muaddib-scanner 2.9.8 → 2.9.9

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.9.8",
+  "version": "2.9.9",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/config.js

@@ -205,12 +205,23 @@ function validateConfig(raw) {
 
 /**
  * Resolve which config file to load.
- * Priority: --config <path> > .muaddibrc.json at targetPath root
+ * Priority: --config <path> > ~/.muaddibrc.json > CWD/.muaddibrc.json (if CWD ≠ targetPath)
+ *
+ * SECURITY: NEVER auto-detect config from targetPath (the scanned directory).
+ * An attacker can place .muaddibrc.json in their npm package with
+ * severityWeights: {critical:0, high:0, medium:0, low:0} to neutralize the scanner.
+ * Only load config from trusted locations:
+ * - Explicit --config <path>
+ * - User home directory (~/.muaddibrc.json)
+ * - CWD, but ONLY when CWD is different from the scan target
+ *
  * @param {string} targetPath - scan target directory
  * @param {string|null} configPath - explicit --config path (or null)
  * @returns {{ config: object|null, warnings: string[], errors: string[], source: string|null }}
  */
 function resolveConfig(targetPath, configPath) {
+  const warnings = [];
+
   // Explicit --config path
   if (configPath) {
     const absPath = path.isAbsolute(configPath) ? configPath : path.resolve(configPath);
@@ -229,22 +240,39 @@ function resolveConfig(targetPath, configPath) {
     return result;
   }
 
-  // Auto-detect .muaddibrc.json at target root
-  const rcPath = path.join(targetPath, '.muaddibrc.json');
-  if (!fs.existsSync(rcPath)) {
-    return { config: null, warnings: [], errors: [], source: null };
+  // SECURITY: Warn if .muaddibrc.json is found INSIDE the scanned package (informational only)
+  const targetRcPath = path.join(targetPath, '.muaddibrc.json');
+  if (fs.existsSync(targetRcPath)) {
+    warnings.push('[SECURITY] .muaddibrc.json found inside scanned package — ignored (potential config neutralization attack)');
   }
-  const { raw, error } = loadConfigFile(rcPath);
-  if (error) {
-    // Auto-detected config with errors is a warning, not a fatal error
-    return { config: null, warnings: [`[CONFIG] ${error} — .muaddibrc.json ignored`], errors: [], source: null };
-  }
-  const result = validateConfig(raw);
-  if (result.config) {
-    result.warnings.unshift('Loaded custom thresholds from .muaddibrc.json');
+
+  // Auto-detect ONLY from safe locations (NOT from scan target)
+  const cwd = process.cwd();
+  const homedir = require('os').homedir();
+  const candidates = [
+    path.join(homedir, '.muaddibrc.json'),
+    // CWD config only if CWD is NOT the scan target (developer scanning an external package)
+    ...(path.resolve(cwd) !== path.resolve(targetPath) ? [path.join(cwd, '.muaddibrc.json')] : [])
+  ];
+
+  for (const rcPath of candidates) {
+    if (!fs.existsSync(rcPath)) continue;
+    const { raw, error } = loadConfigFile(rcPath);
+    if (error) {
+      warnings.push(`[CONFIG] ${error} — ${rcPath} ignored`);
+      continue;
+    }
+    const result = validateConfig(raw);
+    // Prepend any security warnings accumulated before this config was found
+    result.warnings = [...warnings, ...result.warnings];
+    if (result.config) {
+      result.warnings.unshift(`Loaded custom thresholds from ${rcPath}`);
+    }
+    result.source = rcPath;
+    return result;
   }
-  result.source = rcPath;
-  return result;
+
+  return { config: null, warnings, errors: [], source: null };
 }
 
 module.exports = { DEFAULTS, loadConfigFile, validateConfig, resolveConfig };

package/src/response/playbooks.js

@@ -537,6 +537,12 @@ const PLAYBOOKS = {
     'Cout de rotation: 0.000005 SOL par changement d\'adresse C2 — censorship-resistant. ' +
     'Bloquer les connexions vers les RPC Solana. Supprimer le package.',
 
+  module_load_bypass:
+    'CRITIQUE: Module._load() detecte — bypass du module loader interne de Node.js. ' +
+    'Permet de charger dynamiquement des modules (child_process, fs, net) sans passer par require(), ' +
+    'contournant les restrictions et les hooks de chargement. ' +
+    'Supprimer le package immediatement. Auditer les modules charges dynamiquement.',
+
   blockchain_rpc_endpoint:
     'Endpoint RPC blockchain hardcode detecte (Solana mainnet, Infura Ethereum). ' +
     'Dans un package non-crypto, cela indique un potentiel canal C2 via blockchain. ' +

package/src/rules/index.js

@@ -1595,6 +1595,19 @@ const RULES = {
     ],
     mitre: 'T1102'
   },
+  module_load_bypass: {
+    id: 'MUADDIB-AST-056',
+    name: 'Module._load() Internal Loader Bypass',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Module._load() detecte — bypass du module loader interne de Node.js pour charger dynamiquement des modules sans passer par require(). Technique d\'evasion contournant les restrictions de chargement de modules.',
+    references: [
+      'https://nodejs.org/api/modules.html',
+      'https://attack.mitre.org/techniques/T1059/007/'
+    ],
+    mitre: 'T1059.007'
+  },
+
   blockchain_rpc_endpoint: {
     id: 'MUADDIB-AST-055',
     name: 'Hardcoded Blockchain RPC Endpoint',

package/src/sandbox/index.js

@@ -240,18 +240,8 @@ async function runSingleSandbox(packageName, options = {}) {
     proc.on('close', (code) => {
       clearTimeout(timer);
 
-      // Docker-level failure: log error and return clean result
-      if (code !== 0 && !stdout.includes('---MUADDIB-REPORT-START---')) {
-        const errLines = stderr.split(/\r?\n/).filter(l => l && !l.includes('[SANDBOX]'));
-        if (errLines.length > 0) {
-          console.log(`[SANDBOX] Docker error (exit ${code}): ${errLines[0]}`);
-        } else {
-          console.log(`[SANDBOX] Container exited with code ${code} (no output)`);
-        }
-        resolve(cleanResult);
-        return;
-      }
-
+      // TIMEOUT FIRST: docker kill causes non-zero exit (code 137/SIGKILL),
+      // must check before Docker error handler to avoid returning CLEAN on timeout
       if (timedOut) {
         const result = {
           score: 100,
@@ -269,6 +259,18 @@ async function runSingleSandbox(packageName, options = {}) {
         return;
       }
 
+      // Docker-level failure (non-timeout): log error and return clean result
+      if (code !== 0 && !stdout.includes('---MUADDIB-REPORT-START---')) {
+        const errLines = stderr.split(/\r?\n/).filter(l => l && !l.includes('[SANDBOX]'));
+        if (errLines.length > 0) {
+          console.log(`[SANDBOX] Docker error (exit ${code}): ${errLines[0]}`);
+        } else {
+          console.log(`[SANDBOX] Container exited with code ${code} (no output)`);
+        }
+        resolve(cleanResult);
+        return;
+      }
+
       // Parse JSON from container stdout using delimiter
       let report;
       try {

package/src/scanner/ast-detectors.js

@@ -281,6 +281,40 @@ function resolveStringConcat(node) {
   return null;
 }
 
+/**
+ * Like resolveStringConcat, but additionally resolves Identifier nodes via
+ * a stringVarValues Map (variable name → known string value).
+ * Used for double-indirection patterns: var a='ev',b='al'; globalThis[a+b]()
+ */
+function resolveStringConcatWithVars(node, stringVarValues) {
+  if (!node) return null;
+  if (node.type === 'Literal' && typeof node.value === 'string') return node.value;
+  if (node.type === 'Identifier' && stringVarValues && stringVarValues.has(node.name)) {
+    return stringVarValues.get(node.name);
+  }
+  if (node.type === 'TemplateLiteral' && node.expressions.length === 0) {
+    return node.quasis.map(q => q.value.raw).join('');
+  }
+  if (node.type === 'TemplateLiteral' && node.expressions.length > 0) {
+    const parts = [];
+    for (let i = 0; i < node.quasis.length; i++) {
+      parts.push(node.quasis[i].value.raw);
+      if (i < node.expressions.length) {
+        const resolved = resolveStringConcatWithVars(node.expressions[i], stringVarValues);
+        if (resolved === null) return null;
+        parts.push(resolved);
+      }
+    }
+    return parts.join('');
+  }
+  if (node.type === 'BinaryExpression' && node.operator === '+') {
+    const left = resolveStringConcatWithVars(node.left, stringVarValues);
+    const right = resolveStringConcatWithVars(node.right, stringVarValues);
+    if (left !== null && right !== null) return left + right;
+  }
+  return null;
+}
+
 /**
  * Extract string value from a node, including BinaryExpression resolution.
  * Falls back to extractStringValue if concat resolution fails.
@@ -383,7 +417,7 @@ function handleVariableDeclarator(node, ctx) {
       ctx.staticAssignments.add(node.id.name);
     }
 
-    // Track dynamic require vars
+    // Track dynamic require vars + module aliases
     if (node.init?.type === 'CallExpression') {
       const initCallName = getCallName(node.init);
       if (initCallName === 'require' && node.init.arguments.length > 0) {
@@ -391,6 +425,12 @@ function handleVariableDeclarator(node, ctx) {
         if (arg.type !== 'Literal') {
           ctx.dynamicRequireVars.add(node.id.name);
         }
+        // Track require('module') or require('node:module') aliases for Module._load detection
+        const reqVal = extractStringValueDeep(arg);
+        if (reqVal === 'module') {
+          if (!ctx.moduleAliases) ctx.moduleAliases = new Set();
+          ctx.moduleAliases.add(node.id.name);
+        }
       }
     }
     // Track variables assigned dangerous command strings
@@ -717,6 +757,35 @@ function handleCallExpression(node, ctx) {
     }
   }
 
+  // Detect process.mainModule.require('child_process') — module system bypass
+  if (node.callee.type === 'MemberExpression' &&
+      node.callee.property?.type === 'Identifier' && node.callee.property.name === 'require' &&
+      node.callee.object?.type === 'MemberExpression' &&
+      node.callee.object.object?.type === 'Identifier' &&
+      node.callee.object.object.name === 'process' &&
+      node.callee.object.property?.type === 'Identifier' &&
+      node.callee.object.property.name === 'mainModule' &&
+      node.arguments.length > 0) {
+    const arg = node.arguments[0];
+    const modName = extractStringValueDeep(arg);
+    const DANGEROUS_MODS = ['child_process', 'fs', 'net', 'dns', 'http', 'https', 'tls'];
+    if (modName && DANGEROUS_MODS.includes(modName)) {
+      ctx.threats.push({
+        type: 'dynamic_require',
+        severity: 'CRITICAL',
+        message: `process.mainModule.require('${modName}') — bypasses module system restrictions.`,
+        file: ctx.relFile
+      });
+    } else {
+      ctx.threats.push({
+        type: 'dynamic_require',
+        severity: 'HIGH',
+        message: `process.mainModule.require() detected — module system bypass.`,
+        file: ctx.relFile
+      });
+    }
+  }
+
   // Detect exec/execSync with dangerous shell commands (direct or via MemberExpression)
   const execName = callName === 'exec' || callName === 'execSync' ? callName : null;
   const memberExec = !execName && node.callee.type === 'MemberExpression' &&
@@ -1490,22 +1559,45 @@ function handleCallExpression(node, ctx) {
         });
       }
     }
-    // Detect computed call on globalThis/global alias with variable property
+    // Detect computed call on globalThis/global alias with variable or expression property
     const obj = node.callee.object;
-    if (prop.type === 'Identifier' && obj?.type === 'Identifier' &&
+    if (obj?.type === 'Identifier' &&
         (ctx.globalThisAliases.has(obj.name) || obj.name === 'globalThis' || obj.name === 'global')) {
-      ctx.hasEvalInFile = true;
-      // Resolve variable value via stringVarValues (e.g., const f = 'eval'; globalThis[f]())
-      const resolvedValue = ctx.stringVarValues.get(prop.name);
-      const isEvalOrFunction = resolvedValue === 'eval' || resolvedValue === 'Function';
-      ctx.threats.push({
-        type: 'dangerous_call_eval',
-        severity: isEvalOrFunction ? 'CRITICAL' : 'HIGH',
-        message: isEvalOrFunction
-          ? `Resolved indirect ${resolvedValue}() via computed property (${obj.name}[${prop.name}="${resolvedValue}"]) — confirmed eval evasion.`
-          : `Dynamic global dispatch via computed property (${obj.name}[${prop.name}]) — likely indirect eval evasion.`,
-        file: ctx.relFile
-      });
+      if (prop.type === 'Identifier') {
+        ctx.hasEvalInFile = true;
+        // Resolve variable value via stringVarValues (e.g., const f = 'eval'; globalThis[f]())
+        const resolvedValue = ctx.stringVarValues.get(prop.name);
+        const isEvalOrFunction = resolvedValue === 'eval' || resolvedValue === 'Function';
+        ctx.threats.push({
+          type: 'dangerous_call_eval',
+          severity: isEvalOrFunction ? 'CRITICAL' : 'HIGH',
+          message: isEvalOrFunction
+            ? `Resolved indirect ${resolvedValue}() via computed property (${obj.name}[${prop.name}="${resolvedValue}"]) — confirmed eval evasion.`
+            : `Dynamic global dispatch via computed property (${obj.name}[${prop.name}]) — likely indirect eval evasion.`,
+          file: ctx.relFile
+        });
+      } else {
+        // BinaryExpression, TemplateLiteral, or other computed expression
+        // Try to resolve via stringVarValues (e.g., var a='ev',b='al'; globalThis[a+b]())
+        const resolvedProp = resolveStringConcatWithVars(prop, ctx.stringVarValues);
+        if (resolvedProp === 'eval' || resolvedProp === 'Function') {
+          ctx.hasEvalInFile = true;
+          ctx.threats.push({
+            type: 'dangerous_call_eval',
+            severity: 'CRITICAL',
+            message: `Resolved indirect ${resolvedProp}() via computed expression (${obj.name}[...="${resolvedProp}"]) — concat evasion.`,
+            file: ctx.relFile
+          });
+        } else if (resolvedProp !== null) {
+          ctx.hasEvalInFile = true;
+          ctx.threats.push({
+            type: 'dangerous_call_eval',
+            severity: 'HIGH',
+            message: `Dynamic global dispatch via computed expression (${obj.name}[...="${resolvedProp}"]).`,
+            file: ctx.relFile
+          });
+        }
+      }
     }
   }
 
@@ -1609,6 +1701,24 @@ function handleCallExpression(node, ctx) {
       }
     }
 
+    // Module._load() — internal module loader bypass (ANSSI audit v2)
+    if (propName === '_load') {
+      const calleeObj = node.callee.object;
+      const isModuleIdentifier = calleeObj.type === 'Identifier' &&
+        (calleeObj.name === 'Module' || calleeObj.name === 'module' ||
+         (ctx.moduleAliases && ctx.moduleAliases.has(calleeObj.name)));
+      const isMemberChain = calleeObj.type === 'MemberExpression';
+      const isConstructed = calleeObj.type === 'NewExpression' || calleeObj.type === 'CallExpression';
+      if (isModuleIdentifier || isMemberChain || isConstructed || ctx.hasModuleImport) {
+        ctx.threats.push({
+          type: 'module_load_bypass',
+          severity: 'CRITICAL',
+          message: 'Module._load() detected — internal module loader bypass for dynamic code loading.',
+          file: ctx.relFile
+        });
+      }
+    }
+
     // SANDWORM_MODE: Track writeFileSync/writeFile to temp paths
     if (propName === 'writeFileSync' || propName === 'writeFile') {
       const arg = node.arguments && node.arguments[0];