use super::*;
use crate::labels::{label_node, SanitizerDef, SinkDef, SourceDef};
pub fn default_label_set() -> LabelSet {
LabelSet {
sources: vec![
SourceDef { id: "process-env".into(), pattern: "process.env".into(), category: "credential".into() },
SourceDef { id: "process-argv".into(), pattern: "process.argv".into(), category: "cli".into() },
SourceDef { id: "process-stdin".into(), pattern: "process.stdin".into(), category: "cli".into() },
SourceDef { id: "process-platform".into(), pattern: "process.platform".into(), category: "system".into() },
SourceDef { id: "fs-read".into(), pattern: "fs.readFileSync".into(), category: "file".into() },
SourceDef { id: "fs-read2".into(), pattern: "fs.readFile".into(), category: "file".into() },
SourceDef { id: "fs-readdir".into(), pattern: "fs.readdirSync".into(), category: "file".into() },
SourceDef { id: "fs-readdir2".into(), pattern: "fs.readdir".into(), category: "file".into() },
SourceDef { id: "buffer-from".into(), pattern: "Buffer.from".into(), category: "buffer".into() },
SourceDef { id: "atob".into(), pattern: "atob".into(), category: "buffer".into() },
SourceDef { id: "btoa".into(), pattern: "btoa".into(), category: "buffer".into() },
SourceDef { id: "net-socket".into(), pattern: "net.Socket".into(), category: "network-input".into() },
SourceDef { id: "http-create-server".into(), pattern: "http.createServer".into(), category: "http".into() },
SourceDef { id: "https-create-server".into(), pattern: "https.createServer".into(), category: "http".into() },
SourceDef { id: "https-get-response".into(), pattern: "https.get".into(), category: "network-input".into() },
SourceDef { id: "http-get-response".into(), pattern: "http.get".into(), category: "network-input".into() },
SourceDef { id: "https-request-response".into(), pattern: "https.request".into(), category: "network-input".into() },
SourceDef { id: "http-request-response".into(), pattern: "http.request".into(), category: "network-input".into() },
SourceDef { id: "net-connect-response".into(), pattern: "net.connect".into(), category: "network-input".into() },
SourceDef { id: "request-body".into(), pattern: "request.body".into(), category: "http".into() },
SourceDef { id: "request-query".into(), pattern: "request.query".into(), category: "http".into() },
SourceDef { id: "request-params".into(), pattern: "request.params".into(), category: "http".into() },
SourceDef { id: "request-headers".into(), pattern: "request.headers".into(), category: "http".into() },
SourceDef { id: "request-cookies".into(), pattern: "request.cookies".into(), category: "http".into() },
SourceDef { id: "os-hostname".into(), pattern: "os.hostname".into(), category: "system".into() },
SourceDef { id: "os-userinfo".into(), pattern: "os.userInfo".into(), category: "system".into() },
SourceDef { id: "os-platform".into(), pattern: "os.platform".into(), category: "system".into() },
SourceDef { id: "os-networkinterfaces".into(), pattern: "os.networkInterfaces".into(), category: "system".into() },
SourceDef { id: "os-cpus".into(), pattern: "os.cpus".into(), category: "system".into() },
SourceDef { id: "crypto-random-bytes".into(), pattern: "crypto.randomBytes".into(), category: "crypto".into() },
SourceDef { id: "npm-preinstall".into(), pattern: "preinstall".into(), category: "npm-script".into() },
SourceDef { id: "npm-postinstall".into(), pattern: "postinstall".into(), category: "npm-script".into() },
SourceDef { id: "npm-install".into(), pattern: "install".into(), category: "npm-script".into() },
SourceDef { id: "file-npmrc".into(), pattern: ".npmrc".into(), category: "sensitive-file".into() },
SourceDef { id: "file-ssh-dir".into(), pattern: ".ssh/".into(), category: "sensitive-file".into() },
SourceDef { id: "file-wallet".into(), pattern: "wallet.dat".into(), category: "sensitive-file".into() },
SourceDef { id: "file-aws-creds".into(), pattern: ".aws/credentials".into(), category: "sensitive-file".into() },
SourceDef { id: "file-docker-config".into(), pattern: ".docker/config.json".into(), category: "sensitive-file".into() },
SourceDef { id: "file-kube-config".into(), pattern: ".kube/config".into(), category: "sensitive-file".into() },
SourceDef { id: "file-gitconfig".into(), pattern: ".gitconfig".into(), category: "sensitive-file".into() },
SourceDef { id: "file-bash-history".into(), pattern: ".bash_history".into(), category: "sensitive-file".into() },
SourceDef { id: "file-chrome-cookies".into(), pattern: "Cookies".into(), category: "sensitive-file".into() },
SourceDef { id: "file-chrome-login".into(), pattern: "Login Data".into(), category: "sensitive-file".into() },
SourceDef { id: "file-passwd".into(), pattern: "/etc/passwd".into(), category: "sensitive-file".into() },
SourceDef { id: "file-shadow".into(), pattern: "/etc/shadow".into(), category: "sensitive-file".into() },
SourceDef { id: "shell-curl".into(), pattern: "curl".into(), category: "shell".into() },
SourceDef { id: "shell-wget".into(), pattern: "wget".into(), category: "shell".into() },
SourceDef { id: "shell-xmrig".into(), pattern: "xmrig".into(), category: "shell".into() },
SourceDef { id: "shell-schtasks".into(), pattern: "schtasks".into(), category: "shell".into() },
SourceDef { id: "shell-reg-add".into(), pattern: "reg add".into(), category: "shell".into() },
SourceDef { id: "shell-powershell".into(), pattern: "powershell".into(), category: "shell".into() },
],
sinks: vec![
SinkDef { id: "eval".into(), pattern: "eval".into(), category: "exec".into() },
SinkDef { id: "function-ctor".into(), pattern: "Function".into(), category: "exec".into() },
SinkDef { id: "exec".into(), pattern: "child_process.exec".into(), category: "exec".into() },
SinkDef { id: "exec-sync".into(), pattern: "child_process.execSync".into(), category: "exec".into() },
SinkDef { id: "spawn".into(), pattern: "child_process.spawn".into(), category: "exec".into() },
SinkDef { id: "spawn-sync".into(), pattern: "child_process.spawnSync".into(), category: "exec".into() },
SinkDef { id: "exec-file".into(), pattern: "child_process.execFile".into(), category: "exec".into() },
SinkDef { id: "exec-file-sync".into(), pattern: "child_process.execFileSync".into(), category: "exec".into() },
SinkDef { id: "fork".into(), pattern: "child_process.fork".into(), category: "exec".into() },
SinkDef { id: "vm-run-in-new-context".into(), pattern: "vm.runInNewContext".into(), category: "exec".into() },
SinkDef { id: "vm-run-in-context".into(), pattern: "vm.runInThisContext".into(), category: "exec".into() },
SinkDef { id: "vm-script-run".into(), pattern: "vm.Script".into(), category: "exec".into() },
SinkDef { id: "set-timeout".into(), pattern: "setTimeout".into(), category: "exec".into() },
SinkDef { id: "set-interval".into(), pattern: "setInterval".into(), category: "exec".into() },
SinkDef { id: "set-immediate".into(), pattern: "setImmediate".into(), category: "exec".into() },
SinkDef { id: "process-next-tick".into(), pattern: "process.nextTick".into(), category: "exec".into() },
SinkDef { id: "module-resolve-filename".into(), pattern: "module._resolveFilename".into(), category: "exec".into() },
SinkDef { id: "fetch".into(), pattern: "fetch".into(), category: "network".into() },
SinkDef { id: "http-request".into(), pattern: "http.request".into(), category: "network".into() },
SinkDef { id: "https-request".into(), pattern: "https.request".into(), category: "network".into() },
SinkDef { id: "https-get".into(), pattern: "https.get".into(), category: "network".into() },
SinkDef { id: "http-get".into(), pattern: "http.get".into(), category: "network".into() },
SinkDef { id: "net-connect".into(), pattern: "net.connect".into(), category: "network".into() },
SinkDef { id: "net-create-connection".into(), pattern: "net.createConnection".into(), category: "network".into() },
SinkDef { id: "dns-lookup".into(), pattern: "dns.lookup".into(), category: "network".into() },
SinkDef { id: "dns-resolve".into(), pattern: "dns.resolve".into(), category: "network".into() },
SinkDef { id: "dns-resolve4".into(), pattern: "dns.resolve4".into(), category: "network".into() },
SinkDef { id: "dns-resolve6".into(), pattern: "dns.resolve6".into(), category: "network".into() },
SinkDef { id: "dns-resolveCname".into(), pattern: "dns.resolveCname".into(), category: "network".into() },
SinkDef { id: "dns-resolveMx".into(), pattern: "dns.resolveMx".into(), category: "network".into() },
SinkDef { id: "dns-resolveTxt".into(), pattern: "dns.resolveTxt".into(), category: "network".into() },
SinkDef { id: "dns-resolveNs".into(), pattern: "dns.resolveNs".into(), category: "network".into() },
SinkDef { id: "dns-resolveSrv".into(), pattern: "dns.resolveSrv".into(), category: "network".into() },
SinkDef { id: "websocket-send".into(), pattern: "WebSocket".into(), category: "network".into() },
SinkDef { id: "xmlhttprequest".into(), pattern: "XMLHttpRequest".into(), category: "network".into() },
SinkDef { id: "navigator-sendbeacon".into(), pattern: "navigator.sendBeacon".into(), category: "network".into() },
SinkDef { id: "net-create-server".into(), pattern: "net.createServer".into(), category: "network".into() },
SinkDef { id: "fs-write-file-sync".into(), pattern: "fs.writeFileSync".into(), category: "file".into() },
SinkDef { id: "fs-write-file".into(), pattern: "fs.writeFile".into(), category: "file".into() },
SinkDef { id: "fs-append-file".into(), pattern: "fs.appendFile".into(), category: "file".into() },
SinkDef { id: "fs-append-file-sync".into(), pattern: "fs.appendFileSync".into(), category: "file".into() },
SinkDef { id: "fs-create-write-stream".into(), pattern: "fs.createWriteStream".into(), category: "file".into() },
SinkDef { id: "fs-copy-file".into(), pattern: "fs.copyFile".into(), category: "file".into() },
SinkDef { id: "fs-rename".into(), pattern: "fs.rename".into(), category: "file".into() },
SinkDef { id: "shell-sh".into(), pattern: "shell:sh".into(), category: "exec".into() },
SinkDef { id: "shell-bash".into(), pattern: "shell:bash".into(), category: "exec".into() },
SinkDef { id: "shell-eval".into(), pattern: "shell:eval".into(), category: "exec".into() },
SinkDef { id: "shell-exec".into(), pattern: "shell:exec".into(), category: "exec".into() },
SinkDef { id: "sql-query".into(), pattern: "db.query".into(), category: "sql".into() },
SinkDef { id: "sql-raw".into(), pattern: "sequelize.query".into(), category: "sql".into() },
SinkDef { id: "sql-knex-raw".into(), pattern: "knex.raw".into(), category: "sql".into() },
SinkDef { id: "sql-exec".into(), pattern: "connection.execute".into(), category: "sql".into() },
SinkDef { id: "sql-pool-query".into(), pattern: "pool.query".into(), category: "sql".into() },
SinkDef { id: "xss-res-send".into(), pattern: "res.send".into(), category: "xss".into() },
SinkDef { id: "xss-res-write".into(), pattern: "res.write".into(), category: "xss".into() },
SinkDef { id: "xss-innerhtml".into(), pattern: "innerHTML".into(), category: "xss".into() },
SinkDef { id: "xss-document-write".into(), pattern: "document.write".into(), category: "xss".into() },
],
sanitizers: vec![
SanitizerDef { id: "parse-int".into(), pattern: "parseInt".into() },
SanitizerDef { id: "parse-float".into(), pattern: "parseFloat".into() },
SanitizerDef { id: "number-ctor".into(), pattern: "Number".into() },
SanitizerDef { id: "boolean-ctor".into(), pattern: "Boolean".into() },
SanitizerDef { id: "encode-uri-component".into(), pattern: "encodeURIComponent".into() },
SanitizerDef { id: "encode-uri".into(), pattern: "encodeURI".into() },
SanitizerDef { id: "escape".into(), pattern: "escape".into() },
SanitizerDef { id: "validator-escape".into(), pattern: "validator.escape".into() },
SanitizerDef { id: "validator-sanitize".into(), pattern: "validator.trim".into() },
SanitizerDef { id: "dompurify-sanitize".into(), pattern: "DOMPurify.sanitize".into() },
SanitizerDef { id: "xss".into(), pattern: "xss".into() },
SanitizerDef { id: "sanitize-html".into(), pattern: "sanitizeHtml".into() },
SanitizerDef { id: "he-encode".into(), pattern: "he.encode".into() },
SanitizerDef { id: "lodash-escape".into(), pattern: "_.escape".into() },
SanitizerDef { id: "console-log".into(), pattern: "console.log".into() },
SanitizerDef { id: "console-error".into(), pattern: "console.error".into() },
SanitizerDef { id: "console-warn".into(), pattern: "console.warn".into() },
SanitizerDef { id: "console-info".into(), pattern: "console.info".into() },
SanitizerDef { id: "console-debug".into(), pattern: "console.debug".into() },
SanitizerDef { id: "path-basename".into(), pattern: "path.basename".into() },
SanitizerDef { id: "path-normalize".into(), pattern: "path.normalize".into() },
SanitizerDef { id: "escape-html".into(), pattern: "escapeHtml".into() },
SanitizerDef { id: "entities-encode".into(), pattern: "entities.encode".into() },
],
}
}
pub(crate) fn apply_labels(graph: &mut TaintGraph, label_set: &LabelSet) {
let count = graph.node_count();
for id in 0..count as u32 {
if let Some(node) = graph.node(id) {
let label = label_node(label_set, &node.name)
.or_else(|| node.alias.as_deref().and_then(|alias| label_node(label_set, alias)));
if let Some(label) = label {
if let Some(n) = graph.node_mut(id) {
n.label = Some(label);
}
}
}
}
}