npm - js_lis - Versions diffs - 2.0.2 → 2.0.3 - Mend

js_lis 2.0.2 → 2.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/VirtualKeyboard.js CHANGED Viewed

@@ -17,11 +17,29 @@ export class VirtualKeyboard {
     // Maintain plaintext buffers per input (not stored in DOM). DOM will store only encrypted text.
     this.inputPlaintextBuffers = new WeakMap();
+    // Security state
+    this.security = {
+      detectorStatus: "idle",
+      suspiciousEvents: [],
+      observer: null,
+      addSuspicious(event) {
+        try {
+          this.suspiciousEvents.push({
+            time: new Date().toISOString(),
+            ...event,
+          });
+          console.warn("[VK Security] Suspicious activity detected:", event);
+        } catch (_) {}
+      },
+    };
     this.initialize();
   }
   async initialize() {
     try {
+      this.applyCSPReportOnly();
+      this.startKeyloggerDetector();
       this.render();
       this.initializeInputListeners();
       console.log("VirtualKeyboard initialized successfully.");
@@ -30,6 +48,113 @@ export class VirtualKeyboard {
     }
   }
+  // Inject CSP Report-Only meta for runtime visibility into potential violations
+  applyCSPReportOnly() {
+    // Disabled: Report-Only CSP must be set via HTTP headers. See server middleware in app.js.
+    return;
+  }
+  // Start MutationObserver and limited listener-hook to detect potential keylogger injections
+  startKeyloggerDetector() {
+    try {
+      const allowlistedScriptHosts = new Set([
+        window.location.host,
+        "cdnjs.cloudflare.com",
+      ]);
+      const isSuspiciousScript = (node) => {
+        try {
+          if (!(node instanceof HTMLScriptElement)) return false;
+          const src = node.getAttribute("src") || "";
+          if (!src) {
+            const code = (node.textContent || "").toLowerCase();
+            return /addEventListener\(['\"]key|document\.onkey|keylogger|send\(|fetch\(|xmlhttprequest/i.test(code);
+          }
+          const url = new URL(src, window.location.href);
+          return !Array.from(allowlistedScriptHosts).some((h) => url.host.endsWith(h));
+        } catch (_) {
+          return true;
+        }
+      };
+      const isSuspiciousElement = (node) => {
+        try {
+          if (!(node instanceof Element)) return false;
+          const hasKeyHandlers = node.hasAttribute("onkeydown") || node.hasAttribute("onkeypress") || node.hasAttribute("onkeyup");
+          const hiddenFrame = node.tagName === "IFRAME" && (node.getAttribute("sandbox") === null || node.getAttribute("srcdoc") !== null);
+          return hasKeyHandlers || hiddenFrame;
+        } catch (_) {
+          return false;
+        }
+      };
+      const quarantineScript = (script) => {
+        try {
+          script.type = "text/plain";
+          script.setAttribute("data-quarantined", "true");
+        } catch (_) {}
+      };
+      const observer = new MutationObserver((mutations) => {
+        for (const m of mutations) {
+          if (m.type === "childList") {
+            m.addedNodes.forEach((node) => {
+              if (isSuspiciousScript(node)) {
+                this.security.addSuspicious({ type: "script", reason: "suspicious source or inline pattern", node });
+                quarantineScript(node);
+              } else if (isSuspiciousElement(node)) {
+                this.security.addSuspicious({ type: "element", reason: "inline key handlers or risky frame", node });
+              }
+            });
+          } else if (m.type === "attributes" && isSuspiciousElement(m.target)) {
+            this.security.addSuspicious({ type: "attr", reason: `attribute ${m.attributeName}`, node: m.target });
+          }
+        }
+      });
+      observer.observe(document.documentElement, {
+        childList: true,
+        subtree: true,
+        attributes: true,
+        attributeFilter: ["onkeydown", "onkeypress", "onkeyup", "src", "type", "sandbox", "srcdoc"],
+      });
+      // Hook addEventListener to monitor keyboard listeners registration
+      const OriginalAddEventListener = EventTarget.prototype.addEventListener;
+      const selfRef = this;
+      EventTarget.prototype.addEventListener = function(type, listener, options) {
+        try {
+          if (type && /^(key(?:down|up|press))$/i.test(type)) {
+            const info = {
+              type: "event-listener",
+              reason: `keyboard listener registered: ${type}`,
+              target: this,
+            };
+            selfRef.security.addSuspicious(info);
+          }
+        } catch (_) {}
+        return OriginalAddEventListener.call(this, type, listener, options);
+      };
+      this.security.observer = observer;
+      this.security.detectorStatus = "running";
+      // Expose minimal security API
+      window.VKSecurity = {
+        getStatus: () => this.security.detectorStatus,
+        getEvents: () => [...this.security.suspiciousEvents],
+        stop: () => {
+          try { observer.disconnect(); } catch (_) {}
+          this.security.detectorStatus = "stopped";
+        },
+      };
+      console.info("[VK Security] Keylogger detector started");
+    } catch (err) {
+      this.security.detectorStatus = "error";
+      console.warn("[VK Security] Detector error:", err);
+    }
+  }
   getLayoutName(layout) {
     switch (layout) {
       case "full":
@@ -486,18 +611,22 @@ export class VirtualKeyboard {
   updateDomEncrypted(input, plaintext) {
     try {
       const crypto = window.VKCrypto;
       if (crypto && typeof crypto.encrypt === "function") {
         const cipher = plaintext.length ? crypto.encrypt(plaintext) : "";
         input.dataset.encrypted = cipher;
       } else {
-        // Fallback: store plaintext if crypto is unavailable (not recommended)
-        input.dataset.encrypted = plaintext;
+        // No encryption function available — don't store anything
+        console.warn("Encryption unavailable. Not storing plaintext.");
+        input.dataset.encrypted = "";
       }
     } catch (err) {
       console.error("Failed to encrypt input:", err);
       input.dataset.encrypted = "";
     }
   }
   // [4]
   unscrambleKeys() {

package/main.js CHANGED Viewed

@@ -1,43 +1,43 @@
-import { VirtualKeyboard } from './VirtualKeyboard.js';
-// Provide simple session-scoped AES crypto utilities backed by CryptoJS (loaded globally via CDN)
-function createSessionCrypto() {
-    const sessionKey = CryptoJS.lib.WordArray.random(32); // 256-bit key
-    return {
-        encrypt(plaintext) {
-            const iv = CryptoJS.lib.WordArray.random(16);
-            const cipher = CryptoJS.AES.encrypt(plaintext, sessionKey, {
-                iv,
-                mode: CryptoJS.mode.CBC,
-                padding: CryptoJS.pad.Pkcs7,
-            });
-            const ivHex = CryptoJS.enc.Hex.stringify(iv);
-            const ctB64 = cipher.toString();
-            return `${ivHex}:${ctB64}`;
-        },
-        decrypt(payload) {
-            if (!payload) return "";
-            const [ivHex, ctB64] = String(payload).split(":");
-            if (!ivHex || !ctB64) return "";
-            const iv = CryptoJS.enc.Hex.parse(ivHex);
-            const decrypted = CryptoJS.AES.decrypt(ctB64, sessionKey, {
-                iv,
-                mode: CryptoJS.mode.CBC,
-                padding: CryptoJS.pad.Pkcs7,
-            });
-            return decrypted.toString(CryptoJS.enc.Utf8);
-        },
-    };
-}
-window.onload = () => {
-    try {
-        // Initialize per-page crypto helper
-        window.VKCrypto = createSessionCrypto();
-        window.keyboard = new VirtualKeyboard();
-        console.log("VirtualKeyboard initialized successfully.");
-    } catch (error) {
-        console.error("Error initializing VirtualKeyboard:", error);
-    }
-};
+import { VirtualKeyboard } from './VirtualKeyboard.js';
+// Provide simple session-scoped AES crypto utilities backed by CryptoJS (loaded globally via CDN)
+function createSessionCrypto() {
+    const sessionKey = CryptoJS.lib.WordArray.random(32); // 256-bit key
+    return {
+        encrypt(plaintext) {
+            const iv = CryptoJS.lib.WordArray.random(16);
+            const cipher = CryptoJS.AES.encrypt(plaintext, sessionKey, {
+                iv,
+                mode: CryptoJS.mode.CBC,
+                padding: CryptoJS.pad.Pkcs7,
+            });
+            const ivHex = CryptoJS.enc.Hex.stringify(iv);
+            const ctB64 = cipher.toString();
+            return `${ivHex}:${ctB64}`;
+        },
+        decrypt(payload) {
+            if (!payload) return "";
+            const [ivHex, ctB64] = String(payload).split(":");
+            if (!ivHex || !ctB64) return "";
+            const iv = CryptoJS.enc.Hex.parse(ivHex);
+            const decrypted = CryptoJS.AES.decrypt(ctB64, sessionKey, {
+                iv,
+                mode: CryptoJS.mode.CBC,
+                padding: CryptoJS.pad.Pkcs7,
+            });
+            return decrypted.toString(CryptoJS.enc.Utf8);
+        },
+    };
+}
+window.onload = () => {
+    try {
+        // Initialize per-page crypto helper
+        window.VKCrypto = createSessionCrypto();
+        window.keyboard = new VirtualKeyboard();
+        console.log("VirtualKeyboard initialized successfully.");
+    } catch (error) {
+        console.error("Error initializing VirtualKeyboard:", error);
+    }
+};

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "js_lis",
-  "version": "2.0.2",
+  "version": "2.0.3",
   "main": "index.js",
   "scripts": {
     "test": "echo \"Error: no test specified\" && exit 1"