@nodesecure/js-x-ray 6.0.0 → 6.1.0

package/README.md

@@ -1,13 +1,24 @@
 <p align="center">
-  <h1 align="center">JS-X-RAY</h1>
+  <img src="https://user-images.githubusercontent.com/4438263/213887379-c873eb89-8786-4b5c-8a59-dcca49e01cb8.jpg" alt="@nodesecure/js-x-ray">
 </p>
 
-![version](https://img.shields.io/badge/dynamic/json.svg?style=for-the-badge&url=https://raw.githubusercontent.com/NodeSecure/js-x-ray/master/package.json&query=$.version&label=Version)
-[![mit](https://img.shields.io/github/license/Naereen/StrapDown.js.svg?style=for-the-badge)](https://github.com/NodeSecure/js-x-ray/blob/master/LICENSE)
-[![OpenSSF
-Scorecard](https://api.securityscorecards.dev/projects/github.com/NodeSecure/js-x-ray/badge?style=for-the-badge)](https://api.securityscorecards.dev/projects/github.com/NodeSecure/js-x-ray)
-![build](https://img.shields.io/github/actions/workflow/status/NodeSecure/js-x-ray/node.js.yml?style=for-the-badge)
-![coverage](https://img.shields.io/codecov/c/github/NodeSecure/js-x-ray?style=for-the-badge)
+<p align="center">
+    <a href="https://github.com/NodeSecure/js-x-ray">
+      <img src="https://img.shields.io/badge/dynamic/json.svg?style=for-the-badge&url=https://raw.githubusercontent.com/NodeSecure/js-x-ray/master/package.json&query=$.version&label=Version" alt="npm version">
+    </a>
+    <a href="https://github.com/NodeSecure/js-x-ray/blob/master/LICENSE">
+      <img src="https://img.shields.io/github/license/Naereen/StrapDown.js.svg?style=for-the-badge" alt="license">
+    </a>
+    <a href="https://api.securityscorecards.dev/projects/github.com/NodeSecure/js-x-ray">
+      <img src="https://api.securityscorecards.dev/projects/github.com/NodeSecure/js-x-ray/badge?style=for-the-badge" alt="ossf scorecard">
+    </a>
+    <a href="https://github.com/NodeSecure/js-x-ray/actions?query=workflow%3A%22Node.js+CI%22">
+      <img src="https://img.shields.io/github/actions/workflow/status/NodeSecure/js-x-ray/node.js.yml?style=for-the-badge" alt="github ci workflow">
+    </a>
+    <a href="https://codecov.io/github/NodeSecure/js-xray">
+      <img src="https://img.shields.io/codecov/c/github/NodeSecure/js-x-ray?style=for-the-badge" alt="codecov">
+    </a>
+</p>
 
 JavaScript AST analysis. This package has been created to export the [Node-Secure](https://github.com/ES-Community/nsecure) AST Analysis to enable better code evolution and allow better access to developers and researchers.
 
@@ -90,7 +101,8 @@ type WarningName = "parsing-error"
 | "suspicious-file"
 | "obfuscated-code"
 | "weak-crypto"
-| "unsafe-import";
+| "unsafe-import"
+| "shady-link";
 
 declare const warnings: Record<WarningName, {
   i18n: string;
@@ -126,6 +138,7 @@ This section describe all the possible warnings returned by JSXRay. Click on the
 | [suspicious-file](./docs/suspicious-file.md) | ✔️ | A suspicious file with more than ten encoded-literal in it |
 | [obfuscated-code](./docs/obfuscated-code.md) | ✔️ | There's a very high probability that the code is obfuscated. |
 | [weak-crypto](./docs/weak-crypto.md) | ✔️ | The code probably contains a weak crypto algorithm (md5, sha1...) |
+| [shady-link](./docs/shady-link.md) | ✔️ | The code contains shady/unsafe link |
 
 ## API
 
@@ -134,8 +147,9 @@ This section describe all the possible warnings returned by JSXRay. Click on the
 
 ```ts
 interface RuntimeOptions {
-    module?: boolean;
-    isMinified?: boolean;
+  module?: boolean;
+  isMinified?: boolean;
+  removeHTMLComments?: boolean;
 }
 ```
 
@@ -143,11 +157,11 @@ The method take a first argument which is the code you want to analyse. It will
 
 ```ts
 interface Report {
-    dependencies: ASTDeps;
-    warnings: Warning[];
-    idsLengthAvg: number;
-    stringScore: number;
-    isOneLineRequire: boolean;
+  dependencies: ASTDeps;
+  warnings: Warning[];
+  idsLengthAvg: number;
+  stringScore: number;
+  isOneLineRequire: boolean;
 }
 ```
 
@@ -158,8 +172,9 @@ interface Report {
 
 ```ts
 interface RuntimeOptions {
-    module?: boolean;
-    isMinified?: boolean;
+  module?: boolean;
+  isMinified?: boolean;
+  removeHTMLComments?: boolean;
 }
 ```
 
@@ -194,18 +209,18 @@ Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/d
 <table>
   <tbody>
     <tr>
-      <td align="center"><a href="https://www.linkedin.com/in/thomas-gentilhomme/"><img src="https://avatars.githubusercontent.com/u/4438263?v=4?s=100" width="100px;" alt="Gentilhomme"/><br /><sub><b>Gentilhomme</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=fraxken" title="Code">💻</a> <a href="https://github.com/NodeSecure/js-x-ray/commits?author=fraxken" title="Documentation">📖</a> <a href="https://github.com/NodeSecure/js-x-ray/pulls?q=is%3Apr+reviewed-by%3Afraxken" title="Reviewed Pull Requests">👀</a> <a href="#security-fraxken" title="Security">🛡️</a> <a href="https://github.com/NodeSecure/js-x-ray/issues?q=author%3Afraxken" title="Bug reports">🐛</a></td>
-      <td align="center"><a href="https://github.com/Rossb0b"><img src="https://avatars.githubusercontent.com/u/39910164?v=4?s=100" width="100px;" alt="Nicolas Hallaert"/><br /><sub><b>Nicolas Hallaert</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=Rossb0b" title="Documentation">📖</a></td>
-      <td align="center"><a href="https://github.com/antoine-coulon"><img src="https://avatars.githubusercontent.com/u/43391199?v=4?s=100" width="100px;" alt="Antoine"/><br /><sub><b>Antoine</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=antoine-coulon" title="Code">💻</a></td>
-      <td align="center"><a href="https://github.com/Mathieuka"><img src="https://avatars.githubusercontent.com/u/34446722?v=4?s=100" width="100px;" alt="Mathieu"/><br /><sub><b>Mathieu</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=Mathieuka" title="Code">💻</a></td>
-      <td align="center"><a href="https://github.com/Kawacrepe"><img src="https://avatars.githubusercontent.com/u/40260517?v=4?s=100" width="100px;" alt="Vincent Dhennin"/><br /><sub><b>Vincent Dhennin</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=Kawacrepe" title="Code">💻</a> <a href="https://github.com/NodeSecure/js-x-ray/commits?author=Kawacrepe" title="Tests">⚠️</a></td>
-      <td align="center"><a href="http://tonygo.dev"><img src="https://avatars.githubusercontent.com/u/22824417?v=4?s=100" width="100px;" alt="Tony Gorez"/><br /><sub><b>Tony Gorez</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=tony-go" title="Code">💻</a> <a href="https://github.com/NodeSecure/js-x-ray/commits?author=tony-go" title="Documentation">📖</a> <a href="https://github.com/NodeSecure/js-x-ray/commits?author=tony-go" title="Tests">⚠️</a></td>
-      <td align="center"><a href="https://github.com/PierreDemailly"><img src="https://avatars.githubusercontent.com/u/39910767?v=4?s=100" width="100px;" alt="PierreD"/><br /><sub><b>PierreD</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=PierreDemailly" title="Tests">⚠️</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://www.linkedin.com/in/thomas-gentilhomme/"><img src="https://avatars.githubusercontent.com/u/4438263?v=4?s=100" width="100px;" alt="Gentilhomme"/><br /><sub><b>Gentilhomme</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=fraxken" title="Code">💻</a> <a href="https://github.com/NodeSecure/js-x-ray/commits?author=fraxken" title="Documentation">📖</a> <a href="https://github.com/NodeSecure/js-x-ray/pulls?q=is%3Apr+reviewed-by%3Afraxken" title="Reviewed Pull Requests">👀</a> <a href="#security-fraxken" title="Security">🛡️</a> <a href="https://github.com/NodeSecure/js-x-ray/issues?q=author%3Afraxken" title="Bug reports">🐛</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/Rossb0b"><img src="https://avatars.githubusercontent.com/u/39910164?v=4?s=100" width="100px;" alt="Nicolas Hallaert"/><br /><sub><b>Nicolas Hallaert</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=Rossb0b" title="Documentation">📖</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/antoine-coulon"><img src="https://avatars.githubusercontent.com/u/43391199?v=4?s=100" width="100px;" alt="Antoine"/><br /><sub><b>Antoine</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=antoine-coulon" title="Code">💻</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/Mathieuka"><img src="https://avatars.githubusercontent.com/u/34446722?v=4?s=100" width="100px;" alt="Mathieu"/><br /><sub><b>Mathieu</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=Mathieuka" title="Code">💻</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/Kawacrepe"><img src="https://avatars.githubusercontent.com/u/40260517?v=4?s=100" width="100px;" alt="Vincent Dhennin"/><br /><sub><b>Vincent Dhennin</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=Kawacrepe" title="Code">💻</a> <a href="https://github.com/NodeSecure/js-x-ray/commits?author=Kawacrepe" title="Tests">⚠️</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="http://tonygo.dev"><img src="https://avatars.githubusercontent.com/u/22824417?v=4?s=100" width="100px;" alt="Tony Gorez"/><br /><sub><b>Tony Gorez</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=tony-go" title="Code">💻</a> <a href="https://github.com/NodeSecure/js-x-ray/commits?author=tony-go" title="Documentation">📖</a> <a href="https://github.com/NodeSecure/js-x-ray/commits?author=tony-go" title="Tests">⚠️</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/PierreDemailly"><img src="https://avatars.githubusercontent.com/u/39910767?v=4?s=100" width="100px;" alt="PierreD"/><br /><sub><b>PierreD</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=PierreDemailly" title="Tests">⚠️</a> <a href="https://github.com/NodeSecure/js-x-ray/commits?author=PierreDemailly" title="Code">💻</a></td>
     </tr>
     <tr>
-      <td align="center"><a href="https://www.linkedin.com/in/franck-hallaert/"><img src="https://avatars.githubusercontent.com/u/110826655?v=4?s=100" width="100px;" alt="Franck Hallaert"/><br /><sub><b>Franck Hallaert</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=Aekk0" title="Code">💻</a></td>
-      <td align="center"><a href="https://maji.kiwi"><img src="https://avatars.githubusercontent.com/u/33150916?v=4?s=100" width="100px;" alt="Maji"/><br /><sub><b>Maji</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=M4gie" title="Code">💻</a></td>
-      <td align="center"><a href="https://github.com/targos"><img src="https://avatars.githubusercontent.com/u/2352663?v=4?s=100" width="100px;" alt="Michaël Zasso"/><br /><sub><b>Michaël Zasso</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=targos" title="Code">💻</a> <a href="https://github.com/NodeSecure/js-x-ray/issues?q=author%3Atargos" title="Bug reports">🐛</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://www.linkedin.com/in/franck-hallaert/"><img src="https://avatars.githubusercontent.com/u/110826655?v=4?s=100" width="100px;" alt="Franck Hallaert"/><br /><sub><b>Franck Hallaert</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=Aekk0" title="Code">💻</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://maji.kiwi"><img src="https://avatars.githubusercontent.com/u/33150916?v=4?s=100" width="100px;" alt="Maji"/><br /><sub><b>Maji</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=M4gie" title="Code">💻</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/targos"><img src="https://avatars.githubusercontent.com/u/2352663?v=4?s=100" width="100px;" alt="Michaël Zasso"/><br /><sub><b>Michaël Zasso</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=targos" title="Code">💻</a> <a href="https://github.com/NodeSecure/js-x-ray/issues?q=author%3Atargos" title="Bug reports">🐛</a></td>
     </tr>
   </tbody>
 </table>

package/index.js

@@ -10,22 +10,30 @@ import isMinified from "is-minified-code";
 // Import Internal Dependencies
 import Analysis from "./src/Analysis.js";
 import { warnings } from "./src/warnings.js";
+import * as utils from "./src/utils.js";
 
 // CONSTANTS
 const kMeriyahDefaultOptions = {
   next: true,
   loc: true,
-  raw: true
+  raw: true,
+  jsx: true
 };
 
 export function runASTAnalysis(str, options = Object.create(null)) {
-  const { module = true, isMinified = false } = options;
+  const {
+    module = true,
+    isMinified = false,
+    removeHTMLComments = false
+  } = options;
 
   // Note: if the file start with a shebang then we remove it because 'parseScript' may fail to parse it.
   // Example: #!/usr/bin/env node
   const strToAnalyze = str.charAt(0) === "#" ? str.slice(str.indexOf("\n")) : str;
-  const isEcmaScriptModule = Boolean(module);
-  const body = parseScriptExtended(strToAnalyze, isEcmaScriptModule);
+  const body = parseScriptExtended(strToAnalyze, {
+    isEcmaScriptModule: Boolean(module),
+    removeHTMLComments
+  });
 
   const sastAnalysis = new Analysis();
   sastAnalysis.analyzeSourceString(str);
@@ -56,14 +64,20 @@ export function runASTAnalysis(str, options = Object.create(null)) {
 
 export async function runASTAnalysisOnFile(pathToFile, options = {}) {
   try {
-    const { packageName = null, module = true } = options;
+    const {
+      packageName = null,
+      module = true,
+      removeHTMLComments = false
+    } = options;
+
     const str = await fs.readFile(pathToFile, "utf-8");
     const filePathString = pathToFile instanceof URL ? pathToFile.href : pathToFile;
 
     const isMin = filePathString.includes(".min") || isMinified(str);
     const data = runASTAnalysis(str, {
       isMinified: isMin,
-      module: path.extname(filePathString) === ".mjs" ? true : module
+      module: path.extname(filePathString) === ".mjs" ? true : module,
+      removeHTMLComments
     });
     if (packageName !== null) {
       data.dependencies.removeByName(packageName);
@@ -86,21 +100,39 @@ export async function runASTAnalysisOnFile(pathToFile, options = {}) {
   }
 }
 
-function parseScriptExtended(strToAnalyze, isEcmaScriptModule) {
+function parseScriptExtended(strToAnalyze, options = {}) {
+  const { isEcmaScriptModule, removeHTMLComments } = options;
+
+  /**
+   * @see https://github.com/NodeSecure/js-x-ray/issues/109
+   */
+  const cleanedStrToAnalyze = removeHTMLComments ?
+    utils.removeHTMLComment(strToAnalyze) : strToAnalyze;
+
   try {
-    const { body } = meriyah.parseScript(strToAnalyze, {
-      ...kMeriyahDefaultOptions,
-      module: isEcmaScriptModule,
-      globalReturn: !isEcmaScriptModule
-    });
+    const { body } = meriyah.parseScript(
+      cleanedStrToAnalyze,
+      {
+        ...kMeriyahDefaultOptions,
+        module: isEcmaScriptModule,
+        globalReturn: !isEcmaScriptModule
+      }
+    );
 
     return body;
   }
   catch (error) {
-    if (error.name === "SyntaxError" && error.description.includes("The import keyword")) {
-      const { body } = meriyah.parseScript(strToAnalyze, {
-        ...kMeriyahDefaultOptions, module: true
-      });
+    if (error.name === "SyntaxError" && (
+      error.description.includes("The import keyword") ||
+      error.description.includes("The export keyword")
+    )) {
+      const { body } = meriyah.parseScript(
+        cleanedStrToAnalyze,
+        {
+          ...kMeriyahDefaultOptions,
+          module: true
+        }
+      );
 
       return body;
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nodesecure/js-x-ray",
-  "version": "6.0.0",
+  "version": "6.1.0",
   "description": "JavaScript AST XRay analysis",
   "type": "module",
   "exports": "./index.js",
@@ -39,7 +39,7 @@
   },
   "homepage": "https://github.com/NodeSecure/js-x-ray#readme",
   "dependencies": {
-    "@nodesecure/estree-ast-utils": "^1.3.0",
+    "@nodesecure/estree-ast-utils": "^1.3.1",
     "@nodesecure/sec-literal": "^1.2.0",
     "estree-walker": "^3.0.1",
     "is-minified-code": "^2.0.0",
@@ -48,7 +48,7 @@
   },
   "devDependencies": {
     "@nodesecure/eslint-config": "^1.6.0",
-    "@slimio/is": "^1.5.1",
+    "@slimio/is": "^2.0.0",
     "@small-tech/esm-tape-runner": "^2.0.0",
     "@small-tech/tap-monkey": "^1.4.0",
     "@types/node": "^18.11.18",

package/src/obfuscators/freejsobfuscator.js

@@ -1,9 +1,9 @@
-// Import Third-party Dependencies
-import { Utils } from "@nodesecure/sec-literal";
-
-export function verify(analysis, prefix) {
-  const pValue = Object.keys(prefix).pop();
-  const regexStr = `^${Utils.escapeRegExp(pValue)}[a-zA-Z]{1,2}[0-9]{0,2}$`;
-
-  return analysis.identifiersName.every(({ name }) => new RegExp(regexStr).test(name));
-}
+// Import Third-party Dependencies
+import { Utils } from "@nodesecure/sec-literal";
+
+export function verify(analysis, prefix) {
+  const pValue = Object.keys(prefix).pop();
+  const regexStr = `^${Utils.escapeRegExp(pValue)}[a-zA-Z]{1,2}[0-9]{0,2}$`;
+
+  return analysis.identifiersName.every(({ name }) => new RegExp(regexStr).test(name));
+}

package/src/obfuscators/index.js

@@ -25,8 +25,12 @@ export function isObfuscatedCode(analysis) {
   }
   else {
     // TODO: also implement Dictionnary checkup
+    const identifiers = analysis.identifiersName
+      .map((value) => value?.name ?? null)
+      .filter((name) => typeof name === "string");
+
     const { prefix, oneTimeOccurence } = Patterns.commonHexadecimalPrefix(
-      analysis.identifiersName.map((value) => value.name)
+      identifiers
     );
     const uPrefixNames = new Set(Object.keys(prefix));
 

package/src/probes/isAssignmentExpression.js

@@ -1,29 +1,29 @@
-// Import Third-party Dependencies
-import { getVariableDeclarationIdentifiers } from "@nodesecure/estree-ast-utils";
-
-/**
- * @description Search for AssignmentExpression (Not to be confused with AssignmentPattern).
- *
- * @see https://github.com/estree/estree/blob/master/es5.md#assignmentexpression
- * @example
- * (foo = 5)
- */
-function validateNode(node) {
-  return [
-    node.type === "AssignmentExpression"
-  ];
-}
-
-function main(node, options) {
-  const { analysis } = options;
-
-  analysis.idtypes.assignExpr++;
-  for (const { name } of getVariableDeclarationIdentifiers(node.left)) {
-    analysis.identifiersName.push({ name, type: "assignExpr" });
-  }
-}
-
-export default {
-  name: "isAssignmentExpression",
-  validateNode, main, breakOnMatch: false
-};
+// Import Third-party Dependencies
+import { getVariableDeclarationIdentifiers } from "@nodesecure/estree-ast-utils";
+
+/**
+ * @description Search for AssignmentExpression (Not to be confused with AssignmentPattern).
+ *
+ * @see https://github.com/estree/estree/blob/master/es5.md#assignmentexpression
+ * @example
+ * (foo = 5)
+ */
+function validateNode(node) {
+  return [
+    node.type === "AssignmentExpression"
+  ];
+}
+
+function main(node, options) {
+  const { analysis } = options;
+
+  analysis.idtypes.assignExpr++;
+  for (const { name } of getVariableDeclarationIdentifiers(node.left)) {
+    analysis.identifiersName.push({ name, type: "assignExpr" });
+  }
+}
+
+export default {
+  name: "isAssignmentExpression",
+  validateNode, main, breakOnMatch: false
+};

package/src/probes/isLiteral.js

@@ -1,49 +1,61 @@
-// Import Node.js Dependencies
-import { builtinModules } from "repl";
-
-// Import Third-party Dependencies
-import { Hex } from "@nodesecure/sec-literal";
-
-// CONSTANTS
-const kNodeDeps = new Set(builtinModules);
-
-/**
- * @description Search for Literal AST Node
- * @see https://github.com/estree/estree/blob/master/es5.md#literal
- * @example
- * "foobar"
- */
-function validateNode(node) {
-  return [
-    node.type === "Literal" && typeof node.value === "string"
-  ];
-}
-
-function main(node, options) {
-  const { analysis } = options;
-
-  // We are searching for value obfuscated as hex of a minimum length of 4.
-  if (/^[0-9A-Fa-f]{4,}$/g.test(node.value)) {
-    const value = Buffer.from(node.value, "hex").toString();
-    analysis.analyzeString(value);
-
-    // If the value we are retrieving is the name of a Node.js dependency,
-    // then we add it to the dependencies list and we throw an unsafe-import at the current location.
-    if (kNodeDeps.has(value)) {
-      analysis.dependencies.add(value, node.loc);
-      analysis.addWarning("unsafe-import", null, node.loc);
-    }
-    else if (value === "require" || !Hex.isSafe(node.value)) {
-      analysis.addWarning("encoded-literal", node.value, node.loc);
-    }
-  }
-  // Else we are checking all other string with our suspect method
-  else {
-    analysis.analyzeLiteral(node);
-  }
-}
-
-export default {
-  name: "isLiteral",
-  validateNode, main, breakOnMatch: false
-};
+// Import Node.js Dependencies
+import { builtinModules } from "repl";
+
+// Import Third-party Dependencies
+import { Hex } from "@nodesecure/sec-literal";
+
+// CONSTANTS
+const kNodeDeps = new Set(builtinModules);
+const kShadyLinkRegExps = [
+  /(http[s]?:\/\/bit\.ly.*)$/,
+  /(http[s]?:\/\/.*\.(link|xyz|tk|ml|ga|cf|gq|pw|top|club|mw|bd|ke|am|sbs|date|quest|cd|bid|cd|ws|icu|cam|uno|email|stream))$/
+];
+
+/**
+ * @description Search for Literal AST Node
+ * @see https://github.com/estree/estree/blob/master/es5.md#literal
+ * @example
+ * "foobar"
+ */
+function validateNode(node) {
+  return [
+    node.type === "Literal" && typeof node.value === "string"
+  ];
+}
+
+function main(node, options) {
+  const { analysis } = options;
+
+  // We are searching for value obfuscated as hex of a minimum length of 4.
+  if (/^[0-9A-Fa-f]{4,}$/g.test(node.value)) {
+    const value = Buffer.from(node.value, "hex").toString();
+    analysis.analyzeString(value);
+
+    // If the value we are retrieving is the name of a Node.js dependency,
+    // then we add it to the dependencies list and we throw an unsafe-import at the current location.
+    if (kNodeDeps.has(value)) {
+      analysis.dependencies.add(value, node.loc);
+      analysis.addWarning("unsafe-import", null, node.loc);
+    }
+    else if (value === "require" || !Hex.isSafe(node.value)) {
+      analysis.addWarning("encoded-literal", node.value, node.loc);
+    }
+  }
+  // Else we are checking all other string with our suspect method
+  else {
+    for (const regex of kShadyLinkRegExps) {
+      if (regex.test(node.value)) {
+        analysis.addWarning("shady-link", node.value, node.loc);
+
+        return;
+      }
+    }
+
+    analysis.analyzeLiteral(node);
+  }
+}
+
+export default {
+  name: "isLiteral",
+  validateNode, main, breakOnMatch: false
+};

package/src/utils.js

@@ -42,3 +42,7 @@ export function extractNode(expectedType) {
     }
   };
 }
+
+export function removeHTMLComment(str) {
+  return str.replace(/<!--[\s\S]*?(?:-->)/g, "");
+}

package/src/warnings.js

@@ -45,6 +45,11 @@ export const warnings = Object.freeze({
     i18n: "sast_warnings.weak_crypto",
     severity: "Information",
     experimental: true
+  },
+  "shady-link": {
+    i18n: "sast_warnings.shady_link",
+    severity: "Warning",
+    experimental: true
   }
 });
 

package/types/api.d.ts

@@ -13,8 +13,18 @@ export {
 }
 
 interface RuntimeOptions {
+  /**
+   * @default true
+   */
   module?: boolean;
+  /**
+   * @default false
+   */
   isMinified?: boolean;
+  /**
+   * @default false
+   */
+  removeHTMLComments?: boolean;
 }
 
 interface Report {
@@ -27,7 +37,14 @@ interface Report {
 
 interface RuntimeFileOptions {
   packageName?: string;
+  /**
+   * @default true
+   */
   module?: boolean;
+  /**
+   * @default false
+   */
+  removeHTMLComments?: boolean;
 }
 
 type ReportOnFile = {

package/types/warnings.d.ts

@@ -15,7 +15,8 @@ type WarningNameWithValue = "parsing-error"
 | "suspicious-literal"
 | "suspicious-file"
 | "obfuscated-code"
-| "weak-crypto";
+| "weak-crypto"
+| "shady-link";
 type WarningName = WarningNameWithValue | "unsafe-import";
 
 type WarningLocation = [[number, number], [number, number]];