machine — no need to be inside any repo.
+#
+# Locations scanned:
+#   • npm global node_modules      (npm root -g)
+#   • All nvm node versions        (~/.nvm/versions/node/*/lib/node_modules)
+#   • pnpm global node_modules     (pnpm root -g)
+#   • pnpm store                   (pnpm store path)
+#   • npx cache                    (~/.npm/_npx)
+#
+# Usage:
+#   bash scan-global.sh
+# =============================================================================
+
+set -euo pipefail
+
+GREEN='\033[0;32m'; YELLOW='\033[1;33m'; RED='\033[0;31m'
+BLUE='\033[0;34m'; GRAY='\033[0;90m'; NC='\033[0m'
+
+step() { echo -e "\n${BLUE}[→]${NC} $1"; }
+ok()   { echo -e "${GREEN}[✓]${NC} $1"; }
+warn() { echo -e "${YELLOW}[!]${NC} $1"; }
+skip() { echo -e "${GRAY}[–]${NC} $1"; }
+hr()   { echo -e "${BLUE}────────────────────────────────────────────────────${NC}"; }
+
+# IOC patterns: payload markers + C2 hosts from the incident report
+IOC_PATTERN="9-0224-2|9-857-1|trongrid\.io|aptoslabs\.com|bsc-dataseed\.binance|publicnode\.com"
+
+SCAN_DIRS=()   # entries formatted as "label|path"
+TOTAL_HITS=0
+
+hr
+echo -e "${BLUE}  Global IOC Scan  ·  Post-PolinRider (Jun 2026)${NC}"
+echo -e "  Host: $(hostname)"
+hr
+
+# ── Collect scan targets ──────────────────────────────────────────────────────
+
+# 1. npm global node_modules
+step "Locating npm global node_modules..."
+NPM_GLOBAL=$(npm root -g 2>/dev/null || echo "")
+if [[ -n "$NPM_GLOBAL" && -d "$NPM_GLOBAL" ]]; then
+  SCAN_DIRS+=("npm global|$NPM_GLOBAL")
+  ok "$NPM_GLOBAL"
+else
+  skip "npm global not found"
+fi
+
+# 2. All nvm-managed node versions
+step "Locating nvm node_modules..."
+NVM_BASE="${NVM_DIR:-$HOME/.nvm}/versions/node"
+if [[ -d "$NVM_BASE" ]]; then
+  while IFS= read -r ver; do
+    nm="$ver/lib/node_modules"
+    if [[ -d "$nm" ]]; then
+      SCAN_DIRS+=("nvm $(basename "$ver")|$nm")
+      ok "$nm"
+    fi
+  done < <(find "$NVM_BASE" -maxdepth 1 -mindepth 1 -type d 2>/dev/null | sort)
+else
+  skip "nvm not found (checked $NVM_BASE)"
+fi
+
+# 3. pnpm global node_modules
+step "Locating pnpm global node_modules..."
+if command -v pnpm >/dev/null 2>&1; then
+  PNPM_GLOBAL=$(pnpm root -g 2>/dev/null || echo "")
+  if [[ -n "$PNPM_GLOBAL" && -d "$PNPM_GLOBAL" ]]; then
+    SCAN_DIRS+=("pnpm global|$PNPM_GLOBAL")
+    ok "$PNPM_GLOBAL"
+  else
+    skip "pnpm global node_modules not found"
+  fi
+else
+  skip "pnpm not installed"
+fi
+
+# 4. pnpm store (content-addressable cache)
+step "Locating pnpm store..."
+if command -v pnpm >/dev/null 2>&1; then
+  PNPM_STORE=$(pnpm store path 2>/dev/null || echo "")
+  if [[ -n "$PNPM_STORE" && -d "$PNPM_STORE" ]]; then
+    SCAN_DIRS+=("pnpm store|$PNPM_STORE")
+    warn "pnpm store can be large — this may take a moment"
+    warn "$PNPM_STORE"
+  else
+    skip "pnpm store not found"
+  fi
+else
+  skip "pnpm not installed"
+fi
+
+# 5. npx cache
+step "Locating npx cache..."
+NPM_CACHE=$(npm config get cache 2>/dev/null || echo "$HOME/.npm")
+NPX_CACHE="$NPM_CACHE/_npx"
+if [[ -d "$NPX_CACHE" ]]; then
+  SCAN_DIRS+=("npx cache|$NPX_CACHE")
+  ok "$NPX_CACHE"
+else
+  skip "npx cache not found at $NPX_CACHE"
+fi
+
+# ── Run scan ──────────────────────────────────────────────────────────────────
+
+echo ""
+hr
+echo -e "${BLUE}  Scanning ${#SCAN_DIRS[@]} location(s)...${NC}"
+hr
+
+for ENTRY in "${SCAN_DIRS[@]}"; do
+  LABEL="${ENTRY%%|*}"
+  DIR="${ENTRY##*|}"
+
+  echo -e "\n${BLUE}[→]${NC} ${LABEL}"
+  echo -e "    ${GRAY}${DIR}${NC}"
+
+  HITS=$(grep -rl \
+    --include="*.js" --include="*.mjs" --include="*.cjs" \
+    -E "$IOC_PATTERN" "$DIR" 2>/dev/null || true)
+
+  if [[ -z "$HITS" ]]; then
+    ok "Clean"
+  else
+    HIT_COUNT=$(echo "$HITS" | grep -c "." || true)
+    echo -e "${RED}[✗]${NC} IOC markers found in ${HIT_COUNT} file(s):"
+    while IFS= read -r f; do
+      echo -e "    ${RED}${f}${NC}"
+      PREVIEW=$(grep -m1 -oE ".{0,30}(${IOC_PATTERN}).{0,30}" "$f" 2>/dev/null || true)
+      [[ -n "$PREVIEW" ]] && echo -e "    ${GRAY}→ ${PREVIEW}${NC}"
+    done <<< "$HITS"
+    TOTAL_HITS=$((TOTAL_HITS + HIT_COUNT))
+  fi
+done
+
+# ── Summary ───────────────────────────────────────────────────────────────────
+
+echo ""
+hr
+if [[ "$TOTAL_HITS" -eq 0 ]]; then
+  echo -e "${GREEN}  ✓  All ${#SCAN_DIRS[@]} location(s) clean — machine is clear${NC}"
+else
+  echo -e "${RED}  ✗  IOC markers found in ${TOTAL_HITS} file(s) across global locations${NC}"
+  echo ""
+  echo -e "${YELLOW}  Recommended next steps:${NC}"
+  echo -e "${YELLOW}  1. npm cache clean --force${NC}"
+  echo -e "${YELLOW}  2. pnpm store prune          (if pnpm is installed)${NC}"
+  echo -e "${YELLOW}  3. Identify and remove the flagged packages globally${NC}"
+  echo -e "${YELLOW}  4. See: Security-Remediation-Runbook-2026-06.md${NC}"
+fi
+hr
+echo ""

package/tools/security/scan.mjs

@@ -0,0 +1,465 @@
+#!/usr/bin/env node
+/**
+ * @archipelago/security-scan
+ *
+ * Pre-commit scanner inspired by socket.dev.
+ * Detects malicious code in staged files and supply-chain risks in
+ * newly added packages — blocking zero-day attacks before they reach
+ * CI or production.
+ *
+ * ┌─────────────────────────────────────────────────────┐
+ * │  What is checked                                    │
+ * │  1. Staged .js/.ts/.vue files — eval, obfuscation,  │
+ * │     base64 payloads, net/dns/child_process in       │
+ * │     build-config files, prototype pollution         │
+ * │  2. Newly added npm packages — install scripts      │
+ * │     with curl/wget, base64-exec, credential theft   │
+ * │  3. Typosquatting — package names within edit-      │
+ * │     distance 1 of popular npm packages              │
+ * └─────────────────────────────────────────────────────┘
+ *
+ * Environment flags:
+ *   SKIP_SECURITY_SCAN=1   Bypass all checks (logged loudly to stderr)
+ *   SECURITY_AUDIT=1       Also run `pnpm audit` and surface known CVEs
+ */
+
+import { existsSync, readFileSync } from 'node:fs'
+import { extname, join } from 'node:path'
+import {
+  CONFIG_FILE_PATTERNS,
+  FILE_PATTERNS,
+  INSTALL_SCRIPT_PATTERNS,
+  POPULAR_PACKAGES,
+  SCAN_EXTENSIONS,
+} from './patterns.mjs'
+import {
+  getRepoRoot,
+  getStagedNameStatus,
+  runSafe,
+} from '../git-hooks/shared.mjs'
+
+// ─── ANSI colours ──────────────────────────────────────────────────────────────
+const R = '\x1b[0m'
+const RED = '\x1b[31m'
+const YLW = '\x1b[33m'
+const CYN = '\x1b[36m'
+const GRN = '\x1b[32m'
+const BOLD = '\x1b[1m'
+const DIM = '\x1b[2m'
+const HR = `${DIM}${'─'.repeat(62)}${R}`
+
+function badge(severity) {
+  switch (severity) {
+    case 'critical': return `${RED}${BOLD}[CRITICAL]${R}`
+    case 'high':     return `${RED}[HIGH]    ${R}`
+    case 'medium':   return `${YLW}[MEDIUM]  ${R}`
+    default:         return `${CYN}[LOW]     ${R}`
+  }
+}
+
+function isBlocking(severity) {
+  return severity === 'critical' || severity === 'high'
+}
+
+// ─── Helpers ───────────────────────────────────────────────────────────────────
+
+function isConfigFile(filePath) {
+  return CONFIG_FILE_PATTERNS.some(p => p.test(filePath))
+}
+
+// Files that intentionally contain dangerous-pattern literals for lint/security
+// rule definitions and scanner fixture tests. Scanning them with FILE_PATTERNS
+// causes self-referential false positives and blocks commits.
+const SELF_REFERENTIAL_SCAN_EXCLUSIONS = [
+  'packages/eslint-config/eslint.config.mjs',
+  'packages/eslint-config/tools/security/patterns.mjs',
+  'packages/eslint-config/tools/security/test-patterns.mjs',
+]
+
+function shouldSkipSelfReferentialFile(filePath) {
+  const normalizedPath = filePath.replaceAll('\\', '/')
+  return SELF_REFERENTIAL_SCAN_EXCLUSIONS.some(excluded => normalizedPath.endsWith(excluded))
+}
+
+function collectPatternFindings(lines, isConfig, filePath) {
+  const findings = []
+
+  for (const pattern of FILE_PATTERNS) {
+    if (pattern.configOnly && !isConfig) continue
+
+    for (let i = 0; i < lines.length; i++) {
+      if (pattern.regex.test(lines[i])) {
+        findings.push({
+          file: filePath,
+          line: i + 1,
+          lineContent: lines[i].trim().slice(0, 120),
+          patternId: pattern.id,
+          severity: pattern.severity,
+          message: pattern.message,
+        })
+      }
+    }
+  }
+
+  return findings
+}
+
+function collectObfuscatedLineFindings(lines, filePath) {
+  const findings = []
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]
+    if (line.length <= 800) continue
+
+    // Encoded payload lines tend to have unusually high symbol density.
+    const nonWord = (line.match(/[^a-zA-Z0-9\s.,;:(){}[\]=<>+\-*/'"_]/g) || []).length
+    const density = nonWord / line.length
+    if (density <= 0.18) continue
+
+    findings.push({
+      file: filePath,
+      line: i + 1,
+      lineContent: `[${line.length} chars] ${line.trim().slice(0, 80)}…`,
+      patternId: 'long-obfuscated-line',
+      severity: 'critical',
+      message: `Line is ${line.length} chars with high symbol density (${(density * 100).toFixed(0)}%) — likely an embedded payload (dropper pattern)`,
+    })
+  }
+
+  return findings
+}
+
+/**
+ * Read the staged (index) version of a file so we scan exactly what will be
+ * committed — not any unsaved working-tree changes.
+ */
+function readStagedContent(filePath) {
+  return runSafe(`git show ":${filePath}"`)
+}
+
+/**
+ * Levenshtein distance between two strings.
+ * Used to detect typosquatted package names.
+ * @param {string} a
+ * @param {string} b
+ * @returns {number}
+ */
+function levenshtein(a, b) {
+  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i])
+  for (let j = 0; j <= b.length; j++) dp[0][j] = j
+  for (let i = 1; i <= a.length; i++) {
+    for (let j = 1; j <= b.length; j++) {
+      dp[i][j] = a[i - 1] === b[j - 1]
+        ? dp[i - 1][j - 1]
+        : 1 + Math.min(dp[i - 1][j], dp[i][j - 1], dp[i - 1][j - 1])
+    }
+  }
+  return dp[a.length][b.length]
+}
+
+/**
+ * Returns the popular package name that the given name is likely a typosquat
+ * of (edit distance === 1), or null if no match.
+ * @param {string} pkgName
+ * @returns {string|null}
+ */
+function detectTyposquat(pkgName) {
+  // Strip npm scope for comparison
+  const bare = pkgName.startsWith('@') ? (pkgName.split('/')[1] ?? pkgName) : pkgName
+  if (bare.length < 3) return null
+
+  for (const popular of POPULAR_PACKAGES) {
+    if (bare === popular) return null // exact match is fine
+    if (levenshtein(bare.toLowerCase(), popular.toLowerCase()) === 1) return popular
+  }
+  return null
+}
+
+// ─── Stage-file scanner ────────────────────────────────────────────────────────
+
+/**
+ * @typedef {{ file: string, line: number, lineContent: string,
+ *             patternId: string, severity: string, message: string }} FileFinding
+ */
+
+/**
+ * Scan every staged JS/TS/Vue file against FILE_PATTERNS.
+ * @param {string} _repoRoot   (unused here but kept for symmetry)
+ * @returns {FileFinding[]}
+ */
+function scanStagedFiles(_repoRoot) {
+  const staged = getStagedNameStatus()
+  const toScan = staged.filter(({ status, path }) =>
+    ['A', 'M'].includes(status[0]) && SCAN_EXTENSIONS.has(extname(path)),
+  )
+
+  if (toScan.length === 0) return []
+
+  process.stdout.write(`\nScanning ${toScan.length} staged source file(s)...\n`)
+
+  const findings = []
+  let skipped = 0
+
+  for (const { path: filePath } of toScan) {
+    if (shouldSkipSelfReferentialFile(filePath)) {
+      skipped++
+      continue
+    }
+
+    const content = readStagedContent(filePath)
+    if (!content) continue
+
+    const lines = content.split('\n')
+    const isConfig = isConfigFile(filePath)
+
+    findings.push(
+      ...collectPatternFindings(lines, isConfig, filePath),
+      ...collectObfuscatedLineFindings(lines, filePath),
+    )
+  }
+
+  if (skipped > 0) {
+    process.stdout.write(`Skipping ${skipped} self-referential security definition/test file(s).\n`)
+  }
+
+  return findings
+}
+
+// ─── Supply-chain scanner ──────────────────────────────────────────────────────
+
+/**
+ * Compare staged vs committed package.json files to find packages that were
+ * newly added in this commit (across all dependency fields).
+ * @returns {string[]} Array of package names
+ */
+function getNewlyAddedPackages() {
+  const staged = getStagedNameStatus()
+  const pkgFiles = staged.filter(({ status, path }) =>
+    ['A', 'M'].includes(status[0])
+    && path.endsWith('package.json')
+    && !path.includes('node_modules'),
+  )
+
+  if (pkgFiles.length === 0) return []
+
+  const depFields = ['dependencies', 'devDependencies', 'peerDependencies', 'optionalDependencies']
+
+  function extractDepNames(jsonContent) {
+    if (!jsonContent) return new Set()
+    try {
+      const pkg = JSON.parse(jsonContent)
+      const all = new Set()
+      for (const field of depFields) {
+        if (pkg[field] && typeof pkg[field] === 'object') {
+          for (const name of Object.keys(pkg[field])) all.add(name)
+        }
+      }
+      return all
+    }
+    catch {
+      return new Set()
+    }
+  }
+
+  const added = new Set()
+
+  for (const { path: pkgFile } of pkgFiles) {
+    const newContent = readStagedContent(pkgFile)
+    const oldContent = runSafe(`git show "HEAD:${pkgFile}"`)
+    const newDeps = extractDepNames(newContent)
+    const oldDeps = extractDepNames(oldContent)
+    for (const name of newDeps) {
+      if (!oldDeps.has(name)) added.add(name)
+    }
+  }
+
+  return [...added]
+}
+
+/**
+ * @typedef {{ pkg: string, scriptName?: string, patternId: string,
+ *             severity: string, message: string, lineContent: string }} SupplyFinding
+ */
+
+/**
+ * Inspect a single package's install scripts in node_modules.
+ * @param {string} pkgName
+ * @param {string} repoRoot
+ * @returns {SupplyFinding[]}
+ */
+function checkInstallScripts(pkgName, repoRoot) {
+  const pkgJsonPath = join(repoRoot, 'node_modules', pkgName, 'package.json')
+  if (!existsSync(pkgJsonPath)) return []
+
+  let pkg
+  try {
+    pkg = JSON.parse(readFileSync(pkgJsonPath, 'utf8'))
+  }
+  catch {
+    return []
+  }
+
+  const findings = []
+  const scriptFields = ['preinstall', 'install', 'postinstall']
+
+  for (const scriptName of scriptFields) {
+    const script = pkg.scripts?.[scriptName]
+    if (!script) continue
+
+    // Always surface that an install script exists (medium — for awareness)
+    findings.push({
+      pkg: pkgName,
+      scriptName,
+      patternId: 'install-script-present',
+      severity: 'medium',
+      message: `Package has a ${scriptName} script — verify it is legitimate`,
+      lineContent: script.slice(0, 120),
+    })
+
+    // Check for specific dangerous patterns (high/critical)
+    for (const pattern of INSTALL_SCRIPT_PATTERNS) {
+      if (pattern.regex.test(script)) {
+        findings.push({
+          pkg: pkgName,
+          scriptName,
+          patternId: pattern.id,
+          severity: pattern.severity,
+          message: pattern.message,
+          lineContent: script.slice(0, 120),
+        })
+      }
+    }
+  }
+
+  return findings
+}
+
+/**
+ * Run the full supply-chain scan: typosquatting + install-script analysis
+ * for every newly added package.
+ * @param {string} repoRoot
+ * @returns {SupplyFinding[]}
+ */
+function scanNewDependencies(repoRoot) {
+  const newPkgs = getNewlyAddedPackages()
+  if (newPkgs.length === 0) return []
+
+  process.stdout.write(`\nSupply-chain scan: ${newPkgs.length} newly added package(s)...\n`)
+
+  const findings = []
+
+  for (const pkgName of newPkgs) {
+    // 1. Typosquatting
+    const similar = detectTyposquat(pkgName)
+    if (similar) {
+      findings.push({
+        pkg: pkgName,
+        patternId: 'typosquat',
+        severity: 'high',
+        message: `Possible typosquat of "${similar}" — verify the package name is correct`,
+        lineContent: `"${pkgName}" is 1 edit away from "${similar}"`,
+      })
+    }
+
+    // 2. Install scripts
+    const scriptFindings = checkInstallScripts(pkgName, repoRoot)
+    findings.push(...scriptFindings)
+  }
+
+  return findings
+}
+
+// ─── Optional: pnpm/npm audit ─────────────────────────────────────────────────
+
+/**
+ * Run `pnpm audit --audit-level=high` when SECURITY_AUDIT=1 is set.
+ * Non-fatal: output is printed but does not block the commit so it doesn't
+ * slow down normal developer workflows.
+ */
+function runAudit(repoRoot) {
+  if (process.env.SECURITY_AUDIT !== '1') return
+
+  process.stdout.write(`\nRunning pnpm audit (SECURITY_AUDIT=1)...\n`)
+  const result = runSafe('pnpm audit --audit-level=high 2>&1')
+  if (result) {
+    process.stdout.write(`${DIM}${result}${R}\n`)
+  }
+}
+
+// ─── Output helpers ────────────────────────────────────────────────────────────
+
+function printFileFinding(f) {
+  console.log(`\n  ${badge(f.severity)} ${DIM}${f.file}:${f.line}${R}`)
+  console.log(`  ${BOLD}${f.message}${R}`)
+  console.log(`  ${DIM}│${R}  ${f.lineContent}`)
+}
+
+function printSupplyFinding(f) {
+  if (f.patternId === 'install-script-present') {
+    console.log(`  ${DIM}⚑${R}  ${BOLD}${f.pkg}${R} — ${f.scriptName}: ${DIM}${f.lineContent}${R}`)
+    return
+  }
+  const scriptLabel = f.scriptName ? ` (${DIM}${f.scriptName}${R})` : ''
+  console.log(`\n  ${badge(f.severity)} ${BOLD}${f.pkg}${R}${scriptLabel}`)
+  console.log(`  ${f.message}`)
+  console.log(`  ${DIM}│${R}  ${f.lineContent}`)
+}
+
+// ─── Entry point ───────────────────────────────────────────────────────────────
+
+function main() {
+  if (process.env.SKIP_SECURITY_SCAN === '1') {
+    process.stderr.write(
+      `\n${YLW}${BOLD}⚠  SKIP_SECURITY_SCAN=1 — all security checks bypassed.${R}\n`
+      + `${YLW}   This bypass is intentional and has been logged.${R}\n\n`,
+    )
+    return
+  }
+
+  const repoRoot = getRepoRoot()
+
+  console.log(`\n${HR}`)
+  console.log(`  ${BOLD}@archipelago/security-scan${R}  ${DIM}socket.dev-style pre-commit guard${R}`)
+  console.log(HR)
+
+  const fileFindings = scanStagedFiles(repoRoot)
+  const supplyFindings = scanNewDependencies(repoRoot)
+
+  runAudit(repoRoot)
+
+  const allFindings = [...fileFindings, ...supplyFindings]
+
+  if (fileFindings.length > 0) {
+    console.log(`\n${BOLD}Source-code findings:${R}`)
+    fileFindings.forEach(printFileFinding)
+  }
+
+  if (supplyFindings.length > 0) {
+    console.log(`\n${BOLD}Supply-chain findings:${R}`)
+    supplyFindings.forEach(printSupplyFinding)
+  }
+
+  const blocking = allFindings.filter(f => isBlocking(f.severity))
+  const warnings = allFindings.filter(f => !isBlocking(f.severity))
+
+  console.log(`\n${HR}`)
+
+  if (blocking.length === 0) {
+    const warnNote = warnings.length > 0 ? `  ${DIM}(${warnings.length} warning(s) — review recommended)${R}` : ''
+    console.log(`  ${GRN}${BOLD}✔  Security scan passed${R}${warnNote}`)
+    console.log(HR)
+    console.log()
+    return
+  }
+
+  console.log(
+    `  ${RED}${BOLD}✖  COMMIT BLOCKED${R} — ${blocking.length} critical/high security issue(s) found`,
+  )
+  console.log(`  ${DIM}To bypass (emergencies only): SKIP_SECURITY_SCAN=1 git commit …${R}`)
+  console.log(HR)
+  console.log()
+
+  process.exit(1)
+}
+
+main()