@contrast/assess 1.4.0 → 1.5.0

package/lib/dataflow/event-factory.js

@@ -16,7 +16,7 @@
 'use strict';
 
 
-const { InputType } = require('@contrast/common');
+const { InputType, signatures } = require('@contrast/common');
 const annotationRegExp = /^(A|O|R|P|P\d+)$/;
 
 module.exports = function(core) {
@@ -25,10 +25,8 @@ module.exports = function(core) {
     config,
     logger,
     scopes: { sources },
-    assess: {
-      dataflow: { signatures }
-    }
   } = core;
+
   const eventFactory = core.assess.dataflow.eventFactory = {};
 
   eventFactory.createdEvents = new WeakSet();
@@ -36,9 +34,10 @@ module.exports = function(core) {
   eventFactory.createSourceEvent = function(data = {}) {
     const {
       name,
-      result = { value: null, isTracked: false },
+      result = { value: null, tracked: false },
       tags,
       inputType,
+      stack,
     } = data;
 
     const baseMessage = 'Source event not created: %s';
@@ -63,6 +62,13 @@ module.exports = function(core) {
       return null;
     }
 
+
+    if (!stack || !Array.isArray(stack)) {
+      logger.debug({ data }, baseMessage, 'invalid stack');
+      return null;
+    }
+
+    data.time = Date.now();
     eventFactory.createdEvents.add(data);
 
     return data;
@@ -72,9 +78,10 @@ module.exports = function(core) {
     const {
       name = '',
       history = [],
-      object = { value: null, isTracked: false },
+      object = { value: null, tracked: false },
       args = [],
-      result = { value: null, isTracked: false },
+      context,
+      result = { value: null, tracked: false },
       tags = {},
       addedTags = [],
       removedTags = [],
@@ -123,18 +130,19 @@ module.exports = function(core) {
     }
 
     const event = {
-      time: Date.now(),
+      addedTags,
+      args,
+      context,
       history,
       name,
       object,
-      args,
-      result,
-      tags,
-      addedTags,
       removedTags,
+      result,
       source,
+      stack,
+      tags,
       target,
-      stack
+      time: Date.now(),
     };
 
     eventFactory.createdEvents.add(event);
@@ -145,24 +153,24 @@ module.exports = function(core) {
 
   eventFactory.createSinkEvent = function(data) {
     const {
+      context,
       name = '',
       history = [],
-      object = { value: null, isTracked: false },
+      object = { value: null, tracked: false },
       args = [],
-      result = { value: null, isTracked: false },
+      result = { value: null, tracked: false },
       tags = {},
       source,
       stacktraceOpts
     } = data;
-    const sourceContext = sources.getStore()?.assess;
 
+    const sourceContext = sources.getStore()?.assess;
     if (!sourceContext) {
       logger.debug('No sourceContext found during Sink event creation');
       return null;
     }
 
     const signature = signatures.get(name);
-
     if (
       !signature ||
       !history.length ||
@@ -174,21 +182,22 @@ module.exports = function(core) {
 
     let stack;
     if (config.assess.stacktraces !== 'NONE') {
-      stack = createSnapshot(stacktraceOpts);
+      stack = createSnapshot(stacktraceOpts)();
     } else {
       stack = [];
     }
 
     const event = {
-      time: Date.now(),
+      args,
+      context,
       history,
       name,
       object,
-      args,
       result,
-      tags,
       source,
-      stack
+      stack,
+      tags,
+      time: Date.now(),
     };
 
     eventFactory.createdEvents.add(event);
@@ -198,59 +207,3 @@ module.exports = function(core) {
 
   return eventFactory;
 };
-
-
-// Sample event data
-// const e = {
-//   // we need the time the event occurred
-//   time: '1234',
-//   history: ['argsTrackedInfo'],
-//   name: 'ContrastMethods.add', // as this method is used to rewrite not only `+` but `+=` too
-//   context: {
-//     obj: null,
-//     args: ['...args'],
-//     resultTracked: 'result'
-//   },
-//   stack: 'createSnapshot()',
-//   tags: 'newTags',
-//   // we need a property with add/removed tags
-//   addedTags: [],
-//   removedTags: [],
-//   // we need info for the source and the targeto
-//   source: 'A | P | O | R',
-//   target: 'A | P | O | R',
-//   // optional code property for the propagation through the ContrastMethods
-//   code: 'const a = b + c',
-//   // we need a signature property
-//   signature: {
-//     // in v4 we are storing all the signatures in a json file,
-//     // so we get the values from there and format them accordingly
-//   }
-// };
-
-// Sample payload for a discovered vulnerability
-// const payload = {
-//   created: Date.now(),
-//   events: [
-//     {
-//       action: e.addedTags.length || e.removedTags.length ? 'TAG' : `${e.source}2${e.target}`,
-//       args: e.context.args, // they will be "expanded" before reporting
-//       code: e.code,
-//       eventSources: [], // only for SourceEvents
-//       fieldName: '', // we don't set it in v4
-//       object: e.context.obj, // again it will be expanded later
-//       parentObjectsIds: [], // we don't set it in v4
-//       properties: [], // not needed for dataflow
-//       ret: e.context.resultTracked,
-//       signature: e.signature,
-//       source: e.source,
-//       stacktrace: e.stack,
-//       tags: e.addedTags.join(), // in v4 we set all tags here, idk why
-//       taintRanges: e.tags.map(), // the tag ranges we want highlighted in ContrastUI
-//       target: e.target,
-//       thread: process.pid,
-//       time: e.time,
-//       type: e.addedTags.length || e.removedTags.length ? 'TAG' : 'PROPAGATION'
-//     }
-//   ]
-// };

package/lib/dataflow/index.js

@@ -20,7 +20,6 @@ const { callChildComponentMethodsSync } = require('@contrast/common');
 module.exports = function(core) {
   const dataflow = core.assess.dataflow = {};
 
-  require('./signatures')(core);
   require('./event-factory')(core);
   require('./tracker')(core);
   require('./sources')(core);

package/lib/dataflow/propagation/install/array-prototype-join.js

@@ -83,15 +83,15 @@ module.exports = function(core) {
               name: 'Array.prototype.join',
               object: {
                 value: originalJoin.call(obj),
-                isTracked: false
+                tracked: false
               },
               result: {
                 value: resultInfo ? resultInfo.value : result,
-                isTracked: true
+                tracked: true
               },
               args: [{
                 value: delimiterInfo ? delimiterInfo.value : delimiter,
-                isTracked: !!delimiterInfo
+                tracked: !!delimiterInfo
               }],
               tags: newTags,
               history: Array.from(history),

package/lib/dataflow/propagation/install/contrast-methods/add.js

@@ -15,10 +15,11 @@
 
 'use strict';
 
+const util = require('util');
 const {
   createAppendTags
 } = require('../../../tag-utils');
-const { patchType, createObjectLabel } = require('../../common');
+const { patchType } = require('../../common');
 
 module.exports = function(core) {
   const {
@@ -29,13 +30,15 @@ module.exports = function(core) {
     }
   } = core;
 
+  const inspect = patcher.unwrap(util.inspect);
+
   return core.assess.dataflow.propagation.contrastMethodsInstrumentation.add = {
     install() {
       patcher.patch(global.ContrastMethods, 'add', {
         name: 'ContrastMethods.add',
         patchType,
         post(data) {
-          const { args, result, hooked, orig } = data;
+          const { args, result, hooked } = data;
           if (!result || !sources.getStore()?.assess || instrumentation.isLocked()) return;
 
           const rInfo = tracker.getData(result);
@@ -61,32 +64,36 @@ module.exports = function(core) {
           }
 
           if (history.length) {
+            const leftArg = leftStringInfo ? leftStringInfo.value : args[0];
+            const rightArg = rightStringInfo ? rightStringInfo.value : args[1];
             const event = createPropagationEvent({
-              name: 'ContrastMethods.add',
-              history,
-              object: {
-                value: createObjectLabel('ContrastMethods'),
-                isTracked: false
-              },
               args: [
                 {
-                  value: args[0],
-                  isTracked: !!leftStringInfo
+                  tracked: !!leftStringInfo,
+                  value: leftArg
                 },
                 {
-                  value: args[1],
-                  isTracked: !!rightStringInfo
+                  tracked: !!rightStringInfo,
+                  value: rightArg,
                 }
               ],
+              context: `${inspect(leftArg)} + ${inspect(rightArg)}`,
+              history,
+              object: {
+                value: 'String Addition',
+                tracked: false
+              },
+              name: 'ContrastMethods.add',
               result: {
                 value: result,
-                isTracked: true
+                tracked: true
               },
-              tags: newTags,
+              source: 'P',
               stacktraceOpts: {
                 constructorOpt: hooked,
-                prependFrames: [orig]
-              }
+              },
+              tags: newTags,
+              target: 'R',
             });
             const { extern } = tracker.track(result, event);
 

package/lib/dataflow/propagation/install/contrast-methods/tag.js

@@ -48,45 +48,53 @@ module.exports = function (core) {
             return;
           }
 
-          const [strings, ...args] = data.args;
-          const argsData = [
-            strings.map((str) => ({
-              value: str,
-              isTracked: false,
-            })),
-          ];
-
+          const [strings, ...expressions] = data.args;
+          const args = [];
           const history = new Set();
-          args.forEach((arg) => {
-            const argData = tracker.getData(arg);
-            argsData.push({
-              value: argData?.value ?? arg,
-              isTracked: !!argData,
+          let context = '';
+
+          // interleave hard-coded strings and interpolated expressions
+          for (let i = 0; i < strings.length; i++) {
+            const str = strings[i];
+            args.push({
+              tracked: false,
+              value: str,
             });
-            if (argData) history.add(argData);
-          });
+            context += str;
+
+            if (i < strings.length - 1) {
+              const argData = tracker.getData(expressions[i]);
+              if (argData) history.add(argData);
+              const value = argData ? argData.value : expressions[i];
+              args.push({
+                tracked: !!argData,
+                value,
+              });
+              context += `\${expr${i}}`;
+            }
+          }
 
           Object.assign(
             resultData,
             createPropagationEvent({
-              name: 'ContrastMethods.tag',
+              args,
+              context: `\`${context}\``,
               history: Array.from(history),
               object: {
-                value: 'ContrastMethods@0000',
-                isTracked: false,
+                tracked: false,
+                value: 'Template Literal',
               },
-              args: argsData,
               result: {
+                tracked: true,
                 value: resultData.value,
-                isTracked: true,
               },
-              tags: resultData.tags,
+              name: 'ContrastMethods.tag',
               source: 'P',
               target: 'R',
               stacktraceOpts: {
                 constructorOpt: data.hooked,
-                prependFrames: [data.orig],
               },
+              tags: resultData.tags,
             }),
           );
         },

package/lib/dataflow/propagation/install/decode-uri-component.js

@@ -55,13 +55,13 @@ module.exports = function(core) {
             name: 'global.decodeURIComponent',
             object: {
               value: createObjectLabel('global'),
-              isTracked: false
+              tracked: false
             },
             result: {
               value: result,
-              isTracked: true
+              tracked: true
             },
-            args: [{ value: argInfo.value, isTracked: true }],
+            args: [{ value: argInfo.value, tracked: true }],
             tags: newTags,
             history,
             removedTags: ['url-encoded'],

package/lib/dataflow/propagation/install/ejs/escape-xml.js

@@ -54,13 +54,13 @@ module.exports = function(core) {
               name: 'ejs.utils.escapeXML',
               object: {
                 value: `[${createModuleLabel('ejs', version)}].utils`,
-                isTracked: false
+                tracked: false
               },
               result: {
                 value: resultInfo ? resultInfo.value : result,
-                isTracked: true
+                tracked: true
               },
-              args: [{ value: argInfo.value, isTracked: true }],
+              args: [{ value: argInfo.value, tracked: true }],
               tags: newTags,
               addedTags: ['weak-url-encoded'],
               history,

package/lib/dataflow/propagation/install/encode-uri-component.js

@@ -54,13 +54,13 @@ module.exports = function(core) {
             name: 'global.encodeURIComponent',
             object: {
               value: createObjectLabel('global'),
-              isTracked: false
+              tracked: false
             },
             result: {
               value: result,
-              isTracked: true
+              tracked: true
             },
-            args: [{ value: argInfo.value, isTracked: true }],
+            args: [{ value: argInfo.value, tracked: true }],
             tags: newTags,
             history,
             addedTags: ['url-encoded'],

package/lib/dataflow/propagation/install/escape-html.js

@@ -54,13 +54,13 @@ module.exports = function(core) {
               name: 'escape-html',
               object: {
                 value: createModuleLabel('escape-html', version),
-                isTracked: false
+                tracked: false
               },
               result: {
                 value: resultInfo ? resultInfo.value : result,
-                isTracked: true
+                tracked: true
               },
-              args: [{ value: argInfo.value, isTracked: true }],
+              args: [{ value: argInfo.value, tracked: true }],
               tags: newTags,
               history,
               addedTags: ['html-encoded'],

package/lib/dataflow/propagation/install/escape.js

@@ -52,13 +52,13 @@ module.exports = function(core) {
             name: 'global.escape',
             object: {
               value: createObjectLabel('global'),
-              isTracked: false
+              tracked: false
             },
             result: {
               value: resultInfo ? resultInfo.value : result,
-              isTracked: true
+              tracked: true
             },
-            args: [{ value: argInfo.value, isTracked: true }],
+            args: [{ value: argInfo.value, tracked: true }],
             tags: newTags,
             history,
             addedTags: ['weak-url-encoded'],

package/lib/dataflow/propagation/install/handlebars-utils-escape-expression.js

@@ -54,13 +54,13 @@ module.exports = function(core) {
               name: 'handlebars.Utils.escapeExpression',
               object: {
                 value: `[${createModuleLabel('handlebars', version)}].Utils`,
-                isTracked: false
+                tracked: false
               },
               result: {
                 value: resultInfo ? resultInfo.value : result,
-                isTracked: true
+                tracked: true
               },
-              args: [{ value: argInfo.value, isTracked: true }],
+              args: [{ value: argInfo.value, tracked: true }],
               tags: newTags,
               addedTags: ['html-encoded'],
               history,

package/lib/dataflow/propagation/install/mysql-connection-escape.js

@@ -49,13 +49,13 @@ module.exports = function(core) {
         name: eventName,
         object: {
           value: objectValue,
-          isTracked: false
+          tracked: false
         },
         result: {
           value: resultInfo ? resultInfo.value : result,
-          isTracked: true
+          tracked: true
         },
-        args: [{ value: argInfo.value, isTracked: true }],
+        args: [{ value: argInfo.value, tracked: true }],
         tags: newTags,
         addedTags: ['sql-encoded'],
         history,

package/lib/dataflow/propagation/install/pug-runtime-escape.js

@@ -54,13 +54,13 @@ module.exports = function(core) {
               name: 'pug-runtime.escape',
               object: {
                 value: createModuleLabel('pug-runtime', version),
-                isTracked: false
+                tracked: false
               },
               result: {
                 value: resultInfo ? resultInfo.value : result,
-                isTracked: true
+                tracked: true
               },
-              args: [{ value: argInfo.value, isTracked: true }],
+              args: [{ value: argInfo.value, tracked: true }],
               tags: newTags,
               addedTags: ['weak-url-encoded'],
               history,

package/lib/dataflow/propagation/install/querystring/parse.js

@@ -46,18 +46,18 @@ module.exports = function(core) {
         history: [trackingData],
         object: {
           value: part,
-          isTracked: true,
+          tracked: true,
         },
         args: data.origArgs.map((arg) => {
           const argInfo = tracker.getData(arg);
           return {
             value: argInfo ? argInfo.value : util.inspect(arg),
-            isTracked: !!argInfo
+            tracked: !!argInfo
           };
         }),
         result: {
           value: result,
-          isTracked: !!resultInfo
+          tracked: !!resultInfo
         },
         tags: tagRanges,
         stacktraceOpts: {

package/lib/dataflow/propagation/install/sql-template-strings.js

@@ -57,13 +57,13 @@ module.exports = function(core) {
                 name: 'sql-template-strings.SQL',
                 object: {
                   value: createModuleLabel('sql-template-strings', version),
-                  isTracked: false
+                  tracked: false
                 },
                 result: {
                   value: resultInfo ? resultInfo.value : resultValue,
-                  isTracked: true
+                  tracked: true
                 },
-                args: [{ value: argInfo.value, isTracked: true }],
+                args: [{ value: argInfo.value, tracked: true }],
                 tags: newTags,
                 addedTags: ['sql-encoded'],
                 history,

package/lib/dataflow/propagation/install/string/concat.js

@@ -62,10 +62,10 @@ module.exports = function(core) {
 
             argsData.push({
               value: strInfo?.value ?? str,
-              isTracked: !!strInfo
+              tracked: !!strInfo
             });
 
-            globalOffset += str.length;
+            globalOffset += `${str}`.length;
           }
 
           if (history.size) {
@@ -73,11 +73,11 @@ module.exports = function(core) {
               name: 'String.prototype.concat',
               object: {
                 value: objInfo?.value || String(obj),
-                isTracked: !!objInfo
+                tracked: !!objInfo
               },
               result: {
                 value: result,
-                isTracked: true
+                tracked: true
               },
               args: argsData,
               tags: newTags,

package/lib/dataflow/propagation/install/string/format-methods.js

@@ -46,11 +46,11 @@ module.exports = function(core) {
               name: `String.prototype.${method}`,
               object: {
                 value: objInfo.value,
-                isTracked: true
+                tracked: true
               },
               result: {
                 value: result,
-                isTracked: true
+                tracked: true
               },
               args: [],
               tags: objInfo.tags,

package/lib/dataflow/propagation/install/string/html-methods.js

@@ -78,14 +78,14 @@ module.exports = function(core) {
               name: 'String.prototype.anchor',
               object: {
                 value: objInfo?.value || String(obj),
-                isTracked: !!objInfo
+                tracked: !!objInfo
               },
               result: {
                 value: result,
-                isTracked: true
+                tracked: true
               },
               args: [
-                { value: arg, isTracked: !!argInfo }
+                { value: arg, tracked: !!argInfo }
               ],
               tags: adjustTags('anchor', objInfo?.tags, `${arg}`.length, argInfo?.tags),
               history: Array.from(history),
@@ -126,11 +126,11 @@ module.exports = function(core) {
               name: `String.prototype.${method}`,
               object: {
                 value: objInfo.value,
-                isTracked: true
+                tracked: true
               },
               result: {
                 value: result,
-                isTracked: true
+                tracked: true
               },
               args: [],
               tags: adjustTags(method, objInfo.tags),

package/lib/dataflow/propagation/install/string/index.js

@@ -33,6 +33,7 @@ module.exports = function(core) {
   require('./match')(core);
   require('./replace')(core);
   require('./split')(core);
+  require('./slice')(core);
   require('./substring')(core);
   require('./trim')(core);