-
Notifications
You must be signed in to change notification settings - Fork 8
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
71 changed files
with
4,880 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,81 @@ | ||
| ### 1. Binary dependency detection | ||
| The binary file can't be used as a CommonJS module because it has a shebang (`#! /usr/bin/env node`) at the top, which is an invalid syntax for JavaScript. That is why they are not considered when building a dependency tree of the application. The application fails when it tries to run test binary such as `mocha` because Mininode removed required dependencies. | ||
| - Issue: #65 | ||
| - Commit: _still working on automatic_ | ||
|
|
||
| **Solution**: The idea behind the solution is to install devDependencies as global packages. In this way `mocha` or other executable JS files required for testing will not fail because Mininode will not reduce it. Additionally, because of executable JS files cannot be used as a required module we can remove them from node_modules folder _"safely"_. However, if executable JS files are called indirectly from modules using `child_processes`, our solution will break the application. | ||
|
|
||
| ### 2. Dynamic manipulation of the required module | ||
| Dynamic manipulation happens when the required module is passed to some *dynamic* function. The dynamic function is a function which is not defined inside the requested module. | ||
| ```JavaScript | ||
| var utils = require('utils'); | ||
| foo(utils); // we don't know what will happen inside foo function. | ||
| ``` | ||
|
|
||
| ### 3. Invisible child-parent exporting | ||
| Example: debug module. | ||
| ### 4. Monkey-patching / Extending the required module | ||
| Example: | ||
| ```JavaScript | ||
| // in malware.js | ||
| var express = require(express''); | ||
| express.get = function() { | ||
| // rewrite original get to any functionality | ||
| } | ||
| ``` | ||
| ### 5. Dynamically importing modules | ||
| When require is passed a variable. | ||
| ```JavaScript | ||
| var a = null; | ||
| if (b === 0) | ||
| a = 'bar' | ||
| else | ||
| a = 'foo' | ||
| const c = require(a) | ||
| ``` | ||
|
|
||
| ### 6. Overwriting/renaming the require function | ||
|
|
||
| ### 7. Cross-reference dependencies | ||
| ```JavaScript | ||
| // in index.js | ||
| var foo = require('foo'), bar = require('bar'); | ||
| foo.x() | ||
| bar.a() | ||
| // in foo.js | ||
| var bar = require('bar'); | ||
| exports.x = function(){} | ||
| exports.y = function(){} | ||
| // in bar.js | ||
| var foo = require('foo') | ||
| exports.a = function() {} | ||
| exports.b = function() { | ||
| foo.y() | ||
| } | ||
| ``` | ||
| ### 8. Re-assigning exports (module.exports) to another variable. | ||
| Example: | ||
| ```JavaScript | ||
| var es = exports, flatmap = require('flatmap-stream'); | ||
| es.flatmap = flatmap; | ||
| ``` | ||
| ### 9. Dynamically exporting functionality from module | ||
| There may be diffirent ways to dynamically export the functionality. | ||
| Example: | ||
| ```JavaScript | ||
| var member = 'foo'; | ||
| exports[member]; | ||
| ``` | ||
| ### 10. Requiring module globally | ||
| Example: | ||
| ```JavaScript | ||
| // inside a.js | ||
| let foo = require('foo'); | ||
| bar = require('bar'); // globally requiring | ||
| globalFoo = foo; // global variable | ||
| // inside b.js | ||
| bar.a(); // should detect this. | ||
| globalFoo.b() // should detect this | ||
| ``` | ||
|
|
||
| ### 11. Exporting using Object.defineProperty |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| Copyright (c) 2019, North Carolina State University | ||
| All rights reserved. | ||
|
|
||
| Redistribution and use in source and binary forms, with or without | ||
| modification, are permitted provided that the following conditions are met: | ||
|
|
||
| 1. Redistributions of source code must retain the above copyright notice, | ||
| this list of conditions and the following disclaimer. | ||
| 2. Redistributions in binary form must reproduce the above copyright | ||
| notice, this list of conditions and the following disclaimer in the | ||
| documentation and/or other materials provided with the distribution. | ||
| 3. Neither the name of North Carolina State University nor the names of its | ||
| contributors may be used to endorse or promote products derived from this | ||
| software without specific prior written permission. | ||
|
|
||
| THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | ||
| AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | ||
| IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | ||
| ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE | ||
| LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | ||
| CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | ||
| SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | ||
| INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | ||
| CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | ||
| ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | ||
| POSSIBILITY OF SUCH DAMAGE |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| # Mininode | ||
| Mininode is a CLI tool to reduce the attack surface of the Node.js applications by using static analysis. | ||
|
|
||
|
|
||
|
|
||
| ### Options | ||
| List of command line options that can be passed to mininode. | ||
|
|
||
| - `--dry-run`: just generates mininode.json without modifying the initial application. | ||
| - `--skip-stat`: skips calculating the statistics | ||
| - `--seeds`: seed files from where mininode will start building dependency graph. You can provide many seed files by separating them with colon. | ||
| - `--mode`: reduction mode. The value can be either `soft` or `hard`. In `soft` mode mininode will perform only coarse-grained reduction. While in `hard` mode mininode will perform fine-grained reduction. In general coarse-grained reduction is more reliable, because mininode will not try to reduce unused functions inside the module. Default value: `soft`. | ||
| - `--destination`: the path where mininode will save the reduced Node.js application. The default value: `mininode`. | ||
| - `--silent`: console output is disabled. This will improve the performance of the mininode. | ||
| - `--verbose`: outputs additional information to the console. The default value: `false` | ||
| - `--log`: mininode will generate log file inside, which contains dependency graph of the application in json format. The default value: `true`. | ||
| - `--log-output`: the name of the log file generated by mininode. The default value: `mininode.json`. | ||
| - `--compress-log`: compresses the final log file. By default it will dump everything into log file. In production it is advised to pass the `--compress-log` flag to save space. | ||
| - `--skip-reduction`: if passed mininode will not reduce the JavaScript files. The default value: `false`. | ||
| - `--skip-remove`: if passed mininode will not remove unused JavaScript files. The default value: `false`. | ||
|
|
||
| ### Contributing | ||
| [](https://github.com/Flet/semistandard) | ||
|
|
||
| We are following semistandard. | ||
|
|
Oops, something went wrong.