@contrast/assess 1.6.0 → 1.7.0

package/lib/dataflow/sinks/install/sqlite3.js

@@ -18,7 +18,7 @@
 const { patchType } = require('../common');
 const {
   DataflowTag: { UNTRUSTED, SQL_ENCODED, LIMITED_CHARS, CUSTOM_VALIDATED, CUSTOM_ENCODED },
-  Rule,
+  Rule: { SQL_INJECTION },
   isString
 } = require('@contrast/common');
 
@@ -37,7 +37,7 @@ module.exports = function (core) {
     assess: {
       dataflow: {
         tracker,
-        sinks: { isVulnerable, reportFindings },
+        sinks: { isVulnerable, isLocked, reportFindings },
         eventFactory: { createSinkEvent },
       },
     },
@@ -45,7 +45,12 @@ module.exports = function (core) {
 
   const pre = (name) => (data) => {
     const store = sources.getStore()?.assess;
-    if (!store || !data.args[0] || !isString(data.args[0])) return;
+    if (
+      !store ||
+      !data.args[0] ||
+      !isString(data.args[0]) ||
+      isLocked(SQL_INJECTION)
+    ) return;
 
     const strInfo = tracker.getData(data.args[0]);
     if (!strInfo || !isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) {
@@ -74,7 +79,7 @@ module.exports = function (core) {
 
     if (event) {
       reportFindings({
-        ruleId: Rule.SQL_INJECTION,
+        ruleId: SQL_INJECTION,
         sinkEvent: event,
       });
     }

package/lib/dataflow/sources/handler.js

@@ -72,6 +72,10 @@ module.exports = function(core) {
       return null;
     }
 
+    if (!context) {
+      context = inputType;
+    }
+
     let stack;
 
     traverseValues(data, (path, type, value, obj) => {

package/lib/dataflow/sources/index.js

@@ -17,7 +17,7 @@
 
 const { callChildComponentMethodsSync } = require('@contrast/common');
 
-module.exports = function(core) {
+module.exports = function (core) {
   const sources = core.assess.dataflow.sources = {};
 
   // API
@@ -27,11 +27,14 @@ module.exports = function(core) {
   require('./install/http')(core);
 
   // frameworks and frameworks specific libraries
+  require('./install/express')(core);
   require('./install/fastify')(core);
   require('./install/koa')(core);
 
   // libraries
+  require('./install/body-parser1')(core);
   require('./install/busboy1')(core);
+  require('./install/cookie-parser1')(core);
   require('./install/formidable1')(core);
   require('./install/qs6')(core);
 

package/lib/dataflow/sources/install/body-parser1.js

@@ -0,0 +1,120 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { InputType } = require('@contrast/common');
+const { patchType } = require('../common');
+
+const METHODS = ['json', 'raw', 'text', 'urlencoded'];
+const INPUT_TYPES = {
+  'body-parser.json.jsonParser': InputType.JSON_VALUE,
+  'body-parser.raw.rawParser': InputType.BODY,
+  'body-parser.text.textParser': InputType.BODY,
+  'body-parser.urlencoded.urlencodedParser': InputType.PARAMETER_VALUE,
+};
+
+module.exports = function init(core) {
+  const { assess, depHooks, logger, patcher, scopes } = core;
+
+  const createPreHook = (name) => (data) => {
+    const [req, , next] = data.args;
+    data.args[2] = function contrastNext(...args) {
+      const sourceContext = scopes.sources.getStore()?.assess;
+
+      if (!sourceContext) {
+        logger.error({ name }, 'unable to handle source. Missing `sourceContext`');
+        return;
+      }
+
+      if (sourceContext.parsedBody) {
+        logger.trace({ name }, 'values already tracked');
+        return;
+      }
+
+      // when using a specific parser, we know the input type.
+      let inputType = INPUT_TYPES[name];
+      // when using `bodyParser()`, determine input type by content type.
+      if (!inputType) {
+        inputType = req.headers?.['content-type']?.includes('json')
+          ? InputType.JSON_VALUE
+          : req.headers?.['content-type']?.includes('urlencoded')
+            ? InputType.PARAMETER_VALUE
+            : InputType.BODY;
+      }
+
+      try {
+        assess.dataflow.sources.handle({
+          context: 'req.body',
+          name,
+          inputType,
+          stacktraceOpts: {
+            constructorOpt: contrastNext
+          },
+          data: req.body,
+          sourceContext,
+        });
+
+        sourceContext.parsedBody = !!Object.keys(req.body).length;
+      } catch (err) {
+        logger.error({ name, err }, 'unable to handle source');
+      }
+
+      return next(...args);
+    };
+  };
+
+  assess.dataflow.sources.bodyParser1Instrumentation = {
+    install() {
+      depHooks.resolve(
+        { name: 'body-parser', version: '>=1.0.0' },
+        /** @param {import('body-parser').BodyParser} bodyParser */
+        (bodyParser) => {
+          bodyParser = patcher.patch(bodyParser, {
+            name: 'body-parser',
+            patchType,
+            post(data) {
+              const name = 'body-parser.bodyParser';
+              data.result = patcher.patch(data.result, {
+                name,
+                patchType,
+                pre: createPreHook(name),
+              });
+            },
+          });
+
+          METHODS.forEach((method) => {
+            patcher.patch(bodyParser, method, {
+              name: `body-parser.${method}`,
+              patchType,
+              post(data) {
+                const name = `body-parser.${method}.${method}Parser`;
+                data.result = patcher.patch(data.result, {
+                  name,
+                  patchType,
+                  pre: createPreHook(name)
+                });
+              },
+            });
+          });
+
+          return bodyParser;
+        }
+      );
+    }
+  };
+
+  return assess.dataflow.sources.bodyParser1Instrumentation;
+};

package/lib/dataflow/sources/install/cookie-parser1.js

@@ -0,0 +1,101 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { InputType } = require('@contrast/common');
+const { patchType } = require('../common');
+
+module.exports = function init(core) {
+  const { assess, depHooks, logger, patcher, scopes } = core;
+
+  assess.dataflow.sources.cookieParser1Instrumentation = {
+    install() {
+      depHooks.resolve(
+        { name: 'cookie-parser', version: '>=1.0.0' },
+        /** @param {import('cookie-parser')} cookieParser */
+        (cookieParser) =>
+          patcher.patch(cookieParser, {
+            name: 'cookie-parser',
+            patchType,
+            post(data) {
+              const name = 'cookie-parser.cookieParser';
+              data.result = patcher.patch(data.result, {
+                name,
+                patchType,
+                pre(data) {
+                  const [req, , next] = data.args;
+                  data.args[2] = function contrastNext(...args) {
+                    const sourceContext = scopes.sources.getStore()?.assess;
+
+                    if (!sourceContext) {
+                      logger.error({ name }, 'unable to handle source. Missing `sourceContext`');
+                      return;
+                    }
+
+                    if (sourceContext.parsedCookies) {
+                      logger.trace({ name }, 'cookies already tracked');
+                    } else if (req.cookies) {
+                      try {
+                        assess.dataflow.sources.handle({
+                          context: 'req.cookies',
+                          name,
+                          inputType: InputType.COOKIE_VALUE,
+                          stacktraceOpts: {
+                            constructorOpt: contrastNext
+                          },
+                          data: req.cookies,
+                          sourceContext,
+                        });
+
+                        sourceContext.parsedCookies = !!Object.keys(req.cookies).length;
+                      } catch (err) {
+                        logger.error({ name, err }, 'unable to handle source');
+                      }
+                    }
+
+                    if (sourceContext.parsedSignedCookies) {
+                      logger.trace({ name }, 'signedCookies already tracked');
+                    } else if (req.signedCookies) {
+                      try {
+                        assess.dataflow.sources.handle({
+                          context: 'req.signedCookies',
+                          name,
+                          inputType: InputType.COOKIE_VALUE,
+                          stacktraceOpts: {
+                            constructorOpt: contrastNext
+                          },
+                          data: req.signedCookies,
+                          sourceContext,
+                        });
+
+                        sourceContext.parsedSignedCookies = !!Object.keys(req.signedCookies).length;
+                      } catch (err) {
+                        logger.error({ name, err }, 'unable to handle source');
+                      }
+                    }
+
+                    return next(...args);
+                  };
+                },
+              });
+            },
+          })
+      );
+    }
+  };
+
+  return assess.dataflow.sources.cookieParser1Instrumentation;
+};

package/lib/dataflow/sources/install/express/index.js

@@ -0,0 +1,28 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { callChildComponentMethodsSync } = require('@contrast/common');
+
+module.exports = function init(core) {
+  core.assess.dataflow.sources.expressInstrumentation = {
+    install() {
+      callChildComponentMethodsSync(this, 'install');
+    }
+  };
+
+  return core.assess.dataflow.sources.expressInstrumentation;
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.6.0",
+  "version": "1.7.0",
   "description": "",
   "main": "lib/index.js",
   "scripts": {
@@ -14,8 +14,8 @@
   },
   "dependencies": {
     "@contrast/distringuish": "^4.1.0",
-    "@contrast/scopes": "1.3.0",
-    "@contrast/common": "1.9.0",
+    "@contrast/scopes": "1.4.0",
+    "@contrast/common": "1.10.0",
     "parseurl": "^1.3.3"
   }
 }