pompelmi 0.34.10 → 0.35.0

Files changed (112)
  1. package/README.md +26 -15
  2. package/dist/pompelmi.audit.cjs +13 -15
  3. package/dist/pompelmi.audit.cjs.map +1 -1
  4. package/dist/pompelmi.audit.esm.js +13 -15
  5. package/dist/pompelmi.audit.esm.js.map +1 -1
  6. package/dist/pompelmi.browser.cjs +585 -534
  7. package/dist/pompelmi.browser.cjs.map +1 -1
  8. package/dist/pompelmi.browser.esm.js +585 -534
  9. package/dist/pompelmi.browser.esm.js.map +1 -1
  10. package/dist/pompelmi.cjs +2066 -2016
  11. package/dist/pompelmi.cjs.map +1 -1
  12. package/dist/pompelmi.esm.js +2066 -2016
  13. package/dist/pompelmi.esm.js.map +1 -1
  14. package/dist/pompelmi.hooks.cjs +2 -2
  15. package/dist/pompelmi.hooks.cjs.map +1 -1
  16. package/dist/pompelmi.hooks.esm.js +2 -2
  17. package/dist/pompelmi.hooks.esm.js.map +1 -1
  18. package/dist/pompelmi.policy-packs.cjs +74 -73
  19. package/dist/pompelmi.policy-packs.cjs.map +1 -1
  20. package/dist/pompelmi.policy-packs.esm.js +74 -73
  21. package/dist/pompelmi.policy-packs.esm.js.map +1 -1
  22. package/dist/pompelmi.quarantine.cjs +135 -133
  23. package/dist/pompelmi.quarantine.cjs.map +1 -1
  24. package/dist/pompelmi.quarantine.esm.js +135 -133
  25. package/dist/pompelmi.quarantine.esm.js.map +1 -1
  26. package/dist/pompelmi.react.cjs +585 -534
  27. package/dist/pompelmi.react.cjs.map +1 -1
  28. package/dist/pompelmi.react.esm.js +585 -534
  29. package/dist/pompelmi.react.esm.js.map +1 -1
  30. package/dist/types/audit.d.ts +12 -12
  31. package/dist/types/browser-index.d.ts +12 -12
  32. package/dist/types/config.d.ts +4 -4
  33. package/dist/types/engines/dynamic-taint.d.ts +1 -1
  34. package/dist/types/engines/hybrid-orchestrator.d.ts +1 -1
  35. package/dist/types/engines/hybrid-taint-integration.d.ts +6 -6
  36. package/dist/types/engines/taint-policies.d.ts +4 -4
  37. package/dist/types/hipaa-compliance.d.ts +2 -2
  38. package/dist/types/hooks.d.ts +2 -2
  39. package/dist/types/index.d.ts +20 -20
  40. package/dist/types/node/scanDir.d.ts +5 -5
  41. package/dist/types/policy-packs.d.ts +2 -2
  42. package/dist/types/presets.d.ts +3 -3
  43. package/dist/types/quarantine/index.d.ts +3 -3
  44. package/dist/types/quarantine/storage.d.ts +1 -1
  45. package/dist/types/quarantine/types.d.ts +3 -3
  46. package/dist/types/quarantine/workflow.d.ts +4 -4
  47. package/dist/types/react-index.d.ts +2 -2
  48. package/dist/types/risk.d.ts +1 -1
  49. package/dist/types/scan/remote.d.ts +2 -2
  50. package/dist/types/scan.d.ts +5 -5
  51. package/dist/types/scanners/common-heuristics.d.ts +1 -1
  52. package/dist/types/scanners/zip-bomb-guard.d.ts +1 -1
  53. package/dist/types/src/audit.d.ts +84 -0
  54. package/dist/types/src/browser-index.d.ts +29 -0
  55. package/dist/types/src/config.d.ts +143 -0
  56. package/dist/types/src/engines/dynamic-taint.d.ts +102 -0
  57. package/dist/types/src/engines/hybrid-orchestrator.d.ts +65 -0
  58. package/dist/types/src/engines/hybrid-taint-integration.d.ts +129 -0
  59. package/dist/types/src/engines/taint-policies.d.ts +84 -0
  60. package/dist/types/src/hipaa-compliance.d.ts +110 -0
  61. package/dist/types/src/hooks.d.ts +89 -0
  62. package/dist/types/src/index.d.ts +29 -0
  63. package/dist/types/src/magic.d.ts +7 -0
  64. package/dist/types/src/node/scanDir.d.ts +30 -0
  65. package/dist/types/src/policy-packs.d.ts +98 -0
  66. package/dist/types/src/policy.d.ts +12 -0
  67. package/dist/types/src/presets.d.ts +72 -0
  68. package/dist/types/src/quarantine/index.d.ts +18 -0
  69. package/dist/types/src/quarantine/storage.d.ts +77 -0
  70. package/dist/types/src/quarantine/types.d.ts +78 -0
  71. package/dist/types/src/quarantine/workflow.d.ts +97 -0
  72. package/dist/types/src/react-index.d.ts +13 -0
  73. package/dist/types/src/risk.d.ts +18 -0
  74. package/dist/types/src/scan/remote.d.ts +12 -0
  75. package/dist/types/src/scan.d.ts +17 -0
  76. package/dist/types/src/scanners/common-heuristics.d.ts +14 -0
  77. package/dist/types/src/scanners/zip-bomb-guard.d.ts +9 -0
  78. package/dist/types/src/scanners/zipTraversalGuard.d.ts +19 -0
  79. package/dist/types/src/stream.d.ts +10 -0
  80. package/dist/types/src/types/decompilation.d.ts +96 -0
  81. package/dist/types/src/types/taint-tracking.d.ts +495 -0
  82. package/dist/types/src/types.d.ts +48 -0
  83. package/dist/types/src/useFileScanner.d.ts +15 -0
  84. package/dist/types/src/utils/advanced-detection.d.ts +21 -0
  85. package/dist/types/src/utils/batch-scanner.d.ts +62 -0
  86. package/dist/types/src/utils/cache-manager.d.ts +95 -0
  87. package/dist/types/src/utils/export.d.ts +51 -0
  88. package/dist/types/src/utils/performance-metrics.d.ts +68 -0
  89. package/dist/types/src/utils/threat-intelligence.d.ts +96 -0
  90. package/dist/types/src/validate.d.ts +7 -0
  91. package/dist/types/src/verdict.d.ts +2 -0
  92. package/dist/types/src/yara/browser.d.ts +7 -0
  93. package/dist/types/src/yara/index.d.ts +17 -0
  94. package/dist/types/src/yara/node.d.ts +2 -0
  95. package/dist/types/src/yara/remote.d.ts +10 -0
  96. package/dist/types/src/yara-bridge.d.ts +3 -0
  97. package/dist/types/src/zip.d.ts +13 -0
  98. package/dist/types/types/decompilation.d.ts +4 -4
  99. package/dist/types/types/taint-tracking.d.ts +19 -19
  100. package/dist/types/types.d.ts +3 -3
  101. package/dist/types/useFileScanner.d.ts +1 -1
  102. package/dist/types/utils/advanced-detection.d.ts +1 -1
  103. package/dist/types/utils/batch-scanner.d.ts +3 -3
  104. package/dist/types/utils/cache-manager.d.ts +1 -1
  105. package/dist/types/utils/export.d.ts +2 -2
  106. package/dist/types/utils/threat-intelligence.d.ts +4 -4
  107. package/dist/types/verdict.d.ts +1 -1
  108. package/dist/types/yara/browser.d.ts +1 -1
  109. package/dist/types/yara/index.d.ts +1 -1
  110. package/dist/types/yara/node.d.ts +1 -1
  111. package/dist/types/yara/remote.d.ts +2 -2
  112. package/package.json +6 -6
@@ -3,1044 +3,631 @@ import { createHash } from 'crypto';
3
3
  import * as os from 'os';
4
4
  import * as path from 'path';
5
5
 
6
- function hasAsciiToken(buf, token) {
7
- // Use latin1 so we can safely search binary
8
- return buf.indexOf(token, 0, 'latin1') !== -1;
9
- }
10
- function startsWith(buf, bytes) {
11
- if (buf.length < bytes.length)
12
- return false;
13
- for (let i = 0; i < bytes.length; i++)
14
- if (buf[i] !== bytes[i])
15
- return false;
16
- return true;
17
- }
18
- function isPDF(buf) {
19
- // %PDF-
20
- return startsWith(buf, [0x25, 0x50, 0x44, 0x46, 0x2d]);
21
- }
22
- function isOleCfb(buf) {
23
- // D0 CF 11 E0 A1 B1 1A E1
24
- const sig = [0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1];
25
- return startsWith(buf, sig);
26
- }
27
- function isZipLike$1(buf) {
28
- // PK\x03\x04
29
- return startsWith(buf, [0x50, 0x4b, 0x03, 0x04]);
30
- }
31
- function isPeExecutable(buf) {
32
- // "MZ"
33
- return startsWith(buf, [0x4d, 0x5a]);
34
- }
35
- /** OOXML macro hint via filename token in ZIP container */
36
- function hasOoxmlMacros(buf) {
37
- if (!isZipLike$1(buf))
38
- return false;
39
- return hasAsciiToken(buf, 'vbaProject.bin');
40
- }
41
- /** PDF risky features (/JavaScript, /OpenAction, /AA, /Launch) */
42
- function pdfRiskTokens(buf) {
43
- const tokens = ['/JavaScript', '/OpenAction', '/AA', '/Launch'];
44
- return tokens.filter(t => hasAsciiToken(buf, t));
45
- }
46
- const CommonHeuristicsScanner = {
47
- async scan(input) {
48
- const buf = Buffer.from(input);
49
- const matches = [];
50
- // Office macros (OLE / OOXML)
51
- if (isOleCfb(buf)) {
52
- matches.push({ rule: 'office_ole_container', severity: 'suspicious' });
53
- }
54
- if (hasOoxmlMacros(buf)) {
55
- matches.push({ rule: 'office_ooxml_macros', severity: 'suspicious' });
56
- }
57
- // PDF risky tokens
58
- if (isPDF(buf)) {
59
- const toks = pdfRiskTokens(buf);
60
- if (toks.length) {
61
- matches.push({
62
- rule: 'pdf_risky_actions',
63
- severity: 'suspicious',
64
- meta: { tokens: toks }
65
- });
66
- }
67
- }
68
- // Executable header
69
- if (isPeExecutable(buf)) {
70
- matches.push({ rule: 'pe_executable_signature', severity: 'suspicious' });
71
- }
72
- // EICAR test file
73
- const EICAR_NEEDLE = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!";
74
- if (hasAsciiToken(buf, EICAR_NEEDLE)) {
75
- matches.push({ rule: 'eicar_test_file', severity: 'high', meta: { note: 'EICAR standard antivirus test file detected' } });
76
- }
77
- return matches;
78
- }
79
- };
80
-
81
- function toScanFn(s) {
82
- return (typeof s === "function" ? s : s.scan);
83
- }
84
- /** Map a Match's severity field to a Verdict for stopOn comparison. */
85
- function matchToVerdict(m) {
86
- const s = m.severity;
87
- if (s === "critical" || s === "high" || s === "malicious")
88
- return "malicious";
89
- if (s === "medium" || s === "low" || s === "suspicious" || s === "info")
90
- return "suspicious";
91
- return "clean";
92
- }
93
- /** Highest verdict across all matches in the list. */
94
- function highestSeverity(matches) {
95
- if (matches.length === 0)
96
- return null;
97
- if (matches.some((m) => matchToVerdict(m) === "malicious"))
98
- return "malicious";
99
- if (matches.some((m) => matchToVerdict(m) === "suspicious"))
100
- return "suspicious";
101
- return "clean";
102
- }
103
- const SEVERITY_RANK = { malicious: 2, suspicious: 1, clean: 0 };
104
- function shouldStop(matches, stopOn) {
105
- if (!stopOn)
106
- return false;
107
- const highest = highestSeverity(matches);
108
- if (!highest)
109
- return false;
110
- return SEVERITY_RANK[highest] >= SEVERITY_RANK[stopOn];
111
- }
112
- async function runWithTimeout(fn, timeoutMs) {
113
- if (!timeoutMs)
114
- return fn();
115
- return new Promise((resolve, reject) => {
116
- const timer = setTimeout(() => reject(new Error("scanner timeout")), timeoutMs);
117
- fn().then((v) => { clearTimeout(timer); resolve(v); }, (e) => { clearTimeout(timer); reject(e); });
118
- });
119
- }
120
- // eslint-disable-next-line @typescript-eslint/no-explicit-any
121
- function composeScanners(...args) {
122
- const first = args[0];
123
- const rest = args.slice(1);
124
- // ── Named-scanner array form ──────────────────────────────────────────────
125
- if (Array.isArray(first) &&
126
- (first.length === 0 || (Array.isArray(first[0]) && typeof first[0][0] === "string"))) {
127
- const entries = first;
128
- const opts = rest.length > 0 && !Array.isArray(rest[0]) && typeof rest[0] !== "function" &&
129
- !(typeof rest[0] === "object" && rest[0] !== null && "scan" in rest[0])
130
- ? rest[0]
131
- : {};
132
- return async (input, ctx) => {
133
- const all = [];
134
- if (opts.parallel) {
135
- // Parallel execution — collect all results then return
136
- const results = await Promise.allSettled(entries.map(([name, scanner]) => runWithTimeout(() => toScanFn(scanner)(input, ctx), opts.timeoutMsPerScanner)));
137
- for (let i = 0; i < results.length; i++) {
138
- const result = results[i];
139
- if (result.status === "fulfilled" && Array.isArray(result.value)) {
140
- const matches = opts.tagSourceName
141
- ? result.value.map((m) => ({
142
- ...m,
143
- meta: { ...m.meta, _sourceName: entries[i][0] },
144
- }))
145
- : result.value;
146
- all.push(...matches);
147
- }
148
- }
149
- }
150
- else {
151
- // Sequential execution with optional stopOn short-circuit
152
- for (const [name, scanner] of entries) {
153
- try {
154
- const out = await runWithTimeout(() => toScanFn(scanner)(input, ctx), opts.timeoutMsPerScanner);
155
- if (Array.isArray(out)) {
156
- const matches = opts.tagSourceName
157
- ? out.map((m) => ({ ...m, meta: { ...m.meta, _sourceName: name } }))
158
- : out;
159
- all.push(...matches);
160
- if (shouldStop(all, opts.stopOn))
161
- break;
162
- }
163
- }
164
- catch {
165
- // individual scanner failure is non-fatal
166
- }
167
- }
168
- }
169
- return all;
170
- };
171
- }
172
- // ── Variadic form (backward-compatible) ───────────────────────────────────
173
- const scanners = [first, ...rest].filter(Boolean);
174
- return async (input, ctx) => {
175
- const all = [];
176
- for (const s of scanners) {
177
- try {
178
- const out = await toScanFn(s)(input, ctx);
179
- if (Array.isArray(out))
180
- all.push(...out);
181
- }
182
- catch {
183
- // ignore individual scanner failures
184
- }
185
- }
186
- return all;
187
- };
188
- }
189
- function createPresetScanner(preset, opts = {}) {
190
- const scanners = [];
191
- // Always include heuristics (EICAR, PHP webshells, JS obfuscation, PE hints, etc.)
192
- scanners.push(CommonHeuristicsScanner);
193
- // Add decompilation scanners based on preset
194
- if (preset === 'decompilation-basic' || preset === 'decompilation-deep' ||
195
- preset === 'malware-analysis' || opts.enableDecompilation) {
196
- const depth = preset === 'decompilation-deep' ? 'deep' :
197
- preset === 'decompilation-basic' ? 'basic' :
198
- opts.decompilationDepth || 'basic';
199
- if (!opts.decompilationEngine || opts.decompilationEngine === 'binaryninja-hlil' || opts.decompilationEngine === 'both') {
200
- try {
201
- // Dynamic import to avoid bundling issues - using Function to bypass TypeScript type checking
202
- const importModule = new Function('specifier', 'return import(specifier)');
203
- importModule('@pompelmi/engine-binaryninja').then((mod) => {
204
- const binjaScanner = mod.createBinaryNinjaScanner({
205
- timeout: opts.decompilationTimeout || opts.timeout || 30000,
206
- depth,
207
- pythonPath: opts.pythonPath,
208
- binaryNinjaPath: opts.binaryNinjaPath
209
- });
210
- scanners.push(binjaScanner);
211
- }).catch(() => {
212
- // Binary Ninja engine not available - silently skip
213
- });
214
- }
215
- catch {
216
- // Engine not installed
217
- }
218
- }
219
- if (!opts.decompilationEngine || opts.decompilationEngine === 'ghidra-pcode' || opts.decompilationEngine === 'both') {
220
- try {
221
- // Dynamic import for Ghidra engine (when implemented) - using Function to bypass TypeScript type checking
222
- const importModule = new Function('specifier', 'return import(specifier)');
223
- importModule('@pompelmi/engine-ghidra').then((mod) => {
224
- const ghidraScanner = mod.createGhidraScanner({
225
- timeout: opts.decompilationTimeout || opts.timeout || 30000,
226
- depth,
227
- ghidraPath: opts.ghidraPath,
228
- analyzeHeadless: opts.analyzeHeadless
229
- });
230
- scanners.push(ghidraScanner);
231
- }).catch(() => {
232
- // Ghidra engine not available - silently skip
233
- });
234
- }
235
- catch {
236
- // Engine not installed
237
- }
238
- }
239
- }
240
- if (scanners.length === 0) {
241
- // Fallback scanner that returns no matches
242
- return async (_input, _ctx) => {
243
- return [];
244
- };
245
- }
246
- return composeScanners(...scanners);
247
- }
248
-
249
- /**
250
- * Performance monitoring utilities for pompelmi scans
251
- * @module utils/performance-metrics
252
- */
253
6
  /**
254
- * Track performance metrics for a scan operation
255
- */
256
- class PerformanceTracker {
257
- constructor() {
258
- this.checkpoints = new Map();
259
- this.startTime = Date.now();
260
- }
261
- /**
262
- * Mark a checkpoint in the scan process
263
- */
264
- checkpoint(name) {
265
- this.checkpoints.set(name, Date.now());
266
- }
267
- /**
268
- * Get duration since start or since a specific checkpoint
269
- */
270
- getDuration(since) {
271
- const now = Date.now();
272
- if (since && this.checkpoints.has(since)) {
273
- return now - (this.checkpoints.get(since) ?? now);
274
- }
275
- return now - this.startTime;
276
- }
277
- /**
278
- * Generate final metrics report
279
- */
280
- getMetrics(bytesScanned) {
281
- const totalDuration = this.getDuration();
282
- const throughput = totalDuration > 0 ? (bytesScanned / totalDuration) * 1000 : 0;
283
- return {
284
- totalDurationMs: totalDuration,
285
- heuristicsDurationMs: this.checkpoints.has('heuristics_end')
286
- ? (this.checkpoints.get('heuristics_end') ?? 0) - (this.checkpoints.get('heuristics_start') ?? 0)
287
- : undefined,
288
- yaraDurationMs: this.checkpoints.has('yara_end')
289
- ? (this.checkpoints.get('yara_end') ?? 0) - (this.checkpoints.get('yara_start') ?? 0)
290
- : undefined,
291
- prepDurationMs: this.checkpoints.has('prep_end')
292
- ? (this.checkpoints.get('prep_end') ?? 0) - this.startTime
293
- : undefined,
294
- throughputBps: throughput,
295
- bytesScanned,
296
- startedAt: this.startTime,
297
- completedAt: Date.now(),
298
- };
299
- }
300
- }
301
- /**
302
- * Aggregate statistics from multiple scan reports
303
- */
304
- function aggregateScanStats(reports) {
305
- let cleanCount = 0;
306
- let suspiciousCount = 0;
307
- let maliciousCount = 0;
308
- let totalDuration = 0;
309
- let totalBytes = 0;
310
- let validDurationCount = 0;
311
- for (const report of reports) {
312
- if (report.verdict === 'clean')
313
- cleanCount++;
314
- else if (report.verdict === 'suspicious')
315
- suspiciousCount++;
316
- else if (report.verdict === 'malicious')
317
- maliciousCount++;
318
- if (report.durationMs !== undefined) {
319
- totalDuration += report.durationMs;
320
- validDurationCount++;
321
- }
322
- if (report.file?.size !== undefined) {
323
- totalBytes += report.file.size;
324
- }
325
- }
326
- const avgDuration = validDurationCount > 0 ? totalDuration / validDurationCount : 0;
327
- const avgThroughput = totalDuration > 0 ? (totalBytes / totalDuration) * 1000 : 0;
328
- return {
329
- totalScans: reports.length,
330
- cleanCount,
331
- suspiciousCount,
332
- maliciousCount,
333
- avgDurationMs: avgDuration,
334
- avgThroughputBps: avgThroughput,
335
- totalBytesScanned: totalBytes,
336
- };
337
- }
338
-
339
- /**
340
- * Advanced threat detection utilities
341
- * @module utils/advanced-detection
342
- */
343
- /**
344
- * Enhanced polyglot file detection
345
- * Detects files that can be interpreted as multiple formats
7
+ * Advanced configuration system for pompelmi
8
+ * @module config
346
9
  */
347
- function detectPolyglot(bytes) {
348
- const matches = [];
349
- // Check for PDF/ZIP polyglot
350
- if (isPDFZipPolyglot(bytes)) {
351
- matches.push({
352
- rule: 'polyglot_pdf_zip',
353
- severity: 'high',
354
- meta: { description: 'File can be interpreted as both PDF and ZIP' },
355
- });
356
- }
357
- // Check for image/script polyglot
358
- if (isImageScriptPolyglot(bytes)) {
359
- matches.push({
360
- rule: 'polyglot_image_script',
361
- severity: 'high',
362
- meta: { description: 'Image file contains executable script content' },
363
- });
364
- }
365
- // Check for GIFAR (GIF/JAR polyglot)
366
- if (isGIFAR(bytes)) {
367
- matches.push({
368
- rule: 'polyglot_gifar',
369
- severity: 'critical',
370
- meta: { description: 'GIF file contains Java archive' },
371
- });
372
- }
373
- return matches;
374
- }
375
10
  /**
376
- * Detect obfuscated JavaScript/VBScript
377
- */
378
- function detectObfuscatedScripts(bytes) {
379
- const matches = [];
380
- const text = new TextDecoder('utf-8', { fatal: false }).decode(bytes.slice(0, Math.min(64 * 1024, bytes.length)));
381
- // Check for common obfuscation patterns
382
- const obfuscationPatterns = [
383
- /eval\s*\(\s*unescape\s*\(/gi,
384
- /eval\s*\(\s*atob\s*\(/gi,
385
- /String\.fromCharCode\s*\(\s*\d+(?:\s*,\s*\d+){10,}/gi,
386
- /[a-z0-9]{100,}/gi, // Long encoded strings
387
- /\\x[0-9a-f]{2}/gi, // Hex escapes
388
- ];
389
- for (const pattern of obfuscationPatterns) {
390
- if (pattern.test(text)) {
391
- matches.push({
392
- rule: 'obfuscated_script',
393
- severity: 'medium',
394
- meta: {
395
- description: 'Detected obfuscated script content',
396
- pattern: pattern.source,
397
- },
398
- });
399
- break;
400
- }
401
- }
402
- return matches;
403
- }
404
- /**
405
- * Enhanced nested archive detection with depth limits
11
+ * Default configuration
406
12
  */
407
- function analyzeNestedArchives(bytes, maxDepth = 10) {
408
- let depth = 0;
409
- let currentBytes = bytes;
410
- while (depth < maxDepth) {
411
- if (isArchive(currentBytes)) {
412
- depth++;
413
- {
414
- break;
415
- }
416
- }
417
- else {
418
- break;
419
- }
420
- }
421
- return {
422
- depth,
423
- hasExcessiveNesting: depth >= 5,
424
- };
425
- }
426
- // Helper functions
427
- function isPDFZipPolyglot(bytes) {
428
- if (bytes.length < 8)
429
- return false;
430
- // Check for PDF signature
431
- const hasPDF = bytes[0] === 0x25 && bytes[1] === 0x50 && bytes[2] === 0x44 && bytes[3] === 0x46;
432
- // Check for ZIP signature anywhere in the file
433
- let hasZIP = false;
434
- for (let i = 0; i < Math.min(bytes.length - 4, 1024); i++) {
435
- if (bytes[i] === 0x50 && bytes[i + 1] === 0x4B && bytes[i + 2] === 0x03 && bytes[i + 3] === 0x04) {
436
- hasZIP = true;
437
- break;
438
- }
439
- }
440
- return hasPDF && hasZIP;
441
- }
442
- function isImageScriptPolyglot(bytes) {
443
- if (bytes.length < 100)
444
- return false;
445
- // Check for image signatures
446
- const isImage = ((bytes[0] === 0xFF && bytes[1] === 0xD8) || // JPEG
447
- (bytes[0] === 0x89 && bytes[1] === 0x50 && bytes[2] === 0x4E && bytes[3] === 0x47) || // PNG
448
- (bytes[0] === 0x47 && bytes[1] === 0x49 && bytes[2] === 0x46) // GIF
449
- );
450
- if (!isImage)
451
- return false;
452
- // Check for script content
453
- const text = new TextDecoder('utf-8', { fatal: false }).decode(bytes);
454
- return /<script|javascript:|eval\(|function\s*\(/i.test(text);
455
- }
456
- function isGIFAR(bytes) {
457
- if (bytes.length < 100)
458
- return false;
459
- // Check for GIF signature
460
- const isGIF = bytes[0] === 0x47 && bytes[1] === 0x49 && bytes[2] === 0x46;
461
- // Check for ZIP/JAR signature
462
- let hasZIP = false;
463
- for (let i = 0; i < Math.min(bytes.length - 4, 1024); i++) {
464
- if (bytes[i] === 0x50 && bytes[i + 1] === 0x4B && bytes[i + 2] === 0x03 && bytes[i + 3] === 0x04) {
465
- hasZIP = true;
466
- break;
467
- }
468
- }
469
- return isGIF && hasZIP;
470
- }
471
- function isArchive(bytes) {
472
- if (bytes.length < 4)
473
- return false;
474
- return (
475
- // ZIP
476
- (bytes[0] === 0x50 && bytes[1] === 0x4B && bytes[2] === 0x03 && bytes[3] === 0x04) ||
477
- // RAR
478
- (bytes[0] === 0x52 && bytes[1] === 0x61 && bytes[2] === 0x72 && bytes[3] === 0x21) ||
479
- // 7z
480
- (bytes[0] === 0x37 && bytes[1] === 0x7A && bytes[2] === 0xBC && bytes[3] === 0xAF) ||
481
- // tar.gz
482
- (bytes[0] === 0x1F && bytes[1] === 0x8B));
483
- }
484
-
13
+ const DEFAULT_CONFIG = {
14
+ defaultPreset: "zip-basic",
15
+ performance: {
16
+ enableCache: false,
17
+ enablePerformanceTracking: false,
18
+ enableParallel: true,
19
+ maxConcurrency: 5,
20
+ cacheOptions: {
21
+ maxSize: 1000,
22
+ ttl: 3600000, // 1 hour
23
+ enableLRU: true,
24
+ enableStats: false,
25
+ },
26
+ },
27
+ security: {
28
+ maxFileSize: 100 * 1024 * 1024, // 100MB
29
+ enableThreatIntel: false,
30
+ scanTimeout: 30000, // 30 seconds
31
+ strictMode: false,
32
+ },
33
+ advanced: {
34
+ enablePolyglotDetection: true,
35
+ enableObfuscationDetection: true,
36
+ enableNestedArchiveAnalysis: true,
37
+ maxArchiveDepth: 5,
38
+ },
39
+ logging: {
40
+ verbose: false,
41
+ level: "info",
42
+ enableStats: false,
43
+ },
44
+ };
485
45
  /**
486
- * Cache management system for scan results
487
- * @module utils/cache-manager
46
+ * Configuration presets for common use cases
488
47
  */
48
+ const CONFIG_PRESETS = {
49
+ /** Fast scanning with minimal features */
50
+ fast: {
51
+ defaultPreset: "basic",
52
+ performance: {
53
+ enableCache: true,
54
+ enablePerformanceTracking: false,
55
+ maxConcurrency: 10,
56
+ },
57
+ advanced: {
58
+ enablePolyglotDetection: false,
59
+ enableObfuscationDetection: false,
60
+ enableNestedArchiveAnalysis: false,
61
+ },
62
+ },
63
+ /** Balanced scanning (recommended) */
64
+ balanced: DEFAULT_CONFIG,
65
+ /** Thorough scanning with all features */
66
+ thorough: {
67
+ defaultPreset: "advanced",
68
+ performance: {
69
+ enableCache: true,
70
+ enablePerformanceTracking: true,
71
+ maxConcurrency: 3,
72
+ },
73
+ security: {
74
+ maxFileSize: 500 * 1024 * 1024, // 500MB
75
+ enableThreatIntel: true,
76
+ scanTimeout: 60000, // 60 seconds
77
+ strictMode: true,
78
+ },
79
+ advanced: {
80
+ enablePolyglotDetection: true,
81
+ enableObfuscationDetection: true,
82
+ enableNestedArchiveAnalysis: true,
83
+ maxArchiveDepth: 10,
84
+ },
85
+ logging: {
86
+ verbose: true,
87
+ level: "debug",
88
+ enableStats: true,
89
+ },
90
+ },
91
+ /** Production-ready configuration */
92
+ production: {
93
+ defaultPreset: "advanced",
94
+ performance: {
95
+ enableCache: true,
96
+ enablePerformanceTracking: true,
97
+ maxConcurrency: 5,
98
+ cacheOptions: {
99
+ maxSize: 5000,
100
+ ttl: 7200000, // 2 hours
101
+ enableLRU: true,
102
+ enableStats: true,
103
+ },
104
+ },
105
+ security: {
106
+ maxFileSize: 200 * 1024 * 1024, // 200MB
107
+ enableThreatIntel: true,
108
+ scanTimeout: 45000,
109
+ strictMode: false,
110
+ },
111
+ advanced: {
112
+ enablePolyglotDetection: true,
113
+ enableObfuscationDetection: true,
114
+ enableNestedArchiveAnalysis: true,
115
+ maxArchiveDepth: 7,
116
+ },
117
+ logging: {
118
+ verbose: false,
119
+ level: "warn",
120
+ enableStats: true,
121
+ },
122
+ },
123
+ /** Development configuration */
124
+ development: {
125
+ defaultPreset: "basic",
126
+ performance: {
127
+ enableCache: false,
128
+ enablePerformanceTracking: true,
129
+ maxConcurrency: 3,
130
+ },
131
+ security: {
132
+ maxFileSize: 50 * 1024 * 1024, // 50MB
133
+ scanTimeout: 15000,
134
+ strictMode: false,
135
+ },
136
+ logging: {
137
+ verbose: true,
138
+ level: "debug",
139
+ enableStats: true,
140
+ },
141
+ },
142
+ };
489
143
  /**
490
- * LRU cache for scan results with TTL support
144
+ * Configuration manager
491
145
  */
492
- class ScanCacheManager {
493
- constructor(options = {}) {
494
- this.cache = new Map();
495
- // Statistics
496
- this.stats = {
497
- hits: 0,
498
- misses: 0,
499
- evictions: 0,
500
- };
501
- this.maxSize = options.maxSize ?? 1000;
502
- this.ttl = options.ttl ?? 3600000; // 1 hour default
503
- this.enableLRU = options.enableLRU ?? true;
504
- this.enableStats = options.enableStats ?? false;
146
+ class ConfigManager {
147
+ constructor(initialConfig) {
148
+ this.config = this.mergeConfig(DEFAULT_CONFIG, initialConfig || {});
505
149
  }
506
150
  /**
507
- * Generate cache key from file content
151
+ * Get current configuration
508
152
  */
509
- generateKey(content, preset) {
510
- const hash = createHash('sha256')
511
- .update(content)
512
- .update(preset || 'default')
513
- .digest('hex');
514
- return hash;
153
+ getConfig() {
154
+ return { ...this.config };
515
155
  }
516
156
  /**
517
- * Check if cache entry is still valid
157
+ * Update configuration
518
158
  */
519
- isValid(entry) {
520
- return Date.now() - entry.timestamp < this.ttl;
159
+ updateConfig(updates) {
160
+ this.config = this.mergeConfig(this.config, updates);
521
161
  }
522
162
  /**
523
- * Evict oldest or least-used entry when cache is full
163
+ * Load a preset configuration
524
164
  */
525
- evict() {
526
- if (this.cache.size === 0)
527
- return;
528
- let targetKey = null;
529
- let oldestTime = Infinity;
530
- let lowestAccess = Infinity;
531
- for (const [key, entry] of this.cache.entries()) {
532
- if (this.enableLRU) {
533
- // LRU: evict least recently used
534
- if (entry.timestamp < oldestTime) {
535
- oldestTime = entry.timestamp;
536
- targetKey = key;
537
- }
538
- }
539
- else {
540
- // LFU: evict least frequently used
541
- if (entry.accessCount < lowestAccess) {
542
- lowestAccess = entry.accessCount;
543
- targetKey = key;
544
- }
545
- }
546
- }
547
- if (targetKey) {
548
- this.cache.delete(targetKey);
549
- if (this.enableStats)
550
- this.stats.evictions++;
551
- }
165
+ loadPreset(preset) {
166
+ const presetConfig = CONFIG_PRESETS[preset];
167
+ this.config = this.mergeConfig(DEFAULT_CONFIG, presetConfig);
552
168
  }
553
169
  /**
554
- * Store scan result in cache
170
+ * Reset to default configuration
555
171
  */
556
- set(content, report, preset) {
557
- const key = this.generateKey(content, preset);
558
- // Evict if necessary
559
- if (this.cache.size >= this.maxSize) {
560
- this.evict();
561
- }
562
- this.cache.set(key, {
563
- report,
564
- timestamp: Date.now(),
565
- accessCount: 0,
566
- });
172
+ reset() {
173
+ this.config = { ...DEFAULT_CONFIG };
567
174
  }
568
175
  /**
569
- * Retrieve scan result from cache
176
+ * Get a specific configuration value
570
177
  */
571
- get(content, preset) {
572
- const key = this.generateKey(content, preset);
573
- const entry = this.cache.get(key);
574
- if (!entry) {
575
- if (this.enableStats)
576
- this.stats.misses++;
577
- return null;
578
- }
579
- if (!this.isValid(entry)) {
580
- this.cache.delete(key);
581
- if (this.enableStats)
582
- this.stats.misses++;
583
- return null;
584
- }
585
- // Update access tracking
586
- entry.accessCount++;
587
- entry.timestamp = Date.now(); // Update for LRU
588
- if (this.enableStats)
589
- this.stats.hits++;
590
- return entry.report;
178
+ get(key) {
179
+ return this.config[key];
591
180
  }
592
181
  /**
593
- * Check if result exists in cache
182
+ * Set a specific configuration value
594
183
  */
595
- has(content, preset) {
596
- const key = this.generateKey(content, preset);
597
- const entry = this.cache.get(key);
598
- return entry !== undefined && this.isValid(entry);
184
+ set(key, value) {
185
+ this.config[key] = value;
599
186
  }
600
187
  /**
601
- * Clear entire cache
188
+ * Validate configuration
602
189
  */
603
- clear() {
604
- this.cache.clear();
605
- if (this.enableStats) {
606
- this.stats.hits = 0;
607
- this.stats.misses = 0;
608
- this.stats.evictions = 0;
190
+ validate() {
191
+ const errors = [];
192
+ // Validate performance settings
193
+ if (this.config.performance?.maxConcurrency !== undefined) {
194
+ if (this.config.performance.maxConcurrency < 1) {
195
+ errors.push("maxConcurrency must be at least 1");
196
+ }
197
+ if (this.config.performance.maxConcurrency > 50) {
198
+ errors.push("maxConcurrency should not exceed 50");
199
+ }
609
200
  }
610
- }
611
- /**
612
- * Remove expired entries
613
- */
614
- prune() {
615
- let removed = 0;
616
- for (const [key, entry] of this.cache.entries()) {
617
- if (!this.isValid(entry)) {
618
- this.cache.delete(key);
619
- removed++;
201
+ // Validate security settings
202
+ if (this.config.security?.maxFileSize !== undefined) {
203
+ if (this.config.security.maxFileSize < 1024) {
204
+ errors.push("maxFileSize must be at least 1KB");
620
205
  }
621
206
  }
622
- return removed;
207
+ if (this.config.security?.scanTimeout !== undefined) {
208
+ if (this.config.security.scanTimeout < 1000) {
209
+ errors.push("scanTimeout must be at least 1000ms");
210
+ }
211
+ }
212
+ // Validate advanced settings
213
+ if (this.config.advanced?.maxArchiveDepth !== undefined) {
214
+ if (this.config.advanced.maxArchiveDepth < 1) {
215
+ errors.push("maxArchiveDepth must be at least 1");
216
+ }
217
+ if (this.config.advanced.maxArchiveDepth > 20) {
218
+ errors.push("maxArchiveDepth should not exceed 20");
219
+ }
220
+ }
221
+ return {
222
+ valid: errors.length === 0,
223
+ errors,
224
+ };
623
225
  }
624
226
  /**
625
- * Get cache statistics
227
+ * Deep merge configuration objects
626
228
  */
627
- getStats() {
628
- const total = this.stats.hits + this.stats.misses;
629
- const hitRate = total > 0 ? (this.stats.hits / total) * 100 : 0;
229
+ mergeConfig(base, updates) {
630
230
  return {
631
- hits: this.stats.hits,
632
- misses: this.stats.misses,
633
- size: this.cache.size,
634
- hitRate,
635
- evictions: this.stats.evictions,
231
+ ...base,
232
+ ...updates,
233
+ performance: {
234
+ ...base.performance,
235
+ ...updates.performance,
236
+ cacheOptions: {
237
+ ...base.performance?.cacheOptions,
238
+ ...updates.performance?.cacheOptions,
239
+ },
240
+ },
241
+ security: {
242
+ ...base.security,
243
+ ...updates.security,
244
+ },
245
+ advanced: {
246
+ ...base.advanced,
247
+ ...updates.advanced,
248
+ },
249
+ logging: {
250
+ ...base.logging,
251
+ ...updates.logging,
252
+ },
253
+ callbacks: {
254
+ ...base.callbacks,
255
+ ...updates.callbacks,
256
+ },
257
+ presetOptions: {
258
+ ...base.presetOptions,
259
+ ...updates.presetOptions,
260
+ },
636
261
  };
637
262
  }
638
263
  /**
639
- * Get current cache size
264
+ * Export configuration as JSON
640
265
  */
641
- get size() {
642
- return this.cache.size;
266
+ toJSON() {
267
+ return JSON.stringify(this.config, null, 2);
268
+ }
269
+ /**
270
+ * Load configuration from JSON
271
+ */
272
+ fromJSON(json) {
273
+ try {
274
+ const parsed = JSON.parse(json);
275
+ this.config = this.mergeConfig(DEFAULT_CONFIG, parsed);
276
+ }
277
+ catch (error) {
278
+ throw new Error(`Failed to parse configuration JSON: ${error}`);
279
+ }
643
280
  }
644
281
  }
645
- // Export singleton instance for convenience
646
- let defaultCache = null;
647
282
  /**
648
- * Get or create the default cache instance
283
+ * Create a new configuration manager
649
284
  */
650
- function getDefaultCache(options) {
651
- if (!defaultCache) {
652
- defaultCache = new ScanCacheManager(options);
653
- }
654
- return defaultCache;
285
+ function createConfig(config) {
286
+ return new ConfigManager(config);
655
287
  }
656
288
  /**
657
- * Reset the default cache instance
289
+ * Get a preset configuration
658
290
  */
659
- function resetDefaultCache() {
660
- defaultCache = null;
661
- }
662
-
663
- /** Mappa veloce estensione -> mime (basic) */
664
- function guessMimeByExt(name) {
665
- if (!name)
666
- return;
667
- const ext = name.toLowerCase().split('.').pop();
668
- switch (ext) {
669
- case 'zip': return 'application/zip';
670
- case 'png': return 'image/png';
671
- case 'jpg':
672
- case 'jpeg': return 'image/jpeg';
673
- case 'pdf': return 'application/pdf';
674
- case 'txt': return 'text/plain';
675
- default: return;
676
- }
677
- }
678
- /** Heuristica semplice per verdetto */
679
- function computeVerdict(matches) {
680
- if (!matches.length)
681
- return 'clean';
682
- // se la regola contiene 'zip_' lo marchiamo "suspicious"
683
- const anyHigh = matches.some(m => (m.tags ?? []).includes('critical') || (m.tags ?? []).includes('high'));
684
- return anyHigh ? 'malicious' : 'suspicious';
685
- }
686
- /** Converte i Match (heuristics) in YaraMatch-like per uniformare l'output */
687
- function toYaraMatches(ms) {
688
- return ms.map(m => ({
689
- rule: m.rule,
690
- namespace: 'heuristics',
691
- tags: ['heuristics'].concat(m.severity ? [m.severity] : []),
692
- meta: m.meta,
693
- }));
694
- }
695
- /** Scan di bytes (browser/node) usando preset (default: zip-basic) */
696
- async function scanBytes(input, opts = {}) {
697
- // Check cache first if enabled
698
- if (opts.enableCache || opts.config?.performance?.enableCache) {
699
- const cache = getDefaultCache(opts.config?.performance?.cacheOptions);
700
- const cached = cache.get(input, opts.preset);
701
- if (cached) {
702
- return cached;
703
- }
704
- }
705
- const perfTracker = (opts.enablePerformanceTracking || opts.config?.performance?.enablePerformanceTracking)
706
- ? new PerformanceTracker()
707
- : null;
708
- perfTracker?.checkpoint('prep_start');
709
- const preset = opts.preset ?? opts.config?.defaultPreset ?? 'zip-basic';
710
- const ctx = {
711
- ...opts.ctx,
712
- mimeType: opts.ctx?.mimeType ?? guessMimeByExt(opts.ctx?.filename),
713
- size: opts.ctx?.size ?? input.byteLength,
714
- };
715
- perfTracker?.checkpoint('prep_end');
716
- perfTracker?.checkpoint('heuristics_start');
717
- const scanFn = createPresetScanner(preset);
718
- const matchesH = await (typeof scanFn === "function" ? scanFn : scanFn.scan)(input, ctx);
719
- let allMatches = [...matchesH];
720
- perfTracker?.checkpoint('heuristics_end');
721
- // Advanced detection (enabled by default, can be overridden by config)
722
- const advancedEnabled = opts.enableAdvancedDetection ?? opts.config?.advanced?.enablePolyglotDetection ?? true;
723
- if (advancedEnabled) {
724
- perfTracker?.checkpoint('advanced_start');
725
- // Detect polyglot files
726
- if (opts.config?.advanced?.enablePolyglotDetection !== false) {
727
- const polyglotMatches = detectPolyglot(input);
728
- allMatches.push(...polyglotMatches);
729
- }
730
- // Detect obfuscated scripts
731
- if (opts.config?.advanced?.enableObfuscationDetection !== false) {
732
- const obfuscatedMatches = detectObfuscatedScripts(input);
733
- allMatches.push(...obfuscatedMatches);
734
- }
735
- // Check for excessive nesting in archives
736
- if (opts.config?.advanced?.enableNestedArchiveAnalysis !== false) {
737
- const nestingAnalysis = analyzeNestedArchives(input);
738
- const maxDepth = opts.config?.advanced?.maxArchiveDepth ?? 5;
739
- if (nestingAnalysis.hasExcessiveNesting || (nestingAnalysis.depth > maxDepth)) {
740
- allMatches.push({
741
- rule: 'excessive_archive_nesting',
742
- severity: 'high',
743
- meta: {
744
- description: 'Excessive archive nesting detected',
745
- depth: nestingAnalysis.depth,
746
- maxAllowed: maxDepth,
747
- },
748
- });
749
- }
750
- }
751
- perfTracker?.checkpoint('advanced_end');
752
- }
753
- const matches = toYaraMatches(allMatches);
754
- const verdict = computeVerdict(matches);
755
- perfTracker ? perfTracker.getDuration() : Date.now();
756
- const durationMs = perfTracker ? perfTracker.getDuration() : 0;
757
- const report = {
758
- ok: verdict === 'clean',
759
- verdict,
760
- matches,
761
- reasons: matches.map(m => m.rule),
762
- file: { name: ctx.filename, mimeType: ctx.mimeType, size: ctx.size },
763
- durationMs,
764
- engine: 'heuristics',
765
- truncated: false,
766
- timedOut: false,
767
- };
768
- // Add performance metrics if tracking enabled
769
- if (perfTracker && (opts.enablePerformanceTracking || opts.config?.performance?.enablePerformanceTracking)) {
770
- report.performanceMetrics = perfTracker.getMetrics(input.byteLength);
771
- }
772
- // Cache result if enabled
773
- if (opts.enableCache || opts.config?.performance?.enableCache) {
774
- const cache = getDefaultCache(opts.config?.performance?.cacheOptions);
775
- cache.set(input, report, opts.preset);
776
- }
777
- // Invoke callbacks if configured
778
- opts.config?.callbacks?.onScanComplete?.(report);
779
- return report;
780
- }
781
- /** Scan di un file su disco (Node). Import dinamico per non vincolare il bundle browser. */
782
- async function scanFile(filePath, opts = {}) {
783
- const [{ readFile, stat }, path] = await Promise.all([
784
- import('fs/promises'),
785
- import('path'),
786
- ]);
787
- const [buf, st] = await Promise.all([readFile(filePath), stat(filePath)]);
788
- const ctx = {
789
- filename: path.basename(filePath),
790
- mimeType: guessMimeByExt(filePath),
791
- size: st.size,
792
- };
793
- return scanBytes(new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength), { ...opts, ctx });
794
- }
795
- /** Scan multipli File (browser) usando scanBytes + preset di default */
796
- async function scanFiles(files, opts = {}) {
797
- const list = Array.from(files);
798
- const out = [];
799
- for (const f of list) {
800
- const buf = new Uint8Array(await f.arrayBuffer());
801
- const rep = await scanBytes(buf, {
802
- ...opts,
803
- ctx: { filename: f.name, mimeType: f.type || guessMimeByExt(f.name), size: f.size },
804
- });
805
- out.push(rep);
806
- }
807
- return out;
291
+ function getPresetConfig(preset) {
292
+ return { ...DEFAULT_CONFIG, ...CONFIG_PRESETS[preset] };
808
293
  }
809
294
 
810
295
  /**
811
- * Validates a File by MIME type and size (max 5 MB).
296
+ * HIPAA Compliance Module for Pompelmi
297
+ *
298
+ * This module provides comprehensive HIPAA compliance features for healthcare environments
299
+ * where Pompelmi is used to analyze potentially compromised systems containing PHI.
300
+ *
301
+ * Key protections:
302
+ * - Data sanitization and redaction
303
+ * - Secure temporary file handling
304
+ * - Audit logging
305
+ * - Memory protection
306
+ * - Error message sanitization
812
307
  */
813
- function validateFile(file) {
814
- const maxSize = 5 * 1024 * 1024;
815
- const allowedTypes = ['text/plain', 'application/json', 'text/csv'];
816
- if (!allowedTypes.includes(file.type)) {
817
- return { valid: false, error: 'Unsupported file type' };
308
+ class HipaaComplianceManager {
309
+ constructor(config) {
310
+ this.auditEvents = [];
311
+ this.config = {
312
+ sanitizeErrors: true,
313
+ sanitizeFilenames: true,
314
+ encryptTempFiles: true,
315
+ memoryProtection: true,
316
+ requireSecureTransport: true,
317
+ ...config,
318
+ enabled: config.enabled !== undefined ? config.enabled : true,
319
+ };
320
+ this.sessionId = this.generateSessionId();
818
321
  }
819
- if (file.size > maxSize) {
820
- return { valid: false, error: 'File too large (max 5 MB)' };
322
+ /**
323
+ * Sanitize filename to prevent PHI leakage in logs
324
+ */
325
+ sanitizeFilename(filename) {
326
+ if (!this.config.enabled || !this.config.sanitizeFilenames || !filename) {
327
+ return filename || "unknown";
328
+ }
329
+ // Remove potentially sensitive path information
330
+ const basename = path.basename(filename);
331
+ // Hash the filename to create a consistent but non-revealing identifier
332
+ const hash = crypto.createHash("sha256").update(basename).digest("hex").substring(0, 8);
333
+ // Preserve file extension for analysis purposes
334
+ const ext = path.extname(basename);
335
+ return `file_${hash}${ext}`;
821
336
  }
822
- return { valid: true };
823
- }
824
-
825
- async function createRemoteEngine(opts) {
826
- const { endpoint, headers = {}, rulesField = 'rules', fileField = 'file', mode = 'multipart', rulesAsBase64 = false, } = opts;
827
- const engine = {
828
- async compile(rulesSource) {
829
- return {
830
- async scan(data) {
831
- const fetchFn = globalThis.fetch;
832
- if (!fetchFn)
833
- throw new Error('[remote-yara] fetch non disponibile in questo ambiente');
834
- let res;
835
- if (mode === 'multipart') {
836
- const FormDataCtor = globalThis.FormData;
837
- const BlobCtor = globalThis.Blob;
838
- if (!FormDataCtor || !BlobCtor) {
839
- throw new Error('[remote-yara] FormData/Blob non disponibili (usa json-base64 oppure esegui in browser)');
840
- }
841
- const form = new FormDataCtor();
842
- form.set(rulesField, new BlobCtor([rulesSource], { type: 'text/plain' }), 'rules.yar');
843
- form.set(fileField, new BlobCtor([data], { type: 'application/octet-stream' }), 'sample.bin');
844
- res = await fetchFn(endpoint, { method: 'POST', body: form, headers });
845
- }
846
- else {
847
- const b64 = base64FromBytes(data);
848
- const payload = { [fileField]: b64 };
849
- if (rulesAsBase64) {
850
- payload['rulesB64'] = base64FromString(rulesSource);
851
- }
852
- else {
853
- payload[rulesField] = rulesSource;
854
- }
855
- res = await fetchFn(endpoint, {
856
- method: 'POST',
857
- headers: { 'Content-Type': 'application/json', ...headers },
858
- body: JSON.stringify(payload),
859
- });
860
- }
861
- if (!res.ok) {
862
- throw new Error(`[remote-yara] HTTP ${res.status} ${res.statusText}`);
863
- }
864
- const json = await res.json().catch(() => null);
865
- const arr = Array.isArray(json) ? json : (json?.matches ?? []);
866
- return (arr ?? []).map((m) => ({
867
- rule: m.rule ?? m.ruleIdentifier ?? 'unknown',
868
- tags: m.tags ?? [],
869
- }));
870
- },
871
- };
872
- },
873
- };
874
- return engine;
875
- }
876
- // Helpers
877
- function base64FromBytes(bytes) {
878
- // usa btoa se disponibile (browser); altrimenti fallback manuale
879
- const btoaFn = globalThis.btoa;
880
- let bin = '';
881
- for (let i = 0; i < bytes.byteLength; i++)
882
- bin += String.fromCharCode(bytes[i]);
883
- return btoaFn ? btoaFn(bin) : Buffer.from(bin, 'binary').toString('base64');
884
- }
885
- function base64FromString(s) {
886
- const btoaFn = globalThis.btoa;
887
- return btoaFn ? btoaFn(s) : Buffer.from(s, 'utf8').toString('base64');
888
- }
889
-
890
- // src/scan/remote.ts
891
- /**
892
- * Scansiona una lista di File nel browser usando il motore remoto via HTTP.
893
- * Non richiede WASM né dipendenze native sul client.
894
- */
895
- async function scanFilesWithRemoteYara(files, rulesSource, remote) {
896
- const engine = await createRemoteEngine(remote);
897
- const compiled = await engine.compile(rulesSource);
898
- const results = [];
899
- for (const file of files) {
337
+ /**
338
+ * Sanitize error messages to prevent PHI exposure
339
+ */
340
+ sanitizeError(error) {
341
+ if (!this.config.enabled || !this.config.sanitizeErrors) {
342
+ return typeof error === "string" ? error : error.message;
343
+ }
344
+ const message = typeof error === "string" ? error : error.message;
345
+ // Remove common patterns that might contain PHI
346
+ const sanitized = message
347
+ // Remove file paths
348
+ .replace(/[A-Za-z]:\\\\[^\\s]+/g, "[REDACTED_PATH]")
349
+ .replace(/\/[^\\s]+/g, "[REDACTED_PATH]")
350
+ // Remove potential patient identifiers (numbers that could be MRNs, SSNs)
351
+ .replace(/\\b\\d{3}-?\\d{2}-?\\d{4}\\b/g, "[REDACTED_ID]")
352
+ .replace(/\\b\\d{6,}\\b/g, "[REDACTED_ID]")
353
+ // Remove email addresses
354
+ .replace(/[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}/g, "[REDACTED_EMAIL]")
355
+ // Remove potential names (capitalize words in error messages)
356
+ .replace(/\\b[A-Z][a-z]+\\s+[A-Z][a-z]+\\b/g, "[REDACTED_NAME]")
357
+ // Remove IP addresses
358
+ .replace(/\\b(?:\\d{1,3}\\.){3}\\d{1,3}\\b/g, "[REDACTED_IP]");
359
+ return sanitized;
360
+ }
361
+ /**
362
+ * Create secure temporary file path with encryption if enabled
363
+ */
364
+ createSecureTempPath(prefix = "pompelmi") {
365
+ if (!this.config.enabled) {
366
+ return path.join(os.tmpdir(), `${prefix}-${Date.now()}-${Math.random().toString(36).slice(2)}`);
367
+ }
368
+ // Use cryptographically secure random names
369
+ const randomId = crypto.randomBytes(16).toString("hex");
370
+ const timestamp = Date.now();
371
+ // Create path in secure temp directory
372
+ const secureTempDir = this.getSecureTempDir();
373
+ const tempPath = path.join(secureTempDir, `${prefix}-${timestamp}-${randomId}`);
374
+ this.auditLog("temp_file_created", {
375
+ action: "create_temp_file",
376
+ success: true,
377
+ metadata: { path: this.sanitizeFilename(tempPath) },
378
+ });
379
+ return tempPath;
380
+ }
381
+ /**
382
+ * Get or create secure temporary directory with restricted permissions
383
+ */
384
+ getSecureTempDir() {
385
+ const secureTempPath = path.join(os.tmpdir(), "pompelmi-secure");
900
386
  try {
901
- const bytes = new Uint8Array(await file.arrayBuffer());
902
- const matches = await compiled.scan(bytes);
903
- results.push({ file, matches });
387
+ const fs = require("fs");
388
+ if (!fs.existsSync(secureTempPath)) {
389
+ fs.mkdirSync(secureTempPath, { mode: 0o700 }); // Owner read/write/execute only
390
+ }
904
391
  }
905
- catch (err) {
906
- console.warn('[remote-yara] scan error for', file.name, err);
907
- results.push({ file, matches: [], error: String(err?.message ?? err) });
392
+ catch (error) {
393
+ // Fallback to system temp
394
+ return os.tmpdir();
908
395
  }
396
+ return secureTempPath;
909
397
  }
910
- return results;
911
- }
912
-
913
- const SIG_CEN = 0x02014b50;
914
- const DEFAULTS = {
915
- maxEntries: 1000,
916
- maxTotalUncompressedBytes: 500 * 1024 * 1024,
917
- maxEntryNameLength: 255,
918
- maxCompressionRatio: 1000,
919
- eocdSearchWindow: 70000,
920
- };
921
- function r16(buf, off) {
922
- return buf.readUInt16LE(off);
923
- }
924
- function r32(buf, off) {
925
- return buf.readUInt32LE(off);
926
- }
927
- function isZipLike(buf) {
928
- // local file header at start is common
929
- return buf.length >= 4 && buf[0] === 0x50 && buf[1] === 0x4b && buf[2] === 0x03 && buf[3] === 0x04;
930
- }
931
- function lastIndexOfEOCD(buf, window) {
932
- const sig = Buffer.from([0x50, 0x4b, 0x05, 0x06]);
933
- const start = Math.max(0, buf.length - window);
934
- const idx = buf.lastIndexOf(sig, Math.min(buf.length - sig.length, buf.length - 1));
935
- return idx >= start ? idx : -1;
936
- }
937
- function hasTraversal(name) {
938
- return name.includes('../') || name.includes('..\\') || name.startsWith('/') || /^[A-Za-z]:/.test(name);
939
- }
940
- function createZipBombGuard(opts = {}) {
941
- const cfg = { ...DEFAULTS, ...opts };
942
- return {
943
- async scan(input) {
944
- const buf = Buffer.from(input);
945
- const matches = [];
946
- if (!isZipLike(buf))
947
- return matches;
948
- // Find EOCD near the end
949
- const eocdPos = lastIndexOfEOCD(buf, cfg.eocdSearchWindow);
950
- if (eocdPos < 0 || eocdPos + 22 > buf.length) {
951
- // ZIP but no EOCD — malformed or polyglot → suspicious
952
- matches.push({ rule: 'zip_eocd_not_found', severity: 'medium' });
953
- return matches;
398
+ /**
399
+ * Secure file cleanup with multiple overwrite passes
400
+ */
401
+ async secureFileCleanup(filePath) {
402
+ if (!this.config.enabled) {
403
+ try {
404
+ const fs = await import('fs/promises');
405
+ await fs.unlink(filePath);
954
406
  }
955
- const totalEntries = r16(buf, eocdPos + 10);
956
- const cdSize = r32(buf, eocdPos + 12);
957
- const cdOffset = r32(buf, eocdPos + 16);
958
- // Bounds check
959
- if (cdOffset + cdSize > buf.length) {
960
- matches.push({ rule: 'zip_cd_out_of_bounds', severity: 'medium' });
961
- return matches;
407
+ catch {
408
+ // Ignore cleanup errors
962
409
  }
963
- // Iterate central directory entries
964
- let ptr = cdOffset;
965
- let seen = 0;
966
- let sumComp = 0;
967
- let sumUnc = 0;
968
- while (ptr + 46 <= cdOffset + cdSize && seen < totalEntries) {
969
- const sig = r32(buf, ptr);
970
- if (sig !== SIG_CEN)
971
- break; // stop if structure breaks
972
- const compSize = r32(buf, ptr + 20);
973
- const uncSize = r32(buf, ptr + 24);
974
- const fnLen = r16(buf, ptr + 28);
975
- const exLen = r16(buf, ptr + 30);
976
- const cmLen = r16(buf, ptr + 32);
977
- const nameStart = ptr + 46;
978
- const nameEnd = nameStart + fnLen;
979
- if (nameEnd > buf.length)
980
- break;
981
- const name = buf.toString('utf8', nameStart, nameEnd);
982
- sumComp += compSize;
983
- sumUnc += uncSize;
984
- seen++;
985
- if (name.length > cfg.maxEntryNameLength) {
986
- matches.push({ rule: 'zip_entry_name_too_long', severity: 'medium', meta: { name, length: name.length } });
987
- }
988
- if (hasTraversal(name)) {
989
- matches.push({ rule: 'zip_path_traversal_entry', severity: 'medium', meta: { name } });
410
+ return;
411
+ }
412
+ try {
413
+ const fs = await import('fs/promises');
414
+ const stats = await fs.stat(filePath);
415
+ if (this.config.memoryProtection) {
416
+ // Overwrite file with random data multiple times (DoD 5220.22-M standard)
417
+ const fileSize = stats.size;
418
+ const buffer = crypto.randomBytes(Math.min(fileSize, 64 * 1024)); // 64KB chunks
419
+ for (let pass = 0; pass < 3; pass++) {
420
+ const handle = await fs.open(filePath, "r+");
421
+ try {
422
+ for (let offset = 0; offset < fileSize; offset += buffer.length) {
423
+ const chunk = offset + buffer.length > fileSize ? buffer.subarray(0, fileSize - offset) : buffer;
424
+ await handle.write(chunk, 0, chunk.length, offset);
425
+ }
426
+ await handle.sync();
427
+ }
428
+ finally {
429
+ await handle.close();
430
+ }
990
431
  }
991
- // move to next entry
992
- ptr = nameEnd + exLen + cmLen;
993
- }
994
- if (seen !== totalEntries) {
995
- // central dir truncated/odd, still report what we found
996
- matches.push({ rule: 'zip_cd_truncated', severity: 'medium', meta: { seen, totalEntries } });
997
- }
998
- // Heuristics thresholds
999
- if (seen > cfg.maxEntries) {
1000
- matches.push({ rule: 'zip_too_many_entries', severity: 'medium', meta: { seen, limit: cfg.maxEntries } });
1001
432
  }
1002
- if (sumUnc > cfg.maxTotalUncompressedBytes) {
1003
- matches.push({
1004
- rule: 'zip_total_uncompressed_too_large',
1005
- severity: 'medium',
1006
- meta: { totalUncompressed: sumUnc, limit: cfg.maxTotalUncompressedBytes }
433
+ // Final deletion
434
+ await fs.unlink(filePath);
435
+ this.auditLog("temp_file_deleted", {
436
+ action: "secure_delete",
437
+ success: true,
438
+ metadata: {
439
+ path: this.sanitizeFilename(filePath),
440
+ overwritePasses: this.config.memoryProtection ? 3 : 0,
441
+ },
442
+ });
443
+ }
444
+ catch (error) {
445
+ this.auditLog("temp_file_deleted", {
446
+ action: "secure_delete",
447
+ success: false,
448
+ sanitizedError: this.sanitizeError(error),
449
+ metadata: { path: this.sanitizeFilename(filePath) },
450
+ });
451
+ }
452
+ }
453
+ /**
454
+ * Calculate secure file hash for audit purposes
455
+ */
456
+ calculateFileHash(data) {
457
+ return crypto.createHash("sha256").update(data).digest("hex");
458
+ }
459
+ /**
460
+ * Log audit event
461
+ */
462
+ auditLog(eventType, details) {
463
+ if (!this.config.enabled)
464
+ return;
465
+ const event = {
466
+ timestamp: new Date().toISOString(),
467
+ eventType,
468
+ sessionId: this.sessionId,
469
+ details: {
470
+ action: details.action || "unknown",
471
+ success: details.success ?? true,
472
+ ...details,
473
+ },
474
+ };
475
+ this.auditEvents.push(event);
476
+ // Write to audit log file if configured
477
+ if (this.config.auditLogPath) {
478
+ this.writeAuditLog(event).catch(() => {
479
+ // Silent failure to prevent error loops
480
+ });
481
+ }
482
+ }
483
+ /**
484
+ * Write audit event to file
485
+ */
486
+ async writeAuditLog(event) {
487
+ if (!this.config.auditLogPath)
488
+ return;
489
+ try {
490
+ const fs = await import('fs/promises');
491
+ const logLine = JSON.stringify(event) + "\\n";
492
+ await fs.appendFile(this.config.auditLogPath, logLine, { flag: "a" });
493
+ }
494
+ catch {
495
+ // Silent failure
496
+ }
497
+ }
498
+ /**
499
+ * Generate cryptographically secure session ID
500
+ */
501
+ generateSessionId() {
502
+ return crypto.randomBytes(16).toString("hex");
503
+ }
504
+ /**
505
+ * Get current audit events for this session
506
+ */
507
+ getAuditEvents() {
508
+ return [...this.auditEvents];
509
+ }
510
+ /**
511
+ * Clear sensitive data from memory
512
+ */
513
+ clearSensitiveData() {
514
+ if (!this.config.enabled || !this.config.memoryProtection)
515
+ return;
516
+ // Clear audit events
517
+ this.auditEvents.length = 0;
518
+ // Force garbage collection if available
519
+ if (global.gc) {
520
+ global.gc();
521
+ }
522
+ }
523
+ /**
524
+ * Validate transport security
525
+ */
526
+ validateTransportSecurity(url) {
527
+ if (!this.config.enabled || !this.config.requireSecureTransport) {
528
+ return true;
529
+ }
530
+ if (!url)
531
+ return true;
532
+ try {
533
+ const urlObj = new URL(url);
534
+ const isSecure = urlObj.protocol === "https:" ||
535
+ urlObj.hostname === "localhost" ||
536
+ urlObj.hostname === "127.0.0.1";
537
+ if (!isSecure) {
538
+ this.auditLog("security_violation", {
539
+ action: "insecure_transport",
540
+ success: false,
541
+ metadata: { protocol: urlObj.protocol, hostname: urlObj.hostname },
1007
542
  });
1008
543
  }
1009
- if (sumComp === 0 && sumUnc > 0) {
1010
- matches.push({ rule: 'zip_suspicious_ratio', severity: 'medium', meta: { ratio: Infinity } });
544
+ return isSecure;
545
+ }
546
+ catch {
547
+ return false;
548
+ }
549
+ }
550
+ }
551
+ // Global HIPAA compliance instance
552
+ let hipaaManager = null;
553
+ /**
554
+ * Initialize HIPAA compliance
555
+ */
556
+ function initializeHipaaCompliance(config) {
557
+ hipaaManager = new HipaaComplianceManager(config);
558
+ return hipaaManager;
559
+ }
560
+ /**
561
+ * Get current HIPAA compliance manager
562
+ */
563
+ function getHipaaManager() {
564
+ return hipaaManager;
565
+ }
566
+ /**
567
+ * HIPAA-compliant error wrapper
568
+ */
569
+ function createHipaaError(error, context) {
570
+ const manager = getHipaaManager();
571
+ if (!manager) {
572
+ return typeof error === "string" ? new Error(error) : error;
573
+ }
574
+ const sanitizedMessage = manager.sanitizeError(error);
575
+ const hipaaError = new Error(sanitizedMessage);
576
+ manager.auditLog("error_occurred", {
577
+ action: context || "error",
578
+ success: false,
579
+ sanitizedError: sanitizedMessage,
580
+ });
581
+ return hipaaError;
582
+ }
583
+ /**
584
+ * HIPAA-compliant temporary file utilities
585
+ */
586
+ const HipaaTemp = {
587
+ createPath: (prefix) => {
588
+ const manager = getHipaaManager();
589
+ return manager
590
+ ? manager.createSecureTempPath(prefix)
591
+ : path.join(os.tmpdir(), `${prefix || "pompelmi"}-${Date.now()}`);
592
+ },
593
+ cleanup: async (filePath) => {
594
+ const manager = getHipaaManager();
595
+ if (manager) {
596
+ await manager.secureFileCleanup(filePath);
597
+ }
598
+ else {
599
+ try {
600
+ const fs = await import('fs/promises');
601
+ await fs.unlink(filePath);
1011
602
  }
1012
- else if (sumComp > 0) {
1013
- const ratio = sumUnc / Math.max(1, sumComp);
1014
- if (ratio >= cfg.maxCompressionRatio) {
1015
- matches.push({ rule: 'zip_suspicious_ratio', severity: 'medium', meta: { ratio, limit: cfg.maxCompressionRatio } });
1016
- }
603
+ catch {
604
+ // Ignore errors
1017
605
  }
1018
- return matches;
1019
606
  }
1020
- };
1021
- }
607
+ },
608
+ };
1022
609
 
1023
610
  const MB$1 = 1024 * 1024;
1024
611
  const DEFAULT_POLICY = {
1025
- includeExtensions: ['zip', 'png', 'jpg', 'jpeg', 'pdf'],
1026
- allowedMimeTypes: ['application/zip', 'image/png', 'image/jpeg', 'application/pdf', 'text/plain'],
612
+ includeExtensions: ["zip", "png", "jpg", "jpeg", "pdf"],
613
+ allowedMimeTypes: ["application/zip", "image/png", "image/jpeg", "application/pdf", "text/plain"],
1027
614
  maxFileSizeBytes: 20 * MB$1,
1028
615
  timeoutMs: 5000,
1029
616
  concurrency: 4,
1030
- failClosed: true
617
+ failClosed: true,
1031
618
  };
1032
619
  function definePolicy(input = {}) {
1033
620
  const p = { ...DEFAULT_POLICY, ...input };
1034
621
  if (!Array.isArray(p.includeExtensions))
1035
- throw new TypeError('includeExtensions must be string[]');
622
+ throw new TypeError("includeExtensions must be string[]");
1036
623
  if (!Array.isArray(p.allowedMimeTypes))
1037
- throw new TypeError('allowedMimeTypes must be string[]');
624
+ throw new TypeError("allowedMimeTypes must be string[]");
1038
625
  if (!(Number.isFinite(p.maxFileSizeBytes) && p.maxFileSizeBytes > 0))
1039
- throw new TypeError('maxFileSizeBytes must be > 0');
626
+ throw new TypeError("maxFileSizeBytes must be > 0");
1040
627
  if (!(Number.isFinite(p.timeoutMs) && p.timeoutMs > 0))
1041
- throw new TypeError('timeoutMs must be > 0');
628
+ throw new TypeError("timeoutMs must be > 0");
1042
629
  if (!(Number.isInteger(p.concurrency) && p.concurrency > 0))
1043
- throw new TypeError('concurrency must be > 0');
630
+ throw new TypeError("concurrency must be > 0");
1044
631
  return p;
1045
632
  }
1046
633
 
@@ -1084,33 +671,39 @@ const MB = 1024 * KB;
1084
671
  */
1085
672
  const DOCUMENTS_ONLY = definePolicy({
1086
673
  includeExtensions: [
1087
- 'pdf',
1088
- 'doc', 'docx',
1089
- 'xls', 'xlsx',
1090
- 'ppt', 'pptx',
1091
- 'odt', 'ods', 'odp',
1092
- 'csv',
1093
- 'txt',
1094
- 'json',
1095
- 'yaml', 'yml',
1096
- 'md',
674
+ "pdf",
675
+ "doc",
676
+ "docx",
677
+ "xls",
678
+ "xlsx",
679
+ "ppt",
680
+ "pptx",
681
+ "odt",
682
+ "ods",
683
+ "odp",
684
+ "csv",
685
+ "txt",
686
+ "json",
687
+ "yaml",
688
+ "yml",
689
+ "md",
1097
690
  ],
1098
691
  allowedMimeTypes: [
1099
- 'application/pdf',
1100
- 'application/msword',
1101
- 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
1102
- 'application/vnd.ms-excel',
1103
- 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
1104
- 'application/vnd.ms-powerpoint',
1105
- 'application/vnd.openxmlformats-officedocument.presentationml.presentation',
1106
- 'application/vnd.oasis.opendocument.text',
1107
- 'application/vnd.oasis.opendocument.spreadsheet',
1108
- 'application/vnd.oasis.opendocument.presentation',
1109
- 'text/csv',
1110
- 'text/plain',
1111
- 'application/json',
1112
- 'text/yaml',
1113
- 'text/markdown',
692
+ "application/pdf",
693
+ "application/msword",
694
+ "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
695
+ "application/vnd.ms-excel",
696
+ "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
697
+ "application/vnd.ms-powerpoint",
698
+ "application/vnd.openxmlformats-officedocument.presentationml.presentation",
699
+ "application/vnd.oasis.opendocument.text",
700
+ "application/vnd.oasis.opendocument.spreadsheet",
701
+ "application/vnd.oasis.opendocument.presentation",
702
+ "text/csv",
703
+ "text/plain",
704
+ "application/json",
705
+ "text/yaml",
706
+ "text/markdown",
1114
707
  ],
1115
708
  maxFileSizeBytes: 25 * MB,
1116
709
  timeoutMs: 10000,
@@ -1128,17 +721,17 @@ const DOCUMENTS_ONLY = definePolicy({
1128
721
  * Note: SVG is intentionally excluded — inline SVGs can contain scripts.
1129
722
  */
1130
723
  const IMAGES_ONLY = definePolicy({
1131
- includeExtensions: ['jpg', 'jpeg', 'png', 'gif', 'webp', 'avif', 'tiff', 'tif', 'bmp', 'ico'],
724
+ includeExtensions: ["jpg", "jpeg", "png", "gif", "webp", "avif", "tiff", "tif", "bmp", "ico"],
1132
725
  allowedMimeTypes: [
1133
- 'image/jpeg',
1134
- 'image/png',
1135
- 'image/gif',
1136
- 'image/webp',
1137
- 'image/avif',
1138
- 'image/tiff',
1139
- 'image/bmp',
1140
- 'image/x-icon',
1141
- 'image/vnd.microsoft.icon',
726
+ "image/jpeg",
727
+ "image/png",
728
+ "image/gif",
729
+ "image/webp",
730
+ "image/avif",
731
+ "image/tiff",
732
+ "image/bmp",
733
+ "image/x-icon",
734
+ "image/vnd.microsoft.icon",
1142
735
  ],
1143
736
  maxFileSizeBytes: 10 * MB,
1144
737
  timeoutMs: 5000,
@@ -1155,13 +748,8 @@ const IMAGES_ONLY = definePolicy({
1155
748
  * allowlist. Only allows plain images and PDF.
1156
749
  */
1157
750
  const STRICT_PUBLIC_UPLOAD = definePolicy({
1158
- includeExtensions: ['jpg', 'jpeg', 'png', 'webp', 'pdf'],
1159
- allowedMimeTypes: [
1160
- 'image/jpeg',
1161
- 'image/png',
1162
- 'image/webp',
1163
- 'application/pdf',
1164
- ],
751
+ includeExtensions: ["jpg", "jpeg", "png", "webp", "pdf"],
752
+ allowedMimeTypes: ["image/jpeg", "image/png", "image/webp", "application/pdf"],
1165
753
  maxFileSizeBytes: 5 * MB,
1166
754
  timeoutMs: 4000,
1167
755
  concurrency: 2,
@@ -1175,16 +763,16 @@ const STRICT_PUBLIC_UPLOAD = definePolicy({
1175
763
  * shorter timeout than the permissive default.
1176
764
  */
1177
765
  const CONSERVATIVE_DEFAULT = definePolicy({
1178
- includeExtensions: ['zip', 'png', 'jpg', 'jpeg', 'pdf', 'txt', 'csv', 'docx', 'xlsx'],
766
+ includeExtensions: ["zip", "png", "jpg", "jpeg", "pdf", "txt", "csv", "docx", "xlsx"],
1179
767
  allowedMimeTypes: [
1180
- 'application/zip',
1181
- 'image/png',
1182
- 'image/jpeg',
1183
- 'application/pdf',
1184
- 'text/plain',
1185
- 'text/csv',
1186
- 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
1187
- 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
768
+ "application/zip",
769
+ "image/png",
770
+ "image/jpeg",
771
+ "application/pdf",
772
+ "text/plain",
773
+ "text/csv",
774
+ "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
775
+ "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
1188
776
  ],
1189
777
  maxFileSizeBytes: 10 * MB,
1190
778
  timeoutMs: 8000,
@@ -1208,15 +796,15 @@ const CONSERVATIVE_DEFAULT = definePolicy({
1208
796
  * ```
1209
797
  */
1210
798
  const ARCHIVES = definePolicy({
1211
- includeExtensions: ['zip', 'tar', 'gz', 'tgz', 'bz2', 'xz', '7z', 'rar'],
799
+ includeExtensions: ["zip", "tar", "gz", "tgz", "bz2", "xz", "7z", "rar"],
1212
800
  allowedMimeTypes: [
1213
- 'application/zip',
1214
- 'application/x-tar',
1215
- 'application/gzip',
1216
- 'application/x-bzip2',
1217
- 'application/x-xz',
1218
- 'application/x-7z-compressed',
1219
- 'application/x-rar-compressed',
801
+ "application/zip",
802
+ "application/x-tar",
803
+ "application/gzip",
804
+ "application/x-bzip2",
805
+ "application/x-xz",
806
+ "application/x-7z-compressed",
807
+ "application/x-rar-compressed",
1220
808
  ],
1221
809
  maxFileSizeBytes: 100 * MB,
1222
810
  timeoutMs: 30000,
@@ -1232,11 +820,11 @@ const ARCHIVES = definePolicy({
1232
820
  * ```
1233
821
  */
1234
822
  const POLICY_PACKS = {
1235
- 'documents-only': DOCUMENTS_ONLY,
1236
- 'images-only': IMAGES_ONLY,
1237
- 'strict-public-upload': STRICT_PUBLIC_UPLOAD,
1238
- 'conservative-default': CONSERVATIVE_DEFAULT,
1239
- 'archives': ARCHIVES,
823
+ "documents-only": DOCUMENTS_ONLY,
824
+ "images-only": IMAGES_ONLY,
825
+ "strict-public-upload": STRICT_PUBLIC_UPLOAD,
826
+ "conservative-default": CONSERVATIVE_DEFAULT,
827
+ archives: ARCHIVES,
1240
828
  };
1241
829
  /**
1242
830
  * Look up a policy pack by name.
@@ -1245,1184 +833,1646 @@ const POLICY_PACKS = {
1245
833
  function getPolicyPack(name) {
1246
834
  const policy = POLICY_PACKS[name];
1247
835
  if (!policy)
1248
- throw new Error(`Unknown policy pack: '${name}'. Valid names: ${Object.keys(POLICY_PACKS).join(', ')}`);
836
+ throw new Error(`Unknown policy pack: '${name}'. Valid names: ${Object.keys(POLICY_PACKS).join(", ")}`);
1249
837
  return policy;
1250
838
  }
1251
839
 
1252
- function mapMatchesToVerdict(matches = []) {
1253
- if (!matches.length)
1254
- return 'clean';
1255
- const malHints = ['trojan', 'ransom', 'worm', 'spy', 'rootkit', 'keylog', 'botnet'];
1256
- const tagSet = new Set(matches.flatMap(m => (m.tags ?? []).map(t => t.toLowerCase())));
1257
- const nameHit = (r) => malHints.some(h => r.toLowerCase().includes(h));
1258
- const isMal = matches.some(m => nameHit(m.rule)) || tagSet.has('malware') || tagSet.has('critical');
1259
- return isMal ? 'malicious' : 'suspicious';
840
+ function hasAsciiToken(buf, token) {
841
+ // Use latin1 so we can safely search binary
842
+ return buf.indexOf(token, 0, "latin1") !== -1;
1260
843
  }
1261
-
1262
- /** Decompilation-specific types for Pompelmi */
1263
- const SUSPICIOUS_PATTERNS = [
1264
- {
1265
- name: 'syscall_direct',
1266
- description: 'Direct system call without library wrapper',
1267
- severity: 'medium',
1268
- pattern: /syscall|sysenter|int\s+0x80/i
1269
- },
1270
- {
1271
- name: 'process_injection',
1272
- description: 'Process injection techniques',
1273
- severity: 'high',
1274
- pattern: /CreateRemoteThread|WriteProcessMemory|VirtualAllocEx/i
1275
- },
1276
- {
1277
- name: 'anti_debug',
1278
- description: 'Anti-debugging techniques',
1279
- severity: 'medium',
1280
- pattern: /IsDebuggerPresent|CheckRemoteDebuggerPresent|OutputDebugString/i
1281
- },
1282
- {
1283
- name: 'obfuscation_xor',
1284
- description: 'XOR-based obfuscation pattern',
1285
- severity: 'medium',
1286
- pattern: /xor.*0x[0-9a-f]+.*xor/i
844
+ function startsWith(buf, bytes) {
845
+ if (buf.length < bytes.length)
846
+ return false;
847
+ for (let i = 0; i < bytes.length; i++)
848
+ if (buf[i] !== bytes[i])
849
+ return false;
850
+ return true;
851
+ }
852
+ function isPDF(buf) {
853
+ // %PDF-
854
+ return startsWith(buf, [0x25, 0x50, 0x44, 0x46, 0x2d]);
855
+ }
856
+ function isOleCfb(buf) {
857
+ // D0 CF 11 E0 A1 B1 1A E1
858
+ const sig = [0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1];
859
+ return startsWith(buf, sig);
860
+ }
861
+ function isZipLike$1(buf) {
862
+ // PK\x03\x04
863
+ return startsWith(buf, [0x50, 0x4b, 0x03, 0x04]);
864
+ }
865
+ function isPeExecutable(buf) {
866
+ // "MZ"
867
+ return startsWith(buf, [0x4d, 0x5a]);
868
+ }
869
+ /** OOXML macro hint via filename token in ZIP container */
870
+ function hasOoxmlMacros(buf) {
871
+ if (!isZipLike$1(buf))
872
+ return false;
873
+ return hasAsciiToken(buf, "vbaProject.bin");
874
+ }
875
+ /** PDF risky features (/JavaScript, /OpenAction, /AA, /Launch) */
876
+ function pdfRiskTokens(buf) {
877
+ const tokens = ["/JavaScript", "/OpenAction", "/AA", "/Launch"];
878
+ return tokens.filter((t) => hasAsciiToken(buf, t));
879
+ }
880
+ const CommonHeuristicsScanner = {
881
+ async scan(input) {
882
+ const buf = Buffer.from(input);
883
+ const matches = [];
884
+ // Office macros (OLE / OOXML)
885
+ if (isOleCfb(buf)) {
886
+ matches.push({ rule: "office_ole_container", severity: "suspicious" });
887
+ }
888
+ if (hasOoxmlMacros(buf)) {
889
+ matches.push({ rule: "office_ooxml_macros", severity: "suspicious" });
890
+ }
891
+ // PDF risky tokens
892
+ if (isPDF(buf)) {
893
+ const toks = pdfRiskTokens(buf);
894
+ if (toks.length) {
895
+ matches.push({
896
+ rule: "pdf_risky_actions",
897
+ severity: "suspicious",
898
+ meta: { tokens: toks },
899
+ });
900
+ }
901
+ }
902
+ // Executable header
903
+ if (isPeExecutable(buf)) {
904
+ matches.push({ rule: "pe_executable_signature", severity: "suspicious" });
905
+ }
906
+ // EICAR test file
907
+ const EICAR_NEEDLE = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!";
908
+ if (hasAsciiToken(buf, EICAR_NEEDLE)) {
909
+ matches.push({
910
+ rule: "eicar_test_file",
911
+ severity: "high",
912
+ meta: { note: "EICAR standard antivirus test file detected" },
913
+ });
914
+ }
915
+ return matches;
1287
916
  },
1288
- {
1289
- name: 'crypto_constants',
1290
- description: 'Cryptographic constants',
1291
- severity: 'low',
1292
- pattern: /0x67452301|0xefcdab89|0x98badcfe|0x10325476/i
1293
- }
1294
- ];
917
+ };
1295
918
 
1296
- /**
1297
- * Batch scanning with concurrency control
1298
- * @module utils/batch-scanner
1299
- */
1300
- /**
1301
- * Batch file scanner with concurrency control and progress tracking
1302
- */
1303
- class BatchScanner {
1304
- constructor(options = {}) {
1305
- this.options = {
1306
- concurrency: 5,
1307
- continueOnError: true,
1308
- ...options,
919
+ function toScanFn(s) {
920
+ return (typeof s === "function" ? s : s.scan);
921
+ }
922
+ /** Map a Match's severity field to a Verdict for stopOn comparison. */
923
+ function matchToVerdict(m) {
924
+ const s = m.severity;
925
+ if (s === "critical" || s === "high" || s === "malicious")
926
+ return "malicious";
927
+ if (s === "medium" || s === "low" || s === "suspicious" || s === "info")
928
+ return "suspicious";
929
+ return "clean";
930
+ }
931
+ /** Highest verdict across all matches in the list. */
932
+ function highestSeverity(matches) {
933
+ if (matches.length === 0)
934
+ return null;
935
+ if (matches.some((m) => matchToVerdict(m) === "malicious"))
936
+ return "malicious";
937
+ if (matches.some((m) => matchToVerdict(m) === "suspicious"))
938
+ return "suspicious";
939
+ return "clean";
940
+ }
941
+ const SEVERITY_RANK = { malicious: 2, suspicious: 1, clean: 0 };
942
+ function shouldStop(matches, stopOn) {
943
+ if (!stopOn)
944
+ return false;
945
+ const highest = highestSeverity(matches);
946
+ if (!highest)
947
+ return false;
948
+ return SEVERITY_RANK[highest] >= SEVERITY_RANK[stopOn];
949
+ }
950
+ async function runWithTimeout(fn, timeoutMs) {
951
+ if (!timeoutMs)
952
+ return fn();
953
+ return new Promise((resolve, reject) => {
954
+ const timer = setTimeout(() => reject(new Error("scanner timeout")), timeoutMs);
955
+ fn().then((v) => {
956
+ clearTimeout(timer);
957
+ resolve(v);
958
+ }, (e) => {
959
+ clearTimeout(timer);
960
+ reject(e);
961
+ });
962
+ });
963
+ }
964
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any
965
+ function composeScanners(...args) {
966
+ const first = args[0];
967
+ const rest = args.slice(1);
968
+ // ── Named-scanner array form ──────────────────────────────────────────────
969
+ if (Array.isArray(first) &&
970
+ (first.length === 0 || (Array.isArray(first[0]) && typeof first[0][0] === "string"))) {
971
+ const entries = first;
972
+ const opts = rest.length > 0 &&
973
+ !Array.isArray(rest[0]) &&
974
+ typeof rest[0] !== "function" &&
975
+ !(typeof rest[0] === "object" && rest[0] !== null && "scan" in rest[0])
976
+ ? rest[0]
977
+ : {};
978
+ return async (input, ctx) => {
979
+ const all = [];
980
+ if (opts.parallel) {
981
+ // Parallel execution — collect all results then return
982
+ const results = await Promise.allSettled(entries.map(([name, scanner]) => runWithTimeout(() => toScanFn(scanner)(input, ctx), opts.timeoutMsPerScanner)));
983
+ for (let i = 0; i < results.length; i++) {
984
+ const result = results[i];
985
+ if (result.status === "fulfilled" && Array.isArray(result.value)) {
986
+ const matches = opts.tagSourceName
987
+ ? result.value.map((m) => ({
988
+ ...m,
989
+ meta: { ...m.meta, _sourceName: entries[i][0] },
990
+ }))
991
+ : result.value;
992
+ all.push(...matches);
993
+ }
994
+ }
995
+ }
996
+ else {
997
+ // Sequential execution with optional stopOn short-circuit
998
+ for (const [name, scanner] of entries) {
999
+ try {
1000
+ const out = await runWithTimeout(() => toScanFn(scanner)(input, ctx), opts.timeoutMsPerScanner);
1001
+ if (Array.isArray(out)) {
1002
+ const matches = opts.tagSourceName
1003
+ ? out.map((m) => ({ ...m, meta: { ...m.meta, _sourceName: name } }))
1004
+ : out;
1005
+ all.push(...matches);
1006
+ if (shouldStop(all, opts.stopOn))
1007
+ break;
1008
+ }
1009
+ }
1010
+ catch {
1011
+ // individual scanner failure is non-fatal
1012
+ }
1013
+ }
1014
+ }
1015
+ return all;
1309
1016
  };
1310
1017
  }
1311
- /**
1312
- * Scan multiple files with controlled concurrency
1313
- */
1314
- async scanBatch(tasks) {
1315
- const startTime = Date.now();
1316
- const results = new Array(tasks.length);
1317
- const errors = [];
1318
- let successCount = 0;
1319
- let errorCount = 0;
1320
- let completedCount = 0;
1321
- const concurrency = this.options.concurrency ?? 5;
1322
- // Process tasks in chunks with controlled concurrency
1323
- const processingQueue = [];
1324
- let currentIndex = 0;
1325
- const processTask = async (index) => {
1018
+ // ── Variadic form (backward-compatible) ───────────────────────────────────
1019
+ const scanners = [first, ...rest].filter(Boolean);
1020
+ return async (input, ctx) => {
1021
+ const all = [];
1022
+ for (const s of scanners) {
1023
+ try {
1024
+ const out = await toScanFn(s)(input, ctx);
1025
+ if (Array.isArray(out))
1026
+ all.push(...out);
1027
+ }
1028
+ catch {
1029
+ // ignore individual scanner failures
1030
+ }
1031
+ }
1032
+ return all;
1033
+ };
1034
+ }
1035
+ function createPresetScanner(preset, opts = {}) {
1036
+ const scanners = [];
1037
+ // Always include heuristics (EICAR, PHP webshells, JS obfuscation, PE hints, etc.)
1038
+ scanners.push(CommonHeuristicsScanner);
1039
+ // Add decompilation scanners based on preset
1040
+ if (preset === "decompilation-basic" ||
1041
+ preset === "decompilation-deep" ||
1042
+ preset === "malware-analysis" ||
1043
+ opts.enableDecompilation) {
1044
+ const depth = preset === "decompilation-deep"
1045
+ ? "deep"
1046
+ : preset === "decompilation-basic"
1047
+ ? "basic"
1048
+ : opts.decompilationDepth || "basic";
1049
+ if (!opts.decompilationEngine ||
1050
+ opts.decompilationEngine === "binaryninja-hlil" ||
1051
+ opts.decompilationEngine === "both") {
1326
1052
  try {
1327
- const task = tasks[index];
1328
- const report = await scanBytes(task.content, {
1329
- ...this.options,
1330
- ctx: task.context,
1053
+ // Dynamic import to avoid bundling issues - using Function to bypass TypeScript type checking
1054
+ const importModule = new Function("specifier", "return import(specifier)");
1055
+ importModule("@pompelmi/engine-binaryninja")
1056
+ .then((mod) => {
1057
+ const binjaScanner = mod.createBinaryNinjaScanner({
1058
+ timeout: opts.decompilationTimeout || opts.timeout || 30000,
1059
+ depth,
1060
+ pythonPath: opts.pythonPath,
1061
+ binaryNinjaPath: opts.binaryNinjaPath,
1062
+ });
1063
+ scanners.push(binjaScanner);
1064
+ })
1065
+ .catch(() => {
1066
+ // Binary Ninja engine not available - silently skip
1331
1067
  });
1332
- results[index] = report;
1333
- successCount++;
1334
- completedCount++;
1335
- if (this.options.onProgress) {
1336
- this.options.onProgress(completedCount, tasks.length, report);
1337
- }
1338
1068
  }
1339
- catch (error) {
1340
- errorCount++;
1341
- completedCount++;
1342
- const err = error instanceof Error ? error : new Error(String(error));
1343
- if (this.options.onError) {
1344
- this.options.onError(err, index);
1345
- }
1346
- errors.push({ index, error: err });
1347
- if (!this.options.continueOnError) {
1348
- throw err;
1349
- }
1350
- results[index] = null;
1069
+ catch {
1070
+ // Engine not installed
1351
1071
  }
1352
- };
1353
- // Start initial batch of concurrent tasks
1354
- while (currentIndex < tasks.length) {
1355
- while (processingQueue.length < concurrency && currentIndex < tasks.length) {
1356
- const promise = processTask(currentIndex);
1357
- processingQueue.push(promise);
1358
- currentIndex++;
1359
- // Remove completed promises from queue
1360
- promise.finally(() => {
1361
- const idx = processingQueue.indexOf(promise);
1362
- if (idx > -1)
1363
- processingQueue.splice(idx, 1);
1072
+ }
1073
+ if (!opts.decompilationEngine ||
1074
+ opts.decompilationEngine === "ghidra-pcode" ||
1075
+ opts.decompilationEngine === "both") {
1076
+ try {
1077
+ // Dynamic import for Ghidra engine (when implemented) - using Function to bypass TypeScript type checking
1078
+ const importModule = new Function("specifier", "return import(specifier)");
1079
+ importModule("@pompelmi/engine-ghidra")
1080
+ .then((mod) => {
1081
+ const ghidraScanner = mod.createGhidraScanner({
1082
+ timeout: opts.decompilationTimeout || opts.timeout || 30000,
1083
+ depth,
1084
+ ghidraPath: opts.ghidraPath,
1085
+ analyzeHeadless: opts.analyzeHeadless,
1086
+ });
1087
+ scanners.push(ghidraScanner);
1088
+ })
1089
+ .catch(() => {
1090
+ // Ghidra engine not available - silently skip
1364
1091
  });
1365
1092
  }
1366
- // Wait for at least one task to complete before continuing
1367
- if (processingQueue.length >= concurrency) {
1368
- await Promise.race(processingQueue);
1093
+ catch {
1094
+ // Engine not installed
1369
1095
  }
1370
1096
  }
1371
- // Wait for all remaining tasks
1372
- await Promise.all(processingQueue);
1373
- const totalDurationMs = Date.now() - startTime;
1374
- return {
1375
- reports: results,
1376
- successCount,
1377
- errorCount,
1378
- totalDurationMs,
1379
- errors,
1097
+ }
1098
+ if (scanners.length === 0) {
1099
+ // Fallback scanner that returns no matches
1100
+ return async (_input, _ctx) => {
1101
+ return [];
1380
1102
  };
1381
1103
  }
1382
- /**
1383
- * Scan files from File objects (browser environment)
1384
- */
1385
- async scanFiles(files) {
1386
- const tasks = await Promise.all(files.map(async (file) => ({
1387
- content: new Uint8Array(await file.arrayBuffer()),
1388
- context: {
1389
- filename: file.name,
1390
- mimeType: file.type,
1391
- size: file.size,
1392
- },
1393
- })));
1394
- return this.scanBatch(tasks);
1104
+ return composeScanners(...scanners);
1105
+ }
1106
+
1107
+ /**
1108
+ * Advanced threat detection utilities
1109
+ * @module utils/advanced-detection
1110
+ */
1111
+ /**
1112
+ * Enhanced polyglot file detection
1113
+ * Detects files that can be interpreted as multiple formats
1114
+ */
1115
+ function detectPolyglot(bytes) {
1116
+ const matches = [];
1117
+ // Check for PDF/ZIP polyglot
1118
+ if (isPDFZipPolyglot(bytes)) {
1119
+ matches.push({
1120
+ rule: "polyglot_pdf_zip",
1121
+ severity: "high",
1122
+ meta: { description: "File can be interpreted as both PDF and ZIP" },
1123
+ });
1395
1124
  }
1396
- /**
1397
- * Scan files from file paths (Node.js environment)
1398
- */
1399
- async scanFilePaths(filePaths) {
1400
- const fs = await import('fs/promises');
1401
- const path = await import('path');
1402
- const tasks = await Promise.all(filePaths.map(async (filePath) => {
1403
- const [content, stats] = await Promise.all([
1404
- fs.readFile(filePath),
1405
- fs.stat(filePath),
1406
- ]);
1407
- return {
1408
- content: new Uint8Array(content),
1409
- context: {
1410
- filename: path.basename(filePath),
1411
- size: stats.size,
1125
+ // Check for image/script polyglot
1126
+ if (isImageScriptPolyglot(bytes)) {
1127
+ matches.push({
1128
+ rule: "polyglot_image_script",
1129
+ severity: "high",
1130
+ meta: { description: "Image file contains executable script content" },
1131
+ });
1132
+ }
1133
+ // Check for GIFAR (GIF/JAR polyglot)
1134
+ if (isGIFAR(bytes)) {
1135
+ matches.push({
1136
+ rule: "polyglot_gifar",
1137
+ severity: "critical",
1138
+ meta: { description: "GIF file contains Java archive" },
1139
+ });
1140
+ }
1141
+ return matches;
1142
+ }
1143
+ /**
1144
+ * Detect obfuscated JavaScript/VBScript
1145
+ */
1146
+ function detectObfuscatedScripts(bytes) {
1147
+ const matches = [];
1148
+ const text = new TextDecoder("utf-8", { fatal: false }).decode(bytes.slice(0, Math.min(64 * 1024, bytes.length)));
1149
+ // Check for common obfuscation patterns
1150
+ const obfuscationPatterns = [
1151
+ /eval\s*\(\s*unescape\s*\(/gi,
1152
+ /eval\s*\(\s*atob\s*\(/gi,
1153
+ /String\.fromCharCode\s*\(\s*\d+(?:\s*,\s*\d+){10,}/gi,
1154
+ /[a-z0-9]{100,}/gi, // Long encoded strings
1155
+ /\\x[0-9a-f]{2}/gi, // Hex escapes
1156
+ ];
1157
+ for (const pattern of obfuscationPatterns) {
1158
+ if (pattern.test(text)) {
1159
+ matches.push({
1160
+ rule: "obfuscated_script",
1161
+ severity: "medium",
1162
+ meta: {
1163
+ description: "Detected obfuscated script content",
1164
+ pattern: pattern.source,
1412
1165
  },
1413
- };
1414
- }));
1415
- return this.scanBatch(tasks);
1166
+ });
1167
+ break;
1168
+ }
1416
1169
  }
1170
+ return matches;
1417
1171
  }
1418
1172
  /**
1419
- * Quick helper for batch scanning with default options
1173
+ * Enhanced nested archive detection with depth limits
1420
1174
  */
1421
- async function batchScan(tasks, options) {
1422
- const scanner = new BatchScanner(options);
1423
- return scanner.scanBatch(tasks);
1175
+ function analyzeNestedArchives(bytes, maxDepth = 10) {
1176
+ let depth = 0;
1177
+ let currentBytes = bytes;
1178
+ while (depth < maxDepth) {
1179
+ if (isArchive(currentBytes)) {
1180
+ depth++;
1181
+ {
1182
+ break;
1183
+ }
1184
+ }
1185
+ else {
1186
+ break;
1187
+ }
1188
+ }
1189
+ return {
1190
+ depth,
1191
+ hasExcessiveNesting: depth >= 5,
1192
+ };
1193
+ }
1194
+ // Helper functions
1195
+ function isPDFZipPolyglot(bytes) {
1196
+ if (bytes.length < 8)
1197
+ return false;
1198
+ // Check for PDF signature
1199
+ const hasPDF = bytes[0] === 0x25 && bytes[1] === 0x50 && bytes[2] === 0x44 && bytes[3] === 0x46;
1200
+ // Check for ZIP signature anywhere in the file
1201
+ let hasZIP = false;
1202
+ for (let i = 0; i < Math.min(bytes.length - 4, 1024); i++) {
1203
+ if (bytes[i] === 0x50 &&
1204
+ bytes[i + 1] === 0x4b &&
1205
+ bytes[i + 2] === 0x03 &&
1206
+ bytes[i + 3] === 0x04) {
1207
+ hasZIP = true;
1208
+ break;
1209
+ }
1210
+ }
1211
+ return hasPDF && hasZIP;
1212
+ }
1213
+ function isImageScriptPolyglot(bytes) {
1214
+ if (bytes.length < 100)
1215
+ return false;
1216
+ // Check for image signatures
1217
+ const isImage = (bytes[0] === 0xff && bytes[1] === 0xd8) || // JPEG
1218
+ (bytes[0] === 0x89 && bytes[1] === 0x50 && bytes[2] === 0x4e && bytes[3] === 0x47) || // PNG
1219
+ (bytes[0] === 0x47 && bytes[1] === 0x49 && bytes[2] === 0x46); // GIF
1220
+ if (!isImage)
1221
+ return false;
1222
+ // Check for script content
1223
+ const text = new TextDecoder("utf-8", { fatal: false }).decode(bytes);
1224
+ return /<script|javascript:|eval\(|function\s*\(/i.test(text);
1225
+ }
1226
+ function isGIFAR(bytes) {
1227
+ if (bytes.length < 100)
1228
+ return false;
1229
+ // Check for GIF signature
1230
+ const isGIF = bytes[0] === 0x47 && bytes[1] === 0x49 && bytes[2] === 0x46;
1231
+ // Check for ZIP/JAR signature
1232
+ let hasZIP = false;
1233
+ for (let i = 0; i < Math.min(bytes.length - 4, 1024); i++) {
1234
+ if (bytes[i] === 0x50 &&
1235
+ bytes[i + 1] === 0x4b &&
1236
+ bytes[i + 2] === 0x03 &&
1237
+ bytes[i + 3] === 0x04) {
1238
+ hasZIP = true;
1239
+ break;
1240
+ }
1241
+ }
1242
+ return isGIF && hasZIP;
1243
+ }
1244
+ function isArchive(bytes) {
1245
+ if (bytes.length < 4)
1246
+ return false;
1247
+ return (
1248
+ // ZIP
1249
+ (bytes[0] === 0x50 && bytes[1] === 0x4b && bytes[2] === 0x03 && bytes[3] === 0x04) ||
1250
+ // RAR
1251
+ (bytes[0] === 0x52 && bytes[1] === 0x61 && bytes[2] === 0x72 && bytes[3] === 0x21) ||
1252
+ // 7z
1253
+ (bytes[0] === 0x37 && bytes[1] === 0x7a && bytes[2] === 0xbc && bytes[3] === 0xaf) ||
1254
+ // tar.gz
1255
+ (bytes[0] === 0x1f && bytes[1] === 0x8b));
1424
1256
  }
1425
1257
 
1426
1258
  /**
1427
- * Threat intelligence integration and enhanced detection
1428
- * @module utils/threat-intelligence
1259
+ * Cache management system for scan results
1260
+ * @module utils/cache-manager
1429
1261
  */
1430
1262
  /**
1431
- * Built-in threat intelligence - known malware hashes
1432
- * In production, this would connect to real threat intel APIs
1263
+ * LRU cache for scan results with TTL support
1433
1264
  */
1434
- class LocalThreatIntelligence {
1435
- constructor() {
1436
- this.name = 'Local Database';
1437
- this.knownThreats = new Map();
1438
- // Initialize with some example known threats (in production, load from database)
1439
- this.initializeKnownThreats();
1440
- }
1441
- initializeKnownThreats() {
1442
- // Example: EICAR test file hash
1443
- this.knownThreats.set('275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f', {
1444
- threatLevel: 100,
1445
- category: 'test-malware',
1446
- source: 'local',
1447
- metadata: { name: 'EICAR Test File' },
1448
- });
1265
+ class ScanCacheManager {
1266
+ constructor(options = {}) {
1267
+ this.cache = new Map();
1268
+ // Statistics
1269
+ this.stats = {
1270
+ hits: 0,
1271
+ misses: 0,
1272
+ evictions: 0,
1273
+ };
1274
+ this.maxSize = options.maxSize ?? 1000;
1275
+ this.ttl = options.ttl ?? 3600000; // 1 hour default
1276
+ this.enableLRU = options.enableLRU ?? true;
1277
+ this.enableStats = options.enableStats ?? false;
1449
1278
  }
1450
- async checkHash(hash) {
1451
- return this.knownThreats.get(hash.toLowerCase()) || null;
1279
+ /**
1280
+ * Generate cache key from file content
1281
+ */
1282
+ generateKey(content, preset) {
1283
+ const hash = createHash("sha256")
1284
+ .update(content)
1285
+ .update(preset || "default")
1286
+ .digest("hex");
1287
+ return hash;
1452
1288
  }
1453
1289
  /**
1454
- * Add a known threat to the local database
1290
+ * Check if cache entry is still valid
1455
1291
  */
1456
- addThreat(hash, info) {
1457
- this.knownThreats.set(hash.toLowerCase(), info);
1292
+ isValid(entry) {
1293
+ return Date.now() - entry.timestamp < this.ttl;
1458
1294
  }
1459
1295
  /**
1460
- * Remove a threat from the local database
1296
+ * Evict oldest or least-used entry when cache is full
1461
1297
  */
1462
- removeThreat(hash) {
1463
- return this.knownThreats.delete(hash.toLowerCase());
1298
+ evict() {
1299
+ if (this.cache.size === 0)
1300
+ return;
1301
+ let targetKey = null;
1302
+ let oldestTime = Infinity;
1303
+ let lowestAccess = Infinity;
1304
+ for (const [key, entry] of this.cache.entries()) {
1305
+ if (this.enableLRU) {
1306
+ // LRU: evict least recently used
1307
+ if (entry.timestamp < oldestTime) {
1308
+ oldestTime = entry.timestamp;
1309
+ targetKey = key;
1310
+ }
1311
+ }
1312
+ else {
1313
+ // LFU: evict least frequently used
1314
+ if (entry.accessCount < lowestAccess) {
1315
+ lowestAccess = entry.accessCount;
1316
+ targetKey = key;
1317
+ }
1318
+ }
1319
+ }
1320
+ if (targetKey) {
1321
+ this.cache.delete(targetKey);
1322
+ if (this.enableStats)
1323
+ this.stats.evictions++;
1324
+ }
1464
1325
  }
1465
1326
  /**
1466
- * Get all known threats
1327
+ * Store scan result in cache
1467
1328
  */
1468
- getAllThreats() {
1469
- return new Map(this.knownThreats);
1329
+ set(content, report, preset) {
1330
+ const key = this.generateKey(content, preset);
1331
+ // Evict if necessary
1332
+ if (this.cache.size >= this.maxSize) {
1333
+ this.evict();
1334
+ }
1335
+ this.cache.set(key, {
1336
+ report,
1337
+ timestamp: Date.now(),
1338
+ accessCount: 0,
1339
+ });
1470
1340
  }
1471
- }
1472
- /**
1473
- * Threat intelligence aggregator
1474
- */
1475
- class ThreatIntelligenceAggregator {
1476
- constructor(sources) {
1477
- this.sources = [];
1478
- if (sources) {
1479
- this.sources = sources;
1341
+ /**
1342
+ * Retrieve scan result from cache
1343
+ */
1344
+ get(content, preset) {
1345
+ const key = this.generateKey(content, preset);
1346
+ const entry = this.cache.get(key);
1347
+ if (!entry) {
1348
+ if (this.enableStats)
1349
+ this.stats.misses++;
1350
+ return null;
1480
1351
  }
1481
- else {
1482
- // Default to local intelligence
1483
- this.sources = [new LocalThreatIntelligence()];
1352
+ if (!this.isValid(entry)) {
1353
+ this.cache.delete(key);
1354
+ if (this.enableStats)
1355
+ this.stats.misses++;
1356
+ return null;
1484
1357
  }
1358
+ // Update access tracking
1359
+ entry.accessCount++;
1360
+ entry.timestamp = Date.now(); // Update for LRU
1361
+ if (this.enableStats)
1362
+ this.stats.hits++;
1363
+ return entry.report;
1485
1364
  }
1486
1365
  /**
1487
- * Add a threat intelligence source
1366
+ * Check if result exists in cache
1488
1367
  */
1489
- addSource(source) {
1490
- this.sources.push(source);
1368
+ has(content, preset) {
1369
+ const key = this.generateKey(content, preset);
1370
+ const entry = this.cache.get(key);
1371
+ return entry !== undefined && this.isValid(entry);
1491
1372
  }
1492
1373
  /**
1493
- * Check file hash against all sources
1374
+ * Clear entire cache
1494
1375
  */
1495
- async checkHash(hash) {
1496
- const results = await Promise.allSettled(this.sources.map(source => source.checkHash(hash)));
1497
- const threats = [];
1498
- for (const result of results) {
1499
- if (result.status === 'fulfilled' && result.value) {
1500
- threats.push(result.value);
1376
+ clear() {
1377
+ this.cache.clear();
1378
+ if (this.enableStats) {
1379
+ this.stats.hits = 0;
1380
+ this.stats.misses = 0;
1381
+ this.stats.evictions = 0;
1382
+ }
1383
+ }
1384
+ /**
1385
+ * Remove expired entries
1386
+ */
1387
+ prune() {
1388
+ let removed = 0;
1389
+ for (const [key, entry] of this.cache.entries()) {
1390
+ if (!this.isValid(entry)) {
1391
+ this.cache.delete(key);
1392
+ removed++;
1501
1393
  }
1502
1394
  }
1503
- return threats;
1395
+ return removed;
1504
1396
  }
1505
1397
  /**
1506
- * Enhance scan report with threat intelligence
1398
+ * Get cache statistics
1507
1399
  */
1508
- async enhanceScanReport(content, report) {
1509
- // Calculate file hash
1510
- const hash = createHash('sha256').update(content).digest('hex');
1511
- // Check threat intelligence
1512
- const threatIntel = await this.checkHash(hash);
1513
- // Calculate risk score
1514
- const riskScore = this.calculateRiskScore(report, threatIntel);
1400
+ getStats() {
1401
+ const total = this.stats.hits + this.stats.misses;
1402
+ const hitRate = total > 0 ? (this.stats.hits / total) * 100 : 0;
1515
1403
  return {
1516
- ...report,
1517
- fileHash: hash,
1518
- threatIntel: threatIntel.length > 0 ? threatIntel : undefined,
1519
- riskScore,
1404
+ hits: this.stats.hits,
1405
+ misses: this.stats.misses,
1406
+ size: this.cache.size,
1407
+ hitRate,
1408
+ evictions: this.stats.evictions,
1520
1409
  };
1521
1410
  }
1522
1411
  /**
1523
- * Calculate overall risk score based on scan results and threat intel
1412
+ * Get current cache size
1524
1413
  */
1525
- calculateRiskScore(report, threats) {
1526
- let score = 0;
1527
- // Base score from verdict
1528
- switch (report.verdict) {
1529
- case 'malicious':
1530
- score += 70;
1531
- break;
1532
- case 'suspicious':
1533
- score += 40;
1534
- break;
1535
- case 'clean':
1536
- score += 0;
1537
- break;
1538
- }
1539
- // Add points for number of matches
1540
- score += Math.min(report.matches.length * 5, 20);
1541
- // Add points from threat intelligence
1542
- if (threats.length > 0) {
1543
- const maxThreat = Math.max(...threats.map(t => t.threatLevel));
1544
- score = Math.max(score, maxThreat);
1545
- }
1546
- return Math.min(score, 100);
1414
+ get size() {
1415
+ return this.cache.size;
1547
1416
  }
1548
1417
  }
1418
+ // Export singleton instance for convenience
1419
+ let defaultCache = null;
1549
1420
  /**
1550
- * Create default threat intelligence aggregator
1421
+ * Get or create the default cache instance
1551
1422
  */
1552
- function createThreatIntelligence() {
1553
- return new ThreatIntelligenceAggregator();
1423
+ function getDefaultCache(options) {
1424
+ if (!defaultCache) {
1425
+ defaultCache = new ScanCacheManager(options);
1426
+ }
1427
+ return defaultCache;
1554
1428
  }
1555
1429
  /**
1556
- * Helper to get file hash
1430
+ * Reset the default cache instance
1557
1431
  */
1558
- function getFileHash(content) {
1559
- return createHash('sha256').update(content).digest('hex');
1432
+ function resetDefaultCache() {
1433
+ defaultCache = null;
1560
1434
  }
1561
1435
 
1562
1436
  /**
1563
- * Export utilities for scan results
1564
- * @module utils/export
1565
- */
1566
- /**
1567
- * Export scan results to various formats
1568
- */
1569
- class ScanResultExporter {
1570
- /**
1571
- * Export to JSON format
1572
- */
1573
- toJSON(reports, options = {}) {
1574
- const data = Array.isArray(reports) ? reports : [reports];
1575
- if (!options.includeDetails) {
1576
- // Simplified output
1577
- const simplified = data.map(r => ({
1578
- verdict: r.verdict,
1579
- file: r.file?.name,
1580
- matches: r.matches.length,
1581
- durationMs: r.durationMs,
1582
- }));
1583
- return options.prettyPrint
1584
- ? JSON.stringify(simplified, null, 2)
1585
- : JSON.stringify(simplified);
1586
- }
1587
- return options.prettyPrint
1588
- ? JSON.stringify(data, null, 2)
1589
- : JSON.stringify(data);
1590
- }
1591
- /**
1592
- * Export to CSV format
1593
- */
1594
- toCSV(reports, options = {}) {
1595
- const data = Array.isArray(reports) ? reports : [reports];
1596
- const headers = [
1597
- 'filename',
1598
- 'verdict',
1599
- 'matches_count',
1600
- 'file_size',
1601
- 'mime_type',
1602
- 'duration_ms',
1603
- 'engine',
1604
- ];
1605
- if (options.includeDetails) {
1606
- headers.push('reasons', 'match_rules');
1607
- }
1608
- const rows = data.map(report => {
1609
- const row = [
1610
- this.escapeCsv(report.file?.name || 'unknown'),
1611
- report.verdict,
1612
- report.matches.length.toString(),
1613
- (report.file?.size || 0).toString(),
1614
- this.escapeCsv(report.file?.mimeType || 'unknown'),
1615
- (report.durationMs || 0).toString(),
1616
- report.engine || 'unknown',
1617
- ];
1618
- if (options.includeDetails) {
1619
- row.push(this.escapeCsv((report.reasons || []).join('; ')), this.escapeCsv(report.matches.map(m => m.rule).join('; ')));
1620
- }
1621
- return row.join(',');
1622
- });
1623
- return [headers.join(','), ...rows].join('\n');
1624
- }
1625
- /**
1626
- * Export to Markdown format
1627
- */
1628
- toMarkdown(reports, options = {}) {
1629
- const data = Array.isArray(reports) ? reports : [reports];
1630
- let md = '# Scan Results\n\n';
1631
- md += `**Total Scans:** ${data.length}\n\n`;
1632
- const clean = data.filter(r => r.verdict === 'clean').length;
1633
- const suspicious = data.filter(r => r.verdict === 'suspicious').length;
1634
- const malicious = data.filter(r => r.verdict === 'malicious').length;
1635
- md += '## Summary\n\n';
1636
- md += `- ✅ Clean: ${clean}\n`;
1637
- md += `- ⚠️ Suspicious: ${suspicious}\n`;
1638
- md += `- ❌ Malicious: ${malicious}\n\n`;
1639
- md += '## Detailed Results\n\n';
1640
- for (const report of data) {
1641
- const icon = report.verdict === 'clean' ? '✅' : report.verdict === 'suspicious' ? '⚠️' : '❌';
1642
- md += `### ${icon} ${report.file?.name || 'Unknown'}\n\n`;
1643
- md += `- **Verdict:** ${report.verdict}\n`;
1644
- md += `- **Size:** ${this.formatBytes(report.file?.size || 0)}\n`;
1645
- md += `- **MIME Type:** ${report.file?.mimeType || 'unknown'}\n`;
1646
- md += `- **Duration:** ${report.durationMs || 0}ms\n`;
1647
- md += `- **Matches:** ${report.matches.length}\n`;
1648
- if (options.includeDetails && report.matches.length > 0) {
1649
- md += '\n**Match Details:**\n';
1650
- for (const match of report.matches) {
1651
- md += `- ${match.rule}`;
1652
- if (match.tags && match.tags.length > 0) {
1653
- md += ` (${match.tags.join(', ')})`;
1654
- }
1655
- md += '\n';
1656
- }
1657
- }
1658
- md += '\n';
1659
- }
1660
- return md;
1437
+ * Performance monitoring utilities for pompelmi scans
1438
+ * @module utils/performance-metrics
1439
+ */
1440
+ /**
1441
+ * Track performance metrics for a scan operation
1442
+ */
1443
+ class PerformanceTracker {
1444
+ constructor() {
1445
+ this.checkpoints = new Map();
1446
+ this.startTime = Date.now();
1661
1447
  }
1662
1448
  /**
1663
- * Export to SARIF format (Static Analysis Results Interchange Format)
1664
- * Useful for CI/CD integration
1449
+ * Mark a checkpoint in the scan process
1665
1450
  */
1666
- toSARIF(reports, options = {}) {
1667
- const data = Array.isArray(reports) ? reports : [reports];
1668
- const results = data.flatMap(report => {
1669
- if (report.verdict === 'clean')
1670
- return [];
1671
- return report.matches.map(match => ({
1672
- ruleId: match.rule,
1673
- level: report.verdict === 'malicious' ? 'error' : 'warning',
1674
- message: {
1675
- text: `${match.rule} detected in ${report.file?.name || 'unknown file'}`,
1676
- },
1677
- locations: [
1678
- {
1679
- physicalLocation: {
1680
- artifactLocation: {
1681
- uri: report.file?.name || 'unknown',
1682
- },
1683
- },
1684
- },
1685
- ],
1686
- properties: {
1687
- tags: match.tags,
1688
- metadata: match.meta,
1689
- },
1690
- }));
1691
- });
1692
- const sarif = {
1693
- version: '2.1.0',
1694
- $schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
1695
- runs: [
1696
- {
1697
- tool: {
1698
- driver: {
1699
- name: 'Pompelmi',
1700
- version: '0.29.0',
1701
- informationUri: 'https://pompelmi.github.io/pompelmi/',
1702
- },
1703
- },
1704
- results,
1705
- },
1706
- ],
1707
- };
1708
- return options.prettyPrint
1709
- ? JSON.stringify(sarif, null, 2)
1710
- : JSON.stringify(sarif);
1451
+ checkpoint(name) {
1452
+ this.checkpoints.set(name, Date.now());
1711
1453
  }
1712
1454
  /**
1713
- * Export to HTML format
1455
+ * Get duration since start or since a specific checkpoint
1714
1456
  */
1715
- toHTML(reports, options = {}) {
1716
- const data = Array.isArray(reports) ? reports : [reports];
1717
- const clean = data.filter(r => r.verdict === 'clean').length;
1718
- const suspicious = data.filter(r => r.verdict === 'suspicious').length;
1719
- const malicious = data.filter(r => r.verdict === 'malicious').length;
1720
- let html = `<!DOCTYPE html>
1721
- <html lang="en">
1722
- <head>
1723
- <meta charset="UTF-8">
1724
- <meta name="viewport" content="width=device-width, initial-scale=1.0">
1725
- <title>Pompelmi Scan Results</title>
1726
- <style>
1727
- body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; max-width: 1200px; margin: 0 auto; padding: 20px; }
1728
- .summary { display: grid; grid-template-columns: repeat(3, 1fr); gap: 20px; margin: 20px 0; }
1729
- .card { padding: 20px; border-radius: 8px; text-align: center; }
1730
- .clean { background: #d4edda; color: #155724; }
1731
- .suspicious { background: #fff3cd; color: #856404; }
1732
- .malicious { background: #f8d7da; color: #721c24; }
1733
- .result { border: 1px solid #ddd; border-radius: 8px; padding: 15px; margin: 10px 0; }
1734
- .result h3 { margin-top: 0; }
1735
- .badge { display: inline-block; padding: 4px 8px; border-radius: 4px; font-size: 0.8em; margin: 2px; }
1736
- table { width: 100%; border-collapse: collapse; }
1737
- th, td { padding: 8px; text-align: left; border-bottom: 1px solid #ddd; }
1738
- </style>
1739
- </head>
1740
- <body>
1741
- <h1>🛡️ Pompelmi Scan Results</h1>
1742
- <div class="summary">
1743
- <div class="card clean"><h2>${clean}</h2><p>Clean Files</p></div>
1744
- <div class="card suspicious"><h2>${suspicious}</h2><p>Suspicious Files</p></div>
1745
- <div class="card malicious"><h2>${malicious}</h2><p>Malicious Files</p></div>
1746
- </div>
1747
- <h2>Detailed Results</h2>`;
1748
- for (const report of data) {
1749
- const statusClass = report.verdict;
1750
- html += `<div class="result ${statusClass}">`;
1751
- html += `<h3>${this.escapeHtml(report.file?.name || 'Unknown')}</h3>`;
1752
- html += `<table>`;
1753
- html += `<tr><th>Verdict</th><td>${report.verdict.toUpperCase()}</td></tr>`;
1754
- html += `<tr><th>Size</th><td>${this.formatBytes(report.file?.size || 0)}</td></tr>`;
1755
- html += `<tr><th>MIME Type</th><td>${this.escapeHtml(report.file?.mimeType || 'unknown')}</td></tr>`;
1756
- html += `<tr><th>Duration</th><td>${report.durationMs || 0}ms</td></tr>`;
1757
- html += `<tr><th>Matches</th><td>${report.matches.length}</td></tr>`;
1758
- html += `</table>`;
1759
- if (options.includeDetails && report.matches.length > 0) {
1760
- html += `<h4>Match Details:</h4><ul>`;
1761
- for (const match of report.matches) {
1762
- html += `<li><strong>${this.escapeHtml(match.rule)}</strong>`;
1763
- if (match.tags && match.tags.length > 0) {
1764
- html += ` ${match.tags.map(tag => `<span class="badge">${this.escapeHtml(tag)}</span>`).join('')}`;
1765
- }
1766
- html += `</li>`;
1767
- }
1768
- html += `</ul>`;
1769
- }
1770
- html += `</div>`;
1457
+ getDuration(since) {
1458
+ const now = Date.now();
1459
+ if (since && this.checkpoints.has(since)) {
1460
+ return now - (this.checkpoints.get(since) ?? now);
1771
1461
  }
1772
- html += `</body></html>`;
1773
- return html;
1462
+ return now - this.startTime;
1774
1463
  }
1775
1464
  /**
1776
- * Export to specified format
1465
+ * Generate final metrics report
1777
1466
  */
1778
- export(reports, format, options = {}) {
1779
- switch (format) {
1780
- case 'json':
1781
- return this.toJSON(reports, options);
1782
- case 'csv':
1783
- return this.toCSV(reports, options);
1784
- case 'markdown':
1785
- return this.toMarkdown(reports, options);
1786
- case 'html':
1787
- return this.toHTML(reports, options);
1788
- case 'sarif':
1789
- return this.toSARIF(reports, options);
1790
- default:
1791
- throw new Error(`Unsupported export format: ${format}`);
1467
+ getMetrics(bytesScanned) {
1468
+ const totalDuration = this.getDuration();
1469
+ const throughput = totalDuration > 0 ? (bytesScanned / totalDuration) * 1000 : 0;
1470
+ return {
1471
+ totalDurationMs: totalDuration,
1472
+ heuristicsDurationMs: this.checkpoints.has("heuristics_end")
1473
+ ? (this.checkpoints.get("heuristics_end") ?? 0) -
1474
+ (this.checkpoints.get("heuristics_start") ?? 0)
1475
+ : undefined,
1476
+ yaraDurationMs: this.checkpoints.has("yara_end")
1477
+ ? (this.checkpoints.get("yara_end") ?? 0) - (this.checkpoints.get("yara_start") ?? 0)
1478
+ : undefined,
1479
+ prepDurationMs: this.checkpoints.has("prep_end")
1480
+ ? (this.checkpoints.get("prep_end") ?? 0) - this.startTime
1481
+ : undefined,
1482
+ throughputBps: throughput,
1483
+ bytesScanned,
1484
+ startedAt: this.startTime,
1485
+ completedAt: Date.now(),
1486
+ };
1487
+ }
1488
+ }
1489
+ /**
1490
+ * Aggregate statistics from multiple scan reports
1491
+ */
1492
+ function aggregateScanStats(reports) {
1493
+ let cleanCount = 0;
1494
+ let suspiciousCount = 0;
1495
+ let maliciousCount = 0;
1496
+ let totalDuration = 0;
1497
+ let totalBytes = 0;
1498
+ let validDurationCount = 0;
1499
+ for (const report of reports) {
1500
+ if (report.verdict === "clean")
1501
+ cleanCount++;
1502
+ else if (report.verdict === "suspicious")
1503
+ suspiciousCount++;
1504
+ else if (report.verdict === "malicious")
1505
+ maliciousCount++;
1506
+ if (report.durationMs !== undefined) {
1507
+ totalDuration += report.durationMs;
1508
+ validDurationCount++;
1509
+ }
1510
+ if (report.file?.size !== undefined) {
1511
+ totalBytes += report.file.size;
1792
1512
  }
1793
1513
  }
1794
- escapeCsv(value) {
1795
- if (value.includes(',') || value.includes('"') || value.includes('\n')) {
1796
- return `"${value.replace(/"/g, '""')}"`;
1514
+ const avgDuration = validDurationCount > 0 ? totalDuration / validDurationCount : 0;
1515
+ const avgThroughput = totalDuration > 0 ? (totalBytes / totalDuration) * 1000 : 0;
1516
+ return {
1517
+ totalScans: reports.length,
1518
+ cleanCount,
1519
+ suspiciousCount,
1520
+ maliciousCount,
1521
+ avgDurationMs: avgDuration,
1522
+ avgThroughputBps: avgThroughput,
1523
+ totalBytesScanned: totalBytes,
1524
+ };
1525
+ }
1526
+
1527
+ /** Mappa veloce estensione -> mime (basic) */
1528
+ function guessMimeByExt(name) {
1529
+ if (!name)
1530
+ return;
1531
+ const ext = name.toLowerCase().split(".").pop();
1532
+ switch (ext) {
1533
+ case "zip":
1534
+ return "application/zip";
1535
+ case "png":
1536
+ return "image/png";
1537
+ case "jpg":
1538
+ case "jpeg":
1539
+ return "image/jpeg";
1540
+ case "pdf":
1541
+ return "application/pdf";
1542
+ case "txt":
1543
+ return "text/plain";
1544
+ default:
1545
+ return;
1546
+ }
1547
+ }
1548
+ /** Heuristica semplice per verdetto */
1549
+ function computeVerdict(matches) {
1550
+ if (!matches.length)
1551
+ return "clean";
1552
+ // se la regola contiene 'zip_' lo marchiamo "suspicious"
1553
+ const anyHigh = matches.some((m) => (m.tags ?? []).includes("critical") || (m.tags ?? []).includes("high"));
1554
+ return anyHigh ? "malicious" : "suspicious";
1555
+ }
1556
+ /** Converte i Match (heuristics) in YaraMatch-like per uniformare l'output */
1557
+ function toYaraMatches(ms) {
1558
+ return ms.map((m) => ({
1559
+ rule: m.rule,
1560
+ namespace: "heuristics",
1561
+ tags: ["heuristics"].concat(m.severity ? [m.severity] : []),
1562
+ meta: m.meta,
1563
+ }));
1564
+ }
1565
+ /** Scan di bytes (browser/node) usando preset (default: zip-basic) */
1566
+ async function scanBytes(input, opts = {}) {
1567
+ // Check cache first if enabled
1568
+ if (opts.enableCache || opts.config?.performance?.enableCache) {
1569
+ const cache = getDefaultCache(opts.config?.performance?.cacheOptions);
1570
+ const cached = cache.get(input, opts.preset);
1571
+ if (cached) {
1572
+ return cached;
1797
1573
  }
1798
- return value;
1799
1574
  }
1800
- escapeHtml(value) {
1801
- return value
1802
- .replace(/&/g, '&amp;')
1803
- .replace(/</g, '&lt;')
1804
- .replace(/>/g, '&gt;')
1805
- .replace(/"/g, '&quot;')
1806
- .replace(/'/g, '&#039;');
1575
+ const perfTracker = opts.enablePerformanceTracking || opts.config?.performance?.enablePerformanceTracking
1576
+ ? new PerformanceTracker()
1577
+ : null;
1578
+ perfTracker?.checkpoint("prep_start");
1579
+ const preset = opts.preset ?? opts.config?.defaultPreset ?? "zip-basic";
1580
+ const ctx = {
1581
+ ...opts.ctx,
1582
+ mimeType: opts.ctx?.mimeType ?? guessMimeByExt(opts.ctx?.filename),
1583
+ size: opts.ctx?.size ?? input.byteLength,
1584
+ };
1585
+ perfTracker?.checkpoint("prep_end");
1586
+ perfTracker?.checkpoint("heuristics_start");
1587
+ const scanFn = createPresetScanner(preset);
1588
+ const matchesH = await (typeof scanFn === "function"
1589
+ ? scanFn
1590
+ : scanFn.scan)(input, ctx);
1591
+ const allMatches = [...matchesH];
1592
+ perfTracker?.checkpoint("heuristics_end");
1593
+ // Advanced detection (enabled by default, can be overridden by config)
1594
+ const advancedEnabled = opts.enableAdvancedDetection ?? opts.config?.advanced?.enablePolyglotDetection ?? true;
1595
+ if (advancedEnabled) {
1596
+ perfTracker?.checkpoint("advanced_start");
1597
+ // Detect polyglot files
1598
+ if (opts.config?.advanced?.enablePolyglotDetection !== false) {
1599
+ const polyglotMatches = detectPolyglot(input);
1600
+ allMatches.push(...polyglotMatches);
1601
+ }
1602
+ // Detect obfuscated scripts
1603
+ if (opts.config?.advanced?.enableObfuscationDetection !== false) {
1604
+ const obfuscatedMatches = detectObfuscatedScripts(input);
1605
+ allMatches.push(...obfuscatedMatches);
1606
+ }
1607
+ // Check for excessive nesting in archives
1608
+ if (opts.config?.advanced?.enableNestedArchiveAnalysis !== false) {
1609
+ const nestingAnalysis = analyzeNestedArchives(input);
1610
+ const maxDepth = opts.config?.advanced?.maxArchiveDepth ?? 5;
1611
+ if (nestingAnalysis.hasExcessiveNesting || nestingAnalysis.depth > maxDepth) {
1612
+ allMatches.push({
1613
+ rule: "excessive_archive_nesting",
1614
+ severity: "high",
1615
+ meta: {
1616
+ description: "Excessive archive nesting detected",
1617
+ depth: nestingAnalysis.depth,
1618
+ maxAllowed: maxDepth,
1619
+ },
1620
+ });
1621
+ }
1622
+ }
1623
+ perfTracker?.checkpoint("advanced_end");
1807
1624
  }
1808
- formatBytes(bytes) {
1809
- if (bytes === 0)
1810
- return '0 Bytes';
1811
- const k = 1024;
1812
- const sizes = ['Bytes', 'KB', 'MB', 'GB'];
1813
- const i = Math.floor(Math.log(bytes) / Math.log(k));
1814
- return Math.round(bytes / Math.pow(k, i) * 100) / 100 + ' ' + sizes[i];
1625
+ const matches = toYaraMatches(allMatches);
1626
+ const verdict = computeVerdict(matches);
1627
+ perfTracker ? perfTracker.getDuration() : Date.now();
1628
+ const durationMs = perfTracker ? perfTracker.getDuration() : 0;
1629
+ const report = {
1630
+ ok: verdict === "clean",
1631
+ verdict,
1632
+ matches,
1633
+ reasons: matches.map((m) => m.rule),
1634
+ file: { name: ctx.filename, mimeType: ctx.mimeType, size: ctx.size },
1635
+ durationMs,
1636
+ engine: "heuristics",
1637
+ truncated: false,
1638
+ timedOut: false,
1639
+ };
1640
+ // Add performance metrics if tracking enabled
1641
+ if (perfTracker &&
1642
+ (opts.enablePerformanceTracking || opts.config?.performance?.enablePerformanceTracking)) {
1643
+ report.performanceMetrics = perfTracker.getMetrics(input.byteLength);
1644
+ }
1645
+ // Cache result if enabled
1646
+ if (opts.enableCache || opts.config?.performance?.enableCache) {
1647
+ const cache = getDefaultCache(opts.config?.performance?.cacheOptions);
1648
+ cache.set(input, report, opts.preset);
1649
+ }
1650
+ // Invoke callbacks if configured
1651
+ opts.config?.callbacks?.onScanComplete?.(report);
1652
+ return report;
1653
+ }
1654
+ /** Scan di un file su disco (Node). Import dinamico per non vincolare il bundle browser. */
1655
+ async function scanFile(filePath, opts = {}) {
1656
+ const [{ readFile, stat }, path] = await Promise.all([import('fs/promises'), import('path')]);
1657
+ const [buf, st] = await Promise.all([readFile(filePath), stat(filePath)]);
1658
+ const ctx = {
1659
+ filename: path.basename(filePath),
1660
+ mimeType: guessMimeByExt(filePath),
1661
+ size: st.size,
1662
+ };
1663
+ return scanBytes(new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength), { ...opts, ctx });
1664
+ }
1665
+ /** Scan multipli File (browser) usando scanBytes + preset di default */
1666
+ async function scanFiles(files, opts = {}) {
1667
+ const list = Array.from(files);
1668
+ const out = [];
1669
+ for (const f of list) {
1670
+ const buf = new Uint8Array(await f.arrayBuffer());
1671
+ const rep = await scanBytes(buf, {
1672
+ ...opts,
1673
+ ctx: { filename: f.name, mimeType: f.type || guessMimeByExt(f.name), size: f.size },
1674
+ });
1675
+ out.push(rep);
1815
1676
  }
1677
+ return out;
1816
1678
  }
1817
- /**
1818
- * Quick export helper
1819
- */
1820
- function exportScanResults(reports, format, options) {
1821
- const exporter = new ScanResultExporter();
1822
- return exporter.export(reports, format, options);
1679
+
1680
+ async function createRemoteEngine(opts) {
1681
+ const { endpoint, headers = {}, rulesField = "rules", fileField = "file", mode = "multipart", rulesAsBase64 = false, } = opts;
1682
+ const engine = {
1683
+ async compile(rulesSource) {
1684
+ return {
1685
+ async scan(data) {
1686
+ const fetchFn = globalThis.fetch;
1687
+ if (!fetchFn)
1688
+ throw new Error("[remote-yara] fetch non disponibile in questo ambiente");
1689
+ let res;
1690
+ if (mode === "multipart") {
1691
+ const FormDataCtor = globalThis.FormData;
1692
+ const BlobCtor = globalThis.Blob;
1693
+ if (!FormDataCtor || !BlobCtor) {
1694
+ throw new Error("[remote-yara] FormData/Blob non disponibili (usa json-base64 oppure esegui in browser)");
1695
+ }
1696
+ const form = new FormDataCtor();
1697
+ form.set(rulesField, new BlobCtor([rulesSource], { type: "text/plain" }), "rules.yar");
1698
+ form.set(fileField, new BlobCtor([data], { type: "application/octet-stream" }), "sample.bin");
1699
+ res = await fetchFn(endpoint, { method: "POST", body: form, headers });
1700
+ }
1701
+ else {
1702
+ const b64 = base64FromBytes(data);
1703
+ const payload = { [fileField]: b64 };
1704
+ if (rulesAsBase64) {
1705
+ payload["rulesB64"] = base64FromString(rulesSource);
1706
+ }
1707
+ else {
1708
+ payload[rulesField] = rulesSource;
1709
+ }
1710
+ res = await fetchFn(endpoint, {
1711
+ method: "POST",
1712
+ headers: { "Content-Type": "application/json", ...headers },
1713
+ body: JSON.stringify(payload),
1714
+ });
1715
+ }
1716
+ if (!res.ok) {
1717
+ throw new Error(`[remote-yara] HTTP ${res.status} ${res.statusText}`);
1718
+ }
1719
+ const json = await res.json().catch(() => null);
1720
+ const arr = Array.isArray(json) ? json : (json?.matches ?? []);
1721
+ return (arr ?? []).map((m) => ({
1722
+ rule: m.rule ?? m.ruleIdentifier ?? "unknown",
1723
+ tags: m.tags ?? [],
1724
+ }));
1725
+ },
1726
+ };
1727
+ },
1728
+ };
1729
+ return engine;
1730
+ }
1731
+ // Helpers
1732
+ function base64FromBytes(bytes) {
1733
+ // usa btoa se disponibile (browser); altrimenti fallback manuale
1734
+ const btoaFn = globalThis.btoa;
1735
+ let bin = "";
1736
+ for (let i = 0; i < bytes.byteLength; i++)
1737
+ bin += String.fromCharCode(bytes[i]);
1738
+ return btoaFn ? btoaFn(bin) : Buffer.from(bin, "binary").toString("base64");
1739
+ }
1740
+ function base64FromString(s) {
1741
+ const btoaFn = globalThis.btoa;
1742
+ return btoaFn ? btoaFn(s) : Buffer.from(s, "utf8").toString("base64");
1823
1743
  }
1824
1744
 
1745
+ // src/scan/remote.ts
1825
1746
  /**
1826
- * Advanced configuration system for pompelmi
1827
- * @module config
1828
- */
1829
- /**
1830
- * Default configuration
1747
+ * Scansiona una lista di File nel browser usando il motore remoto via HTTP.
1748
+ * Non richiede WASM né dipendenze native sul client.
1831
1749
  */
1832
- const DEFAULT_CONFIG = {
1833
- defaultPreset: 'zip-basic',
1834
- performance: {
1835
- enableCache: false,
1836
- enablePerformanceTracking: false,
1837
- enableParallel: true,
1838
- maxConcurrency: 5,
1839
- cacheOptions: {
1840
- maxSize: 1000,
1841
- ttl: 3600000, // 1 hour
1842
- enableLRU: true,
1843
- enableStats: false,
1844
- },
1845
- },
1846
- security: {
1847
- maxFileSize: 100 * 1024 * 1024, // 100MB
1848
- enableThreatIntel: false,
1849
- scanTimeout: 30000, // 30 seconds
1850
- strictMode: false,
1851
- },
1852
- advanced: {
1853
- enablePolyglotDetection: true,
1854
- enableObfuscationDetection: true,
1855
- enableNestedArchiveAnalysis: true,
1856
- maxArchiveDepth: 5,
1857
- },
1858
- logging: {
1859
- verbose: false,
1860
- level: 'info',
1861
- enableStats: false,
1862
- },
1750
+ async function scanFilesWithRemoteYara(files, rulesSource, remote) {
1751
+ const engine = await createRemoteEngine(remote);
1752
+ const compiled = await engine.compile(rulesSource);
1753
+ const results = [];
1754
+ for (const file of files) {
1755
+ try {
1756
+ const bytes = new Uint8Array(await file.arrayBuffer());
1757
+ const matches = await compiled.scan(bytes);
1758
+ results.push({ file, matches });
1759
+ }
1760
+ catch (err) {
1761
+ console.warn("[remote-yara] scan error for", file.name, err);
1762
+ results.push({ file, matches: [], error: String(err?.message ?? err) });
1763
+ }
1764
+ }
1765
+ return results;
1766
+ }
1767
+
1768
+ const SIG_CEN = 0x02014b50;
1769
+ const DEFAULTS = {
1770
+ maxEntries: 1000,
1771
+ maxTotalUncompressedBytes: 500 * 1024 * 1024,
1772
+ maxEntryNameLength: 255,
1773
+ maxCompressionRatio: 1000,
1774
+ eocdSearchWindow: 70000,
1863
1775
  };
1864
- /**
1865
- * Configuration presets for common use cases
1866
- */
1867
- const CONFIG_PRESETS = {
1868
- /** Fast scanning with minimal features */
1869
- fast: {
1870
- defaultPreset: 'basic',
1871
- performance: {
1872
- enableCache: true,
1873
- enablePerformanceTracking: false,
1874
- maxConcurrency: 10,
1875
- },
1876
- advanced: {
1877
- enablePolyglotDetection: false,
1878
- enableObfuscationDetection: false,
1879
- enableNestedArchiveAnalysis: false,
1880
- },
1881
- },
1882
- /** Balanced scanning (recommended) */
1883
- balanced: DEFAULT_CONFIG,
1884
- /** Thorough scanning with all features */
1885
- thorough: {
1886
- defaultPreset: 'advanced',
1887
- performance: {
1888
- enableCache: true,
1889
- enablePerformanceTracking: true,
1890
- maxConcurrency: 3,
1891
- },
1892
- security: {
1893
- maxFileSize: 500 * 1024 * 1024, // 500MB
1894
- enableThreatIntel: true,
1895
- scanTimeout: 60000, // 60 seconds
1896
- strictMode: true,
1897
- },
1898
- advanced: {
1899
- enablePolyglotDetection: true,
1900
- enableObfuscationDetection: true,
1901
- enableNestedArchiveAnalysis: true,
1902
- maxArchiveDepth: 10,
1903
- },
1904
- logging: {
1905
- verbose: true,
1906
- level: 'debug',
1907
- enableStats: true,
1776
+ function r16(buf, off) {
1777
+ return buf.readUInt16LE(off);
1778
+ }
1779
+ function r32(buf, off) {
1780
+ return buf.readUInt32LE(off);
1781
+ }
1782
+ function isZipLike(buf) {
1783
+ // local file header at start is common
1784
+ return (buf.length >= 4 && buf[0] === 0x50 && buf[1] === 0x4b && buf[2] === 0x03 && buf[3] === 0x04);
1785
+ }
1786
+ function lastIndexOfEOCD(buf, window) {
1787
+ const sig = Buffer.from([0x50, 0x4b, 0x05, 0x06]);
1788
+ const start = Math.max(0, buf.length - window);
1789
+ const idx = buf.lastIndexOf(sig, Math.min(buf.length - sig.length, buf.length - 1));
1790
+ return idx >= start ? idx : -1;
1791
+ }
1792
+ function hasTraversal(name) {
1793
+ return (name.includes("../") || name.includes("..\\") || name.startsWith("/") || /^[A-Za-z]:/.test(name));
1794
+ }
1795
+ function createZipBombGuard(opts = {}) {
1796
+ const cfg = { ...DEFAULTS, ...opts };
1797
+ return {
1798
+ async scan(input) {
1799
+ const buf = Buffer.from(input);
1800
+ const matches = [];
1801
+ if (!isZipLike(buf))
1802
+ return matches;
1803
+ // Find EOCD near the end
1804
+ const eocdPos = lastIndexOfEOCD(buf, cfg.eocdSearchWindow);
1805
+ if (eocdPos < 0 || eocdPos + 22 > buf.length) {
1806
+ // ZIP but no EOCD — malformed or polyglot → suspicious
1807
+ matches.push({ rule: "zip_eocd_not_found", severity: "medium" });
1808
+ return matches;
1809
+ }
1810
+ const totalEntries = r16(buf, eocdPos + 10);
1811
+ const cdSize = r32(buf, eocdPos + 12);
1812
+ const cdOffset = r32(buf, eocdPos + 16);
1813
+ // Bounds check
1814
+ if (cdOffset + cdSize > buf.length) {
1815
+ matches.push({ rule: "zip_cd_out_of_bounds", severity: "medium" });
1816
+ return matches;
1817
+ }
1818
+ // Iterate central directory entries
1819
+ let ptr = cdOffset;
1820
+ let seen = 0;
1821
+ let sumComp = 0;
1822
+ let sumUnc = 0;
1823
+ while (ptr + 46 <= cdOffset + cdSize && seen < totalEntries) {
1824
+ const sig = r32(buf, ptr);
1825
+ if (sig !== SIG_CEN)
1826
+ break; // stop if structure breaks
1827
+ const compSize = r32(buf, ptr + 20);
1828
+ const uncSize = r32(buf, ptr + 24);
1829
+ const fnLen = r16(buf, ptr + 28);
1830
+ const exLen = r16(buf, ptr + 30);
1831
+ const cmLen = r16(buf, ptr + 32);
1832
+ const nameStart = ptr + 46;
1833
+ const nameEnd = nameStart + fnLen;
1834
+ if (nameEnd > buf.length)
1835
+ break;
1836
+ const name = buf.toString("utf8", nameStart, nameEnd);
1837
+ sumComp += compSize;
1838
+ sumUnc += uncSize;
1839
+ seen++;
1840
+ if (name.length > cfg.maxEntryNameLength) {
1841
+ matches.push({
1842
+ rule: "zip_entry_name_too_long",
1843
+ severity: "medium",
1844
+ meta: { name, length: name.length },
1845
+ });
1846
+ }
1847
+ if (hasTraversal(name)) {
1848
+ matches.push({ rule: "zip_path_traversal_entry", severity: "medium", meta: { name } });
1849
+ }
1850
+ // move to next entry
1851
+ ptr = nameEnd + exLen + cmLen;
1852
+ }
1853
+ if (seen !== totalEntries) {
1854
+ // central dir truncated/odd, still report what we found
1855
+ matches.push({
1856
+ rule: "zip_cd_truncated",
1857
+ severity: "medium",
1858
+ meta: { seen, totalEntries },
1859
+ });
1860
+ }
1861
+ // Heuristics thresholds
1862
+ if (seen > cfg.maxEntries) {
1863
+ matches.push({
1864
+ rule: "zip_too_many_entries",
1865
+ severity: "medium",
1866
+ meta: { seen, limit: cfg.maxEntries },
1867
+ });
1868
+ }
1869
+ if (sumUnc > cfg.maxTotalUncompressedBytes) {
1870
+ matches.push({
1871
+ rule: "zip_total_uncompressed_too_large",
1872
+ severity: "medium",
1873
+ meta: { totalUncompressed: sumUnc, limit: cfg.maxTotalUncompressedBytes },
1874
+ });
1875
+ }
1876
+ if (sumComp === 0 && sumUnc > 0) {
1877
+ matches.push({
1878
+ rule: "zip_suspicious_ratio",
1879
+ severity: "medium",
1880
+ meta: { ratio: Infinity },
1881
+ });
1882
+ }
1883
+ else if (sumComp > 0) {
1884
+ const ratio = sumUnc / Math.max(1, sumComp);
1885
+ if (ratio >= cfg.maxCompressionRatio) {
1886
+ matches.push({
1887
+ rule: "zip_suspicious_ratio",
1888
+ severity: "medium",
1889
+ meta: { ratio, limit: cfg.maxCompressionRatio },
1890
+ });
1891
+ }
1892
+ }
1893
+ return matches;
1908
1894
  },
1895
+ };
1896
+ }
1897
+
1898
+ /** Decompilation-specific types for Pompelmi */
1899
+ const SUSPICIOUS_PATTERNS = [
1900
+ {
1901
+ name: "syscall_direct",
1902
+ description: "Direct system call without library wrapper",
1903
+ severity: "medium",
1904
+ pattern: /syscall|sysenter|int\s+0x80/i,
1909
1905
  },
1910
- /** Production-ready configuration */
1911
- production: {
1912
- defaultPreset: 'advanced',
1913
- performance: {
1914
- enableCache: true,
1915
- enablePerformanceTracking: true,
1916
- maxConcurrency: 5,
1917
- cacheOptions: {
1918
- maxSize: 5000,
1919
- ttl: 7200000, // 2 hours
1920
- enableLRU: true,
1921
- enableStats: true,
1922
- },
1923
- },
1924
- security: {
1925
- maxFileSize: 200 * 1024 * 1024, // 200MB
1926
- enableThreatIntel: true,
1927
- scanTimeout: 45000,
1928
- strictMode: false,
1929
- },
1930
- advanced: {
1931
- enablePolyglotDetection: true,
1932
- enableObfuscationDetection: true,
1933
- enableNestedArchiveAnalysis: true,
1934
- maxArchiveDepth: 7,
1935
- },
1936
- logging: {
1937
- verbose: false,
1938
- level: 'warn',
1939
- enableStats: true,
1940
- },
1906
+ {
1907
+ name: "process_injection",
1908
+ description: "Process injection techniques",
1909
+ severity: "high",
1910
+ pattern: /CreateRemoteThread|WriteProcessMemory|VirtualAllocEx/i,
1941
1911
  },
1942
- /** Development configuration */
1943
- development: {
1944
- defaultPreset: 'basic',
1945
- performance: {
1946
- enableCache: false,
1947
- enablePerformanceTracking: true,
1948
- maxConcurrency: 3,
1949
- },
1950
- security: {
1951
- maxFileSize: 50 * 1024 * 1024, // 50MB
1952
- scanTimeout: 15000,
1953
- strictMode: false,
1954
- },
1955
- logging: {
1956
- verbose: true,
1957
- level: 'debug',
1958
- enableStats: true,
1959
- },
1912
+ {
1913
+ name: "anti_debug",
1914
+ description: "Anti-debugging techniques",
1915
+ severity: "medium",
1916
+ pattern: /IsDebuggerPresent|CheckRemoteDebuggerPresent|OutputDebugString/i,
1960
1917
  },
1961
- };
1918
+ {
1919
+ name: "obfuscation_xor",
1920
+ description: "XOR-based obfuscation pattern",
1921
+ severity: "medium",
1922
+ pattern: /xor.*0x[0-9a-f]+.*xor/i,
1923
+ },
1924
+ {
1925
+ name: "crypto_constants",
1926
+ description: "Cryptographic constants",
1927
+ severity: "low",
1928
+ pattern: /0x67452301|0xefcdab89|0x98badcfe|0x10325476/i,
1929
+ },
1930
+ ];
1931
+
1962
1932
  /**
1963
- * Configuration manager
1933
+ * Batch scanning with concurrency control
1934
+ * @module utils/batch-scanner
1964
1935
  */
1965
- class ConfigManager {
1966
- constructor(initialConfig) {
1967
- this.config = this.mergeConfig(DEFAULT_CONFIG, initialConfig || {});
1968
- }
1969
- /**
1970
- * Get current configuration
1971
- */
1972
- getConfig() {
1973
- return { ...this.config };
1974
- }
1975
- /**
1976
- * Update configuration
1977
- */
1978
- updateConfig(updates) {
1979
- this.config = this.mergeConfig(this.config, updates);
1980
- }
1981
- /**
1982
- * Load a preset configuration
1983
- */
1984
- loadPreset(preset) {
1985
- const presetConfig = CONFIG_PRESETS[preset];
1986
- this.config = this.mergeConfig(DEFAULT_CONFIG, presetConfig);
1987
- }
1988
- /**
1989
- * Reset to default configuration
1990
- */
1991
- reset() {
1992
- this.config = { ...DEFAULT_CONFIG };
1993
- }
1994
- /**
1995
- * Get a specific configuration value
1996
- */
1997
- get(key) {
1998
- return this.config[key];
1999
- }
2000
- /**
2001
- * Set a specific configuration value
2002
- */
2003
- set(key, value) {
2004
- this.config[key] = value;
1936
+ /**
1937
+ * Batch file scanner with concurrency control and progress tracking
1938
+ */
1939
+ class BatchScanner {
1940
+ constructor(options = {}) {
1941
+ this.options = {
1942
+ concurrency: 5,
1943
+ continueOnError: true,
1944
+ ...options,
1945
+ };
2005
1946
  }
2006
1947
  /**
2007
- * Validate configuration
1948
+ * Scan multiple files with controlled concurrency
2008
1949
  */
2009
- validate() {
1950
+ async scanBatch(tasks) {
1951
+ const startTime = Date.now();
1952
+ const results = new Array(tasks.length);
2010
1953
  const errors = [];
2011
- // Validate performance settings
2012
- if (this.config.performance?.maxConcurrency !== undefined) {
2013
- if (this.config.performance.maxConcurrency < 1) {
2014
- errors.push('maxConcurrency must be at least 1');
2015
- }
2016
- if (this.config.performance.maxConcurrency > 50) {
2017
- errors.push('maxConcurrency should not exceed 50');
2018
- }
2019
- }
2020
- // Validate security settings
2021
- if (this.config.security?.maxFileSize !== undefined) {
2022
- if (this.config.security.maxFileSize < 1024) {
2023
- errors.push('maxFileSize must be at least 1KB');
1954
+ let successCount = 0;
1955
+ let errorCount = 0;
1956
+ let completedCount = 0;
1957
+ const concurrency = this.options.concurrency ?? 5;
1958
+ // Process tasks in chunks with controlled concurrency
1959
+ const processingQueue = [];
1960
+ let currentIndex = 0;
1961
+ const processTask = async (index) => {
1962
+ try {
1963
+ const task = tasks[index];
1964
+ const report = await scanBytes(task.content, {
1965
+ ...this.options,
1966
+ ctx: task.context,
1967
+ });
1968
+ results[index] = report;
1969
+ successCount++;
1970
+ completedCount++;
1971
+ if (this.options.onProgress) {
1972
+ this.options.onProgress(completedCount, tasks.length, report);
1973
+ }
2024
1974
  }
2025
- }
2026
- if (this.config.security?.scanTimeout !== undefined) {
2027
- if (this.config.security.scanTimeout < 1000) {
2028
- errors.push('scanTimeout must be at least 1000ms');
1975
+ catch (error) {
1976
+ errorCount++;
1977
+ completedCount++;
1978
+ const err = error instanceof Error ? error : new Error(String(error));
1979
+ if (this.options.onError) {
1980
+ this.options.onError(err, index);
1981
+ }
1982
+ errors.push({ index, error: err });
1983
+ if (!this.options.continueOnError) {
1984
+ throw err;
1985
+ }
1986
+ results[index] = null;
2029
1987
  }
2030
- }
2031
- // Validate advanced settings
2032
- if (this.config.advanced?.maxArchiveDepth !== undefined) {
2033
- if (this.config.advanced.maxArchiveDepth < 1) {
2034
- errors.push('maxArchiveDepth must be at least 1');
1988
+ };
1989
+ // Start initial batch of concurrent tasks
1990
+ while (currentIndex < tasks.length) {
1991
+ while (processingQueue.length < concurrency && currentIndex < tasks.length) {
1992
+ const promise = processTask(currentIndex);
1993
+ processingQueue.push(promise);
1994
+ currentIndex++;
1995
+ // Remove completed promises from queue
1996
+ promise.finally(() => {
1997
+ const idx = processingQueue.indexOf(promise);
1998
+ if (idx > -1)
1999
+ processingQueue.splice(idx, 1);
2000
+ });
2035
2001
  }
2036
- if (this.config.advanced.maxArchiveDepth > 20) {
2037
- errors.push('maxArchiveDepth should not exceed 20');
2002
+ // Wait for at least one task to complete before continuing
2003
+ if (processingQueue.length >= concurrency) {
2004
+ await Promise.race(processingQueue);
2038
2005
  }
2039
2006
  }
2007
+ // Wait for all remaining tasks
2008
+ await Promise.all(processingQueue);
2009
+ const totalDurationMs = Date.now() - startTime;
2040
2010
  return {
2041
- valid: errors.length === 0,
2011
+ reports: results,
2012
+ successCount,
2013
+ errorCount,
2014
+ totalDurationMs,
2042
2015
  errors,
2043
2016
  };
2044
2017
  }
2045
2018
  /**
2046
- * Deep merge configuration objects
2019
+ * Scan files from File objects (browser environment)
2047
2020
  */
2048
- mergeConfig(base, updates) {
2049
- return {
2050
- ...base,
2051
- ...updates,
2052
- performance: {
2053
- ...base.performance,
2054
- ...updates.performance,
2055
- cacheOptions: {
2056
- ...base.performance?.cacheOptions,
2057
- ...updates.performance?.cacheOptions,
2058
- },
2059
- },
2060
- security: {
2061
- ...base.security,
2062
- ...updates.security,
2063
- },
2064
- advanced: {
2065
- ...base.advanced,
2066
- ...updates.advanced,
2067
- },
2068
- logging: {
2069
- ...base.logging,
2070
- ...updates.logging,
2071
- },
2072
- callbacks: {
2073
- ...base.callbacks,
2074
- ...updates.callbacks,
2075
- },
2076
- presetOptions: {
2077
- ...base.presetOptions,
2078
- ...updates.presetOptions,
2021
+ async scanFiles(files) {
2022
+ const tasks = await Promise.all(files.map(async (file) => ({
2023
+ content: new Uint8Array(await file.arrayBuffer()),
2024
+ context: {
2025
+ filename: file.name,
2026
+ mimeType: file.type,
2027
+ size: file.size,
2079
2028
  },
2080
- };
2081
- }
2082
- /**
2083
- * Export configuration as JSON
2084
- */
2085
- toJSON() {
2086
- return JSON.stringify(this.config, null, 2);
2029
+ })));
2030
+ return this.scanBatch(tasks);
2087
2031
  }
2088
2032
  /**
2089
- * Load configuration from JSON
2033
+ * Scan files from file paths (Node.js environment)
2090
2034
  */
2091
- fromJSON(json) {
2092
- try {
2093
- const parsed = JSON.parse(json);
2094
- this.config = this.mergeConfig(DEFAULT_CONFIG, parsed);
2095
- }
2096
- catch (error) {
2097
- throw new Error(`Failed to parse configuration JSON: ${error}`);
2098
- }
2035
+ async scanFilePaths(filePaths) {
2036
+ const fs = await import('fs/promises');
2037
+ const path = await import('path');
2038
+ const tasks = await Promise.all(filePaths.map(async (filePath) => {
2039
+ const [content, stats] = await Promise.all([fs.readFile(filePath), fs.stat(filePath)]);
2040
+ return {
2041
+ content: new Uint8Array(content),
2042
+ context: {
2043
+ filename: path.basename(filePath),
2044
+ size: stats.size,
2045
+ },
2046
+ };
2047
+ }));
2048
+ return this.scanBatch(tasks);
2099
2049
  }
2100
2050
  }
2101
2051
  /**
2102
- * Create a new configuration manager
2052
+ * Quick helper for batch scanning with default options
2103
2053
  */
2104
- function createConfig(config) {
2105
- return new ConfigManager(config);
2054
+ async function batchScan(tasks, options) {
2055
+ const scanner = new BatchScanner(options);
2056
+ return scanner.scanBatch(tasks);
2106
2057
  }
2058
+
2107
2059
  /**
2108
- * Get a preset configuration
2060
+ * Export utilities for scan results
2061
+ * @module utils/export
2109
2062
  */
2110
- function getPresetConfig(preset) {
2111
- return { ...DEFAULT_CONFIG, ...CONFIG_PRESETS[preset] };
2112
- }
2113
-
2114
2063
  /**
2115
- * HIPAA Compliance Module for Pompelmi
2116
- *
2117
- * This module provides comprehensive HIPAA compliance features for healthcare environments
2118
- * where Pompelmi is used to analyze potentially compromised systems containing PHI.
2119
- *
2120
- * Key protections:
2121
- * - Data sanitization and redaction
2122
- * - Secure temporary file handling
2123
- * - Audit logging
2124
- * - Memory protection
2125
- * - Error message sanitization
2064
+ * Export scan results to various formats
2126
2065
  */
2127
- class HipaaComplianceManager {
2128
- constructor(config) {
2129
- this.auditEvents = [];
2130
- this.config = {
2131
- sanitizeErrors: true,
2132
- sanitizeFilenames: true,
2133
- encryptTempFiles: true,
2134
- memoryProtection: true,
2135
- requireSecureTransport: true,
2136
- ...config,
2137
- enabled: config.enabled !== undefined ? config.enabled : true
2138
- };
2139
- this.sessionId = this.generateSessionId();
2140
- }
2066
+ class ScanResultExporter {
2141
2067
  /**
2142
- * Sanitize filename to prevent PHI leakage in logs
2068
+ * Export to JSON format
2143
2069
  */
2144
- sanitizeFilename(filename) {
2145
- if (!this.config.enabled || !this.config.sanitizeFilenames || !filename) {
2146
- return filename || 'unknown';
2070
+ toJSON(reports, options = {}) {
2071
+ const data = Array.isArray(reports) ? reports : [reports];
2072
+ if (!options.includeDetails) {
2073
+ // Simplified output
2074
+ const simplified = data.map((r) => ({
2075
+ verdict: r.verdict,
2076
+ file: r.file?.name,
2077
+ matches: r.matches.length,
2078
+ durationMs: r.durationMs,
2079
+ }));
2080
+ return options.prettyPrint ? JSON.stringify(simplified, null, 2) : JSON.stringify(simplified);
2147
2081
  }
2148
- // Remove potentially sensitive path information
2149
- const basename = path.basename(filename);
2150
- // Hash the filename to create a consistent but non-revealing identifier
2151
- const hash = crypto.createHash('sha256').update(basename).digest('hex').substring(0, 8);
2152
- // Preserve file extension for analysis purposes
2153
- const ext = path.extname(basename);
2154
- return `file_${hash}${ext}`;
2082
+ return options.prettyPrint ? JSON.stringify(data, null, 2) : JSON.stringify(data);
2155
2083
  }
2156
2084
  /**
2157
- * Sanitize error messages to prevent PHI exposure
2085
+ * Export to CSV format
2158
2086
  */
2159
- sanitizeError(error) {
2160
- if (!this.config.enabled || !this.config.sanitizeErrors) {
2161
- return typeof error === 'string' ? error : error.message;
2087
+ toCSV(reports, options = {}) {
2088
+ const data = Array.isArray(reports) ? reports : [reports];
2089
+ const headers = [
2090
+ "filename",
2091
+ "verdict",
2092
+ "matches_count",
2093
+ "file_size",
2094
+ "mime_type",
2095
+ "duration_ms",
2096
+ "engine",
2097
+ ];
2098
+ if (options.includeDetails) {
2099
+ headers.push("reasons", "match_rules");
2162
2100
  }
2163
- const message = typeof error === 'string' ? error : error.message;
2164
- // Remove common patterns that might contain PHI
2165
- let sanitized = message
2166
- // Remove file paths
2167
- .replace(/[A-Za-z]:\\\\[^\\s]+/g, '[REDACTED_PATH]')
2168
- .replace(/\/[^\\s]+/g, '[REDACTED_PATH]')
2169
- // Remove potential patient identifiers (numbers that could be MRNs, SSNs)
2170
- .replace(/\\b\\d{3}-?\\d{2}-?\\d{4}\\b/g, '[REDACTED_ID]')
2171
- .replace(/\\b\\d{6,}\\b/g, '[REDACTED_ID]')
2172
- // Remove email addresses
2173
- .replace(/[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}/g, '[REDACTED_EMAIL]')
2174
- // Remove potential names (capitalize words in error messages)
2175
- .replace(/\\b[A-Z][a-z]+\\s+[A-Z][a-z]+\\b/g, '[REDACTED_NAME]')
2176
- // Remove IP addresses
2177
- .replace(/\\b(?:\\d{1,3}\\.){3}\\d{1,3}\\b/g, '[REDACTED_IP]');
2178
- return sanitized;
2101
+ const rows = data.map((report) => {
2102
+ const row = [
2103
+ this.escapeCsv(report.file?.name || "unknown"),
2104
+ report.verdict,
2105
+ report.matches.length.toString(),
2106
+ (report.file?.size || 0).toString(),
2107
+ this.escapeCsv(report.file?.mimeType || "unknown"),
2108
+ (report.durationMs || 0).toString(),
2109
+ report.engine || "unknown",
2110
+ ];
2111
+ if (options.includeDetails) {
2112
+ row.push(this.escapeCsv((report.reasons || []).join("; ")), this.escapeCsv(report.matches.map((m) => m.rule).join("; ")));
2113
+ }
2114
+ return row.join(",");
2115
+ });
2116
+ return [headers.join(","), ...rows].join("\n");
2179
2117
  }
2180
2118
  /**
2181
- * Create secure temporary file path with encryption if enabled
2119
+ * Export to Markdown format
2182
2120
  */
2183
- createSecureTempPath(prefix = 'pompelmi') {
2184
- if (!this.config.enabled) {
2185
- return path.join(os.tmpdir(), `${prefix}-${Date.now()}-${Math.random().toString(36).slice(2)}`);
2121
+ toMarkdown(reports, options = {}) {
2122
+ const data = Array.isArray(reports) ? reports : [reports];
2123
+ let md = "# Scan Results\n\n";
2124
+ md += `**Total Scans:** ${data.length}\n\n`;
2125
+ const clean = data.filter((r) => r.verdict === "clean").length;
2126
+ const suspicious = data.filter((r) => r.verdict === "suspicious").length;
2127
+ const malicious = data.filter((r) => r.verdict === "malicious").length;
2128
+ md += "## Summary\n\n";
2129
+ md += `- ✅ Clean: ${clean}\n`;
2130
+ md += `- ⚠️ Suspicious: ${suspicious}\n`;
2131
+ md += `- ❌ Malicious: ${malicious}\n\n`;
2132
+ md += "## Detailed Results\n\n";
2133
+ for (const report of data) {
2134
+ const icon = report.verdict === "clean" ? "✅" : report.verdict === "suspicious" ? "⚠️" : "❌";
2135
+ md += `### ${icon} ${report.file?.name || "Unknown"}\n\n`;
2136
+ md += `- **Verdict:** ${report.verdict}\n`;
2137
+ md += `- **Size:** ${this.formatBytes(report.file?.size || 0)}\n`;
2138
+ md += `- **MIME Type:** ${report.file?.mimeType || "unknown"}\n`;
2139
+ md += `- **Duration:** ${report.durationMs || 0}ms\n`;
2140
+ md += `- **Matches:** ${report.matches.length}\n`;
2141
+ if (options.includeDetails && report.matches.length > 0) {
2142
+ md += "\n**Match Details:**\n";
2143
+ for (const match of report.matches) {
2144
+ md += `- ${match.rule}`;
2145
+ if (match.tags && match.tags.length > 0) {
2146
+ md += ` (${match.tags.join(", ")})`;
2147
+ }
2148
+ md += "\n";
2149
+ }
2150
+ }
2151
+ md += "\n";
2186
2152
  }
2187
- // Use cryptographically secure random names
2188
- const randomId = crypto.randomBytes(16).toString('hex');
2189
- const timestamp = Date.now();
2190
- // Create path in secure temp directory
2191
- const secureTempDir = this.getSecureTempDir();
2192
- const tempPath = path.join(secureTempDir, `${prefix}-${timestamp}-${randomId}`);
2193
- this.auditLog('temp_file_created', {
2194
- action: 'create_temp_file',
2195
- success: true,
2196
- metadata: { path: this.sanitizeFilename(tempPath) }
2197
- });
2198
- return tempPath;
2153
+ return md;
2199
2154
  }
2200
2155
  /**
2201
- * Get or create secure temporary directory with restricted permissions
2156
+ * Export to SARIF format (Static Analysis Results Interchange Format)
2157
+ * Useful for CI/CD integration
2202
2158
  */
2203
- getSecureTempDir() {
2204
- const secureTempPath = path.join(os.tmpdir(), 'pompelmi-secure');
2205
- try {
2206
- const fs = require('fs');
2207
- if (!fs.existsSync(secureTempPath)) {
2208
- fs.mkdirSync(secureTempPath, { mode: 0o700 }); // Owner read/write/execute only
2209
- }
2210
- }
2211
- catch (error) {
2212
- // Fallback to system temp
2213
- return os.tmpdir();
2214
- }
2215
- return secureTempPath;
2159
+ toSARIF(reports, options = {}) {
2160
+ const data = Array.isArray(reports) ? reports : [reports];
2161
+ const results = data.flatMap((report) => {
2162
+ if (report.verdict === "clean")
2163
+ return [];
2164
+ return report.matches.map((match) => ({
2165
+ ruleId: match.rule,
2166
+ level: report.verdict === "malicious" ? "error" : "warning",
2167
+ message: {
2168
+ text: `${match.rule} detected in ${report.file?.name || "unknown file"}`,
2169
+ },
2170
+ locations: [
2171
+ {
2172
+ physicalLocation: {
2173
+ artifactLocation: {
2174
+ uri: report.file?.name || "unknown",
2175
+ },
2176
+ },
2177
+ },
2178
+ ],
2179
+ properties: {
2180
+ tags: match.tags,
2181
+ metadata: match.meta,
2182
+ },
2183
+ }));
2184
+ });
2185
+ const sarif = {
2186
+ version: "2.1.0",
2187
+ $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
2188
+ runs: [
2189
+ {
2190
+ tool: {
2191
+ driver: {
2192
+ name: "Pompelmi",
2193
+ version: "0.29.0",
2194
+ informationUri: "https://pompelmi.github.io/pompelmi/",
2195
+ },
2196
+ },
2197
+ results,
2198
+ },
2199
+ ],
2200
+ };
2201
+ return options.prettyPrint ? JSON.stringify(sarif, null, 2) : JSON.stringify(sarif);
2216
2202
  }
2217
2203
  /**
2218
- * Secure file cleanup with multiple overwrite passes
2204
+ * Export to HTML format
2219
2205
  */
2220
- async secureFileCleanup(filePath) {
2221
- if (!this.config.enabled) {
2222
- try {
2223
- const fs = await import('fs/promises');
2224
- await fs.unlink(filePath);
2225
- }
2226
- catch {
2227
- // Ignore cleanup errors
2228
- }
2229
- return;
2230
- }
2231
- try {
2232
- const fs = await import('fs/promises');
2233
- const stats = await fs.stat(filePath);
2234
- if (this.config.memoryProtection) {
2235
- // Overwrite file with random data multiple times (DoD 5220.22-M standard)
2236
- const fileSize = stats.size;
2237
- const buffer = crypto.randomBytes(Math.min(fileSize, 64 * 1024)); // 64KB chunks
2238
- for (let pass = 0; pass < 3; pass++) {
2239
- const handle = await fs.open(filePath, 'r+');
2240
- try {
2241
- for (let offset = 0; offset < fileSize; offset += buffer.length) {
2242
- const chunk = offset + buffer.length > fileSize
2243
- ? buffer.subarray(0, fileSize - offset)
2244
- : buffer;
2245
- await handle.write(chunk, 0, chunk.length, offset);
2246
- }
2247
- await handle.sync();
2248
- }
2249
- finally {
2250
- await handle.close();
2206
+ toHTML(reports, options = {}) {
2207
+ const data = Array.isArray(reports) ? reports : [reports];
2208
+ const clean = data.filter((r) => r.verdict === "clean").length;
2209
+ const suspicious = data.filter((r) => r.verdict === "suspicious").length;
2210
+ const malicious = data.filter((r) => r.verdict === "malicious").length;
2211
+ let html = `<!DOCTYPE html>
2212
+ <html lang="en">
2213
+ <head>
2214
+ <meta charset="UTF-8">
2215
+ <meta name="viewport" content="width=device-width, initial-scale=1.0">
2216
+ <title>Pompelmi Scan Results</title>
2217
+ <style>
2218
+ body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; max-width: 1200px; margin: 0 auto; padding: 20px; }
2219
+ .summary { display: grid; grid-template-columns: repeat(3, 1fr); gap: 20px; margin: 20px 0; }
2220
+ .card { padding: 20px; border-radius: 8px; text-align: center; }
2221
+ .clean { background: #d4edda; color: #155724; }
2222
+ .suspicious { background: #fff3cd; color: #856404; }
2223
+ .malicious { background: #f8d7da; color: #721c24; }
2224
+ .result { border: 1px solid #ddd; border-radius: 8px; padding: 15px; margin: 10px 0; }
2225
+ .result h3 { margin-top: 0; }
2226
+ .badge { display: inline-block; padding: 4px 8px; border-radius: 4px; font-size: 0.8em; margin: 2px; }
2227
+ table { width: 100%; border-collapse: collapse; }
2228
+ th, td { padding: 8px; text-align: left; border-bottom: 1px solid #ddd; }
2229
+ </style>
2230
+ </head>
2231
+ <body>
2232
+ <h1>🛡️ Pompelmi Scan Results</h1>
2233
+ <div class="summary">
2234
+ <div class="card clean"><h2>${clean}</h2><p>Clean Files</p></div>
2235
+ <div class="card suspicious"><h2>${suspicious}</h2><p>Suspicious Files</p></div>
2236
+ <div class="card malicious"><h2>${malicious}</h2><p>Malicious Files</p></div>
2237
+ </div>
2238
+ <h2>Detailed Results</h2>`;
2239
+ for (const report of data) {
2240
+ const statusClass = report.verdict;
2241
+ html += `<div class="result ${statusClass}">`;
2242
+ html += `<h3>${this.escapeHtml(report.file?.name || "Unknown")}</h3>`;
2243
+ html += `<table>`;
2244
+ html += `<tr><th>Verdict</th><td>${report.verdict.toUpperCase()}</td></tr>`;
2245
+ html += `<tr><th>Size</th><td>${this.formatBytes(report.file?.size || 0)}</td></tr>`;
2246
+ html += `<tr><th>MIME Type</th><td>${this.escapeHtml(report.file?.mimeType || "unknown")}</td></tr>`;
2247
+ html += `<tr><th>Duration</th><td>${report.durationMs || 0}ms</td></tr>`;
2248
+ html += `<tr><th>Matches</th><td>${report.matches.length}</td></tr>`;
2249
+ html += `</table>`;
2250
+ if (options.includeDetails && report.matches.length > 0) {
2251
+ html += `<h4>Match Details:</h4><ul>`;
2252
+ for (const match of report.matches) {
2253
+ html += `<li><strong>${this.escapeHtml(match.rule)}</strong>`;
2254
+ if (match.tags && match.tags.length > 0) {
2255
+ html += ` ${match.tags.map((tag) => `<span class="badge">${this.escapeHtml(tag)}</span>`).join("")}`;
2251
2256
  }
2257
+ html += `</li>`;
2252
2258
  }
2259
+ html += `</ul>`;
2253
2260
  }
2254
- // Final deletion
2255
- await fs.unlink(filePath);
2256
- this.auditLog('temp_file_deleted', {
2257
- action: 'secure_delete',
2258
- success: true,
2259
- metadata: {
2260
- path: this.sanitizeFilename(filePath),
2261
- overwritePasses: this.config.memoryProtection ? 3 : 0
2262
- }
2263
- });
2261
+ html += `</div>`;
2264
2262
  }
2265
- catch (error) {
2266
- this.auditLog('temp_file_deleted', {
2267
- action: 'secure_delete',
2268
- success: false,
2269
- sanitizedError: this.sanitizeError(error),
2270
- metadata: { path: this.sanitizeFilename(filePath) }
2271
- });
2263
+ html += `</body></html>`;
2264
+ return html;
2265
+ }
2266
+ /**
2267
+ * Export to specified format
2268
+ */
2269
+ export(reports, format, options = {}) {
2270
+ switch (format) {
2271
+ case "json":
2272
+ return this.toJSON(reports, options);
2273
+ case "csv":
2274
+ return this.toCSV(reports, options);
2275
+ case "markdown":
2276
+ return this.toMarkdown(reports, options);
2277
+ case "html":
2278
+ return this.toHTML(reports, options);
2279
+ case "sarif":
2280
+ return this.toSARIF(reports, options);
2281
+ default:
2282
+ throw new Error(`Unsupported export format: ${format}`);
2283
+ }
2284
+ }
2285
+ escapeCsv(value) {
2286
+ if (value.includes(",") || value.includes('"') || value.includes("\n")) {
2287
+ return `"${value.replace(/"/g, '""')}"`;
2272
2288
  }
2289
+ return value;
2290
+ }
2291
+ escapeHtml(value) {
2292
+ return value
2293
+ .replace(/&/g, "&amp;")
2294
+ .replace(/</g, "&lt;")
2295
+ .replace(/>/g, "&gt;")
2296
+ .replace(/"/g, "&quot;")
2297
+ .replace(/'/g, "&#039;");
2298
+ }
2299
+ formatBytes(bytes) {
2300
+ if (bytes === 0)
2301
+ return "0 Bytes";
2302
+ const k = 1024;
2303
+ const sizes = ["Bytes", "KB", "MB", "GB"];
2304
+ const i = Math.floor(Math.log(bytes) / Math.log(k));
2305
+ return Math.round((bytes / k ** i) * 100) / 100 + " " + sizes[i];
2306
+ }
2307
+ }
2308
+ /**
2309
+ * Quick export helper
2310
+ */
2311
+ function exportScanResults(reports, format, options) {
2312
+ const exporter = new ScanResultExporter();
2313
+ return exporter.export(reports, format, options);
2314
+ }
2315
+
2316
+ /**
2317
+ * Threat intelligence integration and enhanced detection
2318
+ * @module utils/threat-intelligence
2319
+ */
2320
+ /**
2321
+ * Built-in threat intelligence - known malware hashes
2322
+ * In production, this would connect to real threat intel APIs
2323
+ */
2324
+ class LocalThreatIntelligence {
2325
+ constructor() {
2326
+ this.name = "Local Database";
2327
+ this.knownThreats = new Map();
2328
+ // Initialize with some example known threats (in production, load from database)
2329
+ this.initializeKnownThreats();
2330
+ }
2331
+ initializeKnownThreats() {
2332
+ // Example: EICAR test file hash
2333
+ this.knownThreats.set("275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", {
2334
+ threatLevel: 100,
2335
+ category: "test-malware",
2336
+ source: "local",
2337
+ metadata: { name: "EICAR Test File" },
2338
+ });
2339
+ }
2340
+ async checkHash(hash) {
2341
+ return this.knownThreats.get(hash.toLowerCase()) || null;
2273
2342
  }
2274
2343
  /**
2275
- * Calculate secure file hash for audit purposes
2344
+ * Add a known threat to the local database
2276
2345
  */
2277
- calculateFileHash(data) {
2278
- return crypto.createHash('sha256').update(data).digest('hex');
2346
+ addThreat(hash, info) {
2347
+ this.knownThreats.set(hash.toLowerCase(), info);
2279
2348
  }
2280
2349
  /**
2281
- * Log audit event
2350
+ * Remove a threat from the local database
2282
2351
  */
2283
- auditLog(eventType, details) {
2284
- if (!this.config.enabled)
2285
- return;
2286
- const event = {
2287
- timestamp: new Date().toISOString(),
2288
- eventType,
2289
- sessionId: this.sessionId,
2290
- details: {
2291
- action: details.action || 'unknown',
2292
- success: details.success ?? true,
2293
- ...details
2294
- }
2295
- };
2296
- this.auditEvents.push(event);
2297
- // Write to audit log file if configured
2298
- if (this.config.auditLogPath) {
2299
- this.writeAuditLog(event).catch(() => {
2300
- // Silent failure to prevent error loops
2301
- });
2302
- }
2352
+ removeThreat(hash) {
2353
+ return this.knownThreats.delete(hash.toLowerCase());
2303
2354
  }
2304
2355
  /**
2305
- * Write audit event to file
2356
+ * Get all known threats
2306
2357
  */
2307
- async writeAuditLog(event) {
2308
- if (!this.config.auditLogPath)
2309
- return;
2310
- try {
2311
- const fs = await import('fs/promises');
2312
- const logLine = JSON.stringify(event) + '\\n';
2313
- await fs.appendFile(this.config.auditLogPath, logLine, { flag: 'a' });
2358
+ getAllThreats() {
2359
+ return new Map(this.knownThreats);
2360
+ }
2361
+ }
2362
+ /**
2363
+ * Threat intelligence aggregator
2364
+ */
2365
+ class ThreatIntelligenceAggregator {
2366
+ constructor(sources) {
2367
+ this.sources = [];
2368
+ if (sources) {
2369
+ this.sources = sources;
2314
2370
  }
2315
- catch {
2316
- // Silent failure
2371
+ else {
2372
+ // Default to local intelligence
2373
+ this.sources = [new LocalThreatIntelligence()];
2317
2374
  }
2318
2375
  }
2319
2376
  /**
2320
- * Generate cryptographically secure session ID
2377
+ * Add a threat intelligence source
2321
2378
  */
2322
- generateSessionId() {
2323
- return crypto.randomBytes(16).toString('hex');
2379
+ addSource(source) {
2380
+ this.sources.push(source);
2324
2381
  }
2325
2382
  /**
2326
- * Get current audit events for this session
2383
+ * Check file hash against all sources
2327
2384
  */
2328
- getAuditEvents() {
2329
- return [...this.auditEvents];
2385
+ async checkHash(hash) {
2386
+ const results = await Promise.allSettled(this.sources.map((source) => source.checkHash(hash)));
2387
+ const threats = [];
2388
+ for (const result of results) {
2389
+ if (result.status === "fulfilled" && result.value) {
2390
+ threats.push(result.value);
2391
+ }
2392
+ }
2393
+ return threats;
2330
2394
  }
2331
2395
  /**
2332
- * Clear sensitive data from memory
2396
+ * Enhance scan report with threat intelligence
2333
2397
  */
2334
- clearSensitiveData() {
2335
- if (!this.config.enabled || !this.config.memoryProtection)
2336
- return;
2337
- // Clear audit events
2338
- this.auditEvents.length = 0;
2339
- // Force garbage collection if available
2340
- if (global.gc) {
2341
- global.gc();
2342
- }
2398
+ async enhanceScanReport(content, report) {
2399
+ // Calculate file hash
2400
+ const hash = createHash("sha256").update(content).digest("hex");
2401
+ // Check threat intelligence
2402
+ const threatIntel = await this.checkHash(hash);
2403
+ // Calculate risk score
2404
+ const riskScore = this.calculateRiskScore(report, threatIntel);
2405
+ return {
2406
+ ...report,
2407
+ fileHash: hash,
2408
+ threatIntel: threatIntel.length > 0 ? threatIntel : undefined,
2409
+ riskScore,
2410
+ };
2343
2411
  }
2344
2412
  /**
2345
- * Validate transport security
2413
+ * Calculate overall risk score based on scan results and threat intel
2346
2414
  */
2347
- validateTransportSecurity(url) {
2348
- if (!this.config.enabled || !this.config.requireSecureTransport) {
2349
- return true;
2350
- }
2351
- if (!url)
2352
- return true;
2353
- try {
2354
- const urlObj = new URL(url);
2355
- const isSecure = urlObj.protocol === 'https:' || urlObj.hostname === 'localhost' || urlObj.hostname === '127.0.0.1';
2356
- if (!isSecure) {
2357
- this.auditLog('security_violation', {
2358
- action: 'insecure_transport',
2359
- success: false,
2360
- metadata: { protocol: urlObj.protocol, hostname: urlObj.hostname }
2361
- });
2362
- }
2363
- return isSecure;
2415
+ calculateRiskScore(report, threats) {
2416
+ let score = 0;
2417
+ // Base score from verdict
2418
+ switch (report.verdict) {
2419
+ case "malicious":
2420
+ score += 70;
2421
+ break;
2422
+ case "suspicious":
2423
+ score += 40;
2424
+ break;
2425
+ case "clean":
2426
+ score += 0;
2427
+ break;
2364
2428
  }
2365
- catch {
2366
- return false;
2429
+ // Add points for number of matches
2430
+ score += Math.min(report.matches.length * 5, 20);
2431
+ // Add points from threat intelligence
2432
+ if (threats.length > 0) {
2433
+ const maxThreat = Math.max(...threats.map((t) => t.threatLevel));
2434
+ score = Math.max(score, maxThreat);
2367
2435
  }
2436
+ return Math.min(score, 100);
2368
2437
  }
2369
2438
  }
2370
- // Global HIPAA compliance instance
2371
- let hipaaManager = null;
2372
2439
  /**
2373
- * Initialize HIPAA compliance
2440
+ * Create default threat intelligence aggregator
2374
2441
  */
2375
- function initializeHipaaCompliance(config) {
2376
- hipaaManager = new HipaaComplianceManager(config);
2377
- return hipaaManager;
2442
+ function createThreatIntelligence() {
2443
+ return new ThreatIntelligenceAggregator();
2378
2444
  }
2379
2445
  /**
2380
- * Get current HIPAA compliance manager
2446
+ * Helper to get file hash
2381
2447
  */
2382
- function getHipaaManager() {
2383
- return hipaaManager;
2448
+ function getFileHash(content) {
2449
+ return createHash("sha256").update(content).digest("hex");
2384
2450
  }
2451
+
2385
2452
  /**
2386
- * HIPAA-compliant error wrapper
2453
+ * Validates a File by MIME type and size (max 5 MB).
2387
2454
  */
2388
- function createHipaaError(error, context) {
2389
- const manager = getHipaaManager();
2390
- if (!manager) {
2391
- return typeof error === 'string' ? new Error(error) : error;
2455
+ function validateFile(file) {
2456
+ const maxSize = 5 * 1024 * 1024;
2457
+ const allowedTypes = ["text/plain", "application/json", "text/csv"];
2458
+ if (!allowedTypes.includes(file.type)) {
2459
+ return { valid: false, error: "Unsupported file type" };
2392
2460
  }
2393
- const sanitizedMessage = manager.sanitizeError(error);
2394
- const hipaaError = new Error(sanitizedMessage);
2395
- manager.auditLog('error_occurred', {
2396
- action: context || 'error',
2397
- success: false,
2398
- sanitizedError: sanitizedMessage
2399
- });
2400
- return hipaaError;
2401
- }
2402
- /**
2403
- * HIPAA-compliant temporary file utilities
2404
- */
2405
- const HipaaTemp = {
2406
- createPath: (prefix) => {
2407
- const manager = getHipaaManager();
2408
- return manager ? manager.createSecureTempPath(prefix) : path.join(os.tmpdir(), `${prefix || 'pompelmi'}-${Date.now()}`);
2409
- },
2410
- cleanup: async (filePath) => {
2411
- const manager = getHipaaManager();
2412
- if (manager) {
2413
- await manager.secureFileCleanup(filePath);
2414
- }
2415
- else {
2416
- try {
2417
- const fs = await import('fs/promises');
2418
- await fs.unlink(filePath);
2419
- }
2420
- catch {
2421
- // Ignore errors
2422
- }
2423
- }
2461
+ if (file.size > maxSize) {
2462
+ return { valid: false, error: "File too large (max 5 MB)" };
2424
2463
  }
2425
- };
2464
+ return { valid: true };
2465
+ }
2466
+
2467
+ function mapMatchesToVerdict(matches = []) {
2468
+ if (!matches.length)
2469
+ return "clean";
2470
+ const malHints = ["trojan", "ransom", "worm", "spy", "rootkit", "keylog", "botnet"];
2471
+ const tagSet = new Set(matches.flatMap((m) => (m.tags ?? []).map((t) => t.toLowerCase())));
2472
+ const nameHit = (r) => malHints.some((h) => r.toLowerCase().includes(h));
2473
+ const isMal = matches.some((m) => nameHit(m.rule)) || tagSet.has("malware") || tagSet.has("critical");
2474
+ return isMal ? "malicious" : "suspicious";
2475
+ }
2426
2476
 
2427
2477
  export { ARCHIVES, BatchScanner, CONFIG_PRESETS, CONSERVATIVE_DEFAULT, CommonHeuristicsScanner, ConfigManager, DEFAULT_CONFIG, DEFAULT_POLICY, DOCUMENTS_ONLY, HipaaTemp, IMAGES_ONLY, LocalThreatIntelligence, POLICY_PACKS, PerformanceTracker, STRICT_PUBLIC_UPLOAD, SUSPICIOUS_PATTERNS, ScanCacheManager, ScanResultExporter, ThreatIntelligenceAggregator, aggregateScanStats, analyzeNestedArchives, batchScan, composeScanners, createConfig, createHipaaError, createPresetScanner, createThreatIntelligence, createZipBombGuard, definePolicy, detectObfuscatedScripts, detectPolyglot, exportScanResults, getDefaultCache, getFileHash, getHipaaManager, getPolicyPack, getPresetConfig, initializeHipaaCompliance, mapMatchesToVerdict, resetDefaultCache, scanBytes, scanFile, scanFiles, scanFilesWithRemoteYara, validateFile };
2428
2478
  //# sourceMappingURL=pompelmi.esm.js.map