├── custom_sink.txt ├── custom_source.txt ├── custom_userinput.txt ├── .gitignore ├── client ├── js │ ├── go.js │ ├── coderoadservice.js │ ├── locationctrl.js │ ├── lib │ │ ├── utils.js │ │ ├── angular-route-1.2.13.min.js │ │ ├── localforage.min.js │ │ └── walk.js │ ├── main.js~ │ ├── main.js │ ├── scanworker.js │ ├── rulesctrl.js │ ├── build │ │ ├── test │ │ │ ├── dumper.coffee │ │ │ ├── controller.coffee │ │ │ └── traverse.coffee │ │ ├── execute.js │ │ └── graph │ │ │ └── dndTree.js │ ├── experimentctrl.js │ ├── scanservice.js │ └── coderoadctrl.js~ ├── img │ ├── Gear.png │ ├── glyphicons-halflings.png │ └── glyphicons-halflings-white.png ├── fonts │ ├── FontAwesome.otf │ ├── fontawesome-webfont.eot │ ├── fontawesome-webfont.ttf │ └── fontawesome-webfont.woff ├── partials │ ├── coderoad.html~ │ ├── rules.html │ ├── experiment.html │ ├── experiment.html~ │ └── scan.html ├── rules.readme.md ├── css │ ├── angular-csp.css │ ├── prettify.css │ ├── dashboard.css │ ├── app.css~ │ ├── c3.css │ ├── codemirror-mdn.css │ ├── codemirror.css │ └── app.css ├── index.html └── vectors │ ├── v1.txt │ ├── v4.txt │ └── v2.txt ├── App ├── reload.js └── a │ └── ajdsoijdgv │ └── time.js ├── LICENSE-scanjs ├── Copyright ├── scanjs_LICENSE ├── package.json ├── jsprime_LICENSE ├── jsprime_README.md └── scanjs_README.md ├── Examples Test Files └── time.js ├── server.js ├── package.json ├── LICENSE ├── LICENSE-jsprime ├── README.md ├── common ├── template_rules.json └── scan.js └── jspwn.js /custom_sink.txt: -------------------------------------------------------------------------------- 1 | test_sink -------------------------------------------------------------------------------- /custom_source.txt: -------------------------------------------------------------------------------- 1 | test_source -------------------------------------------------------------------------------- /custom_userinput.txt: -------------------------------------------------------------------------------- 1 | test_user_input -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | node_modules 2 | /nbproject/ 3 | *~ 4 | -------------------------------------------------------------------------------- /client/js/go.js: -------------------------------------------------------------------------------- 1 | document.write(''); 2 | -------------------------------------------------------------------------------- /client/img/Gear.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dvolvox/JSpwn/HEAD/client/img/Gear.png -------------------------------------------------------------------------------- /client/fonts/FontAwesome.otf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dvolvox/JSpwn/HEAD/client/fonts/FontAwesome.otf -------------------------------------------------------------------------------- /client/fonts/fontawesome-webfont.eot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dvolvox/JSpwn/HEAD/client/fonts/fontawesome-webfont.eot -------------------------------------------------------------------------------- /client/fonts/fontawesome-webfont.ttf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dvolvox/JSpwn/HEAD/client/fonts/fontawesome-webfont.ttf -------------------------------------------------------------------------------- /client/fonts/fontawesome-webfont.woff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dvolvox/JSpwn/HEAD/client/fonts/fontawesome-webfont.woff -------------------------------------------------------------------------------- /client/img/glyphicons-halflings.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dvolvox/JSpwn/HEAD/client/img/glyphicons-halflings.png -------------------------------------------------------------------------------- /client/img/glyphicons-halflings-white.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dvolvox/JSpwn/HEAD/client/img/glyphicons-halflings-white.png -------------------------------------------------------------------------------- /client/js/coderoadservice.js: -------------------------------------------------------------------------------- 1 | scanjsModule.factory('Data', ['$rootScope', '$http', function($rootScope, $http) { 2 | 3 | 4 | 5 | 6 | 7 | }]); -------------------------------------------------------------------------------- /client/partials/coderoad.html~: -------------------------------------------------------------------------------- 1 |
2 |

Hello {{getname()}}


3 |
4 |
5 | 6 | -------------------------------------------------------------------------------- /App/reload.js: -------------------------------------------------------------------------------- 1 | function reload() { 2 | var redir = location.hash.split("#")[1]; 3 | if (redir){ 4 | x = document.getElementsByTagName('iframe'); 5 | x[0].setAttribute('src',redir); 6 | }} -------------------------------------------------------------------------------- /LICENSE-scanjs: -------------------------------------------------------------------------------- 1 | This Source Code Form is subject to the terms of the Mozilla Public 2 | License, v. 2.0. If a copy of the MPL was not distributed with this 3 | file, You can obtain one at http://mozilla.org/MPL/2.0/. 4 | -------------------------------------------------------------------------------- /App/a/ajdsoijdgv/time.js: -------------------------------------------------------------------------------- 1 | function timedMsg(callback){ 2 | if(callback){ 3 | var t=setTimeout(eval('callback'),3000); 4 | return 0; 5 | }} 6 | function fire(){ 7 | var call = location.hash.split("#")[1]; 8 | timedMsg(call); 9 | } -------------------------------------------------------------------------------- /Copyright/scanjs_LICENSE: -------------------------------------------------------------------------------- 1 | This Source Code Form is subject to the terms of the Mozilla Public 2 | License, v. 2.0. If a copy of the MPL was not distributed with this 3 | file, You can obtain one at http://mozilla.org/MPL/2.0/. 4 | -------------------------------------------------------------------------------- /Examples Test Files/time.js: -------------------------------------------------------------------------------- 1 | function timedMsg(callback){ 2 | if(callback){ 3 | var t=setTimeout(eval('callback'),3000); 4 | return 0; 5 | }} 6 | function fire(){ 7 | var call = location.hash.split("#")[1]; 8 | timedMsg(call); 9 | } -------------------------------------------------------------------------------- /client/rules.readme.md: -------------------------------------------------------------------------------- 1 | Rules maintained here: 2 | https://docs.google.com/a/mozilla.com/spreadsheets/d/1T14mvMMAspnvhKXxPNRBiV0x6QKZsXr8_b7eXJvEf_A/edit?alt=json#gid=0 3 | 4 | Converted to JSON with http://shancarter.github.io/mr-data-converter/ 5 | 6 | -------------------------------------------------------------------------------- /client/js/locationctrl.js: -------------------------------------------------------------------------------- 1 | scanjsModule.controller('LocationCtrl', ['$scope', '$location', function LocationCtrl($scope, $location) { 2 | $scope.tabBtnClass = function (page) { 3 | var current = $location.path().substring(1) || 'scan'; 4 | //console.log("l", $location.hash(), "ls", $location.hash().substring(2)) 5 | return page === current ? 'active' : ''; 6 | } 7 | }]); -------------------------------------------------------------------------------- /client/css/angular-csp.css: -------------------------------------------------------------------------------- 1 | /* Include this file in your html if you are using the CSP mode. */ 2 | 3 | @charset "UTF-8"; 4 | 5 | [ng\:cloak], [ng-cloak], [data-ng-cloak], [x-ng-cloak], 6 | .ng-cloak, .x-ng-cloak, 7 | .ng-hide { 8 | display: none !important; 9 | } 10 | 11 | ng\:form { 12 | display: block; 13 | } 14 | 15 | .ng-animate-block-transitions { 16 | transition:0s all!important; 17 | -webkit-transition:0s all!important; 18 | } 19 | -------------------------------------------------------------------------------- /client/js/lib/utils.js: -------------------------------------------------------------------------------- 1 | 2 | //Array.find polyfill 3 | if (!Array.prototype.find) { 4 | Object.defineProperty(Array.prototype, 'find', { 5 | enumerable: false, 6 | configurable: false, 7 | writable: false, 8 | value: function(predicate) { 9 | for (var i=0; i < this.length; i++) { 10 | if (predicate(this[i], i, this)) { 11 | return this[i]; 12 | } 13 | } 14 | return void 0; 15 | } 16 | }); 17 | } -------------------------------------------------------------------------------- /server.js: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env node 2 | var static = require("node-static"); 3 | var file = new static.Server('.', { 4 | headers: { 5 | "Content-Security-Policy": "default-src 'self'; object-src 'none'; img-src 'self' data:; script-src 'self' 'unsafe-eval'", 6 | } 7 | }); 8 | 9 | const PORT = process.env.PORT || 4000; 10 | require ('http').createServer(function (req, res) { 11 | req.addListener('end', function () { 12 | file.serve(req, res); 13 | }).resume(); 14 | }).listen(PORT); 15 | 16 | console.log("> node-static is listening on http://127.0.0.1:"+PORT+"/client/#/scan"); 17 | -------------------------------------------------------------------------------- /client/js/main.js~: -------------------------------------------------------------------------------- 1 | var scanjsModule = angular.module('scanjs', ['ui.bootstrap', 'ngRoute']); 2 | 3 | scanjsModule.config(['$routeProvider', 4 | function($routeProvider) { 5 | $routeProvider. 6 | when('/scan', { 7 | templateUrl: 'partials/scan.html', 8 | controller: 'ScanCtrl' 9 | }). 10 | when('/rules', { 11 | templateUrl: 'partials/rules.html', 12 | controller: 'RuleListCtrl' 13 | }). 14 | when('/experiment', { 15 | templateUrl: 'partials/experiment.html', 16 | controller: 'ExperimentCtrl' 17 | }). 18 | otherwise({ 19 | redirectTo: '/scan' 20 | }); 21 | }]); -------------------------------------------------------------------------------- /client/css/prettify.css: -------------------------------------------------------------------------------- 1 | .pln{color:#000}@media screen{.str{color:#080}.kwd{color:#008}.com{color:#800}.typ{color:#606}.lit{color:#066}.pun,.opn,.clo{color:#660}.tag{color:#008}.atn{color:#606}.atv{color:#080}.dec,.var{color:#606}.fun{color:red}}@media print,projection{.str{color:#060}.kwd{color:#006;font-weight:bold}.com{color:#600;font-style:italic}.typ{color:#404;font-weight:bold}.lit{color:#044}.pun,.opn,.clo{color:#440}.tag{color:#006;font-weight:bold}.atn{color:#404}.atv{color:#060}}pre.prettyprint{padding:2px;border:1px solid #888}ol.linenums{margin-top:0;margin-bottom:0}li.L0,li.L1,li.L2,li.L3,li.L5,li.L6,li.L7,li.L8{list-style-type:none}li.L1,li.L3,li.L5,li.L7,li.L9{background:#eee} -------------------------------------------------------------------------------- /client/js/main.js: -------------------------------------------------------------------------------- 1 | var scanjsModule = angular.module('scanjs', ['ui.bootstrap', 'ngRoute']); 2 | 3 | scanjsModule.config(['$routeProvider', 4 | function($routeProvider) { 5 | $routeProvider. 6 | when('/scan', { 7 | templateUrl: 'partials/scan.html', 8 | controller: 'ScanCtrl' 9 | }). 10 | when('/rules', { 11 | templateUrl: 'partials/rules.html', 12 | controller: 'RuleListCtrl' 13 | }). 14 | when('/experiment', { 15 | templateUrl: 'partials/experiment.html', 16 | controller: 'ExperimentCtrl' 17 | }). 18 | otherwise({ 19 | redirectTo: '/scan/client' 20 | }); 21 | }]); 22 | -------------------------------------------------------------------------------- /Copyright/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "scanjs", 3 | "version": "0.0.2", 4 | "description": "Static analysis tool for javascript codebases", 5 | "main": "scanner.js", 6 | "bin": { 7 | "scanjs": "./scanner.js", 8 | "scanjs-server": "./server.js" 9 | }, 10 | "preferGlobal": true, 11 | "repository": { 12 | "type": "git", 13 | "url": "https://github.com/mozilla/scanjs.git" 14 | }, 15 | "keywords": [ 16 | "scanjs", 17 | "code-analysis", 18 | "javascript", 19 | "static-analysis" 20 | ], 21 | "author": "Paul Theriault, Frederik Braun, Rob Fletcher", 22 | "license": "MPL", 23 | "dependencies": { 24 | "acorn": "~0.3.0", 25 | "tern": "~0.5.0", 26 | "optimist": "~0.5.2", 27 | "jszip": "~2.2.0", 28 | "node-static": "~0.7.3", 29 | "js-beautify":"~1.4.2" 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "JSpwn", 3 | "version": "0.0.1", 4 | "description": "Static analysis tool for javascript codebases", 5 | "main": "scanner.js", 6 | "bin": { 7 | "scanjs": "./scanner.js", 8 | "scanjs-server": "./server.js" 9 | }, 10 | "preferGlobal": true, 11 | "repository": { 12 | "type": "git", 13 | "url": "https://github.com/Etraud123/JSpwn" 14 | }, 15 | "keywords": [ 16 | "scanjs", 17 | "code-analysis", 18 | "javascript", 19 | "static-analysis" 20 | ], 21 | "author": "Duarte Monteiro", 22 | "license": "MIT", 23 | "dependencies": { 24 | "acorn": "~0.3.0", 25 | "tern": "~0.5.0", 26 | "optimist": "~0.5.2", 27 | "jszip": "~2.2.0", 28 | "node-static": "~0.7.3", 29 | "js-beautify": "~1.4.2" 30 | }, 31 | "scripts": { 32 | "start": "node server.js" 33 | }, 34 | "bugs": { 35 | "url": "https://github.com/Etraud123/JSpwn/issues" 36 | }, 37 | "homepage": "https://github.com/Etraud123/JSpwn", 38 | "devDependencies": {} 39 | } 40 | -------------------------------------------------------------------------------- /client/js/scanworker.js: -------------------------------------------------------------------------------- 1 | /* this makes sure that console.log can be used, even if it is undefined. 2 | We won't see the message though, since this kind of postMessage isn't handled in scanservice.js */ 3 | if (typeof console === "undefined") { 4 | console = {}; 5 | console.log = function consoleShim(mesg) { 6 | postMessage({'type':'log', 'message': mesg}); 7 | } 8 | } 9 | 10 | importScripts('lib/acorn.js', 11 | 'lib/walk.js', 12 | 'lib/acorn_loose.js', 13 | '../../common/scan.js'); 14 | 15 | //load default rules 16 | //ScanJS.loadRulesFile("../../common/rules.json") 17 | 18 | onmessage = function (evt) { 19 | if (evt.data.call === 'scan') { 20 | var args = evt.data.arguments; 21 | var source = args[0]; 22 | var rules; 23 | 24 | var file = args[1]; 25 | var findings = ScanJS.scan(source,file); 26 | postMessage({"filename": file, "findings": findings}); 27 | } 28 | else if(evt.data.call === 'updateRules'){ 29 | console.log('scanworker.js: Loaded '+evt.data.rules.length+" rules.") 30 | ScanJS.loadRules(evt.data.rules) 31 | } 32 | }; 33 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | /* 2 | The MIT License (MIT) 3 | 4 | Copyright (c) 2014 Duarte Monteiro (duarteetraud@gmail.com) 5 | 6 | Permission is hereby granted, free of charge, to any person obtaining a copy of 7 | this software and associated documentation files (the "Software"), to deal in 8 | the Software without restriction, including without limitation the rights to 9 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of 10 | the Software, and to permit persons to whom the Software is furnished to do so, 11 | subject to the following conditions: 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 15 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS 16 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR 17 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 18 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 19 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 20 | */ -------------------------------------------------------------------------------- /LICENSE-jsprime: -------------------------------------------------------------------------------- 1 | /* 2 | The MIT License (MIT) 3 | 4 | Copyright (c) 2013 Nishant Das Patnaik (nishant.dp@gmail.com) 5 | Copyright (c) 2013 Sarathi Sabyasachi Sahoo (sarathisahoo@gmail.com) 6 | 7 | Permission is hereby granted, free of charge, to any person obtaining a copy of 8 | this software and associated documentation files (the "Software"), to deal in 9 | the Software without restriction, including without limitation the rights to 10 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of 11 | the Software, and to permit persons to whom the Software is furnished to do so, 12 | subject to the following conditions: 13 | 14 | The above copyright notice and this permission notice shall be included in all 15 | copies or substantial portions of the Software. 16 | 17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS 19 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR 20 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 21 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 23 | */ 24 | -------------------------------------------------------------------------------- /Copyright/jsprime_LICENSE: -------------------------------------------------------------------------------- 1 | /* 2 | The MIT License (MIT) 3 | 4 | Copyright (c) 2013 Nishant Das Patnaik (nishant.dp@gmail.com) 5 | Copyright (c) 2013 Sarathi Sabyasachi Sahoo (sarathisahoo@gmail.com) 6 | 7 | Permission is hereby granted, free of charge, to any person obtaining a copy of 8 | this software and associated documentation files (the "Software"), to deal in 9 | the Software without restriction, including without limitation the rights to 10 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of 11 | the Software, and to permit persons to whom the Software is furnished to do so, 12 | subject to the following conditions: 13 | 14 | The above copyright notice and this permission notice shall be included in all 15 | copies or substantial portions of the Software. 16 | 17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS 19 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR 20 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 21 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 23 | */ 24 | -------------------------------------------------------------------------------- /client/js/rulesctrl.js: -------------------------------------------------------------------------------- 1 | scanjsModule.controller('RuleListCtrl', ['$scope', 'ScanSvc', function RuleListCtrl($scope, ScanSvc) { 2 | $scope.rulesFile = "../common/rules.json"; 3 | $scope.rules = []; //JSON rules object 4 | 5 | document.getElementById("rule-file-input").addEventListener("change", function (evt) { 6 | $scope.handleFileUpload(this.files); 7 | }); 8 | 9 | function loadRulesFile(rulesFile) { 10 | //TODO rewrite with $http() 11 | var request = new XMLHttpRequest(); 12 | request.open('GET', rulesFile); 13 | 14 | request.onload = function () { 15 | if (request.status >= 200 && request.status < 400) { 16 | $scope.rules = JSON.parse(request.responseText); 17 | 18 | ScanSvc.loadRules($scope.rules); 19 | } else { 20 | console.log('Error loading ' + rules) 21 | } 22 | $scope.$apply(); 23 | }; 24 | 25 | request.onerror = function () { 26 | console.log('Connection error while loading ' + rulesFile) 27 | }; 28 | request.send(); 29 | } 30 | 31 | $scope.handleFileUpload = function handleFileUpload(fileList) { 32 | 33 | $scope.rulesFile = fileList[0].name; 34 | 35 | var reader = new FileReader(); 36 | reader.onload = function () { 37 | $scope.rules = JSON.parse(this.result); 38 | ScanSvc.loadRules($scope.rules); 39 | $scope.$apply(); 40 | } 41 | 42 | reader.readAsText(fileList[0]) 43 | }; 44 | 45 | loadRulesFile($scope.rulesFile); 46 | }]); 47 | -------------------------------------------------------------------------------- /client/partials/rules.html: -------------------------------------------------------------------------------- 1 |
2 |
3 |
4 | 5 | 6 |
7 |

Load new rules

8 | Load a JSON rules file to change rules: 9 | 10 |

Current rules

11 | Number of Rules: {{rules.length}} 12 |
13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 29 | 30 | 31 |
Rule NameRule DescriptionRule Definition
{{rule.name}}{{rule.desc}} 27 | 
{{rule.source}}
28 |
32 |
33 |
34 |
35 |
36 |
-------------------------------------------------------------------------------- /client/css/dashboard.css: -------------------------------------------------------------------------------- 1 | /* 2 | * Base structure 3 | */ 4 | 5 | /* Move down content because we have a fixed navbar that is 50px tall */ 6 | body { 7 | padding-top: 50px; 8 | } 9 | 10 | /* 11 | * Global add-ons 12 | */ 13 | 14 | .sub-header { 15 | padding-bottom: 10px; 16 | border-bottom: 1px solid #eee; 17 | } 18 | 19 | 20 | /* 21 | * Sidebar 22 | */ 23 | 24 | /* Hide for mobile, show later */ 25 | .sidebar { 26 | display: none; 27 | } 28 | @media (min-width: 768px) { 29 | .sidebar { 30 | position: fixed; 31 | top: 51px; 32 | bottom: 0; 33 | left: 0; 34 | z-index: 1000; 35 | display: block; 36 | padding: 20px; 37 | overflow-x: hidden; 38 | overflow-y: auto; /* Scrollable contents if viewport is shorter than content. */ 39 | background-color: #EAEFF2; 40 | border-right: 1px solid #eee; 41 | } 42 | } 43 | 44 | /* Sidebar navigation */ 45 | .nav-sidebar { 46 | margin-right: -21px; /* 20px padding + 1px border */ 47 | margin-bottom: 20px; 48 | margin-left: -20px; 49 | } 50 | .nav-sidebar > li > a { 51 | padding-right: 20px; 52 | padding-left: 20px; 53 | } 54 | .nav-sidebar > .active > a { 55 | color: #fff; 56 | background-color: #00539F; 57 | } 58 | 59 | 60 | /* 61 | * Main content 62 | */ 63 | 64 | .main { 65 | padding: 20px; 66 | } 67 | @media (min-width: 768px) { 68 | .main { 69 | padding-right: 40px; 70 | padding-left: 40px; 71 | } 72 | } 73 | .main .page-header { 74 | margin-top: 0; 75 | } 76 | 77 | 78 | /* 79 | * Placeholder dashboard ideas 80 | */ 81 | 82 | .placeholders { 83 | margin-bottom: 30px; 84 | text-align: center; 85 | } 86 | .placeholders h4 { 87 | margin-bottom: 0; 88 | } 89 | .placeholder { 90 | margin-bottom: 20px; 91 | } 92 | .placeholder img { 93 | display: inline-block; 94 | border-radius: 50%; 95 | } 96 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Copyright 2 | ===== 3 | 4 | Duarte Monteiro (etraud123) JSPwn 5 | 6 | Nishant Das Patnaik (nishant.dp@) JsPrime 7 | 8 | Paul Theriault (pauljt) Scanjs 9 | 10 | Introduction 11 | ===== 12 | 13 | This Application was built in a month under a Summer Internship at Blip.pt (BetFair). A special thanks to AppSec team @ blip.pt and Betfair for all the good feedback and ideas for future implementations. 14 | 15 | JSpwn 16 | ===== 17 | 18 | JavaScript Code Analysis 19 | 20 | JSPwn is a modified version of Scanjs + JSPrime. 21 | This tool allow the developers to detect Sinks And Sources of their Applications and find XSS vulnerabilities and DOM XSS (Beta). 22 | 23 | With the engine of ScanJS to detect vulnerabilities and the code flux feature of JSprime, this app has the compatibility of detect the vulnerabilities point and backtrack the code. 24 | 25 | Video: https://www.youtube.com/watch?v=RWE3852ubH0& 26 | 27 | Example 28 | ===== 29 | 30 | *GUI 31 | 32 | [1]$ cd jspwn-master 33 | 34 | [2]$ npm install 35 | 36 | [3]$ node server.js. 37 | 38 | Go to: http://localhost:4000/client/#/scan. 39 | 40 | Select File from folder. 41 | 42 | Enable REGEXP Custom. 43 | 44 | Press "Scan" 45 | 46 | *CLI 47 | 48 | Usage: $node jspwn.js -t [path/to/app] -j [for json output] 49 | 50 | 51 | Note: Output is automatic generated 52 | 53 | Custom Scanning 54 | ====== 55 | 56 | FOR WEB INTERFACE VERSION :: 57 | 58 | Source Array: Analyzer.js:26 59 | Sink Array: Analyzer.js:27 60 | 61 | Regex: scanctrl.js: 44/45/46 62 | 63 | User-Input-Validator: scanctrl.js:865 64 | 65 | Attack-vector: scanctrl.js:900 66 | 67 | FOR CLI VERSION :: 68 | 69 | Add -c argument for loading custom rules from file: 70 | 71 | custom_userinput.txt 72 | 73 | custom_source.txt 74 | 75 | custom_sink.txt 76 | 77 | Future Features 78 | ====== 79 | > Developing a browser extension for JSpwn 80 | -------------------------------------------------------------------------------- /client/js/build/test/dumper.coffee: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2013 Yusuke Suzuki 2 | # 3 | # Redistribution and use in source and binary forms, with or without 4 | # modification, are permitted provided that the following conditions are met: 5 | # 6 | # * Redistributions of source code must retain the above copyright 7 | # notice, this list of conditions and the following disclaimer. 8 | # * Redistributions in binary form must reproduce the above copyright 9 | # notice, this list of conditions and the following disclaimer in the 10 | # documentation and/or other materials provided with the distribution. 11 | # 12 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 13 | # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 14 | # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 15 | # ARE DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY 16 | # DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 17 | # (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 18 | # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 19 | # ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 20 | # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 21 | # THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 22 | 23 | 'use strict' 24 | 25 | estraverse = require '..' 26 | 27 | module.exports = class Dumper 28 | constructor: -> 29 | @logs = [] 30 | 31 | log: (str) -> 32 | @logs.push str 33 | 34 | result: -> 35 | @logs.join '\n' 36 | 37 | @dump: (tree) -> 38 | dumper = new Dumper 39 | 40 | estraverse.traverse tree, 41 | enter: (node) -> 42 | dumper.log("enter - #{node.type}") 43 | 44 | leave: (node) -> 45 | dumper.log("leave - #{node.type}") 46 | 47 | dumper.result() 48 | -------------------------------------------------------------------------------- /client/js/experimentctrl.js: -------------------------------------------------------------------------------- 1 | scanjsModule.controller('ExperimentCtrl', ['$scope', 'ScanSvc', function ExperimentCtrl($scope, ScanSvc) { 2 | if (!document.getElementById("experiment-mirror").children.length) { 3 | $scope.codeMirror = new CodeMirror(document.getElementById('experiment-mirror'), { 4 | mode: 'javascript', 5 | lineNumbers: true, 6 | theme: 'mdn-like', 7 | value: "bar.foo\nfoo=something\nbaz.bar=stuff\nfoo(something)\nfoo.bar\nfoo.bar()\neval(test)\nfoo.innerHTML=danger", 8 | tabsize: 2, 9 | styleActiveLine: true 10 | }); 11 | } 12 | $scope.results=[]; 13 | $scope.ready=false; 14 | $scope.rule="eval()" 15 | 16 | var ruleData={ 17 | "name": "manual rule", 18 | "source": $scope.rule, 19 | "testhit": $scope.rule, 20 | "testmiss": "", 21 | "desc": "Manual input.", 22 | "threat": "example" 23 | }; 24 | 25 | $scope.runScan = function () { 26 | $scope.results=[]; 27 | code = $scope.codeMirror.getValue(); 28 | ScanJS.loadRules(ScanSvc.rules); 29 | $scope.results=ScanJS.scan(code); 30 | $scope.lastScan=$scope.runScan; 31 | }; 32 | 33 | 34 | $scope.runManualScan = function () { 35 | ruleData.source=$scope.rule; 36 | ScanJS.loadRules([ruleData]); 37 | 38 | $scope.results=[]; 39 | code = $scope.codeMirror.getValue(); 40 | //put ast on global variable for debugging purposes. 41 | try{ 42 | window.ast=acorn.parse(code); 43 | }catch(e){ 44 | 45 | } 46 | //ScanJS.setResultCallback(found); 47 | $scope.results=ScanJS.scan(code); 48 | $scope.lastScan=$scope.runManualScan; 49 | }; 50 | 51 | $scope.showResult = function (filename,line, col) { 52 | document.querySelector("#code-mirror-wrapper").classList.toggle("hidden",false); 53 | $scope.codeMirror.setCursor(line - 1, col || 0); 54 | $scope.codeMirror.focus(); 55 | }; 56 | 57 | $scope.add_placeholder_char = function() { 58 | $scope.rule += '$_any'; 59 | } 60 | $scope.lastScan=$scope.runScan; 61 | 62 | }]); 63 | -------------------------------------------------------------------------------- /client/js/scanservice.js: -------------------------------------------------------------------------------- 1 | scanjsModule.factory('ScanSvc', ['$rootScope', '$http', function($rootScope, $http) { 2 | var ScanService = { 3 | //results:[], 4 | ready:false, 5 | rules:null, 6 | init:function(rules){ 7 | this.rules=rules; 8 | this.ready=true; 9 | }, 10 | newScan: function(file,source) { 11 | var fileName = file || 'inline'; 12 | this.scanWorker.postMessage({call: 'scan', arguments: [source, fileName]}); 13 | }, 14 | addResults: function(results) { 15 | $rootScope.$broadcast('NewResults', results); 16 | }, 17 | loadRules:function(ruleData){ 18 | this.rules=ruleData; 19 | this.scanWorker.postMessage({call: 'updateRules', rules: ruleData}); 20 | } 21 | }; 22 | ScanService.scanWorker = new Worker("js/scanworker.js"); 23 | ScanService.scanWorker.addEventListener("message", function (evt) { 24 | if (('findings' in evt.data) && ('filename' in evt.data)) { 25 | if (evt.data.findings.length > 0) { 26 | if (evt.data.findings[0].type == 'error') { 27 | $rootScope.$broadcast('ScanError', evt.data.findings[0]) 28 | return; 29 | } 30 | } 31 | ScanService.addResults(evt.data); 32 | } 33 | else if ('error' in evt.data) { 34 | // This is for errors in the worker, not in the scanning. 35 | // Exceptions (like SyntaxErrors) when scanning files 36 | // are in the findings. 37 | var exception = evt.data.error; 38 | if (e instanceof SyntaxError) { 39 | $rootScope.$broadcast('ScanError', {filename: evt.data.filename, name: exception.name, loc: exception.loc, message: exception.message }) 40 | } else { 41 | throw e; // keep throwing unexpected things. 42 | } 43 | } 44 | }); 45 | 46 | ScanService.scanWorker.onerror = function (e) { console.log('ScanWorker Error: ', e) }; 47 | 48 | $http({method: 'GET', url: "../common/rules.json"}). 49 | success(function(data, status, headers, config) { 50 | ScanService.loadRules(data); 51 | }); 52 | 53 | return ScanService; 54 | }]); 55 | -------------------------------------------------------------------------------- /client/partials/experiment.html: -------------------------------------------------------------------------------- 1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 | 10 | 11 | 12 | 13 | 14 |
15 |
16 |
17 | 18 |
19 |
20 |
21 |
22 |

23 | Results 24 |

25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 37 | 38 | 40 | 41 |
LineRuleSourceDescription of Issue
Line {{result.line}} 36 | {{result.rule.name }}{{result.rule.source }}{{result.rule.desc}} 39 |
42 |
43 |
44 | -------------------------------------------------------------------------------- /client/partials/experiment.html~: -------------------------------------------------------------------------------- 1 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 57 | 58 | 59 |
60 | 61 | -------------------------------------------------------------------------------- /Copyright/jsprime_README.md: -------------------------------------------------------------------------------- 1 | Authors 2 | ========= 3 | Nishant Das Patnaik (nishant.dp@) 4 | 5 | Sarathi Sabyasachi Sahoo (sarathisahoo@) 6 | 7 | Introduction 8 | =============== 9 | Today, more and more developers are switching to JavaScript as their first choice of language. The reason is simple JavaScript has now been started to be accepted as the mainstream programming for applications, be it on the web or on the mobile; be it on client-side, be it on the server side. JavaScript flexibility and its loose typing is friendly to developers to create rich applications at an unbelievable speed. Major advancements in the performance of JavaScript interpreters, in recent days, have almost eliminated the question of scalability and throughput from many organizations. So the point is JavaScript is now a really important and powerful language we have today and it's usage growing everyday. From client-side code in web applications it grew to server-side through Node.JS and it's now supported as proper language to write applications on major mobile operating system platforms like Windows 8 apps and the upcoming Firefox OS apps. 10 | 11 | But the problem is, many developers practice in-secure coding which leads to many clients side attacks, out of which DOM XSS is the most infamous. We tried to understand the root cause of this problem and figured out is that there are not enough practically usable tools that can solve real-world problems. Hence as our first attempt towards solving this problem, we want to talk about JSPrime: A javascript static analysis tool for the rest of us. It's a very light-weight and very easy to use point-and-click tool! The static analysis tool is based on the very popular Esprima ECMAScript parser by Aria Hidayat. 12 | 13 | I would like to highlight some of the interesting features of the tool below: 14 | 15 | JS Library Aware Source & Sinks 16 | 17 | Most dynamic or static analyzers are developed to support native/pure JavaScript which actually is a problem for most developers since the introductions and wide-adoption for JavaScript frameworks/libraries like jQuery, YUI etc. Since these scanners are designed to support pure JavaScript, they fail at understanding the context of the development due to the usage of libraries and produce many false-positives and false-negatives. To solve this we have identified the dangerous user input sources and code execution sink functions for jQuery and YUI, for the initial release and we shall talk about how users can easily extend it for other frameworks. 18 | 19 | Variable & Function Tracing (This feature is a part of our code flow analysis algorithm) 20 | 21 | Variable & Function Scope Aware analysis (This feature is a part of our code flow analysis algorithm) 22 | 23 | Known filter function aware 24 | 25 | OOP & Protoype Compliant 26 | 27 | Minimum False Positive alerts 28 | 29 | Supports minified javascript 30 | 31 | Blazing fast performance 32 | 33 | Point and Click :-) (my personal favorite) 34 | 35 | Upcoming features: 36 | 37 | Automatic code de-obfuscation & decompression through Hybrid Analysis (Ra.2 improvisation; http://code.google.com/p/ra2-dom-xss-scanner) 38 | 39 | ECMAScript family support (ActionScript 3, Node.JS, WinJS) 40 | 41 | Links 42 | ===== 43 | Test Cases Document URL: http://goo.gl/vf61Km 44 | 45 | Sources & Sinks Document URL: http://goo.gl/olzYM4 46 | 47 | BlackHat Slide: http://www.slideshare.net/nishantdp/jsprime-bhusa13new 48 | 49 | 50 | Usage 51 | ======= 52 | Web Client 53 | ---------- 54 | Open "index.html" in your browser. 55 | 56 | Server-Side (Node.JS) 57 | --------------------- 58 | 1. In the terminal type "node server.js" 59 | 2. Go to 127.0.0.1:8888 in your browser. 60 | 61 | -------------------------------------------------------------------------------- /client/css/c3.css: -------------------------------------------------------------------------------- 1 | /*-- Chart --*/ 2 | 3 | .c3 svg { 4 | font: 10px sans-serif; 5 | } 6 | .c3 path, .c3 line { 7 | fill: none; 8 | stroke: #000; 9 | } 10 | .c3 text { 11 | -webkit-user-select: none; 12 | -moz-user-select: none; 13 | user-select: none; 14 | } 15 | 16 | .c3-legend-item-tile, 17 | .c3-xgrid-focus, 18 | .c3-ygrid, 19 | .c3-event-rect, 20 | .c3-bars path { 21 | shape-rendering: crispEdges; 22 | } 23 | 24 | .c3-chart-arc path { 25 | stroke: #fff; 26 | 27 | } 28 | .c3-chart-arc text { 29 | fill: #fff; 30 | font-size: 13px; 31 | } 32 | 33 | /*-- Axis --*/ 34 | 35 | .c3-axis-x .tick { 36 | } 37 | .c3-axis-x-label { 38 | } 39 | 40 | .c3-axis-y .tick { 41 | } 42 | .c3-axis-y-label { 43 | } 44 | 45 | .c3-axis-y2 .tick { 46 | } 47 | .c3-axis-y2-label { 48 | } 49 | 50 | /*-- Grid --*/ 51 | 52 | .c3-grid line { 53 | stroke: #aaa; 54 | } 55 | .c3-grid text { 56 | fill: #aaa; 57 | } 58 | .c3-xgrid, .c3-ygrid { 59 | stroke-dasharray: 3 3; 60 | } 61 | .c3-xgrid-focus { 62 | } 63 | 64 | /*-- Text on Chart --*/ 65 | 66 | .c3-text { 67 | } 68 | 69 | .c3-text.c3-empty { 70 | fill: #808080; 71 | font-size: 2em; 72 | } 73 | 74 | /*-- Line --*/ 75 | 76 | .c3-line { 77 | stroke-width: 1px; 78 | } 79 | /*-- Point --*/ 80 | 81 | .c3-circle._expanded_ { 82 | stroke-width: 1px; 83 | stroke: white; 84 | } 85 | .c3-selected-circle { 86 | fill: white; 87 | stroke-width: 2px; 88 | } 89 | 90 | /*-- Bar --*/ 91 | 92 | .c3-bar { 93 | stroke-width: 0; 94 | } 95 | .c3-bar._expanded_ { 96 | fill-opacity: 0.75; 97 | } 98 | 99 | /*-- Arc --*/ 100 | 101 | .c3-chart-arcs-title { 102 | font-size: 1.3em; 103 | } 104 | 105 | /*-- Focus --*/ 106 | 107 | .c3-target.c3-focused path.c3-line, .c3-target.c3-focused path.c3-step { 108 | stroke-width: 2px; 109 | } 110 | 111 | /*-- Region --*/ 112 | 113 | .c3-region { 114 | fill: steelblue; 115 | fill-opacity: .1; 116 | } 117 | 118 | /*-- Brush --*/ 119 | 120 | .c3-brush .extent { 121 | fill-opacity: .1; 122 | } 123 | 124 | /*-- Select - Drag --*/ 125 | 126 | .c3-dragarea { 127 | } 128 | 129 | /*-- Legend --*/ 130 | 131 | .c3-legend-item { 132 | font-size: 12px; 133 | } 134 | 135 | .c3-legend-background { 136 | opacity: 0.75; 137 | fill: white; 138 | stroke: lightgray; 139 | stroke-width: 1 140 | } 141 | 142 | /*-- Tooltip --*/ 143 | 144 | .c3-tooltip { 145 | border-collapse:collapse; 146 | border-spacing:0; 147 | background-color:#fff; 148 | empty-cells:show; 149 | -webkit-box-shadow: 7px 7px 12px -9px rgb(119,119,119); 150 | -moz-box-shadow: 7px 7px 12px -9px rgb(119,119,119); 151 | box-shadow: 7px 7px 12px -9px rgb(119,119,119); 152 | opacity: 0.9; 153 | } 154 | .c3-tooltip tr { 155 | border:1px solid #CCC; 156 | } 157 | .c3-tooltip th { 158 | background-color: #aaa; 159 | font-size:14px; 160 | padding:2px 5px; 161 | text-align:left; 162 | color:#FFF; 163 | } 164 | .c3-tooltip td { 165 | font-size:13px; 166 | padding: 3px 6px; 167 | background-color:#fff; 168 | border-left:1px dotted #999; 169 | } 170 | .c3-tooltip td > span { 171 | display: inline-block; 172 | width: 10px; 173 | height: 10px; 174 | margin-right: 6px; 175 | } 176 | .c3-tooltip td.value{ 177 | text-align: right; 178 | } 179 | 180 | .c3-area { 181 | stroke-width: 0; 182 | opacity: 0.2; 183 | } 184 | 185 | .c3-chart-arcs .c3-chart-arcs-background { 186 | fill: #e0e0e0; 187 | stroke: none; 188 | } 189 | .c3-chart-arcs .c3-chart-arcs-gauge-unit { 190 | fill: #000; 191 | font-size: 16px; 192 | } 193 | .c3-chart-arcs .c3-chart-arcs-gauge-max { 194 | fill: #777; 195 | } 196 | .c3-chart-arcs .c3-chart-arcs-gauge-min { 197 | fill: #777; 198 | } 199 | 200 | .c3-chart-arc .c3-gauge-value { 201 | fill: #000; 202 | font-size: 28px; 203 | } 204 | -------------------------------------------------------------------------------- /client/js/lib/angular-route-1.2.13.min.js: -------------------------------------------------------------------------------- 1 | /* 2 | AngularJS v1.2.13 3 | (c) 2010-2014 Google, Inc. http://angularjs.org 4 | License: MIT 5 | */ 6 | (function(h,e,A){'use strict';function u(w,q,k){return{restrict:"ECA",terminal:!0,priority:400,transclude:"element",link:function(a,c,b,f,n){function y(){l&&(l.$destroy(),l=null);g&&(k.leave(g),g=null)}function v(){var b=w.current&&w.current.locals;if(e.isDefined(b&&b.$template)){var b=a.$new(),f=w.current;g=n(b,function(d){k.enter(d,null,g||c,function(){!e.isDefined(t)||t&&!a.$eval(t)||q()});y()});l=f.scope=b;l.$emit("$viewContentLoaded");l.$eval(h)}else y()}var l,g,t=b.autoscroll,h=b.onload||""; 7 | a.$on("$routeChangeSuccess",v);v()}}}function z(e,h,k){return{restrict:"ECA",priority:-400,link:function(a,c){var b=k.current,f=b.locals;c.html(f.$template);var n=e(c.contents());b.controller&&(f.$scope=a,f=h(b.controller,f),b.controllerAs&&(a[b.controllerAs]=f),c.data("$ngControllerController",f),c.children().data("$ngControllerController",f));n(a)}}}h=e.module("ngRoute",["ng"]).provider("$route",function(){function h(a,c){return e.extend(new (e.extend(function(){},{prototype:a})),c)}function q(a, 8 | e){var b=e.caseInsensitiveMatch,f={originalPath:a,regexp:a},h=f.keys=[];a=a.replace(/([().])/g,"\\$1").replace(/(\/)?:(\w+)([\?\*])?/g,function(a,e,b,c){a="?"===c?c:null;c="*"===c?c:null;h.push({name:b,optional:!!a});e=e||"";return""+(a?"":e)+"(?:"+(a?e:"")+(c&&"(.+?)"||"([^/]+)")+(a||"")+")"+(a||"")}).replace(/([\/$\*])/g,"\\$1");f.regexp=RegExp("^"+a+"$",b?"i":"");return f}var k={};this.when=function(a,c){k[a]=e.extend({reloadOnSearch:!0},c,a&&q(a,c));if(a){var b="/"==a[a.length-1]?a.substr(0,a.length- 9 | 1):a+"/";k[b]=e.extend({redirectTo:a},q(b,c))}return this};this.otherwise=function(a){this.when(null,a);return this};this.$get=["$rootScope","$location","$routeParams","$q","$injector","$http","$templateCache","$sce",function(a,c,b,f,n,q,v,l){function g(){var d=t(),m=r.current;if(d&&m&&d.$$route===m.$$route&&e.equals(d.pathParams,m.pathParams)&&!d.reloadOnSearch&&!x)m.params=d.params,e.copy(m.params,b),a.$broadcast("$routeUpdate",m);else if(d||m)x=!1,a.$broadcast("$routeChangeStart",d,m),(r.current= 10 | d)&&d.redirectTo&&(e.isString(d.redirectTo)?c.path(u(d.redirectTo,d.params)).search(d.params).replace():c.url(d.redirectTo(d.pathParams,c.path(),c.search())).replace()),f.when(d).then(function(){if(d){var a=e.extend({},d.resolve),c,b;e.forEach(a,function(d,c){a[c]=e.isString(d)?n.get(d):n.invoke(d)});e.isDefined(c=d.template)?e.isFunction(c)&&(c=c(d.params)):e.isDefined(b=d.templateUrl)&&(e.isFunction(b)&&(b=b(d.params)),b=l.getTrustedResourceUrl(b),e.isDefined(b)&&(d.loadedTemplateUrl=b,c=q.get(b, 11 | {cache:v}).then(function(a){return a.data})));e.isDefined(c)&&(a.$template=c);return f.all(a)}}).then(function(c){d==r.current&&(d&&(d.locals=c,e.copy(d.params,b)),a.$broadcast("$routeChangeSuccess",d,m))},function(c){d==r.current&&a.$broadcast("$routeChangeError",d,m,c)})}function t(){var a,b;e.forEach(k,function(f,k){var p;if(p=!b){var s=c.path();p=f.keys;var l={};if(f.regexp)if(s=f.regexp.exec(s)){for(var g=1,q=s.length;g 4 | Report bugs/issues here: https://github.com/marijnh/CodeMirror/issues 5 | GitHub: @peterkroon 6 | 7 | The mdn-like theme is inspired on the displayed code examples at: https://developer.mozilla.org/en-US/docs/Web/CSS/animation 8 | 9 | */ 10 | .cm-s-mdn-like.CodeMirror { color: #999; font-family: monospace; background-color: #fff; } 11 | .cm-s-mdn-like .CodeMirror-selected { background: #cfc !important; } 12 | 13 | .cm-s-mdn-like .CodeMirror-gutters { background: #f8f8f8; border-left: 6px solid rgba(0,83,159,0.65); color: #333; } 14 | .cm-s-mdn-like .CodeMirror-linenumber { color: #aaa; margin-left: 3px; } 15 | div.cm-s-mdn-like .CodeMirror-cursor { border-left: 2px solid #222; } 16 | 17 | .cm-s-mdn-like .cm-keyword { color: #6262FF; } 18 | .cm-s-mdn-like .cm-atom { color: #F90; } 19 | .cm-s-mdn-like .cm-number { color: #ca7841; } 20 | .cm-s-mdn-like .cm-def { color: #8DA6CE; } 21 | .cm-s-mdn-like span.cm-variable-2, .cm-s-mdn-like span.cm-tag { color: #690; } 22 | .cm-s-mdn-like span.cm-variable-3, .cm-s-mdn-like span.cm-def { color: #07a; } 23 | 24 | .cm-s-mdn-like .cm-variable { color: #07a; } 25 | .cm-s-mdn-like .cm-property { color: #905; } 26 | .cm-s-mdn-like .cm-qualifier { color: #690; } 27 | 28 | .cm-s-mdn-like .cm-operator { color: #cda869; } 29 | .cm-s-mdn-like .cm-comment { color:#777; font-weight:normal; } 30 | .cm-s-mdn-like .cm-string { color:#07a; font-style:italic; } 31 | .cm-s-mdn-like .cm-string-2 { color:#bd6b18; } /*?*/ 32 | .cm-s-mdn-like .cm-meta { color: #000; } /*?*/ 33 | .cm-s-mdn-like .cm-builtin { color: #9B7536; } /*?*/ 34 | .cm-s-mdn-like .cm-tag { color: #997643; } 35 | .cm-s-mdn-like .cm-attribute { color: #d6bb6d; } /*?*/ 36 | .cm-s-mdn-like .cm-header { color: #FF6400; } 37 | .cm-s-mdn-like .cm-hr { color: #AEAEAE; } 38 | .cm-s-mdn-like .cm-link { color:#ad9361; font-style:italic; text-decoration:none; } 39 | .cm-s-mdn-like .cm-error { border-bottom: 1px solid red; } 40 | 41 | div.cm-s-mdn-like .CodeMirror-activeline-background {background: #efefff;} 42 | div.cm-s-mdn-like span.CodeMirror-matchingbracket {outline:1px solid grey; color: inherit;} 43 | 44 | .cm-s-mdn-like.CodeMirror { background-image: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAFcAAAAyCAYAAAAp8UeFAAAHvklEQVR42s2b63bcNgyEQZCSHCdt2vd/0tWF7I+Q6XgMXiTtuvU5Pl57ZQKkKHzEAOtF5KeIJBGJ8uvL599FRFREZhFx8DeXv8trn68RuGaC8TRfo3SNp9dlDDHedyLyTUTeRWStXKPZrjtpZxaRw5hPqozRs1N8/enzIiQRWcCgy4MUA0f+XWliDhyL8Lfyvx7ei/Ae3iQFHyw7U/59pQVIMEEPEz0G7XiwdRjzSfC3UTtz9vchIntxvry5iMgfIhJoEflOz2CQr3F5h/HfeFe+GTdLaKcu9L8LTeQb/R/7GgbsfKedyNdoHsN31uRPWrfZ5wsj/NzzRQHuToIdU3ahwnsKPxXCjJITuOsi7XLc7SG/v5GdALs7wf8JjTFiB5+QvTEfRyGOfX3Lrx8wxyQi3sNq46O7QahQiCsRFgqddjBouVEHOKDgXAQHD9gJCr5sMKkEdjwsarG/ww3BMHBU7OBjXnzdyY7SfCxf5/z6ATccrwlKuwC/jhznnPF4CgVzhhVf4xp2EixcBActO75iZ8/fM9zAs2OMzKdslgXWJ9XG8PQoOAMA5fGcsvORgv0doBXyHrCwfLJAOwo71QLNkb8n2Pl6EWiR7OCibtkPaz4Kc/0NNAze2gju3zOwekALDaCFPI5vjPFmgGY5AZqyGEvH1x7QfIb8YtxMnA/b+QQ0aQDAwc6JMFg8CbQZ4qoYEEHbRwNojuK3EHwd7VALSgq+MNDKzfT58T8qdpADrgW0GmgcAS1lhzztJmkAzcPNOQbsWEALBDSlMKUG0Eq4CLAQWvEVQ9WU57gZJwZtgPO3r9oBTQ9WO8TjqXINx8R0EYpiZEUWOF3FxkbJkgU9B2f41YBrIj5ZfsQa0M5kTgiAAqM3ShXLgu8XMqcrQBvJ0CL5pnTsfMB13oB8athpAq2XOQmcGmoACCLydx7nToa23ATaSIY2ichfOdPTGxlasXMLaL0MLZAOwAKIM+y8CmicobGdCcbbK9DzN+yYGVoNNI5iUKTMyYOjPse4A8SM1MmcXgU0toOq1yO/v8FOxlASyc7TgeYaAMBJHcY1CcCwGI/TK4AmDbDyKYBBtFUkRwto8gygiQEaByFgJ00BH2M8JWwQS1nafDXQCidWyOI8AcjDCSjCLk8ngObuAm3JAHAdubAmOaK06V8MNEsKPJOhobSprwQa6gD7DclRQdqcwL4zxqgBrQcabUiBLclRDKAlWp+etPkBaNMA0AKlrHwTdEByZAA4GM+SNluSY6wAzcMNewxmgig5Ks0nkrSpBvSaQHMdKTBAnLojOdYyGpQ254602ZILPdTD1hdlggdIm74jbTp8vDwF5ZYUeLWGJpWsh6XNyXgcYwVoJQTEhhTYkxzZjiU5npU2TaB979TQehlaAVq4kaGpiPwwwLkYUuBbQwocyQTv1tA0+1UFWoJF3iv1oq+qoSk8EQdJmwHkziIF7oOZk14EGitibAdjLYYK78H5vZOhtWpoI0ATGHs0Q8OMb4Ey+2bU2UYztCtA0wFAs7TplGLRVQCcqaFdGSPCeTI1QNIC52iWNzof6Uib7xjEp07mNNoUYmVosVItHrHzRlLgBn9LFyRHaQCtVUMbtTNhoXWiTOO9k/V8BdAc1Oq0ArSQs6/5SU0hckNy9NnXqQY0PGYo5dWJ7nINaN6o958FWin27aBaWRka1r5myvLOAm0j30eBJqCxHLReVclxhxOEN2JfDWjxBtAC7MIH1fVaGdoOp4qJYDgKtKPSFNID2gSnGldrCqkFZ+5UeQXQBIRrSwocbdZYQT/2LwRahBPBXoHrB8nxaGROST62DKUbQOMMzZIC9abkuELfQzQALWTnDNAm8KHWFOJgJ5+SHIvTPcmx1xQyZRhNL5Qci689aXMEaN/uNIWkEwDAvFpOZmgsBaaGnbs1NPa1Jm32gBZAIh1pCtG7TSH4aE0y1uVY4uqoFPisGlpP2rSA5qTecWn5agK6BzSpgAyD+wFaqhnYoSZ1Vwr8CmlTQbrcO3ZaX0NAEyMbYaAlyquFoLKK3SPby9CeVUPThrSJmkCAE0CrKUQadi4DrdSlWhmah0YL9z9vClH59YGbHx1J8VZTyAjQepJjmXwAKTDQI3omc3p1U4gDUf6RfcdYfrUp5ClAi2J3Ba6UOXGo+K+bQrjjssitG2SJzshaLwMtXgRagUNpYYoVkMSBLM+9GGiJZMvduG6DRZ4qc04DMPtQQxOjEtACmhO7K1AbNbQDEggZyJwscFpAGwENhoBeUwh3bWolhe8BTYVKxQEWrSUn/uhcM5KhvUu/+eQu0Lzhi+VrK0PrZZNDQKs9cpYUuFYgMVpD4/NxenJTiMCNqdUEUf1qZWjppLT5qSkkUZbCwkbZMSuVnu80hfSkzRbQeqCZSAh6huR4VtoM2gHAlLf72smuWgE+VV7XpE25Ab2WFDgyhnSuKbs4GuGzCjR+tIoUuMFg3kgcWKLTwRqanJQ2W00hAsenfaApRC42hbCvK1SlE0HtE9BGgneJO+ELamitD1YjjOYnNYVcraGhtKkW0EqVVeDx733I2NH581k1NNxNLG0i0IJ8/NjVaOZ0tYZ2Vtr0Xv7tPV3hkWp9EFkgS/J0vosngTaSoaG06WHi+xObQkaAdlbanP8B2+2l0f90LmUAAAAASUVORK5CYII=); } 45 | -------------------------------------------------------------------------------- /client/js/build/execute.js: -------------------------------------------------------------------------------- 1 | /* 2 | JSPrime v0.1 beta 3 | ================= 4 | The MIT License (MIT) 5 | 6 | Copyright (c) 2013 Nishant Das Patnaik (nishant.dp@gmail.com) 7 | Copyright (c) 2013 Sarathi Sabyasachi Sahoo (sarathisahoo@gmail.com) 8 | 9 | Permission is hereby granted, free of charge, to any person obtaining a copy of 10 | this software and associated documentation files (the "Software"), to deal in 11 | the Software without restriction, including without limitation the rights to 12 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of 13 | the Software, and to permit persons to whom the Software is furnished to do so, 14 | subject to the following conditions: 15 | 16 | The above copyright notice and this permission notice shall be included in all 17 | copies or substantial portions of the Software. 18 | 19 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 20 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS 21 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR 22 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 23 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 24 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 25 | */ 26 | var msg = "DOM XSS Confirmed !!"; 27 | var domInject = []; 28 | var domInjectSource = []; 29 | 30 | function executeJSPrime() { 31 | var sOrangeData = document.getElementById('aOrangeData').value; 32 | var sOtherData = document.getElementById('aOtherData').value; 33 | var sRedData = document.getElementById('aRedData').value; 34 | var sSink = document.getElementById('aSink').value; 35 | var sSource = document.getElementById('aSource').value; 36 | 37 | var aOrangeData = sOrangeData.split(","); 38 | var aOtherData = sOtherData.split(","); 39 | var aRedData = sRedData.split(","); 40 | domInject = sSink.split(","); 41 | domInjectSource = sSource.split(","); 42 | 43 | var aScr = document.getElementsByTagName('script')[0].innerHTML.split("\n"); 44 | 45 | var aDuplicate = []; 46 | for (var i = 0; i < aOrangeData.length - 1; i++) { 47 | var tempData; 48 | try { 49 | if (aDuplicate.indexOf(sOtherData[i]) != -1) 50 | continue; 51 | aDuplicate.push(sOtherData[i]); 52 | 53 | var data = aScr[parseInt(aOrangeData[i])]; 54 | var aSource = data.split("="); 55 | aSource[1] = "\"alert('" + msg + "');//\""; 56 | 57 | data = aSource.join("="); 58 | tempData = data; 59 | eval(data); 60 | } catch (err) { 61 | try { 62 | if (err.message.indexOf("is not defined") != -1) { 63 | var newVar = err.message.replace(" is not defined", ""); 64 | eval("var " + newVar); 65 | eval(tempData); 66 | } 67 | } catch (err2) { 68 | //alert(err2); 69 | } 70 | } 71 | } 72 | 73 | for (var j = 0; j < 2; j++) { 74 | var tempData; 75 | var aDuplicate = []; 76 | for (var i = 0; i < aOtherData.length - 1; i++) { 77 | try { 78 | if (aDuplicate.indexOf(aOtherData[i]) != -1) 79 | continue; 80 | aDuplicate.push(aOtherData[i]); 81 | 82 | var data = aScr[parseInt(aOtherData[i])]; 83 | if (eval(data) == undefined); { 84 | if (j == 1) { 85 | var aSource = data.split("="); 86 | aSource[1] = "\"alert('" + msg + "');//\""; 87 | data = aSource.join("="); 88 | eval(data); 89 | } 90 | } 91 | tempData = data; 92 | } catch (err) { 93 | try { 94 | if (err.message.indexOf("is not defined") != -1) { 95 | var newVar = err.message.replace(" is not defined", ""); 96 | eval("var " + newVar); 97 | eval(tempData); 98 | } 99 | } catch (err2) { 100 | //alert(err2); 101 | } 102 | } 103 | } 104 | } 105 | 106 | for (var i = 0; i < aRedData.length - 1; i++) { 107 | var tempData; 108 | try { 109 | var data = aScr[parseInt(aRedData[i])]; 110 | var aSource = data.split("="); 111 | for (var j = 0; j < domInject.length; j++) { 112 | if (aSource[0].indexOf(domInject[j]) != -1) { 113 | aSource[0] = "document.getElementsByTagName('body')[0].innerHTML"; 114 | for (var k = 0; k < domInjectSource.length; k++) { 115 | if (aSource[1].indexOf(domInjectSource[k]) != -1) { 116 | aSource[1] = "\"alert('" + msg + "');//\""; 117 | } 118 | } 119 | data = aSource.join("="); 120 | } 121 | } 122 | tempData = data; 123 | eval(data); 124 | } catch (err) { 125 | try { 126 | if (err.message.indexOf("is not defined") != -1) { 127 | var newVar = err.message.replace(" is not defined", ""); 128 | eval("var " + newVar); 129 | eval(tempData); 130 | } 131 | } catch (err2) { 132 | //alert(err2); 133 | } 134 | } 135 | } 136 | 137 | /* 138 | try 139 | { 140 | eval(aScr[7]); 141 | } 142 | catch(err) 143 | { 144 | alert(err); 145 | } 146 | */ 147 | 148 | } 149 | -------------------------------------------------------------------------------- /client/css/codemirror.css: -------------------------------------------------------------------------------- 1 | /* BASICS */ 2 | 3 | .CodeMirror { 4 | /* Set height, width, borders, and global font properties here */ 5 | font-family: monospace; 6 | height: 300px; 7 | } 8 | .CodeMirror-scroll { 9 | /* Set scrolling behaviour here */ 10 | overflow: auto; 11 | } 12 | 13 | /* PADDING */ 14 | 15 | .CodeMirror-lines { 16 | padding: 4px 0; /* Vertical padding around content */ 17 | } 18 | .CodeMirror pre { 19 | padding: 0 4px; /* Horizontal padding of content */ 20 | } 21 | 22 | .CodeMirror-scrollbar-filler, .CodeMirror-gutter-filler { 23 | background-color: white; /* The little square between H and V scrollbars */ 24 | } 25 | 26 | /* GUTTER */ 27 | 28 | .CodeMirror-gutters { 29 | border-right: 1px solid #ddd; 30 | background-color: #f7f7f7; 31 | white-space: nowrap; 32 | } 33 | .CodeMirror-linenumbers {} 34 | .CodeMirror-linenumber { 35 | padding: 0 3px 0 5px; 36 | min-width: 20px; 37 | text-align: right; 38 | color: #999; 39 | -moz-box-sizing: content-box; 40 | box-sizing: content-box; 41 | } 42 | 43 | /* CURSOR */ 44 | 45 | .CodeMirror div.CodeMirror-cursor { 46 | border-left: 1px solid black; 47 | z-index: 3; 48 | } 49 | /* Shown when moving in bi-directional text */ 50 | .CodeMirror div.CodeMirror-secondarycursor { 51 | border-left: 1px solid silver; 52 | } 53 | .CodeMirror.cm-keymap-fat-cursor div.CodeMirror-cursor { 54 | width: auto; 55 | border: 0; 56 | background: #7e7; 57 | z-index: 1; 58 | } 59 | /* Can style cursor different in overwrite (non-insert) mode */ 60 | .CodeMirror div.CodeMirror-cursor.CodeMirror-overwrite {} 61 | 62 | .cm-tab { display: inline-block; } 63 | 64 | .CodeMirror-ruler { 65 | border-left: 1px solid #ccc; 66 | position: absolute; 67 | } 68 | 69 | /* DEFAULT THEME */ 70 | 71 | .cm-s-default .cm-keyword {color: #708;} 72 | .cm-s-default .cm-atom {color: #219;} 73 | .cm-s-default .cm-number {color: #164;} 74 | .cm-s-default .cm-def {color: #00f;} 75 | .cm-s-default .cm-variable {color: black;} 76 | .cm-s-default .cm-variable-2 {color: #05a;} 77 | .cm-s-default .cm-variable-3 {color: #085;} 78 | .cm-s-default .cm-property {color: black;} 79 | .cm-s-default .cm-operator {color: black;} 80 | .cm-s-default .cm-comment {color: #a50;} 81 | .cm-s-default .cm-string {color: #a11;} 82 | .cm-s-default .cm-string-2 {color: #f50;} 83 | .cm-s-default .cm-meta {color: #555;} 84 | .cm-s-default .cm-qualifier {color: #555;} 85 | .cm-s-default .cm-builtin {color: #30a;} 86 | .cm-s-default .cm-bracket {color: #997;} 87 | .cm-s-default .cm-tag {color: #170;} 88 | .cm-s-default .cm-attribute {color: #00c;} 89 | .cm-s-default .cm-header {color: blue;} 90 | .cm-s-default .cm-quote {color: #090;} 91 | .cm-s-default .cm-hr {color: #999;} 92 | .cm-s-default .cm-link {color: #00c;} 93 | 94 | .cm-negative {color: #d44;} 95 | .cm-positive {color: #292;} 96 | .cm-header, .cm-strong {font-weight: bold;} 97 | .cm-em {font-style: italic;} 98 | .cm-link {text-decoration: underline;} 99 | 100 | .cm-s-default .cm-error {color: #f00;} 101 | .cm-invalidchar {color: #f00;} 102 | 103 | div.CodeMirror span.CodeMirror-matchingbracket {color: #0f0;} 104 | div.CodeMirror span.CodeMirror-nonmatchingbracket {color: #f22;} 105 | .CodeMirror-activeline-background {background: #e8f2ff;} 106 | 107 | /* STOP */ 108 | 109 | /* The rest of this file contains styles related to the mechanics of 110 | the editor. You probably shouldn't touch them. */ 111 | 112 | .CodeMirror { 113 | line-height: 1; 114 | position: relative; 115 | overflow: hidden; 116 | background: white; 117 | color: black; 118 | } 119 | 120 | .CodeMirror-scroll { 121 | /* 30px is the magic margin used to hide the element's real scrollbars */ 122 | /* See overflow: hidden in .CodeMirror */ 123 | margin-bottom: -30px; margin-right: -30px; 124 | padding-bottom: 30px; 125 | height: 100%; 126 | outline: none; /* Prevent dragging from highlighting the element */ 127 | position: relative; 128 | -moz-box-sizing: content-box; 129 | box-sizing: content-box; 130 | } 131 | .CodeMirror-sizer { 132 | position: relative; 133 | border-right: 30px solid transparent; 134 | -moz-box-sizing: content-box; 135 | box-sizing: content-box; 136 | } 137 | 138 | /* The fake, visible scrollbars. Used to force redraw during scrolling 139 | before actuall scrolling happens, thus preventing shaking and 140 | flickering artifacts. */ 141 | .CodeMirror-vscrollbar, .CodeMirror-hscrollbar, .CodeMirror-scrollbar-filler, .CodeMirror-gutter-filler { 142 | position: absolute; 143 | z-index: 6; 144 | display: none; 145 | } 146 | .CodeMirror-vscrollbar { 147 | right: 0; top: 0; 148 | overflow-x: hidden; 149 | overflow-y: scroll; 150 | } 151 | .CodeMirror-hscrollbar { 152 | bottom: 0; left: 0; 153 | overflow-y: hidden; 154 | overflow-x: scroll; 155 | } 156 | .CodeMirror-scrollbar-filler { 157 | right: 0; bottom: 0; 158 | } 159 | .CodeMirror-gutter-filler { 160 | left: 0; bottom: 0; 161 | } 162 | 163 | .CodeMirror-gutters { 164 | position: absolute; left: 0; top: 0; 165 | padding-bottom: 30px; 166 | z-index: 3; 167 | } 168 | .CodeMirror-gutter { 169 | white-space: normal; 170 | height: 100%; 171 | -moz-box-sizing: content-box; 172 | box-sizing: content-box; 173 | padding-bottom: 30px; 174 | margin-bottom: -32px; 175 | display: inline-block; 176 | /* Hack to make IE7 behave */ 177 | *zoom:1; 178 | *display:inline; 179 | } 180 | .CodeMirror-gutter-elt { 181 | position: absolute; 182 | cursor: default; 183 | z-index: 4; 184 | } 185 | 186 | .CodeMirror-lines { 187 | cursor: text; 188 | } 189 | .CodeMirror pre { 190 | /* Reset some styles that the rest of the page might have set */ 191 | -moz-border-radius: 0; -webkit-border-radius: 0; border-radius: 0; 192 | border-width: 0; 193 | background: transparent; 194 | font-family: inherit; 195 | font-size: inherit; 196 | margin: 0; 197 | white-space: pre; 198 | word-wrap: normal; 199 | line-height: inherit; 200 | color: inherit; 201 | z-index: 2; 202 | position: relative; 203 | overflow: visible; 204 | } 205 | .CodeMirror-wrap pre { 206 | word-wrap: break-word; 207 | white-space: pre-wrap; 208 | word-break: normal; 209 | } 210 | 211 | .CodeMirror-linebackground { 212 | position: absolute; 213 | left: 0; right: 0; top: 0; bottom: 0; 214 | z-index: 0; 215 | } 216 | 217 | .CodeMirror-linewidget { 218 | position: relative; 219 | z-index: 2; 220 | overflow: auto; 221 | } 222 | 223 | .CodeMirror-widget {} 224 | 225 | .CodeMirror-wrap .CodeMirror-scroll { 226 | overflow-x: hidden; 227 | } 228 | 229 | .CodeMirror-measure { 230 | position: absolute; 231 | width: 100%; 232 | height: 0; 233 | overflow: hidden; 234 | visibility: hidden; 235 | } 236 | .CodeMirror-measure pre { position: static; } 237 | 238 | .CodeMirror div.CodeMirror-cursor { 239 | position: absolute; 240 | visibility: hidden; 241 | border-right: none; 242 | width: 0; 243 | } 244 | .CodeMirror-focused div.CodeMirror-cursor { 245 | visibility: visible; 246 | } 247 | 248 | .CodeMirror-selected { background: #d9d9d9; } 249 | .CodeMirror-focused .CodeMirror-selected { background: #d7d4f0; } 250 | 251 | .cm-searching { 252 | background: #ffa; 253 | background: rgba(255, 255, 0, .4); 254 | } 255 | 256 | /* IE7 hack to prevent it from returning funny offsetTops on the spans */ 257 | .CodeMirror span { *vertical-align: text-bottom; } 258 | 259 | @media print { 260 | /* Hide the cursor when printing */ 261 | .CodeMirror div.CodeMirror-cursor { 262 | visibility: hidden; 263 | } 264 | } 265 | -------------------------------------------------------------------------------- /client/js/build/test/traverse.coffee: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2013 Yusuke Suzuki 2 | # 3 | # Redistribution and use in source and binary forms, with or without 4 | # modification, are permitted provided that the following conditions are met: 5 | # 6 | # * Redistributions of source code must retain the above copyright 7 | # notice, this list of conditions and the following disclaimer. 8 | # * Redistributions in binary form must reproduce the above copyright 9 | # notice, this list of conditions and the following disclaimer in the 10 | # documentation and/or other materials provided with the distribution. 11 | # 12 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 13 | # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 14 | # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 15 | # ARE DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY 16 | # DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 17 | # (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 18 | # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 19 | # ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 20 | # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 21 | # THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 22 | 23 | 'use strict' 24 | 25 | Dumper = require './dumper' 26 | expect = require('chai').expect 27 | 28 | describe 'object expression', -> 29 | it 'properties', -> 30 | tree = 31 | type: 'ObjectExpression' 32 | properties: [{ 33 | type: 'Property' 34 | key: 35 | type: 'Identifier' 36 | name: 'a' 37 | value: 38 | type: 'Identifier' 39 | name: 'a' 40 | }] 41 | 42 | expect(Dumper.dump(tree)).to.be.equal """ 43 | enter - ObjectExpression 44 | enter - Property 45 | enter - Identifier 46 | leave - Identifier 47 | enter - Identifier 48 | leave - Identifier 49 | leave - Property 50 | leave - ObjectExpression 51 | """ 52 | 53 | it 'properties without type', -> 54 | tree = 55 | type: 'ObjectExpression' 56 | properties: [{ 57 | key: 58 | type: 'Identifier' 59 | name: 'a' 60 | value: 61 | type: 'Identifier' 62 | name: 'a' 63 | }] 64 | 65 | expect(Dumper.dump(tree)).to.be.equal """ 66 | enter - ObjectExpression 67 | enter - undefined 68 | enter - Identifier 69 | leave - Identifier 70 | enter - Identifier 71 | leave - Identifier 72 | leave - undefined 73 | leave - ObjectExpression 74 | """ 75 | 76 | describe 'object pattern', -> 77 | it 'properties', -> 78 | tree = 79 | type: 'ObjectPattern' 80 | properties: [{ 81 | type: 'Property' 82 | key: 83 | type: 'Identifier' 84 | name: 'a' 85 | value: 86 | type: 'Identifier' 87 | name: 'a' 88 | }] 89 | 90 | expect(Dumper.dump(tree)).to.be.equal """ 91 | enter - ObjectPattern 92 | enter - Property 93 | enter - Identifier 94 | leave - Identifier 95 | enter - Identifier 96 | leave - Identifier 97 | leave - Property 98 | leave - ObjectPattern 99 | """ 100 | 101 | it 'properties without type', -> 102 | tree = 103 | type: 'ObjectPattern' 104 | properties: [{ 105 | key: 106 | type: 'Identifier' 107 | name: 'a' 108 | value: 109 | type: 'Identifier' 110 | name: 'a' 111 | }] 112 | 113 | expect(Dumper.dump(tree)).to.be.equal """ 114 | enter - ObjectPattern 115 | enter - undefined 116 | enter - Identifier 117 | leave - Identifier 118 | enter - Identifier 119 | leave - Identifier 120 | leave - undefined 121 | leave - ObjectPattern 122 | """ 123 | 124 | describe 'try statement', -> 125 | it 'old interface', -> 126 | tree = 127 | type: 'TryStatement' 128 | handlers: [{ 129 | type: 'BlockStatement' 130 | body: [] 131 | }] 132 | finalizer: 133 | type: 'BlockStatement' 134 | body: [] 135 | 136 | expect(Dumper.dump(tree)).to.be.equal """ 137 | enter - TryStatement 138 | enter - BlockStatement 139 | leave - BlockStatement 140 | enter - BlockStatement 141 | leave - BlockStatement 142 | leave - TryStatement 143 | """ 144 | 145 | it 'new interface', -> 146 | tree = 147 | type: 'TryStatement' 148 | handler: [{ 149 | type: 'BlockStatement' 150 | body: [] 151 | }] 152 | guardedHandlers: null 153 | finalizer: 154 | type: 'BlockStatement' 155 | body: [] 156 | 157 | expect(Dumper.dump(tree)).to.be.equal """ 158 | enter - TryStatement 159 | enter - BlockStatement 160 | leave - BlockStatement 161 | enter - BlockStatement 162 | leave - BlockStatement 163 | leave - TryStatement 164 | """ 165 | 166 | describe 'arrow function expression', -> 167 | it 'traverse', -> 168 | tree = 169 | type: 'ArrowFunctionExpression' 170 | params: [{ 171 | type: 'Identifier' 172 | name: 'a' 173 | }] 174 | defaults: [{ 175 | type: 'Literal' 176 | value: 20 177 | }] 178 | rest: { 179 | type: 'Identifier' 180 | name: 'rest' 181 | } 182 | body: 183 | type: 'BlockStatement' 184 | body: [] 185 | 186 | expect(Dumper.dump(tree)).to.be.equal """ 187 | enter - ArrowFunctionExpression 188 | enter - Identifier 189 | leave - Identifier 190 | enter - Literal 191 | leave - Literal 192 | enter - Identifier 193 | leave - Identifier 194 | enter - BlockStatement 195 | leave - BlockStatement 196 | leave - ArrowFunctionExpression 197 | """ 198 | 199 | describe 'function expression', -> 200 | it 'traverse', -> 201 | tree = 202 | type: 'FunctionExpression' 203 | params: [{ 204 | type: 'Identifier' 205 | name: 'a' 206 | }] 207 | defaults: [{ 208 | type: 'Literal' 209 | value: 20 210 | }] 211 | rest: { 212 | type: 'Identifier' 213 | name: 'rest' 214 | } 215 | body: 216 | type: 'BlockStatement' 217 | body: [] 218 | 219 | expect(Dumper.dump(tree)).to.be.equal """ 220 | enter - FunctionExpression 221 | enter - Identifier 222 | leave - Identifier 223 | enter - Literal 224 | leave - Literal 225 | enter - Identifier 226 | leave - Identifier 227 | enter - BlockStatement 228 | leave - BlockStatement 229 | leave - FunctionExpression 230 | """ 231 | 232 | describe 'function declaration', -> 233 | it 'traverse', -> 234 | tree = 235 | type: 'FunctionDeclaration' 236 | id: { 237 | type: 'Identifier' 238 | name: 'decl' 239 | } 240 | params: [{ 241 | type: 'Identifier' 242 | name: 'a' 243 | }] 244 | defaults: [{ 245 | type: 'Literal' 246 | value: 20 247 | }] 248 | rest: { 249 | type: 'Identifier' 250 | name: 'rest' 251 | } 252 | body: 253 | type: 'BlockStatement' 254 | body: [] 255 | 256 | expect(Dumper.dump(tree)).to.be.equal """ 257 | enter - FunctionDeclaration 258 | enter - Identifier 259 | leave - Identifier 260 | enter - Identifier 261 | leave - Identifier 262 | enter - Literal 263 | leave - Literal 264 | enter - Identifier 265 | leave - Identifier 266 | enter - BlockStatement 267 | leave - BlockStatement 268 | leave - FunctionDeclaration 269 | """ 270 | 271 | -------------------------------------------------------------------------------- /client/css/app.css: -------------------------------------------------------------------------------- 1 | @import url("bootstrap.css"); 2 | @import url("dashboard.css"); 3 | @import url("codemirror.css"); 4 | @import url("codemirror-mdn.css"); 5 | @import url("prettify.css"); 6 | @import url("font-awesome.css"); 7 | 8 | html, body { 9 | height: 100%; 10 | width: 100%; 11 | } 12 | 13 | pre.prettyprint{ 14 | width: auto; 15 | max-width: 600px; 16 | overflow: auto; 17 | font-size: x-small; 18 | } 19 | 20 | .navbar { 21 | background: #4D4E53; 22 | } 23 | 24 | .nav > li > a:hover, 25 | .nav > li > a:focus { 26 | background-color: #0095DD; 27 | } 28 | 29 | a { 30 | cursor:pointer; 31 | } 32 | 33 | .sidebar { 34 | background-color: #EAEFF2; 35 | } 36 | 37 | .jumbotron { 38 | background: #D4DDE4; 39 | } 40 | 41 | .table { 42 | border: 1px solid #EAEFF2; 43 | } 44 | 45 | .table-striped > tbody > tr:nth-child(odd) > td, 46 | .table-striped > tbody > tr:nth-child(odd) > th { 47 | background-color: #EAEFF2; 48 | } 49 | 50 | .sidebar-inputfiles{ 51 | font-size: x-small; 52 | } 53 | 54 | .CodeMirror { 55 | border: 1px solid #EAEFF2; 56 | height:500px; 57 | } 58 | 59 | .badge { 60 | margin: 3px 3px 3px 3px; 61 | } 62 | 63 | @-webkit-keyframes rotating { 64 | 0% { 65 | -webkit-transform: rotate(0deg); 66 | color: #333; 67 | } 68 | 25% { 69 | -webkit-transform: rotate(90deg); 70 | color: #70706F; 71 | } 72 | 50% { 73 | -webkit-transform: rotate(180deg); 74 | color: #ADADAB; 75 | } 76 | 75% { 77 | -webkit-transform: rotate(270deg); 78 | color: #EAEAE7; 79 | } 80 | 100% { 81 | -webkit-transform: rotate(360deg); 82 | color: #333; 83 | } 84 | } 85 | 86 | @keyframes rotating { 87 | 0% { 88 | transform: rotate(0deg); 89 | color: #333; 90 | } 91 | 25% { 92 | transform: rotate(90deg); 93 | color: #70706F; 94 | } 95 | 50% { 96 | transform: rotate(180deg); 97 | color: #ADADAB; 98 | } 99 | 75% { 100 | transform: rotate(270deg); 101 | color: #EAEAE7; 102 | } 103 | 100% { 104 | transform: rotate(360deg); 105 | color: #333; 106 | } 107 | } 108 | 109 | .rotating { 110 | margin: 5px 3px 0 3px; 111 | -webkit-animation: rotating 1s linear infinite; 112 | animation: rotating 1s linear infinite; 113 | } 114 | .fixed { 115 | position: fixed; 116 | min-width: 45%; 117 | } 118 | 119 | .regin{ 120 | width:100%; 121 | } 122 | 123 | #sys{ 124 | float:right; 125 | color:green; 126 | } 127 | 128 | /*Active Source*/ 129 | .active_source{ 130 | background: #ffc04c; 131 | color: black; 132 | } 133 | 134 | /*Active variable*/ 135 | .active_variable{ 136 | background: #ffff4c; 137 | color: black; 138 | } 139 | 140 | /*Non active variable*/ 141 | .non_active_variable{ 142 | background: grey; 143 | color: black; 144 | } 145 | 146 | /*Non acvtive source*/ 147 | .non_active_source{ 148 | background: BurlyWood; 149 | color: black; 150 | } 151 | 152 | /*Active function*/ 153 | .active_function{ 154 | background: #ff7fff; 155 | color: black; 156 | } 157 | 158 | /*active sink*/ 159 | .active_sink{ 160 | background: #ff6666; 161 | color: black; 162 | } 163 | 164 | #results_cr{ 165 | margin-top: 10px; 166 | float:left; 167 | width: 40%; 168 | } 169 | #results_cr_v{ 170 | margin-top: 10px; 171 | float:left; 172 | width: 60%; 173 | } 174 | 175 | #sub_1{ 176 | width: 100%; 177 | float:left; 178 | background: #ffc04c; 179 | color:black; 180 | border:1 px solid black; 181 | border-radius: 5px; 182 | padding:5px; 183 | margin-left:4px; 184 | margin-top:4px; 185 | text-align:center; 186 | height: 33px; 187 | } 188 | 189 | #sub_2{ 190 | width: 100%; 191 | float:left; 192 | background: #ffff4c; 193 | color:black; 194 | border:1 px solid black; 195 | border-radius: 5px; 196 | padding:5px; 197 | margin-left:4px; 198 | margin-top:4px; 199 | text-align:center; 200 | height: 33px; 201 | } 202 | 203 | #sub_3{ 204 | width: 100%; 205 | float:left; 206 | background: grey; 207 | color:black; 208 | border:1 px solid black; 209 | border-radius: 5px; 210 | padding:5px; 211 | margin-left:4px; 212 | margin-top:4px; 213 | text-align:center; 214 | height: 33px; 215 | } 216 | 217 | #sub_4{ 218 | width: 100%; 219 | float:left; 220 | background: BurlyWood; 221 | color:black; 222 | border:1 px solid black; 223 | border-radius: 5px; 224 | padding:5px; 225 | margin-left:4px; 226 | margin-top:4px; 227 | text-align:center; 228 | height: 33px; 229 | } 230 | 231 | #sub_5{ 232 | width: 100%; 233 | float:left; 234 | background: #ff7fff; 235 | color:black; 236 | border:1 px solid black; 237 | border-radius: 5px; 238 | padding:5px; 239 | margin-left:4px; 240 | margin-top:4px; 241 | text-align:center; 242 | height: 33px; 243 | } 244 | 245 | #sub_6{ 246 | width: 100%; 247 | float:left; 248 | background: #ff6666; 249 | color:black; 250 | border:1 px solid black; 251 | border-radius: 5px; 252 | padding:5px; 253 | margin-left:4px; 254 | margin-top:4px; 255 | text-align:center; 256 | height: 33px; 257 | } 258 | 259 | #sub_1_v{ 260 | width: 99%; 261 | float:left; 262 | color:black; 263 | border:1px #ffc04c solid; 264 | border-radius: 5px; 265 | padding:5px; 266 | margin-left:7px; 267 | margin-top:4px; 268 | text-align:center; 269 | height: 33px; 270 | } 271 | 272 | #sub_2_v{ 273 | width: 99%; 274 | float:left; 275 | color:black; 276 | border:1px #ffff4c solid; 277 | border-radius: 5px; 278 | padding:5px; 279 | margin-left:7px; 280 | margin-top:4px; 281 | text-align:center; 282 | height: 33px; 283 | } 284 | 285 | #sub_3_v{ 286 | width: 99%; 287 | float:left; 288 | color:black; 289 | border:1px grey solid; 290 | border-radius: 5px; 291 | padding:5px; 292 | margin-left:7px; 293 | margin-top:4px; 294 | text-align:center; 295 | height: 33px; 296 | } 297 | 298 | #sub_4_v{ 299 | width: 99%; 300 | float:left; 301 | color:black; 302 | border:1px BurlyWood solid; 303 | border-radius: 5px; 304 | padding:5px; 305 | margin-left:7px; 306 | margin-top:4px; 307 | text-align:center; 308 | height: 33px; 309 | } 310 | 311 | #sub_5_v{ 312 | width: 99%; 313 | float:left; 314 | color:black; 315 | border:1px #ff7fff solid; 316 | border-radius: 5px; 317 | padding:5px; 318 | margin-left:7px; 319 | margin-top:4px; 320 | text-align:center; 321 | height: 33px; 322 | } 323 | 324 | #sub_6_v{ 325 | width: 99%; 326 | float:left; 327 | color:black; 328 | border:1px #ff6666 solid; 329 | border-radius: 5px; 330 | padding:5px; 331 | margin-left:7px; 332 | margin-top:5px; 333 | text-align:center; 334 | } 335 | 336 | 337 | .fade-hide, .fade-show { 338 | -webkit-transition:all cubic-bezier(0.250, 0.460, 0.450, 0.940) 1s; 339 | -moz-transition:all cubic-bezier(0.250, 0.460, 0.450, 0.940) 1s; 340 | -o-transition:all cubic-bezier(0.250, 0.460, 0.450, 0.940) 1s; 341 | transition:all cubic-bezier(0.250, 0.460, 0.450, 0.940) 1s; 342 | } 343 | .fade-hide { 344 | opacity:1; 345 | } 346 | .fade-hide.fade-hide-active { 347 | opacity:0; 348 | } 349 | .fade-show { 350 | opacity:0; 351 | } 352 | .fade-show.fade-show-active { 353 | opacity:1; 354 | } 355 | 356 | #sub_1_v_h{ 357 | width: 99%; 358 | float:left; 359 | color:black; 360 | border:3px #ffc04c solid; 361 | border-radius: 5px; 362 | padding:5px; 363 | margin-left:7px; 364 | margin-top:3px; 365 | text-align:center; 366 | height: 33px; 367 | } 368 | 369 | #sub_2_v_h{ 370 | width: 99%; 371 | float:left; 372 | color:black; 373 | border:3px #ffff4c solid; 374 | border-radius: 5px; 375 | padding:5px; 376 | margin-left:7px; 377 | margin-top:3px; 378 | text-align:center; 379 | height: 33px; 380 | } 381 | 382 | #sub_3_v_h{ 383 | width: 99%; 384 | float:left; 385 | color:black; 386 | border:3px grey solid; 387 | border-radius: 5px; 388 | padding:5px; 389 | margin-left:7px; 390 | margin-top:3px; 391 | text-align:center; 392 | height: 33px; 393 | } 394 | 395 | #sub_4_v_h{ 396 | width: 99%; 397 | float:left; 398 | color:black; 399 | border:3px BurlyWood solid; 400 | border-radius: 5px; 401 | padding:5px; 402 | margin-left:7px; 403 | margin-top:3px; 404 | text-align:center; 405 | height: 33px; 406 | } 407 | 408 | #sub_5_v_h{ 409 | width: 99%; 410 | float:left; 411 | color:black; 412 | border:3px #ff7fff solid; 413 | border-radius: 5px; 414 | padding:5px; 415 | margin-left:7px; 416 | margin-top:3px; 417 | text-align:center; 418 | height: 33px; 419 | } 420 | 421 | #sub_6_v_h{ 422 | width: 99%; 423 | float:left; 424 | color:black; 425 | border:3px #ff6666 solid; 426 | border-radius: 5px; 427 | padding:5px; 428 | margin-left:7px; 429 | margin-top:3px; 430 | text-align:center; 431 | } 432 | 433 | #showlines{ 434 | display:inline; 435 | } 436 | 437 | #nested-table{ 438 | margin-bottom: 0px; 439 | } 440 | #expanded-data { 441 | margin-left: 20px; 442 | } 443 | 444 | #stay_inline{ 445 | width: 100%; 446 | } 447 | 448 | #chart{ 449 | float:left; 450 | width: 50%; 451 | height: 200px; 452 | } 453 | 454 | #chart2{ 455 | float:left; 456 | width: 50%; 457 | height: 200px; 458 | } 459 | 460 | #legenda{ 461 | width: 100%; 462 | height: 60px; 463 | } 464 | 465 | #active_sources{ 466 | float:left; 467 | width: 50%; 468 | } 469 | 470 | #payloads{ 471 | float:left; 472 | width: 50%; 473 | } -------------------------------------------------------------------------------- /client/vectors/v4.txt: -------------------------------------------------------------------------------- 1 | 1) 141 | 142 | 69) 147 | 148 | 72) 149 | 150 | 73) 151 | 152 | 74) click 153 | 154 | 75) 155 | 156 | 76) 169 | 170 | 83) 171 | 172 | 84) 173 | 174 | 85) 179 | 180 | 88) --!> 189 | 190 | 93) 191 | 192 | 94)
x 193 | 194 | 95) "> 195 | 196 | 96)