npm - @archpublicwebsite/eslint-config - Versions diffs - 1.0.15 → 1.0.18 - Mend

@archpublicwebsite/eslint-config 1.0.15 → 1.0.18

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/README.md +19 -1
package/eslint.config.mjs +60 -4
package/package.json +7 -1
package/tools/git-hooks/pre-commit.mjs +30 -0
package/tools/security/patterns.mjs +311 -0
package/tools/security/safe-reinstall.sh +179 -0
package/tools/security/scan-global.sh +155 -0
package/tools/security/scan.mjs +465 -0
package/tools/security/test-patterns.mjs +114 -0
package/tools/setup/install.mjs +70 -2

package/tools/security/test-patterns.mjs ADDED Viewed

@@ -0,0 +1,114 @@
+#!/usr/bin/env node
+/**
+ * Pattern-detection self-test
+ * Run: node packages/eslint-config/tools/security/test-patterns.mjs
+ *
+ * Validates that every attack vector in the wild (including the dropper from
+ * the supply-chain report) is caught by FILE_PATTERNS.
+ */
+import { FILE_PATTERNS } from './patterns.mjs'
+const RED = '\x1b[31m'
+const GRN = '\x1b[32m'
+const YLW = '\x1b[33m'
+const BOLD = '\x1b[1m'
+const R = '\x1b[0m'
+// ─── Test cases (real-world attack lines) ─────────────────────────────────────
+const testCases = [
+  // ── From the exact dropper submitted in the issue ─────────────────────────
+  {
+    label: 'Dropper — global require hijack',
+    expectedId: 'require-global-hijack',
+    line: "global[_$_1e42[0]]= require;",
+  },
+  {
+    label: 'Dropper — global bracket assignment via decoded array',
+    expectedId: 'global-bracket-assignment',
+    line: "global[_$_1e42[2]]= module",
+  },
+  {
+    label: 'Dropper — obfuscated _$_ variable names',
+    expectedId: 'obfuscated-variable-names',
+    line: "var _$_1e42=(function(l,e){var h=l.length;var g=[];",
+  },
+  {
+    label: 'Dropper — shuffle-cipher IIFE bootstrap',
+    expectedId: 'shuffle-cipher-iife',
+    line: `var _$_1e42=(function(l,e){var h=l.length;var g=[];for(var j=0;j<h;j++){g[j]=l.charAt(j)};for(var j=0;j<h;j++){var s=e*(j+489)+(e%19597);var w=e*(j+659)+(e%48014);var t=s%h;var p=w%h;var y=g[t];g[t]=g[p];g[p]=y;e=(s+w)%4573868};return g.join('')})("rmcej%otb%",2857687)`,
+  },
+  {
+    label: 'Dropper — array-based Function call chain (final execution)',
+    expectedId: 'array-fn-call-chain',
+    line: "var Tgw=jFD(LQI,pYd );Tgw(2509);",
+  },
+  // ── Classic attack patterns ───────────────────────────────────────────────
+  {
+    label: 'eval() call',
+    expectedId: 'no-eval',
+    line: "const x = eval(someVar)",
+  },
+  {
+    label: 'new Function() call',
+    expectedId: 'no-new-func',
+    line: "const fn = new Function('a','return a+1')",
+  },
+  {
+    label: 'Buffer base64 decode',
+    expectedId: 'base64-decode',
+    line: `const payload = Buffer.from('abc123', 'base64').toString()`,
+  },
+  {
+    label: 'String.fromCharCode obfuscation',
+    expectedId: 'charcode-obfuscation',
+    line: "const s = String.fromCharCode(104, 101, 108, 108, 111, 32, 119, 111, 114)",
+  },
+  {
+    label: 'Hex-escaped string payload',
+    expectedId: 'hex-string-obfuscation',
+    line: `const k='\\x68\\x65\\x6c\\x6c\\x6f\\x77\\x6f\\x72\\x6c\\x64\\x68\\x65\\x6c\\x6c\\x6f\\x77\\x6f\\x72\\x6c\\x64\\x20\\x68'`,
+  },
+  {
+    label: 'Prototype pollution',
+    expectedId: 'prototype-pollution',
+    line: "obj.__proto__ = { admin: true }",
+  },
+  {
+    label: 'child_process in config',
+    expectedId: 'child-process-in-config',
+    configOnly: true,
+    line: "const { execSync } = require('child_process')",
+  },
+]
+// ─── Run tests ────────────────────────────────────────────────────────────────
+let passed = 0
+let failed = 0
+for (const tc of testCases) {
+  // For configOnly patterns, the scanner applies them; we can test them directly
+  const matched = FILE_PATTERNS.filter(p => p.regex.test(tc.line))
+  const hit = matched.find(p => p.id === tc.expectedId)
+  if (hit) {
+    console.log(`${GRN}✔${R}  ${tc.label}`)
+    console.log(`   ${YLW}→ [${hit.severity.toUpperCase()}] ${hit.id}${R}`)
+    passed++
+  }
+  else {
+    console.log(`${RED}${BOLD}✖  ${tc.label}${R}`)
+    console.log(`   Expected pattern id: ${tc.expectedId}`)
+    if (matched.length > 0)
+      console.log(`   (other matches: ${matched.map(p => p.id).join(', ')})`)
+    else
+      console.log(`   (no patterns matched this line)`)
+    failed++
+  }
+}
+console.log(`\n${'─'.repeat(50)}`)
+console.log(`${passed} passed  ${failed > 0 ? `${RED}${BOLD}${failed} FAILED${R}` : ''}`)
+if (failed > 0) process.exit(1)

package/tools/setup/install.mjs CHANGED Viewed

@@ -1,9 +1,11 @@
 import { execSync } from 'node:child_process'
-import { chmodSync, existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs'
-import { join } from 'node:path'
+import { chmodSync, copyFileSync, existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs'
+import { dirname, join } from 'node:path'
+import { fileURLToPath } from 'node:url'
 import { ensureVscodeSettings } from './vscode.mjs'
 const TAG = '[@archpublicwebsite/eslint-config]'
+const __dirname = dirname(fileURLToPath(import.meta.url))
 function log(msg) {
   console.log(`${TAG} ${msg}`)
@@ -193,6 +195,70 @@ function ensureHooksPath(projectRoot) {
   }
 }
+// ─── security shell scripts ────────────────────────────────────────────────
+function ensureSecurityScripts(projectRoot) {
+  const securityDir = join(__dirname, '../security')
+  const scripts = ['safe-reinstall.sh', 'scan-global.sh']
+  let created = false
+  for (const scriptName of scripts) {
+    const sourcePath = join(securityDir, scriptName)
+    const targetPath = join(projectRoot, scriptName)
+    if (!existsSync(sourcePath) || existsSync(targetPath)) {
+      continue
+    }
+    copyFileSync(sourcePath, targetPath)
+    chmodSync(targetPath, 0o755)
+    created = true
+  }
+  if (created) {
+    log('Created security scripts (safe-reinstall.sh, scan-global.sh)')
+  }
+}
+function ensurePackageScripts(projectRoot) {
+  const packageJsonPath = join(projectRoot, 'package.json')
+  if (!existsSync(packageJsonPath)) {
+    return
+  }
+  let pkg
+  try {
+    pkg = JSON.parse(readFileSync(packageJsonPath, 'utf8'))
+  }
+  catch {
+    return
+  }
+  const scripts = pkg.scripts && typeof pkg.scripts === 'object' ? pkg.scripts : {}
+  const desiredScripts = {
+    precommit: 'node node_modules/@archpublicwebsite/eslint-config/tools/git-hooks/pre-commit.mjs',
+    'security:global-scan': 'bash ./node_modules/@archpublicwebsite/eslint-config/tools/security/scan-global.sh',
+    'security:safe-check': 'bash ./node_modules/@archpublicwebsite/eslint-config/tools/security/safe-reinstall.sh --check-only',
+  }
+  let updated = false
+  for (const [name, value] of Object.entries(desiredScripts)) {
+    if (!scripts[name]) {
+      scripts[name] = value
+      updated = true
+    }
+  }
+  if (!updated) {
+    return
+  }
+  pkg.scripts = scripts
+  writeFileSync(packageJsonPath, `${JSON.stringify(pkg, null, 2)}\n`, 'utf8')
+  log('Updated package.json scripts (precommit, security:global-scan, security:safe-check)')
+}
 // ─── .vscode/extensions.json ────────────────────────────────────────────────
 function ensureVscodeExtensions(projectRoot) {
@@ -240,6 +306,8 @@ function main() {
   ensurePrettierConfig(projectRoot)
   ensureHooks(projectRoot)
   ensureHooksPath(projectRoot)
+  ensureSecurityScripts(projectRoot)
+  ensurePackageScripts(projectRoot)
   ensureVscodeSettings(projectRoot)
   ensureVscodeExtensions(projectRoot)