@contrast/agent 4.8.0 → 4.10.1

package/bin/VERSION

@@ -1 +1 @@
-2.28.5
+2.28.9

package/bootstrap.js

@@ -26,7 +26,16 @@ const orig = Module.runMain;
  * script from cli
  */
 Module.runMain = async function(...args) {
+  const { isMainThread } = require('worker_threads');
+
   try {
+    // Skip instrumenting worker threads.
+    if (!isMainThread) {
+      orig.apply(this, args);
+
+      return;
+    }
+
     const { enabled } = await loader.init(process.argv);
     if (enabled) {
       await loader.bootstrap(process.argv);
@@ -37,9 +46,10 @@ Module.runMain = async function(...args) {
     orig.apply(this, args);
     loader.logTime(appStartTime, 'application');
     loader.logTime(startTime, 'agent & application');
-  
-  } catch(err) {
+  } catch (err) {
+    // eslint-disable-next-line no-console
     console.error(err);
+    // eslint-disable-next-line no-process-exit
     process.exit(-1);
   }
 };

package/esm.mjs

@@ -22,6 +22,7 @@ if (enabled) {
   await loader.bootstrap(process.argv);
 }
 await loader.resetArgs(process.argv[0], process.argv[1]);
+const { readFile } = require('fs').promises;
 
 const agent = require(`./lib/agent.js`);
 const logger = require(`./lib/core/logger/index.js`)('contrast:esm-loaders');
@@ -95,3 +96,35 @@ export async function transformSource(source, context, defaultTransformSource) {
     return defaultTransformSource(source, context, defaultTransformSource);
   }
 }
+
+/**
+ * For Node 16 and above, the 'getFormat', 'getSource' and 'transformSource' have been 
+ * consolidated into one 'load' hook. The logic is similar to that of transformSource
+ * except that the source is not provided and must be either read in from the file provided
+ * or accessed from the cache.
+ * 
+ * @see https://nodejs.org/dist/latest-v16.x/docs/api/esm.html#loadurl-context-defaultload
+ * @param {string} url
+ * @param {{ format: string, url: string }} context
+ * @param {Function} defaultLoad
+ * @returns {Promise<{ format: string, source: string | SharedArrayBuffer | Uint8Array }>}
+ */
+export async function load(url, context, defaultLoad) {
+  const filename = fileURLToPath(url);
+
+  try {
+    const cached = helpers.find(agent, filename);
+    const source = cached || await readFile(filename, 'utf8');
+    const result = rewriter.rewriteFile(source, filename, { sourceType: 'module' });
+    helpers.cacheWithSourceMap(agent, filename, result);
+    return { format: context.format, source: result.code };
+
+  } catch (err) {
+    logger.error(
+      'Failed to load rewritten code for %s, err: %o, rewritten code %s, loading original code.',
+      filename,
+      err
+    );
+    return defaultLoad(url, context, defaultLoad);
+  }
+}

package/lib/assess/index.js

@@ -20,6 +20,7 @@ const KoaFrameworkInstrumentation = require('./koa');
 const HapiFrameworkInstrumentation = require('./hapi');
 const Loopback4FrameworkInstrumentation = require('./loopback4');
 const ExpressFrameworkInstrumentation = require('./express');
+const SpdyFrameworkInstrumentation = require('./spdy');
 const assessSources = require('./sources');
 
 module.exports = function(agent) {
@@ -29,5 +30,6 @@ module.exports = function(agent) {
   new HapiFrameworkInstrumentation(agent);
   new Loopback4FrameworkInstrumentation(agent);
   new ExpressFrameworkInstrumentation(agent);
+  new SpdyFrameworkInstrumentation(agent);
   assessSources.init(agent);
 };

package/lib/assess/models/source-event.js

@@ -32,6 +32,7 @@ module.exports = class SourceEvent extends BaseEvent {
    * @param {boolean}     opts.isArray true if req.body is an array (from JSON body).
    */
   constructor({
+    code,
     context,
     name,
     signature,
@@ -43,6 +44,7 @@ module.exports = class SourceEvent extends BaseEvent {
     eventSources = [{ sourceType: type.toUpperCase(), sourceName: name }]
   } = {}) {
     super(context, signature, tagRanges);
+    this.code = code;
     this.target = target;
     this.eventSources = eventSources;
     this.parents = [];
@@ -65,6 +67,10 @@ module.exports = class SourceEvent extends BaseEvent {
   mapCustomMethods() {
     const type = this.eventSources[0].sourceType.toLowerCase();
     const name = this.eventSources[0].sourceName;
+    if (this.code) {
+      return;
+    }
+
     if (this.isRequestObject) {
       this.code = `const ${type} = req.${type}`;
     } else if (this.isArray) {

package/lib/assess/policy/rules.json

@@ -1376,6 +1376,11 @@
       "type": "http",
       "provider": "./sinks/dustjs-linkedin-xss"
     },
+    "nosql-injection-rethinkdb": {
+      "enabled": true,
+      "type": "http",
+      "provider": "./sinks/rethinkdb-nosql-injection"
+    },
     "reflected-xss": {
       "enabled": true,
       "type": "hook",
@@ -1404,6 +1409,30 @@
             ]
           }
         },
+        "express.response.push": {
+          "type": "dataflow",
+          "enabled": true,
+          "stackTrustedLibs": [],
+          "conditions": {
+            "mode": "or",
+            "args": [
+              {
+                "index": 0,
+                "disallowedTags": [
+                  "cookie",
+                  "header",
+                  "limited-chars",
+                  "alphanum-space-hyphen",
+                  "html-encoded",
+                  "sql-encoded",
+                  "url-encoded",
+                  "weak-url-encoded"
+                ],
+                "requiredTags": ["untrusted"]
+              }
+            ]
+          }
+        },
         "swig.compile": {
           "type": "dataflow",
           "enabled": true,

package/lib/assess/policy/signatures.json

@@ -254,6 +254,12 @@
       "methodName": "response.send",
       "isModule": true
     },
+    "express.response.push": {
+      "moduleName": "express",
+      "version": ">=4.0.0",
+      "methodName": "response.push",
+      "isModule": true
+    },
     "express.response.set": {
       "moduleName": "express",
       "version": ">=4.0.0",

package/lib/assess/propagators/JSON/stringify.js

@@ -23,10 +23,16 @@ const crypto = require('crypto');
 const TagRange = require('../../models/tag-range');
 const tracker = require('../../../tracker.js');
 const { isString } = require('../../../util/is-string');
-const { PropagationEvent, Signature, CallContext } = require('../../models');
+const {
+  PropagationEvent,
+  Signature,
+  CallContext,
+  SourceEvent
+} = require('../../models');
 const ContrastJSON = require('../../../core/rewrite/injections').get('JSON');
 const Debraner = require('../../membrane/debraner');
 const { PROXY_TARGET } = require('../../../constants');
+const { trackedObjects } = require('../../sources/event-handler');
 
 const sig = new Signature({
   moduleName: 'JSON',
@@ -125,6 +131,7 @@ function patchReplacer(replacer) {
 }
 
 let patched = false;
+
 module.exports.handle = function() {
   if (patched) {
     return;
@@ -136,7 +143,7 @@ module.exports.handle = function() {
     patchType: PATCH_TYPES.ASSESS_PROPAGATOR,
 
     pre(data) {
-      const [, , space] = data.args;
+      const [obj, , space] = data.args;
       let [input, replacer] = data.args;
       replacer = patchReplacer(replacer);
 
@@ -148,11 +155,24 @@ module.exports.handle = function() {
         spaceProps: undefined,
         target: undefined,
         membrane: undefined,
-        debraner: undefined
+        debraner: undefined,
+        sourcesMap: {}
       };
 
+      if (trackedObjects.has(obj)) {
+        const { type } = trackedObjects.get(obj);
+        data.metadata.sourcesMap[type] = obj;
+      }
+
       // is the argument behind a membrane? try getting { target, membrane }.
       const braned = input && input[PROXY_TARGET];
+
+      const isSourceObject = input && trackedObjects.has(input);
+
+      if (isSourceObject) {
+        data.metadata.propagate = true;
+      }
+
       // next two are used by the replacer function
       let safeKeys;
       if (braned) {
@@ -183,7 +203,15 @@ module.exports.handle = function() {
        * @param {string} key
        * @param {string} value
        */
+      // eslint-disable-next-line complexity
       function contrastReplacer(key, val) {
+        if (trackedObjects.has(obj)) {
+          const { type } = trackedObjects.get(obj);
+          if (!data.metadata.sourcesMap[type]) {
+            data.metadata.sourcesMap[type] = obj;
+          }
+        }
+
         let isTracked = false;
         const valProperties = tracker.getData(val);
         if (valProperties && valProperties.tagRanges.length) {
@@ -206,7 +234,7 @@ module.exports.handle = function() {
             // make skeletal version of valProperties with only the tagRanges prop.
             data.metadata[id] =
               // eslint-disable-next-line prettier/prettier
-              { tagRanges: [new TagRange(0, value.length - 1, '')] };
+            { tagRanges: [new TagRange(0, value.length - 1, '')] };
             value = `${canary}${id}~${value}`;
             id++;
           }
@@ -229,6 +257,7 @@ module.exports.handle = function() {
       if (!data.metadata.propagate) {
         return data.result;
       }
+
       // restore the proxies to the argument
       const { debraner } = data.metadata;
       if (debraner) {
@@ -262,6 +291,41 @@ module.exports.handle = function() {
       }
       data.result = tracked.str;
       const { props } = tracked;
+
+      const customSources = [];
+
+      Object.keys(data.metadata.sourcesMap).forEach((k) => {
+        const objData = trackedObjects.get(data.metadata.sourcesMap[k]);
+
+        const { type, path, stackOpts } = objData;
+
+        const obj = data.metadata.sourcesMap[type];
+
+        customSources.push(
+          new SourceEvent({
+            context: new CallContext({
+              obj,
+              args: data.args,
+              result: data.result,
+              stackOpts
+            }),
+            signature: new Signature({
+              moduleName: 'http.req',
+              methodName: 'on.end',
+              args: undefined,
+              return: undefined,
+              isModule: false
+            }),
+            tagRanges,
+            source: 'A',
+            target: 'R',
+            name: path,
+            type,
+            isRequestObject: true
+          })
+        );
+      });
+
       props.tagRanges = tagRanges;
       // restore the original arguments so reporting shows user's signature.
       data.args = metadata.origArgs;
@@ -270,8 +334,12 @@ module.exports.handle = function() {
       // always exist, even if an empty array, for production code.
       if (metadata.sourceEvents && !metadata.sourceEvents.length) {
         // eslint-disable-next-line prettier/prettier
-        const { sourceEvents, braned: { membrane } } = data.metadata;
-        sourceEvents.push(membrane.makeReqSourceEvent(data.result.length));
+        const { sourceEvents, braned } = data.metadata;
+        if (braned) {
+          sourceEvents.push(
+            braned.membrane.makeReqSourceEvent(data.result.length)
+          );
+        }
       }
 
       props.event = new PropagationEvent({
@@ -280,7 +348,9 @@ module.exports.handle = function() {
         tagRanges: props.tagRanges,
         source: 'P',
         target: 'R',
-        parents: data.metadata.sourceEvents
+        parents: customSources.length
+          ? customSources
+          : data.metadata.sourceEvents
       });
 
       return data.result;

package/lib/assess/propagators/joi/any.js

@@ -0,0 +1,48 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+const requireHook = require('../../../hooks/require');
+const patcher = require('../../../hooks/patcher');
+const {
+  PATCH_TYPES: { ASSESS_PROPAGATOR }
+} = require('../../../constants');
+const tracker = require('../../../tracker');
+const agent = require('../../../agent');
+
+requireHook.resolve(
+  { name: 'joi', file: 'lib/types/any.js', version: '>=17.0.0' },
+  (object) => {
+    if (
+      !agent.config ||
+      (agent.config && !agent.config.agent.trust_custom_validators)
+    ) {
+      return;
+    }
+
+    patcher.patch(object._definition.rules.custom, 'validate', {
+      name: 'joi.any.custom.validate',
+      patchType: ASSESS_PROPAGATOR,
+      alwaysRun: true,
+      post(data) {
+        if (data.result && typeof data.result === 'string') {
+          tracker.untrack(data.result);
+        }
+
+        if (data.args[0] && typeof data.args[0] === 'string') {
+          tracker.untrack(data.args[0]);
+        }
+      }
+    });
+  }
+);

package/lib/assess/propagators/joi/index.js

@@ -21,4 +21,6 @@ module.exports.handle = function() {
   require('./string-schema');
   require('./string-base');
   require('./expression');
+  require('./object');
+  require('./any');
 };

package/lib/assess/propagators/joi/object.js

@@ -0,0 +1,61 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+const requireHook = require('../../../hooks/require');
+const patcher = require('../../../hooks/patcher');
+const {
+  PATCH_TYPES: { ASSESS_PROPAGATOR }
+} = require('../../../constants');
+const tracker = require('../../../tracker');
+const agent = require('../../../agent');
+
+const traverseObjectAndUntrack = (object, incomingInput, result) => {
+  if (object.type === 'object' && object.$_terms.keys) {
+    object.$_terms.keys.forEach(({ key, schema }) => {
+      traverseObjectAndUntrack(schema, incomingInput[key], result[key]);
+    });
+  }
+
+  if (
+    object.type === 'string' &&
+    Array.isArray(object.$_terms.externals) &&
+    object.$_terms.externals.length
+  ) {
+    tracker.untrack(incomingInput);
+    tracker.untrack(result);
+  }
+};
+
+requireHook.resolve(
+  { name: 'joi', file: 'lib/types/object.js', version: '>=17.0.0' },
+  (object) => {
+    if (
+      !agent.config ||
+      (agent.config && !agent.config.agent.trust_custom_validators)
+    ) {
+      return;
+    }
+
+    patcher.patch(object.__proto__, 'validateAsync', {
+      name: 'joi.object.validateAsync',
+      patchType: ASSESS_PROPAGATOR,
+      alwaysRun: true,
+      post(data) {
+        data.result.then((result) =>
+          traverseObjectAndUntrack(data.obj, data.args[0], result)
+        );
+      }
+    });
+  }
+);

package/lib/assess/propagators/joi/string-base.js

@@ -24,6 +24,7 @@ const tracker = require('../../../tracker');
 const { PropagationEvent, Signature, CallContext } = require('../../models');
 const TagRange = require('../../models/tag-range');
 const tagRangeUtil = require('../../models/tag-range/util');
+const agent = require('../../../agent');
 
 /**
  * Patch joi.string.validate so that it tags input with string-type-checked if validated
@@ -54,6 +55,21 @@ function instrumentJoiString(string) {
         }
       }
     });
+
+  if (agent.config.agent.trust_custom_validators) {
+    patcher.patch(string.__proto__, 'validateAsync', {
+      name: 'joi.string.validateAsync',
+      patchType: ASSESS_PROPAGATOR,
+      alwaysRun: true,
+      post(data) {
+        if (!data.obj.$_terms.externals.length) return;
+        data.result.then((result) => {
+          tracker.untrack(data.args[0]);
+          tracker.untrack(result);
+        });
+      }
+    });
+  }
 }
 
 requireHook.resolve(

package/lib/assess/propagators/mongoose/helpers.js

@@ -12,9 +12,44 @@ Copyright: 2022 Contrast Security, Inc
   engineered, modified, repackaged, sold, redistributed or otherwise used in a
   way not consistent with the End User License Agreement.
 */
+const TagRange = require('../../models/tag-range');
+const { CallContext, PropagationEvent, Signature } = require('../../models');
+
 const hasUserDefinedValidator = (data) =>
   data.obj.validators.some((validator) => validator.type === 'user defined');
 
+const tagCustomValidatedValues = (values, data, tracker, tagRangeUtil) => {
+  for (const value of values) {
+    if (typeof value !== 'string') continue;
+
+    const trackingData = tracker.track(value);
+
+    if (!trackingData) return;
+
+    const { props } = trackingData;
+    const stringLength = value.length - 1;
+
+    props.tagRanges = tagRangeUtil.add(
+      props.tagRanges,
+      new TagRange(0, stringLength, 'custom-validated-nosql-injection')
+    );
+
+    props.tagRanges = tagRangeUtil.add(
+      props.tagRanges,
+      new TagRange(0, stringLength, 'string-type-checked')
+    );
+
+    props.event = new PropagationEvent({
+      context: new CallContext(data),
+      signature: new Signature('mongoose.mixed.doValidateSync'),
+      tagRanges: props.tagRanges,
+      source: 'P',
+      target: 'A',
+      parents: [props.event]
+    });
+  }
+};
 module.exports = {
-  hasUserDefinedValidator
+  hasUserDefinedValidator,
+  tagCustomValidatedValues
 };

package/lib/assess/propagators/mongoose/index.js

@@ -15,4 +15,5 @@ Copyright: 2022 Contrast Security, Inc
 module.exports.handle = () => {
   require('./map');
   require('./string');
+  require('./mixed');
 };

package/lib/assess/propagators/mongoose/map.js

@@ -21,9 +21,11 @@ const tagRangeUtil = require('../../models/tag-range/util');
 const {
   PATCH_TYPES: { ASSESS_PROPAGATOR }
 } = require('../../../constants');
-const TagRange = require('../../models/tag-range');
-const { CallContext, PropagationEvent, Signature } = require('../../models');
-const { hasUserDefinedValidator } = require('./helpers');
+const {
+  hasUserDefinedValidator,
+  tagCustomValidatedValues
+} = require('./helpers');
+const agent = require('../../../agent');
 
 const doValidateSyncPatcher = (SchemaMap) => {
   patcher.patch(SchemaMap.prototype, 'doValidateSync', {
@@ -31,37 +33,16 @@ const doValidateSyncPatcher = (SchemaMap) => {
     name: 'mongoose.map.doValidateSync',
     patchType: ASSESS_PROPAGATOR,
     post(data) {
-      if (data.result || data.obj.options.of.name !== 'String') return;
+      if (data.result) return;
 
       if (!hasUserDefinedValidator(data)) return;
 
-      for (const value of data.args[0].values()) {
-        const trackingData = tracker.track(value);
-
-        if (!trackingData) return;
-
-        const { props } = trackingData;
-        const stringLength = value.length - 1;
-
-        props.tagRanges = tagRangeUtil.add(
-          props.tagRanges,
-          new TagRange(0, stringLength, 'custom-validated-nosql-injection')
-        );
-
-        props.tagRanges = tagRangeUtil.add(
-          props.tagRanges,
-          new TagRange(0, stringLength, 'string-type-checked')
-        );
-
-        props.event = new PropagationEvent({
-          context: new CallContext(data),
-          signature: new Signature('mongoose.map.doValidateSync'),
-          tagRanges: props.tagRanges,
-          source: 'P',
-          target: 'A',
-          parents: [props.event]
-        });
-      }
+      tagCustomValidatedValues(
+        data.args[0].values(),
+        data,
+        tracker,
+        tagRangeUtil
+      );
     }
   });
 };
@@ -69,6 +50,13 @@ const doValidateSyncPatcher = (SchemaMap) => {
 requireHook.resolve(
   { name: 'mongoose', file: 'lib/schema/map.js', version: '>=5.0.0' },
   (SchemaMap) => {
+    if (
+      !agent.config ||
+      (agent.config && !agent.config.agent.trust_custom_validators)
+    ) {
+      return;
+    }
+
     doValidateSyncPatcher(SchemaMap);
   }
 );