npm - @contrast/agent - Versions diffs - 4.6.0 → 4.9.0 - Mend

@contrast/agent 4.6.0 → 4.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (563) hide show

package/lib/assess/models/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/models/propagation-event.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/models/signature.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/models/sink-event.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/models/source-event.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -32,6 +32,7 @@ module.exports = class SourceEvent extends BaseEvent {
    * @param {boolean}     opts.isArray true if req.body is an array (from JSON body).
    */
   constructor({
+    code,
     context,
     name,
     signature,
@@ -43,6 +44,7 @@ module.exports = class SourceEvent extends BaseEvent {
     eventSources = [{ sourceType: type.toUpperCase(), sourceName: name }]
   } = {}) {
     super(context, signature, tagRanges);
+    this.code = code;
     this.target = target;
     this.eventSources = eventSources;
     this.parents = [];
@@ -65,6 +67,10 @@ module.exports = class SourceEvent extends BaseEvent {
   mapCustomMethods() {
     const type = this.eventSources[0].sourceType.toLowerCase();
     const name = this.eventSources[0].sourceName;
+    if (this.code) {
+      return;
+    }
     if (this.isRequestObject) {
       this.code = `const ${type} = req.${type}`;
     } else if (this.isArray) {

package/lib/assess/models/tag-range/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/models/tag-range/relationships.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/models/tag-range/util.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/policy/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/policy/init.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/policy/propagators.json CHANGED Viewed

@@ -40,10 +40,18 @@
       "enabled": true,
       "override": "./propagators/JSON/parse.js"
     },
+    "mongoose": {
+      "enabled": true,
+      "override": "./propagators/mongoose"
+    },
     "String": {
       "enabled": true,
       "override": "./propagators/string.js"
     },
+    "Number": {
+      "enabled": true,
+      "override": "./propagators/number.js"
+    },
     "Object": {
       "enabled": true,
       "override": "./propagators/object.js"
@@ -59,33 +67,15 @@
     },
     "mustache.escape": {
       "enabled": true,
-      "source": "P",
-      "target": "R",
-      "tags": ["html-encoded"],
-      "type": "overload",
-      "command": {
-        "type": "keep"
-      }
+      "provider": "./propagators/mustache/escape.js"
     },
     "dust.escapeHtml": {
       "enabled": true,
-      "source": "P",
-      "target": "R",
-      "tags": ["html-encoded"],
-      "type": "overload",
-      "command": {
-        "type": "keep"
-      }
+      "provider": "./propagators/dustjs/escape-html.js"
     },
     "dust.escapeJs": {
       "enabled": true,
-      "source": "P",
-      "target": "R",
-      "tags": ["javascript-encoded"],
-      "type": "overload",
-      "command": {
-        "type": "keep"
-      }
+      "provider": "./propagators/dustjs/escape-js.js"
     },
     "pug.compile": {
       "enabled": true,
@@ -349,23 +339,11 @@
     },
     "encodeURI": {
       "enabled": true,
-      "type": "overload",
-      "tags": ["weak-url-encoded"],
-      "source": "P",
-      "target": "R",
-      "command": {
-        "type": "keep"
-      }
+      "provider": "./propagators/encode-uri/encode-uri.js"
     },
     "encodeURIComponent": {
       "enabled": true,
-      "type": "overload",
-      "tags": ["url-encoded"],
-      "source": "P",
-      "target": "R",
-      "command": {
-        "type": "keep"
-      }
+      "provider": "./propagators/encode-uri/encode-uri-component.js"
     },
     "process.__add": {
       "enabled": true,

package/lib/assess/policy/rules.json CHANGED Viewed

@@ -1157,7 +1157,7 @@
             "args": [
               {
                 "index": 0,
-                "disallowedTags": ["limited-chars", "alphanum-space-hyphen"],
+                "disallowedTags": ["limited-chars", "alphanum-space-hyphen", "custom-validated-nosql-injection"],
                 "requiredTags": ["untrusted"]
               }
             ]
@@ -1172,7 +1172,7 @@
             "args": [
               {
                 "index": 0,
-                "disallowedTags": [],
+                "disallowedTags": ["custom-validated-nosql-injection"],
                 "requiredTags": ["untrusted"]
               }
             ]
@@ -1371,6 +1371,16 @@
       "type": "http",
       "provider": "./sinks/hapi-16-xss"
     },
+    "reflected-xss_dustjs-linkedin": {
+      "enabled": true,
+      "type": "http",
+      "provider": "./sinks/dustjs-linkedin-xss"
+    },
+    "nosql-injection-rethinkdb": {
+      "enabled": true,
+      "type": "http",
+      "provider": "./sinks/rethinkdb-nosql-injection"
+    },
     "reflected-xss": {
       "enabled": true,
       "type": "hook",
@@ -1399,6 +1409,30 @@
             ]
           }
         },
+        "express.response.push": {
+          "type": "dataflow",
+          "enabled": true,
+          "stackTrustedLibs": [],
+          "conditions": {
+            "mode": "or",
+            "args": [
+              {
+                "index": 0,
+                "disallowedTags": [
+                  "cookie",
+                  "header",
+                  "limited-chars",
+                  "alphanum-space-hyphen",
+                  "html-encoded",
+                  "sql-encoded",
+                  "url-encoded",
+                  "weak-url-encoded"
+                ],
+                "requiredTags": ["untrusted"]
+              }
+            ]
+          }
+        },
         "swig.compile": {
           "type": "dataflow",
           "enabled": true,

package/lib/assess/policy/signatures.json CHANGED Viewed

@@ -20,6 +20,11 @@
       "methodName": "domainToUnicode",
       "isModule": true
     },
+    "template strings": {
+      "moduleName": "global",
+      "methodName": "ContrastMethods.__contrastTag",
+      "isModule": false
+    },
     "axios": {
       "moduleName": "axios",
       "methodName": "",
@@ -249,6 +254,12 @@
       "methodName": "response.send",
       "isModule": true
     },
+    "express.response.push": {
+      "moduleName": "express",
+      "version": ">=4.0.0",
+      "methodName": "response.push",
+      "isModule": true
+    },
     "express.response.set": {
       "moduleName": "express",
       "version": ">=4.0.0",
@@ -642,6 +653,11 @@
       "methodName": "toNamespacedPath",
       "isModule": true
     },
+    "path.normalize": {
+      "moduleName": "path",
+      "methodName": "normalize",
+      "isModule": true
+    },
     "util.format": {
       "moduleName": "util",
       "methodName": "format",
@@ -1140,12 +1156,6 @@
       "methodName": "isMobilePhone",
       "isModule": true
     },
-    "validator.isMongoId": {
-      "moduleName": "validator",
-      "version": ">=13.0.0",
-      "methodName": "isMongoId",
-      "isModule": true
-    },
     "validator.isNumeric": {
       "moduleName": "validator",
       "version": ">=13.0.0",
@@ -1308,6 +1318,18 @@
       "methodName": "string.domain",
       "isModule": true
     },
+    "mongoose.string.doValidateSync": {
+      "moduleName": "mongoose",
+      "version": ">=5.0.0",
+      "methodName": "mongoose.string.doValidateSync",
+      "isModule": true
+    },
+    "mongoose.map.doValidateSync": {
+      "moduleName": "mongoose",
+      "version": ">=5.0.0",
+      "methodName": "mongoose.map.doValidateSync",
+      "isModule": true
+    },
     "v8.deserialize.serialize": {
       "moduleName": "v8",
       "methodName": "deserialize.serialize",
@@ -1317,6 +1339,16 @@
       "moduleName": "node-serialize",
       "methodName": "unserialize",
       "isModule": true
+    },
+    "dustjs-linkedin": {
+      "moduleName": "dustjs-linkedin",
+      "methodName": "pipe",
+      "isModule": true
+    },
+    "Number": {
+      "moduleName": "Number",
+      "methodName": "isNaN",
+      "isModule": false
     }
   }
 }

package/lib/assess/policy/util.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -89,6 +89,7 @@ utils.isRuleEnabled = function(ruleId) {
  * @param {boolean} enabled	What to set the enabled property to
  */
 utils.setEnabled = function(node, enabled) {
+  /*eslint no-prototype-builtins: "warn"*/
   if (node.hasOwnProperty('enabled')) {
     node.enabled = enabled;
     return true;
@@ -236,7 +237,7 @@ utils.patchRecursive = function(obj, hookOptions, depth) {
       }
     }
   } catch (e) {
-    logger.info(`unable to recurisvely patch ${e}`);
+    logger.info(`unable to recursively patch ${e}`);
   }
   return obj;

package/lib/assess/propagators/JSON/parse.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -41,7 +41,7 @@ module.exports.handle = function() {
     name: ContrastJSON.name,
     patchType: PATCH_TYPES.ASSESS_PROPAGATOR,
     post(data) {
-      const props = tracker.getData2(data.args[0]);
+      const props = tracker.getData(data.args[0]);
       const { result } = data;
       if (props && result) {
         const membrane = new DeserializationMembrane(data, props);

package/lib/assess/propagators/JSON/stringify.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -23,10 +23,16 @@ const crypto = require('crypto');
 const TagRange = require('../../models/tag-range');
 const tracker = require('../../../tracker.js');
 const { isString } = require('../../../util/is-string');
-const { PropagationEvent, Signature, CallContext } = require('../../models');
+const {
+  PropagationEvent,
+  Signature,
+  CallContext,
+  SourceEvent
+} = require('../../models');
 const ContrastJSON = require('../../../core/rewrite/injections').get('JSON');
 const Debraner = require('../../membrane/debraner');
 const { PROXY_TARGET } = require('../../../constants');
+const { trackedObjects } = require('../../sources/event-handler');
 const sig = new Signature({
   moduleName: 'JSON',
@@ -64,7 +70,7 @@ function getUntrustedSpaceProps(space) {
   }
   // otherwise if the space string is tracked then the entire json output inherits
   // the tracked string's tags.
-  const props = tracker.getData2(space);
+  const props = tracker.getData(space);
   if (!props || props.tagRanges.length === 0) {
     return null;
   }
@@ -125,6 +131,7 @@ function patchReplacer(replacer) {
 }
 let patched = false;
 module.exports.handle = function() {
   if (patched) {
     return;
@@ -136,7 +143,7 @@ module.exports.handle = function() {
     patchType: PATCH_TYPES.ASSESS_PROPAGATOR,
     pre(data) {
-      const [, , space] = data.args;
+      const [obj, , space] = data.args;
       let [input, replacer] = data.args;
       replacer = patchReplacer(replacer);
@@ -148,11 +155,24 @@ module.exports.handle = function() {
         spaceProps: undefined,
         target: undefined,
         membrane: undefined,
-        debraner: undefined
+        debraner: undefined,
+        sourcesMap: {}
       };
+      if (trackedObjects.has(obj)) {
+        const { type } = trackedObjects.get(obj);
+        data.metadata.sourcesMap[type] = obj;
+      }
       // is the argument behind a membrane? try getting { target, membrane }.
       const braned = input && input[PROXY_TARGET];
+      const isSourceObject = input && trackedObjects.has(input);
+      if (isSourceObject) {
+        data.metadata.propagate = true;
+      }
       // next two are used by the replacer function
       let safeKeys;
       if (braned) {
@@ -183,9 +203,17 @@ module.exports.handle = function() {
        * @param {string} key
        * @param {string} value
        */
+      // eslint-disable-next-line complexity
       function contrastReplacer(key, val) {
+        if (trackedObjects.has(obj)) {
+          const { type } = trackedObjects.get(obj);
+          if (!data.metadata.sourcesMap[type]) {
+            data.metadata.sourcesMap[type] = obj;
+          }
+        }
         let isTracked = false;
-        const valProperties = tracker.getData2(val);
+        const valProperties = tracker.getData(val);
         if (valProperties && valProperties.tagRanges.length) {
           data.metadata.propagate = true;
           isTracked = true;
@@ -206,7 +234,7 @@ module.exports.handle = function() {
             // make skeletal version of valProperties with only the tagRanges prop.
             data.metadata[id] =
               // eslint-disable-next-line prettier/prettier
-              { tagRanges: [new TagRange(0, value.length - 1, '')] };
+            { tagRanges: [new TagRange(0, value.length - 1, '')] };
             value = `${canary}${id}~${value}`;
             id++;
           }
@@ -229,6 +257,7 @@ module.exports.handle = function() {
       if (!data.metadata.propagate) {
         return data.result;
       }
       // restore the proxies to the argument
       const { debraner } = data.metadata;
       if (debraner) {
@@ -256,12 +285,47 @@ module.exports.handle = function() {
         }
       }
-      const tracked = tracker.track2(data.result);
+      const tracked = tracker.track(data.result);
       if (!tracked) {
         return data.result;
       }
       data.result = tracked.str;
       const { props } = tracked;
+      const customSources = [];
+      Object.keys(data.metadata.sourcesMap).forEach((k) => {
+        const objData = trackedObjects.get(data.metadata.sourcesMap[k]);
+        const { type, path, stackOpts } = objData;
+        const obj = data.metadata.sourcesMap[type];
+        customSources.push(
+          new SourceEvent({
+            context: new CallContext({
+              obj,
+              args: data.args,
+              result: data.result,
+              stackOpts
+            }),
+            signature: new Signature({
+              moduleName: 'http.req',
+              methodName: 'on.end',
+              args: undefined,
+              return: undefined,
+              isModule: false
+            }),
+            tagRanges,
+            source: 'A',
+            target: 'R',
+            name: path,
+            type,
+            isRequestObject: true
+          })
+        );
+      });
       props.tagRanges = tagRanges;
       // restore the original arguments so reporting shows user's signature.
       data.args = metadata.origArgs;
@@ -270,8 +334,12 @@ module.exports.handle = function() {
       // always exist, even if an empty array, for production code.
       if (metadata.sourceEvents && !metadata.sourceEvents.length) {
         // eslint-disable-next-line prettier/prettier
-        const { sourceEvents, braned: { membrane } } = data.metadata;
-        sourceEvents.push(membrane.makeReqSourceEvent(data.result.length));
+        const { sourceEvents, braned } = data.metadata;
+        if (braned) {
+          sourceEvents.push(
+            braned.membrane.makeReqSourceEvent(data.result.length)
+          );
+        }
       }
       props.event = new PropagationEvent({
@@ -280,7 +348,9 @@ module.exports.handle = function() {
         tagRanges: props.tagRanges,
         source: 'P',
         target: 'R',
-        parents: data.metadata.sourceEvents
+        parents: customSources.length
+          ? customSources
+          : data.metadata.sourceEvents
       });
       return data.result;

package/lib/assess/propagators/ajv/conditionals.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/propagators/ajv/evaluator-shim.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/propagators/ajv/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/propagators/ajv/json-schema-type-evaluators.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/propagators/ajv/object-walk.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/propagators/ajv/refs.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/propagators/ajv/schema-context.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/propagators/array-prototype-join.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -27,7 +27,7 @@ module.exports.handle = function handle(data) {
     return;
   }
-  // this handles join() andd join(undefined)
+  // this handles join() and join(undefined)
   const del = data.args[0] === undefined ? ',' : data.args[0];
   const parentEvents = [];
@@ -38,7 +38,7 @@ module.exports.handle = function handle(data) {
   let delimiterTracked = false;
-  if (delimiterProperties.tracked) {
+  if (delimiterProperties) {
     delimiterTracked = true;
     parentEvents.push(delimiterProperties.event);
     delimiterTagRanges.push(...delimiterProperties.tagRanges);
@@ -56,21 +56,20 @@ module.exports.handle = function handle(data) {
   if (delimiterTracked || elementTracked) {
     const tracked = tracker.track(data.result);
-    const metadata = tracker.getData(tracked);
-    if (!metadata.tracked) {
+    if (!tracked) {
       return;
     }
-    metadata.event = createEvent(
+    tracked.props.event = createEvent(
       data,
       resultTagRanges,
       parentEvents,
       delimiterTracked,
       elementTracked
     );
-    metadata.tagRanges = resultTagRanges;
+    tracked.props.tagRanges = resultTagRanges;
-    data.result = tracked;
+    data.result = tracked.str;
   }
 };
@@ -98,7 +97,7 @@ function propagateArrayData(
     const elem = array[i];
     const elemProperties = tracker.getData(elem);
-    if (elem && elemProperties.tracked) {
+    if (elem && elemProperties) {
       parentEvents.push(elemProperties.event);
       targetData.elementTracked = true;