@contrast/assess 1.6.0 → 1.8.0

package/lib/dataflow/propagation/index.js

@@ -27,6 +27,7 @@ module.exports = function(core) {
   require('./install/url')(core);
   require('./install/validator')(core);
   require('./install/array-prototype-join')(core);
+  require('./install/buffer')(core);
   require('./install/decode-uri-component')(core);
   require('./install/encode-uri-component')(core);
   require('./install/escape-html')(core);
@@ -37,6 +38,8 @@ module.exports = function(core) {
   require('./install/sql-template-strings')(core);
   require('./install/unescape')(core);
   require('./install/querystring')(core);
+  require('./install/sequelize')(core);
+  require('./install/JSON')(core);
 
   propagation.install = function() {
     callChildComponentMethodsSync(propagation, 'install');

package/lib/dataflow/propagation/install/JSON/index.js

@@ -0,0 +1,33 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { callChildComponentMethodsSync } = require('@contrast/common');
+
+module.exports = function(core) {
+  const jsonInstrumentation = core.assess.dataflow.propagation.jsonInstrumentation = {
+    install() {
+      callChildComponentMethodsSync(jsonInstrumentation, 'install');
+    },
+    uninstall() {
+      callChildComponentMethodsSync(jsonInstrumentation, 'uninstall');
+    }
+  };
+
+  require('./stringify')(core);
+
+  return jsonInstrumentation;
+};

package/lib/dataflow/propagation/install/JSON/stringify.js

@@ -0,0 +1,290 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const {
+  createMergedTags
+} = require('../../../tag-utils');
+const { isString, inspect, replace, match, matchAll, slice } = require('@contrast/common');
+const { patchType } = require('../../common');
+const crypto = require('crypto');
+
+function makeCanary() {
+  return replace(
+    crypto
+      .randomBytes(12)
+      .toString('base64'),
+    /[+\\]/g,
+    (match) => match === '+' ? '%' : '#'
+  );
+}
+
+const canary = makeCanary();
+const regex = new RegExp(`"${canary}(\\d+)~`, 'g');
+function identity(_key, val) {
+  return val;
+}
+
+function patchReplacer(replacer) {
+  if (Array.isArray(replacer)) {
+    // keys that are numbers get cast to string when they come through the replacer
+    // add '' to the list of keys as that's always the first iteration of replacer, the entire json string
+    const filterKeys = replacer
+      .filter((key) => isString(key) || typeof key === 'number')
+      .concat('')
+      .map((value) => value.toString());
+
+    let nextArray = [];
+    replacer = function(key, value) {
+      // we need to keep track of arrays
+      // and shift each element as the replacer hits it
+      // so we can compare those values are expected
+      // when filtering
+      const nextEl = nextArray.shift();
+      if (Array.isArray(value)) {
+        nextArray = [...value];
+      }
+
+      if (filterKeys.includes(key) || value === nextEl) {
+        return value;
+      }
+    };
+  } else if (typeof replacer === 'function') {
+    // do nothing!
+  } else {
+    replacer = identity;
+  }
+
+  return replacer;
+}
+
+module.exports = function(core) {
+  const {
+    scopes: { sources, instrumentation },
+    patcher,
+    assess: {
+      dataflow: { tracker, eventFactory: { createPropagationEvent } }
+    }
+  } = core;
+
+  function getUntrustedSpaceProps(space) {
+  // it can't be a problem if it's not a string, if the string is all spaces, or
+  // if the string is zero length.
+    if (!isString(space) || match(space, /^\s+$/) || !space) {
+      return null;
+    }
+
+
+    const props = tracker.getData(slice(space, 0, 10));
+    if (!props || !Object.keys(props.tags).length) {
+      return null;
+    }
+
+    return props;
+  }
+
+
+  function createSpaceTagRanges(result, metadata) {
+    const tags = {};
+    const spaceValue = slice(metadata.origArgs[2], 0, 10);
+    const { spaceProps: { tags: spacePropsTags } } = metadata;
+
+    const spaces = Array.from(matchAll(result, new RegExp(`(?<=\\n)(${spaceValue})+?(?=\\d|"|null|]|})`, 'g')));
+
+    for (const space of spaces) {
+      const match = space[0];
+      const { index } = space;
+      for (const tagKey of Object.keys(spacePropsTags)) {
+        if (!tags[tagKey]) {
+          tags[tagKey] = [];
+        }
+
+        if (space !== spaceValue && (spacePropsTags[tagKey].length !== 2 || spacePropsTags[tagKey][1] !== spaceValue.length - 1)) {
+          for (let i = 0; i < match.length / spaceValue.length; i++) {
+            tags[tagKey].push(...spacePropsTags[tagKey].map((rangeIdx) => index + (rangeIdx + i * spaceValue.length)));
+          }
+        } else {
+          tags[tagKey].push(index, index + match.length - 1);
+        }
+      }
+    }
+
+    return tags;
+  }
+
+  function applyCanaryTagRanges(result, metadata, tags) {
+    metadata.sourceEvents = [];
+    // the diff doesn't include the " that opens the regex.
+    let canaryReplacementDiff = 0;
+    // for each marker in the stringify's result, remove the marker and
+    // create a TagRange for the value.
+    return replace(result, metadata.regex, (m, id, offset) => {
+      // adjust offset by total characters removed so far
+      offset = offset - canaryReplacementDiff + 1;
+      // we don't replace the opening " in the regex - that just makes sure
+      // we only find our marker at the start of a string value.
+      canaryReplacementDiff += m.length - 1;
+      for (const tagKey of Object.keys(metadata.strInfos[id].tags)) {
+        if (!tags[tagKey]) {
+          tags[tagKey] = [];
+        }
+
+        for (const tagIdx of metadata.strInfos[id].tags[tagKey]) {
+          tags[tagKey].push(tagIdx + offset);
+        }
+      }
+
+      metadata.history.add(metadata[id]);
+      // replace the canary with the starting quote
+      return '"';
+    });
+  }
+
+  return core.assess.dataflow.propagation.jsonInstrumentation.stringify = {
+    install() {
+      patcher.patch(JSON, 'stringify', {
+        name: 'JSON.prototype.stringify',
+        patchType,
+        pre(data) {
+          if (!sources.getStore()?.assess || instrumentation.isLocked()) return;
+
+          const [input, , space] = data.args;
+          let [, replacer] = data.args;
+          replacer = patchReplacer(replacer);
+
+          // context used by the post hook.
+          data.metadata = {
+            history: new Set(),
+            origArgs: data.args.slice(),
+            strInfos: {},
+            propagate: false,
+            regex,
+            spaceProps: undefined,
+            target: undefined,
+          };
+
+
+          // if the space can't be trusted then remember space's tracking info so it
+          // can be applied to the entire JSON.stringify result string.
+          const spaceProps = getUntrustedSpaceProps(space);
+          if (spaceProps) {
+            data.metadata.spaceProps = spaceProps;
+            data.metadata.history.add(spaceProps);
+            data.metadata.propagate = true;
+          }
+
+          // each canary tag gets a separate id to make matching easier.
+          let id = 0;
+
+          /**
+           * wraps the replacer method and updates propagate boolean if value of replacer
+           * is tracked
+           *
+           * @param {string} key
+           * @param {string} value
+           */
+          function contrastReplacer(key, val) {
+            const valProperties = tracker.getData(val);
+            if (valProperties && Object.keys(valProperties.tags).length) {
+              data.metadata.propagate = true;
+            }
+
+            let value = replacer.call(this, key, val);
+
+            // keys aren't propagated, so check only the value
+            if (isString(value) && valProperties) {
+              data.metadata.strInfos[id] = valProperties;
+              value = `${canary}${id}~${value}`;
+              id++;
+            }
+            return value;
+          }
+
+          data.args = [input, contrastReplacer, space];
+        },
+        post(data) {
+          if (!sources.getStore()?.assess || instrumentation.isLocked()) return;
+          let tags = {};
+          const vulnerableSources = [];
+          if (!data.metadata?.propagate) {
+            return data.result;
+          }
+
+          const { metadata } = data;
+          const ret = applyCanaryTagRanges(data.result, metadata, tags);
+
+          if (Object.keys(tags).length) {
+            vulnerableSources.push('P0');
+          }
+
+          if (metadata.spaceProps) {
+            tags = createMergedTags(tags, createSpaceTagRanges(ret, metadata));
+            vulnerableSources.push('P2');
+          }
+
+          data.result = ret;
+
+          const method = 'JSON.stringify';
+          const event = createPropagationEvent({
+            context: method,
+            name: method,
+            history: Array.from(metadata.history),
+            object: {
+              value: inspect(data.obj),
+              tracked: false
+            },
+            args: [
+              {
+                value: inspect(metadata.origArgs[0]),
+                tracked: false
+              },
+              (metadata.origArgs[1] && {
+                value: inspect(metadata.origArgs[1]),
+                tracked: false
+              }),
+              (metadata.origArgs[2] && {
+                value: inspect(metadata.origArgs[2]),
+                tracked: !!metadata.spaceProps
+              })
+            ].filter(Boolean),
+            result: {
+              value: ret,
+              tracked: true
+            },
+            tags,
+            stacktraceOpts: {
+              constructorOpt: data.hooked,
+              prependFrames: [data.orig]
+            },
+            source: vulnerableSources.length === 1 ? vulnerableSources[0] : 'P',
+            target: 'R',
+          });
+
+          if (!event) return;
+
+          const { extern } = tracker.track(ret, event);
+
+          if (extern) {
+            data.result = extern;
+          }
+        },
+      });
+    },
+    uninstall() {
+      JSON.stringify = patcher.unwrap(JSON.stringify);
+    },
+  };
+};

package/lib/dataflow/propagation/install/buffer.js

@@ -0,0 +1,79 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+
+const { patchType } = require('../common');
+
+module.exports = function(core) {
+  const {
+    assess: {
+      dataflow: {
+        eventFactory,
+        tracker
+      }
+    },
+    patcher,
+  } = core;
+
+  return core.assess.dataflow.propagation.bufferInstrumentation = {
+    install() {
+      const name = 'global.Buffer.prototype.toString';
+
+      patcher.patch(global.Buffer.prototype, 'toString', {
+        patchType,
+        name,
+        post(data) {
+          const { hooked, obj, orig, result } = data;
+
+          if (!result) return;
+
+          const bufferInfo = tracker.getData(obj);
+          if (!bufferInfo) {
+            return;
+          }
+
+          const event = eventFactory.createPropagationEvent({
+            args: data.args.map((a) => ({ tracked: false, value: a })),
+            context: 'buffer.toString()',
+            object: { tracked: true, value: 'Buffer' },
+            history: [bufferInfo],
+            name,
+            result: {
+              tracked: true,
+              value: result
+            },
+            source: 'O',
+            tags: bufferInfo.tags,
+            stacktraceOpts: {
+              constructorOpt: hooked,
+              prependFrames: [orig]
+            },
+            target: 'R',
+          });
+
+          if (event) {
+            const { extern } = tracker.track(result, event);
+            if (extern) {
+              data.result = extern;
+            }
+          }
+        }
+      });
+    },
+    uninstall() {
+      global.Buffer.prototype.toString = patcher.unwrap(global.Buffer.prototype.toString);
+    }
+  };
+};

package/lib/dataflow/propagation/install/contrast-methods/string.js

@@ -22,7 +22,9 @@ module.exports = function(core) {
     scopes: { sources, instrumentation },
     patcher,
     assess: {
-      dataflow: { tracker }
+      dataflow: {
+        tracker
+      },
     }
   } = core;
 
@@ -36,6 +38,7 @@ module.exports = function(core) {
 
           const arg = data.args[0];
           let argInfo = tracker.getData(arg);
+          if (tracker.getData(data.result)) return;
 
           if (data.obj && !argInfo) {
             argInfo = tracker.getData(data.result.toString());
@@ -46,6 +49,7 @@ module.exports = function(core) {
           }
 
           const { extern } = tracker.track(data.result, argInfo);
+
           if (extern) {
             data.result = extern;
           }

package/lib/dataflow/propagation/install/encode-uri-component.js

@@ -15,6 +15,9 @@
 
 'use strict';
 
+const {
+  DataflowTag: { URL_ENCODED }
+} = require('@contrast/common');
 const {
   createFullLengthCopyTags
 } = require('../../tag-utils');
@@ -48,7 +51,7 @@ module.exports = function(core) {
           const history = [argInfo];
           const newTags = createFullLengthCopyTags(argInfo.tags, result.length);
 
-          newTags['url-encoded'] = [0, result.length - 1];
+          newTags[URL_ENCODED] = [0, result.length - 1];
 
           const event = createPropagationEvent({
             name: 'global.encodeURIComponent',
@@ -63,7 +66,7 @@ module.exports = function(core) {
             args: [{ value: argInfo.value, tracked: true }],
             tags: newTags,
             history,
-            addedTags: ['url-encoded'],
+            addedTags: [URL_ENCODED],
             stacktraceOpts: {
               constructorOpt: hooked,
               prependFrames: [orig]

package/lib/dataflow/propagation/install/pug-runtime-escape.js

@@ -15,6 +15,9 @@
 
 'use strict';
 
+const {
+  DataflowTag: { WEAK_URL_ENCODED }
+} = require('@contrast/common');
 const {
   createFullLengthCopyTags
 } = require('../../tag-utils');
@@ -48,7 +51,7 @@ module.exports = function(core) {
             const history = [argInfo];
             const newTags = createFullLengthCopyTags(argInfo.tags, result.length);
 
-            newTags['weak-url-encoded'] = [0, result.length - 1];
+            newTags[WEAK_URL_ENCODED] = [0, result.length - 1];
 
             const event = createPropagationEvent({
               name: 'pug-runtime.escape',
@@ -62,7 +65,7 @@ module.exports = function(core) {
               },
               args: [{ value: argInfo.value, tracked: true }],
               tags: newTags,
-              addedTags: ['weak-url-encoded'],
+              addedTags: [WEAK_URL_ENCODED],
               history,
               stacktraceOpts: {
                 constructorOpt: hooked,