@contrast/agent 4.12.2 → 4.14.0

package/lib/assess/propagators/path/common.js

@@ -59,23 +59,31 @@ function splitString(str, win32) {
  * @param {number} offset offset of full arg from result of path.resolve
  * @param {string} segment path segment from one of the args to path.resolve
  */
-function getSegmentOffset({ str, evaluator }, offset, segment, win32) {
+// eslint-disable-next-line complexity
+function getSegmentOffset({ meta: { str, evaluator }, offset, segment, win32, validateAgainstResult }) {
   // as the segments in each arg and in the result get traversed,
   // winnow away the string to ensure we are finding the proper
   // segment within the path
   const substr = str.substring(offset);
-  let segmentOffset = substr.indexOf(segment);
+  const { sep } = path[win32 ? 'win32' : 'posix'];
+  let segmentOffset;
+  // Sometimes the segment starts with a separator, but the path method removes the initial separator if the path is not absolute
+  if (validateAgainstResult && segment.startsWith(sep) && offset == 0 && !['\\', '/', '.'].includes(substr[0]) && !['\\', '/'].includes(segment)) {
+    segment = segment.slice(1);
+  }
+  segmentOffset = substr.indexOf(segment);
+
   // If tracking separators, evaluator will fail on extensions
   if (substr === `.${segment}`) {
-    return segmentOffset + offset;
+    return { offset: segmentOffset + offset, value: segment };
   }
+
   // Adjust offset if the segment does not start with a separator
-  const { sep } = path[win32 ? 'win32' : 'posix'];
   if (substr.startsWith(sep) && !segment.startsWith(sep)) {
     segmentOffset--;
   }
 
-  return evaluator(segmentOffset) ? segmentOffset + offset : -1;
+  return { offset: evaluator(segmentOffset) ? segmentOffset + offset : -1, value: segment };
 }
 
 /**
@@ -215,15 +223,19 @@ function filterSegmentsAndCalculateOffset(
         additionalOffset = hasChange ? (sepAdded ? 1 : -1) : 0;
       }
 
-      const offset = getSegmentOffset(
-        resultMeta,
-        accumulator.offset + additionalOffset + accumulator.fileDotSeparator,
+
+      const validatedSegment = getSegmentOffset({
+        meta: resultMeta,
+        offset: accumulator.offset + additionalOffset + accumulator.fileDotSeparator,
         segment,
-        win32
-      );
+        win32,
+        validateAgainstResult: true
+      });
+
+      const { offset: segmentOffset, value: segmentValue } = validatedSegment;
 
       // no reason to proceed if segment is not in final result
-      if (offset === -1) {
+      if (segmentOffset === -1) {
         if (hasChange) {
           additionalOffset = 0;
           accumulator.isModified = false;
@@ -233,12 +245,11 @@ function filterSegmentsAndCalculateOffset(
       }
 
       // in case we have a file we need to increment the offset
-      if (resultMeta.str[offset + segment.length] === '.') {
+      if (resultMeta.str[segmentOffset + segmentValue.length] === '.') {
         accumulator.fileDotSeparator = 1;
       }
-
-      validSegments.push(segment);
-      accumulator.offset = calculateNewOffset(accumulator.offset, segment);
+      validSegments.push(validatedSegment);
+      accumulator.offset = calculateNewOffset(accumulator.offset, segmentValue);
       accumulator.isModified = true;
 
       return accumulator;
@@ -280,26 +291,20 @@ function adjustTagsToPart(resultMeta, argMeta, win32, data, index) {
   resultMeta.offset += additionalOffset;
 
   return segments.reduce((newTags, segment) => {
-    const offset = getSegmentOffset(
-      resultMeta,
-      resultMeta.offset,
-      segment,
-      win32
-    );
-
-    const argOffset = getSegmentOffset(argMeta, argMeta.offset, segment, win32);
+    const { offset, value: segmentValue } = segment;
+    const { offset: argOffset } = getSegmentOffset({ meta: argMeta, offset: argMeta.offset, segment: segmentValue, win32, validateAgainstResult: false });
 
     // updating the offset
-    resultMeta.offset = calculateNewOffset(resultMeta.offset, segment);
-    argMeta.offset = calculateNewOffset(argMeta.offset, segment);
+    resultMeta.offset = calculateNewOffset(resultMeta.offset, segmentValue);
+    argMeta.offset = calculateNewOffset(argMeta.offset, segmentValue);
 
     // in case we have a file we need to increment the offset
-    if (resultMeta.str[offset + segment.length] === '.') {
+    if (resultMeta.str[offset + segment.value.length] === '.') {
       resultMeta.offset += 1;
     }
 
     tagRanges.forEach((tag) => {
-      if (!isWithinTag(segment, argOffset, tag)) return;
+      if (!isWithinTag(segmentValue, argOffset, tag)) return;
 
       const start = adjustStart({
         tag,
@@ -310,7 +315,7 @@ function adjustTagsToPart(resultMeta, argMeta, win32, data, index) {
         tag,
         argOffset,
         offset,
-        segment
+        segment: segmentValue
       });
 
       newTags.push(new TagRange(start, stop, tag.tag));
@@ -327,6 +332,7 @@ function propagate({ resultMeta, data, win32 }) {
 
   data.args.forEach((arg, index) => {
     const argData = tracker.getData(arg);
+
     maybeUpdateResultMeta({ resultMeta, index, arg });
 
     const argMeta = {
@@ -354,7 +360,10 @@ function propagate({ resultMeta, data, win32 }) {
 }
 
 function getResultMeta(data, method) {
-  const offset = path.win32.isAbsolute(data.args[0]) ? 0 : process.cwd().length;
+  let offset = 0;
+  if (method === 'resolve' && !path.win32.isAbsolute(data.args[0])) {
+    offset = process.cwd().length;
+  }
 
   return {
     method: `path.${method}`,

package/lib/assess/propagators/path/resolve.js

@@ -19,6 +19,7 @@ const patcher = require('../../../hooks/patcher');
 const { PATCH_TYPES } = require('../../../constants');
 const { propagate, absolutePath, getResultMeta } = require('./common');
 
+
 /**
  * Entry point to propagator provider
  * This instruments path.resolve on

package/lib/assess/propagators/sequelize/utils.js

@@ -30,8 +30,7 @@ module.exports.isTracked = function isTracked(value) {
  * Function to get sql-string export. Caches the export on first call.
  */
 module.exports.getSequelizeString = function() {
-  // eslint-disable-next-line node/no-unpublished-require
-  const data = require('sequelize/lib/sql-string');
+  const data = require('sequelize/lib/sql-string'); // eslint-disable-line node/no-unpublished-require
   module.exports.getSequelizeString = () => data;
   return data;
 };

package/lib/assess/propagators/v8/init-hooks.js

@@ -14,7 +14,6 @@ Copyright: 2022 Contrast Security, Inc
 */
 'use strict';
 
-// eslint-disable-next-line no-unused-vars
 const logger = require('../../../core/logger')('contrast:v8:propagator');
 const tracker = require('../../../tracker');
 const patcher = require('../../../hooks/patcher');

package/lib/assess/sinks/dynamo.js

@@ -23,15 +23,20 @@ const ruleId = 'nosql-injection-dynamodb';
 const disallowedTags = [
   'limited-chars',
   'alphanum-space-hyphen',
-  'string-type-checked'
+  'string-type-checked',
 ];
 const requiredTags = ['untrusted'];
 const moduleName = 'aws-sdk';
-const relevantKeys = [
-  'ExpressionAttributeValues',
-  'ExclusiveStartKey',
-  'ScanFilter'
-];
+const moduleNameV3 = '@aws-sdk/client-dynamodb';
+const relevantKeys = {
+  v2: ['ExpressionAttributeValues', 'ExclusiveStartKey', 'ScanFilter'],
+  v3: [
+    'ComparisonOperator',
+    'FilterExpression',
+    'ProjectionExpression',
+    'ScanFilter',
+  ],
+};
 const requests = new WeakSet();
 
 // map data types to methods for extracting
@@ -46,24 +51,27 @@ const dataTypes = {
   M: 'object',
   L: 'collection',
   NULL: 'value',
-  BOOL: 'value'
+  BOOL: 'value',
 };
 
 /**
  * Extracts all values from either a dynamo document client or client
  *
  * @param {Object} payload dynamo scan payload
- * @param {string} mode client or docClient
+ * @param {string} mode client, docClient or command (for aws sdk v3)
+ * @param {string} version DynamoDB SDK version
  * @return {Array} all string values from payload
  */
-function extractValues(payload = {}, mode) {
+function extractValues(payload = {}, mode = null, version = 'v2') {
   return _.flatten(
-    relevantKeys.map((key) => {
+    relevantKeys[version].map((key) => {
+      if (payload[key] === undefined) return;
+      if (typeof payload[key] === 'string') return payload[key];
       const values = _.values(payload[key]);
       const extractionMethod =
         mode === 'client' ? findTypedValues.bind(this) : findValues.bind(this);
       return _.flattenDeep(extractionMethod(values));
-    })
+    }),
   );
 }
 
@@ -76,7 +84,7 @@ function extractValues(payload = {}, mode) {
  */
 function findTypedValues(values) {
   return _.map(values, (value) => {
-    const type = Object.keys(value)[0];
+    const [type] = Object.keys(value);
     switch (dataTypes[type]) {
       case 'value':
         return value[type];
@@ -106,13 +114,13 @@ function notTrackable(value) {
 }
 
 /**
- * Extracts all strings from a dynanmo document client payload
+ * Extracts all strings from a dynamo document client payload
  *
  * Note: There are other data types dynamo supports
- * to cast to AttributeValue types but we currently
+ * to cast to AttributeValue types, but we currently
  * do not track null, Boolean, Number, Buffer(a few types here)
  *
- * @param {Object} values for all keys in ExpressionAttributeValues, ExclusiveStartKey or ScanFilter
+ * @param {Object} values for all keys in relevant properties
  * @return {Array} all values
  */
 function findValues(values) {
@@ -138,7 +146,7 @@ module.exports = ({ common }) => {
   /**
    * Registers the hooks for client and document client scan
    */
-  dynamoSink.handle = function() {
+  dynamoSink.handle = function () {
     moduleHook.resolve({ name: moduleName }, (aws) => {
       const client = aws.DynamoDB.prototype;
 
@@ -160,24 +168,25 @@ module.exports = ({ common }) => {
               return;
             }
 
-            // since this is instrumenting a wrapper we only want to to say the args
+            // since this is instrumenting a wrapper we only want to say the args
             // were the 2nd arg which is the dynamo db payload
             const ctxtData = {
               args: [data.args[1]],
               obj: data.obj,
-              result: data.result
+              result: data.result,
             };
-            const values = extractValues(data.args[1], 'client');
+
+            const values = extractValues(data.args[1], 'client', 'v2');
             dynamoSink.check({
               values,
               methodName: 'DynamoDB.prototype.scan',
-              data: ctxtData
+              data: ctxtData,
             });
           }
-        }
+        },
       });
-      // DocumentClient added in aws-sdk 2.2.  Some customers still on more
-      // ancient versions
+
+      // DocumentClient added in aws-sdk 2.2.
       if (aws.DynamoDB.DocumentClient) {
         const docClient = aws.DynamoDB.DocumentClient.prototype;
         /**
@@ -192,32 +201,58 @@ module.exports = ({ common }) => {
             if (data.args[0] === 'scan') {
               requests.add(data.args[1]);
             }
-          }
+          },
         });
 
         patcher.patch(docClient, 'scan', {
           name: 'aws-sdk.DynamoDB.DocumentClient.prototype',
           patchType: PATCH_TYPES.ASSESS_SINK,
           post(data) {
-            const values = extractValues(data.args[0], 'docClient');
+            const values = extractValues(data.args[0], 'docClient', 'v2');
             dynamoSink.check({
               values,
               methodName: 'DynamoDB.DocumentClient.prototype.scan',
-              data
+              data,
             });
-          }
+          },
         });
       }
     });
 
+    moduleHook.resolve({ name: moduleNameV3 }, (aws) => {
+      const client = aws.DynamoDBClient.prototype;
+
+      patcher.patch(client, 'send', {
+        name: `${moduleNameV3}.ScanCommand.prototype`,
+        patchType: PATCH_TYPES.ASSESS_SINK,
+        alwaysRun: true,
+        post(data) {
+          if (!AsyncStorage.getContext()) return;
+
+          if (data.args[0] instanceof aws.ScanCommand) {
+            const values = extractValues(
+              data.args[0].input,
+              'docClient',
+              'v3',
+            ).filter(Boolean);
+            dynamoSink.check({
+              data,
+              values,
+              methodName: 'DynamoDBClient.ScanCommand',
+            });
+          }
+        },
+      });
+    });
+
     return dynamoSink;
   };
 
-  dynamoSink.check = function({ data, values, methodName }) {
+  dynamoSink.check = function ({ data, values, methodName }) {
     const vulnerableString = _.compact(
       values.map((input) =>
-        isVulnerable({ disallowedTags, requiredTags, input })
-      )
+        isVulnerable({ disallowedTags, requiredTags, input }),
+      ),
     );
 
     if (vulnerableString.length) {

package/lib/assess/static/hardcoded.js

@@ -22,7 +22,7 @@ const logger = require('../../core/logger')('contrast:rules:static');
 const _ = require('lodash');
 const generate = require('@babel/generator').default;
 const { createHash } = require('../../util/trace-util');
-const natives = process.binding('natives'); // eslint-disable-line node/no-deprecated-api
+const natives = process.binding('natives');
 
 module.exports = ({ agent }) => {
   const rule = {};
@@ -62,8 +62,8 @@ module.exports = ({ agent }) => {
       hash: createHash([ruleId, filename, lineNum]),
       // some empty props required for backwards compatibility
       props: {
-        value: "''", // eslint-disable-line
-        signature: "''", // eslint-disable-line
+        value: "''",
+        signature: "''",
         access: 1,
         name,
         className: '""',

package/lib/assess/static/read-findings-from-cache.js

@@ -0,0 +1,40 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const agentEmitter = require('../../agent-emitter');
+const logger = require('../../core/logger')('contrast:rules:static');
+const fs = require('fs');
+
+
+module.exports = (agent) => {
+  const cacheDir = agent.getCacheDir();
+
+  if (cacheDir && fs.existsSync(cacheDir)) {
+    try {
+      const { findings } = JSON.parse(fs.readFileSync(`${cacheDir}/contrast-static-findings.json`));
+      if (findings && findings.length) {
+        findings.forEach((finding) => {
+          const { ruleId } = finding;
+          const { source, lineNumber, codeSource } = finding.props;
+          agentEmitter.emit('finding', finding);
+          logger.debug('%s: %s:%d %s', ruleId, source, lineNumber, codeSource);
+        });
+      }
+    } catch {
+      logger.debug('No valid cli-rewriter static findings file found. If you\'ve used cli-rewriter feature static findings will be missing');
+    }
+  }
+};

package/lib/assess/technologies/index.js

@@ -12,17 +12,16 @@ Copyright: 2022 Contrast Security, Inc
   engineered, modified, repackaged, sold, redistributed or otherwise used in a
   way not consistent with the End User License Agreement.
 */
+'use strict';
+
+/*
+  These technologies should also exist in teamserver/teamserver-app/src/main/resources/flowmap/technologies.json
+  Databases and loggers will be listed as "Service", frameworks, templating and transpilers as "Presentation"
+  Transpilers are grouped as "Transpiled JavaScript" and templates as "Templating"
+*/
+
 const technologies = {
-  databases: [
-    // mysql
-    'mysql',
-    // postgres
-    'pg',
-    // mongo
-    'mongodb',
-    // rethink
-    'rethinkdb'
-  ],
+  databases: ['mysql', 'pg', 'mongodb', 'rethinkdb'],
   http: [
     '@hapi/hapi',
     'hapi',
@@ -32,16 +31,16 @@ const technologies = {
     'restify',
     'loopback',
     'kraken-js',
-    'sails'
+    'sails',
   ],
   templating: ['jade', 'ejs', 'nunjucks', 'mustache', 'dust', 'handlebars'],
   loggers: ['winston', 'debug'],
   mvc: ['meteor'],
-  transpilers: ['babel', 'escodegen'] // XXX is this necessary?
+  transpilers: ['babel', 'escodegen'],
 };
 
 let all = [];
-Object.keys(technologies).forEach(function(type) {
+Object.keys(technologies).forEach(function (type) {
   all = all.concat(technologies[type]);
 });
 

package/lib/cli-rewriter/index.js

@@ -26,11 +26,13 @@ const loggerFactory = require('../core/logger');
 const configOptions = require('../core/config/options');
 const configUtil = require('../core/config/util');
 const { ContrastAgent } = require('../agent');
+const agentEmitter = require('../agent-emitter');
 const moduleHelper = require('../hooks/module/helpers');
 const injections = require('../core/rewrite/injections');
 
 const readFile = util.promisify(fs.readFile);
 const LOGGER_NS = 'contrast:cli-rewriter';
+const getType = require('../util/get-file-type');
 
 class CLIRewriter {
   /**
@@ -53,6 +55,7 @@ class CLIRewriter {
     }
 
     this.initAgent();
+    this.initStaticRulesVisitors();
     this.initRewriter();
   }
 
@@ -75,9 +78,10 @@ class CLIRewriter {
     loggerFactory.init(this.config);
 
     const cacheEnabled = this.config.get('agent.node.rewrite_cache.enable');
-    if (!cacheEnabled) {
+    const assessEnabled = this.config.get('assess.enable');
+    if (!cacheEnabled || !assessEnabled) {
       this.logger.error(
-        `fatal configuration error: contrast-transpile requires 'agent.node.rewrite_cache.enable=true'`
+        'fatal configuration error: contrast-transpile requires \'agent.node.rewrite_cache.enable=true\' AND \'assess.enable=true'
       );
       process.exit(1);
     }
@@ -94,9 +98,34 @@ class CLIRewriter {
     this.agent = new ContrastAgent();
     this.agent.config = this.config;
     this.agent.staticVisitors.push(CLIRewriter.requireDetector);
+    this.agent.staticVisitors.push(CLIRewriter.importDetector);
     this.agent.appInfo = new AppInfo(this.entrypoint, this.config);
   }
 
+  initStaticRulesVisitors() {
+    const { logger } = this;
+    const cacheDir = this.agent.getCacheDir();
+    const findingsFilePath = `${cacheDir}/contrast-static-findings.json`;
+    const rule = require('../assess/static/hardcoded')({ agent: this.agent });
+    const policy = require('../assess/policy/non-dataflow-rules.json');
+
+    agentEmitter.on('finding', function writeFindingToAFile (finding) {
+      try {
+        if (!fs.existsSync(findingsFilePath)) {
+          if (!fs.existsSync(cacheDir)) {
+            fs.mkdirSync(cacheDir, { recursive: true });
+          }
+          fs.writeFileSync(findingsFilePath, '{\n"findings":\n[\n');
+        }
+        fs.appendFileSync(`${cacheDir}/contrast-static-findings.json`, `${JSON.stringify(finding)},\n`);
+      } catch (error) {
+        logger.error('Error writing to static findings file. Static finding won\'t be reported. Error: %s', error);
+      }
+    });
+    rule.handle(policy.rules['hardcoded-password'], 'hardcoded-password');
+    rule.handle(policy.rules['hardcoded-key'], 'hardcoded-key');
+  }
+
   /**
    * Loads babel rewriter and utils an initializes them.
    */
@@ -119,9 +148,23 @@ class CLIRewriter {
   async rewrite() {
     const parent = CLIRewriter.getModuleData(this.filename);
     const start = Date.now();
+    const cacheDir = this.agent.getCacheDir();
+    const findingsFilePath = `${cacheDir}/contrast-static-findings.json`;
 
     await this.traverse(this.filename, parent);
 
+    if (fs.existsSync(findingsFilePath)) {
+      try {
+        const findingsFileSize = fs.statSync(findingsFilePath).size;
+        if (findingsFileSize > 20) {
+          fs.truncateSync(findingsFilePath, findingsFileSize - 2);
+        }
+        fs.appendFileSync(findingsFilePath, '\n]\n}');
+      } catch (error) {
+        this.logger.error('Error formatting static findings file. Static findings won\'t be reported. Error: %s', error);
+      }
+    }
+
     this.logger.info('rewriting complete [%ss]', (Date.now() - start) / 1000);
   }
 
@@ -133,13 +176,14 @@ class CLIRewriter {
    * @param {object} parent parent module data
    */
   async traverse(filename, parent) {
-    const fileDependencies = await this.visitDependency(filename);
+    const type = getType(filename);
+    const fileDependencies = await this.visitDependency(filename, type);
 
     return Promise.all(
       fileDependencies.map((request) => {
         try {
           const _filename = Module._resolveFilename(request, parent);
-          if (_filename.endsWith('.js')) {
+          if (_filename.endsWith('.js') || _filename.endsWith('.mjs')) {
             const _parent = CLIRewriter.getModuleData(_filename);
             return this.traverse(_filename, _parent);
           }
@@ -162,7 +206,7 @@ class CLIRewriter {
    * @param {string} filename name of file to rewrite / cache
    * @returns {array[string]} list of the file's dependencies
    */
-  async visitDependency(filename) {
+  async visitDependency(filename, type) {
     if (this.visited.has(filename)) {
       return [];
     }
@@ -170,7 +214,9 @@ class CLIRewriter {
     this.visited.add(filename);
 
     const content = await readFile(filename, 'utf8');
-    const rewriteData = this.rewriter.rewriteFile(content, filename);
+    const rewriteData = this.rewriter.rewriteFile(content, filename, {
+      sourceType: type
+    });
 
     if (rewriteData.code) {
       await moduleHelper.cacheWithSourceMap(this.agent, filename, rewriteData);
@@ -213,6 +259,19 @@ class CLIRewriter {
       }
     }
   }
+
+  /**
+   * Added to agent's static visitors. Runs during rewriting to detect import
+   * calls to discover dependencies.
+   * @param {object} node AST node being visited during rewrite
+   * @param {string} filename file being rewritten
+   * @param {object} state rewriter state
+   */
+  static importDetector(node, filename, state) {
+    if (node.type === 'ImportDeclaration') {
+      state.deps.push(node.source.extra.rawValue);
+    }
+  }
 }
 
 /**