@contrast/assess 1.5.0 → 1.7.0

package/lib/dataflow/propagation/install/string/replace.js

@@ -15,6 +15,9 @@
 
 'use strict';
 
+const {
+  DataflowTag: { UNTRUSTED }
+} = require('@contrast/common');
 const { patchType } = require('../../common');
 const { createSubsetTags, createAppendTags } = require('../../../tag-utils');
 
@@ -39,7 +42,7 @@ module.exports = function(core) {
     const namedGroups = hasNamedGroup ? lastEl : null;
     return { match, captureGroups, matchIdx, str, namedGroups };
   }
-  function replaceSpecialCharacters(replacement, { captureGroups, match, str, namedGroups }) {
+  function replaceSpecialCharacters(replacement, { captureGroups, match, str, namedGroups }, replacementType) {
     const origReplace = patcher.unwrap(String.prototype.replace);
     let ret = replacement;
     [
@@ -71,7 +74,7 @@ module.exports = function(core) {
       }
     });
 
-    const numberedGroupMatches = replacement.match(/\$[1-9][0-9]|\$[1-9]/g);
+    const numberedGroupMatches = replacementType !== 'function' && replacement.match(/\$[1-9][0-9]|\$[1-9]/g);
     if (numberedGroupMatches) {
       numberedGroupMatches.forEach((numberedGroup) => {
         const group = Number(numberedGroup.substring(1));
@@ -92,7 +95,7 @@ module.exports = function(core) {
       data._replacement.call(global, ...replacerArgs) :
       data._replacement;
 
-    replacement = replaceSpecialCharacters(String(replacement), parsedArgs);
+    replacement = replaceSpecialCharacters(String(replacement), parsedArgs, data._replacementType);
 
     data._replacementInfo = tracker.getData(replacement);
     if (data._replacement) {
@@ -148,9 +151,15 @@ module.exports = function(core) {
             !sources.getStore()?.assess ||
             instrumentation.isLocked() ||
             !data.result ||
-            !data._accumTags?.untrusted
+            // todo: can we reuse this optimization in other propagators? e.g those performing substring-like operations
+            !data._accumTags?.[UNTRUSTED] ||
+            !!tracker.getData(data.result)
           ) return;
 
+          if (data.obj === data.result) {
+            return;
+          }
+
           const { _replacementInfo, obj, args, result, hooked, orig } = data;
 
           const event = createPropagationEvent({

package/lib/dataflow/propagation/install/unescape.js

@@ -15,6 +15,9 @@
 
 'use strict';
 
+const {
+  DataflowTag: { WEAK_URL_ENCODED }
+} = require('@contrast/common');
 const {
   createFullLengthCopyTags
 } = require('../../tag-utils');
@@ -45,7 +48,7 @@ module.exports = function(core) {
           const resultInfo = tracker.getData(result);
           const history = [argInfo];
           const newTags = createFullLengthCopyTags(argInfo.tags, result.length);
-          delete newTags['weak-url-encoded'];
+          delete newTags[WEAK_URL_ENCODED];
 
           if (!Object.keys(newTags).length) return;
 
@@ -62,7 +65,7 @@ module.exports = function(core) {
             args: [{ value: argInfo.value, tracked: true }],
             tags: newTags,
             history,
-            removedTags: ['weak-url-encoded'],
+            removedTags: [WEAK_URL_ENCODED],
             stacktraceOpts: {
               constructorOpt: hooked,
               prependFrames: [orig]

package/lib/dataflow/propagation/install/validator/methods.js

@@ -15,57 +15,66 @@
 
 'use strict';
 
+const {
+  DataflowTag: {
+    ALPHANUM_SPACE_HYPHEN,
+    CUSTOM_VALIDATED,
+    HTML_ENCODED,
+    LIMITED_CHARS,
+  }
+} = require('@contrast/common');
+
 module.exports = {
   validators: {
-    isAfter: 'alphanum-space-hyphen',
-    isAlpha: 'alphanum-space-hyphen',
-    isAlphanumeric: 'alphanum-space-hyphen',
-    isBase32: 'alphanum-space-hyphen',
-    isBase58: 'alphanum-space-hyphen',
-    isBase64: 'alphanum-space-hyphen',
-    isBefore: 'alphanum-space-hyphen',
-    isBIC: 'alphanum-space-hyphen',
-    isBoolean: 'limited-chars',
-    isBtcAddress: 'alphanum-space-hyphen',
-    isCreditCard: 'limited-chars',
-    isDate: 'limited-chars',
-    isDecimal: 'limited-chars',
-    isEAN: 'limited-chars',
-    isEthereumAddress: 'alphanum-space-hyphen',
-    isFloat: 'limited-chars',
-    isHash: 'alphanum-space-hyphen',
-    isHexadecimal: 'alphanum-space-hyphen',
-    isHexColor: 'alphanum-space-hyphen',
-    isHSL: 'alphanum-space-hyphen',
-    isIBAN: 'limited-chars',
-    isIdentityCard: 'alphanum-space-hyphen',
-    isIMEI: 'limited-chars',
-    isInt: 'limited-chars',
-    isIP: 'limited-chars',
-    isIPRange: 'limited-chars',
-    isISBN: 'limited-chars',
-    isISIN: 'limited-chars',
-    isISO8601: 'alphanum-space-hyphen',
-    isISO31661Alpha2: 'alphanum-space-hyphen',
-    isISO31661Alpha3: 'alphanum-space-hyphen',
-    isISRC: 'alphanum-space-hyphen',
-    isISSN: 'limited-chars',
-    isJWT: 'alphanum-space-hyphen',
-    isLatLong: 'limited-chars',
-    isLicensePlate: 'alphanum-space-hyphen',
-    isMACAddress: 'alphanum-space-hyphen',
-    isMagnetURI: 'alphanum-space-hyphen',
-    isMD5: 'alphanum-space-hyphen',
-    isMobilePhone: 'limited-chars',
-    isNumeric: 'limited-chars',
-    isOctal: 'alphanum-space-hyphen',
-    isPassportNumber: 'limited-chars',
-    isPostalCode: 'limited-chars',
-    isSemVer: 'limited-chars',
-    isTaxID: 'limited-chars',
-    isUUID: 'alphanum-space-hyphen',
-    isVAT: 'alphanum-space-hyphen',
-    matches: 'custom-validated'
+    isAfter: ALPHANUM_SPACE_HYPHEN,
+    isAlpha: ALPHANUM_SPACE_HYPHEN,
+    isAlphanumeric: ALPHANUM_SPACE_HYPHEN,
+    isBase32: ALPHANUM_SPACE_HYPHEN,
+    isBase58: ALPHANUM_SPACE_HYPHEN,
+    isBase64: ALPHANUM_SPACE_HYPHEN,
+    isBefore: ALPHANUM_SPACE_HYPHEN,
+    isBIC: ALPHANUM_SPACE_HYPHEN,
+    isBoolean: LIMITED_CHARS,
+    isBtcAddress: ALPHANUM_SPACE_HYPHEN,
+    isCreditCard: LIMITED_CHARS,
+    isDate: LIMITED_CHARS,
+    isDecimal: LIMITED_CHARS,
+    isEAN: LIMITED_CHARS,
+    isEthereumAddress: ALPHANUM_SPACE_HYPHEN,
+    isFloat: LIMITED_CHARS,
+    isHash: ALPHANUM_SPACE_HYPHEN,
+    isHexadecimal: ALPHANUM_SPACE_HYPHEN,
+    isHexColor: ALPHANUM_SPACE_HYPHEN,
+    isHSL: ALPHANUM_SPACE_HYPHEN,
+    isIBAN: LIMITED_CHARS,
+    isIdentityCard: ALPHANUM_SPACE_HYPHEN,
+    isIMEI: LIMITED_CHARS,
+    isInt: LIMITED_CHARS,
+    isIP: LIMITED_CHARS,
+    isIPRange: LIMITED_CHARS,
+    isISBN: LIMITED_CHARS,
+    isISIN: LIMITED_CHARS,
+    isISO8601: ALPHANUM_SPACE_HYPHEN,
+    isISO31661Alpha2: ALPHANUM_SPACE_HYPHEN,
+    isISO31661Alpha3: ALPHANUM_SPACE_HYPHEN,
+    isISRC: ALPHANUM_SPACE_HYPHEN,
+    isISSN: LIMITED_CHARS,
+    isJWT: ALPHANUM_SPACE_HYPHEN,
+    isLatLong: LIMITED_CHARS,
+    isLicensePlate: ALPHANUM_SPACE_HYPHEN,
+    isMACAddress: ALPHANUM_SPACE_HYPHEN,
+    isMagnetURI: ALPHANUM_SPACE_HYPHEN,
+    isMD5: ALPHANUM_SPACE_HYPHEN,
+    isMobilePhone: LIMITED_CHARS,
+    isNumeric: LIMITED_CHARS,
+    isOctal: ALPHANUM_SPACE_HYPHEN,
+    isPassportNumber: LIMITED_CHARS,
+    isPostalCode: LIMITED_CHARS,
+    isSemVer: LIMITED_CHARS,
+    isTaxID: LIMITED_CHARS,
+    isUUID: ALPHANUM_SPACE_HYPHEN,
+    isVAT: ALPHANUM_SPACE_HYPHEN,
+    matches: CUSTOM_VALIDATED,
   },
   untrackers: [
     'equals',
@@ -74,9 +83,9 @@ module.exports = {
     'isRFC3339'
   ],
   sanitizers: {
-    escape: 'html-encoded'
+    escape: HTML_ENCODED
   },
   custom: {
-    isEmail: 'limited-chars'
+    isEmail: LIMITED_CHARS
   }
 };

package/lib/dataflow/sinks/common.js

@@ -16,5 +16,14 @@
 'use strict';
 
 module.exports = {
-  patchType: 'assess-dataflow-sink'
+  patchType: 'assess-dataflow-sink',
+
+  /**
+   * @param {string[]} safeTags array of sink's safe tags
+   * @param {object} strInfo tracked string info
+   * @returns {string[]} filtered list of safe tags found on tracked string data
+   */
+  filterSafeTags(safeTags, strInfo) {
+    return safeTags.filter((t) => !!strInfo.tags?.[t]);
+  },
 };

package/lib/dataflow/sinks/index.js

@@ -15,19 +15,33 @@
 
 'use strict';
 
-const { callChildComponentMethodsSync, Event } = require('@contrast/common');
+const { AsyncLocalStorage } = require('async_hooks');
+const { callChildComponentMethodsSync, Event, Rule } = require('@contrast/common');
 const { isVulnerable } = require('../utils/is-vulnerable');
 const { isSafeContentType } = require('../utils/is-safe-content-type');
 
 module.exports = function (core) {
   const {
+    logger,
     messages,
     scopes: { sources }
   } = core;
 
+  const sinkScopes = {
+    [Rule.SQL_INJECTION]: new AsyncLocalStorage(),
+    [Rule.NOSQL_INJECTION_MONGO]: new AsyncLocalStorage()
+  };
   const sinks = core.assess.dataflow.sinks = {
     isVulnerable,
     isSafeContentType,
+    reportSafePositive(data) {
+      const store = sources.getStore();
+      // these events need source correlation
+      messages.emit(Event.ASSESS_DATAFLOW_SAFE_POSITIVE, {
+        sourceInfo: store?.sourceInfo,
+        ...data
+      });
+    },
     reportFindings(data) {
       const store = sources.getStore();
       // these events need source correlation
@@ -36,15 +50,34 @@ module.exports = function (core) {
         ...data
       });
     },
+    runInActiveSink(rule, cb) {
+      if (sinkScopes[rule]) {
+        return sinkScopes[rule].run({ locked: true }, cb);
+      } else {
+        logger.error('Sink scope for %s rule does not exist', rule);
+        return cb();
+      }
+    },
+    isLocked(rule) {
+      if (!sinkScopes[rule]) return false;
+
+      return sinkScopes[rule].getStore()?.locked;
+    }
   };
 
   require('./install/fastify')(core);
   require('./install/koa')(core);
   require('./install/child-process')(core);
+  require('./install/fs')(core);
   require('./install/http')(core);
+  require('./install/mongodb')(core);
   require('./install/mssql')(core);
+  require('./install/mysql')(core);
   require('./install/postgres')(core);
+  require('./install/sequelize')(core);
   require('./install/sqlite3')(core);
+  require('./install/marsdb')(core);
+  require('./install/express')(core);
 
   sinks.install = function() {
     callChildComponentMethodsSync(core.assess.dataflow.sinks, 'install');

package/lib/dataflow/sinks/install/child-process.js

@@ -14,8 +14,12 @@
  */
 
 'use strict';
+const {
+  DataflowTag: { UNTRUSTED }
+} = require('@contrast/common');
+
 const { patchType } = require('../common');
-const { Rule, isString } = require('@contrast/common');
+const { Rule, isString, inspect } = require('@contrast/common');
 
 module.exports = function (core) {
   const {
@@ -31,14 +35,14 @@ module.exports = function (core) {
     },
   } = core;
 
-  const pre = (name) => (data) => {
-    const store = sources.getStore()?.assess;
-    if (!store || !data.args[0] || !isString(data.args[0])) return;
+  const safeTags = [];
 
-    const strInfo = tracker.getData(data.args[0]);
-    if (!strInfo || !isVulnerable('untrusted', [], strInfo.tags)) {
-      return;
-    }
+  function commandCheck(name, command, secondArg, thirdArg, hooked) {
+    const strInfo = tracker.getData(command);
+    if (!strInfo || !isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) return {
+      strInfo: null,
+      reported: false
+    };
 
     const event = createSinkEvent({
       name,
@@ -52,11 +56,19 @@ module.exports = function (core) {
           value: strInfo.value,
           tracked: true,
         },
-      ],
+        (secondArg && {
+          value: inspect(secondArg),
+          tracked: false
+        }),
+        (thirdArg && {
+          value: inspect(thirdArg),
+          tracked: false
+        })
+      ].filter(Boolean),
       tags: strInfo.tags,
       source: 'P0',
       stacktraceOpts: {
-        contructorOpt: data.hooked,
+        constructorOpt: hooked,
       },
     });
 
@@ -65,18 +77,143 @@ module.exports = function (core) {
         ruleId: Rule.CMD_INJECTION,
         sinkEvent: event,
       });
+
+      return {
+        strInfo,
+        reported: true
+      };
     }
-  };
+
+    return {
+      strInfo,
+      reported: false
+    };
+  }
+
+  function argumentsCheck(name, command, commandInfo, args, options, hooked) {
+    if (!Array.isArray(args) || !args?.length) return;
+
+    const trackedArgs = [];
+    let vulnerableArgIdx;
+
+    for (let i = 0; i < args.length; i++) {
+      const trackData = tracker.getData(args[i]);
+
+      trackedArgs.push(trackData);
+
+      if (!trackData) {
+        continue;
+      }
+
+      if (
+        !vulnerableArgIdx &&
+        vulnerableArgIdx != 0 &&
+        isVulnerable(UNTRUSTED, safeTags, trackData.tags)
+      ) {
+        vulnerableArgIdx = i;
+      }
+    }
+
+    if (vulnerableArgIdx != 0 && !vulnerableArgIdx) return;
+
+    const event = createSinkEvent({
+      name,
+      history: [trackedArgs[vulnerableArgIdx]],
+      object: {
+        value: 'child_process',
+        tracked: false,
+      },
+      args: [
+        {
+          value: commandInfo?.value || command,
+          tracked: !!commandInfo,
+        },
+        {
+          value: inspect(args),
+          tracked: true
+        },
+        {
+          value: inspect(options),
+          tracked: false
+        }
+      ],
+      tags: trackedArgs[vulnerableArgIdx].tags,
+      source: 'P1',
+      stacktraceOpts: {
+        contructorOpt: hooked,
+      },
+    });
+
+    if (event) {
+      reportFindings({
+        ruleId: Rule.CMD_INJECTION,
+        sinkEvent: event,
+      });
+    }
+  }
 
   core.assess.dataflow.sinks.cmdInjection = {
     install() {
       depHooks.resolve({ name: 'child_process' }, cp => {
-        ['spawn', 'spawnSync', 'exec', 'execSync'].forEach((method) => {
+        ['spawn', 'spawnSync'].forEach((method) => {
+          const name = `child_process.${method}`;
+          patcher.patch(cp, method, {
+            name,
+            patchType,
+            pre(data) {
+              const store = sources.getStore()?.assess;
+              const [command] = data.args;
+
+              if (!store || !command || !isString(command)) return;
+
+              const cpArgs = Array.isArray(data.args[1]) && data.args[1];
+              const options = cpArgs ? data.args[2] : data.args[1];
+
+              const cmdCheck = commandCheck(name, command, cpArgs, options, data.hooked);
+
+              if (cmdCheck.reported || !options?.shell) return;
+
+              argumentsCheck(name, command, cmdCheck.strInfo, cpArgs, options, data.hooked);
+            }
+          });
+        });
+
+        ['exec', 'execSync'].forEach((method) => {
+          const name = `child_process.${method}`;
+          patcher.patch(cp, method, {
+            name,
+            patchType,
+            pre(data) {
+              const store = sources.getStore()?.assess;
+              const [command, secondArg, thirdArg] = data.args;
+
+              if (!store || !command || !isString(command)) return;
+
+              commandCheck(name, command, secondArg, thirdArg, data.hooked);
+            }
+          });
+        });
+
+        ['execFile', 'execFileSync'].forEach((method) => {
           const name = `child_process.${method}`;
           patcher.patch(cp, method, {
             name,
             patchType,
-            pre: pre(name)
+            pre(data) {
+              const store = sources.getStore()?.assess;
+              const [command] = data.args;
+
+              if (!store || !command || !isString(command)) return;
+
+              const cpArgs = Array.isArray(data.args[1]) && data.args[1];
+              const options = cpArgs ? data.args[2] : data.args[1];
+
+              if (!options?.shell) return;
+
+              const cmdInfo = tracker.getData(command);
+
+              argumentsCheck(name, command, cmdInfo, cpArgs, options, data.hooked);
+            }
           });
         });
       });

package/lib/dataflow/sinks/install/express/index.js

@@ -0,0 +1,29 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+
+const { callChildComponentMethodsSync } = require('@contrast/common');
+
+module.exports = function(core) {
+  const express = core.assess.dataflow.sinks.express = {};
+
+  require('./unvalidated-redirect')(core);
+
+  express.install = function() {
+    callChildComponentMethodsSync(express, 'install');
+  };
+
+  return express;
+};

package/lib/dataflow/sinks/install/express/unvalidated-redirect.js

@@ -0,0 +1,134 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const util = require('util');
+const {
+  DataflowTag: {
+    UNTRUSTED,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED,
+    HTML_ENCODED,
+    LIMITED_CHARS,
+    URL_ENCODED,
+  },
+  isString
+} = require('@contrast/common');
+const { patchType, filterSafeTags } = require('../../common');
+const { createSubsetTags } = require('../../../tag-utils');
+
+const ruleId = 'unvalidated-redirect';
+
+module.exports = function (core) {
+  const {
+    depHooks,
+    patcher,
+    config,
+    scopes: { sources },
+    assess: {
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, reportFindings, reportSafePositive },
+        eventFactory: { createSinkEvent },
+      },
+    },
+  } = core;
+  const unvalidatedRedirect =
+    (core.assess.dataflow.sinks.express.unvalidatedRedirect = {});
+
+  const inspect = patcher.unwrap(util.inspect);
+
+  const safeTags = [
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED,
+    HTML_ENCODED,
+    LIMITED_CHARS,
+    URL_ENCODED,
+  ];
+
+  unvalidatedRedirect.install = function () {
+    depHooks.resolve({ name: 'express', file: 'lib/response' }, (Response) => {
+      const name = 'Express.Response.location';
+      patcher.patch(Response, 'location', {
+        name: 'Express.Response.location',
+        patchType,
+        pre: (data) => {
+          const assessStore = sources.getStore()?.assess;
+          if (!assessStore) return;
+
+          let [url] = data.args;
+          if (url === 'back') {
+            url = data.obj.req.get('Referrer');
+          }
+
+          if (!url || !isString(url)) return;
+
+          const strInfo = tracker.getData(url);
+          if (!strInfo) return;
+
+          let urlPathTags = strInfo.tags;
+          if (url.indexOf('?') > -1) {
+            urlPathTags = createSubsetTags(strInfo.tags, 0, url.indexOf('?'));
+          }
+
+          if (urlPathTags && isVulnerable(UNTRUSTED, safeTags, urlPathTags)) {
+            const event = createSinkEvent({
+              args: [{
+                tracked: true,
+                value: strInfo.value,
+              }],
+              context: `response.location(${inspect(strInfo.value)})`,
+              history: [strInfo],
+              name: 'Express.Response.location',
+              object: {
+                tracked: false,
+                value: 'Express.Response',
+              },
+              result: {
+                tracked: false,
+                value: undefined,
+              },
+              tags: urlPathTags,
+              source: 'P0',
+              stacktraceOpts: {
+                constructorOpt: data.hooked,
+              },
+            });
+
+            if (event) {
+              reportFindings({
+                ruleId,
+                sinkEvent: event,
+              });
+            }
+          } else if (config.assess.safe_positives.enable) {
+            reportSafePositive({
+              name,
+              ruleId,
+              safeTags: filterSafeTags(safeTags, strInfo),
+              strInfo: {
+                tags: strInfo.tags,
+                value: strInfo.value,
+              }
+            });
+          }
+        },
+      });
+    });
+  };
+
+  return unvalidatedRedirect;
+};