feat: implement pipelines with built-in deobfuscate

Apply suggestion from @Copilot

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

chore: add changeset

Author: fraxken

.changeset/grumpy-insects-love.md

@@ -0,0 +1,5 @@
+---
+"@nodesecure/js-x-ray": patch
+---
+
+Implement new pipeline mechanism with a built-in deobfuscate

workspaces/js-x-ray/src/AstAnalyser.ts

@@ -17,11 +17,14 @@ import {
   SourceFile,
   type SourceFlags
 } from "./SourceFile.js";
-import { isOneLineExpressionExport } from "./utils/index.js";
 import { JsSourceParser, type SourceParser } from "./JsSourceParser.js";
 import { ProbeRunner, type Probe } from "./ProbeRunner.js";
 import { walkEnter } from "./walker/index.js";
 import * as trojan from "./obfuscators/trojan-source.js";
+import {
+  isOneLineExpressionExport
+} from "./utils/index.js";
+import type { Pipeline } from "./pipelines/pipeline.js";
 
 export interface Dependency {
   unsafe: boolean;
@@ -85,6 +88,7 @@ export interface AstAnalyserOptions {
    * @default false
    */
   optionalWarnings?: boolean | Iterable<OptionalWarningName>;
+  pipelines?: Pipeline[];
 }
 
 export interface PrepareSourceOptions {
@@ -94,14 +98,17 @@ export interface PrepareSourceOptions {
 export class AstAnalyser {
   parser: SourceParser;
   probes: Probe[];
+  pipelines: Pipeline[] = [];
 
   constructor(options: AstAnalyserOptions = {}) {
     const {
       customProbes = [],
       optionalWarnings = false,
-      skipDefaultProbes = false
+      skipDefaultProbes = false,
+      pipelines = []
     } = options;
 
+    this.pipelines = pipelines;
     this.parser = options.customParser ?? new JsSourceParser();
 
     let probes = ProbeRunner.Defaults;
@@ -129,6 +136,24 @@ export class AstAnalyser {
     this.probes = probes;
   }
 
+  #runPipelines(
+    body: ESTree.Program["body"]
+  ): ESTree.Program["body"] {
+    const runnedPipelines = new Set<string>();
+    let updatedBody = body;
+
+    for (const pipeline of this.pipelines) {
+      if (runnedPipelines.has(pipeline.name)) {
+        continue;
+      }
+
+      updatedBody = pipeline.walk(updatedBody);
+      runnedPipelines.add(pipeline.name);
+    }
+
+    return updatedBody;
+  }
+
   analyse(
     str: string,
     options: RuntimeOptions = {}
@@ -144,6 +169,8 @@ export class AstAnalyser {
     const body = this.parser.parse(this.prepareSource(str, { removeHTMLComments }), {
       isEcmaScriptModule: Boolean(module)
     });
+
+    const updatedBody = this.#runPipelines(body);
     const source = new SourceFile();
     if (trojan.verify(str)) {
       source.warnings.push(
@@ -161,7 +188,7 @@ export class AstAnalyser {
     }
 
     // we walk each AST Nodes, this is a purely synchronous I/O
-    walkEnter(body, function walk(node) {
+    walkEnter(updatedBody, function walk(node) {
       // Skip the root of the AST.
       if (Array.isArray(node)) {
         return;

workspaces/js-x-ray/src/index.ts

@@ -3,3 +3,4 @@ export * from "./JsSourceParser.js";
 export * from "./AstAnalyser.js";
 export * from "./EntryFilesAnalyser.js";
 export * from "./SourceFile.js";
+export * from "./pipelines/index.js";

workspaces/js-x-ray/src/pipelines/deobfuscate.ts

@@ -0,0 +1,52 @@
+// Import Third-party Dependencies
+import type { ESTree } from "meriyah";
+import { match } from "ts-pattern";
+import { joinArrayExpression } from "@nodesecure/estree-ast-utils";
+
+// Import Internal Dependencies
+import { walkEnter } from "../walker/index.js";
+import { type Pipeline } from "./pipeline.js";
+
+export class Deobfuscate implements Pipeline {
+  name = "deobfuscate";
+
+  #withCallExpression(
+    node: ESTree.CallExpression
+  ): ESTree.Node | void {
+    const value = joinArrayExpression(node);
+    if (value !== null) {
+      return {
+        type: "Literal",
+        value,
+        raw: value
+      };
+    }
+
+    return void 0;
+  }
+
+  walk(body: ESTree.Program["body"]): ESTree.Program["body"] {
+    const self = this;
+    walkEnter(body, function walk(node): void {
+      if (Array.isArray(node)) {
+        return;
+      }
+
+      const replaceNode = (newNode: ESTree.Node | void) => {
+        if (newNode === undefined) {
+          return;
+        }
+        this.replace(newNode);
+        this.skip();
+      };
+
+      match(node)
+        .with({ type: "CallExpression" }, (node) => {
+          replaceNode(self.#withCallExpression(node));
+        })
+        .otherwise(() => void 0);
+    });
+
+    return body;
+  }
+}

workspaces/js-x-ray/src/pipelines/index.ts

@@ -0,0 +1,11 @@
+// Import Internal Dependencies
+import { Deobfuscate } from "./deobfuscate.js";
+import type { Pipeline } from "./pipeline.js";
+
+export const Pipelines = {
+  deobfuscate: Deobfuscate
+} as const;
+
+export type {
+  Pipeline
+};

workspaces/js-x-ray/src/pipelines/pipeline.ts

@@ -0,0 +1,10 @@
+// Import Third-party Dependencies
+import type { ESTree } from "meriyah";
+
+export interface Pipeline {
+  name: string;
+
+  walk(
+    body: ESTree.Program["body"]
+  ): ESTree.Program["body"];
+}

workspaces/js-x-ray/test/Pipelines.spec.ts

@@ -0,0 +1,85 @@
+// Import Node.js Dependencies
+import { describe, mock, test } from "node:test";
+import assert from "node:assert";
+
+// Import Internal Dependencies
+import {
+  AstAnalyser,
+  JsSourceParser,
+  Pipelines
+} from "../src/index.js";
+import {
+  getWarningKind
+} from "./utils/index.js";
+
+describe("AstAnalyser pipelines", () => {
+  test("should iterate once on the pipeline", () => {
+    const pipeline = {
+      name: "test-pipeline",
+      walk: mock.fn((body) => body)
+    };
+
+    const analyser = new AstAnalyser({
+      customParser: new JsSourceParser(),
+      pipelines: [
+        pipeline,
+        pipeline
+      ]
+    });
+
+    analyser.analyse(`return "Hello World";`);
+
+    assert.strictEqual(pipeline.walk.mock.callCount(), 1);
+    assert.deepEqual(
+      pipeline.walk.mock.calls[0].arguments[0],
+      [
+        {
+          type: "ReturnStatement",
+          argument: {
+            type: "Literal",
+            value: "Hello World",
+            raw: "\"Hello World\"",
+            loc: {
+              start: {
+                line: 1,
+                column: 7
+              },
+              end: {
+                line: 1,
+                column: 20
+              }
+            }
+          },
+          loc: {
+            start: {
+              line: 1,
+              column: 0
+            },
+            end: {
+              line: 1,
+              column: 21
+            }
+          }
+        }
+      ]
+    );
+  });
+
+  test("should find a shady-url by using the built-in deobfuscate pipeline", () => {
+    const analyser = new AstAnalyser({
+      customParser: new JsSourceParser(),
+      pipelines: [
+        new Pipelines.deobfuscate()
+      ]
+    });
+
+    const { warnings } = analyser.analyse(`
+      const URL = ["http://", ["77", "244", "210", "1"].join("."), "/script"].join("");
+    `);
+
+    assert.deepEqual(
+      getWarningKind(warnings),
+      ["shady-link"].sort()
+    );
+  });
+});