npm - @contrast/assess - Versions diffs - 1.8.0 → 1.10.0 - Mend

@contrast/assess 1.8.0 → 1.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (75) hide show

package/lib/dataflow/propagation/install/contrast-methods/number.js ADDED Viewed

@@ -0,0 +1,58 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { isString } = require('@contrast/common');
+const { patchType } = require('../../common');
+module.exports = function(core) {
+  const {
+    logger,
+    scopes: { instrumentation, sources },
+    patcher,
+    assess: {
+      dataflow: { tracker }
+    }
+  } = core;
+  const name = 'ContrastMethods.Number';
+  return core.assess.dataflow.propagation.contrastMethodsInstrumentation.number = {
+    install() {
+      patcher.patch(global.ContrastMethods, 'Number', {
+        name,
+        patchType,
+        post(data) {
+          const { args: [value], result } = data;
+          if (
+            isNaN(result) ||
+            !value ||
+            !isString(value) ||
+            !sources.getStore()?.assess ||
+            instrumentation.isLocked() ||
+            !tracker.getData(value)
+          ) return;
+          tracker.untrack(value);
+          logger.trace({ sanitizer: name, value }, 'untracked a string value');
+        }
+      });
+    },
+    uninstall() {
+      global.ContrastMethods.Number = patcher.unwrap(global.Number);
+    },
+  };
+};

package/lib/dataflow/propagation/install/contrast-methods/string.js CHANGED Viewed

@@ -15,30 +15,42 @@
 'use strict';
+const { DataflowTag } = require('@contrast/common');
 const { patchType } = require('../../common');
+function metadataUpdate(strInfo, event) {
+  for (const key of Object.keys(strInfo)) {
+    if (key === 'value' || key === 'extern') continue;
+    delete strInfo[key];
+  }
+  Object.assign(strInfo, event);
+}
 module.exports = function(core) {
   const {
     scopes: { sources, instrumentation },
     patcher,
     assess: {
       dataflow: {
-        tracker
+        tracker,
+        eventFactory: { createPropagationEvent },
       },
     }
   } = core;
   return core.assess.dataflow.propagation.contrastMethodsInstrumentation.string = {
     install() {
+      const name = 'ContrastMethods.String';
       patcher.patch(global.ContrastMethods, 'String', {
-        name: 'ContrastMethods.String',
+        name,
         patchType,
         post(data) {
           if (!data.result || !sources.getStore() || instrumentation.isLocked()) return;
           const arg = data.args[0];
           let argInfo = tracker.getData(arg);
-          if (tracker.getData(data.result)) return;
+          const objInfo = tracker.getData(data.obj);
           if (data.obj && !argInfo) {
             argInfo = tracker.getData(data.result.toString());
@@ -48,10 +60,45 @@ module.exports = function(core) {
             return;
           }
-          const { extern } = tracker.track(data.result, argInfo);
+          const history = [{ ...argInfo }];
+          const strLength = typeof arg === 'string' ? arg.length : arg.toString().length;
+          const event = createPropagationEvent({
+            addedTags: [DataflowTag.STRING_TYPE_CHECKED],
+            name,
+            moduleName: 'global',
+            methodName: 'ContrastMethods.String',
+            context: `${name}('${argInfo.value}')`,
+            history,
+            object: {
+              tracked: !!objInfo,
+              value: objInfo ? objInfo.value : data.obj,
+            },
+            args: [{ tracked: true, value: argInfo.value }],
+            source: 'P',
+            tags: {
+              ...argInfo.tags,
+              [DataflowTag.STRING_TYPE_CHECKED]: [0, strLength - 1],
+            },
+            target: 'R',
+            stacktraceOpts: {
+              prependFrames: [data.orig],
+            },
+            result: {
+              value: data.result,
+              tracked: true
+            },
+          });
+          if (!event) {
+            return;
+          }
+          const resultInfo = tracker.getData(data.result);
-          if (extern) {
-            data.result = extern;
+          if (resultInfo) {
+            metadataUpdate(resultInfo, event);
+          } else {
+            metadataUpdate(argInfo, event);
           }
         }
       });

package/lib/dataflow/propagation/install/contrast-methods/tag.js CHANGED Viewed

@@ -17,7 +17,7 @@
 const { patchType } = require('../../common');
-module.exports = function (core) {
+module.exports = function(core) {
   const {
     assess: {
       dataflow: {
@@ -79,6 +79,8 @@ module.exports = function (core) {
             createPropagationEvent({
               args,
               context: `\`${context}\``,
+              moduleName: 'global',
+              methodName: 'ContrastMethods.tag',
               history: Array.from(history),
               object: {
                 tracked: false,

package/lib/dataflow/propagation/install/decode-uri-component.js CHANGED Viewed

@@ -34,8 +34,10 @@ module.exports = function(core) {
   return core.assess.dataflow.propagation.decodeURIComponent = {
     install() {
+      const name = 'global.decodeURIComponent';
       patcher.patch(global, 'decodeURIComponent', {
-        name: 'global.decodeURIComponent',
+        name,
         patchType,
         post(data) {
           const { args, result, hooked, orig } = data;
@@ -55,7 +57,10 @@ module.exports = function(core) {
           if (!Object.keys(newTags).length) return;
           const event = createPropagationEvent({
-            name: 'global.decodeURIComponent',
+            name,
+            moduleName: 'global',
+            methodName: 'decodeURIComponent',
+            context: `decodeURIComponent('${argInfo.value}')`,
             object: {
               value: createObjectLabel('global'),
               tracked: false
@@ -67,6 +72,8 @@ module.exports = function(core) {
             args: [{ value: argInfo.value, tracked: true }],
             tags: newTags,
             history,
+            source: 'P',
+            target: 'R',
             removedTags: [URL_ENCODED],
             stacktraceOpts: {
               constructorOpt: hooked,

package/lib/dataflow/propagation/install/ejs/escape-xml.js CHANGED Viewed

@@ -36,8 +36,9 @@ module.exports = function(core) {
   return core.assess.dataflow.propagation.ejsInstrumentation.escapeXML = {
     install() {
       depHooks.resolve({ name: 'ejs', file: 'lib/utils.js', version: '>=2.6.2' }, (ejsUtils, version) => {
+        const name = 'ejs.utils.escapeXML';
         patcher.patch(ejsUtils, 'escapeXML', {
-          name: 'ejs.utils.escapeXML',
+          name,
           patchType,
           post(data) {
             const { args, result, hooked, orig } = data;
@@ -54,7 +55,10 @@ module.exports = function(core) {
             newTags[WEAK_URL_ENCODED] = [0, result.length - 1];
             const event = createPropagationEvent({
-              name: 'ejs.utils.escapeXML',
+              name,
+              context: `ejs.utils.escapeXML('${argInfo.value}')`,
+              moduleName: 'ejs',
+              methodName: 'escapeXML',
               object: {
                 value: `[${createModuleLabel('ejs', version)}].utils`,
                 tracked: false
@@ -71,6 +75,8 @@ module.exports = function(core) {
                 constructorOpt: hooked,
                 prependFrames: [orig]
               },
+              source: 'P',
+              target: 'R',
             });
             if (!event) return;

package/lib/dataflow/propagation/install/encode-uri-component.js CHANGED Viewed

@@ -34,8 +34,10 @@ module.exports = function(core) {
   return core.assess.dataflow.propagation.encodeURIComponent = {
     install() {
+      const name = 'global.encodeURIComponent';
       patcher.patch(global, 'encodeURIComponent', {
-        name: 'global.encodeURIComponent',
+        name,
         patchType,
         post(data) {
           const { args, result, hooked, orig } = data;
@@ -54,7 +56,10 @@ module.exports = function(core) {
           newTags[URL_ENCODED] = [0, result.length - 1];
           const event = createPropagationEvent({
-            name: 'global.encodeURIComponent',
+            name,
+            moduleName: 'global',
+            methodName: 'encodeURIComponent',
+            context: `encodeURIComponent('${argInfo.value}')`,
             object: {
               value: createObjectLabel('global'),
               tracked: false
@@ -66,6 +71,8 @@ module.exports = function(core) {
             args: [{ value: argInfo.value, tracked: true }],
             tags: newTags,
             history,
+            source: 'P',
+            target: 'R',
             addedTags: [URL_ENCODED],
             stacktraceOpts: {
               constructorOpt: hooked,

package/lib/dataflow/propagation/install/escape-html.js CHANGED Viewed

@@ -35,9 +35,11 @@ module.exports = function(core) {
   return core.assess.dataflow.propagation.escapeHtml = {
     install() {
-      depHooks.resolve({ name: 'escape-html' }, (escapeHtml, version) =>
-        patcher.patch(escapeHtml, {
-          name: 'escape-html',
+      depHooks.resolve({ name: 'escape-html' }, (escapeHtml) => {
+        const name = 'escape-html';
+        return patcher.patch(escapeHtml, {
+          name,
           patchType,
           post(data) {
             const { args, result, hooked, orig } = data;
@@ -54,7 +56,10 @@ module.exports = function(core) {
             newTags[HTML_ENCODED] = [0, result.length - 1];
             const event = createPropagationEvent({
-              name: 'escape-html',
+              name,
+              moduleName: 'escape-html',
+              methodName: '',
+              context: `escapeHtml(${argInfo.value})`,
               object: {
                 value: 'escape-html',
                 tracked: false
@@ -66,6 +71,8 @@ module.exports = function(core) {
               args: [{ value: argInfo.value, tracked: true }],
               tags: newTags,
               history,
+              source: 'P',
+              target: 'R',
               addedTags: [HTML_ENCODED],
               stacktraceOpts: {
                 constructorOpt: hooked,
@@ -85,7 +92,8 @@ module.exports = function(core) {
               data.result = extern;
             }
           }
-        })
+        });
+      }
       );
     },
   };

package/lib/dataflow/propagation/install/escape.js CHANGED Viewed

@@ -34,8 +34,10 @@ module.exports = function(core) {
   return core.assess.dataflow.propagation.escape = {
     install() {
+      const name = 'global.escape';
       patcher.patch(global, 'escape', {
-        name: 'global.escape',
+        name,
         patchType,
         post(data) {
           const { args, result, hooked, orig } = data;
@@ -52,7 +54,10 @@ module.exports = function(core) {
           newTags[WEAK_URL_ENCODED] = [0, result.length - 1];
           const event = createPropagationEvent({
-            name: 'global.escape',
+            name,
+            moduleName: 'global',
+            methodName: 'escape',
+            context: `escape('${argInfo.value}')`,
             object: {
               value: createObjectLabel('global'),
               tracked: false
@@ -64,6 +69,8 @@ module.exports = function(core) {
             args: [{ value: argInfo.value, tracked: true }],
             tags: newTags,
             history,
+            source: 'P',
+            target: 'R',
             addedTags: [WEAK_URL_ENCODED],
             stacktraceOpts: {
               constructorOpt: hooked,

package/lib/dataflow/propagation/install/handlebars-utils-escape-expression.js CHANGED Viewed

@@ -21,7 +21,7 @@ const {
 const {
   createFullLengthCopyTags
 } = require('../../tag-utils');
-const { patchType, createModuleLabel } = require('../common');
+const { patchType } = require('../common');
 module.exports = function(core) {
   const {
@@ -36,8 +36,10 @@ module.exports = function(core) {
   return core.assess.dataflow.propagation.handlebarsEscapeExpression = {
     install() {
       depHooks.resolve({ name: 'handlebars', version: '>=4.0.0' }, (handlebars, version) => {
+        const name = 'handlebars.Utils.escapeExpression';
         patcher.patch(handlebars.Utils, 'escapeExpression', {
-          name: 'handlebars.Utils.escapeExpression',
+          name,
           patchType,
           post(data) {
             const { args, result, hooked, orig } = data;
@@ -54,9 +56,12 @@ module.exports = function(core) {
             newTags[HTML_ENCODED] = [0, result.length - 1];
             const event = createPropagationEvent({
-              name: 'handlebars.Utils.escapeExpression',
+              name,
+              moduleName: 'handlebars',
+              methodName: 'Utils.escapeExpression',
+              context: `${name}('${argInfo.value}')`,
               object: {
-                value: `[${createModuleLabel('handlebars', version)}].Utils`,
+                value: 'handlebars.Utils',
                 tracked: false
               },
               result: {
@@ -67,6 +72,8 @@ module.exports = function(core) {
               tags: newTags,
               addedTags: [HTML_ENCODED],
               history,
+              source: 'P',
+              target: 'R',
               stacktraceOpts: {
                 constructorOpt: hooked,
                 prependFrames: [orig]

package/lib/dataflow/propagation/install/isnumeric-0.js ADDED Viewed

@@ -0,0 +1,59 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { isString } = require('@contrast/common');
+const { patchType } = require('../common');
+module.exports = function(core) {
+  const {
+    logger,
+    scopes: { sources, instrumentation },
+    patcher,
+    depHooks,
+    assess: {
+      dataflow: { tracker }
+    }
+  } = core;
+  return core.assess.dataflow.propagation.isnumericInstrumentation = {
+    install() {
+      const name = 'isnumeric';
+      depHooks.resolve({ name, version: '<1.0.0' }, (_export, { version }) => {
+        const fullName = `${name}@${version}`;
+        return patcher.patch(_export, {
+          name,
+          patchType,
+          post(data) {
+            const { args: [value], result } = data;
+            if (
+              !result ||
+              !value ||
+              !isString(value) ||
+              !sources.getStore()?.assess ||
+              instrumentation.isLocked() ||
+              !tracker.getData(value)
+            ) return;
+            tracker.untrack(value);
+            logger.trace({ sanitizer: fullName, value }, 'untracked a string value');
+          }
+        });
+      });
+    },
+  };
+};

package/lib/dataflow/propagation/install/mongoose/index.js ADDED Viewed

@@ -0,0 +1,36 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const c = require('@contrast/common');
+module.exports = function(core) {
+  const component = core.assess.dataflow.propagation.mongooseInstrumentation = {
+    install() {
+      c.callChildComponentMethodsSync(component, 'install');
+    }
+  };
+  // todo NODE-3103
+  // require('./schema-map')(core);
+  // todo NODE-3102
+  // require('./schema-mixed')(core);
+  require('./schema-string')(core);
+  return component;
+};

package/lib/dataflow/propagation/install/mongoose/schema-string.js ADDED Viewed

@@ -0,0 +1,156 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { DataflowTag, substring } = require('@contrast/common');
+const { patchType } = require('../../common');
+module.exports = function(core) {
+  const {
+    scopes: { sources },
+    patcher,
+    depHooks,
+    assess: {
+      dataflow: {
+        tracker,
+        eventFactory: { createPropagationEvent }
+      }
+    }
+  } = core;
+  return core.assess.dataflow.propagation.mongooseInstrumentation.schemaString = {
+    install() {
+      depHooks.resolve(
+        { name: 'mongoose', file: 'lib/schema/string.js', version: '>=6.0.0' },
+        (SchemaString) => {
+          patchEnum(SchemaString);
+          patchDoValidate(SchemaString);
+          patchDoValidateSync(SchemaString);
+        }
+      );
+    },
+  };
+  function patchEnum(SchemaString) {
+    patcher.patch(SchemaString.prototype, 'enum', {
+      name: 'mongoose.SchemaString.prototype.enum',
+      patchType,
+      post(data) {
+        if (!data.result) return;
+        const enumValidator = data.result.validators.find(
+          (validator) => validator.type === 'enum'
+        );
+        if (!enumValidator) return;
+        patcher.patch(enumValidator, 'validator', {
+          name: 'mongoose.SchemaString.prototype.enum.validator',
+          patchType,
+          post(data) {
+            const sourceContext = sources.getStore()?.assess;
+            if (!sourceContext) return;
+            if (data.result) {
+              tracker.untrack(data.args[0]);
+            }
+          }
+        });
+      }
+    });
+  }
+  function patchDoValidate(SchemaString) {
+    // called when `Model.validate(data)` static method is used, as well as `model.validate()` instance method
+    const name = 'mongoose.SchemaString.prototype.doValidate';
+    patcher.patch(SchemaString.prototype, 'doValidate', {
+      name,
+      patchType,
+      pre(data) {
+        const [value, cb] = data.args;
+        if (value && typeof cb === 'function' && sources.getStore()?.assess) {
+          data.args[1] = patcher.patch(cb, {
+            name,
+            patchType,
+            pre({ args: [err] }) {
+              if (!err) propagate(name, data.orig, value);
+            }
+          });
+        }
+      }
+    });
+  }
+  function patchDoValidateSync(SchemaString) {
+    const name = 'mongoose.SchemaString.prototype.doValidateSync';
+    patcher.patch(SchemaString.prototype, 'doValidateSync', {
+      name,
+      patchType,
+      post({ orig, args: [value] }) {
+        if (value?.length) {
+          propagate(name, orig, value);
+        }
+      }
+    });
+  }
+  function propagate(name, orig, value) {
+    const strInfo = tracker.getData(value);
+    if (!strInfo) return;
+    const methodName = substring(name, name.indexOf('.') + 1);
+    // copy because we mutate the metadata value inline
+    const history = [{ ...strInfo }];
+    const event = createPropagationEvent({
+      addedTags: [DataflowTag.STRING_TYPE_CHECKED],
+      name,
+      moduleName: 'mongoose',
+      methodName,
+      history,
+      object: {
+        tracked: false,
+        value: 'mongoose.SchemaString',
+      },
+      args: [{ tracked: true, value: strInfo.value }],
+      result: {
+        tracked: false,
+        value: undefined,
+      },
+      source: 'P0',
+      tags: {
+        ...strInfo.tags,
+        [DataflowTag.STRING_TYPE_CHECKED]: [0, value.length - 1],
+      },
+      target: 'P0',
+      stacktraceOpts: {
+        prependFrames: [orig],
+      }
+    });
+    if (!event) {
+      return;
+    }
+    // in case the event type changed e.g. Source->Propagation
+    for (const key of Object.keys(strInfo)) {
+      if (key === 'value' || key === 'extern') continue;
+      delete strInfo[key];
+    }
+    Object.assign(strInfo, event);
+  }
+};

package/lib/dataflow/propagation/install/mysql-connection-escape.js CHANGED Viewed

@@ -50,6 +50,9 @@ module.exports = function(core) {
       const event = createPropagationEvent({
         name: eventName,
+        moduleName: 'mysql',
+        methodName: 'escape',
+        context: `mysql.escape('${argInfo.value}')`,
         object: {
           value: objectValue,
           tracked: false
@@ -62,6 +65,8 @@ module.exports = function(core) {
         tags: newTags,
         addedTags: [SQL_ENCODED],
         history,
+        source: 'P',
+        target: 'R',
         stacktraceOpts: {
           constructorOpt: hooked,
           prependFrames: [orig]