UNPKG

@nodesecure/js-x-ray

Version:

JavaScript AST XRay analysis

github.com/NodeSecure/js-x-ray

NodeSecure/js-x-ray

97 lines 2.94 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
// Import Internal Dependencies import { getMemberExpressionIdentifier } from "../estree/index.js"; import { CALL_EXPRESSION_DATA } from "../contants.js"; import { generateWarning } from "../warnings.js"; /** * @description Detect serialization of process.env which could indicate environment variable exfiltration * @example * JSON.stringify(process.env) * JSON.stringify(process["env"]) * JSON.stringify(process["env"]) * JSON.stringify(process[`env`]) */ function validateJsonStringify(node, ctx) { const { tracer } = ctx.sourceFile; if (ctx.context[CALL_EXPRESSION_DATA]?.identifierOrMemberExpr !== "JSON.stringify") { return [false]; } const castedNode = node; if (castedNode.arguments.length === 0) { return [false]; } const firstArg = castedNode.arguments[0]; if (firstArg.type === "MemberExpression") { const memberExprId = [...getMemberExpressionIdentifier(firstArg)].join("."); if (memberExprId === "process.env") { return [true]; } } if (firstArg.type === "Identifier") { const data = tracer.getDataFromIdentifier(firstArg.name); if (data !== null) { return [true]; } } return [false]; } /** * @description Detect direct process.env access (for aggressive mode) * @example * process.env * const env = process.env */ function validateProcessEnv(node, ctx) { if (node.type !== "MemberExpression") { return [false]; } const memberExprId = [...getMemberExpressionIdentifier(node)].join("."); if (memberExprId === "process.env") { ctx.setEntryPoint("process.env"); return [true]; } return [false]; } function defaultHandler(node, ctx) { const { sourceFile, signals } = ctx; const warning = generateWarning("serialize-environment", { value: "JSON.stringify(process.env)", location: node.loc }); sourceFile.warnings.push(warning); return signals.Skip; } function processEnvHandler(node, ctx) { const { sourceFile, signals } = ctx; // Only trigger warning in aggressive mode if (sourceFile.sensitivity !== "aggressive") { return null; } const warning = generateWarning("serialize-environment", { value: "process.env", location: node.loc }); sourceFile.warnings.push(warning); return signals.Skip; } function initialize(ctx) { const { tracer } = ctx.sourceFile; tracer .trace("process.env", { followConsecutiveAssignment: true }) .trace("JSON.stringify", { followConsecutiveAssignment: true }); } export default { name: "isSerializeEnv", validateNode: [validateJsonStringify, validateProcessEnv], initialize, main: { default: defaultHandler, "process.env": processEnvHandler }, breakOnMatch: false, context: {} }; //# sourceMappingURL=isSerializeEnv.js.map