hackmyagent 0.11.3 → 0.11.4

package/dist/hardening/scanner.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../../src/hardening/scanner.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH,OAAO,KAAK,EAAE,UAAU,EAA0C,MAAM,kBAAkB,CAAC;AAkF3F,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,0CAA0C;IAC1C,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,0DAA0D;IAC1D,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,wEAAwE;IACxE,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,2EAA2E;IAC3E,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,oDAAoD;IACpD,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IACvC,mEAAmE;IACnE,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AA8HD,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,OAAO,CAAiB;IAEhC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAiBlC;IAEF;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAMvB,IAAI,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC;YAmSvC,cAAc;IAwE5B;;OAEG;YACW,iBAAiB;IA+F/B;;OAEG;IACH,OAAO,CAAC,gBAAgB;YAeV,uBAAuB;YAmGvB,aAAa;YAgDb,cAAc;YA+Fd,oBAAoB;YAwDpB,gBAAgB;YA0IhB,oBAAoB;YAgFpB,gBAAgB;YA2IhB,mBAAmB;YA4EnB,iBAAiB;YAyCjB,iBAAiB;YA+DjB,wBAAwB;YA0FxB,wBAAwB;YAmExB,wBAAwB;YAqHxB,oBAAoB;YA+GpB,uBAAuB;YAwIvB,iBAAiB;YA8GjB,oBAAoB;YAsHpB,mBAAmB;YAiGnB,gBAAgB;YAmIhB,oBAAoB;YAoIpB,gBAAgB;YAyHhB,qBAAqB;YA+GrB,eAAe;IAiI7B;;OAEG;YACW,mBAAmB;IA8GjC;;OAEG;YACW,oBAAoB;IAiKlC;;OAEG;YACW,iBAAiB;IA4I/B;;OAEG;YACW,oBAAoB;IAwIlC;;OAEG;YACW,eAAe;IAqJ7B;;OAEG;YACW,eAAe;IAuI7B;;OAEG;YACW,eAAe;IAyG7B;;OAEG;YACW,mBAAmB;IAmHjC,OAAO,CAAC,cAAc;IAsBtB;;OAEG;YACW,YAAY;IAkD1B;;OAEG;IACG,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IA6DhD;;;OAGG;YACW,cAAc;IAgD5B;;OAEG;YACW,mBAAmB;IAycjC;;;OAGG;YACW,kBAAkB;IAgDhC;;OAEG;YACW,sBAAsB;IA2LpC;;OAEG;YACW,sBAAsB;IA+BpC;;OAEG;YACW,oBAAoB;IAqVlC;;OAEG;IACH,OAAO,CAAC,mBAAmB;IA4B3B;;OAEG;YACW,iBAAiB;IA8D/B;;OAEG;YACW,mBAAmB;IA6VjC;;OAEG;YACW,wBAAwB;IA4OtC;;OAEG;YACW,gBAAgB;IA6J9B;;;OAGG;YACW,eAAe;IAoD7B;;;OAGG;YACW,aAAa;IAwC3B;;;OAGG;YACW,oBAAoB;IA+JlC;;;OAGG;YACW,iBAAiB;IA6H/B;;;OAGG;YACW,kBAAkB;IA+EhC;;;OAGG;YACW,aAAa;IAuF3B;;OAEG;YACW,gBAAgB;IA+D9B;;;;OAIG;YACW,yBAAyB;CA4NxC"}
+{"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../../src/hardening/scanner.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH,OAAO,KAAK,EAAE,UAAU,EAA0C,MAAM,kBAAkB,CAAC;AAkF3F,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,0CAA0C;IAC1C,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,0DAA0D;IAC1D,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,wEAAwE;IACxE,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,2EAA2E;IAC3E,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,oDAAoD;IACpD,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IACvC,mEAAmE;IACnE,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAoID,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,OAAO,CAAiB;IAEhC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAiBlC;IAEF;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAMvB,IAAI,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC;YAmSvC,cAAc;IAwE5B;;OAEG;YACW,iBAAiB;IA+F/B;;OAEG;IACH,OAAO,CAAC,gBAAgB;YAeV,uBAAuB;YAmGvB,aAAa;YAgDb,cAAc;YA+Fd,oBAAoB;YAwDpB,gBAAgB;YA0IhB,oBAAoB;YAgFpB,gBAAgB;YA2IhB,mBAAmB;YA4EnB,iBAAiB;YAyCjB,iBAAiB;YA+DjB,wBAAwB;YA0FxB,wBAAwB;YAmExB,wBAAwB;YAqHxB,oBAAoB;YA+GpB,uBAAuB;YAwIvB,iBAAiB;YA8GjB,oBAAoB;YAsHpB,mBAAmB;YAiGnB,gBAAgB;YAmIhB,oBAAoB;YAoIpB,gBAAgB;YAyHhB,qBAAqB;YA+GrB,eAAe;IAiI7B;;OAEG;YACW,mBAAmB;IA8GjC;;OAEG;YACW,oBAAoB;IAiKlC;;OAEG;YACW,iBAAiB;IA4I/B;;OAEG;YACW,oBAAoB;IAwIlC;;OAEG;YACW,eAAe;IAqJ7B;;OAEG;YACW,eAAe;IAuI7B;;OAEG;YACW,eAAe;IAyG7B;;OAEG;YACW,mBAAmB;IAmHjC,OAAO,CAAC,cAAc;IAsBtB;;OAEG;YACW,YAAY;IAkD1B;;OAEG;IACG,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IA6DhD;;;OAGG;YACW,cAAc;IAgD5B;;OAEG;YACW,mBAAmB;IAycjC;;;OAGG;YACW,kBAAkB;IAgDhC;;OAEG;YACW,sBAAsB;IA2LpC;;OAEG;YACW,sBAAsB;IA+BpC;;OAEG;YACW,oBAAoB;IAqVlC;;OAEG;IACH,OAAO,CAAC,mBAAmB;IA4B3B;;OAEG;YACW,iBAAiB;IA8D/B;;OAEG;YACW,mBAAmB;IA6VjC;;OAEG;YACW,wBAAwB;IA4OtC;;OAEG;YACW,gBAAgB;IA6J9B;;;OAGG;YACW,eAAe;IAoD7B;;;OAGG;YACW,aAAa;IAwC3B;;;OAGG;YACW,oBAAoB;IA+JlC;;;OAGG;YACW,iBAAiB;IA6H/B;;;OAGG;YACW,kBAAkB;IA+EhC;;;OAGG;YACW,aAAa;IAuF3B;;OAEG;YACW,gBAAgB;IA+D9B;;;;OAIG;YACW,yBAAyB;CAoWxC"}

package/dist/hardening/scanner.js

@@ -218,6 +218,11 @@ const SEVERITY_WEIGHTS = {
 };
 const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB max file size to prevent memory exhaustion
 const MAX_LINE_LENGTH = 10000; // 10KB max line length for regex safety
+/** Shell-escape a string for safe interpolation into advisory fix commands. */
+function shellEscape(s) {
+    // Wrap in single quotes and escape embedded single quotes: ' -> '\''
+    return "'" + s.replace(/'/g, "'\\''") + "'";
+}
 class HardeningScanner {
     constructor() {
         this.cliName = 'hackmyagent';
@@ -3756,7 +3761,7 @@ dist/
             await fs.access(backupBaseDir);
         }
         catch {
-            throw new Error('No backup found. Run hackmyagent harden --fix <dir> first to create a backup.');
+            throw new Error('No backup found. Run hackmyagent secure --fix <dir> first to create a backup.');
         }
         // Find the most recent backup
         const backups = await fs.readdir(backupBaseDir);
@@ -3765,7 +3770,7 @@ dist/
             .sort()
             .reverse();
         if (sortedBackups.length === 0) {
-            throw new Error('No backup found. Run hackmyagent harden --fix <dir> first to create a backup.');
+            throw new Error('No backup found. Run hackmyagent secure --fix <dir> first to create a backup.');
         }
         const latestBackup = sortedBackups[0];
         const backupDir = path.join(backupBaseDir, latestBackup);
@@ -4883,8 +4888,8 @@ dist/
                 if (!this.isPathWithinDirectory(fullPath, targetDir)) {
                     continue;
                 }
-                // Skip node_modules and .git directories
-                if (entryName === 'node_modules' || entryName === '.git') {
+                // Skip node_modules, .git, and backup directories
+                if (entryName === 'node_modules' || entryName === '.git' || entryName === '.hackmyagent-backup') {
                     continue;
                 }
                 let stat;
@@ -6224,7 +6229,9 @@ dist/
      */
     async checkUnicodeSteganography(targetDir, _autoFix) {
         const findings = [];
-        const sourceFiles = await this.findSourceFiles(targetDir, targetDir);
+        // Scan expanded file types beyond JS/TS (configs, docs, and Python are attack surfaces too)
+        const stegoExtensions = ['.ts', '.js', '.mjs', '.cjs', '.tsx', '.jsx', '.py', '.md', '.txt', '.yaml', '.yml', '.json', '.toml'];
+        const sourceFiles = await this.walkDirectory(targetDir, stegoExtensions);
         for (const filePath of sourceFiles) {
             const relativePath = path.relative(targetDir, filePath);
             let rawBuffer;
@@ -6238,12 +6245,22 @@ dist/
             if (rawBuffer.length > MAX_FILE_SIZE)
                 continue;
             // UNICODE-STEGO-001: Invisible Codepoint Detection
-            // Scan for variation selectors U+FE00-FE0F (UTF-8: EF B8 80-8F)
-            // and tag characters U+E0100-E01EF (UTF-8: F3 A0 84 80 - F3 A0 87 AF)
+            // Scan for:
+            //   - Variation selectors U+FE00-FE0F (UTF-8: EF B8 80-8F)
+            //   - Tag characters U+E0100-E01EF (UTF-8: F3 A0 84 80 - F3 A0 87 AF)
+            //   - Zero-width chars: U+200B (E2 80 8B), U+200C (E2 80 8C), U+200D (E2 80 8D)
+            //   - Mid-file BOM: U+FEFF (EF BB BF) -- skip offset 0
+            //   - Bidi overrides: U+202A-202E (E2 80 AA-AE), U+2066-2069 (E2 81 A6-A9)
             let hasVariationSelectors = false;
             let variationSelectorLine = 1;
             let hasTagCharsIn001 = false;
             let tagCharLine001 = 1;
+            let hasZeroWidth = false;
+            let zeroWidthLine = 1;
+            let hasMidFileBom = false;
+            let midFileBomLine = 1;
+            let hasBidiOverride = false;
+            let bidiOverrideLine = 1;
             let currentLine = 1;
             for (let i = 0; i < rawBuffer.length; i++) {
                 if (rawBuffer[i] === 0x0A) {
@@ -6272,25 +6289,86 @@ dist/
                         tagCharLine001 = currentLine;
                     }
                 }
+                // Zero-width chars: U+200B/200C/200D = E2 80 8B/8C/8D
+                if (rawBuffer[i] === 0xE2 &&
+                    i + 2 < rawBuffer.length &&
+                    rawBuffer[i + 1] === 0x80 &&
+                    rawBuffer[i + 2] >= 0x8B &&
+                    rawBuffer[i + 2] <= 0x8D) {
+                    if (!hasZeroWidth) {
+                        hasZeroWidth = true;
+                        zeroWidthLine = currentLine;
+                    }
+                }
+                // Mid-file BOM: U+FEFF = EF BB BF (skip if at offset 0)
+                if (i > 0 &&
+                    rawBuffer[i] === 0xEF &&
+                    i + 2 < rawBuffer.length &&
+                    rawBuffer[i + 1] === 0xBB &&
+                    rawBuffer[i + 2] === 0xBF) {
+                    if (!hasMidFileBom) {
+                        hasMidFileBom = true;
+                        midFileBomLine = currentLine;
+                    }
+                }
+                // Bidi overrides: U+202A-202E = E2 80 AA-AE
+                if (rawBuffer[i] === 0xE2 &&
+                    i + 2 < rawBuffer.length &&
+                    rawBuffer[i + 1] === 0x80 &&
+                    rawBuffer[i + 2] >= 0xAA &&
+                    rawBuffer[i + 2] <= 0xAE) {
+                    if (!hasBidiOverride) {
+                        hasBidiOverride = true;
+                        bidiOverrideLine = currentLine;
+                    }
+                }
+                // Bidi isolates: U+2066-2069 = E2 81 A6-A9
+                if (rawBuffer[i] === 0xE2 &&
+                    i + 2 < rawBuffer.length &&
+                    rawBuffer[i + 1] === 0x81 &&
+                    rawBuffer[i + 2] >= 0xA6 &&
+                    rawBuffer[i + 2] <= 0xA9) {
+                    if (!hasBidiOverride) {
+                        hasBidiOverride = true;
+                        bidiOverrideLine = currentLine;
+                    }
+                }
             }
-            if (hasVariationSelectors || hasTagCharsIn001) {
+            // Bidi and variation/tag chars are critical; zero-width-only is high
+            const hasCriticalInvisible = hasVariationSelectors || hasTagCharsIn001 || hasBidiOverride;
+            const hasAnyInvisible = hasCriticalInvisible || hasZeroWidth || hasMidFileBom;
+            if (hasAnyInvisible) {
                 const detectedTypes = [];
                 if (hasVariationSelectors)
                     detectedTypes.push('variation selectors (U+FE00-FE0F)');
                 if (hasTagCharsIn001)
                     detectedTypes.push('tag characters (U+E0100-E01EF)');
+                if (hasZeroWidth)
+                    detectedTypes.push('zero-width characters (U+200B-200D)');
+                if (hasMidFileBom)
+                    detectedTypes.push('mid-file BOM (U+FEFF)');
+                if (hasBidiOverride)
+                    detectedTypes.push('bidi overrides (U+202A-202E, U+2066-2069)');
+                // Determine first line hit for reporting
+                const firstLine = Math.min(...[
+                    hasVariationSelectors ? variationSelectorLine : Infinity,
+                    hasTagCharsIn001 ? tagCharLine001 : Infinity,
+                    hasZeroWidth ? zeroWidthLine : Infinity,
+                    hasMidFileBom ? midFileBomLine : Infinity,
+                    hasBidiOverride ? bidiOverrideLine : Infinity,
+                ]);
                 findings.push({
                     checkId: 'UNICODE-STEGO-001',
                     name: 'Invisible Unicode Codepoints Detected',
                     description: 'Source file contains invisible Unicode codepoints that can hide malicious payloads (GlassWorm attack vector)',
                     category: 'unicode-stego',
-                    severity: 'critical',
+                    severity: hasCriticalInvisible ? 'critical' : 'high',
                     passed: false,
                     message: `Found ${detectedTypes.join(' and ')} in ${relativePath}`,
                     file: relativePath,
-                    line: hasVariationSelectors ? variationSelectorLine : tagCharLine001,
+                    line: firstLine,
                     fixable: false,
-                    fix: 'Inspect the file with a hex editor (e.g., xxd) to identify and remove invisible Unicode codepoints. Run: xxd ' + relativePath + ' | grep -E "fe0[0-9a-f]|f3a0"',
+                    fix: 'Inspect the file with a hex editor (e.g., xxd) to identify and remove invisible Unicode codepoints. Run: xxd ' + shellEscape(relativePath) + ' | grep -iE "e280[8-9a-e]|efbb|efb8|f3a0"',
                 });
             }
             // UNICODE-STEGO-002: GlassWorm Decoder Pattern
@@ -6380,7 +6458,7 @@ dist/
                         file: relativePath,
                         line: evalLine,
                         fixable: false,
-                        fix: 'Remove the eval/Function call and inspect the string argument with a hex editor. The string likely contains invisible Unicode characters encoding a malicious payload. Run: node -e "const fs=require(\'fs\'); const s=fs.readFileSync(\'' + relativePath + '\',\'utf8\'); console.log([...s].filter(c=>c.codePointAt(0)>0x200).map(c=>c.codePointAt(0).toString(16)))"',
+                        fix: 'Remove the eval/Function call and inspect the string argument with a hex editor. The string likely contains invisible Unicode characters encoding a malicious payload. Run: node -e "const fs=require(\'fs\'); const s=fs.readFileSync(' + JSON.stringify(relativePath) + ',\'utf8\'); console.log([...s].filter(c=>c.codePointAt(0)>0x200).map(c=>c.codePointAt(0).toString(16)))"',
                     });
                     break; // One finding per file
                 }
@@ -6422,10 +6500,61 @@ dist/
                         file: relativePath,
                         line: tagBlockLine,
                         fixable: false,
-                        fix: 'Inspect the file with a hex editor to identify tag block characters (byte sequence starting with F3 A0). These characters are invisible and have no legitimate use in source code. Run: xxd ' + relativePath + ' | grep "f3a0"',
+                        fix: 'Inspect the file with a hex editor to identify tag block characters (byte sequence starting with F3 A0). These characters are invisible and have no legitimate use in source code. Run: xxd ' + shellEscape(relativePath) + ' | grep "f3a0"',
                     });
                 }
             }
+            // UNICODE-STEGO-005: Homoglyph Confusable Detection
+            // Detect Cyrillic/Greek characters that look identical to Latin but have different codepoints.
+            // These can be used to bypass code review and hide malicious identifiers.
+            const homoglyphCodepoints = new Set([
+                // Cyrillic uppercase that look like Latin: A, B, C, E, H, K, M, O, P, T, X
+                0x0410, 0x0412, 0x0421, 0x0415, 0x041D, 0x041A, 0x041C, 0x041E, 0x0420, 0x0422, 0x0425,
+                // Cyrillic lowercase that look like Latin: a, e, o, p, c, x
+                0x0430, 0x0435, 0x043E, 0x0440, 0x0441, 0x0445,
+                // Fullwidth Latin (U+FF21-FF3A, U+FF41-FF5A) -- spot-check common ones
+                0xFF21, 0xFF22, 0xFF41, 0xFF42,
+            ]);
+            let homoglyphFound = false;
+            let homoglyphLine = 1;
+            let homoglyphChar = '';
+            const contentForHomoglyph = content || rawBuffer.toString('utf-8');
+            const homoglyphLines = contentForHomoglyph.split('\n');
+            for (let lineIdx = 0; lineIdx < homoglyphLines.length; lineIdx++) {
+                const line = homoglyphLines[lineIdx];
+                if (line.length > MAX_LINE_LENGTH)
+                    continue;
+                // Skip comment lines
+                const trimmed = line.trimStart();
+                if (trimmed.startsWith('//') || trimmed.startsWith('#') || trimmed.startsWith('*'))
+                    continue;
+                for (const ch of line) {
+                    const cp = ch.codePointAt(0);
+                    if (homoglyphCodepoints.has(cp)) {
+                        homoglyphFound = true;
+                        homoglyphLine = lineIdx + 1;
+                        homoglyphChar = `U+${cp.toString(16).toUpperCase().padStart(4, '0')}`;
+                        break;
+                    }
+                }
+                if (homoglyphFound)
+                    break;
+            }
+            if (homoglyphFound) {
+                findings.push({
+                    checkId: 'UNICODE-STEGO-005',
+                    name: 'Homoglyph Confusable Characters Detected',
+                    description: 'Source file contains characters from non-Latin scripts (Cyrillic, Greek, Fullwidth) that visually resemble Latin letters. These can be used to create identifiers that look identical in code review but behave differently at runtime.',
+                    category: 'unicode-stego',
+                    severity: 'high',
+                    passed: false,
+                    message: `Found homoglyph confusable character (${homoglyphChar}) in ${relativePath} at line ${homoglyphLine}`,
+                    file: relativePath,
+                    line: homoglyphLine,
+                    fixable: false,
+                    fix: 'Inspect the file for characters that look like Latin letters but are actually Cyrillic, Greek, or Fullwidth. Replace them with their ASCII equivalents. Run: node -e "const fs=require(\'fs\'); [...fs.readFileSync(' + JSON.stringify(relativePath) + ',\'utf8\')].forEach((c,i)=>{const cp=c.codePointAt(0); if(cp>0x7F && cp<0xFFFF) console.log(i, cp.toString(16), c)})"',
+                });
+            }
         }
         return findings;
     }