DEV Community

Thomas.G for NodeSecure


JS-X-Ray 3.0

Hello!

I have been working every night of the week on a new major version of my open-source JavaScript SAST, JS-X-Ray. I've been looking forward to making significant changes to the code for several months now...

Why?

Because I'm still learning every day and the project has grown quite large since 2.0.0. Also, when I started the project, I lacked a certain rigor in the way I documented the code (and in some of the assumptions I made).

It became necessary to make changes in order to continue to evolve the project.

So what's new?

sec-literal

npm i sec-literal

I started to work on a package to analyze ESTree Literals and JavaScript strings. This is a very important part that deserved to be separated into its own package (which simplifies my documentation and testing).

Some of the features of this package:

  • Detect hexadecimal, Base64 and Unicode escape sequences.
  • Detect patterns (common prefix, suffix) across groups of identifiers.
  • Detect suspicious strings and return metrics on them (character diversity, etc.).

It's a start... I plan to extend the features of the package in the coming months (but also to re-invest some time in documentation and testing).
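As an added illustration (my own code, not sec-literal's implementation or API), here are the kinds of checks listed above written out in plain JavaScript: alphabet tests for hex and Base64 with minimum-length thresholds, a check for `\u` escape sequences run against the literal's raw source text rather than its decoded value, per-string metrics (character diversity and Shannon entropy), and prefix/suffix grouping over identifier names of the kind obfuscators produce. The thresholds, function names and sample literals are assumptions chosen for the example.

```javascript
// Added example, not sec-literal's code: heuristics of the kind a literal
// analyzer applies to ESTree string Literals and to identifier names.

const HEX_RE = /^[0-9a-fA-F]+$/;
const BASE64_RE = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;
// Escape sequences only survive in the literal's raw source text: once the
// parser has produced `value`, "\u0065val" is already the plain string "eval".
const UNICODE_ESCAPE_RE = /\\u(?:[0-9a-fA-F]{4}|\{[0-9a-fA-F]{1,6}\})/;

// Minimum lengths are assumed thresholds so that short words that happen to
// fit the alphabet ("cafe", "face") are not reported as encoded payloads.
function isHex(str) {
  return str.length >= 8 && str.length % 2 === 0 && HEX_RE.test(str);
}

function isBase64(str) {
  return str.length >= 16 && str.length % 4 === 0 && BASE64_RE.test(str);
}

function hasUnicodeEscape(raw) {
  return typeof raw === "string" && UNICODE_ESCAPE_RE.test(raw);
}

// Distinct code points relative to length, plus Shannon entropy in bits per
// character (0 for a string made of one repeated character).
function stringMetrics(str) {
  const chars = [...str];
  const counts = new Map();
  for (const ch of chars) counts.set(ch, (counts.get(ch) ?? 0) + 1);
  let entropy = 0;
  for (const n of counts.values()) {
    const p = n / chars.length;
    entropy -= p * Math.log2(p);
  }
  return {
    length: chars.length,
    uniqueChars: counts.size,
    charDiversity: chars.length === 0 ? 0 : counts.size / chars.length,
    entropy,
  };
}

// Assumed thresholds: long, high-entropy strings without whitespace look more
// like packed payloads or keys than like text a developer typed.
function isSuspiciousString(str, { minLength = 20, minEntropy = 4 } = {}) {
  const m = stringMetrics(str);
  return m.length >= minLength && m.entropy >= minEntropy && !/\s/.test(str);
}

// Classify one ESTree Literal ({ type, value, raw }); non-string literals are skipped.
function classifyLiteral(node) {
  if (node.type !== "Literal" || typeof node.value !== "string") return null;
  const kinds = [];
  if (hasUnicodeEscape(node.raw)) kinds.push("unicode-escape");
  // Hex is a subset of the Base64 alphabet, so test the narrower class first.
  if (isHex(node.value)) kinds.push("hex");
  else if (isBase64(node.value)) kinds.push("base64");
  return {
    kinds,
    metrics: stringMetrics(node.value),
    suspicious: kinds.length > 0 || isSuspiciousString(node.value),
  };
}

function longestCommonPrefix(names) {
  let prefix = names[0] ?? "";
  for (const name of names) {
    while (!name.startsWith(prefix)) prefix = prefix.slice(0, -1);
  }
  return prefix;
}

// Obfuscators tend to emit identifiers sharing a prefix (e.g. "_0x..."). Bucket
// names by their first `keyLength` characters and report each bucket of at
// least `minGroup` members together with the longest prefix they all share.
function identifierPrefixGroups(names, { keyLength = 2, minGroup = 3 } = {}) {
  const buckets = new Map();
  for (const name of names) {
    const key = name.slice(0, keyLength);
    if (!buckets.has(key)) buckets.set(key, []);
    buckets.get(key).push(name);
  }
  const groups = [];
  for (const members of buckets.values()) {
    if (members.length < minGroup) continue;
    groups.push({ prefix: longestCommonPrefix(members), count: members.length });
  }
  return groups;
}

// Suffix patterns fall out of the same routine applied to reversed names.
function identifierSuffixGroups(names, opts) {
  const reverse = (s) => [...s].reverse().join("");
  return identifierPrefixGroups(names.map(reverse), opts)
    .map((g) => ({ suffix: reverse(g.prefix), count: g.count }));
}

// Constructed sample nodes, shaped like the Literals an ESTree parser emits.
const SAMPLE_LITERALS = [
  { type: "Literal", value: "hello world", raw: '"hello world"' },
  { type: "Literal", value: "eval", raw: '"\\u0065val"' },
  { type: "Literal", value: "68656c6c6f20776f726c64", raw: '"68656c6c6f20776f726c64"' },
  { type: "Literal", value: "Y29uc29sZS5sb2coJ2hlbGxvIHdvcmxkJyk7Cg==", raw: '"Y29uc29sZS5sb2coJ2hlbGxvIHdvcmxkJyk7Cg=="' },
];

for (const node of SAMPLE_LITERALS) {
  console.log(JSON.stringify(node.value), classifyLiteral(node));
}
console.log(identifierPrefixGroups(["_0x1a2b", "_0x3c4d", "_0x5e6f", "foo", "bar"]));
```

Note the trade-off the alphabet tests make: a 32-character string of distinct letters and digits passes `isBase64` even though it decodes to garbage, which is why the metrics are returned alongside the kinds rather than folded into a single verdict; a caller can weigh entropy, length and context before raising a warning.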

new project structure


Still very far from the perfection I imagine, but it's a good start. The code had become messy and it was almost impossible to reason about it properly.

The new version is now much easier to maintain and evolve. I will surely continue to improve it for the next major release.

More documentation, more tests

I took advantage of the refactor to add back a whole set of documentation and unit tests. It also allowed me to fix a number of issues that had not been resolved in version 2.3.

Obfuscation detection is hard

I knew it! But I swear to you that it is much more complex than anyone can imagine. I had to retrace my steps several times.

But if there were no challenges it wouldn't be fun.

ESM Import evaluation

Version 3 now reports an unsafe-import warning for imports that evaluate JavaScript code, such as a data: URL carrying a base64-encoded script:

import 'data:text/javascript;base64,Y29uc29sZS5sb2coJ2hlbGxvIHdvcmxkJyk7Cg==';

For more info: https://2ality.com/2019/10/eval-via-import.html
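To show what such a detection looks like in practice, here is an added example (my own code, not JS-X-Ray's implementation): a small ESTree walker that reports static and dynamic imports whose specifier is a data: URL, decodes the embedded payload so the report shows what would have run, and separately reports dynamic import() calls whose specifier is not a string literal and therefore cannot be checked statically. The walker, the warning shape, the "unresolvable-import" name and the sample module are assumptions made for this example; it assumes Node.js (for Buffer) and an ESTree-shaped AST of the kind parsers such as acorn or meriyah produce.

```javascript
// Added example, not JS-X-Ray's code: flag ESM import specifiers that carry
// JavaScript inline instead of pointing at a file or package. Assumes Node.js
// (Buffer) and an ESTree-shaped AST.

// Anything under the data: scheme is content smuggled into the module graph;
// no legitimate dependency is resolved that way, so every hit is reported.
function isDataUrl(specifier) {
  return /^data:/i.test(specifier.trim());
}

// Recover the source a data: URL would execute. The URL has the shape
// data:<mediatype>[;base64],<payload>; base64 payloads are decoded, the rest
// is percent-decoded. Returns null when there is no payload at all.
function decodeDataUrl(specifier) {
  const comma = specifier.indexOf(",");
  if (comma === -1) return null;
  const meta = specifier.slice("data:".length, comma);
  const payload = specifier.slice(comma + 1);
  if (/;base64$/i.test(meta)) return Buffer.from(payload, "base64").toString("utf8");
  try {
    return decodeURIComponent(payload);
  } catch {
    return payload; // malformed percent-encoding: report it as written
  }
}

// Minimal ESTree walker: visit every node that has a `type`, skipping location data.
function walk(node, visit) {
  if (node === null || typeof node !== "object") return;
  if (Array.isArray(node)) {
    for (const child of node) walk(child, visit);
    return;
  }
  if (typeof node.type === "string") visit(node);
  for (const [key, child] of Object.entries(node)) {
    if (key === "loc" || key === "range" || key === "parent") continue;
    walk(child, visit);
  }
}

// Examine one specifier expression and append a warning when needed.
function checkSpecifier(source, where, warnings) {
  if (source.type === "Literal" && typeof source.value === "string") {
    if (isDataUrl(source.value)) {
      warnings.push({ kind: "unsafe-import", where, specifier: source.value, payload: decodeDataUrl(source.value) });
    }
    return;
  }
  // import() accepts any expression; a non-literal specifier cannot be resolved
  // statically, so it is reported under a separate kind (a name chosen here).
  warnings.push({ kind: "unresolvable-import", where, specifier: null, payload: null });
}

function findUnsafeImports(ast) {
  const warnings = [];
  walk(ast, (node) => {
    if (node.type === "ImportDeclaration") {
      checkSpecifier(node.source, "static import", warnings);
    } else if (node.type === "ImportExpression") {
      checkSpecifier(node.source, "dynamic import()", warnings);
    } else if (node.type === "CallExpression" && node.callee.type === "Import" && node.arguments.length > 0) {
      // Older parsers represent import() as a CallExpression with an Import callee.
      checkSpecifier(node.arguments[0], "dynamic import()", warnings);
    }
  });
  return warnings;
}

// Constructed AST for a module equivalent to:
//   import './config.js';
//   import 'data:text/javascript;base64,Y29uc29sZS5sb2coJ2hlbGxvIHdvcmxkJyk7Cg==';
//   import('data:text/javascript,console.log(1)');
//   import(target);
const DATA_URL = "data:text/javascript;base64,Y29uc29sZS5sb2coJ2hlbGxvIHdvcmxkJyk7Cg==";
const lit = (value) => ({ type: "Literal", value, raw: JSON.stringify(value) });
const SAMPLE_PROGRAM = {
  type: "Program",
  sourceType: "module",
  body: [
    { type: "ImportDeclaration", specifiers: [], source: lit("./config.js") },
    { type: "ImportDeclaration", specifiers: [], source: lit(DATA_URL) },
    { type: "ExpressionStatement", expression: { type: "ImportExpression", source: lit("data:text/javascript,console.log(1)") } },
    { type: "ExpressionStatement", expression: { type: "ImportExpression", source: { type: "Identifier", name: "target" } } },
  ],
};

for (const warning of findUnsafeImports(SAMPLE_PROGRAM)) console.log(warning);
```

Decoding the payload in the report matters in practice: the base64 form of the specifier above is opaque to a reviewer skimming a diff, while the decoded `console.log('hello world');` (or whatever a real sample carries) is what they need to triage. The plain `data:text/javascript,...` variant needs no decoding step beyond percent-decoding, which is why both forms are handled.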

Conclusion

Nothing incredible for this new version. But the project continues to progress step by step and I hope to be able to add a whole bunch of new detections by the end of the year.

Best Regards,
Thomas

Top comments (1)

tonygo

Good job Thomas 👏 👏 👏 !
