refactor(probe/isSerializeEnv): trace re-assignment of JSON.stringy & process.env (#369)

* refactor(probe/isSerializeEnv): trace re-assignment of JSON.stringy & process.env

* Update workspaces/js-x-ray/test/probes/isSerializeEnv.spec.ts

Co-authored-by: Tony Gorez <gorez.tony@gmail.com>

---------

Co-authored-by: Tony Gorez <gorez.tony@gmail.com>

Author: clemgbld

.changeset/clean-mails-search.md

@@ -0,0 +1,5 @@
+---
+"@nodesecure/js-x-ray": minor
+---
+
+refactor(probe/isSerializeEnv): trace re-assignment of JSON.stringy & process.env

workspaces/js-x-ray/src/probes/isSerializeEnv.ts

@@ -19,10 +19,17 @@ import { ProbeSignals } from "../ProbeRunner.js";
  * JSON.stringify(process[`env`])
  */
 function validateNode(
-  node: ESTree.Node
+  node: ESTree.Node,
+  { tracer }: SourceFile
 ): [boolean, any?] {
   const id = getCallExpressionIdentifier(node);
-  if (id !== "JSON.stringify") {
+
+  if (id === null) {
+    return [false];
+  }
+  const data = tracer.getDataFromIdentifier(id);
+
+  if (data === null || data.identifierOrMemberExpr !== "JSON.stringify") {
     return [false];
   }
 
@@ -39,6 +46,13 @@ function validateNode(
     }
   }
 
+  if (firstArg.type === "Identifier") {
+    const data = tracer.getDataFromIdentifier("process.env");
+    if (data !== null && data.assignmentMemory.includes(firstArg.name)) {
+      return [true];
+    }
+  }
+
   return [false];
 }
 
@@ -57,9 +71,18 @@ function main(
   return ProbeSignals.Skip;
 }
 
+function initialize(sourceFile: SourceFile) {
+  sourceFile.tracer.trace("process.env", {
+    followConsecutiveAssignment: true
+  }).trace("JSON.stringify", {
+    followConsecutiveAssignment: true
+  });
+}
+
 export default {
   name: "isSerializeEnv",
   validateNode,
+  initialize,
   main,
   breakOnMatch: false
 };

workspaces/js-x-ray/test/probes/isSerializeEnv.spec.ts

@@ -39,6 +39,47 @@ test("should detect JSON.stringify(process[\"env\"])", () => {
   assert.strictEqual(warning.value, "JSON.stringify(process.env)");
 });
 
+test("should detect process.env reassignment", () => {
+  const str = `
+  const env = process.env;
+  JSON.stringify(env);
+`;
+  const ast = parseScript(str);
+  const sastAnalysis = getSastAnalysis(str, isSerializeEnv).execute(ast.body);
+
+  assert.strictEqual(sastAnalysis.warnings().length, 1);
+  const warning = sastAnalysis.getWarning("serialize-environment");
+  assert.strictEqual(warning.kind, "serialize-environment");
+  assert.strictEqual(warning.value, "JSON.stringify(process.env)");
+});
+
+test("should not detect process.env", () => {
+  const str = `
+  const env = {};
+  const env2 = process.env;
+  JSON.stringify(env);
+`;
+  const ast = parseScript(str);
+  const sastAnalysis = getSastAnalysis(str, isSerializeEnv).execute(ast.body);
+
+  assert.strictEqual(sastAnalysis.warnings().length, 0);
+});
+
+test("should be able to detect reassigned JSON.stringify", () => {
+  const str = `
+  const stringify = JSON.stringify;
+  const env = process.env;
+  stringify(env);
+`;
+  const ast = parseScript(str);
+  const sastAnalysis = getSastAnalysis(str, isSerializeEnv).execute(ast.body);
+
+  assert.strictEqual(sastAnalysis.warnings().length, 1);
+  const warning = sastAnalysis.getWarning("serialize-environment");
+  assert.strictEqual(warning.kind, "serialize-environment");
+  assert.strictEqual(warning.value, "JSON.stringify(process.env)");
+});
+
 test("should not detect other JSON.stringify calls", () => {
   const str = "JSON.stringify({ foo: 'bar' })";
   const ast = parseScript(str);