@trailofbits/vsix-audit 0.1.0

package/dist/scanner/vsix.test.js

@@ -0,0 +1,355 @@
+import { mkdir, rm, writeFile } from "node:fs/promises";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { deflateRawSync } from "node:zlib";
+import { describe, expect, it, beforeAll, afterAll } from "vitest";
+import { computeSha256, extractVsix, loadDirectory, loadExtension } from "./vsix.js";
+/**
+ * Create a minimal ZIP file buffer for testing.
+ * Supports data descriptors (bit 3) which cause local header sizes to be 0.
+ */
+function createTestZip(files, options = {}) {
+    const { useDataDescriptor = false } = options;
+    const chunks = [];
+    const centralDirEntries = [];
+    for (const file of files) {
+        const localHeaderOffset = chunks.reduce((sum, buf) => sum + buf.length, 0);
+        const content = Buffer.from(file.content, "utf8");
+        const compressed = deflateRawSync(content);
+        const fileName = Buffer.from(file.name, "utf8");
+        // General purpose bit flag: bit 3 = data descriptor follows compressed data
+        const gpBitFlag = useDataDescriptor ? 0x0008 : 0x0000;
+        // Local file header (30 bytes + filename)
+        const localHeader = Buffer.alloc(30 + fileName.length);
+        localHeader.writeUInt32LE(0x04034b50, 0); // signature
+        localHeader.writeUInt16LE(20, 4); // version needed
+        localHeader.writeUInt16LE(gpBitFlag, 6); // general purpose bit flag
+        localHeader.writeUInt16LE(8, 8); // compression method (deflate)
+        localHeader.writeUInt16LE(0, 10); // mod time
+        localHeader.writeUInt16LE(0, 12); // mod date
+        // CRC and sizes: 0 if data descriptor, actual values otherwise
+        if (useDataDescriptor) {
+            localHeader.writeUInt32LE(0, 14); // crc32 = 0
+            localHeader.writeUInt32LE(0, 18); // compressed size = 0
+            localHeader.writeUInt32LE(0, 22); // uncompressed size = 0
+        }
+        else {
+            localHeader.writeUInt32LE(crc32(content), 14);
+            localHeader.writeUInt32LE(compressed.length, 18);
+            localHeader.writeUInt32LE(content.length, 22);
+        }
+        localHeader.writeUInt16LE(fileName.length, 26);
+        localHeader.writeUInt16LE(0, 28); // extra field length
+        fileName.copy(localHeader, 30);
+        chunks.push(localHeader);
+        // Compressed data
+        chunks.push(compressed);
+        // Data descriptor (if bit 3 set) - 16 bytes with signature
+        if (useDataDescriptor) {
+            const dataDesc = Buffer.alloc(16);
+            dataDesc.writeUInt32LE(0x08074b50, 0); // signature (optional but common)
+            dataDesc.writeUInt32LE(crc32(content), 4);
+            dataDesc.writeUInt32LE(compressed.length, 8);
+            dataDesc.writeUInt32LE(content.length, 12);
+            chunks.push(dataDesc);
+        }
+        // Central directory entry (46 bytes + filename)
+        const cdEntry = Buffer.alloc(46 + fileName.length);
+        cdEntry.writeUInt32LE(0x02014b50, 0); // signature
+        cdEntry.writeUInt16LE(20, 4); // version made by
+        cdEntry.writeUInt16LE(20, 6); // version needed
+        cdEntry.writeUInt16LE(gpBitFlag, 8); // general purpose bit flag
+        cdEntry.writeUInt16LE(8, 10); // compression method
+        cdEntry.writeUInt16LE(0, 12); // mod time
+        cdEntry.writeUInt16LE(0, 14); // mod date
+        cdEntry.writeUInt32LE(crc32(content), 16); // crc32 (always correct in CD)
+        cdEntry.writeUInt32LE(compressed.length, 20); // compressed size (always correct)
+        cdEntry.writeUInt32LE(content.length, 24); // uncompressed size (always correct)
+        cdEntry.writeUInt16LE(fileName.length, 28);
+        cdEntry.writeUInt16LE(0, 30); // extra field length
+        cdEntry.writeUInt16LE(0, 32); // comment length
+        cdEntry.writeUInt16LE(0, 34); // disk number start
+        cdEntry.writeUInt16LE(0, 36); // internal file attributes
+        cdEntry.writeUInt32LE(0, 38); // external file attributes
+        cdEntry.writeUInt32LE(localHeaderOffset, 42); // relative offset of local header
+        fileName.copy(cdEntry, 46);
+        centralDirEntries.push(cdEntry);
+    }
+    const cdOffset = chunks.reduce((sum, buf) => sum + buf.length, 0);
+    const cdSize = centralDirEntries.reduce((sum, buf) => sum + buf.length, 0);
+    // Add central directory entries
+    chunks.push(...centralDirEntries);
+    // End of central directory (22 bytes)
+    const eocd = Buffer.alloc(22);
+    eocd.writeUInt32LE(0x06054b50, 0); // signature
+    eocd.writeUInt16LE(0, 4); // disk number
+    eocd.writeUInt16LE(0, 6); // disk with CD
+    eocd.writeUInt16LE(files.length, 8); // entries on this disk
+    eocd.writeUInt16LE(files.length, 10); // total entries
+    eocd.writeUInt32LE(cdSize, 12); // size of CD
+    eocd.writeUInt32LE(cdOffset, 16); // offset to CD
+    eocd.writeUInt16LE(0, 20); // comment length
+    chunks.push(eocd);
+    return Buffer.concat(chunks);
+}
+/**
+ * Simple CRC32 implementation for test ZIP creation.
+ */
+function crc32(data) {
+    let crc = 0xffffffff;
+    for (const byte of data) {
+        crc ^= byte;
+        for (let i = 0; i < 8; i++) {
+            crc = crc & 1 ? (crc >>> 1) ^ 0xedb88320 : crc >>> 1;
+        }
+    }
+    return (crc ^ 0xffffffff) >>> 0;
+}
+describe("computeSha256", () => {
+    it("computes correct hash for buffer", () => {
+        const content = Buffer.from("test content");
+        const hash = computeSha256(content);
+        expect(hash).toMatch(/^[a-f0-9]{64}$/);
+        expect(hash).toBe("6ae8a75555209fd6c44157c0aed8016e763ff435a19cf186f76863140143ff72");
+    });
+    it("returns different hashes for different content", () => {
+        const hash1 = computeSha256(Buffer.from("content1"));
+        const hash2 = computeSha256(Buffer.from("content2"));
+        expect(hash1).not.toBe(hash2);
+    });
+});
+describe("loadDirectory", () => {
+    const testDir = join(tmpdir(), `vsix-audit-test-${Date.now()}`);
+    beforeAll(async () => {
+        await mkdir(testDir, { recursive: true });
+        await mkdir(join(testDir, "src"), { recursive: true });
+        const manifest = {
+            name: "test-extension",
+            publisher: "test-publisher",
+            version: "1.0.0",
+            main: "./src/extension.js",
+            activationEvents: ["onCommand:test.command"],
+        };
+        await writeFile(join(testDir, "package.json"), JSON.stringify(manifest, null, 2));
+        await writeFile(join(testDir, "src", "extension.js"), 'console.log("hello");');
+        await writeFile(join(testDir, "README.md"), "# Test Extension");
+    });
+    afterAll(async () => {
+        await rm(testDir, { recursive: true, force: true });
+    });
+    it("loads extension from directory", async () => {
+        const contents = await loadDirectory(testDir);
+        expect(contents.manifest.name).toBe("test-extension");
+        expect(contents.manifest.publisher).toBe("test-publisher");
+        expect(contents.manifest.version).toBe("1.0.0");
+        expect(contents.basePath).toBe(testDir);
+    });
+    it("loads all files from directory", async () => {
+        const contents = await loadDirectory(testDir);
+        expect(contents.files.has("package.json")).toBe(true);
+        expect(contents.files.has("src/extension.js")).toBe(true);
+        expect(contents.files.has("README.md")).toBe(true);
+    });
+    it("excludes node_modules and .git directories", async () => {
+        // Create node_modules and .git directories
+        await mkdir(join(testDir, "node_modules", "dep"), { recursive: true });
+        await mkdir(join(testDir, ".git", "objects"), { recursive: true });
+        await writeFile(join(testDir, "node_modules", "dep", "index.js"), "module.exports = {};");
+        await writeFile(join(testDir, ".git", "objects", "abc"), "git object");
+        const contents = await loadDirectory(testDir);
+        // Should not include node_modules or .git files
+        expect([...contents.files.keys()].some((f) => f.includes("node_modules"))).toBe(false);
+        expect([...contents.files.keys()].some((f) => f.includes(".git"))).toBe(false);
+    });
+    it("throws error for directory without package.json", async () => {
+        const emptyDir = join(tmpdir(), `vsix-audit-empty-${Date.now()}`);
+        await mkdir(emptyDir, { recursive: true });
+        try {
+            await expect(loadDirectory(emptyDir)).rejects.toThrow("missing package.json");
+        }
+        finally {
+            await rm(emptyDir, { recursive: true, force: true });
+        }
+    });
+});
+describe("loadExtension", () => {
+    const testDir = join(tmpdir(), `vsix-audit-load-test-${Date.now()}`);
+    beforeAll(async () => {
+        await mkdir(testDir, { recursive: true });
+        const manifest = {
+            name: "load-test",
+            publisher: "test",
+            version: "2.0.0",
+        };
+        await writeFile(join(testDir, "package.json"), JSON.stringify(manifest));
+    });
+    afterAll(async () => {
+        await rm(testDir, { recursive: true, force: true });
+    });
+    it("loads directory when target is a directory", async () => {
+        const contents = await loadExtension(testDir);
+        expect(contents.manifest.name).toBe("load-test");
+        expect(contents.manifest.version).toBe("2.0.0");
+    });
+    it("throws error for unsupported file type", async () => {
+        const invalidFile = join(tmpdir(), "invalid.txt");
+        await writeFile(invalidFile, "not a vsix");
+        try {
+            await expect(loadExtension(invalidFile)).rejects.toThrow("Unsupported target");
+        }
+        finally {
+            await rm(invalidFile, { force: true });
+        }
+    });
+});
+describe("extractVsix", () => {
+    it("extracts standard ZIP without data descriptors", async () => {
+        const manifest = JSON.stringify({
+            name: "test-ext",
+            publisher: "test",
+            version: "1.0.0",
+        });
+        const zipBuffer = createTestZip([
+            { name: "extension/package.json", content: manifest },
+            { name: "extension/main.js", content: 'console.log("hello");' },
+        ], { useDataDescriptor: false });
+        const vsixPath = join(tmpdir(), `test-standard-${Date.now()}.vsix`);
+        await writeFile(vsixPath, zipBuffer);
+        try {
+            const contents = await extractVsix(vsixPath);
+            expect(contents.manifest.name).toBe("test-ext");
+            expect(contents.manifest.version).toBe("1.0.0");
+            expect(contents.files.has("package.json")).toBe(true);
+            expect(contents.files.has("main.js")).toBe(true);
+            expect(contents.files.get("main.js")?.toString()).toBe('console.log("hello");');
+        }
+        finally {
+            await rm(vsixPath, { force: true });
+        }
+    });
+    it("extracts ZIP with data descriptors (bit 3 set)", async () => {
+        const manifest = JSON.stringify({
+            name: "data-desc-ext",
+            publisher: "test",
+            version: "2.0.0",
+        });
+        const zipBuffer = createTestZip([
+            { name: "extension/package.json", content: manifest },
+            { name: "extension/src/index.js", content: "export default function() {}" },
+        ], { useDataDescriptor: true });
+        const vsixPath = join(tmpdir(), `test-datadesc-${Date.now()}.vsix`);
+        await writeFile(vsixPath, zipBuffer);
+        try {
+            const contents = await extractVsix(vsixPath);
+            expect(contents.manifest.name).toBe("data-desc-ext");
+            expect(contents.manifest.version).toBe("2.0.0");
+            expect(contents.files.has("package.json")).toBe(true);
+            expect(contents.files.has("src/index.js")).toBe(true);
+            expect(contents.files.get("src/index.js")?.toString()).toBe("export default function() {}");
+        }
+        finally {
+            await rm(vsixPath, { force: true });
+        }
+    });
+    it("handles large files with data descriptors", async () => {
+        const manifest = JSON.stringify({
+            name: "large-file-ext",
+            publisher: "test",
+            version: "3.0.0",
+        });
+        // Create a larger file to ensure compression works correctly
+        const largeContent = "x".repeat(10000) + "\n" + "y".repeat(10000);
+        const zipBuffer = createTestZip([
+            { name: "extension/package.json", content: manifest },
+            { name: "extension/large.txt", content: largeContent },
+        ], { useDataDescriptor: true });
+        const vsixPath = join(tmpdir(), `test-large-${Date.now()}.vsix`);
+        await writeFile(vsixPath, zipBuffer);
+        try {
+            const contents = await extractVsix(vsixPath);
+            expect(contents.manifest.name).toBe("large-file-ext");
+            expect(contents.files.has("large.txt")).toBe(true);
+            expect(contents.files.get("large.txt")?.toString()).toBe(largeContent);
+        }
+        finally {
+            await rm(vsixPath, { force: true });
+        }
+    });
+    it("throws on invalid ZIP without EOCD", async () => {
+        const invalidZip = Buffer.from("not a valid zip file");
+        const vsixPath = join(tmpdir(), `test-invalid-${Date.now()}.vsix`);
+        await writeFile(vsixPath, invalidZip);
+        try {
+            await expect(extractVsix(vsixPath)).rejects.toThrow("End of central directory not found");
+        }
+        finally {
+            await rm(vsixPath, { force: true });
+        }
+    });
+    it("throws on ZIP missing package.json", async () => {
+        const zipBuffer = createTestZip([{ name: "extension/readme.md", content: "# Hello" }], {
+            useDataDescriptor: false,
+        });
+        const vsixPath = join(tmpdir(), `test-nomanifest-${Date.now()}.vsix`);
+        await writeFile(vsixPath, zipBuffer);
+        try {
+            await expect(extractVsix(vsixPath)).rejects.toThrow("missing package.json");
+        }
+        finally {
+            await rm(vsixPath, { force: true });
+        }
+    });
+    it("extracts ZIP with non-standard prefix (not extension/)", async () => {
+        const manifest = JSON.stringify({
+            name: "weird-prefix-ext",
+            publisher: "test",
+            version: "1.0.0",
+        });
+        const zipBuffer = createTestZip([
+            { name: "weird-prefix-ext-1.0.0/package.json", content: manifest },
+            { name: "weird-prefix-ext-1.0.0/main.js", content: 'console.log("hello");' },
+        ], { useDataDescriptor: false });
+        const vsixPath = join(tmpdir(), `test-weird-prefix-${Date.now()}.vsix`);
+        await writeFile(vsixPath, zipBuffer);
+        try {
+            const contents = await extractVsix(vsixPath);
+            expect(contents.manifest.name).toBe("weird-prefix-ext");
+            expect(contents.manifest.version).toBe("1.0.0");
+            expect(contents.files.has("package.json")).toBe(true);
+            expect(contents.files.has("main.js")).toBe(true);
+        }
+        finally {
+            await rm(vsixPath, { force: true });
+        }
+    });
+    it("extracts ZIP with publisher.name-version prefix pattern", async () => {
+        const manifest = JSON.stringify({
+            name: "theme-allhallowseve-remake",
+            publisher: "priskinski",
+            version: "1.0.0",
+        });
+        const zipBuffer = createTestZip([
+            {
+                name: "priskinski.theme-allhallowseve-remake-1.0.0/package.json",
+                content: manifest,
+            },
+            {
+                name: "priskinski.theme-allhallowseve-remake-1.0.0/node_modules/evil/index.js",
+                content: 'require("child_process").exec("malware");',
+            },
+        ], { useDataDescriptor: false });
+        const vsixPath = join(tmpdir(), `test-malformed-prefix-${Date.now()}.vsix`);
+        await writeFile(vsixPath, zipBuffer);
+        try {
+            const contents = await extractVsix(vsixPath);
+            expect(contents.manifest.name).toBe("theme-allhallowseve-remake");
+            expect(contents.manifest.publisher).toBe("priskinski");
+            expect(contents.files.has("package.json")).toBe(true);
+            expect(contents.files.has("node_modules/evil/index.js")).toBe(true);
+        }
+        finally {
+            await rm(vsixPath, { force: true });
+        }
+    });
+});
+//# sourceMappingURL=vsix.test.js.map

package/dist/scanner/vsix.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vsix.test.js","sourceRoot":"","sources":["../../src/scanner/vsix.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AACxD,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAC3C,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAC;AACnE,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAErF;;;GAGG;AACH,SAAS,aAAa,CACpB,KAA+C,EAC/C,UAA2C,EAAE;IAE7C,MAAM,EAAE,iBAAiB,GAAG,KAAK,EAAE,GAAG,OAAO,CAAC;IAC9C,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,iBAAiB,GAAa,EAAE,CAAC;IAEvC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,iBAAiB,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,GAAG,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QAC3E,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAClD,MAAM,UAAU,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;QAC3C,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAEhD,4EAA4E;QAC5E,MAAM,SAAS,GAAG,iBAAiB,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC;QAEtD,0CAA0C;QAC1C,MAAM,WAAW,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC;QACvD,WAAW,CAAC,aAAa,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,CAAC,YAAY;QACtD,WAAW,CAAC,aAAa,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,iBAAiB;QACnD,WAAW,CAAC,aAAa,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,CAAC,2BAA2B;QACpE,WAAW,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,+BAA+B;QAChE,WAAW,CAAC,aAAa,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW;QAC7C,WAAW,CAAC,aAAa,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW;QAC7C,+DAA+D;QAC/D,IAAI,iBAAiB,EAAE,CAAC;YACtB,WAAW,CAAC,aAAa,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY;YAC9C,WAAW,CAAC,aAAa,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,sBAAsB;YACxD,WAAW,CAAC,aAAa,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,wBAAwB;QAC5D,CAAC;aAAM,CAAC;YACN,WAAW,CAAC,aAAa,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,EAAE,CAAC,CAAC;YAC9C,WAAW,CAAC,aAAa,CAAC,UAAU,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;YACjD,WAAW,CAAC,aAAa,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAChD,CAAC;QACD,WAAW,CAAC,aAAa,CAAC,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAC/C,WAAW,CAAC,aAAa,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,qBAAqB;QACvD,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;QAC/B,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAEzB,kBAAkB;QAClB,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAExB,2DAA2D;QAC3D,IAAI,iBAAiB,EAAE,CAAC;YACtB,MAAM,QAAQ,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAClC,QAAQ,CAAC,aAAa,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,CAAC,kCAAkC;YACzE,QAAQ,CAAC,aAAa,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC;YAC1C,QAAQ,CAAC,aAAa,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;YAC7C,QAAQ,CAAC,aAAa,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;YAC3C,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACxB,CAAC;QAED,gDAAgD;QAChD,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC;QACnD,OAAO,CAAC,aAAa,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,CAAC,YAAY;QAClD,OAAO,CAAC,aAAa,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,kBAAkB;QAChD,OAAO,CAAC,aAAa,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,iBAAiB;QAC/C,OAAO,CAAC,aAAa,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,CAAC,2BAA2B;QAChE,OAAO,CAAC,aAAa,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,qBAAqB;QACnD,OAAO,CAAC,aAAa,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW;QACzC,OAAO,CAAC,aAAa,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW;QACzC,OAAO,CAAC,aAAa,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,+BAA+B;QAC1E,OAAO,CAAC,aAAa,CAAC,UAAU,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC,mCAAmC;QACjF,OAAO,CAAC,aAAa,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC,qCAAqC;QAChF,OAAO,CAAC,aAAa,CAAC,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAC3C,OAAO,CAAC,aAAa,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,qBAAqB;QACnD,OAAO,CAAC,aAAa,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,iBAAiB;QAC/C,OAAO,CAAC,aAAa,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,oBAAoB;QAClD,OAAO,CAAC,aAAa,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,2BAA2B;QACzD,OAAO,CAAC,aAAa,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,2BAA2B;QACzD,OAAO,CAAC,aAAa,CAAC,iBAAiB,EAAE,EAAE,CAAC,CAAC,CAAC,kCAAkC;QAChF,QAAQ,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QAC3B,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAClC,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,GAAG,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IAClE,MAAM,MAAM,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,GAAG,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IAE3E,gCAAgC;IAChC,MAAM,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,CAAC;IAElC,sCAAsC;IACtC,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAC9B,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,CAAC,YAAY;IAC/C,IAAI,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,cAAc;IACxC,IAAI,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,eAAe;IACzC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,uBAAuB;IAC5D,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC,gBAAgB;IACtD,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa;IAC7C,IAAI,CAAC,aAAa,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,CAAC,eAAe;IACjD,IAAI,CAAC,aAAa,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,iBAAiB;IAC5C,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAElB,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;AAC/B,CAAC;AAED;;GAEG;AACH,SAAS,KAAK,CAAC,IAAY;IACzB,IAAI,GAAG,GAAG,UAAU,CAAC;IACrB,KAAK,MAAM,IAAI,IAAI,IAAI,EAAE,CAAC;QACxB,GAAG,IAAI,IAAI,CAAC;QACZ,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YAC3B,GAAG,GAAG,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC,GAAG,UAAU,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC;QACvD,CAAC;IACH,CAAC;IACD,OAAO,CAAC,GAAG,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;AAClC,CAAC;AAED,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;IAC7B,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QAC5C,MAAM,IAAI,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;QAEpC,MAAM,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;QACvC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,kEAAkE,CAAC,CAAC;IACxF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,MAAM,KAAK,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;QACrD,MAAM,KAAK,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;QAErD,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAChC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;IAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,mBAAmB,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IAEhE,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,MAAM,KAAK,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC1C,MAAM,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAEvD,MAAM,QAAQ,GAAG;YACf,IAAI,EAAE,gBAAgB;YACtB,SAAS,EAAE,gBAAgB;YAC3B,OAAO,EAAE,OAAO;YAChB,IAAI,EAAE,oBAAoB;YAC1B,gBAAgB,EAAE,CAAC,wBAAwB,CAAC;SAC7C,CAAC;QAEF,MAAM,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,cAAc,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAClF,MAAM,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,cAAc,CAAC,EAAE,uBAAuB,CAAC,CAAC;QAC/E,MAAM,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,EAAE,kBAAkB,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,KAAK,IAAI,EAAE;QAClB,MAAM,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,KAAK,IAAI,EAAE;QAC9C,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,OAAO,CAAC,CAAC;QAE9C,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;QACtD,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;QAC3D,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAChD,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,KAAK,IAAI,EAAE;QAC9C,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,OAAO,CAAC,CAAC;QAE9C,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtD,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1D,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;QAC1D,2CAA2C;QAC3C,MAAM,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,cAAc,EAAE,KAAK,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACvE,MAAM,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACnE,MAAM,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,cAAc,EAAE,KAAK,EAAE,UAAU,CAAC,EAAE,sBAAsB,CAAC,CAAC;QAC1F,MAAM,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,KAAK,CAAC,EAAE,YAAY,CAAC,CAAC;QAEvE,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,OAAO,CAAC,CAAC;QAE9C,gDAAgD;QAChD,MAAM,CAAC,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACvF,MAAM,CAAC,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACjF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,KAAK,IAAI,EAAE;QAC/D,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,oBAAoB,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAClE,MAAM,KAAK,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAE3C,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAAC;QAChF,CAAC;gBAAS,CAAC;YACT,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACvD,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;IAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,wBAAwB,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IAErE,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,MAAM,KAAK,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC1C,MAAM,QAAQ,GAAG;YACf,IAAI,EAAE,WAAW;YACjB,SAAS,EAAE,MAAM;YACjB,OAAO,EAAE,OAAO;SACjB,CAAC;QACF,MAAM,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,cAAc,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC3E,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,KAAK,IAAI,EAAE;QAClB,MAAM,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;QAC1D,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,OAAO,CAAC,CAAC;QAE9C,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACjD,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;QACtD,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,aAAa,CAAC,CAAC;QAClD,MAAM,SAAS,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC;QAE3C,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,aAAa,CAAC,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;QACjF,CAAC;gBAAS,CAAC;YACT,MAAM,EAAE,CAAC,WAAW,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACzC,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,aAAa,EAAE,GAAG,EAAE;IAC3B,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;QAC9D,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC;YAC9B,IAAI,EAAE,UAAU;YAChB,SAAS,EAAE,MAAM;YACjB,OAAO,EAAE,OAAO;SACjB,CAAC,CAAC;QAEH,MAAM,SAAS,GAAG,aAAa,CAC7B;YACE,EAAE,IAAI,EAAE,wBAAwB,EAAE,OAAO,EAAE,QAAQ,EAAE;YACrD,EAAE,IAAI,EAAE,mBAAmB,EAAE,OAAO,EAAE,uBAAuB,EAAE;SAChE,EACD,EAAE,iBAAiB,EAAE,KAAK,EAAE,CAC7B,CAAC;QAEF,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,iBAAiB,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QACpE,MAAM,SAAS,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;QAErC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,QAAQ,CAAC,CAAC;YAE7C,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAChD,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAChD,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACtD,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjD,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QAClF,CAAC;gBAAS,CAAC;YACT,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACtC,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;QAC9D,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC;YAC9B,IAAI,EAAE,eAAe;YACrB,SAAS,EAAE,MAAM;YACjB,OAAO,EAAE,OAAO;SACjB,CAAC,CAAC;QAEH,MAAM,SAAS,GAAG,aAAa,CAC7B;YACE,EAAE,IAAI,EAAE,wBAAwB,EAAE,OAAO,EAAE,QAAQ,EAAE;YACrD,EAAE,IAAI,EAAE,wBAAwB,EAAE,OAAO,EAAE,8BAA8B,EAAE;SAC5E,EACD,EAAE,iBAAiB,EAAE,IAAI,EAAE,CAC5B,CAAC;QAEF,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,iBAAiB,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QACpE,MAAM,SAAS,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;QAErC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,QAAQ,CAAC,CAAC;YAE7C,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;YACrD,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAChD,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACtD,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACtD,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC;QAC9F,CAAC;gBAAS,CAAC;YACT,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACtC,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;QACzD,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC;YAC9B,IAAI,EAAE,gBAAgB;YACtB,SAAS,EAAE,MAAM;YACjB,OAAO,EAAE,OAAO;SACjB,CAAC,CAAC;QAEH,6DAA6D;QAC7D,MAAM,YAAY,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAElE,MAAM,SAAS,GAAG,aAAa,CAC7B;YACE,EAAE,IAAI,EAAE,wBAAwB,EAAE,OAAO,EAAE,QAAQ,EAAE;YACrD,EAAE,IAAI,EAAE,qBAAqB,EAAE,OAAO,EAAE,YAAY,EAAE;SACvD,EACD,EAAE,iBAAiB,EAAE,IAAI,EAAE,CAC5B,CAAC;QAEF,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,cAAc,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QACjE,MAAM,SAAS,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;QAErC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,QAAQ,CAAC,CAAC;YAE7C,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;YACtD,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACnD,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACzE,CAAC;gBAAS,CAAC;YACT,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACtC,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;QAClD,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;QACvD,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,gBAAgB,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QACnE,MAAM,SAAS,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QAEtC,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,oCAAoC,CAAC,CAAC;QAC5F,CAAC;gBAAS,CAAC;YACT,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACtC,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;QAClD,MAAM,SAAS,GAAG,aAAa,CAAC,CAAC,EAAE,IAAI,EAAE,qBAAqB,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC,EAAE;YACrF,iBAAiB,EAAE,KAAK;SACzB,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,mBAAmB,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QACtE,MAAM,SAAS,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;QAErC,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAAC;QAC9E,CAAC;gBAAS,CAAC;YACT,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACtC,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wDAAwD,EAAE,KAAK,IAAI,EAAE;QACtE,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC;YAC9B,IAAI,EAAE,kBAAkB;YACxB,SAAS,EAAE,MAAM;YACjB,OAAO,EAAE,OAAO;SACjB,CAAC,CAAC;QAEH,MAAM,SAAS,GAAG,aAAa,CAC7B;YACE,EAAE,IAAI,EAAE,qCAAqC,EAAE,OAAO,EAAE,QAAQ,EAAE;YAClE,EAAE,IAAI,EAAE,gCAAgC,EAAE,OAAO,EAAE,uBAAuB,EAAE;SAC7E,EACD,EAAE,iBAAiB,EAAE,KAAK,EAAE,CAC7B,CAAC;QAEF,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,qBAAqB,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QACxE,MAAM,SAAS,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;QAErC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,QAAQ,CAAC,CAAC;YAE7C,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;YACxD,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAChD,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACtD,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnD,CAAC;gBAAS,CAAC;YACT,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACtC,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yDAAyD,EAAE,KAAK,IAAI,EAAE;QACvE,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC;YAC9B,IAAI,EAAE,4BAA4B;YAClC,SAAS,EAAE,YAAY;YACvB,OAAO,EAAE,OAAO;SACjB,CAAC,CAAC;QAEH,MAAM,SAAS,GAAG,aAAa,CAC7B;YACE;gBACE,IAAI,EAAE,0DAA0D;gBAChE,OAAO,EAAE,QAAQ;aAClB;YACD;gBACE,IAAI,EAAE,wEAAwE;gBAC9E,OAAO,EAAE,2CAA2C;aACrD;SACF,EACD,EAAE,iBAAiB,EAAE,KAAK,EAAE,CAC7B,CAAC;QAEF,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,yBAAyB,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QAC5E,MAAM,SAAS,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;QAErC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,QAAQ,CAAC,CAAC;YAE7C,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;YAClE,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YACvD,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACtD,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtE,CAAC;gBAAS,CAAC;YACT,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACtC,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/package.json

@@ -0,0 +1,60 @@
+{
+  "name": "@trailofbits/vsix-audit",
+  "version": "0.1.0",
+  "description": "Security scanner for VS Code extensions",
+  "keywords": [
+    "audit",
+    "scanner",
+    "security",
+    "trail-of-bits",
+    "vscode",
+    "vsix"
+  ],
+  "homepage": "https://github.com/trailofbits/vsix-audit#readme",
+  "bugs": {
+    "url": "https://github.com/trailofbits/vsix-audit/issues"
+  },
+  "license": "AGPL-3.0",
+  "author": "Trail of Bits",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/trailofbits/vsix-audit.git"
+  },
+  "bin": {
+    "vsix-audit": "dist/index.js"
+  },
+  "files": [
+    "dist",
+    "zoo"
+  ],
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "start": "node dist/index.js",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "lint": "oxlint .",
+    "format": "oxfmt --write .",
+    "format:check": "oxfmt --check .",
+    "typecheck": "tsc --noEmit",
+    "check": "npm run typecheck && npm run lint && npm run test",
+    "prepublishOnly": "npm run check && npm run build"
+  },
+  "dependencies": {
+    "commander": "14.0.2",
+    "oxc-parser": "0.111.0",
+    "picocolors": "1.1.1"
+  },
+  "devDependencies": {
+    "@types/node": "25.0.10",
+    "oxlint": "1.42.0",
+    "typescript": "5.9.3",
+    "vitest": "4.0.18"
+  },
+  "engines": {
+    "node": ">=22"
+  }
+}

package/zoo/blocklist/extensions.json

@@ -0,0 +1,201 @@
+{
+  "$schema": "../schemas/blocklist.schema.json",
+  "version": "1.1.0",
+  "lastUpdated": "2026-01-27",
+  "extensions": [
+    {
+      "id": "IconKiefApp.material-icon-theme",
+      "name": "Icon Theme: Material",
+      "reason": "GlassWorm malware - impersonates PKief.material-icon-theme",
+      "campaign": "GlassWorm",
+      "addedDate": "2025-11-28",
+      "reference": "https://www.nextron-systems.com/2025/11/28/malicious-vs-code-extension-impersonating-material-icon-theme-found-in-marketplace/"
+    },
+    {
+      "id": "498.cppplayground",
+      "name": "C++ Playground",
+      "reason": "TigerJack keylogger - steals keystrokes and .cpp files",
+      "campaign": "TigerJack",
+      "addedDate": "2025-10-01",
+      "reference": "https://www.koi.ai/blog/tiger-jack-malicious-vscode-extensions-stealing-code"
+    },
+    {
+      "id": "498.httpformat",
+      "name": "HTTP Format",
+      "reason": "TigerJack cryptominer - CoinIMP miner",
+      "campaign": "TigerJack",
+      "addedDate": "2025-10-01",
+      "reference": "https://www.koi.ai/blog/tiger-jack-malicious-vscode-extensions-stealing-code"
+    },
+    {
+      "id": "498.pythonformat",
+      "name": "Python Format",
+      "reason": "TigerJack backdoor - 20-minute C2 polling",
+      "campaign": "TigerJack",
+      "addedDate": "2025-10-01",
+      "reference": "https://www.koi.ai/blog/tiger-jack-malicious-vscode-extensions-stealing-code"
+    },
+    {
+      "id": "498-00.*",
+      "name": "498-00 publisher (all)",
+      "reason": "TigerJack republished extensions",
+      "campaign": "TigerJack",
+      "addedDate": "2025-09-17",
+      "reference": "https://www.bleepingcomputer.com/news/security/malicious-crypto-stealing-vscode-extensions-resurface-on-openvsx/"
+    },
+    {
+      "id": "BigBlack.bitcoin-black",
+      "name": "Bitcoin Black",
+      "reason": "Evelyn infostealer disguised as theme",
+      "campaign": "Evelyn",
+      "addedDate": "2025-12-05",
+      "reference": "https://www.bleepingcomputer.com/news/security/malicious-vscode-extensions-on-microsofts-registry-drop-infostealers/"
+    },
+    {
+      "id": "BigBlack.codo-ai",
+      "name": "Codo AI",
+      "reason": "Evelyn infostealer with working AI features as cover",
+      "campaign": "Evelyn",
+      "addedDate": "2025-12-08",
+      "reference": "https://www.koi.ai/blog/the-vs-code-malware-that-captures-your-screen"
+    },
+    {
+      "id": "suspublisher18.susvsex",
+      "name": "susvsex",
+      "reason": "Ransomware - zipUploadAndEncrypt function",
+      "campaign": "Unknown",
+      "addedDate": "2025-11-01",
+      "reference": "https://www.businesstechweekly.com/technology-news/malicious-vs-code-extension-ransomware-capabilities-discovered-and-removed-from-marketplace/"
+    },
+    {
+      "id": "publishingsofficial.prettier-vscode-plus",
+      "name": "prettier-vscode-plus",
+      "reason": "OctoRAT - multi-stage RAT delivery",
+      "campaign": "OctoRAT",
+      "addedDate": "2025-11-21",
+      "reference": "https://hunt.io/blog/malicious-vscode-extension-anivia-octorat-attack-chain"
+    },
+    {
+      "id": "ahban.shiba",
+      "name": "shiba",
+      "reason": "Ransomware - early stage, demonstrates name reuse vulnerability",
+      "campaign": "Shiba",
+      "addedDate": "2025-03-01",
+      "reference": "https://www.reversinglabs.com/blog/malware-vs-code-extension-names"
+    },
+    {
+      "id": "ahban.cychelloworld",
+      "name": "cychelloworld",
+      "reason": "Ransomware - related to shiba",
+      "campaign": "Shiba",
+      "addedDate": "2025-03-01",
+      "reference": "https://www.reversinglabs.com/blog/malware-vs-code-extension-names"
+    },
+    {
+      "id": "ahbanC.shiba",
+      "name": "shiba (republished)",
+      "reason": "Ransomware - republished after removal",
+      "campaign": "Shiba",
+      "addedDate": "2025-08-01",
+      "reference": "https://www.reversinglabs.com/blog/malware-vs-code-extension-names"
+    },
+    {
+      "id": "Ethereum.solidity",
+      "name": "Solidity (fake Ethereum publisher)",
+      "reason": "WhiteCobra - ScreenConnect RAT with fake download count",
+      "campaign": "WhiteCobra",
+      "platform": "openvsx",
+      "addedDate": "2025-08-10",
+      "reference": "https://dex.koi.security/reports/cursor/8e0ec40b-ef95-4e11-9264-cf055c58050c/0.0.7"
+    },
+    {
+      "id": "wli273088.vscode-pets-",
+      "name": "vscode-pets-",
+      "reason": "Malicious - Koidex Catch of the Day",
+      "campaign": "Unknown",
+      "addedDate": "2026-01-01",
+      "reference": "https://dex.koi.security/"
+    },
+    {
+      "id": "GPTOnce.chatgpt",
+      "name": "ChatGPT",
+      "reason": "Malicious - Koidex Catch of the Day",
+      "campaign": "Unknown",
+      "addedDate": "2026-01-01",
+      "reference": "https://dex.koi.security/"
+    },
+    {
+      "id": "juan-bianco.solidity-vlang",
+      "name": "Solidity (SleepyDuck)",
+      "reason": "SleepyDuck RAT - Ethereum smart contract C2",
+      "campaign": "WhiteCobra",
+      "platform": "openvsx",
+      "addedDate": "2025-11-03",
+      "reference": "https://www.bleepingcomputer.com/news/security/fake-solidity-vscode-extension-on-open-vsx-backdoors-developers/"
+    },
+    {
+      "id": "malkolm.*",
+      "name": "malkolm publisher (all)",
+      "reason": "Trojan-laden fake image - banner.png contains Rust binary",
+      "campaign": "ReversingLabs-Dec2025",
+      "addedDate": "2025-12-10",
+      "reference": "https://www.reversinglabs.com/blog/malicious-vs-code-fake-image"
+    },
+    {
+      "id": "pandaexpress.*",
+      "name": "pandaexpress publisher (all)",
+      "reason": "Trojan-laden fake image - banner.png contains Rust binary",
+      "campaign": "ReversingLabs-Dec2025",
+      "addedDate": "2025-12-10",
+      "reference": "https://www.reversinglabs.com/blog/malicious-vs-code-fake-image"
+    },
+    {
+      "id": "prada555.*",
+      "name": "prada555 publisher (all)",
+      "reason": "Trojan-laden fake image - banner.png contains Rust binary",
+      "campaign": "ReversingLabs-Dec2025",
+      "addedDate": "2025-12-10",
+      "reference": "https://www.reversinglabs.com/blog/malicious-vs-code-fake-image"
+    },
+    {
+      "id": "priskinski.*",
+      "name": "priskinski publisher (all)",
+      "reason": "Trojan-laden fake image - banner.png contains Rust binary",
+      "campaign": "ReversingLabs-Dec2025",
+      "addedDate": "2025-12-10",
+      "reference": "https://www.reversinglabs.com/blog/malicious-vs-code-fake-image"
+    },
+    {
+      "id": "iconkieftwo.icon-theme-materiall",
+      "name": "Icon Theme Material (GlassWorm Wave 3)",
+      "reason": "GlassWorm wave 3 - Rust implant with Solana C2",
+      "campaign": "GlassWorm",
+      "addedDate": "2025-12-01",
+      "reference": "https://www.bleepingcomputer.com/news/security/glassworm-malware-returns-in-third-wave-of-malicious-vs-code-packages/"
+    },
+    {
+      "id": "solaibot.*",
+      "name": "solaibot (MUT-9332)",
+      "reason": "MUT-9332 campaign - targets Solidity developers",
+      "campaign": "MUT-9332",
+      "addedDate": "2025-05-23",
+      "reference": "https://securityonline.info/malicious-vs-code-extensions-deliver-spyware-steal-crypto-credentials/"
+    },
+    {
+      "id": "among-eth.*",
+      "name": "among-eth (MUT-9332)",
+      "reason": "MUT-9332 campaign - targets Solidity developers",
+      "campaign": "MUT-9332",
+      "addedDate": "2025-05-23",
+      "reference": "https://securityonline.info/malicious-vs-code-extensions-deliver-spyware-steal-crypto-credentials/"
+    },
+    {
+      "id": "blankebesxstnion.*",
+      "name": "blankebesxstnion (MUT-9332)",
+      "reason": "MUT-9332 campaign - targets Solidity developers",
+      "campaign": "MUT-9332",
+      "addedDate": "2025-05-23",
+      "reference": "https://securityonline.info/malicious-vs-code-extensions-deliver-spyware-steal-crypto-credentials/"
+    }
+  ]
+}