@contrast/assess 1.4.0 → 1.6.0

package/lib/dataflow/sinks/install/child-process.js

@@ -0,0 +1,224 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+const {
+  DataflowTag: { UNTRUSTED }
+} = require('@contrast/common');
+
+const { patchType } = require('../common');
+const { Rule, isString, inspect } = require('@contrast/common');
+
+module.exports = function (core) {
+  const {
+    depHooks,
+    patcher,
+    scopes: { sources },
+    assess: {
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, reportFindings },
+        eventFactory: { createSinkEvent },
+      },
+    },
+  } = core;
+
+  const safeTags = [];
+
+  function commandCheck(name, command, secondArg, thirdArg, hooked) {
+    const strInfo = tracker.getData(command);
+    if (!strInfo || !isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) return {
+      strInfo: null,
+      reported: false
+    };
+
+    const event = createSinkEvent({
+      name,
+      history: [strInfo],
+      object: {
+        value: 'child_process',
+        tracked: false,
+      },
+      args: [
+        {
+          value: strInfo.value,
+          tracked: true,
+        },
+        (secondArg && {
+          value: inspect(secondArg),
+          tracked: false
+        }),
+        (thirdArg && {
+          value: inspect(thirdArg),
+          tracked: false
+        })
+      ].filter(Boolean),
+      tags: strInfo.tags,
+      source: 'P0',
+      stacktraceOpts: {
+        constructorOpt: hooked,
+      },
+    });
+
+    if (event) {
+      reportFindings({
+        ruleId: Rule.CMD_INJECTION,
+        sinkEvent: event,
+      });
+
+      return {
+        strInfo,
+        reported: true
+      };
+    }
+
+    return {
+      strInfo,
+      reported: false
+    };
+  }
+
+  function argumentsCheck(name, command, commandInfo, args, options, hooked) {
+    if (!Array.isArray(args) || !args?.length) return;
+
+    const trackedArgs = [];
+    let vulnerableArgIdx;
+
+    for (let i = 0; i < args.length; i++) {
+      const trackData = tracker.getData(args[i]);
+
+      trackedArgs.push(trackData);
+
+      if (!trackData) {
+        continue;
+      }
+
+      if (
+        !vulnerableArgIdx &&
+        vulnerableArgIdx != 0 &&
+        isVulnerable(UNTRUSTED, safeTags, trackData.tags)
+      ) {
+        vulnerableArgIdx = i;
+      }
+    }
+
+    if (vulnerableArgIdx != 0 && !vulnerableArgIdx) return;
+
+    const event = createSinkEvent({
+      name,
+      history: [trackedArgs[vulnerableArgIdx]],
+      object: {
+        value: 'child_process',
+        tracked: false,
+      },
+      args: [
+        {
+          value: commandInfo?.value || command,
+          tracked: !!commandInfo,
+        },
+        {
+          value: inspect(args),
+          tracked: true
+        },
+        {
+          value: inspect(options),
+          tracked: false
+        }
+      ],
+      tags: trackedArgs[vulnerableArgIdx].tags,
+      source: 'P1',
+      stacktraceOpts: {
+        contructorOpt: hooked,
+      },
+    });
+
+    if (event) {
+      reportFindings({
+        ruleId: Rule.CMD_INJECTION,
+        sinkEvent: event,
+      });
+    }
+  }
+
+  core.assess.dataflow.sinks.cmdInjection = {
+    install() {
+      depHooks.resolve({ name: 'child_process' }, cp => {
+        ['spawn', 'spawnSync'].forEach((method) => {
+          const name = `child_process.${method}`;
+          patcher.patch(cp, method, {
+            name,
+            patchType,
+            pre(data) {
+              const store = sources.getStore()?.assess;
+              const [command] = data.args;
+
+              if (!store || !command || !isString(command)) return;
+
+              const cpArgs = Array.isArray(data.args[1]) && data.args[1];
+              const options = cpArgs ? data.args[2] : data.args[1];
+
+              const cmdCheck = commandCheck(name, command, cpArgs, options, data.hooked);
+
+              if (cmdCheck.reported || !options?.shell) return;
+
+              argumentsCheck(name, command, cmdCheck.strInfo, cpArgs, options, data.hooked);
+            }
+          });
+        });
+
+        ['exec', 'execSync'].forEach((method) => {
+          const name = `child_process.${method}`;
+          patcher.patch(cp, method, {
+            name,
+            patchType,
+            pre(data) {
+              const store = sources.getStore()?.assess;
+              const [command, secondArg, thirdArg] = data.args;
+
+              if (!store || !command || !isString(command)) return;
+
+              commandCheck(name, command, secondArg, thirdArg, data.hooked);
+            }
+          });
+        });
+
+        ['execFile', 'execFileSync'].forEach((method) => {
+          const name = `child_process.${method}`;
+          patcher.patch(cp, method, {
+            name,
+            patchType,
+            pre(data) {
+              const store = sources.getStore()?.assess;
+              const [command] = data.args;
+
+              if (!store || !command || !isString(command)) return;
+
+              const cpArgs = Array.isArray(data.args[1]) && data.args[1];
+              const options = cpArgs ? data.args[2] : data.args[1];
+
+              if (!options?.shell) return;
+
+              const cmdInfo = tracker.getData(command);
+
+              argumentsCheck(name, command, cmdInfo, cpArgs, options, data.hooked);
+            }
+          });
+        });
+      });
+    },
+  };
+
+  return core.assess.dataflow.sinks.cmdInjection;
+};

package/lib/dataflow/sinks/install/fastify/unvalidated-redirect.js

@@ -15,9 +15,20 @@
 
 'use strict';
 
-const { isString } = require('@contrast/common');
-const { createModuleLabel } = require('../../../propagation/common');
+const util = require('util');
+const {
+  DataflowTag: {
+    UNTRUSTED,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED,
+    HTML_ENCODED,
+    LIMITED_CHARS,
+    URL_ENCODED,
+  },
+  isString
+} = require('@contrast/common');
 const { patchType } = require('../../common');
+const { createSubsetTags } = require('../../../tag-utils');
 
 module.exports = function (core) {
   const {
@@ -35,14 +46,15 @@ module.exports = function (core) {
   const unvalidatedRedirect =
     (core.assess.dataflow.sinks.fastify.unvalidatedRedirect = {});
 
+  const inspect = patcher.unwrap(util.inspect);
+
   const safeTags = [
-    'limited-chars',
-    'url-encoded',
-    'html-encoded',
-    'custom-validated',
-    'custom-encoded'
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED,
+    HTML_ENCODED,
+    LIMITED_CHARS,
+    URL_ENCODED,
   ];
-  const requiredTag = 'untrusted';
 
   /**
    * Patches `Reply.prototype.redirect` for
@@ -67,33 +79,45 @@ module.exports = function (core) {
         const strInfo = tracker.getData(url);
         if (!strInfo) return;
 
-        if (isVulnerable(requiredTag, safeTags, strInfo.tags)) {
+        // todo: how does different tag logic play into display ranges?
+
+        let urlPathTags = strInfo.tags;
+        const urlPathEndIdx = url.indexOf('?');
+
+        if (urlPathEndIdx > -1) {
+          urlPathTags = createSubsetTags(strInfo.tags, 0, urlPathEndIdx);
+        }
+
+        if (isVulnerable(UNTRUSTED, safeTags, urlPathTags)) {
           const event = createSinkEvent({
-            name: 'fastify.reply.redirect',
-            object: {
-              value: `[${createModuleLabel('fastify', version)}].Reply`,
-              isTracked: false,
-            },
-            history: [strInfo],
             args: [{
+              tracked: true,
               value: strInfo.value,
-              isTracked: true
             }],
+            context: `reply.redirect(${inspect(strInfo.value)})`,
+            history: [strInfo],
+            name: 'fastify.reply.redirect',
+            object: {
+              tracked: false,
+              value: 'fastify.Reply',
+            },
             result: {
-              value: url,
-              isTracked: true,
+              tracked: false,
+              value: undefined,
             },
-            tags: strInfo.tags,
+            tags: urlPathTags,
             source: 'P0',
             stacktraceOpts: {
               constructorOpt: data.hooked,
             },
           });
 
-          reportFindings({
-            ruleId: 'unvalidated-redirect', // add Rule.UNVALIDATED_REDIRECT
-            metadata: event,
-          });
+          if (event) {
+            reportFindings({
+              ruleId: 'unvalidated-redirect', // add Rule.UNVALIDATED_REDIRECT
+              sinkEvent: event,
+            });
+          }
         }
       },
     });

package/lib/dataflow/sinks/install/fs.js

@@ -0,0 +1,136 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+const { patchType } = require('../common');
+const { FS_METHODS, Rule, isString, DataflowTag: { URL_ENCODED, LIMITED_CHARS, ALPHANUM_SPACE_HYPHEN, SAFE_PATH, UNTRUSTED } } = require('@contrast/common');
+
+module.exports = function (core) {
+  const {
+    depHooks,
+    patcher,
+    scopes: { sources },
+    assess: {
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, reportFindings },
+        eventFactory: { createSinkEvent },
+      },
+    },
+  } = core;
+
+  const safeTags = [URL_ENCODED, LIMITED_CHARS, ALPHANUM_SPACE_HYPHEN, SAFE_PATH];
+
+  function getValues(indices, args) {
+    return indices.reduce((acc, idx) => {
+      const value = args[idx];
+      if (value && isString(value)) acc.push(value);
+      return acc;
+    }, []);
+  }
+
+  const pre = (name, indices) => (data) => {
+    const store = sources.getStore()?.assess;
+    if (!store) return;
+
+    const values = getValues(indices, data.args);
+    if (!values.length) return;
+
+    const args = [];
+    for (let i = 0; i < values.length; i++) {
+      const strInfo = tracker.getData(values[i]);
+      args.push({ value: strInfo ? strInfo.value : values[i], isTracked: !!strInfo });
+      if (!strInfo || !isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) {
+        continue;
+      }
+
+      const event = createSinkEvent({
+        name,
+        history: [strInfo],
+        object: {
+          value: 'fs',
+          isTracked: false,
+        },
+        args,
+        tags: strInfo.tags,
+        source: `P${i}`,
+        stacktraceOpts: {
+          contructorOpt: data.hooked,
+        },
+      });
+
+      if (event) {
+        reportFindings({
+          ruleId: Rule.PATH_TRAVERSAL,
+          sinkEvent: event,
+        });
+      }
+    }
+  };
+
+  core.assess.dataflow.sinks.pathTraversal = {
+    install() {
+      depHooks.resolve({ name: 'fs' }, (fs) => {
+        for (const method of FS_METHODS) {
+          // not all methods are available on every OS or Node version.
+          if (fs[method.name]) {
+            const name = `fs.${method.name}`;
+            patcher.patch(fs, method.name, {
+              name,
+              patchType,
+              pre: pre(name, method.indices)
+            });
+          }
+
+          if (method.sync) {
+            const syncName = `${method.name}Sync`;
+            if (fs[syncName]) {
+              const name = `fs.${syncName}`;
+              patcher.patch(fs, syncName, {
+                name,
+                patchType,
+                pre: pre(name, method.indices)
+              });
+            }
+          }
+
+          if (method.promises && fs.promises && fs.promises[method.name]) {
+            const name = `fs.promises.${method.name}`;
+            patcher.patch(fs.promises, method.name, {
+              name,
+              patchType,
+              pre: pre(name, method.indices)
+            });
+          }
+        }
+      });
+
+      depHooks.resolve({ name: 'fs/promises' }, (fsPromises) => {
+        for (const method of FS_METHODS) {
+          if (method.promises && fsPromises[method.name]) {
+            const name = `fsPromises.${method.name}`;
+            patcher.patch(fsPromises, method.name, {
+              name,
+              patchType,
+              pre: pre(name, method.indices)
+            });
+          }
+        }
+      });
+    },
+  };
+
+  return core.assess.dataflow.sinks.pathTraversal;
+};

package/lib/dataflow/sinks/install/http.js

@@ -15,8 +15,22 @@
 
 'use strict';
 
-const { Rule } = require('@contrast/common');
-const { createObjectLabel } = require('../../propagation/common');
+const {
+  DataflowTag: {
+    UNTRUSTED,
+    ALPHANUM_SPACE_HYPHEN,
+    COOKIE,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED,
+    HEADER,
+    HTML_ENCODED,
+    LIMITED_CHARS,
+    SQL_ENCODED,
+    URL_ENCODED,
+    WEAK_URL_ENCODED,
+  },
+  Rule,
+} = require('@contrast/common');
 const { patchType } = require('../common');
 
 module.exports = function(core) {
@@ -35,20 +49,19 @@ module.exports = function(core) {
   const http = core.assess.dataflow.sinks.http = {};
 
   const safeTags = [
-    'alphanum-space-hyphen',
-    'cookie',
-    'header',
-    'limited-chars',
-    'html-encoded',
-    'sql-encoded',
-    'url-encoded',
-    'weak-url-encoded',
-    'custom-validated',
-    'custom-encoded'
+    ALPHANUM_SPACE_HYPHEN,
+    COOKIE,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED,
+    HEADER,
+    HTML_ENCODED,
+    LIMITED_CHARS,
+    SQL_ENCODED,
+    URL_ENCODED,
+    WEAK_URL_ENCODED,
   ];
-  const requiredTag = 'untrusted';
 
-  const preHook = (name) => (data) => {
+  const preHook = (name, method) => (data) => {
     const sourceContext = sources.getStore()?.assess;
     if (!sourceContext) return;
 
@@ -61,34 +74,35 @@ module.exports = function(core) {
     const { contentType } = sourceContext.responseData;
     if (contentType && isSafeContentType(contentType)) return;
 
-    if (isVulnerable(requiredTag, safeTags, strInfo.tags)) {
+    if (isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) {
       const event = createSinkEvent({
-        ruleId: Rule.REFLECTED_XSS,
-        name,
-        history: [strInfo],
-        object: {
-          isTracked: false,
-          value: createObjectLabel('http.ServerResponse')
-        },
         args: [{
           value: strInfo.value,
-          isTracked: true
+          tracked: true
         }],
+        context: `res.${method}(${strInfo.value})`,
+        history: [strInfo],
+        name,
+        object: {
+          tracked: false,
+          value: 'http.ServerResponse'
+        },
         result: {
-          value: null,
-          isTracked: false,
+          value: data.result,
+          tracked: false,
         },
-        tags: strInfo.tags,
+        ruleId: Rule.REFLECTED_XSS,
         source: 'P0',
         stacktraceOpts: {
           constructorOpt: data.hooked
-        }
+        },
+        tags: strInfo.tags,
       });
 
       if (event) {
         reportFindings({
           ruleId: 'reflected-xss',
-          metadata: event
+          sinkEvent: event
         });
       }
     }
@@ -98,18 +112,20 @@ module.exports = function(core) {
     depHooks.resolve({ name: 'http' }, (http) => {
       {
         const name = 'http.ServerResponse.prototype.write';
-        patcher.patch(http.ServerResponse.prototype, 'write', {
+        const method = 'write';
+        patcher.patch(http.ServerResponse.prototype, method, {
           name,
           patchType,
-          pre: preHook(name),
+          pre: preHook(name, method),
         });
       }
       {
         const name = 'http.ServerResponse.prototype.end';
-        patcher.patch(http.ServerResponse.prototype, 'end', {
+        const method = 'end';
+        patcher.patch(http.ServerResponse.prototype, method, {
           name,
           patchType,
-          pre: preHook(name),
+          pre: preHook(name, method),
         });
       }
     });

package/lib/dataflow/sinks/install/koa/index.js

@@ -0,0 +1,30 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { callChildComponentMethodsSync } = require('@contrast/common');
+
+module.exports = function(core) {
+  const koa = core.assess.dataflow.sinks.koa = {};
+
+  require('./unvalidated-redirect')(core);
+
+  koa.install = function() {
+    callChildComponentMethodsSync(koa, 'install');
+  };
+
+  return koa;
+};