@contrast/agent 4.14.0 → 4.16.0

package/README.md

@@ -108,4 +108,4 @@ api:
 | api.service_key | Contrast user account service key                                           |
 | api.url         | Address of the Contrast installation you would like your agent to report to |
 
-For detailed installation and configuration instructions, see the [Node.js Agent documentation](https://docs.contrastsecurity.com/installation-nodeconfig.html).
+For detailed installation and configuration instructions, see the [Node.js Agent documentation](https://docs.contrastsecurity.com/en/install-node-js.html).

package/bin/VERSION

@@ -1 +1 @@
-2.28.17
+2.28.19

package/lib/assess/propagators/validator/init-hooks.js

@@ -22,6 +22,7 @@ const moduleHook = require('../../../hooks/require');
 const TagRange = require('../../models/tag-range');
 const tagRangeUtil = require('../../models/tag-range/util');
 const { PropagationEvent, Signature, CallContext } = require('../../models');
+const agent = require('../../../agent');
 
 /**
  * this override propagator instruments each of the classes of methods
@@ -88,7 +89,7 @@ module.exports.handle = function() {
       { name: 'validator', file: `lib/${validator}` },
       (index, meta) => {
         function post(data) {
-          if (data.result) {
+          if (data.result && (validator !== 'matches' || (validator === 'matches' && agent.config.assess.trust_custom_validators))) {
             const trackingData = tracker.getData(data.args[0]);
             if (trackingData) {
               tagRangeUtil.addInPlace(

package/lib/assess/propagators/validator/validator-methods.js

@@ -72,7 +72,8 @@ module.exports = {
     isSemVer: 'limited-chars',
     isTaxID: 'limited-chars',
     isUUID: 'alphanum-space-hyphen',
-    isVAT: 'alphanum-space-hyphen'
+    isVAT: 'alphanum-space-hyphen',
+    matches: 'string-type-checked'
   },
   untrackers: [
     // these methods have the tag 'trusted' which the node-agent doesn't support.

package/lib/assess/sinks/dynamo.js

@@ -26,34 +26,38 @@ const disallowedTags = [
   'string-type-checked',
 ];
 const requiredTags = ['untrusted'];
-const moduleName = 'aws-sdk';
-const moduleNameV3 = '@aws-sdk/client-dynamodb';
-const relevantKeys = {
-  v2: ['ExpressionAttributeValues', 'ExclusiveStartKey', 'ScanFilter'],
-  v3: [
-    'ComparisonOperator',
-    'FilterExpression',
-    'ProjectionExpression',
-    'ScanFilter',
-  ],
-};
-const requests = new WeakSet();
 
-// map data types to methods for extracting
-// values
-const dataTypes = {
-  S: 'value',
-  N: 'value',
-  B: 'value',
-  SS: 'array',
-  NS: 'array',
-  BS: 'array',
-  M: 'object',
-  L: 'collection',
-  NULL: 'value',
-  BOOL: 'value',
+/*
+*  Schema of attributes the Node Agent is looking for user-controlled data
+*  The only exception to the rule so far is the ScanFilter in ScanCommand.
+*  It has nested schema too. So far we are only reporting a NoSQL Injection
+*  if ComparisonOperator within the ScanFilter is user-controlled.
+*  ScanFilter is handled individually in extractValues function
+* */
+const trackSchemaCommands = {
+  'scan': {
+    attributes: [
+      'ExpressionAttributeValues',
+      'ExclusiveStartKey',
+      'ScanFilter'
+    ]
+  },
+  'executeStatement': { attributes: ['Statement'] },
+  'ScanCommand': {
+    attributes: [
+      'ComparisonOperator',
+      'FilterExpression',
+      'ProjectionExpression',
+      'ScanFilter',
+    ]
+  },
+  'ExecuteStatementCommand': {
+    attributes: ['Statement']
+  }
 };
 
+const requests = new WeakSet();
+
 /**
  * Extracts all values from either a dynamo document client or client
  *
@@ -62,44 +66,25 @@ const dataTypes = {
  * @param {string} version DynamoDB SDK version
  * @return {Array} all string values from payload
  */
-function extractValues(payload = {}, mode = null, version = 'v2') {
+function extractValues(command, payload = {}) {
   return _.flatten(
-    relevantKeys[version].map((key) => {
-      if (payload[key] === undefined) return;
+    trackSchemaCommands[command].attributes.map((key) => {
+      if (payload[key] == undefined) return;
       if (typeof payload[key] === 'string') return payload[key];
+
+      // ScanFilter is an exception. It is almost safe for any nested attribute
+      if (key === 'ScanFilter') {
+        // collect the values from ComparisonOperator attributes ONLY
+        return getComparisonValues(payload[key]);
+      }
+
       const values = _.values(payload[key]);
-      const extractionMethod =
-        mode === 'client' ? findTypedValues.bind(this) : findValues.bind(this);
+      const extractionMethod = findValues.bind(this);
       return _.flattenDeep(extractionMethod(values));
     }),
   );
 }
 
-/**
- * Extracts all strings from a dynamo client payload
- * Note: Each key is typed so we need to properly extract keys based on AttributeValue types
- *
- * @param {Object} values for all keys in ExpressionAttributeValues, ExclusiveStartKey or ScanFilter
- * @return {Array} all values
- */
-function findTypedValues(values) {
-  return _.map(values, (value) => {
-    const [type] = Object.keys(value);
-    switch (dataTypes[type]) {
-      case 'value':
-        return value[type];
-      case 'array':
-        return _.values(value[type]);
-      case 'object': {
-        const values = _.values(value[type]);
-        return findTypedValues(values);
-      }
-      case 'collection':
-        return findTypedValues(value[type]);
-    }
-  });
-}
-
 /**
  * We only track strings. some data types
  * can contain strings as keys or values but
@@ -139,6 +124,27 @@ function findValues(values) {
   });
 }
 
+/**
+ * Check if key exists in ScanFilter bject and return the value if so
+ * Each element of ScanFilter is an object with predictable structure
+ * "Genre": {
+ *   "AttributeValueList":[ {"S":"Rock"} ],
+ *   "ComparisonOperator": "EQ"
+ * }
+ *
+ * @param {Object} values for all keys in a given payload
+ * @param {String} key name we are looking the value of
+ * @return {Any} if value is found for a given key
+ */
+const getComparisonValues = (obj) => Object.keys(obj).map(field => {
+  if (typeof obj[field] === 'object' && Object.prototype.hasOwnProperty.call(
+    obj[field],
+    'ComparisonOperator'
+  )) {
+    return obj[field].ComparisonOperator;
+  }
+});
+
 module.exports = ({ common }) => {
   const { isVulnerable, report } = common;
 
@@ -147,11 +153,11 @@ module.exports = ({ common }) => {
    * Registers the hooks for client and document client scan
    */
   dynamoSink.handle = function () {
-    moduleHook.resolve({ name: moduleName }, (aws) => {
+    moduleHook.resolve({ name: 'aws-sdk' }, (aws) => {
       const client = aws.DynamoDB.prototype;
 
       patcher.patch(client, 'makeRequest', {
-        name: `${moduleName}.DynamoDB.prototype`,
+        name: 'aws-sdk.DynamoDB.prototype',
         patchType: PATCH_TYPES.ASSESS_SINK,
         alwaysRun: true,
         post(data) {
@@ -163,7 +169,8 @@ module.exports = ({ common }) => {
           if (!AsyncStorage.getContext()) {
             return;
           }
-          if (data.args[0] === 'scan') {
+
+          if (Object.keys(trackSchemaCommands).includes(data.args[0]) && data.args[1]) {
             if (requests.has(data.args[1])) {
               return;
             }
@@ -176,10 +183,10 @@ module.exports = ({ common }) => {
               result: data.result,
             };
 
-            const values = extractValues(data.args[1], 'client', 'v2');
+            const values = extractValues(data.args[0], data.args[1]);
             dynamoSink.check({
               values,
-              methodName: 'DynamoDB.prototype.scan',
+              methodName: `DynamoDB.prototype.${data.args[0]}`,
               data: ctxtData,
             });
           }
@@ -198,7 +205,7 @@ module.exports = ({ common }) => {
           name: 'aws-sdk.DynamoDB.DocumentClient.prototype',
           patchType: PATCH_TYPES.ASSESS_SINK,
           pre(data) {
-            if (data.args[0] === 'scan') {
+            if (data.args[0] === 'scan' && data.args[1]) {
               requests.add(data.args[1]);
             }
           },
@@ -208,7 +215,7 @@ module.exports = ({ common }) => {
           name: 'aws-sdk.DynamoDB.DocumentClient.prototype',
           patchType: PATCH_TYPES.ASSESS_SINK,
           post(data) {
-            const values = extractValues(data.args[0], 'docClient', 'v2');
+            const values = extractValues('scan', data.args[0]);
             dynamoSink.check({
               values,
               methodName: 'DynamoDB.DocumentClient.prototype.scan',
@@ -219,27 +226,31 @@ module.exports = ({ common }) => {
       }
     });
 
-    moduleHook.resolve({ name: moduleNameV3 }, (aws) => {
+    moduleHook.resolve({ name: '@aws-sdk/client-dynamodb' }, (aws) => {
       const client = aws.DynamoDBClient.prototype;
 
       patcher.patch(client, 'send', {
-        name: `${moduleNameV3}.ScanCommand.prototype`,
+        name: '@aws-sdk/client-dynamodb.ScanCommand.prototype',
         patchType: PATCH_TYPES.ASSESS_SINK,
         alwaysRun: true,
         post(data) {
           if (!AsyncStorage.getContext()) return;
 
-          if (data.args[0] instanceof aws.ScanCommand) {
-            const values = extractValues(
-              data.args[0].input,
-              'docClient',
-              'v3',
-            ).filter(Boolean);
-            dynamoSink.check({
-              data,
-              values,
-              methodName: 'DynamoDBClient.ScanCommand',
-            });
+          if (data.args[0] && data.args[0].constructor && data.args[0].input) {
+            const sendCommand = data.args[0].constructor.name;
+
+            if (Object.keys(trackSchemaCommands).includes(sendCommand)) {
+              const values = extractValues(
+                sendCommand,
+                data.args[0].input
+              ).filter(Boolean);
+
+              dynamoSink.check({
+                data,
+                values,
+                methodName: `DynamoDBClient.${sendCommand}`,
+              });
+            }
           }
         },
       });
@@ -257,7 +268,7 @@ module.exports = ({ common }) => {
 
     if (vulnerableString.length) {
       const ctxt = new CallContext(data);
-      const signature = new Signature({ moduleName, methodName });
+      const signature = new Signature({ moduleName: 'aws-sdk', methodName });
       report({ ruleId, signature, input: vulnerableString[0], ctxt });
     }
   };

package/lib/libraries.js

@@ -124,7 +124,7 @@ const getLibInfo = async (agent, eluEnabled) =>
 
       if (!nodeModsPath) {
         logger.error(
-          `unable to read installed dependencies because a node_modules directory could not be detected given a package.json located at %s - use the agent.node.app_root configuration variable if installed in non-standard location`,
+          'unable to read installed dependencies because a node_modules directory could not be detected given a package.json located at %s - use the agent.node.app_root configuration variable if installed in non-standard location',
           agent.appInfo.path
         );
         return AppUpdate.libraries;

package/lib/protect/errors/handler-async-errors.js

@@ -57,7 +57,7 @@ module.exports.install = function() {
       handledErrors.add(error);
     } else {
       console.warn(
-        `An Unhandled Rejection has been caught by the Contrast Security node-agent instrumentation. Error: ${error}`,
+        'An Unhandled Rejection has been found in the instrumented code:\n%s', error
       );
     }
   }

package/lib/protect/service.js

@@ -37,6 +37,8 @@ const UserInputKit = require('../reporter/models/utils/user-input-kit');
 const UserInputFactory = require('../reporter/models/utils/user-input-factory');
 const blockRequest = require('../util/block-request');
 
+const evalOptions = { preferWorthWatching: true };
+
 class ProtectService {
   /**
    * Configures the service to use the provided agent.
@@ -196,8 +198,6 @@ class ProtectService {
     }
 
     const arg = {
-      rules,
-      preferWorthWatching: true,
       // header names must be lowercase. should this be done in agent-lib?
       headers: req.rawHeaders.map((h, ix) => (ix & 1 ? h : h.toLowerCase()))
     };
@@ -207,7 +207,7 @@ class ProtectService {
       arg.queries = req.url.slice(questionMark + 1);
     }
 
-    const findings = this.agentLib.scoreRequestConnect(arg);
+    const findings = this.agentLib.scoreRequestConnect(rules, arg, evalOptions);
 
     return findings;
   }
@@ -218,14 +218,12 @@ class ProtectService {
       return {};
     }
     // also, if content-type has multipart...
-    const options = { preferWorthWatching: true };
-
     const bodyBuffer = Buffer.concat(chunks);
 
     const findings = this.agentLib.scoreRequestUnknownBody(
       rules,
       bodyBuffer,
-      options
+      evalOptions
     );
 
     // store body buffer on findings for nosqli sink.
@@ -814,9 +812,9 @@ class ProtectService {
     // for each key, check out the value. the key is set in the code so
     // is not vulnerable.
     for (const key in params) {
-      // items from scoreAtom() are only [{ruleId, score}, ...] because the key
+      // items from scoreAtom() return only [{ruleId, score}, ...] because the key
       // and inputType are already known and there is no path.
-      const items = this.agentLib.scoreAtom(params[key], type, libRules);
+      const items = this.agentLib.scoreAtom(libRules, params[key], type);
       if (!items) {
         continue;
       }
@@ -866,7 +864,7 @@ class ProtectService {
     const filenames = Object.keys(event.data);
 
     for (const filename of filenames) {
-      const items = this.agentLib.scoreAtom(filename, type, libRules);
+      const items = this.agentLib.scoreAtom(libRules, filename, type);
       if (!items) {
         continue;
       }
@@ -900,13 +898,9 @@ class ProtectService {
         queries.unshift(...q); return queries;
       }, []);
 
-    const arg = {
-      rules: rulesMask,
-      preferWorthWatching: true,
-      queries,
-    };
+    const arg = { queries };
 
-    const findings = this.agentLib.scoreRequestConnect(arg);
+    const findings = this.agentLib.scoreRequestConnect(rulesMask, arg, evalOptions);
 
     this.handleAgentLibAnalysis({
       asyncStorageContext: event._ctxt,
@@ -922,11 +916,9 @@ class ProtectService {
       acc.unshift(key, value);
       return acc;
     }, []);
-    const findings = this.agentLib.scoreRequestConnect({
-      preferWorthWatching: true,
-      rules: this.getRulesMask(rules),
-      cookies
-    });
+    const rulesMask = this.getRulesMask(rules);
+    const arg = { cookies };
+    const findings = this.agentLib.scoreRequestConnect(rulesMask, arg, evalOptions);
     this.handleAgentLibAnalysis({
       asyncStorageContext: event._ctxt,
       appContext: {},
@@ -1141,7 +1133,7 @@ class ProtectService {
    * @param   {Rule[]} rules Rules from which to build findings
    * @returns {Object[]}     The findings from the rules
    */
-  createFindings(rules, samples) {
+  createFindings(rules = [], samples) {
     const findings = [];
     const speedracer = this.reporter.speedracer &&
       this.config.agent.node.speedracer_input_analysis;
@@ -1172,7 +1164,7 @@ class ProtectService {
     const { _type, _value: input } = finding.sample.input;
     const type = this.agentLib.InputType[_type];
 
-    const alFinding = this.agentLib.scoreAtom(input, type, agentLibBit);
+    const alFinding = this.agentLib.scoreAtom(agentLibBit, input, type);
     if (!alFinding) {
       return false;
     }

package/lib/reporter/models/app-update/library.js

@@ -13,9 +13,10 @@ Copyright: 2022 Contrast Security, Inc
   way not consistent with the End User License Agreement.
 */
 'use strict';
-const readdir = require('recursive-readdir');
 const LibraryManifest = require('./library-manifest');
 const logger = require('../../../core/logger')('contrast:libraries');
+const fs = require('fs');
+const pathModule = require('path');
 
 module.exports = class Library {
   /**
@@ -53,7 +54,7 @@ module.exports = class Library {
       manifest: this.manifest.toSerializable(),
       usedClassCount: 0,
       classCount: this.fileCount,
-      tags: this.tags
+      tags: this.tags,
     };
   }
 
@@ -88,15 +89,68 @@ module.exports = class Library {
     );
   }
 
+  readdir(path, callback) {
+    if (!callback) {
+      return new Promise((resolve, reject) => {
+        this.readdir(path, (err, data) => {
+          if (err) {
+            reject(err);
+          } else {
+            resolve(data);
+          }
+        });
+      });
+    }
+
+    let list = [];
+
+    fs.readdir(path, (err, files) => {
+      if (err) {
+        return callback(err);
+      }
+
+      let pending = files.length;
+      if (!pending) {
+        return callback(null, list);
+      }
+
+      files.forEach((file) => {
+        const filePath = pathModule.join(path, file);
+        fs.stat(filePath, (_err, stats) => {
+          if (_err) {
+            return callback(_err);
+          }
+
+          if (stats.isDirectory() && !filePath.endsWith('/node_modules')) {
+            this.readdir(filePath, (__err, res) => {
+              if (__err) {
+                return callback(__err);
+              }
+
+              list = list.concat(res);
+              pending -= 1;
+              if (!pending) {
+                return callback(null, list);
+              }
+            });
+          } else {
+            list.push(filePath);
+            pending -= 1;
+            if (!pending) {
+              return callback(null, list);
+            }
+          }
+        });
+      });
+    });
+  }
+
   /**
    * Counts all the valid files in a module directory
    */
   getComposition() {
     // ignore nested node_modules
-    return readdir(this._path, [
-      `${this._path}/node_modules/*`,
-      `${this._path}/*/node_modules/*`
-    ])
+    return this.readdir(this._path)
       .then((files) => {
         this.fileCount = files.filter((file) =>
           Library.applicableFile(file)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.14.0",
+  "version": "4.16.0",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",
@@ -69,14 +69,14 @@
   "repository": {
     "type": "git"
   },
-  "homepage": "https://docs.contrastsecurity.com/installation-node.html#node-overview",
+  "homepage": "https://docs.contrastsecurity.com/en/install-node-js.html",
   "dependencies": {
     "@babel/generator": "^7.12.1",
     "@babel/parser": "^7.12.3",
     "@babel/template": "^7.10.4",
     "@babel/traverse": "^7.12.1",
     "@babel/types": "^7.12.1",
-    "@contrast/agent-lib": "^2.2.3",
+    "@contrast/agent-lib": "^3.0.0",
     "@contrast/distringuish-prebuilt": "^2.2.0",
     "@contrast/flat": "^4.1.1",
     "@contrast/fn-inspect": "^2.4.4",
@@ -107,7 +107,6 @@
     "parent-package-json": "^2.0.1",
     "parseurl": "^1.3.3",
     "prom-client": "^12.0.0",
-    "recursive-readdir": "^2.2.2",
     "semver": "^7.3.2",
     "uuid": "^8.3.2",
     "winston": "^3.1.0",