feat: add shady-link warning

README.md

@@ -101,7 +101,8 @@ type WarningName = "parsing-error"
 | "suspicious-file"
 | "obfuscated-code"
 | "weak-crypto"
-| "unsafe-import";
+| "unsafe-import"
+| "shady-link";
 
 declare const warnings: Record<WarningName, {
   i18n: string;
@@ -137,6 +138,7 @@ This section describe all the possible warnings returned by JSXRay. Click on the
 | [suspicious-file](./docs/suspicious-file.md) | ✔️ | A suspicious file with more than ten encoded-literal in it |
 | [obfuscated-code](./docs/obfuscated-code.md) | ✔️ | There's a very high probability that the code is obfuscated. |
 | [weak-crypto](./docs/weak-crypto.md) | ✔️ | The code probably contains a weak crypto algorithm (md5, sha1...) |
+| [shady-link](./docs/shady-link.md) | ✔️ | The code contains shady/unsafe link |
 
 ## API
 

docs/shady-link.md

@@ -0,0 +1,16 @@
+# Shady link
+| Code | Severity | i18n | Experimental |
+| --- | --- | --- | :-: |
+| shady-link | `Warning` | `sast_warnings.shady_link` | ✔️ | 
+
+## Introduction
+
+Identify when a Literal (string) contains an URL to a domain with a suspicious extension.
+
+> **Note** credit goes to the [guarddog](https://github.dev/DataDog/guarddog) team.
+
+## Example
+
+```js
+const foo = "http://foo.xyz";
+```

src/probes/isLiteral.js

@@ -37,6 +37,9 @@ function main(node, options) {
       analysis.addWarning("encoded-literal", node.value, node.loc);
     }
   }
+  else if (/(http[s]?:\/\/.*\.(link|xyz|tk|ml|ga|cf|gq|pw|top|club|mw|bd|ke|am|sbs|date|quest|cd|bid|cd|ws|icu|cam|uno|email|stream))$/.test(node.value)) {
+    analysis.addWarning("shady-link", node.value, node.loc);
+  }
   // Else we are checking all other string with our suspect method
   else {
     analysis.analyzeLiteral(node);

src/warnings.js

@@ -45,6 +45,11 @@ export const warnings = Object.freeze({
     i18n: "sast_warnings.weak_crypto",
     severity: "Information",
     experimental: true
+  },
+  "shady-link": {
+    i18n: "sast_warnings.shady_link",
+    severity: "Warning",
+    experimental: true
   }
 });
 

test/probes/isLiteral.spec.js

@@ -86,3 +86,15 @@ test("should not throw any warnings without hexadecimal value (and should call a
 
   tape.end();
 });
+
+test("should detect shady link", (tape) => {
+  const str = "const foo = 'http://foobar.link'";
+  const ast = parseScript(str);
+  const sastAnalysis = getSastAnalysis(str, isLiteral).execute(ast.body);
+
+  tape.strictEqual(sastAnalysis.warnings().length, 1);
+  const warning = sastAnalysis.getWarning("shady-link");
+  tape.strictEqual(warning.value, "http://foobar.link");
+
+  tape.end();
+});

types/warnings.d.ts

@@ -15,7 +15,8 @@ type WarningNameWithValue = "parsing-error"
 | "suspicious-literal"
 | "suspicious-file"
 | "obfuscated-code"
-| "weak-crypto";
+| "weak-crypto"
+| "shady-link";
 type WarningName = WarningNameWithValue | "unsafe-import";
 
 type WarningLocation = [[number, number], [number, number]];