npm - @contrast/assess - Versions diffs - 1.13.0 → 1.14.0 - Mend

@contrast/assess 1.13.0 → 1.14.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (31) hide show

package/lib/dataflow/propagation/install/buffer.js CHANGED Viewed

@@ -63,11 +63,12 @@ module.exports = function(core) {
             target: 'R',
           });
-          if (event) {
-            const { extern } = tracker.track(result, event);
-            if (extern) {
-              data.result = extern;
-            }
+          if (!event) return;
+          const { extern } = tracker.track(result, event);
+          if (extern) {
+            data.result = extern;
           }
         }
       });

package/lib/dataflow/propagation/install/contrast-methods/add.js CHANGED Viewed

@@ -98,6 +98,9 @@ module.exports = function(core) {
               tags: newTags,
               target: 'R',
             });
+            if (!event) return;
             const { extern } = tracker.track(result, event);
             if (extern) {

package/lib/dataflow/propagation/install/joi/any.js ADDED Viewed

@@ -0,0 +1,46 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+module.exports = function(core) {
+  const {
+    depHooks,
+    assess: {
+      dataflow: {
+        propagation: { joiInstrumentation },
+      },
+    },
+  } = core;
+  joiInstrumentation.any = {
+    install() {
+      depHooks.resolve(
+        { name: 'joi', file: 'lib/types/any', version: '>=17.0.0' },
+        (exp) => {
+          const anyTypePrototype = Object.getPrototypeOf(exp);
+          const def = anyTypePrototype?._definition;
+          anyTypePrototype &&
+            joiInstrumentation.patchValidateAsync(
+              anyTypePrototype,
+              'any.external'
+            );
+          def && joiInstrumentation.patchCustomValidate(def, 'any');
+        }
+      );
+    },
+  };
+};

package/lib/dataflow/propagation/install/joi/boolean.js ADDED Viewed

@@ -0,0 +1,109 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const {
+  DataflowTag: { ALPHANUM_SPACE_HYPHEN },
+  inspect,
+} = require('@contrast/common');
+const { patchType } = require('../../common');
+module.exports = function(core) {
+  const {
+    depHooks,
+    scopes: { sources, instrumentation },
+    patcher,
+    assess: {
+      eventFactory: { createPropagationEvent },
+      dataflow: { tracker },
+    },
+  } = core;
+  /**
+   * Patch Joi's boolean coerce function so it tags the input w/
+   * alphanum-space-hyphen if the coercion was successful. Tag is added when
+   * conditions are met.
+   * @param {Object} the boolean export
+   */
+  function instrumentJoiBoolean(boolean) {
+    const def = Object.getPrototypeOf(boolean)?._definition;
+    def &&
+      patcher.patch(def.coerce, 'method', {
+        name: 'joi.boolean.coerce',
+        patchType,
+        post(data) {
+          if (
+            !data.result?.value ||
+            typeof data.result.value !== 'boolean' ||
+            !sources.getStore()?.assess ||
+            instrumentation.isLocked()
+          )
+            return;
+          const argInfo = tracker.getData(data.args[0]);
+          if (!argInfo) return;
+          const event = createPropagationEvent({
+            name: 'Joi.boolean.coerce',
+            moduleName: 'joi',
+            methodName: 'boolean.coerce',
+            history: [{ ...argInfo }],
+            object: {
+              tracked: false,
+              value: 'Joi.boolean',
+            },
+            args: [
+              { tracked: true, value: argInfo.value },
+              {
+                tracked: false,
+                value: {
+                  ...inspect(data.args[1]),
+                  original: argInfo.value,
+                },
+              },
+            ],
+            result: {
+              tracked: false,
+              value: data.result,
+            },
+            source: 'P0',
+            tags: {
+              ...argInfo.tags,
+              [ALPHANUM_SPACE_HYPHEN]: [0, argInfo.value.length - 1],
+            },
+            target: 'P0',
+            stacktraceOpts: {
+              prependFrames: [data.orig],
+            },
+          });
+          if (event) {
+            Object.assign(argInfo, event);
+          }
+        },
+      });
+  }
+  return (core.assess.dataflow.propagation.joiInstrumentation.booleanCoerce = {
+    install() {
+      depHooks.resolve(
+        { name: 'joi', file: 'lib/types/boolean.js', version: '>=17.0.0' },
+        instrumentJoiBoolean
+      );
+    },
+  });
+};

package/lib/dataflow/propagation/install/joi/expression.js ADDED Viewed

@@ -0,0 +1,99 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const {
+  DataflowTag: { HTML_ENCODED },
+  inspect,
+} = require('@contrast/common');
+const { patchType } = require('../../common');
+module.exports = function(core) {
+  const {
+    depHooks,
+    scopes: { sources, instrumentation },
+    patcher,
+    assess: {
+      eventFactory: { createPropagationEvent },
+      dataflow: { tracker },
+    },
+  } = core;
+  /**
+   * Patch joi.expression so that it tags input with html-encoded if rendered
+   * @param {Object} expression
+   */
+  function instrumentJoiExpression(joi, method) {
+    return patcher.patch(joi, method, {
+      name: `joi.${method}`,
+      patchType,
+      post(data) {
+        if (
+          !data.result ||
+          !sources.getStore()?.assess ||
+          instrumentation.isLocked()
+        )
+          return;
+        const argInfo = tracker.getData(data.args[0]);
+        if (argInfo && data.result._template) {
+          const event = createPropagationEvent({
+            addedTags: [HTML_ENCODED],
+            name: `Joi.${method}`,
+            moduleName: 'joi',
+            methodName: method,
+            history: [{ ...argInfo }],
+            object: {
+              tracked: false,
+              value: `Joi.${method}`,
+            },
+            args: [{ tracked: true, value: argInfo.value }],
+            result: {
+              tracked: false,
+              value: inspect({ ...data.result, source: argInfo.value }),
+            },
+            source: 'P0',
+            tags: {
+              ...argInfo.tags,
+              [HTML_ENCODED]: [0, argInfo.value.length - 1],
+            },
+            target: 'P0',
+            stacktraceOpts: {
+              prependFrames: [data.orig],
+            },
+          });
+          if (event) {
+            Object.assign(argInfo, event);
+          }
+        }
+      },
+    });
+  }
+  core.assess.dataflow.propagation.joiInstrumentation.expression = {
+    install() {
+      depHooks.resolve(
+        { name: 'joi', file: 'lib/index.js', version: '>=17.0.0' },
+        (joi) => {
+          instrumentJoiExpression(joi, 'expression');
+          instrumentJoiExpression(joi, 'x');
+        }
+      );
+    },
+  };
+};

package/lib/dataflow/propagation/install/joi/index.js CHANGED Viewed

@@ -15,20 +15,157 @@
 'use strict';
-const { callChildComponentMethodsSync } = require('@contrast/common');
+const {
+  callChildComponentMethodsSync,
+  isString,
+  isNonEmptyObject,
+  traverseValues,
+  inspect,
+} = require('@contrast/common');
+const { patchType } = require('../../common');
+const { tagCustomValidatedString, handleReferences } = require('./utils');
 module.exports = function(core) {
-  const joiInstrumentation = core.assess.dataflow.propagation.joiInstrumentation = {
-    install() {
-      callChildComponentMethodsSync(joiInstrumentation, 'install');
+  const {
+    patcher,
+    scopes: { sources, instrumentation },
+    assess: {
+      eventFactory: { createPropagationEvent },
+      dataflow: { tracker },
     },
-    uninstall() {
-      callChildComponentMethodsSync(joiInstrumentation, 'uninstall');
-    },
-  };
+  } = core;
+  const joiInstrumentation =
+    (core.assess.dataflow.propagation.joiInstrumentation = {
+      install() {
+        callChildComponentMethodsSync(joiInstrumentation, 'install');
+      },
+      uninstall() {
+        callChildComponentMethodsSync(joiInstrumentation, 'uninstall');
+      },
+      patchValidateAsync(parentObj, parentObjType) {
+        patcher.patch(parentObj, 'validateAsync', {
+          name: `Joi.${parentObjType}.validateAsync`,
+          patchType,
+          post(data) {
+            const childNodes = data.obj?.$_terms.items?.length
+              ? data.obj.$_terms.items
+              : data.obj?.$_terms.keys?.length
+                ? data.obj.$_terms.keys
+                : null;
+            if (
+              (!childNodes && !data.obj?.$_terms?.externals?.length) ||
+              (childNodes &&
+                !childNodes.find((i) => {
+                  const schema = i?.schema || i;
+                  return schema.$_terms?.externals?.length;
+                })) ||
+              !core.config.assess.trust_custom_validators ||
+              !sources.getStore()?.assess ||
+              instrumentation.isLocked()
+            )
+              return;
+            data.result.then((result) => {
+              const metadata = {
+                origFn: data.orig,
+                methodName: parentObjType,
+                target: 'R',
+              };
+              if (isString(result)) {
+                tagCustomValidatedString(
+                  createPropagationEvent,
+                  tracker.getData(result),
+                  metadata
+                );
+              } else if (isNonEmptyObject(result)) {
+                traverseValues(result, (_path, _key, value) => {
+                  tagCustomValidatedString(
+                    createPropagationEvent,
+                    tracker.getData(value),
+                    metadata
+                  );
+                });
+              }
+            })
+              .catch(err => err);
+          },
+        });
+      },
+      patchCustomValidate(parentObj, objName) {
+        patcher.patch(parentObj.rules.custom, 'validate', {
+          name: `joi.${objName}.custom.valdiate`,
+          patchType,
+          post(data) {
+            const {
+              args: [input, schema],
+              result,
+              orig,
+            } = data;
+            if (
+              !result ||
+              !input ||
+              (result.value === input &&
+                (result.messages?.source || result.local?.error)) ||
+              !core.config.assess.trust_custom_validators ||
+              !sources.getStore()?.assess ||
+              instrumentation.isLocked()
+            )
+              return;
+            const inspectedSecondArg = inspect(schema);
+            const metadata = {
+              origFn: orig,
+              inspectedSecondArg,
+              methodName: `${objName}.custom.validate`,
+              target: 'R',
+            };
+            const validation = (trackingInfo) => {
+              tagCustomValidatedString(
+                createPropagationEvent,
+                trackingInfo,
+                metadata
+              );
+            };
+            handleReferences(tracker, schema, validation);
+            if (isString(result)) {
+              validation(tracker.getData(result));
+              input === result &&
+                tagCustomValidatedString(
+                  createPropagationEvent,
+                  tracker.getData(input),
+                  { ...metadata, target: 'P0' }
+                );
+            } else if (isNonEmptyObject(result)) {
+              traverseValues(result, (path, _key, value) => {
+                const argValue = path.reduce((obj, k) => obj[k] || obj, input);
+                validation(tracker.getData(result));
+                argValue === value &&
+                  tagCustomValidatedString(
+                    createPropagationEvent,
+                    tracker.getData(argValue),
+                    { ...metadata, target: 'P0' }
+                  );
+              });
+            }
+          },
+        });
+      },
+    });
+  require('./any')(core);
+  require('./expression')(core);
   require('./keys')(core);
+  require('./object')(core);
   require('./string-schema')(core);
+  require('./number')(core);
+  require('./boolean')(core);
   require('./values')(core);
   return joiInstrumentation;

package/lib/dataflow/propagation/install/joi/number.js ADDED Viewed

@@ -0,0 +1,107 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const {
+  DataflowTag: { LIMITED_CHARS },
+  inspect,
+} = require('@contrast/common');
+const { patchType } = require('../../common');
+module.exports = function(core) {
+  const {
+    depHooks,
+    scopes: { sources, instrumentation },
+    patcher,
+    assess: {
+      eventFactory: { createPropagationEvent },
+      dataflow: { tracker },
+    },
+  } = core;
+  /**
+   * patch Joi's number coerce function so it tags the input w/ limited-chars if the coercion was successful
+   * @param {Object} the number export
+   */
+  function instrumentJoiNumber(number) {
+    const def = Object.getPrototypeOf(number)?._definition;
+    def &&
+      patcher.patch(def.coerce, 'method', {
+        name: 'joi.number.coerce',
+        patchType,
+        post(data) {
+          if (
+            !data.result?.value ||
+            data.result.errors ||
+            !sources.getStore()?.assess ||
+            instrumentation.isLocked()
+          )
+            return;
+          const argInfo = tracker.getData(data.args[0]);
+          if (!argInfo) return;
+          const event = createPropagationEvent({
+            name: 'Joi.number.coerce',
+            moduleName: 'joi',
+            methodName: 'number.coerce',
+            history: [{ ...argInfo }],
+            object: {
+              tracked: false,
+              value: 'Joi.number',
+            },
+            args: [
+              { tracked: true, value: argInfo.value },
+              {
+                tracked: false,
+                value: {
+                  ...inspect(data.args[1]),
+                  original: argInfo.value,
+                },
+              },
+            ],
+            result: {
+              tracked: false,
+              value: data.result,
+            },
+            source: 'P0',
+            tags: {
+              ...argInfo.tags,
+              [LIMITED_CHARS]: [0, argInfo.value.length - 1],
+            },
+            target: 'P0',
+            stacktraceOpts: {
+              prependFrames: [data.orig],
+            },
+          });
+          if (event) {
+            Object.assign(argInfo, event);
+          }
+        },
+      });
+  }
+  return (core.assess.dataflow.propagation.joiInstrumentation.numberCoerce = {
+    install() {
+      depHooks.resolve(
+        { name: 'joi', file: 'lib/types/number.js', version: '>=17.0.0' },
+        instrumentJoiNumber
+      );
+    },
+  });
+};

package/lib/dataflow/propagation/install/joi/object.js ADDED Viewed

@@ -0,0 +1,46 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+module.exports = function(core) {
+  const {
+    depHooks,
+    assess: {
+      dataflow: {
+        propagation: { joiInstrumentation },
+      },
+    },
+  } = core;
+  joiInstrumentation.object = {
+    install() {
+      depHooks.resolve(
+        { name: 'joi', file: 'lib/types/object', version: '>=17.0.0' },
+        (exp) => {
+          const objectTypePrototype = Object.getPrototypeOf(exp);
+          const def = objectTypePrototype?._definition;
+          objectTypePrototype &&
+            joiInstrumentation.patchValidateAsync(
+              objectTypePrototype,
+              'object.external'
+            );
+          def && joiInstrumentation.patchCustomValidate(def, 'object');
+        }
+      );
+    },
+  };
+};