np-audit 0.0.1-beta

package/src/config.js

@@ -0,0 +1,71 @@
+'use strict';
+
+const fs   = require('fs');
+const path = require('path');
+const os   = require('os');
+
+const GLOBAL_CONFIG_PATH = path.join(os.homedir(), '.npmauditor.json');
+
+const DEFAULT_CONFIG = Object.freeze({
+  blockScore:      7,
+  warnScore:       4,
+  registry:        'https://registry.npmjs.org',
+  timeout:         30000,
+  parallelFetches: 5,
+  skipScopes:      [],
+  skipPackages:    [],
+});
+
+const VALID_KEYS = new Set(Object.keys(DEFAULT_CONFIG));
+
+function readJSON(filePath) {
+  try {
+    return JSON.parse(fs.readFileSync(filePath, 'utf8'));
+  } catch {
+    return null;
+  }
+}
+
+function loadConfig(cwd) {
+  const base    = { ...DEFAULT_CONFIG };
+  const global_ = readJSON(GLOBAL_CONFIG_PATH) || {};
+  const local   = cwd ? readJSON(path.join(cwd, '.npmauditor.json')) || {} : {};
+  return Object.assign(base, coerce(global_), coerce(local));
+}
+
+function coerce(obj) {
+  const result = {};
+  for (const [key, val] of Object.entries(obj)) {
+    if (!VALID_KEYS.has(key)) continue;
+    const def = DEFAULT_CONFIG[key];
+    if (Array.isArray(def)) {
+      result[key] = Array.isArray(val) ? val : [val];
+    } else if (typeof def === 'number') {
+      const n = Number(val);
+      if (!isNaN(n)) result[key] = n;
+    } else {
+      result[key] = val;
+    }
+  }
+  return result;
+}
+
+function setGlobalConfig(key, rawValue) {
+  if (!VALID_KEYS.has(key)) {
+    throw new Error(`Unknown config key "${key}". Valid keys: ${[...VALID_KEYS].join(', ')}`);
+  }
+  const current = readJSON(GLOBAL_CONFIG_PATH) || {};
+  const patch = coerce({ [key]: rawValue });
+  if (Object.keys(patch).length === 0) {
+    throw new Error(`Invalid value "${rawValue}" for key "${key}"`);
+  }
+  const updated = Object.assign(current, patch);
+  fs.writeFileSync(GLOBAL_CONFIG_PATH, JSON.stringify(updated, null, 2) + '\n', 'utf8');
+  return updated;
+}
+
+function getGlobalConfigPath() {
+  return GLOBAL_CONFIG_PATH;
+}
+
+module.exports = { loadConfig, setGlobalConfig, getGlobalConfigPath, DEFAULT_CONFIG, VALID_KEYS };

package/src/detector.js

@@ -0,0 +1,235 @@
+'use strict';
+
+// ─── Individual detection checks ─────────────────────────────────────────────
+
+/**
+ * Detect eval / dynamic code execution.
+ * @param {string} code
+ * @returns {Finding|null}
+ */
+function checkEval(code) {
+  const patterns = [
+    /\beval\s*\(/,
+    /new\s+Function\s*\(/,
+    /vm\.runInThisContext\s*\(/,
+    /vm\.runInNewContext\s*\(/,
+    /vm\.Script\s*\(/,
+  ];
+  const matched = patterns.filter(p => p.test(code));
+  if (matched.length === 0) return null;
+  return { name: 'eval/dynamic-exec', score: 8, detail: `eval-like call found (${matched.length} pattern(s))` };
+}
+
+/**
+ * Detect obfuscator.io signature: _0x variable naming.
+ * @param {string} code
+ * @returns {Finding|null}
+ */
+function checkObfuscatorIo(code) {
+  const matches = code.match(/_0x[0-9a-fA-F]+/g) || [];
+  if (matches.length < 3) return null;
+  return { name: 'obfuscator.io', score: 9, detail: `${matches.length} _0x identifiers found` };
+}
+
+/**
+ * Detect high-entropy strings (likely encoded/encrypted payloads).
+ * @param {string} code
+ * @returns {Finding|null}
+ */
+function checkHighEntropy(code) {
+  // Extract string literals (single, double, template)
+  const stringRe = /(?:"([^"\\]|\\.){50,}"|'([^'\\]|\\.){50,}'|`([^`\\]|\\.){50,}`)/g;
+  let match;
+  let maxEntropy = 0;
+  let worst = '';
+  while ((match = stringRe.exec(code)) !== null) {
+    const s = match[0].slice(1, -1);
+    const e = shannonEntropy(s);
+    if (e > maxEntropy) { maxEntropy = e; worst = s.slice(0, 40); }
+  }
+  if (maxEntropy < 4.5) return null;
+  return {
+    name: 'high-entropy-string',
+    score: 6,
+    detail: `Entropy ${maxEntropy.toFixed(2)} in string "${worst}…"`,
+  };
+}
+
+/**
+ * Detect dense hex escape sequences (\x41).
+ * @param {string} code
+ * @returns {Finding|null}
+ */
+function checkHexEscapes(code) {
+  const hexMatches = (code.match(/\\x[0-9a-fA-F]{2}/g) || []).length;
+  if (hexMatches < 10) return null;
+  return { name: 'hex-escape-density', score: 5, detail: `${hexMatches} \\xNN hex escapes found` };
+}
+
+/**
+ * Detect String.fromCharCode with many numeric arguments.
+ * @param {string} code
+ * @returns {Finding|null}
+ */
+function checkFromCharCode(code) {
+  const re = /String\.fromCharCode\s*\(([^)]+)\)/g;
+  let match;
+  let maxArgs = 0;
+  while ((match = re.exec(code)) !== null) {
+    const args = match[1].split(',').filter(a => /^\s*\d+\s*$/.test(a));
+    if (args.length > maxArgs) maxArgs = args.length;
+  }
+  if (maxArgs < 5) return null;
+  return { name: 'fromCharCode', score: 7, detail: `String.fromCharCode with ${maxArgs} numeric args` };
+}
+
+/**
+ * Detect base64 decode combined with eval-like execution.
+ * @param {string} code
+ * @returns {Finding|null}
+ */
+function checkBase64Exec(code) {
+  const hasBase64 = /atob\s*\(|Buffer\.from\s*\([^)]*,\s*['"]base64['"]\)/.test(code);
+  const hasExec   = /eval\s*\(|new\s+Function\s*\(|\.exec\s*\(/.test(code);
+  if (!hasBase64) return null;
+  if (hasBase64 && !hasExec) {
+    return { name: 'base64-decode', score: 3, detail: 'Base64 decode found — verify usage' };
+  }
+  return { name: 'base64-decode+exec', score: 8, detail: 'Base64 decode with code execution found' };
+}
+
+/**
+ * Detect child_process / shell execution patterns.
+ * @param {string} code
+ * @returns {Finding|null}
+ */
+function checkChildProcess(code) {
+  const patterns = [
+    /require\s*\(\s*['"]child_process['"]\s*\)/,
+    /\bexec\s*\(/,
+    /\bspawn\s*\(/,
+    /\bexecSync\s*\(/,
+    /\bspawnSync\s*\(/,
+    /\bexecFile\s*\(/,
+  ];
+  const matched = patterns.filter(p => p.test(code));
+  if (matched.length === 0) return null;
+  return { name: 'child-process', score: 5, detail: `Shell execution found (${matched.length} pattern(s))` };
+}
+
+/**
+ * Detect large hex literal arrays (common in minified obfuscated code).
+ * @param {string} code
+ * @returns {Finding|null}
+ */
+function checkHexArray(code) {
+  // Count 0x1234-style literals
+  const hexLiterals = (code.match(/\b0x[0-9a-fA-F]+\b/g) || []).length;
+  if (hexLiterals < 20) return null;
+  return { name: 'hex-array', score: 7, detail: `${hexLiterals} hex literal values found` };
+}
+
+/**
+ * Detect process.env access (potential credential exfiltration signal).
+ * @param {string} code
+ * @returns {Finding|null}
+ */
+function checkProcessEnv(code) {
+  const matches = (code.match(/process\.env\b/g) || []).length;
+  if (matches === 0) return null;
+  return { name: 'process-env', score: 3, detail: `${matches} process.env access(es)` };
+}
+
+/**
+ * Detect suspicious network calls (data exfiltration).
+ * @param {string} code
+ * @returns {Finding|null}
+ */
+function checkNetworkCalls(code) {
+  const patterns = [
+    /require\s*\(\s*['"]https?['"]\s*\)/,
+    /require\s*\(\s*['"]net['"]\s*\)/,
+    /require\s*\(\s*['"]dns['"]\s*\)/,
+    /fetch\s*\(/,
+    /XMLHttpRequest/,
+    /\.request\s*\(/,
+  ];
+  const matched = patterns.filter(p => p.test(code));
+  if (matched.length === 0) return null;
+  return { name: 'network-call', score: 4, detail: `Network call found (${matched.length} pattern(s))` };
+}
+
+// ─── Entropy helper ──────────────────────────────────────────────────────────
+
+function shannonEntropy(str) {
+  if (!str || str.length === 0) return 0;
+  const freq = {};
+  for (const ch of str) freq[ch] = (freq[ch] || 0) + 1;
+  let entropy = 0;
+  for (const count of Object.values(freq)) {
+    const p = count / str.length;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
+
+// ─── Main detection function ─────────────────────────────────────────────────
+
+const CHECKS = [
+  checkEval,
+  checkObfuscatorIo,
+  checkHighEntropy,
+  checkHexEscapes,
+  checkFromCharCode,
+  checkBase64Exec,
+  checkChildProcess,
+  checkHexArray,
+  checkProcessEnv,
+  checkNetworkCalls,
+];
+
+/**
+ * Run all checks against a code string.
+ * @param {string} code
+ * @param {object} config  { blockScore, warnScore }
+ * @returns {{ score: number, findings: Finding[], verdict: 'BLOCK'|'WARN'|'OK' }}
+ */
+function detectObfuscation(code, config = { blockScore: 7, warnScore: 4 }) {
+  if (!code || typeof code !== 'string') {
+    return { score: 0, findings: [], verdict: 'OK' };
+  }
+
+  const findings = [];
+  for (const check of CHECKS) {
+    const result = check(code);
+    if (result) findings.push(result);
+  }
+
+  // Score = highest individual finding score (weighted max — avoid double-penalizing)
+  const score = findings.length > 0
+    ? Math.max(...findings.map(f => f.score))
+    : 0;
+
+  let verdict;
+  if (score >= config.blockScore) verdict = 'BLOCK';
+  else if (score >= config.warnScore) verdict = 'WARN';
+  else verdict = 'OK';
+
+  return { score, findings, verdict };
+}
+
+module.exports = {
+  detectObfuscation,
+  shannonEntropy,
+  // Export individual checks for testing
+  checkEval,
+  checkObfuscatorIo,
+  checkHighEntropy,
+  checkHexEscapes,
+  checkFromCharCode,
+  checkBase64Exec,
+  checkChildProcess,
+  checkHexArray,
+  checkProcessEnv,
+  checkNetworkCalls,
+};

package/src/fetcher.js

@@ -0,0 +1,129 @@
+'use strict';
+
+const https  = require('https');
+const http   = require('http');
+const crypto = require('crypto');
+const url    = require('url');
+
+const MAX_REDIRECTS = 5;
+const DEFAULT_TIMEOUT = 30000;
+
+/**
+ * Perform an HTTP/HTTPS GET and collect the response body as a Buffer.
+ * Follows redirects up to MAX_REDIRECTS.
+ * @param {string} rawUrl
+ * @param {object} opts  { timeout?, headers? }
+ * @returns {Promise<Buffer>}
+ */
+function fetch(rawUrl, opts = {}) {
+  return new Promise((resolve, reject) => {
+    let redirects = 0;
+
+    function request(target) {
+      const parsed = new url.URL(target);
+      const isHttps = parsed.protocol === 'https:';
+      const lib = isHttps ? https : http;
+
+      const reqOpts = {
+        hostname: parsed.hostname,
+        port:     parsed.port || (isHttps ? 443 : 80),
+        path:     parsed.pathname + parsed.search,
+        method:   'GET',
+        headers:  Object.assign({
+          'User-Agent': 'npa/1.0.0 (npm-auditor)',
+          'Accept':     '*/*',
+        }, opts.headers || {}),
+      };
+
+      const timeout = opts.timeout || DEFAULT_TIMEOUT;
+      const req = lib.request(reqOpts, (res) => {
+        if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
+          if (++redirects > MAX_REDIRECTS) {
+            return reject(new Error(`Too many redirects for ${rawUrl}`));
+          }
+          res.resume();
+          return request(res.headers.location);
+        }
+
+        if (res.statusCode !== 200) {
+          res.resume();
+          return reject(new Error(`HTTP ${res.statusCode} for ${target}`));
+        }
+
+        const chunks = [];
+        res.on('data', chunk => chunks.push(chunk));
+        res.on('end',  () => resolve(Buffer.concat(chunks)));
+        res.on('error', reject);
+      });
+
+      req.setTimeout(timeout, () => {
+        req.destroy(new Error(`Request timed out after ${timeout}ms: ${target}`));
+      });
+
+      req.on('error', reject);
+      req.end();
+    }
+
+    request(rawUrl);
+  });
+}
+
+/**
+ * Fetch a tarball as a Buffer.
+ * @param {string} tarballUrl
+ * @param {object} opts  { timeout? }
+ * @returns {Promise<Buffer>}
+ */
+function fetchTarball(tarballUrl, opts = {}) {
+  return fetch(tarballUrl, opts);
+}
+
+/**
+ * Fetch JSON from npm registry.
+ * @param {string} jsonUrl
+ * @param {object} opts  { timeout? }
+ * @returns {Promise<object>}
+ */
+async function fetchJSON(jsonUrl, opts = {}) {
+  const buf = await fetch(jsonUrl, {
+    ...opts,
+    headers: { 'Accept': 'application/json' },
+  });
+  return JSON.parse(buf.toString('utf8'));
+}
+
+/**
+ * Build the canonical tarball URL when the lockfile resolved field is missing.
+ * @param {string} name      package name (may be scoped)
+ * @param {string} version
+ * @param {string} registry  base URL e.g. 'https://registry.npmjs.org'
+ * @returns {string}
+ */
+function buildTarballUrl(name, version, registry) {
+  const base = registry.replace(/\/$/, '');
+  if (name.startsWith('@')) {
+    // Scoped: @scope/pkg → @scope/pkg/-/@scope/pkg-version.tgz
+    const [scope, pkg] = name.split('/');
+    const encoded = encodeURIComponent(scope) + '%2F' + pkg;
+    return `${base}/${encoded}/-/${pkg}-${version}.tgz`;
+  }
+  return `${base}/${name}/-/${name}-${version}.tgz`;
+}
+
+/**
+ * Verify a tarball Buffer against an integrity string from the lockfile.
+ * Supports sha512-<base64> and sha1-<base64>.
+ * @param {Buffer} buffer
+ * @param {string} integrity  e.g. "sha512-abc123=="
+ * @returns {boolean}  true if valid or integrity is empty
+ */
+function verifyIntegrity(buffer, integrity) {
+  if (!integrity) return true;
+  const match = integrity.match(/^(sha512|sha1)-(.+)$/);
+  if (!match) return true;
+  const [, algo, expected] = match;
+  const actual = crypto.createHash(algo).update(buffer).digest('base64');
+  return actual === expected;
+}
+
+module.exports = { fetchTarball, fetchJSON, buildTarballUrl, verifyIntegrity };

package/src/lockfile.js

@@ -0,0 +1,107 @@
+'use strict';
+
+const fs   = require('fs');
+const path = require('path');
+
+/**
+ * Parse package-lock.json (v1, v2, v3) and return a normalized flat array of packages.
+ * @param {string} cwd  directory containing package-lock.json
+ * @returns {{ lockfileVersion: number, packages: PackageDescriptor[] }}
+ */
+function parseLockfile(cwd) {
+  const lockPath = path.join(cwd, 'package-lock.json');
+  if (!fs.existsSync(lockPath)) {
+    throw new Error(`package-lock.json not found in ${cwd}. Run "npm install" first or use "npa install".`);
+  }
+
+  let lockData;
+  try {
+    lockData = JSON.parse(fs.readFileSync(lockPath, 'utf8'));
+  } catch (e) {
+    throw new Error(`Failed to parse package-lock.json: ${e.message}`);
+  }
+
+  const version = lockData.lockfileVersion || 1;
+  let packages;
+
+  if (version >= 2 && lockData.packages) {
+    packages = flattenV2(lockData.packages);
+  } else if (lockData.dependencies) {
+    packages = flattenV1(lockData.dependencies);
+  } else {
+    packages = [];
+  }
+
+  return { lockfileVersion: version, packages };
+}
+
+/**
+ * Flatten v2/v3 lockfile packages object (key → descriptor).
+ * @param {object} pkgsObj
+ * @returns {PackageDescriptor[]}
+ */
+function flattenV2(pkgsObj) {
+  const result = [];
+  for (const [key, entry] of Object.entries(pkgsObj)) {
+    if (key === '') continue; // root package
+    if (entry.link) continue; // workspace symlink
+
+    const name = nameFromKey(key);
+    if (!name) continue;
+
+    result.push({
+      name,
+      version:          entry.version || '',
+      resolved:         entry.resolved || '',
+      integrity:        entry.integrity || '',
+      hasInstallScript: entry.hasInstallScript === true,
+      dev:              entry.dev === true,
+      optional:         entry.optional === true,
+      inBundle:         entry.inBundle === true,
+      link:             false,
+      _lockKey:         key,
+    });
+  }
+  return result;
+}
+
+/**
+ * Recursively flatten v1 lockfile dependencies tree.
+ * @param {object} deps
+ * @param {PackageDescriptor[]} result
+ * @returns {PackageDescriptor[]}
+ */
+function flattenV1(deps, result = []) {
+  for (const [name, entry] of Object.entries(deps || {})) {
+    result.push({
+      name,
+      version:          entry.version || '',
+      resolved:         entry.resolved || '',
+      integrity:        entry.integrity || '',
+      hasInstallScript: false, // not indicated in v1 — must check
+      dev:              entry.dev === true,
+      optional:         entry.optional === true,
+      inBundle:         entry.bundled === true,
+      link:             false,
+      _lockKey:         `node_modules/${name}`,
+    });
+    if (entry.dependencies) {
+      flattenV1(entry.dependencies, result);
+    }
+  }
+  return result;
+}
+
+/**
+ * Extract the npm package name from a v2/v3 lockfile key.
+ * Examples:
+ *   "node_modules/express"           → "express"
+ *   "node_modules/@babel/core"       → "@babel/core"
+ *   "foo/node_modules/bar"           → "bar"
+ */
+function nameFromKey(key) {
+  const match = key.match(/node_modules\/(@[^/]+\/[^/]+|[^/]+)$/);
+  return match ? match[1] : null;
+}
+
+module.exports = { parseLockfile, nameFromKey };

package/src/output.js

@@ -0,0 +1,92 @@
+'use strict';
+
+const RESET = '\x1b[0m';
+const BOLD = '\x1b[1m';
+const DIM = '\x1b[2m';
+const RED = '\x1b[31m';
+const GREEN = '\x1b[32m';
+const YELLOW = '\x1b[33m';
+const BLUE = '\x1b[34m';
+const CYAN = '\x1b[36m';
+const WHITE = '\x1b[37m';
+const BG_RED = '\x1b[41m';
+const BG_YELLOW = '\x1b[43m';
+
+const NO_COLOR = !process.stdout.isTTY || process.env.NO_COLOR || process.env.CI;
+
+function c(code, text) {
+  if (NO_COLOR) return text;
+  return `${code}${text}${RESET}`;
+}
+
+function bold(text) { return c(BOLD, text); }
+function dim(text) { return c(DIM, text); }
+function red(text) { return c(RED, text); }
+function green(text) { return c(GREEN, text); }
+function yellow(text) { return c(YELLOW, text); }
+function blue(text) { return c(BLUE, text); }
+function cyan(text) { return c(CYAN, text); }
+function white(text) { return c(WHITE, text); }
+
+function error(msg) {
+  process.stderr.write(red(`✖ ${msg}`) + '\n');
+}
+
+function warn(msg) {
+  process.stderr.write(yellow(`⚠ ${msg}`) + '\n');
+}
+
+function info(msg) {
+  process.stdout.write(cyan(`ℹ ${msg}`) + '\n');
+}
+
+function success(msg) {
+  process.stdout.write(green(`✔ ${msg}`) + '\n');
+}
+
+function log(msg) {
+  process.stdout.write(msg + '\n');
+}
+
+function verdictBadge(verdict) {
+  if (NO_COLOR) return `[${verdict}]`;
+  if (verdict === 'BLOCK') return `${BG_RED}${BOLD} BLOCK ${RESET}`;
+  if (verdict === 'WARN')  return `${BG_YELLOW}\x1b[30m WARN  ${RESET}`;
+  return `${GREEN} OK    ${RESET}`;
+}
+
+function printScanHeader() {
+  log('');
+  log(bold(cyan('npa') + ' — npm package auditor'));
+  log(dim('Static obfuscation detection for install scripts'));
+  log(dim('─'.repeat(60)));
+  log('');
+}
+
+function printPackageResult(pkg, result) {
+  const badge = verdictBadge(result.verdict);
+  const name = bold(`${pkg.name}@${pkg.version}`);
+  const score = result.score > 0 ? dim(` (score: ${result.score})`) : '';
+  log(`  ${badge} ${name}${score}`);
+  for (const finding of result.findings) {
+    log(`         ${dim('└')} ${yellow(finding.name)}: ${dim(finding.detail)}`);
+  }
+}
+
+function printSummary(results) {
+  const blocked = results.filter(r => r.verdict === 'BLOCK').length;
+  const warned  = results.filter(r => r.verdict === 'WARN').length;
+  const ok      = results.filter(r => r.verdict === 'OK').length;
+
+  log('');
+  log(dim('─'.repeat(60)));
+  log(`  ${green(String(ok))} clean   ${yellow(String(warned))} warnings   ${red(String(blocked))} blocked`);
+  log('');
+}
+
+module.exports = {
+  bold, dim, red, green, yellow, blue, cyan, white,
+  error, warn, info, success, log,
+  verdictBadge, printScanHeader, printPackageResult, printSummary,
+  RESET, BOLD, DIM, RED, GREEN, YELLOW, BLUE, CYAN,
+};