npm - @contrast/agent - Versions diffs - 4.6.0 → 4.9.0 - Mend

@contrast/agent 4.6.0 → 4.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (563) hide show

package/lib/assess/propagators/common.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -62,7 +62,7 @@ const escapeRegExp = (str) => {
  */
 const addTagRangesWithOffset = (metadata, arg) => {
   const argData = tracker.getData(arg);
-  if (argData.tracked) {
+  if (argData) {
     tagRangeUtil.addAllWithOffsetInPlace(
       metadata.tagRanges,
       argData.tagRanges,
@@ -115,10 +115,12 @@ const createEvent = ({ tagRanges, method, parents }, data) => {
  */
 const trackResult = (metadata, data) => {
   if (metadata.tagRanges.length) {
-    data.result = tracker.track(data.result);
-    const trackedMeta = tracker.getData(data.result);
-    trackedMeta.tagRanges = metadata.tagRanges;
-    trackedMeta.event = createEvent(metadata, data);
+    const tracked = tracker.track(data.result);
+    if (tracked) {
+      tracked.props.tagRanges = metadata.tagRanges;
+      tracked.props.event = createEvent(metadata, data);
+      data.result = tracked.str;
+    }
   }
 };

package/lib/assess/propagators/dustjs/escape-html.js ADDED Viewed

@@ -0,0 +1,22 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const { propagate } = require('../template-escape');
+function handler(data) {
+  propagate(data, 'html-encoded', 'dustjs-linkedin.escapeHtml');
+}
+module.exports.handle = handler;

package/lib/assess/propagators/dustjs/escape-js.js ADDED Viewed

@@ -0,0 +1,22 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const { propagate } = require('../template-escape');
+function handler(data) {
+  propagate(data, 'javascript-encoded', 'dustjs-linkedin.escapeJs');
+}
+module.exports.handle = handler;

package/lib/assess/propagators/ejs-template-generate-source.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/propagators/encode-uri/encode-uri-component.js ADDED Viewed

@@ -0,0 +1,22 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const { propagate } = require('../template-escape');
+function handler(data) {
+  propagate(data, 'url-encoded', 'global.encodeURIComponent');
+}
+module.exports.handle = handler;

package/lib/assess/propagators/encode-uri/encode-uri.js ADDED Viewed

@@ -0,0 +1,22 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const { propagate } = require('../template-escape');
+function handler(data) {
+  propagate(data, 'weak-url-encoded', 'global.encodeURI');
+}
+module.exports.handle = handler;

package/lib/assess/propagators/handlebars-compile.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/propagators/handlebars-escape-expresssion.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -48,7 +48,7 @@ function patchUtilsExport(utilsExport) {
     alwaysRun: true,
     post(data) {
       const trackData = tracker.getData(data.result);
-      if (trackData.tracked) {
+      if (trackData) {
         trackData.tagRanges = tagRangeUtil.add(
           trackData.tagRanges,
           new TagRange(0, data.result.length - 1, 'html-encoded')

package/lib/assess/propagators/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -128,8 +128,6 @@ const generateHookWrappers = (agent, policyNode, key) => {
     } else {
       ({ pre, post } = provider.handle);
     }
-    propagatorDescriptor.provider = provider.handle;
   } else {
     // generic propagator
     post = new Propagator(agent, propagatorDescriptor);

package/lib/assess/propagators/joi/boolean.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -42,7 +42,7 @@ function instrumentJoiBoolean(boolean) {
         if (
           data.result &&
           typeof data.result.value === 'boolean' &&
-          trackingData.tracked
+          trackingData
         ) {
           const { event } = trackingData;
           trackingData.tagRanges = tagRangeUtil.add(

package/lib/assess/propagators/joi/expression.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -32,7 +32,7 @@ function instrumentJoiExpression(expression) {
     patchType: ASSESS_PROPAGATOR,
     post(data) {
       const trackingData = tracker.getData(data.args[0]);
-      if (trackingData.tracked && data.result._template) {
+      if (trackingData && data.result._template) {
         trackingData.tagRanges = tagRangeUtil.add(
           trackingData.tagRanges,
           new TagRange(0, data.args[0].length - 1, 'html-encoded')

package/lib/assess/propagators/joi/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/propagators/joi/number.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -41,7 +41,7 @@ function instrumentJoiNumber(number) {
           data.result &&
           data.result.value &&
           !data.result.errors &&
-          trackingData.tracked
+          trackingData
         ) {
           const { event } = trackingData;
           trackingData.tagRanges = tagRangeUtil.add(

package/lib/assess/propagators/joi/string-base.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -37,7 +37,7 @@ function instrumentJoiString(string) {
       patchType: ASSESS_PROPAGATOR,
       post(data) {
         const trackingData = tracker.getData(data.args[0]);
-        if (data.result === undefined && trackingData.tracked) {
+        if (data.result === undefined && trackingData) {
           const { event } = trackingData;
           trackingData.tagRanges = tagRangeUtil.add(
             trackingData.tagRanges,

package/lib/assess/propagators/joi/string-schema.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -79,29 +79,28 @@ function reTrackCoercedValue(coerce, rule) {
       }
       const argContrastProperties = tracker.getData(args[0]);
-      if (!argContrastProperties.tracked) {
+      if (!argContrastProperties) {
         return;
       }
-      const str = tracker.track(result.value);
-      const strContrastProperties = tracker.getData(str);
+      const tracked = tracker.track(result.value);
-      if (strContrastProperties.tracked) {
-        strContrastProperties.tagRanges = tagRangeUtil.add(
-          strContrastProperties.tagRanges,
-          new TagRange(0, str.length - 1, 'untrusted')
+      if (tracked) {
+        tracked.props.tagRanges = tagRangeUtil.add(
+          tracked.props.tagRanges,
+          new TagRange(0, tracked.str.length - 1, 'untrusted')
         );
-        strContrastProperties.event = createPropagationEvent({
+        tracked.props.event = createPropagationEvent({
           data,
           trackedArgsData: argContrastProperties,
-          tagRanges: strContrastProperties.tagRanges,
+          tagRanges: tracked.props.tagRanges,
           target: 'R',
           joiMethod: rule
         });
-      }
-      data.result = { value: str };
+        data.result = { value: tracked.str };
+      }
     }
   });
 }
@@ -120,13 +119,13 @@ function wrapRuleAsValidator(rules, rule, tagName) {
       }
       const argContrastProperties = tracker.getData(args[0]);
-      if (!argContrastProperties.tracked) {
+      if (!argContrastProperties) {
         return;
       }
       const strContrastProperties = tracker.getData(result);
-      if (strContrastProperties.tracked) {
+      if (strContrastProperties) {
         strContrastProperties.tagRanges = tagRangeUtil.add(
           strContrastProperties.tagRanges,
           new TagRange(0, result.length - 1, tagName)

package/lib/assess/propagators/joi/values.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -41,7 +41,7 @@ function instrumentJoiValues(values) {
     name: 'joi.values',
     patchType: ASSESS_PROPAGATOR,
     post(data) {
-      const {
+      let {
         args: [value],
         result
       } = data;
@@ -51,25 +51,40 @@ function instrumentJoiValues(values) {
         return;
       }
-      const resultIsString = _.isString(result.value);
-      const argIsString = _.isString(value);
       if (result.ref) {
-        // result === false means ref resolution failed
-        if (resultIsString && argIsString) {
-          const resolvedTrackData = tracker.getData(result.value);
-          const refTrackData = tracker.getData(value);
-          const handler = getRefHandler(resolvedTrackData, refTrackData);
-          handler && handler(data, resolvedTrackData, refTrackData);
-        }
-      } else if (resultIsString) {
+        handler(result.value, value, data);
+      } else if (_.isString(result.value)) {
         // use case is .valid() - safe
-        tracker.untrack(result.value);
+        result.value = tracker.untrack(result.value) || result.value;
       }
     }
   });
 }
+const stringHandler = (resultValue, argValue, data) => {
+  const resultIsString = _.isString(resultValue);
+  const argIsString = _.isString(argValue);
+  if (resultIsString && argIsString) {
+    const resolvedTrackData = tracker.getData(resultValue);
+    const refTrackData = tracker.getData(argValue);
+    const handler = getRefHandler(resolvedTrackData, refTrackData);
+    handler && handler(data, resolvedTrackData, refTrackData);
+  }
+};
+const handler = (resultValue, argValue, data) => {
+  if (_.isString(resultValue)) {
+    return stringHandler(resultValue, argValue, data);
+  }
+  if (_.isObject(resultValue)) {
+    for (const [key, value] of Object.entries(resultValue)) {
+      handler(value, argValue[key], data);
+    }
+  }
+};
 /**
  * Depending on which values are tracked, ref and/or target, returns the
  * appropriate function to handle the scenario.
@@ -79,14 +94,14 @@ function instrumentJoiValues(values) {
  */
 function getRefHandler(resolvedTrackData, refTrackData) {
   // 4 Cases
-  if (!resolvedTrackData.tracked) {
-    if (!refTrackData.tracked) {
+  if (!resolvedTrackData) {
+    if (!refTrackData) {
       return null;
     } else {
       return handleRefOnlyTracked;
     }
   } else {
-    if (refTrackData.tracked) {
+    if (refTrackData) {
       return handleBothTracked;
     } else {
       return handleTargetOnlyTracked;
@@ -116,7 +131,7 @@ function handleTargetOnlyTracked(data, resolvedTrackData, refTrackData) {
  * @param {object} refTrackData tracking data for reference value
  */
 function handleBothTracked(data, resolvedTrackData, refTrackData) {
-  const {
+  let {
     args: [value, , prefs],
     result
   } = data;
@@ -127,8 +142,8 @@ function handleBothTracked(data, resolvedTrackData, refTrackData) {
   }
   if (result.ref.map) {
-    tracker.untrack(data.result.value);
-    tracker.untrack(value);
+    data.result.value = tracker.untrack(data.result.value) || data.result.value;
+    value = tracker.untrack(value) || value;
   } else {
     copyValidationHistory(resolvedTrackData, refTrackData);
     if (prefs.convert) {
@@ -145,7 +160,7 @@ function handleBothTracked(data, resolvedTrackData, refTrackData) {
  * @param {object} refTrackData tracking data for reference value
  */
 function handleRefOnlyTracked(data, resolvedTrackData, refTrackData) {
-  const {
+  let {
     args: [value, , prefs],
     result
   } = data;
@@ -164,8 +179,8 @@ function handleRefOnlyTracked(data, resolvedTrackData, refTrackData) {
   } else {
     // if map is used we can trust - like .valid()
     if (result.ref.map) {
-      if (!tracker.getData(result.value).tracked) {
-        tracker.untrack(value);
+      if (!tracker.getData(result.value)) {
+        value = tracker.untrack(value) || value;
       }
     } else {
       logger.debug(

package/lib/assess/propagators/manager.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -112,13 +112,14 @@ module.exports = function Propagator(agent, propagationDescriptor) {
     // move the tags to the result of propagator
     if (event.tagRanges.length > 0 && validTarget === data.result) {
-      data.result = tracker.track(data.result);
-      const resultContrastProperties = tracker.getData(data.result);
-      resultContrastProperties.tracked = true;
-      resultContrastProperties.tagRanges = event.tagRanges;
+      const tracked = tracker.track(data.result);
+      if (tracked) {
+        tracked.props.tagRanges = event.tagRanges;
+        tracked.props.event = event;
+        data.result = tracked.str;
+      }
       event.parents.push(...sourceEvents);
-      resultContrastProperties.event = event;
     }
     logger.trace('%s2%s %s --> %s', source, target, sources, [validTarget]);
   };
@@ -206,7 +207,7 @@ function createAppendTagRanges(data) {
   if (isString(data.obj)) {
     offset = data.obj.length;
     const sourceProps = tracker.getData(data.obj);
-    if (sourceProps.tracked) {
+    if (sourceProps) {
       tagRangeUtil.addAllInPlace(newTags, sourceProps.tagRanges);
     }
   }
@@ -214,7 +215,7 @@ function createAppendTagRanges(data) {
   for (const arg of data.args) {
     if (arg) {
       const props = tracker.getData(arg);
-      if (props.tracked) {
+      if (props) {
         tagRangeUtil.addAllWithOffsetInPlace(newTags, props.tagRanges, offset);
       }
@@ -339,7 +340,7 @@ function getSourcesMetadata(sources) {
 function isSourceTracked(sourceName, source) {
   if (source) {
     const contrastProperties = tracker.getData(source);
-    return contrastProperties.tracked;
+    return !!contrastProperties;
   }
   return false;
@@ -384,7 +385,7 @@ function getTrackedSources(sources, skipNested) {
 function isTargetTracked(target, hasTags) {
   if (hasTags) {
     const contrastProperties = tracker.getData(target);
-    return contrastProperties.tracked;
+    return !!contrastProperties;
   }
   return false;
@@ -457,7 +458,8 @@ function getValidSources(sources) {
     const sourceContrastProperties = tracker.getData(source);
     if (
       isString(source) &&
-      !(sourceContrastProperties && sourceContrastProperties.tracked)
+      (!sourceContrastProperties ||
+        (sourceContrastProperties && !sourceContrastProperties.tracked))
     ) {
       return false;
     }

package/lib/assess/propagators/mongoose/helpers.js ADDED Viewed

@@ -0,0 +1,20 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+const hasUserDefinedValidator = (data) =>
+  data.obj.validators.some((validator) => validator.type === 'user defined');
+module.exports = {
+  hasUserDefinedValidator
+};

package/lib/assess/propagators/mongoose/index.js ADDED Viewed

@@ -0,0 +1,18 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+module.exports.handle = () => {
+  require('./map');
+  require('./string');
+};

package/lib/assess/propagators/mongoose/map.js ADDED Viewed

@@ -0,0 +1,74 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const tracker = require('../../../tracker');
+const patcher = require('../../../hooks/patcher');
+const requireHook = require('../../../hooks/require');
+const tagRangeUtil = require('../../models/tag-range/util');
+const {
+  PATCH_TYPES: { ASSESS_PROPAGATOR }
+} = require('../../../constants');
+const TagRange = require('../../models/tag-range');
+const { CallContext, PropagationEvent, Signature } = require('../../models');
+const { hasUserDefinedValidator } = require('./helpers');
+const doValidateSyncPatcher = (SchemaMap) => {
+  patcher.patch(SchemaMap.prototype, 'doValidateSync', {
+    alwaysRun: true,
+    name: 'mongoose.map.doValidateSync',
+    patchType: ASSESS_PROPAGATOR,
+    post(data) {
+      if (data.result || data.obj.options.of.name !== 'String') return;
+      if (!hasUserDefinedValidator(data)) return;
+      for (const value of data.args[0].values()) {
+        const trackingData = tracker.track(value);
+        if (!trackingData) return;
+        const { props } = trackingData;
+        const stringLength = value.length - 1;
+        props.tagRanges = tagRangeUtil.add(
+          props.tagRanges,
+          new TagRange(0, stringLength, 'custom-validated-nosql-injection')
+        );
+        props.tagRanges = tagRangeUtil.add(
+          props.tagRanges,
+          new TagRange(0, stringLength, 'string-type-checked')
+        );
+        props.event = new PropagationEvent({
+          context: new CallContext(data),
+          signature: new Signature('mongoose.map.doValidateSync'),
+          tagRanges: props.tagRanges,
+          source: 'P',
+          target: 'A',
+          parents: [props.event]
+        });
+      }
+    }
+  });
+};
+requireHook.resolve(
+  { name: 'mongoose', file: 'lib/schema/map.js', version: '>=5.0.0' },
+  (SchemaMap) => {
+    doValidateSyncPatcher(SchemaMap);
+  }
+);