@contrast/assess 1.28.1 → 1.29.0

package/lib/dataflow/propagation/install/string/index.js

@@ -15,7 +15,8 @@
 
 'use strict';
 
-const { callChildComponentMethodsSync, split } = require('@contrast/common');
+const { callChildComponentMethodsSync } = require('@contrast/common');
+const { StringPrototypeSplit } = require('@contrast/common');
 const { getAdjustedUntrackedValue } = require('../../../tag-utils');
 
 module.exports = function(core) {
@@ -40,7 +41,7 @@ module.exports = function(core) {
   };
 
   function patchCustomMatcher(matcherFn, objInfo, methodArg, name, patchType) {
-    const [, , methodName] = split(name, '.');
+    const [, , methodName] = StringPrototypeSplit.call(name, '.');
 
     return patcher.patch(matcherFn, {
       name,

package/lib/dataflow/propagation/install/string/match-all.js

@@ -14,7 +14,6 @@
  */
 
 'use strict';
-
 const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { createSubsetTags } = require('../../../tag-utils');
 const { patchType } = require('../../common');

package/lib/dataflow/propagation/install/string/match.js

@@ -14,7 +14,7 @@
  */
 
 'use strict';
-const { join } = require('@contrast/common');
+const { ArrayPrototypeJoin } = require('@contrast/common');
 const { patchType } = require('../../common');
 const { createSubsetTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
 
@@ -59,7 +59,7 @@ module.exports = function(core) {
       args,
       tags,
       result: {
-        value: join(result),
+        value: ArrayPrototypeJoin.call(result),
         tracked: false,
       },
       stacktraceOpts: {

package/lib/dataflow/propagation/install/string/replace.js

@@ -17,9 +17,9 @@
 
 const {
   DataflowTag: { UNTRUSTED },
-  match: origMatch,
-  join,
-  substring
+  StringPrototypeMatch,
+  ArrayPrototypeJoin,
+  StringPrototypeSubstring,
 } = require('@contrast/common');
 const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const {
@@ -73,7 +73,7 @@ module.exports = function(core) {
         replace: str.substring(str.indexOf(match) + match.length, str.length)
       }
     ].forEach(({ regex, replace }) => {
-      if (ret && origMatch(ret, regex)) {
+      if (ret && StringPrototypeMatch.call(ret, regex)) {
         // If the match string is tracked, we can actually use the patched replace
         // to keep track of its tag ranges
         if (tracker.getData(replace)) {
@@ -87,7 +87,7 @@ module.exports = function(core) {
     const numberedGroupMatches = replacementType !== 'function' && replacement.match(/\$[1-9][0-9]|\$[1-9]/g);
     if (numberedGroupMatches) {
       numberedGroupMatches.forEach((numberedGroup) => {
-        const group = Number(substring(numberedGroup, 1));
+        const group = Number(StringPrototypeSubstring.call(numberedGroup, 1));
         ret = origReplace.call(ret, numberedGroup, captureGroups[group - 1] || '');
       });
     }
@@ -187,7 +187,7 @@ module.exports = function(core) {
             name,
             moduleName: 'String',
             methodName: 'prototype.replace',
-            context: `'${obj}'.replace(${join(args.map(a => a.value))})`,
+            context: `'${obj}'.replace(${ArrayPrototypeJoin.call(args.map(a => a.value))})`,
             history: Array.from(data._history),
             object: {
               value: obj,

package/lib/dataflow/propagation/install/string/slice.js

@@ -13,7 +13,7 @@
  * way not consistent with the End User License Agreement.
  */
 'use strict';
-const { join } = require('@contrast/common');
+const { ArrayPrototypeJoin } = require('@contrast/common');
 const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { createSubsetTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
 const { patchType } = require('../../common');
@@ -80,7 +80,7 @@ module.exports = function(core) {
             name,
             moduleName: 'String',
             methodName: 'prototype.slice',
-            context: `'${objInfo.value}'.slice(${join(args.map(a => a.value), ', ')})`,
+            context: `'${objInfo.value}'.slice(${ArrayPrototypeJoin.call(args.map(a => a.value), ', ')})`,
             history: [objInfo],
             object: {
               value: obj,

package/lib/dataflow/propagation/install/string/split.js

@@ -15,7 +15,7 @@
 
 'use strict';
 
-const { join } = require('@contrast/common');
+const { ArrayPrototypeJoin } = require('@contrast/common');
 const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { createSubsetTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
 const { patchType } = require('../../common');
@@ -63,7 +63,7 @@ module.exports = function(core) {
             name,
             moduleName: 'String',
             methodName: 'prototype.split',
-            context: `'${objInfo.value}'.split(${join(args.map(a => a.value))})`,
+            context: `'${objInfo.value}'.split(${ArrayPrototypeJoin.call(args.map(a => a.value))})`,
             history: [objInfo],
             object: {
               value: obj,

package/lib/dataflow/propagation/install/string/substring.js

@@ -15,7 +15,7 @@
 
 'use strict';
 
-const { join } = require('@contrast/common');
+const { ArrayPrototypeJoin } = require('@contrast/common');
 const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { createSubsetTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
 const { patchType } = require('../../common');
@@ -90,7 +90,7 @@ module.exports = function(core) {
               name,
               moduleName: 'String',
               methodName: 'prototype.substring',
-              context: `'${objInfo.value}'.substring(${join(args.map(a => a.value))})`,
+              context: `'${objInfo.value}'.substring(${ArrayPrototypeJoin.call(args.map(a => a.value))})`,
               history: [objInfo],
               object: {
                 value: obj,

package/lib/dataflow/sinks/index.js

@@ -82,6 +82,7 @@ module.exports = function (core) {
   require('./install/mysql')(core);
   require('./install/node-serialize')(core);
   require('./install/postgres')(core);
+  require('./install/restify')(core);
   require('./install/sequelize')(core);
   require('./install/sqlite3')(core);
   require('./install/vm')(core);

package/lib/dataflow/sinks/install/child-process.js

@@ -16,7 +16,7 @@
 'use strict';
 const {
   DataflowTag: { UNTRUSTED },
-  join,
+  ArrayPrototypeJoin,
   Rule: { CMD_INJECTION: ruleId },
   isString,
 } = require('@contrast/common');
@@ -81,7 +81,7 @@ module.exports = function(core) {
       name,
       moduleName: 'child_process',
       methodName: method,
-      context: `child_process.${method}(${join(args.map((a, idx) => idx === 0 ? `'${a.value}'` : a.value), ', ')})`,
+      context: `child_process.${method}(${ArrayPrototypeJoin.call(args.map((a, idx) => idx === 0 ? `'${a.value}'` : a.value), ', ')})`,
       history: [strInfo],
       object: {
         value: 'child_process',
@@ -167,7 +167,7 @@ module.exports = function(core) {
       name,
       moduleName: 'child_process',
       methodName: method,
-      context: `child_process.${method}(${join(args.map((a, idx) => idx === 0 ? `'${a.value}'` : a.value), ', ')})`,
+      context: `child_process.${method}(${ArrayPrototypeJoin.call(args.map((a, idx) => idx === 0 ? `'${a.value}'` : a.value), ', ')})`,
       history: [trackedArgs[vulnerableArgIdx]],
       object: {
         value: 'child_process',

package/lib/dataflow/sinks/install/fs.js

@@ -26,7 +26,7 @@ const {
   FS_METHODS,
   Rule: { PATH_TRAVERSAL: ruleId },
   isString,
-  join,
+  ArrayPrototypeJoin,
 } = require('@contrast/common');
 const { InstrumentationType: { RULE } } = require('../../../constants');
 
@@ -87,7 +87,7 @@ module.exports = function(core) {
         name,
         moduleName,
         methodName: fullMethodName || methodName,
-        context: `${name}(${join(
+        context: `${name}(${ArrayPrototypeJoin.call(
           args.map((a) => inspect(a.value)),
           ', '
         )})`,

package/lib/dataflow/sinks/install/function.js

@@ -17,7 +17,7 @@
 
 const {
   isString,
-  join,
+  ArrayPrototypeJoin,
   DataflowTag: {
     UNTRUSTED,
     CUSTOM_ENCODED_TRUST_BOUNDARY_VIOLATION,
@@ -114,7 +114,7 @@ module.exports = function (core) {
             });
             const event = createSinkEvent({
               name,
-              context: `${name}(${join(
+              context: `${name}(${ArrayPrototypeJoin.call(
                 args.map((a) => a.inspectedValue),
                 ', '
               )})`,

package/lib/dataflow/sinks/install/restify.js

@@ -0,0 +1,208 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const {
+  Rule: { UNVALIDATED_REDIRECT: ruleId },
+  DataflowTag: {
+    UNTRUSTED,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED,
+    HTML_ENCODED,
+    LIMITED_CHARS,
+    URL_ENCODED,
+  },
+  isString,
+  ArrayPrototypeJoin,
+} = require('@contrast/common');
+const { InstrumentationType: { RULE } } = require('../../../constants');
+const { createAppendTags } = require('../../tag-utils');
+const { patchType } = require('../common');
+
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  config: import('@contrast/config').Config,
+ *  logger: import('@contrast/logger').Logger,
+ * }} core
+ * @returns {import('@contrast/common').Installable}
+*/
+module.exports = function(core) {
+  const {
+    depHooks,
+    patcher,
+    assess: {
+      getSourceContext,
+      eventFactory: { createSinkEvent },
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, reportFindings /*reportSafePositive*/ }
+      },
+      inspect,
+    },
+  } = core;
+
+  const OPTION_FIELDS = ['hostname', 'pathname'];
+  const SAFE_TAGS = [
+    `excluded:${ruleId}`,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED,
+    HTML_ENCODED,
+    LIMITED_CHARS,
+    URL_ENCODED,
+  ];
+
+  function createCommonEventData(data) {
+    return {
+      name: 'restify.Response.redirect',
+      moduleName: 'restify',
+      methodName: 'Response.redirect',
+      object: {
+        tracked: false,
+        value: 'restify.Response',
+      },
+      result: {
+        tracked: false,
+        value: undefined,
+      },
+      stacktraceOpts: {
+        constructorOpt: data.hooked,
+        prependFrames: [data.orig]
+      },
+    };
+  }
+
+  /**
+   * Called when tracked values are on options object argument.
+   * Will return the args coerced to strings values, and the adjusted ranges.
+   * @returns {}
+   */
+  function getAdjustedValues(origArgs, vulns, vulnArgIdx) {
+    let result = '{...';
+    let tags;
+
+    vulns.forEach((vuln, i) => {
+      const sep = i == 0 ? '' : ',';
+      result += `${sep}'${vuln.path[vuln.path.length - 1]}':'`;
+      tags = createAppendTags(tags, vuln.strInfo.tags, result.length);
+      result += `${vuln.strInfo.value}'`;
+    });
+
+    result += '...}';
+
+    const args = origArgs.map((a, i) => i == vulnArgIdx ?
+        { tracked: true, value: result } :
+        { tracked: false, value: a?.constructor?.name || typeof a });
+
+    return { args, tags };
+  }
+
+  return core.assess.dataflow.sinks.restify = {
+    install() {
+      // restify adds functionality to the built-in response via this patch function.
+      // once it returns the request, it'll have been decorated with redirect() method.
+      depHooks.resolve({ name: 'restify', file: 'lib/response.js' }, (responsePatch) => patcher.patch(responsePatch, {
+        name: 'restify.response.patch',
+        patchType,
+        post(data) {
+          patcher.patch(data.args[0].prototype, 'redirect', {
+            patchType,
+            name: 'restify.Response.redirect',
+            pre(data) {
+              if (!getSourceContext(RULE, ruleId)) return;
+
+              let vulnArgIdx;
+              let vulnArgIsString = true;
+
+              if (isString(data.args[0])) {
+                vulnArgIdx = 0; // res.redirect(url, next)
+              } else if (isString(data.args[1])) {
+                vulnArgIdx = 1; // res.redirect(code, url, next)
+              } else if (data.args[0] && typeof data.args[0] === 'object') {
+                vulnArgIdx = 0; // res.redirect(options, next)
+                vulnArgIsString = false;
+              } else {
+                return; // unknown call signature
+              }
+
+              if (vulnArgIsString) {
+                const strInfo = tracker.getData(data.args[vulnArgIdx]);
+                if (strInfo && isVulnerable(UNTRUSTED, SAFE_TAGS, strInfo.tags)) {
+                  const args = data.args.map((arg, idx) => ({
+                    tracked: idx === vulnArgIdx,
+                    value: idx === vulnArgIdx ?
+                      inspect(strInfo.value) :
+                        (arg?.constructor?.name ?? typeof strInfo.value)
+                  }));
+
+                  const sinkEvent = createSinkEvent({
+                    args,
+                    context: `res.redirect(${ArrayPrototypeJoin.call(args.map((a) => a.value))})`,
+                    history: [strInfo],
+                    tags: createAppendTags(null, strInfo.tags, 1), // offset by 1 for formatting as string
+                    source: `P${vulnArgIdx}`,
+                    ...createCommonEventData(data),
+                  });
+
+                  if (sinkEvent) {
+                    reportFindings({ ruleId, sinkEvent });
+                  }
+                }
+              } else {
+                const options = data.args[vulnArgIdx];
+                const vulns = [];
+
+                for (const option of OPTION_FIELDS) {
+                  const strInfo = tracker.getData(options?.[option]);
+                  if (strInfo && isVulnerable(UNTRUSTED, SAFE_TAGS, strInfo.tags)) {
+                    vulns.push({ path: [option], strInfo });
+                  }
+                }
+
+                if (typeof options.query == 'object') {
+                  for (const [key, value] of Object.entries(options.query)) {
+                    const strInfo = tracker.getData(value);
+                    if (strInfo && isVulnerable(UNTRUSTED, SAFE_TAGS, strInfo.tags)) {
+                      vulns.push({ path: ['query', key], strInfo });
+                    }
+                  }
+                }
+
+                if (vulns.length) {
+                  // so events are not duplicated
+                  const history = Array.from(new Set(vulns.map((v) => v.strInfo)));
+                  const { tags, args } = getAdjustedValues(data.args, vulns, vulnArgIdx);
+                  const sinkEvent = createSinkEvent({
+                    args,
+                    context: `res.redirect(${ArrayPrototypeJoin.call(args.map((a) => a.value))})`,
+                    history,
+                    tags,
+                    source: 'P0',
+                    ...createCommonEventData(data),
+
+                  });
+                  if (sinkEvent) {
+                    reportFindings({ ruleId, sinkEvent });
+                  }
+                }
+              }
+            }
+          });
+        }
+      }));
+    }
+  };
+};

package/lib/dataflow/sinks/install/vm.js

@@ -27,8 +27,8 @@ const {
   Rule: { UNSAFE_CODE_EXECUTION: ruleId },
   isNonEmptyObject,
   isString,
-  join,
-  split,
+  ArrayPrototypeJoin,
+  StringPrototypeSplit,
   traverseValues,
 } = require('@contrast/common');
 const { InstrumentationType: { RULE } } = require('../../../constants');
@@ -144,7 +144,7 @@ module.exports = function (core) {
   function around(next, { args: origArgs, hooked, orig, name }) {
     if (!getSourceContext(RULE, ruleId) || isLocked(ruleId)) return next();
 
-    const methodPath = split(name, '.');
+    const methodPath = StringPrototypeSplit.call(name, '.');
     const method = methodPath[methodPath.length - 1];
     const idxsToCheck = method === 'runInNewContext' ? [0, 1] : [0];
     const argsInfo = accumulateArgsInfo(origArgs, idxsToCheck);
@@ -204,7 +204,7 @@ module.exports = function (core) {
     if (vulnerableArg) {
       const event = createSinkEvent({
         name,
-        context: `${name}(${join(
+        context: `${name}(${ArrayPrototypeJoin.call(
           argsInfo.map((a) => a.ctxValue),
           ', '
         )})`,

package/lib/dataflow/sources/handler.js

@@ -19,7 +19,7 @@ const {
   InputType,
   DataflowTag,
   isString,
-  join,
+  ArrayPrototypeJoin,
 } = require('@contrast/common');
 
 module.exports = function (core) {
@@ -137,7 +137,7 @@ module.exports = function (core) {
     }
 
     traverse(_data, (path, fieldName, value, obj) => {
-      const pathName = join(path, '.');
+      const pathName = ArrayPrototypeJoin.call(path, '.');
 
       if (sourceContext.sourceEventsCount >= max) {
         logger.trace({ inputType, sourceName: name }, 'exiting assess source handling - %s max events exceeded', max);

package/lib/dataflow/sources/index.js

@@ -26,6 +26,7 @@ module.exports = function (core) {
   require('./install/fastify')(core);
   require('./install/hapi')(core);
   require('./install/koa')(core);
+  require('./install/restify')(core);
   require('./install/body-parser1')(core);
   require('./install/busboy')(core);
   require('./install/cookie-parser1')(core);

package/lib/dataflow/sources/install/http.js

@@ -15,7 +15,7 @@
 
 'use strict';
 const { patchType } = require('../common');
-const { toLowerCase, InputType } = require('@contrast/common');
+const { StringPrototypeToLowerCase, InputType } = require('@contrast/common');
 
 /**
  * @param {{
@@ -65,13 +65,13 @@ module.exports = function (core) {
               const key = obj[i];
               const value = obj[i + 1];
 
-              if (toLowerCase(key) === 'content-type') {
+              if (StringPrototypeToLowerCase.call(key) === 'content-type') {
                 store.assess.responseData.contentType = value;
               }
             }
           } else if (typeof obj === 'object') {
             for (const [key, value] of Object.entries(obj)) {
-              if (toLowerCase(key) === 'content-type') {
+              if (StringPrototypeToLowerCase.call(key) === 'content-type') {
                 store.assess.responseData.contentType = value;
               }
             }
@@ -85,7 +85,7 @@ module.exports = function (core) {
           patchType,
           pre(data) {
             const [name = '', value] = data.args;
-            if (toLowerCase(name) === 'content-type' && scopes.sources.getStore()?.assess && value) {
+            if (StringPrototypeToLowerCase.call(name) === 'content-type' && scopes.sources.getStore()?.assess && value) {
               store.assess.responseData.contentType = value;
             }
           }

package/lib/dataflow/sources/install/restify/fieldedTextBodyParser.js

@@ -0,0 +1,85 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { InputType: { BODY } } = require('@contrast/common');
+const { InstrumentationType: { SOURCE } } = require('../../../../constants');
+const { patchType } = require('../../common');
+
+module.exports = function init(core) {
+  const {
+    logger,
+    depHooks,
+    patcher,
+    assess: {
+      dataflow: { sources },
+      getSourceContext,
+    },
+  } = core;
+
+  return core.assess.dataflow.sources.restifyInstrumentation.fieldedTextBodyParser = {
+    install() {
+      depHooks.resolve(
+        { name: 'restify', file: 'lib/plugins/fieldedTextBodyParser.js', version: '>=8' },
+        (fieldedTextBodyParser) => patcher.patch(fieldedTextBodyParser, {
+          name: 'restify.plugins.fieldedTextBodyParser',
+          patchType,
+          post(data) {
+            data.result = patcher.patch(data.result, {
+              name: 'restify.plugins.fieldedTextBodyParser.parseFieldedText',
+              patchType,
+              pre(data) {
+                const { args: [req, , next], name, funcKey } = data;
+                data.args[2] = function contrastNext(...args) {
+                  const sourceContext = getSourceContext(SOURCE);
+
+                  if (!sourceContext) {
+                    logger.error({ funcKey }, 'unable to handle source. Missing `sourceContext`');
+                    return next(...args);
+                  }
+
+                  if (sourceContext.parsedBody) {
+                    logger.trace({ funcKey }, 'values already tracked');
+                    return next(...args);
+                  }
+
+                  try {
+                    sources.handle({
+                      context: 'req.body',
+                      data: req.body,
+                      inputType: BODY,
+                      name,
+                      stacktraceOpts: {
+                        constructorOpt: contrastNext,
+                      },
+                      sourceContext,
+                    });
+
+                    sourceContext.parsedBody = true;
+                  } catch (err) {
+                    logger.error({ err, funcKey }, 'unable to handle Restify source');
+                  }
+
+                  return next(...args);
+                };
+              },
+            });
+          }
+        }),
+      );
+    },
+  };
+};

package/lib/dataflow/sources/install/restify/index.js

@@ -0,0 +1,32 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { callChildComponentMethodsSync } = require('@contrast/common');
+
+module.exports = function init(core) {
+  core.assess.dataflow.sources.restifyInstrumentation = {
+    install() {
+      callChildComponentMethodsSync(this, 'install');
+    },
+  };
+
+  require('./fieldedTextBodyParser')(core);
+  require('./jsonBodyParser')(core);
+  require('./router')(core);
+
+  return core.assess.dataflow.sources.restifyInstrumentation;
+};