admin0911 1.0.1 → 1.0.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/admin0911-1.0.3.tgz +0 -0
- package/index.js +65 -21
- package/package.json +1 -1
- package/admin0911-1.0.1.tgz +0 -0
|
Binary file
|
package/index.js
CHANGED
|
@@ -7,15 +7,6 @@ const ROOT_DIR = process.cwd();
|
|
|
7
7
|
const MAX_FILE_SIZE = 5 * 1024 * 1024; // 5MB
|
|
8
8
|
const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build'];
|
|
9
9
|
|
|
10
|
-
const regexes = [
|
|
11
|
-
{ name: 'JWT', pattern: /[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g },
|
|
12
|
-
{ name: 'BearerToken', pattern: /Bearer\s+([A-Za-z0-9-_.]+)/gi },
|
|
13
|
-
{ name: 'AWSAccessKey', pattern: /AKIA[0-9A-Z]{16}/g },
|
|
14
|
-
{ name: 'GoogleAPIKey', pattern: /AIza[0-9A-Za-z-_]{35}/g },
|
|
15
|
-
{ name: 'SlackToken', pattern: /xox[baprs]-[0-9A-Za-z-]+/g },
|
|
16
|
-
{ name: 'GenericAPIKey', pattern: /(?:api_key|apikey|api-key|auth_token|token|secret)\s*[=:]\s*['\"]?([A-Za-z0-9-_]{16,})['\"]?/gi }
|
|
17
|
-
];
|
|
18
|
-
|
|
19
10
|
const found = [];
|
|
20
11
|
|
|
21
12
|
function isTextFile(filePath) {
|
|
@@ -23,6 +14,29 @@ function isTextFile(filePath) {
|
|
|
23
14
|
return textExtensions.includes(path.extname(filePath).toLowerCase());
|
|
24
15
|
}
|
|
25
16
|
|
|
17
|
+
function base64UrlDecode(input) {
|
|
18
|
+
let str = input.replace(/-/g, '+').replace(/_/g, '/');
|
|
19
|
+
while (str.length % 4) str += '=';
|
|
20
|
+
return Buffer.from(str, 'base64').toString('utf8');
|
|
21
|
+
}
|
|
22
|
+
|
|
23
|
+
function isValidJWT(token) {
|
|
24
|
+
const parts = token.split('.');
|
|
25
|
+
if (parts.length !== 3) return false;
|
|
26
|
+
if (parts[0].length < 10 || parts[1].length < 10) return false; // Relaxed signature requirement
|
|
27
|
+
try {
|
|
28
|
+
const header = JSON.parse(base64UrlDecode(parts[0]));
|
|
29
|
+
const payload = JSON.parse(base64UrlDecode(parts[1]));
|
|
30
|
+
return !!(header && header.typ === 'JWT' && payload);
|
|
31
|
+
} catch {
|
|
32
|
+
return false;
|
|
33
|
+
}
|
|
34
|
+
}
|
|
35
|
+
|
|
36
|
+
function addResult(entry) {
|
|
37
|
+
found.push(entry);
|
|
38
|
+
}
|
|
39
|
+
|
|
26
40
|
function scanFile(filePath) {
|
|
27
41
|
try {
|
|
28
42
|
const stats = fs.statSync(filePath);
|
|
@@ -30,13 +44,41 @@ function scanFile(filePath) {
|
|
|
30
44
|
if (!isTextFile(filePath)) return;
|
|
31
45
|
|
|
32
46
|
const content = fs.readFileSync(filePath, 'utf8');
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
47
|
+
|
|
48
|
+
// JWT tokens
|
|
49
|
+
const jwtPattern = /[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;
|
|
50
|
+
let match;
|
|
51
|
+
while ((match = jwtPattern.exec(content))) {
|
|
52
|
+
const token = match[0];
|
|
53
|
+
if (isValidJWT(token)) {
|
|
54
|
+
addResult({ file: path.relative(ROOT_DIR, filePath), type: 'JWT', token });
|
|
55
|
+
}
|
|
56
|
+
}
|
|
57
|
+
|
|
58
|
+
// Bearer / Authorization tokens
|
|
59
|
+
const bearerPattern = /Bearer\s+([A-Za-z0-9-_.]{20,})/gi;
|
|
60
|
+
while ((match = bearerPattern.exec(content))) {
|
|
61
|
+
addResult({ file: path.relative(ROOT_DIR, filePath), type: 'BearerToken', token: match[1] });
|
|
62
|
+
}
|
|
63
|
+
|
|
64
|
+
// Known key formats
|
|
65
|
+
const patterns = [
|
|
66
|
+
{ name: 'AWSAccessKey', regex: /AKIA[0-9A-Z]{16}/g },
|
|
67
|
+
{ name: 'GoogleAPIKey', regex: /AIza[0-9A-Za-z-_]{35}/g },
|
|
68
|
+
{ name: 'SlackToken', regex: /xox[baprs]-[0-9A-Za-z-]+/g }
|
|
69
|
+
];
|
|
70
|
+
patterns.forEach(({ name, regex }) => {
|
|
71
|
+
let pMatch;
|
|
72
|
+
while ((pMatch = regex.exec(content))) {
|
|
73
|
+
addResult({ file: path.relative(ROOT_DIR, filePath), type: name, token: pMatch[0] });
|
|
38
74
|
}
|
|
39
75
|
});
|
|
76
|
+
|
|
77
|
+
// Generic secrets in assignment form
|
|
78
|
+
const genericPattern = /(?:api_key|apikey|api-key|auth_token|token|secret|client_secret|private_key)\s*[=:]\s*['\"]?([A-Za-z0-9-_]{20,})['\"]?/gi;
|
|
79
|
+
while ((match = genericPattern.exec(content))) {
|
|
80
|
+
addResult({ file: path.relative(ROOT_DIR, filePath), type: 'GenericSecret', token: match[1] });
|
|
81
|
+
}
|
|
40
82
|
} catch (e) {
|
|
41
83
|
// ignore unreadable files
|
|
42
84
|
}
|
|
@@ -57,13 +99,15 @@ function scanDirectory(dir) {
|
|
|
57
99
|
|
|
58
100
|
function scanEnvVars() {
|
|
59
101
|
Object.entries(process.env).forEach(([key, value]) => {
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
});
|
|
102
|
+
if (!value) return;
|
|
103
|
+
const lowerKey = key.toLowerCase();
|
|
104
|
+
const suspiciousKey = /(?:api_key|apikey|api-key|auth_token|token|secret|client_secret|private_key|password|access_key|secret_key)/i.test(lowerKey);
|
|
105
|
+
if (suspiciousKey && value.length >= 20) {
|
|
106
|
+
addResult({ source: 'env', key, type: 'EnvSecret', token: value });
|
|
107
|
+
}
|
|
108
|
+
const bearerMatch = value.match(/Bearer\s+([A-Za-z0-9-_.]{20,})/i);
|
|
109
|
+
if (bearerMatch) addResult({ source: 'env', key, type: 'BearerToken', token: bearerMatch[1] });
|
|
110
|
+
if (isValidJWT(value)) addResult({ source: 'env', key, type: 'JWT', token: value });
|
|
67
111
|
});
|
|
68
112
|
}
|
|
69
113
|
|
package/package.json
CHANGED
package/admin0911-1.0.1.tgz
DELETED
|
Binary file
|