@contrast/agent 4.8.0 → 4.10.1

package/lib/assess/propagators/mongoose/mixed.js

@@ -0,0 +1,71 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const tracker = require('../../../tracker');
+const patcher = require('../../../hooks/patcher');
+const requireHook = require('../../../hooks/require');
+const tagRangeUtil = require('../../models/tag-range/util');
+const {
+  PATCH_TYPES: { ASSESS_PROPAGATOR }
+} = require('../../../constants');
+const {
+  hasUserDefinedValidator,
+  tagCustomValidatedValues
+} = require('./helpers');
+const agent = require('../../../agent');
+
+const doValidateSyncPatcher = (SchemaMap) => {
+  patcher.patch(SchemaMap.prototype, 'doValidateSync', {
+    alwaysRun: true,
+    name: 'mongoose.mixed.doValidateSync',
+    patchType: ASSESS_PROPAGATOR,
+    post(data) {
+      if (data.result || !hasUserDefinedValidator(data)) return;
+
+      const input = data.args[0];
+      const inputType = typeof input;
+
+      if (inputType !== 'string' && inputType !== 'object') return;
+
+      let values;
+      if (inputType === 'string') {
+        values = [input];
+      } else if (Array.isArray(input)) {
+        values = input;
+      } else if (input instanceof Map) {
+        values = input.values();
+      } else {
+        values = Object.values(input);
+      }
+
+      tagCustomValidatedValues(values, data, tracker, tagRangeUtil);
+    }
+  });
+};
+
+requireHook.resolve(
+  { name: 'mongoose', file: 'lib/schema/mixed.js', version: '>=5.0.0' },
+  (SchemaMap) => {
+    if (
+      !agent.config ||
+      (agent.config && !agent.config.agent.trust_custom_validators)
+    ) {
+      return;
+    }
+
+    doValidateSyncPatcher(SchemaMap);
+  }
+);

package/lib/assess/propagators/mongoose/string.js

@@ -24,6 +24,7 @@ const {
 const TagRange = require('../../models/tag-range');
 const { CallContext, PropagationEvent, Signature } = require('../../models');
 const { hasUserDefinedValidator } = require('./helpers');
+const agent = require('../../../agent');
 
 const enumPatcher = (SchemaString) => {
   patcher.patch(SchemaString.prototype, 'enum', {
@@ -98,6 +99,13 @@ const doValidateSyncPatcher = (SchemaString) => {
 requireHook.resolve(
   { name: 'mongoose', file: 'lib/schema/string.js', version: '>=5.0.0' },
   (SchemaString) => {
+    if (
+      !agent.config ||
+      (agent.config && !agent.config.agent.trust_custom_validators)
+    ) {
+      return;
+    }
+
     enumPatcher(SchemaString);
     doValidateSyncPatcher(SchemaString);
   }

package/lib/assess/sinks/rethinkdb-nosql-injection.js

@@ -0,0 +1,142 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const patcher = require('../../hooks/patcher');
+const { PATCH_TYPES } = require('../../constants');
+const moduleHook = require('../../hooks/require');
+const { CallContext, Signature } = require('../models');
+const {
+  RULES: { NOSQL_INJECTION }
+} = require('../../constants');
+
+const filterSignature = new Signature({
+  moduleName: 'rethinkdb.RDBVal',
+  methodName: 'filter',
+  isModule: true
+});
+const matchSignature = new Signature({
+  moduleName: 'rethinkdb.RDBVal',
+  methodName: 'match',
+  isModule: true
+});
+const moduleName = 'rethinkdb';
+
+class Handler {
+  constructor({ report, isVulnerable, requiredTags }) {
+    this._isVulnerable = isVulnerable;
+    this.report = report;
+    this.requiredTags = requiredTags;
+    this.disallowedTags = [
+      'alphanum-space-hyphen',
+      'limited-chars',
+      'custom-validated',
+      'custom-encoded-nosql-injection',
+      'custom-validated-nosql-injection'
+    ];
+  }
+
+  isVulnerable(input) {
+    const { requiredTags, disallowedTags } = this;
+    return this._isVulnerable({
+      input,
+      ruleId: NOSQL_INJECTION,
+      disallowedTags,
+      requiredTags,
+      searchDepth: 5
+    });
+  }
+
+  handle() {
+    moduleHook.resolve({ name: moduleName }, (rethinkdb) =>
+      this.handleRequire(rethinkdb)
+    );
+  }
+
+  patchRethinkDb(rethinkdb) {
+    const self = this;
+    patcher.patch(rethinkdb, 'table', {
+      name: moduleName,
+      patchType: PATCH_TYPES.ASSESS_SINK,
+      alwaysRun: true,
+      post(data) {
+        self.patchTableMethod(data.result);
+      }
+    });
+  }
+
+  /**
+   * Patch the table method and through it gain access to the object
+   * prototype that holds the vulnerable `match` and `filter` methods
+   */
+  patchTableMethod(tableObject) {
+    const RDBValObject = Object.getPrototypeOf(tableObject.args[0]);
+    const TermBaseObject = Object.getPrototypeOf(RDBValObject);
+    const self = this;
+
+    patcher.patch(TermBaseObject, 'match', {
+      name: 'TermBase.prototype',
+      patchType: PATCH_TYPES.ASSESS_SINK,
+      alwaysRun: true,
+      post({ args: [str], hooked, obj }) {
+        if (self.isVulnerable(str)) {
+          self.report({
+            ruleId: NOSQL_INJECTION,
+            signature: matchSignature,
+            input: str,
+            ctxt: new CallContext({
+              obj,
+              args: [str],
+              result: str,
+              stackOpts: {
+                constructorOpt: hooked
+              }
+            })
+          });
+        }
+      }
+    });
+    patcher.patch(TermBaseObject, 'filter', {
+      name: 'TermBase.prototype',
+      patchType: PATCH_TYPES.ASSESS_SINK,
+      alwaysRun: true,
+      post({ args: [str], hooked, obj }) {
+        if (self.isVulnerable(str)) {
+          self.report({
+            ruleId: NOSQL_INJECTION,
+            signature: filterSignature,
+            input: str,
+            ctxt: new CallContext({
+              obj,
+              args: [str],
+              result: str,
+              stackOpts: {
+                constructorOpt: hooked
+              }
+            })
+          });
+        }
+      }
+    });
+  }
+
+  handleRequire(rethinkdb) {
+    this.patchRethinkDb(rethinkdb);
+    return rethinkdb;
+  }
+}
+
+module.exports = ({ common }) => new Handler(common);
+module.exports.Handler = Handler;

package/lib/assess/sources/event-handler.js

@@ -0,0 +1,307 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const logger = require('../../core/logger')('contrast:assess.sources');
+const { PATCH_TYPES } = require('../../constants');
+const { CallContext, SourceEvent } = require('../models');
+const TraceEventSource = require('../../reporter/models/trace-event-source');
+const { AsyncStorage, KEYS } = require('../../core/async-storage');
+const TagRange = require('../models/tag-range');
+const patcher = require('../../hooks/patcher');
+const tracker = require('../../tracker');
+const parseurl = require('parseurl');
+
+const SOURCE_EVENT_MAX = 250;
+const trackedObjects = new WeakMap();
+
+class SourceEventHandler {
+  constructor({
+    config = {
+      agent: {
+        node: {
+          array_request_sampling: {
+            enable: true,
+            threshold: 50,
+            interval: 5
+          }
+        }
+      }
+    },
+    ensureReq = true,
+    exclusions,
+    stackOpts,
+    snapshot,
+    signature,
+    type = 'UNKNOWN'
+  } = {}) {
+    this.config = config;
+    this.exclusions = exclusions;
+    this.type = type;
+    this.snapshot = snapshot;
+    this.signature = signature;
+    this.stackOpts = stackOpts;
+    this.ensureReq = ensureReq;
+    this.samplingEnabled = config.agent.node.array_request_sampling.enable;
+    this.samplingThreshold = config.agent.node.array_request_sampling.threshold;
+    this.samplingInterval = this.samplingEnabled
+      ? config.agent.node.array_request_sampling.interval
+      : 1;
+
+    this.inputExclusions = [];
+    this.urlExclusions = [];
+    this.skipEvent = false;
+    this.sourceEventCount = 0;
+
+    this.init();
+  }
+
+  init() {
+    // values reused in functions
+    this.req = AsyncStorage.get(KEYS.REQ);
+
+    // NODE-1431: prevents crashing when req is not present in AsyncStorage.
+    if (!this.req) {
+      if (!this.ensureReq) return;
+
+      this.skipEvent = true;
+      logger.debug(
+        'failed to handle source event for type: %s; request not present in async storage',
+        this.type
+      );
+    }
+
+    if (!this.exclusions) return;
+
+    const { pathname } = parseurl(this.req);
+
+    this.inputExclusions = this.exclusions
+      .getInputExclusions('assess')
+      .reduce((acc, e) => {
+        if (!e.matchesUrl(pathname)) return acc;
+
+        // `isNamed` is false for exclusion types such as BODY and QUERYSTRING which
+        // apply to the entire set of params not only those by a specified name. Also
+        // is true if the input name is set to wildcard "*" meaning it should apply to
+        // all values. In each case there's no need to wrap if all rules are excluded.
+        if (!this.skipEvent && e.appliesToAllAssessRules() && !e.isNamed) {
+          logExclusionMessage(e, this.type);
+          this.skipEvent = true;
+        }
+
+        acc.push(e);
+        return acc;
+      }, []);
+
+    this.urlExclusions = this.exclusions
+      .getUrlExclusions('assess')
+      .reduce((acc, e) => {
+        if (!e.matchesUrl(pathname)) return acc;
+
+        if (!this.skipEvent && e.appliesToAllAssessRules()) {
+          logExclusionMessage(e, this.type);
+          this.skipEvent = true;
+        }
+
+        acc.push(e);
+        return acc;
+      }, []);
+  }
+
+  /**
+   *
+   * @param {object} param
+   * @param {object} param.obj usually the incoming message
+   * @param {string} param.prop obj[prop] is containing user-controlled data
+   */
+  handle({ obj, prop }) {
+    this.typeKey = prop;
+
+    if (this.skipEvent) return;
+
+    this.traverseAndTrack({ obj, key: prop });
+  }
+
+  // eslint-disable-next-line complexity
+  traverseAndTrack({ obj, key, path = [] }) {
+    const value = obj[key];
+
+    if (!value) return;
+
+    if (this.sourceEventCount > SOURCE_EVENT_MAX) {
+      logger.debug('max sources exceeded for %s', this.type);
+      return;
+    }
+
+    if (Array.isArray(value)) {
+      const limit = Math.min(value.length, this.samplingThreshold);
+
+      trackedObjects.set(value, { ...this, path, key });
+
+      for (let i = 0; i < limit; i += this.samplingInterval) {
+        this.traverseAndTrack({
+          obj: value,
+          key: i,
+          path: [...path, i]
+        });
+      }
+    } else if (Buffer.isBuffer(value)) {
+      this.sourceEventCount++;
+      patcher.patch(value, 'toString', {
+        name: 'Buffer.toString',
+        alwaysRun: true,
+        patchType: PATCH_TYPES.MISC,
+        post: (wrapCtx) => {
+          this.trackStringProp({
+            obj: wrapCtx,
+            key: 'result',
+            path
+          });
+        }
+      });
+    } else if (typeof value === 'string' || value instanceof String) {
+      this.sourceEventCount++;
+      this.trackStringProp({ obj, key, path });
+    } else if (typeof value === 'object') {
+      trackedObjects.set(value, { ...this, path, key });
+
+      for (const objKey of Object.keys(value)) {
+        this.traverseAndTrack({
+          obj: value,
+          path: [...path, objKey],
+          key: objKey
+        });
+      }
+    }
+  }
+
+  trackStringProp({ obj, key, path, value = obj[key] }) {
+    const trackData = tracker.track(value);
+    if (!trackData) {
+      return;
+    }
+
+    const name = path.join('.');
+    const { props, str: result } = trackData;
+
+    props.tagRanges = this.getTagRanges({ name, result });
+    props.event = new SourceEvent({
+      context: new CallContext({
+        obj: 'IncomingMessage {}',
+        args: [`${this.typeKey}.${name}`],
+        result,
+        stackOpts: this.stackOpts
+      }),
+      code: `req.${this.typeKey}.${name}`,
+      signature: this.signature,
+      tagRanges: props.tagRanges,
+      target: 'R',
+      type: this.type,
+      name
+    });
+
+    // NOTE: this used to happen on access in SourceMembrane.onString(), though we
+    // should be able to determine access of source value during dataflow - when a
+    // source is tracked into PROPAGATION or SINK event.
+    storeSource({ type: this.type, name: key });
+
+    obj[key] = result;
+  }
+
+  getTagRanges({ result, name }) {
+    const stop = result.length - 1;
+    const tagRanges = [new TagRange(0, stop, 'untrusted')];
+
+    const typeLowerCase = this.type.toLowerCase();
+    const nameLowerCase = name.toLocaleLowerCase();
+
+    if (typeLowerCase === 'header' && nameLowerCase !== 'referer') {
+      tagRanges.push(new TagRange(0, stop, 'header'));
+    }
+
+    if (typeLowerCase === 'cookie') {
+      tagRanges.push(new TagRange(0, stop, 'cookie'));
+    }
+
+    if (!this.inputExclusions.length) {
+      return tagRanges;
+    }
+
+    const rules = new Set();
+
+    /* 
+      Maybe it's pointless because we set skipEvent to true if appliesToAllAssessRules
+      and we won't get here
+    */
+    const exclusions = this.inputExclusions.filter(
+      (e) => !e.appliesToAllAssessRules()
+    );
+
+    for (const exclusion of exclusions) {
+      if (!exclusion.matches(name)) {
+        continue;
+      }
+
+      for (const ruleId of exclusion.assessmentRulesList) {
+        logger.debug(
+          'excluding %s %s value from %s (%s)',
+          this.type,
+          name,
+          ruleId,
+          exclusion.name
+        );
+
+        if (!rules.has(ruleId)) {
+          tagRanges.push(new TagRange(0, stop, `exclusion:${ruleId}`));
+        }
+
+        rules.add(ruleId);
+      }
+    }
+
+    return tagRanges;
+  }
+}
+
+function storeSource({ type, name }) {
+  let storedSources = AsyncStorage.get(KEYS.SOURCES);
+
+  if (!storedSources) {
+    // if this is the first source stored on the request, initialize a map
+    // and set the storedSources to be a reference to the new, empty map.
+    storedSources = new Map();
+    AsyncStorage.set(KEYS.SOURCES, storedSources);
+  }
+
+  // there are cases where AsyncStorage context is out of sync, add defensive code so we don't
+  // crash.
+  if (storedSources) {
+    // save event for route coverage (data pulled in for RouteInfo object)
+    // only want to save unique values
+    storedSources.set(`${type}-${name}`, new TraceEventSource({ type, name }));
+  }
+}
+
+function logExclusionMessage(exclusion, type) {
+  const { name } = exclusion;
+  logger.debug(
+    'excluding %s inputs from all assess rules (%s)',
+    type.toLowerCase(),
+    name
+  );
+}
+
+module.exports.SourceEventHandler = SourceEventHandler;
+module.exports.trackedObjects = trackedObjects;

package/lib/assess/sources/index.js

@@ -26,9 +26,12 @@ const parseurl = require('parseurl');
 const {
   EXCLUSION_INPUT_TYPES: { BODY, HEADER, PARAMETER, QUERYSTRING, COOKIE }
 } = require('../../constants');
+const { Signature } = require('../models');
 
 const sources = module.exports;
 
+const { SourceEventHandler } = require('./event-handler');
+
 /**
  * Registers sources for assess instrumentation
  */
@@ -60,19 +63,104 @@ sources.track = function(type, parent, key, membrane) {
  */
 sources.registerListeners = function({ config, exclusions }) {
   agentEmitter.on('assess.body', (obj, prop) => {
-    sources.handleSourceEvent(config, exclusions, BODY, obj, prop);
+    if (!config.agent.traverse_and_track) {
+      return sources.handleSourceEvent(config, exclusions, BODY, obj, prop);
+    }
+
+    agentEmitter.emit('assess.source', {
+      config,
+      exclusions,
+      obj,
+      prop,
+      data: obj[prop],
+      type: BODY
+    });
   });
   agentEmitter.on('assess.headers', (obj, prop) => {
-    sources.handleSourceEvent(config, exclusions, HEADER, obj, prop);
+    if (!config.agent.traverse_and_track) {
+      return sources.handleSourceEvent(config, exclusions, HEADER, obj, prop);
+    }
+
+    agentEmitter.emit('assess.source', {
+      obj,
+      prop,
+      data: obj[prop],
+      type: HEADER
+    });
   });
   agentEmitter.on('assess.params', (obj, prop) => {
-    sources.handleSourceEvent(config, exclusions, PARAMETER, obj, prop);
+    if (!config.agent.traverse_and_track) {
+      return sources.handleSourceEvent(
+        config,
+        exclusions,
+        PARAMETER,
+        obj,
+        prop
+      );
+    }
+
+    agentEmitter.emit('assess.source', {
+      obj,
+      prop,
+      data: obj[prop],
+      type: PARAMETER
+    });
   });
   agentEmitter.on('assess.query', (obj, prop) => {
-    sources.handleSourceEvent(config, exclusions, QUERYSTRING, obj, prop);
+    if (!config.agent.traverse_and_track) {
+      return sources.handleSourceEvent(
+        config,
+        exclusions,
+        QUERYSTRING,
+        obj,
+        prop
+      );
+    }
+
+    agentEmitter.emit('assess.source', {
+      obj,
+      prop,
+      data: obj[prop],
+      type: QUERYSTRING
+    });
   });
+
   agentEmitter.on('assess.cookies', (obj, prop) => {
-    sources.handleSourceEvent(config, exclusions, COOKIE, obj, prop);
+    if (!config.agent.traverse_and_track) {
+      return sources.handleSourceEvent(config, exclusions, COOKIE, obj, prop);
+    }
+
+    agentEmitter.emit('assess.source', {
+      obj,
+      prop,
+      type: COOKIE
+    });
+  });
+
+  // might be helpful for clients to send add'l values in event arg
+  //   - stackOpts: elide frames from function ref in client instrumentation
+  //   - signature: rather than create shared one in the handler
+  //   - or stack snapshot function - could share among SourceEvents
+  //   - call context to share among SourceEvents
+  agentEmitter.on('assess.source', ({ obj, prop, type, signature }) => {
+    if (!signature) {
+      signature = new Signature({
+        moduleName: 'Object',
+        methodName: 'getter',
+        args: [prop],
+        return: 'String',
+        isModule: false
+      });
+    }
+
+    new SourceEventHandler({
+      config,
+      exclusions,
+      signature,
+      type,
+      stackOpts: undefined,
+      snapshot: undefined
+    }).handle({ obj, prop });
   });
 };
 

package/lib/assess/spdy/index.js

@@ -0,0 +1,23 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const AssessSinks = require('./sinks');
+
+module.exports = class SpdyInstrumentation {
+  constructor(agent) {
+    new AssessSinks(agent);
+  }
+};