@nodesecure/js-x-ray 6.2.1 → 7.0.0

package/src/probes/isRequire.js

@@ -1,164 +0,0 @@
-/* eslint-disable consistent-return */
-
-// Import Third-party Dependencies
-import { Hex } from "@nodesecure/sec-literal";
-import { walk } from "estree-walker";
-import {
-  concatBinaryExpression,
-  arrayExpressionToString,
-  getMemberExpressionIdentifier,
-  getCallExpressionIdentifier,
-  getCallExpressionArguments
-} from "@nodesecure/estree-ast-utils";
-
-function validateNode(node, { tracer }) {
-  const id = getCallExpressionIdentifier(node);
-  if (id === null) {
-    return [false];
-  }
-
-  const data = tracer.getDataFromIdentifier(id);
-
-  return [
-    data !== null && data.name === "require",
-    data?.identifierOrMemberExpr ?? void 0
-  ];
-}
-
-function main(node, options) {
-  const { analysis } = options;
-  const { tracer } = analysis;
-
-  if (node.arguments.length === 0) {
-    return;
-  }
-  const arg = node.arguments.at(0);
-
-  switch (arg.type) {
-    // const foo = "http"; require(foo);
-    case "Identifier":
-      if (analysis.tracer.literalIdentifiers.has(arg.name)) {
-        analysis.dependencies.add(
-          analysis.tracer.literalIdentifiers.get(arg.name),
-          node.loc
-        );
-      }
-      else {
-        analysis.addWarning("unsafe-import", null, node.loc);
-      }
-      break;
-
-    // require("http")
-    case "Literal":
-      analysis.dependencies.add(arg.value, node.loc);
-      break;
-
-    // require(["ht", "tp"])
-    case "ArrayExpression": {
-      const value = [...arrayExpressionToString(arg, { tracer })]
-        .join("")
-        .trim();
-
-      if (value === "") {
-        analysis.addWarning("unsafe-import", null, node.loc);
-      }
-      else {
-        analysis.dependencies.add(value, node.loc);
-      }
-      break;
-    }
-
-    // require("ht" + "tp");
-    case "BinaryExpression": {
-      if (arg.operator !== "+") {
-        analysis.addWarning("unsafe-import", null, node.loc);
-        break;
-      }
-
-      try {
-        const iter = concatBinaryExpression(arg, {
-          tracer, stopOnUnsupportedNode: true
-        });
-
-        analysis.dependencies.add([...iter].join(""), node.loc);
-      }
-      catch {
-        analysis.addWarning("unsafe-import", null, node.loc);
-      }
-      break;
-    }
-
-    // require(Buffer.from("...", "hex").toString());
-    case "CallExpression": {
-      walkRequireCallExpression(arg, tracer)
-        .forEach((depName) => analysis.dependencies.add(depName, node.loc, true));
-
-      analysis.addWarning("unsafe-import", null, node.loc);
-
-      // We skip walking the tree to avoid anymore warnings...
-      return Symbol.for("skipWalk");
-    }
-
-    default:
-      analysis.addWarning("unsafe-import", null, node.loc);
-  }
-}
-
-function walkRequireCallExpression(nodeToWalk, tracer) {
-  const dependencies = new Set();
-
-  walk(nodeToWalk, {
-    enter(node) {
-      if (node.type !== "CallExpression" || node.arguments.length === 0) {
-        return;
-      }
-
-      const rootArgument = node.arguments.at(0);
-      if (rootArgument.type === "Literal" && Hex.isHex(rootArgument.value)) {
-        dependencies.add(Buffer.from(rootArgument.value, "hex").toString());
-
-        return this.skip();
-      }
-
-      const fullName = node.callee.type === "MemberExpression" ?
-        [...getMemberExpressionIdentifier(node.callee)].join(".") :
-        node.callee.name;
-      const tracedFullName = tracer.getDataFromIdentifier(fullName)?.identifierOrMemberExpr ?? fullName;
-
-      switch (tracedFullName) {
-        case "atob": {
-          const nodeArguments = getCallExpressionArguments(node, { tracer });
-          if (nodeArguments !== null) {
-            dependencies.add(
-              Buffer.from(nodeArguments.at(0), "base64").toString()
-            );
-          }
-
-          break;
-        }
-        case "Buffer.from": {
-          const [element] = node.arguments;
-
-          if (element.type === "ArrayExpression") {
-            const depName = [...arrayExpressionToString(element)].join("").trim();
-            dependencies.add(depName);
-          }
-          break;
-        }
-        case "require.resolve": {
-          if (rootArgument.type === "Literal") {
-            dependencies.add(rootArgument.value);
-          }
-          break;
-        }
-      }
-    }
-  });
-
-  return [...dependencies];
-}
-
-export default {
-  name: "isRequire",
-  validateNode, main, breakOnMatch: true, breakGroup: "import"
-};

package/src/probes/isUnaryExpression.js

@@ -1,26 +0,0 @@
-/**
- * @description Search for UnaryExpression AST Node
- * @see https://github.com/estree/estree/blob/master/es5.md#unaryexpression
- * @example
- * -2
- */
-function validateNode(node) {
-  return [
-    node.type === "UnaryExpression"
-  ];
-}
-
-function main(node, options) {
-  const { analysis } = options;
-
-  // Example: !![]
-  // See: https://docs.google.com/document/d/11ZrfW0bDQ-kd7Gr_Ixqyk8p3TGvxckmhFH3Z8dFoPhY/edit#
-  if (node.argument.type === "UnaryExpression" && node.argument.argument.type === "ArrayExpression") {
-    analysis.counter.doubleUnaryArray++;
-  }
-}
-
-export default {
-  name: "isUnaryExpression",
-  validateNode, main, breakOnMatch: false
-};

package/src/probes/isVariableDeclaration.js

@@ -1,30 +0,0 @@
-// Import Third-party Dependencies
-import {
-  getVariableDeclarationIdentifiers
-} from "@nodesecure/estree-ast-utils";
-
-// In case we are matching a Variable declaration, we have to save the identifier
-// This allow the AST Analysis to retrieve required dependency when the stmt is mixed with variables.
-function validateNode(node) {
-  return [
-    node.type === "VariableDeclaration"
-  ];
-}
-
-function main(mainNode, options) {
-  const { analysis } = options;
-
-  analysis.varkinds[mainNode.kind]++;
-
-  for (const node of mainNode.declarations) {
-    analysis.idtypes.variableDeclarator++;
-    for (const { name } of getVariableDeclarationIdentifiers(node.id)) {
-      analysis.identifiersName.push({ name, type: "variableDeclarator" });
-    }
-  }
-}
-
-export default {
-  name: "isVariableDeclaration",
-  validateNode, main, breakOnMatch: false
-};

package/src/utils.js

@@ -1,48 +0,0 @@
-// Import Third-party Dependencies
-import {
-  getCallExpressionIdentifier
-} from "@nodesecure/estree-ast-utils";
-
-export function notNullOrUndefined(value) {
-  return value !== null && value !== void 0;
-}
-
-export function isUnsafeCallee(node) {
-  const identifier = getCallExpressionIdentifier(node);
-
-  // For Function we are looking for this: `Function("...")();`
-  // A double CallExpression
-  return [
-    identifier === "eval" || (identifier === "Function" && node.callee.type === "CallExpression"),
-    identifier
-  ];
-}
-
-export function rootLocation() {
-  return { start: { line: 0, column: 0 }, end: { line: 0, column: 0 } };
-}
-
-export function toArrayLocation(location = rootLocation()) {
-  const { start, end = start } = location;
-
-  return [
-    [start.line || 0, start.column || 0],
-    [end.line || 0, end.column || 0]
-  ];
-}
-
-export function extractNode(expectedType) {
-  return (callback, nodes) => {
-    const finalNodes = Array.isArray(nodes) ? nodes : [nodes];
-
-    for (const node of finalNodes) {
-      if (notNullOrUndefined(node) && node.type === expectedType) {
-        callback(node);
-      }
-    }
-  };
-}
-
-export function removeHTMLComment(str) {
-  return str.replace(/<!--[\s\S]*?(?:-->)/g, "");
-}

package/types/astdeps.d.ts

@@ -1,33 +0,0 @@
-export {
-  ASTDeps,
-  SourceLocation,
-  Dependency
-}
-
-interface SourceLocation {
-  start: {
-    line: number;
-    column: number;
-  };
-  end: {
-    line: number;
-    column: number;
-  }
-}
-
-interface Dependency {
-  unsafe: boolean;
-  inTry: boolean;
-  location?: SourceLocation;
-}
-
-declare class ASTDeps {
-  constructor();
-  removeByName(name: string): void;
-  add(depName: string): void;
-  getDependenciesInTryStatement(): IterableIterator<string>;
-
-  public isInTryStmt: boolean;
-  public dependencies: Record<string, Dependency>;
-  public readonly size: number;
-}