@nodesecure/js-x-ray 9.0.0 → 9.1.0

package/src/probes/{isRegexObject.js → isRegexObject.ts}

@@ -1,49 +1,71 @@
-// Import Third-party Dependencies
-import { isLiteralRegex } from "@nodesecure/estree-ast-utils";
-import safeRegex from "safe-regex";
-
-/**
- * @description Search for Regex Object constructor.
- * @see https://github.com/estree/estree/blob/master/es5.md#newexpression
- * @example
- * new RegExp("...");
- */
-function validateNode(node) {
-  return [
-    isRegexConstructor(node) && node.arguments.length > 0
-  ];
-}
-
-function main(node, options) {
-  const { sourceFile } = options;
-
-  const arg = node.arguments[0];
-  /**
-   * Note: RegExp Object can contain a RegExpLiteral
-   * @see https://github.com/estree/estree/blob/master/es5.md#regexpliteral
-   *
-   * @example
-   * new RegExp(/^foo/)
-   */
-  const pattern = isLiteralRegex(arg) ? arg.regex.pattern : arg.value;
-
-  // We use the safe-regex package to detect whether or not regex is safe!
-  if (!safeRegex(pattern)) {
-    sourceFile.addWarning("unsafe-regex", pattern, node.loc);
-  }
-}
-
-function isRegexConstructor(node) {
-  if (node.type !== "NewExpression" || node.callee.type !== "Identifier") {
-    return false;
-  }
-
-  return node.callee.name === "RegExp";
-}
-
-export default {
-  name: "isRegexObject",
-  validateNode,
-  main,
-  breakOnMatch: false
-};
+// Import Third-party Dependencies
+import safeRegex from "safe-regex";
+import type { ESTree } from "meriyah";
+
+// Import Internal Dependencies
+import { SourceFile } from "../SourceFile.js";
+import { generateWarning } from "../warnings.js";
+import type { Literal, RegExpLiteral } from "../types/estree.js";
+
+/**
+ * @description Search for Regex Object constructor.
+ * @see https://github.com/estree/estree/blob/master/es5.md#newexpression
+ * @example
+ * new RegExp("...");
+ */
+function validateNode(
+  node: ESTree.Node
+): [boolean, any?] {
+  return [
+    isRegexConstructor(node) && node.arguments.length > 0
+  ];
+}
+
+function main(
+  node: ESTree.NewExpression & {
+    callee: ESTree.Identifier;
+  },
+  options: { sourceFile: SourceFile; }
+) {
+  const { sourceFile } = options;
+
+  const arg = node.arguments.at(0) as Literal<string> | RegExpLiteral<string>;
+  if (!arg) {
+    return;
+  }
+
+  /**
+   * Note: RegExp Object can contain a RegExpLiteral
+   * @see https://github.com/estree/estree/blob/master/es5.md#regexpliteral
+   *
+   * @example
+   * new RegExp(/^foo/)
+   */
+  const pattern = arg.type === "Literal" && "regex" in arg ?
+    arg.regex.pattern :
+    arg.value;
+
+  // We use the safe-regex package to detect whether or not regex is safe!
+  if (!safeRegex(pattern)) {
+    sourceFile.warnings.push(
+      generateWarning("unsafe-regex", { value: pattern, location: node.loc })
+    );
+  }
+}
+
+function isRegexConstructor(
+  node: ESTree.Node
+): node is ESTree.NewExpression {
+  if (node.type !== "NewExpression" || node.callee.type !== "Identifier") {
+    return false;
+  }
+
+  return node.callee.name === "RegExp";
+}
+
+export default {
+  name: "isRegexObject",
+  validateNode,
+  main,
+  breakOnMatch: false
+};

package/src/probes/isRequire/RequireCallExpressionWalker.ts

@@ -0,0 +1,142 @@
+// Import Node.js Dependencies
+import path from "node:path";
+
+// Import Third-party Dependencies
+import { Hex } from "@nodesecure/sec-literal";
+import { walk as doWalk } from "estree-walker";
+import {
+  arrayExpressionToString,
+  getMemberExpressionIdentifier,
+  getCallExpressionArguments
+} from "@nodesecure/estree-ast-utils";
+import type { ESTree } from "meriyah";
+import { VariableTracer } from "@nodesecure/tracer";
+
+// Import Internal Dependencies
+import {
+  isLiteral,
+  isCallExpression
+} from "../../types/estree.js";
+
+export class RequireCallExpressionWalker {
+  tracer: VariableTracer;
+  dependencies = new Set<string>();
+  triggerWarning = true;
+
+  constructor(
+    tracer: VariableTracer
+  ) {
+    this.tracer = tracer;
+  }
+
+  reset() {
+    this.dependencies.clear();
+    this.triggerWarning = true;
+  }
+
+  walk(
+    callExprNode: ESTree.CallExpression
+  ) {
+    this.reset();
+
+    // we need the `this` context of doWalk.enter
+    const self = this;
+    // @ts-expect-error
+    doWalk(callExprNode, {
+      enter(node: any) {
+        if (
+          !isCallExpression(node) ||
+          node.arguments.length === 0
+        ) {
+          return;
+        }
+
+        const castedNode = node as ESTree.CallExpression;
+        const rootArgument = castedNode.arguments.at(0)!;
+        if (
+          rootArgument.type === "Literal" &&
+          typeof rootArgument.value === "string" &&
+          Hex.isHex(rootArgument.value)
+        ) {
+          self.dependencies.add(Buffer.from(rootArgument.value, "hex").toString());
+          this.skip();
+
+          return;
+        }
+
+        const fullName = castedNode.callee.type === "MemberExpression" ?
+          [...getMemberExpressionIdentifier(castedNode.callee)].join(".") :
+          castedNode.callee.name;
+        const tracedFullName = self.tracer.getDataFromIdentifier(fullName)?.identifierOrMemberExpr ?? fullName;
+        switch (tracedFullName) {
+          case "atob":
+            self.#handleAtob(castedNode);
+            break;
+          case "Buffer.from":
+            self.#handleBufferFrom(castedNode);
+            break;
+          case "require.resolve":
+            self.#handleRequireResolve(rootArgument);
+            break;
+          case "path.join":
+            self.#handlePathJoin(castedNode);
+            break;
+        }
+      }
+    });
+
+    return {
+      dependencies: this.dependencies,
+      triggerWarning: this.triggerWarning
+    };
+  }
+
+  #handleAtob(
+    node: ESTree.CallExpression
+  ): void {
+    const nodeArguments = getCallExpressionArguments(
+      node,
+      {
+        externalIdentifierLookup: (name) => this.tracer.literalIdentifiers.get(name) ?? null
+      }
+    );
+
+    if (nodeArguments !== null && nodeArguments.length > 0) {
+      this.dependencies.add(
+        Buffer.from(nodeArguments.at(0)!, "base64").toString()
+      );
+    }
+  }
+
+  #handleBufferFrom(
+    node: ESTree.CallExpression
+  ) {
+    const [element] = node.arguments;
+    if (element.type === "ArrayExpression") {
+      const depName = [...arrayExpressionToString(element)].join("").trim();
+      this.dependencies.add(depName);
+    }
+  }
+
+  #handleRequireResolve(
+    node: ESTree.Node
+  ) {
+    if (isLiteral(node)) {
+      this.dependencies.add(node.value);
+    }
+  }
+
+  #handlePathJoin(
+    node: ESTree.CallExpression
+  ) {
+    if (!node.arguments.every((arg) => isLiteral(arg))) {
+      return;
+    }
+
+    const constructedPath = path.posix.join(
+      ...node.arguments.map((arg) => arg.value)
+    );
+    this.dependencies.add(constructedPath);
+    this.triggerWarning = false;
+  }
+}

package/src/probes/isRequire/{isRequire.js → isRequire.ts}

@@ -1,148 +1,195 @@
-/* eslint-disable consistent-return */
-
-import {
-  concatBinaryExpression,
-  arrayExpressionToString,
-  getCallExpressionIdentifier,
-  getCallExpressionArguments
-} from "@nodesecure/estree-ast-utils";
-import { ProbeSignals } from "../../ProbeRunner.js";
-import { RequireCallExpressionWalker } from "./RequireCallExpressionWalker.js";
-
-function validateNodeRequire(node, { tracer }) {
-  const id = getCallExpressionIdentifier(node, {
-    resolveCallExpression: false
-  });
-  if (id === null) {
-    return [false];
-  }
-
-  const data = tracer.getDataFromIdentifier(id, {
-    removeGlobalIdentifier: true
-  });
-
-  return [
-    data !== null && data.name === "require",
-    id ?? void 0
-  ];
-}
-
-function validateNodeEvalRequire(node) {
-  const id = getCallExpressionIdentifier(node);
-
-  if (id !== "eval") {
-    return [false];
-  }
-  if (node.callee.type !== "CallExpression") {
-    return [false];
-  }
-
-  const args = getCallExpressionArguments(node.callee);
-
-  return [
-    args.length > 0 && args.at(0) === "require",
-    id
-  ];
-}
-
-function teardown({ sourceFile }) {
-  sourceFile.dependencyAutoWarning = false;
-}
-
-function main(node, options) {
-  const { sourceFile, data: calleeName } = options;
-  const { tracer } = sourceFile;
-
-  if (node.arguments.length === 0) {
-    return;
-  }
-  const arg = node.arguments.at(0);
-
-  if (calleeName === "eval") {
-    sourceFile.dependencyAutoWarning = true;
-  }
-
-  switch (arg.type) {
-    // const foo = "http"; require(foo);
-    case "Identifier":
-      if (sourceFile.tracer.literalIdentifiers.has(arg.name)) {
-        sourceFile.addDependency(
-          sourceFile.tracer.literalIdentifiers.get(arg.name),
-          node.loc
-        );
-      }
-      else {
-        sourceFile.addWarning("unsafe-import", null, node.loc);
-      }
-      break;
-
-    // require("http")
-    case "Literal":
-      sourceFile.addDependency(arg.value, node.loc);
-      break;
-
-    // require(["ht", "tp"])
-    case "ArrayExpression": {
-      const value = [...arrayExpressionToString(arg, { tracer })]
-        .join("")
-        .trim();
-
-      if (value === "") {
-        sourceFile.addWarning("unsafe-import", null, node.loc);
-      }
-      else {
-        sourceFile.addDependency(value, node.loc);
-      }
-      break;
-    }
-
-    // require("ht" + "tp");
-    case "BinaryExpression": {
-      if (arg.operator !== "+") {
-        sourceFile.addWarning("unsafe-import", null, node.loc);
-        break;
-      }
-
-      try {
-        const iter = concatBinaryExpression(arg, {
-          tracer, stopOnUnsupportedNode: true
-        });
-
-        sourceFile.addDependency([...iter].join(""), node.loc);
-      }
-      catch {
-        sourceFile.addWarning("unsafe-import", null, node.loc);
-      }
-      break;
-    }
-
-    // require(Buffer.from("...", "hex").toString());
-    case "CallExpression": {
-      const walker = new RequireCallExpressionWalker(tracer);
-      const { dependencies, triggerWarning } = walker.walk(arg);
-      dependencies.forEach((depName) => sourceFile.addDependency(depName, node.loc, true));
-
-      if (triggerWarning) {
-        sourceFile.addWarning("unsafe-import", null, node.loc);
-      }
-
-      // We skip walking the tree to avoid anymore warnings...
-      return ProbeSignals.Skip;
-    }
-
-    default:
-      sourceFile.addWarning("unsafe-import", null, node.loc);
-  }
-}
-
-export default {
-  name: "isRequire",
-  validateNode: [
-    validateNodeRequire,
-    validateNodeEvalRequire
-  ],
-  main,
-  teardown,
-  breakOnMatch: true,
-  breakGroup: "import"
-};
+/* eslint-disable consistent-return */
+
+// Import Third-party Dependencies
+import {
+  concatBinaryExpression,
+  arrayExpressionToString,
+  getCallExpressionIdentifier,
+  getCallExpressionArguments
+} from "@nodesecure/estree-ast-utils";
+import type { ESTree } from "meriyah";
+
+// Import Internal Dependencies
+import { ProbeSignals } from "../../ProbeRunner.js";
+import { SourceFile } from "../../SourceFile.js";
+import { isLiteral } from "../../types/estree.js";
+import { RequireCallExpressionWalker } from "./RequireCallExpressionWalker.js";
+import { generateWarning } from "../../warnings.js";
+
+function validateNodeRequire(
+  node: ESTree.Node,
+  { tracer }: SourceFile
+): [boolean, any?] {
+  const id = getCallExpressionIdentifier(node, {
+    resolveCallExpression: false
+  });
+  if (id === null) {
+    return [false];
+  }
+
+  const data = tracer.getDataFromIdentifier(id, {
+    removeGlobalIdentifier: true
+  });
+
+  return [
+    data !== null && data.name === "require",
+    id ?? void 0
+  ];
+}
+
+function validateNodeEvalRequire(
+  node: ESTree.Node
+): [boolean, any?] {
+  const id = getCallExpressionIdentifier(node);
+
+  if (id !== "eval") {
+    return [false];
+  }
+
+  const castedNode = node as ESTree.CallExpression;
+  if (castedNode.callee.type !== "CallExpression") {
+    return [false];
+  }
+
+  const args = getCallExpressionArguments(castedNode.callee);
+  if (args === null) {
+    return [false];
+  }
+
+  return [
+    args.length > 0 && args.at(0) === "require",
+    id
+  ];
+}
+
+function teardown(
+  { sourceFile }: { sourceFile: SourceFile; }
+) {
+  sourceFile.dependencyAutoWarning = false;
+}
+
+function main(
+  node: ESTree.CallExpression,
+  options: { sourceFile: SourceFile; data?: string; }
+) {
+  const { sourceFile, data: calleeName } = options;
+  const { tracer } = sourceFile;
+
+  if (node.arguments.length === 0) {
+    return;
+  }
+  const arg = node.arguments.at(0);
+  if (arg === undefined) {
+    return;
+  }
+
+  if (calleeName === "eval") {
+    sourceFile.dependencyAutoWarning = true;
+  }
+  const location = node.loc;
+
+  switch (arg.type) {
+    // const foo = "http"; require(foo);
+    case "Identifier":
+      if (sourceFile.tracer.literalIdentifiers.has(arg.name)) {
+        sourceFile.addDependency(
+          sourceFile.tracer.literalIdentifiers.get(arg.name)!,
+          node.loc
+        );
+      }
+      else {
+        sourceFile.warnings.push(
+          generateWarning("unsafe-import", { value: null, location })
+        );
+      }
+      break;
+
+    // require("http")
+    case "Literal":
+      if (isLiteral(arg)) {
+        sourceFile.addDependency(arg.value, node.loc);
+      }
+      break;
+
+    // require(["ht", "tp"])
+    case "ArrayExpression": {
+      const value = [
+        ...arrayExpressionToString(arg, {
+          externalIdentifierLookup: (name) => tracer.literalIdentifiers.get(name) ?? null
+        })
+      ]
+        .join("")
+        .trim();
+
+      if (value === "") {
+        sourceFile.warnings.push(
+          generateWarning("unsafe-import", { value: null, location })
+        );
+      }
+      else {
+        sourceFile.addDependency(value, node.loc);
+      }
+      break;
+    }
+
+    // require("ht" + "tp");
+    case "BinaryExpression": {
+      if (arg.operator !== "+") {
+        sourceFile.warnings.push(
+          generateWarning("unsafe-import", { value: null, location })
+        );
+        break;
+      }
+
+      try {
+        const iter = concatBinaryExpression(arg, {
+          externalIdentifierLookup: (name) => tracer.literalIdentifiers.get(name) ?? null,
+          stopOnUnsupportedNode: true
+        });
+
+        sourceFile.addDependency([...iter].join(""), node.loc);
+      }
+      catch {
+        sourceFile.warnings.push(
+          generateWarning("unsafe-import", { value: null, location })
+        );
+      }
+      break;
+    }
+
+    // require(Buffer.from("...", "hex").toString());
+    case "CallExpression": {
+      const walker = new RequireCallExpressionWalker(tracer);
+      const { dependencies, triggerWarning } = walker.walk(arg);
+      dependencies.forEach((depName) => sourceFile.addDependency(depName, node.loc, true));
+
+      if (triggerWarning) {
+        sourceFile.warnings.push(
+          generateWarning("unsafe-import", { value: null, location })
+        );
+      }
+
+      // We skip walking the tree to avoid anymore warnings...
+      return ProbeSignals.Skip;
+    }
+
+    default:
+      sourceFile.warnings.push(
+        generateWarning("unsafe-import", { value: null, location })
+      );
+  }
+
+  return;
+}
+
+export default {
+  name: "isRequire",
+  validateNode: [
+    validateNodeRequire,
+    validateNodeEvalRequire
+  ],
+  main,
+  teardown,
+  breakOnMatch: true,
+  breakGroup: "import"
+};

package/src/probes/isSerializeEnv.ts

@@ -0,0 +1,65 @@
+// Import Third-party Dependencies
+import {
+  getCallExpressionIdentifier,
+  getMemberExpressionIdentifier
+} from "@nodesecure/estree-ast-utils";
+import type { ESTree } from "meriyah";
+
+// Import Internal Dependencies
+import { SourceFile } from "../SourceFile.js";
+import { generateWarning } from "../warnings.js";
+import { ProbeSignals } from "../ProbeRunner.js";
+
+/**
+ * @description Detect serialization of process.env which could indicate environment variable exfiltration
+ * @example
+ * JSON.stringify(process.env)
+ * JSON.stringify(process["env"])
+ * JSON.stringify(process["env"])
+ * JSON.stringify(process[`env`])
+ */
+function validateNode(
+  node: ESTree.Node
+): [boolean, any?] {
+  const id = getCallExpressionIdentifier(node);
+  if (id !== "JSON.stringify") {
+    return [false];
+  }
+
+  const castedNode = node as ESTree.CallExpression;
+  if (castedNode.arguments.length === 0) {
+    return [false];
+  }
+
+  const firstArg = castedNode.arguments[0];
+  if (firstArg.type === "MemberExpression") {
+    const memberExprId = [...getMemberExpressionIdentifier(firstArg)].join(".");
+    if (memberExprId === "process.env") {
+      return [true];
+    }
+  }
+
+  return [false];
+}
+
+function main(
+  node: ESTree.Node,
+  options: { sourceFile: SourceFile; }
+) {
+  const { sourceFile } = options;
+
+  const warning = generateWarning("serialize-environment", {
+    value: "JSON.stringify(process.env)",
+    location: node.loc
+  });
+  sourceFile.warnings.push(warning);
+
+  return ProbeSignals.Skip;
+}
+
+export default {
+  name: "isSerializeEnv",
+  validateNode,
+  main,
+  breakOnMatch: false
+};