API obfuscation rule and tests for npm (JS) #640
+250 −0
Hello Datadog Security Labs Team,
This PR introduces a new rule for GuardDog to catch API obfuscation techniques for JavaScript, covering the npm ecosystem in addition to PyPI (as done in my previous PR #607).
I received quite positive feedback regarding my research on API obfuscation for Python, so I decided to take some time during these holidays (the best time to slow down and catch up on things left behind, right? 😅) to extend my research to JS too.
I have also updated my api_obfuscation repo that contains additional information and test cases.
Last but not least, please note that I haven't yet tested this rule "in the wild" or against large datasets of malicious packages to evaluate the FPR and detection capabilities. I will try to perform this validation in the coming weeks, but the core logic is ready for review and it has been validated through several unit tests included in this PR.
Kind regards and happy new year! 🎆 🥳
Biagio