@contrast/agent 4.13.1 → 4.15.1

package/bin/VERSION

@@ -1 +1 @@
-2.28.17
+2.28.19

package/lib/assess/policy/propagators.json

@@ -13,7 +13,7 @@
       "source": "P",
       "target": "R",
       "command": {
-         "type": "all"
+        "type": "all"
       }
     },
     "url.domainToUnicode": {
@@ -21,7 +21,7 @@
       "source": "P",
       "target": "R",
       "command": {
-         "type": "all"
+        "type": "all"
       }
     },
     "joi": {
@@ -65,6 +65,15 @@
         "type": "all"
       }
     },
+    "mysql2/lib/connection.Connection.escape": {
+      "enabled": true,
+      "source": "P",
+      "target": "R",
+      "tags": ["sql-encoded"],
+      "command": {
+        "type": "all"
+      }
+    },
     "mustache.escape": {
       "enabled": true,
       "provider": "./propagators/mustache/escape.js"
@@ -347,8 +356,8 @@
     },
     "process.__add": {
       "enabled": true,
-      "source":"P",
-      "target":"R",
+      "source": "P",
+      "target": "R",
       "command": {
         "type": "append"
       }

package/lib/assess/policy/rules.json

@@ -388,6 +388,48 @@
             ]
           }
         },
+        "mysql2/lib/connection.Connection.query": {
+          "type": "dataflow",
+          "enabled": true,
+          "conditions": {
+            "mode": "or",
+            "args": [
+              {
+                "index": 0,
+                "requiredTags": ["untrusted"],
+                "disallowedTags": ["sql-encoded", "limited-chars"]
+              },
+              {
+                "index": 0,
+                "depth": 1,
+                "exclusiveKeys": ["sql"],
+                "requiredTags": ["untrusted"],
+                "disallowedTags": ["sql-encoded", "limited-chars"]
+              }
+            ]
+          }
+        },
+        "mysql2/lib/connection.Connection.execute": {
+          "type": "dataflow",
+          "enabled": true,
+          "conditions": {
+            "mode": "or",
+            "args": [
+              {
+                "index": 0,
+                "requiredTags": ["untrusted"],
+                "disallowedTags": ["sql-encoded", "limited-chars"]
+              },
+              {
+                "index": 0,
+                "depth": 1,
+                "exclusiveKeys": ["sql"],
+                "requiredTags": ["untrusted"],
+                "disallowedTags": ["sql-encoded", "limited-chars"]
+              }
+            ]
+          }
+        },
         "pg.Connection.prototype.query": {
           "type": "dataflow",
           "enabled": true,

package/lib/assess/policy/signatures.json

@@ -171,6 +171,24 @@
       "methodName": "prototype.query",
       "isModule": true
     },
+    "mysql2/lib/connection.Connection.escape": {
+      "moduleName": "mysql2",
+      "fileName": "lib/connection.js",
+      "methodName": "prototype.escape",
+      "isModule": true
+    },
+    "mysql2/lib/connection.Connection.query": {
+      "moduleName": "mysql2",
+      "fileName": "lib/connection.js",
+      "methodName": "prototype.query",
+      "isModule": true
+    },
+    "mysql2/lib/connection.Connection.execute": {
+      "moduleName": "mysql2",
+      "fileName": "lib/connection.js",
+      "methodName": "prototype.execute",
+      "isModule": true
+    },
     "sequelize.prototype.query": {
       "moduleName": "sequelize",
       "version": ">=5.0.0",

package/lib/assess/propagators/joi/any.js

@@ -32,7 +32,7 @@ requireHook.resolve(
       patchType: ASSESS_PROPAGATOR,
       alwaysRun: true,
       post(data) {
-        if (!agent.config.agent.trust_custom_validators) return;
+        if (!agent.config.assess.trust_custom_validators) return;
 
         if (data.result && typeof data.result === 'string') {
           tracker.untrack(data.result);

package/lib/assess/propagators/joi/object.js

@@ -49,7 +49,7 @@ requireHook.resolve(
       patchType: ASSESS_PROPAGATOR,
       alwaysRun: true,
       post(data) {
-        if (!agent.config.agent.trust_custom_validators) return;
+        if (!agent.config.assess.trust_custom_validators) return;
 
         data.result.then((result) =>
           traverseObjectAndUntrack(data.obj, data.args[0], result),

package/lib/assess/propagators/joi/string-base.js

@@ -26,6 +26,12 @@ const TagRange = require('../../models/tag-range');
 const tagRangeUtil = require('../../models/tag-range/util');
 const agent = require('../../../agent');
 
+const areThereRules = (obj) =>
+  obj &&
+  obj.schema &&
+  Array.isArray(obj.schema._rules) &&
+  obj.schema._rules.length > 0;
+
 /**
  * Patch joi.string.validate so that it tags input with string-type-checked if validated
  * @param {Object} string
@@ -38,11 +44,18 @@ function instrumentJoiString(string) {
       patchType: ASSESS_PROPAGATOR,
       post(data) {
         const trackingData = tracker.getData(data.args[0]);
+        if (
+          areThereRules(data.args[1]) &&
+          data.args[1].schema._rules.find((rule) => rule.name === 'pattern') &&
+          !agent.config.assess.trust_custom_validators
+        )
+          return;
+
         if (data.result === undefined && trackingData) {
           const { event } = trackingData;
           trackingData.tagRanges = tagRangeUtil.add(
             trackingData.tagRanges,
-            new TagRange(0, data.args[0].length - 1, 'string-type-checked'),
+            new TagRange(0, data.args[0].length - 1, 'string-type-checked')
           );
           trackingData.event = new PropagationEvent({
             context: new CallContext(data),
@@ -63,7 +76,7 @@ function instrumentJoiString(string) {
     post(data) {
       if (
         !data.obj.$_terms.externals.length ||
-        !agent.config.agent.trust_custom_validators
+        !agent.config.assess.trust_custom_validators
       )
         return;
 
@@ -77,5 +90,5 @@ function instrumentJoiString(string) {
 
 requireHook.resolve(
   { name: 'joi', file: 'lib/types/string.js', version: '>=17.0.0' },
-  instrumentJoiString,
+  instrumentJoiString
 );

package/lib/assess/propagators/mongoose/map.js

@@ -52,7 +52,7 @@ requireHook.resolve(
   (SchemaMap) => {
     if (
       !agent.config ||
-      (agent.config && !agent.config.agent.trust_custom_validators)
+      (agent.config && !agent.config.assess.trust_custom_validators)
     ) {
       return;
     }

package/lib/assess/propagators/mongoose/mixed.js

@@ -61,7 +61,7 @@ requireHook.resolve(
   (SchemaMap) => {
     if (
       !agent.config ||
-      (agent.config && !agent.config.agent.trust_custom_validators)
+      (agent.config && !agent.config.assess.trust_custom_validators)
     ) {
       return;
     }

package/lib/assess/propagators/mongoose/string.js

@@ -101,7 +101,7 @@ requireHook.resolve(
   (SchemaString) => {
     if (
       !agent.config ||
-      (agent.config && !agent.config.agent.trust_custom_validators)
+      (agent.config && !agent.config.assess.trust_custom_validators)
     ) {
       return;
     }

package/lib/assess/propagators/validator/init-hooks.js

@@ -22,6 +22,7 @@ const moduleHook = require('../../../hooks/require');
 const TagRange = require('../../models/tag-range');
 const tagRangeUtil = require('../../models/tag-range/util');
 const { PropagationEvent, Signature, CallContext } = require('../../models');
+const agent = require('../../../agent');
 
 /**
  * this override propagator instruments each of the classes of methods
@@ -88,7 +89,7 @@ module.exports.handle = function() {
       { name: 'validator', file: `lib/${validator}` },
       (index, meta) => {
         function post(data) {
-          if (data.result) {
+          if (data.result && (validator !== 'matches' || (validator === 'matches' && agent.config.assess.trust_custom_validators))) {
             const trackingData = tracker.getData(data.args[0]);
             if (trackingData) {
               tagRangeUtil.addInPlace(

package/lib/assess/propagators/validator/validator-methods.js

@@ -72,7 +72,8 @@ module.exports = {
     isSemVer: 'limited-chars',
     isTaxID: 'limited-chars',
     isUUID: 'alphanum-space-hyphen',
-    isVAT: 'alphanum-space-hyphen'
+    isVAT: 'alphanum-space-hyphen',
+    matches: 'string-type-checked'
   },
   untrackers: [
     // these methods have the tag 'trusted' which the node-agent doesn't support.

package/lib/core/async-storage/hooks/mysql.js

@@ -16,13 +16,15 @@ Copyright: 2022 Contrast Security, Inc
 
 const logger = require('../../logger')('contrast:async-storage:hooks');
 const { AsyncStorage } = require('../index');
+const { Scopes } = require('../scopes');
 const { ASYNC_CONTEXT } = require('../../../constants').PATCH_TYPES;
 const requireHook = require('../../../hooks/require');
 const patcher = require('../../../hooks/patcher');
+const { bindFnArgAtIndex } = require('./utils');
 
 module.exports = function init() {
   // done only to stub these fns for tests
-  const { patchSequence, patchPool } = module.exports;
+  const { patchSequence, patchPool, patchQuery } = module.exports;
 
   // this callback _must return_ the patched function to set export
   requireHook.resolve(
@@ -36,12 +38,20 @@ module.exports = function init() {
   requireHook.resolve({ name: 'mysql', file: 'lib/Pool.js' }, (Pool) =>
     patchPool(Pool)
   );
+
+  requireHook.resolve(
+    { name: 'mysql2', file: 'lib/commands/query.js' },
+    (Query) => patchQuery(Query)
+  );
 };
 
 module.exports.patchSequence = patchSequence;
 module.exports.sequencePostHook = sequencePostHook;
 module.exports.patchPool = patchPool;
 module.exports.poolPreHook = poolPreHook;
+module.exports.patchQuery = patchQuery;
+module.exports.queryPreHook = queryPreHook;
+module.exports.runInAllowAllScope = runInAllowAllScope;
 
 /**
  * Patches the Sequence constructor which the protocol classes inherit.
@@ -62,12 +72,15 @@ function patchSequence(sequenceCtor) {
  * Typically in a constructor the data.result would be the instance. But mysql
  * has the subclasses e.g. Query, do Sequence.call(this, cb). In this case the
  * data.obj is the instance.
- * @param {object} data.obj sequnce instance
+ * @param {object} data.obj sequence instance
  */
-function sequencePostHook({ obj }) {
+function sequencePostHook({ obj, funcKey: identifier }) {
+  // done only to stub this fn for tests
+  const { runInAllowAllScope } = module.exports;
   try {
     if (obj && obj._callback && typeof obj._callback === 'function') {
-      obj._callback = AsyncStorage.bind(obj._callback);
+      const cb = obj._callback;
+      obj._callback = AsyncStorage.bind(runInAllowAllScope(cb, identifier));
     }
     AsyncStorage.getNamespace().bindEmitter(obj);
   } catch (err) {
@@ -75,6 +88,13 @@ function sequencePostHook({ obj }) {
   }
 }
 
+// Created only for the purpose of testing
+function runInAllowAllScope (cb, identifier) {
+  return function (...args) {
+    return Scopes.runInAllowAllScope(() => cb.call(this, ...args), identifier);
+  };
+}
+
 /**
  * Patches Pool.prototype.getConnection.
  * @param {function} poolCtor Pool constructor fn
@@ -92,12 +112,43 @@ function patchPool(poolCtor) {
  * Binds callback (when present) to cls.
  * @param {object} data.args getConnection arguments
  */
-function poolPreHook({ args }) {
+function poolPreHook({ args, funcKey: identifier }) {
   try {
     if (args.length && typeof args[0] === 'function') {
-      args[0] = AsyncStorage.bind(args[0]);
+      bindFnArgAtIndex({ args, idx: 0, identifier });
     }
   } catch (err) {
     logger.warn('Unable to patch Pool.prototype.getConnection: %o', err);
   }
 }
+
+/**
+ * Patches the Query constructor.
+ * This _must return_ the patched value to set the export in require hook.
+ * @param {function} queryCtor Query constructor fn
+ * @returns {function}
+ */
+function patchQuery(queryCtor) {
+  return patcher.patch(queryCtor, {
+    name: 'mysql2.lib/commands/query.js.Query',
+    patchType: ASYNC_CONTEXT,
+    alwaysRun: true,
+    pre: queryPreHook
+  });
+}
+
+/**
+ * Binds callback (when present) to the context the constructor is called in..
+ * @param {object} data the argument for the preHook
+ * @param {object} data.args the arguments passed to the Query constructor
+ * @param {object} data.funcKey Contrast funcKey identifier for a hooked Query function
+ */
+function queryPreHook({ args, funcKey: identifier }) {
+  try {
+    if (args.length && args[1] && typeof args[1] === 'function') {
+      bindFnArgAtIndex({ args, idx: 1, identifier });
+    }
+  } catch (err) {
+    logger.warn('Unable to patch Query constructor: %o', err);
+  }
+}

package/lib/core/config/options.js

@@ -472,12 +472,6 @@ const agent = [
     fn: parseNum,
     desc: 'set limit for stack trace size (larger limits will improve accuracy but increase memory usage)',
   },
-  {
-    name: 'agent.trust_custom_validators',
-    arg: '<trust-custom-validators>',
-    default: false,
-    desc: `trust incoming strings when they pass custom validators (Mongoose, Joi)`,
-  },
   {
     name: 'agent.traverse_and_track',
     arg: '<traverse-and-track>',
@@ -714,6 +708,12 @@ const assess = [
     fn: castBoolean,
     desc: 'if false, disable assess for this agent. A restart is required to re-enable',
   },
+  {
+    name: 'assess.trust_custom_validators',
+    arg: '<trust-custom-validators>',
+    default: false,
+    desc: 'trust incoming strings when they pass custom validators (Mongoose, Joi)',
+  },
   {
     name: 'assess.enable_preflight',
     arg: '[false]',

package/lib/libraries.js

@@ -124,7 +124,7 @@ const getLibInfo = async (agent, eluEnabled) =>
 
       if (!nodeModsPath) {
         logger.error(
-          `unable to read installed dependencies because a node_modules directory could not be detected given a package.json located at %s - use the agent.node.app_root configuration variable if installed in non-standard location`,
+          'unable to read installed dependencies because a node_modules directory could not be detected given a package.json located at %s - use the agent.node.app_root configuration variable if installed in non-standard location',
           agent.appInfo.path
         );
         return AppUpdate.libraries;

package/lib/protect/service.js

@@ -37,6 +37,8 @@ const UserInputKit = require('../reporter/models/utils/user-input-kit');
 const UserInputFactory = require('../reporter/models/utils/user-input-factory');
 const blockRequest = require('../util/block-request');
 
+const evalOptions = { preferWorthWatching: true };
+
 class ProtectService {
   /**
    * Configures the service to use the provided agent.
@@ -196,8 +198,6 @@ class ProtectService {
     }
 
     const arg = {
-      rules,
-      preferWorthWatching: true,
       // header names must be lowercase. should this be done in agent-lib?
       headers: req.rawHeaders.map((h, ix) => (ix & 1 ? h : h.toLowerCase()))
     };
@@ -207,7 +207,7 @@ class ProtectService {
       arg.queries = req.url.slice(questionMark + 1);
     }
 
-    const findings = this.agentLib.scoreRequestConnect(arg);
+    const findings = this.agentLib.scoreRequestConnect(rules, arg, evalOptions);
 
     return findings;
   }
@@ -218,14 +218,12 @@ class ProtectService {
       return {};
     }
     // also, if content-type has multipart...
-    const options = { preferWorthWatching: true };
-
     const bodyBuffer = Buffer.concat(chunks);
 
     const findings = this.agentLib.scoreRequestUnknownBody(
       rules,
       bodyBuffer,
-      options
+      evalOptions
     );
 
     // store body buffer on findings for nosqli sink.
@@ -814,9 +812,9 @@ class ProtectService {
     // for each key, check out the value. the key is set in the code so
     // is not vulnerable.
     for (const key in params) {
-      // items from scoreAtom() are only [{ruleId, score}, ...] because the key
+      // items from scoreAtom() return only [{ruleId, score}, ...] because the key
       // and inputType are already known and there is no path.
-      const items = this.agentLib.scoreAtom(params[key], type, libRules);
+      const items = this.agentLib.scoreAtom(libRules, params[key], type);
       if (!items) {
         continue;
       }
@@ -866,7 +864,7 @@ class ProtectService {
     const filenames = Object.keys(event.data);
 
     for (const filename of filenames) {
-      const items = this.agentLib.scoreAtom(filename, type, libRules);
+      const items = this.agentLib.scoreAtom(libRules, filename, type);
       if (!items) {
         continue;
       }
@@ -900,13 +898,9 @@ class ProtectService {
         queries.unshift(...q); return queries;
       }, []);
 
-    const arg = {
-      rules: rulesMask,
-      preferWorthWatching: true,
-      queries,
-    };
+    const arg = { queries };
 
-    const findings = this.agentLib.scoreRequestConnect(arg);
+    const findings = this.agentLib.scoreRequestConnect(rulesMask, arg, evalOptions);
 
     this.handleAgentLibAnalysis({
       asyncStorageContext: event._ctxt,
@@ -922,11 +916,9 @@ class ProtectService {
       acc.unshift(key, value);
       return acc;
     }, []);
-    const findings = this.agentLib.scoreRequestConnect({
-      preferWorthWatching: true,
-      rules: this.getRulesMask(rules),
-      cookies
-    });
+    const rulesMask = this.getRulesMask(rules);
+    const arg = { cookies };
+    const findings = this.agentLib.scoreRequestConnect(rulesMask, arg, evalOptions);
     this.handleAgentLibAnalysis({
       asyncStorageContext: event._ctxt,
       appContext: {},
@@ -1172,7 +1164,7 @@ class ProtectService {
     const { _type, _value: input } = finding.sample.input;
     const type = this.agentLib.InputType[_type];
 
-    const alFinding = this.agentLib.scoreAtom(input, type, agentLibBit);
+    const alFinding = this.agentLib.scoreAtom(agentLibBit, input, type);
     if (!alFinding) {
       return false;
     }

package/lib/reporter/models/app-update/library.js

@@ -13,9 +13,10 @@ Copyright: 2022 Contrast Security, Inc
   way not consistent with the End User License Agreement.
 */
 'use strict';
-const readdir = require('recursive-readdir');
 const LibraryManifest = require('./library-manifest');
 const logger = require('../../../core/logger')('contrast:libraries');
+const fs = require('fs');
+const pathModule = require('path');
 
 module.exports = class Library {
   /**
@@ -53,7 +54,7 @@ module.exports = class Library {
       manifest: this.manifest.toSerializable(),
       usedClassCount: 0,
       classCount: this.fileCount,
-      tags: this.tags
+      tags: this.tags,
     };
   }
 
@@ -88,15 +89,68 @@ module.exports = class Library {
     );
   }
 
+  readdir(path, callback) {
+    if (!callback) {
+      return new Promise((resolve, reject) => {
+        this.readdir(path, (err, data) => {
+          if (err) {
+            reject(err);
+          } else {
+            resolve(data);
+          }
+        });
+      });
+    }
+
+    let list = [];
+
+    fs.readdir(path, (err, files) => {
+      if (err) {
+        return callback(err);
+      }
+
+      let pending = files.length;
+      if (!pending) {
+        return callback(null, list);
+      }
+
+      files.forEach((file) => {
+        const filePath = pathModule.join(path, file);
+        fs.stat(filePath, (_err, stats) => {
+          if (_err) {
+            return callback(_err);
+          }
+
+          if (stats.isDirectory() && !filePath.endsWith('/node_modules')) {
+            this.readdir(filePath, (__err, res) => {
+              if (__err) {
+                return callback(__err);
+              }
+
+              list = list.concat(res);
+              pending -= 1;
+              if (!pending) {
+                return callback(null, list);
+              }
+            });
+          } else {
+            list.push(filePath);
+            pending -= 1;
+            if (!pending) {
+              return callback(null, list);
+            }
+          }
+        });
+      });
+    });
+  }
+
   /**
    * Counts all the valid files in a module directory
    */
   getComposition() {
     // ignore nested node_modules
-    return readdir(this._path, [
-      `${this._path}/node_modules/*`,
-      `${this._path}/*/node_modules/*`
-    ])
+    return this.readdir(this._path)
       .then((files) => {
         this.fileCount = files.filter((file) =>
           Library.applicableFile(file)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.13.1",
+  "version": "4.15.1",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",
@@ -76,7 +76,7 @@
     "@babel/template": "^7.10.4",
     "@babel/traverse": "^7.12.1",
     "@babel/types": "^7.12.1",
-    "@contrast/agent-lib": "^2.2.3",
+    "@contrast/agent-lib": "^3.0.0",
     "@contrast/distringuish-prebuilt": "^2.2.0",
     "@contrast/flat": "^4.1.1",
     "@contrast/fn-inspect": "^2.4.4",
@@ -107,7 +107,6 @@
     "parent-package-json": "^2.0.1",
     "parseurl": "^1.3.3",
     "prom-client": "^12.0.0",
-    "recursive-readdir": "^2.2.2",
     "semver": "^7.3.2",
     "uuid": "^8.3.2",
     "winston": "^3.1.0",
@@ -166,6 +165,7 @@
     "mongoose": "^6.1.1",
     "mustache": "^3.0.1",
     "mysql": "file:test/mock/mysql",
+    "mysql2": "file:test/mock/mysql2",
     "nock": "^12.0.3",
     "node-fetch": "^2.6.7",
     "node-serialize": "file:test/mock/node-serialize",