muaddib-scanner 1.3.1 → 1.4.1

package/bin/muaddib.js

@@ -8,7 +8,7 @@ const { runScraper } = require('../src/ioc/scraper.js');
 const { safeInstall } = require('../src/safe-install.js');
 const { buildSandboxImage, runSandbox } = require('../src/sandbox.js');
 const { diff, showRefs } = require('../src/diff.js');
-const { initHooks } = require('../src/hooks-init.js');
+const { initHooks, removeHooks } = require('../src/hooks-init.js');
 
 const args = process.argv.slice(2);
 const command = args[0];
@@ -238,6 +238,7 @@ const helpText = `
     muaddib watch [path]             Watch in real-time
     muaddib daemon [options]         Start daemon
     muaddib init-hooks [options]     Setup git pre-commit hooks
+    muaddib remove-hooks [path]      Remove MUAD'DIB git hooks
     muaddib update                   Update IOCs
     muaddib scrape                   Scrape new IOCs
     muaddib sandbox <pkg>            Analyze in isolated Docker container
@@ -385,6 +386,13 @@ if (!command || command === '--help' || command === '-h') {
     console.error('[ERROR]', err.message);
     process.exit(1);
   });
+} else if (command === 'remove-hooks') {
+  removeHooks(target).then(success => {
+    process.exit(success ? 0 : 1);
+  }).catch(err => {
+    console.error('[ERROR]', err.message);
+    process.exit(1);
+  });
 } else if (command === 'help') {
   console.log(helpText);
   process.exit(0);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "1.3.1",
+  "version": "1.4.1",
   "description": "Supply-chain threat detection & response for npm",
   "main": "src/index.js",
   "bin": {

package/src/daemon.js

@@ -22,22 +22,30 @@ async function startDaemon(options = {}) {
 
   // Surveille le dossier courant
   const cwd = process.cwd();
-  watchDirectory(cwd);
+  const watchers = watchDirectory(cwd);
 
-  // Garde le processus actif
-  process.on('SIGINT', () => {
-    console.log('\n[DAEMON] Arret...');
-    isRunning = false;
-    process.exit(0);
+  // Cleanup function to close all watchers
+  function cleanup() {
+    for (const w of watchers) {
+      try { w.close(); } catch { /* ignore */ }
+    }
+  }
+
+  // Keep process alive until SIGINT
+  await new Promise((resolve) => {
+    process.on('SIGINT', () => {
+      console.log('\n[DAEMON] Arret...');
+      isRunning = false;
+      cleanup();
+      resolve();
+    });
   });
 
-  // Boucle infinie
-  while (isRunning) {
-    await sleep(1000);
-  }
+  process.exit(0);
 }
 
 function watchDirectory(dir) {
+  const watchers = [];
   const nodeModulesPath = path.join(dir, 'node_modules');
   const packageLockPath = path.join(dir, 'package-lock.json');
   const yarnLockPath = path.join(dir, 'yarn.lock');
@@ -46,21 +54,23 @@ function watchDirectory(dir) {
 
   // Surveille package-lock.json
   if (fs.existsSync(packageLockPath)) {
-    watchFile(packageLockPath, dir);
+    const w = watchFile(packageLockPath, dir);
+    if (w) watchers.push(w);
   }
 
   // Surveille yarn.lock
   if (fs.existsSync(yarnLockPath)) {
-    watchFile(yarnLockPath, dir);
+    const w = watchFile(yarnLockPath, dir);
+    if (w) watchers.push(w);
   }
 
   // Surveille node_modules
   if (fs.existsSync(nodeModulesPath)) {
-    watchNodeModules(nodeModulesPath, dir);
+    watchers.push(watchNodeModules(nodeModulesPath, dir));
   }
 
   // Surveille la creation de node_modules
-  fs.watch(dir, (eventType, filename) => {
+  const dirWatcher = fs.watch(dir, (eventType, filename) => {
     if (filename === 'node_modules' && eventType === 'rename') {
       const nmPath = path.join(dir, 'node_modules');
       if (fs.existsSync(nmPath)) {
@@ -73,25 +83,37 @@ function watchDirectory(dir) {
       triggerScan(dir);
     }
   });
+  watchers.push(dirWatcher);
+
+  return watchers;
 }
 
 function watchFile(filePath, projectDir) {
-  let lastMtime = fs.statSync(filePath).mtime.getTime();
+  let lastMtime;
+  try {
+    lastMtime = fs.statSync(filePath).mtime.getTime();
+  } catch {
+    return null; // File deleted between existsSync and statSync
+  }
 
-  fs.watch(filePath, (eventType) => {
+  return fs.watch(filePath, (eventType) => {
     if (eventType === 'change') {
-      const currentMtime = fs.statSync(filePath).mtime.getTime();
-      if (currentMtime !== lastMtime) {
-        lastMtime = currentMtime;
-        console.log(`[DAEMON] ${path.basename(filePath)} modifie`);
-        triggerScan(projectDir);
+      try {
+        const currentMtime = fs.statSync(filePath).mtime.getTime();
+        if (currentMtime !== lastMtime) {
+          lastMtime = currentMtime;
+          console.log(`[DAEMON] ${path.basename(filePath)} modifie`);
+          triggerScan(projectDir);
+        }
+      } catch {
+        // File may have been deleted between watch trigger and stat
       }
     }
   });
 }
 
 function watchNodeModules(nodeModulesPath, projectDir) {
-  fs.watch(nodeModulesPath, { recursive: true }, (eventType, filename) => {
+  return fs.watch(nodeModulesPath, { recursive: true }, (eventType, filename) => {
     if (filename && filename.includes('package.json')) {
       console.log(`[DAEMON] Nouveau package detecte: ${filename}`);
       triggerScan(projectDir);
@@ -133,8 +155,4 @@ function triggerScan(dir) {
   }, 3000);
 }
 
-function sleep(ms) {
-  return new Promise(resolve => setTimeout(resolve, ms));
-}
-
 module.exports = { startDaemon };

package/src/diff.js

@@ -4,6 +4,9 @@ const path = require('path');
 const fs = require('fs');
 const os = require('os');
 
+// Only allow safe characters in git refs (prevents command injection)
+const SAFE_REF_REGEX = /^[a-zA-Z0-9._\-/~^@{}:]+$/;
+
 /**
  * Get the list of commits/tags for comparison suggestions
  */
@@ -61,6 +64,9 @@ function getCurrentCommit(targetPath) {
  * Resolve a ref (tag, branch, commit) to a commit hash
  */
 function resolveRef(targetPath, ref) {
+  if (!SAFE_REF_REGEX.test(ref)) {
+    return null;
+  }
   try {
     return execSync(`git rev-parse ${ref}`, {
       cwd: targetPath,
@@ -92,11 +98,16 @@ function hasUncommittedChanges(targetPath) {
  * Create a temporary copy of the repo at a specific commit
  */
 function createTempCopyAtCommit(targetPath, commitHash) {
+  // Sanitize commitHash (should be a hex hash from resolveRef)
+  if (!SAFE_REF_REGEX.test(commitHash)) {
+    throw new Error('Invalid commit hash');
+  }
+
   const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), 'muaddib-diff-'));
 
   try {
-    // Clone the repo to temp directory
-    execSync(`git clone --quiet "${targetPath}" "${tempDir}"`, {
+    // Clone the repo to temp directory (use -- to separate paths from options)
+    execSync(`git clone --quiet -- "${targetPath}" "${tempDir}"`, {
       stdio: ['pipe', 'pipe', 'pipe']
     });
 
@@ -107,10 +118,11 @@ function createTempCopyAtCommit(targetPath, commitHash) {
     });
 
     // Install dependencies if package.json exists
+    // --ignore-scripts prevents execution of malicious preinstall/postinstall
     const packageJsonPath = path.join(tempDir, 'package.json');
     if (fs.existsSync(packageJsonPath)) {
       try {
-        execSync('npm install --quiet --no-audit --no-fund', {
+        execSync('npm install --quiet --no-audit --no-fund --ignore-scripts', {
           cwd: tempDir,
           stdio: ['pipe', 'pipe', 'pipe'],
           timeout: 60000
@@ -192,25 +204,20 @@ function compareThreats(oldThreats, newThreats) {
  * Run scan and capture results (without console output)
  */
 async function runSilentScan(targetPath, options = {}) {
-  // Capture console.log output
   const originalLog = console.log;
   const logs = [];
-  console.log = (...args) => logs.push(args.join(' '));
-
   try {
+    console.log = (...args) => logs.push(args.join(' '));
     await run(targetPath, { ...options, json: true });
+  } finally {
     console.log = originalLog;
+  }
 
-    // Parse the JSON output
-    const jsonOutput = logs.join('\n');
-    try {
-      return JSON.parse(jsonOutput);
-    } catch {
-      return { threats: [], summary: { total: 0 } };
-    }
-  } catch (err) {
-    console.log = originalLog;
-    throw err;
+  const jsonOutput = logs.join('\n');
+  try {
+    return JSON.parse(jsonOutput);
+  } catch {
+    return { threats: [], summary: { total: 0 } };
   }
 }
 

package/src/hooks-init.js

@@ -2,6 +2,15 @@ const { execSync } = require('child_process');
 const fs = require('fs');
 const path = require('path');
 
+// Read version from package.json for pre-commit config
+const PKG_VERSION = (() => {
+  try {
+    return 'v' + JSON.parse(fs.readFileSync(path.join(__dirname, '..', 'package.json'), 'utf8')).version;
+  } catch {
+    return 'v1.0.0';
+  }
+})();
+
 /**
  * Detect which hook system is available
  */
@@ -131,7 +140,7 @@ async function initPreCommit(targetPath, mode) {
   const hookId = mode === 'diff' ? 'muaddib-diff' : 'muaddib-scan';
   const muaddibConfig = `
   - repo: https://github.com/DNSZLSK/muad-dib
-    rev: v1.2.7
+    rev: ${PKG_VERSION}
     hooks:
       - id: ${hookId}
 `;

package/src/index.js

@@ -32,7 +32,10 @@ const SEVERITY_WEIGHTS = {
 
   // MEDIUM: Potential threats (suspicious patterns, light obfuscation)
   // Moderate impact, requires investigation but not necessarily malicious
-  MEDIUM: 3
+  MEDIUM: 3,
+
+  // LOW: Informational findings, minimal impact on risk score
+  LOW: 1
 };
 
 // Thresholds for determining the overall risk level
@@ -52,12 +55,12 @@ function scanParanoid(targetPath) {
   const threats = [];
 
   function scanFile(filePath) {
-  try {
-    const content = fs.readFileSync(filePath, 'utf8');
+    try {
+      const content = fs.readFileSync(filePath, 'utf8');
 
       // Ignore URLs (they often contain patterns like .git)
       const contentWithoutUrls = content.replace(/https?:\/\/[^\s"']+/g, '');
-      
+
       for (const [, rule] of Object.entries(PARANOID_RULES)) {
         for (const pattern of rule.patterns) {
           if (contentWithoutUrls.includes(pattern)) {
@@ -75,15 +78,18 @@ function scanParanoid(targetPath) {
       // Ignore read errors
     }
   }
-  
+
   function walkDir(dir) {
     const excluded = ['node_modules', '.git', 'test', 'tests', 'src', 'vscode-extension', '.muaddib-cache', 'data', 'iocs'];
     try {
       const files = fs.readdirSync(dir);
       for (const file of files) {
         const fullPath = path.join(dir, file);
-        const stat = fs.statSync(fullPath);
-        
+        // Use lstatSync to avoid following symlinks
+        const stat = fs.lstatSync(fullPath);
+
+        if (stat.isSymbolicLink()) continue;
+
         if (stat.isDirectory()) {
           if (!excluded.includes(file)) {
             walkDir(fullPath);
@@ -96,7 +102,7 @@ function scanParanoid(targetPath) {
       // Ignore walk errors
     }
   }
-  
+
   walkDir(targetPath);
   return threats;
 }
@@ -162,11 +168,13 @@ async function run(targetPath, options = {}) {
   const criticalCount = threats.filter(t => t.severity === 'CRITICAL').length;
   const highCount = threats.filter(t => t.severity === 'HIGH').length;
   const mediumCount = threats.filter(t => t.severity === 'MEDIUM').length;
+  const lowCount = threats.filter(t => t.severity === 'LOW').length;
 
   let riskScore = 0;
   riskScore += criticalCount * SEVERITY_WEIGHTS.CRITICAL;
   riskScore += highCount * SEVERITY_WEIGHTS.HIGH;
   riskScore += mediumCount * SEVERITY_WEIGHTS.MEDIUM;
+  riskScore += lowCount * SEVERITY_WEIGHTS.LOW;
   riskScore = Math.min(MAX_RISK_SCORE, riskScore);
 
   const riskLevel = riskScore >= RISK_THRESHOLDS.CRITICAL ? 'CRITICAL'
@@ -184,6 +192,7 @@ async function run(targetPath, options = {}) {
       critical: criticalCount,
       high: highCount,
       medium: mediumCount,
+      low: lowCount,
       riskScore: riskScore,
       riskLevel: riskLevel
     }