@contrast/assess 1.1.1 → 1.2.0

package/lib/dataflow/propagation/index.js

@@ -20,15 +20,15 @@ const { callChildComponentMethodsSync } = require('@contrast/common');
 module.exports = function(core) {
   const propagation = core.assess.dataflow.propagation = {};
 
-  require('./install/string')(core);
-  require('./install/array-prototype-join')(core);
-  require('./install/pug')(core);
   require('./install/contrast-methods')(core);
-  require('./install/validator')(core);
-  require('./install/url')(core);
   require('./install/ejs')(core);
-  require('./install/encode-uri-component')(core);
+  require('./install/pug')(core);
+  require('./install/string')(core);
+  require('./install/url')(core);
+  require('./install/validator')(core);
+  require('./install/array-prototype-join')(core);
   require('./install/decode-uri-component')(core);
+  require('./install/encode-uri-component')(core);
   require('./install/escape-html')(core);
   require('./install/escape')(core);
   require('./install/handlebars-utils-escape-expression')(core);
@@ -37,7 +37,6 @@ module.exports = function(core) {
   require('./install/sql-template-strings')(core);
   require('./install/unescape')(core);
 
-
   propagation.install = function() {
     callChildComponentMethodsSync(propagation, 'install');
   };

package/lib/dataflow/propagation/install/contrast-methods/index.js

@@ -29,6 +29,7 @@ module.exports = function(core) {
 
   require('./add')(core);
   require('./tag')(core);
+  require('./string')(core);
 
   return contrastMethodsInstrumentation;
 };

package/lib/dataflow/propagation/install/contrast-methods/string.js

@@ -0,0 +1,56 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../../common');
+
+module.exports = function(core) {
+  const {
+    scopes: { sources, instrumentation },
+    patcher,
+    assess: {
+      dataflow: { tracker }
+    }
+  } = core;
+
+  return core.assess.dataflow.propagation.contrastMethodsInstrumentation.string = {
+    install() {
+      patcher.patch(global.ContrastMethods, 'String', {
+        name: 'ContrastMethods.String',
+        patchType,
+        post(data) {
+          if (!data.result || !sources.getStore() || instrumentation.isLocked()) return;
+
+          const arg = data.args[0];
+          let argInfo = tracker.getData(arg);
+
+          if (data.obj && !argInfo) {
+            argInfo = tracker.getData(data.result.toString());
+          }
+
+          if (!arg || !argInfo) {
+            return;
+          }
+
+          const { extern } = tracker.track(data.result, argInfo);
+          if (extern) {
+            data.result = extern;
+          }
+        }
+      });
+    }
+  };
+};

package/lib/dataflow/propagation/install/string/index.js

@@ -33,6 +33,7 @@ module.exports = function(core) {
   require('./trim')(core);
   require('./html-methods')(core);
   require('./format-methods')(core);
+  require('./split')(core);
 
   return stringInstrumentation;
 };

package/lib/dataflow/propagation/install/string/split.js

@@ -0,0 +1,108 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../../common');
+const { join } = require('@contrast/common');
+const { createSubsetTags } = require('../../../tag-utils');
+
+
+module.exports = function(core) {
+  const {
+    scopes: { sources, instrumentation },
+    patcher,
+    assess: {
+      dataflow: { tracker, eventFactory: { createPropagationEvent } }
+    }
+  } = core;
+
+  return core.assess.dataflow.propagation.stringInstrumentation.split = {
+    install() {
+      const name = 'String.prototype.split';
+
+      patcher.patch(String.prototype, 'split', {
+        name,
+        patchType,
+        post(data) {
+          const { name, args, obj, result, hooked, orig } = data;
+          if (
+            !obj ||
+            !result ||
+            args.length === 0 ||
+            result.length === 0 ||
+            !sources.getStore() ||
+            typeof obj !== 'string' ||
+            instrumentation.isLocked() ||
+            (args.length === 1 && args[0] == null)
+          ) return;
+
+          const objInfo = tracker.getData(obj);
+          if (!objInfo) return;
+
+          let idx = 0;
+          for (let i = 0; i < result.length; i++) {
+            const res = result[i];
+            const start = obj.indexOf(res, idx);
+            idx += res.length;
+            const objSubstr = obj.substring(start, start + res.length);
+            const objSubstrInfo = tracker.getData(objSubstr);
+            if (objSubstrInfo) {
+              const tags = createSubsetTags(objInfo.tags, start, res.length - 1);
+              if (!tags) continue;
+
+              const event = createPropagationEvent({
+                name,
+                history: [objInfo],
+                object: {
+                  value: obj,
+                  isTracked: true,
+                },
+                args: args.map((arg) => {
+                  const argInfo = tracker.getData(arg);
+                  return {
+                    value: argInfo ? argInfo.value : arg.toString(),
+                    isTracked: !!argInfo
+                  };
+                }),
+                tags,
+                result: {
+                  value: join(result),
+                  isTracked: false
+                },
+                stacktraceOpts: {
+                  constructorOpt: hooked,
+                  prependFrames: [orig]
+                },
+                source: 'O',
+                target: 'R'
+              });
+
+              if (event) {
+                const { extern } = tracker.track(res, event);
+                if (extern) {
+                  data.result[i] = extern;
+                }
+              }
+            }
+          }
+        },
+      });
+    },
+    uninstall() {
+      String.prototype.split = patcher.unwrap(String.prototype.split);
+    },
+  };
+};

package/lib/dataflow/sources/index.js

@@ -25,7 +25,6 @@ module.exports = function(core) {
   // installers
   require('./install/http')(core);
   require('./install/fastify')(core);
-  require('./install/qs')(core);
 
   sources.install = function install() {
     callChildComponentMethodsSync(sources, 'install');

package/lib/dataflow/sources/install/http.js

@@ -15,6 +15,7 @@
 
 'use strict';
 const { patchType } = require('../common');
+const { toLowerCase } = require('@contrast/common');
 
 // This is only just initiating an async storage for the http source
 // TODO Tracking the user input
@@ -59,13 +60,13 @@ module.exports = function(core) {
               const key = obj[i];
               const value = obj[i + 1];
 
-              if (key.toLowerCase() === 'content-type') {
+              if (toLowerCase(key) === 'content-type') {
                 store.assess.responseData.contentType = value;
               }
             }
           } else if (typeof obj === 'object') {
             for (const [key, value] of Object.entries(obj)) {
-              if (key.toLowerCase() === 'content-type') {
+              if (toLowerCase(key) === 'content-type') {
                 store.assess.responseData.contentType = value;
               }
             }
@@ -79,7 +80,7 @@ module.exports = function(core) {
         patchType,
         pre(data) {
           const [name = '', value] = data.args;
-          if (name.toLowerCase() === 'content-type' && value) {
+          if (toLowerCase(name) === 'content-type' && value) {
             store.assess.responseData.contentType = value;
           }
         }
@@ -99,11 +100,11 @@ module.exports = function(core) {
       const headers = {};
 
       for (let i = 0; i < req.rawHeaders.length; i += 2) {
-        const header = req.rawHeaders[i].toLowerCase();
+        const header = toLowerCase(req.rawHeaders[i]);
         headers[header] = req.rawHeaders[i + 1];
       }
 
-      const contentType = headers['content-type']?.toLowerCase();
+      const contentType = headers['content-type'] && toLowerCase(headers['content-type']);
       const reqData = {
         ip: req.socket.remoteAddress,
         httpVersion: req.httpVersion,
@@ -125,7 +126,9 @@ module.exports = function(core) {
       logger.error({ err }, 'Error during assess request handling');
     }
 
-    return next();
+    setImmediate(() => {
+      next.call(data.obj, ...data.args);
+    });
   }
 
   function install() {

package/lib/index.js

@@ -15,7 +15,9 @@
 
 'use strict';
 
+const { callChildComponentMethodsSync } = require('@contrast/common');
 const dataflow = require('./dataflow');
+const responseScanning = require('./response-scanning');
 
 module.exports = function assess(core) {
   if (!core.config.assess.enable) return;
@@ -25,14 +27,14 @@ module.exports = function assess(core) {
   // Does this order matter? Probably not
   // 1. dataflow
   dataflow(core);
+  responseScanning(core);
 
-  // response-scanning
   // crypto
   // static (in coordination with rewriter)
 
   assess.install = function() {
     core.rewriter.install('assess');
-    core.assess.dataflow.install();
+    callChildComponentMethodsSync(core.assess, 'install');
   };
 
   return assess;

package/lib/response-scanning/handlers/index.js

@@ -0,0 +1,274 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const {
+  escapeHtml,
+  isHtmlContent,
+  getElements,
+  getAttribute,
+  isParseableResponse,
+  checkCacheControlValue,
+  checkMetaTags,
+  getCspHeaders,
+  checkCspSources
+} = require('./utils');
+const { toLowerCase, substring, ResponseScanningRule } = require('@contrast/common');
+
+module.exports = function(core) {
+  const {
+    assess: {
+      responseScanning,
+      responseScanning: {
+        reportFindings
+      }
+    }
+  } = core;
+
+  responseScanning.handleAutoCompleteMissing = function(sourceContext, { responseHeaders, responseBody }) {
+    if (!isHtmlContent(responseHeaders)) {
+      return;
+    }
+
+    const elements = getElements('form', responseBody);
+
+    for (let i = 0; i < elements.length; i++) {
+      const autocomplete = getAttribute('autocomplete', elements[i]);
+      if (autocomplete !== 'off') {
+        reportFindings(sourceContext,
+          {
+            ruleId: ResponseScanningRule.AUTOCOMPLETE_MISSING,
+            vulnerabilityMetadata: {
+              attribute: autocomplete,
+              html: escapeHtml(elements[i]),
+              start: 0,
+              end: elements[i].length
+            }
+          });
+        break;
+      }
+    }
+  };
+
+  responseScanning.handleCacheControlsMissing = function(sourceContext, { responseHeaders, responseBody }) {
+    const instructions = [];
+
+    // de-dupe; this will be re-emitted for parseableBody handlers anyway
+    if (isParseableResponse(responseHeaders) && !responseBody) {
+      return;
+    }
+    const cacheControlHeader = responseHeaders['cache-control'];
+
+    // save the Pragma Header
+    if (responseHeaders['pragma']) {
+      instructions.push({
+        type: 'Header',
+        name: 'pragma',
+        value: responseHeaders['pragma']
+      });
+    }
+
+    if (cacheControlHeader) {
+      const [containsNoCache, containsNoStore] = checkCacheControlValue(
+        cacheControlHeader
+      );
+
+      // got everything from header so we don't care about meta tags
+      if (containsNoCache && containsNoStore) {
+        return;
+      } else {
+        // save the instructions in case meta tags are missing
+        instructions.push({
+          type: 'Header',
+          name: 'cache-control',
+          value: cacheControlHeader
+        });
+      }
+    }
+
+    // we checked the headers now time to check the HTML content
+    checkMetaTags({ body: responseBody, cacheControlHeader, instructions });
+
+    if (instructions.length) {
+      reportFindings(sourceContext, {
+        ruleId: ResponseScanningRule.CACHE_CONTROLS_MISSING,
+        vulnerabilityMetadata: {
+          data: JSON.stringify(instructions)
+        }
+      });
+    }
+  };
+
+  responseScanning.handleClickJackingControlsMissing = function(sourceContext, { responseHeaders }) {
+    // look for x-frame-options headers with deny or sameorigin
+    const xFrameHeaders = responseHeaders['x-frame-options'];
+    let hasFrameBusting = false;
+
+    if (xFrameHeaders) {
+      const xFrameHeadersLC = toLowerCase(xFrameHeaders);
+      hasFrameBusting =
+        xFrameHeadersLC.indexOf('deny') > -1 ||
+        xFrameHeadersLC.indexOf('sameorigin') > -1;
+    }
+
+    if (!hasFrameBusting) {
+      reportFindings(sourceContext, { ruleId: ResponseScanningRule.CLICKJACKING_CONTROL_MISSING });
+    }
+  };
+
+  responseScanning.handleParameterPollution = function(sourceContext, { responseBody }) {
+    // look for form tag with missing action attribute.
+    // ex: <form method="post">..
+    const elements = getElements('form', responseBody);
+
+    for (let i = 0; i < elements.length; i++) {
+      const action = getAttribute('action', elements[i]);
+      if (!action) {
+        reportFindings(sourceContext, {
+          ruleId: ResponseScanningRule.PARAMETER_POLLUTION,
+          vulnerabilityMetadata: {
+            attribute: action,
+            html: escapeHtml(elements[i])
+          }
+        });
+      }
+    }
+  };
+
+  /**
+ * Checks the response headers for the CSP. If found, and insecure, will return
+ * the evidence for reporting.
+ *
+ * @param   {Object}        responseHeaders - HTTP headers object.
+ * @returns {Object}                        - Evidence for insecure CSP header.
+ */
+  responseScanning.handleCspHeader = function(sourceContext, { responseHeaders }) {
+    const cspHeaders = getCspHeaders(responseHeaders);
+
+    // Don't report if not set; this report belongs to 'csp-header-missing'
+    if (!cspHeaders) {
+      reportFindings(sourceContext, { ruleId: ResponseScanningRule.CSP_HEADER_MISSING });
+      return;
+    }
+
+    const vulnerabilityMetadata = checkCspSources(cspHeaders);
+
+    if (vulnerabilityMetadata.insecure) {
+      // We do this because TS API will expect these keys (although it is a typo)
+      // When they fix the API we can remove this
+      vulnerabilityMetadata.refererSecure = vulnerabilityMetadata.referrerSecure;
+      vulnerabilityMetadata.refererValue = vulnerabilityMetadata.referrerValue;
+
+      delete vulnerabilityMetadata.insecure;
+      delete vulnerabilityMetadata.referrerSecure;
+      delete vulnerabilityMetadata.referrerValue;
+
+      reportFindings(sourceContext, { ruleId: ResponseScanningRule.CSP_HEADER_INSECURE, vulnerabilityMetadata });
+    }
+  };
+
+  responseScanning.handleHstsHeaderMissing = function(sourceContext, { responseHeaders }) {
+    let header = responseHeaders['strict-transport-security'];
+    let maxAge;
+
+    if (header) {
+      header = toLowerCase(header);
+      const flag = header.indexOf('max-age');
+      if (flag > -1) {
+        const equal = header.indexOf('=', flag);
+        if (equal > -1) {
+          const semicolon = header.indexOf(';', equal);
+          if (semicolon > -1) {
+            maxAge = substring(header, equal + 1, semicolon);
+          } else {
+            maxAge = substring(header, equal + 1);
+          }
+        }
+      }
+    }
+
+    if (!(parseInt(maxAge) > 0)) {
+      reportFindings(sourceContext, {
+        ruleId: ResponseScanningRule.HSTS_HEADER_MISSING,
+        vulnerabilityMetadata: {
+          data: maxAge || ''
+        }
+      });
+    }
+  };
+
+  responseScanning.handlePoweredByHeader = function(sourceContext, { responseHeaders }) {
+    const headerName = 'x-powered-by';
+    let header = responseHeaders[headerName];
+
+    if (header) {
+      header = toLowerCase(header);
+
+      const instructions = [
+        {
+          type: 'Header',
+          name: headerName,
+          value: header
+        }
+      ];
+
+      reportFindings(sourceContext, {
+        ruleId: ResponseScanningRule.POWERED_BY_HEADER,
+        vulnerabilityMetadata: {
+          data: JSON.stringify(instructions)
+        }
+      });
+    }
+  };
+
+  responseScanning.handleXContentTypeHeaderMissing = function(sourceContext, { responseHeaders }) {
+    const headerName = 'x-content-type-options';
+    let header = responseHeaders[headerName];
+
+    if (header) {
+      header = toLowerCase(header);
+      if (header === 'nosniff') {
+        return;
+      }
+    }
+
+    reportFindings(sourceContext, {
+      ruleId: ResponseScanningRule.XCONTENTTYPE_HEADER_MISSING,
+      vulnerabilityMetadata: {
+        data: header || ''
+      }
+    });
+  };
+
+  responseScanning.handleXxsProtectionHeaderDisabled = function(sourceContext, { responseHeaders }) {
+    const header = responseHeaders['x-xss-protection'];
+
+    // This header is set by default, so `header` should always be present.
+    if (header && header.startsWith('1')) {
+      return;
+    }
+
+    reportFindings(sourceContext, {
+      ruleId: ResponseScanningRule.XXSPROTECTION_HEADER_DISABLED,
+      vulnerabilityMetadata: {
+        data: header
+      }
+    });
+  };
+
+  return responseScanning;
+};
+

package/lib/response-scanning/handlers/utils.js

@@ -0,0 +1,394 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { join, substring, toLowerCase, split, trim } = require('@contrast/common');
+
+//
+// General HTML utils
+//
+const htmlEscapes = {
+  '&': '&',
+  '<': '&lt;',
+  '>': '&gt;',
+  '"': '&quot;',
+  "'": '&#39;'
+};
+const reUnescapedHtml = /[&<>"']/g;
+const reHasUnescapedHtml = RegExp(reUnescapedHtml.source);
+
+function escapeHtml(string) {
+  return (string && reHasUnescapedHtml.test(string))
+    ? string.replace(reUnescapedHtml, (chr) => htmlEscapes[chr])
+    : (string || '');
+}
+
+function getHtmlTagRange(htmlTag, content, offset) {
+  const htmlTagStart = content.indexOf(`<${htmlTag}`, offset);
+  if (htmlTagStart < 0) return [-1, 0];
+
+  const htmlTagEnd = content.indexOf('>', htmlTagStart);
+  return [htmlTagStart, htmlTagEnd - htmlTagStart + 1];
+}
+
+function getElements(htmlTag, content = '') {
+  const elements = [];
+  let offset = 0;
+  let htmlTagRangeStart = -1;
+  let htmlTagRangeLength = 0;
+
+  do {
+    [htmlTagRangeStart, htmlTagRangeLength] = getHtmlTagRange(htmlTag, content, offset);
+    if (htmlTagRangeStart >= 0) {
+      offset = htmlTagRangeStart + htmlTagRangeLength;
+      elements.push(substring(content, htmlTagRangeStart, offset));
+    }
+  } while (htmlTagRangeStart >= 0);
+
+  return elements;
+}
+
+function isHtmlContent(responseHeaders) {
+  if (!responseHeaders) {
+    // this should never happen, but better safe than sorry;
+    // worst case, we parse image data or something
+    return true;
+  }
+
+  // we may want to do a case-insensitive search through object keys here
+  const contentType = toLowerCase(responseHeaders['Content-Type'] || responseHeaders['content-type'] || '');
+
+  return (
+    !contentType ||
+    contentType.includes('text') ||
+    contentType.includes('html')
+  );
+}
+
+function isParseableResponse(responseHeaders) {
+  if (!responseHeaders) {
+    // this should never happen, but better safe than sorry;
+    // worst case, we parse image data or something
+    return true;
+  }
+
+  // we may want to do a case-insensitive search through object keys here
+  let contentType =
+    responseHeaders['Content-Type'] || responseHeaders['content-type'];
+  if (contentType) contentType = toLowerCase(contentType);
+
+  return (
+    !contentType ||
+    contentType.includes('text') ||
+    contentType.includes('html') ||
+    contentType.includes('xml') ||
+    contentType.includes('json') ||
+    contentType.includes('soap') ||
+    contentType.includes('pdf')
+  );
+}
+
+function getAttribute(attribute, htmlTag = '') {
+  let attrStart = htmlTag.indexOf(`${attribute}=`);
+  if (attrStart === -1) return undefined;
+
+  attrStart += attribute.length + 1;
+  const quoteChar = htmlTag[attrStart];
+  if (quoteChar === ' ') return undefined;
+
+  let attrEnd = -1;
+  if (quoteChar === '"' || quoteChar === "'") {
+    attrStart += 1;
+    attrEnd = htmlTag.indexOf(quoteChar, attrStart);
+  } else {
+    // handle unquoted <form method=post >
+    attrEnd = htmlTag.indexOf(' ', attrStart);
+
+    // handle unquoted and last attribute <form method=post>
+    if (attrEnd === -1) {
+      attrEnd = htmlTag[htmlTag.length - 2] === '/' ? htmlTag.length - 2 : htmlTag.length - 1;
+    }
+  }
+
+  return substring(htmlTag, attrStart, attrEnd);
+}
+
+/**
+ * Checks if http-equiv is one of the following
+ * below
+ *
+ * @param {String} httpequiv value of http-equiv meta attr
+ */
+function applicableHttpEquiv(httpequiv) {
+  return (
+    httpequiv == 'cache-control' ||
+    httpequiv == 'pragma' ||
+    httpequiv == 'expires'
+  );
+}
+/**
+ * Checks every meta html tag from body for http-equiv attributes.
+ * If attr exists it will check the content attr if http-equiv is cache-control
+ * Otherwise it will add value of attr if cache-control, pragma or expires
+ */
+function checkMetaTags({ body, cacheControlHeader, instructions }) {
+  const metaTags = getElements('meta', body);
+  metaTags.forEach((tag) => {
+    const httpequiv = getAttribute('http-equiv', tag);
+    if (httpequiv) {
+      const content = getAttribute('content', tag);
+      if (httpequiv == 'cache-control') {
+        const [
+          containsMetaNoCache,
+          containsMetaNoStore
+        ] = checkCacheControlValue(content);
+        if (containsMetaNoCache && containsMetaNoStore) {
+          return;
+        }
+
+        const [containsNoCache, containsNoStore] = checkCacheControlValue(
+          cacheControlHeader
+        );
+
+        // got no-store from headers and no-cache from meta
+        // or no-cache from headers and no-store from meta
+        if (
+          (containsNoStore && containsMetaNoCache) ||
+          (containsNoCache && containsMetaNoStore)
+        ) {
+          return;
+        }
+      }
+
+      // if we make it this far push the values into instructions
+      if (applicableHttpEquiv(httpequiv)) {
+        instructions.push({
+          type: 'META tag',
+          name: httpequiv,
+          value: tag
+        });
+      }
+    }
+  });
+}
+
+
+//
+// Utils regarding Content Security Policy headers rules
+//
+
+/**
+ * Terminology for Content Security Policies
+ * See https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+ *  csp - Content Security Policy
+ *  policy - the entire csp header value
+ *  directive - a specific key of the policy(e.g default-src, media-src)
+ *  sources - the value(s) of the directive(default-src foobar.com;)
+ */
+
+/**
+ * Checks the value of cache-control
+ * either header or meta content attr value
+ * for if it contains no-cache or no-store
+ *
+ * @param {String} value value of cache-control
+ * @return {Array} [no-cache present, no-store present]
+ */
+function checkCacheControlValue(value = '') {
+  if (Array.isArray(value)) {
+    let noCache = false;
+    let noStore = false;
+
+    value.forEach((directive) => {
+      if (toLowerCase(directive).includes('no-cache')) {
+        noCache = true;
+      }
+      if (toLowerCase(directive).includes('no-store')) {
+        noStore = true;
+      }
+    });
+    return [noCache, noStore];
+  } else {
+    value = toLowerCase(value);
+    return [value.includes('no-cache'), value.includes('no-store')];
+  }
+}
+
+/**
+ * Special evaluator for any -src directives
+ * If it is empty and default is secure then it is secure
+ *
+ * @param {Array} sources sources for a given -src directive
+ * @param {Array} defaultSources sources for the default-src directive
+ * @return {Boolean}
+ */
+function isSrcSecure(sources, defaultSources) {
+  return sources.length === 0
+    ? isSourceSecure(defaultSources)
+    : isSourceSecure(sources);
+}
+
+/**
+ * Checks if a given source(s) for a directive is defined and is secure(does not contain a '*')
+ *
+ * @param {Array} sources sources for a given csp directive
+ * @return {Boolean} whether a directive is secure
+ */
+function isSourceSecure(sources) {
+  return (
+    sources.length > 0 &&
+    sources.every((source) => !!source && !/\*/.test(source))
+  );
+}
+
+/**
+ * Evaluator for reflected-xss directive.  Checks if the value is not
+ * equal to 1
+ * Note: If empty it is secure
+ * @param {Array} sources sources for a given csp directive
+ * @return {Boolean} whether a directive is secure
+ */
+function xssCheck(sources) {
+  return sources.every((source) => parseInt(source) === 1);
+}
+
+/**
+ * Evaluator for referrer directive. Checks if value is not *
+ * or contains unsafe-url
+ * @param {Array} sources sources for a given csp directive
+ * @return {Boolean} whether a directive is secure
+ */
+function referrerCheck(sources) {
+  return sources.every((source) => !/unsafe-url|\*/.test(source));
+}
+
+const KNOWN_DIRECTIVES = [
+  { name: 'default-src', camelCasedName: 'defaultSrc', evaluator: isSourceSecure },
+  { name: 'base-uri', camelCasedName: 'baseUri', evaluator: isSourceSecure },
+  { name: 'child-src', camelCasedName: 'childSrc' },
+  { name: 'connect-src', camelCasedName: 'connectSrc' },
+  { name: 'frame-src', camelCasedName: 'frameSrc' },
+  { name: 'media-src', camelCasedName: 'mediaSrc' },
+  { name: 'object-src', camelCasedName: 'objectSrc' },
+  { name: 'script-src', camelCasedName: 'scriptSrc' },
+  { name: 'style-src', camelCasedName: 'styleSrc' },
+  { name: 'form-action', camelCasedName: 'formAction', evaluator: isSourceSecure },
+  { name: 'frame-ancestors', camelCasedName: 'frameAncestors', evaluator: isSourceSecure },
+  { name: 'plugin-types', camelCasedName: 'pluginTypes', evaluator: isSourceSecure },
+  { name: 'reflected-xss', camelCasedName: 'reflectedXss', evaluator: xssCheck },
+  { name: 'referrer', evaluator: referrerCheck }
+];
+
+/**
+ * Convenience method for formatting a given directive's
+ * secure and value properties. It also camel cases the key
+ * to match the spec for the rule's finding
+ *
+ * @param {Object} params
+ * @param {Object} params.data obj to store the full props object
+ * @param {String} params.key the csp header directive
+ * @param {Array} params.value array of sources for the directive
+ * @param {Boolean} params.isSecure flag indicating if directive is secure
+ */
+function formatSource({
+  data,
+  key,
+  sources = [],
+  defaultSources = [],
+  evaluator = isSrcSecure,
+}) {
+  const isSecure = evaluator(sources, defaultSources);
+
+  if (!isSecure && !data.insecure) {
+    data.insecure = true;
+  }
+
+  data[`${key}Secure`] = isSecure;
+  data[`${key}Value`] = join(sources, ' ');
+}
+
+/**
+ * This will take a Content Security Policy string and parse it
+ */
+function policyParser(policy) {
+  const result = {};
+  for (const directive of split(policy, ';')) {
+    const [directiveKey, ...directiveValue] = split(trim(directive), /\s+/g);
+    if (
+      directiveKey &&
+      !Object.prototype.hasOwnProperty.call(result, directiveKey)
+    ) {
+      result[directiveKey] = directiveValue;
+    }
+  }
+  return result;
+}
+
+/**
+ * This will parse a CSP header value into an object
+ * It will then iterate over all known keys and build
+ * which are secure and which aren't with the values
+ * for each. If a directive is undefined, it assumed
+ * insecure and will provide '' as the value
+ *
+ * See: https://contrast.atlassian.net/wiki/spaces/ENG/pages/805503460/Content-Security-Policy+Header+Misconfigured
+ */
+function checkCspSources(policy) {
+  const csp = policyParser(policy);
+  const data = {};
+
+  KNOWN_DIRECTIVES.forEach(({ name, evaluator, camelCasedName }) => {
+    const sources = csp[name];
+    formatSource({
+      data,
+      defaultSources: csp['default-src'],
+      key: camelCasedName || name,
+      sources,
+      evaluator,
+    });
+  });
+
+  return data;
+}
+
+/**
+ * Extracts the Content Security Policy from headers
+ * in one of the CSP_HEADERS constants
+ *
+ * @param {Object} responseHeaders
+ * @return {*} the csp header value or false(if not present)
+ */
+function getCspHeaders(responseHeaders) {
+  const CSP_HEADERS = [
+    'content-security-policy',
+    'x-content-security-policy',
+    'x-webkit-csp'
+  ];
+  const headerName = CSP_HEADERS.filter((header) => responseHeaders[header]);
+  return headerName.length ? responseHeaders[headerName[0]] : false;
+}
+
+module.exports = {
+  escapeHtml,
+  isHtmlContent,
+  getElements,
+  getAttribute,
+  isParseableResponse,
+  checkCacheControlValue,
+  checkMetaTags,
+  getCspHeaders,
+  checkCspSources
+};

package/lib/response-scanning/index.js

@@ -0,0 +1,36 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { callChildComponentMethodsSync, Event } = require('@contrast/common');
+
+module.exports = function(core) {
+  const { messages } = core;
+  const responseScanning = core.assess.responseScanning = {
+    reportFindings(_sourceContext, vulnerabilityMetadata) {
+      messages.emit(Event.ASSESS_RESPONSE_SCANNING_FINDING, vulnerabilityMetadata);
+    },
+  };
+
+  require('./handlers')(core);
+  require('./install/http')(core);
+
+  responseScanning.install = function() {
+    callChildComponentMethodsSync(responseScanning, 'install');
+  };
+
+  return responseScanning;
+};

package/lib/response-scanning/install/http.js

@@ -0,0 +1,119 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { split, substring, toLowerCase, trim } = require('@contrast/common');
+
+module.exports = function(core) {
+  const {
+    depHooks,
+    patcher,
+    scopes: { sources },
+    assess: {
+      responseScanning: {
+        handleAutoCompleteMissing,
+        handleCacheControlsMissing,
+        handleClickJackingControlsMissing,
+        handleParameterPollution,
+        handleCspHeader,
+        handleHstsHeaderMissing,
+        handlePoweredByHeader,
+        handleXContentTypeHeaderMissing,
+        handleXxsProtectionHeaderDisabled,
+      }
+    }
+  } = core;
+  const http = core.assess.responseScanning.httpInstrumentation = {};
+
+  function parseHeaders(rawHeaders = '') {
+    const headersArray = split(rawHeaders, '\r\n').filter(Boolean);
+    return headersArray.reduce((acc, header) => {
+      const idx = header.indexOf(':');
+
+      if (idx > -1) {
+        const name = toLowerCase(substring(header, 0, idx));
+        const value = trim(substring(header, idx + 1));
+        const currentValue = acc[name];
+        acc[name] = currentValue
+          ? Array.isArray(currentValue)
+            ? currentValue.push(value) && currentValue
+            : [currentValue, value]
+          : value;
+      }
+
+      return acc;
+    }, {});
+  }
+
+  const patchType = 'response-scanning';
+
+  http.install = function() {
+    depHooks.resolve({ name: 'http' }, (http) => {
+      {
+        const name = 'http.ServerResponse.prototype.write';
+        patcher.patch(http.ServerResponse.prototype, 'write', {
+          name,
+          patchType,
+          post(data) {
+            const sourceContext = sources.getStore()?.assess;
+            if (!sourceContext) return;
+
+            const evaluationContext = {
+              responseBody: toLowerCase(data.args[0] || ''),
+              responseHeaders: parseHeaders(data.result._header),
+            };
+
+            // Check only the rules concerning the response body
+            handleAutoCompleteMissing(sourceContext, evaluationContext);
+            handleCacheControlsMissing(sourceContext, evaluationContext);
+            handleParameterPollution(sourceContext, evaluationContext);
+            handleXxsProtectionHeaderDisabled(sourceContext, evaluationContext);
+          }
+        });
+      }
+      {
+        const name = 'http.ServerResponse.prototype.end';
+        patcher.patch(http.ServerResponse.prototype, 'end', {
+          name,
+          patchType,
+          post(data) {
+            const sourceContext = sources.getStore()?.assess;
+            if (!sourceContext) return;
+
+            const evaluationContext = {
+              responseBody: toLowerCase(data.args[0] || ''),
+              responseHeaders: parseHeaders(data.result._header),
+            };
+
+            // Check all the response scanning rules
+            handleAutoCompleteMissing(sourceContext, evaluationContext);
+            handleCacheControlsMissing(sourceContext, evaluationContext);
+            handleClickJackingControlsMissing(sourceContext, evaluationContext);
+            handleParameterPollution(sourceContext, evaluationContext);
+            handleCspHeader(sourceContext, evaluationContext);
+            handleHstsHeaderMissing(sourceContext, evaluationContext);
+            handlePoweredByHeader(sourceContext, evaluationContext);
+            handleXContentTypeHeaderMissing(sourceContext, evaluationContext);
+            handleXxsProtectionHeaderDisabled(sourceContext, evaluationContext);
+          }
+        });
+      }
+    });
+  };
+
+  return http;
+};
+

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.1.1",
+  "version": "1.2.0",
   "description": "",
   "main": "lib/index.js",
   "scripts": {
@@ -15,7 +15,7 @@
   "dependencies": {
     "@contrast/distringuish": "^4.1.0",
     "@contrast/scopes": "1.3.0",
-    "@contrast/common": "1.4.1",
+    "@contrast/common": "1.5.0",
     "parseurl": "^1.3.3"
   }
 }

package/lib/dataflow/sources/install/qs.js

@@ -1,88 +0,0 @@
-/*
- * Copyright: 2022 Contrast Security, Inc
- * Contact: support@contrastsecurity.com
- * License: Commercial
-
- * NOTICE: This Software and the patented inventions embodied within may only be
- * used as part of Contrast Security’s commercial offerings. Even though it is
- * made available through public repositories, use of this Software is subject to
- * the applicable End User Licensing Agreement found at
- * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
- * between Contrast Security and the End User. The Software may not be reverse
- * engineered, modified, repackaged, sold, redistributed or otherwise used in a
- * way not consistent with the End User License Agreement.
- */
-
-'use strict';
-
-const { patchType } = require('../common');
-
-module.exports = function(core) {
-  const {
-    createSnapshot,
-    patcher,
-    depHooks,
-    scopes,
-    assess: {
-      dataflow: { tracker, sources },
-    },
-    logger
-  } = core;
-
-  function makeCapturer(opts) {
-    const snapshot = createSnapshot(opts);
-    return function(obj) {
-      obj.stack = snapshot();
-      return obj;
-    };
-  }
-
-  const qsSourcesInstr = sources.qsSourcesInstr = {
-    install() {
-      depHooks.resolve({ name: 'qs' }, (qs) => {
-        patcher.patch(qs, 'parse', {
-          name: 'qs',
-          patchType,
-          post({ args, orig, hooked, result }) {
-            if (result && Object.keys(result).length) {
-              const assessStore = scopes.sources.getStore().assess;
-
-              if (!assessStore) {
-                logger.debug('assessStore not available in `qs` hook');
-              } else {
-                const captureStack = makeCapturer({ constructorOpt: hooked, prependFrames: [orig] });
-
-                // We need to track `qs` result only when it's used as a query parser.
-                // `qs` is used also for parsing bodies, but these cases we handle individually with
-                // the respective library that's using it (e.g. `formidable`, `co-body`) because in
-                // some cases its use is optional and we cannot rely on it.
-                if (assessStore.reqData.queries === args[0]) {
-                  for (const [key, value] of Object.entries(result)) {
-                    // TODO Same as fastify - do we need a try-catch
-                    // and checks for already tracked strings
-                    const { extern } = tracker.track(
-                      value,
-                      captureStack({
-                        inputType: 'query',
-                        name: key,
-                        tags: {
-                          untrusted: [0, value.length - 1],
-                        }
-                      })
-                    );
-
-                    if (extern) {
-                      result[key] = extern;
-                    }
-                  }
-                }
-              }
-            }
-          }
-        });
-      });
-    },
-  };
-
-  return qsSourcesInstr;
-};