@nodesecure/js-x-ray 6.3.0 → 7.1.0

package/src/probes/isRequire/isRequire.js

@@ -0,0 +1,142 @@
+/* eslint-disable consistent-return */
+
+import {
+  concatBinaryExpression,
+  arrayExpressionToString,
+  getCallExpressionIdentifier,
+  getCallExpressionArguments
+} from "@nodesecure/estree-ast-utils";
+import { ProbeSignals } from "../../ProbeRunner.js";
+import { RequireCallExpressionWalker } from "./RequireCallExpressionWalker.js";
+
+function validateNodeRequire(node, { tracer }) {
+  const id = getCallExpressionIdentifier(node, {
+    resolveCallExpression: false
+  });
+  if (id === null) {
+    return [false];
+  }
+
+  const data = tracer.getDataFromIdentifier(id);
+
+  return [
+    data !== null && data.name === "require",
+    id ?? void 0
+  ];
+}
+
+function validateNodeEvalRequire(node) {
+  const id = getCallExpressionIdentifier(node);
+
+  if (id !== "eval") {
+    return [false];
+  }
+  if (node.callee.type !== "CallExpression") {
+    return [false];
+  }
+
+  const args = getCallExpressionArguments(node.callee);
+
+  return [
+    args.length > 0 && args.at(0) === "require",
+    id
+  ];
+}
+
+function teardown({ sourceFile }) {
+  sourceFile.dependencyAutoWarning = false;
+}
+
+function main(node, options) {
+  const { sourceFile, data: calleeName } = options;
+  const { tracer } = sourceFile;
+
+  if (node.arguments.length === 0) {
+    return;
+  }
+  const arg = node.arguments.at(0);
+
+  if (calleeName === "eval") {
+    sourceFile.dependencyAutoWarning = true;
+  }
+
+  switch (arg.type) {
+    // const foo = "http"; require(foo);
+    case "Identifier":
+      if (sourceFile.tracer.literalIdentifiers.has(arg.name)) {
+        sourceFile.addDependency(
+          sourceFile.tracer.literalIdentifiers.get(arg.name),
+          node.loc
+        );
+      }
+      else {
+        sourceFile.addWarning("unsafe-import", null, node.loc);
+      }
+      break;
+
+    // require("http")
+    case "Literal":
+      sourceFile.addDependency(arg.value, node.loc);
+      break;
+
+    // require(["ht", "tp"])
+    case "ArrayExpression": {
+      const value = [...arrayExpressionToString(arg, { tracer })]
+        .join("")
+        .trim();
+
+      if (value === "") {
+        sourceFile.addWarning("unsafe-import", null, node.loc);
+      }
+      else {
+        sourceFile.addDependency(value, node.loc);
+      }
+      break;
+    }
+
+    // require("ht" + "tp");
+    case "BinaryExpression": {
+      if (arg.operator !== "+") {
+        sourceFile.addWarning("unsafe-import", null, node.loc);
+        break;
+      }
+
+      try {
+        const iter = concatBinaryExpression(arg, {
+          tracer, stopOnUnsupportedNode: true
+        });
+
+        sourceFile.addDependency([...iter].join(""), node.loc);
+      }
+      catch {
+        sourceFile.addWarning("unsafe-import", null, node.loc);
+      }
+      break;
+    }
+
+    // require(Buffer.from("...", "hex").toString());
+    case "CallExpression": {
+      const walker = new RequireCallExpressionWalker(tracer);
+      const { dependencies, triggerWarning } = walker.walk(arg);
+      dependencies.forEach((depName) => sourceFile.addDependency(depName, node.loc, true));
+
+      if (triggerWarning) {
+        sourceFile.addWarning("unsafe-import", null, node.loc);
+      }
+
+      // We skip walking the tree to avoid anymore warnings...
+      return ProbeSignals.Skip;
+    }
+
+    default:
+      sourceFile.addWarning("unsafe-import", null, node.loc);
+  }
+}
+
+export default {
+  name: "isRequire",
+  validateNode: [validateNodeRequire, validateNodeEvalRequire],
+  main,
+  breakOnMatch: true,
+  breakGroup: "import"
+};

package/src/probes/isUnsafeCallee.js

@@ -1,5 +1,6 @@
 // Import Internal Dependencies
-import { isUnsafeCallee } from "../utils.js";
+import { isUnsafeCallee } from "../utils/index.js";
+import { ProbeSignals } from "../ProbeRunner.js";
 
 /**
  * @description Detect unsafe statement
@@ -12,14 +13,23 @@ function validateNode(node) {
 }
 
 function main(node, options) {
-  const { analysis, data: calleeName } = options;
+  const { sourceFile, data: calleeName } = options;
 
-  analysis.addWarning("unsafe-stmt", calleeName, node.loc);
+  if (
+    calleeName === "Function" &&
+    node.callee.arguments.length > 0 &&
+    node.callee.arguments[0].value === "return this"
+  ) {
+    return ProbeSignals.Skip;
+  }
+  sourceFile.addWarning("unsafe-stmt", calleeName, node.loc);
 
-  return Symbol.for("skipWalk");
+  return ProbeSignals.Skip;
 }
 
 export default {
   name: "isUnsafeCallee",
-  validateNode, main, breakOnMatch: false
+  validateNode,
+  main,
+  breakOnMatch: false
 };

package/src/probes/isWeakCrypto.js

@@ -21,15 +21,17 @@ function validateNode(node, { tracer }) {
   return [data !== null && data.identifierOrMemberExpr === "crypto.createHash"];
 }
 
-function main(node, { analysis }) {
+function main(node, { sourceFile }) {
   const arg = node.arguments.at(0);
 
   if (kWeakAlgorithms.has(arg.value)) {
-    analysis.addWarning("weak-crypto", arg.value, node.loc);
+    sourceFile.addWarning("weak-crypto", arg.value, node.loc);
   }
 }
 
 export default {
   name: "isWeakCrypto",
-  validateNode, main, breakOnMatch: false
+  validateNode,
+  main,
+  breakOnMatch: false
 };

package/src/utils/exportAssignmentHasRequireLeave.js

@@ -0,0 +1,40 @@
+// Import Third-party Dependencies
+import {
+  getCallExpressionIdentifier
+} from "@nodesecure/estree-ast-utils";
+
+export function exportAssignmentHasRequireLeave(expr) {
+  if (expr.type === "LogicalExpression") {
+    return atLeastOneBranchHasRequireLeave(expr.left, expr.right);
+  }
+
+  if (expr.type === "ConditionalExpression") {
+    return atLeastOneBranchHasRequireLeave(expr.consequent, expr.alternate);
+  }
+
+  if (expr.type === "CallExpression") {
+    return getCallExpressionIdentifier(expr) === "require";
+  }
+
+  if (expr.type === "MemberExpression") {
+    let rootMember = expr.object;
+    while (rootMember.type === "MemberExpression") {
+      rootMember = rootMember.object;
+    }
+
+    if (rootMember.type !== "CallExpression") {
+      return false;
+    }
+
+    return getCallExpressionIdentifier(rootMember) === "require";
+  }
+
+  return false;
+}
+
+function atLeastOneBranchHasRequireLeave(left, right) {
+  return [
+    exportAssignmentHasRequireLeave(left),
+    exportAssignmentHasRequireLeave(right)
+  ].some((hasRequire) => hasRequire);
+}

package/src/utils/extractNode.js

@@ -0,0 +1,14 @@
+// Import Internal Dependencies
+import { notNullOrUndefined } from "./notNullOrUndefined.js";
+
+export function extractNode(expectedType) {
+  return (callback, nodes) => {
+    const finalNodes = Array.isArray(nodes) ? nodes : [nodes];
+
+    for (const node of finalNodes) {
+      if (notNullOrUndefined(node) && node.type === expectedType) {
+        callback(node);
+      }
+    }
+  };
+}

package/src/utils/index.js

@@ -0,0 +1,8 @@
+export * from "./exportAssignmentHasRequireLeave.js";
+export * from "./extractNode.js";
+export * from "./isOneLineExpressionExport.js";
+export * from "./isUnsafeCallee.js";
+export * from "./notNullOrUndefined.js";
+export * from "./rootLocation.js";
+export * from "./toArrayLocation.js";
+export * from "./isNode.js";

package/src/utils/isNode.js

@@ -0,0 +1,5 @@
+export function isNode(value) {
+  return (
+    value !== null && typeof value === "object" && "type" in value && typeof value.type === "string"
+  );
+}

package/src/utils/isOneLineExpressionExport.js

@@ -0,0 +1,18 @@
+// Import Internal Dependencies
+import { exportAssignmentHasRequireLeave } from "./exportAssignmentHasRequireLeave.js";
+
+export function isOneLineExpressionExport(body) {
+  if (body.length > 1) {
+    return false;
+  }
+
+  if (body[0].type !== "ExpressionStatement") {
+    return false;
+  }
+
+  if (body[0].expression.type !== "AssignmentExpression") {
+    return false;
+  }
+
+  return exportAssignmentHasRequireLeave(body[0].expression.right);
+}

package/src/utils/isUnsafeCallee.js

@@ -0,0 +1,28 @@
+// Import Third-party Dependencies
+import { getCallExpressionIdentifier } from "@nodesecure/estree-ast-utils";
+
+function isEvalCallee(node) {
+  const identifier = getCallExpressionIdentifier(node, {
+    resolveCallExpression: false
+  });
+
+  return identifier === "eval";
+}
+
+function isFunctionCallee(node) {
+  const identifier = getCallExpressionIdentifier(node);
+
+  return identifier === "Function" && node.callee.type === "CallExpression";
+}
+
+export function isUnsafeCallee(node) {
+  if (isEvalCallee(node)) {
+    return [true, "eval"];
+  }
+
+  if (isFunctionCallee(node)) {
+    return [true, "Function"];
+  }
+
+  return [false, null];
+}

package/src/utils/notNullOrUndefined.js

@@ -0,0 +1,3 @@
+export function notNullOrUndefined(value) {
+  return value !== null && value !== void 0;
+}

package/src/utils/rootLocation.js

@@ -0,0 +1,3 @@
+export function rootLocation() {
+  return { start: { line: 0, column: 0 }, end: { line: 0, column: 0 } };
+}

package/src/utils/toArrayLocation.js

@@ -0,0 +1,11 @@
+// Import Internal Dependencies
+import { rootLocation } from "./rootLocation.js";
+
+export function toArrayLocation(location = rootLocation()) {
+  const { start, end = start } = location;
+
+  return [
+    [start.line || 0, start.column || 0],
+    [end.line || 0, end.column || 0]
+  ];
+}

package/src/warnings.js

@@ -1,5 +1,5 @@
 // Import Internal Dependencies
-import * as utils from "./utils.js";
+import * as utils from "./utils/index.js";
 
 export const warnings = Object.freeze({
   "parsing-error": {

package/types/api.d.ts

@@ -1,7 +1,12 @@
-import { ASTDeps } from "./astdeps.js";
 import { Warning } from "./warnings.js";
+import { Statement } from "meriyah/dist/src/estree.js";
 
 export {
+  AstAnalyser,
+  AstAnalyserOptions,
+  EntryFilesAnalyser,
+  EntryFilesAnalyserOptions,
+  SourceParser,
   runASTAnalysis,
   runASTAnalysisOnFile,
 
@@ -9,7 +14,27 @@ export {
   RuntimeFileOptions,
 
   Report,
-  ReportOnFile
+  ReportOnFile,
+
+  SourceLocation,
+  Dependency
+}
+
+interface SourceLocation {
+  start: {
+    line: number;
+    column: number;
+  };
+  end: {
+    line: number;
+    column: number;
+  }
+}
+
+interface Dependency {
+  unsafe: boolean;
+  inTry: boolean;
+  location?: null | SourceLocation;
 }
 
 interface RuntimeOptions {
@@ -20,42 +45,78 @@ interface RuntimeOptions {
   /**
    * @default false
    */
-  isMinified?: boolean;
+  removeHTMLComments?: boolean;
   /**
    * @default false
    */
-  removeHTMLComments?: boolean;
+  isMinified?: boolean;
 }
 
-interface Report {
-  dependencies: ASTDeps;
-  warnings: Warning[];
-  idsLengthAvg: number;
-  stringScore: number;
-  isOneLineRequire: boolean;
+interface RuntimeFileOptions extends Omit<RuntimeOptions, "isMinified"> {
+  packageName?: string;
 }
 
-interface RuntimeFileOptions {
-  packageName?: string;
+interface AstAnalyserOptions {
   /**
-   * @default true
+   * @default JsSourceParser
    */
-  module?: boolean;
+  customParser?: SourceParser;
+  /**
+   * @default []
+   */
+  customProbes?: Probe[];
   /**
    * @default false
    */
-  removeHTMLComments?: boolean;
+  skipDefaultProbes?: boolean;
+}
+
+interface Probe {
+  validateNode: Function | Function[];
+  main: Function;
+}
+
+interface Report {
+  dependencies: Map<string, Dependency>;
+  warnings: Warning[];
+  idsLengthAvg: number;
+  stringScore: number;
+  isOneLineRequire: boolean;
 }
 
 type ReportOnFile = {
   ok: true,
   warnings: Warning[];
-  dependencies: ASTDeps;
+  dependencies: Map<string, Dependency>;
   isMinified: boolean;
 } | {
   ok: false,
   warnings: Warning[];
 }
 
-declare function runASTAnalysis(str: string, options?: RuntimeOptions): Report;
-declare function runASTAnalysisOnFile(pathToFile: string, options?: RuntimeFileOptions): Promise<ReportOnFile>;
+interface SourceParser {
+  parse(source: string, options: unknown): Statement[];
+}
+
+declare class AstAnalyser {
+  constructor(options?: AstAnalyserOptions);
+  analyse: (str: string, options?: RuntimeOptions) => Report;
+  analyzeFile(pathToFile: string, options?: RuntimeFileOptions): Promise<ReportOnFile>;
+}
+
+interface EntryFilesAnalyserOptions {
+  astAnalyzer?: AstAnalyser;
+  loadExtensions?: (defaults: string[]) => string[];
+}
+
+declare class EntryFilesAnalyser {
+  constructor(options?: EntryFilesAnalyserOptions);
+
+  /**
+   * Asynchronously analyze a set of entry files yielding analysis reports.
+   */
+  analyse(entryFiles: (string | URL)[]): AsyncGenerator<ReportOnFile & { url: string }>;
+}
+
+declare function runASTAnalysis(str: string, options?: RuntimeOptions & AstAnalyserOptions): Report;
+declare function runASTAnalysisOnFile(pathToFile: string, options?: RuntimeFileOptions & AstAnalyserOptions): Promise<ReportOnFile>;

package/src/ASTDeps.js

@@ -1,63 +0,0 @@
-
-export default class ASTDeps {
-  #inTry = false;
-  dependencies = Object.create(null);
-
-  get isInTryStmt() {
-    return this.#inTry;
-  }
-
-  set isInTryStmt(value) {
-    if (typeof value !== "boolean") {
-      throw new TypeError("value must be a boolean!");
-    }
-
-    this.#inTry = value;
-  }
-
-  removeByName(name) {
-    if (Reflect.has(this.dependencies, name)) {
-      delete this.dependencies[name];
-    }
-  }
-
-  add(depName, location = null, unsafe = false) {
-    if (typeof depName !== "string" || depName.trim() === "") {
-      return;
-    }
-
-    const cleanDepName = depName.charAt(depName.length - 1) === "/" ? depName.slice(0, -1) : depName;
-    const dep = {
-      unsafe,
-      inTry: this.isInTryStmt
-    };
-    if (location !== null) {
-      dep.location = location;
-    }
-    this.dependencies[cleanDepName] = dep;
-  }
-
-  has(depName) {
-    if (depName.trim() === "") {
-      return false;
-    }
-
-    return Reflect.has(this.dependencies, depName);
-  }
-
-  get size() {
-    return Object.keys(this.dependencies).length;
-  }
-
-  * getDependenciesInTryStatement() {
-    for (const [depName, props] of Object.entries(this.dependencies)) {
-      if (props.inTry === true && props.unsafe === false) {
-        yield depName;
-      }
-    }
-  }
-
-  * [Symbol.iterator]() {
-    yield* Object.keys(this.dependencies);
-  }
-}

package/src/obfuscators/index.js

@@ -1,69 +0,0 @@
-// Import Third-party Dependencies
-import { Patterns } from "@nodesecure/sec-literal";
-
-// Import Internal Dependencies
-import * as jjencode from "./jjencode.js";
-import * as jsfuck from "./jsfuck.js";
-import * as freejsobfuscator from "./freejsobfuscator.js";
-import * as obfuscatorio from "./obfuscator-io.js";
-import * as trojan from "./trojan-source.js";
-
-// CONSTANTS
-const kMinimumIdsCount = 5;
-
-export function isObfuscatedCode(analysis) {
-  let encoderName = null;
-
-  if (jsfuck.verify(analysis)) {
-    encoderName = "jsfuck";
-  }
-  else if (jjencode.verify(analysis)) {
-    encoderName = "jjencode";
-  }
-  else if (analysis.counter.morseLiteral >= 36) {
-    encoderName = "morse";
-  }
-  else {
-    // TODO: also implement Dictionnary checkup
-    const identifiers = analysis.identifiersName
-      .map((value) => value?.name ?? null)
-      .filter((name) => typeof name === "string");
-
-    const { prefix, oneTimeOccurence } = Patterns.commonHexadecimalPrefix(
-      identifiers
-    );
-    const uPrefixNames = new Set(Object.keys(prefix));
-
-    if (analysis.counter.identifiers > kMinimumIdsCount && uPrefixNames.size > 0) {
-      analysis.hasPrefixedIdentifiers = calcAvgPrefixedIdentifiers(analysis, prefix) > 80;
-    }
-
-    if (uPrefixNames.size === 1 && freejsobfuscator.verify(analysis, prefix)) {
-      encoderName = "freejsobfuscator";
-    }
-    else if (obfuscatorio.verify(analysis)) {
-      encoderName = "obfuscator.io";
-    }
-    // else if ((analysis.counter.identifiers > (kMinimumIdsCount * 3) && analysis.hasPrefixedIdentifiers)
-    //     && (oneTimeOccurence <= 3 || analysis.counter.encodedArrayValue > 0)) {
-    //     encoderName = "unknown";
-    // }
-  }
-
-  return [encoderName !== null, encoderName];
-}
-
-export function hasTrojanSource(sourceString) {
-  return trojan.verify(sourceString);
-}
-
-function calcAvgPrefixedIdentifiers(analysis, prefix) {
-  const valuesArr = Object.values(prefix).slice().sort((left, right) => left - right);
-  if (valuesArr.length === 0) {
-    return 0;
-  }
-  const nbOfPrefixedIds = valuesArr.length === 1 ? valuesArr.pop() : (valuesArr.pop() + valuesArr.pop());
-  const maxIds = analysis.counter.identifiers - analysis.idtypes.property;
-
-  return ((nbOfPrefixedIds / maxIds) * 100);
-}

package/src/probes/index.js

@@ -1,70 +0,0 @@
-// Import all the probes
-import isUnsafeCallee from "./isUnsafeCallee.js";
-import isLiteral from "./isLiteral.js";
-import isLiteralRegex from "./isLiteralRegex.js";
-import isRegexObject from "./isRegexObject.js";
-import isVariableDeclaration from "./isVariableDeclaration.js";
-import isRequire from "./isRequire.js";
-import isImportDeclaration from "./isImportDeclaration.js";
-import isMemberExpression from "./isMemberExpression.js";
-import isArrayExpression from "./isArrayExpression.js";
-import isFunction from "./isFunction.js";
-import isAssignmentExpression from "./isAssignmentExpression.js";
-import isObjectExpression from "./isObjectExpression.js";
-import isUnaryExpression from "./isUnaryExpression.js";
-import isWeakCrypto from "./isWeakCrypto.js";
-import isClassDeclaration from "./isClassDeclaration.js";
-import isMethodDefinition from "./isMethodDefinition.js";
-
-// CONSTANTS
-const kListOfProbes = [
-  isUnsafeCallee,
-  isLiteral,
-  isLiteralRegex,
-  isRegexObject,
-  isVariableDeclaration,
-  isRequire,
-  isImportDeclaration,
-  isMemberExpression,
-  isAssignmentExpression,
-  isObjectExpression,
-  isArrayExpression,
-  isFunction,
-  isUnaryExpression,
-  isWeakCrypto,
-  isClassDeclaration,
-  isMethodDefinition
-];
-
-const kSymBreak = Symbol.for("breakWalk");
-const kSymSkip = Symbol.for("skipWalk");
-
-export function runOnProbes(node, analysis) {
-  const breakedGroups = new Set();
-
-  for (const probe of kListOfProbes) {
-    if (breakedGroups.has(probe.breakGroup)) {
-      continue;
-    }
-
-    const [isMatching, data = null] = probe.validateNode(node, analysis);
-    if (isMatching) {
-      const result = probe.main(node, { analysis, data });
-
-      if (result === kSymSkip) {
-        return "skip";
-      }
-      if (result === kSymBreak || probe.breakOnMatch) {
-        const breakGroup = probe.breakGroup || null;
-        if (breakGroup === null) {
-          break;
-        }
-        else {
-          breakedGroups.add(breakGroup);
-        }
-      }
-    }
-  }
-
-  return null;
-}