@contrast/assess 1.17.0 → 1.19.0

package/lib/dataflow/sinks/install/libxmljs.js

@@ -15,9 +15,8 @@
 
 'use strict';
 
-const { patchType } = require('../common');
 const {
-  Rule: { XXE },
+  Rule: { XXE: ruleId },
   isString,
   DataflowTag: {
     UNTRUSTED,
@@ -26,18 +25,29 @@ const {
   },
   inspect
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
+const { patchType } = require('../common');
 
 const safeTags = [
   LIMITED_CHARS,
   ALPHANUM_SPACE_HYPHEN
 ];
 
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ *  logger: import('@contrast/logger').Logger,
+ *  messages: import('@contrast/common').Messages,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    scopes: { sources, instrumentation },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -60,12 +70,7 @@ module.exports = function(core) {
         name: `${moduleName}.${method}`,
         patchType,
         pre(data) {
-          const store = sources.getStore()?.assess;
-          if (
-            !store ||
-            !data.args[0] ||
-            instrumentation.isLocked()
-          ) return;
+          if (!getSourceContext(RULE, ruleId) || !data.args[0]) return;
 
           const [xmlString, opts] = data.args;
 
@@ -104,7 +109,7 @@ module.exports = function(core) {
 
           if (event) {
             reportFindings({
-              ruleId: XXE,
+              ruleId,
               sinkEvent: event,
             });
           }

package/lib/dataflow/sinks/install/marsdb.js

@@ -15,10 +15,9 @@
 'use strict';
 
 const util = require('util');
-const { patchType } = require('../common');
 const {
   traverseValues,
-  Rule,
+  Rule: { NOSQL_INJECTION_MONGO: ruleId },
   DataflowTag: {
     ALPHANUM_SPACE_HYPHEN,
     LIMITED_CHARS,
@@ -27,6 +26,8 @@ const {
     CUSTOM_VALIDATED_NOSQL_INJECTION,
   },
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
+const { patchType } = require('../common');
 
 const collectionMethods = ['find', 'findOne', 'update', 'remove'];
 const querySafeTags = [
@@ -36,13 +37,20 @@ const querySafeTags = [
   CUSTOM_VALIDATED_NOSQL_INJECTION,
 ];
 
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  logger: import('@contrast/logger').Logger,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
 module.exports = function(core) {
   const {
     depHooks,
     logger,
     patcher,
-    scopes: { sources, instrumentation },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -82,10 +90,7 @@ module.exports = function(core) {
       name,
       patchType,
       around(next, data) {
-        const sourceCtx = sources.getStore()?.assess;
-        if (!sourceCtx || instrumentation.isLocked()) {
-          return next();
-        }
+        if (!getSourceContext(RULE, ruleId)) return next();
 
         const argIdx = 0;
         const result = getVulnerabilityInfo(data.args[argIdx]);
@@ -120,7 +125,7 @@ module.exports = function(core) {
         });
 
         if (sinkEvent) {
-          reportFindings({ ruleId: Rule.NOSQL_INJECTION_MONGO, sinkEvent });
+          reportFindings({ ruleId, sinkEvent });
         }
 
         return next();

package/lib/dataflow/sinks/install/mongodb.js

@@ -24,12 +24,13 @@ const {
     LIMITED_CHARS,
     STRING_TYPE_CHECKED,
   },
-  Rule: { NOSQL_INJECTION_MONGO },
+  Rule: { NOSQL_INJECTION_MONGO: ruleId },
   isNonEmptyObject,
   traverseValues,
   isString,
   inspect
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
 const utils = require('../../tag-utils');
 const { patchType, filterSafeTags } = require('../common');
 
@@ -66,19 +67,28 @@ const querySafeTags = [
   STRING_TYPE_CHECKED,
 ];
 
+/**
+ *
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
 module.exports = function(core) {
   const {
     config,
     depHooks,
     logger,
     patcher,
-    scopes: { sources, instrumentation },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
-        sinks: { isVulnerable, runInActiveSink, isLocked, reportFindings, reportSafePositive }
-      }
+        sinks: { isVulnerable, reportFindings, reportSafePositive }
+      },
+      ruleScopes,
     }
   } = core;
 
@@ -228,17 +238,13 @@ module.exports = function(core) {
   function createAroundHook(entity, name, method, getInfoMethod, vulnerableArgIdxs) {
     const argsIdxsToCheck = vulnerableArgIdxs || [0];
     return function(next, data) {
-      const { obj, args: origArgs } = data;
-      const sourceCtx = sources.getStore()?.assess;
-
-      if (isLocked(NOSQL_INJECTION_MONGO) || instrumentation.isLocked() || !sourceCtx) {
-        return next();
-      }
+      if (!getSourceContext(RULE, ruleId)) return next();
 
+      const { obj, args: origArgs } = data;
+      const safeReports = [];
       let vulnInfo;
       let reportSafe;
       let vulnArgIdx;
-      const safeReports = [];
 
       try {
         for (const argIdx of argsIdxsToCheck) {
@@ -272,13 +278,15 @@ module.exports = function(core) {
 
             reportSafePositive({
               name,
-              ruleId: NOSQL_INJECTION_MONGO,
+              ruleId,
               safeTags,
               strInfo: strInfo.length === 1 ? strInfo[0] : strInfo
             });
           }
 
-          return methodsWithNestedCalls.includes(method) ? runInActiveSink(NOSQL_INJECTION_MONGO, async () => await next()) : next();
+          return methodsWithNestedCalls.includes(method)
+            ? ruleScopes.run(ruleId, async () => await next())
+            : next();
         }
 
         const { path, strInfo } = vulnInfo;
@@ -313,13 +321,15 @@ module.exports = function(core) {
         });
 
         if (sinkEvent) {
-          reportFindings({ ruleId: NOSQL_INJECTION_MONGO, sinkEvent });
+          reportFindings({ ruleId, sinkEvent });
         }
       } catch (err) {
         core.logger.error({ name, err }, 'assess sink analysis failed');
       }
 
-      return methodsWithNestedCalls.includes(method) ? runInActiveSink(NOSQL_INJECTION_MONGO, async () => await next()) : next();
+      return methodsWithNestedCalls.includes(method)
+        ? ruleScopes.run(ruleId, async () => await next())
+        : next();
     };
   }
 

package/lib/dataflow/sinks/install/mssql.js

@@ -16,10 +16,17 @@
 'use strict';
 
 const {
-  DataflowTag: { UNTRUSTED, SQL_ENCODED, LIMITED_CHARS, CUSTOM_VALIDATED, CUSTOM_ENCODED },
-  Rule: { SQL_INJECTION },
+  DataflowTag: {
+    CUSTOM_VALIDATED,
+    CUSTOM_ENCODED,
+    LIMITED_CHARS,
+    SQL_ENCODED,
+    UNTRUSTED,
+  },
+  Rule: { SQL_INJECTION: ruleId },
   isString
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
 const { createModuleLabel } = require('../../propagation/common');
 const { patchType, filterSafeTags } = require('../common');
 
@@ -30,15 +37,20 @@ const safeTags = [
   CUSTOM_ENCODED,
 ];
 
-const ruleId = SQL_INJECTION;
-
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
     config,
-    scopes: { sources },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -48,12 +60,11 @@ module.exports = function(core) {
   } = core;
 
   const pre = (name, method, obj, version) => (data) => {
-    const store = sources.getStore()?.assess;
     if (
-      !store ||
+      !getSourceContext(RULE, ruleId) ||
       !data.args[0] ||
       !isString(data.args[0]) ||
-      isLocked(SQL_INJECTION)
+      isLocked(ruleId)
     ) return;
 
     const strInfo = tracker.getData(data.args[0]);
@@ -86,7 +97,7 @@ module.exports = function(core) {
 
       if (event) {
         reportFindings({
-          ruleId: SQL_INJECTION,
+          ruleId,
           sinkEvent: event,
         });
       }

package/lib/dataflow/sinks/install/mysql.js

@@ -17,8 +17,7 @@
 
 const { patchType } = require('../common');
 const {
-  Rule: { SQL_INJECTION },
-  isString,
+  Rule: { SQL_INJECTION: ruleId },
   DataflowTag: {
     CUSTOM_ENCODED_SQL_INJECTION,
     CUSTOM_ENCODED,
@@ -28,8 +27,10 @@ const {
     LIMITED_CHARS,
     UNTRUSTED
   },
-  inspect
+  isString,
+  inspect,
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
 
 const safeTags = [
   CUSTOM_ENCODED_SQL_INJECTION,
@@ -40,12 +41,19 @@ const safeTags = [
   LIMITED_CHARS,
 ];
 
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    scopes: { sources },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -65,11 +73,10 @@ module.exports = function(core) {
   }
 
   const pre = (module, file, obj, method) => (data) => {
-    const store = sources.getStore()?.assess;
     if (
-      !store ||
+      !getSourceContext(RULE, ruleId) ||
       !data.args[0] ||
-      isLocked(SQL_INJECTION)
+      isLocked(ruleId)
     ) return;
 
     const val = getValueFromArgs(data.args);
@@ -106,7 +113,7 @@ module.exports = function(core) {
 
     if (event) {
       reportFindings({
-        ruleId: SQL_INJECTION,
+        ruleId,
         sinkEvent: event,
       });
     }

package/lib/dataflow/sinks/install/node-serialize.js

@@ -0,0 +1,101 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const {
+  Rule: { UNTRUSTED_DESERIALIZATION: ruleId },
+  isString,
+  DataflowTag: {
+    UNTRUSTED
+  }
+} = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
+const { patchType } = require('../common');
+
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
+module.exports = function(core) {
+  const {
+    depHooks,
+    patcher,
+    assess: {
+      getSourceContext,
+      eventFactory: { createSinkEvent },
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, reportFindings }
+      },
+    },
+  } = core;
+
+  core.assess.dataflow.sinks.nodeSerialize = {
+    install() {
+      depHooks.resolve({ name: 'node-serialize' }, (nodeSerialize) => {
+        patcher.patch(nodeSerialize, 'unserialize', {
+          name: 'node-serialize.unserialize',
+          patchType,
+          pre(data) {
+            if (!getSourceContext(RULE, ruleId) || !data.args[0]) return;
+
+            const [input] = data.args;
+            if (!isString(input)) return;
+
+            const strInfo = tracker.getData(input);
+            if (!strInfo || !isVulnerable(UNTRUSTED, [], strInfo.tags)) return;
+
+            const sinkEvent = createSinkEvent({
+              name: 'node-serialize.unserialize',
+              moduleName: 'node-serialize',
+              methodName: 'unserialize',
+              context: `node-serialize.unserialize(${strInfo.value})`,
+              history: [strInfo],
+              object: {
+                value: 'node-serialize',
+                tracked: false
+              },
+              args: [
+                {
+                  value: strInfo.value,
+                  tracked: true
+                },
+              ],
+              tags: strInfo.tags,
+              source: 'P0',
+              stacktraceOpts: {
+                contructorOpt: data.hooked,
+                prependFrames: [data.orig]
+              },
+            });
+
+            if (sinkEvent) {
+              reportFindings({
+                ruleId,
+                sinkEvent,
+              });
+            }
+          }
+        });
+      });
+    },
+  };
+
+  return core.assess.dataflow.sinks.nodeSerialize;
+};

package/lib/dataflow/sinks/install/postgres.js

@@ -17,19 +17,33 @@
 
 const util = require('util');
 const {
-  DataflowTag: { UNTRUSTED, SQL_ENCODED, LIMITED_CHARS, CUSTOM_VALIDATED, CUSTOM_ENCODED },
+  DataflowTag: {
+    CUSTOM_VALIDATED,
+    CUSTOM_ENCODED,
+    LIMITED_CHARS,
+    SQL_ENCODED,
+    UNTRUSTED,
+  },
   Rule: { SQL_INJECTION: ruleId },
   isString,
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
 const { filterSafeTags, patchType } = require('../common');
 
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
 module.exports = function(core) {
   const {
     config,
     depHooks,
     patcher,
-    scopes: { sources },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -50,8 +64,7 @@ module.exports = function(core) {
   const postgres = core.assess.dataflow.sinks.postgres = {};
 
   const preHook = (methodSignature) => (data) => {
-    const assessStore = sources.getStore()?.assess;
-    if (!assessStore || isLocked(ruleId)) return;
+    if (!getSourceContext(RULE, ruleId) || isLocked(ruleId)) return;
 
     const [arg0] = data.args;
     const query = arg0?.text || arg0;

package/lib/dataflow/sinks/install/sequelize.js

@@ -17,7 +17,7 @@
 
 const util = require('util');
 const {
-  Rule: { SQL_INJECTION },
+  Rule: { SQL_INJECTION: ruleId },
   DataflowTag: {
     UNTRUSTED,
     SQL_ENCODED,
@@ -26,15 +26,23 @@ const {
     CUSTOM_ENCODED,
   },
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
 const { patchType, filterSafeTags } = require('../common');
 
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
     config,
-    scopes: { sources },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -61,10 +69,9 @@ module.exports = function(core) {
         name: sequelizeQueryPatchName,
         patchType,
         around(next, data) {
-          const { args, hooked, orig } = data;
-          const sourceContext = sources.getStore()?.assess;
-          if (!sourceContext || !args[0]) return next();
+          if (!getSourceContext(RULE, ruleId) || !data.args[0]) return next();
 
+          const { args, hooked, orig } = data;
           const query = typeof args[0] === 'string' ? args[0] : args[0].query;
 
           try {
@@ -74,7 +81,7 @@ module.exports = function(core) {
             if (queryInfo && !isVulnerableQuery && config.assess.safe_positives.enable) {
               reportSafePositive({
                 name: sequelizeQueryPatchName,
-                ruleId: SQL_INJECTION,
+                ruleId,
                 safeTags: filterSafeTags(safeTags, queryInfo),
                 strInfo: {
                   value: queryInfo?.value,
@@ -87,7 +94,7 @@ module.exports = function(core) {
               !queryInfo ||
               !isVulnerableQuery
             ) {
-              return runInActiveSink(SQL_INJECTION, async () => await next());
+              return runInActiveSink(ruleId, async () => await next());
             }
 
             const sqlValue =
@@ -122,7 +129,7 @@ module.exports = function(core) {
 
             if (event) {
               reportFindings({
-                ruleId: SQL_INJECTION,
+                ruleId,
                 sinkEvent: event,
               });
             }
@@ -134,7 +141,7 @@ module.exports = function(core) {
             );
           }
 
-          return runInActiveSink(SQL_INJECTION, async () => await next());
+          return runInActiveSink(ruleId, async () => await next());
         },
       });
     });

package/lib/dataflow/sinks/install/sqlite3.js

@@ -17,10 +17,17 @@
 
 const { patchType } = require('../common');
 const {
-  DataflowTag: { UNTRUSTED, SQL_ENCODED, LIMITED_CHARS, CUSTOM_VALIDATED, CUSTOM_ENCODED },
-  Rule: { SQL_INJECTION },
+  DataflowTag: {
+    CUSTOM_VALIDATED,
+    CUSTOM_ENCODED,
+    LIMITED_CHARS,
+    SQL_ENCODED,
+    UNTRUSTED,
+  },
+  Rule: { SQL_INJECTION: ruleId },
   isString
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
 
 const safeTags = [
   SQL_ENCODED,
@@ -29,12 +36,19 @@ const safeTags = [
   CUSTOM_ENCODED,
 ];
 
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    scopes: { sources },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -44,12 +58,11 @@ module.exports = function(core) {
   } = core;
 
   const pre = (name, method) => (data) => {
-    const store = sources.getStore()?.assess;
     if (
-      !store ||
+      !getSourceContext(RULE, ruleId) ||
       !data.args[0] ||
       !isString(data.args[0]) ||
-      isLocked(SQL_INJECTION)
+      isLocked(ruleId)
     ) return;
 
     const strInfo = tracker.getData(data.args[0]);
@@ -83,7 +96,7 @@ module.exports = function(core) {
 
     if (event) {
       reportFindings({
-        ruleId: SQL_INJECTION,
+        ruleId,
         sinkEvent: event,
       });
     }