@contrast/agent 4.13.1 → 4.14.0

package/lib/assess/policy/propagators.json

@@ -13,7 +13,7 @@
       "source": "P",
       "target": "R",
       "command": {
-         "type": "all"
+        "type": "all"
       }
     },
     "url.domainToUnicode": {
@@ -21,7 +21,7 @@
       "source": "P",
       "target": "R",
       "command": {
-         "type": "all"
+        "type": "all"
       }
     },
     "joi": {
@@ -65,6 +65,15 @@
         "type": "all"
       }
     },
+    "mysql2/lib/connection.Connection.escape": {
+      "enabled": true,
+      "source": "P",
+      "target": "R",
+      "tags": ["sql-encoded"],
+      "command": {
+        "type": "all"
+      }
+    },
     "mustache.escape": {
       "enabled": true,
       "provider": "./propagators/mustache/escape.js"
@@ -347,8 +356,8 @@
     },
     "process.__add": {
       "enabled": true,
-      "source":"P",
-      "target":"R",
+      "source": "P",
+      "target": "R",
       "command": {
         "type": "append"
       }

package/lib/assess/policy/rules.json

@@ -388,6 +388,48 @@
             ]
           }
         },
+        "mysql2/lib/connection.Connection.query": {
+          "type": "dataflow",
+          "enabled": true,
+          "conditions": {
+            "mode": "or",
+            "args": [
+              {
+                "index": 0,
+                "requiredTags": ["untrusted"],
+                "disallowedTags": ["sql-encoded", "limited-chars"]
+              },
+              {
+                "index": 0,
+                "depth": 1,
+                "exclusiveKeys": ["sql"],
+                "requiredTags": ["untrusted"],
+                "disallowedTags": ["sql-encoded", "limited-chars"]
+              }
+            ]
+          }
+        },
+        "mysql2/lib/connection.Connection.execute": {
+          "type": "dataflow",
+          "enabled": true,
+          "conditions": {
+            "mode": "or",
+            "args": [
+              {
+                "index": 0,
+                "requiredTags": ["untrusted"],
+                "disallowedTags": ["sql-encoded", "limited-chars"]
+              },
+              {
+                "index": 0,
+                "depth": 1,
+                "exclusiveKeys": ["sql"],
+                "requiredTags": ["untrusted"],
+                "disallowedTags": ["sql-encoded", "limited-chars"]
+              }
+            ]
+          }
+        },
         "pg.Connection.prototype.query": {
           "type": "dataflow",
           "enabled": true,

package/lib/assess/policy/signatures.json

@@ -171,6 +171,24 @@
       "methodName": "prototype.query",
       "isModule": true
     },
+    "mysql2/lib/connection.Connection.escape": {
+      "moduleName": "mysql2",
+      "fileName": "lib/connection.js",
+      "methodName": "prototype.escape",
+      "isModule": true
+    },
+    "mysql2/lib/connection.Connection.query": {
+      "moduleName": "mysql2",
+      "fileName": "lib/connection.js",
+      "methodName": "prototype.query",
+      "isModule": true
+    },
+    "mysql2/lib/connection.Connection.execute": {
+      "moduleName": "mysql2",
+      "fileName": "lib/connection.js",
+      "methodName": "prototype.execute",
+      "isModule": true
+    },
     "sequelize.prototype.query": {
       "moduleName": "sequelize",
       "version": ">=5.0.0",

package/lib/assess/propagators/joi/any.js

@@ -32,7 +32,7 @@ requireHook.resolve(
       patchType: ASSESS_PROPAGATOR,
       alwaysRun: true,
       post(data) {
-        if (!agent.config.agent.trust_custom_validators) return;
+        if (!agent.config.assess.trust_custom_validators) return;
 
         if (data.result && typeof data.result === 'string') {
           tracker.untrack(data.result);

package/lib/assess/propagators/joi/object.js

@@ -49,7 +49,7 @@ requireHook.resolve(
       patchType: ASSESS_PROPAGATOR,
       alwaysRun: true,
       post(data) {
-        if (!agent.config.agent.trust_custom_validators) return;
+        if (!agent.config.assess.trust_custom_validators) return;
 
         data.result.then((result) =>
           traverseObjectAndUntrack(data.obj, data.args[0], result),

package/lib/assess/propagators/joi/string-base.js

@@ -26,6 +26,12 @@ const TagRange = require('../../models/tag-range');
 const tagRangeUtil = require('../../models/tag-range/util');
 const agent = require('../../../agent');
 
+const areThereRules = (obj) =>
+  obj &&
+  obj.schema &&
+  Array.isArray(obj.schema._rules) &&
+  obj.schema._rules.length > 0;
+
 /**
  * Patch joi.string.validate so that it tags input with string-type-checked if validated
  * @param {Object} string
@@ -38,11 +44,18 @@ function instrumentJoiString(string) {
       patchType: ASSESS_PROPAGATOR,
       post(data) {
         const trackingData = tracker.getData(data.args[0]);
+        if (
+          areThereRules(data.args[1]) &&
+          data.args[1].schema._rules.find((rule) => rule.name === 'pattern') &&
+          !agent.config.assess.trust_custom_validators
+        )
+          return;
+
         if (data.result === undefined && trackingData) {
           const { event } = trackingData;
           trackingData.tagRanges = tagRangeUtil.add(
             trackingData.tagRanges,
-            new TagRange(0, data.args[0].length - 1, 'string-type-checked'),
+            new TagRange(0, data.args[0].length - 1, 'string-type-checked')
           );
           trackingData.event = new PropagationEvent({
             context: new CallContext(data),
@@ -63,7 +76,7 @@ function instrumentJoiString(string) {
     post(data) {
       if (
         !data.obj.$_terms.externals.length ||
-        !agent.config.agent.trust_custom_validators
+        !agent.config.assess.trust_custom_validators
       )
         return;
 
@@ -77,5 +90,5 @@ function instrumentJoiString(string) {
 
 requireHook.resolve(
   { name: 'joi', file: 'lib/types/string.js', version: '>=17.0.0' },
-  instrumentJoiString,
+  instrumentJoiString
 );

package/lib/assess/propagators/mongoose/map.js

@@ -52,7 +52,7 @@ requireHook.resolve(
   (SchemaMap) => {
     if (
       !agent.config ||
-      (agent.config && !agent.config.agent.trust_custom_validators)
+      (agent.config && !agent.config.assess.trust_custom_validators)
     ) {
       return;
     }

package/lib/assess/propagators/mongoose/mixed.js

@@ -61,7 +61,7 @@ requireHook.resolve(
   (SchemaMap) => {
     if (
       !agent.config ||
-      (agent.config && !agent.config.agent.trust_custom_validators)
+      (agent.config && !agent.config.assess.trust_custom_validators)
     ) {
       return;
     }

package/lib/assess/propagators/mongoose/string.js

@@ -101,7 +101,7 @@ requireHook.resolve(
   (SchemaString) => {
     if (
       !agent.config ||
-      (agent.config && !agent.config.agent.trust_custom_validators)
+      (agent.config && !agent.config.assess.trust_custom_validators)
     ) {
       return;
     }

package/lib/core/async-storage/hooks/mysql.js

@@ -16,13 +16,15 @@ Copyright: 2022 Contrast Security, Inc
 
 const logger = require('../../logger')('contrast:async-storage:hooks');
 const { AsyncStorage } = require('../index');
+const { Scopes } = require('../scopes');
 const { ASYNC_CONTEXT } = require('../../../constants').PATCH_TYPES;
 const requireHook = require('../../../hooks/require');
 const patcher = require('../../../hooks/patcher');
+const { bindFnArgAtIndex } = require('./utils');
 
 module.exports = function init() {
   // done only to stub these fns for tests
-  const { patchSequence, patchPool } = module.exports;
+  const { patchSequence, patchPool, patchQuery } = module.exports;
 
   // this callback _must return_ the patched function to set export
   requireHook.resolve(
@@ -36,12 +38,20 @@ module.exports = function init() {
   requireHook.resolve({ name: 'mysql', file: 'lib/Pool.js' }, (Pool) =>
     patchPool(Pool)
   );
+
+  requireHook.resolve(
+    { name: 'mysql2', file: 'lib/commands/query.js' },
+    (Query) => patchQuery(Query)
+  );
 };
 
 module.exports.patchSequence = patchSequence;
 module.exports.sequencePostHook = sequencePostHook;
 module.exports.patchPool = patchPool;
 module.exports.poolPreHook = poolPreHook;
+module.exports.patchQuery = patchQuery;
+module.exports.queryPreHook = queryPreHook;
+module.exports.runInAllowAllScope = runInAllowAllScope;
 
 /**
  * Patches the Sequence constructor which the protocol classes inherit.
@@ -62,12 +72,15 @@ function patchSequence(sequenceCtor) {
  * Typically in a constructor the data.result would be the instance. But mysql
  * has the subclasses e.g. Query, do Sequence.call(this, cb). In this case the
  * data.obj is the instance.
- * @param {object} data.obj sequnce instance
+ * @param {object} data.obj sequence instance
  */
-function sequencePostHook({ obj }) {
+function sequencePostHook({ obj, funcKey: identifier }) {
+  // done only to stub this fn for tests
+  const { runInAllowAllScope } = module.exports;
   try {
     if (obj && obj._callback && typeof obj._callback === 'function') {
-      obj._callback = AsyncStorage.bind(obj._callback);
+      const cb = obj._callback;
+      obj._callback = AsyncStorage.bind(runInAllowAllScope(cb, identifier));
     }
     AsyncStorage.getNamespace().bindEmitter(obj);
   } catch (err) {
@@ -75,6 +88,13 @@ function sequencePostHook({ obj }) {
   }
 }
 
+// Created only for the purpose of testing
+function runInAllowAllScope (cb, identifier) {
+  return function (...args) {
+    return Scopes.runInAllowAllScope(() => cb.call(this, ...args), identifier);
+  };
+}
+
 /**
  * Patches Pool.prototype.getConnection.
  * @param {function} poolCtor Pool constructor fn
@@ -92,12 +112,43 @@ function patchPool(poolCtor) {
  * Binds callback (when present) to cls.
  * @param {object} data.args getConnection arguments
  */
-function poolPreHook({ args }) {
+function poolPreHook({ args, funcKey: identifier }) {
   try {
     if (args.length && typeof args[0] === 'function') {
-      args[0] = AsyncStorage.bind(args[0]);
+      bindFnArgAtIndex({ args, idx: 0, identifier });
     }
   } catch (err) {
     logger.warn('Unable to patch Pool.prototype.getConnection: %o', err);
   }
 }
+
+/**
+ * Patches the Query constructor.
+ * This _must return_ the patched value to set the export in require hook.
+ * @param {function} queryCtor Query constructor fn
+ * @returns {function}
+ */
+function patchQuery(queryCtor) {
+  return patcher.patch(queryCtor, {
+    name: 'mysql2.lib/commands/query.js.Query',
+    patchType: ASYNC_CONTEXT,
+    alwaysRun: true,
+    pre: queryPreHook
+  });
+}
+
+/**
+ * Binds callback (when present) to the context the constructor is called in..
+ * @param {object} data the argument for the preHook
+ * @param {object} data.args the arguments passed to the Query constructor
+ * @param {object} data.funcKey Contrast funcKey identifier for a hooked Query function
+ */
+function queryPreHook({ args, funcKey: identifier }) {
+  try {
+    if (args.length && args[1] && typeof args[1] === 'function') {
+      bindFnArgAtIndex({ args, idx: 1, identifier });
+    }
+  } catch (err) {
+    logger.warn('Unable to patch Query constructor: %o', err);
+  }
+}

package/lib/core/config/options.js

@@ -472,12 +472,6 @@ const agent = [
     fn: parseNum,
     desc: 'set limit for stack trace size (larger limits will improve accuracy but increase memory usage)',
   },
-  {
-    name: 'agent.trust_custom_validators',
-    arg: '<trust-custom-validators>',
-    default: false,
-    desc: `trust incoming strings when they pass custom validators (Mongoose, Joi)`,
-  },
   {
     name: 'agent.traverse_and_track',
     arg: '<traverse-and-track>',
@@ -714,6 +708,12 @@ const assess = [
     fn: castBoolean,
     desc: 'if false, disable assess for this agent. A restart is required to re-enable',
   },
+  {
+    name: 'assess.trust_custom_validators',
+    arg: '<trust-custom-validators>',
+    default: false,
+    desc: 'trust incoming strings when they pass custom validators (Mongoose, Joi)',
+  },
   {
     name: 'assess.enable_preflight',
     arg: '[false]',

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.13.1",
+  "version": "4.14.0",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",
@@ -166,6 +166,7 @@
     "mongoose": "^6.1.1",
     "mustache": "^3.0.1",
     "mysql": "file:test/mock/mysql",
+    "mysql2": "file:test/mock/mysql2",
     "nock": "^12.0.3",
     "node-fetch": "^2.6.7",
     "node-serialize": "file:test/mock/node-serialize",