@cyberhub/shieldpm 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/README.md +239 -0
- package/dist/analyzer/static.d.ts +35 -0
- package/dist/analyzer/static.d.ts.map +1 -0
- package/dist/analyzer/static.js +416 -0
- package/dist/analyzer/static.js.map +1 -0
- package/dist/analyzer/typosquat.d.ts +30 -0
- package/dist/analyzer/typosquat.d.ts.map +1 -0
- package/dist/analyzer/typosquat.js +211 -0
- package/dist/analyzer/typosquat.js.map +1 -0
- package/dist/cli.d.ts +10 -0
- package/dist/cli.d.ts.map +1 -0
- package/dist/cli.js +621 -0
- package/dist/cli.js.map +1 -0
- package/dist/diff/dependency.d.ts +51 -0
- package/dist/diff/dependency.d.ts.map +1 -0
- package/dist/diff/dependency.js +222 -0
- package/dist/diff/dependency.js.map +1 -0
- package/dist/fingerprint/profile.d.ts +68 -0
- package/dist/fingerprint/profile.d.ts.map +1 -0
- package/dist/fingerprint/profile.js +233 -0
- package/dist/fingerprint/profile.js.map +1 -0
- package/dist/index.d.ts +21 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +22 -0
- package/dist/index.js.map +1 -0
- package/dist/monitor/permissions.d.ts +45 -0
- package/dist/monitor/permissions.d.ts.map +1 -0
- package/dist/monitor/permissions.js +265 -0
- package/dist/monitor/permissions.js.map +1 -0
- package/dist/sandbox/runner.d.ts +46 -0
- package/dist/sandbox/runner.d.ts.map +1 -0
- package/dist/sandbox/runner.js +216 -0
- package/dist/sandbox/runner.js.map +1 -0
- package/dist/utils/colors.d.ts +31 -0
- package/dist/utils/colors.d.ts.map +1 -0
- package/dist/utils/colors.js +54 -0
- package/dist/utils/colors.js.map +1 -0
- package/dist/utils/logger.d.ts +26 -0
- package/dist/utils/logger.d.ts.map +1 -0
- package/dist/utils/logger.js +77 -0
- package/dist/utils/logger.js.map +1 -0
- package/package.json +24 -0
- package/src/analyzer/static.ts +483 -0
- package/src/analyzer/typosquat.ts +272 -0
- package/src/cli.ts +700 -0
- package/src/diff/dependency.ts +297 -0
- package/src/fingerprint/profile.ts +333 -0
- package/src/index.ts +34 -0
- package/src/monitor/permissions.ts +330 -0
- package/src/sandbox/runner.ts +302 -0
- package/src/utils/colors.ts +58 -0
- package/src/utils/logger.ts +87 -0
- package/tsconfig.json +19 -0
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"profile.js","sourceRoot":"","sources":["../../src/fingerprint/profile.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAQ,KAAK,EAAE,MAAM,kBAAkB,CAAC;AAC7E,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AACpD,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AA0DzC,4EAA4E;AAE5E,MAAM,WAAW,GAAG,oBAAoB,CAAC;AAEzC,SAAS,WAAW,CAAC,OAAe,EAAE,IAAY,EAAE,OAAe;IACjE,OAAO,IAAI,CAAC,OAAO,EAAE,WAAW,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,OAAO,OAAO,CAAC,CAAC;AAClF,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,OAAe,EAAE,OAAwB;IACzE,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;IACvC,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAEtC,MAAM,IAAI,GAAG,WAAW,CAAC,OAAO,EAAE,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IACjE,MAAM,SAAS,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;IACxE,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,OAAe,EACf,IAAY,EACZ,OAAe;IAEf,MAAM,IAAI,GAAG,WAAW,CAAC,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;IACjD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAC1C,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAoB,CAAC;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,6EAA6E;AAE7E,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;AAC9E,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,CAAC,cAAc,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,CAAC,CAAC,CAAC;AAEnG,KAAK,UAAU,kBAAkB,CAAC,GAAW;IAC3C,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,KAAK,UAAU,IAAI,CAAC,CAAS;QAC3B,IAAI,OAAO,CAAC;QACZ,IAAI,CAAC;YACH,OAAO,GAAG,MAAM,OAAO,CAAC,CAAC,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;QACtD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;QACT,CAAC;QACD,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;YACjC,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;gBACxB,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC;oBAAE,MAAM,IAAI,CAAC,IAAI,CAAC,CAAC;YACnD,CAAC;iBAAM,IAAI,KAAK,
CAAC,MAAM,EAAE,IAAI,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;gBACpE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACnB,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,IAAI,CAAC,GAAG,CAAC,CAAC;IAChB,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC;AACtB,CAAC;AAED,SAAS,cAAc,CAAC,MAAc;IACpC,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;IAElC,mBAAmB;IACnB,MAAM,SAAS,GAAG,0CAA0C,CAAC;IAC7D,IAAI,CAAyB,CAAC;IAC9B,OAAO,CAAC,CAAC,GAAG,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC7C,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;IAED,aAAa;IACb,MAAM,QAAQ,GAAG,oDAAoD,CAAC;IACtE,OAAO,CAAC,CAAC,GAAG,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC5C,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;IAED,iBAAiB;IACjB,MAAM,WAAW,GAAG,yCAAyC,CAAC;IAC9D,OAAO,CAAC,CAAC,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC/C,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;IAED,OAAO,CAAC,GAAG,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;AAC7B,CAAC;AAED,SAAS,uBAAuB,CAAC,MAAc;IAC7C,MAAM,SAAS,GAAG,IAAI,GAAG,EAAU,CAAC;IAEpC,eAAe;IACf,MAAM,KAAK,GAAG,mCAAmC,CAAC;IAClD,IAAI,CAAyB,CAAC;IAC9B,OAAO,CAAC,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACzC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACtB,CAAC;IAED,mFAAmF;IACnF,MAAM,MAAM,GAAG,iDAAiD,CAAC;IACjE,OAAO,CAAC,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC1C,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACtB,CAAC;IAED,OAAO,CAAC,GAAG,SAAS,CAAC,CAAC,IAAI,EAAE,CAAC;AAC/B,CAAC;AAED,SAAS,cAAc,CAAC,MAAc;IACpC,MAAM,KAAK,GAAG,IAAI,GAAG,EAAU,CAAC;IAEhC,iDAAiD;IACjD,MAAM,IAAI,GAAG,yHAAyH,CAAC;IACvI,IAAI,CAAyB,CAAC;IAC9B,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACxC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,OAAO,CAAC,GAAG,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC;AAC3B,CAAC;AAED,SAAS,qBAAqB,CAAC,KAAe,EAAE,MAAc;IAC5D,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;IAEnC,cAAc;IACd,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,IAAI,CAAC,CAAC,QAAQ,C
AAC,OAAO,CAAC,EAAE,CAAC;YACxB,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAED,+BAA+B;IAC/B,MAAM,SAAS,GAAG,gDAAgD,CAAC;IACnE,IAAI,CAAyB,CAAC;IAC9B,OAAO,CAAC,CAAC,GAAG,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC7C,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACrB,CAAC;IAED,8CAA8C;IAC9C,IAAI,2DAA2D,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QAC7E,QAAQ,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;IACjC,CAAC;IAED,OAAO,CAAC,GAAG,QAAQ,CAAC,CAAC,IAAI,EAAE,CAAC;AAC9B,CAAC;AAED,4EAA4E;AAE5E;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,UAAkB,EAClB,IAAY,EACZ,OAAe;IAEf,MAAM,KAAK,GAAG,MAAM,kBAAkB,CAAC,UAAU,CAAC,CAAC;IAEnD,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IACrC,MAAM,YAAY,GAAG,IAAI,GAAG,EAAU,CAAC;IACvC,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IACrC,MAAM,UAAU,GAA2B,EAAE,CAAC;IAC9C,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,IAAI,eAAe,GAAG,EAAE,CAAC;IAEzB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,OAAe,CAAC;QACpB,IAAI,CAAC;YACH,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAC1C,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QAED,MAAM,OAAO,GAAG,QAAQ,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;QAC3C,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAChE,UAAU,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC;QAC3B,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC3B,SAAS,IAAI,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QACxC,eAAe,IAAI,OAAO,GAAG,IAAI,CAAC;QAElC,KAAK,MAAM,GAAG,IAAI,cAAc,CAAC,OAAO,CAAC;YAAE,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC/D,KAAK,MAAM,EAAE,IAAI,uBAAuB,CAAC,OAAO,CAAC;YAAE,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACxE,KAAK,MAAM,EAAE,IAAI,cAAc,CAAC,OAAO,CAAC;YAAE,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAC/D,CAAC;IAED,MAAM,WAAW,GAAG,UAAU,CAAC,QAAQ,CAAC;SACrC,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;SAC/B,MAAM,CAAC,KAAK,CAAC,CAAC;IAEjB,MAAM,cAAc,GAAG,qBAAqB,CAC1C,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EACzC,eAAe,CAChB,CAAC;IAEF,OAAO;QACL,IAAI;QACJ,OAAO;QACP,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACrC,WAAW;QACX,UAAU;QACV,OAA
O,EAAE,CAAC,GAAG,UAAU,CAAC,CAAC,IAAI,EAAE;QAC/B,cAAc;QACd,gBAAgB,EAAE,CAAC,GAAG,YAAY,CAAC,CAAC,IAAI,EAAE;QAC1C,OAAO,EAAE,CAAC,GAAG,UAAU,CAAC,CAAC,IAAI,EAAE;QAC/B,SAAS,EAAE,KAAK,CAAC,MAAM;QACvB,SAAS;KACV,CAAC;AACJ,CAAC;AAED,4EAA4E;AAE5E,SAAS,SAAS,CAAI,MAAW,EAAE,MAAW;IAC5C,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;IAC/B,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;IAC/B,OAAO;QACL,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QAC3C,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;KAC9C,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,UAA2B,EAAE,UAA2B;IACnF,MAAM,UAAU,GAAG,SAAS,CAAC,UAAU,CAAC,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC,CAAC;IACrE,MAAM,OAAO,GAAG,SAAS,CAAC,UAAU,CAAC,gBAAgB,EAAE,UAAU,CAAC,gBAAgB,CAAC,CAAC;IACpF,MAAM,MAAM,GAAG,SAAS,CAAC,UAAU,CAAC,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC,CAAC;IACjE,MAAM,UAAU,GAAG,SAAS,CAAC,UAAU,CAAC,cAAc,EAAE,UAAU,CAAC,cAAc,CAAC,CAAC;IAEnF,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;IACpD,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;IACpD,MAAM,QAAQ,GAAG,SAAS,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAE/C,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;IACjE,MAAM,YAAY,GAAG,WAAW,CAAC,MAAM,CACrC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,KAAK,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,CAC7D,CAAC;IAEF,MAAM,kBAAkB,GAAG,UAAU,CAAC,WAAW,KAAK,UAAU,CAAC,WAAW,CAAC;IAE7E,gBAAgB;IAChB,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,MAAM,cAAc,CAAC,CAAC;IAClF,IAAI,QAAQ,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,OAAO,CAAC,MAAM,gBAAgB,CAAC,CAAC;IACxF,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,MAAM,gBAAgB,CAAC,CAAC;IAChF,IAAI,UAAU,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,KAAK,CAAC,MAAM,cAAc,CAAC,CAAC;IACtF,IAAI,UAAU,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC;Q
AAE,KAAK,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,OAAO,CAAC,MAAM,kBAAkB,CAAC,CAAC;IAC9F,IAAI,OAAO,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,MAAM,wBAAwB,CAAC,CAAC;IAC1F,IAAI,UAAU,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,KAAK,CAAC,MAAM,sBAAsB,CAAC,CAAC;IAE9F,MAAM,OAAO,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC;QAC9B,CAAC,CAAC,YAAY,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;QAChC,CAAC,CAAC,gCAAgC,CAAC;IAErC,OAAO;QACL,YAAY,EAAE,UAAU,CAAC,KAAK;QAC9B,cAAc,EAAE,UAAU,CAAC,OAAO;QAClC,qBAAqB,EAAE,OAAO,CAAC,KAAK;QACpC,uBAAuB,EAAE,OAAO,CAAC,OAAO;QACxC,YAAY,EAAE,MAAM,CAAC,KAAK;QAC1B,cAAc,EAAE,MAAM,CAAC,OAAO;QAC9B,mBAAmB,EAAE,UAAU,CAAC,KAAK;QACrC,qBAAqB,EAAE,UAAU,CAAC,OAAO;QACzC,UAAU,EAAE,QAAQ,CAAC,KAAK;QAC1B,YAAY,EAAE,QAAQ,CAAC,OAAO;QAC9B,YAAY;QACZ,kBAAkB;QAClB,OAAO;KACR,CAAC;AACJ,CAAC"}
|
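--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -0,0 +1,21 @@
+/**
+* ShieldPM — Public API
+* Runtime-aware package firewall for Node.js
+*
+* @module shieldpm
+*/
+export { analyzePackage, analyzeSource } from './analyzer/static.js';
+export type { Finding, RiskReport, Severity } from './analyzer/static.js';
+export { checkTyposquatting, checkMultiple, levenshtein, POPULAR_PACKAGES } from './analyzer/typosquat.js';
+export type { TyposquatResult, DetectionMethod } from './analyzer/typosquat.js';
+export { runSandboxed, runPostInstall } from './sandbox/runner.js';
+export type { SandboxOptions, SandboxResult } from './sandbox/runner.js';
+export { loadManifest, saveManifest, validateAccess, generateManifest } from './monitor/permissions.js';
+export type { PermissionManifest, PackagePermissions, AccessCheck, ResourceType } from './monitor/permissions.js';
+export { generateProfile, diffProfiles, saveProfile, loadProfile } from './fingerprint/profile.js';
+export type { BehaviorProfile, ProfileDiff } from './fingerprint/profile.js';
+export { diffLockfiles, diffLockfilesByPath } from './diff/dependency.js';
+export type { DependencyDiffReport, PackageDelta, DeltaFlag } from './diff/dependency.js';
+export { log } from './utils/logger.js';
+export * as colors from './utils/colors.js';
+//# sourceMappingURL=index.d.ts.map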
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrE,YAAY,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAG1E,OAAO,EAAE,kBAAkB,EAAE,aAAa,EAAE,WAAW,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3G,YAAY,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAGhF,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACnE,YAAY,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAGzE,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AACxG,YAAY,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAGlH,OAAO,EAAE,eAAe,EAAE,YAAY,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AACnG,YAAY,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAG7E,OAAO,EAAE,aAAa,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAC1E,YAAY,EAAE,oBAAoB,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AAG1F,OAAO,EAAE,GAAG,EAAE,MAAM,mBAAmB,CAAC;AACxC,OAAO,KAAK,MAAM,MAAM,mBAAmB,CAAC"}
|
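--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -0,0 +1,22 @@
+/**
+* ShieldPM — Public API
+* Runtime-aware package firewall for Node.js
+*
+* @module shieldpm
+*/
+// Static analysis
+export { analyzePackage, analyzeSource } from './analyzer/static.js';
+// Typosquatting detection
+export { checkTyposquatting, checkMultiple, levenshtein, POPULAR_PACKAGES } from './analyzer/typosquat.js';
+// Sandbox execution
+export { runSandboxed, runPostInstall } from './sandbox/runner.js';
+// Permission manifest
+export { loadManifest, saveManifest, validateAccess, generateManifest } from './monitor/permissions.js';
+// Behavioral fingerprinting
+export { generateProfile, diffProfiles, saveProfile, loadProfile } from './fingerprint/profile.js';
+// Dependency diff
+export { diffLockfiles, diffLockfilesByPath } from './diff/dependency.js';
+// Utilities
+export { log } from './utils/logger.js';
+export * as colors from './utils/colors.js';
+//# sourceMappingURL=index.js.map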
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,kBAAkB;AAClB,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAGrE,0BAA0B;AAC1B,OAAO,EAAE,kBAAkB,EAAE,aAAa,EAAE,WAAW,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAG3G,oBAAoB;AACpB,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAGnE,sBAAsB;AACtB,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAGxG,4BAA4B;AAC5B,OAAO,EAAE,eAAe,EAAE,YAAY,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAGnG,kBAAkB;AAClB,OAAO,EAAE,aAAa,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAG1E,YAAY;AACZ,OAAO,EAAE,GAAG,EAAE,MAAM,mBAAmB,CAAC;AACxC,OAAO,KAAK,MAAM,MAAM,mBAAmB,CAAC"}
|
|
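--- a/package/dist/monitor/permissions.d.ts
+++ b/package/dist/monitor/permissions.d.ts
@@ -0,0 +1,45 @@
+/**
+* ShieldPM — Permission Manifest System
+* Defines, loads, validates, and generates shieldpm.json permission manifests.
+*/
+export interface PackagePermissions {
+/** Allowed network destinations (glob patterns), or false to block all */
+net: string[] | false;
+/** Allowed filesystem paths (relative or absolute), or false to block all */
+fs: string[] | false;
+/** Whether native/C++ addons are allowed */
+native?: boolean;
+/** Whether child_process spawning is allowed */
+exec?: boolean;
+/** Whether environment variable access is allowed */
+env?: string[] | boolean;
+}
+export interface PermissionManifest {
+/** Manifest format version */
+version: 1;
+/** Per-package permission declarations */
+permissions: Record<string, PackagePermissions>;
+}
+export type ResourceType = 'net' | 'fs' | 'native' | 'exec' | 'env';
+export interface AccessCheck {
+allowed: boolean;
+rule: string;
+details: string;
+}
+/**
+* Load the permission manifest from disk.
+*/
+export declare function loadManifest(dir?: string): Promise<PermissionManifest | null>;
+/**
+* Save a permission manifest to disk.
+*/
+export declare function saveManifest(manifest: PermissionManifest, dir?: string): Promise<string>;
+/**
+* Check whether a package is allowed to access a resource.
+*/
+export declare function validateAccess(manifest: PermissionManifest, packageName: string, resource: ResourceType, target?: string): AccessCheck;
+/**
+* Auto-generate a permission manifest by scanning installed packages.
+*/
+export declare function generateManifest(projectDir: string): Promise<PermissionManifest>;
+//# sourceMappingURL=permissions.d.ts.map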
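Review bot: The doc comment on `fs` says entries may be "relative or absolute" but does not say what relative entries are resolved against; `validateAccess` in `dist/monitor/permissions.js` passes them through `resolve()`, which anchors them to `process.cwd()` at check time rather than to the directory the manifest was loaded from. Suggest `/** Allowed filesystem path prefixes; relative entries are resolved against process.cwd() at check time, or false to block all */`. Likewise `env` is typed `string[] | boolean` but its comment describes only the boolean form; `/** Environment access: true for all variables, an array of allowed variable names, or false/undefined to block */` would match what the implementation checks. This file is compiled from `src/monitor/permissions.ts`, which is where the comments should be changed.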
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"permissions.d.ts","sourceRoot":"","sources":["../../src/monitor/permissions.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAQH,MAAM,WAAW,kBAAkB;IACjC,0EAA0E;IAC1E,GAAG,EAAE,MAAM,EAAE,GAAG,KAAK,CAAC;IACtB,6EAA6E;IAC7E,EAAE,EAAE,MAAM,EAAE,GAAG,KAAK,CAAC;IACrB,4CAA4C;IAC5C,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,gDAAgD;IAChD,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,qDAAqD;IACrD,GAAG,CAAC,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC;CAC1B;AAED,MAAM,WAAW,kBAAkB;IACjC,8BAA8B;IAC9B,OAAO,EAAE,CAAC,CAAC;IACX,0CAA0C;IAC1C,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC;CACjD;AAED,MAAM,MAAM,YAAY,GAAG,KAAK,GAAG,IAAI,GAAG,QAAQ,GAAG,MAAM,GAAG,KAAK,CAAC;AAEpE,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;CACjB;AAYD;;GAEG;AACH,wBAAsB,YAAY,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAqBnF;AAED;;GAEG;AACH,wBAAsB,YAAY,CAAC,QAAQ,EAAE,kBAAkB,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAK9F;AAID;;GAEG;AACH,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,kBAAkB,EAC5B,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,YAAY,EACtB,MAAM,CAAC,EAAE,MAAM,GACd,WAAW,CAqIb;AAyBD;;GAEG;AACH,wBAAsB,gBAAgB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAyEtF"}
|
|
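--- a/package/dist/monitor/permissions.js
+++ b/package/dist/monitor/permissions.js
@@ -0,0 +1,265 @@
+/**
+* ShieldPM — Permission Manifest System
+* Defines, loads, validates, and generates shieldpm.json permission manifests.
+*/
+import { readFile, writeFile, readdir, stat } from 'node:fs/promises';
+import { join, resolve } from 'node:path';
+import { analyzePackage } from '../analyzer/static.js';
+// ── Default manifest path ────────────────────────────────────────────────
+const MANIFEST_FILENAME = 'shieldpm.json';
+function resolveManifestPath(dir) {
+return join(dir ?? process.cwd(), MANIFEST_FILENAME);
+}
+// ── Load / Save ──────────────────────────────────────────────────────────
+/**
+* Load the permission manifest from disk.
+*/
+export async function loadManifest(dir) {
+const path = resolveManifestPath(dir);
+try {
+const raw = await readFile(path, 'utf-8');
+const parsed = JSON.parse(raw);
+// Basic shape validation
+if (!parsed.permissions || typeof parsed.permissions !== 'object') {
+throw new Error('Invalid manifest: missing "permissions" object');
+}
+return {
+version: parsed.version ?? 1,
+permissions: parsed.permissions,
+};
+}
+catch (err) {
+if (err.code === 'ENOENT') {
+return null; // No manifest yet
+}
+throw err;
+}
+}
+/**
+* Save a permission manifest to disk.
+*/
+export async function saveManifest(manifest, dir) {
+const path = resolveManifestPath(dir);
+const json = JSON.stringify(manifest, null, 2) + '\n';
+await writeFile(path, json, 'utf-8');
+return path;
+}
+// ── Access validation ────────────────────────────────────────────────────
+/**
+* Check whether a package is allowed to access a resource.
+*/
+export function validateAccess(manifest, packageName, resource, target) {
+const perms = manifest.permissions[packageName];
+// No entry in manifest — default deny
+if (!perms) {
+return {
+allowed: false,
+rule: 'no-manifest-entry',
+details: `Package "${packageName}" has no entry in the permission manifest`,
+};
+}
+switch (resource) {
+case 'net': {
+if (perms.net === false) {
+return {
+allowed: false,
+rule: 'net-blocked',
+details: `Network access is blocked for "${packageName}"`,
+};
+}
+if (!target) {
+return {
+allowed: Array.isArray(perms.net) && perms.net.length > 0,
+rule: 'net-general',
+details: Array.isArray(perms.net)
+? `Network allowed to: ${perms.net.join(', ')}`
+: 'Network access not configured',
+};
+}
+// Check target against allowed patterns
+const allowed = matchesAnyPattern(target, perms.net);
+return {
+allowed,
+rule: allowed ? 'net-allowed' : 'net-denied',
+details: allowed
+? `"${target}" matches allowed network pattern`
+: `"${target}" does not match any allowed network pattern for "${packageName}"`,
+};
+}
+case 'fs': {
+if (perms.fs === false) {
+return {
+allowed: false,
+rule: 'fs-blocked',
+details: `Filesystem access is blocked for "${packageName}"`,
+};
+}
+if (!target) {
+return {
+allowed: Array.isArray(perms.fs) && perms.fs.length > 0,
+rule: 'fs-general',
+details: Array.isArray(perms.fs)
+? `FS allowed in: ${perms.fs.join(', ')}`
+: 'FS access not configured',
+};
+}
+const resolvedTarget = resolve(target);
+const allowed = perms.fs.some((pattern) => {
+const resolvedPattern = resolve(pattern);
+return resolvedTarget.startsWith(resolvedPattern);
+});
+return {
+allowed,
+rule: allowed ? 'fs-allowed' : 'fs-denied',
+details: allowed
+? `"${target}" is within allowed filesystem paths`
+: `"${target}" is not within any allowed filesystem path for "${packageName}"`,
+};
+}
+case 'native': {
+const allowed = perms.native === true;
+return {
+allowed,
+rule: allowed ? 'native-allowed' : 'native-denied',
+details: allowed
+? `Native modules allowed for "${packageName}"`
+: `Native modules blocked for "${packageName}"`,
+};
+}
+case 'exec': {
+const allowed = perms.exec === true;
+return {
+allowed,
+rule: allowed ? 'exec-allowed' : 'exec-denied',
+details: allowed
+? `Process execution allowed for "${packageName}"`
+: `Process execution blocked for "${packageName}"`,
+};
+}
+case 'env': {
+if (perms.env === false || perms.env === undefined) {
+return {
+allowed: false,
+rule: 'env-blocked',
+details: `Environment variable access blocked for "${packageName}"`,
+};
+}
+if (perms.env === true) {
+return {
+allowed: true,
+rule: 'env-allowed-all',
+details: `All environment variables allowed for "${packageName}"`,
+};
+}
+if (!target) {
+return {
+allowed: true,
+rule: 'env-general',
+details: `Env access allowed for: ${perms.env.join(', ')}`,
+};
+}
+const allowed = perms.env.includes(target);
+return {
+allowed,
+rule: allowed ? 'env-allowed' : 'env-denied',
+details: allowed
+? `Env var "${target}" is allowed for "${packageName}"`
+: `Env var "${target}" is not allowed for "${packageName}"`,
+};
+}
+default:
+return {
+allowed: false,
+rule: 'unknown-resource',
+details: `Unknown resource type: ${resource}`,
+};
+}
+}
+// ── Pattern matching ─────────────────────────────────────────────────────
+/**
+* Match a string against an array of glob-like patterns.
+* Supports: * (any), *.domain.com, exact match.
+*/
+function matchesAnyPattern(value, patterns) {
+for (const pattern of patterns) {
+if (pattern === '*')
+return true;
+// Convert glob pattern to regex
+const regexStr = pattern
+.replace(/\./g, '\\.')
+.replace(/\*/g, '.*');
+const regex = new RegExp(`^${regexStr}$`, 'i');
+if (regex.test(value))
+return true;
+}
+return false;
+}
+// ── Manifest generation ──────────────────────────────────────────────────
+/**
+* Auto-generate a permission manifest by scanning installed packages.
+*/
+export async function generateManifest(projectDir) {
+const manifest = {
+version: 1,
+permissions: {},
+};
+const nodeModules = join(projectDir, 'node_modules');
+let entries;
+try {
+entries = await readdir(nodeModules);
+}
+catch {
+return manifest; // No node_modules
+}
+// Collect package directories (including scoped packages)
+const packageDirs = [];
+for (const entry of entries) {
+if (entry.startsWith('.'))
+continue;
+const fullPath = join(nodeModules, entry);
+const entryStat = await stat(fullPath).catch(() => null);
+if (!entryStat?.isDirectory())
+continue;
+if (entry.startsWith('@')) {
+// Scoped package — look one level deeper
+const scopedEntries = await readdir(fullPath).catch(() => []);
+for (const scopedEntry of scopedEntries) {
+const scopedPath = join(fullPath, scopedEntry);
+const scopedStat = await stat(scopedPath).catch(() => null);
+if (scopedStat?.isDirectory()) {
+packageDirs.push({ name: `${entry}/${scopedEntry}`, dir: scopedPath });
+}
+}
+}
+else {
+packageDirs.push({ name: entry, dir: fullPath });
+}
+}
+// Analyze each package and build permissions
+for (const { name, dir } of packageDirs) {
+const report = await analyzePackage(dir);
+const perms = {
+net: false,
+fs: false,
+};
+// If the package uses network, allow it (but default to restrictive)
+if (report.categoryCounts['network']) {
+perms.net = []; // User must fill in allowed destinations
+}
+// If the package uses filesystem
+if (report.categoryCounts['filesystem']) {
+perms.fs = []; // User must fill in allowed paths
+}
+// If the package uses child_process
+if (report.categoryCounts['process']) {
+perms.exec = false; // Default deny, user opts in
+}
+// If the package accesses env
+if (report.categoryCounts['environment']) {
+perms.env = []; // User must fill in allowed vars
+}
+manifest.permissions[name] = perms;
+}
+return manifest;
+}
+//# sourceMappingURL=permissions.js.map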
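Review bot: In the `fs` case of `validateAccess`, `resolvedTarget.startsWith(resolvedPattern)` is a plain string-prefix test with no path-segment boundary, so an allow-list entry such as `/srv/app` would also admit `/srv/app-secrets` or `/srv/application` (illustrative paths). Replace the callback body with `const rel = relative(resolvedPattern, resolvedTarget);` and `return rel === '' || (!rel.startsWith('..') && !isAbsolute(rel));`, and extend the import to `import { join, resolve, relative, isAbsolute } from 'node:path';` so the check is "target is the allowed directory or inside it". Separately, the `env` branch returns `allowed: true` for an empty array when no target is given (`env-general`), whereas `net-general` and `fs-general` require `length > 0`; since `generateManifest` writes `env: []` as a fill-in placeholder, that placeholder is currently permissive for target-less env checks and should follow the same `length > 0` rule. The same code is in `src/monitor/permissions.ts`, from which this file is compiled.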
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"permissions.js","sourceRoot":"","sources":["../../src/monitor/permissions.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AACtE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAgCvD,4EAA4E;AAE5E,MAAM,iBAAiB,GAAG,eAAe,CAAC;AAE1C,SAAS,mBAAmB,CAAC,GAAY;IACvC,OAAO,IAAI,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE,EAAE,iBAAiB,CAAC,CAAC;AACvD,CAAC;AAED,4EAA4E;AAE5E;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,GAAY;IAC7C,MAAM,IAAI,GAAG,mBAAmB,CAAC,GAAG,CAAC,CAAC;IACtC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAE/B,yBAAyB;QACzB,IAAI,CAAC,MAAM,CAAC,WAAW,IAAI,OAAO,MAAM,CAAC,WAAW,KAAK,QAAQ,EAAE,CAAC;YAClE,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;QACpE,CAAC;QAED,OAAO;YACL,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,CAAC;YAC5B,WAAW,EAAE,MAAM,CAAC,WAAW;SAChC,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAK,GAA6B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACrD,OAAO,IAAI,CAAC,CAAC,kBAAkB;QACjC,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,QAA4B,EAAE,GAAY;IAC3E,MAAM,IAAI,GAAG,mBAAmB,CAAC,GAAG,CAAC,CAAC;IACtC,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC;IACtD,MAAM,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;IACrC,OAAO,IAAI,CAAC;AACd,CAAC;AAED,4EAA4E;AAE5E;;GAEG;AACH,MAAM,UAAU,cAAc,CAC5B,QAA4B,EAC5B,WAAmB,EACnB,QAAsB,EACtB,MAAe;IAEf,MAAM,KAAK,GAAG,QAAQ,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC;IAEhD,sCAAsC;IACtC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO;YACL,OAAO,EAAE,KAAK;YACd,IAAI,EAAE,mBAAmB;YACzB,OAAO,EAAE,YAAY,WAAW,2CAA2C;SAC5E,CAAC;IACJ,CAAC;IAED,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,KAAK,CAAC,CAAC,CAAC;YACX,IAAI,KAAK,CAAC,GAAG,KAAK,KAAK,EAAE,CAAC;gBACxB,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,IAAI,EAAE,aAAa;oBACnB,OAAO,EAAE,kCAAkC,WAAW,GAAG;iBAC1D,CAAC;YACJ,CAAC;YACD,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,OAAO;oBACL,OAAO,EAAE,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,KAAK
,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC;oBACzD,IAAI,EAAE,aAAa;oBACnB,OAAO,EAAE,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC;wBAC/B,CAAC,CAAC,uBAAuB,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;wBAC/C,CAAC,CAAC,+BAA+B;iBACpC,CAAC;YACJ,CAAC;YACD,wCAAwC;YACxC,MAAM,OAAO,GAAG,iBAAiB,CAAC,MAAM,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC;YACrD,OAAO;gBACL,OAAO;gBACP,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,YAAY;gBAC5C,OAAO,EAAE,OAAO;oBACd,CAAC,CAAC,IAAI,MAAM,mCAAmC;oBAC/C,CAAC,CAAC,IAAI,MAAM,qDAAqD,WAAW,GAAG;aAClF,CAAC;QACJ,CAAC;QAED,KAAK,IAAI,CAAC,CAAC,CAAC;YACV,IAAI,KAAK,CAAC,EAAE,KAAK,KAAK,EAAE,CAAC;gBACvB,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,IAAI,EAAE,YAAY;oBAClB,OAAO,EAAE,qCAAqC,WAAW,GAAG;iBAC7D,CAAC;YACJ,CAAC;YACD,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,OAAO;oBACL,OAAO,EAAE,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC,MAAM,GAAG,CAAC;oBACvD,IAAI,EAAE,YAAY;oBAClB,OAAO,EAAE,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;wBAC9B,CAAC,CAAC,kBAAkB,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;wBACzC,CAAC,CAAC,0BAA0B;iBAC/B,CAAC;YACJ,CAAC;YACD,MAAM,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;YACvC,MAAM,OAAO,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE;gBACxC,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;gBACzC,OAAO,cAAc,CAAC,UAAU,CAAC,eAAe,CAAC,CAAC;YACpD,CAAC,CAAC,CAAC;YACH,OAAO;gBACL,OAAO;gBACP,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,WAAW;gBAC1C,OAAO,EAAE,OAAO;oBACd,CAAC,CAAC,IAAI,MAAM,sCAAsC;oBAClD,CAAC,CAAC,IAAI,MAAM,oDAAoD,WAAW,GAAG;aACjF,CAAC;QACJ,CAAC;QAED,KAAK,QAAQ,CAAC,CAAC,CAAC;YACd,MAAM,OAAO,GAAG,KAAK,CAAC,MAAM,KAAK,IAAI,CAAC;YACtC,OAAO;gBACL,OAAO;gBACP,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,eAAe;gBAClD,OAAO,EAAE,OAAO;oBACd,CAAC,CAAC,+BAA+B,WAAW,GAAG;oBAC/C,CAAC,CAAC,+BAA+B,WAAW,GAAG;aAClD,CAAC;QACJ,CAAC;QAED,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,KAAK,IAAI,CAAC;YACpC,OAAO;gBACL,OAAO;gBACP,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,aAAa;gBAC9C,OAAO,EAAE,OAAO;oBACd,CAAC,CAAC,kCAAkC,WAAW,GAAG;oBAClD,CAAC,CAAC,kCAAkC,WAAW,GAAG;aACrD,CAAC;QACJ,
CAAC;QAED,KAAK,KAAK,CAAC,CAAC,CAAC;YACX,IAAI,KAAK,CAAC,GAAG,KAAK,KAAK,IAAI,KAAK,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;gBACnD,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,IAAI,EAAE,aAAa;oBACnB,OAAO,EAAE,4CAA4C,WAAW,GAAG;iBACpE,CAAC;YACJ,CAAC;YACD,IAAI,KAAK,CAAC,GAAG,KAAK,IAAI,EAAE,CAAC;gBACvB,OAAO;oBACL,OAAO,EAAE,IAAI;oBACb,IAAI,EAAE,iBAAiB;oBACvB,OAAO,EAAE,0CAA0C,WAAW,GAAG;iBAClE,CAAC;YACJ,CAAC;YACD,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,OAAO;oBACL,OAAO,EAAE,IAAI;oBACb,IAAI,EAAE,aAAa;oBACnB,OAAO,EAAE,2BAA2B,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;iBAC3D,CAAC;YACJ,CAAC;YACD,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YAC3C,OAAO;gBACL,OAAO;gBACP,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,YAAY;gBAC5C,OAAO,EAAE,OAAO;oBACd,CAAC,CAAC,YAAY,MAAM,qBAAqB,WAAW,GAAG;oBACvD,CAAC,CAAC,YAAY,MAAM,yBAAyB,WAAW,GAAG;aAC9D,CAAC;QACJ,CAAC;QAED;YACE,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,IAAI,EAAE,kBAAkB;gBACxB,OAAO,EAAE,0BAA0B,QAAQ,EAAE;aAC9C,CAAC;IACN,CAAC;AACH,CAAC;AAED,4EAA4E;AAE5E;;;GAGG;AACH,SAAS,iBAAiB,CAAC,KAAa,EAAE,QAAkB;IAC1D,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,IAAI,OAAO,KAAK,GAAG;YAAE,OAAO,IAAI,CAAC;QAEjC,gCAAgC;QAChC,MAAM,QAAQ,GAAG,OAAO;aACrB,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC;aACrB,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACxB,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,IAAI,QAAQ,GAAG,EAAE,GAAG,CAAC,CAAC;QAE/C,IAAI,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;IACrC,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,4EAA4E;AAE5E;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,UAAkB;IACvD,MAAM,QAAQ,GAAuB;QACnC,OAAO,EAAE,CAAC;QACV,WAAW,EAAE,EAAE;KAChB,CAAC;IAEF,MAAM,WAAW,GAAG,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC;IACrD,IAAI,OAAiB,CAAC;IAEtB,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,CAAC;IACvC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,QAAQ,CAAC,CAAC,kBAAkB;IACrC,CAAC;IAED,0DAA0D;IAC1D,MAAM,WAAW,GAAoC,EAAE,CAAC;IAExD,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,IAAI,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAS;QAEpC,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC;QAC1C,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,GAAG,EA
AE,CAAC,IAAI,CAAC,CAAC;QACzD,IAAI,CAAC,SAAS,EAAE,WAAW,EAAE;YAAE,SAAS;QAExC,IAAI,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1B,yCAAyC;YACzC,MAAM,aAAa,GAAG,MAAM,OAAO,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAc,CAAC,CAAC;YAC1E,KAAK,MAAM,WAAW,IAAI,aAAa,EAAE,CAAC;gBACxC,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;gBAC/C,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;gBAC5D,IAAI,UAAU,EAAE,WAAW,EAAE,EAAE,CAAC;oBAC9B,WAAW,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,GAAG,KAAK,IAAI,WAAW,EAAE,EAAE,GAAG,EAAE,UAAU,EAAE,CAAC,CAAC;gBACzE,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,WAAW,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,QAAQ,EAAE,CAAC,CAAC;QACnD,CAAC;IACH,CAAC;IAED,6CAA6C;IAC7C,KAAK,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,WAAW,EAAE,CAAC;QACxC,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,GAAG,CAAC,CAAC;QAEzC,MAAM,KAAK,GAAuB;YAChC,GAAG,EAAE,KAAK;YACV,EAAE,EAAE,KAAK;SACV,CAAC;QAEF,qEAAqE;QACrE,IAAI,MAAM,CAAC,cAAc,CAAC,SAAS,CAAC,EAAE,CAAC;YACrC,KAAK,CAAC,GAAG,GAAG,EAAE,CAAC,CAAC,yCAAyC;QAC3D,CAAC;QAED,iCAAiC;QACjC,IAAI,MAAM,CAAC,cAAc,CAAC,YAAY,CAAC,EAAE,CAAC;YACxC,KAAK,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,kCAAkC;QACnD,CAAC;QAED,oCAAoC;QACpC,IAAI,MAAM,CAAC,cAAc,CAAC,SAAS,CAAC,EAAE,CAAC;YACrC,KAAK,CAAC,IAAI,GAAG,KAAK,CAAC,CAAC,6BAA6B;QACnD,CAAC;QAED,8BAA8B;QAC9B,IAAI,MAAM,CAAC,cAAc,CAAC,aAAa,CAAC,EAAE,CAAC;YACzC,KAAK,CAAC,GAAG,GAAG,EAAE,CAAC,CAAC,iCAAiC;QACnD,CAAC;QAED,QAAQ,CAAC,WAAW,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC;IACrC,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}
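--- a/package/dist/sandbox/runner.d.ts
+++ b/package/dist/sandbox/runner.d.ts
@@ -0,0 +1,46 @@
+/**
+* ShieldPM — Sandbox Runner
+* Executes commands (especially postinstall scripts) in a restricted environment
+* with network blocking, timeout enforcement, and output capture.
+*/
+export interface SandboxOptions {
+/** Working directory for the command */
+cwd?: string;
+/** Timeout in milliseconds (default: 30000) */
+timeout?: number;
+/** Block network access (default: true) */
+blockNetwork?: boolean;
+/** Block environment variables (default: true) */
+blockEnv?: boolean;
+/** Allowed environment variable names to pass through */
+allowedEnvVars?: string[];
+/** Maximum stdout/stderr size in bytes (default: 1MB) */
+maxOutputSize?: number;
+/** Enable verbose logging of sandbox decisions */
+verbose?: boolean;
+}
+export interface SandboxResult {
+/** Process exit code (null if killed) */
+exitCode: number | null;
+/** Captured stdout */
+stdout: string;
+/** Captured stderr */
+stderr: string;
+/** Warnings generated during execution */
+warnings: string[];
+/** Actions that were blocked */
+blocked: string[];
+/** Whether the process was killed due to timeout */
+timedOut: boolean;
+/** Duration in milliseconds */
+durationMs: number;
+}
+/**
+* Run a command inside a restricted sandbox environment.
+*/
+export declare function runSandboxed(command: string, args?: string[], options?: SandboxOptions): Promise<SandboxResult>;
+/**
+* Run an npm postinstall script in the sandbox.
+*/
+export declare function runPostInstall(packageDir: string, script: string, options?: SandboxOptions): Promise<SandboxResult>;
+//# sourceMappingURL=runner.d.ts.map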
@@ -0,0 +1 @@
1
+
{"version":3,"file":"runner.d.ts","sourceRoot":"","sources":["../../src/sandbox/runner.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAOH,MAAM,WAAW,cAAc;IAC7B,wCAAwC;IACxC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,+CAA+C;IAC/C,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,2CAA2C;IAC3C,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,kDAAkD;IAClD,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,yDAAyD;IACzD,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,yDAAyD;IACzD,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,kDAAkD;IAClD,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,aAAa;IAC5B,yCAAyC;IACzC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,sBAAsB;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,sBAAsB;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,0CAA0C;IAC1C,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,gCAAgC;IAChC,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,oDAAoD;IACpD,QAAQ,EAAE,OAAO,CAAC;IAClB,+BAA+B;IAC/B,UAAU,EAAE,MAAM,CAAC;CACpB;AA8GD;;GAEG;AACH,wBAAsB,YAAY,CAChC,OAAO,EAAE,MAAM,EACf,IAAI,GAAE,MAAM,EAAO,EACnB,OAAO,GAAE,cAAmB,GAC3B,OAAO,CAAC,aAAa,CAAC,CA4HxB;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,cAAmB,GAC3B,OAAO,CAAC,aAAa,CAAC,CAQxB"}