@contrast/assess 1.17.0 → 1.18.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/lib/dataflow/propagation/index.js +2 -1
- package/lib/dataflow/propagation/install/array-prototype-join.js +1 -1
- package/lib/dataflow/propagation/install/sequelize/index.js +31 -0
- package/lib/dataflow/propagation/install/sequelize/query-generator.js +90 -0
- package/lib/dataflow/propagation/install/{sequelize.js → sequelize/sql-string.js} +3 -3
- package/lib/dataflow/propagation/install/util-format.js +120 -0
- package/lib/dataflow/sinks/index.js +1 -0
- package/lib/dataflow/sinks/install/node-serialize.js +103 -0
- package/package.json +1 -1
|
@@ -24,6 +24,7 @@ module.exports = function(core) {
|
|
|
24
24
|
require('./install/ejs')(core);
|
|
25
25
|
require('./install/mongoose')(core);
|
|
26
26
|
require('./install/pug')(core);
|
|
27
|
+
require('./install/sequelize')(core);
|
|
27
28
|
require('./install/string')(core);
|
|
28
29
|
require('./install/url')(core);
|
|
29
30
|
require('./install/validator')(core);
|
|
@@ -42,12 +43,12 @@ module.exports = function(core) {
|
|
|
42
43
|
require('./install/sql-template-strings')(core);
|
|
43
44
|
require('./install/unescape')(core);
|
|
44
45
|
require('./install/querystring')(core);
|
|
45
|
-
require('./install/sequelize')(core);
|
|
46
46
|
require('./install/JSON')(core);
|
|
47
47
|
require('./install/path')(core);
|
|
48
48
|
require('./install/reg-exp-prototype-exec')(core);
|
|
49
49
|
require('./install/joi')(core);
|
|
50
50
|
require('./install/send')(core);
|
|
51
|
+
require('./install/util-format')(core);
|
|
51
52
|
|
|
52
53
|
propagation.install = function() {
|
|
53
54
|
callChildComponentMethodsSync(propagation, 'install');
|
|
@@ -102,7 +102,7 @@ module.exports = function(core) {
|
|
|
102
102
|
},
|
|
103
103
|
args,
|
|
104
104
|
tags: newTags,
|
|
105
|
-
history: Array.from(history),
|
|
105
|
+
history: Array.from(history).map((el) => Object.assign({}, el)),
|
|
106
106
|
source: delimiterInfo ? (history.size > 1 ? 'A' : 'P') : 'O',
|
|
107
107
|
target: 'R',
|
|
108
108
|
stacktraceOpts: {
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
/*
|
|
2
|
+
* Copyright: 2023 Contrast Security, Inc
|
|
3
|
+
* Contact: support@contrastsecurity.com
|
|
4
|
+
* License: Commercial
|
|
5
|
+
|
|
6
|
+
* NOTICE: This Software and the patented inventions embodied within may only be
|
|
7
|
+
* used as part of Contrast Security’s commercial offerings. Even though it is
|
|
8
|
+
* made available through public repositories, use of this Software is subject to
|
|
9
|
+
* the applicable End User Licensing Agreement found at
|
|
10
|
+
* https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
|
|
11
|
+
* between Contrast Security and the End User. The Software may not be reverse
|
|
12
|
+
* engineered, modified, repackaged, sold, redistributed or otherwise used in a
|
|
13
|
+
* way not consistent with the End User License Agreement.
|
|
14
|
+
*/
|
|
15
|
+
|
|
16
|
+
'use strict';
|
|
17
|
+
|
|
18
|
+
const { callChildComponentMethodsSync } = require('@contrast/common');
|
|
19
|
+
|
|
20
|
+
module.exports = function(core) {
|
|
21
|
+
const component = core.assess.dataflow.propagation.sequelizeInstrumentation = {
|
|
22
|
+
install() {
|
|
23
|
+
callChildComponentMethodsSync(component, 'install');
|
|
24
|
+
},
|
|
25
|
+
};
|
|
26
|
+
|
|
27
|
+
require('./query-generator')(core);
|
|
28
|
+
require('./sql-string')(core);
|
|
29
|
+
|
|
30
|
+
return component;
|
|
31
|
+
};
|
|
@@ -0,0 +1,90 @@
|
|
|
1
|
+
/*
|
|
2
|
+
* Copyright: 2023 Contrast Security, Inc
|
|
3
|
+
* Contact: support@contrastsecurity.com
|
|
4
|
+
* License: Commercial
|
|
5
|
+
|
|
6
|
+
* NOTICE: This Software and the patented inventions embodied within may only be
|
|
7
|
+
* used as part of Contrast Security’s commercial offerings. Even though it is
|
|
8
|
+
* made available through public repositories, use of this Software is subject to
|
|
9
|
+
* the applicable End User Licensing Agreement found at
|
|
10
|
+
* https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
|
|
11
|
+
* between Contrast Security and the End User. The Software may not be reverse
|
|
12
|
+
* engineered, modified, repackaged, sold, redistributed or otherwise used in a
|
|
13
|
+
* way not consistent with the End User License Agreement.
|
|
14
|
+
*/
|
|
15
|
+
'use strict';
|
|
16
|
+
|
|
17
|
+
const {
|
|
18
|
+
DataflowTag: { SQL_ENCODED }
|
|
19
|
+
} = require('@contrast/common');
|
|
20
|
+
const { patchType } = require('../../common');
|
|
21
|
+
|
|
22
|
+
const DIALECTS = [
|
|
23
|
+
// 'db2',
|
|
24
|
+
// 'mariadb',
|
|
25
|
+
'mssql',
|
|
26
|
+
'mysql',
|
|
27
|
+
// 'oracle',
|
|
28
|
+
'postgres',
|
|
29
|
+
// 'snowflake',
|
|
30
|
+
'sqlite',
|
|
31
|
+
];
|
|
32
|
+
|
|
33
|
+
module.exports = function(core) {
|
|
34
|
+
const {
|
|
35
|
+
assess: {
|
|
36
|
+
eventFactory: { createPropagationEvent },
|
|
37
|
+
dataflow: { tracker }
|
|
38
|
+
},
|
|
39
|
+
depHooks,
|
|
40
|
+
patcher,
|
|
41
|
+
} = core;
|
|
42
|
+
|
|
43
|
+
return core.assess.dataflow.propagation.sequelizeInstrumentation.queryGenerators = {
|
|
44
|
+
install() {
|
|
45
|
+
for (const dialect of DIALECTS) {
|
|
46
|
+
depHooks.resolve(
|
|
47
|
+
{ name: 'sequelize', file: `lib/dialects/${dialect}/query-generator.js` },
|
|
48
|
+
(_export) => {
|
|
49
|
+
const constructor = _export.name;
|
|
50
|
+
|
|
51
|
+
patcher.patch(_export.prototype, 'quoteIdentifier', {
|
|
52
|
+
name: `sequelize.${constructor}.prototype.quoteIdentifier`,
|
|
53
|
+
patchType,
|
|
54
|
+
post(data) {
|
|
55
|
+
const strInfo = tracker.getData(data.result);
|
|
56
|
+
if (!strInfo) return;
|
|
57
|
+
|
|
58
|
+
const { value } = strInfo;
|
|
59
|
+
const event = createPropagationEvent({
|
|
60
|
+
// context: ``,
|
|
61
|
+
args: [{ tracked: true, value: data.args[0] }],
|
|
62
|
+
history: [strInfo],
|
|
63
|
+
moduleName: 'sequelize',
|
|
64
|
+
methodName: `${constructor}.prototype.quoteIdentifier`,
|
|
65
|
+
object: { tracked: false, value: constructor },
|
|
66
|
+
source: 'P',
|
|
67
|
+
result: { tracked: true, value },
|
|
68
|
+
tags: {
|
|
69
|
+
...strInfo.tags,
|
|
70
|
+
[SQL_ENCODED]: [0, value.length - 1],
|
|
71
|
+
},
|
|
72
|
+
target: 'R',
|
|
73
|
+
name: 'foo',
|
|
74
|
+
});
|
|
75
|
+
|
|
76
|
+
if (event) {
|
|
77
|
+
const { extern } = tracker.track(value, event);
|
|
78
|
+
if (extern) {
|
|
79
|
+
data.result = extern;
|
|
80
|
+
}
|
|
81
|
+
}
|
|
82
|
+
}
|
|
83
|
+
});
|
|
84
|
+
}
|
|
85
|
+
);
|
|
86
|
+
}
|
|
87
|
+
},
|
|
88
|
+
uninstall() {}
|
|
89
|
+
};
|
|
90
|
+
};
|
|
@@ -19,7 +19,7 @@ const {
|
|
|
19
19
|
isString,
|
|
20
20
|
DataflowTag: { SQL_ENCODED },
|
|
21
21
|
} = require('@contrast/common');
|
|
22
|
-
const { patchType, createModuleLabel } = require('
|
|
22
|
+
const { patchType, createModuleLabel } = require('../../common');
|
|
23
23
|
|
|
24
24
|
module.exports = function(core) {
|
|
25
25
|
const {
|
|
@@ -50,7 +50,7 @@ module.exports = function(core) {
|
|
|
50
50
|
return Array.from(matches, (match) => ({ [match[1]]: match.index }));
|
|
51
51
|
}
|
|
52
52
|
|
|
53
|
-
return core.assess.dataflow.propagation.sequelizeInstrumentation = {
|
|
53
|
+
return core.assess.dataflow.propagation.sequelizeInstrumentation.sqlString = {
|
|
54
54
|
install() {
|
|
55
55
|
depHooks.resolve(
|
|
56
56
|
{ name: 'sequelize', file: 'lib/sql-string.js' },
|
|
@@ -89,7 +89,7 @@ module.exports = function(core) {
|
|
|
89
89
|
moduleName: 'sequelize',
|
|
90
90
|
methodName: 'escape',
|
|
91
91
|
object: {
|
|
92
|
-
value:
|
|
92
|
+
value: 'sequelize/lib/sql-string.js',
|
|
93
93
|
tracked: false,
|
|
94
94
|
},
|
|
95
95
|
result: {
|
|
@@ -0,0 +1,120 @@
|
|
|
1
|
+
/*
|
|
2
|
+
* Copyright: 2023 Contrast Security, Inc
|
|
3
|
+
* Contact: support@contrastsecurity.com
|
|
4
|
+
* License: Commercial
|
|
5
|
+
|
|
6
|
+
* NOTICE: This Software and the patented inventions embodied within may only be
|
|
7
|
+
* used as part of Contrast Security’s commercial offerings. Even though it is
|
|
8
|
+
* made available through public repositories, use of this Software is subject to
|
|
9
|
+
* the applicable End User Licensing Agreement found at
|
|
10
|
+
* https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
|
|
11
|
+
* between Contrast Security and the End User. The Software may not be reverse
|
|
12
|
+
* engineered, modified, repackaged, sold, redistributed or otherwise used in a
|
|
13
|
+
* way not consistent with the End User License Agreement.
|
|
14
|
+
*/
|
|
15
|
+
|
|
16
|
+
'use strict';
|
|
17
|
+
|
|
18
|
+
const { patchType } = require('../common');
|
|
19
|
+
const { inspect, isString } = require('@contrast/common');
|
|
20
|
+
const { createAppendTags } = require('../../tag-utils');
|
|
21
|
+
|
|
22
|
+
module.exports = function(core) {
|
|
23
|
+
const {
|
|
24
|
+
scopes: { sources, instrumentation },
|
|
25
|
+
patcher,
|
|
26
|
+
depHooks,
|
|
27
|
+
assess: {
|
|
28
|
+
eventFactory: { createPropagationEvent },
|
|
29
|
+
dataflow: { tracker }
|
|
30
|
+
}
|
|
31
|
+
} = core;
|
|
32
|
+
|
|
33
|
+
return core.assess.dataflow.propagation.utilFormat = {
|
|
34
|
+
install() {
|
|
35
|
+
depHooks.resolve({ name: 'util' }, (util) => {
|
|
36
|
+
const name = 'util.format';
|
|
37
|
+
|
|
38
|
+
return patcher.patch(util, 'format', {
|
|
39
|
+
name,
|
|
40
|
+
patchType,
|
|
41
|
+
post(data) {
|
|
42
|
+
const { args, result, hooked, orig } = data;
|
|
43
|
+
if (!result || !args[0] || !isString(args[0]) || !sources.getStore()?.assess || instrumentation.isLocked()) return;
|
|
44
|
+
|
|
45
|
+
let idx = 0;
|
|
46
|
+
let newTags = {};
|
|
47
|
+
const history = [];
|
|
48
|
+
const eventArgs = [];
|
|
49
|
+
const formatChars = args[0].includes('%') ? args[0].match(/[^%]+/g).map((x) => x[0]) : [];
|
|
50
|
+
let i = formatChars.length > 0 ? 1 : 0;
|
|
51
|
+
for (i; i < args.length; i++) {
|
|
52
|
+
let arg = args[i];
|
|
53
|
+
const formatChar = formatChars[i - 1];
|
|
54
|
+
if (typeof arg === 'object') {
|
|
55
|
+
|
|
56
|
+
if (formatChar === 'j') {
|
|
57
|
+
arg = JSON.stringify(arg);
|
|
58
|
+
} else if (formatChar.toLowerCase() === 'o') {
|
|
59
|
+
// TO-DO: NODE-3235
|
|
60
|
+
}
|
|
61
|
+
}
|
|
62
|
+
const currIdx = result.indexOf(arg, idx);
|
|
63
|
+
if (currIdx > -1) {
|
|
64
|
+
idx = currIdx + arg.length;
|
|
65
|
+
} else {
|
|
66
|
+
continue;
|
|
67
|
+
}
|
|
68
|
+
|
|
69
|
+
const argInfo = tracker.getData(arg);
|
|
70
|
+
if (!argInfo) continue;
|
|
71
|
+
|
|
72
|
+
newTags = createAppendTags(newTags, argInfo.tags, currIdx);
|
|
73
|
+
|
|
74
|
+
history.push({ ...argInfo });
|
|
75
|
+
eventArgs.push({ value: argInfo ? argInfo.value : arg, tracked: !!argInfo });
|
|
76
|
+
}
|
|
77
|
+
|
|
78
|
+
const resultInfo = tracker.getData(result);
|
|
79
|
+
const event = createPropagationEvent({
|
|
80
|
+
name,
|
|
81
|
+
moduleName: 'util',
|
|
82
|
+
methodName: 'format',
|
|
83
|
+
context: `util.format(${inspect(args.join(', '))})`,
|
|
84
|
+
object: {
|
|
85
|
+
value: 'util',
|
|
86
|
+
tracked: false
|
|
87
|
+
},
|
|
88
|
+
result: {
|
|
89
|
+
value: resultInfo ? resultInfo.value : result,
|
|
90
|
+
tracked: true
|
|
91
|
+
},
|
|
92
|
+
args: eventArgs,
|
|
93
|
+
tags: newTags,
|
|
94
|
+
history,
|
|
95
|
+
source: 'P',
|
|
96
|
+
target: 'R',
|
|
97
|
+
stacktraceOpts: {
|
|
98
|
+
constructorOpt: hooked,
|
|
99
|
+
prependFrames: [orig]
|
|
100
|
+
},
|
|
101
|
+
});
|
|
102
|
+
|
|
103
|
+
if (!event) return;
|
|
104
|
+
|
|
105
|
+
if (resultInfo) {
|
|
106
|
+
Object.assign(resultInfo, event);
|
|
107
|
+
} else {
|
|
108
|
+
const { extern } = tracker.track(result, event);
|
|
109
|
+
|
|
110
|
+
if (extern) {
|
|
111
|
+
data.result = extern;
|
|
112
|
+
}
|
|
113
|
+
}
|
|
114
|
+
}
|
|
115
|
+
});
|
|
116
|
+
}
|
|
117
|
+
);
|
|
118
|
+
},
|
|
119
|
+
};
|
|
120
|
+
};
|
|
@@ -79,6 +79,7 @@ module.exports = function (core) {
|
|
|
79
79
|
require('./install/mongodb')(core);
|
|
80
80
|
require('./install/mssql')(core);
|
|
81
81
|
require('./install/mysql')(core);
|
|
82
|
+
require('./install/node-serialize')(core);
|
|
82
83
|
require('./install/postgres')(core);
|
|
83
84
|
require('./install/sequelize')(core);
|
|
84
85
|
require('./install/sqlite3')(core);
|
|
@@ -0,0 +1,103 @@
|
|
|
1
|
+
/*
|
|
2
|
+
* Copyright: 2023 Contrast Security, Inc
|
|
3
|
+
* Contact: support@contrastsecurity.com
|
|
4
|
+
* License: Commercial
|
|
5
|
+
|
|
6
|
+
* NOTICE: This Software and the patented inventions embodied within may only be
|
|
7
|
+
* used as part of Contrast Security’s commercial offerings. Even though it is
|
|
8
|
+
* made available through public repositories, use of this Software is subject to
|
|
9
|
+
* the applicable End User Licensing Agreement found at
|
|
10
|
+
* https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
|
|
11
|
+
* between Contrast Security and the End User. The Software may not be reverse
|
|
12
|
+
* engineered, modified, repackaged, sold, redistributed or otherwise used in a
|
|
13
|
+
* way not consistent with the End User License Agreement.
|
|
14
|
+
*/
|
|
15
|
+
|
|
16
|
+
'use strict';
|
|
17
|
+
|
|
18
|
+
const { patchType } = require('../common');
|
|
19
|
+
const {
|
|
20
|
+
Rule: { UNTRUSTED_DESERIALIZATION },
|
|
21
|
+
isString,
|
|
22
|
+
DataflowTag: {
|
|
23
|
+
UNTRUSTED
|
|
24
|
+
}
|
|
25
|
+
} = require('@contrast/common');
|
|
26
|
+
|
|
27
|
+
module.exports = function(core) {
|
|
28
|
+
const {
|
|
29
|
+
depHooks,
|
|
30
|
+
patcher,
|
|
31
|
+
scopes: { sources, instrumentation },
|
|
32
|
+
assess: {
|
|
33
|
+
eventFactory: { createSinkEvent },
|
|
34
|
+
dataflow: {
|
|
35
|
+
tracker,
|
|
36
|
+
sinks: { isVulnerable, reportFindings }
|
|
37
|
+
},
|
|
38
|
+
},
|
|
39
|
+
} = core;
|
|
40
|
+
|
|
41
|
+
core.assess.dataflow.sinks.nodeSerialize = {
|
|
42
|
+
install() {
|
|
43
|
+
depHooks.resolve({ name: 'node-serialize' }, (nodeSerialize) => {
|
|
44
|
+
patcher.patch(nodeSerialize, 'unserialize', {
|
|
45
|
+
name: 'node-serialize.unserialize',
|
|
46
|
+
patchType,
|
|
47
|
+
pre(data) {
|
|
48
|
+
const store = sources.getStore()?.assess;
|
|
49
|
+
if (
|
|
50
|
+
!store ||
|
|
51
|
+
!data.args[0] ||
|
|
52
|
+
instrumentation.isLocked()
|
|
53
|
+
) return;
|
|
54
|
+
|
|
55
|
+
const [input] = data.args;
|
|
56
|
+
|
|
57
|
+
if (!isString(input)) {
|
|
58
|
+
return;
|
|
59
|
+
}
|
|
60
|
+
|
|
61
|
+
const strInfo = tracker.getData(input);
|
|
62
|
+
if (!strInfo || !isVulnerable(UNTRUSTED, [], strInfo.tags)) {
|
|
63
|
+
return;
|
|
64
|
+
}
|
|
65
|
+
|
|
66
|
+
const sinkEvent = createSinkEvent({
|
|
67
|
+
name: 'node-serialize.unserialize',
|
|
68
|
+
moduleName: 'node-serialize',
|
|
69
|
+
methodName: 'unserialize',
|
|
70
|
+
context: `node-serialize.unserialize(${strInfo.value})`,
|
|
71
|
+
history: [strInfo],
|
|
72
|
+
object: {
|
|
73
|
+
value: 'node-serialize',
|
|
74
|
+
tracked: false
|
|
75
|
+
},
|
|
76
|
+
args: [
|
|
77
|
+
{
|
|
78
|
+
value: strInfo.value,
|
|
79
|
+
tracked: true
|
|
80
|
+
},
|
|
81
|
+
],
|
|
82
|
+
tags: strInfo.tags,
|
|
83
|
+
source: 'P0',
|
|
84
|
+
stacktraceOpts: {
|
|
85
|
+
contructorOpt: data.hooked,
|
|
86
|
+
prependFrames: [data.orig]
|
|
87
|
+
},
|
|
88
|
+
});
|
|
89
|
+
|
|
90
|
+
if (sinkEvent) {
|
|
91
|
+
reportFindings({
|
|
92
|
+
ruleId: UNTRUSTED_DESERIALIZATION,
|
|
93
|
+
sinkEvent,
|
|
94
|
+
});
|
|
95
|
+
}
|
|
96
|
+
}
|
|
97
|
+
});
|
|
98
|
+
});
|
|
99
|
+
},
|
|
100
|
+
};
|
|
101
|
+
|
|
102
|
+
return core.assess.dataflow.sinks.nodeSerialize;
|
|
103
|
+
};
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@contrast/assess",
|
|
3
|
-
"version": "1.
|
|
3
|
+
"version": "1.18.0",
|
|
4
4
|
"description": "Contrast service providing framework-agnostic Assess support",
|
|
5
5
|
"license": "SEE LICENSE IN LICENSE",
|
|
6
6
|
"author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
|