@contrast/agent 4.5.1 → 4.7.1

package/lib/assess/propagators/url/url-url.js

@@ -71,6 +71,9 @@ function setHostnamePortTags(urlObj, stack, args, sourceEvent) {
   }
 
   const hostData = tracker.getData(urlObj._contrast_host);
+  if (!hostData) {
+    return;
+  }
   const hostnameTags = tagRangeUtil.trim(hostData.tagRanges, 0, splitIndex - 1);
   const portTags = tagRangeUtil.trim(
     hostData.tagRanges,
@@ -81,21 +84,25 @@ function setHostnamePortTags(urlObj, stack, args, sourceEvent) {
 
   if (hostnameTags.length > 0) {
     const hostnameTracked = tracker.track(hostname);
-    tracker.getData(hostnameTracked).tagRanges = hostnameTags;
-    urlObj._contrast_hostname = hostnameTracked;
-    event = createEvent('url.URL', stack, hostnameTags, hostname, args, urlObj);
-    event.parents.push(sourceEvent);
-    event.tagRanges = hostnameTags;
-    tracker.getData(hostnameTracked).event = event;
+    if (hostnameTracked) {
+      hostnameTracked.props.tagRanges = hostnameTags;
+      urlObj._contrast_hostname = hostnameTracked.str;
+      event = createEvent('url.URL', stack, hostnameTags, hostname, args, urlObj);
+      event.parents.push(sourceEvent);
+      event.tagRanges = hostnameTags;
+      hostnameTracked.props.event = event;  
+    }
   }
   if (portTags.length > 0) {
     const portTracked = tracker.track(port);
-    tracker.getData(portTracked).tagRanges = portTags;
-    urlObj._contrast_port = portTracked;
-    event = createEvent('url.URL', stack, portTags, port, args, urlObj);
-    event.parents.push(sourceEvent);
-    event.tagRanges = portTags;
-    tracker.getData(portTracked).event = event;
+    if (portTracked) {
+      portTracked.props.tagRanges = portTags;
+      urlObj._contrast_port = portTracked.str;
+      event = createEvent('url.URL', stack, portTags, port, args, urlObj);
+      event.parents.push(sourceEvent);
+      event.tagRanges = portTags;
+      portTracked.props.event = event;  
+    }
   }
 }
 
@@ -136,26 +143,28 @@ function joinProperties(urlObj, sourceProps, separators) {
   }
 
   // copy tag ranges
-  const result = tracker.track(value);
   let valIdx = 0;
   sepIdx = 0;
   let tags = [];
 
   for (const prop of sourceProps) {
-    if (urlObj[`_contrast_${prop}`]) {
+    const trackedPropData = tracker.getData(urlObj[`_contrast_${prop}`]);
+    if (trackedPropData) {
       tags = tagRangeUtil.addAll(
         tags,
         offsetTagRanges(
-          tracker.getData(urlObj[`_contrast_${prop}`]).tagRanges,
+          trackedPropData.tagRanges,
           valIdx
         )
       );
     }
     valIdx += urlObj[prop].length + separators[sepIdx++].length;
   }
-
-  tracker.getData(result).tagRanges = tags;
-  return result;
+  const tracked = tracker.track(value);
+  if (tracked) {
+    tracked.props.tagRanges = tags;
+    return tracked.str;  
+  }
 }
 
 /**
@@ -172,7 +181,8 @@ function setOriginTags(urlObj, stack, args, sourceEvent) {
   //
 
   const trackedOrigin = joinProperties(urlObj, SET_ORIGIN_TAGS, ['//', '']);
-  if (tracker.getData(trackedOrigin).tagRanges.length === 0) {
+  const trackedOriginData = tracker.getData(trackedOrigin);
+  if (!trackedOriginData || trackedOriginData.tagRanges.length === 0) {
     return;
   }
   urlObj._contrast_origin = trackedOrigin;
@@ -180,14 +190,14 @@ function setOriginTags(urlObj, stack, args, sourceEvent) {
   const event = createEvent(
     'url.URL',
     stack,
-    tracker.getData(trackedOrigin).tagRanges,
+    trackedOriginData.tagRanges,
     trackedOrigin,
     args,
     urlObj
   );
   event.parents.push(sourceEvent);
-  event.tagRanges = tracker.getData(trackedOrigin).tagRanges;
-  tracker.getData(trackedOrigin).event = event;
+  event.tagRanges = trackedOriginData.tagRanges;
+  trackedOriginData.event = event;
 }
 
 /**
@@ -221,7 +231,7 @@ function setHrefTags(urlObj, stack, args, sourceEvent) {
 
   const joinedHref = joinProperties(urlObj, properties, separators);
   const joinedHrefData = tracker.getData(joinedHref);
-  if (joinedHrefData.tagRanges.length === 0) {
+  if (!joinedHrefData || joinedHrefData.tagRanges.length === 0) {
     return;
   }
   urlObj._contrast_href = joinedHref;
@@ -235,7 +245,7 @@ function setHrefTags(urlObj, stack, args, sourceEvent) {
   );
   event.parents.push(sourceEvent);
   event.tagRanges = joinedHrefData.tagRanges;
-  tracker.getData(urlObj._contrast_href).event = event;
+  joinedHrefData.event = event;
 }
 
 /**
@@ -300,21 +310,22 @@ function copyTagsSingleSource(sourceTagRanges, sourceEvent, data) {
     copied = true;
     const trackedKey = `_contrast_${key}`;
     const tracked = tracker.track(val);
-    const trackedData = tracker.getData(tracked);
-    trackedData.tagRanges = trimmed;
-    urlObj[trackedKey] = tracked;
-
-    // only create the stack once because stack creation is expensive
-    stack =
-      stack ||
-      stackFactory.createSnapshot({
-        constructorOpt: data.hooked
-      })();
-
-    event = createEvent('url.URL', stack, trimmed, val, args, urlObj);
-    event.parents.push(sourceEvent);
-    event.tagRanges = trimmed;
-    trackedData.event = event;
+    if (tracked) {
+      tracked.props.tagRanges = trimmed;
+      urlObj[trackedKey] = tracked.str;
+  
+      // only create the stack once because stack creation is expensive
+      stack =
+        stack ||
+        stackFactory.createSnapshot({
+          constructorOpt: data.hooked
+        })();
+  
+      event = createEvent('url.URL', stack, trimmed, val, args, urlObj);
+      event.parents.push(sourceEvent);
+      event.tagRanges = trimmed;
+      tracked.props.event = event;  
+    }
   }
 
   if (!copied) {
@@ -351,10 +362,7 @@ function callUnwrapped(input) {
  */
 function skipTracking(inputData, baseData) {
   // if neither input or base are tracked we can just skip tracking
-  if (
-    (!inputData.tracked && baseData && !baseData.tracked) ||
-    (!inputData.tracked && !baseData)
-  ) {
+  if (!inputData && !baseData) {
     return true;
   }
   return false;

package/lib/assess/propagators/util/format.js

@@ -266,7 +266,7 @@ const propagate = function propagate(util, data) {
   };
 
   const fmtStrMeta = tracker.getData(fmtStr);
-  if (fmtStrMeta.tracked) {
+  if (fmtStrMeta) {
     resultMeta.fmtStrTagRanges = fmtStrMeta.tagRanges.map((tagRange) =>
       tagRangeWithOriginals(
         new TagRange(tagRange.start, tagRange.stop, tagRange.tag)

package/lib/assess/propagators/v8/init-hooks.js

@@ -63,7 +63,7 @@ module.exports.handle = function handle() {
         if (tracked) {
           // it was behind a membrane
           data.result[TRACKED] = tracked;
-        } else if (tracker.getData2(data.args[0])) {
+        } else if (tracker.getData(data.args[0])) {
           // it was a tracked string
           data.result[TRACKED] = data.args[0];
         }
@@ -80,13 +80,13 @@ module.exports.handle = function handle() {
           return;
         }
 
-        const sTracking = tracker.getData2(tracked);
+        const sTracking = tracker.getData(tracked);
         // if the argument was a tracked string then the result should
         // have the same tags. i don't know that the length of a string
         // can change as a result of deserialize(serialize()) but best
         // to be safe.
         if (sTracking) {
-          const resultTracking = tracker.track2(data.result);
+          const resultTracking = tracker.track(data.result);
           if (!resultTracking) {
             // there's nothing to do if tracking failed on the result. it should
             // only do so on a zero-length string, but node works in mysterious ways.

package/lib/assess/propagators/validator/init-hooks.js

@@ -90,7 +90,7 @@ module.exports.handle = function() {
         function post(data) {
           if (data.result) {
             const trackingData = tracker.getData(data.args[0]);
-            if (trackingData.tracked) {
+            if (trackingData) {
               tagRangeUtil.addInPlace(
                 trackingData.tagRanges,
                 new TagRange(0, data.args[0].length - 1, validators[validator])
@@ -131,7 +131,7 @@ module.exports.handle = function() {
         function post(data) {
           if (data.result) {
             const trackingData = tracker.getData(data.args[0]);
-            if (trackingData.tracked) {
+            if (trackingData) {
               trackingData.tagRanges = [];
               trackingData.tracked = false;
             }
@@ -154,36 +154,36 @@ module.exports.handle = function() {
         function post(data) {
           // if not tracked then it can't be untrusted, so don't start
           // tracking this string.
-          if (!tracker.getData(data.args[0]).tracked) return;
+          const inputData = tracker.getData(data.args[0]);
+          if (!inputData) return;
 
           const tag = sanitizers[sanitizer];
-          // get existing tracker data
-          const inputData = tracker.getData(data.args[0]);
 
           // are the input and output of the sanitizer the same?
           if (data.args[0] !== data.result) {
             let needsTag = true;
             // the input and output strings are not the same. start tracking the output.
-            const result = tracker.track(data.result);
-            const resultData = tracker.getData(result);
+            const tracked = tracker.track(data.result);
             // copy the input tags to the result, adjusting the range.
-            const stop = data.result.length - 1;
-            for (let i = 0; i < inputData.tagRanges.length; i++) {
-              resultData.tagRanges[i] = new TagRange(
-                0,
-                stop,
-                inputData.tagRanges[i].tag
-              );
-              if (inputData.tagRanges[i].tag === tag) {
-                needsTag = false;
+            if (tracked) {
+              const stop = data.result.length - 1;
+              for (let i = 0; i < inputData.tagRanges.length; i++) {
+                tracked.props.tagRanges[i] = new TagRange(
+                  0,
+                  stop,
+                  inputData.tagRanges[i].tag
+                );
+                if (inputData.tagRanges[i].tag === tag) {
+                  needsTag = false;
+                }
               }
+              if (needsTag) {
+                tracked.props.tagRanges.push(
+                  new TagRange(0, stop, sanitizers[sanitizer])
+                );
+              }
+              data.result = tracked.str;
             }
-            if (needsTag) {
-              resultData.tagRanges.push(
-                new TagRange(0, stop, sanitizers[sanitizer])
-              );
-            }
-            data.result = result;
           } else {
             // the input and output strings are the same, so the output is already being
             // tracked. if the tag is already present adjust the bounds otherwise add the

package/lib/assess/sinks/common.js

@@ -78,7 +78,9 @@ module.exports = (agent) => {
     // get the tags, event from dataflow actions ONLY
     if (sinkType === DATAFLOW) {
       const contrastProps = tracker.getData(input);
-      ({ tagRanges, event } = contrastProps);
+      if (contrastProps) {
+        ({ tagRanges, event } = contrastProps);
+      }
     }
 
     const sink = new SinkEvent({
@@ -189,7 +191,7 @@ module.exports = (agent) => {
         ) {
           const trackData = tracker.getData(value);
 
-          if (!trackData.tracked) {
+          if (!trackData) {
             return;
           }
 
@@ -415,9 +417,12 @@ module.exports = (agent) => {
           : common.nonDataflowVulnerableCheck({ sink });
 
       const checkedArgs = isVulnCheck(stack, result, args);
-      return Array.isArray(checkedArgs)
-        ? reduceConditions(checkedArgs, conditions.mode)
-        : checkedArgs;
+      if (Array.isArray(checkedArgs) && checkedArgs.length > 0) {
+        const mode = conditions ? conditions.mode : 'and';
+        return reduceConditions(checkedArgs, mode);
+      } else {
+        return checkedArgs;
+      }
     };
 
     /**

package/lib/assess/sinks/dustjs-linkedin-xss.js

@@ -0,0 +1,131 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const patcher = require('../../hooks/patcher');
+const { PATCH_TYPES } = require('../../constants');
+const moduleHook = require('../../hooks/require');
+const { CallContext, Signature } = require('../models');
+const {
+  RULES: { REFLECTED_XSS }
+} = require('../../constants');
+
+const signature = new Signature({
+  moduleName: 'http.ClientResponse',
+  methodName: 'write',
+  isModule: true
+});
+const moduleName = 'dustjs-linkedin';
+
+class Handler {
+  constructor({ report, isVulnerable, requiredTags, xss: { disallowedTags } }) {
+    this._isVulnerable = isVulnerable;
+    this.report = report;
+    this.requiredTags = requiredTags;
+    this.disallowedTags = disallowedTags;
+  }
+
+  isVulnerable(input) {
+    const { requiredTags, disallowedTags } = this;
+    const ret = this._isVulnerable({
+      input,
+      ruleId: REFLECTED_XSS,
+      disallowedTags,
+      requiredTags
+    });
+    return ret;
+  }
+
+  handle() {
+    moduleHook.resolve({ name: moduleName }, (dust) =>
+      this.handleRequire(dust)
+    );
+  }
+
+  getType(obj) {
+    return obj && obj.constructor && obj.constructor.name;
+  }
+
+  isResponseType(typeName) {
+    return typeName === 'ServerResponse';
+  }
+
+  patchDust(dust) {
+    const self = this;
+    patcher.patch(dust, 'stream', {
+      name: moduleName,
+      patchType: PATCH_TYPES.ASSESS_SINK,
+      alwaysRun: true,
+      post(data) {
+        self.patchStream(data.result);
+      }
+    });
+  }
+
+  /**
+   * Patch the pipe method and check wether the stream is targeting a
+   * response instance. If so, add the instance to the set of streams
+   * we should follow.
+   */
+  patchStream(streamInstance) {
+    const self = this;
+    patcher.patch(streamInstance, 'pipe', {
+      name: 'dust.Stream.prototype',
+      patchType: PATCH_TYPES.ASSESS_SINK,
+      alwaysRun: true,
+      pre({ args: [maybeRes] }) {
+        self.patchStreamTarget(maybeRes);
+      }
+    });
+  }
+
+  patchStreamTarget(target) {
+    const self = this;
+    const typeName = self.getType(target);
+
+    if (self.isResponseType(typeName)) {
+      patcher.patch(target, 'write', {
+        name: 'dust.pipeTarget',
+        patchType: PATCH_TYPES.ASSESS_SINK,
+        alwaysRun: true,
+        post({ args: [str], hooked }) {
+          if (self.isVulnerable(str)) {
+            self.report({
+              ruleId: REFLECTED_XSS,
+              signature,
+              input: str,
+              ctxt: new CallContext({
+                obj: typeName,
+                args: [str],
+                result: str,
+                stackOpts: {
+                  constructorOpt: hooked
+                }
+              })
+            });
+          }
+        }
+      });
+    }
+  }
+
+  handleRequire(dust) {
+    this.patchDust(dust);
+    return dust;
+  }
+}
+
+module.exports = ({ common }) => new Handler(common);
+module.exports.Handler = Handler;

package/lib/assess/sinks/libxmljs-xxe.js

@@ -34,7 +34,7 @@ module.exports = ({ common, signature }) => ({
     }
 
     const contrastProps = tracker.getData(xmlString);
-    if (!contrastProps.tracked) {
+    if (!contrastProps) {
       return;
     }
 

package/lib/assess/sinks/mongodb.js

@@ -39,7 +39,8 @@ const ruleId = 'nosql-injection';
 const disallowedTags = [
   'limited-chars',
   'alphanum-space-hyphen',
-  'string-type-checked'
+  'string-type-checked',
+  'custom-validated-nosql-injection'
 ];
 const requiredTags = ['untrusted'];
 

package/lib/assess/sinks/ssrf-url.js

@@ -64,7 +64,7 @@ module.exports = ({ common: { isVulnerable } }) => {
 
     const contrastProps = tracker.getData(input);
 
-    if (!contrastProps.tracked) {
+    if (!contrastProps) {
       return false;
     }
 

package/lib/constants.js

@@ -108,8 +108,11 @@ const RULES = {
     'cmd-injection-semantic-chained-commands',
   CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS:
     'cmd-injection-semantic-dangerous-paths',
-  IP_DENYLIST: 'ip-blacklist',
+  IP_DENYLIST: 'ip-denylist',
   METHOD_TAMPERING: 'method-tampering',
+  // The following is not a known rule in TS and is only used by SR when
+  // reporting certain analysis results. We convert to nosqli before reporting
+  NOSQL_EXPANSION: 'nosql-expansion',
   NOSQL_INJECTION: 'nosql-injection',
   PATH_TRAVERSAL: 'path-traversal',
   REFLECTED_XSS: 'reflected-xss',

package/lib/core/arch-components/dynamodb.js

@@ -18,7 +18,6 @@ const agentEmitter = require('../../agent-emitter');
 const { PATCH_TYPES } = require('../../constants');
 const ModuleHook = require('../../hooks/require');
 const patcher = require('../../hooks/patcher');
-const _ = require('lodash');
 
 ModuleHook.resolve({ name: 'aws-sdk' }, (AWS) => {
   patcher.patch(AWS.DynamoDB.prototype, 'makeRequest', {
@@ -27,7 +26,7 @@ ModuleHook.resolve({ name: 'aws-sdk' }, (AWS) => {
     alwaysRun: true,
     post(ctx) {
       try {
-        const endpoint = _.get(this, 'endpoint');
+        const { endpoint } = this;
         agentEmitter.emit('architectureComponent', {
           vendor: 'DynamoDB',
           url: new URL(`${endpoint.protocol}//${endpoint.hostname}`).toString(),

package/lib/core/arch-components/dynamodbv3.js

@@ -0,0 +1,44 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const logger = require('../logger')('contrast:arch-component');
+const agentEmitter = require('../../agent-emitter');
+const { PATCH_TYPES } = require('../../constants');
+const ModuleHook = require('../../hooks/require');
+const patcher = require('../../hooks/patcher');
+
+function emitArchitectureComponent(endpoint) {
+  agentEmitter.emit('architectureComponent', {
+    vendor: 'DynamoDB',
+    url: new URL(`${endpoint.protocol}//${endpoint.hostname}`).toString(),
+    remoteHost: '',
+    remotePort: endpoint.port
+  });
+}
+
+ModuleHook.resolve({ name: '@aws-sdk/client-dynamodb' }, (AWS) => {
+  patcher.patch(AWS.DynamoDBClient.prototype, 'send', {
+    name: 'DynamoDBv3.arch_component',
+    patchType: PATCH_TYPES.ARCH_COMPONENT,
+    alwaysRun: true,
+    post(ctx) {
+      try {
+        this.config.endpoint().then(emitArchitectureComponent);
+      } catch (err) {
+        logger.warn('unable to report DynamoDB architecture component\n', err);
+      }
+    }
+  });
+});

package/lib/core/arch-components/index.js

@@ -17,3 +17,4 @@ require('./mysql');
 require('./sqlite3');
 require('./postgres');
 require('./dynamodb');
+require('./dynamodbv3');

package/lib/core/arch-components/rethinkdb.js

@@ -0,0 +1,53 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const agentEmitter = require('../../agent-emitter');
+const { PATCH_TYPES } = require('../../constants');
+const ModuleHook = require('../../hooks/require');
+const patcher = require('../../hooks/patcher');
+const logger = require('../logger')('contrast:arch-component');
+
+ModuleHook.resolve({ name: 'rethinkdb' }, (rethinkdb) => {
+  patcher.patch(rethinkdb, 'connect', {
+    name: 'rethinkdb.arch_component',
+    patchType: PATCH_TYPES.ARCH_COMPONENT,
+    alwaysRun: true,
+    post(ctx) {
+      ctx.result
+        .then((res) => {
+          if (res.open) {
+            const url =
+              res.host == 'localhost'
+                ? 'http://localhost'
+                : new URL(res.host).toString();
+            agentEmitter.emit('architectureComponent', {
+              vendor: 'RethinkDB',
+              url,
+              remotePort: res.port
+            });
+          } else {
+            logger.warn('unable to open RethinkDB connection');
+          }
+        })
+        .catch((err) => {
+          logger.warn(
+            'unable to report RethinkDB architecture component\n%o',
+            err
+          );
+        });
+    }
+  });
+});

package/lib/core/config/options.js

@@ -284,7 +284,7 @@ const agent = [
   {
     name: 'agent.node.array_request_sampling.enable',
     arg: '[false]',
-    default: true,
+    default: false,
     fn: castBoolean,
     desc: 'enable sampling of array members for dataflow'
   },
@@ -483,7 +483,8 @@ const agent = [
     arg: '<limit>',
     default: 10,
     fn: parseNum,
-    desc: 'set limit for stack trace size'
+    desc:
+      'set limit for stack trace size (larger limits will improve accuracy but increase memory usage)'
   },
   {
     name: 'agent.polling.app_activity_ms',

package/lib/core/rewrite/injections.js

@@ -131,6 +131,14 @@ const injections = {
       name: 'String',
       patchType: PATCH_TYPES.INJECTION
     })
+  ),
+  Number: new Injection(
+    'Number',
+    'ContrastNumber',
+    patcher.patch(global.Number, {
+      name: 'Number',
+      patchType: PATCH_TYPES.INJECTION
+    })
   )
 };
 

package/lib/core/stacktrace.js

@@ -15,11 +15,12 @@ Copyright: 2021 Contrast Security, Inc
 'use strict';
 
 const semver = require('semver');
+const agent = require('../agent');
 const process = require('process');
 const sourceMap = require('../util/source-map');
 const _isAgentPath = require('../util/is-agent-path');
 
-const STACK_TRACE_LIMIT = 25;
+const STACK_TRACE_LIMIT = agent.config.agent.stack_trace_limit;
 const EVAL_ORIGIN_REGEX = /\((.*?):(\d+):\d+\)/;
 const EVENTS_FILE = semver.gte(process.version, '16.0.0')
   ? 'node:events'