doc(warnings): add doc for perf

Author: clemgbld

README.md

@@ -36,6 +36,7 @@ Most of the time these hackers will try to hide the behaviour of their codes as
 - Highlight common attack patterns and API usages.
 - Capable to follow the usage of dangerous Node.js globals.
 - Detect obfuscated code and when possible the tool that has been used.
+- Detect potential performance issues.
 
 ## Getting Started
 
@@ -106,7 +107,8 @@ type WarningName = "parsing-error"
 | "weak-crypto"
 | "unsafe-import"
 | "unsafe-command"
-| "shady-link";
+| "shady-link"
+| "perf";
 
 declare const warnings: Record<WarningName, {
   i18n: string;
@@ -142,6 +144,7 @@ This section describe all the possible warnings returned by JSXRay. Click on the
 | [obfuscated-code](./docs/obfuscated-code.md) | ✔️ | There's a very high probability that the code is obfuscated. |
 | [weak-crypto](./docs/weak-crypto.md) | ❌ | The code probably contains a weak crypto algorithm (md5, sha1...) |
 | [shady-link](./docs/shady-link.md) | ❌ | The code contains shady/unsafe link |
+| [perf](./docs/perf.md) | ✔️ | The code probably contains performance issues. |
 
 ## Workspaces
 

docs/perf.md

@@ -0,0 +1,21 @@
+# Perf 
+
+| Code | Severity | i18n | Experimental |
+| --- | --- | --- | :-: |
+| perf | `Warning` | `sast_warnings.perf` | ✔️ |
+
+## Introduction
+
+An **experimental** warning capable of detecting potential performance issues.
+
+Such as of the synchronous API from Node.js core such as `fs` or `child_process` that can freeze the event loop. 
+
+[Node.js - Overview of Blocking vs Non-Blocking](https://nodejs.org/en/learn/asynchronous-work/overview-of-blocking-vs-non-blocking)
+
+## Example
+
+```js
+import fs from 'fs';
+
+const data = fs.readFileSync('/foo.txt'); 
+```

src/SourceFile.js

@@ -26,87 +26,113 @@ export class SourceFile {
     this.tracer = new VariableTracer()
       .enableDefaultTracing()
       .trace("crypto.createHash", {
-        followConsecutiveAssignment: true, 
+        followConsecutiveAssignment: true,
         moduleName: "crypto"
       }).trace("crypto.pbkdf2Sync", {
-        followConsecutiveAssignment: true ,
+        followConsecutiveAssignment: true,
         moduleName: "crypto"
-      }).trace("crypto.scryptSync", {
-        followConsecutiveAssignment: true, 
+      })
+      .trace("crypto.scryptSync", {
+        followConsecutiveAssignment: true,
         moduleName: "crypto"
-      }).trace("crypto.generateKeyPairSync", {
+      })
+      .trace("crypto.generateKeyPairSync", {
         followConsecutiveAssignment: true,
         moduleName: "crypto"
-      }).trace("fs.readFileSync", {
+      })
+      .trace("fs.readFileSync", {
         followConsecutiveAssignment: true,
         moduleName: "fs"
-      }).trace("fs.writeFileSync", {
+      })
+      .trace("fs.writeFileSync", {
         followConsecutiveAssignment: true,
         moduleName: "fs"
-      }).trace("fs.appendFileSync", {
+      })
+      .trace("fs.appendFileSync", {
         followConsecutiveAssignment: true,
         moduleName: "fs"
-      }).trace("fs.readSync", {
+      })
+      .trace("fs.readSync", {
         followConsecutiveAssignment: true,
         moduleName: "fs"
-      }).trace("fs.writeSync", {
+      })
+      .trace("fs.writeSync", {
         followConsecutiveAssignment: true,
         moduleName: "fs"
-      }).trace("fs.readdirSync", {
+      })
+      .trace("fs.readdirSync", {
         followConsecutiveAssignment: true,
         moduleName: "fs"
-      }).trace("fs.statSync", {
+      })
+      .trace("fs.statSync", {
         followConsecutiveAssignment: true,
         moduleName: "fs"
-      }).trace("fs.mkdirSync", {
+      })
+      .trace("fs.mkdirSync", {
         followConsecutiveAssignment: true,
         moduleName: "fs"
-      }).trace("fs.renameSync", {
+      })
+      .trace("fs.renameSync", {
         followConsecutiveAssignment: true,
         moduleName: "fs"
-      }).trace("fs.unlinkSync", {
+      })
+      .trace("fs.unlinkSync", {
         followConsecutiveAssignment: true,
         moduleName: "fs"
-      }).trace("fs.symlinkSync", {
+      })
+      .trace("fs.symlinkSync", {
         followConsecutiveAssignment: true,
         moduleName: "fs"
-      }).trace("fs.openSync", {
+      })
+      .trace("fs.openSync", {
         followConsecutiveAssignment: true,
         moduleName: "fs"
-      }).trace("fs.fstatSync", {
+      })
+      .trace("fs.fstatSync", {
         followConsecutiveAssignment: true,
         moduleName: "fs"
-      }).trace("fs.linkSync", {
+      })
+      .trace("fs.linkSync", {
         followConsecutiveAssignment: true,
         moduleName: "fs"
-      }).trace("fs.realpathSync", {
+      })
+      .trace("fs.realpathSync", {
         followConsecutiveAssignment: true,
         moduleName: "fs"
-      }).trace("child_process.execSync", {
+      })
+      .trace("child_process.execSync", {
         followConsecutiveAssignment: true,
         moduleName: "child_process"
-      }).trace("child_process.spawnSync", {
+      })
+      .trace("child_process.spawnSync", {
         followConsecutiveAssignment: true,
         moduleName: "child_process"
-      }).trace("child_process.execFileSync", {
+      })
+      .trace("child_process.execFileSync", {
         followConsecutiveAssignment: true,
         moduleName: "child_process"
-      }).trace("zlib.deflateSync", {
+      })
+      .trace("zlib.deflateSync", {
         followConsecutiveAssignment: true,
         moduleName: "zlib"
-      }).trace("zlib.inflateSync", {
+      })
+      .trace("zlib.inflateSync", {
         followConsecutiveAssignment: true,
         moduleName: "zlib"
-      }).trace("zlib.gzipSync", {
+      })
+      .trace("zlib.gzipSync", {
         followConsecutiveAssignment: true,
         moduleName: "zlib"
-      }).trace("zlib.gunzipSync", {
+      })
+      .trace("zlib.gunzipSync", {
         followConsecutiveAssignment: true,
         moduleName: "zlib"
-      }).trace("zlib.brotliCompressSync", {
+      })
+      .trace("zlib.brotliCompressSync", {
         followConsecutiveAssignment: true,
         moduleName: "zlib"
-      }).trace("zlib.brotliDecompressSync", {
+      })
+      .trace("zlib.brotliDecompressSync", {
         followConsecutiveAssignment: true,
         moduleName: "zlib"
       });

src/probes/isPerfConcern.js

@@ -2,7 +2,7 @@
 import { getCallExpressionIdentifier } from "@nodesecure/estree-ast-utils";
 
 // Constants
-const kModules = ['fs', 'crypto', 'child_process', 'zlib'];
+const kModules = ["fs", "crypto", "child_process", "zlib"];
 
 function validateNode(node, { tracer }) {
   const id = getCallExpressionIdentifier(node, { tracer });
@@ -16,12 +16,12 @@ function validateNode(node, { tracer }) {
 }
 
 function main(node, { sourceFile }) {
-    sourceFile.addWarning("perf", node.callee.name, node.loc);
+  sourceFile.addWarning("perf", node.callee.name, node.loc);
 }
 
 export default {
   name: "isPerfConcern",
   validateNode,
   main,
-  breakOnMatch: false 
+  breakOnMatch: false
 };

src/warnings.js

@@ -56,6 +56,11 @@ export const warnings = Object.freeze({
     i18n: "sast_warnings.unsafe-command",
     severity: "Warning",
     experimental: true
+  },
+  perf: {
+    i18n: "sast_warnings.perf",
+    severity: "Warning",
+    experimental: true
   }
 });
 

test/probes/isPerfConcern.spec.js

@@ -9,8 +9,7 @@ import { AstAnalyser } from "../../index.js";
 const FIXTURE_URL = new URL("fixtures/perfConcern/", import.meta.url);
 
 describe("isPerfConcern", () => {
-
-test("it should report a warning in case of *Sync(...params)` usage", async() => {
+  test("it should report a warning in case of *Sync(...params)` usage", async() => {
     const fixturesDir = new URL("directCallExpression/", FIXTURE_URL);
     const fixtureFiles = await fs.readdir(fixturesDir);
 
@@ -40,34 +39,32 @@ test("it should report a warning in case of *Sync(...params)` usage", async() =>
     }
   });
 
-  
-
   test("it should NOT report a warning when relevant module is not imported", () => {
     const codes = [`
     const fs = {
       readFileSync() {}
     }
     fs.readFileSync('foo.txt');
   `,
-  `
+    `
     const crypto = {
       generateKeyPairSync() {}
     }
     crypto.generateKeyPairSync('foo.txt');
   `,
-  `
+    `
     const child_process = {
       execSync() {}
     }
     child_process.execSync('ls -la');
   `,
-`
+    `
     const zlib = {
       gzipSync() {}
     }
     zlib.gzipSync(Buffer.from("text","utf-8"));
   `
-];
+    ];
     for (const code of codes) {
       const { warnings: outputWarnings } = new AstAnalyser().analyse(code);
       assert.strictEqual(outputWarnings.length, 0);