npm - @contrast/assess - Versions diffs - 1.7.0 → 1.9.0 - Mend

@contrast/assess 1.7.0 → 1.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (68) hide show

package/lib/dataflow/tag-utils.js CHANGED Viewed

@@ -68,6 +68,57 @@ function atomicSubset(tags, subsetStart, len) {
   return ret;
 }
+function atomicMerge(firstTagRanges, secondTagRanges) {
+  const mergedRanges = [];
+  let i = 0;
+  let j = 0;
+  while (i < firstTagRanges.length && j < secondTagRanges.length) {
+    const start1 = firstTagRanges[i];
+    const end1 = firstTagRanges[i + 1];
+    const start2 = secondTagRanges[j];
+    const end2 = secondTagRanges[j + 1];
+    if (end1 < start2) {
+      mergedRanges.push(start1, end1);
+      i += 2;
+    } else if (end2 < start1) {
+      mergedRanges.push(start2, end2);
+      j += 2;
+    } else {
+      const mergedStart = Math.min(start1, start2);
+      const mergedEnd = Math.max(end1, end2);
+      mergedRanges.push(mergedStart, mergedEnd);
+      i += 2;
+      j += 2;
+    }
+  }
+  while (i < firstTagRanges.length) {
+    mergedRanges.push(firstTagRanges[i], firstTagRanges[i + 1]);
+    i += 2;
+  }
+  while (j < secondTagRanges.length) {
+    mergedRanges.push(secondTagRanges[j], secondTagRanges[j + 1]);
+    j += 2;
+  }
+  // Merge adjacent ranges
+  const finalMergedRanges = [];
+  for (let k = 0; k < mergedRanges.length; k += 2) {
+    const start = mergedRanges[k];
+    let end = mergedRanges[k + 1];
+    while (k + 2 < mergedRanges.length && mergedRanges[k + 2] - end === 1) {
+      end = mergedRanges[k + 3];
+      k += 2;
+    }
+    finalMergedRanges.push(start, end);
+  }
+  return finalMergedRanges;
+}
 function createAppendTags(firstTags, secondTags, offset) {
   const ret = Object.create(null);
   const firstTagsObject = ensureObject(firstTags);
@@ -83,6 +134,29 @@ function createAppendTags(firstTags, secondTags, offset) {
   return Object.keys(ret).length ? ret : null;
 }
+function createOverlappingTags(tags, startIndex, endIndex) {
+  const overlappingTags = {};
+  Object.entries(tags).forEach(([tag, tagRanges]) => {
+    const overlappingRanges = [];
+    for (let i = 0; i < tagRanges.length; i += 2) {
+      const start = tagRanges[i];
+      const end = tagRanges[i + 1];
+      if (end >= startIndex && start <= endIndex) {
+        overlappingRanges.push([start, end]);
+      }
+    }
+    if (overlappingRanges.length > 0) {
+      overlappingTags[tag] = overlappingRanges;
+    }
+  });
+  return overlappingTags;
+}
 /**
  * assumes:
  *  - no mutation of arguments
@@ -115,8 +189,25 @@ function createFullLengthCopyTags(tags, resultLength) {
   return Object.keys(ret).length ? ret : null;
 }
+function createMergedTags(firstTags, secondTags) {
+  const ret = Object.create(null);
+  const firstTagsObject = ensureObject(firstTags);
+  const secondTagsObject = ensureObject(secondTags);
+  const tagNames = new Set([...Object.keys(firstTagsObject), ...Object.keys(secondTagsObject)]);
+  for (const tagName of tagNames) {
+    const newTagRanges = atomicMerge(ensureTagsImmutable(firstTagsObject, tagName), ensureTagsImmutable(secondTagsObject, tagName));
+    newTagRanges.length && (ret[tagName] = newTagRanges);
+  }
+  return Object.keys(ret).length ? ret : null;
+}
 module.exports = {
   createSubsetTags,
   createAppendTags,
-  createFullLengthCopyTags
+  createFullLengthCopyTags,
+  createMergedTags,
+  createOverlappingTags
 };

package/lib/dataflow/tracker.js CHANGED Viewed

@@ -34,7 +34,8 @@ module.exports = function tracker(core) {
   function getData(value) {
     if (typeof value === 'string') {
-      return distringuish.getProperties(value);
+      const props = distringuish.getProperties(value);
+      return props?.untracked ? null : props;
     }
     return objMap.get(value) || null;
@@ -126,11 +127,10 @@ module.exports = function tracker(core) {
     if (typeof value === 'string') {
       const props = distringuish.getProperties(value);
       if (props) {
-        Object.assign(props, {
-          history: [],
-          tags: {},
-        });
-        delete props.resultTracked;
+        for (const key of Object.keys(props)) {
+          delete props[key];
+        }
+        props.untracked = true;
       }
       return distringuish.internalize(value);
     }

package/lib/index.js CHANGED Viewed

@@ -16,6 +16,7 @@
 'use strict';
 const { callChildComponentMethodsSync } = require('@contrast/common');
+const sessionConfiguration = require('./session-configuration');
 const dataflow = require('./dataflow');
 const responseScanning = require('./response-scanning');
@@ -26,6 +27,7 @@ module.exports = function assess(core) {
   // Does this order matter? Probably not
   // 1. dataflow
+  sessionConfiguration(core);
   dataflow(core);
   responseScanning(core);

package/lib/response-scanning/handlers/utils.js CHANGED Viewed

@@ -15,7 +15,7 @@
 'use strict';
-const { join, substring, toLowerCase, split, trim } = require('@contrast/common');
+const { join, substring, toLowerCase, split, trim, replace } = require('@contrast/common');
 //
 // General HTML utils
@@ -32,7 +32,7 @@ const reHasUnescapedHtml = RegExp(reUnescapedHtml.source);
 function escapeHtml(string) {
   return (string && reHasUnescapedHtml.test(string))
-    ? string.replace(reUnescapedHtml, (chr) => htmlEscapes[chr])
+    ? replace(string, reUnescapedHtml, (chr) => htmlEscapes[chr])
     : (string || '');
 }

package/lib/session-configuration/index.js ADDED Viewed

@@ -0,0 +1,34 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { callChildComponentMethodsSync, Event } = require('@contrast/common');
+module.exports = function(core) {
+  const { messages } = core;
+  const sessionConfiguration = core.assess.sessionConfiguration = {
+    reportFindings(_sourceContext, vulnerabilityMetadata) {
+      messages.emit(Event.ASSESS_SESSION_CONFIGURATION_FINDING, vulnerabilityMetadata);
+    },
+  };
+  require('./install/http')(core);
+  sessionConfiguration.install = function() {
+    callChildComponentMethodsSync(sessionConfiguration, 'install');
+  };
+  return sessionConfiguration;
+};

package/lib/session-configuration/install/http.js ADDED Viewed

@@ -0,0 +1,79 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { SessionConfigurationRule, split, toLowerCase } = require('@contrast/common');
+module.exports = function(core) {
+  const {
+    depHooks,
+    patcher,
+    scopes: { sources },
+    assess: {
+      sessionConfiguration: {
+        reportFindings
+      }
+    }
+  } = core;
+  const http = core.assess.sessionConfiguration.httpInstrumentation = {};
+  const patchType = 'session-configuration';
+  http.install = function() {
+    [
+      { name: 'http', responseObj: 'ServerResponse' },
+      { name: 'https', responseObj: 'ServerResponse' },
+      { name: 'http2', responseObj: 'Http2ServerResponse' }
+    ].forEach(({ name, responseObj }) => {
+      depHooks.resolve({ name }, (module) => {
+        patcher.patch(module[responseObj].prototype, 'setHeader', {
+          name: `${name}.${responseObj}.prototype.setHeader`,
+          patchType,
+          post(data) {
+            const sourceContext = sources.getStore()?.assess;
+            if (!sourceContext) return;
+            const [key, val] = data.args;
+            if (key === 'Set-Cookie') {
+              const [cookies] = val;
+              const parsedCookies = split(toLowerCase(cookies), '; ');
+              if (!parsedCookies.includes('httponly')) {
+                reportFindings(sourceContext, {
+                  ruleId: SessionConfigurationRule.HTTPONLY,
+                  props: {
+                    evidence: cookies
+                  }
+                });
+              }
+              if (!parsedCookies.includes('secure')) {
+                reportFindings(sourceContext, {
+                  ruleId: SessionConfigurationRule.SECURE_FLAG_MISSING,
+                  props: {
+                    evidence: cookies
+                  }
+                });
+              }
+            }
+          }
+        });
+      });
+    });
+  };
+  return http;
+};

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.7.0",
+  "version": "1.9.0",
   "description": "",
   "main": "lib/index.js",
   "scripts": {
@@ -15,7 +15,7 @@
   "dependencies": {
     "@contrast/distringuish": "^4.1.0",
     "@contrast/scopes": "1.4.0",
-    "@contrast/common": "1.10.0",
+    "@contrast/common": "1.12.0",
     "parseurl": "^1.3.3"
   }
 }