@nodesecure/js-x-ray 7.0.0 → 7.1.1

package/README.md

@@ -67,11 +67,13 @@ require(Buffer.from("6673", "hex").toString());
 
 Then use `js-x-ray` to run an analysis of the JavaScript code:
 ```js
-import { runASTAnalysis } from "@nodesecure/js-x-ray";
+import { AstAnalyser } from "@nodesecure/js-x-ray";
 import { readFileSync } from "node:fs";
 
-const { warnings, dependencies } = runASTAnalysis(
-  readFileSync("./file.js", "utf-8")
+const scanner = new AstAnalyser();
+
+const { warnings, dependencies } = await scanner.analyseFile(
+  "./file.js"
 );
 
 console.log(dependencies);
@@ -174,11 +176,16 @@ You can pass an array of probes to the `runASTAnalysis/runASTAnalysisOnFile` fun
 Here using the example probe upper:
 
 ```ts
-import { runASTAnalysis } from "@nodesecure/js-x-ray";
+import { AstAnalyser } from "@nodesecure/js-x-ray";
 
 // add your customProbes here (see example above)
 
-const result = runASTAnalysis("const danger = 'danger';", { customProbes, skipDefaultProbes: true });
+const scanner = new AstAnalyser({
+  customProbes,
+  skipDefaultProbes: true
+});
+
+const result = scanner.analyse("const danger = 'danger';");
 
 console.log(result);
 ```
@@ -202,6 +209,12 @@ Congrats, you have created your first custom probe! 🎉
 > Check the types in [index.d.ts](index.d.ts) and [types/api.d.ts](types/api.d.ts) for more details about the `options`
 
 ## API
+
+- [AstAnalyser](./docs/api/AstAnalyser.md)
+- [EntryFilesAnalyser](./docs/api/EntryFilesAnalyser.md)
+
+Legacy APIs waiting to be deprecated;
+
 <details>
 <summary>runASTAnalysis(str: string, options?: RuntimeOptions & AstAnalyserOptions): Report</summary>
 
@@ -290,7 +303,7 @@ $ yarn add @nodesecure/estree-ast-util
 ## Contributors ✨
 
 <!-- ALL-CONTRIBUTORS-BADGE:START - Do not remove or modify this section -->
-[![All Contributors](https://img.shields.io/badge/all_contributors-16-orange.svg?style=flat-square)](#contributors-)
+[![All Contributors](https://img.shields.io/badge/all_contributors-17-orange.svg?style=flat-square)](#contributors-)
 <!-- ALL-CONTRIBUTORS-BADGE:END -->
 
 Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):
@@ -321,6 +334,7 @@ Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/d
     <tr>
       <td align="center" valign="top" width="14.28%"><a href="https://github.com/FredGuiou"><img src="https://avatars.githubusercontent.com/u/99122562?v=4?s=100" width="100px;" alt="FredGuiou"/><br /><sub><b>FredGuiou</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=FredGuiou" title="Documentation">📖</a> <a href="https://github.com/NodeSecure/js-x-ray/commits?author=FredGuiou" title="Code">💻</a></td>
       <td align="center" valign="top" width="14.28%"><a href="https://github.com/madina0801"><img src="https://avatars.githubusercontent.com/u/101329759?v=4?s=100" width="100px;" alt="Madina"/><br /><sub><b>Madina</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=madina0801" title="Code">💻</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/sairuss7"><img src="https://avatars.githubusercontent.com/u/87803528?v=4?s=100" width="100px;" alt="SairussDev"/><br /><sub><b>SairussDev</b></sub></a><br /><a href="https://github.com/NodeSecure/js-x-ray/commits?author=sairuss7" title="Code">💻</a></td>
     </tr>
   </tbody>
 </table>

package/index.d.ts

@@ -1,6 +1,12 @@
 import {
   AstAnalyser,
+  AstAnalyserOptions,
+
+  EntryFilesAnalyser,
+  EntryFilesAnalyserOptions,
+
   SourceParser,
+  JsSourceParser,
   runASTAnalysis,
   runASTAnalysisOnFile,
   Report,
@@ -23,6 +29,10 @@ declare const warnings: Record<WarningName, Pick<WarningDefault, "experimental"
 export {
   warnings,
   AstAnalyser,
+  AstAnalyserOptions,
+  EntryFilesAnalyser,
+  EntryFilesAnalyserOptions,
+  JsSourceParser,
   SourceParser,
   runASTAnalysis,
   runASTAnalysisOnFile,

package/index.js

@@ -2,6 +2,7 @@
 import { warnings } from "./src/warnings.js";
 import { JsSourceParser } from "./src/JsSourceParser.js";
 import { AstAnalyser } from "./src/AstAnalyser.js";
+import { EntryFilesAnalyser } from "./src/EntryFilesAnalyser.js";
 
 function runASTAnalysis(
   str,
@@ -28,8 +29,8 @@ async function runASTAnalysisOnFile(
   options = {}
 ) {
   const {
-    customParser = new JsSourceParser(),
     customProbes = [],
+    customParser = new JsSourceParser(),
     skipDefaultProbes = false,
     ...opts
   } = options;
@@ -46,6 +47,8 @@ async function runASTAnalysisOnFile(
 export {
   warnings,
   AstAnalyser,
+  EntryFilesAnalyser,
+  JsSourceParser,
   runASTAnalysis,
   runASTAnalysisOnFile
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nodesecure/js-x-ray",
-  "version": "7.0.0",
+  "version": "7.1.1",
   "description": "JavaScript AST XRay analysis",
   "type": "module",
   "exports": "./index.js",
@@ -58,7 +58,7 @@
     "@types/node": "^20.6.2",
     "c8": "^9.0.0",
     "cross-env": "^7.0.3",
-    "eslint": "^8.31.0",
+    "eslint": "^9.0.0",
     "glob": "^10.3.4",
     "iterator-matcher": "^2.1.0",
     "pkg-ok": "^3.0.0"

package/src/AstAnalyser.js

@@ -1,137 +1,137 @@
-// Import Node.js Dependencies
-import fs from "node:fs/promises";
-import path from "node:path";
-
-// Import Third-party Dependencies
-import { walk } from "estree-walker";
-import isMinified from "is-minified-code";
-
-// Import Internal Dependencies
-import { SourceFile } from "./SourceFile.js";
-import { isOneLineExpressionExport } from "./utils/index.js";
-import { JsSourceParser } from "./JsSourceParser.js";
-
-export class AstAnalyser {
-  /**
-   * @constructor
-   * @param {object} [options={}]
-   * @param {SourceParser} [options.customParser]
-   * @param {Array<object>} [options.customProbes]
-   * @param {boolean} [options.skipDefaultProbes=false]
-   */
-  constructor(options = {}) {
-    this.parser = options.customParser ?? new JsSourceParser();
-    this.probesOptions = {
-      customProbes: options.customProbes ?? [],
-      skipDefaultProbes: options.skipDefaultProbes ?? false
-    };
-  }
-
-  analyse(str, options = Object.create(null)) {
-    const {
-      isMinified = false,
-      module = true,
-      removeHTMLComments = false
-    } = options;
-
-    const body = this.parser.parse(this.prepareSource(str, { removeHTMLComments }), {
-      isEcmaScriptModule: Boolean(module)
-    });
-
-    const source = new SourceFile(str, this.probesOptions);
-
-    // we walk each AST Nodes, this is a purely synchronous I/O
-    walk(body, {
-      enter(node) {
-        // Skip the root of the AST.
-        if (Array.isArray(node)) {
-          return;
-        }
-
-        const action = source.walk(node);
-        if (action === "skip") {
-          this.skip();
-        }
-      }
-    });
-
-    return {
-      ...source.getResult(isMinified),
-      dependencies: source.dependencies,
-      isOneLineRequire: isOneLineExpressionExport(body)
-    };
-  }
-
-  async analyseFile(
-    pathToFile,
-    options = {}
-  ) {
-    try {
-      const {
-        packageName = null,
-        module = true,
-        removeHTMLComments = false
-      } = options;
-
-      const str = await fs.readFile(pathToFile, "utf-8");
-      const filePathString = pathToFile instanceof URL ? pathToFile.href : pathToFile;
-
-      const isMin = filePathString.includes(".min") || isMinified(str);
-      const data = this.analyse(str, {
-        isMinified: isMin,
-        module: path.extname(filePathString) === ".mjs" ? true : module,
-        removeHTMLComments
-      });
-
-      if (packageName !== null) {
-        data.dependencies.delete(packageName);
-      }
-
-      return {
-        ok: true,
-        dependencies: data.dependencies,
-        warnings: data.warnings,
-        isMinified: !data.isOneLineRequire && isMin
-      };
-    }
-    catch (error) {
-      return {
-        ok: false,
-        warnings: [
-          { kind: "parsing-error", value: error.message, location: [[0, 0], [0, 0]] }
-        ]
-      };
-    }
-  }
-
-  /**
-   * @param {!string} source
-   * @param {object} options
-   * @param {boolean} [options.removeHTMLComments=false]
-   */
-  prepareSource(source, options = {}) {
-    if (typeof source !== "string") {
-      throw new TypeError("source must be a string");
-    }
-    const { removeHTMLComments = false } = options;
-
-    /**
-     * if the file start with a shebang then we remove it because meriyah.parseScript fail to parse it.
-     * @example
-     * #!/usr/bin/env node
-     */
-    const rawNoShebang = source.startsWith("#") ?
-      source.slice(source.indexOf("\n") + 1) : source;
-
-    return removeHTMLComments ?
-      this.#removeHTMLComment(rawNoShebang) : rawNoShebang;
-  }
-
-  /**
-   * @param {!string} str
-   * @returns {string}
-   */
-  #removeHTMLComment(str) {
-    return str.replaceAll(/<!--[\s\S]*?(?:-->)/g, "");
-  }
-}
+// Import Node.js Dependencies
+import fs from "node:fs/promises";
+import path from "node:path";
+
+// Import Third-party Dependencies
+import { walk } from "estree-walker";
+import isMinified from "is-minified-code";
+
+// Import Internal Dependencies
+import { SourceFile } from "./SourceFile.js";
+import { isOneLineExpressionExport } from "./utils/index.js";
+import { JsSourceParser } from "./JsSourceParser.js";
+
+export class AstAnalyser {
+  /**
+   * @constructor
+   * @param {object} [options={}]
+   * @param {SourceParser} [options.customParser]
+   * @param {Array<object>} [options.customProbes]
+   * @param {boolean} [options.skipDefaultProbes=false]
+   */
+  constructor(options = {}) {
+    this.parser = options.customParser ?? new JsSourceParser();
+    this.probesOptions = {
+      customProbes: options.customProbes ?? [],
+      skipDefaultProbes: options.skipDefaultProbes ?? false
+    };
+  }
+
+  analyse(str, options = Object.create(null)) {
+    const {
+      isMinified = false,
+      module = true,
+      removeHTMLComments = false
+    } = options;
+
+    const body = this.parser.parse(this.prepareSource(str, { removeHTMLComments }), {
+      isEcmaScriptModule: Boolean(module)
+    });
+
+    const source = new SourceFile(str, this.probesOptions);
+
+    // we walk each AST Nodes, this is a purely synchronous I/O
+    walk(body, {
+      enter(node) {
+        // Skip the root of the AST.
+        if (Array.isArray(node)) {
+          return;
+        }
+
+        const action = source.walk(node);
+        if (action === "skip") {
+          this.skip();
+        }
+      }
+    });
+
+    return {
+      ...source.getResult(isMinified),
+      dependencies: source.dependencies,
+      isOneLineRequire: isOneLineExpressionExport(body)
+    };
+  }
+
+  async analyseFile(
+    pathToFile,
+    options = {}
+  ) {
+    try {
+      const {
+        packageName = null,
+        module = true,
+        removeHTMLComments = false
+      } = options;
+
+      const str = await fs.readFile(pathToFile, "utf-8");
+      const filePathString = pathToFile instanceof URL ? pathToFile.href : pathToFile;
+
+      const isMin = filePathString.includes(".min") || isMinified(str);
+      const data = this.analyse(str, {
+        isMinified: isMin,
+        module: path.extname(filePathString) === ".mjs" ? true : module,
+        removeHTMLComments
+      });
+
+      if (packageName !== null) {
+        data.dependencies.delete(packageName);
+      }
+
+      return {
+        ok: true,
+        dependencies: data.dependencies,
+        warnings: data.warnings,
+        isMinified: !data.isOneLineRequire && isMin
+      };
+    }
+    catch (error) {
+      return {
+        ok: false,
+        warnings: [
+          { kind: "parsing-error", value: error.message, location: [[0, 0], [0, 0]] }
+        ]
+      };
+    }
+  }
+
+  /**
+   * @param {!string} source
+   * @param {object} options
+   * @param {boolean} [options.removeHTMLComments=false]
+   */
+  prepareSource(source, options = {}) {
+    if (typeof source !== "string") {
+      throw new TypeError("source must be a string");
+    }
+    const { removeHTMLComments = false } = options;
+
+    /**
+     * if the file start with a shebang then we remove it because meriyah.parseScript fail to parse it.
+     * @example
+     * #!/usr/bin/env node
+     */
+    const rawNoShebang = source.startsWith("#") ?
+      source.slice(source.indexOf("\n") + 1) : source;
+
+    return removeHTMLComments ?
+      this.#removeHTMLComment(rawNoShebang) : rawNoShebang;
+  }
+
+  /**
+   * @param {!string} str
+   * @returns {string}
+   */
+  #removeHTMLComment(str) {
+    return str.replaceAll(/<!--[\s\S]*?(?:-->)/g, "");
+  }
+}

package/src/EntryFilesAnalyser.js

@@ -0,0 +1,99 @@
+// Import Node.js Dependencies
+import fs from "node:fs/promises";
+import path from "node:path";
+
+// Import Internal Dependencies
+import { AstAnalyser } from "./AstAnalyser.js";
+
+const kDefaultExtensions = ["js", "cjs", "mjs", "node"];
+
+export class EntryFilesAnalyser {
+  /**
+   * @constructor
+   * @param {object} [options={}]
+   * @param {AstAnalyser} [options.astAnalyzer=new AstAnalyser()]
+   * @param {function} [options.loadExtensions]
+  */
+  constructor(options = {}) {
+    this.astAnalyzer = options.astAnalyzer ?? new AstAnalyser();
+    this.allowedExtensions = options.loadExtensions
+      ? options.loadExtensions(kDefaultExtensions)
+      : kDefaultExtensions;
+  }
+
+  /**
+   * Asynchronously analyze a set of entry files yielding analysis reports.
+   *
+   * @param {(string | URL)[]} entryFiles
+   * @yields {Object} - Yields an object containing the analysis report for each file.
+  */
+  async* analyse(entryFiles) {
+    this.analyzedDeps = new Set();
+
+    for (const file of entryFiles) {
+      yield* this.#analyzeFile(file);
+    }
+  }
+
+  async* #analyzeFile(file) {
+    const filePath = file instanceof URL ? file.pathname : file;
+    const report = await this.astAnalyzer.analyseFile(file);
+
+    yield { url: filePath, ...report };
+
+    if (!report.ok) {
+      return;
+    }
+
+    yield* this.#analyzeDeps(report.dependencies, path.dirname(filePath));
+  }
+
+  async* #analyzeDeps(deps, basePath) {
+    for (const [name] of deps) {
+      const depPath = await this.#getInternalDepPath(name, basePath);
+      if (depPath && !this.analyzedDeps.has(depPath)) {
+        this.analyzedDeps.add(depPath);
+
+        yield* this.#analyzeFile(depPath);
+      }
+    }
+  }
+
+  async #getInternalDepPath(name, basePath) {
+    const depPath = path.join(basePath, name);
+    const existingExt = path.extname(name);
+    if (existingExt !== "") {
+      if (!this.allowedExtensions.includes(existingExt.slice(1))) {
+        return null;
+      }
+
+      if (await this.#fileExists(depPath)) {
+        return depPath;
+      }
+    }
+
+    for (const ext of this.allowedExtensions) {
+      const depPathWithExt = `${depPath}.${ext}`;
+      if (await this.#fileExists(depPathWithExt)) {
+        return depPathWithExt;
+      }
+    }
+
+    return null;
+  }
+
+  async #fileExists(path) {
+    try {
+      await fs.access(path, fs.constants.F_OK);
+
+      return true;
+    }
+    catch (error) {
+      if (error.code !== "ENOENT") {
+        throw error;
+      }
+
+      return false;
+    }
+  }
+}

package/src/probes/isImportDeclaration.js

@@ -9,7 +9,7 @@
 function validateNode(node) {
   return [
     // Note: the source property is the right-side Literal part of the Import
-    node.type === "ImportDeclaration" && node.source.type === "Literal"
+    ["ImportDeclaration", "ImportExpression"].includes(node.type) && node.source.type === "Literal"
   ];
 }
 

package/src/probes/isLiteral.js

@@ -4,13 +4,19 @@ import { builtinModules } from "repl";
 // Import Third-party Dependencies
 import { Hex } from "@nodesecure/sec-literal";
 
+const kMapRegexIps = Object.freeze({
+  regexIPv4: /^(https?:\/\/)(?!127\.)(?!.*:(?:0{1,3}|25[6-9])\.)(?!.*:(?:25[6-9])\.(?:0{1,3}|25[6-9])\.)(?!.*:(?:25[6-9])\.(?:25[6-9])\.(?:0{1,3}|25[6-9])\.)(?!.*:(?:25[6-9])\.(?:25[6-9])\.(?:25[6-9])\.(?:0{1,3}|25[6-9]))((?:\d{1,2}|1\d{2}|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d{2}|2[0-4]\d|25[0-5])(?::\d{1,5})?(\/[^\s]*)?$/,
+  regexIPv6: /^(https?:\/\/)(\[[0-9A-Fa-f:]+\])(?::\d{1,5})?(\/[^\s]*)?$/
+});
+
 // CONSTANTS
 const kNodeDeps = new Set(builtinModules);
 const kShadyLinkRegExps = [
+  kMapRegexIps.regexIPv4,
+  kMapRegexIps.regexIPv6,
   /(http[s]?:\/\/bit\.ly.*)$/,
   /(http[s]?:\/\/.*\.(link|xyz|tk|ml|ga|cf|gq|pw|top|club|mw|bd|ke|am|sbs|date|quest|cd|bid|cd|ws|icu|cam|uno|email|stream))$/
 ];
-
 /**
  * @description Search for Literal AST Node
  * @see https://github.com/estree/estree/blob/master/es5.md#literal

package/types/api.d.ts

@@ -3,6 +3,12 @@ import { Statement } from "meriyah/dist/src/estree.js";
 
 export {
   AstAnalyser,
+  AstAnalyserOptions,
+
+  EntryFilesAnalyser,
+  EntryFilesAnalyserOptions,
+
+  JsSourceParser,
   SourceParser,
   runASTAnalysis,
   runASTAnalysisOnFile,
@@ -98,8 +104,24 @@ interface SourceParser {
 declare class AstAnalyser {
   constructor(options?: AstAnalyserOptions);
   analyse: (str: string, options?: RuntimeOptions) => Report;
-  analyzeFile(pathToFile: string, options?: RuntimeFileOptions): Promise<ReportOnFile>;
+  analyseFile(pathToFile: string, options?: RuntimeFileOptions): Promise<ReportOnFile>;
+}
+
+interface EntryFilesAnalyserOptions {
+  astAnalyzer?: AstAnalyser;
+  loadExtensions?: (defaults: string[]) => string[];
+}
+
+declare class EntryFilesAnalyser {
+  constructor(options?: EntryFilesAnalyserOptions);
+
+  /**
+   * Asynchronously analyze a set of entry files yielding analysis reports.
+   */
+  analyse(entryFiles: (string | URL)[]): AsyncGenerator<ReportOnFile & { url: string }>;
 }
 
+declare class JsSourceParser implements SourceParser {}
+
 declare function runASTAnalysis(str: string, options?: RuntimeOptions & AstAnalyserOptions): Report;
 declare function runASTAnalysisOnFile(pathToFile: string, options?: RuntimeFileOptions & AstAnalyserOptions): Promise<ReportOnFile>;