@nodesecure/js-x-ray 11.3.0 → 11.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/AstAnalyser.d.ts +13 -0
- package/dist/AstAnalyser.d.ts.map +1 -1
- package/dist/AstAnalyser.js +11 -7
- package/dist/AstAnalyser.js.map +1 -1
- package/dist/CollectableSet.d.ts +8 -5
- package/dist/CollectableSet.d.ts.map +1 -1
- package/dist/CollectableSet.js +12 -8
- package/dist/CollectableSet.js.map +1 -1
- package/dist/CollectableSetRegistry.d.ts +4 -2
- package/dist/CollectableSetRegistry.d.ts.map +1 -1
- package/dist/CollectableSetRegistry.js +5 -2
- package/dist/CollectableSetRegistry.js.map +1 -1
- package/dist/ProbeRunner.d.ts +6 -1
- package/dist/ProbeRunner.d.ts.map +1 -1
- package/dist/ProbeRunner.js +31 -5
- package/dist/ProbeRunner.js.map +1 -1
- package/dist/ShadyLink.d.ts +1 -0
- package/dist/ShadyLink.d.ts.map +1 -1
- package/dist/ShadyLink.js +17 -9
- package/dist/ShadyLink.js.map +1 -1
- package/dist/SourceFile.d.ts +5 -3
- package/dist/SourceFile.d.ts.map +1 -1
- package/dist/SourceFile.js +17 -1
- package/dist/SourceFile.js.map +1 -1
- package/dist/VirtualVariableIdentifier.d.ts +9 -0
- package/dist/VirtualVariableIdentifier.d.ts.map +1 -0
- package/dist/VirtualVariableIdentifier.js +17 -0
- package/dist/VirtualVariableIdentifier.js.map +1 -0
- package/dist/probes/data-exfiltration.d.ts.map +1 -1
- package/dist/probes/data-exfiltration.js +21 -4
- package/dist/probes/data-exfiltration.js.map +1 -1
- package/dist/probes/isImportDeclaration.d.ts.map +1 -1
- package/dist/probes/isImportDeclaration.js +8 -3
- package/dist/probes/isImportDeclaration.js.map +1 -1
- package/dist/probes/isLiteral.d.ts.map +1 -1
- package/dist/probes/isLiteral.js +13 -1
- package/dist/probes/isLiteral.js.map +1 -1
- package/dist/probes/isRequire/InlinedRequire.d.ts +24 -0
- package/dist/probes/isRequire/InlinedRequire.d.ts.map +1 -0
- package/dist/probes/isRequire/InlinedRequire.js +88 -0
- package/dist/probes/isRequire/InlinedRequire.js.map +1 -0
- package/dist/probes/isSerializeEnv.d.ts +8 -4
- package/dist/probes/isSerializeEnv.d.ts.map +1 -1
- package/dist/probes/isSerializeEnv.js +37 -4
- package/dist/probes/isSerializeEnv.js.map +1 -1
- package/dist/probes/isUnsafeCommand.d.ts +4 -2
- package/dist/probes/isUnsafeCommand.d.ts.map +1 -1
- package/dist/probes/isUnsafeCommand.js +60 -51
- package/dist/probes/isUnsafeCommand.js.map +1 -1
- package/dist/probes/log-usage.d.ts +19 -0
- package/dist/probes/log-usage.d.ts.map +1 -0
- package/dist/probes/log-usage.js +53 -0
- package/dist/probes/log-usage.js.map +1 -0
- package/dist/probes/sql-injection.d.ts +12 -0
- package/dist/probes/sql-injection.d.ts.map +1 -0
- package/dist/probes/sql-injection.js +32 -0
- package/dist/probes/sql-injection.js.map +1 -0
- package/dist/utils/toLiteral.d.ts +3 -0
- package/dist/utils/toLiteral.d.ts.map +1 -0
- package/dist/utils/toLiteral.js +4 -0
- package/dist/utils/toLiteral.js.map +1 -0
- package/dist/warnings.d.ts +12 -2
- package/dist/warnings.d.ts.map +1 -1
- package/dist/warnings.js +10 -0
- package/dist/warnings.js.map +1 -1
- package/package.json +5 -2
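--- /dev/null
+++ b/package/dist/VirtualVariableIdentifier.d.ts
@@ -0,0 +1,9 @@
+import type { ESTree } from "meriyah";
+export type VirtualVariableLocation = ESTree.SourceLocation | null | undefined;
+export declare class VirtualVariableIdentifier {
+#private;
+static generate(name: string, location?: VirtualVariableLocation): string;
+static getLocation(virtualId: string): VirtualVariableLocation;
+static reset(): void;
+}
+//# sourceMappingURL=VirtualVariableIdentifier.d.ts.map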
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"VirtualVariableIdentifier.d.ts","sourceRoot":"","sources":["../src/VirtualVariableIdentifier.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAEtC,MAAM,MAAM,uBAAuB,GAAG,MAAM,CAAC,cAAc,GAAG,IAAI,GAAG,SAAS,CAAC;AAE/E,qBAAa,yBAAyB;;IAIpC,MAAM,CAAC,QAAQ,CACb,IAAI,EAAE,MAAM,EACZ,QAAQ,GAAE,uBAAmC,GAC5C,MAAM;IAOT,MAAM,CAAC,WAAW,CAChB,SAAS,EAAE,MAAM,GAChB,uBAAuB;IAI1B,MAAM,CAAC,KAAK,IAAI,IAAI;CAIrB"}
|
|
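--- /dev/null
+++ b/package/dist/VirtualVariableIdentifier.js
@@ -0,0 +1,17 @@
+export class VirtualVariableIdentifier {
+static #idToLocations = new Map();
+static #counter = 0;
+static generate(name, location = undefined) {
+const virtualId = `__virtual_${name}_${this.#counter++}__`;
+this.#idToLocations.set(virtualId, location);
+return virtualId;
+}
+static getLocation(virtualId) {
+return this.#idToLocations.get(virtualId);
+}
+static reset() {
+this.#counter = 0;
+this.#idToLocations.clear();
+}
+}
+//# sourceMappingURL=VirtualVariableIdentifier.js.map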
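Review bot: `VirtualVariableIdentifier` keeps all of its state in two static fields (`#idToLocations` at line 2, `#counter` at line 3), so generated ids and their locations are shared by every analysis running in the process and the Map only shrinks when `reset()` (lines 12-15) is called. A caller that does not call `reset()` between files accumulates entries indefinitely and can get another file's location back from `getLocation`, which also returns `undefined` for any id it does not know (plain `Map.get`). Whether `reset()` is invoked per SourceFile is not visible in this section; it deserves a header comment on the class such as `// Process-wide state: call reset() before each analysis, otherwise ids and locations leak across files.` and a `@returns undefined for unknown ids` note on `getLocation`.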
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"VirtualVariableIdentifier.js","sourceRoot":"","sources":["../src/VirtualVariableIdentifier.ts"],"names":[],"mappings":"AAKA,MAAM,OAAO,yBAAyB;IACpC,MAAM,CAAC,cAAc,GAAG,IAAI,GAAG,EAAmC,CAAC;IACnE,MAAM,CAAC,QAAQ,GAAG,CAAC,CAAC;IAEpB,MAAM,CAAC,QAAQ,CACb,IAAY,EACZ,WAAoC,SAAS;QAE7C,MAAM,SAAS,GAAG,aAAa,IAAI,IAAI,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC;QAC3D,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QAE7C,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,CAAC,WAAW,CAChB,SAAiB;QAEjB,OAAO,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAC5C,CAAC;IAED,MAAM,CAAC,KAAK;QACV,IAAI,CAAC,QAAQ,GAAG,CAAC,CAAC;QAClB,IAAI,CAAC,cAAc,CAAC,KAAK,EAAE,CAAC;IAC9B,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"data-exfiltration.d.ts","sourceRoot":"","sources":["../../src/probes/data-exfiltration.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"data-exfiltration.d.ts","sourceRoot":"","sources":["../../src/probes/data-exfiltration.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAGtC,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACtD,OAAO,EAAiC,KAAK,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AAatG,KAAK,0BAA0B,GAAG,MAAM,CAAC,MAAM,EAAE,mBAAmB,EAAE,CAAC,CAAC;AAExE,iBAAS,YAAY,CACnB,IAAI,EAAE,MAAM,CAAC,IAAI,EACjB,GAAG,EAAE,YAAY,GAChB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAsBjB;AAED,iBAAS,IAAI,CACX,IAAI,EAAE,MAAM,CAAC,cAAc,EAC3B,GAAG,EAAE,YAAY,CAAC,0BAA0B,CAAC,QAwB9C;AAED,iBAAS,UAAU,CACjB,GAAG,EAAE,YAAY,CAAC,0BAA0B,CAAC,QAoC9C;AAED,iBAAS,QAAQ,CAAC,GAAG,EAAE,YAAY,CAAC,0BAA0B,CAAC,QAO9D;AAED,QAAA,MAAM,iBAAiB;;;;;;;;CAQtB,CAAC;AAEF,eAAe,iBAAiB,CAAC"}
|
|
@@ -1,8 +1,10 @@
|
|
|
1
1
|
// Import Third-party Dependencies
|
|
2
2
|
import { getCallExpressionIdentifier } from "@nodesecure/estree-ast-utils";
|
|
3
|
+
import { VariableTracer } from "@nodesecure/tracer";
|
|
3
4
|
import { rootLocation, toArrayLocation } from "../utils/toArrayLocation.js";
|
|
4
5
|
import { generateWarning } from "../warnings.js";
|
|
5
6
|
// CONSTANTS
|
|
7
|
+
const kSensitiveModules = new Set(["os", "dns"]);
|
|
6
8
|
const kSensitiveMethods = [
|
|
7
9
|
"os.userInfo",
|
|
8
10
|
"os.networkInterfaces",
|
|
@@ -10,6 +12,9 @@ const kSensitiveMethods = [
|
|
|
10
12
|
"dns.getServers"
|
|
11
13
|
];
|
|
12
14
|
function validateNode(node, ctx) {
|
|
15
|
+
if (ctx.sourceFile.sensitivity === "aggressive") {
|
|
16
|
+
return [false];
|
|
17
|
+
}
|
|
13
18
|
const tracer = ctx.sourceFile.tracer;
|
|
14
19
|
const id = getCallExpressionIdentifier(node);
|
|
15
20
|
if (id === null) {
|
|
@@ -48,17 +53,21 @@ function main(node, ctx) {
|
|
|
48
53
|
}
|
|
49
54
|
}
|
|
50
55
|
function initialize(ctx) {
|
|
51
|
-
const { sourceFile
|
|
56
|
+
const { sourceFile, context } = ctx;
|
|
57
|
+
const { tracer } = sourceFile;
|
|
52
58
|
tracer
|
|
53
59
|
.trace("JSON.stringify", {
|
|
54
60
|
followConsecutiveAssignment: true
|
|
55
|
-
})
|
|
61
|
+
})
|
|
62
|
+
.trace("os.userInfo", {
|
|
56
63
|
moduleName: "os",
|
|
57
64
|
followConsecutiveAssignment: true
|
|
58
|
-
})
|
|
65
|
+
})
|
|
66
|
+
.trace("os.networkInterfaces", {
|
|
59
67
|
moduleName: "os",
|
|
60
68
|
followConsecutiveAssignment: true
|
|
61
|
-
})
|
|
69
|
+
})
|
|
70
|
+
.trace("os.cpus", {
|
|
62
71
|
moduleName: "os",
|
|
63
72
|
followConsecutiveAssignment: true
|
|
64
73
|
})
|
|
@@ -66,6 +75,14 @@ function initialize(ctx) {
|
|
|
66
75
|
moduleName: "dns",
|
|
67
76
|
followConsecutiveAssignment: true
|
|
68
77
|
});
|
|
78
|
+
if (sourceFile.sensitivity !== "aggressive") {
|
|
79
|
+
return;
|
|
80
|
+
}
|
|
81
|
+
tracer.on(VariableTracer.ImportEvent, ({ moduleName, location }) => {
|
|
82
|
+
if (kSensitiveModules.has(moduleName) && !(moduleName in context)) {
|
|
83
|
+
context[moduleName] = [toArrayLocation(location ?? undefined)];
|
|
84
|
+
}
|
|
85
|
+
});
|
|
69
86
|
}
|
|
70
87
|
function finalize(ctx) {
|
|
71
88
|
const { sourceFile, context } = ctx;
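Review bot: In the aggressive-mode listener added at the end of `initialize` (new lines 81-85), `!(moduleName in context)` means only the first import of `os` or `dns` is recorded and every later import site of the same module is dropped; if each site should be reported, append to the existing array instead of skipping. `in` also walks the prototype chain of the plain `context` object; with the names limited to `kSensitiveModules` this is harmless, but `Object.hasOwn(context, moduleName)` states the intent. Because `validateNode` (hunk above, new lines 15-17) returns `[false]` whenever sensitivity is aggressive, that mode reports imports instead of call sites, which is worth a comment on that early return, e.g. `// aggressive mode: imports of sensitive modules are reported by the ImportEvent listener in initialize(), so per-call analysis is skipped.` `finalize` begins at the bottom of this hunk and continues outside it.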
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"data-exfiltration.js","sourceRoot":"","sources":["../../src/probes/data-exfiltration.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,OAAO,EACL,2BAA2B,EAC5B,MAAM,8BAA8B,CAAC;
|
|
1
|
+
{"version":3,"file":"data-exfiltration.js","sourceRoot":"","sources":["../../src/probes/data-exfiltration.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,OAAO,EACL,2BAA2B,EAC5B,MAAM,8BAA8B,CAAC;AACtC,OAAO,EAAE,cAAc,EAA2B,MAAM,oBAAoB,CAAC;AAK7E,OAAO,EAAE,YAAY,EAAE,eAAe,EAA4B,MAAM,6BAA6B,CAAC;AACtG,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAEjD,YAAY;AACZ,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;AAEjD,MAAM,iBAAiB,GAAG;IACxB,aAAa;IACb,sBAAsB;IACtB,SAAS;IACT,gBAAgB;CACjB,CAAC;AAIF,SAAS,YAAY,CACnB,IAAiB,EACjB,GAAiB;IAEjB,IAAI,GAAG,CAAC,UAAU,CAAC,WAAW,KAAK,YAAY,EAAE,CAAC;QAChD,OAAO,CAAC,KAAK,CAAC,CAAC;IACjB,CAAC;IACD,MAAM,MAAM,GAAG,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC;IACrC,MAAM,EAAE,GAAG,2BAA2B,CAAC,IAAI,CAAC,CAAC;IAE7C,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;QAChB,OAAO,CAAC,KAAK,CAAC,CAAC;IACjB,CAAC;IACD,MAAM,IAAI,GAAG,MAAM,CAAC,qBAAqB,CAAC,EAAE,CAAC,CAAC;IAE9C,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,CAAC,sBAAsB,KAAK,gBAAgB,EAAE,CAAC;QACtE,OAAO,CAAC,KAAK,CAAC,CAAC;IACjB,CAAC;IAED,MAAM,UAAU,GAAG,IAA6B,CAAC;IACjD,IAAI,UAAU,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtC,OAAO,CAAC,KAAK,CAAC,CAAC;IACjB,CAAC;IAED,OAAO,CAAC,IAAI,CAAC,CAAC;AAChB,CAAC;AAED,SAAS,IAAI,CACX,IAA2B,EAC3B,GAA6C;IAE7C,MAAM,EAAE,UAAU,EAAE,GAAG,GAAG,CAAC;IAE3B,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IACnC,IAAI,QAAQ,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;QACvC,OAAO;IACT,CAAC;IACD,MAAM,EAAE,GAAG,2BAA2B,CAAC,QAAQ,CAAC,CAAC;IAEjD,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,OAAO;IACT,CAAC;IACD,MAAM,IAAI,GAAG,UAAU,CAAC,MAAM,CAAC,qBAAqB,CAAC,EAAE,CAAC,CAAC;IACzD,IAAI,iBAAiB,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,IAAI,EAAE,sBAAsB,KAAK,MAAM;WACzE,UAAU,CAAC,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAClE,MAAM,aAAa,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,sBAAuB,CAAC,CAAC;QACnE,IAAI,aAAa,EAAE,CAAC;YAClB,aAAa,CAAC,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,GAAG,IAAI,YAAY,EAAE,CAAC,CAAC,CAAC;QACtE,CAAC;aACI,CAAC;YACJ,GAAG,CAAC,OAAQ,CAAC,IAAI,EAAE,sBAAuB,CAAC,GAAG,CAAC,eAAe,CAAC,QAAQ,CAAC,GAAG,IAAI
,YAAY,EAAE,CAAC,CAAC,CAAC;QAClG,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,UAAU,CACjB,GAA6C;IAE7C,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC;IACpC,MAAM,EAAE,MAAM,EAAE,GAAG,UAAU,CAAC;IAC9B,MAAM;SACH,KAAK,CAAC,gBAAgB,EAAE;QACvB,2BAA2B,EAAE,IAAI;KAClC,CAAC;SACD,KAAK,CAAC,aAAa,EAAE;QACpB,UAAU,EAAE,IAAI;QAChB,2BAA2B,EAAE,IAAI;KAClC,CAAC;SACD,KAAK,CAAC,sBAAsB,EAAE;QAC7B,UAAU,EAAE,IAAI;QAChB,2BAA2B,EAAE,IAAI;KAClC,CAAC;SACD,KAAK,CAAC,SAAS,EAAE;QAChB,UAAU,EAAE,IAAI;QAChB,2BAA2B,EAAE,IAAI;KAClC,CAAC;SACD,KAAK,CAAC,gBAAgB,EAAE;QACvB,UAAU,EAAE,KAAK;QACjB,2BAA2B,EAAE,IAAI;KAClC,CAAC,CAAC;IAEL,IAAI,UAAU,CAAC,WAAW,KAAK,YAAY,EAAE,CAAC;QAC5C,OAAO;IACT,CAAC;IACD,MAAM,CAAC,EAAE,CAAC,cAAc,CAAC,WAAW,EAAE,CAAC,EACrC,UAAU,EACV,QAAQ,EACW,EAAE,EAAE;QACvB,IAAI,iBAAiB,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,IAAI,OAAQ,CAAC,EAAE,CAAC;YACnE,OAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,eAAe,CAAC,QAAQ,IAAI,SAAS,CAAC,CAAC,CAAC;QAClE,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,QAAQ,CAAC,GAA6C;IAC7D,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC;IACpC,IAAI,OAAO,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/C,MAAM,OAAO,GAAG,eAAe,CAAC,mBAAmB,EACjD,EAAE,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC9C,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,GAAG,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IACpF,CAAC;AACH,CAAC;AAED,MAAM,iBAAiB,GAAG;IACxB,IAAI,EAAE,kBAAkB;IACxB,YAAY;IACZ,UAAU;IACV,QAAQ;IACR,IAAI;IACJ,YAAY,EAAE,KAAK;IACnB,OAAO,EAAE,EAAE;CACZ,CAAC;AAEF,eAAe,iBAAiB,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"isImportDeclaration.d.ts","sourceRoot":"","sources":["../../src/probes/isImportDeclaration.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAGtC,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAGlD;;;;;;;GAOG;AACH,iBAAS,YAAY,CACnB,IAAI,EAAE,MAAM,CAAC,IAAI,GAChB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAUjB;AAED,iBAAS,IAAI,CACX,IAAI,EAAE,CACF,MAAM,CAAC,iBAAiB,GACxB,MAAM,CAAC,gBAAgB,CAC1B,GAAG;IAAE,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;CAAE,EAChC,OAAO,EAAE;IAAE,UAAU,EAAE,UAAU,CAAC;CAAE,
|
|
1
|
+
{"version":3,"file":"isImportDeclaration.d.ts","sourceRoot":"","sources":["../../src/probes/isImportDeclaration.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAGtC,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAGlD;;;;;;;GAOG;AACH,iBAAS,YAAY,CACnB,IAAI,EAAE,MAAM,CAAC,IAAI,GAChB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAUjB;AAED,iBAAS,IAAI,CACX,IAAI,EAAE,CACF,MAAM,CAAC,iBAAiB,GACxB,MAAM,CAAC,gBAAgB,CAC1B,GAAG;IAAE,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;CAAE,EAChC,OAAO,EAAE;IAAE,UAAU,EAAE,UAAU,CAAC;CAAE,QAmBrC;;;;;;;;AAED,wBAME"}
|
|
@@ -21,9 +21,14 @@ function validateNode(node) {
|
|
|
21
21
|
}
|
|
22
22
|
function main(node, options) {
|
|
23
23
|
const { sourceFile } = options;
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
24
|
+
if ([
|
|
25
|
+
// Searching for dangerous import "data:text/javascript;..." statement.
|
|
26
|
+
// see: https://2ality.com/2019/10/eval-via-import.html
|
|
27
|
+
"data:text/javascript",
|
|
28
|
+
// Searching for dangerous import "file:..." statement
|
|
29
|
+
// see: https://en.wikipedia.org/wiki/File_inclusion_vulnerability
|
|
30
|
+
"file:"
|
|
31
|
+
].some((suspiciousPath) => node.source.value.startsWith(suspiciousPath))) {
|
|
27
32
|
sourceFile.warnings.push(generateWarning("unsafe-import", { value: node.source.value, location: node.loc }));
|
|
28
33
|
}
|
|
29
34
|
sourceFile.addDependency(node.source.value, node.loc);
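Review bot: The new prefix check at line 31 is case-sensitive: `node.source.value.startsWith(suspiciousPath)` does not match a specifier whose scheme is written as `DATA:` or `File:`, although URL schemes are case-insensitive and the string is otherwise identical. Comparing a lowercased copy, `].some((suspiciousPath) => node.source.value.toLowerCase().startsWith(suspiciousPath))) {`, closes that gap while `addDependency` on line 34 still receives the original value. `main`'s parameter validation lives in `validateNode`, outside this hunk, so whether `value` is guaranteed to be a string here is not visible.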
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"isImportDeclaration.js","sourceRoot":"","sources":["../../src/probes/isImportDeclaration.ts"],"names":[],"mappings":"AAGA,+BAA+B;AAC/B,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAE9C,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAEjD;;;;;;;GAOG;AACH,SAAS,YAAY,CACnB,IAAiB;IAEjB,IAAI,IAAI,CAAC,IAAI,KAAK,mBAAmB,IAAI,IAAI,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;QAC1E,OAAO,CAAC,KAAK,CAAC,CAAC;IACjB,CAAC;IAED,yEAAyE;IACzE,OAAO;QACL,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,SAAS;YAC9B,OAAO,IAAI,CAAC,MAAM,CAAC,KAAK,KAAK,QAAQ;KACtC,CAAC;AACJ,CAAC;AAED,SAAS,IAAI,CACX,IAGgC,EAChC,OAAoC;IAEpC,MAAM,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC;IAE/B,uEAAuE;
|
|
1
|
+
{"version":3,"file":"isImportDeclaration.js","sourceRoot":"","sources":["../../src/probes/isImportDeclaration.ts"],"names":[],"mappings":"AAGA,+BAA+B;AAC/B,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAE9C,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAEjD;;;;;;;GAOG;AACH,SAAS,YAAY,CACnB,IAAiB;IAEjB,IAAI,IAAI,CAAC,IAAI,KAAK,mBAAmB,IAAI,IAAI,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;QAC1E,OAAO,CAAC,KAAK,CAAC,CAAC;IACjB,CAAC;IAED,yEAAyE;IACzE,OAAO;QACL,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,SAAS;YAC9B,OAAO,IAAI,CAAC,MAAM,CAAC,KAAK,KAAK,QAAQ;KACtC,CAAC;AACJ,CAAC;AAED,SAAS,IAAI,CACX,IAGgC,EAChC,OAAoC;IAEpC,MAAM,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC;IAE/B,IAAI;QACF,uEAAuE;QACvE,uDAAuD;QACvD,sBAAsB;QACtB,sDAAsD;QACtD,kEAAkE;QAClE,OAAO;KACR,CAAC,IAAI,CAAC,CAAC,cAAc,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC,EAAE,CAAC;QACzE,UAAU,CAAC,QAAQ,CAAC,IAAI,CACtB,eAAe,CACb,eAAe,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,CAClE,CACF,CAAC;IACJ,CAAC;IACD,UAAU,CAAC,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;AACxD,CAAC;AAED,eAAe;IACb,IAAI,EAAE,qBAAqB;IAC3B,YAAY;IACZ,IAAI;IACJ,YAAY,EAAE,IAAI;IAClB,UAAU,EAAE,QAAQ;CACrB,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"isLiteral.d.ts","sourceRoot":"","sources":["../../src/probes/isLiteral.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAItC,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;
|
|
1
|
+
{"version":3,"file":"isLiteral.d.ts","sourceRoot":"","sources":["../../src/probes/isLiteral.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAItC,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAGlD,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,8BAA8B,CAAC;AAK3E;;;;;GAKG;AACH,iBAAS,YAAY,CACnB,IAAI,EAAE,MAAM,CAAC,IAAI,GAChB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAIjB;AAED,iBAAS,IAAI,CACX,IAAI,EAAE,OAAO,CAAC,MAAM,CAAC,EACrB,OAAO,EAAE;IACP,UAAU,EAAE,UAAU,CAAC;IACvB,sBAAsB,EAAE,sBAAsB,CAAC;CAChD,QAyEF;;;;;;;AAED,wBAKE"}
|
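--- a/package/dist/probes/isLiteral.js
+++ b/package/dist/probes/isLiteral.js
@@ -5,9 +5,11 @@ import { Hex } from "@nodesecure/sec-literal";
 // Import Internal Dependencies
 import { ShadyLink } from "../ShadyLink.js";
 import { SourceFile } from "../SourceFile.js";
+import { toArrayLocation } from "../utils/toArrayLocation.js";
 import { generateWarning } from "../warnings.js";
 // CONSTANTS
 const kNodeDeps = new Set(builtinModules);
+const kEmailRegex = /^[^\.\s@:](?:[^\s@:]*[^\s@:.])?@[^\.\s@]+(?:\.[^.\s@]+)*$/;
 /**
 * @description Search for Literal AST Node
 * @see https://github.com/estree/estree/blob/master/es5.md#literal
@@ -25,7 +27,8 @@ function main(node, options) {
 const shadyLinkOptions = {
 file: sourceFile.path.location,
 collectableSetRegistry,
-location
+location,
+metadata: sourceFile.metadata
 };
 // We are searching for value obfuscated as hex of a minimum length of 4.
 if (/^[0-9A-Fa-f]{4,}$/g.test(node.value)) {
@@ -41,6 +44,15 @@ function main(node, options) {
 sourceFile.addEncodedLiteral(node.value, location);
 }
 }
+else if (collectableSetRegistry.has("email") && kEmailRegex.test(node.value)) {
+collectableSetRegistry.add("email", {
+value: node.value,
+file: sourceFile.path.location,
+location: toArrayLocation(location),
+metadata: sourceFile.metadata
+});
+return;
+}
 else if (ShadyLink.isValidIPAddress(node.value)) {
 const result = ShadyLink.isIpAddressSafe(node.value, shadyLinkOptions);
 if (!result.safe) {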
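Review bot: `kEmailRegex` (new line 12) accepts any `local@host` shape, including a host with no dot and with `:` or `/` in it, so literals such as `"lodash@4.17.21"` or `"git@github.com:org/repo"` (constructed examples) are collected as emails whenever the `email` set is enabled, and the `return` in the new branch (line 54) then skips the ShadyLink checks for them. If the collector is meant for mail addresses, excluding `:` and `/` from the host classes, e.g. the tail `@[^\.\s@:/]+(?:\.[^.\s@:/]+)*$`, drops both examples; making the last group `+` instead of `*` would additionally require a dot, at the cost of `user@localhost`-style values. The head of `main` is outside these hunks, so whether `node.value` is already narrowed to a string before `.test` is not visible here.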
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"isLiteral.js","sourceRoot":"","sources":["../../src/probes/isLiteral.ts"],"names":[],"mappings":"AAAA,8BAA8B;AAC9B,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE7C,kCAAkC;AAClC,OAAO,EAAE,GAAG,EAAE,MAAM,yBAAyB,CAAC;AAG9C,+BAA+B;AAC/B,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAE9C,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAGjD,YAAY;AACZ,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,cAAc,CAAC,CAAC;AAC1C;;;;;GAKG;AACH,SAAS,YAAY,CACnB,IAAiB;IAEjB,OAAO;QACL,IAAI,CAAC,IAAI,KAAK,SAAS,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ;KAC1D,CAAC;AACJ,CAAC;AAED,SAAS,IAAI,CACX,IAAqB,EACrB,OAGC;IAED,MAAM,EAAE,UAAU,EAAE,sBAAsB,EAAE,GAAG,OAAO,CAAC;IACvD,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,IAAI,KAAK,CAAC,CAAC;IAEpC,MAAM,gBAAgB,GAAG;QACvB,IAAI,EAAE,UAAU,CAAC,IAAI,CAAC,QAAQ;QAC9B,sBAAsB;QACtB,QAAQ;
|
|
1
|
+
{"version":3,"file":"isLiteral.js","sourceRoot":"","sources":["../../src/probes/isLiteral.ts"],"names":[],"mappings":"AAAA,8BAA8B;AAC9B,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE7C,kCAAkC;AAClC,OAAO,EAAE,GAAG,EAAE,MAAM,yBAAyB,CAAC;AAG9C,+BAA+B;AAC/B,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAE9C,OAAO,EAAE,eAAe,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAGjD,YAAY;AACZ,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,cAAc,CAAC,CAAC;AAC1C,MAAM,WAAW,GAAG,2DAA2D,CAAC;AAChF;;;;;GAKG;AACH,SAAS,YAAY,CACnB,IAAiB;IAEjB,OAAO;QACL,IAAI,CAAC,IAAI,KAAK,SAAS,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ;KAC1D,CAAC;AACJ,CAAC;AAED,SAAS,IAAI,CACX,IAAqB,EACrB,OAGC;IAED,MAAM,EAAE,UAAU,EAAE,sBAAsB,EAAE,GAAG,OAAO,CAAC;IACvD,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,IAAI,KAAK,CAAC,CAAC;IAEpC,MAAM,gBAAgB,GAAG;QACvB,IAAI,EAAE,UAAU,CAAC,IAAI,CAAC,QAAQ;QAC9B,sBAAsB;QACtB,QAAQ;QACR,QAAQ,EAAE,UAAU,CAAC,QAAQ;KAC9B,CAAC;IAEF,yEAAyE;IACzE,IAAI,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1C,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,QAAQ,EAAE,CAAC;QACxD,UAAU,CAAC,YAAY,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;QAE7C,sEAAsE;QACtE,iGAAiG;QACjG,IAAI,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,UAAU,CAAC,aAAa,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;YAC1C,UAAU,CAAC,QAAQ,CAAC,IAAI,CACtB,eAAe,CACb,eAAe,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,CAC3C,CACF,CAAC;QACJ,CAAC;aACI,IAAI,KAAK,KAAK,SAAS,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YACxD,UAAU,CAAC,iBAAiB,CAAC,IAAI,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;QACrD,CAAC;IACH,CAAC;SACI,IAAI,sBAAsB,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC7E,sBAAsB,CAAC,GAAG,CAAC,OAAO,EAAE;YAClC,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,IAAI,EAAE,UAAU,CAAC,IAAI,CAAC,QAAQ;YAC9B,QAAQ,EAAE,eAAe,CAAC,QAAQ,CAAC;YACnC,QAAQ,EAAE,UAAU,CAAC,QAAQ;SAC9B,CAAC,CAAC;QAEH,OAAO;IACT,CAAC;SACI,IAAI,SAAS,CAAC,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAChD,MAAM,MAAM,GAAG,SAAS,CAAC,eAAe,CAAC,IAAI,CAAC,KAAK,EAAE,gBAAgB
,CAAC,CAAC;QACvE,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YACjB,UAAU,CAAC,QAAQ,CAAC,IAAI,CACtB,eAAe,CAAC,YAAY,EAAE;gBAC5B,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,QAAQ;gBACR,QAAQ,EAAE,aAAa;aACxB,CAAC,CACH,CAAC;YAEF,OAAO;QACT,CAAC;IACH,CAAC;IACD,gEAAgE;SAC3D,CAAC;QACJ,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;QAEjE,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YACjB,UAAU,CAAC,QAAQ,CAAC,IAAI,CACtB,eAAe,CAAC,YAAY,EAAE;gBAC5B,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,QAAQ;gBACR,QAAQ,EAAE,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS;aAC5D,CAAC,CACH,CAAC;YAEF,OAAO;QACT,CAAC;QAED,UAAU,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;IAClC,CAAC;AACH,CAAC;AAED,eAAe;IACb,IAAI,EAAE,WAAW;IACjB,YAAY;IACZ,IAAI;IACJ,YAAY,EAAE,KAAK;CACpB,CAAC"}
|
|
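--- /dev/null
+++ b/package/dist/probes/isRequire/InlinedRequire.d.ts
@@ -0,0 +1,24 @@
+import type { ESTree } from "meriyah";
+export interface SplitResult {
+/**
+* A virtual variable name that replaces the require() call
+*/
+virtualIdentifier: string;
+/**
+* Virtual variable declaration: const __virtual_require_0__ = require("xxx")
+* Can be walked with standard ESTree walkers.
+*/
+virtualDeclaration: ESTree.VariableDeclaration;
+/**
+* The rebuilt expression with require() replaced by the virtual identifier.
+* For `require("x").spawn("y")`, this would be `__virtual_require_0__.spawn("y")`
+* Can be walked with standard ESTree walkers.
+*/
+rebuildExpression: ESTree.Node | null;
+}
+export declare class InlinedRequire {
+#private;
+static assertNode(node: ESTree.Node): node is ESTree.CallExpression;
+static split(expectedCallExpr: ESTree.Node): SplitResult | null;
+}
+//# sourceMappingURL=InlinedRequire.d.ts.map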
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"InlinedRequire.d.ts","sourceRoot":"","sources":["../../../src/probes/isRequire/InlinedRequire.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAKtC,MAAM,WAAW,WAAW;IAC1B;;OAEG;IACH,iBAAiB,EAAE,MAAM,CAAC;IAC1B;;;OAGG;IACH,kBAAkB,EAAE,MAAM,CAAC,mBAAmB,CAAC;IAC/C;;;;OAIG;IACH,iBAAiB,EAAE,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC;CACvC;AAED,qBAAa,cAAc;;IACzB,MAAM,CAAC,UAAU,CACf,IAAI,EAAE,MAAM,CAAC,IAAI,GAChB,IAAI,IAAI,MAAM,CAAC,cAAc;IAWhC,MAAM,CAAC,KAAK,CACV,gBAAgB,EAAE,MAAM,CAAC,IAAI,GAC5B,WAAW,GAAG,IAAI;CA6HtB"}
|
|
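--- /dev/null
+++ b/package/dist/probes/isRequire/InlinedRequire.js
@@ -0,0 +1,88 @@
+// Import Third-party Dependencies
+import { getCallExpressionIdentifier } from "@nodesecure/estree-ast-utils";
+// Import Internal Dependencies
+import { VirtualVariableIdentifier } from "../../VirtualVariableIdentifier.js";
+export class InlinedRequire {
+static assertNode(node) {
+if (node.type === "CallExpression" &&
+getCallExpressionIdentifier(node)?.match(/^require..*$/i)) {
+return true;
+}
+return false;
+}
+static split(expectedCallExpr) {
+if (!InlinedRequire.assertNode(expectedCallExpr)) {
+return null;
+}
+const requireCall = InlinedRequire.#findRequireCall(expectedCallExpr);
+if (!requireCall) {
+return null;
+}
+const virtualIdentifier = VirtualVariableIdentifier.generate("require", expectedCallExpr.loc);
+return {
+virtualIdentifier,
+virtualDeclaration: {
+type: "VariableDeclaration",
+kind: "const",
+declarations: [
+{
+type: "VariableDeclarator",
+id: {
+type: "Identifier",
+name: virtualIdentifier
+},
+init: requireCall
+}
+]
+},
+rebuildExpression: InlinedRequire.#rebuildWithVirtualIdentifier(expectedCallExpr, requireCall, virtualIdentifier)
+};
+}
+static #findRequireCall(node) {
+const object = node.type === "MemberExpression"
+? node.object
+: node.callee;
+if (object.type === "CallExpression" &&
+object.callee.type === "Identifier" &&
+object.callee.name === "require") {
+return object;
+}
+if (object.type === "MemberExpression" ||
+object.type === "CallExpression") {
+return InlinedRequire.#findRequireCall(object);
+}
+return null;
+}
+static #rebuildWithVirtualIdentifier(node, requireCall, virtualIdentifier) {
+if (node === requireCall) {
+return null;
+}
+const virtualId = {
+type: "Identifier",
+name: virtualIdentifier
+};
+return InlinedRequire.#cloneAndReplace(node, requireCall, virtualId);
+}
+static #cloneAndReplace(node, target, replacement) {
+if (node === target) {
+return replacement;
+}
+if (node.type === "CallExpression") {
+const callee = InlinedRequire.#cloneAndReplace(node.callee, target, replacement);
+const args = node.arguments.map((arg) => InlinedRequire.#cloneAndReplace(arg, target, replacement));
+return {
+...node,
+callee,
+arguments: args
+};
+}
+if (node.type === "MemberExpression") {
+return {
+...node,
+object: InlinedRequire.#cloneAndReplace(node.object, target, replacement)
+};
+}
+return node;
+}
+}
+//# sourceMappingURL=InlinedRequire.js.map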
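Review bot: The synthetic nodes that `split` builds (lines 24-37: the VariableDeclaration, its declarator and the `Identifier`, plus `virtualId` at lines 60-63) carry no `loc`, so a probe that reports on `virtualDeclaration` or on the rebuilt expression's identifier through `node.loc` gets an undefined location unless it goes through `VirtualVariableIdentifier.getLocation`. Setting `loc: expectedCallExpr.loc` on those nodes would keep `node.loc`-based warnings usable without the second lookup. Separately, `/^require..*$/i` in `assertNode` (line 8) has an unescaped `.`, so an identifier such as `requireAuth` passes the predicate; `split` still returns null because `#findRequireCall` finds no `require(...)` call, but if the character after `require` is always the member separator, `/^require\..*$/i` states that and avoids the extra walk. `#cloneAndReplace` (lines 79-84) rewrites a MemberExpression's `object` only, so a `require(...)` inside a computed `property` is left as-is — presumably acceptable, but a one-line comment there would save the next reader the check.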
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"InlinedRequire.js","sourceRoot":"","sources":["../../../src/probes/isRequire/InlinedRequire.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,OAAO,EACL,2BAA2B,EAC5B,MAAM,8BAA8B,CAAC;AAGtC,+BAA+B;AAC/B,OAAO,EAAE,yBAAyB,EAAE,MAAM,oCAAoC,CAAC;AAoB/E,MAAM,OAAO,cAAc;IACzB,MAAM,CAAC,UAAU,CACf,IAAiB;QAEjB,IACE,IAAI,CAAC,IAAI,KAAK,gBAAgB;YAC9B,2BAA2B,CAAC,IAAI,CAAC,EAAE,KAAK,CAAC,eAAe,CAAC,EACzD,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,CAAC,KAAK,CACV,gBAA6B;QAE7B,IAAI,CAAC,cAAc,CAAC,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;YACjD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,WAAW,GAAG,cAAc,CAAC,gBAAgB,CAAC,gBAAgB,CAAC,CAAC;QACtE,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,iBAAiB,GAAG,yBAAyB,CAAC,QAAQ,CAC1D,SAAS,EACT,gBAAgB,CAAC,GAAG,CACrB,CAAC;QAEF,OAAO;YACL,iBAAiB;YACjB,kBAAkB,EAAE;gBAClB,IAAI,EAAE,qBAAqB;gBAC3B,IAAI,EAAE,OAAO;gBACb,YAAY,EAAE;oBACZ;wBACE,IAAI,EAAE,oBAAoB;wBAC1B,EAAE,EAAE;4BACF,IAAI,EAAE,YAAY;4BAClB,IAAI,EAAE,iBAAiB;yBACxB;wBACD,IAAI,EAAE,WAAW;qBAClB;iBACF;aACF;YACD,iBAAiB,EAAE,cAAc,CAAC,6BAA6B,CAC7D,gBAAgB,EAChB,WAAW,EACX,iBAAiB,CAClB;SACF,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,gBAAgB,CACrB,IAAqD;QAErD,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,KAAK,kBAAkB;YAC7C,CAAC,CAAC,IAAI,CAAC,MAAM;YACb,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC;QAEhB,IACE,MAAM,CAAC,IAAI,KAAK,gBAAgB;YAChC,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY;YACnC,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,SAAS,EAChC,CAAC;YACD,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,IACE,MAAM,CAAC,IAAI,KAAK,kBAAkB;YAClC,MAAM,CAAC,IAAI,KAAK,gBAAgB,EAChC,CAAC;YACD,OAAO,cAAc,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;QACjD,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,6BAA6B,CAClC,IAA2B,EAC3B,WAAkC,EAClC,iBAAyB;QAEzB,IAAI,IAAI,KAAK,WAAW,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,SAAS,GAAsB;YACnC,IAAI,EAAE,YAAY;YAClB,IAAI,EAAE,iBAAiB;SACxB,CAAC;QAEF,OAAO,cAAc,CAAC,gBAAgB,CACpC,IAAI,EACJ,WAAW,EACX,SAAS,CACV,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,gBAAgB,CACrB,IAAiB,EACjB,MAA6B,EAC7B,WAA8B;QAE9B,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;YACpB,OAAO,WAA
W,CAAC;QACrB,CAAC;QAED,IAAI,IAAI,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;YACnC,MAAM,MAAM,GAAG,cAAc,CAAC,gBAAgB,CAC5C,IAAI,CAAC,MAAM,EACX,MAAM,EACN,WAAW,CACS,CAAC;YAEvB,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAC7B,CAAC,GAAG,EAAE,EAAE,CAAC,cAAc,CAAC,gBAAgB,CAAC,GAAG,EAAE,MAAM,EAAE,WAAW,CAAC,CAC5C,CAAC;YAEzB,OAAO;gBACL,GAAG,IAAI;gBACP,MAAM;gBACN,SAAS,EAAE,IAAI;aAChB,CAAC;QACJ,CAAC;QAED,IAAI,IAAI,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;YACrC,OAAO;gBACL,GAAG,IAAI;gBACP,MAAM,EAAE,cAAc,CAAC,gBAAgB,CACrC,IAAI,CAAC,MAAM,EACX,MAAM,EACN,WAAW,CACS;aACvB,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;CACF"}
|
|
@@ -8,14 +8,18 @@ import type { ProbeContext, ProbeMainContext } from "../ProbeRunner.ts";
|
|
|
8
8
|
* JSON.stringify(process["env"])
|
|
9
9
|
* JSON.stringify(process[`env`])
|
|
10
10
|
*/
|
|
11
|
-
declare function
|
|
12
|
-
declare function
|
|
11
|
+
declare function validateJsonStringify(node: ESTree.Node, ctx: ProbeContext): [boolean, any?];
|
|
12
|
+
declare function defaultHandler(node: ESTree.Node, ctx: ProbeMainContext): symbol;
|
|
13
|
+
declare function processEnvHandler(node: ESTree.Node, ctx: ProbeMainContext): symbol | null;
|
|
13
14
|
declare function initialize(ctx: ProbeContext): void;
|
|
14
15
|
declare const _default: {
|
|
15
16
|
name: string;
|
|
16
|
-
validateNode: typeof
|
|
17
|
+
validateNode: (typeof validateJsonStringify)[];
|
|
17
18
|
initialize: typeof initialize;
|
|
18
|
-
main:
|
|
19
|
+
main: {
|
|
20
|
+
default: typeof defaultHandler;
|
|
21
|
+
"process.env": typeof processEnvHandler;
|
|
22
|
+
};
|
|
19
23
|
breakOnMatch: boolean;
|
|
20
24
|
};
|
|
21
25
|
export default _default;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"isSerializeEnv.d.ts","sourceRoot":"","sources":["../../src/probes/isSerializeEnv.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAGtC,OAAO,KAAK,EACV,YAAY,EACZ,gBAAgB,EACjB,MAAM,mBAAmB,CAAC;AAG3B;;;;;;;GAOG;AACH,iBAAS,
|
|
1
|
+
{"version":3,"file":"isSerializeEnv.d.ts","sourceRoot":"","sources":["../../src/probes/isSerializeEnv.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAGtC,OAAO,KAAK,EACV,YAAY,EACZ,gBAAgB,EACjB,MAAM,mBAAmB,CAAC;AAG3B;;;;;;;GAOG;AACH,iBAAS,qBAAqB,CAC5B,IAAI,EAAE,MAAM,CAAC,IAAI,EACjB,GAAG,EAAE,YAAY,GAChB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAmCjB;AA0BD,iBAAS,cAAc,CACrB,IAAI,EAAE,MAAM,CAAC,IAAI,EACjB,GAAG,EAAE,gBAAgB,UAWtB;AAED,iBAAS,iBAAiB,CACxB,IAAI,EAAE,MAAM,CAAC,IAAI,EACjB,GAAG,EAAE,gBAAgB,iBAgBtB;AAED,iBAAS,UAAU,CACjB,GAAG,EAAE,YAAY,QAWlB;;;;;;;;;;;AAED,wBASE"}
|
|
@@ -9,7 +9,7 @@ import { generateWarning } from "../warnings.js";
9
9
|
* JSON.stringify(process["env"])
|
|
10
10
|
* JSON.stringify(process[`env`])
|
|
11
11
|
*/
|
|
12
|
-
function
|
|
12
|
+
function validateJsonStringify(node, ctx) {
|
|
13
13
|
const { tracer } = ctx.sourceFile;
|
|
14
14
|
const id = getCallExpressionIdentifier(node);
|
|
15
15
|
if (id === null) {
|
|
@@ -38,7 +38,24 @@ function validateNode(node, ctx) {
|
|
|
38
38
|
}
|
|
39
39
|
return [false];
|
|
40
40
|
}
|
|
41
|
-
|
|
41
|
+
/**
|
|
42
|
+
* @description Detect direct process.env access (for aggressive mode)
|
|
43
|
+
* @example
|
|
44
|
+
* process.env
|
|
45
|
+
* const env = process.env
|
|
46
|
+
*/
|
|
47
|
+
function validateProcessEnv(node, ctx) {
|
|
48
|
+
if (node.type !== "MemberExpression") {
|
|
49
|
+
return [false];
|
|
50
|
+
}
|
|
51
|
+
const memberExprId = [...getMemberExpressionIdentifier(node)].join(".");
|
|
52
|
+
if (memberExprId === "process.env") {
|
|
53
|
+
ctx.setEntryPoint("process.env");
|
|
54
|
+
return [true];
|
|
55
|
+
}
|
|
56
|
+
return [false];
|
|
57
|
+
}
|
|
58
|
+
function defaultHandler(node, ctx) {
|
|
42
59
|
const { sourceFile, signals } = ctx;
|
|
43
60
|
const warning = generateWarning("serialize-environment", {
|
|
44
61
|
value: "JSON.stringify(process.env)",
|
|
@@ -47,6 +64,19 @@ function main(node, ctx) {
|
|
|
47
64
|
sourceFile.warnings.push(warning);
|
|
48
65
|
return signals.Skip;
|
|
49
66
|
}
|
|
67
|
+
function processEnvHandler(node, ctx) {
|
|
68
|
+
const { sourceFile, signals } = ctx;
|
|
69
|
+
// Only trigger warning in aggressive mode
|
|
70
|
+
if (sourceFile.sensitivity !== "aggressive") {
|
|
71
|
+
return null;
|
|
72
|
+
}
|
|
73
|
+
const warning = generateWarning("serialize-environment", {
|
|
74
|
+
value: "process.env",
|
|
75
|
+
location: node.loc
|
|
76
|
+
});
|
|
77
|
+
sourceFile.warnings.push(warning);
|
|
78
|
+
return signals.Skip;
|
|
79
|
+
}
|
|
50
80
|
function initialize(ctx) {
|
|
51
81
|
const { tracer } = ctx.sourceFile;
|
|
52
82
|
tracer
|
|
@@ -59,9 +89,12 @@ function initialize(ctx) {
|
|
|
59
89
|
}
|
|
60
90
|
export default {
|
|
61
91
|
name: "isSerializeEnv",
|
|
62
|
-
validateNode,
|
|
92
|
+
validateNode: [validateJsonStringify, validateProcessEnv],
|
|
63
93
|
initialize,
|
|
64
|
-
main
|
|
94
|
+
main: {
|
|
95
|
+
default: defaultHandler,
|
|
96
|
+
"process.env": processEnvHandler
|
|
97
|
+
},
|
|
65
98
|
breakOnMatch: false
|
|
66
99
|
};
|
|
67
100
|
//# sourceMappingURL=isSerializeEnv.js.map
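Review bot: The aggressive-mode gate lives in `processEnvHandler`, so at the default sensitivity `validateProcessEnv` still matches every bare `process.env` node and calls `ctx.setEntryPoint("process.env")` before the handler bails out with `null`; put the check at the front of the validator instead, `if (ctx.sourceFile.sensitivity !== "aggressive") { return [false]; }`, so the probe does no work unless the mode is on (this assumes `ctx.sourceFile` on ProbeContext is the same SourceFile whose `sensitivity` the handler reads, as line 13 of `validateJsonStringify` suggests). The match is a plain string compare on the joined member path while `initialize` registers `process.env` with the tracer, so `const p = process; p.env` or `globalThis.process.env` will not match here even though the JSON.stringify branch appears to resolve its callee through `tracer`; consider `tracer.getDataFromIdentifier(memberExprId)` for parity, noting that the tracer-based part of `validateJsonStringify` sits outside this hunk and this is inferred. Unless ProbeRunner stops descending into the `object` of a MemberExpression, `process.env.NODE_ENV` also contains a `process.env` node and will be reported as `serialize-environment`, which the `@example` list (`process.env`, `const env = process.env`) does not seem to intend; a comment stating whether single-variable reads are meant to be flagged, or a Skip on `process.env.*` parents, would settle it. The `"process.env"` key in `main` and the `ctx.setEntryPoint("process.env")` argument must stay byte-identical, so one of them deserves a comment such as `// must match the "process.env" key of main below`.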
@@ -1 +1 @@
1
|
-
{"version":3,"file":"isSerializeEnv.js","sourceRoot":"","sources":["../../src/probes/isSerializeEnv.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,OAAO,EACL,2BAA2B,EAC3B,6BAA6B,EAC9B,MAAM,8BAA8B,CAAC;AAQtC,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAEjD;;;;;;;GAOG;AACH,SAAS,
|
|
1
|
+
{"version":3,"file":"isSerializeEnv.js","sourceRoot":"","sources":["../../src/probes/isSerializeEnv.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,OAAO,EACL,2BAA2B,EAC3B,6BAA6B,EAC9B,MAAM,8BAA8B,CAAC;AAQtC,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAEjD;;;;;;;GAOG;AACH,SAAS,qBAAqB,CAC5B,IAAiB,EACjB,GAAiB;IAEjB,MAAM,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC,UAAU,CAAC;IAElC,MAAM,EAAE,GAAG,2BAA2B,CAAC,IAAI,CAAC,CAAC;IAE7C,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;QAChB,OAAO,CAAC,KAAK,CAAC,CAAC;IACjB,CAAC;IACD,MAAM,IAAI,GAAG,MAAM,CAAC,qBAAqB,CAAC,EAAE,CAAC,CAAC;IAE9C,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,CAAC,sBAAsB,KAAK,gBAAgB,EAAE,CAAC;QACtE,OAAO,CAAC,KAAK,CAAC,CAAC;IACjB,CAAC;IAED,MAAM,UAAU,GAAG,IAA6B,CAAC;IACjD,IAAI,UAAU,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtC,OAAO,CAAC,KAAK,CAAC,CAAC;IACjB,CAAC;IAED,MAAM,QAAQ,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IACzC,IAAI,QAAQ,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;QACzC,MAAM,YAAY,GAAG,CAAC,GAAG,6BAA6B,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC5E,IAAI,YAAY,KAAK,aAAa,EAAE,CAAC;YACnC,OAAO,CAAC,IAAI,CAAC,CAAC;QAChB,CAAC;IACH,CAAC;IAED,IAAI,QAAQ,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QACnC,MAAM,IAAI,GAAG,MAAM,CAAC,qBAAqB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QACzD,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;YAClB,OAAO,CAAC,IAAI,CAAC,CAAC;QAChB,CAAC;IACH,CAAC;IAED,OAAO,CAAC,KAAK,CAAC,CAAC;AACjB,CAAC;AAED;;;;;GAKG;AACH,SAAS,kBAAkB,CACzB,IAAiB,EACjB,GAAiB;IAEjB,IAAI,IAAI,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;QACrC,OAAO,CAAC,KAAK,CAAC,CAAC;IACjB,CAAC;IAED,MAAM,YAAY,GAAG,CAAC,GAAG,6BAA6B,CAAC,IAA+B,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACnG,IAAI,YAAY,KAAK,aAAa,EAAE,CAAC;QACnC,GAAG,CAAC,aAAa,CAAC,aAAa,CAAC,CAAC;QAEjC,OAAO,CAAC,IAAI,CAAC,CAAC;IAChB,CAAC;IAED,OAAO,CAAC,KAAK,CAAC,CAAC;AACjB,CAAC;AAED,SAAS,cAAc,CACrB,IAAiB,EACjB,GAAqB;IAErB,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC;IAEpC,MAAM,OAAO,GAAG,eAAe,CAAC,uBAAuB,EAAE;QACvD,KAAK,EAAE,6BAA6B;QACpC,QAAQ,EAAE,IAAI,CAAC,GAAG;KACnB,CAAC,CAAC;IACH,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAElC,OAAO,OAAO,CAAC,IAAI,CAAC;AACtB,CAAC;AAED,SAAS,iBAAiB
,CACxB,IAAiB,EACjB,GAAqB;IAErB,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC;IAEpC,0CAA0C;IAC1C,IAAI,UAAU,CAAC,WAAW,KAAK,YAAY,EAAE,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,OAAO,GAAG,eAAe,CAAC,uBAAuB,EAAE;QACvD,KAAK,EAAE,aAAa;QACpB,QAAQ,EAAE,IAAI,CAAC,GAAG;KACnB,CAAC,CAAC;IACH,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAElC,OAAO,OAAO,CAAC,IAAI,CAAC;AACtB,CAAC;AAED,SAAS,UAAU,CACjB,GAAiB;IAEjB,MAAM,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC,UAAU,CAAC;IAElC,MAAM;SACH,KAAK,CAAC,aAAa,EAAE;QACpB,2BAA2B,EAAE,IAAI;KAClC,CAAC;SACD,KAAK,CAAC,gBAAgB,EAAE;QACvB,2BAA2B,EAAE,IAAI;KAClC,CAAC,CAAC;AACP,CAAC;AAED,eAAe;IACb,IAAI,EAAE,gBAAgB;IACtB,YAAY,EAAE,CAAC,qBAAqB,EAAE,kBAAkB,CAAC;IACzD,UAAU;IACV,IAAI,EAAE;QACJ,OAAO,EAAE,cAAc;QACvB,aAAa,EAAE,iBAAiB;KACjC;IACD,YAAY,EAAE,KAAK;CACpB,CAAC"}
@@ -1,5 +1,5 @@
1
1
|
import type { ESTree } from "meriyah";
|
|
2
|
-
import type { ProbeMainContext } from "../ProbeRunner.ts";
|
|
2
|
+
import type { ProbeMainContext, ProbeContext } from "../ProbeRunner.ts";
|
|
3
3
|
/**
|
|
4
4
|
* @description Detect spawn or exec unsafe commands
|
|
5
5
|
* @example
|
|
@@ -10,12 +10,14 @@ import type { ProbeMainContext } from "../ProbeRunner.ts";
|
|
|
10
10
|
* const { exec } = require("child_process");
|
|
11
11
|
* exec("csrutil status");
|
|
12
12
|
*/
|
|
13
|
-
declare function validateNode(node: ESTree.Node): [boolean, any?];
|
|
13
|
+
declare function validateNode(node: ESTree.Node, ctx: ProbeContext): [boolean, any?];
|
|
14
14
|
declare function main(node: ESTree.CallExpression, ctx: ProbeMainContext): symbol | null;
|
|
15
|
+
declare function initialize(ctx: ProbeContext): void;
|
|
15
16
|
declare const _default: {
|
|
16
17
|
name: string;
|
|
17
18
|
validateNode: typeof validateNode;
|
|
18
19
|
main: typeof main;
|
|
20
|
+
initialize: typeof initialize;
|
|
19
21
|
};
|
|
20
22
|
export default _default;
|
|
21
23
|
//# sourceMappingURL=isUnsafeCommand.d.ts.map
@@ -1 +1 @@
1
|
-
{"version":3,"file":"isUnsafeCommand.d.ts","sourceRoot":"","sources":["../../src/probes/isUnsafeCommand.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"isUnsafeCommand.d.ts","sourceRoot":"","sources":["../../src/probes/isUnsafeCommand.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAGtC,OAAO,KAAK,EACV,gBAAgB,EAChB,YAAY,EACb,MAAM,mBAAmB,CAAC;AAyD3B;;;;;;;;;GASG;AACH,iBAAS,YAAY,CACnB,IAAI,EAAE,MAAM,CAAC,IAAI,EACjB,GAAG,EAAE,YAAY,GAChB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAqBjB;AAED,iBAAS,IAAI,CACX,IAAI,EAAE,MAAM,CAAC,cAAc,EAC3B,GAAG,EAAE,gBAAgB,iBA8CtB;AAED,iBAAS,UAAU,CACjB,GAAG,EAAE,YAAY,QAUlB;;;;;;;AAED,wBAKE"}