@contrast/assess 1.28.1 → 1.29.0

package/lib/dataflow/sources/install/restify/jsonBodyParser.js

@@ -0,0 +1,109 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { InputType: { JSON_VALUE } } = require('@contrast/common');
+const { InstrumentationType: { SOURCE } } = require('../../../../constants');
+const { patchType } = require('../../common');
+
+module.exports = function init(core) {
+  const {
+    logger,
+    depHooks,
+    patcher,
+    assess: {
+      dataflow: { sources },
+      getSourceContext,
+    },
+  } = core;
+
+  return core.assess.dataflow.sources.restifyInstrumentation.jsonBodyParser = {
+    install() {
+      depHooks.resolve(
+        { name: 'restify', file: 'lib/plugins/jsonBodyParser.js', version: '>=8' },
+        (jsonBodyParser) => patcher.patch(jsonBodyParser, {
+          name: 'restify.plugins.jsonBodyParser',
+          patchType,
+          post(data) {
+            const { args: [opts] } = data;
+            const index = data.result.length - 1;
+
+            data.result[index] = patcher.patch(data.result[index], {
+              name: 'restify.plugins.jsonBodyParser.parseJson',
+              patchType,
+              pre(data) {
+                const { args: [req, , next], name, funcKey } = data;
+
+                data.args[2] = function contrastNext(...args) {
+                  const sourceContext = getSourceContext(SOURCE);
+
+                  if (!sourceContext) {
+                    logger.error({ funcKey }, 'unable to handle source. Missing `sourceContext`');
+                    return next(...args);
+                  }
+
+                  if (sourceContext.parsedBody) {
+                    logger.trace({ funcKey }, 'values already tracked');
+                    return next(...args);
+                  }
+
+                  try {
+                    sources.handle({
+                      context: 'req.body',
+                      data: req.body,
+                      inputType: JSON_VALUE,
+                      name,
+                      stacktraceOpts: {
+                        constructorOpt: contrastNext,
+                      },
+                      sourceContext,
+                    });
+
+                    sourceContext.parsedBody = true;
+                  } catch (err) {
+                    logger.error({ err, funcKey }, 'unable to handle Restify source');
+                  }
+
+                  if (opts?.mapParams) {
+                    // we don't check for parsedParams first since these clobber
+                    try {
+                      sources.handle({
+                        context: 'req.params',
+                        data: req.params,
+                        inputType: JSON_VALUE,
+                        name,
+                        stacktraceOpts: {
+                          constructorOpt: contrastNext,
+                        },
+                        sourceContext,
+                      });
+
+                      sourceContext.parsedParams = true;
+                    } catch (err) {
+                      logger.error({ err, funcKey }, 'unable to handle Restify source');
+                    }
+                  }
+
+                  return next(...args);
+                };
+              },
+            });
+          },
+        }),
+      );
+    },
+  };
+};

package/lib/dataflow/sources/install/restify/router.js

@@ -0,0 +1,77 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { InputType: { URL_PARAMETER } } = require('@contrast/common');
+const { InstrumentationType: { SOURCE } } = require('../../../../constants');
+const { patchType } = require('../../common');
+
+module.exports = function init(core) {
+  const {
+    logger,
+    depHooks,
+    patcher,
+    assess: {
+      dataflow: { sources },
+      getSourceContext,
+    },
+  } = core;
+
+  return core.assess.dataflow.sources.restifyInstrumentation.router = {
+    install() {
+      depHooks.resolve(
+        { name: 'restify', file: 'lib/router.js', version: '>=8' },
+        (Router) => {
+          patcher.patch(Router.prototype, 'lookup', {
+            name: 'restify.Router.prototype.lookup',
+            patchType,
+            post({ args: [req], hooked, orig, name, funcKey }) {
+              const sourceContext = getSourceContext(SOURCE);
+
+              if (!sourceContext) {
+                logger.error({ funcKey }, 'unable to handle source. Missing `sourceContext`');
+                return;
+              }
+
+              if (sourceContext.parsedParams) {
+                logger.trace({ funcKey }, 'values already tracked');
+                return;
+              }
+
+              try {
+                sources.handle({
+                  context: 'req.params',
+                  data: req.params,
+                  inputType: URL_PARAMETER,
+                  name,
+                  stacktraceOpts: {
+                    constructorOpt: hooked,
+                    prependFrames: [orig],
+                  },
+                  sourceContext,
+                });
+
+                sourceContext.parsedParams = true;
+              } catch (err) {
+                logger.error({ err, funcKey }, 'unable to handle Restify source');
+              }
+            },
+          });
+        },
+      );
+    },
+  };
+};

package/lib/dataflow/tag-utils.js

@@ -14,7 +14,7 @@
  */
 'use strict';
 
-const { split } = require('@contrast/common');
+const { StringPrototypeSplit } = require('@contrast/common');
 
 //
 // This module implements tag range manipulation functions. There are generally
@@ -485,8 +485,8 @@ function createAdjustedQueryTags(path, tags, value, argString) {
  * - "?test=str","%3Ftest%3Dstr",{"UNTRUSTED":[0,8]} => {"UNTRUSTED":[3,6,10,12]}
  */
 function createEscapeTagRanges(input, result, tags) {
-  const inputArr = split(input, '');
-  const escapedArr = split(result, '');
+  const inputArr = StringPrototypeSplit.call(input, '');
+  const escapedArr = StringPrototypeSplit.call(result, '');
   const overlap = inputArr.filter((x) => {
     if (escapedArr.includes(x)) {
       return x;
@@ -533,7 +533,7 @@ function createEscapeTagRanges(input, result, tags) {
  * @returns {string} the adjusted value for reporting
  */
 function getAdjustedUntrackedValue(origValue) {
-  return origValue?.constructor?.name ?? (origValue === null ? 'null' : typeof arg);
+  return origValue?.constructor?.name ?? (origValue === null ? 'null' : typeof origValue);
 }
 
 module.exports = {

package/lib/dataflow/tracker.js

@@ -108,6 +108,7 @@ module.exports = function tracker(core) {
       }
 
       objMap.set(value, metadata);
+      metadata.value = value;
 
       return metadata;
     }

package/lib/event-factory.js

@@ -15,7 +15,7 @@
 
 'use strict';
 
-const { InputType, match } = require('@contrast/common');
+const { InputType, StringPrototypeMatch } = require('@contrast/common');
 const ANNOTATION_REGEX = /^(A|O|R|P|P\d+)$/;
 const SOURCE_EVENT_MSG = 'Source event not created: %s';
 const PROPAGATION_EVENT_MSG = 'Propagation event not created: %s';
@@ -113,12 +113,12 @@ module.exports = function (core) {
       return null;
     }
 
-    if (!source || !match(source, ANNOTATION_REGEX)) {
+    if (!source || !StringPrototypeMatch.call(source, ANNOTATION_REGEX)) {
       logger.debug({ name }, PROPAGATION_EVENT_MSG, 'invalid source');
       return null;
     }
 
-    if (!target || !match(target, ANNOTATION_REGEX)) {
+    if (!target || !StringPrototypeMatch.call(target, ANNOTATION_REGEX)) {
       logger.debug({ name }, PROPAGATION_EVENT_MSG, 'invalid target');
       return null;
     }

package/lib/get-policy.js

@@ -22,7 +22,7 @@ const {
   Rule,
   ResponseScanningRule,
   SessionConfigurationRule,
-  join,
+  ArrayPrototypeJoin,
 } = require('@contrast/common');
 
 const ASSESS_RULES = Object.values({
@@ -279,7 +279,7 @@ class UrlExclusion {
         }
       }
       if (regexSegments.length) {
-        this._urlRegex = new RegExp(`^${join(regexSegments, '|')}$`);
+        this._urlRegex = new RegExp(`^${ArrayPrototypeJoin.call(regexSegments, '|')}$`);
       }
     }
   }

package/lib/index.d.ts

@@ -17,6 +17,20 @@ import {
   Rule,
   SessionConfigurationRule,
 } from '@contrast/common';
+import { Core as _Core } from '@contrast/core';
+
+export interface Core extends _Core {
+  config: Config;
+  logger: Logger;
+  depHooks: RequireHook;
+  patcher: Patcher
+  rewriter: Rewriter;
+  scopes: Scopes;
+  deadzones: Deadzones;
+  reporter: ReporterBus;
+  instrumentation: any;
+  metrics: any;
+}
 
 export enum InstrumentationType {
   SOURCE = 'source',
@@ -62,3 +76,7 @@ export interface Assess {
 }
 
 export function getSourceContext(instrType?: InstrumentationType, ops?: any): SourceContext;
+
+declare function init(core: Core): Assess;
+
+export = init;

package/lib/make-source-context.js

@@ -15,7 +15,7 @@
 
 'use strict';
 
-const { toLowerCase } = require('@contrast/common');
+const { StringPrototypeToLowerCase } = require('@contrast/common');
 
 /**
  * @param {{
@@ -48,7 +48,7 @@ module.exports = function(core) {
       // copy to avoid storing tracked values
       const headers = { ...req.headers };
       if (headers['content-type']) {
-        contentType = toLowerCase(headers['content-type']);
+        contentType = StringPrototypeToLowerCase.call(headers['content-type']);
       }
 
       return {

package/lib/response-scanning/handlers/index.js

@@ -16,9 +16,9 @@
 'use strict';
 
 const {
-  toLowerCase,
-  stringify,
-  substring,
+  StringPrototypeToLowerCase,
+  JSONStringify,
+  StringPrototypeSubstring,
   ResponseScanningRule
 } = require('@contrast/common');
 const {
@@ -130,7 +130,7 @@ module.exports = function(core) {
       reportFindings(sourceContext, {
         ruleId: ResponseScanningRule.CACHE_CONTROLS_MISSING,
         vulnerabilityMetadata: {
-          data: stringify(instructions)
+          data: JSONStringify(instructions)
         }
       });
     }
@@ -144,7 +144,7 @@ module.exports = function(core) {
     let hasFrameBusting = false;
 
     if (xFrameHeaders) {
-      const xFrameHeadersLC = toLowerCase(xFrameHeaders);
+      const xFrameHeadersLC = StringPrototypeToLowerCase.call(xFrameHeaders);
       hasFrameBusting =
         xFrameHeadersLC.indexOf('deny') > -1 ||
         xFrameHeadersLC.indexOf('sameorigin') > -1;
@@ -220,16 +220,16 @@ module.exports = function(core) {
     let maxAge;
 
     if (header) {
-      header = toLowerCase(header);
+      header = StringPrototypeToLowerCase.call(header);
       const flag = header.indexOf('max-age');
       if (flag > -1) {
         const equal = header.indexOf('=', flag);
         if (equal > -1) {
           const semicolon = header.indexOf(';', equal);
           if (semicolon > -1) {
-            maxAge = substring(header, equal + 1, semicolon);
+            maxAge = StringPrototypeSubstring.call(header, equal + 1, semicolon);
           } else {
-            maxAge = substring(header, equal + 1);
+            maxAge = StringPrototypeSubstring.call(header, equal + 1);
           }
         }
       }
@@ -252,7 +252,7 @@ module.exports = function(core) {
     let header = responseHeaders[headerName];
 
     if (header) {
-      header = toLowerCase(header);
+      header = StringPrototypeToLowerCase.call(header);
       if (header === 'nosniff') {
         return;
       }
@@ -273,7 +273,7 @@ module.exports = function(core) {
     let header = responseHeaders[headerName];
 
     if (header) {
-      header = toLowerCase(header);
+      header = StringPrototypeToLowerCase.call(header);
 
       reportFindings(sourceContext, {
         ruleId: ResponseScanningRule.X_POWERED_BY_HEADER,

package/lib/response-scanning/handlers/utils.js

@@ -15,7 +15,14 @@
 
 'use strict';
 
-const { join, substring, toLowerCase, split, trim, replace } = require('@contrast/common');
+const {
+  ArrayPrototypeJoin,
+  StringPrototypeSubstring,
+  StringPrototypeToLowerCase,
+  StringPrototypeSplit,
+  StringPrototypeTrim,
+  StringPrototypeReplace
+} = require('@contrast/common');
 
 //
 // General HTML utils
@@ -32,7 +39,7 @@ const reHasUnescapedHtml = RegExp(reUnescapedHtml.source);
 
 function escapeHtml(string) {
   return (string && reHasUnescapedHtml.test(string))
-    ? replace(string, reUnescapedHtml, (chr) => htmlEscapes[chr])
+    ? StringPrototypeReplace.call(string, reUnescapedHtml, (chr) => htmlEscapes[chr])
     : (string || '');
 }
 
@@ -54,7 +61,7 @@ function getElements(htmlTag, content = '') {
     [htmlTagRangeStart, htmlTagRangeLength] = getHtmlTagRange(htmlTag, content, offset);
     if (htmlTagRangeStart >= 0) {
       offset = htmlTagRangeStart + htmlTagRangeLength;
-      elements.push(substring(content, htmlTagRangeStart, offset));
+      elements.push(StringPrototypeSubstring.call(content, htmlTagRangeStart, offset));
     }
   } while (htmlTagRangeStart >= 0);
 
@@ -69,7 +76,7 @@ function isHtmlContent(responseHeaders) {
   }
 
   // we may want to do a case-insensitive search through object keys here
-  const contentType = toLowerCase(responseHeaders['Content-Type'] || responseHeaders['content-type'] || '');
+  const contentType = StringPrototypeToLowerCase.call(responseHeaders['Content-Type'] || responseHeaders['content-type'] || '');
 
   return (
     !contentType ||
@@ -88,7 +95,7 @@ function isParseableResponse(responseHeaders) {
   // we may want to do a case-insensitive search through object keys here
   let contentType =
     responseHeaders['Content-Type'] || responseHeaders['content-type'];
-  if (contentType) contentType = toLowerCase(contentType);
+  if (contentType) contentType = StringPrototypeToLowerCase.call(contentType);
 
   return (
     !contentType ||
@@ -123,7 +130,7 @@ function getAttribute(attribute, htmlTag = '') {
     }
   }
 
-  return substring(htmlTag, attrStart, attrEnd);
+  return StringPrototypeSubstring.call(htmlTag, attrStart, attrEnd);
 }
 
 /**
@@ -213,16 +220,16 @@ function checkCacheControlValue(value = '') {
     let noStore = false;
 
     value.forEach((directive) => {
-      if (toLowerCase(directive).includes('no-cache')) {
+      if (StringPrototypeToLowerCase.call(directive).includes('no-cache')) {
         noCache = true;
       }
-      if (toLowerCase(directive).includes('no-store')) {
+      if (StringPrototypeToLowerCase.call(directive).includes('no-store')) {
         noStore = true;
       }
     });
     return [noCache, noStore];
   } else {
-    value = toLowerCase(value);
+    value = StringPrototypeToLowerCase.call(value);
     return [value.includes('no-cache'), value.includes('no-store')];
   }
 }
@@ -317,7 +324,7 @@ function formatSource({
   }
 
   data[`${key}Secure`] = isSecure;
-  data[`${key}Value`] = join(sources, ' ');
+  data[`${key}Value`] = ArrayPrototypeJoin.call(sources, ' ');
 }
 
 /**
@@ -325,8 +332,8 @@ function formatSource({
  */
 function policyParser(policy) {
   const result = {};
-  for (const directive of split(policy, ';')) {
-    const [directiveKey, ...directiveValue] = split(trim(directive), /\s+/g);
+  for (const directive of StringPrototypeSplit.call(policy, ';')) {
+    const [directiveKey, ...directiveValue] = StringPrototypeSplit.call(StringPrototypeTrim.call(directive), /\s+/g);
     if (
       directiveKey &&
       !Object.prototype.hasOwnProperty.call(result, directiveKey)

package/lib/response-scanning/install/http.js

@@ -15,7 +15,7 @@
 
 'use strict';
 
-const { split, substring, toLowerCase, trim } = require('@contrast/common');
+const { StringPrototypeSplit, StringPrototypeSubstring, StringPrototypeToLowerCase, StringPrototypeTrim } = require('@contrast/common');
 
 /**
  * @param {{
@@ -46,13 +46,13 @@ module.exports = function(core) {
 
   function parseHeaders(rawHeaders) {
     const headersToParse = rawHeaders || '';
-    const headersArray = split(headersToParse, '\r\n').filter(Boolean);
+    const headersArray = StringPrototypeSplit.call(headersToParse, '\r\n').filter(Boolean);
     return headersArray.reduce((acc, header) => {
       const idx = header.indexOf(':');
 
       if (idx > -1) {
-        const name = toLowerCase(substring(header, 0, idx));
-        const value = trim(substring(header, idx + 1));
+        const name = StringPrototypeToLowerCase.call(StringPrototypeSubstring.call(header, 0, idx));
+        const value = StringPrototypeTrim.call(StringPrototypeSubstring.call(header, idx + 1));
         const currentValue = acc[name];
         acc[name] = currentValue
           ? Array.isArray(currentValue)
@@ -100,7 +100,7 @@ module.exports = function(core) {
             if (!sourceContext) return;
 
             const evaluationContext = {
-              responseBody: toLowerCase(data.args[0] || ''),
+              responseBody: StringPrototypeToLowerCase.call(data.args[0] || ''),
               responseHeaders: parseHeaders(data.result._header),
             };
 
@@ -118,7 +118,7 @@ module.exports = function(core) {
             if (!sourceContext) return;
 
             const evaluationContext = {
-              responseBody: toLowerCase(data.args[0] || ''),
+              responseBody: StringPrototypeToLowerCase.call(data.args[0] || ''),
               responseHeaders: parseHeaders(data.result._header),
             };
 
@@ -141,7 +141,7 @@ module.exports = function(core) {
 
             const headersSymbol = Object.getOwnPropertySymbols(data.obj).find(symbol => symbol.toString().includes('headers'));
             const evaluationContext = {
-              responseBody: toLowerCase(data.args[0] || ''),
+              responseBody: StringPrototypeToLowerCase.call(data.args[0] || ''),
               responseHeaders: data.obj[headersSymbol],
             };
 
@@ -160,7 +160,7 @@ module.exports = function(core) {
 
             const headersSymbol = Object.getOwnPropertySymbols(data.result).find(symbol => symbol.toString().includes('headers'));
             const evaluationContext = {
-              responseBody: toLowerCase(data.args[0] || ''),
+              responseBody: StringPrototypeToLowerCase.call(data.args[0] || ''),
               responseHeaders: data.result[headersSymbol],
             };
 
@@ -169,57 +169,7 @@ module.exports = function(core) {
         });
       }
 
-      // patching the stream object
-      ['createServer', 'createSecureServer'].forEach((server) => {
-        patcher.patch(http2, server, {
-          name: `http2.${server}`,
-          patchType,
-          post(data) {
-            // The other option is once again to patch the `emit` method of the server
-            // similar to how we patch it for creating sources, but take action only on
-            // `stream` events. I chose the currentt approach because the hook will only
-            // run on a `stream` event instead of checking and returning on each `request`
-            // connect.
-            data.result._events = patcher.patch(data.result._events, 'stream', {
-              name: 'stream',
-              patchType: 'stream-patch',
-              pre(data) {
-                patcher.patch(data.args[0], 'write', {
-                  name: 'Http2Stream.write',
-                  patchType,
-                  post(data) {
-                    const sourceContext = getSourceContext();
-                    if (!sourceContext) return;
-
-                    const evaluationContext = {
-                      responseBody: toLowerCase(data.args[0] || ''),
-                      responseHeaders: data.obj.sentHeaders,
-                    };
-
-                    writeHookChecks(sourceContext, evaluationContext);
-                  }
-                });
-
-                patcher.patch(data.args[0], 'end', {
-                  name: 'Http2Stream.end',
-                  patchType,
-                  post(data) {
-                    const sourceContext = getSourceContext();
-                    if (!sourceContext) return;
-
-                    const evaluationContext = {
-                      responseBody: toLowerCase(data.args[0] || ''),
-                      responseHeaders: data.obj.sentHeaders,
-                    };
-
-                    endHookChecks(sourceContext, evaluationContext);
-                  }
-                });
-              }
-            });
-          }
-        });
-      });
+      // todo: patching the stream object (NODE-3467)
     });
   };
 

package/lib/session-configuration/install/express-session.js

@@ -14,7 +14,7 @@
  */
 'use strict';
 
-const { toLowerCase } = require('@contrast/common');
+const { StringPrototypeToLowerCase } = require('@contrast/common');
 const { patchType } = require('../common');
 
 /**
@@ -102,7 +102,7 @@ module.exports = function (core) {
                 name: 'http.setHeader',
                 patchType,
                 pre({ args: [key, value] }) {
-                  if (toLowerCase(key) !== 'set-cookie') return;
+                  if (StringPrototypeToLowerCase.call(key) !== 'set-cookie') return;
 
                   if (checkForHTTPOnly) {
                     handleHttpOnly(sourceContext, value, sessionEvent);

package/lib/session-configuration/install/fastify-cookie.js

@@ -14,7 +14,7 @@
  */
 'use strict';
 
-const { toLowerCase } = require('@contrast/common');
+const { StringPrototypeToLowerCase } = require('@contrast/common');
 const { patchType } = require('../common');
 
 /**
@@ -82,7 +82,7 @@ module.exports = function (core) {
                 name: 'fastify.Reply.header',
                 pre(data) {
                   const [key, value] = data.args;
-                  if (toLowerCase(key) !== 'set-cookie') return;
+                  if (StringPrototypeToLowerCase.call(key) !== 'set-cookie') return;
 
                   const sourceContext = getSourceContext();
                   if (!sourceContext) return;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.28.1",
+  "version": "1.29.0",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -11,14 +11,14 @@
   "types": "lib/index.d.ts",
   "engines": {
     "npm": ">=6.13.7 <7 || >= 8.3.1",
-    "node": ">= 14.18.0"
+    "node": ">= 16.9.1"
   },
   "scripts": {
     "test": "../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.21.0",
-    "@contrast/distringuish": "^4.4.0",
+    "@contrast/common": "1.21.1",
+    "@contrast/distringuish": "^5.0.0",
     "@contrast/scopes": "1.4.1"
   }
 }