@contrast/agent 4.18.0 → 4.19.2

package/changelog.config.js

@@ -0,0 +1,56 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+module.exports = {
+  jira: {
+    baseUrl: `https://${process.env.JIRA_HOST}`,
+    ticketIDPattern: /(NODE+-?[0-9]{4})/i,
+    excludeIssueTypes: ['Sub-task', 'Release'],
+    api: {
+      host: process.env.JIRA_HOST,
+      email: process.env.JIRA_EMAIL,
+      token: process.env.JIRA_TOKEN
+    }
+  },
+  hideEmptyBlocks: true,
+  template: `## <%= process.env.VERSION -%>
+
+<% blockTickets = tickets.all.filter((t) => !t.reverted); -%>
+<% if (blockTickets.length > 0 || !options.hideEmptyBlocks) { -%>
+### Jira Tickets
+---------------------
+<% blockTickets.forEach(ticket => { -%>
+  * <<%= ticket.fields.issuetype.name %>> - <%- ticket.fields.summary %>
+    [<%= ticket.key %>](<%= jira.baseUrl + '/browse/' + ticket.key %>)
+<% }); -%>
+<% if (!blockTickets.length) {%> ~ None ~ <% } %>
+<% } -%>
+<% blockNoTickets = commits.noTickets; -%>
+<% if (blockNoTickets.length > 0 || !options.hideEmptyBlocks) { -%>
+
+### Other Commits
+---------------------
+<% blockNoTickets.forEach(commit => { -%>
+  * <%= commit.slackUser ? '@'+commit.slackUser.name : commit.authorName %> - <<%= commit.revision.substr(0, 7) %>> - <%= commit.summary %>
+<% }); -%>
+<% if (!blockNoTickets.length) {%> ~ None ~ <% } %>
+<% } -%>
+<% blockPendingByOwner = tickets.pendingByOwner; -%>
+<% if (blockPendingByOwner.length > 0 || !options.hideEmptyBlocks) { -%>
+<% } -%>
+--------------------
+`
+};

package/lib/assess/models/call-context.js

@@ -20,6 +20,7 @@ const tracker = require('../../tracker');
 const stackFactory = require('../../core/stacktrace').singleton;
 const distringuish = require('@contrast/distringuish-prebuilt');
 const { PROXY_TARGET } = require('../../../lib/constants');
+const TagRange = require('../models/tag-range');
 
 /**
  * Holds information about the call context of a function
@@ -102,6 +103,22 @@ module.exports = class CallContext {
     return !!(str && typeof str === 'object' && str[PROXY_TARGET]);
   }
 
+  static getDisplayRange(arg) {
+    if (tracker.getData(arg)) {
+      return new TagRange(0, arg.length - 1, 'untrusted');
+    }
+
+    if (arg && typeof arg === 'object') {
+      for (let key in arg) {
+        if (tracker.getData(arg[key])) {
+          const start = CallContext.valueString(arg).indexOf(arg[key]);
+          return new TagRange(start, start + arg[key].length - 1, 'untrusted');
+        }
+      }
+    }
+    return {}
+  }
+
   set result(result) {
     this.__result = CallContext.valueString(result);
     this.resultTracked = CallContext.isTracked(result);
@@ -113,6 +130,7 @@ module.exports = class CallContext {
   set args(args) {
     this.__args = args.map(CallContext.valueString);
     this.argsTracked = args.map((arg) => CallContext.isTracked(arg));
+    this.argsDisplayRanges = args.map((arg) => CallContext.getDisplayRange(arg));
   }
 
   get args() {

package/lib/assess/propagators/joi/index.js

@@ -15,6 +15,7 @@ Copyright: 2022 Contrast Security, Inc
 'use strict';
 
 module.exports.handle = function() {
+  require('./keys');
   require('./boolean');
   require('./number');
   require('./values');

package/lib/assess/propagators/joi/keys.js

@@ -0,0 +1,72 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const patcher = require('../../../hooks/patcher');
+const requireHook = require('../../../hooks/require');
+const {
+  PATCH_TYPES: { ASSESS_PROPAGATOR },
+} = require('../../../constants');
+const { isObject } = require('../utils');
+
+requireHook.resolve(
+  { name: 'joi', file: 'lib/types/keys.js', version: '>=17.0.0' },
+  (joi) => {
+    patcher.patch(joi.__proto__, 'keys', {
+      name: 'joi.keys',
+      alwaysRun: true,
+      patchType: ASSESS_PROPAGATOR,
+      pre(data) {
+        if (!data || !data.args) return;
+        const value = data.args[0];
+        if (value) {
+          traverseObject(data.obj.$_root, value, value);
+        }
+      },
+    });
+  }
+);
+
+const traverseObject = (joi, currentValue, originalInput, currentPath = []) => {
+  if (joi.isSchema(currentValue) || joi.isExpression(currentValue)) return;
+  if (joi.isRef(currentValue)) {
+    const referenceInstance = currentValue;
+
+    const targetSchemaInstace = currentValue.path.reduce(
+      (acc, value) => acc[value] || acc,
+      originalInput
+    );
+
+    if (!targetSchemaInstace) return;
+
+    if (!targetSchemaInstace.__CONTRAST__) {
+      Object.defineProperty(targetSchemaInstace, '__CONTRAST__', {
+        enumerable: false,
+        configurable: true,
+        value: {
+          refInstances: {},
+        },
+        writable: true,
+      });
+    }
+
+    targetSchemaInstace.__CONTRAST__.refInstances[currentPath.join('.')] = referenceInstance;
+  }
+
+  if (isObject(currentValue)) {
+    for (const [objKey, objValue] of Object.entries(currentValue)) {
+      traverseObject(joi, objValue, originalInput, [...currentPath, objKey]);
+    }
+  }
+};

package/lib/assess/propagators/joi/string-base.js

@@ -25,6 +25,7 @@ const { PropagationEvent, Signature, CallContext } = require('../../models');
 const TagRange = require('../../models/tag-range');
 const tagRangeUtil = require('../../models/tag-range/util');
 const agent = require('../../../agent');
+const { setProxyTaggedString, getContrastData } = require('../utils');
 
 const areThereRules = (obj) =>
   obj &&
@@ -43,7 +44,35 @@ function instrumentJoiString(string) {
       name: 'joi.string.validate',
       patchType: ASSESS_PROPAGATOR,
       post(data) {
-        const trackingData = tracker.getData(data.args[0]);
+        const input = data.args[0];
+        const contrastData = getContrastData(data);
+        const doesSchemaHaveReferences = !!contrastData;
+
+        let trackingData = tracker.getData(input);
+
+        if (!trackingData && !data.result && doesSchemaHaveReferences) {
+          const proxyTaggedString = setProxyTaggedString(
+            contrastData,
+            input,
+            tracker
+          );
+
+          trackingData = tracker.getData(proxyTaggedString);
+
+          Object.values(contrastData.refInstances).forEach(
+            (referenceInstance) => {
+              Object.defineProperty(referenceInstance, '__CONTRAST__', {
+                enumerable: false,
+                configurable: true,
+                value: {
+                  proxyTaggedString,
+                },
+                writable: true,
+              });
+            }
+          );
+        }
+
         if (
           areThereRules(data.args[1]) &&
           data.args[1].schema._rules.find((rule) => rule.name === 'pattern') &&
@@ -51,11 +80,11 @@ function instrumentJoiString(string) {
         )
           return;
 
-        if (data.result === undefined && trackingData) {
+        if (!data.result && trackingData) {
           const { event } = trackingData;
           trackingData.tagRanges = tagRangeUtil.add(
             trackingData.tagRanges,
-            new TagRange(0, data.args[0].length - 1, 'string-type-checked')
+            new TagRange(0, input.length - 1, 'string-type-checked')
           );
           trackingData.event = new PropagationEvent({
             context: new CallContext(data),

package/lib/assess/propagators/joi/string-schema.js

@@ -18,12 +18,13 @@ const _ = require('lodash');
 const requireHook = require('../../../hooks/require');
 const patcher = require('../../../hooks/patcher');
 const {
-  PATCH_TYPES: { ASSESS_PROPAGATOR }
+  PATCH_TYPES: { ASSESS_PROPAGATOR },
 } = require('../../../constants');
 const { PropagationEvent, Signature, CallContext } = require('../../models');
 const TagRange = require('../../models/tag-range');
 const tagRangeUtil = require('../../models/tag-range/util');
 const tracker = require('../../../tracker');
+const { setProxyTaggedString, getContrastData } = require('../utils');
 
 const VALIDATORS = {
   base64: 'alphanum-space-hyphen',
@@ -36,7 +37,7 @@ const VALIDATORS = {
   creditCard: 'limited-chars',
   ip: 'limited-chars',
   hostname: 'alphanum-space-hyphen',
-  domain: 'alphanum-space-hyphen'
+  domain: 'alphanum-space-hyphen',
 };
 
 requireHook.resolve(
@@ -96,12 +97,12 @@ function reTrackCoercedValue(coerce, rule) {
           trackedArgsData: argContrastProperties,
           tagRanges: tracked.props.tagRanges,
           target: 'R',
-          joiMethod: rule
+          joiMethod: rule,
         });
 
         data.result = { value: tracked.str };
       }
-    }
+    },
   });
 }
 
@@ -119,27 +120,53 @@ function wrapRuleAsValidator(rules, rule, tagName) {
       }
 
       const argContrastProperties = tracker.getData(args[0]);
-      if (!argContrastProperties) {
+
+      const contrastData = getContrastData(data);
+      const doesSchemaHaveReferences = !!contrastData;
+
+      if (!argContrastProperties && !doesSchemaHaveReferences) {
         return;
       }
 
-      const strContrastProperties = tracker.getData(result);
+      let trackingData = tracker.getData(result);
+
+      if (!trackingData && doesSchemaHaveReferences) {
+        const proxyTaggedString = setProxyTaggedString(
+          contrastData,
+          result,
+          tracker
+        );
+        trackingData = tracker.getData(proxyTaggedString);
+
+        Object.values(contrastData.refInstances).forEach(
+          (referenceInstance) => {
+            Object.defineProperty(referenceInstance, '__CONTRAST__', {
+              enumerable: false,
+              configurable: true,
+              value: {
+                proxyTaggedString,
+              },
+              writable: true,
+            });
+          }
+        );
+      }
 
-      if (strContrastProperties) {
-        strContrastProperties.tagRanges = tagRangeUtil.add(
-          strContrastProperties.tagRanges,
+      if (trackingData) {
+        trackingData.tagRanges = tagRangeUtil.add(
+          trackingData.tagRanges,
           new TagRange(0, result.length - 1, tagName)
         );
 
-        strContrastProperties.event = createPropagationEvent({
+        trackingData.event = createPropagationEvent({
           data,
-          trackedArgsData: argContrastProperties,
-          tagRanges: strContrastProperties.tagRanges,
+          trackedArgsData: trackingData,
+          tagRanges: trackingData.tagRanges,
           target: 'A',
-          joiMethod: rule
+          joiMethod: rule,
         });
       }
-    }
+    },
   });
 }
 
@@ -148,7 +175,7 @@ function createPropagationEvent({
   trackedArgsData,
   tagRanges,
   target,
-  joiMethod
+  joiMethod,
 }) {
   const { event: lastEvent } = trackedArgsData;
 
@@ -160,7 +187,7 @@ function createPropagationEvent({
     signature,
     tagRanges,
     source: 'P',
-    target
+    target,
   });
 
   event.parents.push(lastEvent);

package/lib/assess/propagators/joi/values.js

@@ -18,7 +18,7 @@ const _ = require('lodash');
 const requireHook = require('../../../hooks/require');
 const patcher = require('../../../hooks/patcher');
 const {
-  PATCH_TYPES: { ASSESS_PROPAGATOR }
+  PATCH_TYPES: { ASSESS_PROPAGATOR },
 } = require('../../../constants');
 const tracker = require('../../../tracker');
 const tagRangeUtil = require('../../models/tag-range/util');
@@ -41,9 +41,9 @@ function instrumentJoiValues(values) {
     name: 'joi.values',
     patchType: ASSESS_PROPAGATOR,
     post(data) {
-      let {
+      const {
         args: [value],
-        result
+        result,
       } = data;
 
       // value not found during lookup
@@ -52,12 +52,21 @@ function instrumentJoiValues(values) {
       }
 
       if (result.ref) {
-        handler(result.value, value, data);
+        const resultValue = result.ref.__CONTRAST__
+          ? result.ref.__CONTRAST__.proxyTaggedString
+          : result.value;
+
+        handler(resultValue, value, data);
+
+        if (result.ref.__CONTRAST__) {
+          delete result.ref.__CONTRAST__;
+        }
+
       } else if (_.isString(result.value)) {
         // use case is .valid() - safe
         result.value = tracker.untrack(result.value) || result.value;
       }
-    }
+    },
   });
 }
 
@@ -118,7 +127,7 @@ function getRefHandler(resolvedTrackData, refTrackData) {
  */
 function handleTargetOnlyTracked(data, resolvedTrackData, refTrackData) {
   const {
-    args: [value]
+    args: [value],
   } = data;
   data.result.value = toUntrackedString(value);
 }
@@ -131,9 +140,10 @@ function handleTargetOnlyTracked(data, resolvedTrackData, refTrackData) {
  * @param {object} refTrackData tracking data for reference value
  */
 function handleBothTracked(data, resolvedTrackData, refTrackData) {
-  let {
-    args: [value, , prefs],
-    result
+  let value = data.args[0];
+  const {
+    args: [, , prefs],
+    result,
   } = data;
 
   // We can't reliably validate values that get adjusted
@@ -160,9 +170,10 @@ function handleBothTracked(data, resolvedTrackData, refTrackData) {
  * @param {object} refTrackData tracking data for reference value
  */
 function handleRefOnlyTracked(data, resolvedTrackData, refTrackData) {
-  let {
-    args: [value, , prefs],
-    result
+  let value = data.args[0];
+  const {
+    args: [, , prefs],
+    result,
   } = data;
 
   if (prefs.convert) {
@@ -221,7 +232,7 @@ function copyValidationHistory(targetTrackData, refTrackData) {
  */
 function buildEventsAndTagsToReplay(joiEvents) {
   const hist = [];
-  const tagRangesSeen = new WeakSet(_.get(joiEvents, `0.parents.0.tagRanges`));
+  const tagRangesSeen = new WeakSet(_.get(joiEvents, '0.parents.0.tagRanges'));
 
   for (const event of joiEvents) {
     const newEventRanges = [];
@@ -239,7 +250,7 @@ function buildEventsAndTagsToReplay(joiEvents) {
     if (newEventRanges.length) {
       hist.push({
         event,
-        tagRanges: newEventRanges
+        tagRanges: newEventRanges,
       });
     }
   }

package/lib/assess/propagators/utils.js

@@ -12,6 +12,8 @@ Copyright: 2022 Contrast Security, Inc
   engineered, modified, repackaged, sold, redistributed or otherwise used in a
   way not consistent with the End User License Agreement.
 */
+'use strict';
+
 /**
  * Propagation Utility
  *
@@ -41,7 +43,7 @@ function deepOrigValue(val, max = 10) {
   function walk(item, depth) {
     if (Array.isArray(item) && depth < max) {
       depth++;
-      return item.map(function(item) {
+      return item.map(function (item) {
         return walk(item, depth);
       });
     }
@@ -94,18 +96,53 @@ function getArgValue({ arg, inclusive, allowNegatives = true, sourceLength }) {
  */
 function sortParamTypes(params, args, sourceLength) {
   const paramTypes = {};
-  params.forEach(function(param) {
+  params.forEach(function (param) {
     paramTypes[param.type] = getArgValue({
       arg: args[param.index],
       inclusive: param.inclusive,
       allowNegatives: param.allowNegatives,
-      sourceLength
+      sourceLength,
     });
   });
 
   return paramTypes;
 }
 
+/**
+ * Checks whether the input is an object
+ * @param {*} value
+ * @return {boolean}
+ */
+function isObject(value) {
+  if (typeof value === 'object' && !Array.isArray(value) && value !== null) {
+    return true;
+  }
+
+  return false;
+}
+
+function setProxyTaggedString(contrastData, input, tracker) {
+  let proxyTaggedString;
+
+  if (contrastData.proxyTaggedString) {
+    proxyTaggedString = contrastData.proxyTaggedString;
+  } else {
+    const { str } = tracker.track(input);
+    proxyTaggedString = str;
+  }
+
+  contrastData.proxyTaggedString = proxyTaggedString;
+
+  return proxyTaggedString;
+}
+
+function getContrastData(data) {
+  return data.args[1].schema && data.args[1].schema.__CONTRAST__;
+}
+
 module.exports.origValue = origValue;
 module.exports.deepOrigValue = deepOrigValue;
 module.exports.sortParamTypes = sortParamTypes;
+module.exports.isObject = isObject;
+module.exports.setProxyTaggedString = setProxyTaggedString;
+module.exports.getContrastData = getContrastData;

package/lib/core/async-storage/hooks/{mongodb-core.js → mongodb.js}

@@ -25,10 +25,11 @@ const utils = require('./utils');
  * Hooks a method to properly bind to AsyncStorage
  * @param {Object} prototype to hook
  * @param {String} method to hook
+ * @param {String} patchName of the patch
  */
-function hookMethod(prototype, method) {
-  patcher.patch(prototype, method, {
-    name: `mongodb-core.${prototype.constructor.name}.prototype`,
+function hookMethod(obj, method, patchName) {
+  patcher.patch(obj, method, {
+    name: patchName,
     patchType: ASYNC_CONTEXT,
     alwaysRun: true,
     pre: (data) => {
@@ -42,17 +43,18 @@ function hookMethod(prototype, method) {
 }
 
 /**
- * Registers the hooks for mongdb-core
+ * Registers the hooks for mongodb and mongodb-core
  */
 function init() {
-  logger.info('applying non-policy hook: mongodb-core');
+  logger.info('applying non-policy hook: mongodb');
 
   requireHook.resolve(
     { name: 'mongodb-core', file: 'lib/topologies/server.js' },
     (server) => {
       const methods = ['command', 'insert', 'update', 'remove', 'logout'];
       for (const method of methods) {
-        hookMethod(server.prototype, method);
+        const name = `mongodb-core.${server.prototype.constructor.name}.prototype`;
+        hookMethod(server.prototype, method, name);
       }
     }
   );
@@ -60,9 +62,43 @@ function init() {
   requireHook.resolve(
     { name: 'mongodb-core', file: 'lib/cursor.js' },
     (cursor) => {
-      hookMethod(cursor.prototype, 'next');
+      const name = `mongodb-core.${cursor.prototype.constructor.name}.prototype`;
+      hookMethod(cursor.prototype, 'next', name);
     }
   );
+
+  requireHook.resolve(
+    {
+      name: 'mongodb',
+      file: 'lib/topologies/server.js',
+      version: '>=3.3.0 <4.0.0'
+    },
+    (server) =>
+      patcher.patch(server, {
+        name: 'mongodb.Server',
+        patchType: ASYNC_CONTEXT,
+        alwaysRun: true,
+        post: (data) => {
+          const methods = ['command', 'insert', 'update', 'remove'];
+          for (const method of methods) {
+            hookMethod(data.result, method, 'mongodb.Server');
+          }
+        }
+      })
+  );
+
+  requireHook.resolve(
+    { name: 'mongodb', file: 'lib/cursor.js', version: '>=3.3.0 <4.0.0' },
+    (cursor) =>
+      patcher.patch(cursor, {
+        name: 'mongodb.Cursor',
+        patchType: ASYNC_CONTEXT,
+        alwaysRun: true,
+        post: (data) => {
+          hookMethod(data.result, '_next', 'mongodb.Cursor');
+        }
+      })
+  );
 }
 
 module.exports = init;

package/lib/core/config/util.js

@@ -323,6 +323,10 @@ function mergePM2Envs() {
     .concat(Object.entries(pm2_env))
     .concat(['DEBUG', 'PGHOST', 'PGPORT']);
 
+  const pm2ConfigPath =
+    pm2_env.env.CONTRAST_CONFIG_PATH || pm2_env.CONTRAST_CONFIG_PATH;
+  if (pm2ConfigPath) process.env.CONTRAST_CONFIG_PATH = pm2ConfigPath;
+
   objectEntries.forEach(([key, value]) => {
     if (
       !process.env[key] &&

package/lib/instrumentation.js

@@ -129,7 +129,7 @@ function protectModeFeatures({ agent, reporter }) {
       // needs the || '.' for testing...
       const logDir = agent.config.agent.node.analysis_log_dir || '.';
       const agentLib = new lib.Agent(
-        { enableLogging: true, logDir, logLevel: "INFO" }
+        { enableLogging: true, logDir, logLevel: 'INFO' }
       );
       // attach the constants so lib.Agent() isn't exposed.
       for (const c in lib.constants) {
@@ -159,7 +159,7 @@ function protectModeFeatures({ agent, reporter }) {
 function nonPolicyHooks(agent) {
   require('./core/async-storage/hooks/bluebird')();
   require('./core/async-storage/hooks/redis')();
-  require('./core/async-storage/hooks/mongodb-core')();
+  require('./core/async-storage/hooks/mongodb')();
   require('./core/async-storage/hooks/mysql')();
   require('./hooks/require');
   require('./hooks/cluster')(agent);

package/lib/reporter/models/finding/event.js

@@ -102,6 +102,12 @@ class Event {
       this.args.push(
         new ObjectDTM(event.context.args[i], event.context.argsTracked[i])
       );
+      if (event.tagRanges[i] 
+        && event.context.argsDisplayRanges
+        && Object.keys(event.context.argsDisplayRanges[i]).length
+        ) {
+        event.tagRanges[i] = event.context.argsDisplayRanges[i];
+      }
     }
 
     if (event.code) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.18.0",
+  "version": "4.19.2",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",