Hi there static analysis folks! I’m tofumatt, I'm working with Stuart Colville on the new add-ons validator, written in JS.
One of the things we’d like to improve in this validator is the ability to detect rule bypassing via code obfuscation. For example, mozIndexedDB is a deprecated identifier and that is easy to find with a custom ESLint rule. But if someone types: var badDB = ‘m’; badDB += ‘oz’ badDB = badDB + ‘IndexedDB’; var myDeprecatedDB = window[badDB]; The existing validator and our scans for an identifier with AST (using ESLint/ESPrima) don’t catch it. Are there any tools (especially JS ones!) that can be used to at least detect this kind of obfuscation? Without it the validator remains more an advisory/helpful tool than something we could use to automate security validation. Apologies if this is the wrong list; didn’t know exactly who to turn to for this (I’ve also asked security and spidermonkey folks). If I should check with someone specific, please let me know. Cheers, - tofumatt _______________________________________________ dev-static-analysis mailing list [email protected] https://lists.mozilla.org/listinfo/dev-static-analysis
