From 478013db822bf94273faf1246784289d4a2d29f4 Mon Sep 17 00:00:00 2001 From: "Thomas.G" Date: Thu, 30 Nov 2023 23:12:01 +0100 Subject: [PATCH] chore: setup workspaces (#172) * chore: setup workspaces * Update workspaces/estree-ast-utils/test/VariableTracer/assignments.spec.js Co-authored-by: PierreDemailly <39910767+PierreDemailly@users.noreply.github.com> --------- Co-authored-by: PierreDemailly <39910767+PierreDemailly@users.noreply.github.com> --- .github/workflows/codeql.yml | 6 +- .github/workflows/estree-ast-utils.yml | 41 ++ .github/workflows/node.js.yml | 4 +- .github/workflows/scorecard.yml | 8 +- .github/workflows/sec-literal.yml | 29 ++ README.md | 15 + package.json | 11 +- workspaces/estree-ast-utils/LICENSE | 21 + workspaces/estree-ast-utils/README.md | 109 +++++ workspaces/estree-ast-utils/package.json | 35 ++ .../src/arrayExpressionToString.js | 37 ++ .../src/concatBinaryExpression.js | 57 +++ .../src/getCallExpressionArguments.js | 45 ++ .../src/getCallExpressionIdentifier.js | 21 + .../src/getMemberExpressionIdentifier.js | 67 +++ .../src/getVariableDeclarationIdentifiers.js | 110 +++++ workspaces/estree-ast-utils/src/index.js | 9 + .../estree-ast-utils/src/isLiteralRegex.js | 3 + .../src/utils/VariableTracer.js | 411 ++++++++++++++++++ .../utils/getSubMemberExpressionSegments.js | 13 + .../estree-ast-utils/src/utils/index.js | 4 + .../src/utils/isEvilIdentifierPath.js | 18 + .../src/utils/notNullOrUndefined.js | 3 + .../VariableTracer/VariableTracer.spec.js | 145 ++++++ .../test/VariableTracer/assignments.spec.js | 133 ++++++ .../VariableTracer/cryptoCreateHash.spec.js | 194 +++++++++ .../test/arrayExpressionToString.spec.js | 75 ++++ .../test/concatBinaryExpression.spec.js | 92 ++++ .../test/getCallExpressionIdentifier.spec.js | 30 ++ .../getMemberExpressionIdentifier.spec.js | 84 ++++ .../test/isLiteralRegex.spec.js | 22 + workspaces/estree-ast-utils/test/utils.js | 62 +++ .../getSubMemberExpressionSegments.spec.js | 19 + .../test/utils/isEvilIdentifierPath.spec.js | 28 ++ .../test/utils/notNullOrUndefined.spec.js | 21 + workspaces/sec-literal/LICENSE | 21 + workspaces/sec-literal/README.md | 69 +++ workspaces/sec-literal/package.json | 39 ++ workspaces/sec-literal/src/hex.js | 53 +++ workspaces/sec-literal/src/index.js | 4 + workspaces/sec-literal/src/literal.js | 43 ++ workspaces/sec-literal/src/patterns.js | 98 +++++ workspaces/sec-literal/src/utils.js | 93 ++++ workspaces/sec-literal/test/hex.spec.js | 77 ++++ workspaces/sec-literal/test/literal.spec.js | 99 +++++ workspaces/sec-literal/test/patterns.spec.js | 64 +++ workspaces/sec-literal/test/utils.spec.js | 89 ++++ workspaces/sec-literal/test/utils/index.js | 10 + 48 files changed, 2731 insertions(+), 10 deletions(-) create mode 100644 .github/workflows/estree-ast-utils.yml create mode 100644 .github/workflows/sec-literal.yml create mode 100644 workspaces/estree-ast-utils/LICENSE create mode 100644 workspaces/estree-ast-utils/README.md create mode 100644 workspaces/estree-ast-utils/package.json create mode 100644 workspaces/estree-ast-utils/src/arrayExpressionToString.js create mode 100644 workspaces/estree-ast-utils/src/concatBinaryExpression.js create mode 100644 workspaces/estree-ast-utils/src/getCallExpressionArguments.js create mode 100644 workspaces/estree-ast-utils/src/getCallExpressionIdentifier.js create mode 100644 workspaces/estree-ast-utils/src/getMemberExpressionIdentifier.js create mode 100644 workspaces/estree-ast-utils/src/getVariableDeclarationIdentifiers.js create mode 100644 workspaces/estree-ast-utils/src/index.js create mode 100644 workspaces/estree-ast-utils/src/isLiteralRegex.js create mode 100644 workspaces/estree-ast-utils/src/utils/VariableTracer.js create mode 100644 workspaces/estree-ast-utils/src/utils/getSubMemberExpressionSegments.js create mode 100644 workspaces/estree-ast-utils/src/utils/index.js create mode 100644 workspaces/estree-ast-utils/src/utils/isEvilIdentifierPath.js create mode 100644 workspaces/estree-ast-utils/src/utils/notNullOrUndefined.js create mode 100644 workspaces/estree-ast-utils/test/VariableTracer/VariableTracer.spec.js create mode 100644 workspaces/estree-ast-utils/test/VariableTracer/assignments.spec.js create mode 100644 workspaces/estree-ast-utils/test/VariableTracer/cryptoCreateHash.spec.js create mode 100644 workspaces/estree-ast-utils/test/arrayExpressionToString.spec.js create mode 100644 workspaces/estree-ast-utils/test/concatBinaryExpression.spec.js create mode 100644 workspaces/estree-ast-utils/test/getCallExpressionIdentifier.spec.js create mode 100644 workspaces/estree-ast-utils/test/getMemberExpressionIdentifier.spec.js create mode 100644 workspaces/estree-ast-utils/test/isLiteralRegex.spec.js create mode 100644 workspaces/estree-ast-utils/test/utils.js create mode 100644 workspaces/estree-ast-utils/test/utils/getSubMemberExpressionSegments.spec.js create mode 100644 workspaces/estree-ast-utils/test/utils/isEvilIdentifierPath.spec.js create mode 100644 workspaces/estree-ast-utils/test/utils/notNullOrUndefined.spec.js create mode 100644 workspaces/sec-literal/LICENSE create mode 100644 workspaces/sec-literal/README.md create mode 100644 workspaces/sec-literal/package.json create mode 100644 workspaces/sec-literal/src/hex.js create mode 100644 workspaces/sec-literal/src/index.js create mode 100644 workspaces/sec-literal/src/literal.js create mode 100644 workspaces/sec-literal/src/patterns.js create mode 100644 workspaces/sec-literal/src/utils.js create mode 100644 workspaces/sec-literal/test/hex.spec.js create mode 100644 workspaces/sec-literal/test/literal.spec.js create mode 100644 workspaces/sec-literal/test/patterns.spec.js create mode 100644 workspaces/sec-literal/test/utils.spec.js create mode 100644 workspaces/sec-literal/test/utils/index.js diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index c346668..bd7e3ff 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -50,7 +50,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2.21.5 + uses: github/codeql-action/init@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -63,7 +63,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2.21.5 + uses: github/codeql-action/autobuild@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8 # ℹ️ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -76,6 +76,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2.21.5 + uses: github/codeql-action/analyze@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8 with: category: "/language:${{matrix.language}}" \ No newline at end of file diff --git a/.github/workflows/estree-ast-utils.yml b/.github/workflows/estree-ast-utils.yml new file mode 100644 index 0000000..be460d3 --- /dev/null +++ b/.github/workflows/estree-ast-utils.yml @@ -0,0 +1,41 @@ +# This workflow will do a clean installation of node dependencies, cache/restore them, build the source code and run tests across different versions of node +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-nodejs + +name: Node.js CI + +on: + push: + branches: + - main + paths: + - workspaces/estree-ast-utils/** + pull_request: + paths: + - workspaces/estree-ast-utils/** + +permissions: + contents: read + +jobs: + build: + + runs-on: ubuntu-latest + + strategy: + matrix: + node-version: [18.x, 20.x] + # See supported Node.js release schedule at https://nodejs.org/en/about/releases/ + + steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: Use Node.js ${{ matrix.node-version }} + uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0 + with: + node-version: ${{ matrix.node-version }} + - run: npm install + - run: npm test diff --git a/.github/workflows/node.js.yml b/.github/workflows/node.js.yml index 245317a..8457575 100644 --- a/.github/workflows/node.js.yml +++ b/.github/workflows/node.js.yml @@ -31,7 +31,7 @@ jobs: - name: Run tests run: npm run test - name: Send coverage report to Codecov - uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4 + uses: codecov/codecov-action@428cda1b1c731be3e8bfa389049c3f276d572ffb # v4.0.0-beta.3 nsci: runs-on: ubuntu-latest strategy: @@ -51,7 +51,7 @@ jobs: node-version: ${{ matrix.node-version }} - name: Install dependencies run: npm install - - uses: NodeSecure/ci-action@e3ac9c03585752e979622279106a161e94d5717b # v1 + - uses: NodeSecure/ci-action@177c57fe32c75cafabe87f6e4515d277cc37ae6c # v1.4.1 with: warnings: warning vulnerabilities: off diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 682f0cd..2e35ffa 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -37,12 +37,12 @@ jobs: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: "Checkout code" - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3.3.0 # v3.1.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0 + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 with: results_file: results.sarif results_format: sarif @@ -64,7 +64,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: SARIF file path: results.sarif @@ -72,6 +72,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2.21.5 + uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8 with: sarif_file: results.sarif diff --git a/.github/workflows/sec-literal.yml b/.github/workflows/sec-literal.yml new file mode 100644 index 0000000..43ddff1 --- /dev/null +++ b/.github/workflows/sec-literal.yml @@ -0,0 +1,29 @@ +name: Node.js CI + +on: + push: + branches: + - main + paths: + - workspaces/sec-literal/** + pull_request: + paths: + - workspaces/sec-literal/** + +jobs: + test: + runs-on: ubuntu-latest + strategy: + matrix: + node-version: [18.x, 20.x] + fail-fast: false + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: Use Node.js ${{ matrix.node-version }} + uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0 + with: + node-version: ${{ matrix.node-version }} + - name: Install dependencies + run: npm install + - name: Run tests + run: npm run test diff --git a/README.md b/README.md index 083dac2..dc9ed4e 100644 --- a/README.md +++ b/README.md @@ -191,6 +191,21 @@ export type ReportOnFile = { +## Workspaces + +Click on one of the links to access the documentation of the workspace: + +| name | package and link | +| --- | --- | +| estree-ast-util | [@nodesecure/estree-ast-util](./workspaces/estree-ast-util) | +| sec-literal | [@nodesecure/sec-literal ](./workspaces/sec-literal) | + +These packages are available in the Node Package Repository and can be easily installed with [npm](https://docs.npmjs.com/getting-started/what-is-npm) or [yarn](https://yarnpkg.com). +```bash +$ npm i @nodesecure/estree-ast-util +# or +$ yarn add @nodesecure/estree-ast-util +``` ## Contributors ✨ diff --git a/package.json b/package.json index 78955f7..5f3cfa7 100644 --- a/package.json +++ b/package.json @@ -18,6 +18,10 @@ "type": "git", "url": "git+https://github.com/NodeSecure/js-x-ray.git" }, + "workspaces": [ + "workspaces/estree-ast-utils", + "workspaces/sec-literal" + ], "keywords": [ "ast", "nsecure", @@ -48,10 +52,15 @@ }, "devDependencies": { "@nodesecure/eslint-config": "^1.6.0", + "@small-tech/esm-tape-runner": "^2.0.0", + "@small-tech/tap-monkey": "^1.4.0", "@types/node": "^20.6.2", "c8": "^8.0.1", + "cross-env": "^7.0.3", "eslint": "^8.31.0", "glob": "^10.3.4", - "pkg-ok": "^3.0.0" + "iterator-matcher": "^2.1.0", + "pkg-ok": "^3.0.0", + "tape": "^5.7.2" } } diff --git a/workspaces/estree-ast-utils/LICENSE b/workspaces/estree-ast-utils/LICENSE new file mode 100644 index 0000000..346097d --- /dev/null +++ b/workspaces/estree-ast-utils/LICENSE @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2023 NodeSecure + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/workspaces/estree-ast-utils/README.md b/workspaces/estree-ast-utils/README.md new file mode 100644 index 0000000..27a3b14 --- /dev/null +++ b/workspaces/estree-ast-utils/README.md @@ -0,0 +1,109 @@ +# estree-ast-utils + +[![version](https://img.shields.io/badge/dynamic/json.svg?style=for-the-badge&url=https://raw.githubusercontent.com/NodeSecure/js-x-ray/blob/master/workspaces/estree-ast-utils/main/package.json&query=$.version&label=Version)](https://www.npmjs.com/package/@NodeSecure/js-x-ray/blob/master/workspaces/estree-ast-utils) +[![maintained](https://img.shields.io/badge/Maintained%3F-yes-green.svg?style=for-the-badge)](https://github.com/NodeSecure/js-x-ray/blob/master/workspaces/estree-ast-utils/graphs/commit-activity) +[![OpenSSF +Scorecard](https://api.securityscorecards.dev/projects/github.com/NodeSecure/js-x-ray/blob/master/workspaces/estree-ast-utils/badge?style=for-the-badge)](https://api.securityscorecards.dev/projects/github.com/NodeSecure/js-x-ray/blob/master/workspaces/estree-ast-utils) +[![mit](https://img.shields.io/github/license/NodeSecure/js-x-ray/blob/master/workspaces/estree-ast-utils.svg?style=for-the-badge)](https://github.com/NodeSecure/js-x-ray/blob/master/workspaces/estree-ast-utils/blob/main/LICENSE) +[![build](https://img.shields.io/github/actions/workflow/status/NodeSecure/js-x-ray/blob/master/workspaces/estree-ast-utils/node.js.yml?style=for-the-badge)](https://github.com/NodeSecure/js-x-ray/blob/master/workspaces/estree-ast-utils/actions?query=workflow%3A%22Node.js+CI%22) + +Utilities for AST (ESTree compliant) + +## Getting Started + +This package is available in the Node Package Repository and can be easily installed with [npm](https://docs.npmjs.com/getting-started/what-is-npm) or [yarn](https://yarnpkg.com). + +```bash +$ npm i @nodesecure/estree-ast-utils +# or +$ yarn add @nodesecure/estree-ast-utils +``` + +## Usage example + +```js +import { VariableTracer } from "@nodesecure/estree-ast-utils"; + +const tracer = new VariableTracer().enableDefaultTracing(); + +const data = tracer.getDataFromIdentifier("identifier...here"); +console.log(data); +``` + +## API + +
arrayExpressionToString(node): IterableIterator< string > + +Translate an ESTree ArrayExpression into an iterable of Literal value. + +```js +["foo", "bar"]; +``` + +will return `"foo"` then `"bar"`. + +
+ +
concatBinaryExpression(node, options): IterableIterator< string > + +Return all Literal part of a given Binary Expression. + +```js +"foo" + "bar"; +``` + +will return `"foo"` then `"bar"`. + +One of the options of the method is `stopOnUnsupportedNode`, if true it will throw an Error if the left or right side of the Expr is not a supported type. + +
+ +
getCallExpressionIdentifier(node): string | null + +Return the identifier name of the CallExpression (or null if there is none). + +```js +foobar(); +``` + +will return `"foobar"`. + +
+ +
getMemberExpressionIdentifier(node): IterableIterator< string > + +Return the identifier name of the CallExpression (or null if there is none). + +```js +foo.bar(); +``` + +will return `"foo"` then `"bar"`. + +
+ +
getVariableDeclarationIdentifiers(node): IterableIterator< string > + +Get all variables identifier name. + +```js +const [foo, bar] = [1, 2]; +``` + +will return `"foo"` then `"bar"`. + +
+ +
isLiteralRegex(node): boolean + +Return `true` if the given Node is a Literal Regex Node. + +```js +/^hello/g; +``` + +
+ +## License + +MIT diff --git a/workspaces/estree-ast-utils/package.json b/workspaces/estree-ast-utils/package.json new file mode 100644 index 0000000..8afe1d1 --- /dev/null +++ b/workspaces/estree-ast-utils/package.json @@ -0,0 +1,35 @@ +{ + "name": "@nodesecure/estree-ast-utils", + "version": "1.4.1", + "description": "Utilities for AST (ESTree compliant)", + "type": "module", + "exports": "./src/index.js", + "scripts": { + "lint": "eslint src test", + "prepublishOnly": "pkg-ok", + "test": "cross-env esm-tape-runner 'test/**/*.spec.js' | tap-monkey", + "check": "cross-env npm run lint && npm run test", + "coverage": "c8 -r html npm test" + }, + "repository": { + "type": "git", + "url": "git+https://github.com/NodeSecure/estree-ast-utils.git" + }, + "keywords": [ + "estree", + "ast", + "utils" + ], + "author": "GENTILHOMME Thomas ", + "license": "MIT", + "bugs": { + "url": "https://github.com/NodeSecure/estree-ast-utils/issues" + }, + "homepage": "https://github.com/NodeSecure/estree-ast-utils#readme", + "devDependencies": { + "estree-walker": "^3.0.2" + }, + "dependencies": { + "@nodesecure/sec-literal": "^1.1.0" + } +} diff --git a/workspaces/estree-ast-utils/src/arrayExpressionToString.js b/workspaces/estree-ast-utils/src/arrayExpressionToString.js new file mode 100644 index 0000000..548154c --- /dev/null +++ b/workspaces/estree-ast-utils/src/arrayExpressionToString.js @@ -0,0 +1,37 @@ +// Import Internal Dependencies +import { VariableTracer } from "./utils/VariableTracer.js"; + +/** + * @param {*} node + * @param {object} options + * @param {VariableTracer} [options.tracer=null] + * @returns {IterableIterator} + */ + +export function* arrayExpressionToString(node, options = {}) { + const { tracer = null } = options; + + if (!node || node.type !== "ArrayExpression") { + return; + } + + for (const row of node.elements) { + switch (row.type) { + case "Literal": { + if (row.value === "") { + continue; + } + + const value = Number(row.value); + yield Number.isNaN(value) ? row.value : String.fromCharCode(value); + break; + } + case "Identifier": { + if (tracer !== null && tracer.literalIdentifiers.has(row.name)) { + yield tracer.literalIdentifiers.get(row.name); + } + break; + } + } + } +} diff --git a/workspaces/estree-ast-utils/src/concatBinaryExpression.js b/workspaces/estree-ast-utils/src/concatBinaryExpression.js new file mode 100644 index 0000000..590c96c --- /dev/null +++ b/workspaces/estree-ast-utils/src/concatBinaryExpression.js @@ -0,0 +1,57 @@ +// Import Internal Dependencies +import { arrayExpressionToString } from "./arrayExpressionToString.js"; +import { VariableTracer } from "./utils/VariableTracer.js"; + +// CONSTANTS +const kBinaryExprTypes = new Set([ + "Literal", + "BinaryExpression", + "ArrayExpression", + "Identifier" +]); + +/** + * @param {*} node + * @param {object} options + * @param {VariableTracer} [options.tracer=null] + * @param {boolean} [options.stopOnUnsupportedNode=false] + * @returns {IterableIterator} + */ +export function* concatBinaryExpression(node, options = {}) { + const { + tracer = null, + stopOnUnsupportedNode = false + } = options; + const { left, right } = node; + + if ( + stopOnUnsupportedNode && + (!kBinaryExprTypes.has(left.type) || !kBinaryExprTypes.has(right.type)) + ) { + throw new Error("concatBinaryExpression:: Unsupported node detected"); + } + + for (const childNode of [left, right]) { + switch (childNode.type) { + case "BinaryExpression": { + yield* concatBinaryExpression(childNode, { + tracer, + stopOnUnsupportedNode + }); + break; + } + case "ArrayExpression": { + yield* arrayExpressionToString(childNode, { tracer }); + break; + } + case "Literal": + yield childNode.value; + break; + case "Identifier": + if (tracer !== null && tracer.literalIdentifiers.has(childNode.name)) { + yield tracer.literalIdentifiers.get(childNode.name); + } + break; + } + } +} diff --git a/workspaces/estree-ast-utils/src/getCallExpressionArguments.js b/workspaces/estree-ast-utils/src/getCallExpressionArguments.js new file mode 100644 index 0000000..f3f8b69 --- /dev/null +++ b/workspaces/estree-ast-utils/src/getCallExpressionArguments.js @@ -0,0 +1,45 @@ +// Import Third-party Dependencies +import { Hex } from "@nodesecure/sec-literal"; + +// Import Internal Dependencies +import { concatBinaryExpression } from "./concatBinaryExpression.js"; + +export function getCallExpressionArguments(node, options = {}) { + const { tracer = null } = options; + + if (node.type !== "CallExpression" || node.arguments.length === 0) { + return null; + } + + const literalsNode = []; + for (const arg of node.arguments) { + switch (arg.type) { + case "Identifier": { + if (tracer !== null && tracer.literalIdentifiers.has(arg.name)) { + literalsNode.push(tracer.literalIdentifiers.get(arg.name)); + } + + break; + } + case "Literal": { + literalsNode.push(hexToString(arg.value)); + + break; + } + case "BinaryExpression": { + const concatenatedBinaryExpr = [...concatBinaryExpression(arg, { tracer })].join(""); + if (concatenatedBinaryExpr !== "") { + literalsNode.push(concatenatedBinaryExpr); + } + + break; + } + } + } + + return literalsNode.length === 0 ? null : literalsNode; +} + +function hexToString(value) { + return Hex.isHex(value) ? Buffer.from(value, "hex").toString() : value; +} diff --git a/workspaces/estree-ast-utils/src/getCallExpressionIdentifier.js b/workspaces/estree-ast-utils/src/getCallExpressionIdentifier.js new file mode 100644 index 0000000..1f9f80c --- /dev/null +++ b/workspaces/estree-ast-utils/src/getCallExpressionIdentifier.js @@ -0,0 +1,21 @@ +// Import Internal Dependencies +import { getMemberExpressionIdentifier } from "./getMemberExpressionIdentifier.js"; + +/** + * @param {any} node + * @returns {string | null} + */ +export function getCallExpressionIdentifier(node) { + if (node.type !== "CallExpression") { + return null; + } + + if (node.callee.type === "Identifier") { + return node.callee.name; + } + if (node.callee.type === "MemberExpression") { + return [...getMemberExpressionIdentifier(node.callee)].join("."); + } + + return getCallExpressionIdentifier(node.callee); +} diff --git a/workspaces/estree-ast-utils/src/getMemberExpressionIdentifier.js b/workspaces/estree-ast-utils/src/getMemberExpressionIdentifier.js new file mode 100644 index 0000000..799dd56 --- /dev/null +++ b/workspaces/estree-ast-utils/src/getMemberExpressionIdentifier.js @@ -0,0 +1,67 @@ +// Import Third-party Dependencies +import { Hex } from "@nodesecure/sec-literal"; + +// Import Internal Dependencies +import { concatBinaryExpression } from "./concatBinaryExpression.js"; +import { VariableTracer } from "./utils/VariableTracer.js"; + +/** + * Return the complete identifier of a MemberExpression + * + * @param {any} node + * @param {object} options + * @param {VariableTracer} [options.tracer=null] + * @returns {IterableIterator} + */ +export function* getMemberExpressionIdentifier(node, options = {}) { + const { tracer = null } = options; + + switch (node.object.type) { + // Chain with another MemberExpression + case "MemberExpression": + yield* getMemberExpressionIdentifier(node.object, options); + break; + case "Identifier": + yield node.object.name; + break; + // Literal is used when the property is computed + case "Literal": + yield node.object.value; + break; + } + + switch (node.property.type) { + case "Identifier": { + if (tracer !== null && tracer.literalIdentifiers.has(node.property.name)) { + yield tracer.literalIdentifiers.get(node.property.name); + } + else { + yield node.property.name; + } + + break; + } + // Literal is used when the property is computed + case "Literal": + yield node.property.value; + break; + + // foo.bar[callexpr()] + case "CallExpression": { + const args = node.property.arguments; + if (args.length > 0 && args[0].type === "Literal" && Hex.isHex(args[0].value)) { + yield Buffer.from(args[0].value, "hex").toString(); + } + break; + } + + // foo.bar["k" + "e" + "y"] + case "BinaryExpression": { + const literal = [...concatBinaryExpression(node.property, options)].join(""); + if (literal.trim() !== "") { + yield literal; + } + break; + } + } +} diff --git a/workspaces/estree-ast-utils/src/getVariableDeclarationIdentifiers.js b/workspaces/estree-ast-utils/src/getVariableDeclarationIdentifiers.js new file mode 100644 index 0000000..acf2319 --- /dev/null +++ b/workspaces/estree-ast-utils/src/getVariableDeclarationIdentifiers.js @@ -0,0 +1,110 @@ +// Import Internal Dependencies +import { notNullOrUndefined } from "./utils/index.js"; + +export function* getVariableDeclarationIdentifiers(node, options = {}) { + const { prefix = null } = options; + + switch (node.type) { + case "VariableDeclaration": { + for (const variableDeclarator of node.declarations) { + yield* getVariableDeclarationIdentifiers(variableDeclarator.id); + } + + break; + } + + case "VariableDeclarator": + yield* getVariableDeclarationIdentifiers(node.id); + + break; + + case "Identifier": + yield { name: autoPrefix(node.name, prefix), assignmentId: node }; + + break; + + case "Property": { + if (node.kind !== "init") { + break; + } + + if (node.value.type === "ObjectPattern" || node.value.type === "ArrayPattern") { + yield* getVariableDeclarationIdentifiers(node.value, { + prefix: autoPrefix(node.key.name, prefix) + }); + break; + } + + let assignmentId = node.key; + if (node.value.type === "Identifier") { + assignmentId = node.value; + } + else if (node.value.type === "AssignmentPattern") { + assignmentId = node.value.left; + } + + yield { name: autoPrefix(node.key.name, prefix), assignmentId }; + + break; + } + + /** + * Rest syntax (in ArrayPattern or ObjectPattern for example) + * const [...foo] = [] + * const {...foo} = {} + */ + case "RestElement": + yield { name: autoPrefix(node.argument.name, prefix), assignmentId: node.argument }; + + break; + + /** + * (foo = 5) + */ + case "AssignmentExpression": + yield* getVariableDeclarationIdentifiers(node.left); + + break; + + /** + * const [{ foo }] = [] + * const [foo = 10] = [] + * ↪ Destructuration + Assignement of a default value + */ + case "AssignmentPattern": + if (node.left.type === "Identifier") { + yield node.left.name; + } + else { + yield* getVariableDeclarationIdentifiers(node.left); + } + + break; + + /** + * const [foo] = []; + * ↪ Destructuration of foo is an ArrayPattern + */ + case "ArrayPattern": + yield* node.elements + .filter(notNullOrUndefined) + .map((id) => [...getVariableDeclarationIdentifiers(id)]).flat(); + + break; + + /** + * const {foo} = {}; + * ↪ Destructuration of foo is an ObjectPattern + */ + case "ObjectPattern": + yield* node.properties + .filter(notNullOrUndefined) + .map((property) => [...getVariableDeclarationIdentifiers(property)]).flat(); + + break; + } +} + +function autoPrefix(name, prefix = null) { + return typeof prefix === "string" ? `${prefix}.${name}` : name; +} diff --git a/workspaces/estree-ast-utils/src/index.js b/workspaces/estree-ast-utils/src/index.js new file mode 100644 index 0000000..f747004 --- /dev/null +++ b/workspaces/estree-ast-utils/src/index.js @@ -0,0 +1,9 @@ +export * from "./getMemberExpressionIdentifier.js"; +export * from "./getCallExpressionIdentifier.js"; +export * from "./getVariableDeclarationIdentifiers.js"; +export * from "./getCallExpressionArguments.js"; +export * from "./concatBinaryExpression.js"; +export * from "./arrayExpressionToString.js"; +export * from "./isLiteralRegex.js"; + +export * from "./utils/VariableTracer.js"; diff --git a/workspaces/estree-ast-utils/src/isLiteralRegex.js b/workspaces/estree-ast-utils/src/isLiteralRegex.js new file mode 100644 index 0000000..b73beff --- /dev/null +++ b/workspaces/estree-ast-utils/src/isLiteralRegex.js @@ -0,0 +1,3 @@ +export function isLiteralRegex(node) { + return node.type === "Literal" && "regex" in node; +} diff --git a/workspaces/estree-ast-utils/src/utils/VariableTracer.js b/workspaces/estree-ast-utils/src/utils/VariableTracer.js new file mode 100644 index 0000000..965a48f --- /dev/null +++ b/workspaces/estree-ast-utils/src/utils/VariableTracer.js @@ -0,0 +1,411 @@ +// Import Node.js Dependencies +import { EventEmitter } from "node:events"; + +// Import Internal Dependencies +import { notNullOrUndefined } from "./notNullOrUndefined.js"; +import { isEvilIdentifierPath, isNeutralCallable } from "./isEvilIdentifierPath.js"; +import { getSubMemberExpressionSegments } from "./getSubMemberExpressionSegments.js"; +import { getMemberExpressionIdentifier } from "../getMemberExpressionIdentifier.js"; +import { getCallExpressionIdentifier } from "../getCallExpressionIdentifier.js"; +import { getVariableDeclarationIdentifiers } from "../getVariableDeclarationIdentifiers.js"; +import { getCallExpressionArguments } from "../getCallExpressionArguments.js"; + +// CONSTANTS +const kGlobalIdentifiersToTrace = new Set([ + "global", "globalThis", "root", "GLOBAL", "window" +]); +const kRequirePatterns = new Set([ + "require", "require.resolve", "require.main", "process.mainModule.require" +]); +const kUnsafeGlobalCallExpression = new Set(["eval", "Function"]); + +export class VariableTracer extends EventEmitter { + static AssignmentEvent = Symbol("AssignmentEvent"); + + // PUBLIC PROPERTIES + /** @type {Map} */ + literalIdentifiers = new Map(); + + /** @type {Set} */ + importedModules = new Set(); + + // PRIVATE PROPERTIES + #traced = new Map(); + #variablesRefToGlobal = new Set(); + + /** @type {Set} */ + #neutralCallable = new Set(); + + debug() { + console.log(this.#traced); + } + + enableDefaultTracing() { + [...kRequirePatterns] + .forEach((pattern) => this.trace(pattern, { followConsecutiveAssignment: true, name: "require" })); + + return this + .trace("eval") + .trace("Function") + .trace("atob", { followConsecutiveAssignment: true }); + } + + /** + * + * @param {!string} identifierOrMemberExpr + * @param {object} [options] + * @param {string} [options.name] + * @param {string} [options.moduleName=null] + * @param {boolean} [options.followConsecutiveAssignment=false] + * + * @example + * new VariableTracer() + * .trace("require", { followConsecutiveAssignment: true }) + * .trace("process.mainModule") + */ + trace(identifierOrMemberExpr, options = {}) { + const { + followConsecutiveAssignment = false, + moduleName = null, + name = identifierOrMemberExpr + } = options; + + this.#traced.set(identifierOrMemberExpr, { + name, + identifierOrMemberExpr, + followConsecutiveAssignment, + assignmentMemory: [], + moduleName + }); + + if (identifierOrMemberExpr.includes(".")) { + const exprs = [...getSubMemberExpressionSegments(identifierOrMemberExpr)] + .filter((expr) => !this.#traced.has(expr)); + + for (const expr of exprs) { + this.trace(expr, { + followConsecutiveAssignment: true, name, moduleName + }); + } + } + + return this; + } + + /** + * @param {!string} identifierOrMemberExpr An identifier like "foo" or "foo.bar" + */ + getDataFromIdentifier(identifierOrMemberExpr) { + const isMemberExpr = identifierOrMemberExpr.includes("."); + const isTracingIdentifier = this.#traced.has(identifierOrMemberExpr); + + let finalIdentifier = identifierOrMemberExpr; + if (isMemberExpr && !isTracingIdentifier) { + const [segment] = identifierOrMemberExpr.split("."); + if (this.#traced.has(segment)) { + const tracedIdentifier = this.#traced.get(segment); + finalIdentifier = `${tracedIdentifier.identifierOrMemberExpr}${identifierOrMemberExpr.slice(segment.length)}`; + } + + if (!this.#traced.has(finalIdentifier)) { + return null; + } + } + else if (!isTracingIdentifier) { + return null; + } + + const tracedIdentifier = this.#traced.get(finalIdentifier); + if (!this.#isTracedIdentifierImportedAsModule(tracedIdentifier)) { + return null; + } + + const assignmentMemory = this.#traced.get(tracedIdentifier.name)?.assignmentMemory ?? []; + + return { + name: tracedIdentifier.name, + identifierOrMemberExpr: tracedIdentifier.identifierOrMemberExpr, + assignmentMemory + }; + } + + #getTracedName(identifierOrMemberExpr) { + return this.#traced.has(identifierOrMemberExpr) ? + this.#traced.get(identifierOrMemberExpr).name : null; + } + + #isTracedIdentifierImportedAsModule(id) { + return id.moduleName === null || this.importedModules.has(id.moduleName); + } + + #declareNewAssignment(identifierOrMemberExpr, id) { + const tracedVariant = this.#traced.get(identifierOrMemberExpr); + + // We return if required module has not been imported + // It mean the assigment has no relation with the required tracing + if (!this.#isTracedIdentifierImportedAsModule(tracedVariant)) { + return; + } + + const newIdentiferName = id.name; + + const assignmentEventPayload = { + name: tracedVariant.name, + identifierOrMemberExpr: tracedVariant.identifierOrMemberExpr, + id: newIdentiferName, + location: id.loc + }; + this.emit(VariableTracer.AssignmentEvent, assignmentEventPayload); + this.emit(tracedVariant.identifierOrMemberExpr, assignmentEventPayload); + + if (tracedVariant.followConsecutiveAssignment && !this.#traced.has(newIdentiferName)) { + this.#traced.get(tracedVariant.name).assignmentMemory.push(newIdentiferName); + this.#traced.set(newIdentiferName, tracedVariant); + } + } + + #isGlobalVariableIdentifier(identifierName) { + return kGlobalIdentifiersToTrace.has(identifierName) || + this.#variablesRefToGlobal.has(identifierName); + } + + /** + * Search alternative for the given MemberExpression parts + * + * @example + * const { process: aName } = globalThis; + * const boo = aName.mainModule.require; // alternative: process.mainModule.require + */ + #searchForMemberExprAlternative(parts = []) { + return parts.flatMap((identifierName) => { + if (this.#traced.has(identifierName)) { + return this.#traced.get(identifierName).identifierOrMemberExpr; + } + + /** + * If identifier is global then we can eliminate the value from MemberExpr + * + * globalThis.process === process; + */ + if (this.#isGlobalVariableIdentifier(identifierName)) { + return []; + } + + return identifierName; + }); + } + + #autoTraceId(id, prefix = null) { + for (const { name, assignmentId } of getVariableDeclarationIdentifiers(id)) { + const identifierOrMemberExpr = typeof prefix === "string" ? `${prefix}.${name}` : name; + + if (this.#traced.has(identifierOrMemberExpr)) { + this.#declareNewAssignment(identifierOrMemberExpr, assignmentId); + } + } + } + + #walkImportDeclaration(node) { + const moduleName = node.source.value; + if (!this.#traced.has(moduleName)) { + return; + } + + this.importedModules.add(moduleName); + + // import * as boo from "crypto"; + if (node.specifiers[0].type === "ImportNamespaceSpecifier") { + const importNamespaceNode = node.specifiers[0]; + this.#declareNewAssignment(moduleName, importNamespaceNode.local); + + return; + } + + // import { createHash } from "crypto"; + const importSpecifiers = node.specifiers + .filter((specifierNode) => specifierNode.type === "ImportSpecifier"); + for (const specifier of importSpecifiers) { + const fullImportedName = `${moduleName}.${specifier.imported.name}`; + + if (this.#traced.has(fullImportedName)) { + this.#declareNewAssignment(fullImportedName, specifier.imported); + } + } + } + + #walkRequireCallExpression(variableDeclaratorNode) { + const { init, id } = variableDeclaratorNode; + + const moduleNameLiteral = init.arguments + .find((argumentNode) => argumentNode.type === "Literal" && this.#traced.has(argumentNode.value)); + if (!moduleNameLiteral) { + return; + } + this.importedModules.add(moduleNameLiteral.value); + + switch (id.type) { + case "Identifier": + this.#declareNewAssignment(moduleNameLiteral.value, id); + break; + case "ObjectPattern": { + this.#autoTraceId(id, moduleNameLiteral.value); + + break; + } + } + } + + #walkVariableDeclarationWithIdentifier(variableDeclaratorNode) { + const { init, id } = variableDeclaratorNode; + + switch (init.type) { + // let foo = "10"; <-- "foo" is the key and "10" the value + case "Literal": + this.literalIdentifiers.set(id.name, init.value); + break; + + // const g = eval("this"); + case "CallExpression": { + const fullIdentifierPath = getCallExpressionIdentifier(init); + if (fullIdentifierPath === null) { + break; + } + + const tracedFullIdentifierName = this.#getTracedName(fullIdentifierPath) ?? fullIdentifierPath; + const [identifierName] = fullIdentifierPath.split("."); + + // const id = Function.prototype.call.call(require, require, "http"); + if (this.#neutralCallable.has(identifierName) || isEvilIdentifierPath(fullIdentifierPath)) { + // TODO: make sure we are walking on a require CallExpr here ? + this.#walkRequireCallExpression(variableDeclaratorNode); + } + else if (kUnsafeGlobalCallExpression.has(identifierName)) { + this.#variablesRefToGlobal.add(id.name); + } + // const foo = require("crypto"); + // const bar = require.call(null, "crypto"); + else if (kRequirePatterns.has(identifierName)) { + this.#walkRequireCallExpression(variableDeclaratorNode); + } + else if (tracedFullIdentifierName === "atob") { + const callExprArguments = getCallExpressionArguments(init, { tracer: this }); + if (callExprArguments === null) { + break; + } + + const callExprArgumentNode = callExprArguments.at(0); + if (typeof callExprArgumentNode === "string") { + this.literalIdentifiers.set( + id.name, + Buffer.from(callExprArgumentNode, "base64").toString() + ); + } + } + + break; + } + + // const r = require + case "Identifier": { + const identifierName = init.name; + if (this.#traced.has(identifierName)) { + this.#declareNewAssignment(identifierName, variableDeclaratorNode.id); + } + else if (this.#isGlobalVariableIdentifier(identifierName)) { + this.#variablesRefToGlobal.add(id.name); + } + + break; + } + + // process.mainModule and require.resolve + case "MemberExpression": { + // Example: ["process", "mainModule"] + const memberExprParts = [...getMemberExpressionIdentifier(init, { tracer: this })]; + const memberExprFullname = memberExprParts.join("."); + + // Function.prototype.call + if (isNeutralCallable(memberExprFullname)) { + this.#neutralCallable.add(variableDeclaratorNode.id.name); + } + else if (this.#traced.has(memberExprFullname)) { + this.#declareNewAssignment(memberExprFullname, variableDeclaratorNode.id); + } + else { + const alternativeMemberExprParts = this.#searchForMemberExprAlternative(memberExprParts); + const alternativeMemberExprFullname = alternativeMemberExprParts.join("."); + + if (this.#traced.has(alternativeMemberExprFullname)) { + this.#declareNewAssignment(alternativeMemberExprFullname, variableDeclaratorNode.id); + } + } + + break; + } + } + } + + #walkVariableDeclarationWithAnythingElse(variableDeclaratorNode) { + const { init, id } = variableDeclaratorNode; + + switch (init.type) { + // const { process } = eval("this"); + case "CallExpression": { + const fullIdentifierPath = getCallExpressionIdentifier(init); + if (fullIdentifierPath === null) { + break; + } + const [identifierName] = fullIdentifierPath.split("."); + + // const {} = Function.prototype.call.call(require, require, "http"); + if (isEvilIdentifierPath(fullIdentifierPath)) { + this.#walkRequireCallExpression(variableDeclaratorNode); + } + else if (kUnsafeGlobalCallExpression.has(identifierName)) { + this.#autoTraceId(id); + } + // const { createHash } = require("crypto"); + else if (kRequirePatterns.has(identifierName)) { + this.#walkRequireCallExpression(variableDeclaratorNode); + } + + break; + } + + // const { process } = globalThis; + case "Identifier": { + const identifierName = init.name; + if (this.#isGlobalVariableIdentifier(identifierName)) { + this.#autoTraceId(id); + } + + break; + } + } + } + + walk(node) { + switch (node.type) { + case "ImportDeclaration": { + this.#walkImportDeclaration(node); + break; + } + case "VariableDeclaration": { + for (const variableDeclaratorNode of node.declarations) { + // var foo; <-- no initialization here. + if (!notNullOrUndefined(variableDeclaratorNode.init)) { + continue; + } + + if (variableDeclaratorNode.id.type === "Identifier") { + this.#walkVariableDeclarationWithIdentifier(variableDeclaratorNode); + } + else { + this.#walkVariableDeclarationWithAnythingElse(variableDeclaratorNode); + } + } + break; + } + } + } +} diff --git a/workspaces/estree-ast-utils/src/utils/getSubMemberExpressionSegments.js b/workspaces/estree-ast-utils/src/utils/getSubMemberExpressionSegments.js new file mode 100644 index 0000000..e4ccc3f --- /dev/null +++ b/workspaces/estree-ast-utils/src/utils/getSubMemberExpressionSegments.js @@ -0,0 +1,13 @@ +/** + * @param {!string} str + * @returns {IterableIterator} + */ +export function* getSubMemberExpressionSegments(memberExpressionFullpath) { + const identifiers = memberExpressionFullpath.split("."); + const segments = []; + + for (let i = 0; i < identifiers.length - 1; i++) { + segments.push(identifiers[i]); + yield segments.join("."); + } +} diff --git a/workspaces/estree-ast-utils/src/utils/index.js b/workspaces/estree-ast-utils/src/utils/index.js new file mode 100644 index 0000000..d4b343b --- /dev/null +++ b/workspaces/estree-ast-utils/src/utils/index.js @@ -0,0 +1,4 @@ +export * from "./getSubMemberExpressionSegments.js"; +export * from "./notNullOrUndefined.js"; +export * from "./VariableTracer.js"; +export * from "./isEvilIdentifierPath.js"; diff --git a/workspaces/estree-ast-utils/src/utils/isEvilIdentifierPath.js b/workspaces/estree-ast-utils/src/utils/isEvilIdentifierPath.js new file mode 100644 index 0000000..e9671c2 --- /dev/null +++ b/workspaces/estree-ast-utils/src/utils/isEvilIdentifierPath.js @@ -0,0 +1,18 @@ +/** + * @param {!string} identifier + */ +export function isEvilIdentifierPath(identifier) { + return isFunctionPrototype(identifier); +} + +export function isNeutralCallable(identifier) { + return identifier === "Function.prototype.call"; +} + +/** + * @param {!string} identifier + */ +function isFunctionPrototype(identifier) { + return identifier.startsWith("Function.prototype") + && /call|apply|bind/i.test(identifier); +} diff --git a/workspaces/estree-ast-utils/src/utils/notNullOrUndefined.js b/workspaces/estree-ast-utils/src/utils/notNullOrUndefined.js new file mode 100644 index 0000000..9eee585 --- /dev/null +++ b/workspaces/estree-ast-utils/src/utils/notNullOrUndefined.js @@ -0,0 +1,3 @@ +export function notNullOrUndefined(value) { + return value !== null && value !== void 0; +} diff --git a/workspaces/estree-ast-utils/test/VariableTracer/VariableTracer.spec.js b/workspaces/estree-ast-utils/test/VariableTracer/VariableTracer.spec.js new file mode 100644 index 0000000..41f9ce5 --- /dev/null +++ b/workspaces/estree-ast-utils/test/VariableTracer/VariableTracer.spec.js @@ -0,0 +1,145 @@ +// Import Third-party Dependencies +import test from "tape"; + +// Import Internal Dependencies +import { createTracer } from "../utils.js"; + +test("getDataFromIdentifier must return primitive null is there is no kwown traced identifier", (tape) => { + const helpers = createTracer(true); + + const result = helpers.tracer.getDataFromIdentifier("foobar"); + + tape.strictEqual(result, null); + tape.end(); +}); + +test("it should be able to Trace a malicious code with Global, BinaryExpr, Assignments and Hexadecimal", (tape) => { + const helpers = createTracer(true); + const assignments = helpers.getAssignmentArray(); + + helpers.walkOnCode(` + var foo; + const g = eval("this"); + const p = g["pro" + "cess"]; + + const evil = p["mainMod" + "ule"][unhex("72657175697265")]; + const work = evil(unhex("2e2f746573742f64617461")) + `); + + const evil = helpers.tracer.getDataFromIdentifier("evil"); + tape.deepEqual(evil, { + name: "require", + identifierOrMemberExpr: "process.mainModule.require", + assignmentMemory: ["p", "evil"] + }); + tape.strictEqual(assignments.length, 2); + + const [eventOne, eventTwo] = assignments; + tape.strictEqual(eventOne.identifierOrMemberExpr, "process"); + tape.strictEqual(eventOne.id, "p"); + + tape.strictEqual(eventTwo.identifierOrMemberExpr, "process.mainModule.require"); + tape.strictEqual(eventTwo.id, "evil"); + + tape.end(); +}); + +test("it should be able to Trace a malicious CallExpression by recombining segments of the MemberExpression", (tape) => { + const helpers = createTracer(true); + const assignments = helpers.getAssignmentArray(); + + helpers.walkOnCode(` + const g = global.process; + const r = g.mainModule; + const c = r.require; + c("http"); + r.require("fs"); + `); + + const evil = helpers.tracer.getDataFromIdentifier("r.require"); + tape.deepEqual(evil, { + name: "require", + identifierOrMemberExpr: "process.mainModule.require", + assignmentMemory: ["g", "r", "c"] + }); + tape.strictEqual(assignments.length, 3); + + const [eventOne, eventTwo, eventThree] = assignments; + tape.strictEqual(eventOne.identifierOrMemberExpr, "process"); + tape.strictEqual(eventOne.id, "g"); + + tape.strictEqual(eventTwo.identifierOrMemberExpr, "process.mainModule"); + tape.strictEqual(eventTwo.id, "r"); + + tape.strictEqual(eventThree.identifierOrMemberExpr, "process.mainModule.require"); + tape.strictEqual(eventThree.id, "c"); + + tape.end(); +}); + +test("given a MemberExpression segment that doesn't match anything then it should return null", (tape) => { + const helpers = createTracer(true); + + const result = helpers.tracer.getDataFromIdentifier("foo.bar"); + tape.strictEqual(result, null); + + tape.end(); +}); + +test("it should be able to Trace a require using Function.prototype.call", (tape) => { + const helpers = createTracer(); + helpers.tracer.trace("http"); + const assignments = helpers.getAssignmentArray(); + + helpers.walkOnCode(` + const proto = Function.prototype.call.call(require, require, "http"); + `); + + const proto = helpers.tracer.getDataFromIdentifier("proto"); + + tape.strictEqual(proto, null); + tape.strictEqual(assignments.length, 1); + + const [eventOne] = assignments; + tape.strictEqual(eventOne.identifierOrMemberExpr, "http"); + tape.strictEqual(eventOne.id, "proto"); + + tape.end(); +}); + +test("it should be able to Trace an unsafe crypto.createHash using Function.prototype.call reassignment", (tape) => { + const helpers = createTracer(true); + helpers.tracer.trace("crypto.createHash", { followConsecutiveAssignment: true }); + const assignments = helpers.getAssignmentArray(); + + helpers.walkOnCode(` + const aA = Function.prototype.call; + const bB = require; + + const crr = aA.call(bB, bB, "crypto"); + const createHashBis = crr.createHash; + createHashBis("md5"); + `); + + const createHashBis = helpers.tracer.getDataFromIdentifier("createHashBis"); + tape.deepEqual(createHashBis, { + name: "crypto.createHash", + identifierOrMemberExpr: "crypto.createHash", + assignmentMemory: ["crr", "createHashBis"] + }); + + tape.strictEqual(helpers.tracer.importedModules.has("crypto"), true); + tape.strictEqual(assignments.length, 3); + + const [eventOne, eventTwo, eventThree] = assignments; + tape.strictEqual(eventOne.identifierOrMemberExpr, "require"); + tape.strictEqual(eventOne.id, "bB"); + + tape.strictEqual(eventTwo.identifierOrMemberExpr, "crypto"); + tape.strictEqual(eventTwo.id, "crr"); + + tape.strictEqual(eventThree.identifierOrMemberExpr, "crypto.createHash"); + tape.strictEqual(eventThree.id, "createHashBis"); + + tape.end(); +}); diff --git a/workspaces/estree-ast-utils/test/VariableTracer/assignments.spec.js b/workspaces/estree-ast-utils/test/VariableTracer/assignments.spec.js new file mode 100644 index 0000000..f1d1aa2 --- /dev/null +++ b/workspaces/estree-ast-utils/test/VariableTracer/assignments.spec.js @@ -0,0 +1,133 @@ +// Import Third-party Dependencies +import test from "tape"; + +// Import Internal Dependencies +import { createTracer } from "../utils.js"; + +test("it should be able to Trace a require Assignment (using a global variable)", (tape) => { + const helpers = createTracer(true); + const assignments = helpers.getAssignmentArray(); + + helpers.walkOnCode(` + const test = globalThis; + const foo = test.require; + foo("http"); + `); + + const foo = helpers.tracer.getDataFromIdentifier("foo"); + tape.deepEqual(foo, { + name: "require", + identifierOrMemberExpr: "require", + assignmentMemory: ["foo"] + }); + tape.strictEqual(assignments.length, 1); + + const [eventOne] = assignments; + tape.strictEqual(eventOne.identifierOrMemberExpr, "require"); + tape.strictEqual(eventOne.id, "foo"); + + tape.end(); +}); + +test("it should be able to Trace a require Assignment (using a MemberExpression)", (tape) => { + const helpers = createTracer(true); + const assignments = helpers.getAssignmentArray(); + + helpers.walkOnCode(` + const foo = require.resolve; + foo("http"); + `); + + const foo = helpers.tracer.getDataFromIdentifier("foo"); + tape.deepEqual(foo, { + name: "require", + identifierOrMemberExpr: "require.resolve", + assignmentMemory: ["foo"] + }); + tape.strictEqual(assignments.length, 1); + + const [eventOne] = assignments; + tape.strictEqual(eventOne.identifierOrMemberExpr, "require.resolve"); + tape.strictEqual(eventOne.id, "foo"); + + tape.end(); +}); + +test("it should be able to Trace a global Assignment using an ESTree ObjectPattern", (tape) => { + const helpers = createTracer(true); + const assignments = helpers.getAssignmentArray(); + + helpers.walkOnCode(` + const { process: yoo } = globalThis; + + const boo = yoo.mainModule.require; + `); + + const boo = helpers.tracer.getDataFromIdentifier("boo"); + + tape.deepEqual(boo, { + name: "require", + identifierOrMemberExpr: "process.mainModule.require", + assignmentMemory: ["yoo", "boo"] + }); + tape.strictEqual(assignments.length, 2); + + const [eventOne, eventTwo] = assignments; + tape.strictEqual(eventOne.identifierOrMemberExpr, "process"); + tape.strictEqual(eventOne.id, "yoo"); + + tape.strictEqual(eventTwo.identifierOrMemberExpr, "process.mainModule.require"); + tape.strictEqual(eventTwo.id, "boo"); + + tape.end(); +}); + +test("it should be able to Trace an Unsafe Function() Assignment using an ESTree ObjectPattern", (tape) => { + const helpers = createTracer(true); + const assignments = helpers.getAssignmentArray(); + + helpers.walkOnCode(` + const { process: yoo } = Function("return this")(); + + const boo = yoo.mainModule.require; + `); + + const boo = helpers.tracer.getDataFromIdentifier("boo"); + + tape.deepEqual(boo, { + name: "require", + identifierOrMemberExpr: "process.mainModule.require", + assignmentMemory: ["yoo", "boo"] + }); + tape.strictEqual(assignments.length, 2); + + const [eventOne, eventTwo] = assignments; + tape.strictEqual(eventOne.identifierOrMemberExpr, "process"); + tape.strictEqual(eventOne.id, "yoo"); + + tape.strictEqual(eventTwo.identifierOrMemberExpr, "process.mainModule.require"); + tape.strictEqual(eventTwo.id, "boo"); + + tape.end(); +}); + +test("it should be able to Trace a require Assignment with atob", (tape) => { + const helpers = createTracer(true); + const assignments = helpers.getAssignmentArray(); + + helpers.walkOnCode(` + const xo = atob; + const yo = 'b3M='; + const ff = xo(yo); + `); + tape.strictEqual(assignments.length, 1); + + const [eventOne] = assignments; + tape.strictEqual(eventOne.identifierOrMemberExpr, "atob"); + tape.strictEqual(eventOne.id, "xo"); + + tape.true(helpers.tracer.literalIdentifiers.has("ff")); + tape.strictEqual(helpers.tracer.literalIdentifiers.get("ff"), "os"); + + tape.end(); +}); diff --git a/workspaces/estree-ast-utils/test/VariableTracer/cryptoCreateHash.spec.js b/workspaces/estree-ast-utils/test/VariableTracer/cryptoCreateHash.spec.js new file mode 100644 index 0000000..55f01bf --- /dev/null +++ b/workspaces/estree-ast-utils/test/VariableTracer/cryptoCreateHash.spec.js @@ -0,0 +1,194 @@ +// Import Third-party Dependencies +import test from "tape"; + +// Import Internal Dependencies +import { createTracer } from "../utils.js"; + +test("it should be able to Trace crypto.createHash when imported with an ESTree ImportNamespaceSpecifier (ESM)", (tape) => { + const helpers = createTracer(); + helpers.tracer.trace("crypto.createHash", { + followConsecutiveAssignment: true, + moduleName: "crypto" + }); + const assignments = helpers.getAssignmentArray(); + + helpers.walkOnCode(` + import fs from "fs"; + import * as cryptoBis from "crypto"; + + const createHashBis = cryptoBis.createHash; + createHashBis("md5"); + `); + + const createHashBis = helpers.tracer.getDataFromIdentifier("createHashBis"); + + tape.deepEqual(createHashBis, { + name: "crypto.createHash", + identifierOrMemberExpr: "crypto.createHash", + assignmentMemory: ["cryptoBis", "createHashBis"] + }); + tape.strictEqual(assignments.length, 2); + + const [eventOne, eventTwo] = assignments; + tape.strictEqual(eventOne.identifierOrMemberExpr, "crypto"); + tape.strictEqual(eventOne.id, "cryptoBis"); + + tape.strictEqual(eventTwo.identifierOrMemberExpr, "crypto.createHash"); + tape.strictEqual(eventTwo.id, "createHashBis"); + + tape.end(); +}); + +test("it should be able to Trace createHash when required (CommonJS) and destructured with an ESTree ObjectPattern", (tape) => { + const helpers = createTracer(); + helpers.tracer.trace("crypto.createHash", { + followConsecutiveAssignment: true, + moduleName: "crypto" + }); + const assignments = helpers.getAssignmentArray(); + + /** + * This is an ObjectPattern: + * const { createHash } = ... + */ + helpers.walkOnCode(` + const { createHash } = require("crypto"); + + const createHashBis = createHash; + createHashBis("md5"); + `); + + const createHashBis = helpers.tracer.getDataFromIdentifier("createHashBis"); + + tape.deepEqual(createHashBis, { + name: "crypto.createHash", + identifierOrMemberExpr: "crypto.createHash", + assignmentMemory: ["createHash", "createHashBis"] + }); + tape.strictEqual(assignments.length, 2); + + const [eventOne, eventTwo] = assignments; + tape.strictEqual(eventOne.identifierOrMemberExpr, "crypto.createHash"); + tape.strictEqual(eventOne.id, "createHash"); + + tape.strictEqual(eventTwo.identifierOrMemberExpr, "crypto.createHash"); + tape.strictEqual(eventTwo.id, "createHashBis"); + + tape.end(); +}); + +test("it should be able to Trace crypto.createHash when imported with an ESTree ImportSpecifier (ESM)", (tape) => { + const helpers = createTracer(); + helpers.tracer.trace("crypto.createHash", { + followConsecutiveAssignment: true, + moduleName: "crypto" + }); + const assignments = helpers.getAssignmentArray(); + + helpers.walkOnCode(` + import { createHash } from "crypto"; + + const createHashBis = createHash; + createHashBis("md5"); + `); + + const createHashBis = helpers.tracer.getDataFromIdentifier("createHashBis"); + + tape.deepEqual(createHashBis, { + name: "crypto.createHash", + identifierOrMemberExpr: "crypto.createHash", + assignmentMemory: ["createHash", "createHashBis"] + }); + tape.strictEqual(assignments.length, 2); + + const [eventOne, eventTwo] = assignments; + tape.strictEqual(eventOne.identifierOrMemberExpr, "crypto.createHash"); + tape.strictEqual(eventOne.id, "createHash"); + + tape.strictEqual(eventTwo.identifierOrMemberExpr, "crypto.createHash"); + tape.strictEqual(eventTwo.id, "createHashBis"); + + tape.end(); +}); + +test("it should be able to Trace crypto.createHash with CommonJS require and with a computed method with a Literal", (tape) => { + const helpers = createTracer(); + helpers.tracer.trace("crypto.createHash", { + followConsecutiveAssignment: true, + moduleName: "crypto" + }); + const assignments = helpers.getAssignmentArray(); + + helpers.walkOnCode(` + const fs = require("fs"); + const crypto = require("crypto"); + + const id = "createHash"; + const createHashBis = crypto[id]; + createHashBis("md5"); + `); + + tape.strictEqual(helpers.tracer.importedModules.has("crypto"), true); + + const createHashBis = helpers.tracer.getDataFromIdentifier("createHashBis"); + + tape.deepEqual(createHashBis, { + name: "crypto.createHash", + identifierOrMemberExpr: "crypto.createHash", + assignmentMemory: ["createHashBis"] + }); + tape.strictEqual(assignments.length, 2); + + const [eventOne, eventTwo] = assignments; + tape.strictEqual(eventOne.identifierOrMemberExpr, "crypto"); + tape.strictEqual(eventOne.id, "crypto"); + + tape.strictEqual(eventTwo.identifierOrMemberExpr, "crypto.createHash"); + tape.strictEqual(eventTwo.id, "createHashBis"); + + tape.end(); +}); + +test("it should not detect variable assignment since the crypto module is not imported", (tape) => { + const helpers = createTracer(); + helpers.tracer.trace("crypto.createHash", { + followConsecutiveAssignment: true, + moduleName: "crypto" + }); + + const assignments = helpers.getAssignmentArray(); + + helpers.walkOnCode(` + const crypto = { + createHash() {} + } + const _t = crypto.createHash; + _t("md5"); + `); + + tape.strictEqual(helpers.tracer.importedModules.has("crypto"), false); + tape.strictEqual(assignments.length, 0); + + tape.end(); +}); + +test("it should return null because crypto.createHash is not imported from a module", (tape) => { + const helpers = createTracer(true); + helpers.tracer.trace("crypto.createHash", { + followConsecutiveAssignment: true, + moduleName: "crypto" + }); + + helpers.walkOnCode(` + const crypto = { + createHash() {} + } + const evil = crypto.createHash; + evil('md5'); + `); + + const result = helpers.tracer.getDataFromIdentifier("crypto.createHash"); + tape.strictEqual(result, null); + + tape.end(); +}); diff --git a/workspaces/estree-ast-utils/test/arrayExpressionToString.spec.js b/workspaces/estree-ast-utils/test/arrayExpressionToString.spec.js new file mode 100644 index 0000000..7de5156 --- /dev/null +++ b/workspaces/estree-ast-utils/test/arrayExpressionToString.spec.js @@ -0,0 +1,75 @@ +// Import Third-party Dependencies +import test from "tape"; +import { IteratorMatcher } from "iterator-matcher"; + +// Import Internal Dependencies +import { arrayExpressionToString } from "../src/index.js"; +import { codeToAst, getExpressionFromStatement, createTracer } from "./utils.js"; + +test("given an ArrayExpression with two Literals then the iterable must return them one by one", (tape) => { + const [astNode] = codeToAst("['foo', 'bar']"); + const iter = arrayExpressionToString(getExpressionFromStatement(astNode)); + + const iterResult = new IteratorMatcher() + .expect("foo") + .expect("bar") + .execute(iter, { allowNoMatchingValues: false }); + + tape.strictEqual(iterResult.isMatching, true); + tape.strictEqual(iterResult.elapsedSteps, 2); + tape.end(); +}); + +test("given an ArrayExpression with two Identifiers then the iterable must return value from the Tracer", (tape) => { + const { tracer } = createTracer(); + tracer.literalIdentifiers.set("foo", "1"); + tracer.literalIdentifiers.set("bar", "2"); + + const [astNode] = codeToAst("[foo, bar]"); + const iter = arrayExpressionToString(getExpressionFromStatement(astNode), { tracer }); + + const iterResult = new IteratorMatcher() + .expect("1") + .expect("2") + .execute(iter, { allowNoMatchingValues: false }); + + tape.strictEqual(iterResult.isMatching, true); + tape.strictEqual(iterResult.elapsedSteps, 2); + tape.end(); +}); + +test(`given an ArrayExpression with two numbers + then the function must convert them as char code + and return them in the iterable`, (tape) => { + const [astNode] = codeToAst("[65, 66]"); + const iter = arrayExpressionToString(getExpressionFromStatement(astNode)); + + const iterResult = new IteratorMatcher() + .expect("A") + .expect("B") + .execute(iter, { allowNoMatchingValues: false }); + + tape.strictEqual(iterResult.isMatching, true); + tape.strictEqual(iterResult.elapsedSteps, 2); + tape.end(); +}); + +test("given an ArrayExpression with empty Literals then the iterable must return no values", (tape) => { + const [astNode] = codeToAst("['', '']"); + const iter = arrayExpressionToString(getExpressionFromStatement(astNode)); + + const iterResult = [...iter]; + + tape.strictEqual(iterResult.length, 0); + tape.end(); +}); + +test("given an AST that is not an ArrayExpression then it must return immediately", (tape) => { + const [astNode] = codeToAst("const foo = 5;"); + const iter = arrayExpressionToString(astNode); + + const iterResult = [...iter]; + + tape.strictEqual(iterResult.length, 0); + tape.end(); +}); diff --git a/workspaces/estree-ast-utils/test/concatBinaryExpression.spec.js b/workspaces/estree-ast-utils/test/concatBinaryExpression.spec.js new file mode 100644 index 0000000..630d5a9 --- /dev/null +++ b/workspaces/estree-ast-utils/test/concatBinaryExpression.spec.js @@ -0,0 +1,92 @@ +// Import Third-party Dependencies +import test from "tape"; +import { IteratorMatcher } from "iterator-matcher"; + +// Import Internal Dependencies +import { concatBinaryExpression } from "../src/index.js"; +import { codeToAst, getExpressionFromStatement, createTracer } from "./utils.js"; + +test("given a BinaryExpression of two literals then the iterable must return Literal values", (tape) => { + const [astNode] = codeToAst("'foo' + 'bar' + 'xd'"); + const iter = concatBinaryExpression(getExpressionFromStatement(astNode)); + + const iterResult = new IteratorMatcher() + .expect("foo") + .expect("bar") + .expect("xd") + .execute(iter, { allowNoMatchingValues: false }); + + tape.strictEqual(iterResult.isMatching, true); + tape.strictEqual(iterResult.elapsedSteps, 3); + tape.end(); +}); + +test("given a BinaryExpression of two ArrayExpression then the iterable must return Array values as string", (tape) => { + const [astNode] = codeToAst("['A'] + ['B']"); + const iter = concatBinaryExpression(getExpressionFromStatement(astNode)); + + const iterResult = new IteratorMatcher() + .expect("A") + .expect("B") + .execute(iter, { allowNoMatchingValues: false }); + + tape.strictEqual(iterResult.isMatching, true); + tape.strictEqual(iterResult.elapsedSteps, 2); + tape.end(); +}); + +test("given a BinaryExpression of two Identifiers then the iterable must the tracer values", (tape) => { + const { tracer } = createTracer(); + tracer.literalIdentifiers.set("foo", "A"); + tracer.literalIdentifiers.set("bar", "B"); + + const [astNode] = codeToAst("foo + bar"); + const iter = concatBinaryExpression(getExpressionFromStatement(astNode), { tracer }); + + const iterResult = new IteratorMatcher() + .expect("A") + .expect("B") + .execute(iter, { allowNoMatchingValues: false }); + + tape.strictEqual(iterResult.isMatching, true); + tape.strictEqual(iterResult.elapsedSteps, 2); + tape.end(); +}); + +test("given a one level BinaryExpression with an unsupported node it should throw an Error", (tape) => { + tape.plan(1); + const { tracer } = createTracer(); + + const [astNode] = codeToAst("evil() + 's'"); + try { + const iter = concatBinaryExpression(getExpressionFromStatement(astNode), { + tracer, + stopOnUnsupportedNode: true + }); + iter.next(); + } + catch (error) { + tape.strictEqual(error.message, "concatBinaryExpression:: Unsupported node detected"); + } + + tape.end(); +}); + +test("given a Deep BinaryExpression with an unsupported node it should throw an Error", (tape) => { + tape.plan(1); + const { tracer } = createTracer(); + + const [astNode] = codeToAst("'a' + evil() + 's'"); + try { + const iter = concatBinaryExpression(getExpressionFromStatement(astNode), { + tracer, + stopOnUnsupportedNode: true + }); + iter.next(); + } + catch (error) { + tape.strictEqual(error.message, "concatBinaryExpression:: Unsupported node detected"); + } + + tape.end(); +}); diff --git a/workspaces/estree-ast-utils/test/getCallExpressionIdentifier.spec.js b/workspaces/estree-ast-utils/test/getCallExpressionIdentifier.spec.js new file mode 100644 index 0000000..e0d29ec --- /dev/null +++ b/workspaces/estree-ast-utils/test/getCallExpressionIdentifier.spec.js @@ -0,0 +1,30 @@ +// Import Third-party Dependencies +import test from "tape"; + +// Import Internal Dependencies +import { getCallExpressionIdentifier } from "../src/index.js"; +import { codeToAst, getExpressionFromStatement } from "./utils.js"; + +test("given a JavaScript eval CallExpression then it must return eval", (tape) => { + const [astNode] = codeToAst("eval(\"this\");"); + const nodeIdentifier = getCallExpressionIdentifier(getExpressionFromStatement(astNode)); + + tape.strictEqual(nodeIdentifier, "eval"); + tape.end(); +}); + +test("given a JavaScript Function() CallExpression then it must return Function", (tape) => { + const [astNode] = codeToAst("Function(\"return this\")();"); + const nodeIdentifier = getCallExpressionIdentifier(getExpressionFromStatement(astNode)); + + tape.strictEqual(nodeIdentifier, "Function"); + tape.end(); +}); + +test("given a JavaScript AssignmentExpression then it must return null", (tape) => { + const [astNode] = codeToAst("foo = 10;"); + const nodeIdentifier = getCallExpressionIdentifier(getExpressionFromStatement(astNode)); + + tape.strictEqual(nodeIdentifier, null); + tape.end(); +}); diff --git a/workspaces/estree-ast-utils/test/getMemberExpressionIdentifier.spec.js b/workspaces/estree-ast-utils/test/getMemberExpressionIdentifier.spec.js new file mode 100644 index 0000000..8761e78 --- /dev/null +++ b/workspaces/estree-ast-utils/test/getMemberExpressionIdentifier.spec.js @@ -0,0 +1,84 @@ +// Import Third-party Dependencies +import test from "tape"; +import { IteratorMatcher } from "iterator-matcher"; + +// Import Internal Dependencies +import { getMemberExpressionIdentifier } from "../src/index.js"; +import { codeToAst, createTracer, getExpressionFromStatement } from "./utils.js"; + +test("it must return all literals part of the given MemberExpression", (tape) => { + const [astNode] = codeToAst("foo.bar.xd"); + const iter = getMemberExpressionIdentifier( + getExpressionFromStatement(astNode) + ); + + const iterResult = new IteratorMatcher() + .expect("foo") + .expect("bar") + .expect("xd") + .execute(iter, { allowNoMatchingValues: false }); + + tape.strictEqual(iterResult.isMatching, true); + tape.strictEqual(iterResult.elapsedSteps, 3); + tape.end(); +}); + +test("it must return all computed properties of the given MemberExpression", (tape) => { + const [astNode] = codeToAst("foo['bar']['xd']"); + const iter = getMemberExpressionIdentifier( + getExpressionFromStatement(astNode) + ); + + const iterResult = new IteratorMatcher() + .expect("foo") + .expect("bar") + .expect("xd") + .execute(iter, { allowNoMatchingValues: false }); + + tape.strictEqual(iterResult.isMatching, true); + tape.strictEqual(iterResult.elapsedSteps, 3); + + tape.end(); +}); + +test(`given a MemberExpression with a computed property containing a deep tree of BinaryExpression + then it must return all literals parts even the last one which is the concatenation of the BinaryExpr`, (tape) => { + const [astNode] = codeToAst("foo.bar[\"k\" + \"e\" + \"y\"]"); + const iter = getMemberExpressionIdentifier( + getExpressionFromStatement(astNode) + ); + + const iterResult = new IteratorMatcher() + .expect("foo") + .expect("bar") + .expect("key") + .execute(iter, { allowNoMatchingValues: false }); + + tape.strictEqual(iterResult.isMatching, true); + tape.strictEqual(iterResult.elapsedSteps, 3); + + tape.end(); +}); + +test(`given a MemberExpression with computed properties containing identifiers + then it must return all literals values from the tracer`, (tape) => { + const { tracer } = createTracer(); + tracer.literalIdentifiers.set("foo", "hello"); + tracer.literalIdentifiers.set("yo", "bar"); + + const [astNode] = codeToAst("hey[foo][yo]"); + const iter = getMemberExpressionIdentifier( + getExpressionFromStatement(astNode), { tracer } + ); + + const iterResult = new IteratorMatcher() + .expect("hey") + .expect("hello") + .expect("bar") + .execute(iter, { allowNoMatchingValues: false }); + + tape.strictEqual(iterResult.isMatching, true); + tape.strictEqual(iterResult.elapsedSteps, 3); + + tape.end(); +}); diff --git a/workspaces/estree-ast-utils/test/isLiteralRegex.spec.js b/workspaces/estree-ast-utils/test/isLiteralRegex.spec.js new file mode 100644 index 0000000..97dd7be --- /dev/null +++ b/workspaces/estree-ast-utils/test/isLiteralRegex.spec.js @@ -0,0 +1,22 @@ +// Import Third-party Dependencies +import test from "tape"; + +// Import Internal Dependencies +import { isLiteralRegex } from "../src/index.js"; +import { codeToAst, getExpressionFromStatement } from "./utils.js"; + +test("given a Literal Regex Node it should return true", (tape) => { + const [astNode] = codeToAst("/^a/g"); + const isLRegex = isLiteralRegex(getExpressionFromStatement(astNode)); + + tape.strictEqual(isLRegex, true); + tape.end(); +}); + +test("given a RegexObject Node it should return false", (tape) => { + const [astNode] = codeToAst("new RegExp('^hello')"); + const isLRegex = isLiteralRegex(getExpressionFromStatement(astNode)); + + tape.strictEqual(isLRegex, false); + tape.end(); +}); diff --git a/workspaces/estree-ast-utils/test/utils.js b/workspaces/estree-ast-utils/test/utils.js new file mode 100644 index 0000000..4d654f5 --- /dev/null +++ b/workspaces/estree-ast-utils/test/utils.js @@ -0,0 +1,62 @@ +// Import Third-party Dependencies +import * as meriyah from "meriyah"; +import { walk } from "estree-walker"; + +// Import Internal Dependencies +import { VariableTracer } from "../src/index.js"; + +export function codeToAst(code) { + const estreeRootNode = meriyah.parseScript(code, { + next: true, + loc: true, + raw: true, + module: true, + globalReturn: false + }); + + return estreeRootNode.body; +} + +export function getExpressionFromStatement(node) { + return node.type === "ExpressionStatement" ? node.expression : null; +} + +export function createTracer(enableDefaultTracing = false) { + const tracer = new VariableTracer(); + if (enableDefaultTracing) { + tracer.enableDefaultTracing(); + } + + return { + tracer, + walkOnAst(astNode) { + walk(astNode, { + enter(node) { + tracer.walk(node); + } + }); + }, + /** + * @param {!string} codeStr + * @param {object} [options] + * @param {boolean} [options.debugAst=false] + * @returns {void} + */ + walkOnCode(codeStr, options = {}) { + const { debugAst = false } = options; + + const astNode = codeToAst(codeStr); + if (debugAst) { + console.log(JSON.stringify(astNode, null, 2)); + } + + this.walkOnAst(astNode); + }, + getAssignmentArray(event = VariableTracer.AssignmentEvent) { + const assignmentEvents = []; + tracer.on(event, (value) => assignmentEvents.push(value)); + + return assignmentEvents; + } + }; +} diff --git a/workspaces/estree-ast-utils/test/utils/getSubMemberExpressionSegments.spec.js b/workspaces/estree-ast-utils/test/utils/getSubMemberExpressionSegments.spec.js new file mode 100644 index 0000000..bab8c93 --- /dev/null +++ b/workspaces/estree-ast-utils/test/utils/getSubMemberExpressionSegments.spec.js @@ -0,0 +1,19 @@ +// Import Third-party Dependencies +import test from "tape"; +import { IteratorMatcher } from "iterator-matcher"; + +// Import Internal Dependencies +import { getSubMemberExpressionSegments } from "../../src/utils/index.js"; + +test("given a MemberExpression then it should return each segments (except the last one)", (tape) => { + const iter = getSubMemberExpressionSegments("foo.bar.xd"); + + const iterResult = new IteratorMatcher() + .expect("foo") + .expect("foo.bar") + .execute(iter, { allowNoMatchingValues: false }); + + tape.strictEqual(iterResult.isMatching, true); + tape.strictEqual(iterResult.elapsedSteps, 2); + tape.end(); +}); diff --git a/workspaces/estree-ast-utils/test/utils/isEvilIdentifierPath.spec.js b/workspaces/estree-ast-utils/test/utils/isEvilIdentifierPath.spec.js new file mode 100644 index 0000000..9affdf9 --- /dev/null +++ b/workspaces/estree-ast-utils/test/utils/isEvilIdentifierPath.spec.js @@ -0,0 +1,28 @@ +// Import Third-party Dependencies +import test from "tape"; + +// Import Internal Dependencies +import { isEvilIdentifierPath } from "../../src/utils/index.js"; + +test("given a random prototype method name then it should return false", (tape) => { + const result = isEvilIdentifierPath( + "Function.prototype.foo" + ); + + tape.strictEqual(result, false); + + tape.end(); +}); + +test("given a list of evil identifiers it should always return true", (tape) => { + const evilIdentifiers = [ + "Function.prototype.bind", + "Function.prototype.call", + "Function.prototype.apply" + ]; + for (const identifier of evilIdentifiers) { + tape.strictEqual(isEvilIdentifierPath(identifier), true); + } + + tape.end(); +}); diff --git a/workspaces/estree-ast-utils/test/utils/notNullOrUndefined.spec.js b/workspaces/estree-ast-utils/test/utils/notNullOrUndefined.spec.js new file mode 100644 index 0000000..4f7c031 --- /dev/null +++ b/workspaces/estree-ast-utils/test/utils/notNullOrUndefined.spec.js @@ -0,0 +1,21 @@ +// Import Third-party Dependencies +import test from "tape"; + +// Import Internal Dependencies +import { notNullOrUndefined } from "../../src/utils/index.js"; + +test("given a null or undefined primitive value then it must always return false", (tape) => { + tape.strictEqual(notNullOrUndefined(null), false, "null primitive value should return false"); + tape.strictEqual(notNullOrUndefined(void 0), false, "undefined primitive value should return false"); + + tape.end(); +}); + +test("given values (primitive or objects) that are not null or undefined then it must always return true", (tape) => { + const valuesToAssert = ["", 1, true, Symbol("foo"), {}, [], /^xd/g]; + for (const value of valuesToAssert) { + tape.strictEqual(notNullOrUndefined(value), true); + } + + tape.end(); +}); diff --git a/workspaces/sec-literal/LICENSE b/workspaces/sec-literal/LICENSE new file mode 100644 index 0000000..346097d --- /dev/null +++ b/workspaces/sec-literal/LICENSE @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2023 NodeSecure + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/workspaces/sec-literal/README.md b/workspaces/sec-literal/README.md new file mode 100644 index 0000000..d2e7552 --- /dev/null +++ b/workspaces/sec-literal/README.md @@ -0,0 +1,69 @@ +# Sec-literal +![version](https://img.shields.io/badge/dynamic/json.svg?url=https://raw.githubusercontent.com/NodeSecure/js-x-ray/blob/master/workspaces/sec-literal/master/package.json&query=$.version&label=Version) +[![Maintenance](https://img.shields.io/badge/Maintained%3F-yes-green.svg)](https://github.com/NodeSecure/js-x-ray/blob/master/workspaces/sec-literal/commit-activity) +[![OpenSSF +Scorecard](https://api.securityscorecards.dev/projects/github.com/NodeSecure/js-x-ray/blob/master/workspaces/sec-literal/badge)](https://api.securityscorecards.dev/projects/github.com/NodeSecure/js-x-ray/blob/master/workspaces/sec-literal) +[![mit](https://img.shields.io/github/license/Naereen/StrapDown.js.svg)](https://github.com/NodeSecure/js-x-ray/blob/master/workspaces/sec-literal/blob/master/LICENSE) +![build](https://img.shields.io/github/actions/workflow/status/NodeSecure/js-x-ray/blob/master/workspaces/sec-literal/node.js.yml) + +This package is a security utilities library created to analyze [ESTree Literal](https://github.com/estree/estree/blob/master/es5.md#literal) and JavaScript string primitive. This project was originally created to simplify and better test the functionalities required for the SAST Scanner [JS-X-Ray](https://github.com/fraxken/js-x-ray). + +## Features + +- Detect Hexadecimal, Base64, Hexa and Unicode sequences. +- Detect patterns (prefix, suffix) on groups of identifiers. +- Detect suspicious string and return advanced metrics on it (char diversity etc). + +## Getting Started + +This package is available in the Node Package Repository and can be easily installed with [npm](https://docs.npmjs.com/getting-started/what-is-npm) or [yarn](https://yarnpkg.com). + +```bash +$ npm i @nodesecure/sec-literal +# or +$ yarn add @nodesecure/sec-literal +``` + +## API + +## Hex + +### isHex(anyValue): boolean +Detect if the given string is an Hexadecimal value + +### isSafe(anyValue): boolean +Detect if the given string is a safe Hexadecimal value. The goal of this method is to eliminate false-positive. + +```js +Hex.isSafe("1234"); // true +Hex.isSafe("abcdef"); // true +``` + +## Literal + +### isLiteral(anyValue): boolean +### toValue(anyValue): string +### toRaw(anyValue): string +### defaultAnalysis(literalValue) + +## Utils + +### isSvg(strValue): boolean + +### isSvgPath(strValue): boolean +Detect if a given string is a svg path or not. + +### stringCharDiversity(str): number +Get the number of unique chars in a given string + +### stringSuspicionScore(str): number +Analyze a given string an give it a suspicion score (higher than 1 or 2 mean that the string is highly suspect). + +## Patterns + +### commonStringPrefix(leftStr, rightStr): string | null +### commonStringSuffix(leftStr, rightStr): string | null +### commonHexadecimalPrefix(identifiersArray: string[]) + +## License +MIT diff --git a/workspaces/sec-literal/package.json b/workspaces/sec-literal/package.json new file mode 100644 index 0000000..53b0995 --- /dev/null +++ b/workspaces/sec-literal/package.json @@ -0,0 +1,39 @@ +{ + "name": "@nodesecure/sec-literal", + "version": "1.2.0", + "description": "Package created to analyze JavaScript literals", + "exports": "./src/index.js", + "private": false, + "type": "module", + "scripts": { + "lint": "eslint --ext .js", + "test-only": "cross-env esm-tape-runner 'test/*.spec.js' | tap-monkey", + "test": "cross-env npm run lint && npm run test-only" + }, + "repository": { + "type": "git", + "url": "git+https://github.com/NodeSecure/sec-literal.git" + }, + "keywords": [ + "security", + "literal", + "estree", + "analysis", + "scanner" + ], + "files": [ + "src" + ], + "author": "GENTILHOMME Thomas ", + "license": "MIT", + "bugs": { + "url": "https://github.com/NodeSecure/sec-literal/issues" + }, + "homepage": "https://github.com/NodeSecure/sec-literal#readme", + "dependencies": { + "frequency-set": "^1.0.2", + "is-base64": "^1.1.0", + "is-svg": "^4.3.2", + "string-width": "^5.1.2" + } +} diff --git a/workspaces/sec-literal/src/hex.js b/workspaces/sec-literal/src/hex.js new file mode 100644 index 0000000..cb0988c --- /dev/null +++ b/workspaces/sec-literal/src/hex.js @@ -0,0 +1,53 @@ +// Import Internal Dependencies +import * as Literal from "./literal.js"; +import * as Utils from "./utils.js"; + +const kUnsafeHexValues = new Set([ + "require", + "length" +].map((value) => Buffer.from(value).toString("hex"))); + +// CONSTANTS +const kSafeHexValues = new Set([ + "0123456789", + "123456789", + "abcdef", + "abc123456789", + "0123456789abcdef", + "abcdef0123456789abcdef" +]); + +export const CONSTANTS = Object.freeze({ + SAFE_HEXA_VALUES: [...kSafeHexValues], + UNSAFE_HEXA_VALUES: [...kUnsafeHexValues] +}); + +/** + * @description detect if the given string is an Hexadecimal value + * @param {SecLiteral.Literal | string} anyValue + * @returns {boolean} + */ +export function isHex(anyValue) { + const value = Literal.toValue(anyValue); + + return typeof value === "string" && /^[0-9A-Fa-f]{4,}$/g.test(value); +} + +/** + * @description detect if the given string is a safe Hexadecimal value + * @param {SecLiteral.Literal | string} anyValue + * @returns {boolean} + */ +export function isSafe(anyValue) { + const rawValue = Literal.toRaw(anyValue); + if (kUnsafeHexValues.has(rawValue)) { + return false; + } + + const charCount = Utils.stringCharDiversity(rawValue); + if (/^([0-9]+|[a-z]+|[A-Z]+)$/g.test(rawValue) || rawValue.length <= 5 || charCount <= 2) { + return true; + } + + return [...kSafeHexValues].some((value) => rawValue.toLowerCase().startsWith(value)); +} diff --git a/workspaces/sec-literal/src/index.js b/workspaces/sec-literal/src/index.js new file mode 100644 index 0000000..8eaea83 --- /dev/null +++ b/workspaces/sec-literal/src/index.js @@ -0,0 +1,4 @@ +export * as Hex from "./hex.js"; +export * as Literal from "./literal.js"; +export * as Utils from "./utils.js"; +export * as Patterns from "./patterns.js"; diff --git a/workspaces/sec-literal/src/literal.js b/workspaces/sec-literal/src/literal.js new file mode 100644 index 0000000..1937c07 --- /dev/null +++ b/workspaces/sec-literal/src/literal.js @@ -0,0 +1,43 @@ +// Import Third-party Dependencies +import isStringBase64 from "is-base64"; + +/** + * @param {SecLiteral.Literal | string} anyValue + * @returns {string} + */ +export function isLiteral(anyValue) { + return typeof anyValue === "object" && "type" in anyValue && anyValue.type === "Literal"; +} + +/** + * @param {SecLiteral.Literal | string} strOrLiteral + * @returns {string} + */ +export function toValue(strOrLiteral) { + return isLiteral(strOrLiteral) ? strOrLiteral.value : strOrLiteral; +} + +/** + * @param {SecLiteral.Literal | string} strOrLiteral + * @returns {string} + */ +export function toRaw(strOrLiteral) { + return isLiteral(strOrLiteral) ? strOrLiteral.raw : strOrLiteral; +} + +/** + * @param {!SecLiteral.Literal} literalValue + * @returns {SecLiteral.LiteralDefaultAnalysis} + */ +export function defaultAnalysis(literalValue) { + if (!isLiteral(literalValue)) { + return null; + } + + const hasRawValue = "raw" in literalValue; + const hasHexadecimalSequence = hasRawValue ? /\\x[a-fA-F0-9]{2}/g.exec(literalValue.raw) !== null : null; + const hasUnicodeSequence = hasRawValue ? /\\u[a-fA-F0-9]{4}/g.exec(literalValue.raw) !== null : null; + const isBase64 = isStringBase64(literalValue.value, { allowEmpty: false }); + + return { hasHexadecimalSequence, hasUnicodeSequence, isBase64 }; +} diff --git a/workspaces/sec-literal/src/patterns.js b/workspaces/sec-literal/src/patterns.js new file mode 100644 index 0000000..034654c --- /dev/null +++ b/workspaces/sec-literal/src/patterns.js @@ -0,0 +1,98 @@ +// Import Third-party Dependencies +import FrequencySet from "frequency-set"; + +// Import Internal Dependencies +import * as Literal from "./literal.js"; + +/** + * @description get the common string prefix (at the start) pattern + * @param {!string | SecLiteral} leftAnyValue + * @param {!string | SecLiteral} rightAnyValue + * @returns {string | null} + * + * @example + * commonStringPrefix("boo", "foo"); // null + * commonStringPrefix("bromance", "brother"); // "bro" + */ +export function commonStringPrefix(leftAnyValue, rightAnyValue) { + const leftStr = Literal.toValue(leftAnyValue); + const rightStr = Literal.toValue(rightAnyValue); + + // The length of leftStr cannot be greater than that rightStr + const minLen = leftStr.length > rightStr.length ? rightStr.length : leftStr.length; + let commonStr = ""; + + for (let id = 0; id < minLen; id++) { + if (leftStr.charAt(id) !== rightStr.charAt(id)) { + break; + } + + commonStr += leftStr.charAt(id); + } + + return commonStr === "" ? null : commonStr; +} + +function reverseString(string) { + return string.split("").reverse().join(""); +} + +/** + * @description get the common string suffixes (at the end) pattern + * @param {!string} leftStr + * @param {!string} rightStr + * @returns {string | null} + * + * @example + * commonStringSuffix("boo", "foo"); // oo + * commonStringSuffix("bromance", "brother"); // null + */ +export function commonStringSuffix(leftStr, rightStr) { + const commonPrefix = commonStringPrefix( + reverseString(leftStr), + reverseString(rightStr) + ); + + return commonPrefix === null ? null : reverseString(commonPrefix); +} + +export function commonHexadecimalPrefix(identifiersArray) { + if (!Array.isArray(identifiersArray)) { + throw new TypeError("identifiersArray must be an Array"); + } + const prefix = new FrequencySet(); + + mainLoop: for (const value of identifiersArray.slice().sort()) { + for (const [cp, count] of prefix) { + const commonStr = commonStringPrefix(value, cp); + if (commonStr === null) { + continue; + } + + if (commonStr === cp || commonStr.startsWith(cp)) { + prefix.add(cp); + } + else if (cp.startsWith(commonStr)) { + prefix.delete(cp); + prefix.add(commonStr, count + 1); + } + continue mainLoop; + } + + prefix.add(value); + } + + // We remove one-time occurences (because they are normal variables) + let oneTimeOccurence = 0; + for (const [key, value] of prefix.entries()) { + if (value === 1) { + prefix.delete(key); + oneTimeOccurence++; + } + } + + return { + oneTimeOccurence, + prefix: Object.fromEntries(prefix) + }; +} diff --git a/workspaces/sec-literal/src/utils.js b/workspaces/sec-literal/src/utils.js new file mode 100644 index 0000000..e77be2d --- /dev/null +++ b/workspaces/sec-literal/src/utils.js @@ -0,0 +1,93 @@ +// Import Third-party Dependencies +import isStringSvg from "is-svg"; +import stringWidth from "string-width"; + +// Import Internal Dependencies +import { toValue } from "./literal.js"; + +/** + * @param {SecLiteral.Literal | string} strOrLiteral + * @returns {boolean} + */ +export function isSvg(strOrLiteral) { + try { + const value = toValue(strOrLiteral); + + return isStringSvg(value) || isSvgPath(value); + } + catch { + return false; + } +} + +/** + * @description detect if a given string is a svg path or not. + * @param {!string} str svg path literal + * @returns {boolean} + */ +export function isSvgPath(str) { + if (typeof str !== "string") { + return false; + } + const trimStr = str.trim(); + + return trimStr.length > 4 && /^[mzlhvcsqta]\s*[-+.0-9][^mlhvzcsqta]+/i.test(trimStr) && /[\dz]$/i.test(trimStr); +} + +/** + * @description detect if a given string is a morse value. + * @param {!string} str any string value + * @returns {boolean} + */ +export function isMorse(str) { + return /^[.-]{1,5}(?:[\s\t]+[.-]{1,5})*(?:[\s\t]+[.-]{1,5}(?:[\s\t]+[.-]{1,5})*)*$/g.test(str); +} + +/** + * @param {!string} str any string value + * @returns {string} + */ +export function escapeRegExp(str) { + return str.replace(/[-[\]{}()*+?.,\\^$|#\s]/g, "\\$&"); +} + +/** + * @description Get the number of unique chars in a given string + * @param {!string} str string + * @param {string[]} [charsToExclude=[]] + * @returns {number} + */ +export function stringCharDiversity(str, charsToExclude = []) { + const data = new Set(str); + charsToExclude.forEach((char) => data.delete(char)); + + return data.size; +} + +// --- +const kMaxSafeStringLen = 45; +const kMaxSafeStringCharDiversity = 70; +const kMinUnsafeStringLenThreshold = 200; +const kScoreStringLengthThreshold = 750; + +/** + * @description Analyze a given string an give it a suspicion score (higher than 1 or 2 mean that the string is highly suspect). + * @param {!string} str string to analyze + * @returns {number} + */ +export function stringSuspicionScore(str) { + const strLen = stringWidth(str); + if (strLen < kMaxSafeStringLen) { + return 0; + } + + const includeSpace = str.includes(" "); + const includeSpaceAtStart = includeSpace ? str.slice(0, kMaxSafeStringLen).includes(" ") : false; + + let suspectScore = includeSpaceAtStart ? 0 : 1; + if (strLen > kMinUnsafeStringLenThreshold) { + suspectScore += Math.ceil(strLen / kScoreStringLengthThreshold); + } + + return stringCharDiversity(str) >= kMaxSafeStringCharDiversity ? suspectScore + 2 : suspectScore; +} diff --git a/workspaces/sec-literal/test/hex.spec.js b/workspaces/sec-literal/test/hex.spec.js new file mode 100644 index 0000000..fb1b4e9 --- /dev/null +++ b/workspaces/sec-literal/test/hex.spec.js @@ -0,0 +1,77 @@ +// Import Node.js Dependencies +import { randomBytes } from "node:crypto"; + +// Import Third-party Dependencies +import test from "tape"; + +// Import Internal Dependencies +import { isHex, isSafe, CONSTANTS } from "../src/hex.js"; +import { createLiteral } from "./utils/index.js"; + +test("isHex() of a random Hexadecimal value must return true", (tape) => { + const hexValue = randomBytes(4).toString("hex"); + + tape.strictEqual(isHex(hexValue), true, `Hexadecimal value '${hexValue}' must return true`); + tape.end(); +}); + +test("isHex() of an ESTree Literal containing a random Hexadecimal value must return true", (tape) => { + const hexValue = createLiteral(randomBytes(4).toString("hex")); + + tape.strictEqual(isHex(hexValue), true, `Hexadecimal value '${hexValue.value}' must return true`); + tape.end(); +}); + +test("An hexadecimal value must be at least 4 chars long", (tape) => { + const hexValue = randomBytes(1).toString("hex"); + + tape.strictEqual(isHex(hexValue), false, `Hexadecimal value '${hexValue}' must return false`); + tape.end(); +}); + +test("isHex() of a value that is not a string or an ESTree Literal must return false", (tape) => { + const hexValue = 100; + + tape.strictEqual(isHex(hexValue), false, "100 is typeof number so it must always return false"); + tape.end(); +}); + +test("isSafe must return true for a value with a length lower or equal five characters", (tape) => { + tape.ok(isSafe("h2l5x")); + tape.end(); +}); + +test("isSafe must return true if the string diversity is only two characters or lower", (tape) => { + tape.ok(isSafe("aaaaaaaaaaaaaabbbbbbbbbbbbb")); + tape.end(); +}); + +test("isSafe must always return true if argument is only number, lower or upper letters", (tape) => { + const values = ["00000000", "aaaaaaaa", "AAAAAAAAA"]; + + for (const hexValue of values) { + tape.ok(isSafe(hexValue)); + } + tape.end(); +}); + +test("isSafe() must always return true if the value start with one of the 'safe' values", (tape) => { + for (const safeValue of CONSTANTS.SAFE_HEXA_VALUES) { + const hexValue = safeValue + randomBytes(4).toString("hex"); + + tape.ok(isSafe(hexValue)); + } + tape.end(); +}); + +test("isSafe must return true because it start with a safe pattern (and it must lowerCase the string)", (tape) => { + tape.ok(isSafe("ABCDEF1234567890")); + tape.end(); +}); + +test("isSafe() must always return false if the value start with one of the 'unsafe' values", (tape) => { + for (const unsafeValue of CONSTANTS.UNSAFE_HEXA_VALUES) { + tape.strictEqual(isSafe(unsafeValue), false); + } + tape.end(); +}); diff --git a/workspaces/sec-literal/test/literal.spec.js b/workspaces/sec-literal/test/literal.spec.js new file mode 100644 index 0000000..b47df12 --- /dev/null +++ b/workspaces/sec-literal/test/literal.spec.js @@ -0,0 +1,99 @@ +// Import Node.js Dependencies +import { randomBytes } from "node:crypto"; + +// Import Third-party Dependencies +import test from "tape"; + +// Import Internal Dependencies +import { isLiteral, toValue, toRaw, defaultAnalysis } from "../src/literal.js"; +import { createLiteral } from "./utils/index.js"; + +test("isLiteral must return true for a valid ESTree Literal Node", (tape) => { + const literalSample = createLiteral("boo"); + + tape.strictEqual(isLiteral(literalSample), true); + tape.strictEqual(isLiteral("hey"), false); + tape.strictEqual(isLiteral({ type: "fake", value: "boo" }), false); + tape.end(); +}); + +test("toValue must return a string when we give a valid EStree Literal", (tape) => { + const literalSample = createLiteral("boo"); + + tape.strictEqual(toValue(literalSample), "boo"); + tape.strictEqual(toValue("hey"), "hey"); + tape.end(); +}); + +test("toRaw must return a string when we give a valid EStree Literal", (tape) => { + const literalSample = createLiteral("boo", true); + + tape.strictEqual(toRaw(literalSample), "boo"); + tape.strictEqual(toRaw("hey"), "hey"); + tape.end(); +}); + +test("defaultAnalysis() of something else than a Literal must always return null", (tape) => { + tape.strictEqual(defaultAnalysis(10), null); + tape.end(); +}); + +test("defaultAnalysis() of an Hexadecimal value", (tape) => { + const hexValue = randomBytes(10).toString("hex"); + + const result = defaultAnalysis(createLiteral(hexValue, true)); + const expected = { + isBase64: true, hasHexadecimalSequence: false, hasUnicodeSequence: false + }; + + tape.deepEqual(result, expected); + tape.end(); +}); + +test("defaultAnalysis() of an Base64 value", (tape) => { + const hexValue = randomBytes(10).toString("base64"); + + const result = defaultAnalysis(createLiteral(hexValue, true)); + const expected = { + isBase64: true, hasHexadecimalSequence: false, hasUnicodeSequence: false + }; + + tape.deepEqual(result, expected); + tape.end(); +}); + +test("defaultAnalysis() of an Unicode Sequence", (tape) => { + const unicodeSequence = createLiteral("'\\u0024\\u0024'", true); + + const result = defaultAnalysis(unicodeSequence); + const expected = { + isBase64: false, hasHexadecimalSequence: false, hasUnicodeSequence: true + }; + + tape.deepEqual(result, expected); + tape.end(); +}); + +test("defaultAnalysis() of an Unicode Sequence", (tape) => { + const hexSequence = createLiteral("'\\x64\\x61\\x74\\x61'", true); + + const result = defaultAnalysis(hexSequence); + const expected = { + isBase64: false, hasHexadecimalSequence: true, hasUnicodeSequence: false + }; + + tape.deepEqual(result, expected); + tape.end(); +}); + +test("defaultAnalysis() with a Literal with no 'raw' property must return two null values", (tape) => { + const hexValue = randomBytes(10).toString("base64"); + + const result = defaultAnalysis(createLiteral(hexValue)); + const expected = { + isBase64: true, hasHexadecimalSequence: null, hasUnicodeSequence: null + }; + + tape.deepEqual(result, expected); + tape.end(); +}); diff --git a/workspaces/sec-literal/test/patterns.spec.js b/workspaces/sec-literal/test/patterns.spec.js new file mode 100644 index 0000000..89db85b --- /dev/null +++ b/workspaces/sec-literal/test/patterns.spec.js @@ -0,0 +1,64 @@ +// Import Internal Dependencies +import { + commonStringPrefix, + commonStringSuffix, + commonHexadecimalPrefix +} from "../src/patterns.js"; + +// Import Third-party Dependencies +import test from "tape"; + +test("commonStringPrefix of two strings that does not start with the same set of characters must return null", (tape) => { + tape.strictEqual(commonStringPrefix("boo", "foo"), null, + "there is no common prefix between 'boo' and 'foo' so the result must be null"); + tape.end(); +}); + +test("commonStringPrefix of two strings that start with the same set of characters must return it as result", (tape) => { + tape.strictEqual(commonStringPrefix("bromance", "brother"), "bro", + "the common prefix between bromance and brother must be 'bro'."); + tape.end(); +}); + +test("commonStringSuffix of two strings that end with the same set of characters must return it as result", (tape) => { + tape.strictEqual(commonStringSuffix("boo", "foo"), "oo", + "the common suffix between boo and foo must be 'oo'"); + tape.end(); +}); + +test("commonStringSuffix of two strings that does not end with the same set of characters must return null", (tape) => { + tape.strictEqual(commonStringSuffix("bromance", "brother"), null, + "there is no common suffix between 'bromance' and 'brother' so the result must be null"); + tape.end(); +}); + +test("commonHexadecimalPrefix - throw a TypeError if identifiersArray is not an Array", (tape) => { + tape.throws(() => commonHexadecimalPrefix(10), "identifiersArray must be an Array"); + tape.end(); +}); + +test("commonHexadecimalPrefix - only hexadecimal identifiers", (tape) => { + const data = [ + "_0x3c0c55", "_0x1185d5", "_0x160fc8", "_0x18a66f", "_0x18a835", "_0x1a8356", + "_0x1adf3b", "_0x1e4510", "_0x1e9a2a", "_0x215558", "_0x2b0194", "_0x2fffe5", + "_0x32c822", "_0x33bb79" + ]; + const result = commonHexadecimalPrefix(data); + + tape.strictEqual(result.oneTimeOccurence, 0); + tape.strictEqual(result.prefix._0x, data.length); + tape.end(); +}); + +test("commonHexadecimalPrefix - add one non-hexadecimal identifier", (tape) => { + const data = [ + "_0x3c0c55", "_0x1185d5", "_0x160fc8", "_0x18a66f", "_0x18a835", "_0x1a8356", + "_0x1adf3b", "_0x1e4510", "_0x1e9a2a", "_0x215558", "_0x2b0194", "_0x2fffe5", + "_0x32c822", "_0x33bb79", "foo" + ]; + const result = commonHexadecimalPrefix(data); + + tape.strictEqual(result.oneTimeOccurence, 1); + tape.strictEqual(result.prefix._0x, data.length - 1); + tape.end(); +}); diff --git a/workspaces/sec-literal/test/utils.spec.js b/workspaces/sec-literal/test/utils.spec.js new file mode 100644 index 0000000..830dfe4 --- /dev/null +++ b/workspaces/sec-literal/test/utils.spec.js @@ -0,0 +1,89 @@ +/* eslint-disable max-len */ + +// Import Node.js Dependencies +import { randomBytes } from "node:crypto"; + +// Import Third-party Dependencies +import test from "tape"; + +// Import Internal Dependencies +import { stringCharDiversity, isSvg, isSvgPath, stringSuspicionScore } from "../src/utils.js"; + +test("stringCharDiversity must return the number of unique chars in a given string", (tape) => { + tape.strictEqual(stringCharDiversity("helloo!"), 5, + "the following string 'helloo!' contains five unique chars: h, e, l, o and !"); + tape.end(); +}); + +test("stringCharDiversity must return the number of unique chars in a given string (but with exclusions of given chars)", (tape) => { + tape.strictEqual(stringCharDiversity("- - -\n", ["\n"]), 2); + tape.end(); +}); + +test("isSvg must return true for an HTML svg balise", (tape) => { + const SVGHTML = ` + + + + + `; + tape.strictEqual(isSvg(SVGHTML), true); + tape.end(); +}); + +test("isSvg of a SVG Path must return true", (tape) => { + tape.strictEqual(isSvg("M150 0 L75 200 L225 200 Z"), true); + tape.end(); +}); + +test("isSvg must return false for invalid XML string", (tape) => { + tape.strictEqual(isSvg(""), false); + tape.end(); +}); + +test("isSvgPath must return true when we give a valid svg path and false when the string is not valid", (tape) => { + tape.strictEqual(isSvgPath("M150 0 L75 200 L225 200 Z"), true); + tape.strictEqual(isSvgPath("M150"), false, "the length of an svg path must be always higher than four characters"); + tape.strictEqual(isSvgPath("hello world!"), false); + tape.strictEqual(isSvgPath(10), false, "isSvgPath argument must always return false for anything that is not a string primitive"); + tape.end(); +}); + +test("stringSuspicionScore must always return 0 if the string length if below 45", (tape) => { + for (let strSize = 1; strSize < 45; strSize++) { + // We generate a random String (with slice it in two because a size of 20 for hex is 40 bytes). + const randomStr = randomBytes(strSize).toString("hex").slice(strSize); + + tape.strictEqual(stringSuspicionScore(randomStr), 0); + } + tape.end(); +}); + +test("stringSuspicionScore must return one if the str is between 45 and 200 chars and had no space in the first 45 chars", (tape) => { + const randomStrWithNoSpaces = randomBytes(25).toString("hex"); + + tape.strictEqual(stringSuspicionScore(randomStrWithNoSpaces), 1); + tape.end(); +}); + +test("stringSuspicionScore must return zero if the str is between 45 and 200 chars and has at least one space in the first 45 chars", (tape) => { + const randomStrWithSpaces = randomBytes(10).toString("hex") + " -_- " + randomBytes(30).toString("hex"); + + tape.strictEqual(stringSuspicionScore(randomStrWithSpaces), 0); + tape.end(); +}); + +test("stringSuspicionScore must return a score of two for a string with more than 200 chars and no spaces", (tape) => { + const randomStr = randomBytes(200).toString("hex"); + + tape.strictEqual(stringSuspicionScore(randomStr), 2); + tape.end(); +}); + +test("stringSuspicionScore must add two to the final score when the string has more than 70 uniques chars", (tape) => { + const randomStr = "૱꠸┯┰┱┲❗►◄Ăă0123456789ᶀᶁᶂᶃᶄᶆᶇᶈᶉᶊᶋᶌᶍᶎᶏᶐᶑᶒᶓᶔᶕᶖᶗᶘᶙᶚᶸᵯᵰᵴᵶᵹᵼᵽᵾᵿ⤢⤣⤤⤥⥆⥇™°×π±√ "; + + tape.strictEqual(stringSuspicionScore(randomStr), 3); + tape.end(); +}); diff --git a/workspaces/sec-literal/test/utils/index.js b/workspaces/sec-literal/test/utils/index.js new file mode 100644 index 0000000..afc0950 --- /dev/null +++ b/workspaces/sec-literal/test/utils/index.js @@ -0,0 +1,10 @@ +// @see https://github.com/estree/estree/blob/master/es5.md#literal +export function createLiteral(value, includeRaw = false) { + const node = { type: "Literal", value }; + if (includeRaw) { + node.raw = value; + } + + return node; +} +