@contrast/assess 1.8.0 → 1.10.0

package/lib/dataflow/sinks/install/mongodb.js

@@ -15,7 +15,6 @@
 
 'use strict';
 
-const util = require('util');
 const {
   DataflowTag: {
     UNTRUSTED,
@@ -28,7 +27,8 @@ const {
   Rule: { NOSQL_INJECTION_MONGO },
   isNonEmptyObject,
   traverseValues,
-  isString
+  isString,
+  inspect
 } = require('@contrast/common');
 const utils = require('../../tag-utils');
 const { patchType, filterSafeTags } = require('../common');
@@ -82,7 +82,6 @@ module.exports = function(core) {
     }
   } = core;
 
-  const inspect = patcher.unwrap(util.inspect);
   const instr = core.assess.dataflow.sinks.mongodb = {};
 
   instr.getQueryVulnerabilityInfo = function getQueryVulnerabilityInfo(query) {
@@ -256,7 +255,7 @@ module.exports = function(core) {
           if (safeReports.length && config.assess.safe_positives.enable) {
             const safeTags = safeReports.map((report) => filterSafeTags(querySafeTags, report.strInfo));
             const strInfo = safeReports.map((report) => {
-              const tags = report.path ? getAdjustedQueryTags(report.path, report.strInfo, inspect(origArgs[report.argIdx], { depth: 4 })) : report.strInfo?.tags;
+              const tags = report.path ? utils.createAdjustedQueryTags(report.path, report.strInfo.tags, report.strInfo.value, inspect(origArgs[report.argIdx], { depth: 4 })) : report.strInfo?.tags;
 
               return {
                 value: inspect(origArgs[report.argIdx], { depth: 4 }),
@@ -282,17 +281,19 @@ module.exports = function(core) {
           tracked: idx === vulnArgIdx,
         }));
 
-        const tags = path ? getAdjustedQueryTags(path, strInfo, args[vulnArgIdx].value) : strInfo?.tags;
+        const tags = path ? utils.createAdjustedQueryTags(path, strInfo.tags, strInfo.value, args[vulnArgIdx].value) : strInfo?.tags;
         const resultVal = args[args.length - 1].value.startsWith('[Function') ? '' : 'Promise';
         const sinkEvent = createSinkEvent({
           args,
-          context: `${objName}.${method}(${args.map((a) => a.value)})`,
+          context: `${objName}.${method}(${args.map((a, idx) => isString(origArgs[idx]) ? `'${a.value}'` : a.value)})`,
           history: [strInfo],
           object: {
             tracked: false,
             value: `mongodb.${entity}`,
           },
           name,
+          moduleName: 'mongodb',
+          methodName: `${entity}.prototype.${method}`,
           result: {
             tracked: false,
             value: resultVal,
@@ -399,22 +400,4 @@ module.exports = function(core) {
 
     return name;
   }
-
-  function getAdjustedQueryTags(path, strInfo, argString) {
-    const { tags } = strInfo;
-    let idx = -1;
-    for (const str of [...path, strInfo.value]) {
-      // This is the case with the `.aggregate` method
-      // where the argument is an array
-      if (str === 0) continue;
-
-      idx = argString.indexOf(str, idx);
-      if (idx == -1) {
-        idx = -1;
-        break;
-      }
-    }
-
-    return idx > 0 ? utils.createAppendTags([], tags, idx) : strInfo.tags;
-  }
 };

package/lib/dataflow/sinks/install/mssql.js

@@ -21,7 +21,7 @@ const {
   isString
 } = require('@contrast/common');
 const { createModuleLabel } = require('../../propagation/common');
-const { patchType } = require('../common');
+const { patchType, filterSafeTags } = require('../common');
 
 const safeTags = [
   SQL_ENCODED,
@@ -30,21 +30,24 @@ const safeTags = [
   CUSTOM_ENCODED,
 ];
 
-module.exports = function (core) {
+const ruleId = SQL_INJECTION;
+
+module.exports = function(core) {
   const {
     depHooks,
     patcher,
+    config,
     scopes: { sources },
     assess: {
       dataflow: {
         tracker,
-        sinks: { isVulnerable, isLocked, reportFindings },
+        sinks: { isVulnerable, isLocked, reportFindings, reportSafePositive },
         eventFactory: { createSinkEvent },
       },
     },
   } = core;
 
-  const pre = (name, obj, version) => (data) => {
+  const pre = (name, method, obj, version) => (data) => {
     const store = sources.getStore()?.assess;
     if (
       !store ||
@@ -54,34 +57,48 @@ module.exports = function (core) {
     ) return;
 
     const strInfo = tracker.getData(data.args[0]);
-    if (!strInfo || !isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) {
-      return;
-    }
+    if (!strInfo) return;
 
-    const event = createSinkEvent({
-      name,
-      history: [strInfo],
-      object: {
-        value: `[${createModuleLabel('mssql', version)}].${obj}`,
-        tracked: false,
-      },
-      args: [
-        {
-          value: strInfo.value,
-          tracked: true,
+    if (isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) {
+      const event = createSinkEvent({
+        name,
+        moduleName: 'mssql',
+        methodName: `PreparedStatement.prototype.${method}`,
+        context: `mssql.PreparedStatement.${method}('${strInfo.value}')`,
+        history: [strInfo],
+        object: {
+          value: `[${createModuleLabel('mssql', version)}].${obj}`,
+          tracked: false,
         },
-      ],
-      tags: strInfo.tags,
-      source: 'P0',
-      stacktraceOpts: {
-        contructorOpt: data.hooked,
-      },
-    });
+        args: [
+          {
+            value: strInfo.value,
+            tracked: true,
+          },
+        ],
+        tags: strInfo.tags,
+        source: 'P0',
+        stacktraceOpts: {
+          contructorOpt: data.hooked,
+          prependFrames: [data.orig]
+        },
+      });
 
-    if (event) {
-      reportFindings({
-        ruleId: SQL_INJECTION,
-        sinkEvent: event,
+      if (event) {
+        reportFindings({
+          ruleId: SQL_INJECTION,
+          sinkEvent: event,
+        });
+      }
+    } else if (config.assess.safe_positives.enable) {
+      reportSafePositive({
+        name,
+        ruleId,
+        safeTags: filterSafeTags(safeTags, strInfo),
+        strInfo: {
+          tags: strInfo.tags,
+          value: strInfo.value,
+        }
       });
     }
   };
@@ -96,6 +113,7 @@ module.exports = function (core) {
             patchType,
             pre: pre(
               'mssql/lib/base/prepared-statement.prototype.prepare',
+              'prepare',
               'PreparedStatement',
               version,
             ),
@@ -111,6 +129,7 @@ module.exports = function (core) {
             patchType,
             pre: pre(
               'mssql/lib/base/request.prototype.batch',
+              'batch',
               'Request',
               version,
             ),
@@ -121,6 +140,7 @@ module.exports = function (core) {
             patchType,
             pre: pre(
               'mssql/lib/base/request.prototype.query',
+              'query',
               'Request',
               version,
             ),

package/lib/dataflow/sinks/install/mysql.js

@@ -28,6 +28,7 @@ const {
     LIMITED_CHARS,
     UNTRUSTED
   },
+  inspect
 } = require('@contrast/common');
 
 const safeTags = [
@@ -39,7 +40,7 @@ const safeTags = [
   LIMITED_CHARS,
 ];
 
-module.exports = function (core) {
+module.exports = function(core) {
   const {
     depHooks,
     patcher,
@@ -63,7 +64,7 @@ module.exports = function (core) {
     }
   }
 
-  const pre = (module, file, obj) => (data) => {
+  const pre = (module, file, obj, method) => (data) => {
     const store = sources.getStore()?.assess;
     if (
       !store ||
@@ -81,6 +82,9 @@ module.exports = function (core) {
 
     const event = createSinkEvent({
       name: `${module}/${file}`,
+      moduleName: module,
+      methodName: `prototype.${method}`,
+      context: `${module}.${method}(${inspect(data.args[0])})`,
       history: [strInfo],
       object: {
         value: `${module}.${obj}`,
@@ -96,6 +100,7 @@ module.exports = function (core) {
       source: 'P0',
       stacktraceOpts: {
         contructorOpt: data.hooked,
+        prependFrames: [data.orig]
       },
     });
 
@@ -115,7 +120,7 @@ module.exports = function (core) {
           patcher.patch(Connection.prototype, 'query', {
             name: 'Connection.prototype.query',
             patchType,
-            pre: pre('mysql', 'lib/Connection.query', 'Connection')
+            pre: pre('mysql', 'lib/Connection.query', 'Connection', 'query')
           });
         },
       );
@@ -126,7 +131,7 @@ module.exports = function (core) {
             patcher.patch(connection.prototype, `${method}`, {
               name: `connection.prototype.${method}`,
               patchType,
-              pre: pre('mysql2', `lib/connection.Connection.${method}`, 'connection')
+              pre: pre('mysql2', `lib/connection.Connection.${method}`, 'connection', method)
             });
           });
         },

package/lib/dataflow/sinks/install/postgres.js

@@ -19,11 +19,11 @@ const util = require('util');
 const {
   DataflowTag: { UNTRUSTED, SQL_ENCODED, LIMITED_CHARS, CUSTOM_VALIDATED, CUSTOM_ENCODED },
   Rule: { SQL_INJECTION: ruleId },
-  isString
+  isString,
 } = require('@contrast/common');
 const { filterSafeTags, patchType } = require('../common');
 
-module.exports = function (core) {
+module.exports = function(core) {
   const {
     config,
     depHooks,
@@ -74,6 +74,8 @@ module.exports = function (core) {
         context: `${objValue}.query(${arg0Val})`,
         history: [strInfo],
         name: methodSignature,
+        moduleName: `${methodSignature.includes('pool') ? 'pg-pool' : 'pg'}`,
+        methodName: 'Connection.prototype.query',
         object: {
           tracked: false,
           value: objValue,
@@ -86,6 +88,7 @@ module.exports = function (core) {
         source: 'P0',
         stacktraceOpts: {
           constructorOpt: data.hooked,
+          prependFrames: [data.orig]
         },
       });
 
@@ -108,7 +111,7 @@ module.exports = function (core) {
     }
   };
 
-  postgres.install = function () {
+  postgres.install = function() {
     const pgClientQueryPatchName = 'pg.Client.prototype.query';
     depHooks.resolve(
       { name: 'pg', file: 'lib/client.js' },

package/lib/dataflow/sinks/install/sequelize.js

@@ -28,7 +28,7 @@ const {
 } = require('@contrast/common');
 const { patchType, filterSafeTags } = require('../common');
 
-module.exports = function (core) {
+module.exports = function(core) {
   const {
     depHooks,
     patcher,
@@ -54,7 +54,7 @@ module.exports = function (core) {
 
   const sequelize = (core.assess.dataflow.sinks.sequelize = {});
 
-  sequelize.install = function () {
+  sequelize.install = function() {
     const sequelizeQueryPatchName = 'sequelize.prototype.query';
     depHooks.resolve({ name: 'sequelize' }, (sequelize) => {
       patcher.patch(sequelize.prototype, 'query', {
@@ -69,7 +69,7 @@ module.exports = function (core) {
 
           try {
             const queryInfo = tracker.getData(query);
-            const isVulnerableQuery = isVulnerable(requiredTag, safeTags, queryInfo.tags);
+            const isVulnerableQuery = queryInfo && isVulnerable(requiredTag, safeTags, queryInfo.tags);
 
             if (queryInfo && !isVulnerableQuery && config.assess.safe_positives.enable) {
               reportSafePositive({
@@ -94,8 +94,8 @@ module.exports = function (core) {
               typeof args[0] === 'string' ? args[0] : inspect(args[0]);
             const inspectedOptions = args[1] ? inspect(args[1]) : '';
             const contextArgs = args[1]
-              ? `${sqlValue}, ${inspectedOptions}`
-              : sqlValue;
+              ? `'${sqlValue}', ${inspectedOptions}`
+              : `'${sqlValue}'`;
 
             const reportedArgs = [{ value: sqlValue, tracked: true }];
             args[1] &&
@@ -104,6 +104,8 @@ module.exports = function (core) {
             const event = createSinkEvent({
               context: `sequelize.prototype.query(${contextArgs})`,
               name: sequelizeQueryPatchName,
+              moduleName: 'sequelize',
+              methodName: 'prototype.query',
               history: [queryInfo],
               object: {
                 value: 'sequelize.prototype',

package/lib/dataflow/sinks/install/sqlite3.js

@@ -29,7 +29,7 @@ const safeTags = [
   CUSTOM_ENCODED,
 ];
 
-module.exports = function (core) {
+module.exports = function(core) {
   const {
     depHooks,
     patcher,
@@ -43,7 +43,7 @@ module.exports = function (core) {
     },
   } = core;
 
-  const pre = (name) => (data) => {
+  const pre = (name, method) => (data) => {
     const store = sources.getStore()?.assess;
     if (
       !store ||
@@ -59,6 +59,9 @@ module.exports = function (core) {
 
     const event = createSinkEvent({
       name,
+      moduleName: 'sqlite3',
+      methodName: `Database.prototype.${method}`,
+      context: `db.${method}('${strInfo.value}')`,
       history: [strInfo],
       object: {
         value: '[Module<sqlite3>].Database',
@@ -74,6 +77,7 @@ module.exports = function (core) {
       source: 'P0',
       stacktraceOpts: {
         contructorOpt: data.hooked,
+        prependFrames: [data.orig]
       },
     });
 
@@ -93,7 +97,7 @@ module.exports = function (core) {
           patcher.patch(sqlite3.Database.prototype, method, {
             name,
             patchType,
-            pre: pre(name)
+            pre: pre(name, method)
           });
         });
       });

package/lib/dataflow/sinks/install/vm.js

@@ -0,0 +1,276 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+const { patchType, filterSafeTags } = require('../common');
+const {
+  isString,
+  DataflowTag: {
+    UNTRUSTED,
+    CUSTOM_ENCODED_TRUST_BOUNDARY_VIOLATION,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED_TRUST_BOUNDARY_VIOLATION,
+    CUSTOM_VALIDATED,
+    LIMITED_CHARS,
+  },
+  isNonEmptyObject,
+  inspect,
+  traverseValues,
+  join,
+  split,
+} = require('@contrast/common');
+const { createAdjustedQueryTags } = require('../../tag-utils');
+const ruleId = 'unsafe-code-execution';
+const safeTags = [
+  CUSTOM_ENCODED_TRUST_BOUNDARY_VIOLATION,
+  CUSTOM_ENCODED,
+  CUSTOM_VALIDATED_TRUST_BOUNDARY_VIOLATION,
+  CUSTOM_VALIDATED,
+  LIMITED_CHARS,
+];
+
+module.exports = function(core) {
+  const {
+    config,
+    depHooks,
+    patcher,
+    scopes: { sources, instrumentation },
+    assess: {
+      dataflow: {
+        tracker,
+        sinks: {
+          isVulnerable,
+          runInActiveSink,
+          isLocked,
+          reportFindings,
+          reportSafePositive,
+        },
+        eventFactory: { createSinkEvent },
+      },
+    },
+  } = core;
+
+  function accumulateArgsInfo(origArgs, idxsToCheck) {
+    const argsInfo = [];
+    for (let i = 0; i < origArgs.length; i++) {
+      const arg = origArgs[i];
+      const infoObj = {
+        isStringArg: isString(arg),
+        idx: i,
+        sanitizedStrInfos: [],
+        sanitizedStrPaths: []
+      };
+
+      if (
+        !arg ||
+        !idxsToCheck.includes(i) ||
+        (!infoObj.isStringArg && !isNonEmptyObject(arg))
+      ) {
+        const inspectedArg = inspect(origArgs[i]);
+        infoObj.argsValue = { value: inspectedArg, tracked: false };
+        infoObj.ctxValue = inspectedArg;
+        argsInfo.push(infoObj);
+
+        continue;
+      }
+
+      if (infoObj.isStringArg) {
+        const strInfo = tracker.getData(arg);
+        infoObj.strInfo = strInfo;
+        infoObj.argsValue = {
+          value: strInfo ? strInfo.value : arg,
+          tracked: !!strInfo,
+        };
+        infoObj.ctxValue = `"${strInfo?.value || arg}"`;
+        infoObj.isVulnerableArg =
+          strInfo && isVulnerable(UNTRUSTED, safeTags, strInfo.tags);
+        if (strInfo && !infoObj.isVulnerableArg) {
+          infoObj.sanitizedStrInfos.push(strInfo);
+          infoObj.isSanitizedArg = true;
+        }
+      } else {
+        traverseValues(
+          arg,
+          (path, _type, value) => {
+            const strInfo = tracker.getData(value);
+            infoObj.strInfo = strInfo;
+            infoObj.isVulnerableArg =
+              strInfo && isVulnerable(UNTRUSTED, safeTags, strInfo.tags);
+            if (infoObj.isVulnerableArg) {
+              infoObj.vulnerableArgPath = [...path];
+              return true;
+            } else if (strInfo) {
+              infoObj.sanitizedStrInfos.push(strInfo);
+              infoObj.sanitizedStrPaths.push([...path]);
+              infoObj.isSanitizedArg = true;
+            }
+          },
+          100
+        );
+
+        const inspectedArg = inspect(arg);
+
+        infoObj.argsValue = { value: inspectedArg, tracked: false };
+        infoObj.ctxValue = inspectedArg;
+      }
+
+      argsInfo.push(infoObj);
+    }
+
+    return argsInfo;
+  }
+
+  function around(next, { args: origArgs, hooked, orig, name }) {
+    const store = sources.getStore()?.assess;
+    if (
+      !store ||
+      instrumentation.isLocked() ||
+      isLocked('unsafe-code-execution')
+    ) {
+      return next();
+    }
+
+    const methodPath = split(name, '.');
+    const method = methodPath[methodPath.length - 1];
+    const idxsToCheck = method === 'runInNewContext' ? [0, 1] : [0];
+    const argsInfo = accumulateArgsInfo(origArgs, idxsToCheck);
+    const vulnerableArg = argsInfo.find((arg) => arg.isVulnerableArg);
+    const sanitizedArgs = argsInfo.filter((arg) => arg.isSanitizedArg);
+
+    if (!vulnerableArg && sanitizedArgs.length && config.assess.safe_positives.enable) {
+      const foundSafeTags = sanitizedArgs.reduce((a, c) => {
+        const tags = [];
+
+        c.sanitizedStrInfos.forEach((i) => {
+          tags.push(filterSafeTags(safeTags, i));
+        });
+
+        tags.forEach((tag) => a.add(...tag));
+        return a;
+      }, new Set());
+      const strInfo = sanitizedArgs.map((arg) => {
+        const value = inspect(origArgs[arg.idx], { depth: 4 });
+        const tags = [];
+        const strValues = [];
+        arg.sanitizedStrInfos.forEach((info, idx) => {
+          strValues.push(info.value);
+          if (arg.isStringArg) {
+            tags.push(info.tags);
+          } else {
+            tags.push(
+              createAdjustedQueryTags(
+                arg.sanitizedStrPaths[idx] || [],
+                info.tags,
+                info.value,
+                value
+              )
+            );
+          }
+        });
+
+        return {
+          value,
+          strValues,
+          tags,
+        };
+      });
+
+      reportSafePositive({
+        name,
+        ruleId,
+        safeTags: Array.from(foundSafeTags),
+        strInfo,
+      });
+
+      return name === 'vm.runInNewContext'
+        ? runInActiveSink('unsafe-code-execution', () => next())
+        : next();
+    }
+
+    if (vulnerableArg) {
+      const event = createSinkEvent({
+        name,
+        context: `${name}(${join(
+          argsInfo.map((a) => a.ctxValue),
+          ', '
+        )})`,
+        history: [vulnerableArg.strInfo],
+        object: {
+          value: methodPath.includes('prototype')
+            ? 'vm.Script.prototype'
+            : 'vm',
+          tracked: false,
+        },
+        moduleName: 'vm',
+        methodName: method,
+        args: argsInfo.map((a) => a.argsValue),
+        tags: vulnerableArg.vulnerableArgPath?.length
+          ? createAdjustedQueryTags(
+            vulnerableArg.vulnerableArgPath,
+            vulnerableArg.strInfo.tags,
+            vulnerableArg.strInfo.value,
+            vulnerableArg.argsValue.value
+          )
+          : vulnerableArg.strInfo.tags,
+        source: `P${vulnerableArg.idx}`,
+        stacktraceOpts: {
+          contructorOpt: hooked,
+          prependFrames: [orig],
+        },
+      });
+
+      if (event) {
+        reportFindings({
+          ruleId,
+          sinkEvent: event,
+        });
+      }
+    }
+
+    return name === 'vm.runInNewContext'
+      ? runInActiveSink('unsafe-code-execution', () => next())
+      : next();
+  }
+
+  core.assess.dataflow.sinks.vm = {
+    install() {
+      depHooks.resolve({ name: 'vm' }, (vm) => {
+        [
+          'Script',
+          'createScript',
+          'runInContext',
+          'runInThisContext',
+          'createContext',
+          'runInNewContext',
+        ].forEach((method) => {
+          const name = `vm.${method}`;
+          patcher.patch(vm, method, {
+            name,
+            patchType,
+            around,
+          });
+        });
+
+        patcher.patch(vm.Script.prototype, 'runInNewContext', {
+          name: 'vm.Script.prototype.runInNewContext',
+          patchType,
+          around,
+        });
+      });
+    },
+  };
+
+  return core.assess.dataflow.sinks.vm;
+};

package/lib/dataflow/sources/handler.js

@@ -19,6 +19,7 @@ const {
   InputType,
   DataflowTag,
   isString,
+  join,
 } = require('@contrast/common');
 
 module.exports = function(core) {
@@ -115,7 +116,7 @@ module.exports = function(core) {
     }
 
     traverse(_data, (path, fieldName, value, obj) => {
-      const pathName = path.join('.');
+      const pathName = join(path, '.');
 
       if (sourceContext.sourceEventsCount >= max) {
         core.logger.trace({ inputType, name }, 'exiting assess source handling - %s max events exceeded', max);