muaddib-scanner 2.9.5 → 2.9.6

package/bin/muaddib.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-const { exec } = require('child_process');
+const { execFile } = require('child_process');
 const { run } = require('../src/index.js');
 const { updateIOCs } = require('../src/ioc/updater.js');
 const { watch } = require('../src/watch.js');
@@ -160,7 +160,8 @@ for (let i = 0; i < options.length; i++) {
 if (!jsonOutput && !sarifOutput && command !== 'feed' && command !== 'serve') {
   try {
     const currentVersion = require('../package.json').version;
-    exec('npm view muaddib-scanner version', { timeout: 5000 }, (err, stdout) => {
+    const npmBin = process.platform === 'win32' ? 'npm.cmd' : 'npm';
+    execFile(npmBin, ['view', 'muaddib-scanner', 'version'], { timeout: 5000 }, (err, stdout) => {
       if (err) return; // No network or npm unavailable
       const latest = (stdout || '').toString().trim();
       if (!latest || latest === currentVersion) return;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.9.5",
+  "version": "2.9.6",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/index.js

@@ -186,8 +186,8 @@ function scanParanoid(targetPath) {
           }
         }
       });
-    } catch {
-      // Ignore read/parse errors
+    } catch (e) {
+      debugLog('[PARANOID] AST parse error:', e?.message);
     }
   }
 
@@ -218,8 +218,8 @@ function scanParanoid(targetPath) {
         const relFile = path.relative(targetPath, filePath);
         scanFileContent(filePath, content, relFile);
       }
-    } catch {
-      // Ignore read errors
+    } catch (e) {
+      debugLog('[PARANOID] file read error:', e?.message);
     }
   }
 
@@ -247,8 +247,8 @@ function scanParanoid(targetPath) {
           scanFile(fullPath);
         }
       }
-    } catch {
-      // Ignore walk errors
+    } catch (e) {
+      debugLog('[PARANOID] walkDir error:', e?.message);
     }
   }
 
@@ -550,7 +550,8 @@ async function run(targetPath, options = {}) {
       if (!reachability.skipped) {
         reachableFiles = reachability.reachableFiles;
       }
-    } catch {
+    } catch (e) {
+      debugLog('[REACHABILITY] error:', e?.message);
       // Graceful fallback — treat all files as reachable
     }
   }

package/src/scanner/ast-detectors.js

@@ -1495,10 +1495,15 @@ function handleCallExpression(node, ctx) {
     if (prop.type === 'Identifier' && obj?.type === 'Identifier' &&
         (ctx.globalThisAliases.has(obj.name) || obj.name === 'globalThis' || obj.name === 'global')) {
       ctx.hasEvalInFile = true;
+      // Resolve variable value via stringVarValues (e.g., const f = 'eval'; globalThis[f]())
+      const resolvedValue = ctx.stringVarValues.get(prop.name);
+      const isEvalOrFunction = resolvedValue === 'eval' || resolvedValue === 'Function';
       ctx.threats.push({
         type: 'dangerous_call_eval',
-        severity: 'HIGH',
-        message: `Dynamic global dispatch via computed property (${obj.name}[${prop.name}]) — likely indirect eval evasion.`,
+        severity: isEvalOrFunction ? 'CRITICAL' : 'HIGH',
+        message: isEvalOrFunction
+          ? `Resolved indirect ${resolvedValue}() via computed property (${obj.name}[${prop.name}="${resolvedValue}"]) — confirmed eval evasion.`
+          : `Dynamic global dispatch via computed property (${obj.name}[${prop.name}]) — likely indirect eval evasion.`,
         file: ctx.relFile
       });
     }

package/src/scanner/deobfuscate.js

@@ -154,6 +154,27 @@ function deobfuscate(sourceCode) {
       const hexResult = tryResolveHexArrayMap(node, sourceCode);
       if (hexResult !== null) {
         replacements.push(hexResult);
+        return;
+      }
+
+      // ---- 5. ARRAY JOIN ----
+      // ['e','v','a','l'].join('') → "eval"
+      if (node.callee?.type === 'MemberExpression' &&
+          node.callee.property?.name === 'join' &&
+          node.callee.object?.type === 'ArrayExpression' &&
+          node.arguments?.length === 1 &&
+          node.arguments[0]?.type === 'Literal' &&
+          node.arguments[0].value === '') {
+        const elements = node.callee.object.elements;
+        if (elements.length > 0 && elements.every(el => el?.type === 'Literal' && typeof el.value === 'string')) {
+          const joined = elements.map(el => el.value).join('');
+          const before = sourceCode.slice(node.start, node.end);
+          replacements.push({
+            start: node.start, end: node.end,
+            value: quoteString(joined),
+            type: 'array_join', before
+          });
+        }
       }
     }
   });

package/src/scanner/shell.js

@@ -1,6 +1,6 @@
 const fs = require('fs');
 const path = require('path');
-const { findFiles, forEachSafeFile } = require('../utils.js');
+const { findFiles, forEachSafeFile, debugLog } = require('../utils.js');
 const { MAX_FILE_SIZE } = require('../shared/constants.js');
 
 const SHELL_EXCLUDED_DIRS = ['node_modules', '.git', '.muaddib-cache'];
@@ -56,7 +56,7 @@ function scanFileContent(file, content, targetPath, threats) {
 function findExtensionlessFiles(dir, excludedDirs, results = [], depth = 0) {
   if (depth > 20) return results;
   let items;
-  try { items = fs.readdirSync(dir); } catch { return results; }
+  try { items = fs.readdirSync(dir); } catch (e) { debugLog('[SHELL] readdirSync error:', e?.message); return results; }
 
   for (const item of items) {
     if (excludedDirs.includes(item)) continue;
@@ -69,7 +69,7 @@ function findExtensionlessFiles(dir, excludedDirs, results = [], depth = 0) {
       } else if (lstat.isFile() && !path.extname(item) && lstat.size <= MAX_FILE_SIZE) {
         results.push(fullPath);
       }
-    } catch { /* permission error */ }
+    } catch (e) { debugLog('[SHELL] stat error:', e?.message); }
   }
   return results;
 }
@@ -94,7 +94,7 @@ async function scanShellScripts(targetPath) {
       if (SHEBANG_RE.test(firstLine)) {
         scanFileContent(file, content, targetPath, threats);
       }
-    } catch { /* ignore unreadable files */ }
+    } catch (e) { debugLog('[SHELL] readFile error:', e?.message); }
   }
 
   return threats;

package/src/scoring.js

@@ -279,11 +279,11 @@ function applyCompoundBoosts(threats) {
 
     // Check all required types are present
     if (compound.requires.every(req => typeSet.has(req))) {
-      // Severity gate: at least one component must have severity >= MEDIUM
-      // after FP reductions. If all components were downgraded to LOW,
-      // the compound signal is not strong enough to justify a CRITICAL boost.
+      // Severity gate: at least one component must have had original severity >= MEDIUM.
+      // Uses originalSeverity (pre-FP-reduction) to prevent attackers from
+      // manipulating compound gates via count-threshold or dist-file downgrades.
       const hasSignificantComponent = compound.requires.some(req =>
-        threats.some(t => t.type === req && t.severity !== 'LOW')
+        threats.some(t => t.type === req && (t.originalSeverity || t.severity) !== 'LOW')
       );
       if (!hasSignificantComponent) continue;
 
@@ -323,8 +323,11 @@ const FRAMEWORK_PROTO_RE = new RegExp(
 
 function applyFPReductions(threats, reachableFiles, packageName, packageDeps) {
   // Initialize reductions audit trail on each threat
+  // Store original severity before any FP reductions, so compound
+  // severity gates can check pre-reduction severity (GAP 4b).
   for (const t of threats) {
     t.reductions = [];
+    t.originalSeverity = t.severity;
   }
 
   // Count occurrences of each threat type (package-level, across all files)
@@ -384,6 +387,29 @@ function applyFPReductions(threats, reachableFiles, packageName, packageDeps) {
     // The READ/WRITE distinction in ast-detectors already handles the FP case:
     // READ-only → LOW (hot-reload, introspection), WRITE → CRITICAL (malicious replacement).
     // A single cache WRITE is genuinely malicious — no downgrade needed.
+  }
+
+  // Dilution floor: retain at least one instance at original severity per type
+  // to prevent complete count-threshold dilution by injected benign patterns.
+  // Only applies to types with low maxCount (≤3) and a severity constraint (from field),
+  // where injection of benign patterns is feasible. High-count types (dynamic_require,
+  // env_access) and unconstrained types (suspicious_dataflow) represent legitimate
+  // framework patterns and should allow full downgrade.
+  const restoredTypes = new Set();
+  for (const t of threats) {
+    const lastReduction = t.reductions?.find(r => r.rule === 'count_threshold');
+    if (lastReduction && !restoredTypes.has(t.type)) {
+      const rule = FP_COUNT_THRESHOLDS[t.type];
+      if (rule && rule.from && rule.maxCount <= 3) {
+        t.severity = lastReduction.from;
+        t.reductions = t.reductions.filter(r => r.rule !== 'count_threshold');
+        t.reductions.push({ rule: 'count_threshold_floor', note: 'retained one instance at original severity' });
+        restoredTypes.add(t.type);
+      }
+    }
+  }
+
+  for (const t of threats) {
 
     // Prototype hook: framework class prototypes → MEDIUM
     // Core Node.js prototypes (http.IncomingMessage, net.Socket) stay CRITICAL