npm - @contrast/assess - Versions diffs - 1.18.0 → 1.19.0 - Mend

@contrast/assess 1.18.0 → 1.19.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (47) hide show

package/lib/constants.js +26 -0
package/lib/crypto-analysis/common.js +20 -0
package/lib/crypto-analysis/index.js +44 -0
package/lib/crypto-analysis/install/crypto.js +151 -0
package/lib/crypto-analysis/install/math.js +99 -0
package/lib/dataflow/propagation/install/JSON/parse.js +12 -11
package/lib/dataflow/propagation/install/JSON/stringify.js +1 -1
package/lib/dataflow/propagation/install/ejs/escape-xml.js +2 -2
package/lib/dataflow/propagation/install/ejs/index.js +1 -0
package/lib/dataflow/propagation/install/ejs/template.js +77 -0
package/lib/dataflow/propagation/install/util-format.js +9 -3
package/lib/dataflow/sinks/install/child-process.js +20 -14
package/lib/dataflow/sinks/install/eval.js +16 -14
package/lib/dataflow/sinks/install/express/unvalidated-redirect.js +14 -8
package/lib/dataflow/sinks/install/fastify/unvalidated-redirect.js +12 -5
package/lib/dataflow/sinks/install/fs.js +7 -7
package/lib/dataflow/sinks/install/function.js +8 -12
package/lib/dataflow/sinks/install/http/request.js +16 -8
package/lib/dataflow/sinks/install/http/server-response.js +11 -2
package/lib/dataflow/sinks/install/koa/unvalidated-redirect.js +15 -8
package/lib/dataflow/sinks/install/libxmljs.js +15 -10
package/lib/dataflow/sinks/install/marsdb.js +13 -8
package/lib/dataflow/sinks/install/mongodb.js +25 -15
package/lib/dataflow/sinks/install/mssql.js +20 -9
package/lib/dataflow/sinks/install/mysql.js +15 -8
package/lib/dataflow/sinks/install/node-serialize.js +15 -17
package/lib/dataflow/sinks/install/postgres.js +17 -4
package/lib/dataflow/sinks/install/sequelize.js +16 -9
package/lib/dataflow/sinks/install/sqlite3.js +20 -7
package/lib/dataflow/sinks/install/vm.js +19 -17
package/lib/dataflow/sources/install/http.js +14 -42
package/lib/dataflow/sources/install/koa/index.js +1 -0
package/lib/dataflow/sources/install/koa/koa-multer.js +102 -0
package/lib/dataflow/sources/install/multer1.js +25 -51
package/lib/dataflow/sources/install/querystring.js +1 -4
package/lib/event-factory.js +47 -0
package/lib/get-policy.js +68 -0
package/lib/get-source-context.js +62 -0
package/lib/index.d.ts +50 -0
package/lib/index.js +20 -19
package/lib/make-source-context.js +74 -0
package/lib/response-scanning/handlers/index.js +55 -28
package/lib/response-scanning/install/http.js +13 -7
package/lib/rule-scopes.js +48 -0
package/lib/session-configuration/handlers.js +4 -3
package/lib/session-configuration/install/express-session.js +8 -2
package/package.json +2 -2

package/lib/dataflow/sources/install/multer1.js CHANGED Viewed

@@ -23,36 +23,20 @@ module.exports = (core) => {
     depHooks,
     patcher,
     logger,
-    assess,
-    scopes: { wrap },
+    assess: { dataflow: { sources } },
+    scopes,
   } = core;
-  function handleFile(sourceContext, constructorOpt, req) {
-    try {
-      assess.dataflow.sources.handle({
-        context: 'req',
-        data: req,
-        keys: ['file'],
-        name: 'multer',
-        inputType: InputType.BODY,
-        sourceContext,
-        stacktraceOpts: {
-          constructorOpt,
-        },
-      });
-    } catch (err) {
-      logger.error({ err }, 'error handling multer Assess dataflow req.file source');
-    }
-  }
+  function handler(req, constructorOpt) {
+    const sourceContext = scopes.sources.getStore()?.assess;
+    if (!sourceContext) return;
-  function handleFiles(sourceContext, constructorOpt, req) {
-    let i;
-    for (i = 0; i < req.files.length; i++) {
+    function handle(context, data, key) {
       try {
-        assess.dataflow.sources.handle({
-          context: 'req.files',
-          data: req.files[i],
-          keys: [i],
+        sources.handle({
+          context,
+          data,
+          keys: [key],
           name: 'multer',
           inputType: InputType.BODY,
           sourceContext,
@@ -61,26 +45,22 @@ module.exports = (core) => {
           },
         });
       } catch (err) {
-        logger.error({ err }, 'error handling multer Assess dataflow req.files[%s] source', i);
+        logger.error({ err }, 'error handling multer Assess dataflow %s.%s source', context, key);
       }
     }
-  }
-  function handleBody(sourceContext, constructorOpt, req) {
-    try {
-      assess.dataflow.sources.handle({
-        context: 'req',
-        data: req,
-        keys: ['body'],
-        name: 'multer',
-        inputType: InputType.BODY,
-        sourceContext,
-        stacktraceOpts: {
-          constructorOpt,
-        },
-      });
-    } catch (err) {
-      logger.error({ err }, 'error handling multer Assess dataflow req.body source');
+    if (req.file) {
+      handle('req', req, 'file');
+    }
+    if (Array.isArray(req.files)) {
+      for (let i = 0; i < req.files.length; i++) {
+        handle('req.files', req.files[i], i);
+      }
+    }
+    if (req.body && Object.keys(req.body).length) {
+      handle('req', req, 'body');
     }
   }
@@ -97,14 +77,8 @@ module.exports = (core) => {
               patchType,
               pre(data) {
                 const [req, , next, hooked] = data.args;
-                const sourceContext = core.scopes.sources.getStore()?.assess;
-                if (!sourceContext) return;
-                data.args[2] = wrap(function (...args) {
-                  if (req.file) handleFile(sourceContext, hooked, req);
-                  if (Array.isArray(req.files)) handleFiles(sourceContext, hooked, req);
-                  if (req.body && Object.keys(req.body).length) handleBody(sourceContext, hooked, req.body);
+                data.args[2] = scopes.wrap(function (...args) {
+                  handler(req, hooked);
                   next(...args);
                 });
               },

package/lib/dataflow/sources/install/querystring.js CHANGED Viewed

@@ -32,10 +32,7 @@ module.exports = (core) => {
             const sourceContext = core.scopes.sources.getStore()?.assess;
             const inputType = InputType.QUERYSTRING;
-            if (!sourceContext) {
-              logger.error({ name }, 'unable to handle source. Missing `sourceContext`');
-              return;
-            }
+            if (!sourceContext) return;
             if (sourceContext.parsedQuery) {
               logger.trace({ name }, 'values already tracked');

package/lib/event-factory.js CHANGED Viewed

@@ -270,5 +270,52 @@ module.exports = function(core) {
     return event;
   };
+  /**
+   * @param {{
+   *  context: string,
+   *  name: string,
+   *  moduleName: string,
+   *  methodName: string,
+   *  object: { value: any, tracked: boolean },
+   *  args: any[],
+   *  result: { value: vany, tracked: boolean },
+   *  source: string,
+   *  stacktraceOpts: { constructorOpt?: Function},
+   * }} data
+   * @returns {any}
+   */
+  eventFactory.createCryptoAnalysisEvent = function(data) {
+    const {
+      name = '',
+      source,
+      stacktraceOpts,
+    } = data;
+    if (!name) {
+      logger.debug({ data }, 'no sink event name');
+      return null;
+    }
+    if (!source || !source.match(annotationRegExp)) {
+      logger.debug({ data }, 'malformed or missing sink event source field');
+      return null;
+    }
+    let stack;
+    if (config.assess.stacktraces !== 'NONE') {
+      stack = createSnapshot(stacktraceOpts)();
+    } else {
+      stack = [];
+    }
+    data.stack = stack;
+    data.time = Date.now();
+    eventFactory.createdEvents.add(data);
+    return data;
+  };
   return eventFactory;
 };

package/lib/get-policy.js ADDED Viewed

@@ -0,0 +1,68 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const {
+  Rule,
+  ResponseScanningRule,
+  SessionConfigurationRule,
+  Event,
+} = require('@contrast/common');
+const rulesIds = Object.values({
+  ...Rule,
+  ...ResponseScanningRule,
+  ...SessionConfigurationRule,
+});
+/**
+ * @param {{
+ *  config: import('@contrast/config').Config,
+ *  logger: import('@contrast/logger').Logger,
+ *  messages: import('@contrast/common').Messages,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
+module.exports = function assess(core) {
+  const { logger, messages } = core;
+  const enabledRules = new Set(rulesIds);
+  messages.on(Event.SERVER_SETTINGS_UPDATE, (msg) => {
+    if (!msg.assess) return;
+    for (const ruleId of rulesIds) {
+      const enable = msg.assess[ruleId]?.enable;
+      if (enable === true) {
+        enabledRules.add(ruleId);
+        if (ruleId === Rule.NOSQL_INJECTION) enabledRules.add(Rule.NOSQL_INJECTION_MONGO);
+      } else if (enable === false) {
+        if (ruleId === Rule.NOSQL_INJECTION) enabledRules.delete(Rule.NOSQL_INJECTION_MONGO);
+        enabledRules.delete(ruleId);
+      }
+    }
+    logger.info({
+      enabledRules: Array.from(enabledRules)
+    }, 'Assess policy updated');
+  });
+  return core.assess.getPolicy = function getPolicy() {
+    // creates copy of local policy for request store
+    return {
+      enabledRules: new Set(enabledRules),
+    };
+  };
+};

package/lib/get-source-context.js ADDED Viewed

@@ -0,0 +1,62 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { InstrumentationType } = require('./constants');
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ *  scopes: import('@contrast/scopes').Scopes,
+ * }} core
+ */
+module.exports = function(core) {
+  const {
+    config,
+    scopes: { sources, instrumentation },
+    assess: { ruleScopes },
+  } = core;
+  /**
+   * @param {import('./constants.js').InstrumentationType} type
+   * @returns {import('@contrast/assess').SourceContext|null} the assess store
+   */
+  return core.assess.getSourceContext = function getSourceContext(type, ...rest) {
+    const ctx = sources.getStore()?.assess;
+    if (!ctx || instrumentation.isLocked()) return null;
+    switch (type) {
+      case InstrumentationType.PROPAGATOR: {
+        if (ctx.propagationEventsCount > config.assess.max_propagation_events) return null;
+        break;
+      }
+      case InstrumentationType.SOURCE: {
+        if (ctx.sourceEventsCount > config.assess.max_context_source_events) return null;
+        break;
+      }
+      case InstrumentationType.RULE: {
+        const [ruleId] = rest;
+        if (!ruleId) break;
+        if (!ctx.policy.enabledRules.has(ruleId) || ruleScopes.isLocked(ruleId)) return null;
+        break;
+      }
+    }
+    return ctx;
+  };
+};

package/lib/index.d.ts ADDED Viewed

@@ -0,0 +1,50 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+import { IncomingMessage, ServerResponse } from 'node:http';
+import { Rule } from '@contrast/common';
+export enum InstrumentationType {
+  SOURCE = 'source',
+  PROPAGATOR = 'propagator',
+  RULE = 'rule',
+}
+export interface SourceContext {
+  reqData: object,
+  responseData: {
+    contentType: string,
+  },
+  policy: {
+    enabledRules: Set<string>,
+  }
+}
+export interface Policy {
+  enabledRules: Set<Rule>,
+}
+export interface RuleScopes {
+  run(ruleId: Rule, cb: void): void;
+  isLocked(ruleId: Rule): boolean;
+}
+export interface Assess {
+  getPolicy(): Policy,
+  getSourceContext(instrType?: InstrumentationType, opts?: any): SourceContext,
+  makeSourceContext(req: IncomingMessage, res: ServerResponse): SourceContext,
+  ruleScopes: RuleScopes,
+}
+export function getSourceContext(instrType?: InstrumentationType, ops?: any): SourceContext;

package/lib/index.js CHANGED Viewed

@@ -16,32 +16,33 @@
 'use strict';
 const { callChildComponentMethodsSync } = require('@contrast/common');
-const sessionConfiguration = require('./session-configuration');
-const dataflow = require('./dataflow');
-const responseScanning = require('./response-scanning');
-const eventFactory = require('./event-factory');
 module.exports = function assess(core) {
-  const assess = core.assess = {};
+  const assess = core.assess = {
+    install() {
+      if (!core.config.getEffectiveValue('assess.enable')) {
+        core.logger.debug('assess is disabled, skipping installation');
+        return;
+      }
+      core.rewriter.install('assess');
+      callChildComponentMethodsSync(core.assess, 'install');
+    },
+  };
-  eventFactory(core);
-  dataflow(core);
-  responseScanning(core);
-  sessionConfiguration(core);
+  require('./rule-scopes')(core);
+  require('./get-policy')(core);
+  require('./make-source-context')(core);
+  require('./get-source-context')(core);
+  require('./event-factory')(core);
+  require('./crypto-analysis')(core);
+  require('./dataflow')(core);
+  require('./response-scanning')(core);
+  require('./session-configuration')(core);
   // todo
   // crypto rule implementations
   // static rule implementations in coordination with (CLI) rewriter
-  assess.install = function() {
-    if (!core.config.getEffectiveValue('assess.enable')) {
-      core.logger.debug('assess is disabled, skipping installation');
-      return;
-    }
-    core.rewriter.install('assess');
-    callChildComponentMethodsSync(core.assess, 'install');
-  };
   return assess;
 };

package/lib/make-source-context.js ADDED Viewed

@@ -0,0 +1,74 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { toLowerCase } = require('@contrast/common');
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  logger: import('@contrast/logger').Logger,
+ * }} core
+ */
+module.exports = function(core) {
+  const {
+    assess: { getPolicy },
+    logger,
+  } = core;
+  return core.assess.makeSourceContext = function (req, res) {
+    let contentType, queries, uriPath;
+    try {
+      const ix = req.url.indexOf('?');
+      if (ix >= 0) {
+        uriPath = req.url.slice(0, ix);
+        queries = req.url.slice(ix + 1);
+      } else {
+        uriPath = req.url;
+        queries = '';
+      }
+      // copy to avoid storing tracked values
+      const headers = { ...req.headers };
+      if (headers['content-type']) {
+        contentType = toLowerCase(headers['content-type']);
+      }
+      return {
+        propagationEventsCount: 0,
+        sourceEventsCount: 0,
+        policy: getPolicy(),
+        reqData: {
+          ip: req.socket.remoteAddress,
+          httpVersion: req.httpVersion,
+          method: req.method,
+          headers,
+          uriPath,
+          queries,
+          contentType,
+        },
+        responseData: {}
+      };
+    } catch (err) {
+      logger.error(
+        { err },
+        'unable to construct assess store. assess will be disabled for request.'
+      );
+      return null;
+    }
+  };
+};

package/lib/response-scanning/handlers/index.js CHANGED Viewed

@@ -33,6 +33,19 @@ const {
   checkCspSources
 } = require('./utils');
+const {
+  AUTOCOMPLETE_MISSING,
+  CACHE_CONTROLS_MISSING,
+  CLICKJACKING_CONTROL_MISSING,
+  CSP_HEADER_MISSING,
+  CSP_HEADER_INSECURE,
+  HSTS_HEADER_MISSING,
+  PARAMETER_POLLUTION,
+  XCONTENTTYPE_HEADER_MISSING,
+  X_POWERED_BY_HEADER,
+  XXSPROTECTION_HEADER_DISABLED,
+} = ResponseScanningRule;
 module.exports = function(core) {
   const {
     assess: {
@@ -44,7 +57,10 @@ module.exports = function(core) {
   } = core;
   responseScanning.handleAutoCompleteMissing = function(sourceContext, { responseHeaders, responseBody }) {
-    if (!isHtmlContent(responseHeaders)) {
+    if (
+      !isEnabled(AUTOCOMPLETE_MISSING, sourceContext) ||
+      !isHtmlContent(responseHeaders)
+    ) {
       return;
     }
@@ -72,7 +88,10 @@ module.exports = function(core) {
     const instructions = [];
     // de-dupe; this will be re-emitted for parseableBody handlers anyway
-    if (isParseableResponse(responseHeaders) && !responseBody) {
+    if (
+      !isEnabled(CACHE_CONTROLS_MISSING, sourceContext) ||
+      (isParseableResponse(responseHeaders) && !responseBody)
+    ) {
       return;
     }
     const cacheControlHeader = responseHeaders['cache-control'];
@@ -118,6 +137,8 @@ module.exports = function(core) {
   };
   responseScanning.handleClickJackingControlsMissing = function(sourceContext, { responseHeaders }) {
+    if (!isEnabled(CLICKJACKING_CONTROL_MISSING, sourceContext)) return;
     // look for x-frame-options headers with deny or sameorigin
     const xFrameHeaders = responseHeaders['x-frame-options'];
     let hasFrameBusting = false;
@@ -135,6 +156,8 @@ module.exports = function(core) {
   };
   responseScanning.handleParameterPollution = function(sourceContext, { responseBody }) {
+    if (!isEnabled(PARAMETER_POLLUTION, sourceContext)) return;
     // look for form tag with missing action attribute.
     // ex: <form method="post">..
     const elements = getElements('form', responseBody);
@@ -154,21 +177,23 @@ module.exports = function(core) {
   };
   /**
- * Checks the response headers for the CSP. If found, and insecure, will return
- * the evidence for reporting.
- *
- * @param   {Object}        responseHeaders - HTTP headers object.
- * @returns {Object}                        - Evidence for insecure CSP header.
- */
+   * Checks the response headers for the CSP. If found, and insecure, will return
+   * the evidence for reporting.
+   *
+   * @param   {Object}        responseHeaders - HTTP headers object.
+   * @returns {Object}                        - Evidence for insecure CSP header.
+   */
   responseScanning.handleCspHeader = function(sourceContext, { responseHeaders }) {
     const cspHeaders = getCspHeaders(responseHeaders);
     // Don't report if not set; this report belongs to 'csp-header-missing'
-    if (!cspHeaders) {
+    if (!cspHeaders && isEnabled(CSP_HEADER_MISSING, sourceContext)) {
       reportFindings(sourceContext, { ruleId: ResponseScanningRule.CSP_HEADER_MISSING });
       return;
     }
+    if (!isEnabled(CSP_HEADER_INSECURE, sourceContext)) return;
     const vulnerabilityMetadata = checkCspSources(cspHeaders);
     if (vulnerabilityMetadata.insecure) {
@@ -189,6 +214,8 @@ module.exports = function(core) {
   };
   responseScanning.handleHstsHeaderMissing = function(sourceContext, { responseHeaders }) {
+    if (!isEnabled(HSTS_HEADER_MISSING, sourceContext)) return;
     let header = responseHeaders['strict-transport-security'];
     let maxAge;
@@ -219,6 +246,8 @@ module.exports = function(core) {
   };
   responseScanning.handleXContentTypeHeaderMissing = function(sourceContext, { responseHeaders }) {
+    if (!isEnabled(XCONTENTTYPE_HEADER_MISSING, sourceContext)) return;
     const headerName = 'x-content-type-options';
     let header = responseHeaders[headerName];
@@ -237,44 +266,42 @@ module.exports = function(core) {
     });
   };
-  // NODE-3135
   responseScanning.handleXPoweredByHeader = function(sourceContext, { responseHeaders }) {
+    if (!isEnabled(X_POWERED_BY_HEADER, sourceContext)) return;
     const headerName = 'x-powered-by';
     let header = responseHeaders[headerName];
     if (header) {
       header = toLowerCase(header);
-      const instructions = [
-        {
-          type: 'Header',
-          name: headerName,
-          value: header
-        }
-      ];
       reportFindings(sourceContext, {
         ruleId: ResponseScanningRule.X_POWERED_BY_HEADER,
         vulnerabilityMetadata: {
-          data: JSON.stringify(instructions)
+          platform: header,
         }
       });
     }
   };
   responseScanning.handleXxsProtectionHeaderDisabled = function(sourceContext, { responseHeaders }) {
-    const header = responseHeaders['x-xss-protection'];
+    if (!isEnabled(XXSPROTECTION_HEADER_DISABLED, sourceContext)) return;
-    if (header?.startsWith?.('1')) return;
+    const header = responseHeaders['x-xss-protection'];
-    reportFindings(sourceContext, {
-      ruleId: ResponseScanningRule.XXSPROTECTION_HEADER_DISABLED,
-      vulnerabilityMetadata: {
-        data: header,
-      }
-    });
+    if (header && !header.startsWith('1')) {
+      reportFindings(sourceContext, {
+        ruleId: ResponseScanningRule.XXSPROTECTION_HEADER_DISABLED,
+        vulnerabilityMetadata: {
+          data: header,
+        }
+      });
+    }
   };
+  function isEnabled(ruleId, sourceContext) {
+    return !!sourceContext?.policy?.enabledRules?.has?.(ruleId);
+  }
   return responseScanning;
 };