@contrast/assess 1.6.0 → 1.8.0

package/lib/dataflow/sinks/install/mongodb.js

@@ -20,16 +20,18 @@ const {
   DataflowTag: {
     UNTRUSTED,
     ALPHANUM_SPACE_HYPHEN,
+    CUSTOM_VALIDATED,
     CUSTOM_VALIDATED_NOSQL_INJECTION,
     LIMITED_CHARS,
     STRING_TYPE_CHECKED,
   },
-  Rule,
+  Rule: { NOSQL_INJECTION_MONGO },
   isNonEmptyObject,
-  traverseValues
+  traverseValues,
+  isString
 } = require('@contrast/common');
 const utils = require('../../tag-utils');
-const { patchType } = require('../common');
+const { patchType, filterSafeTags } = require('../common');
 
 const collectionMethods = [
   'find',
@@ -45,10 +47,20 @@ const collectionMethods = [
   'updateMany',
   'deleteOne',
   'deleteMany',
+  'aggregate',
+  'mapReduce',
+  'group'
 ];
+const dbMethods = [
+  'command',
+  'eval',
+  'aggregate'
+];
+const methodsWithNestedCalls = ['findOne', 'eval', 'group'];
 
 const querySafeTags = [
   ALPHANUM_SPACE_HYPHEN,
+  CUSTOM_VALIDATED,
   CUSTOM_VALIDATED_NOSQL_INJECTION,
   LIMITED_CHARS,
   STRING_TYPE_CHECKED,
@@ -56,6 +68,7 @@ const querySafeTags = [
 
 module.exports = function(core) {
   const {
+    config,
     depHooks,
     logger,
     patcher,
@@ -63,7 +76,7 @@ module.exports = function(core) {
     assess: {
       dataflow: {
         tracker,
-        sinks: { isVulnerable, reportFindings },
+        sinks: { isVulnerable, runInActiveSink, isLocked, reportFindings, reportSafePositive },
         eventFactory: { createSinkEvent }
       }
     }
@@ -72,22 +85,236 @@ module.exports = function(core) {
   const inspect = patcher.unwrap(util.inspect);
   const instr = core.assess.dataflow.sinks.mongodb = {};
 
-  instr.getVulnerabilityInfo = function getVulnerabilityInfo(query) {
+  instr.getQueryVulnerabilityInfo = function getQueryVulnerabilityInfo(query) {
     let vulnInfo = null;
+    let reportSafe = null;
+
+    if (isString(query)) {
+      const strInfo = tracker.getData(query);
+      if (strInfo) {
+        if (isVulnerable(UNTRUSTED, querySafeTags, strInfo.tags)) {
+          vulnInfo = { strInfo };
+        } else {
+          reportSafe = { strInfo };
+        }
+      }
 
-    if (!isNonEmptyObject(query)) return vulnInfo;
+      return { vulnInfo, reportSafe };
+    }
+
+    if (!isNonEmptyObject(query)) return { vulnInfo, reportSafe };
 
-    traverseValues(query, (path, type, value) => {
+    traverseValues(query, (path, _type, value) => {
       const strInfo = tracker.getData(value);
-      if (strInfo && isVulnerable(UNTRUSTED, querySafeTags, strInfo.tags)) {
-        vulnInfo = { path, strInfo };
-        return true; // halts traversal
+      if (strInfo) {
+        if (isVulnerable(UNTRUSTED, querySafeTags, strInfo.tags)) {
+          vulnInfo = { path: [...path], strInfo };
+          return true; // halts traversal
+        } else {
+          reportSafe = { path: [...path], strInfo };
+        }
       }
     });
 
-    return vulnInfo;
+    return { vulnInfo, reportSafe };
   };
 
+  instr.getAggregateVulnerabilityInfo = function getAggregateVulnerabilityInfo(aggregation) {
+    let vulnInfo = null;
+    let reportSafe = null;
+
+    if (!isNonEmptyObject(aggregation)) return { vulnInfo, reportSafe };
+
+    traverseValues(aggregation, (path, _type, value) => {
+      const accumulatorFuncProps = [
+        'init',
+        'merge',
+        'accumulate',
+        'finalize'
+      ];
+      const lastIdx = path.length - 1;
+      if (
+        (path[lastIdx - 1] === '$function' && path[lastIdx] === 'body') ||
+        (path[lastIdx - 1] === '$accumulator' && accumulatorFuncProps.includes(path[lastIdx]))
+      ) {
+        const strInfo = tracker.getData(value);
+        if (strInfo) {
+          if (isVulnerable(UNTRUSTED, querySafeTags, strInfo.tags)) {
+            vulnInfo = { path: [...path], strInfo };
+            return true; // halts traversal
+          } else {
+            reportSafe = { path: [...path], strInfo };
+          }
+        }
+      }
+    });
+
+    return { vulnInfo, reportSafe };
+  };
+
+  instr.getMapReduceVulnerabilityInfo = function getMapReduceVulnerabilityInfo(argToCheck, argIdx) {
+    let vulnInfo = null;
+    let reportSafe = null;
+
+    if (argIdx !== 2 && isString(argToCheck)) {
+      const strInfo = tracker.getData(argToCheck);
+      if (strInfo) {
+        if (isVulnerable(UNTRUSTED, querySafeTags, strInfo.tags)) {
+          vulnInfo = { strInfo };
+        } else {
+          reportSafe = { strInfo };
+        }
+      }
+
+      return { vulnInfo, reportSafe };
+    }
+
+    if (!isNonEmptyObject(argToCheck)) return { vulnInfo, reportSafe };
+
+    traverseValues(argToCheck, (path, _type, value) => {
+      const vulnerableProps = [
+        'query',
+        'finalize',
+      ];
+      if (vulnerableProps.includes(path[0])) {
+        const strInfo = tracker.getData(value);
+        if (strInfo) {
+          if (isVulnerable(UNTRUSTED, querySafeTags, strInfo.tags)) {
+            vulnInfo = { path: [...path], strInfo };
+            return true; // halts traversal
+          } else {
+            reportSafe = { path: [...path], strInfo };
+          }
+        }
+      }
+    });
+
+    return { vulnInfo, reportSafe };
+  };
+
+  instr.getGroupVulnerabilityInfo = function getGroupVulnerabilityInfo(argToCheck, argIdx) {
+    let vulnInfo = null;
+    let reportSafe = null;
+
+    if (argIdx !== 1 && isString(argToCheck)) {
+      const strInfo = tracker.getData(argToCheck);
+      if (strInfo) {
+        if (isVulnerable(UNTRUSTED, querySafeTags, strInfo.tags)) {
+          vulnInfo = { strInfo };
+        } else {
+          reportSafe = { strInfo };
+        }
+      }
+
+      return { vulnInfo, reportSafe };
+    }
+
+    if (!isNonEmptyObject(argToCheck)) return { vulnInfo, reportSafe };
+
+    traverseValues(argToCheck, (path, _type, value) => {
+      const strInfo = tracker.getData(value);
+      if (strInfo) {
+        if (isVulnerable(UNTRUSTED, querySafeTags, strInfo.tags)) {
+          vulnInfo = { path: [...path], strInfo };
+          return true; // halts traversal
+        } else {
+          reportSafe = { path: [...path], strInfo };
+        }
+      }
+    });
+
+    return { vulnInfo, reportSafe };
+  };
+
+  function createAroundHook(entity, name, method, getInfoMethod, vulnerableArgIdxs) {
+    const argsIdxsToCheck = vulnerableArgIdxs || [0];
+    return function(next, data) {
+      const { obj, args: origArgs } = data;
+      const sourceCtx = sources.getStore()?.assess;
+
+      if (isLocked(NOSQL_INJECTION_MONGO) || instrumentation.isLocked() || !sourceCtx) {
+        return next();
+      }
+
+      let vulnInfo;
+      let reportSafe;
+      let vulnArgIdx;
+      const safeReports = [];
+
+      try {
+        for (const argIdx of argsIdxsToCheck) {
+          ({ vulnInfo, reportSafe } = getInfoMethod(origArgs[argIdx], argIdx));
+
+          if (vulnInfo) {
+            vulnArgIdx = argIdx;
+            break;
+          }
+          if (reportSafe) safeReports.push({ ...reportSafe, argIdx });
+        }
+
+        if (!vulnInfo) {
+          if (safeReports.length && config.assess.safe_positives.enable) {
+            const safeTags = safeReports.map((report) => filterSafeTags(querySafeTags, report.strInfo));
+            const strInfo = safeReports.map((report) => {
+              const tags = report.path ? getAdjustedQueryTags(report.path, report.strInfo, inspect(origArgs[report.argIdx], { depth: 4 })) : report.strInfo?.tags;
+
+              return {
+                value: inspect(origArgs[report.argIdx], { depth: 4 }),
+                tags
+              };
+            });
+
+            reportSafePositive({
+              name,
+              ruleId: NOSQL_INJECTION_MONGO,
+              safeTags: safeTags.length === 1 ? safeTags[0] : safeTags,
+              strInfo: strInfo.length === 1 ? strInfo[0] : strInfo
+            });
+          }
+
+          return methodsWithNestedCalls.includes(method) ? runInActiveSink(NOSQL_INJECTION_MONGO, async () => await next()) : next();
+        }
+
+        const { path, strInfo } = vulnInfo;
+        const objName = getObjectName(obj, entity);
+        const args = origArgs.map((arg, idx) => ({
+          value: isString(arg) ? arg : inspect(arg, { depth: 4 }),
+          tracked: idx === vulnArgIdx,
+        }));
+
+        const tags = path ? getAdjustedQueryTags(path, strInfo, args[vulnArgIdx].value) : strInfo?.tags;
+        const resultVal = args[args.length - 1].value.startsWith('[Function') ? '' : 'Promise';
+        const sinkEvent = createSinkEvent({
+          args,
+          context: `${objName}.${method}(${args.map((a) => a.value)})`,
+          history: [strInfo],
+          object: {
+            tracked: false,
+            value: `mongodb.${entity}`,
+          },
+          name,
+          result: {
+            tracked: false,
+            value: resultVal,
+          },
+          source: `P${vulnArgIdx}`,
+          stacktraceOpts: {
+            constructorOpt: data.hooked,
+          },
+          tags,
+        });
+
+        if (sinkEvent) {
+          reportFindings({ ruleId: NOSQL_INJECTION_MONGO, sinkEvent });
+        }
+      } catch (err) {
+        core.logger.error({ name, err }, 'assess sink analysis failed');
+      }
+
+      return methodsWithNestedCalls.includes(method) ? runInActiveSink(NOSQL_INJECTION_MONGO, async () => await next()) : next();
+    };
+  }
+
   instr.install = function() {
     depHooks.resolve({ name: 'mongodb' }, (mongodb, version) => {
       patchCollection(mongodb, version);
@@ -99,93 +326,77 @@ module.exports = function(core) {
 
   function patchCollection(mongodb, version) {
     for (const method of collectionMethods) {
-
       const proto = mongodb.Collection.prototype;
       const name = `mongodb.Collection.prototype.${method}`;
 
       if (!proto[method]) {
-
         logger.trace({ name, version }, 'method not found - skipping instrumentation');
         continue;
       }
 
-      patcher.patch(proto, method, {
-        name,
-        patchType,
-        around(next, data) {
-          const { obj, args } = data;
-          const sourceCtx = sources.getStore()?.assess;
-
-          if (instrumentation.isLocked() || !sourceCtx) {
-            return next();
-          }
-
-          const argIdx = 0;
-          try {
-            const vulnInfo = instr.getVulnerabilityInfo(args[argIdx]);
-            if (vulnInfo) {
-              const { path, strInfo } = vulnInfo;
-              const objName = getObjectName(obj);
-              const args = data.args.map((arg, idx) => ({
-                value: inspect(arg),
-                tracked: idx === argIdx,
-              }));
-
-              const tags = getAdjustedQueryTags(path, strInfo, args[argIdx].value);
-              const resultVal = args[args.length - 1].value.startsWith('[Function') ? '' : 'Promise';
-              const sinkEvent = createSinkEvent({
-                args,
-                context: `${objName}.${method}(${args.map((a) => a.value)})`,
-                history: [strInfo],
-                object: {
-                  tracked: false,
-                  value: 'mongodb.Collection',
-                },
-                name,
-                result: {
-                  tracked: false,
-                  value: resultVal,
-                },
-                source: `P${argIdx}`,
-                stacktraceOpts: {
-                  constructorOpt: data.hooked,
-                },
-                tags,
-              });
-
-              if (sinkEvent) {
-                reportFindings({ ruleId: Rule.NOSQL_INJECTION_MONGO, sinkEvent });
-              }
-            }
-          } catch (err) {
-            core.logger.error({ name, err }, 'assess sink analysis failed');
-          }
-
-          if (method === 'findOne') {
-            // `findOne` will call `find` so don't analyze in nested call
-            const store = { name, lock: true };
-            const ret = instrumentation.run(store, next);
-            // but unlock for when callback args run or returned Promises resolve/reject
-            store.lock = false;
-            return ret;
-          }
-
-          return next();
-        },
-      });
+      if (method === 'aggregate') {
+        patcher.patch(proto, method, {
+          name,
+          patchType,
+          around: createAroundHook('Collection', name, method, instr.getAggregateVulnerabilityInfo)
+        });
+      } else if (method === 'mapReduce') {
+        patcher.patch(proto, method, {
+          name,
+          patchType,
+          around: createAroundHook('Collection', name, method, instr.getMapReduceVulnerabilityInfo, [0, 1, 2])
+        });
+      } else if (method === 'group') {
+        patcher.patch(proto, method, {
+          name,
+          patchType,
+          around: createAroundHook('Collection', name, method, instr.getGroupVulnerabilityInfo, [0, 1, 3])
+        });
+      } else {
+        patcher.patch(proto, method, {
+          name,
+          patchType,
+          around: createAroundHook('Collection', name, method, instr.getQueryVulnerabilityInfo)
+        });
+      }
     }
   }
 
-
   function patchDatabase(mongodb, version) {
-    // todo
+    for (const method of dbMethods) {
+      const proto = mongodb.Db.prototype;
+      const name = `mongodb.Db.prototype.${method}`;
+
+      if (!proto[method]) {
+        logger.trace({ name, version }, 'method not found - skipping instrumentation');
+        continue;
+      }
+
+      if (method === 'aggregate') {
+        patcher.patch(proto, method, {
+          name,
+          patchType,
+          around: createAroundHook('Db', name, method, instr.getAggregateVulnerabilityInfo)
+        });
+      } else {
+        patcher.patch(proto, method, {
+          name,
+          patchType,
+          around: createAroundHook('Db', name, method, instr.getQueryVulnerabilityInfo)
+        });
+      }
+    }
   }
 
-  function getObjectName(obj) {
+  function getObjectName(obj, entity) {
     let name = '';
     name += obj.s?.namespace?.db || 'db';
-    name += '.';
-    name += obj.s?.namespace?.collection || 'collection';
+
+    if (entity !== 'Db') {
+      name += '.';
+      name += obj.s?.namespace?.collection || 'collection';
+    }
+
     return name;
   }
 
@@ -193,6 +404,10 @@ module.exports = function(core) {
     const { tags } = strInfo;
     let idx = -1;
     for (const str of [...path, strInfo.value]) {
+      // This is the case with the `.aggregate` method
+      // where the argument is an array
+      if (str === 0) continue;
+
       idx = argString.indexOf(str, idx);
       if (idx == -1) {
         idx = -1;

package/lib/dataflow/sinks/install/mssql.js

@@ -17,7 +17,7 @@
 
 const {
   DataflowTag: { UNTRUSTED, SQL_ENCODED, LIMITED_CHARS, CUSTOM_VALIDATED, CUSTOM_ENCODED },
-  Rule,
+  Rule: { SQL_INJECTION },
   isString
 } = require('@contrast/common');
 const { createModuleLabel } = require('../../propagation/common');
@@ -38,7 +38,7 @@ module.exports = function (core) {
     assess: {
       dataflow: {
         tracker,
-        sinks: { isVulnerable, reportFindings },
+        sinks: { isVulnerable, isLocked, reportFindings },
         eventFactory: { createSinkEvent },
       },
     },
@@ -46,7 +46,12 @@ module.exports = function (core) {
 
   const pre = (name, obj, version) => (data) => {
     const store = sources.getStore()?.assess;
-    if (!store || !data.args[0] || !isString(data.args[0])) return;
+    if (
+      !store ||
+      !data.args[0] ||
+      !isString(data.args[0]) ||
+      isLocked(SQL_INJECTION)
+    ) return;
 
     const strInfo = tracker.getData(data.args[0]);
     if (!strInfo || !isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) {
@@ -75,7 +80,7 @@ module.exports = function (core) {
 
     if (event) {
       reportFindings({
-        ruleId: Rule.SQL_INJECTION,
+        ruleId: SQL_INJECTION,
         sinkEvent: event,
       });
     }

package/lib/dataflow/sinks/install/mysql.js

@@ -16,7 +16,19 @@
 'use strict';
 
 const { patchType } = require('../common');
-const { Rule, isString, DataflowTag: { CUSTOM_ENCODED_SQL_INJECTION, CUSTOM_ENCODED, CUSTOM_VALIDATED_SQL_INJECTION, CUSTOM_VALIDATED, SQL_ENCODED, LIMITED_CHARS, UNTRUSTED } } = require('@contrast/common');
+const {
+  Rule: { SQL_INJECTION },
+  isString,
+  DataflowTag: {
+    CUSTOM_ENCODED_SQL_INJECTION,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED_SQL_INJECTION,
+    CUSTOM_VALIDATED,
+    SQL_ENCODED,
+    LIMITED_CHARS,
+    UNTRUSTED
+  },
+} = require('@contrast/common');
 
 const safeTags = [
   CUSTOM_ENCODED_SQL_INJECTION,
@@ -35,7 +47,7 @@ module.exports = function (core) {
     assess: {
       dataflow: {
         tracker,
-        sinks: { isVulnerable, reportFindings },
+        sinks: { isVulnerable, isLocked, reportFindings },
         eventFactory: { createSinkEvent },
       },
     },
@@ -53,7 +65,11 @@ module.exports = function (core) {
 
   const pre = (module, file, obj) => (data) => {
     const store = sources.getStore()?.assess;
-    if (!store || !data.args[0]) return;
+    if (
+      !store ||
+      !data.args[0] ||
+      isLocked(SQL_INJECTION)
+    ) return;
 
     const val = getValueFromArgs(data.args);
     if (!val) return;
@@ -85,7 +101,7 @@ module.exports = function (core) {
 
     if (event) {
       reportFindings({
-        ruleId: Rule.SQL_INJECTION,
+        ruleId: SQL_INJECTION,
         sinkEvent: event,
       });
     }

package/lib/dataflow/sinks/install/postgres.js

@@ -18,20 +18,21 @@
 const util = require('util');
 const {
   DataflowTag: { UNTRUSTED, SQL_ENCODED, LIMITED_CHARS, CUSTOM_VALIDATED, CUSTOM_ENCODED },
-  Rule,
+  Rule: { SQL_INJECTION: ruleId },
   isString
 } = require('@contrast/common');
-const { patchType } = require('../common');
+const { filterSafeTags, patchType } = require('../common');
 
 module.exports = function (core) {
   const {
+    config,
     depHooks,
     patcher,
     scopes: { sources },
     assess: {
       dataflow: {
         tracker,
-        sinks: { isVulnerable, reportFindings },
+        sinks: { isVulnerable, isLocked, reportFindings, reportSafePositive },
         eventFactory: { createSinkEvent },
       },
     },
@@ -48,15 +49,17 @@ module.exports = function (core) {
 
   const postgres = core.assess.dataflow.sinks.postgres = {};
 
-  const preHook = (methodSignature, version, mod, obj) => (data) => {
+  const preHook = (methodSignature) => (data) => {
     const assessStore = sources.getStore()?.assess;
-    if (!assessStore) return;
+    if (!assessStore || isLocked(ruleId)) return;
 
     const [arg0] = data.args;
     const query = arg0?.text || arg0;
     if (!query || !isString(query)) return;
 
     const strInfo = tracker.getData(query);
+    // todo: if the query isn't tracked but users are sending tracked strings in the values
+    // array (args[1]), then shouldn't we report a "safe-positive" event of some kind?
     if (!strInfo) return;
 
     const objValue = methodSignature.includes('native') ? 'pg.native.Client' : 'pg.Client';
@@ -88,10 +91,20 @@ module.exports = function (core) {
 
       if (event) {
         reportFindings({
-          ruleId: Rule.SQL_INJECTION,
+          ruleId,
           sinkEvent: event,
         });
       }
+    } else if (config.assess.safe_positives.enable) {
+      reportSafePositive({
+        name: methodSignature,
+        ruleId,
+        safeTags: filterSafeTags(safeTags, strInfo),
+        strInfo: {
+          value: strInfo.value,
+          tags: strInfo.tags,
+        }
+      });
     }
   };
 
@@ -99,11 +112,11 @@ module.exports = function (core) {
     const pgClientQueryPatchName = 'pg.Client.prototype.query';
     depHooks.resolve(
       { name: 'pg', file: 'lib/client.js' },
-      (client, version) => {
+      (client) => {
         patcher.patch(client.prototype, 'query', {
           name: pgClientQueryPatchName,
           patchType,
-          pre: preHook('pg/lib/client.prototype.query', version, 'pg', 'Client'),
+          pre: preHook('pg/lib/client.prototype.query'),
         });
       },
     );
@@ -111,16 +124,16 @@ module.exports = function (core) {
     const pgNativeClientQueryPatchName = 'pg.native.Client.prototype.query';
     depHooks.resolve(
       { name: 'pg', file: 'lib/native/client.js' },
-      (client, version) => {
+      (client) => {
         patcher.patch(client.prototype, 'query', {
           name: pgNativeClientQueryPatchName,
           patchType,
-          pre: preHook('pg/lib/native/client.prototype.query', version, 'pg', 'native.Client'),
+          pre: preHook('pg/lib/native/client.prototype.query'),
         });
       },
     );
 
-    depHooks.resolve({ name: 'pg-pool' }, (pool, version) => {
+    depHooks.resolve({ name: 'pg-pool' }, (pool) => {
       const name = 'pg-pool.Pool.prototype.query';
       patcher.patch(pool.prototype, 'query', {
         name,
@@ -137,7 +150,7 @@ module.exports = function (core) {
             return;
           }
 
-          preHook(name, version, 'pg-pool', 'Pool')(data);
+          preHook(name)(data);
         },
       });
     });