@contrast/assess 1.5.0 → 1.6.0

package/lib/dataflow/sinks/install/fastify/unvalidated-redirect.js

@@ -16,7 +16,17 @@
 'use strict';
 
 const util = require('util');
-const { isString } = require('@contrast/common');
+const {
+  DataflowTag: {
+    UNTRUSTED,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED,
+    HTML_ENCODED,
+    LIMITED_CHARS,
+    URL_ENCODED,
+  },
+  isString
+} = require('@contrast/common');
 const { patchType } = require('../../common');
 const { createSubsetTags } = require('../../../tag-utils');
 
@@ -39,13 +49,12 @@ module.exports = function (core) {
   const inspect = patcher.unwrap(util.inspect);
 
   const safeTags = [
-    'limited-chars',
-    'url-encoded',
-    'html-encoded',
-    'custom-validated',
-    'custom-encoded'
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED,
+    HTML_ENCODED,
+    LIMITED_CHARS,
+    URL_ENCODED,
   ];
-  const requiredTag = 'untrusted';
 
   /**
    * Patches `Reply.prototype.redirect` for
@@ -70,6 +79,8 @@ module.exports = function (core) {
         const strInfo = tracker.getData(url);
         if (!strInfo) return;
 
+        // todo: how does different tag logic play into display ranges?
+
         let urlPathTags = strInfo.tags;
         const urlPathEndIdx = url.indexOf('?');
 
@@ -77,7 +88,7 @@ module.exports = function (core) {
           urlPathTags = createSubsetTags(strInfo.tags, 0, urlPathEndIdx);
         }
 
-        if (isVulnerable(requiredTag, safeTags, urlPathTags)) {
+        if (isVulnerable(UNTRUSTED, safeTags, urlPathTags)) {
           const event = createSinkEvent({
             args: [{
               tracked: true,

package/lib/dataflow/sinks/install/fs.js

@@ -0,0 +1,136 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+const { patchType } = require('../common');
+const { FS_METHODS, Rule, isString, DataflowTag: { URL_ENCODED, LIMITED_CHARS, ALPHANUM_SPACE_HYPHEN, SAFE_PATH, UNTRUSTED } } = require('@contrast/common');
+
+module.exports = function (core) {
+  const {
+    depHooks,
+    patcher,
+    scopes: { sources },
+    assess: {
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, reportFindings },
+        eventFactory: { createSinkEvent },
+      },
+    },
+  } = core;
+
+  const safeTags = [URL_ENCODED, LIMITED_CHARS, ALPHANUM_SPACE_HYPHEN, SAFE_PATH];
+
+  function getValues(indices, args) {
+    return indices.reduce((acc, idx) => {
+      const value = args[idx];
+      if (value && isString(value)) acc.push(value);
+      return acc;
+    }, []);
+  }
+
+  const pre = (name, indices) => (data) => {
+    const store = sources.getStore()?.assess;
+    if (!store) return;
+
+    const values = getValues(indices, data.args);
+    if (!values.length) return;
+
+    const args = [];
+    for (let i = 0; i < values.length; i++) {
+      const strInfo = tracker.getData(values[i]);
+      args.push({ value: strInfo ? strInfo.value : values[i], isTracked: !!strInfo });
+      if (!strInfo || !isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) {
+        continue;
+      }
+
+      const event = createSinkEvent({
+        name,
+        history: [strInfo],
+        object: {
+          value: 'fs',
+          isTracked: false,
+        },
+        args,
+        tags: strInfo.tags,
+        source: `P${i}`,
+        stacktraceOpts: {
+          contructorOpt: data.hooked,
+        },
+      });
+
+      if (event) {
+        reportFindings({
+          ruleId: Rule.PATH_TRAVERSAL,
+          sinkEvent: event,
+        });
+      }
+    }
+  };
+
+  core.assess.dataflow.sinks.pathTraversal = {
+    install() {
+      depHooks.resolve({ name: 'fs' }, (fs) => {
+        for (const method of FS_METHODS) {
+          // not all methods are available on every OS or Node version.
+          if (fs[method.name]) {
+            const name = `fs.${method.name}`;
+            patcher.patch(fs, method.name, {
+              name,
+              patchType,
+              pre: pre(name, method.indices)
+            });
+          }
+
+          if (method.sync) {
+            const syncName = `${method.name}Sync`;
+            if (fs[syncName]) {
+              const name = `fs.${syncName}`;
+              patcher.patch(fs, syncName, {
+                name,
+                patchType,
+                pre: pre(name, method.indices)
+              });
+            }
+          }
+
+          if (method.promises && fs.promises && fs.promises[method.name]) {
+            const name = `fs.promises.${method.name}`;
+            patcher.patch(fs.promises, method.name, {
+              name,
+              patchType,
+              pre: pre(name, method.indices)
+            });
+          }
+        }
+      });
+
+      depHooks.resolve({ name: 'fs/promises' }, (fsPromises) => {
+        for (const method of FS_METHODS) {
+          if (method.promises && fsPromises[method.name]) {
+            const name = `fsPromises.${method.name}`;
+            patcher.patch(fsPromises, method.name, {
+              name,
+              patchType,
+              pre: pre(name, method.indices)
+            });
+          }
+        }
+      });
+    },
+  };
+
+  return core.assess.dataflow.sinks.pathTraversal;
+};

package/lib/dataflow/sinks/install/http.js

@@ -15,7 +15,22 @@
 
 'use strict';
 
-const { Rule } = require('@contrast/common');
+const {
+  DataflowTag: {
+    UNTRUSTED,
+    ALPHANUM_SPACE_HYPHEN,
+    COOKIE,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED,
+    HEADER,
+    HTML_ENCODED,
+    LIMITED_CHARS,
+    SQL_ENCODED,
+    URL_ENCODED,
+    WEAK_URL_ENCODED,
+  },
+  Rule,
+} = require('@contrast/common');
 const { patchType } = require('../common');
 
 module.exports = function(core) {
@@ -34,18 +49,17 @@ module.exports = function(core) {
   const http = core.assess.dataflow.sinks.http = {};
 
   const safeTags = [
-    'alphanum-space-hyphen',
-    'cookie',
-    'header',
-    'limited-chars',
-    'html-encoded',
-    'sql-encoded',
-    'url-encoded',
-    'weak-url-encoded',
-    'custom-validated',
-    'custom-encoded'
+    ALPHANUM_SPACE_HYPHEN,
+    COOKIE,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED,
+    HEADER,
+    HTML_ENCODED,
+    LIMITED_CHARS,
+    SQL_ENCODED,
+    URL_ENCODED,
+    WEAK_URL_ENCODED,
   ];
-  const requiredTag = 'untrusted';
 
   const preHook = (name, method) => (data) => {
     const sourceContext = sources.getStore()?.assess;
@@ -60,7 +74,7 @@ module.exports = function(core) {
     const { contentType } = sourceContext.responseData;
     if (contentType && isSafeContentType(contentType)) return;
 
-    if (isVulnerable(requiredTag, safeTags, strInfo.tags)) {
+    if (isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) {
       const event = createSinkEvent({
         args: [{
           value: strInfo.value,

package/lib/dataflow/sinks/install/koa/unvalidated-redirect.js

@@ -16,7 +16,17 @@
 'use strict';
 
 const util = require('util');
-const { isString } = require('@contrast/common');
+const {
+  DataflowTag: {
+    UNTRUSTED,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED,
+    HTML_ENCODED,
+    LIMITED_CHARS,
+    URL_ENCODED,
+  },
+  isString
+} = require('@contrast/common');
 const { patchType } = require('../../common');
 const { createSubsetTags } = require('../../../tag-utils');
 
@@ -39,13 +49,12 @@ module.exports = function (core) {
   const inspect = patcher.unwrap(util.inspect);
 
   const safeTags = [
-    'limited-chars',
-    'url-encoded',
-    'html-encoded',
-    'custom-validated',
-    'custom-encoded'
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED,
+    HTML_ENCODED,
+    LIMITED_CHARS,
+    URL_ENCODED,
   ];
-  const requiredTag = 'untrusted';
 
   unvalidatedRedirect.install = function () {
     depHooks.resolve({ name: 'koa', file: 'lib/response', version: '<2.9.0' }, (Response) => {
@@ -73,7 +82,7 @@ module.exports = function (core) {
             urlPathTags = createSubsetTags(strInfo.tags, 0, url.indexOf('?'));
           }
 
-          if (urlPathTags && isVulnerable(requiredTag, safeTags, urlPathTags)) {
+          if (urlPathTags && isVulnerable(UNTRUSTED, safeTags, urlPathTags)) {
             const event = createSinkEvent({
               args: [{
                 tracked: true,

package/lib/dataflow/sinks/install/marsdb.js

@@ -0,0 +1,135 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+
+const util = require('util');
+const { patchType } = require('../common');
+const {
+  traverseValues,
+  Rule,
+  DataflowTag: {
+    ALPHANUM_SPACE_HYPHEN,
+    LIMITED_CHARS,
+    UNTRUSTED,
+    STRING_TYPE_CHECKED,
+    CUSTOM_VALIDATED_NOSQL_INJECTION,
+  },
+} = require('@contrast/common');
+
+const collectionMethods = ['find', 'findOne', 'update', 'remove'];
+const querySafeTags = [
+  LIMITED_CHARS,
+  ALPHANUM_SPACE_HYPHEN,
+  STRING_TYPE_CHECKED,
+  CUSTOM_VALIDATED_NOSQL_INJECTION,
+];
+
+module.exports = function(core) {
+  const {
+    depHooks,
+    logger,
+    patcher,
+    scopes: { sources, instrumentation },
+    assess: {
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, reportFindings },
+        eventFactory: { createSinkEvent },
+      },
+    },
+  } = core;
+
+  const instr = core.assess.dataflow.sinks.marsdb = {};
+  const inspect = patcher.unwrap(util.inspect);
+
+  function getVulnerabilityInfo(query) {
+    let vulnInfo = null;
+    if (!query) return vulnInfo;
+
+    traverseValues(query, (path, type, value) => {
+      const strInfo = tracker.getData(value);
+      if (strInfo && isVulnerable(UNTRUSTED, querySafeTags, strInfo.tags)) {
+        vulnInfo = { path, strInfo };
+        return true;
+      }
+    });
+
+    return vulnInfo;
+  }
+
+  function patchCollection(marsdb, method) {
+    const proto = marsdb.Collection.prototype;
+    const name = `marsdb.Collection.prototype.${method}`;
+
+    if (!proto[method]) {
+      logger.trace({ name }, `marsdb method ${method} not found!`);
+      return;
+    }
+
+    patcher.patch(proto, method, {
+      name,
+      patchType,
+      around(next, data) {
+        const sourceCtx = sources.getStore()?.assess;
+        if (!sourceCtx || instrumentation.isLocked()) {
+          return next();
+        }
+
+        const argIdx = 0;
+        const result = getVulnerabilityInfo(data.args[argIdx]);
+        if (!result) {
+          return next();
+        }
+
+        const { strInfo } = result;
+        const args = data.args.map((arg, idx) => ({
+          value: inspect(arg),
+          tracked: idx === argIdx,
+        }));
+
+        const sinkEvent = createSinkEvent({
+          args,
+          context: `marsdb.Collection.${method}(${args.map((a) => a.value)})`,
+          history: [strInfo],
+          object: {
+            tracked: false,
+            value: 'marsdb.Collection',
+          },
+          name,
+          result: strInfo.result,
+          source: `P${argIdx}`,
+          stacktraceOpts: {
+            constructorOpt: data.hooked,
+          },
+          tags: strInfo.tags,
+        });
+
+        if (sinkEvent) {
+          reportFindings({ ruleId: Rule.NOSQL_INJECTION_MONGO, sinkEvent });
+        }
+
+        return next();
+      },
+    });
+  }
+
+  instr.install = function() {
+    depHooks.resolve({ name: 'marsdb' }, (marsdb) => {
+      collectionMethods.forEach((method) => patchCollection(marsdb, method));
+    });
+  };
+
+  return instr;
+};

package/lib/dataflow/sinks/install/mongodb.js

@@ -0,0 +1,205 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const util = require('util');
+const {
+  DataflowTag: {
+    UNTRUSTED,
+    ALPHANUM_SPACE_HYPHEN,
+    CUSTOM_VALIDATED_NOSQL_INJECTION,
+    LIMITED_CHARS,
+    STRING_TYPE_CHECKED,
+  },
+  Rule,
+  isNonEmptyObject,
+  traverseValues
+} = require('@contrast/common');
+const utils = require('../../tag-utils');
+const { patchType } = require('../common');
+
+const collectionMethods = [
+  'find',
+  'findOne',
+  'findAndModify',
+  'findOneAndDelete',
+  'findOneAndReplace',
+  'findOneAndUpdate',
+  'remove',
+  'replaceOne',
+  'update',
+  'updateOne',
+  'updateMany',
+  'deleteOne',
+  'deleteMany',
+];
+
+const querySafeTags = [
+  ALPHANUM_SPACE_HYPHEN,
+  CUSTOM_VALIDATED_NOSQL_INJECTION,
+  LIMITED_CHARS,
+  STRING_TYPE_CHECKED,
+];
+
+module.exports = function(core) {
+  const {
+    depHooks,
+    logger,
+    patcher,
+    scopes: { sources, instrumentation },
+    assess: {
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, reportFindings },
+        eventFactory: { createSinkEvent }
+      }
+    }
+  } = core;
+
+  const inspect = patcher.unwrap(util.inspect);
+  const instr = core.assess.dataflow.sinks.mongodb = {};
+
+  instr.getVulnerabilityInfo = function getVulnerabilityInfo(query) {
+    let vulnInfo = null;
+
+    if (!isNonEmptyObject(query)) return vulnInfo;
+
+    traverseValues(query, (path, type, value) => {
+      const strInfo = tracker.getData(value);
+      if (strInfo && isVulnerable(UNTRUSTED, querySafeTags, strInfo.tags)) {
+        vulnInfo = { path, strInfo };
+        return true; // halts traversal
+      }
+    });
+
+    return vulnInfo;
+  };
+
+  instr.install = function() {
+    depHooks.resolve({ name: 'mongodb' }, (mongodb, version) => {
+      patchCollection(mongodb, version);
+      patchDatabase(mongodb, version);
+    });
+  };
+
+  return instr;
+
+  function patchCollection(mongodb, version) {
+    for (const method of collectionMethods) {
+
+      const proto = mongodb.Collection.prototype;
+      const name = `mongodb.Collection.prototype.${method}`;
+
+      if (!proto[method]) {
+
+        logger.trace({ name, version }, 'method not found - skipping instrumentation');
+        continue;
+      }
+
+      patcher.patch(proto, method, {
+        name,
+        patchType,
+        around(next, data) {
+          const { obj, args } = data;
+          const sourceCtx = sources.getStore()?.assess;
+
+          if (instrumentation.isLocked() || !sourceCtx) {
+            return next();
+          }
+
+          const argIdx = 0;
+          try {
+            const vulnInfo = instr.getVulnerabilityInfo(args[argIdx]);
+            if (vulnInfo) {
+              const { path, strInfo } = vulnInfo;
+              const objName = getObjectName(obj);
+              const args = data.args.map((arg, idx) => ({
+                value: inspect(arg),
+                tracked: idx === argIdx,
+              }));
+
+              const tags = getAdjustedQueryTags(path, strInfo, args[argIdx].value);
+              const resultVal = args[args.length - 1].value.startsWith('[Function') ? '' : 'Promise';
+              const sinkEvent = createSinkEvent({
+                args,
+                context: `${objName}.${method}(${args.map((a) => a.value)})`,
+                history: [strInfo],
+                object: {
+                  tracked: false,
+                  value: 'mongodb.Collection',
+                },
+                name,
+                result: {
+                  tracked: false,
+                  value: resultVal,
+                },
+                source: `P${argIdx}`,
+                stacktraceOpts: {
+                  constructorOpt: data.hooked,
+                },
+                tags,
+              });
+
+              if (sinkEvent) {
+                reportFindings({ ruleId: Rule.NOSQL_INJECTION_MONGO, sinkEvent });
+              }
+            }
+          } catch (err) {
+            core.logger.error({ name, err }, 'assess sink analysis failed');
+          }
+
+          if (method === 'findOne') {
+            // `findOne` will call `find` so don't analyze in nested call
+            const store = { name, lock: true };
+            const ret = instrumentation.run(store, next);
+            // but unlock for when callback args run or returned Promises resolve/reject
+            store.lock = false;
+            return ret;
+          }
+
+          return next();
+        },
+      });
+    }
+  }
+
+
+  function patchDatabase(mongodb, version) {
+    // todo
+  }
+
+  function getObjectName(obj) {
+    let name = '';
+    name += obj.s?.namespace?.db || 'db';
+    name += '.';
+    name += obj.s?.namespace?.collection || 'collection';
+    return name;
+  }
+
+  function getAdjustedQueryTags(path, strInfo, argString) {
+    const { tags } = strInfo;
+    let idx = -1;
+    for (const str of [...path, strInfo.value]) {
+      idx = argString.indexOf(str, idx);
+      if (idx == -1) {
+        idx = -1;
+        break;
+      }
+    }
+
+    return idx > 0 ? utils.createAppendTags([], tags, idx) : strInfo.tags;
+  }
+};

package/lib/dataflow/sinks/install/mssql.js

@@ -15,15 +15,19 @@
 
 'use strict';
 
-const { Rule, isString } = require('@contrast/common');
+const {
+  DataflowTag: { UNTRUSTED, SQL_ENCODED, LIMITED_CHARS, CUSTOM_VALIDATED, CUSTOM_ENCODED },
+  Rule,
+  isString
+} = require('@contrast/common');
 const { createModuleLabel } = require('../../propagation/common');
 const { patchType } = require('../common');
 
-const SAFE_TAGS = [
-  'sql-encoded',
-  'limited-chars',
-  'custom-validated',
-  'custom-encoded',
+const safeTags = [
+  SQL_ENCODED,
+  LIMITED_CHARS,
+  CUSTOM_VALIDATED,
+  CUSTOM_ENCODED,
 ];
 
 module.exports = function (core) {
@@ -45,7 +49,7 @@ module.exports = function (core) {
     if (!store || !data.args[0] || !isString(data.args[0])) return;
 
     const strInfo = tracker.getData(data.args[0]);
-    if (!strInfo || !isVulnerable('untrusted', SAFE_TAGS, strInfo.tags)) {
+    if (!strInfo || !isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) {
       return;
     }