npm - @contrast/assess - Versions diffs - 1.24.1 → 1.25.0 - Mend

@contrast/assess 1.24.1 → 1.25.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/lib/dataflow/propagation/install/JSON/parse-fn.js +36 -13
package/lib/dataflow/propagation/install/JSON/parse.js +21 -51
package/lib/dataflow/sinks/index.js +1 -0
package/lib/dataflow/sinks/install/hapi/index.js +30 -0
package/lib/dataflow/sinks/install/hapi/unvalidated-redirect.js +139 -0
package/lib/session-configuration/install/hapi.js +1 -1
package/package.json +2 -2

package/lib/dataflow/propagation/install/JSON/parse-fn.js CHANGED Viewed

@@ -13,6 +13,7 @@
  * way not consistent with the End User License Agreement.
  */
 'use strict';
 const { trim } = require('@contrast/common');
 function isNumber(value) {
@@ -200,25 +201,48 @@ function getValueIndexes(value, index, accumulator) {
   }
 }
+/**
+ * JSON strings can have leading and trailing whitespace characters. This will return
+ * the start and end indices of the input's characters that represent actual JSON data.
+ * Examples:
+ * `"hi"` => [0, 3]
+ * ` "hi"\n` => [1, 4]
+ * @param {string} input raw JSON value being parsed
+ * @returns {number[]}
+ */
+function getStartEndIndices(input) {
+  let startCharIdx = 0;
+  let endCharIdx = input.length - 1;
+  while (!trim(input[startCharIdx])) {
+    startCharIdx++;
+  }
+  while (!trim(input[endCharIdx])) {
+    endCharIdx--;
+  }
+  return [startCharIdx, endCharIdx];
+}
 function processInput(input) {
-  const firstElement = input[0];
-  const lastElement = input[input.length - 1];
+  const [startIdx, endIdx] = getStartEndIndices(input);
+  const firstChar = input[startIdx];
+  const lastChar = input[endIdx];
   const accumulator = [];
-  if (firstElement === '{' && lastElement === '}') {
-    return object(input, 1, accumulator);
+  if (firstChar === '{' && lastChar === '}') {
+    return object(input, startIdx + 1, accumulator);
   }
-  if (firstElement === '[' && lastElement === ']') {
-    return array(input, 1, accumulator);
+  if (firstChar === '[' && lastChar === ']') {
+    return array(input, startIdx + 1, accumulator);
   }
   if (isNumber(input)) {
-    return number(input, 0);
+    return number(input, startIdx);
   }
-  if (firstElement === '"' && lastElement === '"') {
-    return string(input, 1);
+  if (firstChar === '"' && lastChar === '"') {
+    return string(input, startIdx + 1);
   }
   switch (input) {
@@ -228,21 +252,20 @@ function processInput(input) {
     case 'null':
       return nully();
     default:
-      return string(input, 0);
+      return string(input, startIdx);
   }
 }
 function wrapEndResult({ accumulator, startIndex, endIndex }) {
   accumulator = accumulator || [];
   accumulator.push({ key: '', value: [startIndex, endIndex] });
   return accumulator;
 }
-function getKeyValueIndexes(input) {
+function getKeyValueIndices(input) {
   return wrapEndResult(processInput(input));
 }
 module.exports = {
-  getKeyValueIndexes,
+  getKeyValueIndices,
 };

package/lib/dataflow/propagation/install/JSON/parse.js CHANGED Viewed

@@ -16,11 +16,9 @@
 'use strict';
 const { isString, inspect } = require('@contrast/common');
+const { createSubsetTags } = require('../../../tag-utils');
 const { patchType } = require('../../common');
-const { getKeyValueIndexes } = require('./parse-fn');
-const {
-  createOverlappingTags
-} = require('../../../tag-utils');
+const { getKeyValueIndices } = require('./parse-fn');
 /*
   When we return a string as a result of a reviver call
@@ -69,6 +67,7 @@ module.exports = function (core) {
         tracked: false,
       }
     ].filter(Boolean);
     return createPropagationEvent({
       context: `${method}(${eventArgs.map((arg) => `'${arg.value}'`)})`,
       name: method,
@@ -95,37 +94,7 @@ module.exports = function (core) {
     });
   }
-  function getNewTags(strInfo, startIndex, endIndex) {
-    const overlappingRanges = createOverlappingTags(
-      strInfo.tags,
-      startIndex,
-      endIndex
-    );
-    const tags = {};
-    const startingOffset = startIndex;
-    const normalizedEndIndex = endIndex - startingOffset;
-    Object.entries(overlappingRanges).forEach(([tag, ranges]) => {
-      tags[tag] = [];
-      ranges.forEach(([start, end]) => {
-        const transferredStartIndex = start - startingOffset;
-        const transferredEndIndex = end - startingOffset;
-        tags[tag].push(transferredStartIndex < 0 ? 0 : transferredStartIndex);
-        tags[tag].push(
-          transferredEndIndex > normalizedEndIndex
-            ? normalizedEndIndex
-            : transferredEndIndex
-        );
-      });
-    });
-    return tags;
-  }
-  return (core.assess.dataflow.propagation.jsonInstrumentation.parse = {
+  return core.assess.dataflow.propagation.jsonInstrumentation.parse = {
     install() {
       patcher.patch(JSON, 'parse', {
         name: 'JSON.prototype.parse',
@@ -138,36 +107,37 @@ module.exports = function (core) {
           if (!strInfo) return;
           const stack = [];
-          let keyValueIndexes = [];
+          let keyValueIndices = [];
           try {
-            keyValueIndexes = getKeyValueIndexes(input);
+            keyValueIndices = getKeyValueIndices(input);
           } catch (err) {
             logger.warn({ err, funcKey: data.funcKey, string: input }, 'JSON.parse() propagation failed');
           }
-          if (keyValueIndexes.length === 0) return;
+          if (keyValueIndices.length === 0) return;
           let i = 0;
-          function contrastParseReviver(key, value) {
-            const { value: [startIndex, endIndex] } = keyValueIndexes[i];
-            if (!value || !isString(value)) {
+          function contrastParseReviver(key, value) {
+            // if keyValueIndices[i] doesn't exist then getKeyValueIndexes() returned incorrect data
+            if (!value || !isString(value) || !keyValueIndices[i]) {
               return reviver ? reviver(key, value) : value;
             }
-            const newTags = getNewTags(strInfo, startIndex, endIndex);
+            const { value: [startIdx, endIdx] } = keyValueIndices[i];
+            const newTags = createSubsetTags(strInfo.tags, startIdx, endIdx - startIdx + 1);
+            if (newTags) {
+              const event = createEvent(data, value, newTags, reviver, strInfo);
+              if (!event || Object.keys(newTags).length === 0) {
+                return reviver ? reviver(key, value) : value;
+              }
-            const event = createEvent(data, value, newTags, reviver, strInfo);
-            if (!event || Object.keys(newTags).length === 0) {
-              return reviver ? reviver(key, value) : value;
+              const { extern } = tracker.track(value, event);
+              if (extern) return reviver ? reviver(key, extern) : extern;
             }
-            const { extern } = tracker.track(value, event);
-            if (reviver) return reviver(key, extern);
-            return extern;
+            return reviver ? reviver(key, value) : value;
           }
           data.args[1] = function (key, value) {
@@ -188,5 +158,5 @@ module.exports = function (core) {
     uninstall() {
       JSON.parse = patcher.unwrap(JSON.parse);
     },
-  });
+  };
 };

package/lib/dataflow/sinks/index.js CHANGED Viewed

@@ -68,6 +68,7 @@ module.exports = function (core) {
   require('./install/express')(core);
   require('./install/fastify')(core);
+  require('./install/hapi')(core);
   require('./install/koa')(core);
   require('./install/child-process')(core);
   require('./install/eval')(core);

package/lib/dataflow/sinks/install/hapi/index.js ADDED Viewed

@@ -0,0 +1,30 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { callChildComponentMethodsSync } = require('@contrast/common');
+module.exports = function(core) {
+  const hapi = core.assess.dataflow.sinks.hapi = {};
+  require('./unvalidated-redirect')(core);
+  hapi.install = function() {
+    callChildComponentMethodsSync(hapi, 'install');
+  };
+  return hapi;
+};

package/lib/dataflow/sinks/install/hapi/unvalidated-redirect.js ADDED Viewed

@@ -0,0 +1,139 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const util = require('util');
+const {
+  Rule: { UNVALIDATED_REDIRECT: ruleId },
+  DataflowTag: {
+    UNTRUSTED,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED,
+    HTML_ENCODED,
+    LIMITED_CHARS,
+    URL_ENCODED,
+  },
+  isString
+} = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../../constants');
+const { patchType, filterSafeTags } = require('../../common');
+const { createSubsetTags } = require('../../../tag-utils');
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ *  logger: import('@contrast/logger').Logger,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+*/
+module.exports = function(core) {
+  const {
+    depHooks,
+    patcher,
+    config,
+    assess: {
+      getSourceContext,
+      eventFactory: { createSinkEvent },
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, reportFindings, reportSafePositive }
+      },
+    },
+  } = core;
+  const unvalidatedRedirect = core.assess.dataflow.sinks.hapi.unvalidatedRedirect = {};
+  const inspect = patcher.unwrap(util.inspect);
+  const safeTags = [
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED,
+    HTML_ENCODED,
+    LIMITED_CHARS,
+    URL_ENCODED,
+  ];
+  unvalidatedRedirect.install = function() {
+    depHooks.resolve({ name: '@hapi/hapi', file: 'lib/response' }, (Response) => {
+      const name = 'hapi.Response.prototype.redirect';
+      patcher.patch(Response.prototype, 'redirect', {
+        name,
+        patchType,
+        pre: (data) => {
+          if (!getSourceContext(RULE, ruleId)) return;
+          const [url] = data.args;
+          if (!url || !isString(url)) return;
+          const strInfo = tracker.getData(url);
+          if (!strInfo) return;
+          let urlPathTags = strInfo.tags;
+          if (url.indexOf('?') > -1) {
+            urlPathTags = createSubsetTags(strInfo.tags, 0, url.indexOf('?') + 1);
+          }
+          if (urlPathTags && isVulnerable(UNTRUSTED, safeTags, urlPathTags)) {
+            const event = createSinkEvent({
+              args: [{
+                tracked: true,
+                value: strInfo.value,
+              }],
+              context: `response.redirect(${inspect(strInfo.value)})`,
+              history: [strInfo],
+              name,
+              moduleName: 'hapi',
+              methodName: 'Response.prototype.redirect',
+              object: {
+                tracked: false,
+                value: 'hapi.Response',
+              },
+              result: {
+                tracked: false,
+                value: undefined,
+              },
+              tags: urlPathTags,
+              source: 'P0',
+              stacktraceOpts: {
+                constructorOpt: data.hooked,
+                prependFrames: [data.orig]
+              },
+            });
+            if (event) {
+              reportFindings({
+                ruleId,
+                sinkEvent: event,
+              });
+            }
+          } else if (config.assess.safe_positives.enable) {
+            reportSafePositive({
+              name,
+              ruleId,
+              safeTags: filterSafeTags(safeTags, strInfo),
+              strInfo: {
+                tags: strInfo.tags,
+                value: strInfo.value,
+              }
+            });
+          }
+        },
+      });
+    });
+  };
+  return unvalidatedRedirect;
+};

package/lib/session-configuration/install/hapi.js CHANGED Viewed

@@ -36,7 +36,7 @@ module.exports = function (core) {
   const inspect = patcher.unwrap(util.inspect);
   hapiSession.install = function () {
-    return depHooks.resolve({ name: '@hapi/hapi', version: '>=18 <21' }, (hapi) => {
+    return depHooks.resolve({ name: '@hapi/hapi', version: '>=18 <22' }, (hapi) => {
       ['server', 'Server'].forEach((server) => {
         patcher.patch(hapi, server, {
           name: `hapi.${server}`,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.24.1",
+  "version": "1.25.0",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -17,7 +17,7 @@
     "test": "../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.18.0",
+    "@contrast/common": "1.19.0",
     "@contrast/distringuish": "^4.4.0",
     "@contrast/scopes": "1.4.0"
   }