@nodesecure/js-x-ray 11.3.0 → 11.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/AstAnalyser.d.ts +13 -0
- package/dist/AstAnalyser.d.ts.map +1 -1
- package/dist/AstAnalyser.js +17 -11
- package/dist/AstAnalyser.js.map +1 -1
- package/dist/CollectableSet.d.ts +8 -5
- package/dist/CollectableSet.d.ts.map +1 -1
- package/dist/CollectableSet.js +12 -8
- package/dist/CollectableSet.js.map +1 -1
- package/dist/CollectableSetRegistry.d.ts +4 -2
- package/dist/CollectableSetRegistry.d.ts.map +1 -1
- package/dist/CollectableSetRegistry.js +5 -2
- package/dist/CollectableSetRegistry.js.map +1 -1
- package/dist/ProbeRunner.d.ts +7 -2
- package/dist/ProbeRunner.d.ts.map +1 -1
- package/dist/ProbeRunner.js +56 -11
- package/dist/ProbeRunner.js.map +1 -1
- package/dist/ShadyLink.d.ts +1 -0
- package/dist/ShadyLink.d.ts.map +1 -1
- package/dist/ShadyLink.js +17 -9
- package/dist/ShadyLink.js.map +1 -1
- package/dist/SourceFile.d.ts +5 -3
- package/dist/SourceFile.d.ts.map +1 -1
- package/dist/SourceFile.js +17 -1
- package/dist/SourceFile.js.map +1 -1
- package/dist/VirtualVariableIdentifier.d.ts +9 -0
- package/dist/VirtualVariableIdentifier.d.ts.map +1 -0
- package/dist/VirtualVariableIdentifier.js +17 -0
- package/dist/VirtualVariableIdentifier.js.map +1 -0
- package/dist/contants.d.ts +2 -0
- package/dist/contants.d.ts.map +1 -0
- package/dist/contants.js +3 -0
- package/dist/contants.js.map +1 -0
- package/dist/i18n/english.d.ts +28 -0
- package/dist/i18n/english.d.ts.map +1 -0
- package/dist/i18n/english.js +27 -0
- package/dist/i18n/english.js.map +1 -0
- package/dist/i18n/french.d.ts +28 -0
- package/dist/i18n/french.d.ts.map +1 -0
- package/dist/i18n/french.js +29 -0
- package/dist/i18n/french.js.map +1 -0
- package/dist/index.d.ts +2 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +6 -0
- package/dist/index.js.map +1 -1
- package/dist/probes/data-exfiltration.d.ts.map +1 -1
- package/dist/probes/data-exfiltration.js +21 -9
- package/dist/probes/data-exfiltration.js.map +1 -1
- package/dist/probes/isImportDeclaration.d.ts.map +1 -1
- package/dist/probes/isImportDeclaration.js +8 -3
- package/dist/probes/isImportDeclaration.js.map +1 -1
- package/dist/probes/isLiteral.d.ts.map +1 -1
- package/dist/probes/isLiteral.js +13 -1
- package/dist/probes/isLiteral.js.map +1 -1
- package/dist/probes/isMonkeyPatch.d.ts +17 -0
- package/dist/probes/isMonkeyPatch.d.ts.map +1 -0
- package/dist/probes/isMonkeyPatch.js +98 -0
- package/dist/probes/isMonkeyPatch.js.map +1 -0
- package/dist/probes/isRequire/InlinedRequire.d.ts +24 -0
- package/dist/probes/isRequire/InlinedRequire.d.ts.map +1 -0
- package/dist/probes/isRequire/InlinedRequire.js +88 -0
- package/dist/probes/isRequire/InlinedRequire.js.map +1 -0
- package/dist/probes/isRequire/RequireCallExpressionWalker.js +1 -1
- package/dist/probes/isRequire/RequireCallExpressionWalker.js.map +1 -1
- package/dist/probes/isRequire/isRequire.js +3 -3
- package/dist/probes/isRequire/isRequire.js.map +1 -1
- package/dist/probes/isSerializeEnv.d.ts +9 -4
- package/dist/probes/isSerializeEnv.d.ts.map +1 -1
- package/dist/probes/isSerializeEnv.js +42 -12
- package/dist/probes/isSerializeEnv.js.map +1 -1
- package/dist/probes/isSyncIO.d.ts +2 -1
- package/dist/probes/isSyncIO.d.ts.map +1 -1
- package/dist/probes/isSyncIO.js +12 -12
- package/dist/probes/isSyncIO.js.map +1 -1
- package/dist/probes/isUnsafeCommand.d.ts +5 -2
- package/dist/probes/isUnsafeCommand.d.ts.map +1 -1
- package/dist/probes/isUnsafeCommand.js +55 -53
- package/dist/probes/isUnsafeCommand.js.map +1 -1
- package/dist/probes/isWeakCrypto.d.ts +2 -1
- package/dist/probes/isWeakCrypto.d.ts.map +1 -1
- package/dist/probes/isWeakCrypto.js +6 -8
- package/dist/probes/isWeakCrypto.js.map +1 -1
- package/dist/probes/log-usage.d.ts +19 -0
- package/dist/probes/log-usage.d.ts.map +1 -0
- package/dist/probes/log-usage.js +47 -0
- package/dist/probes/log-usage.js.map +1 -0
- package/dist/probes/sql-injection.d.ts +12 -0
- package/dist/probes/sql-injection.d.ts.map +1 -0
- package/dist/probes/sql-injection.js +48 -0
- package/dist/probes/sql-injection.js.map +1 -0
- package/dist/warnings.d.ts +17 -2
- package/dist/warnings.d.ts.map +1 -1
- package/dist/warnings.js +15 -0
- package/dist/warnings.js.map +1 -1
- package/package.json +10 -4
package/dist/SourceFile.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"SourceFile.d.ts","sourceRoot":"","sources":["../src/SourceFile.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACpD,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAGtC,OAAO,KAAK,
|
|
1
|
+
{"version":3,"file":"SourceFile.d.ts","sourceRoot":"","sources":["../src/SourceFile.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACpD,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAGtC,OAAO,KAAK,EACV,UAAU,EACV,WAAW,EACZ,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAEjD,OAAO,EAEL,KAAK,OAAO,EACb,MAAM,eAAe,CAAC;AAKvB,MAAM,MAAM,WAAW,GACnB,OAAO,GACP,iBAAiB,GACjB,aAAa,CAAC;AAElB,qBAAa,UAAU;IACrB,MAAM,iBAA+C;IACrD,cAAc,UAAS;IACvB,qBAAqB,UAAS;IAC9B,YAAY,eAAsB;IAClC,YAAY,0BAAiC;IAC7C,eAAe,sBAA6B;IAC5C,QAAQ,EAAE,OAAO,EAAE,CAAM;IACzB,KAAK,mBAA0B;IAC/B,IAAI,iBAAwB;IAC5B,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;gBAEvB,cAAc,CAAC,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAKvE,aAAa,CACX,IAAI,EAAE,MAAM,EACZ,QAAQ,CAAC,EAAE,MAAM,CAAC,cAAc,GAAG,IAAI,EACvC,MAAM,GAAE,OAAoC;IAwB9C,iBAAiB,CACf,KAAK,EAAE,MAAM,EACb,QAAQ,wBAAiB;IAiB3B,cAAc,CACZ,IAAI,EAAE,GAAG,EACT,WAAW,UAAQ;IAsBrB,SAAS,CACP,UAAU,EAAE,OAAO,GAClB;QAAE,YAAY,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,OAAO,EAAE,CAAC;KAAE;IA0CtE,IAAI,CACF,IAAI,EAAE,MAAM,CAAC,IAAI,GAChB,MAAM,CAAC,IAAI,EAAE;CA2BjB;AAED,qBAAa,cAAc;IACzB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAQ;IAE/B,GAAG,CACD,QAAQ,CAAC,EAAE,MAAM;IAKnB,OAAO,CACL,GAAG,KAAK,EAAE,MAAM,EAAE;CAQrB"}
|
package/dist/SourceFile.js
CHANGED
|
@@ -3,6 +3,7 @@ import path from "node:path";
|
|
|
3
3
|
// Import Third-party Dependencies
|
|
4
4
|
import { Literal, Utils } from "@nodesecure/sec-literal";
|
|
5
5
|
import { VariableTracer } from "@nodesecure/tracer";
|
|
6
|
+
import { InlinedRequire } from "./probes/isRequire/InlinedRequire.js";
|
|
6
7
|
import { Deobfuscator } from "./Deobfuscator.js";
|
|
7
8
|
import { rootLocation, toArrayLocation } from "./utils/index.js";
|
|
8
9
|
import { generateWarning } from "./warnings.js";
|
|
@@ -18,8 +19,11 @@ export class SourceFile {
|
|
|
18
19
|
warnings = [];
|
|
19
20
|
flags = new Set();
|
|
20
21
|
path = new SourceFilePath();
|
|
21
|
-
|
|
22
|
+
sensitivity;
|
|
23
|
+
metadata;
|
|
24
|
+
constructor(sourceLocation, metadata) {
|
|
22
25
|
this.path.use(sourceLocation);
|
|
26
|
+
this.metadata = metadata;
|
|
23
27
|
}
|
|
24
28
|
addDependency(name, location, unsafe = this.dependencyAutoWarning) {
|
|
25
29
|
if (typeof name !== "string" || name.trim() === "") {
|
|
@@ -96,6 +100,17 @@ export class SourceFile {
|
|
|
96
100
|
};
|
|
97
101
|
}
|
|
98
102
|
walk(node) {
|
|
103
|
+
const split = InlinedRequire.split(node);
|
|
104
|
+
if (split !== null) {
|
|
105
|
+
this.tracer.walk(split.virtualDeclaration);
|
|
106
|
+
if (split.rebuildExpression) {
|
|
107
|
+
this.tracer.walk(split.rebuildExpression);
|
|
108
|
+
}
|
|
109
|
+
return [
|
|
110
|
+
split.virtualDeclaration,
|
|
111
|
+
...(split.rebuildExpression ? [split.rebuildExpression] : [])
|
|
112
|
+
];
|
|
113
|
+
}
|
|
99
114
|
this.tracer.walk(node);
|
|
100
115
|
this.deobfuscator.walk(node);
|
|
101
116
|
// Detect TryStatement and CatchClause to known which dependency is required in a Try {} clause
|
|
@@ -105,6 +120,7 @@ export class SourceFile {
|
|
|
105
120
|
else if (node.type === "CatchClause") {
|
|
106
121
|
this.inTryStatement = false;
|
|
107
122
|
}
|
|
123
|
+
return [node];
|
|
108
124
|
}
|
|
109
125
|
}
|
|
110
126
|
export class SourceFilePath {
|
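Review bot: The early-return branch added to `walk()` for an `InlinedRequire.split()` hit sends `split.virtualDeclaration` and `split.rebuildExpression` to the tracer but never to `this.deobfuscator`, and it also skips the TryStatement/CatchClause bookkeeping below it, so identifiers and literals inside an inlined require are invisible to the obfuscation heuristics unless the caller re-feeds the returned nodes (AstAnalyser.js changes are not on this page, so I cannot tell). If the caller does not, add `this.deobfuscator.walk(split.virtualDeclaration);` plus the matching call for `split.rebuildExpression` before the `return [...]`. The new return contract also deserves a short JSDoc on `walk()` saying it returns the node(s) the caller should continue traversing and that a split node replaces the original. `sensitivity` is declared but never set in the constructor, so presumably AstAnalyser assigns it; a one-line comment stating that would save the next reader a search.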
package/dist/SourceFile.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"SourceFile.js","sourceRoot":"","sources":["../src/SourceFile.ts"],"names":[],"mappings":"AAAA,8BAA8B;AAC9B,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,kCAAkC;AAClC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,yBAAyB,CAAC;AACzD,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;
|
|
1
|
+
{"version":3,"file":"SourceFile.js","sourceRoot":"","sources":["../src/SourceFile.ts"],"names":[],"mappings":"AAAA,8BAA8B;AAC9B,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,kCAAkC;AAClC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,yBAAyB,CAAC;AACzD,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAQpD,OAAO,EAAE,cAAc,EAAE,MAAM,sCAAsC,CAAC;AACtE,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACjE,OAAO,EACL,eAAe,EAEhB,MAAM,eAAe,CAAC;AAEvB,YAAY;AACZ,MAAM,uBAAuB,GAAG,EAAE,CAAC;AAOnC,MAAM,OAAO,UAAU;IACrB,MAAM,GAAG,IAAI,cAAc,EAAE,CAAC,oBAAoB,EAAE,CAAC;IACrD,cAAc,GAAG,KAAK,CAAC;IACvB,qBAAqB,GAAG,KAAK,CAAC;IAC9B,YAAY,GAAG,IAAI,YAAY,EAAE,CAAC;IAClC,YAAY,GAAG,IAAI,GAAG,EAAsB,CAAC;IAC7C,eAAe,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC5C,QAAQ,GAAc,EAAE,CAAC;IACzB,KAAK,GAAG,IAAI,GAAG,EAAe,CAAC;IAC/B,IAAI,GAAG,IAAI,cAAc,EAAE,CAAC;IAC5B,WAAW,CAAe;IAC1B,QAAQ,CAA2B;IAEnC,YAAY,cAAuB,EAAE,QAAkC;QACrE,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QAC9B,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;IAED,aAAa,CACX,IAAY,EACZ,QAAuC,EACvC,SAAkB,IAAI,CAAC,qBAAqB;QAE5C,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YACnD,OAAO;QACT,CAAC;QAED,MAAM,cAAc,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC;YAC3D,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QAC3B,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE;YACpC,MAAM;YACN,KAAK,EAAE,IAAI,CAAC,cAAc;YAC1B,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAClC,CAAC,CAAC;QAEH,IAAI,IAAI,CAAC,qBAAqB,EAAE,CAAC;YAC/B,IAAI,CAAC,QAAQ,CAAC,IAAI,CAChB,eAAe,CAAC,eAAe,EAAE;gBAC/B,KAAK,EAAE,cAAc;gBACrB,QAAQ,EAAE,QAAQ,IAAI,KAAK,CAAC;aAC7B,CAAC,CACH,CAAC;QACJ,CAAC;IACH,CAAC;IAED,iBAAiB,CACf,KAAa,EACb,QAAQ,GAAG,YAAY,EAAE;QAEzB,IAAI,IAAI,CAAC,eAAe,CAAC,IAAI,GAAG,uBAAuB,EAAE,CAAC;YACxD,OAAO;QACT,CAAC;QAED,IAAI,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YACpC,MAAM,KAAK,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,KAAK,CAAE,CAAC;YAC/C,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,eAAe,CAAC,
QAAQ,CAAC,CAAC,CAAC;YAE9D,OAAO;QACT,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,eAAe,CAAC,iBAAiB,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC;QAC5E,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC;IACpE,CAAC;IAED,cAAc,CACZ,IAAS,EACT,WAAW,GAAG,KAAK;QAEnB,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;YACxD,OAAO;QACT,CAAC;QACD,IAAI,CAAC,YAAY,CAAC,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAE5C,MAAM,EACJ,sBAAsB,EACtB,kBAAkB,EAClB,QAAQ,EACT,GAAG,OAAO,CAAC,eAAe,CAAC,IAAI,CAAE,CAAC;QACnC,IAAI,CAAC,sBAAsB,IAAI,kBAAkB,CAAC,IAAI,QAAQ,EAAE,CAAC;YAC/D,IAAI,WAAW,EAAE,CAAC;gBAChB,IAAI,CAAC,YAAY,CAAC,iBAAiB,EAAE,CAAC;YACxC,CAAC;iBACI,CAAC;gBACJ,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;YAC/C,CAAC;QACH,CAAC;IACH,CAAC;IAED,SAAS,CACP,UAAmB;QAEnB,MAAM,cAAc,GAAG,IAAI,CAAC,YAAY,CAAC,iBAAiB,EAAE,CAAC;QAC7D,IAAI,cAAc,KAAK,IAAI,EAAE,CAAC;YAC5B,IAAI,CAAC,QAAQ,CAAC,IAAI,CAChB,eAAe,CAAC,iBAAiB,EAAE,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAC9D,CAAC;QACJ,CAAC;QAED,MAAM,oBAAoB,GAAG,IAAI,CAAC,YAAY,CAAC,WAAW;aACvD,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,KAAK,UAAU,IAAI,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ,CAAC;aAC9E,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAErC,MAAM,CAAC,YAAY,EAAE,WAAW,CAAC,GAAG;YAClC,GAAG,CAAC,oBAAoB,CAAC;YACzB,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,aAAa,CAAC;SACrC,CAAC;QACF,IAAI,CAAC,UAAU,IAAI,oBAAoB,CAAC,MAAM,GAAG,CAAC,IAAI,YAAY,IAAI,GAAG,EAAE,CAAC;YAC1E,IAAI,CAAC,QAAQ,CAAC,IAAI,CAChB,eAAe,CAAC,mBAAmB,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC,CACtE,CAAC;QACJ,CAAC;QACD,IAAI,WAAW,IAAI,CAAC,EAAE,CAAC;YACrB,IAAI,CAAC,QAAQ,CAAC,IAAI,CAChB,eAAe,CAAC,oBAAoB,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CACtE,CAAC;QACJ,CAAC;QAED,IAAI,IAAI,CAAC,eAAe,CAAC,IAAI,GAAG,uBAAuB,EAAE,CAAC;YACxD,IAAI,CAAC,QAAQ,CAAC,IAAI,CAChB,eAAe,CAAC,iBAAiB,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CACpD,CAAC;YACF,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ;iBAC1B,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO
,CAAC,IAAI,KAAK,iBAAiB,CAAC,CAAC;QAC7D,CAAC;QAED,OAAO;YACL,YAAY;YACZ,WAAW;YACX,QAAQ,EAAE,IAAI,CAAC,QAAQ;SACxB,CAAC;IACJ,CAAC;IAED,IAAI,CACF,IAAiB;QAEjB,MAAM,KAAK,GAAG,cAAc,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACzC,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YACnB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;YAC3C,IAAI,KAAK,CAAC,iBAAiB,EAAE,CAAC;gBAC5B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;YAC5C,CAAC;YAED,OAAO;gBACL,KAAK,CAAC,kBAAkB;gBACxB,GAAG,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;aAC9D,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvB,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAE7B,+FAA+F;QAC/F,IAAI,IAAI,CAAC,IAAI,KAAK,cAAc,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjD,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC;QAC7B,CAAC;aACI,IAAI,IAAI,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;YACrC,IAAI,CAAC,cAAc,GAAG,KAAK,CAAC;QAC9B,CAAC;QAED,OAAO,CAAC,IAAI,CAAC,CAAC;IAChB,CAAC;CACF;AAED,MAAM,OAAO,cAAc;IACzB,QAAQ,GAAkB,IAAI,CAAC;IAE/B,GAAG,CACD,QAAiB;QAEjB,IAAI,CAAC,QAAQ,GAAG,QAAQ,IAAI,IAAI,CAAC;IACnC,CAAC;IAED,OAAO,CACL,GAAG,KAAe;QAElB,IAAI,IAAI,CAAC,QAAQ,KAAK,IAAI,EAAE,CAAC;YAC3B,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,CAAC;QACnC,CAAC;QAED,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,KAAK,CAAC,CAAC;IAClD,CAAC;CACF;AAED,SAAS,GAAG,CACV,MAAgB,EAAE;IAElB,OAAO,GAAG,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,EAAE,CAAC,IAAI,GAAG,IAAI,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC;AAC1F,CAAC"}
|
|
@@ -0,0 +1,9 @@
|
|
|
1
|
+
import type { ESTree } from "meriyah";
|
|
2
|
+
export type VirtualVariableLocation = ESTree.SourceLocation | null | undefined;
|
|
3
|
+
export declare class VirtualVariableIdentifier {
|
|
4
|
+
#private;
|
|
5
|
+
static generate(name: string, location?: VirtualVariableLocation): string;
|
|
6
|
+
static getLocation(virtualId: string): VirtualVariableLocation;
|
|
7
|
+
static reset(): void;
|
|
8
|
+
}
|
|
9
|
+
//# sourceMappingURL=VirtualVariableIdentifier.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"VirtualVariableIdentifier.d.ts","sourceRoot":"","sources":["../src/VirtualVariableIdentifier.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAEtC,MAAM,MAAM,uBAAuB,GAAG,MAAM,CAAC,cAAc,GAAG,IAAI,GAAG,SAAS,CAAC;AAE/E,qBAAa,yBAAyB;;IAIpC,MAAM,CAAC,QAAQ,CACb,IAAI,EAAE,MAAM,EACZ,QAAQ,GAAE,uBAAmC,GAC5C,MAAM;IAOT,MAAM,CAAC,WAAW,CAChB,SAAS,EAAE,MAAM,GAChB,uBAAuB;IAI1B,MAAM,CAAC,KAAK,IAAI,IAAI;CAIrB"}
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
export class VirtualVariableIdentifier {
|
|
2
|
+
static #idToLocations = new Map();
|
|
3
|
+
static #counter = 0;
|
|
4
|
+
static generate(name, location = undefined) {
|
|
5
|
+
const virtualId = `__virtual_${name}_${this.#counter++}__`;
|
|
6
|
+
this.#idToLocations.set(virtualId, location);
|
|
7
|
+
return virtualId;
|
|
8
|
+
}
|
|
9
|
+
static getLocation(virtualId) {
|
|
10
|
+
return this.#idToLocations.get(virtualId);
|
|
11
|
+
}
|
|
12
|
+
static reset() {
|
|
13
|
+
this.#counter = 0;
|
|
14
|
+
this.#idToLocations.clear();
|
|
15
|
+
}
|
|
16
|
+
}
|
|
17
|
+
//# sourceMappingURL=VirtualVariableIdentifier.js.map
|
|
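Review bot: `#idToLocations` and `#counter` are static, so every analysis in the process shares one registry: without a `reset()` the map grows by one entry per generated identifier for the life of the process, and a `reset()` issued for one analysis discards the locations of any other analysis still in flight and restarts the counter, making ids reusable. Whether the caller resets per file or per run is not visible here; if analyses can run concurrently, this belongs on an instance owned by the analyser rather than in module state. At minimum document the contract on the class, e.g. `/** Process-wide registry of synthetic identifiers; call reset() between independent analyses and never share it across concurrent ones. */`, and note on `getLocation()` that it returns `undefined` for an unknown or already-reset id.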
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"VirtualVariableIdentifier.js","sourceRoot":"","sources":["../src/VirtualVariableIdentifier.ts"],"names":[],"mappings":"AAKA,MAAM,OAAO,yBAAyB;IACpC,MAAM,CAAC,cAAc,GAAG,IAAI,GAAG,EAAmC,CAAC;IACnE,MAAM,CAAC,QAAQ,GAAG,CAAC,CAAC;IAEpB,MAAM,CAAC,QAAQ,CACb,IAAY,EACZ,WAAoC,SAAS;QAE7C,MAAM,SAAS,GAAG,aAAa,IAAI,IAAI,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC;QAC3D,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QAE7C,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,CAAC,WAAW,CAChB,SAAiB;QAEjB,OAAO,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAC5C,CAAC;IAED,MAAM,CAAC,KAAK;QACV,IAAI,CAAC,QAAQ,GAAG,CAAC,CAAC;QAClB,IAAI,CAAC,cAAc,CAAC,KAAK,EAAE,CAAC;IAC9B,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"contants.d.ts","sourceRoot":"","sources":["../src/contants.ts"],"names":[],"mappings":"AACA,eAAO,MAAM,oBAAoB,eAAmC,CAAC"}
|
package/dist/contants.js
ADDED
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"contants.js","sourceRoot":"","sources":["../src/contants.ts"],"names":[],"mappings":"AAAA,YAAY;AACZ,MAAM,CAAC,MAAM,oBAAoB,GAAG,MAAM,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC"}
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
declare namespace _default {
|
|
2
|
+
export { sast_warnings };
|
|
3
|
+
}
|
|
4
|
+
export default _default;
|
|
5
|
+
declare namespace sast_warnings {
|
|
6
|
+
let parsing_error: string;
|
|
7
|
+
let unsafe_import: string;
|
|
8
|
+
let unsafe_regex: string;
|
|
9
|
+
let unsafe_stmt: string;
|
|
10
|
+
let unsafe_assign: string;
|
|
11
|
+
let encoded_literal: string;
|
|
12
|
+
let suspicious_file: string;
|
|
13
|
+
let short_identifiers: string;
|
|
14
|
+
let suspicious_literal: string;
|
|
15
|
+
let obfuscated_code: string;
|
|
16
|
+
let weak_crypto: string;
|
|
17
|
+
let shady_link: string;
|
|
18
|
+
let zero_semver: string;
|
|
19
|
+
let empty_package: string;
|
|
20
|
+
let unsafe_command: string;
|
|
21
|
+
let serialize_environment: string;
|
|
22
|
+
let synchronous_io: string;
|
|
23
|
+
let data_exfiltration: string;
|
|
24
|
+
let log_usage: string;
|
|
25
|
+
let sql_injection: string;
|
|
26
|
+
let monkey_patch: string;
|
|
27
|
+
}
|
|
28
|
+
//# sourceMappingURL=english.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"english.d.ts","sourceRoot":"","sources":["../../src/i18n/english.js"],"names":[],"mappings":""}
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
const sast_warnings = {
|
|
2
|
+
parsing_error: "An error occured when parsing the JavaScript code with meriyah. It mean that the conversion from string to AST has failed. If you encounter such an error, please open an issue here.",
|
|
3
|
+
unsafe_import: "Unable to follow an import (require, require.resolve) statement/expr.",
|
|
4
|
+
unsafe_regex: "A RegEx as been detected as unsafe and may be used for a ReDoS Attack.",
|
|
5
|
+
unsafe_stmt: "Usage of dangerous statement like eval() or Function(\"\").",
|
|
6
|
+
unsafe_assign: "Assignment of a protected global like process or require.",
|
|
7
|
+
encoded_literal: "An encoded literal has been detected (it can be an hexa value, unicode sequence, base64 string etc)",
|
|
8
|
+
suspicious_file: "A suspicious file with more than ten encoded-literal in it.",
|
|
9
|
+
short_identifiers: "This mean that all identifiers has an average length below 1.5. Only possible if the file contains more than 5 identifiers.",
|
|
10
|
+
suspicious_literal: "This mean that the sum of suspicious score of all Literals is bigger than 3.",
|
|
11
|
+
obfuscated_code: "There's a very high probability that the code is obfuscated...",
|
|
12
|
+
weak_crypto: "The code probably contains a weak crypto algorithm (md5, sha1...)",
|
|
13
|
+
shady_link: "A Literal (string) contains an URL to a domain with a suspicious extension.",
|
|
14
|
+
zero_semver: "Semantic version starting with 0.x (unstable project or without serious versioning)",
|
|
15
|
+
empty_package: "The package tarball only contains a package.json file.",
|
|
16
|
+
unsafe_command: "Usage of suspicious child_process command such as spawn() or exec()",
|
|
17
|
+
serialize_environment: "The code attempts to serialize process.env which could lead to environment variable exfiltration",
|
|
18
|
+
synchronous_io: "The code contains synchronous I/O operations, which can block the event loop and degrade performance.",
|
|
19
|
+
data_exfiltration: "Detects serialization of sensitive system information (os.userInfo, os.networkInterfaces, os.cpus, dns.getServers) which could indicate unauthorized data collection for external transmission.",
|
|
20
|
+
log_usage: "Usage of console logging methods (log, info, warn, error, debug) that may expose sensitive information in production environments.",
|
|
21
|
+
sql_injection: "Template literals with interpolated expressions in SQL queries (SELECT, INSERT, UPDATE, DELETE) without proper parameterization, creating potential SQL injection vulnerabilities.",
|
|
22
|
+
monkey_patch: "Modification of native prototypes or global objects at runtime, which introduces security risks including flow hijacking, global side effects, and potential concealment of malicious activities."
|
|
23
|
+
};
|
|
24
|
+
export default {
|
|
25
|
+
sast_warnings
|
|
26
|
+
};
|
|
27
|
+
//# sourceMappingURL=english.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"english.js","sourceRoot":"","sources":["../../src/i18n/english.js"],"names":[],"mappings":"AAAA,MAAM,aAAa,GAAG;IACpB,aAAa,EAAE,uLAAuL;IACtM,aAAa,EAAE,uEAAuE;IACtF,YAAY,EAAE,wEAAwE;IACtF,WAAW,EAAE,6DAA6D;IAC1E,aAAa,EAAE,2DAA2D;IAC1E,eAAe,EAAE,qGAAqG;IACtH,eAAe,EAAE,6DAA6D;IAC9E,iBAAiB,EAAE,6HAA6H;IAChJ,kBAAkB,EAAE,8EAA8E;IAClG,eAAe,EAAE,gEAAgE;IACjF,WAAW,EAAE,mEAAmE;IAChF,UAAU,EAAE,6EAA6E;IACzF,WAAW,EAAE,qFAAqF;IAClG,aAAa,EAAE,wDAAwD;IACvE,cAAc,EAAE,qEAAqE;IACrF,qBAAqB,EAAE,kGAAkG;IACzH,cAAc,EAAE,uGAAuG;IACvH,iBAAiB,EAAE,iMAAiM;IACpN,SAAS,EAAE,oIAAoI;IAC/I,aAAa,EAAE,oLAAoL;IACnM,YAAY,EAAE,mMAAmM;CAClN,CAAC;AAEF,eAAe;IACb,aAAa;CACd,CAAA"}
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
declare namespace _default {
|
|
2
|
+
export { sast_warnings };
|
|
3
|
+
}
|
|
4
|
+
export default _default;
|
|
5
|
+
declare namespace sast_warnings {
|
|
6
|
+
let parsing_error: string;
|
|
7
|
+
let unsafe_import: string;
|
|
8
|
+
let unsafe_regex: string;
|
|
9
|
+
let unsafe_stmt: string;
|
|
10
|
+
let unsafe_assign: string;
|
|
11
|
+
let encoded_literal: string;
|
|
12
|
+
let short_identifiers: string;
|
|
13
|
+
let suspicious_literal: string;
|
|
14
|
+
let suspicious_file: string;
|
|
15
|
+
let obfuscated_code: string;
|
|
16
|
+
let weak_crypto: string;
|
|
17
|
+
let shady_link: string;
|
|
18
|
+
let zero_semver: string;
|
|
19
|
+
let empty_package: string;
|
|
20
|
+
let unsafe_command: string;
|
|
21
|
+
let serialize_environment: string;
|
|
22
|
+
let synchronous_io: string;
|
|
23
|
+
let data_exfiltration: string;
|
|
24
|
+
let log_usage: string;
|
|
25
|
+
let sql_injection: string;
|
|
26
|
+
let monkey_patch: string;
|
|
27
|
+
}
|
|
28
|
+
//# sourceMappingURL=french.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"french.d.ts","sourceRoot":"","sources":["../../src/i18n/french.js"],"names":[],"mappings":""}
|
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
const sast_warnings = {
|
|
2
|
+
parsing_error: `Une erreur s'est produite lors de l'analyse du code JavaScript avec meriyah.
|
|
3
|
+
Cela signifie que la conversion de la chaîne de caractères AST a échoué.
|
|
4
|
+
Si vous rencontrez une telle erreur, veuillez ouvrir une issue.`,
|
|
5
|
+
unsafe_import: "Impossible de suivre l'import (require, require.resolve) statement/expr.",
|
|
6
|
+
unsafe_regex: "Un RegEx a été détecté comme non sûr et peut être utilisé pour une attaque ReDoS.",
|
|
7
|
+
unsafe_stmt: "Utilisation d'instructions dangereuses comme eval() ou Function(\"\").",
|
|
8
|
+
unsafe_assign: "Attribution d'un processus ou d'un require global protégé..",
|
|
9
|
+
encoded_literal: "Un code littérale a été découvert (il peut s'agir d'une valeur hexa, d'une séquence unicode, d'une chaîne de caractères base64, etc.)",
|
|
10
|
+
short_identifiers: "Cela signifie que tous les identifiants ont une longueur moyenne inférieure à 1,5. Seulement possible si le fichier contient plus de 5 identifiants.",
|
|
11
|
+
suspicious_literal: "Cela signifie que la somme des scores suspects de tous les littéraux est supérieure à 3.",
|
|
12
|
+
suspicious_file: "Un fichier suspect contenant plus de dix chaines de caractères encodés",
|
|
13
|
+
obfuscated_code: "Il y a une très forte probabilité que le code soit obscurci...",
|
|
14
|
+
weak_crypto: "Le code contient probablement un algorithme de chiffrement faiblement sécurisé (md5, sha1...).",
|
|
15
|
+
shady_link: "Un Literal (string) contient une URL vers un domaine avec une extension suspecte.",
|
|
16
|
+
zero_semver: "Version sémantique commençant par 0.x (projet instable ou sans versionnement sérieux)",
|
|
17
|
+
empty_package: "L'archive du package ne contient qu'un fichier package.json.",
|
|
18
|
+
unsafe_command: "Utilisation d'une commande child_process suspecte, comme spawn() ou exec()",
|
|
19
|
+
serialize_environment: "Le code tente de sérialiser process.env, ce qui pourrait entraîner une exfiltration des variables d'environnement",
|
|
20
|
+
synchronous_io: "Le code contient des opérations I/O synchrones, ce qui peut bloquer l'event-loop et dégrader les performances.",
|
|
21
|
+
data_exfiltration: "Détecte la sérialisation d'informations système sensibles (os.userInfo, os.networkInterfaces, os.cpus, dns.getServers) qui pourrait indiquer une collecte de données non autorisée pour transmission externe.",
|
|
22
|
+
log_usage: "Utilisation de méthodes de l'API console (log, info, warn, error, debug) qui peuvent exposer des informations sensibles en environnement de production.",
|
|
23
|
+
sql_injection: "Littéraux de gabarit avec expressions interpolées dans les requêtes SQL (SELECT, INSERT, UPDATE, DELETE) sans paramétrisation appropriée, créant des vulnérabilités potentielles d'injection SQL.",
|
|
24
|
+
monkey_patch: "Modification des prototypes natifs ou objets globaux à l'exécution, ce qui introduit des risques de sécurité incluant le détournement de flux, des effets secondaires globaux et la dissimulation potentielle d'activités malveillantes."
|
|
25
|
+
};
|
|
26
|
+
export default {
|
|
27
|
+
sast_warnings
|
|
28
|
+
};
|
|
29
|
+
//# sourceMappingURL=french.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"french.js","sourceRoot":"","sources":["../../src/i18n/french.js"],"names":[],"mappings":"AAAA,MAAM,aAAa,GAAG;IACpB,aAAa,EAAE;;8EAE6D;IAC5E,aAAa,EAAE,0EAA0E;IACzF,YAAY,EAAE,mFAAmF;IACjG,WAAW,EAAE,wEAAwE;IACrF,aAAa,EAAE,6DAA6D;IAC5E,eAAe,EAAE,uIAAuI;IACxJ,iBAAiB,EAAE,sJAAsJ;IACzK,kBAAkB,EAAE,0FAA0F;IAC9G,eAAe,EAAE,wEAAwE;IACzF,eAAe,EAAE,gEAAgE;IACjF,WAAW,EAAE,gGAAgG;IAC7G,UAAU,EAAE,mFAAmF;IAC/F,WAAW,EAAE,uFAAuF;IACpG,aAAa,EAAE,8DAA8D;IAC7E,cAAc,EAAE,4EAA4E;IAC5F,qBAAqB,EAAE,mHAAmH;IAC1I,cAAc,EAAE,gHAAgH;IAChI,iBAAiB,EAAE,+MAA+M;IAClO,SAAS,EAAE,yJAAyJ;IACpK,aAAa,EAAE,mMAAmM;IAClN,YAAY,EAAE,0OAA0O;CACzP,CAAC;AAEF,eAAe;IACb,aAAa;CACd,CAAA"}
|
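--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -5,4 +5,6 @@ export { Pipelines, type Pipeline } from "./pipelines/index.ts";
 export * from "./SourceFile.ts";
 export * from "./warnings.ts";
 export * from "./CollectableSet.ts";
+export * from "./contants.ts";
+export declare function i18nLocation(): string;
 //# sourceMappingURL=index.d.ts.map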
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAGA,cAAc,kBAAkB,CAAC;AACjC,cAAc,yBAAyB,CAAC;AACxC,cAAc,qBAAqB,CAAC;AACpC,OAAO,EACL,SAAS,EACT,KAAK,QAAQ,EACd,MAAM,sBAAsB,CAAC;AAC9B,cAAc,iBAAiB,CAAC;AAChC,cAAc,eAAe,CAAC;AAC9B,cAAc,qBAAqB,CAAC;AACpC,cAAc,eAAe,CAAC;AAE9B,wBAAgB,YAAY,WAE3B"}
|
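--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -1,3 +1,5 @@
+// Import Node.js Dependencies
+import path from "node:path";
 export * from "./AstAnalyser.js";
 export * from "./EntryFilesAnalyser.js";
 export * from "./JsSourceParser.js";
@@ -5,4 +7,8 @@ export { Pipelines } from "./pipelines/index.js";
 export * from "./SourceFile.js";
 export * from "./warnings.js";
 export * from "./CollectableSet.js";
+export * from "./contants.js";
+export function i18nLocation() {
+return path.join(import.meta.dirname, "i18n");
+}
 //# sourceMappingURL=index.js.map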
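Review bot: `i18nLocation()` depends on `import.meta.dirname`, which only exists on Node.js 20.11+/21.2+; on older runtimes it is `undefined` and `path.join` throws a TypeError at call time rather than at import. The diffstat lists a package.json change that may raise `engines.node` to match, but that file is not on this page; if the supported floor is below 20.11, use `return path.join(path.dirname(fileURLToPath(import.meta.url)), "i18n");` together with `import { fileURLToPath } from "node:url";`. A one-line JSDoc saying the function returns the absolute directory of the bundled i18n catalogs would also help consumers of this new export.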
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,kBAAkB,CAAC;AACjC,cAAc,yBAAyB,CAAC;AACxC,cAAc,qBAAqB,CAAC;AACpC,OAAO,EACL,SAAS,EAEV,MAAM,sBAAsB,CAAC;AAC9B,cAAc,iBAAiB,CAAC;AAChC,cAAc,eAAe,CAAC;AAC9B,cAAc,qBAAqB,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,8BAA8B;AAC9B,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,cAAc,kBAAkB,CAAC;AACjC,cAAc,yBAAyB,CAAC;AACxC,cAAc,qBAAqB,CAAC;AACpC,OAAO,EACL,SAAS,EAEV,MAAM,sBAAsB,CAAC;AAC9B,cAAc,iBAAiB,CAAC;AAChC,cAAc,eAAe,CAAC;AAC9B,cAAc,qBAAqB,CAAC;AACpC,cAAc,eAAe,CAAC;AAE9B,MAAM,UAAU,YAAY;IAC1B,OAAO,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;AAChD,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"data-exfiltration.d.ts","sourceRoot":"","sources":["../../src/probes/data-exfiltration.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"data-exfiltration.d.ts","sourceRoot":"","sources":["../../src/probes/data-exfiltration.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAGtC,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAEtD,OAAO,EAAiC,KAAK,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AAatG,KAAK,0BAA0B,GAAG,MAAM,CAAC,MAAM,EAAE,mBAAmB,EAAE,CAAC,CAAC;AAExE,iBAAS,YAAY,CACnB,IAAI,EAAE,MAAM,CAAC,IAAI,EACjB,GAAG,EAAE,YAAY,GAChB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAejB;AAED,iBAAS,IAAI,CACX,IAAI,EAAE,MAAM,CAAC,cAAc,EAC3B,GAAG,EAAE,YAAY,CAAC,0BAA0B,CAAC,QAwB9C;AAED,iBAAS,UAAU,CACjB,GAAG,EAAE,YAAY,CAAC,0BAA0B,CAAC,QAoC9C;AAED,iBAAS,QAAQ,CAAC,GAAG,EAAE,YAAY,CAAC,0BAA0B,CAAC,QAO9D;AAED,QAAA,MAAM,iBAAiB;;;;;;;;CAQtB,CAAC;AAEF,eAAe,iBAAiB,CAAC"}
|
|
@@ -1,8 +1,11 @@
|
|
|
1
1
|
// Import Third-party Dependencies
|
|
2
2
|
import { getCallExpressionIdentifier } from "@nodesecure/estree-ast-utils";
|
|
3
|
+
import { VariableTracer } from "@nodesecure/tracer";
|
|
4
|
+
import { CALL_EXPRESSION_DATA } from "../contants.js";
|
|
3
5
|
import { rootLocation, toArrayLocation } from "../utils/toArrayLocation.js";
|
|
4
6
|
import { generateWarning } from "../warnings.js";
|
|
5
7
|
// CONSTANTS
|
|
8
|
+
const kSensitiveModules = new Set(["os", "dns"]);
|
|
6
9
|
const kSensitiveMethods = [
|
|
7
10
|
"os.userInfo",
|
|
8
11
|
"os.networkInterfaces",
|
|
@@ -10,13 +13,10 @@ const kSensitiveMethods = [
|
|
|
10
13
|
"dns.getServers"
|
|
11
14
|
];
|
|
12
15
|
function validateNode(node, ctx) {
|
|
13
|
-
|
|
14
|
-
const id = getCallExpressionIdentifier(node);
|
|
15
|
-
if (id === null) {
|
|
16
|
+
if (ctx.sourceFile.sensitivity === "aggressive") {
|
|
16
17
|
return [false];
|
|
17
18
|
}
|
|
18
|
-
|
|
19
|
-
if (data === null || data.identifierOrMemberExpr !== "JSON.stringify") {
|
|
19
|
+
if (ctx.context?.[CALL_EXPRESSION_DATA]?.identifierOrMemberExpr !== "JSON.stringify") {
|
|
20
20
|
return [false];
|
|
21
21
|
}
|
|
22
22
|
const castedNode = node;
|
|
@@ -48,17 +48,21 @@ function main(node, ctx) {
|
|
|
48
48
|
}
|
|
49
49
|
}
|
|
50
50
|
function initialize(ctx) {
|
|
51
|
-
const { sourceFile
|
|
51
|
+
const { sourceFile, context } = ctx;
|
|
52
|
+
const { tracer } = sourceFile;
|
|
52
53
|
tracer
|
|
53
54
|
.trace("JSON.stringify", {
|
|
54
55
|
followConsecutiveAssignment: true
|
|
55
|
-
})
|
|
56
|
+
})
|
|
57
|
+
.trace("os.userInfo", {
|
|
56
58
|
moduleName: "os",
|
|
57
59
|
followConsecutiveAssignment: true
|
|
58
|
-
})
|
|
60
|
+
})
|
|
61
|
+
.trace("os.networkInterfaces", {
|
|
59
62
|
moduleName: "os",
|
|
60
63
|
followConsecutiveAssignment: true
|
|
61
|
-
})
|
|
64
|
+
})
|
|
65
|
+
.trace("os.cpus", {
|
|
62
66
|
moduleName: "os",
|
|
63
67
|
followConsecutiveAssignment: true
|
|
64
68
|
})
|
|
@@ -66,6 +70,14 @@ function initialize(ctx) {
|
|
|
66
70
|
moduleName: "dns",
|
|
67
71
|
followConsecutiveAssignment: true
|
|
68
72
|
});
|
|
73
|
+
if (sourceFile.sensitivity !== "aggressive") {
|
|
74
|
+
return;
|
|
75
|
+
}
|
|
76
|
+
tracer.on(VariableTracer.ImportEvent, ({ moduleName, location }) => {
|
|
77
|
+
if (kSensitiveModules.has(moduleName) && !(moduleName in context)) {
|
|
78
|
+
context[moduleName] = [toArrayLocation(location ?? undefined)];
|
|
79
|
+
}
|
|
80
|
+
});
|
|
69
81
|
}
|
|
70
82
|
function finalize(ctx) {
|
|
71
83
|
const { sourceFile, context } = ctx;
|
|
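Review bot: The ImportEvent listener added at new lines 76-80 of initialize keys its check on the raw `moduleName`, so an import written with the `node:` scheme is only recorded if the tracer has already stripped that prefix; if it has not, `kSensitiveModules.has("node:os")` is false and the aggressive-mode import is silently ignored. Either confirm the tracer normalizes specifiers or widen the constant at new line 8 to `const kSensitiveModules = new Set(["os", "dns", "node:os", "node:dns"]);`. The `!(moduleName in context)` guard keeps only the first import location per module; if that is intended, a comment such as `// record only the first import location of each sensitive module` would make the first-only behaviour explicit. finalize starts at line 82 and its body continues outside the hunk.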
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"data-exfiltration.js","sourceRoot":"","sources":["../../src/probes/data-exfiltration.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,OAAO,EACL,2BAA2B,EAC5B,MAAM,8BAA8B,CAAC;
|
|
1
|
+
{"version":3,"file":"data-exfiltration.js","sourceRoot":"","sources":["../../src/probes/data-exfiltration.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,OAAO,EACL,2BAA2B,EAC5B,MAAM,8BAA8B,CAAC;AACtC,OAAO,EAAE,cAAc,EAA2B,MAAM,oBAAoB,CAAC;AAK7E,OAAO,EAAE,oBAAoB,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,eAAe,EAA4B,MAAM,6BAA6B,CAAC;AACtG,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAEjD,YAAY;AACZ,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;AAEjD,MAAM,iBAAiB,GAAG;IACxB,aAAa;IACb,sBAAsB;IACtB,SAAS;IACT,gBAAgB;CACjB,CAAC;AAIF,SAAS,YAAY,CACnB,IAAiB,EACjB,GAAiB;IAEjB,IAAI,GAAG,CAAC,UAAU,CAAC,WAAW,KAAK,YAAY,EAAE,CAAC;QAChD,OAAO,CAAC,KAAK,CAAC,CAAC;IACjB,CAAC;IAED,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC,oBAAoB,CAAC,EAAE,sBAAsB,KAAK,gBAAgB,EAAE,CAAC;QACrF,OAAO,CAAC,KAAK,CAAC,CAAC;IACjB,CAAC;IAED,MAAM,UAAU,GAAG,IAA6B,CAAC;IACjD,IAAI,UAAU,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtC,OAAO,CAAC,KAAK,CAAC,CAAC;IACjB,CAAC;IAED,OAAO,CAAC,IAAI,CAAC,CAAC;AAChB,CAAC;AAED,SAAS,IAAI,CACX,IAA2B,EAC3B,GAA6C;IAE7C,MAAM,EAAE,UAAU,EAAE,GAAG,GAAG,CAAC;IAE3B,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IACnC,IAAI,QAAQ,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;QACvC,OAAO;IACT,CAAC;IACD,MAAM,EAAE,GAAG,2BAA2B,CAAC,QAAQ,CAAC,CAAC;IAEjD,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,OAAO;IACT,CAAC;IACD,MAAM,IAAI,GAAG,UAAU,CAAC,MAAM,CAAC,qBAAqB,CAAC,EAAE,CAAC,CAAC;IACzD,IAAI,iBAAiB,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,IAAI,EAAE,sBAAsB,KAAK,MAAM;WACzE,UAAU,CAAC,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAClE,MAAM,aAAa,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,sBAAuB,CAAC,CAAC;QACnE,IAAI,aAAa,EAAE,CAAC;YAClB,aAAa,CAAC,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,GAAG,IAAI,YAAY,EAAE,CAAC,CAAC,CAAC;QACtE,CAAC;aACI,CAAC;YACJ,GAAG,CAAC,OAAQ,CAAC,IAAI,EAAE,sBAAuB,CAAC,GAAG,CAAC,eAAe,CAAC,QAAQ,CAAC,GAAG,IAAI,YAAY,EAAE,CAAC,CAAC,CAAC;QAClG,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,UAAU,CACjB,GAA6C;IAE7C,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC;IACpC,MAAM,EAAE,MAAM,EAAE,GAAG,UAAU,CAAC;I
AC9B,MAAM;SACH,KAAK,CAAC,gBAAgB,EAAE;QACvB,2BAA2B,EAAE,IAAI;KAClC,CAAC;SACD,KAAK,CAAC,aAAa,EAAE;QACpB,UAAU,EAAE,IAAI;QAChB,2BAA2B,EAAE,IAAI;KAClC,CAAC;SACD,KAAK,CAAC,sBAAsB,EAAE;QAC7B,UAAU,EAAE,IAAI;QAChB,2BAA2B,EAAE,IAAI;KAClC,CAAC;SACD,KAAK,CAAC,SAAS,EAAE;QAChB,UAAU,EAAE,IAAI;QAChB,2BAA2B,EAAE,IAAI;KAClC,CAAC;SACD,KAAK,CAAC,gBAAgB,EAAE;QACvB,UAAU,EAAE,KAAK;QACjB,2BAA2B,EAAE,IAAI;KAClC,CAAC,CAAC;IAEL,IAAI,UAAU,CAAC,WAAW,KAAK,YAAY,EAAE,CAAC;QAC5C,OAAO;IACT,CAAC;IACD,MAAM,CAAC,EAAE,CAAC,cAAc,CAAC,WAAW,EAAE,CAAC,EACrC,UAAU,EACV,QAAQ,EACW,EAAE,EAAE;QACvB,IAAI,iBAAiB,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,IAAI,OAAQ,CAAC,EAAE,CAAC;YACnE,OAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,eAAe,CAAC,QAAQ,IAAI,SAAS,CAAC,CAAC,CAAC;QAClE,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,QAAQ,CAAC,GAA6C;IAC7D,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC;IACpC,IAAI,OAAO,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/C,MAAM,OAAO,GAAG,eAAe,CAAC,mBAAmB,EACjD,EAAE,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC9C,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,GAAG,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IACpF,CAAC;AACH,CAAC;AAED,MAAM,iBAAiB,GAAG;IACxB,IAAI,EAAE,kBAAkB;IACxB,YAAY;IACZ,UAAU;IACV,QAAQ;IACR,IAAI;IACJ,YAAY,EAAE,KAAK;IACnB,OAAO,EAAE,EAAE;CACZ,CAAC;AAEF,eAAe,iBAAiB,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"isImportDeclaration.d.ts","sourceRoot":"","sources":["../../src/probes/isImportDeclaration.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAGtC,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAGlD;;;;;;;GAOG;AACH,iBAAS,YAAY,CACnB,IAAI,EAAE,MAAM,CAAC,IAAI,GAChB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAUjB;AAED,iBAAS,IAAI,CACX,IAAI,EAAE,CACF,MAAM,CAAC,iBAAiB,GACxB,MAAM,CAAC,gBAAgB,CAC1B,GAAG;IAAE,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;CAAE,EAChC,OAAO,EAAE;IAAE,UAAU,EAAE,UAAU,CAAC;CAAE,
|
|
1
|
+
{"version":3,"file":"isImportDeclaration.d.ts","sourceRoot":"","sources":["../../src/probes/isImportDeclaration.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAGtC,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAGlD;;;;;;;GAOG;AACH,iBAAS,YAAY,CACnB,IAAI,EAAE,MAAM,CAAC,IAAI,GAChB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAUjB;AAED,iBAAS,IAAI,CACX,IAAI,EAAE,CACF,MAAM,CAAC,iBAAiB,GACxB,MAAM,CAAC,gBAAgB,CAC1B,GAAG;IAAE,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;CAAE,EAChC,OAAO,EAAE;IAAE,UAAU,EAAE,UAAU,CAAC;CAAE,QAmBrC;;;;;;;;AAED,wBAME"}
|
|
@@ -21,9 +21,14 @@ function validateNode(node) {
|
|
|
21
21
|
}
|
|
22
22
|
function main(node, options) {
|
|
23
23
|
const { sourceFile } = options;
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
24
|
+
if ([
|
|
25
|
+
// Searching for dangerous import "data:text/javascript;..." statement.
|
|
26
|
+
// see: https://2ality.com/2019/10/eval-via-import.html
|
|
27
|
+
"data:text/javascript",
|
|
28
|
+
// Searching for dangerous import "file:..." statement
|
|
29
|
+
// see: https://en.wikipedia.org/wiki/File_inclusion_vulnerability
|
|
30
|
+
"file:"
|
|
31
|
+
].some((suspiciousPath) => node.source.value.startsWith(suspiciousPath))) {
|
|
27
32
|
sourceFile.warnings.push(generateWarning("unsafe-import", { value: node.source.value, location: node.loc }));
|
|
28
33
|
}
|
|
29
34
|
sourceFile.addDependency(node.source.value, node.loc);
|
|
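Review bot: The prefix test at new line 31 is case-sensitive, but URL schemes are not, so a specifier spelled `DATA:text/javascript,...` or `FILE:...` resolves the same way yet passes this check; normalizing first, `].some((suspiciousPath) => node.source.value.toLowerCase().startsWith(suspiciousPath))`, closes that gap (the MIME subtype is case-insensitive as well, and the loader presumably also accepts `application/javascript` — worth confirming and listing). The literal array and its two why-comments are rebuilt on every ImportDeclaration; moving them to a module-level `const kSuspiciousImportPrefixes = [...]` beside the file's other constants would match the probe style used elsewhere in this package and keep the explanatory comments out of the function body. main's body continues outside the hunk.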
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"isImportDeclaration.js","sourceRoot":"","sources":["../../src/probes/isImportDeclaration.ts"],"names":[],"mappings":"AAGA,+BAA+B;AAC/B,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAE9C,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAEjD;;;;;;;GAOG;AACH,SAAS,YAAY,CACnB,IAAiB;IAEjB,IAAI,IAAI,CAAC,IAAI,KAAK,mBAAmB,IAAI,IAAI,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;QAC1E,OAAO,CAAC,KAAK,CAAC,CAAC;IACjB,CAAC;IAED,yEAAyE;IACzE,OAAO;QACL,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,SAAS;YAC9B,OAAO,IAAI,CAAC,MAAM,CAAC,KAAK,KAAK,QAAQ;KACtC,CAAC;AACJ,CAAC;AAED,SAAS,IAAI,CACX,IAGgC,EAChC,OAAoC;IAEpC,MAAM,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC;IAE/B,uEAAuE;
|
|
1
|
+
{"version":3,"file":"isImportDeclaration.js","sourceRoot":"","sources":["../../src/probes/isImportDeclaration.ts"],"names":[],"mappings":"AAGA,+BAA+B;AAC/B,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAE9C,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAEjD;;;;;;;GAOG;AACH,SAAS,YAAY,CACnB,IAAiB;IAEjB,IAAI,IAAI,CAAC,IAAI,KAAK,mBAAmB,IAAI,IAAI,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;QAC1E,OAAO,CAAC,KAAK,CAAC,CAAC;IACjB,CAAC;IAED,yEAAyE;IACzE,OAAO;QACL,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,SAAS;YAC9B,OAAO,IAAI,CAAC,MAAM,CAAC,KAAK,KAAK,QAAQ;KACtC,CAAC;AACJ,CAAC;AAED,SAAS,IAAI,CACX,IAGgC,EAChC,OAAoC;IAEpC,MAAM,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC;IAE/B,IAAI;QACF,uEAAuE;QACvE,uDAAuD;QACvD,sBAAsB;QACtB,sDAAsD;QACtD,kEAAkE;QAClE,OAAO;KACR,CAAC,IAAI,CAAC,CAAC,cAAc,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC,EAAE,CAAC;QACzE,UAAU,CAAC,QAAQ,CAAC,IAAI,CACtB,eAAe,CACb,eAAe,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,CAClE,CACF,CAAC;IACJ,CAAC;IACD,UAAU,CAAC,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;AACxD,CAAC;AAED,eAAe;IACb,IAAI,EAAE,qBAAqB;IAC3B,YAAY;IACZ,IAAI;IACJ,YAAY,EAAE,IAAI;IAClB,UAAU,EAAE,QAAQ;CACrB,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"isLiteral.d.ts","sourceRoot":"","sources":["../../src/probes/isLiteral.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAItC,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;
|
|
1
|
+
{"version":3,"file":"isLiteral.d.ts","sourceRoot":"","sources":["../../src/probes/isLiteral.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAItC,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAGlD,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,8BAA8B,CAAC;AAK3E;;;;;GAKG;AACH,iBAAS,YAAY,CACnB,IAAI,EAAE,MAAM,CAAC,IAAI,GAChB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAIjB;AAED,iBAAS,IAAI,CACX,IAAI,EAAE,OAAO,CAAC,MAAM,CAAC,EACrB,OAAO,EAAE;IACP,UAAU,EAAE,UAAU,CAAC;IACvB,sBAAsB,EAAE,sBAAsB,CAAC;CAChD,QAyEF;;;;;;;AAED,wBAKE"}
|
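--- a/package/dist/probes/isLiteral.js
+++ b/package/dist/probes/isLiteral.js
@@ -5,9 +5,11 @@ import { Hex } from "@nodesecure/sec-literal";
 // Import Internal Dependencies
 import { ShadyLink } from "../ShadyLink.js";
 import { SourceFile } from "../SourceFile.js";
+import { toArrayLocation } from "../utils/toArrayLocation.js";
 import { generateWarning } from "../warnings.js";
 // CONSTANTS
 const kNodeDeps = new Set(builtinModules);
+const kEmailRegex = /^[^.\s@:](?:[^\s@:]*[^\s@:.])?@[^.\s@]+(?:\.[^.\s@]+)*$/;
 /**
 * @description Search for Literal AST Node
 * @see https://github.com/estree/estree/blob/master/es5.md#literal
@@ -25,7 +27,8 @@ function main(node, options) {
 const shadyLinkOptions = {
 file: sourceFile.path.location,
 collectableSetRegistry,
-location
+location,
+metadata: sourceFile.metadata
 };
 // We are searching for value obfuscated as hex of a minimum length of 4.
 if (/^[0-9A-Fa-f]{4,}$/g.test(node.value)) {
@@ -41,6 +44,15 @@ function main(node, options) {
 sourceFile.addEncodedLiteral(node.value, location);
 }
 }
+else if (collectableSetRegistry.has("email") && kEmailRegex.test(node.value)) {
+collectableSetRegistry.add("email", {
+value: node.value,
+file: sourceFile.path.location,
+location: toArrayLocation(location),
+metadata: sourceFile.metadata
+});
+return;
+}
 else if (ShadyLink.isValidIPAddress(node.value)) {
 const result = ShadyLink.isIpAddressSafe(node.value, shadyLinkOptions);
 if (!result.safe) {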
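Review bot: `kEmailRegex` at new line 12 accepts a host made only of digits and dots, so the `name@version` strings that are common in package code — `lodash@4.17.21` is a constructed example — are collected as emails and would inflate the `email` collectable set with false positives. Requiring the final label to start with a non-digit, `const kEmailRegex = /^[^.\s@:](?:[^\s@:]*[^\s@:.])?@[^.\s@]+(?:\.[^.\s@]+)*\.[^.\s@\d][^.\s@]*$/;`, rejects those at the cost of dotless hosts such as `user@localhost`, which a collector of contact addresses can probably live without. The branch at new lines 47-55 also runs before the IP and URL heuristics and returns early; a one-line comment stating that the ordering is deliberate (e.g. `// collected only, never warned on: test before the IP/URL heuristics`) would help, since I cannot tell from this hunk whether an email-shaped literal should ever reach ShadyLink. main's body continues outside the hunk.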
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"isLiteral.js","sourceRoot":"","sources":["../../src/probes/isLiteral.ts"],"names":[],"mappings":"AAAA,8BAA8B;AAC9B,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE7C,kCAAkC;AAClC,OAAO,EAAE,GAAG,EAAE,MAAM,yBAAyB,CAAC;AAG9C,+BAA+B;AAC/B,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAE9C,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAGjD,YAAY;AACZ,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,cAAc,CAAC,CAAC;AAC1C;;;;;GAKG;AACH,SAAS,YAAY,CACnB,IAAiB;IAEjB,OAAO;QACL,IAAI,CAAC,IAAI,KAAK,SAAS,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ;KAC1D,CAAC;AACJ,CAAC;AAED,SAAS,IAAI,CACX,IAAqB,EACrB,OAGC;IAED,MAAM,EAAE,UAAU,EAAE,sBAAsB,EAAE,GAAG,OAAO,CAAC;IACvD,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,IAAI,KAAK,CAAC,CAAC;IAEpC,MAAM,gBAAgB,GAAG;QACvB,IAAI,EAAE,UAAU,CAAC,IAAI,CAAC,QAAQ;QAC9B,sBAAsB;QACtB,QAAQ;
|
|
1
|
+
{"version":3,"file":"isLiteral.js","sourceRoot":"","sources":["../../src/probes/isLiteral.ts"],"names":[],"mappings":"AAAA,8BAA8B;AAC9B,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE7C,kCAAkC;AAClC,OAAO,EAAE,GAAG,EAAE,MAAM,yBAAyB,CAAC;AAG9C,+BAA+B;AAC/B,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAE9C,OAAO,EAAE,eAAe,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAGjD,YAAY;AACZ,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,cAAc,CAAC,CAAC;AAC1C,MAAM,WAAW,GAAG,yDAAyD,CAAC;AAC9E;;;;;GAKG;AACH,SAAS,YAAY,CACnB,IAAiB;IAEjB,OAAO;QACL,IAAI,CAAC,IAAI,KAAK,SAAS,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ;KAC1D,CAAC;AACJ,CAAC;AAED,SAAS,IAAI,CACX,IAAqB,EACrB,OAGC;IAED,MAAM,EAAE,UAAU,EAAE,sBAAsB,EAAE,GAAG,OAAO,CAAC;IACvD,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,IAAI,KAAK,CAAC,CAAC;IAEpC,MAAM,gBAAgB,GAAG;QACvB,IAAI,EAAE,UAAU,CAAC,IAAI,CAAC,QAAQ;QAC9B,sBAAsB;QACtB,QAAQ;QACR,QAAQ,EAAE,UAAU,CAAC,QAAQ;KAC9B,CAAC;IAEF,yEAAyE;IACzE,IAAI,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1C,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,QAAQ,EAAE,CAAC;QACxD,UAAU,CAAC,YAAY,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;QAE7C,sEAAsE;QACtE,iGAAiG;QACjG,IAAI,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,UAAU,CAAC,aAAa,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;YAC1C,UAAU,CAAC,QAAQ,CAAC,IAAI,CACtB,eAAe,CACb,eAAe,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,CAC3C,CACF,CAAC;QACJ,CAAC;aACI,IAAI,KAAK,KAAK,SAAS,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YACxD,UAAU,CAAC,iBAAiB,CAAC,IAAI,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;QACrD,CAAC;IACH,CAAC;SACI,IAAI,sBAAsB,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC7E,sBAAsB,CAAC,GAAG,CAAC,OAAO,EAAE;YAClC,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,IAAI,EAAE,UAAU,CAAC,IAAI,CAAC,QAAQ;YAC9B,QAAQ,EAAE,eAAe,CAAC,QAAQ,CAAC;YACnC,QAAQ,EAAE,UAAU,CAAC,QAAQ;SAC9B,CAAC,CAAC;QAEH,OAAO;IACT,CAAC;SACI,IAAI,SAAS,CAAC,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAChD,MAAM,MAAM,GAAG,SAAS,CAAC,eAAe,CAAC,IAAI,CAAC,KAAK,EAAE,gBAAgB
,CAAC,CAAC;QACvE,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YACjB,UAAU,CAAC,QAAQ,CAAC,IAAI,CACtB,eAAe,CAAC,YAAY,EAAE;gBAC5B,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,QAAQ;gBACR,QAAQ,EAAE,aAAa;aACxB,CAAC,CACH,CAAC;YAEF,OAAO;QACT,CAAC;IACH,CAAC;IACD,gEAAgE;SAC3D,CAAC;QACJ,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;QAEjE,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YACjB,UAAU,CAAC,QAAQ,CAAC,IAAI,CACtB,eAAe,CAAC,YAAY,EAAE;gBAC5B,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,QAAQ;gBACR,QAAQ,EAAE,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS;aAC5D,CAAC,CACH,CAAC;YAEF,OAAO;QACT,CAAC;QAED,UAAU,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;IAClC,CAAC;AACH,CAAC;AAED,eAAe;IACb,IAAI,EAAE,WAAW;IACjB,YAAY;IACZ,IAAI;IACJ,YAAY,EAAE,KAAK;CACpB,CAAC"}
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
import type { ESTree } from "meriyah";
|
|
2
|
+
import type { ProbeMainContext, ProbeContext } from "../ProbeRunner.ts";
|
|
3
|
+
export declare const JS_TYPES: Set<string>;
|
|
4
|
+
/**
|
|
5
|
+
* @description Search for monkey patching of built-in prototypes.
|
|
6
|
+
* @example
|
|
7
|
+
* Array.prototype.map = function() {};
|
|
8
|
+
*/
|
|
9
|
+
declare function validateNodeAssignment(node: ESTree.Node, ctx: ProbeContext): [boolean, any?];
|
|
10
|
+
declare function main(node: ESTree.Node, options: ProbeMainContext): void;
|
|
11
|
+
declare const _default: {
|
|
12
|
+
name: string;
|
|
13
|
+
validateNode: (typeof validateNodeAssignment)[];
|
|
14
|
+
main: typeof main;
|
|
15
|
+
};
|
|
16
|
+
export default _default;
|
|
17
|
+
//# sourceMappingURL=isMonkeyPatch.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"isMonkeyPatch.d.ts","sourceRoot":"","sources":["../../src/probes/isMonkeyPatch.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAOtC,OAAO,KAAK,EACV,gBAAgB,EAChB,YAAY,EACb,MAAM,mBAAmB,CAAC;AAI3B,eAAO,MAAM,QAAQ,aA0CnB,CAAC;AAEH;;;;GAIG;AACH,iBAAS,sBAAsB,CAC7B,IAAI,EAAE,MAAM,CAAC,IAAI,EACjB,GAAG,EAAE,YAAY,GAChB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CASjB;AA4CD,iBAAS,IAAI,CACX,IAAI,EAAE,MAAM,CAAC,IAAI,EACjB,OAAO,EAAE,gBAAgB,QAO1B;;;;;;AAED,wBAOE"}
|
|
@@ -0,0 +1,98 @@
|
|
|
1
|
+
import { getCallExpressionIdentifier, getMemberExpressionIdentifier } from "@nodesecure/estree-ast-utils";
|
|
2
|
+
import { generateWarning } from "../warnings.js";
|
|
3
|
+
// CONSTANTS
|
|
4
|
+
export const JS_TYPES = new Set([
|
|
5
|
+
"AggregateError",
|
|
6
|
+
"Array",
|
|
7
|
+
"ArrayBuffer",
|
|
8
|
+
"BigInt",
|
|
9
|
+
"BigInt64Array",
|
|
10
|
+
"BigUint64Array",
|
|
11
|
+
"Boolean",
|
|
12
|
+
"DataView",
|
|
13
|
+
"Date",
|
|
14
|
+
"Error",
|
|
15
|
+
"EvalError",
|
|
16
|
+
"FinalizationRegistry",
|
|
17
|
+
"Float32Array",
|
|
18
|
+
"Float64Array",
|
|
19
|
+
"Function",
|
|
20
|
+
"Int16Array",
|
|
21
|
+
"Int32Array",
|
|
22
|
+
"Int8Array",
|
|
23
|
+
"Map",
|
|
24
|
+
"Number",
|
|
25
|
+
"Object",
|
|
26
|
+
"Promise",
|
|
27
|
+
"Proxy",
|
|
28
|
+
"RangeError",
|
|
29
|
+
"ReferenceError",
|
|
30
|
+
"Reflect",
|
|
31
|
+
"RegExp",
|
|
32
|
+
"Set",
|
|
33
|
+
"SharedArrayBuffer",
|
|
34
|
+
"String",
|
|
35
|
+
"Symbol",
|
|
36
|
+
"SyntaxError",
|
|
37
|
+
"TypeError",
|
|
38
|
+
"Uint16Array",
|
|
39
|
+
"Uint32Array",
|
|
40
|
+
"Uint8Array",
|
|
41
|
+
"Uint8ClampedArray",
|
|
42
|
+
"URIError",
|
|
43
|
+
"WeakMap",
|
|
44
|
+
"WeakRef",
|
|
45
|
+
"WeakSet"
|
|
46
|
+
]);
|
|
47
|
+
/**
|
|
48
|
+
* @description Search for monkey patching of built-in prototypes.
|
|
49
|
+
* @example
|
|
50
|
+
* Array.prototype.map = function() {};
|
|
51
|
+
*/
|
|
52
|
+
function validateNodeAssignment(node, ctx) {
|
|
53
|
+
if (node.type !== "AssignmentExpression" ||
|
|
54
|
+
node.left.type !== "MemberExpression") {
|
|
55
|
+
return [false];
|
|
56
|
+
}
|
|
57
|
+
return validateMemberExpression(node.left, ctx);
|
|
58
|
+
}
|
|
59
|
+
function validateDefineProperty(node, ctx) {
|
|
60
|
+
if (node.type !== "CallExpression") {
|
|
61
|
+
return [false];
|
|
62
|
+
}
|
|
63
|
+
const id = getCallExpressionIdentifier(node);
|
|
64
|
+
if ((id !== "Object.defineProperty" && id !== "Reflect.defineProperty")) {
|
|
65
|
+
return [false];
|
|
66
|
+
}
|
|
67
|
+
const firstArg = node.arguments.at(0);
|
|
68
|
+
if (firstArg?.type !== "MemberExpression") {
|
|
69
|
+
return [false];
|
|
70
|
+
}
|
|
71
|
+
return validateMemberExpression(firstArg, ctx);
|
|
72
|
+
}
|
|
73
|
+
function validateMemberExpression(node, ctx) {
|
|
74
|
+
const iter = getMemberExpressionIdentifier(node, {
|
|
75
|
+
externalIdentifierLookup: (name) => ctx.sourceFile.tracer.literalIdentifiers.get(name)?.value ?? null
|
|
76
|
+
});
|
|
77
|
+
const jsTypeName = iter.next().value;
|
|
78
|
+
if (typeof jsTypeName !== "string" || !JS_TYPES.has(jsTypeName)) {
|
|
79
|
+
return [false];
|
|
80
|
+
}
|
|
81
|
+
return [
|
|
82
|
+
iter.next().value === "prototype",
|
|
83
|
+
`${jsTypeName}.prototype`
|
|
84
|
+
];
|
|
85
|
+
}
|
|
86
|
+
function main(node, options) {
|
|
87
|
+
const { sourceFile, data: prototypeName } = options;
|
|
88
|
+
sourceFile.warnings.push(generateWarning("monkey-patch", { value: prototypeName, location: node.loc }));
|
|
89
|
+
}
|
|
90
|
+
export default {
|
|
91
|
+
name: "isMonkeyPatch",
|
|
92
|
+
validateNode: [
|
|
93
|
+
validateNodeAssignment,
|
|
94
|
+
validateDefineProperty
|
|
95
|
+
],
|
|
96
|
+
main
|
|
97
|
+
};
|
|
98
|
+
//# sourceMappingURL=isMonkeyPatch.js.map
|
|
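Review bot: `validateDefineProperty` (lines 59-72) recognises `Object.defineProperty` and `Reflect.defineProperty` but not `Object.defineProperties`, whose first argument is the same prototype target, so the check at line 64 leaves an obvious gap: `if (id !== "Object.defineProperty" && id !== "Reflect.defineProperty" && id !== "Object.defineProperties") {` (the doubled parentheses around the condition can go at the same time). `validateMemberExpression` returns `${jsTypeName}.prototype` as data at lines 81-84 even when its first element is false; a comment such as `// NOTE: data is filled even on a non-match — confirm ProbeRunner ignores it in that case` would save the next reader a trip to ProbeRunner. The JSDoc at lines 47-51 sits above validateNodeAssignment only; validateDefineProperty and main have none, and a one-line `@description` on each (what node shape it accepts, what `options.data` carries) would make the probe self-explanatory.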
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"isMonkeyPatch.js","sourceRoot":"","sources":["../../src/probes/isMonkeyPatch.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,2BAA2B,EAC3B,6BAA6B,EAC9B,MAAM,8BAA8B,CAAC;AAOtC,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAEjD,YAAY;AACZ,MAAM,CAAC,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC;IAC9B,gBAAgB;IAChB,OAAO;IACP,aAAa;IACb,QAAQ;IACR,eAAe;IACf,gBAAgB;IAChB,SAAS;IACT,UAAU;IACV,MAAM;IACN,OAAO;IACP,WAAW;IACX,sBAAsB;IACtB,cAAc;IACd,cAAc;IACd,UAAU;IACV,YAAY;IACZ,YAAY;IACZ,WAAW;IACX,KAAK;IACL,QAAQ;IACR,QAAQ;IACR,SAAS;IACT,OAAO;IACP,YAAY;IACZ,gBAAgB;IAChB,SAAS;IACT,QAAQ;IACR,KAAK;IACL,mBAAmB;IACnB,QAAQ;IACR,QAAQ;IACR,aAAa;IACb,WAAW;IACX,aAAa;IACb,aAAa;IACb,YAAY;IACZ,mBAAmB;IACnB,UAAU;IACV,SAAS;IACT,SAAS;IACT,SAAS;CACV,CAAC,CAAC;AAEH;;;;GAIG;AACH,SAAS,sBAAsB,CAC7B,IAAiB,EACjB,GAAiB;IAEjB,IACE,IAAI,CAAC,IAAI,KAAK,sBAAsB;QACpC,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,kBAAkB,EACrC,CAAC;QACD,OAAO,CAAC,KAAK,CAAC,CAAC;IACjB,CAAC;IAED,OAAO,wBAAwB,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;AAClD,CAAC;AAED,SAAS,sBAAsB,CAC7B,IAAiB,EACjB,GAAiB;IAEjB,IAAI,IAAI,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;QACnC,OAAO,CAAC,KAAK,CAAC,CAAC;IACjB,CAAC;IACD,MAAM,EAAE,GAAG,2BAA2B,CAAC,IAAI,CAAC,CAAC;IAE7C,IACE,CAAC,EAAE,KAAK,uBAAuB,IAAI,EAAE,KAAK,wBAAwB,CAAC,EACnE,CAAC;QACD,OAAO,CAAC,KAAK,CAAC,CAAC;IACjB,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IACtC,IAAI,QAAQ,EAAE,IAAI,KAAK,kBAAkB,EAAE,CAAC;QAC1C,OAAO,CAAC,KAAK,CAAC,CAAC;IACjB,CAAC;IAED,OAAO,wBAAwB,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;AACjD,CAAC;AAED,SAAS,wBAAwB,CAC/B,IAA6B,EAC7B,GAAiB;IAEjB,MAAM,IAAI,GAAG,6BAA6B,CAAC,IAAI,EAAE;QAC/C,wBAAwB,EAAE,CAAC,IAAY,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,IAAI,IAAI;KAC9G,CAAC,CAAC;IAEH,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC;IACrC,IAAI,OAAO,UAAU,KAAK,QAAQ,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;QAChE,OAAO,CAAC,KAAK,CAAC,CAAC;IACjB,CAAC;IAED,OAAO;QACL,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,KAAK,WAAW;QACjC,GAAG,UAAU,YAAY;KAC1B,CAAC;AACJ,CAAC;AAED,SAAS,IAAI,
CACX,IAAiB,EACjB,OAAyB;IAEzB,MAAM,EAAE,UAAU,EAAE,IAAI,EAAE,aAAa,EAAE,GAAG,OAAO,CAAC;IAEpD,UAAU,CAAC,QAAQ,CAAC,IAAI,CACtB,eAAe,CAAC,cAAc,EAAE,EAAE,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAC9E,CAAC;AACJ,CAAC;AAED,eAAe;IACb,IAAI,EAAE,eAAe;IACrB,YAAY,EAAE;QACZ,sBAAsB;QACtB,sBAAsB;KACvB;IACD,IAAI;CACL,CAAC"}
|