cs-au-dk / jelly

JavaScript/TypeScript static analyzer for call graph construction, library usage pattern matching, and vulnerability exposure analysis
MIT License

Feasibility of using jelly to detect data exfiltration (a type of taint tracking) #17

Closed marcgreen closed 5 months ago

marcgreen commented 5 months ago

First, thanks a ton for your research and open sourcing your code.

Do you think it's feasible to use jelly for a special case of taint tracking? I'm specifically looking to programmatically determine if some javascript code will read data from the filesystem (or from a particular application api; a known function call) and then send the data somewhere via a network call. Obviously I also need to track things like evaluating arbitrary code (this by itself would be enough of a flag to warrant a human in the loop; so I can just monitor the eval() set of functions I think) and execution of OS/shell commands (e.g. to make network calls that way), which I think also has a finite set of function calls I could monitor.

Would this "just" be a matter of adding support to track the function calls I'm interested in? Or do you see other obstacles in the way as well?

For a bit more context: I'm building a security tool that will lessen the burden for maintainers to review new open source code for data exfiltration that someone is trying to sneak in. The idea is to "snapshot" the call graph at a known-good point in time (after a one-time in-depth manual review), and then compare that against incoming PRs, and ping a human if the new call graph does potentially suspicious things.

Thanks in advance!

amoeller commented 5 months ago

That should be possible indeed - the kind of functionality you describe is under development at Coana which uses Jelly for JavaScript/TypeScript analysis.
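The snapshot-and-diff workflow sketched in the question, as an added example that is not part of this thread and not Jelly's or Coana's code. It assumes a simplified call-graph format (a list of caller/callee edges, with unresolved library callees named by module member such as `fs.readFileSync`); Jelly's own JSON output differs and would need a small adapter. The sensitive-callee lists, the `review` function and the two sample graphs are constructed for illustration.

```javascript
// Added example (not Jelly's code): diff a known-good call-graph snapshot against
// the graph after a PR, and flag (a) new edges into eval/child_process style
// callees and (b) functions that newly reach both a filesystem/app-data source
// and a network sink. Graph format is hypothetical: { edges: [[caller, callee], ...] }.

// Illustrative callee names; extend to whatever the analyzer resolves for the project.
const SOURCES = new Set(["fs.readFile", "fs.readFileSync", "fs.promises.readFile", "app.getSecrets"]);
const NET_SINKS = new Set(["https.request", "http.request", "fetch", "axios.post", "net.connect"]);
const DANGEROUS = new Set([
  "eval", "Function", "vm.runInThisContext",
  "child_process.exec", "child_process.execSync", "child_process.spawn",
]);

const edgeKey = ([caller, callee]) => `${caller} -> ${callee}`;

// Edges present in `candidate` but absent from `baseline`.
function newEdges(baseline, candidate) {
  const known = new Set(baseline.edges.map(edgeKey));
  return candidate.edges.filter((e) => !known.has(edgeKey(e)));
}

// Every function from which some member of `targets` is transitively called.
// Computed as a backwards BFS over the reversed graph, so cycles are handled.
function reachesAny(graph, targets) {
  const callersOf = new Map();
  for (const [caller, callee] of graph.edges) {
    if (!callersOf.has(callee)) callersOf.set(callee, []);
    callersOf.get(callee).push(caller);
  }
  const seen = new Set();
  const queue = [...targets].filter((t) => callersOf.has(t));
  while (queue.length > 0) {
    const node = queue.shift();
    for (const caller of callersOf.get(node) || []) {
      if (!seen.has(caller)) {
        seen.add(caller);
        queue.push(caller);
      }
    }
  }
  return seen;
}

// Functions that transitively reach both a source and a network sink. This is a
// call-graph over-approximation, not taint tracking: it says nothing about
// whether the read bytes actually flow into the send, so it needs a human in the loop.
function suspiciousFunctions(graph) {
  const readers = reachesAny(graph, SOURCES);
  const senders = reachesAny(graph, NET_SINKS);
  return new Set([...readers].filter((fn) => senders.has(fn)));
}

// Compare a PR's graph against the reviewed snapshot and report only what is new.
function review(baseline, candidate) {
  const added = newEdges(baseline, candidate);
  const findings = [];
  for (const [caller, callee] of added) {
    if (DANGEROUS.has(callee)) findings.push({ kind: "dangerous-call", fn: caller, callee });
  }
  const alreadyReviewed = suspiciousFunctions(baseline);
  for (const fn of suspiciousFunctions(candidate)) {
    if (!alreadyReviewed.has(fn)) findings.push({ kind: "read-then-send", fn });
  }
  return { added, findings };
}

// Constructed sample: the reviewed snapshot, and the graph after a hypothetical PR
// that makes report() read a file before sending and adds a postinstall shell call.
const BASELINE = {
  edges: [
    ["main", "loadConfig"],
    ["loadConfig", "fs.readFileSync"],
    ["main", "report"],
    ["report", "https.request"],
  ],
};
const AFTER_PR = {
  edges: [
    ...BASELINE.edges,
    ["report", "fs.readFileSync"],
    ["postinstall", "child_process.exec"],
  ],
};

console.log(JSON.stringify(review(BASELINE, AFTER_PR).findings, null, 2));
```

Note that `main` already reached both a read and a send in the snapshot (via `loadConfig` and `report`), so it is not re-reported; only `report`, which newly reaches a source, and the new `child_process.exec` edge surface. The diff is deliberately coarse: it will raise false positives for functions that merely orchestrate unrelated reads and sends, and it cannot see callees that the static call graph fails to resolve (dynamic property access, computed `require`, strings handed to `eval`), which is exactly why the human review step in the question is still needed.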