npm - @contrast/assess - Versions diffs - 1.18.0 → 1.20.0 - Mend

@contrast/assess 1.18.0 → 1.20.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (160) hide show

package/lib/dataflow/sinks/install/sqlite3.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -17,10 +17,17 @@
 const { patchType } = require('../common');
 const {
-  DataflowTag: { UNTRUSTED, SQL_ENCODED, LIMITED_CHARS, CUSTOM_VALIDATED, CUSTOM_ENCODED },
-  Rule: { SQL_INJECTION },
+  DataflowTag: {
+    CUSTOM_VALIDATED,
+    CUSTOM_ENCODED,
+    LIMITED_CHARS,
+    SQL_ENCODED,
+    UNTRUSTED,
+  },
+  Rule: { SQL_INJECTION: ruleId },
   isString
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
 const safeTags = [
   SQL_ENCODED,
@@ -29,12 +36,19 @@ const safeTags = [
   CUSTOM_ENCODED,
 ];
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    scopes: { sources },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -44,12 +58,11 @@ module.exports = function(core) {
   } = core;
   const pre = (name, method) => (data) => {
-    const store = sources.getStore()?.assess;
     if (
-      !store ||
+      !getSourceContext(RULE, ruleId) ||
       !data.args[0] ||
       !isString(data.args[0]) ||
-      isLocked(SQL_INJECTION)
+      isLocked(ruleId)
     ) return;
     const strInfo = tracker.getData(data.args[0]);
@@ -83,7 +96,7 @@ module.exports = function(core) {
     if (event) {
       reportFindings({
-        ruleId: SQL_INJECTION,
+        ruleId,
         sinkEvent: event,
       });
     }

package/lib/dataflow/sinks/install/vm.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -16,7 +16,6 @@
 'use strict';
 const { patchType, filterSafeTags } = require('../common');
 const {
-  isString,
   DataflowTag: {
     UNTRUSTED,
     CUSTOM_ENCODED_TRUST_BOUNDARY_VIOLATION,
@@ -25,14 +24,17 @@ const {
     CUSTOM_VALIDATED,
     LIMITED_CHARS,
   },
-  Rule: { UNSAFE_CODE_EXECUTION },
-  isNonEmptyObject,
+  Rule: { UNSAFE_CODE_EXECUTION: ruleId },
   inspect,
-  traverseValues,
+  isNonEmptyObject,
+  isString,
   join,
   split,
+  traverseValues,
 } = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
 const { createAdjustedQueryTags } = require('../../tag-utils');
 const safeTags = [
   CUSTOM_ENCODED_TRUST_BOUNDARY_VIOLATION,
   CUSTOM_ENCODED,
@@ -41,13 +43,20 @@ const safeTags = [
   LIMITED_CHARS,
 ];
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+ */
 module.exports = function (core) {
   const {
     config,
     depHooks,
     patcher,
-    scopes: { sources, instrumentation },
     assess: {
+      getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -133,14 +142,7 @@ module.exports = function (core) {
   }
   function around(next, { args: origArgs, hooked, orig, name }) {
-    const store = sources.getStore()?.assess;
-    if (
-      !store ||
-      instrumentation.isLocked() ||
-      isLocked(UNSAFE_CODE_EXECUTION)
-    ) {
-      return next();
-    }
+    if (!getSourceContext(RULE, ruleId) || isLocked(ruleId)) return next();
     const methodPath = split(name, '.');
     const method = methodPath[methodPath.length - 1];
@@ -189,13 +191,13 @@ module.exports = function (core) {
       reportSafePositive({
         name,
-        ruleId: UNSAFE_CODE_EXECUTION,
+        ruleId,
         safeTags: Array.from(foundSafeTags),
         strInfo,
       });
       return name === 'vm.runInNewContext'
-        ? runInActiveSink(UNSAFE_CODE_EXECUTION, () => next())
+        ? runInActiveSink(ruleId, () => next())
         : next();
     }
@@ -233,14 +235,14 @@ module.exports = function (core) {
       if (event) {
         reportFindings({
-          ruleId: UNSAFE_CODE_EXECUTION,
+          ruleId,
           sinkEvent: event,
         });
       }
     }
     return name === 'vm.runInNewContext'
-      ? runInActiveSink(UNSAFE_CODE_EXECUTION, () => next())
+      ? runInActiveSink(ruleId, () => next())
       : next();
   }

package/lib/dataflow/sources/common.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/handler.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -22,7 +22,7 @@ const {
   join,
 } = require('@contrast/common');
-module.exports = function(core) {
+module.exports = function (core) {
   const {
     assess: {
       eventFactory,
@@ -33,9 +33,10 @@ module.exports = function(core) {
     },
     config,
     createSnapshot,
-    logger,
   } = core;
+  const logger = core.logger.child({ name: 'contrast:sources' });
   const emptyStack = Object.freeze([]);
   sources.createTags = function createTags({ inputType, fieldName = '', value }) {
@@ -55,13 +56,13 @@ module.exports = function(core) {
     return tags;
   };
-  sources.createStacktrace = function(stacktraceOpts) {
+  sources.createStacktrace = function (stacktraceOpts) {
     return config.assess.stacktraces === 'NONE'
       ? emptyStack
       : createSnapshot(stacktraceOpts)();
   };
-  sources.handle = function({
+  sources.handle = function ({
     context,
     keys,
     name,
@@ -73,7 +74,7 @@ module.exports = function(core) {
     if (!data) return;
     if (!sourceContext) {
-      core.logger.trace({ inputType, name }, 'skipping assess source handling - no request context');
+      logger.trace({ inputType, sourceName: name }, 'skipping assess source handling - no request context');
       return null;
     }
@@ -119,7 +120,7 @@ module.exports = function(core) {
       const pathName = join(path, '.');
       if (sourceContext.sourceEventsCount >= max) {
-        core.logger.trace({ inputType, name }, 'exiting assess source handling - %s max events exceeded', max);
+        logger.trace({ inputType, sourceName: name }, 'exiting assess source handling - %s max events exceeded', max);
         return true;
       }
@@ -136,13 +137,13 @@ module.exports = function(core) {
         const event = createEvent({ pathName, value, fieldName });
         if (!event) {
-          core.logger.warn({ inputType, name, pathName, value }, 'unable to create source event');
+          logger.warn({ inputType, sourceName: name, pathName, value }, 'unable to create source event');
           return;
         }
         const { extern } = tracker.track(value, event);
         if (extern) {
-          logger.trace({ extern, fieldName, name, inputType }, 'tracked');
+          logger.trace({ extern, fieldName, sourceName: name, inputType }, 'tracked');
           obj[fieldName] = extern;
           sourceContext.sourceEventsCount++;
@@ -152,7 +153,7 @@ module.exports = function(core) {
         if (event) {
           tracker.track(value, event);
         } else {
-          core.logger.warn({ inputType, name, pathName, value }, 'unable to create source event');
+          logger.warn({ inputType, sourceName: name, pathName, value }, 'unable to create source event');
         }
       }
     });

package/lib/dataflow/sources/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -26,7 +26,7 @@ module.exports = function (core) {
   require('./install/fastify')(core);
   require('./install/koa')(core);
   require('./install/body-parser1')(core);
-  require('./install/busboy1')(core);
+  require('./install/busboy')(core);
   require('./install/cookie-parser1')(core);
   require('./install/formidable1')(core);
   require('./install/http')(core);

package/lib/dataflow/sources/install/body-parser1.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -29,23 +29,23 @@ const INPUT_TYPES = {
 module.exports = function init(core) {
   const { assess, depHooks, logger, patcher, scopes } = core;
-  const createPreHook = (name) => (data) => {
+  const preHook = (data) => {
     const [req, , next] = data.args;
     data.args[2] = scopes.wrap(function contrastNext(...args) {
       const sourceContext = scopes.sources.getStore()?.assess;
       if (!sourceContext) {
-        logger.error({ name }, 'unable to handle source. Missing `sourceContext`');
+        logger.error({ funcKey: data.funcKey }, 'unable to handle source. Missing `sourceContext`');
         return next(...args);
       }
       if (sourceContext.parsedBody) {
-        logger.trace({ name }, 'values already tracked');
+        logger.trace({ funcKey: data.funcKey }, 'values already tracked');
         return next(...args);
       }
       // when using a specific parser, we know the input type.
-      let inputType = INPUT_TYPES[name];
+      let inputType = INPUT_TYPES[data.name];
       // when using `bodyParser()`, determine input type by content type.
       if (!inputType) {
         inputType = req.headers?.['content-type']?.includes('json')
@@ -71,7 +71,7 @@ module.exports = function init(core) {
         assess.dataflow.sources.handle({
           context,
           data: _data,
-          name,
+          name: data.name,
           keys,
           inputType,
           sourceContext,
@@ -82,7 +82,7 @@ module.exports = function init(core) {
         sourceContext.parsedBody = !!Object.keys(_data).length;
       } catch (err) {
-        logger.error({ name, err }, 'unable to handle source');
+        logger.error({ err, funcKey: data.funcKey }, 'unable to handle source');
       }
       return next(...args);
@@ -99,11 +99,10 @@ module.exports = function init(core) {
             name: 'body-parser',
             patchType,
             post(data) {
-              const name = 'body-parser.bodyParser';
               data.result = patcher.patch(data.result, {
-                name,
+                name: 'body-parser.bodyParser',
                 patchType,
-                pre: createPreHook(name),
+                pre: preHook,
               });
             },
           });
@@ -113,11 +112,10 @@ module.exports = function init(core) {
               name: `body-parser.${method}`,
               patchType,
               post(data) {
-                const name = `body-parser.${method}.${method}Parser`;
                 data.result = patcher.patch(data.result, {
-                  name,
+                  name: `body-parser.${method}.${method}Parser`,
                   patchType,
-                  pre: createPreHook(name)
+                  pre: preHook
                 });
               },
             });

package/lib/dataflow/sources/install/{busboy1.js → busboy.js} RENAMED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -18,6 +18,9 @@
 const { InputType } = require('@contrast/common');
 const { patchType } = require('../common');
+const inputType = InputType.MULTIPART_VALUE;
+const name = 'busboy';
 module.exports = (core) => {
   const {
     depHooks,
@@ -26,21 +29,18 @@ module.exports = (core) => {
     assess: { dataflow: { sources } },
   } = core;
-  const name = 'busboy';
   function createPreHook(finalEventName) {
-    return function(data) {
-      const { orig, hooked } = data;
+    return function (data) {
+      const { orig, hooked, funcKey } = data;
       const sourceContext = core.scopes.sources.getStore()?.assess;
-      const inputType = InputType.MULTIPART_VALUE;
       if (!sourceContext) {
-        logger.error({ inputType, name }, 'unable to handle source. Missing `sourceContext`');
+        logger.error({ inputType, funcKey }, 'unable to handle source. Missing `sourceContext`');
         return;
       }
       if (sourceContext.parsedBody) {
-        logger.trace({ inputType, name }, 'values already tracked');
+        logger.trace({ inputType, funcKey }, 'values already tracked');
         return;
       }
@@ -67,7 +67,7 @@ module.exports = (core) => {
           data.args[2] = obj[fieldName];
           sourceContext.busboyParsedBody = true;
         } catch (err) {
-          logger.error({ err, inputType, name }, 'unable to handle source');
+          logger.error({ err, inputType, funcKey }, 'unable to handle source');
         }
       }
@@ -88,8 +88,8 @@ module.exports = (core) => {
     });
-    depHooks.resolve({ name, version: '>=1.0.0' }, (busboy) => patcher.patch(
-      busboy, {
+    depHooks.resolve({ name, version: '>=1.0.0' }, (busboy) =>
+      patcher.patch(busboy, {
         name,
         patchType,
         post(data) {
@@ -99,14 +99,14 @@ module.exports = (core) => {
             pre: createPreHook('close')
           });
         }
-      }
-    ));
+      })
+    );
   }
-  const busboy1Instrumentation = sources.busboy1Instrumentation = {
+  const busboyInstrumentation = sources.busboyInstrumentation = {
     install
   };
-  return busboy1Instrumentation;
+  return busboyInstrumentation;
 };

package/lib/dataflow/sources/install/cookie-parser1.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -36,17 +36,18 @@ module.exports = function init(core) {
                 name,
                 patchType,
                 pre(data) {
+                  const { funcKey } = data;
                   const [req, , next] = data.args;
                   data.args[2] = function contrastNext(...args) {
                     const sourceContext = scopes.sources.getStore()?.assess;
                     if (!sourceContext) {
-                      logger.error({ name }, 'unable to handle source. Missing `sourceContext`');
+                      logger.error({ funcKey }, 'unable to handle source. Missing `sourceContext`');
                       return;
                     }
                     if (sourceContext.parsedCookies) {
-                      logger.trace({ name }, 'cookies already tracked');
+                      logger.trace({ funcKey }, 'cookies already tracked');
                     } else if (req.cookies) {
                       try {
                         assess.dataflow.sources.handle({
@@ -62,12 +63,12 @@ module.exports = function init(core) {
                         sourceContext.parsedCookies = !!Object.keys(req.cookies).length;
                       } catch (err) {
-                        logger.error({ name, err }, 'unable to handle source');
+                        logger.error({ err, funcKey }, 'unable to handle source');
                       }
                     }
                     if (sourceContext.parsedSignedCookies) {
-                      logger.trace({ name }, 'signedCookies already tracked');
+                      logger.trace({ funcKey }, 'signedCookies already tracked');
                     } else if (req.signedCookies) {
                       try {
                         assess.dataflow.sources.handle({
@@ -83,7 +84,7 @@ module.exports = function init(core) {
                         sourceContext.parsedSignedCookies = !!Object.keys(req.signedCookies).length;
                       } catch (err) {
-                        logger.error({ name, err }, 'unable to handle source');
+                        logger.error({ err, funcKey }, 'unable to handle source');
                       }
                     }

package/lib/dataflow/sources/install/express/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/install/express/params.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -16,7 +16,7 @@
 'use strict';
 const { InputType } = require('@contrast/common');
-const { patchType } = require('../../../propagation/common');
+const { patchType } = require('../../common');
 module.exports = function init(core) {
   const { depHooks, patcher, logger } = core;
@@ -30,25 +30,24 @@ module.exports = function init(core) {
           patcher.patch(Layer.prototype, 'match', {
             name,
             patchType,
-            post(data) {
-              const layer = data.obj;
+            post({ obj: layer, result, orig, hooked, funcKey }) {
               // we can exit early if
               //  the layer doesn't match the request or
               //  the layer doesn't recognize any parameters
-              if (!data.result || !layer.keys || layer.keys.length === 0) {
+              if (!result || !layer.keys || layer.keys.length === 0) {
                 return;
               }
               const sourceContext = core.scopes.sources.getStore()?.assess;
               if (!sourceContext) {
-                logger.error({ name }, 'unable to handle source. Missing `sourceContext`');
+                logger.error({ funcKey }, 'unable to handle source. Missing `sourceContext`');
                 return;
               }
               if (sourceContext.parsedParams) {
-                logger.trace({ name }, 'values already tracked');
+                logger.trace({ funcKey }, 'values already tracked');
                 return;
               }
@@ -58,15 +57,15 @@ module.exports = function init(core) {
                   name,
                   inputType: InputType.PARAMETER_VALUE,
                   stacktraceOpts: {
-                    constructorOpt: data.hooked,
-                    prependFrames: [data.orig]
+                    constructorOpt: hooked,
+                    prependFrames: [orig]
                   },
                   data: layer.params,
                   sourceContext
                 });
                 sourceContext.parsedParams = true;
               } catch (err) {
-                logger.error({ err, name }, 'unable to handle source');
+                logger.error({ err, funcKey }, 'unable to handle source');
               }
             }
           });

package/lib/dataflow/sources/install/express/parsedUrl.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/install/fastify/fastify.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -31,9 +31,8 @@ module.exports = function (core) {
       depHooks.resolve({ name: 'fastify', version: '>=3.0.0' }, (fastify) => patcher.patch(fastify, {
         name: 'fastify.constructor',
         patchType,
-        post({ result: server }) {
+        post({ result: server, funcKey }) {
           server.addHook('preValidation', function preValidationHandler(request, reply, done) {
-            const name = 'fastify.preValidation';
             const bodyType = request?.headers?.['content-type']?.includes('/json')
               ? InputType.JSON_VALUE
               : typeof request.body == 'object'
@@ -42,7 +41,7 @@ module.exports = function (core) {
             const sourceContext = core.scopes.sources.getStore()?.assess;
             if (!sourceContext) {
-              logger.error({ name }, 'unable to handle source. Missing `sourceContext`');
+              logger.error({ funcKey }, 'unable to handle source. Missing `sourceContext`');
               return;
             }
@@ -52,7 +51,7 @@ module.exports = function (core) {
               { key: 'body', inputType: bodyType, alreadyTrackedFlag: 'parsedBody' }
             ].forEach(({ key, inputType, alreadyTrackedFlag }) => {
               if (sourceContext[alreadyTrackedFlag]) {
-                logger.trace({ inputType, name }, 'values already tracked');
+                logger.trace({ inputType, funcKey }, 'values already tracked');
                 return;
               }
@@ -61,14 +60,14 @@ module.exports = function (core) {
                   context: `req.${key}`,
                   data: request[key],
                   inputType,
-                  name,
+                  name: 'fastify.preValidation',
                   stacktraceOpts: {
                     constructorOpt: preValidationHandler,
                   },
                   sourceContext
                 });
               } catch (err) {
-                logger.error({ err, inputType, name }, 'unable to handle Fastify source');
+                logger.error({ err, inputType, funcKey }, 'unable to handle Fastify source');
               }
             });

package/lib/dataflow/sources/install/fastify/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial