@contrast/assess 1.28.0 → 1.29.0

package/lib/crypto-analysis/install/crypto.js

@@ -15,11 +15,10 @@
 
 'use strict';
 
-const { inspect } = require('util');
 const {
   Rule,
   isString,
-  toLowerCase,
+  StringPrototypeToLowerCase,
 } = require('@contrast/common');
 const { InstrumentationType: { RULE } } = require('../../constants');
 const { PATCH_TYPE: patchType } = require('../common');
@@ -54,6 +53,7 @@ module.exports = function (core) {
     logger,
     patcher,
     assess: {
+      inspect, // todo: remove
       eventFactory,
       cryptoAnalysis,
       getSourceContext,
@@ -123,7 +123,7 @@ module.exports = function (core) {
               const [alg] = data.args;
               if (!isString(alg) || !getSourceContext(RULE, Rule.CRYPTO_BAD_CIPHERS)) return;
 
-              const algLower = toLowerCase(alg);
+              const algLower = StringPrototypeToLowerCase.call(alg);
               for (const prefix of SAFE_CIPHER_ALGORITHM_PREFIXES) {
                 if (algLower.indexOf(prefix) === 0) return;
               }

package/lib/dataflow/propagation/install/JSON/parse-fn.js

@@ -14,7 +14,7 @@
  */
 'use strict';
 
-const { trim } = require('@contrast/common');
+const { StringPrototypeTrim } = require('@contrast/common');
 
 function isNumber(value) {
   return !isNaN(value);
@@ -31,7 +31,7 @@ function array(input, index, accumulator) {
       break;
     }
 
-    if (trim(cv) === '' || (valueIndexes.length > 0 && cv === ',')) {
+    if (StringPrototypeTrim.call(cv) === '' || (valueIndexes.length > 0 && cv === ',')) {
       index += 1;
       continue;
     }
@@ -136,7 +136,7 @@ function object(value, index, accumulator) {
     }
 
     if (
-      trim(cv) === '' ||
+      StringPrototypeTrim.call(cv) === '' ||
       (cv === ':' && keyIndexesLength > 0) ||
       (cv === ',' && areKeysEqualToValues)
     ) {
@@ -214,10 +214,10 @@ function getStartEndIndices(input) {
   let startCharIdx = 0;
   let endCharIdx = input.length - 1;
 
-  while (!trim(input[startCharIdx])) {
+  while (!StringPrototypeTrim.call(input[startCharIdx])) {
     startCharIdx++;
   }
-  while (!trim(input[endCharIdx])) {
+  while (!StringPrototypeTrim.call(input[endCharIdx])) {
     endCharIdx--;
   }
   return [startCharIdx, endCharIdx];

package/lib/dataflow/propagation/install/JSON/parse.js

@@ -15,7 +15,7 @@
 
 'use strict';
 
-const { isString, inspect } = require('@contrast/common');
+const { isString } = require('@contrast/common');
 const { createSubsetTags } = require('../../../tag-utils');
 const { patchType } = require('../../common');
 const { getKeyValueIndices } = require('./parse-fn');
@@ -75,7 +75,7 @@ module.exports = function (core) {
       moduleName: 'JSON',
       methodName: 'parse',
       object: {
-        value: inspect(data.obj),
+        value: 'JSON',
         tracked: false,
       },
       args: eventArgs,
@@ -97,7 +97,7 @@ module.exports = function (core) {
   return core.assess.dataflow.propagation.jsonInstrumentation.parse = {
     install() {
       patcher.patch(JSON, 'parse', {
-        name: 'JSON.prototype.parse',
+        name: 'JSON.parse',
         patchType,
         pre(data) {
           if (!data.args[0] || !sources.getStore()?.assess || instrumentation.isLocked()) return;

package/lib/dataflow/propagation/install/JSON/stringify.js

@@ -16,14 +16,19 @@
 'use strict';
 
 const {
-  createMergedTags
-} = require('../../../tag-utils');
-const { isString, inspect, replace, match, matchAll, slice } = require('@contrast/common');
-const { patchType } = require('../../common');
+  isString,
+  ArrayPrototypeSlice,
+  StringPrototypeReplace,
+  StringPrototypeMatch,
+  StringPrototypeMatchAll,
+  StringPrototypeSlice,
+} = require('@contrast/common');
 const crypto = require('crypto');
+const { createMergedTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
+const { patchType } = require('../../common');
 
 function makeCanary() {
-  return replace(
+  return StringPrototypeReplace.call(
     crypto
       .randomBytes(12)
       .toString('base64'),
@@ -84,12 +89,12 @@ module.exports = function(core) {
   function getUntrustedSpaceProps(space) {
     // it can't be a problem if it's not a string, if the string is all spaces, or
     // if the string is zero length.
-    if (!isString(space) || match(space, /^\s+$/) || !space) {
+    if (!isString(space) || StringPrototypeMatch.call(space, /^\s+$/) || !space) {
       return null;
     }
 
 
-    const props = tracker.getData(slice(space, 0, 10));
+    const props = tracker.getData(StringPrototypeSlice.call(space, 0, 10));
     if (!props || !Object.keys(props.tags).length) {
       return null;
     }
@@ -100,10 +105,10 @@ module.exports = function(core) {
 
   function createSpaceTagRanges(result, metadata) {
     const tags = {};
-    const spaceValue = slice(metadata.origArgs[2], 0, 10);
+    const spaceValue = StringPrototypeSlice.call(metadata.origArgs[2], 0, 10);
     const { spaceProps: { tags: spacePropsTags } } = metadata;
 
-    const spaces = Array.from(matchAll(result, new RegExp(`(?<=\\n)(${spaceValue})+?(?=\\d|"|null|]|})`, 'g')));
+    const spaces = Array.from(StringPrototypeMatchAll.call(result, new RegExp(`(?<=\\n)(${spaceValue})+?(?=\\d|"|null|]|})`, 'g')));
 
     for (const space of spaces) {
       const match = space[0];
@@ -132,7 +137,7 @@ module.exports = function(core) {
     let canaryReplacementDiff = 0;
     // for each marker in the stringify's result, remove the marker and
     // create a TagRange for the value.
-    return replace(result, metadata.regex, (m, id, offset) => {
+    return StringPrototypeReplace.call(result, metadata.regex, (m, id, offset) => {
       // adjust offset by total characters removed so far
       offset = offset - canaryReplacementDiff + 1;
       // we don't replace the opening " in the regex - that just makes sure
@@ -157,7 +162,7 @@ module.exports = function(core) {
   return core.assess.dataflow.propagation.jsonInstrumentation.stringify = {
     install() {
       patcher.patch(JSON, 'stringify', {
-        name: 'JSON.prototype.stringify',
+        name: 'JSON.stringify',
         patchType,
         pre(data) {
           if (!sources.getStore()?.assess || instrumentation.isLocked()) return;
@@ -169,7 +174,7 @@ module.exports = function(core) {
           // context used by the post hook.
           data.metadata = {
             history: new Set(),
-            origArgs: data.args.slice(),
+            origArgs: ArrayPrototypeSlice.call(data.args),
             strInfos: {},
             propagate: false,
             regex,
@@ -246,21 +251,23 @@ module.exports = function(core) {
             methodName: 'stringify',
             history: Array.from(metadata.history),
             object: {
-              value: inspect(data.obj),
+              value: 'JSON',
               tracked: false
             },
             args: [
               {
-                value: inspect(metadata.origArgs[0]),
+                value: getAdjustedUntrackedValue(metadata.origArgs[0]),
                 tracked: false
               },
               (metadata.origArgs[1] && {
-                value: inspect(metadata.origArgs[1]),
+                value: getAdjustedUntrackedValue(metadata.origArgs[1]),
                 tracked: false
               }),
               (metadata.origArgs[2] && {
-                value: inspect(metadata.origArgs[2]),
-                tracked: !!metadata.spaceProps
+                tracked: !!metadata.spaceProps,
+                value: metadata.spaceProps ?
+                  `'${metadata.origArgs[2]}'` :
+                  getAdjustedUntrackedValue(metadata.origArgs[2]),
               })
             ].filter(Boolean),
             result: {

package/lib/dataflow/propagation/install/array-prototype-join.js

@@ -15,7 +15,7 @@
 
 'use strict';
 
-const { isString, join, inspect } = require('@contrast/common');
+const { isString, ArrayPrototypeJoin, UtilInspect } = require('@contrast/common');
 const { InstrumentationType: { PROPAGATOR } } = require('../../../constants');
 const { createAppendTags } = require('../../tag-utils');
 const { patchType } = require('../common');
@@ -79,7 +79,7 @@ module.exports = function(core) {
           const initHistory = delimiterInfo ? new Set([delimiterInfo]) : new Set();
           const { newTags, newHistory: history } = accumulateTags(obj, {}, 0, initHistory, delimiterLength, delimiterInfo?.tags);
           const object = {
-            value: obj && join(obj),
+            value: obj && ArrayPrototypeJoin.call(obj),
             tracked: false
           };
 
@@ -93,7 +93,7 @@ module.exports = function(core) {
               name,
               moduleName: 'Array',
               methodName: 'prototype.join',
-              context: `${object.value}.join('${inspect(args[0].value) || ''})`,
+              context: `${object.value}.join('${UtilInspect(args[0].value) || ''})`,
               object,
               result: {
                 value: resultInfo ? resultInfo.value : result,

package/lib/dataflow/propagation/install/buffer.js

@@ -14,14 +14,16 @@
  */
 'use strict';
 
+const { isString, ArrayPrototypeJoin, StringPrototypeSubstring } = require('@contrast/common');
 const { InstrumentationType: { PROPAGATOR } } = require('../../../constants');
+const { getAdjustedUntrackedValue } = require('../../tag-utils');
 const { patchType } = require('../common');
 
 module.exports = function(core) {
   const {
     assess: {
       getSourceContext,
-      eventFactory,
+      eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     },
     patcher,
@@ -30,6 +32,7 @@ module.exports = function(core) {
   return core.assess.dataflow.propagation.bufferInstrumentation = {
     install() {
       const name = 'global.Buffer.prototype.toString';
+      const bufferToString = patcher.unwrap(Buffer.prototype.toString);
 
       patcher.patch(global.Buffer.prototype, 'toString', {
         patchType,
@@ -44,7 +47,7 @@ module.exports = function(core) {
             return;
           }
 
-          const event = eventFactory.createPropagationEvent({
+          const event = createPropagationEvent({
             args: data.args.map((a) => ({ tracked: false, value: a })),
             moduleName: 'Buffer',
             methodName: 'prototype.toString',
@@ -74,8 +77,63 @@ module.exports = function(core) {
           }
         }
       });
+
+      patcher.patch(global.Buffer, 'from', {
+        patchType,
+        name,
+        post(data) {
+          const firstArg = data.args[0];
+          const argType = isString(firstArg) ? 'string' : Buffer.isBuffer(firstArg) ? 'buffer' : null;
+          // this method supports a number of type overloads. we handle when first arg matches these
+          const typeSupported = argType == 'string' || argType == 'buffer';
+
+          if (
+            !data.args[0] ||
+            !typeSupported ||
+            !getSourceContext(PROPAGATOR)
+          ) return;
+
+          const trkInfo = tracker.getData(data.args[0]);
+          if (trkInfo) {
+            const args = data.args.map((arg, i) => {
+              if (i == 0) {
+                const value = argType == 'string' ? arg : bufferToString.call(arg);
+                // todo (NODE-3455): make sure tag ranges are included in substring
+                return { tracked: true, value: StringPrototypeSubstring.call(value, 0, 50) };
+              } else {
+                return { tracked: false, value: getAdjustedUntrackedValue(arg) };
+              }
+            });
+
+            const event = createPropagationEvent({
+              args,
+              moduleName: 'Buffer',
+              methodName: 'from',
+              context: `Buffer.from(${ArrayPrototypeJoin.call(args.map((a) => a.value))})`,
+              object: { tracked: true, value: 'Buffer' },
+              history: [trkInfo],
+              name,
+              result: {
+                tracked: true,
+                value: args[0].value,
+              },
+              source: 'P0',
+              tags: trkInfo.tags,
+              stacktraceOpts: {
+                constructorOpt: data.hooked,
+                prependFrames: [data.orig]
+              },
+              target: 'R',
+            });
+            if (event) {
+              tracker.track(data.result, event);
+            }
+          }
+        },
+      });
     },
     uninstall() {
+      global.Buffer.from = patcher.unwrap(global.Buffer.from);
       global.Buffer.prototype.toString = patcher.unwrap(global.Buffer.prototype.toString);
     }
   };

package/lib/dataflow/propagation/install/contrast-methods/add.js

@@ -15,21 +15,19 @@
 
 'use strict';
 
-const util = require('util');
 const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { createAppendTags } = require('../../../tag-utils');
 
 module.exports = function(core) {
   const {
-    patcher,
     assess: {
+      inspect,
       getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }
   } = core;
 
-  const inspect = patcher.unwrap(util.inspect);
   const origSym = Symbol('ContrastMethods.add.orig');
 
   return core.assess.dataflow.propagation.contrastMethodsInstrumentation.add = {

package/lib/dataflow/propagation/install/ejs/template.js

@@ -16,7 +16,7 @@
 'use strict';
 
 const { EOL } = require('os');
-const { join } = require('@contrast/common');
+const { ArrayPrototypeJoin } = require('@contrast/common');
 const { patchType } = require('../../common');
 const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 
@@ -39,11 +39,11 @@ module.exports = function (core) {
 
   /** @type {import('@contrast/rewriter').RewriteOpts} */
   const REWRITE_OPTS = { isModule: false, inject: false, wrap: false, trim: true };
-  const WRAPPER_PREFIX = join([
+  const WRAPPER_PREFIX = ArrayPrototypeJoin.call([
     'function tempWrapper() {',
     'function __append(s) { if (s !== undefined && s !== null) __output += s }'
   ], EOL);
-  const WRAPPER_SUFFIX = join([
+  const WRAPPER_SUFFIX = ArrayPrototypeJoin.call([
     EOL,
     'return __output;',
     '}',

package/lib/dataflow/propagation/install/joi/boolean.js

@@ -17,7 +17,6 @@
 
 const {
   DataflowTag: { ALPHANUM_SPACE_HYPHEN },
-  inspect,
 } = require('@contrast/common');
 const { patchType } = require('../../common');
 
@@ -27,6 +26,7 @@ module.exports = function(core) {
     scopes: { sources, instrumentation },
     patcher,
     assess: {
+      inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
     },

package/lib/dataflow/propagation/install/joi/expression.js

@@ -17,7 +17,6 @@
 
 const {
   DataflowTag: { HTML_ENCODED },
-  inspect,
 } = require('@contrast/common');
 const { patchType } = require('../../common');
 
@@ -27,6 +26,7 @@ module.exports = function(core) {
     scopes: { sources, instrumentation },
     patcher,
     assess: {
+      inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
     },

package/lib/dataflow/propagation/install/joi/index.js

@@ -20,7 +20,6 @@ const {
   isString,
   isNonEmptyObject,
   traverseValues,
-  inspect,
 } = require('@contrast/common');
 const { patchType } = require('../../common');
 const { tagCustomValidatedString, handleReferences } = require('./utils');
@@ -30,6 +29,7 @@ module.exports = function(core) {
     patcher,
     scopes: { sources, instrumentation },
     assess: {
+      inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
     },

package/lib/dataflow/propagation/install/joi/keys.js

@@ -16,7 +16,8 @@
 'use strict';
 
 const {
-  isNonEmptyObject, join,
+  isNonEmptyObject,
+  ArrayPrototypeJoin,
 } = require('@contrast/common');
 const { patchType } = require('../../common');
 
@@ -39,16 +40,16 @@ module.exports = function(core) {
       });
     }
 
-    let path = join(refTargetPath, '.');
+    let path = ArrayPrototypeJoin.call(refTargetPath, '.');
 
     if (isInReference) {
-      path = join(refTargetPath.slice(0, -1), '.');
+      path = ArrayPrototypeJoin.call(refTargetPath.slice(0, -1), '.');
       schema.__CONTRAST__.inReferenceTargets.add(path);
       refPath = refPath.slice(0, -1);
     }
 
     const refs = schema.__CONTRAST__.refTargets[path] || [];
-    refs.push(join(refPath, '.'));
+    refs.push(ArrayPrototypeJoin.call(refPath, '.'));
     schema.__CONTRAST__.refTargets[path] = refs;
   }
 

package/lib/dataflow/propagation/install/joi/number.js

@@ -17,7 +17,6 @@
 
 const {
   DataflowTag: { LIMITED_CHARS },
-  inspect,
 } = require('@contrast/common');
 const { patchType } = require('../../common');
 
@@ -27,6 +26,7 @@ module.exports = function(core) {
     scopes: { sources, instrumentation },
     patcher,
     assess: {
+      inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
     },

package/lib/dataflow/propagation/install/joi/string-schema.js

@@ -17,11 +17,11 @@
 
 const {
   DataflowTag: { ALPHANUM_SPACE_HYPHEN, LIMITED_CHARS, STRING_TYPE_CHECKED },
-  inspect,
 } = require('@contrast/common');
-const { handleReferences } = require('./utils');
 const { createFullLengthCopyTags } = require('../../../tag-utils');
 const { patchType } = require('../../common');
+const { handleReferences } = require('./utils');
+
 const VALIDATORS = {
   base64: ALPHANUM_SPACE_HYPHEN,
   guid: ALPHANUM_SPACE_HYPHEN,
@@ -42,6 +42,7 @@ module.exports = function(core) {
     scopes: { sources, instrumentation },
     patcher,
     assess: {
+      inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: {
         tracker, propagation: {

package/lib/dataflow/propagation/install/joi/utils.js

@@ -15,12 +15,16 @@
 
 'use strict';
 
-const { split, DataflowTag: { CUSTOM_VALIDATED }, join } = require('@contrast/common');
+const {
+  StringPrototypeSplit,
+  ArrayPrototypeJoin,
+  DataflowTag: { CUSTOM_VALIDATED }
+} = require('@contrast/common');
 
 function getRefInstancesTrackingData(tracker, obj, refInstancesPaths) {
   return refInstancesPaths
     .map((referenceInstance) => {
-      const value = split(referenceInstance, '.').reduce(
+      const value = StringPrototypeSplit.call(referenceInstance, '.').reduce(
         (acc, v) => acc[v] || acc,
         obj
       );
@@ -70,10 +74,10 @@ function tagCustomValidatedString(createPropagationEvent, strInfo, metadata) {
 
 function handleReferences(tracker, schema, validationFn) {
   const contrastData = schema?.schema?.__CONTRAST__;
-  let refTargetPath = contrastData && join(schema.state.path, '.');
-  const inReferenceTargetPath = contrastData && join(schema.state.path.slice(0, -1), '.');
+  let refTargetPath = contrastData && ArrayPrototypeJoin.call(schema.state.path, '.');
+  const inReferenceTargetPath = contrastData && ArrayPrototypeJoin.call(schema.state.path.slice(0, -1), '.');
   if (contrastData?.inReferenceTargets.has(inReferenceTargetPath)) {
-    refTargetPath = join(
+    refTargetPath = ArrayPrototypeJoin.call(
       schema.state.path.slice(0, -1),
       '.'
     );

package/lib/dataflow/propagation/install/joi/values.js

@@ -16,7 +16,7 @@
 'use strict';
 
 const {
-  isNonEmptyObject, isString, inspect, traverseValues, join
+  isNonEmptyObject, isString, traverseValues, ArrayPrototypeJoin
 } = require('@contrast/common');
 const { createMergedTags } = require('../../../tag-utils');
 const { patchType } = require('../../common');
@@ -27,6 +27,7 @@ module.exports = function(core) {
     scopes: { sources, instrumentation },
     patcher,
     assess: {
+      inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
     },
@@ -57,13 +58,13 @@ module.exports = function(core) {
 
 
         if (result.ref) {
-          const targetAbsolutePath = join(result.ref.absolute(state), '.');
+          const targetAbsolutePath = ArrayPrototypeJoin.call(result.ref.absolute(state), '.');
 
           if (isString(value)) {
             validateStringReferenceValue(value, result.value, result.ref, targetAbsolutePath, metadata);
           } else if (isNonEmptyObject(value)) {
             traverseValues(value, (path, _type, v) => {
-              validateStringReferenceValue(v, result.value, result.ref, join([...targetAbsolutePath, ...path], '.'), metadata, path);
+              validateStringReferenceValue(v, result.value, result.ref, ArrayPrototypeJoin.call([...targetAbsolutePath, ...path], '.'), metadata, path);
             });
           }
         } else if (data.obj?._values.has(data.result?.value)) {

package/lib/dataflow/propagation/install/mongoose/schema-map.js

@@ -15,7 +15,7 @@
 'use strict';
 const { patchType } = require('../../common');
 const { userDefinedType } = require('./common');
-const { traverseValues, DataflowTag, substring } = require('@contrast/common');
+const { traverseValues, DataflowTag, StringPrototypeSubstring } = require('@contrast/common');
 
 module.exports = function (core) {
   const {
@@ -36,7 +36,7 @@ module.exports = function (core) {
   mongooseInstrumentation.schemaMap = schemaMap;
 
   const handleString = (strInfo, orig, value, name) => {
-    const methodName = substring(name, name.indexOf('.') + 1);
+    const methodName = StringPrototypeSubstring.call(name, name.indexOf('.') + 1);
 
     // copy because we mutate the metadata value inline
     const history = [{ ...strInfo }];

package/lib/dataflow/propagation/install/mongoose/schema-mixed.js

@@ -15,7 +15,7 @@
 'use strict';
 const { patchType } = require('../../common');
 const { userDefinedType } = require('./common');
-const { traverseValues, DataflowTag, substring } = require('@contrast/common');
+const { traverseValues, DataflowTag, StringPrototypeSubstring } = require('@contrast/common');
 
 module.exports = function (core) {
   const {
@@ -36,7 +36,7 @@ module.exports = function (core) {
   mongooseInstrumentation.schemaMixed = schemaMixed;
 
   const handleString = (strInfo, orig, value, name) => {
-    const methodName = substring(name, name.indexOf('.') + 1);
+    const methodName = StringPrototypeSubstring.call(name, name.indexOf('.') + 1);
 
     // copy because we mutate the metadata value inline
     const history = [{ ...strInfo }];

package/lib/dataflow/propagation/install/mongoose/schema-string.js

@@ -15,7 +15,7 @@
 
 'use strict';
 
-const { DataflowTag, substring } = require('@contrast/common');
+const { DataflowTag, StringPrototypeSubstring } = require('@contrast/common');
 const { patchType } = require('../../common');
 const { userDefinedType } = require('./common');
 
@@ -141,7 +141,7 @@ module.exports = function (core) {
     const strInfo = tracker.getData(value);
     if (!strInfo) return;
 
-    const methodName = substring(name, name.indexOf('.') + 1);
+    const methodName = StringPrototypeSubstring.call(name, name.indexOf('.') + 1);
     // copy because we mutate the metadata value inline
     const history = [{ ...strInfo }];
     const event = createPropagationEvent({

package/lib/dataflow/propagation/install/path/basename.js

@@ -14,7 +14,7 @@
  */
 
 'use strict';
-const { isString, join } = require('@contrast/common');
+const { isString, ArrayPrototypeJoin } = require('@contrast/common');
 const { patchType } = require('../../common');
 const {
   excludeExtensionDotFromTags,
@@ -82,7 +82,7 @@ module.exports = function(core) {
                 name,
                 moduleName: 'path',
                 methodName: 'basename',
-                context: `path.basename(${join(args.map(a => `'${a.value}'`))})`,
+                context: `path.basename(${ArrayPrototypeJoin.call(args.map(a => `'${a.value}'`))})`,
                 history: [strInfo],
                 object: {
                   value: 'path',