@contrast/agent 4.5.1 → 4.7.1

package/bin/VERSION

@@ -1 +1 @@
-2.27.3
+2.28.5

package/lib/assess/membrane/deserialization-membrane.js

@@ -58,19 +58,18 @@ class DeserializationMembrane extends Membrane {
     });
 
     const tracked = tracker.track(str);
-    const strData = tracker.getData(tracked);
 
-    if (!strData.tracked) {
+    if (!tracked) {
       return str;
     }
 
-    strData.event = event;
+    tracked.props.event = event;
     event.parents.push(this.event);
-    strData.tagRanges = this.tagRanges.map(
+    tracked.props.tagRanges = this.tagRanges.map(
       (t) => new TagRange(0, str.length - 1, t.tag)
     );
 
-    return tracked;
+    return tracked.str;
   }
 }
 

package/lib/assess/membrane/source-membrane.js

@@ -13,7 +13,6 @@ Copyright: 2021 Contrast Security, Inc
   way not consistent with the End User License Agreement.
 */
 'use strict';
-const _ = require('lodash');
 
 const logger = require('../../core/logger')('contrast:source-membrane');
 const Membrane = require('./index');
@@ -39,14 +38,6 @@ const signature = new Signature({
   isModule: false
 });
 
-const numericCheck = /^[0-9]+$/;
-function isNumeric(input) {
-  // regex from validator.js/lib/isNumeric.js:
-  // https://github.com/validatorjs/validator.js/blob/master/lib/isNumeric.js
-  // do we want to allow symbols (plus/minus sign, decimal point?)
-  return numericCheck.test(input);
-}
-
 module.exports = class SourceMembrane extends Membrane {
   /**
    * @param {object} config agent config to use for array sampling.
@@ -72,9 +63,7 @@ module.exports = class SourceMembrane extends Membrane {
     if (cfg.array_request_sampling) {
       this.sample = cfg.array_request_sampling.enable;
       this.sampleThreshold = cfg.array_request_sampling.threshold;
-      this.sampleInterval = this.sample
-        ? cfg.array_request_sampling.interval
-        : 1;
+      this.sampleInterval = cfg.array_request_sampling.interval || 1;
     }
     // used when a reqSourceEvent must be created because an entire object
     // is being stringified but individual properties are not being referenced
@@ -147,7 +136,7 @@ module.exports = class SourceMembrane extends Membrane {
     if (!this.ensureMetadata(metadata)) {
       return str;
     }
-    const tracked = tracker.track2(str);
+    const tracked = tracker.track(str);
     if (!tracked) {
       return str;
     }
@@ -304,8 +293,7 @@ module.exports = class SourceMembrane extends Membrane {
   /**
    * The `TagRanges` returned  will include the `untrusted` tag. There will be
    * `exclusion:${ruleId}` tags for input exclusions pertaining to specific
-   * rules and whose name matches the property name described in metadata. And
-   * `limited-chars` tags are included if string is numeric.
+   * rules and whose name matches the property name described in metadata.
    * @param {string} str string being tracked by membrane
    * @param {object} metadata metadata about source type and key name
    * @returns {TagRange[]}
@@ -342,10 +330,6 @@ module.exports = class SourceMembrane extends Membrane {
       }
     }
 
-    if (isNumeric(str)) {
-      tagRanges.push(new TagRange(start, stop, 'limited-chars'));
-    }
-
     if (metadata.sourceType === 'header') {
       if (metadata.path.toLocaleLowerCase() !== 'referer') {
         tagRanges.push(new TagRange(start, stop, 'header'));
@@ -368,11 +352,6 @@ module.exports = class SourceMembrane extends Membrane {
   wrapArray(arr, metadata) {
     metadata.isArray = true;
 
-    // if not sampling, treat it as any object. not sampling has 100%
-    // accuracy.
-    if (!this.sample) {
-      return super.wrapArray(arr, metadata);
-    }
     // don't sample more than once
     if (this.wrappedArrays.has(arr)) {
       return arr;
@@ -380,16 +359,20 @@ module.exports = class SourceMembrane extends Membrane {
 
     const limit = Math.min(this.sampleThreshold, arr.length);
 
-    for (let i = 0; i < limit; i++) {
-      if (i % this.sampleInterval === 0 && arr[i]) {
-        const m = _.cloneDeep(metadata);
-        if (m.path) {
-          m.path += `[${i}]`;
-        } else {
-          m.path = `[${i}]`;
+    // if not sampling, treat it as any object. not sampling has 100% accuracy.
+    if (!this.sample || (limit === arr.length && this.sampleInterval === 1)) {
+      return super.wrapObject(arr, metadata);
+    } else if (!this.sampleThreshold) {
+      return arr;
+    } else {
+      const origPath = metadata.path;
+      for (let i = 0; i < limit; i += this.sampleInterval) {
+        if (arr[i]) {
+          const m = Object.assign({}, metadata);
+          m.path = origPath ? `${origPath}[${i}]` : `[${i}]`;
+          const wrapped = this.wrap(arr[i], m);
+          arr[i] = wrapped;
         }
-
-        arr[i] = this.wrap(arr[i], m);
       }
     }
 

package/lib/assess/models/call-context.js

@@ -96,7 +96,7 @@ module.exports = class CallContext {
   }
 
   static isTracked(str) {
-    if (tracker.getData2(str)) {
+    if (tracker.getData(str)) {
       return true;
     }
     return !!(str && typeof str === 'object' && str[PROXY_TARGET]);

package/lib/assess/policy/propagators.json

@@ -40,10 +40,18 @@
       "enabled": true,
       "override": "./propagators/JSON/parse.js"
     },
+    "mongoose": {
+      "enabled": true,
+      "override": "./propagators/mongoose"
+    },
     "String": {
       "enabled": true,
       "override": "./propagators/string.js"
     },
+    "Number": {
+      "enabled": true,
+      "override": "./propagators/number.js"
+    },
     "Object": {
       "enabled": true,
       "override": "./propagators/object.js"
@@ -59,13 +67,15 @@
     },
     "mustache.escape": {
       "enabled": true,
-      "source": "P",
-      "target": "R",
-      "tags": ["html-encoded"],
-      "type": "overload",
-      "command": {
-        "type": "keep"
-      }
+      "provider": "./propagators/mustache/escape.js"
+    },
+    "dust.escapeHtml": {
+      "enabled": true,
+      "provider": "./propagators/dustjs/escape-html.js"
+    },
+    "dust.escapeJs": {
+      "enabled": true,
+      "provider": "./propagators/dustjs/escape-js.js"
     },
     "pug.compile": {
       "enabled": true,
@@ -329,23 +339,11 @@
     },
     "encodeURI": {
       "enabled": true,
-      "type": "overload",
-      "tags": ["weak-url-encoded"],
-      "source": "P",
-      "target": "R",
-      "command": {
-        "type": "keep"
-      }
+      "provider": "./propagators/encode-uri/encode-uri.js"
     },
     "encodeURIComponent": {
       "enabled": true,
-      "type": "overload",
-      "tags": ["url-encoded"],
-      "source": "P",
-      "target": "R",
-      "command": {
-        "type": "keep"
-      }
+      "provider": "./propagators/encode-uri/encode-uri-component.js"
     },
     "process.__add": {
       "enabled": true,

package/lib/assess/policy/rules.json

@@ -1157,7 +1157,7 @@
             "args": [
               {
                 "index": 0,
-                "disallowedTags": ["limited-chars", "alphanum-space-hyphen"],
+                "disallowedTags": ["limited-chars", "alphanum-space-hyphen", "custom-validated-nosql-injection"],
                 "requiredTags": ["untrusted"]
               }
             ]
@@ -1172,7 +1172,7 @@
             "args": [
               {
                 "index": 0,
-                "disallowedTags": [],
+                "disallowedTags": ["custom-validated-nosql-injection"],
                 "requiredTags": ["untrusted"]
               }
             ]
@@ -1371,6 +1371,11 @@
       "type": "http",
       "provider": "./sinks/hapi-16-xss"
     },
+    "reflected-xss_dustjs-linkedin": {
+      "enabled": true,
+      "type": "http",
+      "provider": "./sinks/dustjs-linkedin-xss"
+    },
     "reflected-xss": {
       "enabled": true,
       "type": "hook",

package/lib/assess/policy/signatures.json

@@ -20,6 +20,11 @@
       "methodName": "domainToUnicode",
       "isModule": true
     },
+    "template strings": {
+      "moduleName": "global",
+      "methodName": "ContrastMethods.__contrastTag",
+      "isModule": false
+    },
     "axios": {
       "moduleName": "axios",
       "methodName": "",
@@ -233,6 +238,16 @@
       "methodName": "escape",
       "isModule": true
     },
+    "dust.escapeHtml": {
+      "moduleName": "dustjs-linkedin",
+      "methodName": "escapeHtml",
+      "isModule": true
+    },
+    "dust.escapeJs": {
+      "moduleName": "dustjs-linkedin",
+      "methodName": "escapeJs",
+      "isModule": true
+    },
     "express.response.send": {
       "moduleName": "express",
       "version": ">=4.0.0",
@@ -632,6 +647,11 @@
       "methodName": "toNamespacedPath",
       "isModule": true
     },
+    "path.normalize": {
+      "moduleName": "path",
+      "methodName": "normalize",
+      "isModule": true
+    },
     "util.format": {
       "moduleName": "util",
       "methodName": "format",
@@ -1298,6 +1318,18 @@
       "methodName": "string.domain",
       "isModule": true
     },
+    "mongoose.string.doValidateSync": {
+      "moduleName": "mongoose",
+      "version": ">=5.0.0",
+      "methodName": "mongoose.string.doValidateSync",
+      "isModule": true
+    },
+    "mongoose.map.doValidateSync": {
+      "moduleName": "mongoose",
+      "version": ">=5.0.0",
+      "methodName": "mongoose.map.doValidateSync",
+      "isModule": true
+    },
     "v8.deserialize.serialize": {
       "moduleName": "v8",
       "methodName": "deserialize.serialize",
@@ -1307,6 +1339,16 @@
       "moduleName": "node-serialize",
       "methodName": "unserialize",
       "isModule": true
+    },
+    "dustjs-linkedin": {
+      "moduleName": "dustjs-linkedin",
+      "methodName": "pipe",
+      "isModule": true
+    },
+    "Number": {
+      "moduleName": "Number",
+      "methodName": "isNaN",
+      "isModule": false
     }
   }
 }

package/lib/assess/policy/util.js

@@ -89,6 +89,7 @@ utils.isRuleEnabled = function(ruleId) {
  * @param {boolean} enabled	What to set the enabled property to
  */
 utils.setEnabled = function(node, enabled) {
+  /*eslint no-prototype-builtins: "warn"*/
   if (node.hasOwnProperty('enabled')) {
     node.enabled = enabled;
     return true;
@@ -236,7 +237,7 @@ utils.patchRecursive = function(obj, hookOptions, depth) {
       }
     }
   } catch (e) {
-    logger.info(`unable to recurisvely patch ${e}`);
+    logger.info(`unable to recursively patch ${e}`);
   }
 
   return obj;

package/lib/assess/propagators/JSON/parse.js

@@ -41,7 +41,7 @@ module.exports.handle = function() {
     name: ContrastJSON.name,
     patchType: PATCH_TYPES.ASSESS_PROPAGATOR,
     post(data) {
-      const props = tracker.getData2(data.args[0]);
+      const props = tracker.getData(data.args[0]);
       const { result } = data;
       if (props && result) {
         const membrane = new DeserializationMembrane(data, props);

package/lib/assess/propagators/JSON/stringify.js

@@ -64,7 +64,7 @@ function getUntrustedSpaceProps(space) {
   }
   // otherwise if the space string is tracked then the entire json output inherits
   // the tracked string's tags.
-  const props = tracker.getData2(space);
+  const props = tracker.getData(space);
   if (!props || props.tagRanges.length === 0) {
     return null;
   }
@@ -185,7 +185,7 @@ module.exports.handle = function() {
        */
       function contrastReplacer(key, val) {
         let isTracked = false;
-        const valProperties = tracker.getData2(val);
+        const valProperties = tracker.getData(val);
         if (valProperties && valProperties.tagRanges.length) {
           data.metadata.propagate = true;
           isTracked = true;
@@ -256,7 +256,7 @@ module.exports.handle = function() {
         }
       }
 
-      const tracked = tracker.track2(data.result);
+      const tracked = tracker.track(data.result);
       if (!tracked) {
         return data.result;
       }

package/lib/assess/propagators/array-prototype-join.js

@@ -27,7 +27,7 @@ module.exports.handle = function handle(data) {
     return;
   }
 
-  // this handles join() andd join(undefined)
+  // this handles join() and join(undefined)
   const del = data.args[0] === undefined ? ',' : data.args[0];
 
   const parentEvents = [];
@@ -38,7 +38,7 @@ module.exports.handle = function handle(data) {
 
   let delimiterTracked = false;
 
-  if (delimiterProperties.tracked) {
+  if (delimiterProperties) {
     delimiterTracked = true;
     parentEvents.push(delimiterProperties.event);
     delimiterTagRanges.push(...delimiterProperties.tagRanges);
@@ -56,21 +56,20 @@ module.exports.handle = function handle(data) {
 
   if (delimiterTracked || elementTracked) {
     const tracked = tracker.track(data.result);
-    const metadata = tracker.getData(tracked);
-    if (!metadata.tracked) {
+    if (!tracked) {
       return;
     }
 
-    metadata.event = createEvent(
+    tracked.props.event = createEvent(
       data,
       resultTagRanges,
       parentEvents,
       delimiterTracked,
       elementTracked
     );
-    metadata.tagRanges = resultTagRanges;
+    tracked.props.tagRanges = resultTagRanges;
 
-    data.result = tracked;
+    data.result = tracked.str;
   }
 };
 
@@ -98,7 +97,7 @@ function propagateArrayData(
     const elem = array[i];
     const elemProperties = tracker.getData(elem);
 
-    if (elem && elemProperties.tracked) {
+    if (elem && elemProperties) {
       parentEvents.push(elemProperties.event);
 
       targetData.elementTracked = true;

package/lib/assess/propagators/common.js

@@ -62,7 +62,7 @@ const escapeRegExp = (str) => {
  */
 const addTagRangesWithOffset = (metadata, arg) => {
   const argData = tracker.getData(arg);
-  if (argData.tracked) {
+  if (argData) {
     tagRangeUtil.addAllWithOffsetInPlace(
       metadata.tagRanges,
       argData.tagRanges,
@@ -115,10 +115,12 @@ const createEvent = ({ tagRanges, method, parents }, data) => {
  */
 const trackResult = (metadata, data) => {
   if (metadata.tagRanges.length) {
-    data.result = tracker.track(data.result);
-    const trackedMeta = tracker.getData(data.result);
-    trackedMeta.tagRanges = metadata.tagRanges;
-    trackedMeta.event = createEvent(metadata, data);
+    const tracked = tracker.track(data.result);
+    if (tracked) {
+      tracked.props.tagRanges = metadata.tagRanges;
+      tracked.props.event = createEvent(metadata, data);  
+      data.result = tracked.str;
+    }
   }
 };
 

package/lib/assess/propagators/dustjs/escape-html.js

@@ -0,0 +1,22 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const { propagate } = require('../template-escape');
+
+function handler(data) {
+  propagate(data, 'html-encoded', 'dustjs-linkedin.escapeHtml');
+}
+
+module.exports.handle = handler;

package/lib/assess/propagators/dustjs/escape-js.js

@@ -0,0 +1,22 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const { propagate } = require('../template-escape');
+
+function handler(data) {
+  propagate(data, 'javascript-encoded', 'dustjs-linkedin.escapeJs');
+}
+
+module.exports.handle = handler;

package/lib/assess/propagators/encode-uri/encode-uri-component.js

@@ -0,0 +1,22 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const { propagate } = require('../template-escape');
+
+function handler(data) {
+  propagate(data, 'url-encoded', 'global.encodeURIComponent');
+}
+
+module.exports.handle = handler;

package/lib/assess/propagators/encode-uri/encode-uri.js

@@ -0,0 +1,22 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const { propagate } = require('../template-escape');
+
+function handler(data) {
+  propagate(data, 'weak-url-encoded', 'global.encodeURI');
+}
+
+module.exports.handle = handler;

package/lib/assess/propagators/handlebars-escape-expresssion.js

@@ -48,7 +48,7 @@ function patchUtilsExport(utilsExport) {
     alwaysRun: true,
     post(data) {
       const trackData = tracker.getData(data.result);
-      if (trackData.tracked) {
+      if (trackData) {
         trackData.tagRanges = tagRangeUtil.add(
           trackData.tagRanges,
           new TagRange(0, data.result.length - 1, 'html-encoded')

package/lib/assess/propagators/index.js

@@ -128,8 +128,6 @@ const generateHookWrappers = (agent, policyNode, key) => {
     } else {
       ({ pre, post } = provider.handle);
     }
-
-    propagatorDescriptor.provider = provider.handle;
   } else {
     // generic propagator
     post = new Propagator(agent, propagatorDescriptor);

package/lib/assess/propagators/joi/boolean.js

@@ -42,7 +42,7 @@ function instrumentJoiBoolean(boolean) {
         if (
           data.result &&
           typeof data.result.value === 'boolean' &&
-          trackingData.tracked
+          trackingData
         ) {
           const { event } = trackingData;
           trackingData.tagRanges = tagRangeUtil.add(

package/lib/assess/propagators/joi/expression.js

@@ -32,7 +32,7 @@ function instrumentJoiExpression(expression) {
     patchType: ASSESS_PROPAGATOR,
     post(data) {
       const trackingData = tracker.getData(data.args[0]);
-      if (trackingData.tracked && data.result._template) {
+      if (trackingData && data.result._template) {
         trackingData.tagRanges = tagRangeUtil.add(
           trackingData.tagRanges,
           new TagRange(0, data.args[0].length - 1, 'html-encoded')

package/lib/assess/propagators/joi/number.js

@@ -41,7 +41,7 @@ function instrumentJoiNumber(number) {
           data.result &&
           data.result.value &&
           !data.result.errors &&
-          trackingData.tracked
+          trackingData
         ) {
           const { event } = trackingData;
           trackingData.tagRanges = tagRangeUtil.add(

package/lib/assess/propagators/joi/string-base.js

@@ -37,7 +37,7 @@ function instrumentJoiString(string) {
       patchType: ASSESS_PROPAGATOR,
       post(data) {
         const trackingData = tracker.getData(data.args[0]);
-        if (data.result === undefined && trackingData.tracked) {
+        if (data.result === undefined && trackingData) {
           const { event } = trackingData;
           trackingData.tagRanges = tagRangeUtil.add(
             trackingData.tagRanges,