muaddib-scanner 2.5.2 → 2.5.3

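--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "muaddib-scanner",
- "version": "2.5.2",
+ "version": "2.5.3",
  "description": "Supply-chain threat detection & response for npm & PyPI/Python",
  "main": "src/index.js",
  "bin": {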
@@ -171,14 +171,18 @@ async function runSingleSandbox(packageName, options = {}) {
171
171
  dockerArgs.push('-e', `CANARY_NPMRC_CONTENT=${createCanaryNpmrc(canaryTokens).replace(/\r?\n/g, '\\n')}`);
172
172
  }
173
173
 
174
- // Inject time offset and preload for monkey-patching
174
+ // Inject time offset (preload.js deferred to entry point in sandbox-runner.sh)
175
175
  dockerArgs.push('-e', `MUADDIB_TIME_OFFSET_MS=${timeOffset}`);
176
- dockerArgs.push('-e', 'NODE_OPTIONS=--require /opt/preload.js');
177
176
 
178
177
  // Both modes need NET_RAW for tcpdump (runs as root in entrypoint).
179
178
  // Strict mode also needs NET_ADMIN for iptables network blocking.
180
179
  // SYS_PTRACE is not needed: strace traces its own child (npm install via su).
180
+ // SETUID + SETGID required for su (privilege drop to sandboxuser).
181
+ // CHOWN required for chown in sandbox-runner.sh.
181
182
  dockerArgs.push('--cap-add=NET_RAW');
183
+ dockerArgs.push('--cap-add=SETUID');
184
+ dockerArgs.push('--cap-add=SETGID');
185
+ dockerArgs.push('--cap-add=CHOWN');
182
186
  if (strict) {
183
187
  dockerArgs.push('--cap-add=NET_ADMIN');
184
188
  }
@@ -188,9 +192,8 @@ async function runSingleSandbox(packageName, options = {}) {
188
192
  dockerArgs.push('--tmpfs', '/home/sandboxuser:rw,noexec,nosuid,size=16m');
189
193
  dockerArgs.push('--read-only');
190
194
 
191
- // Mount fake /proc/uptime to prevent time-based sandbox evasion (T1497.003)
192
- // Malware reads /proc/uptime to detect sandboxes (low uptime = sandbox)
193
- dockerArgs.push('--tmpfs', '/proc/uptime:ro,size=4k');
195
+ // /proc/uptime evasion (T1497.003) handled by preload.js monkey-patching
196
+ // (process.uptime, Date.now, performance.now, process.hrtime)
194
197
 
195
198
  dockerArgs.push('--security-opt', 'no-new-privileges');
196
199
 
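Review bot: The replacement comment in this hunk overstates what preload.js can cover: patching process.uptime, Date.now, performance.now and process.hrtime only masks reads made inside a Node process that actually loaded the preload, whereas the removed `--tmpfs /proc/uptime:ro,size=4k` masked the file for every reader, including a shell or Python install script or any child process a lifecycle script spawns. Since the hunk above also drops `NODE_OPTIONS=--require /opt/preload.js` and defers the preload to the entry point in sandbox-runner.sh (not visible here), whether child node processes inherit the patch now depends entirely on that script and is worth confirming. If the mount was removed because it conflicted with `--read-only` or the tmpfs flags, the comment should record that rather than claim equivalent coverage, e.g. `// NOTE: preload.js only masks uptime for Node code loaded through the preload; non-Node readers of /proc/uptime are no longer covered.` runSingleSandbox starts and ends outside this hunk.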
@@ -230,9 +233,21 @@ async function runSingleSandbox(packageName, options = {}) {
230
233
  }
231
234
  });
232
235
 
233
- proc.on('close', () => {
236
+ proc.on('close', (code) => {
234
237
  clearTimeout(timer);
235
238
 
239
+ // Docker-level failure: log error and return clean result
240
+ if (code !== 0 && !stdout.includes('---MUADDIB-REPORT-START---')) {
241
+ const errLines = stderr.split(/\r?\n/).filter(l => l && !l.includes('[SANDBOX]'));
242
+ if (errLines.length > 0) {
243
+ console.log(`[SANDBOX] Docker error (exit ${code}): ${errLines[0]}`);
244
+ } else {
245
+ console.log(`[SANDBOX] Container exited with code ${code} (no output)`);
246
+ }
247
+ resolve(cleanResult);
248
+ return;
249
+ }
250
+
236
251
  if (timedOut) {
237
252
  const result = {
238
253
  score: 100,