muaddib-scanner 2.2.11 → 2.2.14

package/src/scanner/shell.js

@@ -1,9 +1,8 @@
 const fs = require('fs');
 const path = require('path');
-const { findFiles } = require('../utils.js');
+const { findFiles, forEachSafeFile } = require('../utils.js');
 
 const SHELL_EXCLUDED_DIRS = ['node_modules', '.git', '.muaddib-cache'];
-const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB
 
 const MALICIOUS_PATTERNS = [
   { pattern: /curl.*\|.*sh/m, name: 'curl_pipe_shell', severity: 'HIGH' },
@@ -26,16 +25,7 @@ async function scanShellScripts(targetPath) {
   // Cherche les fichiers shell
   const files = findFiles(targetPath, { extensions: ['.sh', '.bash', '.zsh', '.command'], excludedDirs: SHELL_EXCLUDED_DIRS });
 
-  for (const file of files) {
-    let content;
-    try {
-      const stat = fs.statSync(file);
-      if (stat.size > MAX_FILE_SIZE) continue;
-      content = fs.readFileSync(file, 'utf8');
-    } catch {
-      continue; // Skip unreadable files
-    }
-    
+  forEachSafeFile(files, (file, content) => {
     // Strip comment lines to avoid false positives on documentation
     const activeContent = content.split('\n')
       .filter(line => !line.trimStart().startsWith('#'))
@@ -51,7 +41,7 @@ async function scanShellScripts(targetPath) {
         });
       }
     }
-  }
+  });
 
   return threats;
 }

package/src/shared/analyze-helper.js

@@ -0,0 +1,49 @@
+const path = require('path');
+const { isDevFile, findJsFiles, forEachSafeFile } = require('../utils.js');
+
+/**
+ * Shared scanner wrapper: iterates JS files, runs analyzeFileFn on original + deobfuscated code,
+ * deduplicates findings by type::message key.
+ * @param {string} targetPath - Root directory to scan
+ * @param {Function} analyzeFileFn - (content, filePath, basePath) => threats[]
+ * @param {object} [options]
+ * @param {Function} [options.deobfuscate] - Deobfuscation function
+ * @param {string[]} [options.excludedFiles] - Relative paths to skip
+ * @param {boolean} [options.skipDevFiles=true] - Whether to skip dev/test files
+ * @returns {Array} Combined threats
+ */
+function analyzeWithDeobfuscation(targetPath, analyzeFileFn, options = {}) {
+  const threats = [];
+  const files = findJsFiles(targetPath);
+
+  forEachSafeFile(files, (file, content) => {
+    const relativePath = path.relative(targetPath, file).replace(/\\/g, '/');
+
+    if (options.excludedFiles && options.excludedFiles.includes(relativePath)) return;
+    if (options.skipDevFiles !== false && isDevFile(relativePath)) return;
+
+    // Analyze original code first (preserves obfuscation-detection rules)
+    const fileThreats = analyzeFileFn(content, file, targetPath);
+    threats.push(...fileThreats);
+
+    // Also analyze deobfuscated code for additional findings hidden by obfuscation
+    if (typeof options.deobfuscate === 'function') {
+      try {
+        const result = options.deobfuscate(content);
+        if (result.transforms.length > 0) {
+          const deobThreats = analyzeFileFn(result.code, file, targetPath);
+          const existingKeys = new Set(fileThreats.map(t => `${t.type}::${t.message}`));
+          for (const dt of deobThreats) {
+            if (!existingKeys.has(`${dt.type}::${dt.message}`)) {
+              threats.push(dt);
+            }
+          }
+        }
+      } catch { /* deobfuscation failed — skip */ }
+    }
+  });
+
+  return threats;
+}
+
+module.exports = { analyzeWithDeobfuscation };

package/src/shared/constants.js

@@ -86,4 +86,8 @@ const NPM_PACKAGE_REGEX = /^(@[a-z0-9-~][a-z0-9-._~]*\/)?[a-z0-9-~][a-z0-9-._~]*
 const MAX_TARBALL_SIZE = 50 * 1024 * 1024; // 50MB
 const DOWNLOAD_TIMEOUT = 30_000; // 30 seconds
 
-module.exports = { REHABILITATED_PACKAGES, NPM_PACKAGE_REGEX, MAX_TARBALL_SIZE, DOWNLOAD_TIMEOUT };
+// Shared scanner constants
+const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB — skip files larger than this to avoid memory issues
+const ACORN_OPTIONS = { ecmaVersion: 2024, sourceType: 'module', allowHashBang: true };
+
+module.exports = { REHABILITATED_PACKAGES, NPM_PACKAGE_REGEX, MAX_TARBALL_SIZE, DOWNLOAD_TIMEOUT, MAX_FILE_SIZE, ACORN_OPTIONS };

package/src/temporal-ast-diff.js

@@ -4,12 +4,13 @@ const path = require('path');
 const os = require('os');
 const acorn = require('acorn');
 const walk = require('acorn-walk');
-const { findJsFiles } = require('./utils.js');
+const { findJsFiles, forEachSafeFile, debugLog } = require('./utils.js');
 const { fetchPackageMetadata, getLatestVersions } = require('./temporal-analysis.js');
 const { downloadToFile, extractTarGz, sanitizePackageName } = require('./shared/download.js');
 
+const { MAX_FILE_SIZE, ACORN_OPTIONS } = require('./shared/constants.js');
+
 const REGISTRY_URL = 'https://registry.npmjs.org';
-const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB
 const METADATA_TIMEOUT = 10_000;
 
 const SENSITIVE_PATHS = [
@@ -101,12 +102,12 @@ async function fetchPackageTarball(packageName, version) {
     await downloadToFile(tarballUrl, tgzPath);
     extractedDir = extractTarGz(tgzPath, tmpDir);
   } catch (err) {
-    try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch {}
+    try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch (e) { debugLog('tmpDir cleanup failed:', e.message); }
     throw err;
   }
 
   const cleanup = () => {
-    try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch {}
+    try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch (e) { debugLog('tmpDir cleanup failed:', e.message); }
   };
 
   return { dir: extractedDir, cleanup };
@@ -120,20 +121,9 @@ async function fetchPackageTarball(packageName, version) {
 function extractDangerousPatterns(directory) {
   const patterns = new Set();
   const files = findJsFiles(directory);
-
-  for (const file of files) {
-    try {
-      const stat = fs.statSync(file);
-      if (stat.size > MAX_FILE_SIZE) continue;
-    } catch { continue; }
-
-    let content;
-    try { content = fs.readFileSync(file, 'utf8'); }
-    catch { continue; }
-
+  forEachSafeFile(files, (file, content) => {
     extractPatternsFromSource(content, patterns);
-  }
-
+  });
   return patterns;
 }
 
@@ -145,7 +135,7 @@ function extractDangerousPatterns(directory) {
 function extractPatternsFromSource(source, patterns) {
   let ast;
   try {
-    ast = acorn.parse(source, { ecmaVersion: 2024, sourceType: 'module', allowHashBang: true });
+    ast = acorn.parse(source, ACORN_OPTIONS);
   } catch { return; }
 
   walk.simple(ast, {

package/src/utils.js

@@ -1,5 +1,6 @@
 const fs = require('fs');
 const path = require('path');
+const { MAX_FILE_SIZE } = require('./shared/constants.js');
 
 /**
  * Directories excluded from scanning.
@@ -145,7 +146,7 @@ function findFiles(dir, options = {}) {
  * @returns {string[]} List of .js file paths
  */
 function findJsFiles(dir, results = []) {
-  return findFiles(dir, { extensions: ['.js'], results });
+  return findFiles(dir, { extensions: ['.js', '.mjs', '.cjs'], results });
 }
 
 /**
@@ -228,6 +229,61 @@ class Spinner {
   }
 }
 
+/**
+ * Iterates files with size guard and error handling.
+ * Calls callback(file, content) for each readable file under MAX_FILE_SIZE.
+ */
+function forEachSafeFile(files, callback) {
+  for (const file of files) {
+    try {
+      const stat = fs.statSync(file);
+      if (stat.size > MAX_FILE_SIZE) continue;
+    } catch { continue; }
+    let content;
+    try {
+      content = fs.readFileSync(file, 'utf8');
+    } catch { continue; }
+    callback(file, content);
+  }
+}
+
+/**
+ * Lists installed packages in node_modules (handles scoped packages).
+ * @param {string} targetPath - Root of the project
+ * @returns {string[]} Package names (e.g. ['express', '@babel/core'])
+ */
+function listInstalledPackages(targetPath) {
+  const nm = path.join(targetPath, 'node_modules');
+  if (!fs.existsSync(nm)) return [];
+  const names = [];
+  try {
+    for (const item of fs.readdirSync(nm)) {
+      if (item.startsWith('.')) continue;
+      const itemPath = path.join(nm, item);
+      try {
+        const stat = fs.lstatSync(itemPath);
+        if (stat.isSymbolicLink() || !stat.isDirectory()) continue;
+        if (item.startsWith('@')) {
+          for (const si of fs.readdirSync(itemPath)) {
+            const ss = fs.lstatSync(path.join(itemPath, si));
+            if (!ss.isSymbolicLink() && ss.isDirectory()) names.push(`${item}/${si}`);
+          }
+        } else {
+          names.push(item);
+        }
+      } catch { /* skip unreadable */ }
+    }
+  } catch { /* no node_modules readable */ }
+  return names;
+}
+
+/**
+ * Logs to stderr when MUADDIB_DEBUG is set. No-op otherwise.
+ */
+function debugLog(...args) {
+  if (process.env.MUADDIB_DEBUG) console.error('[DEBUG]', ...args);
+}
+
 module.exports = {
   EXCLUDED_DIRS,
   DEV_PATTERNS,
@@ -238,5 +294,8 @@ module.exports = {
   getCallName,
   Spinner,
   setExtraExcludes,
-  getExtraExcludes
+  getExtraExcludes,
+  forEachSafeFile,
+  listInstalledPackages,
+  debugLog
 };