@contrast/assess 1.28.0 → 1.29.0

package/lib/dataflow/propagation/install/url/searchParams.js

@@ -16,7 +16,7 @@
 'use strict';
 
 const { patchType } = require('../../common');
-const { inspect, isString } = require('@contrast/common');
+const { isString } = require('@contrast/common');
 
 module.exports = function(core) {
   const {
@@ -24,6 +24,7 @@ module.exports = function(core) {
     patcher,
     depHooks,
     assess: {
+      inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }

package/lib/dataflow/propagation/install/url/url.js

@@ -15,7 +15,6 @@
 
 'use strict';
 
-const { inspect } = require('@contrast/common');
 const { patchType } = require('../../common');
 
 module.exports = function(core) {
@@ -24,6 +23,7 @@ module.exports = function(core) {
     patcher,
     depHooks,
     assess: {
+      inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }

package/lib/dataflow/sinks/index.js

@@ -82,6 +82,7 @@ module.exports = function (core) {
   require('./install/mysql')(core);
   require('./install/node-serialize')(core);
   require('./install/postgres')(core);
+  require('./install/restify')(core);
   require('./install/sequelize')(core);
   require('./install/sqlite3')(core);
   require('./install/vm')(core);

package/lib/dataflow/sinks/install/child-process.js

@@ -16,10 +16,9 @@
 'use strict';
 const {
   DataflowTag: { UNTRUSTED },
-  join,
+  ArrayPrototypeJoin,
   Rule: { CMD_INJECTION: ruleId },
   isString,
-  inspect,
 } = require('@contrast/common');
 const { InstrumentationType: { RULE } } = require('../../../constants');
 const { patchType } = require('../common');
@@ -35,6 +34,7 @@ module.exports = function(core) {
     depHooks,
     patcher,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
@@ -81,7 +81,7 @@ module.exports = function(core) {
       name,
       moduleName: 'child_process',
       methodName: method,
-      context: `child_process.${method}(${join(args.map((a, idx) => idx === 0 ? `'${a.value}'` : a.value), ', ')})`,
+      context: `child_process.${method}(${ArrayPrototypeJoin.call(args.map((a, idx) => idx === 0 ? `'${a.value}'` : a.value), ', ')})`,
       history: [strInfo],
       object: {
         value: 'child_process',
@@ -167,7 +167,7 @@ module.exports = function(core) {
       name,
       moduleName: 'child_process',
       methodName: method,
-      context: `child_process.${method}(${join(args.map((a, idx) => idx === 0 ? `'${a.value}'` : a.value), ', ')})`,
+      context: `child_process.${method}(${ArrayPrototypeJoin.call(args.map((a, idx) => idx === 0 ? `'${a.value}'` : a.value), ', ')})`,
       history: [trackedArgs[vulnerableArgIdx]],
       object: {
         value: 'child_process',

package/lib/dataflow/sinks/install/express/reflected-xss.js

@@ -15,7 +15,6 @@
 
 'use strict';
 
-const util = require('util');
 const {
   Rule: { REFLECTED_XSS: ruleId },
   DataflowTag: {
@@ -52,14 +51,13 @@ module.exports = function(core) {
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
-        sinks: { isVulnerable, reportFindings, reportSafePositive }
+        sinks: { isVulnerable, reportFindings, reportSafePositive, isSafeContentType }
       },
       ruleScopes,
     },
   } = core;
 
   const reflectedXss = core.assess.dataflow.sinks.express.reflectedXss = {};
-  const inspect = patcher.unwrap(util.inspect);
 
   const safeTags = [
     `excluded:${ruleId}`,
@@ -81,7 +79,11 @@ module.exports = function(core) {
           name,
           patchType,
           around: (next, data) => {
-            if (!getSourceContext(RULE, ruleId)) return next();
+            const sourceContext = getSourceContext(RULE, ruleId);
+            if (!sourceContext) return next();
+
+            const { contentType } = sourceContext.responseData;
+            if (contentType && isSafeContentType(contentType)) return next();
 
             const [str] = data.args;
 
@@ -96,7 +98,7 @@ module.exports = function(core) {
                   tracked: true,
                   value: strInfo.value,
                 }],
-                context: `response.${method}(${inspect(strInfo.value)})`,
+                context: `response.${method}('${strInfo.value}')`,
                 history: [strInfo],
                 name,
                 moduleName: 'express',

package/lib/dataflow/sinks/install/express/unvalidated-redirect.js

@@ -15,7 +15,6 @@
 
 'use strict';
 
-const util = require('util');
 const {
   Rule: { UNVALIDATED_REDIRECT: ruleId },
   DataflowTag: {
@@ -46,6 +45,7 @@ module.exports = function(core) {
     patcher,
     config,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
@@ -56,7 +56,6 @@ module.exports = function(core) {
   } = core;
 
   const unvalidatedRedirect = core.assess.dataflow.sinks.express.unvalidatedRedirect = {};
-  const inspect = patcher.unwrap(util.inspect);
 
   const safeTags = [
     `excluded:${ruleId}`,

package/lib/dataflow/sinks/install/fastify/unvalidated-redirect.js

@@ -15,7 +15,6 @@
 
 'use strict';
 
-const util = require('util');
 const {
   Rule: { UNVALIDATED_REDIRECT: ruleId },
   DataflowTag: {
@@ -65,6 +64,7 @@ module.exports = function(core) {
     depHooks,
     patcher,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
@@ -76,8 +76,6 @@ module.exports = function(core) {
   const unvalidatedRedirect =
     (core.assess.dataflow.sinks.fastify.unvalidatedRedirect = {});
 
-  const inspect = patcher.unwrap(util.inspect);
-
   const safeTags = [
     `excluded:${ruleId}`,
     CUSTOM_ENCODED,

package/lib/dataflow/sinks/install/fs.js

@@ -25,9 +25,8 @@ const {
   },
   FS_METHODS,
   Rule: { PATH_TRAVERSAL: ruleId },
-  inspect,
   isString,
-  join,
+  ArrayPrototypeJoin,
 } = require('@contrast/common');
 const { InstrumentationType: { RULE } } = require('../../../constants');
 
@@ -36,6 +35,7 @@ module.exports = function(core) {
     depHooks,
     patcher,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
@@ -87,7 +87,7 @@ module.exports = function(core) {
         name,
         moduleName,
         methodName: fullMethodName || methodName,
-        context: `${name}(${join(
+        context: `${name}(${ArrayPrototypeJoin.call(
           args.map((a) => inspect(a.value)),
           ', '
         )})`,

package/lib/dataflow/sinks/install/function.js

@@ -17,8 +17,7 @@
 
 const {
   isString,
-  inspect,
-  join,
+  ArrayPrototypeJoin,
   DataflowTag: {
     UNTRUSTED,
     CUSTOM_ENCODED_TRUST_BOUNDARY_VIOLATION,
@@ -47,6 +46,7 @@ module.exports = function (core) {
     logger,
     patcher,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
@@ -114,7 +114,7 @@ module.exports = function (core) {
             });
             const event = createSinkEvent({
               name,
-              context: `${name}(${join(
+              context: `${name}(${ArrayPrototypeJoin.call(
                 args.map((a) => a.inspectedValue),
                 ', '
               )})`,

package/lib/dataflow/sinks/install/hapi/unvalidated-redirect.js

@@ -15,7 +15,6 @@
 
 'use strict';
 
-const util = require('util');
 const {
   Rule: { UNVALIDATED_REDIRECT: ruleId },
   DataflowTag: {
@@ -46,6 +45,7 @@ module.exports = function(core) {
     patcher,
     config,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
@@ -56,7 +56,6 @@ module.exports = function(core) {
   } = core;
 
   const unvalidatedRedirect = core.assess.dataflow.sinks.hapi.unvalidatedRedirect = {};
-  const inspect = patcher.unwrap(util.inspect);
 
   const safeTags = [
     `excluded:${ruleId}`,

package/lib/dataflow/sinks/install/http/request.js

@@ -17,7 +17,6 @@
 
 const Url = require('url');
 const {
-  inspect,
   isString,
   DataflowTag: {
     UNTRUSTED,
@@ -46,6 +45,7 @@ module.exports = function(core) {
     depHooks,
     patcher,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
@@ -104,11 +104,12 @@ module.exports = function(core) {
           pre(data) {
             if (!getSourceContext(RULE, ruleId)) return;
 
-            const [req] = data.args;
-            if (!req) return;
+            // url <string> |<URL>
+            const [urlArg] = data.args;
+            if (!urlArg) return;
 
             ['host', 'hostname', 'localAddress', 'protocol'].forEach((key) => {
-              const value = getValueFromReq(req, key);
+              const value = getValueFromReq(urlArg, key);
               if (!value) return;
 
               const strInfo = tracker.getData(value);
@@ -116,7 +117,7 @@ module.exports = function(core) {
 
               if (containsTrustedLib(strInfo.stack)) return;
 
-              const arg0 = isString(req) ? req : inspect(req);
+              const arg0 = isString(urlArg) ? urlArg : inspect(urlArg);
               const idx = arg0.indexOf(value);
               const urlTags = createAppendTags({}, strInfo.tags, idx);
 

package/lib/dataflow/sinks/install/koa/unvalidated-redirect.js

@@ -15,7 +15,6 @@
 
 'use strict';
 
-const util = require('util');
 const {
   DataflowTag: {
     UNTRUSTED,
@@ -47,6 +46,7 @@ module.exports = function(core) {
     patcher,
     config,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
@@ -56,7 +56,7 @@ module.exports = function(core) {
     },
   } = core;
 
-  const inspect = patcher.unwrap(util.inspect);
+
   const safeTags = [
     `excluded:${ruleId}`,
     CUSTOM_ENCODED,

package/lib/dataflow/sinks/install/libxmljs.js

@@ -23,7 +23,6 @@ const {
     ALPHANUM_SPACE_HYPHEN,
     LIMITED_CHARS,
   },
-  inspect
 } = require('@contrast/common');
 const { InstrumentationType: { RULE } } = require('../../../constants');
 const { patchType } = require('../common');
@@ -48,6 +47,7 @@ module.exports = function(core) {
     depHooks,
     patcher,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {

package/lib/dataflow/sinks/install/marsdb.js

@@ -14,7 +14,6 @@
  */
 'use strict';
 
-const util = require('util');
 const {
   traverseValues,
   Rule: { NOSQL_INJECTION_MONGO: ruleId },
@@ -51,6 +50,7 @@ module.exports = function (core) {
     logger,
     patcher,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
@@ -61,7 +61,6 @@ module.exports = function (core) {
   } = core;
 
   const instr = core.assess.dataflow.sinks.marsdb = {};
-  const inspect = patcher.unwrap(util.inspect);
 
   function getVulnerabilityInfo(query) {
     let vulnInfo = null;

package/lib/dataflow/sinks/install/mongodb.js

@@ -28,7 +28,6 @@ const {
   isNonEmptyObject,
   traverseValues,
   isString,
-  inspect
 } = require('@contrast/common');
 const { InstrumentationType: { RULE } } = require('../../../constants');
 const utils = require('../../tag-utils');
@@ -83,6 +82,7 @@ module.exports = function (core) {
     logger,
     patcher,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {

package/lib/dataflow/sinks/install/mysql.js

@@ -28,7 +28,6 @@ const {
     UNTRUSTED
   },
   isString,
-  inspect,
 } = require('@contrast/common');
 const { InstrumentationType: { RULE } } = require('../../../constants');
 
@@ -54,6 +53,7 @@ module.exports = function(core) {
     depHooks,
     patcher,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {

package/lib/dataflow/sinks/install/postgres.js

@@ -15,7 +15,6 @@
 
 'use strict';
 
-const util = require('util');
 const {
   DataflowTag: {
     CUSTOM_VALIDATED,
@@ -43,6 +42,7 @@ module.exports = function(core) {
     depHooks,
     patcher,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
@@ -60,8 +60,6 @@ module.exports = function(core) {
     CUSTOM_ENCODED,
   ];
 
-  const inspect = patcher.unwrap(util.inspect);
-
   const postgres = core.assess.dataflow.sinks.postgres = {};
 
   const preHook = (methodSignature) => (data) => {

package/lib/dataflow/sinks/install/restify.js

@@ -0,0 +1,208 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const {
+  Rule: { UNVALIDATED_REDIRECT: ruleId },
+  DataflowTag: {
+    UNTRUSTED,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED,
+    HTML_ENCODED,
+    LIMITED_CHARS,
+    URL_ENCODED,
+  },
+  isString,
+  ArrayPrototypeJoin,
+} = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
+const { createAppendTags } = require('../../tag-utils');
+const { patchType } = require('../common');
+
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ *  logger: import('@contrast/logger').Logger,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+*/
+module.exports = function(core) {
+  const {
+    depHooks,
+    patcher,
+    assess: {
+      getSourceContext,
+      eventFactory: { createSinkEvent },
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, reportFindings /*reportSafePositive*/ }
+      },
+      inspect,
+    },
+  } = core;
+
+  const OPTION_FIELDS = ['hostname', 'pathname'];
+  const SAFE_TAGS = [
+    `excluded:${ruleId}`,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED,
+    HTML_ENCODED,
+    LIMITED_CHARS,
+    URL_ENCODED,
+  ];
+
+  function createCommonEventData(data) {
+    return {
+      name: 'restify.Response.redirect',
+      moduleName: 'restify',
+      methodName: 'Response.redirect',
+      object: {
+        tracked: false,
+        value: 'restify.Response',
+      },
+      result: {
+        tracked: false,
+        value: undefined,
+      },
+      stacktraceOpts: {
+        constructorOpt: data.hooked,
+        prependFrames: [data.orig]
+      },
+    };
+  }
+
+  /**
+   * Called when tracked values are on options object argument.
+   * Will return the args coerced to strings values, and the adjusted ranges.
+   * @returns {}
+   */
+  function getAdjustedValues(origArgs, vulns, vulnArgIdx) {
+    let result = '{...';
+    let tags;
+
+    vulns.forEach((vuln, i) => {
+      const sep = i == 0 ? '' : ',';
+      result += `${sep}'${vuln.path[vuln.path.length - 1]}':'`;
+      tags = createAppendTags(tags, vuln.strInfo.tags, result.length);
+      result += `${vuln.strInfo.value}'`;
+    });
+
+    result += '...}';
+
+    const args = origArgs.map((a, i) => i == vulnArgIdx ?
+        { tracked: true, value: result } :
+        { tracked: false, value: a?.constructor?.name || typeof a });
+
+    return { args, tags };
+  }
+
+  return core.assess.dataflow.sinks.restify = {
+    install() {
+      // restify adds functionality to the built-in response via this patch function.
+      // once it returns the request, it'll have been decorated with redirect() method.
+      depHooks.resolve({ name: 'restify', file: 'lib/response.js' }, (responsePatch) => patcher.patch(responsePatch, {
+        name: 'restify.response.patch',
+        patchType,
+        post(data) {
+          patcher.patch(data.args[0].prototype, 'redirect', {
+            patchType,
+            name: 'restify.Response.redirect',
+            pre(data) {
+              if (!getSourceContext(RULE, ruleId)) return;
+
+              let vulnArgIdx;
+              let vulnArgIsString = true;
+
+              if (isString(data.args[0])) {
+                vulnArgIdx = 0; // res.redirect(url, next)
+              } else if (isString(data.args[1])) {
+                vulnArgIdx = 1; // res.redirect(code, url, next)
+              } else if (data.args[0] && typeof data.args[0] === 'object') {
+                vulnArgIdx = 0; // res.redirect(options, next)
+                vulnArgIsString = false;
+              } else {
+                return; // unknown call signature
+              }
+
+              if (vulnArgIsString) {
+                const strInfo = tracker.getData(data.args[vulnArgIdx]);
+                if (strInfo && isVulnerable(UNTRUSTED, SAFE_TAGS, strInfo.tags)) {
+                  const args = data.args.map((arg, idx) => ({
+                    tracked: idx === vulnArgIdx,
+                    value: idx === vulnArgIdx ?
+                      inspect(strInfo.value) :
+                        (arg?.constructor?.name ?? typeof strInfo.value)
+                  }));
+
+                  const sinkEvent = createSinkEvent({
+                    args,
+                    context: `res.redirect(${ArrayPrototypeJoin.call(args.map((a) => a.value))})`,
+                    history: [strInfo],
+                    tags: createAppendTags(null, strInfo.tags, 1), // offset by 1 for formatting as string
+                    source: `P${vulnArgIdx}`,
+                    ...createCommonEventData(data),
+                  });
+
+                  if (sinkEvent) {
+                    reportFindings({ ruleId, sinkEvent });
+                  }
+                }
+              } else {
+                const options = data.args[vulnArgIdx];
+                const vulns = [];
+
+                for (const option of OPTION_FIELDS) {
+                  const strInfo = tracker.getData(options?.[option]);
+                  if (strInfo && isVulnerable(UNTRUSTED, SAFE_TAGS, strInfo.tags)) {
+                    vulns.push({ path: [option], strInfo });
+                  }
+                }
+
+                if (typeof options.query == 'object') {
+                  for (const [key, value] of Object.entries(options.query)) {
+                    const strInfo = tracker.getData(value);
+                    if (strInfo && isVulnerable(UNTRUSTED, SAFE_TAGS, strInfo.tags)) {
+                      vulns.push({ path: ['query', key], strInfo });
+                    }
+                  }
+                }
+
+                if (vulns.length) {
+                  // so events are not duplicated
+                  const history = Array.from(new Set(vulns.map((v) => v.strInfo)));
+                  const { tags, args } = getAdjustedValues(data.args, vulns, vulnArgIdx);
+                  const sinkEvent = createSinkEvent({
+                    args,
+                    context: `res.redirect(${ArrayPrototypeJoin.call(args.map((a) => a.value))})`,
+                    history,
+                    tags,
+                    source: 'P0',
+                    ...createCommonEventData(data),
+
+                  });
+                  if (sinkEvent) {
+                    reportFindings({ ruleId, sinkEvent });
+                  }
+                }
+              }
+            }
+          });
+        }
+      }));
+    }
+  };
+};

package/lib/dataflow/sinks/install/sequelize.js

@@ -15,7 +15,6 @@
 
 'use strict';
 
-const util = require('util');
 const {
   Rule: { SQL_INJECTION: ruleId },
   DataflowTag: {
@@ -42,6 +41,7 @@ module.exports = function (core) {
     patcher,
     config,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
@@ -59,7 +59,6 @@ module.exports = function (core) {
     CUSTOM_ENCODED
   ];
   const requiredTag = UNTRUSTED;
-  const inspect = patcher.unwrap(util.inspect);
 
   const sequelize = (core.assess.dataflow.sinks.sequelize = {});
 

package/lib/dataflow/sinks/install/vm.js

@@ -25,11 +25,10 @@ const {
     LIMITED_CHARS,
   },
   Rule: { UNSAFE_CODE_EXECUTION: ruleId },
-  inspect,
   isNonEmptyObject,
   isString,
-  join,
-  split,
+  ArrayPrototypeJoin,
+  StringPrototypeSplit,
   traverseValues,
 } = require('@contrast/common');
 const { InstrumentationType: { RULE } } = require('../../../constants');
@@ -56,6 +55,7 @@ module.exports = function (core) {
     depHooks,
     patcher,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
@@ -144,7 +144,7 @@ module.exports = function (core) {
   function around(next, { args: origArgs, hooked, orig, name }) {
     if (!getSourceContext(RULE, ruleId) || isLocked(ruleId)) return next();
 
-    const methodPath = split(name, '.');
+    const methodPath = StringPrototypeSplit.call(name, '.');
     const method = methodPath[methodPath.length - 1];
     const idxsToCheck = method === 'runInNewContext' ? [0, 1] : [0];
     const argsInfo = accumulateArgsInfo(origArgs, idxsToCheck);
@@ -204,7 +204,7 @@ module.exports = function (core) {
     if (vulnerableArg) {
       const event = createSinkEvent({
         name,
-        context: `${name}(${join(
+        context: `${name}(${ArrayPrototypeJoin.call(
           argsInfo.map((a) => a.ctxValue),
           ', '
         )})`,