@contrast/assess 1.17.0 → 1.19.0

package/lib/dataflow/sinks/install/vm.js

@@ -16,7 +16,6 @@
 'use strict';
 const { patchType, filterSafeTags } = require('../common');
 const {
-  isString,
   DataflowTag: {
     UNTRUSTED,
     CUSTOM_ENCODED_TRUST_BOUNDARY_VIOLATION,
@@ -25,14 +24,17 @@ const {
     CUSTOM_VALIDATED,
     LIMITED_CHARS,
   },
-  Rule: { UNSAFE_CODE_EXECUTION },
-  isNonEmptyObject,
+  Rule: { UNSAFE_CODE_EXECUTION: ruleId },
   inspect,
-  traverseValues,
+  isNonEmptyObject,
+  isString,
   join,
   split,
+  traverseValues,
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
 const { createAdjustedQueryTags } = require('../../tag-utils');
+
 const safeTags = [
   CUSTOM_ENCODED_TRUST_BOUNDARY_VIOLATION,
   CUSTOM_ENCODED,
@@ -41,13 +43,20 @@ const safeTags = [
   LIMITED_CHARS,
 ];
 
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
 module.exports = function (core) {
   const {
     config,
     depHooks,
     patcher,
-    scopes: { sources, instrumentation },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -133,14 +142,7 @@ module.exports = function (core) {
   }
 
   function around(next, { args: origArgs, hooked, orig, name }) {
-    const store = sources.getStore()?.assess;
-    if (
-      !store ||
-      instrumentation.isLocked() ||
-      isLocked(UNSAFE_CODE_EXECUTION)
-    ) {
-      return next();
-    }
+    if (!getSourceContext(RULE, ruleId) || isLocked(ruleId)) return next();
 
     const methodPath = split(name, '.');
     const method = methodPath[methodPath.length - 1];
@@ -189,13 +191,13 @@ module.exports = function (core) {
 
       reportSafePositive({
         name,
-        ruleId: UNSAFE_CODE_EXECUTION,
+        ruleId,
         safeTags: Array.from(foundSafeTags),
         strInfo,
       });
 
       return name === 'vm.runInNewContext'
-        ? runInActiveSink(UNSAFE_CODE_EXECUTION, () => next())
+        ? runInActiveSink(ruleId, () => next())
         : next();
     }
 
@@ -233,14 +235,14 @@ module.exports = function (core) {
 
       if (event) {
         reportFindings({
-          ruleId: UNSAFE_CODE_EXECUTION,
+          ruleId,
           sinkEvent: event,
         });
       }
     }
 
     return name === 'vm.runInNewContext'
-      ? runInActiveSink(UNSAFE_CODE_EXECUTION, () => next())
+      ? runInActiveSink(ruleId, () => next())
       : next();
   }
 

package/lib/dataflow/sources/install/http.js

@@ -17,12 +17,17 @@
 const { patchType } = require('../common');
 const { toLowerCase, InputType } = require('@contrast/common');
 
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ * }} core
+ */
 module.exports = function(core) {
   const {
-    scopes,
+    assess: { dataflow, makeSourceContext },
     instrumentation: { instrument },
-    assess: { dataflow },
     patcher,
+    scopes,
   } = core;
 
   const logger = core.logger.child('contrast:assess');
@@ -34,19 +39,20 @@ module.exports = function(core) {
   function around(next, data) {
     const [type] = data.args;
 
-    if (type !== 'request') {
-      return next();
-    }
+    if (type !== 'request') return next();
 
     try {
       const [, req, res] = data.args;
       const store = scopes.sources.getStore();
 
       if (!store) {
-        logger.debug('cannot acquire store for assess request handling');
-        return next();
+        // this would indicate that sources did not install correctly
+        throw new Error('async request store not found');
       }
 
+      store.assess = makeSourceContext(req, res);
+      if (!store.assess) return;
+
       patcher.patch(res, 'writeHead', {
         name: 'write-head',
         patchType,
@@ -86,27 +92,7 @@ module.exports = function(core) {
         });
       }
 
-      let uriPath, queries;
-      const ix = req.url.indexOf('?');
-
-      if (ix >= 0) {
-        uriPath = req.url.slice(0, ix);
-        queries = req.url.slice(ix + 1);
-      } else {
-        uriPath = req.url;
-        queries = '';
-      }
-
-      const headers = {};
       const sourceName = 'ClientRequest';
-
-      store.assess = {
-        responseData: {},
-        sourceEventsCount: 0,
-        propagationEventsCount: 0,
-        findings: {},
-      };
-
       const sourceInfo = {
         name: sourceName,
         stacktraceOpts: {
@@ -141,24 +127,10 @@ module.exports = function(core) {
 
       for (let i = 0; i < req.rawHeaders.length; i += 2) {
         const header = toLowerCase(req.rawHeaders[i]);
-        headers[header] = req.rawHeaders[i + 1];
         req.rawHeaders[i + 1] = req.headers[header];
       }
-
-      const contentType = headers['content-type'] && toLowerCase(headers['content-type']);
-
-      store.assess.reqData = {
-        ip: req.socket.remoteAddress,
-        httpVersion: req.httpVersion,
-        method: req.method,
-        headers,
-        uriPath,
-        queries,
-        contentType,
-      };
-
     } catch (err) {
-      logger.error({ err }, 'Error during assess request handling');
+      logger.error({ err }, 'Error during Assess request handling');
     }
 
     setImmediate(() => {

package/lib/dataflow/sources/install/koa/index.js

@@ -22,6 +22,7 @@ module.exports = function(core) {
 
   require('./koa2')(core);
   require('./koa-bodyparsers')(core);
+  require('./koa-multer')(core);
   require('./koa-routers')(core);
 
   koaSources.install = function install() {

package/lib/dataflow/sources/install/koa/koa-multer.js

@@ -0,0 +1,102 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+const { patchType } = require('../../common');
+const { InputType } = require('@contrast/common');
+
+module.exports = (core) => {
+  const {
+    depHooks,
+    logger,
+    patcher,
+    scopes,
+    assess: { dataflow: { sources } },
+  } = core;
+
+  function handler(req, constructorOpt) {
+    const sourceContext = scopes.sources.getStore()?.assess;
+    if (!sourceContext) return;
+
+    function handle(context, data, key) {
+      try {
+        sources.handle({
+          context,
+          data,
+          keys: [key],
+          name: 'multer',
+          inputType: InputType.BODY,
+          sourceContext,
+          stacktraceOpts: {
+            constructorOpt,
+          },
+        });
+      } catch (err) {
+        logger.error({ err }, 'error handling Koa multer Assess dataflow %s.%s source', context, key);
+      }
+    }
+
+    if (req.file) {
+      handle('req', req, 'file');
+    }
+
+    if (Array.isArray(req.files)) {
+      for (let i = 0; i < req.files.length; i++) {
+        handle('req.files', req.files[i], i);
+      }
+    }
+
+    if (req.body && Object.keys(req.body).length) {
+      handle('req', req, 'body');
+    }
+  }
+
+  function install() {
+    ['koa-multer', '@koa/multer'].forEach((name) => {
+      depHooks.resolve(
+        { name }, (_export) => {
+          const origMulter = _export;
+          return patcher.patch(_export, {
+            name,
+            patchType,
+            post(data) {
+              const { args, hooked } = data;
+              const instance = origMulter.apply(this, args);
+              const origMake = instance._makeMiddleware;
+              instance._makeMiddleware = function _makeMiddleware(...args) {
+                const origMulterMiddleware = origMake.apply(this, args);
+                return function multerMiddleware(req, res, origNext) {
+
+                  const next = function(...args) {
+                    handler(req, hooked);
+                    return origNext.apply(this, args);
+                  };
+                  return origMulterMiddleware.apply(this, [req, res, next]);
+                };
+              };
+              data.result = instance;
+            }
+          });
+        }
+      );
+    });
+  }
+
+  const koaMulterInstrumentation = sources.koaInstrumentation.koaMulter = {
+    install
+  };
+
+  return koaMulterInstrumentation;
+};

package/lib/dataflow/sources/install/multer1.js

@@ -23,36 +23,20 @@ module.exports = (core) => {
     depHooks,
     patcher,
     logger,
-    assess,
-    scopes: { wrap },
+    assess: { dataflow: { sources } },
+    scopes,
   } = core;
 
-  function handleFile(sourceContext, constructorOpt, req) {
-    try {
-      assess.dataflow.sources.handle({
-        context: 'req',
-        data: req,
-        keys: ['file'],
-        name: 'multer',
-        inputType: InputType.BODY,
-        sourceContext,
-        stacktraceOpts: {
-          constructorOpt,
-        },
-      });
-    } catch (err) {
-      logger.error({ err }, 'error handling multer Assess dataflow req.file source');
-    }
-  }
+  function handler(req, constructorOpt) {
+    const sourceContext = scopes.sources.getStore()?.assess;
+    if (!sourceContext) return;
 
-  function handleFiles(sourceContext, constructorOpt, req) {
-    let i;
-    for (i = 0; i < req.files.length; i++) {
+    function handle(context, data, key) {
       try {
-        assess.dataflow.sources.handle({
-          context: 'req.files',
-          data: req.files[i],
-          keys: [i],
+        sources.handle({
+          context,
+          data,
+          keys: [key],
           name: 'multer',
           inputType: InputType.BODY,
           sourceContext,
@@ -61,26 +45,22 @@ module.exports = (core) => {
           },
         });
       } catch (err) {
-        logger.error({ err }, 'error handling multer Assess dataflow req.files[%s] source', i);
+        logger.error({ err }, 'error handling multer Assess dataflow %s.%s source', context, key);
       }
     }
-  }
 
-  function handleBody(sourceContext, constructorOpt, req) {
-    try {
-      assess.dataflow.sources.handle({
-        context: 'req',
-        data: req,
-        keys: ['body'],
-        name: 'multer',
-        inputType: InputType.BODY,
-        sourceContext,
-        stacktraceOpts: {
-          constructorOpt,
-        },
-      });
-    } catch (err) {
-      logger.error({ err }, 'error handling multer Assess dataflow req.body source');
+    if (req.file) {
+      handle('req', req, 'file');
+    }
+
+    if (Array.isArray(req.files)) {
+      for (let i = 0; i < req.files.length; i++) {
+        handle('req.files', req.files[i], i);
+      }
+    }
+
+    if (req.body && Object.keys(req.body).length) {
+      handle('req', req, 'body');
     }
   }
 
@@ -97,14 +77,8 @@ module.exports = (core) => {
               patchType,
               pre(data) {
                 const [req, , next, hooked] = data.args;
-
-                const sourceContext = core.scopes.sources.getStore()?.assess;
-                if (!sourceContext) return;
-
-                data.args[2] = wrap(function (...args) {
-                  if (req.file) handleFile(sourceContext, hooked, req);
-                  if (Array.isArray(req.files)) handleFiles(sourceContext, hooked, req);
-                  if (req.body && Object.keys(req.body).length) handleBody(sourceContext, hooked, req.body);
+                data.args[2] = scopes.wrap(function (...args) {
+                  handler(req, hooked);
                   next(...args);
                 });
               },

package/lib/dataflow/sources/install/querystring.js

@@ -32,10 +32,7 @@ module.exports = (core) => {
             const sourceContext = core.scopes.sources.getStore()?.assess;
             const inputType = InputType.QUERYSTRING;
 
-            if (!sourceContext) {
-              logger.error({ name }, 'unable to handle source. Missing `sourceContext`');
-              return;
-            }
+            if (!sourceContext) return;
 
             if (sourceContext.parsedQuery) {
               logger.trace({ name }, 'values already tracked');

package/lib/event-factory.js

@@ -270,5 +270,52 @@ module.exports = function(core) {
     return event;
   };
 
+
+  /**
+   * @param {{
+   *  context: string,
+   *  name: string,
+   *  moduleName: string,
+   *  methodName: string,
+   *  object: { value: any, tracked: boolean },
+   *  args: any[],
+   *  result: { value: vany, tracked: boolean },
+   *  source: string,
+   *  stacktraceOpts: { constructorOpt?: Function},
+   * }} data
+   * @returns {any}
+   */
+  eventFactory.createCryptoAnalysisEvent = function(data) {
+    const {
+      name = '',
+      source,
+      stacktraceOpts,
+    } = data;
+
+    if (!name) {
+      logger.debug({ data }, 'no sink event name');
+      return null;
+    }
+
+    if (!source || !source.match(annotationRegExp)) {
+      logger.debug({ data }, 'malformed or missing sink event source field');
+      return null;
+    }
+
+    let stack;
+    if (config.assess.stacktraces !== 'NONE') {
+      stack = createSnapshot(stacktraceOpts)();
+    } else {
+      stack = [];
+    }
+
+    data.stack = stack;
+    data.time = Date.now();
+
+    eventFactory.createdEvents.add(data);
+
+    return data;
+  };
+
   return eventFactory;
 };

package/lib/get-policy.js

@@ -0,0 +1,68 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const {
+  Rule,
+  ResponseScanningRule,
+  SessionConfigurationRule,
+  Event,
+} = require('@contrast/common');
+
+const rulesIds = Object.values({
+  ...Rule,
+  ...ResponseScanningRule,
+  ...SessionConfigurationRule,
+});
+
+/**
+ * @param {{
+ *  config: import('@contrast/config').Config,
+ *  logger: import('@contrast/logger').Logger,
+ *  messages: import('@contrast/common').Messages,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
+module.exports = function assess(core) {
+  const { logger, messages } = core;
+
+  const enabledRules = new Set(rulesIds);
+
+  messages.on(Event.SERVER_SETTINGS_UPDATE, (msg) => {
+    if (!msg.assess) return;
+
+    for (const ruleId of rulesIds) {
+      const enable = msg.assess[ruleId]?.enable;
+      if (enable === true) {
+        enabledRules.add(ruleId);
+        if (ruleId === Rule.NOSQL_INJECTION) enabledRules.add(Rule.NOSQL_INJECTION_MONGO);
+      } else if (enable === false) {
+        if (ruleId === Rule.NOSQL_INJECTION) enabledRules.delete(Rule.NOSQL_INJECTION_MONGO);
+        enabledRules.delete(ruleId);
+      }
+    }
+    logger.info({
+      enabledRules: Array.from(enabledRules)
+    }, 'Assess policy updated');
+  });
+
+  return core.assess.getPolicy = function getPolicy() {
+    // creates copy of local policy for request store
+    return {
+      enabledRules: new Set(enabledRules),
+    };
+  };
+};

package/lib/get-source-context.js

@@ -0,0 +1,62 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { InstrumentationType } = require('./constants');
+
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ *  scopes: import('@contrast/scopes').Scopes,
+ * }} core
+ */
+module.exports = function(core) {
+  const {
+    config,
+    scopes: { sources, instrumentation },
+    assess: { ruleScopes },
+  } = core;
+
+  /**
+   * @param {import('./constants.js').InstrumentationType} type
+   * @returns {import('@contrast/assess').SourceContext|null} the assess store
+   */
+  return core.assess.getSourceContext = function getSourceContext(type, ...rest) {
+    const ctx = sources.getStore()?.assess;
+
+    if (!ctx || instrumentation.isLocked()) return null;
+
+    switch (type) {
+      case InstrumentationType.PROPAGATOR: {
+        if (ctx.propagationEventsCount > config.assess.max_propagation_events) return null;
+        break;
+      }
+      case InstrumentationType.SOURCE: {
+        if (ctx.sourceEventsCount > config.assess.max_context_source_events) return null;
+        break;
+      }
+      case InstrumentationType.RULE: {
+        const [ruleId] = rest;
+        if (!ruleId) break;
+        if (!ctx.policy.enabledRules.has(ruleId) || ruleScopes.isLocked(ruleId)) return null;
+        break;
+      }
+    }
+
+    return ctx;
+  };
+};

package/lib/index.d.ts

@@ -0,0 +1,50 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+import { IncomingMessage, ServerResponse } from 'node:http';
+import { Rule } from '@contrast/common';
+
+export enum InstrumentationType {
+  SOURCE = 'source',
+  PROPAGATOR = 'propagator',
+  RULE = 'rule',
+}
+
+export interface SourceContext {
+  reqData: object,
+  responseData: {
+    contentType: string,
+  },
+  policy: {
+    enabledRules: Set<string>,
+  }
+}
+
+export interface Policy {
+  enabledRules: Set<Rule>,
+}
+
+export interface RuleScopes {
+  run(ruleId: Rule, cb: void): void;
+  isLocked(ruleId: Rule): boolean;
+}
+
+export interface Assess {
+  getPolicy(): Policy,
+  getSourceContext(instrType?: InstrumentationType, opts?: any): SourceContext,
+  makeSourceContext(req: IncomingMessage, res: ServerResponse): SourceContext,
+  ruleScopes: RuleScopes,
+}
+
+export function getSourceContext(instrType?: InstrumentationType, ops?: any): SourceContext;