@nodesecure/js-x-ray 4.3.0 → 5.0.0

package/src/probes/isRequire.js

@@ -1,160 +1,159 @@
-/* eslint-disable consistent-return */
-
-// Import Internal Dependencies
-import { isRequireGlobalMemberExpr, getMemberExprName, arrExprToString, concatBinaryExpr } from "../utils.js";
-import { warnings } from "../constants.js";
-
-// Import Third-party Dependencies
-import { Hex } from "@nodesecure/sec-literal";
-import { walk } from "estree-walker";
-
-function validateNode(node, analysis) {
-  return [
-    isRequireIdentifiers(node, analysis) ||
-    isRequireResolve(node) ||
-    isRequireMemberExpr(node)
-  ];
-}
-
-function isRequireResolve(node) {
-  if (node.type !== "CallExpression" || node.callee.type !== "MemberExpression") {
-    return false;
-  }
-
-  return node.callee.object.name === "require" && node.callee.property.name === "resolve";
-}
-
-function isRequireMemberExpr(node) {
-  if (node.type !== "CallExpression" || node.callee.type !== "MemberExpression") {
-    return false;
-  }
-
-  return isRequireGlobalMemberExpr(getMemberExprName(node.callee));
-}
-
-function isRequireIdentifiers(node, analysis) {
-  if (node.type !== "CallExpression") {
-    return false;
-  }
-  const fullName = node.callee.type === "MemberExpression" ? getMemberExprName(node.callee) : node.callee.name;
-
-  return analysis.requireIdentifiers.has(fullName);
-}
-
-function main(node, options) {
-  const { analysis } = options;
-
-  const arg = node.arguments[0];
-  switch (arg.type) {
-    // const foo = "http"; require(foo);
-    case "Identifier":
-      if (analysis.identifiers.has(arg.name)) {
-        analysis.dependencies.add(analysis.identifiers.get(arg.name), node.loc);
-      }
-      else {
-        analysis.addWarning(warnings.unsafeImport, null, node.loc);
-      }
-      break;
-
-    // require("http")
-    case "Literal":
-      analysis.dependencies.add(arg.value, node.loc);
-      break;
-
-    // require(["ht" + "tp"])
-    case "ArrayExpression": {
-      const value = arrExprToString(arg.elements, analysis.identifiers).trim();
-      if (value === "") {
-        analysis.addWarning(warnings.unsafeImport, null, node.loc);
-      }
-      else {
-        analysis.dependencies.add(value, node.loc);
-      }
-      break;
-    }
-
-    // require("ht" + "tp");
-    case "BinaryExpression": {
-      if (arg.operator !== "+") {
-        break;
-      }
-
-      const value = concatBinaryExpr(arg, analysis.identifiers);
-      if (value === null) {
-        analysis.addWarning(warnings.unsafeImport, null, node.loc);
-      }
-      else {
-        analysis.dependencies.add(value, node.loc);
-      }
-      break;
-    }
-
-    // require(Buffer.from("...", "hex").toString());
-    case "CallExpression": {
-      const { dependencies } = parseRequireCallExpression(arg);
-      dependencies.forEach((depName) => analysis.dependencies.add(depName, node.loc, true));
-
-      analysis.addWarning(warnings.unsafeImport, null, node.loc);
-
-      // We skip walking the tree to avoid anymore warnings...
-      return Symbol.for("skipWalk");
-    }
-
-    default:
-      analysis.addWarning(warnings.unsafeImport, null, node.loc);
-  }
-}
-
-function parseRequireCallExpression(nodeToWalk) {
-  const dependencies = new Set();
-
-  walk(nodeToWalk, {
-    enter(node) {
-      if (node.type !== "CallExpression" || node.arguments.length === 0) {
-        return;
-      }
-
-      if (node.arguments[0].type === "Literal" && Hex.isHex(node.arguments[0].value)) {
-        dependencies.add(Buffer.from(node.arguments[0].value, "hex").toString());
-
-        return this.skip();
-      }
-
-      const fullName = node.callee.type === "MemberExpression" ? getMemberExprName(node.callee) : node.callee.name;
-      switch (fullName) {
-        case "Buffer.from": {
-          const [element, convert] = node.arguments;
-
-          if (element.type === "ArrayExpression") {
-            const depName = arrExprToString(element);
-            if (depName.trim() !== "") {
-              dependencies.add(depName);
-            }
-          }
-          else if (element.type === "Literal" && convert.type === "Literal" && convert.value === "hex") {
-            const value = Buffer.from(element.value, "hex").toString();
-            dependencies.add(value);
-          }
-          break;
-        }
-        case "require.resolve": {
-          const [element] = node.arguments;
-
-          if (element.type === "Literal") {
-            dependencies.add(element.value);
-          }
-          break;
-        }
-      }
-    }
-  });
-
-  return {
-    dependencies: [...dependencies]
-  };
-}
-
-export default {
-  name: "isRequire",
-  validateNode, main, breakOnMatch: true, breakGroup: "import"
-};
+/* eslint-disable consistent-return */
+
+// Import Internal Dependencies
+import { isRequireGlobalMemberExpr, getMemberExprName, arrExprToString, concatBinaryExpr } from "../utils.js";
+
+// Import Third-party Dependencies
+import { Hex } from "@nodesecure/sec-literal";
+import { walk } from "estree-walker";
+
+function validateNode(node, analysis) {
+  return [
+    isRequireIdentifiers(node, analysis) ||
+    isRequireResolve(node) ||
+    isRequireMemberExpr(node)
+  ];
+}
+
+function isRequireResolve(node) {
+  if (node.type !== "CallExpression" || node.callee.type !== "MemberExpression") {
+    return false;
+  }
+
+  return node.callee.object.name === "require" && node.callee.property.name === "resolve";
+}
+
+function isRequireMemberExpr(node) {
+  if (node.type !== "CallExpression" || node.callee.type !== "MemberExpression") {
+    return false;
+  }
+
+  return isRequireGlobalMemberExpr(getMemberExprName(node.callee));
+}
+
+function isRequireIdentifiers(node, analysis) {
+  if (node.type !== "CallExpression") {
+    return false;
+  }
+  const fullName = node.callee.type === "MemberExpression" ? getMemberExprName(node.callee) : node.callee.name;
+
+  return analysis.requireIdentifiers.has(fullName);
+}
+
+function main(node, options) {
+  const { analysis } = options;
+
+  const arg = node.arguments[0];
+  switch (arg.type) {
+    // const foo = "http"; require(foo);
+    case "Identifier":
+      if (analysis.identifiers.has(arg.name)) {
+        analysis.dependencies.add(analysis.identifiers.get(arg.name), node.loc);
+      }
+      else {
+        analysis.addWarning("unsafe-import", null, node.loc);
+      }
+      break;
+
+    // require("http")
+    case "Literal":
+      analysis.dependencies.add(arg.value, node.loc);
+      break;
+
+    // require(["ht" + "tp"])
+    case "ArrayExpression": {
+      const value = arrExprToString(arg.elements, analysis.identifiers).trim();
+      if (value === "") {
+        analysis.addWarning("unsafe-import", null, node.loc);
+      }
+      else {
+        analysis.dependencies.add(value, node.loc);
+      }
+      break;
+    }
+
+    // require("ht" + "tp");
+    case "BinaryExpression": {
+      if (arg.operator !== "+") {
+        break;
+      }
+
+      const value = concatBinaryExpr(arg, analysis.identifiers);
+      if (value === null) {
+        analysis.addWarning("unsafe-import", null, node.loc);
+      }
+      else {
+        analysis.dependencies.add(value, node.loc);
+      }
+      break;
+    }
+
+    // require(Buffer.from("...", "hex").toString());
+    case "CallExpression": {
+      const { dependencies } = parseRequireCallExpression(arg);
+      dependencies.forEach((depName) => analysis.dependencies.add(depName, node.loc, true));
+
+      analysis.addWarning("unsafe-import", null, node.loc);
+
+      // We skip walking the tree to avoid anymore warnings...
+      return Symbol.for("skipWalk");
+    }
+
+    default:
+      analysis.addWarning("unsafe-import", null, node.loc);
+  }
+}
+
+function parseRequireCallExpression(nodeToWalk) {
+  const dependencies = new Set();
+
+  walk(nodeToWalk, {
+    enter(node) {
+      if (node.type !== "CallExpression" || node.arguments.length === 0) {
+        return;
+      }
+
+      if (node.arguments[0].type === "Literal" && Hex.isHex(node.arguments[0].value)) {
+        dependencies.add(Buffer.from(node.arguments[0].value, "hex").toString());
+
+        return this.skip();
+      }
+
+      const fullName = node.callee.type === "MemberExpression" ? getMemberExprName(node.callee) : node.callee.name;
+      switch (fullName) {
+        case "Buffer.from": {
+          const [element, convert] = node.arguments;
+
+          if (element.type === "ArrayExpression") {
+            const depName = arrExprToString(element);
+            if (depName.trim() !== "") {
+              dependencies.add(depName);
+            }
+          }
+          else if (element.type === "Literal" && convert.type === "Literal" && convert.value === "hex") {
+            const value = Buffer.from(element.value, "hex").toString();
+            dependencies.add(value);
+          }
+          break;
+        }
+        case "require.resolve": {
+          const [element] = node.arguments;
+
+          if (element.type === "Literal") {
+            dependencies.add(element.value);
+          }
+          break;
+        }
+      }
+    }
+  });
+
+  return {
+    dependencies: [...dependencies]
+  };
+}
+
+export default {
+  name: "isRequire",
+  validateNode, main, breakOnMatch: true, breakGroup: "import"
+};

package/src/probes/isUnaryExpression.js

@@ -1,18 +1,26 @@
-function validateNode(node) {
-  return [
-    node.type === "UnaryExpression"
-  ];
-}
-
-function main(node, options) {
-  const { analysis } = options;
-
-  if (node.argument.type === "UnaryExpression" && node.argument.argument.type === "ArrayExpression") {
-    analysis.counter.doubleUnaryArray++;
-  }
-}
-
-export default {
-  name: "isUnaryExpression",
-  validateNode, main, breakOnMatch: false
-};
+/**
+ * @description Search for UnaryExpression AST Node
+ * @see https://github.com/estree/estree/blob/master/es5.md#unaryexpression
+ * @example
+ * -2
+ */
+function validateNode(node) {
+  return [
+    node.type === "UnaryExpression"
+  ];
+}
+
+function main(node, options) {
+  const { analysis } = options;
+
+  // Example: !![]
+  // See: https://docs.google.com/document/d/11ZrfW0bDQ-kd7Gr_Ixqyk8p3TGvxckmhFH3Z8dFoPhY/edit#
+  if (node.argument.type === "UnaryExpression" && node.argument.argument.type === "ArrayExpression") {
+    analysis.counter.doubleUnaryArray++;
+  }
+}
+
+export default {
+  name: "isUnaryExpression",
+  validateNode, main, breakOnMatch: false
+};

package/src/probes/isUnsafeCallee.js

@@ -1,19 +1,23 @@
-// Require Internal Dependencies
-import { isUnsafeCallee } from "../utils.js";
-import { warnings } from "../constants.js";
-
-// Detect unsafe statement like eval("this") or Function("return this")();
-function validateNode(node) {
-  return isUnsafeCallee(node);
-}
-
-function main(node, options) {
-  const { analysis, data: calleeName } = options;
-
-  analysis.addWarning(warnings.unsafeStmt, calleeName, node.loc);
-}
-
-export default {
-  name: "isUnsafeCallee",
-  validateNode, main, breakOnMatch: false
-};
+// Require Internal Dependencies
+import { isUnsafeCallee } from "../utils.js";
+
+/**
+ * @description Detect unsafe statement
+ * @example
+ * eval("this");
+ * Function("return this")();
+ */
+function validateNode(node) {
+  return isUnsafeCallee(node);
+}
+
+function main(node, options) {
+  const { analysis, data: calleeName } = options;
+
+  analysis.addWarning("unsafe-stmt", calleeName, node.loc);
+}
+
+export default {
+  name: "isUnsafeCallee",
+  validateNode, main, breakOnMatch: false
+};

package/src/probes/isVariableDeclaration.js

@@ -1,104 +1,104 @@
-// Require Internal Dependencies
-import { getIdName, getMemberExprName, isUnsafeCallee, isRequireGlobalMemberExpr } from "../utils.js";
-import { warnings, globalParts, processMainModuleRequire } from "../constants.js";
-
-// CONSTANTS
-const kUnsafeCallee = new Set(["eval", "Function"]);
-
-// In case we are matching a Variable declaration, we have to save the identifier
-// This allow the AST Analysis to retrieve required dependency when the stmt is mixed with variables.
-function validateNode(node) {
-  return [
-    node.type === "VariableDeclaration"
-  ];
-}
-
-function main(mainNode, options) {
-  const { analysis } = options;
-
-  analysis.varkinds[mainNode.kind]++;
-
-  for (const node of mainNode.declarations) {
-    analysis.idtypes.variableDeclarator++;
-    for (const name of getIdName(node.id)) {
-      analysis.identifiersName.push({ name, type: "variableDeclarator" });
-    }
-
-    if (node.init === null || node.id.type !== "Identifier") {
-      continue;
-    }
-
-    if (node.init.type === "Literal") {
-      analysis.identifiers.set(node.id.name, String(node.init.value));
-    }
-
-    // Searching for someone who assign require to a variable, ex:
-    // const r = require
-    else if (node.init.type === "Identifier") {
-      if (kUnsafeCallee.has(node.init.name)) {
-        analysis.addWarning(warnings.unsafeAssign, node.init.name, node.loc);
-      }
-      else if (analysis.requireIdentifiers.has(node.init.name)) {
-        analysis.requireIdentifiers.add(node.id.name);
-        analysis.addWarning(warnings.unsafeAssign, node.init.name, node.loc);
-      }
-      else if (globalParts.has(node.init.name)) {
-        analysis.globalParts.set(node.id.name, node.init.name);
-        getRequirablePatterns(analysis.globalParts)
-          .forEach((name) => analysis.requireIdentifiers.add(name));
-      }
-    }
-
-    // Same as before but for pattern like process.mainModule and require.resolve
-    else if (node.init.type === "MemberExpression") {
-      const value = getMemberExprName(node.init);
-      const members = value.split(".");
-
-      if (analysis.globalParts.has(members[0]) || members.every((part) => globalParts.has(part))) {
-        analysis.globalParts.set(node.id.name, members.slice(1).join("."));
-        analysis.addWarning(warnings.unsafeAssign, value, node.loc);
-      }
-      getRequirablePatterns(analysis.globalParts)
-        .forEach((name) => analysis.requireIdentifiers.add(name));
-
-      if (isRequireStatement(value)) {
-        analysis.requireIdentifiers.add(node.id.name);
-        analysis.addWarning(warnings.unsafeAssign, value, node.loc);
-      }
-    }
-    else if (isUnsafeCallee(node.init)[0]) {
-      analysis.globalParts.set(node.id.name, "global");
-      globalParts.add(node.id.name);
-      analysis.requireIdentifiers.add(`${node.id.name}.${processMainModuleRequire}`);
-    }
-  }
-}
-
-function isRequireStatement(value) {
-  return value.startsWith("require") ||
-    value.startsWith(processMainModuleRequire) ||
-    isRequireGlobalMemberExpr(value);
-}
-
-function getRequirablePatterns(parts) {
-  const result = new Set();
-
-  for (const [id, path] of parts.entries()) {
-    if (path === "process") {
-      result.add(`${id}.mainModule.require`);
-    }
-    else if (path === "mainModule") {
-      result.add(`${id}.require`);
-    }
-    else if (path.includes("require")) {
-      result.add(id);
-    }
-  }
-
-  return [...result];
-}
-
-export default {
-  name: "isVariableDeclaration",
-  validateNode, main, breakOnMatch: false
-};
+// Require Internal Dependencies
+import { getIdName, getMemberExprName, isUnsafeCallee, isRequireGlobalMemberExpr } from "../utils.js";
+import { globalParts, processMainModuleRequire } from "../constants.js";
+
+// CONSTANTS
+const kUnsafeCallee = new Set(["eval", "Function"]);
+
+// In case we are matching a Variable declaration, we have to save the identifier
+// This allow the AST Analysis to retrieve required dependency when the stmt is mixed with variables.
+function validateNode(node) {
+  return [
+    node.type === "VariableDeclaration"
+  ];
+}
+
+function main(mainNode, options) {
+  const { analysis } = options;
+
+  analysis.varkinds[mainNode.kind]++;
+
+  for (const node of mainNode.declarations) {
+    analysis.idtypes.variableDeclarator++;
+    for (const name of getIdName(node.id)) {
+      analysis.identifiersName.push({ name, type: "variableDeclarator" });
+    }
+
+    if (node.init === null || node.id.type !== "Identifier") {
+      continue;
+    }
+
+    if (node.init.type === "Literal") {
+      analysis.identifiers.set(node.id.name, String(node.init.value));
+    }
+
+    // Searching for someone who assign require to a variable, ex:
+    // const r = require
+    else if (node.init.type === "Identifier") {
+      if (kUnsafeCallee.has(node.init.name)) {
+        analysis.addWarning("unsafe-assign", node.init.name, node.loc);
+      }
+      else if (analysis.requireIdentifiers.has(node.init.name)) {
+        analysis.requireIdentifiers.add(node.id.name);
+        analysis.addWarning("unsafe-assign", node.init.name, node.loc);
+      }
+      else if (globalParts.has(node.init.name)) {
+        analysis.globalParts.set(node.id.name, node.init.name);
+        getRequirablePatterns(analysis.globalParts)
+          .forEach((name) => analysis.requireIdentifiers.add(name));
+      }
+    }
+
+    // Same as before but for pattern like process.mainModule and require.resolve
+    else if (node.init.type === "MemberExpression") {
+      const value = getMemberExprName(node.init);
+      const members = value.split(".");
+
+      if (analysis.globalParts.has(members[0]) || members.every((part) => globalParts.has(part))) {
+        analysis.globalParts.set(node.id.name, members.slice(1).join("."));
+        analysis.addWarning("unsafe-assign", value, node.loc);
+      }
+      getRequirablePatterns(analysis.globalParts)
+        .forEach((name) => analysis.requireIdentifiers.add(name));
+
+      if (isRequireStatement(value)) {
+        analysis.requireIdentifiers.add(node.id.name);
+        analysis.addWarning("unsafe-assign", value, node.loc);
+      }
+    }
+    else if (isUnsafeCallee(node.init)[0]) {
+      analysis.globalParts.set(node.id.name, "global");
+      globalParts.add(node.id.name);
+      analysis.requireIdentifiers.add(`${node.id.name}.${processMainModuleRequire}`);
+    }
+  }
+}
+
+function isRequireStatement(value) {
+  return value.startsWith("require") ||
+    value.startsWith(processMainModuleRequire) ||
+    isRequireGlobalMemberExpr(value);
+}
+
+function getRequirablePatterns(parts) {
+  const result = new Set();
+
+  for (const [id, path] of parts.entries()) {
+    if (path === "process") {
+      result.add(`${id}.mainModule.require`);
+    }
+    else if (path === "mainModule") {
+      result.add(`${id}.require`);
+    }
+    else if (path.includes("require")) {
+      result.add(id);
+    }
+  }
+
+  return [...result];
+}
+
+export default {
+  name: "isVariableDeclaration",
+  validateNode, main, breakOnMatch: false
+};

package/src/probes/isWeakCrypto.js

@@ -0,0 +1,31 @@
+// CONSTANTS
+const kWeakAlgorithms = new Set(["md5", "sha1", "ripemd160", "md4", "md2"]);
+
+function validateNode(node) {
+  const isCallExpression = node.type === "CallExpression";
+  const isSimpleIdentifier = isCallExpression &&
+    node.callee.type === "Identifier" &&
+    node.callee.name === "createHash";
+  const isMemberExpression = isCallExpression &&
+    node.callee.type === "MemberExpression" &&
+    node.callee.property.name === "createHash";
+
+  return [isSimpleIdentifier || isMemberExpression];
+}
+
+function main(node, { analysis }) {
+  const arg = node.arguments.at(0);
+  const isCryptoImported = analysis.dependencies.has("crypto");
+
+  if (
+    kWeakAlgorithms.has(arg.value) &&
+    isCryptoImported
+  ) {
+    analysis.addWarning("weak-crypto", arg.value, node.loc);
+  }
+}
+
+export default {
+  name: "isWeakCrypto",
+  validateNode, main, breakOnMatch: false
+};