@archpublicwebsite/eslint-config 1.0.16 → 1.0.18

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@archpublicwebsite/eslint-config",
-  "version": "1.0.16",
+  "version": "1.0.18",
   "author": "Archipelago Hotels",
   "description": "Reusable ESLint flat config and git-hook toolkit for Archipelago projects",
   "type": "module",

package/tools/security/patterns.mjs

@@ -62,18 +62,6 @@ export const FILE_PATTERNS = [
     message: 'String.fromCharCode sequence — common technique to obfuscate malicious strings',
     regex: /String\.fromCharCode\s*\(\s*(?:\d+\s*,\s*){4,}\d+\s*\)/,
   },
-  {
-    id: 'unicode-bidi-control',
-    severity: 'critical',
-    message: 'Unicode bidi control characters detected — hidden code/trick rendering attack (Trojan Source)',
-    regex: /[\u202A-\u202E\u2066-\u2069]/,
-  },
-  {
-    id: 'zero-width-hidden-char',
-    severity: 'high',
-    message: 'Zero-width/invisible Unicode characters detected — possible hidden payload marker',
-    regex: /[\u200B-\u200D\uFEFF]/,
-  },
   {
     id: 'hex-string-obfuscation',
     severity: 'high',
@@ -91,17 +79,10 @@ export const FILE_PATTERNS = [
     configOnly: true,
   },
   {
-    id: 'http-in-config-require',
+    id: 'http-in-config',
     severity: 'critical',
     message: 'HTTP/HTTPS module in build config — potential data-exfiltration vector',
-    regex: /require\s*\(\s*['"](?:node:)?https?['"]\s*\)/,
-    configOnly: true,
-  },
-  {
-    id: 'http-in-config-import',
-    severity: 'critical',
-    message: 'HTTP/HTTPS module in build config — potential data-exfiltration vector',
-    regex: /from\s+['"](?:node:)?https?['"]/,
+    regex: /require\s*\(\s*['"](?:node:)?https?['"]\s*\)|from\s+['"](?:node:)?https?['"]/,
     configOnly: true,
   },
   {
@@ -183,26 +164,16 @@ export const FILE_PATTERNS = [
     id: 'function-constructor-via-array',
     severity: 'critical',
     message: 'Function constructor accessed via decoded array — used to run hidden payload without calling new Function() directly',
-    // Generalised: identifier assigned from decoded array accessor, then invoked.
-    regex: /=\s*\w+\s*\[\s*\w+\s*\]\s*;.{0,80}\w+\s*\(\s*\w+\s*,\s*\w+\s*\(\s*\w+\s*\)\s*\)/,
+    // Matches: var x = sfL[EKc]  where the array was built from a string decoder
+    // Generalised: identifier assigned from identifier[short-identifier] then called as a function
+    regex: /=\s*\w{2,5}\s*\[\s*\w{2,5}\s*\]\s*;[^;]{0,60}=\s*\w{2,5}\s*\(\s*\w+\s*,\s*\w{2,5}\s*\(\s*\w+\s*\)\s*\)/,
   },
   {
-    id: 'global-bracket-assignment-index',
+    id: 'global-bracket-assignment',
     severity: 'high',
     message: 'global[variable] assignment — indirect global mutation used to smuggle require/module references',
-    regex: /global\s*\[\s*[\w$]+\s*\[\s*\d+\s*\]\s*\]\s*=/,
-  },
-  {
-    id: 'global-bracket-assignment-string',
-    severity: 'high',
-    message: 'global[variable] assignment — indirect global mutation used to smuggle require/module references',
-    regex: /global\s*\[\s*['"][^'"]{1,40}['"]\s*\]\s*=/,
-  },
-  {
-    id: 'global-bracket-assignment-var',
-    severity: 'high',
-    message: 'global[variable] assignment — indirect global mutation used to smuggle require/module references',
-    regex: /global\s*\[\s*[\w$]+\s*\]\s*=/,
+    // Matches: global[anyVar[index]] = ...  OR  global['key'] = ...  OR  global[variable] = ...
+    regex: /global\s*\[\s*(?:[\w$]+\s*\[\s*\d+\s*\]|['"][^'"]{1,40}['"]|[\w$]+)\s*\]\s*=/,
   },
   {
     id: 'module-global-hijack',
@@ -210,18 +181,6 @@ export const FILE_PATTERNS = [
     message: 'global[...] = module — dropper technique to expose Node module reference as a global',
     regex: /global\s*\[.*?\]\s*=\s*module\b/,
   },
-  {
-    id: 'define-property-backdoor-getter',
-    severity: 'critical',
-    message: 'Object.defineProperty used to define hidden getter/setter/value with dynamic execution — potential backdoor',
-    regex: /Object\.defineProperty\s*\([^)]*\b(?:get|set)\s*:\s*(?:function|\([^)]*\)\s*=>)/,
-  },
-  {
-    id: 'define-property-backdoor-value',
-    severity: 'critical',
-    message: 'Object.defineProperty used to define hidden getter/setter/value with dynamic execution — potential backdoor',
-    regex: /Object\.defineProperty\s*\([^)]*\bvalue\s*:\s*(?:eval\s*\(|new\s+Function\s*\(|require\s*\()/,
-  },
 ]
 
 // ─── Install-script patterns ───────────────────────────────────────────────────

package/tools/security/test-patterns.mjs

@@ -25,7 +25,7 @@ const testCases = [
   },
   {
     label: 'Dropper — global bracket assignment via decoded array',
-    expectedId: 'global-bracket-assignment-index',
+    expectedId: 'global-bracket-assignment',
     line: "global[_$_1e42[2]]= module",
   },
   {
@@ -68,22 +68,7 @@ const testCases = [
   {
     label: 'Hex-escaped string payload',
     expectedId: 'hex-string-obfuscation',
-    line: String.raw`const k='\x68\x65\x6c\x6c\x6f\x77\x6f\x72\x6c\x64\x68\x65\x6c\x6c\x6f\x77\x6f\x72\x6c\x64\x20\x68'`,
-  },
-  {
-    label: 'Trojan Source (unicode bidi control)',
-    expectedId: 'unicode-bidi-control',
-    line: 'const safe = true;\u202E // hidden direction override',
-  },
-  {
-    label: 'Zero-width hidden character',
-    expectedId: 'zero-width-hidden-char',
-    line: 'const key = "api\u200BToken"',
-  },
-  {
-    label: 'defineProperty hidden getter backdoor',
-    expectedId: 'define-property-backdoor-getter',
-    line: 'Object.defineProperty(globalThis, "loader", { get: function(){ return eval(secret) } })',
+    line: `const k='\\x68\\x65\\x6c\\x6c\\x6f\\x77\\x6f\\x72\\x6c\\x64\\x68\\x65\\x6c\\x6c\\x6f\\x77\\x6f\\x72\\x6c\\x64\\x20\\x68'`,
   },
   {
     label: 'Prototype pollution',
@@ -125,6 +110,5 @@ for (const tc of testCases) {
 }
 
 console.log(`\n${'─'.repeat(50)}`)
-const failedText = failed > 0 ? `${RED}${BOLD}${failed} FAILED${R}` : ''
-console.log(`${passed} passed  ${failedText}`)
+console.log(`${passed} passed  ${failed > 0 ? `${RED}${BOLD}${failed} FAILED${R}` : ''}`)
 if (failed > 0) process.exit(1)