@contrast/assess 1.1.0

package/lib/dataflow/propagation/install/unescape.js

@@ -0,0 +1,90 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const {
+  createFullLengthCopyTags
+} = require('../../tag-utils');
+const { patchType, createObjectLabel } = require('../common');
+
+module.exports = function(core) {
+  const {
+    scopes: { sources, instrumentation },
+    patcher,
+    assess: {
+      dataflow: { tracker, eventFactory: { createPropagationEvent } }
+    }
+  } = core;
+
+  return core.assess.dataflow.propagation.unescape = {
+    install() {
+      patcher.patch(global, 'unescape', {
+        name: 'global.unescape',
+        patchType,
+        post(data) {
+          const { args, result, hooked, orig } = data;
+          if (!result || !args[0] || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+
+          const argInfo = tracker.getData(args[0]);
+
+          if (!argInfo) return;
+
+          const resultInfo = tracker.getData(result);
+          const history = [argInfo];
+          const newTags = createFullLengthCopyTags(argInfo.tags, result.length);
+          delete newTags['weak-url-encoded'];
+
+          if (!Object.keys(newTags).length) return;
+
+          const event = createPropagationEvent({
+            name: 'global.unescape',
+            object: {
+              value: createObjectLabel('global'),
+              isTracked: false
+            },
+            result: {
+              value: resultInfo ? resultInfo.value : result,
+              isTracked: true
+            },
+            args: [{ value: argInfo.value, isTracked: true }],
+            tags: newTags,
+            history,
+            removedTags: ['weak-url-encoded'],
+            stacktraceOpts: {
+              constructorOpt: hooked,
+              prependFrames: [orig]
+            },
+          });
+
+          if (!event) return;
+
+          if (resultInfo) {
+            Object.assign(resultInfo, event);
+          }
+
+          const { extern } = tracker.track(result, event);
+
+          if (extern) {
+            data.result = extern;
+          }
+        }
+      });
+    },
+    uninstall() {
+      global.unescape = patcher.unwrap(global.unescape);
+    },
+  };
+};

package/lib/dataflow/propagation/install/url/domain-parsers.js

@@ -0,0 +1,89 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const {
+  createFullLengthCopyTags
+} = require('../../../tag-utils');
+const { patchType, createModuleLabel } = require('../../common');
+
+module.exports = function(core) {
+  const {
+    scopes: { sources, instrumentation },
+    patcher,
+    depHooks,
+    assess: {
+      dataflow: { tracker, eventFactory: { createPropagationEvent } }
+    }
+  } = core;
+
+  return core.assess.dataflow.propagation.urlInstrumentation.domainParsers = {
+    install() {
+      depHooks.resolve({ name: 'url' }, (url, version) => {
+        ['domainToASCII', 'domainToUnicode'].forEach((method) => {
+          patcher.patch(url, method, {
+            name: `url.${method}`,
+            patchType,
+            post(data) {
+              const { args, result, hooked, orig } = data;
+              if (!result || !args[0] || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+
+              const argInfo = tracker.getData(args[0]);
+
+              if (!argInfo) return;
+
+              const resultInfo = tracker.getData(result);
+              const history = [argInfo];
+
+              const event = createPropagationEvent({
+                name: `url.${method}`,
+                object: {
+                  value: createModuleLabel('url', version),
+                  isTracked: false
+                },
+                result: {
+                  value: resultInfo ? resultInfo.value : result,
+                  isTracked: true
+                },
+                args: [{ value: argInfo.value, isTracked: true }],
+                tags: createFullLengthCopyTags(argInfo.tags, result.length) || [],
+                history,
+                source: 'P',
+                target: 'R',
+                stacktraceOpts: {
+                  constructorOpt: hooked,
+                  prependFrames: [orig]
+                },
+              });
+
+              if (!event) return;
+
+              if (resultInfo) {
+                Object.assign(resultInfo, event);
+              }
+
+              const { extern } = resultInfo || tracker.track(result, event);
+
+              if (extern) {
+                data.result = extern;
+              }
+            }
+          });
+        });
+      });
+    },
+  };
+};

package/lib/dataflow/propagation/install/url/index.js

@@ -0,0 +1,33 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { callChildComponentMethodsSync } = require('@contrast/common');
+
+module.exports = function(core) {
+  const urlInstrumentation = core.assess.dataflow.propagation.urlInstrumentation = {
+    install() {
+      callChildComponentMethodsSync(urlInstrumentation, 'install');
+    },
+    uninstall() {
+      callChildComponentMethodsSync(urlInstrumentation, 'uninstall');
+    }
+  };
+
+  require('./domain-parsers')(core);
+
+  return urlInstrumentation;
+};

package/lib/dataflow/propagation/install/validator/hooks.js

@@ -0,0 +1,172 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+const { validators, untrackers, sanitizers, custom } = require('./methods');
+const { patchType } = require('../../common');
+
+module.exports = function(core) {
+
+  const {
+    depHooks,
+    patcher,
+    assess: {
+      dataflow: { tracker, eventFactory: { createPropagationEvent } }
+    }
+  } = core;
+
+  function createValidatorPropagationEvent(method, data, trackingData, newTags, target) {
+    return createPropagationEvent({
+      name: `validator.${method}`,
+      history: [{ ...trackingData }],
+      args: [{
+        value: data.args[0],
+        isTracked: true
+      }],
+      result: {
+        value: data.result,
+        isTracked: !!tracker.getData(data.result)
+      },
+      tags: {
+        ...trackingData.tags,
+        ...newTags
+      },
+      stacktraceData: {
+        constructorOpt: data.hooked,
+        prependFrames: [data.orig]
+      },
+      source: 'P1',
+      target
+    });
+  }
+
+  return {
+    install() {
+      for (const validator in validators) {
+        depHooks.resolve(
+          { name: 'validator', file: `lib/${validator}` },
+          (index) => {
+            const patchFn = typeof index === 'object' ? index.default : index;
+            return patcher.patch(patchFn, {
+              name: `validator.${validator}`,
+              patchType,
+              post(data) {
+                const matches = validator === 'matches';
+                if (
+                  data.result &&
+                  (!matches || (matches && core.config.assess.trust_custom_validators))
+                ) {
+                  const trackingData = tracker.getData(data.args[0]);
+                  if (trackingData) {
+                    const newTags = {};
+                    const tagName = validators[validator];
+                    newTags[tagName] = [0, data.args[0].length - 1];
+                    const event = createValidatorPropagationEvent(
+                      validator,
+                      data,
+                      trackingData,
+                      newTags,
+                      'P'
+                    );
+                    if (event) {
+                      Object.assign(trackingData, event);
+                    }
+                  }
+                }
+              }
+            });
+          });
+      }
+
+      untrackers.forEach((untracker) => {
+        depHooks.resolve(
+          { name: 'validator', file: `lib/${untracker}` },
+          (index) => patcher.patch(index.default, {
+            name: `validator.${untracker}`,
+            patchType,
+            post(data) {
+              if (data.result) {
+                const trackingData = tracker.getData(data.args[0]);
+                if (trackingData) {
+                  tracker.untrack(data.args[0]);
+                }
+              }
+            }
+          }));
+      });
+
+      for (const sanitizer in sanitizers) {
+        depHooks.resolve(
+          { name: 'validator', file: `lib/${sanitizer}` },
+          (index) => patcher.patch(index.default, {
+            name: `validator.${sanitizer}`,
+            patchType,
+            post(data) {
+              const trackingData = tracker.getData(data.args[0]);
+              if (trackingData) {
+                const newTags = {};
+                const tagName = sanitizers[sanitizer];
+                newTags[tagName] = [0, data.result.length - 1];
+                const event = createValidatorPropagationEvent(
+                  sanitizer,
+                  data,
+                  trackingData,
+                  newTags,
+                  'R'
+                );
+                let resultTracked = tracker.getData(data.result);
+                if (!resultTracked) {
+                  resultTracked = tracker.track(data.result, event);
+                  if (resultTracked.extern) data.result = resultTracked.extern;
+                }
+                if (event) {
+                  Object.assign(resultTracked, event);
+                }
+              }
+            }
+          }));
+      }
+
+      for (const method in custom) {
+        depHooks.resolve(
+          { name: 'validator', file: `lib/${method}` },
+          (index) => patcher.patch(index.default, {
+            name: `validator.${method}`,
+            patchType,
+            post(data) {
+              const options = data.args[1];
+              const trackingData = tracker.getData(data.args[0]);
+
+              if (data.result && trackingData && !options?.allow_display_name && !options?.require_display_name) {
+                const newTags = {};
+                const tagName = custom[method];
+                newTags[tagName] = [0, data.args[0].length - 1];
+                const event = createValidatorPropagationEvent(
+                  method,
+                  data,
+                  trackingData,
+                  newTags,
+                  'P'
+                );
+                if (event) {
+                  Object.assign(trackingData, event);
+                }
+              }
+            }
+          }));
+      }
+    }
+  };
+};

package/lib/dataflow/propagation/install/validator/index.js

@@ -0,0 +1,28 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+module.exports = function(core) {
+  const validatorInstr = require('./hooks')(core);
+
+  const validatorInstrumentation = core.assess.dataflow.propagation.validatorInstrumentation = {
+    install() {
+      validatorInstr.install();
+    }
+  };
+
+  return validatorInstrumentation;
+};

package/lib/dataflow/propagation/install/validator/methods.js

@@ -0,0 +1,82 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+module.exports = {
+  validators: {
+    isAfter: 'alphanum-space-hyphen',
+    isAlpha: 'alphanum-space-hyphen',
+    isAlphanumeric: 'alphanum-space-hyphen',
+    isBase32: 'alphanum-space-hyphen',
+    isBase58: 'alphanum-space-hyphen',
+    isBase64: 'alphanum-space-hyphen',
+    isBefore: 'alphanum-space-hyphen',
+    isBIC: 'alphanum-space-hyphen',
+    isBoolean: 'limited-chars',
+    isBtcAddress: 'alphanum-space-hyphen',
+    isCreditCard: 'limited-chars',
+    isDate: 'limited-chars',
+    isDecimal: 'limited-chars',
+    isEAN: 'limited-chars',
+    isEthereumAddress: 'alphanum-space-hyphen',
+    isFloat: 'limited-chars',
+    isHash: 'alphanum-space-hyphen',
+    isHexadecimal: 'alphanum-space-hyphen',
+    isHexColor: 'alphanum-space-hyphen',
+    isHSL: 'alphanum-space-hyphen',
+    isIBAN: 'limited-chars',
+    isIdentityCard: 'alphanum-space-hyphen',
+    isIMEI: 'limited-chars',
+    isInt: 'limited-chars',
+    isIP: 'limited-chars',
+    isIPRange: 'limited-chars',
+    isISBN: 'limited-chars',
+    isISIN: 'limited-chars',
+    isISO8601: 'alphanum-space-hyphen',
+    isISO31661Alpha2: 'alphanum-space-hyphen',
+    isISO31661Alpha3: 'alphanum-space-hyphen',
+    isISRC: 'alphanum-space-hyphen',
+    isISSN: 'limited-chars',
+    isJWT: 'alphanum-space-hyphen',
+    isLatLong: 'limited-chars',
+    isLicensePlate: 'alphanum-space-hyphen',
+    isMACAddress: 'alphanum-space-hyphen',
+    isMagnetURI: 'alphanum-space-hyphen',
+    isMD5: 'alphanum-space-hyphen',
+    isMobilePhone: 'limited-chars',
+    isNumeric: 'limited-chars',
+    isOctal: 'alphanum-space-hyphen',
+    isPassportNumber: 'limited-chars',
+    isPostalCode: 'limited-chars',
+    isSemVer: 'limited-chars',
+    isTaxID: 'limited-chars',
+    isUUID: 'alphanum-space-hyphen',
+    isVAT: 'alphanum-space-hyphen',
+    matches: 'custom-validated'
+  },
+  untrackers: [
+    'equals',
+    'isIn',
+    'isMimeType',
+    'isRFC3339'
+  ],
+  sanitizers: {
+    escape: 'html-encoded'
+  },
+  custom: {
+    isEmail: 'limited-chars'
+  }
+};