npm - @contrast/assess - Versions diffs - 1.18.0 → 1.20.0 - Mend

@contrast/assess 1.18.0 → 1.20.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (160) hide show

package/LICENSE CHANGED Viewed

@@ -1,4 +1,4 @@
-Copyright: 2023 Contrast Security, Inc
+Copyright: 2024 Contrast Security, Inc
 Contact: support@contrastsecurity.com
 License: Commercial

package/lib/constants.js ADDED Viewed

@@ -0,0 +1,26 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const InstrumentationType = {
+  SOURCE: 'source',
+  PROPAGATOR: 'propagator',
+  RULE: 'rule',
+};
+module.exports = {
+  InstrumentationType,
+};

package/lib/crypto-analysis/common.js ADDED Viewed

@@ -0,0 +1,20 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+module.exports = {
+  PATCH_TYPE: 'assess-cryptographic-analysis',
+};

package/lib/crypto-analysis/index.js ADDED Viewed

@@ -0,0 +1,44 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const {
+  Event,
+  callChildComponentMethodsSync,
+} = require('@contrast/common');
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  messages: import('@contrast/common').Messages,
+ * }} core
+ */
+module.exports = function(core) {
+  const cryptoAnalysis = core.assess.cryptoAnalysis = {
+    installers: {},
+    install() {
+      callChildComponentMethodsSync(cryptoAnalysis.installers, 'install');
+    },
+    report(event) {
+      core.messages.emit(Event.ASSESS_CRYPTO_ANALYSIS_FINDING, event);
+    },
+  };
+  require('./install/crypto')(core);
+  require('./install/math')(core);
+  return cryptoAnalysis;
+};

package/lib/crypto-analysis/install/crypto.js ADDED Viewed

@@ -0,0 +1,156 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { inspect } = require('util');
+const {
+  Rule,
+  isString,
+  toLowerCase,
+} = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../constants');
+const { PATCH_TYPE: patchType } = require('../common');
+const SAFE_HASH_ALGORITHMS = new Set([
+  'RSA-SHA1-2',
+  'RSA-SHA224',
+  'RSA-SHA256',
+  'RSA-SHA384',
+  'RSA-SHA512',
+  'sha224',
+  'sha224WithRSAEncryption',
+  'sha256',
+  'sha256WithRSAEncryption',
+  'sha384',
+  'sha384WithRSAEncryption',
+  'sha512'
+]);
+const SAFE_HASH_LIBS = ['etag', 'browserify', 'deps-sort'];
+const SAFE_CIPHER_ALGORITHM_PREFIXES = ['des-ede', 'id-aes', 'aes', 'rsa'];
+/**
+ * @param {{
+ *  config: import('@contrast/config').Config,
+ *  assess: import('@contrast/assess').Assess,
+ * }} core
+ */
+module.exports = function (core) {
+  const {
+    config,
+    depHooks,
+    logger,
+    patcher,
+    assess: {
+      eventFactory,
+      cryptoAnalysis,
+      getSourceContext,
+    },
+  } = core;
+  const installer = core.assess.cryptoAnalysis.installers.crypto = {
+    install() {
+      depHooks.resolve({ name: 'crypto' }, (_export) => {
+        patcher.patch(_export, 'createHash', {
+          name: 'crypto.createHash',
+          patchType,
+          post(data) {
+            const [alg] = data.args;
+            if (
+              !isString(alg) ||
+              !getSourceContext(RULE, Rule.CRYPTO_BAD_MAC) ||
+              SAFE_HASH_ALGORITHMS.has(alg)
+            ) return;
+            const event = eventFactory.createCryptoAnalysisEvent({
+              args: [{ tracked: false, value: alg }],
+              context: `crypto.createHash(${inspect(alg)})`,
+              methodName: 'createHash',
+              moduleName: 'crypto',
+              name: 'crypto.createHash',
+              object: { tracked: false, value: 'crypto' },
+              result: { tracked: false, value: 'Hash' },
+              source: 'P0',
+              stacktraceOpts: {
+                constructorOpt: data.hooked,
+              },
+            });
+            if (!event) return;
+            // check stacktrace for trusted libraries
+            if (config.getEffectiveValue('assess.stacktraces') === 'NONE') {
+              const { stack } = new Error(event.stacktraceOpts);
+              for (const lib of SAFE_HASH_LIBS) {
+                if (stack.indexOf(lib) >= 0) return;
+              }
+            } else {
+              for (const { file } of event.stack) {
+                for (const lib of SAFE_HASH_LIBS) {
+                  logger.trace(
+                    { funcKey: data.funcKey },
+                    'skipping reporting for %s - trusting %s',
+                    Rule.CRYPTO_BAD_MAC,
+                    lib
+                  );
+                  if (file.indexOf(lib) >= 0) return;
+                }
+              }
+            }
+            cryptoAnalysis.report({ finding: event, ruleId: Rule.CRYPTO_BAD_MAC });
+          },
+        });
+        for (const method of ['createCipher', 'createCipheriv']) {
+          patcher.patch(_export, method, {
+            name: `crypto.${method}`,
+            patchType,
+            post(data) {
+              const [alg] = data.args;
+              if (!isString(alg) || !getSourceContext(RULE, Rule.CRYPTO_BAD_CIPHERS)) return;
+              const algLower = toLowerCase(alg);
+              for (const prefix of SAFE_CIPHER_ALGORITHM_PREFIXES) {
+                if (algLower.indexOf(prefix) === 0) return;
+              }
+              const event = eventFactory.createCryptoAnalysisEvent({
+                args: [{ tracked: false, value: alg }],
+                context: `crypto.${method}(${inspect(alg)})`,
+                methodName: method,
+                moduleName: 'crypto',
+                name: `crypto.${method}`,
+                object: { tracked: false, value: 'crypto' },
+                result: { tracked: false, value: 'Cipher' },
+                source: 'P0',
+                stacktraceOpts: {
+                  constructorOpt: data.hooked,
+                }
+              });
+              if (!event) return;
+              cryptoAnalysis.report({ finding: event, ruleId: Rule.CRYPTO_BAD_CIPHERS });
+            }
+          });
+        }
+      });
+    },
+  };
+  return installer;
+};

package/lib/crypto-analysis/install/math.js ADDED Viewed

@@ -0,0 +1,104 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { Rule } = require('@contrast/common');
+const { InstrumentationType } = require('../../constants');
+const { PATCH_TYPE: patchType } = require('../common');
+const { CRYPTO_WEAK_RANDOMNESS: ruleId } = Rule;
+const { RULE } = InstrumentationType;
+const SAFE_RANDOM_LIBS = [
+  'node_modules/node-uuid/',
+  'browserify'
+];
+/**
+ * @param {{
+ *  config: import('@contrast/config').Config,
+ *  assess: import('@contrast/assess').Assess,
+ * }} core
+ */
+module.exports = function (core) {
+  const {
+    assess: {
+      eventFactory,
+      cryptoAnalysis,
+      getSourceContext,
+    },
+    config,
+    logger,
+    patcher,
+  } = core;
+  core.assess.cryptoAnalysis.installers.math = {
+    install() {
+      patcher.patch(Math, 'random', {
+        name: 'global.Math.random',
+        patchType,
+        post(data) {
+          if (!getSourceContext(RULE, ruleId)) return;
+          const event = eventFactory.createCryptoAnalysisEvent({
+            args: [],
+            context: 'Math.random()',
+            methodName: 'random',
+            moduleName: 'global.Math',
+            name: 'global.Math.random',
+            object: { tracked: false, value: 'global.Math' },
+            result: { tracked: false, value: `${data.result}` },
+            source: 'A',
+            stacktraceOpts: {
+              constructorOpt: data.hooked,
+            }
+          });
+          if (!event) return;
+          // check stacktrace for trusted libraries
+          if (config.getEffectiveValue('assess.stacktraces') === 'NONE') {
+            const { stack } = new Error(event.stacktraceOpts);
+            for (const lib of SAFE_RANDOM_LIBS) {
+              if (stack.indexOf(lib) >= 0) return;
+            }
+          } else {
+            for (const { file } of event.stack) {
+              for (const lib of SAFE_RANDOM_LIBS) {
+                if (file.indexOf(lib) >= 0) {
+                  logger.trace(
+                    { funcKey: data.funcKey },
+                    'skipping reporting for %s - trusting %s',
+                    ruleId,
+                    lib,
+                  );
+                  return;
+                }
+              }
+            }
+          }
+          cryptoAnalysis.report({ finding: event, ruleId });
+        },
+      });
+    },
+    uninstall() {
+      Math.random = patcher.unwrap(Math.random);
+    },
+  };
+  return core.assess.cryptoAnalysis.installers.math;
+};

package/lib/dataflow/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/propagation/common.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/propagation/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/propagation/install/JSON/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/propagation/install/JSON/parse-fn.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/propagation/install/JSON/parse.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -59,8 +59,18 @@ module.exports = function (core) {
   function createEvent(data, value, newTags, reviver, strInfo) {
     const method = 'JSON.parse';
+    const eventArgs = [
+      {
+        value: data.args[0],
+        tracked: true,
+      },
+      reviver && {
+        value: reviver.toString(),
+        tracked: false,
+      }
+    ].filter(Boolean);
     return createPropagationEvent({
-      context: method,
+      context: `${method}(${eventArgs.map((arg) => `'${arg.value}'`)})`,
       name: method,
       history: [strInfo],
       moduleName: 'JSON',
@@ -69,16 +79,7 @@ module.exports = function (core) {
         value: inspect(data.obj),
         tracked: false,
       },
-      args: [
-        {
-          value: data.args[0],
-          tracked: true,
-        },
-        reviver && {
-          value: reviver.toString(),
-          tracked: false,
-        },
-      ].filter(Boolean),
+      args: eventArgs,
       result: {
         value,
         tracked: true,
@@ -141,8 +142,8 @@ module.exports = function (core) {
           try {
             keyValueIndexes = getKeyValueIndexes(input);
-          } catch (error) {
-            logger.warn({ error, string: input }, 'JSON.parse() propagation failed');
+          } catch (err) {
+            logger.warn({ err, funcKey: data.funcKey, string: input }, 'JSON.parse() propagation failed');
           }
           if (keyValueIndexes.length === 0) return;

package/lib/dataflow/propagation/install/JSON/stringify.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -148,7 +148,7 @@ module.exports = function(core) {
         }
       }
-      metadata.history.add(metadata[id]);
+      metadata.history.add(metadata.strInfos[id]);
       // replace the canary with the starting quote
       return '"';
     });

package/lib/dataflow/propagation/install/array-prototype-join.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/propagation/install/buffer.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/propagation/install/contrast-methods/add.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/propagation/install/contrast-methods/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/propagation/install/contrast-methods/number.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -18,7 +18,7 @@
 const { isString } = require('@contrast/common');
 const { patchType } = require('../../common');
-module.exports = function(core) {
+module.exports = function (core) {
   const {
     logger,
     scopes: { instrumentation, sources },
@@ -43,11 +43,12 @@ module.exports = function(core) {
             !isString(value) ||
             !sources.getStore()?.assess ||
             instrumentation.isLocked() ||
+            // why not just do this first? won't need check for NaN, !value, !isString, etc.
             !tracker.getData(value)
           ) return;
           tracker.untrack(value);
-          logger.trace({ sanitizer: name, value }, 'untracked a string value');
+          logger.trace({ funcKey: data.funcKey, sanitizer: name, value }, 'untracked a string value');
         }
       });
     },

package/lib/dataflow/propagation/install/contrast-methods/string.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/propagation/install/contrast-methods/tag.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/propagation/install/decode-uri-component.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/propagation/install/ejs/escape-xml.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -21,7 +21,7 @@ const {
 const {
   createFullLengthCopyTags
 } = require('../../../tag-utils');
-const { patchType, createModuleLabel } = require('../../common');
+const { patchType } = require('../../common');
 module.exports = function(core) {
   const {
@@ -61,7 +61,7 @@ module.exports = function(core) {
               moduleName: 'ejs',
               methodName: 'escapeXML',
               object: {
-                value: `[${createModuleLabel('ejs', version)}].utils`,
+                value: 'ejs.utils',
                 tracked: false
               },
               result: {

package/lib/dataflow/propagation/install/ejs/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -25,6 +25,7 @@ module.exports = function(core) {
   };
   require('./escape-xml')(core);
+  require('./template')(core);
   return ejsInstrumentation;
 };

package/lib/dataflow/propagation/install/ejs/template.js ADDED Viewed

@@ -0,0 +1,79 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { EOL } = require('os');
+const { join } = require('@contrast/common');
+const { patchType } = require('../../common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  logger: import('@contrast/logger').Logger,
+ *  rewriter: import('@contrast/rewriter').Rewriter,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
+module.exports = function (core) {
+  const {
+    assess: { getSourceContext },
+    depHooks,
+    logger,
+    patcher,
+    rewriter,
+  } = core;
+  const REWRITE_OPTS = { inject: false, wrap: false };
+  const WRAPPER_PREFIX = join([
+    'function tempWrapper() {',
+    'function __append(s) { if (s !== undefined && s !== null) __output += s }'
+  ], EOL);
+  const WRAPPER_SUFFIX = join([
+    EOL,
+    'return __output;',
+    '}',
+  ], EOL);
+  return core.assess.dataflow.propagation.ejsInstrumentation.template = {
+    /**
+     * inject our own rewritten version of __append():
+     *   function __append() { // unrewritten }
+     *   function __append() { // rewritten }
+     */
+    install() {
+      depHooks.resolve({ name: 'ejs', version: '>=2.6.2' }, (_export, version) => {
+        patcher.patch(_export.Template.prototype, 'generateSource', {
+          name: 'ejs.Template.prototype.generateSource',
+          patchType,
+          post(data) {
+            if (!getSourceContext(PROPAGATOR)) return;
+            try {
+              const { code } = rewriter.rewrite(`${WRAPPER_PREFIX}${data.obj.source}${WRAPPER_SUFFIX}`, REWRITE_OPTS);
+              data.obj.source = code.substring(code.indexOf('{') + 1, code.lastIndexOf('}'));
+            } catch (err) {
+              logger.error(
+                { err, funcKey: data.funcKey, source: data.obj.source },
+                'error occurred while rewriting ejs source'
+              );
+            }
+          }
+        });
+      });
+    },
+  };
+};