muaddib-scanner 2.5.6 → 2.5.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/src/sandbox/analyzer.js +6 -1
- package/src/sandbox/index.js +5 -1
package/package.json
CHANGED
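--- a/package/src/sandbox/analyzer.js
+++ b/package/src/sandbox/analyzer.js
@@ -162,7 +162,12 @@ function analyzePreloadLog(logContent) {
 }
 
 // ── Rule 5: Suspicious exec ──
-const dangerousExecLines = execLines.filter(l =>
+const dangerousExecLines = execLines.filter(l => {
+if (!l.includes('DANGEROUS')) return false;
+// Skip sandbox infrastructure commands (e.g. /usr/bin/timeout wrapping node)
+if (/\btimeout\b/.test(l)) return false;
+return true;
+});
 if (dangerousExecLines.length > 0) {
 const cmds = dangerousExecLines.map(l => {
 const m = l.match(/(?:exec|execSync|spawn|spawnSync|execFile|execFileSync):\s*(.+?)(?:\s+\(t\+|$)/);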
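Review bot: The new `/\btimeout\b/.test(l)` exemption at new line 168 is evaluated against the whole log line, so any DANGEROUS exec entry whose arguments merely contain the word `timeout` is dropped from Rule 5, not only entries where the sandbox's own `/usr/bin/timeout` wrapper is the executable. The arguments in that line originate from the package under analysis, so this is an allowlist keyed on text the scanned code controls, and the finding can be suppressed by accident or on purpose. The command text is already extractable with the regex used three lines later for `cmds`, so the exemption can be narrowed to the first token of the spawned command, as below. analyzePreloadLog begins and ends outside the hunk, and `execLines` is defined above it.
```javascript
const dangerousExecLines = execLines.filter(l => {
  if (!l.includes('DANGEROUS')) return false;
  // Skip only when the spawned executable itself is the sandbox's timeout wrapper,
  // not when "timeout" merely appears somewhere in the arguments.
  const m = l.match(/(?:exec|execSync|spawn|spawnSync|execFile|execFileSync):\s*(.+?)(?:\s+\(t\+|$)/);
  const argv0 = (m?.[1] ?? '').trim().split(/\s+/)[0] ?? '';
  return !/(^|\/)timeout$/.test(argv0);
});
// … unchanged: cmds extraction and the rest of Rule 5 …
```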
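--- a/package/src/sandbox/index.js
+++ b/package/src/sandbox/index.js
@@ -46,6 +46,9 @@ const PROBE_PORTS = [65535]; // Node.js internal connectivity checks
 // Commands that are always suspicious in a sandbox
 const DANGEROUS_CMDS = ['curl', 'wget', 'nc', 'netcat', 'python', 'python3', 'bash', 'sh'];
 
+// Commands that are sandbox infrastructure — not spawned by the package
+const SAFE_SANDBOX_CMDS = new Set(['timeout', 'node', 'npm', 'npx', 'su', 'env']);
+
 // Static canary tokens injected by sandbox-runner.sh (fallback honeypots).
 // These are searched in the sandbox report as a complement to the dynamic
 // tokens from canary-tokens.js (which use random suffixes per session).
@@ -607,6 +610,7 @@ function scoreFindings(report) {
 for (const p of (report.processes?.spawned || [])) {
 const cmd = p.command || '';
 const basename = path.basename(cmd);
+if (SAFE_SANDBOX_CMDS.has(basename)) continue; // Skip sandbox infrastructure
 if (DANGEROUS_CMDS.some(d => basename === d)) {
 score += 40;
 findings.push({ type: 'suspicious_process', severity: 'CRITICAL', detail: `Dangerous command spawned: ${cmd}`, evidence: cmd });
@@ -762,4 +766,4 @@ function displayResults(result) {
 }
 }
 
-module.exports = { buildSandboxImage, runSandbox, runSingleSandbox, scoreFindings, generateNetworkReport, EXFIL_PATTERNS, SAFE_DOMAINS, getSeverity, displayResults, isDockerAvailable, imageExists, STATIC_CANARY_TOKENS, detectStaticCanaryExfiltration, analyzePreloadLog, TIME_OFFSETS };
+module.exports = { buildSandboxImage, runSandbox, runSingleSandbox, scoreFindings, generateNetworkReport, EXFIL_PATTERNS, SAFE_DOMAINS, getSeverity, displayResults, isDockerAvailable, imageExists, STATIC_CANARY_TOKENS, detectStaticCanaryExfiltration, analyzePreloadLog, TIME_OFFSETS, SAFE_SANDBOX_CMDS };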
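Review bot: The `continue` added at new line 613 of scoreFindings exempts `su`, `env` and `timeout` by argv0 basename alone, but all three execute whatever command follows in their arguments, so a process that launches one of the DANGEROUS_CMDS binaries through them is now exempt from the CRITICAL `suspicious_process` finding and from any further checks later in the loop body, which continues outside the hunk. Whether `p.command` holds only the executable path or the full command line is not visible here; if it is the full line, `path.basename(cmd)` will rarely equal a bare name and both the new skip and the existing `basename === d` comparison would be ineffective, which is worth confirming against the report producer. To fail toward detection, only skip when no dangerous name appears anywhere in the command: `const launchesDangerous = cmd.split(/\s+/).some(tok => DANGEROUS_CMDS.includes(path.basename(tok)));` followed by `if (SAFE_SANDBOX_CMDS.has(basename) && !launchesDangerous) continue; // Skip sandbox infrastructure`. The SAFE_SANDBOX_CMDS comment in the first hunk should then state that membership means "the launcher is ours", not that its child commands are trusted.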