npm - @contrast/assess - Versions diffs - 1.1.0 - Mend

@contrast/assess 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (111) hide show

package/lib/dataflow/sinks/common.js ADDED Viewed

@@ -0,0 +1,20 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+module.exports = {
+  patchType: 'assess-dataflow-sink'
+};

package/lib/dataflow/sinks/index.js ADDED Viewed

@@ -0,0 +1,44 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { callChildComponentMethodsSync, Event } = require('@contrast/common');
+const { isVulnerable } = require('../utils/is-vulnerable');
+const { isSafeContentType } = require('../utils/is-safe-content-type');
+module.exports = function (core) {
+  const {
+    messages
+  } = core;
+  const sinks = core.assess.dataflow.sinks = {
+    isVulnerable,
+    isSafeContentType,
+    reportFindings(data) {
+      messages.emit(Event.ASSESS_DATAFLOW_FINDING, data);
+    },
+  };
+  require('./install/http')(core);
+  require('./install/postgres')(core);
+  require('./install/fastify')(core);
+  sinks.install = function() {
+    callChildComponentMethodsSync(core.assess.dataflow.sinks, 'install');
+  };
+  return sinks;
+};

package/lib/dataflow/sinks/install/fastify/index.js ADDED Viewed

@@ -0,0 +1,30 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { callChildComponentMethodsSync } = require('@contrast/common');
+module.exports = function(core) {
+  const fastify = core.assess.dataflow.sinks.fastify = {};
+  require('./unvalidated-redirect')(core);
+  fastify.install = function() {
+    callChildComponentMethodsSync(fastify, 'install');
+  };
+  return fastify;
+};

package/lib/dataflow/sinks/install/fastify/unvalidated-redirect.js ADDED Viewed

@@ -0,0 +1,107 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { isString } = require('@contrast/common');
+const { createModuleLabel } = require('../../../propagation/common');
+const { patchType } = require('../../common');
+module.exports = function (core) {
+  const {
+    depHooks,
+    patcher,
+    scopes: { sources },
+    assess: {
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, reportFindings },
+        eventFactory: { createSinkEvent },
+      },
+    },
+  } = core;
+  const unvalidatedRedirect =
+    (core.assess.dataflow.sinks.fastify.unvalidatedRedirect = {});
+  const safeTags = [
+    'limited-chars',
+    'url-encoded',
+    'html-encoded',
+    'custom-validated',
+    'custom-encoded'
+  ];
+  const requiredTag = 'untrusted';
+  /**
+   * Patches `Reply.prototype.redirect` for
+   * `unvalidated-redirect` checking
+   *
+   * @param {Fastify.Reply} Reply outgoing response
+   */
+  const registerUnvalidatedRedirectHandler = (Reply, version) => {
+    patcher.patch(Reply.prototype, 'redirect', {
+      name: 'fastify.Reply.prototype.redirect',
+      patchType,
+      post(data) {
+        const assessStore = sources.getStore()?.assess;
+        if (!assessStore) return;
+        const [code] = data.args;
+        // url can be first or second argument
+        const url = typeof code === 'string' ? code : data.args[1];
+        if (!url || !isString(url)) return;
+        const strInfo = tracker.getData(url);
+        if (!strInfo) return;
+        if (isVulnerable(requiredTag, safeTags, strInfo.tags)) {
+          const event = createSinkEvent({
+            name: 'fastify.reply.redirect',
+            object: `[${createModuleLabel('fastify', version)}].Reply`,
+            history: [strInfo],
+            args: [{
+              value: strInfo.value,
+              isTracked: true
+            }],
+            result: {
+              value: url,
+              isTracked: true,
+            },
+            tags: strInfo.tags,
+            source: 'P0',
+            stacktraceOpts: {
+              constructorOpt: data.hooked,
+            },
+          });
+          reportFindings({
+            ruleId: 'unvalidated-redirect',
+            metadata: event,
+          });
+        }
+      },
+    });
+  };
+  unvalidatedRedirect.install = function () {
+    depHooks.resolve(
+      { name: 'fastify', file: 'lib/reply' },
+      registerUnvalidatedRedirectHandler
+    );
+  };
+  return unvalidatedRedirect;
+};

package/lib/dataflow/sinks/install/http.js ADDED Viewed

@@ -0,0 +1,119 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { Rule } = require('@contrast/common');
+const { createObjectLabel } = require('../../propagation/common');
+const { patchType } = require('../common');
+module.exports = function(core) {
+  const {
+    depHooks,
+    patcher,
+    scopes: { sources },
+    assess: {
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, reportFindings, isSafeContentType },
+        eventFactory: { createSinkEvent },
+      },
+    },
+  } = core;
+  const http = core.assess.dataflow.sinks.http = {};
+  const safeTags = [
+    'alphanum-space-hyphen',
+    'cookie',
+    'header',
+    'limited-chars',
+    'html-encoded',
+    'sql-encoded',
+    'url-encoded',
+    'weak-url-encoded',
+    'custom-validated',
+    'custom-encoded'
+  ];
+  const requiredTag = 'untrusted';
+  const preHook = (name) => (data) => {
+    const sourceContext = sources.getStore()?.assess;
+    if (!sourceContext) return;
+    const payload = data.args[0];
+    if (!payload) return;
+    const strInfo = tracker.getData(payload);
+    if (!strInfo) return;
+    const { contentType } = sourceContext.responseData;
+    if (contentType && isSafeContentType(contentType)) return;
+    if (isVulnerable(requiredTag, safeTags, strInfo.tags)) {
+      const event = createSinkEvent({
+        ruleId: Rule.REFLECTED_XSS,
+        name,
+        history: [strInfo],
+        object: {
+          isTracked: false,
+          value: createObjectLabel('http.ServerResponse')
+        },
+        args: [{
+          value: strInfo.value,
+          isTracked: true
+        }],
+        result: {
+          value: null,
+          isTracked: false,
+        },
+        tags: strInfo.tags,
+        source: 'P0',
+        stacktraceOpts: {
+          constructorOpt: data.hooked
+        }
+      });
+      if (event) {
+        reportFindings({
+          ruleId: 'reflected-xss',
+          metadata: event
+        });
+      }
+    }
+  };
+  http.install = function() {
+    depHooks.resolve({ name: 'http' }, (http) => {
+      {
+        const name = 'http.ServerResponse.prototype.write';
+        patcher.patch(http.ServerResponse.prototype, 'write', {
+          name,
+          patchType,
+          pre: preHook(name),
+        });
+      }
+      {
+        const name = 'http.ServerResponse.prototype.end';
+        patcher.patch(http.ServerResponse.prototype, 'end', {
+          name,
+          patchType,
+          pre: preHook(name),
+        });
+      }
+    });
+  };
+  return http;
+};

package/lib/dataflow/sinks/install/postgres/index.js ADDED Viewed

@@ -0,0 +1,129 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { isString } = require('@contrast/common');
+const { patchType } = require('../../common');
+const util = require('util');
+module.exports = function (core) {
+  const {
+    depHooks,
+    patcher,
+    scopes: { sources },
+    assess: {
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, reportFindings },
+        eventFactory: { createSinkEvent },
+      },
+    },
+  } = core;
+  const postgres = core.assess.dataflow.sinks.postgres = {};
+  const safeTags = [
+    'sql-encoded',
+    'limited-chars',
+    'custom-validated',
+    'custom-encoded',
+  ];
+  const requiredTag = 'untrusted';
+  const preHook = (methodSignature) => (data) => {
+    const assessStore = sources.getStore()?.assess;
+    if (!assessStore) return;
+    const query = data.args[0]?.text || data.args[0];
+    if (!query || !isString(query)) return;
+    const strInfo = tracker.getData(query);
+    if (!strInfo) return;
+    if (isVulnerable(requiredTag, safeTags, strInfo.tags)) {
+      const event = createSinkEvent({
+        name: methodSignature,
+        history: [strInfo],
+        args: [
+          {
+            value: util.inspect(data.args[0]),
+            isTracked: true,
+          },
+        ],
+        result: {
+          value: data.result,
+          isTracked: false,
+        },
+        tags: strInfo.tags,
+        source: 'P0',
+        stacktraceOpts: {
+          constructorOpt: data.hooked,
+        },
+      });
+      reportFindings({
+        ruleId: 'sql-injection',
+        metadata: event,
+      });
+    }
+  };
+  postgres.install = function () {
+    const pgClientQueryPatchName = 'pg.Client.prototype.query';
+    depHooks.resolve({ name: 'pg', file: 'lib/client.js' }, client => {
+      patcher.patch(client.prototype, 'query', {
+        name: pgClientQueryPatchName,
+        patchType,
+        pre: preHook('pg/lib/client.prototype.query'),
+      });
+    });
+    const pgNativeClientQueryPatchName = 'pg.native.Client.prototype.query';
+    depHooks.resolve({ name: 'pg', file: 'lib/native/client.js' }, (client) => {
+      patcher.patch(client.prototype, 'query', {
+        name: pgNativeClientQueryPatchName,
+        patchType,
+        pre: preHook('pg/lib/native/client.prototype.query'),
+      });
+    });
+    const pgClientPatchName = `${patchType}:${pgClientQueryPatchName}.query`;
+    const pgNativeClientPatchName = `${patchType}:${pgNativeClientQueryPatchName}.query`;
+    depHooks.resolve({ name: 'pg-pool' }, (pool) => {
+      const name = 'pg-pool.Pool.prototype.query';
+      patcher.patch(pool.prototype, 'query', {
+        name,
+        patchType,
+        pre: (data) => {
+          const funcKeys = patcher.hooks.get(
+            data.obj.Client?.prototype?.query
+          )?.funcKeys;
+          if (
+            funcKeys &&
+            (funcKeys.has(pgClientPatchName) || funcKeys.has(pgNativeClientPatchName))
+          ) {
+            return;
+          }
+          preHook(name)(data);
+        },
+      });
+    });
+  };
+  return postgres;
+};

package/lib/dataflow/sources/common.js ADDED Viewed

@@ -0,0 +1,20 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+module.exports = {
+  patchType: 'assess-dataflow-source',
+};

package/lib/dataflow/sources/handler.js ADDED Viewed

@@ -0,0 +1,114 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { isString, traverseValues } = require('@contrast/common');
+module.exports = function(core) {
+  const {
+    assess: {
+      dataflow: {
+        sources,
+        tracker,
+        eventFactory: { createSourceEvent }
+      }
+    },
+    createSnapshot,
+    config,
+    logger,
+  } = core;
+  const emptyStack = Object.freeze([]);
+  sources.createTags = function createTags({ inputType, key, value }) {
+    if (!value?.length) {
+      return null;
+    }
+    const stop = value.length - 1;
+    const tags = {
+      untrusted: [0, stop]
+    };
+    if (inputType === 'header' && key.toLowerCase() === 'referer') {
+      tags.header = [0, stop];
+    }
+    if (inputType === 'cookie') {
+      tags.cookie = [0, stop];
+    }
+    return tags;
+  };
+  sources.handle = function({
+    name,
+    inputType = 'unknown',
+    stacktraceOpts,
+    data,
+  }) {
+    if (!data) return;
+    const max = config.assess.max_context_source_events;
+    const sourceContext = core.scopes.sources.getStore()?.assess;
+    if (!sourceContext) {
+      core.logger.trace({ inputType, name }, 'skipping assess source handling - no request context');
+      return null;
+    }
+    // todo: NODE-2789
+    const stack = config.assess.stacktraces === 'NONE'
+      ? emptyStack
+      : createSnapshot(stacktraceOpts)();
+    traverseValues(data, (path, type, value, obj) => {
+      if (sourceContext.sourceEventsCount >= max) {
+        core.logger.trace({ inputType, name }, 'exiting assess source handling - %s max events exceeded', max);
+        return true;
+      }
+      if (isString(value) && value.length) {
+        const key = path[path.length - 1];
+        const pathName = path.join('.');
+        const event = createSourceEvent({
+          name,
+          pathName,
+          stack,
+          inputType,
+          tags: sources.createTags({ inputType, key, value }),
+          result: { tracked: true, value },
+        });
+        if (!event) {
+          core.logger.warn({ inputType, name, pathName, value }, 'unable to create source event');
+          return;
+        }
+        const { extern } = tracker.track(value, event);
+        if (extern) {
+          logger.trace({ extern, key, inputType }, 'tracked');
+          obj[key] = extern;
+          sourceContext.sourceEventsCount++;
+        }
+      }
+    });
+    return data;
+  };
+  return sources;
+};

package/lib/dataflow/sources/index.js ADDED Viewed

@@ -0,0 +1,35 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { callChildComponentMethodsSync } = require('@contrast/common');
+module.exports = function(core) {
+  const sources = core.assess.dataflow.sources = {};
+  // API
+  require('./handler')(core);
+  // installers
+  require('./install/http')(core);
+  require('./install/fastify')(core);
+  require('./install/qs')(core);
+  sources.install = function install() {
+    callChildComponentMethodsSync(sources, 'install');
+  };
+  return sources;
+};

package/lib/dataflow/sources/install/fastify/cookie.js ADDED Viewed

@@ -0,0 +1,61 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { InputType } = require('@contrast/common');
+const { patchType } = require('../../common');
+module.exports = function(core) {
+  const {
+    depHooks,
+    patcher,
+    assess: { dataflow: { sources } },
+  } = core;
+  const source = sources.fastifyInstrumentation.cookie = {
+    install() {
+      [
+        '@fastify/cookie',
+        'fastify-cookie'
+      ].forEach((moduleName) => {
+        depHooks.resolve({ name: moduleName }, (lib) => patcher.patch(lib, {
+          name: `${moduleName}.constructor`,
+          patchType,
+          post({ args: [server] }) {
+            const name = 'fastifyServer.parseCookie';
+            patcher.patch(server, 'parseCookie', {
+              name,
+              patchType,
+              post({ hooked, orig, result: cookies }) {
+                sources.handle({
+                  name,
+                  inputType: InputType.COOKIE_VALUE,
+                  stacktraceOpts: {
+                    constructorOpt: hooked,
+                    prependFrames: [orig]
+                  },
+                  data: cookies,
+                });
+              }
+            });
+          }
+        }));
+      });
+    }
+  };
+  return source;
+};