@contrast/assess 1.28.1 → 1.29.1

package/lib/dataflow/sources/install/restify/fieldedTextBodyParser.js

@@ -0,0 +1,85 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { InputType: { BODY } } = require('@contrast/common');
+const { InstrumentationType: { SOURCE } } = require('../../../../constants');
+const { patchType } = require('../../common');
+
+module.exports = function init(core) {
+  const {
+    logger,
+    depHooks,
+    patcher,
+    assess: {
+      dataflow: { sources },
+      getSourceContext,
+    },
+  } = core;
+
+  return core.assess.dataflow.sources.restifyInstrumentation.fieldedTextBodyParser = {
+    install() {
+      depHooks.resolve(
+        { name: 'restify', file: 'lib/plugins/fieldedTextBodyParser.js', version: '>=8' },
+        (fieldedTextBodyParser) => patcher.patch(fieldedTextBodyParser, {
+          name: 'restify.plugins.fieldedTextBodyParser',
+          patchType,
+          post(data) {
+            data.result = patcher.patch(data.result, {
+              name: 'restify.plugins.fieldedTextBodyParser.parseFieldedText',
+              patchType,
+              pre(data) {
+                const { args: [req, , next], name, funcKey } = data;
+                data.args[2] = function contrastNext(...args) {
+                  const sourceContext = getSourceContext(SOURCE);
+
+                  if (!sourceContext) {
+                    logger.error({ funcKey }, 'unable to handle source. Missing `sourceContext`');
+                    return next(...args);
+                  }
+
+                  if (sourceContext.parsedBody) {
+                    logger.trace({ funcKey }, 'values already tracked');
+                    return next(...args);
+                  }
+
+                  try {
+                    sources.handle({
+                      context: 'req.body',
+                      data: req.body,
+                      inputType: BODY,
+                      name,
+                      stacktraceOpts: {
+                        constructorOpt: contrastNext,
+                      },
+                      sourceContext,
+                    });
+
+                    sourceContext.parsedBody = true;
+                  } catch (err) {
+                    logger.error({ err, funcKey }, 'unable to handle Restify source');
+                  }
+
+                  return next(...args);
+                };
+              },
+            });
+          }
+        }),
+      );
+    },
+  };
+};

package/lib/dataflow/sources/install/restify/index.js

@@ -0,0 +1,32 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { callChildComponentMethodsSync } = require('@contrast/common');
+
+module.exports = function init(core) {
+  core.assess.dataflow.sources.restifyInstrumentation = {
+    install() {
+      callChildComponentMethodsSync(this, 'install');
+    },
+  };
+
+  require('./fieldedTextBodyParser')(core);
+  require('./jsonBodyParser')(core);
+  require('./router')(core);
+
+  return core.assess.dataflow.sources.restifyInstrumentation;
+};

package/lib/dataflow/sources/install/restify/jsonBodyParser.js

@@ -0,0 +1,109 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { InputType: { JSON_VALUE } } = require('@contrast/common');
+const { InstrumentationType: { SOURCE } } = require('../../../../constants');
+const { patchType } = require('../../common');
+
+module.exports = function init(core) {
+  const {
+    logger,
+    depHooks,
+    patcher,
+    assess: {
+      dataflow: { sources },
+      getSourceContext,
+    },
+  } = core;
+
+  return core.assess.dataflow.sources.restifyInstrumentation.jsonBodyParser = {
+    install() {
+      depHooks.resolve(
+        { name: 'restify', file: 'lib/plugins/jsonBodyParser.js', version: '>=8' },
+        (jsonBodyParser) => patcher.patch(jsonBodyParser, {
+          name: 'restify.plugins.jsonBodyParser',
+          patchType,
+          post(data) {
+            const { args: [opts] } = data;
+            const index = data.result.length - 1;
+
+            data.result[index] = patcher.patch(data.result[index], {
+              name: 'restify.plugins.jsonBodyParser.parseJson',
+              patchType,
+              pre(data) {
+                const { args: [req, , next], name, funcKey } = data;
+
+                data.args[2] = function contrastNext(...args) {
+                  const sourceContext = getSourceContext(SOURCE);
+
+                  if (!sourceContext) {
+                    logger.error({ funcKey }, 'unable to handle source. Missing `sourceContext`');
+                    return next(...args);
+                  }
+
+                  if (sourceContext.parsedBody) {
+                    logger.trace({ funcKey }, 'values already tracked');
+                    return next(...args);
+                  }
+
+                  try {
+                    sources.handle({
+                      context: 'req.body',
+                      data: req.body,
+                      inputType: JSON_VALUE,
+                      name,
+                      stacktraceOpts: {
+                        constructorOpt: contrastNext,
+                      },
+                      sourceContext,
+                    });
+
+                    sourceContext.parsedBody = true;
+                  } catch (err) {
+                    logger.error({ err, funcKey }, 'unable to handle Restify source');
+                  }
+
+                  if (opts?.mapParams) {
+                    // we don't check for parsedParams first since these clobber
+                    try {
+                      sources.handle({
+                        context: 'req.params',
+                        data: req.params,
+                        inputType: JSON_VALUE,
+                        name,
+                        stacktraceOpts: {
+                          constructorOpt: contrastNext,
+                        },
+                        sourceContext,
+                      });
+
+                      sourceContext.parsedParams = true;
+                    } catch (err) {
+                      logger.error({ err, funcKey }, 'unable to handle Restify source');
+                    }
+                  }
+
+                  return next(...args);
+                };
+              },
+            });
+          },
+        }),
+      );
+    },
+  };
+};

package/lib/dataflow/sources/install/restify/router.js

@@ -0,0 +1,77 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { InputType: { URL_PARAMETER } } = require('@contrast/common');
+const { InstrumentationType: { SOURCE } } = require('../../../../constants');
+const { patchType } = require('../../common');
+
+module.exports = function init(core) {
+  const {
+    logger,
+    depHooks,
+    patcher,
+    assess: {
+      dataflow: { sources },
+      getSourceContext,
+    },
+  } = core;
+
+  return core.assess.dataflow.sources.restifyInstrumentation.router = {
+    install() {
+      depHooks.resolve(
+        { name: 'restify', file: 'lib/router.js', version: '>=8' },
+        (Router) => {
+          patcher.patch(Router.prototype, 'lookup', {
+            name: 'restify.Router.prototype.lookup',
+            patchType,
+            post({ args: [req], hooked, orig, name, funcKey }) {
+              const sourceContext = getSourceContext(SOURCE);
+
+              if (!sourceContext) {
+                logger.error({ funcKey }, 'unable to handle source. Missing `sourceContext`');
+                return;
+              }
+
+              if (sourceContext.parsedParams) {
+                logger.trace({ funcKey }, 'values already tracked');
+                return;
+              }
+
+              try {
+                sources.handle({
+                  context: 'req.params',
+                  data: req.params,
+                  inputType: URL_PARAMETER,
+                  name,
+                  stacktraceOpts: {
+                    constructorOpt: hooked,
+                    prependFrames: [orig],
+                  },
+                  sourceContext,
+                });
+
+                sourceContext.parsedParams = true;
+              } catch (err) {
+                logger.error({ err, funcKey }, 'unable to handle Restify source');
+              }
+            },
+          });
+        },
+      );
+    },
+  };
+};

package/lib/dataflow/tag-utils.js

@@ -14,7 +14,7 @@
  */
 'use strict';
 
-const { split } = require('@contrast/common');
+const { StringPrototypeSplit } = require('@contrast/common');
 
 //
 // This module implements tag range manipulation functions. There are generally
@@ -485,8 +485,8 @@ function createAdjustedQueryTags(path, tags, value, argString) {
  * - "?test=str","%3Ftest%3Dstr",{"UNTRUSTED":[0,8]} => {"UNTRUSTED":[3,6,10,12]}
  */
 function createEscapeTagRanges(input, result, tags) {
-  const inputArr = split(input, '');
-  const escapedArr = split(result, '');
+  const inputArr = StringPrototypeSplit.call(input, '');
+  const escapedArr = StringPrototypeSplit.call(result, '');
   const overlap = inputArr.filter((x) => {
     if (escapedArr.includes(x)) {
       return x;
@@ -533,7 +533,7 @@ function createEscapeTagRanges(input, result, tags) {
  * @returns {string} the adjusted value for reporting
  */
 function getAdjustedUntrackedValue(origValue) {
-  return origValue?.constructor?.name ?? (origValue === null ? 'null' : typeof arg);
+  return origValue?.constructor?.name ?? (origValue === null ? 'null' : typeof origValue);
 }
 
 module.exports = {

package/lib/dataflow/tracker.js

@@ -108,6 +108,7 @@ module.exports = function tracker(core) {
       }
 
       objMap.set(value, metadata);
+      metadata.value = value;
 
       return metadata;
     }

package/lib/event-factory.js

@@ -15,7 +15,7 @@
 
 'use strict';
 
-const { InputType, match } = require('@contrast/common');
+const { InputType, StringPrototypeMatch } = require('@contrast/common');
 const ANNOTATION_REGEX = /^(A|O|R|P|P\d+)$/;
 const SOURCE_EVENT_MSG = 'Source event not created: %s';
 const PROPAGATION_EVENT_MSG = 'Propagation event not created: %s';
@@ -113,12 +113,12 @@ module.exports = function (core) {
       return null;
     }
 
-    if (!source || !match(source, ANNOTATION_REGEX)) {
+    if (!source || !StringPrototypeMatch.call(source, ANNOTATION_REGEX)) {
       logger.debug({ name }, PROPAGATION_EVENT_MSG, 'invalid source');
       return null;
     }
 
-    if (!target || !match(target, ANNOTATION_REGEX)) {
+    if (!target || !StringPrototypeMatch.call(target, ANNOTATION_REGEX)) {
       logger.debug({ name }, PROPAGATION_EVENT_MSG, 'invalid target');
       return null;
     }

package/lib/get-policy.js

@@ -22,7 +22,7 @@ const {
   Rule,
   ResponseScanningRule,
   SessionConfigurationRule,
-  join,
+  ArrayPrototypeJoin,
 } = require('@contrast/common');
 
 const ASSESS_RULES = Object.values({
@@ -279,7 +279,7 @@ class UrlExclusion {
         }
       }
       if (regexSegments.length) {
-        this._urlRegex = new RegExp(`^${join(regexSegments, '|')}$`);
+        this._urlRegex = new RegExp(`^${ArrayPrototypeJoin.call(regexSegments, '|')}$`);
       }
     }
   }

package/lib/index.d.ts

@@ -17,6 +17,20 @@ import {
   Rule,
   SessionConfigurationRule,
 } from '@contrast/common';
+import { Core as _Core } from '@contrast/core';
+
+export interface Core extends _Core {
+  config: Config;
+  logger: Logger;
+  depHooks: RequireHook;
+  patcher: Patcher
+  rewriter: Rewriter;
+  scopes: Scopes;
+  deadzones: Deadzones;
+  reporter: ReporterBus;
+  instrumentation: any;
+  metrics: any;
+}
 
 export enum InstrumentationType {
   SOURCE = 'source',
@@ -62,3 +76,7 @@ export interface Assess {
 }
 
 export function getSourceContext(instrType?: InstrumentationType, ops?: any): SourceContext;
+
+declare function init(core: Core): Assess;
+
+export = init;

package/lib/make-source-context.js

@@ -15,7 +15,7 @@
 
 'use strict';
 
-const { toLowerCase } = require('@contrast/common');
+const { StringPrototypeToLowerCase } = require('@contrast/common');
 
 /**
  * @param {{
@@ -48,7 +48,7 @@ module.exports = function(core) {
       // copy to avoid storing tracked values
       const headers = { ...req.headers };
       if (headers['content-type']) {
-        contentType = toLowerCase(headers['content-type']);
+        contentType = StringPrototypeToLowerCase.call(headers['content-type']);
       }
 
       return {

package/lib/response-scanning/handlers/index.js

@@ -16,9 +16,9 @@
 'use strict';
 
 const {
-  toLowerCase,
-  stringify,
-  substring,
+  StringPrototypeToLowerCase,
+  JSONStringify,
+  StringPrototypeSubstring,
   ResponseScanningRule
 } = require('@contrast/common');
 const {
@@ -56,15 +56,15 @@ module.exports = function(core) {
     }
   } = core;
 
-  responseScanning.handleAutoCompleteMissing = function(sourceContext, { responseHeaders, responseBody }) {
+  responseScanning.handleAutoCompleteMissing = function(sourceContext, resHeaders, resBody) {
     if (
       !isEnabled(AUTOCOMPLETE_MISSING, sourceContext) ||
-      !isHtmlContent(responseHeaders)
+      !isHtmlContent(resHeaders)
     ) {
       return;
     }
 
-    const elements = getElements('form', responseBody);
+    const elements = getElements('form', resBody);
 
     for (let i = 0; i < elements.length; i++) {
       const autocomplete = getAttribute('autocomplete', elements[i]);
@@ -84,24 +84,24 @@ module.exports = function(core) {
     }
   };
 
-  responseScanning.handleCacheControlsMissing = function(sourceContext, { responseHeaders, responseBody }) {
+  responseScanning.handleCacheControlsMissing = function(sourceContext, resHeaders, resBody) {
     const instructions = [];
 
     // de-dupe; this will be re-emitted for parseableBody handlers anyway
     if (
       !isEnabled(CACHE_CONTROLS_MISSING, sourceContext) ||
-      (isParseableResponse(responseHeaders) && !responseBody)
+      (isParseableResponse(resHeaders) && !resBody)
     ) {
       return;
     }
-    const cacheControlHeader = responseHeaders['cache-control'];
+    const cacheControlHeader = resHeaders['cache-control'];
 
     // save the Pragma Header
-    if (responseHeaders['pragma']) {
+    if (resHeaders['pragma']) {
       instructions.push({
         type: 'Header',
         name: 'pragma',
-        value: responseHeaders['pragma']
+        value: resHeaders['pragma']
       });
     }
 
@@ -124,27 +124,27 @@ module.exports = function(core) {
     }
 
     // we checked the headers now time to check the HTML content
-    checkMetaTags({ body: responseBody, cacheControlHeader, instructions });
+    checkMetaTags({ body: resBody, cacheControlHeader, instructions });
 
     if (instructions.length) {
       reportFindings(sourceContext, {
         ruleId: ResponseScanningRule.CACHE_CONTROLS_MISSING,
         vulnerabilityMetadata: {
-          data: stringify(instructions)
+          data: JSONStringify(instructions)
         }
       });
     }
   };
 
-  responseScanning.handleClickJackingControlsMissing = function(sourceContext, { responseHeaders }) {
+  responseScanning.handleClickJackingControlsMissing = function(sourceContext, resHeaders) {
     if (!isEnabled(CLICKJACKING_CONTROL_MISSING, sourceContext)) return;
 
     // look for x-frame-options headers with deny or sameorigin
-    const xFrameHeaders = responseHeaders['x-frame-options'];
+    const xFrameHeaders = resHeaders['x-frame-options'];
     let hasFrameBusting = false;
 
     if (xFrameHeaders) {
-      const xFrameHeadersLC = toLowerCase(xFrameHeaders);
+      const xFrameHeadersLC = StringPrototypeToLowerCase.call(xFrameHeaders);
       hasFrameBusting =
         xFrameHeadersLC.indexOf('deny') > -1 ||
         xFrameHeadersLC.indexOf('sameorigin') > -1;
@@ -155,12 +155,12 @@ module.exports = function(core) {
     }
   };
 
-  responseScanning.handleParameterPollution = function(sourceContext, { responseBody }) {
+  responseScanning.handleParameterPollution = function(sourceContext, resBody) {
     if (!isEnabled(PARAMETER_POLLUTION, sourceContext)) return;
 
     // look for form tag with missing action attribute.
     // ex: <form method="post">..
-    const elements = getElements('form', responseBody);
+    const elements = getElements('form', resBody);
 
     for (let i = 0; i < elements.length; i++) {
       const action = getAttribute('action', elements[i]);
@@ -180,11 +180,11 @@ module.exports = function(core) {
    * Checks the response headers for the CSP. If found, and insecure, will return
    * the evidence for reporting.
    *
-   * @param   {Object}        responseHeaders - HTTP headers object.
-   * @returns {Object}                        - Evidence for insecure CSP header.
+   * @param   {Object} resHeaders HTTP headers object.
+   * @returns {Object} Evidence for insecure CSP header.
    */
-  responseScanning.handleCspHeader = function(sourceContext, { responseHeaders }) {
-    const cspHeaders = getCspHeaders(responseHeaders);
+  responseScanning.handleCspHeader = function(sourceContext, resHeaders) {
+    const cspHeaders = getCspHeaders(resHeaders);
 
     // Don't report if not set; this report belongs to 'csp-header-missing'
     if (!cspHeaders && isEnabled(CSP_HEADER_MISSING, sourceContext)) {
@@ -213,23 +213,23 @@ module.exports = function(core) {
     }
   };
 
-  responseScanning.handleHstsHeaderMissing = function(sourceContext, { responseHeaders }) {
+  responseScanning.handleHstsHeaderMissing = function(sourceContext, resHeaders) {
     if (!isEnabled(HSTS_HEADER_MISSING, sourceContext)) return;
 
-    let header = responseHeaders['strict-transport-security'];
+    let header = resHeaders['strict-transport-security'];
     let maxAge;
 
     if (header) {
-      header = toLowerCase(header);
+      header = StringPrototypeToLowerCase.call(header);
       const flag = header.indexOf('max-age');
       if (flag > -1) {
         const equal = header.indexOf('=', flag);
         if (equal > -1) {
           const semicolon = header.indexOf(';', equal);
           if (semicolon > -1) {
-            maxAge = substring(header, equal + 1, semicolon);
+            maxAge = StringPrototypeSubstring.call(header, equal + 1, semicolon);
           } else {
-            maxAge = substring(header, equal + 1);
+            maxAge = StringPrototypeSubstring.call(header, equal + 1);
           }
         }
       }
@@ -245,14 +245,14 @@ module.exports = function(core) {
     }
   };
 
-  responseScanning.handleXContentTypeHeaderMissing = function(sourceContext, { responseHeaders }) {
+  responseScanning.handleXContentTypeHeaderMissing = function(sourceContext, resHeaders) {
     if (!isEnabled(XCONTENTTYPE_HEADER_MISSING, sourceContext)) return;
 
     const headerName = 'x-content-type-options';
-    let header = responseHeaders[headerName];
+    let header = resHeaders[headerName];
 
     if (header) {
-      header = toLowerCase(header);
+      header = StringPrototypeToLowerCase.call(header);
       if (header === 'nosniff') {
         return;
       }
@@ -266,14 +266,14 @@ module.exports = function(core) {
     });
   };
 
-  responseScanning.handleXPoweredByHeader = function(sourceContext, { responseHeaders }) {
+  responseScanning.handleXPoweredByHeader = function(sourceContext, resHeaders) {
     if (!isEnabled(X_POWERED_BY_HEADER, sourceContext)) return;
 
     const headerName = 'x-powered-by';
-    let header = responseHeaders[headerName];
+    let header = resHeaders[headerName];
 
     if (header) {
-      header = toLowerCase(header);
+      header = StringPrototypeToLowerCase.call(header);
 
       reportFindings(sourceContext, {
         ruleId: ResponseScanningRule.X_POWERED_BY_HEADER,
@@ -284,7 +284,7 @@ module.exports = function(core) {
     }
   };
 
-  responseScanning.handleXxsProtectionHeaderDisabled = function(sourceContext, { responseHeaders }) {
+  responseScanning.handleXxsProtectionHeaderDisabled = function(sourceContext, responseHeaders) {
     if (!isEnabled(XXSPROTECTION_HEADER_DISABLED, sourceContext)) return;
 
     const header = responseHeaders['x-xss-protection'];