js-x-ray v7.0 releases: static analysis of detecting most common malicious patterns
js-x-ray
JavaScript AST analysis. This package has been created to export the Node-Secure AST Analysis to enable better code evolution and allow better access to developers and researchers.
The goal is to quickly identify dangerous code and patterns for developers and security researchers. Interpreting the results of this tool will still require you to have a set of security notions.
Goals
The objective of the project is to detect all potentially suspicious JavaScript code. The target is obviously code that is added or injected for malicious purposes.
Most of the time these attackers will try to hide the behavior of their code as much as possible to avoid being spotted or easily understood. The work of the library is to understand and analyze these patterns, which allows us to detect malicious code.
Features Highlight
- Retrieve required dependencies and files for Node.js.
- Detect unsafe RegEx.
- Get warnings when the AST analysis has a problem or is not able to follow a statement.
- Highlight common attack patterns and API usages.
- Capable of following the usage of dangerous Node.js globals.
- Detect obfuscated code and when possible the tool that has been used.
This section describes all the possible warnings returned by JSXRay.
name | description |
---|---|
parsing-error | An error occurred when parsing the JavaScript code with meriyah. It means that the conversion from string to AST has failed. If you encounter such an error, please open an issue. |
unsafe-import | Unable to follow an import (require, require.resolve) statement/expression. |
unsafe-regex | A RegEx has been detected as unsafe and may be used for a ReDoS attack. |
unsafe-stmt | Usage of a dangerous statement like eval() or Function(""). |
unsafe-assign | Assignment of a protected global like process or require. |
encoded-literal | An encoded literal has been detected (it can be a hex value, a Unicode sequence, a base64 string, etc.). |
short-identifiers | This means that the average identifier length is below 1.5. Only reported if the file contains more than 5 identifiers. |
suspicious-literal | This means that the sum of the suspicious scores of all Literals is bigger than 3. |
obfuscated-code (experimental) | There is a very high probability that the code is obfuscated. |
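As an added illustration (not code from js-x-ray itself, which walks a meriyah AST rather than tokenizing with regular expressions), the following approximates two of the warnings above, short-identifiers and encoded-literal, using the thresholds the table gives. The regex tokenizer, the constructed sample inputs and the base64 length cutoff of 24 are assumptions.

```javascript
// Simplified, regex-based approximation of two js-x-ray heuristics.
// Assumption: a regex tokenizer stands in for the AST walk the real package does.
const KEYWORDS = new Set(["var", "let", "const", "function", "return", "if", "else",
  "for", "while", "new", "this", "true", "false", "null", "typeof", "in", "of"]);
const STRING_LITERAL = /(["'`])(?:\\.|(?!\1)[^\\\n])*\1/g;

// Remove comments and string literals so their contents are not counted as identifiers.
function stripLiterals(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, " ")
            .replace(/\/\/.*$/gm, " ")
            .replace(STRING_LITERAL, " ");
}

function identifiers(src) {
  const ids = stripLiterals(src).match(/[A-Za-z_$][\w$]*/g) || [];
  return ids.filter((id) => !KEYWORDS.has(id));
}

function averageIdentifierLength(src) {
  const ids = identifiers(src);
  return ids.length === 0 ? 0 : ids.reduce((n, id) => n + id.length, 0) / ids.length;
}

function analyse(src) {
  const warnings = [];
  // short-identifiers: more than 5 identifiers whose average length is below 1.5
  const avg = averageIdentifierLength(src);
  if (identifiers(src).length > 5 && avg < 1.5) {
    warnings.push({ kind: "short-identifiers", value: avg });
  }
  // encoded-literal: \xNN or \uNNNN escapes, or a long base64-looking string (cutoff assumed)
  for (const lit of src.match(STRING_LITERAL) || []) {
    const body = lit.slice(1, -1);
    if (/\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}/.test(body) ||
        (body.length >= 24 && /^[A-Za-z0-9+/]+={0,2}$/.test(body))) {
      warnings.push({ kind: "encoded-literal", value: body });
    }
  }
  return warnings;
}

// Constructed samples: one with single-letter identifiers and a hex-escaped string
// (decodes to "hello"), one with ordinary readable code.
const SUSPICIOUS = 'var a=1,b=2,c=3,d=4,e=5,f=6; var g="\\x68\\x65\\x6c\\x6c\\x6f";';
const CLEAN = "const total = items.reduce((sum, item) => sum + item.price, 0);";
console.log(analyse(SUSPICIOUS), analyse(CLEAN));
```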
Changelog v7.0
- chore(deps): bump is-svg from 4.4.0 to 5.0.0 by @dependabot in #181
- Docs: Fix badges in workspaces by @fabnguess in #184
- fix the example in readme to prevent “location” field displays wrong way when running as script with Node.js. (nested displayed as [Array]) by @zxkmm in #185
- refactor(test): move regress to /issues folder by @fraxken in #186
- refactor: remove ASTDeps class and rename Analysis to SourceFile by @fraxken in #187
- refactor: use new SourceParser class by @fraxken in #189
- chore(deps): bump string-width from 5.1.2 to 7.0.0 by @dependabot in #182
- refactor(probe): allow array of validateNode functions by @fraxken in #191
- docs: estree-ast-utils typo by @PierreDemailly in #192
- fix(estree-ast-utils): add missing d.ts by @fraxken in #193
- feat(getCallExpressionIdentifier): add resolveCallExpression option by @fraxken in #194
- refactor: new ProbeRunner class by @fraxken in #195
- fix(unsafe-import): warning on unsafe-import using eval/require by @tchapacan in #190
- fix(isRequire): do not resolve CallExpr by @fraxken in #200
- Remove mockedFunction for Node.js test runner mock method by @jean-michelet in #201
- docs: add jean-michelet as a contributor for test by @allcontributors in #202
- chore(deps-dev): bump c8 from 8.0.1 to 9.0.0 by @dependabot in #199
- chore(deps): bump actions/upload-artifact from 3.1.3 to 4.0.0 by @dependabot in #197
- Bug#170 by @jean-michelet in #206
- feat(probeRunner): assert probes method in proberunner by @tchapacan in #204
- docs: add tchapacan as a contributor for code, and test by @allcontributors in #207
- Report.isOneLineRequire should be true if single line LogicalExpression assignment by @jean-michelet in #205
- refactor: split utils by @mkarkkainen in #209
- docs: add mkarkkainen as a contributor for code by @allcontributors in #210
- replace dead link by the webarchive one by @jean-michelet in #213
- build path.join called in require if args are string literals by @jean-michelet in #212
- chore(deps): bump actions/setup-node from 4.0.0 to 4.0.1 by @dependabot in #198
- chore(deps): bump github/codeql-action from 2.22.8 to 3.22.12 by @dependabot in #196
- Make SourceParser class heritable + create and use JsSourceParser in … by @jean-michelet in #215
- Refactor runASTAnalysis functions to use class AstAnalyser by @jean-michelet in #216
- docs: add jean-michelet as a contributor for code, test, and doc by @allcontributors in #217
- Create ts-source-parser package by @jean-michelet in #218
- docs(suspicious-file): fix typo by @FredGuiou in #219
- docs: add FredGuiou as a contributor for doc by @allcontributors in #222
- Update doc by @jean-michelet in #226
- refactor: consider Function(“return this”) as safe by @fraxken in #211
- refactor(analysis) : rename ‘analysis’ variable to ‘sourceFile’ by @FredGuiou in #232
- chore(deps): bump actions/upload-artifact from 4.0.0 to 4.3.0 by @dependabot in #230
- chore(deps): bump step-security/harden-runner from 2.6.1 to 2.7.0 by @dependabot in #229
- chore(deps): bump github/codeql-action from 3.22.12 to 3.23.2 by @dependabot in #228
- docs: add FredGuiou as a contributor for code, and doc by @allcontributors in #234
- Refactor isRequire probe with new class RequireCallExpressionWalker by @jean-michelet in #231
- Use JsSourceParser as default parser for AstAnalyser class by @madina0801 in #227
- docs: add madina0801 as a contributor for code by @allcontributors in #236
- refactor!: implement NodeCounter & Deobfuscator class by @fraxken in #239
- refactor(sec-literal/test): use the Node.js native test runner by @fabnguess in #242
- chore: update copyright by @fabnguess in #240
- chore: using dependabot groups by @fabnguess in #244
- refactor(estree-ast-utils/test): migrate to test_runner by @FredGuiou in #251
- chore(deps): bump the github-actions group with 3 updates by @dependabot in #248
- chore(deps): bump the dependencies group with 1 update by @dependabot in #252
- feat(customProbes): inject custom probes as param for AstAnalyser by @tchapacan in #250
- ci(nodejs): automatically merge dependabot PR by @fraxken in #254
Install & Use
Copyright (c) 2021 NodeSecure