npm - @contrast/assess - Versions diffs - 1.8.0 → 1.10.0 - Mend

@contrast/assess 1.8.0 → 1.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (75) hide show

package/lib/dataflow/sources/install/http.js CHANGED Viewed

@@ -80,7 +80,7 @@ module.exports = function(core) {
         pre(data) {
           const [name = '', value] = data.args;
           if (toLowerCase(name) === 'content-type' && value) {
-            store.assess.responseData.contentType = value;
+            scopes.sources.getStore().assess.responseData.contentType = value;
           }
         }
       });

package/lib/dataflow/tag-utils.js CHANGED Viewed

@@ -44,7 +44,7 @@ function atomicAppend(firstTagRanges, secondTagRanges, offset) {
 function atomicSubset(tags, subsetStart, len) {
   const ret = [];
-  const subsetStop = subsetStart + len;
+  const subsetStop = subsetStart + len - 1;
   for (let idx = 0; idx < tags.length - 1; idx += 2) {
     const tagStart = tags[idx];
@@ -119,6 +119,42 @@ function atomicMerge(firstTagRanges, secondTagRanges) {
   return finalMergedRanges;
 }
+function atomicExclude(tags, exclusionRange) {
+  const ret = [];
+  const [exclusionStart, exclusionStop] = exclusionRange;
+  for (let idx = 0; idx < tags.length - 1; idx += 2) {
+    const tagStart = tags[idx];
+    const tagStop = tags[idx + 1];
+    if (tagStop < exclusionStart) {
+      ret.push(tagStart, tagStop);
+      // exlusion is below - continue to check next range
+      continue;
+    }
+    if (tagStart > exclusionStop) {
+      ret.push(...tags.slice(idx));
+      // all other ranges are above exclusion so we can stop
+      break;
+    }
+    if (exclusionStart <= tagStart && exclusionStop < tagStop) {
+      ret.push(exclusionStop + 1, tagStop);
+    }
+    if (exclusionStart > tagStart) {
+      ret.push(tagStart, exclusionStart - 1);
+      if (exclusionStop < tagStop) {
+        ret.push(exclusionStop + 1, tagStop);
+      }
+    }
+  }
+  return ret;
+}
 function createAppendTags(firstTags, secondTags, offset) {
   const ret = Object.create(null);
   const firstTagsObject = ensureObject(firstTags);
@@ -134,6 +170,29 @@ function createAppendTags(firstTags, secondTags, offset) {
   return Object.keys(ret).length ? ret : null;
 }
+function createOverlappingTags(tags, startIndex, endIndex) {
+  const overlappingTags = {};
+  Object.entries(tags).forEach(([tag, tagRanges]) => {
+    const overlappingRanges = [];
+    for (let i = 0; i < tagRanges.length; i += 2) {
+      const start = tagRanges[i];
+      const end = tagRanges[i + 1];
+      if (end >= startIndex && start <= endIndex) {
+        overlappingRanges.push([start, end]);
+      }
+    }
+    if (overlappingRanges.length > 0) {
+      overlappingTags[tag] = overlappingRanges;
+    }
+  });
+  return overlappingTags;
+}
 /**
  * assumes:
  *  - no mutation of arguments
@@ -181,9 +240,43 @@ function createMergedTags(firstTags, secondTags) {
   return Object.keys(ret).length ? ret : null;
 }
+function createTagsWithExclusion(tags, exclusionRange) {
+  if (!exclusionRange.length) return;
+  const ret = Object.create(null);
+  const tagsObject = ensureObject(tags);
+  for (const tagName of Object.keys(tagsObject)) {
+    const newTagRanges = atomicExclude(ensureTagsImmutable(tagsObject, tagName), exclusionRange);
+    newTagRanges.length && (ret[tagName] = newTagRanges);
+  }
+  return Object.keys(ret).length ? ret : null;
+}
+function createAdjustedQueryTags(path, tags, value, argString) {
+  let idx = -1;
+  for (const str of [...path, value]) {
+    // This is the case where the argument is an array
+    if (str === 0) continue;
+    idx = argString.indexOf(str, idx);
+    if (idx == -1) {
+      idx = -1;
+      break;
+    }
+  }
+  return idx > 0 ? createAppendTags([], tags, idx) : [...tags];
+}
 module.exports = {
   createSubsetTags,
   createAppendTags,
   createFullLengthCopyTags,
-  createMergedTags
+  createMergedTags,
+  createTagsWithExclusion,
+  createAdjustedQueryTags,
+  createOverlappingTags
 };

package/lib/dataflow/tracker.js CHANGED Viewed

@@ -34,7 +34,8 @@ module.exports = function tracker(core) {
   function getData(value) {
     if (typeof value === 'string') {
-      return distringuish.getProperties(value);
+      const props = distringuish.getProperties(value);
+      return props?.untracked ? null : props;
     }
     return objMap.get(value) || null;
@@ -126,11 +127,10 @@ module.exports = function tracker(core) {
     if (typeof value === 'string') {
       const props = distringuish.getProperties(value);
       if (props) {
-        Object.assign(props, {
-          history: [],
-          tags: {},
-        });
-        delete props.resultTracked;
+        for (const key of Object.keys(props)) {
+          delete props[key];
+        }
+        props.untracked = true;
       }
       return distringuish.internalize(value);
     }

package/lib/index.js CHANGED Viewed

@@ -16,6 +16,7 @@
 'use strict';
 const { callChildComponentMethodsSync } = require('@contrast/common');
+const sessionConfiguration = require('./session-configuration');
 const dataflow = require('./dataflow');
 const responseScanning = require('./response-scanning');
@@ -26,6 +27,7 @@ module.exports = function assess(core) {
   // Does this order matter? Probably not
   // 1. dataflow
+  sessionConfiguration(core);
   dataflow(core);
   responseScanning(core);

package/lib/response-scanning/handlers/utils.js CHANGED Viewed

@@ -15,7 +15,7 @@
 'use strict';
-const { join, substring, toLowerCase, split, trim } = require('@contrast/common');
+const { join, substring, toLowerCase, split, trim, replace } = require('@contrast/common');
 //
 // General HTML utils
@@ -32,7 +32,7 @@ const reHasUnescapedHtml = RegExp(reUnescapedHtml.source);
 function escapeHtml(string) {
   return (string && reHasUnescapedHtml.test(string))
-    ? string.replace(reUnescapedHtml, (chr) => htmlEscapes[chr])
+    ? replace(string, reUnescapedHtml, (chr) => htmlEscapes[chr])
     : (string || '');
 }

package/lib/session-configuration/index.js ADDED Viewed

@@ -0,0 +1,34 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { callChildComponentMethodsSync, Event } = require('@contrast/common');
+module.exports = function(core) {
+  const { messages } = core;
+  const sessionConfiguration = core.assess.sessionConfiguration = {
+    reportFindings(_sourceContext, vulnerabilityMetadata) {
+      messages.emit(Event.ASSESS_SESSION_CONFIGURATION_FINDING, vulnerabilityMetadata);
+    },
+  };
+  require('./install/http')(core);
+  sessionConfiguration.install = function() {
+    callChildComponentMethodsSync(sessionConfiguration, 'install');
+  };
+  return sessionConfiguration;
+};

package/lib/session-configuration/install/http.js ADDED Viewed

@@ -0,0 +1,79 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { SessionConfigurationRule, split, toLowerCase } = require('@contrast/common');
+module.exports = function(core) {
+  const {
+    depHooks,
+    patcher,
+    scopes: { sources },
+    assess: {
+      sessionConfiguration: {
+        reportFindings
+      }
+    }
+  } = core;
+  const http = core.assess.sessionConfiguration.httpInstrumentation = {};
+  const patchType = 'session-configuration';
+  http.install = function() {
+    [
+      { name: 'http', responseObj: 'ServerResponse' },
+      { name: 'https', responseObj: 'ServerResponse' },
+      { name: 'http2', responseObj: 'Http2ServerResponse' }
+    ].forEach(({ name, responseObj }) => {
+      depHooks.resolve({ name }, (module) => {
+        patcher.patch(module[responseObj].prototype, 'setHeader', {
+          name: `${name}.${responseObj}.prototype.setHeader`,
+          patchType,
+          post(data) {
+            const sourceContext = sources.getStore()?.assess;
+            if (!sourceContext) return;
+            const [key, val] = data.args;
+            if (key === 'Set-Cookie') {
+              const [cookies] = val;
+              const parsedCookies = split(toLowerCase(cookies), '; ');
+              if (!parsedCookies.includes('httponly')) {
+                reportFindings(sourceContext, {
+                  ruleId: SessionConfigurationRule.HTTPONLY,
+                  props: {
+                    evidence: cookies
+                  }
+                });
+              }
+              if (!parsedCookies.includes('secure')) {
+                reportFindings(sourceContext, {
+                  ruleId: SessionConfigurationRule.SECURE_FLAG_MISSING,
+                  props: {
+                    evidence: cookies
+                  }
+                });
+              }
+            }
+          }
+        });
+      });
+    });
+  };
+  return http;
+};

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.8.0",
+  "version": "1.10.0",
   "description": "",
   "main": "lib/index.js",
   "scripts": {
@@ -15,7 +15,7 @@
   "dependencies": {
     "@contrast/distringuish": "^4.1.0",
     "@contrast/scopes": "1.4.0",
-    "@contrast/common": "1.11.0",
+    "@contrast/common": "1.13.0",
     "parseurl": "^1.3.3"
   }
 }