@contrast/assess 1.5.0 → 1.7.0

package/lib/dataflow/sinks/install/postgres.js

@@ -16,49 +16,56 @@
 'use strict';
 
 const util = require('util');
-const { Rule, isString } = require('@contrast/common');
-const { patchType } = require('../common');
+const {
+  DataflowTag: { UNTRUSTED, SQL_ENCODED, LIMITED_CHARS, CUSTOM_VALIDATED, CUSTOM_ENCODED },
+  Rule: { SQL_INJECTION: ruleId },
+  isString
+} = require('@contrast/common');
+const { filterSafeTags, patchType } = require('../common');
 
 module.exports = function (core) {
   const {
+    config,
     depHooks,
     patcher,
     scopes: { sources },
     assess: {
       dataflow: {
         tracker,
-        sinks: { isVulnerable, reportFindings },
+        sinks: { isVulnerable, isLocked, reportFindings, reportSafePositive },
         eventFactory: { createSinkEvent },
       },
     },
   } = core;
 
   const safeTags = [
-    'sql-encoded',
-    'limited-chars',
-    'custom-validated',
-    'custom-encoded',
+    SQL_ENCODED,
+    LIMITED_CHARS,
+    CUSTOM_VALIDATED,
+    CUSTOM_ENCODED,
   ];
-  const requiredTag = 'untrusted';
+
   const inspect = patcher.unwrap(util.inspect);
 
   const postgres = core.assess.dataflow.sinks.postgres = {};
 
-  const preHook = (methodSignature, version, mod, obj) => (data) => {
+  const preHook = (methodSignature) => (data) => {
     const assessStore = sources.getStore()?.assess;
-    if (!assessStore) return;
+    if (!assessStore || isLocked(ruleId)) return;
 
     const [arg0] = data.args;
     const query = arg0?.text || arg0;
     if (!query || !isString(query)) return;
 
     const strInfo = tracker.getData(query);
+    // todo: if the query isn't tracked but users are sending tracked strings in the values
+    // array (args[1]), then shouldn't we report a "safe-positive" event of some kind?
     if (!strInfo) return;
 
     const objValue = methodSignature.includes('native') ? 'pg.native.Client' : 'pg.Client';
     const arg0Val = inspect(arg0);
 
-    if (isVulnerable(requiredTag, safeTags, strInfo.tags)) {
+    if (isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) {
       const event = createSinkEvent({
         args: [{
           tracked: true,
@@ -84,10 +91,20 @@ module.exports = function (core) {
 
       if (event) {
         reportFindings({
-          ruleId: Rule.SQL_INJECTION,
+          ruleId,
           sinkEvent: event,
         });
       }
+    } else if (config.assess.safe_positives.enable) {
+      reportSafePositive({
+        name: methodSignature,
+        ruleId,
+        safeTags: filterSafeTags(safeTags, strInfo),
+        strInfo: {
+          value: strInfo.value,
+          tags: strInfo.tags,
+        }
+      });
     }
   };
 
@@ -95,11 +112,11 @@ module.exports = function (core) {
     const pgClientQueryPatchName = 'pg.Client.prototype.query';
     depHooks.resolve(
       { name: 'pg', file: 'lib/client.js' },
-      (client, version) => {
+      (client) => {
         patcher.patch(client.prototype, 'query', {
           name: pgClientQueryPatchName,
           patchType,
-          pre: preHook('pg/lib/client.prototype.query', version, 'pg', 'Client'),
+          pre: preHook('pg/lib/client.prototype.query'),
         });
       },
     );
@@ -107,18 +124,16 @@ module.exports = function (core) {
     const pgNativeClientQueryPatchName = 'pg.native.Client.prototype.query';
     depHooks.resolve(
       { name: 'pg', file: 'lib/native/client.js' },
-      (client, version) => {
+      (client) => {
         patcher.patch(client.prototype, 'query', {
           name: pgNativeClientQueryPatchName,
           patchType,
-          pre: preHook('pg/lib/native/client.prototype.query', version, 'pg', 'native.Client'),
+          pre: preHook('pg/lib/native/client.prototype.query'),
         });
       },
     );
 
-    const pgClientPatchName = `${patchType}:${pgClientQueryPatchName}.query`;
-    const pgNativeClientPatchName = `${patchType}:${pgNativeClientQueryPatchName}.query`;
-    depHooks.resolve({ name: 'pg-pool' }, (pool, version) => {
+    depHooks.resolve({ name: 'pg-pool' }, (pool) => {
       const name = 'pg-pool.Pool.prototype.query';
       patcher.patch(pool.prototype, 'query', {
         name,
@@ -129,14 +144,13 @@ module.exports = function (core) {
           )?.funcKeys;
 
           if (
-            funcKeys &&
-            (funcKeys.has(pgClientPatchName) ||
-              funcKeys.has(pgNativeClientPatchName))
+            funcKeys?.has(`${patchType}:${pgClientQueryPatchName}`) ||
+            funcKeys?.has(`${patchType}:${pgNativeClientQueryPatchName}`)
           ) {
             return;
           }
 
-          preHook(name, version, 'pg-pool', 'Pool')(data);
+          preHook(name)(data);
         },
       });
     });

package/lib/dataflow/sinks/install/sequelize.js

@@ -0,0 +1,142 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const util = require('util');
+const {
+  Rule: { SQL_INJECTION },
+  DataflowTag: {
+    UNTRUSTED,
+    SQL_ENCODED,
+    LIMITED_CHARS,
+    CUSTOM_VALIDATED,
+    CUSTOM_ENCODED,
+  },
+} = require('@contrast/common');
+const { patchType, filterSafeTags } = require('../common');
+
+module.exports = function (core) {
+  const {
+    depHooks,
+    patcher,
+    config,
+    scopes: { sources },
+    assess: {
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, runInActiveSink, reportFindings, reportSafePositive },
+        eventFactory: { createSinkEvent },
+      },
+    },
+  } = core;
+
+  const safeTags = [
+    SQL_ENCODED,
+    LIMITED_CHARS,
+    CUSTOM_VALIDATED,
+    CUSTOM_ENCODED
+  ];
+  const requiredTag = UNTRUSTED;
+  const inspect = patcher.unwrap(util.inspect);
+
+  const sequelize = (core.assess.dataflow.sinks.sequelize = {});
+
+  sequelize.install = function () {
+    const sequelizeQueryPatchName = 'sequelize.prototype.query';
+    depHooks.resolve({ name: 'sequelize' }, (sequelize) => {
+      patcher.patch(sequelize.prototype, 'query', {
+        name: sequelizeQueryPatchName,
+        patchType,
+        around(next, data) {
+          const { args, hooked, orig } = data;
+          const sourceContext = sources.getStore()?.assess;
+          if (!sourceContext || !args[0]) return next();
+
+          const query = typeof args[0] === 'string' ? args[0] : args[0].query;
+
+          try {
+            const queryInfo = tracker.getData(query);
+            const isVulnerableQuery = isVulnerable(requiredTag, safeTags, queryInfo.tags);
+
+            if (queryInfo && !isVulnerableQuery && config.assess.safe_positives.enable) {
+              reportSafePositive({
+                name: sequelizeQueryPatchName,
+                ruleId: SQL_INJECTION,
+                safeTags: filterSafeTags(safeTags, queryInfo),
+                strInfo: {
+                  value: queryInfo?.value,
+                  tags: queryInfo.tags,
+                },
+              });
+            }
+
+            if (
+              !queryInfo ||
+              !isVulnerableQuery
+            ) {
+              return runInActiveSink(SQL_INJECTION, async () => await next());
+            }
+
+            const sqlValue =
+              typeof args[0] === 'string' ? args[0] : inspect(args[0]);
+            const inspectedOptions = args[1] ? inspect(args[1]) : '';
+            const contextArgs = args[1]
+              ? `${sqlValue}, ${inspectedOptions}`
+              : sqlValue;
+
+            const reportedArgs = [{ value: sqlValue, tracked: true }];
+            args[1] &&
+              reportedArgs.push({ value: inspectedOptions, tracked: false });
+
+            const event = createSinkEvent({
+              context: `sequelize.prototype.query(${contextArgs})`,
+              name: sequelizeQueryPatchName,
+              history: [queryInfo],
+              object: {
+                value: 'sequelize.prototype',
+                tracked: false,
+              },
+              args: reportedArgs,
+              tags: queryInfo?.tags,
+              source: 'P0',
+              stacktraceOpts: {
+                contructorOpt: hooked,
+                prependFrames: [orig],
+              },
+            });
+
+            if (event) {
+              reportFindings({
+                ruleId: SQL_INJECTION,
+                sinkEvent: event,
+              });
+            }
+            /* c8 ignore next 3 */
+          } catch (err) {
+            core.logger.error(
+              { name: sequelizeQueryPatchName, err },
+              'assess sink analysis failed'
+            );
+          }
+
+          return runInActiveSink(SQL_INJECTION, async () => await next());
+        },
+      });
+    });
+  };
+
+  return sequelize;
+};

package/lib/dataflow/sinks/install/sqlite3.js

@@ -14,14 +14,19 @@
  */
 
 'use strict';
+
 const { patchType } = require('../common');
-const { Rule, isString } = require('@contrast/common');
+const {
+  DataflowTag: { UNTRUSTED, SQL_ENCODED, LIMITED_CHARS, CUSTOM_VALIDATED, CUSTOM_ENCODED },
+  Rule: { SQL_INJECTION },
+  isString
+} = require('@contrast/common');
 
-const SAFE_TAGS = [
-  'sql-encoded',
-  'limited-chars',
-  'custom-validated',
-  'custom-encoded',
+const safeTags = [
+  SQL_ENCODED,
+  LIMITED_CHARS,
+  CUSTOM_VALIDATED,
+  CUSTOM_ENCODED,
 ];
 
 module.exports = function (core) {
@@ -32,7 +37,7 @@ module.exports = function (core) {
     assess: {
       dataflow: {
         tracker,
-        sinks: { isVulnerable, reportFindings },
+        sinks: { isVulnerable, isLocked, reportFindings },
         eventFactory: { createSinkEvent },
       },
     },
@@ -40,10 +45,15 @@ module.exports = function (core) {
 
   const pre = (name) => (data) => {
     const store = sources.getStore()?.assess;
-    if (!store || !data.args[0] || !isString(data.args[0])) return;
+    if (
+      !store ||
+      !data.args[0] ||
+      !isString(data.args[0]) ||
+      isLocked(SQL_INJECTION)
+    ) return;
 
     const strInfo = tracker.getData(data.args[0]);
-    if (!strInfo || !isVulnerable('untrusted', SAFE_TAGS, strInfo.tags)) {
+    if (!strInfo || !isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) {
       return;
     }
 
@@ -69,7 +79,7 @@ module.exports = function (core) {
 
     if (event) {
       reportFindings({
-        ruleId: Rule.SQL_INJECTION,
+        ruleId: SQL_INJECTION,
         sinkEvent: event,
       });
     }

package/lib/dataflow/sources/handler.js

@@ -15,7 +15,12 @@
 
 'use strict';
 
-const { isString, traverseValues } = require('@contrast/common');
+const {
+  InputType,
+  DataflowTag,
+  isString,
+  traverseValues
+} = require('@contrast/common');
 
 module.exports = function(core) {
   const {
@@ -40,15 +45,11 @@ module.exports = function(core) {
 
     const stop = value.length - 1;
     const tags = {
-      untrusted: [0, stop]
+      [DataflowTag.UNTRUSTED]: [0, stop]
     };
 
-    if (inputType === 'header' && key.toLowerCase() === 'referer') {
-      tags.header = [0, stop];
-    }
-
-    if (inputType === 'cookie') {
-      tags.cookie = [0, stop];
+    if (inputType === InputType.HEADER && key.toLowerCase() === 'referer') {
+      tags[DataflowTag.HEADER] = [0, stop];
     }
 
     return tags;
@@ -57,7 +58,7 @@ module.exports = function(core) {
   sources.handle = function({
     context,
     name,
-    inputType = 'unknown',
+    inputType = InputType.UNKNOWN,
     stacktraceOpts,
     data,
     sourceContext
@@ -71,6 +72,10 @@ module.exports = function(core) {
       return null;
     }
 
+    if (!context) {
+      context = inputType;
+    }
+
     let stack;
 
     traverseValues(data, (path, type, value, obj) => {

package/lib/dataflow/sources/index.js

@@ -17,7 +17,7 @@
 
 const { callChildComponentMethodsSync } = require('@contrast/common');
 
-module.exports = function(core) {
+module.exports = function (core) {
   const sources = core.assess.dataflow.sources = {};
 
   // API
@@ -27,11 +27,14 @@ module.exports = function(core) {
   require('./install/http')(core);
 
   // frameworks and frameworks specific libraries
+  require('./install/express')(core);
   require('./install/fastify')(core);
   require('./install/koa')(core);
 
   // libraries
+  require('./install/body-parser1')(core);
   require('./install/busboy1')(core);
+  require('./install/cookie-parser1')(core);
   require('./install/formidable1')(core);
   require('./install/qs6')(core);
 

package/lib/dataflow/sources/install/body-parser1.js

@@ -0,0 +1,120 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { InputType } = require('@contrast/common');
+const { patchType } = require('../common');
+
+const METHODS = ['json', 'raw', 'text', 'urlencoded'];
+const INPUT_TYPES = {
+  'body-parser.json.jsonParser': InputType.JSON_VALUE,
+  'body-parser.raw.rawParser': InputType.BODY,
+  'body-parser.text.textParser': InputType.BODY,
+  'body-parser.urlencoded.urlencodedParser': InputType.PARAMETER_VALUE,
+};
+
+module.exports = function init(core) {
+  const { assess, depHooks, logger, patcher, scopes } = core;
+
+  const createPreHook = (name) => (data) => {
+    const [req, , next] = data.args;
+    data.args[2] = function contrastNext(...args) {
+      const sourceContext = scopes.sources.getStore()?.assess;
+
+      if (!sourceContext) {
+        logger.error({ name }, 'unable to handle source. Missing `sourceContext`');
+        return;
+      }
+
+      if (sourceContext.parsedBody) {
+        logger.trace({ name }, 'values already tracked');
+        return;
+      }
+
+      // when using a specific parser, we know the input type.
+      let inputType = INPUT_TYPES[name];
+      // when using `bodyParser()`, determine input type by content type.
+      if (!inputType) {
+        inputType = req.headers?.['content-type']?.includes('json')
+          ? InputType.JSON_VALUE
+          : req.headers?.['content-type']?.includes('urlencoded')
+            ? InputType.PARAMETER_VALUE
+            : InputType.BODY;
+      }
+
+      try {
+        assess.dataflow.sources.handle({
+          context: 'req.body',
+          name,
+          inputType,
+          stacktraceOpts: {
+            constructorOpt: contrastNext
+          },
+          data: req.body,
+          sourceContext,
+        });
+
+        sourceContext.parsedBody = !!Object.keys(req.body).length;
+      } catch (err) {
+        logger.error({ name, err }, 'unable to handle source');
+      }
+
+      return next(...args);
+    };
+  };
+
+  assess.dataflow.sources.bodyParser1Instrumentation = {
+    install() {
+      depHooks.resolve(
+        { name: 'body-parser', version: '>=1.0.0' },
+        /** @param {import('body-parser').BodyParser} bodyParser */
+        (bodyParser) => {
+          bodyParser = patcher.patch(bodyParser, {
+            name: 'body-parser',
+            patchType,
+            post(data) {
+              const name = 'body-parser.bodyParser';
+              data.result = patcher.patch(data.result, {
+                name,
+                patchType,
+                pre: createPreHook(name),
+              });
+            },
+          });
+
+          METHODS.forEach((method) => {
+            patcher.patch(bodyParser, method, {
+              name: `body-parser.${method}`,
+              patchType,
+              post(data) {
+                const name = `body-parser.${method}.${method}Parser`;
+                data.result = patcher.patch(data.result, {
+                  name,
+                  patchType,
+                  pre: createPreHook(name)
+                });
+              },
+            });
+          });
+
+          return bodyParser;
+        }
+      );
+    }
+  };
+
+  return assess.dataflow.sources.bodyParser1Instrumentation;
+};

package/lib/dataflow/sources/install/cookie-parser1.js

@@ -0,0 +1,101 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { InputType } = require('@contrast/common');
+const { patchType } = require('../common');
+
+module.exports = function init(core) {
+  const { assess, depHooks, logger, patcher, scopes } = core;
+
+  assess.dataflow.sources.cookieParser1Instrumentation = {
+    install() {
+      depHooks.resolve(
+        { name: 'cookie-parser', version: '>=1.0.0' },
+        /** @param {import('cookie-parser')} cookieParser */
+        (cookieParser) =>
+          patcher.patch(cookieParser, {
+            name: 'cookie-parser',
+            patchType,
+            post(data) {
+              const name = 'cookie-parser.cookieParser';
+              data.result = patcher.patch(data.result, {
+                name,
+                patchType,
+                pre(data) {
+                  const [req, , next] = data.args;
+                  data.args[2] = function contrastNext(...args) {
+                    const sourceContext = scopes.sources.getStore()?.assess;
+
+                    if (!sourceContext) {
+                      logger.error({ name }, 'unable to handle source. Missing `sourceContext`');
+                      return;
+                    }
+
+                    if (sourceContext.parsedCookies) {
+                      logger.trace({ name }, 'cookies already tracked');
+                    } else if (req.cookies) {
+                      try {
+                        assess.dataflow.sources.handle({
+                          context: 'req.cookies',
+                          name,
+                          inputType: InputType.COOKIE_VALUE,
+                          stacktraceOpts: {
+                            constructorOpt: contrastNext
+                          },
+                          data: req.cookies,
+                          sourceContext,
+                        });
+
+                        sourceContext.parsedCookies = !!Object.keys(req.cookies).length;
+                      } catch (err) {
+                        logger.error({ name, err }, 'unable to handle source');
+                      }
+                    }
+
+                    if (sourceContext.parsedSignedCookies) {
+                      logger.trace({ name }, 'signedCookies already tracked');
+                    } else if (req.signedCookies) {
+                      try {
+                        assess.dataflow.sources.handle({
+                          context: 'req.signedCookies',
+                          name,
+                          inputType: InputType.COOKIE_VALUE,
+                          stacktraceOpts: {
+                            constructorOpt: contrastNext
+                          },
+                          data: req.signedCookies,
+                          sourceContext,
+                        });
+
+                        sourceContext.parsedSignedCookies = !!Object.keys(req.signedCookies).length;
+                      } catch (err) {
+                        logger.error({ name, err }, 'unable to handle source');
+                      }
+                    }
+
+                    return next(...args);
+                  };
+                },
+              });
+            },
+          })
+      );
+    }
+  };
+
+  return assess.dataflow.sources.cookieParser1Instrumentation;
+};

package/lib/dataflow/sources/install/express/index.js

@@ -0,0 +1,28 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { callChildComponentMethodsSync } = require('@contrast/common');
+
+module.exports = function init(core) {
+  core.assess.dataflow.sources.expressInstrumentation = {
+    install() {
+      callChildComponentMethodsSync(this, 'install');
+    }
+  };
+
+  return core.assess.dataflow.sources.expressInstrumentation;
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.5.0",
+  "version": "1.7.0",
   "description": "",
   "main": "lib/index.js",
   "scripts": {
@@ -14,8 +14,8 @@
   },
   "dependencies": {
     "@contrast/distringuish": "^4.1.0",
-    "@contrast/scopes": "1.3.0",
-    "@contrast/common": "1.8.0",
+    "@contrast/scopes": "1.4.0",
+    "@contrast/common": "1.10.0",
     "parseurl": "^1.3.3"
   }
 }