@contrast/assess 1.12.0 → 1.14.0

package/lib/dataflow/sinks/install/function.js

@@ -27,10 +27,10 @@ const {
     CUSTOM_VALIDATED,
     LIMITED_CHARS,
   },
+  Rule: { UNSAFE_CODE_EXECUTION }
 } = require('@contrast/common');
 const { patchType, filterSafeTags } = require('../common');
 
-const ruleId = 'unsafe-code-execution';
 const safeTags = [
   CUSTOM_ENCODED_TRUST_BOUNDARY_VIOLATION,
   CUSTOM_ENCODED,
@@ -39,7 +39,7 @@ const safeTags = [
   LIMITED_CHARS,
 ];
 
-module.exports = function(core) {
+module.exports = function (core) {
   const {
     config,
     logger,
@@ -57,103 +57,99 @@ module.exports = function(core) {
   core.assess.dataflow.sinks.contrastFunction = {
     install() {
       if (!global.ContrastMethods?.Function) {
-        logger.error(
-          'Cannot install `Function` instrumentation - Contrast method DNE'
-        );
+        logger.error('Cannot install `Function` instrumentation - Contrast method DNE');
         return;
       }
 
-      Object.assign(global.ContrastMethods, {
-        Function: patcher.patch(global.ContrastMethods.Function, {
-          name: 'global.ContrastMethods.Function',
-          patchType,
-          pre({ args: origArgs, hooked, orig, name }) {
-            const store = sources.getStore()?.assess;
-            const fnBody = origArgs[origArgs.length - 1];
-            if (
-              !store ||
-              instrumentation.isLocked() ||
-              !fnBody ||
-              !isString(fnBody)
-            )
-              return;
-
-            const strInfo = tracker.getData(fnBody);
-
-            if (!strInfo) return;
-
-            const isArgVulnerable = isVulnerable(UNTRUSTED, safeTags, strInfo.tags);
-
-            if (!isArgVulnerable && config.assess.safe_positives.enable) {
-              const foundSafeTags = filterSafeTags(safeTags, strInfo);
-              const safeStrInfo = {
-                value: strInfo.value,
-                tags: strInfo.tags,
-              };
-
-              reportSafePositive({
-                name,
-                ruleId,
-                safeTags: foundSafeTags,
-                strInfo: safeStrInfo,
-              });
-            }
-
-            if (isArgVulnerable) {
-              const args = origArgs.map((arg, idx) => {
-                if (idx === origArgs.length - 1) {
-                  return {
-                    value: strInfo.value,
-                    tracked: true,
-                    inspectedValue: `'${strInfo.value}'`,
-                  };
-                }
-
-                const inspectedValue = inspect(arg);
-                const argInfo = arg && isString(arg) ? tracker.getData(arg) : null;
-
+      patcher.patch(global.ContrastMethods, 'Function', {
+        name: 'global.ContrastMethods.Function',
+        patchType,
+        pre({ args: origArgs, hooked, orig, name }) {
+          const store = sources.getStore()?.assess;
+          const fnBody = origArgs[origArgs.length - 1];
+          if (
+            !store ||
+            instrumentation.isLocked() ||
+            !fnBody ||
+            !isString(fnBody)
+          )
+            return;
+
+          const strInfo = tracker.getData(fnBody);
+
+          if (!strInfo) return;
+
+          const isArgVulnerable = isVulnerable(UNTRUSTED, safeTags, strInfo.tags);
+
+          if (!isArgVulnerable && config.assess.safe_positives.enable) {
+            const foundSafeTags = filterSafeTags(safeTags, strInfo);
+            const safeStrInfo = {
+              value: strInfo.value,
+              tags: strInfo.tags,
+            };
+
+            reportSafePositive({
+              name,
+              ruleId: UNSAFE_CODE_EXECUTION,
+              safeTags: foundSafeTags,
+              strInfo: safeStrInfo,
+            });
+          }
+
+          if (isArgVulnerable) {
+            const args = origArgs.map((arg, idx) => {
+              if (idx === origArgs.length - 1) {
                 return {
-                  value: argInfo ? argInfo.value : inspectedValue,
-                  tracked: !!argInfo,
-                  inspectedValue
+                  value: strInfo.value,
+                  tracked: true,
+                  inspectedValue: `'${strInfo.value}'`,
                 };
-              });
-              const event = createSinkEvent({
-                name,
-                context: `${name}(${join(
-                  args.map((a) => a.inspectedValue),
-                  ', '
-                )})`,
-                history: [strInfo],
-                object: {
-                  value: 'global.ContrastMethods',
-                  tracked: false,
-                },
-                moduleName: 'global.ContrastMethods',
-                methodName: 'Function',
-                args: args.map((a) => ({
-                  value: a.value,
-                  tracked: a.tracked,
-                })),
-                tags: strInfo.tags,
-                source: `P${origArgs.length - 1}`,
-                stacktraceOpts: {
-                  contructorOpt: hooked,
-                  prependFrames: [orig],
-                },
-              });
-
-              if (event) {
-                reportFindings({
-                  ruleId,
-                  sinkEvent: event,
-                });
               }
+
+              const inspectedValue = inspect(arg);
+              const argInfo = arg && isString(arg) ? tracker.getData(arg) : null;
+
+              return {
+                value: argInfo ? argInfo.value : inspectedValue,
+                tracked: !!argInfo,
+                inspectedValue
+              };
+            });
+            const event = createSinkEvent({
+              name,
+              context: `${name}(${join(
+                args.map((a) => a.inspectedValue),
+                ', '
+              )})`,
+              history: [strInfo],
+              object: {
+                value: 'global.ContrastMethods',
+                tracked: false,
+              },
+              moduleName: 'global.ContrastMethods',
+              methodName: 'Function',
+              args: args.map((a) => ({
+                value: a.value,
+                tracked: a.tracked,
+              })),
+              tags: strInfo.tags,
+              source: `P${origArgs.length - 1}`,
+              stacktraceOpts: {
+                contructorOpt: hooked,
+                prependFrames: [orig],
+              },
+            });
+
+            if (event) {
+              reportFindings({
+                ruleId: UNSAFE_CODE_EXECUTION,
+                sinkEvent: event,
+              });
             }
-          },
-        }),
+          }
+        },
       });
-    },
+    }
   };
 
   return core.assess.dataflow.sinks.contrastFunction;

package/lib/dataflow/sinks/install/vm.js

@@ -25,6 +25,7 @@ const {
     CUSTOM_VALIDATED,
     LIMITED_CHARS,
   },
+  Rule: { UNSAFE_CODE_EXECUTION },
   isNonEmptyObject,
   inspect,
   traverseValues,
@@ -32,7 +33,6 @@ const {
   split,
 } = require('@contrast/common');
 const { createAdjustedQueryTags } = require('../../tag-utils');
-const ruleId = 'unsafe-code-execution';
 const safeTags = [
   CUSTOM_ENCODED_TRUST_BOUNDARY_VIOLATION,
   CUSTOM_ENCODED,
@@ -41,7 +41,7 @@ const safeTags = [
   LIMITED_CHARS,
 ];
 
-module.exports = function(core) {
+module.exports = function (core) {
   const {
     config,
     depHooks,
@@ -137,7 +137,7 @@ module.exports = function(core) {
     if (
       !store ||
       instrumentation.isLocked() ||
-      isLocked('unsafe-code-execution')
+      isLocked(UNSAFE_CODE_EXECUTION)
     ) {
       return next();
     }
@@ -189,13 +189,13 @@ module.exports = function(core) {
 
       reportSafePositive({
         name,
-        ruleId,
+        ruleId: UNSAFE_CODE_EXECUTION,
         safeTags: Array.from(foundSafeTags),
         strInfo,
       });
 
       return name === 'vm.runInNewContext'
-        ? runInActiveSink('unsafe-code-execution', () => next())
+        ? runInActiveSink(UNSAFE_CODE_EXECUTION, () => next())
         : next();
     }
 
@@ -233,14 +233,14 @@ module.exports = function(core) {
 
       if (event) {
         reportFindings({
-          ruleId,
+          ruleId: UNSAFE_CODE_EXECUTION,
           sinkEvent: event,
         });
       }
     }
 
     return name === 'vm.runInNewContext'
-      ? runInActiveSink('unsafe-code-execution', () => next())
+      ? runInActiveSink(UNSAFE_CODE_EXECUTION, () => next())
       : next();
   }
 

package/lib/dataflow/sources/install/body-parser1.js

@@ -31,7 +31,7 @@ module.exports = function init(core) {
 
   const createPreHook = (name) => (data) => {
     const [req, , next] = data.args;
-    data.args[2] = function contrastNext(...args) {
+    data.args[2] = scopes.wrap(function contrastNext(...args) {
       const sourceContext = scopes.sources.getStore()?.assess;
 
       if (!sourceContext) {
@@ -86,7 +86,7 @@ module.exports = function init(core) {
       }
 
       return next(...args);
-    };
+    });
   };
 
   assess.dataflow.sources.bodyParser1Instrumentation = {

package/lib/dataflow/sources/install/fastify/fastify.js

@@ -18,7 +18,7 @@
 const { InputType } = require('@contrast/common');
 const { patchType } = require('../../common');
 
-module.exports = function(core) {
+module.exports = function (core) {
   const {
     logger,
     depHooks,

package/lib/dataflow/sources/install/http.js

@@ -73,17 +73,18 @@ module.exports = function(core) {
         }
       });
 
-      patcher.patch(res, 'setHeader', {
-        alwaysRun: true,
-        name: 'set-header',
-        patchType,
-        pre(data) {
-          const [name = '', value] = data.args;
-          if (toLowerCase(name) === 'content-type' && value) {
-            store.assess.responseData.contentType = value;
+      if (!patcher.hooks.get(res?.setHeader)?.funcKeys.has(`${patchType}:set-header`)) {
+        patcher.patch(res, 'setHeader', {
+          name: 'set-header',
+          patchType,
+          pre(data) {
+            const [name = '', value] = data.args;
+            if (toLowerCase(name) === 'content-type' && scopes.sources.getStore()?.assess && value) {
+              store.assess.responseData.contentType = value;
+            }
           }
-        }
-      });
+        });
+      }
 
       let uriPath, queries;
       const ix = req.url.indexOf('?');

package/lib/dataflow/tracker.js

@@ -98,11 +98,9 @@ module.exports = function tracker(core) {
 
       const externMetadata = distringuish.getProperties(extern);
       metadata.value = value;
-      metadata.extern = extern;
 
       ret = Object.assign(externMetadata, metadata);
-
-      return ret;
+      return { ...ret, extern };
     } else if (typeof value === 'object') {
       const objInfo = objMap.get(value);
       if (objInfo) {

package/lib/response-scanning/install/http.js

@@ -38,8 +38,9 @@ module.exports = function(core) {
   } = core;
   const http = core.assess.responseScanning.httpInstrumentation = {};
 
-  function parseHeaders(rawHeaders = '') {
-    const headersArray = split(rawHeaders, '\r\n').filter(Boolean);
+  function parseHeaders(rawHeaders) {
+    const headersToParse = rawHeaders || '';
+    const headersArray = split(headersToParse, '\r\n').filter(Boolean);
     return headersArray.reduce((acc, header) => {
       const idx = header.indexOf(':');
 

package/package.json

@@ -1,21 +1,24 @@
 {
   "name": "@contrast/assess",
-  "version": "1.12.0",
-  "description": "",
+  "version": "1.14.0",
+  "description": "Contrast service providing framework-agnostic Assess support",
+  "license": "SEE LICENSE IN LICENSE",
+  "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
+  "files": [
+    "lib/"
+  ],
   "main": "lib/index.js",
-  "scripts": {
-    "test": "../scripts/test.sh"
-  },
-  "author": "",
-  "license": "ISC",
+  "types": "lib/index.d.ts",
   "engines": {
     "npm": ">=6.13.7 <7 || >= 8.3.1",
     "node": ">= 14.15.0"
   },
+  "scripts": {
+    "test": "../scripts/test.sh"
+  },
   "dependencies": {
+    "@contrast/common": "1.15.1",
     "@contrast/distringuish": "^4.4.0",
-    "@contrast/scopes": "1.4.0",
-    "@contrast/common": "1.14.0",
-    "parseurl": "^1.3.3"
+    "@contrast/scopes": "1.4.0"
   }
-}
+}