@nodesecure/js-x-ray 5.1.0 → 6.0.1

package/src/probes/isRequire.js

@@ -1,54 +1,46 @@
 /* eslint-disable consistent-return */
 
-// Import Internal Dependencies
-import { isRequireGlobalMemberExpr, getMemberExprName, arrExprToString, concatBinaryExpr } from "../utils.js";
-
 // Import Third-party Dependencies
 import { Hex } from "@nodesecure/sec-literal";
 import { walk } from "estree-walker";
-
-function validateNode(node, analysis) {
-  return [
-    isRequireIdentifiers(node, analysis) ||
-    isRequireResolve(node) ||
-    isRequireMemberExpr(node)
-  ];
-}
-
-function isRequireResolve(node) {
-  if (node.type !== "CallExpression" || node.callee.type !== "MemberExpression") {
-    return false;
+import {
+  concatBinaryExpression,
+  arrayExpressionToString,
+  getMemberExpressionIdentifier,
+  getCallExpressionIdentifier
+} from "@nodesecure/estree-ast-utils";
+
+function validateNode(node, { tracer }) {
+  const id = getCallExpressionIdentifier(node);
+  if (id === null) {
+    return [false];
   }
 
-  return node.callee.object.name === "require" && node.callee.property.name === "resolve";
-}
+  const data = tracer.getDataFromIdentifier(id);
 
-function isRequireMemberExpr(node) {
-  if (node.type !== "CallExpression" || node.callee.type !== "MemberExpression") {
-    return false;
-  }
-
-  return isRequireGlobalMemberExpr(getMemberExprName(node.callee));
-}
-
-function isRequireIdentifiers(node, analysis) {
-  if (node.type !== "CallExpression") {
-    return false;
-  }
-  const fullName = node.callee.type === "MemberExpression" ? getMemberExprName(node.callee) : node.callee.name;
-
-  return analysis.requireIdentifiers.has(fullName);
+  return [
+    data !== null && data.name === "require",
+    data?.identifierOrMemberExpr ?? void 0
+  ];
 }
 
 function main(node, options) {
   const { analysis } = options;
+  const { tracer } = analysis;
+
+  if (node.arguments.length === 0) {
+    return;
+  }
+  const arg = node.arguments.at(0);
 
-  const arg = node.arguments[0];
   switch (arg.type) {
     // const foo = "http"; require(foo);
     case "Identifier":
-      if (analysis.identifiers.has(arg.name)) {
-        analysis.dependencies.add(analysis.identifiers.get(arg.name), node.loc);
+      if (analysis.tracer.literalIdentifiers.has(arg.name)) {
+        analysis.dependencies.add(
+          analysis.tracer.literalIdentifiers.get(arg.name),
+          node.loc
+        );
       }
       else {
         analysis.addWarning("unsafe-import", null, node.loc);
@@ -60,9 +52,12 @@ function main(node, options) {
       analysis.dependencies.add(arg.value, node.loc);
       break;
 
-    // require(["ht" + "tp"])
+    // require(["ht", "tp"])
     case "ArrayExpression": {
-      const value = arrExprToString(arg.elements, analysis.identifiers).trim();
+      const value = [...arrayExpressionToString(arg, { tracer })]
+        .join("")
+        .trim();
+
       if (value === "") {
         analysis.addWarning("unsafe-import", null, node.loc);
       }
@@ -75,23 +70,27 @@ function main(node, options) {
     // require("ht" + "tp");
     case "BinaryExpression": {
       if (arg.operator !== "+") {
+        analysis.addWarning("unsafe-import", null, node.loc);
         break;
       }
 
-      const value = concatBinaryExpr(arg, analysis.identifiers);
-      if (value === null) {
-        analysis.addWarning("unsafe-import", null, node.loc);
+      try {
+        const iter = concatBinaryExpression(arg, {
+          tracer, stopOnUnsupportedNode: true
+        });
+
+        analysis.dependencies.add([...iter].join(""), node.loc);
       }
-      else {
-        analysis.dependencies.add(value, node.loc);
+      catch {
+        analysis.addWarning("unsafe-import", null, node.loc);
       }
       break;
     }
 
     // require(Buffer.from("...", "hex").toString());
     case "CallExpression": {
-      const { dependencies } = parseRequireCallExpression(arg);
-      dependencies.forEach((depName) => analysis.dependencies.add(depName, node.loc, true));
+      walkRequireCallExpression(arg)
+        .forEach((depName) => analysis.dependencies.add(depName, node.loc, true));
 
       analysis.addWarning("unsafe-import", null, node.loc);
 
@@ -104,7 +103,7 @@ function main(node, options) {
   }
 }
 
-function parseRequireCallExpression(nodeToWalk) {
+function walkRequireCallExpression(nodeToWalk) {
   const dependencies = new Set();
 
   walk(nodeToWalk, {
@@ -113,34 +112,30 @@ function parseRequireCallExpression(nodeToWalk) {
         return;
       }
 
-      if (node.arguments[0].type === "Literal" && Hex.isHex(node.arguments[0].value)) {
-        dependencies.add(Buffer.from(node.arguments[0].value, "hex").toString());
+      const rootArgument = node.arguments.at(0);
+      if (rootArgument.type === "Literal" && Hex.isHex(rootArgument.value)) {
+        dependencies.add(Buffer.from(rootArgument.value, "hex").toString());
 
         return this.skip();
       }
 
-      const fullName = node.callee.type === "MemberExpression" ? getMemberExprName(node.callee) : node.callee.name;
+      const fullName = node.callee.type === "MemberExpression" ?
+        [...getMemberExpressionIdentifier(node.callee)].join(".") :
+        node.callee.name;
+
       switch (fullName) {
         case "Buffer.from": {
-          const [element, convert] = node.arguments;
+          const [element] = node.arguments;
 
           if (element.type === "ArrayExpression") {
-            const depName = arrExprToString(element);
-            if (depName.trim() !== "") {
-              dependencies.add(depName);
-            }
-          }
-          else if (element.type === "Literal" && convert.type === "Literal" && convert.value === "hex") {
-            const value = Buffer.from(element.value, "hex").toString();
-            dependencies.add(value);
+            const depName = [...arrayExpressionToString(element)].join("").trim();
+            dependencies.add(depName);
           }
           break;
         }
         case "require.resolve": {
-          const [element] = node.arguments;
-
-          if (element.type === "Literal") {
-            dependencies.add(element.value);
+          if (rootArgument.type === "Literal") {
+            dependencies.add(rootArgument.value);
           }
           break;
         }
@@ -148,9 +143,7 @@ function parseRequireCallExpression(nodeToWalk) {
     }
   });
 
-  return {
-    dependencies: [...dependencies]
-  };
+  return [...dependencies];
 }
 
 export default {

package/src/probes/isUnsafeCallee.js

@@ -1,4 +1,4 @@
-// Require Internal Dependencies
+// Import Internal Dependencies
 import { isUnsafeCallee } from "../utils.js";
 
 /**
@@ -15,6 +15,8 @@ function main(node, options) {
   const { analysis, data: calleeName } = options;
 
   analysis.addWarning("unsafe-stmt", calleeName, node.loc);
+
+  return Symbol.for("skipWalk");
 }
 
 export default {

package/src/probes/isVariableDeclaration.js

@@ -1,104 +1,30 @@
-// Require Internal Dependencies
-import { getIdName, getMemberExprName, isUnsafeCallee, isRequireGlobalMemberExpr } from "../utils.js";
-import { globalParts, processMainModuleRequire } from "../constants.js";
-
-// CONSTANTS
-const kUnsafeCallee = new Set(["eval", "Function"]);
-
-// In case we are matching a Variable declaration, we have to save the identifier
-// This allow the AST Analysis to retrieve required dependency when the stmt is mixed with variables.
-function validateNode(node) {
-  return [
-    node.type === "VariableDeclaration"
-  ];
-}
-
-function main(mainNode, options) {
-  const { analysis } = options;
-
-  analysis.varkinds[mainNode.kind]++;
-
-  for (const node of mainNode.declarations) {
-    analysis.idtypes.variableDeclarator++;
-    for (const name of getIdName(node.id)) {
-      analysis.identifiersName.push({ name, type: "variableDeclarator" });
-    }
-
-    if (node.init === null || node.id.type !== "Identifier") {
-      continue;
-    }
-
-    if (node.init.type === "Literal") {
-      analysis.identifiers.set(node.id.name, String(node.init.value));
-    }
-
-    // Searching for someone who assign require to a variable, ex:
-    // const r = require
-    else if (node.init.type === "Identifier") {
-      if (kUnsafeCallee.has(node.init.name)) {
-        analysis.addWarning("unsafe-assign", node.init.name, node.loc);
-      }
-      else if (analysis.requireIdentifiers.has(node.init.name)) {
-        analysis.requireIdentifiers.add(node.id.name);
-        analysis.addWarning("unsafe-assign", node.init.name, node.loc);
-      }
-      else if (globalParts.has(node.init.name)) {
-        analysis.globalParts.set(node.id.name, node.init.name);
-        getRequirablePatterns(analysis.globalParts)
-          .forEach((name) => analysis.requireIdentifiers.add(name));
-      }
-    }
-
-    // Same as before but for pattern like process.mainModule and require.resolve
-    else if (node.init.type === "MemberExpression") {
-      const value = getMemberExprName(node.init);
-      const members = value.split(".");
-
-      if (analysis.globalParts.has(members[0]) || members.every((part) => globalParts.has(part))) {
-        analysis.globalParts.set(node.id.name, members.slice(1).join("."));
-        analysis.addWarning("unsafe-assign", value, node.loc);
-      }
-      getRequirablePatterns(analysis.globalParts)
-        .forEach((name) => analysis.requireIdentifiers.add(name));
-
-      if (isRequireStatement(value)) {
-        analysis.requireIdentifiers.add(node.id.name);
-        analysis.addWarning("unsafe-assign", value, node.loc);
-      }
-    }
-    else if (isUnsafeCallee(node.init)[0]) {
-      analysis.globalParts.set(node.id.name, "global");
-      globalParts.add(node.id.name);
-      analysis.requireIdentifiers.add(`${node.id.name}.${processMainModuleRequire}`);
-    }
-  }
-}
-
-function isRequireStatement(value) {
-  return value.startsWith("require") ||
-    value.startsWith(processMainModuleRequire) ||
-    isRequireGlobalMemberExpr(value);
-}
-
-function getRequirablePatterns(parts) {
-  const result = new Set();
-
-  for (const [id, path] of parts.entries()) {
-    if (path === "process") {
-      result.add(`${id}.mainModule.require`);
-    }
-    else if (path === "mainModule") {
-      result.add(`${id}.require`);
-    }
-    else if (path.includes("require")) {
-      result.add(id);
-    }
-  }
-
-  return [...result];
-}
-
-export default {
-  name: "isVariableDeclaration",
-  validateNode, main, breakOnMatch: false
-};
+// Import Third-party Dependencies
+import {
+  getVariableDeclarationIdentifiers
+} from "@nodesecure/estree-ast-utils";
+
+// In case we are matching a Variable declaration, we have to save the identifier
+// This allow the AST Analysis to retrieve required dependency when the stmt is mixed with variables.
+function validateNode(node) {
+  return [
+    node.type === "VariableDeclaration"
+  ];
+}
+
+function main(mainNode, options) {
+  const { analysis } = options;
+
+  analysis.varkinds[mainNode.kind]++;
+
+  for (const node of mainNode.declarations) {
+    analysis.idtypes.variableDeclarator++;
+    for (const { name } of getVariableDeclarationIdentifiers(node.id)) {
+      analysis.identifiersName.push({ name, type: "variableDeclarator" });
+    }
+  }
+}
+
+export default {
+  name: "isVariableDeclaration",
+  validateNode, main, breakOnMatch: false
+};

package/src/probes/isWeakCrypto.js

@@ -1,26 +1,30 @@
+// Import Third-party Dependencies
+import { getCallExpressionIdentifier } from "@nodesecure/estree-ast-utils";
+
 // CONSTANTS
-const kWeakAlgorithms = new Set(["md5", "sha1", "ripemd160", "md4", "md2"]);
+const kWeakAlgorithms = new Set([
+  "md5",
+  "sha1",
+  "ripemd160",
+  "md4",
+  "md2"
+]);
+
+function validateNode(node, { tracer }) {
+  const id = getCallExpressionIdentifier(node);
+  if (id === null || !tracer.importedModules.has("crypto")) {
+    return [false];
+  }
 
-function validateNode(node) {
-  const isCallExpression = node.type === "CallExpression";
-  const isSimpleIdentifier = isCallExpression &&
-    node.callee.type === "Identifier" &&
-    node.callee.name === "createHash";
-  const isMemberExpression = isCallExpression &&
-    node.callee.type === "MemberExpression" &&
-    node.callee.property.name === "createHash";
+  const data = tracer.getDataFromIdentifier(id);
 
-  return [isSimpleIdentifier || isMemberExpression];
+  return [data !== null && data.identifierOrMemberExpr === "crypto.createHash"];
 }
 
 function main(node, { analysis }) {
   const arg = node.arguments.at(0);
-  const isCryptoImported = analysis.dependencies.has("crypto");
 
-  if (
-    kWeakAlgorithms.has(arg.value) &&
-    isCryptoImported
-  ) {
+  if (kWeakAlgorithms.has(arg.value)) {
     analysis.addWarning("weak-crypto", arg.value, node.loc);
   }
 }

package/src/utils.js

@@ -1,166 +1,44 @@
 // Import Third-party Dependencies
-import { Hex } from "@nodesecure/sec-literal";
-
-// Import Internal Dependencies
-import { globalIdentifiers, processMainModuleRequire } from "./constants.js";
-
-// CONSTANTS
-const kBinaryExprTypes = new Set(["Literal", "BinaryExpression", "Identifier"]);
-const kExperimentalWarnings = new Set(["weak-crypto"]);
+import {
+  getCallExpressionIdentifier
+} from "@nodesecure/estree-ast-utils";
 
 export function notNullOrUndefined(value) {
   return value !== null && value !== void 0;
 }
 
-export function* getIdName(node) {
-  switch (node.type) {
-    case "Identifier":
-      yield node.name;
-      break;
-    case "RestElement":
-      yield node.argument.name;
-      break;
-    case "AssignmentPattern":
-      yield node.left.name;
-      break;
-    case "ArrayPattern":
-      yield* node.elements.filter(notNullOrUndefined).map((id) => [...getIdName(id)]).flat();
-      break;
-    case "ObjectPattern":
-      yield* node.properties.filter(notNullOrUndefined).map((property) => [...getIdName(property)]).flat();
-      break;
-  }
-}
-
-export function isRequireGlobalMemberExpr(value) {
-  return [...globalIdentifiers]
-    .some((name) => value.startsWith(`${name}.${processMainModuleRequire}`));
-}
-
 export function isUnsafeCallee(node) {
-  if (node.type !== "CallExpression") {
-    return [false, null];
-  }
-
-  if (node.callee.type === "Identifier") {
-    return [node.callee.name === "eval", "eval"];
-  }
-
-  if (node.callee.type !== "CallExpression") {
-    return [false, null];
-  }
-  const callee = node.callee.callee;
-
-  return [callee.type === "Identifier" && callee.name === "Function", "Function"];
-}
+  const identifier = getCallExpressionIdentifier(node);
 
-export function isLiteralRegex(node) {
-  return node.type === "Literal" && Reflect.has(node, "regex");
+  // For Function we are looking for this: `Function("...")();`
+  // A double CallExpression
+  return [
+    identifier === "eval" || (identifier === "Function" && node.callee.type === "CallExpression"),
+    identifier
+  ];
 }
 
-export function arrExprToString(elements, identifiers = null) {
-  let ret = "";
-  const isArrayExpr = typeof elements === "object" && Reflect.has(elements, "elements");
-  const localElements = isArrayExpr ? elements.elements : elements;
-
-  for (const row of localElements) {
-    if (row.type === "Literal") {
-      if (row.value === "") {
-        continue;
-      }
-
-      const value = Number(row.value);
-      ret += Number.isNaN(value) ? row.value : String.fromCharCode(value);
-    }
-    else if (row.type === "Identifier" && identifiers !== null && identifiers.has(row.name)) {
-      ret += identifiers.get(row.name);
-    }
-  }
-
-  return ret;
+export function rootLocation() {
+  return { start: { line: 0, column: 0 }, end: { line: 0, column: 0 } };
 }
 
-export function concatBinaryExpr(node, identifiers = new Set()) {
-  const { left, right } = node;
-  if (!kBinaryExprTypes.has(left.type) || !kBinaryExprTypes.has(right.type)) {
-    return null;
-  }
-  let str = "";
-
-  for (const childNode of [left, right]) {
-    switch (childNode.type) {
-      case "BinaryExpression": {
-        const value = concatBinaryExpr(childNode, identifiers);
-        if (value !== null) {
-          str += value;
-        }
-        break;
-      }
-      case "ArrayExpression": {
-        str += arrExprToString(childNode.elements, identifiers);
-        break;
-      }
-      case "Literal":
-        str += childNode.value;
-        break;
-      case "Identifier":
-        if (identifiers.has(childNode.name)) {
-          str += identifiers.get(childNode.name);
-        }
-        break;
-    }
-  }
+export function toArrayLocation(location = rootLocation()) {
+  const { start, end = start } = location;
 
-  return str;
+  return [
+    [start.line || 0, start.column || 0],
+    [end.line || 0, end.column || 0]
+  ];
 }
 
-export function getMemberExprName(node) {
-  let name = "";
+export function extractNode(expectedType) {
+  return (callback, nodes) => {
+    const finalNodes = Array.isArray(nodes) ? nodes : [nodes];
 
-  switch (node.object.type) {
-    case "MemberExpression":
-      name += getMemberExprName(node.object);
-      break;
-    case "Identifier":
-      name += node.object.name;
-      break;
-    case "Literal":
-      name += node.object.value;
-      break;
-  }
-
-  switch (node.property.type) {
-    case "Identifier":
-      name += `.${node.property.name}`;
-      break;
-    case "Literal":
-      name += `.${node.property.value}`;
-      break;
-    case "CallExpression": {
-      const args = node.property.arguments;
-      if (args.length > 0 && args[0].type === "Literal" && Hex.isHex(args[0].value)) {
-        name += `.${Buffer.from(args[0].value, "hex").toString()}`;
-      }
-      break;
-    }
-    case "BinaryExpression": {
-      const value = concatBinaryExpr(node.property);
-      if (value !== null && value.trim() !== "") {
-        name += `.${value}`;
+    for (const node of finalNodes) {
+      if (notNullOrUndefined(node) && node.type === expectedType) {
+        callback(node);
       }
-      break;
     }
-  }
-
-  return name;
-}
-
-export function rootLocation() {
-  return { start: { line: 0, column: 0 }, end: { line: 0, column: 0 } };
-}
-
-export function toArrayLocation(location = rootLocation()) {
-  const { start, end = start } = location;
-
-  return [[start.line || 0, start.column || 0], [end.line || 0, end.column || 0]];
+  };
 }

package/src/warnings.js

@@ -19,10 +19,6 @@ export const warnings = Object.freeze({
     i18n: "sast_warnings.unsafe_stmt",
     severity: "Warning"
   },
-  "unsafe-assign": {
-    i18n: "sast_warnings.unsafe_assign",
-    severity: "Warning"
-  },
   "encoded-literal": {
     i18n: "sast_warnings.encoded_literal",
     severity: "Information"
@@ -35,6 +31,11 @@ export const warnings = Object.freeze({
     i18n: "sast_warnings.suspicious_literal",
     severity: "Warning"
   },
+  "suspicious-file": {
+    i18n: "sast_warnings.suspicious_file",
+    severity: "Critical",
+    experimental: true
+  },
   "obfuscated-code": {
     i18n: "sast_warnings.obfuscated_code",
     severity: "Critical",

package/types/api.d.ts

@@ -1,5 +1,5 @@
-import { ASTDeps } from "./astdeps";
-import { Warning } from "./warnings";
+import { ASTDeps } from "./astdeps.js";
+import { Warning } from "./warnings.js";
 
 export {
   runASTAnalysis,

package/types/warnings.d.ts

@@ -11,9 +11,9 @@ type WarningNameWithValue = "parsing-error"
 | "encoded-literal"
 | "unsafe-regex"
 | "unsafe-stmt"
-| "unsafe-assign"
 | "short-identifiers"
 | "suspicious-literal"
+| "suspicious-file"
 | "obfuscated-code"
 | "weak-crypto";
 type WarningName = WarningNameWithValue | "unsafe-import";

package/src/constants.js

@@ -1,35 +0,0 @@
-/**
- * This is one of the way to get a valid require.
- *
- * @see https://nodejs.org/api/process.html#process_process_mainmodule
- */
-export const processMainModuleRequire = "process.mainModule.require";
-
-/**
- * JavaScript dangerous global identifiers that can be used by hackers
- */
-export const globalIdentifiers = new Set(["global", "globalThis", "root", "GLOBAL", "window"]);
-
-/**
- * Dangerous Global identifiers parts
- */
-export const globalParts = new Set([...globalIdentifiers, "process", "mainModule", "require"]);
-
-/**
- * Dangerous Unicode control characters that can be used by hackers
- * to perform trojan source.
- */
-export const unsafeUnicodeControlCharacters = [
-  "\u202A",
-  "\u202B",
-  "\u202D",
-  "\u202E",
-  "\u202C",
-  "\u2066",
-  "\u2067",
-  "\u2068",
-  "\u2069",
-  "\u200E",
-  "\u200F",
-  "\u061C"
-];