@contrast/assess 1.4.0 → 1.6.0

package/lib/dataflow/event-factory.js

@@ -16,7 +16,7 @@
 'use strict';
 
 
-const { InputType } = require('@contrast/common');
+const { InputType, signatures } = require('@contrast/common');
 const annotationRegExp = /^(A|O|R|P|P\d+)$/;
 
 module.exports = function(core) {
@@ -25,10 +25,8 @@ module.exports = function(core) {
     config,
     logger,
     scopes: { sources },
-    assess: {
-      dataflow: { signatures }
-    }
   } = core;
+
   const eventFactory = core.assess.dataflow.eventFactory = {};
 
   eventFactory.createdEvents = new WeakSet();
@@ -36,9 +34,10 @@ module.exports = function(core) {
   eventFactory.createSourceEvent = function(data = {}) {
     const {
       name,
-      result = { value: null, isTracked: false },
+      result = { value: null, tracked: false },
       tags,
       inputType,
+      stack,
     } = data;
 
     const baseMessage = 'Source event not created: %s';
@@ -63,6 +62,13 @@ module.exports = function(core) {
       return null;
     }
 
+
+    if (!stack || !Array.isArray(stack)) {
+      logger.debug({ data }, baseMessage, 'invalid stack');
+      return null;
+    }
+
+    data.time = Date.now();
     eventFactory.createdEvents.add(data);
 
     return data;
@@ -72,9 +78,10 @@ module.exports = function(core) {
     const {
       name = '',
       history = [],
-      object = { value: null, isTracked: false },
+      object = { value: null, tracked: false },
       args = [],
-      result = { value: null, isTracked: false },
+      context,
+      result = { value: null, tracked: false },
       tags = {},
       addedTags = [],
       removedTags = [],
@@ -123,18 +130,19 @@ module.exports = function(core) {
     }
 
     const event = {
-      time: Date.now(),
+      addedTags,
+      args,
+      context,
       history,
       name,
       object,
-      args,
-      result,
-      tags,
-      addedTags,
       removedTags,
+      result,
       source,
+      stack,
+      tags,
       target,
-      stack
+      time: Date.now(),
     };
 
     eventFactory.createdEvents.add(event);
@@ -145,50 +153,56 @@ module.exports = function(core) {
 
   eventFactory.createSinkEvent = function(data) {
     const {
+      context,
       name = '',
       history = [],
-      object = { value: null, isTracked: false },
+      object = { value: null, tracked: false },
       args = [],
-      result = { value: null, isTracked: false },
+      result = { value: null, tracked: false },
       tags = {},
       source,
       stacktraceOpts
     } = data;
-    const sourceContext = sources.getStore()?.assess;
 
+    const sourceContext = sources.getStore()?.assess;
     if (!sourceContext) {
-      logger.debug('No sourceContext found during Sink event creation');
+      logger.debug('no sourceContext found during sink event creation');
       return null;
     }
-
     const signature = signatures.get(name);
-
+    if (!signature) {
+      logger.debug({ name }, 'no signature found for sink event name');
+      return null;
+    }
+    if (!history.length) {
+      logger.debug({ data }, 'empty history for sink event');
+      return null;
+    }
     if (
-      !signature ||
-      !history.length ||
       ((source && !source.match(annotationRegExp)) || (!source && !signature.source))
     ) {
-      logger.debug({ data }, 'Wrong sink event data submited. Sink event not created');
+      logger.debug({ data }, 'malformed or missing sink event source field');
       return null;
     }
 
     let stack;
     if (config.assess.stacktraces !== 'NONE') {
-      stack = createSnapshot(stacktraceOpts);
+      stack = createSnapshot(stacktraceOpts)();
     } else {
       stack = [];
     }
 
     const event = {
-      time: Date.now(),
+      args,
+      context,
       history,
       name,
       object,
-      args,
       result,
-      tags,
       source,
-      stack
+      stack,
+      tags,
+      time: Date.now(),
     };
 
     eventFactory.createdEvents.add(event);
@@ -198,59 +212,3 @@ module.exports = function(core) {
 
   return eventFactory;
 };
-
-
-// Sample event data
-// const e = {
-//   // we need the time the event occurred
-//   time: '1234',
-//   history: ['argsTrackedInfo'],
-//   name: 'ContrastMethods.add', // as this method is used to rewrite not only `+` but `+=` too
-//   context: {
-//     obj: null,
-//     args: ['...args'],
-//     resultTracked: 'result'
-//   },
-//   stack: 'createSnapshot()',
-//   tags: 'newTags',
-//   // we need a property with add/removed tags
-//   addedTags: [],
-//   removedTags: [],
-//   // we need info for the source and the targeto
-//   source: 'A | P | O | R',
-//   target: 'A | P | O | R',
-//   // optional code property for the propagation through the ContrastMethods
-//   code: 'const a = b + c',
-//   // we need a signature property
-//   signature: {
-//     // in v4 we are storing all the signatures in a json file,
-//     // so we get the values from there and format them accordingly
-//   }
-// };
-
-// Sample payload for a discovered vulnerability
-// const payload = {
-//   created: Date.now(),
-//   events: [
-//     {
-//       action: e.addedTags.length || e.removedTags.length ? 'TAG' : `${e.source}2${e.target}`,
-//       args: e.context.args, // they will be "expanded" before reporting
-//       code: e.code,
-//       eventSources: [], // only for SourceEvents
-//       fieldName: '', // we don't set it in v4
-//       object: e.context.obj, // again it will be expanded later
-//       parentObjectsIds: [], // we don't set it in v4
-//       properties: [], // not needed for dataflow
-//       ret: e.context.resultTracked,
-//       signature: e.signature,
-//       source: e.source,
-//       stacktrace: e.stack,
-//       tags: e.addedTags.join(), // in v4 we set all tags here, idk why
-//       taintRanges: e.tags.map(), // the tag ranges we want highlighted in ContrastUI
-//       target: e.target,
-//       thread: process.pid,
-//       time: e.time,
-//       type: e.addedTags.length || e.removedTags.length ? 'TAG' : 'PROPAGATION'
-//     }
-//   ]
-// };

package/lib/dataflow/index.js

@@ -20,7 +20,6 @@ const { callChildComponentMethodsSync } = require('@contrast/common');
 module.exports = function(core) {
   const dataflow = core.assess.dataflow = {};
 
-  require('./signatures')(core);
   require('./event-factory')(core);
   require('./tracker')(core);
   require('./sources')(core);

package/lib/dataflow/propagation/install/array-prototype-join.js

@@ -83,15 +83,15 @@ module.exports = function(core) {
               name: 'Array.prototype.join',
               object: {
                 value: originalJoin.call(obj),
-                isTracked: false
+                tracked: false
               },
               result: {
                 value: resultInfo ? resultInfo.value : result,
-                isTracked: true
+                tracked: true
               },
               args: [{
                 value: delimiterInfo ? delimiterInfo.value : delimiter,
-                isTracked: !!delimiterInfo
+                tracked: !!delimiterInfo
               }],
               tags: newTags,
               history: Array.from(history),

package/lib/dataflow/propagation/install/contrast-methods/add.js

@@ -15,10 +15,11 @@
 
 'use strict';
 
+const util = require('util');
 const {
   createAppendTags
 } = require('../../../tag-utils');
-const { patchType, createObjectLabel } = require('../../common');
+const { patchType } = require('../../common');
 
 module.exports = function(core) {
   const {
@@ -29,13 +30,15 @@ module.exports = function(core) {
     }
   } = core;
 
+  const inspect = patcher.unwrap(util.inspect);
+
   return core.assess.dataflow.propagation.contrastMethodsInstrumentation.add = {
     install() {
       patcher.patch(global.ContrastMethods, 'add', {
         name: 'ContrastMethods.add',
         patchType,
         post(data) {
-          const { args, result, hooked, orig } = data;
+          const { args, result, hooked } = data;
           if (!result || !sources.getStore()?.assess || instrumentation.isLocked()) return;
 
           const rInfo = tracker.getData(result);
@@ -61,32 +64,36 @@ module.exports = function(core) {
           }
 
           if (history.length) {
+            const leftArg = leftStringInfo ? leftStringInfo.value : args[0];
+            const rightArg = rightStringInfo ? rightStringInfo.value : args[1];
             const event = createPropagationEvent({
-              name: 'ContrastMethods.add',
-              history,
-              object: {
-                value: createObjectLabel('ContrastMethods'),
-                isTracked: false
-              },
               args: [
                 {
-                  value: args[0],
-                  isTracked: !!leftStringInfo
+                  tracked: !!leftStringInfo,
+                  value: leftArg
                 },
                 {
-                  value: args[1],
-                  isTracked: !!rightStringInfo
+                  tracked: !!rightStringInfo,
+                  value: rightArg,
                 }
               ],
+              context: `${inspect(leftArg)} + ${inspect(rightArg)}`,
+              history,
+              object: {
+                value: 'String Addition',
+                tracked: false
+              },
+              name: 'ContrastMethods.add',
               result: {
                 value: result,
-                isTracked: true
+                tracked: true
               },
-              tags: newTags,
+              source: 'P',
               stacktraceOpts: {
                 constructorOpt: hooked,
-                prependFrames: [orig]
-              }
+              },
+              tags: newTags,
+              target: 'R',
             });
             const { extern } = tracker.track(result, event);
 

package/lib/dataflow/propagation/install/contrast-methods/tag.js

@@ -48,45 +48,53 @@ module.exports = function (core) {
             return;
           }
 
-          const [strings, ...args] = data.args;
-          const argsData = [
-            strings.map((str) => ({
-              value: str,
-              isTracked: false,
-            })),
-          ];
-
+          const [strings, ...expressions] = data.args;
+          const args = [];
           const history = new Set();
-          args.forEach((arg) => {
-            const argData = tracker.getData(arg);
-            argsData.push({
-              value: argData?.value ?? arg,
-              isTracked: !!argData,
+          let context = '';
+
+          // interleave hard-coded strings and interpolated expressions
+          for (let i = 0; i < strings.length; i++) {
+            const str = strings[i];
+            args.push({
+              tracked: false,
+              value: str,
             });
-            if (argData) history.add(argData);
-          });
+            context += str;
+
+            if (i < strings.length - 1) {
+              const argData = tracker.getData(expressions[i]);
+              if (argData) history.add(argData);
+              const value = argData ? argData.value : expressions[i];
+              args.push({
+                tracked: !!argData,
+                value,
+              });
+              context += `\${expr${i}}`;
+            }
+          }
 
           Object.assign(
             resultData,
             createPropagationEvent({
-              name: 'ContrastMethods.tag',
+              args,
+              context: `\`${context}\``,
               history: Array.from(history),
               object: {
-                value: 'ContrastMethods@0000',
-                isTracked: false,
+                tracked: false,
+                value: 'Template Literal',
               },
-              args: argsData,
               result: {
+                tracked: true,
                 value: resultData.value,
-                isTracked: true,
               },
-              tags: resultData.tags,
+              name: 'ContrastMethods.tag',
               source: 'P',
               target: 'R',
               stacktraceOpts: {
                 constructorOpt: data.hooked,
-                prependFrames: [data.orig],
               },
+              tags: resultData.tags,
             }),
           );
         },

package/lib/dataflow/propagation/install/decode-uri-component.js

@@ -15,6 +15,9 @@
 
 'use strict';
 
+const {
+  DataflowTag: { URL_ENCODED }
+} = require('@contrast/common');
 const {
   createFullLengthCopyTags
 } = require('../../tag-utils');
@@ -47,7 +50,7 @@ module.exports = function(core) {
           // the result is not tracked, so we don't need to check for that
           const history = [argInfo];
           const newTags = createFullLengthCopyTags(argInfo.tags, result.length);
-          delete newTags['url-encoded'];
+          delete newTags[URL_ENCODED];
 
           if (!Object.keys(newTags).length) return;
 
@@ -55,16 +58,16 @@ module.exports = function(core) {
             name: 'global.decodeURIComponent',
             object: {
               value: createObjectLabel('global'),
-              isTracked: false
+              tracked: false
             },
             result: {
               value: result,
-              isTracked: true
+              tracked: true
             },
-            args: [{ value: argInfo.value, isTracked: true }],
+            args: [{ value: argInfo.value, tracked: true }],
             tags: newTags,
             history,
-            removedTags: ['url-encoded'],
+            removedTags: [URL_ENCODED],
             stacktraceOpts: {
               constructorOpt: hooked,
               prependFrames: [orig]

package/lib/dataflow/propagation/install/ejs/escape-xml.js

@@ -15,6 +15,9 @@
 
 'use strict';
 
+const {
+  DataflowTag: { WEAK_URL_ENCODED }
+} = require('@contrast/common');
 const {
   createFullLengthCopyTags
 } = require('../../../tag-utils');
@@ -48,21 +51,21 @@ module.exports = function(core) {
             const history = [argInfo];
             const newTags = createFullLengthCopyTags(argInfo.tags, result.length);
 
-            newTags['weak-url-encoded'] = [0, result.length - 1];
+            newTags[WEAK_URL_ENCODED] = [0, result.length - 1];
 
             const event = createPropagationEvent({
               name: 'ejs.utils.escapeXML',
               object: {
                 value: `[${createModuleLabel('ejs', version)}].utils`,
-                isTracked: false
+                tracked: false
               },
               result: {
                 value: resultInfo ? resultInfo.value : result,
-                isTracked: true
+                tracked: true
               },
-              args: [{ value: argInfo.value, isTracked: true }],
+              args: [{ value: argInfo.value, tracked: true }],
               tags: newTags,
-              addedTags: ['weak-url-encoded'],
+              addedTags: [WEAK_URL_ENCODED],
               history,
               stacktraceOpts: {
                 constructorOpt: hooked,

package/lib/dataflow/propagation/install/encode-uri-component.js

@@ -54,13 +54,13 @@ module.exports = function(core) {
             name: 'global.encodeURIComponent',
             object: {
               value: createObjectLabel('global'),
-              isTracked: false
+              tracked: false
             },
             result: {
               value: result,
-              isTracked: true
+              tracked: true
             },
-            args: [{ value: argInfo.value, isTracked: true }],
+            args: [{ value: argInfo.value, tracked: true }],
             tags: newTags,
             history,
             addedTags: ['url-encoded'],

package/lib/dataflow/propagation/install/escape-html.js

@@ -15,10 +15,13 @@
 
 'use strict';
 
+const {
+  DataflowTag: { HTML_ENCODED }
+} = require('@contrast/common');
 const {
   createFullLengthCopyTags
 } = require('../../tag-utils');
-const { patchType, createModuleLabel } = require('../common');
+const { patchType } = require('../common');
 
 module.exports = function(core) {
   const {
@@ -48,22 +51,22 @@ module.exports = function(core) {
             const history = [argInfo];
             const newTags = createFullLengthCopyTags(argInfo.tags, result.length);
 
-            newTags['html-encoded'] = [0, result.length - 1];
+            newTags[HTML_ENCODED] = [0, result.length - 1];
 
             const event = createPropagationEvent({
               name: 'escape-html',
               object: {
-                value: createModuleLabel('escape-html', version),
-                isTracked: false
+                value: 'escape-html',
+                tracked: false
               },
               result: {
                 value: resultInfo ? resultInfo.value : result,
-                isTracked: true
+                tracked: true
               },
-              args: [{ value: argInfo.value, isTracked: true }],
+              args: [{ value: argInfo.value, tracked: true }],
               tags: newTags,
               history,
-              addedTags: ['html-encoded'],
+              addedTags: [HTML_ENCODED],
               stacktraceOpts: {
                 constructorOpt: hooked,
                 prependFrames: [orig]

package/lib/dataflow/propagation/install/escape.js

@@ -15,6 +15,9 @@
 
 'use strict';
 
+const {
+  DataflowTag: { WEAK_URL_ENCODED }
+} = require('@contrast/common');
 const {
   createFullLengthCopyTags
 } = require('../../tag-utils');
@@ -46,22 +49,22 @@ module.exports = function(core) {
           const history = [argInfo];
           const newTags = createFullLengthCopyTags(argInfo.tags, result.length);
 
-          newTags['weak-url-encoded'] = [0, result.length - 1];
+          newTags[WEAK_URL_ENCODED] = [0, result.length - 1];
 
           const event = createPropagationEvent({
             name: 'global.escape',
             object: {
               value: createObjectLabel('global'),
-              isTracked: false
+              tracked: false
             },
             result: {
               value: resultInfo ? resultInfo.value : result,
-              isTracked: true
+              tracked: true
             },
-            args: [{ value: argInfo.value, isTracked: true }],
+            args: [{ value: argInfo.value, tracked: true }],
             tags: newTags,
             history,
-            addedTags: ['weak-url-encoded'],
+            addedTags: [WEAK_URL_ENCODED],
             stacktraceOpts: {
               constructorOpt: hooked,
               prependFrames: [orig]

package/lib/dataflow/propagation/install/handlebars-utils-escape-expression.js

@@ -15,6 +15,9 @@
 
 'use strict';
 
+const {
+  DataflowTag: { HTML_ENCODED }
+} = require('@contrast/common');
 const {
   createFullLengthCopyTags
 } = require('../../tag-utils');
@@ -48,21 +51,21 @@ module.exports = function(core) {
             const history = [argInfo];
             const newTags = createFullLengthCopyTags(argInfo.tags, result.length);
 
-            newTags['html-encoded'] = [0, result.length - 1];
+            newTags[HTML_ENCODED] = [0, result.length - 1];
 
             const event = createPropagationEvent({
               name: 'handlebars.Utils.escapeExpression',
               object: {
                 value: `[${createModuleLabel('handlebars', version)}].Utils`,
-                isTracked: false
+                tracked: false
               },
               result: {
                 value: resultInfo ? resultInfo.value : result,
-                isTracked: true
+                tracked: true
               },
-              args: [{ value: argInfo.value, isTracked: true }],
+              args: [{ value: argInfo.value, tracked: true }],
               tags: newTags,
-              addedTags: ['html-encoded'],
+              addedTags: [HTML_ENCODED],
               history,
               stacktraceOpts: {
                 constructorOpt: hooked,

package/lib/dataflow/propagation/install/mysql-connection-escape.js

@@ -15,6 +15,9 @@
 
 'use strict';
 
+const {
+  DataflowTag: { SQL_ENCODED }
+} = require('@contrast/common');
 const {
   createFullLengthCopyTags
 } = require('../../tag-utils');
@@ -43,21 +46,21 @@ module.exports = function(core) {
       const history = [argInfo];
       const newTags = createFullLengthCopyTags(argInfo.tags, result.length);
 
-      newTags['sql-encoded'] = [0, result.length - 1];
+      newTags[SQL_ENCODED] = [0, result.length - 1];
 
       const event = createPropagationEvent({
         name: eventName,
         object: {
           value: objectValue,
-          isTracked: false
+          tracked: false
         },
         result: {
           value: resultInfo ? resultInfo.value : result,
-          isTracked: true
+          tracked: true
         },
-        args: [{ value: argInfo.value, isTracked: true }],
+        args: [{ value: argInfo.value, tracked: true }],
         tags: newTags,
-        addedTags: ['sql-encoded'],
+        addedTags: [SQL_ENCODED],
         history,
         stacktraceOpts: {
           constructorOpt: hooked,

package/lib/dataflow/propagation/install/pug-runtime-escape.js

@@ -54,13 +54,13 @@ module.exports = function(core) {
               name: 'pug-runtime.escape',
               object: {
                 value: createModuleLabel('pug-runtime', version),
-                isTracked: false
+                tracked: false
               },
               result: {
                 value: resultInfo ? resultInfo.value : result,
-                isTracked: true
+                tracked: true
               },
-              args: [{ value: argInfo.value, isTracked: true }],
+              args: [{ value: argInfo.value, tracked: true }],
               tags: newTags,
               addedTags: ['weak-url-encoded'],
               history,