npm - @contrast/assess - Versions diffs - 1.18.0 → 1.20.0 - Mend

@contrast/assess 1.18.0 → 1.20.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (160) hide show

package/lib/response-scanning/handlers/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -33,6 +33,19 @@ const {
   checkCspSources
 } = require('./utils');
+const {
+  AUTOCOMPLETE_MISSING,
+  CACHE_CONTROLS_MISSING,
+  CLICKJACKING_CONTROL_MISSING,
+  CSP_HEADER_MISSING,
+  CSP_HEADER_INSECURE,
+  HSTS_HEADER_MISSING,
+  PARAMETER_POLLUTION,
+  XCONTENTTYPE_HEADER_MISSING,
+  X_POWERED_BY_HEADER,
+  XXSPROTECTION_HEADER_DISABLED,
+} = ResponseScanningRule;
 module.exports = function(core) {
   const {
     assess: {
@@ -44,7 +57,10 @@ module.exports = function(core) {
   } = core;
   responseScanning.handleAutoCompleteMissing = function(sourceContext, { responseHeaders, responseBody }) {
-    if (!isHtmlContent(responseHeaders)) {
+    if (
+      !isEnabled(AUTOCOMPLETE_MISSING, sourceContext) ||
+      !isHtmlContent(responseHeaders)
+    ) {
       return;
     }
@@ -72,7 +88,10 @@ module.exports = function(core) {
     const instructions = [];
     // de-dupe; this will be re-emitted for parseableBody handlers anyway
-    if (isParseableResponse(responseHeaders) && !responseBody) {
+    if (
+      !isEnabled(CACHE_CONTROLS_MISSING, sourceContext) ||
+      (isParseableResponse(responseHeaders) && !responseBody)
+    ) {
       return;
     }
     const cacheControlHeader = responseHeaders['cache-control'];
@@ -118,6 +137,8 @@ module.exports = function(core) {
   };
   responseScanning.handleClickJackingControlsMissing = function(sourceContext, { responseHeaders }) {
+    if (!isEnabled(CLICKJACKING_CONTROL_MISSING, sourceContext)) return;
     // look for x-frame-options headers with deny or sameorigin
     const xFrameHeaders = responseHeaders['x-frame-options'];
     let hasFrameBusting = false;
@@ -135,6 +156,8 @@ module.exports = function(core) {
   };
   responseScanning.handleParameterPollution = function(sourceContext, { responseBody }) {
+    if (!isEnabled(PARAMETER_POLLUTION, sourceContext)) return;
     // look for form tag with missing action attribute.
     // ex: <form method="post">..
     const elements = getElements('form', responseBody);
@@ -154,21 +177,23 @@ module.exports = function(core) {
   };
   /**
- * Checks the response headers for the CSP. If found, and insecure, will return
- * the evidence for reporting.
- *
- * @param   {Object}        responseHeaders - HTTP headers object.
- * @returns {Object}                        - Evidence for insecure CSP header.
- */
+   * Checks the response headers for the CSP. If found, and insecure, will return
+   * the evidence for reporting.
+   *
+   * @param   {Object}        responseHeaders - HTTP headers object.
+   * @returns {Object}                        - Evidence for insecure CSP header.
+   */
   responseScanning.handleCspHeader = function(sourceContext, { responseHeaders }) {
     const cspHeaders = getCspHeaders(responseHeaders);
     // Don't report if not set; this report belongs to 'csp-header-missing'
-    if (!cspHeaders) {
+    if (!cspHeaders && isEnabled(CSP_HEADER_MISSING, sourceContext)) {
       reportFindings(sourceContext, { ruleId: ResponseScanningRule.CSP_HEADER_MISSING });
       return;
     }
+    if (!isEnabled(CSP_HEADER_INSECURE, sourceContext)) return;
     const vulnerabilityMetadata = checkCspSources(cspHeaders);
     if (vulnerabilityMetadata.insecure) {
@@ -189,6 +214,8 @@ module.exports = function(core) {
   };
   responseScanning.handleHstsHeaderMissing = function(sourceContext, { responseHeaders }) {
+    if (!isEnabled(HSTS_HEADER_MISSING, sourceContext)) return;
     let header = responseHeaders['strict-transport-security'];
     let maxAge;
@@ -219,6 +246,8 @@ module.exports = function(core) {
   };
   responseScanning.handleXContentTypeHeaderMissing = function(sourceContext, { responseHeaders }) {
+    if (!isEnabled(XCONTENTTYPE_HEADER_MISSING, sourceContext)) return;
     const headerName = 'x-content-type-options';
     let header = responseHeaders[headerName];
@@ -237,44 +266,42 @@ module.exports = function(core) {
     });
   };
-  // NODE-3135
   responseScanning.handleXPoweredByHeader = function(sourceContext, { responseHeaders }) {
+    if (!isEnabled(X_POWERED_BY_HEADER, sourceContext)) return;
     const headerName = 'x-powered-by';
     let header = responseHeaders[headerName];
     if (header) {
       header = toLowerCase(header);
-      const instructions = [
-        {
-          type: 'Header',
-          name: headerName,
-          value: header
-        }
-      ];
       reportFindings(sourceContext, {
         ruleId: ResponseScanningRule.X_POWERED_BY_HEADER,
         vulnerabilityMetadata: {
-          data: JSON.stringify(instructions)
+          platform: header,
         }
       });
     }
   };
   responseScanning.handleXxsProtectionHeaderDisabled = function(sourceContext, { responseHeaders }) {
-    const header = responseHeaders['x-xss-protection'];
+    if (!isEnabled(XXSPROTECTION_HEADER_DISABLED, sourceContext)) return;
-    if (header?.startsWith?.('1')) return;
+    const header = responseHeaders['x-xss-protection'];
-    reportFindings(sourceContext, {
-      ruleId: ResponseScanningRule.XXSPROTECTION_HEADER_DISABLED,
-      vulnerabilityMetadata: {
-        data: header,
-      }
-    });
+    if (header && !header.startsWith('1')) {
+      reportFindings(sourceContext, {
+        ruleId: ResponseScanningRule.XXSPROTECTION_HEADER_DISABLED,
+        vulnerabilityMetadata: {
+          data: header,
+        }
+      });
+    }
   };
+  function isEnabled(ruleId, sourceContext) {
+    return !!sourceContext?.policy?.enabledRules?.has?.(ruleId);
+  }
   return responseScanning;
 };

package/lib/response-scanning/handlers/utils.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/response-scanning/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/response-scanning/install/http.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -17,12 +17,17 @@
 const { split, substring, toLowerCase, trim } = require('@contrast/common');
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ * }} core
+ */
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    scopes: { sources },
     assess: {
+      getSourceContext,
       responseScanning: {
         handleAutoCompleteMissing,
         handleCacheControlsMissing,
@@ -36,6 +41,7 @@ module.exports = function(core) {
       }
     }
   } = core;
   const http = core.assess.responseScanning.httpInstrumentation = {};
   function parseHeaders(rawHeaders) {
@@ -90,7 +96,7 @@ module.exports = function(core) {
           name,
           patchType,
           post(data) {
-            const sourceContext = sources.getStore()?.assess;
+            const sourceContext = getSourceContext();
             if (!sourceContext) return;
             const evaluationContext = {
@@ -108,7 +114,7 @@ module.exports = function(core) {
           name,
           patchType,
           post(data) {
-            const sourceContext = sources.getStore()?.assess;
+            const sourceContext = getSourceContext();
             if (!sourceContext) return;
             const evaluationContext = {
@@ -130,7 +136,7 @@ module.exports = function(core) {
           name,
           patchType,
           post(data) {
-            const sourceContext = sources.getStore()?.assess;
+            const sourceContext = getSourceContext();
             if (!sourceContext) return;
             const headersSymbol = Object.getOwnPropertySymbols(data.obj).find(symbol => symbol.toString().includes('headers'));
@@ -149,7 +155,7 @@ module.exports = function(core) {
           name,
           patchType,
           post(data) {
-            const sourceContext = sources.getStore()?.assess;
+            const sourceContext = getSourceContext();
             if (!sourceContext) return;
             const headersSymbol = Object.getOwnPropertySymbols(data.result).find(symbol => symbol.toString().includes('headers'));
@@ -182,7 +188,7 @@ module.exports = function(core) {
                   name: 'Http2Stream.write',
                   patchType,
                   post(data) {
-                    const sourceContext = sources.getStore()?.assess;
+                    const sourceContext = getSourceContext();
                     if (!sourceContext) return;
                     const evaluationContext = {
@@ -198,7 +204,7 @@ module.exports = function(core) {
                   name: 'Http2Stream.end',
                   patchType,
                   post(data) {
-                    const sourceContext = sources.getStore()?.assess;
+                    const sourceContext = getSourceContext();
                     if (!sourceContext) return;
                     const evaluationContext = {

package/lib/rule-scopes.js ADDED Viewed

@@ -0,0 +1,48 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { AsyncLocalStorage } = require('async_hooks');
+/**
+ * @param {Object} core
+ * @param {import('@contrast/assess').Assess} core.assess
+ */
+module.exports = function (core) {
+  /** @type {Map<Rule,AsyncLocalStorage>} */
+  const scopes = new Map();
+  /** @type {{locked:boolean}}*/
+  const store = Object.freeze({ locked: true });
+  return core.assess.ruleScopes = {
+    /**
+     * @param {import('@contrast/common').Rule} ruleId
+     * @param {functionn} cb
+     */
+    run(ruleId, cb) {
+      if (!scopes.has(ruleId)) scopes.set(ruleId, new AsyncLocalStorage());
+      return scopes.get(ruleId).run(store, cb);
+    },
+    /**
+     * @param {Rule} ruleId
+     */
+    isLocked(ruleId) {
+      return !!scopes.get(ruleId)?.getStore?.()?.locked;
+    }
+  };
+};

package/lib/session-configuration/common.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/session-configuration/handlers.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -17,69 +17,88 @@
 const {
   Event,
-  SessionConfigurationRule: { HTTPONLY, SECURE_FLAG_MISSING },
+  SessionConfigurationRule,
+  isString,
 } = require('@contrast/common');
+const { HTTPONLY, SECURE_FLAG_MISSING } = SessionConfigurationRule;
 module.exports = function (core) {
   const {
     assess: { sessionConfiguration },
     messages,
   } = core;
-  const checkCookieValue = (ruleId, sinkEvent, cookieValue, sourceContext) => {
-    if (cookieValue.includes(ruleId === HTTPONLY ? 'httponly' : 'secure')) {
-      return;
+  function* ensureIterable(value) {
+    if (Array.isArray(value)) {
+      for (let i = 0; i < value.length; i++) {
+        yield value[i];
+      }
+    } else {
+      yield value;
     }
+  }
-    sessionConfiguration.reportFindings(sourceContext, {
-      ruleId,
-      sinkEvent,
-      properties: {
-        evidence: cookieValue,
-      },
-    });
-  };
-  const handleCookie = (
-    sourceContext,
-    cookieValue,
-    ruleId,
-    sessionEvent
-  ) => {
-    if (Array.isArray(cookieValue)) {
-      return cookieValue.forEach((value) =>
-        checkCookieValue(ruleId, sessionEvent, value, sourceContext)
-      );
+  /**
+   * @param {SessionConfigurationRule} ruleId
+   * @param {import('@contrast/assess').SourceContext} sourceContext
+   * @returns {import('@contrast/assess').SessionRuleState}
+   */
+  function ensureState(ruleId, sourceContext) {
+    if (!sourceContext.ruleState[ruleId]) {
+      sourceContext.ruleState[ruleId] = {
+        reported: false,
+        valuesAnalyzed: new Set(),
+      };
     }
+    return sourceContext.ruleState[ruleId];
+  }
-    checkCookieValue(ruleId, sessionEvent, cookieValue, sourceContext);
-  };
+  function isVulnerable(ruleId, value) {
+    if (!isString(value)) return false;
+    const search = ruleId === HTTPONLY ? 'HttpOnly;'
+      : ruleId === SECURE_FLAG_MISSING ? 'Secure;'
+        : undefined;
+    return search && value.indexOf(search) === -1;
+  }
+  function handle(ruleId, sourceContext, cookie, sessionEvent) {
+    const state = ensureState(ruleId, sourceContext);
+    if (!sourceContext?.policy?.enabledRules?.has?.(ruleId) || state.reported) return;
+    for (const value of ensureIterable(cookie)) {
+      if (state.valuesAnalyzed.has(value)) continue;
+      state.valuesAnalyzed.add(value);
+      if (!isVulnerable(ruleId, value)) continue;
+      else {
+        sessionConfiguration.reportFindings({
+          ruleId,
+          sinkEvent: sessionEvent,
+          properties: {
+            evidence: value,
+          },
+        });
+        state.reported = true;
+        break;
+      }
+    }
+  }
-  sessionConfiguration.handleHttpOnly = function (
-    sourceContext,
-    cookieValue,
-    sessionEvent
-  ) {
-    handleCookie(sourceContext, cookieValue, HTTPONLY, sessionEvent);
+  sessionConfiguration.handleHttpOnly = function(sourceContext, cookie, sessionEvent) {
+    handle(HTTPONLY, sourceContext, cookie, sessionEvent);
   };
-  sessionConfiguration.handleSecure = function (
-    sourceContext,
-    cookieValue,
-    sessionEvent
-  ) {
-    handleCookie(sourceContext, cookieValue, SECURE_FLAG_MISSING, sessionEvent);
+  sessionConfiguration.handleSecure = function (sourceContext, cookie, sessionEvent) {
+    handle(SECURE_FLAG_MISSING, sourceContext, cookie, sessionEvent);
   };
-  // _sourceContext is unused
-  sessionConfiguration.reportFindings = function (
-    _sourceContext,
-    vulnerabilityMetadata
-  ) {
-    messages.emit(
-      Event.ASSESS_SESSION_CONFIGURATION_FINDING,
-      vulnerabilityMetadata
-    );
+  sessionConfiguration.reportFindings = function (finding) {
+    messages.emit(Event.ASSESS_SESSION_CONFIGURATION_FINDING, finding);
   };
   return sessionConfiguration;

package/lib/session-configuration/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -22,7 +22,9 @@ module.exports = function(core) {
   require('./handlers')(core);
   require('./install/express-session')(core);
+  require('./install/fastify-cookie')(core);
   require('./install/hapi')(core);
+  require('./install/koa')(core);
   sessionConfiguration.install = function() {
     callChildComponentMethodsSync(sessionConfiguration, 'install');

package/lib/session-configuration/install/express-session.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -18,9 +18,16 @@ const util = require('util');
 const { toLowerCase } = require('@contrast/common');
 const { patchType } = require('../common');
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  scopes: import('@contrast/scopes').Scopes,
+ * }} core
+ */
 module.exports = function (core) {
   const {
     assess: {
+      getSourceContext,
       eventFactory: { createSessionEvent },
       sessionConfiguration: {
         handleHttpOnly,
@@ -29,7 +36,6 @@ module.exports = function (core) {
     },
     depHooks,
     patcher,
-    scopes: { sources },
   } = core;
   const expressSession = core.assess.sessionConfiguration.expressSession = {};
@@ -44,36 +50,27 @@ module.exports = function (core) {
         patchType,
         post(data) {
           const options = data.args[0];
-          // obfuscate the cookie secret
-          if (Array.isArray(data.args) && data.args[0] && data.args[0].secret) {
-            data.args[0].secret = '[HIDDEN]';
-          }
-          const { cookie } = options || {};
-          const hasOwnPropertyHttpOnly = cookie && Object.prototype.hasOwnProperty.call(
-            cookie,
-            'httpOnly'
-          );
+          const cookie = options?.cookie || {};
           // httpOnly is true by default if it's not provided
-          const checkForHTTPOnly =
-            cookie && hasOwnPropertyHttpOnly
-              ? !(cookie.httpOnly === true)
-              : false;
+          const checkForHTTPOnly = 'httpOnly' in cookie ? cookie.httpOnly !== true : false;
           // secure is false by default
-          const checkForSecure = cookie ? !(cookie.secure === true) : true;
+          if (!checkForHTTPOnly && cookie?.secure) return;
-          // skip instrumentation since the options are set correctly
-          if (!checkForHTTPOnly && !checkForSecure) return;
+          const displayOptions = {
+            cookie: {
+              httpOnly: cookie?.httpOnly,
+              secure: cookie?.secure
+            }
+          };
+          const optionsString = inspect(displayOptions);
           const sessionEvent = createSessionEvent({
             args: [{
               tracked: false,
-              value: inspect(options),
+              value: optionsString,
             }],
-            context: `expressSession(${inspect(data.args)})`,
+            context: `expressSession(${optionsString})`,
             history: [],
             name: 'express.hookedSessionConstructor',
             moduleName: 'express-session',
@@ -91,7 +88,7 @@ module.exports = function (core) {
               constructorOpt: data.hooked,
             },
             framework: 'express',
-            options,
+            options: displayOptions,
           });
           patcher.patch(data, 'result', {
@@ -100,7 +97,7 @@ module.exports = function (core) {
             pre(data) {
               const [, res] = data.args;
-              const sourceContext = sources.getStore()?.assess;
+              const sourceContext = getSourceContext();
               if (!sourceContext) return;
               patcher.patch(res, 'setHeader', {
@@ -113,7 +110,7 @@ module.exports = function (core) {
                     handleHttpOnly(sourceContext, value, sessionEvent);
                   }
-                  if (checkForSecure) {
+                  if (!cookie?.secure) {
                     handleSecure(sourceContext, value, sessionEvent);
                   }
                 }