@contrast/assess 1.13.0 → 1.14.0

package/lib/dataflow/propagation/install/joi/string-schema.js

@@ -18,9 +18,8 @@
 const {
   DataflowTag: { ALPHANUM_SPACE_HYPHEN, LIMITED_CHARS, STRING_TYPE_CHECKED },
   inspect,
-  join,
-  split,
 } = require('@contrast/common');
+const { handleReferences } = require('./utils');
 const { createFullLengthCopyTags } = require('../../../tag-utils');
 const { patchType } = require('../../common');
 const VALIDATORS = {
@@ -44,7 +43,12 @@ module.exports = function(core) {
     patcher,
     assess: {
       eventFactory: { createPropagationEvent },
-      dataflow: { tracker },
+      dataflow: {
+        tracker, propagation: {
+          joiInstrumentation
+        }
+      },
+
     },
   } = core;
 
@@ -92,18 +96,6 @@ module.exports = function(core) {
     return propagationFn;
   }
 
-  function getRefInstancesTrackingData(obj, refInstancesPaths) {
-    return refInstancesPaths
-      .map((referenceInstance) => {
-        const value = split(referenceInstance, '.').reduce(
-          (acc, v) => acc[v] || acc,
-          obj
-        );
-        return tracker.getData(value);
-      })
-      .filter(Boolean);
-  }
-
   function patchValidator(
     validatorObj,
     patchName,
@@ -125,19 +117,6 @@ module.exports = function(core) {
         )
           return;
 
-        const contrastData = schema?.schema?.__CONTRAST__;
-        let refTargetPath = join(schema.state.path, '.');
-        const inReferenceTargetPath = join(schema.state.path.slice(0, -1), '.');
-        if (contrastData?.inReferenceTargets.has(inReferenceTargetPath)) {
-          refTargetPath = join(
-            schema.state.path.slice(0, -1),
-            '.'
-          );
-        }
-        const references = contrastData?.refTargets[refTargetPath];
-
-        const strInfo = tracker.getData(input);
-
         const inspectedSchema = inspect(schema);
         const validation = definePropagation(
           validatorName,
@@ -145,27 +124,9 @@ module.exports = function(core) {
           inspectedSchema,
           data.orig
         );
-        if (references?.length) {
-          getRefInstancesTrackingData(
-            schema.state.ancestors[schema.state.ancestors.length - 1],
-            references
-          ).forEach((refMetadata) => {
-            let { eventualValidations } = refMetadata;
-            if (!eventualValidations) {
-              eventualValidations = { [refTargetPath]: [validation] };
-            } else if (!eventualValidations[refTargetPath]) {
-              eventualValidations[refTargetPath] = [validation];
-            } else if (
-              !eventualValidations[refTargetPath].find(
-                (v) => v.name === tagName
-              )
-            ) {
-              eventualValidations[refTargetPath].push(validation);
-            }
+        const strInfo = tracker.getData(input);
 
-            refMetadata.eventualValidations = eventualValidations;
-          });
-        }
+        handleReferences(tracker, schema, validation);
 
         if (strInfo) {
           validation(strInfo);
@@ -221,6 +182,8 @@ module.exports = function(core) {
           },
         });
 
+        if (!event) return;
+
         const { extern } = tracker.track(result.value, event);
 
         if (extern) {
@@ -230,7 +193,7 @@ module.exports = function(core) {
     });
   }
 
-  return (core.assess.dataflow.propagation.joiInstrumentation.stringSchema = {
+  return (joiInstrumentation.stringSchema = {
     install() {
       depHooks.resolve(
         { name: 'joi', file: 'lib/types/string.js', version: '>=17.0.0' },
@@ -238,7 +201,10 @@ module.exports = function(core) {
           const stringTypePrototype = Object.getPrototypeOf(stringType);
           const definition = stringTypePrototype?._definition;
           const rules = definition?.rules || {};
+          const coerce = definition?.coerce;
 
+          stringTypePrototype && joiInstrumentation.patchValidateAsync(stringTypePrototype, 'string.external');
+          definition && joiInstrumentation.patchCustomValidate(definition, 'string');
           patchValidator(
             definition,
             'joi.string.validate',
@@ -257,8 +223,6 @@ module.exports = function(core) {
             }
           }
 
-          const coerce = definition?.coerce;
-
           if (coerce && rules['isoDate']) {
             reTrackCoercedValue(coerce);
           }

package/lib/dataflow/propagation/install/joi/utils.js

@@ -0,0 +1,111 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { split, DataflowTag: { CUSTOM_VALIDATED }, join } = require('@contrast/common');
+
+function getRefInstancesTrackingData(tracker, obj, refInstancesPaths) {
+  return refInstancesPaths
+    .map((referenceInstance) => {
+      const value = split(referenceInstance, '.').reduce(
+        (acc, v) => acc[v] || acc,
+        obj
+      );
+      return tracker.getData(value);
+    })
+    .filter(Boolean);
+}
+
+function tagCustomValidatedString(createPropagationEvent, strInfo, metadata) {
+  const { inspectedSecondArg, origFn, methodName, target } = metadata;
+
+  if (!strInfo) return;
+
+  const event = createPropagationEvent({
+    addedTags: [CUSTOM_VALIDATED],
+    name: `Joi.${methodName}`,
+    moduleName: 'joi',
+    methodName,
+    history: [{ ...strInfo }],
+    object: {
+      tracked: false,
+      value: `Joi.${methodName}`,
+    },
+    args: [
+      { tracked: true, value: strInfo.value },
+      inspectedSecondArg && { tracked: false, value: inspectedSecondArg },
+    ].filter(Boolean),
+    result: {
+      tracked: target === 'R',
+      value: target === 'R' ? strInfo.value : undefined
+    },
+    source: 'P0',
+    tags: {
+      ...strInfo.tags,
+      [CUSTOM_VALIDATED]: [0, strInfo.value.length - 1],
+    },
+    target,
+    stacktraceOpts: {
+      prependFrames: [origFn],
+    },
+  });
+
+  if (event) {
+    Object.assign(strInfo, event);
+  }
+}
+
+function handleReferences(tracker, schema, validationFn) {
+  const contrastData = schema?.schema?.__CONTRAST__;
+  let refTargetPath = contrastData && join(schema.state.path, '.');
+  const inReferenceTargetPath = contrastData && join(schema.state.path.slice(0, -1), '.');
+  if (contrastData?.inReferenceTargets.has(inReferenceTargetPath)) {
+    refTargetPath = join(
+      schema.state.path.slice(0, -1),
+      '.'
+    );
+  }
+  const references = contrastData?.refTargets[refTargetPath];
+
+  if (references?.length) {
+    getRefInstancesTrackingData(
+      tracker,
+      schema.state.ancestors[schema.state.ancestors.length - 1],
+      references
+    ).forEach((refMetadata) => {
+      let { eventualValidations } = refMetadata;
+      if (!eventualValidations) {
+        eventualValidations = { [refTargetPath]: [validationFn] };
+      } else if (!eventualValidations[refTargetPath]) {
+        eventualValidations[refTargetPath] = [validationFn];
+      } else if (
+        !eventualValidations[refTargetPath].find(
+          (v) => v.name === CUSTOM_VALIDATED
+        )
+      ) {
+        eventualValidations[refTargetPath].push(validationFn);
+      }
+
+      refMetadata.eventualValidations = eventualValidations;
+    });
+  }
+}
+
+module.exports = {
+  getRefInstancesTrackingData,
+  tagCustomValidatedString,
+  handleReferences
+};

package/lib/dataflow/propagation/install/joi/values.js

@@ -54,20 +54,33 @@ module.exports = function(core) {
           prefs: inspect(prefs),
           orig: data.orig
         };
-        const targetAbsolutePath = join(result.ref.absolute(state), '.');
 
-        if (isString(value)) {
-          validateStringValue(value, result.value, result.ref, targetAbsolutePath, metadata);
-        } else if (isNonEmptyObject(value)) {
-          traverseValues(value, (path, _type, v) => {
-            validateStringValue(v, result.value, result.ref, join([...targetAbsolutePath, ...path], '.'), metadata, path);
-          });
+
+        if (result.ref) {
+          const targetAbsolutePath = join(result.ref.absolute(state), '.');
+
+          if (isString(value)) {
+            validateStringReferenceValue(value, result.value, result.ref, targetAbsolutePath, metadata);
+          } else if (isNonEmptyObject(value)) {
+            traverseValues(value, (path, _type, v) => {
+              validateStringReferenceValue(v, result.value, result.ref, join([...targetAbsolutePath, ...path], '.'), metadata, path);
+            });
+          }
+        } else if (data.obj?._values.has(data.result?.value)) {
+          if (isString(value)) {
+            // Should we untrack the argument too?
+            tracker.untrack(result.value);
+          } else if (isNonEmptyObject(result.value)) {
+            traverseValues(value, (_path, _type, v) => {
+              tracker.untrack(v);
+            });
+          }
         }
       },
     });
   }
 
-  function validateStringValue(value, resValue, ref, targetAbsolutePath, metadata, path = []) {
+  function validateStringReferenceValue(value, resValue, ref, targetAbsolutePath, metadata, path = []) {
     const strInfo = ref && tracker.getData(value);
     const resStringValue = path.reduce((acc, val) => acc[val] || acc, resValue);
 

package/lib/dataflow/propagation/install/path/basename.js

@@ -102,9 +102,7 @@ module.exports = function(core) {
                 },
               });
 
-              if (!event) {
-                return;
-              }
+              if (!event) return;
 
               const { extern } = tracker.track(result, event);
 

package/lib/dataflow/propagation/install/path/join-and-resolve.js

@@ -118,9 +118,7 @@ module.exports = function(core) {
                   },
                 });
 
-                if (!event) {
-                  return;
-                }
+                if (!event) return;
 
                 const { extern } = tracker.track(result, event);
 

package/lib/dataflow/propagation/install/path/normalize.js

@@ -101,9 +101,7 @@ module.exports = function(core) {
                 },
               });
 
-              if (!event) {
-                return;
-              }
+              if (!event) return;
 
               const { extern } = tracker.track(result, event);
 

package/lib/dataflow/propagation/install/reg-exp-prototype-exec.js

@@ -45,7 +45,7 @@ module.exports = function(core) {
       context: `'${obj}'.exec('${strInfo.value}')`,
       history: [strInfo],
       object: {
-        value: obj,
+        value: 'RegExp',
         tracked: false,
       },
       args: [
@@ -162,11 +162,12 @@ module.exports = function(core) {
                 metadata
               });
 
-              if (event) {
-                const { extern } = tracker.track(res, event);
-                if (extern) {
-                  result.groups[key] = extern;
-                }
+              if (!event) return;
+
+              const { extern } = tracker.track(res, event);
+
+              if (extern) {
+                result.groups[key] = extern;
               }
             });
           }

package/lib/dataflow/propagation/install/string/match-all.js

@@ -195,11 +195,12 @@ module.exports = function(core) {
                   });
                 }
 
-                if (event) {
-                  const { extern } = tracker.track(res, event);
-                  if (extern) {
-                    resValue.groups[key] = extern;
-                  }
+                if (!event) return;
+
+                const { extern } = tracker.track(res, event);
+
+                if (extern) {
+                  resValue.groups[key] = extern;
                 }
               });
             }

package/lib/dataflow/propagation/install/string/match.js

@@ -30,6 +30,7 @@ module.exports = function(core) {
       },
     },
   } = core;
+
   const name = 'String.prototype.match';
 
   function getPropagationEvent(data, res, objInfo, start) {
@@ -49,7 +50,7 @@ module.exports = function(core) {
       moduleName: 'String',
       methodName: 'prototype.match',
       context: `'${objInfo.value}'.match(${args[0].value})`,
-      history: [objInfo],
+      history: [{ ...objInfo }],
       object: {
         value: objInfo.value,
         tracked: true,
@@ -131,11 +132,12 @@ module.exports = function(core) {
               event = getPropagationEvent(data, res, objInfo, start);
             }
 
-            if (event) {
-              const { extern } = tracker.track(res, event);
-              if (extern) {
-                data.result[i] = extern;
-              }
+            if (!event) continue;
+
+            const { extern } = tracker.track(res, event);
+
+            if (extern) {
+              data.result[i] = extern;
             }
           }
           if (hasCaptureGroups && result.groups) {
@@ -153,11 +155,12 @@ module.exports = function(core) {
                 event = getPropagationEvent(data, res, objInfo, start);
               }
 
-              if (event) {
-                const { extern } = tracker.track(res, event);
-                if (extern) {
-                  data.result.groups[key] = extern;
-                }
+              if (!event) return;
+
+              const { extern } = tracker.track(res, event);
+
+              if (extern) {
+                data.result.groups[key] = extern;
               }
             });
           }

package/lib/dataflow/propagation/install/string/replace.js

@@ -199,11 +199,12 @@ module.exports = function(core) {
             target: 'R',
           });
 
-          if (event) {
-            const { extern } = tracker.track(result, event);
-            if (extern) {
-              data.result = extern;
-            }
+          if (!event) return;
+
+          const { extern } = tracker.track(result, event);
+
+          if (extern) {
+            data.result = extern;
           }
         }
       });

package/lib/dataflow/propagation/install/string/slice.js

@@ -98,6 +98,9 @@ module.exports = function(core) {
               prependFrames: [orig]
             }
           });
+
+          if (!event) return;
+
           const { extern } = tracker.track(result, event);
 
           if (extern) {

package/lib/dataflow/propagation/install/string/split.js

@@ -95,11 +95,12 @@ module.exports = function(core) {
                 target: 'R'
               });
 
-              if (event) {
-                const { extern } = tracker.track(res, event);
-                if (extern) {
-                  data.result[i] = extern;
-                }
+              if (!event) continue;
+
+              const { extern } = tracker.track(res, event);
+
+              if (extern) {
+                data.result[i] = extern;
               }
             }
           }

package/lib/dataflow/propagation/install/string/substring.js

@@ -108,9 +108,7 @@ module.exports = function(core) {
               target: 'R',
             });
 
-            if (!event) {
-              return;
-            }
+            if (!event) return;
 
             const { extern } = tracker.track(result, event);
 

package/lib/dataflow/propagation/install/string/trim.js

@@ -82,6 +82,8 @@ module.exports = function(core) {
         target: 'R'
       });
 
+      if (!event) return;
+
       const { extern } = tracker.track(result, event);
 
       if (extern) {

package/lib/dataflow/propagation/install/url/parse.js

@@ -106,16 +106,11 @@ module.exports = function(core) {
                         prependFrames: [orig]
                       },
                     });
-                    if (!event) return;
 
-                    if (partInfo) {
-                      Object.assign(partInfo, event);
-                    }
-                    const { extern } = partInfo || tracker.track(part, event);
+                    if (!event) return;
 
-                    if (extern) {
-                      result[key] = extern;
-                    }
+                    Object.assign(partInfo, event);
+                    result[key] = substr;
                   }
                 } else {
                   traverse(substr, url, key, 0);

package/lib/dataflow/propagation/install/url/searchParams.js

@@ -90,10 +90,8 @@ module.exports = function(core) {
                   if (event) Object.assign(paramInfo, event);
                 }
 
-                const trackedKey = keyInfo?.extern;
-                const trackedParam = paramInfo?.extern;
-                if (trackedKey) result.delete(key);
-                result.set(trackedKey || key, trackedParam || param);
+                if (keyInfo) result.delete(key);
+                result.set(key, param);
               });
             }
 
@@ -106,11 +104,13 @@ module.exports = function(core) {
                 if (!event) return;
 
                 Object.assign(paramInfo, event);
-                const { extern } = paramInfo || tracker.track(params[key], event);
+                let value = params[key];
 
-                if (extern) {
-                  result.set(key, extern);
+                if (!paramInfo) {
+                  ({ extern: value } = tracker.track(params[key], event));
                 }
+
+                result.set(key, value);
               });
             }
 

package/lib/dataflow/propagation/install/validator/hooks.js

@@ -132,13 +132,13 @@ module.exports = function(core) {
                   'R'
                 );
                 let resultTracked = tracker.getData(data.result);
-                if (!resultTracked) {
-                  resultTracked = tracker.track(data.result, event);
-                  if (resultTracked.extern) data.result = resultTracked.extern;
-                }
+
                 if (event) {
+                  resultTracked = resultTracked || tracker.track(data.result, event);
                   Object.assign(resultTracked, event);
                 }
+
+                if (resultTracked.extern) data.result = resultTracked.extern;
               }
             }
           }));

package/lib/dataflow/sinks/index.js

@@ -20,7 +20,7 @@ const { callChildComponentMethodsSync, Event, Rule } = require('@contrast/common
 const { isVulnerable } = require('../utils/is-vulnerable');
 const { isSafeContentType } = require('../utils/is-safe-content-type');
 
-module.exports = function(core) {
+module.exports = function (core) {
   const {
     logger,
     messages,
@@ -30,7 +30,7 @@ module.exports = function(core) {
   const sinkScopes = {
     [Rule.SQL_INJECTION]: new AsyncLocalStorage(),
     [Rule.NOSQL_INJECTION_MONGO]: new AsyncLocalStorage(),
-    ['unsafe-code-execution']: new AsyncLocalStorage()
+    [Rule.UNSAFE_CODE_EXECUTION]: new AsyncLocalStorage()
   };
   const sinks = core.assess.dataflow.sinks = {
     isVulnerable,
@@ -83,7 +83,7 @@ module.exports = function(core) {
   require('./install/sqlite3')(core);
   require('./install/vm')(core);
 
-  sinks.install = function() {
+  sinks.install = function () {
     callChildComponentMethodsSync(core.assess.dataflow.sinks, 'install');
   };