@contrast/assess 1.14.0 → 1.16.0

package/lib/dataflow/propagation/install/JSON/parse-fn.js

@@ -217,7 +217,7 @@ function processInput(input) {
     return number(input, 0);
   }
 
-  if (firstElement === '"') {
+  if (firstElement === '"' && lastElement === '"') {
     return string(input, 1);
   }
 
@@ -228,7 +228,7 @@ function processInput(input) {
     case 'null':
       return nully();
     default:
-      throw new Error('bad JSON');
+      return string(input, 0);
   }
 }
 

package/lib/dataflow/propagation/install/decode-uri-component.js

@@ -53,6 +53,9 @@ module.exports = function(core) {
           // the result is not tracked, so we don't need to check for that
           const history = [argInfo];
           const newTags = createFullLengthCopyTags(argInfo.tags, result.length);
+
+          if (!newTags) return;
+
           delete newTags[URL_ENCODED];
 
           if (!Object.keys(newTags).length) return;

package/lib/dataflow/propagation/install/escape-html.js

@@ -51,7 +51,7 @@ module.exports = function(core) {
             if (!argInfo) return;
 
             const resultInfo = tracker.getData(result);
-            const history = [argInfo];
+            const history = [{ ...argInfo }];
             const newTags = createFullLengthCopyTags(argInfo.tags, result.length);
 
             newTags[HTML_ENCODED] = [0, result.length - 1];

package/lib/dataflow/propagation/install/path/dirname.js

@@ -0,0 +1,112 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+const { isString } = require('@contrast/common');
+const { patchType } = require('../../common');
+const {
+  createArgTagsInResult
+} = require('./common');
+
+module.exports = function(core) {
+  const {
+    depHooks,
+    patcher,
+    scopes: { sources, instrumentation },
+    assess: {
+      eventFactory: { createPropagationEvent },
+      dataflow: { tracker },
+    },
+  } = core;
+
+  core.assess.dataflow.propagation.pathInstrumentation.dirname = {
+    install() {
+      depHooks.resolve({ name: 'path' }, (path) => {
+        for (const os of ['posix', 'win32']) {
+          const isWin32 = os === 'win32';
+
+          patcher.patch(path[os], 'dirname', {
+            name: `path.${os}.dirname`,
+            patchType,
+            post(data) {
+              const { args, result, name, hooked, orig } = data;
+              if (
+                !result ||
+                !sources.getStore()?.assess ||
+                instrumentation.isLocked()
+              )
+                return;
+
+              const pathStr = args[0];
+
+              if (!pathStr || !isString(pathStr)) return;
+
+              const strInfo = tracker.getData(pathStr);
+
+              if (!strInfo) return;
+
+              const { newTags } = createArgTagsInResult({
+                argStr: pathStr,
+                argTags: strInfo?.tags || {},
+                result,
+                lastIndex: result.length,
+                isWin32,
+              });
+
+              const event = newTags && createPropagationEvent({
+                name,
+                moduleName: 'path',
+                methodName: 'dirname',
+                context: `path.dirname('${strInfo.value}')`,
+                history: [strInfo],
+                object: {
+                  value: 'path',
+                  isTracked: false,
+                },
+                args: [
+                  {
+                    value: strInfo.value,
+                    tracked: true,
+                  },
+                ],
+                result: {
+                  value: result,
+                  tracked: true,
+                },
+                tags: newTags,
+                source: 'P',
+                target: 'R',
+                stacktraceOpts: {
+                  constructorOpt: hooked,
+                  prependFrames: [orig],
+                },
+              });
+
+              if (!event) return;
+
+              const { extern } = tracker.track(result, event);
+
+              if (extern) {
+                data.result = extern;
+              }
+            },
+          });
+        }
+      });
+    },
+  };
+
+  return core.assess.dataflow.propagation.pathInstrumentation.dirname;
+};

package/lib/dataflow/propagation/install/path/index.js

@@ -25,8 +25,10 @@ module.exports = function(core) {
   };
 
   require('./basename')(core);
-  require('./normalize')(core);
+  require('./dirname')(core);
   require('./join-and-resolve')(core);
+  require('./normalize')(core);
+  require('./relative')(core);
 
   return pathInstrumentation;
 };

package/lib/dataflow/propagation/install/path/relative.js

@@ -0,0 +1,123 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+const { isString } = require('@contrast/common');
+const { patchType } = require('../../common');
+const {
+  createArgTagsInResult,
+  excludeExtensionDotFromTags,
+} = require('./common');
+
+module.exports = function(core) {
+  const {
+    depHooks,
+    patcher,
+    scopes: { sources, instrumentation },
+    assess: {
+      eventFactory: { createPropagationEvent },
+      dataflow: { tracker },
+    },
+  } = core;
+
+  core.assess.dataflow.propagation.pathInstrumentation.relative = {
+    install() {
+      depHooks.resolve({ name: 'path' }, (path) => {
+        for (const os of ['posix', 'win32']) {
+          const isWin32 = os === 'win32';
+
+          patcher.patch(path[os], 'relative', {
+            name: `path.${os}.relative`,
+            patchType,
+            post(data) {
+              const { args, result, name, hooked, orig } = data;
+              if (
+                !result ||
+                !sources.getStore()?.assess ||
+                instrumentation.isLocked()
+              )
+                return;
+
+              const [fromStr, toStr] = args;
+
+              if (!toStr || !isString(toStr)) return;
+              const fromStrInfo = tracker.getData(fromStr);
+              const toStrInfo = tracker.getData(toStr);
+
+              if (!toStrInfo) return;
+
+              let { newTags } = createArgTagsInResult({
+                argStr: toStr,
+                argTags: toStrInfo?.tags || {},
+                result,
+                lastIndex: result.length,
+                isWin32
+              });
+
+              newTags = excludeExtensionDotFromTags({
+                result,
+                tags: newTags,
+                isWin32,
+              });
+
+              const event = newTags && createPropagationEvent({
+                name,
+                moduleName: 'path',
+                methodName: 'relative',
+                context: `path.relative('${fromStr}', '${toStr}')`,
+                history: [toStrInfo],
+                object: {
+                  value: 'path',
+                  isTracked: false,
+                },
+                args: [
+                  {
+                    value: fromStrInfo?.value || fromStr,
+                    tracked: !!fromStrInfo,
+                  },
+                  {
+                    value: toStrInfo?.value,
+                    tracked: !!toStrInfo,
+                  }
+                ],
+                result: {
+                  value: result,
+                  tracked: true,
+                },
+                tags: newTags,
+                source: 'P',
+                target: 'R',
+                stacktraceOpts: {
+                  constructorOpt: hooked,
+                  prependFrames: [orig],
+                },
+              });
+
+              if (!event) return;
+
+              const { extern } = tracker.track(result, event);
+
+              if (extern) {
+                data.result = extern;
+              }
+            },
+          });
+        }
+      });
+    },
+  };
+
+  return core.assess.dataflow.propagation.pathInstrumentation.relative;
+};

package/lib/dataflow/propagation/install/reg-exp-prototype-exec.js

@@ -36,6 +36,8 @@ module.exports = function(core) {
     metadata,
   }) {
     const tags = createSubsetTags(strInfo.tags, startIdx, match.length);
+    if (!tags) return null;
+
     const { name, obj, hooked, orig } = metadata;
 
     return createPropagationEvent({

package/lib/dataflow/propagation/install/validator/hooks.js

@@ -17,8 +17,11 @@
 const { validators, untrackers, sanitizers, custom } = require('./methods');
 const { patchType } = require('../../common');
 
-module.exports = function(core) {
+function getPatcherArgs(obj) {
+  return typeof obj === 'object' ? [obj, 'default'] : [obj];
+}
 
+module.exports = function (core) {
   const {
     depHooks,
     patcher,
@@ -62,9 +65,8 @@ module.exports = function(core) {
         depHooks.resolve(
           { name: 'validator', file: `lib/${validator}` },
           (index) => {
-            const patchFn = typeof index === 'object' ? index.default : index;
             const name = `validator.${validator}`;
-            return patcher.patch(patchFn, {
+            return patcher.patch(...getPatcherArgs(index), {
               name,
               patchType,
               post(data) {
@@ -98,7 +100,7 @@ module.exports = function(core) {
       untrackers.forEach((untracker) => {
         depHooks.resolve(
           { name: 'validator', file: `lib/${untracker}` },
-          (index) => patcher.patch(index.default, {
+          (index) => patcher.patch(...getPatcherArgs(index), {
             name: `validator.${untracker}`,
             patchType,
             post(data) {
@@ -115,7 +117,7 @@ module.exports = function(core) {
       for (const sanitizer in sanitizers) {
         depHooks.resolve(
           { name: 'validator', file: `lib/${sanitizer}` },
-          (index) => patcher.patch(index.default, {
+          (index) => patcher.patch(...getPatcherArgs(index), {
             name: `validator.${sanitizer}`,
             patchType,
             post(data) {
@@ -147,7 +149,7 @@ module.exports = function(core) {
       for (const method in custom) {
         depHooks.resolve(
           { name: 'validator', file: `lib/${method}` },
-          (index) => patcher.patch(index.default, {
+          (index) => patcher.patch(...getPatcherArgs(index), {
             name: `validator.${method}`,
             patchType,
             post(data) {

package/lib/dataflow/sinks/index.js

@@ -73,6 +73,7 @@ module.exports = function (core) {
   require('./install/eval')(core);
   require('./install/fs')(core);
   require('./install/function')(core);
+  require('./install/libxmljs')(core);
   require('./install/http')(core);
   require('./install/marsdb')(core);
   require('./install/mongodb')(core);

package/lib/dataflow/sinks/install/libxmljs.js

@@ -0,0 +1,128 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../common');
+const {
+  Rule: { XXE },
+  isString,
+  DataflowTag: {
+    UNTRUSTED,
+    ALPHANUM_SPACE_HYPHEN,
+    LIMITED_CHARS,
+  },
+  inspect
+} = require('@contrast/common');
+
+const safeTags = [
+  LIMITED_CHARS,
+  ALPHANUM_SPACE_HYPHEN
+];
+
+module.exports = function(core) {
+  const {
+    depHooks,
+    patcher,
+    scopes: { sources, instrumentation },
+    assess: {
+      eventFactory: { createSinkEvent },
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, reportFindings }
+      },
+    },
+  } = core;
+
+  const handler = (moduleName, newApi) => (module) => {
+    const checkOptions = newApi
+      ? (opts) => !opts?.noent && !opts?.replaceEntities
+      : (opts) => !opts?.noent;
+
+    const methods = newApi
+      ? ['parseXml', 'parseXmlAsync']
+      : ['parseXml', 'parseXmlString'];
+
+    methods.forEach((method) => {
+      patcher.patch(module, method, {
+        name: `${moduleName}.${method}`,
+        patchType,
+        pre(data) {
+          const store = sources.getStore()?.assess;
+          if (
+            !store ||
+            !data.args[0] ||
+            instrumentation.isLocked()
+          ) return;
+
+          const [xmlString, opts] = data.args;
+
+          if (!xmlString || !isString(xmlString) || checkOptions(opts)) {
+            return;
+          }
+
+          const strInfo = tracker.getData(xmlString);
+          if (!strInfo || !isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) {
+            return;
+          }
+
+          const event = createSinkEvent({
+            name: `${moduleName}.${method}`,
+            moduleName,
+            methodName: method,
+            context: `${moduleName}.${method}(${strInfo.value}, ${inspect(opts)})`,
+            history: [strInfo],
+            object: {
+              value: moduleName,
+              tracked: false,
+            },
+            args: [
+              {
+                value: strInfo.value,
+                tracked: true,
+              },
+            ],
+            tags: strInfo.tags,
+            source: 'P0',
+            stacktraceOpts: {
+              contructorOpt: data.hooked,
+              prependFrames: [data.orig]
+            },
+          });
+
+          if (event) {
+            reportFindings({
+              ruleId: XXE,
+              sinkEvent: event,
+            });
+          }
+        }
+      });
+    });
+  };
+
+  core.assess.dataflow.sinks.libxmljs = {
+    install() {
+      // libxmljs changed its API in version 1.0.0
+      depHooks.resolve({ name: 'libxmljs', version: '>=1' }, handler('libxmljs', true));
+
+      // libxmljs versions prior to 1.0.0 and libxmljs2 share the same API
+      depHooks.resolve({ name: 'libxmljs', version: '<1' }, handler('libxmljs', false));
+      depHooks.resolve({ name: 'libxmljs2' }, handler('libxmljs2', false));
+    },
+  };
+
+  return core.assess.dataflow.sinks.libxmljs;
+};

package/lib/dataflow/sources/index.js

@@ -32,6 +32,7 @@ module.exports = function (core) {
   require('./install/http')(core);
   require('./install/qs6')(core);
   require('./install/querystring')(core);
+  require('./install/multer1')(core);
 
   sources.install = function install() {
     callChildComponentMethodsSync(sources, 'install');

package/lib/dataflow/sources/install/multer1.js

@@ -0,0 +1,119 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { InputType } = require('@contrast/common');
+const { patchType } = require('../common');
+
+module.exports = (core) => {
+  const {
+    depHooks,
+    patcher,
+    logger,
+    assess,
+    scopes: { wrap },
+  } = core;
+
+  function handleFile(sourceContext, constructorOpt, req) {
+    try {
+      assess.dataflow.sources.handle({
+        context: 'req',
+        data: req,
+        keys: ['file'],
+        name: 'multer',
+        inputType: InputType.BODY,
+        sourceContext,
+        stacktraceOpts: {
+          constructorOpt,
+        },
+      });
+    } catch (err) {
+      logger.error({ err }, 'error handling multer Assess dataflow req.file source');
+    }
+  }
+
+  function handleFiles(sourceContext, constructorOpt, req) {
+    let i;
+    for (i = 0; i < req.files.length; i++) {
+      try {
+        assess.dataflow.sources.handle({
+          context: 'req.files',
+          data: req.files[i],
+          keys: [i],
+          name: 'multer',
+          inputType: InputType.BODY,
+          sourceContext,
+          stacktraceOpts: {
+            constructorOpt,
+          },
+        });
+      } catch (err) {
+        logger.error({ err }, 'error handling multer Assess dataflow req.files[%s] source', i);
+      }
+    }
+  }
+
+  function handleBody(sourceContext, constructorOpt, req) {
+    try {
+      assess.dataflow.sources.handle({
+        context: 'req',
+        data: req,
+        keys: ['body'],
+        name: 'multer',
+        inputType: InputType.BODY,
+        sourceContext,
+        stacktraceOpts: {
+          constructorOpt,
+        },
+      });
+    } catch (err) {
+      logger.error({ err }, 'error handling multer Assess dataflow req.body source');
+    }
+  }
+
+  const multer1Instrumentation = (core.assess.dataflow.sources.multer1Instrumentation = {
+    install() {
+      depHooks.resolve(
+        { name: 'multer', file: 'lib/make-middleware.js' },
+        (_export) => patcher.patch(_export, {
+          name: 'multer._makeMiddleware',
+          patchType,
+          post(data) {
+            data.result = patcher.patch(data.result, {
+              name: 'multerMiddleware',
+              patchType,
+              pre(data) {
+                const [req, , next, hooked] = data.args;
+
+                const sourceContext = core.scopes.sources.getStore()?.assess;
+                if (!sourceContext) return;
+
+                data.args[2] = wrap(function (...args) {
+                  if (req.file) handleFile(sourceContext, hooked, req);
+                  if (Array.isArray(req.files)) handleFiles(sourceContext, hooked, req);
+                  if (req.body && Object.keys(req.body).length) handleBody(sourceContext, hooked, req.body);
+                  next(...args);
+                });
+              },
+            });
+          },
+        }));
+
+    },
+  });
+
+  return multer1Instrumentation;
+};

package/lib/index.js

@@ -22,21 +22,23 @@ const responseScanning = require('./response-scanning');
 const eventFactory = require('./event-factory');
 
 module.exports = function assess(core) {
-  if (!core.config.assess.enable) return;
-
   const assess = core.assess = {};
 
-  // Does this order matter? Probably not
-  // 1. dataflow
   eventFactory(core);
   dataflow(core);
   responseScanning(core);
   sessionConfiguration(core);
 
-  // crypto
-  // static (in coordination with rewriter)
+  // todo
+  // crypto rule implementations
+  // static rule implementations in coordination with (CLI) rewriter
 
   assess.install = function() {
+    if (!core.config.getEffectiveValue('assess.enable')) {
+      core.logger.debug('assess is disabled, skipping installation');
+      return;
+    }
+
     core.rewriter.install('assess');
     callChildComponentMethodsSync(core.assess, 'install');
   };

package/lib/session-configuration/handlers.js

@@ -34,7 +34,7 @@ module.exports = function (core) {
     sessionConfiguration.reportFindings(sourceContext, {
       ruleId,
       sinkEvent,
-      props: {
+      properties: {
         evidence: cookieValue,
       },
     });

package/lib/session-configuration/index.js

@@ -22,6 +22,7 @@ module.exports = function(core) {
 
   require('./handlers')(core);
   require('./install/express-session')(core);
+  require('./install/hapi')(core);
 
   sessionConfiguration.install = function() {
     callChildComponentMethodsSync(sessionConfiguration, 'install');

package/lib/session-configuration/install/hapi.js

@@ -0,0 +1,108 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+
+const util = require('util');
+const { patchType } = require('../common');
+
+module.exports = function (core) {
+  const {
+    assess: {
+      eventFactory: { createSessionEvent },
+      sessionConfiguration: {
+        handleHttpOnly,
+        handleSecure,
+      },
+    },
+    depHooks,
+    patcher,
+    scopes: { sources },
+  } = core;
+
+  const hapiSession = core.assess.sessionConfiguration.hapiSession = {};
+
+  const inspect = patcher.unwrap(util.inspect);
+
+  hapiSession.install = function () {
+
+    return depHooks.resolve({ name: '@hapi/hapi', version: '>=18 <21' }, (hapi) => {
+      ['server', 'Server'].forEach((server) => {
+        patcher.patch(hapi, server, {
+          name: `hapi.${server}`,
+          patchType,
+          post(data) {
+            patcher.patch(data.result, 'state', {
+              name: 'state',
+              patchType,
+              post(data) {
+    
+                const options = data.args[1];
+    
+                const httpOnly = Object.prototype.hasOwnProperty.call(options, 'isHttpOnly') ? options.isHttpOnly : true;
+                const isSecure = Object.prototype.hasOwnProperty.call(options, 'isSecure') ? options.isSecure : true;
+    
+                if (httpOnly && isSecure) return;
+    
+                const sessionEvent = createSessionEvent({
+                  args: [{
+                    tracked: false,
+                    value: inspect(options),
+                  }],
+                  context: `state(${inspect(data.args)})`,
+                  history: [],
+                  name: `hapi.${server}.state`,
+                  moduleName: 'hapi',
+                  methodName: '',
+                  object: {
+                    tracked: false,
+                    value: `hapi.${server}`,
+                  },
+                  result: {
+                    tracked: false,
+                    value: undefined,
+                  },
+                  source: 'P1',
+                  stacktraceOpts: {
+                    constructorOpt: data.hooked,
+                  },
+                  framework: 'hapi',
+                  options
+                });
+    
+                data.obj.ext('onPostResponse', ({ response: { headers } }) => {
+                  const value = headers?.['set-cookie']?.[0];
+                  if (!value) return;
+    
+                  const sourceContext = sources.getStore()?.assess;
+                  if (!sourceContext) return;
+    
+                  if (!httpOnly) {
+                    handleHttpOnly(sourceContext, `set-cookie: ${value}`, sessionEvent);
+                  }
+    
+                  if (!isSecure) {
+                    handleSecure(sourceContext, `set-cookie: ${value}`, sessionEvent);
+                  }
+                });
+              }
+            });
+          }
+        });  
+      });
+    });
+  };
+
+  return hapiSession;
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.14.0",
+  "version": "1.16.0",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",