npm - @contrast/assess - Versions diffs - 1.11.0 → 1.13.0 - Mend

@contrast/assess 1.11.0 → 1.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (82) hide show

package/lib/dataflow/sinks/install/express/unvalidated-redirect.js CHANGED Viewed

@@ -39,10 +39,10 @@ module.exports = function(core) {
     config,
     scopes: { sources },
     assess: {
+      eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
-        sinks: { isVulnerable, reportFindings, reportSafePositive },
-        eventFactory: { createSinkEvent },
+        sinks: { isVulnerable, reportFindings, reportSafePositive }
       },
     },
   } = core;

package/lib/dataflow/sinks/install/fastify/unvalidated-redirect.js CHANGED Viewed

@@ -58,10 +58,10 @@ module.exports = function(core) {
     patcher,
     scopes: { sources },
     assess: {
+      eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
         sinks: { isVulnerable, reportFindings, reportSafePositive },
-        eventFactory: { createSinkEvent },
       },
     },
   } = core;

package/lib/dataflow/sinks/install/fs.js CHANGED Viewed

@@ -34,12 +34,12 @@ module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    scopes: { sources },
+    scopes: { instrumentation, sources },
     assess: {
+      eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
         sinks: { isVulnerable, reportFindings },
-        eventFactory: { createSinkEvent },
       },
     },
   } = core;
@@ -62,7 +62,7 @@ module.exports = function(core) {
   const pre = (name, method, moduleName = 'fs', fullMethodName = '') => (data) => {
     const { name: methodName, indices } = method;
     const store = sources.getStore()?.assess;
-    if (!store) return;
+    if (!store || instrumentation.isLocked()) return;
     const values = getValues(indices, data.args);
     if (!values.length) return;

package/lib/dataflow/sinks/install/function.js CHANGED Viewed

@@ -46,10 +46,10 @@ module.exports = function(core) {
     patcher,
     scopes: { sources, instrumentation },
     assess: {
+      eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
         sinks: { isVulnerable, reportFindings, reportSafePositive },
-        eventFactory: { createSinkEvent },
       },
     },
   } = core;

package/lib/dataflow/sinks/install/http/request.js CHANGED Viewed

@@ -38,13 +38,13 @@ module.exports = function(core) {
     patcher,
     scopes: { sources },
     assess: {
+      eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
         sinks: {
           isVulnerable,
           reportFindings
         },
-        eventFactory: { createSinkEvent },
       },
     },
   } = core;

package/lib/dataflow/sinks/install/http/server-response.js CHANGED Viewed

@@ -40,6 +40,7 @@ module.exports = function(core) {
     patcher,
     scopes: { sources },
     assess: {
+      eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
         sinks: {
@@ -48,7 +49,6 @@ module.exports = function(core) {
           reportSafePositive,
           isSafeContentType
         },
-        eventFactory: { createSinkEvent },
       },
     },
   } = core;

package/lib/dataflow/sinks/install/koa/unvalidated-redirect.js CHANGED Viewed

@@ -39,10 +39,10 @@ module.exports = function(core) {
     config,
     scopes: { sources },
     assess: {
+      eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
         sinks: { isVulnerable, reportFindings, reportSafePositive },
-        eventFactory: { createSinkEvent },
       },
     },
   } = core;

package/lib/dataflow/sinks/install/marsdb.js CHANGED Viewed

@@ -43,10 +43,10 @@ module.exports = function(core) {
     patcher,
     scopes: { sources, instrumentation },
     assess: {
+      eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
         sinks: { isVulnerable, reportFindings },
-        eventFactory: { createSinkEvent },
       },
     },
   } = core;

package/lib/dataflow/sinks/install/mongodb.js CHANGED Viewed

@@ -74,10 +74,10 @@ module.exports = function(core) {
     patcher,
     scopes: { sources, instrumentation },
     assess: {
+      eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
-        sinks: { isVulnerable, runInActiveSink, isLocked, reportFindings, reportSafePositive },
-        eventFactory: { createSinkEvent }
+        sinks: { isVulnerable, runInActiveSink, isLocked, reportFindings, reportSafePositive }
       }
     }
   } = core;

package/lib/dataflow/sinks/install/mssql.js CHANGED Viewed

@@ -39,10 +39,10 @@ module.exports = function(core) {
     config,
     scopes: { sources },
     assess: {
+      eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
         sinks: { isVulnerable, isLocked, reportFindings, reportSafePositive },
-        eventFactory: { createSinkEvent },
       },
     },
   } = core;

package/lib/dataflow/sinks/install/mysql.js CHANGED Viewed

@@ -46,10 +46,10 @@ module.exports = function(core) {
     patcher,
     scopes: { sources },
     assess: {
+      eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
-        sinks: { isVulnerable, isLocked, reportFindings },
-        eventFactory: { createSinkEvent },
+        sinks: { isVulnerable, isLocked, reportFindings }
       },
     },
   } = core;

package/lib/dataflow/sinks/install/postgres.js CHANGED Viewed

@@ -30,10 +30,10 @@ module.exports = function(core) {
     patcher,
     scopes: { sources },
     assess: {
+      eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
         sinks: { isVulnerable, isLocked, reportFindings, reportSafePositive },
-        eventFactory: { createSinkEvent },
       },
     },
   } = core;

package/lib/dataflow/sinks/install/sequelize.js CHANGED Viewed

@@ -35,10 +35,10 @@ module.exports = function(core) {
     config,
     scopes: { sources },
     assess: {
+      eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
         sinks: { isVulnerable, runInActiveSink, reportFindings, reportSafePositive },
-        eventFactory: { createSinkEvent },
       },
     },
   } = core;

package/lib/dataflow/sinks/install/sqlite3.js CHANGED Viewed

@@ -35,10 +35,10 @@ module.exports = function(core) {
     patcher,
     scopes: { sources },
     assess: {
+      eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
         sinks: { isVulnerable, isLocked, reportFindings },
-        eventFactory: { createSinkEvent },
       },
     },
   } = core;

package/lib/dataflow/sinks/install/vm.js CHANGED Viewed

@@ -48,6 +48,7 @@ module.exports = function(core) {
     patcher,
     scopes: { sources, instrumentation },
     assess: {
+      eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
         sinks: {
@@ -57,7 +58,6 @@ module.exports = function(core) {
           reportFindings,
           reportSafePositive,
         },
-        eventFactory: { createSinkEvent },
       },
     },
   } = core;

package/lib/dataflow/sources/handler.js CHANGED Viewed

@@ -25,10 +25,10 @@ const {
 module.exports = function(core) {
   const {
     assess: {
+      eventFactory,
       dataflow: {
         sources,
-        tracker,
-        eventFactory
+        tracker
       }
     },
     config,

package/lib/dataflow/sources/install/body-parser1.js CHANGED Viewed

@@ -31,7 +31,7 @@ module.exports = function init(core) {
   const createPreHook = (name) => (data) => {
     const [req, , next] = data.args;
-    data.args[2] = function contrastNext(...args) {
+    data.args[2] = scopes.wrap(function contrastNext(...args) {
       const sourceContext = scopes.sources.getStore()?.assess;
       if (!sourceContext) {
@@ -86,7 +86,7 @@ module.exports = function init(core) {
       }
       return next(...args);
-    };
+    });
   };
   assess.dataflow.sources.bodyParser1Instrumentation = {

package/lib/dataflow/sources/install/fastify/fastify.js CHANGED Viewed

@@ -18,7 +18,7 @@
 const { InputType } = require('@contrast/common');
 const { patchType } = require('../../common');
-module.exports = function(core) {
+module.exports = function (core) {
   const {
     logger,
     depHooks,

package/lib/dataflow/sources/install/http.js CHANGED Viewed

@@ -73,17 +73,18 @@ module.exports = function(core) {
         }
       });
-      patcher.patch(res, 'setHeader', {
-        alwaysRun: true,
-        name: 'set-header',
-        patchType,
-        pre(data) {
-          const [name = '', value] = data.args;
-          if (toLowerCase(name) === 'content-type' && value) {
-            scopes.sources.getStore().assess.responseData.contentType = value;
+      if (!patcher.hooks.get(res?.setHeader)?.funcKeys.has(`${patchType}:set-header`)) {
+        patcher.patch(res, 'setHeader', {
+          name: 'set-header',
+          patchType,
+          pre(data) {
+            const [name = '', value] = data.args;
+            if (toLowerCase(name) === 'content-type' && scopes.sources.getStore()?.assess && value) {
+              store.assess.responseData.contentType = value;
+            }
           }
-        }
-      });
+        });
+      }
       let uriPath, queries;
       const ix = req.url.indexOf('?');

package/lib/dataflow/tracker.js CHANGED Viewed

@@ -21,11 +21,7 @@ const { isString } = require('@contrast/common');
 module.exports = function tracker(core) {
   const {
     assess: {
-      dataflow: {
-        eventFactory: {
-          createdEvents
-        }
-      }
+      eventFactory: { createdEvents },
     },
     logger
   } = core;

package/lib/{dataflow/event-factory.js → event-factory.js} RENAMED Viewed

@@ -26,7 +26,7 @@ module.exports = function(core) {
     scopes: { sources },
   } = core;
-  const eventFactory = core.assess.dataflow.eventFactory = {};
+  const eventFactory = core.assess.eventFactory = {};
   eventFactory.createdEvents = new WeakSet();
@@ -214,5 +214,61 @@ module.exports = function(core) {
     return event;
   };
+  eventFactory.createSessionEvent = function(data) {
+    const {
+      context,
+      name = '',
+      moduleName,
+      methodName,
+      object = { value: null, tracked: false },
+      args = [],
+      result = { value: null, tracked: false },
+      source,
+      stacktraceOpts,
+      framework,
+      options
+    } = data;
+    if (!name) {
+      logger.debug({ data }, 'no sink event name');
+      return null;
+    }
+    if (
+      (!source || !source.match(annotationRegExp))
+    ) {
+      logger.debug({ data }, 'malformed or missing sink event source field');
+      return null;
+    }
+    let stack;
+    if (config.assess.stacktraces !== 'NONE') {
+      stack = createSnapshot(stacktraceOpts)();
+    } else {
+      stack = [];
+    }
+    const event = {
+      args,
+      context,
+      history: [],
+      name,
+      moduleName,
+      methodName,
+      object,
+      result,
+      source,
+      stack,
+      tags: {},
+      time: Date.now(),
+      framework,
+      options,
+    };
+    eventFactory.createdEvents.add(event);
+    return event;
+  };
   return eventFactory;
 };

package/lib/index.js CHANGED Viewed

@@ -19,6 +19,7 @@ const { callChildComponentMethodsSync } = require('@contrast/common');
 const sessionConfiguration = require('./session-configuration');
 const dataflow = require('./dataflow');
 const responseScanning = require('./response-scanning');
+const eventFactory = require('./event-factory');
 module.exports = function assess(core) {
   if (!core.config.assess.enable) return;
@@ -27,9 +28,10 @@ module.exports = function assess(core) {
   // Does this order matter? Probably not
   // 1. dataflow
-  sessionConfiguration(core);
+  eventFactory(core);
   dataflow(core);
   responseScanning(core);
+  sessionConfiguration(core);
   // crypto
   // static (in coordination with rewriter)

package/lib/response-scanning/install/http.js CHANGED Viewed

@@ -38,8 +38,9 @@ module.exports = function(core) {
   } = core;
   const http = core.assess.responseScanning.httpInstrumentation = {};
-  function parseHeaders(rawHeaders = '') {
-    const headersArray = split(rawHeaders, '\r\n').filter(Boolean);
+  function parseHeaders(rawHeaders) {
+    const headersToParse = rawHeaders || '';
+    const headersArray = split(headersToParse, '\r\n').filter(Boolean);
     return headersArray.reduce((acc, header) => {
       const idx = header.indexOf(':');

package/lib/session-configuration/common.js ADDED Viewed

@@ -0,0 +1,19 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+module.exports = {
+  patchType: 'session-configuration'
+};

package/lib/session-configuration/handlers.js ADDED Viewed

@@ -0,0 +1,86 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const {
+  Event,
+  SessionConfigurationRule: { HTTPONLY, SECURE_FLAG_MISSING },
+} = require('@contrast/common');
+module.exports = function (core) {
+  const {
+    assess: { sessionConfiguration },
+    messages,
+  } = core;
+  const checkCookieValue = (ruleId, sinkEvent, cookieValue, sourceContext) => {
+    if (cookieValue.includes(ruleId === HTTPONLY ? 'httponly' : 'secure')) {
+      return;
+    }
+    sessionConfiguration.reportFindings(sourceContext, {
+      ruleId,
+      sinkEvent,
+      props: {
+        evidence: cookieValue,
+      },
+    });
+  };
+  const handleCookie = (
+    sourceContext,
+    cookieValue,
+    ruleId,
+    sessionEvent
+  ) => {
+    if (Array.isArray(cookieValue)) {
+      return cookieValue.forEach((value) =>
+        checkCookieValue(ruleId, sessionEvent, value, sourceContext)
+      );
+    }
+    checkCookieValue(ruleId, sessionEvent, cookieValue, sourceContext);
+  };
+  sessionConfiguration.handleHttpOnly = function (
+    sourceContext,
+    cookieValue,
+    sessionEvent
+  ) {
+    handleCookie(sourceContext, cookieValue, HTTPONLY, sessionEvent);
+  };
+  sessionConfiguration.handleSecure = function (
+    sourceContext,
+    cookieValue,
+    sessionEvent
+  ) {
+    handleCookie(sourceContext, cookieValue, SECURE_FLAG_MISSING, sessionEvent);
+  };
+  // _sourceContext is unused
+  sessionConfiguration.reportFindings = function (
+    _sourceContext,
+    vulnerabilityMetadata
+  ) {
+    messages.emit(
+      Event.ASSESS_SESSION_CONFIGURATION_FINDING,
+      vulnerabilityMetadata
+    );
+  };
+  return sessionConfiguration;
+};

package/lib/session-configuration/index.js CHANGED Viewed

@@ -15,16 +15,13 @@
 'use strict';
-const { callChildComponentMethodsSync, Event } = require('@contrast/common');
+const { callChildComponentMethodsSync } = require('@contrast/common');
 module.exports = function(core) {
-  const { messages } = core;
-  const sessionConfiguration = core.assess.sessionConfiguration = {
-    reportFindings(_sourceContext, vulnerabilityMetadata) {
-      messages.emit(Event.ASSESS_SESSION_CONFIGURATION_FINDING, vulnerabilityMetadata);
-    },
-  };
-  require('./install/http')(core);
+  const sessionConfiguration = core.assess.sessionConfiguration = {};
+  require('./handlers')(core);
+  require('./install/express-session')(core);
   sessionConfiguration.install = function() {
     callChildComponentMethodsSync(sessionConfiguration, 'install');

package/lib/session-configuration/install/express-session.js ADDED Viewed

@@ -0,0 +1,131 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const util = require('util');
+const { toLowerCase } = require('@contrast/common');
+const { patchType } = require('../common');
+module.exports = function (core) {
+  const {
+    assess: {
+      eventFactory: { createSessionEvent },
+      sessionConfiguration: {
+        handleHttpOnly,
+        handleSecure,
+      },
+    },
+    depHooks,
+    patcher,
+    scopes: { sources },
+  } = core;
+  const expressSession = core.assess.sessionConfiguration.expressSession = {};
+  const inspect = patcher.unwrap(util.inspect);
+  expressSession.install = function () {
+    return depHooks.resolve({ name: 'express-session' }, (session) => {
+      // Return the hooked function as the export.
+      const hooked = patcher.patch(session, {
+        name: 'express.hookedSessionConstructor',
+        patchType,
+        post(data) {
+          const options = data.args[0];
+          // obfuscate the cookie secret
+          if (Array.isArray(data.args) && data.args[0] && data.args[0].secret) {
+            data.args[0].secret = '[HIDDEN]';
+          }
+          const { cookie } = options || {};
+          const hasOwnPropertyHttpOnly = cookie && Object.prototype.hasOwnProperty.call(
+            cookie,
+            'httpOnly'
+          );
+          // httpOnly is true by default if it's not provided
+          const checkForHTTPOnly =
+            cookie && hasOwnPropertyHttpOnly
+              ? !(cookie.httpOnly === true)
+              : false;
+          // secure is false by default
+          const checkForSecure = cookie ? !(cookie.secure === true) : true;
+          // skip instrumentation since the options are set correctly
+          if (!checkForHTTPOnly && !checkForSecure) return;
+          const sessionEvent = createSessionEvent({
+            args: [{
+              tracked: false,
+              value: inspect(options),
+            }],
+            context: `expressSession(${inspect(data.args)})`,
+            history: [],
+            name: 'express.hookedSessionConstructor',
+            moduleName: 'express-session',
+            methodName: '',
+            object: {
+              tracked: false,
+              value: 'Express.Response',
+            },
+            result: {
+              tracked: false,
+              value: undefined,
+            },
+            source: 'P0',
+            stacktraceOpts: {
+              constructorOpt: data.hooked,
+            },
+            framework: 'express',
+            options,
+          });
+          patcher.patch(data, 'result', {
+            name: 'express-session.middleware',
+            patchType,
+            pre(data) {
+              const [, res] = data.args;
+              const sourceContext = sources.getStore()?.assess;
+              if (!sourceContext) return;
+              patcher.patch(res, 'setHeader', {
+                name: 'http.setHeader',
+                patchType,
+                pre({ args: [key, value] }) {
+                  if (toLowerCase(key) !== 'set-cookie') return;
+                  if (checkForHTTPOnly) {
+                    handleHttpOnly(sourceContext, value, sessionEvent);
+                  }
+                  if (checkForSecure) {
+                    handleSecure(sourceContext, value, sessionEvent);
+                  }
+                }
+              });
+            },
+          });
+        }
+      });
+      return hooked;
+    });
+  };
+  return expressSession;
+};