@contrast/assess 1.17.0 → 1.19.0

package/lib/dataflow/propagation/install/util-format.js

@@ -0,0 +1,126 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../common');
+const { isString } = require('@contrast/common');
+const { createAppendTags } = require('../../tag-utils');
+
+module.exports = function(core) {
+  const {
+    scopes: { sources, instrumentation },
+    patcher,
+    depHooks,
+    assess: {
+      eventFactory: { createPropagationEvent },
+      dataflow: { tracker }
+    }
+  } = core;
+
+  return core.assess.dataflow.propagation.utilFormat = {
+    install() {
+      depHooks.resolve({ name: 'util' }, (util) => {
+        const name = 'util.format';
+
+        return patcher.patch(util, 'format', {
+          name,
+          patchType,
+          post(data) {
+            const { args, result, hooked, orig } = data;
+            if (!result || !args[0] || !isString(args[0]) || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+
+            let idx = 0;
+            let newTags = {};
+            const history = [];
+            const eventArgs = [];
+            const formatChars = args[0].includes('%') ? args[0].match(/[^%]+/g).map((x) => x[0]) : [];
+            let i = 0;
+
+            if (formatChars.length > 0) {
+              i = 1;
+              eventArgs.push({ value: args[0], tracked: false });
+            }
+
+            for (i; i < args.length; i++) {
+              let arg = args[i];
+              const formatChar = formatChars[i - 1];
+              if (typeof arg === 'object') {
+
+                if (formatChar === 'j') {
+                  arg = JSON.stringify(arg);
+                } else if (formatChar.toLowerCase() === 'o') {
+                  // TO-DO: NODE-3235
+                }
+              }
+              const currIdx = result.indexOf(arg, idx);
+              if (currIdx > -1) {
+                idx = currIdx + arg.length;
+              } else {
+                continue;
+              }
+
+              const argInfo = tracker.getData(arg);
+              if (!argInfo) continue;
+
+              newTags = createAppendTags(newTags, argInfo.tags, currIdx);
+
+              history.push({ ...argInfo });
+              eventArgs.push({ value: argInfo ? argInfo.value : arg, tracked: !!argInfo });
+            }
+
+            const resultInfo = tracker.getData(result);
+            const event = createPropagationEvent({
+              name,
+              moduleName: 'util',
+              methodName: 'format',
+              context: `util.format(${eventArgs.map((arg) => `'${arg.value}'`)})`,
+              object: {
+                value: 'util',
+                tracked: false
+              },
+              result: {
+                value: resultInfo ? resultInfo.value : result,
+                tracked: true
+              },
+              args: eventArgs,
+              tags: newTags,
+              history,
+              source: 'P',
+              target: 'R',
+              stacktraceOpts: {
+                constructorOpt: hooked,
+                prependFrames: [orig]
+              },
+            });
+
+            if (!event) return;
+
+            if (resultInfo) {
+              Object.assign(resultInfo, event);
+            } else {
+              const { extern } = tracker.track(result, event);
+
+              if (extern) {
+                data.result = extern;
+              }
+            }
+          }
+        });
+      }
+      );
+    },
+  };
+};

package/lib/dataflow/sinks/index.js

@@ -79,6 +79,7 @@ module.exports = function (core) {
   require('./install/mongodb')(core);
   require('./install/mssql')(core);
   require('./install/mysql')(core);
+  require('./install/node-serialize')(core);
   require('./install/postgres')(core);
   require('./install/sequelize')(core);
   require('./install/sqlite3')(core);

package/lib/dataflow/sinks/install/child-process.js

@@ -17,19 +17,25 @@
 const {
   DataflowTag: { UNTRUSTED },
   join,
-  Rule,
+  Rule: { CMD_INJECTION: ruleId },
   isString,
   inspect,
 } = require('@contrast/common');
-
+const { InstrumentationType: { RULE } } = require('../../../constants');
 const { patchType } = require('../common');
 
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+*/
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    scopes: { sources },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -92,7 +98,7 @@ module.exports = function(core) {
 
     if (event) {
       reportFindings({
-        ruleId: Rule.CMD_INJECTION,
+        ruleId,
         sinkEvent: event,
       });
 
@@ -178,7 +184,7 @@ module.exports = function(core) {
 
     if (event) {
       reportFindings({
-        ruleId: Rule.CMD_INJECTION,
+        ruleId,
         sinkEvent: event,
       });
     }
@@ -193,10 +199,10 @@ module.exports = function(core) {
             name,
             patchType,
             pre(data) {
-              const store = sources.getStore()?.assess;
-              const [command] = data.args;
+              if (!getSourceContext(RULE, ruleId)) return;
 
-              if (!store || !command || !isString(command)) return;
+              const [command] = data.args;
+              if (!command || !isString(command)) return;
 
               const cpArgs = Array.isArray(data.args[1]) && data.args[1];
               const options = cpArgs ? data.args[2] : data.args[1];
@@ -233,10 +239,10 @@ module.exports = function(core) {
             name,
             patchType,
             pre(data) {
-              const store = sources.getStore()?.assess;
-              const [command, secondArg, thirdArg] = data.args;
+              if (!getSourceContext(RULE, ruleId)) return;
 
-              if (!store || !command || !isString(command)) return;
+              const [command, secondArg, thirdArg] = data.args;
+              if (!command || !isString(command)) return;
 
               commandCheck(
                 name,
@@ -257,10 +263,10 @@ module.exports = function(core) {
             name,
             patchType,
             pre(data) {
-              const store = sources.getStore()?.assess;
-              const [command] = data.args;
+              if (!getSourceContext(RULE, ruleId)) return;
 
-              if (!store || !command || !isString(command)) return;
+              const [command] = data.args;
+              if (!command || !isString(command)) return;
 
               const cpArgs = Array.isArray(data.args[1]) && data.args[1];
               const options = cpArgs ? data.args[2] : data.args[1];

package/lib/dataflow/sinks/install/eval.js

@@ -25,8 +25,9 @@ const {
     CUSTOM_VALIDATED,
     LIMITED_CHARS,
   },
-  Rule: { UNSAFE_CODE_EXECUTION },
+  Rule: { UNSAFE_CODE_EXECUTION: ruleId },
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
 const { patchType, filterSafeTags } = require('../common');
 
 const safeTags = [
@@ -37,13 +38,21 @@ const safeTags = [
   LIMITED_CHARS,
 ];
 
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ *  logger: import('@contrast/logger').Logger,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+*/
 module.exports = function (core) {
   const {
     config,
     logger,
     patcher,
-    scopes: { sources, instrumentation },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -63,19 +72,12 @@ module.exports = function (core) {
         name: 'global.ContrastMethods.eval',
         patchType,
         pre({ args, orig }) {
-          const store = sources.getStore()?.assess;
+          if (!getSourceContext(RULE, ruleId)) return;
+
           const script = args[0];
-          if (
-            !store ||
-            instrumentation.isLocked() ||
-            !script ||
-            !isString(script)
-          ) {
-            return;
-          }
+          if (!script || !isString(script)) return;
 
           const strInfo = tracker.getData(script);
-
           if (!strInfo) return;
 
           const isArgVulnerable = isVulnerable(
@@ -93,7 +95,7 @@ module.exports = function (core) {
 
             reportSafePositive({
               name: 'eval',
-              ruleId: UNSAFE_CODE_EXECUTION,
+              ruleId,
               safeTags: foundSafeTags,
               strInfo: safeStrInfo,
             });
@@ -120,7 +122,7 @@ module.exports = function (core) {
 
             if (event) {
               reportFindings({
-                ruleId: UNSAFE_CODE_EXECUTION,
+                ruleId,
                 sinkEvent: event,
               });
             }

package/lib/dataflow/sinks/install/express/unvalidated-redirect.js

@@ -17,6 +17,7 @@
 
 const util = require('util');
 const {
+  Rule: { UNVALIDATED_REDIRECT: ruleId },
   DataflowTag: {
     UNTRUSTED,
     CUSTOM_ENCODED,
@@ -27,18 +28,25 @@ const {
   },
   isString
 } = require('@contrast/common');
-const { patchType, filterSafeTags } = require('../../common');
+const { InstrumentationType: { RULE } } = require('../../../../constants');
 const { createSubsetTags } = require('../../../tag-utils');
+const { patchType, filterSafeTags } = require('../../common');
 
-const ruleId = 'unvalidated-redirect';
-
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ *  logger: import('@contrast/logger').Logger,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+*/
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
     config,
-    scopes: { sources },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -46,9 +54,8 @@ module.exports = function(core) {
       },
     },
   } = core;
-  const unvalidatedRedirect =
-    (core.assess.dataflow.sinks.express.unvalidatedRedirect = {});
 
+  const unvalidatedRedirect = core.assess.dataflow.sinks.express.unvalidatedRedirect = {};
   const inspect = patcher.unwrap(util.inspect);
 
   const safeTags = [
@@ -66,8 +73,7 @@ module.exports = function(core) {
         name: 'Express.Response.location',
         patchType,
         pre: (data) => {
-          const assessStore = sources.getStore()?.assess;
-          if (!assessStore) return;
+          if (!getSourceContext(RULE, ruleId)) return;
 
           let [url] = data.args;
           if (url === 'back') {

package/lib/dataflow/sinks/install/fastify/unvalidated-redirect.js

@@ -17,6 +17,7 @@
 
 const util = require('util');
 const {
+  Rule: { UNVALIDATED_REDIRECT: ruleId },
   DataflowTag: {
     UNTRUSTED,
     CUSTOM_ENCODED,
@@ -27,11 +28,10 @@ const {
   },
   isString
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../../constants');
 const { createSubsetTags } = require('../../../tag-utils');
 const { filterSafeTags, patchType } = require('../../common');
 
-const ruleId = 'unvalidated-redirect';
-
 const getURLArgument = (args) => {
   if (!Array.isArray(args)) {
     return { index: null, url: undefined };
@@ -51,13 +51,21 @@ const getURLArgument = (args) => {
   };
 };
 
+/**
+ *
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
 module.exports = function(core) {
   const {
     config,
     depHooks,
     patcher,
-    scopes: { sources },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -85,8 +93,7 @@ module.exports = function(core) {
         name,
         patchType,
         post(data) {
-          const assessStore = sources.getStore()?.assess;
-          if (!assessStore) return;
+          if (!getSourceContext(RULE, ruleId)) return;
 
           const { url, index: valueIndex } = getURLArgument(data.args);
           if (!url || !isString(url)) return;

package/lib/dataflow/sinks/install/fs.js

@@ -16,9 +16,6 @@
 'use strict';
 const { patchType } = require('../common');
 const {
-  FS_METHODS,
-  Rule,
-  isString,
   DataflowTag: {
     URL_ENCODED,
     LIMITED_CHARS,
@@ -26,16 +23,20 @@ const {
     SAFE_PATH,
     UNTRUSTED,
   },
+  FS_METHODS,
+  Rule: { PATH_TRAVERSAL: ruleId },
   inspect,
+  isString,
   join,
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
 
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    scopes: { instrumentation, sources },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -61,8 +62,7 @@ module.exports = function(core) {
 
   const pre = (name, method, moduleName = 'fs', fullMethodName = '') => (data) => {
     const { name: methodName, indices } = method;
-    const store = sources.getStore()?.assess;
-    if (!store || instrumentation.isLocked()) return;
+    if (!getSourceContext(RULE, ruleId)) return;
 
     const values = getValues(indices, data.args);
     if (!values.length) return;
@@ -105,7 +105,7 @@ module.exports = function(core) {
 
       if (event) {
         reportFindings({
-          ruleId: Rule.PATH_TRAVERSAL,
+          ruleId,
           sinkEvent: event,
         });
       }

package/lib/dataflow/sinks/install/function.js

@@ -27,8 +27,9 @@ const {
     CUSTOM_VALIDATED,
     LIMITED_CHARS,
   },
-  Rule: { UNSAFE_CODE_EXECUTION }
+  Rule: { UNSAFE_CODE_EXECUTION: ruleId }
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
 const { patchType, filterSafeTags } = require('../common');
 
 const safeTags = [
@@ -44,8 +45,8 @@ module.exports = function (core) {
     config,
     logger,
     patcher,
-    scopes: { sources, instrumentation },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -65,15 +66,10 @@ module.exports = function (core) {
         name: 'global.ContrastMethods.Function',
         patchType,
         pre({ args: origArgs, hooked, orig, name }) {
-          const store = sources.getStore()?.assess;
+          if (!getSourceContext(RULE, ruleId)) return;
+
           const fnBody = origArgs[origArgs.length - 1];
-          if (
-            !store ||
-            instrumentation.isLocked() ||
-            !fnBody ||
-            !isString(fnBody)
-          )
-            return;
+          if (!fnBody || !isString(fnBody)) return;
 
           const strInfo = tracker.getData(fnBody);
 
@@ -90,7 +86,7 @@ module.exports = function (core) {
 
             reportSafePositive({
               name,
-              ruleId: UNSAFE_CODE_EXECUTION,
+              ruleId,
               safeTags: foundSafeTags,
               strInfo: safeStrInfo,
             });
@@ -142,7 +138,7 @@ module.exports = function (core) {
 
             if (event) {
               reportFindings({
-                ruleId: UNSAFE_CODE_EXECUTION,
+                ruleId,
                 sinkEvent: event,
               });
             }

package/lib/dataflow/sinks/install/http/request.js

@@ -15,6 +15,7 @@
 
 'use strict';
 
+const Url = require('url');
 const {
   inspect,
   isString,
@@ -25,19 +26,27 @@ const {
     CUSTOM_VALIDATED_SSRF,
     CUSTOM_VALIDATED,
     LIMITED_CHARS
-  }
+  },
+  Rule: { SSRF: ruleId },
 } = require('@contrast/common');
-const Url = require('url');
-const trustedLibs = [/^(?!.*(newrelic)).*http.*$/];
-const { patchType } = require('../../common');
+const { InstrumentationType: { RULE } } = require('../../../../constants');
 const { createAppendTags } = require('../../../tag-utils');
+const { patchType } = require('../../common');
+
+const trustedLibs = [/^(?!.*(newrelic)).*http.*$/];
 
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+*/
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    scopes: { sources },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -92,8 +101,7 @@ module.exports = function(core) {
           name,
           patchType,
           pre(data) {
-            const sourceContext = sources.getStore()?.assess;
-            if (!sourceContext) return;
+            if (!getSourceContext(RULE, ruleId)) return;
 
             const [req] = data.args;
             if (!req) return;
@@ -136,7 +144,7 @@ module.exports = function(core) {
 
                 if (event) {
                   reportFindings({
-                    ruleId: 'ssrf',
+                    ruleId,
                     sinkEvent: event
                   });
                 }

package/lib/dataflow/sinks/install/http/server-response.js

@@ -31,15 +31,24 @@ const {
   },
   Rule: { REFLECTED_XSS: ruleId },
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../../constants');
+
 const { patchType, filterSafeTags } = require('../../common');
 
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
 module.exports = function(core) {
   const {
     config,
     depHooks,
     patcher,
-    scopes: { sources },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -68,7 +77,7 @@ module.exports = function(core) {
   ];
 
   const preHook = (name, method) => (data) => {
-    const sourceContext = sources.getStore()?.assess;
+    const sourceContext = getSourceContext(RULE, ruleId);
     if (!sourceContext) return;
 
     const payload = data.args[0];

package/lib/dataflow/sinks/install/koa/unvalidated-redirect.js

@@ -25,20 +25,29 @@ const {
     LIMITED_CHARS,
     URL_ENCODED,
   },
+  Rule: { UNVALIDATED_REDIRECT: ruleId },
   isString
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../../constants');
 const { createSubsetTags } = require('../../../tag-utils');
 const { filterSafeTags, patchType } = require('../../common');
 
-const ruleId = 'unvalidated-redirect';
-
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ *  logger: import('@contrast/logger').Logger,
+ *  messages: import('@contrast/common').Messages,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
     config,
-    scopes: { sources },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -46,11 +55,8 @@ module.exports = function(core) {
       },
     },
   } = core;
-  const unvalidatedRedirect =
-    (core.assess.dataflow.sinks.koa.unvalidatedRedirect = {});
 
   const inspect = patcher.unwrap(util.inspect);
-
   const safeTags = [
     CUSTOM_ENCODED,
     CUSTOM_VALIDATED,
@@ -59,6 +65,8 @@ module.exports = function(core) {
     URL_ENCODED,
   ];
 
+  const unvalidatedRedirect = core.assess.dataflow.sinks.koa.unvalidatedRedirect = {};
+
   unvalidatedRedirect.install = function() {
     depHooks.resolve({ name: 'koa', file: 'lib/response', version: '<2.9.0' }, (Response) => {
       const name = 'Koa.Response.redirect';
@@ -66,8 +74,7 @@ module.exports = function(core) {
         name,
         patchType,
         pre(data) {
-          const assessStore = sources.getStore()?.assess;
-          if (!assessStore) return;
+          if (!getSourceContext(RULE, ruleId)) return;
 
           let isBackRoute = false;
           let [url] = data.args;