feat(probe/unsafe-command): detect uname command (#376)

* feat(probes): handle uname command in unsafe-command probe

Signed-off-by: Tony Gorez <[email protected]>

* test(probes): add truncated aog-checker payload

Signed-off-by: Tony Gorez <[email protected]>

* chore: add change set

Signed-off-by: Tony Gorez <[email protected]>

---------

Signed-off-by: Tony Gorez <[email protected]>

Author: tony-go

.changeset/dark-garlics-lay.md

@@ -0,0 +1,5 @@
+---
+"@nodesecure/js-x-ray": patch
+---
+
+Handle uname as unsafe-command

workspaces/js-x-ray/src/probes/isUnsafeCommand.ts

@@ -8,7 +8,7 @@ import { ProbeSignals } from "../ProbeRunner.js";
 import { isLiteral } from "../types/estree.js";
 
 // CONSTANTS
-const kUnsafeCommands = ["csrutil"];
+const kUnsafeCommands = ["csrutil", "uname"];
 
 function isUnsafeCommand(
   command: string

workspaces/js-x-ray/test/probes/isUnsafeCommand.spec.ts

@@ -89,3 +89,28 @@ test("should not detect non suspicious command", () => {
     assert.equal(sastAnalysis.warnings().length, 0);
   });
 });
+
+// Note: Until we can safely test with actual malware samples,
+// these tests uses a truncated snippet from a known malicious package.
+
+test("aog-checker detection", () => {
+  // Ref: https://socket.dev/npm/package/aog-checker/files/99.99.99/index.js
+  const maliciousCode = `
+	  const { execSync } = require("child_process");
+    // truncated ...
+    let uname = "";
+    try {
+      uname = execSync("uname -a").toString().trim();
+    } catch (e) {
+      uname = "N/A";
+    }
+  `;
+
+  const ast = parseScript(maliciousCode);
+  const sastAnalysis = getSastAnalysis(maliciousCode, isUnsafeCommand)
+    .execute(ast.body);
+
+  const result = sastAnalysis.getWarning(kWarningUnsafeCommand);
+  assert.equal(result.kind, kWarningUnsafeCommand);
+  assert.equal(result.value, "uname -a");
+});