npm - @contrast/assess - Versions diffs - 1.53.0 → 1.54.1 - Mend

@contrast/assess 1.53.0 → 1.54.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (83) hide show

package/lib/dataflow/propagation/install/url/domain-parsers.js CHANGED Viewed

@@ -16,7 +16,7 @@
 'use strict';
 const { createFullLengthCopyTags } = require('../../../tag-utils');
-const { patchType, createModuleLabel } = require('../../common');
+const { patchType } = require('../../common');
 module.exports = function(core) {
   const {
@@ -40,7 +40,7 @@ module.exports = function(core) {
             patchType,
             usePerf: 'sync',
             post(data) {
-              const { args, result, hooked, orig } = data;
+              const { args, result, hooked } = data;
               if (!result || !args[0] || !getPropagatorContext()) return;
               const argInfo = tracker.getData(args[0]);
@@ -54,9 +54,11 @@ module.exports = function(core) {
                 name,
                 moduleName: 'url',
                 methodName: method,
-                context: `url.${method}('${argInfo.value}')`,
+                get context() {
+                  return `url.${method}('${argInfo.value}')`;
+                },
                 object: {
-                  value: createModuleLabel('url', version),
+                  value: 'url',
                   tracked: false
                 },
                 result: {
@@ -70,7 +72,6 @@ module.exports = function(core) {
                 target: 'R',
                 stacktraceOpts: {
                   constructorOpt: hooked,
-                  prependFrames: [orig]
                 },
               });

package/lib/dataflow/propagation/install/url/parse.js CHANGED Viewed

@@ -16,6 +16,7 @@
 'use strict';
 const { patchType } = require('../../common');
+const { createSubsetTags } = require('../../../tag-utils');
 module.exports = function(core) {
   const {
@@ -51,12 +52,14 @@ module.exports = function(core) {
     ]
   ];
-  function getPropagationEvent(argInfo, partInfo, { name, result, hooked, orig }, parseQueryString = false) {
+  function getPropagationEvent(argInfo, { value, tags }, { name, result, hooked, orig }, parseQueryString = false) {
     return createPropagationEvent({
       name,
       moduleName: 'url',
       methodName: 'parse',
-      context: `url.parse('${argInfo.value += parseQueryString ? "', true" : ''})`,
+      get context() {
+        return `url.parse('${argInfo.value += parseQueryString ? "', true" : ''})`;
+      },
       object: {
         value: 'url',
         tracked: false
@@ -65,14 +68,13 @@ module.exports = function(core) {
         value: inspect(result),
         tracked: true
       },
-      args: [{ value: partInfo.value, tracked: true }],
-      tags: partInfo.tags,
-      history: [{ ...partInfo }],
+      args: [{ value, tracked: true }],
+      tags,
+      history: [{ ...argInfo }],
       source: 'P',
       target: 'R',
       stacktraceOpts: {
         constructorOpt: hooked,
-        prependFrames: [orig]
       },
     });
   }
@@ -80,7 +82,6 @@ module.exports = function(core) {
   return core.assess.dataflow.propagation.urlInstrumentation.parse = {
     install() {
       depHooks.resolve({ name: 'url', version: '*' }, (url) => {
         const name = 'url.parse';
         patcher.patch(url, 'parse', {
@@ -98,7 +99,7 @@ module.exports = function(core) {
             const metadata = { name, result, hooked, orig };
             const traverse = function(href, url, keys, idx = 0) {
-              let substr = href;
+              const substr = href;
               keys.forEach((key) => {
                 if (typeof key === 'string') {
                   const part = result[key];
@@ -117,20 +118,19 @@ module.exports = function(core) {
                       });
                       return;
                     } else {
-                      const index = href.indexOf(part, idx - 1);
-                      substr = href.substring(index, index + part.length);
+                      const index = url.href.indexOf(part, idx - 1);
+                      const substrTags = createSubsetTags(argInfo.tags, index, part.length);
+                      if (!substrTags) return;
                       idx += part.length;
-                    }
-                    const partInfo = tracker.getData(substr);
-                    if (!partInfo) return;
+                      const event = getPropagationEvent(argInfo, { value: part, tags: substrTags }, metadata);
-                    const event = getPropagationEvent(argInfo, partInfo, metadata);
+                      if (!event) return;
-                    if (!event) return;
+                      const { extern } = tracker.track(part, event);
-                    Object.assign(partInfo, event);
-                    result[key] = substr;
+                      if (extern) result[key] = extern;
+                    }
                   }
                 } else {
                   traverse(substr, url, key, 0);

package/lib/dataflow/propagation/install/url/searchParams.js CHANGED Viewed

@@ -15,8 +15,8 @@
 'use strict';
-const { isString, primordials: { StringPrototypeConcat, StringPrototypeReplaceAll } } = require('@contrast/common');
-const { createAppendTags } = require('../../../tag-utils');
+const { isString, primordials: { StringPrototypeConcat, StringPrototypeReplaceAll, StringPrototypeSplit, StringPrototypeSubstring } } = require('@contrast/common');
+const { createAppendTags, createSubsetTags } = require('../../../tag-utils');
 const { patchType } = require('../../common');
 module.exports = function(core) {
@@ -31,12 +31,14 @@ module.exports = function(core) {
     }
   } = core;
-  function getPropagationEvent(params, paramInfo, data) {
+  function getPropagationEvent(params, tags, data, history) {
     return createPropagationEvent({
       name: 'url.URLSearchParams',
       moduleName: 'url',
       methodName: 'URLSearchParams',
-      context: `url.URLSearchParams('${inspect(params)}')`,
+      get context() {
+        return `url.URLSearchParams('${inspect(params)}')`;
+      },
       object: {
         value: 'url',
         tracked: false
@@ -46,13 +48,12 @@ module.exports = function(core) {
         tracked: true
       },
       args: [{ value: inspect(params), tracked: false }],
-      tags: paramInfo.tags,
-      history: [paramInfo],
+      tags,
+      history,
       source: 'P',
       target: 'R',
       stacktraceOpts: {
         constructorOpt: data.hooked,
-        prependFrames: [data.orig]
       },
     });
   }
@@ -73,28 +74,39 @@ module.exports = function(core) {
             const [params] = args;
             if (isString(params)) {
-              params.split('&').forEach((query) => {
+              const paramsInfo = tracker.getData(params);
+              if (!paramsInfo) return;
+              let idx = 0;
+              StringPrototypeSplit.call(params, '&').forEach((query) => {
                 const endIdx = query.indexOf('=');
                 // we don't want to create a propagation event by splitting off
                 // the '?'. so if there start at index 1 else 0.
-                const key = query.substring(query[0] === '?' ? 1 : 0, endIdx);
-                const param = query.substring(endIdx + 1, query.length);
-                const keyInfo = tracker.getData(key);
-                const paramInfo = tracker.getData(param);
-                if (keyInfo) {
-                  const event = getPropagationEvent(params, keyInfo, data);
-                  if (event) Object.assign(keyInfo, event);
+                const keyIdx = query[0] === '?' ? 1 : 0;
+                const key = StringPrototypeSubstring.call(query, keyIdx, endIdx);
+                const param = StringPrototypeSubstring.call(query, endIdx + 1, query.length);
+                idx += params.indexOf(query, idx);
+                const keyTags = createSubsetTags(paramsInfo.tags, idx + keyIdx, key.length);
+                const paramTags = createSubsetTags(paramsInfo.tags, key.length + idx + keyIdx + 1, param.length);
+                if (keyTags) {
+                  const event = getPropagationEvent(params, keyTags, data, [paramsInfo]);
+                  if (event) {
+                    const { extern } = tracker.track(key, event);
+                    if (extern) {
+                      result.delete(key);
+                      result.set(extern, param);
+                    }
+                  }
                 }
-                if (paramInfo) {
-                  const event = getPropagationEvent(params, paramInfo, data);
-                  if (event) Object.assign(paramInfo, event);
+                if (paramTags) {
+                  const event = getPropagationEvent(params, paramTags, data, [paramsInfo]);
+                  if (event) {
+                    const { extern } = tracker.track(param, event);
+                    if (extern) result.set(key, extern);
+                  }
                 }
-                if (keyInfo) result.delete(key);
-                result.set(key, param);
               });
             }
@@ -103,7 +115,7 @@ module.exports = function(core) {
                 const paramInfo = tracker.getData(params[key]);
                 if (!paramInfo) return;
-                const event = getPropagationEvent(params, paramInfo, data);
+                const event = getPropagationEvent(params, paramInfo.tags, data, [paramInfo]);
                 if (!event) return;
                 Object.assign(paramInfo, event);
@@ -167,7 +179,6 @@ module.exports = function(core) {
                 if (Object.keys(finalTags).length) {
                   const event = createPropagationEvent({
-                    args: [],
                     context: `${inspect(params)}.toString()`,
                     moduleName: 'url',
                     methodName: 'URLSearchParams.toString',

package/lib/dataflow/propagation/install/url/url.js CHANGED Viewed

@@ -62,7 +62,9 @@ module.exports = function(core) {
       name: 'url.URL',
       moduleName: 'url',
       methodName: 'URL',
-      context: `url.URL('${strInfo.value}')`,
+      get context() {
+        return `url.URL('${strInfo.value}')`;
+      },
       object: {
         value: 'url',
         tracked: false
@@ -78,7 +80,6 @@ module.exports = function(core) {
       target: 'R',
       stacktraceOpts: {
         constructorOpt: data.hooked,
-        prependFrames: [data.orig]
       },
     });
   }

package/lib/dataflow/propagation/install/util-format.js CHANGED Viewed

@@ -40,7 +40,7 @@ module.exports = function(core) {
           patchType,
           usePerf: 'sync',
           post(data) {
-            const { args, result, hooked, orig } = data;
+            const { args, result, hooked } = data;
             if (!result || !args[0] || !isString(args[0]) || !getPropagatorContext()) return;
             let idx = 0;
@@ -114,7 +114,9 @@ module.exports = function(core) {
               name,
               moduleName: 'util',
               methodName: 'format',
-              context: `util.format(${eventArgs.map((arg) => `'${arg.value}'`)})`,
+              get context() {
+                return `util.format(${eventArgs.map((arg) => `'${arg.value}'`)})`;
+              },
               object: {
                 value: 'util',
                 tracked: false
@@ -130,7 +132,6 @@ module.exports = function(core) {
               target: 'R',
               stacktraceOpts: {
                 constructorOpt: hooked,
-                prependFrames: [orig]
               },
             });

package/lib/dataflow/propagation/install/validator/hooks.js CHANGED Viewed

@@ -53,7 +53,6 @@ module.exports = function (core) {
       },
       stacktraceData: {
         constructorOpt: data.hooked,
-        prependFrames: [data.orig]
       },
       source: 'P1',
       target

package/lib/dataflow/sinks/install/eval.js CHANGED Viewed

@@ -104,7 +104,9 @@ module.exports = function (core) {
           if (isArgVulnerable) {
             const event = createSinkEvent({
               name: 'eval',
-              context: `eval('${strInfo.value}')`,
+              get context() {
+                return `eval('${strInfo.value}')`;
+              },
               history: [strInfo],
               object: {
                 value: 'global',

package/lib/dataflow/sinks/install/function.js CHANGED Viewed

@@ -113,10 +113,9 @@ module.exports = function (core) {
             });
             const event = createSinkEvent({
               name,
-              context: `${name}(${ArrayPrototypeJoin.call(
-                args.map((a) => a.inspectedValue),
-                ', '
-              )})`,
+              get context() {
+                return `${name}(${ArrayPrototypeJoin.call(args.map((a) => a.inspectedValue), ', ')})`;
+              },
               history: [strInfo],
               object: {
                 value: 'global.ContrastMethods',

package/lib/dataflow/sinks/install/marsdb.js CHANGED Viewed

@@ -105,7 +105,9 @@ module.exports = function (core) {
         const sinkEvent = createSinkEvent({
           args,
-          context: `marsdb.Collection.${method}(${args.map((a) => a.value)})`,
+          get context() {
+            return `marsdb.Collection.${method}(${args.map((a) => a.value)})`;
+          },
           moduleName: 'marsdb',
           methodName: `Collection.prototype.${method}`,
           history: [strInfo],

package/lib/dataflow/sinks/install/mongodb.js CHANGED Viewed

@@ -337,7 +337,9 @@ module.exports = function (core) {
         const resultVal = args[args.length - 1].value.startsWith('[Function') ? '' : 'Promise';
         const sinkEvent = createSinkEvent({
           args,
-          context: `${objName}.${method}(${args.map((a, idx) => isString(origArgs[idx]) ? `'${a.value}'` : a.value)})`,
+          get context() {
+            return `${objName}.${method}(${args.map((a, idx) => isString(origArgs[idx]) ? `'${a.value}'` : a.value)})`;
+          },
           history: [vulnInfo.strInfo],
           object: {
             tracked: false,

package/lib/dataflow/sinks/install/mssql.js CHANGED Viewed

@@ -26,7 +26,6 @@ const {
   Rule: { SQL_INJECTION: ruleId },
   isString,
 } = require('@contrast/common');
-const { createModuleLabel } = require('../../propagation/common');
 const { patchType, filterSafeTags } = require('../common');
 const safeTags = [
@@ -75,10 +74,12 @@ module.exports = function (core) {
         name,
         moduleName: 'mssql',
         methodName: `${obj}.prototype.${method}`,
-        context: `mssql.${obj}.${method}('${strInfo.value}')`,
+        get context() {
+          return `mssql.${obj}.${method}('${strInfo.value}')`;
+        },
         history: [strInfo],
         object: {
-          value: `[${createModuleLabel('mssql', version)}].${obj}`,
+          value: `mssql.${obj}`,
           tracked: false,
         },
         args: [

package/lib/dataflow/sinks/install/mysql.js CHANGED Viewed

@@ -91,7 +91,9 @@ module.exports = function(core) {
       name: `${module}/${file}`,
       moduleName: module,
       methodName: `prototype.${method}`,
-      context: `${module}.${method}(${inspect(data.args[0])})`,
+      get context() {
+        return `${module}.${method}(${inspect(data.args[0])})`;
+      },
       history: [strInfo],
       object: {
         value: `${module}.${obj}`,

package/lib/dataflow/sinks/install/restify.js CHANGED Viewed

@@ -186,7 +186,9 @@ module.exports = function(core) {
                   const { tags, args } = getAdjustedValues(data.args, vulns, vulnArgIdx);
                   const sinkEvent = createSinkEvent({
                     args,
-                    context: `res.redirect(${ArrayPrototypeJoin.call(args.map((a) => a.value))})`,
+                    get context() {
+                      return `res.redirect(${ArrayPrototypeJoin.call(args.map((a) => a.value))})`;
+                    },
                     history,
                     tags,
                     source: 'P0',

package/lib/dataflow/sinks/install/sqlite3.js CHANGED Viewed

@@ -74,10 +74,12 @@ module.exports = function(core) {
       name,
       moduleName: 'sqlite3',
       methodName: `Database.prototype.${method}`,
-      context: `db.${method}('${strInfo.value}')`,
+      get context() {
+        return `db.${method}('${strInfo.value}')`;
+      },
       history: [strInfo],
       object: {
-        value: '[Module<sqlite3>].Database',
+        value: 'sqlite3.Database',
         tracked: false,
       },
       args: [

package/lib/dataflow/sinks/install/vm.js CHANGED Viewed

@@ -205,10 +205,12 @@ module.exports = function (core) {
     if (vulnerableArg) {
       const event = createSinkEvent({
         name,
-        context: `${name}(${ArrayPrototypeJoin.call(
-          argsInfo.map((a) => a.ctxValue),
-          ', '
-        )})`,
+        get context() {
+          return `${name}(${ArrayPrototypeJoin.call(
+            argsInfo.map((a) => a.ctxValue),
+            ', '
+          )})`;
+        },
         history: [vulnerableArg.strInfo],
         object: {
           value: methodPath.includes('prototype')

package/lib/dataflow/sources/handler.js CHANGED Viewed

@@ -19,6 +19,7 @@ const {
   InputType,
   DataflowTag,
   isString,
+  empties,
   primordials: {
     ArrayPrototypeJoin,
     StringPrototypeToLowerCase
@@ -43,8 +44,6 @@ module.exports = Core.makeComponent({
     const logger = core.logger.child({ name: 'contrast:sources' });
-    const emptyStack = Object.freeze([]);
     sources.createTags = function createTags({ inputType, fieldName = '', value, tagNames }) {
       if (!value?.length) {
         return null;
@@ -70,7 +69,7 @@ module.exports = Core.makeComponent({
     sources.createStacktrace = function(stacktraceOpts) {
       return config.assess.stacktraces === 'NONE' || config.assess.stacktraces === 'SINK'
-        ? emptyStack
+        ? empties.ARRAY
         : createSnapshot(stacktraceOpts)();
     };

package/lib/dataflow/sources/install/fastify/fastify.js CHANGED Viewed

@@ -36,14 +36,14 @@ module.exports = function (core) {
         patchType,
         post({ result: server, funcKey }) {
           server.addHook('preValidation', function preValidationHandler(request, reply, done) {
+            const sourceContext = getSourceContext();
+            if (!sourceContext) return done();
             const bodyType = request?.headers?.['content-type']?.includes('/json')
               ? InputType.JSON_VALUE
               : typeof request.body == 'object'
                 ? InputType.PARAMETER_VALUE
                 : InputType.BODY;
-            const sourceContext = getSourceContext();
-            if (!sourceContext) return;
             [
               { key: 'query', inputType: InputType.QUERYSTRING, alreadyTrackedFlag: 'parsedQuery' },
@@ -71,7 +71,7 @@ module.exports = function (core) {
               }
             });
-            done();
+            return done();
           });
         },
       }));

package/lib/dataflow/tag-utils.js CHANGED Viewed

@@ -14,7 +14,7 @@
  */
 'use strict';
-const { empties, primordials: { StringPrototypeSplit } } = require('@contrast/common');
+const { empties, primordials: { StringPrototypeSplit, StringPrototypeSubstr } } = require('@contrast/common');
 //
 // This module implements tag range manipulation functions. There are generally
@@ -536,6 +536,19 @@ function getAdjustedUntrackedValue(origValue) {
   return origValue?.constructor?.name ?? (origValue === null ? 'null' : typeof origValue);
 }
+/**
+ * Truncation spec: https://github.com/Contrast-Security-Inc/assess-specifications/blob/master/vulnerability/truncate-event-snapshots.md
+ * While the spec calls to truncate the middle of strings, we're going to just chop off the end.
+ * This way we don't have to recalculate all of the tag ranges to adjust for truncating.
+ * @param {string} str input string to be truncated
+ * @param {number} len
+ * @returns {string}
+ */
+function truncateStringValue(str, len = 103) {
+  if (str.length <= len) return str;
+  return `${StringPrototypeSubstr.call(str, 0, len)}...`;
+}
 module.exports = {
   createSubsetTags,
   createAppendTags,
@@ -546,4 +559,5 @@ module.exports = {
   createOverlappingTags,
   createEscapeTagRanges,
   getAdjustedUntrackedValue,
+  truncateStringValue,
 };

package/lib/dataflow/tracker.js CHANGED Viewed

@@ -37,10 +37,6 @@ module.exports = function tracker(core) {
     return objMap.get(value) || null;
   }
-  function isTracked(value) {
-    return distringuish.isExternal(value);
-  }
   function track(value, metadata) {
     let ret = Object.create(null);
@@ -152,6 +148,5 @@ module.exports = function tracker(core) {
     untrack,
     getData,
     getInfo: getData,
-    isTracked,
   };
 };

package/lib/event-factory.js CHANGED Viewed

@@ -45,7 +45,7 @@ module.exports = Core.makeComponent({
     eventFactory.createdEvents = new WeakSet();
-    eventFactory.createSourceEvent = function(data = {}) {
+    eventFactory.createSourceEvent = function(data) {
       if (!data.result?.value) {
         logger.debug(SOURCE_EVENT_MSG, `invalid result: ${data.name}`);
         return null;

package/lib/session-configuration/install/express-session.js CHANGED Viewed

@@ -69,7 +69,6 @@ module.exports = function (core) {
               value: optionsString,
             }],
             context: `expressSession(${optionsString})`,
-            history: [],
             name: 'express.hookedSessionConstructor',
             moduleName: 'express-session',
             methodName: '',

package/lib/session-configuration/install/fastify-cookie.js CHANGED Viewed

@@ -59,7 +59,6 @@ module.exports = function (core) {
                 value: displayArg
               }],
               context: `fastifyCookie(${displayArg})`,
-              history: [],
               name: 'fastifyCookie',
               moduleName: '@fastify/cookie',
               methodName: '',
@@ -71,8 +70,6 @@ module.exports = function (core) {
                 tracked: false,
               },
               source: 'P0',
-              stack: [],
-              tags: {},
               framework: '@fastify/cookie',
             });

package/lib/session-configuration/install/hapi.js CHANGED Viewed

@@ -56,7 +56,6 @@ module.exports = function (core) {
                     value: inspect(options),
                   }],
                   context: `state(${inspect(data.args)})`,
-                  history: [],
                   name: `hapi.${server}.state`,
                   moduleName: 'hapi',
                   methodName: '',

package/lib/session-configuration/install/koa.js CHANGED Viewed

@@ -72,7 +72,6 @@ module.exports = function (core) {
                         value: displayArg
                       }],
                       context: `ctx.cookies.set(${displayArg})`,
-                      history: [],
                       name: 'koaCookie',
                       moduleName: 'koa',
                       methodName: '',
@@ -84,8 +83,6 @@ module.exports = function (core) {
                         tracked: false,
                       },
                       source: 'P',
-                      stack: [],
-                      tags: {},
                       framework: 'koa',
                     });
                     if (!httpOnly) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.53.0",
+  "version": "1.54.1",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -21,16 +21,16 @@
   },
   "dependencies": {
     "@contrast/common": "1.32.0",
-    "@contrast/config": "1.45.0",
-    "@contrast/core": "1.50.0",
-    "@contrast/dep-hooks": "1.19.0",
+    "@contrast/config": "1.46.0",
+    "@contrast/core": "1.51.0",
+    "@contrast/dep-hooks": "1.20.0",
     "@contrast/distringuish": "^5.1.0",
-    "@contrast/instrumentation": "1.29.0",
-    "@contrast/logger": "1.23.0",
-    "@contrast/patcher": "1.22.0",
-    "@contrast/rewriter": "1.26.0",
-    "@contrast/route-coverage": "1.41.0",
-    "@contrast/scopes": "1.20.0",
+    "@contrast/instrumentation": "1.30.0",
+    "@contrast/logger": "1.24.0",
+    "@contrast/patcher": "1.23.0",
+    "@contrast/rewriter": "1.27.0",
+    "@contrast/route-coverage": "1.42.0",
+    "@contrast/scopes": "1.21.0",
     "semver": "^7.6.0"
   }
 }