Test for obsfucation/identify obsfucation attempts

[tofumatt]

Currently we test for identifiers (#44), as the previous validator does. This leaves us open to obsfucation of restricted identifiers, eg:

var m = "m";
var o = "o";
var z = "z";
var idb = "IndexedDB";
var tricksterVariable = m + o + z + idb;
// Bad!
var myDatabase = window[tricksterVariable];

We need to statically analyse variable paths and find out their eventual values if they're used to dynamically call a function.

Failing this: we need to identify heuristics that we can use to say that obfuscation appears likely and alert the reviewer for closer manual inspection.

[magopian]

If there's a way to detect obfuscation (and minification!), and the validator returns a flag or something in the result, then that would help the backend tell the user he needs to either not minify/obfuscate, or at least attach the (unminified/unobfuscated) source code for reviewers.

[tofumatt]

Discussion on dev-js-tech-engine list, including mention of Caja: https://groups.google.com/forum/#!topic/mozilla.dev.tech.js-engine/qpALgoOftRw

[tofumatt]

I'm gonna close this as essentially way too big a project (people have done thesis papers on this and still concluded "it's really hard").