Skip to content

feat(probes): add unsafe-command #327

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 24 commits into
base: master
Choose a base branch
from
Open

feat(probes): add unsafe-command #327

wants to merge 24 commits into from

Conversation

tony-go
Copy link
Member

@tony-go tony-go commented May 27, 2025
edited
Loading

I would like to introduce unsafe-command probe.

I had the idea earlier in the day reading a book on macOS malware where authors try to detect if SIP is enabled (csrutil).

I noticed a bunch of commands that could be suspicious if passed in spawn/exec.

I imaged something where we could have a bunch of specific commands we could mark as suspicious.

My concerns is "What about false positives?" Maybe we would like to have a probe that could take a list of commands and add warnings only for these cases.

@tony-go
feat(probes): add isUnsafeSpawn
101157f 
Signed-off-by: Tony Gorez <gorez.tony@gmail.com>
@fraxken
Copy link
Member

fraxken commented May 27, 2025

I don't worry much about false positive (we could still see in the real world if there is a lot or not). And CLI settings still propose to disable them (I think I will push to make experimental warning disable by default).

@fraxken
Copy link
Member

fraxken commented May 27, 2025

Opened an issue in CLI: NodeSecure/cli#493

fraxken
fraxken reviewed May 27, 2025
View reviewed changes
@fraxken fraxken mentioned this pull request Jun 2, 2025
Open
tony-go added 4 commits June 10, 2025 08:30
@tony-go
refactor(probes): add isUnsafeCommand helper
0f8a00b 
Signed-off-by: Tony Gorez <gorez.tony@gmail.com>
@tony-go
feat(probes): handle standalone spawn func
a9e7c1e 
Signed-off-by: Tony Gorez <gorez.tony@gmail.com>
@tony-go
test: add member
27a5848 
Signed-off-by: Tony Gorez <gorez.tony@gmail.com>
@tony-go
test: add last (missing) case
886827a 
Signed-off-by: Tony Gorez <gorez.tony@gmail.com>
@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Jun 10, 2025
edited
Loading

⚠️ No Changeset found

Latest commit: 38224e2

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

tony-go
tony-go commented Jun 10, 2025
View reviewed changes
fraxken
fraxken reviewed Jun 10, 2025
View reviewed changes
fraxken
fraxken reviewed Jun 10, 2025
View reviewed changes
tony-go added 3 commits June 12, 2025 21:49
@tony-go
test: remove child_process member test and skip hide one
3660cce 
Signed-off-by: Tony Gorez <gorez.tony@gmail.com>
@tony-go
Merge branch 'master' into is-unsafe-spawn
c3206e6
@tony-go
fix: lint
9db1db3 
Signed-off-by: Tony Gorez <gorez.tony@gmail.com>
@tony-go
Copy link
Member Author

tony-go commented Jun 13, 2025

Now let's update doc and readme

tony-go added 2 commits June 13, 2025 09:23
@tony-go
doc: add unsafe-spawn
2ede3c1 
Signed-off-by: Tony Gorez <gorez.tony@gmail.com>
@tony-go
doc: update readme
0a1502a 
Signed-off-by: Tony Gorez <gorez.tony@gmail.com>
@tony-go tony-go marked this pull request as ready for review June 13, 2025 07:28
@tony-go tony-go requested a review from fraxken June 13, 2025 07:28
fraxken
fraxken reviewed Jun 13, 2025
View reviewed changes
@fraxken fraxken requested a review from PierreDemailly June 13, 2025 09:39
fraxken
fraxken reviewed Jun 13, 2025
View reviewed changes
PierreDemailly
PierreDemailly reviewed Jun 13, 2025
View reviewed changes
@tony-go
Copy link
Member Author

tony-go commented Jun 13, 2025

@fraxken I propose a unsafe-command instead. WDYT? (that one would contain exec and spawn)

@fraxken
Copy link
Member

fraxken commented Jun 13, 2025

@fraxken I propose a unsafe-command instead. WDYT? (that one would contain exec and spawn)

Good for me

tony-go added 3 commits June 16, 2025 22:37
@tony-go
refactor(probes): switch to unsafe-command
37ecb5e 
Signed-off-by: Tony Gorez <gorez.tony@gmail.com>
@tony-go
fix: lint
7d9f597 
Signed-off-by: Tony Gorez <gorez.tony@gmail.com>
@tony-go
test(probes): switch assert to strict
656e4f7 
Signed-off-by: Tony Gorez <gorez.tony@gmail.com>
tony-go added 3 commits June 16, 2025 22:42
@tony-go
fix: add missing comment
2d78a19 
Signed-off-by: Tony Gorez <gorez.tony@gmail.com>
@tony-go
refactor(probes): simplify isUnsafeCommand helper
58e1e9a 
Signed-off-by: Tony Gorez <gorez.tony@gmail.com>
@tony-go
doc: fix path in readme
d677a79 
Signed-off-by: Tony Gorez <gorez.tony@gmail.com>
@tony-go
Copy link
Member Author

tony-go commented Jun 16, 2025

Now I'll add exec cases

@tony-go
test(probes): add exec cases
0265b77 
Signed-off-by: Tony Gorez <gorez.tony@gmail.com>
tony-go
tony-go commented Jun 16, 2025
View reviewed changes
tony-go
tony-go commented Jun 16, 2025
View reviewed changes
test/probes/isUnsafeCommand.spec.js
assert.equal(sastAnalysis.warnings().length, 0);
});

// Exec
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You'll realised that I copy paste the same cases. we could add both APIs (exec and spawn) for each cases. I just started with the simplest one :)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let me just know what do you prefer @fraxken I have no strong opinion.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm if tests are the same then you can probably do a for loop?

tony-go
tony-go commented Jun 16, 2025
View reviewed changes
@tony-go
fix: remove deps
b0975f3 
Signed-off-by: Tony Gorez <gorez.tony@gmail.com>
@tony-go tony-go changed the title feat(probes): add isUnsafeSpawn feat(probes): add unsafe-command Jun 16, 2025
@tony-go
fix(probes): rebuild full command for spawned case
08d05fb 
Signed-off-by: Tony Gorez <gorez.tony@gmail.com>
PierreDemailly
PierreDemailly approved these changes Jun 17, 2025
View reviewed changes
@tony-go
test: use strict assert
aa08db9 
and revert unrelated one

Signed-off-by: Tony Gorez <gorez.tony@gmail.com>
@fraxken
Copy link
Member

fraxken commented Jun 17, 2025

Do we also want to detect for synchronous methods? (such as execSync and spawnSync).

@tony-go
Copy link
Member Author

tony-go commented Jun 17, 2025

Do we also want to detect for synchronous methods? (such as execSync and spawnSync).

yeah 🚀 that's a great idea

tony-go added 4 commits June 18, 2025 09:20
@tony-go
feat(probes): add spawnSync and execSync to unsafe-command
f2284dd 
Signed-off-by: Tony Gorez <gorez.tony@gmail.com>
@tony-go
refactor(probes): add helper to detect func name
6312aed 
Signed-off-by: Tony Gorez <gorez.tony@gmail.com>
@tony-go
docs(probes): update for sync
1eb157c 
Signed-off-by: Tony Gorez <gorez.tony@gmail.com>
@tony-go
fix: lint
38224e2 
Signed-off-by: Tony Gorez <gorez.tony@gmail.com>
fraxken
fraxken reviewed Jun 18, 2025
View reviewed changes
test/probes/isUnsafeCommand.spec.js
assert.equal(sastAnalysis.warnings().length, 0);
});

// Exec
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm if tests are the same then you can probably do a for loop?

src/probes/isUnsafeCommand.js
return kUnsafeCommands.some((unsafeCommand) => command.includes(unsafeCommand));
}

function isSpwanOrExec(name) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
function isSpwanOrExec(name) {
function isSpawnOrExec(name) {

src/probes/isUnsafeCommand.js

let command = commandArg.value;
if (typeof command === "string" && isUnsafeCommand(command)) {
// Spwaned command arguments are filled into an Array
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// Spwaned command arguments are filled into an Array
// Spawned command arguments are filled into an Array

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fraxken fraxken fraxken left review comments

@PierreDemailly PierreDemailly PierreDemailly approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@tony-go @fraxken @PierreDemailly