master ← hmkklol:pr1/foundation-security-fixes
已打开 11:20PM - 24 Apr 26 UTC
hmkklol
+4787
-1937
## What Resubmitting the deobfuscation expansion in smaller PRs after the origi…nal got auto-closed for hitting the 150k diff char limit. Also rolls in the four issues Gemini Code Assist flagged on the original. This is PR 1/5: webcrack hardening + shared config/utils. The rest follow. ## The fixes **Sandbox escape via `node:vm` fallback** (`webcrack.ts`) We were falling back to `node:vm.createContext()` when `isolated-vm` wasn't available. That's not a sandbox — `this.constructor.constructor('return process')()` walks straight out. Killed the fallback. If `isolated-vm` is missing we log a warning and pass `sandbox: false` so webcrack skips eval-based string-array decoding. Don't process untrusted samples without isolated-vm installed. **Path traversal in `outputDir`** (`webcrack.ts`) `path.resolve(outputDir)` followed by `rm(savedTo, { recursive: true, force: true })` was effectively `rm -rf` on attacker-controlled input. Added a containment check (`startsWith(cwd + sep)`) plus a `realpath()` pass so a symlinked outputDir pointing outside cwd gets rejected. Non-existent paths are fine — there's nothing to symlink yet. ## What else is in here - `DeobfuscationConfig` — shared constants, timeout guards, input size limits - `DeobfuscationPipeline` — base pipeline orchestration - `ProApiClient` — JavaScript Obfuscator Pro API integration - Refreshed types, utils, config, logger, and CI workflow - Updated README with new deobfuscation capabilities ## Test plan - [ ] webcrack runs with `isolated-vm` installed and uses it - [ ] webcrack runs without `isolated-vm` and warns instead of falling back to vm - [ ] outputDir of `../foo` rejected - [ ] outputDir of `/etc/foo` rejected - [ ] outputDir that resolves through a symlink outside cwd rejected - [ ] outputDir inside cwd succeeds and saves artifacts - [ ] vitest green, oxlint clean Closes the four findings from the original PR's review thread. ## Summary by Sourcery Harden webcrack sandboxing and HTTP health endpoint, introduce a structured deobfuscation pipeline with optional Obfuscator.io Pro API integration, and tighten configuration, logging, and filesystem security across the project. New Features: - Add a configurable deobfuscation pipeline that chains unpacking, AST-based cleanup, and webcrack, with detailed step tracking and readability scoring. - Integrate optional Obfuscator.io Pro API support via ProApiClient, including CLI flags and env-based configuration for Pro features. - Extend deobfuscation capabilities with detection/handling of additional obfuscation types (e.g., base64/hex encoding, JSFuck, jsdecode, proxy/with obfuscation) and richer AST optimizations. - Add secure file utilities and logger file output support for writing logs and cache data with restrictive permissions. - Expose new validation config surface for runtime and transport tuning, including structured env validation and failure on invalid configuration. Bug Fixes: - Remove insecure node:vm fallback from webcrack sandbox usage and add path traversal/symlink escape protections for output directories. - Prevent HTTP health endpoint from leaking token budget details and gate verbose output behind auth and a query flag. - Handle malformed URLEncoding more safely in deobfuscation by downgrading specific URI errors to warnings instead of generic failures. Enhancements: - Broaden bundle support in webcrack and deobfuscation types to include vite, rollup, parcel and generic bundle identifiers. - Strengthen deobfuscator error reporting with structured JSON error payloads from AST and VM deobfuscation failures. - Improve config validation with stricter schemas for URLs, ports, API keys, numeric ranges, and path safety, and fail fast on invalid env. - Refine obfuscation detection and readability scoring heuristics for more nuanced analysis of input code. - Allow deobfuscators that use ExecutionSandbox to accept an injected sandbox instance for better testability and reuse. - Enhance HTTP transport with centralized security headers (except for health checks) and a slightly expanded health handler interface. - Update logger to support levelled file logging while redacting sensitive values and preserving MCP stdout semantics. Build: - Adjust dependencies to add deobfuscation-related tooling (AST, HTTP, DB, rate limiting) and dev utilities like nodemon, while updating some existing versions. CI: - Extend CI workflow with a security audit step using pnpm audit before running tests and linters. Documentation: - Document CLI and environment configuration for Obfuscator.io Pro API usage in the README, including examples for tokens and versions. Tests: - Add and update tests for config validation, logger file output, webcrack path handling, new obfuscation detectors, VM deobfuscator behavior, and Pro API client integration paths to keep coverage over new functionality.
不想多说啥了整个项目一窍不通提的pr比整个src都大回复我的评论也是纯ai写的
还有这个plan都没打勾你没看过吗
同样5个push全都是force-push我问问了lefthook我就是强制配置所有测试都要通过的覆盖率得达标才可以push非要强制push是连test都过不了吗
还有联系方式啥都能写是吧欢迎打爆7/24小时available的+1 (555) 123-4567
2 个帖子 - 2 位参与者