@contrast/assess 1.6.0 → 1.8.0

package/lib/dataflow/propagation/install/sequelize.js

@@ -0,0 +1,310 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const {
+  isString,
+  DataflowTag: { SQL_ENCODED },
+} = require('@contrast/common');
+const { patchType, createModuleLabel } = require('../common');
+
+module.exports = function (core) {
+  const {
+    scopes: { sources, instrumentation },
+    patcher,
+    depHooks,
+    assess: {
+      dataflow: {
+        tracker,
+        eventFactory: { createPropagationEvent },
+      },
+    },
+  } = core;
+
+  function getFormatPostions(str) {
+    const positions = [];
+    let index = -1;
+
+    while ((index = str.indexOf('?', index + 1)) !== -1) {
+      positions.push(index);
+    }
+
+    return positions;
+  }
+
+  function getFormatNamedParametersPositions(str) {
+    const regex = /:(\w+)(?=[\s,;)]|$)/g;
+    const matches = str.matchAll(regex);
+
+    return Array.from(matches, (match) => ({ [match[1]]: match.index }));
+  }
+
+  return (core.assess.dataflow.propagation.sequelizeInstrumentation = {
+    install() {
+      depHooks.resolve(
+        { name: 'sequelize', file: 'lib/sql-string.js' },
+        (sqlString, version) => {
+          const origEscape = sqlString.escape;
+
+          patcher.patch(sqlString, 'escape', {
+            name: 'sequelize.escape',
+            patchType,
+            post(data) {
+              const { args, result, hooked, orig } = data;
+
+              if (
+                !result ||
+                !args[0] ||
+                !isString(args[0]) ||
+                !sources.getStore()?.assess ||
+                instrumentation.isLocked()
+              ) return;
+
+              const argInfo = tracker.getData(args[0]);
+
+              if (!argInfo) return;
+
+              const resultInfo = tracker.getData(result);
+              if (!resultInfo) return;
+              const history = [argInfo];
+              const newTags = { ...resultInfo.tags };
+
+              newTags[SQL_ENCODED] = [0, result.length - 1];
+
+              const event = createPropagationEvent({
+                context: 'sequelize.escape',
+                name: 'sequelize/lib/sql-string.escape',
+                object: {
+                  value: createModuleLabel('sequelize/lib/sql-string.escape', version),
+                  tracked: false,
+                },
+                result: {
+                  value: resultInfo.value,
+                  tracked: true,
+                },
+                args: [{ value: argInfo.value, tracked: true }],
+                tags: newTags,
+                addedTags: [SQL_ENCODED],
+                source: 'P',
+                target: 'R',
+                history,
+                stacktraceOpts: {
+                  constructorOpt: hooked,
+                  prependFrames: [orig],
+                },
+              });
+
+              if (!event) return;
+
+              Object.assign(resultInfo, event);
+            },
+          });
+
+          patcher.patch(sqlString, 'format', {
+            name: 'Sequelize.Utils.format',
+            patchType,
+            post(data) {
+              const { args, result, hooked, orig } = data;
+              if (
+                !result ||
+                !args[0] ||
+                !isString(args[0]) ||
+                !sources.getStore()?.assess ||
+                instrumentation.isLocked()
+              )
+                return;
+
+              const resultInfo = tracker.getData(result);
+              if (!resultInfo) {
+                return;
+              }
+
+              const positions = getFormatPostions(data.args[0]);
+              const firstArgInfo = tracker.getData(data.args[0]);
+
+              if (!positions.length) {
+                return;
+              }
+
+              const replacements = [].concat(data.args[1]);
+              let replacementsTrakced = false;
+              const [, , timezone, dialect] = data.args;
+              const len = positions.length;
+
+              const history = new Set();
+              const newTags = { ...resultInfo.tags };
+
+              for (let i = 0; i < len; i++) {
+                const replacementInfo = tracker.getData(replacements[i]);
+                // we don't need to run in a no instrumentation scope here since
+                // patcher will do so automatically since we're in a post hook
+                const escapedVal = origEscape(
+                  replacements[i],
+                  timezone,
+                  dialect,
+                  true // true is required to get format function behavior.
+                );
+
+                if (replacementInfo) {
+                  history.add(replacementInfo);
+                  newTags[SQL_ENCODED] = newTags[SQL_ENCODED] || [];
+                  replacementsTrakced = replacementsTrakced || true;
+                  newTags[SQL_ENCODED].push(positions[i], positions[i] + escapedVal.length - 1);
+                }
+                //update the string replacement poisitions based on current val length - it's replacing a ? in the origional string
+                if (i < len - 1) {
+                  for (let j = i + 1; j < len; j++) {
+                    positions[j] = positions[j] + escapedVal.length - 1;
+                  }
+                }
+              }
+
+              const event = createPropagationEvent({
+                context: 'Sequelize.Utils.format',
+                name: 'sequelize/lib/sql-string.format',
+                object: {
+                  value: createModuleLabel('sequelize/lib/sql-string.format', version),
+                  tracked: false,
+                },
+                result: {
+                  value: resultInfo.value,
+                  tracked: true,
+                },
+                args: [
+                  { value: firstArgInfo ? firstArgInfo.value : args[0], tracked: !!firstArgInfo },
+                  { value: replacements, tracked: replacementsTrakced },
+                  { value: timezone, tracked: false },
+                  { value: dialect, tracked: false }
+                ],
+                tags: newTags,
+                source: 'P1',
+                target: 'R',
+                addedTags: [SQL_ENCODED],
+                history: Array.from(history),
+                stacktraceOpts: {
+                  constructorOpt: hooked,
+                  prependFrames: [orig],
+                },
+              });
+
+              if (!event) return;
+
+              Object.assign(resultInfo, event);
+            },
+          });
+
+          patcher.patch(sqlString, 'formatNamedParameters', {
+            name: 'Sequelize.Utils.formatNamedParameters',
+            patchType,
+            post(data) {
+              const { args, result, hooked, orig } = data;
+
+              if (
+                !result ||
+                !args[0] ||
+                !isString(args[0]) ||
+                !sources.getStore()?.assess ||
+                instrumentation.isLocked()
+              )
+                return;
+
+              const resultInfo = tracker.getData(result);
+              if (!resultInfo) {
+                return;
+              }
+
+              const positions = getFormatNamedParametersPositions(data.args[0]);
+              const firstArgInfo = tracker.getData(data.args[0]);
+
+              if (!positions.length) {
+                return;
+              }
+
+              const replacements = Object.assign({}, data.args[1]);
+              let replacementsTrakced = false;
+              const [, , timezone, dialect] = data.args;
+              const len = positions.length;
+
+              const history = new Set();
+              const newTags = { ...resultInfo.tags };
+
+              for (let i = 0; i < len; i++) {
+                const replacementKey = Object.keys(positions[i])[0];
+                const replacementInfo = tracker.getData(replacements[replacementKey]);
+                const escapedVal = origEscape(
+                  replacements[replacementKey],
+                  timezone,
+                  dialect,
+                  true // true is required to get format function behavior.
+                );
+
+                if (replacementInfo) {
+                  history.add(replacementInfo);
+                  newTags[SQL_ENCODED] = newTags[SQL_ENCODED] || [];
+                  replacementsTrakced = replacementsTrakced || true;
+                  newTags[SQL_ENCODED].push(Object.values(positions[i])[0], Object.values(positions[i])[0] + escapedVal.length - 1);
+                }
+
+                //update the string replacement poisitions based on current val length - it's replacing a :key with the string
+                if (i < len - 1) {
+                  for (let j = i + 1; j < len; j++) {
+                    const nextKey = Object.keys(positions[j])[0];
+                    positions[j] = {
+                      [nextKey]:
+                        positions[j][nextKey] - (replacementKey.length + 1) + escapedVal.length // add 1 for the ':'
+                    };
+                  }
+                }
+              }
+
+              const event = createPropagationEvent({
+                context: 'Sequelize.Utils.formatNamedParameters',
+                name: 'sequelize/lib/sql-string.formatNamedParameters',
+                object: {
+                  value: createModuleLabel('sequelize/lib/sql-string.formatNamedParameters', version),
+                  tracked: false,
+                },
+                result: {
+                  value: resultInfo.value,
+                  tracked: true,
+                },
+                args: [
+                  { value: firstArgInfo ? firstArgInfo.value : args[0], tracked: !!firstArgInfo },
+                  { value: replacements, tracked: replacementsTrakced },
+                  { value: timezone, tracked: false },
+                  { value: dialect, tracked: false }
+                ],
+                tags: newTags,
+                source: 'P1',
+                target: 'R',
+                addedTags: [SQL_ENCODED],
+                history: Array.from(history),
+                stacktraceOpts: {
+                  constructorOpt: hooked,
+                  prependFrames: [orig],
+                },
+              });
+
+              if (!event) return;
+
+              Object.assign(resultInfo, event);
+            },
+          });
+        }
+      );
+    },
+  });
+};

package/lib/dataflow/propagation/install/sql-template-strings.js

@@ -15,6 +15,9 @@
 
 'use strict';
 
+const {
+  DataflowTag: { SQL_ENCODED }
+} = require('@contrast/common');
 const { patchType, createModuleLabel } = require('../common');
 
 module.exports = function(core) {
@@ -48,10 +51,8 @@ module.exports = function(core) {
               const resultInfo = tracker.getData(resultValue);
               if (!resultInfo) return;
               const history = [argInfo];
-              // const newTags = createFullLengthCopyTags(argInfo.tags, resultValue.length);
               const newTags = { ...resultInfo.tags };
-
-              newTags['sql-encoded'] = [0, resultValue.length - 1];
+              newTags[SQL_ENCODED] = [0, resultValue.length - 1];
 
               const event = createPropagationEvent({
                 name: 'sql-template-strings.SQL',
@@ -65,7 +66,7 @@ module.exports = function(core) {
                 },
                 args: [{ value: argInfo.value, tracked: true }],
                 tags: newTags,
-                addedTags: ['sql-encoded'],
+                addedTags: [SQL_ENCODED],
                 history,
                 stacktraceOpts: {
                   constructorOpt: hooked,

package/lib/dataflow/propagation/install/string/match.js

@@ -87,7 +87,7 @@ module.exports = function(core) {
           const hasCaptureGroups = 'groups' in result;
           for (let i = 0; i < result.length; i++) {
             const res = result[i];
-            if (!res) continue;
+            if (!res || res === obj) continue;
             const start = obj.indexOf(res, idx);
             idx += hasCaptureGroups ? 0 : res.length;
             const event = getPropagationEvent(data, res, objInfo, start);
@@ -101,7 +101,7 @@ module.exports = function(core) {
           if (hasCaptureGroups && result.groups) {
             Object.keys(result.groups).forEach((key) => {
               const res = result.groups[key];
-              if (!res) return;
+              if (!res || res === obj) return;
               const start = obj.indexOf(res);
               const event = getPropagationEvent(data, res, objInfo, start);
               if (event) {

package/lib/dataflow/propagation/install/string/replace.js

@@ -42,7 +42,7 @@ module.exports = function(core) {
     const namedGroups = hasNamedGroup ? lastEl : null;
     return { match, captureGroups, matchIdx, str, namedGroups };
   }
-  function replaceSpecialCharacters(replacement, { captureGroups, match, str, namedGroups }) {
+  function replaceSpecialCharacters(replacement, { captureGroups, match, str, namedGroups }, replacementType) {
     const origReplace = patcher.unwrap(String.prototype.replace);
     let ret = replacement;
     [
@@ -74,7 +74,7 @@ module.exports = function(core) {
       }
     });
 
-    const numberedGroupMatches = replacement.match(/\$[1-9][0-9]|\$[1-9]/g);
+    const numberedGroupMatches = replacementType !== 'function' && replacement.match(/\$[1-9][0-9]|\$[1-9]/g);
     if (numberedGroupMatches) {
       numberedGroupMatches.forEach((numberedGroup) => {
         const group = Number(numberedGroup.substring(1));
@@ -95,7 +95,7 @@ module.exports = function(core) {
       data._replacement.call(global, ...replacerArgs) :
       data._replacement;
 
-    replacement = replaceSpecialCharacters(String(replacement), parsedArgs);
+    replacement = replaceSpecialCharacters(String(replacement), parsedArgs, data._replacementType);
 
     data._replacementInfo = tracker.getData(replacement);
     if (data._replacement) {
@@ -152,9 +152,14 @@ module.exports = function(core) {
             instrumentation.isLocked() ||
             !data.result ||
             // todo: can we reuse this optimization in other propagators? e.g those performing substring-like operations
-            !data._accumTags?.[UNTRUSTED]
+            !data._accumTags?.[UNTRUSTED] ||
+            !!tracker.getData(data.result)
           ) return;
 
+          if (data.obj === data.result) {
+            return;
+          }
+
           const { _replacementInfo, obj, args, result, hooked, orig } = data;
 
           const event = createPropagationEvent({

package/lib/dataflow/sinks/common.js

@@ -16,5 +16,14 @@
 'use strict';
 
 module.exports = {
-  patchType: 'assess-dataflow-sink'
+  patchType: 'assess-dataflow-sink',
+
+  /**
+   * @param {string[]} safeTags array of sink's safe tags
+   * @param {object} strInfo tracked string info
+   * @returns {string[]} filtered list of safe tags found on tracked string data
+   */
+  filterSafeTags(safeTags, strInfo) {
+    return safeTags.filter((t) => !!strInfo.tags?.[t]);
+  },
 };

package/lib/dataflow/sinks/index.js

@@ -15,19 +15,33 @@
 
 'use strict';
 
-const { callChildComponentMethodsSync, Event } = require('@contrast/common');
+const { AsyncLocalStorage } = require('async_hooks');
+const { callChildComponentMethodsSync, Event, Rule } = require('@contrast/common');
 const { isVulnerable } = require('../utils/is-vulnerable');
 const { isSafeContentType } = require('../utils/is-safe-content-type');
 
 module.exports = function (core) {
   const {
+    logger,
     messages,
     scopes: { sources }
   } = core;
 
+  const sinkScopes = {
+    [Rule.SQL_INJECTION]: new AsyncLocalStorage(),
+    [Rule.NOSQL_INJECTION_MONGO]: new AsyncLocalStorage()
+  };
   const sinks = core.assess.dataflow.sinks = {
     isVulnerable,
     isSafeContentType,
+    reportSafePositive(data) {
+      const store = sources.getStore();
+      // these events need source correlation
+      messages.emit(Event.ASSESS_DATAFLOW_SAFE_POSITIVE, {
+        sourceInfo: store?.sourceInfo,
+        ...data
+      });
+    },
     reportFindings(data) {
       const store = sources.getStore();
       // these events need source correlation
@@ -36,6 +50,19 @@ module.exports = function (core) {
         ...data
       });
     },
+    runInActiveSink(rule, cb) {
+      if (sinkScopes[rule]) {
+        return sinkScopes[rule].run({ locked: true }, cb);
+      } else {
+        logger.error('Sink scope for %s rule does not exist', rule);
+        return cb();
+      }
+    },
+    isLocked(rule) {
+      if (!sinkScopes[rule]) return false;
+
+      return sinkScopes[rule].getStore()?.locked;
+    }
   };
 
   require('./install/fastify')(core);
@@ -47,8 +74,10 @@ module.exports = function (core) {
   require('./install/mssql')(core);
   require('./install/mysql')(core);
   require('./install/postgres')(core);
+  require('./install/sequelize')(core);
   require('./install/sqlite3')(core);
   require('./install/marsdb')(core);
+  require('./install/express')(core);
 
   sinks.install = function() {
     callChildComponentMethodsSync(core.assess.dataflow.sinks, 'install');

package/lib/dataflow/sinks/install/express/index.js

@@ -0,0 +1,29 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+
+const { callChildComponentMethodsSync } = require('@contrast/common');
+
+module.exports = function(core) {
+  const express = core.assess.dataflow.sinks.express = {};
+
+  require('./unvalidated-redirect')(core);
+
+  express.install = function() {
+    callChildComponentMethodsSync(express, 'install');
+  };
+
+  return express;
+};

package/lib/dataflow/sinks/install/express/unvalidated-redirect.js

@@ -0,0 +1,134 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const util = require('util');
+const {
+  DataflowTag: {
+    UNTRUSTED,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED,
+    HTML_ENCODED,
+    LIMITED_CHARS,
+    URL_ENCODED,
+  },
+  isString
+} = require('@contrast/common');
+const { patchType, filterSafeTags } = require('../../common');
+const { createSubsetTags } = require('../../../tag-utils');
+
+const ruleId = 'unvalidated-redirect';
+
+module.exports = function (core) {
+  const {
+    depHooks,
+    patcher,
+    config,
+    scopes: { sources },
+    assess: {
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, reportFindings, reportSafePositive },
+        eventFactory: { createSinkEvent },
+      },
+    },
+  } = core;
+  const unvalidatedRedirect =
+    (core.assess.dataflow.sinks.express.unvalidatedRedirect = {});
+
+  const inspect = patcher.unwrap(util.inspect);
+
+  const safeTags = [
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED,
+    HTML_ENCODED,
+    LIMITED_CHARS,
+    URL_ENCODED,
+  ];
+
+  unvalidatedRedirect.install = function () {
+    depHooks.resolve({ name: 'express', file: 'lib/response' }, (Response) => {
+      const name = 'Express.Response.location';
+      patcher.patch(Response, 'location', {
+        name: 'Express.Response.location',
+        patchType,
+        pre: (data) => {
+          const assessStore = sources.getStore()?.assess;
+          if (!assessStore) return;
+
+          let [url] = data.args;
+          if (url === 'back') {
+            url = data.obj.req.get('Referrer');
+          }
+
+          if (!url || !isString(url)) return;
+
+          const strInfo = tracker.getData(url);
+          if (!strInfo) return;
+
+          let urlPathTags = strInfo.tags;
+          if (url.indexOf('?') > -1) {
+            urlPathTags = createSubsetTags(strInfo.tags, 0, url.indexOf('?'));
+          }
+
+          if (urlPathTags && isVulnerable(UNTRUSTED, safeTags, urlPathTags)) {
+            const event = createSinkEvent({
+              args: [{
+                tracked: true,
+                value: strInfo.value,
+              }],
+              context: `response.location(${inspect(strInfo.value)})`,
+              history: [strInfo],
+              name: 'Express.Response.location',
+              object: {
+                tracked: false,
+                value: 'Express.Response',
+              },
+              result: {
+                tracked: false,
+                value: undefined,
+              },
+              tags: urlPathTags,
+              source: 'P0',
+              stacktraceOpts: {
+                constructorOpt: data.hooked,
+              },
+            });
+
+            if (event) {
+              reportFindings({
+                ruleId,
+                sinkEvent: event,
+              });
+            }
+          } else if (config.assess.safe_positives.enable) {
+            reportSafePositive({
+              name,
+              ruleId,
+              safeTags: filterSafeTags(safeTags, strInfo),
+              strInfo: {
+                tags: strInfo.tags,
+                value: strInfo.value,
+              }
+            });
+          }
+        },
+      });
+    });
+  };
+
+  return unvalidatedRedirect;
+};