@contrast/agent 4.12.2 → 4.13.0

package/esm.mjs

@@ -24,45 +24,14 @@ if (enabled) {
 await loader.resetArgs(process.argv[0], process.argv[1]);
 const { readFile } = require('fs').promises;
 
-const path = require('path');
 const agent = require(`./lib/agent.js`);
 const logger = require(`./lib/core/logger/index.js`)('contrast:esm-loaders');
 const rewriter = require(`./lib/core/rewrite/index.js`)(agent);
 const helpers = require(`./lib/hooks/module/helpers.js`);
-const parent = require('parent-package-json');
+const getType = require(`./lib/util/get-file-type.js`);
 
 const loadedFromCache = new Set();
 
-function getType(url) {
-  const {protocol, pathname} = new URL(url);
-
-  let parentType = 'commonjs';
-  try {
-    parentType = parent(pathname).parse().type;
-  } catch (err) {
-    // Node assumes `commonjs ` if there's no `type` set in package.json
-  }
-
-  if (protocol === 'node:') {
-    return 'builtin';
-  }
-  if (protocol === 'file:') {
-    const ext = path.extname(pathname);
-    if (
-      ext === '.mjs' || 
-      (ext === '.js' && parentType === 'module')
-    ){
-        return 'module';
-      } 
-    else if (
-      ext === '.cjs' || 
-      (ext === '.js' && parentType !== 'module')
-    ){
-        return 'commonjs';
-      }
-  }
-  return 'unknown';
-}
 /**
  * The `getSource` hook is used to provide a custom method for retrieving source
  * code. In our case, we check for previously rewritten ESM files in our cache

package/lib/assess/sinks/dynamo.js

@@ -23,15 +23,20 @@ const ruleId = 'nosql-injection-dynamodb';
 const disallowedTags = [
   'limited-chars',
   'alphanum-space-hyphen',
-  'string-type-checked'
+  'string-type-checked',
 ];
 const requiredTags = ['untrusted'];
 const moduleName = 'aws-sdk';
-const relevantKeys = [
-  'ExpressionAttributeValues',
-  'ExclusiveStartKey',
-  'ScanFilter'
-];
+const moduleNameV3 = '@aws-sdk/client-dynamodb';
+const relevantKeys = {
+  v2: ['ExpressionAttributeValues', 'ExclusiveStartKey', 'ScanFilter'],
+  v3: [
+    'ComparisonOperator',
+    'FilterExpression',
+    'ProjectionExpression',
+    'ScanFilter',
+  ],
+};
 const requests = new WeakSet();
 
 // map data types to methods for extracting
@@ -46,24 +51,27 @@ const dataTypes = {
   M: 'object',
   L: 'collection',
   NULL: 'value',
-  BOOL: 'value'
+  BOOL: 'value',
 };
 
 /**
  * Extracts all values from either a dynamo document client or client
  *
  * @param {Object} payload dynamo scan payload
- * @param {string} mode client or docClient
+ * @param {string} mode client, docClient or command (for aws sdk v3)
+ * @param {string} version DynamoDB SDK version
  * @return {Array} all string values from payload
  */
-function extractValues(payload = {}, mode) {
+function extractValues(payload = {}, mode = null, version = 'v2') {
   return _.flatten(
-    relevantKeys.map((key) => {
+    relevantKeys[version].map((key) => {
+      if (payload[key] === undefined) return;
+      if (typeof payload[key] === 'string') return payload[key];
       const values = _.values(payload[key]);
       const extractionMethod =
         mode === 'client' ? findTypedValues.bind(this) : findValues.bind(this);
       return _.flattenDeep(extractionMethod(values));
-    })
+    }),
   );
 }
 
@@ -76,7 +84,7 @@ function extractValues(payload = {}, mode) {
  */
 function findTypedValues(values) {
   return _.map(values, (value) => {
-    const type = Object.keys(value)[0];
+    const [type] = Object.keys(value);
     switch (dataTypes[type]) {
       case 'value':
         return value[type];
@@ -106,13 +114,13 @@ function notTrackable(value) {
 }
 
 /**
- * Extracts all strings from a dynanmo document client payload
+ * Extracts all strings from a dynamo document client payload
  *
  * Note: There are other data types dynamo supports
- * to cast to AttributeValue types but we currently
+ * to cast to AttributeValue types, but we currently
  * do not track null, Boolean, Number, Buffer(a few types here)
  *
- * @param {Object} values for all keys in ExpressionAttributeValues, ExclusiveStartKey or ScanFilter
+ * @param {Object} values for all keys in relevant properties
  * @return {Array} all values
  */
 function findValues(values) {
@@ -138,7 +146,7 @@ module.exports = ({ common }) => {
   /**
    * Registers the hooks for client and document client scan
    */
-  dynamoSink.handle = function() {
+  dynamoSink.handle = function () {
     moduleHook.resolve({ name: moduleName }, (aws) => {
       const client = aws.DynamoDB.prototype;
 
@@ -160,24 +168,25 @@ module.exports = ({ common }) => {
               return;
             }
 
-            // since this is instrumenting a wrapper we only want to to say the args
+            // since this is instrumenting a wrapper we only want to say the args
             // were the 2nd arg which is the dynamo db payload
             const ctxtData = {
               args: [data.args[1]],
               obj: data.obj,
-              result: data.result
+              result: data.result,
             };
-            const values = extractValues(data.args[1], 'client');
+
+            const values = extractValues(data.args[1], 'client', 'v2');
             dynamoSink.check({
               values,
               methodName: 'DynamoDB.prototype.scan',
-              data: ctxtData
+              data: ctxtData,
             });
           }
-        }
+        },
       });
-      // DocumentClient added in aws-sdk 2.2.  Some customers still on more
-      // ancient versions
+
+      // DocumentClient added in aws-sdk 2.2.
       if (aws.DynamoDB.DocumentClient) {
         const docClient = aws.DynamoDB.DocumentClient.prototype;
         /**
@@ -192,32 +201,58 @@ module.exports = ({ common }) => {
             if (data.args[0] === 'scan') {
               requests.add(data.args[1]);
             }
-          }
+          },
         });
 
         patcher.patch(docClient, 'scan', {
           name: 'aws-sdk.DynamoDB.DocumentClient.prototype',
           patchType: PATCH_TYPES.ASSESS_SINK,
           post(data) {
-            const values = extractValues(data.args[0], 'docClient');
+            const values = extractValues(data.args[0], 'docClient', 'v2');
             dynamoSink.check({
               values,
               methodName: 'DynamoDB.DocumentClient.prototype.scan',
-              data
+              data,
             });
-          }
+          },
         });
       }
     });
 
+    moduleHook.resolve({ name: moduleNameV3 }, (aws) => {
+      const client = aws.DynamoDBClient.prototype;
+
+      patcher.patch(client, 'send', {
+        name: `${moduleNameV3}.ScanCommand.prototype`,
+        patchType: PATCH_TYPES.ASSESS_SINK,
+        alwaysRun: true,
+        post(data) {
+          if (!AsyncStorage.getContext()) return;
+
+          if (data.args[0] instanceof aws.ScanCommand) {
+            const values = extractValues(
+              data.args[0].input,
+              'docClient',
+              'v3',
+            ).filter(Boolean);
+            dynamoSink.check({
+              data,
+              values,
+              methodName: 'DynamoDBClient.ScanCommand',
+            });
+          }
+        },
+      });
+    });
+
     return dynamoSink;
   };
 
-  dynamoSink.check = function({ data, values, methodName }) {
+  dynamoSink.check = function ({ data, values, methodName }) {
     const vulnerableString = _.compact(
       values.map((input) =>
-        isVulnerable({ disallowedTags, requiredTags, input })
-      )
+        isVulnerable({ disallowedTags, requiredTags, input }),
+      ),
     );
 
     if (vulnerableString.length) {

package/lib/assess/static/read-findings-from-cache.js

@@ -0,0 +1,40 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const agentEmitter = require('../../agent-emitter');
+const logger = require('../../core/logger')('contrast:rules:static');
+const fs = require('fs');
+
+
+module.exports = (agent) => {
+  const cacheDir = agent.getCacheDir();
+
+  if (cacheDir && fs.existsSync(cacheDir)) {
+    try {
+      const { findings } = JSON.parse(fs.readFileSync(`${cacheDir}/contrast-static-findings.json`));
+      if (findings && findings.length) {
+        findings.forEach((finding) => {
+          const { ruleId } = finding;
+          const { source, lineNumber, codeSource } = finding.props;
+          agentEmitter.emit('finding', finding);
+          logger.debug('%s: %s:%d %s', ruleId, source, lineNumber, codeSource);
+        });
+      }
+    } catch {
+      logger.debug('No valid cli-rewriter static findings file found. If you\'ve used cli-rewriter feature static findings will be missing');
+    }
+  }
+};

package/lib/assess/technologies/index.js

@@ -12,17 +12,16 @@ Copyright: 2022 Contrast Security, Inc
   engineered, modified, repackaged, sold, redistributed or otherwise used in a
   way not consistent with the End User License Agreement.
 */
+'use strict';
+
+/*
+  These technologies should also exist in teamserver/teamserver-app/src/main/resources/flowmap/technologies.json
+  Databases and loggers will be listed as "Service", frameworks, templating and transpilers as "Presentation"
+  Transpilers are grouped as "Transpiled JavaScript" and templates as "Templating"
+*/
+
 const technologies = {
-  databases: [
-    // mysql
-    'mysql',
-    // postgres
-    'pg',
-    // mongo
-    'mongodb',
-    // rethink
-    'rethinkdb'
-  ],
+  databases: ['mysql', 'pg', 'mongodb', 'rethinkdb'],
   http: [
     '@hapi/hapi',
     'hapi',
@@ -32,16 +31,16 @@ const technologies = {
     'restify',
     'loopback',
     'kraken-js',
-    'sails'
+    'sails',
   ],
   templating: ['jade', 'ejs', 'nunjucks', 'mustache', 'dust', 'handlebars'],
   loggers: ['winston', 'debug'],
   mvc: ['meteor'],
-  transpilers: ['babel', 'escodegen'] // XXX is this necessary?
+  transpilers: ['babel', 'escodegen'],
 };
 
 let all = [];
-Object.keys(technologies).forEach(function(type) {
+Object.keys(technologies).forEach(function (type) {
   all = all.concat(technologies[type]);
 });
 

package/lib/cli-rewriter/index.js

@@ -26,11 +26,13 @@ const loggerFactory = require('../core/logger');
 const configOptions = require('../core/config/options');
 const configUtil = require('../core/config/util');
 const { ContrastAgent } = require('../agent');
+const agentEmitter = require('../agent-emitter');
 const moduleHelper = require('../hooks/module/helpers');
 const injections = require('../core/rewrite/injections');
 
 const readFile = util.promisify(fs.readFile);
 const LOGGER_NS = 'contrast:cli-rewriter';
+const getType = require('../util/get-file-type');
 
 class CLIRewriter {
   /**
@@ -53,6 +55,7 @@ class CLIRewriter {
     }
 
     this.initAgent();
+    this.initStaticRulesVisitors();
     this.initRewriter();
   }
 
@@ -75,9 +78,10 @@ class CLIRewriter {
     loggerFactory.init(this.config);
 
     const cacheEnabled = this.config.get('agent.node.rewrite_cache.enable');
-    if (!cacheEnabled) {
+    const assessEnabled = this.config.get('assess.enable');
+    if (!cacheEnabled || !assessEnabled) {
       this.logger.error(
-        `fatal configuration error: contrast-transpile requires 'agent.node.rewrite_cache.enable=true'`
+        'fatal configuration error: contrast-transpile requires \'agent.node.rewrite_cache.enable=true\' AND \'assess.enable=true'
       );
       process.exit(1);
     }
@@ -94,9 +98,34 @@ class CLIRewriter {
     this.agent = new ContrastAgent();
     this.agent.config = this.config;
     this.agent.staticVisitors.push(CLIRewriter.requireDetector);
+    this.agent.staticVisitors.push(CLIRewriter.importDetector);
     this.agent.appInfo = new AppInfo(this.entrypoint, this.config);
   }
 
+  initStaticRulesVisitors() {
+    const { logger } = this;
+    const cacheDir = this.agent.getCacheDir();
+    const findingsFilePath = `${cacheDir}/contrast-static-findings.json`;
+    const rule = require('../assess/static/hardcoded')({ agent: this.agent });
+    const policy = require('../assess/policy/non-dataflow-rules.json');
+
+    agentEmitter.on('finding', function writeFindingToAFile (finding) {
+      try {
+        if (!fs.existsSync(findingsFilePath)) {
+          if (!fs.existsSync(cacheDir)) {
+            fs.mkdirSync(cacheDir, { recursive: true });
+          }
+          fs.writeFileSync(findingsFilePath, '{\n"findings":\n[\n');
+        }
+        fs.appendFileSync(`${cacheDir}/contrast-static-findings.json`, `${JSON.stringify(finding)},\n`);
+      } catch (error) {
+        logger.error('Error writing to static findings file. Static finding won\'t be reported. Error: %s', error);
+      }
+    });
+    rule.handle(policy.rules['hardcoded-password'], 'hardcoded-password');
+    rule.handle(policy.rules['hardcoded-key'], 'hardcoded-key');
+  }
+
   /**
    * Loads babel rewriter and utils an initializes them.
    */
@@ -119,9 +148,23 @@ class CLIRewriter {
   async rewrite() {
     const parent = CLIRewriter.getModuleData(this.filename);
     const start = Date.now();
+    const cacheDir = this.agent.getCacheDir();
+    const findingsFilePath = `${cacheDir}/contrast-static-findings.json`;
 
     await this.traverse(this.filename, parent);
 
+    if (fs.existsSync(findingsFilePath)) {
+      try {
+        const findingsFileSize = fs.statSync(findingsFilePath).size;
+        if (findingsFileSize > 20) {
+          fs.truncateSync(findingsFilePath, findingsFileSize - 2);
+        }
+        fs.appendFileSync(findingsFilePath, '\n]\n}');
+      } catch (error) {
+        this.logger.error('Error formatting static findings file. Static findings won\'t be reported. Error: %s', error);
+      }
+    }
+
     this.logger.info('rewriting complete [%ss]', (Date.now() - start) / 1000);
   }
 
@@ -133,13 +176,14 @@ class CLIRewriter {
    * @param {object} parent parent module data
    */
   async traverse(filename, parent) {
-    const fileDependencies = await this.visitDependency(filename);
+    const type = getType(filename);
+    const fileDependencies = await this.visitDependency(filename, type);
 
     return Promise.all(
       fileDependencies.map((request) => {
         try {
           const _filename = Module._resolveFilename(request, parent);
-          if (_filename.endsWith('.js')) {
+          if (_filename.endsWith('.js') || _filename.endsWith('.mjs')) {
             const _parent = CLIRewriter.getModuleData(_filename);
             return this.traverse(_filename, _parent);
           }
@@ -162,7 +206,7 @@ class CLIRewriter {
    * @param {string} filename name of file to rewrite / cache
    * @returns {array[string]} list of the file's dependencies
    */
-  async visitDependency(filename) {
+  async visitDependency(filename, type) {
     if (this.visited.has(filename)) {
       return [];
     }
@@ -170,7 +214,9 @@ class CLIRewriter {
     this.visited.add(filename);
 
     const content = await readFile(filename, 'utf8');
-    const rewriteData = this.rewriter.rewriteFile(content, filename);
+    const rewriteData = this.rewriter.rewriteFile(content, filename, {
+      sourceType: type
+    });
 
     if (rewriteData.code) {
       await moduleHelper.cacheWithSourceMap(this.agent, filename, rewriteData);
@@ -213,6 +259,19 @@ class CLIRewriter {
       }
     }
   }
+
+  /**
+   * Added to agent's static visitors. Runs during rewriting to detect import
+   * calls to discover dependencies.
+   * @param {object} node AST node being visited during rewrite
+   * @param {string} filename file being rewritten
+   * @param {object} state rewriter state
+   */
+  static importDetector(node, filename, state) {
+    if (node.type === 'ImportDeclaration') {
+      state.deps.push(node.source.extra.rawValue);
+    }
+  }
 }
 
 /**

package/lib/core/config/options.js

@@ -411,6 +411,12 @@ const agent = [
     fn: castBoolean,
     desc: 'do agent-native input analysis prior to any external analysis',
   },
+  {
+    name: 'agent.node.analysis_log_dir',
+    arg: '<path>',
+    default: '.',
+    desc: 'directory to use for the native input analysis log file'
+  },
   {
     name: 'agent.node.unsafe.deadzones',
     arg: '<modules>',

package/lib/core/config/util.js

@@ -15,6 +15,7 @@ Copyright: 2022 Contrast Security, Inc
 'use strict';
 const _ = require('lodash');
 
+const os = require('os');
 const process = require('process');
 const path = require('path');
 const fs = require('fs');
@@ -24,7 +25,6 @@ const stringify = require('json-stable-stringify');
 const common = require('./options');
 const configOptions = common.options;
 const { configPathEnvVars } = common;
-const fileFinder = require('../../util/file-finder');
 const util = module.exports;
 
 /**
@@ -143,37 +143,23 @@ class Config {
 
 /**
  * Find location of config given options and name of config file
- * @param {Object} cliOptions
- * @param {string} cliOptions.script
- * @param {string} filename
  * @return {string|void} path, if valid
  */
-function checkConfigPath({ script }, filename) {
-  const configDir =
-    require('os').platform() === 'win32'
-      ? `${process.env['ProgramData']}\\contrast`
-      : '/etc/contrast';
-  const guesses = [
-    // try to find in cwd
-    { dir: process.cwd(), attempts: 1 },
-
-    // try to find in /etc/contrast/.. or %ProgramData%\contrast\..
-    { dir: configDir, attempts: 1 },
-
-    // The directory of the application under test such as node_modules/mocha/bin or server.
-    { dir: path.dirname(script) },
-
-    // The directory of this Contrast agent module, assuming it
-    // came packaged with an enterprise-wide contrast.json.
-    { dir: path.resolve(__dirname, '..', '..'), attempts: 1 }
-  ];
-
-  for (const guess of guesses) {
-    const configPath = fileFinder.findFile(guess.dir, filename, guess.attempts);
-    if (configPath) return configPath;
+function checkConfigPath() {
+  const configDir = os.platform() === 'win32'
+    ? `${process.env['ProgramData']}\\contrast`
+    : '/etc/contrast';
+
+  for (const dir of [process.cwd(), configDir]) {
+    const checkPath = path.resolve(dir, 'contrast_security.yaml');
+    if (fs.existsSync(checkPath)) {
+      return checkPath;
+    }
   }
+  return;
 }
 
+
 /**
  * @param {Object} cliOptions
  * @param {string} cliOptions.script
@@ -185,11 +171,7 @@ function getConfigPath(cliOptions) {
     cliOptions.configFile ||
     process.env[configPathEnvVars.path] ||
     process.env[configPathEnvVars.deprecated] ||
-    checkConfigPath(cliOptions, 'contrast_security.yaml') ||
-    checkConfigPath(cliOptions, 'contrast_security.yml') ||
-    checkConfigPath(cliOptions, 'contrast.yaml') ||
-    checkConfigPath(cliOptions, 'contrast.yml') ||
-    checkConfigPath(cliOptions, 'contrast.json')
+    checkConfigPath()
   );
 }
 
@@ -312,7 +294,7 @@ function mergeCliOptions(cliOptions, logger) {
     // set from default
     if (value === undefined) {
       if (required) {
-        logger.error(`Missing required option '%s'`, name);
+        logger.error('Missing required option \'%s\'', name);
         return options;
       }
 

package/lib/core/exclusions/input.js

@@ -29,7 +29,8 @@ const generalizedInputTypes = {
   [INPUT_TYPES.COOKIE_VALUE]: EXCLUSION_INPUT_TYPES.COOKIE,
   [INPUT_TYPES.HEADER]: EXCLUSION_INPUT_TYPES.HEADER,
   [INPUT_TYPES.PARAMETER_NAME]: EXCLUSION_INPUT_TYPES.PARAMETER,
-  [INPUT_TYPES.PARAMETER_VALUE]: EXCLUSION_INPUT_TYPES.PARAMETER
+  [INPUT_TYPES.PARAMETER_VALUE]: EXCLUSION_INPUT_TYPES.PARAMETER,
+  [INPUT_TYPES.URL_PARAMETER]: EXCLUSION_INPUT_TYPES.PARAMETER
 };
 const { BODY, PARAMETER, QUERYSTRING } = EXCLUSION_INPUT_TYPES;
 
@@ -47,6 +48,10 @@ class InputExclusion extends UrlExclusion {
     this.inputName = dtm.inputName;
   }
 
+  shouldExclude(ruleId, type, name) {
+    return this.appliesToProtectRule(ruleId) && this.appliesToInputType(type) && this.matches(name);
+  }
+
   appliesToInputType(type) {
     return (
       this.inputType === InputExclusion.generalizeInputType(type) ||

package/lib/core/express/index.js

@@ -237,7 +237,7 @@ class ExpressFramework {
 
     if (!app || !app.defaultConfiguration) {
       logger.error(
-        `non-express application mistakenly registered`,
+        'non-express application mistakenly registered',
         new Error().stack,
       );
       return;
@@ -336,9 +336,7 @@ class ExpressFramework {
     }, 'textParser');
 
     this.useAfter(function ContrastBodyParsed(req, res, next) {
-      agentEmitter.emit(EVENTS.BODY_PARSED, req, res, {
-        type: INPUT_TYPES.BODY,
-      });
+      agentEmitter.emit(EVENTS.BODY_PARSED, req, res, INPUT_TYPES.BODY);
       next();
     }, 'urlencodedParser');