feat(probes): add minimal implementation of data exfiltration (#399)

Author: clemgbld

.changeset/chatty-eagles-draw.md

@@ -0,0 +1,5 @@
+---
+"@nodesecure/js-x-ray": minor
+---
+
+feat(probes) add minimal implementation of data-exfiltration

README.md

@@ -144,6 +144,8 @@ This section describes all the possible warnings returned by JSXRay. Click on th
 | [shady-link](./docs/shady-link.md) | ❌ | The code contains a shady/unsafe link |
 | [synchronous-io](./docs/synchronous-io.md) | ✔️ | The code contains a synchronous IO call. |
 | [serialize-environment](./docs/serialize-environment.md) | ❌ | The code attempts to serialize process.env which could lead to environment variable exfiltration |
+| [data-exfiltration](./docs/data-exfiltration.md) | ❌ | the code potentially attemps to transfer sensitive data wihtout authorization from a computer or network to an external location. |
+
 
 ## Workspaces
 

docs/data-exfiltration.md

@@ -0,0 +1,17 @@
+# Data exfiltration 
+
+| Code | Severity | i18n | Experimental |
+| --- | --- | --- | :-: |
+| data-exfiltration | `Warning` | `sast_warnings.data_exfiltration` | ❌ | 
+
+## Introduction
+
+Data exfiltration is the unauthorized transfer of sensitive data from a computer or network to an external location. This can occur through malicious code, insider threats, or compromised systems.
+
+## Example
+
+```js
+import os from "os";
+
+JSON.stringify(os.userInfo());
+```

workspaces/js-x-ray/src/ProbeRunner.ts

@@ -19,6 +19,7 @@ import isFetch from "./probes/isFetch.js";
 import isUnsafeCommand from "./probes/isUnsafeCommand.js";
 import isSyncIO from "./probes/isSyncIO.js";
 import isSerializeEnv from "./probes/isSerializeEnv.js";
+import dataExfiltration from "./probes/data-exfiltration.js";
 
 import type { SourceFile } from "./SourceFile.js";
 import type { OptionalWarningName } from "./warnings.js";
@@ -83,7 +84,8 @@ export class ProbeRunner {
     isBinaryExpression,
     isArrayExpression,
     isUnsafeCommand,
-    isSerializeEnv
+    isSerializeEnv,
+    dataExfiltration
   ];
 
   static Optionals: Record<OptionalWarningName, Probe> = {
@@ -113,8 +115,9 @@ export class ProbeRunner {
         const isDefined = Reflect.defineProperty(probe, kProbeOriginalContext, {
           enumerable: false,
           value: structuredClone(probe.context),
-          writable: false
+          configurable: true
         });
+
         if (!isDefined) {
           throw new Error(`Failed to define original context for probe '${probe.name}'`);
         }

workspaces/js-x-ray/src/probes/data-exfiltration.ts

@@ -0,0 +1,111 @@
+// Import Third-party Dependencies
+import {
+  getCallExpressionIdentifier
+} from "@nodesecure/estree-ast-utils";
+import type { ESTree } from "meriyah";
+
+// Import Internal Dependencies
+import { generateWarning } from "../warnings.js";
+import type { ProbeContext } from "../ProbeRunner.js";
+import { rootLocation, toArrayLocation, type SourceArrayLocation } from "../utils/toArrayLocation.js";
+
+// CONSTANTS
+const kSensitiveMethods = [
+  "os.userInfo",
+  "os.networkInterfaces",
+  "os.cpus",
+  "dns.getServers"
+];
+
+type DataExfiltrationContextDef = Record<string, SourceArrayLocation[]>;
+
+function validateNode(
+  node: ESTree.Node,
+  ctx: ProbeContext
+): [boolean, any?] {
+  const tracer = ctx.sourceFile.tracer;
+  const id = getCallExpressionIdentifier(node);
+
+  if (id === null) {
+    return [false];
+  }
+  const data = tracer.getDataFromIdentifier(id);
+
+  if (data === null || data.identifierOrMemberExpr !== "JSON.stringify") {
+    return [false];
+  }
+
+  const castedNode = node as ESTree.CallExpression;
+  if (castedNode.arguments.length === 0) {
+    return [false];
+  }
+
+  return [true];
+}
+
+function main(
+  node: ESTree.CallExpression,
+  ctx: ProbeContext<DataExfiltrationContextDef>
+) {
+  const { sourceFile } = ctx;
+
+  const firstArg = node.arguments[0];
+  if (firstArg.type !== "CallExpression") {
+    return;
+  }
+  const id = getCallExpressionIdentifier(firstArg)!;
+  const data = sourceFile.tracer.getDataFromIdentifier(id);
+  if (kSensitiveMethods.some((method) => data?.identifierOrMemberExpr === method
+    && sourceFile.tracer.importedModules.has(method.split(".")[0]))) {
+    const arrayLocation = ctx.context?.[data?.identifierOrMemberExpr!];
+    if (arrayLocation) {
+      arrayLocation.push(toArrayLocation(firstArg.loc ?? rootLocation()));
+    }
+    else {
+      ctx.context![data?.identifierOrMemberExpr!] = [toArrayLocation(firstArg.loc ?? rootLocation())];
+    }
+  }
+}
+
+function initialize(
+  ctx: ProbeContext<DataExfiltrationContextDef>
+) {
+  const { sourceFile: { tracer } } = ctx;
+  tracer
+    .trace("JSON.stringify", {
+      followConsecutiveAssignment: true
+    }).trace("os.userInfo", {
+      moduleName: "os",
+      followConsecutiveAssignment: true
+    }).trace("os.networkInterfaces", {
+      moduleName: "os",
+      followConsecutiveAssignment: true
+    }).trace("os.cpus", {
+      moduleName: "os",
+      followConsecutiveAssignment: true
+    }).trace("dns.getServers", {
+      moduleName: "dns",
+      followConsecutiveAssignment: true
+    });
+}
+
+function finalize(ctx: ProbeContext<DataExfiltrationContextDef>) {
+  const { sourceFile, context } = ctx;
+  if (context && Object.keys(context).length > 0) {
+    const warning = generateWarning("data-exfiltration",
+      { value: Object.keys(context).join(", ") });
+    sourceFile.warnings.push({ ...warning, location: Object.values(context).flat() });
+  }
+}
+
+const dateExifiltration = {
+  name: "dataExfiltration",
+  validateNode,
+  initialize,
+  finalize,
+  main,
+  breakOnMatch: false,
+  context: {}
+};
+
+export default dateExifiltration;

workspaces/js-x-ray/src/warnings.ts

@@ -26,6 +26,7 @@ export type WarningName =
   | "unsafe-command"
   | "unsafe-import"
   | "serialize-environment"
+  | "data-exfiltration"
   | OptionalWarningName;
 
 export interface Warning<T = WarningName> {
@@ -103,6 +104,11 @@ export const warnings = Object.freeze({
     i18n: "sast_warnings.serialize_environment",
     severity: "Warning",
     experimental: false
+  },
+  "data-exfiltration": {
+    i18n: "sast_warnings.data_exfiltration",
+    severity: "Warning",
+    experimental: false
   }
 }) satisfies Record<WarningName, Pick<Warning, "experimental" | "i18n" | "severity">>;
 

workspaces/js-x-ray/test/probes/data-exfiltration.spec.ts

@@ -0,0 +1,133 @@
+// Import Node.js Dependencies
+import { test, describe } from "node:test";
+import assert from "node:assert";
+import { readFileSync } from "node:fs";
+import fs from "node:fs/promises";
+
+// Import Internal Dependencies
+import { AstAnalyser } from "../../src/index.js";
+
+const FIXTURE_URL = new URL("fixtures/dataExfiltration/", import.meta.url);
+
+describe("data exfiltration", () => {
+  test("it should report a warning in case of `JSON.stringify(sensitiveData) for member expression`", async() => {
+    const fixturesDir = new URL("memberExpression/", FIXTURE_URL);
+    const fixtureFiles = await fs.readdir(fixturesDir);
+
+    for (const fixtureFile of fixtureFiles) {
+      const fixture = readFileSync(new URL(fixtureFile, fixturesDir), "utf-8");
+      const { warnings: outputWarnings } = new AstAnalyser(
+        {
+          optionalWarnings: true
+        }
+      ).analyse(fixture);
+
+      const [firstWarning] = outputWarnings;
+      assert.strictEqual(outputWarnings.length, 1);
+      assert.deepEqual(firstWarning.kind, "data-exfiltration");
+      assert.strictEqual(firstWarning.value, `${fixtureFile.split(".").slice(0, 2).join(".")}`);
+    }
+  });
+
+  test("it should report a warning in case of `JSON.stringify(sensitiveData) for direct call expression`", async() => {
+    const fixturesDir = new URL("directCallExpression/", FIXTURE_URL);
+    const fixtureFiles = await fs.readdir(fixturesDir);
+
+    for (const fixtureFile of fixtureFiles) {
+      const fixture = readFileSync(new URL(fixtureFile, fixturesDir), "utf-8");
+      const { warnings: outputWarnings } = new AstAnalyser(
+        {
+          optionalWarnings: true
+        }
+      ).analyse(fixture);
+
+      const [firstWarning] = outputWarnings;
+      assert.strictEqual(outputWarnings.length, 1);
+      assert.deepEqual(firstWarning.kind, "data-exfiltration");
+      assert.strictEqual(firstWarning.value, `${fixtureFile.split(".").slice(0, 2).join(".")}`);
+    }
+  });
+
+  test("should only generate one warning when multiple detection of data exfiltration occurs", () => {
+    const code = `
+     import os from "os"; 
+
+     JSON.stringify(os.userInfo()); 
+     JSON.stringify(os.userInfo()); 
+     JSON.stringify(os.networkInterfaces()); 
+    `;
+
+    const { warnings: outputWarnings } = new AstAnalyser(
+      {
+        optionalWarnings: true
+      }
+    ).analyse(code);
+
+    const [firstWarning] = outputWarnings;
+    assert.strictEqual(outputWarnings.length, 1);
+    assert.deepEqual(firstWarning.kind, "data-exfiltration");
+    assert.strictEqual(firstWarning.value, "os.userInfo, os.networkInterfaces");
+    assert.strictEqual(firstWarning.location?.length, 3);
+  });
+
+  test("should not generate a warning when serializing return value of every function call", () => {
+    const code = `
+     function foo (){
+        return "foo";
+     }
+     JSON.stringify(foo()); 
+    `;
+    const { warnings: outputWarnings } = new AstAnalyser(
+      {
+        optionalWarnings: true
+      }
+    ).analyse(code);
+
+    assert.strictEqual(outputWarnings.length, 0);
+  });
+
+  test("should not generate a warning when os is not imported", () => {
+    const code = `
+     const os = {
+        userInfo(){
+            return {};
+        },
+        cpus(){
+            return [];
+        },
+        networkInterfaces(){
+            return [];
+        }
+        
+     }
+     JSON.stringify(os.userInfo()); 
+     JSON.stringify(os.networkInterfaces()); 
+     JSON.stringify(os.cpus()); 
+    `;
+    const { warnings: outputWarnings } = new AstAnalyser(
+      {
+        optionalWarnings: true
+      }
+    ).analyse(code);
+
+    assert.strictEqual(outputWarnings.length, 0);
+  });
+
+  test("should not generate a warning when dns is not imported", () => {
+    const code = `
+     const dns = {
+        getServers(){
+            return [];
+        }
+     }
+     JSON.stringify(getServers()); 
+    `;
+    const { warnings: outputWarnings } = new AstAnalyser(
+      {
+        optionalWarnings: true
+      }
+    ).analyse(code);
+
+    assert.strictEqual(outputWarnings.length, 0);
+  });
+});

workspaces/js-x-ray/test/probes/fixtures/dataExfiltration/directCallExpression/dns.getServers.js

@@ -0,0 +1,5 @@
+const { getServers } = require("dns");
+
+const stringify = JSON.stringify;
+
+stringify(getServers());

workspaces/js-x-ray/test/probes/fixtures/dataExfiltration/directCallExpression/os.cpus.js

@@ -0,0 +1,5 @@
+const { cpus } = require("os");
+
+const stringify = JSON.stringify;
+
+stringify(cpus());

workspaces/js-x-ray/test/probes/fixtures/dataExfiltration/directCallExpression/os.networkInterfaces.js

@@ -0,0 +1,5 @@
+const { networkInterfaces } = require("os");
+
+const stringify = JSON.stringify;
+
+stringify(networkInterfaces());