npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

@nodesecure/js-x-ray

v6.3.0

Published

JavaScript AST XRay analysis

Downloads

969

Readme

JavaScript AST analysis. This package has been created to export the NodeSecure AST Analysis to enable better code evolution and allow better access to developers and researchers.

The goal is to quickly identify dangerous code and patterns for developers and Security researchers. Interpreting the results of this tool will still require you to have a set of security notions.

Goals

The objective of the project is to successfully detect all potentially suspicious JavaScript codes.. The target is obviously codes that are added or injected for malicious purposes..

Most of the time these hackers will try to hide the behaviour of their codes as much as possible to avoid being spotted or easily understood... The work of the library is to understand and analyze these patterns that will allow us to detect malicious code..

Features Highlight

  • Retrieve required dependencies and files for Node.js.
  • Detect unsafe RegEx.
  • Get warnings when the AST Analysis as a problem or when not able to follow a statement.
  • Highlight common attack patterns and API usages.
  • Capable to follow the usage of dangerous Node.js globals.
  • Detect obfuscated code and when possible the tool that has been used.

Getting Started

This package is available in the Node Package Repository and can be easily installed with npm or yarn.

$ npm i @nodesecure/js-x-ray
# or
$ yarn add @nodesecure/js-x-ray

Usage example

Create a local .js file with the following content:

try  {
    require("http");
}
catch (err) {
    // do nothing
}
const lib = "crypto";
require(lib);
require("util");
require(Buffer.from("6673", "hex").toString());

Then use js-x-ray to run an analysis of the JavaScript code:

import { runASTAnalysis } from "@nodesecure/js-x-ray";
import { readFileSync } from "fs";

const str = readFileSync("./file.js", "utf-8");
const { warnings, dependencies } = runASTAnalysis(str);

const dependenciesName = [...dependencies];
const inTryDeps = [...dependencies.getDependenciesInTryStatement()];

console.log(dependenciesName);
console.log(inTryDeps);
console.log(warnings);

The analysis will return: http (in try), crypto, util and fs.

[!NOTE] There is also a lot of suspicious code example in the ./examples cases directory. Feel free to try the tool on these files.

Warnings

This section describes how use warnings export.

type WarningName = "parsing-error"
| "encoded-literal"
| "unsafe-regex"
| "unsafe-stmt"
| "short-identifiers"
| "suspicious-literal"
| "suspicious-file"
| "obfuscated-code"
| "weak-crypto"
| "unsafe-import"
| "shady-link";

declare const warnings: Record<WarningName, {
  i18n: string;
  severity: "Information" | "Warning" | "Critical";
  experimental?: boolean;
}>;

We make a call to i18n through the package NodeSecure/i18n to get the translation.

import * as jsxray from "@nodesecure/js-x-ray";
import * as i18n from "@nodesecure/i18n";

console.log(i18n.getTokenSync(jsxray.warnings["parsing-error"].i18n));

Warnings Legends

This section describe all the possible warnings returned by JSXRay. Click on the warning name for additional information and examples.

| name | experimental | description | | --- | :-: | --- | | parsing-error | ❌ | The AST parser throw an error | | unsafe-import | ❌ | Unable to follow an import (require, require.resolve) statement/expr. | | unsafe-regex | ❌ | A RegEx as been detected as unsafe and may be used for a ReDoS Attack. | | unsafe-stmt | ❌ | Usage of dangerous statement like eval() or Function(""). | | encoded-literal | ❌ | An encoded literal has been detected (it can be an hexa value, unicode sequence or a base64 string) | | short-identifiers | ❌ | This mean that all identifiers has an average length below 1.5. | | suspicious-literal | ❌ | A suspicious literal has been found in the source code. | | suspicious-file | ✔️ | A suspicious file with more than ten encoded-literal in it | | obfuscated-code | ✔️ | There's a very high probability that the code is obfuscated. | | weak-crypto | ✔️ | The code probably contains a weak crypto algorithm (md5, sha1...) | | shady-link | ✔️ | The code contains shady/unsafe link |

API

interface RuntimeOptions {
  module?: boolean;
  isMinified?: boolean;
  removeHTMLComments?: boolean;
}

The method take a first argument which is the code you want to analyse. It will return a Report Object:

interface Report {
  dependencies: ASTDeps;
  warnings: Warning[];
  idsLengthAvg: number;
  stringScore: number;
  isOneLineRequire: boolean;
}
interface RuntimeOptions {
  module?: boolean;
  isMinified?: boolean;
  removeHTMLComments?: boolean;
}

Run the SAST scanner on a given JavaScript file.

export type ReportOnFile = {
  ok: true,
  warnings: Warning[];
  dependencies: ASTDeps;
  isMinified: boolean;
} | {
  ok: false,
  warnings: Warning[];
}

Workspaces

Click on one of the links to access the documentation of the workspace:

| name | package and link | | --- | --- | | estree-ast-util | @nodesecure/estree-ast-util | | sec-literal | @nodesecure/sec-literal |

These packages are available in the Node Package Repository and can be easily installed with npm or yarn.

$ npm i @nodesecure/estree-ast-util
# or
$ yarn add @nodesecure/estree-ast-util

Contributors ✨

All Contributors

Thanks goes to these wonderful people (emoji key):

License

MIT