npm - @contrast/assess - Versions diffs - 1.8.0 → 1.10.0 - Mend

@contrast/assess 1.8.0 → 1.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (75) hide show

package/lib/dataflow/propagation/install/url/url.js ADDED Viewed

@@ -0,0 +1,228 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { inspect } = require('@contrast/common');
+const { patchType } = require('../../common');
+module.exports = function(core) {
+  const {
+    scopes: { sources, instrumentation },
+    patcher,
+    depHooks,
+    assess: {
+      dataflow: { tracker, eventFactory: { createPropagationEvent } }
+    }
+  } = core;
+  const keys = [
+    'href',
+    [
+      'origin',
+      'protocol',
+      'username',
+      'password',
+      'host',
+      [
+        'hostname',
+        'port'
+      ],
+      'pathname',
+      'search',
+      'searchParams',
+      'hash'
+    ]
+  ];
+  function getPropagationEvent(strInfo, partInfo, data) {
+    const args = data.args.map((v) => {
+      const strInfo = tracker.getData(v);
+      return {
+        value: strInfo ? strInfo.value : v,
+        tracked: !!strInfo
+      };
+    });
+    return createPropagationEvent({
+      name: 'url.URL',
+      moduleName: 'url',
+      methodName: 'URL',
+      context: `url.URL('${strInfo.value}')`,
+      object: {
+        value: 'url',
+        tracked: false
+      },
+      result: {
+        value: inspect(data.result),
+        tracked: true
+      },
+      args,
+      tags: partInfo.tags,
+      history: [partInfo],
+      source: 'P',
+      target: 'R',
+      stacktraceOpts: {
+        constructorOpt: data.hooked,
+        prependFrames: [data.orig]
+      },
+    });
+  }
+  return core.assess.dataflow.propagation.urlInstrumentation.url = {
+    install() {
+      depHooks.resolve({ name: 'url' }, (url) => {
+        const name = 'url.URL';
+        patcher.patch(url, 'URL', {
+          name,
+          patchType,
+          post(data) {
+            const { args, result } = data;
+            if (!result || !args[0] || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+            const [input, basename] = args;
+            let url = input;
+            if (basename && url !== result.toString()) {
+              const isAbsoluteURL = url.indexOf('://') > 0 || url.indexOf('//') === 0;
+              if (isAbsoluteURL) {
+                const splitUrl = url.split(new RegExp('(?=//)', 'g'));
+                let endOfSlashes = splitUrl.length === 1 ? true : false;
+                let newUrl = splitUrl[0] === result.protocol ? splitUrl[0] : basename.split(/(?<=:)/)[0];
+                for (let i = 0; i < splitUrl.length; i++) {
+                  if (endOfSlashes) {
+                    newUrl = newUrl.concat(splitUrl[i]);
+                  }
+                  if (splitUrl[i] === '/' && splitUrl[i + 1] !== '/') {
+                    endOfSlashes = true;
+                  }
+                }
+                url = newUrl;
+              } else {
+                url = basename.concat(url);
+              }
+            }
+            const strInfo = tracker.getData(url);
+            if (!strInfo) return;
+            const searchParamsProxy = new Proxy(data.result.searchParams, {
+              set(obj, prop, value) {
+                return Reflect.set(obj, prop, value);
+              },
+              get(obj, prop, receiver) {
+                const val = obj[prop];
+                if (val instanceof Function) {
+                  return function (query) {
+                    if (typeof query === 'string') {
+                      const trackedProp = Reflect.get(obj, `_contrast_${query}`);
+                      if (trackedProp) return trackedProp;
+                    }
+                    return val.apply(this === receiver ? obj : this, query);
+                  };
+                }
+                return Reflect.get(obj, prop, receiver);
+              }
+            });
+            const proxy = new Proxy(data.result, {
+              set(obj, prop, value) {
+                return Reflect.set(obj, prop, value);
+              },
+              get(obj, prop) {
+                if (prop === 'searchParams') {
+                  return searchParamsProxy;
+                }
+                if (prop === 'toString' || prop === 'toJSON') {
+                  return function() {
+                    return Reflect.get(obj, '_contrast_href');
+                  };
+                }
+                if (typeof prop === 'string') {
+                  const trackedProp = Reflect.get(obj, `_contrast_${prop}`);
+                  if (trackedProp) return trackedProp;
+                }
+                return Reflect.get(obj, prop);
+              }
+            });
+            const traverse = function(href, url, keys, idx = 0) {
+              let substr = href;
+              keys.forEach((key) => {
+                if (typeof key === 'string' && key !== 'searchParams') {
+                  const part = url[key];
+                  if (part !== 'null') {
+                    if (key === 'origin') {
+                      const [protocol, originWithoutProtocol] = part.split(new RegExp('(?<=//)'));
+                      const idx1 = href.indexOf(protocol);
+                      const idx2 = href.indexOf(originWithoutProtocol, idx - 1);
+                      substr = href.substring(idx1, idx1 + protocol.length).concat(href.substring(idx2, idx2 + originWithoutProtocol.length));
+                    } else {
+                      const index = href.indexOf(part, idx - 1);
+                      substr = href.substring(index, index + part.length);
+                      idx += part.length;
+                    }
+                    const partInfo = tracker.getData(substr);
+                    if (!partInfo) return;
+                    const event = getPropagationEvent(strInfo, partInfo, data);
+                    if (!event) return;
+                    if (partInfo) {
+                      Object.assign(partInfo, event);
+                    }
+                    const { extern } = partInfo || tracker.track(part, event);
+                    if (extern) {
+                      proxy[`_contrast_${key}`] = extern;
+                    }
+                  }
+                } else if (key === 'searchParams') {
+                  const queries = proxy.search.split('&');
+                  queries.forEach((query) => {
+                    const startIdx = query.indexOf('?') + 1;
+                    const endIdx = query.indexOf('=');
+                    const queryName = query.substring(startIdx, endIdx);
+                    const queryString = query.substring(endIdx + 1, query.length);
+                    const queryStringInfo = tracker.getData(queryString);
+                    if (!queryStringInfo) return;
+                    const event = getPropagationEvent(strInfo, queryStringInfo, data);
+                    if (!event) return;
+                    if (queryStringInfo) {
+                      Object.assign(queryStringInfo, event);
+                    }
+                    const { extern } = queryStringInfo || tracker.track(queryString, event);
+                    if (extern) {
+                      searchParamsProxy[`_contrast_${queryName}`] = extern;
+                    }
+                  });
+                } else {
+                  traverse(substr, url, key, 0);
+                }
+              });
+            };
+            traverse(url, result, keys, 0);
+            data.result = proxy;
+          }
+        });
+      });
+    },
+  };
+};

package/lib/dataflow/propagation/install/validator/hooks.js CHANGED Viewed

@@ -30,9 +30,12 @@ module.exports = function(core) {
   function createValidatorPropagationEvent(method, data, trackingData, newTags, target) {
     return createPropagationEvent({
       name: `validator.${method}`,
+      moduleName: 'validator',
+      methodName: method,
+      context: `validator.${method}('${trackingData.value}')`,
       history: [{ ...trackingData }],
       args: [{
-        value: data.args[0],
+        value: trackingData.value,
         tracked: true
       }],
       result: {
@@ -59,8 +62,9 @@ module.exports = function(core) {
           { name: 'validator', file: `lib/${validator}` },
           (index) => {
             const patchFn = typeof index === 'object' ? index.default : index;
+            const name = `validator.${validator}`;
             return patcher.patch(patchFn, {
-              name: `validator.${validator}`,
+              name,
               patchType,
               post(data) {
                 const matches = validator === 'matches';

package/lib/dataflow/sinks/index.js CHANGED Viewed

@@ -20,7 +20,7 @@ const { callChildComponentMethodsSync, Event, Rule } = require('@contrast/common
 const { isVulnerable } = require('../utils/is-vulnerable');
 const { isSafeContentType } = require('../utils/is-safe-content-type');
-module.exports = function (core) {
+module.exports = function(core) {
   const {
     logger,
     messages,
@@ -29,7 +29,8 @@ module.exports = function (core) {
   const sinkScopes = {
     [Rule.SQL_INJECTION]: new AsyncLocalStorage(),
-    [Rule.NOSQL_INJECTION_MONGO]: new AsyncLocalStorage()
+    [Rule.NOSQL_INJECTION_MONGO]: new AsyncLocalStorage(),
+    ['unsafe-code-execution']: new AsyncLocalStorage()
   };
   const sinks = core.assess.dataflow.sinks = {
     isVulnerable,
@@ -65,19 +66,22 @@ module.exports = function (core) {
     }
   };
+  require('./install/express')(core);
   require('./install/fastify')(core);
   require('./install/koa')(core);
   require('./install/child-process')(core);
+  require('./install/eval')(core);
   require('./install/fs')(core);
+  require('./install/function')(core);
   require('./install/http')(core);
+  require('./install/marsdb')(core);
   require('./install/mongodb')(core);
   require('./install/mssql')(core);
   require('./install/mysql')(core);
   require('./install/postgres')(core);
   require('./install/sequelize')(core);
   require('./install/sqlite3')(core);
-  require('./install/marsdb')(core);
-  require('./install/express')(core);
+  require('./install/vm')(core);
   sinks.install = function() {
     callChildComponentMethodsSync(core.assess.dataflow.sinks, 'install');

package/lib/dataflow/sinks/install/child-process.js CHANGED Viewed

@@ -15,13 +15,16 @@
 'use strict';
 const {
-  DataflowTag: { UNTRUSTED }
+  DataflowTag: { UNTRUSTED },
+  join,
+  Rule,
+  isString,
+  inspect,
 } = require('@contrast/common');
 const { patchType } = require('../common');
-const { Rule, isString, inspect } = require('@contrast/common');
-module.exports = function (core) {
+module.exports = function(core) {
   const {
     depHooks,
     patcher,
@@ -37,38 +40,53 @@ module.exports = function (core) {
   const safeTags = [];
-  function commandCheck(name, command, secondArg, thirdArg, hooked) {
+  function commandCheck(
+    name,
+    method,
+    command,
+    secondArg,
+    thirdArg,
+    hooked,
+    orig
+  ) {
     const strInfo = tracker.getData(command);
-    if (!strInfo || !isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) return {
-      strInfo: null,
-      reported: false
-    };
+    if (!strInfo || !isVulnerable(UNTRUSTED, safeTags, strInfo.tags))
+      return {
+        strInfo: null,
+        reported: false,
+      };
+    const args = [
+      {
+        value: strInfo.value,
+        tracked: true,
+      },
+      secondArg && {
+        value: inspect(secondArg),
+        tracked: false,
+      },
+      thirdArg && {
+        value: inspect(thirdArg),
+        tracked: false,
+      },
+    ].filter(Boolean);
     const event = createSinkEvent({
       name,
+      moduleName: 'child_process',
+      methodName: method,
+      context: `child_process.${method}(${join(args.map((a, idx) => idx === 0 ? `'${a.value}'` : a.value), ', ')})`,
       history: [strInfo],
       object: {
         value: 'child_process',
         tracked: false,
       },
-      args: [
-        {
-          value: strInfo.value,
-          tracked: true,
-        },
-        (secondArg && {
-          value: inspect(secondArg),
-          tracked: false
-        }),
-        (thirdArg && {
-          value: inspect(thirdArg),
-          tracked: false
-        })
-      ].filter(Boolean),
+      args,
       tags: strInfo.tags,
       source: 'P0',
       stacktraceOpts: {
         constructorOpt: hooked,
+        prependFrames: [orig],
       },
     });
@@ -80,24 +98,33 @@ module.exports = function (core) {
       return {
         strInfo,
-        reported: true
+        reported: true,
       };
     }
     return {
       strInfo,
-      reported: false
+      reported: false,
     };
   }
-  function argumentsCheck(name, command, commandInfo, args, options, hooked) {
-    if (!Array.isArray(args) || !args?.length) return;
+  function argumentsCheck(
+    name,
+    method,
+    command,
+    commandInfo,
+    origArgs,
+    options,
+    hooked,
+    orig
+  ) {
+    if (!Array.isArray(origArgs) || !origArgs?.length) return;
     const trackedArgs = [];
     let vulnerableArgIdx;
-    for (let i = 0; i < args.length; i++) {
-      const trackData = tracker.getData(args[i]);
+    for (let i = 0; i < origArgs.length; i++) {
+      const trackData = tracker.getData(origArgs[i]);
       trackedArgs.push(trackData);
@@ -116,31 +143,36 @@ module.exports = function (core) {
     if (vulnerableArgIdx != 0 && !vulnerableArgIdx) return;
+    const args = [
+      {
+        value: commandInfo?.value || command,
+        tracked: !!commandInfo,
+      },
+      {
+        value: inspect(origArgs),
+        tracked: true,
+      },
+      {
+        value: inspect(options),
+        tracked: false,
+      },
+    ];
     const event = createSinkEvent({
       name,
+      moduleName: 'child_process',
+      methodName: method,
+      context: `child_process.${method}(${join(args.map((a, idx) => idx === 0 ? `'${a.value}'` : a.value), ', ')})`,
       history: [trackedArgs[vulnerableArgIdx]],
       object: {
         value: 'child_process',
         tracked: false,
       },
-      args: [
-        {
-          value: commandInfo?.value || command,
-          tracked: !!commandInfo,
-        },
-        {
-          value: inspect(args),
-          tracked: true
-        },
-        {
-          value: inspect(options),
-          tracked: false
-        }
-      ],
+      args,
       tags: trackedArgs[vulnerableArgIdx].tags,
       source: 'P1',
       stacktraceOpts: {
         contructorOpt: hooked,
+        prependFrames: [orig],
       },
     });
@@ -154,7 +186,7 @@ module.exports = function (core) {
   core.assess.dataflow.sinks.cmdInjection = {
     install() {
-      depHooks.resolve({ name: 'child_process' }, cp => {
+      depHooks.resolve({ name: 'child_process' }, (cp) => {
         ['spawn', 'spawnSync'].forEach((method) => {
           const name = `child_process.${method}`;
           patcher.patch(cp, method, {
@@ -169,12 +201,29 @@ module.exports = function (core) {
               const cpArgs = Array.isArray(data.args[1]) && data.args[1];
               const options = cpArgs ? data.args[2] : data.args[1];
-              const cmdCheck = commandCheck(name, command, cpArgs, options, data.hooked);
+              const cmdCheck = commandCheck(
+                name,
+                method,
+                command,
+                cpArgs,
+                options,
+                data.hooked,
+                data.orig
+              );
               if (cmdCheck.reported || !options?.shell) return;
-              argumentsCheck(name, command, cmdCheck.strInfo, cpArgs, options, data.hooked);
-            }
+              argumentsCheck(
+                name,
+                method,
+                command,
+                cmdCheck.strInfo,
+                cpArgs,
+                options,
+                data.hooked,
+                data.orig
+              );
+            },
           });
         });
@@ -189,8 +238,16 @@ module.exports = function (core) {
               if (!store || !command || !isString(command)) return;
-              commandCheck(name, command, secondArg, thirdArg, data.hooked);
-            }
+              commandCheck(
+                name,
+                method,
+                command,
+                secondArg,
+                thirdArg,
+                data.hooked,
+                data.orig
+              );
+            },
           });
         });
@@ -212,8 +269,17 @@ module.exports = function (core) {
               const cmdInfo = tracker.getData(command);
-              argumentsCheck(name, command, cmdInfo, cpArgs, options, data.hooked);
-            }
+              argumentsCheck(
+                name,
+                method,
+                command,
+                cmdInfo,
+                cpArgs,
+                options,
+                data.hooked,
+                data.orig
+              );
+            },
           });
         });
       });

package/lib/dataflow/sinks/install/eval.js ADDED Viewed

@@ -0,0 +1,138 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const {
+  isString,
+  DataflowTag: {
+    UNTRUSTED,
+    CUSTOM_ENCODED_TRUST_BOUNDARY_VIOLATION,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED_TRUST_BOUNDARY_VIOLATION,
+    CUSTOM_VALIDATED,
+    LIMITED_CHARS,
+  },
+} = require('@contrast/common');
+const { patchType, filterSafeTags } = require('../common');
+const ruleId = 'unsafe-code-execution';
+const safeTags = [
+  CUSTOM_ENCODED_TRUST_BOUNDARY_VIOLATION,
+  CUSTOM_ENCODED,
+  CUSTOM_VALIDATED_TRUST_BOUNDARY_VIOLATION,
+  CUSTOM_VALIDATED,
+  LIMITED_CHARS,
+];
+module.exports = function(core) {
+  const {
+    config,
+    logger,
+    patcher,
+    scopes: { sources, instrumentation },
+    assess: {
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, reportFindings, reportSafePositive },
+        eventFactory: { createSinkEvent },
+      },
+    },
+  } = core;
+  core.assess.dataflow.sinks.contrastEval = {
+    install() {
+      if (!global.ContrastMethods?.eval) {
+        logger.error(
+          'Cannot install `eval` instrumentation - Contrast method DNE'
+        );
+        return;
+      }
+      Object.assign(global.ContrastMethods, {
+        eval: patcher.patch(global.ContrastMethods.eval, {
+          name: 'global.ContrastMethods.eval',
+          patchType,
+          pre({ args: origArgs, hooked, orig, name }) {
+            const store = sources.getStore()?.assess;
+            const script = origArgs[0];
+            if (
+              !store ||
+              instrumentation.isLocked() ||
+              !script ||
+              !isString(script)
+            )
+              return;
+            const strInfo = tracker.getData(script);
+            if (!strInfo) return;
+            const isArgVulnerable = isVulnerable(
+              UNTRUSTED,
+              safeTags,
+              strInfo.tags
+            );
+            if (!isArgVulnerable && config.assess.safe_positives.enable) {
+              const foundSafeTags = filterSafeTags(safeTags, strInfo);
+              const safeStrInfo = {
+                value: strInfo.value,
+                tags: strInfo.tags,
+              };
+              reportSafePositive({
+                name,
+                ruleId,
+                safeTags: foundSafeTags,
+                strInfo: safeStrInfo,
+              });
+            }
+            if (isArgVulnerable) {
+              const event = createSinkEvent({
+                name,
+                context: `${name}('${strInfo.value}')`,
+                history: [strInfo],
+                object: {
+                  value: 'global.ContrastMethods',
+                  tracked: false,
+                },
+                moduleName: 'global.ContrastMethods',
+                methodName: 'eval',
+                args: [{ value: strInfo.value, tracked: true }],
+                tags: strInfo.tags,
+                source: 'P0',
+                stacktraceOpts: {
+                  contructorOpt: hooked,
+                  prependFrames: [orig],
+                },
+              });
+              if (event) {
+                reportFindings({
+                  ruleId,
+                  sinkEvent: event,
+                });
+              }
+            }
+          },
+        }),
+      });
+    },
+  };
+  return core.assess.dataflow.sinks.contrastEval;
+};