@nodesecure/js-x-ray 4.2.0 → 4.4.0

package/README.md

@@ -73,6 +73,38 @@ The analysis will return: `http` (in try), `crypto`, `util` and `fs`.
 
 > ⚠️ There is also a lot of suspicious code example in the root cases directory. Feel free to try the tool on these files.
 
+## Warnings
+
+This section describes how use `warnings` export.
+
+The structure of the `warnings` is as follows:
+```
+/**
+ * @property {object}  warnings                         - The default values for Constants.
+ * @property {string}  warnings[name]                   - The default warning name (parsingError, unsafeImport etc...).
+ * @property {string}  warnings[name].i18n              - i18n token.
+ * @property {string}  warnings[name].code              - Used to perform unit tests.
+ */
+ 
+export const warnings = Object.freeze({
+    parsingError: {
+      i18n: "sast_warnings.ast_error"
+      code: "ast-error",
+    },
+    ...otherWarnings
+  });
+```
+
+We make a call to `i18n` through the package `NodeSecure/i18n` to get the translation.
+
+```
+import * as jsxray from "@nodesecure/js-x-ray";
+import * as i18n from "@nodesecure/i18n";
+
+console.log(i18n.getToken(jsxray.warnings.parsingError.i18n));
+
+```
+
 ## Warnings Legends (v2.0+)
 
 > Node-secure versions equal or lower than 0.7.0 are no longer compatible with the warnings table below.

package/index.d.ts

@@ -1,92 +1,124 @@
-/// <reference types="meriyah"/>
-
-import { SourceLocation } from "meriyah/dist/estree";
-
-declare class ASTDeps {
-  constructor();
-  removeByName(name: string): void;
-  add(depName: string): void;
-  getDependenciesInTryStatement(): IterableIterator<string>;
-
-  public isInTryStmt: boolean;
-  public dependencies: Record<string, JSXRay.Dependency>;
-  public readonly size: number;
-}
-
-declare namespace JSXRay {
-  type kindWithValue = "parsing-error"
-    | "encoded-literal"
-    | "unsafe-regex"
-    | "unsafe-stmt"
-    | "unsafe-assign"
-    | "short-identifiers"
-    | "suspicious-literal"
-    | "obfuscated-code";
-
-  type WarningLocation = [[number, number], [number, number]];
-  interface BaseWarning {
-    kind: "unsafe-import" | kindWithValue;
-    file?: string;
-    value: string;
-    location: WarningLocation | WarningLocation[];
-  }
-
-  type Warning<T extends BaseWarning> = T extends { kind: kindWithValue } ? T : Omit<T, "value">;
-
-  interface Report {
-    dependencies: ASTDeps;
-    warnings: Warning<BaseWarning>[];
-    idsLengthAvg: number;
-    stringScore: number;
-    isOneLineRequire: boolean;
-  }
-
-  interface Dependency {
-    unsafe: boolean;
-    inTry: boolean;
-    location?: SourceLocation;
-  };
-
-  interface WarningsNames {
-    parsingError: "parsing-error",
-    unsafeImport: "unsafe-import",
-    unsafeStmt: "unsafe-stmt",
-    unsafeRegex: "unsafe-regex",
-    unsafeAssign: "unsafe-assign",
-    encodedLiteral: "encoded-literal",
-    shortIdentifiers: "short-identifiers",
-    suspiciousLiteral: "suspicious-literal",
-    obfuscatedCode: "obfuscated-code"
-  }
-
-  interface RuntimeOptions {
-    module?: boolean;
-    isMinified?: boolean;
-  }
-
-  export function runASTAnalysis(str: string, options?: RuntimeOptions): Report;
-
-  export type ReportOnFile = {
-    ok: true,
-    warnings: Warning<BaseWarning>[];
-    dependencies: ASTDeps;
-    isMinified: boolean;
-  } | {
-    ok: false,
-    warnings: Warning<BaseWarning>[];
-  }
-
-  export interface RuntimeFileOptions {
-    packageName?: string;
-    module?: boolean;
-  }
-
-  export function runASTAnalysisOnFile(pathToFile: string, options?: RuntimeFileOptions): Promise<ReportOnFile>;
-
-  export namespace CONSTANTS {
-    export const Warnings: WarningsNames;
-  }
-}
-
-export = JSXRay;
-export as namespace JSXRay;
+declare class ASTDeps {
+  constructor();
+  removeByName(name: string): void;
+  add(depName: string): void;
+  getDependenciesInTryStatement(): IterableIterator<string>;
+
+  public isInTryStmt: boolean;
+  public dependencies: Record<string, JSXRay.Dependency>;
+  public readonly size: number;
+}
+
+declare namespace JSXRay {
+  type kindWithValue = "parsing-error"
+    | "encoded-literal"
+    | "unsafe-regex"
+    | "unsafe-stmt"
+    | "unsafe-assign"
+    | "short-identifiers"
+    | "suspicious-literal"
+    | "obfuscated-code";
+
+  type WarningLocation = [[number, number], [number, number]];
+  interface BaseWarning {
+    kind: "unsafe-import" | kindWithValue;
+    file?: string;
+    value: string;
+    location: WarningLocation | WarningLocation[];
+  }
+
+  type Warning<T extends BaseWarning> = T extends { kind: kindWithValue } ? T : Omit<T, "value">;
+
+  interface Report {
+    dependencies: ASTDeps;
+    warnings: Warning<BaseWarning>[];
+    idsLengthAvg: number;
+    stringScore: number;
+    isOneLineRequire: boolean;
+  }
+
+  interface SourceLocation {
+    start: {
+      line: number;
+      column: number;
+    };
+    end: {
+      line: number;
+      column: number;
+    }
+  }
+
+  interface Dependency {
+    unsafe: boolean;
+    inTry: boolean;
+    location?: SourceLocation;
+  }
+
+  interface WarningsNames {
+    parsingError: {
+      code: "ast-error",
+      i18n: "sast_warnings.ast_error"
+    },
+    unsafeImport: {
+      code: "unsafe-import",
+      i18n: "sast_warnings.unsafe_import"
+    },
+    unsafeRegex: {
+      code: "unsafe-regex",
+      i18n: "sast_warnings.unsafe_regex"
+    },
+    unsafeStmt: {
+      code: "unsafe-stmt",
+      i18n: "sast_warnings.unsafe_stmt"
+    },
+    unsafeAssign: {
+      code: "unsafe-assign",
+      i18n: "sast_warnings.unsafe_assign"
+    },
+    encodedLiteral: {
+      code: "encoded-literal",
+      i18n: "sast_warnings.encoded_literal"
+    },
+    shortIdentifiers: {
+      code: "short-identifiers",
+      i18n: "sast_warnings.short_identifiers"
+    },
+    suspiciousLiteral: {
+      code: "suspicious-literal",
+      i18n: "sast_warnings.suspicious_literal"
+    },
+    obfuscatedCode: {
+      code: "obfuscated-code",
+      i18n: "sast_warnings.obfuscated_code"
+    }
+  }
+
+  interface RuntimeOptions {
+    module?: boolean;
+    isMinified?: boolean;
+  }
+
+  export function runASTAnalysis(str: string, options?: RuntimeOptions): Report;
+
+  export type ReportOnFile = {
+    ok: true,
+    warnings: Warning<BaseWarning>[];
+    dependencies: ASTDeps;
+    isMinified: boolean;
+  } | {
+    ok: false,
+    warnings: Warning<BaseWarning>[];
+  }
+
+  export interface RuntimeFileOptions {
+    packageName?: string;
+    module?: boolean;
+  }
+
+  export function runASTAnalysisOnFile(pathToFile: string, options?: RuntimeFileOptions): Promise<ReportOnFile>;
+
+  export const warnings: WarningsNames;
+}
+
+export = JSXRay;
+export as namespace JSXRay;

package/index.js

@@ -16,8 +16,13 @@ export function runASTAnalysis(str, options = Object.create(null)) {
   // Note: if the file start with a shebang then we remove it because 'parseScript' may fail to parse it.
   // Example: #!/usr/bin/env node
   const strToAnalyze = str.charAt(0) === "#" ? str.slice(str.indexOf("\n")) : str;
+  const isEcmaScriptModule = Boolean(module);
   const { body } = meriyah.parseScript(strToAnalyze, {
-    next: true, loc: true, raw: true, module: Boolean(module)
+    next: true,
+    loc: true,
+    raw: true,
+    module: isEcmaScriptModule,
+    globalReturn: !isEcmaScriptModule
   });
 
   const sastAnalysis = new Analysis();
@@ -78,16 +83,43 @@ export async function runASTAnalysisOnFile(pathToFile, options = {}) {
   }
 }
 
-export const CONSTANTS = {
-  Warnings: Object.freeze({
-    parsingError: "ast-error",
-    unsafeImport: "unsafe-import",
-    unsafeRegex: "unsafe-regex",
-    unsafeStmt: "unsafe-stmt",
-    unsafeAssign: "unsafe-assign",
-    encodedLiteral: "encoded-literal",
-    shortIdentifiers: "short-identifiers",
-    suspiciousLiteral: "suspicious-literal",
-    obfuscatedCode: "obfuscated-code"
-  })
-};
+export const warnings = Object.freeze({
+  parsingError: {
+    code: "ast-error",
+    i18n: "sast_warnings.ast_error"
+  },
+  unsafeImport: {
+    code: "unsafe-import",
+    i18n: "sast_warnings.unsafe_import"
+  },
+  unsafeRegex: {
+    code: "unsafe-regex",
+    i18n: "sast_warnings.unsafe_regex"
+  },
+  unsafeStmt: {
+    code: "unsafe-stmt",
+    i18n: "sast_warnings.unsafe_stmt"
+  },
+  unsafeAssign: {
+    code: "unsafe-assign",
+    i18n: "sast_warnings.unsafe_assign"
+  },
+  encodedLiteral: {
+    code: "encoded-literal",
+    i18n: "sast_warnings.encoded_literal"
+  },
+  shortIdentifiers: {
+    code: "short-identifiers",
+    i18n: "sast_warnings.short_identifiers"
+  },
+  suspiciousLiteral: {
+    code: "suspicious-literal",
+    i18n: "sast_warnings.suspicious_literal"
+  },
+  obfuscatedCode: {
+    code: "obfuscated-code",
+    i18n: "sast_warnings.obfuscated_code"
+  }
+});
+
+

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nodesecure/js-x-ray",
-  "version": "4.2.0",
+  "version": "4.4.0",
   "description": "JavaScript AST XRay analysis",
   "type": "module",
   "exports": "./index.js",
@@ -37,21 +37,21 @@
   },
   "homepage": "https://github.com/NodeSecure/js-x-ray#readme",
   "dependencies": {
-    "@nodesecure/sec-literal": "^1.0.1",
-    "estree-walker": "^3.0.0",
+    "@nodesecure/sec-literal": "^1.1.0",
+    "estree-walker": "^3.0.1",
     "is-minified-code": "^2.0.0",
-    "meriyah": "^4.2.0",
+    "meriyah": "^4.2.1",
     "safe-regex": "^2.1.1"
   },
   "devDependencies": {
-    "@nodesecure/eslint-config": "^1.3.0",
+    "@nodesecure/eslint-config": "^1.3.1",
     "@slimio/is": "^1.5.1",
-    "@small-tech/esm-tape-runner": "^1.0.3",
+    "@small-tech/esm-tape-runner": "^2.0.0",
     "@small-tech/tap-monkey": "^1.3.0",
-    "@types/node": "^16.11.10",
+    "@types/node": "^17.0.31",
     "cross-env": "^7.0.3",
-    "eslint": "^8.3.0",
-    "pkg-ok": "^2.3.1",
-    "tape": "^5.3.2"
+    "eslint": "^8.15.0",
+    "pkg-ok": "^3.0.0",
+    "tape": "^5.5.3"
   }
 }

package/src/Analysis.js

@@ -1,152 +1,152 @@
-// Import Third-party Dependencies
-import { Utils, Literal } from "@nodesecure/sec-literal";
-
-// Import Internal Dependencies
-import { rootLocation, toArrayLocation, generateWarning } from "./utils.js";
-import { warnings as _warnings, processMainModuleRequire } from "./constants.js";
-import ASTDeps from "./ASTDeps.js";
-import { isObfuscatedCode, hasTrojanSource } from "./obfuscators/index.js";
-import { runOnProbes } from "./probes/index.js";
-
-// CONSTANTS
-const kDictionaryStrParts = [
-  "abcdefghijklmnopqrstuvwxyz",
-  "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
-  "0123456789"
-];
-
-const kWarningsNameStr = Object.freeze({
-  [_warnings.parsingError]: "parsing-error",
-  [_warnings.unsafeImport]: "unsafe-import",
-  [_warnings.unsafeRegex]: "unsafe-regex",
-  [_warnings.unsafeStmt]: "unsafe-stmt",
-  [_warnings.unsafeAssign]: "unsafe-assign",
-  [_warnings.encodedLiteral]: "encoded-literal",
-  [_warnings.shortIdentifiers]: "short-identifiers",
-  [_warnings.suspiciousLiteral]: "suspicious-literal",
-  [_warnings.obfuscatedCode]: "obfuscated-code"
-});
-
-export default class Analysis {
-  hasDictionaryString = false;
-  hasPrefixedIdentifiers = false;
-  varkinds = { var: 0, let: 0, const: 0 };
-  idtypes = { assignExpr: 0, property: 0, variableDeclarator: 0, functionDeclaration: 0 };
-  counter = {
-    identifiers: 0,
-    doubleUnaryArray: 0,
-    computedMemberExpr: 0,
-    memberExpr: 0,
-    deepBinaryExpr: 0,
-    encodedArrayValue: 0,
-    morseLiteral: 0
-  };
-  identifiersName = [];
-
-  constructor() {
-    this.dependencies = new ASTDeps();
-
-    this.identifiers = new Map();
-    this.globalParts = new Map();
-    this.handledEncodedLiteralValues = new Map();
-
-    this.requireIdentifiers = new Set(["require", processMainModuleRequire]);
-    this.warnings = [];
-    this.literalScores = [];
-  }
-
-  addWarning(symbol, value, location = rootLocation()) {
-    if (symbol === _warnings.encodedLiteral && this.handledEncodedLiteralValues.has(value)) {
-      const index = this.handledEncodedLiteralValues.get(value);
-      this.warnings[index].location.push(toArrayLocation(location));
-
-      return;
-    }
-    const warningName = kWarningsNameStr[symbol];
-    this.warnings.push(generateWarning(warningName, { value, location }));
-    if (symbol === _warnings.encodedLiteral) {
-      this.handledEncodedLiteralValues.set(value, this.warnings.length - 1);
-    }
-  }
-
-  analyzeSourceString(sourceString) {
-    if (hasTrojanSource(sourceString)) {
-      this.addWarning(_warnings.obfuscatedCode, "trojan-source");
-    }
-  }
-
-  analyzeString(str) {
-    const score = Utils.stringSuspicionScore(str);
-    if (score !== 0) {
-      this.literalScores.push(score);
-    }
-
-    if (!this.hasDictionaryString) {
-      const isDictionaryStr = kDictionaryStrParts.every((word) => str.includes(word));
-      if (isDictionaryStr) {
-        this.hasDictionaryString = true;
-      }
-    }
-
-    // Searching for morse string like "--.- --.--."
-    if (Utils.stringCharDiversity(str, ["\n"]) >= 3 && Utils.isMorse(str)) {
-      this.counter.morseLiteral++;
-    }
-  }
-
-  analyzeLiteral(node, inArrayExpr = false) {
-    if (typeof node.value !== "string" || Utils.isSvg(node)) {
-      return;
-    }
-    this.analyzeString(node.value);
-
-    const { hasHexadecimalSequence, hasUnicodeSequence, isBase64 } = Literal.defaultAnalysis(node);
-    if ((hasHexadecimalSequence || hasUnicodeSequence) && isBase64) {
-      if (inArrayExpr) {
-        this.counter.encodedArrayValue++;
-      }
-      else {
-        this.addWarning(_warnings.encodedLiteral, node.value, node.loc);
-      }
-    }
-  }
-
-  getResult(isMinified) {
-    this.counter.identifiers = this.identifiersName.length;
-    const [isObfuscated, kind] = isObfuscatedCode(this);
-    if (isObfuscated) {
-      this.addWarning(_warnings.obfuscatedCode, kind || "unknown");
-    }
-
-    const identifiersLengthArr = this.identifiersName
-      .filter((value) => value.type !== "property" && typeof value.name === "string").map((value) => value.name.length);
-
-    const [idsLengthAvg, stringScore] = [sum(identifiersLengthArr), sum(this.literalScores)];
-    if (!isMinified && identifiersLengthArr.length > 5 && idsLengthAvg <= 1.5) {
-      this.addWarning(_warnings.shortIdentifiers, idsLengthAvg);
-    }
-    if (stringScore >= 3) {
-      this.addWarning(_warnings.suspiciousLiteral, stringScore);
-    }
-
-    return { idsLengthAvg, stringScore, warnings: this.warnings };
-  }
-
-  walk(node) {
-    // Detect TryStatement and CatchClause to known which dependency is required in a Try {} clause
-    if (node.type === "TryStatement" && typeof node.handler !== "undefined") {
-      this.dependencies.isInTryStmt = true;
-    }
-    else if (node.type === "CatchClause") {
-      this.dependencies.isInTryStmt = false;
-    }
-
-    return runOnProbes(node, this);
-  }
-}
-
-function sum(arr = []) {
-  return arr.length === 0 ? 0 : (arr.reduce((prev, curr) => prev + curr, 0) / arr.length);
-}
-
-Analysis.Warnings = _warnings;
+// Import Third-party Dependencies
+import { Utils, Literal } from "@nodesecure/sec-literal";
+
+// Import Internal Dependencies
+import { rootLocation, toArrayLocation, generateWarning } from "./utils.js";
+import { warnings as _warnings, processMainModuleRequire } from "./constants.js";
+import ASTDeps from "./ASTDeps.js";
+import { isObfuscatedCode, hasTrojanSource } from "./obfuscators/index.js";
+import { runOnProbes } from "./probes/index.js";
+
+// CONSTANTS
+const kDictionaryStrParts = [
+  "abcdefghijklmnopqrstuvwxyz",
+  "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
+  "0123456789"
+];
+
+const kWarningsNameStr = Object.freeze({
+  [_warnings.parsingError]: "parsing-error",
+  [_warnings.unsafeImport]: "unsafe-import",
+  [_warnings.unsafeRegex]: "unsafe-regex",
+  [_warnings.unsafeStmt]: "unsafe-stmt",
+  [_warnings.unsafeAssign]: "unsafe-assign",
+  [_warnings.encodedLiteral]: "encoded-literal",
+  [_warnings.shortIdentifiers]: "short-identifiers",
+  [_warnings.suspiciousLiteral]: "suspicious-literal",
+  [_warnings.obfuscatedCode]: "obfuscated-code"
+});
+
+export default class Analysis {
+  hasDictionaryString = false;
+  hasPrefixedIdentifiers = false;
+  varkinds = { var: 0, let: 0, const: 0 };
+  idtypes = { assignExpr: 0, property: 0, variableDeclarator: 0, functionDeclaration: 0 };
+  counter = {
+    identifiers: 0,
+    doubleUnaryArray: 0,
+    computedMemberExpr: 0,
+    memberExpr: 0,
+    deepBinaryExpr: 0,
+    encodedArrayValue: 0,
+    morseLiteral: 0
+  };
+  identifiersName = [];
+
+  constructor() {
+    this.dependencies = new ASTDeps();
+
+    this.identifiers = new Map();
+    this.globalParts = new Map();
+    this.handledEncodedLiteralValues = new Map();
+
+    this.requireIdentifiers = new Set(["require", processMainModuleRequire]);
+    this.warnings = [];
+    this.literalScores = [];
+  }
+
+  addWarning(symbol, value, location = rootLocation()) {
+    if (symbol === _warnings.encodedLiteral && this.handledEncodedLiteralValues.has(value)) {
+      const index = this.handledEncodedLiteralValues.get(value);
+      this.warnings[index].location.push(toArrayLocation(location));
+
+      return;
+    }
+    const warningName = kWarningsNameStr[symbol];
+    this.warnings.push(generateWarning(warningName, { value, location }));
+    if (symbol === _warnings.encodedLiteral) {
+      this.handledEncodedLiteralValues.set(value, this.warnings.length - 1);
+    }
+  }
+
+  analyzeSourceString(sourceString) {
+    if (hasTrojanSource(sourceString)) {
+      this.addWarning(_warnings.obfuscatedCode, "trojan-source");
+    }
+  }
+
+  analyzeString(str) {
+    const score = Utils.stringSuspicionScore(str);
+    if (score !== 0) {
+      this.literalScores.push(score);
+    }
+
+    if (!this.hasDictionaryString) {
+      const isDictionaryStr = kDictionaryStrParts.every((word) => str.includes(word));
+      if (isDictionaryStr) {
+        this.hasDictionaryString = true;
+      }
+    }
+
+    // Searching for morse string like "--.- --.--."
+    if (Utils.stringCharDiversity(str, ["\n"]) >= 3 && Utils.isMorse(str)) {
+      this.counter.morseLiteral++;
+    }
+  }
+
+  analyzeLiteral(node, inArrayExpr = false) {
+    if (typeof node.value !== "string" || Utils.isSvg(node)) {
+      return;
+    }
+    this.analyzeString(node.value);
+
+    const { hasHexadecimalSequence, hasUnicodeSequence, isBase64 } = Literal.defaultAnalysis(node);
+    if ((hasHexadecimalSequence || hasUnicodeSequence) && isBase64) {
+      if (inArrayExpr) {
+        this.counter.encodedArrayValue++;
+      }
+      else {
+        this.addWarning(_warnings.encodedLiteral, node.value, node.loc);
+      }
+    }
+  }
+
+  getResult(isMinified) {
+    this.counter.identifiers = this.identifiersName.length;
+    const [isObfuscated, kind] = isObfuscatedCode(this);
+    if (isObfuscated) {
+      this.addWarning(_warnings.obfuscatedCode, kind || "unknown");
+    }
+
+    const identifiersLengthArr = this.identifiersName
+      .filter((value) => value.type !== "property" && typeof value.name === "string").map((value) => value.name.length);
+
+    const [idsLengthAvg, stringScore] = [sum(identifiersLengthArr), sum(this.literalScores)];
+    if (!isMinified && identifiersLengthArr.length > 5 && idsLengthAvg <= 1.5) {
+      this.addWarning(_warnings.shortIdentifiers, idsLengthAvg);
+    }
+    if (stringScore >= 3) {
+      this.addWarning(_warnings.suspiciousLiteral, stringScore);
+    }
+
+    return { idsLengthAvg, stringScore, warnings: this.warnings };
+  }
+
+  walk(node) {
+    // Detect TryStatement and CatchClause to known which dependency is required in a Try {} clause
+    if (node.type === "TryStatement" && typeof node.handler !== "undefined") {
+      this.dependencies.isInTryStmt = true;
+    }
+    else if (node.type === "CatchClause") {
+      this.dependencies.isInTryStmt = false;
+    }
+
+    return runOnProbes(node, this);
+  }
+}
+
+function sum(arr = []) {
+  return arr.length === 0 ? 0 : (arr.reduce((prev, curr) => prev + curr, 0) / arr.length);
+}
+
+Analysis.Warnings = _warnings;