@nodesecure/js-x-ray 9.0.0 → 9.1.0

package/src/warnings.ts

@@ -0,0 +1,146 @@
+// Import Third-party Dependencies
+import type { ESTree } from "meriyah";
+
+// Import Internal Dependencies
+import {
+  toArrayLocation,
+  rootLocation,
+  type SourceArrayLocation
+} from "./utils/toArrayLocation.js";
+import { notNullOrUndefined } from "./utils/notNullOrUndefined.js";
+
+export type OptionalWarningName =
+  | "synchronous-io";
+
+export type WarningName =
+  | "parsing-error"
+  | "encoded-literal"
+  | "unsafe-regex"
+  | "unsafe-stmt"
+  | "short-identifiers"
+  | "suspicious-literal"
+  | "suspicious-file"
+  | "obfuscated-code"
+  | "weak-crypto"
+  | "shady-link"
+  | "unsafe-command"
+  | "unsafe-import"
+  | "serialize-environment"
+  | OptionalWarningName;
+
+export interface Warning<T = WarningName> {
+  kind: T | (string & {});
+  file?: string;
+  value: string | null;
+  source: string;
+  location: null | SourceArrayLocation | SourceArrayLocation[];
+  i18n: string;
+  severity: "Information" | "Warning" | "Critical";
+  experimental?: boolean;
+}
+
+export const warnings = Object.freeze({
+  "parsing-error": {
+    i18n: "sast_warnings.parsing_error",
+    severity: "Information"
+  },
+  "unsafe-import": {
+    i18n: "sast_warnings.unsafe_import",
+    severity: "Warning"
+  },
+  "unsafe-regex": {
+    i18n: "sast_warnings.unsafe_regex",
+    severity: "Warning"
+  },
+  "unsafe-stmt": {
+    code: "unsafe-stmt",
+    i18n: "sast_warnings.unsafe_stmt",
+    severity: "Warning"
+  },
+  "encoded-literal": {
+    i18n: "sast_warnings.encoded_literal",
+    severity: "Information"
+  },
+  "short-identifiers": {
+    i18n: "sast_warnings.short_identifiers",
+    severity: "Warning"
+  },
+  "suspicious-literal": {
+    i18n: "sast_warnings.suspicious_literal",
+    severity: "Warning"
+  },
+  "suspicious-file": {
+    i18n: "sast_warnings.suspicious_file",
+    severity: "Critical",
+    experimental: false
+  },
+  "obfuscated-code": {
+    i18n: "sast_warnings.obfuscated_code",
+    severity: "Critical",
+    experimental: true
+  },
+  "weak-crypto": {
+    i18n: "sast_warnings.weak_crypto",
+    severity: "Information",
+    experimental: false
+  },
+  "shady-link": {
+    i18n: "sast_warnings.shady_link",
+    severity: "Warning",
+    experimental: false
+  },
+  "unsafe-command": {
+    i18n: "sast_warnings.unsafe-command",
+    severity: "Warning",
+    experimental: true
+  },
+  "synchronous-io": {
+    i18n: "sast_warnings.synchronous-io",
+    severity: "Warning",
+    experimental: true
+  },
+  "serialize-environment": {
+    i18n: "sast_warnings.serialize-environment",
+    severity: "Warning",
+    experimental: false
+  }
+}) satisfies Record<WarningName, Pick<Warning, "experimental" | "i18n" | "severity">>;
+
+export interface GenerateWarningOptions {
+  location?: ESTree.SourceLocation | null;
+  file?: string | null;
+  value: string | null;
+  source?: string;
+}
+
+export function generateWarning<T extends WarningName>(
+  kind: T,
+  options: GenerateWarningOptions
+): Warning<T> {
+  const {
+    file = null,
+    value,
+    source = "JS-X-Ray"
+  } = options;
+  const location = options.location ?? rootLocation();
+
+  if (kind === "encoded-literal") {
+    return {
+      kind,
+      value,
+      location: [toArrayLocation(location)],
+      source,
+      ...warnings[kind]
+    };
+  }
+
+  return {
+    kind,
+    location: toArrayLocation(location),
+    source,
+    ...warnings[kind],
+    ...(notNullOrUndefined(file) ? { file } : {}),
+    ...(notNullOrUndefined(value) ? { value } : { value: null })
+  };
+}
+

package/index.d.ts

@@ -1,46 +0,0 @@
-import {
-  AstAnalyser,
-  AstAnalyserOptions,
-
-  EntryFilesAnalyser,
-  EntryFilesAnalyserOptions,
-
-  SourceParser,
-  JsSourceParser,
-  Report,
-  ReportOnFile,
-  RuntimeFileOptions,
-  RuntimeOptions,
-  SourceLocation,
-  Dependency
-} from "./types/api.js";
-import {
-  Warning,
-  WarningDefault,
-  WarningLocation,
-  WarningName,
-  WarningNameWithValue
-} from "./types/warnings.js";
-
-declare const warnings: Record<WarningName, Pick<WarningDefault, "experimental" | "i18n" | "severity">>;
-
-export {
-  warnings,
-  AstAnalyser,
-  AstAnalyserOptions,
-  EntryFilesAnalyser,
-  EntryFilesAnalyserOptions,
-  JsSourceParser,
-  SourceParser,
-  Report,
-  ReportOnFile,
-  RuntimeFileOptions,
-  RuntimeOptions,
-  SourceLocation,
-  Dependency,
-  Warning,
-  WarningDefault,
-  WarningLocation,
-  WarningName,
-  WarningNameWithValue
-}

package/index.js

@@ -1,4 +0,0 @@
-export { warnings } from "./src/warnings.js";
-export { JsSourceParser } from "./src/JsSourceParser.js";
-export { AstAnalyser } from "./src/AstAnalyser.js";
-export { EntryFilesAnalyser } from "./src/EntryFilesAnalyser.js";

package/src/JsSourceParser.js

@@ -1,57 +0,0 @@
-// Import Third-party Dependencies
-import * as meriyah from "meriyah";
-
-// CONSTANTS
-const kParsingOptions = {
-  next: true,
-  loc: true,
-  raw: true,
-  jsx: true
-};
-
-export class JsSourceParser {
-  /**
-   * @param {object} options
-   * @param {boolean} options.isEcmaScriptModule
-   */
-  parse(source, options = {}) {
-    const {
-      isEcmaScriptModule
-    } = options;
-
-    try {
-      const { body } = meriyah.parseScript(
-        source,
-        {
-          ...kParsingOptions,
-          module: isEcmaScriptModule,
-          globalReturn: !isEcmaScriptModule
-        }
-      );
-
-      return body;
-    }
-    catch (error) {
-      const isIllegalReturn = error.description.includes("Illegal return statement");
-
-      if (error.name === "SyntaxError" && (
-        error.description.includes("The import keyword") ||
-        error.description.includes("The export keyword") ||
-        isIllegalReturn
-      )) {
-        const { body } = meriyah.parseScript(
-          source,
-          {
-            ...kParsingOptions,
-            module: true,
-            globalReturn: isIllegalReturn
-          }
-        );
-
-        return body;
-      }
-
-      throw error;
-    }
-  }
-}

package/src/NodeCounter.js

@@ -1,76 +0,0 @@
-// Import Third-party Dependencies
-import FrequencySet from "frequency-set";
-
-// Import Internal Dependencies
-import { isNode } from "./utils/index.js";
-
-// eslint-disable-next-line func-style
-const noop = (node) => true;
-
-export class NodeCounter {
-  lookup = null;
-
-  #count = 0;
-  #properties = null;
-  #filterFn = noop;
-  #matchFn = noop;
-
-  /**
-   * @param {!string} type
-   * @param {Object} [options]
-   * @param {string} [options.name]
-   * @param {(node: any) => boolean} [options.filter]
-   * @param {(node: any, nc: NodeCounter) => void} [options.match]
-   *
-   * @example
-   * new NodeCounter("FunctionDeclaration");
-   * new NodeCounter("VariableDeclaration[kind]");
-   */
-  constructor(type, options = {}) {
-    if (typeof type !== "string") {
-      throw new TypeError("type must be a string");
-    }
-
-    const typeResult = /([A-Za-z]+)(\[[a-zA-Z]+\])?/g.exec(type);
-    if (typeResult === null) {
-      throw new Error("invalid type argument syntax");
-    }
-    this.type = typeResult[1];
-    this.lookup = typeResult[2]?.slice(1, -1) ?? null;
-    this.name = options?.name ?? this.type;
-    if (this.lookup) {
-      this.#properties = new FrequencySet();
-    }
-
-    this.#filterFn = options.filter ?? noop;
-    this.#matchFn = options.match ?? noop;
-  }
-
-  get count() {
-    return this.#count;
-  }
-
-  get properties() {
-    return Object.fromEntries(
-      this.#properties?.entries() ?? []
-    );
-  }
-
-  walk(node) {
-    if (!isNode(node) || node.type !== this.type) {
-      return;
-    }
-    if (!this.#filterFn(node)) {
-      return;
-    }
-
-    this.#count++;
-    if (this.lookup === null) {
-      this.#matchFn(node, this);
-    }
-    else if (this.lookup in node) {
-      this.#properties.add(node[this.lookup]);
-      this.#matchFn(node, this);
-    }
-  }
-}

package/src/SourceFile.js

@@ -1,147 +0,0 @@
-// Import Third-party Dependencies
-import { Utils, Literal } from "@nodesecure/sec-literal";
-import { VariableTracer } from "@nodesecure/estree-ast-utils";
-
-// Import Internal Dependencies
-import { rootLocation, toArrayLocation } from "./utils/index.js";
-import { generateWarning } from "./warnings.js";
-import { ProbeRunner } from "./ProbeRunner.js";
-import { Deobfuscator } from "./Deobfuscator.js";
-import * as trojan from "./obfuscators/trojan-source.js";
-
-// CONSTANTS
-const kMaximumEncodedLiterals = 10;
-
-export class SourceFile {
-  inTryStatement = false;
-  dependencyAutoWarning = false;
-  deobfuscator = new Deobfuscator();
-  dependencies = new Map();
-  encodedLiterals = new Map();
-  warnings = [];
-  /** @type {Set<string>} */
-  flags = new Set();
-
-  constructor(sourceCodeString, probesOptions = {}) {
-    this.tracer = new VariableTracer()
-      .enableDefaultTracing()
-      .trace("crypto.createHash", {
-        followConsecutiveAssignment: true, moduleName: "crypto"
-      });
-
-    let probes = ProbeRunner.Defaults;
-    if (Array.isArray(probesOptions.customProbes) && probesOptions.customProbes.length > 0) {
-      probes = probesOptions.skipDefaultProbes === true ? probesOptions.customProbes : [...probes, ...probesOptions.customProbes];
-    }
-    this.probesRunner = new ProbeRunner(this, probes);
-
-    if (trojan.verify(sourceCodeString)) {
-      this.addWarning("obfuscated-code", "trojan-source");
-    }
-  }
-
-  addDependency(name, location = null, unsafe = this.dependencyAutoWarning) {
-    if (typeof name !== "string" || name.trim() === "") {
-      return;
-    }
-
-    const dependencyName = name.charAt(name.length - 1) === "/" ?
-      name.slice(0, -1) : name;
-    this.dependencies.set(dependencyName, {
-      unsafe,
-      inTry: this.inTryStatement,
-      ...(location === null ? {} : { location })
-    });
-
-    if (this.dependencyAutoWarning) {
-      this.addWarning("unsafe-import", dependencyName, location);
-    }
-  }
-
-  addWarning(name, value, location = rootLocation()) {
-    const isEncodedLiteral = name === "encoded-literal";
-    if (isEncodedLiteral) {
-      if (this.encodedLiterals.size > kMaximumEncodedLiterals) {
-        return;
-      }
-
-      if (this.encodedLiterals.has(value)) {
-        const index = this.encodedLiterals.get(value);
-        this.warnings[index].location.push(toArrayLocation(location));
-
-        return;
-      }
-    }
-
-    this.warnings.push(generateWarning(name, { value, location }));
-    if (isEncodedLiteral) {
-      this.encodedLiterals.set(value, this.warnings.length - 1);
-    }
-  }
-
-  analyzeLiteral(node, inArrayExpr = false) {
-    if (typeof node.value !== "string" || Utils.isSvg(node)) {
-      return;
-    }
-    this.deobfuscator.analyzeString(node.value);
-
-    const { hasHexadecimalSequence, hasUnicodeSequence, isBase64 } = Literal.defaultAnalysis(node);
-    if ((hasHexadecimalSequence || hasUnicodeSequence) && isBase64) {
-      if (inArrayExpr) {
-        this.deobfuscator.encodedArrayValue++;
-      }
-      else {
-        this.addWarning("encoded-literal", node.value, node.loc);
-      }
-    }
-  }
-
-  getResult(isMinified) {
-    const obfuscatorName = this.deobfuscator.assertObfuscation(this);
-    if (obfuscatorName !== null) {
-      this.addWarning("obfuscated-code", obfuscatorName);
-    }
-
-    const identifiersLengthArr = this.deobfuscator.identifiers
-      .filter((value) => value.type !== "Property" && typeof value.name === "string")
-      .map((value) => value.name.length);
-
-    const [idsLengthAvg, stringScore] = [
-      sum(identifiersLengthArr),
-      sum(this.deobfuscator.literalScores)
-    ];
-    if (!isMinified && identifiersLengthArr.length > 5 && idsLengthAvg <= 1.5) {
-      this.addWarning("short-identifiers", idsLengthAvg);
-    }
-    if (stringScore >= 3) {
-      this.addWarning("suspicious-literal", stringScore);
-    }
-
-    if (this.encodedLiterals.size > kMaximumEncodedLiterals) {
-      this.addWarning("suspicious-file", null);
-      this.warnings = this.warnings
-        .filter((warning) => warning.kind !== "encoded-literal");
-    }
-
-    return { idsLengthAvg, stringScore, warnings: this.warnings };
-  }
-
-  walk(node) {
-    this.tracer.walk(node);
-    this.deobfuscator.walk(node);
-
-    // Detect TryStatement and CatchClause to known which dependency is required in a Try {} clause
-    if (node.type === "TryStatement" && node.handler) {
-      this.inTryStatement = true;
-    }
-    else if (node.type === "CatchClause") {
-      this.inTryStatement = false;
-    }
-
-    return this.probesRunner.walk(node);
-  }
-}
-
-function sum(arr = []) {
-  return arr.length === 0 ? 0 : (arr.reduce((prev, curr) => prev + curr, 0) / arr.length);
-}

package/src/obfuscators/freejsobfuscator.js

@@ -1,9 +0,0 @@
-// Import Third-party Dependencies
-import { Utils } from "@nodesecure/sec-literal";
-
-export function verify(identifiers, prefix) {
-  const pValue = Object.keys(prefix).pop();
-  const regexStr = `^${Utils.escapeRegExp(pValue)}[a-zA-Z]{1,2}[0-9]{0,2}$`;
-
-  return identifiers.every(({ name }) => new RegExp(regexStr).test(name));
-}

package/src/obfuscators/jsfuck.js

@@ -1,11 +0,0 @@
-// CONSTANTS
-const kJSFuckMinimumDoubleUnaryExpr = 5;
-
-export function verify(counters) {
-  const hasZeroAssign = counters.AssignmentExpression === 0
-    && counters.FunctionDeclaration === 0
-    && counters.Property === 0
-    && counters.VariableDeclarator === 0;
-
-  return hasZeroAssign && counters.DoubleUnaryExpression >= kJSFuckMinimumDoubleUnaryExpr;
-}

package/src/probes/isESMExport.js

@@ -1,31 +0,0 @@
-/**
- * @description Search for ESM Export
- *
- * @example
- * export { bar } from "./foo.js";
- * export * from "./bar.js";
- */
-function validateNode(node) {
-  return [
-    /**
-     * We must be sure that the source property is a Literal to not fall in a trap
-     * export const foo = "bar";
-     */
-    (node.type === "ExportNamedDeclaration" && node.source?.type === "Literal") ||
-    node.type === "ExportAllDeclaration"
-  ];
-}
-
-function main(node, { sourceFile }) {
-  sourceFile.addDependency(
-    node.source.value,
-    node.loc
-  );
-}
-
-export default {
-  name: "isESMExport",
-  validateNode,
-  main,
-  breakOnMatch: true
-};

package/src/probes/isImportDeclaration.js

@@ -1,33 +0,0 @@
-/**
- * @description Search for ESM ImportDeclaration
- * @see https://github.com/estree/estree/blob/master/es2015.md#importdeclaration
- * @example
- * import * as foo from "bar";
- * import fs from "fs";
- * import "make-promises-safe";
- */
-function validateNode(node) {
-  return [
-    // Note: the source property is the right-side Literal part of the Import
-    ["ImportDeclaration", "ImportExpression"].includes(node.type) && node.source.type === "Literal"
-  ];
-}
-
-function main(node, options) {
-  const { sourceFile } = options;
-
-  // Searching for dangerous import "data:text/javascript;..." statement.
-  // see: https://2ality.com/2019/10/eval-via-import.html
-  if (node.source.value.startsWith("data:text/javascript")) {
-    sourceFile.addWarning("unsafe-import", node.source.value, node.loc);
-  }
-  sourceFile.addDependency(node.source.value, node.loc);
-}
-
-export default {
-  name: "isImportDeclaration",
-  validateNode,
-  main,
-  breakOnMatch: true,
-  breakGroup: "import"
-};

package/src/probes/isLiteralRegex.js

@@ -1,31 +0,0 @@
-// Require Third-party Dependencies
-import { isLiteralRegex } from "@nodesecure/estree-ast-utils";
-import safeRegex from "safe-regex";
-
-/**
- * @description Search for RegExpLiteral AST Node
- * @see https://github.com/estree/estree/blob/master/es5.md#regexpliteral
- * @example
- * /hello/
- */
-function validateNode(node) {
-  return [
-    isLiteralRegex(node)
-  ];
-}
-
-function main(node, options) {
-  const { sourceFile } = options;
-
-  // We use the safe-regex package to detect whether or not regex is safe!
-  if (!safeRegex(node.regex.pattern)) {
-    sourceFile.addWarning("unsafe-regex", node.regex.pattern, node.loc);
-  }
-}
-
-export default {
-  name: "isLiteralRegex",
-  validateNode,
-  main,
-  breakOnMatch: false
-};

package/src/probes/isRequire/RequireCallExpressionWalker.js

@@ -1,93 +0,0 @@
-// Import Node.js Dependencies
-import path from "node:path";
-
-// Import Third-party Dependencies
-import { Hex } from "@nodesecure/sec-literal";
-import { walk as doWalk } from "estree-walker";
-import {
-  arrayExpressionToString,
-  getMemberExpressionIdentifier,
-  getCallExpressionArguments
-} from "@nodesecure/estree-ast-utils";
-
-export class RequireCallExpressionWalker {
-  constructor(tracer) {
-    this.tracer = tracer;
-    this.dependencies = new Set();
-    this.triggerWarning = true;
-  }
-
-  walk(nodeToWalk) {
-    this.dependencies = new Set();
-    this.triggerWarning = true;
-
-    // we need the `this` context of doWalk.enter
-    const self = this;
-    doWalk(nodeToWalk, {
-      enter(node) {
-        if (node.type !== "CallExpression" || node.arguments.length === 0) {
-          return;
-        }
-
-        const rootArgument = node.arguments.at(0);
-        if (rootArgument.type === "Literal" && Hex.isHex(rootArgument.value)) {
-          self.dependencies.add(Buffer.from(rootArgument.value, "hex").toString());
-          this.skip();
-
-          return;
-        }
-
-        const fullName = node.callee.type === "MemberExpression" ?
-          [...getMemberExpressionIdentifier(node.callee)].join(".") :
-          node.callee.name;
-        const tracedFullName = self.tracer.getDataFromIdentifier(fullName)?.identifierOrMemberExpr ?? fullName;
-        switch (tracedFullName) {
-          case "atob":
-            self.#handleAtob(node);
-            break;
-          case "Buffer.from":
-            self.#handleBufferFrom(node);
-            break;
-          case "require.resolve":
-            self.#handleRequireResolve(rootArgument);
-            break;
-          case "path.join":
-            self.#handlePathJoin(node);
-            break;
-        }
-      }
-    });
-
-    return { dependencies: this.dependencies, triggerWarning: this.triggerWarning };
-  }
-
-  #handleAtob(node) {
-    const nodeArguments = getCallExpressionArguments(node, { tracer: this.tracer });
-    if (nodeArguments !== null) {
-      this.dependencies.add(Buffer.from(nodeArguments.at(0), "base64").toString());
-    }
-  }
-
-  #handleBufferFrom(node) {
-    const [element] = node.arguments;
-    if (element.type === "ArrayExpression") {
-      const depName = [...arrayExpressionToString(element)].join("").trim();
-      this.dependencies.add(depName);
-    }
-  }
-
-  #handleRequireResolve(rootArgument) {
-    if (rootArgument.type === "Literal") {
-      this.dependencies.add(rootArgument.value);
-    }
-  }
-
-  #handlePathJoin(node) {
-    if (!node.arguments.every((arg) => arg.type === "Literal" && typeof arg.value === "string")) {
-      return;
-    }
-    const constructedPath = path.posix.join(...node.arguments.map((arg) => arg.value));
-    this.dependencies.add(constructedPath);
-    this.triggerWarning = false;
-  }
-}