@contrast/assess 1.28.0 → 1.28.1

package/lib/dataflow/propagation/install/string/slice.js

@@ -13,9 +13,9 @@
  * way not consistent with the End User License Agreement.
  */
 'use strict';
-const { inspect, join } = require('@contrast/common');
+const { join } = require('@contrast/common');
 const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
-const { createSubsetTags } = require('../../../tag-utils');
+const { createSubsetTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
 const { patchType } = require('../../common');
 
 module.exports = function(core) {
@@ -72,8 +72,8 @@ module.exports = function(core) {
           if (!tags) return;
 
           const args = origArgs.map((arg) => ({
-            value: inspect(arg),
-            tracked: false
+            tracked: false,
+            value: getAdjustedUntrackedValue(arg)
           }));
 
           const event = createPropagationEvent({

package/lib/dataflow/propagation/install/string/split.js

@@ -15,9 +15,9 @@
 
 'use strict';
 
-const { join, inspect } = require('@contrast/common');
+const { join } = require('@contrast/common');
 const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
-const { createSubsetTags } = require('../../../tag-utils');
+const { createSubsetTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
 const { patchType } = require('../../common');
 
 module.exports = function(core) {
@@ -54,17 +54,16 @@ module.exports = function(core) {
 
           const args = origArgs.map((arg) => {
             const argInfo = tracker.getData(arg);
-            return {
-              value: argInfo ? argInfo.value : inspect(arg),
-              tracked: !!argInfo
-            };
+            return argInfo ?
+                { tracked: true, value: argInfo.value } :
+                { tracked: false, value: `'${arg}'` };
           });
 
           const event = eventFactory.createPropagationEvent({
             name,
             moduleName: 'String',
             methodName: 'prototype.split',
-            context: `'${objInfo.value}'.split(${join(args.map(a => a.value), ', ')})`,
+            context: `'${objInfo.value}'.split(${join(args.map(a => a.value))})`,
             history: [objInfo],
             object: {
               value: obj,
@@ -73,7 +72,7 @@ module.exports = function(core) {
             args,
             tags: {},
             result: {
-              value: join(result),
+              value: getAdjustedUntrackedValue(result),
               tracked: false
             },
             stacktraceOpts: {
@@ -95,9 +94,13 @@ module.exports = function(core) {
             const objSubstrInfo = tracker.getData(objSubstr);
             if (objSubstrInfo) {
               const tags = createSubsetTags(objInfo.tags, start, res.length);
-              if (!tags) continue;
 
-              const metadata = { ...event, tags };
+              if (!tags) continue;
+              const metadata = {
+                ...event,
+                result: { tracked: true, value: res },
+                tags,
+              };
               eventFactory.createdEvents.add(metadata);
               const { extern } = tracker.track(res, metadata);
 
@@ -114,4 +117,3 @@ module.exports = function(core) {
     },
   };
 };
-

package/lib/dataflow/propagation/install/string/substring.js

@@ -15,9 +15,9 @@
 
 'use strict';
 
-const { join, inspect } = require('@contrast/common');
+const { join } = require('@contrast/common');
 const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
-const { createSubsetTags } = require('../../../tag-utils');
+const { createSubsetTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
 const { patchType } = require('../../common');
 
 module.exports = function(core) {
@@ -82,14 +82,15 @@ module.exports = function(core) {
             if (!tags) return;
 
             const args = origArgs.map((arg) => ({
-              value: inspect(arg),
-              tracked: false
+              tracked: false,
+              value: getAdjustedUntrackedValue(arg)
             }));
+
             const event = createPropagationEvent({
               name,
               moduleName: 'String',
               methodName: 'prototype.substring',
-              context: `'${objInfo.value}'.substring(${join(args.map(a => a.value), ', ')})`,
+              context: `'${objInfo.value}'.substring(${join(args.map(a => a.value))})`,
               history: [objInfo],
               object: {
                 value: obj,

package/lib/dataflow/propagation/install/url/parse.js

@@ -16,7 +16,6 @@
 'use strict';
 
 const { patchType } = require('../../common');
-const { inspect } = require('@contrast/common');
 
 module.exports = function(core) {
   const {
@@ -24,6 +23,7 @@ module.exports = function(core) {
     patcher,
     depHooks,
     assess: {
+      inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }

package/lib/dataflow/propagation/install/url/searchParams.js

@@ -16,7 +16,7 @@
 'use strict';
 
 const { patchType } = require('../../common');
-const { inspect, isString } = require('@contrast/common');
+const { isString } = require('@contrast/common');
 
 module.exports = function(core) {
   const {
@@ -24,6 +24,7 @@ module.exports = function(core) {
     patcher,
     depHooks,
     assess: {
+      inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }

package/lib/dataflow/propagation/install/url/url.js

@@ -15,7 +15,6 @@
 
 'use strict';
 
-const { inspect } = require('@contrast/common');
 const { patchType } = require('../../common');
 
 module.exports = function(core) {
@@ -24,6 +23,7 @@ module.exports = function(core) {
     patcher,
     depHooks,
     assess: {
+      inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }

package/lib/dataflow/sinks/install/child-process.js

@@ -19,7 +19,6 @@ const {
   join,
   Rule: { CMD_INJECTION: ruleId },
   isString,
-  inspect,
 } = require('@contrast/common');
 const { InstrumentationType: { RULE } } = require('../../../constants');
 const { patchType } = require('../common');
@@ -35,6 +34,7 @@ module.exports = function(core) {
     depHooks,
     patcher,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {

package/lib/dataflow/sinks/install/express/reflected-xss.js

@@ -15,7 +15,6 @@
 
 'use strict';
 
-const util = require('util');
 const {
   Rule: { REFLECTED_XSS: ruleId },
   DataflowTag: {
@@ -52,14 +51,13 @@ module.exports = function(core) {
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
-        sinks: { isVulnerable, reportFindings, reportSafePositive }
+        sinks: { isVulnerable, reportFindings, reportSafePositive, isSafeContentType }
       },
       ruleScopes,
     },
   } = core;
 
   const reflectedXss = core.assess.dataflow.sinks.express.reflectedXss = {};
-  const inspect = patcher.unwrap(util.inspect);
 
   const safeTags = [
     `excluded:${ruleId}`,
@@ -81,7 +79,11 @@ module.exports = function(core) {
           name,
           patchType,
           around: (next, data) => {
-            if (!getSourceContext(RULE, ruleId)) return next();
+            const sourceContext = getSourceContext(RULE, ruleId);
+            if (!sourceContext) return next();
+
+            const { contentType } = sourceContext.responseData;
+            if (contentType && isSafeContentType(contentType)) return next();
 
             const [str] = data.args;
 
@@ -96,7 +98,7 @@ module.exports = function(core) {
                   tracked: true,
                   value: strInfo.value,
                 }],
-                context: `response.${method}(${inspect(strInfo.value)})`,
+                context: `response.${method}('${strInfo.value}')`,
                 history: [strInfo],
                 name,
                 moduleName: 'express',

package/lib/dataflow/sinks/install/express/unvalidated-redirect.js

@@ -15,7 +15,6 @@
 
 'use strict';
 
-const util = require('util');
 const {
   Rule: { UNVALIDATED_REDIRECT: ruleId },
   DataflowTag: {
@@ -46,6 +45,7 @@ module.exports = function(core) {
     patcher,
     config,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
@@ -56,7 +56,6 @@ module.exports = function(core) {
   } = core;
 
   const unvalidatedRedirect = core.assess.dataflow.sinks.express.unvalidatedRedirect = {};
-  const inspect = patcher.unwrap(util.inspect);
 
   const safeTags = [
     `excluded:${ruleId}`,

package/lib/dataflow/sinks/install/fastify/unvalidated-redirect.js

@@ -15,7 +15,6 @@
 
 'use strict';
 
-const util = require('util');
 const {
   Rule: { UNVALIDATED_REDIRECT: ruleId },
   DataflowTag: {
@@ -65,6 +64,7 @@ module.exports = function(core) {
     depHooks,
     patcher,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
@@ -76,8 +76,6 @@ module.exports = function(core) {
   const unvalidatedRedirect =
     (core.assess.dataflow.sinks.fastify.unvalidatedRedirect = {});
 
-  const inspect = patcher.unwrap(util.inspect);
-
   const safeTags = [
     `excluded:${ruleId}`,
     CUSTOM_ENCODED,

package/lib/dataflow/sinks/install/fs.js

@@ -25,7 +25,6 @@ const {
   },
   FS_METHODS,
   Rule: { PATH_TRAVERSAL: ruleId },
-  inspect,
   isString,
   join,
 } = require('@contrast/common');
@@ -36,6 +35,7 @@ module.exports = function(core) {
     depHooks,
     patcher,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {

package/lib/dataflow/sinks/install/function.js

@@ -17,7 +17,6 @@
 
 const {
   isString,
-  inspect,
   join,
   DataflowTag: {
     UNTRUSTED,
@@ -47,6 +46,7 @@ module.exports = function (core) {
     logger,
     patcher,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {

package/lib/dataflow/sinks/install/hapi/unvalidated-redirect.js

@@ -15,7 +15,6 @@
 
 'use strict';
 
-const util = require('util');
 const {
   Rule: { UNVALIDATED_REDIRECT: ruleId },
   DataflowTag: {
@@ -46,6 +45,7 @@ module.exports = function(core) {
     patcher,
     config,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
@@ -56,7 +56,6 @@ module.exports = function(core) {
   } = core;
 
   const unvalidatedRedirect = core.assess.dataflow.sinks.hapi.unvalidatedRedirect = {};
-  const inspect = patcher.unwrap(util.inspect);
 
   const safeTags = [
     `excluded:${ruleId}`,

package/lib/dataflow/sinks/install/http/request.js

@@ -17,7 +17,6 @@
 
 const Url = require('url');
 const {
-  inspect,
   isString,
   DataflowTag: {
     UNTRUSTED,
@@ -46,6 +45,7 @@ module.exports = function(core) {
     depHooks,
     patcher,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
@@ -104,11 +104,12 @@ module.exports = function(core) {
           pre(data) {
             if (!getSourceContext(RULE, ruleId)) return;
 
-            const [req] = data.args;
-            if (!req) return;
+            // url <string> |<URL>
+            const [urlArg] = data.args;
+            if (!urlArg) return;
 
             ['host', 'hostname', 'localAddress', 'protocol'].forEach((key) => {
-              const value = getValueFromReq(req, key);
+              const value = getValueFromReq(urlArg, key);
               if (!value) return;
 
               const strInfo = tracker.getData(value);
@@ -116,7 +117,7 @@ module.exports = function(core) {
 
               if (containsTrustedLib(strInfo.stack)) return;
 
-              const arg0 = isString(req) ? req : inspect(req);
+              const arg0 = isString(urlArg) ? urlArg : inspect(urlArg);
               const idx = arg0.indexOf(value);
               const urlTags = createAppendTags({}, strInfo.tags, idx);
 

package/lib/dataflow/sinks/install/koa/unvalidated-redirect.js

@@ -15,7 +15,6 @@
 
 'use strict';
 
-const util = require('util');
 const {
   DataflowTag: {
     UNTRUSTED,
@@ -47,6 +46,7 @@ module.exports = function(core) {
     patcher,
     config,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
@@ -56,7 +56,7 @@ module.exports = function(core) {
     },
   } = core;
 
-  const inspect = patcher.unwrap(util.inspect);
+
   const safeTags = [
     `excluded:${ruleId}`,
     CUSTOM_ENCODED,

package/lib/dataflow/sinks/install/libxmljs.js

@@ -23,7 +23,6 @@ const {
     ALPHANUM_SPACE_HYPHEN,
     LIMITED_CHARS,
   },
-  inspect
 } = require('@contrast/common');
 const { InstrumentationType: { RULE } } = require('../../../constants');
 const { patchType } = require('../common');
@@ -48,6 +47,7 @@ module.exports = function(core) {
     depHooks,
     patcher,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {

package/lib/dataflow/sinks/install/marsdb.js

@@ -14,7 +14,6 @@
  */
 'use strict';
 
-const util = require('util');
 const {
   traverseValues,
   Rule: { NOSQL_INJECTION_MONGO: ruleId },
@@ -51,6 +50,7 @@ module.exports = function (core) {
     logger,
     patcher,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
@@ -61,7 +61,6 @@ module.exports = function (core) {
   } = core;
 
   const instr = core.assess.dataflow.sinks.marsdb = {};
-  const inspect = patcher.unwrap(util.inspect);
 
   function getVulnerabilityInfo(query) {
     let vulnInfo = null;

package/lib/dataflow/sinks/install/mongodb.js

@@ -28,7 +28,6 @@ const {
   isNonEmptyObject,
   traverseValues,
   isString,
-  inspect
 } = require('@contrast/common');
 const { InstrumentationType: { RULE } } = require('../../../constants');
 const utils = require('../../tag-utils');
@@ -83,6 +82,7 @@ module.exports = function (core) {
     logger,
     patcher,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {

package/lib/dataflow/sinks/install/mysql.js

@@ -28,7 +28,6 @@ const {
     UNTRUSTED
   },
   isString,
-  inspect,
 } = require('@contrast/common');
 const { InstrumentationType: { RULE } } = require('../../../constants');
 
@@ -54,6 +53,7 @@ module.exports = function(core) {
     depHooks,
     patcher,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {

package/lib/dataflow/sinks/install/postgres.js

@@ -15,7 +15,6 @@
 
 'use strict';
 
-const util = require('util');
 const {
   DataflowTag: {
     CUSTOM_VALIDATED,
@@ -43,6 +42,7 @@ module.exports = function(core) {
     depHooks,
     patcher,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
@@ -60,8 +60,6 @@ module.exports = function(core) {
     CUSTOM_ENCODED,
   ];
 
-  const inspect = patcher.unwrap(util.inspect);
-
   const postgres = core.assess.dataflow.sinks.postgres = {};
 
   const preHook = (methodSignature) => (data) => {

package/lib/dataflow/sinks/install/sequelize.js

@@ -15,7 +15,6 @@
 
 'use strict';
 
-const util = require('util');
 const {
   Rule: { SQL_INJECTION: ruleId },
   DataflowTag: {
@@ -42,6 +41,7 @@ module.exports = function (core) {
     patcher,
     config,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
@@ -59,7 +59,6 @@ module.exports = function (core) {
     CUSTOM_ENCODED
   ];
   const requiredTag = UNTRUSTED;
-  const inspect = patcher.unwrap(util.inspect);
 
   const sequelize = (core.assess.dataflow.sinks.sequelize = {});
 

package/lib/dataflow/sinks/install/vm.js

@@ -25,7 +25,6 @@ const {
     LIMITED_CHARS,
   },
   Rule: { UNSAFE_CODE_EXECUTION: ruleId },
-  inspect,
   isNonEmptyObject,
   isString,
   join,
@@ -56,6 +55,7 @@ module.exports = function (core) {
     depHooks,
     patcher,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {

package/lib/dataflow/tag-utils.js

@@ -520,6 +520,21 @@ function createEscapeTagRanges(input, result, tags) {
   return ret;
 }
 
+/**
+ * In reporting args, object, and return values, often the exact value isn't important.
+ * For untracked values that appear in call contexts it can be enough to just try to
+ * report the type of the arg/obj/result.
+ *  Example: the call
+ *  http.request('http://tracked-url', { method: 'post' });
+ *  would have event context string limited to
+ *  http.request('http://tracked-url,Object);
+ *
+ * @param {any} origValue value of event result, object, or arg
+ * @returns {string} the adjusted value for reporting
+ */
+function getAdjustedUntrackedValue(origValue) {
+  return origValue?.constructor?.name ?? (origValue === null ? 'null' : typeof arg);
+}
 
 module.exports = {
   createSubsetTags,
@@ -529,5 +544,6 @@ module.exports = {
   createTagsWithExclusion,
   createAdjustedQueryTags,
   createOverlappingTags,
-  createEscapeTagRanges
+  createEscapeTagRanges,
+  getAdjustedUntrackedValue,
 };

package/lib/index.js

@@ -15,9 +15,12 @@
 
 'use strict';
 
+const { inspect } = require('util');
 const { callChildComponentMethodsSync } = require('@contrast/common');
 
 module.exports = function assess(core) {
+  const { scopes: { instrumentation } } = core;
+
   const assess = core.assess = {
     install() {
       if (!core.config.getEffectiveValue('assess.enable')) {
@@ -30,6 +33,16 @@ module.exports = function assess(core) {
     },
   };
 
+  // todo: this is temporary fix for using inspect during creation of event
+  // data. once all uses of inspect are refactored out of remaining sinks and
+  // propagators etc, this can also be removed.
+  const store = { lock: true, name: 'assess.inspect' };
+  assess.inspect = function(val, opts) {
+    return instrumentation.isLocked() ?
+      inspect(val, opts) :
+      instrumentation.run(store, inspect, val, opts);
+  };
+
   require('./rule-scopes')(core);
   require('./get-policy')(core);
   require('./make-source-context')(core);

package/lib/session-configuration/install/express-session.js

@@ -14,7 +14,6 @@
  */
 'use strict';
 
-const util = require('util');
 const { toLowerCase } = require('@contrast/common');
 const { patchType } = require('../common');
 
@@ -27,6 +26,7 @@ const { patchType } = require('../common');
 module.exports = function (core) {
   const {
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSessionEvent },
       sessionConfiguration: {
@@ -40,8 +40,6 @@ module.exports = function (core) {
 
   const expressSession = core.assess.sessionConfiguration.expressSession = {};
 
-  const inspect = patcher.unwrap(util.inspect);
-
   expressSession.install = function () {
     return depHooks.resolve({ name: 'express-session' }, (session) => {
       // Return the hooked function as the export.

package/lib/session-configuration/install/fastify-cookie.js

@@ -14,7 +14,6 @@
  */
 'use strict';
 
-const { inspect } = require('util');
 const { toLowerCase } = require('@contrast/common');
 const { patchType } = require('../common');
 
@@ -27,6 +26,7 @@ const { patchType } = require('../common');
 module.exports = function (core) {
   const {
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSessionEvent },
       sessionConfiguration: {

package/lib/session-configuration/install/hapi.js

@@ -14,12 +14,12 @@
  */
 'use strict';
 
-const util = require('util');
 const { patchType } = require('../common');
 
 module.exports = function (core) {
   const {
     assess: {
+      inspect, // todo: remove
       eventFactory: { createSessionEvent },
       sessionConfiguration: {
         handleHttpOnly,
@@ -33,8 +33,6 @@ module.exports = function (core) {
 
   const hapiSession = core.assess.sessionConfiguration.hapiSession = {};
 
-  const inspect = patcher.unwrap(util.inspect);
-
   hapiSession.install = function () {
     return depHooks.resolve({ name: '@hapi/hapi', version: '>=18 <22' }, (hapi) => {
       ['server', 'Server'].forEach((server) => {