npm - @contrast/assess - Versions diffs - 1.4.0 → 1.6.0 - Mend

@contrast/assess 1.4.0 → 1.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (59) hide show

package/lib/dataflow/sinks/install/koa/unvalidated-redirect.js ADDED Viewed

@@ -0,0 +1,122 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const util = require('util');
+const {
+  DataflowTag: {
+    UNTRUSTED,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED,
+    HTML_ENCODED,
+    LIMITED_CHARS,
+    URL_ENCODED,
+  },
+  isString
+} = require('@contrast/common');
+const { patchType } = require('../../common');
+const { createSubsetTags } = require('../../../tag-utils');
+module.exports = function (core) {
+  const {
+    depHooks,
+    patcher,
+    scopes: { sources },
+    assess: {
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, reportFindings },
+        eventFactory: { createSinkEvent },
+      },
+    },
+  } = core;
+  const unvalidatedRedirect =
+    (core.assess.dataflow.sinks.koa.unvalidatedRedirect = {});
+  const inspect = patcher.unwrap(util.inspect);
+  const safeTags = [
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED,
+    HTML_ENCODED,
+    LIMITED_CHARS,
+    URL_ENCODED,
+  ];
+  unvalidatedRedirect.install = function () {
+    depHooks.resolve({ name: 'koa', file: 'lib/response', version: '<2.9.0' }, (Response) => {
+      patcher.patch(Response, 'redirect', {
+        name: 'Koa.Response.redirect',
+        patchType,
+        pre(data) {
+          const assessStore = sources.getStore()?.assess;
+          if (!assessStore) return;
+          let [url] = data.args;
+          if (url === 'back') {
+            url = data.obj.ctx.get('Referrer') || data.args[1];
+          }
+          if (!url || !isString(url)) return;
+          const strInfo = tracker.getData(url);
+          if (!strInfo) return;
+          let urlPathTags = strInfo.tags;
+          if (url.indexOf('?') > -1) {
+            urlPathTags = createSubsetTags(strInfo.tags, 0, url.indexOf('?'));
+          }
+          if (urlPathTags && isVulnerable(UNTRUSTED, safeTags, urlPathTags)) {
+            const event = createSinkEvent({
+              args: [{
+                tracked: true,
+                value: strInfo.value,
+              }],
+              context: `response.redirect(${inspect(strInfo.value)})`,
+              history: [strInfo],
+              name: 'Koa.Response.redirect',
+              object: {
+                tracked: false,
+                value: 'Koa.Response',
+              },
+              result: {
+                tracked: false,
+                value: undefined,
+              },
+              tags: urlPathTags,
+              source: 'P0',
+              stacktraceOpts: {
+                constructorOpt: data.hooked,
+              },
+            });
+            if (event) {
+              reportFindings({
+                ruleId: 'unvalidated-redirect',
+                sinkEvent: event,
+              });
+            }
+          }
+        }
+      });
+    });
+  };
+  return unvalidatedRedirect;
+};

package/lib/dataflow/sinks/install/marsdb.js ADDED Viewed

@@ -0,0 +1,135 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const util = require('util');
+const { patchType } = require('../common');
+const {
+  traverseValues,
+  Rule,
+  DataflowTag: {
+    ALPHANUM_SPACE_HYPHEN,
+    LIMITED_CHARS,
+    UNTRUSTED,
+    STRING_TYPE_CHECKED,
+    CUSTOM_VALIDATED_NOSQL_INJECTION,
+  },
+} = require('@contrast/common');
+const collectionMethods = ['find', 'findOne', 'update', 'remove'];
+const querySafeTags = [
+  LIMITED_CHARS,
+  ALPHANUM_SPACE_HYPHEN,
+  STRING_TYPE_CHECKED,
+  CUSTOM_VALIDATED_NOSQL_INJECTION,
+];
+module.exports = function(core) {
+  const {
+    depHooks,
+    logger,
+    patcher,
+    scopes: { sources, instrumentation },
+    assess: {
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, reportFindings },
+        eventFactory: { createSinkEvent },
+      },
+    },
+  } = core;
+  const instr = core.assess.dataflow.sinks.marsdb = {};
+  const inspect = patcher.unwrap(util.inspect);
+  function getVulnerabilityInfo(query) {
+    let vulnInfo = null;
+    if (!query) return vulnInfo;
+    traverseValues(query, (path, type, value) => {
+      const strInfo = tracker.getData(value);
+      if (strInfo && isVulnerable(UNTRUSTED, querySafeTags, strInfo.tags)) {
+        vulnInfo = { path, strInfo };
+        return true;
+      }
+    });
+    return vulnInfo;
+  }
+  function patchCollection(marsdb, method) {
+    const proto = marsdb.Collection.prototype;
+    const name = `marsdb.Collection.prototype.${method}`;
+    if (!proto[method]) {
+      logger.trace({ name }, `marsdb method ${method} not found!`);
+      return;
+    }
+    patcher.patch(proto, method, {
+      name,
+      patchType,
+      around(next, data) {
+        const sourceCtx = sources.getStore()?.assess;
+        if (!sourceCtx || instrumentation.isLocked()) {
+          return next();
+        }
+        const argIdx = 0;
+        const result = getVulnerabilityInfo(data.args[argIdx]);
+        if (!result) {
+          return next();
+        }
+        const { strInfo } = result;
+        const args = data.args.map((arg, idx) => ({
+          value: inspect(arg),
+          tracked: idx === argIdx,
+        }));
+        const sinkEvent = createSinkEvent({
+          args,
+          context: `marsdb.Collection.${method}(${args.map((a) => a.value)})`,
+          history: [strInfo],
+          object: {
+            tracked: false,
+            value: 'marsdb.Collection',
+          },
+          name,
+          result: strInfo.result,
+          source: `P${argIdx}`,
+          stacktraceOpts: {
+            constructorOpt: data.hooked,
+          },
+          tags: strInfo.tags,
+        });
+        if (sinkEvent) {
+          reportFindings({ ruleId: Rule.NOSQL_INJECTION_MONGO, sinkEvent });
+        }
+        return next();
+      },
+    });
+  }
+  instr.install = function() {
+    depHooks.resolve({ name: 'marsdb' }, (marsdb) => {
+      collectionMethods.forEach((method) => patchCollection(marsdb, method));
+    });
+  };
+  return instr;
+};

package/lib/dataflow/sinks/install/mongodb.js ADDED Viewed

@@ -0,0 +1,205 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const util = require('util');
+const {
+  DataflowTag: {
+    UNTRUSTED,
+    ALPHANUM_SPACE_HYPHEN,
+    CUSTOM_VALIDATED_NOSQL_INJECTION,
+    LIMITED_CHARS,
+    STRING_TYPE_CHECKED,
+  },
+  Rule,
+  isNonEmptyObject,
+  traverseValues
+} = require('@contrast/common');
+const utils = require('../../tag-utils');
+const { patchType } = require('../common');
+const collectionMethods = [
+  'find',
+  'findOne',
+  'findAndModify',
+  'findOneAndDelete',
+  'findOneAndReplace',
+  'findOneAndUpdate',
+  'remove',
+  'replaceOne',
+  'update',
+  'updateOne',
+  'updateMany',
+  'deleteOne',
+  'deleteMany',
+];
+const querySafeTags = [
+  ALPHANUM_SPACE_HYPHEN,
+  CUSTOM_VALIDATED_NOSQL_INJECTION,
+  LIMITED_CHARS,
+  STRING_TYPE_CHECKED,
+];
+module.exports = function(core) {
+  const {
+    depHooks,
+    logger,
+    patcher,
+    scopes: { sources, instrumentation },
+    assess: {
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, reportFindings },
+        eventFactory: { createSinkEvent }
+      }
+    }
+  } = core;
+  const inspect = patcher.unwrap(util.inspect);
+  const instr = core.assess.dataflow.sinks.mongodb = {};
+  instr.getVulnerabilityInfo = function getVulnerabilityInfo(query) {
+    let vulnInfo = null;
+    if (!isNonEmptyObject(query)) return vulnInfo;
+    traverseValues(query, (path, type, value) => {
+      const strInfo = tracker.getData(value);
+      if (strInfo && isVulnerable(UNTRUSTED, querySafeTags, strInfo.tags)) {
+        vulnInfo = { path, strInfo };
+        return true; // halts traversal
+      }
+    });
+    return vulnInfo;
+  };
+  instr.install = function() {
+    depHooks.resolve({ name: 'mongodb' }, (mongodb, version) => {
+      patchCollection(mongodb, version);
+      patchDatabase(mongodb, version);
+    });
+  };
+  return instr;
+  function patchCollection(mongodb, version) {
+    for (const method of collectionMethods) {
+      const proto = mongodb.Collection.prototype;
+      const name = `mongodb.Collection.prototype.${method}`;
+      if (!proto[method]) {
+        logger.trace({ name, version }, 'method not found - skipping instrumentation');
+        continue;
+      }
+      patcher.patch(proto, method, {
+        name,
+        patchType,
+        around(next, data) {
+          const { obj, args } = data;
+          const sourceCtx = sources.getStore()?.assess;
+          if (instrumentation.isLocked() || !sourceCtx) {
+            return next();
+          }
+          const argIdx = 0;
+          try {
+            const vulnInfo = instr.getVulnerabilityInfo(args[argIdx]);
+            if (vulnInfo) {
+              const { path, strInfo } = vulnInfo;
+              const objName = getObjectName(obj);
+              const args = data.args.map((arg, idx) => ({
+                value: inspect(arg),
+                tracked: idx === argIdx,
+              }));
+              const tags = getAdjustedQueryTags(path, strInfo, args[argIdx].value);
+              const resultVal = args[args.length - 1].value.startsWith('[Function') ? '' : 'Promise';
+              const sinkEvent = createSinkEvent({
+                args,
+                context: `${objName}.${method}(${args.map((a) => a.value)})`,
+                history: [strInfo],
+                object: {
+                  tracked: false,
+                  value: 'mongodb.Collection',
+                },
+                name,
+                result: {
+                  tracked: false,
+                  value: resultVal,
+                },
+                source: `P${argIdx}`,
+                stacktraceOpts: {
+                  constructorOpt: data.hooked,
+                },
+                tags,
+              });
+              if (sinkEvent) {
+                reportFindings({ ruleId: Rule.NOSQL_INJECTION_MONGO, sinkEvent });
+              }
+            }
+          } catch (err) {
+            core.logger.error({ name, err }, 'assess sink analysis failed');
+          }
+          if (method === 'findOne') {
+            // `findOne` will call `find` so don't analyze in nested call
+            const store = { name, lock: true };
+            const ret = instrumentation.run(store, next);
+            // but unlock for when callback args run or returned Promises resolve/reject
+            store.lock = false;
+            return ret;
+          }
+          return next();
+        },
+      });
+    }
+  }
+  function patchDatabase(mongodb, version) {
+    // todo
+  }
+  function getObjectName(obj) {
+    let name = '';
+    name += obj.s?.namespace?.db || 'db';
+    name += '.';
+    name += obj.s?.namespace?.collection || 'collection';
+    return name;
+  }
+  function getAdjustedQueryTags(path, strInfo, argString) {
+    const { tags } = strInfo;
+    let idx = -1;
+    for (const str of [...path, strInfo.value]) {
+      idx = argString.indexOf(str, idx);
+      if (idx == -1) {
+        idx = -1;
+        break;
+      }
+    }
+    return idx > 0 ? utils.createAppendTags([], tags, idx) : strInfo.tags;
+  }
+};

package/lib/dataflow/sinks/install/mssql.js CHANGED Viewed

@@ -15,15 +15,19 @@
 'use strict';
-const { Rule, isString } = require('@contrast/common');
+const {
+  DataflowTag: { UNTRUSTED, SQL_ENCODED, LIMITED_CHARS, CUSTOM_VALIDATED, CUSTOM_ENCODED },
+  Rule,
+  isString
+} = require('@contrast/common');
 const { createModuleLabel } = require('../../propagation/common');
 const { patchType } = require('../common');
-const SAFE_TAGS = [
-  'sql-encoded',
-  'limited-chars',
-  'custom-validated',
-  'custom-encoded',
+const safeTags = [
+  SQL_ENCODED,
+  LIMITED_CHARS,
+  CUSTOM_VALIDATED,
+  CUSTOM_ENCODED,
 ];
 module.exports = function (core) {
@@ -45,7 +49,7 @@ module.exports = function (core) {
     if (!store || !data.args[0] || !isString(data.args[0])) return;
     const strInfo = tracker.getData(data.args[0]);
-    if (!strInfo || !isVulnerable('untrusted', SAFE_TAGS, strInfo.tags)) {
+    if (!strInfo || !isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) {
       return;
     }
@@ -54,12 +58,12 @@ module.exports = function (core) {
       history: [strInfo],
       object: {
         value: `[${createModuleLabel('mssql', version)}].${obj}`,
-        isTracked: false,
+        tracked: false,
       },
       args: [
         {
           value: strInfo.value,
-          isTracked: true,
+          tracked: true,
         },
       ],
       tags: strInfo.tags,
@@ -69,10 +73,12 @@ module.exports = function (core) {
       },
     });
-    reportFindings({
-      ruleId: Rule.SQL_INJECTION,
-      metadata: event,
-    });
+    if (event) {
+      reportFindings({
+        ruleId: Rule.SQL_INJECTION,
+        sinkEvent: event,
+      });
+    }
   };
   core.assess.dataflow.sinks.mssql = {

package/lib/dataflow/sinks/install/mysql.js ADDED Viewed

@@ -0,0 +1,122 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { patchType } = require('../common');
+const { Rule, isString, DataflowTag: { CUSTOM_ENCODED_SQL_INJECTION, CUSTOM_ENCODED, CUSTOM_VALIDATED_SQL_INJECTION, CUSTOM_VALIDATED, SQL_ENCODED, LIMITED_CHARS, UNTRUSTED } } = require('@contrast/common');
+const safeTags = [
+  CUSTOM_ENCODED_SQL_INJECTION,
+  CUSTOM_ENCODED,
+  CUSTOM_VALIDATED_SQL_INJECTION,
+  CUSTOM_VALIDATED,
+  SQL_ENCODED,
+  LIMITED_CHARS,
+];
+module.exports = function (core) {
+  const {
+    depHooks,
+    patcher,
+    scopes: { sources },
+    assess: {
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, reportFindings },
+        eventFactory: { createSinkEvent },
+      },
+    },
+  } = core;
+  function getValueFromArgs([value]) {
+    if (isString(value)) {
+      return value;
+    }
+    if (isString(value.sql)) {
+      return value.sql;
+    }
+  }
+  const pre = (module, file, obj) => (data) => {
+    const store = sources.getStore()?.assess;
+    if (!store || !data.args[0]) return;
+    const val = getValueFromArgs(data.args);
+    if (!val) return;
+    const strInfo = tracker.getData(val);
+    if (!strInfo || !isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) {
+      return;
+    }
+    const event = createSinkEvent({
+      name: `${module}/${file}`,
+      history: [strInfo],
+      object: {
+        value: `${module}.${obj}`,
+        tracked: false,
+      },
+      args: [
+        {
+          value: strInfo.value,
+          tracked: true,
+        },
+      ],
+      tags: strInfo.tags,
+      source: 'P0',
+      stacktraceOpts: {
+        contructorOpt: data.hooked,
+      },
+    });
+    if (event) {
+      reportFindings({
+        ruleId: Rule.SQL_INJECTION,
+        sinkEvent: event,
+      });
+    }
+  };
+  core.assess.dataflow.sinks.mysql = {
+    install() {
+      depHooks.resolve(
+        { name: 'mysql', file: 'lib/Connection' },
+        (Connection) => {
+          patcher.patch(Connection.prototype, 'query', {
+            name: 'Connection.prototype.query',
+            patchType,
+            pre: pre('mysql', 'lib/Connection.query', 'Connection')
+          });
+        },
+      );
+      depHooks.resolve(
+        { name: 'mysql2', file: 'lib/connection' },
+        (connection) => {
+          ['query', 'execute'].forEach((method) => {
+            patcher.patch(connection.prototype, `${method}`, {
+              name: `connection.prototype.${method}`,
+              patchType,
+              pre: pre('mysql2', `lib/connection.Connection.${method}`, 'connection')
+            });
+          });
+        },
+      );
+    },
+  };
+  return core.assess.dataflow.sinks.mysql;
+};