npm - @nodesecure/js-x-ray - Versions diffs - 8.2.0 → 9.1.0 - Mend

@nodesecure/js-x-ray 8.2.0 → 9.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (62) hide show

package/LICENSE +21 -21
package/README.md +9 -208
package/package.json +62 -63
package/src/{AstAnalyser.js → AstAnalyser.ts} +283 -209
package/src/{Deobfuscator.js → Deobfuscator.ts} +228 -195
package/src/{EntryFilesAnalyser.js → EntryFilesAnalyser.ts} +206 -167
package/src/JsSourceParser.ts +77 -0
package/src/NodeCounter.ts +90 -0
package/src/{ProbeRunner.js → ProbeRunner.ts} +167 -144
package/src/SourceFile.ts +226 -0
package/src/index.ts +5 -0
package/src/obfuscators/freejsobfuscator.ts +17 -0
package/src/obfuscators/{jjencode.js → jjencode.ts} +39 -27
package/src/obfuscators/jsfuck.ts +19 -0
package/src/obfuscators/{obfuscator-io.js → obfuscator-io.ts} +25 -13
package/src/obfuscators/{trojan-source.js → trojan-source.ts} +3 -1
package/src/probes/{isArrayExpression.js → isArrayExpression.ts} +12 -3
package/src/probes/{isBinaryExpression.js → isBinaryExpression.ts} +74 -55
package/src/probes/isESMExport.ts +50 -0
package/src/probes/{isFetch.js → isFetch.ts} +28 -19
package/src/probes/isImportDeclaration.ts +58 -0
package/src/probes/{isLiteral.js → isLiteral.ts} +91 -70
package/src/probes/isLiteralRegex.ts +42 -0
package/src/probes/{isRegexObject.js → isRegexObject.ts} +71 -49
package/src/probes/isRequire/RequireCallExpressionWalker.ts +142 -0
package/src/probes/isRequire/{isRequire.js → isRequire.ts} +195 -148
package/src/probes/isSerializeEnv.ts +65 -0
package/src/probes/isSyncIO.ts +96 -0
package/src/probes/isUnsafeCallee.ts +89 -0
package/src/probes/isUnsafeCommand.ts +133 -0
package/src/probes/isWeakCrypto.ts +69 -0
package/src/types/estree.ts +35 -0
package/src/utils/extractNode.ts +22 -0
package/src/utils/index.ts +4 -0
package/src/utils/{exportAssignmentHasRequireLeave.js → isOneLineExpressionExport.ts} +70 -40
package/src/utils/notNullOrUndefined.ts +5 -0
package/src/utils/toArrayLocation.ts +22 -0
package/src/warnings.ts +146 -0
package/index.d.ts +0 -46
package/index.js +0 -4
package/src/JsSourceParser.js +0 -57
package/src/NodeCounter.js +0 -76
package/src/SourceFile.js +0 -147
package/src/obfuscators/freejsobfuscator.js +0 -9
package/src/obfuscators/jsfuck.js +0 -11
package/src/probes/isESMExport.js +0 -31
package/src/probes/isImportDeclaration.js +0 -33
package/src/probes/isLiteralRegex.js +0 -31
package/src/probes/isRequire/RequireCallExpressionWalker.js +0 -93
package/src/probes/isUnsafeCallee.js +0 -35
package/src/probes/isWeakCrypto.js +0 -37
package/src/utils/extractNode.js +0 -14
package/src/utils/index.js +0 -8
package/src/utils/isNode.js +0 -5
package/src/utils/isOneLineExpressionExport.js +0 -24
package/src/utils/isUnsafeCallee.js +0 -28
package/src/utils/notNullOrUndefined.js +0 -3
package/src/utils/rootLocation.js +0 -3
package/src/utils/toArrayLocation.js +0 -11
package/src/warnings.js +0 -76
package/types/api.d.ts +0 -177
package/types/warnings.d.ts +0 -36

package/src/{Deobfuscator.js → Deobfuscator.ts} RENAMED Viewed

@@ -1,195 +1,228 @@
-// Import Third-party Dependencies
-import { getVariableDeclarationIdentifiers } from "@nodesecure/estree-ast-utils";
-import { Utils, Patterns } from "@nodesecure/sec-literal";
-import { match } from "ts-pattern";
-// Import Internal Dependencies
-import { NodeCounter } from "./NodeCounter.js";
-import { extractNode } from "./utils/index.js";
-import * as jjencode from "./obfuscators/jjencode.js";
-import * as jsfuck from "./obfuscators/jsfuck.js";
-import * as freejsobfuscator from "./obfuscators/freejsobfuscator.js";
-import * as obfuscatorio from "./obfuscators/obfuscator-io.js";
-// CONSTANTS
-const kIdentifierNodeExtractor = extractNode("Identifier");
-const kDictionaryStrParts = [
-  "abcdefghijklmnopqrstuvwxyz",
-  "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
-  "0123456789"
-];
-const kMinimumIdsCount = 5;
-export class Deobfuscator {
-  deepBinaryExpression = 0;
-  encodedArrayValue = 0;
-  hasDictionaryString = false;
-  hasPrefixedIdentifiers = false;
-  /** @type {Set<string>} */
-  morseLiterals = new Set();
-  /** @type {number[]} */
-  literalScores = [];
-  /** @type {({ name: string; type: string; })[]} */
-  identifiers = [];
-  #counters = [
-    new NodeCounter("VariableDeclaration[kind]"),
-    new NodeCounter("AssignmentExpression", {
-      match: (node, nc) => this.#extractCounterIdentifiers(nc, node.left)
-    }),
-    new NodeCounter("FunctionDeclaration", {
-      match: (node, nc) => this.#extractCounterIdentifiers(nc, node.id)
-    }),
-    new NodeCounter("MemberExpression[computed]"),
-    new NodeCounter("Property", {
-      filter: (node) => node.key.type === "Identifier",
-      match: (node, nc) => this.#extractCounterIdentifiers(nc, node.key)
-    }),
-    new NodeCounter("UnaryExpression", {
-      name: "DoubleUnaryExpression",
-      filter: ({ argument }) => argument.type === "UnaryExpression" && argument.argument.type === "ArrayExpression"
-    }),
-    new NodeCounter("VariableDeclarator", {
-      match: (node, nc) => this.#extractCounterIdentifiers(nc, node.id)
-    })
-  ];
-  /**
-   * @param {!NodeCounter} nc
-   * @param {*} node
-   */
-  #extractCounterIdentifiers(nc, node) {
-    if (node === null) {
-      return;
-    }
-    const { type } = nc;
-    switch (type) {
-      case "VariableDeclarator":
-      case "AssignmentExpression": {
-        for (const { name } of getVariableDeclarationIdentifiers(node)) {
-          this.identifiers.push({ name, type });
-        }
-        break;
-      }
-      case "Property":
-      case "FunctionDeclaration":
-        this.identifiers.push({ name: node.name, type });
-        break;
-    }
-  }
-  analyzeString(str) {
-    const score = Utils.stringSuspicionScore(str);
-    if (score !== 0) {
-      this.literalScores.push(score);
-    }
-    if (!this.hasDictionaryString) {
-      const isDictionaryStr = kDictionaryStrParts.every((word) => str.includes(word));
-      if (isDictionaryStr) {
-        this.hasDictionaryString = true;
-      }
-    }
-    // Searching for morse string like "--.- --.--"
-    if (Utils.isMorse(str)) {
-      this.morseLiterals.add(str);
-    }
-  }
-  walk(node) {
-    const { type } = node;
-    const isFunctionParams = node.type === "FunctionDeclaration" || node.type === "FunctionExpression";
-    const nodesToExtract = match(type)
-      .with("ClassDeclaration", () => [node.id, node.superClass])
-      .with("FunctionDeclaration", () => node.params)
-      .with("FunctionExpression", () => node.params)
-      .with("MethodDefinition", () => [node.key])
-      .otherwise(() => []);
-    kIdentifierNodeExtractor(
-      ({ name }) => this.identifiers.push({ name, type: isFunctionParams ? "FunctionParams" : type }),
-      nodesToExtract
-    );
-    this.#counters.forEach((counter) => counter.walk(node));
-  }
-  aggregateCounters() {
-    const defaultValue = {
-      Identifiers: this.identifiers.length
-    };
-    return this.#counters.reduce((result, counter) => {
-      result[counter.name] = counter.lookup ?
-        counter.properties :
-        counter.count;
-      return result;
-    }, defaultValue);
-  }
-  #calcAvgPrefixedIdentifiers(
-    counters,
-    prefix
-  ) {
-    const valuesArr = Object
-      .values(prefix)
-      .slice()
-      .sort((left, right) => left - right);
-    if (valuesArr.length === 0) {
-      return 0;
-    }
-    const nbOfPrefixedIds = valuesArr.length === 1 ?
-      valuesArr.pop() :
-      (valuesArr.pop() + valuesArr.pop());
-    const maxIds = counters.Identifiers - counters.Property;
-    return ((nbOfPrefixedIds / maxIds) * 100);
-  }
-  assertObfuscation() {
-    const counters = this.aggregateCounters();
-    if (jsfuck.verify(counters)) {
-      return "jsfuck";
-    }
-    if (jjencode.verify(this.identifiers, counters)) {
-      return "jjencode";
-    }
-    if (this.morseLiterals.size >= 36) {
-      return "morse";
-    }
-    const { prefix } = Patterns.commonHexadecimalPrefix(
-      this.identifiers.flatMap(
-        ({ name }) => (typeof name === "string" ? [name] : [])
-      )
-    );
-    const uPrefixNames = new Set(Object.keys(prefix));
-    if (this.identifiers.length > kMinimumIdsCount && uPrefixNames.size > 0) {
-      this.hasPrefixedIdentifiers = this.#calcAvgPrefixedIdentifiers(counters, prefix) > 80;
-    }
-    if (uPrefixNames.size === 1 && freejsobfuscator.verify(this.identifiers, prefix)) {
-      return "freejsobfuscator";
-    }
-    if (obfuscatorio.verify(this, counters)) {
-      return "obfuscator.io";
-    }
-    // if ((identifierLength > (kMinimumIdsCount * 3) && this.hasPrefixedIdentifiers)
-    //     && (oneTimeOccurence <= 3 || this.encodedArrayValue > 0)) {
-    //     return "unknown";
-    // }
-    return null;
-  }
-}
+// Import Third-party Dependencies
+import { getVariableDeclarationIdentifiers } from "@nodesecure/estree-ast-utils";
+import { Utils, Patterns } from "@nodesecure/sec-literal";
+import { match } from "ts-pattern";
+import type { ESTree } from "meriyah";
+// Import Internal Dependencies
+import { NodeCounter } from "./NodeCounter.js";
+import { extractNode } from "./utils/index.js";
+import * as jjencode from "./obfuscators/jjencode.js";
+import * as jsfuck from "./obfuscators/jsfuck.js";
+import * as freejsobfuscator from "./obfuscators/freejsobfuscator.js";
+import * as obfuscatorio from "./obfuscators/obfuscator-io.js";
+// CONSTANTS
+const kIdentifierNodeExtractor = extractNode<ESTree.Identifier>("Identifier");
+const kDictionaryStrParts = [
+  "abcdefghijklmnopqrstuvwxyz",
+  "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
+  "0123456789"
+];
+const kMinimumIdsCount = 5;
+export type ObfuscatedEngine =
+  | "jsfuck"
+  | "jjencode"
+  | "morse"
+  | "freejsobfuscator"
+  | "obfuscator.io"
+  | "unknown";
+export interface ObfuscatedIdentifier {
+  name: string;
+  type: string;
+}
+export interface ObfuscatedCounters {
+  Identifiers: number;
+  VariableDeclaration?: {
+    const?: number;
+    let?: number;
+    var?: number;
+  };
+  VariableDeclarator?: number;
+  AssignmentExpression?: number;
+  FunctionDeclaration?: number;
+  MemberExpression?: Record<string, number>;
+  Property?: number;
+  UnaryExpression?: number;
+  DoubleUnaryExpression?: number;
+}
+export class Deobfuscator {
+  deepBinaryExpression = 0;
+  encodedArrayValue = 0;
+  hasDictionaryString = false;
+  hasPrefixedIdentifiers = false;
+  morseLiterals = new Set<string>();
+  literalScores: number[] = [];
+  identifiers: ObfuscatedIdentifier[] = [];
+  #counters = [
+    new NodeCounter<ESTree.VariableDeclaration>("VariableDeclaration[kind]"),
+    new NodeCounter<ESTree.AssignmentExpression>("AssignmentExpression", {
+      match: (node, nc) => this.#extractCounterIdentifiers(nc, node.left)
+    }),
+    new NodeCounter<ESTree.FunctionDeclaration>("FunctionDeclaration", {
+      match: (node, nc) => this.#extractCounterIdentifiers(nc, node.id)
+    }),
+    new NodeCounter<ESTree.MemberExpression>("MemberExpression[computed]"),
+    new NodeCounter<ESTree.Property>("Property", {
+      filter: (node) => node.key.type === "Identifier",
+      match: (node, nc) => this.#extractCounterIdentifiers(nc, node.key)
+    }),
+    new NodeCounter<ESTree.UnaryExpression>("UnaryExpression", {
+      name: "DoubleUnaryExpression",
+      filter: ({ argument }) => argument.type === "UnaryExpression" && argument.argument.type === "ArrayExpression"
+    }),
+    new NodeCounter<ESTree.VariableDeclarator>("VariableDeclarator", {
+      match: (node, nc) => this.#extractCounterIdentifiers(nc, node.id)
+    })
+  ];
+  #extractCounterIdentifiers(
+    nc: NodeCounter<any>,
+    node: ESTree.Node | null
+  ) {
+    if (node === null) {
+      return;
+    }
+    const { type } = nc;
+    switch (type) {
+      case "VariableDeclarator":
+      case "AssignmentExpression": {
+        for (const { name } of getVariableDeclarationIdentifiers(node)) {
+          this.identifiers.push({ name, type });
+        }
+        break;
+      }
+      case "Property":
+      case "FunctionDeclaration":
+        if (node.type === "Identifier") {
+          this.identifiers.push({ name: node.name, type });
+        }
+        break;
+    }
+  }
+  analyzeString(
+    str: string
+  ): void {
+    const score = Utils.stringSuspicionScore(str);
+    if (score !== 0) {
+      this.literalScores.push(score);
+    }
+    if (!this.hasDictionaryString) {
+      const isDictionaryStr = kDictionaryStrParts.every((word) => str.includes(word));
+      if (isDictionaryStr) {
+        this.hasDictionaryString = true;
+      }
+    }
+    // Searching for morse string like "--.- --.--"
+    if (Utils.isMorse(str)) {
+      this.morseLiterals.add(str);
+    }
+  }
+  walk(
+    node: ESTree.Node
+  ): void {
+    const nodesToExtract = match(node)
+      .with({ type: "ClassDeclaration" }, (node) => [node.id, node.superClass])
+      .with({ type: "FunctionDeclaration" }, (node) => node.params)
+      .with({ type: "FunctionExpression" }, (node) => node.params)
+      .with({ type: "MethodDefinition" }, (node) => [node.key])
+      .otherwise(() => []);
+    const isFunctionParams =
+      node.type === "FunctionDeclaration" ||
+      node.type === "FunctionExpression";
+    kIdentifierNodeExtractor(
+      ({ name }) => this.identifiers.push({
+        name,
+        type: isFunctionParams ? "FunctionParams" : node.type
+      }),
+      nodesToExtract
+    );
+    this.#counters.forEach((counter) => counter.walk(node));
+  }
+  aggregateCounters(): ObfuscatedCounters {
+    return this.#counters.reduce((result, counter) => {
+      result[counter.name] = counter.lookup ?
+        counter.properties :
+        counter.count;
+      return result;
+    }, {
+      Identifiers: this.identifiers.length
+    });
+  }
+  #calcAvgPrefixedIdentifiers(
+    counters: ObfuscatedCounters,
+    prefix: Record<string, number>
+  ): number {
+    const valuesArr = Object
+      .values(prefix)
+      .slice()
+      .sort((left, right) => left - right);
+    if (valuesArr.length === 0) {
+      return 0;
+    }
+    const nbOfPrefixedIds = valuesArr.length === 1 ?
+      valuesArr.pop()! :
+      (valuesArr.pop()! + valuesArr.pop()!);
+    const maxIds = counters.Identifiers - (counters.Property ?? 0);
+    return ((nbOfPrefixedIds / maxIds) * 100);
+  }
+  assertObfuscation(): ObfuscatedEngine | null {
+    const counters = this.aggregateCounters();
+    if (jsfuck.verify(counters)) {
+      return "jsfuck";
+    }
+    if (jjencode.verify(this.identifiers, counters)) {
+      return "jjencode";
+    }
+    if (this.morseLiterals.size >= 36) {
+      return "morse";
+    }
+    const { prefix } = Patterns.commonHexadecimalPrefix(
+      this.identifiers.flatMap(
+        ({ name }) => (typeof name === "string" ? [name] : [])
+      )
+    );
+    const uPrefixNames = new Set(Object.keys(prefix));
+    if (this.identifiers.length > kMinimumIdsCount && uPrefixNames.size > 0) {
+      this.hasPrefixedIdentifiers = this.#calcAvgPrefixedIdentifiers(counters, prefix) > 80;
+    }
+    if (uPrefixNames.size === 1 && freejsobfuscator.verify(this.identifiers, prefix)) {
+      return "freejsobfuscator";
+    }
+    if (obfuscatorio.verify(this, counters)) {
+      return "obfuscator.io";
+    }
+    // if ((identifierLength > (kMinimumIdsCount * 3) && this.hasPrefixedIdentifiers)
+    //     && (oneTimeOccurence <= 3 || this.encodedArrayValue > 0)) {
+    //     return "unknown";
+    // }
+    return null;
+  }
+}