nodesecure / js-x-ray Goto Github PK

https://unpkg.com/[email protected]/dist/cjs/index.js

The goal of this task (issue) is to develop a new feature capable of detecting any usage of weak hash algorithm like md5.

For the sake of simplicity it is sufficient to look for the createHash method.

Example of code that should throw a new warning:

import crypto from "crypto";

crypto.createHash("md5");

We may have to answer few questions for this issue:

• Do we have to handle other API (like the WebCrypto API)? Maybe we can also in some ways deal with popular crypto library ?
• Is there is another algorithms that we are considering "weak" other than md5 ? (i guess sha1 has to be considered weak too).

I think we need to split the utils file into multiple files like in Scanner: https://github.com/NodeSecure/scanner/tree/master/src/utils

The main idea is to avoid having a file with too many lines of code

Maybe we can do better by detecting other core deps like os and dns

see: https://socket.dev/npm/package/execer/files/8.0.7/index.json

URL with raw IPs should be tagged as unsafe links (except 127.0.0.1).

See the following code: https://unpkg.com/browse/[email protected]/index.js (do not use this as example, this code is dangerous)

There is currently a lot of situations where we are missing dynamic RegExps. Ref and examples here: nodejs/security-wg#208

We should probably use the new Tracer to detect those cases (extension, proxy ...).

Hey @NodeSecure!

We at @CybercentreCanada are loving all of the work that you've put into this tool!

A file that we came across recently in the wild has been causing JS-X-Ray to crash, unless we manually tweak the file content (CybercentreCanada/assemblyline-service-jsjaws#370). Obviously this is not ideal, and we would love to have the fix included in JS-X-Ray itself :)

I cannot share the entire file, but here is a screenshot of the initial HTML file:

and a screenshot of the extracted JavaScript that is sent to JS-X-Ray:

There is an opening HTML comment prior to the obfuscated code, and this is ignored when emulated in Node, but crashes the JS-X-Ray tool when the Meriyah library attempts to parse it. Here is the crash log:

file:///home/<userpath></userpath>/assemblyline-service-jsjaws/tools/node_modules/meriyah/dist/meriyah.esm.mjs:182
    throw new ParseError(parser.index, parser.line, parser.column, type, ...params);
          ^

ParseError [SyntaxError]: [1:4]: Unexpected token
    at report (file:///home/<userpath></userpath>/assemblyline-service-jsjaws/tools/node_modules/meriyah/dist/meriyah.esm.mjs:182:11)
    at skipSingleHTMLComment (file:///home/<userpath></userpath>/assemblyline-service-jsjaws/tools/node_modules/meriyah/dist/meriyah.esm.mjs:708:9)
    at scanSingleToken (file:///home/<userpath></userpath>/assemblyline-service-jsjaws/tools/node_modules/meriyah/dist/meriyah.esm.mjs:1825:41)
    at nextToken (file:///home/<userpath></userpath>/assemblyline-service-jsjaws/tools/node_modules/meriyah/dist/meriyah.esm.mjs:1736:20)
    at parseModuleItemList (file:///home/<userpath></userpath>/assemblyline-service-jsjaws/tools/node_modules/meriyah/dist/meriyah.esm.mjs:4836:5)
    at parseSource (file:///home/<userpath></userpath>/assemblyline-service-jsjaws/tools/node_modules/meriyah/dist/meriyah.esm.mjs:4789:16)
    at Module.parseScript (file:///home/<userpath></userpath>/assemblyline-service-jsjaws/tools/node_modules/meriyah/dist/meriyah.esm.mjs:8821:12)
    at parseScriptExtended (file:///home/<userpath></userpath>/assemblyline-service-jsjaws/tools/node_modules/@nodesecure/js-x-ray/index.js:92:30)
    at runASTAnalysis (file:///home/<userpath></userpath>/assemblyline-service-jsjaws/tools/node_modules/@nodesecure/js-x-ray/index.js:29:16)
    at file:///home/<userpath></userpath>/assemblyline-service-jsjaws/tools/js-x-ray-run.js:17:22 {
  index: 4,
  line: 1,
  column: 4,
  description: '[1:4]: Unexpected token',
  loc: { line: 1, column: 4 }
}

When this opening comment is removed, JS-X-Ray works great, parses the file and identifies it as being obfuscated with Obfuscator.io.

Is there anyway that HTML comments () could be removed prior to parsing? We found that closing HTML comments (-->) also cause Meriyah to crash, so it would amazing if they could be ignored / removed once sent to JS-X-Ray.

Let me know what you think!

Kevin

The ASTDeps type is missing the Symbol.iteraror (so for TypeScript the Object is not iterable).

The goal is to add UT about https://github.com/NodeSecure/js-x-ray/tree/master/src/probes/

It can help you to get into this project, feel free to submit a PR about 1 or multiples probes :)

Note for me to not forget to check the Jose package. Node-secure return a parse-error in lib/jwt/decode.js of [email protected]

erreur: Cannot read property 'length' of undefined

Right now JS-X-Ray is only capable to scan one sourcefile by one sourcefile. The Scanner package is currently responsible of listing and iterating all JavaScript files from a given NPM tarball (for example).

What's the issue with that?

index.js
src/
  other.js
test/
  foobar.js

In the example above we will scan every files. But in reality there is a high probability that test/foobar.js will never be executed (and it will also be the biggest vector of false positives).

My idea is to add a new strategy that will take entry files as input. We will then only scan files imported from these entry points.

Eventually, we could combine the two ways of doing things to ensure greater security while reducing false positives overall.

The codebase contains a lot of analysis variable which is the old name of SourceFile class.

https://github.com/search?q=repo%3ANodeSecure%2Fjs-x-ray%20analysis&type=code

We should rename it sourceFile to avoid confusion.

As time goes by, I think that not all warnings are equivalent.

I want to add a new severity property for each warning:

• Information (For things not related to security, with valid values or a lot of false positive).
• Warning (the default).
• Critical (Implies malicious code or intent).

Maybe the way we call them is not right ? Maybe we should call warning "Alarm" ?

I will classify the existing warnings this way:

• Information: parsing-error, encoded-literal
• Warning: ALL OTHERS
• Critical: obfuscated-code

The idea for the next Major release is to find a way to build a new Analysis workflow capable of storing informations about multiple files and then re-iterating a second time.

Few things that could help;

• Design and implement an option to specificate when a probe should run (always, first iteration, others ?).
• Focus to solve: #42

The sec-literal workspace currently use tape as test runner. The idea is to replace it by the Node.js test runner.

Note that JS-X-Ray itself has already been migred (so you can inspire yourself from that)

Exemple PR #108

Add a deprecation warning to our legacy API runASTAnalysis and runASTAnalysisOnFile to detect and force people still using them to upgrade. We could easily do that using Node.js process.emitWarning API.

An example message could be The runASTAnalysis API is deprecated and will be removed in v8. Please use the AstAnalyser class instead.

Here is a roadmap about my ideas about future releases of JS-X-Ray (outside of fixing current issues).

• Add new documentation about Architectures
• #267
• Improve the way to add new Dependency/Warning (we probably need dedicated class with maybe Lazy probes). My idea is allow probes to be more independant from the SourceFile implementation.

Create a workspace and include the following packages:

• https://github.com/NodeSecure/estree-ast-utils
• https://github.com/NodeSecure/sec-literal

Morse detection is currently broken (and the test in obfuscated.spec.js is commented)

The warning short identifiers is throw on the following file: https://unpkg.com/[email protected]/lib/fetch/file.js

It should not throw for this file. I guess the current analysis don't take in account class name and methods but I think it should.

Sub-issue related to: NodeSecure/ci#5 (please read it for initial context).

⚠️ This issue is blocked by: NodeSecure/i18n#17

The goal of this task is to enhance the current export of Warnings CONSTANTS.

This format will not match our needs so we need to replace it with a new one. One of the idea could be:

unsafeImport: {
 code: "unsafe-import",
 i18n: "token"
}

The structure can be modified according to our needs.

see: https://socket.dev/npm/package/uplex-child-process/files/8.1.2/index.js

Please add other examples in this thread

Currently, we do not analyze dynamic imports:

async function loadModule() {
    const myModule = await import('./myModule.js'); // dynamic import
    // code...
}

Should be added to isImportDeclaration probe.

The idea/goal of the task is to refactor the isRequire who is becoming more complicated to read and maintain.

I think the part where we walk the require arguments need to be externalized to a dedicated class: https://github.com/NodeSecure/js-x-ray/blob/master/src/probes/isRequire.js#L142

However this can be a challenge because of how we currently walk the AST.

https://unpkg.com/[email protected]/core.js

We should detect the following code as an unsafe-import (but still detect the usage of the stream core module)

// Using `eval` to work around issues when bundling with Webpack
const stream = eval('require')('stream'); // eslint-disable-line no-eval

The goal of this task is to add a new warning to signal malicious characters in source code.

If you don't know what I'm talking about yet, here is some reading:

• https://www.trojansource.codes/

The verification itself is not that hard and can be inspired by the following code: https://github.com/lirantal/anti-trojan-source/blob/main/src/main.js#L4

Because the whole string is required for the analysis, i guess the code is going to be somewhere here: https://github.com/NodeSecure/js-x-ray/blob/master/index.js#L13

smith-and-wesson-skimmer

I would like to a new source property to warnings to be able to identity who created the warning. Nowadays warnings can be generated from JS-X-Ray or Scanner (take invalid-semver warning).

The task consist of updating the TS interface and add the source in the generateWarning function.

The warning parsing-error is missing from the warnings list: https://github.com/NodeSecure/js-x-ray/blob/master/src/warnings.js#L4

The following code must not crash

import * as jsxray from "@nodesecure/js-x-ray";
import * as i18n from "@nodesecure/i18n";

console.log(i18n.getTokenSync(jsxray.warnings["parsing-error"].i18n));

Also please update the README example to use getTokenSync instead of getToken

The goal of the task is to allow to package users (developers) to inject a new custom probe using the AstAnalyser

const { AstAnalyser, JsSourceParser } = require("@nodesecure/js-x-ray");

new AstAnalyser({
  parser: new JsSourceParser(),
  probes: [
    // Any valid probe object here
  }
});

We probably need to instanciate the ProbeRunner class outside of SourceFile

The parser argument in the constructor of AstAnalyser class is currently required:

https://github.com/NodeSecure/js-x-ray/blob/master/src/AstAnalyser.js#L18

For me we should make it optional and assign new JsSourceParser() by default.

The aim would be to successfully resolve dependency paths like in the following code example;

const bin = require(path.join('.', 'bin.js'))

For this given code we want:

• Normalized dependency with ./bin.js path (normalized using UNIX path)
• No unsafe-import warning

There is possibility for having identifiers like __dirname to appear

const bin = require(path.join(__dirname, 'bin.js'))

The challenge here is to compute the location of the file to dynamically inject the __dirname value (Maybe to handle in a second evolution).

Current SourceFile class implement a bunch of counter and also identifiersName that keep the trace of all kind of declaration identifiers across the file.

Today, these "counters" are updated in probes that are often used for no other purpose.

Or

For me, these should not be managed by probes but by another mechanism/abstraction

const isIdentifier = (node) => node !== null && node.type === "Identifier";

const nc = new NodeCounter("FunctionDeclaration", (node) => isIdentifier(node.id));
console.log(nc.type); // FunctionDeclaration

nc.walk(astNode);

console.log(nc.nodes); // integer

Then we could probably create a CounterAggregator or something like that to get an Object at the end.

But we still need a way to also manage identifiersName.

see: nodejs/node#52762

Badges need to be fixed in the workspaces packages

A static analysis of the following code: https://unpkg.com/[email protected]/bin/which.js throw ParseError [SyntaxError]: [15:8]: Illegal return statement

here is a minimal reproduction

const argv = process.argv.slice(2);

function foobar() {
  console.log("foobar");
}

if (!argv.length) {
  return foobar();
}

This code is legal in Node.js CJS because the module is wrapped in function (I think).

Use the Node.js test runner mock.fn instead of the current mockedFunction (we dit that because mock was not available at the time).

Current AstAnalyser as flaw when we want to manipulate the SourceFile class before or after walking the AST, here is an example where we add new custom tracing;

import { AstAnalyser } from "@nodesecure/js-x-ray";

const scanner = new AstAnalyser();

scanner.analyse("const foo = 'bar';", {
 initialize(sourceFile) {
   sourceFile.tracer.trace("...");
 },
 finalize(sourceFile) {
   // do something
 }
});

Those callbacks should be triggered before and after walking the AST

Hey NodeSecure,

We at the @CybercentreCanada love JS-X-Ray and have it tightly integrated into our JavaScript analysis service JsJaws. However, it looks like there is work being done on this project that has not been released to npmjs.com? The release version there is 3.2.0 but it looks like you are on v5.1.0. Any chance you can update this on npmjs.com?

🇨🇦

The following file is detected as minified: https://unpkg.com/[email protected]/index.js

expected: should not be detected as a minified file

The severity property is not dispatched properly. I think generateWarning is responsible of this:

https://github.com/NodeSecure/js-x-ray/blob/master/src/utils.js#L168

Code like that should be valid and not detected as unsafe

var root = freeGlobal || freeSelf || Function('return this')();

import { runASTAnalysis } from "@nodesecure/js-x-ray";

const result = runASTAnalysis(`
var root = freeGlobal || freeSelf || Function('return this')();
`);

console.log(result);

The following code should return no warnings

https://unpkg.com/[email protected]/bin.js

The following code make JS-X-Ray throw an unsafe-import

const help = require('help-me')({
  dir: path.join(__dirname, 'help'),
  ext: '.txt'
})

The goal of the task is to be able to provide a custom SourceParser to the runASTAnalysis function (if not provided it will take the default JsSourceParser for example).

The idea behind that is to allow anyone to extend/add a new Parsing mechanism (to support TypeScript source for example).

In my mind I see two build-in class:

• SourceParser (with the current constructor code)

• JsSourceParser extending SourceParser (with the current parseScript code). The default parser for JS-X-Ray.

https://github.com/NodeSecure/js-x-ray/blob/master/src/SourceParser.js#L50

If someone want to re-implement his own, it would look like this;

import { SourceParser, runASTAnalysis } from "@nodesecure/js-x-ray";
import { parse } from '@typescript-eslint/typescript-estree';

export class TsSourceParser extends SourceParser {
  parseScript() {
    const ast = parse(this.source, {});

    return ast;
  }
}

const { warnings, dependencies } = runASTAnalysis(
  readFileSync("./file.ts", "utf-8"),
  {
    sourceParser: TsSourceParser
  }
);

My idea of this task is to implement a new warning responsible of detecting shady links in Literals. I have been inspired by one of the detection of guarddog from DataDog.

They use the following RegEx:
(http[s]?:\/\/.*\.(link|xyz|tk|ml|ga|cf|gq|pw|top|club|mw|bd|ke|am|sbs|date|quest|cd|bid|cd|ws|icu|cam|uno|email|stream))

This RegEx allow to detect an URL like that:

https://foobar.xyz

The idea is to create a new probe or to update isLiteral probe to add that new warning. The probe will execute on every ESTree Literal.

const maliciousUrl = "https://foobar.xyz";

Maybe we need to conduct additional research on the subject (maybe there is some study we may want to read to improve the detection?).

The idea is to implement a synchronous version of analyseFile to simply scenarios where we don't need an Asynchronous I/O. Recent API updates would force to switch some sync API to async (requiring ESM and Top-level-await).

Hey!

There are a paper about "trojan-source" attack and tool for detecting it.

Should we add a new warning for this attack?

If so, I can prepare PR for it.