npm - xploitscan-shared-rules - Versions diffs - 1.8.1 → 1.10.0 - Mend

xploitscan-shared-rules 1.8.1 → 1.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/index.js CHANGED Viewed

@@ -329,8 +329,140 @@ var TAINTED_REQUEST_OBJECTS = /* @__PURE__ */ new Set([
   "event"
   // Lambda
 ]);
+var FS_READ_METHODS = /* @__PURE__ */ new Set(["readFile", "readFileSync"]);
+var PARSE_OBJECTS = /* @__PURE__ */ new Set([
+  "JSON",
+  "csv",
+  "papa",
+  "Papa",
+  "yaml",
+  "YAML",
+  "toml",
+  "qs",
+  "querystring"
+]);
+var PARSE_BARE = /* @__PURE__ */ new Set(["parse", "parseSync"]);
+var ARRAY_ELEMENT_METHODS = /* @__PURE__ */ new Set([
+  "map",
+  "filter",
+  "forEach",
+  "find",
+  "findIndex",
+  "flatMap",
+  "some",
+  "every"
+]);
+var ARRAY_REDUCE_METHODS = /* @__PURE__ */ new Set(["reduce", "reduceRight"]);
+function callPreservesTaint(node, rec) {
+  const callee = node.callee;
+  const anyArgTainted = () => node.arguments.some((a) => a.type !== "SpreadElement" && rec(a));
+  if (callee.type === "MemberExpression" && callee.property.type === "Identifier") {
+    const pname = callee.property.name;
+    if (FS_READ_METHODS.has(pname)) return anyArgTainted();
+    if (pname === "parse" || pname === "parseSync") {
+      const obj = callee.object;
+      if (obj.type === "Identifier" && PARSE_OBJECTS.has(obj.name)) return anyArgTainted();
+    }
+  }
+  if (callee.type === "Identifier") {
+    if (FS_READ_METHODS.has(callee.name)) return anyArgTainted();
+    if (PARSE_BARE.has(callee.name)) return anyArgTainted();
+  }
+  return false;
+}
+function isParamDerived(n, p) {
+  if (!n) return false;
+  if (n.type === "Identifier") return n.name === p;
+  if (n.type === "MemberExpression") return isParamDerived(n.object, p);
+  return false;
+}
+function formattedFlow(n, p) {
+  if (!n) return false;
+  switch (n.type) {
+    case "TemplateLiteral":
+      return n.expressions.some(
+        (e) => isParamDerived(e, p) || formattedFlow(e, p)
+      );
+    case "BinaryExpression":
+      if (n.operator !== "+") return false;
+      return isParamDerived(n.left, p) || isParamDerived(n.right, p) || formattedFlow(n.left, p) || formattedFlow(n.right, p);
+    case "ObjectExpression":
+      return n.properties.some(
+        (pr) => pr.type === "SpreadElement" && isParamDerived(pr.argument, p)
+      );
+    case "ArrayExpression":
+      return n.elements.some(
+        (el) => el != null && el.type === "SpreadElement" && isParamDerived(el.argument, p)
+      );
+    case "ConditionalExpression":
+      return formattedFlow(n.consequent, p) || formattedFlow(n.alternate, p);
+    case "AwaitExpression":
+      return formattedFlow(n.argument, p);
+    default:
+      return false;
+  }
+}
+function collectReturnArgs(fn) {
+  const out = [];
+  if (fn.type === "ArrowFunctionExpression" && fn.body.type !== "BlockStatement") {
+    out.push(fn.body);
+    return out;
+  }
+  const visit = (n) => {
+    if (!n || typeof n !== "object") return;
+    const node = n;
+    if (typeof node.type !== "string") return;
+    if (node.type === "ReturnStatement") {
+      const arg = node.argument;
+      if (arg) out.push(arg);
+      return;
+    }
+    if (node.type === "FunctionDeclaration" || node.type === "FunctionExpression" || node.type === "ArrowFunctionExpression") {
+      return;
+    }
+    for (const key of Object.keys(node)) {
+      const v = node[key];
+      if (Array.isArray(v)) v.forEach(visit);
+      else visit(v);
+    }
+  };
+  visit(fn.body);
+  return out;
+}
+function computePassthrough(fn) {
+  const params = fn.params ?? [];
+  const returns = collectReturnArgs(fn);
+  const out = /* @__PURE__ */ new Set();
+  for (let i = 0; i < params.length; i++) {
+    const param = params[i];
+    if (param.type !== "Identifier") continue;
+    const name = param.name;
+    if (returns.some((r) => formattedFlow(r, name))) out.add(i);
+  }
+  return out;
+}
 function buildTaintMap(parsed) {
   const tainted = /* @__PURE__ */ new Set();
+  function markPatternTainted(target) {
+    if (target.type === "Identifier") {
+      tainted.add(target.name);
+    } else if (target.type === "ObjectPattern") {
+      for (const prop of target.properties) {
+        if (prop.type === "ObjectProperty" && prop.value.type === "Identifier") {
+          tainted.add(prop.value.name);
+        } else if (prop.type === "RestElement" && prop.argument.type === "Identifier") {
+          tainted.add(prop.argument.name);
+        }
+      }
+    } else if (target.type === "ArrayPattern") {
+      for (const el of target.elements) {
+        if (el && el.type === "Identifier") tainted.add(el.name);
+        else if (el && el.type === "RestElement" && el.argument.type === "Identifier") {
+          tainted.add(el.argument.name);
+        }
+      }
+    }
+  }
   function reachesRequestIdent(node) {
     if (!node) return false;
     if (node.type === "Identifier") return TAINTED_REQUEST_OBJECTS.has(node.name);
@@ -401,6 +533,8 @@ function buildTaintMap(parsed) {
     }
     if (node.type === "CallExpression") {
       if (nodeIsTaintedSource(node)) return true;
+      if (callPreservesTaint(node, exprIsTainted)) return true;
+      if (localCallPropagates(node, exprIsTainted)) return true;
       if (node.callee.type === "MemberExpression") {
         if (exprIsTainted(node.callee.object)) return true;
         const obj = node.callee.object;
@@ -421,8 +555,46 @@ function buildTaintMap(parsed) {
     if (node.type === "AwaitExpression") {
       return exprIsTainted(node.argument);
     }
+    if (node.type === "ArrayExpression") {
+      return node.elements.some(
+        (el) => el != null && el.type === "SpreadElement" && exprIsTainted(el.argument)
+      );
+    }
+    if (node.type === "ObjectExpression") {
+      return node.properties.some(
+        (p) => p.type === "SpreadElement" && exprIsTainted(p.argument)
+      );
+    }
     return false;
   }
+  const fnPassthrough = /* @__PURE__ */ new Map();
+  const recordFn = (name, fn) => {
+    const pt = computePassthrough(fn);
+    if (pt.size > 0) fnPassthrough.set(name, pt);
+  };
+  traverse(parsed.ast, {
+    FunctionDeclaration(path) {
+      const n = path.node;
+      if (n.type === "FunctionDeclaration" && n.id && n.id.type === "Identifier") {
+        recordFn(n.id.name, n);
+      }
+    },
+    VariableDeclarator(path) {
+      const n = path.node;
+      if (n.type !== "VariableDeclarator" || n.id.type !== "Identifier" || !n.init) return;
+      if (n.init.type === "ArrowFunctionExpression" || n.init.type === "FunctionExpression") {
+        recordFn(n.id.name, n.init);
+      }
+    }
+  });
+  function localCallPropagates(node, rec) {
+    if (node.callee.type !== "Identifier") return false;
+    const pt = fnPassthrough.get(node.callee.name);
+    if (!pt) return false;
+    return node.arguments.some(
+      (a, i) => pt.has(i) && a.type !== "SpreadElement" && rec(a)
+    );
+  }
   traverse(parsed.ast, {
     VariableDeclarator(path) {
       const node = path.node;
@@ -455,6 +627,32 @@ function buildTaintMap(parsed) {
       if (exprIsTainted(node.right)) {
         tainted.add(node.left.name);
       }
+    },
+    // for (const row of <tainted>) → row tainted (and destructured names).
+    ForOfStatement(path) {
+      const node = path.node;
+      if (node.type !== "ForOfStatement") return;
+      if (!exprIsTainted(node.right)) return;
+      const decl = node.left;
+      const target = decl.type === "VariableDeclaration" && decl.declarations[0] ? decl.declarations[0].id : decl;
+      markPatternTainted(target);
+    },
+    // Array-iteration element taint: <tainted>.map((row) => …) marks `row`
+    // tainted inside the callback. Gated on the receiver already being
+    // tainted, so this never originates taint.
+    CallExpression(path) {
+      const node = path.node;
+      if (node.type !== "CallExpression") return;
+      const callee = node.callee;
+      if (callee.type !== "MemberExpression" || callee.property.type !== "Identifier") return;
+      const method = callee.property.name;
+      const isReduce = ARRAY_REDUCE_METHODS.has(method);
+      if (!ARRAY_ELEMENT_METHODS.has(method) && !isReduce) return;
+      if (!exprIsTainted(callee.object)) return;
+      const cb = node.arguments[0];
+      if (!cb || cb.type !== "ArrowFunctionExpression" && cb.type !== "FunctionExpression") return;
+      const elemParam = cb.params[isReduce ? 1 : 0];
+      if (elemParam) markPatternTainted(elemParam);
     }
   });
   const isTainted = (node) => {
@@ -480,6 +678,8 @@ function buildTaintMap(parsed) {
       return isTainted(node.object);
     }
     if (node.type === "CallExpression") {
+      if (callPreservesTaint(node, isTainted)) return true;
+      if (localCallPropagates(node, isTainted)) return true;
       if (node.callee.type === "MemberExpression") {
         if (isTainted(node.callee.object)) return true;
         const obj = node.callee.object;
@@ -497,6 +697,16 @@ function buildTaintMap(parsed) {
         }
       }
     }
+    if (node.type === "ArrayExpression") {
+      return node.elements.some(
+        (el) => el != null && el.type === "SpreadElement" && isTainted(el.argument)
+      );
+    }
+    if (node.type === "ObjectExpression") {
+      return node.properties.some(
+        (p) => p.type === "SpreadElement" && isTainted(p.argument)
+      );
+    }
     return false;
   };
   return {