@nodesecure/tarball 3.0.0 → 3.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/class/DnsResolver.class.d.ts +8 -0
- package/dist/class/DnsResolver.class.d.ts.map +1 -0
- package/dist/class/DnsResolver.class.js +24 -0
- package/dist/class/DnsResolver.class.js.map +1 -0
- package/dist/class/NpmTarball.class.d.ts +6 -1
- package/dist/class/NpmTarball.class.d.ts.map +1 -1
- package/dist/class/NpmTarball.class.js +32 -3
- package/dist/class/NpmTarball.class.js.map +1 -1
- package/package.json +4 -3
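--- a/package/dist/class/DnsResolver.class.d.ts.map
+++ b/package/dist/class/DnsResolver.class.d.ts.map
@@ -0,0 +1 @@
+{"version":3,"file":"DnsResolver.class.d.ts","sourceRoot":"","sources":["../../src/class/DnsResolver.class.ts"],"names":[],"mappings":"AAOA,MAAM,WAAW,QAAQ;IACvB,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CACnD;AAED,qBAAa,WAAY,YAAW,QAAQ;;IACpC,aAAa,CAAC,QAAQ,EAAE,MAAM;CAqBrC"}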
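--- a/package/dist/class/DnsResolver.class.js
+++ b/package/dist/class/DnsResolver.class.js
@@ -0,0 +1,24 @@
+// Import Node.js Dependencies
+import { lookup } from "node:dns/promises";
+import {} from "node:dns";
+// Import Third-party Dependencies
+import ipaddress from "ipaddr.js";
+export class DnsResolver {
+    async isPrivateHost(hostname) {
+        const ipAddressListDetails = await lookup(hostname, { all: true });
+        const ipAddressList = ipAddressListDetails.map((ipAddressDetails) => ipAddressDetails.address);
+        return ipAddressList.some(this.#isPrivateIPAddress);
+    }
+    #isPrivateIPAddress(ipAddress) {
+        let ip = ipaddress.parse(ipAddress);
+        if (ip instanceof ipaddress.IPv6 && ip.isIPv4MappedAddress()) {
+            ip = ip.toIPv4Address();
+        }
+        const range = ip.range();
+        if (range !== "unicast") {
+            return true;
+        }
+        return false;
+    }
+}
+//# sourceMappingURL=DnsResolver.class.js.map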
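Review bot: `isPrivateHost` lets a rejected `lookup` (an unresolvable hostname) propagate, and the only caller shown, `scanFiles` in NpmTarball.class.js, collects these promises with `Promise.allSettled` and discards the results, so a hostname that fails to resolve is silently neither flagged nor reported; either catch the rejection here and return a distinguishable result, or document on the method that callers must inspect rejections. `#isPrivateIPAddress` returns true for every `ip.range()` other than `"unicast"` (loopback, link-local, multicast, reserved and the rest), which is broader than "private" suggests, so a comment such as `// true for any non-unicast range, not only RFC 1918 space` on the `range !== "unicast"` line would stop a later reader from narrowing it. The class also issues live DNS queries for hostname literals collected from the scanned package, with no timeout, so static analysis now has network egress and unbounded resolution time as side effects; that belongs in the class documentation, together with a pointer to the `Resolver` seam for stubbing it out. The empty `import {} from "node:dns";` is a compiled remnant of a type-only import and would be elided if the source used `import type`.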
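--- a/package/dist/class/DnsResolver.class.js.map
+++ b/package/dist/class/DnsResolver.class.js.map
@@ -0,0 +1 @@
+{"version":3,"file":"DnsResolver.class.js","sourceRoot":"","sources":["../../src/class/DnsResolver.class.ts"],"names":[],"mappings":"AAAA,8BAA8B;AAC9B,OAAO,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAC3C,OAAO,EAAsB,MAAM,UAAU,CAAC;AAE9C,kCAAkC;AAClC,OAAO,SAAS,MAAM,WAAW,CAAC;AAMlC,MAAM,OAAO,WAAW;IACtB,KAAK,CAAC,aAAa,CAAC,QAAgB;QAClC,MAAM,oBAAoB,GAAoB,MAAM,MAAM,CAAC,QAAQ,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;QACpF,MAAM,aAAa,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAC,gBAAgB,EAAE,EAAE,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC;QAE/F,OAAO,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IACtD,CAAC;IAED,mBAAmB,CAAC,SAAiB;QACnC,IAAI,EAAE,GAAG,SAAS,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAEpC,IAAI,EAAE,YAAY,SAAS,CAAC,IAAI,IAAI,EAAE,CAAC,mBAAmB,EAAE,EAAE,CAAC;YAC7D,EAAE,GAAG,EAAE,CAAC,aAAa,EAAE,CAAC;QAC1B,CAAC;QAED,MAAM,KAAK,GAAG,EAAE,CAAC,KAAK,EAAE,CAAC;QACzB,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;CACF"}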
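--- a/package/dist/class/NpmTarball.class.d.ts
+++ b/package/dist/class/NpmTarball.class.d.ts
@@ -3,15 +3,20 @@ import { ManifestManager, type LocatedManifestManager } from "@nodesecure/mama";
 import { type AstAnalyserOptions } from "@nodesecure/js-x-ray";
 import { SourceCodeReport } from "./SourceCodeScanner.class.ts";
 import { type TarballComposition } from "../utils/index.ts";
+import { type Resolver } from "./DnsResolver.class.ts";
 export interface ScannedFilesResult {
     composition: TarballComposition;
     conformance: conformance.SpdxExtractedResult;
     code: SourceCodeReport;
 }
+export type NpmTarballOptions = {
+    resolver?: Resolver;
+};
 export declare class NpmTarball {
+    #private;
     static JS_EXTENSIONS: Set<string>;
     manifest: LocatedManifestManager;
-    constructor(mama: ManifestManager);
+    constructor(mama: ManifestManager, options?: NpmTarballOptions);
     scanFiles(astAnalyserOptions?: AstAnalyserOptions): Promise<ScannedFilesResult>;
 }
 //# sourceMappingURL=NpmTarball.class.d.ts.map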
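Review bot: The new `resolver?: Resolver` option on `NpmTarballOptions` appears to be the only way to keep `scanFiles` from performing live DNS lookups, yet neither the option nor the `Resolver` import carries any TSDoc here, so a consumer reading this declaration cannot tell that the default is network-backed. Since this file is generated, the comment belongs on the option in `src/class/NpmTarball.class.ts` and will be emitted here, e.g. `/** Classifies collected hostnames; defaults to a DNS-backed DnsResolver, so supply a stub for offline or hermetic scans. */`. The `Resolver` interface itself is declared in DnsResolver.class.d.ts, which is listed in the file summary but not shown on this page, so its contract (what a `true` result means) should be documented there as well.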
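--- a/package/dist/class/NpmTarball.class.d.ts.map
+++ b/package/dist/class/NpmTarball.class.d.ts.map
@@ -1 +1 @@
-{"version":3,"file":"NpmTarball.class.d.ts","sourceRoot":"","sources":["../../src/class/NpmTarball.class.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,WAAW,MAAM,yBAAyB,CAAC;AACvD,OAAO,EACL,eAAe,EACf,KAAK,sBAAsB,EAC5B,MAAM,kBAAkB,CAAC;AAC1B,OAAO,
+{"version":3,"file":"NpmTarball.class.d.ts","sourceRoot":"","sources":["../../src/class/NpmTarball.class.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,WAAW,MAAM,yBAAyB,CAAC;AACvD,OAAO,EACL,eAAe,EACf,KAAK,sBAAsB,EAC5B,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAIL,KAAK,kBAAkB,EACxB,MAAM,sBAAsB,CAAC;AAG9B,OAAO,EACL,gBAAgB,EAEjB,MAAM,8BAA8B,CAAC;AACtC,OAAO,EAEL,KAAK,kBAAkB,EACxB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,KAAK,QAAQ,EAAe,MAAM,wBAAwB,CAAC;AAEpE,MAAM,WAAW,kBAAkB;IACjC,WAAW,EAAE,kBAAkB,CAAC;IAChC,WAAW,EAAE,WAAW,CAAC,mBAAmB,CAAC;IAC7C,IAAI,EAAE,gBAAgB,CAAC;CACxB;AAED,MAAM,MAAM,iBAAiB,GAAG;IAC9B,QAAQ,CAAC,EAAE,QAAQ,CAAC;CACrB,CAAC;AAEF,qBAAa,UAAU;;IACrB,MAAM,CAAC,aAAa,cAIjB;IAEH,QAAQ,EAAE,sBAAsB,CAAC;gBAI/B,IAAI,EAAE,eAAe,EACrB,OAAO,GAAE,iBAAsB;IAU3B,SAAS,CACb,kBAAkB,CAAC,EAAE,kBAAkB,GACtC,OAAO,CAAC,kBAAkB,CAAC;CAgE/B"}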
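--- a/package/dist/class/NpmTarball.class.js
+++ b/package/dist/class/NpmTarball.class.js
@@ -3,10 +3,11 @@ import path from "node:path";
 // Import Third-party Dependencies
 import * as conformance from "@nodesecure/conformance";
 import { ManifestManager } from "@nodesecure/mama";
-import { AstAnalyser } from "@nodesecure/js-x-ray";
+import { AstAnalyser, CollectableSet, warnings } from "@nodesecure/js-x-ray";
 // Import Internal Dependencies
 import { SourceCodeReport, SourceCodeScanner } from "./SourceCodeScanner.class.js";
 import { getTarballComposition } from "../utils/index.js";
+import { DnsResolver } from "./DnsResolver.class.js";
 export class NpmTarball {
     static JS_EXTENSIONS = new Set([
         ".js", ".mjs", ".cjs",
@@ -14,11 +15,13 @@ export class NpmTarball {
         ".jsx", ".tsx"
     ]);
     manifest;
-
+    #resolver;
+    constructor(mama, options = {}) {
         if (!ManifestManager.isLocated(mama)) {
             throw new Error("ManifestManager must have a location");
         }
         this.manifest = mama;
+        this.#resolver = options?.resolver ?? new DnsResolver();
     }
     async scanFiles(astAnalyserOptions) {
         const location = this.manifest.location;
@@ -31,13 +34,32 @@ export class NpmTarball {
             code = new SourceCodeReport();
         }
         else {
-            const
+            const options = this.#optionsWithHostnameSet(astAnalyserOptions ?? {});
+            const hostNameSet = options?.collectables?.find((collectable) => collectable.type === "hostname");
+            const astAnalyser = new AstAnalyser(options);
             code = await new SourceCodeScanner(this.manifest, { astAnalyser }).iterate({
                 manifest: [...this.manifest.getEntryFiles()]
                     .flatMap(filterJavaScriptFiles()),
                 javascript: composition.files
                     .flatMap(filterJavaScriptFiles())
             });
+            const operationQueue = Array.from(hostNameSet)
+                .map(({ value, locations }) => this.#resolver.isPrivateHost(value)
+                .then((isPrivate) => {
+                if (isPrivate) {
+                    locations.forEach(({ file, location }) => {
+                        code.warnings.push({
+                            kind: "shady-link",
+                            ...warnings["shady-link"],
+                            file: file ?? undefined,
+                            location,
+                            value,
+                            source: "Scanner"
+                        });
+                    });
+                }
+            }));
+            await Promise.allSettled(operationQueue);
         }
         return {
             conformance: spdx,
@@ -45,6 +67,13 @@ export class NpmTarball {
             code
         };
     }
+    #optionsWithHostnameSet(options) {
+        const hasHostnameSet = options?.collectables?.some((collectable) => collectable.type === "hostname");
+        if (hasHostnameSet) {
+            return options;
+        }
+        return { ...options, collectables: [...options.collectables ?? [], new CollectableSet("hostname")] };
+    }
 }
 function filterJavaScriptFiles() {
     return (file) => {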
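Review bot: In the `@@ -31,13 +34,32 @@` hunk, `await Promise.allSettled(operationQueue);` throws away the settled results, so a rejected `isPrivateHost` (an unresolvable hostname, or anything thrown inside the `.then`) leaves no warning and no trace, and a scan with DNS failures is indistinguishable from a clean one; keep the results, `const settled = await Promise.allSettled(operationQueue);`, and surface `settled.filter((r) => r.status === "rejected")` through the report or a log. The same `Array.from(hostNameSet).map(...)` starts one lookup per collected hostname at once with no concurrency bound or timeout, so outbound query volume and scan duration are dictated by the scanned package's string literals; chunking the array or resolving sequentially would keep that bounded. `hostNameSet` is produced by an optional chain but handed to `Array.from` as if non-null, relying on `#optionsWithHostnameSet` having inserted the set — a one-line comment stating that invariant next to `const hostNameSet` would help, and the enclosing `scanFiles` begins in the previous hunk. In the `@@ -45,6 +67,13 @@` hunk the `options?.collectables?.some(...)` chain is dead since `scanFiles` always passes `astAnalyserOptions ?? {}`, while the return path dereferences `options.collectables` directly; drop the `?.` so the two lines agree.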
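--- a/package/dist/class/NpmTarball.class.js.map
+++ b/package/dist/class/NpmTarball.class.js.map
@@ -1 +1 @@
-{"version":3,"file":"NpmTarball.class.js","sourceRoot":"","sources":["../../src/class/NpmTarball.class.ts"],"names":[],"mappings":"AAAA,8BAA8B;AAC9B,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,kCAAkC;AAClC,OAAO,KAAK,WAAW,MAAM,yBAAyB,CAAC;AACvD,OAAO,EACL,eAAe,EAEhB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,WAAW,
+{"version":3,"file":"NpmTarball.class.js","sourceRoot":"","sources":["../../src/class/NpmTarball.class.ts"],"names":[],"mappings":"AAAA,8BAA8B;AAC9B,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,kCAAkC;AAClC,OAAO,KAAK,WAAW,MAAM,yBAAyB,CAAC;AACvD,OAAO,EACL,eAAe,EAEhB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,WAAW,EACX,cAAc,EACd,QAAQ,EAET,MAAM,sBAAsB,CAAC;AAE9B,+BAA+B;AAC/B,OAAO,EACL,gBAAgB,EAChB,iBAAiB,EAClB,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,qBAAqB,EAEtB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAiB,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAYpE,MAAM,OAAO,UAAU;IACrB,MAAM,CAAC,aAAa,GAAG,IAAI,GAAG,CAAC;QAC7B,KAAK,EAAE,MAAM,EAAE,MAAM;QACrB,KAAK,EAAE,MAAM,EAAE,MAAM;QACrB,MAAM,EAAE,MAAM;KACf,CAAC,CAAC;IAEH,QAAQ,CAAyB;IACjC,SAAS,CAAW;IAEpB,YACE,IAAqB,EACrB,UAA6B,EAAE;QAE/B,IAAI,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;QAC1D,CAAC;QAED,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC;QACrB,IAAI,CAAC,SAAS,GAAG,OAAO,EAAE,QAAQ,IAAI,IAAI,WAAW,EAAE,CAAC;IAC1D,CAAC;IAED,KAAK,CAAC,SAAS,CACb,kBAAuC;QAEvC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACxC,MAAM,CACJ,WAAW,EACX,IAAI,CACL,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YACpB,qBAAqB,CAAC,QAAQ,CAAC;YAC/B,WAAW,CAAC,eAAe,CAAC,QAAQ,CAAC;SACtC,CAAC,CAAC;QAEH,IAAI,IAAsB,CAAC;QAC3B,IAAI,WAAW,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,WAAW,CAAC,KAAK,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;YACjF,IAAI,GAAG,IAAI,gBAAgB,EAAE,CAAC;QAChC,CAAC;aACI,CAAC;YACJ,MAAM,OAAO,GAAG,IAAI,CAAC,uBAAuB,CAAC,kBAAkB,IAAI,EAAE,CAAC,CAAC;YAEvE,MAAM,WAAW,GAAG,OAAO,EAAE,YAAY,EAAE,IAAI,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC,WAAW,CAAC,IAAI,KAAK,UAAU,CAAE,CAAC;YAEnG,MAAM,WAAW,GAAG,IAAI,WAAW,CAAC,OAAO,CAAC,CAAC;YAE7C,IAAI,GAAG,MAAM,IAAI,iBAAiB,CAAC,IAAI,CAAC,QAAQ,EAAE,EAAE,WAAW,EAAE,CAAC,CAAC,OAAO,CAAC;gBACzE,QAAQ,EAAE,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,aAAa,EAAE,CAAC;qBACzC,OAAO,CAAC,qBAAqB,EAAE,CAAC;gBACnC,UAAU,EAAE,WAAW,CAAC,KAAK;qBAC1B,OAAO,CAAC,qBAAqB,EAAE,CAAC;aACpC,CAAC,CAAC;YAEH,MAAM,cAAc,GAClB,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC;iBACpB,GAAG,CAAC,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,KAAK,CAAC;iBAC/D,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE;gBAClB,IAAI,SAAS,EAAE,CAAC;oBACd,SAAS,CAAC,OAAO,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE;wBACvC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;4BACjB,IAAI,EAAE,YAAY;4BAClB,GAAG,QAAQ,CAAC,YAAY,CAAC;4BACzB,IAAI,EAAE,IAAI,IAAI,SAAS;4BACvB,QAAQ;4BACR,KAAK;4BACL,MAAM,EAAE,SAAS;yBAClB,CAAC,CAAC;oBACL,CAAC,CAAC,CAAC;gBACL,CAAC;YACH,CAAC,CAAC,CACH,CAAC;YACN,MAAM,OAAO,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC;QAC3C,CAAC;QAED,OAAO;YACL,WAAW,EAAE,IAAI;YACjB,WAAW;YACX,IAAI;SACL,CAAC;IACJ,CAAC;IAED,uBAAuB,CAAC,OAA2B;QACjD,MAAM,cAAc,GAAG,OAAO,EAAE,YAAY,EAAE,IAAI,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC,WAAW,CAAC,IAAI,KAAK,UAAU,CAAC,CAAC;QACrG,IAAI,cAAc,EAAE,CAAC;YACnB,OAAO,OAAO,CAAC;QACjB,CAAC;QAED,OAAO,EAAE,GAAG,OAAO,EAAE,YAAY,EAAE,CAAC,GAAG,OAAO,CAAC,YAAY,IAAI,EAAE,EAAE,IAAI,cAAc,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC;IACvG,CAAC;;AAGH,SAAS,qBAAqB;IAC5B,OAAO,CAAC,IAAY,EAAE,EAAE;QACtB,IAAI,UAAU,CAAC,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;YACrD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,EAAE,CAAC;IACZ,CAAC,CAAC;AACJ,CAAC"}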
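--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@nodesecure/tarball",
-  "version": "3.
+  "version": "3.1.0",
   "description": "NodeSecure tarball scanner",
   "type": "module",
   "exports": {
@@ -47,10 +47,11 @@
   "dependencies": {
     "@nodesecure/conformance": "^1.2.1",
     "@nodesecure/fs-walk": "^2.0.0",
-    "@nodesecure/js-x-ray": "11.
-    "@nodesecure/mama": "^2.1.
+    "@nodesecure/js-x-ray": "11.3.0",
+    "@nodesecure/mama": "^2.1.1",
     "@nodesecure/npm-types": "^1.2.0",
     "@nodesecure/utils": "^2.3.0",
+    "ipaddr.js": "2.3.0",
     "pacote": "^21.0.0"
   },
   "devDependencies": {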