@contrast/assess 1.4.0 → 1.6.0

package/lib/dataflow/propagation/install/querystring/parse.js

@@ -14,8 +14,13 @@
  */
 
 'use strict';
+
 const util = require('util');
 const querystring = require('querystring');
+const {
+  DataflowTag: { URL_ENCODED }
+} = require('@contrast/common');
+
 const { patchType } = require('../../common');
 const { createSubsetTags, createAppendTags } = require('../../../tag-utils');
 
@@ -46,18 +51,18 @@ module.exports = function(core) {
         history: [trackingData],
         object: {
           value: part,
-          isTracked: true,
+          tracked: true,
         },
         args: data.origArgs.map((arg) => {
           const argInfo = tracker.getData(arg);
           return {
             value: argInfo ? argInfo.value : util.inspect(arg),
-            isTracked: !!argInfo
+            tracked: !!argInfo
           };
         }),
         result: {
           value: result,
-          isTracked: !!resultInfo
+          tracked: !!resultInfo
         },
         tags: tagRanges,
         stacktraceOpts: {
@@ -73,9 +78,9 @@ module.exports = function(core) {
           event.tags = createAppendTags(event.tags, resultInfo.tags, 0);
           Object.assign(resultInfo, event);
         }
-        if (event.tags['url-encoded']) {
-          delete event.tags['url-encoded'];
-          event.removedTags = ['url-encoded'];
+        if (event.tags[URL_ENCODED]) {
+          delete event.tags[URL_ENCODED];
+          event.removedTags = [URL_ENCODED];
         }
         const { extern } = resultInfo || tracker.track(result, event);
         if (extern) {

package/lib/dataflow/propagation/install/sql-template-strings.js

@@ -57,13 +57,13 @@ module.exports = function(core) {
                 name: 'sql-template-strings.SQL',
                 object: {
                   value: createModuleLabel('sql-template-strings', version),
-                  isTracked: false
+                  tracked: false
                 },
                 result: {
                   value: resultInfo ? resultInfo.value : resultValue,
-                  isTracked: true
+                  tracked: true
                 },
-                args: [{ value: argInfo.value, isTracked: true }],
+                args: [{ value: argInfo.value, tracked: true }],
                 tags: newTags,
                 addedTags: ['sql-encoded'],
                 history,

package/lib/dataflow/propagation/install/string/concat.js

@@ -62,10 +62,10 @@ module.exports = function(core) {
 
             argsData.push({
               value: strInfo?.value ?? str,
-              isTracked: !!strInfo
+              tracked: !!strInfo
             });
 
-            globalOffset += str.length;
+            globalOffset += `${str}`.length;
           }
 
           if (history.size) {
@@ -73,11 +73,11 @@ module.exports = function(core) {
               name: 'String.prototype.concat',
               object: {
                 value: objInfo?.value || String(obj),
-                isTracked: !!objInfo
+                tracked: !!objInfo
               },
               result: {
                 value: result,
-                isTracked: true
+                tracked: true
               },
               args: argsData,
               tags: newTags,

package/lib/dataflow/propagation/install/string/format-methods.js

@@ -46,11 +46,11 @@ module.exports = function(core) {
               name: `String.prototype.${method}`,
               object: {
                 value: objInfo.value,
-                isTracked: true
+                tracked: true
               },
               result: {
                 value: result,
-                isTracked: true
+                tracked: true
               },
               args: [],
               tags: objInfo.tags,

package/lib/dataflow/propagation/install/string/html-methods.js

@@ -78,14 +78,14 @@ module.exports = function(core) {
               name: 'String.prototype.anchor',
               object: {
                 value: objInfo?.value || String(obj),
-                isTracked: !!objInfo
+                tracked: !!objInfo
               },
               result: {
                 value: result,
-                isTracked: true
+                tracked: true
               },
               args: [
-                { value: arg, isTracked: !!argInfo }
+                { value: arg, tracked: !!argInfo }
               ],
               tags: adjustTags('anchor', objInfo?.tags, `${arg}`.length, argInfo?.tags),
               history: Array.from(history),
@@ -126,11 +126,11 @@ module.exports = function(core) {
               name: `String.prototype.${method}`,
               object: {
                 value: objInfo.value,
-                isTracked: true
+                tracked: true
               },
               result: {
                 value: result,
-                isTracked: true
+                tracked: true
               },
               args: [],
               tags: adjustTags(method, objInfo.tags),

package/lib/dataflow/propagation/install/string/index.js

@@ -33,6 +33,7 @@ module.exports = function(core) {
   require('./match')(core);
   require('./replace')(core);
   require('./split')(core);
+  require('./slice')(core);
   require('./substring')(core);
   require('./trim')(core);
 

package/lib/dataflow/propagation/install/string/match.js

@@ -37,19 +37,19 @@ module.exports = function(core) {
       history: [objInfo],
       object: {
         value: objInfo.value,
-        isTracked: true,
+        tracked: true,
       },
       args: args.map((arg) => {
         const argInfo = tracker.getData(arg);
         return {
           value: argInfo ? argInfo.value : arg.toString(),
-          isTracked: !!argInfo
+          tracked: !!argInfo
         };
       }),
       tags,
       result: {
         value: join(result),
-        isTracked: false
+        tracked: false
       },
       stacktraceOpts: {
         constructorOpt: hooked,

package/lib/dataflow/propagation/install/string/replace.js

@@ -15,6 +15,9 @@
 
 'use strict';
 
+const {
+  DataflowTag: { UNTRUSTED }
+} = require('@contrast/common');
 const { patchType } = require('../../common');
 const { createSubsetTags, createAppendTags } = require('../../../tag-utils');
 
@@ -148,7 +151,8 @@ module.exports = function(core) {
             !sources.getStore()?.assess ||
             instrumentation.isLocked() ||
             !data.result ||
-            !data._accumTags?.untrusted
+            // todo: can we reuse this optimization in other propagators? e.g those performing substring-like operations
+            !data._accumTags?.[UNTRUSTED]
           ) return;
 
           const { _replacementInfo, obj, args, result, hooked, orig } = data;
@@ -158,19 +162,19 @@ module.exports = function(core) {
             history: Array.from(data._history),
             object: {
               value: obj,
-              isTracked: !!data._objInfo
+              tracked: !!data._objInfo
             },
             args: [{
               value: args[0].toString(),
-              isTracked: !!tracker.getData(args[0])
+              tracked: !!tracker.getData(args[0])
             },
             {
               value: data._replacement,
-              isTracked: !!_replacementInfo
+              tracked: !!_replacementInfo
             }],
             result: {
               value: result,
-              isTracked: true
+              tracked: true
             },
             tags: data._accumTags,
             stacktraceOpts: {

package/lib/dataflow/propagation/install/string/slice.js

@@ -0,0 +1,104 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { patchType } = require('../../common');
+const { createSubsetTags } = require('../../../tag-utils');
+
+module.exports = function(core) {
+  const {
+    scopes: { sources, instrumentation },
+    patcher,
+    assess: {
+      dataflow: { tracker, eventFactory: { createPropagationEvent } }
+    }
+  } = core;
+
+  function calculateSubsetRangeForSlice({ obj, args }) {
+    let [start, end] = args;
+    const hasSingleArg = end === undefined;
+
+    if (start < 0 && hasSingleArg || start < 0 && end < 0) {
+      start = obj.length - Math.abs(start);
+      end = obj.length - (Math.abs(end) || 0);
+    } else if (start > 0 && end < 0) {
+      end = obj.length - (Math.abs(end) || 0);
+    }
+
+    const subsetLen = (hasSingleArg ? obj.length - start : Math.abs(end - start)) - 1;
+
+    return {
+      startIdx: start,
+      subsetLen
+    };
+  }
+
+  return core.assess.dataflow.propagation.stringInstrumentation.slice = {
+    install() {
+      const name = 'String.prototype.slice';
+
+      patcher.patch(String.prototype, 'slice', {
+        name,
+        patchType,
+        post(data) {
+          const { name, args, obj, result, hooked, orig } = data;
+          if (!result || !sources.getStore() || instrumentation.isLocked()) return;
+
+          const objInfo = tracker.getData(obj);
+          if (!objInfo) return;
+
+          const rInfo = tracker.getData(result);
+          if (rInfo) {
+            // this may happen w/ trackedStr.slice(0) => trackedStr
+            return;
+          }
+
+          const { startIdx, subsetLen } = calculateSubsetRangeForSlice(data);
+          const tags = createSubsetTags(objInfo.tags, startIdx, subsetLen);
+          if (!tags) return;
+
+          const event = createPropagationEvent({
+            name,
+            history: [objInfo],
+            object: {
+              value: obj,
+              tracked: true,
+            },
+            args: args.map((arg) => ({
+              value: arg.toString(),
+              tracked: false
+            })),
+            result: {
+              value: result,
+              tracked: true
+            },
+            tags,
+            stacktraceOpts: {
+              constructorOpt: hooked,
+              prependFrames: [orig]
+            }
+          });
+          const { extern } = tracker.track(result, event);
+
+          if (extern) {
+            data.result = extern;
+          }
+        },
+      });
+    },
+    uninstall() {
+      String.prototype.slice = patcher.unwrap(String.prototype.slice);
+    },
+  };
+};

package/lib/dataflow/propagation/install/string/split.js

@@ -50,7 +50,7 @@ module.exports = function(core) {
           ) return;
 
           const objInfo = tracker.getData(obj);
-          if (!objInfo) return;
+          if (!objInfo || obj === result[0]) return;
 
           let idx = 0;
           for (let i = 0; i < result.length; i++) {
@@ -68,19 +68,19 @@ module.exports = function(core) {
                 history: [objInfo],
                 object: {
                   value: obj,
-                  isTracked: true,
+                  tracked: true,
                 },
                 args: args.map((arg) => {
                   const argInfo = tracker.getData(arg);
                   return {
                     value: argInfo ? argInfo.value : arg.toString(),
-                    isTracked: !!argInfo
+                    tracked: !!argInfo
                   };
                 }),
                 tags,
                 result: {
                   value: join(result),
-                  isTracked: false
+                  tracked: false
                 },
                 stacktraceOpts: {
                   constructorOpt: hooked,

package/lib/dataflow/propagation/install/string/substring.js

@@ -83,21 +83,23 @@ module.exports = function(core) {
               history: [objInfo],
               object: {
                 value: obj,
-                isTracked: true,
+                tracked: true,
               },
               args: args.map((arg) => ({
                 value: arg.toString(),
-                isTracked: false
+                tracked: false
               })),
               result: {
                 value: result,
-                isTracked: true
+                tracked: true
               },
               tags,
+              source: 'O',
               stacktraceOpts: {
                 constructorOpt: hooked,
                 prependFrames: [orig]
-              }
+              },
+              target: 'R',
             });
             const { extern } = tracker.track(result, event);
 

package/lib/dataflow/propagation/install/string/trim.js

@@ -63,11 +63,11 @@ module.exports = function(core) {
         history,
         object: {
           value: obj,
-          isTracked: true
+          tracked: true
         },
         result: {
           value: result,
-          isTracked: true
+          tracked: true
         },
         tags: newTags,
         stacktraceOpts: {

package/lib/dataflow/propagation/install/unescape.js

@@ -15,6 +15,9 @@
 
 'use strict';
 
+const {
+  DataflowTag: { WEAK_URL_ENCODED }
+} = require('@contrast/common');
 const {
   createFullLengthCopyTags
 } = require('../../tag-utils');
@@ -45,7 +48,7 @@ module.exports = function(core) {
           const resultInfo = tracker.getData(result);
           const history = [argInfo];
           const newTags = createFullLengthCopyTags(argInfo.tags, result.length);
-          delete newTags['weak-url-encoded'];
+          delete newTags[WEAK_URL_ENCODED];
 
           if (!Object.keys(newTags).length) return;
 
@@ -53,16 +56,16 @@ module.exports = function(core) {
             name: 'global.unescape',
             object: {
               value: createObjectLabel('global'),
-              isTracked: false
+              tracked: false
             },
             result: {
               value: resultInfo ? resultInfo.value : result,
-              isTracked: true
+              tracked: true
             },
-            args: [{ value: argInfo.value, isTracked: true }],
+            args: [{ value: argInfo.value, tracked: true }],
             tags: newTags,
             history,
-            removedTags: ['weak-url-encoded'],
+            removedTags: [WEAK_URL_ENCODED],
             stacktraceOpts: {
               constructorOpt: hooked,
               prependFrames: [orig]

package/lib/dataflow/propagation/install/url/domain-parsers.js

@@ -52,13 +52,13 @@ module.exports = function(core) {
                 name: `url.${method}`,
                 object: {
                   value: createModuleLabel('url', version),
-                  isTracked: false
+                  tracked: false
                 },
                 result: {
                   value: resultInfo ? resultInfo.value : result,
-                  isTracked: true
+                  tracked: true
                 },
-                args: [{ value: argInfo.value, isTracked: true }],
+                args: [{ value: argInfo.value, tracked: true }],
                 tags: createFullLengthCopyTags(argInfo.tags, result.length) || [],
                 history,
                 source: 'P',

package/lib/dataflow/propagation/install/validator/hooks.js

@@ -33,11 +33,11 @@ module.exports = function(core) {
       history: [{ ...trackingData }],
       args: [{
         value: data.args[0],
-        isTracked: true
+        tracked: true
       }],
       result: {
         value: data.result,
-        isTracked: !!tracker.getData(data.result)
+        tracked: !!tracker.getData(data.result)
       },
       tags: {
         ...trackingData.tags,

package/lib/dataflow/propagation/install/validator/methods.js

@@ -15,57 +15,66 @@
 
 'use strict';
 
+const {
+  DataflowTag: {
+    ALPHANUM_SPACE_HYPHEN,
+    CUSTOM_VALIDATED,
+    HTML_ENCODED,
+    LIMITED_CHARS,
+  }
+} = require('@contrast/common');
+
 module.exports = {
   validators: {
-    isAfter: 'alphanum-space-hyphen',
-    isAlpha: 'alphanum-space-hyphen',
-    isAlphanumeric: 'alphanum-space-hyphen',
-    isBase32: 'alphanum-space-hyphen',
-    isBase58: 'alphanum-space-hyphen',
-    isBase64: 'alphanum-space-hyphen',
-    isBefore: 'alphanum-space-hyphen',
-    isBIC: 'alphanum-space-hyphen',
-    isBoolean: 'limited-chars',
-    isBtcAddress: 'alphanum-space-hyphen',
-    isCreditCard: 'limited-chars',
-    isDate: 'limited-chars',
-    isDecimal: 'limited-chars',
-    isEAN: 'limited-chars',
-    isEthereumAddress: 'alphanum-space-hyphen',
-    isFloat: 'limited-chars',
-    isHash: 'alphanum-space-hyphen',
-    isHexadecimal: 'alphanum-space-hyphen',
-    isHexColor: 'alphanum-space-hyphen',
-    isHSL: 'alphanum-space-hyphen',
-    isIBAN: 'limited-chars',
-    isIdentityCard: 'alphanum-space-hyphen',
-    isIMEI: 'limited-chars',
-    isInt: 'limited-chars',
-    isIP: 'limited-chars',
-    isIPRange: 'limited-chars',
-    isISBN: 'limited-chars',
-    isISIN: 'limited-chars',
-    isISO8601: 'alphanum-space-hyphen',
-    isISO31661Alpha2: 'alphanum-space-hyphen',
-    isISO31661Alpha3: 'alphanum-space-hyphen',
-    isISRC: 'alphanum-space-hyphen',
-    isISSN: 'limited-chars',
-    isJWT: 'alphanum-space-hyphen',
-    isLatLong: 'limited-chars',
-    isLicensePlate: 'alphanum-space-hyphen',
-    isMACAddress: 'alphanum-space-hyphen',
-    isMagnetURI: 'alphanum-space-hyphen',
-    isMD5: 'alphanum-space-hyphen',
-    isMobilePhone: 'limited-chars',
-    isNumeric: 'limited-chars',
-    isOctal: 'alphanum-space-hyphen',
-    isPassportNumber: 'limited-chars',
-    isPostalCode: 'limited-chars',
-    isSemVer: 'limited-chars',
-    isTaxID: 'limited-chars',
-    isUUID: 'alphanum-space-hyphen',
-    isVAT: 'alphanum-space-hyphen',
-    matches: 'custom-validated'
+    isAfter: ALPHANUM_SPACE_HYPHEN,
+    isAlpha: ALPHANUM_SPACE_HYPHEN,
+    isAlphanumeric: ALPHANUM_SPACE_HYPHEN,
+    isBase32: ALPHANUM_SPACE_HYPHEN,
+    isBase58: ALPHANUM_SPACE_HYPHEN,
+    isBase64: ALPHANUM_SPACE_HYPHEN,
+    isBefore: ALPHANUM_SPACE_HYPHEN,
+    isBIC: ALPHANUM_SPACE_HYPHEN,
+    isBoolean: LIMITED_CHARS,
+    isBtcAddress: ALPHANUM_SPACE_HYPHEN,
+    isCreditCard: LIMITED_CHARS,
+    isDate: LIMITED_CHARS,
+    isDecimal: LIMITED_CHARS,
+    isEAN: LIMITED_CHARS,
+    isEthereumAddress: ALPHANUM_SPACE_HYPHEN,
+    isFloat: LIMITED_CHARS,
+    isHash: ALPHANUM_SPACE_HYPHEN,
+    isHexadecimal: ALPHANUM_SPACE_HYPHEN,
+    isHexColor: ALPHANUM_SPACE_HYPHEN,
+    isHSL: ALPHANUM_SPACE_HYPHEN,
+    isIBAN: LIMITED_CHARS,
+    isIdentityCard: ALPHANUM_SPACE_HYPHEN,
+    isIMEI: LIMITED_CHARS,
+    isInt: LIMITED_CHARS,
+    isIP: LIMITED_CHARS,
+    isIPRange: LIMITED_CHARS,
+    isISBN: LIMITED_CHARS,
+    isISIN: LIMITED_CHARS,
+    isISO8601: ALPHANUM_SPACE_HYPHEN,
+    isISO31661Alpha2: ALPHANUM_SPACE_HYPHEN,
+    isISO31661Alpha3: ALPHANUM_SPACE_HYPHEN,
+    isISRC: ALPHANUM_SPACE_HYPHEN,
+    isISSN: LIMITED_CHARS,
+    isJWT: ALPHANUM_SPACE_HYPHEN,
+    isLatLong: LIMITED_CHARS,
+    isLicensePlate: ALPHANUM_SPACE_HYPHEN,
+    isMACAddress: ALPHANUM_SPACE_HYPHEN,
+    isMagnetURI: ALPHANUM_SPACE_HYPHEN,
+    isMD5: ALPHANUM_SPACE_HYPHEN,
+    isMobilePhone: LIMITED_CHARS,
+    isNumeric: LIMITED_CHARS,
+    isOctal: ALPHANUM_SPACE_HYPHEN,
+    isPassportNumber: LIMITED_CHARS,
+    isPostalCode: LIMITED_CHARS,
+    isSemVer: LIMITED_CHARS,
+    isTaxID: LIMITED_CHARS,
+    isUUID: ALPHANUM_SPACE_HYPHEN,
+    isVAT: ALPHANUM_SPACE_HYPHEN,
+    matches: CUSTOM_VALIDATED,
   },
   untrackers: [
     'equals',
@@ -74,9 +83,9 @@ module.exports = {
     'isRFC3339'
   ],
   sanitizers: {
-    escape: 'html-encoded'
+    escape: HTML_ENCODED
   },
   custom: {
-    isEmail: 'limited-chars'
+    isEmail: LIMITED_CHARS
   }
 };

package/lib/dataflow/sinks/index.js

@@ -21,21 +21,34 @@ const { isSafeContentType } = require('../utils/is-safe-content-type');
 
 module.exports = function (core) {
   const {
-    messages
+    messages,
+    scopes: { sources }
   } = core;
 
   const sinks = core.assess.dataflow.sinks = {
     isVulnerable,
     isSafeContentType,
     reportFindings(data) {
-      messages.emit(Event.ASSESS_DATAFLOW_FINDING, data);
+      const store = sources.getStore();
+      // these events need source correlation
+      messages.emit(Event.ASSESS_DATAFLOW_FINDING, {
+        sourceInfo: store?.sourceInfo,
+        ...data
+      });
     },
   };
 
   require('./install/fastify')(core);
+  require('./install/koa')(core);
+  require('./install/child-process')(core);
+  require('./install/fs')(core);
   require('./install/http')(core);
+  require('./install/mongodb')(core);
   require('./install/mssql')(core);
+  require('./install/mysql')(core);
   require('./install/postgres')(core);
+  require('./install/sqlite3')(core);
+  require('./install/marsdb')(core);
 
   sinks.install = function() {
     callChildComponentMethodsSync(core.assess.dataflow.sinks, 'install');