npm - @contrast/assess - Versions diffs - 1.18.0 → 1.20.0 - Mend

@contrast/assess 1.18.0 → 1.20.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (160) hide show

package/lib/dataflow/sources/install/formidable1.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -18,6 +18,8 @@
 const { InputType } = require('@contrast/common');
 const { patchType } = require('../common');
+const inputType = InputType.MULTIPART_VALUE;
 module.exports = (core) => {
   const {
     depHooks,
@@ -25,8 +27,8 @@ module.exports = (core) => {
     logger,
     assess: { dataflow: { sources } },
   } = core;
-  const name = 'Formidable.IncomingForm.prototype.parse';
+  const name = 'Formidable.IncomingForm.prototype.parse';
   // Patch `formidable`
   function install() {
@@ -35,16 +37,16 @@ module.exports = (core) => {
         name,
         patchType,
         pre(data) {
+          const { funcKey } = data;
           const sourceContext = core.scopes.sources.getStore()?.assess;
-          const inputType = InputType.MULTIPART_VALUE;
           if (!sourceContext) {
-            logger.error({ inputType, name }, 'unable to handle source. Missing `sourceContext`');
+            logger.error({ inputType, funcKey }, 'unable to handle source. Missing `sourceContext`');
             return;
           }
           if (sourceContext.parsedBody) {
-            logger.trace({ inputType, name }, 'values already tracked');
+            logger.trace({ inputType, funcKey }, 'values already tracked');
             return;
           }
@@ -68,7 +70,7 @@ module.exports = (core) => {
                 });
                 sourceContext.parsedBody = true;
               } catch (err) {
-                logger.error({ err, inputType, name }, 'unable to handle source');
+                logger.error({ err, inputType, funcKey }, 'unable to handle source');
               }
             }

package/lib/dataflow/sources/install/http.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -17,12 +17,17 @@
 const { patchType } = require('../common');
 const { toLowerCase, InputType } = require('@contrast/common');
-module.exports = function(core) {
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ * }} core
+ */
+module.exports = function (core) {
   const {
-    scopes,
+    assess: { dataflow, makeSourceContext },
     instrumentation: { instrument },
-    assess: { dataflow },
     patcher,
+    scopes,
   } = core;
   const logger = core.logger.child('contrast:assess');
@@ -34,19 +39,20 @@ module.exports = function(core) {
   function around(next, data) {
     const [type] = data.args;
-    if (type !== 'request') {
-      return next();
-    }
+    if (type !== 'request') return next();
     try {
       const [, req, res] = data.args;
       const store = scopes.sources.getStore();
       if (!store) {
-        logger.debug('cannot acquire store for assess request handling');
-        return next();
+        // this would indicate that sources did not install correctly
+        throw new Error('async request store not found');
       }
+      store.assess = makeSourceContext(req, res);
+      if (!store.assess) return;
       patcher.patch(res, 'writeHead', {
         name: 'write-head',
         patchType,
@@ -86,27 +92,7 @@ module.exports = function(core) {
         });
       }
-      let uriPath, queries;
-      const ix = req.url.indexOf('?');
-      if (ix >= 0) {
-        uriPath = req.url.slice(0, ix);
-        queries = req.url.slice(ix + 1);
-      } else {
-        uriPath = req.url;
-        queries = '';
-      }
-      const headers = {};
       const sourceName = 'ClientRequest';
-      store.assess = {
-        responseData: {},
-        sourceEventsCount: 0,
-        propagationEventsCount: 0,
-        findings: {},
-      };
       const sourceInfo = {
         name: sourceName,
         stacktraceOpts: {
@@ -135,30 +121,16 @@ module.exports = function(core) {
         try {
           dataflow.sources.handle(sourceData);
         } catch (err) {
-          logger.error({ err, inputType, name: sourceName }, 'unable to handle http source');
+          logger.error({ err, inputType, sourceName }, 'unable to handle http source');
         }
       });
       for (let i = 0; i < req.rawHeaders.length; i += 2) {
         const header = toLowerCase(req.rawHeaders[i]);
-        headers[header] = req.rawHeaders[i + 1];
         req.rawHeaders[i + 1] = req.headers[header];
       }
-      const contentType = headers['content-type'] && toLowerCase(headers['content-type']);
-      store.assess.reqData = {
-        ip: req.socket.remoteAddress,
-        httpVersion: req.httpVersion,
-        method: req.method,
-        headers,
-        uriPath,
-        queries,
-        contentType,
-      };
     } catch (err) {
-      logger.error({ err }, 'Error during assess request handling');
+      logger.error({ err, funcKey: data.funcKey }, 'Error during Assess request handling');
     }
     setImmediate(() => {

package/lib/dataflow/sources/install/koa/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -22,6 +22,7 @@ module.exports = function(core) {
   require('./koa2')(core);
   require('./koa-bodyparsers')(core);
+  require('./koa-multer')(core);
   require('./koa-routers')(core);
   koaSources.install = function install() {

package/lib/dataflow/sources/install/koa/koa-bodyparsers.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -28,25 +28,26 @@ module.exports = (core) => {
   // Patch `koa-body` v4.x.x and `koa-bodyparser` v5.x.x packages
   function install() {
-    ['koa-body', 'koa-bodyparser'].forEach(function (packageName) {
-      depHooks.resolve({ name: packageName }, (koaBody) => patcher.patch(koaBody, {
-        name: packageName,
+    ['koa-body', 'koa-bodyparser'].forEach((name) => {
+      depHooks.resolve({ name }, (koaBody) => patcher.patch(koaBody, {
+        name,
         patchType,
         post(data) {
           data.result = patcher.patch(data.result, {
-            name: packageName,
+            name,
             patchType,
             pre(data) {
+              const { funcKey } = data;
               const sourceContext = core.scopes.sources.getStore()?.assess;
               const [ctx, origNext] = data.args;
               if (!sourceContext) {
-                logger.error({ name: packageName }, 'unable to handle source. Missing `sourceContext`');
+                logger.error({ funcKey }, 'unable to handle source. Missing `sourceContext`');
                 return;
               }
               if (sourceContext.parsedBody) {
-                logger.trace({ name: packageName }, 'values already tracked');
+                logger.trace({ funcKey }, 'values already tracked');
                 return;
               }
@@ -61,7 +62,7 @@ module.exports = (core) => {
                 try {
                   sources.handle({
                     context: 'ctx.request.body',
-                    name: packageName,
+                    name,
                     inputType,
                     stacktraceOpts: {
                       constructorOpt: contrastNext,
@@ -72,7 +73,7 @@ module.exports = (core) => {
                   sourceContext.parsedBody = !!Object.keys(ctx.request.body).length;
                 } catch (err) {
-                  logger.error({ err, inputType, name: packageName }, 'unable to handle Koa source');
+                  logger.error({ err, inputType, funcKey }, 'unable to handle Koa source');
                 }
                 await origNext(origErr);

package/lib/dataflow/sources/install/koa/koa-multer.js ADDED Viewed

@@ -0,0 +1,102 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { patchType } = require('../../common');
+const { InputType } = require('@contrast/common');
+module.exports = (core) => {
+  const {
+    depHooks,
+    logger,
+    patcher,
+    scopes,
+    assess: { dataflow: { sources } },
+  } = core;
+  function handler(req, constructorOpt) {
+    const sourceContext = scopes.sources.getStore()?.assess;
+    if (!sourceContext) return;
+    function handle(context, data, key) {
+      try {
+        sources.handle({
+          context,
+          data,
+          keys: [key],
+          name: 'multer',
+          inputType: InputType.BODY,
+          sourceContext,
+          stacktraceOpts: {
+            constructorOpt,
+          },
+        });
+      } catch (err) {
+        logger.error({ err }, 'error handling Koa multer Assess dataflow %s.%s source', context, key);
+      }
+    }
+    if (req.file) {
+      handle('req', req, 'file');
+    }
+    if (Array.isArray(req.files)) {
+      for (let i = 0; i < req.files.length; i++) {
+        handle('req.files', req.files[i], i);
+      }
+    }
+    if (req.body && Object.keys(req.body).length) {
+      handle('req', req, 'body');
+    }
+  }
+  function install() {
+    ['koa-multer', '@koa/multer'].forEach((name) => {
+      depHooks.resolve(
+        { name }, (_export) => {
+          const origMulter = _export;
+          return patcher.patch(_export, {
+            name,
+            patchType,
+            post(data) {
+              const { args, hooked } = data;
+              const instance = origMulter.apply(this, args);
+              const origMake = instance._makeMiddleware;
+              instance._makeMiddleware = function _makeMiddleware(...args) {
+                const origMulterMiddleware = origMake.apply(this, args);
+                return function multerMiddleware(req, res, origNext) {
+                  const next = function(...args) {
+                    handler(req, hooked);
+                    return origNext.apply(this, args);
+                  };
+                  return origMulterMiddleware.apply(this, [req, res, next]);
+                };
+              };
+              data.result = instance;
+            }
+          });
+        }
+      );
+    });
+  }
+  const koaMulterInstrumentation = sources.koaInstrumentation.koaMulter = {
+    install
+  };
+  return koaMulterInstrumentation;
+};

package/lib/dataflow/sources/install/koa/koa-routers.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -32,22 +32,20 @@ module.exports = (core) => {
       depHooks.resolve(
         { name: router, file: 'lib/layer.js' },
         (layer) => {
-          const name = `[${router}].layer.prototype`;
           layer.prototype = patcher.patch(layer.prototype, 'params', {
-            name,
+            name: `[${router}].layer.prototype`,
             patchType,
-            post({ orig, hooked, result }) {
+            post({ orig, hooked, result, name, funcKey }) {
               const sourceContext = core.scopes.sources.getStore()?.assess;
               const inputType = InputType.URL_PARAMETER;
               if (!sourceContext) {
-                logger.error({ name, inputType }, 'unable to handle source. Missing `sourceContext`');
+                logger.error({ inputType, funcKey }, 'unable to handle source. Missing `sourceContext`');
                 return;
               }
               if (sourceContext.parsedParams) {
-                logger.trace({ name, inputType }, 'values already tracked');
+                logger.trace({ inputType, funcKey }, 'values already tracked');
                 return;
               }
@@ -66,7 +64,7 @@ module.exports = (core) => {
                 sourceContext.parsedParams = Boolean(Object.keys(result).length);
               } catch (err) {
-                logger.error({ err, inputType, name }, 'unable to handle Koa source');
+                logger.error({ err, inputType, funcKey }, 'unable to handle Koa source');
               }
             }
           });

package/lib/dataflow/sources/install/koa/koa2.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -18,6 +18,8 @@
 const { InputType } = require('@contrast/common');
 const { patchType } = require('../../common');
+const inputType = InputType.QUERYSTRING;
 /**
  * Function that exports an install method to patch Koa framework with our instrumentation
  * @param {Object} core - the core Contrast object in v5
@@ -36,58 +38,60 @@ module.exports = (core) => {
    */
   function install() {
     depHooks.resolve({ name: 'koa', version: '>=2.3.0' }, (Koa) => {
-      function contrastStartMiddleware(ctx, next) {
-        const name = 'Koa.Application';
-        const sourceContext = core.scopes.sources.getStore()?.assess;
-        const inputType = InputType.QUERYSTRING;
+      const createMiddleware = ({ name, funcKey }) => {
+        const contrastStartMiddleware = function contrastStartMiddleware(ctx, next) {
+          const sourceContext = core.scopes.sources.getStore()?.assess;
-        if (!sourceContext) {
-          logger.error({ name, inputType }, 'unable to handle Koa source. Missing `sourceContext`');
-          return next();
-        }
-        // We check the contents mainly to trigger the getter for `ctx.query`
-        // that is eventually set up by `koa-qs`
-        if (ctx.query) {
-          if (sourceContext.parsedQuery) {
-            logger.trace({ name, inputType }, 'values already tracked');
+          if (!sourceContext) {
+            logger.error({ inputType, funcKey }, 'unable to handle Koa source. Missing `sourceContext`');
             return next();
           }
-          try {
-            sources.handle({
-              context: 'ctx.query',
-              data: ctx.query,
-              inputType,
-              name,
-              stacktraceOpts: {
-                constructorOpt: contrastStartMiddleware,
-              },
-              sourceContext
-            });
-            sourceContext.parsedQuery = true;
-          } catch (err) {
-            logger.error({ err, inputType, name }, 'unable to handle Koa source');
+          // We check the contents mainly to trigger the getter for `ctx.query`
+          // that is eventually set up by `koa-qs`
+          if (ctx.query) {
+            if (sourceContext.parsedQuery) {
+              logger.trace({ inputType, funcKey }, 'values already tracked');
+              return next();
+            }
+            try {
+              sources.handle({
+                context: 'ctx.query',
+                data: ctx.query,
+                inputType,
+                name,
+                stacktraceOpts: {
+                  constructorOpt: contrastStartMiddleware,
+                },
+                sourceContext
+              });
+              sourceContext.parsedQuery = true;
+            } catch (err) {
+              logger.error({ err, inputType, funcKey }, 'unable to handle Koa source');
+            }
           }
-        }
-        return next();
-      }
+          return next();
+        };
+        // mark these middleware as ours
+        contrastStartMiddleware._isContrastStartMiddleware = true;
-      // mark these middleware as ours
-      contrastStartMiddleware._isContrastStartMiddleware = true;
+        return contrastStartMiddleware;
+      };
       patcher.patch(Koa.prototype, 'use', {
         name: 'Koa.Application',
         patchType,
-        pre({ obj: app }) {
+        pre({ obj: app, name, funcKey }) {
           // if not already inserted, insert the initial middleware.
           if (
             app.middleware &&
-              (!app.middleware[0] || !app.middleware[0]._isContrastStartMiddleware)
+            (!app.middleware[0] || !app.middleware[0]._isContrastStartMiddleware)
           ) {
-            app.middleware.splice(0, 0, contrastStartMiddleware);
+            app.middleware.unshift(createMiddleware({ name, funcKey }));
           }
         }
       });

package/lib/dataflow/sources/install/multer1.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -23,36 +23,20 @@ module.exports = (core) => {
     depHooks,
     patcher,
     logger,
-    assess,
-    scopes: { wrap },
+    assess: { dataflow: { sources } },
+    scopes,
   } = core;
-  function handleFile(sourceContext, constructorOpt, req) {
-    try {
-      assess.dataflow.sources.handle({
-        context: 'req',
-        data: req,
-        keys: ['file'],
-        name: 'multer',
-        inputType: InputType.BODY,
-        sourceContext,
-        stacktraceOpts: {
-          constructorOpt,
-        },
-      });
-    } catch (err) {
-      logger.error({ err }, 'error handling multer Assess dataflow req.file source');
-    }
-  }
+  function handler(req, constructorOpt) {
+    const sourceContext = scopes.sources.getStore()?.assess;
+    if (!sourceContext) return;
-  function handleFiles(sourceContext, constructorOpt, req) {
-    let i;
-    for (i = 0; i < req.files.length; i++) {
+    function handle(context, data, key) {
       try {
-        assess.dataflow.sources.handle({
-          context: 'req.files',
-          data: req.files[i],
-          keys: [i],
+        sources.handle({
+          context,
+          data,
+          keys: [key],
           name: 'multer',
           inputType: InputType.BODY,
           sourceContext,
@@ -61,26 +45,22 @@ module.exports = (core) => {
           },
         });
       } catch (err) {
-        logger.error({ err }, 'error handling multer Assess dataflow req.files[%s] source', i);
+        logger.error({ err }, 'error handling multer Assess dataflow %s.%s source', context, key);
       }
     }
-  }
-  function handleBody(sourceContext, constructorOpt, req) {
-    try {
-      assess.dataflow.sources.handle({
-        context: 'req',
-        data: req,
-        keys: ['body'],
-        name: 'multer',
-        inputType: InputType.BODY,
-        sourceContext,
-        stacktraceOpts: {
-          constructorOpt,
-        },
-      });
-    } catch (err) {
-      logger.error({ err }, 'error handling multer Assess dataflow req.body source');
+    if (req.file) {
+      handle('req', req, 'file');
+    }
+    if (Array.isArray(req.files)) {
+      for (let i = 0; i < req.files.length; i++) {
+        handle('req.files', req.files[i], i);
+      }
+    }
+    if (req.body && Object.keys(req.body).length) {
+      handle('req', req, 'body');
     }
   }
@@ -97,14 +77,8 @@ module.exports = (core) => {
               patchType,
               pre(data) {
                 const [req, , next, hooked] = data.args;
-                const sourceContext = core.scopes.sources.getStore()?.assess;
-                if (!sourceContext) return;
-                data.args[2] = wrap(function (...args) {
-                  if (req.file) handleFile(sourceContext, hooked, req);
-                  if (Array.isArray(req.files)) handleFiles(sourceContext, hooked, req);
-                  if (req.body && Object.keys(req.body).length) handleBody(sourceContext, hooked, req.body);
+                data.args[2] = scopes.wrap(function (...args) {
+                  handler(req, hooked);
                   next(...args);
                 });
               },

package/lib/dataflow/sources/install/qs6.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -18,6 +18,8 @@
 const { InputType } = require('@contrast/common');
 const { patchType } = require('../common');
+const inputType = InputType.QUERYSTRING;
 module.exports = (core) => {
   const {
     depHooks,
@@ -33,17 +35,16 @@ module.exports = (core) => {
       (qs) => patcher.patch(qs, 'parse', {
         name,
         patchType,
-        post({ args, hooked, orig, result }) {
+        post({ args, hooked, orig, result, funcKey }) {
           const sourceContext = core.scopes.sources.getStore()?.assess;
-          const inputType = InputType.QUERYSTRING;
           if (!sourceContext) {
-            logger.error({ inputType, name }, 'unable to handle source. Missing `sourceContext`');
+            logger.error({ inputType, funcKey }, 'unable to handle source. Missing `sourceContext`');
             return;
           }
           if (sourceContext.parsedQuery) {
-            logger.trace({ inputType, name }, 'values already tracked');
+            logger.trace({ inputType, funcKey }, 'values already tracked');
             return;
           }
@@ -67,7 +68,7 @@ module.exports = (core) => {
               sourceContext.parsedQuery = true;
             } catch (err) {
-              logger.error({ err, inputType, name }, 'unable to handle source');
+              logger.error({ err, inputType, funcKey }, 'unable to handle source');
             }
           }
         }