@nodesecure/js-x-ray 9.0.0 → 9.1.0

package/src/probes/isUnsafeCallee.js

@@ -1,35 +0,0 @@
-// Import Internal Dependencies
-import { isUnsafeCallee } from "../utils/index.js";
-import { ProbeSignals } from "../ProbeRunner.js";
-
-/**
- * @description Detect unsafe statement
- * @example
- * eval("this");
- * Function("return this")();
- */
-function validateNode(node) {
-  return isUnsafeCallee(node);
-}
-
-function main(node, options) {
-  const { sourceFile, data: calleeName } = options;
-
-  if (
-    calleeName === "Function" &&
-    node.callee.arguments.length > 0 &&
-    node.callee.arguments[0].value === "return this"
-  ) {
-    return ProbeSignals.Skip;
-  }
-  sourceFile.addWarning("unsafe-stmt", calleeName, node.loc);
-
-  return ProbeSignals.Skip;
-}
-
-export default {
-  name: "isUnsafeCallee",
-  validateNode,
-  main,
-  breakOnMatch: false
-};

package/src/probes/isWeakCrypto.js

@@ -1,37 +0,0 @@
-// Import Third-party Dependencies
-import { getCallExpressionIdentifier } from "@nodesecure/estree-ast-utils";
-
-// CONSTANTS
-const kWeakAlgorithms = new Set([
-  "md5",
-  "sha1",
-  "ripemd160",
-  "md4",
-  "md2"
-]);
-
-function validateNode(node, { tracer }) {
-  const id = getCallExpressionIdentifier(node);
-  if (id === null || !tracer.importedModules.has("crypto")) {
-    return [false];
-  }
-
-  const data = tracer.getDataFromIdentifier(id);
-
-  return [data !== null && data.identifierOrMemberExpr === "crypto.createHash"];
-}
-
-function main(node, { sourceFile }) {
-  const arg = node.arguments.at(0);
-
-  if (kWeakAlgorithms.has(arg.value)) {
-    sourceFile.addWarning("weak-crypto", arg.value, node.loc);
-  }
-}
-
-export default {
-  name: "isWeakCrypto",
-  validateNode,
-  main,
-  breakOnMatch: false
-};

package/src/utils/extractNode.js

@@ -1,14 +0,0 @@
-// Import Internal Dependencies
-import { notNullOrUndefined } from "./notNullOrUndefined.js";
-
-export function extractNode(expectedType) {
-  return (callback, nodes) => {
-    const finalNodes = Array.isArray(nodes) ? nodes : [nodes];
-
-    for (const node of finalNodes) {
-      if (notNullOrUndefined(node) && node.type === expectedType) {
-        callback(node);
-      }
-    }
-  };
-}

package/src/utils/index.js

@@ -1,8 +0,0 @@
-export * from "./exportAssignmentHasRequireLeave.js";
-export * from "./extractNode.js";
-export * from "./isOneLineExpressionExport.js";
-export * from "./isUnsafeCallee.js";
-export * from "./notNullOrUndefined.js";
-export * from "./rootLocation.js";
-export * from "./toArrayLocation.js";
-export * from "./isNode.js";

package/src/utils/isNode.js

@@ -1,5 +0,0 @@
-export function isNode(value) {
-  return (
-    value !== null && typeof value === "object" && "type" in value && typeof value.type === "string"
-  );
-}

package/src/utils/isOneLineExpressionExport.js

@@ -1,24 +0,0 @@
-// Import Internal Dependencies
-import { exportAssignmentHasRequireLeave } from "./exportAssignmentHasRequireLeave.js";
-
-export function isOneLineExpressionExport(body) {
-  if (body.length === 0 || body.length > 1) {
-    return false;
-  }
-
-  const [firstNode] = body;
-  if (firstNode.type !== "ExpressionStatement") {
-    return false;
-  }
-
-  switch (firstNode.expression.type) {
-    // module.exports = require('...');
-    case "AssignmentExpression":
-      return exportAssignmentHasRequireLeave(firstNode.expression.right);
-    // require('...');
-    case "CallExpression":
-      return exportAssignmentHasRequireLeave(firstNode.expression);
-    default:
-      return false;
-  }
-}

package/src/utils/isUnsafeCallee.js

@@ -1,28 +0,0 @@
-// Import Third-party Dependencies
-import { getCallExpressionIdentifier } from "@nodesecure/estree-ast-utils";
-
-function isEvalCallee(node) {
-  const identifier = getCallExpressionIdentifier(node, {
-    resolveCallExpression: false
-  });
-
-  return identifier === "eval";
-}
-
-function isFunctionCallee(node) {
-  const identifier = getCallExpressionIdentifier(node);
-
-  return identifier === "Function" && node.callee.type === "CallExpression";
-}
-
-export function isUnsafeCallee(node) {
-  if (isEvalCallee(node)) {
-    return [true, "eval"];
-  }
-
-  if (isFunctionCallee(node)) {
-    return [true, "Function"];
-  }
-
-  return [false, null];
-}

package/src/utils/notNullOrUndefined.js

@@ -1,3 +0,0 @@
-export function notNullOrUndefined(value) {
-  return value !== null && value !== void 0;
-}

package/src/utils/rootLocation.js

@@ -1,3 +0,0 @@
-export function rootLocation() {
-  return { start: { line: 0, column: 0 }, end: { line: 0, column: 0 } };
-}

package/src/utils/toArrayLocation.js

@@ -1,11 +0,0 @@
-// Import Internal Dependencies
-import { rootLocation } from "./rootLocation.js";
-
-export function toArrayLocation(location = rootLocation()) {
-  const { start, end = start } = location;
-
-  return [
-    [start.line || 0, start.column || 0],
-    [end.line || 0, end.column || 0]
-  ];
-}

package/src/warnings.js

@@ -1,77 +0,0 @@
-// Import Internal Dependencies
-import { toArrayLocation } from "./utils/toArrayLocation.js";
-import { notNullOrUndefined } from "./utils/notNullOrUndefined.js";
-
-export const warnings = Object.freeze({
-  "parsing-error": {
-    i18n: "sast_warnings.parsing_error",
-    severity: "Information"
-  },
-  "unsafe-import": {
-    i18n: "sast_warnings.unsafe_import",
-    severity: "Warning"
-  },
-  "unsafe-regex": {
-    i18n: "sast_warnings.unsafe_regex",
-    severity: "Warning"
-  },
-  "unsafe-stmt": {
-    code: "unsafe-stmt",
-    i18n: "sast_warnings.unsafe_stmt",
-    severity: "Warning"
-  },
-  "encoded-literal": {
-    i18n: "sast_warnings.encoded_literal",
-    severity: "Information"
-  },
-  "short-identifiers": {
-    i18n: "sast_warnings.short_identifiers",
-    severity: "Warning"
-  },
-  "suspicious-literal": {
-    i18n: "sast_warnings.suspicious_literal",
-    severity: "Warning"
-  },
-  "suspicious-file": {
-    i18n: "sast_warnings.suspicious_file",
-    severity: "Critical",
-    experimental: false
-  },
-  "obfuscated-code": {
-    i18n: "sast_warnings.obfuscated_code",
-    severity: "Critical",
-    experimental: true
-  },
-  "weak-crypto": {
-    i18n: "sast_warnings.weak_crypto",
-    severity: "Information",
-    experimental: false
-  },
-  "shady-link": {
-    i18n: "sast_warnings.shady_link",
-    severity: "Warning",
-    experimental: false
-  }
-});
-
-export function generateWarning(kind, options) {
-  const { location, file = null, value = null, source = "JS-X-Ray" } = options;
-
-  if (kind === "encoded-literal") {
-    return Object.assign(
-      { kind, value, location: [toArrayLocation(location)], source },
-      warnings[kind]
-    );
-  }
-
-  const result = { kind, location: toArrayLocation(location), source };
-  if (notNullOrUndefined(file)) {
-    result.file = file;
-  }
-  if (notNullOrUndefined(value)) {
-    result.value = value;
-  }
-
-  return Object.assign(result, warnings[kind]);
-}
-

package/types/api.d.ts

@@ -1,177 +0,0 @@
-// Third-party
-import type { DiGraph, VertexDefinition, VertexBody } from "digraph-js";
-import { Statement } from "meriyah";
-
-// Internal
-import {
-  Warning,
-  WarningName
-} from "./warnings.js";
-
-export {
-  AstAnalyser,
-  AstAnalyserOptions,
-
-  EntryFilesAnalyser,
-  EntryFilesAnalyserOptions,
-
-  JsSourceParser,
-  SourceParser,
-
-  RuntimeOptions,
-  RuntimeFileOptions,
-
-  Report,
-  ReportOnFile,
-
-  SourceFlags,
-  SourceLocation,
-  Dependency
-}
-
-type SourceFlags =
-  | "fetch"
-  | "oneline-require"
-  | "is-minified";
-
-interface SourceLocation {
-  start: {
-    line: number;
-    column: number;
-  };
-  end: {
-    line: number;
-    column: number;
-  }
-}
-
-interface Dependency {
-  unsafe: boolean;
-  inTry: boolean;
-  location?: null | SourceLocation;
-}
-
-interface RuntimeOptions {
-  /**
-   * @default true
-   */
-  module?: boolean;
-  /**
-   * @default false
-   */
-  removeHTMLComments?: boolean;
-  /**
-   * @default false
-   */
-  isMinified?: boolean;
-  initialize?: (sourceFile: SourceFile) => void;
-  finalize?: (sourceFile: SourceFile) => void;
-}
-
-interface RuntimeFileOptions extends Omit<RuntimeOptions, "isMinified"> {
-  packageName?: string;
-}
-
-interface AstAnalyserOptions {
-  /**
-   * @default JsSourceParser
-   */
-  customParser?: SourceParser;
-  /**
-   * @default []
-   */
-  customProbes?: Probe[];
-  /**
-   * @default false
-   */
-  skipDefaultProbes?: boolean;
-}
-
-interface Probe {
-  validateNode: Function | Function[];
-  main: Function;
-}
-
-interface Report {
-  dependencies: Map<string, Dependency>;
-  warnings: Warning[];
-  flags: Set<SourceFlags>;
-  idsLengthAvg: number;
-  stringScore: number;
-}
-
-type ReportOnFile = {
-  ok: true,
-  warnings: Warning[];
-  dependencies: Map<string, Dependency>;
-  flags: Set<SourceFlags>;
-} | {
-  ok: false,
-  warnings: Warning[];
-}
-
-interface SourceParser {
-  parse(source: string, options: unknown): Statement[];
-}
-
-declare class AstAnalyser {
-  constructor(options?: AstAnalyserOptions);
-  analyse: (
-    str: string,
-    options?: RuntimeOptions
-  ) => Report;
-  analyseFile(
-    pathToFile: string,
-    options?: RuntimeFileOptions
-  ): Promise<ReportOnFile>;
-  analyseFileSync(
-    pathToFile: string,
-    options?: RuntimeFileOptions
-  ): ReportOnFile;
-}
-
-declare class SourceFile {
-  flags: Set<SourceFlags>;
-
-  constructor(source: string, options: any);
-  addDependency(
-    name: string,
-    location?: string | null,
-    unsafe?: boolean
-  ): void;
-  addWarning(
-    name: WarningName,
-    value: string,
-    location?: any
-  ): void;
-  analyzeLiteral(node: any, inArrayExpr?: boolean): void;
-  getResult(isMinified: boolean): any;
-  walk(node: any): "skip" | null;
-}
-
-interface EntryFilesAnalyserOptions {
-  astAnalyzer?: AstAnalyser;
-  loadExtensions?: (defaults: string[]) => string[];
-  rootPath?: string | URL;
-  ignoreENOENT?: boolean;
-}
-
-declare class EntryFilesAnalyser {
-  public astAnalyzer: AstAnalyser;
-  public allowedExtensions: Set<string>;
-  public dependencies: DiGraph<VertexDefinition<VertexBody>>;
-
-  constructor(options?: EntryFilesAnalyserOptions);
-
-  /**
-   * Asynchronously analyze a set of entry files yielding analysis reports.
-   */
-  analyse(
-    entryFiles: Iterable<string | URL>,
-    options?: RuntimeFileOptions
-  ): AsyncGenerator<ReportOnFile & { file: string }>;
-}
-
-declare class JsSourceParser implements SourceParser {
-  parse(source: string, options: unknown): Statement[];
-}

package/types/warnings.d.ts

@@ -1,36 +0,0 @@
-
-export {
-  Warning,
-  WarningDefault,
-  WarningLocation,
-  WarningName,
-  WarningNameWithValue
-}
-
-type WarningNameWithValue = "parsing-error"
-| "encoded-literal"
-| "unsafe-regex"
-| "unsafe-stmt"
-| "short-identifiers"
-| "suspicious-literal"
-| "suspicious-file"
-| "obfuscated-code"
-| "weak-crypto"
-| "shady-link";
-type WarningName = WarningNameWithValue | "unsafe-import";
-
-type WarningLocation = [[number, number], [number, number]];
-
-interface WarningDefault<T = WarningName> {
-  kind: T;
-  file?: string;
-  value: string;
-  source: string;
-  location: null | WarningLocation | WarningLocation[];
-  i18n: string;
-  severity: "Information" | "Warning" | "Critical";
-  experimental?: boolean;
-}
-
-type Warning<T extends WarningDefault = WarningDefault> =
-  T extends { kind: WarningNameWithValue } ? T : Omit<T, "value">;