@contrast/agent 4.7.0 → 4.7.1

package/lib/assess/propagators/mongoose/map.js

@@ -0,0 +1,74 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const tracker = require('../../../tracker');
+const patcher = require('../../../hooks/patcher');
+const requireHook = require('../../../hooks/require');
+const tagRangeUtil = require('../../models/tag-range/util');
+const {
+  PATCH_TYPES: { ASSESS_PROPAGATOR }
+} = require('../../../constants');
+const TagRange = require('../../models/tag-range');
+const { CallContext, PropagationEvent, Signature } = require('../../models');
+const { hasUserDefinedValidator } = require('./helpers');
+
+const doValidateSyncPatcher = (SchemaMap) => {
+  patcher.patch(SchemaMap.prototype, 'doValidateSync', {
+    alwaysRun: true,
+    name: 'mongoose.map.doValidateSync',
+    patchType: ASSESS_PROPAGATOR,
+    post(data) {
+      if (data.result || data.obj.options.of.name !== 'String') return;
+
+      if (!hasUserDefinedValidator(data)) return;
+
+      for (const value of data.args[0].values()) {
+        const trackingData = tracker.track(value);
+
+        if (!trackingData) return;
+
+        const { props } = trackingData;
+        const stringLength = value.length - 1;
+
+        props.tagRanges = tagRangeUtil.add(
+          props.tagRanges,
+          new TagRange(0, stringLength, 'custom-validated-nosql-injection')
+        );
+
+        props.tagRanges = tagRangeUtil.add(
+          props.tagRanges,
+          new TagRange(0, stringLength, 'string-type-checked')
+        );
+
+        props.event = new PropagationEvent({
+          context: new CallContext(data),
+          signature: new Signature('mongoose.map.doValidateSync'),
+          tagRanges: props.tagRanges,
+          source: 'P',
+          target: 'A',
+          parents: [props.event]
+        });
+      }
+    }
+  });
+};
+
+requireHook.resolve(
+  { name: 'mongoose', file: 'lib/schema/map.js', version: '>=5.0.0' },
+  (SchemaMap) => {
+    doValidateSyncPatcher(SchemaMap);
+  }
+);

package/lib/assess/propagators/mongoose/string.js

@@ -0,0 +1,104 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const tracker = require('../../../tracker');
+const patcher = require('../../../hooks/patcher');
+const requireHook = require('../../../hooks/require');
+const tagRangeUtil = require('../../models/tag-range/util');
+const {
+  PATCH_TYPES: { ASSESS_PROPAGATOR }
+} = require('../../../constants');
+const TagRange = require('../../models/tag-range');
+const { CallContext, PropagationEvent, Signature } = require('../../models');
+const { hasUserDefinedValidator } = require('./helpers');
+
+const enumPatcher = (SchemaString) => {
+  patcher.patch(SchemaString.prototype, 'enum', {
+    alwaysRun: true,
+    name: 'mongoose.string.enum',
+    patchType: ASSESS_PROPAGATOR,
+    post(data) {
+      if (!data.result) return;
+
+      const enumValidator = data.result.validators.find(
+        (validator) => validator.type === 'enum'
+      );
+
+      if (!enumValidator) return;
+
+      patcher.patch(enumValidator, 'validator', {
+        alwaysRun: true,
+        name: 'mongoose.string.enumValidator',
+        patchType: ASSESS_PROPAGATOR,
+        post(data) {
+          if (!data.result) return;
+
+          tracker.untrack(data.args[0]);
+        }
+      });
+    }
+  });
+};
+
+const doValidateSyncPatcher = (SchemaString) => {
+  patcher.patch(SchemaString.prototype, 'doValidateSync', {
+    alwaysRun: true,
+    name: 'mongoose.string.doValidateSync',
+    patchType: ASSESS_PROPAGATOR,
+    post(data) {
+      if (data.result) return;
+
+      if (!hasUserDefinedValidator(data)) return;
+
+      const trackingData = tracker.track(data.args[0]);
+      if (!trackingData) return;
+
+      const { props } = trackingData;
+      const incomingStringLength = data.args[0].length - 1;
+
+      props.tagRanges = tagRangeUtil.add(
+        props.tagRanges,
+        new TagRange(
+          0,
+          incomingStringLength,
+          'custom-validated-nosql-injection'
+        )
+      );
+
+      props.tagRanges = tagRangeUtil.add(
+        props.tagRanges,
+        new TagRange(0, incomingStringLength, 'string-type-checked')
+      );
+
+      props.event = new PropagationEvent({
+        context: new CallContext(data),
+        signature: new Signature('mongoose.string.doValidateSync'),
+        tagRanges: props.tagRanges,
+        source: 'P',
+        target: 'A',
+        parents: [props.event]
+      });
+    }
+  });
+};
+
+requireHook.resolve(
+  { name: 'mongoose', file: 'lib/schema/string.js', version: '>=5.0.0' },
+  (SchemaString) => {
+    enumPatcher(SchemaString);
+    doValidateSyncPatcher(SchemaString);
+  }
+);

package/lib/assess/propagators/number.js

@@ -0,0 +1,54 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const tracker = require('../../tracker.js');
+const patcher = require('../../hooks/patcher.js');
+const { PATCH_TYPES } = require('../../constants');
+const tagRangeUtil = require('../models/tag-range/util');
+const TagRange = require('../models/tag-range');
+const ContrastNumber = require('../../core/rewrite/injections').get('Number');
+const { CallContext, PropagationEvent, Signature } = require('../models');
+
+function handle() {
+  ContrastNumber.enable();
+
+  patcher.patch(ContrastNumber.value, {
+    name: 'Number',
+    patchType: PATCH_TYPES.ASSESS_PROPAGATOR,
+    post(data) {
+      const trackingData = tracker.getData(data.args[0]);
+
+      if (!Number.isNaN(data.result) && trackingData) {
+        const { event } = trackingData;
+        trackingData.tagRanges = tagRangeUtil.add(
+          trackingData.tagRanges,
+          new TagRange(0, data.args[0].length - 1, 'limited-chars')
+        );
+
+        trackingData.event = new PropagationEvent({
+          context: new CallContext(data),
+          signature: new Signature('Number'),
+          tagRanges: trackingData.tagRanges,
+          source: 'P',
+          target: 'P',
+          parents: [event]
+        });
+      }
+    }
+  });
+}
+
+module.exports = { handle };

package/lib/assess/propagators/object.js

@@ -41,18 +41,17 @@ function handle() {
       }
 
       const argContrastProperties = tracker.getData(arg);
-      if (!argContrastProperties.tracked) {
+      if (!argContrastProperties) {
         return;
       }
 
-      const str = tracker.track(data.result);
-      const strContrastProperties = tracker.getData(str);
-      if (strContrastProperties.tracked) {
-        strContrastProperties.event = argContrastProperties.event;
-        strContrastProperties.tagRanges = strContrastProperties.tagRanges.concat(
+      const tracked = tracker.track(data.result);
+      if (tracked) {
+        tracked.props.event = argContrastProperties.event;
+        tracked.props.tagRanges = tracked.props.tagRanges.concat(
           argContrastProperties.tagRanges
         );
-        data.result = str;
+        data.result = tracked.str;
       }
     }
   });

package/lib/assess/propagators/path/basename.js

@@ -45,7 +45,7 @@ module.exports.handle = function handle() {
           if (!path || !data.result) return;
 
           const trackingData = tracker.getData(path);
-          if (!trackingData.tracked) return;
+          if (!trackingData) return;
 
           if (extension) {
             const extIndex = _path.lastIndexOf(extension);
@@ -68,19 +68,20 @@ module.exports.handle = function handle() {
           // no tags propagated to the result
           if (!tagRanges.length) return;
 
-          const result = tracker.track(data.result);
-          const resultData = tracker.getData(result);
           const parentEvent = trackingData.event;
-          resultData.tagRanges = tagRanges;
-          resultData.event = new PropagationEvent({
-            context: new CallContext(data),
-            parents: [parentEvent],
-            signature,
-            source: 'P',
-            tagRanges,
-            target: 'R'
-          });
-          data.result = result;
+          const tracked = tracker.track(data.result);
+          if (tracked) {
+            tracked.props.tagRanges = tagRanges;
+            tracked.props.event = new PropagationEvent({
+              context: new CallContext(data),
+              parents: [parentEvent],
+              signature,
+              source: 'P',
+              tagRanges,
+              target: 'R'
+            });
+            data.result = tracked.str;  
+          }
         }
       });
     }

package/lib/assess/propagators/path/common.js

@@ -333,7 +333,7 @@ function propagate({ resultMeta, data, win32 }) {
       evaluator: (segmentOffset) => segmentOffset > -1,
       offset: 0,
       str: arg,
-      tagRanges: argData.tracked ? argData.tagRanges : []
+      tagRanges: argData ? argData.tagRanges : []
     };
 
     const targetTagRanges = adjustTagsToPart(

package/lib/assess/propagators/path/dirname.js

@@ -42,7 +42,7 @@ module.exports.handle = function handle() {
           if (!data.args[0]) return;
 
           const trackingData = tracker.getData(data.args[0]);
-          if (!trackingData.tracked) return;
+          if (!trackingData) return;
 
           // path.dirname() does a slice at 0 to the calculated end separator
           const tagRanges = createSubsetTagRanges({
@@ -57,19 +57,20 @@ module.exports.handle = function handle() {
 
           if (!tagRanges.length) return;
 
-          const result = tracker.track(data.result);
-          const resultData = tracker.getData(result);
+          const tracked = tracker.track(data.result);
           const parentEvent = trackingData.event;
-          resultData.tagRanges = tagRanges;
-          resultData.event = new PropagationEvent({
-            context: new CallContext(data),
-            parents: [parentEvent],
-            signature,
-            source: 'P',
-            tagRanges,
-            target: 'R'
-          });
-          data.result = result;
+          if (tracked) {
+            tracked.props.tagRanges = tagRanges;
+            tracked.props.event = new PropagationEvent({
+              context: new CallContext(data),
+              parents: [parentEvent],
+              signature,
+              source: 'P',
+              tagRanges,
+              target: 'R'
+            });
+            data.result = tracked.str;  
+          }
         }
       });
     }

package/lib/assess/propagators/path/extname.js

@@ -42,7 +42,7 @@ module.exports.handle = function handle() {
           if (!data.args[0] || !data.result) return;
 
           const trackingData = tracker.getData(data.args[0]);
-          if (!trackingData.tracked) return;
+          if (!trackingData) return;
 
           // The path.extname() implementation does a substr on the argument
           // based on the calculated index of the last dot
@@ -62,19 +62,20 @@ module.exports.handle = function handle() {
           // no tags propagated to the result
           if (!tagRanges.length) return;
 
-          const result = tracker.track(data.result);
-          const resultData = tracker.getData(result);
+          const tracked = tracker.track(data.result);
           const parentEvent = trackingData.event;
-          resultData.tagRanges = tagRanges;
-          resultData.event = new PropagationEvent({
-            context: new CallContext(data),
-            parents: [parentEvent],
-            signature,
-            source: 'P',
-            tagRanges,
-            target: 'R'
-          });
-          data.result = result;
+          if (tracked) {
+            tracked.props.tagRanges = tagRanges;
+            tracked.props.event = new PropagationEvent({
+              context: new CallContext(data),
+              parents: [parentEvent],
+              signature,
+              source: 'P',
+              tagRanges,
+              target: 'R'
+            });
+            data.result = tracked.str;  
+          }
         }
       });
     }

package/lib/assess/propagators/path/parse.js

@@ -24,7 +24,7 @@ const propagate = function propagate(data) {
   const props = tracker.getData(data.args[0]);
   const { result } = data;
 
-  if (props.tracked && result) {
+  if (props && result) {
     const membrane = new DeserializationMembrane(data, props);
     data.result = membrane.wrap(result);
   }

package/lib/assess/propagators/path/relative.js

@@ -35,7 +35,7 @@ const provider = {
     const { args, result } = data;
     const trackData = tracker.getData(args[1]);
 
-    if (!trackData.tracked) {
+    if (!trackData) {
       return;
     }
 
@@ -61,10 +61,12 @@ const provider = {
         },
         data
       );
-      data.result = tracker.track(data.result);
-      const resultTrackData = tracker.getData(data.result);
-      resultTrackData.tagRanges = shiftedRanges;
-      resultTrackData.event = event;
+      const tracked = tracker.track(data.result);
+      if (tracked) {
+        data.result = tracked.str;
+        tracked.props.tagRanges = shiftedRanges;
+        tracked.props.event = event;
+      }
     }
   },
   /**

package/lib/assess/propagators/querystring/escape.js

@@ -21,34 +21,36 @@ const qsUtils = require('./utils');
 
 function handler(data) {
   const input = data.args[0];
+  const trackedData = tracker.getData(input);
 
-  if (!input || !tracker.getData(input).tracked) {
+  if (!input || !trackedData) {
     return;
   }
 
   // adjust tag ranges
   const tagRanges = [];
-  tracker.getData(input).tagRanges.forEach((tag) => {
+  trackedData.tagRanges.forEach((tag) => {
     tagRanges.push(qsUtils.adjustRangeEscape(tag, 0, input));
   });
   tagRanges.push(new TagRange(0, data.result.length - 1, 'url-encoded'));
 
-  const result = tracker.track(data.result);
-  const trackData = tracker.getData(result);
-  trackData.tagRanges = tagRanges;
-  trackData.event = new PropagationEvent({
-    context: new CallContext({
-      ...data,
-      obj: null
-    }),
-    parents: [trackData.event],
-    signature: new Signature('querystring.escape'),
-    source: 'P',
-    target: 'R',
-    tagRanges,
-    tags: ['url-encoded']
-  });
-  data.result = result;
+  const tracked = tracker.track(data.result);
+  if (tracked) {
+    tracked.props.tagRanges = tagRanges;
+    tracked.props.event = new PropagationEvent({
+      context: new CallContext({
+        ...data,
+        obj: null
+      }),
+      parents: [tracked.props.event],
+      signature: new Signature('querystring.escape'),
+      source: 'P',
+      target: 'R',
+      tagRanges,
+      tags: ['url-encoded']
+    });
+    data.result = tracked.str;
+  }
 }
 
 module.exports.handle = handler;

package/lib/assess/propagators/querystring/parse.js

@@ -47,9 +47,11 @@ function getUnescapeWrapper(data, unescape) {
 
     // track the part w/ trimmed ranges if applicable
     if (tagRanges.length) {
-      result = tracker.track(part);
-      resultData = tracker.getData(result);
-      resultData.tagRanges = tagRanges;
+      const tracked = tracker.track(part);
+      if (tracked) {
+        result = tracked.str;
+        tracked.props.tagRanges = tagRanges;
+      }
     } else {
       result = part;
     }
@@ -58,7 +60,7 @@ function getUnescapeWrapper(data, unescape) {
     result = Scopes.runInAllowAllScope(() => unescape(result));
     resultData = tracker.getData(result);
 
-    if (resultData.tracked) {
+    if (resultData) {
       resultData.event = new PropagationEvent({
         context: new CallContext({
           ...data,
@@ -91,7 +93,7 @@ function pre(data) {
   }
   const trackingData = tracker.getData(input);
 
-  if (!trackingData.tracked) {
+  if (!trackingData) {
     return;
   }
 

package/lib/assess/propagators/querystring/stringify.js

@@ -129,7 +129,7 @@ class OnEscapeHandler {
     // set current key for reference if when array-valued
     this.currentKey = {
       value: escaped,
-      tagRanges: trackingData.tracked ? trackingData.tagRanges : null
+      tagRanges: trackingData ? trackingData.tagRanges : null
     };
 
     // capture track info before updating state
@@ -175,7 +175,7 @@ class OnEscapeHandler {
       this.offset += this.currentKey.value.length + this.eqLen;
     }
 
-    if (trackingData.tracked) {
+    if (trackingData) {
       ret.push({
         offset: this.offset,
         tagRanges: trackingData.tagRanges,
@@ -279,34 +279,35 @@ function post(data) {
   }
 
   const tracked = tracker.track(data.result);
-  const trackData = tracker.getData(tracked);
 
   if (data.state.escape === querystring.escape) {
     data.state.tagRanges.push(
       new TagRange(0, data.result.length - 1, 'url-encoded')
     );
   }
-  const sorted = _.sortBy(data.state.tagRanges, 'start');
-  trackData.tagRanges = [];
-  tagRangeUtil.addAllInPlace(trackData.tagRanges, sorted);
-
-  // stringify / encode
-  const method = data.funcKey.split('.')[1];
-
-  trackData.event = new PropagationEvent({
-    context: new CallContext({
-      ...data,
-      args: data.state.origArgs,
-      obj: null
-    }),
-    parents: Array.from(data.state.events),
-    signature: new Signature(`querystring.${method}`),
-    source: 'P',
-    tagRanges: trackData.tagRanges,
-    target: 'R',
-    tags: ['url-encoded']
-  });
-  data.result = tracked;
+  if (tracked) {
+    const sorted = _.sortBy(data.state.tagRanges, 'start');
+    tracked.props.tagRanges = [];
+    tagRangeUtil.addAllInPlace(tracked.props.tagRanges, sorted);
+  
+    // stringify / encode
+    const method = data.funcKey.split('.')[1];
+  
+    tracked.props.event = new PropagationEvent({
+      context: new CallContext({
+        ...data,
+        args: data.state.origArgs,
+        obj: null
+      }),
+      parents: Array.from(data.state.events),
+      signature: new Signature(`querystring.${method}`),
+      source: 'P',
+      tagRanges: tracked.props.tagRanges,
+      target: 'R',
+      tags: ['url-encoded']
+    });
+    data.result = tracked.str;
+  }
 }
 
 module.exports.handle = { pre, post };

package/lib/assess/propagators/querystring/unescape.js

@@ -20,14 +20,15 @@ const qsUtils = require('./utils');
 
 function handler(data) {
   const input = data.args[0];
+  const trackedData = tracker.getData(input);
 
-  if (!input || !tracker.getData(input).tracked) {
+  if (!input || !trackedData) {
     return;
   }
 
   // adjust tag ranges
   const tagRanges = [];
-  tracker.getData(input).tagRanges.forEach((tag) => {
+  trackedData.tagRanges.forEach((tag) => {
     if (tag.tag === 'url-encoded') {
       return;
     }
@@ -37,22 +38,23 @@ function handler(data) {
     return;
   }
 
-  const trackedResult = tracker.track(data.result);
-  const trackData = tracker.getData(trackedResult);
-  trackData.tagRanges = tagRanges;
-  trackData.event = new PropagationEvent({
-    context: new CallContext({
-      ...data,
-      obj: null
-    }),
-    parents: [trackData.event],
-    signature: new Signature('querystring.unescape'),
-    source: 'P',
-    tagRanges,
-    target: 'R',
-    untags: ['url-encoded']
-  });
-  data.result = trackedResult;
+  const tracked = tracker.track(data.result);
+  if (tracked) {
+    tracked.props.tagRanges = tagRanges;
+    tracked.props.event = new PropagationEvent({
+      context: new CallContext({
+        ...data,
+        obj: null
+      }),
+      parents: [tracked.props.event],
+      signature: new Signature('querystring.unescape'),
+      source: 'P',
+      tagRanges,
+      target: 'R',
+      untags: ['url-encoded']
+    });
+    data.result = tracked.str;  
+  }
 }
 
 module.exports.handle = handler;

package/lib/assess/propagators/sequelize/sql-string-escape.js

@@ -35,7 +35,7 @@ module.exports.handle = function() {
         post(data) {
           const trackingData = tracker.getData(data.result);
 
-          if (!trackingData.tracked) {
+          if (!trackingData) {
             return;
           }