@contrast/assess 1.7.0 → 1.9.0

package/lib/dataflow/sinks/install/mongodb.js

@@ -47,11 +47,16 @@ const collectionMethods = [
   'updateMany',
   'deleteOne',
   'deleteMany',
+  'aggregate',
+  'mapReduce',
+  'group'
 ];
 const dbMethods = [
   'command',
-  'eval'
+  'eval',
+  'aggregate'
 ];
+const methodsWithNestedCalls = ['findOne', 'eval', 'group'];
 
 const querySafeTags = [
   ALPHANUM_SPACE_HYPHEN,
@@ -80,7 +85,7 @@ module.exports = function(core) {
   const inspect = patcher.unwrap(util.inspect);
   const instr = core.assess.dataflow.sinks.mongodb = {};
 
-  instr.getVulnerabilityInfo = function getVulnerabilityInfo(query) {
+  instr.getQueryVulnerabilityInfo = function getQueryVulnerabilityInfo(query) {
     let vulnInfo = null;
     let reportSafe = null;
 
@@ -103,10 +108,10 @@ module.exports = function(core) {
       const strInfo = tracker.getData(value);
       if (strInfo) {
         if (isVulnerable(UNTRUSTED, querySafeTags, strInfo.tags)) {
-          vulnInfo = { path, strInfo };
+          vulnInfo = { path: [...path], strInfo };
           return true; // halts traversal
         } else {
-          reportSafe = { path, strInfo };
+          reportSafe = { path: [...path], strInfo };
         }
       }
     });
@@ -114,6 +119,204 @@ module.exports = function(core) {
     return { vulnInfo, reportSafe };
   };
 
+  instr.getAggregateVulnerabilityInfo = function getAggregateVulnerabilityInfo(aggregation) {
+    let vulnInfo = null;
+    let reportSafe = null;
+
+    if (!isNonEmptyObject(aggregation)) return { vulnInfo, reportSafe };
+
+    traverseValues(aggregation, (path, _type, value) => {
+      const accumulatorFuncProps = [
+        'init',
+        'merge',
+        'accumulate',
+        'finalize'
+      ];
+      const lastIdx = path.length - 1;
+      if (
+        (path[lastIdx - 1] === '$function' && path[lastIdx] === 'body') ||
+        (path[lastIdx - 1] === '$accumulator' && accumulatorFuncProps.includes(path[lastIdx]))
+      ) {
+        const strInfo = tracker.getData(value);
+        if (strInfo) {
+          if (isVulnerable(UNTRUSTED, querySafeTags, strInfo.tags)) {
+            vulnInfo = { path: [...path], strInfo };
+            return true; // halts traversal
+          } else {
+            reportSafe = { path: [...path], strInfo };
+          }
+        }
+      }
+    });
+
+    return { vulnInfo, reportSafe };
+  };
+
+  instr.getMapReduceVulnerabilityInfo = function getMapReduceVulnerabilityInfo(argToCheck, argIdx) {
+    let vulnInfo = null;
+    let reportSafe = null;
+
+    if (argIdx !== 2 && isString(argToCheck)) {
+      const strInfo = tracker.getData(argToCheck);
+      if (strInfo) {
+        if (isVulnerable(UNTRUSTED, querySafeTags, strInfo.tags)) {
+          vulnInfo = { strInfo };
+        } else {
+          reportSafe = { strInfo };
+        }
+      }
+
+      return { vulnInfo, reportSafe };
+    }
+
+    if (!isNonEmptyObject(argToCheck)) return { vulnInfo, reportSafe };
+
+    traverseValues(argToCheck, (path, _type, value) => {
+      const vulnerableProps = [
+        'query',
+        'finalize',
+      ];
+      if (vulnerableProps.includes(path[0])) {
+        const strInfo = tracker.getData(value);
+        if (strInfo) {
+          if (isVulnerable(UNTRUSTED, querySafeTags, strInfo.tags)) {
+            vulnInfo = { path: [...path], strInfo };
+            return true; // halts traversal
+          } else {
+            reportSafe = { path: [...path], strInfo };
+          }
+        }
+      }
+    });
+
+    return { vulnInfo, reportSafe };
+  };
+
+  instr.getGroupVulnerabilityInfo = function getGroupVulnerabilityInfo(argToCheck, argIdx) {
+    let vulnInfo = null;
+    let reportSafe = null;
+
+    if (argIdx !== 1 && isString(argToCheck)) {
+      const strInfo = tracker.getData(argToCheck);
+      if (strInfo) {
+        if (isVulnerable(UNTRUSTED, querySafeTags, strInfo.tags)) {
+          vulnInfo = { strInfo };
+        } else {
+          reportSafe = { strInfo };
+        }
+      }
+
+      return { vulnInfo, reportSafe };
+    }
+
+    if (!isNonEmptyObject(argToCheck)) return { vulnInfo, reportSafe };
+
+    traverseValues(argToCheck, (path, _type, value) => {
+      const strInfo = tracker.getData(value);
+      if (strInfo) {
+        if (isVulnerable(UNTRUSTED, querySafeTags, strInfo.tags)) {
+          vulnInfo = { path: [...path], strInfo };
+          return true; // halts traversal
+        } else {
+          reportSafe = { path: [...path], strInfo };
+        }
+      }
+    });
+
+    return { vulnInfo, reportSafe };
+  };
+
+  function createAroundHook(entity, name, method, getInfoMethod, vulnerableArgIdxs) {
+    const argsIdxsToCheck = vulnerableArgIdxs || [0];
+    return function(next, data) {
+      const { obj, args: origArgs } = data;
+      const sourceCtx = sources.getStore()?.assess;
+
+      if (isLocked(NOSQL_INJECTION_MONGO) || instrumentation.isLocked() || !sourceCtx) {
+        return next();
+      }
+
+      let vulnInfo;
+      let reportSafe;
+      let vulnArgIdx;
+      const safeReports = [];
+
+      try {
+        for (const argIdx of argsIdxsToCheck) {
+          ({ vulnInfo, reportSafe } = getInfoMethod(origArgs[argIdx], argIdx));
+
+          if (vulnInfo) {
+            vulnArgIdx = argIdx;
+            break;
+          }
+          if (reportSafe) safeReports.push({ ...reportSafe, argIdx });
+        }
+
+        if (!vulnInfo) {
+          if (safeReports.length && config.assess.safe_positives.enable) {
+            const safeTags = safeReports.map((report) => filterSafeTags(querySafeTags, report.strInfo));
+            const strInfo = safeReports.map((report) => {
+              const tags = report.path ? getAdjustedQueryTags(report.path, report.strInfo, inspect(origArgs[report.argIdx], { depth: 4 })) : report.strInfo?.tags;
+
+              return {
+                value: inspect(origArgs[report.argIdx], { depth: 4 }),
+                tags
+              };
+            });
+
+            reportSafePositive({
+              name,
+              ruleId: NOSQL_INJECTION_MONGO,
+              safeTags: safeTags.length === 1 ? safeTags[0] : safeTags,
+              strInfo: strInfo.length === 1 ? strInfo[0] : strInfo
+            });
+          }
+
+          return methodsWithNestedCalls.includes(method) ? runInActiveSink(NOSQL_INJECTION_MONGO, async () => await next()) : next();
+        }
+
+        const { path, strInfo } = vulnInfo;
+        const objName = getObjectName(obj, entity);
+        const args = origArgs.map((arg, idx) => ({
+          value: isString(arg) ? arg : inspect(arg, { depth: 4 }),
+          tracked: idx === vulnArgIdx,
+        }));
+
+        const tags = path ? getAdjustedQueryTags(path, strInfo, args[vulnArgIdx].value) : strInfo?.tags;
+        const resultVal = args[args.length - 1].value.startsWith('[Function') ? '' : 'Promise';
+        const sinkEvent = createSinkEvent({
+          args,
+          context: `${objName}.${method}(${args.map((a, idx) => isString(origArgs[idx]) ? `'${a.value}'` : a.value)})`,
+          history: [strInfo],
+          object: {
+            tracked: false,
+            value: `mongodb.${entity}`,
+          },
+          name,
+          moduleName: 'mongodb',
+          methodName: `${entity}.prototype.${method}`,
+          result: {
+            tracked: false,
+            value: resultVal,
+          },
+          source: `P${vulnArgIdx}`,
+          stacktraceOpts: {
+            constructorOpt: data.hooked,
+          },
+          tags,
+        });
+
+        if (sinkEvent) {
+          reportFindings({ ruleId: NOSQL_INJECTION_MONGO, sinkEvent });
+        }
+      } catch (err) {
+        core.logger.error({ name, err }, 'assess sink analysis failed');
+      }
+
+      return methodsWithNestedCalls.includes(method) ? runInActiveSink(NOSQL_INJECTION_MONGO, async () => await next()) : next();
+    };
+  }
+
   instr.install = function() {
     depHooks.resolve({ name: 'mongodb' }, (mongodb, version) => {
       patchCollection(mongodb, version);
@@ -133,78 +336,31 @@ module.exports = function(core) {
         continue;
       }
 
-      patcher.patch(proto, method, {
-        name,
-        patchType,
-        around(next, data) {
-          const { obj, args: origArgs } = data;
-          const sourceCtx = sources.getStore()?.assess;
-
-          if (isLocked(NOSQL_INJECTION_MONGO) || instrumentation.isLocked() || !sourceCtx) {
-            return next();
-          }
-
-          const argIdx = 0;
-          try {
-            const { vulnInfo, reportSafe } = instr.getVulnerabilityInfo(origArgs[argIdx]);
-
-            if (!vulnInfo) {
-              reportSafe && config.assess.safe_positives.enable && reportSafePositive({
-                name,
-                ruleId: NOSQL_INJECTION_MONGO,
-                safeTags: filterSafeTags(querySafeTags, reportSafe.strInfo),
-                strInfo: {
-                  value: inspect(origArgs[argIdx]),
-                  tags: getAdjustedQueryTags(reportSafe.path, reportSafe.strInfo, inspect(origArgs[argIdx])),
-                },
-              });
-              return method === 'findOne' ? runInActiveSink(NOSQL_INJECTION_MONGO, async () => await next()) : next();
-            }
-
-            const { path, strInfo } = vulnInfo;
-            const objName = getObjectName(obj);
-            const args = origArgs.map((arg, idx) => ({
-              value: inspect(arg),
-              tracked: idx === argIdx,
-            }));
-
-            const tags = getAdjustedQueryTags(path, strInfo, args[argIdx].value);
-            const resultVal = args[args.length - 1].value.startsWith('[Function') ? '' : 'Promise';
-            const sinkEvent = createSinkEvent({
-              args,
-              context: `${objName}.${method}(${args.map((a) => a.value)})`,
-              history: [strInfo],
-              object: {
-                tracked: false,
-                value: 'mongodb.Collection',
-              },
-              name,
-              result: {
-                tracked: false,
-                value: resultVal,
-              },
-              source: `P${argIdx}`,
-              stacktraceOpts: {
-                constructorOpt: data.hooked,
-              },
-              tags,
-            });
-
-            if (sinkEvent) {
-              reportFindings({ ruleId: NOSQL_INJECTION_MONGO, sinkEvent });
-            }
-          } catch (err) {
-            core.logger.error({ name, err }, 'assess sink analysis failed');
-          }
-
-          if (method === 'findOne') {
-            // `findOne` will call `find` so don't analyze in nested call
-            return runInActiveSink(NOSQL_INJECTION_MONGO, async () => await next());
-          }
-
-          return next();
-        },
-      });
+      if (method === 'aggregate') {
+        patcher.patch(proto, method, {
+          name,
+          patchType,
+          around: createAroundHook('Collection', name, method, instr.getAggregateVulnerabilityInfo)
+        });
+      } else if (method === 'mapReduce') {
+        patcher.patch(proto, method, {
+          name,
+          patchType,
+          around: createAroundHook('Collection', name, method, instr.getMapReduceVulnerabilityInfo, [0, 1, 2])
+        });
+      } else if (method === 'group') {
+        patcher.patch(proto, method, {
+          name,
+          patchType,
+          around: createAroundHook('Collection', name, method, instr.getGroupVulnerabilityInfo, [0, 1, 3])
+        });
+      } else {
+        patcher.patch(proto, method, {
+          name,
+          patchType,
+          around: createAroundHook('Collection', name, method, instr.getQueryVulnerabilityInfo)
+        });
+      }
     }
   }
 
@@ -218,79 +374,19 @@ module.exports = function(core) {
         continue;
       }
 
-      patcher.patch(proto, method, {
-        name,
-        patchType,
-        around(next, data) {
-          const { obj, args: origArgs } = data;
-          const sourceCtx = sources.getStore()?.assess;
-
-          if (isLocked(NOSQL_INJECTION_MONGO) || instrumentation.isLocked() || !sourceCtx) {
-            return next();
-          }
-
-          const argIdx = 0;
-          try {
-            const { vulnInfo, reportSafe } = instr.getVulnerabilityInfo(origArgs[argIdx]);
-
-            if (!vulnInfo) {
-              const tags = reportSafe?.path ? getAdjustedQueryTags(reportSafe.path, reportSafe.strInfo, inspect(origArgs[argIdx])) : reportSafe?.strInfo?.tags;
-              reportSafe && config.assess.safe_positives.enable && reportSafePositive({
-                name,
-                ruleId: NOSQL_INJECTION_MONGO,
-                safeTags: filterSafeTags(querySafeTags, reportSafe.strInfo),
-                strInfo: {
-                  value: inspect(origArgs[argIdx]),
-                  tags
-                },
-              });
-              return method === 'eval' ? runInActiveSink(NOSQL_INJECTION_MONGO, async () => await next()) : next();
-            }
-
-            const { path, strInfo } = vulnInfo;
-            const objName = getObjectName(obj, 'Db');
-            const args = origArgs.map((arg, idx) => ({
-              value: isString(arg) ? arg : inspect(arg),
-              tracked: idx === argIdx,
-            }));
-
-            const tags = path ? getAdjustedQueryTags(path, strInfo, args[argIdx].value) : strInfo?.tags;
-            const resultVal = args[args.length - 1].value.startsWith('[Function') ? '' : 'Promise';
-            const sinkEvent = createSinkEvent({
-              args,
-              context: `${objName}.${method}(${args.map((a) => a.value)})`,
-              history: [strInfo],
-              object: {
-                tracked: false,
-                value: 'mongodb.Db',
-              },
-              name,
-              result: {
-                tracked: false,
-                value: resultVal,
-              },
-              source: `P${argIdx}`,
-              stacktraceOpts: {
-                constructorOpt: data.hooked,
-              },
-              tags,
-            });
-
-            if (sinkEvent) {
-              reportFindings({ ruleId: NOSQL_INJECTION_MONGO, sinkEvent });
-            }
-          } catch (err) {
-            core.logger.error({ name, err }, 'assess sink analysis failed');
-          }
-
-          if (method === 'eval') {
-            // `eval` will call `command` so don't analyze in nested call
-            return runInActiveSink(NOSQL_INJECTION_MONGO, async () => await next());
-          }
-
-          return next();
-        },
-      });
+      if (method === 'aggregate') {
+        patcher.patch(proto, method, {
+          name,
+          patchType,
+          around: createAroundHook('Db', name, method, instr.getAggregateVulnerabilityInfo)
+        });
+      } else {
+        patcher.patch(proto, method, {
+          name,
+          patchType,
+          around: createAroundHook('Db', name, method, instr.getQueryVulnerabilityInfo)
+        });
+      }
     }
   }
 
@@ -310,6 +406,10 @@ module.exports = function(core) {
     const { tags } = strInfo;
     let idx = -1;
     for (const str of [...path, strInfo.value]) {
+      // This is the case with the `.aggregate` method
+      // where the argument is an array
+      if (str === 0) continue;
+
       idx = argString.indexOf(str, idx);
       if (idx == -1) {
         idx = -1;

package/lib/dataflow/sinks/install/mssql.js

@@ -30,7 +30,7 @@ const safeTags = [
   CUSTOM_ENCODED,
 ];
 
-module.exports = function (core) {
+module.exports = function(core) {
   const {
     depHooks,
     patcher,
@@ -44,7 +44,7 @@ module.exports = function (core) {
     },
   } = core;
 
-  const pre = (name, obj, version) => (data) => {
+  const pre = (name, method, obj, version) => (data) => {
     const store = sources.getStore()?.assess;
     if (
       !store ||
@@ -60,6 +60,9 @@ module.exports = function (core) {
 
     const event = createSinkEvent({
       name,
+      moduleName: 'mssql',
+      methodName: `PreparedStatement.prototype.${method}`,
+      context: `mssql.PreparedStatement.${method}('${strInfo.value}')`,
       history: [strInfo],
       object: {
         value: `[${createModuleLabel('mssql', version)}].${obj}`,
@@ -75,6 +78,7 @@ module.exports = function (core) {
       source: 'P0',
       stacktraceOpts: {
         contructorOpt: data.hooked,
+        prependFrames: [data.orig]
       },
     });
 
@@ -96,6 +100,7 @@ module.exports = function (core) {
             patchType,
             pre: pre(
               'mssql/lib/base/prepared-statement.prototype.prepare',
+              'prepare',
               'PreparedStatement',
               version,
             ),
@@ -111,6 +116,7 @@ module.exports = function (core) {
             patchType,
             pre: pre(
               'mssql/lib/base/request.prototype.batch',
+              'batch',
               'Request',
               version,
             ),
@@ -121,6 +127,7 @@ module.exports = function (core) {
             patchType,
             pre: pre(
               'mssql/lib/base/request.prototype.query',
+              'query',
               'Request',
               version,
             ),

package/lib/dataflow/sinks/install/mysql.js

@@ -28,6 +28,7 @@ const {
     LIMITED_CHARS,
     UNTRUSTED
   },
+  inspect
 } = require('@contrast/common');
 
 const safeTags = [
@@ -39,7 +40,7 @@ const safeTags = [
   LIMITED_CHARS,
 ];
 
-module.exports = function (core) {
+module.exports = function(core) {
   const {
     depHooks,
     patcher,
@@ -63,7 +64,7 @@ module.exports = function (core) {
     }
   }
 
-  const pre = (module, file, obj) => (data) => {
+  const pre = (module, file, obj, method) => (data) => {
     const store = sources.getStore()?.assess;
     if (
       !store ||
@@ -81,6 +82,9 @@ module.exports = function (core) {
 
     const event = createSinkEvent({
       name: `${module}/${file}`,
+      moduleName: module,
+      methodName: `prototype.${method}`,
+      context: `${module}.${method}(${inspect(data.args[0])})`,
       history: [strInfo],
       object: {
         value: `${module}.${obj}`,
@@ -96,6 +100,7 @@ module.exports = function (core) {
       source: 'P0',
       stacktraceOpts: {
         contructorOpt: data.hooked,
+        prependFrames: [data.orig]
       },
     });
 
@@ -115,7 +120,7 @@ module.exports = function (core) {
           patcher.patch(Connection.prototype, 'query', {
             name: 'Connection.prototype.query',
             patchType,
-            pre: pre('mysql', 'lib/Connection.query', 'Connection')
+            pre: pre('mysql', 'lib/Connection.query', 'Connection', 'query')
           });
         },
       );
@@ -126,7 +131,7 @@ module.exports = function (core) {
             patcher.patch(connection.prototype, `${method}`, {
               name: `connection.prototype.${method}`,
               patchType,
-              pre: pre('mysql2', `lib/connection.Connection.${method}`, 'connection')
+              pre: pre('mysql2', `lib/connection.Connection.${method}`, 'connection', method)
             });
           });
         },

package/lib/dataflow/sinks/install/postgres.js

@@ -19,11 +19,11 @@ const util = require('util');
 const {
   DataflowTag: { UNTRUSTED, SQL_ENCODED, LIMITED_CHARS, CUSTOM_VALIDATED, CUSTOM_ENCODED },
   Rule: { SQL_INJECTION: ruleId },
-  isString
+  isString,
 } = require('@contrast/common');
 const { filterSafeTags, patchType } = require('../common');
 
-module.exports = function (core) {
+module.exports = function(core) {
   const {
     config,
     depHooks,
@@ -74,6 +74,8 @@ module.exports = function (core) {
         context: `${objValue}.query(${arg0Val})`,
         history: [strInfo],
         name: methodSignature,
+        moduleName: `${methodSignature.includes('pool') ? 'pg-pool' : 'pg'}`,
+        methodName: 'Connection.prototype.query',
         object: {
           tracked: false,
           value: objValue,
@@ -86,6 +88,7 @@ module.exports = function (core) {
         source: 'P0',
         stacktraceOpts: {
           constructorOpt: data.hooked,
+          prependFrames: [data.orig]
         },
       });
 
@@ -108,7 +111,7 @@ module.exports = function (core) {
     }
   };
 
-  postgres.install = function () {
+  postgres.install = function() {
     const pgClientQueryPatchName = 'pg.Client.prototype.query';
     depHooks.resolve(
       { name: 'pg', file: 'lib/client.js' },

package/lib/dataflow/sinks/install/sequelize.js

@@ -28,7 +28,7 @@ const {
 } = require('@contrast/common');
 const { patchType, filterSafeTags } = require('../common');
 
-module.exports = function (core) {
+module.exports = function(core) {
   const {
     depHooks,
     patcher,
@@ -54,7 +54,7 @@ module.exports = function (core) {
 
   const sequelize = (core.assess.dataflow.sinks.sequelize = {});
 
-  sequelize.install = function () {
+  sequelize.install = function() {
     const sequelizeQueryPatchName = 'sequelize.prototype.query';
     depHooks.resolve({ name: 'sequelize' }, (sequelize) => {
       patcher.patch(sequelize.prototype, 'query', {
@@ -69,7 +69,7 @@ module.exports = function (core) {
 
           try {
             const queryInfo = tracker.getData(query);
-            const isVulnerableQuery = isVulnerable(requiredTag, safeTags, queryInfo.tags);
+            const isVulnerableQuery = queryInfo && isVulnerable(requiredTag, safeTags, queryInfo.tags);
 
             if (queryInfo && !isVulnerableQuery && config.assess.safe_positives.enable) {
               reportSafePositive({
@@ -94,8 +94,8 @@ module.exports = function (core) {
               typeof args[0] === 'string' ? args[0] : inspect(args[0]);
             const inspectedOptions = args[1] ? inspect(args[1]) : '';
             const contextArgs = args[1]
-              ? `${sqlValue}, ${inspectedOptions}`
-              : sqlValue;
+              ? `'${sqlValue}', ${inspectedOptions}`
+              : `'${sqlValue}'`;
 
             const reportedArgs = [{ value: sqlValue, tracked: true }];
             args[1] &&
@@ -104,6 +104,8 @@ module.exports = function (core) {
             const event = createSinkEvent({
               context: `sequelize.prototype.query(${contextArgs})`,
               name: sequelizeQueryPatchName,
+              moduleName: 'sequelize',
+              methodName: 'prototype.query',
               history: [queryInfo],
               object: {
                 value: 'sequelize.prototype',

package/lib/dataflow/sinks/install/sqlite3.js

@@ -29,7 +29,7 @@ const safeTags = [
   CUSTOM_ENCODED,
 ];
 
-module.exports = function (core) {
+module.exports = function(core) {
   const {
     depHooks,
     patcher,
@@ -43,7 +43,7 @@ module.exports = function (core) {
     },
   } = core;
 
-  const pre = (name) => (data) => {
+  const pre = (name, method) => (data) => {
     const store = sources.getStore()?.assess;
     if (
       !store ||
@@ -59,6 +59,9 @@ module.exports = function (core) {
 
     const event = createSinkEvent({
       name,
+      moduleName: 'sqlite3',
+      methodName: `Database.prototype.${method}`,
+      context: `db.${method}('${strInfo.value}')`,
       history: [strInfo],
       object: {
         value: '[Module<sqlite3>].Database',
@@ -74,6 +77,7 @@ module.exports = function (core) {
       source: 'P0',
       stacktraceOpts: {
         contructorOpt: data.hooked,
+        prependFrames: [data.orig]
       },
     });
 
@@ -93,7 +97,7 @@ module.exports = function (core) {
           patcher.patch(sqlite3.Database.prototype, method, {
             name,
             patchType,
-            pre: pre(name)
+            pre: pre(name, method)
           });
         });
       });