npm - @contrast/agent - Versions diffs - 4.7.0 → 4.9.1 - Mend

@contrast/agent 4.7.0 → 4.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (563) hide show

package/lib/assess/propagators/validator/init-hooks.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -90,7 +90,7 @@ module.exports.handle = function() {
         function post(data) {
           if (data.result) {
             const trackingData = tracker.getData(data.args[0]);
-            if (trackingData.tracked) {
+            if (trackingData) {
               tagRangeUtil.addInPlace(
                 trackingData.tagRanges,
                 new TagRange(0, data.args[0].length - 1, validators[validator])
@@ -131,7 +131,7 @@ module.exports.handle = function() {
         function post(data) {
           if (data.result) {
             const trackingData = tracker.getData(data.args[0]);
-            if (trackingData.tracked) {
+            if (trackingData) {
               trackingData.tagRanges = [];
               trackingData.tracked = false;
             }
@@ -154,36 +154,36 @@ module.exports.handle = function() {
         function post(data) {
           // if not tracked then it can't be untrusted, so don't start
           // tracking this string.
-          if (!tracker.getData(data.args[0]).tracked) return;
+          const inputData = tracker.getData(data.args[0]);
+          if (!inputData) return;
           const tag = sanitizers[sanitizer];
-          // get existing tracker data
-          const inputData = tracker.getData(data.args[0]);
           // are the input and output of the sanitizer the same?
           if (data.args[0] !== data.result) {
             let needsTag = true;
             // the input and output strings are not the same. start tracking the output.
-            const result = tracker.track(data.result);
-            const resultData = tracker.getData(result);
+            const tracked = tracker.track(data.result);
             // copy the input tags to the result, adjusting the range.
-            const stop = data.result.length - 1;
-            for (let i = 0; i < inputData.tagRanges.length; i++) {
-              resultData.tagRanges[i] = new TagRange(
-                0,
-                stop,
-                inputData.tagRanges[i].tag
-              );
-              if (inputData.tagRanges[i].tag === tag) {
-                needsTag = false;
+            if (tracked) {
+              const stop = data.result.length - 1;
+              for (let i = 0; i < inputData.tagRanges.length; i++) {
+                tracked.props.tagRanges[i] = new TagRange(
+                  0,
+                  stop,
+                  inputData.tagRanges[i].tag
+                );
+                if (inputData.tagRanges[i].tag === tag) {
+                  needsTag = false;
+                }
               }
+              if (needsTag) {
+                tracked.props.tagRanges.push(
+                  new TagRange(0, stop, sanitizers[sanitizer])
+                );
+              }
+              data.result = tracked.str;
             }
-            if (needsTag) {
-              resultData.tagRanges.push(
-                new TagRange(0, stop, sanitizers[sanitizer])
-              );
-            }
-            data.result = result;
           } else {
             // the input and output strings are the same, so the output is already being
             // tracked. if the tag is already present adjust the bounds otherwise add the

package/lib/assess/propagators/validator/validator-methods.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -63,7 +63,6 @@ module.exports = {
     isMagnetURI: 'alphanum-space-hyphen',
     isMD5: 'alphanum-space-hyphen',
     isMobilePhone: 'limited-chars',
-    isMongoId: 'alphanum-space-hyphen',
     isNumeric: 'limited-chars',
     isOctal: 'alphanum-space-hyphen',
     isPassportNumber: 'limited-chars',

package/lib/assess/response-scanning/app-activity.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/response-scanning/autocomplete-missing.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/response-scanning/cache-controls-missing.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/response-scanning/clickjacking-control-missing.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/response-scanning/common.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/response-scanning/cookies/common.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/response-scanning/cookies/events.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/response-scanning/cookies/httponly.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/response-scanning/cookies/secure-flag-missing.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/response-scanning/headers/csp-header-insecure.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/response-scanning/headers/csp-header-missing.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/response-scanning/headers/csp-utils.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/response-scanning/headers/hsts-header-missing.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/response-scanning/headers/powered-by.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/response-scanning/headers/xcontenttype-header-missing.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/response-scanning/headers/xxssprotection-header-disabled.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/response-scanning/parameter-pollution.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/response-scanning/parseable-response-emitter.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/restify/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/restify/route-coverage.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/restify/session.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/restify/sinks/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/restify/sinks/response-scanning.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/restify/sinks/unvalidated-redirect.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/restify/sinks/xss.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/restify/sources.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/sinks/common.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -78,7 +78,9 @@ module.exports = (agent) => {
     // get the tags, event from dataflow actions ONLY
     if (sinkType === DATAFLOW) {
       const contrastProps = tracker.getData(input);
-      ({ tagRanges, event } = contrastProps);
+      if (contrastProps) {
+        ({ tagRanges, event } = contrastProps);
+      }
     }
     const sink = new SinkEvent({
@@ -189,7 +191,7 @@ module.exports = (agent) => {
         ) {
           const trackData = tracker.getData(value);
-          if (!trackData.tracked) {
+          if (!trackData) {
             return;
           }
@@ -415,9 +417,12 @@ module.exports = (agent) => {
           : common.nonDataflowVulnerableCheck({ sink });
       const checkedArgs = isVulnCheck(stack, result, args);
-      return Array.isArray(checkedArgs)
-        ? reduceConditions(checkedArgs, conditions.mode)
-        : checkedArgs;
+      if (Array.isArray(checkedArgs) && checkedArgs.length > 0) {
+        const mode = conditions ? conditions.mode : 'and';
+        return reduceConditions(checkedArgs, mode);
+      } else {
+        return checkedArgs;
+      }
     };
     /**

package/lib/assess/sinks/dustjs-linkedin-xss.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/sinks/dynamo.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/sinks/hapi-16-xss.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/sinks/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/sinks/libxmljs-xxe.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -34,7 +34,7 @@ module.exports = ({ common, signature }) => ({
     }
     const contrastProps = tracker.getData(xmlString);
-    if (!contrastProps.tracked) {
+    if (!contrastProps) {
       return;
     }

package/lib/assess/sinks/mongodb.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -39,7 +39,8 @@ const ruleId = 'nosql-injection';
 const disallowedTags = [
   'limited-chars',
   'alphanum-space-hyphen',
-  'string-type-checked'
+  'string-type-checked',
+  'custom-validated-nosql-injection'
 ];
 const requiredTags = ['untrusted'];

package/lib/assess/sinks/rethinkdb-nosql-injection.js ADDED Viewed

@@ -0,0 +1,142 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const patcher = require('../../hooks/patcher');
+const { PATCH_TYPES } = require('../../constants');
+const moduleHook = require('../../hooks/require');
+const { CallContext, Signature } = require('../models');
+const {
+  RULES: { NOSQL_INJECTION }
+} = require('../../constants');
+const filterSignature = new Signature({
+  moduleName: 'rethinkdb.RDBVal',
+  methodName: 'filter',
+  isModule: true
+});
+const matchSignature = new Signature({
+  moduleName: 'rethinkdb.RDBVal',
+  methodName: 'match',
+  isModule: true
+});
+const moduleName = 'rethinkdb';
+class Handler {
+  constructor({ report, isVulnerable, requiredTags }) {
+    this._isVulnerable = isVulnerable;
+    this.report = report;
+    this.requiredTags = requiredTags;
+    this.disallowedTags = [
+      'alphanum-space-hyphen',
+      'limited-chars',
+      'custom-validated',
+      'custom-encoded-nosql-injection',
+      'custom-validated-nosql-injection'
+    ];
+  }
+  isVulnerable(input) {
+    const { requiredTags, disallowedTags } = this;
+    return this._isVulnerable({
+      input,
+      ruleId: NOSQL_INJECTION,
+      disallowedTags,
+      requiredTags,
+      searchDepth: 5
+    });
+  }
+  handle() {
+    moduleHook.resolve({ name: moduleName }, (rethinkdb) =>
+      this.handleRequire(rethinkdb)
+    );
+  }
+  patchRethinkDb(rethinkdb) {
+    const self = this;
+    patcher.patch(rethinkdb, 'table', {
+      name: moduleName,
+      patchType: PATCH_TYPES.ASSESS_SINK,
+      alwaysRun: true,
+      post(data) {
+        self.patchTableMethod(data.result);
+      }
+    });
+  }
+  /**
+   * Patch the table method and through it gain access to the object
+   * prototype that holds the vulnerable `match` and `filter` methods
+   */
+  patchTableMethod(tableObject) {
+    const RDBValObject = Object.getPrototypeOf(tableObject.args[0]);
+    const TermBaseObject = Object.getPrototypeOf(RDBValObject);
+    const self = this;
+    patcher.patch(TermBaseObject, 'match', {
+      name: 'TermBase.prototype',
+      patchType: PATCH_TYPES.ASSESS_SINK,
+      alwaysRun: true,
+      post({ args: [str], hooked, obj }) {
+        if (self.isVulnerable(str)) {
+          self.report({
+            ruleId: NOSQL_INJECTION,
+            signature: matchSignature,
+            input: str,
+            ctxt: new CallContext({
+              obj,
+              args: [str],
+              result: str,
+              stackOpts: {
+                constructorOpt: hooked
+              }
+            })
+          });
+        }
+      }
+    });
+    patcher.patch(TermBaseObject, 'filter', {
+      name: 'TermBase.prototype',
+      patchType: PATCH_TYPES.ASSESS_SINK,
+      alwaysRun: true,
+      post({ args: [str], hooked, obj }) {
+        if (self.isVulnerable(str)) {
+          self.report({
+            ruleId: NOSQL_INJECTION,
+            signature: filterSignature,
+            input: str,
+            ctxt: new CallContext({
+              obj,
+              args: [str],
+              result: str,
+              stackOpts: {
+                constructorOpt: hooked
+              }
+            })
+          });
+        }
+      }
+    });
+  }
+  handleRequire(rethinkdb) {
+    this.patchRethinkDb(rethinkdb);
+    return rethinkdb;
+  }
+}
+module.exports = ({ common }) => new Handler(common);
+module.exports.Handler = Handler;

package/lib/assess/sinks/ssrf-url.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -64,7 +64,7 @@ module.exports = ({ common: { isVulnerable } }) => {
     const contrastProps = tracker.getData(input);
-    if (!contrastProps.tracked) {
+    if (!contrastProps) {
       return false;
     }