npm - @contrast/agent - Versions diffs - 4.5.2 → 4.8.0 - Mend

@contrast/agent 4.5.2 → 4.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (666) hide show

package/lib/assess/propagators/joi/string-schema.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -79,29 +79,28 @@ function reTrackCoercedValue(coerce, rule) {
       }
       const argContrastProperties = tracker.getData(args[0]);
-      if (!argContrastProperties.tracked) {
+      if (!argContrastProperties) {
         return;
       }
-      const str = tracker.track(result.value);
-      const strContrastProperties = tracker.getData(str);
+      const tracked = tracker.track(result.value);
-      if (strContrastProperties.tracked) {
-        strContrastProperties.tagRanges = tagRangeUtil.add(
-          strContrastProperties.tagRanges,
-          new TagRange(0, str.length - 1, 'untrusted')
+      if (tracked) {
+        tracked.props.tagRanges = tagRangeUtil.add(
+          tracked.props.tagRanges,
+          new TagRange(0, tracked.str.length - 1, 'untrusted')
         );
-        strContrastProperties.event = createPropagationEvent({
+        tracked.props.event = createPropagationEvent({
           data,
           trackedArgsData: argContrastProperties,
-          tagRanges: strContrastProperties.tagRanges,
+          tagRanges: tracked.props.tagRanges,
           target: 'R',
           joiMethod: rule
         });
-      }
-      data.result = { value: str };
+        data.result = { value: tracked.str };
+      }
     }
   });
 }
@@ -120,13 +119,13 @@ function wrapRuleAsValidator(rules, rule, tagName) {
       }
       const argContrastProperties = tracker.getData(args[0]);
-      if (!argContrastProperties.tracked) {
+      if (!argContrastProperties) {
         return;
       }
       const strContrastProperties = tracker.getData(result);
-      if (strContrastProperties.tracked) {
+      if (strContrastProperties) {
         strContrastProperties.tagRanges = tagRangeUtil.add(
           strContrastProperties.tagRanges,
           new TagRange(0, result.length - 1, tagName)

package/lib/assess/propagators/joi/values.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -41,7 +41,7 @@ function instrumentJoiValues(values) {
     name: 'joi.values',
     patchType: ASSESS_PROPAGATOR,
     post(data) {
-      const {
+      let {
         args: [value],
         result
       } = data;
@@ -51,25 +51,40 @@ function instrumentJoiValues(values) {
         return;
       }
-      const resultIsString = _.isString(result.value);
-      const argIsString = _.isString(value);
       if (result.ref) {
-        // result === false means ref resolution failed
-        if (resultIsString && argIsString) {
-          const resolvedTrackData = tracker.getData(result.value);
-          const refTrackData = tracker.getData(value);
-          const handler = getRefHandler(resolvedTrackData, refTrackData);
-          handler && handler(data, resolvedTrackData, refTrackData);
-        }
-      } else if (resultIsString) {
+        handler(result.value, value, data);
+      } else if (_.isString(result.value)) {
         // use case is .valid() - safe
-        tracker.untrack(result.value);
+        result.value = tracker.untrack(result.value) || result.value;
       }
     }
   });
 }
+const stringHandler = (resultValue, argValue, data) => {
+  const resultIsString = _.isString(resultValue);
+  const argIsString = _.isString(argValue);
+  if (resultIsString && argIsString) {
+    const resolvedTrackData = tracker.getData(resultValue);
+    const refTrackData = tracker.getData(argValue);
+    const handler = getRefHandler(resolvedTrackData, refTrackData);
+    handler && handler(data, resolvedTrackData, refTrackData);
+  }
+};
+const handler = (resultValue, argValue, data) => {
+  if (_.isString(resultValue)) {
+    return stringHandler(resultValue, argValue, data);
+  }
+  if (_.isObject(resultValue)) {
+    for (const [key, value] of Object.entries(resultValue)) {
+      handler(value, argValue[key], data);
+    }
+  }
+};
 /**
  * Depending on which values are tracked, ref and/or target, returns the
  * appropriate function to handle the scenario.
@@ -79,14 +94,14 @@ function instrumentJoiValues(values) {
  */
 function getRefHandler(resolvedTrackData, refTrackData) {
   // 4 Cases
-  if (!resolvedTrackData.tracked) {
-    if (!refTrackData.tracked) {
+  if (!resolvedTrackData) {
+    if (!refTrackData) {
       return null;
     } else {
       return handleRefOnlyTracked;
     }
   } else {
-    if (refTrackData.tracked) {
+    if (refTrackData) {
       return handleBothTracked;
     } else {
       return handleTargetOnlyTracked;
@@ -116,7 +131,7 @@ function handleTargetOnlyTracked(data, resolvedTrackData, refTrackData) {
  * @param {object} refTrackData tracking data for reference value
  */
 function handleBothTracked(data, resolvedTrackData, refTrackData) {
-  const {
+  let {
     args: [value, , prefs],
     result
   } = data;
@@ -127,8 +142,8 @@ function handleBothTracked(data, resolvedTrackData, refTrackData) {
   }
   if (result.ref.map) {
-    tracker.untrack(data.result.value);
-    tracker.untrack(value);
+    data.result.value = tracker.untrack(data.result.value) || data.result.value;
+    value = tracker.untrack(value) || value;
   } else {
     copyValidationHistory(resolvedTrackData, refTrackData);
     if (prefs.convert) {
@@ -145,7 +160,7 @@ function handleBothTracked(data, resolvedTrackData, refTrackData) {
  * @param {object} refTrackData tracking data for reference value
  */
 function handleRefOnlyTracked(data, resolvedTrackData, refTrackData) {
-  const {
+  let {
     args: [value, , prefs],
     result
   } = data;
@@ -164,8 +179,8 @@ function handleRefOnlyTracked(data, resolvedTrackData, refTrackData) {
   } else {
     // if map is used we can trust - like .valid()
     if (result.ref.map) {
-      if (!tracker.getData(result.value).tracked) {
-        tracker.untrack(value);
+      if (!tracker.getData(result.value)) {
+        value = tracker.untrack(value) || value;
       }
     } else {
       logger.debug(

package/lib/assess/propagators/manager.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -112,13 +112,14 @@ module.exports = function Propagator(agent, propagationDescriptor) {
     // move the tags to the result of propagator
     if (event.tagRanges.length > 0 && validTarget === data.result) {
-      data.result = tracker.track(data.result);
-      const resultContrastProperties = tracker.getData(data.result);
-      resultContrastProperties.tracked = true;
-      resultContrastProperties.tagRanges = event.tagRanges;
+      const tracked = tracker.track(data.result);
+      if (tracked) {
+        tracked.props.tagRanges = event.tagRanges;
+        tracked.props.event = event;
+        data.result = tracked.str;
+      }
       event.parents.push(...sourceEvents);
-      resultContrastProperties.event = event;
     }
     logger.trace('%s2%s %s --> %s', source, target, sources, [validTarget]);
   };
@@ -206,7 +207,7 @@ function createAppendTagRanges(data) {
   if (isString(data.obj)) {
     offset = data.obj.length;
     const sourceProps = tracker.getData(data.obj);
-    if (sourceProps.tracked) {
+    if (sourceProps) {
       tagRangeUtil.addAllInPlace(newTags, sourceProps.tagRanges);
     }
   }
@@ -214,7 +215,7 @@ function createAppendTagRanges(data) {
   for (const arg of data.args) {
     if (arg) {
       const props = tracker.getData(arg);
-      if (props.tracked) {
+      if (props) {
         tagRangeUtil.addAllWithOffsetInPlace(newTags, props.tagRanges, offset);
       }
@@ -339,7 +340,7 @@ function getSourcesMetadata(sources) {
 function isSourceTracked(sourceName, source) {
   if (source) {
     const contrastProperties = tracker.getData(source);
-    return contrastProperties.tracked;
+    return !!contrastProperties;
   }
   return false;
@@ -384,7 +385,7 @@ function getTrackedSources(sources, skipNested) {
 function isTargetTracked(target, hasTags) {
   if (hasTags) {
     const contrastProperties = tracker.getData(target);
-    return contrastProperties.tracked;
+    return !!contrastProperties;
   }
   return false;
@@ -457,7 +458,8 @@ function getValidSources(sources) {
     const sourceContrastProperties = tracker.getData(source);
     if (
       isString(source) &&
-      !(sourceContrastProperties && sourceContrastProperties.tracked)
+      (!sourceContrastProperties ||
+        (sourceContrastProperties && !sourceContrastProperties.tracked))
     ) {
       return false;
     }

package/lib/assess/propagators/mongoose/helpers.js ADDED Viewed

@@ -0,0 +1,20 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+const hasUserDefinedValidator = (data) =>
+  data.obj.validators.some((validator) => validator.type === 'user defined');
+module.exports = {
+  hasUserDefinedValidator
+};

package/lib/assess/propagators/mongoose/index.js ADDED Viewed

@@ -0,0 +1,18 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+module.exports.handle = () => {
+  require('./map');
+  require('./string');
+};

package/lib/assess/propagators/mongoose/map.js ADDED Viewed

@@ -0,0 +1,74 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const tracker = require('../../../tracker');
+const patcher = require('../../../hooks/patcher');
+const requireHook = require('../../../hooks/require');
+const tagRangeUtil = require('../../models/tag-range/util');
+const {
+  PATCH_TYPES: { ASSESS_PROPAGATOR }
+} = require('../../../constants');
+const TagRange = require('../../models/tag-range');
+const { CallContext, PropagationEvent, Signature } = require('../../models');
+const { hasUserDefinedValidator } = require('./helpers');
+const doValidateSyncPatcher = (SchemaMap) => {
+  patcher.patch(SchemaMap.prototype, 'doValidateSync', {
+    alwaysRun: true,
+    name: 'mongoose.map.doValidateSync',
+    patchType: ASSESS_PROPAGATOR,
+    post(data) {
+      if (data.result || data.obj.options.of.name !== 'String') return;
+      if (!hasUserDefinedValidator(data)) return;
+      for (const value of data.args[0].values()) {
+        const trackingData = tracker.track(value);
+        if (!trackingData) return;
+        const { props } = trackingData;
+        const stringLength = value.length - 1;
+        props.tagRanges = tagRangeUtil.add(
+          props.tagRanges,
+          new TagRange(0, stringLength, 'custom-validated-nosql-injection')
+        );
+        props.tagRanges = tagRangeUtil.add(
+          props.tagRanges,
+          new TagRange(0, stringLength, 'string-type-checked')
+        );
+        props.event = new PropagationEvent({
+          context: new CallContext(data),
+          signature: new Signature('mongoose.map.doValidateSync'),
+          tagRanges: props.tagRanges,
+          source: 'P',
+          target: 'A',
+          parents: [props.event]
+        });
+      }
+    }
+  });
+};
+requireHook.resolve(
+  { name: 'mongoose', file: 'lib/schema/map.js', version: '>=5.0.0' },
+  (SchemaMap) => {
+    doValidateSyncPatcher(SchemaMap);
+  }
+);

package/lib/assess/propagators/mongoose/string.js ADDED Viewed

@@ -0,0 +1,104 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const tracker = require('../../../tracker');
+const patcher = require('../../../hooks/patcher');
+const requireHook = require('../../../hooks/require');
+const tagRangeUtil = require('../../models/tag-range/util');
+const {
+  PATCH_TYPES: { ASSESS_PROPAGATOR }
+} = require('../../../constants');
+const TagRange = require('../../models/tag-range');
+const { CallContext, PropagationEvent, Signature } = require('../../models');
+const { hasUserDefinedValidator } = require('./helpers');
+const enumPatcher = (SchemaString) => {
+  patcher.patch(SchemaString.prototype, 'enum', {
+    alwaysRun: true,
+    name: 'mongoose.string.enum',
+    patchType: ASSESS_PROPAGATOR,
+    post(data) {
+      if (!data.result) return;
+      const enumValidator = data.result.validators.find(
+        (validator) => validator.type === 'enum'
+      );
+      if (!enumValidator) return;
+      patcher.patch(enumValidator, 'validator', {
+        alwaysRun: true,
+        name: 'mongoose.string.enumValidator',
+        patchType: ASSESS_PROPAGATOR,
+        post(data) {
+          if (!data.result) return;
+          tracker.untrack(data.args[0]);
+        }
+      });
+    }
+  });
+};
+const doValidateSyncPatcher = (SchemaString) => {
+  patcher.patch(SchemaString.prototype, 'doValidateSync', {
+    alwaysRun: true,
+    name: 'mongoose.string.doValidateSync',
+    patchType: ASSESS_PROPAGATOR,
+    post(data) {
+      if (data.result) return;
+      if (!hasUserDefinedValidator(data)) return;
+      const trackingData = tracker.track(data.args[0]);
+      if (!trackingData) return;
+      const { props } = trackingData;
+      const incomingStringLength = data.args[0].length - 1;
+      props.tagRanges = tagRangeUtil.add(
+        props.tagRanges,
+        new TagRange(
+          0,
+          incomingStringLength,
+          'custom-validated-nosql-injection'
+        )
+      );
+      props.tagRanges = tagRangeUtil.add(
+        props.tagRanges,
+        new TagRange(0, incomingStringLength, 'string-type-checked')
+      );
+      props.event = new PropagationEvent({
+        context: new CallContext(data),
+        signature: new Signature('mongoose.string.doValidateSync'),
+        tagRanges: props.tagRanges,
+        source: 'P',
+        target: 'A',
+        parents: [props.event]
+      });
+    }
+  });
+};
+requireHook.resolve(
+  { name: 'mongoose', file: 'lib/schema/string.js', version: '>=5.0.0' },
+  (SchemaString) => {
+    enumPatcher(SchemaString);
+    doValidateSyncPatcher(SchemaString);
+  }
+);

package/lib/assess/propagators/mustache/escape.js ADDED Viewed

@@ -0,0 +1,22 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const { propagate } = require('../template-escape');
+function handler(data) {
+  propagate(data, 'html-encoded', 'mustache.escape');
+}
+module.exports.handle = handler;

package/lib/assess/propagators/number.js ADDED Viewed

@@ -0,0 +1,54 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const tracker = require('../../tracker.js');
+const patcher = require('../../hooks/patcher.js');
+const { PATCH_TYPES } = require('../../constants');
+const tagRangeUtil = require('../models/tag-range/util');
+const TagRange = require('../models/tag-range');
+const ContrastNumber = require('../../core/rewrite/injections').get('Number');
+const { CallContext, PropagationEvent, Signature } = require('../models');
+function handle() {
+  ContrastNumber.enable();
+  patcher.patch(ContrastNumber.value, {
+    name: 'Number',
+    patchType: PATCH_TYPES.ASSESS_PROPAGATOR,
+    post(data) {
+      const trackingData = tracker.getData(data.args[0]);
+      if (!Number.isNaN(data.result) && trackingData) {
+        const { event } = trackingData;
+        trackingData.tagRanges = tagRangeUtil.add(
+          trackingData.tagRanges,
+          new TagRange(0, data.args[0].length - 1, 'limited-chars')
+        );
+        trackingData.event = new PropagationEvent({
+          context: new CallContext(data),
+          signature: new Signature('Number'),
+          tagRanges: trackingData.tagRanges,
+          source: 'P',
+          target: 'P',
+          parents: [event]
+        });
+      }
+    }
+  });
+}
+module.exports = { handle };

package/lib/assess/propagators/object.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -41,18 +41,17 @@ function handle() {
       }
       const argContrastProperties = tracker.getData(arg);
-      if (!argContrastProperties.tracked) {
+      if (!argContrastProperties) {
         return;
       }
-      const str = tracker.track(data.result);
-      const strContrastProperties = tracker.getData(str);
-      if (strContrastProperties.tracked) {
-        strContrastProperties.event = argContrastProperties.event;
-        strContrastProperties.tagRanges = strContrastProperties.tagRanges.concat(
+      const tracked = tracker.track(data.result);
+      if (tracked) {
+        tracked.props.event = argContrastProperties.event;
+        tracked.props.tagRanges = tracked.props.tagRanges.concat(
           argContrastProperties.tagRanges
         );
-        data.result = str;
+        data.result = tracked.str;
       }
     }
   });

package/lib/assess/propagators/path/basename.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -45,7 +45,7 @@ module.exports.handle = function handle() {
           if (!path || !data.result) return;
           const trackingData = tracker.getData(path);
-          if (!trackingData.tracked) return;
+          if (!trackingData) return;
           if (extension) {
             const extIndex = _path.lastIndexOf(extension);
@@ -68,19 +68,20 @@ module.exports.handle = function handle() {
           // no tags propagated to the result
           if (!tagRanges.length) return;
-          const result = tracker.track(data.result);
-          const resultData = tracker.getData(result);
           const parentEvent = trackingData.event;
-          resultData.tagRanges = tagRanges;
-          resultData.event = new PropagationEvent({
-            context: new CallContext(data),
-            parents: [parentEvent],
-            signature,
-            source: 'P',
-            tagRanges,
-            target: 'R'
-          });
-          data.result = result;
+          const tracked = tracker.track(data.result);
+          if (tracked) {
+            tracked.props.tagRanges = tagRanges;
+            tracked.props.event = new PropagationEvent({
+              context: new CallContext(data),
+              parents: [parentEvent],
+              signature,
+              source: 'P',
+              tagRanges,
+              target: 'R'
+            });
+            data.result = tracked.str;
+          }
         }
       });
     }

package/lib/assess/propagators/path/common.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -333,7 +333,7 @@ function propagate({ resultMeta, data, win32 }) {
       evaluator: (segmentOffset) => segmentOffset > -1,
       offset: 0,
       str: arg,
-      tagRanges: argData.tracked ? argData.tagRanges : []
+      tagRanges: argData ? argData.tagRanges : []
     };
     const targetTagRanges = adjustTagsToPart(