Hey @NodeSecure!
We at @CybercentreCanada are loving all of the work that you've put into this tool!
A file that we came across recently in the wild has been causing JS-X-Ray to crash, unless we manually tweak the file content (CybercentreCanada/assemblyline-service-jsjaws#370). Obviously this is not ideal, and we would love to have the fix included in JS-X-Ray itself :)
I cannot share the entire file, but here is a screenshot of the initial HTML file:

and a screenshot of the extracted JavaScript that is sent to JS-X-Ray:

There is an opening HTML comment prior to the obfuscated code, and this is ignored when emulated in Node, but crashes the JS-X-Ray tool when the Meriyah library attempts to parse it. Here is the crash log:
```
file:///home/<userpath>/assemblyline-service-jsjaws/tools/node_modules/meriyah/dist/meriyah.esm.mjs:182
    throw new ParseError(parser.index, parser.line, parser.column, type, ...params);
          ^
ParseError [SyntaxError]: [1:4]: Unexpected token
    at report (file:///home/<userpath>/assemblyline-service-jsjaws/tools/node_modules/meriyah/dist/meriyah.esm.mjs:182:11)
    at skipSingleHTMLComment (file:///home/<userpath>/assemblyline-service-jsjaws/tools/node_modules/meriyah/dist/meriyah.esm.mjs:708:9)
    at scanSingleToken (file:///home/<userpath>/assemblyline-service-jsjaws/tools/node_modules/meriyah/dist/meriyah.esm.mjs:1825:41)
    at nextToken (file:///home/<userpath>/assemblyline-service-jsjaws/tools/node_modules/meriyah/dist/meriyah.esm.mjs:1736:20)
    at parseModuleItemList (file:///home/<userpath>/assemblyline-service-jsjaws/tools/node_modules/meriyah/dist/meriyah.esm.mjs:4836:5)
    at parseSource (file:///home/<userpath>/assemblyline-service-jsjaws/tools/node_modules/meriyah/dist/meriyah.esm.mjs:4789:16)
    at Module.parseScript (file:///home/<userpath>/assemblyline-service-jsjaws/tools/node_modules/meriyah/dist/meriyah.esm.mjs:8821:12)
    at parseScriptExtended (file:///home/<userpath>/assemblyline-service-jsjaws/tools/node_modules/@nodesecure/js-x-ray/index.js:92:30)
    at runASTAnalysis (file:///home/<userpath>/assemblyline-service-jsjaws/tools/node_modules/@nodesecure/js-x-ray/index.js:29:16)
    at file:///home/<userpath>/assemblyline-service-jsjaws/tools/js-x-ray-run.js:17:22 {
  index: 4,
  line: 1,
  column: 4,
  description: '[1:4]: Unexpected token',
  loc: { line: 1, column: 4 }
}
```
When this opening comment is removed, JS-X-Ray works great, parses the file and identifies it as being obfuscated with Obfuscator.io.
Is there any way that HTML comments (`<!--`) could be removed prior to parsing? We found that closing HTML comments (`-->`) also cause Meriyah to crash, so it would be amazing if they could be ignored / removed once sent to JS-X-Ray.
Let me know what you think!
Kevin
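
One way to do the pre-parse clean-up requested above, as an added example that is not part of the original issue and is not JS-X-Ray's or Meriyah's code. The helper name `neutralizeHtmlComments` and the sample script are assumptions; the helper rewrites line-leading `<!--` and `-->` into `//` comments of the same length, so parser offsets still map to the original file.

```javascript
// Added example: not JS-X-Ray or Meriyah code. neutralizeHtmlComments is a
// hypothetical helper name.
//
// ECMAScript Annex B.1.1 lets Script code treat "<!--" and a line-leading
// "-->" as single-line comment starts; the Module goal does not allow them.
// Rewriting the markers to "//" keeps the rest of the line a comment under
// either goal. Replacements keep the same length, so every index/line/column
// the parser reports still maps onto the original file.
//
// Limitation (assumption of this sketch): only markers at the start of a line
// (after spaces or tabs) are handled, so string literals containing "<!--"
// mid-line are left alone. A marker that starts a line inside a multi-line
// template literal would still be rewritten.
const LINE_BREAK = /(\r\n|\n|\r|\u2028|\u2029)/;
const OPEN_MARKER = /^([ \t]*)<!--/;
const CLOSE_MARKER = /^([ \t]*)-->/;

function neutralizeHtmlComments(source) {
  let replaced = 0;
  const code = source
    .split(LINE_BREAK) // the capture group keeps line terminators in the array
    .map((part) => {
      if (OPEN_MARKER.test(part)) {
        replaced += 1;
        return part.replace(OPEN_MARKER, "$1//--"); // 4 chars -> 4 chars
      }
      if (CLOSE_MARKER.test(part)) {
        replaced += 1;
        return part.replace(CLOSE_MARKER, "$1//>"); // 3 chars -> 3 chars
      }
      return part;
    })
    .join("");
  return { code, replaced };
}

// Constructed sample shaped like the extracted script described in the issue.
const sample = [
  "<!--",
  "var _0xabc = ['log', 'hello'];",
  "console[_0xabc[0]](_0xabc[1]);",
  "-->",
].join("\n");

const result = neutralizeHtmlComments(sample);
console.log(result.replaced, "marker(s) rewritten");
console.log(result.code); // hand result.code to the parser instead of sample
```

Keeping a copy of the untouched input alongside `result.code` lets an analysis pipeline record that markers were rewritten while still hashing and storing the original sample.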