npm - @contrast/assess - Versions diffs - 1.10.0 → 1.12.0 - Mend

@contrast/assess 1.10.0 → 1.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (119) hide show

package/lib/dataflow/propagation/install/mongoose/schema-mixed.js ADDED Viewed

@@ -0,0 +1,162 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { patchType } = require('../../common');
+const { userDefinedType } = require('./common');
+const { traverseValues, DataflowTag, substring } = require('@contrast/common');
+module.exports = function (core) {
+  const {
+    config: { assess },
+    scopes: { sources },
+    patcher,
+    depHooks,
+    assess: {
+      eventFactory: { createPropagationEvent },
+      dataflow: {
+        tracker,
+        propagation: { mongooseInstrumentation },
+      },
+    },
+  } = core;
+  const schemaMixed = {};
+  mongooseInstrumentation.schemaMixed = schemaMixed;
+  const handleString = (strInfo, orig, value, name) => {
+    const methodName = substring(name, name.indexOf('.') + 1);
+    // copy because we mutate the metadata value inline
+    const history = [{ ...strInfo }];
+    const event = createPropagationEvent({
+      addedTags: [DataflowTag.CUSTOM_VALIDATED],
+      name,
+      moduleName: 'mongoose',
+      methodName,
+      history,
+      object: {
+        tracked: false,
+        value: 'mongoose.SchemaMixed',
+      },
+      args: [{ tracked: true, value: strInfo.value }],
+      result: {
+        tracked: false,
+        value: undefined,
+      },
+      source: 'P0',
+      tags: {
+        ...strInfo.tags,
+        [DataflowTag.CUSTOM_VALIDATED]: [0, value.length - 1],
+      },
+      target: 'P0',
+      stacktraceOpts: {
+        prependFrames: [orig],
+      },
+    });
+    if (!event) return;
+    // in case the event type changed e.g. Source->Propagation
+    for (const key of Object.keys(strInfo)) {
+      if (key === 'value' || key === 'extern') continue;
+      delete strInfo[key];
+    }
+    Object.assign(strInfo, event);
+  };
+  const mixedInstrumentation = (data, name) => {
+    const hasCustomValidator = data.obj.validators.some(
+      (validator) => validator.type === userDefinedType
+    );
+    if (!hasCustomValidator) return;
+    const { orig, args } = data;
+    const input = args[0];
+    const inputType = typeof input;
+    if (inputType !== 'string' && inputType !== 'object') return;
+    if (inputType === 'string') {
+      const strInfo = tracker.getData(input);
+      if (!strInfo) return;
+      return handleString(strInfo, orig, input, name);
+    }
+    const weakMapOfStrInfo = new WeakMap();
+    traverseValues(input, (path, type, value) => {
+      const strInfo = tracker.getData(value);
+      if (!strInfo || weakMapOfStrInfo.has(strInfo)) return;
+      weakMapOfStrInfo.set(strInfo, true);
+      handleString(strInfo, orig, value, name);
+    });
+  };
+  schemaMixed.install = function () {
+    depHooks.resolve(
+      { name: 'mongoose', file: 'lib/schema/mixed.js', version: '>=5.0.0' },
+      (SchemaMixed) => {
+        const doValidateSyncName = 'mongoose.mixed.prototype.doValidateSync';
+        patcher.patch(SchemaMixed.prototype, 'doValidateSync', {
+          name: doValidateSyncName,
+          patchType,
+          post: (data) => {
+            if (
+              !assess.trust_custom_validators ||
+              data.result ||
+              !sources.getStore()?.assess
+            ) {
+              return;
+            }
+            mixedInstrumentation(data, doValidateSyncName);
+          },
+        });
+        // called when `Model.validate(data)` static method is used, as well as `model.validate()` instance method
+        const doValidateName = 'mongoose.mixed.prototype.doValidate';
+        patcher.patch(SchemaMixed.prototype, 'doValidate', {
+          name: doValidateName,
+          patchType,
+          pre: (data) => {
+            if (!assess.trust_custom_validators || !sources.getStore()?.assess) {
+              return;
+            }
+            const [value, cb] = data.args;
+            if (!value || typeof cb !== 'function') {
+              return;
+            }
+            data.args[1] = patcher.patch(cb, {
+              name: doValidateName,
+              patchType,
+              pre({ args: [err] }) {
+                if (err) return;
+                mixedInstrumentation(data, doValidateName);
+              },
+            });
+          },
+        });
+      }
+    );
+  };
+  return schemaMixed;
+};

package/lib/dataflow/propagation/install/mongoose/schema-string.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -17,32 +17,21 @@
 const { DataflowTag, substring } = require('@contrast/common');
 const { patchType } = require('../../common');
+const { userDefinedType } = require('./common');
-module.exports = function(core) {
+module.exports = function (core) {
   const {
+    config: {
+      assess: { trust_custom_validators },
+    },
     scopes: { sources },
     patcher,
     depHooks,
     assess: {
-      dataflow: {
-        tracker,
-        eventFactory: { createPropagationEvent }
-      }
-    }
-  } = core;
-  return core.assess.dataflow.propagation.mongooseInstrumentation.schemaString = {
-    install() {
-      depHooks.resolve(
-        { name: 'mongoose', file: 'lib/schema/string.js', version: '>=6.0.0' },
-        (SchemaString) => {
-          patchEnum(SchemaString);
-          patchDoValidate(SchemaString);
-          patchDoValidateSync(SchemaString);
-        }
-      );
+      eventFactory: { createPropagationEvent },
+      dataflow: { tracker },
     },
-  };
+  } = core;
   function patchEnum(SchemaString) {
     patcher.patch(SchemaString.prototype, 'enum', {
@@ -67,9 +56,9 @@ module.exports = function(core) {
             if (data.result) {
               tracker.untrack(data.args[0]);
             }
-          }
+          },
         });
-      }
+      },
     });
   }
@@ -81,16 +70,38 @@ module.exports = function(core) {
       patchType,
       pre(data) {
         const [value, cb] = data.args;
-        if (value && typeof cb === 'function' && sources.getStore()?.assess) {
-          data.args[1] = patcher.patch(cb, {
-            name,
-            patchType,
-            pre({ args: [err] }) {
-              if (!err) propagate(name, data.orig, value);
-            }
-          });
+        if (!value || typeof cb !== 'function' || !sources.getStore()?.assess) {
+          return;
         }
-      }
+        const hasCustomValidator = data.obj.validators.some(
+          (validator) => validator.type === userDefinedType
+        );
+        data.args[1] = patcher.patch(cb, {
+          name,
+          patchType,
+          pre(data) {
+            const {
+              args: [err],
+            } = data;
+            if (!err) {
+              propagate(
+                name,
+                data.orig,
+                value,
+                trust_custom_validators
+                  ? hasCustomValidator
+                  : false
+              );
+            }
+            if (err && err.kind === userDefinedType)
+              propagate(name, data.orig, value, false);
+          },
+        });
+      },
     });
   }
@@ -99,16 +110,34 @@ module.exports = function(core) {
     patcher.patch(SchemaString.prototype, 'doValidateSync', {
       name,
       patchType,
-      post({ orig, args: [value] }) {
-        if (value?.length) {
-          propagate(name, orig, value);
+      post(data) {
+        const {
+          args: [value],
+          result
+        } = data;
+        const hasCustomValidator = data.obj.validators.some(
+          (validator) => validator.type === userDefinedType
+        );
+        if (!result) {
+          propagate(
+            name,
+            data.orig,
+            value,
+            trust_custom_validators
+              ? hasCustomValidator
+              : false
+          );
         }
-      }
-    });
+        if (result && result.kind === userDefinedType)
+          propagate(name, data.orig, value, false);
+      },
+    });
   }
-  function propagate(name, orig, value) {
+  function propagate(name, orig, value, customValidated = false) {
     const strInfo = tracker.getData(value);
     if (!strInfo) return;
@@ -116,7 +145,10 @@ module.exports = function(core) {
     // copy because we mutate the metadata value inline
     const history = [{ ...strInfo }];
     const event = createPropagationEvent({
-      addedTags: [DataflowTag.STRING_TYPE_CHECKED],
+      addedTags: [
+        DataflowTag.STRING_TYPE_CHECKED,
+        customValidated ? DataflowTag.CUSTOM_VALIDATED : null,
+      ].filter(Boolean),
       name,
       moduleName: 'mongoose',
       methodName,
@@ -134,11 +166,14 @@ module.exports = function(core) {
       tags: {
         ...strInfo.tags,
         [DataflowTag.STRING_TYPE_CHECKED]: [0, value.length - 1],
+        ...(customValidated
+          ? { [DataflowTag.CUSTOM_VALIDATED]: [0, value.length - 1] }
+          : {}),
       },
       target: 'P0',
       stacktraceOpts: {
         prependFrames: [orig],
-      }
+      },
     });
     if (!event) {
@@ -153,4 +188,21 @@ module.exports = function(core) {
     Object.assign(strInfo, event);
   }
+  return core.assess.dataflow.propagation.mongooseInstrumentation.schemaString = {
+    install() {
+      depHooks.resolve(
+        {
+          name: 'mongoose',
+          file: 'lib/schema/string.js',
+          version: '>=6.0.0',
+        },
+        (SchemaString) => {
+          patchEnum(SchemaString);
+          patchDoValidate(SchemaString);
+          patchDoValidateSync(SchemaString);
+        }
+      );
+    },
+  };
 };

package/lib/dataflow/propagation/install/mysql-connection-escape.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -29,7 +29,8 @@ module.exports = function(core) {
     patcher,
     depHooks,
     assess: {
-      dataflow: { tracker, eventFactory: { createPropagationEvent } }
+      eventFactory: { createPropagationEvent },
+      dataflow: { tracker }
     }
   } = core;

package/lib/dataflow/propagation/install/parse-int.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/propagation/install/path/basename.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -27,10 +27,8 @@ module.exports = function(core) {
     patcher,
     scopes: { sources, instrumentation },
     assess: {
-      dataflow: {
-        tracker,
-        eventFactory: { createPropagationEvent },
-      },
+      eventFactory: { createPropagationEvent },
+      dataflow: { tracker },
     },
   } = core;

package/lib/dataflow/propagation/install/path/common.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/propagation/install/path/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/propagation/install/path/join-and-resolve.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -28,10 +28,8 @@ module.exports = function(core) {
     patcher,
     scopes: { sources, instrumentation },
     assess: {
-      dataflow: {
-        tracker,
-        eventFactory: { createPropagationEvent },
-      },
+      eventFactory: { createPropagationEvent },
+      dataflow: { tracker },
     },
   } = core;

package/lib/dataflow/propagation/install/path/normalize.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -27,10 +27,8 @@ module.exports = function(core) {
     patcher,
     scopes: { sources, instrumentation },
     assess: {
-      dataflow: {
-        tracker,
-        eventFactory: { createPropagationEvent },
-      },
+      eventFactory: { createPropagationEvent },
+      dataflow: { tracker },
     },
   } = core;

package/lib/dataflow/propagation/install/pug/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/propagation/install/pug-runtime-escape.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -29,7 +29,8 @@ module.exports = function(core) {
     patcher,
     depHooks,
     assess: {
-      dataflow: { tracker, eventFactory: { createPropagationEvent } }
+      eventFactory: { createPropagationEvent },
+      dataflow: { tracker }
     }
   } = core;

package/lib/dataflow/propagation/install/querystring/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/propagation/install/querystring/parse.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -31,7 +31,8 @@ module.exports = function(core) {
     patcher,
     depHooks,
     assess: {
-      dataflow: { tracker, eventFactory: { createPropagationEvent } }
+      eventFactory: { createPropagationEvent },
+      dataflow: { tracker }
     }
   } = core;

package/lib/dataflow/propagation/install/reg-exp-prototype-exec.js ADDED Viewed

@@ -0,0 +1,180 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { inspect } = require('@contrast/common');
+const { createSubsetTags } = require('../../tag-utils');
+const { patchType } = require('../common');
+module.exports = function(core) {
+  const {
+    scopes: { sources, instrumentation },
+    patcher,
+    assess: {
+      eventFactory: { createPropagationEvent },
+      dataflow: { tracker },
+    },
+  } = core;
+  function createPropagationEventForMatch({
+    strInfo,
+    startIdx,
+    match,
+    untrackedResult,
+    metadata,
+  }) {
+    const tags = createSubsetTags(strInfo.tags, startIdx, match.length);
+    const { name, obj, hooked, orig } = metadata;
+    return createPropagationEvent({
+      name,
+      moduleName: 'RegExp',
+      methodName: 'prototype.exec',
+      context: `'${obj}'.exec('${strInfo.value}')`,
+      history: [strInfo],
+      object: {
+        value: obj,
+        tracked: false,
+      },
+      args: [
+        {
+          value: strInfo.value,
+          tracked: true,
+        },
+      ],
+      tags,
+      result: {
+        value: inspect(untrackedResult),
+        tracked: false,
+      },
+      stacktraceOpts: {
+        constructorOpt: hooked,
+        prependFrames: [orig],
+      },
+      source: 'P',
+      target: 'R',
+    });
+  }
+  return (core.assess.dataflow.propagation.regExpExec = {
+    install() {
+      const name = 'RegExp.prototype.exec';
+      patcher.patch(RegExp.prototype, 'exec', {
+        name,
+        patchType,
+        post(data) {
+          const { args, obj, result, hooked, orig } = data;
+          if (
+            !obj ||
+            !args[0] ||
+            !result?.length ||
+            !sources.getStore()?.assess ||
+            instrumentation.isLocked()
+          )
+            return;
+          const strInfo = tracker.getData(args[0]);
+          if (!strInfo) return;
+          const untrackedResult = [...result];
+          untrackedResult.groups = result.groups && { ...result.groups };
+          untrackedResult.input = strInfo.value;
+          untrackedResult.index = result.index;
+          result.indices && (untrackedResult.indices = result.indices);
+          let searchIdx = result.index;
+          const metadata = { name, obj, hooked, orig };
+          for (let i = 0; i < result.length; i++) {
+            let match = result[i];
+            if (!match) continue;
+            if (match === args[0]) {
+              // There is a case where the match
+              // is the whole original string in which case the value here is
+              // externalized and we need to make sure to track
+              // the non-exterrnalized one
+              match = strInfo.value;
+            }
+            const startIdx = strInfo.value.indexOf(match, searchIdx);
+            const event = createPropagationEventForMatch({
+              strInfo,
+              startIdx,
+              match,
+              untrackedResult,
+              metadata
+            });
+            if (i > 0) {
+              // The first match is the full match of the regex so we cannot
+              // increment the search index.
+              // Every match after the first will occur in order of appearance
+              // in the original string so we should increment the search index
+              searchIdx = startIdx + match.length;
+            }
+            if (!event) continue;
+            const { extern } = tracker.track(match, event);
+            if (extern) {
+              result[i] = extern;
+            }
+          }
+          if (result.groups) {
+            Object.keys(result.groups).forEach((key) => {
+              let res = result.groups[key];
+              if (!res) return;
+              if (res === args[0]) {
+                // There is a case where the match
+                // is the whole original string in which case the value here is
+                // externalized and we need to make sure to track
+                // the non-exterrnalized one
+                res = strInfo.value;
+              }
+              const startIdx = strInfo.value.indexOf(res, result.index);
+              const event = createPropagationEventForMatch({
+                strInfo,
+                startIdx,
+                match: res,
+                untrackedResult,
+                metadata
+              });
+              if (event) {
+                const { extern } = tracker.track(res, event);
+                if (extern) {
+                  result.groups[key] = extern;
+                }
+              }
+            });
+          }
+        },
+      });
+    },
+    uninstall() {
+      RegExp.prototype.exec = patcher.unwrap(RegExp.prototype.exec);
+    },
+  });
+};