@contrast/assess 1.17.0 → 1.19.0

package/lib/constants.js

@@ -0,0 +1,26 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const InstrumentationType = {
+  SOURCE: 'source',
+  PROPAGATOR: 'propagator',
+  RULE: 'rule',
+};
+
+module.exports = {
+  InstrumentationType,
+};

package/lib/crypto-analysis/common.js

@@ -0,0 +1,20 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+module.exports = {
+  PATCH_TYPE: 'assess-cryptographic-analysis',
+};

package/lib/crypto-analysis/index.js

@@ -0,0 +1,44 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const {
+  Event,
+  callChildComponentMethodsSync,
+} = require('@contrast/common');
+
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  messages: import('@contrast/common').Messages,
+ * }} core
+ */
+module.exports = function(core) {
+  const cryptoAnalysis = core.assess.cryptoAnalysis = {
+    installers: {},
+    install() {
+      callChildComponentMethodsSync(cryptoAnalysis.installers, 'install');
+    },
+    report(event) {
+      core.messages.emit(Event.ASSESS_CRYPTO_ANALYSIS_FINDING, event);
+    },
+  };
+
+  require('./install/crypto')(core);
+  require('./install/math')(core);
+
+  return cryptoAnalysis;
+};

package/lib/crypto-analysis/install/crypto.js

@@ -0,0 +1,151 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { inspect } = require('util');
+const {
+  Rule,
+  isString,
+  toLowerCase,
+} = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../constants');
+const { PATCH_TYPE: patchType } = require('../common');
+
+const SAFE_HASH_ALGORITHMS = new Set([
+  'RSA-SHA1-2',
+  'RSA-SHA224',
+  'RSA-SHA256',
+  'RSA-SHA384',
+  'RSA-SHA512',
+  'sha224',
+  'sha224WithRSAEncryption',
+  'sha256',
+  'sha256WithRSAEncryption',
+  'sha384',
+  'sha384WithRSAEncryption',
+  'sha512'
+]);
+const SAFE_HASH_LIBS = ['etag', 'browserify', 'deps-sort'];
+const SAFE_CIPHER_ALGORITHM_PREFIXES = ['des-ede', 'id-aes', 'aes', 'rsa'];
+
+/**
+ * @param {{
+ *  config: import('@contrast/config').Config,
+ *  assess: import('@contrast/assess').Assess,
+ * }} core
+ */
+module.exports = function(core) {
+  const {
+    config,
+    depHooks,
+    logger,
+    patcher,
+    assess: {
+      eventFactory,
+      cryptoAnalysis,
+      getSourceContext,
+    },
+  } = core;
+
+  const installer = core.assess.cryptoAnalysis.installers.crypto = {
+    install() {
+      depHooks.resolve({ name: 'crypto' }, (_export) => {
+        patcher.patch(_export, 'createHash', {
+          name: 'crypto.createHash',
+          patchType,
+          post(data) {
+            const [alg] = data.args;
+
+            if (
+              !isString(alg) ||
+              !getSourceContext(RULE, Rule.CRYPTO_BAD_MAC) ||
+              SAFE_HASH_ALGORITHMS.has(alg)
+            ) return;
+
+            const event = eventFactory.createCryptoAnalysisEvent({
+              args: [{ tracked: false, value: alg }],
+              context: `crypto.createHash(${inspect(alg)})`,
+              methodName: 'createHash',
+              moduleName: 'crypto',
+              name: 'crypto.createHash',
+              object: { tracked: false, value: 'crypto' },
+              result: { tracked: false, value: 'Hash' },
+              source: 'P0',
+              stacktraceOpts: {
+                constructorOpt: data.hooked,
+              },
+            });
+
+            if (!event) return;
+
+            // check stacktrace for trusted libraries
+            if (config.getEffectiveValue('assess.stacktraces') === 'NONE') {
+              const { stack } = new Error(event.stacktraceOpts);
+              for (const lib of SAFE_HASH_LIBS) {
+                if (stack.indexOf(lib) >= 0) return;
+              }
+            } else {
+              for (const { file } of event.stack) {
+                for (const lib of SAFE_HASH_LIBS) {
+                  logger.trace(`skipping reporting for ${Rule.CRYPTO_BAD_MAC} - trusting ${lib}`);
+                  if (file.indexOf(lib) >= 0) return;
+                }
+              }
+            }
+
+            cryptoAnalysis.report({ finding: event, ruleId: Rule.CRYPTO_BAD_MAC });
+          },
+        });
+
+        for (const method of ['createCipher', 'createCipheriv']) {
+          patcher.patch(_export, method, {
+            name: `crypto.${method}`,
+            patchType,
+            post(data) {
+              const [alg] = data.args;
+              if (!isString(alg) || !getSourceContext(RULE, Rule.CRYPTO_BAD_CIPHERS)) return;
+
+              const algLower = toLowerCase(alg);
+              for (const prefix of SAFE_CIPHER_ALGORITHM_PREFIXES) {
+                if (algLower.indexOf(prefix) === 0) return;
+              }
+
+              const event = eventFactory.createCryptoAnalysisEvent({
+                args: [{ tracked: false, value: alg }],
+                context: `crypto.${method}(${inspect(alg)})`,
+                methodName: method,
+                moduleName: 'crypto',
+                name: `crypto.${method}`,
+                object: { tracked: false, value: 'crypto' },
+                result: { tracked: false, value: 'Cipher' },
+                source: 'P0',
+                stacktraceOpts: {
+                  constructorOpt: data.hooked,
+                }
+              });
+
+              if (!event) return;
+
+              cryptoAnalysis.report({ finding: event, ruleId: Rule.CRYPTO_BAD_CIPHERS });
+            }
+          });
+        }
+      });
+    },
+  };
+
+  return installer;
+};

package/lib/crypto-analysis/install/math.js

@@ -0,0 +1,99 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { Rule } = require('@contrast/common');
+const { InstrumentationType } = require('../../constants');
+const { PATCH_TYPE: patchType } = require('../common');
+
+const { CRYPTO_WEAK_RANDOMNESS: ruleId } = Rule;
+const { RULE } = InstrumentationType;
+
+const SAFE_RANDOM_LIBS = [
+  'node_modules/node-uuid/',
+  'browserify'
+];
+
+/**
+ * @param {{
+ *  config: import('@contrast/config').Config,
+ *  assess: import('@contrast/assess').Assess,
+ * }} core
+ */
+module.exports = function(core) {
+  const {
+    assess: {
+      eventFactory,
+      cryptoAnalysis,
+      getSourceContext,
+    },
+    config,
+    logger,
+    patcher,
+  } = core;
+
+  core.assess.cryptoAnalysis.installers.math = {
+    install() {
+      patcher.patch(Math, 'random', {
+        name: 'global.Math.random',
+        patchType,
+        post(data) {
+          if (!getSourceContext(RULE, ruleId)) return;
+
+          const event = eventFactory.createCryptoAnalysisEvent({
+            args: [],
+            context: 'Math.random()',
+            methodName: 'random',
+            moduleName: 'global.Math',
+            name: 'global.Math.random',
+            object: { tracked: false, value: 'global.Math' },
+            result: { tracked: false, value: `${data.result}` },
+            source: 'A',
+            stacktraceOpts: {
+              constructorOpt: data.hooked,
+            }
+          });
+
+          if (!event) return;
+
+          // check stacktrace for trusted libraries
+          if (config.getEffectiveValue('assess.stacktraces') === 'NONE') {
+            const { stack } = new Error(event.stacktraceOpts);
+            for (const lib of SAFE_RANDOM_LIBS) {
+              if (stack.indexOf(lib) >= 0) return;
+            }
+          } else {
+            for (const { file } of event.stack) {
+              for (const lib of SAFE_RANDOM_LIBS) {
+                if (file.indexOf(lib) >= 0) {
+                  logger.trace(`skipping reporting for ${ruleId} - trusting ${lib}`);
+                  return;
+                }
+              }
+            }
+          }
+
+          cryptoAnalysis.report({ finding: event, ruleId });
+        },
+      });
+    },
+    uninstall() {
+      Math.random = patcher.unwrap(Math.random);
+    },
+  };
+
+  return core.assess.cryptoAnalysis.installers.math;
+};

package/lib/dataflow/propagation/index.js

@@ -24,6 +24,7 @@ module.exports = function(core) {
   require('./install/ejs')(core);
   require('./install/mongoose')(core);
   require('./install/pug')(core);
+  require('./install/sequelize')(core);
   require('./install/string')(core);
   require('./install/url')(core);
   require('./install/validator')(core);
@@ -42,12 +43,12 @@ module.exports = function(core) {
   require('./install/sql-template-strings')(core);
   require('./install/unescape')(core);
   require('./install/querystring')(core);
-  require('./install/sequelize')(core);
   require('./install/JSON')(core);
   require('./install/path')(core);
   require('./install/reg-exp-prototype-exec')(core);
   require('./install/joi')(core);
   require('./install/send')(core);
+  require('./install/util-format')(core);
 
   propagation.install = function() {
     callChildComponentMethodsSync(propagation, 'install');

package/lib/dataflow/propagation/install/JSON/parse.js

@@ -59,8 +59,18 @@ module.exports = function (core) {
 
   function createEvent(data, value, newTags, reviver, strInfo) {
     const method = 'JSON.parse';
+    const eventArgs = [
+      {
+        value: data.args[0],
+        tracked: true,
+      },
+      reviver && {
+        value: reviver.toString(),
+        tracked: false,
+      }
+    ].filter(Boolean);
     return createPropagationEvent({
-      context: method,
+      context: `${method}(${eventArgs.map((arg) => `'${arg.value}'`)})`,
       name: method,
       history: [strInfo],
       moduleName: 'JSON',
@@ -69,16 +79,7 @@ module.exports = function (core) {
         value: inspect(data.obj),
         tracked: false,
       },
-      args: [
-        {
-          value: data.args[0],
-          tracked: true,
-        },
-        reviver && {
-          value: reviver.toString(),
-          tracked: false,
-        },
-      ].filter(Boolean),
+      args: eventArgs,
       result: {
         value,
         tracked: true,

package/lib/dataflow/propagation/install/JSON/stringify.js

@@ -148,7 +148,7 @@ module.exports = function(core) {
         }
       }
 
-      metadata.history.add(metadata[id]);
+      metadata.history.add(metadata.strInfos[id]);
       // replace the canary with the starting quote
       return '"';
     });

package/lib/dataflow/propagation/install/array-prototype-join.js

@@ -102,7 +102,7 @@ module.exports = function(core) {
               },
               args,
               tags: newTags,
-              history: Array.from(history),
+              history: Array.from(history).map((el) => Object.assign({}, el)),
               source: delimiterInfo ? (history.size > 1 ? 'A' : 'P') : 'O',
               target: 'R',
               stacktraceOpts: {

package/lib/dataflow/propagation/install/ejs/escape-xml.js

@@ -21,7 +21,7 @@ const {
 const {
   createFullLengthCopyTags
 } = require('../../../tag-utils');
-const { patchType, createModuleLabel } = require('../../common');
+const { patchType } = require('../../common');
 
 module.exports = function(core) {
   const {
@@ -61,7 +61,7 @@ module.exports = function(core) {
               moduleName: 'ejs',
               methodName: 'escapeXML',
               object: {
-                value: `[${createModuleLabel('ejs', version)}].utils`,
+                value: 'ejs.utils',
                 tracked: false
               },
               result: {

package/lib/dataflow/propagation/install/ejs/index.js

@@ -25,6 +25,7 @@ module.exports = function(core) {
   };
 
   require('./escape-xml')(core);
+  require('./template')(core);
 
   return ejsInstrumentation;
 };

package/lib/dataflow/propagation/install/ejs/template.js

@@ -0,0 +1,77 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { EOL } = require('os');
+const { join } = require('@contrast/common');
+const { patchType } = require('../../common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
+
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  logger: import('@contrast/logger').Logger,
+ *  rewriter: import('@contrast/rewriter').Rewriter,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
+module.exports = function(core) {
+  const {
+    assess: { getSourceContext },
+    depHooks,
+    logger,
+    patcher,
+    rewriter,
+  } = core;
+
+  const REWRITE_OPTS = { inject: false, wrap: false };
+  const WRAPPER_PREFIX = join([
+    'function tempWrapper() {',
+    'function __append(s) { if (s !== undefined && s !== null) __output += s }'
+  ], EOL);
+  const WRAPPER_SUFFIX = join([
+    EOL,
+    'return __output;',
+    '}',
+  ], EOL);
+
+  return core.assess.dataflow.propagation.ejsInstrumentation.template = {
+    /**
+     * inject our own rewritten version of __append():
+     *   function __append() { // unrewritten }
+     *   function __append() { // rewritten }
+     */
+    install() {
+      depHooks.resolve({ name: 'ejs', version: '>=2.6.2' }, (_export, version) => {
+        const name = 'ejs.Template.prototype.generateSource';
+        patcher.patch(_export.Template.prototype, 'generateSource', {
+          name,
+          patchType,
+          post(data) {
+            if (!getSourceContext(PROPAGATOR)) return;
+
+            try {
+              const { code } = rewriter.rewrite(`${WRAPPER_PREFIX}${data.obj.source}${WRAPPER_SUFFIX}`, REWRITE_OPTS);
+              data.obj.source = code.substring(code.indexOf('{') + 1, code.lastIndexOf('}'));
+            } catch (err) {
+              logger.error({ err, source: data.obj.source }, 'error occurred while rewriting ejs source');
+            }
+          }
+        });
+      });
+    },
+  };
+};

package/lib/dataflow/propagation/install/sequelize/index.js

@@ -0,0 +1,31 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { callChildComponentMethodsSync } = require('@contrast/common');
+
+module.exports = function(core) {
+  const component = core.assess.dataflow.propagation.sequelizeInstrumentation = {
+    install() {
+      callChildComponentMethodsSync(component, 'install');
+    },
+  };
+
+  require('./query-generator')(core);
+  require('./sql-string')(core);
+
+  return component;
+};

package/lib/dataflow/propagation/install/sequelize/query-generator.js

@@ -0,0 +1,90 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+
+const {
+  DataflowTag: { SQL_ENCODED }
+} = require('@contrast/common');
+const { patchType } = require('../../common');
+
+const DIALECTS = [
+  // 'db2',
+  // 'mariadb',
+  'mssql',
+  'mysql',
+  // 'oracle',
+  'postgres',
+  // 'snowflake',
+  'sqlite',
+];
+
+module.exports = function(core) {
+  const {
+    assess: {
+      eventFactory: { createPropagationEvent },
+      dataflow: { tracker }
+    },
+    depHooks,
+    patcher,
+  } = core;
+
+  return core.assess.dataflow.propagation.sequelizeInstrumentation.queryGenerators = {
+    install() {
+      for (const dialect of DIALECTS) {
+        depHooks.resolve(
+          { name: 'sequelize', file: `lib/dialects/${dialect}/query-generator.js` },
+          (_export) => {
+            const constructor = _export.name;
+
+            patcher.patch(_export.prototype, 'quoteIdentifier', {
+              name: `sequelize.${constructor}.prototype.quoteIdentifier`,
+              patchType,
+              post(data) {
+                const strInfo = tracker.getData(data.result);
+                if (!strInfo) return;
+
+                const { value } = strInfo;
+                const event = createPropagationEvent({
+                  // context: ``,
+                  args: [{ tracked: true, value: data.args[0] }],
+                  history: [strInfo],
+                  moduleName: 'sequelize',
+                  methodName: `${constructor}.prototype.quoteIdentifier`,
+                  object: { tracked: false, value: constructor },
+                  source: 'P',
+                  result: { tracked: true, value },
+                  tags: {
+                    ...strInfo.tags,
+                    [SQL_ENCODED]: [0, value.length - 1],
+                  },
+                  target: 'R',
+                  name: 'foo',
+                });
+
+                if (event) {
+                  const { extern } = tracker.track(value, event);
+                  if (extern) {
+                    data.result = extern;
+                  }
+                }
+              }
+            });
+          }
+        );
+      }
+    },
+    uninstall() {}
+  };
+};

package/lib/dataflow/propagation/install/{sequelize.js → sequelize/sql-string.js}

@@ -19,7 +19,7 @@ const {
   isString,
   DataflowTag: { SQL_ENCODED },
 } = require('@contrast/common');
-const { patchType, createModuleLabel } = require('../common');
+const { patchType, createModuleLabel } = require('../../common');
 
 module.exports = function(core) {
   const {
@@ -50,7 +50,7 @@ module.exports = function(core) {
     return Array.from(matches, (match) => ({ [match[1]]: match.index }));
   }
 
-  return core.assess.dataflow.propagation.sequelizeInstrumentation = {
+  return core.assess.dataflow.propagation.sequelizeInstrumentation.sqlString = {
     install() {
       depHooks.resolve(
         { name: 'sequelize', file: 'lib/sql-string.js' },
@@ -89,7 +89,7 @@ module.exports = function(core) {
                 moduleName: 'sequelize',
                 methodName: 'escape',
                 object: {
-                  value: createModuleLabel('sequelize/lib/sql-string.escape', version),
+                  value: 'sequelize/lib/sql-string.js',
                   tracked: false,
                 },
                 result: {