muaddib-scanner 2.5.5 → 2.5.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.5.5",
+  "version": "2.5.6",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/index.js

@@ -30,7 +30,8 @@ const { formatOutput } = require('./output-formatter.js');
 const { setExtraExcludes, getExtraExcludes, Spinner, listInstalledPackages, clearFileListCache, debugLog } = require('./utils.js');
 const { SEVERITY_WEIGHTS, RISK_THRESHOLDS, MAX_RISK_SCORE, isPackageLevelThreat, computeGroupScore, applyFPReductions, calculateRiskScore } = require('./scoring.js');
 
-const { MAX_FILE_SIZE } = require('./shared/constants.js');
+const { MAX_FILE_SIZE, safeParse } = require('./shared/constants.js');
+const walk = require('acorn-walk');
 
 // Timeout constants for scan safety
 const SCANNER_TIMEOUT = 15000;  // 15s per individual scanner
@@ -40,27 +41,169 @@ const SCAN_TIMEOUT = 60000;     // 60s global scan timeout
 function scanParanoid(targetPath) {
   const threats = [];
 
-  function scanFile(filePath) {
+  // AST-based paranoid detection patterns
+  const PARANOID_AST_DETECTORS = {
+    network_access: {
+      callNames: new Set(['fetch', 'axios']),
+      memberPatterns: [
+        { obj: 'http', prop: 'request' }, { obj: 'http', prop: 'get' },
+        { obj: 'https', prop: 'request' }, { obj: 'https', prop: 'get' },
+        { obj: 'net', prop: 'connect' }
+      ],
+      newNames: new Set(['XMLHttpRequest'])
+    },
+    sensitive_file_access: {
+      sensitiveStrings: ['.env', '.npmrc', '.ssh', '.git', 'id_rsa', 'credentials', 'secrets']
+    },
+    dynamic_execution: {
+      callNames: new Set(['eval']),
+      newNames: new Set(['Function']),
+      memberPatterns: [
+        { obj: 'vm', prop: 'runInContext' }, { obj: 'vm', prop: 'runInNewContext' },
+        { obj: 'vm', prop: 'runInThisContext' }
+      ]
+    },
+    subprocess: {
+      callNames: new Set(['exec', 'execSync', 'spawn', 'spawnSync', 'fork', 'execFile', 'execFileSync']),
+      memberPatterns: [
+        { obj: 'child_process', prop: 'exec' }, { obj: 'child_process', prop: 'execSync' },
+        { obj: 'child_process', prop: 'spawn' }, { obj: 'child_process', prop: 'fork' }
+      ]
+    },
+    env_access: {
+      memberPatterns: [{ obj: 'process', prop: 'env' }]
+    }
+  };
+
+  function scanFileAST(filePath) {
     try {
       const stat = fs.statSync(filePath);
       if (stat.size > MAX_FILE_SIZE) return;
       const content = fs.readFileSync(filePath, 'utf8');
+      const relFile = path.relative(targetPath, filePath);
 
-      // Ignore URLs (they often contain patterns like .git)
-      const contentWithoutUrls = content.replace(/https?:\/\/[^\s"']+/g, '');
+      const ast = safeParse(content);
+      if (!ast) {
+        // Parse failed — fall back to content matching for this file
+        scanFileContent(filePath, content, relFile);
+        return;
+      }
 
-      for (const [, rule] of Object.entries(PARANOID_RULES)) {
-        for (const pattern of rule.patterns) {
-          if (contentWithoutUrls.includes(pattern)) {
+      const found = new Set(); // deduplicate: one finding per rule per file
+
+      walk.simple(ast, {
+        CallExpression(node) {
+          // Direct calls: eval(), exec(), fetch(), etc.
+          if (node.callee.type === 'Identifier') {
+            const name = node.callee.name;
+            for (const [ruleKey, detector] of Object.entries(PARANOID_AST_DETECTORS)) {
+              if (detector.callNames && detector.callNames.has(name) && !found.has(ruleKey)) {
+                found.add(ruleKey);
+                const rule = PARANOID_RULES[ruleKey];
+                threats.push({
+                  type: rule.id, severity: rule.severity.toUpperCase(),
+                  message: `${rule.message}: "${name}"`, file: relFile, mitre: rule.mitre
+                });
+              }
+            }
+          }
+          // Member calls: http.request(), child_process.exec(), etc.
+          if (node.callee.type === 'MemberExpression' &&
+              node.callee.object?.type === 'Identifier' &&
+              node.callee.property?.type === 'Identifier') {
+            const obj = node.callee.object.name;
+            const prop = node.callee.property.name;
+            for (const [ruleKey, detector] of Object.entries(PARANOID_AST_DETECTORS)) {
+              if (detector.memberPatterns &&
+                  detector.memberPatterns.some(m => m.obj === obj && m.prop === prop) &&
+                  !found.has(ruleKey)) {
+                found.add(ruleKey);
+                const rule = PARANOID_RULES[ruleKey];
+                threats.push({
+                  type: rule.id, severity: rule.severity.toUpperCase(),
+                  message: `${rule.message}: "${obj}.${prop}"`, file: relFile, mitre: rule.mitre
+                });
+              }
+            }
+          }
+        },
+        NewExpression(node) {
+          if (node.callee.type === 'Identifier') {
+            const name = node.callee.name;
+            for (const [ruleKey, detector] of Object.entries(PARANOID_AST_DETECTORS)) {
+              if (detector.newNames && detector.newNames.has(name) && !found.has(ruleKey)) {
+                found.add(ruleKey);
+                const rule = PARANOID_RULES[ruleKey];
+                threats.push({
+                  type: rule.id, severity: rule.severity.toUpperCase(),
+                  message: `${rule.message}: "new ${name}"`, file: relFile, mitre: rule.mitre
+                });
+              }
+            }
+          }
+        },
+        MemberExpression(node) {
+          // process.env access
+          if (node.object?.type === 'Identifier' && node.object.name === 'process' &&
+              node.property?.type === 'Identifier' && node.property.name === 'env' &&
+              !found.has('env_access')) {
+            found.add('env_access');
+            const rule = PARANOID_RULES.env_access;
             threats.push({
-              type: rule.id,
-              severity: rule.severity.toUpperCase(),
-              message: `${rule.message}: "${pattern}"`,
-              file: path.relative(targetPath, filePath),
-              mitre: rule.mitre
+              type: rule.id, severity: rule.severity.toUpperCase(),
+              message: `${rule.message}: "process.env"`, file: relFile, mitre: rule.mitre
             });
           }
+        },
+        Literal(node) {
+          // Sensitive file string literals
+          if (typeof node.value === 'string' && !found.has('sensitive_file_access')) {
+            const detector = PARANOID_AST_DETECTORS.sensitive_file_access;
+            for (const s of detector.sensitiveStrings) {
+              if (node.value.includes(s)) {
+                found.add('sensitive_file_access');
+                const rule = PARANOID_RULES.sensitive_file_access;
+                threats.push({
+                  type: rule.id, severity: rule.severity.toUpperCase(),
+                  message: `${rule.message}: "${s}"`, file: relFile, mitre: rule.mitre
+                });
+                break;
+              }
+            }
+          }
         }
+      });
+    } catch {
+      // Ignore read/parse errors
+    }
+  }
+
+  // Content-based fallback for non-JS files or parse failures
+  function scanFileContent(filePath, content, relFile) {
+    const contentWithoutUrls = content.replace(/https?:\/\/[^\s"']+/g, '');
+    for (const [, rule] of Object.entries(PARANOID_RULES)) {
+      for (const pattern of rule.patterns) {
+        if (contentWithoutUrls.includes(pattern)) {
+          threats.push({
+            type: rule.id, severity: rule.severity.toUpperCase(),
+            message: `${rule.message}: "${pattern}"`, file: relFile, mitre: rule.mitre
+          });
+        }
+      }
+    }
+  }
+
+  function scanFile(filePath) {
+    try {
+      const stat = fs.statSync(filePath);
+      if (stat.size > MAX_FILE_SIZE) return;
+      const ext = path.extname(filePath);
+      if (ext === '.js' || ext === '.mjs' || ext === '.cjs') {
+        scanFileAST(filePath);
+      } else {
+        const content = fs.readFileSync(filePath, 'utf8');
+        const relFile = path.relative(targetPath, filePath);
+        scanFileContent(filePath, content, relFile);
       }
     } catch {
       // Ignore read errors
@@ -86,7 +229,8 @@ function scanParanoid(targetPath) {
           if (!isExcluded) {
             walkDir(fullPath, depth + 1);
           }
-        } else if (file.endsWith('.js') || file.endsWith('.json') || file.endsWith('.sh')) {
+        } else if (file.endsWith('.js') || file.endsWith('.mjs') || file.endsWith('.cjs') ||
+                   file.endsWith('.json') || file.endsWith('.sh')) {
           scanFile(fullPath);
         }
       }

package/src/rules/index.js

@@ -424,7 +424,7 @@ const RULES = {
     mitre: 'T1105'
   },
   network_require: {
-    id: 'MUADDIB-PKG-006',
+    id: 'MUADDIB-PKG-011',
     name: 'Network Module in Lifecycle Script',
     severity: 'HIGH',
     confidence: 'high',
@@ -433,7 +433,7 @@ const RULES = {
     mitre: 'T1105'
   },
   node_inline_exec: {
-    id: 'MUADDIB-PKG-007',
+    id: 'MUADDIB-PKG-012',
     name: 'Node Inline Execution in Lifecycle Script',
     severity: 'HIGH',
     confidence: 'high',

package/src/scanner/ast-detectors.js

@@ -165,11 +165,30 @@ function resolveStringConcat(node) {
   if (node.type === 'TemplateLiteral' && node.expressions.length === 0) {
     return node.quasis.map(q => q.value.raw).join('');
   }
+  // TemplateLiteral with resolvable expressions
+  if (node.type === 'TemplateLiteral' && node.expressions.length > 0) {
+    const parts = [];
+    for (let i = 0; i < node.quasis.length; i++) {
+      parts.push(node.quasis[i].value.raw);
+      if (i < node.expressions.length) {
+        const resolved = resolveStringConcat(node.expressions[i]);
+        if (resolved === null) return null;
+        parts.push(resolved);
+      }
+    }
+    return parts.join('');
+  }
   if (node.type === 'BinaryExpression' && node.operator === '+') {
     const left = resolveStringConcat(node.left);
     const right = resolveStringConcat(node.right);
     if (left !== null && right !== null) return left + right;
   }
+  // ConditionalExpression — either branch is enough for detection
+  if (node.type === 'ConditionalExpression') {
+    const consequent = resolveStringConcat(node.consequent);
+    const alternate = resolveStringConcat(node.alternate);
+    return consequent !== null ? consequent : alternate;
+  }
   return null;
 }
 

package/src/shared/download.js

@@ -229,9 +229,12 @@ function extractTarGz(tgzPath, destDir) {
  */
 function sanitizePackageName(packageName) {
   return packageName
+    .normalize('NFC')
+    .replace(/[^\x20-\x7E]/g, '')   // Strip non-ASCII (Unicode confusables)
     .replace(/\.\./g, '')
-    .replace(/\//g, '_')
-    .replace(/@/g, '');
+    .replace(/[/\\]/g, '_')          // Both slash types → _
+    .replace(/[@:]/g, '')            // @ and : (Windows drive letter)
+    .replace(/[\x00-\x1F]/g, '');   // Control chars (safety net)
 }
 
 module.exports = {

package/src/utils.js

@@ -81,6 +81,7 @@ function findFiles(dir, options = {}) {
     maxDepth = 100,
     results = [],
     visitedInodes = new Set(),
+    visitedPaths = new Set(),
     depth = 0
   } = options;
 
@@ -90,15 +91,15 @@ function findFiles(dir, options = {}) {
       [...excludedDirs, ..._extraExcludedDirs].sort().join(',');
     const cached = _fileListCache.get(cacheKey);
     if (cached) return [...cached]; // return copy to prevent mutation
-    const result = _findFilesImpl(dir, { extensions, excludedDirs, maxDepth, results, visitedInodes, depth });
+    const result = _findFilesImpl(dir, { extensions, excludedDirs, maxDepth, results, visitedInodes, visitedPaths, depth });
     _fileListCache.set(cacheKey, [...result]);
     return result;
   }
 
-  return _findFilesImpl(dir, { extensions, excludedDirs, maxDepth, results, visitedInodes, depth });
+  return _findFilesImpl(dir, { extensions, excludedDirs, maxDepth, results, visitedInodes, visitedPaths, depth });
 }
 
-function _findFilesImpl(dir, { extensions, excludedDirs, maxDepth, results, visitedInodes, depth }) {
+function _findFilesImpl(dir, { extensions, excludedDirs, maxDepth, results, visitedInodes, visitedPaths, depth }) {
   if (depth > maxDepth) return results;
   if (!fs.existsSync(dir)) return results;
 
@@ -132,10 +133,16 @@ function _findFilesImpl(dir, { extensions, excludedDirs, maxDepth, results, visi
         try {
           const realPath = fs.realpathSync(fullPath);
           const realStat = fs.statSync(realPath);
-          if (realStat.ino !== 0 && visitedInodes.has(realStat.ino)) continue;
-          if (realStat.ino !== 0) visitedInodes.add(realStat.ino);
+          if (realStat.ino !== 0) {
+            if (visitedInodes.has(realStat.ino)) continue;
+            visitedInodes.add(realStat.ino);
+          } else {
+            // Windows ino=0 fallback: use resolved path for cycle detection
+            if (visitedPaths.has(realPath)) continue;
+            visitedPaths.add(realPath);
+          }
           if (realStat.isDirectory()) {
-            _findFilesImpl(realPath, { extensions, excludedDirs, maxDepth, results, visitedInodes, depth: depth + 1 });
+            _findFilesImpl(realPath, { extensions, excludedDirs, maxDepth, results, visitedInodes, visitedPaths, depth: depth + 1 });
           } else if (extensions.some(ext => item.endsWith(ext))) {
             results.push(realPath);
           }
@@ -145,10 +152,19 @@ function _findFilesImpl(dir, { extensions, excludedDirs, maxDepth, results, visi
         continue;
       }
 
-      if (lstat.ino !== 0) visitedInodes.add(lstat.ino);
+      if (lstat.ino !== 0) {
+        visitedInodes.add(lstat.ino);
+      } else {
+        // Windows ino=0 fallback: use resolved path for cycle detection
+        const resolvedPath = path.resolve(fullPath);
+        if (lstat.isDirectory()) {
+          if (visitedPaths.has(resolvedPath)) continue;
+          visitedPaths.add(resolvedPath);
+        }
+      }
 
       if (lstat.isDirectory()) {
-        _findFilesImpl(fullPath, { extensions, excludedDirs, maxDepth, results, visitedInodes, depth: depth + 1 });
+        _findFilesImpl(fullPath, { extensions, excludedDirs, maxDepth, results, visitedInodes, visitedPaths, depth: depth + 1 });
       } else if (extensions.some(ext => item.endsWith(ext))) {
         results.push(fullPath);
       }