npm - @aspect-guard/core - Versions diffs - 0.5.1 → 0.5.2 - Mend

@aspect-guard/core 0.5.1 → 0.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/index.d.ts CHANGED Viewed

@@ -265,6 +265,77 @@ declare class RuleRegistry {
 }
 declare const ruleRegistry: RuleRegistry;
+/**
+ * Shared pattern matching utilities for detection rules.
+ * Reduces code duplication across rules and improves maintainability.
+ */
+/**
+ * Pattern definition for matching in file content
+ */
+interface MatchPattern {
+    /** Name of the pattern for evidence reporting */
+    name: string;
+    /** Regex pattern (should have 'g' flag for multiple matches) */
+    pattern: RegExp;
+    /** If specified, use this capture group for the matched value */
+    matchGroup?: number;
+}
+/**
+ * Options for file filtering
+ */
+interface FileFilterOptions {
+    /** File extensions to include (e.g., ['.js', '.ts']) */
+    extensions?: string[];
+    /** Regex patterns to exclude files */
+    excludePatterns?: RegExp[];
+}
+/**
+ * Options for pattern matching
+ */
+interface MatchOptions {
+    /** Maximum length for snippet in evidence */
+    maxSnippetLength?: number;
+    /** Function to validate matched value (return false to skip) */
+    validate?: (value: string, content: string, matchIndex: number) => boolean;
+}
+/** Default code file extensions */
+declare const CODE_EXTENSIONS: string[];
+/** Simple JS/TS extensions */
+declare const JS_TS_EXTENSIONS: string[];
+/**
+ * Check if a file should be processed based on extension
+ */
+declare function hasExtension(filePath: string, extensions: string[]): boolean;
+/**
+ * Check if a file matches any exclusion pattern
+ */
+declare function isExcluded(filePath: string, patterns: RegExp[]): boolean;
+/**
+ * Get line number from content index (1-based)
+ */
+declare function getLineNumber(content: string, index: number): number;
+/**
+ * Get line content at a specific line number (1-based)
+ */
+declare function getLineContent(lines: string[], lineNumber: number): string;
+/**
+ * Check if an index position is inside a comment
+ */
+declare function isInComment(content: string, matchIndex: number): boolean;
+/**
+ * Match all patterns in a single file and generate evidence
+ */
+declare function matchPatternsInFile(filePath: string, content: string, patterns: MatchPattern[], options?: MatchOptions): Evidence[];
+/**
+ * Match patterns across all files with filtering
+ */
+declare function matchPatternsInFiles(files: Map<string, string>, patterns: MatchPattern[], filterOptions?: FileFilterOptions, matchOptions?: MatchOptions): Evidence[];
+/**
+ * Check if content within a context window matches a pattern
+ */
+declare function hasPatternInContext(content: string, matchIndex: number, matchLength: number, contextPattern: RegExp, contextWindow?: number): boolean;
 declare function registerBuiltInRules(): void;
 /**
@@ -752,6 +823,6 @@ declare function generateBaseline(_extensionPaths: string[], _outputPath?: strin
     errors: string[];
 }>;
-declare const VERSION = "0.5.1";
+declare const VERSION = "0.5.2";
-export { ALL_POPULAR_EXTENSIONS, type AdjustFindingsOptions, type AuditReport, type BundleDetectionResult, DETECTION_RULES, type DetectedIDE, type DetectionRule, type Evidence, type ExtensionCategory, ExtensionGuardScanner, type ExtensionHash, type ExtensionInfo, type ExtensionManifest, type Finding, type FindingCategory, type FullScanReport, type HashDatabase, IDE_PATHS, type InspectOptions, type IntegrityInfo, type IntegrityResult, type IntegrityStatus, JsonReporter, MEGA_POPULAR_EXTENSIONS, MarkdownReporter, POPULAR_EXTENSIONS, type PolicyAction, type PolicyConfig, PolicyEngine, type PolicyRules, type PolicyViolation, type PopularExtension, type Reporter, type ReporterOptions, type RiskLevel, RuleEngine, type RuleEngineOptions, SEVERITY_ORDER, SarifReporter, type ScanOptions, type ScanResult, type ScanSummary, type Severity, TRUSTED_EXTENSION_IDS, TRUSTED_PUBLISHERS, VERIFIED_PUBLISHERS, VERSION, addHash, adjustFindings, categorizeExtension, clearHashCache, collectFiles, compareSeverity, computeExtensionHashes, createHashRecord, detectBundle, detectIDEPaths, expandPath, generateBaseline, getDefaultDatabasePath, getHash, getIDEExtensionPath, getPopularityTier, getSupportedIDEs, isAtLeastSeverity, isBundleOutputPath, isIDEInstalled, isMegaPopular, isPopular, isTrustedExtension, isTrustedPublisher, isVerifiedPublisher, loadHashDatabase, loadPolicyConfig, readExtension, readExtensionsFromDirectory, registerBuiltInRules, ruleRegistry, saveHashDatabase, sha256, shouldCollectFile, shouldReduceSeverityForBundle, verifyIntegrity };
+export { ALL_POPULAR_EXTENSIONS, type AdjustFindingsOptions, type AuditReport, type BundleDetectionResult, CODE_EXTENSIONS, DETECTION_RULES, type DetectedIDE, type DetectionRule, type Evidence, type ExtensionCategory, ExtensionGuardScanner, type ExtensionHash, type ExtensionInfo, type ExtensionManifest, type FileFilterOptions, type Finding, type FindingCategory, type FullScanReport, type HashDatabase, IDE_PATHS, type InspectOptions, type IntegrityInfo, type IntegrityResult, type IntegrityStatus, JS_TS_EXTENSIONS, JsonReporter, MEGA_POPULAR_EXTENSIONS, MarkdownReporter, type MatchOptions, type MatchPattern, POPULAR_EXTENSIONS, type PolicyAction, type PolicyConfig, PolicyEngine, type PolicyRules, type PolicyViolation, type PopularExtension, type Reporter, type ReporterOptions, type RiskLevel, RuleEngine, type RuleEngineOptions, SEVERITY_ORDER, SarifReporter, type ScanOptions, type ScanResult, type ScanSummary, type Severity, TRUSTED_EXTENSION_IDS, TRUSTED_PUBLISHERS, VERIFIED_PUBLISHERS, VERSION, addHash, adjustFindings, categorizeExtension, clearHashCache, collectFiles, compareSeverity, computeExtensionHashes, createHashRecord, detectBundle, detectIDEPaths, expandPath, generateBaseline, getDefaultDatabasePath, getHash, getIDEExtensionPath, getLineContent, getLineNumber, getPopularityTier, getSupportedIDEs, hasExtension, hasPatternInContext, isAtLeastSeverity, isBundleOutputPath, isExcluded, isIDEInstalled, isInComment, isMegaPopular, isPopular, isTrustedExtension, isTrustedPublisher, isVerifiedPublisher, loadHashDatabase, loadPolicyConfig, matchPatternsInFile, matchPatternsInFiles, readExtension, readExtensionsFromDirectory, registerBuiltInRules, ruleRegistry, saveHashDatabase, sha256, shouldCollectFile, shouldReduceSeverityForBundle, verifyIntegrity };

package/dist/index.js CHANGED Viewed

@@ -1110,8 +1110,89 @@ var critDataExfiltration = {
   }
 };
+// src/rules/pattern-matcher.ts
+var CODE_EXTENSIONS = [".js", ".ts", ".jsx", ".tsx", ".mjs", ".cjs"];
+var JS_TS_EXTENSIONS = [".js", ".ts"];
+function hasExtension(filePath, extensions) {
+  return extensions.some((ext) => filePath.endsWith(ext));
+}
+function isExcluded(filePath, patterns) {
+  return patterns.some((pattern) => pattern.test(filePath));
+}
+function getLineNumber(content, index) {
+  return content.slice(0, index).split("\n").length;
+}
+function getLineContent(lines, lineNumber) {
+  return lines[lineNumber - 1]?.trim() ?? "";
+}
+function isInComment(content, matchIndex) {
+  const lineStart = content.lastIndexOf("\n", matchIndex) + 1;
+  const lineContent = content.slice(lineStart, matchIndex);
+  if (lineContent.includes("//")) {
+    return true;
+  }
+  const beforeMatch = content.slice(0, matchIndex);
+  const lastBlockStart = beforeMatch.lastIndexOf("/*");
+  const lastBlockEnd = beforeMatch.lastIndexOf("*/");
+  return lastBlockStart > lastBlockEnd;
+}
+function matchPatternsInFile(filePath, content, patterns, options = {}) {
+  const evidences = [];
+  const lines = content.split("\n");
+  const maxSnippetLength = options.maxSnippetLength ?? 100;
+  for (const { name, pattern, matchGroup } of patterns) {
+    pattern.lastIndex = 0;
+    let match;
+    while ((match = pattern.exec(content)) !== null) {
+      const matchIndex = match.index;
+      const matchedValue = matchGroup !== void 0 ? match[matchGroup] : match[0];
+      if (!matchedValue) {
+        continue;
+      }
+      if (options.validate && !options.validate(matchedValue, content, matchIndex)) {
+        continue;
+      }
+      const lineNumber = getLineNumber(content, matchIndex);
+      const lineContent = getLineContent(lines, lineNumber);
+      evidences.push({
+        filePath,
+        lineNumber,
+        lineContent: lineContent.length > maxSnippetLength ? lineContent.slice(0, maxSnippetLength) + "..." : lineContent,
+        matchedPattern: name,
+        snippet: matchedValue.length > maxSnippetLength ? matchedValue.slice(0, maxSnippetLength) + "..." : matchedValue
+      });
+    }
+  }
+  return evidences;
+}
+function matchPatternsInFiles(files, patterns, filterOptions = {}, matchOptions = {}) {
+  const evidences = [];
+  const extensions = filterOptions.extensions ?? JS_TS_EXTENSIONS;
+  const excludePatterns = filterOptions.excludePatterns ?? [];
+  for (const [filePath, content] of files) {
+    if (!hasExtension(filePath, extensions)) {
+      continue;
+    }
+    if (excludePatterns.length > 0 && isExcluded(filePath, excludePatterns)) {
+      continue;
+    }
+    if (!content || content.trim().length === 0) {
+      continue;
+    }
+    const fileEvidences = matchPatternsInFile(filePath, content, patterns, matchOptions);
+    evidences.push(...fileEvidences);
+  }
+  return evidences;
+}
+function hasPatternInContext(content, matchIndex, matchLength, contextPattern, contextWindow = 200) {
+  const startIndex = Math.max(0, matchIndex - contextWindow);
+  const endIndex = Math.min(content.length, matchIndex + matchLength + contextWindow);
+  const context = content.slice(startIndex, endIndex);
+  return contextPattern.test(context);
+}
 // src/rules/built-in/crit-remote-execution.ts
-var DANGEROUS_PATTERNS = [
+var PATTERNS = [
   { name: "eval", pattern: /\beval\s*\(/g },
   { name: "Function-constructor", pattern: /new\s+Function\s*\(/g },
   {
@@ -1124,9 +1205,9 @@ var DANGEROUS_PATTERNS = [
   },
   { name: "child_process-spawn-shell", pattern: /\.spawn\s*\([^)]*\{[^}]*shell\s*:\s*true/g },
   { name: "vm-runInContext", pattern: /vm\.run(?:InContext|InNewContext|InThisContext)\s*\(/g },
-  { name: "vm-Script", pattern: /new\s+vm\.Script\s*\(/g }
+  { name: "vm-Script", pattern: /new\s+vm\.Script\s*\(/g },
+  { name: "dynamic-require", pattern: /require\s*\(\s*(?:[^'"`\s)]|`[^`]*\$\{)/g }
 ];
-var DYNAMIC_REQUIRE = /require\s*\(\s*(?:[^'"`\s)]|`[^`]*\$\{)/g;
 var critRemoteExecution = {
   id: "EG-CRIT-002",
   name: "Remote Code Execution",
@@ -1136,40 +1217,7 @@ var critRemoteExecution = {
   mitreAttackId: "T1059",
   enabled: true,
   detect(files, _manifest) {
-    const evidences = [];
-    for (const [filePath, content] of files) {
-      if (!filePath.endsWith(".js") && !filePath.endsWith(".ts")) {
-        continue;
-      }
-      const lines = content.split("\n");
-      for (const { name, pattern } of DANGEROUS_PATTERNS) {
-        pattern.lastIndex = 0;
-        let match2;
-        while ((match2 = pattern.exec(content)) !== null) {
-          const lineNumber = content.slice(0, match2.index).split("\n").length;
-          evidences.push({
-            filePath,
-            lineNumber,
-            lineContent: lines[lineNumber - 1]?.trim(),
-            matchedPattern: name,
-            snippet: match2[0]
-          });
-        }
-      }
-      DYNAMIC_REQUIRE.lastIndex = 0;
-      let match;
-      while ((match = DYNAMIC_REQUIRE.exec(content)) !== null) {
-        const lineNumber = content.slice(0, match.index).split("\n").length;
-        evidences.push({
-          filePath,
-          lineNumber,
-          lineContent: lines[lineNumber - 1]?.trim(),
-          matchedPattern: "dynamic-require",
-          snippet: match[0]
-        });
-      }
-    }
-    return evidences;
+    return matchPatternsInFiles(files, PATTERNS);
   }
 };
@@ -1199,41 +1247,40 @@ var critCredentialAccess = {
   mitreAttackId: "T1552.004",
   enabled: true,
   detect(files, _manifest) {
-    const evidences = [];
-    for (const [filePath, content] of files) {
-      if (!filePath.endsWith(".js") && !filePath.endsWith(".ts")) {
-        continue;
-      }
-      const lines = content.split("\n");
-      for (const { name, pattern } of SENSITIVE_PATHS) {
-        pattern.lastIndex = 0;
-        let match;
-        while ((match = pattern.exec(content)) !== null) {
-          const startIndex = Math.max(0, match.index - 200);
-          const endIndex = Math.min(content.length, match.index + match[0].length + 200);
-          const context = content.slice(startIndex, endIndex);
-          if (FILE_READ_CONTEXT.test(context)) {
-            const lineNumber = content.slice(0, match.index).split("\n").length;
-            evidences.push({
-              filePath,
-              lineNumber,
-              lineContent: lines[lineNumber - 1]?.trim(),
-              matchedPattern: name,
-              snippet: match[0]
-            });
-          }
-        }
+    return matchPatternsInFiles(
+      files,
+      SENSITIVE_PATHS,
+      {},
+      {
+        validate: (value, content, matchIndex) => hasPatternInContext(content, matchIndex, value.length, FILE_READ_CONTEXT, 200)
       }
-    }
-    return evidences;
+    );
   }
 };
 // src/rules/built-in/high-suspicious-network.ts
-var HTTP_TO_IP = /(?:fetch|axios(?:\.(?:get|post|put|delete|request))?|https?\.(?:get|post|request)|XMLHttpRequest)\s*\([^)]*['"`]https?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/g;
-var DYNAMIC_URL = /(?:fetch|axios|https?\.request)\s*\(\s*(?:`[^`]*\$\{|['"][^'"]*['"]\s*\+\s*\w)/g;
-var WEBSOCKET_TO_IP = /new\s+WebSocket\s*\(\s*['"`]wss?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/g;
-var UNUSUAL_PORTS = /['"`]https?:\/\/[^'"`:]+:(?!443|80|8080|3000|8443|5000)[0-9]{2,5}/g;
+var PATTERNS2 = [
+  // HTTP requests to IP addresses instead of domains
+  {
+    name: "http-to-ip",
+    pattern: /(?:fetch|axios(?:\.(?:get|post|put|delete|request))?|https?\.(?:get|post|request)|XMLHttpRequest)\s*\([^)]*['"`]https?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/g
+  },
+  // Dynamic URL construction (template literals or concatenation)
+  {
+    name: "dynamic-url",
+    pattern: /(?:fetch|axios|https?\.request)\s*\(\s*(?:`[^`]*\$\{|['"][^'"]*['"]\s*\+\s*\w)/g
+  },
+  // WebSocket connections to IP addresses
+  {
+    name: "websocket-to-ip",
+    pattern: /new\s+WebSocket\s*\(\s*['"`]wss?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/g
+  },
+  // Unusual ports
+  {
+    name: "unusual-port",
+    pattern: /['"`]https?:\/\/[^'"`:]+:(?!443|80|8080|3000|8443|5000)[0-9]{2,5}/g
+  }
+];
 var highSuspiciousNetwork = {
   id: "EG-HIGH-002",
   name: "Suspicious Network Activity",
@@ -1243,34 +1290,7 @@ var highSuspiciousNetwork = {
   mitreAttackId: "T1071",
   enabled: true,
   detect(files, _manifest) {
-    const evidences = [];
-    for (const [filePath, content] of files) {
-      if (!filePath.endsWith(".js") && !filePath.endsWith(".ts")) {
-        continue;
-      }
-      const lines = content.split("\n");
-      const patterns = [
-        { pattern: HTTP_TO_IP, name: "http-to-ip" },
-        { pattern: DYNAMIC_URL, name: "dynamic-url" },
-        { pattern: WEBSOCKET_TO_IP, name: "websocket-to-ip" },
-        { pattern: UNUSUAL_PORTS, name: "unusual-port" }
-      ];
-      for (const { pattern, name } of patterns) {
-        pattern.lastIndex = 0;
-        let match;
-        while ((match = pattern.exec(content)) !== null) {
-          const lineNumber = content.slice(0, match.index).split("\n").length;
-          evidences.push({
-            filePath,
-            lineNumber,
-            lineContent: lines[lineNumber - 1]?.trim(),
-            matchedPattern: name,
-            snippet: match[0].slice(0, 100)
-          });
-        }
-      }
-    }
-    return evidences;
+    return matchPatternsInFiles(files, PATTERNS2);
   }
 };
@@ -1496,23 +1516,6 @@ function calculateSecretEntropy(str) {
   }
   return entropy;
 }
-function isInComment(content, matchIndex) {
-  const lineStart = content.lastIndexOf("\n", matchIndex) + 1;
-  const lineContent = content.slice(lineStart, matchIndex);
-  if (lineContent.includes("//")) {
-    return true;
-  }
-  const beforeMatch = content.slice(0, matchIndex);
-  const lastBlockStart = beforeMatch.lastIndexOf("/*");
-  const lastBlockEnd = beforeMatch.lastIndexOf("*/");
-  if (lastBlockStart > lastBlockEnd) {
-    return true;
-  }
-  return false;
-}
-function getLineNumber(content, index) {
-  return content.slice(0, index).split("\n").length;
-}
 var highHardcodedSecret = {
   id: "EG-HIGH-006",
   name: "Hardcoded Secrets",
@@ -3016,12 +3019,14 @@ var PolicyEngine = class {
 };
 // src/index.ts
-var VERSION = "0.5.1";
+var VERSION = "0.5.2";
 export {
   ALL_POPULAR_EXTENSIONS,
+  CODE_EXTENSIONS,
   DETECTION_RULES,
   ExtensionGuardScanner,
   IDE_PATHS,
+  JS_TS_EXTENSIONS,
   JsonReporter,
   MEGA_POPULAR_EXTENSIONS,
   MarkdownReporter,
@@ -3049,11 +3054,17 @@ export {
   getDefaultDatabasePath,
   getHash,
   getIDEExtensionPath,
+  getLineContent,
+  getLineNumber,
   getPopularityTier,
   getSupportedIDEs,
+  hasExtension,
+  hasPatternInContext,
   isAtLeastSeverity,
   isBundleOutputPath,
+  isExcluded,
   isIDEInstalled,
+  isInComment,
   isMegaPopular,
   isPopular,
   isTrustedExtension,
@@ -3061,6 +3072,8 @@ export {
   isVerifiedPublisher,
   loadHashDatabase,
   loadPolicyConfig,
+  matchPatternsInFile,
+  matchPatternsInFiles,
   readExtension,
   readExtensionsFromDirectory,
   registerBuiltInRules,