@contrast/assess 1.6.0 → 1.8.0

package/lib/dataflow/sources/install/express/index.js

@@ -0,0 +1,31 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { callChildComponentMethodsSync } = require('@contrast/common');
+
+module.exports = function (core) {
+  core.assess.dataflow.sources.expressInstrumentation = {
+    install() {
+      callChildComponentMethodsSync(this, 'install');
+    }
+  };
+
+  require('./params')(core);
+  require('./parsedUrl')(core);
+
+  return core.assess.dataflow.sources.expressInstrumentation;
+};

package/lib/dataflow/sources/install/express/params.js

@@ -0,0 +1,81 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { InputType } = require('@contrast/common');
+const { patchType } = require('../../../propagation/common');
+
+module.exports = function init(core) {
+  const { depHooks, patcher, logger } = core;
+
+  core.assess.dataflow.sources.expressInstrumentation.params = {
+    install() {
+      const name = 'Layer.prototype.match';
+      depHooks.resolve(
+        { name: 'express', file: 'lib/router/layer.js' },
+        (Layer) => {
+          patcher.patch(Layer.prototype, 'match', {
+            name,
+            patchType,
+            post(data) {
+              const layer = data.obj;
+
+              // we can exit early if
+              //  the layer doesn't match the request or
+              //  the layer doesn't recognize any parameters
+              if (!data.result || !layer.keys || layer.keys.length === 0) {
+                return;
+              }
+
+              const sourceContext = core.scopes.sources.getStore()?.assess;
+
+              if (!sourceContext) {
+                logger.error({ name }, 'unable to handle source. Missing `sourceContext`');
+                return;
+              }
+
+              if (sourceContext.parsedParams) {
+                logger.trace({ name }, 'values already tracked');
+                return;
+              }
+
+              try {
+                core.assess.dataflow.sources.handle({
+                  context: 'req.params',
+                  name,
+                  inputType: InputType.PARAMETER_VALUE,
+                  stacktraceOpts: {
+                    constructorOpt: data.hooked,
+                    prependFrames: [data.orig]
+                  },
+                  data: layer.params,
+                  sourceContext
+                });
+                sourceContext.parsedParams = true;
+              } catch (err) {
+                logger.error({ err, name }, 'unable to handle source');
+              }
+            }
+          });
+
+          return Layer;
+        }
+      );
+    }
+  };
+
+  return core.assess.dataflow.sources.expressInstrumentation.params;
+};

package/lib/dataflow/sources/install/express/parsedUrl.js

@@ -0,0 +1,87 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { InputType } = require('@contrast/common');
+const { patchType } = require('../../common');
+
+module.exports = function init(core) {
+  const {
+    assess: {
+      dataflow: { sources }
+    },
+    depHooks,
+    patcher,
+    scopes
+  } = core;
+
+  core.assess.dataflow.sources.expressInstrumentation.parsedUrl = {
+    install() {
+      depHooks.resolve(
+        { name: 'express', file: 'lib/middleware/init.js' },
+        /** @param {import('express/lib/middleware/init')} mw */
+        (mw) => {
+          const name = 'express.middleware.init';
+          patcher.patch(mw, 'init', {
+            name,
+            patchType,
+            post(data) {
+              data.result = patcher.patch(data.result, {
+                name: 'express.middleware.init.expressInit',
+                patchType,
+                pre(data) {
+                  const { args: [req] } = data;
+                  patcher.patch(data.args, '2', {
+                    name: 'express.middleware.init.expressInit.next',
+                    patchType,
+                    pre(data) {
+                      const sourceContext = scopes.sources.getStore()?.assess;
+                      if (!sourceContext) return;
+
+                      const sourceInfo = {
+                        context: 'req._parsedUrl',
+                        data: req._parsedUrl,
+                        name,
+                        sourceContext,
+                        stacktraceOpts: {
+                          constructorOpt: data.hooked
+                        }
+                      };
+
+                      sources.handle({
+                        ...sourceInfo,
+                        inputType: InputType.URI,
+                        keys: ['href', 'path', 'pathname'],
+                      });
+
+                      sources.handle({
+                        ...sourceInfo,
+                        inputType: InputType.QUERYSTRING,
+                        keys: ['query', 'search'],
+                      });
+                    }
+                  });
+                }
+              });
+            }
+          });
+        }
+      );
+    }
+  };
+
+  return core.assess.dataflow.sources.expressInstrumentation.parsedUrl;
+};

package/lib/dataflow/sources/install/http.js

@@ -19,9 +19,9 @@ const { toLowerCase, InputType } = require('@contrast/common');
 
 module.exports = function(core) {
   const {
-    scopes: { sources },
+    scopes,
     instrumentation: { instrument },
-    assess: { dataflow: { sources: dataflowSources } },
+    assess: { dataflow },
     patcher,
   } = core;
 
@@ -40,7 +40,7 @@ module.exports = function(core) {
 
     try {
       const [, req, res] = data.args;
-      const store = sources.getStore();
+      const store = scopes.sources.getStore();
 
       if (!store) {
         logger.debug('cannot acquire store for assess request handling');
@@ -97,7 +97,6 @@ module.exports = function(core) {
       }
 
       const headers = {};
-      const sourceInputType = InputType.HEADER;
       const sourceName = 'ClientRequest';
 
       store.assess = {
@@ -107,22 +106,37 @@ module.exports = function(core) {
         findings: {},
       };
 
-      try {
-        dataflowSources.handle({
+      const sourceInfo = {
+        name: sourceName,
+        stacktraceOpts: {
+          constructorOpt: data.hooked,
+          prependFrames: [data.orig]
+        },
+        sourceContext: store.assess
+      };
+
+      [
+        {
           context: 'req.headers',
+          inputType: InputType.HEADER,
           data: req.headers,
-          inputType: sourceInputType,
-          name: sourceName,
-          stacktraceOpts: {
-            constructorOpt: data.hooked,
-            prependFrames: [data.orig]
-          },
-          sourceContext: store.assess
-        });
-
-      } catch (err) {
-        logger.error({ err, inputType: sourceInputType, name: sourceName }, 'unable to handle http source');
-      }
+          ...sourceInfo,
+        },
+        {
+          context: 'req',
+          keys: ['url'],
+          inputType: InputType.URI,
+          data: req,
+          ...sourceInfo,
+        }
+      ].forEach((sourceData) => {
+        const { inputType } = sourceData;
+        try {
+          dataflow.sources.handle(sourceData);
+        } catch (err) {
+          logger.error({ err, inputType, name: sourceName }, 'unable to handle http source');
+        }
+      });
 
       for (let i = 0; i < req.rawHeaders.length; i += 2) {
         const header = toLowerCase(req.rawHeaders[i]);

package/lib/dataflow/sources/install/querystring.js

@@ -0,0 +1,75 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { InputType } = require('@contrast/common');
+const { patchType } = require('../common');
+
+module.exports = (core) => {
+  const { depHooks, patcher, logger } = core;
+
+  core.assess.dataflow.sources.querystringInstrumentation = {
+    install() {
+      const name = 'querystring.parse';
+      depHooks.resolve({ name: 'querystring' },
+        (querystring) => patcher.patch(querystring, 'parse', {
+          name,
+          patchType,
+          post({ args, hooked, orig, result }) {
+            const sourceContext = core.scopes.sources.getStore()?.assess;
+            const inputType = InputType.QUERYSTRING;
+
+            if (!sourceContext) {
+              logger.error({ name }, 'unable to handle source. Missing `sourceContext`');
+              return;
+            }
+
+            if (sourceContext.parsedQuery) {
+              logger.trace({ name }, 'values already tracked');
+              return;
+            }
+
+            // We only run analysis for the `querystring` result when it's used
+            // as the framework's query parser
+            if (sourceContext.reqData?.queries === args[0]) {
+              try {
+                core.assess.dataflow.sources.handle({
+                  context: 'req.query',
+                  name,
+                  inputType,
+                  stacktraceOpts: {
+                    constructorOpt: hooked,
+                    prependFrames: [orig]
+                  },
+                  data: result,
+                  sourceContext
+                });
+
+                // we do not set the `parsedQuery` value here so that frameworks
+                // may handle queries in their own more specific manner.
+              } catch (err) {
+                logger.error({ err, name }, 'unable to handle source');
+              }
+            }
+          }
+        })
+      );
+    }
+  };
+
+  return core.assess.dataflow.sources.querystringInstrumentation;
+};
+

package/lib/dataflow/tag-utils.js

@@ -68,6 +68,57 @@ function atomicSubset(tags, subsetStart, len) {
   return ret;
 }
 
+function atomicMerge(firstTagRanges, secondTagRanges) {
+  const mergedRanges = [];
+  let i = 0;
+  let j = 0;
+
+  while (i < firstTagRanges.length && j < secondTagRanges.length) {
+    const start1 = firstTagRanges[i];
+    const end1 = firstTagRanges[i + 1];
+    const start2 = secondTagRanges[j];
+    const end2 = secondTagRanges[j + 1];
+
+    if (end1 < start2) {
+      mergedRanges.push(start1, end1);
+      i += 2;
+    } else if (end2 < start1) {
+      mergedRanges.push(start2, end2);
+      j += 2;
+    } else {
+      const mergedStart = Math.min(start1, start2);
+      const mergedEnd = Math.max(end1, end2);
+      mergedRanges.push(mergedStart, mergedEnd);
+      i += 2;
+      j += 2;
+    }
+  }
+
+  while (i < firstTagRanges.length) {
+    mergedRanges.push(firstTagRanges[i], firstTagRanges[i + 1]);
+    i += 2;
+  }
+
+  while (j < secondTagRanges.length) {
+    mergedRanges.push(secondTagRanges[j], secondTagRanges[j + 1]);
+    j += 2;
+  }
+
+  // Merge adjacent ranges
+  const finalMergedRanges = [];
+  for (let k = 0; k < mergedRanges.length; k += 2) {
+    const start = mergedRanges[k];
+    let end = mergedRanges[k + 1];
+    while (k + 2 < mergedRanges.length && mergedRanges[k + 2] - end === 1) {
+      end = mergedRanges[k + 3];
+      k += 2;
+    }
+    finalMergedRanges.push(start, end);
+  }
+
+  return finalMergedRanges;
+}
+
 function createAppendTags(firstTags, secondTags, offset) {
   const ret = Object.create(null);
   const firstTagsObject = ensureObject(firstTags);
@@ -115,8 +166,24 @@ function createFullLengthCopyTags(tags, resultLength) {
   return Object.keys(ret).length ? ret : null;
 }
 
+function createMergedTags(firstTags, secondTags) {
+  const ret = Object.create(null);
+  const firstTagsObject = ensureObject(firstTags);
+  const secondTagsObject = ensureObject(secondTags);
+  const tagNames = new Set([...Object.keys(firstTagsObject), ...Object.keys(secondTagsObject)]);
+
+  for (const tagName of tagNames) {
+    const newTagRanges = atomicMerge(ensureTagsImmutable(firstTagsObject, tagName), ensureTagsImmutable(secondTagsObject, tagName));
+
+    newTagRanges.length && (ret[tagName] = newTagRanges);
+  }
+
+  return Object.keys(ret).length ? ret : null;
+}
+
 module.exports = {
   createSubsetTags,
   createAppendTags,
-  createFullLengthCopyTags
+  createFullLengthCopyTags,
+  createMergedTags
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.6.0",
+  "version": "1.8.0",
   "description": "",
   "main": "lib/index.js",
   "scripts": {
@@ -14,8 +14,8 @@
   },
   "dependencies": {
     "@contrast/distringuish": "^4.1.0",
-    "@contrast/scopes": "1.3.0",
-    "@contrast/common": "1.9.0",
+    "@contrast/scopes": "1.4.0",
+    "@contrast/common": "1.11.0",
     "parseurl": "^1.3.3"
   }
 }