npm - @contrast/assess - Versions diffs - 1.5.0 → 1.7.0 - Mend

@contrast/assess 1.5.0 → 1.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (40) hide show

package/lib/dataflow/sinks/install/fastify/unvalidated-redirect.js CHANGED Viewed

@@ -16,19 +16,50 @@
 'use strict';
 const util = require('util');
-const { isString } = require('@contrast/common');
-const { patchType } = require('../../common');
+const {
+  DataflowTag: {
+    UNTRUSTED,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED,
+    HTML_ENCODED,
+    LIMITED_CHARS,
+    URL_ENCODED,
+  },
+  isString
+} = require('@contrast/common');
 const { createSubsetTags } = require('../../../tag-utils');
+const { filterSafeTags, patchType } = require('../../common');
+const ruleId = 'unvalidated-redirect';
+const getURLArgument = (args) => {
+  if (!Array.isArray(args)) {
+    return { index: null, url: undefined };
+  }
+  // url can be first or second argument
+  if (typeof args[0] === 'string') {
+    return {
+      index: 0,
+      url: args[0]
+    };
+  }
+  return {
+    index: 1,
+    url: args[1]
+  };
+};
 module.exports = function (core) {
   const {
+    config,
     depHooks,
     patcher,
     scopes: { sources },
     assess: {
       dataflow: {
         tracker,
-        sinks: { isVulnerable, reportFindings },
+        sinks: { isVulnerable, reportFindings, reportSafePositive },
         eventFactory: { createSinkEvent },
       },
     },
@@ -39,85 +70,92 @@ module.exports = function (core) {
   const inspect = patcher.unwrap(util.inspect);
   const safeTags = [
-    'limited-chars',
-    'url-encoded',
-    'html-encoded',
-    'custom-validated',
-    'custom-encoded'
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED,
+    HTML_ENCODED,
+    LIMITED_CHARS,
+    URL_ENCODED,
   ];
-  const requiredTag = 'untrusted';
-  /**
-   * Patches `Reply.prototype.redirect` for
-   * `unvalidated-redirect` checking
-   *
-   * @param {Fastify.Reply} Reply outgoing response
-   */
-  const registerUnvalidatedRedirectHandler = (Reply, version) => {
-    patcher.patch(Reply.prototype, 'redirect', {
-      name: 'fastify.Reply.prototype.redirect',
-      patchType,
-      post(data) {
-        const assessStore = sources.getStore()?.assess;
-        if (!assessStore) return;
-        const [code] = data.args;
-        // url can be first or second argument
-        const url = typeof code === 'string' ? code : data.args[1];
-        if (!url || !isString(url)) return;
-        const strInfo = tracker.getData(url);
-        if (!strInfo) return;
-        let urlPathTags = strInfo.tags;
-        const urlPathEndIdx = url.indexOf('?');
-        if (urlPathEndIdx > -1) {
-          urlPathTags = createSubsetTags(strInfo.tags, 0, urlPathEndIdx);
-        }
-        if (isVulnerable(requiredTag, safeTags, urlPathTags)) {
-          const event = createSinkEvent({
-            args: [{
+  unvalidatedRedirect.install = function () {
+    const name = 'fastify.Reply.prototype.redirect';
+    depHooks.resolve({ name: 'fastify', file: 'lib/reply' }, (Reply, version) => {
+      patcher.patch(Reply.prototype, 'redirect', {
+        name,
+        patchType,
+        post(data) {
+          const assessStore = sources.getStore()?.assess;
+          if (!assessStore) return;
+          const { url, index: valueIndex } = getURLArgument(data.args);
+          if (!url || !isString(url)) return;
+          const strInfo = tracker.getData(url);
+          if (!strInfo) return;
+          // todo: how does different tag logic play into display ranges?
+          let urlPathTags = strInfo.tags;
+          const urlPathEndIdx = url.indexOf('?');
+          if (urlPathEndIdx > -1) {
+            urlPathTags = createSubsetTags(strInfo.tags, 0, urlPathEndIdx);
+          }
+          if (isVulnerable(UNTRUSTED, safeTags, urlPathTags)) {
+            const args = [];
+            // in case a status code is provided
+            if (valueIndex) {
+              args.push({
+                tracked: false,
+                value: data.args[0]
+              });
+            }
+            args.push({
               tracked: true,
               value: strInfo.value,
-            }],
-            context: `reply.redirect(${inspect(strInfo.value)})`,
-            history: [strInfo],
-            name: 'fastify.reply.redirect',
-            object: {
-              tracked: false,
-              value: 'fastify.Reply',
-            },
-            result: {
-              tracked: false,
-              value: undefined,
-            },
-            tags: urlPathTags,
-            source: 'P0',
-            stacktraceOpts: {
-              constructorOpt: data.hooked,
-            },
-          });
-          if (event) {
-            reportFindings({
-              ruleId: 'unvalidated-redirect', // add Rule.UNVALIDATED_REDIRECT
-              sinkEvent: event,
+            });
+            const event = createSinkEvent({
+              args,
+              context: `reply.redirect(${inspect(strInfo.value)})`,
+              history: [strInfo],
+              name: 'fastify.reply.redirect',
+              object: {
+                tracked: false,
+                value: 'fastify.Reply',
+              },
+              result: {
+                tracked: false,
+                value: undefined,
+              },
+              tags: urlPathTags,
+              source: `P${valueIndex}`,
+              stacktraceOpts: {
+                constructorOpt: data.hooked,
+              },
+            });
+            if (event) {
+              reportFindings({
+                ruleId,
+                sinkEvent: event,
+              });
+            }
+          } else if (config.assess.safe_positives.enable) {
+            reportSafePositive({
+              name,
+              ruleId,
+              safeTags: filterSafeTags(safeTags, strInfo),
+              strInfo: {
+                tags: strInfo.tags,
+                value: strInfo.value,
+              }
             });
           }
-        }
-      },
+        },
+      });
     });
   };
-  unvalidatedRedirect.install = function () {
-    depHooks.resolve(
-      { name: 'fastify', file: 'lib/reply' },
-      registerUnvalidatedRedirectHandler
-    );
-  };
   return unvalidatedRedirect;
 };

package/lib/dataflow/sinks/install/fs.js ADDED Viewed

@@ -0,0 +1,136 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { patchType } = require('../common');
+const { FS_METHODS, Rule, isString, DataflowTag: { URL_ENCODED, LIMITED_CHARS, ALPHANUM_SPACE_HYPHEN, SAFE_PATH, UNTRUSTED } } = require('@contrast/common');
+module.exports = function (core) {
+  const {
+    depHooks,
+    patcher,
+    scopes: { sources },
+    assess: {
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, reportFindings },
+        eventFactory: { createSinkEvent },
+      },
+    },
+  } = core;
+  const safeTags = [URL_ENCODED, LIMITED_CHARS, ALPHANUM_SPACE_HYPHEN, SAFE_PATH];
+  function getValues(indices, args) {
+    return indices.reduce((acc, idx) => {
+      const value = args[idx];
+      if (value && isString(value)) acc.push(value);
+      return acc;
+    }, []);
+  }
+  const pre = (name, indices) => (data) => {
+    const store = sources.getStore()?.assess;
+    if (!store) return;
+    const values = getValues(indices, data.args);
+    if (!values.length) return;
+    const args = [];
+    for (let i = 0; i < values.length; i++) {
+      const strInfo = tracker.getData(values[i]);
+      args.push({ value: strInfo ? strInfo.value : values[i], isTracked: !!strInfo });
+      if (!strInfo || !isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) {
+        continue;
+      }
+      const event = createSinkEvent({
+        name,
+        history: [strInfo],
+        object: {
+          value: 'fs',
+          isTracked: false,
+        },
+        args,
+        tags: strInfo.tags,
+        source: `P${i}`,
+        stacktraceOpts: {
+          contructorOpt: data.hooked,
+        },
+      });
+      if (event) {
+        reportFindings({
+          ruleId: Rule.PATH_TRAVERSAL,
+          sinkEvent: event,
+        });
+      }
+    }
+  };
+  core.assess.dataflow.sinks.pathTraversal = {
+    install() {
+      depHooks.resolve({ name: 'fs' }, (fs) => {
+        for (const method of FS_METHODS) {
+          // not all methods are available on every OS or Node version.
+          if (fs[method.name]) {
+            const name = `fs.${method.name}`;
+            patcher.patch(fs, method.name, {
+              name,
+              patchType,
+              pre: pre(name, method.indices)
+            });
+          }
+          if (method.sync) {
+            const syncName = `${method.name}Sync`;
+            if (fs[syncName]) {
+              const name = `fs.${syncName}`;
+              patcher.patch(fs, syncName, {
+                name,
+                patchType,
+                pre: pre(name, method.indices)
+              });
+            }
+          }
+          if (method.promises && fs.promises && fs.promises[method.name]) {
+            const name = `fs.promises.${method.name}`;
+            patcher.patch(fs.promises, method.name, {
+              name,
+              patchType,
+              pre: pre(name, method.indices)
+            });
+          }
+        }
+      });
+      depHooks.resolve({ name: 'fs/promises' }, (fsPromises) => {
+        for (const method of FS_METHODS) {
+          if (method.promises && fsPromises[method.name]) {
+            const name = `fsPromises.${method.name}`;
+            patcher.patch(fsPromises, method.name, {
+              name,
+              patchType,
+              pre: pre(name, method.indices)
+            });
+          }
+        }
+      });
+    },
+  };
+  return core.assess.dataflow.sinks.pathTraversal;
+};

package/lib/dataflow/sinks/install/http.js CHANGED Viewed

@@ -15,18 +15,39 @@
 'use strict';
-const { Rule } = require('@contrast/common');
-const { patchType } = require('../common');
+const {
+  DataflowTag: {
+    UNTRUSTED,
+    ALPHANUM_SPACE_HYPHEN,
+    COOKIE,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED,
+    HEADER,
+    HTML_ENCODED,
+    LIMITED_CHARS,
+    SQL_ENCODED,
+    URL_ENCODED,
+    WEAK_URL_ENCODED,
+  },
+  Rule: { REFLECTED_XSS: ruleId },
+} = require('@contrast/common');
+const { patchType, filterSafeTags } = require('../common');
 module.exports = function(core) {
   const {
+    config,
     depHooks,
     patcher,
     scopes: { sources },
     assess: {
       dataflow: {
         tracker,
-        sinks: { isVulnerable, reportFindings, isSafeContentType },
+        sinks: {
+          isVulnerable,
+          reportFindings,
+          reportSafePositive,
+          isSafeContentType
+        },
         eventFactory: { createSinkEvent },
       },
     },
@@ -34,18 +55,17 @@ module.exports = function(core) {
   const http = core.assess.dataflow.sinks.http = {};
   const safeTags = [
-    'alphanum-space-hyphen',
-    'cookie',
-    'header',
-    'limited-chars',
-    'html-encoded',
-    'sql-encoded',
-    'url-encoded',
-    'weak-url-encoded',
-    'custom-validated',
-    'custom-encoded'
+    ALPHANUM_SPACE_HYPHEN,
+    COOKIE,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED,
+    HEADER,
+    HTML_ENCODED,
+    LIMITED_CHARS,
+    SQL_ENCODED,
+    URL_ENCODED,
+    WEAK_URL_ENCODED,
   ];
-  const requiredTag = 'untrusted';
   const preHook = (name, method) => (data) => {
     const sourceContext = sources.getStore()?.assess;
@@ -60,7 +80,7 @@ module.exports = function(core) {
     const { contentType } = sourceContext.responseData;
     if (contentType && isSafeContentType(contentType)) return;
-    if (isVulnerable(requiredTag, safeTags, strInfo.tags)) {
+    if (isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) {
       const event = createSinkEvent({
         args: [{
           value: strInfo.value,
@@ -77,7 +97,6 @@ module.exports = function(core) {
           value: data.result,
           tracked: false,
         },
-        ruleId: Rule.REFLECTED_XSS,
         source: 'P0',
         stacktraceOpts: {
           constructorOpt: data.hooked
@@ -87,10 +106,20 @@ module.exports = function(core) {
       if (event) {
         reportFindings({
-          ruleId: 'reflected-xss',
+          ruleId,
           sinkEvent: event
         });
       }
+    } else if (config.assess.safe_positives.enable) {
+      reportSafePositive({
+        name,
+        ruleId,
+        safeTags: filterSafeTags(safeTags, strInfo),
+        strInfo: {
+          value: strInfo.value,
+          tags: strInfo.tags,
+        }
+      });
     }
   };

package/lib/dataflow/sinks/install/koa/unvalidated-redirect.js CHANGED Viewed

@@ -16,19 +16,32 @@
 'use strict';
 const util = require('util');
-const { isString } = require('@contrast/common');
-const { patchType } = require('../../common');
+const {
+  DataflowTag: {
+    UNTRUSTED,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED,
+    HTML_ENCODED,
+    LIMITED_CHARS,
+    URL_ENCODED,
+  },
+  isString
+} = require('@contrast/common');
 const { createSubsetTags } = require('../../../tag-utils');
+const { filterSafeTags, patchType } = require('../../common');
+const ruleId = 'unvalidated-redirect';
 module.exports = function (core) {
   const {
     depHooks,
     patcher,
+    config,
     scopes: { sources },
     assess: {
       dataflow: {
         tracker,
-        sinks: { isVulnerable, reportFindings },
+        sinks: { isVulnerable, reportFindings, reportSafePositive },
         eventFactory: { createSinkEvent },
       },
     },
@@ -39,16 +52,16 @@ module.exports = function (core) {
   const inspect = patcher.unwrap(util.inspect);
   const safeTags = [
-    'limited-chars',
-    'url-encoded',
-    'html-encoded',
-    'custom-validated',
-    'custom-encoded'
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED,
+    HTML_ENCODED,
+    LIMITED_CHARS,
+    URL_ENCODED,
   ];
-  const requiredTag = 'untrusted';
   unvalidatedRedirect.install = function () {
     depHooks.resolve({ name: 'koa', file: 'lib/response', version: '<2.9.0' }, (Response) => {
+      const name = 'Koa.Response.redirect';
       patcher.patch(Response, 'redirect', {
         name: 'Koa.Response.redirect',
         patchType,
@@ -56,9 +69,10 @@ module.exports = function (core) {
           const assessStore = sources.getStore()?.assess;
           if (!assessStore) return;
+          let isBackRoute = false;
           let [url] = data.args;
           if (url === 'back') {
+            isBackRoute = true;
             url = data.obj.ctx.get('Referrer') || data.args[1];
           }
@@ -73,12 +87,21 @@ module.exports = function (core) {
             urlPathTags = createSubsetTags(strInfo.tags, 0, url.indexOf('?'));
           }
-          if (urlPathTags && isVulnerable(requiredTag, safeTags, urlPathTags)) {
+          if (urlPathTags && isVulnerable(UNTRUSTED, safeTags, urlPathTags)) {
+            const args = [];
+            if (isBackRoute) {
+              args.push({
+                tracked: false,
+                value: data.args[0]
+              });
+            }
+            args.push({
+              tracked: true,
+              value: strInfo.value,
+            });
             const event = createSinkEvent({
-              args: [{
-                tracked: true,
-                value: strInfo.value,
-              }],
+              args,
               context: `response.redirect(${inspect(strInfo.value)})`,
               history: [strInfo],
               name: 'Koa.Response.redirect',
@@ -91,7 +114,7 @@ module.exports = function (core) {
                 value: undefined,
               },
               tags: urlPathTags,
-              source: 'P0',
+              source: `P${isBackRoute ? 1 : 0}`,
               stacktraceOpts: {
                 constructorOpt: data.hooked,
               },
@@ -99,10 +122,20 @@ module.exports = function (core) {
             if (event) {
               reportFindings({
-                ruleId: 'unvalidated-redirect',
+                ruleId,
                 sinkEvent: event,
               });
             }
+          } else if (config.assess.safe_positives.enable) {
+            reportSafePositive({
+              name,
+              ruleId,
+              safeTags: filterSafeTags(safeTags, strInfo),
+              strInfo: {
+                tags: strInfo.tags,
+                value: strInfo.value,
+              }
+            });
           }
         }
       });