
feat(probes): add isUnsafeSpawn #327


Open: wants to merge 10 commits into base: master

Conversation

tony-go (Member) commented May 27, 2025

I would like to introduce an isUnsafeSpawn probe.

I had the idea earlier in the day while reading a book on macOS malware where the authors try to detect if SIP is enabled (csrutil).

I noticed a bunch of commands that could be suspicious if passed in spawn/exec.

I imagined something where we could have a bunch of specific commands we could mark as suspicious.

My concern is "What about false positives?" Maybe we would like to have a probe that could take a list of commands and add warnings only for these cases.
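One way to do the command matching this proposal describes while limiting the false positives it worries about, added here as an example and not code from the PR or from JS-X-Ray: it compares the bare program name of the command string against the list instead of doing a substring search. It assumes the probe sees the first argument of `spawn()`/`exec()` as a string; the sample command strings are constructed.

```javascript
// Only command named on the PR so far.
const kUnsafeCommands = new Set(["csrutil"]);

// Substring matching: flags any string that merely contains the name,
// including a filename argument such as "csrutil-notes.txt".
function isUnsafeCommandSubstring(command) {
  return [...kUnsafeCommands].some((unsafe) => command.includes(unsafe));
}

// spawn("csrutil", ["status"]) puts the executable alone in `command`,
// exec("csrutil status") puts the whole line in one string. Take the first
// whitespace-separated token, strip any directory prefix (/ or \) and a
// trailing ".exe", and lower-case it so the comparison is on the bare name.
function executableName(command) {
  const first = command.trim().split(/\s+/)[0];

  return first.replace(/^.*[\\/]/, "").toLowerCase().replace(/\.exe$/, "");
}

// Exact match on the program name: no hit on arguments or look-alike names.
function isUnsafeCommandToken(command) {
  return kUnsafeCommands.has(executableName(command));
}

// Constructed call-site strings with the verdict a reviewer would expect.
const kSamples = [
  ["csrutil", true],                  // spawn("csrutil", ["status"])
  ["/usr/bin/csrutil status", true],  // exec() with an absolute path
  ["cat csrutil-notes.txt", false],   // only an argument contains the name
  ["ls", false]
];

// Commands the substring approach gets wrong against the expected verdicts.
function falsePositives() {
  return kSamples
    .filter(([cmd, expected]) => isUnsafeCommandSubstring(cmd) !== expected)
    .map(([cmd]) => cmd);
}
```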

fraxken (Member) commented May 27, 2025

I don't worry much about false positives (we could still see in the real world whether there are a lot or not). And CLI settings still propose to disable them (I think I will push to make experimental warnings disabled by default).

fraxken (Member) commented May 27, 2025

Opened an issue in CLI: NodeSecure/cli#493

fraxken mentioned this pull request Jun 2, 2025

changeset-bot commented Jun 10, 2025

⚠️ No Changeset found

Latest commit: 9db1db3

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


tony-go (Member, Author) commented Jun 13, 2025

Now let's update doc and readme

tony-go added 2 commits June 13, 2025 09:23
Signed-off-by: Tony Gorez <[email protected]>
Signed-off-by: Tony Gorez <[email protected]>
tony-go marked this pull request as ready for review June 13, 2025 07:28
tony-go requested a review from fraxken June 13, 2025 07:28
@@ -133,6 +134,7 @@ This section describe all the possible warnings returned by JSXRay. Click on the
| [unsafe-import](./docs/unsafe-import.md) | ❌ | Unable to follow an import (require, require.resolve) statement/expr. |
| [unsafe-regex](./docs/unsafe-regex.md) | ❌ | A RegEx as been detected as unsafe and may be used for a ReDoS Attack. |
| [unsafe-stmt](./docs//unsafe-stmt.md) | ❌ | Usage of dangerous statement like `eval()` or `Function("")`. |
| [unsafe-sapwn](./docs//unsafe-spawn.md) | ❌ | Usage of suspicious commands in `child_process.spawn()`.|
Member

Suggested change
| [unsafe-sapwn](./docs//unsafe-spawn.md) | ❌ | Usage of suspicious commands in `child_process.spawn()`.|
| [unsafe-spawn](./docs//unsafe-spawn.md) | ❌ | Usage of suspicious commands in `child_process.spawn()`.|

Member

Also, the double slash is wrong (can you fix it for unsafe-stmt as well?)

[unsafe-spawn](./docs//unsafe-spawn.md) -> [unsafe-spawn](./docs/unsafe-spawn.md)


| Code | Severity | i18n | Experimental |
| --- | --- | --- | :-: |
| unsafe-spwan | `Warning` | `sast_warnings.unsafe_spawn` | ✅ |
Member

Suggested change
| unsafe-spwan | `Warning` | `sast_warnings.unsafe_spawn` | ✅ |
| unsafe-spawn | `Warning` | `sast_warnings.unsafe_spawn` | ✅ |

@fraxken fraxken requested a review from PierreDemailly June 13, 2025 09:39
@@ -51,6 +51,11 @@ export const warnings = Object.freeze({
i18n: "sast_warnings.shady_link",
severity: "Warning",
experimental: false
},
"unsafe-spawn": {
i18n: "sast_warnings.unsafe-spawn",
Member

Suggested change
i18n: "sast_warnings.unsafe-spawn",
i18n: "sast_warnings.unsafe_spawn",

const kUnsafeCommands = ["csrutil"];

function isUnsafeCommand(command) {
return Boolean(kUnsafeCommands.find((unsafeCommand) => command.includes(unsafeCommand)));
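Review bot: `command.includes(unsafeCommand)` in `isUnsafeCommand` is a substring test, so any command string that merely contains `csrutil` (for example a filename argument on an `exec` command line, or a differently named tool whose name embeds it) is flagged, which is exactly the false-positive concern raised in the PR description. Consider comparing the first whitespace-separated token of `command`, with any directory prefix stripped, against `kUnsafeCommands` exactly, and keep the `.some(...)` form so the function returns a boolean without the `Boolean(find(...))` wrapper.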
Member

Suggested change
return Boolean(kUnsafeCommands.find((unsafeCommand) => command.includes(unsafeCommand)));
return kUnsafeCommands.some((unsafeCommand) => command.includes(unsafeCommand));

// Import Internal Dependencies
import { ProbeSignals } from "../ProbeRunner.js";

const kUnsafeCommands = ["csrutil"];
Member

Suggested change
const kUnsafeCommands = ["csrutil"];
// CONSTANTS
const kUnsafeCommands = ["csrutil"];

@@ -0,0 +1,68 @@
// Import Node.js Dependencies
import { test } from "node:test";
import assert from "node:assert";
Member

Suggested change
import assert from "node:assert";
import assert from "node:assert/strict";

We try to either use assert.strictEqual or node:assert/strict (which makes assert.equal behave like assert.strictEqual).

tony-go (Member, Author) commented Jun 13, 2025

@fraxken I propose an unsafe-command instead. WDYT? (That one would contain exec and spawn.)

fraxken (Member) commented Jun 13, 2025

@fraxken I propose an unsafe-command instead. WDYT? (That one would contain exec and spawn.)

Good for me
