muaddib-scanner 2.10.94 → 2.10.95

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/package.json +1 -1
  2. package/src/scanner/ast-detectors/handle-post-walk.js +6 -0
  3. package/src/scanner/ast.js +14 -4
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "muaddib-scanner",
3
- "version": "2.10.94",
3
+ "version": "2.10.95",
4
4
  "description": "Supply-chain threat detection & response for npm & PyPI/Python",
5
5
  "main": "src/index.js",
6
6
  "bin": {
package/src/scanner/ast-detectors/handle-post-walk.js CHANGED
@@ -135,6 +135,12 @@ function handlePostWalk(ctx) {
135
135
  // B4: removed fetchOnlySafeDomains guard — compound requires fetch+chmod+exec, which is never legitimate
136
136
  // C10: If file also contains hash/checksum verification, downgrade to HIGH — real droppers
137
137
  // don't verify payload integrity; legitimate installers (esbuild, sharp) do.
138
+ // v2.10.95: hasHashVerification is now gated by presence of a comparison operator
139
+ // in the same file (see ast.js:211 — best-effort heuristic). No additional tier
140
+ // added: diagnostic on 545 benign packages showed download_exec_binary fires on
141
+ // only 3 packages (esbuild, yarn, @backstage/create-app) and their final score is
142
+ // dominated by other CRITICAL rules, so a MEDIUM tier here had 0 FPR impact.
143
+ // Full validation in data/fp-v2.10.95-validation.md.
138
144
  if (ctx.hasRemoteFetch && ctx.hasChmodExecutable && ctx.hasExecSyncCall) {
139
145
  ctx.threats.push({
140
146
  type: 'download_exec_binary',
package/src/scanner/ast.js CHANGED
@@ -205,10 +205,20 @@ function analyzeFile(content, filePath, basePath) {
205
205
  stringBuildVars: new Set(), // variables assigned from BinaryExpression with '+' (string concat)
206
206
  // Audit v3 B2: Entropy split detection — high-entropy string concat + eval/decode
207
207
  highEntropyConcatFound: false, // set when a concat chain with >=3 leaves and high combined entropy is found
208
- // C10: Hash verification — legitimate binary installers verify checksums
209
- // Requires BOTH createHash() call AND .digest() call false positives from
210
- // standalone mentions of 'sha256' or 'integrity' in comments/descriptions
211
- hasHashVerification: /\bcreateHash\s*\(/.test(content) && /\.digest\s*\(/.test(content),
208
+ // C10: Hash verification — legitimate binary installers verify checksums.
209
+ // v2.10.95: file-level heuristic durcie par un check de comparaison. Requires
210
+ // createHash+digest AND at least one comparison/assert/throw in the same file.
211
+ // THIS IS NOT A PROOF that the hash is actually verified — a malicious author
212
+ // can include a === or assert elsewhere in the file without comparing the
213
+ // digest result. This gate is best-effort and gains value only through the
214
+ // triple-gate in handle-post-walk.js (requires also fetchOnlySafeDomains).
215
+ // Proper fix would require function-scope AST tracking to confirm the
216
+ // comparison consumes the digest result — deferred until a dedicated
217
+ // taint-tracking PR.
218
+ hasHashVerification:
219
+ /\bcreateHash\s*\(/.test(content) &&
220
+ /\.digest\s*\(/.test(content) &&
221
+ /\b(===|!==|\.equals\s*\(|assert\.(strictEqual|equal|deepEqual|deepStrictEqual)\s*\(|\bthrow\b)/.test(content),
212
222
  // GlassWorm: variation selector decoder pattern (.codePointAt + 0xFE00/0xE0100)
213
223
  hasCodePointAt: false,
214
224
  hasVariationSelectorConst: false,