@contrast/assess 1.16.1 → 1.18.0

package/lib/dataflow/propagation/install/path/toNamespacedPath.js

@@ -0,0 +1,128 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+const { isString } = require('@contrast/common');
+const { patchType } = require('../../common');
+const {
+  createArgTagsInResult,
+  excludeExtensionDotFromTags
+} = require('./common');
+
+module.exports = function(core) {
+  const {
+    depHooks,
+    patcher,
+    scopes: { sources, instrumentation },
+    assess: {
+      eventFactory: { createPropagationEvent },
+      dataflow: { tracker },
+    },
+  } = core;
+
+  core.assess.dataflow.propagation.pathInstrumentation.toNamespacedPath = {
+    install() {
+      depHooks.resolve({ name: 'path' }, (path) => {
+        for (const os of ['posix', 'win32']) {
+
+          patcher.patch(path[os], 'toNamespacedPath', {
+            name: `path.${os}.toNamespacedPath`,
+            patchType,
+            post(data) {
+              const { args, result, name, hooked, orig } = data;
+              if (
+                !result ||
+                !sources.getStore()?.assess ||
+                instrumentation.isLocked()
+              )
+                return;
+
+              const pathStr = args[0];
+
+              if (!pathStr || !isString(pathStr)) return;
+
+              const strInfo = tracker.getData(pathStr);
+              const resultInfo = tracker.getData(result);
+
+              if (!strInfo) return;
+
+              let { tags } = strInfo;
+              if (os === 'win32') {
+                let { newTags } = createArgTagsInResult({
+                  argStr: pathStr,
+                  argTags: strInfo?.tags || {},
+                  result,
+                  lastIndex: result.length,
+                  isWin32: true,
+                });
+
+                newTags = excludeExtensionDotFromTags({
+                  result,
+                  tags: newTags,
+                  isWin32: true
+                });
+
+                tags = newTags;
+              }
+
+              const event = tags && createPropagationEvent({
+                name,
+                moduleName: 'path',
+                methodName: 'toNamespacedPath',
+                context: `path.toNamespacedPath('${strInfo.value}')`,
+                history: [{ ...strInfo }],
+                object: {
+                  value: 'path',
+                  isTracked: false,
+                },
+                args: [
+                  {
+                    value: strInfo.value,
+                    tracked: true,
+                  },
+                ],
+                result: {
+                  value: resultInfo ? resultInfo.value : result,
+                  tracked: true,
+                },
+                tags,
+                source: 'P',
+                target: 'R',
+                stacktraceOpts: {
+                  constructorOpt: hooked,
+                  prependFrames: [orig],
+                },
+              });
+
+              if (!event) return;
+
+              if (resultInfo) {
+                Object.assign(resultInfo, event);
+              }
+
+              const { extern } = resultInfo || tracker.track(result, event);
+
+              if (extern) {
+                data.result = extern;
+              }
+            },
+          });
+        }
+      });
+    },
+  };
+
+  return core.assess.dataflow.propagation.pathInstrumentation.toNamespacedPath;
+};

package/lib/dataflow/propagation/install/querystring/escape.js

@@ -0,0 +1,97 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+
+const { inspect } = require('util');
+const { DataflowTag: { URL_ENCODED } } = require('@contrast/common');
+const { createFullLengthCopyTags } = require('../../../tag-utils');
+const { patchType } = require('../../common');
+
+module.exports = function(core) {
+  const {
+    assess: {
+      eventFactory: { createPropagationEvent },
+      dataflow: { tracker }
+    },
+    depHooks,
+    patcher,
+    scopes,
+  } = core;
+
+  return core.assess.dataflow.propagation.querystringInstrumentation.escape = {
+    install() {
+      depHooks.resolve({ name: 'querystring' }, (_export) => {
+        patcher.patch(_export, 'escape', {
+          name: 'querystring.escape',
+          patchType,
+          post(data) {
+            const [value] = data.args;
+            if (!value?.length || !data.result?.length) return value;
+
+            const strInfo = tracker.getData(value);
+            if (!strInfo) return;
+
+            const sourceContext = scopes.sources.getStore()?.assess;
+            if (!sourceContext) return;
+
+            let tags;
+            if (value !== data.result) {
+              tags = createFullLengthCopyTags({
+                ...strInfo.tags,
+                [URL_ENCODED]: [0, 0],
+              }, data.result.length);
+            } else {
+              tags = {
+                ...strInfo.tags,
+                [URL_ENCODED]: [0, data.result.length - 1],
+              };
+            }
+
+            const argVal = inspect(strInfo.value);
+            const event = createPropagationEvent({
+              args: [{ tracked: true, value: argVal }],
+              context: `querystring.escape(${argVal})`,
+              history: [strInfo],
+              moduleName: 'querystring',
+              methodName: 'escape',
+              object: { tracked: false, value: 'querystring' },
+              result: { tracked: true, value: data.result },
+              name: 'querystring.escape',
+              source: 'P',
+              tags,
+              target: 'R',
+            });
+
+            if (event) {
+              const retInfo = tracker.getData(data.result);
+              let extern;
+
+              // if no transformation took place this will happen
+              if (retInfo) {
+                extern = tracker.track(retInfo.value, event)?.extern;
+              } else {
+                extern = tracker.track(data.result, event)?.extern;
+              }
+
+              if (extern) data.result = extern;
+            }
+          },
+        });
+      });
+    },
+    uninstall() {
+    }
+  };
+};

package/lib/dataflow/propagation/install/querystring/index.js

@@ -24,7 +24,9 @@ module.exports = function(core) {
     }
   };
 
+  require('./escape')(core);
   require('./parse')(core);
+  require('./stringify')(core);
 
   return querystringInstrumentation;
 };

package/lib/dataflow/propagation/install/querystring/stringify.js

@@ -0,0 +1,158 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+
+const querystring = require('querystring');
+const { inspect } = require('util');
+const { isString } = require('@contrast/common');
+const utils = require('../../../tag-utils');
+const { patchType } = require('../../common');
+
+const moduleName = 'querystring';
+
+module.exports = function(core) {
+  const {
+    assess: {
+      dataflow: { tracker },
+      eventFactory: { createPropagationEvent },
+    },
+    depHooks,
+    patcher,
+    scopes,
+  } = core;
+
+  /**
+   * Adds custom encoding function to capture key/value tags and history during stringification
+   */
+  function pre(data) {
+    const sourceContext = scopes.sources.getStore()?.assess;
+    if (!sourceContext) return;
+
+    const [input] = data.args;
+    const escape = typeof data.args[3]?.encodeURIComponent === 'function'
+      ? data.args[3].encodeURIComponent
+      : querystring.escape;
+
+    let [, sep, equals] = data.args;
+    // check this
+    if (!isString(sep)) sep = '&';
+    if (!isString(equals)) equals = '=';
+
+    let counter = 0;
+    let offset = 0;
+    const keyState = {
+      value: '',
+      lastCount: 0,
+      nextCount: 0,
+      strInfo: null,
+    };
+
+    // state for post hook
+    data._args = [...data.args];
+    data._history = new Set();
+    data._tags = {};
+
+    // todo NODE-2835: account for custom encoding functions to apply URL_ENCODED
+    function encodeURIComponent(...args) {
+      const [rawValue] = args;
+      const encodedValue = escape(args[0]);
+
+      if (counter === keyState.nextCount) {
+        keyState.value = encodedValue;
+        keyState.lastCount = keyState.nextCount;
+        keyState.nextCount = counter + (Array.isArray(input[rawValue]) ? input[rawValue].length + 1 : 2);
+        keyState.strInfo = tracker.getData(encodedValue);
+      } else {
+        const strInfo = tracker.getData(encodedValue);
+
+        // capture key tags and increment counter for [key]=
+        if (keyState.strInfo) {
+          data._tags = utils.createAppendTags(data._tags, keyState.strInfo.tags, offset);
+          data._history.add(keyState.strInfo);
+        }
+        offset += keyState.value.length + equals.length;
+
+        // capture value tags and increment counter for [value]&
+        if (strInfo) {
+          const tags = Object.create(null);
+          for (const tag of Object.keys(strInfo.tags)) {
+            tags[tag] = [0, encodedValue.length - 1];
+          }
+
+          data._tags = utils.createAppendTags(data._tags, tags, offset);
+          data._history.add(strInfo);
+        }
+        offset += encodedValue.length + sep.length;
+      }
+
+      counter++;
+
+      return encodedValue;
+    }
+
+    data.args[3] = { ...data.args[3], encodeURIComponent };
+  }
+
+  /**
+   * if history/tags were captured, build event and track result
+   */
+  function post(data) {
+    if (!data._history?.size) return;
+
+    const { name } = data;
+    const args = data._args.map((a, i) => ({ tracked: i === 0, value: inspect(a) }));
+    const argString = args.reduce((acc, arg, i, arr) => acc + arg.value + (i === arr.length - 1 ? '' : ', '), '');
+    const context = `${name}(${argString})`;
+    const event = createPropagationEvent({
+      context,
+      args,
+      name,
+      moduleName,
+      // since this is an alias, it is always 'stringify'
+      methodName: data.orig.name,
+      history: Array.from(data._history),
+      object: { tracked: false, value: moduleName },
+      result: { tracked: true, value: data.result },
+      source: 'P',
+      stacktraceOpts: {
+        constructorOpt: data.hooked,
+        prependFrames: [data.orig],
+      },
+      tags: data._tags,
+      target: 'R',
+    });
+
+    if (event) {
+      const { extern } = tracker.track(data.result, event);
+      if (extern) data.result = extern;
+    }
+  }
+
+  return core.assess.dataflow.propagation.querystringInstrumentation.stringify = {
+    install() {
+      depHooks.resolve({ name: moduleName }, (_export) => {
+        for (const methodName of ['encode', 'stringify']) {
+          patcher.patch(_export, methodName, {
+            name: `querystring.${methodName}`,
+            patchType,
+            pre,
+            post
+          });
+        }
+      });
+    },
+    uninstall() { }
+  };
+};

package/lib/dataflow/propagation/install/sequelize/index.js

@@ -0,0 +1,31 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { callChildComponentMethodsSync } = require('@contrast/common');
+
+module.exports = function(core) {
+  const component = core.assess.dataflow.propagation.sequelizeInstrumentation = {
+    install() {
+      callChildComponentMethodsSync(component, 'install');
+    },
+  };
+
+  require('./query-generator')(core);
+  require('./sql-string')(core);
+
+  return component;
+};

package/lib/dataflow/propagation/install/sequelize/query-generator.js

@@ -0,0 +1,90 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+
+const {
+  DataflowTag: { SQL_ENCODED }
+} = require('@contrast/common');
+const { patchType } = require('../../common');
+
+const DIALECTS = [
+  // 'db2',
+  // 'mariadb',
+  'mssql',
+  'mysql',
+  // 'oracle',
+  'postgres',
+  // 'snowflake',
+  'sqlite',
+];
+
+module.exports = function(core) {
+  const {
+    assess: {
+      eventFactory: { createPropagationEvent },
+      dataflow: { tracker }
+    },
+    depHooks,
+    patcher,
+  } = core;
+
+  return core.assess.dataflow.propagation.sequelizeInstrumentation.queryGenerators = {
+    install() {
+      for (const dialect of DIALECTS) {
+        depHooks.resolve(
+          { name: 'sequelize', file: `lib/dialects/${dialect}/query-generator.js` },
+          (_export) => {
+            const constructor = _export.name;
+
+            patcher.patch(_export.prototype, 'quoteIdentifier', {
+              name: `sequelize.${constructor}.prototype.quoteIdentifier`,
+              patchType,
+              post(data) {
+                const strInfo = tracker.getData(data.result);
+                if (!strInfo) return;
+
+                const { value } = strInfo;
+                const event = createPropagationEvent({
+                  // context: ``,
+                  args: [{ tracked: true, value: data.args[0] }],
+                  history: [strInfo],
+                  moduleName: 'sequelize',
+                  methodName: `${constructor}.prototype.quoteIdentifier`,
+                  object: { tracked: false, value: constructor },
+                  source: 'P',
+                  result: { tracked: true, value },
+                  tags: {
+                    ...strInfo.tags,
+                    [SQL_ENCODED]: [0, value.length - 1],
+                  },
+                  target: 'R',
+                  name: 'foo',
+                });
+
+                if (event) {
+                  const { extern } = tracker.track(value, event);
+                  if (extern) {
+                    data.result = extern;
+                  }
+                }
+              }
+            });
+          }
+        );
+      }
+    },
+    uninstall() {}
+  };
+};

package/lib/dataflow/propagation/install/{sequelize.js → sequelize/sql-string.js}

@@ -19,7 +19,7 @@ const {
   isString,
   DataflowTag: { SQL_ENCODED },
 } = require('@contrast/common');
-const { patchType, createModuleLabel } = require('../common');
+const { patchType, createModuleLabel } = require('../../common');
 
 module.exports = function(core) {
   const {
@@ -50,7 +50,7 @@ module.exports = function(core) {
     return Array.from(matches, (match) => ({ [match[1]]: match.index }));
   }
 
-  return core.assess.dataflow.propagation.sequelizeInstrumentation = {
+  return core.assess.dataflow.propagation.sequelizeInstrumentation.sqlString = {
     install() {
       depHooks.resolve(
         { name: 'sequelize', file: 'lib/sql-string.js' },
@@ -89,7 +89,7 @@ module.exports = function(core) {
                 moduleName: 'sequelize',
                 methodName: 'escape',
                 object: {
-                  value: createModuleLabel('sequelize/lib/sql-string.escape', version),
+                  value: 'sequelize/lib/sql-string.js',
                   tracked: false,
                 },
                 result: {

package/lib/dataflow/propagation/install/string/concat.js

@@ -43,7 +43,6 @@ module.exports = function(core) {
           if (!result || !sources.getStore()?.assess || instrumentation.isLocked()) return;
 
           const rInfo = tracker.getData(result);
-
           if (rInfo) {
             // this may happen w/ trackedStr.concat('') => trackedStr
             return;
@@ -77,7 +76,7 @@ module.exports = function(core) {
               name,
               moduleName: 'String',
               methodName: 'prototype.concat',
-              context: `${inspect(objInfo?.value) || String(obj)}.concat(${join(argsData.map(d => d.value), ', ')})`,
+              context: `${inspect(objInfo?.value) || String(obj)}.concat(${inspect(join(argsData.map(d => d.value)), ', ')})`,
               object: {
                 value: objInfo?.value || String(obj),
                 tracked: !!objInfo
@@ -98,7 +97,6 @@ module.exports = function(core) {
             });
 
             if (!event) return;
-
             const { extern } = tracker.track(result, event);
 
             if (extern) {

package/lib/dataflow/propagation/install/string/trim.js

@@ -51,15 +51,10 @@ module.exports = function(core) {
 
       const history = [objInfo];
       const start = presetStart || obj.indexOf(result);
-      const newTags = {};
       const objTags = objInfo.tags || {};
-      Object.assign(newTags, createSubsetTags(objTags, start, result.length));
+      const newTags = createSubsetTags(objTags, start, result.length);
 
-      if (!newTags.untrusted) {
-        return;
-      }
-
-      const event = createPropagationEvent({
+      const event = newTags && createPropagationEvent({
         name: `String.prototype.${methodName}`,
         moduleName: 'String',
         methodName: `prototype.${methodName}`,