@contrast/assess 1.17.0 → 1.19.0

package/lib/index.js

@@ -16,32 +16,33 @@
 'use strict';
 
 const { callChildComponentMethodsSync } = require('@contrast/common');
-const sessionConfiguration = require('./session-configuration');
-const dataflow = require('./dataflow');
-const responseScanning = require('./response-scanning');
-const eventFactory = require('./event-factory');
 
 module.exports = function assess(core) {
-  const assess = core.assess = {};
+  const assess = core.assess = {
+    install() {
+      if (!core.config.getEffectiveValue('assess.enable')) {
+        core.logger.debug('assess is disabled, skipping installation');
+        return;
+      }
+
+      core.rewriter.install('assess');
+      callChildComponentMethodsSync(core.assess, 'install');
+    },
+  };
 
-  eventFactory(core);
-  dataflow(core);
-  responseScanning(core);
-  sessionConfiguration(core);
+  require('./rule-scopes')(core);
+  require('./get-policy')(core);
+  require('./make-source-context')(core);
+  require('./get-source-context')(core);
+  require('./event-factory')(core);
+  require('./crypto-analysis')(core);
+  require('./dataflow')(core);
+  require('./response-scanning')(core);
+  require('./session-configuration')(core);
 
   // todo
   // crypto rule implementations
   // static rule implementations in coordination with (CLI) rewriter
 
-  assess.install = function() {
-    if (!core.config.getEffectiveValue('assess.enable')) {
-      core.logger.debug('assess is disabled, skipping installation');
-      return;
-    }
-
-    core.rewriter.install('assess');
-    callChildComponentMethodsSync(core.assess, 'install');
-  };
-
   return assess;
 };

package/lib/make-source-context.js

@@ -0,0 +1,74 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { toLowerCase } = require('@contrast/common');
+
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  logger: import('@contrast/logger').Logger,
+ * }} core
+ */
+module.exports = function(core) {
+  const {
+    assess: { getPolicy },
+    logger,
+  } = core;
+
+  return core.assess.makeSourceContext = function (req, res) {
+    let contentType, queries, uriPath;
+
+    try {
+      const ix = req.url.indexOf('?');
+      if (ix >= 0) {
+        uriPath = req.url.slice(0, ix);
+        queries = req.url.slice(ix + 1);
+      } else {
+        uriPath = req.url;
+        queries = '';
+      }
+
+      // copy to avoid storing tracked values
+      const headers = { ...req.headers };
+      if (headers['content-type']) {
+        contentType = toLowerCase(headers['content-type']);
+      }
+
+      return {
+        propagationEventsCount: 0,
+        sourceEventsCount: 0,
+        policy: getPolicy(),
+        reqData: {
+          ip: req.socket.remoteAddress,
+          httpVersion: req.httpVersion,
+          method: req.method,
+          headers,
+          uriPath,
+          queries,
+          contentType,
+        },
+        responseData: {}
+      };
+    } catch (err) {
+      logger.error(
+        { err },
+        'unable to construct assess store. assess will be disabled for request.'
+      );
+      return null;
+    }
+  };
+};

package/lib/response-scanning/handlers/index.js

@@ -33,6 +33,19 @@ const {
   checkCspSources
 } = require('./utils');
 
+const {
+  AUTOCOMPLETE_MISSING,
+  CACHE_CONTROLS_MISSING,
+  CLICKJACKING_CONTROL_MISSING,
+  CSP_HEADER_MISSING,
+  CSP_HEADER_INSECURE,
+  HSTS_HEADER_MISSING,
+  PARAMETER_POLLUTION,
+  XCONTENTTYPE_HEADER_MISSING,
+  X_POWERED_BY_HEADER,
+  XXSPROTECTION_HEADER_DISABLED,
+} = ResponseScanningRule;
+
 module.exports = function(core) {
   const {
     assess: {
@@ -44,7 +57,10 @@ module.exports = function(core) {
   } = core;
 
   responseScanning.handleAutoCompleteMissing = function(sourceContext, { responseHeaders, responseBody }) {
-    if (!isHtmlContent(responseHeaders)) {
+    if (
+      !isEnabled(AUTOCOMPLETE_MISSING, sourceContext) ||
+      !isHtmlContent(responseHeaders)
+    ) {
       return;
     }
 
@@ -72,7 +88,10 @@ module.exports = function(core) {
     const instructions = [];
 
     // de-dupe; this will be re-emitted for parseableBody handlers anyway
-    if (isParseableResponse(responseHeaders) && !responseBody) {
+    if (
+      !isEnabled(CACHE_CONTROLS_MISSING, sourceContext) ||
+      (isParseableResponse(responseHeaders) && !responseBody)
+    ) {
       return;
     }
     const cacheControlHeader = responseHeaders['cache-control'];
@@ -118,6 +137,8 @@ module.exports = function(core) {
   };
 
   responseScanning.handleClickJackingControlsMissing = function(sourceContext, { responseHeaders }) {
+    if (!isEnabled(CLICKJACKING_CONTROL_MISSING, sourceContext)) return;
+
     // look for x-frame-options headers with deny or sameorigin
     const xFrameHeaders = responseHeaders['x-frame-options'];
     let hasFrameBusting = false;
@@ -135,6 +156,8 @@ module.exports = function(core) {
   };
 
   responseScanning.handleParameterPollution = function(sourceContext, { responseBody }) {
+    if (!isEnabled(PARAMETER_POLLUTION, sourceContext)) return;
+
     // look for form tag with missing action attribute.
     // ex: <form method="post">..
     const elements = getElements('form', responseBody);
@@ -154,21 +177,23 @@ module.exports = function(core) {
   };
 
   /**
- * Checks the response headers for the CSP. If found, and insecure, will return
- * the evidence for reporting.
- *
- * @param   {Object}        responseHeaders - HTTP headers object.
- * @returns {Object}                        - Evidence for insecure CSP header.
- */
+   * Checks the response headers for the CSP. If found, and insecure, will return
+   * the evidence for reporting.
+   *
+   * @param   {Object}        responseHeaders - HTTP headers object.
+   * @returns {Object}                        - Evidence for insecure CSP header.
+   */
   responseScanning.handleCspHeader = function(sourceContext, { responseHeaders }) {
     const cspHeaders = getCspHeaders(responseHeaders);
 
     // Don't report if not set; this report belongs to 'csp-header-missing'
-    if (!cspHeaders) {
+    if (!cspHeaders && isEnabled(CSP_HEADER_MISSING, sourceContext)) {
       reportFindings(sourceContext, { ruleId: ResponseScanningRule.CSP_HEADER_MISSING });
       return;
     }
 
+    if (!isEnabled(CSP_HEADER_INSECURE, sourceContext)) return;
+
     const vulnerabilityMetadata = checkCspSources(cspHeaders);
 
     if (vulnerabilityMetadata.insecure) {
@@ -189,6 +214,8 @@ module.exports = function(core) {
   };
 
   responseScanning.handleHstsHeaderMissing = function(sourceContext, { responseHeaders }) {
+    if (!isEnabled(HSTS_HEADER_MISSING, sourceContext)) return;
+
     let header = responseHeaders['strict-transport-security'];
     let maxAge;
 
@@ -219,6 +246,8 @@ module.exports = function(core) {
   };
 
   responseScanning.handleXContentTypeHeaderMissing = function(sourceContext, { responseHeaders }) {
+    if (!isEnabled(XCONTENTTYPE_HEADER_MISSING, sourceContext)) return;
+
     const headerName = 'x-content-type-options';
     let header = responseHeaders[headerName];
 
@@ -237,44 +266,42 @@ module.exports = function(core) {
     });
   };
 
-  // NODE-3135
   responseScanning.handleXPoweredByHeader = function(sourceContext, { responseHeaders }) {
+    if (!isEnabled(X_POWERED_BY_HEADER, sourceContext)) return;
+
     const headerName = 'x-powered-by';
     let header = responseHeaders[headerName];
 
     if (header) {
       header = toLowerCase(header);
 
-      const instructions = [
-        {
-          type: 'Header',
-          name: headerName,
-          value: header
-        }
-      ];
-
       reportFindings(sourceContext, {
         ruleId: ResponseScanningRule.X_POWERED_BY_HEADER,
         vulnerabilityMetadata: {
-          data: JSON.stringify(instructions)
+          platform: header,
         }
       });
     }
   };
 
   responseScanning.handleXxsProtectionHeaderDisabled = function(sourceContext, { responseHeaders }) {
-    const header = responseHeaders['x-xss-protection'];
+    if (!isEnabled(XXSPROTECTION_HEADER_DISABLED, sourceContext)) return;
 
-    if (header?.startsWith?.('1')) return;
+    const header = responseHeaders['x-xss-protection'];
 
-    reportFindings(sourceContext, {
-      ruleId: ResponseScanningRule.XXSPROTECTION_HEADER_DISABLED,
-      vulnerabilityMetadata: {
-        data: header,
-      }
-    });
+    if (header && !header.startsWith('1')) {
+      reportFindings(sourceContext, {
+        ruleId: ResponseScanningRule.XXSPROTECTION_HEADER_DISABLED,
+        vulnerabilityMetadata: {
+          data: header,
+        }
+      });
+    }
   };
 
+  function isEnabled(ruleId, sourceContext) {
+    return !!sourceContext?.policy?.enabledRules?.has?.(ruleId);
+  }
+
   return responseScanning;
 };
-

package/lib/response-scanning/install/http.js

@@ -17,12 +17,17 @@
 
 const { split, substring, toLowerCase, trim } = require('@contrast/common');
 
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ * }} core
+ */
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    scopes: { sources },
     assess: {
+      getSourceContext,
       responseScanning: {
         handleAutoCompleteMissing,
         handleCacheControlsMissing,
@@ -36,6 +41,7 @@ module.exports = function(core) {
       }
     }
   } = core;
+
   const http = core.assess.responseScanning.httpInstrumentation = {};
 
   function parseHeaders(rawHeaders) {
@@ -90,7 +96,7 @@ module.exports = function(core) {
           name,
           patchType,
           post(data) {
-            const sourceContext = sources.getStore()?.assess;
+            const sourceContext = getSourceContext();
             if (!sourceContext) return;
 
             const evaluationContext = {
@@ -108,7 +114,7 @@ module.exports = function(core) {
           name,
           patchType,
           post(data) {
-            const sourceContext = sources.getStore()?.assess;
+            const sourceContext = getSourceContext();
             if (!sourceContext) return;
 
             const evaluationContext = {
@@ -130,7 +136,7 @@ module.exports = function(core) {
           name,
           patchType,
           post(data) {
-            const sourceContext = sources.getStore()?.assess;
+            const sourceContext = getSourceContext();
             if (!sourceContext) return;
 
             const headersSymbol = Object.getOwnPropertySymbols(data.obj).find(symbol => symbol.toString().includes('headers'));
@@ -149,7 +155,7 @@ module.exports = function(core) {
           name,
           patchType,
           post(data) {
-            const sourceContext = sources.getStore()?.assess;
+            const sourceContext = getSourceContext();
             if (!sourceContext) return;
 
             const headersSymbol = Object.getOwnPropertySymbols(data.result).find(symbol => symbol.toString().includes('headers'));
@@ -182,7 +188,7 @@ module.exports = function(core) {
                   name: 'Http2Stream.write',
                   patchType,
                   post(data) {
-                    const sourceContext = sources.getStore()?.assess;
+                    const sourceContext = getSourceContext();
                     if (!sourceContext) return;
 
                     const evaluationContext = {
@@ -198,7 +204,7 @@ module.exports = function(core) {
                   name: 'Http2Stream.end',
                   patchType,
                   post(data) {
-                    const sourceContext = sources.getStore()?.assess;
+                    const sourceContext = getSourceContext();
                     if (!sourceContext) return;
 
                     const evaluationContext = {

package/lib/rule-scopes.js

@@ -0,0 +1,48 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { AsyncLocalStorage } = require('async_hooks');
+/**
+ * @param {Object} core
+ * @param {import('@contrast/assess').Assess} core.assess
+ */
+module.exports = function (core) {
+
+  /** @type {Map<Rule,AsyncLocalStorage>} */
+  const scopes = new Map();
+  /** @type {{locked:boolean}}*/
+  const store = Object.freeze({ locked: true });
+
+  return core.assess.ruleScopes = {
+    /**
+     * @param {import('@contrast/common').Rule} ruleId
+     * @param {functionn} cb
+     */
+    run(ruleId, cb) {
+      if (!scopes.has(ruleId)) scopes.set(ruleId, new AsyncLocalStorage());
+      return scopes.get(ruleId).run(store, cb);
+    },
+
+    /**
+     * @param {Rule} ruleId
+     */
+    isLocked(ruleId) {
+      return !!scopes.get(ruleId)?.getStore?.()?.locked;
+    }
+  };
+
+};

package/lib/session-configuration/handlers.js

@@ -27,9 +27,10 @@ module.exports = function (core) {
   } = core;
 
   const checkCookieValue = (ruleId, sinkEvent, cookieValue, sourceContext) => {
-    if (cookieValue.includes(ruleId === HTTPONLY ? 'httponly' : 'secure')) {
-      return;
-    }
+    if (
+      !sourceContext.policy?.enabledRules?.has(ruleId) ||
+      cookieValue.includes(ruleId === HTTPONLY ? 'httponly' : 'secure')
+    ) return;
 
     sessionConfiguration.reportFindings(sourceContext, {
       ruleId,

package/lib/session-configuration/install/express-session.js

@@ -18,9 +18,16 @@ const util = require('util');
 const { toLowerCase } = require('@contrast/common');
 const { patchType } = require('../common');
 
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  scopes: import('@contrast/scopes').Scopes,
+ * }} core
+ */
 module.exports = function (core) {
   const {
     assess: {
+      getSourceContext,
       eventFactory: { createSessionEvent },
       sessionConfiguration: {
         handleHttpOnly,
@@ -29,7 +36,6 @@ module.exports = function (core) {
     },
     depHooks,
     patcher,
-    scopes: { sources },
   } = core;
 
   const expressSession = core.assess.sessionConfiguration.expressSession = {};
@@ -100,7 +106,7 @@ module.exports = function (core) {
             pre(data) {
               const [, res] = data.args;
 
-              const sourceContext = sources.getStore()?.assess;
+              const sourceContext = getSourceContext();
               if (!sourceContext) return;
 
               patcher.patch(res, 'setHeader', {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.17.0",
+  "version": "1.19.0",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -17,7 +17,7 @@
     "test": "../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.15.1",
+    "@contrast/common": "1.16.0",
     "@contrast/distringuish": "^4.4.0",
     "@contrast/scopes": "1.4.0"
   }