muaddib-scanner 2.5.2 → 2.5.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.5.2",
+  "version": "2.5.4",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/sandbox/analyzer.js

@@ -2,7 +2,7 @@
  * MUAD'DIB Sandbox Preload Log Analyzer
  *
  * Parses [PRELOAD] log lines produced by docker/preload.js and generates
- * scored findings for behavioral analysis. Six detection rules:
+ * scored findings for behavioral analysis. Seven detection rules:
  *
  *   1. sandbox_timer_delay_suspicious — timer delay > 1h (MEDIUM, +15)
  *   2. sandbox_timer_delay_critical   — timer delay > 24h (CRITICAL, +30, supersedes #1)
@@ -10,6 +10,7 @@
  *   4. sandbox_network_after_sensitive_read — network call after sensitive read (CRITICAL, +40)
  *   5. sandbox_exec_suspicious        — dangerous command execution (HIGH, +25)
  *   6. sandbox_env_token_access       — sensitive env var access (MEDIUM, +10)
+ *   7. sandbox_native_addon_load      — native .node addon loaded (MEDIUM, +15)
  */
 
 const ONE_HOUR_MS = 3600000;
@@ -38,6 +39,7 @@ function analyzePreloadLog(logContent) {
   const networkLines = [];
   const execLines = [];
   const envLines = [];
+  const nativeAddonLines = [];
 
   for (const line of lines) {
     if (line.includes('TIMER:')) {
@@ -52,6 +54,8 @@ function analyzePreloadLog(logContent) {
       execLines.push(line);
     } else if (line.includes('ENV_ACCESS:')) {
       envLines.push(line);
+    } else if (line.includes('NATIVE_ADDON:')) {
+      nativeAddonLines.push(line);
     }
   }
 
@@ -173,6 +177,24 @@ function analyzePreloadLog(logContent) {
     });
   }
 
+  // ── Rule 7: Native addon loading ──
+  // Native addons (.node files) can bypass all JS monkey-patches via syscalls.
+  // Flag their loading so analysts know time-based evasion may be undetected.
+  if (nativeAddonLines.length > 0) {
+    const addons = nativeAddonLines.map(l => {
+      const m = l.match(/process\.dlopen:\s*(.+?)(?:\s+\(t\+|$)/);
+      return m ? m[1].trim() : 'unknown';
+    });
+
+    score += 15;
+    findings.push({
+      type: 'sandbox_native_addon_load',
+      severity: 'MEDIUM',
+      detail: `Native addon loaded (${addons.length}): time-based evasion via syscalls possible`,
+      evidence: addons.join(', ')
+    });
+  }
+
   return {
     score: Math.min(100, score),
     findings

package/src/sandbox/index.js

@@ -171,14 +171,18 @@ async function runSingleSandbox(packageName, options = {}) {
       dockerArgs.push('-e', `CANARY_NPMRC_CONTENT=${createCanaryNpmrc(canaryTokens).replace(/\r?\n/g, '\\n')}`);
     }
 
-    // Inject time offset and preload for monkey-patching
+    // Inject time offset (preload.js deferred to entry point in sandbox-runner.sh)
     dockerArgs.push('-e', `MUADDIB_TIME_OFFSET_MS=${timeOffset}`);
-    dockerArgs.push('-e', 'NODE_OPTIONS=--require /opt/preload.js');
 
     // Both modes need NET_RAW for tcpdump (runs as root in entrypoint).
     // Strict mode also needs NET_ADMIN for iptables network blocking.
     // SYS_PTRACE is not needed: strace traces its own child (npm install via su).
+    // SETUID + SETGID required for su (privilege drop to sandboxuser).
+    // CHOWN required for chown in sandbox-runner.sh.
     dockerArgs.push('--cap-add=NET_RAW');
+    dockerArgs.push('--cap-add=SETUID');
+    dockerArgs.push('--cap-add=SETGID');
+    dockerArgs.push('--cap-add=CHOWN');
     if (strict) {
       dockerArgs.push('--cap-add=NET_ADMIN');
     }
@@ -188,9 +192,8 @@ async function runSingleSandbox(packageName, options = {}) {
     dockerArgs.push('--tmpfs', '/home/sandboxuser:rw,noexec,nosuid,size=16m');
     dockerArgs.push('--read-only');
 
-    // Mount fake /proc/uptime to prevent time-based sandbox evasion (T1497.003)
-    // Malware reads /proc/uptime to detect sandboxes (low uptime = sandbox)
-    dockerArgs.push('--tmpfs', '/proc/uptime:ro,size=4k');
+    // /proc/uptime evasion (T1497.003) handled by preload.js monkey-patching
+    // (process.uptime, Date.now, performance.now, process.hrtime)
 
     dockerArgs.push('--security-opt', 'no-new-privileges');
 
@@ -230,9 +233,21 @@ async function runSingleSandbox(packageName, options = {}) {
       }
     });
 
-    proc.on('close', () => {
+    proc.on('close', (code) => {
       clearTimeout(timer);
 
+      // Docker-level failure: log error and return clean result
+      if (code !== 0 && !stdout.includes('---MUADDIB-REPORT-START---')) {
+        const errLines = stderr.split(/\r?\n/).filter(l => l && !l.includes('[SANDBOX]'));
+        if (errLines.length > 0) {
+          console.log(`[SANDBOX] Docker error (exit ${code}): ${errLines[0]}`);
+        } else {
+          console.log(`[SANDBOX] Container exited with code ${code} (no output)`);
+        }
+        resolve(cleanResult);
+        return;
+      }
+
       if (timedOut) {
         const result = {
           score: 100,

package/src/scanner/ast-detectors.js

@@ -862,6 +862,81 @@ function handleCallExpression(node, ctx) {
     }
   }
 
+  // Detect eval.call(null, code) / eval.apply(null, [code]) / Function.call/apply
+  if (node.callee.type === 'MemberExpression' && !node.callee.computed &&
+      node.callee.property?.type === 'Identifier' &&
+      (node.callee.property.name === 'call' || node.callee.property.name === 'apply')) {
+    const obj = node.callee.object;
+    if (obj?.type === 'Identifier' && (obj.name === 'eval' || obj.name === 'Function')) {
+      ctx.hasEvalInFile = true;
+      ctx.hasDynamicExec = true;
+      ctx.threats.push({
+        type: obj.name === 'eval' ? 'dangerous_call_eval' : 'dangerous_call_function',
+        severity: 'HIGH',
+        message: `${obj.name}.${node.callee.property.name}() — indirect execution via call/apply evasion technique.`,
+        file: ctx.relFile
+      });
+    }
+  }
+
+  // Detect array access pattern: [require][0]('child_process') or [eval][0](code)
+  if (node.callee.type === 'MemberExpression' && node.callee.computed &&
+      node.callee.object?.type === 'ArrayExpression' &&
+      node.callee.property?.type === 'Literal' && typeof node.callee.property.value === 'number') {
+    const elements = node.callee.object.elements;
+    for (const el of elements) {
+      if (el?.type === 'Identifier') {
+        if (el.name === 'eval') {
+          ctx.hasEvalInFile = true;
+          ctx.hasDynamicExec = true;
+          ctx.threats.push({
+            type: 'dangerous_call_eval',
+            severity: 'HIGH',
+            message: '[eval][0]() — array access evasion technique for indirect eval execution.',
+            file: ctx.relFile
+          });
+        } else if (el.name === 'require') {
+          ctx.threats.push({
+            type: 'dynamic_require',
+            severity: 'HIGH',
+            message: '[require][0]() — array access evasion technique for indirect require.',
+            file: ctx.relFile
+          });
+        } else if (el.name === 'Function') {
+          ctx.hasDynamicExec = true;
+          ctx.threats.push({
+            type: 'dangerous_call_function',
+            severity: 'MEDIUM',
+            message: '[Function][0]() — array access evasion technique for indirect Function construction.',
+            file: ctx.relFile
+          });
+        }
+      }
+    }
+  }
+
+  // Detect new Proxy(require, handler) — proxy wrapping require to intercept module loading
+  if (node.callee.type === 'Identifier' && node.callee.name !== 'Proxy') {
+    // handled below in handleNewExpression
+  }
+
+  // Detect template literals in exec/execSync: execSync(`${cmd}`)
+  if ((execName || memberExec) && node.arguments.length > 0) {
+    const arg = node.arguments[0];
+    if (arg.type === 'TemplateLiteral' && arg.expressions.length > 0) {
+      // Template literal with dynamic expressions in exec — bypass for string matching
+      const staticParts = arg.quasis.map(q => q.value.raw).join('');
+      if (DANGEROUS_CMD_PATTERNS.some(p => p.test(staticParts))) {
+        ctx.threats.push({
+          type: 'dangerous_exec',
+          severity: 'CRITICAL',
+          message: `Dangerous command in template literal exec(): "${staticParts.substring(0, 80)}" — template literal evasion.`,
+          file: ctx.relFile
+        });
+      }
+    }
+  }
+
   // Detect indirect eval/Function via computed property
   if (node.callee.type === 'MemberExpression' && node.callee.computed) {
     const prop = node.callee.property;
@@ -1058,6 +1133,15 @@ function handleNewExpression(node, ctx) {
         file: ctx.relFile
       });
     }
+    // Detect new Proxy(require, handler) — intercept module loading
+    if (target.type === 'Identifier' && target.name === 'require') {
+      ctx.threats.push({
+        type: 'dynamic_require',
+        severity: 'HIGH',
+        message: 'new Proxy(require) — proxy wrapping require to intercept/redirect module loading.',
+        file: ctx.relFile
+      });
+    }
   }
 }
 
@@ -1119,6 +1203,54 @@ function handleLiteral(node, ctx) {
 }
 
 function handleAssignmentExpression(node, ctx) {
+  // Detect object property indirection: obj.exec = require('child_process').exec
+  // or obj.fn = eval — stashing dangerous functions in object properties
+  if (node.left?.type === 'MemberExpression' && node.right) {
+    const propName = node.left.property?.type === 'Identifier' ? node.left.property.name :
+                     (node.left.property?.type === 'Literal' ? String(node.left.property.value) : null);
+
+    if (propName) {
+      // Assigning require('child_process') or its methods to an object property
+      if (node.right.type === 'CallExpression' && getCallName(node.right) === 'require' &&
+          node.right.arguments.length > 0 && node.right.arguments[0]?.type === 'Literal') {
+        const mod = node.right.arguments[0].value;
+        if (mod === 'child_process' || mod === 'fs' || mod === 'net' || mod === 'dns') {
+          ctx.threats.push({
+            type: 'dynamic_require',
+            severity: 'HIGH',
+            message: `Object property indirection: ${propName} = require('${mod}') — hiding dangerous module in object property.`,
+            file: ctx.relFile
+          });
+        }
+      }
+      // Assigning require('child_process').exec to an object property
+      if (node.right.type === 'MemberExpression' && node.right.object?.type === 'CallExpression' &&
+          getCallName(node.right.object) === 'require' &&
+          node.right.object.arguments.length > 0 && node.right.object.arguments[0]?.type === 'Literal' &&
+          node.right.object.arguments[0].value === 'child_process') {
+        const method = node.right.property?.type === 'Identifier' ? node.right.property.name : null;
+        if (method && ['exec', 'execSync', 'spawn', 'execFile'].includes(method)) {
+          ctx.threats.push({
+            type: 'dangerous_exec',
+            severity: 'HIGH',
+            message: `Object property indirection: ${propName} = require('child_process').${method} — hiding exec in object property.`,
+            file: ctx.relFile
+          });
+        }
+      }
+      // Assigning eval or Function to an object property
+      if (node.right.type === 'Identifier' && (node.right.name === 'eval' || node.right.name === 'Function')) {
+        ctx.hasDynamicExec = true;
+        ctx.threats.push({
+          type: node.right.name === 'eval' ? 'dangerous_call_eval' : 'dangerous_call_function',
+          severity: 'HIGH',
+          message: `Object property indirection: ${propName} = ${node.right.name} — stashing dangerous function in object property.`,
+          file: ctx.relFile
+        });
+      }
+    }
+  }
+
   if (node.left?.type === 'MemberExpression') {
     const left = node.left;
 
@@ -1375,6 +1507,33 @@ function handlePostWalk(ctx) {
   }
 }
 
+function handleWithStatement(node, ctx) {
+  // with(require('child_process')) exec(cmd) — scope injection evasion
+  // The with() statement makes all properties of the object available as local variables.
+  // When used with require(), it allows calling exec(), spawn() etc. without explicit reference.
+  if (node.object?.type === 'CallExpression' && getCallName(node.object) === 'require') {
+    const arg = node.object.arguments[0];
+    const modName = arg?.type === 'Literal' ? arg.value : null;
+    const dangerousModules = ['child_process', 'fs', 'http', 'https', 'net', 'dns'];
+    if (modName && dangerousModules.includes(modName)) {
+      ctx.hasDynamicExec = true;
+      ctx.threats.push({
+        type: 'dangerous_exec',
+        severity: 'CRITICAL',
+        message: `with(require('${modName}')) — scope injection evasion: all module methods available as local variables.`,
+        file: ctx.relFile
+      });
+    } else if (!modName) {
+      ctx.threats.push({
+        type: 'dynamic_require',
+        severity: 'HIGH',
+        message: 'with(require(...)) — scope injection with dynamic module. Evasion technique.',
+        file: ctx.relFile
+      });
+    }
+  }
+}
+
 module.exports = {
   handleVariableDeclarator,
   handleCallExpression,
@@ -1383,5 +1542,6 @@ module.exports = {
   handleLiteral,
   handleAssignmentExpression,
   handleMemberExpression,
+  handleWithStatement,
   handlePostWalk
 };

package/src/scanner/ast.js

@@ -11,6 +11,7 @@ const {
   handleLiteral,
   handleAssignmentExpression,
   handleMemberExpression,
+  handleWithStatement,
   handlePostWalk
 } = require('./ast-detectors.js');
 
@@ -121,7 +122,8 @@ function analyzeFile(content, filePath, basePath) {
     NewExpression(node) { handleNewExpression(node, ctx); },
     Literal(node) { handleLiteral(node, ctx); },
     AssignmentExpression(node) { handleAssignmentExpression(node, ctx); },
-    MemberExpression(node) { handleMemberExpression(node, ctx); }
+    MemberExpression(node) { handleMemberExpression(node, ctx); },
+    WithStatement(node) { handleWithStatement(node, ctx); }
   });
 
   // FIX 5: DNS chunk exfiltration — verify dns.resolve* is inside a loop body