@contrast/assess 1.6.0 → 1.7.0

package/lib/dataflow/sinks/install/mongodb.js

@@ -20,16 +20,18 @@ const {
   DataflowTag: {
     UNTRUSTED,
     ALPHANUM_SPACE_HYPHEN,
+    CUSTOM_VALIDATED,
     CUSTOM_VALIDATED_NOSQL_INJECTION,
     LIMITED_CHARS,
     STRING_TYPE_CHECKED,
   },
-  Rule,
+  Rule: { NOSQL_INJECTION_MONGO },
   isNonEmptyObject,
-  traverseValues
+  traverseValues,
+  isString
 } = require('@contrast/common');
 const utils = require('../../tag-utils');
-const { patchType } = require('../common');
+const { patchType, filterSafeTags } = require('../common');
 
 const collectionMethods = [
   'find',
@@ -46,9 +48,14 @@ const collectionMethods = [
   'deleteOne',
   'deleteMany',
 ];
+const dbMethods = [
+  'command',
+  'eval'
+];
 
 const querySafeTags = [
   ALPHANUM_SPACE_HYPHEN,
+  CUSTOM_VALIDATED,
   CUSTOM_VALIDATED_NOSQL_INJECTION,
   LIMITED_CHARS,
   STRING_TYPE_CHECKED,
@@ -56,6 +63,7 @@ const querySafeTags = [
 
 module.exports = function(core) {
   const {
+    config,
     depHooks,
     logger,
     patcher,
@@ -63,7 +71,7 @@ module.exports = function(core) {
     assess: {
       dataflow: {
         tracker,
-        sinks: { isVulnerable, reportFindings },
+        sinks: { isVulnerable, runInActiveSink, isLocked, reportFindings, reportSafePositive },
         eventFactory: { createSinkEvent }
       }
     }
@@ -74,18 +82,36 @@ module.exports = function(core) {
 
   instr.getVulnerabilityInfo = function getVulnerabilityInfo(query) {
     let vulnInfo = null;
+    let reportSafe = null;
+
+    if (isString(query)) {
+      const strInfo = tracker.getData(query);
+      if (strInfo) {
+        if (isVulnerable(UNTRUSTED, querySafeTags, strInfo.tags)) {
+          vulnInfo = { strInfo };
+        } else {
+          reportSafe = { strInfo };
+        }
+      }
 
-    if (!isNonEmptyObject(query)) return vulnInfo;
+      return { vulnInfo, reportSafe };
+    }
 
-    traverseValues(query, (path, type, value) => {
+    if (!isNonEmptyObject(query)) return { vulnInfo, reportSafe };
+
+    traverseValues(query, (path, _type, value) => {
       const strInfo = tracker.getData(value);
-      if (strInfo && isVulnerable(UNTRUSTED, querySafeTags, strInfo.tags)) {
-        vulnInfo = { path, strInfo };
-        return true; // halts traversal
+      if (strInfo) {
+        if (isVulnerable(UNTRUSTED, querySafeTags, strInfo.tags)) {
+          vulnInfo = { path, strInfo };
+          return true; // halts traversal
+        } else {
+          reportSafe = { path, strInfo };
+        }
       }
     });
 
-    return vulnInfo;
+    return { vulnInfo, reportSafe };
   };
 
   instr.install = function() {
@@ -99,12 +125,10 @@ module.exports = function(core) {
 
   function patchCollection(mongodb, version) {
     for (const method of collectionMethods) {
-
       const proto = mongodb.Collection.prototype;
       const name = `mongodb.Collection.prototype.${method}`;
 
       if (!proto[method]) {
-
         logger.trace({ name, version }, 'method not found - skipping instrumentation');
         continue;
       }
@@ -113,49 +137,61 @@ module.exports = function(core) {
         name,
         patchType,
         around(next, data) {
-          const { obj, args } = data;
+          const { obj, args: origArgs } = data;
           const sourceCtx = sources.getStore()?.assess;
 
-          if (instrumentation.isLocked() || !sourceCtx) {
+          if (isLocked(NOSQL_INJECTION_MONGO) || instrumentation.isLocked() || !sourceCtx) {
             return next();
           }
 
           const argIdx = 0;
           try {
-            const vulnInfo = instr.getVulnerabilityInfo(args[argIdx]);
-            if (vulnInfo) {
-              const { path, strInfo } = vulnInfo;
-              const objName = getObjectName(obj);
-              const args = data.args.map((arg, idx) => ({
-                value: inspect(arg),
-                tracked: idx === argIdx,
-              }));
-
-              const tags = getAdjustedQueryTags(path, strInfo, args[argIdx].value);
-              const resultVal = args[args.length - 1].value.startsWith('[Function') ? '' : 'Promise';
-              const sinkEvent = createSinkEvent({
-                args,
-                context: `${objName}.${method}(${args.map((a) => a.value)})`,
-                history: [strInfo],
-                object: {
-                  tracked: false,
-                  value: 'mongodb.Collection',
-                },
+            const { vulnInfo, reportSafe } = instr.getVulnerabilityInfo(origArgs[argIdx]);
+
+            if (!vulnInfo) {
+              reportSafe && config.assess.safe_positives.enable && reportSafePositive({
                 name,
-                result: {
-                  tracked: false,
-                  value: resultVal,
+                ruleId: NOSQL_INJECTION_MONGO,
+                safeTags: filterSafeTags(querySafeTags, reportSafe.strInfo),
+                strInfo: {
+                  value: inspect(origArgs[argIdx]),
+                  tags: getAdjustedQueryTags(reportSafe.path, reportSafe.strInfo, inspect(origArgs[argIdx])),
                 },
-                source: `P${argIdx}`,
-                stacktraceOpts: {
-                  constructorOpt: data.hooked,
-                },
-                tags,
               });
+              return method === 'findOne' ? runInActiveSink(NOSQL_INJECTION_MONGO, async () => await next()) : next();
+            }
 
-              if (sinkEvent) {
-                reportFindings({ ruleId: Rule.NOSQL_INJECTION_MONGO, sinkEvent });
-              }
+            const { path, strInfo } = vulnInfo;
+            const objName = getObjectName(obj);
+            const args = origArgs.map((arg, idx) => ({
+              value: inspect(arg),
+              tracked: idx === argIdx,
+            }));
+
+            const tags = getAdjustedQueryTags(path, strInfo, args[argIdx].value);
+            const resultVal = args[args.length - 1].value.startsWith('[Function') ? '' : 'Promise';
+            const sinkEvent = createSinkEvent({
+              args,
+              context: `${objName}.${method}(${args.map((a) => a.value)})`,
+              history: [strInfo],
+              object: {
+                tracked: false,
+                value: 'mongodb.Collection',
+              },
+              name,
+              result: {
+                tracked: false,
+                value: resultVal,
+              },
+              source: `P${argIdx}`,
+              stacktraceOpts: {
+                constructorOpt: data.hooked,
+              },
+              tags,
+            });
+
+            if (sinkEvent) {
+              reportFindings({ ruleId: NOSQL_INJECTION_MONGO, sinkEvent });
             }
           } catch (err) {
             core.logger.error({ name, err }, 'assess sink analysis failed');
@@ -163,11 +199,7 @@ module.exports = function(core) {
 
           if (method === 'findOne') {
             // `findOne` will call `find` so don't analyze in nested call
-            const store = { name, lock: true };
-            const ret = instrumentation.run(store, next);
-            // but unlock for when callback args run or returned Promises resolve/reject
-            store.lock = false;
-            return ret;
+            return runInActiveSink(NOSQL_INJECTION_MONGO, async () => await next());
           }
 
           return next();
@@ -176,16 +208,101 @@ module.exports = function(core) {
     }
   }
 
-
   function patchDatabase(mongodb, version) {
-    // todo
+    for (const method of dbMethods) {
+      const proto = mongodb.Db.prototype;
+      const name = `mongodb.Db.prototype.${method}`;
+
+      if (!proto[method]) {
+        logger.trace({ name, version }, 'method not found - skipping instrumentation');
+        continue;
+      }
+
+      patcher.patch(proto, method, {
+        name,
+        patchType,
+        around(next, data) {
+          const { obj, args: origArgs } = data;
+          const sourceCtx = sources.getStore()?.assess;
+
+          if (isLocked(NOSQL_INJECTION_MONGO) || instrumentation.isLocked() || !sourceCtx) {
+            return next();
+          }
+
+          const argIdx = 0;
+          try {
+            const { vulnInfo, reportSafe } = instr.getVulnerabilityInfo(origArgs[argIdx]);
+
+            if (!vulnInfo) {
+              const tags = reportSafe?.path ? getAdjustedQueryTags(reportSafe.path, reportSafe.strInfo, inspect(origArgs[argIdx])) : reportSafe?.strInfo?.tags;
+              reportSafe && config.assess.safe_positives.enable && reportSafePositive({
+                name,
+                ruleId: NOSQL_INJECTION_MONGO,
+                safeTags: filterSafeTags(querySafeTags, reportSafe.strInfo),
+                strInfo: {
+                  value: inspect(origArgs[argIdx]),
+                  tags
+                },
+              });
+              return method === 'eval' ? runInActiveSink(NOSQL_INJECTION_MONGO, async () => await next()) : next();
+            }
+
+            const { path, strInfo } = vulnInfo;
+            const objName = getObjectName(obj, 'Db');
+            const args = origArgs.map((arg, idx) => ({
+              value: isString(arg) ? arg : inspect(arg),
+              tracked: idx === argIdx,
+            }));
+
+            const tags = path ? getAdjustedQueryTags(path, strInfo, args[argIdx].value) : strInfo?.tags;
+            const resultVal = args[args.length - 1].value.startsWith('[Function') ? '' : 'Promise';
+            const sinkEvent = createSinkEvent({
+              args,
+              context: `${objName}.${method}(${args.map((a) => a.value)})`,
+              history: [strInfo],
+              object: {
+                tracked: false,
+                value: 'mongodb.Db',
+              },
+              name,
+              result: {
+                tracked: false,
+                value: resultVal,
+              },
+              source: `P${argIdx}`,
+              stacktraceOpts: {
+                constructorOpt: data.hooked,
+              },
+              tags,
+            });
+
+            if (sinkEvent) {
+              reportFindings({ ruleId: NOSQL_INJECTION_MONGO, sinkEvent });
+            }
+          } catch (err) {
+            core.logger.error({ name, err }, 'assess sink analysis failed');
+          }
+
+          if (method === 'eval') {
+            // `eval` will call `command` so don't analyze in nested call
+            return runInActiveSink(NOSQL_INJECTION_MONGO, async () => await next());
+          }
+
+          return next();
+        },
+      });
+    }
   }
 
-  function getObjectName(obj) {
+  function getObjectName(obj, entity) {
     let name = '';
     name += obj.s?.namespace?.db || 'db';
-    name += '.';
-    name += obj.s?.namespace?.collection || 'collection';
+
+    if (entity !== 'Db') {
+      name += '.';
+      name += obj.s?.namespace?.collection || 'collection';
+    }
+
     return name;
   }
 

package/lib/dataflow/sinks/install/mssql.js

@@ -17,7 +17,7 @@
 
 const {
   DataflowTag: { UNTRUSTED, SQL_ENCODED, LIMITED_CHARS, CUSTOM_VALIDATED, CUSTOM_ENCODED },
-  Rule,
+  Rule: { SQL_INJECTION },
   isString
 } = require('@contrast/common');
 const { createModuleLabel } = require('../../propagation/common');
@@ -38,7 +38,7 @@ module.exports = function (core) {
     assess: {
       dataflow: {
         tracker,
-        sinks: { isVulnerable, reportFindings },
+        sinks: { isVulnerable, isLocked, reportFindings },
         eventFactory: { createSinkEvent },
       },
     },
@@ -46,7 +46,12 @@ module.exports = function (core) {
 
   const pre = (name, obj, version) => (data) => {
     const store = sources.getStore()?.assess;
-    if (!store || !data.args[0] || !isString(data.args[0])) return;
+    if (
+      !store ||
+      !data.args[0] ||
+      !isString(data.args[0]) ||
+      isLocked(SQL_INJECTION)
+    ) return;
 
     const strInfo = tracker.getData(data.args[0]);
     if (!strInfo || !isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) {
@@ -75,7 +80,7 @@ module.exports = function (core) {
 
     if (event) {
       reportFindings({
-        ruleId: Rule.SQL_INJECTION,
+        ruleId: SQL_INJECTION,
         sinkEvent: event,
       });
     }

package/lib/dataflow/sinks/install/mysql.js

@@ -16,7 +16,19 @@
 'use strict';
 
 const { patchType } = require('../common');
-const { Rule, isString, DataflowTag: { CUSTOM_ENCODED_SQL_INJECTION, CUSTOM_ENCODED, CUSTOM_VALIDATED_SQL_INJECTION, CUSTOM_VALIDATED, SQL_ENCODED, LIMITED_CHARS, UNTRUSTED } } = require('@contrast/common');
+const {
+  Rule: { SQL_INJECTION },
+  isString,
+  DataflowTag: {
+    CUSTOM_ENCODED_SQL_INJECTION,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED_SQL_INJECTION,
+    CUSTOM_VALIDATED,
+    SQL_ENCODED,
+    LIMITED_CHARS,
+    UNTRUSTED
+  },
+} = require('@contrast/common');
 
 const safeTags = [
   CUSTOM_ENCODED_SQL_INJECTION,
@@ -35,7 +47,7 @@ module.exports = function (core) {
     assess: {
       dataflow: {
         tracker,
-        sinks: { isVulnerable, reportFindings },
+        sinks: { isVulnerable, isLocked, reportFindings },
         eventFactory: { createSinkEvent },
       },
     },
@@ -53,7 +65,11 @@ module.exports = function (core) {
 
   const pre = (module, file, obj) => (data) => {
     const store = sources.getStore()?.assess;
-    if (!store || !data.args[0]) return;
+    if (
+      !store ||
+      !data.args[0] ||
+      isLocked(SQL_INJECTION)
+    ) return;
 
     const val = getValueFromArgs(data.args);
     if (!val) return;
@@ -85,7 +101,7 @@ module.exports = function (core) {
 
     if (event) {
       reportFindings({
-        ruleId: Rule.SQL_INJECTION,
+        ruleId: SQL_INJECTION,
         sinkEvent: event,
       });
     }

package/lib/dataflow/sinks/install/postgres.js

@@ -18,20 +18,21 @@
 const util = require('util');
 const {
   DataflowTag: { UNTRUSTED, SQL_ENCODED, LIMITED_CHARS, CUSTOM_VALIDATED, CUSTOM_ENCODED },
-  Rule,
+  Rule: { SQL_INJECTION: ruleId },
   isString
 } = require('@contrast/common');
-const { patchType } = require('../common');
+const { filterSafeTags, patchType } = require('../common');
 
 module.exports = function (core) {
   const {
+    config,
     depHooks,
     patcher,
     scopes: { sources },
     assess: {
       dataflow: {
         tracker,
-        sinks: { isVulnerable, reportFindings },
+        sinks: { isVulnerable, isLocked, reportFindings, reportSafePositive },
         eventFactory: { createSinkEvent },
       },
     },
@@ -48,15 +49,17 @@ module.exports = function (core) {
 
   const postgres = core.assess.dataflow.sinks.postgres = {};
 
-  const preHook = (methodSignature, version, mod, obj) => (data) => {
+  const preHook = (methodSignature) => (data) => {
     const assessStore = sources.getStore()?.assess;
-    if (!assessStore) return;
+    if (!assessStore || isLocked(ruleId)) return;
 
     const [arg0] = data.args;
     const query = arg0?.text || arg0;
     if (!query || !isString(query)) return;
 
     const strInfo = tracker.getData(query);
+    // todo: if the query isn't tracked but users are sending tracked strings in the values
+    // array (args[1]), then shouldn't we report a "safe-positive" event of some kind?
     if (!strInfo) return;
 
     const objValue = methodSignature.includes('native') ? 'pg.native.Client' : 'pg.Client';
@@ -88,10 +91,20 @@ module.exports = function (core) {
 
       if (event) {
         reportFindings({
-          ruleId: Rule.SQL_INJECTION,
+          ruleId,
           sinkEvent: event,
         });
       }
+    } else if (config.assess.safe_positives.enable) {
+      reportSafePositive({
+        name: methodSignature,
+        ruleId,
+        safeTags: filterSafeTags(safeTags, strInfo),
+        strInfo: {
+          value: strInfo.value,
+          tags: strInfo.tags,
+        }
+      });
     }
   };
 
@@ -99,11 +112,11 @@ module.exports = function (core) {
     const pgClientQueryPatchName = 'pg.Client.prototype.query';
     depHooks.resolve(
       { name: 'pg', file: 'lib/client.js' },
-      (client, version) => {
+      (client) => {
         patcher.patch(client.prototype, 'query', {
           name: pgClientQueryPatchName,
           patchType,
-          pre: preHook('pg/lib/client.prototype.query', version, 'pg', 'Client'),
+          pre: preHook('pg/lib/client.prototype.query'),
         });
       },
     );
@@ -111,16 +124,16 @@ module.exports = function (core) {
     const pgNativeClientQueryPatchName = 'pg.native.Client.prototype.query';
     depHooks.resolve(
       { name: 'pg', file: 'lib/native/client.js' },
-      (client, version) => {
+      (client) => {
         patcher.patch(client.prototype, 'query', {
           name: pgNativeClientQueryPatchName,
           patchType,
-          pre: preHook('pg/lib/native/client.prototype.query', version, 'pg', 'native.Client'),
+          pre: preHook('pg/lib/native/client.prototype.query'),
         });
       },
     );
 
-    depHooks.resolve({ name: 'pg-pool' }, (pool, version) => {
+    depHooks.resolve({ name: 'pg-pool' }, (pool) => {
       const name = 'pg-pool.Pool.prototype.query';
       patcher.patch(pool.prototype, 'query', {
         name,
@@ -137,7 +150,7 @@ module.exports = function (core) {
             return;
           }
 
-          preHook(name, version, 'pg-pool', 'Pool')(data);
+          preHook(name)(data);
         },
       });
     });

package/lib/dataflow/sinks/install/sequelize.js

@@ -0,0 +1,142 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const util = require('util');
+const {
+  Rule: { SQL_INJECTION },
+  DataflowTag: {
+    UNTRUSTED,
+    SQL_ENCODED,
+    LIMITED_CHARS,
+    CUSTOM_VALIDATED,
+    CUSTOM_ENCODED,
+  },
+} = require('@contrast/common');
+const { patchType, filterSafeTags } = require('../common');
+
+module.exports = function (core) {
+  const {
+    depHooks,
+    patcher,
+    config,
+    scopes: { sources },
+    assess: {
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, runInActiveSink, reportFindings, reportSafePositive },
+        eventFactory: { createSinkEvent },
+      },
+    },
+  } = core;
+
+  const safeTags = [
+    SQL_ENCODED,
+    LIMITED_CHARS,
+    CUSTOM_VALIDATED,
+    CUSTOM_ENCODED
+  ];
+  const requiredTag = UNTRUSTED;
+  const inspect = patcher.unwrap(util.inspect);
+
+  const sequelize = (core.assess.dataflow.sinks.sequelize = {});
+
+  sequelize.install = function () {
+    const sequelizeQueryPatchName = 'sequelize.prototype.query';
+    depHooks.resolve({ name: 'sequelize' }, (sequelize) => {
+      patcher.patch(sequelize.prototype, 'query', {
+        name: sequelizeQueryPatchName,
+        patchType,
+        around(next, data) {
+          const { args, hooked, orig } = data;
+          const sourceContext = sources.getStore()?.assess;
+          if (!sourceContext || !args[0]) return next();
+
+          const query = typeof args[0] === 'string' ? args[0] : args[0].query;
+
+          try {
+            const queryInfo = tracker.getData(query);
+            const isVulnerableQuery = isVulnerable(requiredTag, safeTags, queryInfo.tags);
+
+            if (queryInfo && !isVulnerableQuery && config.assess.safe_positives.enable) {
+              reportSafePositive({
+                name: sequelizeQueryPatchName,
+                ruleId: SQL_INJECTION,
+                safeTags: filterSafeTags(safeTags, queryInfo),
+                strInfo: {
+                  value: queryInfo?.value,
+                  tags: queryInfo.tags,
+                },
+              });
+            }
+
+            if (
+              !queryInfo ||
+              !isVulnerableQuery
+            ) {
+              return runInActiveSink(SQL_INJECTION, async () => await next());
+            }
+
+            const sqlValue =
+              typeof args[0] === 'string' ? args[0] : inspect(args[0]);
+            const inspectedOptions = args[1] ? inspect(args[1]) : '';
+            const contextArgs = args[1]
+              ? `${sqlValue}, ${inspectedOptions}`
+              : sqlValue;
+
+            const reportedArgs = [{ value: sqlValue, tracked: true }];
+            args[1] &&
+              reportedArgs.push({ value: inspectedOptions, tracked: false });
+
+            const event = createSinkEvent({
+              context: `sequelize.prototype.query(${contextArgs})`,
+              name: sequelizeQueryPatchName,
+              history: [queryInfo],
+              object: {
+                value: 'sequelize.prototype',
+                tracked: false,
+              },
+              args: reportedArgs,
+              tags: queryInfo?.tags,
+              source: 'P0',
+              stacktraceOpts: {
+                contructorOpt: hooked,
+                prependFrames: [orig],
+              },
+            });
+
+            if (event) {
+              reportFindings({
+                ruleId: SQL_INJECTION,
+                sinkEvent: event,
+              });
+            }
+            /* c8 ignore next 3 */
+          } catch (err) {
+            core.logger.error(
+              { name: sequelizeQueryPatchName, err },
+              'assess sink analysis failed'
+            );
+          }
+
+          return runInActiveSink(SQL_INJECTION, async () => await next());
+        },
+      });
+    });
+  };
+
+  return sequelize;
+};