@obfuscan/core 0.1.0

package/dist/detectors/network-then-exec.js

@@ -0,0 +1,140 @@
+/**
+ * obf.network-then-exec.<lang> — Layer B.
+ *
+ * Fires when network IO output flows into a dynamic-exec sink. The shape:
+ *
+ *   eval(await (await fetch(url)).text())
+ *   exec(requests.get(url).text)
+ *   IEX (New-Object Net.WebClient).DownloadString($u)
+ *   eval "$(curl -s $URL)"
+ *
+ * Unlike decode-then-exec, the source of the executed string is *external*
+ * — strictly worse, because the attacker doesn't even need to be in the
+ * source tree. Always blocks.
+ */
+import { escapeRegex, lineAtOffset, MAX_FINDINGS_PER_DETECTOR, MAX_SOURCE_BYTES, namedCallAlternation, } from "../internal/patterns.js";
+import { truncateSnippet } from "../internal/text.js";
+const cache = new WeakMap();
+function candidateTokens(names) {
+    const out = [];
+    const seen = new Set();
+    for (const n of names) {
+        if (!n)
+            continue;
+        const tail = n.split(/[.\/:\s]+/).filter(Boolean).pop() ?? n;
+        const token = tail.replace(/[^A-Za-z0-9_]/g, "");
+        if (token.length < 3)
+            continue;
+        if (seen.has(token))
+            continue;
+        seen.add(token);
+        out.push(token);
+    }
+    return out;
+}
+function maybeRelevantSource(source, config) {
+    const networkTokens = candidateTokens(config.network_io ?? []);
+    const sinkTokens = candidateTokens(config.dynamic_exec_sinks);
+    const hasNetwork = networkTokens.some(t => source.includes(t));
+    if (!hasNetwork)
+        return false;
+    return sinkTokens.some(t => source.includes(t));
+}
+function compile(config) {
+    const cached = cache.get(config);
+    if (cached)
+        return cached;
+    const network = namedCallAlternation(config.network_io ?? []);
+    const sinks = namedCallAlternation(config.dynamic_exec_sinks);
+    // Direct: sink( ... network( ... ) ... )
+    // Allow some method chaining (`.text()`, `.read()`) and up to two nested
+    // call groups between the sink and the network call — e.g.
+    // `eval(await (await fetch(url)).text())`. We use [\s\S] with a bounded
+    // length cap to keep this O(n) and avoid catastrophic backtracking.
+    const direct = new RegExp(`(?:${sinks})\\s*[("\\s][\\s\\S]{0,400}?(?:${network})\\s*[("\\s]`, "g");
+    // Bash-specific: `sink "$( ... pipe-decoder/network ... )"` where the inner
+    // shell expansion contains a network command. The direct regex above can
+    // miss this because the network name is a bare word (`curl`), not a call.
+    const bashSubshell = new RegExp(`(?:${sinks})\\s+"?\\$\\([\\s\\S]{0,400}?(?:${network})\\b`, "g");
+    // Reuse `direct` as the union: tests use `direct` only, but if the language
+    // is bash we want to fall back to the subshell shape below.
+    const isShell = (config.id === "bash" || config.aliases?.includes("sh"));
+    const directUnion = isShell
+        ? new RegExp(`${direct.source}|${bashSubshell.source}`, "g")
+        : direct;
+    // Indirect: `var X = network(...);` followed by `sink(X)`.
+    const indirectAssign = new RegExp(`(?:(?:const|let|var|my|local|\\$)\\s+)?` +
+        `([A-Za-z_$][\\w$]*)` +
+        `\\s*[:=]\\s*` +
+        `(?:await\\s+)?` +
+        `(?:${network})\\s*\\(`, "g");
+    const sinkUse = (v) => new RegExp(`(?:${sinks})\\s*[("\\s][^()]{0,200}\\b${escapeRegex(v)}\\b`, "g");
+    const compiled = { direct: directUnion, indirectAssign, sinkUse };
+    cache.set(config, compiled);
+    return compiled;
+}
+export const networkThenExec = {
+    id: "obf.network-then-exec",
+    docsUrl: "https://github.com/bytebardorg/obfuscan/blob/main/docs/detectors.md#obfnetwork-then-exec",
+    applies(ctx) {
+        return (ctx.config !== null &&
+            (ctx.config.network_io?.length ?? 0) > 0 &&
+            ctx.config.dynamic_exec_sinks.length > 0 &&
+            ctx.source.length > 0 &&
+            ctx.source.length < MAX_SOURCE_BYTES &&
+            maybeRelevantSource(ctx.source, ctx.config));
+    },
+    run(ctx) {
+        if (!ctx.config)
+            return [];
+        const cfg = ctx.config;
+        const src = ctx.source;
+        const { direct, indirectAssign, sinkUse } = compile(cfg);
+        const findings = [];
+        const seen = new Set();
+        let m;
+        const directRe = new RegExp(direct.source, direct.flags);
+        while ((m = directRe.exec(src)) !== null) {
+            if (findings.length >= MAX_FINDINGS_PER_DETECTOR)
+                break;
+            const line = lineAtOffset(src, m.index);
+            if (seen.has(line))
+                continue;
+            seen.add(line);
+            findings.push(make(ctx, cfg.id, m[0], m.index, "direct"));
+        }
+        const assignRe = new RegExp(indirectAssign.source, indirectAssign.flags);
+        while ((m = assignRe.exec(src)) !== null) {
+            if (findings.length >= MAX_FINDINGS_PER_DETECTOR)
+                break;
+            const v = m[1];
+            if (!v)
+                continue;
+            const after = src.slice(m.index + m[0].length);
+            const u = sinkUse(v).exec(after);
+            if (!u)
+                continue;
+            const offset = m.index + m[0].length + u.index;
+            const line = lineAtOffset(src, offset);
+            if (seen.has(line))
+                continue;
+            seen.add(line);
+            findings.push(make(ctx, cfg.id, u[0], offset, "indirect"));
+        }
+        return findings;
+    },
+};
+function make(ctx, langId, rawSnippet, offset, flow) {
+    return {
+        ruleId: `obf.network-then-exec.${langId}`,
+        severity: "block",
+        score: 10,
+        file: ctx.path,
+        line: lineAtOffset(ctx.source, offset),
+        snippet: truncateSnippet(rawSnippet),
+        reason: `Network IO result flows into a dynamic-exec sink (${flow}). The ` +
+            `executed code is fully attacker-controlled.`,
+        evidence: { language: langId, flow },
+    };
+}
+//# sourceMappingURL=network-then-exec.js.map

package/dist/detectors/network-then-exec.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"network-then-exec.js","sourceRoot":"","sources":["../../src/detectors/network-then-exec.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAGH,OAAO,EACL,WAAW,EACX,YAAY,EACZ,yBAAyB,EACzB,gBAAgB,EAChB,oBAAoB,GACrB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAQtD,MAAM,KAAK,GAAG,IAAI,OAAO,EAA4B,CAAC;AAEtD,SAAS,eAAe,CAAC,KAAwB;IAC/C,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,IAAI,CAAC,CAAC;YAAE,SAAS;QACjB,MAAM,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAC7D,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,gBAAgB,EAAE,EAAE,CAAC,CAAC;QACjD,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;YAAE,SAAS;QAC/B,IAAI,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC;YAAE,SAAS;QAC9B,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAChB,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClB,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,mBAAmB,CAAC,MAAc,EAAE,MAAsB;IACjE,MAAM,aAAa,GAAG,eAAe,CAAC,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC;IAC/D,MAAM,UAAU,GAAG,eAAe,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC;IAC9D,MAAM,UAAU,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/D,IAAI,CAAC,UAAU;QAAE,OAAO,KAAK,CAAC;IAC9B,OAAO,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;AAClD,CAAC;AAED,SAAS,OAAO,CAAC,MAAsB;IACrC,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACjC,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAC1B,MAAM,OAAO,GAAG,oBAAoB,CAAC,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC;IAC9D,MAAM,KAAK,GAAG,oBAAoB,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC;IAE9D,yCAAyC;IACzC,yEAAyE;IACzE,2DAA2D;IAC3D,wEAAwE;IACxE,oEAAoE;IACpE,MAAM,MAAM,GAAG,IAAI,MAAM,CACvB,MAAM,KAAK,kCAAkC,OAAO,cAAc,EAClE,GAAG,CACJ,CAAC;IAEF,4EAA4E;IAC5E,yEAAyE;IACzE,0EAA0E;IAC1E,MAAM,YAAY,GAAG,IAAI,MAAM,CAC7B,MAAM,KAAK,mCAAmC,OAAO,MAAM,EAC3D,GAAG,CACJ,CAAC;IACF,4EAA4E;IAC5E,4DAA4D;IAC5D,MAAM,OAAO,GAAG,CAAC,MAAM,CAAC,EAAE,KAAK,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;IACzE,MAAM,WAAW,GAAG,OAAO;QACzB,CAAC,CAAC,IAAI,MAAM,CAAC,GAAG,MAAM,CAAC,MAAM,IAAI,YAAY,CAAC,MAAM,EAAE,EAAE,GAAG,CAAC;QAC5D,CAAC,CAAC,MAAM,CAAC;IAEX,2DAA2D;IAC3D,MAAM,cAAc,GAAG,IAAI,MAAM,CAC/B,yCAAyC;QACzC,qBAAqB;QACrB,cAAc;QACd,gBAAgB;QAChB,MAAM,OAAO,UAAU,EACvB,GAAG,CACJ,CAAC;IAEF,MAAM,OAAO,GAAG,CAAC,CAAS,EAAE,EAAE,CAC5B,IAAI,MAAM,CAAC,MAAM,KAAK,8BAA8B,WAAW,CAAC,CAAC,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAEhF,MAAM,QAAQ,GAAa,EAAE,MAAM,EAAE,WAAW,EAAE,cAAc,EAAE,OAAO,EAAE,CAAC;IAC5E,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC5B,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,CAAC,MAAM,eAAe,GAAa;IACvC,EAAE,EAAE,uBAAuB;IAC3B,OAAO,EAAE,0FAA0F;IAEnG,OAAO,CAAC,GAAgB;QACtB,OAAO,CACL,GAAG,CAAC,MAAM,KAAK,IAAI;YACnB,CAAC,GAAG,CAAC,MAAM,CAAC,UAAU,EAAE,MAAM,IAAI,CAAC,CAAC,GAAG,CAAC;YACxC,GAAG,CAAC,MAAM,CAAC,kBAAkB,CAAC,MAAM,GAAG,CAAC;YACxC,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC;YACrB,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,gBAAgB;YACpC,mBAAmB,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,CAC5C,CAAC;IACJ,CAAC;IAED,GAAG,CAAC,GAAgB;QAClB,IAAI,CAAC,GAAG,CAAC,MAAM;YAAE,OAAO,EAAE,CAAC;QAC3B,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;QACvB,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;QACvB,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;QACzD,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;QAE/B,IAAI,CAAyB,CAAC;QAC9B,MAAM,QAAQ,GAAG,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;QACzD,OAAO,CAAC,CAAC,GAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACzC,IAAI,QAAQ,CAAC,MAAM,IAAI,yBAAyB;gBAAE,MAAM;YACxD,MAAM,IAAI,GAAG,YAAY,CAAC,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;YACxC,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC;gBAAE,SAAS;YAC7B,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YACf,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC;QAC5D,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,MAAM,CAAC,cAAc,CAAC,MAAM,EAAE,cAAc,CAAC,KAAK,CAAC,CAAC;QACzE,OAAO,CAAC,CAAC,GAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACzC,IAAI,QAAQ,CAAC,MAAM,IAAI,yBAAyB;gBAAE,MAAM;YACxD,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YACf,IAAI,CAAC,CAAC;gBAAE,SAAS;YACjB,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;YAC/C,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACjC,IAAI,CAAC,CAAC;gBAAE,SAAS;YACjB,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC;YAC/C,MAAM,IAAI,GAAG,YAAY,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;YACvC,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC;gBAAE,SAAS;YAC7B,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YACf,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC;QAC7D,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC;AAEF,SAAS,IAAI,CACX,GAAgB,EAChB,MAAc,EACd,UAAkB,EAClB,MAAc,EACd,IAA2B;IAE3B,OAAO;QACL,MAAM,EAAE,yBAAyB,MAAM,EAAE;QACzC,QAAQ,EAAE,OAAO;QACjB,KAAK,EAAE,EAAE;QACT,IAAI,EAAE,GAAG,CAAC,IAAI;QACd,IAAI,EAAE,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC;QACtC,OAAO,EAAE,eAAe,CAAC,UAAU,CAAC;QACpC,MAAM,EACJ,qDAAqD,IAAI,SAAS;YAClE,6CAA6C;QAC/C,QAAQ,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE;KACrC,CAAC;AACJ,CAAC"}

package/dist/detectors/perl-makefile-side-effect.d.ts

@@ -0,0 +1,17 @@
+/**
+ * obf.perl-makefile-side-effect — Manifest detector for `Makefile.PL` and
+ * `Build.PL`.
+ *
+ * CPAN distributions ship a `Makefile.PL` (or `Build.PL`) which is executed
+ * verbatim by the user during `cpan install` / `cpanm`. The expected shape is
+ * a small declarative call to `WriteMakefile(...)` (ExtUtils::MakeMaker) or
+ * `Module::Build->new(...)->create_build_script` (Module::Build). Anything
+ * else at module scope runs on the user's machine.
+ *
+ * This detector is the Perl counterpart to `obf.python-setup-side-effect`.
+ *
+ * Severity: `block` (score 9) — same calculus as setup.py.
+ */
+import type { Detector } from "../types.js";
+export declare const perlMakefileSideEffect: Detector;
+//# sourceMappingURL=perl-makefile-side-effect.d.ts.map

package/dist/detectors/perl-makefile-side-effect.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"perl-makefile-side-effect.d.ts","sourceRoot":"","sources":["../../src/detectors/perl-makefile-side-effect.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAwB,MAAM,aAAa,CAAC;AAalE,eAAO,MAAM,sBAAsB,EAAE,QAwDpC,CAAC"}

package/dist/detectors/perl-makefile-side-effect.js

@@ -0,0 +1,72 @@
+/**
+ * obf.perl-makefile-side-effect — Manifest detector for `Makefile.PL` and
+ * `Build.PL`.
+ *
+ * CPAN distributions ship a `Makefile.PL` (or `Build.PL`) which is executed
+ * verbatim by the user during `cpan install` / `cpanm`. The expected shape is
+ * a small declarative call to `WriteMakefile(...)` (ExtUtils::MakeMaker) or
+ * `Module::Build->new(...)->create_build_script` (Module::Build). Anything
+ * else at module scope runs on the user's machine.
+ *
+ * This detector is the Perl counterpart to `obf.python-setup-side-effect`.
+ *
+ * Severity: `block` (score 9) — same calculus as setup.py.
+ */
+import { truncateSnippet } from "../internal/text.js";
+function isPerlInstaller(p) {
+    const norm = p.replace(/\\/g, "/");
+    const base = norm.slice(norm.lastIndexOf("/") + 1);
+    return base === "Makefile.PL" || base === "Build.PL";
+}
+// Suspicious shapes at module scope: network, shell-out, eval-like, decoders.
+const SUSPICIOUS_RE = /(\bsystem\s*\(|\bexec\s*\(|`[^`]*`|qx[\s({\[]|LWP::|HTTP::Tiny|IO::Socket|Net::|MIME::Base64|decode_base64|\beval\s*\{|\beval\s*['"]|use\s+inline\b)/i;
+export const perlMakefileSideEffect = {
+    id: "obf.perl-makefile-side-effect",
+    docsUrl: "https://github.com/bytebardorg/obfuscan/blob/main/docs/detectors.md#obfperl-makefile-side-effect",
+    applies(ctx) {
+        return isPerlInstaller(ctx.path);
+    },
+    run(ctx) {
+        const findings = [];
+        const lines = ctx.source.split("\n");
+        for (let i = 0; i < lines.length; i++) {
+            const raw = lines[i] ?? "";
+            // Strip trailing comments before testing.
+            const code = raw.replace(/(?<!\\)#.*$/, "");
+            if (code.trim().length === 0)
+                continue;
+            // Skip indented lines — only flag module-scope side effects. (Code
+            // inside a sub {} or block is indented in any reasonable style; this
+            // mirrors the python-setup heuristic.)
+            if (/^\s/.test(raw))
+                continue;
+            // Skip pragmas, package declarations, simple use/require, and
+            // declarative WriteMakefile / Module::Build calls.
+            if (/^\s*(?:use|no|require|package|our|my)\b/.test(code) ||
+                /^\s*(?:WriteMakefile|Module::Build)\b/.test(code) ||
+                /^\s*\)/.test(code) // tail of a multi-line call
+            ) {
+                continue;
+            }
+            if (SUSPICIOUS_RE.test(code)) {
+                findings.push({
+                    ruleId: perlMakefileSideEffect.id,
+                    severity: "block",
+                    score: 9,
+                    file: ctx.path,
+                    line: i + 1,
+                    snippet: truncateSnippet(code.trim()),
+                    reason: `${ctx.path} contains code outside the declarative ` +
+                        `\`WriteMakefile\` / \`Module::Build\` call that performs network, ` +
+                        `shell, or eval-like side effects. CPAN clients execute this file ` +
+                        `on the user's machine during \`cpan install\`.`,
+                    evidence: {},
+                });
+                // First match per file is enough to surface the issue.
+                break;
+            }
+        }
+        return findings;
+    },
+};
+//# sourceMappingURL=perl-makefile-side-effect.js.map

package/dist/detectors/perl-makefile-side-effect.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"perl-makefile-side-effect.js","sourceRoot":"","sources":["../../src/detectors/perl-makefile-side-effect.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAGH,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEtD,SAAS,eAAe,CAAC,CAAS;IAChC,MAAM,IAAI,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACnC,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;IACnD,OAAO,IAAI,KAAK,aAAa,IAAI,IAAI,KAAK,UAAU,CAAC;AACvD,CAAC;AAED,8EAA8E;AAC9E,MAAM,aAAa,GACjB,uJAAuJ,CAAC;AAE1J,MAAM,CAAC,MAAM,sBAAsB,GAAa;IAC9C,EAAE,EAAE,+BAA+B;IACnC,OAAO,EACL,kGAAkG;IAEpG,OAAO,CAAC,GAAgB;QACtB,OAAO,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACnC,CAAC;IAED,GAAG,CAAC,GAAgB;QAClB,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAErC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAC3B,0CAA0C;YAC1C,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;YAC5C,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAS;YAEvC,mEAAmE;YACnE,qEAAqE;YACrE,uCAAuC;YACvC,IAAI,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC;gBAAE,SAAS;YAE9B,8DAA8D;YAC9D,mDAAmD;YACnD,IACE,yCAAyC,CAAC,IAAI,CAAC,IAAI,CAAC;gBACpD,uCAAuC,CAAC,IAAI,CAAC,IAAI,CAAC;gBAClD,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,4BAA4B;cAChD,CAAC;gBACD,SAAS;YACX,CAAC;YAED,IAAI,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7B,QAAQ,CAAC,IAAI,CAAC;oBACZ,MAAM,EAAE,sBAAsB,CAAC,EAAE;oBACjC,QAAQ,EAAE,OAAO;oBACjB,KAAK,EAAE,CAAC;oBACR,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,IAAI,EAAE,CAAC,GAAG,CAAC;oBACX,OAAO,EAAE,eAAe,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;oBACrC,MAAM,EACJ,GAAG,GAAG,CAAC,IAAI,yCAAyC;wBACpD,oEAAoE;wBACpE,mEAAmE;wBACnE,gDAAgD;oBAClD,QAAQ,EAAE,EAAE;iBACb,CAAC,CAAC;gBACH,uDAAuD;gBACvD,MAAM;YACR,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC"}

package/dist/detectors/python-setup-side-effect.d.ts

@@ -0,0 +1,10 @@
+/**
+ * obf.python-setup-side-effect — Manifest detector for `setup.py`.
+ *
+ * Flags top-level executable code in `setup.py` other than the import,
+ * `setup(...)` call, and a small allowlist of bookkeeping. Real-world
+ * malicious `setup.py` files run network/shell side effects at install time.
+ */
+import type { Detector } from "../types.js";
+export declare const pythonSetupSideEffect: Detector;
+//# sourceMappingURL=python-setup-side-effect.d.ts.map

package/dist/detectors/python-setup-side-effect.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"python-setup-side-effect.d.ts","sourceRoot":"","sources":["../../src/detectors/python-setup-side-effect.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAwB,MAAM,aAAa,CAAC;AAelE,eAAO,MAAM,qBAAqB,EAAE,QA0EnC,CAAC"}

package/dist/detectors/python-setup-side-effect.js

@@ -0,0 +1,87 @@
+/**
+ * obf.python-setup-side-effect — Manifest detector for `setup.py`.
+ *
+ * Flags top-level executable code in `setup.py` other than the import,
+ * `setup(...)` call, and a small allowlist of bookkeeping. Real-world
+ * malicious `setup.py` files run network/shell side effects at install time.
+ */
+import { truncateSnippet } from "../internal/text.js";
+function isSetupPy(p) {
+    return p === "setup.py" || p.endsWith("/setup.py");
+}
+// Lines that are allowed at module scope without flagging.
+const ALLOWED_LINE_RE = /^(?:\s*$|\s*#|from\s+\S+\s+import\s+|import\s+\S+|setup\s*\(|\)\s*$|\s*[\w]+\s*=\s*[^=].*$)/;
+// Suspicious side-effect markers at module scope.
+const SUSPICIOUS_RE = /(urllib\.request|requests\.|httpx\.|urlretrieve|os\.system|subprocess\.|Popen|socket\.|exec\s*\(|eval\s*\(|base64\.b64decode\s*\()/;
+export const pythonSetupSideEffect = {
+    id: "obf.python-setup-side-effect",
+    docsUrl: "https://github.com/bytebardorg/obfuscan/blob/main/docs/detectors.md#obfpython-setup-side-effect",
+    applies(ctx) {
+        return isSetupPy(ctx.path);
+    },
+    run(ctx) {
+        const findings = [];
+        const lines = ctx.source.split("\n");
+        let inSetupCall = false;
+        let parenDepth = 0;
+        for (let i = 0; i < lines.length; i++) {
+            const raw = lines[i] ?? "";
+            const line = raw;
+            if (inSetupCall) {
+                for (const c of line) {
+                    if (c === "(")
+                        parenDepth++;
+                    else if (c === ")") {
+                        parenDepth--;
+                        if (parenDepth <= 0) {
+                            inSetupCall = false;
+                            parenDepth = 0;
+                            break;
+                        }
+                    }
+                }
+                continue;
+            }
+            if (/^\s*setup\s*\(/.test(line)) {
+                inSetupCall = true;
+                parenDepth = 0;
+                for (const c of line) {
+                    if (c === "(")
+                        parenDepth++;
+                    else if (c === ")")
+                        parenDepth--;
+                }
+                if (parenDepth <= 0)
+                    inSetupCall = false;
+                continue;
+            }
+            // Indented lines are inside def/class/if blocks — skip; we only flag
+            // module-scope side-effects.
+            if (/^\s/.test(line))
+                continue;
+            if (SUSPICIOUS_RE.test(line)) {
+                findings.push({
+                    ruleId: pythonSetupSideEffect.id,
+                    severity: "block",
+                    score: 9,
+                    file: ctx.path,
+                    line: i + 1,
+                    snippet: truncateSnippet(line.trim()),
+                    reason: `setup.py contains code outside the \`setup()\` call that performs ` +
+                        `network, shell, or eval-like side effects at install time. This is ` +
+                        `the canonical \`pip install\` malware shape.`,
+                    evidence: {},
+                });
+                // First match per file is enough.
+                break;
+            }
+            // Otherwise: only flag if it's a function call that's NOT in our
+            // allowlist (imports, simple assignments, comments).
+            if (!ALLOWED_LINE_RE.test(line) && /\(/.test(line)) {
+                // Skip — too noisy. The SUSPICIOUS_RE branch above is the real signal.
+            }
+        }
+        return findings;
+    },
+};
+//# sourceMappingURL=python-setup-side-effect.js.map

package/dist/detectors/python-setup-side-effect.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"python-setup-side-effect.js","sourceRoot":"","sources":["../../src/detectors/python-setup-side-effect.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEtD,SAAS,SAAS,CAAC,CAAS;IAC1B,OAAO,CAAC,KAAK,UAAU,IAAI,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACrD,CAAC;AAED,2DAA2D;AAC3D,MAAM,eAAe,GACnB,6FAA6F,CAAC;AAEhG,kDAAkD;AAClD,MAAM,aAAa,GACjB,oIAAoI,CAAC;AAEvI,MAAM,CAAC,MAAM,qBAAqB,GAAa;IAC7C,EAAE,EAAE,8BAA8B;IAClC,OAAO,EAAE,iGAAiG;IAE1G,OAAO,CAAC,GAAgB;QACtB,OAAO,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC7B,CAAC;IAED,GAAG,CAAC,GAAgB;QAClB,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACrC,IAAI,WAAW,GAAG,KAAK,CAAC;QACxB,IAAI,UAAU,GAAG,CAAC,CAAC;QAEnB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAC3B,MAAM,IAAI,GAAG,GAAG,CAAC;YAEjB,IAAI,WAAW,EAAE,CAAC;gBAChB,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;oBACrB,IAAI,CAAC,KAAK,GAAG;wBAAE,UAAU,EAAE,CAAC;yBACvB,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;wBACnB,UAAU,EAAE,CAAC;wBACb,IAAI,UAAU,IAAI,CAAC,EAAE,CAAC;4BACpB,WAAW,GAAG,KAAK,CAAC;4BACpB,UAAU,GAAG,CAAC,CAAC;4BACf,MAAM;wBACR,CAAC;oBACH,CAAC;gBACH,CAAC;gBACD,SAAS;YACX,CAAC;YAED,IAAI,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChC,WAAW,GAAG,IAAI,CAAC;gBACnB,UAAU,GAAG,CAAC,CAAC;gBACf,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;oBACrB,IAAI,CAAC,KAAK,GAAG;wBAAE,UAAU,EAAE,CAAC;yBACvB,IAAI,CAAC,KAAK,GAAG;wBAAE,UAAU,EAAE,CAAC;gBACnC,CAAC;gBACD,IAAI,UAAU,IAAI,CAAC;oBAAE,WAAW,GAAG,KAAK,CAAC;gBACzC,SAAS;YACX,CAAC;YAED,qEAAqE;YACrE,6BAA6B;YAC7B,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,SAAS;YAE/B,IAAI,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7B,QAAQ,CAAC,IAAI,CAAC;oBACZ,MAAM,EAAE,qBAAqB,CAAC,EAAE;oBAChC,QAAQ,EAAE,OAAO;oBACjB,KAAK,EAAE,CAAC;oBACR,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,IAAI,EAAE,CAAC,GAAG,CAAC;oBACX,OAAO,EAAE,eAAe,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;oBACrC,MAAM,EACJ,oEAAoE;wBACpE,qEAAqE;wBACrE,8CAA8C;oBAChD,QAAQ,EAAE,EAAE;iBACb,CAAC,CAAC;gBACH,kCAAkC;gBAClC,MAAM;YACR,CAAC;YAED,iEAAiE;YACjE,qDAAqD;YACrD,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACnD,uEAAuE;YACzE,CAAC;QACH,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC"}

package/dist/detectors/shell-untrusted-input.d.ts

@@ -0,0 +1,10 @@
+/**
+ * obf.shell-with-untrusted-input.<lang> — Layer B.
+ *
+ * Fires when a shell-exec sink (`child_process.exec`, `os.system`,
+ * `Runtime.exec`, …) receives an argument built via string interpolation
+ * or concatenation. Static-string commands are not flagged.
+ */
+import type { Detector } from "../types.js";
+export declare const shellUntrustedInput: Detector;
+//# sourceMappingURL=shell-untrusted-input.d.ts.map

package/dist/detectors/shell-untrusted-input.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"shell-untrusted-input.d.ts","sourceRoot":"","sources":["../../src/detectors/shell-untrusted-input.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAwC,MAAM,aAAa,CAAC;AAmClF,eAAO,MAAM,mBAAmB,EAAE,QA6CjC,CAAC"}

package/dist/detectors/shell-untrusted-input.js

@@ -0,0 +1,76 @@
+/**
+ * obf.shell-with-untrusted-input.<lang> — Layer B.
+ *
+ * Fires when a shell-exec sink (`child_process.exec`, `os.system`,
+ * `Runtime.exec`, …) receives an argument built via string interpolation
+ * or concatenation. Static-string commands are not flagged.
+ */
+import { lineAtOffset, MAX_FINDINGS_PER_DETECTOR, MAX_SOURCE_BYTES, namedCallAlternation, } from "../internal/patterns.js";
+import { truncateSnippet } from "../internal/text.js";
+// Heuristic markers that the argument is built dynamically.
+//   ${...}     — JS template / shell expansion
+//   `..${`     — JS template start
+//   f"..{..}"  — Python f-string with placeholder
+//   "..%s.."   — printf-style
+//   .. + ..    — concatenation (followed by an identifier)
+//   $variable  — shell/perl/php interpolation
+const DYNAMIC_ARG_RE = /(\$\{[^}]+\}|`[^`]*\$\{|f["'][^"']*\{[^}]+\}|"[^"]*%[sdif]"|\+\s*[A-Za-z_$][\w$]*|\$[A-Za-z_]\w*)/;
+const cache = new WeakMap();
+function compile(config) {
+    if (cache.has(config))
+        return cache.get(config) ?? null;
+    const list = config.shell_exec ?? [];
+    if (list.length === 0) {
+        cache.set(config, null);
+        return null;
+    }
+    const alt = namedCallAlternation(list);
+    // Capture sink + the first 80 chars of arguments
+    const re = new RegExp(`(?:^|[^A-Za-z0-9_$])((?:${alt}))\\s*\\(([^)\\n]{0,200})`, "g");
+    cache.set(config, re);
+    return re;
+}
+export const shellUntrustedInput = {
+    id: "obf.shell-with-untrusted-input",
+    docsUrl: "https://github.com/bytebardorg/obfuscan/blob/main/docs/detectors.md#obfshell-with-untrusted-input",
+    applies(ctx) {
+        return (ctx.config !== null &&
+            (ctx.config.shell_exec?.length ?? 0) > 0 &&
+            ctx.source.length > 0 &&
+            ctx.source.length < MAX_SOURCE_BYTES);
+    },
+    run(ctx) {
+        if (!ctx.config)
+            return [];
+        const cfg = ctx.config;
+        const re = compile(cfg);
+        if (!re)
+            return [];
+        const findings = [];
+        const local = new RegExp(re.source, re.flags);
+        let m;
+        while ((m = local.exec(ctx.source)) !== null) {
+            if (findings.length >= MAX_FINDINGS_PER_DETECTOR)
+                break;
+            const name = m[1] ?? "";
+            const args = m[2] ?? "";
+            if (!DYNAMIC_ARG_RE.test(args))
+                continue;
+            const offset = m.index + (m[0].length - args.length);
+            findings.push({
+                ruleId: `obf.shell-with-untrusted-input.${cfg.id}`,
+                severity: "warn",
+                score: 7,
+                file: ctx.path,
+                line: lineAtOffset(ctx.source, offset),
+                snippet: truncateSnippet(`${name}(${args}`),
+                reason: `Shell-exec sink \`${name}\` called with an interpolated/concatenated ` +
+                    `argument. Confirm any user input is escaped or routed through an ` +
+                    `arg-array form.`,
+                evidence: { language: cfg.id, sink: name },
+            });
+        }
+        return findings;
+    },
+};
+//# sourceMappingURL=shell-untrusted-input.js.map

package/dist/detectors/shell-untrusted-input.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"shell-untrusted-input.js","sourceRoot":"","sources":["../../src/detectors/shell-untrusted-input.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EACL,YAAY,EACZ,yBAAyB,EACzB,gBAAgB,EAChB,oBAAoB,GACrB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEtD,4DAA4D;AAC5D,+CAA+C;AAC/C,mCAAmC;AACnC,kDAAkD;AAClD,8BAA8B;AAC9B,2DAA2D;AAC3D,8CAA8C;AAC9C,MAAM,cAAc,GAClB,mGAAmG,CAAC;AAEtG,MAAM,KAAK,GAAG,IAAI,OAAO,EAAiC,CAAC;AAE3D,SAAS,OAAO,CAAC,MAAsB;IACrC,IAAI,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC;IACxD,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC;IACrC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QACxB,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,GAAG,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAC;IACvC,iDAAiD;IACjD,MAAM,EAAE,GAAG,IAAI,MAAM,CAAC,2BAA2B,GAAG,2BAA2B,EAAE,GAAG,CAAC,CAAC;IACtF,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACtB,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,MAAM,CAAC,MAAM,mBAAmB,GAAa;IAC3C,EAAE,EAAE,gCAAgC;IACpC,OAAO,EAAE,mGAAmG;IAE5G,OAAO,CAAC,GAAgB;QACtB,OAAO,CACL,GAAG,CAAC,MAAM,KAAK,IAAI;YACnB,CAAC,GAAG,CAAC,MAAM,CAAC,UAAU,EAAE,MAAM,IAAI,CAAC,CAAC,GAAG,CAAC;YACxC,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC;YACrB,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,gBAAgB,CACrC,CAAC;IACJ,CAAC;IAED,GAAG,CAAC,GAAgB;QAClB,IAAI,CAAC,GAAG,CAAC,MAAM;YAAE,OAAO,EAAE,CAAC;QAC3B,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;QACvB,MAAM,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;QACxB,IAAI,CAAC,EAAE;YAAE,OAAO,EAAE,CAAC;QAEnB,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC;QAC9C,IAAI,CAAyB,CAAC;QAC9B,OAAO,CAAC,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC7C,IAAI,QAAQ,CAAC,MAAM,IAAI,yBAAyB;gBAAE,MAAM;YACxD,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACxB,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACxB,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,SAAS;YAEzC,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;YACrD,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,kCAAkC,GAAG,CAAC,EAAE,EAAE;gBAClD,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,CAAC;gBACR,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,IAAI,EAAE,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC;gBACtC,OAAO,EAAE,eAAe,CAAC,GAAG,IAAI,IAAI,IAAI,EAAE,CAAC;gBAC3C,MAAM,EACJ,qBAAqB,IAAI,8CAA8C;oBACvE,mEAAmE;oBACnE,iBAAiB;gBACnB,QAAQ,EAAE,EAAE,QAAQ,EAAE,GAAG,CAAC,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE;aAC3C,CAAC,CAAC;QACL,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC"}

package/dist/detectors/string-array-decoder.d.ts

@@ -0,0 +1,15 @@
+/**
+ * obf.string-array-decoder.<lang> — Layer B.
+ *
+ * Two-step pattern: a high-entropy string array AND a decoder/sink wired to
+ * it in the same file. This is the structural fingerprint of obfuscator.io
+ * output beyond the lexical fingerprint of `encoded-array-fingerprint`.
+ *
+ * To fire, the file must contain BOTH:
+ *   - A long array of base64-shaped string literals (≥16 elements), AND
+ *   - A decoder call from the language config in the same file
+ *   - A dynamic-exec sink call from the language config in the same file
+ */
+import type { Detector } from "../types.js";
+export declare const stringArrayDecoder: Detector;
+//# sourceMappingURL=string-array-decoder.d.ts.map

package/dist/detectors/string-array-decoder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"string-array-decoder.d.ts","sourceRoot":"","sources":["../../src/detectors/string-array-decoder.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAwC,MAAM,aAAa,CAAC;AA8BlF,eAAO,MAAM,kBAAkB,EAAE,QA8ChC,CAAC"}

package/dist/detectors/string-array-decoder.js

@@ -0,0 +1,70 @@
+/**
+ * obf.string-array-decoder.<lang> — Layer B.
+ *
+ * Two-step pattern: a high-entropy string array AND a decoder/sink wired to
+ * it in the same file. This is the structural fingerprint of obfuscator.io
+ * output beyond the lexical fingerprint of `encoded-array-fingerprint`.
+ *
+ * To fire, the file must contain BOTH:
+ *   - A long array of base64-shaped string literals (≥16 elements), AND
+ *   - A decoder call from the language config in the same file
+ *   - A dynamic-exec sink call from the language config in the same file
+ */
+import { lineAtOffset, MAX_FINDINGS_PER_DETECTOR, MAX_SOURCE_BYTES, namedCallAlternation, } from "../internal/patterns.js";
+import { truncateSnippet } from "../internal/text.js";
+const ARRAY_RE = /\[\s*((?:"[^"\n]{4,}"|'[^'\n]{4,}')(?:\s*,\s*(?:"[^"\n]{4,}"|'[^'\n]{4,}')){15,})\s*\]/g;
+const cache = new WeakMap();
+function compile(config) {
+    const cached = cache.get(config);
+    if (cached)
+        return cached;
+    const compiled = {
+        decoder: new RegExp(`(?:${namedCallAlternation(config.decoders)})\\s*\\(`, "g"),
+        sink: new RegExp(`(?:${namedCallAlternation(config.dynamic_exec_sinks)})\\s*\\(`, "g"),
+    };
+    cache.set(config, compiled);
+    return compiled;
+}
+export const stringArrayDecoder = {
+    id: "obf.string-array-decoder",
+    docsUrl: "https://github.com/bytebardorg/obfuscan/blob/main/docs/detectors.md#obfstring-array-decoder",
+    applies(ctx) {
+        return (ctx.config !== null &&
+            ctx.config.decoders.length > 0 &&
+            ctx.config.dynamic_exec_sinks.length > 0 &&
+            ctx.source.length > 0 &&
+            ctx.source.length < MAX_SOURCE_BYTES);
+    },
+    run(ctx) {
+        if (!ctx.config)
+            return [];
+        const src = ctx.source;
+        const { decoder, sink } = compile(ctx.config);
+        const arrRe = new RegExp(ARRAY_RE.source, ARRAY_RE.flags);
+        const arrayMatch = arrRe.exec(src);
+        if (!arrayMatch)
+            return [];
+        const decRe = new RegExp(decoder.source, decoder.flags);
+        if (!decRe.exec(src))
+            return [];
+        const sinkRe = new RegExp(sink.source, sink.flags);
+        if (!sinkRe.exec(src))
+            return [];
+        const findings = [];
+        if (findings.length >= MAX_FINDINGS_PER_DETECTOR)
+            return findings;
+        findings.push({
+            ruleId: `obf.string-array-decoder.${ctx.config.id}`,
+            severity: "block",
+            score: 9,
+            file: ctx.path,
+            line: lineAtOffset(src, arrayMatch.index),
+            snippet: truncateSnippet(arrayMatch[0]),
+            reason: `String-array + decoder + dynamic-exec sink present in the same file. ` +
+                `This is the obfuscator.io / javascript-obfuscator structural fingerprint.`,
+            evidence: { language: ctx.config.id },
+        });
+        return findings;
+    },
+};
+//# sourceMappingURL=string-array-decoder.js.map

package/dist/detectors/string-array-decoder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"string-array-decoder.js","sourceRoot":"","sources":["../../src/detectors/string-array-decoder.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,EACL,YAAY,EACZ,yBAAyB,EACzB,gBAAgB,EAChB,oBAAoB,GACrB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEtD,MAAM,QAAQ,GACZ,yFAAyF,CAAC;AAO5F,MAAM,KAAK,GAAG,IAAI,OAAO,EAA4B,CAAC;AAEtD,SAAS,OAAO,CAAC,MAAsB;IACrC,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACjC,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAC1B,MAAM,QAAQ,GAAa;QACzB,OAAO,EAAE,IAAI,MAAM,CAAC,MAAM,oBAAoB,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,EAAE,GAAG,CAAC;QAC/E,IAAI,EAAE,IAAI,MAAM,CAAC,MAAM,oBAAoB,CAAC,MAAM,CAAC,kBAAkB,CAAC,UAAU,EAAE,GAAG,CAAC;KACvF,CAAC;IACF,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC5B,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,CAAC,MAAM,kBAAkB,GAAa;IAC1C,EAAE,EAAE,0BAA0B;IAC9B,OAAO,EAAE,6FAA6F;IAEtG,OAAO,CAAC,GAAgB;QACtB,OAAO,CACL,GAAG,CAAC,MAAM,KAAK,IAAI;YACnB,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC;YAC9B,GAAG,CAAC,MAAM,CAAC,kBAAkB,CAAC,MAAM,GAAG,CAAC;YACxC,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC;YACrB,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,gBAAgB,CACrC,CAAC;IACJ,CAAC;IAED,GAAG,CAAC,GAAgB;QAClB,IAAI,CAAC,GAAG,CAAC,MAAM;YAAE,OAAO,EAAE,CAAC;QAC3B,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;QACvB,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAE9C,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC;QAC1D,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACnC,IAAI,CAAC,UAAU;YAAE,OAAO,EAAE,CAAC;QAE3B,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;QACxD,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC;YAAE,OAAO,EAAE,CAAC;QAEhC,MAAM,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;QACnD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;YAAE,OAAO,EAAE,CAAC;QAEjC,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,IAAI,QAAQ,CAAC,MAAM,IAAI,yBAAyB;YAAE,OAAO,QAAQ,CAAC;QAElE,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,4BAA4B,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE;YACnD,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,CAAC;YACR,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,IAAI,EAAE,YAAY,CAAC,GAAG,EAAE,UAAU,CAAC,KAAK,CAAC;YACzC,OAAO,EAAE,eAAe,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;YACvC,MAAM,EACJ,uEAAuE;gBACvE,2EAA2E;YAC7E,QAAQ,EAAE,EAAE,QAAQ,EAAE,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE;SACtC,CAAC,CAAC;QACH,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC"}

package/dist/detectors/suspicious-io-cluster.d.ts

@@ -0,0 +1,11 @@
+/**
+ * obf.suspicious-io-cluster.<lang> — Layer B.
+ *
+ * Fires when a single file *both* reads from a known-secrets path
+ * (~/.npmrc, ~/.aws/credentials, ~/.ssh/id_*, etc.) *and* makes an
+ * outbound network call. The cluster is the signal — either alone is
+ * usually benign.
+ */
+import type { Detector } from "../types.js";
+export declare const suspiciousIoCluster: Detector;
+//# sourceMappingURL=suspicious-io-cluster.d.ts.map

package/dist/detectors/suspicious-io-cluster.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"suspicious-io-cluster.d.ts","sourceRoot":"","sources":["../../src/detectors/suspicious-io-cluster.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAwC,MAAM,aAAa,CAAC;AAoClF,eAAO,MAAM,mBAAmB,EAAE,QA+DjC,CAAC"}