@contrast/agent 4.5.1 → 4.7.1

package/lib/assess/propagators/querystring/unescape.js

@@ -20,14 +20,15 @@ const qsUtils = require('./utils');
 
 function handler(data) {
   const input = data.args[0];
+  const trackedData = tracker.getData(input);
 
-  if (!input || !tracker.getData(input).tracked) {
+  if (!input || !trackedData) {
     return;
   }
 
   // adjust tag ranges
   const tagRanges = [];
-  tracker.getData(input).tagRanges.forEach((tag) => {
+  trackedData.tagRanges.forEach((tag) => {
     if (tag.tag === 'url-encoded') {
       return;
     }
@@ -37,22 +38,23 @@ function handler(data) {
     return;
   }
 
-  const trackedResult = tracker.track(data.result);
-  const trackData = tracker.getData(trackedResult);
-  trackData.tagRanges = tagRanges;
-  trackData.event = new PropagationEvent({
-    context: new CallContext({
-      ...data,
-      obj: null
-    }),
-    parents: [trackData.event],
-    signature: new Signature('querystring.unescape'),
-    source: 'P',
-    tagRanges,
-    target: 'R',
-    untags: ['url-encoded']
-  });
-  data.result = trackedResult;
+  const tracked = tracker.track(data.result);
+  if (tracked) {
+    tracked.props.tagRanges = tagRanges;
+    tracked.props.event = new PropagationEvent({
+      context: new CallContext({
+        ...data,
+        obj: null
+      }),
+      parents: [tracked.props.event],
+      signature: new Signature('querystring.unescape'),
+      source: 'P',
+      tagRanges,
+      target: 'R',
+      untags: ['url-encoded']
+    });
+    data.result = tracked.str;  
+  }
 }
 
 module.exports.handle = handler;

package/lib/assess/propagators/sequelize/sql-string-escape.js

@@ -35,7 +35,7 @@ module.exports.handle = function() {
         post(data) {
           const trackingData = tracker.getData(data.result);
 
-          if (!trackingData.tracked) {
+          if (!trackingData) {
             return;
           }
 

package/lib/assess/propagators/sequelize/sql-string-format-named-parameters.js

@@ -80,7 +80,7 @@ module.exports.handle = function() {
         patchType: PATCH_TYPES.ASSESS_PROPAGATOR,
         post(data) {
           const trackingData = tracker.getData(data.result);
-          if (!trackingData.tracked) {
+          if (!trackingData) {
             return;
           }
 

package/lib/assess/propagators/sequelize/sql-string-format.js

@@ -44,7 +44,7 @@ module.exports.handle = function() {
         post(data) {
           // else either the replacement value or a values in the array replacement is being tracked
           const trackingData = tracker.getData(data.result);
-          if (!trackingData.tracked) {
+          if (!trackingData) {
             return;
           }
 
@@ -59,7 +59,7 @@ module.exports.handle = function() {
           const len = positions.length; // micro optomized since used multiple times
 
           for (let i = 0; i < len; i++) {
-            const isTracked = tracker.getData(replacements[i]).tracked;
+            const props = tracker.getData(replacements[i]);
             // we don't need to run in a no instrumentation scope here since
             // patcher will do so automatically since we're in a post hook
             const escapedVal = getSequelizeString().escape(
@@ -69,7 +69,7 @@ module.exports.handle = function() {
               true // true is required to get format function behavior.
             );
 
-            if (isTracked) {
+            if (props && props.tracked) {
               tagRangeUtil.addInPlace(
                 trackingData.tagRanges,
                 new TagRange(

package/lib/assess/propagators/sequelize/utils.js

@@ -22,8 +22,8 @@ const tracker = require('../../../tracker');
  */
 module.exports.isTracked = function isTracked(value) {
   return Array.isArray(value)
-    ? value.some((v) => typeof v === 'string' && tracker.getData(v).tracked)
-    : tracker.getData(value).tracked;
+    ? value.some((v) => typeof v === 'string' && tracker.getData(v))
+    : !!tracker.getData(value);
 };
 
 /**

package/lib/assess/propagators/string-prototype-replace.js

@@ -115,13 +115,13 @@ function getTrackData(callContext) {
   };
 
   const objData = tracker.getData(callContext.obj);
-  if (objData.tracked) {
+  if (objData) {
     trackData.objData = objData;
     trackData.resultTagRanges = objData.tagRanges.map((r) => r.clone());
   }
 
   const replacerData = tracker.getData(callContext.args[1]);
-  if (replacerData.tracked) {
+  if (replacerData) {
     trackData.replacerData = replacerData;
   }
 
@@ -243,7 +243,7 @@ function getReplacementAndCaptureDynamicTags({ callContext, args }) {
     // Allow propagation within replacer function so we can track return value.
     _replacer = invokeReplacer({ callContext, args, replacer });
     const data = tracker.getData(_replacer);
-    if (data.tracked) {
+    if (data) {
       trackData.dynamicTagRanges = data.tagRanges;
       trackData.dynamicEvents.add(data.event);
     } else {
@@ -297,7 +297,7 @@ function wrapOriginalReplacerArguments({ callContext, args }) {
   // Only wrap arguments that are used by replacer,
   for (let idx = 0; idx < replacer.length; idx++) {
     // and only track if needed
-    if (tracker.getData(args[idx]).tracked) {
+    if (tracker.getData(args[idx])) {
       continue;
     }
     trackReplacerArgAtPath({
@@ -330,20 +330,21 @@ function trackReplacerArgAtPath({ callContext, target, path, tagRanges }) {
         continue;
       }
 
-      const result = tracker.track(_result);
-      const trackData = tracker.getData(result);
-      // TODO: Improve accuracy here by deriving actual ranges from source,
-      // rather than applying "blanket" ranges the length of argument.
-      const tagRange = new TagRange(0, result.length - 1, tag);
-      trackData.tagRanges.push(tagRange);
-      trackData.event = createPropagationEvent({
-        callContext,
-        tagRanges: [tagRange],
-        result
-      });
-
-      captured.add(tag);
-      target[path] = result;
+      const tracked = tracker.track(_result);
+      if (tracked) {
+        // TODO: Improve accuracy here by deriving actual ranges from source,
+        // rather than applying "blanket" ranges the length of argument.
+        const tagRange = new TagRange(0, tracked.str.length - 1, tag);
+        tracked.props.tagRanges.push(tagRange);
+        tracked.props.event = createPropagationEvent({
+          callContext,
+          tagRanges: [tagRange],
+          result: tracked.str
+        });
+
+        captured.add(tag);
+        target[path] = tracked.str;
+      }
     }
   } else if (_.isObject(_result)) {
     for (const path of Object.keys(_result)) {
@@ -582,20 +583,21 @@ function trackFinalResult(callContext) {
     return;
   }
 
-  if (tracker.getData(callContext.result).tracked) {
+  if (tracker.getData(callContext.result)) {
     return;
   }
 
-  const result = tracker.track(callContext.result);
-  callContext.result = result;
+  const tracked = tracker.track(callContext.result);
 
-  const resultData = tracker.getData(result);
-  resultData.event = createPropagationEvent({
-    callContext,
-    tagRanges: trackData.resultTagRanges,
-    result
-  });
-  resultData.tagRanges = trackData.resultTagRanges;
+  if (tracked) {
+    tracked.props.event = createPropagationEvent({
+      callContext,
+      tagRanges: trackData.resultTagRanges,
+      result: tracked.str
+    });
+    tracked.props.tagRanges = trackData.resultTagRanges;  
+    callContext.result = tracked.str;
+  }
 }
 
 /**

package/lib/assess/propagators/string-prototype-split.js

@@ -164,28 +164,27 @@ module.exports.handle = {
           if (tagStart !== null) {
             newTagRanges.push(new TagRange(tagStart, tagStop, tag.tag));
             const tracked = tracker.track(stringPart);
-            const props = tracker.getData(tracked);
-            if (!props.tagRanges) {
-              props.tagRanges = [];
+            if (tracked) {
+              tracked.props.tagRanges.push(new TagRange(tagStart, tagStop, tag.tag));
+              result[i] = tracked.str;  
             }
-            props.tagRanges.push(new TagRange(tagStart, tagStop, tag.tag));
-            result[i] = tracked;
           }
         });
         if (newTagRanges.length > 0) {
           const tracked = tracker.track(stringPart);
-          const props = tracker.getData(tracked);
-          props.tagRanges = newTagRanges;
-          result[i] = tracked;
-          const event = new PropagationEvent({
-            context: ctxt,
-            signature: sig,
-            tagRanges: tracked.tagRanges,
-            source: 'O',
-            target: 'R'
-          });
-          event.parents.push(oldEvent);
-          props.event = event;
+          if (tracked) {
+            tracked.props.tagRanges = newTagRanges;
+            result[i] = tracked.str;
+            const event = new PropagationEvent({
+              context: ctxt,
+              signature: sig,
+              tagRanges: tracked.props.tagRanges,
+              source: 'O',
+              target: 'R'
+            });
+            event.parents.push(oldEvent);
+            tracked.props.event = event;
+          }
         }
       }
       data.result = result;
@@ -225,21 +224,21 @@ function handleEmptySeperator(data, oldTagRanges, oldEvent) {
       if (sharedCharInfo.has(i)) {
         info = sharedCharInfo.get(i);
       } else {
-        const trackedString = tracker.track(char);
-        const trackedProperties = tracker.getData(trackedString);
-
-        const event = new PropagationEvent({
-          context: ctxt,
-          signature: sig,
-          tagRanges: getTagRanges(trackedString),
-          source: 'O',
-          target: 'R'
-        });
-
-        trackedProperties.event = event;
-        info = { event, tagRanges: trackedProperties.tagRanges };
-        sharedCharInfo.set(i, info);
-        result[i] = trackedString;
+        const tracked = tracker.track(char);
+        if (tracked) {
+          const event = new PropagationEvent({
+            context: ctxt,
+            signature: sig,
+            tagRanges: getTagRanges(tracked.str),
+            source: 'O',
+            target: 'R'
+          });
+  
+          tracked.props.event = event;
+          info = { event, tagRanges: tracked.props.tagRanges };
+          sharedCharInfo.set(i, info);
+          result[i] = tracked.str;  
+        }
       }
 
       info.tagRanges.push(new TagRange(0, 0, tag.tag));
@@ -257,10 +256,11 @@ function transferTracking(origString, resultArray) {
 
   for (let i = 0; i < resultArray.length; i++) {
     const tracked = tracker.track(resultArray[i]);
-    const trackedProperties = tracker.getData(tracked);
-    trackedProperties.tagRanges = getTagRanges(origString);
-    trackedProperties.event = getEvent(origString);
-    resultArray[i] = tracked;
+    if (tracked) {
+      tracked.props.tagRanges = getTagRanges(origString);
+      tracked.props.event = getEvent(origString);
+      resultArray[i] = tracked.str;  
+    }
   }
   return resultArray;
 }

package/lib/assess/propagators/string-prototype-trim.js

@@ -25,7 +25,7 @@ const signature = new Signature('String.prototype.trim');
 function handle(data) {
   const { obj, result } = data;
   const sourceMetadata = tracker.getData(obj);
-  if (!sourceMetadata.tracked) {
+  if (!sourceMetadata) {
     return;
   }
 
@@ -43,21 +43,19 @@ function handle(data) {
   }
 
   const tracked = tracker.track(result);
-  const trackedData = tracker.getData(tracked);
-  if (!trackedData.tracked) {
-    return;
+  if (tracked) {
+    tracked.props.tagRanges = targetRanges;
+    const context = new CallContext(data);
+    const event = new PropagationEvent({
+      context,
+      signature,
+      tagRanges: targetRanges,
+      source: 'O',
+      target: 'R'
+    });
+    event.parents.push(sourceEvent);
+    tracked.props.event = event;
+  
+    data.result = tracked.str;  
   }
-  trackedData.tagRanges = targetRanges;
-  const context = new CallContext(data);
-  const event = new PropagationEvent({
-    context,
-    signature,
-    tagRanges: targetRanges,
-    source: 'O',
-    target: 'R'
-  });
-  event.parents.push(sourceEvent);
-  trackedData.event = event;
-
-  data.result = tracked;
 }

package/lib/assess/propagators/string.js

@@ -41,30 +41,26 @@ function handle() {
 
       // Checks if the string literal form of the new String object is tracked.
       // If so, we will want to copy the existing tag ranges below.
-      if (data.obj && !argData.tracked) {
+      if (data.obj && !argData) {
         argData = tracker.getData(data.result.toString());
       }
 
-      if (!arg || !argData.tracked) {
+      if (!arg || !argData) {
         return;
       }
 
-      const newStr = tracker.track(data.result);
-      const newStrData = tracker.getData(newStr);
+      const tracked = tracker.track(data.result);
+      if (tracked) {
+        // In a constructor context, data.obj is set to the new String object.
+        // When a new String object is instantiated we must copy the existing tag
+        // ranges from the string literal to the new String object.
+        if (data.obj) {
+          tracked.props.event = argData.event;
+          tracked.props.tagRanges = tracked.props.tagRanges.concat(argData.tagRanges);
+        }
 
-      if (!newStrData.tracked) {
-        return;
-      }
-
-      // In a constructor context, data.obj is set to the new String object.
-      // When a new String object is instantiated we must copy the existing tag
-      // ranges from the string literal to the new String object.
-      if (data.obj) {
-        newStrData.event = argData.event;
-        newStrData.tagRanges = newStrData.tagRanges.concat(argData.tagRanges);
+        data.result = tracked.str;
       }
-
-      data.result = newStr;
     }
   });
 }

package/lib/assess/propagators/template-escape.js

@@ -0,0 +1,87 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const tracker = require('../../tracker');
+const TagRange = require('../models/tag-range');
+const { CallContext, PropagationEvent, Signature } = require('../models');
+
+function getEscapedTagRanges(input, result, start, stop, tag) {
+  const textArr = input.split('').slice(start, stop + 1);
+  const escapedArr = result.split('');
+  const overlap = textArr.filter((x) => {
+    if (escapedArr.includes(x)) {
+      return x;
+    }
+  });
+  if (overlap.length === 0) {
+    return [];
+  }
+  const newTagRanges = [];
+  let firstIndex = escapedArr.indexOf(overlap[0]);
+  let currIndex = firstIndex;
+  let nextIndex;
+  for (let i = 1; i < overlap.length; i++) {
+    nextIndex = escapedArr.indexOf(overlap[i], currIndex + 1);
+    if (nextIndex !== currIndex + 1) {
+      newTagRanges.push(new TagRange(firstIndex, currIndex, tag));
+      firstIndex = nextIndex;
+    }
+    if (i === overlap.length - 1) {
+      newTagRanges.push(new TagRange(firstIndex, nextIndex, tag));
+    }
+    currIndex = nextIndex;
+  }
+  return newTagRanges;
+}
+
+function propagator(data, tagName, signatureName) {
+  const input = data.args[0];
+
+  const trackedData = tracker.getData(input);
+
+  if (!input || !trackedData) {
+    return;
+  }
+
+  // adjust tag ranges
+  const tagRanges = [];
+  trackedData.tagRanges.forEach((range) => {
+    const { start, stop, tag } = range;
+    tagRanges.push(
+      ...getEscapedTagRanges(input, data.result, start, stop, tag)
+    );
+  });
+  tagRanges.push(new TagRange(0, data.result.length - 1, tagName));
+  const tracked = tracker.track(data.result);
+  if (tracked) {
+    tracked.props.tagRanges = tagRanges;
+    tracked.props.event = new PropagationEvent({
+      context: new CallContext({
+        ...data,
+        obj: null
+      }),
+      parents: [tracked.props.event],
+      signature: new Signature(signatureName),
+      source: 'P',
+      target: 'R',
+      tagRanges,
+      tags: tagName
+    });
+    data.result = tracked.str;  
+  }
+}
+
+module.exports.propagate = propagator;

package/lib/assess/propagators/templates.js

@@ -21,10 +21,9 @@ const tracker = require('../../tracker.js');
 
 const { PropagationEvent, Signature, CallContext } = require('../models');
 const { isString } = require('../../util/is-string');
+const injections = require('../../core/rewrite/injections');
 
-const ContrastMethods = require('../../core/rewrite/injections').get(
-  'ContrastMethods'
-);
+const ContrastMethods = injections.get('ContrastMethods');
 
 /**
  * In order to propagate through template literals, we leverage rewriting to
@@ -76,17 +75,17 @@ function __contrastTag(...args) {
   });
 
   if (tagRanges.length > 0) {
-    result = tracker.track(result);
-    const resultContrastProperties = tracker.getData(result);
-    if (resultContrastProperties.tracked) {
+    const tracked = tracker.track(result);
+    if (tracked) {
       buildProperties(
-        resultContrastProperties,
+        tracked.props,
         tagRanges,
         expressions,
-        result,
+        tracked.str,
         strings,
         sourceEvents
       );
+      result = tracked.str;
     }
   }
 
@@ -144,18 +143,18 @@ function buildProperties(props, tagRanges, exps, result, strings, events) {
  */
 function moveTags(exp, sourceEvents, tagRanges, offset) {
   const contrastProperties = tracker.getData(exp);
-  const tracked = contrastProperties.tracked || tagRanges.length > 0;
+  const tracked = contrastProperties || tagRanges.length > 0;
   if (!tracked) {
     return tagRanges;
   }
 
-  const event = contrastProperties.tracked && contrastProperties.event;
+  const event = contrastProperties && contrastProperties.event;
   if (event) {
     sourceEvents.push(event);
   }
 
   let newTagRanges = [];
-  if (contrastProperties.tracked) newTagRanges = contrastProperties.tagRanges;
+  if (contrastProperties) newTagRanges = contrastProperties.tagRanges;
 
   return tagRangeUtil.addAllWithOffset(tagRanges, newTagRanges, offset);
 }

package/lib/assess/propagators/url/url-prototype-parse.js

@@ -45,7 +45,7 @@ function handle(data) {
   const address = data.args[0];
   const sourceMetadata = tracker.getData(address);
 
-  if (!sourceMetadata.tracked) {
+  if (!sourceMetadata) {
     return;
   }
 
@@ -71,9 +71,8 @@ function propagate(sourceMetadata, address, data) {
 
     if (part && typeof part === 'string' && part !== '') {
       const tracked = tracker.track(part);
-      const trackedData = tracker.getData(tracked);
 
-      if (!trackedData.tracked) {
+      if (!tracked) {
         continue;
       }
 
@@ -105,10 +104,10 @@ function propagate(sourceMetadata, address, data) {
       );
       event.parents.push(sourceEvent);
 
-      trackedData.tagRanges = targetTagRanges;
-      trackedData.event = event;
+      tracked.props.tagRanges = targetTagRanges;
+      tracked.props.event = event;
 
-      url[key] = tracked;
+      url[key] = tracked.str;
     }
   }
 }