@nodesecure/js-x-ray 9.0.0 → 9.2.0

package/src/ProbeRunner.js

@@ -1,144 +0,0 @@
-// Import Native Dependencies
-import assert from "node:assert";
-
-// Import all the probes
-import isUnsafeCallee from "./probes/isUnsafeCallee.js";
-import isLiteral from "./probes/isLiteral.js";
-import isLiteralRegex from "./probes/isLiteralRegex.js";
-import isRegexObject from "./probes/isRegexObject.js";
-import isRequire from "./probes/isRequire/isRequire.js";
-import isImportDeclaration from "./probes/isImportDeclaration.js";
-import isWeakCrypto from "./probes/isWeakCrypto.js";
-import isBinaryExpression from "./probes/isBinaryExpression.js";
-import isArrayExpression from "./probes/isArrayExpression.js";
-import isESMExport from "./probes/isESMExport.js";
-import isFetch from "./probes/isFetch.js";
-
-// Import Internal Dependencies
-import { SourceFile } from "./SourceFile.js";
-
-/**
- * @typedef {Object} Probe
- * @property {string} name
- * @property {any} validateNode
- * @property {(node: any, options: any) => any} main
- * @property {(options: any) => void} teardown
- * @property {boolean} [breakOnMatch=false]
- * @property {string} [breakGroup]
- */
-
-export const ProbeSignals = Object.freeze({
-  Break: Symbol.for("breakWalk"),
-  Skip: Symbol.for("skipWalk")
-});
-
-export class ProbeRunner {
-  /**
-   * Note:
-   * The order of the table has an importance/impact on the correct execution of the probes
-   *
-   * @type {Probe[]}
-   */
-  static Defaults = [
-    isFetch,
-    isRequire,
-    isESMExport,
-    isUnsafeCallee,
-    isLiteral,
-    isLiteralRegex,
-    isRegexObject,
-    isImportDeclaration,
-    isWeakCrypto,
-    isBinaryExpression,
-    isArrayExpression
-  ];
-
-  /**
-   *
-   * @param {!SourceFile} sourceFile
-   * @param {Probe[]} [probes=ProbeRunner.Defaults]
-   */
-  constructor(
-    sourceFile,
-    probes = ProbeRunner.Defaults
-  ) {
-    this.sourceFile = sourceFile;
-
-    for (const probe of probes) {
-      assert(
-        typeof probe.validateNode === "function" || Array.isArray(probe.validateNode),
-        `Invalid probe ${probe.name}: validateNode must be a function or an array of functions`
-      );
-      assert(
-        typeof probe.main === "function",
-        `Invalid probe ${probe.name}: main must be a function`
-      );
-    }
-
-    this.probes = probes;
-  }
-
-  /**
-   * @param {!Probe} probe
-   * @param {!any} node
-   * @returns {null|void|Symbol}
-   */
-  #runProbe(probe, node) {
-    const validationFns = Array.isArray(probe.validateNode) ?
-      probe.validateNode : [probe.validateNode];
-    for (const validateNode of validationFns) {
-      const [isMatching, data = null] = validateNode(
-        node,
-        this.sourceFile
-      );
-
-      if (isMatching) {
-        return probe.main(node, {
-          sourceFile: this.sourceFile,
-          data
-        });
-      }
-    }
-
-    return null;
-  }
-
-  walk(node) {
-    /** @type {Set<string>} */
-    const breakGroups = new Set();
-
-    for (const probe of this.probes) {
-      if (breakGroups.has(probe.breakGroup)) {
-        continue;
-      }
-
-      try {
-        const result = this.#runProbe(probe, node);
-        if (result === null) {
-          continue;
-        }
-
-        if (result === ProbeSignals.Skip) {
-          return "skip";
-        }
-        if (result === ProbeSignals.Break || probe.breakOnMatch) {
-          const breakGroup = probe.breakGroup || null;
-
-          if (breakGroup === null) {
-            break;
-          }
-          else {
-            breakGroups.add(breakGroup);
-          }
-        }
-      }
-      finally {
-        if (probe.teardown) {
-          probe.teardown({ sourceFile: this.sourceFile });
-        }
-      }
-    }
-
-    return null;
-  }
-}

package/src/SourceFile.js

@@ -1,147 +0,0 @@
-// Import Third-party Dependencies
-import { Utils, Literal } from "@nodesecure/sec-literal";
-import { VariableTracer } from "@nodesecure/estree-ast-utils";
-
-// Import Internal Dependencies
-import { rootLocation, toArrayLocation } from "./utils/index.js";
-import { generateWarning } from "./warnings.js";
-import { ProbeRunner } from "./ProbeRunner.js";
-import { Deobfuscator } from "./Deobfuscator.js";
-import * as trojan from "./obfuscators/trojan-source.js";
-
-// CONSTANTS
-const kMaximumEncodedLiterals = 10;
-
-export class SourceFile {
-  inTryStatement = false;
-  dependencyAutoWarning = false;
-  deobfuscator = new Deobfuscator();
-  dependencies = new Map();
-  encodedLiterals = new Map();
-  warnings = [];
-  /** @type {Set<string>} */
-  flags = new Set();
-
-  constructor(sourceCodeString, probesOptions = {}) {
-    this.tracer = new VariableTracer()
-      .enableDefaultTracing()
-      .trace("crypto.createHash", {
-        followConsecutiveAssignment: true, moduleName: "crypto"
-      });
-
-    let probes = ProbeRunner.Defaults;
-    if (Array.isArray(probesOptions.customProbes) && probesOptions.customProbes.length > 0) {
-      probes = probesOptions.skipDefaultProbes === true ? probesOptions.customProbes : [...probes, ...probesOptions.customProbes];
-    }
-    this.probesRunner = new ProbeRunner(this, probes);
-
-    if (trojan.verify(sourceCodeString)) {
-      this.addWarning("obfuscated-code", "trojan-source");
-    }
-  }
-
-  addDependency(name, location = null, unsafe = this.dependencyAutoWarning) {
-    if (typeof name !== "string" || name.trim() === "") {
-      return;
-    }
-
-    const dependencyName = name.charAt(name.length - 1) === "/" ?
-      name.slice(0, -1) : name;
-    this.dependencies.set(dependencyName, {
-      unsafe,
-      inTry: this.inTryStatement,
-      ...(location === null ? {} : { location })
-    });
-
-    if (this.dependencyAutoWarning) {
-      this.addWarning("unsafe-import", dependencyName, location);
-    }
-  }
-
-  addWarning(name, value, location = rootLocation()) {
-    const isEncodedLiteral = name === "encoded-literal";
-    if (isEncodedLiteral) {
-      if (this.encodedLiterals.size > kMaximumEncodedLiterals) {
-        return;
-      }
-
-      if (this.encodedLiterals.has(value)) {
-        const index = this.encodedLiterals.get(value);
-        this.warnings[index].location.push(toArrayLocation(location));
-
-        return;
-      }
-    }
-
-    this.warnings.push(generateWarning(name, { value, location }));
-    if (isEncodedLiteral) {
-      this.encodedLiterals.set(value, this.warnings.length - 1);
-    }
-  }
-
-  analyzeLiteral(node, inArrayExpr = false) {
-    if (typeof node.value !== "string" || Utils.isSvg(node)) {
-      return;
-    }
-    this.deobfuscator.analyzeString(node.value);
-
-    const { hasHexadecimalSequence, hasUnicodeSequence, isBase64 } = Literal.defaultAnalysis(node);
-    if ((hasHexadecimalSequence || hasUnicodeSequence) && isBase64) {
-      if (inArrayExpr) {
-        this.deobfuscator.encodedArrayValue++;
-      }
-      else {
-        this.addWarning("encoded-literal", node.value, node.loc);
-      }
-    }
-  }
-
-  getResult(isMinified) {
-    const obfuscatorName = this.deobfuscator.assertObfuscation(this);
-    if (obfuscatorName !== null) {
-      this.addWarning("obfuscated-code", obfuscatorName);
-    }
-
-    const identifiersLengthArr = this.deobfuscator.identifiers
-      .filter((value) => value.type !== "Property" && typeof value.name === "string")
-      .map((value) => value.name.length);
-
-    const [idsLengthAvg, stringScore] = [
-      sum(identifiersLengthArr),
-      sum(this.deobfuscator.literalScores)
-    ];
-    if (!isMinified && identifiersLengthArr.length > 5 && idsLengthAvg <= 1.5) {
-      this.addWarning("short-identifiers", idsLengthAvg);
-    }
-    if (stringScore >= 3) {
-      this.addWarning("suspicious-literal", stringScore);
-    }
-
-    if (this.encodedLiterals.size > kMaximumEncodedLiterals) {
-      this.addWarning("suspicious-file", null);
-      this.warnings = this.warnings
-        .filter((warning) => warning.kind !== "encoded-literal");
-    }
-
-    return { idsLengthAvg, stringScore, warnings: this.warnings };
-  }
-
-  walk(node) {
-    this.tracer.walk(node);
-    this.deobfuscator.walk(node);
-
-    // Detect TryStatement and CatchClause to known which dependency is required in a Try {} clause
-    if (node.type === "TryStatement" && node.handler) {
-      this.inTryStatement = true;
-    }
-    else if (node.type === "CatchClause") {
-      this.inTryStatement = false;
-    }
-
-    return this.probesRunner.walk(node);
-  }
-}
-
-function sum(arr = []) {
-  return arr.length === 0 ? 0 : (arr.reduce((prev, curr) => prev + curr, 0) / arr.length);
-}

package/src/obfuscators/freejsobfuscator.js

@@ -1,9 +0,0 @@
-// Import Third-party Dependencies
-import { Utils } from "@nodesecure/sec-literal";
-
-export function verify(identifiers, prefix) {
-  const pValue = Object.keys(prefix).pop();
-  const regexStr = `^${Utils.escapeRegExp(pValue)}[a-zA-Z]{1,2}[0-9]{0,2}$`;
-
-  return identifiers.every(({ name }) => new RegExp(regexStr).test(name));
-}

package/src/obfuscators/jjencode.js

@@ -1,27 +0,0 @@
-// Import Internal Dependencies
-import { notNullOrUndefined } from "../utils/index.js";
-
-// CONSTANTS
-const kJJRegularSymbols = new Set(["$", "_"]);
-
-export function verify(identifiers, counters) {
-  if (counters.VariableDeclarator > 0 || counters.FunctionDeclaration > 0) {
-    return false;
-  }
-  if (counters.AssignmentExpression > counters.Property) {
-    return false;
-  }
-
-  const matchCount = identifiers.filter(({ name }) => {
-    if (!notNullOrUndefined(name)) {
-      return false;
-    }
-    const charsCode = [...new Set([...name])];
-
-    return charsCode.every((char) => kJJRegularSymbols.has(char));
-  }).length;
-  const pourcent = ((matchCount / identifiers.length) * 100);
-
-  return pourcent > 80;
-}
-

package/src/obfuscators/jsfuck.js

@@ -1,11 +0,0 @@
-// CONSTANTS
-const kJSFuckMinimumDoubleUnaryExpr = 5;
-
-export function verify(counters) {
-  const hasZeroAssign = counters.AssignmentExpression === 0
-    && counters.FunctionDeclaration === 0
-    && counters.Property === 0
-    && counters.VariableDeclarator === 0;
-
-  return hasZeroAssign && counters.DoubleUnaryExpression >= kJSFuckMinimumDoubleUnaryExpr;
-}

package/src/obfuscators/obfuscator-io.js

@@ -1,13 +0,0 @@
-export function verify(deobfuscator, counters) {
-  if ((counters.MemberExpression?.false ?? 0) > 0) {
-    return false;
-  }
-
-  const hasSomePatterns = counters.DoubleUnaryExpression > 0
-    || deobfuscator.deepBinaryExpression > 0
-    || deobfuscator.encodedArrayValue > 0
-    || deobfuscator.hasDictionaryString;
-
-  // TODO: hasPrefixedIdentifiers only work for hexadecimal id names generator
-  return deobfuscator.hasPrefixedIdentifiers && hasSomePatterns;
-}

package/src/obfuscators/trojan-source.js

@@ -1,28 +0,0 @@
-/**
- * Dangerous Unicode control characters that can be used by hackers
- * to perform trojan source.
- */
-const kUnsafeUnicodeControlCharacters = [
-  "\u202A",
-  "\u202B",
-  "\u202D",
-  "\u202E",
-  "\u202C",
-  "\u2066",
-  "\u2067",
-  "\u2068",
-  "\u2069",
-  "\u200E",
-  "\u200F",
-  "\u061C"
-];
-
-export function verify(sourceString) {
-  for (const unsafeCharacter of kUnsafeUnicodeControlCharacters) {
-    if (sourceString.includes(unsafeCharacter)) {
-      return true;
-    }
-  }
-
-  return false;
-}

package/src/probes/isBinaryExpression.js

@@ -1,55 +0,0 @@
-/**
- * @description Search for BinaryExpression AST Node.
- *
- * @see https://github.com/estree/estree/blob/master/es5.md#binaryexpression
- * @example
- * 5 + 5 + 10
- */
-function validateNode(node) {
-  return [
-    node.type === "BinaryExpression"
-  ];
-}
-
-function main(node, options) {
-  const { sourceFile } = options;
-
-  const [binaryExprDeepness, hasUnaryExpression] = walkBinaryExpression(node);
-  if (binaryExprDeepness >= 3 && hasUnaryExpression) {
-    sourceFile.deobfuscator.deepBinaryExpression++;
-  }
-}
-
-/**
- * @description Look for suspicious BinaryExpression (read the Obfuscator.io section of the linked G.Doc)
- * @see https://docs.google.com/document/d/11ZrfW0bDQ-kd7Gr_Ixqyk8p3TGvxckmhFH3Z8dFoPhY/edit?usp=sharing
- * @see https://github.com/estree/estree/blob/master/es5.md#unaryexpression
- * @example
- * 0x1*-0x12df+-0x1fb9*-0x1+0x2*-0x66d
- */
-function walkBinaryExpression(expr, level = 1) {
-  const [lt, rt] = [expr.left.type, expr.right.type];
-  let hasUnaryExpression = lt === "UnaryExpression" || rt === "UnaryExpression";
-  let currentLevel = lt === "BinaryExpression" || rt === "BinaryExpression" ? level + 1 : level;
-
-  for (const currExpr of [expr.left, expr.right]) {
-    if (currExpr.type === "BinaryExpression") {
-      const [deepLevel, deepHasUnaryExpression] = walkBinaryExpression(currExpr, currentLevel);
-      if (deepLevel > currentLevel) {
-        currentLevel = deepLevel;
-      }
-      if (!hasUnaryExpression && deepHasUnaryExpression) {
-        hasUnaryExpression = true;
-      }
-    }
-  }
-
-  return [currentLevel, hasUnaryExpression];
-}
-
-export default {
-  name: "isBinaryExpression",
-  validateNode,
-  main,
-  breakOnMatch: false
-};

package/src/probes/isESMExport.js

@@ -1,31 +0,0 @@
-/**
- * @description Search for ESM Export
- *
- * @example
- * export { bar } from "./foo.js";
- * export * from "./bar.js";
- */
-function validateNode(node) {
-  return [
-    /**
-     * We must be sure that the source property is a Literal to not fall in a trap
-     * export const foo = "bar";
-     */
-    (node.type === "ExportNamedDeclaration" && node.source?.type === "Literal") ||
-    node.type === "ExportAllDeclaration"
-  ];
-}
-
-function main(node, { sourceFile }) {
-  sourceFile.addDependency(
-    node.source.value,
-    node.loc
-  );
-}
-
-export default {
-  name: "isESMExport",
-  validateNode,
-  main,
-  breakOnMatch: true
-};

package/src/probes/isFetch.js

@@ -1,19 +0,0 @@
-// Import Third-party Dependencies
-import { getCallExpressionIdentifier } from "@nodesecure/estree-ast-utils";
-
-function validateNode(node) {
-  const id = getCallExpressionIdentifier(node);
-
-  return [id === "fetch"];
-}
-
-function main(_node, { sourceFile }) {
-  sourceFile.flags.add("fetch");
-}
-
-export default {
-  name: "isFetch",
-  validateNode,
-  main,
-  breakOnMatch: false
-};

package/src/probes/isImportDeclaration.js

@@ -1,33 +0,0 @@
-/**
- * @description Search for ESM ImportDeclaration
- * @see https://github.com/estree/estree/blob/master/es2015.md#importdeclaration
- * @example
- * import * as foo from "bar";
- * import fs from "fs";
- * import "make-promises-safe";
- */
-function validateNode(node) {
-  return [
-    // Note: the source property is the right-side Literal part of the Import
-    ["ImportDeclaration", "ImportExpression"].includes(node.type) && node.source.type === "Literal"
-  ];
-}
-
-function main(node, options) {
-  const { sourceFile } = options;
-
-  // Searching for dangerous import "data:text/javascript;..." statement.
-  // see: https://2ality.com/2019/10/eval-via-import.html
-  if (node.source.value.startsWith("data:text/javascript")) {
-    sourceFile.addWarning("unsafe-import", node.source.value, node.loc);
-  }
-  sourceFile.addDependency(node.source.value, node.loc);
-}
-
-export default {
-  name: "isImportDeclaration",
-  validateNode,
-  main,
-  breakOnMatch: true,
-  breakGroup: "import"
-};

package/src/probes/isLiteral.js

@@ -1,70 +0,0 @@
-// Import Node.js Dependencies
-import { builtinModules } from "module";
-
-// Import Third-party Dependencies
-import { Hex } from "@nodesecure/sec-literal";
-
-const kMapRegexIps = Object.freeze({
-  // eslint-disable-next-line @stylistic/max-len
-  regexIPv4: /^(https?:\/\/)(?!127\.)(?!.*:(?:0{1,3}|25[6-9])\.)(?!.*:(?:25[6-9])\.(?:0{1,3}|25[6-9])\.)(?!.*:(?:25[6-9])\.(?:25[6-9])\.(?:0{1,3}|25[6-9])\.)(?!.*:(?:25[6-9])\.(?:25[6-9])\.(?:25[6-9])\.(?:0{1,3}|25[6-9]))((?:\d{1,2}|1\d{2}|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d{2}|2[0-4]\d|25[0-5])(?::\d{1,5})?(\/[^\s]*)?$/,
-  regexIPv6: /^(https?:\/\/)(\[[0-9A-Fa-f:]+\])(?::\d{1,5})?(\/[^\s]*)?$/
-});
-
-// CONSTANTS
-const kNodeDeps = new Set(builtinModules);
-const kShadyLinkRegExps = [
-  kMapRegexIps.regexIPv4,
-  kMapRegexIps.regexIPv6,
-  /(http[s]?:\/\/(bit\.ly|ipinfo\.io|httpbin\.org).*)$/,
-  /(http[s]?:\/\/.*\.(link|xyz|tk|ml|ga|cf|gq|pw|top|club|mw|bd|ke|am|sbs|date|quest|cd|bid|cd|ws|icu|cam|uno|email|stream))$/
-];
-/**
- * @description Search for Literal AST Node
- * @see https://github.com/estree/estree/blob/master/es5.md#literal
- * @example
- * "foobar"
- */
-function validateNode(node) {
-  return [
-    node.type === "Literal" && typeof node.value === "string"
-  ];
-}
-
-function main(node, options) {
-  const { sourceFile } = options;
-
-  // We are searching for value obfuscated as hex of a minimum length of 4.
-  if (/^[0-9A-Fa-f]{4,}$/g.test(node.value)) {
-    const value = Buffer.from(node.value, "hex").toString();
-    sourceFile.deobfuscator.analyzeString(value);
-
-    // If the value we are retrieving is the name of a Node.js dependency,
-    // then we add it to the dependencies list and we throw an unsafe-import at the current location.
-    if (kNodeDeps.has(value)) {
-      sourceFile.addDependency(value, node.loc);
-      sourceFile.addWarning("unsafe-import", null, node.loc);
-    }
-    else if (value === "require" || !Hex.isSafe(node.value)) {
-      sourceFile.addWarning("encoded-literal", node.value, node.loc);
-    }
-  }
-  // Else we are checking all other string with our suspect method
-  else {
-    for (const regex of kShadyLinkRegExps) {
-      if (regex.test(node.value)) {
-        sourceFile.addWarning("shady-link", node.value, node.loc);
-
-        return;
-      }
-    }
-
-    sourceFile.analyzeLiteral(node);
-  }
-}
-
-export default {
-  name: "isLiteral",
-  validateNode,
-  main,
-  breakOnMatch: false
-};

package/src/probes/isLiteralRegex.js

@@ -1,31 +0,0 @@
-// Require Third-party Dependencies
-import { isLiteralRegex } from "@nodesecure/estree-ast-utils";
-import safeRegex from "safe-regex";
-
-/**
- * @description Search for RegExpLiteral AST Node
- * @see https://github.com/estree/estree/blob/master/es5.md#regexpliteral
- * @example
- * /hello/
- */
-function validateNode(node) {
-  return [
-    isLiteralRegex(node)
-  ];
-}
-
-function main(node, options) {
-  const { sourceFile } = options;
-
-  // We use the safe-regex package to detect whether or not regex is safe!
-  if (!safeRegex(node.regex.pattern)) {
-    sourceFile.addWarning("unsafe-regex", node.regex.pattern, node.loc);
-  }
-}
-
-export default {
-  name: "isLiteralRegex",
-  validateNode,
-  main,
-  breakOnMatch: false
-};

package/src/probes/isRegexObject.js

@@ -1,49 +0,0 @@
-// Import Third-party Dependencies
-import { isLiteralRegex } from "@nodesecure/estree-ast-utils";
-import safeRegex from "safe-regex";
-
-/**
- * @description Search for Regex Object constructor.
- * @see https://github.com/estree/estree/blob/master/es5.md#newexpression
- * @example
- * new RegExp("...");
- */
-function validateNode(node) {
-  return [
-    isRegexConstructor(node) && node.arguments.length > 0
-  ];
-}
-
-function main(node, options) {
-  const { sourceFile } = options;
-
-  const arg = node.arguments[0];
-  /**
-   * Note: RegExp Object can contain a RegExpLiteral
-   * @see https://github.com/estree/estree/blob/master/es5.md#regexpliteral
-   *
-   * @example
-   * new RegExp(/^foo/)
-   */
-  const pattern = isLiteralRegex(arg) ? arg.regex.pattern : arg.value;
-
-  // We use the safe-regex package to detect whether or not regex is safe!
-  if (!safeRegex(pattern)) {
-    sourceFile.addWarning("unsafe-regex", pattern, node.loc);
-  }
-}
-
-function isRegexConstructor(node) {
-  if (node.type !== "NewExpression" || node.callee.type !== "Identifier") {
-    return false;
-  }
-
-  return node.callee.name === "RegExp";
-}
-
-export default {
-  name: "isRegexObject",
-  validateNode,
-  main,
-  breakOnMatch: false
-};