@contrast/assess 1.2.0 → 1.4.0

package/lib/dataflow/propagation/index.js

@@ -36,6 +36,7 @@ module.exports = function(core) {
   require('./install/pug-runtime-escape')(core);
   require('./install/sql-template-strings')(core);
   require('./install/unescape')(core);
+  require('./install/querystring')(core);
 
   propagation.install = function() {
     callChildComponentMethodsSync(propagation, 'install');

package/lib/dataflow/propagation/install/querystring/index.js

@@ -0,0 +1,30 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { callChildComponentMethodsSync } = require('@contrast/common');
+
+module.exports = function(core) {
+  const querystringInstrumentation = core.assess.dataflow.propagation.querystringInstrumentation = {
+    install() {
+      callChildComponentMethodsSync(querystringInstrumentation, 'install');
+    }
+  };
+
+  require('./parse')(core);
+
+  return querystringInstrumentation;
+};

package/lib/dataflow/propagation/install/querystring/parse.js

@@ -0,0 +1,124 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+const util = require('util');
+const querystring = require('querystring');
+const { patchType } = require('../../common');
+const { createSubsetTags, createAppendTags } = require('../../../tag-utils');
+
+module.exports = function(core) {
+  const {
+    scopes: { sources, instrumentation },
+    patcher,
+    depHooks,
+    assess: {
+      dataflow: { tracker, eventFactory: { createPropagationEvent } }
+    }
+  } = core;
+
+  function getUnescapeWrapper(data, unescape) {
+    const input = data.args[0];
+    const { trackingData } = data;
+
+    function unescapeWrapper(part) {
+      let result = unescape(part);
+      const start = input.indexOf(part, data.idx);
+      const tagRanges = createSubsetTags(trackingData.tags, start, result.length - 1);
+
+      if (!tagRanges) return result;
+
+      const resultInfo = tracker.getData(result);
+      const event = createPropagationEvent({
+        name: data.name,
+        history: [trackingData],
+        object: {
+          value: part,
+          isTracked: true,
+        },
+        args: data.origArgs.map((arg) => {
+          const argInfo = tracker.getData(arg);
+          return {
+            value: argInfo ? argInfo.value : util.inspect(arg),
+            isTracked: !!argInfo
+          };
+        }),
+        result: {
+          value: result,
+          isTracked: !!resultInfo
+        },
+        tags: tagRanges,
+        stacktraceOpts: {
+          constructorOpt: data.hooked,
+          prependFrames: [data.orig]
+        },
+        source: 'P',
+        target: 'R'
+      });
+
+      if (event) {
+        if (resultInfo) {
+          event.tags = createAppendTags(event.tags, resultInfo.tags, 0);
+          Object.assign(resultInfo, event);
+        }
+        if (event.tags['url-encoded']) {
+          delete event.tags['url-encoded'];
+          event.removedTags = ['url-encoded'];
+        }
+        const { extern } = resultInfo || tracker.track(result, event);
+        if (extern) {
+          result = extern;
+        }
+
+      }
+      data.idx = start + part.length;
+      return result;
+    }
+    return unescapeWrapper;
+  }
+
+  return core.assess.dataflow.propagation.querystringInstrumentation.parse = {
+    install() {
+      depHooks.resolve({ name: 'querystring' }, (module) => {
+        ['parse', 'decode'].forEach((method) => {
+          patcher.patch(module, method, {
+            name: `querystring.${method}`,
+            patchType,
+            pre(data) {
+              if (!sources.getStore()?.assess || instrumentation.isLocked()) return;
+              const input = data.args[0];
+              if (!input) {
+                return;
+              }
+              const trackingData = tracker.getData(input);
+              if (!trackingData) {
+                return;
+              }
+
+              data.idx = 0;
+              data.origArgs = data.args;
+              data.trackingData = trackingData;
+
+              data.args[3] = {
+                ...data.args[3],
+                decodeURIComponent: getUnescapeWrapper(data, data.args?.[3]?.decodeURIComponent || querystring.unescape)
+              };
+            }
+          });
+        });
+      });
+    }
+  };
+};

package/lib/dataflow/propagation/install/string/index.js

@@ -28,12 +28,13 @@ module.exports = function(core) {
   };
 
   require('./concat')(core);
+  require('./format-methods')(core);
+  require('./html-methods')(core);
+  require('./match')(core);
   require('./replace')(core);
+  require('./split')(core);
   require('./substring')(core);
   require('./trim')(core);
-  require('./html-methods')(core);
-  require('./format-methods')(core);
-  require('./split')(core);
 
   return stringInstrumentation;
 };

package/lib/dataflow/propagation/install/string/match.js

@@ -0,0 +1,122 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+const { join } = require('@contrast/common');
+const { patchType } = require('../../common');
+const { createSubsetTags } = require('../../../tag-utils');
+
+module.exports = function(core) {
+  const {
+    scopes: { sources, instrumentation },
+    patcher,
+    assess: {
+      dataflow: { tracker, eventFactory: { createPropagationEvent } }
+    }
+  } = core;
+
+  function getPropagationEvent(data, res, objInfo, start) {
+    const { name, args, result, hooked, orig } = data;
+    const tags = createSubsetTags(objInfo.tags, start, res.length - 1);
+    if (!tags) return;
+
+    return createPropagationEvent({
+      name,
+      history: [objInfo],
+      object: {
+        value: objInfo.value,
+        isTracked: true,
+      },
+      args: args.map((arg) => {
+        const argInfo = tracker.getData(arg);
+        return {
+          value: argInfo ? argInfo.value : arg.toString(),
+          isTracked: !!argInfo
+        };
+      }),
+      tags,
+      result: {
+        value: join(result),
+        isTracked: false
+      },
+      stacktraceOpts: {
+        constructorOpt: hooked,
+        prependFrames: [orig]
+      },
+      source: 'O',
+      target: 'R'
+    });
+  }
+
+  return core.assess.dataflow.propagation.stringInstrumentation.match = {
+    install() {
+      const name = 'String.prototype.match';
+
+      patcher.patch(String.prototype, 'match', {
+        name,
+        patchType,
+        post(data) {
+          const { args, obj, result } = data;
+          if (
+            !obj ||
+            !result ||
+            args.length === 0 ||
+            result.length === 0 ||
+            !sources.getStore() ||
+            typeof obj !== 'string' ||
+            instrumentation.isLocked() ||
+            (args.length === 1 && args[0] == null)
+          ) return;
+
+          const objInfo = tracker.getData(obj);
+          if (!objInfo) return;
+
+          let idx = 0;
+          const hasCaptureGroups = 'groups' in result;
+          for (let i = 0; i < result.length; i++) {
+            const res = result[i];
+            if (!res) continue;
+            const start = obj.indexOf(res, idx);
+            idx += hasCaptureGroups ? 0 : res.length;
+            const event = getPropagationEvent(data, res, objInfo, start);
+            if (event) {
+              const { extern } = tracker.track(res, event);
+              if (extern) {
+                data.result[i] = extern;
+              }
+            }
+          }
+          if (hasCaptureGroups && result.groups) {
+            Object.keys(result.groups).forEach((key) => {
+              const res = result.groups[key];
+              if (!res) return;
+              const start = obj.indexOf(res);
+              const event = getPropagationEvent(data, res, objInfo, start);
+              if (event) {
+                const { extern } = tracker.track(res, event);
+                if (extern) {
+                  data.result.groups[key] = extern;
+                }
+              }
+            });
+          }
+        },
+      });
+    },
+    uninstall() {
+      String.prototype.match = patcher.unwrap(String.prototype.match);
+    },
+  };
+};

package/lib/dataflow/propagation/install/string/split.js

@@ -106,3 +106,4 @@ module.exports = function(core) {
     },
   };
 };
+

package/lib/dataflow/{signatures.js → signatures/index.js}

@@ -17,6 +17,7 @@
 
 module.exports = function(core) {
   const signaturesMap = core.assess.dataflow.signatures = new Map([
+    ...require('./mssql.js'),
     [
       'Url.prototype.parse',
       {
@@ -932,6 +933,16 @@ module.exports = function(core) {
         target: 'R'
       }
     ],
+    [
+      'String.prototype.match',
+      {
+        moduleName: 'String',
+        methodName: 'prototype.match',
+        isModule: false,
+        source: 'O',
+        target: 'R'
+      }
+    ],
     [
       'sqlite3.Database.prototype.all',
       {
@@ -986,33 +997,6 @@ module.exports = function(core) {
         isModule: true
       }
     ],
-    [
-      'mssql/lib/base/prepared-statement.prototype.prepare',
-      {
-        moduleName: 'mssql',
-        version: '>=6.4.0',
-        methodName: 'PreparedStatement.prototype.prepare',
-        isModule: true
-      }
-    ],
-    [
-      'mssql/lib/base/request.prototype.batch',
-      {
-        moduleName: 'mssql',
-        version: '>=6.4.0',
-        methodName: 'Request.prototype.batch',
-        isModule: true
-      }
-    ],
-    [
-      'mssql/lib/base/request.prototype.query',
-      {
-        moduleName: 'mssql',
-        version: '>=6.4.0',
-        methodName: 'Request.prototype.query',
-        isModule: true
-      }
-    ],
     [
       'path.format',
       {

package/lib/dataflow/signatures/mssql.js

@@ -0,0 +1,49 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+module.exports = [
+  [
+    'mssql/lib/base/prepared-statement.prototype.prepare',
+    {
+      moduleName: 'mssql',
+      version: '>=6.4.0',
+      filename: 'lib/base/prepared-statement.js',
+      methodName: 'PreparedStatement.prototype.prepare',
+      isModule: true,
+    },
+  ],
+  [
+    'mssql/lib/base/request.prototype.batch',
+    {
+      moduleName: 'mssql',
+      version: '>=6.4.0',
+      filename: 'lib/base/request.js',
+      methodName: 'Request.prototype.batch',
+      isModule: true,
+    },
+  ],
+  [
+    'mssql/lib/base/request.prototype.query',
+    {
+      moduleName: 'mssql',
+      version: '>=6.4.0',
+      filename: 'lib/base/request.js',
+      methodName: 'Request.prototype.query',
+      isModule: true,
+    },
+  ],
+];

package/lib/dataflow/sinks/index.js

@@ -32,9 +32,10 @@ module.exports = function (core) {
     },
   };
 
+  require('./install/fastify')(core);
   require('./install/http')(core);
+  require('./install/mssql')(core);
   require('./install/postgres')(core);
-  require('./install/fastify')(core);
 
   sinks.install = function() {
     callChildComponentMethodsSync(core.assess.dataflow.sinks, 'install');

package/lib/dataflow/sinks/install/fastify/unvalidated-redirect.js

@@ -70,7 +70,10 @@ module.exports = function (core) {
         if (isVulnerable(requiredTag, safeTags, strInfo.tags)) {
           const event = createSinkEvent({
             name: 'fastify.reply.redirect',
-            object: `[${createModuleLabel('fastify', version)}].Reply`,
+            object: {
+              value: `[${createModuleLabel('fastify', version)}].Reply`,
+              isTracked: false,
+            },
             history: [strInfo],
             args: [{
               value: strInfo.value,
@@ -88,7 +91,7 @@ module.exports = function (core) {
           });
 
           reportFindings({
-            ruleId: 'unvalidated-redirect',
+            ruleId: 'unvalidated-redirect', // add Rule.UNVALIDATED_REDIRECT
             metadata: event,
           });
         }

package/lib/dataflow/sinks/install/mssql.js

@@ -0,0 +1,123 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { Rule, isString } = require('@contrast/common');
+const { createModuleLabel } = require('../../propagation/common');
+const { patchType } = require('../common');
+
+const SAFE_TAGS = [
+  'sql-encoded',
+  'limited-chars',
+  'custom-validated',
+  'custom-encoded',
+];
+
+module.exports = function (core) {
+  const {
+    depHooks,
+    patcher,
+    scopes: { sources },
+    assess: {
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, reportFindings },
+        eventFactory: { createSinkEvent },
+      },
+    },
+  } = core;
+
+  const pre = (name, obj, version) => (data) => {
+    const store = sources.getStore()?.assess;
+    if (!store || !data.args[0] || !isString(data.args[0])) return;
+
+    const strInfo = tracker.getData(data.args[0]);
+    if (!strInfo || !isVulnerable('untrusted', SAFE_TAGS, strInfo.tags)) {
+      return;
+    }
+
+    const event = createSinkEvent({
+      name,
+      history: [strInfo],
+      object: {
+        value: `[${createModuleLabel('mssql', version)}].${obj}`,
+        isTracked: false,
+      },
+      args: [
+        {
+          value: strInfo.value,
+          isTracked: true,
+        },
+      ],
+      tags: strInfo.tags,
+      source: 'P0',
+      stacktraceOpts: {
+        contructorOpt: data.hooked,
+      },
+    });
+
+    reportFindings({
+      ruleId: Rule.SQL_INJECTION,
+      metadata: event,
+    });
+  };
+
+  core.assess.dataflow.sinks.mssql = {
+    install() {
+      depHooks.resolve(
+        { name: 'mssql', file: 'lib/base/prepared-statement.js' },
+        (PreparedStatement, version) => {
+          patcher.patch(PreparedStatement.prototype, 'prepare', {
+            name: 'PreparedStatement.prototype.prepare',
+            patchType,
+            pre: pre(
+              'mssql/lib/base/prepared-statement.prototype.prepare',
+              'PreparedStatement',
+              version,
+            ),
+          });
+        },
+      );
+
+      depHooks.resolve(
+        { name: 'mssql', file: 'lib/base/request.js' },
+        (Request, version) => {
+          patcher.patch(Request.prototype, 'batch', {
+            name: 'Request.prototype.batch',
+            patchType,
+            pre: pre(
+              'mssql/lib/base/request.prototype.batch',
+              'Request',
+              version,
+            ),
+          });
+
+          patcher.patch(Request.prototype, 'query', {
+            name: 'Request.prototype.query',
+            patchType,
+            pre: pre(
+              'mssql/lib/base/request.prototype.query',
+              'Request',
+              version,
+            ),
+          });
+        },
+      );
+    },
+  };
+
+  return core.assess.dataflow.sinks.mssql;
+};

package/lib/dataflow/sinks/install/{postgres/index.js → postgres.js}

@@ -15,9 +15,9 @@
 
 'use strict';
 
-const { isString } = require('@contrast/common');
-const { patchType } = require('../../common');
-const util = require('util');
+const { Rule, isString } = require('@contrast/common');
+const { createModuleLabel } = require('../../propagation/common');
+const { patchType } = require('../common');
 
 module.exports = function (core) {
   const {
@@ -43,7 +43,7 @@ module.exports = function (core) {
   ];
   const requiredTag = 'untrusted';
 
-  const preHook = (methodSignature) => (data) => {
+  const preHook = (methodSignature, version, mod, obj) => (data) => {
     const assessStore = sources.getStore()?.assess;
     if (!assessStore) return;
 
@@ -57,16 +57,16 @@ module.exports = function (core) {
       const event = createSinkEvent({
         name: methodSignature,
         history: [strInfo],
+        object: {
+          value: `[${createModuleLabel(mod, version)}].${obj}`,
+          isTracked: false,
+        },
         args: [
           {
-            value: util.inspect(data.args[0]),
+            value: strInfo.value,
             isTracked: true,
           },
         ],
-        result: {
-          value: data.result,
-          isTracked: false,
-        },
         tags: strInfo.tags,
         source: 'P0',
         stacktraceOpts: {
@@ -75,7 +75,7 @@ module.exports = function (core) {
       });
 
       reportFindings({
-        ruleId: 'sql-injection',
+        ruleId: Rule.SQL_INJECTION,
         metadata: event,
       });
     }
@@ -83,43 +83,50 @@ module.exports = function (core) {
 
   postgres.install = function () {
     const pgClientQueryPatchName = 'pg.Client.prototype.query';
-    depHooks.resolve({ name: 'pg', file: 'lib/client.js' }, client => {
-      patcher.patch(client.prototype, 'query', {
-        name: pgClientQueryPatchName,
-        patchType,
-        pre: preHook('pg/lib/client.prototype.query'),
-      });
-    });
+    depHooks.resolve(
+      { name: 'pg', file: 'lib/client.js' },
+      (client, version) => {
+        patcher.patch(client.prototype, 'query', {
+          name: pgClientQueryPatchName,
+          patchType,
+          pre: preHook('pg/lib/client.prototype.query', version, 'pg', 'Client'),
+        });
+      },
+    );
 
     const pgNativeClientQueryPatchName = 'pg.native.Client.prototype.query';
-    depHooks.resolve({ name: 'pg', file: 'lib/native/client.js' }, (client) => {
-      patcher.patch(client.prototype, 'query', {
-        name: pgNativeClientQueryPatchName,
-        patchType,
-        pre: preHook('pg/lib/native/client.prototype.query'),
-      });
-    });
+    depHooks.resolve(
+      { name: 'pg', file: 'lib/native/client.js' },
+      (client, version) => {
+        patcher.patch(client.prototype, 'query', {
+          name: pgNativeClientQueryPatchName,
+          patchType,
+          pre: preHook('pg/lib/native/client.prototype.query', version, 'pg', 'native.Client'),
+        });
+      },
+    );
 
     const pgClientPatchName = `${patchType}:${pgClientQueryPatchName}.query`;
     const pgNativeClientPatchName = `${patchType}:${pgNativeClientQueryPatchName}.query`;
-    depHooks.resolve({ name: 'pg-pool' }, (pool) => {
+    depHooks.resolve({ name: 'pg-pool' }, (pool, version) => {
       const name = 'pg-pool.Pool.prototype.query';
       patcher.patch(pool.prototype, 'query', {
         name,
         patchType,
         pre: (data) => {
           const funcKeys = patcher.hooks.get(
-            data.obj.Client?.prototype?.query
+            data.obj.Client?.prototype?.query,
           )?.funcKeys;
 
           if (
             funcKeys &&
-            (funcKeys.has(pgClientPatchName) || funcKeys.has(pgNativeClientPatchName))
+            (funcKeys.has(pgClientPatchName) ||
+              funcKeys.has(pgNativeClientPatchName))
           ) {
             return;
           }
 
-          preHook(name)(data);
+          preHook(name, version, 'pg-pool', 'Pool')(data);
         },
       });
     });

package/lib/dataflow/sources/install/http.js

@@ -132,43 +132,15 @@ module.exports = function(core) {
   }
 
   function install() {
-    [{
-      moduleName: 'http'
-    },
-    {
-      moduleName: 'https'
-    },
-    {
-      moduleName: 'spdy'
-    },
-    {
-      moduleName: 'http2',
-      patchObjectsProps: [
-        {
-          methods: ['createServer', 'createSecureServer'],
-          patchType,
-          patchObjects: [
-            {
-              name: 'Server.prototype',
-              methods: ['emit'],
-              patchType,
-              around
-            }
-          ]
-        }
-      ]
-    }].forEach(({ moduleName, patchObjectsProps }) => {
-      const patchObjects = patchObjectsProps || [
-        {
+    ['http', 'https', 'spdy', 'http2'].forEach((moduleName) => {
+      instrument({
+        moduleName,
+        patchObjects: [{
           name: 'Server.prototype',
           methods: ['emit'],
           patchType,
           around
-        }
-      ];
-      instrument({
-        moduleName,
-        patchObjects
+        }]
       });
     });
   }

package/lib/dataflow/tracker.js

@@ -16,6 +16,7 @@
 'use strict';
 
 const distringuish = require('@contrast/distringuish');
+const { isString } = require('@contrast/common');
 
 module.exports = function tracker(core) {
   const {
@@ -66,11 +67,35 @@ module.exports = function tracker(core) {
         return { extern: null };
       }
 
-      const extern = distringuish.externalize(value);
-      /* c8 ignore next 5 */
-      if (!extern) {
+      let extern = distringuish.externalize(value);
+
+      if (extern == 2) {
+        // Try work-around for some wrong/unknown encoding
+        extern = distringuish.externalize(Buffer.from(value).toString());
+      }
+
+      if (!extern || !isString(extern)) {
+        let errMsg;
+        switch (extern) {
+          case 1:
+            errMsg = 'zero-length string was passed';
+            break;
+          case 2:
+            errMsg = 'non-two-byte encoded string was passed';
+            break;
+          case 3:
+            errMsg = 'distringuish was unable to convert a MaybeLocal to Local';
+            break;
+          case 4:
+            errMsg = 'distinguish\'s isExternal call returned false';
+            break;
+          default:
+            errMsg = 'unknown error while trying to externalize the string was encountered';
+            break;
+        }
+
         const err = new Error();
-        logger.error({ err, value }, 'tracker.track was unable to externalize');
+        logger.error({ err, value }, `tracker.track was unable to externalize because ${errMsg}`);
         return { extern: null };
       }
 

package/lib/response-scanning/install/http.js

@@ -60,6 +60,27 @@ module.exports = function(core) {
 
   const patchType = 'response-scanning';
 
+  function writeHookChecks(sourceContext, evaluationContext) {
+    // Check only the rules concerning the response body
+    handleAutoCompleteMissing(sourceContext, evaluationContext);
+    handleCacheControlsMissing(sourceContext, evaluationContext);
+    handleParameterPollution(sourceContext, evaluationContext);
+    handleXxsProtectionHeaderDisabled(sourceContext, evaluationContext);
+  }
+
+  function endHookChecks(sourceContext, evaluationContext) {
+    // Check all the response scanning rules
+    handleAutoCompleteMissing(sourceContext, evaluationContext);
+    handleCacheControlsMissing(sourceContext, evaluationContext);
+    handleClickJackingControlsMissing(sourceContext, evaluationContext);
+    handleParameterPollution(sourceContext, evaluationContext);
+    handleCspHeader(sourceContext, evaluationContext);
+    handleHstsHeaderMissing(sourceContext, evaluationContext);
+    handlePoweredByHeader(sourceContext, evaluationContext);
+    handleXContentTypeHeaderMissing(sourceContext, evaluationContext);
+    handleXxsProtectionHeaderDisabled(sourceContext, evaluationContext);
+  }
+
   http.install = function() {
     depHooks.resolve({ name: 'http' }, (http) => {
       {
@@ -76,11 +97,7 @@ module.exports = function(core) {
               responseHeaders: parseHeaders(data.result._header),
             };
 
-            // Check only the rules concerning the response body
-            handleAutoCompleteMissing(sourceContext, evaluationContext);
-            handleCacheControlsMissing(sourceContext, evaluationContext);
-            handleParameterPollution(sourceContext, evaluationContext);
-            handleXxsProtectionHeaderDisabled(sourceContext, evaluationContext);
+            writeHookChecks(sourceContext, evaluationContext);
           }
         });
       }
@@ -98,19 +115,104 @@ module.exports = function(core) {
               responseHeaders: parseHeaders(data.result._header),
             };
 
-            // Check all the response scanning rules
-            handleAutoCompleteMissing(sourceContext, evaluationContext);
-            handleCacheControlsMissing(sourceContext, evaluationContext);
-            handleClickJackingControlsMissing(sourceContext, evaluationContext);
-            handleParameterPollution(sourceContext, evaluationContext);
-            handleCspHeader(sourceContext, evaluationContext);
-            handleHstsHeaderMissing(sourceContext, evaluationContext);
-            handlePoweredByHeader(sourceContext, evaluationContext);
-            handleXContentTypeHeaderMissing(sourceContext, evaluationContext);
-            handleXxsProtectionHeaderDisabled(sourceContext, evaluationContext);
+            endHookChecks(sourceContext, evaluationContext);
+          }
+        });
+      }
+    });
+
+    depHooks.resolve({ name: 'http2' }, (http2) => {
+      // Patching the response object
+      {
+        const name = 'http2.Http2ServerResponse.prototype.write';
+        patcher.patch(http2.Http2ServerResponse.prototype, 'write', {
+          name,
+          patchType,
+          post(data) {
+            const sourceContext = sources.getStore()?.assess;
+            if (!sourceContext) return;
+
+            const headersSymbol = Object.getOwnPropertySymbols(data.obj).find(symbol => symbol.toString().includes('headers'));
+            const evaluationContext = {
+              responseBody: toLowerCase(data.args[0] || ''),
+              responseHeaders: data.obj[headersSymbol],
+            };
+
+            writeHookChecks(sourceContext, evaluationContext);
+          }
+        });
+      }
+      {
+        const name = 'http2.Http2ServerResponse.prototype.end';
+        patcher.patch(http2.Http2ServerResponse.prototype, 'end', {
+          name,
+          patchType,
+          post(data) {
+            const sourceContext = sources.getStore()?.assess;
+            if (!sourceContext) return;
+
+            const headersSymbol = Object.getOwnPropertySymbols(data.result).find(symbol => symbol.toString().includes('headers'));
+            const evaluationContext = {
+              responseBody: toLowerCase(data.args[0] || ''),
+              responseHeaders: data.result[headersSymbol],
+            };
+
+            endHookChecks(sourceContext, evaluationContext);
           }
         });
       }
+
+      // patching the stream object
+      ['createServer', 'createSecureServer'].forEach((server) => {
+        patcher.patch(http2, server, {
+          name: `http2.${server}`,
+          patchType,
+          post(data) {
+            // The other option is once again to patch the `emit` method of the server
+            // similar to how we patch it for creating sources, but take action only on
+            // `stream` events. I chose the currentt approach because the hook will only
+            // run on a `stream` event instead of checking and returning on each `request`
+            // connect.
+            data.result._events = patcher.patch(data.result._events, 'stream', {
+              name: 'stream',
+              patchType: 'stream-patch',
+              pre(data) {
+                patcher.patch(data.args[0], 'write', {
+                  name: 'Http2Stream.write',
+                  patchType,
+                  post(data) {
+                    const sourceContext = sources.getStore()?.assess;
+                    if (!sourceContext) return;
+
+                    const evaluationContext = {
+                      responseBody: toLowerCase(data.args[0] || ''),
+                      responseHeaders: data.obj.sentHeaders,
+                    };
+
+                    writeHookChecks(sourceContext, evaluationContext);
+                  }
+                });
+
+                patcher.patch(data.args[0], 'end', {
+                  name: 'Http2Stream.end',
+                  patchType,
+                  post(data) {
+                    const sourceContext = sources.getStore()?.assess;
+                    if (!sourceContext) return;
+
+                    const evaluationContext = {
+                      responseBody: toLowerCase(data.args[0] || ''),
+                      responseHeaders: data.obj.sentHeaders,
+                    };
+
+                    endHookChecks(sourceContext, evaluationContext);
+                  }
+                });
+              }
+            });
+          }
+        });
+      });
     });
   };
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.2.0",
+  "version": "1.4.0",
   "description": "",
   "main": "lib/index.js",
   "scripts": {
@@ -15,7 +15,7 @@
   "dependencies": {
     "@contrast/distringuish": "^4.1.0",
     "@contrast/scopes": "1.3.0",
-    "@contrast/common": "1.5.0",
+    "@contrast/common": "1.7.0",
     "parseurl": "^1.3.3"
   }
 }