muaddib-scanner 2.4.3 → 2.4.5

package/src/scanner/hash.js

@@ -1,118 +1,118 @@
-const fs = require('fs');
-const path = require('path');
-const nodeCrypto = require('crypto');
-const { loadCachedIOCs } = require('../ioc/updater.js');
-const { findFiles } = require('../utils.js');
-const { MAX_FILE_SIZE } = require('../shared/constants.js');
-
-// Hash cache: filePath -> { hash, mtime }
-const hashCache = new Map();
-const MAX_CACHE_SIZE = 10000;
-
-async function scanHashes(targetPath) {
-  const threats = [];
-  hashCache.clear(); // Clear stale cache between scans
-  const iocs = loadCachedIOCs();
-
-  // Use Set for O(1) lookup if available, otherwise create a Set
-  const knownHashes = iocs.hashesSet instanceof Set
-    ? iocs.hashesSet
-    : new Set(iocs.hashes || []);
-
-  if (knownHashes.size === 0) {
-    return threats;
-  }
-
-  const nodeModulesPath = path.join(targetPath, 'node_modules');
-
-  if (!fs.existsSync(nodeModulesPath)) {
-    return threats;
-  }
-
-  // Use shared findFiles utility (with symlink protection and depth limit)
-  const jsFiles = findFiles(nodeModulesPath, { extensions: ['.js'], excludedDirs: [], maxDepth: 100 });
-
-  for (const file of jsFiles) {
-    const hash = computeHashCached(file);
-
-    if (hash && knownHashes.has(hash)) {
-      threats.push({
-        type: 'known_malicious_hash',
-        severity: 'CRITICAL',
-        message: `Malicious hash detected: ${hash.substring(0, 16)}...`,
-        file: path.relative(targetPath, file)
-      });
-    }
-  }
-
-  return threats;
-}
-
-/**
- * Computes the SHA256 hash of a file with caching
- * Cache is invalidated if the file mtime changes
- * @param {string} filePath - File path
- * @returns {string|null} SHA256 hash or null on error
- */
-function computeHashCached(filePath) {
-  try {
-    const stat = fs.statSync(filePath);
-    if (stat.size > MAX_FILE_SIZE) return null;
-    const mtime = stat.mtimeMs;
-
-    // Check the cache
-    const cached = hashCache.get(filePath);
-    if (cached && cached.mtime === mtime) {
-      return cached.hash;
-    }
-
-    // Compute the hash
-    const hash = computeHash(filePath);
-
-    // FIFO eviction if cache is full
-    if (hashCache.size >= MAX_CACHE_SIZE) {
-      const firstKey = hashCache.keys().next().value;
-      hashCache.delete(firstKey);
-    }
-
-    // Store in cache
-    hashCache.set(filePath, { hash, mtime });
-
-    return hash;
-  } catch {
-    return null;
-  }
-}
-
-/**
- * Computes the SHA256 hash of a file
- * @param {string} filePath - File path
- * @returns {string} SHA256 hash
- */
-function computeHash(filePath) {
-  const content = fs.readFileSync(filePath);
-  return nodeCrypto.createHash('sha256').update(content).digest('hex');
-}
-
-/**
- * Clears the hash cache (useful for tests)
- */
-function clearHashCache() {
-  hashCache.clear();
-}
-
-/**
- * Returns the cache size (useful for debug/monitoring)
- * @returns {number}
- */
-function getHashCacheSize() {
-  return hashCache.size;
-}
-
-module.exports = {
-  scanHashes,
-  computeHash,
-  computeHashCached,
-  clearHashCache,
-  getHashCacheSize
-};
+const fs = require('fs');
+const path = require('path');
+const nodeCrypto = require('crypto');
+const { loadCachedIOCs } = require('../ioc/updater.js');
+const { findFiles } = require('../utils.js');
+const { MAX_FILE_SIZE } = require('../shared/constants.js');
+
+// Hash cache: filePath -> { hash, mtime }
+const hashCache = new Map();
+const MAX_CACHE_SIZE = 10000;
+
+async function scanHashes(targetPath) {
+  const threats = [];
+  hashCache.clear(); // Clear stale cache between scans
+  const iocs = loadCachedIOCs();
+
+  // Use Set for O(1) lookup if available, otherwise create a Set
+  const knownHashes = iocs.hashesSet instanceof Set
+    ? iocs.hashesSet
+    : new Set(iocs.hashes || []);
+
+  if (knownHashes.size === 0) {
+    return threats;
+  }
+
+  const nodeModulesPath = path.join(targetPath, 'node_modules');
+
+  if (!fs.existsSync(nodeModulesPath)) {
+    return threats;
+  }
+
+  // Use shared findFiles utility (with symlink protection and depth limit)
+  const jsFiles = findFiles(nodeModulesPath, { extensions: ['.js'], excludedDirs: [], maxDepth: 100 });
+
+  for (const file of jsFiles) {
+    const hash = computeHashCached(file);
+
+    if (hash && knownHashes.has(hash)) {
+      threats.push({
+        type: 'known_malicious_hash',
+        severity: 'CRITICAL',
+        message: `Malicious hash detected: ${hash.substring(0, 16)}...`,
+        file: path.relative(targetPath, file)
+      });
+    }
+  }
+
+  return threats;
+}
+
+/**
+ * Computes the SHA256 hash of a file with caching
+ * Cache is invalidated if the file mtime changes
+ * @param {string} filePath - File path
+ * @returns {string|null} SHA256 hash or null on error
+ */
+function computeHashCached(filePath) {
+  try {
+    const stat = fs.statSync(filePath);
+    if (stat.size > MAX_FILE_SIZE) return null;
+    const mtime = stat.mtimeMs;
+
+    // Check the cache
+    const cached = hashCache.get(filePath);
+    if (cached && cached.mtime === mtime) {
+      return cached.hash;
+    }
+
+    // Compute the hash
+    const hash = computeHash(filePath);
+
+    // FIFO eviction if cache is full
+    if (hashCache.size >= MAX_CACHE_SIZE) {
+      const firstKey = hashCache.keys().next().value;
+      hashCache.delete(firstKey);
+    }
+
+    // Store in cache
+    hashCache.set(filePath, { hash, mtime });
+
+    return hash;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Computes the SHA256 hash of a file
+ * @param {string} filePath - File path
+ * @returns {string} SHA256 hash
+ */
+function computeHash(filePath) {
+  const content = fs.readFileSync(filePath);
+  return nodeCrypto.createHash('sha256').update(content).digest('hex');
+}
+
+/**
+ * Clears the hash cache (useful for tests)
+ */
+function clearHashCache() {
+  hashCache.clear();
+}
+
+/**
+ * Returns the cache size (useful for debug/monitoring)
+ * @returns {number}
+ */
+function getHashCacheSize() {
+  return hashCache.size;
+}
+
+module.exports = {
+  scanHashes,
+  computeHash,
+  computeHashCached,
+  clearHashCache,
+  getHashCacheSize
+};

package/src/scanner/npm-registry.js

@@ -1,128 +1,128 @@
-const { NPM_PACKAGE_REGEX } = require('../shared/constants.js');
-const { debugLog } = require('../utils.js');
-
-const REGISTRY_URL = 'https://registry.npmjs.org';
-const DOWNLOADS_URL = 'https://api.npmjs.org/downloads/point/last-week';
-const SEARCH_URL = 'https://registry.npmjs.org/-/v1/search';
-
-const REQUEST_TIMEOUT = 10000; // 10 seconds
-const MAX_RETRIES = 3;
-
-/**
- * Create a timeout signal, with fallback for older Node versions.
- * Returns { signal, cleanup } — call cleanup() after fetch to prevent timer leaks.
- */
-function createTimeoutSignal(ms) {
-  if (typeof AbortSignal !== 'undefined' && AbortSignal.timeout) {
-    return { signal: AbortSignal.timeout(ms), cleanup: () => {} };
-  }
-  const controller = new AbortController();
-  const timer = setTimeout(() => controller.abort(), ms);
-  return { signal: controller.signal, cleanup: () => clearTimeout(timer) };
-}
-
-async function fetchWithRetry(url) {
-  let lastError = null;
-
-  for (let attempt = 0; attempt < MAX_RETRIES; attempt++) {
-    let response;
-    const { signal, cleanup } = createTimeoutSignal(REQUEST_TIMEOUT);
-    try {
-      response = await fetch(url, { signal });
-    } catch (err) {
-      cleanup();
-      // REG-001: Retry on timeout/abort instead of returning null immediately
-      lastError = err;
-      if (attempt < MAX_RETRIES - 1) {
-        const backoff = Math.min(1000 * Math.pow(2, attempt), 8000);
-        await new Promise(r => setTimeout(r, backoff));
-      }
-      continue;
-    }
-
-    cleanup();
-
-    // 404 = package doesn't exist
-    if (response.status === 404) {
-      // Drain response body to free resources
-      try { await response.text(); } catch (e) { debugLog('response drain failed:', e.message); }
-      return null;
-    }
-
-    // 429 = rate limit, respect Retry-After header (capped at 30s)
-    if (response.status === 429) {
-      try { await response.text(); } catch (e) { debugLog('response drain failed:', e.message); }
-      const retryAfter = parseInt(response.headers.get('retry-after'), 10);
-      const delay = Math.min(retryAfter && retryAfter > 0 ? retryAfter * 1000 : 2000, 30000);
-      await new Promise(r => setTimeout(r, delay));
-      continue;
-    }
-
-    if (!response.ok) {
-      // Drain response body on errors
-      try { await response.text(); } catch (e) { debugLog('response drain failed:', e.message); }
-      return null;
-    }
-
-    try {
-      return await response.json();
-    } catch {
-      return null;
-    }
-  }
-
-  // Don't throw — return null to prevent crashing the scan pipeline (REG-02)
-  return null;
-}
-
-async function getPackageMetadata(packageName) {
-  // Validate package name before building URL
-  if (!NPM_PACKAGE_REGEX.test(packageName)) return null;
-
-  // 1. Registry metadata
-  const registryUrl = REGISTRY_URL + '/' + encodeURIComponent(packageName);
-  const meta = await fetchWithRetry(registryUrl);
-  if (!meta) return null;
-
-  const createdAt = meta.time?.created || null;
-  const ageDays = createdAt
-    ? Math.floor((Date.now() - new Date(createdAt).getTime()) / (1000 * 60 * 60 * 24))
-    : null;
-
-  // Extract maintainer name from latest version
-  const latestVersion = meta['dist-tags']?.latest;
-  const latestMeta = latestVersion ? meta.versions?.[latestVersion] : null;
-  const maintainer = latestMeta?.maintainers?.[0]?.name
-    || meta.maintainers?.[0]?.name
-    || null;
-
-  const readmeText = meta.readme || '';
-  const hasReadme = readmeText.length > 100;
-
-  const hasRepository = !!(latestMeta?.repository || meta.repository);
-
-  // 2. Weekly downloads + author search (parallel)
-  const downloadsUrl = DOWNLOADS_URL + '/' + encodeURIComponent(packageName);
-  const authorUrl = maintainer
-    ? SEARCH_URL + '?text=maintainer:' + encodeURIComponent(maintainer) + '&size=1'
-    : null;
-
-  const [downloadsData, authorData] = await Promise.all([
-    fetchWithRetry(downloadsUrl),
-    authorUrl ? fetchWithRetry(authorUrl) : Promise.resolve(null)
-  ]);
-
-  const weeklyDownloads = downloadsData?.downloads ?? 0;
-  const authorPackageCount = authorData?.total ?? 0;
-
-  return {
-    created_at: createdAt,
-    age_days: ageDays,
-    weekly_downloads: weeklyDownloads,
-    author_package_count: authorPackageCount,
-    has_readme: hasReadme,
-    has_repository: hasRepository
-  };
-}
-
-module.exports = { getPackageMetadata };
+const { NPM_PACKAGE_REGEX } = require('../shared/constants.js');
+const { debugLog } = require('../utils.js');
+
+const REGISTRY_URL = 'https://registry.npmjs.org';
+const DOWNLOADS_URL = 'https://api.npmjs.org/downloads/point/last-week';
+const SEARCH_URL = 'https://registry.npmjs.org/-/v1/search';
+
+const REQUEST_TIMEOUT = 10000; // 10 seconds
+const MAX_RETRIES = 3;
+
+/**
+ * Create a timeout signal, with fallback for older Node versions.
+ * Returns { signal, cleanup } — call cleanup() after fetch to prevent timer leaks.
+ */
+function createTimeoutSignal(ms) {
+  if (typeof AbortSignal !== 'undefined' && AbortSignal.timeout) {
+    return { signal: AbortSignal.timeout(ms), cleanup: () => {} };
+  }
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), ms);
+  return { signal: controller.signal, cleanup: () => clearTimeout(timer) };
+}
+
+async function fetchWithRetry(url) {
+  let lastError = null;
+
+  for (let attempt = 0; attempt < MAX_RETRIES; attempt++) {
+    let response;
+    const { signal, cleanup } = createTimeoutSignal(REQUEST_TIMEOUT);
+    try {
+      response = await fetch(url, { signal });
+    } catch (err) {
+      cleanup();
+      // REG-001: Retry on timeout/abort instead of returning null immediately
+      lastError = err;
+      if (attempt < MAX_RETRIES - 1) {
+        const backoff = Math.min(1000 * Math.pow(2, attempt), 8000);
+        await new Promise(r => setTimeout(r, backoff));
+      }
+      continue;
+    }
+
+    cleanup();
+
+    // 404 = package doesn't exist
+    if (response.status === 404) {
+      // Drain response body to free resources
+      try { await response.text(); } catch (e) { debugLog('response drain failed:', e.message); }
+      return null;
+    }
+
+    // 429 = rate limit, respect Retry-After header (capped at 30s)
+    if (response.status === 429) {
+      try { await response.text(); } catch (e) { debugLog('response drain failed:', e.message); }
+      const retryAfter = parseInt(response.headers.get('retry-after'), 10);
+      const delay = Math.min(retryAfter && retryAfter > 0 ? retryAfter * 1000 : 2000, 30000);
+      await new Promise(r => setTimeout(r, delay));
+      continue;
+    }
+
+    if (!response.ok) {
+      // Drain response body on errors
+      try { await response.text(); } catch (e) { debugLog('response drain failed:', e.message); }
+      return null;
+    }
+
+    try {
+      return await response.json();
+    } catch {
+      return null;
+    }
+  }
+
+  // Don't throw — return null to prevent crashing the scan pipeline (REG-02)
+  return null;
+}
+
+async function getPackageMetadata(packageName) {
+  // Validate package name before building URL
+  if (!NPM_PACKAGE_REGEX.test(packageName)) return null;
+
+  // 1. Registry metadata
+  const registryUrl = REGISTRY_URL + '/' + encodeURIComponent(packageName);
+  const meta = await fetchWithRetry(registryUrl);
+  if (!meta) return null;
+
+  const createdAt = meta.time?.created || null;
+  const ageDays = createdAt
+    ? Math.floor((Date.now() - new Date(createdAt).getTime()) / (1000 * 60 * 60 * 24))
+    : null;
+
+  // Extract maintainer name from latest version
+  const latestVersion = meta['dist-tags']?.latest;
+  const latestMeta = latestVersion ? meta.versions?.[latestVersion] : null;
+  const maintainer = latestMeta?.maintainers?.[0]?.name
+    || meta.maintainers?.[0]?.name
+    || null;
+
+  const readmeText = meta.readme || '';
+  const hasReadme = readmeText.length > 100;
+
+  const hasRepository = !!(latestMeta?.repository || meta.repository);
+
+  // 2. Weekly downloads + author search (parallel)
+  const downloadsUrl = DOWNLOADS_URL + '/' + encodeURIComponent(packageName);
+  const authorUrl = maintainer
+    ? SEARCH_URL + '?text=maintainer:' + encodeURIComponent(maintainer) + '&size=1'
+    : null;
+
+  const [downloadsData, authorData] = await Promise.all([
+    fetchWithRetry(downloadsUrl),
+    authorUrl ? fetchWithRetry(authorUrl) : Promise.resolve(null)
+  ]);
+
+  const weeklyDownloads = downloadsData?.downloads ?? 0;
+  const authorPackageCount = authorData?.total ?? 0;
+
+  return {
+    created_at: createdAt,
+    age_days: ageDays,
+    weekly_downloads: weeklyDownloads,
+    author_package_count: authorPackageCount,
+    has_readme: hasReadme,
+    has_repository: hasRepository
+  };
+}
+
+module.exports = { getPackageMetadata };