@contrast/assess 1.5.0 → 1.6.0

package/lib/dataflow/event-factory.js

@@ -166,17 +166,22 @@ module.exports = function(core) {
 
     const sourceContext = sources.getStore()?.assess;
     if (!sourceContext) {
-      logger.debug('No sourceContext found during Sink event creation');
+      logger.debug('no sourceContext found during sink event creation');
       return null;
     }
-
     const signature = signatures.get(name);
+    if (!signature) {
+      logger.debug({ name }, 'no signature found for sink event name');
+      return null;
+    }
+    if (!history.length) {
+      logger.debug({ data }, 'empty history for sink event');
+      return null;
+    }
     if (
-      !signature ||
-      !history.length ||
       ((source && !source.match(annotationRegExp)) || (!source && !signature.source))
     ) {
-      logger.debug({ data }, 'Wrong sink event data submited. Sink event not created');
+      logger.debug({ data }, 'malformed or missing sink event source field');
       return null;
     }
 

package/lib/dataflow/propagation/install/decode-uri-component.js

@@ -15,6 +15,9 @@
 
 'use strict';
 
+const {
+  DataflowTag: { URL_ENCODED }
+} = require('@contrast/common');
 const {
   createFullLengthCopyTags
 } = require('../../tag-utils');
@@ -47,7 +50,7 @@ module.exports = function(core) {
           // the result is not tracked, so we don't need to check for that
           const history = [argInfo];
           const newTags = createFullLengthCopyTags(argInfo.tags, result.length);
-          delete newTags['url-encoded'];
+          delete newTags[URL_ENCODED];
 
           if (!Object.keys(newTags).length) return;
 
@@ -64,7 +67,7 @@ module.exports = function(core) {
             args: [{ value: argInfo.value, tracked: true }],
             tags: newTags,
             history,
-            removedTags: ['url-encoded'],
+            removedTags: [URL_ENCODED],
             stacktraceOpts: {
               constructorOpt: hooked,
               prependFrames: [orig]

package/lib/dataflow/propagation/install/ejs/escape-xml.js

@@ -15,6 +15,9 @@
 
 'use strict';
 
+const {
+  DataflowTag: { WEAK_URL_ENCODED }
+} = require('@contrast/common');
 const {
   createFullLengthCopyTags
 } = require('../../../tag-utils');
@@ -48,7 +51,7 @@ module.exports = function(core) {
             const history = [argInfo];
             const newTags = createFullLengthCopyTags(argInfo.tags, result.length);
 
-            newTags['weak-url-encoded'] = [0, result.length - 1];
+            newTags[WEAK_URL_ENCODED] = [0, result.length - 1];
 
             const event = createPropagationEvent({
               name: 'ejs.utils.escapeXML',
@@ -62,7 +65,7 @@ module.exports = function(core) {
               },
               args: [{ value: argInfo.value, tracked: true }],
               tags: newTags,
-              addedTags: ['weak-url-encoded'],
+              addedTags: [WEAK_URL_ENCODED],
               history,
               stacktraceOpts: {
                 constructorOpt: hooked,

package/lib/dataflow/propagation/install/escape-html.js

@@ -15,10 +15,13 @@
 
 'use strict';
 
+const {
+  DataflowTag: { HTML_ENCODED }
+} = require('@contrast/common');
 const {
   createFullLengthCopyTags
 } = require('../../tag-utils');
-const { patchType, createModuleLabel } = require('../common');
+const { patchType } = require('../common');
 
 module.exports = function(core) {
   const {
@@ -48,12 +51,12 @@ module.exports = function(core) {
             const history = [argInfo];
             const newTags = createFullLengthCopyTags(argInfo.tags, result.length);
 
-            newTags['html-encoded'] = [0, result.length - 1];
+            newTags[HTML_ENCODED] = [0, result.length - 1];
 
             const event = createPropagationEvent({
               name: 'escape-html',
               object: {
-                value: createModuleLabel('escape-html', version),
+                value: 'escape-html',
                 tracked: false
               },
               result: {
@@ -63,7 +66,7 @@ module.exports = function(core) {
               args: [{ value: argInfo.value, tracked: true }],
               tags: newTags,
               history,
-              addedTags: ['html-encoded'],
+              addedTags: [HTML_ENCODED],
               stacktraceOpts: {
                 constructorOpt: hooked,
                 prependFrames: [orig]

package/lib/dataflow/propagation/install/escape.js

@@ -15,6 +15,9 @@
 
 'use strict';
 
+const {
+  DataflowTag: { WEAK_URL_ENCODED }
+} = require('@contrast/common');
 const {
   createFullLengthCopyTags
 } = require('../../tag-utils');
@@ -46,7 +49,7 @@ module.exports = function(core) {
           const history = [argInfo];
           const newTags = createFullLengthCopyTags(argInfo.tags, result.length);
 
-          newTags['weak-url-encoded'] = [0, result.length - 1];
+          newTags[WEAK_URL_ENCODED] = [0, result.length - 1];
 
           const event = createPropagationEvent({
             name: 'global.escape',
@@ -61,7 +64,7 @@ module.exports = function(core) {
             args: [{ value: argInfo.value, tracked: true }],
             tags: newTags,
             history,
-            addedTags: ['weak-url-encoded'],
+            addedTags: [WEAK_URL_ENCODED],
             stacktraceOpts: {
               constructorOpt: hooked,
               prependFrames: [orig]

package/lib/dataflow/propagation/install/handlebars-utils-escape-expression.js

@@ -15,6 +15,9 @@
 
 'use strict';
 
+const {
+  DataflowTag: { HTML_ENCODED }
+} = require('@contrast/common');
 const {
   createFullLengthCopyTags
 } = require('../../tag-utils');
@@ -48,7 +51,7 @@ module.exports = function(core) {
             const history = [argInfo];
             const newTags = createFullLengthCopyTags(argInfo.tags, result.length);
 
-            newTags['html-encoded'] = [0, result.length - 1];
+            newTags[HTML_ENCODED] = [0, result.length - 1];
 
             const event = createPropagationEvent({
               name: 'handlebars.Utils.escapeExpression',
@@ -62,7 +65,7 @@ module.exports = function(core) {
               },
               args: [{ value: argInfo.value, tracked: true }],
               tags: newTags,
-              addedTags: ['html-encoded'],
+              addedTags: [HTML_ENCODED],
               history,
               stacktraceOpts: {
                 constructorOpt: hooked,

package/lib/dataflow/propagation/install/mysql-connection-escape.js

@@ -15,6 +15,9 @@
 
 'use strict';
 
+const {
+  DataflowTag: { SQL_ENCODED }
+} = require('@contrast/common');
 const {
   createFullLengthCopyTags
 } = require('../../tag-utils');
@@ -43,7 +46,7 @@ module.exports = function(core) {
       const history = [argInfo];
       const newTags = createFullLengthCopyTags(argInfo.tags, result.length);
 
-      newTags['sql-encoded'] = [0, result.length - 1];
+      newTags[SQL_ENCODED] = [0, result.length - 1];
 
       const event = createPropagationEvent({
         name: eventName,
@@ -57,7 +60,7 @@ module.exports = function(core) {
         },
         args: [{ value: argInfo.value, tracked: true }],
         tags: newTags,
-        addedTags: ['sql-encoded'],
+        addedTags: [SQL_ENCODED],
         history,
         stacktraceOpts: {
           constructorOpt: hooked,

package/lib/dataflow/propagation/install/querystring/parse.js

@@ -14,8 +14,13 @@
  */
 
 'use strict';
+
 const util = require('util');
 const querystring = require('querystring');
+const {
+  DataflowTag: { URL_ENCODED }
+} = require('@contrast/common');
+
 const { patchType } = require('../../common');
 const { createSubsetTags, createAppendTags } = require('../../../tag-utils');
 
@@ -73,9 +78,9 @@ module.exports = function(core) {
           event.tags = createAppendTags(event.tags, resultInfo.tags, 0);
           Object.assign(resultInfo, event);
         }
-        if (event.tags['url-encoded']) {
-          delete event.tags['url-encoded'];
-          event.removedTags = ['url-encoded'];
+        if (event.tags[URL_ENCODED]) {
+          delete event.tags[URL_ENCODED];
+          event.removedTags = [URL_ENCODED];
         }
         const { extern } = resultInfo || tracker.track(result, event);
         if (extern) {

package/lib/dataflow/propagation/install/string/replace.js

@@ -15,6 +15,9 @@
 
 'use strict';
 
+const {
+  DataflowTag: { UNTRUSTED }
+} = require('@contrast/common');
 const { patchType } = require('../../common');
 const { createSubsetTags, createAppendTags } = require('../../../tag-utils');
 
@@ -148,7 +151,8 @@ module.exports = function(core) {
             !sources.getStore()?.assess ||
             instrumentation.isLocked() ||
             !data.result ||
-            !data._accumTags?.untrusted
+            // todo: can we reuse this optimization in other propagators? e.g those performing substring-like operations
+            !data._accumTags?.[UNTRUSTED]
           ) return;
 
           const { _replacementInfo, obj, args, result, hooked, orig } = data;

package/lib/dataflow/propagation/install/unescape.js

@@ -15,6 +15,9 @@
 
 'use strict';
 
+const {
+  DataflowTag: { WEAK_URL_ENCODED }
+} = require('@contrast/common');
 const {
   createFullLengthCopyTags
 } = require('../../tag-utils');
@@ -45,7 +48,7 @@ module.exports = function(core) {
           const resultInfo = tracker.getData(result);
           const history = [argInfo];
           const newTags = createFullLengthCopyTags(argInfo.tags, result.length);
-          delete newTags['weak-url-encoded'];
+          delete newTags[WEAK_URL_ENCODED];
 
           if (!Object.keys(newTags).length) return;
 
@@ -62,7 +65,7 @@ module.exports = function(core) {
             args: [{ value: argInfo.value, tracked: true }],
             tags: newTags,
             history,
-            removedTags: ['weak-url-encoded'],
+            removedTags: [WEAK_URL_ENCODED],
             stacktraceOpts: {
               constructorOpt: hooked,
               prependFrames: [orig]

package/lib/dataflow/propagation/install/validator/methods.js

@@ -15,57 +15,66 @@
 
 'use strict';
 
+const {
+  DataflowTag: {
+    ALPHANUM_SPACE_HYPHEN,
+    CUSTOM_VALIDATED,
+    HTML_ENCODED,
+    LIMITED_CHARS,
+  }
+} = require('@contrast/common');
+
 module.exports = {
   validators: {
-    isAfter: 'alphanum-space-hyphen',
-    isAlpha: 'alphanum-space-hyphen',
-    isAlphanumeric: 'alphanum-space-hyphen',
-    isBase32: 'alphanum-space-hyphen',
-    isBase58: 'alphanum-space-hyphen',
-    isBase64: 'alphanum-space-hyphen',
-    isBefore: 'alphanum-space-hyphen',
-    isBIC: 'alphanum-space-hyphen',
-    isBoolean: 'limited-chars',
-    isBtcAddress: 'alphanum-space-hyphen',
-    isCreditCard: 'limited-chars',
-    isDate: 'limited-chars',
-    isDecimal: 'limited-chars',
-    isEAN: 'limited-chars',
-    isEthereumAddress: 'alphanum-space-hyphen',
-    isFloat: 'limited-chars',
-    isHash: 'alphanum-space-hyphen',
-    isHexadecimal: 'alphanum-space-hyphen',
-    isHexColor: 'alphanum-space-hyphen',
-    isHSL: 'alphanum-space-hyphen',
-    isIBAN: 'limited-chars',
-    isIdentityCard: 'alphanum-space-hyphen',
-    isIMEI: 'limited-chars',
-    isInt: 'limited-chars',
-    isIP: 'limited-chars',
-    isIPRange: 'limited-chars',
-    isISBN: 'limited-chars',
-    isISIN: 'limited-chars',
-    isISO8601: 'alphanum-space-hyphen',
-    isISO31661Alpha2: 'alphanum-space-hyphen',
-    isISO31661Alpha3: 'alphanum-space-hyphen',
-    isISRC: 'alphanum-space-hyphen',
-    isISSN: 'limited-chars',
-    isJWT: 'alphanum-space-hyphen',
-    isLatLong: 'limited-chars',
-    isLicensePlate: 'alphanum-space-hyphen',
-    isMACAddress: 'alphanum-space-hyphen',
-    isMagnetURI: 'alphanum-space-hyphen',
-    isMD5: 'alphanum-space-hyphen',
-    isMobilePhone: 'limited-chars',
-    isNumeric: 'limited-chars',
-    isOctal: 'alphanum-space-hyphen',
-    isPassportNumber: 'limited-chars',
-    isPostalCode: 'limited-chars',
-    isSemVer: 'limited-chars',
-    isTaxID: 'limited-chars',
-    isUUID: 'alphanum-space-hyphen',
-    isVAT: 'alphanum-space-hyphen',
-    matches: 'custom-validated'
+    isAfter: ALPHANUM_SPACE_HYPHEN,
+    isAlpha: ALPHANUM_SPACE_HYPHEN,
+    isAlphanumeric: ALPHANUM_SPACE_HYPHEN,
+    isBase32: ALPHANUM_SPACE_HYPHEN,
+    isBase58: ALPHANUM_SPACE_HYPHEN,
+    isBase64: ALPHANUM_SPACE_HYPHEN,
+    isBefore: ALPHANUM_SPACE_HYPHEN,
+    isBIC: ALPHANUM_SPACE_HYPHEN,
+    isBoolean: LIMITED_CHARS,
+    isBtcAddress: ALPHANUM_SPACE_HYPHEN,
+    isCreditCard: LIMITED_CHARS,
+    isDate: LIMITED_CHARS,
+    isDecimal: LIMITED_CHARS,
+    isEAN: LIMITED_CHARS,
+    isEthereumAddress: ALPHANUM_SPACE_HYPHEN,
+    isFloat: LIMITED_CHARS,
+    isHash: ALPHANUM_SPACE_HYPHEN,
+    isHexadecimal: ALPHANUM_SPACE_HYPHEN,
+    isHexColor: ALPHANUM_SPACE_HYPHEN,
+    isHSL: ALPHANUM_SPACE_HYPHEN,
+    isIBAN: LIMITED_CHARS,
+    isIdentityCard: ALPHANUM_SPACE_HYPHEN,
+    isIMEI: LIMITED_CHARS,
+    isInt: LIMITED_CHARS,
+    isIP: LIMITED_CHARS,
+    isIPRange: LIMITED_CHARS,
+    isISBN: LIMITED_CHARS,
+    isISIN: LIMITED_CHARS,
+    isISO8601: ALPHANUM_SPACE_HYPHEN,
+    isISO31661Alpha2: ALPHANUM_SPACE_HYPHEN,
+    isISO31661Alpha3: ALPHANUM_SPACE_HYPHEN,
+    isISRC: ALPHANUM_SPACE_HYPHEN,
+    isISSN: LIMITED_CHARS,
+    isJWT: ALPHANUM_SPACE_HYPHEN,
+    isLatLong: LIMITED_CHARS,
+    isLicensePlate: ALPHANUM_SPACE_HYPHEN,
+    isMACAddress: ALPHANUM_SPACE_HYPHEN,
+    isMagnetURI: ALPHANUM_SPACE_HYPHEN,
+    isMD5: ALPHANUM_SPACE_HYPHEN,
+    isMobilePhone: LIMITED_CHARS,
+    isNumeric: LIMITED_CHARS,
+    isOctal: ALPHANUM_SPACE_HYPHEN,
+    isPassportNumber: LIMITED_CHARS,
+    isPostalCode: LIMITED_CHARS,
+    isSemVer: LIMITED_CHARS,
+    isTaxID: LIMITED_CHARS,
+    isUUID: ALPHANUM_SPACE_HYPHEN,
+    isVAT: ALPHANUM_SPACE_HYPHEN,
+    matches: CUSTOM_VALIDATED,
   },
   untrackers: [
     'equals',
@@ -74,9 +83,9 @@ module.exports = {
     'isRFC3339'
   ],
   sanitizers: {
-    escape: 'html-encoded'
+    escape: HTML_ENCODED
   },
   custom: {
-    isEmail: 'limited-chars'
+    isEmail: LIMITED_CHARS
   }
 };

package/lib/dataflow/sinks/index.js

@@ -41,10 +41,14 @@ module.exports = function (core) {
   require('./install/fastify')(core);
   require('./install/koa')(core);
   require('./install/child-process')(core);
+  require('./install/fs')(core);
   require('./install/http')(core);
+  require('./install/mongodb')(core);
   require('./install/mssql')(core);
+  require('./install/mysql')(core);
   require('./install/postgres')(core);
   require('./install/sqlite3')(core);
+  require('./install/marsdb')(core);
 
   sinks.install = function() {
     callChildComponentMethodsSync(core.assess.dataflow.sinks, 'install');

package/lib/dataflow/sinks/install/child-process.js

@@ -14,8 +14,12 @@
  */
 
 'use strict';
+const {
+  DataflowTag: { UNTRUSTED }
+} = require('@contrast/common');
+
 const { patchType } = require('../common');
-const { Rule, isString } = require('@contrast/common');
+const { Rule, isString, inspect } = require('@contrast/common');
 
 module.exports = function (core) {
   const {
@@ -31,14 +35,14 @@ module.exports = function (core) {
     },
   } = core;
 
-  const pre = (name) => (data) => {
-    const store = sources.getStore()?.assess;
-    if (!store || !data.args[0] || !isString(data.args[0])) return;
+  const safeTags = [];
 
-    const strInfo = tracker.getData(data.args[0]);
-    if (!strInfo || !isVulnerable('untrusted', [], strInfo.tags)) {
-      return;
-    }
+  function commandCheck(name, command, secondArg, thirdArg, hooked) {
+    const strInfo = tracker.getData(command);
+    if (!strInfo || !isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) return {
+      strInfo: null,
+      reported: false
+    };
 
     const event = createSinkEvent({
       name,
@@ -52,11 +56,19 @@ module.exports = function (core) {
           value: strInfo.value,
           tracked: true,
         },
-      ],
+        (secondArg && {
+          value: inspect(secondArg),
+          tracked: false
+        }),
+        (thirdArg && {
+          value: inspect(thirdArg),
+          tracked: false
+        })
+      ].filter(Boolean),
       tags: strInfo.tags,
       source: 'P0',
       stacktraceOpts: {
-        contructorOpt: data.hooked,
+        constructorOpt: hooked,
       },
     });
 
@@ -65,18 +77,143 @@ module.exports = function (core) {
         ruleId: Rule.CMD_INJECTION,
         sinkEvent: event,
       });
+
+      return {
+        strInfo,
+        reported: true
+      };
     }
-  };
+
+    return {
+      strInfo,
+      reported: false
+    };
+  }
+
+  function argumentsCheck(name, command, commandInfo, args, options, hooked) {
+    if (!Array.isArray(args) || !args?.length) return;
+
+    const trackedArgs = [];
+    let vulnerableArgIdx;
+
+    for (let i = 0; i < args.length; i++) {
+      const trackData = tracker.getData(args[i]);
+
+      trackedArgs.push(trackData);
+
+      if (!trackData) {
+        continue;
+      }
+
+      if (
+        !vulnerableArgIdx &&
+        vulnerableArgIdx != 0 &&
+        isVulnerable(UNTRUSTED, safeTags, trackData.tags)
+      ) {
+        vulnerableArgIdx = i;
+      }
+    }
+
+    if (vulnerableArgIdx != 0 && !vulnerableArgIdx) return;
+
+    const event = createSinkEvent({
+      name,
+      history: [trackedArgs[vulnerableArgIdx]],
+      object: {
+        value: 'child_process',
+        tracked: false,
+      },
+      args: [
+        {
+          value: commandInfo?.value || command,
+          tracked: !!commandInfo,
+        },
+        {
+          value: inspect(args),
+          tracked: true
+        },
+        {
+          value: inspect(options),
+          tracked: false
+        }
+      ],
+      tags: trackedArgs[vulnerableArgIdx].tags,
+      source: 'P1',
+      stacktraceOpts: {
+        contructorOpt: hooked,
+      },
+    });
+
+    if (event) {
+      reportFindings({
+        ruleId: Rule.CMD_INJECTION,
+        sinkEvent: event,
+      });
+    }
+  }
 
   core.assess.dataflow.sinks.cmdInjection = {
     install() {
       depHooks.resolve({ name: 'child_process' }, cp => {
-        ['spawn', 'spawnSync', 'exec', 'execSync'].forEach((method) => {
+        ['spawn', 'spawnSync'].forEach((method) => {
+          const name = `child_process.${method}`;
+          patcher.patch(cp, method, {
+            name,
+            patchType,
+            pre(data) {
+              const store = sources.getStore()?.assess;
+              const [command] = data.args;
+
+              if (!store || !command || !isString(command)) return;
+
+              const cpArgs = Array.isArray(data.args[1]) && data.args[1];
+              const options = cpArgs ? data.args[2] : data.args[1];
+
+              const cmdCheck = commandCheck(name, command, cpArgs, options, data.hooked);
+
+              if (cmdCheck.reported || !options?.shell) return;
+
+              argumentsCheck(name, command, cmdCheck.strInfo, cpArgs, options, data.hooked);
+            }
+          });
+        });
+
+        ['exec', 'execSync'].forEach((method) => {
+          const name = `child_process.${method}`;
+          patcher.patch(cp, method, {
+            name,
+            patchType,
+            pre(data) {
+              const store = sources.getStore()?.assess;
+              const [command, secondArg, thirdArg] = data.args;
+
+              if (!store || !command || !isString(command)) return;
+
+              commandCheck(name, command, secondArg, thirdArg, data.hooked);
+            }
+          });
+        });
+
+        ['execFile', 'execFileSync'].forEach((method) => {
           const name = `child_process.${method}`;
           patcher.patch(cp, method, {
             name,
             patchType,
-            pre: pre(name)
+            pre(data) {
+              const store = sources.getStore()?.assess;
+              const [command] = data.args;
+
+              if (!store || !command || !isString(command)) return;
+
+              const cpArgs = Array.isArray(data.args[1]) && data.args[1];
+              const options = cpArgs ? data.args[2] : data.args[1];
+
+              if (!options?.shell) return;
+
+              const cmdInfo = tracker.getData(command);
+
+              argumentsCheck(name, command, cmdInfo, cpArgs, options, data.hooked);
+            }
           });
         });
       });