@contrast/assess 1.1.0 → 1.2.0

package/lib/dataflow/propagation/index.js

@@ -20,15 +20,15 @@ const { callChildComponentMethodsSync } = require('@contrast/common');
 module.exports = function(core) {
   const propagation = core.assess.dataflow.propagation = {};
 
-  require('./install/string')(core);
-  require('./install/array-prototype-join')(core);
-  require('./install/pug')(core);
   require('./install/contrast-methods')(core);
-  require('./install/validator')(core);
-  require('./install/url')(core);
   require('./install/ejs')(core);
-  require('./install/encode-uri-component')(core);
+  require('./install/pug')(core);
+  require('./install/string')(core);
+  require('./install/url')(core);
+  require('./install/validator')(core);
+  require('./install/array-prototype-join')(core);
   require('./install/decode-uri-component')(core);
+  require('./install/encode-uri-component')(core);
   require('./install/escape-html')(core);
   require('./install/escape')(core);
   require('./install/handlebars-utils-escape-expression')(core);
@@ -37,7 +37,6 @@ module.exports = function(core) {
   require('./install/sql-template-strings')(core);
   require('./install/unescape')(core);
 
-
   propagation.install = function() {
     callChildComponentMethodsSync(propagation, 'install');
   };

package/lib/dataflow/propagation/install/contrast-methods/index.js

@@ -29,6 +29,7 @@ module.exports = function(core) {
 
   require('./add')(core);
   require('./tag')(core);
+  require('./string')(core);
 
   return contrastMethodsInstrumentation;
 };

package/lib/dataflow/propagation/install/contrast-methods/string.js

@@ -0,0 +1,56 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../../common');
+
+module.exports = function(core) {
+  const {
+    scopes: { sources, instrumentation },
+    patcher,
+    assess: {
+      dataflow: { tracker }
+    }
+  } = core;
+
+  return core.assess.dataflow.propagation.contrastMethodsInstrumentation.string = {
+    install() {
+      patcher.patch(global.ContrastMethods, 'String', {
+        name: 'ContrastMethods.String',
+        patchType,
+        post(data) {
+          if (!data.result || !sources.getStore() || instrumentation.isLocked()) return;
+
+          const arg = data.args[0];
+          let argInfo = tracker.getData(arg);
+
+          if (data.obj && !argInfo) {
+            argInfo = tracker.getData(data.result.toString());
+          }
+
+          if (!arg || !argInfo) {
+            return;
+          }
+
+          const { extern } = tracker.track(data.result, argInfo);
+          if (extern) {
+            data.result = extern;
+          }
+        }
+      });
+    }
+  };
+};

package/lib/dataflow/propagation/install/string/index.js

@@ -33,6 +33,7 @@ module.exports = function(core) {
   require('./trim')(core);
   require('./html-methods')(core);
   require('./format-methods')(core);
+  require('./split')(core);
 
   return stringInstrumentation;
 };

package/lib/dataflow/propagation/install/string/split.js

@@ -0,0 +1,108 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../../common');
+const { join } = require('@contrast/common');
+const { createSubsetTags } = require('../../../tag-utils');
+
+
+module.exports = function(core) {
+  const {
+    scopes: { sources, instrumentation },
+    patcher,
+    assess: {
+      dataflow: { tracker, eventFactory: { createPropagationEvent } }
+    }
+  } = core;
+
+  return core.assess.dataflow.propagation.stringInstrumentation.split = {
+    install() {
+      const name = 'String.prototype.split';
+
+      patcher.patch(String.prototype, 'split', {
+        name,
+        patchType,
+        post(data) {
+          const { name, args, obj, result, hooked, orig } = data;
+          if (
+            !obj ||
+            !result ||
+            args.length === 0 ||
+            result.length === 0 ||
+            !sources.getStore() ||
+            typeof obj !== 'string' ||
+            instrumentation.isLocked() ||
+            (args.length === 1 && args[0] == null)
+          ) return;
+
+          const objInfo = tracker.getData(obj);
+          if (!objInfo) return;
+
+          let idx = 0;
+          for (let i = 0; i < result.length; i++) {
+            const res = result[i];
+            const start = obj.indexOf(res, idx);
+            idx += res.length;
+            const objSubstr = obj.substring(start, start + res.length);
+            const objSubstrInfo = tracker.getData(objSubstr);
+            if (objSubstrInfo) {
+              const tags = createSubsetTags(objInfo.tags, start, res.length - 1);
+              if (!tags) continue;
+
+              const event = createPropagationEvent({
+                name,
+                history: [objInfo],
+                object: {
+                  value: obj,
+                  isTracked: true,
+                },
+                args: args.map((arg) => {
+                  const argInfo = tracker.getData(arg);
+                  return {
+                    value: argInfo ? argInfo.value : arg.toString(),
+                    isTracked: !!argInfo
+                  };
+                }),
+                tags,
+                result: {
+                  value: join(result),
+                  isTracked: false
+                },
+                stacktraceOpts: {
+                  constructorOpt: hooked,
+                  prependFrames: [orig]
+                },
+                source: 'O',
+                target: 'R'
+              });
+
+              if (event) {
+                const { extern } = tracker.track(res, event);
+                if (extern) {
+                  data.result[i] = extern;
+                }
+              }
+            }
+          }
+        },
+      });
+    },
+    uninstall() {
+      String.prototype.split = patcher.unwrap(String.prototype.split);
+    },
+  };
+};

package/lib/dataflow/sources/index.js

@@ -25,7 +25,6 @@ module.exports = function(core) {
   // installers
   require('./install/http')(core);
   require('./install/fastify')(core);
-  require('./install/qs')(core);
 
   sources.install = function install() {
     callChildComponentMethodsSync(sources, 'install');

package/lib/dataflow/sources/install/http.js

@@ -15,6 +15,7 @@
 
 'use strict';
 const { patchType } = require('../common');
+const { toLowerCase } = require('@contrast/common');
 
 // This is only just initiating an async storage for the http source
 // TODO Tracking the user input
@@ -59,13 +60,13 @@ module.exports = function(core) {
               const key = obj[i];
               const value = obj[i + 1];
 
-              if (key.toLowerCase() === 'content-type') {
+              if (toLowerCase(key) === 'content-type') {
                 store.assess.responseData.contentType = value;
               }
             }
           } else if (typeof obj === 'object') {
             for (const [key, value] of Object.entries(obj)) {
-              if (key.toLowerCase() === 'content-type') {
+              if (toLowerCase(key) === 'content-type') {
                 store.assess.responseData.contentType = value;
               }
             }
@@ -79,7 +80,7 @@ module.exports = function(core) {
         patchType,
         pre(data) {
           const [name = '', value] = data.args;
-          if (name.toLowerCase() === 'content-type' && value) {
+          if (toLowerCase(name) === 'content-type' && value) {
             store.assess.responseData.contentType = value;
           }
         }
@@ -99,11 +100,11 @@ module.exports = function(core) {
       const headers = {};
 
       for (let i = 0; i < req.rawHeaders.length; i += 2) {
-        const header = req.rawHeaders[i].toLowerCase();
+        const header = toLowerCase(req.rawHeaders[i]);
         headers[header] = req.rawHeaders[i + 1];
       }
 
-      const contentType = headers['content-type']?.toLowerCase();
+      const contentType = headers['content-type'] && toLowerCase(headers['content-type']);
       const reqData = {
         ip: req.socket.remoteAddress,
         httpVersion: req.httpVersion,
@@ -125,7 +126,9 @@ module.exports = function(core) {
       logger.error({ err }, 'Error during assess request handling');
     }
 
-    return next();
+    setImmediate(() => {
+      next.call(data.obj, ...data.args);
+    });
   }
 
   function install() {

package/lib/index.js

@@ -15,21 +15,26 @@
 
 'use strict';
 
+const { callChildComponentMethodsSync } = require('@contrast/common');
 const dataflow = require('./dataflow');
+const responseScanning = require('./response-scanning');
 
 module.exports = function assess(core) {
+  if (!core.config.assess.enable) return;
+
   const assess = core.assess = {};
 
   // Does this order matter? Probably not
   // 1. dataflow
   dataflow(core);
+  responseScanning(core);
 
-  // response-scanning
   // crypto
   // static (in coordination with rewriter)
 
   assess.install = function() {
-    core.assess.dataflow.install();
+    core.rewriter.install('assess');
+    callChildComponentMethodsSync(core.assess, 'install');
   };
 
   return assess;

package/lib/response-scanning/handlers/index.js

@@ -0,0 +1,274 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const {
+  escapeHtml,
+  isHtmlContent,
+  getElements,
+  getAttribute,
+  isParseableResponse,
+  checkCacheControlValue,
+  checkMetaTags,
+  getCspHeaders,
+  checkCspSources
+} = require('./utils');
+const { toLowerCase, substring, ResponseScanningRule } = require('@contrast/common');
+
+module.exports = function(core) {
+  const {
+    assess: {
+      responseScanning,
+      responseScanning: {
+        reportFindings
+      }
+    }
+  } = core;
+
+  responseScanning.handleAutoCompleteMissing = function(sourceContext, { responseHeaders, responseBody }) {
+    if (!isHtmlContent(responseHeaders)) {
+      return;
+    }
+
+    const elements = getElements('form', responseBody);
+
+    for (let i = 0; i < elements.length; i++) {
+      const autocomplete = getAttribute('autocomplete', elements[i]);
+      if (autocomplete !== 'off') {
+        reportFindings(sourceContext,
+          {
+            ruleId: ResponseScanningRule.AUTOCOMPLETE_MISSING,
+            vulnerabilityMetadata: {
+              attribute: autocomplete,
+              html: escapeHtml(elements[i]),
+              start: 0,
+              end: elements[i].length
+            }
+          });
+        break;
+      }
+    }
+  };
+
+  responseScanning.handleCacheControlsMissing = function(sourceContext, { responseHeaders, responseBody }) {
+    const instructions = [];
+
+    // de-dupe; this will be re-emitted for parseableBody handlers anyway
+    if (isParseableResponse(responseHeaders) && !responseBody) {
+      return;
+    }
+    const cacheControlHeader = responseHeaders['cache-control'];
+
+    // save the Pragma Header
+    if (responseHeaders['pragma']) {
+      instructions.push({
+        type: 'Header',
+        name: 'pragma',
+        value: responseHeaders['pragma']
+      });
+    }
+
+    if (cacheControlHeader) {
+      const [containsNoCache, containsNoStore] = checkCacheControlValue(
+        cacheControlHeader
+      );
+
+      // got everything from header so we don't care about meta tags
+      if (containsNoCache && containsNoStore) {
+        return;
+      } else {
+        // save the instructions in case meta tags are missing
+        instructions.push({
+          type: 'Header',
+          name: 'cache-control',
+          value: cacheControlHeader
+        });
+      }
+    }
+
+    // we checked the headers now time to check the HTML content
+    checkMetaTags({ body: responseBody, cacheControlHeader, instructions });
+
+    if (instructions.length) {
+      reportFindings(sourceContext, {
+        ruleId: ResponseScanningRule.CACHE_CONTROLS_MISSING,
+        vulnerabilityMetadata: {
+          data: JSON.stringify(instructions)
+        }
+      });
+    }
+  };
+
+  responseScanning.handleClickJackingControlsMissing = function(sourceContext, { responseHeaders }) {
+    // look for x-frame-options headers with deny or sameorigin
+    const xFrameHeaders = responseHeaders['x-frame-options'];
+    let hasFrameBusting = false;
+
+    if (xFrameHeaders) {
+      const xFrameHeadersLC = toLowerCase(xFrameHeaders);
+      hasFrameBusting =
+        xFrameHeadersLC.indexOf('deny') > -1 ||
+        xFrameHeadersLC.indexOf('sameorigin') > -1;
+    }
+
+    if (!hasFrameBusting) {
+      reportFindings(sourceContext, { ruleId: ResponseScanningRule.CLICKJACKING_CONTROL_MISSING });
+    }
+  };
+
+  responseScanning.handleParameterPollution = function(sourceContext, { responseBody }) {
+    // look for form tag with missing action attribute.
+    // ex: <form method="post">..
+    const elements = getElements('form', responseBody);
+
+    for (let i = 0; i < elements.length; i++) {
+      const action = getAttribute('action', elements[i]);
+      if (!action) {
+        reportFindings(sourceContext, {
+          ruleId: ResponseScanningRule.PARAMETER_POLLUTION,
+          vulnerabilityMetadata: {
+            attribute: action,
+            html: escapeHtml(elements[i])
+          }
+        });
+      }
+    }
+  };
+
+  /**
+ * Checks the response headers for the CSP. If found, and insecure, will return
+ * the evidence for reporting.
+ *
+ * @param   {Object}        responseHeaders - HTTP headers object.
+ * @returns {Object}                        - Evidence for insecure CSP header.
+ */
+  responseScanning.handleCspHeader = function(sourceContext, { responseHeaders }) {
+    const cspHeaders = getCspHeaders(responseHeaders);
+
+    // Don't report if not set; this report belongs to 'csp-header-missing'
+    if (!cspHeaders) {
+      reportFindings(sourceContext, { ruleId: ResponseScanningRule.CSP_HEADER_MISSING });
+      return;
+    }
+
+    const vulnerabilityMetadata = checkCspSources(cspHeaders);
+
+    if (vulnerabilityMetadata.insecure) {
+      // We do this because TS API will expect these keys (although it is a typo)
+      // When they fix the API we can remove this
+      vulnerabilityMetadata.refererSecure = vulnerabilityMetadata.referrerSecure;
+      vulnerabilityMetadata.refererValue = vulnerabilityMetadata.referrerValue;
+
+      delete vulnerabilityMetadata.insecure;
+      delete vulnerabilityMetadata.referrerSecure;
+      delete vulnerabilityMetadata.referrerValue;
+
+      reportFindings(sourceContext, { ruleId: ResponseScanningRule.CSP_HEADER_INSECURE, vulnerabilityMetadata });
+    }
+  };
+
+  responseScanning.handleHstsHeaderMissing = function(sourceContext, { responseHeaders }) {
+    let header = responseHeaders['strict-transport-security'];
+    let maxAge;
+
+    if (header) {
+      header = toLowerCase(header);
+      const flag = header.indexOf('max-age');
+      if (flag > -1) {
+        const equal = header.indexOf('=', flag);
+        if (equal > -1) {
+          const semicolon = header.indexOf(';', equal);
+          if (semicolon > -1) {
+            maxAge = substring(header, equal + 1, semicolon);
+          } else {
+            maxAge = substring(header, equal + 1);
+          }
+        }
+      }
+    }
+
+    if (!(parseInt(maxAge) > 0)) {
+      reportFindings(sourceContext, {
+        ruleId: ResponseScanningRule.HSTS_HEADER_MISSING,
+        vulnerabilityMetadata: {
+          data: maxAge || ''
+        }
+      });
+    }
+  };
+
+  responseScanning.handlePoweredByHeader = function(sourceContext, { responseHeaders }) {
+    const headerName = 'x-powered-by';
+    let header = responseHeaders[headerName];
+
+    if (header) {
+      header = toLowerCase(header);
+
+      const instructions = [
+        {
+          type: 'Header',
+          name: headerName,
+          value: header
+        }
+      ];
+
+      reportFindings(sourceContext, {
+        ruleId: ResponseScanningRule.POWERED_BY_HEADER,
+        vulnerabilityMetadata: {
+          data: JSON.stringify(instructions)
+        }
+      });
+    }
+  };
+
+  responseScanning.handleXContentTypeHeaderMissing = function(sourceContext, { responseHeaders }) {
+    const headerName = 'x-content-type-options';
+    let header = responseHeaders[headerName];
+
+    if (header) {
+      header = toLowerCase(header);
+      if (header === 'nosniff') {
+        return;
+      }
+    }
+
+    reportFindings(sourceContext, {
+      ruleId: ResponseScanningRule.XCONTENTTYPE_HEADER_MISSING,
+      vulnerabilityMetadata: {
+        data: header || ''
+      }
+    });
+  };
+
+  responseScanning.handleXxsProtectionHeaderDisabled = function(sourceContext, { responseHeaders }) {
+    const header = responseHeaders['x-xss-protection'];
+
+    // This header is set by default, so `header` should always be present.
+    if (header && header.startsWith('1')) {
+      return;
+    }
+
+    reportFindings(sourceContext, {
+      ruleId: ResponseScanningRule.XXSPROTECTION_HEADER_DISABLED,
+      vulnerabilityMetadata: {
+        data: header
+      }
+    });
+  };
+
+  return responseScanning;
+};
+