npm - @contrast/assess - Versions diffs - 1.1.0 - Mend

@contrast/assess 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (111) hide show

package/lib/dataflow/propagation/install/mysql-connection-escape.js ADDED Viewed

@@ -0,0 +1,111 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const {
+  createFullLengthCopyTags
+} = require('../../tag-utils');
+const { patchType, createModuleLabel } = require('../common');
+module.exports = function(core) {
+  const {
+    scopes: { sources, instrumentation },
+    patcher,
+    depHooks,
+    assess: {
+      dataflow: { tracker, eventFactory: { createPropagationEvent } }
+    }
+  } = core;
+  function createPostHook(eventName, objectValue) {
+    return function(data) {
+      const { args, result, hooked, orig } = data;
+      if (!result || !args[0] || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+      const argInfo = tracker.getData(args[0]);
+      if (!argInfo) return;
+      const resultInfo = tracker.getData(result);
+      const history = [argInfo];
+      const newTags = createFullLengthCopyTags(argInfo.tags, result.length);
+      newTags['sql-encoded'] = [0, result.length - 1];
+      const event = createPropagationEvent({
+        name: eventName,
+        object: {
+          value: objectValue,
+          isTracked: false
+        },
+        result: {
+          value: resultInfo ? resultInfo.value : result,
+          isTracked: true
+        },
+        args: [{ value: argInfo.value, isTracked: true }],
+        tags: newTags,
+        addedTags: ['sql-encoded'],
+        history,
+        stacktraceOpts: {
+          constructorOpt: hooked,
+          prependFrames: [orig]
+        },
+      });
+      if (!event) return;
+      if (resultInfo) {
+        Object.assign(resultInfo, event);
+      }
+      const { extern } = resultInfo || tracker.track(result, event);
+      if (extern) {
+        data.result = extern;
+      }
+    };
+  }
+  return core.assess.dataflow.propagation.mysqlEscape = {
+    install() {
+      ['mysql', 'mysql2'].forEach((lib) => {
+        depHooks.resolve({ name: lib }, (mysql, version) => {
+          patcher.patch(mysql, 'escape', {
+            name: `${lib}.escape`,
+            patchType,
+            post: createPostHook(`${lib}.escape`, `${createModuleLabel(lib, version)}`)
+          });
+        });
+      });
+      depHooks.resolve({ name: 'mysql', file: 'lib/Connection.js' }, (mysqlConnection, version) => {
+        patcher.patch(mysqlConnection.prototype, 'escape', {
+          name: 'mysql.Connection.prototype.escape',
+          patchType,
+          post: createPostHook('mysql/lib/Connection.escape', `[${createModuleLabel('mysql', version)}].Connection`)
+        });
+      });
+      depHooks.resolve({ name: 'mysql2', file: 'lib/connection.js' }, (mysqlConnection, version) => {
+        patcher.patch(mysqlConnection.prototype, 'escape', {
+          name: 'mysql.Connection.prototype.escape',
+          patchType,
+          post: createPostHook('mysql2/lib/connection.Connection.escape', `[${createModuleLabel('mysql2', version)}].Connection`)
+        });
+      });
+    },
+  };
+};

package/lib/dataflow/propagation/install/pug/index.js ADDED Viewed

@@ -0,0 +1,64 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { patchType } = require('../../common');
+module.exports = function(core) {
+  const store = { lock: true, name: 'assess:propagators:pug-compile' };
+  const {
+    scopes: { sources, instrumentation },
+    patcher, logger, rewriter, depHooks,
+  } = core;
+  const rewriterOpts = { isModule: false, wrap: false };
+  const pugInstrumentation = {
+    install() {
+      depHooks.resolve(
+        { name: 'pug', file: 'lib/index.js' },
+        (pug) => patcher.patch(pug, 'compile', {
+          name: 'pug.compile',
+          patchType,
+          pre(data) {
+            if (!sources.getStore()?.assess || instrumentation.isLocked()) return;
+            const opts = data.args[1] || {};
+            const plugins = opts.plugins || [];
+            plugins.push({
+              postCodeGen: (value, options) => {
+                try {
+                  return instrumentation.run(store,
+                    () => rewriter.rewrite(value, rewriterOpts).code
+                  );
+                } catch (e) {
+                  logger.warn(`Failed to rewrite pug code. ${e}`);
+                  return value;
+                }
+              }
+            });
+            opts.plugins = plugins;
+            data.args[1] = opts;
+          },
+        })
+      );
+    }
+  };
+  core.assess.dataflow.propagation.pugInstrumentation = pugInstrumentation;
+  return core.assess.dataflow.propagation.pugInstrumentation;
+};

package/lib/dataflow/propagation/install/pug-runtime-escape.js ADDED Viewed

@@ -0,0 +1,89 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const {
+  createFullLengthCopyTags
+} = require('../../tag-utils');
+const { patchType, createModuleLabel } = require('../common');
+module.exports = function(core) {
+  const {
+    scopes: { sources, instrumentation },
+    patcher,
+    depHooks,
+    assess: {
+      dataflow: { tracker, eventFactory: { createPropagationEvent } }
+    }
+  } = core;
+  return core.assess.dataflow.propagation.pugRuntimeEscape = {
+    install() {
+      depHooks.resolve({ name: 'pug-runtime' }, (pugRuntime, version) => {
+        patcher.patch(pugRuntime, 'escape', {
+          name: 'pug-runtime.escape',
+          patchType,
+          post(data) {
+            const { args, result, hooked, orig } = data;
+            if (!result || !args[0] || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+            const argInfo = tracker.getData(args[0]);
+            if (!argInfo) return;
+            const resultInfo = tracker.getData(result);
+            const history = [argInfo];
+            const newTags = createFullLengthCopyTags(argInfo.tags, result.length);
+            newTags['weak-url-encoded'] = [0, result.length - 1];
+            const event = createPropagationEvent({
+              name: 'pug-runtime.escape',
+              object: {
+                value: createModuleLabel('pug-runtime', version),
+                isTracked: false
+              },
+              result: {
+                value: resultInfo ? resultInfo.value : result,
+                isTracked: true
+              },
+              args: [{ value: argInfo.value, isTracked: true }],
+              tags: newTags,
+              addedTags: ['weak-url-encoded'],
+              history,
+              stacktraceOpts: {
+                constructorOpt: hooked,
+                prependFrames: [orig]
+              },
+            });
+            if (!event) return;
+            if (resultInfo) {
+              Object.assign(resultInfo, event);
+            }
+            const { extern } = resultInfo || tracker.track(result, event);
+            if (extern) {
+              data.result = extern;
+            }
+          }
+        });
+      });
+    },
+  };
+};

package/lib/dataflow/propagation/install/sql-template-strings.js ADDED Viewed

@@ -0,0 +1,103 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { patchType, createModuleLabel } = require('../common');
+module.exports = function(core) {
+  const {
+    scopes: { sources, instrumentation },
+    patcher,
+    depHooks,
+    assess: {
+      dataflow: { tracker, eventFactory: { createPropagationEvent } }
+    }
+  } = core;
+  return core.assess.dataflow.propagation.sqlTemplateStrings = {
+    install() {
+      depHooks.resolve({ name: 'sql-template-strings' }, (sqlTemplateStrings, version) => {
+        patcher.patch(sqlTemplateStrings, 'SQL', {
+          name: 'sql-template-strings.SQL',
+          patchType,
+          post(data) {
+            const { args, result, hooked, orig } = data;
+            if (!result || !args[0] || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+            const argInfo = tracker.getData(args[0]);
+            if (!argInfo) return;
+            const isResultStringsArray = Array.isArray(result.strings);
+            const resultStrings = isResultStringsArray ? result.strings : [result.strings];
+            [...resultStrings, ...result.values].forEach((resultValue, idx) => {
+              const resultInfo = tracker.getData(resultValue);
+              if (!resultInfo) return;
+              const history = [argInfo];
+              // const newTags = createFullLengthCopyTags(argInfo.tags, resultValue.length);
+              const newTags = { ...resultInfo.tags };
+              newTags['sql-encoded'] = [0, resultValue.length - 1];
+              const event = createPropagationEvent({
+                name: 'sql-template-strings.SQL',
+                object: {
+                  value: createModuleLabel('sql-template-strings', version),
+                  isTracked: false
+                },
+                result: {
+                  value: resultInfo ? resultInfo.value : resultValue,
+                  isTracked: true
+                },
+                args: [{ value: argInfo.value, isTracked: true }],
+                tags: newTags,
+                addedTags: ['sql-encoded'],
+                history,
+                stacktraceOpts: {
+                  constructorOpt: hooked,
+                  prependFrames: [orig]
+                },
+              });
+              if (!event) return;
+              if (resultInfo) {
+                Object.assign(resultInfo, event);
+              }
+              const { extern } = resultInfo || tracker.track(resultValue, event);
+              if (extern) {
+                if (idx === 0 && !isResultStringsArray) {
+                  data.result.strings = extern;
+                }
+                if (idx < resultStrings.length && isResultStringsArray) {
+                  data.result.strings[idx] = extern;
+                }
+                if (idx >= resultStrings.length) {
+                  data.result.values[idx - resultStrings.length] = extern;
+                }
+              }
+            });
+          }
+        });
+      });
+    },
+  };
+};

package/lib/dataflow/propagation/install/string/concat.js ADDED Viewed

@@ -0,0 +1,108 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const {
+  createAppendTags
+} = require('../../../tag-utils');
+const { patchType } = require('../../common');
+module.exports = function(core) {
+  const {
+    scopes: { sources, instrumentation },
+    patcher,
+    assess: {
+      dataflow: { tracker, eventFactory: { createPropagationEvent } }
+    }
+  } = core;
+  return core.assess.dataflow.propagation.stringInstrumentation.concat = {
+    install() {
+      patcher.patch(String.prototype, 'concat', {
+        name: 'String.prototype.concat',
+        patchType,
+        post(data) {
+          const { args, obj, result, hooked, orig } = data;
+          if (!result || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+          const rInfo = tracker.getData(result);
+          if (rInfo) {
+            // this may happen w/ trackedStr.concat('') => trackedStr
+            return;
+          }
+          const argsData = [];
+          const objInfo = tracker.getData(obj);
+          const history = objInfo ? new Set([objInfo]) : new Set();
+          const newTags = { ...objInfo?.tags };
+          let globalOffset = typeof obj !== 'function' ? obj.length : 0;
+          for (const str of args) {
+            const strInfo = tracker.getData(str);
+            if (strInfo) {
+              const strTags = strInfo?.tags || {};
+              history.add(strInfo);
+              Object.assign(newTags, createAppendTags(newTags, strTags, globalOffset));
+            }
+            argsData.push({
+              value: strInfo?.value ?? str,
+              isTracked: !!strInfo
+            });
+            globalOffset += str.length;
+          }
+          if (history.size) {
+            const event = createPropagationEvent({
+              name: 'String.prototype.concat',
+              object: {
+                value: objInfo?.value || String(obj),
+                isTracked: !!objInfo
+              },
+              result: {
+                value: result,
+                isTracked: true
+              },
+              args: argsData,
+              tags: newTags,
+              history: Array.from(history),
+              source: objInfo ? (history.size > 1 ? 'A' : 'O') : 'P',
+              target: 'R',
+              stacktraceOpts: {
+                constructorOpt: hooked,
+                prependFrames: [orig]
+              },
+            });
+            if (!event) return;
+            const { extern } = tracker.track(result, event);
+            if (extern) {
+              data.result = extern;
+            }
+          }
+        },
+      });
+    },
+    uninstall() {
+      String.prototype.concat = patcher.unwrap(String.prototype.concat);
+    },
+  };
+};

package/lib/dataflow/propagation/install/string/format-methods.js ADDED Viewed

@@ -0,0 +1,83 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { patchType } = require('../../common');
+module.exports = function(core) {
+  const {
+    scopes: { sources, instrumentation },
+    patcher,
+    assess: {
+      dataflow: { tracker, eventFactory: { createPropagationEvent } }
+    }
+  } = core;
+  return core.assess.dataflow.propagation.stringInstrumentation.formatMethods = {
+    install() {
+      ['toLowerCase', 'toUpperCase', 'toLocaleLowerCase', 'toLocaleUpperCase'].forEach((method) => {
+        patcher.patch(String.prototype, method, {
+          name: `String.prototype.${method}`,
+          patchType,
+          post(data) {
+            const { obj, result, hooked, orig } = data;
+            if (!result || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+            const objInfo = tracker.getData(obj);
+            if (!objInfo) return;
+            const history = [objInfo];
+            const event = createPropagationEvent({
+              name: `String.prototype.${method}`,
+              object: {
+                value: objInfo.value,
+                isTracked: true
+              },
+              result: {
+                value: result,
+                isTracked: true
+              },
+              args: [],
+              tags: objInfo.tags,
+              history,
+              source: 'O',
+              target: 'R',
+              stacktraceOpts: {
+                constructorOpt: hooked,
+                prependFrames: [orig]
+              },
+            });
+            if (!event) return;
+            const { extern } = tracker.track(result, event);
+            if (extern) {
+              data.result = extern;
+            }
+          }
+        });
+      });
+    },
+    uninstall() {
+      ['toLowerCase', 'toUpperCase', 'toLocaleLowerCase', 'toLocaleUpperCase'].forEach((method) => {
+        String.prototype[method] = patcher.unwrap(String.prototype[method]);
+      });
+    },
+  };
+};