npm - js_lis - Versions diffs - 2.0.2 → 2.0.4 - Mend

js_lis 2.0.2 → 2.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/VirtualKeyboard.js CHANGED Viewed

@@ -13,15 +13,34 @@ export class VirtualKeyboard {
     this.shiftActive = false;
     this.capsLockActive = false;
     this.isScrambled = false;
+    this.isVirtualKeyboardActive = false; // Flag to track VK operations
     // Maintain plaintext buffers per input (not stored in DOM). DOM will store only encrypted text.
     this.inputPlaintextBuffers = new WeakMap();
+    // Security state
+    this.security = {
+      detectorStatus: "idle",
+      suspiciousEvents: [],
+      observer: null,
+      addSuspicious(event) {
+        try {
+          this.suspiciousEvents.push({
+            time: new Date().toISOString(),
+            ...event,
+          });
+          console.warn("[VK Security] Suspicious activity detected:", event);
+        } catch (_) {}
+      },
+    };
     this.initialize();
   }
   async initialize() {
     try {
+      this.applyCSPReportOnly();
+      this.startKeyloggerDetector();
       this.render();
       this.initializeInputListeners();
       console.log("VirtualKeyboard initialized successfully.");
@@ -30,6 +49,113 @@ export class VirtualKeyboard {
     }
   }
+  // Inject CSP Report-Only meta for runtime visibility into potential violations
+  applyCSPReportOnly() {
+    // Disabled: Report-Only CSP must be set via HTTP headers. See server middleware in app.js.
+    return;
+  }
+  // Start MutationObserver and limited listener-hook to detect potential keylogger injections
+  startKeyloggerDetector() {
+    try {
+      const allowlistedScriptHosts = new Set([
+        window.location.host,
+        "cdnjs.cloudflare.com",
+      ]);
+      const isSuspiciousScript = (node) => {
+        try {
+          if (!(node instanceof HTMLScriptElement)) return false;
+          const src = node.getAttribute("src") || "";
+          if (!src) {
+            const code = (node.textContent || "").toLowerCase();
+            return /addEventListener\(['\"]key|document\.onkey|keylogger|send\(|fetch\(|xmlhttprequest/i.test(code);
+          }
+          const url = new URL(src, window.location.href);
+          return !Array.from(allowlistedScriptHosts).some((h) => url.host.endsWith(h));
+        } catch (_) {
+          return true;
+        }
+      };
+      const isSuspiciousElement = (node) => {
+        try {
+          if (!(node instanceof Element)) return false;
+          const hasKeyHandlers = node.hasAttribute("onkeydown") || node.hasAttribute("onkeypress") || node.hasAttribute("onkeyup");
+          const hiddenFrame = node.tagName === "IFRAME" && (node.getAttribute("sandbox") === null || node.getAttribute("srcdoc") !== null);
+          return hasKeyHandlers || hiddenFrame;
+        } catch (_) {
+          return false;
+        }
+      };
+      const quarantineScript = (script) => {
+        try {
+          script.type = "text/plain";
+          script.setAttribute("data-quarantined", "true");
+        } catch (_) {}
+      };
+      const observer = new MutationObserver((mutations) => {
+        for (const m of mutations) {
+          if (m.type === "childList") {
+            m.addedNodes.forEach((node) => {
+              if (isSuspiciousScript(node)) {
+                this.security.addSuspicious({ type: "script", reason: "suspicious source or inline pattern", node });
+                quarantineScript(node);
+              } else if (isSuspiciousElement(node)) {
+                this.security.addSuspicious({ type: "element", reason: "inline key handlers or risky frame", node });
+              }
+            });
+          } else if (m.type === "attributes" && isSuspiciousElement(m.target)) {
+            this.security.addSuspicious({ type: "attr", reason: `attribute ${m.attributeName}`, node: m.target });
+          }
+        }
+      });
+      observer.observe(document.documentElement, {
+        childList: true,
+        subtree: true,
+        attributes: true,
+        attributeFilter: ["onkeydown", "onkeypress", "onkeyup", "src", "type", "sandbox", "srcdoc"],
+      });
+      // Hook addEventListener to monitor keyboard listeners registration
+      const OriginalAddEventListener = EventTarget.prototype.addEventListener;
+      const selfRef = this;
+      EventTarget.prototype.addEventListener = function(type, listener, options) {
+        try {
+          if (type && /^(key(?:down|up|press))$/i.test(type)) {
+            const info = {
+              type: "event-listener",
+              reason: `keyboard listener registered: ${type}`,
+              target: this,
+            };
+            selfRef.security.addSuspicious(info);
+          }
+        } catch (_) {}
+        return OriginalAddEventListener.call(this, type, listener, options);
+      };
+      this.security.observer = observer;
+      this.security.detectorStatus = "running";
+      // Expose minimal security API
+      window.VKSecurity = {
+        getStatus: () => this.security.detectorStatus,
+        getEvents: () => [...this.security.suspiciousEvents],
+        stop: () => {
+          try { observer.disconnect(); } catch (_) {}
+          this.security.detectorStatus = "stopped";
+        },
+      };
+      console.info("[VK Security] Keylogger detector started");
+    } catch (err) {
+      this.security.detectorStatus = "error";
+      console.warn("[VK Security] Detector error:", err);
+    }
+  }
   getLayoutName(layout) {
     switch (layout) {
       case "full":
@@ -66,6 +192,30 @@ export class VirtualKeyboard {
       true
     );
+    // Add real keyboard input listeners to handle encryption
+    document.addEventListener("input", (e) => {
+      const target = e.target;
+      if ((target.tagName === "INPUT" || target.tagName === "TEXTAREA") && target === this.currentInput) {
+        // Only handle real keyboard input if it's not coming from virtual keyboard operations
+        if (!this.isVirtualKeyboardActive) {
+          this.handleRealKeyboardInput(target);
+        }
+      }
+    });
+    document.addEventListener("keydown", (e) => {
+      const target = e.target;
+      if ((target.tagName === "INPUT" || target.tagName === "TEXTAREA") && target === this.currentInput) {
+        // Handle special keys that might not trigger input event
+        if ((e.key === "Backspace" || e.key === "Delete") && !this.isVirtualKeyboardActive) {
+          // Wait for the input event to handle the updated value
+          setTimeout(() => {
+            this.handleRealKeyboardInput(target);
+          }, 0);
+        }
+      }
+    });
     const toggle = document.getElementById("toggle");
     if (toggle) {
       toggle.addEventListener("click", this.toggle.bind(this));
@@ -182,6 +332,10 @@ export class VirtualKeyboard {
   // [2]
   async handleKeyPress(keyPressed) {
     if (!this.currentInput) return;
+    // Set flag to indicate virtual keyboard is active
+    this.isVirtualKeyboardActive = true;
     const start = this.currentInput.selectionStart;
     const end = this.currentInput.selectionEnd;
     const buffer = this.getCurrentBuffer();
@@ -196,7 +350,10 @@ export class VirtualKeyboard {
       return char.toLowerCase();
     };
-    if (!keyPressed) return console.error("Invalid key pressed.");
+    if (!keyPressed) {
+      this.isVirtualKeyboardActive = false;
+      return console.error("Invalid key pressed.");
+    }
     if (keyPressed === "scr" || keyPressed === "scrambled") {
       if (this.currentLayout === "en") {
@@ -250,6 +407,7 @@ export class VirtualKeyboard {
           key.classList.toggle("active", this.isScrambled);
         });
       }
+      this.isVirtualKeyboardActive = false;
       return;
     }
@@ -445,6 +603,9 @@ export class VirtualKeyboard {
     this.currentInput.focus();
     const event = new Event("input", { bubbles: true });
     this.currentInput.dispatchEvent(event);
+    // Reset flag after virtual keyboard operation is complete
+    this.isVirtualKeyboardActive = false;
   }
   // [3]
@@ -482,22 +643,43 @@ export class VirtualKeyboard {
     this.currentInput.value = isPassword ? maskChar.repeat(buffer.length) : buffer;
   }
+  // Handle real keyboard input and encrypt it
+  handleRealKeyboardInput(input) {
+    if (!input) return;
+    // Get the current value from the input
+    const currentValue = input.value;
+    // Update the plaintext buffer with the real keyboard input
+    this.inputPlaintextBuffers.set(input, currentValue);
+    // Encrypt and store in data-encrypted attribute
+    this.updateDomEncrypted(input, currentValue);
+    // console.log("Real keyboard input captured and encrypted for:", input.id || input.name || "unnamed input");
+    // console.log("Input type:", input.type, "Value length:", currentValue.length);
+  }
   // Helper: encrypt and store ciphertext in DOM attribute
   updateDomEncrypted(input, plaintext) {
     try {
       const crypto = window.VKCrypto;
       if (crypto && typeof crypto.encrypt === "function") {
         const cipher = plaintext.length ? crypto.encrypt(plaintext) : "";
         input.dataset.encrypted = cipher;
       } else {
-        // Fallback: store plaintext if crypto is unavailable (not recommended)
-        input.dataset.encrypted = plaintext;
+        // No encryption function available — don't store anything
+        console.warn("Encryption unavailable. Not storing plaintext.");
+        input.dataset.encrypted = "";
       }
     } catch (err) {
       console.error("Failed to encrypt input:", err);
       input.dataset.encrypted = "";
     }
   }
   // [4]
   unscrambleKeys() {

package/main.js CHANGED Viewed

@@ -1,43 +1,43 @@
-import { VirtualKeyboard } from './VirtualKeyboard.js';
-// Provide simple session-scoped AES crypto utilities backed by CryptoJS (loaded globally via CDN)
-function createSessionCrypto() {
-    const sessionKey = CryptoJS.lib.WordArray.random(32); // 256-bit key
-    return {
-        encrypt(plaintext) {
-            const iv = CryptoJS.lib.WordArray.random(16);
-            const cipher = CryptoJS.AES.encrypt(plaintext, sessionKey, {
-                iv,
-                mode: CryptoJS.mode.CBC,
-                padding: CryptoJS.pad.Pkcs7,
-            });
-            const ivHex = CryptoJS.enc.Hex.stringify(iv);
-            const ctB64 = cipher.toString();
-            return `${ivHex}:${ctB64}`;
-        },
-        decrypt(payload) {
-            if (!payload) return "";
-            const [ivHex, ctB64] = String(payload).split(":");
-            if (!ivHex || !ctB64) return "";
-            const iv = CryptoJS.enc.Hex.parse(ivHex);
-            const decrypted = CryptoJS.AES.decrypt(ctB64, sessionKey, {
-                iv,
-                mode: CryptoJS.mode.CBC,
-                padding: CryptoJS.pad.Pkcs7,
-            });
-            return decrypted.toString(CryptoJS.enc.Utf8);
-        },
-    };
-}
-window.onload = () => {
-    try {
-        // Initialize per-page crypto helper
-        window.VKCrypto = createSessionCrypto();
-        window.keyboard = new VirtualKeyboard();
-        console.log("VirtualKeyboard initialized successfully.");
-    } catch (error) {
-        console.error("Error initializing VirtualKeyboard:", error);
-    }
-};
+import { VirtualKeyboard } from './VirtualKeyboard.js';
+// Provide simple session-scoped AES crypto utilities backed by CryptoJS (loaded globally via CDN)
+function createSessionCrypto() {
+    const sessionKey = CryptoJS.lib.WordArray.random(32); // 256-bit key
+    return {
+        encrypt(plaintext) {
+            const iv = CryptoJS.lib.WordArray.random(16);
+            const cipher = CryptoJS.AES.encrypt(plaintext, sessionKey, {
+                iv,
+                mode: CryptoJS.mode.CBC,
+                padding: CryptoJS.pad.Pkcs7,
+            });
+            const ivHex = CryptoJS.enc.Hex.stringify(iv);
+            const ctB64 = cipher.toString();
+            return `${ivHex}:${ctB64}`;
+        },
+        decrypt(payload) {
+            if (!payload) return "";
+            const [ivHex, ctB64] = String(payload).split(":");
+            if (!ivHex || !ctB64) return "";
+            const iv = CryptoJS.enc.Hex.parse(ivHex);
+            const decrypted = CryptoJS.AES.decrypt(ctB64, sessionKey, {
+                iv,
+                mode: CryptoJS.mode.CBC,
+                padding: CryptoJS.pad.Pkcs7,
+            });
+            return decrypted.toString(CryptoJS.enc.Utf8);
+        },
+    };
+}
+window.onload = () => {
+    try {
+        // Initialize per-page crypto helper
+        window.VKCrypto = createSessionCrypto();
+        window.keyboard = new VirtualKeyboard();
+        console.log("VirtualKeyboard initialized successfully.");
+    } catch (error) {
+        console.error("Error initializing VirtualKeyboard:", error);
+    }
+};

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "js_lis",
-  "version": "2.0.2",
+  "version": "2.0.4",
   "main": "index.js",
   "scripts": {
     "test": "echo \"Error: no test specified\" && exit 1"