npm - @nodesecure/js-x-ray - Versions diffs - 9.1.0 → 10.0.0 - Mend

@nodesecure/js-x-ray 9.1.0 → 10.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (202) hide show

package/dist/AstAnalyser.d.ts +79 -0
package/dist/AstAnalyser.d.ts.map +1 -0
package/dist/AstAnalyser.js +183 -0
package/dist/AstAnalyser.js.map +1 -0
package/dist/Deobfuscator.d.ts +36 -0
package/dist/Deobfuscator.d.ts.map +1 -0
package/dist/Deobfuscator.js +154 -0
package/dist/Deobfuscator.js.map +1 -0
package/dist/EntryFilesAnalyser.d.ts +20 -0
package/dist/EntryFilesAnalyser.d.ts.map +1 -0
package/dist/EntryFilesAnalyser.js +121 -0
package/dist/EntryFilesAnalyser.js.map +1 -0
package/dist/JsSourceParser.d.ts +18 -0
package/dist/JsSourceParser.d.ts.map +1 -0
package/dist/JsSourceParser.js +38 -0
package/dist/JsSourceParser.js.map +1 -0
package/dist/NodeCounter.d.ts +24 -0
package/dist/NodeCounter.d.ts.map +1 -0
package/dist/NodeCounter.js +62 -0
package/dist/NodeCounter.js.map +1 -0
package/dist/ProbeRunner.d.ts +45 -0
package/dist/ProbeRunner.d.ts.map +1 -0
package/dist/ProbeRunner.js +136 -0
package/dist/ProbeRunner.js.map +1 -0
package/dist/SourceFile.d.ts +26 -0
package/dist/SourceFile.d.ts.map +1 -0
package/dist/SourceFile.js +108 -0
package/dist/SourceFile.js.map +1 -0
package/dist/index.d.ts +7 -0
package/dist/index.d.ts.map +1 -0
package/{src/index.ts → dist/index.js} +2 -0
package/dist/index.js.map +1 -0
package/dist/obfuscators/freejsobfuscator.d.ts +3 -0
package/dist/obfuscators/freejsobfuscator.d.ts.map +1 -0
package/dist/obfuscators/freejsobfuscator.js +10 -0
package/dist/obfuscators/freejsobfuscator.js.map +1 -0
package/dist/obfuscators/jjencode.d.ts +3 -0
package/dist/obfuscators/jjencode.d.ts.map +1 -0
package/dist/obfuscators/jjencode.js +24 -0
package/dist/obfuscators/jjencode.js.map +1 -0
package/dist/obfuscators/jsfuck.d.ts +3 -0
package/dist/obfuscators/jsfuck.d.ts.map +1 -0
package/dist/obfuscators/jsfuck.js +13 -0
package/dist/obfuscators/jsfuck.js.map +1 -0
package/dist/obfuscators/obfuscator-io.d.ts +3 -0
package/dist/obfuscators/obfuscator-io.d.ts.map +1 -0
package/dist/obfuscators/obfuscator-io.js +15 -0
package/dist/obfuscators/obfuscator-io.js.map +1 -0
package/dist/obfuscators/trojan-source.d.ts +2 -0
package/dist/obfuscators/trojan-source.d.ts.map +1 -0
package/dist/obfuscators/trojan-source.js +27 -0
package/dist/obfuscators/trojan-source.js.map +1 -0
package/dist/pipelines/Runner.class.d.ts +11 -0
package/dist/pipelines/Runner.class.d.ts.map +1 -0
package/dist/pipelines/Runner.class.js +20 -0
package/dist/pipelines/Runner.class.js.map +1 -0
package/dist/pipelines/deobfuscate.d.ts +8 -0
package/dist/pipelines/deobfuscate.d.ts.map +1 -0
package/dist/pipelines/deobfuscate.js +33 -0
package/dist/pipelines/deobfuscate.js.map +1 -0
package/dist/pipelines/index.d.ts +8 -0
package/dist/pipelines/index.d.ts.map +1 -0
package/dist/pipelines/index.js +8 -0
package/dist/pipelines/index.js.map +1 -0
package/dist/probes/data-exfiltration.d.ts +19 -0
package/dist/probes/data-exfiltration.d.ts.map +1 -0
package/dist/probes/data-exfiltration.js +84 -0
package/dist/probes/data-exfiltration.js.map +1 -0
package/dist/probes/isArrayExpression.d.ts +21 -0
package/dist/probes/isArrayExpression.d.ts.map +1 -0
package/dist/probes/isArrayExpression.js +27 -0
package/dist/probes/isArrayExpression.js.map +1 -0
package/dist/probes/isBinaryExpression.d.ts +21 -0
package/dist/probes/isBinaryExpression.d.ts.map +1 -0
package/dist/probes/isBinaryExpression.js +54 -0
package/dist/probes/isBinaryExpression.js.map +1 -0
package/dist/probes/isESMExport.d.ts +24 -0
package/dist/probes/isESMExport.d.ts.map +1 -0
package/dist/probes/isESMExport.js +30 -0
package/dist/probes/isESMExport.js.map +1 -0
package/dist/probes/isFetch.d.ts +14 -0
package/dist/probes/isFetch.d.ts.map +1 -0
package/dist/probes/isFetch.js +26 -0
package/dist/probes/isFetch.js.map +1 -0
package/dist/probes/isImportDeclaration.d.ts +26 -0
package/dist/probes/isImportDeclaration.d.ts.map +1 -0
package/dist/probes/isImportDeclaration.js +38 -0
package/dist/probes/isImportDeclaration.js.map +1 -0
package/dist/probes/isLiteral.d.ts +21 -0
package/dist/probes/isLiteral.d.ts.map +1 -0
package/dist/probes/isLiteral.js +66 -0
package/dist/probes/isLiteral.js.map +1 -0
package/dist/probes/isLiteralRegex.d.ts +20 -0
package/dist/probes/isLiteralRegex.d.ts.map +1 -0
package/dist/probes/isLiteralRegex.js +30 -0
package/dist/probes/isLiteralRegex.js.map +1 -0
package/dist/probes/isRegexObject.d.ts +22 -0
package/dist/probes/isRegexObject.d.ts.map +1 -0
package/dist/probes/isRegexObject.js +50 -0
package/dist/probes/isRegexObject.js.map +1 -0
package/dist/probes/isRequire/RequireCallExpressionWalker.d.ts +15 -0
package/dist/probes/isRequire/RequireCallExpressionWalker.d.ts.map +1 -0
package/dist/probes/isRequire/RequireCallExpressionWalker.js +92 -0
package/dist/probes/isRequire/RequireCallExpressionWalker.js.map +1 -0
package/dist/probes/isRequire/isRequire.d.ts +15 -0
package/dist/probes/isRequire/isRequire.d.ts.map +1 -0
package/dist/probes/isRequire/isRequire.js +136 -0
package/dist/probes/isRequire/isRequire.js.map +1 -0
package/dist/probes/isSerializeEnv.d.ts +22 -0
package/dist/probes/isSerializeEnv.d.ts.map +1 -0
package/dist/probes/isSerializeEnv.js +68 -0
package/dist/probes/isSerializeEnv.js.map +1 -0
package/dist/probes/isSyncIO.d.ts +14 -0
package/dist/probes/isSyncIO.d.ts.map +1 -0
package/dist/probes/isSyncIO.js +73 -0
package/dist/probes/isSyncIO.js.map +1 -0
package/dist/probes/isUnsafeCallee.d.ts +19 -0
package/dist/probes/isUnsafeCallee.d.ts.map +1 -0
package/dist/probes/isUnsafeCallee.js +58 -0
package/dist/probes/isUnsafeCallee.js.map +1 -0
package/dist/probes/isUnsafeCommand.d.ts +21 -0
package/dist/probes/isUnsafeCommand.d.ts.map +1 -0
package/dist/probes/isUnsafeCommand.js +110 -0
package/dist/probes/isUnsafeCommand.js.map +1 -0
package/dist/probes/isWeakCrypto.d.ts +14 -0
package/dist/probes/isWeakCrypto.d.ts.map +1 -0
package/dist/probes/isWeakCrypto.js +46 -0
package/dist/probes/isWeakCrypto.js.map +1 -0
package/dist/types/estree.d.ts +12 -0
package/dist/types/estree.d.ts.map +1 -0
package/dist/types/estree.js +26 -0
package/dist/types/estree.js.map +1 -0
package/dist/utils/extractNode.d.ts +5 -0
package/dist/utils/extractNode.d.ts.map +1 -0
package/dist/utils/extractNode.js +13 -0
package/dist/utils/extractNode.js.map +1 -0
package/dist/utils/index.d.ts +5 -0
package/dist/utils/index.d.ts.map +1 -0
package/{src/utils/index.ts → dist/utils/index.js} +1 -0
package/dist/utils/index.js.map +1 -0
package/dist/utils/isOneLineExpressionExport.d.ts +3 -0
package/dist/utils/isOneLineExpressionExport.d.ts.map +1 -0
package/dist/utils/isOneLineExpressionExport.js +49 -0
package/dist/utils/isOneLineExpressionExport.js.map +1 -0
package/dist/utils/notNullOrUndefined.d.ts +2 -0
package/dist/utils/notNullOrUndefined.d.ts.map +1 -0
package/dist/utils/notNullOrUndefined.js +4 -0
package/dist/utils/notNullOrUndefined.js.map +1 -0
package/dist/utils/toArrayLocation.d.ts +5 -0
package/dist/utils/toArrayLocation.d.ts.map +1 -0
package/dist/utils/toArrayLocation.js +14 -0
package/dist/utils/toArrayLocation.js.map +1 -0
package/dist/walker/index.d.ts +9 -0
package/dist/walker/index.d.ts.map +1 -0
package/dist/walker/index.js +10 -0
package/dist/walker/index.js.map +1 -0
package/dist/walker/walker.base.d.ts +17 -0
package/dist/walker/walker.base.d.ts.map +1 -0
package/dist/walker/walker.base.js +45 -0
package/dist/walker/walker.base.js.map +1 -0
package/dist/walker/walker.sync.d.ts +15 -0
package/dist/walker/walker.sync.d.ts.map +1 -0
package/dist/walker/walker.sync.js +87 -0
package/dist/walker/walker.sync.js.map +1 -0
package/dist/warnings.d.ts +93 -0
package/dist/warnings.d.ts.map +1 -0
package/dist/warnings.js +96 -0
package/dist/warnings.js.map +1 -0
package/package.json +4 -8
package/src/AstAnalyser.ts +0 -283
package/src/Deobfuscator.ts +0 -228
package/src/EntryFilesAnalyser.ts +0 -206
package/src/JsSourceParser.ts +0 -77
package/src/NodeCounter.ts +0 -90
package/src/ProbeRunner.ts +0 -167
package/src/SourceFile.ts +0 -226
package/src/obfuscators/freejsobfuscator.ts +0 -17
package/src/obfuscators/jjencode.ts +0 -39
package/src/obfuscators/jsfuck.ts +0 -19
package/src/obfuscators/obfuscator-io.ts +0 -25
package/src/obfuscators/trojan-source.ts +0 -30
package/src/probes/isArrayExpression.ts +0 -41
package/src/probes/isBinaryExpression.ts +0 -74
package/src/probes/isESMExport.ts +0 -50
package/src/probes/isFetch.ts +0 -28
package/src/probes/isImportDeclaration.ts +0 -58
package/src/probes/isLiteral.ts +0 -91
package/src/probes/isLiteralRegex.ts +0 -42
package/src/probes/isRegexObject.ts +0 -71
package/src/probes/isRequire/RequireCallExpressionWalker.ts +0 -142
package/src/probes/isRequire/isRequire.ts +0 -195
package/src/probes/isSerializeEnv.ts +0 -65
package/src/probes/isSyncIO.ts +0 -96
package/src/probes/isUnsafeCallee.ts +0 -89
package/src/probes/isUnsafeCommand.ts +0 -133
package/src/probes/isWeakCrypto.ts +0 -69
package/src/types/estree.ts +0 -35
package/src/utils/extractNode.ts +0 -22
package/src/utils/isOneLineExpressionExport.ts +0 -70
package/src/utils/notNullOrUndefined.ts +0 -5
package/src/utils/toArrayLocation.ts +0 -22
package/src/warnings.ts +0 -146

package/src/probes/isRequire/isRequire.ts DELETED Viewed

@@ -1,195 +0,0 @@
-/* eslint-disable consistent-return */
-// Import Third-party Dependencies
-import {
-  concatBinaryExpression,
-  arrayExpressionToString,
-  getCallExpressionIdentifier,
-  getCallExpressionArguments
-} from "@nodesecure/estree-ast-utils";
-import type { ESTree } from "meriyah";
-// Import Internal Dependencies
-import { ProbeSignals } from "../../ProbeRunner.js";
-import { SourceFile } from "../../SourceFile.js";
-import { isLiteral } from "../../types/estree.js";
-import { RequireCallExpressionWalker } from "./RequireCallExpressionWalker.js";
-import { generateWarning } from "../../warnings.js";
-function validateNodeRequire(
-  node: ESTree.Node,
-  { tracer }: SourceFile
-): [boolean, any?] {
-  const id = getCallExpressionIdentifier(node, {
-    resolveCallExpression: false
-  });
-  if (id === null) {
-    return [false];
-  }
-  const data = tracer.getDataFromIdentifier(id, {
-    removeGlobalIdentifier: true
-  });
-  return [
-    data !== null && data.name === "require",
-    id ?? void 0
-  ];
-}
-function validateNodeEvalRequire(
-  node: ESTree.Node
-): [boolean, any?] {
-  const id = getCallExpressionIdentifier(node);
-  if (id !== "eval") {
-    return [false];
-  }
-  const castedNode = node as ESTree.CallExpression;
-  if (castedNode.callee.type !== "CallExpression") {
-    return [false];
-  }
-  const args = getCallExpressionArguments(castedNode.callee);
-  if (args === null) {
-    return [false];
-  }
-  return [
-    args.length > 0 && args.at(0) === "require",
-    id
-  ];
-}
-function teardown(
-  { sourceFile }: { sourceFile: SourceFile; }
-) {
-  sourceFile.dependencyAutoWarning = false;
-}
-function main(
-  node: ESTree.CallExpression,
-  options: { sourceFile: SourceFile; data?: string; }
-) {
-  const { sourceFile, data: calleeName } = options;
-  const { tracer } = sourceFile;
-  if (node.arguments.length === 0) {
-    return;
-  }
-  const arg = node.arguments.at(0);
-  if (arg === undefined) {
-    return;
-  }
-  if (calleeName === "eval") {
-    sourceFile.dependencyAutoWarning = true;
-  }
-  const location = node.loc;
-  switch (arg.type) {
-    // const foo = "http"; require(foo);
-    case "Identifier":
-      if (sourceFile.tracer.literalIdentifiers.has(arg.name)) {
-        sourceFile.addDependency(
-          sourceFile.tracer.literalIdentifiers.get(arg.name)!,
-          node.loc
-        );
-      }
-      else {
-        sourceFile.warnings.push(
-          generateWarning("unsafe-import", { value: null, location })
-        );
-      }
-      break;
-    // require("http")
-    case "Literal":
-      if (isLiteral(arg)) {
-        sourceFile.addDependency(arg.value, node.loc);
-      }
-      break;
-    // require(["ht", "tp"])
-    case "ArrayExpression": {
-      const value = [
-        ...arrayExpressionToString(arg, {
-          externalIdentifierLookup: (name) => tracer.literalIdentifiers.get(name) ?? null
-        })
-      ]
-        .join("")
-        .trim();
-      if (value === "") {
-        sourceFile.warnings.push(
-          generateWarning("unsafe-import", { value: null, location })
-        );
-      }
-      else {
-        sourceFile.addDependency(value, node.loc);
-      }
-      break;
-    }
-    // require("ht" + "tp");
-    case "BinaryExpression": {
-      if (arg.operator !== "+") {
-        sourceFile.warnings.push(
-          generateWarning("unsafe-import", { value: null, location })
-        );
-        break;
-      }
-      try {
-        const iter = concatBinaryExpression(arg, {
-          externalIdentifierLookup: (name) => tracer.literalIdentifiers.get(name) ?? null,
-          stopOnUnsupportedNode: true
-        });
-        sourceFile.addDependency([...iter].join(""), node.loc);
-      }
-      catch {
-        sourceFile.warnings.push(
-          generateWarning("unsafe-import", { value: null, location })
-        );
-      }
-      break;
-    }
-    // require(Buffer.from("...", "hex").toString());
-    case "CallExpression": {
-      const walker = new RequireCallExpressionWalker(tracer);
-      const { dependencies, triggerWarning } = walker.walk(arg);
-      dependencies.forEach((depName) => sourceFile.addDependency(depName, node.loc, true));
-      if (triggerWarning) {
-        sourceFile.warnings.push(
-          generateWarning("unsafe-import", { value: null, location })
-        );
-      }
-      // We skip walking the tree to avoid anymore warnings...
-      return ProbeSignals.Skip;
-    }
-    default:
-      sourceFile.warnings.push(
-        generateWarning("unsafe-import", { value: null, location })
-      );
-  }
-  return;
-}
-export default {
-  name: "isRequire",
-  validateNode: [
-    validateNodeRequire,
-    validateNodeEvalRequire
-  ],
-  main,
-  teardown,
-  breakOnMatch: true,
-  breakGroup: "import"
-};

package/src/probes/isSerializeEnv.ts DELETED Viewed

@@ -1,65 +0,0 @@
-// Import Third-party Dependencies
-import {
-  getCallExpressionIdentifier,
-  getMemberExpressionIdentifier
-} from "@nodesecure/estree-ast-utils";
-import type { ESTree } from "meriyah";
-// Import Internal Dependencies
-import { SourceFile } from "../SourceFile.js";
-import { generateWarning } from "../warnings.js";
-import { ProbeSignals } from "../ProbeRunner.js";
-/**
- * @description Detect serialization of process.env which could indicate environment variable exfiltration
- * @example
- * JSON.stringify(process.env)
- * JSON.stringify(process["env"])
- * JSON.stringify(process["env"])
- * JSON.stringify(process[`env`])
- */
-function validateNode(
-  node: ESTree.Node
-): [boolean, any?] {
-  const id = getCallExpressionIdentifier(node);
-  if (id !== "JSON.stringify") {
-    return [false];
-  }
-  const castedNode = node as ESTree.CallExpression;
-  if (castedNode.arguments.length === 0) {
-    return [false];
-  }
-  const firstArg = castedNode.arguments[0];
-  if (firstArg.type === "MemberExpression") {
-    const memberExprId = [...getMemberExpressionIdentifier(firstArg)].join(".");
-    if (memberExprId === "process.env") {
-      return [true];
-    }
-  }
-  return [false];
-}
-function main(
-  node: ESTree.Node,
-  options: { sourceFile: SourceFile; }
-) {
-  const { sourceFile } = options;
-  const warning = generateWarning("serialize-environment", {
-    value: "JSON.stringify(process.env)",
-    location: node.loc
-  });
-  sourceFile.warnings.push(warning);
-  return ProbeSignals.Skip;
-}
-export default {
-  name: "isSerializeEnv",
-  validateNode,
-  main,
-  breakOnMatch: false
-};

package/src/probes/isSyncIO.ts DELETED Viewed

@@ -1,96 +0,0 @@
-// Import Third-party Dependencies
-import { getCallExpressionIdentifier } from "@nodesecure/estree-ast-utils";
-import type { ESTree } from "meriyah";
-// Import Internal Dependencies
-import { SourceFile } from "../SourceFile.js";
-import { generateWarning } from "../warnings.js";
-// CONSTANTS
-const kTracedNodeCoreModules = ["fs", "crypto", "child_process", "zlib"];
-const kSyncIOIdentifierOrMemberExps = [
-  "crypto.pbkdf2Sync",
-  "crypto.scryptSync",
-  "crypto.generateKeyPairSync",
-  "fs.readFileSync",
-  "fs.writeFileSync",
-  "fs.appendFileSync",
-  "fs.readSync",
-  "fs.writeSync",
-  "fs.readdirSync",
-  "fs.statSync",
-  "fs.mkdirSync",
-  "fs.renameSync",
-  "fs.unlinkSync",
-  "fs.symlinkSync",
-  "fs.openSync",
-  "fs.fstatSync",
-  "fs.linkSync",
-  "fs.realpathSync",
-  "child_process.execSync",
-  "child_process.spawnSync",
-  "child_process.execFileSync",
-  "zlib.deflateSync",
-  "zlib.inflateSync",
-  "zlib.gzipSync",
-  "zlib.gunzipSync",
-  "zlib.brotliCompressSync",
-  "zlib.brotliDecompressSync"
-];
-function validateNode(
-  node: ESTree.Node,
-  { tracer }: SourceFile
-): [boolean, any?] {
-  const id = getCallExpressionIdentifier(
-    node,
-    {
-      externalIdentifierLookup: (name) => tracer.literalIdentifiers.get(name) ?? null
-    }
-  );
-  if (
-    id === null ||
-    !kTracedNodeCoreModules.some((moduleName) => tracer.importedModules.has(moduleName))
-  ) {
-    return [false];
-  }
-  const data = tracer.getDataFromIdentifier(id);
-  return [
-    data !== null &&
-    data.identifierOrMemberExpr.endsWith("Sync")
-  ];
-}
-function initialize(
-  sourceFile: SourceFile
-) {
-  kSyncIOIdentifierOrMemberExps.forEach((identifierOrMemberExp) => {
-    const moduleName = identifierOrMemberExp.split(".")[0];
-    return sourceFile.tracer.trace(identifierOrMemberExp, {
-      followConsecutiveAssignment: true,
-      moduleName
-    });
-  });
-}
-function main(
-  node: ESTree.CallExpression,
-  { sourceFile }: { sourceFile: SourceFile; }
-) {
-  const warning = generateWarning("synchronous-io", {
-    value: node.callee.name,
-    location: node.loc
-  });
-  sourceFile.warnings.push(warning);
-}
-export default {
-  name: "isSyncIO",
-  validateNode,
-  main,
-  initialize,
-  breakOnMatch: false
-};

package/src/probes/isUnsafeCallee.ts DELETED Viewed

@@ -1,89 +0,0 @@
-// Import Third-party Dependencies
-import type { ESTree } from "meriyah";
-import { getCallExpressionIdentifier } from "@nodesecure/estree-ast-utils";
-// Import Internal Dependencies
-import { SourceFile } from "../SourceFile.js";
-import { generateWarning } from "../warnings.js";
-import { ProbeSignals } from "../ProbeRunner.js";
-/**
- * @description Detect unsafe statement
- * @example
- * eval("this");
- * Function("return this")();
- */
-function validateNode(
-  node: ESTree.Node
-): [boolean, any?] {
-  return isUnsafeCallee(node);
-}
-function main(
-  node: ESTree.CallExpression,
-  options: { sourceFile: SourceFile; data?: string; }
-) {
-  const { sourceFile, data: calleeName } = options;
-  if (!calleeName) {
-    return ProbeSignals.Skip;
-  }
-  if (
-    calleeName === "Function" &&
-    node.callee.arguments.length > 0 &&
-    node.callee.arguments[0].value === "return this"
-  ) {
-    return ProbeSignals.Skip;
-  }
-  const warning = generateWarning("unsafe-stmt", {
-    value: calleeName,
-    location: node.loc
-  });
-  sourceFile.warnings.push(warning);
-  return ProbeSignals.Skip;
-}
-function isEvalCallee(
-  node: ESTree.CallExpression
-): boolean {
-  const identifier = getCallExpressionIdentifier(node, {
-    resolveCallExpression: false
-  });
-  return identifier === "eval";
-}
-function isFunctionCallee(
-  node: ESTree.CallExpression
-): boolean {
-  const identifier = getCallExpressionIdentifier(node);
-  return identifier === "Function" && node.callee.type === "CallExpression";
-}
-export function isUnsafeCallee(
-  node: ESTree.CallExpression | ESTree.Node
-): [boolean, "eval" | "Function" | null] {
-  if (node.type !== "CallExpression") {
-    return [false, null];
-  }
-  if (isEvalCallee(node)) {
-    return [true, "eval"];
-  }
-  if (isFunctionCallee(node)) {
-    return [true, "Function"];
-  }
-  return [false, null];
-}
-export default {
-  name: "isUnsafeCallee",
-  validateNode,
-  main,
-  breakOnMatch: false
-};

package/src/probes/isUnsafeCommand.ts DELETED Viewed

@@ -1,133 +0,0 @@
-// Import Third-party Dependencies
-import type { ESTree } from "meriyah";
-// Import Internal Dependencies
-import { SourceFile } from "../SourceFile.js";
-import { generateWarning } from "../warnings.js";
-import { ProbeSignals } from "../ProbeRunner.js";
-import { isLiteral } from "../types/estree.js";
-// CONSTANTS
-const kUnsafeCommands = ["csrutil"];
-function isUnsafeCommand(
-  command: string
-): boolean {
-  return kUnsafeCommands.some((unsafeCommand) => command.includes(unsafeCommand));
-}
-function isSpawnOrExec(
-  name: string
-): boolean {
-  return name === "spawn" ||
-    name === "exec" ||
-    name === "spawnSync" ||
-    name === "execSync";
-}
-/**
- * @description Detect spawn or exec unsafe commands
- * @example
- * child_process.spawn("csrutil", ["status"]);
- *
- * require("child_process").spawn("csrutil", ["disable"]);
- *
- * const { exec } = require("child_process");
- * exec("csrutil status");
- */
-function validateNode(
-  node: ESTree.Node
-): [boolean, any?] {
-  if (node.type !== "CallExpression" || node.arguments.length === 0) {
-    return [false];
-  }
-  // const { spawn } = require("child_process");
-  // spawn("...", ["..."]);
-  // or
-  // const { exec } = require("child_process");
-  // exec(...);
-  if (node.type === "CallExpression" &&
-    node.callee.type === "Identifier" &&
-    isSpawnOrExec(node.callee.name)
-  ) {
-    return [true, node.callee.name];
-  }
-  // child_process.spawn(...) or require("child_process").spawn(...)
-  // child_process.exec(...) or require("child_process").exec(...)
-  if (
-    node.callee.type === "MemberExpression" &&
-    node.callee.property.type === "Identifier" &&
-    isSpawnOrExec(node.callee.property.name)
-  ) {
-    // child_process.spawn(...)
-    // child_process.exec(...)
-    if (
-      node.callee.object.type === "Identifier" &&
-      node.callee.object.name === "child_process"
-    ) {
-      return [true, node.callee.property.name];
-    }
-    // require("child_process").spawn(...)
-    // require("child_process").exec(...)
-    if (
-      node.callee.object.type === "CallExpression" &&
-      node.callee.object.callee.type === "Identifier" &&
-      node.callee.object.callee.name === "require" &&
-      node.callee.object.arguments.length === 1 &&
-      node.callee.object.arguments[0].type === "Literal" &&
-      node.callee.object.arguments[0].value === "child_process"
-    ) {
-      return [true, node.callee.property.name];
-    }
-  }
-  return [false];
-}
-function main(
-  node: ESTree.CallExpression,
-  options: { sourceFile: SourceFile; data?: string; }
-) {
-  const { sourceFile, data: methodName } = options;
-  const commandArg = node.arguments[0];
-  if (!isLiteral(commandArg)) {
-    return null;
-  }
-  let command = commandArg.value;
-  if (isUnsafeCommand(command)) {
-    // Spawned command arguments are filled into an Array
-    // as second arguments. This is why we should add them
-    // manually to the command string.
-    if (methodName === "spawn" || methodName === "spawnSync") {
-      const arrExpr = node.arguments.at(1);
-      if (arrExpr && arrExpr.type === "ArrayExpression") {
-        arrExpr.elements
-          .filter((element) => isLiteral(element))
-          .forEach((element) => {
-            command += ` ${element.value}`;
-          });
-      }
-    }
-    const warning = generateWarning("unsafe-command", {
-      value: command,
-      location: node.loc
-    });
-    sourceFile.warnings.push(warning);
-    return ProbeSignals.Skip;
-  }
-  return null;
-}
-export default {
-  name: "isUnsafeCommand",
-  validateNode,
-  main
-};

package/src/probes/isWeakCrypto.ts DELETED Viewed

@@ -1,69 +0,0 @@
-// Import Third-party Dependencies
-import { getCallExpressionIdentifier } from "@nodesecure/estree-ast-utils";
-import type { ESTree } from "meriyah";
-// Import Internal Dependencies
-import { SourceFile } from "../SourceFile.js";
-import { generateWarning } from "../warnings.js";
-import {
-  isLiteral
-} from "../types/estree.js";
-// CONSTANTS
-const kWeakAlgorithms = new Set([
-  "md5",
-  "sha1",
-  "ripemd160",
-  "md4",
-  "md2"
-]);
-function validateNode(
-  node: ESTree.Node,
-  sourceFile: SourceFile
-): [boolean, any?] {
-  const { tracer } = sourceFile;
-  const id = getCallExpressionIdentifier(node);
-  if (id === null || !tracer.importedModules.has("crypto")) {
-    return [false];
-  }
-  const data = tracer.getDataFromIdentifier(id);
-  return [
-    data !== null && data.identifierOrMemberExpr === "crypto.createHash"
-  ];
-}
-function initialize(
-  sourceFile: SourceFile
-) {
-  sourceFile.tracer.trace("crypto.createHash", {
-    followConsecutiveAssignment: true,
-    moduleName: "crypto"
-  });
-}
-function main(
-  node: ESTree.CallExpression,
-  { sourceFile }: { sourceFile: SourceFile; }
-) {
-  const arg = node.arguments.at(0);
-  if (isLiteral(arg) && kWeakAlgorithms.has(arg.value)) {
-    const warning = generateWarning(
-      "weak-crypto",
-      { value: arg.value, location: node.loc }
-    );
-    sourceFile.warnings.push(warning);
-  }
-}
-export default {
-  name: "isWeakCrypto",
-  validateNode,
-  main,
-  initialize,
-  breakOnMatch: false
-};

package/src/types/estree.ts DELETED Viewed

@@ -1,35 +0,0 @@
-// Import Third-party Dependencies
-import type { ESTree } from "meriyah";
-export type Literal<T> = ESTree.Literal & {
-  value: T;
-};
-export type RegExpLiteral<T> = ESTree.RegExpLiteral & {
-  value: T;
-};
-export function isNode(
-  value: any
-): value is ESTree.Node {
-  return (
-    value !== null &&
-    typeof value === "object" &&
-    "type" in value &&
-    typeof value.type === "string"
-  );
-}
-export function isLiteral(
-  node: any
-): node is Literal<string> {
-  return isNode(node) &&
-    node.type === "Literal" &&
-    typeof node.value === "string";
-}
-export function isCallExpression(
-  node: any
-): node is ESTree.CallExpression {
-  return isNode(node) && node.type === "CallExpression";
-}

package/src/utils/extractNode.ts DELETED Viewed

@@ -1,22 +0,0 @@
-// Import Third-party Dependencies
-import type { ESTree } from "meriyah";
-// Import Internal Dependencies
-import { isNode } from "../types/estree.js";
-export type NodeExtractorCallback<T> = (node: T) => void;
-export type NodeOrNull = ESTree.Node | null;
-export function extractNode<T extends ESTree.Node>(
-  expectedType: T["type"]
-) {
-  return (callback: NodeExtractorCallback<T>, nodes: NodeOrNull | NodeOrNull[]) => {
-    const finalNodes = Array.isArray(nodes) ? nodes : [nodes];
-    for (const node of finalNodes) {
-      if (isNode(node) && node.type === expectedType) {
-        callback(node as T);
-      }
-    }
-  };
-}