pompelmi 0.20.0 → 0.21.0

package/dist/pompelmi.esm.js

@@ -1,3 +1,7 @@
+import * as crypto from 'crypto';
+import * as os from 'os';
+import * as path from 'path';
+
 function toScanFn(s) {
     return (typeof s === "function" ? s : s.scan);
 }
@@ -17,12 +21,98 @@ function composeScanners(...scanners) {
         return all;
     };
 }
-function createPresetScanner(_preset, _opts = {}) {
-    // TODO: wire to real preset registry
-    return async (_input, _ctx) => {
-        return [];
-    };
+function createPresetScanner(preset, opts = {}) {
+    const scanners = [];
+    // Add decompilation scanners based on preset
+    if (preset === 'decompilation-basic' || preset === 'decompilation-deep' ||
+        preset === 'malware-analysis' || opts.enableDecompilation) {
+        const depth = preset === 'decompilation-deep' ? 'deep' :
+            preset === 'decompilation-basic' ? 'basic' :
+                opts.decompilationDepth || 'basic';
+        if (!opts.decompilationEngine || opts.decompilationEngine === 'binaryninja-hlil' || opts.decompilationEngine === 'both') {
+            try {
+                // Dynamic import to avoid bundling issues
+                import('@pompelmi/engine-binaryninja').then(({ createBinaryNinjaScanner }) => {
+                    const binjaScanner = createBinaryNinjaScanner({
+                        timeout: opts.decompilationTimeout || opts.timeout || 30000,
+                        depth,
+                        pythonPath: opts.pythonPath,
+                        binaryNinjaPath: opts.binaryNinjaPath
+                    });
+                    scanners.push(binjaScanner);
+                }).catch(() => {
+                    // Binary Ninja engine not available
+                });
+            }
+            catch {
+                // Engine not installed
+            }
+        }
+        if (!opts.decompilationEngine || opts.decompilationEngine === 'ghidra-pcode' || opts.decompilationEngine === 'both') {
+            try {
+                // Dynamic import for Ghidra engine (when implemented)
+                import('@pompelmi/engine-ghidra').then(({ createGhidraScanner }) => {
+                    const ghidraScanner = createGhidraScanner({
+                        timeout: opts.decompilationTimeout || opts.timeout || 30000,
+                        depth,
+                        ghidraPath: opts.ghidraPath,
+                        analyzeHeadless: opts.analyzeHeadless
+                    });
+                    scanners.push(ghidraScanner);
+                }).catch(() => {
+                    // Ghidra engine not available
+                });
+            }
+            catch {
+                // Engine not installed
+            }
+        }
+    }
+    // Add other scanners for advanced presets
+    if (preset === 'advanced' || preset === 'malware-analysis') {
+        // Add heuristics scanner
+        try {
+            const { CommonHeuristicsScanner } = require('./scanners/common-heuristics');
+            scanners.push(new CommonHeuristicsScanner());
+        }
+        catch {
+            // Heuristics not available
+        }
+    }
+    if (scanners.length === 0) {
+        // Fallback scanner that returns no matches
+        return async (_input, _ctx) => {
+            return [];
+        };
+    }
+    return composeScanners(...scanners);
 }
+// Preset configurations
+const PRESET_CONFIGS = {
+    'basic': {
+        timeout: 10000
+    },
+    'advanced': {
+        timeout: 30000,
+        enableDecompilation: false
+    },
+    'malware-analysis': {
+        timeout: 60000,
+        enableDecompilation: true,
+        decompilationEngine: 'both',
+        decompilationDepth: 'deep'
+    },
+    'decompilation-basic': {
+        timeout: 30000,
+        enableDecompilation: true,
+        decompilationDepth: 'basic'
+    },
+    'decompilation-deep': {
+        timeout: 120000,
+        enableDecompilation: true,
+        decompilationDepth: 'deep'
+    }
+};
 
 /** Mappa veloce estensione -> mime (basic) */
 function guessMimeByExt(name) {
@@ -59,13 +149,13 @@ function toYaraMatches(ms) {
 /** Scan di bytes (browser/node) usando preset (default: zip-basic) */
 async function scanBytes(input, opts = {}) {
     const t0 = Date.now();
-    opts.preset ?? 'zip-basic';
+    const preset = opts.preset ?? 'zip-basic';
     const ctx = {
         ...opts.ctx,
         mimeType: opts.ctx?.mimeType ?? guessMimeByExt(opts.ctx?.filename),
         size: opts.ctx?.size ?? input.byteLength,
     };
-    const scanFn = createPresetScanner();
+    const scanFn = createPresetScanner(preset);
     const matchesH = await (typeof scanFn === "function" ? scanFn : scanFn.scan)(input, ctx);
     const matches = toYaraMatches(matchesH);
     const verdict = computeVerdict(matches);
@@ -2108,6 +2198,353 @@ async function scanFilesWithRemoteYara(files, rulesSource, remote) {
     return results;
 }
 
+/** Decompilation-specific types for Pompelmi */
+const SUSPICIOUS_PATTERNS = [
+    {
+        name: 'syscall_direct',
+        description: 'Direct system call without library wrapper',
+        severity: 'medium',
+        pattern: /syscall|sysenter|int\s+0x80/i
+    },
+    {
+        name: 'process_injection',
+        description: 'Process injection techniques',
+        severity: 'high',
+        pattern: /CreateRemoteThread|WriteProcessMemory|VirtualAllocEx/i
+    },
+    {
+        name: 'anti_debug',
+        description: 'Anti-debugging techniques',
+        severity: 'medium',
+        pattern: /IsDebuggerPresent|CheckRemoteDebuggerPresent|OutputDebugString/i
+    },
+    {
+        name: 'obfuscation_xor',
+        description: 'XOR-based obfuscation pattern',
+        severity: 'medium',
+        pattern: /xor.*0x[0-9a-f]+.*xor/i
+    },
+    {
+        name: 'crypto_constants',
+        description: 'Cryptographic constants',
+        severity: 'low',
+        pattern: /0x67452301|0xefcdab89|0x98badcfe|0x10325476/i
+    }
+];
+
+/**
+ * HIPAA Compliance Module for Pompelmi
+ *
+ * This module provides comprehensive HIPAA compliance features for healthcare environments
+ * where Pompelmi is used to analyze potentially compromised systems containing PHI.
+ *
+ * Key protections:
+ * - Data sanitization and redaction
+ * - Secure temporary file handling
+ * - Audit logging
+ * - Memory protection
+ * - Error message sanitization
+ */
+class HipaaComplianceManager {
+    constructor(config) {
+        this.auditEvents = [];
+        this.config = {
+            enabled: true,
+            sanitizeErrors: true,
+            sanitizeFilenames: true,
+            encryptTempFiles: true,
+            memoryProtection: true,
+            requireSecureTransport: true,
+            ...config
+        };
+        this.sessionId = this.generateSessionId();
+    }
+    /**
+     * Sanitize filename to prevent PHI leakage in logs
+     */
+    sanitizeFilename(filename) {
+        if (!this.config.enabled || !this.config.sanitizeFilenames || !filename) {
+            return filename || 'unknown';
+        }
+        // Remove potentially sensitive path information
+        const basename = path.basename(filename);
+        // Hash the filename to create a consistent but non-revealing identifier
+        const hash = crypto.createHash('sha256').update(basename).digest('hex').substring(0, 8);
+        // Preserve file extension for analysis purposes
+        const ext = path.extname(basename);
+        return `file_${hash}${ext}`;
+    }
+    /**
+     * Sanitize error messages to prevent PHI exposure
+     */
+    sanitizeError(error) {
+        if (!this.config.enabled || !this.config.sanitizeErrors) {
+            return typeof error === 'string' ? error : error.message;
+        }
+        const message = typeof error === 'string' ? error : error.message;
+        // Remove common patterns that might contain PHI
+        let sanitized = message
+            // Remove file paths
+            .replace(/[A-Za-z]:\\\\[^\\s]+/g, '[REDACTED_PATH]')
+            .replace(/\/[^\\s]+/g, '[REDACTED_PATH]')
+            // Remove potential patient identifiers (numbers that could be MRNs, SSNs)
+            .replace(/\\b\\d{3}-?\\d{2}-?\\d{4}\\b/g, '[REDACTED_ID]')
+            .replace(/\\b\\d{6,}\\b/g, '[REDACTED_ID]')
+            // Remove email addresses
+            .replace(/[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}/g, '[REDACTED_EMAIL]')
+            // Remove potential names (capitalize words in error messages)
+            .replace(/\\b[A-Z][a-z]+\\s+[A-Z][a-z]+\\b/g, '[REDACTED_NAME]')
+            // Remove IP addresses
+            .replace(/\\b(?:\\d{1,3}\\.){3}\\d{1,3}\\b/g, '[REDACTED_IP]');
+        return sanitized;
+    }
+    /**
+     * Create secure temporary file path with encryption if enabled
+     */
+    createSecureTempPath(prefix = 'pompelmi') {
+        if (!this.config.enabled) {
+            return path.join(os.tmpdir(), `${prefix}-${Date.now()}-${Math.random().toString(36).slice(2)}`);
+        }
+        // Use cryptographically secure random names
+        const randomId = crypto.randomBytes(16).toString('hex');
+        const timestamp = Date.now();
+        // Create path in secure temp directory
+        const secureTempDir = this.getSecureTempDir();
+        const tempPath = path.join(secureTempDir, `${prefix}-${timestamp}-${randomId}`);
+        this.auditLog('temp_file_created', {
+            action: 'create_temp_file',
+            success: true,
+            metadata: { path: this.sanitizeFilename(tempPath) }
+        });
+        return tempPath;
+    }
+    /**
+     * Get or create secure temporary directory with restricted permissions
+     */
+    getSecureTempDir() {
+        const secureTempPath = path.join(os.tmpdir(), 'pompelmi-secure');
+        try {
+            const fs = require('fs');
+            if (!fs.existsSync(secureTempPath)) {
+                fs.mkdirSync(secureTempPath, { mode: 0o700 }); // Owner read/write/execute only
+            }
+        }
+        catch (error) {
+            // Fallback to system temp
+            return os.tmpdir();
+        }
+        return secureTempPath;
+    }
+    /**
+     * Secure file cleanup with multiple overwrite passes
+     */
+    async secureFileCleanup(filePath) {
+        if (!this.config.enabled) {
+            try {
+                const fs = await import('fs/promises');
+                await fs.unlink(filePath);
+            }
+            catch {
+                // Ignore cleanup errors
+            }
+            return;
+        }
+        try {
+            const fs = await import('fs/promises');
+            const stats = await fs.stat(filePath);
+            if (this.config.memoryProtection) {
+                // Overwrite file with random data multiple times (DoD 5220.22-M standard)
+                const fileSize = stats.size;
+                const buffer = crypto.randomBytes(Math.min(fileSize, 64 * 1024)); // 64KB chunks
+                for (let pass = 0; pass < 3; pass++) {
+                    const handle = await fs.open(filePath, 'r+');
+                    try {
+                        for (let offset = 0; offset < fileSize; offset += buffer.length) {
+                            const chunk = offset + buffer.length > fileSize
+                                ? buffer.subarray(0, fileSize - offset)
+                                : buffer;
+                            await handle.write(chunk, 0, chunk.length, offset);
+                        }
+                        await handle.sync();
+                    }
+                    finally {
+                        await handle.close();
+                    }
+                }
+            }
+            // Final deletion
+            await fs.unlink(filePath);
+            this.auditLog('temp_file_deleted', {
+                action: 'secure_delete',
+                success: true,
+                metadata: {
+                    path: this.sanitizeFilename(filePath),
+                    overwritePasses: this.config.memoryProtection ? 3 : 0
+                }
+            });
+        }
+        catch (error) {
+            this.auditLog('temp_file_deleted', {
+                action: 'secure_delete',
+                success: false,
+                sanitizedError: this.sanitizeError(error),
+                metadata: { path: this.sanitizeFilename(filePath) }
+            });
+        }
+    }
+    /**
+     * Calculate secure file hash for audit purposes
+     */
+    calculateFileHash(data) {
+        return crypto.createHash('sha256').update(data).digest('hex');
+    }
+    /**
+     * Log audit event
+     */
+    auditLog(eventType, details) {
+        if (!this.config.enabled)
+            return;
+        const event = {
+            timestamp: new Date().toISOString(),
+            eventType,
+            sessionId: this.sessionId,
+            details: {
+                action: details.action || 'unknown',
+                success: details.success ?? true,
+                ...details
+            }
+        };
+        this.auditEvents.push(event);
+        // Write to audit log file if configured
+        if (this.config.auditLogPath) {
+            this.writeAuditLog(event).catch(() => {
+                // Silent failure to prevent error loops
+            });
+        }
+    }
+    /**
+     * Write audit event to file
+     */
+    async writeAuditLog(event) {
+        if (!this.config.auditLogPath)
+            return;
+        try {
+            const fs = await import('fs/promises');
+            const logLine = JSON.stringify(event) + '\\n';
+            await fs.appendFile(this.config.auditLogPath, logLine, { flag: 'a' });
+        }
+        catch {
+            // Silent failure
+        }
+    }
+    /**
+     * Generate cryptographically secure session ID
+     */
+    generateSessionId() {
+        return crypto.randomBytes(16).toString('hex');
+    }
+    /**
+     * Get current audit events for this session
+     */
+    getAuditEvents() {
+        return [...this.auditEvents];
+    }
+    /**
+     * Clear sensitive data from memory
+     */
+    clearSensitiveData() {
+        if (!this.config.enabled || !this.config.memoryProtection)
+            return;
+        // Clear audit events
+        this.auditEvents.length = 0;
+        // Force garbage collection if available
+        if (global.gc) {
+            global.gc();
+        }
+    }
+    /**
+     * Validate transport security
+     */
+    validateTransportSecurity(url) {
+        if (!this.config.enabled || !this.config.requireSecureTransport) {
+            return true;
+        }
+        if (!url)
+            return true;
+        try {
+            const urlObj = new URL(url);
+            const isSecure = urlObj.protocol === 'https:' || urlObj.hostname === 'localhost' || urlObj.hostname === '127.0.0.1';
+            if (!isSecure) {
+                this.auditLog('security_violation', {
+                    action: 'insecure_transport',
+                    success: false,
+                    metadata: { protocol: urlObj.protocol, hostname: urlObj.hostname }
+                });
+            }
+            return isSecure;
+        }
+        catch {
+            return false;
+        }
+    }
+}
+// Global HIPAA compliance instance
+let hipaaManager = null;
+/**
+ * Initialize HIPAA compliance
+ */
+function initializeHipaaCompliance(config) {
+    hipaaManager = new HipaaComplianceManager(config);
+    return hipaaManager;
+}
+/**
+ * Get current HIPAA compliance manager
+ */
+function getHipaaManager() {
+    return hipaaManager;
+}
+/**
+ * HIPAA-compliant error wrapper
+ */
+function createHipaaError(error, context) {
+    const manager = getHipaaManager();
+    if (!manager) {
+        return typeof error === 'string' ? new Error(error) : error;
+    }
+    const sanitizedMessage = manager.sanitizeError(error);
+    const hipaaError = new Error(sanitizedMessage);
+    manager.auditLog('error_occurred', {
+        action: context || 'error',
+        success: false,
+        sanitizedError: sanitizedMessage
+    });
+    return hipaaError;
+}
+/**
+ * HIPAA-compliant temporary file utilities
+ */
+const HipaaTemp = {
+    createPath: (prefix) => {
+        const manager = getHipaaManager();
+        return manager ? manager.createSecureTempPath(prefix) : path.join(os.tmpdir(), `${prefix || 'pompelmi'}-${Date.now()}`);
+    },
+    cleanup: async (filePath) => {
+        const manager = getHipaaManager();
+        if (manager) {
+            await manager.secureFileCleanup(filePath);
+        }
+        else {
+            try {
+                const fs = await import('fs/promises');
+                await fs.unlink(filePath);
+            }
+            catch {
+                // Ignore errors
+            }
+        }
+    }
+};
+
 function mapMatchesToVerdict(matches = []) {
     if (!matches.length)
         return 'clean';
@@ -2322,5 +2759,5 @@ function definePolicy(input = {}) {
     return p;
 }
 
-export { CommonHeuristicsScanner, DEFAULT_POLICY, composeScanners, createPresetScanner, createZipBombGuard, definePolicy, mapMatchesToVerdict, scanBytes, scanFile, scanFiles, scanFilesWithRemoteYara, useFileScanner, validateFile };
+export { CommonHeuristicsScanner, DEFAULT_POLICY, HipaaComplianceManager, HipaaTemp, PRESET_CONFIGS, SUSPICIOUS_PATTERNS, composeScanners, createHipaaError, createPresetScanner, createZipBombGuard, definePolicy, getHipaaManager, initializeHipaaCompliance, mapMatchesToVerdict, scanBytes, scanFile, scanFiles, scanFilesWithRemoteYara, useFileScanner, validateFile };
 //# sourceMappingURL=pompelmi.esm.js.map