npm - @contrast/assess - Versions diffs - 1.18.0 → 1.20.0 - Mend

@contrast/assess 1.18.0 → 1.20.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (160) hide show

package/lib/dataflow/sinks/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sinks/install/child-process.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -17,19 +17,25 @@
 const {
   DataflowTag: { UNTRUSTED },
   join,
-  Rule,
+  Rule: { CMD_INJECTION: ruleId },
   isString,
   inspect,
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
 const { patchType } = require('../common');
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+*/
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    scopes: { sources },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -92,7 +98,7 @@ module.exports = function(core) {
     if (event) {
       reportFindings({
-        ruleId: Rule.CMD_INJECTION,
+        ruleId,
         sinkEvent: event,
       });
@@ -178,7 +184,7 @@ module.exports = function(core) {
     if (event) {
       reportFindings({
-        ruleId: Rule.CMD_INJECTION,
+        ruleId,
         sinkEvent: event,
       });
     }
@@ -193,10 +199,10 @@ module.exports = function(core) {
             name,
             patchType,
             pre(data) {
-              const store = sources.getStore()?.assess;
-              const [command] = data.args;
+              if (!getSourceContext(RULE, ruleId)) return;
-              if (!store || !command || !isString(command)) return;
+              const [command] = data.args;
+              if (!command || !isString(command)) return;
               const cpArgs = Array.isArray(data.args[1]) && data.args[1];
               const options = cpArgs ? data.args[2] : data.args[1];
@@ -233,10 +239,10 @@ module.exports = function(core) {
             name,
             patchType,
             pre(data) {
-              const store = sources.getStore()?.assess;
-              const [command, secondArg, thirdArg] = data.args;
+              if (!getSourceContext(RULE, ruleId)) return;
-              if (!store || !command || !isString(command)) return;
+              const [command, secondArg, thirdArg] = data.args;
+              if (!command || !isString(command)) return;
               commandCheck(
                 name,
@@ -257,10 +263,10 @@ module.exports = function(core) {
             name,
             patchType,
             pre(data) {
-              const store = sources.getStore()?.assess;
-              const [command] = data.args;
+              if (!getSourceContext(RULE, ruleId)) return;
-              if (!store || !command || !isString(command)) return;
+              const [command] = data.args;
+              if (!command || !isString(command)) return;
               const cpArgs = Array.isArray(data.args[1]) && data.args[1];
               const options = cpArgs ? data.args[2] : data.args[1];

package/lib/dataflow/sinks/install/eval.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -25,8 +25,9 @@ const {
     CUSTOM_VALIDATED,
     LIMITED_CHARS,
   },
-  Rule: { UNSAFE_CODE_EXECUTION },
+  Rule: { UNSAFE_CODE_EXECUTION: ruleId },
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
 const { patchType, filterSafeTags } = require('../common');
 const safeTags = [
@@ -37,13 +38,21 @@ const safeTags = [
   LIMITED_CHARS,
 ];
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ *  logger: import('@contrast/logger').Logger,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+*/
 module.exports = function (core) {
   const {
     config,
     logger,
     patcher,
-    scopes: { sources, instrumentation },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -63,19 +72,12 @@ module.exports = function (core) {
         name: 'global.ContrastMethods.eval',
         patchType,
         pre({ args, orig }) {
-          const store = sources.getStore()?.assess;
+          if (!getSourceContext(RULE, ruleId)) return;
           const script = args[0];
-          if (
-            !store ||
-            instrumentation.isLocked() ||
-            !script ||
-            !isString(script)
-          ) {
-            return;
-          }
+          if (!script || !isString(script)) return;
           const strInfo = tracker.getData(script);
           if (!strInfo) return;
           const isArgVulnerable = isVulnerable(
@@ -93,7 +95,7 @@ module.exports = function (core) {
             reportSafePositive({
               name: 'eval',
-              ruleId: UNSAFE_CODE_EXECUTION,
+              ruleId,
               safeTags: foundSafeTags,
               strInfo: safeStrInfo,
             });
@@ -120,7 +122,7 @@ module.exports = function (core) {
             if (event) {
               reportFindings({
-                ruleId: UNSAFE_CODE_EXECUTION,
+                ruleId,
                 sinkEvent: event,
               });
             }

package/lib/dataflow/sinks/install/express/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sinks/install/express/unvalidated-redirect.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -17,6 +17,7 @@
 const util = require('util');
 const {
+  Rule: { UNVALIDATED_REDIRECT: ruleId },
   DataflowTag: {
     UNTRUSTED,
     CUSTOM_ENCODED,
@@ -27,18 +28,25 @@ const {
   },
   isString
 } = require('@contrast/common');
-const { patchType, filterSafeTags } = require('../../common');
+const { InstrumentationType: { RULE } } = require('../../../../constants');
 const { createSubsetTags } = require('../../../tag-utils');
+const { patchType, filterSafeTags } = require('../../common');
-const ruleId = 'unvalidated-redirect';
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ *  logger: import('@contrast/logger').Logger,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+*/
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
     config,
-    scopes: { sources },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -46,9 +54,8 @@ module.exports = function(core) {
       },
     },
   } = core;
-  const unvalidatedRedirect =
-    (core.assess.dataflow.sinks.express.unvalidatedRedirect = {});
+  const unvalidatedRedirect = core.assess.dataflow.sinks.express.unvalidatedRedirect = {};
   const inspect = patcher.unwrap(util.inspect);
   const safeTags = [
@@ -66,8 +73,7 @@ module.exports = function(core) {
         name: 'Express.Response.location',
         patchType,
         pre: (data) => {
-          const assessStore = sources.getStore()?.assess;
-          if (!assessStore) return;
+          if (!getSourceContext(RULE, ruleId)) return;
           let [url] = data.args;
           if (url === 'back') {

package/lib/dataflow/sinks/install/fastify/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sinks/install/fastify/unvalidated-redirect.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -17,6 +17,7 @@
 const util = require('util');
 const {
+  Rule: { UNVALIDATED_REDIRECT: ruleId },
   DataflowTag: {
     UNTRUSTED,
     CUSTOM_ENCODED,
@@ -27,11 +28,10 @@ const {
   },
   isString
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../../constants');
 const { createSubsetTags } = require('../../../tag-utils');
 const { filterSafeTags, patchType } = require('../../common');
-const ruleId = 'unvalidated-redirect';
 const getURLArgument = (args) => {
   if (!Array.isArray(args)) {
     return { index: null, url: undefined };
@@ -51,13 +51,21 @@ const getURLArgument = (args) => {
   };
 };
+/**
+ *
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
 module.exports = function(core) {
   const {
     config,
     depHooks,
     patcher,
-    scopes: { sources },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -85,8 +93,7 @@ module.exports = function(core) {
         name,
         patchType,
         post(data) {
-          const assessStore = sources.getStore()?.assess;
-          if (!assessStore) return;
+          if (!getSourceContext(RULE, ruleId)) return;
           const { url, index: valueIndex } = getURLArgument(data.args);
           if (!url || !isString(url)) return;

package/lib/dataflow/sinks/install/fs.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -16,9 +16,6 @@
 'use strict';
 const { patchType } = require('../common');
 const {
-  FS_METHODS,
-  Rule,
-  isString,
   DataflowTag: {
     URL_ENCODED,
     LIMITED_CHARS,
@@ -26,16 +23,20 @@ const {
     SAFE_PATH,
     UNTRUSTED,
   },
+  FS_METHODS,
+  Rule: { PATH_TRAVERSAL: ruleId },
   inspect,
+  isString,
   join,
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    scopes: { instrumentation, sources },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -61,8 +62,7 @@ module.exports = function(core) {
   const pre = (name, method, moduleName = 'fs', fullMethodName = '') => (data) => {
     const { name: methodName, indices } = method;
-    const store = sources.getStore()?.assess;
-    if (!store || instrumentation.isLocked()) return;
+    if (!getSourceContext(RULE, ruleId)) return;
     const values = getValues(indices, data.args);
     if (!values.length) return;
@@ -105,7 +105,7 @@ module.exports = function(core) {
       if (event) {
         reportFindings({
-          ruleId: Rule.PATH_TRAVERSAL,
+          ruleId,
           sinkEvent: event,
         });
       }

package/lib/dataflow/sinks/install/function.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -27,8 +27,9 @@ const {
     CUSTOM_VALIDATED,
     LIMITED_CHARS,
   },
-  Rule: { UNSAFE_CODE_EXECUTION }
+  Rule: { UNSAFE_CODE_EXECUTION: ruleId }
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
 const { patchType, filterSafeTags } = require('../common');
 const safeTags = [
@@ -44,8 +45,8 @@ module.exports = function (core) {
     config,
     logger,
     patcher,
-    scopes: { sources, instrumentation },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -65,15 +66,10 @@ module.exports = function (core) {
         name: 'global.ContrastMethods.Function',
         patchType,
         pre({ args: origArgs, hooked, orig, name }) {
-          const store = sources.getStore()?.assess;
+          if (!getSourceContext(RULE, ruleId)) return;
           const fnBody = origArgs[origArgs.length - 1];
-          if (
-            !store ||
-            instrumentation.isLocked() ||
-            !fnBody ||
-            !isString(fnBody)
-          )
-            return;
+          if (!fnBody || !isString(fnBody)) return;
           const strInfo = tracker.getData(fnBody);
@@ -90,7 +86,7 @@ module.exports = function (core) {
             reportSafePositive({
               name,
-              ruleId: UNSAFE_CODE_EXECUTION,
+              ruleId,
               safeTags: foundSafeTags,
               strInfo: safeStrInfo,
             });
@@ -142,7 +138,7 @@ module.exports = function (core) {
             if (event) {
               reportFindings({
-                ruleId: UNSAFE_CODE_EXECUTION,
+                ruleId,
                 sinkEvent: event,
               });
             }

package/lib/dataflow/sinks/install/http/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sinks/install/http/request.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -15,6 +15,7 @@
 'use strict';
+const Url = require('url');
 const {
   inspect,
   isString,
@@ -25,19 +26,27 @@ const {
     CUSTOM_VALIDATED_SSRF,
     CUSTOM_VALIDATED,
     LIMITED_CHARS
-  }
+  },
+  Rule: { SSRF: ruleId },
 } = require('@contrast/common');
-const Url = require('url');
-const trustedLibs = [/^(?!.*(newrelic)).*http.*$/];
-const { patchType } = require('../../common');
+const { InstrumentationType: { RULE } } = require('../../../../constants');
 const { createAppendTags } = require('../../../tag-utils');
+const { patchType } = require('../../common');
+const trustedLibs = [/^(?!.*(newrelic)).*http.*$/];
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+*/
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    scopes: { sources },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -92,8 +101,7 @@ module.exports = function(core) {
           name,
           patchType,
           pre(data) {
-            const sourceContext = sources.getStore()?.assess;
-            if (!sourceContext) return;
+            if (!getSourceContext(RULE, ruleId)) return;
             const [req] = data.args;
             if (!req) return;
@@ -136,7 +144,7 @@ module.exports = function(core) {
                 if (event) {
                   reportFindings({
-                    ruleId: 'ssrf',
+                    ruleId,
                     sinkEvent: event
                   });
                 }

package/lib/dataflow/sinks/install/http/server-response.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -31,15 +31,24 @@ const {
   },
   Rule: { REFLECTED_XSS: ruleId },
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../../constants');
 const { patchType, filterSafeTags } = require('../../common');
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
 module.exports = function(core) {
   const {
     config,
     depHooks,
     patcher,
-    scopes: { sources },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -68,7 +77,7 @@ module.exports = function(core) {
   ];
   const preHook = (name, method) => (data) => {
-    const sourceContext = sources.getStore()?.assess;
+    const sourceContext = getSourceContext(RULE, ruleId);
     if (!sourceContext) return;
     const payload = data.args[0];

package/lib/dataflow/sinks/install/koa/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sinks/install/koa/unvalidated-redirect.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -25,20 +25,29 @@ const {
     LIMITED_CHARS,
     URL_ENCODED,
   },
+  Rule: { UNVALIDATED_REDIRECT: ruleId },
   isString
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../../constants');
 const { createSubsetTags } = require('../../../tag-utils');
 const { filterSafeTags, patchType } = require('../../common');
-const ruleId = 'unvalidated-redirect';
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ *  logger: import('@contrast/logger').Logger,
+ *  messages: import('@contrast/common').Messages,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
     config,
-    scopes: { sources },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -46,11 +55,8 @@ module.exports = function(core) {
       },
     },
   } = core;
-  const unvalidatedRedirect =
-    (core.assess.dataflow.sinks.koa.unvalidatedRedirect = {});
   const inspect = patcher.unwrap(util.inspect);
   const safeTags = [
     CUSTOM_ENCODED,
     CUSTOM_VALIDATED,
@@ -59,6 +65,8 @@ module.exports = function(core) {
     URL_ENCODED,
   ];
+  const unvalidatedRedirect = core.assess.dataflow.sinks.koa.unvalidatedRedirect = {};
   unvalidatedRedirect.install = function() {
     depHooks.resolve({ name: 'koa', file: 'lib/response', version: '<2.9.0' }, (Response) => {
       const name = 'Koa.Response.redirect';
@@ -66,8 +74,7 @@ module.exports = function(core) {
         name,
         patchType,
         pre(data) {
-          const assessStore = sources.getStore()?.assess;
-          if (!assessStore) return;
+          if (!getSourceContext(RULE, ruleId)) return;
           let isBackRoute = false;
           let [url] = data.args;