npm - @nodesecure/js-x-ray - Versions diffs - 4.1.2 → 4.2.0 - Mend

@nodesecure/js-x-ray 4.1.2 → 4.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md +148 -147
package/index.js +93 -92
package/package.json +5 -5
package/src/Analysis.js +152 -146
package/src/constants.js +47 -28
package/src/obfuscators/index.js +70 -65
package/src/obfuscators/trojan-source.js +11 -0

package/README.md CHANGED Viewed

@@ -1,147 +1,148 @@
-# js-x-ray
-![version](https://img.shields.io/badge/dynamic/json.svg?url=https://raw.githubusercontent.com/NodeSecure/js-x-ray/master/package.json&query=$.version&label=Version)
-[![Maintenance](https://img.shields.io/badge/Maintained%3F-yes-green.svg)](https://github.com/NodeSecure/js-x-ray/commit-activity)
-[![Security Responsible Disclosure](https://img.shields.io/badge/Security-Responsible%20Disclosure-yellow.svg)](https://github.com/nodejs/security-wg/blob/master/processes/responsible_disclosure_template.md
-)
-[![mit](https://img.shields.io/github/license/Naereen/StrapDown.js.svg)](https://github.com/NodeSecure/js-x-ray/blob/master/LICENSE)
-![build](https://img.shields.io/github/workflow/status/NodeSecure/js-x-ray/Node.js%20CI)
-JavaScript AST analysis. This package has been created to export the [Node-Secure](https://github.com/ES-Community/nsecure) AST Analysis to enable better code evolution and allow better access to developers and researchers.
-The goal is to quickly identify dangerous code and patterns for developers and Security researchers. Interpreting the results of this tool will still require you to have a set of security notions.
-> 💖 I have no particular background in security. I'm simply becoming more and more interested and passionate about static code analysis. But I would be more than happy to learn that my work can help prevent potential future attacks (or leaks).
-## Goals
-The objective of the project is to successfully detect all potentially suspicious JavaScript codes.. The target is obviously codes that are added or injected for malicious purposes..
-Most of the time these hackers will try to hide the behaviour of their codes as much as possible to avoid being spotted or easily understood... The work of the library is to understand and analyze these patterns that will allow us to detect malicious code..
-## Features Highlight
-- Retrieve required dependencies and files for Node.js.
-- Detect unsafe RegEx.
-- Get warnings when the AST Analysis as a problem or when not able to follow a statement.
-- Highlight common attack patterns and API usages.
-- Capable to follow the usage of dangerous Node.js globals.
-- Detect obfuscated code and when possible the tool that has been used.
-## Getting Started
-This package is available in the Node Package Repository and can be easily installed with [npm](https://docs.npmjs.com/getting-started/what-is-npm) or [yarn](https://yarnpkg.com).
-```bash
-$ npm i @nodesecure/js-x-ray
-# or
-$ yarn add @nodesecure/js-x-ray
-```
-## Usage example
-Create a local `.js` file with the following content:
-```js
-try  {
-    require("http");
-}
-catch (err) {
-    // do nothing
-}
-const lib = "crypto";
-require(lib);
-require("util");
-require(Buffer.from("6673", "hex").toString());
-```
----
-Then use `js-x-ray` to run an analysis of the JavaScript code:
-```js
-import { runASTAnalysis } from "@nodesecure/js-x-ray";
-import { readFileSync } from "fs";
-const str = readFileSync("./file.js", "utf-8");
-const { warnings, dependencies } = runASTAnalysis(str);
-const dependenciesName = [...dependencies];
-const inTryDeps = [...dependencies.getDependenciesInTryStatement()];
-console.log(dependenciesName);
-console.log(inTryDeps);
-console.log(warnings);
-```
-The analysis will return: `http` (in try), `crypto`, `util` and `fs`.
-> ⚠️ There is also a lot of suspicious code example in the root cases directory. Feel free to try the tool on these files.
-## Warnings Legends (v2.0+)
-> Node-secure versions equal or lower than 0.7.0 are no longer compatible with the warnings table below.
-This section describe all the possible warnings returned by JSXRay.
-| name | description |
-| --- | --- |
-| parsing-error | An error occured when parsing the JavaScript code with meriyah. It mean that the conversion from string to AST as failed. If you encounter such an error, **please open an issue here**. |
-| unsafe-import | Unable to follow an import (require, require.resolve) statement/expr. |
-| unsafe-regex | A RegEx as been detected as unsafe and may be used for a ReDoS Attack. |
-| unsafe-stmt | Usage of dangerous statement like `eval()` or `Function("")`. |
-| unsafe-assign | Assignment of a protected global like `process` or `require`. |
-| encoded-literal | An encoded literal has been detected (it can be an hexa value, unicode sequence, base64 string etc) |
-| short-identifiers | This mean that all identifiers has an average length below 1.5. Only possible if the file contains more than 5 identifiers. |
-| suspicious-literal | This mean that the sum of suspicious score of all Literals is bigger than 3. |
-| obfuscated-code (**experimental**) | There's a very high probability that the code is obfuscated... |
-> 👀 More details on warnings and their implementations [here](./WARNINGS.md)
-## API
-<details>
-<summary>runASTAnalysis(str: string, options?: RuntimeOptions): Report</summary>
-```ts
-interface RuntimeOptions {
-    module?: boolean;
-    isMinified?: boolean;
-}
-```
-The method take a first argument which is the code you want to analyse. It will return a Report Object:
-```ts
-interface Report {
-    dependencies: ASTDeps;
-    warnings: Warning<BaseWarning>[];
-    idsLengthAvg: number;
-    stringScore: number;
-    isOneLineRequire: boolean;
-}
-```
-</details>
-## Contributors ✨
-<!-- ALL-CONTRIBUTORS-BADGE:START - Do not remove or modify this section -->
-[![All Contributors](https://img.shields.io/badge/all_contributors-2-orange.svg?style=flat-square)](#contributors-)
-<!-- ALL-CONTRIBUTORS-BADGE:END -->
-Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):
-<!-- ALL-CONTRIBUTORS-LIST:START - Do not remove or modify this section -->
-<!-- prettier-ignore-start -->
-<!-- markdownlint-disable -->
-<table>
-  <tr>
-    <td align="center"><a href="https://www.linkedin.com/in/thomas-gentilhomme/"><img src="https://avatars.githubusercontent.com/u/4438263?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Gentilhomme</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=fraxken" title="Code">💻</a> <a href="https://github.com/NodeSecure/js-x-ray/commits?author=fraxken" title="Documentation">📖</a> <a href="https://github.com/NodeSecure/js-x-ray/pulls?q=is%3Apr+reviewed-by%3Afraxken" title="Reviewed Pull Requests">👀</a> <a href="#security-fraxken" title="Security">🛡️</a> <a href="https://github.com/NodeSecure/js-x-ray/issues?q=author%3Afraxken" title="Bug reports">🐛</a></td>
-    <td align="center"><a href="https://github.com/Rossb0b"><img src="https://avatars.githubusercontent.com/u/39910164?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Nicolas Hallaert</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=Rossb0b" title="Documentation">📖</a></td>
-  </tr>
-</table>
-<!-- markdownlint-restore -->
-<!-- prettier-ignore-end -->
-<!-- ALL-CONTRIBUTORS-LIST:END -->
-## License
-MIT
+# js-x-ray
+![version](https://img.shields.io/badge/dynamic/json.svg?url=https://raw.githubusercontent.com/NodeSecure/js-x-ray/master/package.json&query=$.version&label=Version)
+[![Maintenance](https://img.shields.io/badge/Maintained%3F-yes-green.svg)](https://github.com/NodeSecure/js-x-ray/commit-activity)
+[![Security Responsible Disclosure](https://img.shields.io/badge/Security-Responsible%20Disclosure-yellow.svg)](https://github.com/nodejs/security-wg/blob/master/processes/responsible_disclosure_template.md
+)
+[![mit](https://img.shields.io/github/license/Naereen/StrapDown.js.svg)](https://github.com/NodeSecure/js-x-ray/blob/master/LICENSE)
+![build](https://img.shields.io/github/workflow/status/NodeSecure/js-x-ray/Node.js%20CI)
+JavaScript AST analysis. This package has been created to export the [Node-Secure](https://github.com/ES-Community/nsecure) AST Analysis to enable better code evolution and allow better access to developers and researchers.
+The goal is to quickly identify dangerous code and patterns for developers and Security researchers. Interpreting the results of this tool will still require you to have a set of security notions.
+> 💖 I have no particular background in security. I'm simply becoming more and more interested and passionate about static code analysis. But I would be more than happy to learn that my work can help prevent potential future attacks (or leaks).
+## Goals
+The objective of the project is to successfully detect all potentially suspicious JavaScript codes.. The target is obviously codes that are added or injected for malicious purposes..
+Most of the time these hackers will try to hide the behaviour of their codes as much as possible to avoid being spotted or easily understood... The work of the library is to understand and analyze these patterns that will allow us to detect malicious code..
+## Features Highlight
+- Retrieve required dependencies and files for Node.js.
+- Detect unsafe RegEx.
+- Get warnings when the AST Analysis as a problem or when not able to follow a statement.
+- Highlight common attack patterns and API usages.
+- Capable to follow the usage of dangerous Node.js globals.
+- Detect obfuscated code and when possible the tool that has been used.
+## Getting Started
+This package is available in the Node Package Repository and can be easily installed with [npm](https://docs.npmjs.com/getting-started/what-is-npm) or [yarn](https://yarnpkg.com).
+```bash
+$ npm i @nodesecure/js-x-ray
+# or
+$ yarn add @nodesecure/js-x-ray
+```
+## Usage example
+Create a local `.js` file with the following content:
+```js
+try  {
+    require("http");
+}
+catch (err) {
+    // do nothing
+}
+const lib = "crypto";
+require(lib);
+require("util");
+require(Buffer.from("6673", "hex").toString());
+```
+---
+Then use `js-x-ray` to run an analysis of the JavaScript code:
+```js
+import { runASTAnalysis } from "@nodesecure/js-x-ray";
+import { readFileSync } from "fs";
+const str = readFileSync("./file.js", "utf-8");
+const { warnings, dependencies } = runASTAnalysis(str);
+const dependenciesName = [...dependencies];
+const inTryDeps = [...dependencies.getDependenciesInTryStatement()];
+console.log(dependenciesName);
+console.log(inTryDeps);
+console.log(warnings);
+```
+The analysis will return: `http` (in try), `crypto`, `util` and `fs`.
+> ⚠️ There is also a lot of suspicious code example in the root cases directory. Feel free to try the tool on these files.
+## Warnings Legends (v2.0+)
+> Node-secure versions equal or lower than 0.7.0 are no longer compatible with the warnings table below.
+This section describe all the possible warnings returned by JSXRay.
+| name | description |
+| --- | --- |
+| parsing-error | An error occured when parsing the JavaScript code with meriyah. It mean that the conversion from string to AST as failed. If you encounter such an error, **please open an issue here**. |
+| unsafe-import | Unable to follow an import (require, require.resolve) statement/expr. |
+| unsafe-regex | A RegEx as been detected as unsafe and may be used for a ReDoS Attack. |
+| unsafe-stmt | Usage of dangerous statement like `eval()` or `Function("")`. |
+| unsafe-assign | Assignment of a protected global like `process` or `require`. |
+| encoded-literal | An encoded literal has been detected (it can be an hexa value, unicode sequence, base64 string etc) |
+| short-identifiers | This mean that all identifiers has an average length below 1.5. Only possible if the file contains more than 5 identifiers. |
+| suspicious-literal | This mean that the sum of suspicious score of all Literals is bigger than 3. |
+| obfuscated-code (**experimental**) | There's a very high probability that the code is obfuscated... |
+> 👀 More details on warnings and their implementations [here](./WARNINGS.md)
+## API
+<details>
+<summary>runASTAnalysis(str: string, options?: RuntimeOptions): Report</summary>
+```ts
+interface RuntimeOptions {
+    module?: boolean;
+    isMinified?: boolean;
+}
+```
+The method take a first argument which is the code you want to analyse. It will return a Report Object:
+```ts
+interface Report {
+    dependencies: ASTDeps;
+    warnings: Warning<BaseWarning>[];
+    idsLengthAvg: number;
+    stringScore: number;
+    isOneLineRequire: boolean;
+}
+```
+</details>
+## Contributors ✨
+<!-- ALL-CONTRIBUTORS-BADGE:START - Do not remove or modify this section -->
+[![All Contributors](https://img.shields.io/badge/all_contributors-3-orange.svg?style=flat-square)](#contributors-)
+<!-- ALL-CONTRIBUTORS-BADGE:END -->
+Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):
+<!-- ALL-CONTRIBUTORS-LIST:START - Do not remove or modify this section -->
+<!-- prettier-ignore-start -->
+<!-- markdownlint-disable -->
+<table>
+  <tr>
+    <td align="center"><a href="https://www.linkedin.com/in/thomas-gentilhomme/"><img src="https://avatars.githubusercontent.com/u/4438263?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Gentilhomme</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=fraxken" title="Code">💻</a> <a href="https://github.com/NodeSecure/js-x-ray/commits?author=fraxken" title="Documentation">📖</a> <a href="https://github.com/NodeSecure/js-x-ray/pulls?q=is%3Apr+reviewed-by%3Afraxken" title="Reviewed Pull Requests">👀</a> <a href="#security-fraxken" title="Security">🛡️</a> <a href="https://github.com/NodeSecure/js-x-ray/issues?q=author%3Afraxken" title="Bug reports">🐛</a></td>
+    <td align="center"><a href="https://github.com/Rossb0b"><img src="https://avatars.githubusercontent.com/u/39910164?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Nicolas Hallaert</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=Rossb0b" title="Documentation">📖</a></td>
+    <td align="center"><a href="https://github.com/antoine-coulon"><img src="https://avatars.githubusercontent.com/u/43391199?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Antoine</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=antoine-coulon" title="Code">💻</a></td>
+  </tr>
+</table>
+<!-- markdownlint-restore -->
+<!-- prettier-ignore-end -->
+<!-- ALL-CONTRIBUTORS-LIST:END -->
+## License
+MIT

package/index.js CHANGED Viewed

@@ -1,92 +1,93 @@
-// Import Node.js Dependencies
-import fs from "fs/promises";
-import path from "path";
-// Import Third-party Dependencies
-import { walk } from "estree-walker";
-import * as meriyah from "meriyah";
-import isMinified from "is-minified-code";
-// Import Internal Dependencies
-import Analysis from "./src/Analysis.js";
-export function runASTAnalysis(str, options = Object.create(null)) {
-  const { module = true, isMinified = false } = options;
-  // Note: if the file start with a shebang then we remove it because 'parseScript' may fail to parse it.
-  // Example: #!/usr/bin/env node
-  const strToAnalyze = str.charAt(0) === "#" ? str.slice(str.indexOf("\n")) : str;
-  const { body } = meriyah.parseScript(strToAnalyze, {
-    next: true, loc: true, raw: true, module: Boolean(module)
-  });
-  const sastAnalysis = new Analysis();
-  // we walk each AST Nodes, this is a purely synchronous I/O
-  walk(body, {
-    enter(node) {
-      // Skip the root of the AST.
-      if (Array.isArray(node)) {
-        return;
-      }
-      const action = sastAnalysis.walk(node);
-      if (action === "skip") {
-        this.skip();
-      }
-    }
-  });
-  const dependencies = sastAnalysis.dependencies;
-  const { idsLengthAvg, stringScore, warnings } = sastAnalysis.getResult(isMinified);
-  const isOneLineRequire = body.length <= 1 && dependencies.size <= 1;
-  return {
-    dependencies, warnings, idsLengthAvg, stringScore, isOneLineRequire
-  };
-}
-export async function runASTAnalysisOnFile(pathToFile, options = {}) {
-  try {
-    const { packageName = null, module = true } = options;
-    const str = await fs.readFile(pathToFile, "utf-8");
-    const isMin = pathToFile.includes(".min") || isMinified(str);
-    const data = runASTAnalysis(str, {
-      isMinified: isMin,
-      module: path.extname(pathToFile) === ".mjs" ? true : module
-    });
-    if (packageName !== null) {
-      data.dependencies.removeByName(packageName);
-    }
-    return {
-      ok: true,
-      dependencies: data.dependencies,
-      warnings: data.warnings,
-      isMinified: !data.isOneLineRequire && isMin
-    };
-  }
-  catch (error) {
-    return {
-      ok: false,
-      warnings: [
-        { kind: "parsing-error", value: error.message, location: [[0, 0], [0, 0]] }
-      ]
-    };
-  }
-}
-export const CONSTANTS = {
-  Warnings: Object.freeze({
-    parsingError: "ast-error",
-    unsafeImport: "unsafe-import",
-    unsafeRegex: "unsafe-regex",
-    unsafeStmt: "unsafe-stmt",
-    unsafeAssign: "unsafe-assign",
-    encodedLiteral: "encoded-literal",
-    shortIdentifiers: "short-identifiers",
-    suspiciousLiteral: "suspicious-literal",
-    obfuscatedCode: "obfuscated-code"
-  })
-};
+// Import Node.js Dependencies
+import fs from "fs/promises";
+import path from "path";
+// Import Third-party Dependencies
+import { walk } from "estree-walker";
+import * as meriyah from "meriyah";
+import isMinified from "is-minified-code";
+// Import Internal Dependencies
+import Analysis from "./src/Analysis.js";
+export function runASTAnalysis(str, options = Object.create(null)) {
+  const { module = true, isMinified = false } = options;
+  // Note: if the file start with a shebang then we remove it because 'parseScript' may fail to parse it.
+  // Example: #!/usr/bin/env node
+  const strToAnalyze = str.charAt(0) === "#" ? str.slice(str.indexOf("\n")) : str;
+  const { body } = meriyah.parseScript(strToAnalyze, {
+    next: true, loc: true, raw: true, module: Boolean(module)
+  });
+  const sastAnalysis = new Analysis();
+  sastAnalysis.analyzeSourceString(str);
+  // we walk each AST Nodes, this is a purely synchronous I/O
+  walk(body, {
+    enter(node) {
+      // Skip the root of the AST.
+      if (Array.isArray(node)) {
+        return;
+      }
+      const action = sastAnalysis.walk(node);
+      if (action === "skip") {
+        this.skip();
+      }
+    }
+  });
+  const dependencies = sastAnalysis.dependencies;
+  const { idsLengthAvg, stringScore, warnings } = sastAnalysis.getResult(isMinified);
+  const isOneLineRequire = body.length <= 1 && dependencies.size <= 1;
+  return {
+    dependencies, warnings, idsLengthAvg, stringScore, isOneLineRequire
+  };
+}
+export async function runASTAnalysisOnFile(pathToFile, options = {}) {
+  try {
+    const { packageName = null, module = true } = options;
+    const str = await fs.readFile(pathToFile, "utf-8");
+    const isMin = pathToFile.includes(".min") || isMinified(str);
+    const data = runASTAnalysis(str, {
+      isMinified: isMin,
+      module: path.extname(pathToFile) === ".mjs" ? true : module
+    });
+    if (packageName !== null) {
+      data.dependencies.removeByName(packageName);
+    }
+    return {
+      ok: true,
+      dependencies: data.dependencies,
+      warnings: data.warnings,
+      isMinified: !data.isOneLineRequire && isMin
+    };
+  }
+  catch (error) {
+    return {
+      ok: false,
+      warnings: [
+        { kind: "parsing-error", value: error.message, location: [[0, 0], [0, 0]] }
+      ]
+    };
+  }
+}
+export const CONSTANTS = {
+  Warnings: Object.freeze({
+    parsingError: "ast-error",
+    unsafeImport: "unsafe-import",
+    unsafeRegex: "unsafe-regex",
+    unsafeStmt: "unsafe-stmt",
+    unsafeAssign: "unsafe-assign",
+    encodedLiteral: "encoded-literal",
+    shortIdentifiers: "short-identifiers",
+    suspiciousLiteral: "suspicious-literal",
+    obfuscatedCode: "obfuscated-code"
+  })
+};

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@nodesecure/js-x-ray",
-  "version": "4.1.2",
+  "version": "4.2.0",
   "description": "JavaScript AST XRay analysis",
   "type": "module",
   "exports": "./index.js",
@@ -37,7 +37,7 @@
   },
   "homepage": "https://github.com/NodeSecure/js-x-ray#readme",
   "dependencies": {
-    "@nodesecure/sec-literal": "^1.0.0",
+    "@nodesecure/sec-literal": "^1.0.1",
     "estree-walker": "^3.0.0",
     "is-minified-code": "^2.0.0",
     "meriyah": "^4.2.0",
@@ -48,10 +48,10 @@
     "@slimio/is": "^1.5.1",
     "@small-tech/esm-tape-runner": "^1.0.3",
     "@small-tech/tap-monkey": "^1.3.0",
-    "@types/node": "^16.11.7",
+    "@types/node": "^16.11.10",
     "cross-env": "^7.0.3",
-    "eslint": "^8.2.0",
+    "eslint": "^8.3.0",
     "pkg-ok": "^2.3.1",
-    "tape": "^5.3.1"
+    "tape": "^5.3.2"
   }
 }

package/src/Analysis.js CHANGED Viewed

@@ -1,146 +1,152 @@
-// Import Third-party Dependencies
-import { Utils, Literal } from "@nodesecure/sec-literal";
-// Import Internal Dependencies
-import { rootLocation, toArrayLocation, generateWarning } from "./utils.js";
-import { warnings as _warnings, processMainModuleRequire } from "./constants.js";
-import ASTDeps from "./ASTDeps.js";
-import { isObfuscatedCode } from "./obfuscators/index.js";
-import { runOnProbes } from "./probes/index.js";
-// CONSTANTS
-const kDictionaryStrParts = [
-  "abcdefghijklmnopqrstuvwxyz",
-  "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
-  "0123456789"
-];
-const kWarningsNameStr = Object.freeze({
-  [_warnings.parsingError]: "parsing-error",
-  [_warnings.unsafeImport]: "unsafe-import",
-  [_warnings.unsafeRegex]: "unsafe-regex",
-  [_warnings.unsafeStmt]: "unsafe-stmt",
-  [_warnings.unsafeAssign]: "unsafe-assign",
-  [_warnings.encodedLiteral]: "encoded-literal",
-  [_warnings.shortIdentifiers]: "short-identifiers",
-  [_warnings.suspiciousLiteral]: "suspicious-literal",
-  [_warnings.obfuscatedCode]: "obfuscated-code"
-});
-export default class Analysis {
-  hasDictionaryString = false;
-  hasPrefixedIdentifiers = false;
-  varkinds = { var: 0, let: 0, const: 0 };
-  idtypes = { assignExpr: 0, property: 0, variableDeclarator: 0, functionDeclaration: 0 };
-  counter = {
-    identifiers: 0,
-    doubleUnaryArray: 0,
-    computedMemberExpr: 0,
-    memberExpr: 0,
-    deepBinaryExpr: 0,
-    encodedArrayValue: 0,
-    morseLiteral: 0
-  };
-  identifiersName = [];
-  constructor() {
-    this.dependencies = new ASTDeps();
-    this.identifiers = new Map();
-    this.globalParts = new Map();
-    this.handledEncodedLiteralValues = new Map();
-    this.requireIdentifiers = new Set(["require", processMainModuleRequire]);
-    this.warnings = [];
-    this.literalScores = [];
-  }
-  addWarning(symbol, value, location = rootLocation()) {
-    if (symbol === _warnings.encodedLiteral && this.handledEncodedLiteralValues.has(value)) {
-      const index = this.handledEncodedLiteralValues.get(value);
-      this.warnings[index].location.push(toArrayLocation(location));
-      return;
-    }
-    const warningName = kWarningsNameStr[symbol];
-    this.warnings.push(generateWarning(warningName, { value, location }));
-    if (symbol === _warnings.encodedLiteral) {
-      this.handledEncodedLiteralValues.set(value, this.warnings.length - 1);
-    }
-  }
-  analyzeString(str) {
-    const score = Utils.stringSuspicionScore(str);
-    if (score !== 0) {
-      this.literalScores.push(score);
-    }
-    if (!this.hasDictionaryString) {
-      const isDictionaryStr = kDictionaryStrParts.every((word) => str.includes(word));
-      if (isDictionaryStr) {
-        this.hasDictionaryString = true;
-      }
-    }
-    // Searching for morse string like "--.- --.--."
-    if (Utils.stringCharDiversity(str, ["\n"]) >= 3 && Utils.isMorse(str)) {
-      this.counter.morseLiteral++;
-    }
-  }
-  analyzeLiteral(node, inArrayExpr = false) {
-    if (typeof node.value !== "string" || Utils.isSvg(node)) {
-      return;
-    }
-    this.analyzeString(node.value);
-    const { hasHexadecimalSequence, hasUnicodeSequence, isBase64 } = Literal.defaultAnalysis(node);
-    if ((hasHexadecimalSequence || hasUnicodeSequence) && isBase64) {
-      if (inArrayExpr) {
-        this.counter.encodedArrayValue++;
-      }
-      else {
-        this.addWarning(_warnings.encodedLiteral, node.value, node.loc);
-      }
-    }
-  }
-  getResult(isMinified) {
-    this.counter.identifiers = this.identifiersName.length;
-    const [isObfuscated, kind] = isObfuscatedCode(this);
-    if (isObfuscated) {
-      this.addWarning(_warnings.obfuscatedCode, kind || "unknown");
-    }
-    const identifiersLengthArr = this.identifiersName
-      .filter((value) => value.type !== "property" && typeof value.name === "string").map((value) => value.name.length);
-    const [idsLengthAvg, stringScore] = [sum(identifiersLengthArr), sum(this.literalScores)];
-    if (!isMinified && identifiersLengthArr.length > 5 && idsLengthAvg <= 1.5) {
-      this.addWarning(_warnings.shortIdentifiers, idsLengthAvg);
-    }
-    if (stringScore >= 3) {
-      this.addWarning(_warnings.suspiciousLiteral, stringScore);
-    }
-    return { idsLengthAvg, stringScore, warnings: this.warnings };
-  }
-  walk(node) {
-    // Detect TryStatement and CatchClause to known which dependency is required in a Try {} clause
-    if (node.type === "TryStatement" && typeof node.handler !== "undefined") {
-      this.dependencies.isInTryStmt = true;
-    }
-    else if (node.type === "CatchClause") {
-      this.dependencies.isInTryStmt = false;
-    }
-    return runOnProbes(node, this);
-  }
-}
-function sum(arr = []) {
-  return arr.length === 0 ? 0 : (arr.reduce((prev, curr) => prev + curr, 0) / arr.length);
-}
-Analysis.Warnings = _warnings;
+// Import Third-party Dependencies
+import { Utils, Literal } from "@nodesecure/sec-literal";
+// Import Internal Dependencies
+import { rootLocation, toArrayLocation, generateWarning } from "./utils.js";
+import { warnings as _warnings, processMainModuleRequire } from "./constants.js";
+import ASTDeps from "./ASTDeps.js";
+import { isObfuscatedCode, hasTrojanSource } from "./obfuscators/index.js";
+import { runOnProbes } from "./probes/index.js";
+// CONSTANTS
+const kDictionaryStrParts = [
+  "abcdefghijklmnopqrstuvwxyz",
+  "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
+  "0123456789"
+];
+const kWarningsNameStr = Object.freeze({
+  [_warnings.parsingError]: "parsing-error",
+  [_warnings.unsafeImport]: "unsafe-import",
+  [_warnings.unsafeRegex]: "unsafe-regex",
+  [_warnings.unsafeStmt]: "unsafe-stmt",
+  [_warnings.unsafeAssign]: "unsafe-assign",
+  [_warnings.encodedLiteral]: "encoded-literal",
+  [_warnings.shortIdentifiers]: "short-identifiers",
+  [_warnings.suspiciousLiteral]: "suspicious-literal",
+  [_warnings.obfuscatedCode]: "obfuscated-code"
+});
+export default class Analysis {
+  hasDictionaryString = false;
+  hasPrefixedIdentifiers = false;
+  varkinds = { var: 0, let: 0, const: 0 };
+  idtypes = { assignExpr: 0, property: 0, variableDeclarator: 0, functionDeclaration: 0 };
+  counter = {
+    identifiers: 0,
+    doubleUnaryArray: 0,
+    computedMemberExpr: 0,
+    memberExpr: 0,
+    deepBinaryExpr: 0,
+    encodedArrayValue: 0,
+    morseLiteral: 0
+  };
+  identifiersName = [];
+  constructor() {
+    this.dependencies = new ASTDeps();
+    this.identifiers = new Map();
+    this.globalParts = new Map();
+    this.handledEncodedLiteralValues = new Map();
+    this.requireIdentifiers = new Set(["require", processMainModuleRequire]);
+    this.warnings = [];
+    this.literalScores = [];
+  }
+  addWarning(symbol, value, location = rootLocation()) {
+    if (symbol === _warnings.encodedLiteral && this.handledEncodedLiteralValues.has(value)) {
+      const index = this.handledEncodedLiteralValues.get(value);
+      this.warnings[index].location.push(toArrayLocation(location));
+      return;
+    }
+    const warningName = kWarningsNameStr[symbol];
+    this.warnings.push(generateWarning(warningName, { value, location }));
+    if (symbol === _warnings.encodedLiteral) {
+      this.handledEncodedLiteralValues.set(value, this.warnings.length - 1);
+    }
+  }
+  analyzeSourceString(sourceString) {
+    if (hasTrojanSource(sourceString)) {
+      this.addWarning(_warnings.obfuscatedCode, "trojan-source");
+    }
+  }
+  analyzeString(str) {
+    const score = Utils.stringSuspicionScore(str);
+    if (score !== 0) {
+      this.literalScores.push(score);
+    }
+    if (!this.hasDictionaryString) {
+      const isDictionaryStr = kDictionaryStrParts.every((word) => str.includes(word));
+      if (isDictionaryStr) {
+        this.hasDictionaryString = true;
+      }
+    }
+    // Searching for morse string like "--.- --.--."
+    if (Utils.stringCharDiversity(str, ["\n"]) >= 3 && Utils.isMorse(str)) {
+      this.counter.morseLiteral++;
+    }
+  }
+  analyzeLiteral(node, inArrayExpr = false) {
+    if (typeof node.value !== "string" || Utils.isSvg(node)) {
+      return;
+    }
+    this.analyzeString(node.value);
+    const { hasHexadecimalSequence, hasUnicodeSequence, isBase64 } = Literal.defaultAnalysis(node);
+    if ((hasHexadecimalSequence || hasUnicodeSequence) && isBase64) {
+      if (inArrayExpr) {
+        this.counter.encodedArrayValue++;
+      }
+      else {
+        this.addWarning(_warnings.encodedLiteral, node.value, node.loc);
+      }
+    }
+  }
+  getResult(isMinified) {
+    this.counter.identifiers = this.identifiersName.length;
+    const [isObfuscated, kind] = isObfuscatedCode(this);
+    if (isObfuscated) {
+      this.addWarning(_warnings.obfuscatedCode, kind || "unknown");
+    }
+    const identifiersLengthArr = this.identifiersName
+      .filter((value) => value.type !== "property" && typeof value.name === "string").map((value) => value.name.length);
+    const [idsLengthAvg, stringScore] = [sum(identifiersLengthArr), sum(this.literalScores)];
+    if (!isMinified && identifiersLengthArr.length > 5 && idsLengthAvg <= 1.5) {
+      this.addWarning(_warnings.shortIdentifiers, idsLengthAvg);
+    }
+    if (stringScore >= 3) {
+      this.addWarning(_warnings.suspiciousLiteral, stringScore);
+    }
+    return { idsLengthAvg, stringScore, warnings: this.warnings };
+  }
+  walk(node) {
+    // Detect TryStatement and CatchClause to known which dependency is required in a Try {} clause
+    if (node.type === "TryStatement" && typeof node.handler !== "undefined") {
+      this.dependencies.isInTryStmt = true;
+    }
+    else if (node.type === "CatchClause") {
+      this.dependencies.isInTryStmt = false;
+    }
+    return runOnProbes(node, this);
+  }
+}
+function sum(arr = []) {
+  return arr.length === 0 ? 0 : (arr.reduce((prev, curr) => prev + curr, 0) / arr.length);
+}
+Analysis.Warnings = _warnings;

package/src/constants.js CHANGED Viewed

@@ -1,28 +1,47 @@
-/**
- * This is one of the way to get a valid require.
- *
- * @see https://nodejs.org/api/process.html#process_process_mainmodule
- */
-export const processMainModuleRequire = "process.mainModule.require";
-/**
- * JavaScript dangerous global identifiers that can be used by hackers
- */
-export const globalIdentifiers = new Set(["global", "globalThis", "root", "GLOBAL", "window"]);
-/**
- * Dangerous Global identifiers parts
- */
-export const globalParts = new Set([...globalIdentifiers, "process", "mainModule", "require"]);
-export const warnings = Object.freeze({
-  parsingError: Symbol("ParsingError"),
-  unsafeImport: Symbol("UnsafeImport"),
-  unsafeRegex: Symbol("UnsafeRegex"),
-  unsafeStmt: Symbol("UnsafeStmt"),
-  unsafeAssign: Symbol("UnsafeAssign"),
-  encodedLiteral: Symbol("EncodedLiteral"),
-  shortIdentifiers: Symbol("ShortIdentifiers"),
-  suspiciousLiteral: Symbol("SuspiciousLiteral"),
-  obfuscatedCode: Symbol("ObfuscatedCode")
-});
+/**
+ * This is one of the way to get a valid require.
+ *
+ * @see https://nodejs.org/api/process.html#process_process_mainmodule
+ */
+export const processMainModuleRequire = "process.mainModule.require";
+/**
+ * JavaScript dangerous global identifiers that can be used by hackers
+ */
+export const globalIdentifiers = new Set(["global", "globalThis", "root", "GLOBAL", "window"]);
+/**
+ * Dangerous Global identifiers parts
+ */
+export const globalParts = new Set([...globalIdentifiers, "process", "mainModule", "require"]);
+/**
+ * Dangerous Unicode control characters that can be used by hackers
+ * to perform trojan source.
+ */
+export const unsafeUnicodeControlCharacters = [
+  "\u202A",
+  "\u202B",
+  "\u202D",
+  "\u202E",
+  "\u202C",
+  "\u2066",
+  "\u2067",
+  "\u2068",
+  "\u2069",
+  "\u200E",
+  "\u200F",
+  "\u061C"
+];
+export const warnings = Object.freeze({
+  parsingError: Symbol("ParsingError"),
+  unsafeImport: Symbol("UnsafeImport"),
+  unsafeRegex: Symbol("UnsafeRegex"),
+  unsafeStmt: Symbol("UnsafeStmt"),
+  unsafeAssign: Symbol("UnsafeAssign"),
+  encodedLiteral: Symbol("EncodedLiteral"),
+  shortIdentifiers: Symbol("ShortIdentifiers"),
+  suspiciousLiteral: Symbol("SuspiciousLiteral"),
+  obfuscatedCode: Symbol("ObfuscatedCode")
+});

package/src/obfuscators/index.js CHANGED Viewed

@@ -1,65 +1,70 @@
-// Import Third-party Dependencies
-import { Patterns } from "@nodesecure/sec-literal";
-// Import Internal Dependencies
-import * as jjencode from "./jjencode.js";
-import * as jsfuck from "./jsfuck.js";
-import * as freejsobfuscator from "./freejsobfuscator.js";
-import * as obfuscatorio from "./obfuscator-io.js";
-// CONSTANTS
-const kMinimumIdsCount = 5;
-export function isObfuscatedCode(analysis) {
-  let encoderName = null;
-  if (jsfuck.verify(analysis)) {
-    encoderName = "jsfuck";
-  }
-  else if (jjencode.verify(analysis)) {
-    encoderName = "jjencode";
-  }
-  else if (analysis.counter.morseLiteral >= 36) {
-    encoderName = "morse";
-  }
-  else {
-    // TODO: also implement Dictionnary checkup
-    const { prefix, oneTimeOccurence } = Patterns.commonHexadecimalPrefix(
-      analysis.identifiersName.map((value) => value.name)
-    );
-    const uPrefixNames = new Set(Object.keys(prefix));
-    if (analysis.counter.identifiers > kMinimumIdsCount && uPrefixNames.size > 0) {
-      analysis.hasPrefixedIdentifiers = calcAvgPrefixedIdentifiers(analysis, prefix) > 80;
-    }
-    // console.log(prefix);
-    // console.log(oneTimeOccurence);
-    // console.log(analysis.hasPrefixedIdentifiers);
-    // console.log(analysis.counter.identifiers);
-    // console.log(analysis.counter.encodedArrayValue);
-    if (uPrefixNames.size === 1 && freejsobfuscator.verify(analysis, prefix)) {
-      encoderName = "freejsobfuscator";
-    }
-    else if (obfuscatorio.verify(analysis)) {
-      encoderName = "obfuscator.io";
-    }
-    // else if ((analysis.counter.identifiers > (kMinimumIdsCount * 3) && analysis.hasPrefixedIdentifiers)
-    //     && (oneTimeOccurence <= 3 || analysis.counter.encodedArrayValue > 0)) {
-    //     encoderName = "unknown";
-    // }
-  }
-  return [encoderName !== null, encoderName];
-}
-function calcAvgPrefixedIdentifiers(analysis, prefix) {
-  const valuesArr = Object.values(prefix).slice().sort((left, right) => left - right);
-  if (valuesArr.length === 0) {
-    return 0;
-  }
-  const nbOfPrefixedIds = valuesArr.length === 1 ? valuesArr.pop() : (valuesArr.pop() + valuesArr.pop());
-  const maxIds = analysis.counter.identifiers - analysis.idtypes.property;
-  return ((nbOfPrefixedIds / maxIds) * 100);
-}
+// Import Third-party Dependencies
+import { Patterns } from "@nodesecure/sec-literal";
+// Import Internal Dependencies
+import * as jjencode from "./jjencode.js";
+import * as jsfuck from "./jsfuck.js";
+import * as freejsobfuscator from "./freejsobfuscator.js";
+import * as obfuscatorio from "./obfuscator-io.js";
+import * as trojan from "./trojan-source.js";
+// CONSTANTS
+const kMinimumIdsCount = 5;
+export function isObfuscatedCode(analysis) {
+  let encoderName = null;
+  if (jsfuck.verify(analysis)) {
+    encoderName = "jsfuck";
+  }
+  else if (jjencode.verify(analysis)) {
+    encoderName = "jjencode";
+  }
+  else if (analysis.counter.morseLiteral >= 36) {
+    encoderName = "morse";
+  }
+  else {
+    // TODO: also implement Dictionnary checkup
+    const { prefix, oneTimeOccurence } = Patterns.commonHexadecimalPrefix(
+      analysis.identifiersName.map((value) => value.name)
+    );
+    const uPrefixNames = new Set(Object.keys(prefix));
+    if (analysis.counter.identifiers > kMinimumIdsCount && uPrefixNames.size > 0) {
+      analysis.hasPrefixedIdentifiers = calcAvgPrefixedIdentifiers(analysis, prefix) > 80;
+    }
+    // console.log(prefix);
+    // console.log(oneTimeOccurence);
+    // console.log(analysis.hasPrefixedIdentifiers);
+    // console.log(analysis.counter.identifiers);
+    // console.log(analysis.counter.encodedArrayValue);
+    if (uPrefixNames.size === 1 && freejsobfuscator.verify(analysis, prefix)) {
+      encoderName = "freejsobfuscator";
+    }
+    else if (obfuscatorio.verify(analysis)) {
+      encoderName = "obfuscator.io";
+    }
+    // else if ((analysis.counter.identifiers > (kMinimumIdsCount * 3) && analysis.hasPrefixedIdentifiers)
+    //     && (oneTimeOccurence <= 3 || analysis.counter.encodedArrayValue > 0)) {
+    //     encoderName = "unknown";
+    // }
+  }
+  return [encoderName !== null, encoderName];
+}
+export function hasTrojanSource(sourceString) {
+  return trojan.verify(sourceString);
+}
+function calcAvgPrefixedIdentifiers(analysis, prefix) {
+  const valuesArr = Object.values(prefix).slice().sort((left, right) => left - right);
+  if (valuesArr.length === 0) {
+    return 0;
+  }
+  const nbOfPrefixedIds = valuesArr.length === 1 ? valuesArr.pop() : (valuesArr.pop() + valuesArr.pop());
+  const maxIds = analysis.counter.identifiers - analysis.idtypes.property;
+  return ((nbOfPrefixedIds / maxIds) * 100);
+}

package/src/obfuscators/trojan-source.js ADDED Viewed

@@ -0,0 +1,11 @@
+import { unsafeUnicodeControlCharacters } from "../constants.js";
+export function verify(sourceString) {
+  for (const unsafeCharacter of unsafeUnicodeControlCharacters) {
+    if (sourceString.includes(unsafeCharacter)) {
+      return true;
+    }
+  }
+  return false;
+}