@contrast/assess 1.29.0 → 1.30.0

package/lib/crypto-analysis/install/crypto.js

@@ -24,18 +24,30 @@ const { InstrumentationType: { RULE } } = require('../../constants');
 const { PATCH_TYPE: patchType } = require('../common');
 
 const SAFE_HASH_ALGORITHMS = new Set([
-  'RSA-SHA1-2',
-  'RSA-SHA224',
-  'RSA-SHA256',
-  'RSA-SHA384',
-  'RSA-SHA512',
+  // SHA224
+  'rsa-sha224',
+  'sha-224',
+  'sha2-224',
   'sha224',
-  'sha224WithRSAEncryption',
+  'sha224withrsaencryption',
+  // SHA256
+  'rsa-sha256',
+  'sha-256',
+  'sha2-256',
   'sha256',
-  'sha256WithRSAEncryption',
+  'sha256withrsaencryption',
+  // SHA384
+  'rsa-sha384',
+  'sha-384',
+  'sha2-384',
   'sha384',
-  'sha384WithRSAEncryption',
-  'sha512'
+  'sha384withrsaencryption',
+  // SHA512
+  'rsa-sha512',
+  'sha-512',
+  'sha2-512',
+  'sha512',
+  'sha512withrsaencryption',
 ]);
 const SAFE_HASH_LIBS = ['etag', 'browserify', 'deps-sort'];
 const SAFE_CIPHER_ALGORITHM_PREFIXES = ['des-ede', 'id-aes', 'aes', 'rsa'];
@@ -53,7 +65,6 @@ module.exports = function (core) {
     logger,
     patcher,
     assess: {
-      inspect, // todo: remove
       eventFactory,
       cryptoAnalysis,
       getSourceContext,
@@ -68,16 +79,14 @@ module.exports = function (core) {
           patchType,
           post(data) {
             const [alg] = data.args;
+            if (!isString(alg) || !getSourceContext(RULE, Rule.CRYPTO_BAD_MAC)) return;
 
-            if (
-              !isString(alg) ||
-              !getSourceContext(RULE, Rule.CRYPTO_BAD_MAC) ||
-              SAFE_HASH_ALGORITHMS.has(alg)
-            ) return;
+            const algLower = StringPrototypeToLowerCase.call(alg);
+            if (SAFE_HASH_ALGORITHMS.has(algLower)) return;
 
             const event = eventFactory.createCryptoAnalysisEvent({
               args: [{ tracked: false, value: alg }],
-              context: `crypto.createHash(${inspect(alg)})`,
+              context: `crypto.createHash(${algLower})`,
               methodName: 'createHash',
               moduleName: 'crypto',
               name: 'crypto.createHash',
@@ -130,7 +139,7 @@ module.exports = function (core) {
 
               const event = eventFactory.createCryptoAnalysisEvent({
                 args: [{ tracked: false, value: alg }],
-                context: `crypto.${method}(${inspect(alg)})`,
+                context: `crypto.${method}(${algLower})`,
                 methodName: method,
                 moduleName: 'crypto',
                 name: `crypto.${method}`,

package/lib/dataflow/propagation/install/ejs/template.js

@@ -38,7 +38,7 @@ module.exports = function (core) {
   } = core;
 
   /** @type {import('@contrast/rewriter').RewriteOpts} */
-  const REWRITE_OPTS = { isModule: false, inject: false, wrap: false, trim: true };
+  const REWRITE_OPTS = { isModule: false, inject: false, wrap: false };
   const WRAPPER_PREFIX = ArrayPrototypeJoin.call([
     'function tempWrapper() {',
     'function __append(s) { if (s !== undefined && s !== null) __output += s }'

package/lib/dataflow/propagation/install/pug/index.js

@@ -17,7 +17,7 @@
 const { patchType } = require('../../common');
 
 /** @type {import('@contrast/rewriter').RewriteOpts} */
-const REWRITE_OPTS = { isModule: false, inject: false, wrap: false, trim: true };
+const REWRITE_OPTS = { isModule: false, inject: false, wrap: false };
 
 module.exports = function (core) {
   const store = { lock: true, name: 'assess:propagators:pug-compile' };

package/lib/dataflow/propagation/install/url/searchParams.js

@@ -16,7 +16,8 @@
 'use strict';
 
 const { patchType } = require('../../common');
-const { isString } = require('@contrast/common');
+const { isString, StringPrototypeConcat, StringPrototypeReplaceAll } = require('@contrast/common');
+const { createAppendTags } = require('../../../tag-utils');
 
 module.exports = function(core) {
   const {
@@ -74,10 +75,9 @@ module.exports = function(core) {
             if (isString(params)) {
               params.split('&').forEach((query) => {
                 const endIdx = query.indexOf('=');
-                // this is pretty ugly because we don't want to create a propagation
-                // event by splitting off the '?'. so we count on if it's there, we
-                // skip it and if it's not there, we start at index 0.
-                const key = query.substring(query.indexOf('?') + 1, endIdx);
+                // we don't want to create a propagation event by splitting off
+                // the '?'. so if there start at index 1 else 0.
+                const key = query.substring(query[0] === '?' ? 1 : 0, endIdx);
                 const param = query.substring(endIdx + 1, query.length);
 
                 const keyInfo = tracker.getData(key);
@@ -122,17 +122,76 @@ module.exports = function(core) {
               patchType,
               post(data) {
                 const { obj: params } = data;
-                let i = 0;
-                let str = '';
-                params.forEach((val, key) => {
-                  if (i === 0) {
-                    str = key.concat('=', val);
-                  } else {
-                    str = str.concat('&', key, '=', val);
+
+                // params.size doesn't exist until v18.16.0
+                const entries = [...params.entries()];
+                if (!entries.length) {
+                  return;
+                }
+                let finalTags = {};
+                const history = [];
+                //
+                // local function to capture tags and history for entries in URLSearchParams
+                //
+                function createTagsAndHistoryIfNeeded(entry, base) {
+                  // check key
+                  let tracking = tracker.getData(entry[0]);
+                  if (tracking) {
+                    finalTags = createAppendTags(finalTags, tracking.tags, base + 1);
+                    history.push(tracking);
+                  }
+                  // check value
+                  tracking = tracker.getData(entry[1]);
+                  if (tracking) {
+                    // adjust tags to account for the 'key='
+                    finalTags = createAppendTags(finalTags, tracking.tags, base + 2 + entry[0].length);
+                    history.push(tracking);
+                  }
+                }
+
+                // do the first one outside the loop to avoid the &. first base
+                // is -1 because there is no & to account for.
+                let result = StringPrototypeConcat.call(entries[0][0], '=', entries[0][1]);
+                createTagsAndHistoryIfNeeded(entries[0], -1);
+
+                // do remaining entries
+                let base = result.length;
+                for (let i = 1; i < entries.length; i++) {
+                  result = StringPrototypeConcat.call(result, '&', entries[i][0], '=', entries[i][1]);
+                  createTagsAndHistoryIfNeeded(entries[i], base);
+                  base = result.length;
+                }
+
+                result = StringPrototypeReplaceAll.call(result, ' ', '+');
+
+                if (Object.keys(finalTags).length) {
+                  const event = createPropagationEvent({
+                    args: [],
+                    context: `${inspect(params)}.toString()`,
+                    moduleName: 'url',
+                    methodName: 'URLSearchParams.toString',
+                    history,
+                    object: { value: 'URLSearchParams', tracked: false },
+                    name: 'URLSearchParams.toString',
+                    result: {
+                      value: `${inspect(result)}`,
+                      tracked: true
+                    },
+                    source: 'O',
+                    stacktraceOpts: {
+                      constructorOpt: data.hooked, // hide stack above this point
+                    },
+                    tags: finalTags,
+                    target: 'R',
+                  });
+
+                  const { extern } = tracker.track(result, event);
+                  if (extern) {
+                    result = extern;
                   }
-                  i++;
-                });
-                data.result = str;
+                }
+
+                data.result = result;
               }
             });
           }

package/lib/dataflow/sinks/install/http/server-response.js

@@ -77,11 +77,13 @@ module.exports = function(core) {
     WEAK_URL_ENCODED,
   ];
 
-  const preHook = (name, method) => (data) => {
+  const preHook = (moduleName, responseName, method) => ({ args, obj: response, result, hooked, orig }) => {
+    const methodName = `${responseName + (moduleName !== 'spdy' ? '.prototype' : '')}.${method}`;
+    const name = `${moduleName}.${methodName}`;
     const sourceContext = getSourceContext(RULE, ruleId);
     if (!sourceContext) return;
 
-    const payload = data.args[0];
+    const payload = args[0];
     if (!payload) return;
 
     const strInfo = tracker.getData(payload);
@@ -90,6 +92,7 @@ module.exports = function(core) {
     const { contentType } = sourceContext.responseData;
     if (contentType && isSafeContentType(contentType)) return;
 
+    if (moduleName === 'spdy') response.spdyStream.once('finish', () => response.emit('finish'));
     if (isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) {
       const event = createSinkEvent({
         args: [{
@@ -99,20 +102,20 @@ module.exports = function(core) {
         context: `res.${method}('${strInfo.value}')`,
         history: [strInfo],
         name,
-        moduleName: 'http',
-        methodName: `ServerResponse.prototype.${method}`,
+        moduleName,
+        methodName,
         object: {
           tracked: false,
-          value: 'http.ServerResponse'
+          value: `${moduleName}.${responseName}`
         },
         result: {
-          value: data.result,
+          value: result,
           tracked: false,
         },
         source: 'P0',
         stacktraceOpts: {
-          constructorOpt: data.hooked,
-          prependFrames: [data.orig]
+          constructorOpt: hooked,
+          prependFrames: [orig]
         },
         tags: strInfo.tags,
       });
@@ -139,21 +142,47 @@ module.exports = function(core) {
   http.install = function() {
     depHooks.resolve({ name: 'http' }, (http) => {
       {
-        const name = 'http.ServerResponse.prototype.write';
         const method = 'write';
         patcher.patch(http.ServerResponse.prototype, method, {
-          name,
+          name: 'http.ServerResponse.prototype.write',
           patchType,
-          pre: preHook(name, method),
+          pre: preHook('http', 'ServerResponse', method),
         });
       }
       {
-        const name = 'http.ServerResponse.prototype.end';
         const method = 'end';
         patcher.patch(http.ServerResponse.prototype, method, {
-          name,
+          name: 'http.ServerResponse.prototype.end',
           patchType,
-          pre: preHook(name, method),
+          pre: preHook('http', 'ServerResponse', method),
+        });
+      }
+    });
+    depHooks.resolve({ name: 'http2' }, (http2) => {
+      {
+        const method = 'write';
+        patcher.patch(http2.Http2ServerResponse.prototype, method, {
+          name: 'http2.Http2ServerResponse.prototype.write',
+          patchType,
+          pre: preHook('http2', 'Http2ServerResponse', method),
+        });
+      }
+      {
+        const method = 'end';
+        patcher.patch(http2.Http2ServerResponse.prototype, method, {
+          name: 'http2.Http2ServerResponse.prototype.end',
+          patchType,
+          pre: preHook('http2', 'Http2ServerResponse', method),
+        });
+      }
+    });
+    depHooks.resolve({ name: 'spdy', file: 'lib/spdy/response.js' }, (response) => {
+      {
+        const method = 'end';
+        patcher.patch(response, method, {
+          name: 'spdy.response.end',
+          patchType,
+          pre: preHook('spdy', 'response', method),
         });
       }
     });

package/lib/response-scanning/handlers/index.js

@@ -56,15 +56,15 @@ module.exports = function(core) {
     }
   } = core;
 
-  responseScanning.handleAutoCompleteMissing = function(sourceContext, { responseHeaders, responseBody }) {
+  responseScanning.handleAutoCompleteMissing = function(sourceContext, resHeaders, resBody) {
     if (
       !isEnabled(AUTOCOMPLETE_MISSING, sourceContext) ||
-      !isHtmlContent(responseHeaders)
+      !isHtmlContent(resHeaders)
     ) {
       return;
     }
 
-    const elements = getElements('form', responseBody);
+    const elements = getElements('form', resBody);
 
     for (let i = 0; i < elements.length; i++) {
       const autocomplete = getAttribute('autocomplete', elements[i]);
@@ -84,24 +84,24 @@ module.exports = function(core) {
     }
   };
 
-  responseScanning.handleCacheControlsMissing = function(sourceContext, { responseHeaders, responseBody }) {
+  responseScanning.handleCacheControlsMissing = function(sourceContext, resHeaders, resBody) {
     const instructions = [];
 
     // de-dupe; this will be re-emitted for parseableBody handlers anyway
     if (
       !isEnabled(CACHE_CONTROLS_MISSING, sourceContext) ||
-      (isParseableResponse(responseHeaders) && !responseBody)
+      (isParseableResponse(resHeaders) && !resBody)
     ) {
       return;
     }
-    const cacheControlHeader = responseHeaders['cache-control'];
+    const cacheControlHeader = resHeaders['cache-control'];
 
     // save the Pragma Header
-    if (responseHeaders['pragma']) {
+    if (resHeaders['pragma']) {
       instructions.push({
         type: 'Header',
         name: 'pragma',
-        value: responseHeaders['pragma']
+        value: resHeaders['pragma']
       });
     }
 
@@ -124,7 +124,7 @@ module.exports = function(core) {
     }
 
     // we checked the headers now time to check the HTML content
-    checkMetaTags({ body: responseBody, cacheControlHeader, instructions });
+    checkMetaTags({ body: resBody, cacheControlHeader, instructions });
 
     if (instructions.length) {
       reportFindings(sourceContext, {
@@ -136,11 +136,11 @@ module.exports = function(core) {
     }
   };
 
-  responseScanning.handleClickJackingControlsMissing = function(sourceContext, { responseHeaders }) {
+  responseScanning.handleClickJackingControlsMissing = function(sourceContext, resHeaders) {
     if (!isEnabled(CLICKJACKING_CONTROL_MISSING, sourceContext)) return;
 
     // look for x-frame-options headers with deny or sameorigin
-    const xFrameHeaders = responseHeaders['x-frame-options'];
+    const xFrameHeaders = resHeaders['x-frame-options'];
     let hasFrameBusting = false;
 
     if (xFrameHeaders) {
@@ -155,12 +155,12 @@ module.exports = function(core) {
     }
   };
 
-  responseScanning.handleParameterPollution = function(sourceContext, { responseBody }) {
+  responseScanning.handleParameterPollution = function(sourceContext, resBody) {
     if (!isEnabled(PARAMETER_POLLUTION, sourceContext)) return;
 
     // look for form tag with missing action attribute.
     // ex: <form method="post">..
-    const elements = getElements('form', responseBody);
+    const elements = getElements('form', resBody);
 
     for (let i = 0; i < elements.length; i++) {
       const action = getAttribute('action', elements[i]);
@@ -180,11 +180,11 @@ module.exports = function(core) {
    * Checks the response headers for the CSP. If found, and insecure, will return
    * the evidence for reporting.
    *
-   * @param   {Object}        responseHeaders - HTTP headers object.
-   * @returns {Object}                        - Evidence for insecure CSP header.
+   * @param   {Object} resHeaders HTTP headers object.
+   * @returns {Object} Evidence for insecure CSP header.
    */
-  responseScanning.handleCspHeader = function(sourceContext, { responseHeaders }) {
-    const cspHeaders = getCspHeaders(responseHeaders);
+  responseScanning.handleCspHeader = function(sourceContext, resHeaders) {
+    const cspHeaders = getCspHeaders(resHeaders);
 
     // Don't report if not set; this report belongs to 'csp-header-missing'
     if (!cspHeaders && isEnabled(CSP_HEADER_MISSING, sourceContext)) {
@@ -213,10 +213,10 @@ module.exports = function(core) {
     }
   };
 
-  responseScanning.handleHstsHeaderMissing = function(sourceContext, { responseHeaders }) {
+  responseScanning.handleHstsHeaderMissing = function(sourceContext, resHeaders) {
     if (!isEnabled(HSTS_HEADER_MISSING, sourceContext)) return;
 
-    let header = responseHeaders['strict-transport-security'];
+    let header = resHeaders['strict-transport-security'];
     let maxAge;
 
     if (header) {
@@ -245,11 +245,11 @@ module.exports = function(core) {
     }
   };
 
-  responseScanning.handleXContentTypeHeaderMissing = function(sourceContext, { responseHeaders }) {
+  responseScanning.handleXContentTypeHeaderMissing = function(sourceContext, resHeaders) {
     if (!isEnabled(XCONTENTTYPE_HEADER_MISSING, sourceContext)) return;
 
     const headerName = 'x-content-type-options';
-    let header = responseHeaders[headerName];
+    let header = resHeaders[headerName];
 
     if (header) {
       header = StringPrototypeToLowerCase.call(header);
@@ -266,11 +266,11 @@ module.exports = function(core) {
     });
   };
 
-  responseScanning.handleXPoweredByHeader = function(sourceContext, { responseHeaders }) {
+  responseScanning.handleXPoweredByHeader = function(sourceContext, resHeaders) {
     if (!isEnabled(X_POWERED_BY_HEADER, sourceContext)) return;
 
     const headerName = 'x-powered-by';
-    let header = responseHeaders[headerName];
+    let header = resHeaders[headerName];
 
     if (header) {
       header = StringPrototypeToLowerCase.call(header);
@@ -284,7 +284,7 @@ module.exports = function(core) {
     }
   };
 
-  responseScanning.handleXxsProtectionHeaderDisabled = function(sourceContext, { responseHeaders }) {
+  responseScanning.handleXxsProtectionHeaderDisabled = function(sourceContext, responseHeaders) {
     if (!isEnabled(XXSPROTECTION_HEADER_DISABLED, sourceContext)) return;
 
     const header = responseHeaders['x-xss-protection'];

package/lib/response-scanning/install/http.js

@@ -67,25 +67,25 @@ module.exports = function(core) {
 
   const patchType = 'response-scanning';
 
-  function writeHookChecks(sourceContext, evaluationContext) {
+  function writeHookChecks(sourceContext, resHeaders, resBody) {
     // Check only the rules concerning the response body
-    handleAutoCompleteMissing(sourceContext, evaluationContext);
-    handleCacheControlsMissing(sourceContext, evaluationContext);
-    handleParameterPollution(sourceContext, evaluationContext);
-    handleXxsProtectionHeaderDisabled(sourceContext, evaluationContext);
+    handleAutoCompleteMissing(sourceContext, resHeaders, resBody);
+    handleCacheControlsMissing(sourceContext, resHeaders, resBody);
+    handleParameterPollution(sourceContext, resBody);
+    handleXxsProtectionHeaderDisabled(sourceContext, resHeaders, resBody);
   }
 
-  function endHookChecks(sourceContext, evaluationContext) {
+  function endHookChecks(sourceContext, resHeaders, resBody) {
     // Check all the response scanning rules
-    handleAutoCompleteMissing(sourceContext, evaluationContext);
-    handleCacheControlsMissing(sourceContext, evaluationContext);
-    handleClickJackingControlsMissing(sourceContext, evaluationContext);
-    handleParameterPollution(sourceContext, evaluationContext);
-    handleCspHeader(sourceContext, evaluationContext);
-    handleHstsHeaderMissing(sourceContext, evaluationContext);
-    handleXPoweredByHeader(sourceContext, evaluationContext);
-    handleXContentTypeHeaderMissing(sourceContext, evaluationContext);
-    handleXxsProtectionHeaderDisabled(sourceContext, evaluationContext);
+    handleAutoCompleteMissing(sourceContext, resHeaders, resBody);
+    handleCacheControlsMissing(sourceContext, resHeaders, resBody);
+    handleClickJackingControlsMissing(sourceContext, resHeaders, resBody);
+    handleParameterPollution(sourceContext, resBody);
+    handleCspHeader(sourceContext, resHeaders);
+    handleHstsHeaderMissing(sourceContext, resHeaders);
+    handleXPoweredByHeader(sourceContext, resHeaders);
+    handleXContentTypeHeaderMissing(sourceContext, resHeaders);
+    handleXxsProtectionHeaderDisabled(sourceContext, resHeaders);
   }
 
   http.install = function() {
@@ -98,13 +98,7 @@ module.exports = function(core) {
           post(data) {
             const sourceContext = getSourceContext();
             if (!sourceContext) return;
-
-            const evaluationContext = {
-              responseBody: StringPrototypeToLowerCase.call(data.args[0] || ''),
-              responseHeaders: parseHeaders(data.result._header),
-            };
-
-            writeHookChecks(sourceContext, evaluationContext);
+            writeHookChecks(sourceContext, parseHeaders(data.result._header), StringPrototypeToLowerCase.call(data.args[0] || ''));
           }
         });
       }
@@ -116,20 +110,14 @@ module.exports = function(core) {
           post(data) {
             const sourceContext = getSourceContext();
             if (!sourceContext) return;
-
-            const evaluationContext = {
-              responseBody: StringPrototypeToLowerCase.call(data.args[0] || ''),
-              responseHeaders: parseHeaders(data.result._header),
-            };
-
-            endHookChecks(sourceContext, evaluationContext);
+            endHookChecks(sourceContext, parseHeaders(data.result._header), StringPrototypeToLowerCase.call(data.args[0] || ''));
           }
         });
       }
     });
 
     depHooks.resolve({ name: 'http2' }, (http2) => {
-      // Patching the response object
+      // todo: NODE-3467
       {
         const name = 'http2.Http2ServerResponse.prototype.write';
         patcher.patch(http2.Http2ServerResponse.prototype, 'write', {
@@ -138,14 +126,8 @@ module.exports = function(core) {
           post(data) {
             const sourceContext = getSourceContext();
             if (!sourceContext) return;
-
             const headersSymbol = Object.getOwnPropertySymbols(data.obj).find(symbol => symbol.toString().includes('headers'));
-            const evaluationContext = {
-              responseBody: StringPrototypeToLowerCase.call(data.args[0] || ''),
-              responseHeaders: data.obj[headersSymbol],
-            };
-
-            writeHookChecks(sourceContext, evaluationContext);
+            writeHookChecks(sourceContext, data.obj[headersSymbol], StringPrototypeToLowerCase.call(data.args[0] || ''));
           }
         });
       }
@@ -159,20 +141,24 @@ module.exports = function(core) {
             if (!sourceContext) return;
 
             const headersSymbol = Object.getOwnPropertySymbols(data.result).find(symbol => symbol.toString().includes('headers'));
-            const evaluationContext = {
-              responseBody: StringPrototypeToLowerCase.call(data.args[0] || ''),
-              responseHeaders: data.result[headersSymbol],
-            };
-
-            endHookChecks(sourceContext, evaluationContext);
+            endHookChecks(sourceContext, data.result[headersSymbol], StringPrototypeToLowerCase.call(data.args[0] || ''));
           }
         });
       }
+    });
 
-      // todo: patching the stream object (NODE-3467)
+    depHooks.resolve({ name: 'spdy', file: 'lib/spdy/response.js' }, (response) => {
+      patcher.patch(response, 'end', {
+        name: 'spdy.response.end',
+        patchType: 'test',
+        post(data) {
+          const sourceContext = getSourceContext();
+          if (!sourceContext) return;
+          endHookChecks(sourceContext, data.obj.getHeaders?.(), StringPrototypeToLowerCase.call(data.args[0] || ''));
+        }
+      });
     });
   };
 
   return http;
 };
-

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.29.0",
+  "version": "1.30.0",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -17,7 +17,7 @@
     "test": "../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.21.1",
+    "@contrast/common": "1.21.3",
     "@contrast/distringuish": "^5.0.0",
     "@contrast/scopes": "1.4.1"
   }