feat: new optional synchronous IO warning (#355)

Co-authored-by: Thomas.G <gentilhomme.thomas@gmail.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: 3 people

README.md

@@ -19,12 +19,14 @@ export class AstAnalyser {
    * @param {SourceParser} [options.customParser]
    * @param {Array<object>} [options.customProbes]
    * @param {boolean} [options.skipDefaultProbes=false]
+   * @param {boolean | Iterable<string>} [options.optionalWarnings=false]
    */
   constructor(options = {}) {
     this.parser = options.customParser ?? new JsSourceParser();
     this.probesOptions = {
       customProbes: options.customProbes ?? [],
-      skipDefaultProbes: options.skipDefaultProbes ?? false
+      skipDefaultProbes: options.skipDefaultProbes ?? false,
+      optionalWarnings: options.optionalWarnings ?? false
     };
   }
 

docs/synchronous-io.md

@@ -14,6 +14,7 @@ import isArrayExpression from "./probes/isArrayExpression.js";
 import isESMExport from "./probes/isESMExport.js";
 import isFetch from "./probes/isFetch.js";
 import isUnsafeCommand from "./probes/isUnsafeCommand.js";
+import isSyncIO from "./probes/isSyncIO.js";
 
 /**
  * @typedef {import('./SourceFile.js').SourceFile} SourceFile
@@ -56,6 +57,14 @@ export class ProbeRunner {
     isUnsafeCommand
   ];
 
+  /**
+   *
+   * @type {Record<string,Probe>}
+   */
+  static Optionals = {
+    "synchronous-io": isSyncIO
+  };
+
   /**
    *
    * @param {!SourceFile} sourceFile

src/AstAnalyser.js

@@ -11,6 +11,36 @@ import * as trojan from "./obfuscators/trojan-source.js";
 
 // CONSTANTS
 const kMaximumEncodedLiterals = 10;
+const kIdentifierOrMemberExps = [
+  "crypto.createHash",
+  "crypto.pbkdf2Sync",
+  "crypto.scryptSync",
+  "crypto.generateKeyPairSync",
+  "fs.readFileSync",
+  "fs.writeFileSync",
+  "fs.appendFileSync",
+  "fs.readSync",
+  "fs.writeSync",
+  "fs.readdirSync",
+  "fs.statSync",
+  "fs.mkdirSync",
+  "fs.renameSync",
+  "fs.unlinkSync",
+  "fs.symlinkSync",
+  "fs.openSync",
+  "fs.fstatSync",
+  "fs.linkSync",
+  "fs.realpathSync",
+  "child_process.execSync",
+  "child_process.spawnSync",
+  "child_process.execFileSync",
+  "zlib.deflateSync",
+  "zlib.inflateSync",
+  "zlib.gzipSync",
+  "zlib.gunzipSync",
+  "zlib.brotliCompressSync",
+  "zlib.brotliDecompressSync"
+];
 
 export class SourceFile {
   inTryStatement = false;
@@ -24,15 +54,30 @@ export class SourceFile {
 
   constructor(sourceCodeString, probesOptions = {}) {
     this.tracer = new VariableTracer()
-      .enableDefaultTracing()
-      .trace("crypto.createHash", {
-        followConsecutiveAssignment: true, moduleName: "crypto"
-      });
+      .enableDefaultTracing();
+
+    kIdentifierOrMemberExps.forEach((identifierOrMemberExp) => this.tracer.trace(identifierOrMemberExp, {
+      followConsecutiveAssignment: true,
+      moduleName: identifierOrMemberExp.split(".")[0]
+    }));
 
     let probes = ProbeRunner.Defaults;
     if (Array.isArray(probesOptions.customProbes) && probesOptions.customProbes.length > 0) {
       probes = probesOptions.skipDefaultProbes === true ? probesOptions.customProbes : [...probes, ...probesOptions.customProbes];
     }
+
+    if (typeof probesOptions.optionalWarnings === "boolean") {
+      if (probesOptions.optionalWarnings) {
+        probes = [...probes, ...Object.values(ProbeRunner.Optionals)];
+      }
+    }
+    else {
+      const optionalProbes = Array.from(probesOptions.optionalWarnings ?? [])
+        .flatMap((warning) => ProbeRunner.Optionals[warning] ?? []);
+
+      probes = [...probes, ...optionalProbes];
+    }
+
     this.probesRunner = new ProbeRunner(this, probes);
 
     if (trojan.verify(sourceCodeString)) {

src/ProbeRunner.js

@@ -0,0 +1,27 @@
+// Import Third-party Dependencies
+import { getCallExpressionIdentifier } from "@nodesecure/estree-ast-utils";
+
+// Constants
+const kTracedNodeCoreModules = ["fs", "crypto", "child_process", "zlib"];
+
+function validateNode(node, { tracer }) {
+  const id = getCallExpressionIdentifier(node, { tracer });
+  if (id === null || !kTracedNodeCoreModules.some((moduleName) => tracer.importedModules.has(moduleName))) {
+    return [false];
+  }
+
+  const data = tracer.getDataFromIdentifier(id);
+
+  return [data !== null && data.identifierOrMemberExpr.endsWith("Sync")];
+}
+
+function main(node, { sourceFile }) {
+  sourceFile.addWarning("synchronous-io", node.callee.name, node.loc);
+}
+
+export default {
+  name: "isSyncIO",
+  validateNode,
+  main,
+  breakOnMatch: false
+};

src/SourceFile.js

@@ -56,6 +56,11 @@ export const warnings = Object.freeze({
     i18n: "sast_warnings.unsafe-command",
     severity: "Warning",
     experimental: true
+  },
+  "synchronous-io": {
+    i18n: "sast_warnings.synchronous-io",
+    severity: "Warning",
+    experimental: true
   }
 });
 

src/probes/isSyncIO.js

@@ -698,6 +698,14 @@ describe("AstAnalyser", () => {
       assert.strictEqual(FakeSourceParser.prototype.parse.mock.calls.length, 1);
     });
   });
+
+  describe("optional warnings", () => {
+    it("should not crash when there is an unknown optional warning", () => {
+      new AstAnalyser({
+        optionalWarnings: ["unknown"]
+      }).analyse("");
+    });
+  });
 });
 
 let analyser = null;

src/warnings.js

@@ -0,0 +1,3 @@
+const { appendFileSync } = require("fs");
+
+appendFileSync("./foo.txt");

test/AstAnalyser.spec.js

@@ -0,0 +1,3 @@
+const { brotliCompressSync } = require("zlib");
+
+brotliCompressSync(Buffer.from("text","utf-8"));