@contrast/assess 1.6.0 → 1.8.0

package/lib/dataflow/sinks/install/sequelize.js

@@ -0,0 +1,142 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const util = require('util');
+const {
+  Rule: { SQL_INJECTION },
+  DataflowTag: {
+    UNTRUSTED,
+    SQL_ENCODED,
+    LIMITED_CHARS,
+    CUSTOM_VALIDATED,
+    CUSTOM_ENCODED,
+  },
+} = require('@contrast/common');
+const { patchType, filterSafeTags } = require('../common');
+
+module.exports = function (core) {
+  const {
+    depHooks,
+    patcher,
+    config,
+    scopes: { sources },
+    assess: {
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, runInActiveSink, reportFindings, reportSafePositive },
+        eventFactory: { createSinkEvent },
+      },
+    },
+  } = core;
+
+  const safeTags = [
+    SQL_ENCODED,
+    LIMITED_CHARS,
+    CUSTOM_VALIDATED,
+    CUSTOM_ENCODED
+  ];
+  const requiredTag = UNTRUSTED;
+  const inspect = patcher.unwrap(util.inspect);
+
+  const sequelize = (core.assess.dataflow.sinks.sequelize = {});
+
+  sequelize.install = function () {
+    const sequelizeQueryPatchName = 'sequelize.prototype.query';
+    depHooks.resolve({ name: 'sequelize' }, (sequelize) => {
+      patcher.patch(sequelize.prototype, 'query', {
+        name: sequelizeQueryPatchName,
+        patchType,
+        around(next, data) {
+          const { args, hooked, orig } = data;
+          const sourceContext = sources.getStore()?.assess;
+          if (!sourceContext || !args[0]) return next();
+
+          const query = typeof args[0] === 'string' ? args[0] : args[0].query;
+
+          try {
+            const queryInfo = tracker.getData(query);
+            const isVulnerableQuery = isVulnerable(requiredTag, safeTags, queryInfo.tags);
+
+            if (queryInfo && !isVulnerableQuery && config.assess.safe_positives.enable) {
+              reportSafePositive({
+                name: sequelizeQueryPatchName,
+                ruleId: SQL_INJECTION,
+                safeTags: filterSafeTags(safeTags, queryInfo),
+                strInfo: {
+                  value: queryInfo?.value,
+                  tags: queryInfo.tags,
+                },
+              });
+            }
+
+            if (
+              !queryInfo ||
+              !isVulnerableQuery
+            ) {
+              return runInActiveSink(SQL_INJECTION, async () => await next());
+            }
+
+            const sqlValue =
+              typeof args[0] === 'string' ? args[0] : inspect(args[0]);
+            const inspectedOptions = args[1] ? inspect(args[1]) : '';
+            const contextArgs = args[1]
+              ? `${sqlValue}, ${inspectedOptions}`
+              : sqlValue;
+
+            const reportedArgs = [{ value: sqlValue, tracked: true }];
+            args[1] &&
+              reportedArgs.push({ value: inspectedOptions, tracked: false });
+
+            const event = createSinkEvent({
+              context: `sequelize.prototype.query(${contextArgs})`,
+              name: sequelizeQueryPatchName,
+              history: [queryInfo],
+              object: {
+                value: 'sequelize.prototype',
+                tracked: false,
+              },
+              args: reportedArgs,
+              tags: queryInfo?.tags,
+              source: 'P0',
+              stacktraceOpts: {
+                contructorOpt: hooked,
+                prependFrames: [orig],
+              },
+            });
+
+            if (event) {
+              reportFindings({
+                ruleId: SQL_INJECTION,
+                sinkEvent: event,
+              });
+            }
+            /* c8 ignore next 3 */
+          } catch (err) {
+            core.logger.error(
+              { name: sequelizeQueryPatchName, err },
+              'assess sink analysis failed'
+            );
+          }
+
+          return runInActiveSink(SQL_INJECTION, async () => await next());
+        },
+      });
+    });
+  };
+
+  return sequelize;
+};

package/lib/dataflow/sinks/install/sqlite3.js

@@ -18,7 +18,7 @@
 const { patchType } = require('../common');
 const {
   DataflowTag: { UNTRUSTED, SQL_ENCODED, LIMITED_CHARS, CUSTOM_VALIDATED, CUSTOM_ENCODED },
-  Rule,
+  Rule: { SQL_INJECTION },
   isString
 } = require('@contrast/common');
 
@@ -37,7 +37,7 @@ module.exports = function (core) {
     assess: {
       dataflow: {
         tracker,
-        sinks: { isVulnerable, reportFindings },
+        sinks: { isVulnerable, isLocked, reportFindings },
         eventFactory: { createSinkEvent },
       },
     },
@@ -45,7 +45,12 @@ module.exports = function (core) {
 
   const pre = (name) => (data) => {
     const store = sources.getStore()?.assess;
-    if (!store || !data.args[0] || !isString(data.args[0])) return;
+    if (
+      !store ||
+      !data.args[0] ||
+      !isString(data.args[0]) ||
+      isLocked(SQL_INJECTION)
+    ) return;
 
     const strInfo = tracker.getData(data.args[0]);
     if (!strInfo || !isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) {
@@ -74,7 +79,7 @@ module.exports = function (core) {
 
     if (event) {
       reportFindings({
-        ruleId: Rule.SQL_INJECTION,
+        ruleId: SQL_INJECTION,
         sinkEvent: event,
       });
     }

package/lib/dataflow/sources/handler.js

@@ -19,7 +19,6 @@ const {
   InputType,
   DataflowTag,
   isString,
-  traverseValues
 } = require('@contrast/common');
 
 module.exports = function(core) {
@@ -28,17 +27,17 @@ module.exports = function(core) {
       dataflow: {
         sources,
         tracker,
-        eventFactory: { createSourceEvent }
+        eventFactory
       }
     },
-    createSnapshot,
     config,
+    createSnapshot,
     logger,
   } = core;
 
   const emptyStack = Object.freeze([]);
 
-  sources.createTags = function createTags({ inputType, key, value }) {
+  sources.createTags = function createTags({ inputType, fieldName = '', value }) {
     if (!value?.length) {
       return null;
     }
@@ -48,55 +47,93 @@ module.exports = function(core) {
       [DataflowTag.UNTRUSTED]: [0, stop]
     };
 
-    if (inputType === InputType.HEADER && key.toLowerCase() === 'referer') {
+    if (inputType === InputType.HEADER && fieldName.toLowerCase() === 'referer') {
       tags[DataflowTag.HEADER] = [0, stop];
     }
 
     return tags;
   };
 
+  sources.createStacktrace = function(stacktraceOpts) {
+    return config.assess.stacktraces === 'NONE'
+      ? emptyStack
+      : createSnapshot(stacktraceOpts)();
+  };
+
   sources.handle = function({
     context,
+    keys,
     name,
     inputType = InputType.UNKNOWN,
     stacktraceOpts,
     data,
-    sourceContext
+    sourceContext,
   }) {
     if (!data) return;
 
-    const max = config.assess.max_context_source_events;
-
     if (!sourceContext) {
       core.logger.trace({ inputType, name }, 'skipping assess source handling - no request context');
       return null;
     }
 
+    if (!context) {
+      context = inputType;
+    }
+
+    const max = config.assess.max_context_source_events;
+    let _data = data;
     let stack;
 
-    traverseValues(data, (path, type, value, obj) => {
+    if (keys) {
+      _data = {};
+      for (const key of keys) {
+        _data[key] = data[key];
+      }
+    }
+
+    function createEvent({ fieldName, pathName, value }) {
+      // create the stacktrace once per call to .handle()
+      stack || (stack = sources.createStacktrace(stacktraceOpts));
+      return eventFactory.createSourceEvent({
+        context: `${context}.${pathName}`,
+        name,
+        fieldName,
+        pathName,
+        stack,
+        inputType,
+        tags: sources.createTags({ inputType, fieldName, value }),
+        result: { tracked: true, value },
+      });
+    }
+
+    if (Buffer.isBuffer(data) && !tracker.getData(data)) {
+      const event = createEvent({ pathName: 'body', value: data, fieldName: '' });
+      if (event) {
+        tracker.track(data, event);
+      }
+      return;
+    }
+
+    traverse(_data, (path, fieldName, value, obj) => {
+      const pathName = path.join('.');
+
       if (sourceContext.sourceEventsCount >= max) {
         core.logger.trace({ inputType, name }, 'exiting assess source handling - %s max events exceeded', max);
         return true;
       }
 
       if (isString(value) && value.length) {
-        stack = stack || config.assess.stacktraces === 'NONE'
-          ? emptyStack
-          : createSnapshot(stacktraceOpts)();
-        const key = path[path.length - 1];
-        const pathName = path.join('.');
-        const event = createSourceEvent({
-          context: `${context}.${pathName}`,
-          name,
-          fieldName: key,
-          pathName,
-          stack,
-          inputType,
-          tags: sources.createTags({ inputType, key, value }),
-          result: { tracked: true, value },
-        });
+        const strInfo = tracker.getData(value);
+
+        if (strInfo) {
+          // TODO: confirm this "layering-on" approach is what we want
+          // when the value is tracked the handler wins out and we "re-tracks" the value with new source
+          // event metadata. without this step tracker would complain about value already being tracked.
+          // alternatively we could treat this more like a propagation event and update existing metadata.
+          value = strInfo.value;
+        }
 
+        const event = createEvent({ pathName, value, fieldName });
         if (!event) {
           core.logger.warn({ inputType, name, pathName, value }, 'unable to create source event');
           return;
@@ -104,15 +141,96 @@ module.exports = function(core) {
 
         const { extern } = tracker.track(value, event);
         if (extern) {
-          logger.trace({ extern, key, name, inputType }, 'tracked');
-          obj[key] = extern;
+          logger.trace({ extern, fieldName, name, inputType }, 'tracked');
+          obj[fieldName] = extern;
+
           sourceContext.sourceEventsCount++;
         }
+      } else if (Buffer.isBuffer(value) && !tracker.getData(value)) {
+        const event = createEvent({ pathName, value, fieldName });
+        if (event) {
+          tracker.track(value, event);
+        } else {
+          core.logger.warn({ inputType, name, pathName, value }, 'unable to create source event');
+        }
       }
     });
 
+    if (keys) {
+      for (const key of keys) {
+        data[key] = _data[key];
+      }
+    }
+
     return data;
   };
 
   return sources;
 };
+
+/**
+ * A custom traversal function for handling source value tracking efficiently.
+ * Implementation was adapted from traversal methods in @contrast/common.
+ * @param {any} target object to traverse
+ * @param {function} cb function<path, key, value, obj>
+ * @param {string[]} path path of node being visted; constructed of nested keys
+ * @param {boolean} halt whether to halt traversal; determined by callback
+ * @param {Set} visited used to dedupe circular references
+ */
+function traverse(target, cb, path = [], visited = new Set()) {
+  if (isTraversable(target)) {
+    for (const key in target) {
+      path.push(key);
+
+      const value = target[key];
+
+      if (visited.has(value)) {
+        path.pop();
+        break;
+      }
+
+      if (isVisitable(value)) {
+        const halt = cb(path, key, value, target) === false;
+        if (halt) {
+          return;
+        }
+      }
+
+      if (isTraversable(value)) {
+        visited.add(value);
+        traverse(value, cb, path, visited);
+      }
+
+      path.pop();
+    }
+  }
+}
+
+/**
+ * Visit strings, buffers, basic objects and arrays.
+ * @param {any} value the value to check
+ * @returns {boolean}
+ */
+function isVisitable(value) {
+  if (!value) return false;
+
+  return value.constructor?.name === 'String' ||
+    value.constructor?.name === 'Buffer' ||
+    (typeof value === 'object' && !value.constructor);
+}
+
+/**
+ * The criteria for traversal is a strict as possible. We only traverse plain
+ * objects and arrays and objects created via Object.create(null).
+ * @param {any} value the value to check
+ * @returns {boolean}
+ */
+function isTraversable(value) {
+  if (!value || typeof value !== 'object') return false;
+
+  return value.constructor?.name === 'Object' ||
+    value.constructor?.name === 'Array' ||
+    !value.constructor;
+}
+
+module.exports.traverse = traverse;

package/lib/dataflow/sources/index.js

@@ -17,23 +17,21 @@
 
 const { callChildComponentMethodsSync } = require('@contrast/common');
 
-module.exports = function(core) {
+module.exports = function (core) {
   const sources = core.assess.dataflow.sources = {};
 
-  // API
   require('./handler')(core);
-  // installers
-  // general
-  require('./install/http')(core);
 
-  // frameworks and frameworks specific libraries
+  require('./install/express')(core);
   require('./install/fastify')(core);
   require('./install/koa')(core);
-
-  // libraries
+  require('./install/body-parser1')(core);
   require('./install/busboy1')(core);
+  require('./install/cookie-parser1')(core);
   require('./install/formidable1')(core);
+  require('./install/http')(core);
   require('./install/qs6')(core);
+  require('./install/querystring')(core);
 
   sources.install = function install() {
     callChildComponentMethodsSync(sources, 'install');

package/lib/dataflow/sources/install/body-parser1.js

@@ -0,0 +1,133 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { InputType } = require('@contrast/common');
+const { patchType } = require('../common');
+
+const METHODS = ['json', 'raw', 'text', 'urlencoded'];
+const INPUT_TYPES = {
+  'body-parser.json.jsonParser': InputType.JSON_VALUE,
+  'body-parser.raw.rawParser': InputType.BODY,
+  'body-parser.text.textParser': InputType.BODY,
+  'body-parser.urlencoded.urlencodedParser': InputType.PARAMETER_VALUE,
+};
+
+module.exports = function init(core) {
+  const { assess, depHooks, logger, patcher, scopes } = core;
+
+  const createPreHook = (name) => (data) => {
+    const [req, , next] = data.args;
+    data.args[2] = function contrastNext(...args) {
+      const sourceContext = scopes.sources.getStore()?.assess;
+
+      if (!sourceContext) {
+        logger.error({ name }, 'unable to handle source. Missing `sourceContext`');
+        return next(...args);
+      }
+
+      if (sourceContext.parsedBody) {
+        logger.trace({ name }, 'values already tracked');
+        return next(...args);
+      }
+
+      // when using a specific parser, we know the input type.
+      let inputType = INPUT_TYPES[name];
+      // when using `bodyParser()`, determine input type by content type.
+      if (!inputType) {
+        inputType = req.headers?.['content-type']?.includes('json')
+          ? InputType.JSON_VALUE
+          : req.headers?.['content-type']?.includes('urlencoded')
+            ? InputType.PARAMETER_VALUE
+            : InputType.BODY;
+      }
+
+      let keys;
+      let _data = req.body;
+      let context = 'req.body';
+      const isString = typeof _data === 'string';
+      const isBuffer = Buffer.isBuffer(_data);
+
+      if (isString || isBuffer) {
+        context = 'req';
+        keys = ['body'];
+        _data = req;
+      }
+
+      try {
+        assess.dataflow.sources.handle({
+          context,
+          data: _data,
+          name,
+          keys,
+          inputType,
+          sourceContext,
+          stacktraceOpts: {
+            constructorOpt: contrastNext
+          },
+        });
+
+        sourceContext.parsedBody = !!Object.keys(_data).length;
+      } catch (err) {
+        logger.error({ name, err }, 'unable to handle source');
+      }
+
+      return next(...args);
+    };
+  };
+
+  assess.dataflow.sources.bodyParser1Instrumentation = {
+    install() {
+      depHooks.resolve(
+        { name: 'body-parser', version: '>=1.0.0' },
+        /** @param {import('body-parser').BodyParser} bodyParser */
+        (bodyParser) => {
+          bodyParser = patcher.patch(bodyParser, {
+            name: 'body-parser',
+            patchType,
+            post(data) {
+              const name = 'body-parser.bodyParser';
+              data.result = patcher.patch(data.result, {
+                name,
+                patchType,
+                pre: createPreHook(name),
+              });
+            },
+          });
+
+          METHODS.forEach((method) => {
+            patcher.patch(bodyParser, method, {
+              name: `body-parser.${method}`,
+              patchType,
+              post(data) {
+                const name = `body-parser.${method}.${method}Parser`;
+                data.result = patcher.patch(data.result, {
+                  name,
+                  patchType,
+                  pre: createPreHook(name)
+                });
+              },
+            });
+          });
+
+          return bodyParser;
+        }
+      );
+    }
+  };
+
+  return assess.dataflow.sources.bodyParser1Instrumentation;
+};

package/lib/dataflow/sources/install/cookie-parser1.js

@@ -0,0 +1,101 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { InputType } = require('@contrast/common');
+const { patchType } = require('../common');
+
+module.exports = function init(core) {
+  const { assess, depHooks, logger, patcher, scopes } = core;
+
+  assess.dataflow.sources.cookieParser1Instrumentation = {
+    install() {
+      depHooks.resolve(
+        { name: 'cookie-parser', version: '>=1.0.0' },
+        /** @param {import('cookie-parser')} cookieParser */
+        (cookieParser) =>
+          patcher.patch(cookieParser, {
+            name: 'cookie-parser',
+            patchType,
+            post(data) {
+              const name = 'cookie-parser.cookieParser';
+              data.result = patcher.patch(data.result, {
+                name,
+                patchType,
+                pre(data) {
+                  const [req, , next] = data.args;
+                  data.args[2] = function contrastNext(...args) {
+                    const sourceContext = scopes.sources.getStore()?.assess;
+
+                    if (!sourceContext) {
+                      logger.error({ name }, 'unable to handle source. Missing `sourceContext`');
+                      return;
+                    }
+
+                    if (sourceContext.parsedCookies) {
+                      logger.trace({ name }, 'cookies already tracked');
+                    } else if (req.cookies) {
+                      try {
+                        assess.dataflow.sources.handle({
+                          context: 'req.cookies',
+                          name,
+                          inputType: InputType.COOKIE_VALUE,
+                          stacktraceOpts: {
+                            constructorOpt: contrastNext
+                          },
+                          data: req.cookies,
+                          sourceContext,
+                        });
+
+                        sourceContext.parsedCookies = !!Object.keys(req.cookies).length;
+                      } catch (err) {
+                        logger.error({ name, err }, 'unable to handle source');
+                      }
+                    }
+
+                    if (sourceContext.parsedSignedCookies) {
+                      logger.trace({ name }, 'signedCookies already tracked');
+                    } else if (req.signedCookies) {
+                      try {
+                        assess.dataflow.sources.handle({
+                          context: 'req.signedCookies',
+                          name,
+                          inputType: InputType.COOKIE_VALUE,
+                          stacktraceOpts: {
+                            constructorOpt: contrastNext
+                          },
+                          data: req.signedCookies,
+                          sourceContext,
+                        });
+
+                        sourceContext.parsedSignedCookies = !!Object.keys(req.signedCookies).length;
+                      } catch (err) {
+                        logger.error({ name, err }, 'unable to handle source');
+                      }
+                    }
+
+                    return next(...args);
+                  };
+                },
+              });
+            },
+          })
+      );
+    }
+  };
+
+  return assess.dataflow.sources.cookieParser1Instrumentation;
+};