@contrast/assess 1.3.0 → 1.5.0

package/lib/dataflow/sources/install/formidable1.js

@@ -0,0 +1,91 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { InputType } = require('@contrast/common');
+const { patchType } = require('../common');
+
+module.exports = (core) => {
+  const {
+    depHooks,
+    patcher,
+    logger,
+    assess: { dataflow: { sources } },
+  } = core;
+  const name = 'Formidable.IncomingForm.prototype.parse';
+
+
+  // Patch `formidable`
+  function install() {
+    depHooks.resolve({ name: 'formidable' }, (formidable) => {
+      formidable.IncomingForm.prototype.parse = patcher.patch(formidable.IncomingForm.prototype.parse, {
+        name,
+        patchType,
+        pre(data) {
+          const sourceContext = core.scopes.sources.getStore()?.assess;
+          const inputType = InputType.MULTIPART_VALUE;
+
+          if (!sourceContext) {
+            logger.error({ inputType, name }, 'unable to handle source. Missing `sourceContext`');
+            return;
+          }
+
+          if (sourceContext.parsedBody) {
+            logger.trace({ inputType, name }, 'values already tracked');
+            return;
+          }
+
+          const origCb = data.args[1];
+
+          data.args[1] = function hookedCb(...cbArgs) {
+            const [, fields] = cbArgs;
+
+            if (fields) {
+              try {
+                sources.handle({
+                  context: 'req.body',
+                  name,
+                  inputType,
+                  stacktraceOpts: {
+                    constructorOpt: data.hooked,
+                    prependFrames: [data.orig]
+                  },
+                  data: fields,
+                  sourceContext
+                });
+                sourceContext.parsedBody = true;
+              } catch (err) {
+                logger.error({ err, inputType, name }, 'unable to handle source');
+              }
+            }
+
+            if (origCb && typeof origCb === 'function') {
+              origCb.apply(this, cbArgs);
+            }
+          };
+        }
+      });
+
+      return formidable;
+    });
+  }
+
+  const formidable1Instrumentation = sources.formidable1Instrumentation = {
+    install
+  };
+
+  return formidable1Instrumentation;
+};

package/lib/dataflow/sources/install/http.js

@@ -15,14 +15,13 @@
 
 'use strict';
 const { patchType } = require('../common');
-const { toLowerCase } = require('@contrast/common');
+const { toLowerCase, InputType } = require('@contrast/common');
 
-// This is only just initiating an async storage for the http source
-// TODO Tracking the user input
 module.exports = function(core) {
   const {
     scopes: { sources },
     instrumentation: { instrument },
+    assess: { dataflow: { sources: dataflowSources } },
     patcher,
   } = core;
 
@@ -40,7 +39,7 @@ module.exports = function(core) {
     }
 
     try {
-      const [, req, response] = data.args;
+      const [, req, res] = data.args;
       const store = sources.getStore();
 
       if (!store) {
@@ -48,7 +47,7 @@ module.exports = function(core) {
         return next();
       }
 
-      patcher.patch(response, 'writeHead', {
+      patcher.patch(res, 'writeHead', {
         name: 'write-head',
         patchType,
         pre(data) {
@@ -74,7 +73,7 @@ module.exports = function(core) {
         }
       });
 
-      patcher.patch(response, 'setHeader', {
+      patcher.patch(res, 'setHeader', {
         alwaysRun: true,
         name: 'set-header',
         patchType,
@@ -98,14 +97,42 @@ module.exports = function(core) {
       }
 
       const headers = {};
+      const sourceInputType = InputType.HEADER;
+      const sourceName = 'ClientRequest';
+
+      store.assess = {
+        responseData: {},
+        sourceEventsCount: 0,
+        propagationEventsCount: 0,
+        findings: {},
+      };
+
+      try {
+        dataflowSources.handle({
+          context: 'req.headers',
+          data: req.headers,
+          inputType: sourceInputType,
+          name: sourceName,
+          stacktraceOpts: {
+            constructorOpt: data.hooked,
+            prependFrames: [data.orig]
+          },
+          sourceContext: store.assess
+        });
+
+      } catch (err) {
+        logger.error({ err, inputType: sourceInputType, name: sourceName }, 'unable to handle http source');
+      }
 
       for (let i = 0; i < req.rawHeaders.length; i += 2) {
         const header = toLowerCase(req.rawHeaders[i]);
         headers[header] = req.rawHeaders[i + 1];
+        req.rawHeaders[i + 1] = req.headers[header];
       }
 
       const contentType = headers['content-type'] && toLowerCase(headers['content-type']);
-      const reqData = {
+
+      store.assess.reqData = {
         ip: req.socket.remoteAddress,
         httpVersion: req.httpVersion,
         method: req.method,
@@ -115,13 +142,6 @@ module.exports = function(core) {
         contentType,
       };
 
-      store.assess = {
-        reqData,
-        responseData: {},
-        sourceEventsCount: 0,
-        propagationEventsCount: 0,
-        findings: {},
-      };
     } catch (err) {
       logger.error({ err }, 'Error during assess request handling');
     }
@@ -132,47 +152,20 @@ module.exports = function(core) {
   }
 
   function install() {
-    [{
-      moduleName: 'http'
-    },
-    {
-      moduleName: 'https'
-    },
-    {
-      moduleName: 'spdy'
-    },
-    {
-      moduleName: 'http2',
-      patchObjectsProps: [
-        {
-          methods: ['createServer', 'createSecureServer'],
-          patchType,
-          patchObjects: [
-            {
-              name: 'Server.prototype',
-              methods: ['emit'],
-              patchType,
-              around
-            }
-          ]
-        }
-      ]
-    }].forEach(({ moduleName, patchObjectsProps }) => {
-      const patchObjects = patchObjectsProps || [
-        {
+    ['http', 'https', 'spdy', 'http2'].forEach((moduleName) => {
+      instrument({
+        moduleName,
+        patchObjects: [{
           name: 'Server.prototype',
           methods: ['emit'],
           patchType,
           around
-        }
-      ];
-      instrument({
-        moduleName,
-        patchObjects
+        }]
       });
     });
   }
 
+  /* c8 ignore next 3 */
   function uninstall() {
     return null;
   }

package/lib/dataflow/sources/install/koa/index.js

@@ -0,0 +1,32 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { callChildComponentMethodsSync } = require('@contrast/common');
+
+module.exports = function(core) {
+  const koaSources = core.assess.dataflow.sources.koaInstrumentation = {};
+
+  require('./koa2')(core);
+  require('./koa-bodyparsers')(core);
+  require('./koa-routers')(core);
+
+  koaSources.install = function install() {
+    callChildComponentMethodsSync(koaSources, 'install');
+  };
+
+  return koaSources;
+};

package/lib/dataflow/sources/install/koa/koa-bodyparsers.js

@@ -0,0 +1,92 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { InputType } = require('@contrast/common');
+const { patchType } = require('../../common');
+
+module.exports = (core) => {
+  const {
+    depHooks,
+    patcher,
+    logger,
+    assess: { dataflow: { sources } },
+  } = core;
+
+  // Patch `koa-body` v4.x.x and `koa-bodyparser` v5.x.x packages
+  function install() {
+    ['koa-body', 'koa-bodyparser'].forEach(function (packageName) {
+      depHooks.resolve({ name: packageName }, (koaBody) => patcher.patch(koaBody, {
+        name: packageName,
+        patchType,
+        post(data) {
+          data.result = patcher.patch(data.result, {
+            name: packageName,
+            patchType,
+            pre(data) {
+              const sourceContext = core.scopes.sources.getStore()?.assess;
+              const [ctx, origNext] = data.args;
+
+              if (!sourceContext) {
+                logger.error({ name: packageName }, 'unable to handle source. Missing `sourceContext`');
+                return;
+              }
+
+              if (sourceContext.parsedBody) {
+                logger.trace({ name: packageName }, 'values already tracked');
+                return;
+              }
+
+
+              data.args[1] = async function contrastNext(origErr) {
+                const inputType = sourceContext.reqData.headers?.['content-type']?.includes('/json')
+                  ? InputType.JSON_VALUE
+                  : typeof ctx.request.body == 'object'
+                    ? InputType.PARAMETER_VALUE
+                    : InputType.BODY;
+
+                try {
+                  sources.handle({
+                    context: 'ctx.request.body',
+                    name: packageName,
+                    inputType,
+                    stacktraceOpts: {
+                      constructorOpt: contrastNext,
+                    },
+                    data: ctx.request.body,
+                    sourceContext
+                  });
+
+                  sourceContext.parsedBody = !!Object.keys(ctx.request.body).length;
+                } catch (err) {
+                  logger.error({ err, inputType, name: packageName }, 'unable to handle Koa source');
+                }
+
+                await origNext(origErr);
+              };
+            }
+          });
+        }
+      }));
+    });
+  }
+
+  const koaBodyparsersInstrumentation = sources.koaInstrumentation.koaBodyparsers = {
+    install
+  };
+
+  return koaBodyparsersInstrumentation;
+};

package/lib/dataflow/sources/install/koa/koa-routers.js

@@ -0,0 +1,84 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { InputType } = require('@contrast/common');
+const { patchType } = require('../../common');
+
+module.exports = (core) => {
+  const {
+    depHooks,
+    patcher,
+    logger,
+    assess: { dataflow: { sources } },
+  } = core;
+
+  // Patch `koa-router` and `@koa/router` to handle parsed params
+  function install() {
+    ['koa-router', '@koa/router'].forEach(router => {
+      depHooks.resolve(
+        { name: router, file: 'lib/layer.js' },
+        (layer) => {
+          const name = `[${router}].layer.prototype`;
+
+          layer.prototype = patcher.patch(layer.prototype, 'params', {
+            name,
+            patchType,
+            post({ orig, hooked, result }) {
+              const sourceContext = core.scopes.sources.getStore()?.assess;
+              const inputType = InputType.URL_PARAMETER;
+
+              if (!sourceContext) {
+                logger.error({ name, inputType }, 'unable to handle source. Missing `sourceContext`');
+                return;
+              }
+
+              if (sourceContext.parsedParams) {
+                logger.trace({ name, inputType }, 'values already tracked');
+                return;
+              }
+
+              try {
+                sources.handle({
+                  context: 'ctx.params',
+                  data: result,
+                  inputType,
+                  name,
+                  stacktraceOpts: {
+                    constructorOpt: hooked,
+                    prependFrames: [orig]
+                  },
+                  sourceContext
+                });
+
+                sourceContext.parsedParams = Boolean(Object.keys(result).length);
+              } catch (err) {
+                logger.error({ err, inputType, name }, 'unable to handle Koa source');
+              }
+            }
+          });
+
+          return layer;
+        });
+    });
+  }
+
+  const koaRoutersInstrumentation = sources.koaInstrumentation.koaRouters = {
+    install
+  };
+
+  return koaRoutersInstrumentation;
+};

package/lib/dataflow/sources/install/koa/koa2.js

@@ -0,0 +1,103 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { InputType } = require('@contrast/common');
+const { patchType } = require('../../common');
+
+/**
+ * Function that exports an install method to patch Koa framework with our instrumentation
+ * @param {Object} core - the core Contrast object in v5
+ * @return {Object}     object with install method and the other relative functions exported for testing purposes
+ */
+module.exports = (core) => {
+  const {
+    logger,
+    depHooks,
+    patcher,
+    assess: { dataflow: { sources } },
+  } = core;
+
+  /**
+   * registers a depHook for koa module instrumentation
+   */
+  function install() {
+    depHooks.resolve({ name: 'koa', version: '>=2.3.0' }, (Koa) => {
+      function contrastStartMiddleware(ctx, next) {
+        const name = 'Koa.Application';
+        const sourceContext = core.scopes.sources.getStore()?.assess;
+        const inputType = InputType.QUERYSTRING;
+
+        if (!sourceContext) {
+          logger.error({ name, inputType }, 'unable to handle Koa source. Missing `sourceContext`');
+          return next();
+        }
+
+        // We check the contents mainly to trigger the getter for `ctx.query`
+        // that is eventually set up by `koa-qs`
+        if (ctx.query) {
+          if (sourceContext.parsedQuery) {
+            logger.trace({ name, inputType }, 'values already tracked');
+            return next();
+          }
+
+          try {
+            sources.handle({
+              context: 'ctx.query',
+              data: ctx.query,
+              inputType,
+              name,
+              stacktraceOpts: {
+                constructorOpt: contrastStartMiddleware,
+              },
+              sourceContext
+            });
+
+            sourceContext.parsedQuery = true;
+          } catch (err) {
+            logger.error({ err, inputType, name }, 'unable to handle Koa source');
+          }
+        }
+
+        return next();
+      }
+
+      // mark these middleware as ours
+      contrastStartMiddleware._isContrastStartMiddleware = true;
+
+      patcher.patch(Koa.prototype, 'use', {
+        name: 'Koa.Application',
+        patchType,
+        pre({ obj: app }) {
+          // if not already inserted, insert the initial middleware.
+          if (
+            app.middleware &&
+              (!app.middleware[0] || !app.middleware[0]._isContrastStartMiddleware)
+          ) {
+            app.middleware.splice(0, 0, contrastStartMiddleware);
+          }
+        }
+      });
+
+    });
+  }
+
+  const koa2Instrumentation = sources.koaInstrumentation.koa2 = {
+    install
+  };
+
+  return koa2Instrumentation;
+};

package/lib/dataflow/sources/install/qs6.js

@@ -0,0 +1,84 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { InputType } = require('@contrast/common');
+const { patchType } = require('../common');
+
+module.exports = (core) => {
+  const {
+    depHooks,
+    patcher,
+    logger,
+    assess: { dataflow: { sources } },
+  } = core;
+
+  // Patch `qs`
+  function install() {
+    const name = 'qs.parse';
+    depHooks.resolve({ name: 'qs' },
+      (qs) => patcher.patch(qs, 'parse', {
+        name,
+        patchType,
+        post({ args, hooked, orig, result }) {
+          const sourceContext = core.scopes.sources.getStore()?.assess;
+          const inputType = InputType.QUERYSTRING;
+
+          if (!sourceContext) {
+            logger.error({ inputType, name }, 'unable to handle source. Missing `sourceContext`');
+            return;
+          }
+
+          if (sourceContext.parsedQuery) {
+            logger.trace({ inputType, name }, 'values already tracked');
+            return;
+          }
+
+          // We need to run analysis for the `qs` result only when it's used as a query parser.
+          // `qs` is used also for parsing bodies, but these cases we handle individually with
+          // the respective library that's using it (e.g. `formidable`, `co-body`) because in
+          // some cases its use is optional and we cannot rely on it.
+          if (sourceContext.reqData?.queries === args[0]) {
+            try {
+              sources.handle({
+                context: 'req.query',
+                name,
+                inputType,
+                stacktraceOpts: {
+                  constructorOpt: hooked,
+                  prependFrames: [orig]
+                },
+                data: result,
+                sourceContext
+              });
+
+              sourceContext.parsedQuery = true;
+            } catch (err) {
+              logger.error({ err, inputType, name }, 'unable to handle source');
+            }
+          }
+        }
+      })
+    );
+  }
+
+  const qs6Instrumentation = sources.qs6Instrumentation = {
+    install
+  };
+
+  return qs6Instrumentation;
+};
+

package/lib/dataflow/utils/is-vulnerable.js

@@ -15,7 +15,7 @@
 'use strict';
 
 function mergeOverlapRange(overlapTags) {
-  if (overlapTags.length <= 1) return overlapTags;
+  if (overlapTags.length <= 1 && overlapTags[0].length === 2) return overlapTags;
 
   const tagsInTuple = [];
   for (const overTagsCurr of overlapTags) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.3.0",
+  "version": "1.5.0",
   "description": "",
   "main": "lib/index.js",
   "scripts": {
@@ -15,7 +15,7 @@
   "dependencies": {
     "@contrast/distringuish": "^4.1.0",
     "@contrast/scopes": "1.3.0",
-    "@contrast/common": "1.6.0",
+    "@contrast/common": "1.8.0",
     "parseurl": "^1.3.3"
   }
 }