@obfuscan/core 0.1.0

package/dist/detectors/bidi-control.js

@@ -0,0 +1,67 @@
+/**
+ * obf.bidi-control — Layer A.
+ *
+ * Flags Unicode bidirectional control characters in source code (Trojan
+ * Source, CVE-2021-42574). These are invisible characters that can make
+ * source code render differently than it executes.
+ *
+ * Always blocks: there is essentially no legitimate reason for these to
+ * appear in source. They come up in localized strings rarely, but those
+ * should be in resource files, not code.
+ */
+import { lineAtOffset, MAX_SOURCE_BYTES } from "../internal/patterns.js";
+import { truncateSnippet } from "../internal/text.js";
+// Listed individually for clarity. Same set as RFC + Rust's lint.
+const BIDI_CHARS = [
+    "\u202A", // LRE — Left-to-Right Embedding
+    "\u202B", // RLE — Right-to-Left Embedding
+    "\u202C", // PDF — Pop Directional Formatting
+    "\u202D", // LRO — Left-to-Right Override
+    "\u202E", // RLO — Right-to-Left Override
+    "\u2066", // LRI — Left-to-Right Isolate
+    "\u2067", // RLI — Right-to-Left Isolate
+    "\u2068", // FSI — First Strong Isolate
+    "\u2069", // PDI — Pop Directional Isolate
+];
+const BIDI_RE = new RegExp(`[${BIDI_CHARS.join("")}]`, "g");
+const NAMES = {
+    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF",
+    "\u202D": "LRO", "\u202E": "RLO", "\u2066": "LRI",
+    "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
+};
+export const bidiControlChar = {
+    id: "obf.bidi-control",
+    docsUrl: "https://github.com/bytebardorg/obfuscan/blob/main/docs/detectors.md#obfbidi-control",
+    applies(ctx) {
+        return ctx.source.length > 0 && ctx.source.length < MAX_SOURCE_BYTES;
+    },
+    run(ctx) {
+        const findings = [];
+        const src = ctx.source;
+        let m;
+        BIDI_RE.lastIndex = 0;
+        while ((m = BIDI_RE.exec(src)) !== null) {
+            const ch = m[0];
+            const codePoint = ch.codePointAt(0);
+            const line = lineAtOffset(src, m.index);
+            // Take a small window of context around the bidi char for the snippet.
+            const winStart = Math.max(0, m.index - 20);
+            const winEnd = Math.min(src.length, m.index + 20);
+            const snippet = src.slice(winStart, winEnd);
+            findings.push({
+                ruleId: bidiControlChar.id,
+                severity: "block",
+                score: 10,
+                file: ctx.path,
+                line,
+                snippet: truncateSnippet(snippet),
+                reason: `Unicode bidirectional control character ` +
+                    `${NAMES[ch] ?? "?"} (U+${codePoint.toString(16).toUpperCase().padStart(4, "0")}) ` +
+                    `found in source. This is a Trojan Source attack vector (CVE-2021-42574).`,
+                evidence: { codePoint, name: NAMES[ch] ?? "unknown" },
+            });
+        }
+        return findings;
+    },
+};
+//# sourceMappingURL=bidi-control.js.map

package/dist/detectors/bidi-control.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bidi-control.js","sourceRoot":"","sources":["../../src/detectors/bidi-control.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AACzE,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEtD,kEAAkE;AAClE,MAAM,UAAU,GAAG;IACjB,QAAQ,EAAE,gCAAgC;IAC1C,QAAQ,EAAE,gCAAgC;IAC1C,QAAQ,EAAE,mCAAmC;IAC7C,QAAQ,EAAE,+BAA+B;IACzC,QAAQ,EAAE,+BAA+B;IACzC,QAAQ,EAAE,8BAA8B;IACxC,QAAQ,EAAE,8BAA8B;IACxC,QAAQ,EAAE,6BAA6B;IACvC,QAAQ,EAAE,gCAAgC;CAC3C,CAAC;AAEF,MAAM,OAAO,GAAG,IAAI,MAAM,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;AAE5D,MAAM,KAAK,GAA2B;IACpC,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK;IACjD,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK;IACjD,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK;CAClD,CAAC;AAEF,MAAM,CAAC,MAAM,eAAe,GAAa;IACvC,EAAE,EAAE,kBAAkB;IACtB,OAAO,EAAE,qFAAqF;IAE9F,OAAO,CAAC,GAAgB;QACtB,OAAO,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,gBAAgB,CAAC;IACvE,CAAC;IAED,GAAG,CAAC,GAAgB;QAClB,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;QACvB,IAAI,CAAyB,CAAC;QAC9B,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;QACtB,OAAO,CAAC,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACxC,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAChB,MAAM,SAAS,GAAG,EAAE,CAAC,WAAW,CAAC,CAAC,CAAE,CAAC;YACrC,MAAM,IAAI,GAAG,YAAY,CAAC,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;YACxC,uEAAuE;YACvE,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC,CAAC;YAC3C,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC,CAAC;YAClD,MAAM,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YAE5C,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,eAAe,CAAC,EAAE;gBAC1B,QAAQ,EAAE,OAAO;gBACjB,KAAK,EAAE,EAAE;gBACT,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,IAAI;gBACJ,OAAO,EAAE,eAAe,CAAC,OAAO,CAAC;gBACjC,MAAM,EACJ,0CAA0C;oBAC1C,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,GAAG,OAAO,SAAS,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,IAAI;oBACnF,0EAA0E;gBAC5E,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,CAAC,EAAE,CAAC,IAAI,SAAS,EAAE;aACtD,CAAC,CAAC;QACL,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC"}

package/dist/detectors/cargo-build-rs-network.d.ts

@@ -0,0 +1,12 @@
+/**
+ * obf.cargo-build-rs-network — Manifest detector for Cargo `build.rs`.
+ *
+ * Flags `build.rs` files that perform network IO. `build.rs` runs at compile
+ * time on every machine that builds the crate; network-fetching binaries
+ * here is a supply-chain malware delivery shape.
+ *
+ * Allowed: `println!("cargo:...")` directives and pure-compute build logic.
+ */
+import type { Detector } from "../types.js";
+export declare const cargoBuildRsNetwork: Detector;
+//# sourceMappingURL=cargo-build-rs-network.d.ts.map

package/dist/detectors/cargo-build-rs-network.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cargo-build-rs-network.d.ts","sourceRoot":"","sources":["../../src/detectors/cargo-build-rs-network.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAwB,MAAM,aAAa,CAAC;AAgBlE,eAAO,MAAM,mBAAmB,EAAE,QAqCjC,CAAC"}

package/dist/detectors/cargo-build-rs-network.js

@@ -0,0 +1,54 @@
+/**
+ * obf.cargo-build-rs-network — Manifest detector for Cargo `build.rs`.
+ *
+ * Flags `build.rs` files that perform network IO. `build.rs` runs at compile
+ * time on every machine that builds the crate; network-fetching binaries
+ * here is a supply-chain malware delivery shape.
+ *
+ * Allowed: `println!("cargo:...")` directives and pure-compute build logic.
+ */
+import { lineAtOffset } from "../internal/patterns.js";
+import { truncateSnippet } from "../internal/text.js";
+function isBuildRs(p) {
+    return p === "build.rs" || p.endsWith("/build.rs");
+}
+// Network markers in Rust build scripts
+const NETWORK_RE = /\b(?:reqwest::|ureq::|isahc::|hyper::|surf::|attohttpc::|curl::|tokio::net|std::net::TcpStream|std::net::UdpSocket)/g;
+// Process-spawn markers (curl|wget shelled out from build.rs)
+const PROCESS_NETWORK_RE = /Command::new\s*\(\s*"(?:curl|wget|powershell|pwsh)"/g;
+export const cargoBuildRsNetwork = {
+    id: "obf.cargo-build-rs-network",
+    docsUrl: "https://github.com/bytebardorg/obfuscan/blob/main/docs/detectors.md#obfcargo-build-rs-network",
+    applies(ctx) {
+        return isBuildRs(ctx.path);
+    },
+    run(ctx) {
+        const findings = [];
+        const src = ctx.source;
+        const seen = new Set();
+        for (const re of [NETWORK_RE, PROCESS_NETWORK_RE]) {
+            const local = new RegExp(re.source, re.flags);
+            let m;
+            while ((m = local.exec(src)) !== null) {
+                const line = lineAtOffset(src, m.index);
+                if (seen.has(line))
+                    continue;
+                seen.add(line);
+                findings.push({
+                    ruleId: cargoBuildRsNetwork.id,
+                    severity: "block",
+                    score: 9,
+                    file: ctx.path,
+                    line,
+                    snippet: truncateSnippet(m[0]),
+                    reason: `\`build.rs\` performs network IO at compile time. Fetching code or ` +
+                        `binaries from the network during a build is a supply-chain ` +
+                        `malware delivery vector.`,
+                    evidence: { marker: m[0] },
+                });
+            }
+        }
+        return findings;
+    },
+};
+//# sourceMappingURL=cargo-build-rs-network.js.map

package/dist/detectors/cargo-build-rs-network.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cargo-build-rs-network.js","sourceRoot":"","sources":["../../src/detectors/cargo-build-rs-network.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACvD,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEtD,SAAS,SAAS,CAAC,CAAS;IAC1B,OAAO,CAAC,KAAK,UAAU,IAAI,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACrD,CAAC;AAED,wCAAwC;AACxC,MAAM,UAAU,GACd,sHAAsH,CAAC;AAEzH,8DAA8D;AAC9D,MAAM,kBAAkB,GACtB,sDAAsD,CAAC;AAEzD,MAAM,CAAC,MAAM,mBAAmB,GAAa;IAC3C,EAAE,EAAE,4BAA4B;IAChC,OAAO,EAAE,+FAA+F;IAExG,OAAO,CAAC,GAAgB;QACtB,OAAO,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC7B,CAAC;IAED,GAAG,CAAC,GAAgB;QAClB,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;QACvB,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;QAE/B,KAAK,MAAM,EAAE,IAAI,CAAC,UAAU,EAAE,kBAAkB,CAAC,EAAE,CAAC;YAClD,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC;YAC9C,IAAI,CAAyB,CAAC;YAC9B,OAAO,CAAC,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,YAAY,CAAC,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;gBACxC,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC;oBAAE,SAAS;gBAC7B,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBACf,QAAQ,CAAC,IAAI,CAAC;oBACZ,MAAM,EAAE,mBAAmB,CAAC,EAAE;oBAC9B,QAAQ,EAAE,OAAO;oBACjB,KAAK,EAAE,CAAC;oBACR,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,IAAI;oBACJ,OAAO,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;oBAC9B,MAAM,EACJ,qEAAqE;wBACrE,6DAA6D;wBAC7D,0BAA0B;oBAC5B,QAAQ,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE;iBAC3B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC"}

package/dist/detectors/decode-then-exec.d.ts

@@ -0,0 +1,20 @@
+/**
+ * obf.decode-then-exec.<lang> — Layer B.
+ *
+ * Fires when a value flowing out of a *decoder* (base64, hex, gzip, …) flows
+ * into a *dynamic-exec sink* (eval, exec, Function, …) — either as a direct
+ * argument or via one intermediate variable.
+ *
+ * Implementation note: the bundled engine is regex-driven over `ctx.source`.
+ * Each language config supplies the decoder + sink names; we build two
+ * patterns per file:
+ *
+ *   1. Direct:   sink( ... decoder( ... ) ... )
+ *   2. Indirect: var = decoder( ... ); ... sink(var)
+ *
+ * Hosts that want full scope analysis can replace this with a tree-sitter
+ * implementation by supplying their own `Detector` via `ScanOptions.detectors`.
+ */
+import type { Detector } from "../types.js";
+export declare const decodeThenExec: Detector;
+//# sourceMappingURL=decode-then-exec.d.ts.map

package/dist/detectors/decode-then-exec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"decode-then-exec.d.ts","sourceRoot":"","sources":["../../src/detectors/decode-then-exec.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAwC,MAAM,aAAa,CAAC;AAkHlF,eAAO,MAAM,cAAc,EAAE,QA0E5B,CAAC"}

package/dist/detectors/decode-then-exec.js

@@ -0,0 +1,189 @@
+/**
+ * obf.decode-then-exec.<lang> — Layer B.
+ *
+ * Fires when a value flowing out of a *decoder* (base64, hex, gzip, …) flows
+ * into a *dynamic-exec sink* (eval, exec, Function, …) — either as a direct
+ * argument or via one intermediate variable.
+ *
+ * Implementation note: the bundled engine is regex-driven over `ctx.source`.
+ * Each language config supplies the decoder + sink names; we build two
+ * patterns per file:
+ *
+ *   1. Direct:   sink( ... decoder( ... ) ... )
+ *   2. Indirect: var = decoder( ... ); ... sink(var)
+ *
+ * Hosts that want full scope analysis can replace this with a tree-sitter
+ * implementation by supplying their own `Detector` via `ScanOptions.detectors`.
+ */
+import { escapeRegex, lineAtOffset, MAX_FINDINGS_PER_DETECTOR, MAX_SOURCE_BYTES, namedCallAlternation, } from "../internal/patterns.js";
+import { truncateSnippet } from "../internal/text.js";
+const cache = new WeakMap();
+function candidateTokens(names) {
+    const out = [];
+    const seen = new Set();
+    for (const n of names) {
+        if (!n)
+            continue;
+        const tail = n.split(/[.\/:\s]+/).filter(Boolean).pop() ?? n;
+        const token = tail.replace(/[^A-Za-z0-9_]/g, "");
+        if (token.length < 3)
+            continue;
+        if (seen.has(token))
+            continue;
+        seen.add(token);
+        out.push(token);
+    }
+    return out;
+}
+function maybeRelevantSource(source, config) {
+    const sinkTokens = candidateTokens(config.dynamic_exec_sinks);
+    const decoderTokens = candidateTokens(config.decoders);
+    const hasSink = sinkTokens.some(t => source.includes(t));
+    if (!hasSink)
+        return false;
+    return decoderTokens.some(t => source.includes(t));
+}
+function compile(config) {
+    const cached = cache.get(config);
+    if (cached)
+        return cached;
+    const decoders = namedCallAlternation(config.decoders);
+    const sinks = namedCallAlternation(config.dynamic_exec_sinks);
+    // Direct: sink( ... decoder( ... ) ... )
+    // We allow up to ~400 chars between the sink open and the decoder call to
+    // accommodate chained method calls (`.toString()`, `.text`, etc.).
+    const direct = new RegExp(`(?:${sinks})\\s*\\(([^()]{0,400}(?:\\([^()]*\\)[^()]{0,200}){0,3}(?:${decoders})\\s*\\()`, "g");
+    // Bash-specific: `sink "$( ... | base64 -d)"`. Decoders are pipeline words,
+    // not function calls. Require the sink to be followed (within ~400 chars)
+    // by a `$( ... decoder ... )` subshell; the decoder appears as a bare word
+    // possibly with args, e.g. `base64 -d`, `xxd -r -p`.
+    const isShell = (config.id === "bash" || (config.aliases ?? []).includes("sh"));
+    const bashSubshell = isShell
+        ? new RegExp(`(?:${sinks})\\s+"?\\$\\([\\s\\S]{0,400}?(?:${decoders})(?:\\s|\\b)`, "g")
+        : null;
+    const directUnion = bashSubshell
+        ? new RegExp(`${direct.source}|${bashSubshell.source}`, "g")
+        : direct;
+    // Indirect-assign: `var X = decoder(...);` and tuple-style assignments.
+    const indirectAssign = new RegExp(`([A-Za-z_$][\\w$]*)` +
+        `\\s*(?:,\\s*[A-Za-z_$][\\w$]*)*\\s*` +
+        `(?::=|=)\\s*` +
+        `(?:await\\s+)?` +
+        `(?:${decoders})\\s*\\(`, "g");
+    const sinkUse = (varName) => new RegExp(`(?:${sinks})\\s*(?:\\(|\\s+)\\s*(?:[A-Za-z_][\\w$]*\\s*\\(\\s*){0,2}[&*]*\\s*${escapeRegex(varName)}\\b`, "g");
+    const sinkCall = new RegExp(`(?:${sinks})\\s*(?:\\(|\\s+)([\\s\\S]{0,24})`, "g");
+    const decoderCall = new RegExp(`(?:${decoders})\\s*\\(`, "g");
+    const compiled = {
+        direct: directUnion,
+        indirectAssign,
+        sinkUse,
+        sinkCall,
+        decoderCall,
+    };
+    cache.set(config, compiled);
+    return compiled;
+}
+function isLiteralPeek(peek) {
+    const trimmed = peek.replace(/^\s+/, "");
+    if (trimmed.length === 0)
+        return false;
+    const c = trimmed[0];
+    if (c === '"' || c === "'")
+        return true;
+    if (c >= "0" && c <= "9")
+        return true;
+    if (c === "-" && trimmed[1] && trimmed[1] >= "0" && trimmed[1] <= "9")
+        return true;
+    if (c === "`")
+        return !trimmed.includes("${");
+    return false;
+}
+export const decodeThenExec = {
+    id: "obf.decode-then-exec",
+    docsUrl: "https://github.com/bytebardorg/obfuscan/blob/main/docs/detectors.md#obfdecode-then-exec",
+    applies(ctx) {
+        return (ctx.config !== null &&
+            ctx.config.dynamic_exec_sinks.length > 0 &&
+            ctx.config.decoders.length > 0 &&
+            ctx.source.length > 0 &&
+            ctx.source.length < MAX_SOURCE_BYTES &&
+            maybeRelevantSource(ctx.source, ctx.config));
+    },
+    run(ctx) {
+        if (!ctx.config)
+            return [];
+        const cfg = ctx.config;
+        const src = ctx.source;
+        const { direct, indirectAssign, sinkUse, sinkCall, decoderCall } = compile(cfg);
+        const findings = [];
+        const seen = new Set(); // (line) dedupe
+        // Direct flow.
+        let m;
+        const directRe = new RegExp(direct.source, direct.flags);
+        while ((m = directRe.exec(src)) !== null) {
+            if (findings.length >= MAX_FINDINGS_PER_DETECTOR)
+                break;
+            const line = lineAtOffset(src, m.index);
+            if (seen.has(line))
+                continue;
+            seen.add(line);
+            findings.push(buildFinding(ctx, cfg.id, m[0], m.index, "direct"));
+        }
+        // Indirect flow: find decoder assignments, then look for sink(var) later.
+        const assignRe = new RegExp(indirectAssign.source, indirectAssign.flags);
+        while ((m = assignRe.exec(src)) !== null) {
+            if (findings.length >= MAX_FINDINGS_PER_DETECTOR)
+                break;
+            const varName = m[1];
+            if (!varName)
+                continue;
+            const after = src.slice(m.index + m[0].length);
+            const useRe = sinkUse(varName);
+            const useMatch = useRe.exec(after);
+            if (!useMatch)
+                continue;
+            const useOffset = m.index + m[0].length + useMatch.index;
+            const line = lineAtOffset(src, useOffset);
+            if (seen.has(line))
+                continue;
+            seen.add(line);
+            findings.push(buildFinding(ctx, cfg.id, useMatch[0], useOffset, "indirect"));
+        }
+        // Fallback: if a file contains both a decoder call and a dynamic-exec sink
+        // with a non-literal argument, flag it. This catches helper wrappers and
+        // statement-style sinks that don't fit the simple assignment model.
+        const hasDecoder = new RegExp(decoderCall.source, decoderCall.flags).test(src);
+        if (hasDecoder) {
+            const sinkRe = new RegExp(sinkCall.source, sinkCall.flags);
+            while ((m = sinkRe.exec(src)) !== null) {
+                if (findings.length >= MAX_FINDINGS_PER_DETECTOR)
+                    break;
+                const peek = m[1] ?? "";
+                if (isLiteralPeek(peek))
+                    continue;
+                const offset = m.index + (m[0].length - peek.length);
+                const line = lineAtOffset(src, offset);
+                if (seen.has(line))
+                    continue;
+                seen.add(line);
+                findings.push(buildFinding(ctx, cfg.id, m[0], offset, "co-located"));
+            }
+        }
+        return findings;
+    },
+};
+function buildFinding(ctx, langId, rawSnippet, offset, flow) {
+    const line = lineAtOffset(ctx.source, offset);
+    return {
+        ruleId: `obf.decode-then-exec.${langId}`,
+        severity: "block",
+        score: 9,
+        file: ctx.path,
+        line,
+        snippet: truncateSnippet(rawSnippet),
+        reason: `Decoded value flows into a dynamic-exec sink (${flow}). This is the ` +
+            `canonical decode-then-exec obfuscation pattern.`,
+        evidence: { language: langId, flow },
+    };
+}
+//# sourceMappingURL=decode-then-exec.js.map

package/dist/detectors/decode-then-exec.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"decode-then-exec.js","sourceRoot":"","sources":["../../src/detectors/decode-then-exec.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAGH,OAAO,EACL,WAAW,EACX,YAAY,EACZ,yBAAyB,EACzB,gBAAgB,EAChB,oBAAoB,GACrB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAUtD,MAAM,KAAK,GAAG,IAAI,OAAO,EAAoC,CAAC;AAE9D,SAAS,eAAe,CAAC,KAAwB;IAC/C,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,IAAI,CAAC,CAAC;YAAE,SAAS;QACjB,MAAM,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAC7D,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,gBAAgB,EAAE,EAAE,CAAC,CAAC;QACjD,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;YAAE,SAAS;QAC/B,IAAI,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC;YAAE,SAAS;QAC9B,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAChB,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClB,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,mBAAmB,CAAC,MAAc,EAAE,MAAsB;IACjE,MAAM,UAAU,GAAG,eAAe,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC;IAC9D,MAAM,aAAa,GAAG,eAAe,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACvD,MAAM,OAAO,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;IACzD,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAC3B,OAAO,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;AACrD,CAAC;AAED,SAAS,OAAO,CAAC,MAAsB;IACrC,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACjC,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAE1B,MAAM,QAAQ,GAAG,oBAAoB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACvD,MAAM,KAAK,GAAG,oBAAoB,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC;IAE9D,yCAAyC;IACzC,0EAA0E;IAC1E,mEAAmE;IACnE,MAAM,MAAM,GAAG,IAAI,MAAM,CACvB,MAAM,KAAK,4DAA4D,QAAQ,WAAW,EAC1F,GAAG,CACJ,CAAC;IAEF,4EAA4E;IAC5E,0EAA0E;IAC1E,2EAA2E;IAC3E,qDAAqD;IACrD,MAAM,OAAO,GAAG,CAAC,MAAM,CAAC,EAAE,KAAK,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;IAChF,MAAM,YAAY,GAAG,OAAO;QAC1B,CAAC,CAAC,IAAI,MAAM,CACR,MAAM,KAAK,mCAAmC,QAAQ,cAAc,EACpE,GAAG,CACJ;QACH,CAAC,CAAC,IAAI,CAAC;IACT,MAAM,WAAW,GAAG,YAAY;QAC9B,CAAC,CAAC,IAAI,MAAM,CAAC,GAAG,MAAM,CAAC,MAAM,IAAI,YAAY,CAAC,MAAM,EAAE,EAAE,GAAG,CAAC;QAC5D,CAAC,CAAC,MAAM,CAAC;IAEX,wEAAwE;IACxE,MAAM,cAAc,GAAG,IAAI,MAAM,CAC/B,qBAAqB;QACrB,qCAAqC;QACrC,cAAc;QACd,gBAAgB;QAChB,MAAM,QAAQ,UAAU,EACxB,GAAG,CACJ,CAAC;IAEF,MAAM,OAAO,GAAG,CAAC,OAAe,EAAE,EAAE,CAClC,IAAI,MAAM,CACR,MAAM,KAAK,qEAAqE,WAAW,CAAC,OAAO,CAAC,KAAK,EACzG,GAAG,CACJ,CAAC;IAEJ,MAAM,QAAQ,GAAG,IAAI,MAAM,CAAC,MAAM,KAAK,mCAAmC,EAAE,GAAG,CAAC,CAAC;IACjF,MAAM,WAAW,GAAG,IAAI,MAAM,CAAC,MAAM,QAAQ,UAAU,EAAE,GAAG,CAAC,CAAC;IAE9D,MAAM,QAAQ,GAAqB;QACjC,MAAM,EAAE,WAAW;QACnB,cAAc;QACd,OAAO;QACP,QAAQ;QACR,WAAW;KACZ,CAAC;IACF,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC5B,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,aAAa,CAAC,IAAY;IACjC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACzC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACvC,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,CAAE,CAAC;IACtB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACxC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,GAAG;QAAE,OAAO,IAAI,CAAC;IACtC,IAAI,CAAC,KAAK,GAAG,IAAI,OAAO,CAAC,CAAC,CAAC,IAAI,OAAO,CAAC,CAAC,CAAC,IAAI,GAAG,IAAI,OAAO,CAAC,CAAC,CAAC,IAAI,GAAG;QAAE,OAAO,IAAI,CAAC;IACnF,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAC9C,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,CAAC,MAAM,cAAc,GAAa;IACtC,EAAE,EAAE,sBAAsB;IAC1B,OAAO,EAAE,yFAAyF;IAElG,OAAO,CAAC,GAAgB;QACtB,OAAO,CACL,GAAG,CAAC,MAAM,KAAK,IAAI;YACnB,GAAG,CAAC,MAAM,CAAC,kBAAkB,CAAC,MAAM,GAAG,CAAC;YACxC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC;YAC9B,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC;YACrB,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,gBAAgB;YACpC,mBAAmB,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,CAC5C,CAAC;IACJ,CAAC;IAED,GAAG,CAAC,GAAgB;QAClB,IAAI,CAAC,GAAG,CAAC,MAAM;YAAE,OAAO,EAAE,CAAC;QAC3B,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;QACvB,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;QACvB,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;QAEhF,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC,CAAC,gBAAgB;QAEhD,eAAe;QACf,IAAI,CAAyB,CAAC;QAC9B,MAAM,QAAQ,GAAG,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;QACzD,OAAO,CAAC,CAAC,GAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACzC,IAAI,QAAQ,CAAC,MAAM,IAAI,yBAAyB;gBAAE,MAAM;YACxD,MAAM,IAAI,GAAG,YAAY,CAAC,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;YACxC,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC;gBAAE,SAAS;YAC7B,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YACf,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC;QACpE,CAAC;QAED,0EAA0E;QAC1E,MAAM,QAAQ,GAAG,IAAI,MAAM,CAAC,cAAc,CAAC,MAAM,EAAE,cAAc,CAAC,KAAK,CAAC,CAAC;QACzE,OAAO,CAAC,CAAC,GAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACzC,IAAI,QAAQ,CAAC,MAAM,IAAI,yBAAyB;gBAAE,MAAM;YACxD,MAAM,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YACrB,IAAI,CAAC,OAAO;gBAAE,SAAS;YACvB,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;YAC/C,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;YAC/B,MAAM,QAAQ,GAAG,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACnC,IAAI,CAAC,QAAQ;gBAAE,SAAS;YAExB,MAAM,SAAS,GAAG,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC;YACzD,MAAM,IAAI,GAAG,YAAY,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;YAC1C,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC;gBAAE,SAAS;YAC7B,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YACf,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC,CAAC;QAC/E,CAAC;QAED,2EAA2E;QAC3E,yEAAyE;QACzE,oEAAoE;QACpE,MAAM,UAAU,GAAG,IAAI,MAAM,CAAC,WAAW,CAAC,MAAM,EAAE,WAAW,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC/E,IAAI,UAAU,EAAE,CAAC;YACf,MAAM,MAAM,GAAG,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC;YAC3D,OAAO,CAAC,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBACvC,IAAI,QAAQ,CAAC,MAAM,IAAI,yBAAyB;oBAAE,MAAM;gBACxD,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBACxB,IAAI,aAAa,CAAC,IAAI,CAAC;oBAAE,SAAS;gBAElC,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;gBACrD,MAAM,IAAI,GAAG,YAAY,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;gBACvC,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC;oBAAE,SAAS;gBAC7B,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBACf,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,YAAY,CAAC,CAAC,CAAC;YACvE,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC;AAEF,SAAS,YAAY,CACnB,GAAgB,EAChB,MAAc,EACd,UAAkB,EAClB,MAAc,EACd,IAA0C;IAE1C,MAAM,IAAI,GAAG,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC9C,OAAO;QACL,MAAM,EAAE,wBAAwB,MAAM,EAAE;QACxC,QAAQ,EAAE,OAAO;QACjB,KAAK,EAAE,CAAC;QACR,IAAI,EAAE,GAAG,CAAC,IAAI;QACd,IAAI;QACJ,OAAO,EAAE,eAAe,CAAC,UAAU,CAAC;QACpC,MAAM,EACJ,iDAAiD,IAAI,iBAAiB;YACtE,iDAAiD;QACnD,QAAQ,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE;KACrC,CAAC;AACJ,CAAC"}

package/dist/detectors/deserializer-untrusted.d.ts

@@ -0,0 +1,15 @@
+/**
+ * obf.deserializer-untrusted.<lang> — Layer B.
+ *
+ * Fires when an unsafe deserializer (`pickle.loads`, `Marshal.load`,
+ * `unserialize`, `BinaryFormatter.Deserialize`, `ObjectInputStream.readObject`)
+ * is called with a non-literal argument. These are the canonical RCE-by-
+ * deserialization sinks.
+ *
+ * Safe deserializers (e.g. `JSON.parse`, `json_decode`, `JSON.stringify`)
+ * are skipped via an internal allowlist even if a `LanguageConfig` lists them,
+ * so authors who include them for completeness don't pay an FP tax.
+ */
+import type { Detector } from "../types.js";
+export declare const deserializerUntrusted: Detector;
+//# sourceMappingURL=deserializer-untrusted.d.ts.map

package/dist/detectors/deserializer-untrusted.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"deserializer-untrusted.d.ts","sourceRoot":"","sources":["../../src/detectors/deserializer-untrusted.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAwC,MAAM,aAAa,CAAC;AAiDlF,eAAO,MAAM,qBAAqB,EAAE,QA8CnC,CAAC"}

package/dist/detectors/deserializer-untrusted.js

@@ -0,0 +1,99 @@
+/**
+ * obf.deserializer-untrusted.<lang> — Layer B.
+ *
+ * Fires when an unsafe deserializer (`pickle.loads`, `Marshal.load`,
+ * `unserialize`, `BinaryFormatter.Deserialize`, `ObjectInputStream.readObject`)
+ * is called with a non-literal argument. These are the canonical RCE-by-
+ * deserialization sinks.
+ *
+ * Safe deserializers (e.g. `JSON.parse`, `json_decode`, `JSON.stringify`)
+ * are skipped via an internal allowlist even if a `LanguageConfig` lists them,
+ * so authors who include them for completeness don't pay an FP tax.
+ */
+import { lineAtOffset, MAX_FINDINGS_PER_DETECTOR, MAX_SOURCE_BYTES, namedCallAlternation, } from "../internal/patterns.js";
+import { truncateSnippet } from "../internal/text.js";
+/**
+ * Names that are deserializers but are *safe* against untrusted input. If a
+ * `LanguageConfig` happens to list them (some do, for completeness), the
+ * detector still skips them.
+ */
+const SAFE_DESERIALIZERS = new Set([
+    "JSON.parse",
+    "v8.deserialize",
+    "node:v8.deserialize",
+    "json_decode",
+]);
+const cache = new WeakMap();
+function compile(config) {
+    const cached = cache.get(config);
+    if (cached)
+        return cached;
+    const list = (config.deserializers ?? []).filter((d) => !SAFE_DESERIALIZERS.has(d));
+    if (list.length === 0)
+        return null;
+    const alt = namedCallAlternation(list);
+    // Match `deserializer( ... )` and capture a peek at the first argument.
+    const re = new RegExp(`(?:^|[^A-Za-z0-9_$])((?:${alt}))\\s*\\(([\\s\\S]{0,16})`, "g");
+    cache.set(config, re);
+    return re;
+}
+/**
+ * Skip definition contexts: `def name(`, `function name(`, `fn name(`,
+ * `sub name`, `func name(`. The detector is otherwise too eager when a
+ * deserializer's bare tail (e.g. `load`) collides with a function name.
+ */
+const DEFINITION_PREFIX_RE = /(?:\b(?:def|function|fn|func|sub)\s+|class\s+)$/;
+function looksLikeLiteralCall(peek) {
+    const t = peek.replace(/^\s+/, "");
+    if (t.length === 0)
+        return false;
+    const c = t[0];
+    return c === '"' || c === "'" || (c >= "0" && c <= "9");
+}
+export const deserializerUntrusted = {
+    id: "obf.deserializer-untrusted",
+    docsUrl: "https://github.com/bytebardorg/obfuscan/blob/main/docs/detectors.md#obfdeserializer-untrusted",
+    applies(ctx) {
+        return (ctx.config !== null &&
+            (ctx.config.deserializers?.length ?? 0) > 0 &&
+            ctx.source.length > 0 &&
+            ctx.source.length < MAX_SOURCE_BYTES);
+    },
+    run(ctx) {
+        if (!ctx.config)
+            return [];
+        const cfg = ctx.config;
+        const re = compile(cfg);
+        if (!re)
+            return [];
+        const findings = [];
+        const local = new RegExp(re.source, re.flags);
+        let m;
+        while ((m = local.exec(ctx.source)) !== null) {
+            if (findings.length >= MAX_FINDINGS_PER_DETECTOR)
+                break;
+            const name = m[1] ?? "";
+            const peek = m[2] ?? "";
+            if (looksLikeLiteralCall(peek))
+                continue;
+            // Skip `def load(...)`, `function load(...)`, etc. — definitions, not calls.
+            const lookback = ctx.source.slice(Math.max(0, m.index - 20), m.index + 1);
+            if (DEFINITION_PREFIX_RE.test(lookback))
+                continue;
+            const offset = m.index + (m[0].length - peek.length);
+            findings.push({
+                ruleId: `obf.deserializer-untrusted.${cfg.id}`,
+                severity: "block",
+                score: 9,
+                file: ctx.path,
+                line: lineAtOffset(ctx.source, offset),
+                snippet: truncateSnippet(`${name}(${peek}`),
+                reason: `Unsafe deserializer \`${name}\` called with a non-literal argument. ` +
+                    `Untrusted input here is RCE.`,
+                evidence: { language: cfg.id, deserializer: name },
+            });
+        }
+        return findings;
+    },
+};
+//# sourceMappingURL=deserializer-untrusted.js.map

package/dist/detectors/deserializer-untrusted.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"deserializer-untrusted.js","sourceRoot":"","sources":["../../src/detectors/deserializer-untrusted.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,EACL,YAAY,EACZ,yBAAyB,EACzB,gBAAgB,EAChB,oBAAoB,GACrB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEtD;;;;GAIG;AACH,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAS;IACzC,YAAY;IACZ,gBAAgB;IAChB,qBAAqB;IACrB,aAAa;CACd,CAAC,CAAC;AAEH,MAAM,KAAK,GAAG,IAAI,OAAO,EAA0B,CAAC;AAEpD,SAAS,OAAO,CAAC,MAAsB;IACrC,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACjC,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAC1B,MAAM,IAAI,GAAG,CAAC,MAAM,CAAC,aAAa,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACpF,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,MAAM,GAAG,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAC;IACvC,wEAAwE;IACxE,MAAM,EAAE,GAAG,IAAI,MAAM,CAAC,2BAA2B,GAAG,2BAA2B,EAAE,GAAG,CAAC,CAAC;IACtF,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACtB,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;;;GAIG;AACH,MAAM,oBAAoB,GAAG,iDAAiD,CAAC;AAE/E,SAAS,oBAAoB,CAAC,IAAY;IACxC,MAAM,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACnC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACjC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC;IAChB,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC;AAC1D,CAAC;AAED,MAAM,CAAC,MAAM,qBAAqB,GAAa;IAC7C,EAAE,EAAE,4BAA4B;IAChC,OAAO,EAAE,+FAA+F;IAExG,OAAO,CAAC,GAAgB;QACtB,OAAO,CACL,GAAG,CAAC,MAAM,KAAK,IAAI;YACnB,CAAC,GAAG,CAAC,MAAM,CAAC,aAAa,EAAE,MAAM,IAAI,CAAC,CAAC,GAAG,CAAC;YAC3C,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC;YACrB,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,gBAAgB,CACrC,CAAC;IACJ,CAAC;IAED,GAAG,CAAC,GAAgB;QAClB,IAAI,CAAC,GAAG,CAAC,MAAM;YAAE,OAAO,EAAE,CAAC;QAC3B,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;QACvB,MAAM,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;QACxB,IAAI,CAAC,EAAE;YAAE,OAAO,EAAE,CAAC;QAEnB,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC;QAC9C,IAAI,CAAyB,CAAC;QAC9B,OAAO,CAAC,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC7C,IAAI,QAAQ,CAAC,MAAM,IAAI,yBAAyB;gBAAE,MAAM;YACxD,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACxB,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACxB,IAAI,oBAAoB,CAAC,IAAI,CAAC;gBAAE,SAAS;YACzC,6EAA6E;YAC7E,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;YAC1E,IAAI,oBAAoB,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAAE,SAAS;YAClD,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;YACrD,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,8BAA8B,GAAG,CAAC,EAAE,EAAE;gBAC9C,QAAQ,EAAE,OAAO;gBACjB,KAAK,EAAE,CAAC;gBACR,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,IAAI,EAAE,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC;gBACtC,OAAO,EAAE,eAAe,CAAC,GAAG,IAAI,IAAI,IAAI,EAAE,CAAC;gBAC3C,MAAM,EACJ,yBAAyB,IAAI,yCAAyC;oBACtE,8BAA8B;gBAChC,QAAQ,EAAE,EAAE,QAAQ,EAAE,GAAG,CAAC,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE;aACnD,CAAC,CAAC;QACL,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC"}

package/dist/detectors/dockerfile-curl-pipe-shell.d.ts

@@ -0,0 +1,10 @@
+/**
+ * obf.dockerfile-curl-pipe-shell — Manifest detector for Dockerfiles.
+ *
+ * Flags `RUN curl|bash` and equivalents in Dockerfiles. Same shape as the
+ * GHA detector — a network download piped into a shell — but in the image
+ * build path.
+ */
+import type { Detector } from "../types.js";
+export declare const dockerfileCurlPipeShell: Detector;
+//# sourceMappingURL=dockerfile-curl-pipe-shell.d.ts.map

package/dist/detectors/dockerfile-curl-pipe-shell.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dockerfile-curl-pipe-shell.d.ts","sourceRoot":"","sources":["../../src/detectors/dockerfile-curl-pipe-shell.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAwB,MAAM,aAAa,CAAC;AAYlE,eAAO,MAAM,uBAAuB,EAAE,QA6BrC,CAAC"}

package/dist/detectors/dockerfile-curl-pipe-shell.js

@@ -0,0 +1,42 @@
+/**
+ * obf.dockerfile-curl-pipe-shell — Manifest detector for Dockerfiles.
+ *
+ * Flags `RUN curl|bash` and equivalents in Dockerfiles. Same shape as the
+ * GHA detector — a network download piped into a shell — but in the image
+ * build path.
+ */
+import { lineAtOffset } from "../internal/patterns.js";
+import { truncateSnippet } from "../internal/text.js";
+function isDockerfile(p) {
+    const base = p.slice(p.lastIndexOf("/") + 1);
+    return base === "Dockerfile" || base.startsWith("Dockerfile.");
+}
+const RUN_CURL_PIPE_RE = /^\s*RUN\b[^\n]{0,500}(?:curl|wget|fetch)\b[^\n]{0,200}\|\s*(?:bash|sh|zsh|python|node|perl|powershell|pwsh)\b/gm;
+export const dockerfileCurlPipeShell = {
+    id: "obf.dockerfile-curl-pipe-shell",
+    docsUrl: "https://github.com/bytebardorg/obfuscan/blob/main/docs/detectors.md#obfdockerfile-curl-pipe-shell",
+    applies(ctx) {
+        return isDockerfile(ctx.path);
+    },
+    run(ctx) {
+        const findings = [];
+        const src = ctx.source;
+        const re = new RegExp(RUN_CURL_PIPE_RE.source, RUN_CURL_PIPE_RE.flags);
+        let m;
+        while ((m = re.exec(src)) !== null) {
+            findings.push({
+                ruleId: dockerfileCurlPipeShell.id,
+                severity: "block",
+                score: 9,
+                file: ctx.path,
+                line: lineAtOffset(src, m.index),
+                snippet: truncateSnippet(m[0].trim()),
+                reason: `Dockerfile RUN pipes a network download into a shell. ` +
+                    `Pin the artifact (sha256) or fetch + verify before executing.`,
+                evidence: { command: m[0].trim() },
+            });
+        }
+        return findings;
+    },
+};
+//# sourceMappingURL=dockerfile-curl-pipe-shell.js.map

package/dist/detectors/dockerfile-curl-pipe-shell.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dockerfile-curl-pipe-shell.js","sourceRoot":"","sources":["../../src/detectors/dockerfile-curl-pipe-shell.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACvD,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEtD,SAAS,YAAY,CAAC,CAAS;IAC7B,MAAM,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;IAC7C,OAAO,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;AACjE,CAAC;AAED,MAAM,gBAAgB,GACpB,iHAAiH,CAAC;AAEpH,MAAM,CAAC,MAAM,uBAAuB,GAAa;IAC/C,EAAE,EAAE,gCAAgC;IACpC,OAAO,EAAE,mGAAmG;IAE5G,OAAO,CAAC,GAAgB;QACtB,OAAO,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAChC,CAAC;IAED,GAAG,CAAC,GAAgB;QAClB,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;QACvB,MAAM,EAAE,GAAG,IAAI,MAAM,CAAC,gBAAgB,CAAC,MAAM,EAAE,gBAAgB,CAAC,KAAK,CAAC,CAAC;QACvE,IAAI,CAAyB,CAAC;QAC9B,OAAO,CAAC,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACnC,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,uBAAuB,CAAC,EAAE;gBAClC,QAAQ,EAAE,OAAO;gBACjB,KAAK,EAAE,CAAC;gBACR,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,IAAI,EAAE,YAAY,CAAC,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC;gBAChC,OAAO,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBACrC,MAAM,EACJ,wDAAwD;oBACxD,+DAA+D;gBACjE,QAAQ,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE;aACnC,CAAC,CAAC;QACL,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC"}

package/dist/detectors/dynamic-exec-non-literal.d.ts

@@ -0,0 +1,17 @@
+/**
+ * obf.dynamic-exec-with-non-literal.<lang> — Layer B.
+ *
+ * Fires when a dynamic-exec sink is called with an argument that is not a
+ * string/numeric literal. `eval("1+1")` is uninteresting; `eval(s)` is.
+ *
+ * The "is the argument a literal?" check is a syntactic approximation: we
+ * peek at the first non-whitespace character after the sink's `(`. If it's
+ * a quote or a digit, we treat the call as literal. Anything else — including
+ * template strings with `${}` interpolation — is non-literal.
+ *
+ * Pure template strings without interpolation (e.g. `eval(\`1+1\`)`) are
+ * treated as literal and not flagged.
+ */
+import type { Detector } from "../types.js";
+export declare const dynamicExecNonLiteral: Detector;
+//# sourceMappingURL=dynamic-exec-non-literal.d.ts.map

package/dist/detectors/dynamic-exec-non-literal.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dynamic-exec-non-literal.d.ts","sourceRoot":"","sources":["../../src/detectors/dynamic-exec-non-literal.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAwC,MAAM,aAAa,CAAC;AAyClF,eAAO,MAAM,qBAAqB,EAAE,QA0DnC,CAAC"}