@contrast/assess 1.4.0 → 1.5.0

package/lib/dataflow/sinks/install/koa/unvalidated-redirect.js

@@ -0,0 +1,113 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const util = require('util');
+const { isString } = require('@contrast/common');
+const { patchType } = require('../../common');
+const { createSubsetTags } = require('../../../tag-utils');
+
+module.exports = function (core) {
+  const {
+    depHooks,
+    patcher,
+    scopes: { sources },
+    assess: {
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, reportFindings },
+        eventFactory: { createSinkEvent },
+      },
+    },
+  } = core;
+  const unvalidatedRedirect =
+    (core.assess.dataflow.sinks.koa.unvalidatedRedirect = {});
+
+  const inspect = patcher.unwrap(util.inspect);
+
+  const safeTags = [
+    'limited-chars',
+    'url-encoded',
+    'html-encoded',
+    'custom-validated',
+    'custom-encoded'
+  ];
+  const requiredTag = 'untrusted';
+
+  unvalidatedRedirect.install = function () {
+    depHooks.resolve({ name: 'koa', file: 'lib/response', version: '<2.9.0' }, (Response) => {
+      patcher.patch(Response, 'redirect', {
+        name: 'Koa.Response.redirect',
+        patchType,
+        pre(data) {
+          const assessStore = sources.getStore()?.assess;
+          if (!assessStore) return;
+
+          let [url] = data.args;
+
+          if (url === 'back') {
+            url = data.obj.ctx.get('Referrer') || data.args[1];
+          }
+
+          if (!url || !isString(url)) return;
+
+          const strInfo = tracker.getData(url);
+          if (!strInfo) return;
+
+          let urlPathTags = strInfo.tags;
+
+          if (url.indexOf('?') > -1) {
+            urlPathTags = createSubsetTags(strInfo.tags, 0, url.indexOf('?'));
+          }
+
+          if (urlPathTags && isVulnerable(requiredTag, safeTags, urlPathTags)) {
+            const event = createSinkEvent({
+              args: [{
+                tracked: true,
+                value: strInfo.value,
+              }],
+              context: `response.redirect(${inspect(strInfo.value)})`,
+              history: [strInfo],
+              name: 'Koa.Response.redirect',
+              object: {
+                tracked: false,
+                value: 'Koa.Response',
+              },
+              result: {
+                tracked: false,
+                value: undefined,
+              },
+              tags: urlPathTags,
+              source: 'P0',
+              stacktraceOpts: {
+                constructorOpt: data.hooked,
+              },
+            });
+
+            if (event) {
+              reportFindings({
+                ruleId: 'unvalidated-redirect',
+                sinkEvent: event,
+              });
+            }
+          }
+        }
+      });
+    });
+  };
+
+  return unvalidatedRedirect;
+};

package/lib/dataflow/sinks/install/mssql.js

@@ -54,12 +54,12 @@ module.exports = function (core) {
       history: [strInfo],
       object: {
         value: `[${createModuleLabel('mssql', version)}].${obj}`,
-        isTracked: false,
+        tracked: false,
       },
       args: [
         {
           value: strInfo.value,
-          isTracked: true,
+          tracked: true,
         },
       ],
       tags: strInfo.tags,
@@ -69,10 +69,12 @@ module.exports = function (core) {
       },
     });
 
-    reportFindings({
-      ruleId: Rule.SQL_INJECTION,
-      metadata: event,
-    });
+    if (event) {
+      reportFindings({
+        ruleId: Rule.SQL_INJECTION,
+        sinkEvent: event,
+      });
+    }
   };
 
   core.assess.dataflow.sinks.mssql = {

package/lib/dataflow/sinks/install/postgres.js

@@ -15,8 +15,8 @@
 
 'use strict';
 
+const util = require('util');
 const { Rule, isString } = require('@contrast/common');
-const { createModuleLabel } = require('../../propagation/common');
 const { patchType } = require('../common');
 
 module.exports = function (core) {
@@ -33,8 +33,6 @@ module.exports = function (core) {
     },
   } = core;
 
-  const postgres = core.assess.dataflow.sinks.postgres = {};
-
   const safeTags = [
     'sql-encoded',
     'limited-chars',
@@ -42,31 +40,41 @@ module.exports = function (core) {
     'custom-encoded',
   ];
   const requiredTag = 'untrusted';
+  const inspect = patcher.unwrap(util.inspect);
+
+  const postgres = core.assess.dataflow.sinks.postgres = {};
 
   const preHook = (methodSignature, version, mod, obj) => (data) => {
     const assessStore = sources.getStore()?.assess;
     if (!assessStore) return;
 
-    const query = data.args[0]?.text || data.args[0];
+    const [arg0] = data.args;
+    const query = arg0?.text || arg0;
     if (!query || !isString(query)) return;
 
     const strInfo = tracker.getData(query);
     if (!strInfo) return;
 
+    const objValue = methodSignature.includes('native') ? 'pg.native.Client' : 'pg.Client';
+    const arg0Val = inspect(arg0);
+
     if (isVulnerable(requiredTag, safeTags, strInfo.tags)) {
       const event = createSinkEvent({
-        name: methodSignature,
+        args: [{
+          tracked: true,
+          value: strInfo.value,
+        }],
+        context: `${objValue}.query(${arg0Val})`,
         history: [strInfo],
+        name: methodSignature,
         object: {
-          value: `[${createModuleLabel(mod, version)}].${obj}`,
-          isTracked: false,
+          tracked: false,
+          value: objValue,
+        },
+        result: {
+          tracked: false,
+          value: 'Promise',
         },
-        args: [
-          {
-            value: strInfo.value,
-            isTracked: true,
-          },
-        ],
         tags: strInfo.tags,
         source: 'P0',
         stacktraceOpts: {
@@ -74,10 +82,12 @@ module.exports = function (core) {
         },
       });
 
-      reportFindings({
-        ruleId: Rule.SQL_INJECTION,
-        metadata: event,
-      });
+      if (event) {
+        reportFindings({
+          ruleId: Rule.SQL_INJECTION,
+          sinkEvent: event,
+        });
+      }
     }
   };
 

package/lib/dataflow/sinks/install/sqlite3.js

@@ -0,0 +1,94 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+const { patchType } = require('../common');
+const { Rule, isString } = require('@contrast/common');
+
+const SAFE_TAGS = [
+  'sql-encoded',
+  'limited-chars',
+  'custom-validated',
+  'custom-encoded',
+];
+
+module.exports = function (core) {
+  const {
+    depHooks,
+    patcher,
+    scopes: { sources },
+    assess: {
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, reportFindings },
+        eventFactory: { createSinkEvent },
+      },
+    },
+  } = core;
+
+  const pre = (name) => (data) => {
+    const store = sources.getStore()?.assess;
+    if (!store || !data.args[0] || !isString(data.args[0])) return;
+
+    const strInfo = tracker.getData(data.args[0]);
+    if (!strInfo || !isVulnerable('untrusted', SAFE_TAGS, strInfo.tags)) {
+      return;
+    }
+
+    const event = createSinkEvent({
+      name,
+      history: [strInfo],
+      object: {
+        value: '[Module<sqlite3>].Database',
+        tracked: false,
+      },
+      args: [
+        {
+          value: strInfo.value,
+          tracked: true,
+        },
+      ],
+      tags: strInfo.tags,
+      source: 'P0',
+      stacktraceOpts: {
+        contructorOpt: data.hooked,
+      },
+    });
+
+    if (event) {
+      reportFindings({
+        ruleId: Rule.SQL_INJECTION,
+        sinkEvent: event,
+      });
+    }
+  };
+
+  core.assess.dataflow.sinks.sqlite3 = {
+    install() {
+      depHooks.resolve({ name: 'sqlite3' }, sqlite3 => {
+        ['all', 'run', 'get', 'each', 'exec', 'prepare'].forEach((method) => {
+          const name = `sqlite3.Database.prototype.${method}`;
+          patcher.patch(sqlite3.Database.prototype, method, {
+            name,
+            patchType,
+            pre: pre(name)
+          });
+        });
+      });
+    },
+  };
+
+  return core.assess.dataflow.sinks.sqlite3;
+};

package/lib/dataflow/sources/handler.js

@@ -55,25 +55,23 @@ module.exports = function(core) {
   };
 
   sources.handle = function({
+    context,
     name,
     inputType = 'unknown',
     stacktraceOpts,
     data,
+    sourceContext
   }) {
     if (!data) return;
 
     const max = config.assess.max_context_source_events;
-    const sourceContext = core.scopes.sources.getStore()?.assess;
 
     if (!sourceContext) {
       core.logger.trace({ inputType, name }, 'skipping assess source handling - no request context');
       return null;
     }
 
-    // todo: NODE-2789
-    const stack = config.assess.stacktraces === 'NONE'
-      ? emptyStack
-      : createSnapshot(stacktraceOpts)();
+    let stack;
 
     traverseValues(data, (path, type, value, obj) => {
       if (sourceContext.sourceEventsCount >= max) {
@@ -82,10 +80,15 @@ module.exports = function(core) {
       }
 
       if (isString(value) && value.length) {
+        stack = stack || config.assess.stacktraces === 'NONE'
+          ? emptyStack
+          : createSnapshot(stacktraceOpts)();
         const key = path[path.length - 1];
         const pathName = path.join('.');
         const event = createSourceEvent({
+          context: `${context}.${pathName}`,
           name,
+          fieldName: key,
           pathName,
           stack,
           inputType,
@@ -100,7 +103,7 @@ module.exports = function(core) {
 
         const { extern } = tracker.track(value, event);
         if (extern) {
-          logger.trace({ extern, key, inputType }, 'tracked');
+          logger.trace({ extern, key, name, inputType }, 'tracked');
           obj[key] = extern;
           sourceContext.sourceEventsCount++;
         }

package/lib/dataflow/sources/index.js

@@ -23,8 +23,17 @@ module.exports = function(core) {
   // API
   require('./handler')(core);
   // installers
+  // general
   require('./install/http')(core);
+
+  // frameworks and frameworks specific libraries
   require('./install/fastify')(core);
+  require('./install/koa')(core);
+
+  // libraries
+  require('./install/busboy1')(core);
+  require('./install/formidable1')(core);
+  require('./install/qs6')(core);
 
   sources.install = function install() {
     callChildComponentMethodsSync(sources, 'install');

package/lib/dataflow/sources/install/busboy1.js

@@ -0,0 +1,112 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { InputType } = require('@contrast/common');
+const { patchType } = require('../common');
+
+module.exports = (core) => {
+  const {
+    depHooks,
+    patcher,
+    logger,
+    assess: { dataflow: { sources } },
+  } = core;
+
+  const name = 'busboy';
+
+  function createPreHook(finalEventName) {
+    return function(data) {
+      const { orig, hooked } = data;
+      const sourceContext = core.scopes.sources.getStore()?.assess;
+      const inputType = InputType.MULTIPART_VALUE;
+
+      if (!sourceContext) {
+        logger.error({ inputType, name }, 'unable to handle source. Missing `sourceContext`');
+        return;
+      }
+
+      if (sourceContext.parsedBody) {
+        logger.trace({ inputType, name }, 'values already tracked');
+        return;
+      }
+
+      const [eventName, fieldName, fieldValue] = data.args;
+
+      if (eventName === 'field' && fieldName && fieldValue) {
+        const obj = {
+          [fieldName]: fieldValue
+        };
+
+        try {
+          sources.handle({
+            context: 'req.body',
+            name,
+            inputType,
+            stacktraceOpts: {
+              constructorOpt: hooked,
+              prependFrames: [orig]
+            },
+            data: obj,
+            sourceContext
+          });
+
+          data.args[2] = obj[fieldName];
+          sourceContext.busboyParsedBody = true;
+        } catch (err) {
+          logger.error({ err, inputType, name }, 'unable to handle source');
+        }
+      }
+
+      if (eventName === finalEventName && sourceContext.busboyParsedBody) {
+        sourceContext.parsedBody = true;
+      }
+    };
+  }
+
+  // Patch `busboy`
+  function install() {
+    depHooks.resolve({ name, version: '<1.0.0' }, (busboy) => {
+      patcher.patch(busboy.prototype, 'emit', {
+        name: 'busboy.prototype.emit',
+        patchType,
+        pre: createPreHook('finish')
+      });
+    });
+
+
+    depHooks.resolve({ name, version: '>=1.0.0' }, (busboy) => patcher.patch(
+      busboy, {
+        name,
+        patchType,
+        post(data) {
+          data.result = patcher.patch(data.result, 'emit', {
+            name: 'busboy.emit',
+            patchType,
+            pre: createPreHook('close')
+          });
+        }
+      }
+    ));
+  }
+
+  const busboy1Instrumentation = sources.busboy1Instrumentation = {
+    install
+  };
+
+  return busboy1Instrumentation;
+};
+

package/lib/dataflow/sources/install/fastify/fastify.js

@@ -31,50 +31,44 @@ module.exports = function(core) {
       depHooks.resolve({ name: 'fastify', version: '>=3.0.0' }, (fastify) => patcher.patch(fastify, {
         name: 'fastify.constructor',
         patchType,
-        post({ orig, result: server }) {
-          server.addHook('onRequest', function handler(request, reply, done) {
-            const name = 'fastify.onRequest';
-            const inputType = InputType.HEADER;
-
-            try {
-              sources.handle({
-                data: request.raw.headers,
-                inputType,
-                name,
-                stacktraceOpts: {
-                  constructorOpt: handler
-                }
-              });
-
-            } catch (err) {
-              logger.error({ err, inputType, name }, 'unable to handle fastify source');
-            }
-
-            done();
-          });
-
+        post({ result: server }) {
           server.addHook('preValidation', function preValidationHandler(request, reply, done) {
             const name = 'fastify.preValidation';
             const bodyType = request?.headers?.['content-type']?.includes('/json')
               ? InputType.JSON_VALUE
-              : InputType.PARAMETER_VALUE;
+              : typeof request.body == 'object'
+                ? InputType.PARAMETER_VALUE
+                : InputType.BODY;
+            const sourceContext = core.scopes.sources.getStore()?.assess;
+
+            if (!sourceContext) {
+              logger.error({ name }, 'unable to handle source. Missing `sourceContext`');
+              return;
+            }
 
             [
-              { key: 'query', inputType: InputType.PARAMETER_VALUE },
-              { key: 'params', inputType: InputType.URL_PARAMETER },
-              { key: 'body', inputType: bodyType }
-            ].forEach(({ key, inputType }) => {
+              { key: 'query', inputType: InputType.QUERYSTRING, alreadyTrackedFlag: 'parsedQuery' },
+              { key: 'params', inputType: InputType.URL_PARAMETER, alreadyTrackedFlag: 'parsedParams' },
+              { key: 'body', inputType: bodyType, alreadyTrackedFlag: 'parsedBody' }
+            ].forEach(({ key, inputType, alreadyTrackedFlag }) => {
+              if (sourceContext[alreadyTrackedFlag]) {
+                logger.trace({ inputType, name }, 'values already tracked');
+                return;
+              }
+
               try {
                 sources.handle({
+                  context: `req.${key}`,
                   data: request[key],
                   inputType,
                   name,
                   stacktraceOpts: {
                     constructorOpt: preValidationHandler,
-                  }
+                  },
+                  sourceContext
                 });
               } catch (err) {
-                logger.error({ err, inputType, name }, 'unable to handle fastify source');
+                logger.error({ err, inputType, name }, 'unable to handle Fastify source');
               }
             });
 

package/lib/dataflow/sources/install/fastify/index.js

@@ -18,14 +18,13 @@
 const { callChildComponentMethodsSync } = require('@contrast/common');
 
 module.exports = function(core) {
-  const sources = core.assess.dataflow.sources.fastifyInstrumentation = {};
+  const fastifySources = core.assess.dataflow.sources.fastifyInstrumentation = {};
 
   require('./fastify')(core);
-  require('./cookie')(core);
 
-  sources.install = function install() {
-    callChildComponentMethodsSync(sources, 'install');
+  fastifySources.install = function install() {
+    callChildComponentMethodsSync(fastifySources, 'install');
   };
 
-  return sources;
+  return fastifySources;
 };

package/lib/dataflow/sources/install/formidable1.js

@@ -0,0 +1,91 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { InputType } = require('@contrast/common');
+const { patchType } = require('../common');
+
+module.exports = (core) => {
+  const {
+    depHooks,
+    patcher,
+    logger,
+    assess: { dataflow: { sources } },
+  } = core;
+  const name = 'Formidable.IncomingForm.prototype.parse';
+
+
+  // Patch `formidable`
+  function install() {
+    depHooks.resolve({ name: 'formidable' }, (formidable) => {
+      formidable.IncomingForm.prototype.parse = patcher.patch(formidable.IncomingForm.prototype.parse, {
+        name,
+        patchType,
+        pre(data) {
+          const sourceContext = core.scopes.sources.getStore()?.assess;
+          const inputType = InputType.MULTIPART_VALUE;
+
+          if (!sourceContext) {
+            logger.error({ inputType, name }, 'unable to handle source. Missing `sourceContext`');
+            return;
+          }
+
+          if (sourceContext.parsedBody) {
+            logger.trace({ inputType, name }, 'values already tracked');
+            return;
+          }
+
+          const origCb = data.args[1];
+
+          data.args[1] = function hookedCb(...cbArgs) {
+            const [, fields] = cbArgs;
+
+            if (fields) {
+              try {
+                sources.handle({
+                  context: 'req.body',
+                  name,
+                  inputType,
+                  stacktraceOpts: {
+                    constructorOpt: data.hooked,
+                    prependFrames: [data.orig]
+                  },
+                  data: fields,
+                  sourceContext
+                });
+                sourceContext.parsedBody = true;
+              } catch (err) {
+                logger.error({ err, inputType, name }, 'unable to handle source');
+              }
+            }
+
+            if (origCb && typeof origCb === 'function') {
+              origCb.apply(this, cbArgs);
+            }
+          };
+        }
+      });
+
+      return formidable;
+    });
+  }
+
+  const formidable1Instrumentation = sources.formidable1Instrumentation = {
+    install
+  };
+
+  return formidable1Instrumentation;
+};