@contrast/assess 1.1.0

package/lib/dataflow/sources/install/fastify/fastify.js

@@ -0,0 +1,89 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { InputType } = require('@contrast/common');
+const { patchType } = require('../../common');
+
+module.exports = function(core) {
+  const {
+    logger,
+    depHooks,
+    patcher,
+    assess: { dataflow: { sources } },
+  } = core;
+
+  const source = sources.fastifyInstrumentation.fastify = {
+    install() {
+      depHooks.resolve({ name: 'fastify', version: '>=3.0.0' }, (fastify) => patcher.patch(fastify, {
+        name: 'fastify.constructor',
+        patchType,
+        post({ orig, result: server }) {
+          server.addHook('onRequest', function handler(request, reply, done) {
+            const name = 'fastify.onRequest';
+            const inputType = InputType.HEADER;
+
+            try {
+              sources.handle({
+                data: request.raw.headers,
+                inputType,
+                name,
+                stacktraceOpts: {
+                  constructorOpt: handler
+                }
+              });
+
+            } catch (err) {
+              logger.error({ err, inputType, name }, 'unable to handle fastify source');
+            }
+
+            done();
+          });
+
+          server.addHook('preValidation', function preValidationHandler(request, reply, done) {
+            const name = 'fastify.preValidation';
+            const bodyType = request?.headers?.['content-type']?.includes('/json')
+              ? InputType.JSON_VALUE
+              : InputType.PARAMETER_VALUE;
+
+            [
+              { key: 'query', inputType: InputType.PARAMETER_VALUE },
+              { key: 'params', inputType: InputType.URL_PARAMETER },
+              { key: 'body', inputType: bodyType }
+            ].forEach(({ key, inputType }) => {
+              try {
+                sources.handle({
+                  data: request[key],
+                  inputType,
+                  name,
+                  stacktraceOpts: {
+                    constructorOpt: preValidationHandler,
+                  }
+                });
+              } catch (err) {
+                logger.error({ err, inputType, name }, 'unable to handle fastify source');
+              }
+            });
+
+            done();
+          });
+        },
+      }));
+    }
+  };
+
+  return source;
+};

package/lib/dataflow/sources/install/fastify/index.js

@@ -0,0 +1,31 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { callChildComponentMethodsSync } = require('@contrast/common');
+
+module.exports = function(core) {
+  const sources = core.assess.dataflow.sources.fastifyInstrumentation = {};
+
+  require('./fastify')(core);
+  require('./cookie')(core);
+
+  sources.install = function install() {
+    callChildComponentMethodsSync(sources, 'install');
+  };
+
+  return sources;
+};

package/lib/dataflow/sources/install/http.js

@@ -0,0 +1,181 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+const { patchType } = require('../common');
+
+// This is only just initiating an async storage for the http source
+// TODO Tracking the user input
+module.exports = function(core) {
+  const {
+    scopes: { sources },
+    instrumentation: { instrument },
+    patcher,
+  } = core;
+
+  const logger = core.logger.child('contrast:assess');
+
+  /**
+   * The around hook for `emit` that
+   * invokes the protect service to do analysis when appropriate.
+   */
+  function around(next, data) {
+    const [type] = data.args;
+
+    if (type !== 'request') {
+      return next();
+    }
+
+    try {
+      const [, req, response] = data.args;
+      const store = sources.getStore();
+
+      if (!store) {
+        logger.debug('cannot acquire store for assess request handling');
+        return next();
+      }
+
+      patcher.patch(response, 'writeHead', {
+        name: 'write-head',
+        patchType,
+        pre(data) {
+          const obj = data.args[data.args.length - 1];
+          if (!obj) return;
+
+          if (Array.isArray(obj)) {
+            for (let i = 0; i < obj.length; i += 2) {
+              const key = obj[i];
+              const value = obj[i + 1];
+
+              if (key.toLowerCase() === 'content-type') {
+                store.assess.responseData.contentType = value;
+              }
+            }
+          } else if (typeof obj === 'object') {
+            for (const [key, value] of Object.entries(obj)) {
+              if (key.toLowerCase() === 'content-type') {
+                store.assess.responseData.contentType = value;
+              }
+            }
+          }
+        }
+      });
+
+      patcher.patch(response, 'setHeader', {
+        alwaysRun: true,
+        name: 'set-header',
+        patchType,
+        pre(data) {
+          const [name = '', value] = data.args;
+          if (name.toLowerCase() === 'content-type' && value) {
+            store.assess.responseData.contentType = value;
+          }
+        }
+      });
+
+      let uriPath, queries;
+      const ix = req.url.indexOf('?');
+
+      if (ix >= 0) {
+        uriPath = req.url.slice(0, ix);
+        queries = req.url.slice(ix + 1);
+      } else {
+        uriPath = req.url;
+        queries = '';
+      }
+
+      const headers = {};
+
+      for (let i = 0; i < req.rawHeaders.length; i += 2) {
+        const header = req.rawHeaders[i].toLowerCase();
+        headers[header] = req.rawHeaders[i + 1];
+      }
+
+      const contentType = headers['content-type']?.toLowerCase();
+      const reqData = {
+        ip: req.socket.remoteAddress,
+        httpVersion: req.httpVersion,
+        method: req.method,
+        headers,
+        uriPath,
+        queries,
+        contentType,
+      };
+
+      store.assess = {
+        reqData,
+        responseData: {},
+        sourceEventsCount: 0,
+        propagationEventsCount: 0,
+        findings: {},
+      };
+    } catch (err) {
+      logger.error({ err }, 'Error during assess request handling');
+    }
+
+    return next();
+  }
+
+  function install() {
+    [{
+      moduleName: 'http'
+    },
+    {
+      moduleName: 'https'
+    },
+    {
+      moduleName: 'spdy'
+    },
+    {
+      moduleName: 'http2',
+      patchObjectsProps: [
+        {
+          methods: ['createServer', 'createSecureServer'],
+          patchType,
+          patchObjects: [
+            {
+              name: 'Server.prototype',
+              methods: ['emit'],
+              patchType,
+              around
+            }
+          ]
+        }
+      ]
+    }].forEach(({ moduleName, patchObjectsProps }) => {
+      const patchObjects = patchObjectsProps || [
+        {
+          name: 'Server.prototype',
+          methods: ['emit'],
+          patchType,
+          around
+        }
+      ];
+      instrument({
+        moduleName,
+        patchObjects
+      });
+    });
+  }
+
+  function uninstall() {
+    return null;
+  }
+
+  return core.assess.dataflow.sources.httpSourcesInstr = {
+    install,
+    uninstall
+  };
+};

package/lib/dataflow/sources/install/qs.js

@@ -0,0 +1,88 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../common');
+
+module.exports = function(core) {
+  const {
+    createSnapshot,
+    patcher,
+    depHooks,
+    scopes,
+    assess: {
+      dataflow: { tracker, sources },
+    },
+    logger
+  } = core;
+
+  function makeCapturer(opts) {
+    const snapshot = createSnapshot(opts);
+    return function(obj) {
+      obj.stack = snapshot();
+      return obj;
+    };
+  }
+
+  const qsSourcesInstr = sources.qsSourcesInstr = {
+    install() {
+      depHooks.resolve({ name: 'qs' }, (qs) => {
+        patcher.patch(qs, 'parse', {
+          name: 'qs',
+          patchType,
+          post({ args, orig, hooked, result }) {
+            if (result && Object.keys(result).length) {
+              const assessStore = scopes.sources.getStore().assess;
+
+              if (!assessStore) {
+                logger.debug('assessStore not available in `qs` hook');
+              } else {
+                const captureStack = makeCapturer({ constructorOpt: hooked, prependFrames: [orig] });
+
+                // We need to track `qs` result only when it's used as a query parser.
+                // `qs` is used also for parsing bodies, but these cases we handle individually with
+                // the respective library that's using it (e.g. `formidable`, `co-body`) because in
+                // some cases its use is optional and we cannot rely on it.
+                if (assessStore.reqData.queries === args[0]) {
+                  for (const [key, value] of Object.entries(result)) {
+                    // TODO Same as fastify - do we need a try-catch
+                    // and checks for already tracked strings
+                    const { extern } = tracker.track(
+                      value,
+                      captureStack({
+                        inputType: 'query',
+                        name: key,
+                        tags: {
+                          untrusted: [0, value.length - 1],
+                        }
+                      })
+                    );
+
+                    if (extern) {
+                      result[key] = extern;
+                    }
+                  }
+                }
+              }
+            }
+          }
+        });
+      });
+    },
+  };
+
+  return qsSourcesInstr;
+};

package/lib/dataflow/tag-utils.js

@@ -0,0 +1,122 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+function ensureTagsImmutable(obj, tagName) {
+  return obj[tagName] ? [...obj[tagName]] : [];
+}
+
+function ensureObject(tags) {
+  return tags ? { ...tags } : {};
+}
+
+function atomicAppend(firstTagRanges, secondTagRanges, offset) {
+  const newTagRanges = [...firstTagRanges];
+
+  for (let i = 0; i < secondTagRanges.length; i++) {
+    secondTagRanges[i] += offset;
+  }
+
+  const firstTagRangesLastEnd = firstTagRanges[firstTagRanges.length - 1];
+
+  if (firstTagRangesLastEnd === secondTagRanges[0] || firstTagRangesLastEnd === secondTagRanges[0] - 1) {
+    newTagRanges.pop();
+    secondTagRanges.shift();
+  }
+
+  newTagRanges.push(...secondTagRanges);
+
+  return newTagRanges;
+}
+
+function atomicSubset(tags, subsetStart, len) {
+  const ret = [];
+  const subsetStop = subsetStart + len;
+
+  for (let idx = 0; idx < tags.length - 1; idx += 2) {
+    const tagStart = tags[idx];
+    const tagStop = tags[idx + 1];
+
+    if (tagStop < subsetStart) {
+      // substr is below - continue to check next range
+      continue;
+    }
+
+    if (tagStart > subsetStop) {
+      // all other tags are above subset so we can stop
+      break;
+    }
+    ret.push(
+      Math.max(tagStart, subsetStart) - subsetStart,
+      Math.min(tagStop, subsetStop) - subsetStart,
+    );
+  }
+
+  return ret;
+}
+
+function createAppendTags(firstTags, secondTags, offset) {
+  const ret = Object.create(null);
+  const firstTagsObject = ensureObject(firstTags);
+  const secondTagsObject = ensureObject(secondTags);
+  const tagNames = new Set([...Object.keys(firstTagsObject), ...Object.keys(secondTagsObject)]);
+
+  for (const tagName of tagNames) {
+    const newTagRanges = atomicAppend(ensureTagsImmutable(firstTagsObject, tagName), ensureTagsImmutable(secondTagsObject, tagName), offset);
+
+    newTagRanges.length && (ret[tagName] = newTagRanges);
+  }
+
+  return Object.keys(ret).length ? ret : null;
+}
+
+/**
+ * assumes:
+ *  - no mutation of arguments
+ *  - input ranges will be in non-decreasing order
+ *  - input ranges are "merged"
+ *      i.e. no ranges are adjacent
+ *      i.e. [0, 0, 1, 1] should be [0, 1]
+ *  - return ranges will be merged and in non-decreasing order
+*/
+function createSubsetTags(tags, subsetStart, len) {
+  const ret = Object.create(null);
+
+  for (const tagName of Object.keys(ensureObject(tags))) {
+    const newTagRanges = atomicSubset(ensureTagsImmutable(tags, tagName), subsetStart, len);
+
+    newTagRanges.length && (ret[tagName] = newTagRanges);
+  }
+
+  return Object.keys(ret).length ? ret : null;
+}
+
+function createFullLengthCopyTags(tags, resultLength) {
+  if (!resultLength || resultLength <= 0) return null;
+  const ret = Object.create(null);
+
+  for (const tagName of Object.keys(ensureObject(tags))) {
+    ret[tagName] = [0, resultLength - 1];
+  }
+
+  return Object.keys(ret).length ? ret : null;
+}
+
+module.exports = {
+  createSubsetTags,
+  createAppendTags,
+  createFullLengthCopyTags
+};

package/lib/dataflow/tracker.js

@@ -0,0 +1,127 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const distringuish = require('@contrast/distringuish');
+
+module.exports = function tracker(core) {
+  const {
+    assess: {
+      dataflow: {
+        eventFactory: {
+          createdEvents
+        }
+      }
+    },
+    logger
+  } = core;
+
+  const objMap = new WeakMap();
+
+  function getData(value) {
+    if (typeof value === 'string') {
+      return distringuish.getProperties(value);
+    }
+
+    return objMap.get(value) || null;
+  }
+
+  function track(value, metadata) {
+    let ret = Object.create(null);
+
+    if (!value) {
+      const err = new Error();
+      logger.error({ err, value }, 'tracker.track called with invalid argument: value is falsy');
+      return { extern: null };
+    }
+    if (!metadata) {
+      const err = new Error();
+      logger.error({ err, metadata }, 'tracker.track called with invalid argument: metadata is falsy');
+      return { extern: null };
+    }
+
+    if (!createdEvents.has(metadata)) {
+      const err = new Error();
+      logger.error({ err, metadata }, 'tracker.track called without validated metadata');
+      return { extern: null };
+    }
+
+    if (typeof value === 'string') {
+      if (distringuish.getProperties(value)) {
+        const err = new Error();
+        logger.error({ err, value }, 'tracker.track called with a string value that is already tracked');
+        return { extern: null };
+      }
+
+      const extern = distringuish.externalize(value);
+      /* c8 ignore next 5 */
+      if (!extern) {
+        const err = new Error();
+        logger.error({ err, value }, 'tracker.track was unable to externalize');
+        return { extern: null };
+      }
+
+      const externMetadata = distringuish.getProperties(extern);
+      metadata.value = value;
+      metadata.extern = extern;
+
+      ret = Object.assign(externMetadata, metadata);
+
+      return ret;
+    } else if (typeof value === 'object') {
+      const objInfo = objMap.get(value);
+      if (objInfo) {
+        return objInfo;
+      }
+
+      objMap.set(value, metadata);
+
+      return metadata;
+    }
+
+    const err = new Error();
+    logger.error({ err, value }, 'tracker.track called with a value type that is not trackable');
+    return null;
+  }
+
+  function untrack(value) {
+    if (typeof value === 'string') {
+      const props = distringuish.getProperties(value);
+      if (props) {
+        Object.assign(props, {
+          history: [],
+          tags: {},
+        });
+        delete props.resultTracked;
+      }
+      return distringuish.internalize(value);
+    }
+
+    if (typeof value === 'object') {
+      objMap.delete(value);
+      return value;
+    }
+
+    return null;
+  }
+
+  return core.assess.dataflow.tracker = {
+    track,
+    untrack,
+    getData,
+    getInfo: getData,
+  };
+};

package/lib/dataflow/utils/is-safe-content-type.js

@@ -0,0 +1,30 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+
+const SAFE_XSS_CONTENT_TYPES = [
+  '/json',
+  '/x-json',
+  '/javascript',
+  '/x-javascript',
+  '/pdf',
+  '/csv'
+];
+
+function isSafeContentType(contentType) {
+  return new RegExp(SAFE_XSS_CONTENT_TYPES.join('|')).test(contentType);
+}
+
+module.exports = { isSafeContentType, SAFE_XSS_CONTENT_TYPES };