feat(heuristics): add whitespace check to detect excessive spacing and invisible characters for malware check (#1086)

This PR adds a new heuristic that analyzes code to detect suspicious use of excessive spaces and invisible characters. It checks whether the amount of spacing and invisible Unicode characters exceeds a defined threshold.

Signed-off-by: Amine <[email protected]>
Signed-off-by: Carl Flottmann <[email protected]>
Co-authored-by: Carl Flottmann <[email protected]>

Author: AmineRaouane

src/macaron/resources/pypi_malware_rules/obfuscation.yaml

@@ -311,3 +311,14 @@ rules:
     - pattern: os.writev(...)
     - pattern: os.pwrite(...)
     - pattern: os.pwritev(...)
+
+- id: obfuscation_excessive-spacing
+  metadata:
+    description: Detects the use of excessive spacing in code, which may indicate obfuscation or hidden code.
+  message: Hidden code after excessive spacing
+  languages:
+  - python
+  severity: ERROR
+  patterns:
+  - pattern-regex: '[\s]{50,}(\S)+' # The 50 here is the threshold for excessive spacing , more than that is considered obfuscation
+  - pattern-not-regex: '"""[\s\S]*"""'

tests/malware_analyzer/pypi/resources/sourcecode_samples/obfuscation/excessive_spacing.py

@@ -0,0 +1,25 @@
+# Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+"""
+Running this code will not produce any malicious behavior, but code isolation measures are
+in place for safety.
+"""
+
+import sys
+
+# ensure no symbols are exported so this code cannot accidentally be used
+__all__ = []
+sys.exit()
+
+def test_function():
+    """
+    All code to be tested will be defined inside this function, so it is all local to it. This is
+    to isolate the code to be tested, as it exists to replicate the patterns present in malware
+    samples.
+    """
+    sys.exit()
+
+    # excessive spacing obfuscation
+    def excessive_spacing_flow():
+                                                                                                                                                                                                                                                       print("Hello world!")

tests/malware_analyzer/pypi/resources/sourcecode_samples/obfuscation/expected_results.json

@@ -229,6 +229,21 @@
                     "end": 68
                 }
             ]
+        },
+        "src.macaron.resources.pypi_malware_rules.obfuscation_excessive-spacing": {
+            "message": "Hidden code after excessive spacing",
+            "detections": [
+                {
+                    "file": "obfuscation/excessive_spacing.py",
+                    "start": 24,
+                    "end": 25
+                },
+                {
+                   "file": "obfuscation/inline_imports.py",
+                    "start": 27,
+                    "end": 27
+                }
+            ]
         }
     },
     "disabled_sourcecode_rule_findings": {}

tests/malware_analyzer/pypi/resources/sourcecode_samples/obfuscation/inline_imports.py

@@ -24,7 +24,7 @@ def test_function():
     __import__('builtins')
     __import__('subprocess')
     __import__('sys')
-    __import__('os')
+    print("Hello world!")                                                                                                                                                                                                                                                                ;__import__('os')
     __import__('zlib')
     __import__('marshal')
     # these both just import builtins