@contrast/assess 1.27.1 → 1.28.0

package/lib/constants.js

@@ -16,9 +16,9 @@
 'use strict';
 
 const InstrumentationType = {
-  SOURCE: 'source',
-  PROPAGATOR: 'propagator',
-  RULE: 'rule',
+  SOURCE: 'SOURCE',
+  PROPAGATOR: 'PROPAGATOR',
+  RULE: 'RULE',
 };
 
 module.exports = {

package/lib/dataflow/propagation/install/array-prototype-join.js

@@ -15,17 +15,16 @@
 
 'use strict';
 
-const {
-  createAppendTags
-} = require('../../tag-utils');
-const { patchType } = require('../common');
 const { isString, join, inspect } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../constants');
+const { createAppendTags } = require('../../tag-utils');
+const { patchType } = require('../common');
 
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }
@@ -71,7 +70,7 @@ module.exports = function(core) {
         patchType,
         post(data) {
           const { args: origArgs, obj, result, hooked, orig } = data;
-          if (!result || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+          if (!result || !(getSourceContext(PROPAGATOR))) return;
 
           const resultInfo = tracker.getData(result);
           const delimiter = origArgs[0] === undefined ? ',' : origArgs[0];

package/lib/dataflow/propagation/install/buffer.js

@@ -14,11 +14,13 @@
  */
 'use strict';
 
+const { InstrumentationType: { PROPAGATOR } } = require('../../../constants');
 const { patchType } = require('../common');
 
 module.exports = function(core) {
   const {
     assess: {
+      getSourceContext,
       eventFactory,
       dataflow: { tracker }
     },
@@ -35,7 +37,7 @@ module.exports = function(core) {
         post(data) {
           const { hooked, obj, orig, result } = data;
 
-          if (!result) return;
+          if (!result || !getSourceContext(PROPAGATOR)) return;
 
           const bufferInfo = tracker.getData(obj);
           if (!bufferInfo) {

package/lib/dataflow/propagation/install/contrast-methods/add.js

@@ -16,102 +16,105 @@
 'use strict';
 
 const util = require('util');
-const {
-  createAppendTags
-} = require('../../../tag-utils');
-const { patchType } = require('../../common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
+const { createAppendTags } = require('../../../tag-utils');
 
 module.exports = function(core) {
   const {
-    scopes: { instrumentation, sources },
     patcher,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }
   } = core;
 
   const inspect = patcher.unwrap(util.inspect);
+  const origSym = Symbol('ContrastMethods.add.orig');
 
   return core.assess.dataflow.propagation.contrastMethodsInstrumentation.add = {
     install() {
-      patcher.patch(global.ContrastMethods, 'add', {
-        name: 'ContrastMethods.add',
-        patchType,
-        post(data) {
-          const { args, result, hooked } = data;
-          if (!result || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+      // + is fast and typically called often. therefore we patch ContrastMethods.add
+      // manually instead of using patcher. this propagator is the only
+      // patch for it, so we don't have to worry about managing patch execution order
+      // (which patcher would do).
+      const { add } = global.ContrastMethods;
+      global.ContrastMethods.add = function(...args) {
+        // first get result, then following logic acts as post-hook in patcher speak
+        const result = add(...args);
 
-          const rInfo = tracker.getData(result);
-          if (rInfo) {
-            // this may happen w/ '' + 'tracked' => 'tracked'
-            return;
-          }
+        if (!result || !getSourceContext(PROPAGATOR)) return result;
 
-          const leftStringInfo = tracker.getData(args[0]);
-          const rightStringInfo = tracker.getData(args[1]);
+        const rInfo = tracker.getData(result);
+        if (rInfo) {
+          // this may happen w/ '' + 'tracked' => 'tracked'
+          return result;
+        }
 
-          let newTags = {};
-          const history = [];
+        const leftStringInfo = tracker.getData(args[0]);
+        const rightStringInfo = tracker.getData(args[1]);
 
-          if (leftStringInfo) {
-            history.push(leftStringInfo);
-            newTags = leftStringInfo.tags || {};
-          }
+        let newTags = {};
+        const history = [];
 
-          if (rightStringInfo) {
-            history.push(rightStringInfo);
-            newTags = createAppendTags(newTags, rightStringInfo.tags, args[0].length);
-          }
+        if (leftStringInfo) {
+          history.push(leftStringInfo);
+          newTags = leftStringInfo.tags || {};
+        }
 
-          if (history.length) {
-            const leftArg = leftStringInfo ? leftStringInfo.value : args[0];
-            const rightArg = rightStringInfo ? rightStringInfo.value : args[1];
-            const event = createPropagationEvent({
-              args: [
-                {
-                  tracked: !!leftStringInfo,
-                  value: leftArg
-                },
-                {
-                  tracked: !!rightStringInfo,
-                  value: rightArg,
-                }
-              ],
-              context: `${inspect(leftArg)} + ${inspect(rightArg)}`,
-              moduleName: 'global',
-              methodName: 'ContrastMethods.add',
-              history,
-              object: {
-                value: 'String Addition',
-                tracked: false
-              },
-              name: 'ContrastMethods.add',
-              result: {
-                value: result,
-                tracked: true
-              },
-              source: 'P',
-              stacktraceOpts: {
-                constructorOpt: hooked,
-              },
-              tags: newTags,
-              target: 'R',
-            });
+        if (rightStringInfo) {
+          history.push(rightStringInfo);
+          newTags = createAppendTags(newTags, rightStringInfo.tags, args[0].length);
+        }
 
-            if (!event) return;
+        if (history.length) {
+          const leftArg = leftStringInfo ? leftStringInfo.value : args[0];
+          const rightArg = rightStringInfo ? rightStringInfo.value : args[1];
+          const event = createPropagationEvent({
+            args: [
+              {
+                tracked: !!leftStringInfo,
+                value: leftArg
+              },
+              {
+                tracked: !!rightStringInfo,
+                value: rightArg,
+              }
+            ],
+            context: `${inspect(leftArg)} + ${inspect(rightArg)}`,
+            moduleName: 'global',
+            methodName: 'ContrastMethods.add',
+            history,
+            object: {
+              value: 'String Addition',
+              tracked: false
+            },
+            name: 'ContrastMethods.add',
+            result: {
+              value: result,
+              tracked: true
+            },
+            source: 'P',
+            stacktraceOpts: {
+              constructorOpt: add,
+            },
+            tags: newTags,
+            target: 'R',
+          });
 
+          if (event) {
             const { extern } = tracker.track(result, event);
-
-            if (extern) {
-              data.result = extern;
-            }
+            if (extern) return extern;
           }
         }
-      });
+
+        return result;
+      };
+      global.ContrastMethods.add[origSym] = add;
     },
     uninstall() {
-      global.ContrastMethods.add = patcher.unwrap(global.ContrastMethods.add);
+      const orig = global.ContrastMethods.add[origSym];
+      if (orig) global.ContrastMethods.add = orig;
     },
   };
 };

package/lib/dataflow/propagation/install/contrast-methods/number.js

@@ -16,14 +16,15 @@
 'use strict';
 
 const { isString } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { patchType } = require('../../common');
 
 module.exports = function (core) {
   const {
     logger,
-    scopes: { instrumentation, sources },
     patcher,
     assess: {
+      getSourceContext,
       dataflow: { tracker }
     }
   } = core;
@@ -38,13 +39,11 @@ module.exports = function (core) {
         post(data) {
           const { args: [value], result } = data;
           if (
+            !tracker.getData(value) ||
             isNaN(result) ||
             !value ||
             !isString(value) ||
-            !sources.getStore()?.assess ||
-            instrumentation.isLocked() ||
-            // why not just do this first? won't need check for NaN, !value, !isString, etc.
-            !tracker.getData(value)
+            !getSourceContext(PROPAGATOR)
           ) return;
 
           tracker.untrack(value);

package/lib/dataflow/propagation/install/contrast-methods/string.js

@@ -16,6 +16,7 @@
 'use strict';
 
 const { DataflowTag } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { patchType } = require('../../common');
 
 function metadataUpdate(strInfo, event) {
@@ -29,9 +30,9 @@ function metadataUpdate(strInfo, event) {
 
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
     }
@@ -44,7 +45,7 @@ module.exports = function(core) {
         name,
         patchType,
         post(data) {
-          if (!data.result || !sources.getStore() || instrumentation.isLocked()) return;
+          if (!data.result || !getSourceContext(PROPAGATOR)) return;
 
           const arg = data.args[0];
           let argInfo = tracker.getData(arg);

package/lib/dataflow/propagation/install/contrast-methods/tag.js

@@ -15,16 +15,17 @@
 
 'use strict';
 
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { patchType } = require('../../common');
 
 module.exports = function(core) {
   const {
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
     },
     patcher,
-    scopes: { sources, instrumentation },
   } = core;
 
   const tag = {
@@ -33,11 +34,7 @@ module.exports = function(core) {
         name: 'ContrastMethods.tag',
         patchType,
         post(data) {
-          if (
-            !data.result ||
-            !sources.getStore()?.assess ||
-            instrumentation.isLocked()
-          ) {
+          if (!data.result || !getSourceContext(PROPAGATOR)) {
             return;
           }
 

package/lib/dataflow/propagation/install/string/concat.js

@@ -15,17 +15,16 @@
 
 'use strict';
 
-const {
-  createAppendTags
-} = require('../../../tag-utils');
 const { join, inspect } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
+const { createAppendTags } = require('../../../tag-utils');
 const { patchType } = require('../../common');
 
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }
@@ -40,7 +39,7 @@ module.exports = function(core) {
         patchType,
         post(data) {
           const { args, obj, result, hooked, orig } = data;
-          if (!result || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+          if (!result || !getSourceContext(PROPAGATOR)) return;
 
           const rInfo = tracker.getData(result);
           if (rInfo) {

package/lib/dataflow/propagation/install/string/html-methods.js

@@ -15,10 +15,9 @@
 
 'use strict';
 
-const {
-  createAppendTags
-} = require('../../../tag-utils');
 const { inspect } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
+const { createAppendTags } = require('../../../tag-utils');
 const { patchType } = require('../../common');
 const htmlTagsLengths = {
   anchor: 11,
@@ -33,9 +32,9 @@ const htmlTagsLengths = {
 
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }
@@ -65,7 +64,7 @@ module.exports = function(core) {
         patchType,
         post(data) {
           const { args, obj, result, hooked, orig } = data;
-          if (!result || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+          if (!result || !getSourceContext(PROPAGATOR)) return;
 
           const objInfo = tracker.getData(obj);
           const history = objInfo ? new Set([objInfo]) : new Set();
@@ -122,7 +121,7 @@ module.exports = function(core) {
           patchType,
           post(data) {
             const { obj, result, hooked, orig } = data;
-            if (!result || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+            if (!result || !getSourceContext(PROPAGATOR)) return;
 
             const objInfo = tracker.getData(obj);
 

package/lib/dataflow/propagation/install/string/match-all.js

@@ -15,14 +15,15 @@
 
 'use strict';
 const { inspect } = require('@contrast/common');
-const { patchType } = require('../../common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { createSubsetTags } = require('../../../tag-utils');
+const { patchType } = require('../../common');
 
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: {
         tracker,
@@ -75,7 +76,7 @@ module.exports = function(core) {
     });
   }
 
-  return (stringInstrumentation.matchAll = {
+  return stringInstrumentation.matchAll = {
     install() {
       patcher.patch(String.prototype, 'matchAll', {
         name,
@@ -87,8 +88,7 @@ module.exports = function(core) {
             !obj ||
             !args[0] ||
             typeof obj !== 'string' ||
-            !sources.getStore()?.assess ||
-            instrumentation.isLocked()
+            !getSourceContext(PROPAGATOR)
           )
             return origFn();
 
@@ -233,5 +233,5 @@ module.exports = function(core) {
     uninstall() {
       String.prototype.matchAll = patcher.unwrap(String.prototype.matchAll);
     },
-  });
+  };
 };

package/lib/dataflow/propagation/install/string/replace.js

@@ -18,20 +18,22 @@
 const {
   DataflowTag: { UNTRUSTED },
   match: origMatch,
+  inspect,
+  join,
   substring
 } = require('@contrast/common');
-const { inspect, join } = require('@contrast/common');
-const { patchType } = require('../../common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { createSubsetTags, createAppendTags } = require('../../../tag-utils');
+const { patchType } = require('../../common');
 
 module.exports = function(core) {
   const {
     patcher,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     },
-    scopes: { sources, instrumentation }
   } = core;
 
   function parseArgs(args) {
@@ -141,7 +143,7 @@ module.exports = function(core) {
         name,
         patchType,
         pre(data) {
-          if (!sources.getStore()?.assess || instrumentation.isLocked()) return;
+          if (!getSourceContext(PROPAGATOR)) return;
 
           // setup state
           data._objInfo = tracker.getData(data.obj);
@@ -155,8 +157,6 @@ module.exports = function(core) {
         },
         post(data) {
           if (
-            !sources.getStore()?.assess ||
-            instrumentation.isLocked() ||
             !data.result ||
             // todo: can we reuse this optimization in other propagators? e.g those performing substring-like operations
             !data._accumTags?.[UNTRUSTED] ||

package/lib/dataflow/propagation/install/string/slice.js

@@ -13,15 +13,16 @@
  * way not consistent with the End User License Agreement.
  */
 'use strict';
-const { patchType } = require('../../common');
 const { inspect, join } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { createSubsetTags } = require('../../../tag-utils');
+const { patchType } = require('../../common');
 
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }
@@ -55,7 +56,7 @@ module.exports = function(core) {
         patchType,
         post(data) {
           const { name, args: origArgs, obj, result, hooked, orig } = data;
-          if (!result || !sources.getStore() || instrumentation.isLocked()) return;
+          if (!result || !getSourceContext(PROPAGATOR)) return;
 
           const objInfo = tracker.getData(obj);
           if (!objInfo) return;

package/lib/dataflow/propagation/install/string/split.js

@@ -15,16 +15,16 @@
 
 'use strict';
 
-const { patchType } = require('../../common');
 const { join, inspect } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { createSubsetTags } = require('../../../tag-utils');
-
+const { patchType } = require('../../common');
 
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     assess: {
+      getSourceContext,
       eventFactory,
       dataflow: { tracker }
     }
@@ -44,10 +44,9 @@ module.exports = function(core) {
             !result ||
             origArgs.length === 0 ||
             result.length === 0 ||
-            !sources.getStore() ||
             typeof obj !== 'string' ||
-            instrumentation.isLocked() ||
-            (origArgs.length === 1 && origArgs[0] == null)
+            (origArgs.length === 1 && origArgs[0] == null) ||
+            !getSourceContext(PROPAGATOR)
           ) return;
 
           const objInfo = tracker.getData(obj);

package/lib/dataflow/propagation/install/string/substring.js

@@ -15,15 +15,16 @@
 
 'use strict';
 
-const { createSubsetTags } = require('../../../tag-utils');
 const { join, inspect } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
+const { createSubsetTags } = require('../../../tag-utils');
 const { patchType } = require('../../common');
 
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }
@@ -63,7 +64,7 @@ module.exports = function(core) {
           patchType,
           post(data) {
             const { obj, args: origArgs, result, name, hooked, orig } = data;
-            if (!result || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+            if (!result || !getSourceContext(PROPAGATOR)) return;
 
             const objInfo = tracker.getData(obj);
             if (!objInfo) return;
@@ -125,4 +126,3 @@ module.exports = function(core) {
     },
   };
 };
-

package/lib/dataflow/propagation/install/string/trim.js

@@ -15,16 +15,15 @@
 
 'use strict';
 
-const {
-  createSubsetTags,
-} = require('../../../tag-utils');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
+const { createSubsetTags } = require('../../../tag-utils');
 const { patchType } = require('../../common');
 
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }
@@ -34,7 +33,7 @@ module.exports = function(core) {
     return function(data) {
       const { obj, result, hooked, orig } = data;
 
-      if (!result?.length || !sources.getStore()?.assess || instrumentation.isLocked()) {
+      if (!result?.length || !getSourceContext(PROPAGATOR)) {
         return;
       }
       const rInfo = tracker.getData(result);

package/lib/dataflow/sinks/install/mongodb.js

@@ -236,6 +236,49 @@ module.exports = function (core) {
     return { vulnInfo, reportSafe };
   };
 
+  /**
+   * Truncate `arg` values for reporting and get the adjusted `tags`.
+   * If an argument isn't directly relevant to the vulnerability, we report it by its type.
+   * If it is relevant, we truncate the value if it is an object or array, but not if it is a string.
+   * Ex1: Array truncations will look like `[...'<key>':'<value>'...]`
+   * Ex2: Object truncations will look like `{...'<key>':'<value>'...}`
+   * In the above examples, `key` will be the last value in the path array, and `value` should be the
+   * containing the injection. So whether the argument is a string or an object, the actual string value
+   * leading to the injection will not be truncated.
+   */
+  function getAdjustedFields(origArgs, vulnInfo, vulnArgIdx) {
+    const { path, strInfo } = vulnInfo;
+    const coercedArgs = [];
+    let prefix = '';
+    let suffix = '';
+
+    if (path) {
+      let openChar, closeChar;
+      if (Array.isArray(origArgs[vulnArgIdx])) {
+        openChar = '[';
+        closeChar = ']';
+      } else {
+        openChar = '{';
+        closeChar = '}';
+      }
+      prefix = `${openChar}...'${path[path.length - 1]}':'`;
+      suffix = `'...${closeChar}`;
+    }
+
+    for (let i = 0; i < origArgs.length; i++) {
+      if (i === vulnArgIdx) {
+        coercedArgs.push({ value: `${prefix}${strInfo.value}${suffix}`, tracked: true });
+      } else {
+        coercedArgs.push({ value: origArgs[i]?.constructor?.name ?? typeof origArgs[i], tracked: false });
+      }
+    }
+
+    return {
+      args: coercedArgs,
+      tags: prefix ? utils.createAppendTags(null, strInfo.tags, prefix.length) : strInfo.tags,
+    };
+  }
+
   function createAroundHook(entity, name, method, getInfoMethod, vulnerableArgIdxs) {
     const argsIdxsToCheck = vulnerableArgIdxs || [0];
     return function (next, data) {
@@ -290,19 +333,13 @@ module.exports = function (core) {
             : next();
         }
 
-        const { path, strInfo } = vulnInfo;
         const objName = getObjectName(obj, entity);
-        const args = origArgs.map((arg, idx) => ({
-          value: isString(arg) ? arg : inspect(arg, { depth: 4 }),
-          tracked: idx === vulnArgIdx,
-        }));
-
-        const tags = path ? utils.createAdjustedQueryTags(path, strInfo.tags, strInfo.value, args[vulnArgIdx].value) : strInfo?.tags;
+        const { args, tags } = getAdjustedFields(origArgs, vulnInfo, vulnArgIdx);
         const resultVal = args[args.length - 1].value.startsWith('[Function') ? '' : 'Promise';
         const sinkEvent = createSinkEvent({
           args,
           context: `${objName}.${method}(${args.map((a, idx) => isString(origArgs[idx]) ? `'${a.value}'` : a.value)})`,
-          history: [strInfo],
+          history: [vulnInfo.strInfo],
           object: {
             tracked: false,
             value: `mongodb.${entity}`,

package/lib/dataflow/sources/install/body-parser1.js

@@ -16,6 +16,7 @@
 'use strict';
 
 const { InputType } = require('@contrast/common');
+const { InstrumentationType: { SOURCE } } = require('../../../constants');
 const { patchType } = require('../common');
 
 const METHODS = ['json', 'raw', 'text', 'urlencoded'];
@@ -27,12 +28,18 @@ const INPUT_TYPES = {
 };
 
 module.exports = function init(core) {
-  const { assess, depHooks, logger, patcher, scopes } = core;
+  const {
+    scopes,
+    assess: { dataflow, getSourceContext },
+    depHooks,
+    logger,
+    patcher,
+  } = core;
 
   const preHook = (data) => {
     const [req, , next] = data.args;
     data.args[2] = scopes.wrap(function contrastNext(...args) {
-      const sourceContext = scopes.sources.getStore()?.assess;
+      const sourceContext = getSourceContext(SOURCE);
 
       if (!sourceContext) {
         logger.error({ funcKey: data.funcKey }, 'unable to handle source. Missing `sourceContext`');
@@ -68,7 +75,7 @@ module.exports = function init(core) {
       }
 
       try {
-        assess.dataflow.sources.handle({
+        dataflow.sources.handle({
           context,
           data: _data,
           name: data.name,
@@ -89,7 +96,7 @@ module.exports = function init(core) {
     });
   };
 
-  assess.dataflow.sources.bodyParser1Instrumentation = {
+  core.assess.dataflow.sources.bodyParser1Instrumentation = {
     install() {
       depHooks.resolve(
         { name: 'body-parser', version: '>=1.0.0' },
@@ -127,5 +134,5 @@ module.exports = function init(core) {
     }
   };
 
-  return assess.dataflow.sources.bodyParser1Instrumentation;
+  return core.assess.dataflow.sources.bodyParser1Instrumentation;
 };

package/lib/dataflow/sources/install/cookie-parser1.js

@@ -16,10 +16,11 @@
 'use strict';
 
 const { InputType } = require('@contrast/common');
+const { InstrumentationType: { SOURCE } } = require('../../../constants');
 const { patchType } = require('../common');
 
 module.exports = function init(core) {
-  const { assess, depHooks, logger, patcher, scopes } = core;
+  const { assess, depHooks, logger, patcher } = core;
 
   assess.dataflow.sources.cookieParser1Instrumentation = {
     install() {
@@ -39,11 +40,11 @@ module.exports = function init(core) {
                   const { funcKey } = data;
                   const [req, , next] = data.args;
                   data.args[2] = function contrastNext(...args) {
-                    const sourceContext = scopes.sources.getStore()?.assess;
+                    const sourceContext = assess.getSourceContext(SOURCE);
 
                     if (!sourceContext) {
                       logger.error({ funcKey }, 'unable to handle source. Missing `sourceContext`');
-                      return;
+                      return next(...args);
                     }
 
                     if (sourceContext.parsedCookies) {

package/lib/dataflow/sources/install/http.js

@@ -102,6 +102,21 @@ module.exports = function (core) {
         sourceContext: store.assess
       };
 
+      // track the headers and the url.
+      //
+      // note that req.headers and req.headersDistinct are now (as of v15.1.0)
+      // lazily computed using an accessor property.
+      //
+      // there is no need to track headersDistinct because they are not
+      // referenced prior to this point. and, when they are referenced, node
+      // populates them with references to the (what will be after code below)
+      // already-tracked values in rawHeaders. But headers have already been
+      // referenced by node before the 'request' event is emitted by the server,
+      // so headers need to be tracked independently of rawHeaders. The way
+      // node handles the headers is convoluted; it's easier/safer to track the
+      // headers as they are. An attacker could use knowledge of node's handling
+      // to craft their attack.
+      //
       [
         {
           context: 'req.headers',
@@ -117,18 +132,57 @@ module.exports = function (core) {
           ...sourceInfo,
         }
       ].forEach((sourceData) => {
-        const { inputType } = sourceData;
         try {
           dataflow.sources.handle(sourceData);
         } catch (err) {
+          const { inputType } = sourceData;
           logger.error({ err, inputType, sourceName }, 'unable to handle http source');
         }
       });
 
-      for (let i = 0; i < req.rawHeaders.length; i += 2) {
-        const header = toLowerCase(req.rawHeaders[i]);
-        req.rawHeaders[i + 1] = req.headers[header];
+
+      //
+      // now track the rawHeaders. headers are complicated because they appear
+      // three times: headers, headersDistinct, and rawHeaders and we want to
+      // create only one event per header value. that turns out not to be as
+      // easy/possible as it sounds, due to the way node handles req.headers.
+      //
+      // see node's lib/_http_incoming.js for details. interesting optimizations
+      // and quirky handling per the RFC. some duplicate headers are joined by
+      // default, some are not.
+      //
+      // but we have to track rawHeaders. they are copied to a separate array
+      // because the dataflow.sources.handle() doesn't know about an array where
+      // only odd indexes are to be tracked.
+      //
+      // even though we could track the rawHeaders' keys, we don't because they
+      // are not used by any application that i'm aware of. it's easy enough to
+      // add here if we find there is an edge case where the application bypasses
+      // headers and headersDistinct and uses rawHeaders directly.
+      //
+      const headerValues = [];
+      for (let i = 1; i < req.rawHeaders.length; i += 2) {
+        headerValues.push(req.rawHeaders[i]);
+      }
+
+      try {
+        dataflow.sources.handle({
+          context: 'req.headers',
+          inputType: InputType.HEADER,
+          data: headerValues,
+          ...sourceInfo,
+        });
+      } catch (err) {
+        logger.error({ err, inputType: InputType.HEADER, sourceName }, 'unable to handle http source');
       }
+
+      //
+      // now that the raw headers are tracked, put each tracked value back
+      //
+      for (let i = 0; i < headerValues.length; i++) {
+        req.rawHeaders[(i << 1) + 1] = headerValues[i];
+      }
+
     } catch (err) {
       logger.error({ err, funcKey: data.funcKey }, 'Error during Assess request handling');
     }

package/lib/dataflow/sources/install/qs6.js

@@ -15,17 +15,19 @@
 
 'use strict';
 
-const { InputType } = require('@contrast/common');
+const { InputType: { QUERYSTRING: inputType } } = require('@contrast/common');
 const { patchType } = require('../common');
-
-const inputType = InputType.QUERYSTRING;
+const { InstrumentationType: { SOURCE } } = require('../../../constants');
 
 module.exports = (core) => {
   const {
     depHooks,
     patcher,
     logger,
-    assess: { dataflow: { sources } },
+    assess: {
+      getSourceContext,
+      dataflow: { sources }
+    },
   } = core;
 
   // Patch `qs`
@@ -36,7 +38,7 @@ module.exports = (core) => {
         name,
         patchType,
         post({ args, hooked, orig, result, funcKey }) {
-          const sourceContext = core.scopes.sources.getStore()?.assess;
+          const sourceContext = getSourceContext(SOURCE);
 
           if (!sourceContext) {
             logger.error({ inputType, funcKey }, 'unable to handle source. Missing `sourceContext`');

package/lib/dataflow/sources/install/querystring.js

@@ -17,9 +17,15 @@
 
 const { InputType } = require('@contrast/common');
 const { patchType } = require('../common');
+const { InstrumentationType: { SOURCE } } = require('../../../constants');
 
 module.exports = (core) => {
-  const { depHooks, patcher, logger } = core;
+  const {
+    assess: { getSourceContext },
+    depHooks,
+    patcher,
+    logger,
+  } = core;
 
   core.assess.dataflow.sources.querystringInstrumentation = {
     install() {
@@ -29,7 +35,7 @@ module.exports = (core) => {
           name,
           patchType,
           post({ args, hooked, orig, result, funcKey }) {
-            const sourceContext = core.scopes.sources.getStore()?.assess;
+            const sourceContext = getSourceContext(SOURCE);
             const inputType = InputType.QUERYSTRING;
 
             if (!sourceContext) return;

package/lib/dataflow/tag-utils.js

@@ -14,6 +14,8 @@
  */
 'use strict';
 
+const { split } = require('@contrast/common');
+
 //
 // This module implements tag range manipulation functions. There are generally
 // two types of functions:
@@ -461,8 +463,7 @@ function createAdjustedQueryTags(path, tags, value, argString) {
       break;
     }
   }
-
-  return idx >= 0 ? createAppendTags([], tags, idx) : [...tags];
+  return idx >= 0 ? createAppendTags([], tags, idx) : { ...tags };
 }
 
 /**
@@ -484,8 +485,8 @@ function createAdjustedQueryTags(path, tags, value, argString) {
  * - "?test=str","%3Ftest%3Dstr",{"UNTRUSTED":[0,8]} => {"UNTRUSTED":[3,6,10,12]}
  */
 function createEscapeTagRanges(input, result, tags) {
-  const inputArr = input.split('');
-  const escapedArr = result.split('');
+  const inputArr = split(input, '');
+  const escapedArr = split(result, '');
   const overlap = inputArr.filter((x) => {
     if (escapedArr.includes(x)) {
       return x;

package/lib/get-source-context.js

@@ -39,7 +39,7 @@ module.exports = function(core) {
     const ctx = sources.getStore()?.assess;
 
     // policy will not exist if assess is altogether disabled for the active request e.g. url exclusion
-    if (!ctx || !ctx?.policy || instrumentation.isLocked()) return null;
+    if (!ctx?.policy || instrumentation.isLocked()) return null;
 
     switch (type) {
       case InstrumentationType.PROPAGATOR: {
@@ -50,6 +50,7 @@ module.exports = function(core) {
         if (ctx.sourceEventsCount > config.assess.max_context_source_events) return null;
         break;
       }
+
       case InstrumentationType.RULE: {
         const [ruleId] = rest;
         if (!ruleId) break;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.27.1",
+  "version": "1.28.0",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -17,7 +17,7 @@
     "test": "../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.20.1",
+    "@contrast/common": "1.21.0",
     "@contrast/distringuish": "^4.4.0",
     "@contrast/scopes": "1.4.1"
   }