@contrast/assess 1.5.0 → 1.6.0

package/lib/dataflow/sinks/install/mysql.js

@@ -0,0 +1,122 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../common');
+const { Rule, isString, DataflowTag: { CUSTOM_ENCODED_SQL_INJECTION, CUSTOM_ENCODED, CUSTOM_VALIDATED_SQL_INJECTION, CUSTOM_VALIDATED, SQL_ENCODED, LIMITED_CHARS, UNTRUSTED } } = require('@contrast/common');
+
+const safeTags = [
+  CUSTOM_ENCODED_SQL_INJECTION,
+  CUSTOM_ENCODED,
+  CUSTOM_VALIDATED_SQL_INJECTION,
+  CUSTOM_VALIDATED,
+  SQL_ENCODED,
+  LIMITED_CHARS,
+];
+
+module.exports = function (core) {
+  const {
+    depHooks,
+    patcher,
+    scopes: { sources },
+    assess: {
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, reportFindings },
+        eventFactory: { createSinkEvent },
+      },
+    },
+  } = core;
+
+  function getValueFromArgs([value]) {
+    if (isString(value)) {
+      return value;
+    }
+
+    if (isString(value.sql)) {
+      return value.sql;
+    }
+  }
+
+  const pre = (module, file, obj) => (data) => {
+    const store = sources.getStore()?.assess;
+    if (!store || !data.args[0]) return;
+
+    const val = getValueFromArgs(data.args);
+    if (!val) return;
+
+    const strInfo = tracker.getData(val);
+    if (!strInfo || !isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) {
+      return;
+    }
+
+    const event = createSinkEvent({
+      name: `${module}/${file}`,
+      history: [strInfo],
+      object: {
+        value: `${module}.${obj}`,
+        tracked: false,
+      },
+      args: [
+        {
+          value: strInfo.value,
+          tracked: true,
+        },
+      ],
+      tags: strInfo.tags,
+      source: 'P0',
+      stacktraceOpts: {
+        contructorOpt: data.hooked,
+      },
+    });
+
+    if (event) {
+      reportFindings({
+        ruleId: Rule.SQL_INJECTION,
+        sinkEvent: event,
+      });
+    }
+  };
+
+  core.assess.dataflow.sinks.mysql = {
+    install() {
+      depHooks.resolve(
+        { name: 'mysql', file: 'lib/Connection' },
+        (Connection) => {
+          patcher.patch(Connection.prototype, 'query', {
+            name: 'Connection.prototype.query',
+            patchType,
+            pre: pre('mysql', 'lib/Connection.query', 'Connection')
+          });
+        },
+      );
+      depHooks.resolve(
+        { name: 'mysql2', file: 'lib/connection' },
+        (connection) => {
+          ['query', 'execute'].forEach((method) => {
+            patcher.patch(connection.prototype, `${method}`, {
+              name: `connection.prototype.${method}`,
+              patchType,
+              pre: pre('mysql2', `lib/connection.Connection.${method}`, 'connection')
+            });
+          });
+        },
+      );
+    },
+  };
+
+  return core.assess.dataflow.sinks.mysql;
+};

package/lib/dataflow/sinks/install/postgres.js

@@ -16,7 +16,11 @@
 'use strict';
 
 const util = require('util');
-const { Rule, isString } = require('@contrast/common');
+const {
+  DataflowTag: { UNTRUSTED, SQL_ENCODED, LIMITED_CHARS, CUSTOM_VALIDATED, CUSTOM_ENCODED },
+  Rule,
+  isString
+} = require('@contrast/common');
 const { patchType } = require('../common');
 
 module.exports = function (core) {
@@ -34,12 +38,12 @@ module.exports = function (core) {
   } = core;
 
   const safeTags = [
-    'sql-encoded',
-    'limited-chars',
-    'custom-validated',
-    'custom-encoded',
+    SQL_ENCODED,
+    LIMITED_CHARS,
+    CUSTOM_VALIDATED,
+    CUSTOM_ENCODED,
   ];
-  const requiredTag = 'untrusted';
+
   const inspect = patcher.unwrap(util.inspect);
 
   const postgres = core.assess.dataflow.sinks.postgres = {};
@@ -58,7 +62,7 @@ module.exports = function (core) {
     const objValue = methodSignature.includes('native') ? 'pg.native.Client' : 'pg.Client';
     const arg0Val = inspect(arg0);
 
-    if (isVulnerable(requiredTag, safeTags, strInfo.tags)) {
+    if (isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) {
       const event = createSinkEvent({
         args: [{
           tracked: true,
@@ -116,8 +120,6 @@ module.exports = function (core) {
       },
     );
 
-    const pgClientPatchName = `${patchType}:${pgClientQueryPatchName}.query`;
-    const pgNativeClientPatchName = `${patchType}:${pgNativeClientQueryPatchName}.query`;
     depHooks.resolve({ name: 'pg-pool' }, (pool, version) => {
       const name = 'pg-pool.Pool.prototype.query';
       patcher.patch(pool.prototype, 'query', {
@@ -129,9 +131,8 @@ module.exports = function (core) {
           )?.funcKeys;
 
           if (
-            funcKeys &&
-            (funcKeys.has(pgClientPatchName) ||
-              funcKeys.has(pgNativeClientPatchName))
+            funcKeys?.has(`${patchType}:${pgClientQueryPatchName}`) ||
+            funcKeys?.has(`${patchType}:${pgNativeClientQueryPatchName}`)
           ) {
             return;
           }

package/lib/dataflow/sinks/install/sqlite3.js

@@ -14,14 +14,19 @@
  */
 
 'use strict';
+
 const { patchType } = require('../common');
-const { Rule, isString } = require('@contrast/common');
+const {
+  DataflowTag: { UNTRUSTED, SQL_ENCODED, LIMITED_CHARS, CUSTOM_VALIDATED, CUSTOM_ENCODED },
+  Rule,
+  isString
+} = require('@contrast/common');
 
-const SAFE_TAGS = [
-  'sql-encoded',
-  'limited-chars',
-  'custom-validated',
-  'custom-encoded',
+const safeTags = [
+  SQL_ENCODED,
+  LIMITED_CHARS,
+  CUSTOM_VALIDATED,
+  CUSTOM_ENCODED,
 ];
 
 module.exports = function (core) {
@@ -43,7 +48,7 @@ module.exports = function (core) {
     if (!store || !data.args[0] || !isString(data.args[0])) return;
 
     const strInfo = tracker.getData(data.args[0]);
-    if (!strInfo || !isVulnerable('untrusted', SAFE_TAGS, strInfo.tags)) {
+    if (!strInfo || !isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) {
       return;
     }
 

package/lib/dataflow/sources/handler.js

@@ -15,7 +15,12 @@
 
 'use strict';
 
-const { isString, traverseValues } = require('@contrast/common');
+const {
+  InputType,
+  DataflowTag,
+  isString,
+  traverseValues
+} = require('@contrast/common');
 
 module.exports = function(core) {
   const {
@@ -40,15 +45,11 @@ module.exports = function(core) {
 
     const stop = value.length - 1;
     const tags = {
-      untrusted: [0, stop]
+      [DataflowTag.UNTRUSTED]: [0, stop]
     };
 
-    if (inputType === 'header' && key.toLowerCase() === 'referer') {
-      tags.header = [0, stop];
-    }
-
-    if (inputType === 'cookie') {
-      tags.cookie = [0, stop];
+    if (inputType === InputType.HEADER && key.toLowerCase() === 'referer') {
+      tags[DataflowTag.HEADER] = [0, stop];
     }
 
     return tags;
@@ -57,7 +58,7 @@ module.exports = function(core) {
   sources.handle = function({
     context,
     name,
-    inputType = 'unknown',
+    inputType = InputType.UNKNOWN,
     stacktraceOpts,
     data,
     sourceContext

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.5.0",
+  "version": "1.6.0",
   "description": "",
   "main": "lib/index.js",
   "scripts": {
@@ -15,7 +15,7 @@
   "dependencies": {
     "@contrast/distringuish": "^4.1.0",
     "@contrast/scopes": "1.3.0",
-    "@contrast/common": "1.8.0",
+    "@contrast/common": "1.9.0",
     "parseurl": "^1.3.3"
   }
 }