@appland/scanner 1.68.0 → 1.70.0

package/CHANGELOG.md

@@ -1,3 +1,31 @@
+# [@appland/scanner-v1.70.0](https://github.com/applandinc/appmap-js/compare/@appland/scanner-v1.69.1...@appland/scanner-v1.70.0) (2022-08-31)
+
+
+### Bug Fixes
+
+* Don't attempt to destructure an undefined value ([b46e358](https://github.com/applandinc/appmap-js/commit/b46e358cf0fd0cc56a7f465268f87f219ab13c55))
+
+
+### Features
+
+* Add scan for presence of JWT signature verification ([a2b382b](https://github.com/applandinc/appmap-js/commit/a2b382bd571cfbc0fcdfa389ad382536f85eb671))
+* Add scanner for usage of JWT with the `none` algorithm ([025ac89](https://github.com/applandinc/appmap-js/commit/025ac89f0538d5b4bfed7f36e3d09788f2a38076))
+
+# [@appland/scanner-v1.69.1](https://github.com/applandinc/appmap-js/compare/@appland/scanner-v1.69.0...@appland/scanner-v1.69.1) (2022-08-29)
+
+
+### Bug Fixes
+
+* Add missing dependencies ([97a5d02](https://github.com/applandinc/appmap-js/commit/97a5d02ff161b52200430d2123d8d9ab62037220))
+* Don't attempt to resolve a remote app ID if running in watch mode ([8f21ff1](https://github.com/applandinc/appmap-js/commit/8f21ff1a3bc86292f70a2cd1446f682e525869aa))
+
+# [@appland/scanner-v1.69.0](https://github.com/applandinc/appmap-js/compare/@appland/scanner-v1.68.0...@appland/scanner-v1.69.0) (2022-08-23)
+
+
+### Features
+
+* Track specific untrusted data in unsafe deserialization rule ([d14fd4f](https://github.com/applandinc/appmap-js/commit/d14fd4f65fcbabfebdaf0d10dcae71dc563bc1fa))
+
 # [@appland/scanner-v1.68.0](https://github.com/applandinc/appmap-js/compare/@appland/scanner-v1.67.0...@appland/scanner-v1.68.0) (2022-08-19)
 
 

package/built/cli/scan/command.js

@@ -75,7 +75,7 @@ exports.default = {
             if (appmapDir)
                 yield (0, validateFile_1.default)('directory', appmapDir);
             let appId = appIdArg;
-            if (!reportAllFindings)
+            if (!watch && !reportAllFindings)
                 appId = yield (0, resolveAppId_1.default)(appIdArg, appmapDir);
             if (watch) {
                 const watchAppMapDir = appmapDir;

package/built/rules/deserializationOfUntrustedData.js

@@ -3,46 +3,62 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-const models_1 = require("@appland/models");
 const url_1 = require("url");
 const parseRuleDescription_1 = __importDefault(require("./lib/parseRuleDescription"));
-const precedingEvents_1 = __importDefault(require("./lib/precedingEvents"));
-const sanitizesData_1 = __importDefault(require("./lib/sanitizesData"));
-function allArgumentsSanitized(rootEvent, event) {
-    return (event.parameters || [])
-        .filter((parameter) => parameter.object_id)
-        .every((parameter) => {
-        for (const candidate of (0, precedingEvents_1.default)(rootEvent, event)) {
-            if ((0, sanitizesData_1.default)(candidate.event, parameter.object_id, DeserializeSanitize)) {
-                return true;
-            }
-        }
-        return false;
-    });
+const analyzeDataFlow_1 = __importDefault(require("./lib/analyzeDataFlow"));
+function valueHistory(value) {
+    const events = [];
+    const queue = [value];
+    for (;;) {
+        const current = queue.shift();
+        if (!current)
+            break;
+        const { origin, parents } = current;
+        if (!events.includes(origin))
+            events.push(origin);
+        queue.push(...parents);
+    }
+    return events;
+}
+function wasSanitized(value) {
+    return valueHistory(value).some(({ labels }) => labels.has(DeserializeSanitize));
 }
-function build() {
-    function matcher(rootEvent) {
-        for (const event of new models_1.EventNavigator(rootEvent).descendants()) {
-            // events: //*[@authorization && truthy?(returnValue) && not(preceding::*[@authentication]) && not(descendant::*[@authentication])]
-            if (event.event.labels.has(DeserializeUnsafe) &&
-                !event.event.ancestors().find((ancestor) => ancestor.labels.has(DeserializeSafe))) {
-                if (allArgumentsSanitized(rootEvent, event.event)) {
-                    return;
-                }
-                else {
-                    return [
-                        {
-                            event: event.event,
-                            message: `${event.event} deserializes untrusted data`,
-                        },
-                    ];
-                }
+function formatHistories(values) {
+    const histories = values.map(valueHistory);
+    return Object.fromEntries(histories.flatMap((history, input) => history.map((event, idx) => [`origin[${input}][${idx}]`, event])));
+}
+function label(name) {
+    return ({ labels }) => labels.has(name);
+}
+function matcher(startEvent) {
+    const flow = (0, analyzeDataFlow_1.default)([...(startEvent.message || [])], startEvent);
+    const results = [];
+    const sanitizedValues = new Set();
+    for (const [event, values] of flow) {
+        if (event.labels.has(DeserializeSanitize)) {
+            for (const v of values)
+                sanitizedValues.add(v);
+            continue;
+        }
+        if (!event.labels.has(DeserializeUnsafe))
+            continue;
+        const unsanitized = new Set(values.filter((v) => !(wasSanitized(v) || sanitizedValues.has(v))));
+        // remove any that have been passed into a safe deserialization function
+        for (const ancestor of event.ancestors().filter(label(DeserializeSafe))) {
+            for (const v of flow.get(ancestor) || []) {
+                unsanitized.delete(v);
             }
         }
+        const remaining = [...unsanitized];
+        if (remaining.length === 0)
+            continue;
+        results.push({
+            event: event,
+            message: `deserializes untrusted data: ${remaining.map(({ value: { value } }) => value)}`,
+            participatingEvents: formatHistories(remaining),
+        });
     }
-    return {
-        matcher,
-    };
+    return results;
 }
 const DeserializeUnsafe = 'deserialize.unsafe';
 const DeserializeSafe = 'deserialize.safe';
@@ -53,11 +69,12 @@ exports.default = {
     labels: [DeserializeUnsafe, DeserializeSafe, DeserializeSanitize],
     impactDomain: 'Security',
     enumerateScope: false,
+    scope: 'http_server_request',
     references: {
         'CWE-502': new url_1.URL('https://cwe.mitre.org/data/definitions/502.html'),
         'Ruby Security': new url_1.URL('https://docs.ruby-lang.org/en/3.0/doc/security_rdoc.html'),
     },
     description: (0, parseRuleDescription_1.default)('deserializationOfUntrustedData'),
     url: 'https://appland.com/docs/analysis/rules-reference.html#deserialization-of-untrusted-data',
-    build,
+    build: () => ({ matcher }),
 };

package/built/rules/jwtAlgorithmNone.js

@@ -0,0 +1,47 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const parseRuleDescription_1 = __importDefault(require("./lib/parseRuleDescription"));
+function getHeader(jwt) {
+    try {
+        const [header] = jwt.split('.');
+        const decodedHeader = Buffer.from(header, 'base64').toString('utf-8');
+        return JSON.parse(decodedHeader);
+    }
+    catch (_a) {
+        // the JWT is malformed
+        return undefined;
+    }
+}
+class JwtAlgoritmNoneLogic {
+    matcher(event) {
+        if (!event.returnValue)
+            return;
+        const matches = new Array();
+        const { value: jwt } = event.returnValue;
+        const header = getHeader(jwt);
+        if ((header === null || header === void 0 ? void 0 : header.alg) === 'none') {
+            matches.push({ event, message: 'Encoded JWT using the `none` algorithm' });
+        }
+        return matches;
+    }
+    where(event) {
+        return event.labels.has('jwt.encode');
+    }
+}
+class JwtAlgoritmNone {
+    constructor() {
+        this.id = 'jwt-algorithm-none';
+        this.title = "JWT 'none' algorithm";
+        this.impactDomain = 'Security';
+        this.enumerateScope = true;
+        this.description = (0, parseRuleDescription_1.default)('jwtAlgorithmNone');
+        this.url = 'https://appland.com/docs/analysis/rules-reference.html#jwt-algorithm-none';
+    }
+    build() {
+        return new JwtAlgoritmNoneLogic();
+    }
+}
+exports.default = new JwtAlgoritmNone();

package/built/rules/jwtUnverifiedSignature.js

@@ -0,0 +1,84 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Labels = void 0;
+const parseRuleDescription_1 = __importDefault(require("./lib/parseRuleDescription"));
+const models_1 = require("@appland/models");
+var Labels;
+(function (Labels) {
+    Labels["SignatureVerify"] = "jwt.signature.verify";
+    Labels["JwtDecode"] = "jwt.decode";
+})(Labels = exports.Labels || (exports.Labels = {}));
+// Attempt to identify and return a JWT from an array of parameters
+function findJwt(parameters) {
+    if (!parameters)
+        return;
+    for (const param of parameters) {
+        const tokens = param.value.split('.');
+        if (tokens.length !== 3)
+            return;
+        const [header, payload, signature] = tokens;
+        return { header, payload, signature };
+    }
+}
+// Check if `obj` matches the JWT by value or by reference (receiverId)
+function matchJwt(obj, jwt, receiverId) {
+    const byValue = jwt !== undefined && obj.value.startsWith(`${jwt.header}.${jwt.payload}`);
+    const byReference = receiverId !== undefined && receiverId === obj.object_id;
+    return byValue || byReference;
+}
+class JwtUnverifiedSignatureLogic {
+    matcher(event) {
+        var _a, _b, _c;
+        if (event.labels.has(Labels.SignatureVerify)) {
+            // This method is marked both as decode and signature verify. It is compliant.
+            return;
+        }
+        let verified = false;
+        let receiverId;
+        const jwt = findJwt(event.parameters);
+        const matches = new Array();
+        // Don't track the receiver if it's static. We'll find references of the decoded JWT passed by
+        // function parameter instead.
+        if (!event.isStatic) {
+            receiverId = (_a = event.receiver) === null || _a === void 0 ? void 0 : _a.object_id;
+        }
+        for (const { event: child } of new models_1.EventNavigator(event).following()) {
+            if (!child.labels.has(Labels.SignatureVerify)) {
+                continue;
+            }
+            const matchesReceiver = receiverId !== undefined && receiverId === ((_b = child.receiver) === null || _b === void 0 ? void 0 : _b.object_id);
+            const matchesParameter = (_c = child.parameters) === null || _c === void 0 ? void 0 : _c.find((param) => matchJwt(param, jwt, receiverId));
+            if (matchesReceiver || matchesParameter) {
+                verified = true;
+                break;
+            }
+        }
+        if (!verified) {
+            matches.push({
+                event,
+                message: 'JWT signature is not validated',
+            });
+        }
+        return matches;
+    }
+    where(event) {
+        return event.labels.has('jwt.decode');
+    }
+}
+class JwtUnverifiedSignature {
+    constructor() {
+        this.id = 'jwt-unverified-signature';
+        this.title = 'Unverified signature';
+        this.impactDomain = 'Security';
+        this.enumerateScope = true;
+        this.description = (0, parseRuleDescription_1.default)('jwtUnverifiedSignature');
+        this.url = 'https://appland.com/docs/analysis/rules-reference.html#jwt-unverified-signature';
+    }
+    build() {
+        return new JwtUnverifiedSignatureLogic();
+    }
+}
+exports.default = new JwtUnverifiedSignature();

package/built/rules/lib/analyzeDataFlow.js

@@ -0,0 +1,80 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+function matches(template, value) {
+    if (template.object_id && template.object_id === value.object_id)
+        return true;
+    if (template.value && template.value === value.value)
+        return true;
+    return false;
+}
+class Matcher {
+    constructor(root, data) {
+        this.tracked = new Map();
+        for (const value of data)
+            this.add(value, root, []);
+    }
+    add(value, origin, parents) {
+        if (isPrimitive(value))
+            return;
+        this.tracked.set(value, { value, origin, parents });
+    }
+    match(value) {
+        if (isPrimitive(value))
+            return null;
+        for (const [probe, history] of this.tracked) {
+            if (matches(probe, value))
+                return history;
+        }
+        return null;
+    }
+    matches(values) {
+        return compact(values.map(this.match.bind(this)));
+    }
+}
+function isPrimitive(value) {
+    // we don't want to record any nulls,
+    // booleans or small strings and numbers
+    return !value.value || value.value.length < 6;
+}
+function isNotNullOrUndefined(x) {
+    return x !== undefined && x !== null;
+}
+function compact(x) {
+    return x.filter(isNotNullOrUndefined);
+}
+/**
+ * Tracks flow of data across the execution trace, identifying all function
+ * calls which have a tracked object as its receiver or one of the parameters.
+ * Any value such a function returns will also then become tracked.
+ * The origin chain of all values is recorded, so full provenience up to
+ * the starting set can be reconstructed.
+ * @param trackedData Initial data to track.
+ * @param startEvent The root event of the analysis.
+ * @returns Events which have a tracked piece of data as an input, each
+ * associated with the list of such inputs.
+ */
+function analyzeDataFlow(trackedData, startEvent) {
+    const matcher = new Matcher(startEvent, trackedData);
+    const events = new Map([
+        [startEvent, matcher.matches(trackedData)],
+    ]);
+    startEvent.traverse({
+        onEnter(event) {
+            const inputs = compact([...(event.parameters || []), event.receiver]);
+            const matches = matcher.matches(inputs);
+            if (matches.length === 0)
+                return;
+            events.set(event, matches);
+        },
+        onExit({ callEvent, returnValue }) {
+            if (!returnValue)
+                return;
+            const parents = events.get(callEvent);
+            if (!parents)
+                return;
+            matcher.add(returnValue, callEvent, parents);
+        },
+    });
+    return events;
+}
+exports.default = analyzeDataFlow;

package/built/rules/lib/util.js

@@ -101,7 +101,7 @@ exports.parseValue = parseValue;
 const isTruthy = (valueObj) => !isFalsey(valueObj);
 exports.isTruthy = isTruthy;
 function providesAuthentication(event, label) {
-    return event.returnValue && event.labels.has(label) && isTruthy(event.returnValue);
+    return !!event.returnValue && event.labels.has(label) && isTruthy(event.returnValue);
 }
 exports.providesAuthentication = providesAuthentication;
 function ideLink(filePath, ide, eventId) {

package/doc/rules/deserialization-of-untrusted-data.md

@@ -10,18 +10,35 @@ labels:
   - deserialize.unsafe
   - deserialize.safe
   - deserialize.sanitize
+scope: http_server_request
 ---
 
 Finds occurrances of deserialization in which the mechanism employed is known to be unsafe, and the
-data is not known to be trusted.
+data comes from an untrusted source and hasn't passed through a sanitization mechanism.
 
 ### Rule logic
 
-Finds all events labeled `deserialize.unsafe`, that are not a descendant of an event labeled
-`deserialize.safe`. For each of these events, all event parameters are checked.
+Finds all events labeled `deserialize.unsafe` that receive tainted data (as
+determined by object identity or string value) as an input.
 
-Each parameter whose type is `string` or `object` is verified to ensure that it's trusted. For data
-to be trusted, it must be the return value of a function labeled `deserialize.sanitize`.
+For each of these events; checks if all the inputs have been sanitized.
+
+Data that has been passed to a function labeled `deserialize.sanitize` is
+assumed to be sanitized from this point onwards. Such a function could either
+check the value is sanitized (note no verification is currently done to ensure
+this result is checked) or return the transformed value after any necessary sanitization.
+
+Data passed to a function labeled `deserialized.safe` is considered in all
+functions called by it (down the callstack). Functions that first sanitize data
+and then use an unsafe deserialization function should carry this label.
+
+The set of tracked tainted data initially includes the HTTP message parameters
+and is expanded to include any non-primitive (ie. longer than 5 characters)
+observed outputs of functions that consume tainted data.
+
+The reliability of this rule now depends on completeness of the AppMap.
+If there is a data transformation that is	not captured it's invisible to the
+rule and will result in failure to associate it with the tracked untrusted data.
 
 ### Notes
 
@@ -30,9 +47,12 @@ that executes code shortly after deserialization.
 
 ### Resolution
 
-If you can guarantee that you are using unsafe deserialization in a safe way, but it's not possible
-to obtain the raw data from a function labeled `deserialize.sanitize`, you can wrap the
-deserialization in a function labeled `deserialize.safe`.
+Consider if the library you're using offers a safe deserialization function variant that you can
+use instead. Using unsafe functions is only rarely needed and typically requires a good reason.
+
+If you need to use the unsafe function, make sure you're able to handle unexpected input safely.
+Sanitize the data thoroughly first; label the sanitization function with `deserialize.sanitize` label
+or wrap the whole sanitization and deserialization logic in a function labeled `deserialize.safe`.
 
 If you need to deserialize untrusted data, JSON is often a good choice as it is only capable of
 returning ‘primitive’ types such as strings, arrays, hashes, numbers and nil. If you need to

package/doc/rules/jwt-algorithm-none.md

@@ -0,0 +1,25 @@
+---
+rule: jwt-algorithm-none
+name: Jwt algorithm none
+title: JWT 'none' algorithm
+impactDomain: Security
+---
+
+Finds usage of unsecured JWTs which use the `none` algorithm. When declaring this algorithm, there
+is no signature contained within the token that may be cryptographically verified. As a result, the
+data encoded within the token may be easily forged.
+
+### Rule logic
+
+Any function which encodes a new JWT will have its return value checked for presence of the `none`
+algorithm within the token header.
+
+### Options
+
+None
+
+### Examples
+
+```yaml
+- rule: jwt-algorithm-none
+```

package/doc/rules/jwt-unverified-signature.md

@@ -0,0 +1,24 @@
+---
+rule: jwt-unverified-signature
+name: Jwt unverified signature
+title: Unverified signature
+impactDomain: Security
+---
+
+Finds cases where a JWT is decoded but the signature is never verified. Without proper signature
+verification, the service will unknowingly accept arbitrary token payloads from any origin.
+
+### Rule logic
+
+Following a function call to decode a JWT, a subsequent function call to verify the token signature
+is expected.
+
+### Options
+
+None
+
+### Examples
+
+```yaml
+- rule: jwt-unverified-signature
+```

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@appland/scanner",
-  "version": "1.68.0",
+  "version": "1.70.0",
   "description": "",
   "bin": "built/cli.js",
   "files": [
@@ -56,19 +56,21 @@
   },
   "dependencies": {
     "@appland/client": "^1.3.0",
-    "@appland/models": "^1.16.1",
+    "@appland/models": "^1.18.1",
     "@appland/openapi": "1.0.2",
     "@appland/sql-parser": "^1.5.0",
     "@types/cli-progress": "^3.9.2",
     "ajv": "^8.8.2",
     "applicationinsights": "^2.1.4",
     "async": "^3.2.3",
+    "boxen": "^5.0.1",
     "chalk": "^4.1.2",
     "chokidar": "applandinc/chokidar#fix/new-file-new-directory-race-on-linux",
     "cli-progress": "^3.11.0",
     "conf": "^10.0.2",
     "form-data": "^4.0.0",
     "glob": "7.2.3",
+    "inquirer": "^8.1.2",
     "js-yaml": "^4.1.0",
     "lru-cache": "^6.0.0",
     "minimatch": "^3.0.4",