npm - @contrast/assess - Versions diffs - 1.8.0 → 1.10.0 - Mend

@contrast/assess 1.8.0 → 1.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (75) hide show

package/lib/dataflow/propagation/install/parse-int.js ADDED Viewed

@@ -0,0 +1,60 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { isString } = require('@contrast/common');
+const { patchType } = require('../common');
+module.exports = function(core) {
+  const {
+    logger,
+    scopes: { instrumentation, sources },
+    patcher,
+    assess: {
+      dataflow: { tracker }
+    }
+  } = core;
+  const name = 'global.parseInt';
+  return core.assess.dataflow.propagation.parseIntInstrumentation = {
+    install() {
+      patcher.patch(global, 'parseInt', {
+        name,
+        patchType,
+        post(data) {
+          const { args: [value], result } = data;
+          if (
+            isNaN(result) ||
+            !value ||
+            !isString(value) ||
+            !sources.getStore()?.assess ||
+            instrumentation.isLocked() ||
+            !tracker.getData(value)
+          ) return;
+          // todo NODE-3118 to handle when value has trailing non-integer values
+          tracker.untrack(value);
+          logger.trace({ sanitizer: name, value }, 'untracked a string value');
+        }
+      });
+    },
+    uninstall() {
+      global.parseInt = patcher.unwrap(global.parseInt);
+    },
+  };
+};

package/lib/dataflow/propagation/install/path/basename.js ADDED Viewed

@@ -0,0 +1,124 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { isString, join } = require('@contrast/common');
+const { patchType } = require('../../common');
+const {
+  excludeExtensionDotFromTags,
+  createBasenameTagsInResult,
+} = require('./common');
+module.exports = function(core) {
+  const {
+    depHooks,
+    patcher,
+    scopes: { sources, instrumentation },
+    assess: {
+      dataflow: {
+        tracker,
+        eventFactory: { createPropagationEvent },
+      },
+    },
+  } = core;
+  core.assess.dataflow.propagation.pathInstrumentation.basename = {
+    install() {
+      depHooks.resolve({ name: 'path' }, (path) => {
+        for (const os of ['posix', 'win32']) {
+          const isWin32 = os === 'win32';
+          patcher.patch(path[os], 'basename', {
+            name: `path.${os}.basename`,
+            patchType,
+            post(data) {
+              const { args: origArgs, result, name, hooked, orig } = data;
+              if (
+                !result ||
+                !sources.getStore()?.assess ||
+                instrumentation.isLocked()
+              )
+                return;
+              const [pathStr, suffixStr] = origArgs;
+              if (!pathStr || !isString(pathStr)) return;
+              const strInfo = tracker.getData(pathStr);
+              if (!strInfo) return;
+              const suffixInfo = tracker.getData(suffixStr);
+              const args = [
+                { value: strInfo.value, tracked: true },
+                suffixStr && { value: suffixInfo ? suffixInfo.value : suffixStr, tracked: !!suffixInfo }
+              ].filter(Boolean);
+              let tags = createBasenameTagsInResult({
+                argStr: strInfo.value,
+                argTags: strInfo.tags,
+                suffixStr,
+                result,
+                isWin32
+              });
+              tags = excludeExtensionDotFromTags({
+                result,
+                tags,
+                isWin32,
+              });
+              const event = tags && createPropagationEvent({
+                name,
+                moduleName: 'path',
+                methodName: 'basename',
+                context: `path.basename(${join(args.map(a => `'${a.value}'`))})`,
+                history: [strInfo],
+                object: {
+                  value: 'path',
+                  isTracked: false,
+                },
+                args,
+                result: {
+                  value: result,
+                  tracked: true,
+                },
+                tags,
+                source: 'P',
+                target: 'R',
+                stacktraceOpts: {
+                  constructorOpt: hooked,
+                  prependFrames: [orig],
+                },
+              });
+              if (!event) {
+                return;
+              }
+              const { extern } = tracker.track(result, event);
+              if (extern) {
+                data.result = extern;
+              }
+            },
+          });
+        }
+      });
+    },
+  };
+  return core.assess.dataflow.propagation.pathInstrumentation.basename;
+};

package/lib/dataflow/propagation/install/path/common.js ADDED Viewed

@@ -0,0 +1,176 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { matchAll, substring, replace } = require('@contrast/common');
+const {
+  createSubsetTags,
+  createAppendTags,
+  createMergedTags,
+  createTagsWithExclusion,
+} = require('../../../tag-utils');
+const posixRegExp = /(?:^|\/)([^/]+?)(?=(?:\/|$))/g;
+// Windows accepts both '/' and '\' as path separators
+const win32RegExp = /(?:^|\/|\\)([^/\\]+?)(?=(?:\/|\\|$))/g;
+function createBasenameTagsInResult({
+  argStr,
+  argTags,
+  suffixStr,
+  result,
+  isWin32,
+}) {
+  const segments = Array.from(
+    matchAll(argStr, isWin32 ? win32RegExp : posixRegExp)
+  );
+  const basename = segments[segments.length - 1][1];
+  const isExtensionRemoved = suffixStr && basename.includes(suffixStr);
+  const startIdx = isExtensionRemoved
+    ? argStr.lastIndexOf(`${result}${suffixStr}`)
+    : argStr.lastIndexOf(result);
+  return createSubsetTags(argTags, startIdx, result.length);
+}
+/**
+ * createArgTagsInResult()
+ *
+ * "Transfers" the tags from a path method argument to the result.
+ * This method needs to be called on all arguments in reverse order
+ *
+ * @param {Object} input
+ * @param {String} input.argStr the argument string value
+ * @param {Object} input.argTags the tags object of the argument
+ * @param {Object} input.argTags the tags object of the argument
+ * @param {String} input.result the result string value
+ * @param {Number} input.lastIndex the index from wich we should look
+ *                 for (backwards) for a segment match usually
+ *                 starting with the argument length
+ * @param {Boolean} input.isWin32 a boolean for the platform
+ */
+function createArgTagsInResult({
+  argStr,
+  argTags,
+  result,
+  lastIndex,
+  isWin32,
+}) {
+  let newTags = {};
+  let tempTags = Object.assign({}, argTags);
+  // The matched segments are going to be the segments between
+  // the separators eventually including
+  // only 1 path separator at the start
+  const matchedSegments = Array.from(
+    matchAll(argStr, isWin32 ? win32RegExp : posixRegExp)
+  ).reverse();
+  for (let i = 0; i < matchedSegments.length; i++) {
+    if (lastIndex < 0) break;
+    const [match, segment] = matchedSegments[i];
+    let { index: startIdx } = matchedSegments[i];
+    if (
+      ['.', '..'].includes(segment) &&
+      result.substring(lastIndex - segment.length, lastIndex + 1) !== segment
+    )
+      continue;
+    let idxInResult = result.lastIndexOf(segment, lastIndex);
+    if (idxInResult === -1) continue;
+    /*
+     * Up to the call to `createSubsetTags` the logic is
+     * mainly accounting for two things:
+     * - eventual separators that are transfered to the result
+     * - Windows replacing '/' with '\' thus making it non-user supplied
+     *   and required to be excluded from the tags
+     */
+    const replacedSeparatorsIdxs = [];
+    const previousSegmentIdx =
+      i === matchedSegments.length - 1 ? 0 : matchedSegments[i + 1].index;
+    const previousSegmentLength =
+      i === matchedSegments.length - 1 ? 0 : matchedSegments[i + 1][0].length;
+    const segmentStartIdx = startIdx + match.length - segment.length;
+    const separators =
+      substring(
+        argStr,
+        previousSegmentIdx + previousSegmentLength,
+        segmentStartIdx
+      ) || '';
+    const separatorsInResult = isWin32
+      ? replace(separators, /\//g, (_match, idx) => {
+        replacedSeparatorsIdxs.push(startIdx - idx);
+        return '\\';
+      })
+      : separators;
+    let foundInResultLength = segment.length;
+    let sepIdxInResult;
+    const separatorsLastIdx = separators.length - 1;
+    for (let j = separatorsLastIdx; j >= 0; j--) {
+      if (j === separators.length - 1) {
+        sepIdxInResult = idxInResult + j - separators.length;
+      } else {
+        --sepIdxInResult;
+      }
+      if (result[sepIdxInResult] === separatorsInResult[j]) {
+        idxInResult--;
+        foundInResultLength++;
+      } else if (j === separatorsLastIdx) {
+        startIdx++;
+      }
+    }
+    lastIndex = idxInResult - 1;
+    if (replacedSeparatorsIdxs.length) {
+      replacedSeparatorsIdxs.forEach((idx) => {
+        tempTags = createTagsWithExclusion(tempTags, [idx, idx]);
+      });
+    }
+    const segmentTags = createSubsetTags(
+      tempTags,
+      startIdx,
+      foundInResultLength
+    );
+    const tagsInResult = createAppendTags({}, segmentTags, idxInResult);
+    newTags = createMergedTags(newTags, tagsInResult);
+  }
+  return {
+    newTags,
+    lastIndex,
+  };
+}
+function excludeExtensionDotFromTags({ result, tags, isWin32 }) {
+  const extensionDotIdx = result.lastIndexOf('.');
+  const separatorLastIdx = result.lastIndexOf(isWin32 ? '\\' : '/');
+  return extensionDotIdx > separatorLastIdx
+    ? createTagsWithExclusion(tags, [extensionDotIdx, extensionDotIdx])
+    : tags;
+}
+module.exports = {
+  createBasenameTagsInResult,
+  createArgTagsInResult,
+  excludeExtensionDotFromTags,
+};

package/lib/dataflow/propagation/install/path/index.js ADDED Viewed

@@ -0,0 +1,32 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { callChildComponentMethodsSync } = require('@contrast/common');
+module.exports = function(core) {
+  const pathInstrumentation = core.assess.dataflow.propagation.pathInstrumentation = {
+    install() {
+      callChildComponentMethodsSync(pathInstrumentation, 'install');
+    },
+  };
+  require('./basename')(core);
+  require('./normalize')(core);
+  require('./join-and-resolve')(core);
+  return pathInstrumentation;
+};

package/lib/dataflow/propagation/install/path/join-and-resolve.js ADDED Viewed

@@ -0,0 +1,141 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { isString, join } = require('@contrast/common');
+const { createMergedTags } = require('../../../tag-utils');
+const { patchType } = require('../../common');
+const {
+  createArgTagsInResult,
+  excludeExtensionDotFromTags,
+} = require('./common');
+module.exports = function(core) {
+  const {
+    depHooks,
+    patcher,
+    scopes: { sources, instrumentation },
+    assess: {
+      dataflow: {
+        tracker,
+        eventFactory: { createPropagationEvent },
+      },
+    },
+  } = core;
+  core.assess.dataflow.propagation.pathInstrumentation.joinAndResolve = {
+    install() {
+      depHooks.resolve({ name: 'path' }, (path) => {
+        for (const method of ['join', 'resolve']) {
+          for (const os of ['posix', 'win32']) {
+            const name = `path.${os}.${method}`;
+            const isWin32 = os === 'win32';
+            patcher.patch(path[os], method, {
+              name,
+              patchType,
+              post(data) {
+                const { args: origArgs, result, hooked, orig } = data;
+                if (
+                  !result ||
+                  !sources.getStore()?.assess ||
+                  instrumentation.isLocked()
+                )
+                  return;
+                const pathSegments = [...origArgs].reverse();
+                const args = [];
+                const history = [];
+                if (!pathSegments.length) return;
+                let fullTags = {};
+                let lastIndex = result.length;
+                for (const segment of pathSegments) {
+                  let newTags = {};
+                  const argInfo = isString(segment) && tracker.getData(segment);
+                  if (!argInfo) {
+                    args.unshift({ value: segment, tracked: false });
+                    continue;
+                  }
+                  args.unshift({ value: argInfo.value, tracked: true });
+                  history.unshift(argInfo);
+                  ({ newTags, lastIndex } = createArgTagsInResult({
+                    argStr: segment,
+                    argTags: argInfo.tags,
+                    result,
+                    lastIndex,
+                    isWin32,
+                  }));
+                  fullTags = createMergedTags(fullTags, newTags);
+                }
+                fullTags = excludeExtensionDotFromTags({
+                  result,
+                  tags: fullTags,
+                  isWin32,
+                });
+                if (!fullTags || !Object.keys(fullTags).length) return;
+                const event = createPropagationEvent({
+                  name,
+                  moduleName: 'path',
+                  methodName: method,
+                  context: `path.${method}(${join(args
+                    .map((a) => `'${a.value}'`), ',')})`,
+                  history,
+                  object: {
+                    value: 'path',
+                    isTracked: false,
+                  },
+                  args,
+                  result: {
+                    value: result,
+                    tracked: true,
+                  },
+                  tags: fullTags,
+                  source: 'P',
+                  target: 'R',
+                  stacktraceOpts: {
+                    constructorOpt: hooked,
+                    prependFrames: [orig],
+                  },
+                });
+                if (!event) {
+                  return;
+                }
+                const { extern } = tracker.track(result, event);
+                if (extern) {
+                  data.result = extern;
+                }
+              },
+            });
+          }
+        }
+      });
+    },
+  };
+  return core.assess.dataflow.propagation.pathInstrumentation.joinAndResolve;
+};

package/lib/dataflow/propagation/install/path/normalize.js ADDED Viewed

@@ -0,0 +1,123 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { isString } = require('@contrast/common');
+const { patchType } = require('../../common');
+const {
+  createArgTagsInResult,
+  excludeExtensionDotFromTags,
+} = require('./common');
+module.exports = function(core) {
+  const {
+    depHooks,
+    patcher,
+    scopes: { sources, instrumentation },
+    assess: {
+      dataflow: {
+        tracker,
+        eventFactory: { createPropagationEvent },
+      },
+    },
+  } = core;
+  core.assess.dataflow.propagation.pathInstrumentation.normalize = {
+    install() {
+      depHooks.resolve({ name: 'path' }, (path) => {
+        for (const os of ['posix', 'win32']) {
+          const isWin32 = os === 'win32';
+          patcher.patch(path[os], 'normalize', {
+            name: `path.${os}.normalize`,
+            patchType,
+            post(data) {
+              const { args, result, name, hooked, orig } = data;
+              if (
+                !result ||
+                !sources.getStore()?.assess ||
+                instrumentation.isLocked()
+              )
+                return;
+              const pathStr = args[0];
+              if (!pathStr || !isString(pathStr)) return;
+              const strInfo = tracker.getData(pathStr);
+              if (!strInfo) return;
+              let { newTags } = createArgTagsInResult({
+                argStr: pathStr,
+                argTags: strInfo?.tags || {},
+                result,
+                lastIndex: result.length,
+                isWin32,
+              });
+              newTags = excludeExtensionDotFromTags({
+                result,
+                tags: newTags,
+                isWin32,
+              });
+              const event = createPropagationEvent({
+                name,
+                moduleName: 'path',
+                methodName: 'normalize',
+                context: `path.normalize('${strInfo.value}')`,
+                history: [strInfo],
+                object: {
+                  value: 'path',
+                  isTracked: false,
+                },
+                args: [
+                  {
+                    value: strInfo.value,
+                    tracked: true,
+                  },
+                ],
+                result: {
+                  value: result,
+                  tracked: true,
+                },
+                tags: newTags,
+                source: 'P',
+                target: 'R',
+                stacktraceOpts: {
+                  constructorOpt: hooked,
+                  prependFrames: [orig],
+                },
+              });
+              if (!event) {
+                return;
+              }
+              const { extern } = tracker.track(result, event);
+              if (extern) {
+                data.result = extern;
+              }
+            },
+          });
+        }
+      });
+    },
+  };
+  return core.assess.dataflow.propagation.pathInstrumentation.normalize;
+};

package/lib/dataflow/propagation/install/pug-runtime-escape.js CHANGED Viewed

@@ -36,8 +36,10 @@ module.exports = function(core) {
   return core.assess.dataflow.propagation.pugRuntimeEscape = {
     install() {
       depHooks.resolve({ name: 'pug-runtime' }, (pugRuntime, version) => {
+        const name = 'pug-runtime.escape';
         patcher.patch(pugRuntime, 'escape', {
-          name: 'pug-runtime.escape',
+          name,
           patchType,
           post(data) {
             const { args, result, hooked, orig } = data;
@@ -54,7 +56,10 @@ module.exports = function(core) {
             newTags[WEAK_URL_ENCODED] = [0, result.length - 1];
             const event = createPropagationEvent({
-              name: 'pug-runtime.escape',
+              name,
+              moduleName: 'pug-runtime',
+              methodName: 'escape',
+              context: `pugRuntime.escape('${argInfo.value}')`,
               object: {
                 value: createModuleLabel('pug-runtime', version),
                 tracked: false
@@ -67,6 +72,8 @@ module.exports = function(core) {
               tags: newTags,
               addedTags: [WEAK_URL_ENCODED],
               history,
+              source: 'P',
+              target: 'R',
               stacktraceOpts: {
                 constructorOpt: hooked,
                 prependFrames: [orig]