@contrast/assess 1.12.0 → 1.14.0

package/LICENSE

@@ -0,0 +1,12 @@
+Copyright: 2023 Contrast Security, Inc
+Contact: support@contrastsecurity.com
+License: Commercial
+
+NOTICE: This Software and the patented inventions embodied within may only be
+used as part of Contrast Security’s commercial offerings. Even though it is
+made available through public repositories, use of this Software is subject to
+the applicable End User Licensing Agreement found at
+https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+between Contrast Security and the End User. The Software may not be reverse
+engineered, modified, repackaged, sold, redistributed or otherwise used in a
+way not consistent with the End User License Agreement.

package/lib/dataflow/propagation/index.js

@@ -45,6 +45,8 @@ module.exports = function(core) {
   require('./install/JSON')(core);
   require('./install/path')(core);
   require('./install/reg-exp-prototype-exec')(core);
+  require('./install/joi')(core);
+  require('./install/send')(core);
 
   propagation.install = function() {
     callChildComponentMethodsSync(propagation, 'install');

package/lib/dataflow/propagation/install/buffer.js

@@ -63,11 +63,12 @@ module.exports = function(core) {
             target: 'R',
           });
 
-          if (event) {
-            const { extern } = tracker.track(result, event);
-            if (extern) {
-              data.result = extern;
-            }
+          if (!event) return;
+
+          const { extern } = tracker.track(result, event);
+
+          if (extern) {
+            data.result = extern;
           }
         }
       });

package/lib/dataflow/propagation/install/contrast-methods/add.js

@@ -98,6 +98,9 @@ module.exports = function(core) {
               tags: newTags,
               target: 'R',
             });
+
+            if (!event) return;
+
             const { extern } = tracker.track(result, event);
 
             if (extern) {

package/lib/dataflow/propagation/install/joi/any.js

@@ -0,0 +1,46 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+module.exports = function(core) {
+  const {
+    depHooks,
+    assess: {
+      dataflow: {
+        propagation: { joiInstrumentation },
+      },
+    },
+  } = core;
+
+  joiInstrumentation.any = {
+    install() {
+      depHooks.resolve(
+        { name: 'joi', file: 'lib/types/any', version: '>=17.0.0' },
+        (exp) => {
+          const anyTypePrototype = Object.getPrototypeOf(exp);
+          const def = anyTypePrototype?._definition;
+
+          anyTypePrototype &&
+            joiInstrumentation.patchValidateAsync(
+              anyTypePrototype,
+              'any.external'
+            );
+          def && joiInstrumentation.patchCustomValidate(def, 'any');
+        }
+      );
+    },
+  };
+};

package/lib/dataflow/propagation/install/joi/boolean.js

@@ -0,0 +1,109 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const {
+  DataflowTag: { ALPHANUM_SPACE_HYPHEN },
+  inspect,
+} = require('@contrast/common');
+const { patchType } = require('../../common');
+
+module.exports = function(core) {
+  const {
+    depHooks,
+    scopes: { sources, instrumentation },
+    patcher,
+    assess: {
+      eventFactory: { createPropagationEvent },
+      dataflow: { tracker },
+    },
+  } = core;
+
+  /**
+   * Patch Joi's boolean coerce function so it tags the input w/
+   * alphanum-space-hyphen if the coercion was successful. Tag is added when
+   * conditions are met.
+   * @param {Object} the boolean export
+   */
+  function instrumentJoiBoolean(boolean) {
+    const def = Object.getPrototypeOf(boolean)?._definition;
+    def &&
+      patcher.patch(def.coerce, 'method', {
+        name: 'joi.boolean.coerce',
+        patchType,
+        post(data) {
+          if (
+            !data.result?.value ||
+            typeof data.result.value !== 'boolean' ||
+            !sources.getStore()?.assess ||
+            instrumentation.isLocked()
+          )
+            return;
+
+          const argInfo = tracker.getData(data.args[0]);
+
+          if (!argInfo) return;
+
+          const event = createPropagationEvent({
+            name: 'Joi.boolean.coerce',
+            moduleName: 'joi',
+            methodName: 'boolean.coerce',
+            history: [{ ...argInfo }],
+            object: {
+              tracked: false,
+              value: 'Joi.boolean',
+            },
+            args: [
+              { tracked: true, value: argInfo.value },
+              {
+                tracked: false,
+                value: {
+                  ...inspect(data.args[1]),
+                  original: argInfo.value,
+                },
+              },
+            ],
+            result: {
+              tracked: false,
+              value: data.result,
+            },
+            source: 'P0',
+            tags: {
+              ...argInfo.tags,
+              [ALPHANUM_SPACE_HYPHEN]: [0, argInfo.value.length - 1],
+            },
+            target: 'P0',
+            stacktraceOpts: {
+              prependFrames: [data.orig],
+            },
+          });
+
+          if (event) {
+            Object.assign(argInfo, event);
+          }
+        },
+      });
+  }
+
+  return (core.assess.dataflow.propagation.joiInstrumentation.booleanCoerce = {
+    install() {
+      depHooks.resolve(
+        { name: 'joi', file: 'lib/types/boolean.js', version: '>=17.0.0' },
+        instrumentJoiBoolean
+      );
+    },
+  });
+};

package/lib/dataflow/propagation/install/joi/expression.js

@@ -0,0 +1,99 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const {
+  DataflowTag: { HTML_ENCODED },
+  inspect,
+} = require('@contrast/common');
+const { patchType } = require('../../common');
+
+module.exports = function(core) {
+  const {
+    depHooks,
+    scopes: { sources, instrumentation },
+    patcher,
+    assess: {
+      eventFactory: { createPropagationEvent },
+      dataflow: { tracker },
+    },
+  } = core;
+
+  /**
+   * Patch joi.expression so that it tags input with html-encoded if rendered
+   * @param {Object} expression
+   */
+  function instrumentJoiExpression(joi, method) {
+    return patcher.patch(joi, method, {
+      name: `joi.${method}`,
+      patchType,
+      post(data) {
+        if (
+          !data.result ||
+          !sources.getStore()?.assess ||
+          instrumentation.isLocked()
+        )
+          return;
+
+        const argInfo = tracker.getData(data.args[0]);
+
+        if (argInfo && data.result._template) {
+          const event = createPropagationEvent({
+            addedTags: [HTML_ENCODED],
+            name: `Joi.${method}`,
+            moduleName: 'joi',
+            methodName: method,
+            history: [{ ...argInfo }],
+            object: {
+              tracked: false,
+              value: `Joi.${method}`,
+            },
+            args: [{ tracked: true, value: argInfo.value }],
+            result: {
+              tracked: false,
+              value: inspect({ ...data.result, source: argInfo.value }),
+            },
+            source: 'P0',
+            tags: {
+              ...argInfo.tags,
+              [HTML_ENCODED]: [0, argInfo.value.length - 1],
+            },
+            target: 'P0',
+            stacktraceOpts: {
+              prependFrames: [data.orig],
+            },
+          });
+
+          if (event) {
+            Object.assign(argInfo, event);
+          }
+        }
+      },
+    });
+  }
+
+  core.assess.dataflow.propagation.joiInstrumentation.expression = {
+    install() {
+      depHooks.resolve(
+        { name: 'joi', file: 'lib/index.js', version: '>=17.0.0' },
+        (joi) => {
+          instrumentJoiExpression(joi, 'expression');
+          instrumentJoiExpression(joi, 'x');
+        }
+      );
+    },
+  };
+};

package/lib/dataflow/propagation/install/joi/index.js

@@ -0,0 +1,172 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const {
+  callChildComponentMethodsSync,
+  isString,
+  isNonEmptyObject,
+  traverseValues,
+  inspect,
+} = require('@contrast/common');
+const { patchType } = require('../../common');
+const { tagCustomValidatedString, handleReferences } = require('./utils');
+
+module.exports = function(core) {
+  const {
+    patcher,
+    scopes: { sources, instrumentation },
+    assess: {
+      eventFactory: { createPropagationEvent },
+      dataflow: { tracker },
+    },
+  } = core;
+
+  const joiInstrumentation =
+    (core.assess.dataflow.propagation.joiInstrumentation = {
+      install() {
+        callChildComponentMethodsSync(joiInstrumentation, 'install');
+      },
+      uninstall() {
+        callChildComponentMethodsSync(joiInstrumentation, 'uninstall');
+      },
+      patchValidateAsync(parentObj, parentObjType) {
+        patcher.patch(parentObj, 'validateAsync', {
+          name: `Joi.${parentObjType}.validateAsync`,
+          patchType,
+          post(data) {
+            const childNodes = data.obj?.$_terms.items?.length
+              ? data.obj.$_terms.items
+              : data.obj?.$_terms.keys?.length
+                ? data.obj.$_terms.keys
+                : null;
+
+            if (
+              (!childNodes && !data.obj?.$_terms?.externals?.length) ||
+              (childNodes &&
+                !childNodes.find((i) => {
+                  const schema = i?.schema || i;
+                  return schema.$_terms?.externals?.length;
+                })) ||
+              !core.config.assess.trust_custom_validators ||
+              !sources.getStore()?.assess ||
+              instrumentation.isLocked()
+            )
+              return;
+
+            data.result.then((result) => {
+              const metadata = {
+                origFn: data.orig,
+                methodName: parentObjType,
+                target: 'R',
+              };
+
+              if (isString(result)) {
+                tagCustomValidatedString(
+                  createPropagationEvent,
+                  tracker.getData(result),
+                  metadata
+                );
+              } else if (isNonEmptyObject(result)) {
+                traverseValues(result, (_path, _key, value) => {
+                  tagCustomValidatedString(
+                    createPropagationEvent,
+                    tracker.getData(value),
+                    metadata
+                  );
+                });
+              }
+            })
+              .catch(err => err);
+          },
+        });
+      },
+      patchCustomValidate(parentObj, objName) {
+        patcher.patch(parentObj.rules.custom, 'validate', {
+          name: `joi.${objName}.custom.valdiate`,
+          patchType,
+          post(data) {
+            const {
+              args: [input, schema],
+              result,
+              orig,
+            } = data;
+
+            if (
+              !result ||
+              !input ||
+              (result.value === input &&
+                (result.messages?.source || result.local?.error)) ||
+              !core.config.assess.trust_custom_validators ||
+              !sources.getStore()?.assess ||
+              instrumentation.isLocked()
+            )
+              return;
+
+            const inspectedSecondArg = inspect(schema);
+            const metadata = {
+              origFn: orig,
+              inspectedSecondArg,
+              methodName: `${objName}.custom.validate`,
+              target: 'R',
+            };
+            const validation = (trackingInfo) => {
+              tagCustomValidatedString(
+                createPropagationEvent,
+                trackingInfo,
+                metadata
+              );
+            };
+
+            handleReferences(tracker, schema, validation);
+
+            if (isString(result)) {
+              validation(tracker.getData(result));
+              input === result &&
+                tagCustomValidatedString(
+                  createPropagationEvent,
+                  tracker.getData(input),
+                  { ...metadata, target: 'P0' }
+                );
+            } else if (isNonEmptyObject(result)) {
+              traverseValues(result, (path, _key, value) => {
+                const argValue = path.reduce((obj, k) => obj[k] || obj, input);
+
+                validation(tracker.getData(result));
+                argValue === value &&
+                  tagCustomValidatedString(
+                    createPropagationEvent,
+                    tracker.getData(argValue),
+                    { ...metadata, target: 'P0' }
+                  );
+              });
+            }
+          },
+        });
+      },
+    });
+
+  require('./any')(core);
+  require('./expression')(core);
+  require('./keys')(core);
+  require('./object')(core);
+  require('./string-schema')(core);
+  require('./number')(core);
+  require('./boolean')(core);
+  require('./values')(core);
+
+  return joiInstrumentation;
+};

package/lib/dataflow/propagation/install/joi/keys.js

@@ -0,0 +1,140 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const {
+  isNonEmptyObject, join,
+} = require('@contrast/common');
+const { patchType } = require('../../common');
+
+module.exports = function(core) {
+  const {
+    depHooks,
+    patcher,
+  } = core;
+
+  function addMetadata(schema, refTargetPath, refPath, isInReference) {
+    if (!schema.__CONTRAST__) {
+      Object.defineProperty(schema, '__CONTRAST__', {
+        enumerable: false,
+        configurable: true,
+        value: {
+          inReferenceTargets: new Set(),
+          refTargets: {}
+        },
+        writable: true,
+      });
+    }
+
+    let path = join(refTargetPath, '.');
+
+    if (isInReference) {
+      path = join(refTargetPath.slice(0, -1), '.');
+      schema.__CONTRAST__.inReferenceTargets.add(path);
+      refPath = refPath.slice(0, -1);
+    }
+
+    const refs = schema.__CONTRAST__.refTargets[path] || [];
+    refs.push(join(refPath, '.'));
+    schema.__CONTRAST__.refTargets[path] = refs;
+  }
+
+  function traverseChildSchemas(schema, refTargetPath, currentPath, refOpts) {
+    const traversable = schema.type === 'object' ? schema._ids._byKey.entries() : Object.entries(schema.$_terms.items);
+
+    for (const [childKey, item] of traversable) {
+      const value = schema.type === 'object' ? item.schema : item;
+      const newRefTargetPath = [...refTargetPath, childKey];
+      const newCurrentPath = [...currentPath, childKey];
+
+      if (value.type === 'string') {
+        addMetadata(value, newRefTargetPath, newCurrentPath, refOpts.in);
+      } else if (value.type === 'object') {
+        traverseChildSchemas(value, newRefTargetPath, newCurrentPath, refOpts);
+      }
+    }
+  }
+
+  function traverseSchemas(
+    joi,
+    currentSchema,
+    obj,
+    ancestorRef = [],
+    currentPath = [],
+  ) {
+    ancestorRef.unshift(obj);
+    if (joi.isSchema(currentSchema) || joi.isExpression(currentSchema)) return;
+    if (currentSchema && joi.isRef(currentSchema) && !currentSchema.__CONTRAST__?.isVisited) {
+      const targetSchemaRef = currentSchema.path.reduce((acc, value) => {
+        let ret = acc?.[value] || acc;
+
+        if (joi.isSchema(acc)) {
+          ret = acc?.$_terms?.keys.find(i => i.key === value);
+        }
+
+        return ret;
+      }, ancestorRef[currentSchema.ancestor - 1]);
+
+      const refTargetPath = currentSchema.absolute({ path: currentPath });
+      const targetSchemaInstace =
+        typeof targetSchemaRef?.schema === 'object'
+          ? targetSchemaRef.schema
+          : targetSchemaRef;
+
+      if (!targetSchemaInstace) return;
+
+      if (['object', 'array'].includes(targetSchemaInstace.type)) {
+        traverseChildSchemas(targetSchemaInstace, refTargetPath, currentPath, currentSchema);
+      } else {
+        addMetadata(targetSchemaInstace, refTargetPath, currentPath);
+      }
+      Object.defineProperty(currentSchema, '__CONTRAST__', {
+        enumerable: false,
+        configurable: true,
+        value: {
+          isVisited: true,
+        },
+        writable: true
+      });
+    } else {
+      if (isNonEmptyObject(currentSchema)) {
+        for (const [objKey, objValue] of Object.entries(currentSchema)) {
+          traverseSchemas(joi, objValue, currentSchema, ancestorRef, [...currentPath, objKey]);
+        }
+      }
+    }
+  }
+
+  return (core.assess.dataflow.propagation.joiInstrumentation.keys = {
+    install() {
+      depHooks.resolve(
+        { name: 'joi', file: 'lib/types/keys.js', version: '>=17.0.0' },
+        (joi) => {
+          patcher.patch(Object.getPrototypeOf(joi), 'keys', {
+            name: 'joi.keys',
+            patchType,
+            pre(data) {
+              const [value] = data.args;
+              const joi = data.obj.$_root;
+
+              traverseSchemas(joi, value, value);
+            },
+          });
+        }
+      );
+    },
+  });
+};