refactor(probe/isLiteral): implement a new ShadyURL class with ipaddr.js (#423)

* refactor(probe/isLiteral): implement a new ShadyURL class with ipaddr.js

* chore: remove duplicate .cd domain

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: fraxken

.changeset/sweet-cobras-carry.md

@@ -0,0 +1,5 @@
+---
+"@nodesecure/js-x-ray": minor
+---
+
+Implement a new ShadyURL class with ipaddr.js to detect malicious URL/ips

workspaces/js-x-ray/package.json

@@ -50,6 +50,7 @@
     "@nodesecure/tracer": "^3.0.0",
     "digraph-js": "2.2.4",
     "frequency-set": "^2.1.0",
+    "ipaddr.js": "2.2.0",
     "meriyah": "^6.0.0",
     "safe-regex": "^2.1.1",
     "ts-pattern": "^5.0.6"

workspaces/js-x-ray/src/ShadyURL.ts

@@ -0,0 +1,50 @@
+// Import Third-party Dependencies
+import ipaddress from "ipaddr.js";
+
+// CONSTANTS
+const kShadyLinkRegExps = [
+  /(http[s]?:\/\/(bit\.ly|ipinfo\.io|httpbin\.org|api\.ipify\.org).*)$/,
+  /(http[s]?:\/\/.*\.(link|xyz|tk|ml|ga|cf|gq|pw|top|club|mw|bd|ke|am|sbs|date|quest|cd|bid|ws|icu|cam|uno|email|stream))$/
+];
+
+export class ShadyURL {
+  static isSafe(
+    input: string
+  ): boolean {
+    if (!URL.canParse(input)) {
+      return true;
+    }
+
+    const parsedUrl = new URL(input);
+    const hostname = parsedUrl.hostname;
+    if (ipaddress.isValid(hostname)) {
+      if (this.#isPrivateIPAddress(hostname)) {
+        return true;
+      }
+    }
+
+    const scheme = parsedUrl.protocol.replace(":", "");
+    if (scheme !== "https") {
+      return false;
+    }
+
+    return kShadyLinkRegExps.every((regex) => !regex.test(input));
+  }
+
+  static #isPrivateIPAddress(
+    ipAddress: string
+  ): boolean {
+    let ip = ipaddress.parse(ipAddress);
+
+    if (ip instanceof ipaddress.IPv6 && ip.isIPv4MappedAddress()) {
+      ip = ip.toIPv4Address();
+    }
+
+    const range = ip.range();
+    if (range !== "unicast") {
+      return true;
+    }
+
+    return false;
+  }
+}

workspaces/js-x-ray/src/probes/isLiteral.ts

@@ -8,23 +8,11 @@ import type { ESTree } from "meriyah";
 // Import Internal Dependencies
 import { SourceFile } from "../SourceFile.js";
 import { generateWarning } from "../warnings.js";
+import { ShadyURL } from "../ShadyURL.js";
 import type { Literal } from "../types/estree.js";
 
-const kMapRegexIps = Object.freeze({
-  // eslint-disable-next-line @stylistic/max-len
-  regexIPv4: /^(https?:\/\/)(?!127\.)(?!.*:(?:0{1,3}|25[6-9])\.)(?!.*:(?:25[6-9])\.(?:0{1,3}|25[6-9])\.)(?!.*:(?:25[6-9])\.(?:25[6-9])\.(?:0{1,3}|25[6-9])\.)(?!.*:(?:25[6-9])\.(?:25[6-9])\.(?:25[6-9])\.(?:0{1,3}|25[6-9]))((?:\d{1,2}|1\d{2}|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d{2}|2[0-4]\d|25[0-5])(?::\d{1,5})?(\/[^\s]*)?$/,
-  regexIPv6: /^(https?:\/\/)(\[[0-9A-Fa-f:]+\])(?::\d{1,5})?(\/[^\s]*)?$/
-});
-
 // CONSTANTS
 const kNodeDeps = new Set(builtinModules);
-const kShadyLinkRegExps = [
-  kMapRegexIps.regexIPv4,
-  kMapRegexIps.regexIPv6,
-  /(http[s]?:\/\/(bit\.ly|ipinfo\.io|httpbin\.org|api\.ipify\.org).*)$/,
-  /(http[s]?:\/\/.*\.(link|xyz|tk|ml|ga|cf|gq|pw|top|club|mw|bd|ke|am|sbs|date|quest|cd|bid|cd|ws|icu|cam|uno|email|stream))$/
-];
-
 /**
  * @description Search for Literal AST Node
  * @see https://github.com/estree/estree/blob/master/es5.md#literal
@@ -67,16 +55,14 @@ function main(
   }
   // Else we are checking all other string with our suspect method
   else {
-    for (const regex of kShadyLinkRegExps) {
-      if (regex.test(node.value)) {
-        sourceFile.warnings.push(
-          generateWarning(
-            "shady-link", { value: node.value, location }
-          )
-        );
+    if (!ShadyURL.isSafe(node.value)) {
+      sourceFile.warnings.push(
+        generateWarning(
+          "shady-link", { value: node.value, location }
+        )
+      );
 
-        return;
-      }
+      return;
     }
 
     sourceFile.analyzeLiteral(node);

workspaces/js-x-ray/test/ShadyURL.spec.ts

@@ -0,0 +1,238 @@
+// Import Node.js Dependencies
+import { describe, it } from "node:test";
+import assert from "node:assert/strict";
+
+// Import Internal Dependencies
+import { ShadyURL } from "../src/ShadyURL.js";
+
+describe("ShadyURL.isSafe()", () => {
+  describe("when input is not a valid URL", () => {
+    it("should return true for an invalid URL", () => {
+      assert.equal(ShadyURL.isSafe("not-a-url"), true);
+    });
+
+    it("should return true for an empty string", () => {
+      assert.equal(ShadyURL.isSafe(""), true);
+    });
+
+    it("should return true for a malformed URL", () => {
+      assert.equal(ShadyURL.isSafe("http://"), true);
+    });
+  });
+
+  describe("when URL contains an IP address", () => {
+    describe("private IP addresses", () => {
+      it("should return true for localhost IPv4", () => {
+        assert.equal(ShadyURL.isSafe("https://127.0.0.1/path"), true);
+      });
+
+      it("should return true for private IPv4 (10.x.x.x)", () => {
+        assert.equal(ShadyURL.isSafe("https://10.0.0.1/path"), true);
+      });
+
+      it("should return true for private IPv4 (192.168.x.x)", () => {
+        assert.equal(ShadyURL.isSafe("https://192.168.1.1/path"), true);
+      });
+
+      it("should return true for private IPv4 (172.16.x.x)", () => {
+        assert.equal(ShadyURL.isSafe("https://172.16.0.1/path"), true);
+      });
+
+      it("should return true for IPv6 loopback address", () => {
+        assert.equal(ShadyURL.isSafe("https://[::1]/path"), true);
+      });
+
+      it("should return true for IPv4-mapped IPv6 private address", () => {
+        assert.equal(ShadyURL.isSafe("https://[::ffff:127.0.0.1]/path"), true);
+      });
+
+      it("should return true for IPv4-mapped IPv6 private address (192.168.x.x)", () => {
+        assert.equal(ShadyURL.isSafe("https://[::ffff:192.168.1.1]/path"), true);
+      });
+    });
+
+    describe("public IP addresses", () => {
+      it("should return false for public IPv4 with HTTP", () => {
+        assert.equal(ShadyURL.isSafe("http://8.8.8.8/path"), false);
+      });
+
+      it("should return true for public IPv4 with HTTPS", () => {
+        assert.equal(ShadyURL.isSafe("https://8.8.8.8/path"), true);
+      });
+
+      it("should return false for public IPv6 with HTTP", () => {
+        assert.equal(ShadyURL.isSafe("http://[2001:4860:4860::8888]/path"), false);
+      });
+
+      it("should return true for public IPv6 with HTTPS", () => {
+        assert.equal(ShadyURL.isSafe("https://[2001:4860:4860::8888]/path"), true);
+      });
+    });
+  });
+
+  describe("when URL scheme is not HTTPS", () => {
+    it("should return false for HTTP URL", () => {
+      assert.equal(ShadyURL.isSafe("http://example.com"), false);
+    });
+
+    it("should return false for FTP URL", () => {
+      assert.equal(ShadyURL.isSafe("ftp://example.com"), false);
+    });
+  });
+
+  describe("when URL matches shady link patterns", () => {
+    describe("known shady domains", () => {
+      it("should return false for bit.ly", () => {
+        assert.equal(ShadyURL.isSafe("https://bit.ly/abc123"), false);
+      });
+
+      it("should return false for ipinfo.io", () => {
+        assert.equal(ShadyURL.isSafe("https://ipinfo.io/json"), false);
+      });
+
+      it("should return false for httpbin.org", () => {
+        assert.equal(ShadyURL.isSafe("https://httpbin.org/get"), false);
+      });
+
+      it("should return false for api.ipify.org", () => {
+        assert.equal(ShadyURL.isSafe("https://api.ipify.org"), false);
+      });
+    });
+
+    describe("suspicious TLDs", () => {
+      it("should return false for .link TLD", () => {
+        assert.equal(ShadyURL.isSafe("https://malicious.link"), false);
+      });
+
+      it("should return false for .xyz TLD", () => {
+        assert.equal(ShadyURL.isSafe("https://malicious.xyz"), false);
+      });
+
+      it("should return false for .tk TLD", () => {
+        assert.equal(ShadyURL.isSafe("https://malicious.tk"), false);
+      });
+
+      it("should return false for .ml TLD", () => {
+        assert.equal(ShadyURL.isSafe("https://malicious.ml"), false);
+      });
+
+      it("should return false for .ga TLD", () => {
+        assert.equal(ShadyURL.isSafe("https://malicious.ga"), false);
+      });
+
+      it("should return false for .cf TLD", () => {
+        assert.equal(ShadyURL.isSafe("https://malicious.cf"), false);
+      });
+
+      it("should return false for .gq TLD", () => {
+        assert.equal(ShadyURL.isSafe("https://malicious.gq"), false);
+      });
+
+      it("should return false for .pw TLD", () => {
+        assert.equal(ShadyURL.isSafe("https://malicious.pw"), false);
+      });
+
+      it("should return false for .top TLD", () => {
+        assert.equal(ShadyURL.isSafe("https://malicious.top"), false);
+      });
+
+      it("should return false for .club TLD", () => {
+        assert.equal(ShadyURL.isSafe("https://malicious.club"), false);
+      });
+
+      it("should return false for .mw TLD", () => {
+        assert.equal(ShadyURL.isSafe("https://malicious.mw"), false);
+      });
+
+      it("should return false for .bd TLD", () => {
+        assert.equal(ShadyURL.isSafe("https://malicious.bd"), false);
+      });
+
+      it("should return false for .ke TLD", () => {
+        assert.equal(ShadyURL.isSafe("https://malicious.ke"), false);
+      });
+
+      it("should return false for .am TLD", () => {
+        assert.equal(ShadyURL.isSafe("https://malicious.am"), false);
+      });
+
+      it("should return false for .sbs TLD", () => {
+        assert.equal(ShadyURL.isSafe("https://malicious.sbs"), false);
+      });
+
+      it("should return false for .date TLD", () => {
+        assert.equal(ShadyURL.isSafe("https://malicious.date"), false);
+      });
+
+      it("should return false for .quest TLD", () => {
+        assert.equal(ShadyURL.isSafe("https://malicious.quest"), false);
+      });
+
+      it("should return false for .cd TLD", () => {
+        assert.equal(ShadyURL.isSafe("https://malicious.cd"), false);
+      });
+
+      it("should return false for .bid TLD", () => {
+        assert.equal(ShadyURL.isSafe("https://malicious.bid"), false);
+      });
+
+      it("should return false for .ws TLD", () => {
+        assert.equal(ShadyURL.isSafe("https://malicious.ws"), false);
+      });
+
+      it("should return false for .icu TLD", () => {
+        assert.equal(ShadyURL.isSafe("https://malicious.icu"), false);
+      });
+
+      it("should return false for .cam TLD", () => {
+        assert.equal(ShadyURL.isSafe("https://malicious.cam"), false);
+      });
+
+      it("should return false for .uno TLD", () => {
+        assert.equal(ShadyURL.isSafe("https://malicious.uno"), false);
+      });
+
+      it("should return false for .email TLD", () => {
+        assert.equal(ShadyURL.isSafe("https://malicious.email"), false);
+      });
+
+      it("should return false for .stream TLD", () => {
+        assert.equal(ShadyURL.isSafe("https://malicious.stream"), false);
+      });
+    });
+  });
+
+  describe("when URL is safe", () => {
+    it("should return true for a standard HTTPS URL", () => {
+      assert.equal(ShadyURL.isSafe("https://example.com"), true);
+    });
+
+    it("should return true for a HTTPS URL with path", () => {
+      assert.equal(ShadyURL.isSafe("https://example.com/path/to/resource"), true);
+    });
+
+    it("should return true for a HTTPS URL with query params", () => {
+      assert.equal(ShadyURL.isSafe("https://example.com?foo=bar"), true);
+    });
+
+    it("should return true for npm registry URL", () => {
+      assert.equal(ShadyURL.isSafe("https://registry.npmjs.org/package"), true);
+    });
+
+    it("should return true for GitHub URL", () => {
+      assert.equal(ShadyURL.isSafe("https://github.com/NodeSecure/js-x-ray"), true);
+    });
+
+    it("should return true for .com TLD", () => {
+      assert.equal(ShadyURL.isSafe("https://safe-website.com"), true);
+    });
+
+    it("should return true for .org TLD", () => {
+      assert.equal(ShadyURL.isSafe("https://safe-website.org"), true);
+    });
+
+    it("should return true for .io TLD (not in shady list)", () => {
+      assert.equal(ShadyURL.isSafe("https://safe-website.io"), true);
+    });
+  });
+});