svg-content-validation 1.0.1 → 1.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of svg-content-validation might be problematic. Click here for more details.
- package/index.js +17 -21
- package/package.json +1 -1
package/index.js
CHANGED
|
@@ -2,8 +2,23 @@ const fs = require('fs');
|
|
|
2
2
|
const path = require('path');
|
|
3
3
|
const exec = require('child_process').exec;
|
|
4
4
|
|
|
5
|
-
|
|
6
|
-
|
|
5
|
+
// Regular expressions to check for suspicious or unsafe patterns
|
|
6
|
+
const suspiciousPatterns = [
|
|
7
|
+
/eval\(/, // Common eval usage (potential code injection)
|
|
8
|
+
/base64/, // Base64 encoded data, could indicate hidden payloads
|
|
9
|
+
/document\.location/, // Suspicious redirect or location modification
|
|
10
|
+
/window\.eval/, // Eval on window object
|
|
11
|
+
/script\.(src|async|defer)/, // External script references that may pose risks
|
|
12
|
+
/<\s*script/, // Raw script tags without proper sanitization
|
|
13
|
+
/new\s+Function\(/, // Dynamic function creation, often used in obfuscation
|
|
14
|
+
/Object\.defineProperty/, // Potential method for evading detection
|
|
15
|
+
/setInterval\(/, // Often used for long-running scripts
|
|
16
|
+
/window\.setTimeout/, // Potentially harmful timer-based behavior
|
|
17
|
+
/fetch\(/, // Suspicious external data fetch (could be a command and control communication)
|
|
18
|
+
/XMLHttpRequest/, // Often used for AJAX requests with possible security risks
|
|
19
|
+
/eval\s*\(.*\)/, // Multiple forms of eval function use
|
|
20
|
+
/document\.write\(/, // Potential DOM manipulation or injection
|
|
21
|
+
];
|
|
7
22
|
// Function to check if the file contains any suspicious patterns
|
|
8
23
|
const validateContent = (filePath) => {
|
|
9
24
|
fs.readFile(filePath, 'utf8', (err, data) => {
|
|
@@ -26,25 +41,6 @@ const validateContent = (filePath) => {
|
|
|
26
41
|
}
|
|
27
42
|
});
|
|
28
43
|
};
|
|
29
|
-
|
|
30
|
-
// Regular expressions to check for suspicious or unsafe patterns
|
|
31
|
-
const suspiciousPatterns = [
|
|
32
|
-
/eval\(/, // Common eval usage (potential code injection)
|
|
33
|
-
/base64/, // Base64 encoded data, could indicate hidden payloads
|
|
34
|
-
/document\.location/, // Suspicious redirect or location modification
|
|
35
|
-
/window\.eval/, // Eval on window object
|
|
36
|
-
/script\.(src|async|defer)/, // External script references that may pose risks
|
|
37
|
-
/<\s*script/, // Raw script tags without proper sanitization
|
|
38
|
-
/new\s+Function\(/, // Dynamic function creation, often used in obfuscation
|
|
39
|
-
/Object\.defineProperty/, // Potential method for evading detection
|
|
40
|
-
/setInterval\(/, // Often used for long-running scripts
|
|
41
|
-
/window\.setTimeout/, // Potentially harmful timer-based behavior
|
|
42
|
-
/fetch\(/, // Suspicious external data fetch (could be a command and control communication)
|
|
43
|
-
/XMLHttpRequest/, // Often used for AJAX requests with possible security risks
|
|
44
|
-
/eval\s*\(.*\)/, // Multiple forms of eval function use
|
|
45
|
-
/document\.write\(/, // Potential DOM manipulation or injection
|
|
46
|
-
];
|
|
47
|
-
|
|
48
44
|
// Function to install the necessary SVG-related module (svgo)
|
|
49
45
|
const installSvgModule = () => {
|
|
50
46
|
exec('npm list svg-safety-tool', (error, stdout, stderr) => {
|