@contrast/assess 1.28.0 → 1.29.0

package/lib/dataflow/sources/handler.js

@@ -19,7 +19,7 @@ const {
   InputType,
   DataflowTag,
   isString,
-  join,
+  ArrayPrototypeJoin,
 } = require('@contrast/common');
 
 module.exports = function (core) {
@@ -137,7 +137,7 @@ module.exports = function (core) {
     }
 
     traverse(_data, (path, fieldName, value, obj) => {
-      const pathName = join(path, '.');
+      const pathName = ArrayPrototypeJoin.call(path, '.');
 
       if (sourceContext.sourceEventsCount >= max) {
         logger.trace({ inputType, sourceName: name }, 'exiting assess source handling - %s max events exceeded', max);

package/lib/dataflow/sources/index.js

@@ -26,6 +26,7 @@ module.exports = function (core) {
   require('./install/fastify')(core);
   require('./install/hapi')(core);
   require('./install/koa')(core);
+  require('./install/restify')(core);
   require('./install/body-parser1')(core);
   require('./install/busboy')(core);
   require('./install/cookie-parser1')(core);

package/lib/dataflow/sources/install/http.js

@@ -15,7 +15,7 @@
 
 'use strict';
 const { patchType } = require('../common');
-const { toLowerCase, InputType } = require('@contrast/common');
+const { StringPrototypeToLowerCase, InputType } = require('@contrast/common');
 
 /**
  * @param {{
@@ -65,13 +65,13 @@ module.exports = function (core) {
               const key = obj[i];
               const value = obj[i + 1];
 
-              if (toLowerCase(key) === 'content-type') {
+              if (StringPrototypeToLowerCase.call(key) === 'content-type') {
                 store.assess.responseData.contentType = value;
               }
             }
           } else if (typeof obj === 'object') {
             for (const [key, value] of Object.entries(obj)) {
-              if (toLowerCase(key) === 'content-type') {
+              if (StringPrototypeToLowerCase.call(key) === 'content-type') {
                 store.assess.responseData.contentType = value;
               }
             }
@@ -85,7 +85,7 @@ module.exports = function (core) {
           patchType,
           pre(data) {
             const [name = '', value] = data.args;
-            if (toLowerCase(name) === 'content-type' && scopes.sources.getStore()?.assess && value) {
+            if (StringPrototypeToLowerCase.call(name) === 'content-type' && scopes.sources.getStore()?.assess && value) {
               store.assess.responseData.contentType = value;
             }
           }

package/lib/dataflow/sources/install/restify/fieldedTextBodyParser.js

@@ -0,0 +1,85 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { InputType: { BODY } } = require('@contrast/common');
+const { InstrumentationType: { SOURCE } } = require('../../../../constants');
+const { patchType } = require('../../common');
+
+module.exports = function init(core) {
+  const {
+    logger,
+    depHooks,
+    patcher,
+    assess: {
+      dataflow: { sources },
+      getSourceContext,
+    },
+  } = core;
+
+  return core.assess.dataflow.sources.restifyInstrumentation.fieldedTextBodyParser = {
+    install() {
+      depHooks.resolve(
+        { name: 'restify', file: 'lib/plugins/fieldedTextBodyParser.js', version: '>=8' },
+        (fieldedTextBodyParser) => patcher.patch(fieldedTextBodyParser, {
+          name: 'restify.plugins.fieldedTextBodyParser',
+          patchType,
+          post(data) {
+            data.result = patcher.patch(data.result, {
+              name: 'restify.plugins.fieldedTextBodyParser.parseFieldedText',
+              patchType,
+              pre(data) {
+                const { args: [req, , next], name, funcKey } = data;
+                data.args[2] = function contrastNext(...args) {
+                  const sourceContext = getSourceContext(SOURCE);
+
+                  if (!sourceContext) {
+                    logger.error({ funcKey }, 'unable to handle source. Missing `sourceContext`');
+                    return next(...args);
+                  }
+
+                  if (sourceContext.parsedBody) {
+                    logger.trace({ funcKey }, 'values already tracked');
+                    return next(...args);
+                  }
+
+                  try {
+                    sources.handle({
+                      context: 'req.body',
+                      data: req.body,
+                      inputType: BODY,
+                      name,
+                      stacktraceOpts: {
+                        constructorOpt: contrastNext,
+                      },
+                      sourceContext,
+                    });
+
+                    sourceContext.parsedBody = true;
+                  } catch (err) {
+                    logger.error({ err, funcKey }, 'unable to handle Restify source');
+                  }
+
+                  return next(...args);
+                };
+              },
+            });
+          }
+        }),
+      );
+    },
+  };
+};

package/lib/dataflow/sources/install/restify/index.js

@@ -0,0 +1,32 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { callChildComponentMethodsSync } = require('@contrast/common');
+
+module.exports = function init(core) {
+  core.assess.dataflow.sources.restifyInstrumentation = {
+    install() {
+      callChildComponentMethodsSync(this, 'install');
+    },
+  };
+
+  require('./fieldedTextBodyParser')(core);
+  require('./jsonBodyParser')(core);
+  require('./router')(core);
+
+  return core.assess.dataflow.sources.restifyInstrumentation;
+};

package/lib/dataflow/sources/install/restify/jsonBodyParser.js

@@ -0,0 +1,109 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { InputType: { JSON_VALUE } } = require('@contrast/common');
+const { InstrumentationType: { SOURCE } } = require('../../../../constants');
+const { patchType } = require('../../common');
+
+module.exports = function init(core) {
+  const {
+    logger,
+    depHooks,
+    patcher,
+    assess: {
+      dataflow: { sources },
+      getSourceContext,
+    },
+  } = core;
+
+  return core.assess.dataflow.sources.restifyInstrumentation.jsonBodyParser = {
+    install() {
+      depHooks.resolve(
+        { name: 'restify', file: 'lib/plugins/jsonBodyParser.js', version: '>=8' },
+        (jsonBodyParser) => patcher.patch(jsonBodyParser, {
+          name: 'restify.plugins.jsonBodyParser',
+          patchType,
+          post(data) {
+            const { args: [opts] } = data;
+            const index = data.result.length - 1;
+
+            data.result[index] = patcher.patch(data.result[index], {
+              name: 'restify.plugins.jsonBodyParser.parseJson',
+              patchType,
+              pre(data) {
+                const { args: [req, , next], name, funcKey } = data;
+
+                data.args[2] = function contrastNext(...args) {
+                  const sourceContext = getSourceContext(SOURCE);
+
+                  if (!sourceContext) {
+                    logger.error({ funcKey }, 'unable to handle source. Missing `sourceContext`');
+                    return next(...args);
+                  }
+
+                  if (sourceContext.parsedBody) {
+                    logger.trace({ funcKey }, 'values already tracked');
+                    return next(...args);
+                  }
+
+                  try {
+                    sources.handle({
+                      context: 'req.body',
+                      data: req.body,
+                      inputType: JSON_VALUE,
+                      name,
+                      stacktraceOpts: {
+                        constructorOpt: contrastNext,
+                      },
+                      sourceContext,
+                    });
+
+                    sourceContext.parsedBody = true;
+                  } catch (err) {
+                    logger.error({ err, funcKey }, 'unable to handle Restify source');
+                  }
+
+                  if (opts?.mapParams) {
+                    // we don't check for parsedParams first since these clobber
+                    try {
+                      sources.handle({
+                        context: 'req.params',
+                        data: req.params,
+                        inputType: JSON_VALUE,
+                        name,
+                        stacktraceOpts: {
+                          constructorOpt: contrastNext,
+                        },
+                        sourceContext,
+                      });
+
+                      sourceContext.parsedParams = true;
+                    } catch (err) {
+                      logger.error({ err, funcKey }, 'unable to handle Restify source');
+                    }
+                  }
+
+                  return next(...args);
+                };
+              },
+            });
+          },
+        }),
+      );
+    },
+  };
+};

package/lib/dataflow/sources/install/restify/router.js

@@ -0,0 +1,77 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { InputType: { URL_PARAMETER } } = require('@contrast/common');
+const { InstrumentationType: { SOURCE } } = require('../../../../constants');
+const { patchType } = require('../../common');
+
+module.exports = function init(core) {
+  const {
+    logger,
+    depHooks,
+    patcher,
+    assess: {
+      dataflow: { sources },
+      getSourceContext,
+    },
+  } = core;
+
+  return core.assess.dataflow.sources.restifyInstrumentation.router = {
+    install() {
+      depHooks.resolve(
+        { name: 'restify', file: 'lib/router.js', version: '>=8' },
+        (Router) => {
+          patcher.patch(Router.prototype, 'lookup', {
+            name: 'restify.Router.prototype.lookup',
+            patchType,
+            post({ args: [req], hooked, orig, name, funcKey }) {
+              const sourceContext = getSourceContext(SOURCE);
+
+              if (!sourceContext) {
+                logger.error({ funcKey }, 'unable to handle source. Missing `sourceContext`');
+                return;
+              }
+
+              if (sourceContext.parsedParams) {
+                logger.trace({ funcKey }, 'values already tracked');
+                return;
+              }
+
+              try {
+                sources.handle({
+                  context: 'req.params',
+                  data: req.params,
+                  inputType: URL_PARAMETER,
+                  name,
+                  stacktraceOpts: {
+                    constructorOpt: hooked,
+                    prependFrames: [orig],
+                  },
+                  sourceContext,
+                });
+
+                sourceContext.parsedParams = true;
+              } catch (err) {
+                logger.error({ err, funcKey }, 'unable to handle Restify source');
+              }
+            },
+          });
+        },
+      );
+    },
+  };
+};

package/lib/dataflow/tag-utils.js

@@ -14,7 +14,7 @@
  */
 'use strict';
 
-const { split } = require('@contrast/common');
+const { StringPrototypeSplit } = require('@contrast/common');
 
 //
 // This module implements tag range manipulation functions. There are generally
@@ -485,8 +485,8 @@ function createAdjustedQueryTags(path, tags, value, argString) {
  * - "?test=str","%3Ftest%3Dstr",{"UNTRUSTED":[0,8]} => {"UNTRUSTED":[3,6,10,12]}
  */
 function createEscapeTagRanges(input, result, tags) {
-  const inputArr = split(input, '');
-  const escapedArr = split(result, '');
+  const inputArr = StringPrototypeSplit.call(input, '');
+  const escapedArr = StringPrototypeSplit.call(result, '');
   const overlap = inputArr.filter((x) => {
     if (escapedArr.includes(x)) {
       return x;
@@ -520,6 +520,21 @@ function createEscapeTagRanges(input, result, tags) {
   return ret;
 }
 
+/**
+ * In reporting args, object, and return values, often the exact value isn't important.
+ * For untracked values that appear in call contexts it can be enough to just try to
+ * report the type of the arg/obj/result.
+ *  Example: the call
+ *  http.request('http://tracked-url', { method: 'post' });
+ *  would have event context string limited to
+ *  http.request('http://tracked-url,Object);
+ *
+ * @param {any} origValue value of event result, object, or arg
+ * @returns {string} the adjusted value for reporting
+ */
+function getAdjustedUntrackedValue(origValue) {
+  return origValue?.constructor?.name ?? (origValue === null ? 'null' : typeof origValue);
+}
 
 module.exports = {
   createSubsetTags,
@@ -529,5 +544,6 @@ module.exports = {
   createTagsWithExclusion,
   createAdjustedQueryTags,
   createOverlappingTags,
-  createEscapeTagRanges
+  createEscapeTagRanges,
+  getAdjustedUntrackedValue,
 };

package/lib/dataflow/tracker.js

@@ -108,6 +108,7 @@ module.exports = function tracker(core) {
       }
 
       objMap.set(value, metadata);
+      metadata.value = value;
 
       return metadata;
     }

package/lib/event-factory.js

@@ -15,7 +15,7 @@
 
 'use strict';
 
-const { InputType, match } = require('@contrast/common');
+const { InputType, StringPrototypeMatch } = require('@contrast/common');
 const ANNOTATION_REGEX = /^(A|O|R|P|P\d+)$/;
 const SOURCE_EVENT_MSG = 'Source event not created: %s';
 const PROPAGATION_EVENT_MSG = 'Propagation event not created: %s';
@@ -113,12 +113,12 @@ module.exports = function (core) {
       return null;
     }
 
-    if (!source || !match(source, ANNOTATION_REGEX)) {
+    if (!source || !StringPrototypeMatch.call(source, ANNOTATION_REGEX)) {
       logger.debug({ name }, PROPAGATION_EVENT_MSG, 'invalid source');
       return null;
     }
 
-    if (!target || !match(target, ANNOTATION_REGEX)) {
+    if (!target || !StringPrototypeMatch.call(target, ANNOTATION_REGEX)) {
       logger.debug({ name }, PROPAGATION_EVENT_MSG, 'invalid target');
       return null;
     }

package/lib/get-policy.js

@@ -22,7 +22,7 @@ const {
   Rule,
   ResponseScanningRule,
   SessionConfigurationRule,
-  join,
+  ArrayPrototypeJoin,
 } = require('@contrast/common');
 
 const ASSESS_RULES = Object.values({
@@ -279,7 +279,7 @@ class UrlExclusion {
         }
       }
       if (regexSegments.length) {
-        this._urlRegex = new RegExp(`^${join(regexSegments, '|')}$`);
+        this._urlRegex = new RegExp(`^${ArrayPrototypeJoin.call(regexSegments, '|')}$`);
       }
     }
   }

package/lib/index.d.ts

@@ -17,6 +17,20 @@ import {
   Rule,
   SessionConfigurationRule,
 } from '@contrast/common';
+import { Core as _Core } from '@contrast/core';
+
+export interface Core extends _Core {
+  config: Config;
+  logger: Logger;
+  depHooks: RequireHook;
+  patcher: Patcher
+  rewriter: Rewriter;
+  scopes: Scopes;
+  deadzones: Deadzones;
+  reporter: ReporterBus;
+  instrumentation: any;
+  metrics: any;
+}
 
 export enum InstrumentationType {
   SOURCE = 'source',
@@ -62,3 +76,7 @@ export interface Assess {
 }
 
 export function getSourceContext(instrType?: InstrumentationType, ops?: any): SourceContext;
+
+declare function init(core: Core): Assess;
+
+export = init;

package/lib/index.js

@@ -15,9 +15,12 @@
 
 'use strict';
 
+const { inspect } = require('util');
 const { callChildComponentMethodsSync } = require('@contrast/common');
 
 module.exports = function assess(core) {
+  const { scopes: { instrumentation } } = core;
+
   const assess = core.assess = {
     install() {
       if (!core.config.getEffectiveValue('assess.enable')) {
@@ -30,6 +33,16 @@ module.exports = function assess(core) {
     },
   };
 
+  // todo: this is temporary fix for using inspect during creation of event
+  // data. once all uses of inspect are refactored out of remaining sinks and
+  // propagators etc, this can also be removed.
+  const store = { lock: true, name: 'assess.inspect' };
+  assess.inspect = function(val, opts) {
+    return instrumentation.isLocked() ?
+      inspect(val, opts) :
+      instrumentation.run(store, inspect, val, opts);
+  };
+
   require('./rule-scopes')(core);
   require('./get-policy')(core);
   require('./make-source-context')(core);

package/lib/make-source-context.js

@@ -15,7 +15,7 @@
 
 'use strict';
 
-const { toLowerCase } = require('@contrast/common');
+const { StringPrototypeToLowerCase } = require('@contrast/common');
 
 /**
  * @param {{
@@ -48,7 +48,7 @@ module.exports = function(core) {
       // copy to avoid storing tracked values
       const headers = { ...req.headers };
       if (headers['content-type']) {
-        contentType = toLowerCase(headers['content-type']);
+        contentType = StringPrototypeToLowerCase.call(headers['content-type']);
       }
 
       return {

package/lib/response-scanning/handlers/index.js

@@ -16,9 +16,9 @@
 'use strict';
 
 const {
-  toLowerCase,
-  stringify,
-  substring,
+  StringPrototypeToLowerCase,
+  JSONStringify,
+  StringPrototypeSubstring,
   ResponseScanningRule
 } = require('@contrast/common');
 const {
@@ -130,7 +130,7 @@ module.exports = function(core) {
       reportFindings(sourceContext, {
         ruleId: ResponseScanningRule.CACHE_CONTROLS_MISSING,
         vulnerabilityMetadata: {
-          data: stringify(instructions)
+          data: JSONStringify(instructions)
         }
       });
     }
@@ -144,7 +144,7 @@ module.exports = function(core) {
     let hasFrameBusting = false;
 
     if (xFrameHeaders) {
-      const xFrameHeadersLC = toLowerCase(xFrameHeaders);
+      const xFrameHeadersLC = StringPrototypeToLowerCase.call(xFrameHeaders);
       hasFrameBusting =
         xFrameHeadersLC.indexOf('deny') > -1 ||
         xFrameHeadersLC.indexOf('sameorigin') > -1;
@@ -220,16 +220,16 @@ module.exports = function(core) {
     let maxAge;
 
     if (header) {
-      header = toLowerCase(header);
+      header = StringPrototypeToLowerCase.call(header);
       const flag = header.indexOf('max-age');
       if (flag > -1) {
         const equal = header.indexOf('=', flag);
         if (equal > -1) {
           const semicolon = header.indexOf(';', equal);
           if (semicolon > -1) {
-            maxAge = substring(header, equal + 1, semicolon);
+            maxAge = StringPrototypeSubstring.call(header, equal + 1, semicolon);
           } else {
-            maxAge = substring(header, equal + 1);
+            maxAge = StringPrototypeSubstring.call(header, equal + 1);
           }
         }
       }
@@ -252,7 +252,7 @@ module.exports = function(core) {
     let header = responseHeaders[headerName];
 
     if (header) {
-      header = toLowerCase(header);
+      header = StringPrototypeToLowerCase.call(header);
       if (header === 'nosniff') {
         return;
       }
@@ -273,7 +273,7 @@ module.exports = function(core) {
     let header = responseHeaders[headerName];
 
     if (header) {
-      header = toLowerCase(header);
+      header = StringPrototypeToLowerCase.call(header);
 
       reportFindings(sourceContext, {
         ruleId: ResponseScanningRule.X_POWERED_BY_HEADER,