npm - @contrast/assess - Versions diffs - 1.63.0 → 1.65.0 - Mend

@contrast/assess 1.63.0 → 1.65.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

package/lib/{session-configuration → configuration-analysis}/common.js RENAMED Viewed

@@ -15,5 +15,5 @@
 'use strict';
 module.exports = {
-  patchType: 'session-configuration'
+  patchType: 'configuration'
 };

package/lib/{session-configuration → configuration-analysis}/handlers.js RENAMED Viewed

@@ -17,15 +17,15 @@
 const {
   Event,
-  SessionConfigurationRule,
+  ConfigurationRule,
   isString,
 } = require('@contrast/common');
-const { HTTPONLY, SECURE_FLAG_MISSING } = SessionConfigurationRule;
+const { HTTPONLY, SECURE_FLAG_MISSING, GRAPHQL_INTROSPECTION } = ConfigurationRule;
 module.exports = function (core) {
   const {
-    assess: { sessionConfiguration },
+    assess: { configurationAnalysis },
     messages,
   } = core;
@@ -40,7 +40,7 @@ module.exports = function (core) {
   }
   /**
-   * @param {SessionConfigurationRule} ruleId
+   * @param {ConfigurationRule} ruleId
    * @param {import('@contrast/assess').SourceContext} sourceContext
    * @returns {import('@contrast/assess').SessionRuleState}
    */
@@ -67,7 +67,7 @@ module.exports = function (core) {
   function handle(ruleId, sourceContext, cookie, sessionEvent) {
     const state = ensureState(ruleId, sourceContext);
-    if (!sourceContext?.policy?.enabledRules?.has?.(ruleId) || state.reported) return;
+    if (sourceContext?.policy?.disabledRules?.has?.(ruleId) || state.reported) return;
     for (const value of ensureIterable(cookie)) {
       if (state.valuesAnalyzed.has(value)) continue;
@@ -76,7 +76,7 @@ module.exports = function (core) {
       if (!isVulnerable(ruleId, value)) continue;
       else {
-        sessionConfiguration.reportFindings({
+        configurationAnalysis.reportFindings({
           ruleId,
           sinkEvent: sessionEvent,
           properties: {
@@ -89,17 +89,30 @@ module.exports = function (core) {
     }
   }
-  sessionConfiguration.handleHttpOnly = function(sourceContext, cookie, sessionEvent) {
+  configurationAnalysis.handleHttpOnly = function(sourceContext, cookie, sessionEvent) {
     handle(HTTPONLY, sourceContext, cookie, sessionEvent);
   };
-  sessionConfiguration.handleSecure = function (sourceContext, cookie, sessionEvent) {
+  configurationAnalysis.handleSecure = function (sourceContext, cookie, sessionEvent) {
     handle(SECURE_FLAG_MISSING, sourceContext, cookie, sessionEvent);
   };
-  sessionConfiguration.reportFindings = function (finding) {
-    messages.emit(Event.ASSESS_SESSION_CONFIGURATION_FINDING, finding);
+  configurationAnalysis.handleGraphqlIntrospection = function (sourceContext, sessionEvent, value) {
+    const ruleId = GRAPHQL_INTROSPECTION;
+    const state = ensureState(ruleId, sourceContext);
+    if (sourceContext?.policy?.disabledRules?.has?.(ruleId) || state.reported) return;
+    configurationAnalysis.reportFindings({
+      ruleId,
+      sinkEvent: sessionEvent,
+      evidence: value
+    });
+    state.reported = true;
+  };
+  configurationAnalysis.reportFindings = function (finding) {
+    messages.emit(Event.ASSESS_CONFIGURATION_FINDING, finding);
   };
-  return sessionConfiguration;
+  return configurationAnalysis;
 };

package/lib/{session-configuration → configuration-analysis}/index.js RENAMED Viewed

@@ -18,17 +18,19 @@
 const { callChildComponentMethodsSync } = require('@contrast/common');
 module.exports = function(core) {
-  const sessionConfiguration = core.assess.sessionConfiguration = {};
+  const configurationAnalysis = core.assess.configurationAnalysis = {};
   require('./handlers')(core);
+  require('./install/apollo-server')(core);
+  require('./install/graphql-yoga')(core);
   require('./install/express-session')(core);
   require('./install/fastify-cookie')(core);
   require('./install/hapi')(core);
   require('./install/koa')(core);
-  sessionConfiguration.install = function() {
-    callChildComponentMethodsSync(sessionConfiguration, 'install');
+  configurationAnalysis.install = function() {
+    callChildComponentMethodsSync(configurationAnalysis, 'install');
   };
-  return sessionConfiguration;
+  return configurationAnalysis;
 };

package/lib/configuration-analysis/install/apollo-server.js ADDED Viewed

@@ -0,0 +1,92 @@
+/*
+ * Copyright: 2025 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { patchType } = require('../common');
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  scopes: import('@contrast/scopes').Scopes,
+ * }} core
+ */
+module.exports = function (core) {
+  const {
+    assess: {
+      inspect, // TODO NODE-3455: remove
+      getSourceContext,
+      eventFactory: { createSessionEvent },
+      configurationAnalysis: {
+        handleGraphqlIntrospection
+      },
+    },
+    depHooks,
+    patcher,
+  } = core;
+  const apolloServer = core.assess.configurationAnalysis.apolloServer = {};
+  apolloServer.install = function () {
+    return depHooks.resolve({ name: '@apollo/server', version: '>=4', file: 'dist/cjs' }, (xport) => {
+      if (!xport.ApolloServer) return;
+      patcher.patch(xport, 'ApolloServer', {
+        name: '@apollo/server.ApolloServer',
+        patchType,
+        post(data) {
+          if (!data.args[0]?.introspection) return;
+          const options = { introspection: true };
+          const optionsString = inspect(options);
+          const sessionEvent = createSessionEvent({
+            args: [{
+              tracked: false,
+              value: optionsString,
+            }],
+            context: optionsString,
+            name: '@apollo/server',
+            moduleName: 'ApolloServer',
+            methodName: '',
+            object: {
+              tracked: false,
+              value: 'ApolloServer',
+            },
+            result: {
+              tracked: false,
+            },
+            source: 'P0',
+            stacktraceOpts: {
+              constructorOpt: data.hooked,
+            },
+            framework: 'graphql',
+          });
+          patcher.patch(data.result, 'executeHTTPGraphQLRequest', {
+            name: 'ApolloServer.executeHTTPGraphQLRequest',
+            patchType,
+            post(data) {
+              const sourceContext = getSourceContext();
+              if (!sourceContext) return;
+              handleGraphqlIntrospection(sourceContext, sessionEvent, optionsString);
+            }
+          });
+        }
+      });
+    });
+  };
+  return apolloServer;
+};

package/lib/{session-configuration → configuration-analysis}/install/express-session.js RENAMED Viewed

@@ -29,7 +29,7 @@ module.exports = function (core) {
       inspect, // TODO NODE-3455: remove
       getSourceContext,
       eventFactory: { createSessionEvent },
-      sessionConfiguration: {
+      configurationAnalysis: {
         handleHttpOnly,
         handleSecure,
       },
@@ -38,7 +38,7 @@ module.exports = function (core) {
     patcher,
   } = core;
-  const expressSession = core.assess.sessionConfiguration.expressSession = {};
+  const expressSession = core.assess.configurationAnalysis.expressSession = {};
   expressSession.install = function () {
     return depHooks.resolve({ name: 'express-session', version: '<2' }, (session) => {

package/lib/{session-configuration → configuration-analysis}/install/fastify-cookie.js RENAMED Viewed

@@ -29,7 +29,7 @@ module.exports = function (core) {
       inspect, // TODO NODE-3455: remove
       getSourceContext,
       eventFactory: { createSessionEvent },
-      sessionConfiguration: {
+      configurationAnalysis: {
         handleHttpOnly,
         handleSecure,
       },
@@ -38,7 +38,7 @@ module.exports = function (core) {
     patcher,
   } = core;
-  return core.assess.sessionConfiguration.fastifyCookie = {
+  return core.assess.configurationAnalysis.fastifyCookie = {
     install () {
       depHooks.resolve({ name: '@fastify/cookie', version: '<12' }, (_export) => {
         const patched = patcher.patch(_export, {

package/lib/configuration-analysis/install/graphql-yoga.js ADDED Viewed

@@ -0,0 +1,90 @@
+/*
+ * Copyright: 2025 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { patchType } = require('../common');
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  scopes: import('@contrast/scopes').Scopes,
+ * }} core
+ */
+module.exports = function (core) {
+  const {
+    assess: {
+      inspect, // TODO NODE-3455: remove
+      getSourceContext,
+      eventFactory: { createSessionEvent },
+      configurationAnalysis: {
+        handleGraphqlIntrospection
+      },
+    },
+    depHooks,
+    patcher,
+  } = core;
+  const graphqlYoga = core.assess.configurationAnalysis.graphqlYoga = {};
+  graphqlYoga.install = function () {
+    return depHooks.resolve({ name: '@graphql-yoga/plugin-disable-introspection', version: '*', file: 'cjs' }, (xport) => patcher.patch(xport, 'useDisableIntrospection', {
+      name: '@graphql-yoga/plugin-disable-introspection.useDisableIntrospection',
+      patchType,
+      post(data) {
+        const options = data.args[0];
+        const optionsString = inspect(options);
+        patcher.patch(data.result, 'onValidate', {
+          name: 'onValidate',
+          patchType,
+          pre(data) {
+            patcher.patch(data.args[0], 'addValidationRule', {
+              name: 'addValidationRule',
+              patchType,
+              post(data) {
+                const sourceContext = getSourceContext();
+                if (!sourceContext) return;
+                const sessionEvent = createSessionEvent({
+                  args: [{
+                    tracked: false,
+                    value: optionsString,
+                  }],
+                  context: optionsString,
+                  name: '@graphql-yoga',
+                  moduleName: 'plugin-disable-introspection',
+                  methodName: 'addValidationRule',
+                  object: {
+                    tracked: false,
+                    value: 'plugin-disable-introspection',
+                  },
+                  result: {
+                    tracked: false,
+                  },
+                  source: 'P0',
+                  stacktraceOpts: {
+                    constructorOpt: data.hooked,
+                  },
+                  framework: 'graphql',
+                });
+                handleGraphqlIntrospection(sourceContext, sessionEvent, optionsString);
+              }
+            });
+          }
+        });
+      }
+    }));
+  };
+  return graphqlYoga;
+};

package/lib/{session-configuration → configuration-analysis}/install/hapi.js RENAMED Viewed

@@ -21,7 +21,7 @@ module.exports = function (core) {
     assess: {
       inspect, // TODO NODE-3455: remove
       eventFactory: { createSessionEvent },
-      sessionConfiguration: {
+      configurationAnalysis: {
         handleHttpOnly,
         handleSecure,
       },
@@ -31,7 +31,7 @@ module.exports = function (core) {
     scopes: { sources },
   } = core;
-  const hapiSession = core.assess.sessionConfiguration.hapiSession = {};
+  const hapiSession = core.assess.configurationAnalysis.hapiSession = {};
   hapiSession.install = function () {
     return depHooks.resolve({ name: '@hapi/hapi', version: '>=18 <22' }, (hapi) => {

package/lib/{session-configuration → configuration-analysis}/install/koa.js RENAMED Viewed

@@ -28,7 +28,7 @@ module.exports = function (core) {
       inspect, // TODO NODE-3455: remove
       getSourceContext,
       eventFactory: { createSessionEvent },
-      sessionConfiguration: {
+      configurationAnalysis: {
         handleHttpOnly,
         handleSecure,
       },
@@ -37,9 +37,9 @@ module.exports = function (core) {
     patcher,
   } = core;
-  return core.assess.sessionConfiguration.koa = {
+  return core.assess.configurationAnalysis.koa = {
     install () {
-      depHooks.resolve({ name: 'koa', version: '>=2.3.0 <3' }, (Koa) => {
+      depHooks.resolve({ name: 'koa', version: '>=2.3.0 <4' }, (Koa) => {
         patcher.patch(Koa.prototype, 'use', {
           name: 'Koa.Application',
           patchType,

package/lib/dataflow/propagation/install/string/substring.js CHANGED Viewed

@@ -89,7 +89,7 @@ module.exports = function(core) {
             const event = createPropagationEvent({
               name,
               moduleName: 'String',
-              methodName: 'prototype.substring',
+              methodName: `prototype.${method}`,
               get context() {
                 return `'${objInfo.value}'.substring(${ArrayPrototypeJoin.call(args.map(a => a.value))})`;
               },

package/lib/dataflow/sources/handler.js CHANGED Viewed

@@ -45,24 +45,19 @@ module.exports = Core.makeComponent({
     const logger = core.logger.child({ name: 'contrast:sources' });
     sources.createTags = function createTags({ inputType, fieldName = '', value, tagNames }) {
-      if (!value?.length) {
-        return null;
-      }
+      if (!value?.length) return null;
       const stop = value.length - 1;
-      const tags = {
-        [DataflowTag.UNTRUSTED]: [0, stop]
-      };
+      const tags = { [DataflowTag.UNTRUSTED]: [0, stop] };
-      if (tagNames) {
-        for (const tag of tagNames) {
+      if (tagNames)
+        for (const tag of tagNames)
           tags[tag] = [0, stop];
-        }
-      }
-      if (inputType === InputType.HEADER && StringPrototypeToLowerCase.call(fieldName) === 'referer') {
-        tags[DataflowTag.HEADER] = [0, stop];
-      }
+      if (
+        inputType === InputType.HEADER &&
+        StringPrototypeToLowerCase.call(fieldName) === 'referer'
+      ) tags[DataflowTag.HEADER] = [0, stop];
       return tags;
     };
@@ -81,6 +76,7 @@ module.exports = Core.makeComponent({
       stacktraceOpts,
       data,
       sourceContext,
+      onEvent,
     }) {
       if (!data) return;
@@ -89,14 +85,7 @@ module.exports = Core.makeComponent({
         return null;
       }
-      // url exclusion
-      if (!sourceContext.policy) {
-        return null;
-      }
-      if (!context) {
-        context = inputType;
-      }
+      if (!context) context = inputType;
       const { policy: requestPolicy } = sourceContext;
       const max = config.assess.max_context_source_events;
@@ -111,10 +100,13 @@ module.exports = Core.makeComponent({
       }
       function createEvent({ fieldName, pathName, value, excludedRules }) {
-        const tagNames = Array.from(excludedRules).map((ruleId) => `excluded:${ruleId}`);
+        let tagNames;
+        if (excludedRules) {
+          tagNames = Array.from(excludedRules).map((ruleId) => `excluded:${ruleId}`);
+        }
         // create the stacktrace once per call to .handle()
         stack || (stack = sources.createStacktrace(stacktraceOpts));
-        return eventFactory.createSourceEvent({
+        const eventData = {
           context: `${context}.${pathName}`,
           name,
           fieldName,
@@ -123,11 +115,19 @@ module.exports = Core.makeComponent({
           inputType,
           tags: sources.createTags({ inputType, fieldName, value, tagNames }),
           result: { tracked: true, value },
-        });
+        };
+        const event = eventFactory.createSourceEvent(eventData);;
+        if (event && onEvent) onEvent(event, fieldName, pathName);
+        return event;
       }
       if (Buffer.isBuffer(data) && !tracker.getData(data)) {
-        const { track, excludedRules } = requestPolicy.getInputPolicy(InputType.BODY);
+        const inputPolicy = requestPolicy.getInputPolicy(InputType.BODY);
+        const track = !!inputPolicy;
+        const excludedRules = inputPolicy?.constructor?.name == 'Set' ? inputPolicy : undefined;
         if (!track) {
           core.logger.debug({ inputType }, 'assess input exclusion disabled tracking');
           return;
@@ -135,6 +135,7 @@ module.exports = Core.makeComponent({
         const event = createEvent({ pathName: 'body', value: data, fieldName: '', excludedRules });
         if (event) {
+          if (onEvent) onEvent(event);
           tracker.track(data, event);
         }
@@ -149,7 +150,10 @@ module.exports = Core.makeComponent({
           return true;
         }
-        const { track, excludedRules } = sourceContext.policy.getInputPolicy(inputType, fieldName);
+        const inputPolicy = sourceContext.policy.getInputPolicy(inputType, fieldName);
+        const track = !!inputPolicy;
+        const excludedRules = inputPolicy?.constructor?.name == 'Set' ? inputPolicy : undefined;
         if (!track) {
           core.logger.debug({ fieldName, inputType }, 'assess input exclusion disabling tracking');
           return;

package/lib/dataflow/sources/index.js CHANGED Viewed

@@ -29,12 +29,14 @@ module.exports = function (core) {
   require('./install/body-parser')(core);
   require('./install/busboy')(core);
   require('./install/cookie-parser1')(core);
+  core.initComponentSync(require('./install/fastify-websocket'));
   require('./install/formidable1')(core);
   require('./install/graphql-http')(core);
   require('./install/http')(core);
   require('./install/qs6')(core);
   require('./install/querystring')(core);
   require('./install/multer1')(core);
+  core.initComponentSync(require('./install/socket.io'));
   sources.install = function install() {
     callChildComponentMethodsSync(sources, 'install');

package/lib/dataflow/sources/install/fastify-websocket.js ADDED Viewed

@@ -0,0 +1,63 @@
+'use strict';
+const { InputType, set } = require('@contrast/common');
+const Core = require('@contrast/core/lib/ioc/core');
+const { patchType } = require('../common');
+const COMPONENT_NAME = 'assess.dataflow.sources.fastifyWebsocketInstrumentation';
+module.exports = Core.makeComponent({
+  name: COMPONENT_NAME,
+  factory: (core) => new FastifyWebsocketAssessSource(core),
+});
+class FastifyWebsocketAssessSource {
+  constructor(core) {
+    Object.defineProperty(this, 'core', { value: core });
+    set(core, COMPONENT_NAME, this);
+  }
+  /**
+   * Deploys @fastify/websocket instrumentation.
+   */
+  install() {
+    const {
+      depHooks,
+      patcher,
+      assess,
+    } = this.core;
+    depHooks.resolve({ name: '@fastify/websocket', version: '*' }, (fws) => {
+      // patch exported function
+      return patcher.patch(fws, {
+        name: '@fastify/websocket',
+        patchType,
+        post(data) {
+          // the plugin decorates fastify with the ws.WebSocketServer instance.
+          // we use the connection event to get reference to connecting
+          // WebSockets, and track when they emit message buffers.
+          data.args[0].websocketServer?.on?.('connection', (socket) => {
+            socket.on('message', function handler(data) {
+              const sourceContext = assess.getSourceContext();
+              // this should be present since sources run 'upgrade' requests in request scope
+              if (!sourceContext) return;
+              // this will track the emitted buffer
+              assess.dataflow.sources.handle({
+                data,
+                name: 'fastify-websocket',
+                inputType: InputType.WEBSOCKET,
+                stacktraceOpts: { constructorOpt: handler },
+                sourceContext,
+                onEvent(event) {
+                  event.context = 'WebSocket.on("message", ...args)';
+                  event.args = [{ value: 'args.0', tracked: true }];
+                },
+              });
+            });
+          });
+        }
+      });
+    });
+  }
+};