muaddib-scanner 1.3.1 → 1.4.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "1.3.1",
+  "version": "1.4.0",
   "description": "Supply-chain threat detection & response for npm",
   "main": "src/index.js",
   "bin": {

package/src/daemon.js

@@ -22,12 +22,20 @@ async function startDaemon(options = {}) {
 
   // Surveille le dossier courant
   const cwd = process.cwd();
-  watchDirectory(cwd);
+  const watchers = watchDirectory(cwd);
+
+  // Cleanup function to close all watchers
+  function cleanup() {
+    for (const w of watchers) {
+      try { w.close(); } catch { /* ignore */ }
+    }
+  }
 
   // Garde le processus actif
   process.on('SIGINT', () => {
     console.log('\n[DAEMON] Arret...');
     isRunning = false;
+    cleanup();
     process.exit(0);
   });
 
@@ -38,6 +46,7 @@ async function startDaemon(options = {}) {
 }
 
 function watchDirectory(dir) {
+  const watchers = [];
   const nodeModulesPath = path.join(dir, 'node_modules');
   const packageLockPath = path.join(dir, 'package-lock.json');
   const yarnLockPath = path.join(dir, 'yarn.lock');
@@ -46,21 +55,21 @@ function watchDirectory(dir) {
 
   // Surveille package-lock.json
   if (fs.existsSync(packageLockPath)) {
-    watchFile(packageLockPath, dir);
+    watchers.push(watchFile(packageLockPath, dir));
   }
 
   // Surveille yarn.lock
   if (fs.existsSync(yarnLockPath)) {
-    watchFile(yarnLockPath, dir);
+    watchers.push(watchFile(yarnLockPath, dir));
   }
 
   // Surveille node_modules
   if (fs.existsSync(nodeModulesPath)) {
-    watchNodeModules(nodeModulesPath, dir);
+    watchers.push(watchNodeModules(nodeModulesPath, dir));
   }
 
   // Surveille la creation de node_modules
-  fs.watch(dir, (eventType, filename) => {
+  const dirWatcher = fs.watch(dir, (eventType, filename) => {
     if (filename === 'node_modules' && eventType === 'rename') {
       const nmPath = path.join(dir, 'node_modules');
       if (fs.existsSync(nmPath)) {
@@ -73,25 +82,32 @@ function watchDirectory(dir) {
       triggerScan(dir);
     }
   });
+  watchers.push(dirWatcher);
+
+  return watchers;
 }
 
 function watchFile(filePath, projectDir) {
   let lastMtime = fs.statSync(filePath).mtime.getTime();
 
-  fs.watch(filePath, (eventType) => {
+  return fs.watch(filePath, (eventType) => {
     if (eventType === 'change') {
-      const currentMtime = fs.statSync(filePath).mtime.getTime();
-      if (currentMtime !== lastMtime) {
-        lastMtime = currentMtime;
-        console.log(`[DAEMON] ${path.basename(filePath)} modifie`);
-        triggerScan(projectDir);
+      try {
+        const currentMtime = fs.statSync(filePath).mtime.getTime();
+        if (currentMtime !== lastMtime) {
+          lastMtime = currentMtime;
+          console.log(`[DAEMON] ${path.basename(filePath)} modifie`);
+          triggerScan(projectDir);
+        }
+      } catch {
+        // File may have been deleted between watch trigger and stat
       }
     }
   });
 }
 
 function watchNodeModules(nodeModulesPath, projectDir) {
-  fs.watch(nodeModulesPath, { recursive: true }, (eventType, filename) => {
+  return fs.watch(nodeModulesPath, { recursive: true }, (eventType, filename) => {
     if (filename && filename.includes('package.json')) {
       console.log(`[DAEMON] Nouveau package detecte: ${filename}`);
       triggerScan(projectDir);

package/src/diff.js

@@ -4,6 +4,9 @@ const path = require('path');
 const fs = require('fs');
 const os = require('os');
 
+// Only allow safe characters in git refs (prevents command injection)
+const SAFE_REF_REGEX = /^[a-zA-Z0-9._\-/~^@{}:]+$/;
+
 /**
  * Get the list of commits/tags for comparison suggestions
  */
@@ -61,6 +64,9 @@ function getCurrentCommit(targetPath) {
  * Resolve a ref (tag, branch, commit) to a commit hash
  */
 function resolveRef(targetPath, ref) {
+  if (!SAFE_REF_REGEX.test(ref)) {
+    return null;
+  }
   try {
     return execSync(`git rev-parse ${ref}`, {
       cwd: targetPath,
@@ -92,11 +98,16 @@ function hasUncommittedChanges(targetPath) {
  * Create a temporary copy of the repo at a specific commit
  */
 function createTempCopyAtCommit(targetPath, commitHash) {
+  // Sanitize commitHash (should be a hex hash from resolveRef)
+  if (!SAFE_REF_REGEX.test(commitHash)) {
+    throw new Error('Invalid commit hash');
+  }
+
   const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), 'muaddib-diff-'));
 
   try {
-    // Clone the repo to temp directory
-    execSync(`git clone --quiet "${targetPath}" "${tempDir}"`, {
+    // Clone the repo to temp directory (use -- to separate paths from options)
+    execSync(`git clone --quiet -- "${targetPath}" "${tempDir}"`, {
       stdio: ['pipe', 'pipe', 'pipe']
     });
 
@@ -107,10 +118,11 @@ function createTempCopyAtCommit(targetPath, commitHash) {
     });
 
     // Install dependencies if package.json exists
+    // --ignore-scripts prevents execution of malicious preinstall/postinstall
     const packageJsonPath = path.join(tempDir, 'package.json');
     if (fs.existsSync(packageJsonPath)) {
       try {
-        execSync('npm install --quiet --no-audit --no-fund', {
+        execSync('npm install --quiet --no-audit --no-fund --ignore-scripts', {
           cwd: tempDir,
           stdio: ['pipe', 'pipe', 'pipe'],
           timeout: 60000
@@ -192,25 +204,20 @@ function compareThreats(oldThreats, newThreats) {
  * Run scan and capture results (without console output)
  */
 async function runSilentScan(targetPath, options = {}) {
-  // Capture console.log output
   const originalLog = console.log;
   const logs = [];
-  console.log = (...args) => logs.push(args.join(' '));
-
   try {
+    console.log = (...args) => logs.push(args.join(' '));
     await run(targetPath, { ...options, json: true });
+  } finally {
     console.log = originalLog;
+  }
 
-    // Parse the JSON output
-    const jsonOutput = logs.join('\n');
-    try {
-      return JSON.parse(jsonOutput);
-    } catch {
-      return { threats: [], summary: { total: 0 } };
-    }
-  } catch (err) {
-    console.log = originalLog;
-    throw err;
+  const jsonOutput = logs.join('\n');
+  try {
+    return JSON.parse(jsonOutput);
+  } catch {
+    return { threats: [], summary: { total: 0 } };
   }
 }
 

package/src/index.js

@@ -32,7 +32,10 @@ const SEVERITY_WEIGHTS = {
 
   // MEDIUM: Potential threats (suspicious patterns, light obfuscation)
   // Moderate impact, requires investigation but not necessarily malicious
-  MEDIUM: 3
+  MEDIUM: 3,
+
+  // LOW: Informational findings, minimal impact on risk score
+  LOW: 1
 };
 
 // Thresholds for determining the overall risk level
@@ -52,12 +55,12 @@ function scanParanoid(targetPath) {
   const threats = [];
 
   function scanFile(filePath) {
-  try {
-    const content = fs.readFileSync(filePath, 'utf8');
+    try {
+      const content = fs.readFileSync(filePath, 'utf8');
 
       // Ignore URLs (they often contain patterns like .git)
       const contentWithoutUrls = content.replace(/https?:\/\/[^\s"']+/g, '');
-      
+
       for (const [, rule] of Object.entries(PARANOID_RULES)) {
         for (const pattern of rule.patterns) {
           if (contentWithoutUrls.includes(pattern)) {
@@ -75,15 +78,18 @@ function scanParanoid(targetPath) {
       // Ignore read errors
     }
   }
-  
+
   function walkDir(dir) {
     const excluded = ['node_modules', '.git', 'test', 'tests', 'src', 'vscode-extension', '.muaddib-cache', 'data', 'iocs'];
     try {
       const files = fs.readdirSync(dir);
       for (const file of files) {
         const fullPath = path.join(dir, file);
-        const stat = fs.statSync(fullPath);
-        
+        // Use lstatSync to avoid following symlinks
+        const stat = fs.lstatSync(fullPath);
+
+        if (stat.isSymbolicLink()) continue;
+
         if (stat.isDirectory()) {
           if (!excluded.includes(file)) {
             walkDir(fullPath);
@@ -96,7 +102,7 @@ function scanParanoid(targetPath) {
       // Ignore walk errors
     }
   }
-  
+
   walkDir(targetPath);
   return threats;
 }
@@ -162,11 +168,13 @@ async function run(targetPath, options = {}) {
   const criticalCount = threats.filter(t => t.severity === 'CRITICAL').length;
   const highCount = threats.filter(t => t.severity === 'HIGH').length;
   const mediumCount = threats.filter(t => t.severity === 'MEDIUM').length;
+  const lowCount = threats.filter(t => t.severity === 'LOW').length;
 
   let riskScore = 0;
   riskScore += criticalCount * SEVERITY_WEIGHTS.CRITICAL;
   riskScore += highCount * SEVERITY_WEIGHTS.HIGH;
   riskScore += mediumCount * SEVERITY_WEIGHTS.MEDIUM;
+  riskScore += lowCount * SEVERITY_WEIGHTS.LOW;
   riskScore = Math.min(MAX_RISK_SCORE, riskScore);
 
   const riskLevel = riskScore >= RISK_THRESHOLDS.CRITICAL ? 'CRITICAL'