@contrast/assess 1.18.0 → 1.19.0

package/lib/dataflow/sinks/install/mysql.js

@@ -17,8 +17,7 @@
 
 const { patchType } = require('../common');
 const {
-  Rule: { SQL_INJECTION },
-  isString,
+  Rule: { SQL_INJECTION: ruleId },
   DataflowTag: {
     CUSTOM_ENCODED_SQL_INJECTION,
     CUSTOM_ENCODED,
@@ -28,8 +27,10 @@ const {
     LIMITED_CHARS,
     UNTRUSTED
   },
-  inspect
+  isString,
+  inspect,
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
 
 const safeTags = [
   CUSTOM_ENCODED_SQL_INJECTION,
@@ -40,12 +41,19 @@ const safeTags = [
   LIMITED_CHARS,
 ];
 
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    scopes: { sources },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -65,11 +73,10 @@ module.exports = function(core) {
   }
 
   const pre = (module, file, obj, method) => (data) => {
-    const store = sources.getStore()?.assess;
     if (
-      !store ||
+      !getSourceContext(RULE, ruleId) ||
       !data.args[0] ||
-      isLocked(SQL_INJECTION)
+      isLocked(ruleId)
     ) return;
 
     const val = getValueFromArgs(data.args);
@@ -106,7 +113,7 @@ module.exports = function(core) {
 
     if (event) {
       reportFindings({
-        ruleId: SQL_INJECTION,
+        ruleId,
         sinkEvent: event,
       });
     }

package/lib/dataflow/sinks/install/node-serialize.js

@@ -15,21 +15,29 @@
 
 'use strict';
 
-const { patchType } = require('../common');
 const {
-  Rule: { UNTRUSTED_DESERIALIZATION },
+  Rule: { UNTRUSTED_DESERIALIZATION: ruleId },
   isString,
   DataflowTag: {
     UNTRUSTED
   }
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
+const { patchType } = require('../common');
 
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    scopes: { sources, instrumentation },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -45,23 +53,13 @@ module.exports = function(core) {
           name: 'node-serialize.unserialize',
           patchType,
           pre(data) {
-            const store = sources.getStore()?.assess;
-            if (
-              !store ||
-              !data.args[0] ||
-              instrumentation.isLocked()
-            ) return;
+            if (!getSourceContext(RULE, ruleId) || !data.args[0]) return;
 
             const [input] = data.args;
-
-            if (!isString(input)) {
-              return;
-            }
+            if (!isString(input)) return;
 
             const strInfo = tracker.getData(input);
-            if (!strInfo || !isVulnerable(UNTRUSTED, [], strInfo.tags)) {
-              return;
-            }
+            if (!strInfo || !isVulnerable(UNTRUSTED, [], strInfo.tags)) return;
 
             const sinkEvent = createSinkEvent({
               name: 'node-serialize.unserialize',
@@ -89,7 +87,7 @@ module.exports = function(core) {
 
             if (sinkEvent) {
               reportFindings({
-                ruleId: UNTRUSTED_DESERIALIZATION,
+                ruleId,
                 sinkEvent,
               });
             }

package/lib/dataflow/sinks/install/postgres.js

@@ -17,19 +17,33 @@
 
 const util = require('util');
 const {
-  DataflowTag: { UNTRUSTED, SQL_ENCODED, LIMITED_CHARS, CUSTOM_VALIDATED, CUSTOM_ENCODED },
+  DataflowTag: {
+    CUSTOM_VALIDATED,
+    CUSTOM_ENCODED,
+    LIMITED_CHARS,
+    SQL_ENCODED,
+    UNTRUSTED,
+  },
   Rule: { SQL_INJECTION: ruleId },
   isString,
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
 const { filterSafeTags, patchType } = require('../common');
 
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
 module.exports = function(core) {
   const {
     config,
     depHooks,
     patcher,
-    scopes: { sources },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -50,8 +64,7 @@ module.exports = function(core) {
   const postgres = core.assess.dataflow.sinks.postgres = {};
 
   const preHook = (methodSignature) => (data) => {
-    const assessStore = sources.getStore()?.assess;
-    if (!assessStore || isLocked(ruleId)) return;
+    if (!getSourceContext(RULE, ruleId) || isLocked(ruleId)) return;
 
     const [arg0] = data.args;
     const query = arg0?.text || arg0;

package/lib/dataflow/sinks/install/sequelize.js

@@ -17,7 +17,7 @@
 
 const util = require('util');
 const {
-  Rule: { SQL_INJECTION },
+  Rule: { SQL_INJECTION: ruleId },
   DataflowTag: {
     UNTRUSTED,
     SQL_ENCODED,
@@ -26,15 +26,23 @@ const {
     CUSTOM_ENCODED,
   },
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
 const { patchType, filterSafeTags } = require('../common');
 
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
     config,
-    scopes: { sources },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -61,10 +69,9 @@ module.exports = function(core) {
         name: sequelizeQueryPatchName,
         patchType,
         around(next, data) {
-          const { args, hooked, orig } = data;
-          const sourceContext = sources.getStore()?.assess;
-          if (!sourceContext || !args[0]) return next();
+          if (!getSourceContext(RULE, ruleId) || !data.args[0]) return next();
 
+          const { args, hooked, orig } = data;
           const query = typeof args[0] === 'string' ? args[0] : args[0].query;
 
           try {
@@ -74,7 +81,7 @@ module.exports = function(core) {
             if (queryInfo && !isVulnerableQuery && config.assess.safe_positives.enable) {
               reportSafePositive({
                 name: sequelizeQueryPatchName,
-                ruleId: SQL_INJECTION,
+                ruleId,
                 safeTags: filterSafeTags(safeTags, queryInfo),
                 strInfo: {
                   value: queryInfo?.value,
@@ -87,7 +94,7 @@ module.exports = function(core) {
               !queryInfo ||
               !isVulnerableQuery
             ) {
-              return runInActiveSink(SQL_INJECTION, async () => await next());
+              return runInActiveSink(ruleId, async () => await next());
             }
 
             const sqlValue =
@@ -122,7 +129,7 @@ module.exports = function(core) {
 
             if (event) {
               reportFindings({
-                ruleId: SQL_INJECTION,
+                ruleId,
                 sinkEvent: event,
               });
             }
@@ -134,7 +141,7 @@ module.exports = function(core) {
             );
           }
 
-          return runInActiveSink(SQL_INJECTION, async () => await next());
+          return runInActiveSink(ruleId, async () => await next());
         },
       });
     });

package/lib/dataflow/sinks/install/sqlite3.js

@@ -17,10 +17,17 @@
 
 const { patchType } = require('../common');
 const {
-  DataflowTag: { UNTRUSTED, SQL_ENCODED, LIMITED_CHARS, CUSTOM_VALIDATED, CUSTOM_ENCODED },
-  Rule: { SQL_INJECTION },
+  DataflowTag: {
+    CUSTOM_VALIDATED,
+    CUSTOM_ENCODED,
+    LIMITED_CHARS,
+    SQL_ENCODED,
+    UNTRUSTED,
+  },
+  Rule: { SQL_INJECTION: ruleId },
   isString
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
 
 const safeTags = [
   SQL_ENCODED,
@@ -29,12 +36,19 @@ const safeTags = [
   CUSTOM_ENCODED,
 ];
 
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    scopes: { sources },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -44,12 +58,11 @@ module.exports = function(core) {
   } = core;
 
   const pre = (name, method) => (data) => {
-    const store = sources.getStore()?.assess;
     if (
-      !store ||
+      !getSourceContext(RULE, ruleId) ||
       !data.args[0] ||
       !isString(data.args[0]) ||
-      isLocked(SQL_INJECTION)
+      isLocked(ruleId)
     ) return;
 
     const strInfo = tracker.getData(data.args[0]);
@@ -83,7 +96,7 @@ module.exports = function(core) {
 
     if (event) {
       reportFindings({
-        ruleId: SQL_INJECTION,
+        ruleId,
         sinkEvent: event,
       });
     }

package/lib/dataflow/sinks/install/vm.js

@@ -16,7 +16,6 @@
 'use strict';
 const { patchType, filterSafeTags } = require('../common');
 const {
-  isString,
   DataflowTag: {
     UNTRUSTED,
     CUSTOM_ENCODED_TRUST_BOUNDARY_VIOLATION,
@@ -25,14 +24,17 @@ const {
     CUSTOM_VALIDATED,
     LIMITED_CHARS,
   },
-  Rule: { UNSAFE_CODE_EXECUTION },
-  isNonEmptyObject,
+  Rule: { UNSAFE_CODE_EXECUTION: ruleId },
   inspect,
-  traverseValues,
+  isNonEmptyObject,
+  isString,
   join,
   split,
+  traverseValues,
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
 const { createAdjustedQueryTags } = require('../../tag-utils');
+
 const safeTags = [
   CUSTOM_ENCODED_TRUST_BOUNDARY_VIOLATION,
   CUSTOM_ENCODED,
@@ -41,13 +43,20 @@ const safeTags = [
   LIMITED_CHARS,
 ];
 
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
 module.exports = function (core) {
   const {
     config,
     depHooks,
     patcher,
-    scopes: { sources, instrumentation },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -133,14 +142,7 @@ module.exports = function (core) {
   }
 
   function around(next, { args: origArgs, hooked, orig, name }) {
-    const store = sources.getStore()?.assess;
-    if (
-      !store ||
-      instrumentation.isLocked() ||
-      isLocked(UNSAFE_CODE_EXECUTION)
-    ) {
-      return next();
-    }
+    if (!getSourceContext(RULE, ruleId) || isLocked(ruleId)) return next();
 
     const methodPath = split(name, '.');
     const method = methodPath[methodPath.length - 1];
@@ -189,13 +191,13 @@ module.exports = function (core) {
 
       reportSafePositive({
         name,
-        ruleId: UNSAFE_CODE_EXECUTION,
+        ruleId,
         safeTags: Array.from(foundSafeTags),
         strInfo,
       });
 
       return name === 'vm.runInNewContext'
-        ? runInActiveSink(UNSAFE_CODE_EXECUTION, () => next())
+        ? runInActiveSink(ruleId, () => next())
         : next();
     }
 
@@ -233,14 +235,14 @@ module.exports = function (core) {
 
       if (event) {
         reportFindings({
-          ruleId: UNSAFE_CODE_EXECUTION,
+          ruleId,
           sinkEvent: event,
         });
       }
     }
 
     return name === 'vm.runInNewContext'
-      ? runInActiveSink(UNSAFE_CODE_EXECUTION, () => next())
+      ? runInActiveSink(ruleId, () => next())
       : next();
   }
 

package/lib/dataflow/sources/install/http.js

@@ -17,12 +17,17 @@
 const { patchType } = require('../common');
 const { toLowerCase, InputType } = require('@contrast/common');
 
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ * }} core
+ */
 module.exports = function(core) {
   const {
-    scopes,
+    assess: { dataflow, makeSourceContext },
     instrumentation: { instrument },
-    assess: { dataflow },
     patcher,
+    scopes,
   } = core;
 
   const logger = core.logger.child('contrast:assess');
@@ -34,19 +39,20 @@ module.exports = function(core) {
   function around(next, data) {
     const [type] = data.args;
 
-    if (type !== 'request') {
-      return next();
-    }
+    if (type !== 'request') return next();
 
     try {
       const [, req, res] = data.args;
       const store = scopes.sources.getStore();
 
       if (!store) {
-        logger.debug('cannot acquire store for assess request handling');
-        return next();
+        // this would indicate that sources did not install correctly
+        throw new Error('async request store not found');
       }
 
+      store.assess = makeSourceContext(req, res);
+      if (!store.assess) return;
+
       patcher.patch(res, 'writeHead', {
         name: 'write-head',
         patchType,
@@ -86,27 +92,7 @@ module.exports = function(core) {
         });
       }
 
-      let uriPath, queries;
-      const ix = req.url.indexOf('?');
-
-      if (ix >= 0) {
-        uriPath = req.url.slice(0, ix);
-        queries = req.url.slice(ix + 1);
-      } else {
-        uriPath = req.url;
-        queries = '';
-      }
-
-      const headers = {};
       const sourceName = 'ClientRequest';
-
-      store.assess = {
-        responseData: {},
-        sourceEventsCount: 0,
-        propagationEventsCount: 0,
-        findings: {},
-      };
-
       const sourceInfo = {
         name: sourceName,
         stacktraceOpts: {
@@ -141,24 +127,10 @@ module.exports = function(core) {
 
       for (let i = 0; i < req.rawHeaders.length; i += 2) {
         const header = toLowerCase(req.rawHeaders[i]);
-        headers[header] = req.rawHeaders[i + 1];
         req.rawHeaders[i + 1] = req.headers[header];
       }
-
-      const contentType = headers['content-type'] && toLowerCase(headers['content-type']);
-
-      store.assess.reqData = {
-        ip: req.socket.remoteAddress,
-        httpVersion: req.httpVersion,
-        method: req.method,
-        headers,
-        uriPath,
-        queries,
-        contentType,
-      };
-
     } catch (err) {
-      logger.error({ err }, 'Error during assess request handling');
+      logger.error({ err }, 'Error during Assess request handling');
     }
 
     setImmediate(() => {

package/lib/dataflow/sources/install/koa/index.js

@@ -22,6 +22,7 @@ module.exports = function(core) {
 
   require('./koa2')(core);
   require('./koa-bodyparsers')(core);
+  require('./koa-multer')(core);
   require('./koa-routers')(core);
 
   koaSources.install = function install() {

package/lib/dataflow/sources/install/koa/koa-multer.js

@@ -0,0 +1,102 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+const { patchType } = require('../../common');
+const { InputType } = require('@contrast/common');
+
+module.exports = (core) => {
+  const {
+    depHooks,
+    logger,
+    patcher,
+    scopes,
+    assess: { dataflow: { sources } },
+  } = core;
+
+  function handler(req, constructorOpt) {
+    const sourceContext = scopes.sources.getStore()?.assess;
+    if (!sourceContext) return;
+
+    function handle(context, data, key) {
+      try {
+        sources.handle({
+          context,
+          data,
+          keys: [key],
+          name: 'multer',
+          inputType: InputType.BODY,
+          sourceContext,
+          stacktraceOpts: {
+            constructorOpt,
+          },
+        });
+      } catch (err) {
+        logger.error({ err }, 'error handling Koa multer Assess dataflow %s.%s source', context, key);
+      }
+    }
+
+    if (req.file) {
+      handle('req', req, 'file');
+    }
+
+    if (Array.isArray(req.files)) {
+      for (let i = 0; i < req.files.length; i++) {
+        handle('req.files', req.files[i], i);
+      }
+    }
+
+    if (req.body && Object.keys(req.body).length) {
+      handle('req', req, 'body');
+    }
+  }
+
+  function install() {
+    ['koa-multer', '@koa/multer'].forEach((name) => {
+      depHooks.resolve(
+        { name }, (_export) => {
+          const origMulter = _export;
+          return patcher.patch(_export, {
+            name,
+            patchType,
+            post(data) {
+              const { args, hooked } = data;
+              const instance = origMulter.apply(this, args);
+              const origMake = instance._makeMiddleware;
+              instance._makeMiddleware = function _makeMiddleware(...args) {
+                const origMulterMiddleware = origMake.apply(this, args);
+                return function multerMiddleware(req, res, origNext) {
+
+                  const next = function(...args) {
+                    handler(req, hooked);
+                    return origNext.apply(this, args);
+                  };
+                  return origMulterMiddleware.apply(this, [req, res, next]);
+                };
+              };
+              data.result = instance;
+            }
+          });
+        }
+      );
+    });
+  }
+
+  const koaMulterInstrumentation = sources.koaInstrumentation.koaMulter = {
+    install
+  };
+
+  return koaMulterInstrumentation;
+};