muaddib-scanner 2.5.4 → 2.5.5

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.5.4",
+  "version": "2.5.5",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/index.js

@@ -27,7 +27,7 @@ const { buildModuleGraph, annotateTaintedExports, detectCrossFileFlows } = requi
 const { computeReachableFiles } = require('./scanner/reachability.js');
 const { runTemporalAnalyses } = require('./temporal-runner.js');
 const { formatOutput } = require('./output-formatter.js');
-const { setExtraExcludes, getExtraExcludes, Spinner, listInstalledPackages, clearFileListCache } = require('./utils.js');
+const { setExtraExcludes, getExtraExcludes, Spinner, listInstalledPackages, clearFileListCache, debugLog } = require('./utils.js');
 const { SEVERITY_WEIGHTS, RISK_THRESHOLDS, MAX_RISK_SCORE, isPackageLevelThreat, computeGroupScore, applyFPReductions, calculateRiskScore } = require('./scoring.js');
 
 const { MAX_FILE_SIZE } = require('./shared/constants.js');
@@ -218,8 +218,9 @@ async function run(targetPath, options = {}) {
       const graph = await yieldThen(() => buildModuleGraph(targetPath));
       const tainted = await yieldThen(() => annotateTaintedExports(graph, targetPath));
       crossFileFlows = await yieldThen(() => detectCrossFileFlows(graph, tainted, targetPath));
-    } catch {
+    } catch (e) {
       // Graceful fallback — module graph is best-effort
+      debugLog('[MODULE-GRAPH] Error:', e && e.message);
     }
   }
 

package/src/sandbox/analyzer.js

@@ -22,6 +22,24 @@ const TWENTY_FOUR_HOURS_MS = 24 * ONE_HOUR_MS;
  * @param {string} logContent - Raw preload log content
  * @returns {{ score: number, findings: Array<{type: string, severity: string, detail: string, evidence: string}> }}
  */
+/**
+ * Validate that a log line has the expected [PRELOAD] CATEGORY: format.
+ * Rejects lines that don't match the expected structure to prevent
+ * log injection attacks where malware injects fake preload log lines.
+ */
+const VALID_CATEGORIES = new Set([
+  'INIT', 'TIME', 'TIMER', 'NETWORK', 'FS_READ', 'FS_WRITE',
+  'EXEC', 'ENV_ACCESS', 'NATIVE_ADDON', 'WORKER'
+]);
+
+function isValidPreloadLine(line) {
+  if (!line || !line.includes('[PRELOAD]')) return false;
+  // Must match format: [PRELOAD] CATEGORY: ... (t+NNNms)
+  const match = line.match(/^\[PRELOAD\]\s+(\w+):/);
+  if (!match) return false;
+  return VALID_CATEGORIES.has(match[1]);
+}
+
 function analyzePreloadLog(logContent) {
   const findings = [];
   let score = 0;
@@ -30,7 +48,7 @@ function analyzePreloadLog(logContent) {
     return { score: 0, findings: [] };
   }
 
-  const lines = logContent.split('\n').filter(l => l.includes('[PRELOAD]'));
+  const lines = logContent.split('\n').filter(l => isValidPreloadLine(l));
 
   // Categorize lines
   const timerLines = [];
@@ -201,4 +219,4 @@ function analyzePreloadLog(logContent) {
   };
 }
 
-module.exports = { analyzePreloadLog };
+module.exports = { analyzePreloadLog, isValidPreloadLine };

package/src/scanner/ast-detectors.js

@@ -30,7 +30,7 @@ const SAFE_ENV_VARS = [
 ];
 
 // Env var prefixes that are safe (npm metadata, locale settings)
-const SAFE_ENV_PREFIXES = ['npm_config_', 'npm_lifecycle_', 'npm_package_', 'lc_'];
+const SAFE_ENV_PREFIXES = ['npm_config_', 'npm_lifecycle_', 'npm_package_', 'lc_', 'muaddib_'];
 
 // Env var keywords to detect sensitive environment access (separate from SENSITIVE_STRINGS)
 const ENV_SENSITIVE_KEYWORDS = [

package/src/scanner/dataflow.js

@@ -140,7 +140,26 @@ function analyzeFile(content, filePath, basePath) {
   // Track exec calls whose result is captured (for command_output source detection)
   const execResultNodes = new Set();
 
+  // Fix #22: EventEmitter tracking — detect tainted emit → on patterns
+  const eventHandlers = new Map(); // eventName → { hasNetworkSink: boolean }
+  const emitTaintedEvents = new Set(); // event names emitted with tainted data
+
+  // Fix #23: Function param tainting — track function declarations
+  const functionDefs = new Map(); // functionName → { params: [paramNames] }
+
   walk.simple(ast, {
+    FunctionDeclaration(node) {
+      // Fix #23: Track function declarations for param tainting
+      if (node.id && node.id.name && node.params) {
+        const paramNames = node.params
+          .filter(p => p.type === 'Identifier')
+          .map(p => p.name);
+        if (paramNames.length > 0) {
+          functionDefs.set(node.id.name, { params: paramNames });
+        }
+      }
+    },
+
     VariableDeclarator(node) {
       if (node.id?.type === 'Identifier' && node.init) {
         if (containsSensitiveLiteral(node.init)) {
@@ -373,6 +392,62 @@ function analyzeFile(content, filePath, basePath) {
         }
       }
 
+      // Fix #22: EventEmitter tracking
+      if (node.callee.type === 'MemberExpression' && node.callee.property?.type === 'Identifier') {
+        const methodName = node.callee.property.name;
+
+        // Track .on('eventName', handler) — check if handler has network sink
+        if (methodName === 'on' && node.arguments.length >= 2) {
+          const eventArg = node.arguments[0];
+          if (eventArg.type === 'Literal' && typeof eventArg.value === 'string') {
+            const handler = node.arguments[1];
+            // Check if the handler body contains network sinks
+            let handlerHasSink = false;
+            if (handler.type === 'FunctionExpression' || handler.type === 'ArrowFunctionExpression') {
+              const bodyStr = content.slice(handler.start, handler.end);
+              handlerHasSink = /\b(request|fetch|https?\.get|https?\.request|dns\.resolve)\b/.test(bodyStr);
+            }
+            eventHandlers.set(eventArg.value, { hasNetworkSink: handlerHasSink });
+          }
+        }
+
+        // Track .emit('eventName', taintedData) — check if emitted data is tainted
+        if (methodName === 'emit' && node.arguments.length >= 2) {
+          const eventArg = node.arguments[0];
+          if (eventArg.type === 'Literal' && typeof eventArg.value === 'string') {
+            const dataArg = node.arguments[1];
+            if (dataArg.type === 'Identifier' && sensitivePathVars.has(dataArg.name)) {
+              emitTaintedEvents.add(eventArg.value);
+            }
+            // Also check taintMap
+            if (dataArg.type === 'Identifier') {
+              const taint = taintMap.get(dataArg.name);
+              if (taint && (taint.source === 'process.env' || MODULE_SOURCE_METHODS[taint.source])) {
+                emitTaintedEvents.add(eventArg.value);
+              }
+            }
+          }
+        }
+      }
+
+      // Fix #23: Function param tainting — propagate taint through function calls
+      if (node.callee.type === 'Identifier' && functionDefs.has(node.callee.name)) {
+        const funcDef = functionDefs.get(node.callee.name);
+        for (let i = 0; i < node.arguments.length && i < funcDef.params.length; i++) {
+          const arg = node.arguments[i];
+          if (arg.type === 'Identifier') {
+            // Check if argument is tainted
+            const argTaint = taintMap.get(arg.name);
+            if (argTaint && (argTaint.source === 'process.env' || MODULE_SOURCE_METHODS[argTaint.source])) {
+              sensitivePathVars.add(funcDef.params[i]);
+            }
+            if (sensitivePathVars.has(arg.name)) {
+              sensitivePathVars.add(funcDef.params[i]);
+            }
+          }
+        }
+      }
+
       // Exec callback: exec('cmd', (err, stdout) => {...}) — output will be used
       if (!execResultNodes.has(node) && node.arguments.length >= 2) {
         const lastArg = node.arguments[node.arguments.length - 1];
@@ -471,6 +546,25 @@ function analyzeFile(content, filePath, basePath) {
     }
   });
 
+  // Fix #22: EventEmitter compound detection
+  for (const eventName of emitTaintedEvents) {
+    const handler = eventHandlers.get(eventName);
+    if (handler && handler.hasNetworkSink) {
+      sources.push({
+        type: 'credential_read',
+        name: `EventEmitter.emit('${eventName}')`,
+        line: 0,
+        taint_tracked: true
+      });
+      sinks.push({
+        type: 'network_send',
+        name: `EventEmitter.on('${eventName}') handler`,
+        line: 0,
+        taint_tracked: true
+      });
+    }
+  }
+
   // Check if any source or sink was resolved via taint tracking
   const hasTaintTracked = sources.some(s => s.taint_tracked) || sinks.some(s => s.taint_tracked);
 
@@ -613,9 +707,13 @@ const SYSTEM_IDENTITY_ENVS = new Set([
   'USERPROFILE', 'COMPUTERNAME', 'WHOAMI'
 ]);
 
+// Env var prefixes for tool-internal configuration (not external credentials)
+const SAFE_ENV_PREFIXES = ['MUADDIB_', 'npm_config_', 'npm_lifecycle_', 'npm_package_'];
+
 function isSensitiveEnv(name) {
   const upper = name.toUpperCase();
   if (SYSTEM_IDENTITY_ENVS.has(upper)) return true;
+  if (SAFE_ENV_PREFIXES.some(p => upper.startsWith(p))) return false;
   const sensitive = ['TOKEN', 'SECRET', 'KEY', 'PASSWORD', 'CREDENTIAL', 'AUTH', 'NPM', 'AWS', 'AZURE', 'GCP'];
   return sensitive.some(s => upper.includes(s));
 }

package/src/scanner/deobfuscate.js

@@ -581,4 +581,71 @@ function isPrintable(str) {
   return (controlCount / str.length) < 0.2;
 }
 
-module.exports = { deobfuscate };
+/**
+ * Detect control flow flattening obfuscation pattern.
+ * Pattern: while(true/1) { switch(var) { case N: ...; var = M; break; ... } }
+ * Returns true if the pattern is detected.
+ * @param {string} sourceCode — raw JS source
+ * @returns {boolean}
+ */
+function detectControlFlowFlattening(sourceCode) {
+  const ast = safeParse(sourceCode, { ranges: true });
+  if (!ast) return false;
+
+  let found = false;
+  walk.simple(ast, {
+    WhileStatement(node) {
+      if (found) return;
+      // Check for while(true) or while(1)
+      const test = node.test;
+      const isInfinite = (test.type === 'Literal' && (test.value === true || test.value === 1))
+        || (test.type === 'Identifier' && test.name === 'true');
+      if (!isInfinite) return;
+
+      // Body should contain a SwitchStatement
+      const body = node.body;
+      let switchNode = null;
+      if (body.type === 'SwitchStatement') {
+        switchNode = body;
+      } else if (body.type === 'BlockStatement' && body.body) {
+        switchNode = body.body.find(s => s.type === 'SwitchStatement');
+      }
+      if (!switchNode || !switchNode.cases) return;
+
+      // Need at least 3 cases for CFF pattern
+      if (switchNode.cases.length < 3) return;
+
+      // Check for state variable reassignment in at least 2 cases
+      const discriminant = switchNode.discriminant;
+      if (!discriminant) return;
+      let stateVarName = null;
+      if (discriminant.type === 'Identifier') {
+        stateVarName = discriminant.name;
+      } else if (discriminant.type === 'MemberExpression' && discriminant.property?.type === 'Identifier') {
+        stateVarName = discriminant.property.name;
+      }
+      if (!stateVarName) return;
+
+      // Count cases that reassign the state variable
+      let reassignCount = 0;
+      for (const c of switchNode.cases) {
+        if (!c.consequent) continue;
+        const caseSource = sourceCode.slice(c.start, c.end);
+        // Look for stateVar = <number> pattern
+        const reassignRe = new RegExp('\\b' + stateVarName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&') + '\\s*=\\s*\\d+');
+        if (reassignRe.test(caseSource)) {
+          reassignCount++;
+        }
+      }
+
+      // CFF pattern: at least 2 cases reassign the state variable
+      if (reassignCount >= 2) {
+        found = true;
+      }
+    }
+  });
+
+  return found;
+}
+
+module.exports = { deobfuscate, detectControlFlowFlattening };

package/src/scanner/module-graph.js

@@ -63,18 +63,43 @@ function extractLocalImports(filePath, packagePath) {
   return [...new Set(imports)];
 }
 
+/**
+ * Try to resolve string concatenation in require arguments.
+ * require('./a' + '/b') → './a/b'
+ * @param {Object} node - BinaryExpression AST node
+ * @returns {string|null} Resolved string or null
+ */
+function tryResolveConcatRequire(node, depth) {
+  if (depth === undefined) depth = 0;
+  if (depth > 20) return null;
+  if (node.type === 'Literal' && typeof node.value === 'string') return node.value;
+  if (node.type === 'BinaryExpression' && node.operator === '+') {
+    const left = tryResolveConcatRequire(node.left, depth + 1);
+    if (left === null) return null;
+    const right = tryResolveConcatRequire(node.right, depth + 1);
+    if (right === null) return null;
+    return left + right;
+  }
+  return null;
+}
+
 function walkForRequires(node, fileDir, packagePath, imports) {
   if (!node || typeof node !== 'object') return;
   if (
     node.type === 'CallExpression' &&
     node.callee && node.callee.type === 'Identifier' &&
     node.callee.name === 'require' &&
-    node.arguments.length === 1 &&
-    node.arguments[0].type === 'Literal' &&
-    typeof node.arguments[0].value === 'string'
+    node.arguments.length === 1
   ) {
-    const spec = node.arguments[0].value;
-    if (isLocalImport(spec)) {
+    const arg = node.arguments[0];
+    let spec = null;
+    if (arg.type === 'Literal' && typeof arg.value === 'string') {
+      spec = arg.value;
+    } else if (arg.type === 'BinaryExpression') {
+      // Fix #25: Resolve simple string concatenation in require args
+      spec = tryResolveConcatRequire(arg);
+    }
+    if (spec && isLocalImport(spec)) {
       const resolved = resolveLocal(fileDir, spec, packagePath);
       if (resolved) imports.push(resolved);
     }
@@ -420,7 +445,7 @@ function expandTaintThroughReexports(graph, taintedExports, packagePath) {
     expanded[f] = { ...taintedExports[f] };
   }
 
-  for (let level = 0; level < 2; level++) {
+  for (let level = 0; level < 4; level++) {
     let changed = false;
     for (const relFile of Object.keys(graph)) {
       const absFile = path.resolve(packagePath, relFile);
@@ -878,5 +903,6 @@ function toRel(abs, packagePath) {
 
 module.exports = {
   buildModuleGraph, annotateTaintedExports, detectCrossFileFlows,
-  resolveLocal, extractLocalImports, parseFile, isLocalImport, toRel, isFileExists
+  resolveLocal, extractLocalImports, parseFile, isLocalImport, toRel, isFileExists,
+  tryResolveConcatRequire
 };

package/src/scoring.js

@@ -283,13 +283,25 @@ function calculateRiskScore(deduped) {
   // 4. Compute package-level score (typosquat, lifecycle, dependency IOC, etc.)
   const packageScore = computeGroupScore(packageLevelThreats);
 
-  // 5. Final score = max file score + package-level score, capped at 100
-  const riskScore = Math.min(MAX_RISK_SCORE, maxFileScore + packageScore);
+  // 5. Cross-file bonus: aggregate signal from non-max files
+  // A package with 3 files each scoring 20 is more suspicious than 1 file scoring 20.
+  // Add 25% of each non-max file's score as a bonus, capped at 25.
+  const sortedScores = Object.values(fileScores).sort((a, b) => b - a);
+  let crossFileBonus = 0;
+  if (sortedScores.length > 1) {
+    for (let i = 1; i < sortedScores.length; i++) {
+      crossFileBonus += Math.ceil(sortedScores[i] * 0.25);
+    }
+    crossFileBonus = Math.min(crossFileBonus, 25);
+  }
+
+  // 6. Final score = max file score + cross-file bonus + package-level score, capped at 100
+  const riskScore = Math.min(MAX_RISK_SCORE, maxFileScore + crossFileBonus + packageScore);
 
-  // 6. Old global score for comparison (sum of ALL findings)
+  // 7. Old global score for comparison (sum of ALL findings)
   const globalRiskScore = computeGroupScore(deduped);
 
-  // 7. Severity counts (global, for summary display)
+  // 8. Severity counts (global, for summary display)
   const criticalCount = deduped.filter(t => t.severity === 'CRITICAL').length;
   const highCount = deduped.filter(t => t.severity === 'HIGH').length;
   const mediumCount = deduped.filter(t => t.severity === 'MEDIUM').length;
@@ -303,7 +315,7 @@ function calculateRiskScore(deduped) {
 
   return {
     riskScore, riskLevel, globalRiskScore,
-    maxFileScore, packageScore, mostSuspiciousFile, fileScores,
+    maxFileScore, crossFileBonus, packageScore, mostSuspiciousFile, fileScores,
     criticalCount, highCount, mediumCount, lowCount
   };
 }

package/src/shared/download.js

@@ -82,6 +82,38 @@ function isAllowedDownloadRedirect(redirectUrl) {
   }
 }
 
+/**
+ * Check if an IP address is private/internal.
+ */
+function isPrivateIP(ip) {
+  const normalized = normalizeHostname(ip);
+  return PRIVATE_IP_PATTERNS.some(p => p.test(normalized));
+}
+
+/**
+ * Resolve hostname to IP and validate it's not a private address.
+ * Prevents DNS rebinding attacks where a domain initially resolves to
+ * a public IP but later rebinds to a private IP.
+ */
+async function safeDnsResolve(hostname) {
+  // Skip for IP addresses (already validated in isAllowedDownloadRedirect)
+  if (/^(\d{1,3}\.){3}\d{1,3}$/.test(hostname)) {
+    if (isPrivateIP(hostname)) throw new Error(`DNS rebinding blocked: ${hostname} is private`);
+    return hostname;
+  }
+  const dns = require('dns');
+  const addresses = await dns.promises.resolve4(hostname);
+  if (!addresses || addresses.length === 0) {
+    throw new Error(`DNS resolution failed for ${hostname}`);
+  }
+  for (const addr of addresses) {
+    if (isPrivateIP(addr)) {
+      throw new Error(`DNS rebinding blocked: ${hostname} resolved to private IP ${addr}`);
+    }
+  }
+  return addresses[0];
+}
+
 /**
  * Download a file from HTTPS URL to disk, with SSRF-safe redirect handling.
  * @param {string} url - Source URL (must be HTTPS)
@@ -90,60 +122,64 @@ function isAllowedDownloadRedirect(redirectUrl) {
  * @returns {Promise<number>} Number of bytes downloaded
  */
 function downloadToFile(url, destPath, timeoutMs = DOWNLOAD_TIMEOUT) {
-  return new Promise((resolve, reject) => {
-    const doRequest = (requestUrl) => {
-      const req = https.get(requestUrl, { timeout: timeoutMs }, (res) => {
-        if (res.statusCode === 301 || res.statusCode === 302) {
-          res.resume();
-          const location = res.headers.location;
-          if (!location) return reject(new Error(`Redirect without Location for ${requestUrl}`));
-          // Resolve relative redirects against the request URL
-          const absoluteLocation = new URL(location, requestUrl).href;
-          const check = isAllowedDownloadRedirect(absoluteLocation);
-          if (!check.allowed) {
-            return reject(new Error(check.error));
+  // DNS rebinding protection: validate hostname before connecting
+  const parsedUrl = new URL(url);
+  return safeDnsResolve(parsedUrl.hostname).then(() => {
+    return new Promise((resolve, reject) => {
+      const doRequest = (requestUrl) => {
+        const req = https.get(requestUrl, { timeout: timeoutMs }, (res) => {
+          if (res.statusCode === 301 || res.statusCode === 302) {
+            res.resume();
+            const location = res.headers.location;
+            if (!location) return reject(new Error(`Redirect without Location for ${requestUrl}`));
+            // Resolve relative redirects against the request URL
+            const absoluteLocation = new URL(location, requestUrl).href;
+            const check = isAllowedDownloadRedirect(absoluteLocation);
+            if (!check.allowed) {
+              return reject(new Error(check.error));
+            }
+            return doRequest(absoluteLocation);
+          }
+          if (res.statusCode < 200 || res.statusCode >= 300) {
+            res.resume();
+            return reject(new Error(`HTTP ${res.statusCode} for ${requestUrl}`));
           }
-          return doRequest(absoluteLocation);
-        }
-        if (res.statusCode < 200 || res.statusCode >= 300) {
-          res.resume();
-          return reject(new Error(`HTTP ${res.statusCode} for ${requestUrl}`));
-        }
-        const contentLength = parseInt(res.headers['content-length'], 10);
-        if (contentLength && contentLength > MAX_TARBALL_SIZE) {
-          res.resume();
-          return reject(new Error(`Package too large: ${contentLength} bytes (max ${MAX_TARBALL_SIZE})`));
-        }
-        const fileStream = fs.createWriteStream(destPath);
-        let downloadedBytes = 0;
-        res.on('data', (chunk) => {
-          downloadedBytes += chunk.length;
-          if (downloadedBytes > MAX_TARBALL_SIZE) {
-            res.destroy();
+          const contentLength = parseInt(res.headers['content-length'], 10);
+          if (contentLength && contentLength > MAX_TARBALL_SIZE) {
+            res.resume();
+            return reject(new Error(`Package too large: ${contentLength} bytes (max ${MAX_TARBALL_SIZE})`));
+          }
+          const fileStream = fs.createWriteStream(destPath);
+          let downloadedBytes = 0;
+          res.on('data', (chunk) => {
+            downloadedBytes += chunk.length;
+            if (downloadedBytes > MAX_TARBALL_SIZE) {
+              res.destroy();
+              fileStream.destroy();
+              try { fs.unlinkSync(destPath); } catch {}
+              reject(new Error(`Package too large: ${downloadedBytes}+ bytes (max ${MAX_TARBALL_SIZE})`));
+            }
+          });
+          res.pipe(fileStream);
+          fileStream.on('finish', () => resolve(downloadedBytes));
+          fileStream.on('error', (err) => {
+            try { fs.unlinkSync(destPath); } catch {}
+            reject(err);
+          });
+          res.on('error', (err) => {
             fileStream.destroy();
             try { fs.unlinkSync(destPath); } catch {}
-            reject(new Error(`Package too large: ${downloadedBytes}+ bytes (max ${MAX_TARBALL_SIZE})`));
-          }
-        });
-        res.pipe(fileStream);
-        fileStream.on('finish', () => resolve(downloadedBytes));
-        fileStream.on('error', (err) => {
-          try { fs.unlinkSync(destPath); } catch {}
-          reject(err);
+            reject(err);
+          });
         });
-        res.on('error', (err) => {
-          fileStream.destroy();
-          try { fs.unlinkSync(destPath); } catch {}
-          reject(err);
+        req.on('error', reject);
+        req.on('timeout', () => {
+          req.destroy();
+          reject(new Error(`Timeout downloading ${requestUrl}`));
         });
-      });
-      req.on('error', reject);
-      req.on('timeout', () => {
-        req.destroy();
-        reject(new Error(`Timeout downloading ${requestUrl}`));
-      });
-    };
-    doRequest(url);
+      };
+      doRequest(url);
+    });
   });
 }
 
@@ -204,6 +240,8 @@ module.exports = {
   sanitizePackageName,
   isAllowedDownloadRedirect,
   normalizeHostname,
+  isPrivateIP,
+  safeDnsResolve,
   ALLOWED_DOWNLOAD_DOMAINS,
   PRIVATE_IP_PATTERNS
 };