@contrast/agent 4.5.0 → 4.7.0

package/bin/VERSION

@@ -1 +1 @@
-2.26.0
+2.28.0

package/lib/assess/membrane/source-membrane.js

@@ -39,14 +39,6 @@ const signature = new Signature({
   isModule: false
 });
 
-const numericCheck = /^[0-9]+$/;
-function isNumeric(input) {
-  // regex from validator.js/lib/isNumeric.js:
-  // https://github.com/validatorjs/validator.js/blob/master/lib/isNumeric.js
-  // do we want to allow symbols (plus/minus sign, decimal point?)
-  return numericCheck.test(input);
-}
-
 module.exports = class SourceMembrane extends Membrane {
   /**
    * @param {object} config agent config to use for array sampling.
@@ -294,10 +286,9 @@ module.exports = class SourceMembrane extends Membrane {
     if (!(metadata.sourceType && metadata.path)) {
       return false;
     }
-    const koaQueryString = metadata.path.match(/(\w+)=/);
-    if (koaQueryString) {
-      // get 1st capture group, fall back to `metadata.path` if for some reason this does not exist
-      metadata.path = koaQueryString[1] || metadata.path;
+    const koaQueryString = metadata.path.split('=');
+    if (koaQueryString[1]) {
+      metadata.path = koaQueryString[0];
     }
     return true;
   }
@@ -305,8 +296,7 @@ module.exports = class SourceMembrane extends Membrane {
   /**
    * The `TagRanges` returned  will include the `untrusted` tag. There will be
    * `exclusion:${ruleId}` tags for input exclusions pertaining to specific
-   * rules and whose name matches the property name described in metadata. And
-   * `limited-chars` tags are included if string is numeric.
+   * rules and whose name matches the property name described in metadata.
    * @param {string} str string being tracked by membrane
    * @param {object} metadata metadata about source type and key name
    * @returns {TagRange[]}
@@ -343,10 +333,6 @@ module.exports = class SourceMembrane extends Membrane {
       }
     }
 
-    if (isNumeric(str)) {
-      tagRanges.push(new TagRange(start, stop, 'limited-chars'));
-    }
-
     if (metadata.sourceType === 'header') {
       if (metadata.path.toLocaleLowerCase() !== 'referer') {
         tagRanges.push(new TagRange(start, stop, 'header'));

package/lib/assess/policy/propagators.json

@@ -59,13 +59,15 @@
     },
     "mustache.escape": {
       "enabled": true,
-      "source": "P",
-      "target": "R",
-      "tags": ["html-encoded"],
-      "type": "overload",
-      "command": {
-        "type": "keep"
-      }
+      "provider": "./propagators/mustache/escape.js"
+    },
+    "dust.escapeHtml": {
+      "enabled": true,
+      "provider": "./propagators/dustjs/escape-html.js"
+    },
+    "dust.escapeJs": {
+      "enabled": true,
+      "provider": "./propagators/dustjs/escape-js.js"
     },
     "pug.compile": {
       "enabled": true,
@@ -329,23 +331,11 @@
     },
     "encodeURI": {
       "enabled": true,
-      "type": "overload",
-      "tags": ["weak-url-encoded"],
-      "source": "P",
-      "target": "R",
-      "command": {
-        "type": "keep"
-      }
+      "provider": "./propagators/encode-uri/encode-uri.js"
     },
     "encodeURIComponent": {
       "enabled": true,
-      "type": "overload",
-      "tags": ["url-encoded"],
-      "source": "P",
-      "target": "R",
-      "command": {
-        "type": "keep"
-      }
+      "provider": "./propagators/encode-uri/encode-uri-component.js"
     },
     "process.__add": {
       "enabled": true,

package/lib/assess/policy/rules.json

@@ -1371,6 +1371,11 @@
       "type": "http",
       "provider": "./sinks/hapi-16-xss"
     },
+    "reflected-xss_dustjs-linkedin": {
+      "enabled": true,
+      "type": "http",
+      "provider": "./sinks/dustjs-linkedin-xss"
+    },
     "reflected-xss": {
       "enabled": true,
       "type": "hook",

package/lib/assess/policy/signatures.json

@@ -233,6 +233,16 @@
       "methodName": "escape",
       "isModule": true
     },
+    "dust.escapeHtml": {
+      "moduleName": "dustjs-linkedin",
+      "methodName": "escapeHtml",
+      "isModule": true
+    },
+    "dust.escapeJs": {
+      "moduleName": "dustjs-linkedin",
+      "methodName": "escapeJs",
+      "isModule": true
+    },
     "express.response.send": {
       "moduleName": "express",
       "version": ">=4.0.0",
@@ -1307,6 +1317,11 @@
       "moduleName": "node-serialize",
       "methodName": "unserialize",
       "isModule": true
+    },
+    "dustjs-linkedin": {
+      "moduleName": "dustjs-linkedin",
+      "methodName": "pipe",
+      "isModule": true
     }
   }
 }

package/lib/assess/propagators/dustjs/escape-html.js

@@ -0,0 +1,22 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const { propagate } = require('../template-escape');
+
+function handler(data) {
+  propagate(data, 'html-encoded', 'dustjs-linkedin.escapeHtml');
+}
+
+module.exports.handle = handler;

package/lib/assess/propagators/dustjs/escape-js.js

@@ -0,0 +1,22 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const { propagate } = require('../template-escape');
+
+function handler(data) {
+  propagate(data, 'javascript-encoded', 'dustjs-linkedin.escapeJs');
+}
+
+module.exports.handle = handler;

package/lib/assess/propagators/encode-uri/encode-uri-component.js

@@ -0,0 +1,22 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const { propagate } = require('../template-escape');
+
+function handler(data) {
+  propagate(data, 'url-encoded', 'global.encodeURIComponent');
+}
+
+module.exports.handle = handler;

package/lib/assess/propagators/encode-uri/encode-uri.js

@@ -0,0 +1,22 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const { propagate } = require('../template-escape');
+
+function handler(data) {
+  propagate(data, 'weak-url-encoded', 'global.encodeURI');
+}
+
+module.exports.handle = handler;

package/lib/assess/propagators/index.js

@@ -128,8 +128,6 @@ const generateHookWrappers = (agent, policyNode, key) => {
     } else {
       ({ pre, post } = provider.handle);
     }
-
-    propagatorDescriptor.provider = provider.handle;
   } else {
     // generic propagator
     post = new Propagator(agent, propagatorDescriptor);

package/lib/assess/propagators/joi/values.js

@@ -51,18 +51,9 @@ function instrumentJoiValues(values) {
         return;
       }
 
-      const resultIsString = _.isString(result.value);
-      const argIsString = _.isString(value);
-
       if (result.ref) {
-        // result === false means ref resolution failed
-        if (resultIsString && argIsString) {
-          const resolvedTrackData = tracker.getData(result.value);
-          const refTrackData = tracker.getData(value);
-          const handler = getRefHandler(resolvedTrackData, refTrackData);
-          handler && handler(data, resolvedTrackData, refTrackData);
-        }
-      } else if (resultIsString) {
+        handler(result.value, value, data);
+      } else if (_.isString(result.value)) {
         // use case is .valid() - safe
         tracker.untrack(result.value);
       }
@@ -70,6 +61,30 @@ function instrumentJoiValues(values) {
   });
 }
 
+const stringHandler = (resultValue, argValue, data) => {
+  const resultIsString = _.isString(resultValue);
+  const argIsString = _.isString(argValue);
+
+  if (resultIsString && argIsString) {
+    const resolvedTrackData = tracker.getData(resultValue);
+    const refTrackData = tracker.getData(argValue);
+    const handler = getRefHandler(resolvedTrackData, refTrackData);
+    handler && handler(data, resolvedTrackData, refTrackData);
+  }
+};
+
+const handler = (resultValue, argValue, data) => {
+  if (_.isString(resultValue)) {
+    return stringHandler(resultValue, argValue, data);
+  }
+
+  if (_.isObject(resultValue)) {
+    for (const [key, value] of Object.entries(resultValue)) {
+      handler(value, argValue[key], data);
+    }
+  }
+};
+
 /**
  * Depending on which values are tracked, ref and/or target, returns the
  * appropriate function to handle the scenario.

package/lib/assess/propagators/mustache/escape.js

@@ -0,0 +1,22 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const { propagate } = require('../template-escape');
+
+function handler(data) {
+  propagate(data, 'html-encoded', 'mustache.escape');
+}
+
+module.exports.handle = handler;

package/lib/assess/propagators/path/common.js

@@ -19,7 +19,6 @@ const TagRange = require('../../models/tag-range');
 const tagRangeUtil = require('../../models/tag-range/util');
 const tracker = require('../../../tracker');
 const path = require('path');
-let trackingSeparators;
 
 /**
  * Splits string by separator
@@ -31,8 +30,9 @@ let trackingSeparators;
  */
 function splitString(str, win32) {
   // windows treats both (forward and backward) slashes as separators
-  const posixRegEx = trackingSeparators ? /(?=\/)/g : /(\/)/g;
-  const win32RegEx = trackingSeparators ? /(?=[/\\])/g : /[/\\]/g;
+  const posixRegEx = /(?=\/)/g;
+  const win32RegEx = /(?=[/\\])/g;
+
   if (win32) {
     str = str.replace(/\//g, '\\').split(win32RegEx);
   } else {
@@ -55,29 +55,26 @@ function splitString(str, win32) {
  *
  * @param {Object} meta object of metadata from result/arg
  * @param {(segmentOffset: number) => boolean} meta.evaluator expression to determine the proper position of segment in string
- * @param {number} meta.offset offset of full arg from result of path.resolve
  * @param {string} meta.str result from path.resolve or arg
+ * @param {number} offset offset of full arg from result of path.resolve
  * @param {string} segment path segment from one of the args to path.resolve
  */
-function getSegmentOffset({ str, offset, evaluator }, segment, win32) {
+function getSegmentOffset({ str, evaluator }, offset, segment, win32) {
   // as the segments in each arg and in the result get traversed,
   // winnow away the string to ensure we are finding the proper
   // segment within the path
   const substr = str.substring(offset);
   let segmentOffset = substr.indexOf(segment);
   // If tracking separators, evaluator will fail on extensions
-  if (trackingSeparators && substr === `.${segment}`) {
+  if (substr === `.${segment}`) {
     return segmentOffset + offset;
   }
   // Adjust offset if the segment does not start with a separator
   const { sep } = path[win32 ? 'win32' : 'posix'];
-  if (
-    trackingSeparators &&
-    substr.startsWith(sep) &&
-    !segment.startsWith(sep)
-  ) {
+  if (substr.startsWith(sep) && !segment.startsWith(sep)) {
     segmentOffset--;
   }
+
   return evaluator(segmentOffset) ? segmentOffset + offset : -1;
 }
 
@@ -90,7 +87,12 @@ function getSegmentOffset({ str, offset, evaluator }, segment, win32) {
  */
 function isWithinTag(str, start, tag) {
   const stop = str.length - 1 + start;
-  return tag.overlaps({ start, stop, tag: tag.tag });
+
+  return (
+    (stop <= tag.stop && stop >= tag.start) ||
+    (start >= tag.start && start <= tag.stop) ||
+    (tag.start >= start && tag.start <= stop)
+  );
 }
 
 /**
@@ -103,6 +105,7 @@ function isWithinTag(str, start, tag) {
  */
 function adjustStart({ tag, argOffset, offset }) {
   const start = tag.start - argOffset;
+
   return start > 0 ? start + offset : offset;
 }
 
@@ -154,16 +157,13 @@ function maybeUpdateResultMeta({ index, arg, resultMeta }) {
 }
 
 /**
- * Encapsulates moving the resultOffset based on a segment
+ * Calculates a new offset based on a segment
  *
- * @param {Object} resultMeta metadata from result of path.resolve
- * @param {Object} argMeta metadata for a given argument
+ * @param {Object} offset offset of the object
  * @param {string} segment path segment from one of the args to path.resolve
  */
-function calculateNewOffset(resultMeta, argMeta, segment) {
-  const separatorOffset = trackingSeparators ? 0 : 1;
-  resultMeta.offset = resultMeta.offset + segment.length + separatorOffset;
-  argMeta.offset = argMeta.offset + segment.length + separatorOffset;
+function calculateNewOffset(offset, segment) {
+  return offset + segment.length;
 }
 
 /**
@@ -173,10 +173,89 @@ function calculateNewOffset(resultMeta, argMeta, segment) {
  * @param {string} segment path segment to check
  * @return {boolean}
  */
-function applicableSegment(segment) {
+function isApplicableSegment(segment) {
   return segment !== '.' && segment !== '..' && segment !== '';
 }
 
+/**
+ * Filters invalid segments like those that are not part of the end result.
+ * It also calculates additional offset.
+ *
+ * @param {*} segments splitted path into segments
+ * @param {Object} resultMeta metadata from result of path.resolve
+ * @param {Object} data the data object of the propagate function
+ * @param {number} index the iteration index
+ * @param {boolean} win32 indicating win32 to replace `/` with `\'
+ */
+function filterSegmentsAndCalculateOffset(
+  segments,
+  resultMeta,
+  data,
+  index,
+  win32
+) {
+  const { sep } = path[win32 ? 'win32' : 'posix'];
+  const isFirstIteration = index === 0;
+  const validSegments = [];
+  let additionalOffset = 0;
+
+  segments.reduce(
+    // eslint-disable-next-line complexity
+    (accumulator, segment) => {
+      let hasChange = false;
+      if (!isApplicableSegment(segment)) return accumulator;
+
+      if (!accumulator.isModified && !isFirstIteration) {
+        const previousArg = data.args[index - 1];
+
+        const sepAdded = !segment.startsWith(sep) && !previousArg.endsWith(sep);
+        const sepTaken = segment.startsWith(sep) && previousArg.endsWith(sep);
+        accumulator.isModified = sepAdded || sepTaken;
+        hasChange = sepAdded || sepTaken;
+        additionalOffset = hasChange ? (sepAdded ? 1 : -1) : 0;
+      }
+
+      const offset = getSegmentOffset(
+        resultMeta,
+        accumulator.offset + additionalOffset + accumulator.fileDotSeparator,
+        segment,
+        win32
+      );
+
+      // no reason to proceed if segment is not in final result
+      if (offset === -1) {
+        if (hasChange) {
+          additionalOffset = 0;
+          accumulator.isModified = false;
+        }
+
+        return accumulator;
+      }
+
+      // in case we have a file we need to increment the offset
+      if (resultMeta.str[offset + segment.length] === '.') {
+        accumulator.fileDotSeparator = 1;
+      }
+
+      validSegments.push(segment);
+      accumulator.offset = calculateNewOffset(accumulator.offset, segment);
+      accumulator.isModified = true;
+
+      return accumulator;
+    },
+    {
+      offset: resultMeta.offset,
+      fileDotSeparator: 0,
+      isModified: false
+    }
+  );
+
+  return {
+    additionalOffset,
+    segments: validSegments
+  };
+}
+
 /**
  * Moves the tag ranges properly based on if a path segment exists in the
  * result
@@ -184,43 +263,66 @@ function applicableSegment(segment) {
  * @param {Object} resultMeta metadata for the result
  * @param {Object} argMeta meta for a given argument
  * @param {boolean} win32 indicating win32 to replace `/` with `\'
+ * @param {Object} data the data object of the propagate function
+ * @param {number} index the iteration index
  */
-function adjustTagsToPart(resultMeta, argMeta, win32) {
+function adjustTagsToPart(resultMeta, argMeta, win32, data, index) {
   const { str, tagRanges } = argMeta;
-  const segments = splitString(str, win32);
-  const newTags = [];
-  segments.forEach((segment) => {
-    if (!applicableSegment(segment)) {
-      return;
-    }
-    const offset = getSegmentOffset(resultMeta, segment, win32);
-    // no reason to proceed if segment is not in final result
-    if (offset === -1) {
-      return;
-    }
+  const { segments, additionalOffset } = filterSegmentsAndCalculateOffset(
+    splitString(str, win32),
+    resultMeta,
+    data,
+    index,
+    win32
+  );
+
+  // updating the offset
+  resultMeta.offset += additionalOffset;
+
+  return segments.reduce((newTags, segment) => {
+    const offset = getSegmentOffset(
+      resultMeta,
+      resultMeta.offset,
+      segment,
+      win32
+    );
+
+    const argOffset = getSegmentOffset(argMeta, argMeta.offset, segment, win32);
 
-    const argOffset = getSegmentOffset(argMeta, segment, win32);
+    // updating the offset
+    resultMeta.offset = calculateNewOffset(resultMeta.offset, segment);
+    argMeta.offset = calculateNewOffset(argMeta.offset, segment);
 
-    calculateNewOffset(resultMeta, argMeta, segment);
+    // in case we have a file we need to increment the offset
+    if (resultMeta.str[offset + segment.length] === '.') {
+      resultMeta.offset += 1;
+    }
 
     tagRanges.forEach((tag) => {
-      if (isWithinTag(segment, argOffset, tag)) {
-        const start = adjustStart({ tag, argOffset, offset });
-        const stop = adjustStop({ tag, argOffset, offset, segment });
+      if (!isWithinTag(segment, argOffset, tag)) return;
 
-        newTags.push(new TagRange(start, stop, tag.tag));
-      }
+      const start = adjustStart({
+        tag,
+        argOffset,
+        offset
+      });
+      const stop = adjustStop({
+        tag,
+        argOffset,
+        offset,
+        segment
+      });
+
+      newTags.push(new TagRange(start, stop, tag.tag));
     });
-  });
 
-  return newTags;
+    return newTags;
+  }, []);
 }
 
-function propagate({ resultMeta, data, win32, trackSeparators }) {
-  trackingSeparators = trackSeparators;
+function propagate({ resultMeta, data, win32 }) {
   if (!resultMeta.evaluator) {
-    resultMeta.evaluator = (segmentOffset) =>
-      segmentOffset === (trackingSeparators ? 0 : 1);
+    resultMeta.evaluator = (segmentOffset) => segmentOffset === 0;
   }
 
   data.args.forEach((arg, index) => {
@@ -234,13 +336,20 @@ function propagate({ resultMeta, data, win32, trackSeparators }) {
       tagRanges: argData.tracked ? argData.tagRanges : []
     };
 
-    const targetTagRanges = adjustTagsToPart(resultMeta, argMeta, win32);
+    const targetTagRanges = adjustTagsToPart(
+      resultMeta,
+      argMeta,
+      win32,
+      data,
+      index
+    );
 
     if (targetTagRanges.length > 0) {
       resultMeta.parents.push(argData.event);
       tagRangeUtil.addAllInPlace(resultMeta.tagRanges, targetTagRanges);
     }
   });
+
   trackResult(resultMeta, data);
 }
 

package/lib/assess/propagators/path/join.js

@@ -31,7 +31,11 @@ function hookPath(path) {
           resultMeta.offset = 0;
           resultMeta.evaluator = (segmentOffset) => segmentOffset === 0;
         }
-        propagate({ data, resultMeta, win32: os === 'win32' });
+        propagate({
+          data,
+          resultMeta,
+          win32: os === 'win32'
+        });
       }
     });
   }

package/lib/assess/propagators/path/normalize.js

@@ -46,8 +46,7 @@ module.exports.handle = function handle() {
           propagate({
             resultMeta,
             data,
-            win32: os === 'win32',
-            trackSeparators: true
+            win32: os === 'win32'
           });
         }
       });