@contrast/assess 1.13.0 → 1.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (36) hide show
  1. package/lib/dataflow/propagation/install/JSON/parse-fn.js +2 -2
  2. package/lib/dataflow/propagation/install/buffer.js +6 -5
  3. package/lib/dataflow/propagation/install/contrast-methods/add.js +3 -0
  4. package/lib/dataflow/propagation/install/escape-html.js +1 -1
  5. package/lib/dataflow/propagation/install/joi/any.js +46 -0
  6. package/lib/dataflow/propagation/install/joi/boolean.js +109 -0
  7. package/lib/dataflow/propagation/install/joi/expression.js +99 -0
  8. package/lib/dataflow/propagation/install/joi/index.js +145 -8
  9. package/lib/dataflow/propagation/install/joi/number.js +107 -0
  10. package/lib/dataflow/propagation/install/joi/object.js +46 -0
  11. package/lib/dataflow/propagation/install/joi/string-schema.js +15 -51
  12. package/lib/dataflow/propagation/install/joi/utils.js +111 -0
  13. package/lib/dataflow/propagation/install/joi/values.js +21 -8
  14. package/lib/dataflow/propagation/install/path/basename.js +1 -3
  15. package/lib/dataflow/propagation/install/path/join-and-resolve.js +1 -3
  16. package/lib/dataflow/propagation/install/path/normalize.js +1 -3
  17. package/lib/dataflow/propagation/install/reg-exp-prototype-exec.js +7 -6
  18. package/lib/dataflow/propagation/install/string/match-all.js +6 -5
  19. package/lib/dataflow/propagation/install/string/match.js +14 -11
  20. package/lib/dataflow/propagation/install/string/replace.js +6 -5
  21. package/lib/dataflow/propagation/install/string/slice.js +3 -0
  22. package/lib/dataflow/propagation/install/string/split.js +6 -5
  23. package/lib/dataflow/propagation/install/string/substring.js +1 -3
  24. package/lib/dataflow/propagation/install/string/trim.js +2 -0
  25. package/lib/dataflow/propagation/install/url/parse.js +3 -8
  26. package/lib/dataflow/propagation/install/url/searchParams.js +7 -7
  27. package/lib/dataflow/propagation/install/validator/hooks.js +12 -10
  28. package/lib/dataflow/sinks/index.js +3 -3
  29. package/lib/dataflow/sinks/install/eval.js +63 -67
  30. package/lib/dataflow/sinks/install/function.js +87 -91
  31. package/lib/dataflow/sinks/install/vm.js +7 -7
  32. package/lib/dataflow/tracker.js +1 -3
  33. package/lib/session-configuration/handlers.js +1 -1
  34. package/lib/session-configuration/index.js +1 -0
  35. package/lib/session-configuration/install/hapi.js +108 -0
  36. package/package.json +6 -4
package/lib/dataflow/sinks/install/eval.js CHANGED
@@ -25,10 +25,10 @@ const {
25
25
  CUSTOM_VALIDATED,
26
26
  LIMITED_CHARS,
27
27
  },
28
+ Rule: { UNSAFE_CODE_EXECUTION },
28
29
  } = require('@contrast/common');
29
30
  const { patchType, filterSafeTags } = require('../common');
30
31
 
31
- const ruleId = 'unsafe-code-execution';
32
32
  const safeTags = [
33
33
  CUSTOM_ENCODED_TRUST_BOUNDARY_VIOLATION,
34
34
  CUSTOM_ENCODED,
@@ -37,7 +37,7 @@ const safeTags = [
37
37
  LIMITED_CHARS,
38
38
  ];
39
39
 
40
- module.exports = function(core) {
40
+ module.exports = function (core) {
41
41
  const {
42
42
  config,
43
43
  logger,
@@ -55,83 +55,79 @@ module.exports = function(core) {
55
55
  core.assess.dataflow.sinks.contrastEval = {
56
56
  install() {
57
57
  if (!global.ContrastMethods?.eval) {
58
- logger.error(
59
- 'Cannot install `eval` instrumentation - Contrast method DNE'
60
- );
58
+ logger.error('Cannot install `eval` instrumentation - Contrast method DNE');
61
59
  return;
62
60
  }
63
61
 
64
- Object.assign(global.ContrastMethods, {
65
- eval: patcher.patch(global.ContrastMethods.eval, {
66
- name: 'global.ContrastMethods.eval',
67
- patchType,
68
- pre({ args: origArgs, hooked, orig, name }) {
69
- const store = sources.getStore()?.assess;
70
- const script = origArgs[0];
71
- if (
72
- !store ||
73
- instrumentation.isLocked() ||
74
- !script ||
75
- !isString(script)
76
- )
77
- return;
62
+ patcher.patch(global.ContrastMethods, 'eval', {
63
+ name: 'global.ContrastMethods.eval',
64
+ patchType,
65
+ pre({ args, orig }) {
66
+ const store = sources.getStore()?.assess;
67
+ const script = args[0];
68
+ if (
69
+ !store ||
70
+ instrumentation.isLocked() ||
71
+ !script ||
72
+ !isString(script)
73
+ ) {
74
+ return;
75
+ }
78
76
 
79
- const strInfo = tracker.getData(script);
77
+ const strInfo = tracker.getData(script);
80
78
 
81
- if (!strInfo) return;
79
+ if (!strInfo) return;
82
80
 
83
- const isArgVulnerable = isVulnerable(
84
- UNTRUSTED,
85
- safeTags,
86
- strInfo.tags
87
- );
81
+ const isArgVulnerable = isVulnerable(
82
+ UNTRUSTED,
83
+ safeTags,
84
+ strInfo.tags
85
+ );
88
86
 
89
- if (!isArgVulnerable && config.assess.safe_positives.enable) {
90
- const foundSafeTags = filterSafeTags(safeTags, strInfo);
91
- const safeStrInfo = {
92
- value: strInfo.value,
93
- tags: strInfo.tags,
94
- };
87
+ if (!isArgVulnerable && config.assess.safe_positives.enable) {
88
+ const foundSafeTags = filterSafeTags(safeTags, strInfo);
89
+ const safeStrInfo = {
90
+ value: strInfo.value,
91
+ tags: strInfo.tags,
92
+ };
95
93
 
96
- reportSafePositive({
97
- name,
98
- ruleId,
99
- safeTags: foundSafeTags,
100
- strInfo: safeStrInfo,
101
- });
102
- }
94
+ reportSafePositive({
95
+ name: 'eval',
96
+ ruleId: UNSAFE_CODE_EXECUTION,
97
+ safeTags: foundSafeTags,
98
+ strInfo: safeStrInfo,
99
+ });
100
+ }
103
101
 
104
- if (isArgVulnerable) {
105
- const event = createSinkEvent({
106
- name,
107
- context: `${name}('${strInfo.value}')`,
108
- history: [strInfo],
109
- object: {
110
- value: 'global.ContrastMethods',
111
- tracked: false,
112
- },
113
- moduleName: 'global.ContrastMethods',
114
- methodName: 'eval',
115
- args: [{ value: strInfo.value, tracked: true }],
116
- tags: strInfo.tags,
117
- source: 'P0',
118
- stacktraceOpts: {
119
- contructorOpt: hooked,
120
- prependFrames: [orig],
121
- },
122
- });
102
+ if (isArgVulnerable) {
103
+ const event = createSinkEvent({
104
+ name: 'eval',
105
+ context: `eval('${strInfo.value}')`,
106
+ history: [strInfo],
107
+ object: {
108
+ value: 'global',
109
+ tracked: false,
110
+ },
111
+ moduleName: 'global',
112
+ methodName: 'eval',
113
+ args: [{ value: strInfo.value, tracked: true }],
114
+ tags: strInfo.tags,
115
+ source: 'P0',
116
+ stacktraceOpts: {
117
+ contructorOpt: orig
118
+ },
119
+ });
123
120
 
124
- if (event) {
125
- reportFindings({
126
- ruleId,
127
- sinkEvent: event,
128
- });
129
- }
121
+ if (event) {
122
+ reportFindings({
123
+ ruleId: UNSAFE_CODE_EXECUTION,
124
+ sinkEvent: event,
125
+ });
130
126
  }
131
- },
132
- }),
127
+ }
128
+ },
133
129
  });
134
- },
130
+ }
135
131
  };
136
132
 
137
133
  return core.assess.dataflow.sinks.contrastEval;
package/lib/dataflow/sinks/install/function.js CHANGED
@@ -27,10 +27,10 @@ const {
27
27
  CUSTOM_VALIDATED,
28
28
  LIMITED_CHARS,
29
29
  },
30
+ Rule: { UNSAFE_CODE_EXECUTION }
30
31
  } = require('@contrast/common');
31
32
  const { patchType, filterSafeTags } = require('../common');
32
33
 
33
- const ruleId = 'unsafe-code-execution';
34
34
  const safeTags = [
35
35
  CUSTOM_ENCODED_TRUST_BOUNDARY_VIOLATION,
36
36
  CUSTOM_ENCODED,
@@ -39,7 +39,7 @@ const safeTags = [
39
39
  LIMITED_CHARS,
40
40
  ];
41
41
 
42
- module.exports = function(core) {
42
+ module.exports = function (core) {
43
43
  const {
44
44
  config,
45
45
  logger,
@@ -57,103 +57,99 @@ module.exports = function(core) {
57
57
  core.assess.dataflow.sinks.contrastFunction = {
58
58
  install() {
59
59
  if (!global.ContrastMethods?.Function) {
60
- logger.error(
61
- 'Cannot install `Function` instrumentation - Contrast method DNE'
62
- );
60
+ logger.error('Cannot install `Function` instrumentation - Contrast method DNE');
63
61
  return;
64
62
  }
65
63
 
66
- Object.assign(global.ContrastMethods, {
67
- Function: patcher.patch(global.ContrastMethods.Function, {
68
- name: 'global.ContrastMethods.Function',
69
- patchType,
70
- pre({ args: origArgs, hooked, orig, name }) {
71
- const store = sources.getStore()?.assess;
72
- const fnBody = origArgs[origArgs.length - 1];
73
- if (
74
- !store ||
75
- instrumentation.isLocked() ||
76
- !fnBody ||
77
- !isString(fnBody)
78
- )
79
- return;
80
-
81
- const strInfo = tracker.getData(fnBody);
82
-
83
- if (!strInfo) return;
84
-
85
- const isArgVulnerable = isVulnerable(UNTRUSTED, safeTags, strInfo.tags);
86
-
87
- if (!isArgVulnerable && config.assess.safe_positives.enable) {
88
- const foundSafeTags = filterSafeTags(safeTags, strInfo);
89
- const safeStrInfo = {
90
- value: strInfo.value,
91
- tags: strInfo.tags,
92
- };
93
-
94
- reportSafePositive({
95
- name,
96
- ruleId,
97
- safeTags: foundSafeTags,
98
- strInfo: safeStrInfo,
99
- });
100
- }
101
-
102
- if (isArgVulnerable) {
103
- const args = origArgs.map((arg, idx) => {
104
- if (idx === origArgs.length - 1) {
105
- return {
106
- value: strInfo.value,
107
- tracked: true,
108
- inspectedValue: `'${strInfo.value}'`,
109
- };
110
- }
111
-
112
- const inspectedValue = inspect(arg);
113
- const argInfo = arg && isString(arg) ? tracker.getData(arg) : null;
114
-
64
+ patcher.patch(global.ContrastMethods, 'Function', {
65
+ name: 'global.ContrastMethods.Function',
66
+ patchType,
67
+ pre({ args: origArgs, hooked, orig, name }) {
68
+ const store = sources.getStore()?.assess;
69
+ const fnBody = origArgs[origArgs.length - 1];
70
+ if (
71
+ !store ||
72
+ instrumentation.isLocked() ||
73
+ !fnBody ||
74
+ !isString(fnBody)
75
+ )
76
+ return;
77
+
78
+ const strInfo = tracker.getData(fnBody);
79
+
80
+ if (!strInfo) return;
81
+
82
+ const isArgVulnerable = isVulnerable(UNTRUSTED, safeTags, strInfo.tags);
83
+
84
+ if (!isArgVulnerable && config.assess.safe_positives.enable) {
85
+ const foundSafeTags = filterSafeTags(safeTags, strInfo);
86
+ const safeStrInfo = {
87
+ value: strInfo.value,
88
+ tags: strInfo.tags,
89
+ };
90
+
91
+ reportSafePositive({
92
+ name,
93
+ ruleId: UNSAFE_CODE_EXECUTION,
94
+ safeTags: foundSafeTags,
95
+ strInfo: safeStrInfo,
96
+ });
97
+ }
98
+
99
+ if (isArgVulnerable) {
100
+ const args = origArgs.map((arg, idx) => {
101
+ if (idx === origArgs.length - 1) {
115
102
  return {
116
- value: argInfo ? argInfo.value : inspectedValue,
117
- tracked: !!argInfo,
118
- inspectedValue
103
+ value: strInfo.value,
104
+ tracked: true,
105
+ inspectedValue: `'${strInfo.value}'`,
119
106
  };
120
- });
121
- const event = createSinkEvent({
122
- name,
123
- context: `${name}(${join(
124
- args.map((a) => a.inspectedValue),
125
- ', '
126
- )})`,
127
- history: [strInfo],
128
- object: {
129
- value: 'global.ContrastMethods',
130
- tracked: false,
131
- },
132
- moduleName: 'global.ContrastMethods',
133
- methodName: 'Function',
134
- args: args.map((a) => ({
135
- value: a.value,
136
- tracked: a.tracked,
137
- })),
138
- tags: strInfo.tags,
139
- source: `P${origArgs.length - 1}`,
140
- stacktraceOpts: {
141
- contructorOpt: hooked,
142
- prependFrames: [orig],
143
- },
144
- });
145
-
146
- if (event) {
147
- reportFindings({
148
- ruleId,
149
- sinkEvent: event,
150
- });
151
107
  }
108
+
109
+ const inspectedValue = inspect(arg);
110
+ const argInfo = arg && isString(arg) ? tracker.getData(arg) : null;
111
+
112
+ return {
113
+ value: argInfo ? argInfo.value : inspectedValue,
114
+ tracked: !!argInfo,
115
+ inspectedValue
116
+ };
117
+ });
118
+ const event = createSinkEvent({
119
+ name,
120
+ context: `${name}(${join(
121
+ args.map((a) => a.inspectedValue),
122
+ ', '
123
+ )})`,
124
+ history: [strInfo],
125
+ object: {
126
+ value: 'global.ContrastMethods',
127
+ tracked: false,
128
+ },
129
+ moduleName: 'global.ContrastMethods',
130
+ methodName: 'Function',
131
+ args: args.map((a) => ({
132
+ value: a.value,
133
+ tracked: a.tracked,
134
+ })),
135
+ tags: strInfo.tags,
136
+ source: `P${origArgs.length - 1}`,
137
+ stacktraceOpts: {
138
+ contructorOpt: hooked,
139
+ prependFrames: [orig],
140
+ },
141
+ });
142
+
143
+ if (event) {
144
+ reportFindings({
145
+ ruleId: UNSAFE_CODE_EXECUTION,
146
+ sinkEvent: event,
147
+ });
152
148
  }
153
- },
154
- }),
149
+ }
150
+ },
155
151
  });
156
- },
152
+ }
157
153
  };
158
154
 
159
155
  return core.assess.dataflow.sinks.contrastFunction;
package/lib/dataflow/sinks/install/vm.js CHANGED
@@ -25,6 +25,7 @@ const {
25
25
  CUSTOM_VALIDATED,
26
26
  LIMITED_CHARS,
27
27
  },
28
+ Rule: { UNSAFE_CODE_EXECUTION },
28
29
  isNonEmptyObject,
29
30
  inspect,
30
31
  traverseValues,
@@ -32,7 +33,6 @@ const {
32
33
  split,
33
34
  } = require('@contrast/common');
34
35
  const { createAdjustedQueryTags } = require('../../tag-utils');
35
- const ruleId = 'unsafe-code-execution';
36
36
  const safeTags = [
37
37
  CUSTOM_ENCODED_TRUST_BOUNDARY_VIOLATION,
38
38
  CUSTOM_ENCODED,
@@ -41,7 +41,7 @@ const safeTags = [
41
41
  LIMITED_CHARS,
42
42
  ];
43
43
 
44
- module.exports = function(core) {
44
+ module.exports = function (core) {
45
45
  const {
46
46
  config,
47
47
  depHooks,
@@ -137,7 +137,7 @@ module.exports = function(core) {
137
137
  if (
138
138
  !store ||
139
139
  instrumentation.isLocked() ||
140
- isLocked('unsafe-code-execution')
140
+ isLocked(UNSAFE_CODE_EXECUTION)
141
141
  ) {
142
142
  return next();
143
143
  }
@@ -189,13 +189,13 @@ module.exports = function(core) {
189
189
 
190
190
  reportSafePositive({
191
191
  name,
192
- ruleId,
192
+ ruleId: UNSAFE_CODE_EXECUTION,
193
193
  safeTags: Array.from(foundSafeTags),
194
194
  strInfo,
195
195
  });
196
196
 
197
197
  return name === 'vm.runInNewContext'
198
- ? runInActiveSink('unsafe-code-execution', () => next())
198
+ ? runInActiveSink(UNSAFE_CODE_EXECUTION, () => next())
199
199
  : next();
200
200
  }
201
201
 
@@ -233,14 +233,14 @@ module.exports = function(core) {
233
233
 
234
234
  if (event) {
235
235
  reportFindings({
236
- ruleId,
236
+ ruleId: UNSAFE_CODE_EXECUTION,
237
237
  sinkEvent: event,
238
238
  });
239
239
  }
240
240
  }
241
241
 
242
242
  return name === 'vm.runInNewContext'
243
- ? runInActiveSink('unsafe-code-execution', () => next())
243
+ ? runInActiveSink(UNSAFE_CODE_EXECUTION, () => next())
244
244
  : next();
245
245
  }
246
246
 
package/lib/dataflow/tracker.js CHANGED
@@ -98,11 +98,9 @@ module.exports = function tracker(core) {
98
98
 
99
99
  const externMetadata = distringuish.getProperties(extern);
100
100
  metadata.value = value;
101
- metadata.extern = extern;
102
101
 
103
102
  ret = Object.assign(externMetadata, metadata);
104
-
105
- return ret;
103
+ return { ...ret, extern };
106
104
  } else if (typeof value === 'object') {
107
105
  const objInfo = objMap.get(value);
108
106
  if (objInfo) {
package/lib/session-configuration/handlers.js CHANGED
@@ -34,7 +34,7 @@ module.exports = function (core) {
34
34
  sessionConfiguration.reportFindings(sourceContext, {
35
35
  ruleId,
36
36
  sinkEvent,
37
- props: {
37
+ properties: {
38
38
  evidence: cookieValue,
39
39
  },
40
40
  });
package/lib/session-configuration/index.js CHANGED
@@ -22,6 +22,7 @@ module.exports = function(core) {
22
22
 
23
23
  require('./handlers')(core);
24
24
  require('./install/express-session')(core);
25
+ require('./install/hapi')(core);
25
26
 
26
27
  sessionConfiguration.install = function() {
27
28
  callChildComponentMethodsSync(sessionConfiguration, 'install');
package/lib/session-configuration/install/hapi.js ADDED
@@ -0,0 +1,108 @@
1
+ /*
2
+ * Copyright: 2023 Contrast Security, Inc
3
+ * Contact: support@contrastsecurity.com
4
+ * License: Commercial
5
+
6
+ * NOTICE: This Software and the patented inventions embodied within may only be
7
+ * used as part of Contrast Security’s commercial offerings. Even though it is
8
+ * made available through public repositories, use of this Software is subject to
9
+ * the applicable End User Licensing Agreement found at
10
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
11
+ * between Contrast Security and the End User. The Software may not be reverse
12
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
13
+ * way not consistent with the End User License Agreement.
14
+ */
15
+ 'use strict';
16
+
17
+ const util = require('util');
18
+ const { patchType } = require('../common');
19
+
20
+ module.exports = function (core) {
21
+ const {
22
+ assess: {
23
+ eventFactory: { createSessionEvent },
24
+ sessionConfiguration: {
25
+ handleHttpOnly,
26
+ handleSecure,
27
+ },
28
+ },
29
+ depHooks,
30
+ patcher,
31
+ scopes: { sources },
32
+ } = core;
33
+
34
+ const hapiSession = core.assess.sessionConfiguration.hapiSession = {};
35
+
36
+ const inspect = patcher.unwrap(util.inspect);
37
+
38
+ hapiSession.install = function () {
39
+
40
+ return depHooks.resolve({ name: '@hapi/hapi', version: '>=18 <21' }, (hapi) => {
41
+ ['server', 'Server'].forEach((server) => {
42
+ patcher.patch(hapi, server, {
43
+ name: `hapi.${server}`,
44
+ patchType,
45
+ post(data) {
46
+ patcher.patch(data.result, 'state', {
47
+ name: 'state',
48
+ patchType,
49
+ post(data) {
50
+
51
+ const options = data.args[1];
52
+
53
+ const httpOnly = Object.prototype.hasOwnProperty.call(options, 'isHttpOnly') ? options.isHttpOnly : true;
54
+ const isSecure = Object.prototype.hasOwnProperty.call(options, 'isSecure') ? options.isSecure : true;
55
+
56
+ if (httpOnly && isSecure) return;
57
+
58
+ const sessionEvent = createSessionEvent({
59
+ args: [{
60
+ tracked: false,
61
+ value: inspect(options),
62
+ }],
63
+ context: `state(${inspect(data.args)})`,
64
+ history: [],
65
+ name: `hapi.${server}.state`,
66
+ moduleName: 'hapi',
67
+ methodName: '',
68
+ object: {
69
+ tracked: false,
70
+ value: `hapi.${server}`,
71
+ },
72
+ result: {
73
+ tracked: false,
74
+ value: undefined,
75
+ },
76
+ source: 'P1',
77
+ stacktraceOpts: {
78
+ constructorOpt: data.hooked,
79
+ },
80
+ framework: 'hapi',
81
+ options
82
+ });
83
+
84
+ data.obj.ext('onPostResponse', ({ response: { headers } }) => {
85
+ const value = headers?.['set-cookie']?.[0];
86
+ if (!value) return;
87
+
88
+ const sourceContext = sources.getStore()?.assess;
89
+ if (!sourceContext) return;
90
+
91
+ if (!httpOnly) {
92
+ handleHttpOnly(sourceContext, `set-cookie: ${value}`, sessionEvent);
93
+ }
94
+
95
+ if (!isSecure) {
96
+ handleSecure(sourceContext, `set-cookie: ${value}`, sessionEvent);
97
+ }
98
+ });
99
+ }
100
+ });
101
+ }
102
+ });
103
+ });
104
+ });
105
+ };
106
+
107
+ return hapiSession;
108
+ };
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@contrast/assess",
3
- "version": "1.13.0",
3
+ "version": "1.15.0",
4
4
  "description": "Contrast service providing framework-agnostic Assess support",
5
5
  "license": "SEE LICENSE IN LICENSE",
6
6
  "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -13,10 +13,12 @@
13
13
  "npm": ">=6.13.7 <7 || >= 8.3.1",
14
14
  "node": ">= 14.15.0"
15
15
  },
16
+ "scripts": {
17
+ "test": "../scripts/test.sh"
18
+ },
16
19
  "dependencies": {
20
+ "@contrast/common": "1.15.1",
17
21
  "@contrast/distringuish": "^4.4.0",
18
- "@contrast/scopes": "1.4.0",
19
- "@contrast/common": "1.15.0",
20
- "parseurl": "^1.3.3"
22
+ "@contrast/scopes": "1.4.0"
21
23
  }
22
24
  }