npm - @contrast/assess - Versions diffs - 1.7.0 → 1.8.0 - Mend

@contrast/assess 1.7.0 → 1.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/lib/dataflow/propagation/index.js +2 -0
package/lib/dataflow/propagation/install/JSON/index.js +33 -0
package/lib/dataflow/propagation/install/JSON/stringify.js +290 -0
package/lib/dataflow/propagation/install/buffer.js +79 -0
package/lib/dataflow/sinks/install/mongodb.js +247 -149
package/lib/dataflow/sources/handler.js +140 -26
package/lib/dataflow/sources/index.js +2 -7
package/lib/dataflow/sources/install/body-parser1.js +19 -6
package/lib/dataflow/sources/install/express/index.js +4 -1
package/lib/dataflow/sources/install/express/params.js +81 -0
package/lib/dataflow/sources/install/express/parsedUrl.js +87 -0
package/lib/dataflow/sources/install/http.js +32 -18
package/lib/dataflow/sources/install/querystring.js +75 -0
package/lib/dataflow/tag-utils.js +68 -1
package/package.json +2 -2

package/lib/dataflow/sinks/install/mongodb.js CHANGED Viewed

@@ -47,11 +47,16 @@ const collectionMethods = [
   'updateMany',
   'deleteOne',
   'deleteMany',
+  'aggregate',
+  'mapReduce',
+  'group'
 ];
 const dbMethods = [
   'command',
-  'eval'
+  'eval',
+  'aggregate'
 ];
+const methodsWithNestedCalls = ['findOne', 'eval', 'group'];
 const querySafeTags = [
   ALPHANUM_SPACE_HYPHEN,
@@ -80,7 +85,7 @@ module.exports = function(core) {
   const inspect = patcher.unwrap(util.inspect);
   const instr = core.assess.dataflow.sinks.mongodb = {};
-  instr.getVulnerabilityInfo = function getVulnerabilityInfo(query) {
+  instr.getQueryVulnerabilityInfo = function getQueryVulnerabilityInfo(query) {
     let vulnInfo = null;
     let reportSafe = null;
@@ -103,10 +108,10 @@ module.exports = function(core) {
       const strInfo = tracker.getData(value);
       if (strInfo) {
         if (isVulnerable(UNTRUSTED, querySafeTags, strInfo.tags)) {
-          vulnInfo = { path, strInfo };
+          vulnInfo = { path: [...path], strInfo };
           return true; // halts traversal
         } else {
-          reportSafe = { path, strInfo };
+          reportSafe = { path: [...path], strInfo };
         }
       }
     });
@@ -114,6 +119,202 @@ module.exports = function(core) {
     return { vulnInfo, reportSafe };
   };
+  instr.getAggregateVulnerabilityInfo = function getAggregateVulnerabilityInfo(aggregation) {
+    let vulnInfo = null;
+    let reportSafe = null;
+    if (!isNonEmptyObject(aggregation)) return { vulnInfo, reportSafe };
+    traverseValues(aggregation, (path, _type, value) => {
+      const accumulatorFuncProps = [
+        'init',
+        'merge',
+        'accumulate',
+        'finalize'
+      ];
+      const lastIdx = path.length - 1;
+      if (
+        (path[lastIdx - 1] === '$function' && path[lastIdx] === 'body') ||
+        (path[lastIdx - 1] === '$accumulator' && accumulatorFuncProps.includes(path[lastIdx]))
+      ) {
+        const strInfo = tracker.getData(value);
+        if (strInfo) {
+          if (isVulnerable(UNTRUSTED, querySafeTags, strInfo.tags)) {
+            vulnInfo = { path: [...path], strInfo };
+            return true; // halts traversal
+          } else {
+            reportSafe = { path: [...path], strInfo };
+          }
+        }
+      }
+    });
+    return { vulnInfo, reportSafe };
+  };
+  instr.getMapReduceVulnerabilityInfo = function getMapReduceVulnerabilityInfo(argToCheck, argIdx) {
+    let vulnInfo = null;
+    let reportSafe = null;
+    if (argIdx !== 2 && isString(argToCheck)) {
+      const strInfo = tracker.getData(argToCheck);
+      if (strInfo) {
+        if (isVulnerable(UNTRUSTED, querySafeTags, strInfo.tags)) {
+          vulnInfo = { strInfo };
+        } else {
+          reportSafe = { strInfo };
+        }
+      }
+      return { vulnInfo, reportSafe };
+    }
+    if (!isNonEmptyObject(argToCheck)) return { vulnInfo, reportSafe };
+    traverseValues(argToCheck, (path, _type, value) => {
+      const vulnerableProps = [
+        'query',
+        'finalize',
+      ];
+      if (vulnerableProps.includes(path[0])) {
+        const strInfo = tracker.getData(value);
+        if (strInfo) {
+          if (isVulnerable(UNTRUSTED, querySafeTags, strInfo.tags)) {
+            vulnInfo = { path: [...path], strInfo };
+            return true; // halts traversal
+          } else {
+            reportSafe = { path: [...path], strInfo };
+          }
+        }
+      }
+    });
+    return { vulnInfo, reportSafe };
+  };
+  instr.getGroupVulnerabilityInfo = function getGroupVulnerabilityInfo(argToCheck, argIdx) {
+    let vulnInfo = null;
+    let reportSafe = null;
+    if (argIdx !== 1 && isString(argToCheck)) {
+      const strInfo = tracker.getData(argToCheck);
+      if (strInfo) {
+        if (isVulnerable(UNTRUSTED, querySafeTags, strInfo.tags)) {
+          vulnInfo = { strInfo };
+        } else {
+          reportSafe = { strInfo };
+        }
+      }
+      return { vulnInfo, reportSafe };
+    }
+    if (!isNonEmptyObject(argToCheck)) return { vulnInfo, reportSafe };
+    traverseValues(argToCheck, (path, _type, value) => {
+      const strInfo = tracker.getData(value);
+      if (strInfo) {
+        if (isVulnerable(UNTRUSTED, querySafeTags, strInfo.tags)) {
+          vulnInfo = { path: [...path], strInfo };
+          return true; // halts traversal
+        } else {
+          reportSafe = { path: [...path], strInfo };
+        }
+      }
+    });
+    return { vulnInfo, reportSafe };
+  };
+  function createAroundHook(entity, name, method, getInfoMethod, vulnerableArgIdxs) {
+    const argsIdxsToCheck = vulnerableArgIdxs || [0];
+    return function(next, data) {
+      const { obj, args: origArgs } = data;
+      const sourceCtx = sources.getStore()?.assess;
+      if (isLocked(NOSQL_INJECTION_MONGO) || instrumentation.isLocked() || !sourceCtx) {
+        return next();
+      }
+      let vulnInfo;
+      let reportSafe;
+      let vulnArgIdx;
+      const safeReports = [];
+      try {
+        for (const argIdx of argsIdxsToCheck) {
+          ({ vulnInfo, reportSafe } = getInfoMethod(origArgs[argIdx], argIdx));
+          if (vulnInfo) {
+            vulnArgIdx = argIdx;
+            break;
+          }
+          if (reportSafe) safeReports.push({ ...reportSafe, argIdx });
+        }
+        if (!vulnInfo) {
+          if (safeReports.length && config.assess.safe_positives.enable) {
+            const safeTags = safeReports.map((report) => filterSafeTags(querySafeTags, report.strInfo));
+            const strInfo = safeReports.map((report) => {
+              const tags = report.path ? getAdjustedQueryTags(report.path, report.strInfo, inspect(origArgs[report.argIdx], { depth: 4 })) : report.strInfo?.tags;
+              return {
+                value: inspect(origArgs[report.argIdx], { depth: 4 }),
+                tags
+              };
+            });
+            reportSafePositive({
+              name,
+              ruleId: NOSQL_INJECTION_MONGO,
+              safeTags: safeTags.length === 1 ? safeTags[0] : safeTags,
+              strInfo: strInfo.length === 1 ? strInfo[0] : strInfo
+            });
+          }
+          return methodsWithNestedCalls.includes(method) ? runInActiveSink(NOSQL_INJECTION_MONGO, async () => await next()) : next();
+        }
+        const { path, strInfo } = vulnInfo;
+        const objName = getObjectName(obj, entity);
+        const args = origArgs.map((arg, idx) => ({
+          value: isString(arg) ? arg : inspect(arg, { depth: 4 }),
+          tracked: idx === vulnArgIdx,
+        }));
+        const tags = path ? getAdjustedQueryTags(path, strInfo, args[vulnArgIdx].value) : strInfo?.tags;
+        const resultVal = args[args.length - 1].value.startsWith('[Function') ? '' : 'Promise';
+        const sinkEvent = createSinkEvent({
+          args,
+          context: `${objName}.${method}(${args.map((a) => a.value)})`,
+          history: [strInfo],
+          object: {
+            tracked: false,
+            value: `mongodb.${entity}`,
+          },
+          name,
+          result: {
+            tracked: false,
+            value: resultVal,
+          },
+          source: `P${vulnArgIdx}`,
+          stacktraceOpts: {
+            constructorOpt: data.hooked,
+          },
+          tags,
+        });
+        if (sinkEvent) {
+          reportFindings({ ruleId: NOSQL_INJECTION_MONGO, sinkEvent });
+        }
+      } catch (err) {
+        core.logger.error({ name, err }, 'assess sink analysis failed');
+      }
+      return methodsWithNestedCalls.includes(method) ? runInActiveSink(NOSQL_INJECTION_MONGO, async () => await next()) : next();
+    };
+  }
   instr.install = function() {
     depHooks.resolve({ name: 'mongodb' }, (mongodb, version) => {
       patchCollection(mongodb, version);
@@ -133,78 +334,31 @@ module.exports = function(core) {
         continue;
       }
-      patcher.patch(proto, method, {
-        name,
-        patchType,
-        around(next, data) {
-          const { obj, args: origArgs } = data;
-          const sourceCtx = sources.getStore()?.assess;
-          if (isLocked(NOSQL_INJECTION_MONGO) || instrumentation.isLocked() || !sourceCtx) {
-            return next();
-          }
-          const argIdx = 0;
-          try {
-            const { vulnInfo, reportSafe } = instr.getVulnerabilityInfo(origArgs[argIdx]);
-            if (!vulnInfo) {
-              reportSafe && config.assess.safe_positives.enable && reportSafePositive({
-                name,
-                ruleId: NOSQL_INJECTION_MONGO,
-                safeTags: filterSafeTags(querySafeTags, reportSafe.strInfo),
-                strInfo: {
-                  value: inspect(origArgs[argIdx]),
-                  tags: getAdjustedQueryTags(reportSafe.path, reportSafe.strInfo, inspect(origArgs[argIdx])),
-                },
-              });
-              return method === 'findOne' ? runInActiveSink(NOSQL_INJECTION_MONGO, async () => await next()) : next();
-            }
-            const { path, strInfo } = vulnInfo;
-            const objName = getObjectName(obj);
-            const args = origArgs.map((arg, idx) => ({
-              value: inspect(arg),
-              tracked: idx === argIdx,
-            }));
-            const tags = getAdjustedQueryTags(path, strInfo, args[argIdx].value);
-            const resultVal = args[args.length - 1].value.startsWith('[Function') ? '' : 'Promise';
-            const sinkEvent = createSinkEvent({
-              args,
-              context: `${objName}.${method}(${args.map((a) => a.value)})`,
-              history: [strInfo],
-              object: {
-                tracked: false,
-                value: 'mongodb.Collection',
-              },
-              name,
-              result: {
-                tracked: false,
-                value: resultVal,
-              },
-              source: `P${argIdx}`,
-              stacktraceOpts: {
-                constructorOpt: data.hooked,
-              },
-              tags,
-            });
-            if (sinkEvent) {
-              reportFindings({ ruleId: NOSQL_INJECTION_MONGO, sinkEvent });
-            }
-          } catch (err) {
-            core.logger.error({ name, err }, 'assess sink analysis failed');
-          }
-          if (method === 'findOne') {
-            // `findOne` will call `find` so don't analyze in nested call
-            return runInActiveSink(NOSQL_INJECTION_MONGO, async () => await next());
-          }
-          return next();
-        },
-      });
+      if (method === 'aggregate') {
+        patcher.patch(proto, method, {
+          name,
+          patchType,
+          around: createAroundHook('Collection', name, method, instr.getAggregateVulnerabilityInfo)
+        });
+      } else if (method === 'mapReduce') {
+        patcher.patch(proto, method, {
+          name,
+          patchType,
+          around: createAroundHook('Collection', name, method, instr.getMapReduceVulnerabilityInfo, [0, 1, 2])
+        });
+      } else if (method === 'group') {
+        patcher.patch(proto, method, {
+          name,
+          patchType,
+          around: createAroundHook('Collection', name, method, instr.getGroupVulnerabilityInfo, [0, 1, 3])
+        });
+      } else {
+        patcher.patch(proto, method, {
+          name,
+          patchType,
+          around: createAroundHook('Collection', name, method, instr.getQueryVulnerabilityInfo)
+        });
+      }
     }
   }
@@ -218,79 +372,19 @@ module.exports = function(core) {
         continue;
       }
-      patcher.patch(proto, method, {
-        name,
-        patchType,
-        around(next, data) {
-          const { obj, args: origArgs } = data;
-          const sourceCtx = sources.getStore()?.assess;
-          if (isLocked(NOSQL_INJECTION_MONGO) || instrumentation.isLocked() || !sourceCtx) {
-            return next();
-          }
-          const argIdx = 0;
-          try {
-            const { vulnInfo, reportSafe } = instr.getVulnerabilityInfo(origArgs[argIdx]);
-            if (!vulnInfo) {
-              const tags = reportSafe?.path ? getAdjustedQueryTags(reportSafe.path, reportSafe.strInfo, inspect(origArgs[argIdx])) : reportSafe?.strInfo?.tags;
-              reportSafe && config.assess.safe_positives.enable && reportSafePositive({
-                name,
-                ruleId: NOSQL_INJECTION_MONGO,
-                safeTags: filterSafeTags(querySafeTags, reportSafe.strInfo),
-                strInfo: {
-                  value: inspect(origArgs[argIdx]),
-                  tags
-                },
-              });
-              return method === 'eval' ? runInActiveSink(NOSQL_INJECTION_MONGO, async () => await next()) : next();
-            }
-            const { path, strInfo } = vulnInfo;
-            const objName = getObjectName(obj, 'Db');
-            const args = origArgs.map((arg, idx) => ({
-              value: isString(arg) ? arg : inspect(arg),
-              tracked: idx === argIdx,
-            }));
-            const tags = path ? getAdjustedQueryTags(path, strInfo, args[argIdx].value) : strInfo?.tags;
-            const resultVal = args[args.length - 1].value.startsWith('[Function') ? '' : 'Promise';
-            const sinkEvent = createSinkEvent({
-              args,
-              context: `${objName}.${method}(${args.map((a) => a.value)})`,
-              history: [strInfo],
-              object: {
-                tracked: false,
-                value: 'mongodb.Db',
-              },
-              name,
-              result: {
-                tracked: false,
-                value: resultVal,
-              },
-              source: `P${argIdx}`,
-              stacktraceOpts: {
-                constructorOpt: data.hooked,
-              },
-              tags,
-            });
-            if (sinkEvent) {
-              reportFindings({ ruleId: NOSQL_INJECTION_MONGO, sinkEvent });
-            }
-          } catch (err) {
-            core.logger.error({ name, err }, 'assess sink analysis failed');
-          }
-          if (method === 'eval') {
-            // `eval` will call `command` so don't analyze in nested call
-            return runInActiveSink(NOSQL_INJECTION_MONGO, async () => await next());
-          }
-          return next();
-        },
-      });
+      if (method === 'aggregate') {
+        patcher.patch(proto, method, {
+          name,
+          patchType,
+          around: createAroundHook('Db', name, method, instr.getAggregateVulnerabilityInfo)
+        });
+      } else {
+        patcher.patch(proto, method, {
+          name,
+          patchType,
+          around: createAroundHook('Db', name, method, instr.getQueryVulnerabilityInfo)
+        });
+      }
     }
   }
@@ -310,6 +404,10 @@ module.exports = function(core) {
     const { tags } = strInfo;
     let idx = -1;
     for (const str of [...path, strInfo.value]) {
+      // This is the case with the `.aggregate` method
+      // where the argument is an array
+      if (str === 0) continue;
       idx = argString.indexOf(str, idx);
       if (idx == -1) {
         idx = -1;

package/lib/dataflow/sources/handler.js CHANGED Viewed

@@ -19,7 +19,6 @@ const {
   InputType,
   DataflowTag,
   isString,
-  traverseValues
 } = require('@contrast/common');
 module.exports = function(core) {
@@ -28,17 +27,17 @@ module.exports = function(core) {
       dataflow: {
         sources,
         tracker,
-        eventFactory: { createSourceEvent }
+        eventFactory
       }
     },
-    createSnapshot,
     config,
+    createSnapshot,
     logger,
   } = core;
   const emptyStack = Object.freeze([]);
-  sources.createTags = function createTags({ inputType, key, value }) {
+  sources.createTags = function createTags({ inputType, fieldName = '', value }) {
     if (!value?.length) {
       return null;
     }
@@ -48,25 +47,30 @@ module.exports = function(core) {
       [DataflowTag.UNTRUSTED]: [0, stop]
     };
-    if (inputType === InputType.HEADER && key.toLowerCase() === 'referer') {
+    if (inputType === InputType.HEADER && fieldName.toLowerCase() === 'referer') {
       tags[DataflowTag.HEADER] = [0, stop];
     }
     return tags;
   };
+  sources.createStacktrace = function(stacktraceOpts) {
+    return config.assess.stacktraces === 'NONE'
+      ? emptyStack
+      : createSnapshot(stacktraceOpts)();
+  };
   sources.handle = function({
     context,
+    keys,
     name,
     inputType = InputType.UNKNOWN,
     stacktraceOpts,
     data,
-    sourceContext
+    sourceContext,
   }) {
     if (!data) return;
-    const max = config.assess.max_context_source_events;
     if (!sourceContext) {
       core.logger.trace({ inputType, name }, 'skipping assess source handling - no request context');
       return null;
@@ -76,31 +80,60 @@ module.exports = function(core) {
       context = inputType;
     }
+    const max = config.assess.max_context_source_events;
+    let _data = data;
     let stack;
-    traverseValues(data, (path, type, value, obj) => {
+    if (keys) {
+      _data = {};
+      for (const key of keys) {
+        _data[key] = data[key];
+      }
+    }
+    function createEvent({ fieldName, pathName, value }) {
+      // create the stacktrace once per call to .handle()
+      stack || (stack = sources.createStacktrace(stacktraceOpts));
+      return eventFactory.createSourceEvent({
+        context: `${context}.${pathName}`,
+        name,
+        fieldName,
+        pathName,
+        stack,
+        inputType,
+        tags: sources.createTags({ inputType, fieldName, value }),
+        result: { tracked: true, value },
+      });
+    }
+    if (Buffer.isBuffer(data) && !tracker.getData(data)) {
+      const event = createEvent({ pathName: 'body', value: data, fieldName: '' });
+      if (event) {
+        tracker.track(data, event);
+      }
+      return;
+    }
+    traverse(_data, (path, fieldName, value, obj) => {
+      const pathName = path.join('.');
       if (sourceContext.sourceEventsCount >= max) {
         core.logger.trace({ inputType, name }, 'exiting assess source handling - %s max events exceeded', max);
         return true;
       }
       if (isString(value) && value.length) {
-        stack = stack || config.assess.stacktraces === 'NONE'
-          ? emptyStack
-          : createSnapshot(stacktraceOpts)();
-        const key = path[path.length - 1];
-        const pathName = path.join('.');
-        const event = createSourceEvent({
-          context: `${context}.${pathName}`,
-          name,
-          fieldName: key,
-          pathName,
-          stack,
-          inputType,
-          tags: sources.createTags({ inputType, key, value }),
-          result: { tracked: true, value },
-        });
+        const strInfo = tracker.getData(value);
+        if (strInfo) {
+          // TODO: confirm this "layering-on" approach is what we want
+          // when the value is tracked the handler wins out and we "re-tracks" the value with new source
+          // event metadata. without this step tracker would complain about value already being tracked.
+          // alternatively we could treat this more like a propagation event and update existing metadata.
+          value = strInfo.value;
+        }
+        const event = createEvent({ pathName, value, fieldName });
         if (!event) {
           core.logger.warn({ inputType, name, pathName, value }, 'unable to create source event');
           return;
@@ -108,15 +141,96 @@ module.exports = function(core) {
         const { extern } = tracker.track(value, event);
         if (extern) {
-          logger.trace({ extern, key, name, inputType }, 'tracked');
-          obj[key] = extern;
+          logger.trace({ extern, fieldName, name, inputType }, 'tracked');
+          obj[fieldName] = extern;
           sourceContext.sourceEventsCount++;
         }
+      } else if (Buffer.isBuffer(value) && !tracker.getData(value)) {
+        const event = createEvent({ pathName, value, fieldName });
+        if (event) {
+          tracker.track(value, event);
+        } else {
+          core.logger.warn({ inputType, name, pathName, value }, 'unable to create source event');
+        }
       }
     });
+    if (keys) {
+      for (const key of keys) {
+        data[key] = _data[key];
+      }
+    }
     return data;
   };
   return sources;
 };
+/**
+ * A custom traversal function for handling source value tracking efficiently.
+ * Implementation was adapted from traversal methods in @contrast/common.
+ * @param {any} target object to traverse
+ * @param {function} cb function<path, key, value, obj>
+ * @param {string[]} path path of node being visted; constructed of nested keys
+ * @param {boolean} halt whether to halt traversal; determined by callback
+ * @param {Set} visited used to dedupe circular references
+ */
+function traverse(target, cb, path = [], visited = new Set()) {
+  if (isTraversable(target)) {
+    for (const key in target) {
+      path.push(key);
+      const value = target[key];
+      if (visited.has(value)) {
+        path.pop();
+        break;
+      }
+      if (isVisitable(value)) {
+        const halt = cb(path, key, value, target) === false;
+        if (halt) {
+          return;
+        }
+      }
+      if (isTraversable(value)) {
+        visited.add(value);
+        traverse(value, cb, path, visited);
+      }
+      path.pop();
+    }
+  }
+}
+/**
+ * Visit strings, buffers, basic objects and arrays.
+ * @param {any} value the value to check
+ * @returns {boolean}
+ */
+function isVisitable(value) {
+  if (!value) return false;
+  return value.constructor?.name === 'String' ||
+    value.constructor?.name === 'Buffer' ||
+    (typeof value === 'object' && !value.constructor);
+}
+/**
+ * The criteria for traversal is a strict as possible. We only traverse plain
+ * objects and arrays and objects created via Object.create(null).
+ * @param {any} value the value to check
+ * @returns {boolean}
+ */
+function isTraversable(value) {
+  if (!value || typeof value !== 'object') return false;
+  return value.constructor?.name === 'Object' ||
+    value.constructor?.name === 'Array' ||
+    !value.constructor;
+}
+module.exports.traverse = traverse;