npm - @contrast/assess - Versions diffs - 1.18.0 → 1.20.0 - Mend

@contrast/assess 1.18.0 → 1.20.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (160) hide show

package/lib/dataflow/sinks/install/libxmljs.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -15,9 +15,8 @@
 'use strict';
-const { patchType } = require('../common');
 const {
-  Rule: { XXE },
+  Rule: { XXE: ruleId },
   isString,
   DataflowTag: {
     UNTRUSTED,
@@ -26,18 +25,29 @@ const {
   },
   inspect
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
+const { patchType } = require('../common');
 const safeTags = [
   LIMITED_CHARS,
   ALPHANUM_SPACE_HYPHEN
 ];
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ *  logger: import('@contrast/logger').Logger,
+ *  messages: import('@contrast/common').Messages,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    scopes: { sources, instrumentation },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -60,12 +70,7 @@ module.exports = function(core) {
         name: `${moduleName}.${method}`,
         patchType,
         pre(data) {
-          const store = sources.getStore()?.assess;
-          if (
-            !store ||
-            !data.args[0] ||
-            instrumentation.isLocked()
-          ) return;
+          if (!getSourceContext(RULE, ruleId) || !data.args[0]) return;
           const [xmlString, opts] = data.args;
@@ -104,7 +109,7 @@ module.exports = function(core) {
           if (event) {
             reportFindings({
-              ruleId: XXE,
+              ruleId,
               sinkEvent: event,
             });
           }

package/lib/dataflow/sinks/install/marsdb.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -15,10 +15,9 @@
 'use strict';
 const util = require('util');
-const { patchType } = require('../common');
 const {
   traverseValues,
-  Rule,
+  Rule: { NOSQL_INJECTION_MONGO: ruleId },
   DataflowTag: {
     ALPHANUM_SPACE_HYPHEN,
     LIMITED_CHARS,
@@ -27,6 +26,8 @@ const {
     CUSTOM_VALIDATED_NOSQL_INJECTION,
   },
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
+const { patchType } = require('../common');
 const collectionMethods = ['find', 'findOne', 'update', 'remove'];
 const querySafeTags = [
@@ -36,13 +37,20 @@ const querySafeTags = [
   CUSTOM_VALIDATED_NOSQL_INJECTION,
 ];
-module.exports = function(core) {
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  logger: import('@contrast/logger').Logger,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
+module.exports = function (core) {
   const {
     depHooks,
     logger,
     patcher,
-    scopes: { sources, instrumentation },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -74,7 +82,7 @@ module.exports = function(core) {
     const name = `marsdb.Collection.prototype.${method}`;
     if (!proto[method]) {
-      logger.trace({ name }, `marsdb method ${method} not found!`);
+      logger.trace('method %s not found - skipping instrumentation', name);
       return;
     }
@@ -82,10 +90,7 @@ module.exports = function(core) {
       name,
       patchType,
       around(next, data) {
-        const sourceCtx = sources.getStore()?.assess;
-        if (!sourceCtx || instrumentation.isLocked()) {
-          return next();
-        }
+        if (!getSourceContext(RULE, ruleId)) return next();
         const argIdx = 0;
         const result = getVulnerabilityInfo(data.args[argIdx]);
@@ -120,7 +125,7 @@ module.exports = function(core) {
         });
         if (sinkEvent) {
-          reportFindings({ ruleId: Rule.NOSQL_INJECTION_MONGO, sinkEvent });
+          reportFindings({ ruleId, sinkEvent });
         }
         return next();
@@ -128,7 +133,7 @@ module.exports = function(core) {
     });
   }
-  instr.install = function() {
+  instr.install = function () {
     depHooks.resolve({ name: 'marsdb' }, (marsdb) => {
       collectionMethods.forEach((method) => patchCollection(marsdb, method));
     });

package/lib/dataflow/sinks/install/mongodb.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -24,12 +24,13 @@ const {
     LIMITED_CHARS,
     STRING_TYPE_CHECKED,
   },
-  Rule: { NOSQL_INJECTION_MONGO },
+  Rule: { NOSQL_INJECTION_MONGO: ruleId },
   isNonEmptyObject,
   traverseValues,
   isString,
   inspect
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
 const utils = require('../../tag-utils');
 const { patchType, filterSafeTags } = require('../common');
@@ -66,19 +67,28 @@ const querySafeTags = [
   STRING_TYPE_CHECKED,
 ];
-module.exports = function(core) {
+/**
+ *
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
+module.exports = function (core) {
   const {
     config,
     depHooks,
     logger,
     patcher,
-    scopes: { sources, instrumentation },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
-        sinks: { isVulnerable, runInActiveSink, isLocked, reportFindings, reportSafePositive }
-      }
+        sinks: { isVulnerable, reportFindings, reportSafePositive }
+      },
+      ruleScopes,
     }
   } = core;
@@ -227,18 +237,14 @@ module.exports = function(core) {
   function createAroundHook(entity, name, method, getInfoMethod, vulnerableArgIdxs) {
     const argsIdxsToCheck = vulnerableArgIdxs || [0];
-    return function(next, data) {
-      const { obj, args: origArgs } = data;
-      const sourceCtx = sources.getStore()?.assess;
-      if (isLocked(NOSQL_INJECTION_MONGO) || instrumentation.isLocked() || !sourceCtx) {
-        return next();
-      }
+    return function (next, data) {
+      if (!getSourceContext(RULE, ruleId)) return next();
+      const { obj, args: origArgs } = data;
+      const safeReports = [];
       let vulnInfo;
       let reportSafe;
       let vulnArgIdx;
-      const safeReports = [];
       try {
         for (const argIdx of argsIdxsToCheck) {
@@ -272,13 +278,15 @@ module.exports = function(core) {
             reportSafePositive({
               name,
-              ruleId: NOSQL_INJECTION_MONGO,
+              ruleId,
               safeTags,
               strInfo: strInfo.length === 1 ? strInfo[0] : strInfo
             });
           }
-          return methodsWithNestedCalls.includes(method) ? runInActiveSink(NOSQL_INJECTION_MONGO, async () => await next()) : next();
+          return methodsWithNestedCalls.includes(method)
+            ? ruleScopes.run(ruleId, async () => await next())
+            : next();
         }
         const { path, strInfo } = vulnInfo;
@@ -313,17 +321,19 @@ module.exports = function(core) {
         });
         if (sinkEvent) {
-          reportFindings({ ruleId: NOSQL_INJECTION_MONGO, sinkEvent });
+          reportFindings({ ruleId, sinkEvent });
         }
       } catch (err) {
-        core.logger.error({ name, err }, 'assess sink analysis failed');
+        core.logger.error({ err, funcKey: data.funcKey }, 'assess sink analysis failed');
       }
-      return methodsWithNestedCalls.includes(method) ? runInActiveSink(NOSQL_INJECTION_MONGO, async () => await next()) : next();
+      return methodsWithNestedCalls.includes(method)
+        ? ruleScopes.run(ruleId, async () => await next())
+        : next();
     };
   }
-  instr.install = function() {
+  instr.install = function () {
     depHooks.resolve({ name: 'mongodb' }, (mongodb, version) => {
       patchCollection(mongodb, version);
       patchDatabase(mongodb, version);
@@ -336,7 +346,7 @@ module.exports = function(core) {
       const name = `mongodb.Collection.prototype.${method}`;
       if (!proto[method]) {
-        logger.trace({ name, version }, 'method not found - skipping instrumentation');
+        logger.trace({ version }, 'method %s not found - skipping instrumentation', name);
         continue;
       }
@@ -374,7 +384,7 @@ module.exports = function(core) {
       const name = `mongodb.Db.prototype.${method}`;
       if (!proto[method]) {
-        logger.trace({ name, version }, 'method not found - skipping instrumentation');
+        logger.trace({ version }, 'method %s not found - skipping instrumentation', name);
         continue;
       }

package/lib/dataflow/sinks/install/mssql.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -16,10 +16,17 @@
 'use strict';
 const {
-  DataflowTag: { UNTRUSTED, SQL_ENCODED, LIMITED_CHARS, CUSTOM_VALIDATED, CUSTOM_ENCODED },
-  Rule: { SQL_INJECTION },
+  DataflowTag: {
+    CUSTOM_VALIDATED,
+    CUSTOM_ENCODED,
+    LIMITED_CHARS,
+    SQL_ENCODED,
+    UNTRUSTED,
+  },
+  Rule: { SQL_INJECTION: ruleId },
   isString
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
 const { createModuleLabel } = require('../../propagation/common');
 const { patchType, filterSafeTags } = require('../common');
@@ -30,15 +37,20 @@ const safeTags = [
   CUSTOM_ENCODED,
 ];
-const ruleId = SQL_INJECTION;
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
     config,
-    scopes: { sources },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -48,12 +60,11 @@ module.exports = function(core) {
   } = core;
   const pre = (name, method, obj, version) => (data) => {
-    const store = sources.getStore()?.assess;
     if (
-      !store ||
+      !getSourceContext(RULE, ruleId) ||
       !data.args[0] ||
       !isString(data.args[0]) ||
-      isLocked(SQL_INJECTION)
+      isLocked(ruleId)
     ) return;
     const strInfo = tracker.getData(data.args[0]);
@@ -86,7 +97,7 @@ module.exports = function(core) {
       if (event) {
         reportFindings({
-          ruleId: SQL_INJECTION,
+          ruleId,
           sinkEvent: event,
         });
       }

package/lib/dataflow/sinks/install/mysql.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -17,8 +17,7 @@
 const { patchType } = require('../common');
 const {
-  Rule: { SQL_INJECTION },
-  isString,
+  Rule: { SQL_INJECTION: ruleId },
   DataflowTag: {
     CUSTOM_ENCODED_SQL_INJECTION,
     CUSTOM_ENCODED,
@@ -28,8 +27,10 @@ const {
     LIMITED_CHARS,
     UNTRUSTED
   },
-  inspect
+  isString,
+  inspect,
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
 const safeTags = [
   CUSTOM_ENCODED_SQL_INJECTION,
@@ -40,12 +41,19 @@ const safeTags = [
   LIMITED_CHARS,
 ];
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    scopes: { sources },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -65,11 +73,10 @@ module.exports = function(core) {
   }
   const pre = (module, file, obj, method) => (data) => {
-    const store = sources.getStore()?.assess;
     if (
-      !store ||
+      !getSourceContext(RULE, ruleId) ||
       !data.args[0] ||
-      isLocked(SQL_INJECTION)
+      isLocked(ruleId)
     ) return;
     const val = getValueFromArgs(data.args);
@@ -106,7 +113,7 @@ module.exports = function(core) {
     if (event) {
       reportFindings({
-        ruleId: SQL_INJECTION,
+        ruleId,
         sinkEvent: event,
       });
     }

package/lib/dataflow/sinks/install/node-serialize.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -15,21 +15,29 @@
 'use strict';
-const { patchType } = require('../common');
 const {
-  Rule: { UNTRUSTED_DESERIALIZATION },
+  Rule: { UNTRUSTED_DESERIALIZATION: ruleId },
   isString,
   DataflowTag: {
     UNTRUSTED
   }
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
+const { patchType } = require('../common');
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    scopes: { sources, instrumentation },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -45,23 +53,13 @@ module.exports = function(core) {
           name: 'node-serialize.unserialize',
           patchType,
           pre(data) {
-            const store = sources.getStore()?.assess;
-            if (
-              !store ||
-              !data.args[0] ||
-              instrumentation.isLocked()
-            ) return;
+            if (!getSourceContext(RULE, ruleId) || !data.args[0]) return;
             const [input] = data.args;
-            if (!isString(input)) {
-              return;
-            }
+            if (!isString(input)) return;
             const strInfo = tracker.getData(input);
-            if (!strInfo || !isVulnerable(UNTRUSTED, [], strInfo.tags)) {
-              return;
-            }
+            if (!strInfo || !isVulnerable(UNTRUSTED, [], strInfo.tags)) return;
             const sinkEvent = createSinkEvent({
               name: 'node-serialize.unserialize',
@@ -89,7 +87,7 @@ module.exports = function(core) {
             if (sinkEvent) {
               reportFindings({
-                ruleId: UNTRUSTED_DESERIALIZATION,
+                ruleId,
                 sinkEvent,
               });
             }

package/lib/dataflow/sinks/install/postgres.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -17,19 +17,33 @@
 const util = require('util');
 const {
-  DataflowTag: { UNTRUSTED, SQL_ENCODED, LIMITED_CHARS, CUSTOM_VALIDATED, CUSTOM_ENCODED },
+  DataflowTag: {
+    CUSTOM_VALIDATED,
+    CUSTOM_ENCODED,
+    LIMITED_CHARS,
+    SQL_ENCODED,
+    UNTRUSTED,
+  },
   Rule: { SQL_INJECTION: ruleId },
   isString,
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
 const { filterSafeTags, patchType } = require('../common');
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
 module.exports = function(core) {
   const {
     config,
     depHooks,
     patcher,
-    scopes: { sources },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -50,8 +64,7 @@ module.exports = function(core) {
   const postgres = core.assess.dataflow.sinks.postgres = {};
   const preHook = (methodSignature) => (data) => {
-    const assessStore = sources.getStore()?.assess;
-    if (!assessStore || isLocked(ruleId)) return;
+    if (!getSourceContext(RULE, ruleId) || isLocked(ruleId)) return;
     const [arg0] = data.args;
     const query = arg0?.text || arg0;

package/lib/dataflow/sinks/install/sequelize.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -17,7 +17,7 @@
 const util = require('util');
 const {
-  Rule: { SQL_INJECTION },
+  Rule: { SQL_INJECTION: ruleId },
   DataflowTag: {
     UNTRUSTED,
     SQL_ENCODED,
@@ -26,15 +26,23 @@ const {
     CUSTOM_ENCODED,
   },
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
 const { patchType, filterSafeTags } = require('../common');
-module.exports = function(core) {
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
+module.exports = function (core) {
   const {
     depHooks,
     patcher,
     config,
-    scopes: { sources },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -54,17 +62,15 @@ module.exports = function(core) {
   const sequelize = (core.assess.dataflow.sinks.sequelize = {});
-  sequelize.install = function() {
-    const sequelizeQueryPatchName = 'sequelize.prototype.query';
+  sequelize.install = function () {
     depHooks.resolve({ name: 'sequelize' }, (sequelize) => {
       patcher.patch(sequelize.prototype, 'query', {
-        name: sequelizeQueryPatchName,
+        name: 'sequelize.prototype.query',
         patchType,
         around(next, data) {
-          const { args, hooked, orig } = data;
-          const sourceContext = sources.getStore()?.assess;
-          if (!sourceContext || !args[0]) return next();
+          if (!getSourceContext(RULE, ruleId) || !data.args[0]) return next();
+          const { args, hooked, orig } = data;
           const query = typeof args[0] === 'string' ? args[0] : args[0].query;
           try {
@@ -73,8 +79,8 @@ module.exports = function(core) {
             if (queryInfo && !isVulnerableQuery && config.assess.safe_positives.enable) {
               reportSafePositive({
-                name: sequelizeQueryPatchName,
-                ruleId: SQL_INJECTION,
+                name: data.name,
+                ruleId,
                 safeTags: filterSafeTags(safeTags, queryInfo),
                 strInfo: {
                   value: queryInfo?.value,
@@ -87,7 +93,7 @@ module.exports = function(core) {
               !queryInfo ||
               !isVulnerableQuery
             ) {
-              return runInActiveSink(SQL_INJECTION, async () => await next());
+              return runInActiveSink(ruleId, async () => await next());
             }
             const sqlValue =
@@ -103,7 +109,7 @@ module.exports = function(core) {
             const event = createSinkEvent({
               context: `sequelize.prototype.query(${contextArgs})`,
-              name: sequelizeQueryPatchName,
+              name: data.name,
               moduleName: 'sequelize',
               methodName: 'prototype.query',
               history: [queryInfo],
@@ -122,19 +128,19 @@ module.exports = function(core) {
             if (event) {
               reportFindings({
-                ruleId: SQL_INJECTION,
+                ruleId,
                 sinkEvent: event,
               });
             }
             /* c8 ignore next 3 */
           } catch (err) {
             core.logger.error(
-              { name: sequelizeQueryPatchName, err },
+              { err, funcKey: data.funcKey },
               'assess sink analysis failed'
             );
           }
-          return runInActiveSink(SQL_INJECTION, async () => await next());
+          return runInActiveSink(ruleId, async () => await next());
         },
       });
     });