aegis-scan 0.3.0

Supply chain security CLI for npm — detect malicious packages before installing
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234

//! Lightweight comment stripping for JavaScript/TypeScript source lines.
//!
//! This module provides a state-machine that tracks multiline `/* ... */`
//! comment blocks across lines and strips single-line `//` comments while
//! respecting string literals (single-quoted, double-quoted, and template
//! literals).  It intentionally does **not** use a full parser — it only needs
//! to be correct enough to prevent commented-out code from triggering pattern
//! matches.

/// Persistent state that must be carried across lines within a single file.
#[derive(Clone, Debug, Default)]
pub struct CommentState {
    /// `true` while we are inside an open `/* ... */` block.
    pub in_block_comment: bool,
}

/// Strip comments from `line`, mutating `state` to track multiline blocks.
///
/// Returns the portion of the line that is *outside* any comment.  The returned
/// string may be empty (the entire line was inside a block comment) or shorter
/// than the original (trailing `//` comment removed, etc.).
///
/// Performance: single pass over the bytes of the line — no allocations when
/// the line contains no comments at all (returns a slice via `Cow` semantics,
/// though we use a simple `String` here for clarity).
pub fn strip_comments(line: &str, state: &mut CommentState) -> String {
    let bytes = line.as_bytes();
    let len = bytes.len();

    // Fast path: if we are NOT in a block comment and the line contains
    // neither '/' nor '*' it cannot start or contain any comment.
    if !state.in_block_comment && !bytes.contains(&b'/') && !bytes.contains(&b'*') {
        return line.to_string();
    }

    let mut result = String::with_capacity(len);
    let mut i = 0;

    while i < len {
        // --- inside a block comment: scan for closing */ ---
        if state.in_block_comment {
            if i + 1 < len && bytes[i] == b'*' && bytes[i + 1] == b'/' {
                state.in_block_comment = false;
                i += 2; // skip past */
            } else {
                i += 1;
            }
            continue;
        }

        let ch = bytes[i];

        // --- string literals: copy verbatim until the closing quote ---
        if ch == b'"' || ch == b'\'' || ch == b'`' {
            let quote = ch;
            result.push(ch as char);
            i += 1;
            while i < len {
                let c = bytes[i];
                result.push(c as char);
                if c == b'\\' {
                    // escaped character — copy next byte too
                    i += 1;
                    if i < len {
                        result.push(bytes[i] as char);
                    }
                } else if c == quote {
                    break;
                }
                i += 1;
            }
            i += 1;
            continue;
        }

        // --- possible comment start ---
        if ch == b'/' && i + 1 < len {
            let next = bytes[i + 1];
            if next == b'/' {
                // single-line comment — rest of line is a comment
                break;
            }
            if next == b'*' {
                // block comment starts
                state.in_block_comment = true;
                i += 2;
                continue;
            }
        }

        // --- regular character ---
        result.push(ch as char);
        i += 1;
    }

    result
}

// ---------------------------------------------------------------------------
// Tests
// ---------------------------------------------------------------------------

#[cfg(test)]
mod tests {
    use super::*;

    fn strip(line: &str) -> String {
        let mut state = CommentState::default();
        strip_comments(line, &mut state)
    }

    fn strip_multi(lines: &[&str]) -> Vec<String> {
        let mut state = CommentState::default();
        lines
            .iter()
            .map(|l| strip_comments(l, &mut state))
            .collect()
    }

    #[test]
    fn no_comment() {
        assert_eq!(strip("let x = 42;"), "let x = 42;");
    }

    #[test]
    fn single_line_comment() {
        assert_eq!(strip("let x = 1; // comment"), "let x = 1; ");
    }

    #[test]
    fn full_line_comment() {
        assert_eq!(strip("// this is a comment"), "");
    }

    #[test]
    fn inline_block_comment() {
        assert_eq!(strip("let x = /* hidden */ 1;"), "let x =  1;");
    }

    #[test]
    fn block_comment_to_end() {
        let mut state = CommentState::default();
        let r = strip_comments("let x = /* start", &mut state);
        assert_eq!(r, "let x = ");
        assert!(state.in_block_comment);
    }

    #[test]
    fn multiline_block_comment() {
        let results = strip_multi(&[
            "/* this is a",
            "   multiline comment",
            "   eval(dangerous) */",
            "let x = 1;",
        ]);
        assert_eq!(results[0], "");
        assert_eq!(results[1], "");
        assert_eq!(results[2], "");
        assert_eq!(results[3], "let x = 1;");
    }

    #[test]
    fn string_with_double_slash() {
        assert_eq!(
            strip(r#"let url = "http://example.com";"#),
            r#"let url = "http://example.com";"#
        );
    }

    #[test]
    fn string_with_block_comment_chars() {
        assert_eq!(
            strip(r#"let s = "/* not a comment */";"#),
            r#"let s = "/* not a comment */";"#
        );
    }

    #[test]
    fn single_quoted_string_with_comment() {
        assert_eq!(
            strip("let s = '// not a comment';"),
            "let s = '// not a comment';"
        );
    }

    #[test]
    fn template_literal_with_comment() {
        assert_eq!(
            strip("let s = `// not a comment`;"),
            "let s = `// not a comment`;"
        );
    }

    #[test]
    fn escaped_quote_in_string() {
        assert_eq!(
            strip(r#"let s = "he said \"// hi\""; // real comment"#),
            r#"let s = "he said \"// hi\""; "#
        );
    }

    #[test]
    fn hash_comment_not_stripped() {
        // We do not strip # comments — they are not JS comments.
        // The old is_comment_line checked for # but that is a shell thing;
        // in JS files # only appears in shebangs which are line 1.
        assert_eq!(strip("# this stays"), "# this stays");
    }

    #[test]
    fn block_comment_with_eval_inside() {
        let results = strip_multi(&[
            "/*",
            " * eval(something_dangerous)",
            " * new Function('bad')",
            " */",
            "console.log('safe');",
        ]);
        assert_eq!(results[0], "");
        assert_eq!(results[1], "");
        assert_eq!(results[2], "");
        assert_eq!(results[3], "");
        assert_eq!(results[4], "console.log('safe');");
    }

    #[test]
    fn regex_with_slash_not_confused() {
        // This is a tricky case. A regex like /foo/ looks like division.
        // We don't try to parse regexes — but this should at least not crash
        // or strip the line incorrectly.
        let r = strip("let re = /foo/;");
        assert_eq!(r, "let re = /foo/;");
    }
}