@contrast/assess 1.70.1 → 1.71.1

package/lib/dataflow/propagation/index.js

@@ -22,6 +22,7 @@ module.exports = function(core) {
 
   require('./install/contrast-methods')(core);
   require('./install/ejs')(core);
+  core.initComponentSync(require('./install/jsonwebtoken'));
   require('./install/mongoose')(core);
   require('./install/pug')(core);
   require('./install/sequelize')(core);

package/lib/dataflow/propagation/install/jsonwebtoken.js

@@ -0,0 +1,333 @@
+/*
+
+ * Copyright: 2026 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+
+const { kComponentName, ComponentBase } = require('@contrast/core/lib/ioc/core');
+const { isString, set, traverseValues, primordials } = require('@contrast/common');
+const { createFullLengthCopyTags } = require('../../tag-utils');
+const { patchType } = require('../common');
+
+const COMPONENT_NAME = 'assess.dataflow.propagation.jsonwebtoken';
+const OBJECT_DTM = Object.freeze({ value: 'jsonwebtoken', tracked: false });
+const MODULE_NAME = 'jsonwebtoken';
+const METHODS = {
+  DECODE: 'decode',
+  VERIFY: 'verify',
+  SIGN: 'sign',
+};
+const SOURCE = 'A';
+const TARGET = 'R';
+
+module.exports = class Instrumentation extends ComponentBase {
+
+  static [kComponentName] = COMPONENT_NAME;
+
+  /** calls around hook's next callback in no-instrumentation scope */
+  _execNext(next) {
+    return this.core.scopes.instrumentation.isLocked() ?
+      next() :
+      this.core.scopes.instrumentation.run({ lock: true, name: COMPONENT_NAME }, next);
+  }
+
+  /**
+   * The expected API usage for all methods puts callbacks at position 2 or 3.
+   *   jwt.sign(payload, secretOrPrivateKey, [options, callback])
+   *   jwt.verify(token, secretOrPublicKey, [options, callback])
+   */
+  _getCallbackIdx(args) {
+    if (typeof args[2] == 'function') return 2;
+    if (typeof args[3] == 'function') return 3;
+    return null;
+  }
+
+  /**
+   * Traverses parsed object to track values with tags from token input.
+   * Used by decode and verify instrumentation.
+   */
+  _traverseAndTrack(target, argStrInfo, data, methodName) {
+    const self = this;
+    const {
+      assess: { dataflow: { tracker } }
+    } = self.core;
+
+    traverseValues(target, (path, type, value) => {
+      if (isString(value) && value.length) {
+
+        const p = primordials.ArrayPrototypeJoin.call(path, '.');
+        const pEvent = self._makeEvent({
+          methodName,
+          result: { tracked: true, value },
+          args: [{ value: argStrInfo.value, tracked: true }],
+          tags: createFullLengthCopyTags(argStrInfo.tags, value.length),
+          history: [argStrInfo],
+          stacktraceOpts: { constructorOpt: data.hooked, },
+        });
+        if (pEvent) {
+          const resultStrInfo = tracker.track(value, pEvent);
+          if (resultStrInfo) {
+            set(target, p, resultStrInfo.extern);
+          }
+        }
+      }
+    });
+  }
+
+  _makeEvent(obj) {
+    obj.object = OBJECT_DTM;
+    obj.name = COMPONENT_NAME;
+    obj.moduleName = MODULE_NAME;
+    obj.source = SOURCE;
+    obj.target = TARGET;
+    return this.core.assess.eventFactory.createPropagationEvent(obj);
+  }
+
+  install() {
+    this.core.depHooks.resolve({ name: MODULE_NAME, version: '9', }, (xports, meta) => {
+      this.patchDecode(xports);
+      this.patchSign(xports);
+      this.patchVerify(xports);
+    });
+  }
+
+  patchDecode(xports) {
+    const self = this;
+    const {
+      assess: { getPropagatorContext, dataflow: { tracker } },
+      patcher,
+    } = this.core;
+
+    patcher.patch(xports, METHODS.DECODE, {
+      name: `${MODULE_NAME}.${METHODS.DECODE}`,
+      patchType,
+      around(next, data) {
+        const ctx = getPropagatorContext();
+        const strInfo = tracker.getData(data.args[0]);
+
+        let ret = self._execNext(next);
+
+        if (ctx && strInfo) {
+          if (typeof ret == 'object') {
+            self._traverseAndTrack(ret, strInfo, data, METHODS.DECODE);
+          } else if (isString(ret)) {
+            const event = self._makeEvent({
+              methodName: METHODS.DECODE,
+              result: { tracked: true, value: ret },
+              args: [{ value: strInfo.value, tracked: true }],
+              tags: createFullLengthCopyTags(strInfo.tags, ret.length),
+              history: [strInfo],
+              stacktraceOpts: { constructorOpt: data.hooked, },
+            });
+            if (event) {
+              const resultStrInfo = tracker.track(ret, event);
+              if (resultStrInfo) {
+                ret = resultStrInfo.extern;
+              }
+            }
+          }
+        }
+
+        return ret;
+      },
+    });
+  }
+
+  patchSign(xports) {
+    const self = this;
+    const {
+      assess: { getPropagatorContext, dataflow: { tracker } },
+      patcher,
+      scopes,
+    } = this.core;
+
+    const ARGS_DTM = [{ value: '[Obejct]', tracked: true }];
+
+    function _collectTagNames(set, strInfo) {
+      if (strInfo?.tags)
+        for (const t of Object.keys(strInfo.tags))
+          set.add(t);
+    }
+
+    function _makeTagsObj(tagSet, len) {
+      return Array.from(tagSet).reduce((acc, t) => {
+        acc[t] = [0, len];
+        return acc;
+      }, Object.create(null));
+    }
+
+    patcher.patch(xports, METHODS.SIGN, {
+      name: `${MODULE_NAME}.${METHODS.SIGN}`,
+      patchType,
+      around(next, data) {
+        const ctx = getPropagatorContext();
+        const callbackIdx = self._getCallbackIdx(data.args);
+        let tagSet;
+        let historySet;
+
+        // collect all tags from all of the payload object (or string) values
+        // check if we're in request scope
+        if (ctx && typeof data.args[0] == 'object') {
+          tagSet = new Set();
+          historySet = new Set();
+          traverseValues(data.args[0], (path, type, value) => {
+            const info = tracker.getData(value);
+            if (info?.tags) {
+              historySet.add(info);
+              for (const tag of Object.keys(info.tags)) {
+                tagSet.add(tag);
+              }
+            }
+          });
+        } else if (ctx && isString(data.args[0])) {
+          tagSet = new Set();
+          const info = tracker.getData(data.args[0]);
+          _collectTagNames(set, info);
+        }
+
+        if (callbackIdx) {
+          // always run in no-instrumentation even if we're not in request scope
+          const o = data.args[callbackIdx];
+          data.args[callbackIdx] = function () {
+            if (arguments[1] && tagSet) {
+              // track result if if parsing was successful and there are tags on payload
+              const event = self._makeEvent({
+                methodName: METHODS.SIGN,
+                result: { tracked: true, value: arguments[1] },
+                args: ARGS_DTM,
+                tags: _makeTagsObj(tagSet, arguments[1].length - 1),
+                history: Array.from(historySet),
+                stacktraceOpts: { constructorOpt: o, },
+              });
+              if (event) {
+                const strInfo = tracker.track(arguments[1], event);
+                if (strInfo) {
+                  arguments[1] = strInfo.extern;
+                }
+              }
+            }
+            // ensure instrumentation resumes in callback
+            const store = scopes.instrumentation.getStore();
+            if (store?.lock && store?.name == COMPONENT_NAME) store.lock = false;
+            return scopes.instrumentation.run(store, o, ...arguments);
+          };
+        }
+
+        let ret = self._execNext(next);
+
+        if (tagSet && !callbackIdx) {
+          // track result if if parsing was successful and there are tags on payload
+          const event = self._makeEvent({
+            methodName: METHODS.SIGN,
+            result: { tracked: true, value: ret },
+            args: ARGS_DTM,
+            tags: _makeTagsObj(tagSet, ret.length - 1),
+            history: Array.from(historySet),
+            stacktraceOpts: { constructorOpt: data.hooked, },
+          });
+
+          if (event) {
+            const strInfo = tracker.track(ret, event);
+            if (strInfo) {
+              ret = strInfo.extern;
+            }
+          }
+        }
+
+        return ret;
+      },
+    });
+  }
+
+  /**
+   * Turns off instrumentation within jsonwebtoken.verify(token, secret[, callback]),
+   * but ensures that any values in the parsed token results are tracked accordingly.
+   */
+  patchVerify(xports) {
+    const self = this;
+    const {
+      assess: { getPropagatorContext, dataflow: { tracker } },
+      patcher,
+      scopes,
+    } = this.core;
+
+    patcher.patch(xports, METHODS.VERIFY, {
+      patchType,
+      name: `${MODULE_NAME}.${METHODS.VERIFY}`,
+      around(next, data) {
+        const { args } = data;
+        const ctx = getPropagatorContext();
+        const strInfo = tracker.getData(args[0]); // args[0] = token;
+        const callbackIdx = self._getCallbackIdx(args);
+
+        if (callbackIdx) {
+          // always run in no-instrumentation even if we're not in request scope
+          const o = args[callbackIdx];
+          args[callbackIdx] = function() {
+            if (ctx) {
+              if (typeof arguments[1] == 'object') {
+                self._traverseAndTrack(arguments[1], strInfo, data, METHODS.VERIFY);
+              } else if (isString(arguments[1])) {
+                const event = self._makeEvent({
+                  methodName: METHODS.VERIFY,
+                  result: { tracked: true, value: arguments[1] },
+                  args: [{ value: strInfo.value, tracked: true }],
+                  tags: createFullLengthCopyTags(strInfo.tags, arguments[1].length),
+                  history: [strInfo],
+                  stacktraceOpts: { constructorOpt: data.hooked, },
+                });
+                if (event) {
+                  const resultStrInfo = tracker.track(arguments[1], event);
+                  if (resultStrInfo) {
+                    arguments[1] = resultStrInfo.extern;
+                  }
+                }
+              }
+            }
+            // ensure instrumentation resumes in callback
+            const store = scopes.instrumentation.getStore();
+            if (store?.lock && store?.name == COMPONENT_NAME) store.lock = false;
+            return scopes.instrumentation.run(store, o, ...arguments);
+          };
+        }
+
+        let ret = self._execNext(next);
+
+        // if no callback was used, track here in "post" hook
+        if (ctx && callbackIdx == null) {
+          if (typeof ret == 'object') {
+            self._traverseAndTrack(ret, strInfo, data, METHODS.VERIFY);
+          } else if (isString(ret)) {
+            const event = self._makeEvent({
+              methodName: METHODS.VERIFY,
+              result: { tracked: true, value: ret },
+              args: [{ value: strInfo.value, tracked: true }],
+              tags: createFullLengthCopyTags(strInfo.tags, ret.length),
+              history: [strInfo],
+              stacktraceOpts: { constructorOpt: data.hooked, },
+            });
+            if (event) {
+              const resultStrInfo = tracker.track(ret, event);
+              if (resultStrInfo) {
+                ret = resultStrInfo.extern;
+              }
+            }
+          }
+        }
+
+        return ret;
+      },
+    });
+  }
+};

package/lib/dataflow/sinks/install/mongodb.js

@@ -373,7 +373,13 @@ module.exports = function (core) {
   }
 
   instr.install = function () {
-    depHooks.resolve({ name: 'mongodb', version: '<7' }, (mongodb, version) => {
+    depHooks.resolve({ name: 'mongodb', version: '<7' }, (mongodb, meta) => {
+      if (!mongodb.Collection || !mongodb.Db) {
+        meta.rerun();
+        return;
+      }
+
+      const { version } = meta;
       patchCollection(mongodb, version);
       patchDatabase(mongodb, version);
     });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.70.1",
+  "version": "1.71.1",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -21,18 +21,18 @@
   },
   "dependencies": {
     "@contrast/common": "1.41.1",
-    "@contrast/config": "1.58.1",
-    "@contrast/core": "1.63.1",
-    "@contrast/dep-hooks": "1.32.1",
+    "@contrast/config": "1.58.2",
+    "@contrast/core": "1.63.2",
+    "@contrast/dep-hooks": "1.32.2",
     "@contrast/distringuish": "6.0.2",
-    "@contrast/instrumentation": "1.42.1",
-    "@contrast/logger": "1.36.1",
-    "@contrast/patcher": "1.35.1",
-    "@contrast/rewriter": "1.40.1",
-    "@contrast/route-coverage": "1.56.1",
-    "@contrast/scopes": "1.33.1",
-    "@contrast/sources": "1.9.1",
-    "@contrast/stack-trace-factory": "1.3.1",
+    "@contrast/instrumentation": "1.42.2",
+    "@contrast/logger": "1.36.2",
+    "@contrast/patcher": "1.35.2",
+    "@contrast/rewriter": "1.40.2",
+    "@contrast/route-coverage": "1.56.2",
+    "@contrast/scopes": "1.33.2",
+    "@contrast/sources": "1.9.2",
+    "@contrast/stack-trace-factory": "1.3.2",
     "semver": "7.6.0"
   }
 }