@nodesecure/js-x-ray 6.1.0 → 6.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +4 -3
- package/package.json +8 -12
- package/src/Analysis.js +1 -1
- package/src/obfuscators/index.js +0 -5
- package/src/probes/isRequire.js +17 -4
- package/src/warnings.js +5 -5
- package/types/warnings.d.ts +1 -0
package/README.md
|
@@ -7,7 +7,7 @@
|
|
|
7
7
|
<img src="https://img.shields.io/badge/dynamic/json.svg?style=for-the-badge&url=https://raw.githubusercontent.com/NodeSecure/js-x-ray/master/package.json&query=$.version&label=Version" alt="npm version">
|
|
8
8
|
</a>
|
|
9
9
|
<a href="https://github.com/NodeSecure/js-x-ray/blob/master/LICENSE">
|
|
10
|
-
<img src="https://img.shields.io/github/license/
|
|
10
|
+
<img src="https://img.shields.io/github/license/NodeSecure/js-x-ray.svg?style=for-the-badge" alt="license">
|
|
11
11
|
</a>
|
|
12
12
|
<a href="https://api.securityscorecards.dev/projects/github.com/NodeSecure/js-x-ray">
|
|
13
13
|
<img src="https://api.securityscorecards.dev/projects/github.com/NodeSecure/js-x-ray/badge?style=for-the-badge" alt="ossf scorecard">
|
|
@@ -117,7 +117,7 @@ We make a call to `i18n` through the package `NodeSecure/i18n` to get the transl
|
|
|
117
117
|
import * as jsxray from "@nodesecure/js-x-ray";
|
|
118
118
|
import * as i18n from "@nodesecure/i18n";
|
|
119
119
|
|
|
120
|
-
console.log(i18n.
|
|
120
|
+
console.log(i18n.getTokenSync(jsxray.warnings["parsing-error"].i18n));
|
|
121
121
|
```
|
|
122
122
|
|
|
123
123
|
## Warnings Legends
|
|
@@ -198,7 +198,7 @@ export type ReportOnFile = {
|
|
|
198
198
|
## Contributors ✨
|
|
199
199
|
|
|
200
200
|
<!-- ALL-CONTRIBUTORS-BADGE:START - Do not remove or modify this section -->
|
|
201
|
-
[](#contributors-)
|
|
202
202
|
<!-- ALL-CONTRIBUTORS-BADGE:END -->
|
|
203
203
|
|
|
204
204
|
Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):
|
|
@@ -221,6 +221,7 @@ Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/d
|
|
|
221
221
|
<td align="center" valign="top" width="14.28%"><a href="https://www.linkedin.com/in/franck-hallaert/"><img src="https://avatars.githubusercontent.com/u/110826655?v=4?s=100" width="100px;" alt="Franck Hallaert"/><br /><sub><b>Franck Hallaert</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=Aekk0" title="Code">💻</a></td>
|
|
222
222
|
<td align="center" valign="top" width="14.28%"><a href="https://maji.kiwi"><img src="https://avatars.githubusercontent.com/u/33150916?v=4?s=100" width="100px;" alt="Maji"/><br /><sub><b>Maji</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=M4gie" title="Code">💻</a></td>
|
|
223
223
|
<td align="center" valign="top" width="14.28%"><a href="https://github.com/targos"><img src="https://avatars.githubusercontent.com/u/2352663?v=4?s=100" width="100px;" alt="Michaël Zasso"/><br /><sub><b>Michaël Zasso</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=targos" title="Code">💻</a> <a href="https://github.com/NodeSecure/js-x-ray/issues?q=author%3Atargos" title="Bug reports">🐛</a></td>
|
|
224
|
+
<td align="center" valign="top" width="14.28%"><a href="https://github.com/fabnguess"><img src="https://avatars.githubusercontent.com/u/72697416?v=4?s=100" width="100px;" alt="Kouadio Fabrice Nguessan"/><br /><sub><b>Kouadio Fabrice Nguessan</b></sub></a><br /><a href="#maintenance-fabnguess" title="Maintenance">🚧</a> <a href="https://github.com/NodeSecure/js-x-ray/commits?author=fabnguess" title="Code">💻</a></td>
|
|
224
225
|
</tr>
|
|
225
226
|
</tbody>
|
|
226
227
|
</table>
|
package/package.json
|
@@ -1,18 +1,18 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@nodesecure/js-x-ray",
|
|
3
|
-
"version": "6.
|
|
3
|
+
"version": "6.2.0",
|
|
4
4
|
"description": "JavaScript AST XRay analysis",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"exports": "./index.js",
|
|
7
7
|
"engines": {
|
|
8
|
-
"node": "
|
|
8
|
+
"node": ">=18.0.0"
|
|
9
9
|
},
|
|
10
10
|
"scripts": {
|
|
11
11
|
"lint": "eslint src test",
|
|
12
12
|
"prepublishOnly": "pkg-ok",
|
|
13
|
-
"test-only": "
|
|
13
|
+
"test-only": "glob -c \"node --test-reporter=spec --test\" \"./test/**/*.spec.js\"",
|
|
14
14
|
"test": "c8 --all --src ./src -r html npm run test-only",
|
|
15
|
-
"check": "
|
|
15
|
+
"check": "npm run lint && npm run test-only"
|
|
16
16
|
},
|
|
17
17
|
"repository": {
|
|
18
18
|
"type": "git",
|
|
@@ -48,14 +48,10 @@
|
|
|
48
48
|
},
|
|
49
49
|
"devDependencies": {
|
|
50
50
|
"@nodesecure/eslint-config": "^1.6.0",
|
|
51
|
-
"@
|
|
52
|
-
"
|
|
53
|
-
"@small-tech/tap-monkey": "^1.4.0",
|
|
54
|
-
"@types/node": "^18.11.18",
|
|
55
|
-
"c8": "^7.12.0",
|
|
56
|
-
"cross-env": "^7.0.3",
|
|
51
|
+
"@types/node": "^20.6.2",
|
|
52
|
+
"c8": "^8.0.1",
|
|
57
53
|
"eslint": "^8.31.0",
|
|
58
|
-
"
|
|
59
|
-
"
|
|
54
|
+
"glob": "^10.3.4",
|
|
55
|
+
"pkg-ok": "^3.0.0"
|
|
60
56
|
}
|
|
61
57
|
}
|
package/src/Analysis.js
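--- a/package/src/obfuscators/index.js
+++ b/package/src/obfuscators/index.js
@@ -37,11 +37,6 @@ export function isObfuscatedCode(analysis) {
 if (analysis.counter.identifiers > kMinimumIdsCount && uPrefixNames.size > 0) {
 analysis.hasPrefixedIdentifiers = calcAvgPrefixedIdentifiers(analysis, prefix) > 80;
 }
-// console.log(prefix);
-// console.log(oneTimeOccurence);
-// console.log(analysis.hasPrefixedIdentifiers);
-// console.log(analysis.counter.identifiers);
-// console.log(analysis.counter.encodedArrayValue);
 
 if (uPrefixNames.size === 1 && freejsobfuscator.verify(analysis, prefix)) {
 encoderName = "freejsobfuscator";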
package/src/probes/isRequire.js
|
@@ -7,7 +7,8 @@ import {
|
|
|
7
7
|
concatBinaryExpression,
|
|
8
8
|
arrayExpressionToString,
|
|
9
9
|
getMemberExpressionIdentifier,
|
|
10
|
-
getCallExpressionIdentifier
|
|
10
|
+
getCallExpressionIdentifier,
|
|
11
|
+
getCallExpressionArguments
|
|
11
12
|
} from "@nodesecure/estree-ast-utils";
|
|
12
13
|
|
|
13
14
|
function validateNode(node, { tracer }) {
|
|
@@ -89,7 +90,7 @@ function main(node, options) {
|
|
|
89
90
|
|
|
90
91
|
// require(Buffer.from("...", "hex").toString());
|
|
91
92
|
case "CallExpression": {
|
|
92
|
-
walkRequireCallExpression(arg)
|
|
93
|
+
walkRequireCallExpression(arg, tracer)
|
|
93
94
|
.forEach((depName) => analysis.dependencies.add(depName, node.loc, true));
|
|
94
95
|
|
|
95
96
|
analysis.addWarning("unsafe-import", null, node.loc);
|
|
@@ -103,7 +104,7 @@ function main(node, options) {
|
|
|
103
104
|
}
|
|
104
105
|
}
|
|
105
106
|
|
|
106
|
-
function walkRequireCallExpression(nodeToWalk) {
|
|
107
|
+
function walkRequireCallExpression(nodeToWalk, tracer) {
|
|
107
108
|
const dependencies = new Set();
|
|
108
109
|
|
|
109
110
|
walk(nodeToWalk, {
|
|
@@ -122,8 +123,19 @@ function walkRequireCallExpression(nodeToWalk) {
|
|
|
122
123
|
const fullName = node.callee.type === "MemberExpression" ?
|
|
123
124
|
[...getMemberExpressionIdentifier(node.callee)].join(".") :
|
|
124
125
|
node.callee.name;
|
|
126
|
+
const tracedFullName = tracer.getDataFromIdentifier(fullName)?.identifierOrMemberExpr ?? fullName;
|
|
127
|
+
|
|
128
|
+
switch (tracedFullName) {
|
|
129
|
+
case "atob": {
|
|
130
|
+
const nodeArguments = getCallExpressionArguments(node, { tracer });
|
|
131
|
+
if (nodeArguments !== null) {
|
|
132
|
+
dependencies.add(
|
|
133
|
+
Buffer.from(nodeArguments.at(0), "base64").toString()
|
|
134
|
+
);
|
|
135
|
+
}
|
|
125
136
|
|
|
126
|
-
|
|
137
|
+
break;
|
|
138
|
+
}
|
|
127
139
|
case "Buffer.from": {
|
|
128
140
|
const [element] = node.arguments;
|
|
129
141
|
|
|
@@ -134,6 +146,7 @@ function walkRequireCallExpression(nodeToWalk) {
|
|
|
134
146
|
break;
|
|
135
147
|
}
|
|
136
148
|
case "require.resolve": {
|
|
149
|
+
console.log("require.resolve!");
|
|
137
150
|
if (rootArgument.type === "Literal") {
|
|
138
151
|
dependencies.add(rootArgument.value);
|
|
139
152
|
}
|
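Review bot: The `console.log("require.resolve!");` added in the `require.resolve` case of walkRequireCallExpression (hunk @@ -134,6 +146,7) is leftover debug output that will be written to stdout of every consumer for each scanned file containing a `require.resolve(...)` call, and should be deleted; the obfuscators/index.js section of this same release removes exactly this kind of leftover. In the new `atob` case of the same function (hunk @@ -122,8 +123,19), `Buffer.from(nodeArguments.at(0), "base64")` throws a TypeError when the resolved argument list is empty or its first entry is not a string, so a malformed or deliberately crafted `atob()` call in the scanned source would abort the whole analysis instead of being reported; unless getCallExpressionArguments already guarantees a non-empty string array (not visible here), guard it with `const [encoded] = nodeArguments; if (typeof encoded === "string") { dependencies.add(Buffer.from(encoded, "base64").toString()); }`. walkRequireCallExpression's body starts before and ends after these hunks.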
package/src/warnings.js
|
@@ -2,8 +2,8 @@
|
|
|
2
2
|
import * as utils from "./utils.js";
|
|
3
3
|
|
|
4
4
|
export const warnings = Object.freeze({
|
|
5
|
-
"
|
|
6
|
-
i18n: "sast_warnings.
|
|
5
|
+
"parsing-error": {
|
|
6
|
+
i18n: "sast_warnings.parsing_error",
|
|
7
7
|
severity: "Information"
|
|
8
8
|
},
|
|
9
9
|
"unsafe-import": {
|
|
@@ -54,16 +54,16 @@ export const warnings = Object.freeze({
|
|
|
54
54
|
});
|
|
55
55
|
|
|
56
56
|
export function generateWarning(kind, options) {
|
|
57
|
-
const { location, file = null, value = null } = options;
|
|
57
|
+
const { location, file = null, value = null, source = "JS-X-Ray" } = options;
|
|
58
58
|
|
|
59
59
|
if (kind === "encoded-literal") {
|
|
60
60
|
return Object.assign(
|
|
61
|
-
{ kind, value, location: [utils.toArrayLocation(location)] },
|
|
61
|
+
{ kind, value, location: [utils.toArrayLocation(location)], source },
|
|
62
62
|
warnings[kind]
|
|
63
63
|
);
|
|
64
64
|
}
|
|
65
65
|
|
|
66
|
-
const result = { kind, location: utils.toArrayLocation(location) };
|
|
66
|
+
const result = { kind, location: utils.toArrayLocation(location), source };
|
|
67
67
|
if (utils.notNullOrUndefined(file)) {
|
|
68
68
|
result.file = file;
|
|
69
69
|
}
|
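Review bot: The new `source` option of generateWarning (hunk @@ -54,16 +54,16) is undocumented and unvalidated: the destructuring default only supplies `"JS-X-Ray"` when `options.source` is undefined, so a caller passing `null` or `""` gets that value copied verbatim into the emitted warning, which downstream consumers filtering on `source` will not expect. A JSDoc line above the function such as `@param {string} [options.source="JS-X-Ray"] - Name of the tool or probe that produced the warning` would state the contract, and if non-string values are not intended the default could be applied with `const source = typeof options.source === "string" ? options.source : "JS-X-Ray";` instead of the destructuring default. generateWarning's body continues past the end of this hunk.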