@contrast/assess 1.8.0 → 1.10.0

package/lib/dataflow/sinks/install/express/unvalidated-redirect.js

@@ -32,7 +32,7 @@ const { createSubsetTags } = require('../../../tag-utils');
 
 const ruleId = 'unvalidated-redirect';
 
-module.exports = function (core) {
+module.exports = function(core) {
   const {
     depHooks,
     patcher,
@@ -59,7 +59,7 @@ module.exports = function (core) {
     URL_ENCODED,
   ];
 
-  unvalidatedRedirect.install = function () {
+  unvalidatedRedirect.install = function() {
     depHooks.resolve({ name: 'express', file: 'lib/response' }, (Response) => {
       const name = 'Express.Response.location';
       patcher.patch(Response, 'location', {
@@ -81,7 +81,7 @@ module.exports = function (core) {
 
           let urlPathTags = strInfo.tags;
           if (url.indexOf('?') > -1) {
-            urlPathTags = createSubsetTags(strInfo.tags, 0, url.indexOf('?'));
+            urlPathTags = createSubsetTags(strInfo.tags, 0, url.indexOf('?') + 1);
           }
 
           if (urlPathTags && isVulnerable(UNTRUSTED, safeTags, urlPathTags)) {
@@ -92,7 +92,9 @@ module.exports = function (core) {
               }],
               context: `response.location(${inspect(strInfo.value)})`,
               history: [strInfo],
-              name: 'Express.Response.location',
+              name,
+              moduleName: 'express',
+              methodName: 'Response.location',
               object: {
                 tracked: false,
                 value: 'Express.Response',
@@ -105,6 +107,7 @@ module.exports = function (core) {
               source: 'P0',
               stacktraceOpts: {
                 constructorOpt: data.hooked,
+                prependFrames: [data.orig]
               },
             });
 

package/lib/dataflow/sinks/install/fastify/unvalidated-redirect.js

@@ -31,6 +31,7 @@ const { createSubsetTags } = require('../../../tag-utils');
 const { filterSafeTags, patchType } = require('../../common');
 
 const ruleId = 'unvalidated-redirect';
+
 const getURLArgument = (args) => {
   if (!Array.isArray(args)) {
     return { index: null, url: undefined };
@@ -50,7 +51,7 @@ const getURLArgument = (args) => {
   };
 };
 
-module.exports = function (core) {
+module.exports = function(core) {
   const {
     config,
     depHooks,
@@ -77,9 +78,9 @@ module.exports = function (core) {
     URL_ENCODED,
   ];
 
-  unvalidatedRedirect.install = function () {
+  unvalidatedRedirect.install = function() {
     const name = 'fastify.Reply.prototype.redirect';
-    depHooks.resolve({ name: 'fastify', file: 'lib/reply' }, (Reply, version) => {
+    depHooks.resolve({ name: 'fastify', file: 'lib/reply' }, (Reply) => {
       patcher.patch(Reply.prototype, 'redirect', {
         name,
         patchType,
@@ -98,7 +99,7 @@ module.exports = function (core) {
           let urlPathTags = strInfo.tags;
           const urlPathEndIdx = url.indexOf('?');
           if (urlPathEndIdx > -1) {
-            urlPathTags = createSubsetTags(strInfo.tags, 0, urlPathEndIdx);
+            urlPathTags = createSubsetTags(strInfo.tags, 0, urlPathEndIdx + 1);
           }
 
           if (isVulnerable(UNTRUSTED, safeTags, urlPathTags)) {
@@ -119,7 +120,9 @@ module.exports = function (core) {
               args,
               context: `reply.redirect(${inspect(strInfo.value)})`,
               history: [strInfo],
-              name: 'fastify.reply.redirect',
+              name,
+              moduleName: 'fastify',
+              methodName: 'reply.redirect',
               object: {
                 tracked: false,
                 value: 'fastify.Reply',
@@ -132,6 +135,7 @@ module.exports = function (core) {
               source: `P${valueIndex}`,
               stacktraceOpts: {
                 constructorOpt: data.hooked,
+                prependFrames: [data.orig]
               },
             });
 

package/lib/dataflow/sinks/install/fs.js

@@ -15,9 +15,22 @@
 
 'use strict';
 const { patchType } = require('../common');
-const { FS_METHODS, Rule, isString, DataflowTag: { URL_ENCODED, LIMITED_CHARS, ALPHANUM_SPACE_HYPHEN, SAFE_PATH, UNTRUSTED } } = require('@contrast/common');
+const {
+  FS_METHODS,
+  Rule,
+  isString,
+  DataflowTag: {
+    URL_ENCODED,
+    LIMITED_CHARS,
+    ALPHANUM_SPACE_HYPHEN,
+    SAFE_PATH,
+    UNTRUSTED,
+  },
+  inspect,
+  join,
+} = require('@contrast/common');
 
-module.exports = function (core) {
+module.exports = function(core) {
   const {
     depHooks,
     patcher,
@@ -31,7 +44,12 @@ module.exports = function (core) {
     },
   } = core;
 
-  const safeTags = [URL_ENCODED, LIMITED_CHARS, ALPHANUM_SPACE_HYPHEN, SAFE_PATH];
+  const safeTags = [
+    URL_ENCODED,
+    LIMITED_CHARS,
+    ALPHANUM_SPACE_HYPHEN,
+    SAFE_PATH,
+  ];
 
   function getValues(indices, args) {
     return indices.reduce((acc, idx) => {
@@ -41,33 +59,47 @@ module.exports = function (core) {
     }, []);
   }
 
-  const pre = (name, indices) => (data) => {
+  const pre = (name, method, moduleName = 'fs', fullMethodName = '') => (data) => {
+    const { name: methodName, indices } = method;
     const store = sources.getStore()?.assess;
     if (!store) return;
 
     const values = getValues(indices, data.args);
     if (!values.length) return;
 
-    const args = [];
+    const args = values.map((v) => {
+      const strInfo = tracker.getData(v);
+      return {
+        value: strInfo ? strInfo.value : v,
+        tracked: !!strInfo,
+        strInfo
+      };
+    });
     for (let i = 0; i < values.length; i++) {
-      const strInfo = tracker.getData(values[i]);
-      args.push({ value: strInfo ? strInfo.value : values[i], isTracked: !!strInfo });
+      const { strInfo } = args[i];
       if (!strInfo || !isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) {
         continue;
       }
 
       const event = createSinkEvent({
         name,
+        moduleName,
+        methodName: fullMethodName || methodName,
+        context: `${name}(${join(
+          args.map((a) => inspect(a.value)),
+          ', '
+        )})`,
         history: [strInfo],
         object: {
           value: 'fs',
-          isTracked: false,
+          tracked: false,
         },
-        args,
+        args: args.map(({ value, tracked }) => ({ value, tracked })),
         tags: strInfo.tags,
         source: `P${i}`,
         stacktraceOpts: {
           contructorOpt: data.hooked,
+          prependFrames: [data.orig],
         },
       });
 
@@ -90,7 +122,7 @@ module.exports = function (core) {
             patcher.patch(fs, method.name, {
               name,
               patchType,
-              pre: pre(name, method.indices)
+              pre: pre(name, method),
             });
           }
 
@@ -101,7 +133,7 @@ module.exports = function (core) {
               patcher.patch(fs, syncName, {
                 name,
                 patchType,
-                pre: pre(name, method.indices)
+                pre: pre(name, method, 'fs', syncName),
               });
             }
           }
@@ -111,7 +143,7 @@ module.exports = function (core) {
             patcher.patch(fs.promises, method.name, {
               name,
               patchType,
-              pre: pre(name, method.indices)
+              pre: pre(name, method, 'fs.promises'),
             });
           }
         }
@@ -124,7 +156,7 @@ module.exports = function (core) {
             patcher.patch(fsPromises, method.name, {
               name,
               patchType,
-              pre: pre(name, method.indices)
+              pre: pre(name, method, 'fsPromises'),
             });
           }
         }

package/lib/dataflow/sinks/install/function.js

@@ -0,0 +1,160 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const {
+  isString,
+  inspect,
+  join,
+  DataflowTag: {
+    UNTRUSTED,
+    CUSTOM_ENCODED_TRUST_BOUNDARY_VIOLATION,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED_TRUST_BOUNDARY_VIOLATION,
+    CUSTOM_VALIDATED,
+    LIMITED_CHARS,
+  },
+} = require('@contrast/common');
+const { patchType, filterSafeTags } = require('../common');
+
+const ruleId = 'unsafe-code-execution';
+const safeTags = [
+  CUSTOM_ENCODED_TRUST_BOUNDARY_VIOLATION,
+  CUSTOM_ENCODED,
+  CUSTOM_VALIDATED_TRUST_BOUNDARY_VIOLATION,
+  CUSTOM_VALIDATED,
+  LIMITED_CHARS,
+];
+
+module.exports = function(core) {
+  const {
+    config,
+    logger,
+    patcher,
+    scopes: { sources, instrumentation },
+    assess: {
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, reportFindings, reportSafePositive },
+        eventFactory: { createSinkEvent },
+      },
+    },
+  } = core;
+
+  core.assess.dataflow.sinks.contrastFunction = {
+    install() {
+      if (!global.ContrastMethods?.Function) {
+        logger.error(
+          'Cannot install `Function` instrumentation - Contrast method DNE'
+        );
+        return;
+      }
+
+      Object.assign(global.ContrastMethods, {
+        Function: patcher.patch(global.ContrastMethods.Function, {
+          name: 'global.ContrastMethods.Function',
+          patchType,
+          pre({ args: origArgs, hooked, orig, name }) {
+            const store = sources.getStore()?.assess;
+            const fnBody = origArgs[origArgs.length - 1];
+            if (
+              !store ||
+              instrumentation.isLocked() ||
+              !fnBody ||
+              !isString(fnBody)
+            )
+              return;
+
+            const strInfo = tracker.getData(fnBody);
+
+            if (!strInfo) return;
+
+            const isArgVulnerable = isVulnerable(UNTRUSTED, safeTags, strInfo.tags);
+
+            if (!isArgVulnerable && config.assess.safe_positives.enable) {
+              const foundSafeTags = filterSafeTags(safeTags, strInfo);
+              const safeStrInfo = {
+                value: strInfo.value,
+                tags: strInfo.tags,
+              };
+
+              reportSafePositive({
+                name,
+                ruleId,
+                safeTags: foundSafeTags,
+                strInfo: safeStrInfo,
+              });
+            }
+
+            if (isArgVulnerable) {
+              const args = origArgs.map((arg, idx) => {
+                if (idx === origArgs.length - 1) {
+                  return {
+                    value: strInfo.value,
+                    tracked: true,
+                    inspectedValue: `'${strInfo.value}'`,
+                  };
+                }
+
+                const inspectedValue = inspect(arg);
+                const argInfo = arg && isString(arg) ? tracker.getData(arg) : null;
+
+                return {
+                  value: argInfo ? argInfo.value : inspectedValue,
+                  tracked: !!argInfo,
+                  inspectedValue
+                };
+              });
+              const event = createSinkEvent({
+                name,
+                context: `${name}(${join(
+                  args.map((a) => a.inspectedValue),
+                  ', '
+                )})`,
+                history: [strInfo],
+                object: {
+                  value: 'global.ContrastMethods',
+                  tracked: false,
+                },
+                moduleName: 'global.ContrastMethods',
+                methodName: 'Function',
+                args: args.map((a) => ({
+                  value: a.value,
+                  tracked: a.tracked,
+                })),
+                tags: strInfo.tags,
+                source: `P${origArgs.length - 1}`,
+                stacktraceOpts: {
+                  contructorOpt: hooked,
+                  prependFrames: [orig],
+                },
+              });
+
+              if (event) {
+                reportFindings({
+                  ruleId,
+                  sinkEvent: event,
+                });
+              }
+            }
+          },
+        }),
+      });
+    },
+  };
+
+  return core.assess.dataflow.sinks.contrastFunction;
+};

package/lib/dataflow/sinks/install/http/index.js

@@ -0,0 +1,31 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { callChildComponentMethodsSync } = require('@contrast/common');
+
+module.exports = function(core) {
+  const http = core.assess.dataflow.sinks.http = {};
+
+  require('./request')(core);
+  require('./server-response')(core);
+
+  http.install = function() {
+    callChildComponentMethodsSync(http, 'install');
+  };
+
+  return http;
+};

package/lib/dataflow/sinks/install/http/request.js

@@ -0,0 +1,152 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const {
+  inspect,
+  isString,
+  DataflowTag: {
+    UNTRUSTED,
+    CUSTOM_ENCODED_SSRF,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED_SSRF,
+    CUSTOM_VALIDATED,
+    LIMITED_CHARS
+  }
+} = require('@contrast/common');
+const Url = require('url');
+const trustedLibs = [/^(?!.*(newrelic)).*http.*$/];
+const { patchType } = require('../../common');
+const { createAppendTags } = require('../../../tag-utils');
+
+module.exports = function(core) {
+  const {
+    depHooks,
+    patcher,
+    scopes: { sources },
+    assess: {
+      dataflow: {
+        tracker,
+        sinks: {
+          isVulnerable,
+          reportFindings
+        },
+        eventFactory: { createSinkEvent },
+      },
+    },
+  } = core;
+  const http = core.assess.dataflow.sinks.http.request = {};
+
+  const safeTags = [
+    CUSTOM_ENCODED_SSRF,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED_SSRF,
+    CUSTOM_VALIDATED,
+    LIMITED_CHARS
+  ];
+
+  function getValueFromReq(value, key) {
+    if (isString(value)) {
+      const url = new Url.URL(value);
+      if (isString(url[key])) {
+        return url[key];
+      }
+    }
+
+    if (isString(value[key])) {
+      return value[key];
+    }
+  }
+
+  function containsTrustedLib(stack) {
+    for (const { file } of stack) {
+      for (const trusted of trustedLibs) {
+        if (trusted.exec(file)) {
+          return true;
+        }
+      }
+    }
+
+    return false;
+  }
+
+  http.install = function() {
+    ['http', 'https'].forEach((moduleName) => {
+      depHooks.resolve({ name: moduleName }, (module) => {
+        const name = `${moduleName}.request`;
+        const methodName = 'request';
+        patcher.patch(module, methodName, {
+          name,
+          patchType,
+          pre(data) {
+            const sourceContext = sources.getStore()?.assess;
+            if (!sourceContext) return;
+
+            const [req] = data.args;
+            if (!req) return;
+
+            ['host', 'hostname', 'localAddress', 'protocol'].forEach((key) => {
+              const value = getValueFromReq(req, key);
+              if (!value) return;
+
+              const strInfo = tracker.getData(value);
+              if (!strInfo) return;
+
+              if (containsTrustedLib(strInfo.stack)) return;
+
+              const arg0 = isString(req) ? req : inspect(req);
+              const idx = arg0.indexOf(value);
+              const urlTags = createAppendTags({}, strInfo.tags, idx);
+
+              if (urlTags && isVulnerable(UNTRUSTED, safeTags, urlTags)) {
+                const event = createSinkEvent({
+                  name,
+                  moduleName,
+                  methodName: 'request',
+                  context: `${moduleName}.request(${arg0})`,
+                  history: [strInfo],
+                  object: {
+                    tracked: false,
+                    value: moduleName
+                  },
+                  args: [{
+                    value: arg0,
+                    tracked: true
+                  }],
+                  source: 'P0',
+                  stacktraceOpts: {
+                    constructorOpt: data.hooked,
+                    prependFrames: [data.orig]
+                  },
+                  tags: urlTags,
+                });
+
+                if (event) {
+                  reportFindings({
+                    ruleId: 'ssrf',
+                    sinkEvent: event
+                  });
+                }
+              }
+            });
+          }
+        });
+      });
+    });
+  };
+
+  return http;
+};

package/lib/dataflow/sinks/install/{http.js → http/server-response.js}

@@ -31,7 +31,7 @@ const {
   },
   Rule: { REFLECTED_XSS: ruleId },
 } = require('@contrast/common');
-const { patchType, filterSafeTags } = require('../common');
+const { patchType, filterSafeTags } = require('../../common');
 
 module.exports = function(core) {
   const {
@@ -52,7 +52,7 @@ module.exports = function(core) {
       },
     },
   } = core;
-  const http = core.assess.dataflow.sinks.http = {};
+  const http = core.assess.dataflow.sinks.http.serverResponse = {};
 
   const safeTags = [
     ALPHANUM_SPACE_HYPHEN,
@@ -86,9 +86,11 @@ module.exports = function(core) {
           value: strInfo.value,
           tracked: true
         }],
-        context: `res.${method}(${strInfo.value})`,
+        context: `res.${method}('${strInfo.value}')`,
         history: [strInfo],
         name,
+        moduleName: 'http',
+        methodName: `ServerResponse.prototype.${method}`,
         object: {
           tracked: false,
           value: 'http.ServerResponse'
@@ -99,7 +101,8 @@ module.exports = function(core) {
         },
         source: 'P0',
         stacktraceOpts: {
-          constructorOpt: data.hooked
+          constructorOpt: data.hooked,
+          prependFrames: [data.orig]
         },
         tags: strInfo.tags,
       });

package/lib/dataflow/sinks/install/koa/unvalidated-redirect.js

@@ -32,7 +32,7 @@ const { filterSafeTags, patchType } = require('../../common');
 
 const ruleId = 'unvalidated-redirect';
 
-module.exports = function (core) {
+module.exports = function(core) {
   const {
     depHooks,
     patcher,
@@ -59,11 +59,11 @@ module.exports = function (core) {
     URL_ENCODED,
   ];
 
-  unvalidatedRedirect.install = function () {
+  unvalidatedRedirect.install = function() {
     depHooks.resolve({ name: 'koa', file: 'lib/response', version: '<2.9.0' }, (Response) => {
       const name = 'Koa.Response.redirect';
       patcher.patch(Response, 'redirect', {
-        name: 'Koa.Response.redirect',
+        name,
         patchType,
         pre(data) {
           const assessStore = sources.getStore()?.assess;
@@ -84,7 +84,7 @@ module.exports = function (core) {
           let urlPathTags = strInfo.tags;
 
           if (url.indexOf('?') > -1) {
-            urlPathTags = createSubsetTags(strInfo.tags, 0, url.indexOf('?'));
+            urlPathTags = createSubsetTags(strInfo.tags, 0, url.indexOf('?') + 1);
           }
 
           if (urlPathTags && isVulnerable(UNTRUSTED, safeTags, urlPathTags)) {
@@ -104,7 +104,9 @@ module.exports = function (core) {
               args,
               context: `response.redirect(${inspect(strInfo.value)})`,
               history: [strInfo],
-              name: 'Koa.Response.redirect',
+              name,
+              moduleName: 'koa',
+              methodName: 'Response.redirect',
               object: {
                 tracked: false,
                 value: 'Koa.Response',
@@ -117,6 +119,7 @@ module.exports = function (core) {
               source: `P${isBackRoute ? 1 : 0}`,
               stacktraceOpts: {
                 constructorOpt: data.hooked,
+                prependFrames: [data.orig]
               },
             });
 

package/lib/dataflow/sinks/install/marsdb.js

@@ -102,6 +102,8 @@ module.exports = function(core) {
         const sinkEvent = createSinkEvent({
           args,
           context: `marsdb.Collection.${method}(${args.map((a) => a.value)})`,
+          moduleName: 'marsdb',
+          methodName: `Collection.prototype.${method}`,
           history: [strInfo],
           object: {
             tracked: false,
@@ -112,6 +114,7 @@ module.exports = function(core) {
           source: `P${argIdx}`,
           stacktraceOpts: {
             constructorOpt: data.hooked,
+            prependFrames: [data.orig]
           },
           tags: strInfo.tags,
         });