@nodesecure/js-x-ray 5.1.0 → 6.0.0

package/src/probes/index.js

@@ -1,68 +1,70 @@
-// Import all the probes
-import isUnsafeCallee from "./isUnsafeCallee.js";
-import isLiteral from "./isLiteral.js";
-import isLiteralRegex from "./isLiteralRegex.js";
-import isRegexObject from "./isRegexObject.js";
-import isVariableDeclaration from "./isVariableDeclaration.js";
-import isAssignmentExprOrMemberExpr from "./isAssignmentExprOrMemberExpr.js";
-import isRequire from "./isRequire.js";
-import isImportDeclaration from "./isImportDeclaration.js";
-import isMemberExpression from "./isMemberExpression.js";
-import isArrayExpression from "./isArrayExpression.js";
-import isFunctionDeclaration from "./isFunctionDeclaration.js";
-import isAssignmentExpression from "./isAssignmentExpression.js";
-import isObjectExpression from "./isObjectExpression.js";
-import isUnaryExpression from "./isUnaryExpression.js";
-import isWeakCrypto from "./isWeakCrypto.js";
-
-// CONSTANTS
-const kListOfProbes = [
-  isUnsafeCallee,
-  isLiteral,
-  isLiteralRegex,
-  isRegexObject,
-  isVariableDeclaration,
-  isAssignmentExprOrMemberExpr,
-  isRequire,
-  isImportDeclaration,
-  isMemberExpression,
-  isAssignmentExpression,
-  isObjectExpression,
-  isArrayExpression,
-  isFunctionDeclaration,
-  isUnaryExpression,
-  isWeakCrypto
-];
-
-const kSymBreak = Symbol.for("breakWalk");
-const kSymSkip = Symbol.for("skipWalk");
-
-export function runOnProbes(node, analysis) {
-  const breakedGroups = new Set();
-
-  for (const probe of kListOfProbes) {
-    if (breakedGroups.has(probe.breakGroup)) {
-      continue;
-    }
-
-    const [isMatching, data = null] = probe.validateNode(node, analysis);
-    if (isMatching) {
-      const result = probe.main(node, { analysis, data });
-
-      if (result === kSymSkip) {
-        return "skip";
-      }
-      if (result === kSymBreak || probe.breakOnMatch) {
-        const breakGroup = probe.breakGroup || null;
-        if (breakGroup === null) {
-          break;
-        }
-        else {
-          breakedGroups.add(breakGroup);
-        }
-      }
-    }
-  }
-
-  return null;
-}
+// Import all the probes
+import isUnsafeCallee from "./isUnsafeCallee.js";
+import isLiteral from "./isLiteral.js";
+import isLiteralRegex from "./isLiteralRegex.js";
+import isRegexObject from "./isRegexObject.js";
+import isVariableDeclaration from "./isVariableDeclaration.js";
+import isRequire from "./isRequire.js";
+import isImportDeclaration from "./isImportDeclaration.js";
+import isMemberExpression from "./isMemberExpression.js";
+import isArrayExpression from "./isArrayExpression.js";
+import isFunction from "./isFunction.js";
+import isAssignmentExpression from "./isAssignmentExpression.js";
+import isObjectExpression from "./isObjectExpression.js";
+import isUnaryExpression from "./isUnaryExpression.js";
+import isWeakCrypto from "./isWeakCrypto.js";
+import isClassDeclaration from "./isClassDeclaration.js";
+import isMethodDefinition from "./isMethodDefinition.js";
+
+// CONSTANTS
+const kListOfProbes = [
+  isUnsafeCallee,
+  isLiteral,
+  isLiteralRegex,
+  isRegexObject,
+  isVariableDeclaration,
+  isRequire,
+  isImportDeclaration,
+  isMemberExpression,
+  isAssignmentExpression,
+  isObjectExpression,
+  isArrayExpression,
+  isFunction,
+  isUnaryExpression,
+  isWeakCrypto,
+  isClassDeclaration,
+  isMethodDefinition
+];
+
+const kSymBreak = Symbol.for("breakWalk");
+const kSymSkip = Symbol.for("skipWalk");
+
+export function runOnProbes(node, analysis) {
+  const breakedGroups = new Set();
+
+  for (const probe of kListOfProbes) {
+    if (breakedGroups.has(probe.breakGroup)) {
+      continue;
+    }
+
+    const [isMatching, data = null] = probe.validateNode(node, analysis);
+    if (isMatching) {
+      const result = probe.main(node, { analysis, data });
+
+      if (result === kSymSkip) {
+        return "skip";
+      }
+      if (result === kSymBreak || probe.breakOnMatch) {
+        const breakGroup = probe.breakGroup || null;
+        if (breakGroup === null) {
+          break;
+        }
+        else {
+          breakedGroups.add(breakGroup);
+        }
+      }
+    }
+  }
+
+  return null;
+}

package/src/probes/isArrayExpression.js

@@ -1,3 +1,9 @@
+// Import Internal Dependencies
+import { extractNode } from "../utils.js";
+
+// CONSTANTS
+const kLiteralExtractor = extractNode("Literal");
+
 /**
  * @description Search for ArrayExpression AST Node (Commonly known as JS Arrays)
  *
@@ -11,14 +17,11 @@ function validateNode(node) {
   ];
 }
 
-function main(node, options) {
-  const { analysis } = options;
-
-  for (const elem of node.elements) {
-    if (elem !== null && elem.type === "Literal") {
-      analysis.analyzeLiteral(elem, true);
-    }
-  }
+function main(node, { analysis }) {
+  kLiteralExtractor(
+    (literalNode) => analysis.analyzeLiteral(literalNode, true),
+    node.elements
+  );
 }
 
 export default {

package/src/probes/isAssignmentExpression.js

@@ -1,5 +1,5 @@
-// Import Internal Dependencies
-import { getIdName } from "../utils.js";
+// Import Third-party Dependencies
+import { getVariableDeclarationIdentifiers } from "@nodesecure/estree-ast-utils";
 
 /**
  * @description Search for AssignmentExpression (Not to be confused with AssignmentPattern).
@@ -18,7 +18,7 @@ function main(node, options) {
   const { analysis } = options;
 
   analysis.idtypes.assignExpr++;
-  for (const name of getIdName(node.left)) {
+  for (const { name } of getVariableDeclarationIdentifiers(node.left)) {
     analysis.identifiersName.push({ name, type: "assignExpr" });
   }
 }

package/src/probes/isClassDeclaration.js

@@ -0,0 +1,25 @@
+// Import Internal Dependencies
+import { extractNode } from "../utils.js";
+
+// CONSTANTS
+const kIdExtractor = extractNode("Identifier");
+
+function validateNode(node) {
+  return [
+    node.type === "ClassDeclaration"
+  ];
+}
+
+function main(node, options) {
+  const { analysis } = options;
+
+  kIdExtractor(
+    ({ name }) => analysis.identifiersName.push({ name, type: "class" }),
+    [node.id, node.superClass]
+  );
+}
+
+export default {
+  name: "isClassDeclaration",
+  validateNode, main, breakOnMatch: false
+};

package/src/probes/{isFunctionDeclaration.js → isFunction.js}

@@ -1,3 +1,9 @@
+// Import Internal Dependencies
+import { extractNode } from "../utils.js";
+
+// CONSTANTS
+const kIdExtractor = extractNode("Identifier");
+
 /**
  * @description Search for FunctionDeclaration AST Node.
  *
@@ -7,13 +13,18 @@
  */
 function validateNode(node) {
   return [
-    node.type === "FunctionDeclaration"
+    node.type === "FunctionDeclaration" || node.type === "FunctionExpression"
   ];
 }
 
 function main(node, options) {
   const { analysis } = options;
 
+  kIdExtractor(
+    ({ name }) => analysis.identifiersName.push({ name, type: "params" }),
+    node.params
+  );
+
   if (node.id === null || node.id.type !== "Identifier") {
     return;
   }

package/src/probes/isLiteral.js

@@ -1,52 +1,49 @@
-// Import Node.js Dependencies
-import { builtinModules } from "repl";
-
-// Import Third-party Dependencies
-import { Hex } from "@nodesecure/sec-literal";
-
-// Import Internal Dependencies
-import { globalParts } from "../constants.js";
-
-// CONSTANTS
-const kNodeDeps = new Set(builtinModules);
-
-/**
- * @description Search for Literal AST Node
- * @see https://github.com/estree/estree/blob/master/es5.md#literal
- * @example
- * "foobar"
- */
-function validateNode(node) {
-  return [
-    node.type === "Literal" && typeof node.value === "string"
-  ];
-}
-
-function main(node, options) {
-  const { analysis } = options;
-
-  // We are searching for value obfuscated as hex of a minimum length of 4.
-  if (/^[0-9A-Fa-f]{4,}$/g.test(node.value)) {
-    const value = Buffer.from(node.value, "hex").toString();
-    analysis.analyzeString(value);
-
-    // If the value we are retrieving is the name of a Node.js dependency,
-    // then we add it to the dependencies list and we throw an unsafe-import at the current location.
-    if (kNodeDeps.has(value)) {
-      analysis.dependencies.add(value, node.loc);
-      analysis.addWarning("unsafe-import", null, node.loc);
-    }
-    else if (globalParts.has(value) || !Hex.isSafe(node.value)) {
-      analysis.addWarning("encoded-literal", node.value, node.loc);
-    }
-  }
-  // Else we are checking all other string with our suspect method
-  else {
-    analysis.analyzeLiteral(node);
-  }
-}
-
-export default {
-  name: "isLiteral",
-  validateNode, main, breakOnMatch: false
-};
+// Import Node.js Dependencies
+import { builtinModules } from "repl";
+
+// Import Third-party Dependencies
+import { Hex } from "@nodesecure/sec-literal";
+
+// CONSTANTS
+const kNodeDeps = new Set(builtinModules);
+
+/**
+ * @description Search for Literal AST Node
+ * @see https://github.com/estree/estree/blob/master/es5.md#literal
+ * @example
+ * "foobar"
+ */
+function validateNode(node) {
+  return [
+    node.type === "Literal" && typeof node.value === "string"
+  ];
+}
+
+function main(node, options) {
+  const { analysis } = options;
+
+  // We are searching for value obfuscated as hex of a minimum length of 4.
+  if (/^[0-9A-Fa-f]{4,}$/g.test(node.value)) {
+    const value = Buffer.from(node.value, "hex").toString();
+    analysis.analyzeString(value);
+
+    // If the value we are retrieving is the name of a Node.js dependency,
+    // then we add it to the dependencies list and we throw an unsafe-import at the current location.
+    if (kNodeDeps.has(value)) {
+      analysis.dependencies.add(value, node.loc);
+      analysis.addWarning("unsafe-import", null, node.loc);
+    }
+    else if (value === "require" || !Hex.isSafe(node.value)) {
+      analysis.addWarning("encoded-literal", node.value, node.loc);
+    }
+  }
+  // Else we are checking all other string with our suspect method
+  else {
+    analysis.analyzeLiteral(node);
+  }
+}
+
+export default {
+  name: "isLiteral",
+  validateNode, main, breakOnMatch: false
+};

package/src/probes/isLiteralRegex.js

@@ -1,7 +1,5 @@
-// Require Internal Dependencies
-import { isLiteralRegex } from "../utils.js";
-
 // Require Third-party Dependencies
+import { isLiteralRegex } from "@nodesecure/estree-ast-utils";
 import safeRegex from "safe-regex";
 
 /**

package/src/probes/isMemberExpression.js

@@ -1,31 +1,16 @@
-// Import Internal Dependencies
-import { getMemberExprName } from "../utils.js";
-import { processMainModuleRequire } from "../constants.js";
-
-// searching for "process.mainModule" pattern (processMainModuleRequire)
-function validateNode(node) {
-  return [
-    node.type === "MemberExpression"
-  ];
-}
-
-function main(node, options) {
-  const { analysis } = options;
-
-  analysis.counter[node.computed ? "computedMemberExpr" : "memberExpr"]++;
-
-  // retrieve the member name, like: foo.bar.hello
-  // in our case we are searching for process.mainModule.*
-  const memberName = getMemberExprName(node);
-
-  if (memberName.startsWith(processMainModuleRequire)) {
-    analysis.dependencies.add(memberName.slice(processMainModuleRequire.length), node.loc);
-  }
-
-  // TODO: require.main ?
-}
-
-export default {
-  name: "isMemberExpression",
-  validateNode, main, breakOnMatch: true, breakGroup: "import"
-};
+function validateNode(node) {
+  return [
+    node.type === "MemberExpression"
+  ];
+}
+
+function main(node, options) {
+  const { analysis } = options;
+
+  analysis.counter[node.computed ? "computedMemberExpr" : "memberExpr"]++;
+}
+
+export default {
+  name: "isMemberExpression",
+  validateNode, main, breakOnMatch: true, breakGroup: "import"
+};

package/src/probes/isMethodDefinition.js

@@ -0,0 +1,25 @@
+// Import Internal Dependencies
+import { extractNode } from "../utils.js";
+
+// CONSTANTS
+const kIdExtractor = extractNode("Identifier");
+
+function validateNode(node) {
+  return [
+    node.type === "MethodDefinition"
+  ];
+}
+
+function main(node, options) {
+  const { analysis } = options;
+
+  kIdExtractor(
+    ({ name }) => analysis.identifiersName.push({ name, type: "method" }),
+    [node.key]
+  );
+}
+
+export default {
+  name: "isMethodDefinition",
+  validateNode, main, breakOnMatch: false
+};

package/src/probes/isRegexObject.js

@@ -1,7 +1,5 @@
-// Import Internal Dependencies
-import { isLiteralRegex } from "../utils.js";
-
 // Import Third-party Dependencies
+import { isLiteralRegex } from "@nodesecure/estree-ast-utils";
 import safeRegex from "safe-regex";
 
 /**
@@ -20,6 +18,13 @@ function main(node, options) {
   const { analysis } = options;
 
   const arg = node.arguments[0];
+  /**
+   * Note: RegExp Object can contain a RegExpLiteral
+   * @see https://github.com/estree/estree/blob/master/es5.md#regexpliteral
+   *
+   * @example
+   * new RegExp(/^foo/)
+   */
   const pattern = isLiteralRegex(arg) ? arg.regex.pattern : arg.value;
 
   // We use the safe-regex package to detect whether or not regex is safe!

package/src/probes/isRequire.js

@@ -1,54 +1,46 @@
 /* eslint-disable consistent-return */
 
-// Import Internal Dependencies
-import { isRequireGlobalMemberExpr, getMemberExprName, arrExprToString, concatBinaryExpr } from "../utils.js";
-
 // Import Third-party Dependencies
 import { Hex } from "@nodesecure/sec-literal";
 import { walk } from "estree-walker";
-
-function validateNode(node, analysis) {
-  return [
-    isRequireIdentifiers(node, analysis) ||
-    isRequireResolve(node) ||
-    isRequireMemberExpr(node)
-  ];
-}
-
-function isRequireResolve(node) {
-  if (node.type !== "CallExpression" || node.callee.type !== "MemberExpression") {
-    return false;
+import {
+  concatBinaryExpression,
+  arrayExpressionToString,
+  getMemberExpressionIdentifier,
+  getCallExpressionIdentifier
+} from "@nodesecure/estree-ast-utils";
+
+function validateNode(node, { tracer }) {
+  const id = getCallExpressionIdentifier(node);
+  if (id === null) {
+    return [false];
   }
 
-  return node.callee.object.name === "require" && node.callee.property.name === "resolve";
-}
+  const data = tracer.getDataFromIdentifier(id);
 
-function isRequireMemberExpr(node) {
-  if (node.type !== "CallExpression" || node.callee.type !== "MemberExpression") {
-    return false;
-  }
-
-  return isRequireGlobalMemberExpr(getMemberExprName(node.callee));
-}
-
-function isRequireIdentifiers(node, analysis) {
-  if (node.type !== "CallExpression") {
-    return false;
-  }
-  const fullName = node.callee.type === "MemberExpression" ? getMemberExprName(node.callee) : node.callee.name;
-
-  return analysis.requireIdentifiers.has(fullName);
+  return [
+    data !== null && data.name === "require",
+    data?.identifierOrMemberExpr ?? void 0
+  ];
 }
 
 function main(node, options) {
   const { analysis } = options;
+  const { tracer } = analysis;
+
+  if (node.arguments.length === 0) {
+    return;
+  }
+  const arg = node.arguments.at(0);
 
-  const arg = node.arguments[0];
   switch (arg.type) {
     // const foo = "http"; require(foo);
     case "Identifier":
-      if (analysis.identifiers.has(arg.name)) {
-        analysis.dependencies.add(analysis.identifiers.get(arg.name), node.loc);
+      if (analysis.tracer.literalIdentifiers.has(arg.name)) {
+        analysis.dependencies.add(
+          analysis.tracer.literalIdentifiers.get(arg.name),
+          node.loc
+        );
       }
       else {
         analysis.addWarning("unsafe-import", null, node.loc);
@@ -60,9 +52,12 @@ function main(node, options) {
       analysis.dependencies.add(arg.value, node.loc);
       break;
 
-    // require(["ht" + "tp"])
+    // require(["ht", "tp"])
     case "ArrayExpression": {
-      const value = arrExprToString(arg.elements, analysis.identifiers).trim();
+      const value = [...arrayExpressionToString(arg, { tracer })]
+        .join("")
+        .trim();
+
       if (value === "") {
         analysis.addWarning("unsafe-import", null, node.loc);
       }
@@ -75,23 +70,27 @@ function main(node, options) {
     // require("ht" + "tp");
     case "BinaryExpression": {
       if (arg.operator !== "+") {
+        analysis.addWarning("unsafe-import", null, node.loc);
         break;
       }
 
-      const value = concatBinaryExpr(arg, analysis.identifiers);
-      if (value === null) {
-        analysis.addWarning("unsafe-import", null, node.loc);
+      try {
+        const iter = concatBinaryExpression(arg, {
+          tracer, stopOnUnsupportedNode: true
+        });
+
+        analysis.dependencies.add([...iter].join(""), node.loc);
       }
-      else {
-        analysis.dependencies.add(value, node.loc);
+      catch {
+        analysis.addWarning("unsafe-import", null, node.loc);
       }
       break;
     }
 
     // require(Buffer.from("...", "hex").toString());
     case "CallExpression": {
-      const { dependencies } = parseRequireCallExpression(arg);
-      dependencies.forEach((depName) => analysis.dependencies.add(depName, node.loc, true));
+      walkRequireCallExpression(arg)
+        .forEach((depName) => analysis.dependencies.add(depName, node.loc, true));
 
       analysis.addWarning("unsafe-import", null, node.loc);
 
@@ -104,7 +103,7 @@ function main(node, options) {
   }
 }
 
-function parseRequireCallExpression(nodeToWalk) {
+function walkRequireCallExpression(nodeToWalk) {
   const dependencies = new Set();
 
   walk(nodeToWalk, {
@@ -113,34 +112,30 @@ function parseRequireCallExpression(nodeToWalk) {
         return;
       }
 
-      if (node.arguments[0].type === "Literal" && Hex.isHex(node.arguments[0].value)) {
-        dependencies.add(Buffer.from(node.arguments[0].value, "hex").toString());
+      const rootArgument = node.arguments.at(0);
+      if (rootArgument.type === "Literal" && Hex.isHex(rootArgument.value)) {
+        dependencies.add(Buffer.from(rootArgument.value, "hex").toString());
 
         return this.skip();
       }
 
-      const fullName = node.callee.type === "MemberExpression" ? getMemberExprName(node.callee) : node.callee.name;
+      const fullName = node.callee.type === "MemberExpression" ?
+        [...getMemberExpressionIdentifier(node.callee)].join(".") :
+        node.callee.name;
+
       switch (fullName) {
         case "Buffer.from": {
-          const [element, convert] = node.arguments;
+          const [element] = node.arguments;
 
           if (element.type === "ArrayExpression") {
-            const depName = arrExprToString(element);
-            if (depName.trim() !== "") {
-              dependencies.add(depName);
-            }
-          }
-          else if (element.type === "Literal" && convert.type === "Literal" && convert.value === "hex") {
-            const value = Buffer.from(element.value, "hex").toString();
-            dependencies.add(value);
+            const depName = [...arrayExpressionToString(element)].join("").trim();
+            dependencies.add(depName);
           }
           break;
         }
         case "require.resolve": {
-          const [element] = node.arguments;
-
-          if (element.type === "Literal") {
-            dependencies.add(element.value);
+          if (rootArgument.type === "Literal") {
+            dependencies.add(rootArgument.value);
           }
           break;
         }
@@ -148,9 +143,7 @@ function parseRequireCallExpression(nodeToWalk) {
     }
   });
 
-  return {
-    dependencies: [...dependencies]
-  };
+  return [...dependencies];
 }
 
 export default {

package/src/probes/isUnsafeCallee.js

@@ -1,4 +1,4 @@
-// Require Internal Dependencies
+// Import Internal Dependencies
 import { isUnsafeCallee } from "../utils.js";
 
 /**
@@ -15,6 +15,8 @@ function main(node, options) {
   const { analysis, data: calleeName } = options;
 
   analysis.addWarning("unsafe-stmt", calleeName, node.loc);
+
+  return Symbol.for("skipWalk");
 }
 
 export default {