@nodesecure/js-x-ray 5.1.0 → 6.0.0

package/LICENSE

@@ -1,21 +1,21 @@
-MIT License
-
-Copyright (c) 2021 NodeSecure
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+MIT License
+
+Copyright (c) 2021 NodeSecure
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -1,8 +1,13 @@
-# js-x-ray
-![version](https://img.shields.io/badge/dynamic/json.svg?url=https://raw.githubusercontent.com/NodeSecure/js-x-ray/master/package.json&query=$.version&label=Version)
-[![Maintenance](https://img.shields.io/badge/Maintained%3F-yes-green.svg)](https://github.com/NodeSecure/js-x-ray/commit-activity)
-[![mit](https://img.shields.io/github/license/Naereen/StrapDown.js.svg)](https://github.com/NodeSecure/js-x-ray/blob/master/LICENSE)
-![build](https://img.shields.io/github/workflow/status/NodeSecure/js-x-ray/Node.js%20CI)
+<p align="center">
+  <h1 align="center">JS-X-RAY</h1>
+</p>
+
+![version](https://img.shields.io/badge/dynamic/json.svg?style=for-the-badge&url=https://raw.githubusercontent.com/NodeSecure/js-x-ray/master/package.json&query=$.version&label=Version)
+[![mit](https://img.shields.io/github/license/Naereen/StrapDown.js.svg?style=for-the-badge)](https://github.com/NodeSecure/js-x-ray/blob/master/LICENSE)
+[![OpenSSF
+Scorecard](https://api.securityscorecards.dev/projects/github.com/NodeSecure/js-x-ray/badge?style=for-the-badge)](https://api.securityscorecards.dev/projects/github.com/NodeSecure/js-x-ray)
+![build](https://img.shields.io/github/actions/workflow/status/NodeSecure/js-x-ray/node.js.yml?style=for-the-badge)
+![coverage](https://img.shields.io/codecov/c/github/NodeSecure/js-x-ray?style=for-the-badge)
 
 JavaScript AST analysis. This package has been created to export the [Node-Secure](https://github.com/ES-Community/nsecure) AST Analysis to enable better code evolution and allow better access to developers and researchers.
 
@@ -80,9 +85,9 @@ type WarningName = "parsing-error"
 | "encoded-literal"
 | "unsafe-regex"
 | "unsafe-stmt"
-| "unsafe-assign"
 | "short-identifiers"
 | "suspicious-literal"
+| "suspicious-file"
 | "obfuscated-code"
 | "weak-crypto"
 | "unsafe-import";
@@ -115,10 +120,10 @@ This section describe all the possible warnings returned by JSXRay. Click on the
 | [unsafe-import](./docs/unsafe-import.md) | ❌ | Unable to follow an import (require, require.resolve) statement/expr. |
 | [unsafe-regex](./docs/unsafe-regex.md) | ❌ | A RegEx as been detected as unsafe and may be used for a ReDoS Attack. |
 | [unsafe-stmt](./docs//unsafe-stmt.md) | ❌ | Usage of dangerous statement like `eval()` or `Function("")`. |
-| [unsafe-assign](./docs/unsafe-assign.md) | ❌ | Assignment of a protected global like `process` or `require`. |
 | [encoded-literal](./docs/encoded-literal.md) | ❌ | An encoded literal has been detected (it can be an hexa value, unicode sequence or a base64 string) |
 | [short-identifiers](./docs/short-identifiers.md) | ❌ | This mean that all identifiers has an average length below 1.5. |
 | [suspicious-literal](./docs/suspicious-literal.md) | ❌ | A suspicious literal has been found in the source code. |
+| [suspicious-file](./docs/suspicious-file.md) | ✔️ | A suspicious file with more than ten encoded-literal in it |
 | [obfuscated-code](./docs/obfuscated-code.md) | ✔️ | There's a very high probability that the code is obfuscated. |
 | [weak-crypto](./docs/weak-crypto.md) | ✔️ | The code probably contains a weak crypto algorithm (md5, sha1...) |
 
@@ -178,7 +183,7 @@ export type ReportOnFile = {
 ## Contributors ✨
 
 <!-- ALL-CONTRIBUTORS-BADGE:START - Do not remove or modify this section -->
-[![All Contributors](https://img.shields.io/badge/all_contributors-8-orange.svg?style=flat-square)](#contributors-)
+[![All Contributors](https://img.shields.io/badge/all_contributors-10-orange.svg?style=flat-square)](#contributors-)
 <!-- ALL-CONTRIBUTORS-BADGE:END -->
 
 Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):
@@ -187,18 +192,22 @@ Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/d
 <!-- prettier-ignore-start -->
 <!-- markdownlint-disable -->
 <table>
-  <tr>
-    <td align="center"><a href="https://www.linkedin.com/in/thomas-gentilhomme/"><img src="https://avatars.githubusercontent.com/u/4438263?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Gentilhomme</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=fraxken" title="Code">💻</a> <a href="https://github.com/NodeSecure/js-x-ray/commits?author=fraxken" title="Documentation">📖</a> <a href="https://github.com/NodeSecure/js-x-ray/pulls?q=is%3Apr+reviewed-by%3Afraxken" title="Reviewed Pull Requests">👀</a> <a href="#security-fraxken" title="Security">🛡️</a> <a href="https://github.com/NodeSecure/js-x-ray/issues?q=author%3Afraxken" title="Bug reports">🐛</a></td>
-    <td align="center"><a href="https://github.com/Rossb0b"><img src="https://avatars.githubusercontent.com/u/39910164?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Nicolas Hallaert</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=Rossb0b" title="Documentation">📖</a></td>
-    <td align="center"><a href="https://github.com/antoine-coulon"><img src="https://avatars.githubusercontent.com/u/43391199?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Antoine</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=antoine-coulon" title="Code">💻</a></td>
-    <td align="center"><a href="https://github.com/Mathieuka"><img src="https://avatars.githubusercontent.com/u/34446722?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Mathieu</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=Mathieuka" title="Code">💻</a></td>
-    <td align="center"><a href="https://github.com/Kawacrepe"><img src="https://avatars.githubusercontent.com/u/40260517?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Vincent Dhennin</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=Kawacrepe" title="Code">💻</a> <a href="https://github.com/NodeSecure/js-x-ray/commits?author=Kawacrepe" title="Tests">⚠️</a></td>
-    <td align="center"><a href="http://tonygo.dev"><img src="https://avatars.githubusercontent.com/u/22824417?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Tony Gorez</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=tony-go" title="Code">💻</a> <a href="https://github.com/NodeSecure/js-x-ray/commits?author=tony-go" title="Documentation">📖</a> <a href="https://github.com/NodeSecure/js-x-ray/commits?author=tony-go" title="Tests">⚠️</a></td>
-    <td align="center"><a href="https://github.com/PierreDemailly"><img src="https://avatars.githubusercontent.com/u/39910767?v=4?s=100" width="100px;" alt=""/><br /><sub><b>PierreD</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=PierreDemailly" title="Tests">⚠️</a></td>
-  </tr>
-  <tr>
-    <td align="center"><a href="https://www.linkedin.com/in/franck-hallaert/"><img src="https://avatars.githubusercontent.com/u/110826655?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Franck Hallaert</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=Aekk0" title="Code">💻</a></td>
-  </tr>
+  <tbody>
+    <tr>
+      <td align="center"><a href="https://www.linkedin.com/in/thomas-gentilhomme/"><img src="https://avatars.githubusercontent.com/u/4438263?v=4?s=100" width="100px;" alt="Gentilhomme"/><br /><sub><b>Gentilhomme</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=fraxken" title="Code">💻</a> <a href="https://github.com/NodeSecure/js-x-ray/commits?author=fraxken" title="Documentation">📖</a> <a href="https://github.com/NodeSecure/js-x-ray/pulls?q=is%3Apr+reviewed-by%3Afraxken" title="Reviewed Pull Requests">👀</a> <a href="#security-fraxken" title="Security">🛡️</a> <a href="https://github.com/NodeSecure/js-x-ray/issues?q=author%3Afraxken" title="Bug reports">🐛</a></td>
+      <td align="center"><a href="https://github.com/Rossb0b"><img src="https://avatars.githubusercontent.com/u/39910164?v=4?s=100" width="100px;" alt="Nicolas Hallaert"/><br /><sub><b>Nicolas Hallaert</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=Rossb0b" title="Documentation">📖</a></td>
+      <td align="center"><a href="https://github.com/antoine-coulon"><img src="https://avatars.githubusercontent.com/u/43391199?v=4?s=100" width="100px;" alt="Antoine"/><br /><sub><b>Antoine</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=antoine-coulon" title="Code">💻</a></td>
+      <td align="center"><a href="https://github.com/Mathieuka"><img src="https://avatars.githubusercontent.com/u/34446722?v=4?s=100" width="100px;" alt="Mathieu"/><br /><sub><b>Mathieu</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=Mathieuka" title="Code">💻</a></td>
+      <td align="center"><a href="https://github.com/Kawacrepe"><img src="https://avatars.githubusercontent.com/u/40260517?v=4?s=100" width="100px;" alt="Vincent Dhennin"/><br /><sub><b>Vincent Dhennin</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=Kawacrepe" title="Code">💻</a> <a href="https://github.com/NodeSecure/js-x-ray/commits?author=Kawacrepe" title="Tests">⚠️</a></td>
+      <td align="center"><a href="http://tonygo.dev"><img src="https://avatars.githubusercontent.com/u/22824417?v=4?s=100" width="100px;" alt="Tony Gorez"/><br /><sub><b>Tony Gorez</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=tony-go" title="Code">💻</a> <a href="https://github.com/NodeSecure/js-x-ray/commits?author=tony-go" title="Documentation">📖</a> <a href="https://github.com/NodeSecure/js-x-ray/commits?author=tony-go" title="Tests">⚠️</a></td>
+      <td align="center"><a href="https://github.com/PierreDemailly"><img src="https://avatars.githubusercontent.com/u/39910767?v=4?s=100" width="100px;" alt="PierreD"/><br /><sub><b>PierreD</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=PierreDemailly" title="Tests">⚠️</a></td>
+    </tr>
+    <tr>
+      <td align="center"><a href="https://www.linkedin.com/in/franck-hallaert/"><img src="https://avatars.githubusercontent.com/u/110826655?v=4?s=100" width="100px;" alt="Franck Hallaert"/><br /><sub><b>Franck Hallaert</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=Aekk0" title="Code">💻</a></td>
+      <td align="center"><a href="https://maji.kiwi"><img src="https://avatars.githubusercontent.com/u/33150916?v=4?s=100" width="100px;" alt="Maji"/><br /><sub><b>Maji</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=M4gie" title="Code">💻</a></td>
+      <td align="center"><a href="https://github.com/targos"><img src="https://avatars.githubusercontent.com/u/2352663?v=4?s=100" width="100px;" alt="Michaël Zasso"/><br /><sub><b>Michaël Zasso</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=targos" title="Code">💻</a> <a href="https://github.com/NodeSecure/js-x-ray/issues?q=author%3Atargos" title="Bug reports">🐛</a></td>
+    </tr>
+  </tbody>
 </table>
 
 <!-- markdownlint-restore -->

package/index.d.ts

@@ -5,15 +5,15 @@ import {
   ReportOnFile,
   RuntimeFileOptions,
   RuntimeOptions
-} from "./types/api";
+} from "./types/api.js";
 import {
   Warning,
   WarningDefault,
   WarningLocation,
   WarningName,
   WarningNameWithValue
-} from "./types/warnings";
-import { ASTDeps, Dependency } from "./types/astdeps";
+} from "./types/warnings.js";
+import { ASTDeps, Dependency } from "./types/astdeps.js";
 
 declare const warnings: Record<WarningName, Pick<WarningDefault, "experimental" | "i18n" | "severity">>;
 

package/index.js

@@ -11,6 +11,13 @@ import isMinified from "is-minified-code";
 import Analysis from "./src/Analysis.js";
 import { warnings } from "./src/warnings.js";
 
+// CONSTANTS
+const kMeriyahDefaultOptions = {
+  next: true,
+  loc: true,
+  raw: true
+};
+
 export function runASTAnalysis(str, options = Object.create(null)) {
   const { module = true, isMinified = false } = options;
 
@@ -18,13 +25,7 @@ export function runASTAnalysis(str, options = Object.create(null)) {
   // Example: #!/usr/bin/env node
   const strToAnalyze = str.charAt(0) === "#" ? str.slice(str.indexOf("\n")) : str;
   const isEcmaScriptModule = Boolean(module);
-  const { body } = meriyah.parseScript(strToAnalyze, {
-    next: true,
-    loc: true,
-    raw: true,
-    module: isEcmaScriptModule,
-    globalReturn: !isEcmaScriptModule
-  });
+  const body = parseScriptExtended(strToAnalyze, isEcmaScriptModule);
 
   const sastAnalysis = new Analysis();
   sastAnalysis.analyzeSourceString(str);
@@ -57,11 +58,12 @@ export async function runASTAnalysisOnFile(pathToFile, options = {}) {
   try {
     const { packageName = null, module = true } = options;
     const str = await fs.readFile(pathToFile, "utf-8");
+    const filePathString = pathToFile instanceof URL ? pathToFile.href : pathToFile;
 
-    const isMin = pathToFile.includes(".min") || isMinified(str);
+    const isMin = filePathString.includes(".min") || isMinified(str);
     const data = runASTAnalysis(str, {
       isMinified: isMin,
-      module: path.extname(pathToFile) === ".mjs" ? true : module
+      module: path.extname(filePathString) === ".mjs" ? true : module
     });
     if (packageName !== null) {
       data.dependencies.removeByName(packageName);
@@ -84,4 +86,27 @@ export async function runASTAnalysisOnFile(pathToFile, options = {}) {
   }
 }
 
+function parseScriptExtended(strToAnalyze, isEcmaScriptModule) {
+  try {
+    const { body } = meriyah.parseScript(strToAnalyze, {
+      ...kMeriyahDefaultOptions,
+      module: isEcmaScriptModule,
+      globalReturn: !isEcmaScriptModule
+    });
+
+    return body;
+  }
+  catch (error) {
+    if (error.name === "SyntaxError" && error.description.includes("The import keyword")) {
+      const { body } = meriyah.parseScript(strToAnalyze, {
+        ...kMeriyahDefaultOptions, module: true
+      });
+
+      return body;
+    }
+
+    throw error;
+  }
+}
+
 export { warnings };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nodesecure/js-x-ray",
-  "version": "5.1.0",
+  "version": "6.0.0",
   "description": "JavaScript AST XRay analysis",
   "type": "module",
   "exports": "./index.js",
@@ -10,8 +10,9 @@
   "scripts": {
     "lint": "eslint src test",
     "prepublishOnly": "pkg-ok",
-    "test": "cross-env esm-tape-runner 'test/**/*.spec.js' | tap-monkey",
-    "check": "cross-env npm run lint && npm run test"
+    "test-only": "cross-env esm-tape-runner 'test/**/*.spec.js' | tap-monkey",
+    "test": "c8 --all --src ./src -r html npm run test-only",
+    "check": "cross-env npm run lint && npm run test-only"
   },
   "repository": {
     "type": "git",
@@ -38,21 +39,23 @@
   },
   "homepage": "https://github.com/NodeSecure/js-x-ray#readme",
   "dependencies": {
-    "@nodesecure/sec-literal": "^1.1.0",
+    "@nodesecure/estree-ast-utils": "^1.3.0",
+    "@nodesecure/sec-literal": "^1.2.0",
     "estree-walker": "^3.0.1",
     "is-minified-code": "^2.0.0",
-    "meriyah": "^4.3.0",
+    "meriyah": "^4.3.3",
     "safe-regex": "^2.1.1"
   },
   "devDependencies": {
-    "@nodesecure/eslint-config": "^1.5.0",
+    "@nodesecure/eslint-config": "^1.6.0",
     "@slimio/is": "^1.5.1",
     "@small-tech/esm-tape-runner": "^2.0.0",
     "@small-tech/tap-monkey": "^1.4.0",
-    "@types/node": "^18.7.13",
+    "@types/node": "^18.11.18",
+    "c8": "^7.12.0",
     "cross-env": "^7.0.3",
-    "eslint": "^8.23.0",
+    "eslint": "^8.31.0",
     "pkg-ok": "^3.0.0",
-    "tape": "^5.6.0"
+    "tape": "^5.6.1"
   }
 }

package/src/ASTDeps.js

@@ -22,7 +22,7 @@ export default class ASTDeps {
   }
 
   add(depName, location = null, unsafe = false) {
-    if (depName.trim() === "") {
+    if (typeof depName !== "string" || depName.trim() === "") {
       return;
     }
 

package/src/Analysis.js

@@ -1,10 +1,10 @@
 // Import Third-party Dependencies
 import { Utils, Literal } from "@nodesecure/sec-literal";
+import { VariableTracer } from "@nodesecure/estree-ast-utils";
 
 // Import Internal Dependencies
 import { rootLocation, toArrayLocation } from "./utils.js";
 import { generateWarning } from "./warnings.js";
-import { processMainModuleRequire } from "./constants.js";
 import ASTDeps from "./ASTDeps.js";
 import { isObfuscatedCode, hasTrojanSource } from "./obfuscators/index.js";
 import { runOnProbes } from "./probes/index.js";
@@ -16,6 +16,8 @@ const kDictionaryStrParts = [
   "0123456789"
 ];
 
+const kMaximumEncodedLiterals = 10;
+
 export default class Analysis {
   hasDictionaryString = false;
   hasPrefixedIdentifiers = false;
@@ -33,29 +35,36 @@ export default class Analysis {
   identifiersName = [];
 
   constructor() {
-    this.dependencies = new ASTDeps();
-
-    this.identifiers = new Map();
-    this.globalParts = new Map();
-    this.handledEncodedLiteralValues = new Map();
+    this.tracer = new VariableTracer()
+      .enableDefaultTracing()
+      .trace("crypto.createHash", {
+        followConsecutiveAssignment: true, moduleName: "crypto"
+      });
 
-    this.requireIdentifiers = new Set(["require", processMainModuleRequire]);
+    this.dependencies = new ASTDeps();
+    this.encodedLiterals = new Map();
     this.warnings = [];
     this.literalScores = [];
   }
 
   addWarning(name, value, location = rootLocation()) {
     const isEncodedLiteral = name === "encoded-literal";
-    if (isEncodedLiteral && this.handledEncodedLiteralValues.has(value)) {
-      const index = this.handledEncodedLiteralValues.get(value);
-      this.warnings[index].location.push(toArrayLocation(location));
+    if (isEncodedLiteral) {
+      if (this.encodedLiterals.size > kMaximumEncodedLiterals) {
+        return;
+      }
 
-      return;
+      if (this.encodedLiterals.has(value)) {
+        const index = this.encodedLiterals.get(value);
+        this.warnings[index].location.push(toArrayLocation(location));
+
+        return;
+      }
     }
 
     this.warnings.push(generateWarning(name, { value, location }));
     if (isEncodedLiteral) {
-      this.handledEncodedLiteralValues.set(value, this.warnings.length - 1);
+      this.encodedLiterals.set(value, this.warnings.length - 1);
     }
   }
 
@@ -105,11 +114,12 @@ export default class Analysis {
     this.counter.identifiers = this.identifiersName.length;
     const [isObfuscated, kind] = isObfuscatedCode(this);
     if (isObfuscated) {
-      this.addWarning("obfuscated-code", kind || "unknown");
+      this.addWarning("obfuscated-code", kind);
     }
 
     const identifiersLengthArr = this.identifiersName
-      .filter((value) => value.type !== "property" && typeof value.name === "string").map((value) => value.name.length);
+      .filter((value) => value.type !== "property" && typeof value.name === "string")
+      .map((value) => value.name.length);
 
     const [idsLengthAvg, stringScore] = [sum(identifiersLengthArr), sum(this.literalScores)];
     if (!isMinified && identifiersLengthArr.length > 5 && idsLengthAvg <= 1.5) {
@@ -119,10 +129,18 @@ export default class Analysis {
       this.addWarning("suspicious-literal", stringScore);
     }
 
+    if (this.encodedLiterals.size > kMaximumEncodedLiterals) {
+      this.addWarning("suspicious-file", null);
+      this.warnings = this.warnings
+        .filter((warning) => warning.kind !== "encoded-literal");
+    }
+
     return { idsLengthAvg, stringScore, warnings: this.warnings };
   }
 
   walk(node) {
+    this.tracer.walk(node);
+
     // Detect TryStatement and CatchClause to known which dependency is required in a Try {} clause
     if (node.type === "TryStatement" && typeof node.handler !== "undefined") {
       this.dependencies.isInTryStmt = true;

package/src/obfuscators/freejsobfuscator.js

@@ -1,9 +1,9 @@
-// Import Third-party Dependencies
-import { Utils } from "@nodesecure/sec-literal";
-
-export function verify(analysis, prefix) {
-  const pValue = Object.keys(prefix).pop();
-  const regexStr = `^${Utils.escapeRegExp(pValue)}[a-zA-Z]{1,2}[0-9]{0,2}$`;
-
-  return analysis.identifiersName.every(({ name }) => new RegExp(regexStr).test(name));
-}
+// Import Third-party Dependencies
+import { Utils } from "@nodesecure/sec-literal";
+
+export function verify(analysis, prefix) {
+  const pValue = Object.keys(prefix).pop();
+  const regexStr = `^${Utils.escapeRegExp(pValue)}[a-zA-Z]{1,2}[0-9]{0,2}$`;
+
+  return analysis.identifiersName.every(({ name }) => new RegExp(regexStr).test(name));
+}

package/src/obfuscators/jjencode.js

@@ -1,27 +1,27 @@
-// Require Internal Dependencies
-import { notNullOrUndefined } from "../utils.js";
-
-// CONSTANTS
-const kJJRegularSymbols = new Set(["$", "_"]);
-
-export function verify(analysis) {
-  if (analysis.counter.variableDeclarator > 0 || analysis.counter.functionDeclaration > 0) {
-    return false;
-  }
-  if (analysis.idtypes.assignExpr > analysis.idtypes.property) {
-    return false;
-  }
-
-  const matchCount = analysis.identifiersName.filter(({ name }) => {
-    if (!notNullOrUndefined(name)) {
-      return false;
-    }
-    const charsCode = [...new Set([...name])];
-
-    return charsCode.every((char) => kJJRegularSymbols.has(char));
-  }).length;
-  const pourcent = ((matchCount / analysis.identifiersName.length) * 100);
-
-  return pourcent > 80;
-}
-
+// Require Internal Dependencies
+import { notNullOrUndefined } from "../utils.js";
+
+// CONSTANTS
+const kJJRegularSymbols = new Set(["$", "_"]);
+
+export function verify(analysis) {
+  if (analysis.counter.variableDeclarator > 0 || analysis.counter.functionDeclaration > 0) {
+    return false;
+  }
+  if (analysis.idtypes.assignExpr > analysis.idtypes.property) {
+    return false;
+  }
+
+  const matchCount = analysis.identifiersName.filter(({ name }) => {
+    if (!notNullOrUndefined(name)) {
+      return false;
+    }
+    const charsCode = [...new Set([...name])];
+
+    return charsCode.every((char) => kJJRegularSymbols.has(char));
+  }).length;
+  const pourcent = ((matchCount / analysis.identifiersName.length) * 100);
+
+  return pourcent > 80;
+}
+

package/src/obfuscators/jsfuck.js

@@ -1,11 +1,11 @@
-// CONSTANTS
-const kJSFuckMinimumDoubleUnaryExpr = 5;
-
-export function verify(analysis) {
-  const hasZeroAssign = analysis.idtypes.assignExpr === 0
-    && analysis.idtypes.functionDeclaration === 0
-    && analysis.idtypes.property === 0
-    && analysis.idtypes.variableDeclarator === 0;
-
-  return hasZeroAssign && analysis.counter.doubleUnaryArray >= kJSFuckMinimumDoubleUnaryExpr;
-}
+// CONSTANTS
+const kJSFuckMinimumDoubleUnaryExpr = 5;
+
+export function verify(analysis) {
+  const hasZeroAssign = analysis.idtypes.assignExpr === 0
+    && analysis.idtypes.functionDeclaration === 0
+    && analysis.idtypes.property === 0
+    && analysis.idtypes.variableDeclarator === 0;
+
+  return hasZeroAssign && analysis.counter.doubleUnaryArray >= kJSFuckMinimumDoubleUnaryExpr;
+}

package/src/obfuscators/obfuscator-io.js

@@ -1,13 +1,13 @@
-export function verify(analysis) {
-  if (analysis.counter.memberExpr > 0) {
-    return false;
-  }
-
-  const hasSomePatterns = analysis.counter.doubleUnaryArray > 0
-    || analysis.counter.deepBinaryExpr > 0
-    || analysis.counter.encodedArrayValue > 0
-    || analysis.hasDictionaryString;
-
-  // TODO: hasPrefixedIdentifiers only work for hexadecimal id names generator
-  return analysis.hasPrefixedIdentifiers && hasSomePatterns;
-}
+export function verify(analysis) {
+  if (analysis.counter.memberExpr > 0) {
+    return false;
+  }
+
+  const hasSomePatterns = analysis.counter.doubleUnaryArray > 0
+    || analysis.counter.deepBinaryExpr > 0
+    || analysis.counter.encodedArrayValue > 0
+    || analysis.hasDictionaryString;
+
+  // TODO: hasPrefixedIdentifiers only work for hexadecimal id names generator
+  return analysis.hasPrefixedIdentifiers && hasSomePatterns;
+}

package/src/obfuscators/trojan-source.js

@@ -1,7 +1,24 @@
-import { unsafeUnicodeControlCharacters } from "../constants.js";
+/**
+ * Dangerous Unicode control characters that can be used by hackers
+ * to perform trojan source.
+ */
+const kUnsafeUnicodeControlCharacters = [
+  "\u202A",
+  "\u202B",
+  "\u202D",
+  "\u202E",
+  "\u202C",
+  "\u2066",
+  "\u2067",
+  "\u2068",
+  "\u2069",
+  "\u200E",
+  "\u200F",
+  "\u061C"
+];
 
 export function verify(sourceString) {
-  for (const unsafeCharacter of unsafeUnicodeControlCharacters) {
+  for (const unsafeCharacter of kUnsafeUnicodeControlCharacters) {
     if (sourceString.includes(unsafeCharacter)) {
       return true;
     }