npm - @contrast/assess - Versions diffs - 1.1.0 - Mend

@contrast/assess 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (111) hide show

package/lib/dataflow/propagation/install/string/html-methods.js ADDED Viewed

@@ -0,0 +1,163 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const {
+  createAppendTags
+} = require('../../../tag-utils');
+const { patchType } = require('../../common');
+const htmlTagsLengths = {
+  anchor: 11,
+  big: 5,
+  blink: 7,
+  italics: 3,
+  small: 7,
+  strike: 8,
+  sub: 5,
+  fixed: 4
+};
+module.exports = function(core) {
+  const {
+    scopes: { sources, instrumentation },
+    patcher,
+    assess: {
+      dataflow: { tracker, eventFactory: { createPropagationEvent } }
+    }
+  } = core;
+  function adjustTags(method, objTags, argLength, argTags = null) {
+    let offset;
+    if (method === 'anchor') {
+      let newArgTags = {};
+      offset = htmlTagsLengths[method] + argLength;
+      if (argTags) {
+        newArgTags = createAppendTags({}, argTags, 9);
+      }
+      return createAppendTags(newArgTags, objTags, offset);
+    }
+    offset = htmlTagsLengths[method];
+    return createAppendTags({}, objTags, offset);
+  }
+  return core.assess.dataflow.propagation.stringInstrumentation.htmlMethods = {
+    install() {
+      patcher.patch(String.prototype, 'anchor', {
+        name: 'String.prototype.anchor',
+        patchType,
+        post(data) {
+          const { args, obj, result, hooked, orig } = data;
+          if (!result || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+          const objInfo = tracker.getData(obj);
+          const history = objInfo ? new Set([objInfo]) : new Set();
+          const arg = args[0]?.toString();
+          const argInfo = arg && tracker.getData(arg);
+          if (argInfo) {
+            history.add(argInfo);
+          }
+          if (history.size) {
+            const event = createPropagationEvent({
+              name: 'String.prototype.anchor',
+              object: {
+                value: objInfo?.value || String(obj),
+                isTracked: !!objInfo
+              },
+              result: {
+                value: result,
+                isTracked: true
+              },
+              args: [
+                { value: arg, isTracked: !!argInfo }
+              ],
+              tags: adjustTags('anchor', objInfo?.tags, `${arg}`.length, argInfo?.tags),
+              history: Array.from(history),
+              source: objInfo ? (history.size > 1 ? 'A' : 'O') : 'P',
+              target: 'R',
+              stacktraceOpts: {
+                constructorOpt: hooked,
+                prependFrames: [orig]
+              },
+            });
+            if (!event) return;
+            const { extern } = tracker.track(result, event);
+            if (extern) {
+              data.result = extern;
+            }
+          }
+        },
+      });
+      ['big', 'blink', 'italics', 'small', 'strike', 'sub', 'fixed'].forEach((method) => {
+        patcher.patch(String.prototype, method, {
+          name: `String.prototype.${method}`,
+          patchType,
+          post(data) {
+            const { obj, result, hooked, orig } = data;
+            if (!result || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+            const objInfo = tracker.getData(obj);
+            if (!objInfo) return;
+            const history = [objInfo];
+            const event = createPropagationEvent({
+              name: `String.prototype.${method}`,
+              object: {
+                value: objInfo.value,
+                isTracked: true
+              },
+              result: {
+                value: result,
+                isTracked: true
+              },
+              args: [],
+              tags: adjustTags(method, objInfo.tags),
+              history,
+              source: 'O',
+              target: 'R',
+              stacktraceOpts: {
+                constructorOpt: hooked,
+                prependFrames: [orig]
+              },
+            });
+            if (!event) return;
+            const { extern } = tracker.track(result, event);
+            if (extern) {
+              data.result = extern;
+            }
+          }
+        });
+      });
+    },
+    uninstall() {
+      ['anchor', 'big', 'blink', 'italics', 'small', 'strike', 'sub', 'fixed'].forEach((method) => {
+        String.prototype[method] = patcher.unwrap(String.prototype[method]);
+      });
+    },
+  };
+};

package/lib/dataflow/propagation/install/string/index.js ADDED Viewed

@@ -0,0 +1,38 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { callChildComponentMethodsSync } = require('@contrast/common');
+module.exports = function(core) {
+  const stringInstrumentation = core.assess.dataflow.propagation.stringInstrumentation = {
+    install() {
+      callChildComponentMethodsSync(stringInstrumentation, 'install');
+    },
+    uninstall() {
+      callChildComponentMethodsSync(stringInstrumentation, 'uninstall');
+    }
+  };
+  require('./concat')(core);
+  require('./replace')(core);
+  require('./substring')(core);
+  require('./trim')(core);
+  require('./html-methods')(core);
+  require('./format-methods')(core);
+  return stringInstrumentation;
+};

package/lib/dataflow/propagation/install/string/replace.js ADDED Viewed

@@ -0,0 +1,197 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { patchType } = require('../../common');
+const { createSubsetTags, createAppendTags } = require('../../../tag-utils');
+module.exports = function(core) {
+  const {
+    patcher,
+    assess: {
+      dataflow: { tracker, eventFactory: { createPropagationEvent } }
+    },
+    scopes: { sources, instrumentation }
+  } = core;
+  function parseArgs(args) {
+    // [match, p1, p2, ..., matchIdx, str, ?groups]
+    const match = args[0];
+    const len = args.length;
+    const lastEl = args[len - 1];
+    const hasNamedGroup = typeof lastEl === 'object';
+    const captureGroups = args.slice(1, hasNamedGroup ? -3 : -2);
+    const matchIdx = args[hasNamedGroup ? len - 3 : len - 2];
+    const str = hasNamedGroup ? args[len - 2] : lastEl;
+    const namedGroups = hasNamedGroup ? lastEl : null;
+    return { match, captureGroups, matchIdx, str, namedGroups };
+  }
+  function replaceSpecialCharacters(replacement, { captureGroups, match, str, namedGroups }) {
+    const origReplace = patcher.unwrap(String.prototype.replace);
+    let ret = replacement;
+    [
+      {
+        regex: /\$\$/g,
+        replace: '$'
+      },
+      {
+        regex: /\$&/g,
+        replace: match
+      },
+      {
+        regex: /\$`/g,
+        replace: str.substring(0, str.indexOf(match))
+      },
+      {
+        regex: /\$'/g,
+        replace: str.substring(str.indexOf(match) + match.length, str.length)
+      }
+    ].forEach(({ regex, replace }) => {
+      if (ret && ret.match(regex)) {
+        // If the match string is tracked, we can actually use the patched replace
+        // to keep track of its tag ranges
+        if (tracker.getData(replace)) {
+          ret = ret.replace(regex, replace);
+        } else {
+          ret = origReplace.call(ret, regex, replace);
+        }
+      }
+    });
+    const numberedGroupMatches = replacement.match(/\$[1-9][0-9]|\$[1-9]/g);
+    if (numberedGroupMatches) {
+      numberedGroupMatches.forEach((numberedGroup) => {
+        const group = Number(numberedGroup.substring(1));
+        ret = origReplace.call(ret, numberedGroup, captureGroups[group - 1]);
+      });
+    }
+    if (namedGroups) {
+      for (const name in namedGroups) {
+        ret = origReplace.call(ret, `$${name}`, namedGroups[name]);
+      }
+    }
+    return ret;
+  }
+  function getReplacementInfo(data, replacerArgs, parsedArgs) {
+    let replacement = data._replacementType === 'function' ?
+      data._replacement.call(global, ...replacerArgs) :
+      data._replacement;
+    replacement = replaceSpecialCharacters(String(replacement), parsedArgs);
+    data._replacementInfo = tracker.getData(replacement);
+    if (data._replacement) {
+      data._history.add(data._replacementInfo);
+    }
+    return { replacement, replacementInfo: data._replacementInfo };
+  }
+  function getReplacer(data) {
+    return function replacer(...args) {
+      const parsedArgs = parseArgs(args);
+      const { match, matchIdx, str } = parsedArgs;
+      const { _accumOffset, _accumTags } = data;
+      const { replacement, replacementInfo } = getReplacementInfo(data, args, parsedArgs);
+      const preTags = createSubsetTags(_accumTags, 0, _accumOffset + matchIdx - 1);
+      const postTags = createSubsetTags(_accumTags, _accumOffset + matchIdx + match.length, str.length - matchIdx - match.length);
+      data._accumOffset += (replacement.length - match.length);
+      if (preTags || postTags || replacementInfo) {
+        data._accumTags = createAppendTags(
+          createAppendTags(preTags, replacementInfo?.tags, _accumOffset + matchIdx),
+          postTags,
+          data._accumOffset + matchIdx + match.length
+        );
+      } else {
+        data._accumTags = {};
+      }
+      return replacement;
+    };
+  }
+  return core.assess.dataflow.propagation.stringInstrumentation.replace = {
+    install() {
+      patcher.patch(String.prototype, 'replace', {
+        name: 'String.prototype.replace',
+        patchType,
+        pre(data) {
+          if (!sources.getStore()?.assess || instrumentation.isLocked()) return;
+          // setup state
+          data._objInfo = tracker.getData(data.obj);
+          data._replacement = data.args[1];
+          data._replacementType = typeof data._replacement;
+          data._history = data._objInfo ? new Set([data._objInfo]) : new Set();
+          data._accumTags = data._objInfo?.tags || {};
+          data._accumOffset = 0;
+          data.args[1] = getReplacer(data);
+        },
+        post(data) {
+          if (
+            !sources.getStore()?.assess ||
+            instrumentation.isLocked() ||
+            !data.result ||
+            !data._accumTags?.untrusted
+          ) return;
+          const { _replacementInfo, obj, args, result, hooked, orig } = data;
+          const event = createPropagationEvent({
+            name: 'String.prototype.replace',
+            history: Array.from(data._history),
+            object: {
+              value: obj,
+              isTracked: !!data._objInfo
+            },
+            args: [{
+              value: args[0].toString(),
+              isTracked: !!tracker.getData(args[0])
+            },
+            {
+              value: data._replacement,
+              isTracked: !!_replacementInfo
+            }],
+            result: {
+              value: result,
+              isTracked: true
+            },
+            tags: data._accumTags,
+            stacktraceOpts: {
+              constructorOpt: hooked,
+              prependFrames: [orig]
+            },
+            source: data._objInfo ? (data._history.size > 1 ? 'A' : 'O') : 'P',
+            target: 'R',
+          });
+          if (event) {
+            const { extern } = tracker.track(result, event);
+            if (extern) {
+              data.result = extern;
+            }
+          }
+        }
+      });
+    },
+    uninstall() {
+      String.prototype.replace = patcher.unwrap(String.prototype.replace);
+    }
+  };
+};

package/lib/dataflow/propagation/install/string/substring.js ADDED Viewed

@@ -0,0 +1,117 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { createSubsetTags } = require('../../../tag-utils');
+const { patchType } = require('../../common');
+module.exports = function(core) {
+  const {
+    scopes: { sources, instrumentation },
+    patcher,
+    assess: {
+      dataflow: { tracker, eventFactory: { createPropagationEvent } }
+    }
+  } = core;
+  function calculateSubsetRangeForSubstr({ args, result }) {
+    const startIdx = args[0] || 0;
+    const subsetLen = args[1] === undefined ? result.length - startIdx - 1 : args[1] - 1;
+    return {
+      startIdx,
+      subsetLen
+    };
+  }
+  function calculateSubsetRangeForSubstring({ obj, args }) {
+    const hasSingleArg = args[1] === undefined;
+    const startIdx = hasSingleArg ? args[0] : Math.min(...args);
+    const subsetLen = (hasSingleArg ? obj.length - args[0] : Math.abs(args[1] - args[0])) - 1;
+    return {
+      startIdx,
+      subsetLen
+    };
+  }
+  const calculateSubsetRange = {
+    substr: calculateSubsetRangeForSubstr,
+    substring: calculateSubsetRangeForSubstring
+  };
+  return core.assess.dataflow.propagation.stringInstrumentation.substring = {
+    install() {
+      ['substr', 'substring'].forEach((method) => {
+        patcher.patch(String.prototype, method, {
+          name: `String.prototype.${method}`,
+          patchType,
+          post(data) {
+            const { obj, args, result, name, hooked, orig } = data;
+            if (!result || !sources.getStore() || instrumentation.isLocked()) return;
+            const objInfo = tracker.getData(obj);
+            if (!objInfo) return;
+            const rInfo = tracker.getData(result);
+            if (rInfo) {
+              // this may happen w/ trackedStr.substring(0) => trackedStr
+              return;
+            }
+            const { startIdx, subsetLen } = calculateSubsetRange[method](data);
+            const tags = createSubsetTags(objInfo.tags, startIdx, subsetLen);
+            if (!tags) return;
+            const event = createPropagationEvent({
+              name,
+              history: [objInfo],
+              object: {
+                value: obj,
+                isTracked: true,
+              },
+              args: args.map((arg) => ({
+                value: arg.toString(),
+                isTracked: false
+              })),
+              result: {
+                value: result,
+                isTracked: true
+              },
+              tags,
+              stacktraceOpts: {
+                constructorOpt: hooked,
+                prependFrames: [orig]
+              }
+            });
+            const { extern } = tracker.track(result, event);
+            if (extern) {
+              data.result = extern;
+            }
+          },
+        });
+      });
+    },
+    uninstall() {
+      String.prototype.substr = patcher.unwrap(String.prototype.substr);
+      String.prototype.substring = patcher.unwrap(String.prototype.substring);
+    },
+  };
+};

package/lib/dataflow/propagation/install/string/trim.js ADDED Viewed

@@ -0,0 +1,115 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const {
+  createSubsetTags,
+} = require('../../../tag-utils');
+const { patchType } = require('../../common');
+module.exports = function(core) {
+  const {
+    scopes: { sources, instrumentation },
+    patcher,
+    assess: {
+      dataflow: { tracker, eventFactory: { createPropagationEvent } }
+    }
+  } = core;
+  function createPostHook(methodName, presetStart) {
+    return function(data) {
+      const { obj, result, hooked, orig } = data;
+      if (!result?.length || !sources.getStore()?.assess || instrumentation.isLocked()) {
+        return;
+      }
+      const rInfo = tracker.getData(result);
+      if (rInfo) {
+        // this may happen w/ 'trackedStr'.trim() => 'trackedStr'
+        return;
+      }
+      const objInfo = tracker.getData(obj);
+      if (!objInfo) {
+        return;
+      }
+      const history = [objInfo];
+      const start = presetStart || obj.indexOf(result);
+      const newTags = {};
+      const objTags = objInfo.tags || {};
+      Object.assign(newTags, createSubsetTags(objTags, start, result.length - 1));
+      if (!newTags.untrusted) {
+        return;
+      }
+      const event = createPropagationEvent({
+        name: `String.prototype.${methodName}`,
+        history,
+        object: {
+          value: obj,
+          isTracked: true
+        },
+        result: {
+          value: result,
+          isTracked: true
+        },
+        tags: newTags,
+        stacktraceOpts: {
+          constructorOpt: hooked,
+          prependFrames: [orig]
+        },
+        source: 'O',
+        target: 'R'
+      });
+      const { extern } = tracker.track(result, event);
+      if (extern) {
+        data.result = extern;
+      }
+    };
+  }
+  return core.assess.dataflow.propagation.stringInstrumentation.trim = {
+    install() {
+      patcher.patch(String.prototype, 'trim', {
+        name: 'String.prototype.trim',
+        patchType,
+        post: createPostHook('trim'),
+      });
+      patcher.patch(String.prototype, 'trimStart', {
+        name: 'String.prototype.trimStart',
+        patchType,
+        post: createPostHook('trimStart')
+      });
+      patcher.patch(String.prototype, 'trimEnd', {
+        name: 'String.prototype.trimEnd',
+        patchType,
+        post: createPostHook('trimEnd', 0),
+      });
+    },
+    uninstall() {
+      String.prototype.trim = patcher.unwrap(String.prototype.trim);
+      String.prototype.trimStart = patcher.unwrap(String.prototype.trimStart);
+      String.prototype.trimEnd = patcher.unwrap(String.prototype.trimEnd);
+    },
+  };
+};