@contrast/assess 1.18.0 → 1.19.0

package/lib/constants.js

@@ -0,0 +1,26 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const InstrumentationType = {
+  SOURCE: 'source',
+  PROPAGATOR: 'propagator',
+  RULE: 'rule',
+};
+
+module.exports = {
+  InstrumentationType,
+};

package/lib/crypto-analysis/common.js

@@ -0,0 +1,20 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+module.exports = {
+  PATCH_TYPE: 'assess-cryptographic-analysis',
+};

package/lib/crypto-analysis/index.js

@@ -0,0 +1,44 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const {
+  Event,
+  callChildComponentMethodsSync,
+} = require('@contrast/common');
+
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  messages: import('@contrast/common').Messages,
+ * }} core
+ */
+module.exports = function(core) {
+  const cryptoAnalysis = core.assess.cryptoAnalysis = {
+    installers: {},
+    install() {
+      callChildComponentMethodsSync(cryptoAnalysis.installers, 'install');
+    },
+    report(event) {
+      core.messages.emit(Event.ASSESS_CRYPTO_ANALYSIS_FINDING, event);
+    },
+  };
+
+  require('./install/crypto')(core);
+  require('./install/math')(core);
+
+  return cryptoAnalysis;
+};

package/lib/crypto-analysis/install/crypto.js

@@ -0,0 +1,151 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { inspect } = require('util');
+const {
+  Rule,
+  isString,
+  toLowerCase,
+} = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../constants');
+const { PATCH_TYPE: patchType } = require('../common');
+
+const SAFE_HASH_ALGORITHMS = new Set([
+  'RSA-SHA1-2',
+  'RSA-SHA224',
+  'RSA-SHA256',
+  'RSA-SHA384',
+  'RSA-SHA512',
+  'sha224',
+  'sha224WithRSAEncryption',
+  'sha256',
+  'sha256WithRSAEncryption',
+  'sha384',
+  'sha384WithRSAEncryption',
+  'sha512'
+]);
+const SAFE_HASH_LIBS = ['etag', 'browserify', 'deps-sort'];
+const SAFE_CIPHER_ALGORITHM_PREFIXES = ['des-ede', 'id-aes', 'aes', 'rsa'];
+
+/**
+ * @param {{
+ *  config: import('@contrast/config').Config,
+ *  assess: import('@contrast/assess').Assess,
+ * }} core
+ */
+module.exports = function(core) {
+  const {
+    config,
+    depHooks,
+    logger,
+    patcher,
+    assess: {
+      eventFactory,
+      cryptoAnalysis,
+      getSourceContext,
+    },
+  } = core;
+
+  const installer = core.assess.cryptoAnalysis.installers.crypto = {
+    install() {
+      depHooks.resolve({ name: 'crypto' }, (_export) => {
+        patcher.patch(_export, 'createHash', {
+          name: 'crypto.createHash',
+          patchType,
+          post(data) {
+            const [alg] = data.args;
+
+            if (
+              !isString(alg) ||
+              !getSourceContext(RULE, Rule.CRYPTO_BAD_MAC) ||
+              SAFE_HASH_ALGORITHMS.has(alg)
+            ) return;
+
+            const event = eventFactory.createCryptoAnalysisEvent({
+              args: [{ tracked: false, value: alg }],
+              context: `crypto.createHash(${inspect(alg)})`,
+              methodName: 'createHash',
+              moduleName: 'crypto',
+              name: 'crypto.createHash',
+              object: { tracked: false, value: 'crypto' },
+              result: { tracked: false, value: 'Hash' },
+              source: 'P0',
+              stacktraceOpts: {
+                constructorOpt: data.hooked,
+              },
+            });
+
+            if (!event) return;
+
+            // check stacktrace for trusted libraries
+            if (config.getEffectiveValue('assess.stacktraces') === 'NONE') {
+              const { stack } = new Error(event.stacktraceOpts);
+              for (const lib of SAFE_HASH_LIBS) {
+                if (stack.indexOf(lib) >= 0) return;
+              }
+            } else {
+              for (const { file } of event.stack) {
+                for (const lib of SAFE_HASH_LIBS) {
+                  logger.trace(`skipping reporting for ${Rule.CRYPTO_BAD_MAC} - trusting ${lib}`);
+                  if (file.indexOf(lib) >= 0) return;
+                }
+              }
+            }
+
+            cryptoAnalysis.report({ finding: event, ruleId: Rule.CRYPTO_BAD_MAC });
+          },
+        });
+
+        for (const method of ['createCipher', 'createCipheriv']) {
+          patcher.patch(_export, method, {
+            name: `crypto.${method}`,
+            patchType,
+            post(data) {
+              const [alg] = data.args;
+              if (!isString(alg) || !getSourceContext(RULE, Rule.CRYPTO_BAD_CIPHERS)) return;
+
+              const algLower = toLowerCase(alg);
+              for (const prefix of SAFE_CIPHER_ALGORITHM_PREFIXES) {
+                if (algLower.indexOf(prefix) === 0) return;
+              }
+
+              const event = eventFactory.createCryptoAnalysisEvent({
+                args: [{ tracked: false, value: alg }],
+                context: `crypto.${method}(${inspect(alg)})`,
+                methodName: method,
+                moduleName: 'crypto',
+                name: `crypto.${method}`,
+                object: { tracked: false, value: 'crypto' },
+                result: { tracked: false, value: 'Cipher' },
+                source: 'P0',
+                stacktraceOpts: {
+                  constructorOpt: data.hooked,
+                }
+              });
+
+              if (!event) return;
+
+              cryptoAnalysis.report({ finding: event, ruleId: Rule.CRYPTO_BAD_CIPHERS });
+            }
+          });
+        }
+      });
+    },
+  };
+
+  return installer;
+};

package/lib/crypto-analysis/install/math.js

@@ -0,0 +1,99 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { Rule } = require('@contrast/common');
+const { InstrumentationType } = require('../../constants');
+const { PATCH_TYPE: patchType } = require('../common');
+
+const { CRYPTO_WEAK_RANDOMNESS: ruleId } = Rule;
+const { RULE } = InstrumentationType;
+
+const SAFE_RANDOM_LIBS = [
+  'node_modules/node-uuid/',
+  'browserify'
+];
+
+/**
+ * @param {{
+ *  config: import('@contrast/config').Config,
+ *  assess: import('@contrast/assess').Assess,
+ * }} core
+ */
+module.exports = function(core) {
+  const {
+    assess: {
+      eventFactory,
+      cryptoAnalysis,
+      getSourceContext,
+    },
+    config,
+    logger,
+    patcher,
+  } = core;
+
+  core.assess.cryptoAnalysis.installers.math = {
+    install() {
+      patcher.patch(Math, 'random', {
+        name: 'global.Math.random',
+        patchType,
+        post(data) {
+          if (!getSourceContext(RULE, ruleId)) return;
+
+          const event = eventFactory.createCryptoAnalysisEvent({
+            args: [],
+            context: 'Math.random()',
+            methodName: 'random',
+            moduleName: 'global.Math',
+            name: 'global.Math.random',
+            object: { tracked: false, value: 'global.Math' },
+            result: { tracked: false, value: `${data.result}` },
+            source: 'A',
+            stacktraceOpts: {
+              constructorOpt: data.hooked,
+            }
+          });
+
+          if (!event) return;
+
+          // check stacktrace for trusted libraries
+          if (config.getEffectiveValue('assess.stacktraces') === 'NONE') {
+            const { stack } = new Error(event.stacktraceOpts);
+            for (const lib of SAFE_RANDOM_LIBS) {
+              if (stack.indexOf(lib) >= 0) return;
+            }
+          } else {
+            for (const { file } of event.stack) {
+              for (const lib of SAFE_RANDOM_LIBS) {
+                if (file.indexOf(lib) >= 0) {
+                  logger.trace(`skipping reporting for ${ruleId} - trusting ${lib}`);
+                  return;
+                }
+              }
+            }
+          }
+
+          cryptoAnalysis.report({ finding: event, ruleId });
+        },
+      });
+    },
+    uninstall() {
+      Math.random = patcher.unwrap(Math.random);
+    },
+  };
+
+  return core.assess.cryptoAnalysis.installers.math;
+};

package/lib/dataflow/propagation/install/JSON/parse.js

@@ -59,8 +59,18 @@ module.exports = function (core) {
 
   function createEvent(data, value, newTags, reviver, strInfo) {
     const method = 'JSON.parse';
+    const eventArgs = [
+      {
+        value: data.args[0],
+        tracked: true,
+      },
+      reviver && {
+        value: reviver.toString(),
+        tracked: false,
+      }
+    ].filter(Boolean);
     return createPropagationEvent({
-      context: method,
+      context: `${method}(${eventArgs.map((arg) => `'${arg.value}'`)})`,
       name: method,
       history: [strInfo],
       moduleName: 'JSON',
@@ -69,16 +79,7 @@ module.exports = function (core) {
         value: inspect(data.obj),
         tracked: false,
       },
-      args: [
-        {
-          value: data.args[0],
-          tracked: true,
-        },
-        reviver && {
-          value: reviver.toString(),
-          tracked: false,
-        },
-      ].filter(Boolean),
+      args: eventArgs,
       result: {
         value,
         tracked: true,

package/lib/dataflow/propagation/install/JSON/stringify.js

@@ -148,7 +148,7 @@ module.exports = function(core) {
         }
       }
 
-      metadata.history.add(metadata[id]);
+      metadata.history.add(metadata.strInfos[id]);
       // replace the canary with the starting quote
       return '"';
     });

package/lib/dataflow/propagation/install/ejs/escape-xml.js

@@ -21,7 +21,7 @@ const {
 const {
   createFullLengthCopyTags
 } = require('../../../tag-utils');
-const { patchType, createModuleLabel } = require('../../common');
+const { patchType } = require('../../common');
 
 module.exports = function(core) {
   const {
@@ -61,7 +61,7 @@ module.exports = function(core) {
               moduleName: 'ejs',
               methodName: 'escapeXML',
               object: {
-                value: `[${createModuleLabel('ejs', version)}].utils`,
+                value: 'ejs.utils',
                 tracked: false
               },
               result: {

package/lib/dataflow/propagation/install/ejs/index.js

@@ -25,6 +25,7 @@ module.exports = function(core) {
   };
 
   require('./escape-xml')(core);
+  require('./template')(core);
 
   return ejsInstrumentation;
 };

package/lib/dataflow/propagation/install/ejs/template.js

@@ -0,0 +1,77 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { EOL } = require('os');
+const { join } = require('@contrast/common');
+const { patchType } = require('../../common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
+
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  logger: import('@contrast/logger').Logger,
+ *  rewriter: import('@contrast/rewriter').Rewriter,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
+module.exports = function(core) {
+  const {
+    assess: { getSourceContext },
+    depHooks,
+    logger,
+    patcher,
+    rewriter,
+  } = core;
+
+  const REWRITE_OPTS = { inject: false, wrap: false };
+  const WRAPPER_PREFIX = join([
+    'function tempWrapper() {',
+    'function __append(s) { if (s !== undefined && s !== null) __output += s }'
+  ], EOL);
+  const WRAPPER_SUFFIX = join([
+    EOL,
+    'return __output;',
+    '}',
+  ], EOL);
+
+  return core.assess.dataflow.propagation.ejsInstrumentation.template = {
+    /**
+     * inject our own rewritten version of __append():
+     *   function __append() { // unrewritten }
+     *   function __append() { // rewritten }
+     */
+    install() {
+      depHooks.resolve({ name: 'ejs', version: '>=2.6.2' }, (_export, version) => {
+        const name = 'ejs.Template.prototype.generateSource';
+        patcher.patch(_export.Template.prototype, 'generateSource', {
+          name,
+          patchType,
+          post(data) {
+            if (!getSourceContext(PROPAGATOR)) return;
+
+            try {
+              const { code } = rewriter.rewrite(`${WRAPPER_PREFIX}${data.obj.source}${WRAPPER_SUFFIX}`, REWRITE_OPTS);
+              data.obj.source = code.substring(code.indexOf('{') + 1, code.lastIndexOf('}'));
+            } catch (err) {
+              logger.error({ err, source: data.obj.source }, 'error occurred while rewriting ejs source');
+            }
+          }
+        });
+      });
+    },
+  };
+};

package/lib/dataflow/propagation/install/util-format.js

@@ -16,7 +16,7 @@
 'use strict';
 
 const { patchType } = require('../common');
-const { inspect, isString } = require('@contrast/common');
+const { isString } = require('@contrast/common');
 const { createAppendTags } = require('../../tag-utils');
 
 module.exports = function(core) {
@@ -47,7 +47,13 @@ module.exports = function(core) {
             const history = [];
             const eventArgs = [];
             const formatChars = args[0].includes('%') ? args[0].match(/[^%]+/g).map((x) => x[0]) : [];
-            let i = formatChars.length > 0 ? 1 : 0;
+            let i = 0;
+
+            if (formatChars.length > 0) {
+              i = 1;
+              eventArgs.push({ value: args[0], tracked: false });
+            }
+
             for (i; i < args.length; i++) {
               let arg = args[i];
               const formatChar = formatChars[i - 1];
@@ -80,7 +86,7 @@ module.exports = function(core) {
               name,
               moduleName: 'util',
               methodName: 'format',
-              context: `util.format(${inspect(args.join(', '))})`,
+              context: `util.format(${eventArgs.map((arg) => `'${arg.value}'`)})`,
               object: {
                 value: 'util',
                 tracked: false

package/lib/dataflow/sinks/install/child-process.js

@@ -17,19 +17,25 @@
 const {
   DataflowTag: { UNTRUSTED },
   join,
-  Rule,
+  Rule: { CMD_INJECTION: ruleId },
   isString,
   inspect,
 } = require('@contrast/common');
-
+const { InstrumentationType: { RULE } } = require('../../../constants');
 const { patchType } = require('../common');
 
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+*/
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    scopes: { sources },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -92,7 +98,7 @@ module.exports = function(core) {
 
     if (event) {
       reportFindings({
-        ruleId: Rule.CMD_INJECTION,
+        ruleId,
         sinkEvent: event,
       });
 
@@ -178,7 +184,7 @@ module.exports = function(core) {
 
     if (event) {
       reportFindings({
-        ruleId: Rule.CMD_INJECTION,
+        ruleId,
         sinkEvent: event,
       });
     }
@@ -193,10 +199,10 @@ module.exports = function(core) {
             name,
             patchType,
             pre(data) {
-              const store = sources.getStore()?.assess;
-              const [command] = data.args;
+              if (!getSourceContext(RULE, ruleId)) return;
 
-              if (!store || !command || !isString(command)) return;
+              const [command] = data.args;
+              if (!command || !isString(command)) return;
 
               const cpArgs = Array.isArray(data.args[1]) && data.args[1];
               const options = cpArgs ? data.args[2] : data.args[1];
@@ -233,10 +239,10 @@ module.exports = function(core) {
             name,
             patchType,
             pre(data) {
-              const store = sources.getStore()?.assess;
-              const [command, secondArg, thirdArg] = data.args;
+              if (!getSourceContext(RULE, ruleId)) return;
 
-              if (!store || !command || !isString(command)) return;
+              const [command, secondArg, thirdArg] = data.args;
+              if (!command || !isString(command)) return;
 
               commandCheck(
                 name,
@@ -257,10 +263,10 @@ module.exports = function(core) {
             name,
             patchType,
             pre(data) {
-              const store = sources.getStore()?.assess;
-              const [command] = data.args;
+              if (!getSourceContext(RULE, ruleId)) return;
 
-              if (!store || !command || !isString(command)) return;
+              const [command] = data.args;
+              if (!command || !isString(command)) return;
 
               const cpArgs = Array.isArray(data.args[1]) && data.args[1];
               const options = cpArgs ? data.args[2] : data.args[1];

package/lib/dataflow/sinks/install/eval.js

@@ -25,8 +25,9 @@ const {
     CUSTOM_VALIDATED,
     LIMITED_CHARS,
   },
-  Rule: { UNSAFE_CODE_EXECUTION },
+  Rule: { UNSAFE_CODE_EXECUTION: ruleId },
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
 const { patchType, filterSafeTags } = require('../common');
 
 const safeTags = [
@@ -37,13 +38,21 @@ const safeTags = [
   LIMITED_CHARS,
 ];
 
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ *  logger: import('@contrast/logger').Logger,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+*/
 module.exports = function (core) {
   const {
     config,
     logger,
     patcher,
-    scopes: { sources, instrumentation },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -63,19 +72,12 @@ module.exports = function (core) {
         name: 'global.ContrastMethods.eval',
         patchType,
         pre({ args, orig }) {
-          const store = sources.getStore()?.assess;
+          if (!getSourceContext(RULE, ruleId)) return;
+
           const script = args[0];
-          if (
-            !store ||
-            instrumentation.isLocked() ||
-            !script ||
-            !isString(script)
-          ) {
-            return;
-          }
+          if (!script || !isString(script)) return;
 
           const strInfo = tracker.getData(script);
-
           if (!strInfo) return;
 
           const isArgVulnerable = isVulnerable(
@@ -93,7 +95,7 @@ module.exports = function (core) {
 
             reportSafePositive({
               name: 'eval',
-              ruleId: UNSAFE_CODE_EXECUTION,
+              ruleId,
               safeTags: foundSafeTags,
               strInfo: safeStrInfo,
             });
@@ -120,7 +122,7 @@ module.exports = function (core) {
 
             if (event) {
               reportFindings({
-                ruleId: UNSAFE_CODE_EXECUTION,
+                ruleId,
                 sinkEvent: event,
               });
             }