guardrail-security 1.0.0

package/src/supply-chain/malicious-db.ts

@@ -0,0 +1,103 @@
+/**
+ * Malicious Package Database
+ *
+ * Checks packages against known malicious packages
+ */
+
+export interface MaliciousPackageInfo {
+  name: string;
+  version?: string;
+  reason: string;
+  severity: 'low' | 'medium' | 'high' | 'critical';
+  cve?: string;
+  reported: Date;
+}
+
+/**
+ * Known malicious packages (this would be updated regularly from external sources)
+ */
+const KNOWN_MALICIOUS: MaliciousPackageInfo[] = [
+  // Example entries - in production, this would be fetched from:
+  // - npm security advisories
+  // - Snyk vulnerability database
+  // - GitHub Advisory Database
+  // - Custom threat intelligence feeds
+];
+
+export class MaliciousPackageDB {
+  private maliciousPackages: Map<string, MaliciousPackageInfo[]> = new Map();
+
+  constructor() {
+    this.loadDatabase();
+  }
+
+  /**
+   * Check if package is known to be malicious
+   */
+  async checkPackage(name: string, version: string): Promise<{
+    isMalicious: boolean;
+    matches: MaliciousPackageInfo[];
+  }> {
+    const matches: MaliciousPackageInfo[] = [];
+
+    // Check exact name match
+    const nameMatches = this.maliciousPackages.get(name) || [];
+
+    for (const match of nameMatches) {
+      // If no version specified in DB, flag all versions
+      if (!match.version) {
+        matches.push(match);
+        continue;
+      }
+
+      // Check version match
+      if (match.version === version || match.version === '*') {
+        matches.push(match);
+      }
+    }
+
+    return {
+      isMalicious: matches.length > 0,
+      matches,
+    };
+  }
+
+  /**
+   * Load malicious packages database
+   */
+  private loadDatabase(): void {
+    for (const pkg of KNOWN_MALICIOUS) {
+      if (!this.maliciousPackages.has(pkg.name)) {
+        this.maliciousPackages.set(pkg.name, []);
+      }
+      this.maliciousPackages.get(pkg.name)!.push(pkg);
+    }
+  }
+
+  /**
+   * Update database from external sources
+   */
+  async updateDatabase(): Promise<{ added: number; updated: number }> {
+    // In production, this would:
+    // 1. Fetch from npm security advisories API
+    // 2. Fetch from Snyk API
+    // 3. Fetch from GitHub Advisory Database
+    // 4. Merge with existing database
+    // 5. Return statistics
+
+    return { added: 0, updated: 0 };
+  }
+
+  /**
+   * Add custom malicious package
+   */
+  addMaliciousPackage(info: MaliciousPackageInfo): void {
+    if (!this.maliciousPackages.has(info.name)) {
+      this.maliciousPackages.set(info.name, []);
+    }
+    this.maliciousPackages.get(info.name)!.push(info);
+  }
+}
+
+// Export singleton
+export const maliciousPackageDB = new MaliciousPackageDB();

package/src/supply-chain/script-analyzer.ts

@@ -0,0 +1,194 @@
+/**
+ * Script Analyzer
+ *
+ * Analyzes package.json scripts for suspicious behavior
+ */
+
+export interface ScriptAnalysisResult {
+  scriptName: string;
+  scriptContent: string;
+  isSuspicious: boolean;
+  threats: ScriptThreat[];
+  riskScore: number;
+}
+
+export interface ScriptThreat {
+  type: 'data_exfiltration' | 'crypto_mining' | 'backdoor' | 'malicious_download' | 'privilege_escalation';
+  pattern: string;
+  severity: 'low' | 'medium' | 'high' | 'critical';
+  description: string;
+}
+
+export class ScriptAnalyzer {
+  /**
+   * Analyze package.json scripts
+   */
+  async analyzeScripts(_packageName: string, _version: string): Promise<ScriptAnalysisResult[]> {
+    // In production, this would fetch package.json from npm registry
+    // For now, return empty array
+    return [];
+  }
+
+  /**
+   * Analyze a single script
+   */
+  analyzeScript(scriptName: string, scriptContent: string): ScriptAnalysisResult {
+    const threats: ScriptThreat[] = [];
+
+    // Check for data exfiltration
+    if (this.detectExfiltration(scriptContent)) {
+      threats.push({
+        type: 'data_exfiltration',
+        pattern: 'network_request',
+        severity: 'high',
+        description: 'Script makes network requests that could exfiltrate data',
+      });
+    }
+
+    // Check for crypto mining
+    if (this.detectCryptoMining(scriptContent)) {
+      threats.push({
+        type: 'crypto_mining',
+        pattern: 'crypto_miner',
+        severity: 'high',
+        description: 'Script contains crypto mining code',
+      });
+    }
+
+    // Check for backdoors
+    if (this.detectBackdoor(scriptContent)) {
+      threats.push({
+        type: 'backdoor',
+        pattern: 'reverse_shell',
+        severity: 'critical',
+        description: 'Script opens a backdoor or reverse shell',
+      });
+    }
+
+    // Check for malicious downloads
+    if (this.detectMaliciousDownload(scriptContent)) {
+      threats.push({
+        type: 'malicious_download',
+        pattern: 'download_execute',
+        severity: 'critical',
+        description: 'Script downloads and executes code',
+      });
+    }
+
+    // Check for privilege escalation
+    if (this.detectPrivilegeEscalation(scriptContent)) {
+      threats.push({
+        type: 'privilege_escalation',
+        pattern: 'sudo_usage',
+        severity: 'high',
+        description: 'Script attempts privilege escalation',
+      });
+    }
+
+    // Calculate risk score
+    const riskScore = this.calculateRiskScore(threats);
+
+    return {
+      scriptName,
+      scriptContent,
+      isSuspicious: threats.length > 0,
+      threats,
+      riskScore,
+    };
+  }
+
+  /**
+   * Detect data exfiltration patterns
+   */
+  detectExfiltration(script: string): boolean {
+    const patterns = [
+      /curl\s+.*\|\s*bash/i,              // Pipe to bash
+      /wget\s+.*\|\s*sh/i,                // Pipe to sh
+      /fetch\(['"]http/i,                 // HTTP requests
+      /axios\./i,                          // Axios requests
+      /http\.request/i,                    // HTTP module
+      /child_process\.exec.*curl/i,       // Execute curl
+    ];
+
+    return patterns.some((p) => p.test(script));
+  }
+
+  /**
+   * Detect crypto mining
+   */
+  detectCryptoMining(script: string): boolean {
+    const patterns = [
+      /coinhive/i,
+      /cryptonight/i,
+      /monero/i,
+      /xmrig/i,
+      /stratum\+tcp/i,
+    ];
+
+    return patterns.some((p) => p.test(script));
+  }
+
+  /**
+   * Detect backdoor patterns
+   */
+  private detectBackdoor(script: string): boolean {
+    const patterns = [
+      /nc\s+-l/i,                         // Netcat listener
+      /\/bin\/sh\s+-i/i,                  // Interactive shell
+      /bash\s+-i/i,                       // Interactive bash
+      /python.*socket/i,                  // Python socket
+    ];
+
+    return patterns.some((p) => p.test(script));
+  }
+
+  /**
+   * Detect malicious downloads
+   */
+  private detectMaliciousDownload(script: string): boolean {
+    const patterns = [
+      /curl.*\|\s*bash/i,
+      /wget.*&&.*chmod\s*\+x/i,
+      /download.*&&.*execute/i,
+    ];
+
+    return patterns.some((p) => p.test(script));
+  }
+
+  /**
+   * Detect privilege escalation
+   */
+  private detectPrivilegeEscalation(script: string): boolean {
+    const patterns = [
+      /sudo\s+/i,
+      /su\s+-/i,
+      /chmod\s+777/i,
+      /chown\s+root/i,
+    ];
+
+    return patterns.some((p) => p.test(script));
+  }
+
+  /**
+   * Calculate risk score
+   */
+  private calculateRiskScore(threats: ScriptThreat[]): number {
+    const severityScores = {
+      low: 25,
+      medium: 50,
+      high: 75,
+      critical: 100,
+    };
+
+    if (threats.length === 0) return 0;
+
+    const totalScore = threats.reduce((sum, threat) => {
+      return sum + severityScores[threat.severity];
+    }, 0);
+
+    return Math.min(100, totalScore / threats.length);
+  }
+}
+
+// Export singleton
+export const scriptAnalyzer = new ScriptAnalyzer();

package/src/supply-chain/typosquat.ts

@@ -0,0 +1,302 @@
+/**
+ * Typosquatting Detection
+ *
+ * Detects potential typosquatting attacks against popular packages
+ */
+
+/**
+ * Top 100 most popular npm packages (simplified list)
+ */
+const POPULAR_PACKAGES = [
+  'react', 'vue', 'angular', 'express', 'next', 'axios', 'lodash', 'webpack',
+  'typescript', 'eslint', 'prettier', 'jest', 'mocha', 'chai', 'babel',
+  'moment', 'dayjs', 'date-fns', 'redux', 'mobx', 'rxjs', 'socket.io',
+  'fastify', 'koa', 'hapi', 'nestjs', 'prisma', 'mongoose', 'sequelize',
+  'typeorm', 'knex', 'pg', 'mysql', 'redis', 'mongodb', 'sqlite3',
+  'passport', 'jsonwebtoken', 'bcrypt', 'crypto-js', 'uuid', 'nanoid',
+  'dotenv', 'config', 'yargs', 'commander', 'inquirer', 'chalk', 'ora',
+  'debug', 'winston', 'pino', 'morgan', 'cors', 'helmet', 'compression',
+  'multer', 'body-parser', 'cookie-parser', 'express-session', 'passport',
+  'nodemailer', 'sendgrid', 'twilio', 'stripe', 'aws-sdk', 'google-cloud',
+  'firebase', 'azure', 'docker', 'kubernetes', 'terraform', 'ansible',
+  'jenkins', 'gitlab', 'github', 'bitbucket', 'jira', 'confluence',
+  'slack', 'discord', 'telegram', 'whatsapp', 'sentry', 'datadog',
+  'newrelic', 'prometheus', 'grafana', 'elasticsearch', 'kibana', 'logstash',
+  'kafka', 'rabbitmq', 'celery', 'bull', 'agenda', 'cron', 'node-schedule',
+];
+
+export interface TyposquatResult {
+  isTyposquat: boolean;
+  suspiciousPackage: string;
+  targetPackage?: string;
+  similarity: number;
+  patterns: string[];
+}
+
+export class TyposquatDetector {
+  private popularPackages: Set<string>;
+
+  constructor() {
+    this.popularPackages = new Set(POPULAR_PACKAGES);
+  }
+
+  /**
+   * Detect typosquatting
+   */
+  async detectTyposquatting(packageName: string): Promise<TyposquatResult> {
+    const patterns: string[] = [];
+    let targetPackage: string | undefined;
+    let maxSimilarity = 0;
+
+    // Check against popular packages
+    for (const popular of this.popularPackages) {
+      // Skip if exact match
+      if (packageName === popular) {
+        continue;
+      }
+
+      // Check various typosquatting techniques
+      const techniques = [
+        this.checkCharacterSwap(packageName, popular),
+        this.checkMissingCharacter(packageName, popular),
+        this.checkExtraCharacter(packageName, popular),
+        this.checkHomoglyph(packageName, popular),
+        this.checkCombosquatting(packageName, popular),
+        this.checkLevenshtein(packageName, popular),
+      ];
+
+      for (const technique of techniques) {
+        if (technique.isMatch) {
+          patterns.push(technique.pattern);
+
+          if (technique.similarity > maxSimilarity) {
+            maxSimilarity = technique.similarity;
+            targetPackage = popular;
+          }
+        }
+      }
+    }
+
+    return {
+      isTyposquat: patterns.length > 0,
+      suspiciousPackage: packageName,
+      targetPackage,
+      similarity: maxSimilarity,
+      patterns,
+    };
+  }
+
+  /**
+   * Check for character swap (e.g., raect vs react)
+   */
+  private checkCharacterSwap(pkg: string, popular: string): { isMatch: boolean; pattern: string; similarity: number } {
+    if (Math.abs(pkg.length - popular.length) > 0) {
+      return { isMatch: false, pattern: '', similarity: 0 };
+    }
+
+    // Try swapping adjacent characters
+    for (let i = 0; i < popular.length - 1; i++) {
+      const swapped = popular.substring(0, i) +
+                     popular[i + 1] +
+                     popular[i] +
+                     popular.substring(i + 2);
+
+      if (swapped === pkg) {
+        return {
+          isMatch: true,
+          pattern: 'character_swap',
+          similarity: 0.95,
+        };
+      }
+    }
+
+    return { isMatch: false, pattern: '', similarity: 0 };
+  }
+
+  /**
+   * Check for missing character (e.g., reat vs react)
+   */
+  private checkMissingCharacter(pkg: string, popular: string): { isMatch: boolean; pattern: string; similarity: number } {
+    if (pkg.length !== popular.length - 1) {
+      return { isMatch: false, pattern: '', similarity: 0 };
+    }
+
+    // Try removing each character
+    for (let i = 0; i < popular.length; i++) {
+      const removed = popular.substring(0, i) + popular.substring(i + 1);
+
+      if (removed === pkg) {
+        return {
+          isMatch: true,
+          pattern: 'missing_character',
+          similarity: 0.9,
+        };
+      }
+    }
+
+    return { isMatch: false, pattern: '', similarity: 0 };
+  }
+
+  /**
+   * Check for extra character (e.g., reactt vs react)
+   */
+  private checkExtraCharacter(pkg: string, popular: string): { isMatch: boolean; pattern: string; similarity: number } {
+    if (pkg.length !== popular.length + 1) {
+      return { isMatch: false, pattern: '', similarity: 0 };
+    }
+
+    // Try removing each character from pkg
+    for (let i = 0; i < pkg.length; i++) {
+      const removed = pkg.substring(0, i) + pkg.substring(i + 1);
+
+      if (removed === popular) {
+        return {
+          isMatch: true,
+          pattern: 'extra_character',
+          similarity: 0.9,
+        };
+      }
+    }
+
+    return { isMatch: false, pattern: '', similarity: 0 };
+  }
+
+  /**
+   * Check for homoglyph substitution (e.g., react with Cyrillic 'а')
+   */
+  private checkHomoglyph(pkg: string, popular: string): { isMatch: boolean; pattern: string; similarity: number } {
+    // Common homoglyphs
+    const homoglyphs: Record<string, string[]> = {
+      'a': ['а', 'ɑ', 'α'],  // Cyrillic/Greek a
+      'e': ['е', ' е'],       // Cyrillic e
+      'o': ['о', 'ο', '0'],  // Cyrillic/Greek o, zero
+      'i': ['і', 'ı', 'l', '1'], // Cyrillic i, Turkish i, l, one
+      'c': ['с', 'ϲ'],       // Cyrillic c
+      'p': ['р'],            // Cyrillic p
+      'x': ['х', 'χ'],       // Cyrillic/Greek x
+    };
+
+    // Normalize both strings
+    const normalize = (str: string): string => {
+      let normalized = str;
+      for (const [latin, alternates] of Object.entries(homoglyphs)) {
+        for (const alt of alternates) {
+          normalized = normalized.replace(new RegExp(alt, 'g'), latin);
+        }
+      }
+      return normalized;
+    };
+
+    const normalizedPkg = normalize(pkg);
+
+    if (normalizedPkg === popular && normalizedPkg !== pkg) {
+      return {
+        isMatch: true,
+        pattern: 'homoglyph',
+        similarity: 0.95,
+      };
+    }
+
+    return { isMatch: false, pattern: '', similarity: 0 };
+  }
+
+  /**
+   * Check for combosquatting (e.g., react-native-safe vs react)
+   */
+  private checkCombosquatting(pkg: string, popular: string): { isMatch: boolean; pattern: string; similarity: number } {
+    if (pkg.includes(popular) && pkg !== popular) {
+      // Check if it's just adding common suffixes/prefixes
+      const commonAdditions = ['-js', '-node', '-utils', '-core', '-plugin', '-webpack', '-babel'];
+
+      for (const addition of commonAdditions) {
+        if (pkg === popular + addition || pkg === addition + popular) {
+          return {
+            isMatch: true,
+            pattern: 'combosquatting',
+            similarity: 0.7,
+          };
+        }
+      }
+    }
+
+    return { isMatch: false, pattern: '', similarity: 0 };
+  }
+
+  /**
+   * Check Levenshtein distance
+   */
+  private checkLevenshtein(pkg: string, popular: string): { isMatch: boolean; pattern: string; similarity: number } {
+    const distance = this.levenshteinDistance(pkg, popular);
+    const maxLength = Math.max(pkg.length, popular.length);
+    const similarity = 1 - (distance / maxLength);
+
+    // Consider it suspicious if similarity > 0.8
+    if (similarity >= 0.8 && similarity < 1.0) {
+      return {
+        isMatch: true,
+        pattern: 'levenshtein_distance',
+        similarity,
+      };
+    }
+
+    return { isMatch: false, pattern: '', similarity: 0 };
+  }
+
+  /**
+   * Calculate Levenshtein distance
+   */
+  levenshteinDistance(a: string, b: string): number {
+    const matrix: number[][] = [];
+    
+    // Initialize matrix with proper dimensions
+    for (let i = 0; i <= b.length; i++) {
+      matrix[i] = [];
+      for (let j = 0; j <= a.length; j++) {
+        matrix[i]![j] = 0;
+      }
+    }
+    
+    // Set first column
+    for (let i = 0; i <= b.length; i++) {
+      matrix[i]![0] = i;
+    }
+
+    // Set first row
+    for (let j = 0; j <= a.length; j++) {
+      matrix[0]![j] = j;
+    }
+
+    for (let i = 1; i <= b.length; i++) {
+      for (let j = 1; j <= a.length; j++) {
+        if (b.charAt(i - 1) === a.charAt(j - 1)) {
+          matrix[i]![j] = matrix[i - 1]![j - 1]!;
+        } else {
+          matrix[i]![j] = Math.min(
+            matrix[i - 1]![j - 1]! + 1, // substitution
+            matrix[i]![j - 1]! + 1,     // insertion
+            matrix[i - 1]![j]! + 1      // deletion
+          );
+        }
+      }
+    }
+
+    return matrix[b.length]![a.length]!;
+  }
+
+  /**
+   * Get popular packages list
+   */
+  async getPopularPackages(): Promise<string[]> {
+    return Array.from(this.popularPackages);
+  }
+
+  /**
+   * Add custom popular package
+   */
+  addPopularPackage(packageName: string): void {
+    this.popularPackages.add(packageName);
+  }
+}
+
+// Export singleton
+export const typosquatDetector = new TyposquatDetector();