@contrast/assess 1.3.0 → 1.5.0

package/lib/dataflow/propagation/install/string/match.js

@@ -0,0 +1,122 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+const { join } = require('@contrast/common');
+const { patchType } = require('../../common');
+const { createSubsetTags } = require('../../../tag-utils');
+
+module.exports = function(core) {
+  const {
+    scopes: { sources, instrumentation },
+    patcher,
+    assess: {
+      dataflow: { tracker, eventFactory: { createPropagationEvent } }
+    }
+  } = core;
+
+  function getPropagationEvent(data, res, objInfo, start) {
+    const { name, args, result, hooked, orig } = data;
+    const tags = createSubsetTags(objInfo.tags, start, res.length - 1);
+    if (!tags) return;
+
+    return createPropagationEvent({
+      name,
+      history: [objInfo],
+      object: {
+        value: objInfo.value,
+        tracked: true,
+      },
+      args: args.map((arg) => {
+        const argInfo = tracker.getData(arg);
+        return {
+          value: argInfo ? argInfo.value : arg.toString(),
+          tracked: !!argInfo
+        };
+      }),
+      tags,
+      result: {
+        value: join(result),
+        tracked: false
+      },
+      stacktraceOpts: {
+        constructorOpt: hooked,
+        prependFrames: [orig]
+      },
+      source: 'O',
+      target: 'R'
+    });
+  }
+
+  return core.assess.dataflow.propagation.stringInstrumentation.match = {
+    install() {
+      const name = 'String.prototype.match';
+
+      patcher.patch(String.prototype, 'match', {
+        name,
+        patchType,
+        post(data) {
+          const { args, obj, result } = data;
+          if (
+            !obj ||
+            !result ||
+            args.length === 0 ||
+            result.length === 0 ||
+            !sources.getStore() ||
+            typeof obj !== 'string' ||
+            instrumentation.isLocked() ||
+            (args.length === 1 && args[0] == null)
+          ) return;
+
+          const objInfo = tracker.getData(obj);
+          if (!objInfo) return;
+
+          let idx = 0;
+          const hasCaptureGroups = 'groups' in result;
+          for (let i = 0; i < result.length; i++) {
+            const res = result[i];
+            if (!res) continue;
+            const start = obj.indexOf(res, idx);
+            idx += hasCaptureGroups ? 0 : res.length;
+            const event = getPropagationEvent(data, res, objInfo, start);
+            if (event) {
+              const { extern } = tracker.track(res, event);
+              if (extern) {
+                data.result[i] = extern;
+              }
+            }
+          }
+          if (hasCaptureGroups && result.groups) {
+            Object.keys(result.groups).forEach((key) => {
+              const res = result.groups[key];
+              if (!res) return;
+              const start = obj.indexOf(res);
+              const event = getPropagationEvent(data, res, objInfo, start);
+              if (event) {
+                const { extern } = tracker.track(res, event);
+                if (extern) {
+                  data.result.groups[key] = extern;
+                }
+              }
+            });
+          }
+        },
+      });
+    },
+    uninstall() {
+      String.prototype.match = patcher.unwrap(String.prototype.match);
+    },
+  };
+};

package/lib/dataflow/propagation/install/string/replace.js

@@ -158,19 +158,19 @@ module.exports = function(core) {
             history: Array.from(data._history),
             object: {
               value: obj,
-              isTracked: !!data._objInfo
+              tracked: !!data._objInfo
             },
             args: [{
               value: args[0].toString(),
-              isTracked: !!tracker.getData(args[0])
+              tracked: !!tracker.getData(args[0])
             },
             {
               value: data._replacement,
-              isTracked: !!_replacementInfo
+              tracked: !!_replacementInfo
             }],
             result: {
               value: result,
-              isTracked: true
+              tracked: true
             },
             tags: data._accumTags,
             stacktraceOpts: {

package/lib/dataflow/propagation/install/string/slice.js

@@ -0,0 +1,104 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { patchType } = require('../../common');
+const { createSubsetTags } = require('../../../tag-utils');
+
+module.exports = function(core) {
+  const {
+    scopes: { sources, instrumentation },
+    patcher,
+    assess: {
+      dataflow: { tracker, eventFactory: { createPropagationEvent } }
+    }
+  } = core;
+
+  function calculateSubsetRangeForSlice({ obj, args }) {
+    let [start, end] = args;
+    const hasSingleArg = end === undefined;
+
+    if (start < 0 && hasSingleArg || start < 0 && end < 0) {
+      start = obj.length - Math.abs(start);
+      end = obj.length - (Math.abs(end) || 0);
+    } else if (start > 0 && end < 0) {
+      end = obj.length - (Math.abs(end) || 0);
+    }
+
+    const subsetLen = (hasSingleArg ? obj.length - start : Math.abs(end - start)) - 1;
+
+    return {
+      startIdx: start,
+      subsetLen
+    };
+  }
+
+  return core.assess.dataflow.propagation.stringInstrumentation.slice = {
+    install() {
+      const name = 'String.prototype.slice';
+
+      patcher.patch(String.prototype, 'slice', {
+        name,
+        patchType,
+        post(data) {
+          const { name, args, obj, result, hooked, orig } = data;
+          if (!result || !sources.getStore() || instrumentation.isLocked()) return;
+
+          const objInfo = tracker.getData(obj);
+          if (!objInfo) return;
+
+          const rInfo = tracker.getData(result);
+          if (rInfo) {
+            // this may happen w/ trackedStr.slice(0) => trackedStr
+            return;
+          }
+
+          const { startIdx, subsetLen } = calculateSubsetRangeForSlice(data);
+          const tags = createSubsetTags(objInfo.tags, startIdx, subsetLen);
+          if (!tags) return;
+
+          const event = createPropagationEvent({
+            name,
+            history: [objInfo],
+            object: {
+              value: obj,
+              tracked: true,
+            },
+            args: args.map((arg) => ({
+              value: arg.toString(),
+              tracked: false
+            })),
+            result: {
+              value: result,
+              tracked: true
+            },
+            tags,
+            stacktraceOpts: {
+              constructorOpt: hooked,
+              prependFrames: [orig]
+            }
+          });
+          const { extern } = tracker.track(result, event);
+
+          if (extern) {
+            data.result = extern;
+          }
+        },
+      });
+    },
+    uninstall() {
+      String.prototype.slice = patcher.unwrap(String.prototype.slice);
+    },
+  };
+};

package/lib/dataflow/propagation/install/string/split.js

@@ -50,7 +50,7 @@ module.exports = function(core) {
           ) return;
 
           const objInfo = tracker.getData(obj);
-          if (!objInfo) return;
+          if (!objInfo || obj === result[0]) return;
 
           let idx = 0;
           for (let i = 0; i < result.length; i++) {
@@ -68,19 +68,19 @@ module.exports = function(core) {
                 history: [objInfo],
                 object: {
                   value: obj,
-                  isTracked: true,
+                  tracked: true,
                 },
                 args: args.map((arg) => {
                   const argInfo = tracker.getData(arg);
                   return {
                     value: argInfo ? argInfo.value : arg.toString(),
-                    isTracked: !!argInfo
+                    tracked: !!argInfo
                   };
                 }),
                 tags,
                 result: {
                   value: join(result),
-                  isTracked: false
+                  tracked: false
                 },
                 stacktraceOpts: {
                   constructorOpt: hooked,

package/lib/dataflow/propagation/install/string/substring.js

@@ -83,21 +83,23 @@ module.exports = function(core) {
               history: [objInfo],
               object: {
                 value: obj,
-                isTracked: true,
+                tracked: true,
               },
               args: args.map((arg) => ({
                 value: arg.toString(),
-                isTracked: false
+                tracked: false
               })),
               result: {
                 value: result,
-                isTracked: true
+                tracked: true
               },
               tags,
+              source: 'O',
               stacktraceOpts: {
                 constructorOpt: hooked,
                 prependFrames: [orig]
-              }
+              },
+              target: 'R',
             });
             const { extern } = tracker.track(result, event);
 

package/lib/dataflow/propagation/install/string/trim.js

@@ -63,11 +63,11 @@ module.exports = function(core) {
         history,
         object: {
           value: obj,
-          isTracked: true
+          tracked: true
         },
         result: {
           value: result,
-          isTracked: true
+          tracked: true
         },
         tags: newTags,
         stacktraceOpts: {

package/lib/dataflow/propagation/install/unescape.js

@@ -53,13 +53,13 @@ module.exports = function(core) {
             name: 'global.unescape',
             object: {
               value: createObjectLabel('global'),
-              isTracked: false
+              tracked: false
             },
             result: {
               value: resultInfo ? resultInfo.value : result,
-              isTracked: true
+              tracked: true
             },
-            args: [{ value: argInfo.value, isTracked: true }],
+            args: [{ value: argInfo.value, tracked: true }],
             tags: newTags,
             history,
             removedTags: ['weak-url-encoded'],

package/lib/dataflow/propagation/install/url/domain-parsers.js

@@ -52,13 +52,13 @@ module.exports = function(core) {
                 name: `url.${method}`,
                 object: {
                   value: createModuleLabel('url', version),
-                  isTracked: false
+                  tracked: false
                 },
                 result: {
                   value: resultInfo ? resultInfo.value : result,
-                  isTracked: true
+                  tracked: true
                 },
-                args: [{ value: argInfo.value, isTracked: true }],
+                args: [{ value: argInfo.value, tracked: true }],
                 tags: createFullLengthCopyTags(argInfo.tags, result.length) || [],
                 history,
                 source: 'P',

package/lib/dataflow/propagation/install/validator/hooks.js

@@ -33,11 +33,11 @@ module.exports = function(core) {
       history: [{ ...trackingData }],
       args: [{
         value: data.args[0],
-        isTracked: true
+        tracked: true
       }],
       result: {
         value: data.result,
-        isTracked: !!tracker.getData(data.result)
+        tracked: !!tracker.getData(data.result)
       },
       tags: {
         ...trackingData.tags,

package/lib/dataflow/sinks/index.js

@@ -21,21 +21,30 @@ const { isSafeContentType } = require('../utils/is-safe-content-type');
 
 module.exports = function (core) {
   const {
-    messages
+    messages,
+    scopes: { sources }
   } = core;
 
   const sinks = core.assess.dataflow.sinks = {
     isVulnerable,
     isSafeContentType,
     reportFindings(data) {
-      messages.emit(Event.ASSESS_DATAFLOW_FINDING, data);
+      const store = sources.getStore();
+      // these events need source correlation
+      messages.emit(Event.ASSESS_DATAFLOW_FINDING, {
+        sourceInfo: store?.sourceInfo,
+        ...data
+      });
     },
   };
 
   require('./install/fastify')(core);
+  require('./install/koa')(core);
+  require('./install/child-process')(core);
   require('./install/http')(core);
   require('./install/mssql')(core);
   require('./install/postgres')(core);
+  require('./install/sqlite3')(core);
 
   sinks.install = function() {
     callChildComponentMethodsSync(core.assess.dataflow.sinks, 'install');

package/lib/dataflow/sinks/install/child-process.js

@@ -0,0 +1,87 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+const { patchType } = require('../common');
+const { Rule, isString } = require('@contrast/common');
+
+module.exports = function (core) {
+  const {
+    depHooks,
+    patcher,
+    scopes: { sources },
+    assess: {
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, reportFindings },
+        eventFactory: { createSinkEvent },
+      },
+    },
+  } = core;
+
+  const pre = (name) => (data) => {
+    const store = sources.getStore()?.assess;
+    if (!store || !data.args[0] || !isString(data.args[0])) return;
+
+    const strInfo = tracker.getData(data.args[0]);
+    if (!strInfo || !isVulnerable('untrusted', [], strInfo.tags)) {
+      return;
+    }
+
+    const event = createSinkEvent({
+      name,
+      history: [strInfo],
+      object: {
+        value: 'child_process',
+        tracked: false,
+      },
+      args: [
+        {
+          value: strInfo.value,
+          tracked: true,
+        },
+      ],
+      tags: strInfo.tags,
+      source: 'P0',
+      stacktraceOpts: {
+        contructorOpt: data.hooked,
+      },
+    });
+
+    if (event) {
+      reportFindings({
+        ruleId: Rule.CMD_INJECTION,
+        sinkEvent: event,
+      });
+    }
+  };
+
+  core.assess.dataflow.sinks.cmdInjection = {
+    install() {
+      depHooks.resolve({ name: 'child_process' }, cp => {
+        ['spawn', 'spawnSync', 'exec', 'execSync'].forEach((method) => {
+          const name = `child_process.${method}`;
+          patcher.patch(cp, method, {
+            name,
+            patchType,
+            pre: pre(name)
+          });
+        });
+      });
+    },
+  };
+
+  return core.assess.dataflow.sinks.cmdInjection;
+};

package/lib/dataflow/sinks/install/fastify/unvalidated-redirect.js

@@ -15,9 +15,10 @@
 
 'use strict';
 
+const util = require('util');
 const { isString } = require('@contrast/common');
-const { createModuleLabel } = require('../../../propagation/common');
 const { patchType } = require('../../common');
+const { createSubsetTags } = require('../../../tag-utils');
 
 module.exports = function (core) {
   const {
@@ -35,6 +36,8 @@ module.exports = function (core) {
   const unvalidatedRedirect =
     (core.assess.dataflow.sinks.fastify.unvalidatedRedirect = {});
 
+  const inspect = patcher.unwrap(util.inspect);
+
   const safeTags = [
     'limited-chars',
     'url-encoded',
@@ -67,33 +70,43 @@ module.exports = function (core) {
         const strInfo = tracker.getData(url);
         if (!strInfo) return;
 
-        if (isVulnerable(requiredTag, safeTags, strInfo.tags)) {
+        let urlPathTags = strInfo.tags;
+        const urlPathEndIdx = url.indexOf('?');
+
+        if (urlPathEndIdx > -1) {
+          urlPathTags = createSubsetTags(strInfo.tags, 0, urlPathEndIdx);
+        }
+
+        if (isVulnerable(requiredTag, safeTags, urlPathTags)) {
           const event = createSinkEvent({
-            name: 'fastify.reply.redirect',
-            object: {
-              value: `[${createModuleLabel('fastify', version)}].Reply`,
-              isTracked: false,
-            },
-            history: [strInfo],
             args: [{
+              tracked: true,
               value: strInfo.value,
-              isTracked: true
             }],
+            context: `reply.redirect(${inspect(strInfo.value)})`,
+            history: [strInfo],
+            name: 'fastify.reply.redirect',
+            object: {
+              tracked: false,
+              value: 'fastify.Reply',
+            },
             result: {
-              value: url,
-              isTracked: true,
+              tracked: false,
+              value: undefined,
             },
-            tags: strInfo.tags,
+            tags: urlPathTags,
             source: 'P0',
             stacktraceOpts: {
               constructorOpt: data.hooked,
             },
           });
 
-          reportFindings({
-            ruleId: 'unvalidated-redirect', // add Rule.UNVALIDATED_REDIRECT
-            metadata: event,
-          });
+          if (event) {
+            reportFindings({
+              ruleId: 'unvalidated-redirect', // add Rule.UNVALIDATED_REDIRECT
+              sinkEvent: event,
+            });
+          }
         }
       },
     });

package/lib/dataflow/sinks/install/http.js

@@ -16,7 +16,6 @@
 'use strict';
 
 const { Rule } = require('@contrast/common');
-const { createObjectLabel } = require('../../propagation/common');
 const { patchType } = require('../common');
 
 module.exports = function(core) {
@@ -48,7 +47,7 @@ module.exports = function(core) {
   ];
   const requiredTag = 'untrusted';
 
-  const preHook = (name) => (data) => {
+  const preHook = (name, method) => (data) => {
     const sourceContext = sources.getStore()?.assess;
     if (!sourceContext) return;
 
@@ -63,32 +62,33 @@ module.exports = function(core) {
 
     if (isVulnerable(requiredTag, safeTags, strInfo.tags)) {
       const event = createSinkEvent({
-        ruleId: Rule.REFLECTED_XSS,
-        name,
-        history: [strInfo],
-        object: {
-          isTracked: false,
-          value: createObjectLabel('http.ServerResponse')
-        },
         args: [{
           value: strInfo.value,
-          isTracked: true
+          tracked: true
         }],
+        context: `res.${method}(${strInfo.value})`,
+        history: [strInfo],
+        name,
+        object: {
+          tracked: false,
+          value: 'http.ServerResponse'
+        },
         result: {
-          value: null,
-          isTracked: false,
+          value: data.result,
+          tracked: false,
         },
-        tags: strInfo.tags,
+        ruleId: Rule.REFLECTED_XSS,
         source: 'P0',
         stacktraceOpts: {
           constructorOpt: data.hooked
-        }
+        },
+        tags: strInfo.tags,
       });
 
       if (event) {
         reportFindings({
           ruleId: 'reflected-xss',
-          metadata: event
+          sinkEvent: event
         });
       }
     }
@@ -98,18 +98,20 @@ module.exports = function(core) {
     depHooks.resolve({ name: 'http' }, (http) => {
       {
         const name = 'http.ServerResponse.prototype.write';
-        patcher.patch(http.ServerResponse.prototype, 'write', {
+        const method = 'write';
+        patcher.patch(http.ServerResponse.prototype, method, {
           name,
           patchType,
-          pre: preHook(name),
+          pre: preHook(name, method),
         });
       }
       {
         const name = 'http.ServerResponse.prototype.end';
-        patcher.patch(http.ServerResponse.prototype, 'end', {
+        const method = 'end';
+        patcher.patch(http.ServerResponse.prototype, method, {
           name,
           patchType,
-          pre: preHook(name),
+          pre: preHook(name, method),
         });
       }
     });