@contrast/assess 1.7.0 → 1.9.0

package/lib/dataflow/propagation/install/encode-uri-component.js

@@ -34,8 +34,10 @@ module.exports = function(core) {
 
   return core.assess.dataflow.propagation.encodeURIComponent = {
     install() {
+      const name = 'global.encodeURIComponent';
+
       patcher.patch(global, 'encodeURIComponent', {
-        name: 'global.encodeURIComponent',
+        name,
         patchType,
         post(data) {
           const { args, result, hooked, orig } = data;
@@ -54,7 +56,10 @@ module.exports = function(core) {
           newTags[URL_ENCODED] = [0, result.length - 1];
 
           const event = createPropagationEvent({
-            name: 'global.encodeURIComponent',
+            name,
+            moduleName: 'global',
+            methodName: 'encodeURIComponent',
+            context: `encodeURIComponent('${argInfo.value}')`,
             object: {
               value: createObjectLabel('global'),
               tracked: false
@@ -66,6 +71,8 @@ module.exports = function(core) {
             args: [{ value: argInfo.value, tracked: true }],
             tags: newTags,
             history,
+            source: 'P',
+            target: 'R',
             addedTags: [URL_ENCODED],
             stacktraceOpts: {
               constructorOpt: hooked,

package/lib/dataflow/propagation/install/escape-html.js

@@ -35,9 +35,11 @@ module.exports = function(core) {
 
   return core.assess.dataflow.propagation.escapeHtml = {
     install() {
-      depHooks.resolve({ name: 'escape-html' }, (escapeHtml, version) =>
-        patcher.patch(escapeHtml, {
-          name: 'escape-html',
+      depHooks.resolve({ name: 'escape-html' }, (escapeHtml) => {
+        const name = 'escape-html';
+
+        return patcher.patch(escapeHtml, {
+          name,
           patchType,
           post(data) {
             const { args, result, hooked, orig } = data;
@@ -54,7 +56,10 @@ module.exports = function(core) {
             newTags[HTML_ENCODED] = [0, result.length - 1];
 
             const event = createPropagationEvent({
-              name: 'escape-html',
+              name,
+              moduleName: 'escape-html',
+              methodName: '',
+              context: `escapeHtml(${argInfo.value})`,
               object: {
                 value: 'escape-html',
                 tracked: false
@@ -66,6 +71,8 @@ module.exports = function(core) {
               args: [{ value: argInfo.value, tracked: true }],
               tags: newTags,
               history,
+              source: 'P',
+              target: 'R',
               addedTags: [HTML_ENCODED],
               stacktraceOpts: {
                 constructorOpt: hooked,
@@ -85,7 +92,8 @@ module.exports = function(core) {
               data.result = extern;
             }
           }
-        })
+        });
+      }
       );
     },
   };

package/lib/dataflow/propagation/install/escape.js

@@ -34,8 +34,10 @@ module.exports = function(core) {
 
   return core.assess.dataflow.propagation.escape = {
     install() {
+      const name = 'global.escape';
+
       patcher.patch(global, 'escape', {
-        name: 'global.escape',
+        name,
         patchType,
         post(data) {
           const { args, result, hooked, orig } = data;
@@ -52,7 +54,10 @@ module.exports = function(core) {
           newTags[WEAK_URL_ENCODED] = [0, result.length - 1];
 
           const event = createPropagationEvent({
-            name: 'global.escape',
+            name,
+            moduleName: 'global',
+            methodName: 'escape',
+            context: `escape('${argInfo.value}')`,
             object: {
               value: createObjectLabel('global'),
               tracked: false
@@ -64,6 +69,8 @@ module.exports = function(core) {
             args: [{ value: argInfo.value, tracked: true }],
             tags: newTags,
             history,
+            source: 'P',
+            target: 'R',
             addedTags: [WEAK_URL_ENCODED],
             stacktraceOpts: {
               constructorOpt: hooked,

package/lib/dataflow/propagation/install/handlebars-utils-escape-expression.js

@@ -21,7 +21,7 @@ const {
 const {
   createFullLengthCopyTags
 } = require('../../tag-utils');
-const { patchType, createModuleLabel } = require('../common');
+const { patchType } = require('../common');
 
 module.exports = function(core) {
   const {
@@ -36,8 +36,10 @@ module.exports = function(core) {
   return core.assess.dataflow.propagation.handlebarsEscapeExpression = {
     install() {
       depHooks.resolve({ name: 'handlebars', version: '>=4.0.0' }, (handlebars, version) => {
+        const name = 'handlebars.Utils.escapeExpression';
+
         patcher.patch(handlebars.Utils, 'escapeExpression', {
-          name: 'handlebars.Utils.escapeExpression',
+          name,
           patchType,
           post(data) {
             const { args, result, hooked, orig } = data;
@@ -54,9 +56,12 @@ module.exports = function(core) {
             newTags[HTML_ENCODED] = [0, result.length - 1];
 
             const event = createPropagationEvent({
-              name: 'handlebars.Utils.escapeExpression',
+              name,
+              moduleName: 'handlebars',
+              methodName: 'Utils.escapeExpression',
+              context: `${name}('${argInfo.value}')`,
               object: {
-                value: `[${createModuleLabel('handlebars', version)}].Utils`,
+                value: 'handlebars.Utils',
                 tracked: false
               },
               result: {
@@ -67,6 +72,8 @@ module.exports = function(core) {
               tags: newTags,
               addedTags: [HTML_ENCODED],
               history,
+              source: 'P',
+              target: 'R',
               stacktraceOpts: {
                 constructorOpt: hooked,
                 prependFrames: [orig]

package/lib/dataflow/propagation/install/isnumeric-0.js

@@ -0,0 +1,59 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { isString } = require('@contrast/common');
+const { patchType } = require('../common');
+
+module.exports = function(core) {
+  const {
+    logger,
+    scopes: { sources, instrumentation },
+    patcher,
+    depHooks,
+    assess: {
+      dataflow: { tracker }
+    }
+  } = core;
+
+  return core.assess.dataflow.propagation.isnumericInstrumentation = {
+    install() {
+      const name = 'isnumeric';
+
+      depHooks.resolve({ name, version: '<1.0.0' }, (_export, { version }) => {
+        const fullName = `${name}@${version}`;
+        return patcher.patch(_export, {
+          name,
+          patchType,
+          post(data) {
+            const { args: [value], result } = data;
+            if (
+              !result ||
+              !value ||
+              !isString(value) ||
+              !sources.getStore()?.assess ||
+              instrumentation.isLocked() ||
+              !tracker.getData(value)
+            ) return;
+
+            tracker.untrack(value);
+            logger.trace({ sanitizer: fullName, value }, 'untracked a string value');
+          }
+        });
+      });
+    },
+  };
+};

package/lib/dataflow/propagation/install/mongoose/index.js

@@ -0,0 +1,36 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const c = require('@contrast/common');
+
+module.exports = function(core) {
+  const component = core.assess.dataflow.propagation.mongooseInstrumentation = {
+    install() {
+      c.callChildComponentMethodsSync(component, 'install');
+    }
+  };
+
+  // todo NODE-3103
+  // require('./schema-map')(core);
+
+  // todo NODE-3102
+  // require('./schema-mixed')(core);
+
+  require('./schema-string')(core);
+
+  return component;
+};

package/lib/dataflow/propagation/install/mongoose/schema-string.js

@@ -0,0 +1,156 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { DataflowTag, substring } = require('@contrast/common');
+const { patchType } = require('../../common');
+
+module.exports = function(core) {
+  const {
+    scopes: { sources },
+    patcher,
+    depHooks,
+    assess: {
+      dataflow: {
+        tracker,
+        eventFactory: { createPropagationEvent }
+      }
+    }
+  } = core;
+
+  return core.assess.dataflow.propagation.mongooseInstrumentation.schemaString = {
+    install() {
+      depHooks.resolve(
+        { name: 'mongoose', file: 'lib/schema/string.js', version: '>=6.0.0' },
+        (SchemaString) => {
+          patchEnum(SchemaString);
+          patchDoValidate(SchemaString);
+          patchDoValidateSync(SchemaString);
+        }
+      );
+    },
+  };
+
+  function patchEnum(SchemaString) {
+    patcher.patch(SchemaString.prototype, 'enum', {
+      name: 'mongoose.SchemaString.prototype.enum',
+      patchType,
+      post(data) {
+        if (!data.result) return;
+
+        const enumValidator = data.result.validators.find(
+          (validator) => validator.type === 'enum'
+        );
+
+        if (!enumValidator) return;
+
+        patcher.patch(enumValidator, 'validator', {
+          name: 'mongoose.SchemaString.prototype.enum.validator',
+          patchType,
+          post(data) {
+            const sourceContext = sources.getStore()?.assess;
+            if (!sourceContext) return;
+
+            if (data.result) {
+              tracker.untrack(data.args[0]);
+            }
+          }
+        });
+      }
+    });
+  }
+
+  function patchDoValidate(SchemaString) {
+    // called when `Model.validate(data)` static method is used, as well as `model.validate()` instance method
+    const name = 'mongoose.SchemaString.prototype.doValidate';
+    patcher.patch(SchemaString.prototype, 'doValidate', {
+      name,
+      patchType,
+      pre(data) {
+        const [value, cb] = data.args;
+        if (value && typeof cb === 'function' && sources.getStore()?.assess) {
+          data.args[1] = patcher.patch(cb, {
+            name,
+            patchType,
+            pre({ args: [err] }) {
+              if (!err) propagate(name, data.orig, value);
+            }
+          });
+        }
+      }
+    });
+  }
+
+  function patchDoValidateSync(SchemaString) {
+    const name = 'mongoose.SchemaString.prototype.doValidateSync';
+    patcher.patch(SchemaString.prototype, 'doValidateSync', {
+      name,
+      patchType,
+      post({ orig, args: [value] }) {
+        if (value?.length) {
+          propagate(name, orig, value);
+        }
+      }
+    });
+
+  }
+
+  function propagate(name, orig, value) {
+    const strInfo = tracker.getData(value);
+    if (!strInfo) return;
+
+    const methodName = substring(name, name.indexOf('.') + 1);
+    // copy because we mutate the metadata value inline
+    const history = [{ ...strInfo }];
+    const event = createPropagationEvent({
+      addedTags: [DataflowTag.STRING_TYPE_CHECKED],
+      name,
+      moduleName: 'mongoose',
+      methodName,
+      history,
+      object: {
+        tracked: false,
+        value: 'mongoose.SchemaString',
+      },
+      args: [{ tracked: true, value: strInfo.value }],
+      result: {
+        tracked: false,
+        value: undefined,
+      },
+      source: 'P0',
+      tags: {
+        ...strInfo.tags,
+        [DataflowTag.STRING_TYPE_CHECKED]: [0, value.length - 1],
+      },
+      target: 'P0',
+      stacktraceOpts: {
+        prependFrames: [orig],
+      }
+    });
+
+    if (!event) {
+      return;
+    }
+
+    // in case the event type changed e.g. Source->Propagation
+    for (const key of Object.keys(strInfo)) {
+      if (key === 'value' || key === 'extern') continue;
+      delete strInfo[key];
+    }
+
+    Object.assign(strInfo, event);
+  }
+};

package/lib/dataflow/propagation/install/mysql-connection-escape.js

@@ -50,6 +50,9 @@ module.exports = function(core) {
 
       const event = createPropagationEvent({
         name: eventName,
+        moduleName: 'mysql',
+        methodName: 'escape',
+        context: `mysql.escape('${argInfo.value}')`,
         object: {
           value: objectValue,
           tracked: false
@@ -62,6 +65,8 @@ module.exports = function(core) {
         tags: newTags,
         addedTags: [SQL_ENCODED],
         history,
+        source: 'P',
+        target: 'R',
         stacktraceOpts: {
           constructorOpt: hooked,
           prependFrames: [orig]

package/lib/dataflow/propagation/install/parse-int.js

@@ -0,0 +1,60 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { isString } = require('@contrast/common');
+const { patchType } = require('../common');
+
+module.exports = function(core) {
+  const {
+    logger,
+    scopes: { instrumentation, sources },
+    patcher,
+    assess: {
+      dataflow: { tracker }
+    }
+  } = core;
+
+  const name = 'global.parseInt';
+
+  return core.assess.dataflow.propagation.parseIntInstrumentation = {
+    install() {
+      patcher.patch(global, 'parseInt', {
+        name,
+        patchType,
+        post(data) {
+          const { args: [value], result } = data;
+          if (
+            isNaN(result) ||
+            !value ||
+            !isString(value) ||
+            !sources.getStore()?.assess ||
+            instrumentation.isLocked() ||
+            !tracker.getData(value)
+          ) return;
+
+          // todo NODE-3118 to handle when value has trailing non-integer values
+
+          tracker.untrack(value);
+          logger.trace({ sanitizer: name, value }, 'untracked a string value');
+        }
+      });
+    },
+    uninstall() {
+      global.parseInt = patcher.unwrap(global.parseInt);
+    },
+  };
+};

package/lib/dataflow/propagation/install/pug-runtime-escape.js

@@ -36,8 +36,10 @@ module.exports = function(core) {
   return core.assess.dataflow.propagation.pugRuntimeEscape = {
     install() {
       depHooks.resolve({ name: 'pug-runtime' }, (pugRuntime, version) => {
+        const name = 'pug-runtime.escape';
+
         patcher.patch(pugRuntime, 'escape', {
-          name: 'pug-runtime.escape',
+          name,
           patchType,
           post(data) {
             const { args, result, hooked, orig } = data;
@@ -54,7 +56,10 @@ module.exports = function(core) {
             newTags[WEAK_URL_ENCODED] = [0, result.length - 1];
 
             const event = createPropagationEvent({
-              name: 'pug-runtime.escape',
+              name,
+              moduleName: 'pug-runtime',
+              methodName: 'escape',
+              context: `pugRuntime.escape('${argInfo.value}')`,
               object: {
                 value: createModuleLabel('pug-runtime', version),
                 tracked: false
@@ -67,6 +72,8 @@ module.exports = function(core) {
               tags: newTags,
               addedTags: [WEAK_URL_ENCODED],
               history,
+              source: 'P',
+              target: 'R',
               stacktraceOpts: {
                 constructorOpt: hooked,
                 prependFrames: [orig]

package/lib/dataflow/propagation/install/querystring/parse.js

@@ -15,10 +15,11 @@
 
 'use strict';
 
-const util = require('util');
 const querystring = require('querystring');
 const {
-  DataflowTag: { URL_ENCODED }
+  DataflowTag: { URL_ENCODED },
+  inspect,
+  join
 } = require('@contrast/common');
 
 const { patchType } = require('../../common');
@@ -46,20 +47,21 @@ module.exports = function(core) {
       if (!tagRanges) return result;
 
       const resultInfo = tracker.getData(result);
+      const [, ...restOfArgsValues] = data.origArgs.map(inspect);
       const event = createPropagationEvent({
         name: data.name,
+        context: `querystring.parse('${trackingData.value}', ${join(restOfArgsValues, ', ')})`,
+        moduleName: 'querystring',
+        methodName: 'parse',
         history: [trackingData],
         object: {
           value: part,
           tracked: true,
         },
-        args: data.origArgs.map((arg) => {
-          const argInfo = tracker.getData(arg);
-          return {
-            value: argInfo ? argInfo.value : util.inspect(arg),
-            tracked: !!argInfo
-          };
-        }),
+        args: data.origArgs.map((_arg, idx) => ({
+          value: idx === 0 ? trackingData.value : restOfArgsValues[idx - 1],
+          tracked: !!idx === 0
+        })),
         result: {
           value: result,
           tracked: !!resultInfo

package/lib/dataflow/propagation/install/sequelize.js

@@ -21,7 +21,7 @@ const {
 } = require('@contrast/common');
 const { patchType, createModuleLabel } = require('../common');
 
-module.exports = function (core) {
+module.exports = function(core) {
   const {
     scopes: { sources, instrumentation },
     patcher,
@@ -58,9 +58,10 @@ module.exports = function (core) {
         { name: 'sequelize', file: 'lib/sql-string.js' },
         (sqlString, version) => {
           const origEscape = sqlString.escape;
+          const name = 'sequelize.escape';
 
           patcher.patch(sqlString, 'escape', {
-            name: 'sequelize.escape',
+            name,
             patchType,
             post(data) {
               const { args, result, hooked, orig } = data;
@@ -85,8 +86,10 @@ module.exports = function (core) {
               newTags[SQL_ENCODED] = [0, result.length - 1];
 
               const event = createPropagationEvent({
-                context: 'sequelize.escape',
+                context: `sequelize.escape('${argInfo.value}')`,
                 name: 'sequelize/lib/sql-string.escape',
+                moduleName: 'sequelize',
+                methodName: 'escape',
                 object: {
                   value: createModuleLabel('sequelize/lib/sql-string.escape', version),
                   tracked: false,

package/lib/dataflow/propagation/install/sql-template-strings.js

@@ -33,8 +33,10 @@ module.exports = function(core) {
   return core.assess.dataflow.propagation.sqlTemplateStrings = {
     install() {
       depHooks.resolve({ name: 'sql-template-strings' }, (sqlTemplateStrings, version) => {
+        const name = 'sql-template-strings.SQL';
+
         patcher.patch(sqlTemplateStrings, 'SQL', {
-          name: 'sql-template-strings.SQL',
+          name,
           patchType,
           post(data) {
             const { args, result, hooked, orig } = data;
@@ -55,7 +57,10 @@ module.exports = function(core) {
               newTags[SQL_ENCODED] = [0, resultValue.length - 1];
 
               const event = createPropagationEvent({
-                name: 'sql-template-strings.SQL',
+                name,
+                moduleName: 'sql-template-strings',
+                methodName: 'SQL',
+                context: `SQL\`${argInfo.value}\``,
                 object: {
                   value: createModuleLabel('sql-template-strings', version),
                   tracked: false
@@ -68,6 +73,8 @@ module.exports = function(core) {
                 tags: newTags,
                 addedTags: [SQL_ENCODED],
                 history,
+                source: 'P',
+                target: 'R',
                 stacktraceOpts: {
                   constructorOpt: hooked,
                   prependFrames: [orig]

package/lib/dataflow/propagation/install/string/concat.js

@@ -18,6 +18,7 @@
 const {
   createAppendTags
 } = require('../../../tag-utils');
+const { join, inspect } = require('@contrast/common');
 const { patchType } = require('../../common');
 
 module.exports = function(core) {
@@ -31,8 +32,10 @@ module.exports = function(core) {
 
   return core.assess.dataflow.propagation.stringInstrumentation.concat = {
     install() {
+      const name = 'String.prototype.concat';
+
       patcher.patch(String.prototype, 'concat', {
-        name: 'String.prototype.concat',
+        name,
         patchType,
         post(data) {
           const { args, obj, result, hooked, orig } = data;
@@ -70,7 +73,10 @@ module.exports = function(core) {
 
           if (history.size) {
             const event = createPropagationEvent({
-              name: 'String.prototype.concat',
+              name,
+              moduleName: 'String',
+              methodName: 'prototype.concat',
+              context: `${inspect(objInfo?.value) || String(obj)}.concat(${join(argsData.map(d => d.value), ', ')})`,
               object: {
                 value: objInfo?.value || String(obj),
                 tracked: !!objInfo

package/lib/dataflow/propagation/install/string/format-methods.js

@@ -29,8 +29,10 @@ module.exports = function(core) {
   return core.assess.dataflow.propagation.stringInstrumentation.formatMethods = {
     install() {
       ['toLowerCase', 'toUpperCase', 'toLocaleLowerCase', 'toLocaleUpperCase'].forEach((method) => {
+        const name = `String.prototype.${method}`;
+
         patcher.patch(String.prototype, method, {
-          name: `String.prototype.${method}`,
+          name,
           patchType,
           post(data) {
             const { obj, result, hooked, orig } = data;
@@ -43,7 +45,10 @@ module.exports = function(core) {
             const history = [objInfo];
 
             const event = createPropagationEvent({
-              name: `String.prototype.${method}`,
+              name,
+              moduleName: 'String',
+              methodName: `prototype.${method}`,
+              context: `'${objInfo.value}'.${method}()`,
               object: {
                 value: objInfo.value,
                 tracked: true