@nodesecure/js-x-ray 9.1.0 → 10.0.0

package/dist/probes/isLiteral.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"isLiteral.d.ts","sourceRoot":"","sources":["../../src/probes/isLiteral.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAGtC,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAE9C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAiBlD;;;;;GAKG;AACH,iBAAS,YAAY,CACnB,IAAI,EAAE,MAAM,CAAC,IAAI,GAChB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAIjB;AAED,iBAAS,IAAI,CACX,IAAI,EAAE,OAAO,CAAC,MAAM,CAAC,EACrB,OAAO,EAAE;IAAE,UAAU,EAAE,UAAU,CAAC;CAAE,QAwCrC;;;;;;;AAED,wBAKE"}

package/dist/probes/isLiteral.js

@@ -0,0 +1,66 @@
+// Import Node.js Dependencies
+import { builtinModules } from "node:module";
+// Import Third-party Dependencies
+import { Hex } from "@nodesecure/sec-literal";
+// Import Internal Dependencies
+import { SourceFile } from "../SourceFile.js";
+import { generateWarning } from "../warnings.js";
+const kMapRegexIps = Object.freeze({
+    // eslint-disable-next-line @stylistic/max-len
+    regexIPv4: /^(https?:\/\/)(?!127\.)(?!.*:(?:0{1,3}|25[6-9])\.)(?!.*:(?:25[6-9])\.(?:0{1,3}|25[6-9])\.)(?!.*:(?:25[6-9])\.(?:25[6-9])\.(?:0{1,3}|25[6-9])\.)(?!.*:(?:25[6-9])\.(?:25[6-9])\.(?:25[6-9])\.(?:0{1,3}|25[6-9]))((?:\d{1,2}|1\d{2}|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d{2}|2[0-4]\d|25[0-5])(?::\d{1,5})?(\/[^\s]*)?$/,
+    regexIPv6: /^(https?:\/\/)(\[[0-9A-Fa-f:]+\])(?::\d{1,5})?(\/[^\s]*)?$/
+});
+// CONSTANTS
+const kNodeDeps = new Set(builtinModules);
+const kShadyLinkRegExps = [
+    kMapRegexIps.regexIPv4,
+    kMapRegexIps.regexIPv6,
+    /(http[s]?:\/\/(bit\.ly|ipinfo\.io|httpbin\.org|api\.ipify\.org).*)$/,
+    /(http[s]?:\/\/.*\.(link|xyz|tk|ml|ga|cf|gq|pw|top|club|mw|bd|ke|am|sbs|date|quest|cd|bid|cd|ws|icu|cam|uno|email|stream))$/
+];
+/**
+ * @description Search for Literal AST Node
+ * @see https://github.com/estree/estree/blob/master/es5.md#literal
+ * @example
+ * "foobar"
+ */
+function validateNode(node) {
+    return [
+        node.type === "Literal" && typeof node.value === "string"
+    ];
+}
+function main(node, options) {
+    const { sourceFile } = options;
+    const location = node.loc ?? void 0;
+    // We are searching for value obfuscated as hex of a minimum length of 4.
+    if (/^[0-9A-Fa-f]{4,}$/g.test(node.value)) {
+        const value = Buffer.from(node.value, "hex").toString();
+        sourceFile.deobfuscator.analyzeString(value);
+        // If the value we are retrieving is the name of a Node.js dependency,
+        // then we add it to the dependencies list and we throw an unsafe-import at the current location.
+        if (kNodeDeps.has(value)) {
+            sourceFile.addDependency(value, node.loc);
+            sourceFile.warnings.push(generateWarning("unsafe-import", { value: null, location }));
+        }
+        else if (value === "require" || !Hex.isSafe(node.value)) {
+            sourceFile.addEncodedLiteral(node.value, location);
+        }
+    }
+    // Else we are checking all other string with our suspect method
+    else {
+        for (const regex of kShadyLinkRegExps) {
+            if (regex.test(node.value)) {
+                sourceFile.warnings.push(generateWarning("shady-link", { value: node.value, location }));
+                return;
+            }
+        }
+        sourceFile.analyzeLiteral(node);
+    }
+}
+export default {
+    name: "isLiteral",
+    validateNode,
+    main,
+    breakOnMatch: false
+};
+//# sourceMappingURL=isLiteral.js.map

package/dist/probes/isLiteral.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"isLiteral.js","sourceRoot":"","sources":["../../src/probes/isLiteral.ts"],"names":[],"mappings":"AAAA,8BAA8B;AAC9B,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE7C,kCAAkC;AAClC,OAAO,EAAE,GAAG,EAAE,MAAM,yBAAyB,CAAC;AAG9C,+BAA+B;AAC/B,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAGjD,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC;IACjC,8CAA8C;IAC9C,SAAS,EAAE,uTAAuT;IAClU,SAAS,EAAE,4DAA4D;CACxE,CAAC,CAAC;AAEH,YAAY;AACZ,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,cAAc,CAAC,CAAC;AAC1C,MAAM,iBAAiB,GAAG;IACxB,YAAY,CAAC,SAAS;IACtB,YAAY,CAAC,SAAS;IACtB,qEAAqE;IACrE,4HAA4H;CAC7H,CAAC;AAEF;;;;;GAKG;AACH,SAAS,YAAY,CACnB,IAAiB;IAEjB,OAAO;QACL,IAAI,CAAC,IAAI,KAAK,SAAS,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ;KAC1D,CAAC;AACJ,CAAC;AAED,SAAS,IAAI,CACX,IAAqB,EACrB,OAAoC;IAEpC,MAAM,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC;IAC/B,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,IAAI,KAAK,CAAC,CAAC;IAEpC,yEAAyE;IACzE,IAAI,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1C,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,QAAQ,EAAE,CAAC;QACxD,UAAU,CAAC,YAAY,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;QAE7C,sEAAsE;QACtE,iGAAiG;QACjG,IAAI,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,UAAU,CAAC,aAAa,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;YAC1C,UAAU,CAAC,QAAQ,CAAC,IAAI,CACtB,eAAe,CACb,eAAe,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,CAC3C,CACF,CAAC;QACJ,CAAC;aACI,IAAI,KAAK,KAAK,SAAS,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YACxD,UAAU,CAAC,iBAAiB,CAAC,IAAI,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;QACrD,CAAC;IACH,CAAC;IACD,gEAAgE;SAC3D,CAAC;QACJ,KAAK,MAAM,KAAK,IAAI,iBAAiB,EAAE,CAAC;YACtC,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC3B,UAAU,CAAC,QAAQ,CAAC,IAAI,CACtB,eAAe,CACb,YAAY,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,QAAQ,EAAE,CAC9C,CACF,CAAC;gBAEF,OAAO;YACT,CAAC;QACH,CAAC;QAED,UAAU,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;IAClC,CAAC;AACH,CAAC;AAED,eAAe;IACb,IAAI,EAAE,WAAW;IACjB,YAAY;IACZ,IAAI;IACJ,YAAY,EAAE,KAAK;CACpB,CAAC"}

package/dist/probes/isLiteralRegex.d.ts

@@ -0,0 +1,20 @@
+import type { ESTree } from "meriyah";
+import { SourceFile } from "../SourceFile.js";
+/**
+ * @description Search for RegExpLiteral AST Node
+ * @see https://github.com/estree/estree/blob/master/es5.md#regexpliteral
+ * @example
+ * /hello/
+ */
+declare function validateNode(node: ESTree.Node): [boolean, any?];
+declare function main(node: ESTree.RegExpLiteral, options: {
+    sourceFile: SourceFile;
+}): void;
+declare const _default: {
+    name: string;
+    validateNode: typeof validateNode;
+    main: typeof main;
+    breakOnMatch: boolean;
+};
+export default _default;
+//# sourceMappingURL=isLiteralRegex.d.ts.map

package/dist/probes/isLiteralRegex.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"isLiteralRegex.d.ts","sourceRoot":"","sources":["../../src/probes/isLiteralRegex.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAGtC,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAG9C;;;;;GAKG;AACH,iBAAS,YAAY,CACnB,IAAI,EAAE,MAAM,CAAC,IAAI,GAChB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAIjB;AAED,iBAAS,IAAI,CACX,IAAI,EAAE,MAAM,CAAC,aAAa,EAC1B,OAAO,EAAE;IAAE,UAAU,EAAE,UAAU,CAAC;CAAE,QAUrC;;;;;;;AAED,wBAKE"}

package/dist/probes/isLiteralRegex.js

@@ -0,0 +1,30 @@
+// Import Third-party Dependencies
+import safeRegex from "safe-regex";
+// Import Internal Dependencies
+import { SourceFile } from "../SourceFile.js";
+import { generateWarning } from "../warnings.js";
+/**
+ * @description Search for RegExpLiteral AST Node
+ * @see https://github.com/estree/estree/blob/master/es5.md#regexpliteral
+ * @example
+ * /hello/
+ */
+function validateNode(node) {
+    return [
+        node.type === "Literal" && "regex" in node
+    ];
+}
+function main(node, options) {
+    const { sourceFile } = options;
+    // We use the safe-regex package to detect whether or not regex is safe!
+    if (!safeRegex(node.regex.pattern)) {
+        sourceFile.warnings.push(generateWarning("unsafe-regex", { value: node.regex.pattern, location: node.loc }));
+    }
+}
+export default {
+    name: "isLiteralRegex",
+    validateNode,
+    main,
+    breakOnMatch: false
+};
+//# sourceMappingURL=isLiteralRegex.js.map

package/dist/probes/isLiteralRegex.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"isLiteralRegex.js","sourceRoot":"","sources":["../../src/probes/isLiteralRegex.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,OAAO,SAAS,MAAM,YAAY,CAAC;AAGnC,+BAA+B;AAC/B,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAEjD;;;;;GAKG;AACH,SAAS,YAAY,CACnB,IAAiB;IAEjB,OAAO;QACL,IAAI,CAAC,IAAI,KAAK,SAAS,IAAI,OAAO,IAAI,IAAI;KAC3C,CAAC;AACJ,CAAC;AAED,SAAS,IAAI,CACX,IAA0B,EAC1B,OAAoC;IAEpC,MAAM,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC;IAE/B,wEAAwE;IACxE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;QACnC,UAAU,CAAC,QAAQ,CAAC,IAAI,CACtB,eAAe,CAAC,cAAc,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CACnF,CAAC;IACJ,CAAC;AACH,CAAC;AAED,eAAe;IACb,IAAI,EAAE,gBAAgB;IACtB,YAAY;IACZ,IAAI;IACJ,YAAY,EAAE,KAAK;CACpB,CAAC"}

package/dist/probes/isRegexObject.d.ts

@@ -0,0 +1,22 @@
+import type { ESTree } from "meriyah";
+import { SourceFile } from "../SourceFile.js";
+/**
+ * @description Search for Regex Object constructor.
+ * @see https://github.com/estree/estree/blob/master/es5.md#newexpression
+ * @example
+ * new RegExp("...");
+ */
+declare function validateNode(node: ESTree.Node): [boolean, any?];
+declare function main(node: ESTree.NewExpression & {
+    callee: ESTree.Identifier;
+}, options: {
+    sourceFile: SourceFile;
+}): void;
+declare const _default: {
+    name: string;
+    validateNode: typeof validateNode;
+    main: typeof main;
+    breakOnMatch: boolean;
+};
+export default _default;
+//# sourceMappingURL=isRegexObject.d.ts.map

package/dist/probes/isRegexObject.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"isRegexObject.d.ts","sourceRoot":"","sources":["../../src/probes/isRegexObject.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAGtC,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAI9C;;;;;GAKG;AACH,iBAAS,YAAY,CACnB,IAAI,EAAE,MAAM,CAAC,IAAI,GAChB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAIjB;AAED,iBAAS,IAAI,CACX,IAAI,EAAE,MAAM,CAAC,aAAa,GAAG;IAC3B,MAAM,EAAE,MAAM,CAAC,UAAU,CAAC;CAC3B,EACD,OAAO,EAAE;IAAE,UAAU,EAAE,UAAU,CAAC;CAAE,QA0BrC;;;;;;;AAYD,wBAKE"}

package/dist/probes/isRegexObject.js

@@ -0,0 +1,50 @@
+// Import Third-party Dependencies
+import safeRegex from "safe-regex";
+// Import Internal Dependencies
+import { SourceFile } from "../SourceFile.js";
+import { generateWarning } from "../warnings.js";
+/**
+ * @description Search for Regex Object constructor.
+ * @see https://github.com/estree/estree/blob/master/es5.md#newexpression
+ * @example
+ * new RegExp("...");
+ */
+function validateNode(node) {
+    return [
+        isRegexConstructor(node) && node.arguments.length > 0
+    ];
+}
+function main(node, options) {
+    const { sourceFile } = options;
+    const arg = node.arguments.at(0);
+    if (!arg) {
+        return;
+    }
+    /**
+     * Note: RegExp Object can contain a RegExpLiteral
+     * @see https://github.com/estree/estree/blob/master/es5.md#regexpliteral
+     *
+     * @example
+     * new RegExp(/^foo/)
+     */
+    const pattern = arg.type === "Literal" && "regex" in arg ?
+        arg.regex.pattern :
+        arg.value;
+    // We use the safe-regex package to detect whether or not regex is safe!
+    if (!safeRegex(pattern)) {
+        sourceFile.warnings.push(generateWarning("unsafe-regex", { value: pattern, location: node.loc }));
+    }
+}
+function isRegexConstructor(node) {
+    if (node.type !== "NewExpression" || node.callee.type !== "Identifier") {
+        return false;
+    }
+    return node.callee.name === "RegExp";
+}
+export default {
+    name: "isRegexObject",
+    validateNode,
+    main,
+    breakOnMatch: false
+};
+//# sourceMappingURL=isRegexObject.js.map

package/dist/probes/isRegexObject.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"isRegexObject.js","sourceRoot":"","sources":["../../src/probes/isRegexObject.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,OAAO,SAAS,MAAM,YAAY,CAAC;AAGnC,+BAA+B;AAC/B,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAGjD;;;;;GAKG;AACH,SAAS,YAAY,CACnB,IAAiB;IAEjB,OAAO;QACL,kBAAkB,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC;KACtD,CAAC;AACJ,CAAC;AAED,SAAS,IAAI,CACX,IAEC,EACD,OAAoC;IAEpC,MAAM,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC;IAE/B,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAA4C,CAAC;IAC5E,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO;IACT,CAAC;IAED;;;;;;OAMG;IACH,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,KAAK,SAAS,IAAI,OAAO,IAAI,GAAG,CAAC,CAAC;QACxD,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACnB,GAAG,CAAC,KAAK,CAAC;IAEZ,wEAAwE;IACxE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,CAAC;QACxB,UAAU,CAAC,QAAQ,CAAC,IAAI,CACtB,eAAe,CAAC,cAAc,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CACxE,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,kBAAkB,CACzB,IAAiB;IAEjB,IAAI,IAAI,CAAC,IAAI,KAAK,eAAe,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QACvE,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,QAAQ,CAAC;AACvC,CAAC;AAED,eAAe;IACb,IAAI,EAAE,eAAe;IACrB,YAAY;IACZ,IAAI;IACJ,YAAY,EAAE,KAAK;CACpB,CAAC"}

package/dist/probes/isRequire/RequireCallExpressionWalker.d.ts

@@ -0,0 +1,15 @@
+import type { ESTree } from "meriyah";
+import { VariableTracer } from "@nodesecure/tracer";
+export declare class RequireCallExpressionWalker {
+    #private;
+    tracer: VariableTracer;
+    dependencies: Set<string>;
+    triggerWarning: boolean;
+    constructor(tracer: VariableTracer);
+    reset(): void;
+    walk(callExprNode: ESTree.CallExpression): {
+        dependencies: Set<string>;
+        triggerWarning: boolean;
+    };
+}
+//# sourceMappingURL=RequireCallExpressionWalker.d.ts.map

package/dist/probes/isRequire/RequireCallExpressionWalker.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"RequireCallExpressionWalker.d.ts","sourceRoot":"","sources":["../../../src/probes/isRequire/RequireCallExpressionWalker.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACtC,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AASpD,qBAAa,2BAA2B;;IACtC,MAAM,EAAE,cAAc,CAAC;IACvB,YAAY,cAAqB;IACjC,cAAc,UAAQ;gBAGpB,MAAM,EAAE,cAAc;IAKxB,KAAK;IAKL,IAAI,CACF,YAAY,EAAE,MAAM,CAAC,cAAc;;;;CAqGtC"}

package/dist/probes/isRequire/RequireCallExpressionWalker.js

@@ -0,0 +1,92 @@
+// Import Node.js Dependencies
+import path from "node:path";
+// Import Third-party Dependencies
+import { Hex } from "@nodesecure/sec-literal";
+import { arrayExpressionToString, getMemberExpressionIdentifier, getCallExpressionArguments } from "@nodesecure/estree-ast-utils";
+import { VariableTracer } from "@nodesecure/tracer";
+// Import Internal Dependencies
+import { isLiteral, isCallExpression } from "../../types/estree.js";
+import { walkEnter } from "../../walker/index.js";
+export class RequireCallExpressionWalker {
+    tracer;
+    dependencies = new Set();
+    triggerWarning = true;
+    constructor(tracer) {
+        this.tracer = tracer;
+    }
+    reset() {
+        this.dependencies.clear();
+        this.triggerWarning = true;
+    }
+    walk(callExprNode) {
+        this.reset();
+        // we need the `this` context of doWalk.enter
+        const self = this;
+        walkEnter(callExprNode, function enter(node) {
+            if (!isCallExpression(node) ||
+                node.arguments.length === 0) {
+                return;
+            }
+            const castedNode = node;
+            const rootArgument = castedNode.arguments.at(0);
+            if (rootArgument.type === "Literal" &&
+                typeof rootArgument.value === "string" &&
+                Hex.isHex(rootArgument.value)) {
+                self.dependencies.add(Buffer.from(rootArgument.value, "hex").toString());
+                this.skip();
+                return;
+            }
+            const fullName = castedNode.callee.type === "MemberExpression" ?
+                [...getMemberExpressionIdentifier(castedNode.callee)].join(".") :
+                castedNode.callee.name;
+            const tracedFullName = self.tracer.getDataFromIdentifier(fullName)?.identifierOrMemberExpr ?? fullName;
+            switch (tracedFullName) {
+                case "atob":
+                    self.#handleAtob(castedNode);
+                    break;
+                case "Buffer.from":
+                    self.#handleBufferFrom(castedNode);
+                    break;
+                case "require.resolve":
+                    self.#handleRequireResolve(rootArgument);
+                    break;
+                case "path.join":
+                    self.#handlePathJoin(castedNode);
+                    break;
+            }
+        });
+        return {
+            dependencies: this.dependencies,
+            triggerWarning: this.triggerWarning
+        };
+    }
+    #handleAtob(node) {
+        const nodeArguments = getCallExpressionArguments(node, {
+            externalIdentifierLookup: (name) => this.tracer.literalIdentifiers.get(name) ?? null
+        });
+        if (nodeArguments !== null && nodeArguments.length > 0) {
+            this.dependencies.add(Buffer.from(nodeArguments.at(0), "base64").toString());
+        }
+    }
+    #handleBufferFrom(node) {
+        const [element] = node.arguments;
+        if (element.type === "ArrayExpression") {
+            const depName = [...arrayExpressionToString(element)].join("").trim();
+            this.dependencies.add(depName);
+        }
+    }
+    #handleRequireResolve(node) {
+        if (isLiteral(node)) {
+            this.dependencies.add(node.value);
+        }
+    }
+    #handlePathJoin(node) {
+        if (!node.arguments.every((arg) => isLiteral(arg))) {
+            return;
+        }
+        const constructedPath = path.posix.join(...node.arguments.map((arg) => arg.value));
+        this.dependencies.add(constructedPath);
+        this.triggerWarning = false;
+    }
+}
+//# sourceMappingURL=RequireCallExpressionWalker.js.map

package/dist/probes/isRequire/RequireCallExpressionWalker.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"RequireCallExpressionWalker.js","sourceRoot":"","sources":["../../../src/probes/isRequire/RequireCallExpressionWalker.ts"],"names":[],"mappings":"AAAA,8BAA8B;AAC9B,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,kCAAkC;AAClC,OAAO,EAAE,GAAG,EAAE,MAAM,yBAAyB,CAAC;AAC9C,OAAO,EACL,uBAAuB,EACvB,6BAA6B,EAC7B,0BAA0B,EAC3B,MAAM,8BAA8B,CAAC;AAEtC,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAEpD,+BAA+B;AAC/B,OAAO,EACL,SAAS,EACT,gBAAgB,EACjB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAElD,MAAM,OAAO,2BAA2B;IACtC,MAAM,CAAiB;IACvB,YAAY,GAAG,IAAI,GAAG,EAAU,CAAC;IACjC,cAAc,GAAG,IAAI,CAAC;IAEtB,YACE,MAAsB;QAEtB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED,KAAK;QACH,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;QAC1B,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC;IAC7B,CAAC;IAED,IAAI,CACF,YAAmC;QAEnC,IAAI,CAAC,KAAK,EAAE,CAAC;QAEb,6CAA6C;QAC7C,MAAM,IAAI,GAAG,IAAI,CAAC;QAClB,SAAS,CAAC,YAAY,EAAE,SAAS,KAAK,CAAC,IAAI;YACzC,IACE,CAAC,gBAAgB,CAAC,IAAI,CAAC;gBACvB,IAAI,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC,EAC3B,CAAC;gBACD,OAAO;YACT,CAAC;YAED,MAAM,UAAU,GAAG,IAA6B,CAAC;YACjD,MAAM,YAAY,GAAG,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAE,CAAC;YACjD,IACE,YAAY,CAAC,IAAI,KAAK,SAAS;gBAC/B,OAAO,YAAY,CAAC,KAAK,KAAK,QAAQ;gBACtC,GAAG,CAAC,KAAK,CAAC,YAAY,CAAC,KAAK,CAAC,EAC7B,CAAC;gBACD,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;gBACzE,IAAI,CAAC,IAAI,EAAE,CAAC;gBAEZ,OAAO;YACT,CAAC;YAED,MAAM,QAAQ,GAAG,UAAU,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB,CAAC,CAAC;gBAC9D,CAAC,GAAG,6BAA6B,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;gBACjE,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC;YACzB,MAAM,cAAc,GAAG,IAAI,CAAC,MAAM,CAAC,qBAAqB,CAAC,QAAQ,CAAC,EAAE,sBAAsB,IAAI,QAAQ,CAAC;YACvG,QAAQ,cAAc,EAAE,CAAC;gBACvB,KAAK,MAAM;oBACT,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;oBAC7B,MAAM;gBACR,KAAK,aAAa;oBAChB,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;oBACnC,MAAM;gBACR,KAAK,iBAAiB;oBACpB,IAAI,CAAC,qBAAqB,CAAC,YAAY,CAAC,CAAC;oBACzC,MAAM;gBACR,KAAK,WAAW;oBACd,IAAI,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC;oBACjC,MAAM;YACV,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,OAAO;YACL,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,cAAc,EAAE,IAAI,CAAC,cAAc;SACpC,CAAC;IACJ,CAAC;IAED,WAAW,CACT,IAA2B;QAE3B,MAAM,aAAa,GAAG,0BAA0B,CAC9C,IAAI,EACJ;YACE,wBAAwB,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,IAAI;SACrF,CACF,CAAC;QAEF,IAAI,aAAa,KAAK,IAAI,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvD,IAAI,CAAC,YAAY,CAAC,GAAG,CACnB,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC,CAAE,EAAE,QAAQ,CAAC,CAAC,QAAQ,EAAE,CACvD,CAAC;QACJ,CAAC;IACH,CAAC;IAED,iBAAiB,CACf,IAA2B;QAE3B,MAAM,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC;QACjC,IAAI,OAAO,CAAC,IAAI,KAAK,iBAAiB,EAAE,CAAC;YACvC,MAAM,OAAO,GAAG,CAAC,GAAG,uBAAuB,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YACtE,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACjC,CAAC;IACH,CAAC;IAED,qBAAqB,CACnB,IAAiB;QAEjB,IAAI,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC;YACpB,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACpC,CAAC;IACH,CAAC;IAED,eAAe,CACb,IAA2B;QAE3B,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;YACnD,OAAO;QACT,CAAC;QAED,MAAM,eAAe,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CACrC,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,CAC1C,CAAC;QACF,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QACvC,IAAI,CAAC,cAAc,GAAG,KAAK,CAAC;IAC9B,CAAC;CACF"}

package/dist/probes/isRequire/isRequire.d.ts

@@ -0,0 +1,15 @@
+import type { ESTree } from "meriyah";
+import type { ProbeContext, ProbeMainContext } from "../../ProbeRunner.js";
+declare function validateNodeRequire(node: ESTree.Node, ctx: ProbeContext): [boolean, any?];
+declare function teardown(ctx: ProbeContext): void;
+declare function main(node: ESTree.CallExpression, ctx: ProbeMainContext): symbol | undefined;
+declare const _default: {
+    name: string;
+    validateNode: (typeof validateNodeRequire)[];
+    main: typeof main;
+    teardown: typeof teardown;
+    breakOnMatch: boolean;
+    breakGroup: string;
+};
+export default _default;
+//# sourceMappingURL=isRequire.d.ts.map

package/dist/probes/isRequire/isRequire.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"isRequire.d.ts","sourceRoot":"","sources":["../../../src/probes/isRequire/isRequire.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAGtC,OAAO,KAAK,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAK3E,iBAAS,mBAAmB,CAC1B,IAAI,EAAE,MAAM,CAAC,IAAI,EACjB,GAAG,EAAE,YAAY,GAChB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAiBjB;AA2BD,iBAAS,QAAQ,CACf,GAAG,EAAE,YAAY,QAGlB;AAED,iBAAS,IAAI,CACX,IAAI,EAAE,MAAM,CAAC,cAAc,EAC3B,GAAG,EAAE,gBAAgB,sBA8GtB;;;;;;;;;AAED,wBAUE"}

package/dist/probes/isRequire/isRequire.js

@@ -0,0 +1,136 @@
+/* eslint-disable consistent-return */
+// Import Third-party Dependencies
+import { concatBinaryExpression, arrayExpressionToString, getCallExpressionIdentifier, getCallExpressionArguments } from "@nodesecure/estree-ast-utils";
+import { isLiteral } from "../../types/estree.js";
+import { RequireCallExpressionWalker } from "./RequireCallExpressionWalker.js";
+import { generateWarning } from "../../warnings.js";
+function validateNodeRequire(node, ctx) {
+    const { tracer } = ctx.sourceFile;
+    const id = getCallExpressionIdentifier(node, {
+        resolveCallExpression: false
+    });
+    if (id === null) {
+        return [false];
+    }
+    const data = tracer.getDataFromIdentifier(id, {
+        removeGlobalIdentifier: true
+    });
+    return [
+        data !== null && data.name === "require",
+        id ?? void 0
+    ];
+}
+function validateNodeEvalRequire(node) {
+    const id = getCallExpressionIdentifier(node);
+    if (id !== "eval") {
+        return [false];
+    }
+    const castedNode = node;
+    if (castedNode.callee.type !== "CallExpression") {
+        return [false];
+    }
+    const args = getCallExpressionArguments(castedNode.callee);
+    if (args === null) {
+        return [false];
+    }
+    return [
+        args.length > 0 && args.at(0) === "require",
+        id
+    ];
+}
+function teardown(ctx) {
+    ctx.sourceFile.dependencyAutoWarning = false;
+}
+function main(node, ctx) {
+    const { sourceFile, data: calleeName, signals } = ctx;
+    const { tracer } = sourceFile;
+    if (node.arguments.length === 0) {
+        return;
+    }
+    const arg = node.arguments.at(0);
+    if (arg === undefined) {
+        return;
+    }
+    if (calleeName === "eval") {
+        sourceFile.dependencyAutoWarning = true;
+    }
+    const location = node.loc;
+    switch (arg.type) {
+        // const foo = "http"; require(foo);
+        case "Identifier":
+            if (sourceFile.tracer.literalIdentifiers.has(arg.name)) {
+                sourceFile.addDependency(sourceFile.tracer.literalIdentifiers.get(arg.name), node.loc);
+            }
+            else {
+                sourceFile.warnings.push(generateWarning("unsafe-import", { value: null, location }));
+            }
+            break;
+        // require("http")
+        case "Literal":
+            if (isLiteral(arg)) {
+                sourceFile.addDependency(arg.value, node.loc);
+            }
+            break;
+        // require(["ht", "tp"])
+        case "ArrayExpression": {
+            const value = [
+                ...arrayExpressionToString(arg, {
+                    externalIdentifierLookup: (name) => tracer.literalIdentifiers.get(name) ?? null
+                })
+            ]
+                .join("")
+                .trim();
+            if (value === "") {
+                sourceFile.warnings.push(generateWarning("unsafe-import", { value: null, location }));
+            }
+            else {
+                sourceFile.addDependency(value, node.loc);
+            }
+            break;
+        }
+        // require("ht" + "tp");
+        case "BinaryExpression": {
+            if (arg.operator !== "+") {
+                sourceFile.warnings.push(generateWarning("unsafe-import", { value: null, location }));
+                break;
+            }
+            try {
+                const iter = concatBinaryExpression(arg, {
+                    externalIdentifierLookup: (name) => tracer.literalIdentifiers.get(name) ?? null,
+                    stopOnUnsupportedNode: true
+                });
+                sourceFile.addDependency([...iter].join(""), node.loc);
+            }
+            catch {
+                sourceFile.warnings.push(generateWarning("unsafe-import", { value: null, location }));
+            }
+            break;
+        }
+        // require(Buffer.from("...", "hex").toString());
+        case "CallExpression": {
+            const walker = new RequireCallExpressionWalker(tracer);
+            const { dependencies, triggerWarning } = walker.walk(arg);
+            dependencies.forEach((depName) => sourceFile.addDependency(depName, node.loc, true));
+            if (triggerWarning) {
+                sourceFile.warnings.push(generateWarning("unsafe-import", { value: null, location }));
+            }
+            // We skip walking the tree to avoid anymore warnings...
+            return signals.Skip;
+        }
+        default:
+            sourceFile.warnings.push(generateWarning("unsafe-import", { value: null, location }));
+    }
+    return;
+}
+export default {
+    name: "isRequire",
+    validateNode: [
+        validateNodeRequire,
+        validateNodeEvalRequire
+    ],
+    main,
+    teardown,
+    breakOnMatch: true,
+    breakGroup: "import"
+};
+//# sourceMappingURL=isRequire.js.map

package/dist/probes/isRequire/isRequire.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"isRequire.js","sourceRoot":"","sources":["../../../src/probes/isRequire/isRequire.ts"],"names":[],"mappings":"AAAA,sCAAsC;AAEtC,kCAAkC;AAClC,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EACvB,2BAA2B,EAC3B,0BAA0B,EAC3B,MAAM,8BAA8B,CAAC;AAKtC,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAClD,OAAO,EAAE,2BAA2B,EAAE,MAAM,kCAAkC,CAAC;AAC/E,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAEpD,SAAS,mBAAmB,CAC1B,IAAiB,EACjB,GAAiB;IAEjB,MAAM,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC,UAAU,CAAC;IAClC,MAAM,EAAE,GAAG,2BAA2B,CAAC,IAAI,EAAE;QAC3C,qBAAqB,EAAE,KAAK;KAC7B,CAAC,CAAC;IACH,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;QAChB,OAAO,CAAC,KAAK,CAAC,CAAC;IACjB,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,CAAC,qBAAqB,CAAC,EAAE,EAAE;QAC5C,sBAAsB,EAAE,IAAI;KAC7B,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,KAAK,IAAI,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS;QACxC,EAAE,IAAI,KAAK,CAAC;KACb,CAAC;AACJ,CAAC;AAED,SAAS,uBAAuB,CAC9B,IAAiB;IAEjB,MAAM,EAAE,GAAG,2BAA2B,CAAC,IAAI,CAAC,CAAC;IAE7C,IAAI,EAAE,KAAK,MAAM,EAAE,CAAC;QAClB,OAAO,CAAC,KAAK,CAAC,CAAC;IACjB,CAAC;IAED,MAAM,UAAU,GAAG,IAA6B,CAAC;IACjD,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;QAChD,OAAO,CAAC,KAAK,CAAC,CAAC;IACjB,CAAC;IAED,MAAM,IAAI,GAAG,0BAA0B,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IAC3D,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;QAClB,OAAO,CAAC,KAAK,CAAC,CAAC;IACjB,CAAC;IAED,OAAO;QACL,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,SAAS;QAC3C,EAAE;KACH,CAAC;AACJ,CAAC;AAED,SAAS,QAAQ,CACf,GAAiB;IAEjB,GAAG,CAAC,UAAU,CAAC,qBAAqB,GAAG,KAAK,CAAC;AAC/C,CAAC;AAED,SAAS,IAAI,CACX,IAA2B,EAC3B,GAAqB;IAErB,MAAM,EAAE,UAAU,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC;IACtD,MAAM,EAAE,MAAM,EAAE,GAAG,UAAU,CAAC;IAE9B,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAChC,OAAO;IACT,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IACjC,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;QACtB,OAAO;IACT,CAAC;IAED,IAAI,UAAU,KAAK,MAAM,EAAE,CAAC;QAC1B,UAAU,CAAC,qBAAqB,GAAG,IAAI,CAAC;IAC1C,CAAC;IACD,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC;IAE1B,QAAQ,GAAG,CAAC,IAAI,EAAE,CAAC;QACjB,oCAAoC;QACpC,KAAK,YAAY;YACf,IAAI,UAAU,CAAC,MAAM,CAAC,kBAAkB,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvD,UAAU,CAAC,aAAa,CACtB,UAAU,CAAC,MAAM,CAAC,kBAAkB,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAE,EACnD,IAAI,CAAC,GAAG,CACT,CAAC;YACJ,CAAC;iBACI,CAAC;gBACJ,UAAU,CAAC,QAAQ,CAAC,IAAI,CACtB,eAAe,CAAC,eAAe,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAC5D,CAAC;YACJ,CAAC;YACD,MAAM;QAER,kBAAkB;QAClB,KAAK,SAAS;YACZ,IAAI,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC;gBACnB,UAAU,CAAC,aAAa,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;YAChD,CAAC;YACD,MAAM;QAER,wBAAwB;QACxB,KAAK,iBAAiB,CAAC,CAAC,CAAC;YACvB,MAAM,KAAK,GAAG;gBACZ,GAAG,uBAAuB,CAAC,GAAG,EAAE;oBAC9B,wBAAwB,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,MAAM,CAAC,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,IAAI;iBAChF,CAAC;aACH;iBACE,IAAI,CAAC,EAAE,CAAC;iBACR,IAAI,EAAE,CAAC;YAEV,IAAI,KAAK,KAAK,EAAE,EAAE,CAAC;gBACjB,UAAU,CAAC,QAAQ,CAAC,IAAI,CACtB,eAAe,CAAC,eAAe,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAC5D,CAAC;YACJ,CAAC;iBACI,CAAC;gBACJ,UAAU,CAAC,aAAa,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;YAC5C,CAAC;YACD,MAAM;QACR,CAAC;QAED,wBAAwB;QACxB,KAAK,kBAAkB,CAAC,CAAC,CAAC;YACxB,IAAI,GAAG,CAAC,QAAQ,KAAK,GAAG,EAAE,CAAC;gBACzB,UAAU,CAAC,QAAQ,CAAC,IAAI,CACtB,eAAe,CAAC,eAAe,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAC5D,CAAC;gBACF,MAAM;YACR,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,sBAAsB,CAAC,GAAG,EAAE;oBACvC,wBAAwB,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,MAAM,CAAC,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,IAAI;oBAC/E,qBAAqB,EAAE,IAAI;iBAC5B,CAAC,CAAC;gBAEH,UAAU,CAAC,aAAa,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;YACzD,CAAC;YACD,MAAM,CAAC;gBACL,UAAU,CAAC,QAAQ,CAAC,IAAI,CACtB,eAAe,CAAC,eAAe,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAC5D,CAAC;YACJ,CAAC;YACD,MAAM;QACR,CAAC;QAED,iDAAiD;QACjD,KAAK,gBAAgB,CAAC,CAAC,CAAC;YACtB,MAAM,MAAM,GAAG,IAAI,2BAA2B,CAAC,MAAM,CAAC,CAAC;YACvD,MAAM,EAAE,YAAY,EAAE,cAAc,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAC1D,YAAY,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC;YAErF,IAAI,cAAc,EAAE,CAAC;gBACnB,UAAU,CAAC,QAAQ,CAAC,IAAI,CACtB,eAAe,CAAC,eAAe,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAC5D,CAAC;YACJ,CAAC;YAED,wDAAwD;YACxD,OAAO,OAAO,CAAC,IAAI,CAAC;QACtB,CAAC;QAED;YACE,UAAU,CAAC,QAAQ,CAAC,IAAI,CACtB,eAAe,CAAC,eAAe,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAC5D,CAAC;IACN,CAAC;IAED,OAAO;AACT,CAAC;AAED,eAAe;IACb,IAAI,EAAE,WAAW;IACjB,YAAY,EAAE;QACZ,mBAAmB;QACnB,uBAAuB;KACxB;IACD,IAAI;IACJ,QAAQ;IACR,YAAY,EAAE,IAAI;IAClB,UAAU,EAAE,QAAQ;CACrB,CAAC"}

package/dist/probes/isSerializeEnv.d.ts

@@ -0,0 +1,22 @@
+import type { ESTree } from "meriyah";
+import type { ProbeContext, ProbeMainContext } from "../ProbeRunner.js";
+/**
+ * @description Detect serialization of process.env which could indicate environment variable exfiltration
+ * @example
+ * JSON.stringify(process.env)
+ * JSON.stringify(process["env"])
+ * JSON.stringify(process["env"])
+ * JSON.stringify(process[`env`])
+ */
+declare function validateNode(node: ESTree.Node, ctx: ProbeContext): [boolean, any?];
+declare function main(node: ESTree.Node, ctx: ProbeMainContext): symbol;
+declare function initialize(ctx: ProbeContext): void;
+declare const _default: {
+    name: string;
+    validateNode: typeof validateNode;
+    initialize: typeof initialize;
+    main: typeof main;
+    breakOnMatch: boolean;
+};
+export default _default;
+//# sourceMappingURL=isSerializeEnv.d.ts.map

package/dist/probes/isSerializeEnv.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"isSerializeEnv.d.ts","sourceRoot":"","sources":["../../src/probes/isSerializeEnv.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAItC,OAAO,KAAK,EACV,YAAY,EACZ,gBAAgB,EACjB,MAAM,mBAAmB,CAAC;AAE3B;;;;;;;GAOG;AACH,iBAAS,YAAY,CACnB,IAAI,EAAE,MAAM,CAAC,IAAI,EACjB,GAAG,EAAE,YAAY,GAChB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAmCjB;AAED,iBAAS,IAAI,CACX,IAAI,EAAE,MAAM,CAAC,IAAI,EACjB,GAAG,EAAE,gBAAgB,UAWtB;AAED,iBAAS,UAAU,CACjB,GAAG,EAAE,YAAY,QAWlB;;;;;;;;AAED,wBAME"}

package/dist/probes/isSerializeEnv.js

@@ -0,0 +1,68 @@
+// Import Third-party Dependencies
+import { getCallExpressionIdentifier, getMemberExpressionIdentifier } from "@nodesecure/estree-ast-utils";
+// Import Internal Dependencies
+import { generateWarning } from "../warnings.js";
+/**
+ * @description Detect serialization of process.env which could indicate environment variable exfiltration
+ * @example
+ * JSON.stringify(process.env)
+ * JSON.stringify(process["env"])
+ * JSON.stringify(process["env"])
+ * JSON.stringify(process[`env`])
+ */
+function validateNode(node, ctx) {
+    const { tracer } = ctx.sourceFile;
+    const id = getCallExpressionIdentifier(node);
+    if (id === null) {
+        return [false];
+    }
+    const data = tracer.getDataFromIdentifier(id);
+    if (data === null || data.identifierOrMemberExpr !== "JSON.stringify") {
+        return [false];
+    }
+    const castedNode = node;
+    if (castedNode.arguments.length === 0) {
+        return [false];
+    }
+    const firstArg = castedNode.arguments[0];
+    if (firstArg.type === "MemberExpression") {
+        const memberExprId = [...getMemberExpressionIdentifier(firstArg)].join(".");
+        if (memberExprId === "process.env") {
+            return [true];
+        }
+    }
+    if (firstArg.type === "Identifier") {
+        const data = tracer.getDataFromIdentifier(firstArg.name);
+        if (data !== null) {
+            return [true];
+        }
+    }
+    return [false];
+}
+function main(node, ctx) {
+    const { sourceFile, signals } = ctx;
+    const warning = generateWarning("serialize-environment", {
+        value: "JSON.stringify(process.env)",
+        location: node.loc
+    });
+    sourceFile.warnings.push(warning);
+    return signals.Skip;
+}
+function initialize(ctx) {
+    const { tracer } = ctx.sourceFile;
+    tracer
+        .trace("process.env", {
+        followConsecutiveAssignment: true
+    })
+        .trace("JSON.stringify", {
+        followConsecutiveAssignment: true
+    });
+}
+export default {
+    name: "isSerializeEnv",
+    validateNode,
+    initialize,
+    main,
+    breakOnMatch: false
+};
+//# sourceMappingURL=isSerializeEnv.js.map

package/dist/probes/isSerializeEnv.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"isSerializeEnv.js","sourceRoot":"","sources":["../../src/probes/isSerializeEnv.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,OAAO,EACL,2BAA2B,EAC3B,6BAA6B,EAC9B,MAAM,8BAA8B,CAAC;AAGtC,+BAA+B;AAC/B,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAMjD;;;;;;;GAOG;AACH,SAAS,YAAY,CACnB,IAAiB,EACjB,GAAiB;IAEjB,MAAM,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC,UAAU,CAAC;IAElC,MAAM,EAAE,GAAG,2BAA2B,CAAC,IAAI,CAAC,CAAC;IAE7C,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;QAChB,OAAO,CAAC,KAAK,CAAC,CAAC;IACjB,CAAC;IACD,MAAM,IAAI,GAAG,MAAM,CAAC,qBAAqB,CAAC,EAAE,CAAC,CAAC;IAE9C,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,CAAC,sBAAsB,KAAK,gBAAgB,EAAE,CAAC;QACtE,OAAO,CAAC,KAAK,CAAC,CAAC;IACjB,CAAC;IAED,MAAM,UAAU,GAAG,IAA6B,CAAC;IACjD,IAAI,UAAU,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtC,OAAO,CAAC,KAAK,CAAC,CAAC;IACjB,CAAC;IAED,MAAM,QAAQ,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IACzC,IAAI,QAAQ,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;QACzC,MAAM,YAAY,GAAG,CAAC,GAAG,6BAA6B,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC5E,IAAI,YAAY,KAAK,aAAa,EAAE,CAAC;YACnC,OAAO,CAAC,IAAI,CAAC,CAAC;QAChB,CAAC;IACH,CAAC;IAED,IAAI,QAAQ,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QACnC,MAAM,IAAI,GAAG,MAAM,CAAC,qBAAqB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QACzD,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;YAClB,OAAO,CAAC,IAAI,CAAC,CAAC;QAChB,CAAC;IACH,CAAC;IAED,OAAO,CAAC,KAAK,CAAC,CAAC;AACjB,CAAC;AAED,SAAS,IAAI,CACX,IAAiB,EACjB,GAAqB;IAErB,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC;IAEpC,MAAM,OAAO,GAAG,eAAe,CAAC,uBAAuB,EAAE;QACvD,KAAK,EAAE,6BAA6B;QACpC,QAAQ,EAAE,IAAI,CAAC,GAAG;KACnB,CAAC,CAAC;IACH,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAElC,OAAO,OAAO,CAAC,IAAI,CAAC;AACtB,CAAC;AAED,SAAS,UAAU,CACjB,GAAiB;IAEjB,MAAM,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC,UAAU,CAAC;IAElC,MAAM;SACH,KAAK,CAAC,aAAa,EAAE;QACpB,2BAA2B,EAAE,IAAI;KAClC,CAAC;SACD,KAAK,CAAC,gBAAgB,EAAE;QACvB,2BAA2B,EAAE,IAAI;KAClC,CAAC,CAAC;AACP,CAAC;AAED,eAAe;IACb,IAAI,EAAE,gBAAgB;IACtB,YAAY;IACZ,UAAU;IACV,IAAI;IACJ,YAAY,EAAE,KAAK;CACpB,CAAC"}

package/dist/probes/isSyncIO.d.ts

@@ -0,0 +1,14 @@
+import type { ESTree } from "meriyah";
+import type { ProbeContext } from "../ProbeRunner.js";
+declare function validateNode(node: ESTree.Node, ctx: ProbeContext): [boolean, any?];
+declare function initialize(ctx: ProbeContext): void;
+declare function main(node: ESTree.CallExpression, ctx: ProbeContext): void;
+declare const _default: {
+    name: string;
+    validateNode: typeof validateNode;
+    main: typeof main;
+    initialize: typeof initialize;
+    breakOnMatch: boolean;
+};
+export default _default;
+//# sourceMappingURL=isSyncIO.d.ts.map

package/dist/probes/isSyncIO.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"isSyncIO.d.ts","sourceRoot":"","sources":["../../src/probes/isSyncIO.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAGtC,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAmCtD,iBAAS,YAAY,CACnB,IAAI,EAAE,MAAM,CAAC,IAAI,EACjB,GAAG,EAAE,YAAY,GAChB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAqBjB;AAED,iBAAS,UAAU,CACjB,GAAG,EAAE,YAAY,QAUlB;AAED,iBAAS,IAAI,CACX,IAAI,EAAE,MAAM,CAAC,cAAc,EAC3B,GAAG,EAAE,YAAY,QAOlB;;;;;;;;AAED,wBAME"}