@contrast/assess 1.12.0 → 1.14.0

package/lib/dataflow/propagation/install/joi/number.js

@@ -0,0 +1,107 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const {
+  DataflowTag: { LIMITED_CHARS },
+  inspect,
+} = require('@contrast/common');
+const { patchType } = require('../../common');
+
+module.exports = function(core) {
+  const {
+    depHooks,
+    scopes: { sources, instrumentation },
+    patcher,
+    assess: {
+      eventFactory: { createPropagationEvent },
+      dataflow: { tracker },
+    },
+  } = core;
+
+  /**
+   * patch Joi's number coerce function so it tags the input w/ limited-chars if the coercion was successful
+   * @param {Object} the number export
+   */
+  function instrumentJoiNumber(number) {
+    const def = Object.getPrototypeOf(number)?._definition;
+    def &&
+      patcher.patch(def.coerce, 'method', {
+        name: 'joi.number.coerce',
+        patchType,
+        post(data) {
+          if (
+            !data.result?.value ||
+            data.result.errors ||
+            !sources.getStore()?.assess ||
+            instrumentation.isLocked()
+          )
+            return;
+
+          const argInfo = tracker.getData(data.args[0]);
+
+          if (!argInfo) return;
+
+          const event = createPropagationEvent({
+            name: 'Joi.number.coerce',
+            moduleName: 'joi',
+            methodName: 'number.coerce',
+            history: [{ ...argInfo }],
+            object: {
+              tracked: false,
+              value: 'Joi.number',
+            },
+            args: [
+              { tracked: true, value: argInfo.value },
+              {
+                tracked: false,
+                value: {
+                  ...inspect(data.args[1]),
+                  original: argInfo.value,
+                },
+              },
+            ],
+            result: {
+              tracked: false,
+              value: data.result,
+            },
+            source: 'P0',
+            tags: {
+              ...argInfo.tags,
+              [LIMITED_CHARS]: [0, argInfo.value.length - 1],
+            },
+            target: 'P0',
+            stacktraceOpts: {
+              prependFrames: [data.orig],
+            },
+          });
+
+          if (event) {
+            Object.assign(argInfo, event);
+          }
+        },
+      });
+  }
+
+  return (core.assess.dataflow.propagation.joiInstrumentation.numberCoerce = {
+    install() {
+      depHooks.resolve(
+        { name: 'joi', file: 'lib/types/number.js', version: '>=17.0.0' },
+        instrumentJoiNumber
+      );
+    },
+  });
+};

package/lib/dataflow/propagation/install/joi/object.js

@@ -0,0 +1,46 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+module.exports = function(core) {
+  const {
+    depHooks,
+    assess: {
+      dataflow: {
+        propagation: { joiInstrumentation },
+      },
+    },
+  } = core;
+
+  joiInstrumentation.object = {
+    install() {
+      depHooks.resolve(
+        { name: 'joi', file: 'lib/types/object', version: '>=17.0.0' },
+        (exp) => {
+          const objectTypePrototype = Object.getPrototypeOf(exp);
+          const def = objectTypePrototype?._definition;
+
+          objectTypePrototype &&
+            joiInstrumentation.patchValidateAsync(
+              objectTypePrototype,
+              'object.external'
+            );
+          def && joiInstrumentation.patchCustomValidate(def, 'object');
+        }
+      );
+    },
+  };
+};

package/lib/dataflow/propagation/install/joi/string-schema.js

@@ -0,0 +1,233 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const {
+  DataflowTag: { ALPHANUM_SPACE_HYPHEN, LIMITED_CHARS, STRING_TYPE_CHECKED },
+  inspect,
+} = require('@contrast/common');
+const { handleReferences } = require('./utils');
+const { createFullLengthCopyTags } = require('../../../tag-utils');
+const { patchType } = require('../../common');
+const VALIDATORS = {
+  base64: ALPHANUM_SPACE_HYPHEN,
+  guid: ALPHANUM_SPACE_HYPHEN,
+  alphanum: ALPHANUM_SPACE_HYPHEN,
+  hex: ALPHANUM_SPACE_HYPHEN,
+  isoDate: ALPHANUM_SPACE_HYPHEN,
+  isoDuration: ALPHANUM_SPACE_HYPHEN,
+  token: ALPHANUM_SPACE_HYPHEN,
+  creditCard: LIMITED_CHARS,
+  ip: LIMITED_CHARS,
+  hostname: ALPHANUM_SPACE_HYPHEN,
+  domain: ALPHANUM_SPACE_HYPHEN,
+};
+
+module.exports = function(core) {
+  const {
+    depHooks,
+    scopes: { sources, instrumentation },
+    patcher,
+    assess: {
+      eventFactory: { createPropagationEvent },
+      dataflow: {
+        tracker, propagation: {
+          joiInstrumentation
+        }
+      },
+
+    },
+  } = core;
+
+  function definePropagation(methodName, tagName, inspectedSchema, origFn) {
+    function propagationFn(strInfo) {
+      const event = createPropagationEvent({
+        addedTags: [tagName],
+        name: `Joi.string.${methodName}`,
+        moduleName: 'joi',
+        methodName: `string.${methodName}`,
+        history: [{ ...strInfo }],
+        object: {
+          tracked: false,
+          value: 'Joi.string',
+        },
+        args: [
+          { tracked: true, value: strInfo.value },
+          { tracked: false, value: inspectedSchema },
+        ],
+        result: {
+          tracked: false,
+          value: undefined,
+        },
+        source: 'P0',
+        tags: {
+          ...strInfo.tags,
+          [tagName]: [0, strInfo.value.length - 1],
+        },
+        target: 'P0',
+        stacktraceOpts: {
+          prependFrames: [origFn],
+        },
+      });
+
+      if (event) {
+        Object.assign(strInfo, event);
+      }
+    }
+
+    Object.defineProperty(propagationFn, 'name', {
+      value: tagName,
+      writable: false,
+    });
+
+    return propagationFn;
+  }
+
+  function patchValidator(
+    validatorObj,
+    patchName,
+    validatorName,
+    tagName,
+  ) {
+    patcher.patch(validatorObj, 'validate', {
+      name: patchName,
+      patchType,
+      post(data) {
+        const [input, schema] = data.args;
+
+        if (
+          !input ||
+          (validatorName !== 'validate' && typeof data.result !== 'string') ||
+          (validatorName === 'validate' && data.result) ||
+          !sources.getStore()?.assess ||
+          instrumentation.isLocked()
+        )
+          return;
+
+        const inspectedSchema = inspect(schema);
+        const validation = definePropagation(
+          validatorName,
+          tagName,
+          inspectedSchema,
+          data.orig
+        );
+        const strInfo = tracker.getData(input);
+
+        handleReferences(tracker, schema, validation);
+
+        if (strInfo) {
+          validation(strInfo);
+        }
+      },
+    });
+  }
+
+  function reTrackCoercedValue(coerce) {
+    patcher.patch(coerce, 'method', {
+      name: 'joi.string._definition.coerce',
+      patchType,
+      post(data) {
+        const { args, result } = data;
+
+        if (
+          !args[0] ||
+          // currently, we are losing track of coerced isoDate only
+          !args[1].schema.$_getRule('isoDate') ||
+          !sources.getStore()?.assess ||
+          instrumentation.isLocked()
+        )
+          return;
+
+        const argInfo = tracker.getData(args[0]);
+
+        if (!argInfo) {
+          return;
+        }
+
+        const event = createPropagationEvent({
+          name: 'Joi.string.isoDate.coerce',
+          moduleName: 'joi',
+          methodName: 'string.isDate.coerce',
+          history: [argInfo],
+          object: {
+            tracked: false,
+            value: 'Joi.string',
+          },
+          args: [
+            { tracked: true, value: argInfo.value },
+            { tracked: false, value: inspect(args[1]) },
+          ],
+          result: {
+            tracked: false,
+            value: result,
+          },
+          source: 'P0',
+          tags: createFullLengthCopyTags(argInfo.tags, result.value.length),
+          target: 'R',
+          stacktraceOpts: {
+            prependFrames: [data.orig],
+          },
+        });
+
+        if (!event) return;
+
+        const { extern } = tracker.track(result.value, event);
+
+        if (extern) {
+          data.result.value = extern;
+        }
+      },
+    });
+  }
+
+  return (joiInstrumentation.stringSchema = {
+    install() {
+      depHooks.resolve(
+        { name: 'joi', file: 'lib/types/string.js', version: '>=17.0.0' },
+        (stringType) => {
+          const stringTypePrototype = Object.getPrototypeOf(stringType);
+          const definition = stringTypePrototype?._definition;
+          const rules = definition?.rules || {};
+          const coerce = definition?.coerce;
+
+          stringTypePrototype && joiInstrumentation.patchValidateAsync(stringTypePrototype, 'string.external');
+          definition && joiInstrumentation.patchCustomValidate(definition, 'string');
+          patchValidator(
+            definition,
+            'joi.string.validate',
+            'validate',
+            STRING_TYPE_CHECKED
+          );
+
+          for (const rule in VALIDATORS) {
+            if (rules[rule]) {
+              patchValidator(
+                rules[rule],
+                'joi.string._definition.rules',
+                rule,
+                VALIDATORS[rule],
+              );
+            }
+          }
+
+          if (coerce && rules['isoDate']) {
+            reTrackCoercedValue(coerce);
+          }
+        }
+      );
+    },
+  });
+};

package/lib/dataflow/propagation/install/joi/utils.js

@@ -0,0 +1,111 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { split, DataflowTag: { CUSTOM_VALIDATED }, join } = require('@contrast/common');
+
+function getRefInstancesTrackingData(tracker, obj, refInstancesPaths) {
+  return refInstancesPaths
+    .map((referenceInstance) => {
+      const value = split(referenceInstance, '.').reduce(
+        (acc, v) => acc[v] || acc,
+        obj
+      );
+      return tracker.getData(value);
+    })
+    .filter(Boolean);
+}
+
+function tagCustomValidatedString(createPropagationEvent, strInfo, metadata) {
+  const { inspectedSecondArg, origFn, methodName, target } = metadata;
+
+  if (!strInfo) return;
+
+  const event = createPropagationEvent({
+    addedTags: [CUSTOM_VALIDATED],
+    name: `Joi.${methodName}`,
+    moduleName: 'joi',
+    methodName,
+    history: [{ ...strInfo }],
+    object: {
+      tracked: false,
+      value: `Joi.${methodName}`,
+    },
+    args: [
+      { tracked: true, value: strInfo.value },
+      inspectedSecondArg && { tracked: false, value: inspectedSecondArg },
+    ].filter(Boolean),
+    result: {
+      tracked: target === 'R',
+      value: target === 'R' ? strInfo.value : undefined
+    },
+    source: 'P0',
+    tags: {
+      ...strInfo.tags,
+      [CUSTOM_VALIDATED]: [0, strInfo.value.length - 1],
+    },
+    target,
+    stacktraceOpts: {
+      prependFrames: [origFn],
+    },
+  });
+
+  if (event) {
+    Object.assign(strInfo, event);
+  }
+}
+
+function handleReferences(tracker, schema, validationFn) {
+  const contrastData = schema?.schema?.__CONTRAST__;
+  let refTargetPath = contrastData && join(schema.state.path, '.');
+  const inReferenceTargetPath = contrastData && join(schema.state.path.slice(0, -1), '.');
+  if (contrastData?.inReferenceTargets.has(inReferenceTargetPath)) {
+    refTargetPath = join(
+      schema.state.path.slice(0, -1),
+      '.'
+    );
+  }
+  const references = contrastData?.refTargets[refTargetPath];
+
+  if (references?.length) {
+    getRefInstancesTrackingData(
+      tracker,
+      schema.state.ancestors[schema.state.ancestors.length - 1],
+      references
+    ).forEach((refMetadata) => {
+      let { eventualValidations } = refMetadata;
+      if (!eventualValidations) {
+        eventualValidations = { [refTargetPath]: [validationFn] };
+      } else if (!eventualValidations[refTargetPath]) {
+        eventualValidations[refTargetPath] = [validationFn];
+      } else if (
+        !eventualValidations[refTargetPath].find(
+          (v) => v.name === CUSTOM_VALIDATED
+        )
+      ) {
+        eventualValidations[refTargetPath].push(validationFn);
+      }
+
+      refMetadata.eventualValidations = eventualValidations;
+    });
+  }
+}
+
+module.exports = {
+  getRefInstancesTrackingData,
+  tagCustomValidatedString,
+  handleReferences
+};

package/lib/dataflow/propagation/install/joi/values.js

@@ -0,0 +1,154 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const {
+  isNonEmptyObject, isString, inspect, traverseValues, join
+} = require('@contrast/common');
+const { createMergedTags } = require('../../../tag-utils');
+const { patchType } = require('../../common');
+
+module.exports = function(core) {
+  const {
+    depHooks,
+    scopes: { sources, instrumentation },
+    patcher,
+    assess: {
+      eventFactory: { createPropagationEvent },
+      dataflow: { tracker },
+    },
+  } = core;
+
+  function instrumentJoiValues(values) {
+    patcher.patch(values.prototype, 'get', {
+      name: 'joi.values',
+      patchType,
+      post(data) {
+        const {
+          args: [value, state, prefs],
+          result,
+        } = data;
+
+        if (
+          !value ||
+          !result ||
+          !sources.getStore()?.assess ||
+          instrumentation.isLocked()
+        ) return;
+
+        const metadata = {
+          state: inspect(state),
+          prefs: inspect(prefs),
+          orig: data.orig
+        };
+
+
+        if (result.ref) {
+          const targetAbsolutePath = join(result.ref.absolute(state), '.');
+
+          if (isString(value)) {
+            validateStringReferenceValue(value, result.value, result.ref, targetAbsolutePath, metadata);
+          } else if (isNonEmptyObject(value)) {
+            traverseValues(value, (path, _type, v) => {
+              validateStringReferenceValue(v, result.value, result.ref, join([...targetAbsolutePath, ...path], '.'), metadata, path);
+            });
+          }
+        } else if (data.obj?._values.has(data.result?.value)) {
+          if (isString(value)) {
+            // Should we untrack the argument too?
+            tracker.untrack(result.value);
+          } else if (isNonEmptyObject(result.value)) {
+            traverseValues(value, (_path, _type, v) => {
+              tracker.untrack(v);
+            });
+          }
+        }
+      },
+    });
+  }
+
+  function validateStringReferenceValue(value, resValue, ref, targetAbsolutePath, metadata, path = []) {
+    const strInfo = ref && tracker.getData(value);
+    const resStringValue = path.reduce((acc, val) => acc[val] || acc, resValue);
+
+    if (strInfo) {
+      const validations = strInfo.eventualValidations?.[targetAbsolutePath];
+      const mappedValueInfo = ref.map && tracker.getData(resStringValue);
+      const adjustedValueInfo = ref.adjust && tracker.getData(resStringValue);
+
+      if (validations?.length && !ref.map && !ref.adjust) {
+        validations.forEach(validation => validation(strInfo));
+
+        delete strInfo.eventualValidations[targetAbsolutePath];
+        !Object.keys(strInfo.eventualValidations).length && delete strInfo.eventualValidations;
+      }
+
+      if (mappedValueInfo || adjustedValueInfo) {
+        const resultInfo = mappedValueInfo || adjustedValueInfo;
+        const mergedTags = createMergedTags(strInfo.tags, resultInfo.tags);
+        const addedTags = [
+          Object.keys(resultInfo.tags).filter((tag) => !(Object.keys(strInfo.tags).find(t => t === tag))),
+          Object.keys(strInfo.tags).filter((tag) => !(Object.keys(resultInfo.tags).find(t => t === tag)))
+        ];
+
+        [strInfo, resultInfo].forEach((info, idx) => {
+          const event = createPropagationEvent({
+            addedTags: [addedTags[idx]],
+            name: 'Joi.values.get',
+            moduleName: 'joi',
+            methodName: 'values.get',
+            history: [{ ...info }],
+            object: {
+              tracked: false,
+              value: 'Joi.string',
+            },
+            args: [
+              { tracked: true, value: info.value },
+              { tracked: false, value: metadata.state },
+              { tracked: false, value: metadata.prefs },
+            ],
+            result: {
+              tracked: false,
+              value: inspect({ value: resultInfo.value, ref }),
+            },
+            source: 'P0',
+            tags: mergedTags,
+            target: 'A',
+            stacktraceOpts: {
+              prependFrames: [metadata.orig],
+            },
+          });
+
+          if (event) {
+            Object.assign(info, event);
+          }
+        });
+      } else {
+        (ref.map || ref.adjust) && tracker.untrack(value);
+      }
+    }
+  }
+
+  return (core.assess.dataflow.propagation.joiInstrumentation.values = {
+    install() {
+      depHooks.resolve(
+        { name: 'joi', file: 'lib/values.js', version: '>=17.0.0' },
+        instrumentJoiValues
+      );
+    },
+  });
+};
+

package/lib/dataflow/propagation/install/path/basename.js

@@ -102,9 +102,7 @@ module.exports = function(core) {
                 },
               });
 
-              if (!event) {
-                return;
-              }
+              if (!event) return;
 
               const { extern } = tracker.track(result, event);
 

package/lib/dataflow/propagation/install/path/join-and-resolve.js

@@ -118,9 +118,7 @@ module.exports = function(core) {
                   },
                 });
 
-                if (!event) {
-                  return;
-                }
+                if (!event) return;
 
                 const { extern } = tracker.track(result, event);
 

package/lib/dataflow/propagation/install/path/normalize.js

@@ -101,9 +101,7 @@ module.exports = function(core) {
                 },
               });
 
-              if (!event) {
-                return;
-              }
+              if (!event) return;
 
               const { extern } = tracker.track(result, event);
 

package/lib/dataflow/propagation/install/pug/index.js

@@ -16,7 +16,7 @@
 
 const { patchType } = require('../../common');
 
-module.exports = function(core) {
+module.exports = function (core) {
   const store = { lock: true, name: 'assess:propagators:pug-compile' };
   const {
     scopes: { sources, instrumentation },
@@ -28,7 +28,7 @@ module.exports = function(core) {
   const pugInstrumentation = {
     install() {
       depHooks.resolve(
-        { name: 'pug', file: 'lib/index.js' },
+        { name: 'pug' },
         (pug) => patcher.patch(pug, 'compile', {
           name: 'pug.compile',
           patchType,