@contrast/assess 1.24.2 → 1.26.0

package/lib/dataflow/propagation/install/ejs/template.js

@@ -37,7 +37,8 @@ module.exports = function (core) {
     rewriter,
   } = core;
 
-  const REWRITE_OPTS = { inject: false, wrap: false };
+  /** @type {import('@contrast/rewriter').RewriteOpts} */
+  const REWRITE_OPTS = { isModule: false, inject: false, wrap: false, trim: true };
   const WRAPPER_PREFIX = join([
     'function tempWrapper() {',
     'function __append(s) { if (s !== undefined && s !== null) __output += s }'
@@ -63,7 +64,7 @@ module.exports = function (core) {
             if (!getSourceContext(PROPAGATOR)) return;
 
             try {
-              const { code } = rewriter.rewrite(`${WRAPPER_PREFIX}${data.obj.source}${WRAPPER_SUFFIX}`, REWRITE_OPTS);
+              const { code } = rewriter.rewriteSync(`${WRAPPER_PREFIX}${data.obj.source}${WRAPPER_SUFFIX}`, REWRITE_OPTS);
               data.obj.source = code.substring(code.indexOf('{') + 1, code.lastIndexOf('}'));
             } catch (err) {
               logger.error(

package/lib/dataflow/propagation/install/pug/index.js

@@ -16,6 +16,9 @@
 
 const { patchType } = require('../../common');
 
+/** @type {import('@contrast/rewriter').RewriteOpts} */
+const REWRITE_OPTS = { isModule: false, inject: false, wrap: false, trim: true };
+
 module.exports = function (core) {
   const store = { lock: true, name: 'assess:propagators:pug-compile' };
   const {
@@ -23,8 +26,6 @@ module.exports = function (core) {
     patcher, logger, rewriter, depHooks,
   } = core;
 
-  const rewriterOpts = { isModule: false, wrap: false };
-
   const pugInstrumentation = {
     install() {
       depHooks.resolve(
@@ -42,7 +43,7 @@ module.exports = function (core) {
               postCodeGen: (value, options) => {
                 try {
                   return instrumentation.run(store,
-                    () => rewriter.rewrite(value, rewriterOpts).code
+                    () => rewriter.rewriteSync(value, REWRITE_OPTS).code
                   );
                 } catch (err) {
                   logger.warn({ err, funcKey: data.funcKey }, 'Failed to rewrite pug code');

package/lib/dataflow/sinks/index.js

@@ -68,6 +68,7 @@ module.exports = function (core) {
 
   require('./install/express')(core);
   require('./install/fastify')(core);
+  require('./install/hapi')(core);
   require('./install/koa')(core);
   require('./install/child-process')(core);
   require('./install/eval')(core);

package/lib/dataflow/sinks/install/hapi/index.js

@@ -0,0 +1,30 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { callChildComponentMethodsSync } = require('@contrast/common');
+
+module.exports = function(core) {
+  const hapi = core.assess.dataflow.sinks.hapi = {};
+
+  require('./unvalidated-redirect')(core);
+
+  hapi.install = function() {
+    callChildComponentMethodsSync(hapi, 'install');
+  };
+
+  return hapi;
+};

package/lib/dataflow/sinks/install/hapi/unvalidated-redirect.js

@@ -0,0 +1,139 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const util = require('util');
+const {
+  Rule: { UNVALIDATED_REDIRECT: ruleId },
+  DataflowTag: {
+    UNTRUSTED,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED,
+    HTML_ENCODED,
+    LIMITED_CHARS,
+    URL_ENCODED,
+  },
+  isString
+} = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../../constants');
+const { patchType, filterSafeTags } = require('../../common');
+const { createSubsetTags } = require('../../../tag-utils');
+
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ *  logger: import('@contrast/logger').Logger,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+*/
+module.exports = function(core) {
+  const {
+    depHooks,
+    patcher,
+    config,
+    assess: {
+      getSourceContext,
+      eventFactory: { createSinkEvent },
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, reportFindings, reportSafePositive }
+      },
+    },
+  } = core;
+
+  const unvalidatedRedirect = core.assess.dataflow.sinks.hapi.unvalidatedRedirect = {};
+  const inspect = patcher.unwrap(util.inspect);
+
+  const safeTags = [
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED,
+    HTML_ENCODED,
+    LIMITED_CHARS,
+    URL_ENCODED,
+  ];
+
+  unvalidatedRedirect.install = function() {
+    depHooks.resolve({ name: '@hapi/hapi', file: 'lib/response' }, (Response) => {
+      const name = 'hapi.Response.prototype.redirect';
+      patcher.patch(Response.prototype, 'redirect', {
+        name,
+        patchType,
+        pre: (data) => {
+          if (!getSourceContext(RULE, ruleId)) return;
+
+          const [url] = data.args;
+          if (!url || !isString(url)) return;
+
+          const strInfo = tracker.getData(url);
+          if (!strInfo) return;
+
+          let urlPathTags = strInfo.tags;
+          if (url.indexOf('?') > -1) {
+            urlPathTags = createSubsetTags(strInfo.tags, 0, url.indexOf('?') + 1);
+          }
+
+          if (urlPathTags && isVulnerable(UNTRUSTED, safeTags, urlPathTags)) {
+            const event = createSinkEvent({
+              args: [{
+                tracked: true,
+                value: strInfo.value,
+              }],
+              context: `response.redirect(${inspect(strInfo.value)})`,
+              history: [strInfo],
+              name,
+              moduleName: 'hapi',
+              methodName: 'Response.prototype.redirect',
+              object: {
+                tracked: false,
+                value: 'hapi.Response',
+              },
+              result: {
+                tracked: false,
+                value: undefined,
+              },
+              tags: urlPathTags,
+              source: 'P0',
+              stacktraceOpts: {
+                constructorOpt: data.hooked,
+                prependFrames: [data.orig]
+              },
+            });
+
+            if (event) {
+              reportFindings({
+                ruleId,
+                sinkEvent: event,
+              });
+            }
+          } else if (config.assess.safe_positives.enable) {
+            reportSafePositive({
+              name,
+              ruleId,
+              safeTags: filterSafeTags(safeTags, strInfo),
+              strInfo: {
+                tags: strInfo.tags,
+                value: strInfo.value,
+              }
+            });
+          }
+        },
+      });
+    });
+  };
+
+  return unvalidatedRedirect;
+};

package/lib/get-policy.js

@@ -20,6 +20,8 @@ const {
   ResponseScanningRule,
   SessionConfigurationRule,
   Event,
+  join,
+  toLowerCase,
 } = require('@contrast/common');
 
 const rulesIds = Object.values({
@@ -28,6 +30,38 @@ const rulesIds = Object.values({
   ...SessionConfigurationRule,
 });
 
+function buildUriPathRegExp(urls) {
+  let regExpNeeded = false;
+  for (const url of urls) {
+    if (regExpCheck(url)) {
+      regExpNeeded = true;
+    }
+  }
+  if (regExpNeeded) {
+    const rx = new RegExp(`^${join(urls, '|')}$`);
+
+    return (uriPath) => rx ? rx.test(uriPath) : false;
+  }
+
+  return (uriPath) => urls.some((url) => url === uriPath);
+}
+
+function createUriPathMatcher(urls) {
+  if (urls.length) {
+    return buildUriPathRegExp(urls);
+  } else {
+    return () => true;
+  }
+}
+
+function regExpCheck(str) {
+  return str.indexOf('*') > 0 ||
+    str.indexOf('.') > 0 ||
+    str.indexOf('+') > 0 ||
+    str.indexOf('?') > 0 ||
+    str.indexOf('\\') > 0;
+}
+
 /**
  * @param {{
  *  config: import('@contrast/config').Config,
@@ -37,32 +71,102 @@ const rulesIds = Object.values({
  * @returns {import('@contrast/common').Installable}
  */
 module.exports = function assess(core) {
-  const { logger, messages } = core;
+  const { config, logger, messages } = core;
 
   const enabledRules = new Set(rulesIds);
+  const exclusions = {
+    url: [],
+  };
+
+  function compileExclusions(settings) {
+    // reset global exclusion state
+    for (const key of Object.keys(exclusions)) {
+      exclusions[key] = [];
+    }
+
+    const rawDtmList = [
+      // todo: NODE-3281 input exclusions
+      ...(settings?.exclusions?.url || [])
+    ].filter((exclusion) => exclusion.modes.includes('assess'));
+
+    if (!rawDtmList.length) {
+      return;
+    }
+
+    for (const dtm of rawDtmList) {
+      dtm.type = dtm.type || 'URL';
+
+      const { name, assess_rules, urls, type } = dtm;
+      const key = toLowerCase(type);
+      try {
+        const e = {
+          name,
+          rules: new Set(assess_rules),
+        };
+        e.matchesUriPath = createUriPathMatcher(urls);
+        exclusions[key].push(e);
+      } catch (err) {
+        logger.error({ err, dtm }, 'failed to process exclusion');
+      }
+    }
+  }
 
   messages.on(Event.SERVER_SETTINGS_UPDATE, (msg) => {
-    if (!msg.assess) return;
-
-    for (const ruleId of rulesIds) {
-      const enable = msg.assess[ruleId]?.enable;
-      if (enable === true) {
-        enabledRules.add(ruleId);
-        if (ruleId === Rule.NOSQL_INJECTION) enabledRules.add(Rule.NOSQL_INJECTION_MONGO);
-      } else if (enable === false) {
-        if (ruleId === Rule.NOSQL_INJECTION) enabledRules.delete(Rule.NOSQL_INJECTION_MONGO);
-        enabledRules.delete(ruleId);
+    if (!config.getEffectiveValue('assess.enable')) return;
+
+    if (msg.assess) {
+      for (const ruleId of rulesIds) {
+        const enable = msg.assess[ruleId]?.enable;
+        if (enable === true) {
+          enabledRules.add(ruleId);
+          if (ruleId === Rule.NOSQL_INJECTION) enabledRules.add(Rule.NOSQL_INJECTION_MONGO);
+        } else if (enable === false) {
+          if (ruleId === Rule.NOSQL_INJECTION) enabledRules.delete(Rule.NOSQL_INJECTION_MONGO);
+          enabledRules.delete(ruleId);
+        }
       }
     }
-    logger.info({
-      enabledRules: Array.from(enabledRules)
-    }, 'Assess policy updated');
+
+    if (msg.exclusions) {
+      compileExclusions(msg);
+    }
+
+    logger.info({ enabledRules: Array.from(enabledRules) }, 'Assess policy updated');
   });
 
-  return core.assess.getPolicy = function getPolicy() {
+  /**
+   * This gets called by assess.makeSourceContext(). We return copy of policy to avoid
+   * inconsistent behavior if policy is updated during request handling.
+   */
+  return core.assess.getPolicy = function getPolicy({ uriPath } = {}) {
+    const _enabledRules = new Set(enabledRules);
+
+    // Evaluate url exclusions for current request.
+    // If one matches and applies to all rules, we return `null` for the policy value,
+    // which will disable assess for the request. If specific rules are disabled, we
+    // just removed them from the request policy's set of `enabledRules`.
+    for (const urlExclusion of exclusions.url) {
+      if (urlExclusion.matchesUriPath(uriPath)) {
+        if (!urlExclusion.rules?.size) {
+          core.logger.debug({
+            name: urlExclusion.name
+          }, 'all assess rules disabled by URL exclusion');
+          return null;
+        } else {
+          for (const ruleId of urlExclusion.rules) {
+            if (_enabledRules.has(ruleId)) _enabledRules.delete(ruleId);
+          }
+          core.logger.debug({
+            name: urlExclusion.name,
+            rules: Array.from(urlExclusion.rules),
+          }, 'assess rules disabled by URL exclusion');
+        }
+      }
+    }
+
     // creates copy of local policy for request store
     return {
-      enabledRules: new Set(enabledRules),
+      enabledRules: new Set(_enabledRules),
     };
   };
 };

package/lib/get-source-context.js

@@ -38,7 +38,8 @@ module.exports = function(core) {
   return core.assess.getSourceContext = function getSourceContext(type, ...rest) {
     const ctx = sources.getStore()?.assess;
 
-    if (!ctx || instrumentation.isLocked()) return null;
+    // policy will not exist if assess is altogether disabled for the active request e.g. url exclusion
+    if (!ctx || !ctx?.policy || instrumentation.isLocked()) return null;
 
     switch (type) {
       case InstrumentationType.PROPAGATOR: {

package/lib/make-source-context.js

@@ -54,7 +54,7 @@ module.exports = function(core) {
       return {
         propagationEventsCount: 0,
         sourceEventsCount: 0,
-        policy: getPolicy(),
+        policy: getPolicy({ uriPath }),
         reqData: {
           ip: req.socket.remoteAddress,
           httpVersion: req.httpVersion,

package/lib/session-configuration/install/hapi.js

@@ -36,7 +36,7 @@ module.exports = function (core) {
   const inspect = patcher.unwrap(util.inspect);
 
   hapiSession.install = function () {
-    return depHooks.resolve({ name: '@hapi/hapi', version: '>=18 <21' }, (hapi) => {
+    return depHooks.resolve({ name: '@hapi/hapi', version: '>=18 <22' }, (hapi) => {
       ['server', 'Server'].forEach((server) => {
         patcher.patch(hapi, server, {
           name: `hapi.${server}`,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.24.2",
+  "version": "1.26.0",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -17,7 +17,7 @@
     "test": "../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.18.0",
+    "@contrast/common": "1.19.0",
     "@contrast/distringuish": "^4.4.0",
     "@contrast/scopes": "1.4.0"
   }