@contrast/assess 1.15.0 → 1.16.1

package/lib/dataflow/propagation/install/JSON/parse.js

@@ -130,31 +130,28 @@ module.exports = function (core) {
         name: 'JSON.prototype.parse',
         patchType,
         pre(data) {
-          if (!sources.getStore()?.assess || instrumentation.isLocked()) return;
-          const input = data.args[0];
+          if (!data.args[0] || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+          const [input, reviver] = data.args;
 
           const strInfo = tracker.getData(input);
           if (!strInfo) return;
 
-          const reviver = data.args[1];
           const stack = [];
-          let keyValueIndexes;
+          let keyValueIndexes = [];
 
           try {
             keyValueIndexes = getKeyValueIndexes(input);
           } catch (error) {
             logger.warn({ error, string: input }, 'JSON.parse() propagation failed');
-            keyValueIndexes = [];
           }
 
-          // Error found, continue without instrumentation
           if (keyValueIndexes.length === 0) return;
 
           let i = 0;
           function contrastParseReviver(key, value) {
             const { value: [startIndex, endIndex] } = keyValueIndexes[i];
 
-            if (!isString(value)) {
+            if (!value || !isString(value)) {
               return reviver ? reviver(key, value) : value;
             }
 
@@ -173,7 +170,7 @@ module.exports = function (core) {
           }
 
           data.args[1] = function (key, value) {
-            if (typeof value === 'object') {
+            if (value && typeof value === 'object') {
               applyValuesToObject(value, stack);
             }
 

package/lib/dataflow/propagation/install/decode-uri-component.js

@@ -53,6 +53,9 @@ module.exports = function(core) {
           // the result is not tracked, so we don't need to check for that
           const history = [argInfo];
           const newTags = createFullLengthCopyTags(argInfo.tags, result.length);
+
+          if (!newTags) return;
+
           delete newTags[URL_ENCODED];
 
           if (!Object.keys(newTags).length) return;

package/lib/dataflow/propagation/install/path/dirname.js

@@ -0,0 +1,112 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+const { isString } = require('@contrast/common');
+const { patchType } = require('../../common');
+const {
+  createArgTagsInResult
+} = require('./common');
+
+module.exports = function(core) {
+  const {
+    depHooks,
+    patcher,
+    scopes: { sources, instrumentation },
+    assess: {
+      eventFactory: { createPropagationEvent },
+      dataflow: { tracker },
+    },
+  } = core;
+
+  core.assess.dataflow.propagation.pathInstrumentation.dirname = {
+    install() {
+      depHooks.resolve({ name: 'path' }, (path) => {
+        for (const os of ['posix', 'win32']) {
+          const isWin32 = os === 'win32';
+
+          patcher.patch(path[os], 'dirname', {
+            name: `path.${os}.dirname`,
+            patchType,
+            post(data) {
+              const { args, result, name, hooked, orig } = data;
+              if (
+                !result ||
+                !sources.getStore()?.assess ||
+                instrumentation.isLocked()
+              )
+                return;
+
+              const pathStr = args[0];
+
+              if (!pathStr || !isString(pathStr)) return;
+
+              const strInfo = tracker.getData(pathStr);
+
+              if (!strInfo) return;
+
+              const { newTags } = createArgTagsInResult({
+                argStr: pathStr,
+                argTags: strInfo?.tags || {},
+                result,
+                lastIndex: result.length,
+                isWin32,
+              });
+
+              const event = newTags && createPropagationEvent({
+                name,
+                moduleName: 'path',
+                methodName: 'dirname',
+                context: `path.dirname('${strInfo.value}')`,
+                history: [strInfo],
+                object: {
+                  value: 'path',
+                  isTracked: false,
+                },
+                args: [
+                  {
+                    value: strInfo.value,
+                    tracked: true,
+                  },
+                ],
+                result: {
+                  value: result,
+                  tracked: true,
+                },
+                tags: newTags,
+                source: 'P',
+                target: 'R',
+                stacktraceOpts: {
+                  constructorOpt: hooked,
+                  prependFrames: [orig],
+                },
+              });
+
+              if (!event) return;
+
+              const { extern } = tracker.track(result, event);
+
+              if (extern) {
+                data.result = extern;
+              }
+            },
+          });
+        }
+      });
+    },
+  };
+
+  return core.assess.dataflow.propagation.pathInstrumentation.dirname;
+};

package/lib/dataflow/propagation/install/path/index.js

@@ -25,8 +25,10 @@ module.exports = function(core) {
   };
 
   require('./basename')(core);
-  require('./normalize')(core);
+  require('./dirname')(core);
   require('./join-and-resolve')(core);
+  require('./normalize')(core);
+  require('./relative')(core);
 
   return pathInstrumentation;
 };

package/lib/dataflow/propagation/install/path/relative.js

@@ -0,0 +1,123 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+const { isString } = require('@contrast/common');
+const { patchType } = require('../../common');
+const {
+  createArgTagsInResult,
+  excludeExtensionDotFromTags,
+} = require('./common');
+
+module.exports = function(core) {
+  const {
+    depHooks,
+    patcher,
+    scopes: { sources, instrumentation },
+    assess: {
+      eventFactory: { createPropagationEvent },
+      dataflow: { tracker },
+    },
+  } = core;
+
+  core.assess.dataflow.propagation.pathInstrumentation.relative = {
+    install() {
+      depHooks.resolve({ name: 'path' }, (path) => {
+        for (const os of ['posix', 'win32']) {
+          const isWin32 = os === 'win32';
+
+          patcher.patch(path[os], 'relative', {
+            name: `path.${os}.relative`,
+            patchType,
+            post(data) {
+              const { args, result, name, hooked, orig } = data;
+              if (
+                !result ||
+                !sources.getStore()?.assess ||
+                instrumentation.isLocked()
+              )
+                return;
+
+              const [fromStr, toStr] = args;
+
+              if (!toStr || !isString(toStr)) return;
+              const fromStrInfo = tracker.getData(fromStr);
+              const toStrInfo = tracker.getData(toStr);
+
+              if (!toStrInfo) return;
+
+              let { newTags } = createArgTagsInResult({
+                argStr: toStr,
+                argTags: toStrInfo?.tags || {},
+                result,
+                lastIndex: result.length,
+                isWin32
+              });
+
+              newTags = excludeExtensionDotFromTags({
+                result,
+                tags: newTags,
+                isWin32,
+              });
+
+              const event = newTags && createPropagationEvent({
+                name,
+                moduleName: 'path',
+                methodName: 'relative',
+                context: `path.relative('${fromStr}', '${toStr}')`,
+                history: [toStrInfo],
+                object: {
+                  value: 'path',
+                  isTracked: false,
+                },
+                args: [
+                  {
+                    value: fromStrInfo?.value || fromStr,
+                    tracked: !!fromStrInfo,
+                  },
+                  {
+                    value: toStrInfo?.value,
+                    tracked: !!toStrInfo,
+                  }
+                ],
+                result: {
+                  value: result,
+                  tracked: true,
+                },
+                tags: newTags,
+                source: 'P',
+                target: 'R',
+                stacktraceOpts: {
+                  constructorOpt: hooked,
+                  prependFrames: [orig],
+                },
+              });
+
+              if (!event) return;
+
+              const { extern } = tracker.track(result, event);
+
+              if (extern) {
+                data.result = extern;
+              }
+            },
+          });
+        }
+      });
+    },
+  };
+
+  return core.assess.dataflow.propagation.pathInstrumentation.relative;
+};

package/lib/dataflow/propagation/install/reg-exp-prototype-exec.js

@@ -36,6 +36,8 @@ module.exports = function(core) {
     metadata,
   }) {
     const tags = createSubsetTags(strInfo.tags, startIdx, match.length);
+    if (!tags) return null;
+
     const { name, obj, hooked, orig } = metadata;
 
     return createPropagationEvent({

package/lib/dataflow/sinks/index.js

@@ -73,6 +73,7 @@ module.exports = function (core) {
   require('./install/eval')(core);
   require('./install/fs')(core);
   require('./install/function')(core);
+  require('./install/libxmljs')(core);
   require('./install/http')(core);
   require('./install/marsdb')(core);
   require('./install/mongodb')(core);

package/lib/dataflow/sinks/install/libxmljs.js

@@ -0,0 +1,128 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../common');
+const {
+  Rule: { XXE },
+  isString,
+  DataflowTag: {
+    UNTRUSTED,
+    ALPHANUM_SPACE_HYPHEN,
+    LIMITED_CHARS,
+  },
+  inspect
+} = require('@contrast/common');
+
+const safeTags = [
+  LIMITED_CHARS,
+  ALPHANUM_SPACE_HYPHEN
+];
+
+module.exports = function(core) {
+  const {
+    depHooks,
+    patcher,
+    scopes: { sources, instrumentation },
+    assess: {
+      eventFactory: { createSinkEvent },
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, reportFindings }
+      },
+    },
+  } = core;
+
+  const handler = (moduleName, newApi) => (module) => {
+    const checkOptions = newApi
+      ? (opts) => !opts?.noent && !opts?.replaceEntities
+      : (opts) => !opts?.noent;
+
+    const methods = newApi
+      ? ['parseXml', 'parseXmlAsync']
+      : ['parseXml', 'parseXmlString'];
+
+    methods.forEach((method) => {
+      patcher.patch(module, method, {
+        name: `${moduleName}.${method}`,
+        patchType,
+        pre(data) {
+          const store = sources.getStore()?.assess;
+          if (
+            !store ||
+            !data.args[0] ||
+            instrumentation.isLocked()
+          ) return;
+
+          const [xmlString, opts] = data.args;
+
+          if (!xmlString || !isString(xmlString) || checkOptions(opts)) {
+            return;
+          }
+
+          const strInfo = tracker.getData(xmlString);
+          if (!strInfo || !isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) {
+            return;
+          }
+
+          const event = createSinkEvent({
+            name: `${moduleName}.${method}`,
+            moduleName,
+            methodName: method,
+            context: `${moduleName}.${method}(${strInfo.value}, ${inspect(opts)})`,
+            history: [strInfo],
+            object: {
+              value: moduleName,
+              tracked: false,
+            },
+            args: [
+              {
+                value: strInfo.value,
+                tracked: true,
+              },
+            ],
+            tags: strInfo.tags,
+            source: 'P0',
+            stacktraceOpts: {
+              contructorOpt: data.hooked,
+              prependFrames: [data.orig]
+            },
+          });
+
+          if (event) {
+            reportFindings({
+              ruleId: XXE,
+              sinkEvent: event,
+            });
+          }
+        }
+      });
+    });
+  };
+
+  core.assess.dataflow.sinks.libxmljs = {
+    install() {
+      // libxmljs changed its API in version 1.0.0
+      depHooks.resolve({ name: 'libxmljs', version: '>=1' }, handler('libxmljs', true));
+
+      // libxmljs versions prior to 1.0.0 and libxmljs2 share the same API
+      depHooks.resolve({ name: 'libxmljs', version: '<1' }, handler('libxmljs', false));
+      depHooks.resolve({ name: 'libxmljs2' }, handler('libxmljs2', false));
+    },
+  };
+
+  return core.assess.dataflow.sinks.libxmljs;
+};

package/lib/dataflow/sources/index.js

@@ -32,6 +32,7 @@ module.exports = function (core) {
   require('./install/http')(core);
   require('./install/qs6')(core);
   require('./install/querystring')(core);
+  require('./install/multer1')(core);
 
   sources.install = function install() {
     callChildComponentMethodsSync(sources, 'install');

package/lib/dataflow/sources/install/multer1.js

@@ -0,0 +1,119 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { InputType } = require('@contrast/common');
+const { patchType } = require('../common');
+
+module.exports = (core) => {
+  const {
+    depHooks,
+    patcher,
+    logger,
+    assess,
+    scopes: { wrap },
+  } = core;
+
+  function handleFile(sourceContext, constructorOpt, req) {
+    try {
+      assess.dataflow.sources.handle({
+        context: 'req',
+        data: req,
+        keys: ['file'],
+        name: 'multer',
+        inputType: InputType.BODY,
+        sourceContext,
+        stacktraceOpts: {
+          constructorOpt,
+        },
+      });
+    } catch (err) {
+      logger.error({ err }, 'error handling multer Assess dataflow req.file source');
+    }
+  }
+
+  function handleFiles(sourceContext, constructorOpt, req) {
+    let i;
+    for (i = 0; i < req.files.length; i++) {
+      try {
+        assess.dataflow.sources.handle({
+          context: 'req.files',
+          data: req.files[i],
+          keys: [i],
+          name: 'multer',
+          inputType: InputType.BODY,
+          sourceContext,
+          stacktraceOpts: {
+            constructorOpt,
+          },
+        });
+      } catch (err) {
+        logger.error({ err }, 'error handling multer Assess dataflow req.files[%s] source', i);
+      }
+    }
+  }
+
+  function handleBody(sourceContext, constructorOpt, req) {
+    try {
+      assess.dataflow.sources.handle({
+        context: 'req',
+        data: req,
+        keys: ['body'],
+        name: 'multer',
+        inputType: InputType.BODY,
+        sourceContext,
+        stacktraceOpts: {
+          constructorOpt,
+        },
+      });
+    } catch (err) {
+      logger.error({ err }, 'error handling multer Assess dataflow req.body source');
+    }
+  }
+
+  const multer1Instrumentation = (core.assess.dataflow.sources.multer1Instrumentation = {
+    install() {
+      depHooks.resolve(
+        { name: 'multer', file: 'lib/make-middleware.js' },
+        (_export) => patcher.patch(_export, {
+          name: 'multer._makeMiddleware',
+          patchType,
+          post(data) {
+            data.result = patcher.patch(data.result, {
+              name: 'multerMiddleware',
+              patchType,
+              pre(data) {
+                const [req, , next, hooked] = data.args;
+
+                const sourceContext = core.scopes.sources.getStore()?.assess;
+                if (!sourceContext) return;
+
+                data.args[2] = wrap(function (...args) {
+                  if (req.file) handleFile(sourceContext, hooked, req);
+                  if (Array.isArray(req.files)) handleFiles(sourceContext, hooked, req);
+                  if (req.body && Object.keys(req.body).length) handleBody(sourceContext, hooked, req.body);
+                  next(...args);
+                });
+              },
+            });
+          },
+        }));
+
+    },
+  });
+
+  return multer1Instrumentation;
+};

package/lib/index.js

@@ -22,21 +22,23 @@ const responseScanning = require('./response-scanning');
 const eventFactory = require('./event-factory');
 
 module.exports = function assess(core) {
-  if (!core.config.assess.enable) return;
-
   const assess = core.assess = {};
 
-  // Does this order matter? Probably not
-  // 1. dataflow
   eventFactory(core);
   dataflow(core);
   responseScanning(core);
   sessionConfiguration(core);
 
-  // crypto
-  // static (in coordination with rewriter)
+  // todo
+  // crypto rule implementations
+  // static rule implementations in coordination with (CLI) rewriter
 
   assess.install = function() {
+    if (!core.config.getEffectiveValue('assess.enable')) {
+      core.logger.debug('assess is disabled, skipping installation');
+      return;
+    }
+
     core.rewriter.install('assess');
     callChildComponentMethodsSync(core.assess, 'install');
   };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.15.0",
+  "version": "1.16.1",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",