npm - muaddib-scanner - Versions diffs - 2.4.19 → 2.5.0 - Mend

muaddib-scanner 2.4.19 → 2.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/package.json +5 -3
package/src/index.js +38 -22
package/src/ioc/updater.js +62 -5
package/src/sandbox/index.js +4 -0
package/src/scanner/deobfuscate.js +8 -3
package/src/scoring.js +9 -2
package/src/shared/download.js +32 -4

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.4.19",
+  "version": "2.5.0",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {
@@ -48,8 +48,10 @@
     "acorn": "8.16.0",
     "acorn-walk": "8.3.5",
     "adm-zip": "0.5.16",
-    "js-yaml": "4.1.1",
-    "loadash": "^1.0.0"
+    "js-yaml": "4.1.1"
+  },
+  "overrides": {
+    "loadash": "0.0.0-security"
   },
   "devDependencies": {
     "@eslint/js": "10.0.1",

package/src/index.js CHANGED Viewed

@@ -32,6 +32,10 @@ const { SEVERITY_WEIGHTS, RISK_THRESHOLDS, MAX_RISK_SCORE, isPackageLevelThreat,
 const { MAX_FILE_SIZE } = require('./shared/constants.js');
+// Timeout constants for scan safety
+const SCANNER_TIMEOUT = 15000;  // 15s per individual scanner
+const SCAN_TIMEOUT = 60000;     // 60s global scan timeout
 // Paranoid mode scanner
 function scanParanoid(targetPath) {
   const threats = [];
@@ -222,27 +226,38 @@ async function run(targetPath, options = {}) {
   // Sequential execution of scanners with event loop yields between each.
   // All scanners (even "async" ones) are effectively synchronous (readFileSync, readdirSync).
   // Running them via yieldThen ensures the spinner animates between each scanner.
-  let scanResult;
-  try {
-    scanResult = await Promise.all([
-      yieldThen(() => scanPackageJson(targetPath)),
-      yieldThen(() => scanShellScripts(targetPath)),
-      yieldThen(() => analyzeAST(targetPath, { deobfuscate: deobfuscateFn })),
-      yieldThen(() => detectObfuscation(targetPath)),
-      yieldThen(() => scanDependencies(targetPath)),
-      yieldThen(() => scanHashes(targetPath)),
-      yieldThen(() => analyzeDataFlow(targetPath, { deobfuscate: deobfuscateFn })),
-      yieldThen(() => scanTyposquatting(targetPath)),
-      yieldThen(() => scanGitHubActions(targetPath)),
-      yieldThen(() => matchPythonIOCs(pythonDeps, targetPath)),
-      yieldThen(() => checkPyPITyposquatting(pythonDeps, targetPath)),
-      yieldThen(() => scanEntropy(targetPath, { entropyThreshold: options.entropyThreshold || undefined })),
-      yieldThen(() => scanAIConfig(targetPath))
-    ]);
-  } catch (err) {
-    if (spinner) spinner.fail(`[MUADDIB] Scan failed: ${err.message}`);
-    throw err;
-  }
+  // Uses Promise.allSettled so one scanner crash doesn't kill the entire scan.
+  const SCANNER_NAMES = [
+    'scanPackageJson', 'scanShellScripts', 'analyzeAST', 'detectObfuscation',
+    'scanDependencies', 'scanHashes', 'analyzeDataFlow', 'scanTyposquatting',
+    'scanGitHubActions', 'matchPythonIOCs', 'checkPyPITyposquatting',
+    'scanEntropy', 'scanAIConfig'
+  ];
+  const settledResults = await Promise.allSettled([
+    yieldThen(() => scanPackageJson(targetPath)),
+    yieldThen(() => scanShellScripts(targetPath)),
+    yieldThen(() => analyzeAST(targetPath, { deobfuscate: deobfuscateFn })),
+    yieldThen(() => detectObfuscation(targetPath)),
+    yieldThen(() => scanDependencies(targetPath)),
+    yieldThen(() => scanHashes(targetPath)),
+    yieldThen(() => analyzeDataFlow(targetPath, { deobfuscate: deobfuscateFn })),
+    yieldThen(() => scanTyposquatting(targetPath)),
+    yieldThen(() => scanGitHubActions(targetPath)),
+    yieldThen(() => matchPythonIOCs(pythonDeps, targetPath)),
+    yieldThen(() => checkPyPITyposquatting(pythonDeps, targetPath)),
+    yieldThen(() => scanEntropy(targetPath, { entropyThreshold: options.entropyThreshold || undefined })),
+    yieldThen(() => scanAIConfig(targetPath))
+  ]);
+  // Extract results: use empty array for rejected scanners, log errors
+  const scannerErrors = [];
+  const scanResult = settledResults.map((r, i) => {
+    if (r.status === 'fulfilled') return r.value;
+    scannerErrors.push({ scanner: SCANNER_NAMES[i], error: r.reason });
+    console.error(`[WARN] Scanner ${SCANNER_NAMES[i]} failed: ${r.reason?.message || r.reason}`);
+    return [];
+  });
   const [
     packageThreats,
@@ -420,7 +435,8 @@ async function run(targetPath, options = {}) {
       fileScores,
       breakdown
     },
-    sandbox: sandboxData
+    sandbox: sandboxData,
+    scannerErrors: scannerErrors.length > 0 ? scannerErrors : undefined
   };
   // _capture mode: return result directly without printing (used by diff.js)

package/src/ioc/updater.js CHANGED Viewed

@@ -1,6 +1,7 @@
 const fs = require('fs');
 const path = require('path');
 const os = require('os');
+const crypto = require('crypto');
 const HOME_DATA_PATH = path.join(os.homedir(), '.muaddib', 'data');
 const CACHE_IOC_FILE = path.join(HOME_DATA_PATH, 'iocs.json');
@@ -100,9 +101,14 @@ async function updateIOCs() {
   // Atomic write: write to .tmp then rename (UP-001)
   const tmpFile = CACHE_IOC_FILE + '.tmp';
-  fs.writeFileSync(tmpFile, JSON.stringify(baseIOCs));
+  const jsonData = JSON.stringify(baseIOCs);
+  fs.writeFileSync(tmpFile, jsonData);
   fs.renameSync(tmpFile, CACHE_IOC_FILE);
+  // Write HMAC signature alongside the cache file
+  const hmac = generateIOCHMAC(jsonData);
+  fs.writeFileSync(CACHE_IOC_FILE + '.hmac', hmac);
   const totalNpm = baseIOCs.packages.length;
   const totalPyPI = (baseIOCs.pypi_packages || []).length;
   console.log('[4/4] Saved to cache: ' + CACHE_IOC_FILE);
@@ -217,11 +223,22 @@ function loadCachedIOCs() {
     }
   }
-  // Priority 3: Cached IOCs (from previous update)
+  // Priority 3: Cached IOCs (from previous update) — verify HMAC integrity
   if (fs.existsSync(CACHE_IOC_FILE)) {
     try {
-      const cachedIOCs = JSON.parse(fs.readFileSync(CACHE_IOC_FILE, 'utf8'));
-      mergeIOCs(merged, cachedIOCs);
+      const cachedData = fs.readFileSync(CACHE_IOC_FILE, 'utf8');
+      const hmacFile = CACHE_IOC_FILE + '.hmac';
+      if (fs.existsSync(hmacFile)) {
+        const storedHmac = fs.readFileSync(hmacFile, 'utf8').trim();
+        if (!verifyIOCHMAC(cachedData, storedHmac)) {
+          console.log('[WARN] IOC cache HMAC verification failed — possible tampering. Skipping cache.');
+        } else {
+          mergeIOCs(merged, JSON.parse(cachedData));
+        }
+      } else {
+        // No HMAC file yet (first run or pre-HMAC version) — load but warn
+        mergeIOCs(merged, JSON.parse(cachedData));
+      }
     } catch (e) {
       console.log('[WARN] Failed to load cached IOCs: ' + e.message);
     }
@@ -421,4 +438,44 @@ function invalidateCache() {
   cachedIOCsTime = 0;
 }
-module.exports = { updateIOCs, loadCachedIOCs, invalidateCache, generateCompactIOCs, expandCompactIOCs, mergeIOCs, createOptimizedIOCs };
+// ============================================
+// IOC INTEGRITY: HMAC-SHA256 signing/verification
+// ============================================
+// Key is derived from a stable machine-specific seed + hardcoded salt.
+// This protects against local file tampering by unauthorized processes.
+const IOC_HMAC_SALT = 'muaddib-ioc-integrity-v1';
+function getIOCHMACKey() {
+  // Derive key from salt + hostname (machine-specific but stable)
+  const seed = IOC_HMAC_SALT + ':' + os.hostname();
+  return crypto.createHash('sha256').update(seed).digest();
+}
+/**
+ * Generate HMAC-SHA256 for IOC data string.
+ * @param {string} data - JSON string of IOC data
+ * @returns {string} Hex-encoded HMAC
+ */
+function generateIOCHMAC(data) {
+  const key = getIOCHMACKey();
+  return crypto.createHmac('sha256', key).update(data).digest('hex');
+}
+/**
+ * Verify HMAC-SHA256 of IOC data.
+ * @param {string} data - JSON string of IOC data
+ * @param {string} hmac - Expected HMAC hex string
+ * @returns {boolean} True if HMAC matches
+ */
+function verifyIOCHMAC(data, hmac) {
+  if (!hmac || typeof hmac !== 'string') return false;
+  const expected = generateIOCHMAC(data);
+  // Constant-time comparison to prevent timing attacks
+  try {
+    return crypto.timingSafeEqual(Buffer.from(expected, 'hex'), Buffer.from(hmac, 'hex'));
+  } catch {
+    return false;
+  }
+}
+module.exports = { updateIOCs, loadCachedIOCs, invalidateCache, generateCompactIOCs, expandCompactIOCs, mergeIOCs, createOptimizedIOCs, generateIOCHMAC, verifyIOCHMAC };

package/src/sandbox/index.js CHANGED Viewed

@@ -188,6 +188,10 @@ async function runSingleSandbox(packageName, options = {}) {
     dockerArgs.push('--tmpfs', '/home/sandboxuser:rw,noexec,nosuid,size=16m');
     dockerArgs.push('--read-only');
+    // Mount fake /proc/uptime to prevent time-based sandbox evasion (T1497.003)
+    // Malware reads /proc/uptime to detect sandboxes (low uptime = sandbox)
+    dockerArgs.push('--tmpfs', '/proc/uptime:ro,size=4k');
     dockerArgs.push('--security-opt', 'no-new-privileges');
     if (local && localAbsPath) {

package/src/scanner/deobfuscate.js CHANGED Viewed

@@ -339,15 +339,20 @@ function foldConcatsOnly(sourceCode) {
 /**
  * Recursively fold string concat BinaryExpression.
  * Returns the concatenated string, or null if any part is not a string literal.
+ * Depth limit prevents stack overflow DoS on deeply nested expressions.
  */
-function tryFoldConcat(node) {
+const MAX_FOLD_DEPTH = 100;
+function tryFoldConcat(node, depth) {
+  if (depth === undefined) depth = 0;
+  if (depth > MAX_FOLD_DEPTH) return null;
   if (node.type === 'Literal' && typeof node.value === 'string') {
     return node.value;
   }
   if (node.type === 'BinaryExpression' && node.operator === '+') {
-    const left = tryFoldConcat(node.left);
+    const left = tryFoldConcat(node.left, depth + 1);
     if (left === null) return null;
-    const right = tryFoldConcat(node.right);
+    const right = tryFoldConcat(node.right, depth + 1);
     if (right === null) return null;
     return left + right;
   }

package/src/scoring.js CHANGED Viewed

@@ -180,12 +180,19 @@ function applyFPReductions(threats, reachableFiles, packageName) {
     typeCounts[t.type] = (typeCounts[t.type] || 0) + 1;
   }
+  const totalThreats = threats.length;
   for (const t of threats) {
     // Count-based downgrade: if a threat type appears too many times,
-    // it's a framework/plugin system, not malware
+    // it's a framework/plugin system, not malware.
+    // Percentage guard: only downgrade if the type is < 50% of total threats.
+    // When a type dominates findings (> 50%), it may be real malware, not framework noise.
     const rule = FP_COUNT_THRESHOLDS[t.type];
     if (rule && typeCounts[t.type] > rule.maxCount && (!rule.from || t.severity === rule.from)) {
-      t.severity = rule.to;
+      const typeRatio = typeCounts[t.type] / totalThreats;
+      if (typeRatio < 0.5) {
+        t.severity = rule.to;
+      }
     }
     // require_cache_poison: single hit → HIGH (plugin dedup/hot-reload, not malware)

package/src/shared/download.js CHANGED Viewed

@@ -26,9 +26,35 @@ const PRIVATE_IP_PATTERNS = [
   /^fe80:/
 ];
+/**
+ * Normalize a hostname by unwrapping IPv6-mapped IPv4 addresses
+ * and converting decimal IP notation to dotted notation.
+ * @param {string} hostname - Raw hostname from URL
+ * @returns {string} Normalized hostname for SSRF validation
+ */
+function normalizeHostname(hostname) {
+  hostname = hostname.toLowerCase();
+  // Unwrap IPv6-mapped IPv4: ::ffff:192.168.1.1 → 192.168.1.1
+  if (hostname.startsWith('::ffff:')) {
+    const ipv4Part = hostname.slice(7);
+    if (/^(\d{1,3}\.){3}\d{1,3}$/.test(ipv4Part)) {
+      return ipv4Part;
+    }
+  }
+  // Convert decimal IP notation: 2130706433 → 127.0.0.1
+  if (/^\d+$/.test(hostname)) {
+    const num = parseInt(hostname, 10);
+    if (num > 0 && num < 4294967296) {
+      return [(num >>> 24) & 255, (num >>> 16) & 255, (num >>> 8) & 255, num & 255].join('.');
+    }
+  }
+  return hostname;
+}
 /**
  * Validates that a redirect URL is allowed (SSRF protection).
  * Only HTTPS to whitelisted domains is permitted.
+ * Normalizes IPv6-mapped IPv4 and decimal IP notation before validation.
  * @param {string} redirectUrl - The redirect target URL
  * @returns {{allowed: boolean, error?: string}}
  */
@@ -38,10 +64,11 @@ function isAllowedDownloadRedirect(redirectUrl) {
     if (urlObj.protocol !== 'https:') {
       return { allowed: false, error: `Redirect blocked: non-HTTPS protocol ${urlObj.protocol}` };
     }
-    const hostname = urlObj.hostname.toLowerCase();
-    // Block private IP addresses
-    if (PRIVATE_IP_PATTERNS.some(p => p.test(hostname))) {
-      return { allowed: false, error: `Redirect blocked: private IP ${hostname}` };
+    const rawHostname = urlObj.hostname.toLowerCase();
+    const hostname = normalizeHostname(rawHostname);
+    // Block private IP addresses (check both raw and normalized)
+    if (PRIVATE_IP_PATTERNS.some(p => p.test(hostname) || p.test(rawHostname))) {
+      return { allowed: false, error: `Redirect blocked: private IP ${rawHostname}` };
     }
     const domainAllowed = ALLOWED_DOWNLOAD_DOMAINS.some(domain =>
       hostname === domain || hostname.endsWith('.' + domain)
@@ -176,6 +203,7 @@ module.exports = {
   extractTarGz,
   sanitizePackageName,
   isAllowedDownloadRedirect,
+  normalizeHostname,
   ALLOWED_DOWNLOAD_DOMAINS,
   PRIVATE_IP_PATTERNS
 };