@contrast/assess 1.8.0 → 1.9.0

package/lib/dataflow/event-factory.js

@@ -15,8 +15,7 @@
 
 'use strict';
 
-
-const { InputType, signatures } = require('@contrast/common');
+const { InputType, match } = require('@contrast/common');
 const annotationRegExp = /^(A|O|R|P|P\d+)$/;
 
 module.exports = function(core) {
@@ -48,7 +47,7 @@ module.exports = function(core) {
     }
 
     if (!name) {
-      logger.debug({ name }, baseMessage, 'invalid name');
+      logger.debug({ data }, baseMessage, 'invalid name');
       return null;
     }
 
@@ -77,6 +76,8 @@ module.exports = function(core) {
   eventFactory.createPropagationEvent = function(data) {
     const {
       name = '',
+      moduleName,
+      methodName,
       history = [],
       object = { value: null, tracked: false },
       args = [],
@@ -102,10 +103,8 @@ module.exports = function(core) {
       return null;
     }
 
-    const signature = signatures.get(name);
-
-    if (!signature) {
-      logger.debug({ name }, 'Propagation event not created: no signature found for this name');
+    if (!name) {
+      logger.debug({ name }, 'Propagation event not created: invalid name');
       return null;
     }
 
@@ -115,8 +114,8 @@ module.exports = function(core) {
     }
 
     if (
-      ((source && !source.match(annotationRegExp)) || (!source && !signature.source)) ||
-      ((target && !target.match(annotationRegExp)) || (!target && !signature.target))
+      (!source || !match(source, annotationRegExp)) ||
+      (!target || !match(target, annotationRegExp))
     ) {
       logger.debug({ name, source, target }, 'Propagation event not created: %s', 'invalid source/target');
       return null;
@@ -135,6 +134,8 @@ module.exports = function(core) {
       context,
       history,
       name,
+      moduleName,
+      methodName,
       object,
       removedTags,
       result,
@@ -155,6 +156,8 @@ module.exports = function(core) {
     const {
       context,
       name = '',
+      moduleName,
+      methodName,
       history = [],
       object = { value: null, tracked: false },
       args = [],
@@ -169,9 +172,8 @@ module.exports = function(core) {
       logger.debug('no sourceContext found during sink event creation');
       return null;
     }
-    const signature = signatures.get(name);
-    if (!signature) {
-      logger.debug({ name }, 'no signature found for sink event name');
+    if (!name) {
+      logger.debug({ data }, 'no sink event name');
       return null;
     }
     if (!history.length) {
@@ -179,7 +181,7 @@ module.exports = function(core) {
       return null;
     }
     if (
-      ((source && !source.match(annotationRegExp)) || (!source && !signature.source))
+      (!source || !source.match(annotationRegExp))
     ) {
       logger.debug({ data }, 'malformed or missing sink event source field');
       return null;
@@ -197,6 +199,8 @@ module.exports = function(core) {
       context,
       history,
       name,
+      moduleName,
+      methodName,
       object,
       result,
       source,

package/lib/dataflow/propagation/index.js

@@ -22,6 +22,7 @@ module.exports = function(core) {
 
   require('./install/contrast-methods')(core);
   require('./install/ejs')(core);
+  require('./install/mongoose')(core);
   require('./install/pug')(core);
   require('./install/string')(core);
   require('./install/url')(core);
@@ -33,7 +34,9 @@ module.exports = function(core) {
   require('./install/escape-html')(core);
   require('./install/escape')(core);
   require('./install/handlebars-utils-escape-expression')(core);
+  require('./install/isnumeric-0')(core);
   require('./install/mysql-connection-escape')(core);
+  require('./install/parse-int')(core);
   require('./install/pug-runtime-escape')(core);
   require('./install/sql-template-strings')(core);
   require('./install/unescape')(core);

package/lib/dataflow/propagation/install/JSON/index.js

@@ -28,6 +28,7 @@ module.exports = function(core) {
   };
 
   require('./stringify')(core);
+  require('./parse')(core);
 
   return jsonInstrumentation;
 };

package/lib/dataflow/propagation/install/JSON/parse-fn.js

@@ -0,0 +1,248 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { trim } = require('@contrast/common');
+
+function isNumber(value) {
+  return !isNaN(value);
+}
+
+function array(input, index, accumulator) {
+  const startIndex = index - 1;
+  const valueIndexes = [];
+
+  while (index < input.length) {
+    const cv = input[index];
+    if (cv === ']') {
+      index += 1;
+      break;
+    }
+
+    if (trim(cv) === '' || (valueIndexes.length > 0 && cv === ',')) {
+      index += 1;
+      continue;
+    }
+
+    const {
+      startIndex,
+      endIndex,
+      index: nextIndex,
+    } = getValueIndexes(input, index, accumulator);
+
+    valueIndexes.push([startIndex, endIndex]);
+    accumulator.push({ key: [null, null], value: [startIndex, endIndex] });
+
+    index = nextIndex;
+  }
+
+  return {
+    startIndex,
+    endIndex: index - 1,
+    index,
+    accumulator,
+  };
+}
+
+function string(input, index) {
+  const startIndex = index;
+
+  while (index < input.length) {
+    const cv = input[index];
+    if (cv === '\\') {
+      index += 2;
+      continue;
+    }
+
+    if (input[index] !== '"') {
+      index += 1;
+      continue;
+    }
+
+    break;
+  }
+
+  if (startIndex === index) {
+    return { startIndex: null, endIndex: null, index: index + 1 };
+  }
+
+  return { startIndex, endIndex: index - 1, index: index + 1 };
+}
+
+function bool(input, index = 0) {
+  const trueLength = 'true'.length;
+  const falseLength = 'false'.length;
+  let endIndex = 0;
+
+  if (input[index] === 't') {
+    endIndex = index + trueLength - 1;
+  } else {
+    endIndex = index + falseLength - 1;
+  }
+
+  return { startIndex: index, endIndex, index: endIndex + 1 };
+}
+
+function nully(index = 0) {
+  const nullLength = 'null'.length;
+  const endIndex = index + nullLength - 1;
+  return { startIndex: index, endIndex, index: endIndex + 1 };
+}
+
+function number(input, index) {
+  const startIndex = index;
+
+  if (input[startIndex] === '-') {
+    index += 1;
+  }
+
+  while (index < input.length) {
+    if (isNumber(input[index]) || input[index] === '.') {
+      index += 1;
+      continue;
+    }
+
+    break;
+  }
+
+  return { startIndex, endIndex: index - 1, index };
+}
+
+function object(value, index, accumulator) {
+  const startIndex = index - 1;
+  const keyIndexes = [];
+  const valueIndexes = [];
+
+  while (index < value.length) {
+    const cv = value[index];
+    const keyIndexesLength = keyIndexes.length;
+    const valueIndexesLength = valueIndexes.length;
+    const areKeysEqualToValues = keyIndexesLength - valueIndexesLength === 0;
+
+    if (cv === '}' && areKeysEqualToValues) {
+      break;
+    }
+
+    if (
+      trim(cv) === '' ||
+      (cv === ':' && keyIndexesLength > 0) ||
+      (cv === ',' && areKeysEqualToValues)
+    ) {
+      index += 1;
+      continue;
+    }
+
+    // Object key
+    if (cv === '"' && areKeysEqualToValues) {
+      index += 1;
+      const { startIndex, endIndex, index: nextIndex } = string(value, index);
+      keyIndexes.push([startIndex, endIndex]);
+      index = nextIndex;
+
+      continue;
+    }
+
+    const {
+      startIndex,
+      endIndex,
+      index: nextIndex,
+    } = getValueIndexes(value, index, accumulator);
+
+    valueIndexes.push([startIndex, endIndex]);
+    accumulator.push({
+      key: keyIndexes[keyIndexes.length - 1],
+      value: [startIndex, endIndex],
+    });
+
+    index = nextIndex;
+  }
+
+  return {
+    accumulator,
+    startIndex,
+    endIndex: index,
+    index: index + 1,
+  };
+}
+
+function getValueIndexes(value, index, accumulator) {
+  const cv = value[index];
+
+  switch (cv) {
+    case '{':
+      return object(value, index + 1, accumulator);
+    case '"':
+      return string(value, index + 1);
+    case '[':
+      return array(value, index + 1, accumulator);
+    case 't':
+    case 'f':
+      return bool(value, index);
+    case 'n':
+      return nully(index);
+    default:
+      if (cv === '-' || (cv && cv >= 0 && cv <= 9)) {
+        return number(value, index);
+      } else {
+        throw new Error('bad JSON');
+      }
+  }
+}
+
+function processInput(input) {
+  const firstElement = input[0];
+  const lastElement = input[input.length - 1];
+  const accumulator = [];
+
+  if (firstElement === '{' && lastElement === '}') {
+    return object(input, 1, accumulator);
+  }
+
+  if (firstElement === '[' && lastElement === ']') {
+    return array(input, 1, accumulator);
+  }
+
+  if (isNumber(input)) {
+    return number(input, 0);
+  }
+
+  if (firstElement === '"') {
+    return string(input, 1);
+  }
+
+  switch (input) {
+    case 'true':
+    case 'false':
+      return bool(input);
+    case 'null':
+      return nully();
+    default:
+      throw new Error('bad JSON');
+  }
+}
+
+function wrapEndResult({ accumulator, startIndex, endIndex }) {
+  accumulator = accumulator || [];
+  accumulator.push({ key: '', value: [startIndex, endIndex] });
+
+  return accumulator;
+}
+
+function getKeyValueIndexes(input) {
+  return wrapEndResult(processInput(input));
+}
+
+module.exports = {
+  getKeyValueIndexes,
+};

package/lib/dataflow/propagation/install/JSON/parse.js

@@ -0,0 +1,196 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { isString, inspect } = require('@contrast/common');
+const { patchType } = require('../../common');
+const { getKeyValueIndexes } = require('./parse-fn');
+const {
+  createOverlappingTags
+} = require('../../../tag-utils');
+
+/*
+  When we return a string as a result of a reviver call
+  we loose tracking. We keep the values in a stack and when
+  the reviver gets called with an object - we apply the values
+*/
+const applyValuesToObject = (object, stack) => {
+  let i = 0;
+
+  if (Array.isArray(object)) {
+    i = object.length;
+  } else {
+    i = Object.keys(object).length;
+  }
+
+  while (i > 0) {
+    const { key, value } = stack.pop();
+    if (object[key]) {
+      object[key] = value;
+    }
+
+    i--;
+  }
+};
+
+module.exports = function (core) {
+  const {
+    logger,
+    scopes: { sources, instrumentation },
+    patcher,
+    assess: {
+      dataflow: {
+        tracker,
+        eventFactory: { createPropagationEvent },
+      },
+    },
+  } = core;
+
+  function createEvent(data, value, newTags, reviver, strInfo) {
+    const method = 'JSON.parse';
+    return createPropagationEvent({
+      context: method,
+      name: method,
+      history: [strInfo],
+      moduleName: 'JSON',
+      methodName: 'parse',
+      object: {
+        value: inspect(data.obj),
+        tracked: false,
+      },
+      args: [
+        {
+          value: data.args[0],
+          tracked: true,
+        },
+        reviver && {
+          value: reviver.toString(),
+          tracked: false,
+        },
+      ].filter(Boolean),
+      result: {
+        value,
+        tracked: true,
+      },
+      value,
+      tags: newTags,
+      stacktraceOpts: {
+        constructorOpt: data.hooked,
+        prependFrames: [data.orig],
+      },
+      source: 'P0',
+      target: 'R',
+    });
+  }
+
+  function getNewTags(strInfo, startIndex, endIndex) {
+    const overlappingRanges = createOverlappingTags(
+      strInfo.tags,
+      startIndex,
+      endIndex
+    );
+
+    const tags = {};
+    const startingOffset = startIndex;
+    const normalizedEndIndex = endIndex - startingOffset;
+
+    Object.entries(overlappingRanges).forEach(([tag, ranges]) => {
+      tags[tag] = [];
+
+      ranges.forEach(([start, end]) => {
+        const transferredStartIndex = start - startingOffset;
+        const transferredEndIndex = end - startingOffset;
+
+        tags[tag].push(transferredStartIndex < 0 ? 0 : transferredStartIndex);
+        tags[tag].push(
+          transferredEndIndex > normalizedEndIndex
+            ? normalizedEndIndex
+            : transferredEndIndex
+        );
+      });
+    });
+
+    return tags;
+  }
+
+  return (core.assess.dataflow.propagation.jsonInstrumentation.parse = {
+    install() {
+      patcher.patch(JSON, 'parse', {
+        name: 'JSON.prototype.parse',
+        patchType,
+        pre(data) {
+          if (!sources.getStore()?.assess || instrumentation.isLocked()) return;
+          const input = data.args[0];
+
+          const strInfo = tracker.getData(input);
+          if (!strInfo) return;
+
+          const reviver = data.args[1];
+          const stack = [];
+          let keyValueIndexes;
+
+          try {
+            keyValueIndexes = getKeyValueIndexes(input);
+          } catch (error) {
+            logger.warn({ error, string: input }, 'JSON.parse() propagation failed');
+            keyValueIndexes = [];
+          }
+
+          // Error found, continue without instrumentation
+          if (keyValueIndexes.length === 0) return;
+
+          let i = 0;
+          function contrastParseReviver(key, value) {
+            const { value: [startIndex, endIndex] } = keyValueIndexes[i];
+
+            if (!isString(value)) {
+              return reviver ? reviver(key, value) : value;
+            }
+
+            const newTags = getNewTags(strInfo, startIndex, endIndex);
+
+            const event = createEvent(data, value, newTags, reviver, strInfo);
+            if (!event || Object.keys(newTags).length === 0) {
+              return reviver ? reviver(key, value) : value;
+            }
+
+            const { extern } = tracker.track(value, event);
+
+            if (reviver) return reviver(key, extern);
+
+            return extern;
+          }
+
+          data.args[1] = function (key, value) {
+            if (typeof value === 'object') {
+              applyValuesToObject(value, stack);
+            }
+
+            const result = contrastParseReviver(key, value);
+            stack.push({ key, value: result });
+
+            i += 1;
+
+            return result;
+          };
+        },
+      });
+    },
+    uninstall() {
+      JSON.parse = patcher.unwrap(JSON.parse);
+    },
+  });
+};

package/lib/dataflow/propagation/install/JSON/stringify.js

@@ -81,8 +81,8 @@ module.exports = function(core) {
   } = core;
 
   function getUntrustedSpaceProps(space) {
-  // it can't be a problem if it's not a string, if the string is all spaces, or
-  // if the string is zero length.
+    // it can't be a problem if it's not a string, if the string is all spaces, or
+    // if the string is zero length.
     if (!isString(space) || match(space, /^\s+$/) || !space) {
       return null;
     }
@@ -239,8 +239,10 @@ module.exports = function(core) {
 
           const method = 'JSON.stringify';
           const event = createPropagationEvent({
-            context: method,
+            context: `${method}(${ret})`,
             name: method,
+            moduleName: 'JSON',
+            methodName: 'stringify',
             history: Array.from(metadata.history),
             object: {
               value: inspect(data.obj),

package/lib/dataflow/propagation/install/array-prototype-join.js

@@ -19,7 +19,7 @@ const {
   createAppendTags
 } = require('../../tag-utils');
 const { patchType } = require('../common');
-const { isString } = require('@contrast/common');
+const { isString, join, inspect } = require('@contrast/common');
 
 module.exports = function(core) {
   const {
@@ -63,36 +63,43 @@ module.exports = function(core) {
 
   return core.assess.dataflow.propagation.arrayJoin = {
     install() {
-      const originalJoin = Array.prototype.join;
+      const name = 'Array.prototype.join';
+
       patcher.patch(Array.prototype, 'join', {
-        name: 'Array.prototype.join',
+        name,
         patchType,
         post(data) {
-          const { args, obj, result, hooked, orig } = data;
+          const { args: origArgs, obj, result, hooked, orig } = data;
           if (!result || !sources.getStore()?.assess || instrumentation.isLocked()) return;
 
           const resultInfo = tracker.getData(result);
-          const delimiter = args[0] === undefined ? ',' : args[0];
+          const delimiter = origArgs[0] === undefined ? ',' : origArgs[0];
           const delimiterLength = delimiter.length;
           const delimiterInfo = tracker.getData(delimiter);
           const initHistory = delimiterInfo ? new Set([delimiterInfo]) : new Set();
           const { newTags, newHistory: history } = accumulateTags(obj, {}, 0, initHistory, delimiterLength, delimiterInfo?.tags);
+          const object = {
+            value: obj && join(obj),
+            tracked: false
+          };
+
+          const args = [{
+            value: delimiterInfo ? delimiterInfo.value : delimiter,
+            tracked: !!delimiterInfo
+          }];
 
           if (history.size) {
             const event = createPropagationEvent({
-              name: 'Array.prototype.join',
-              object: {
-                value: originalJoin.call(obj),
-                tracked: false
-              },
+              name,
+              moduleName: 'Array',
+              methodName: 'prototype.join',
+              context: `${object.value}.join('${inspect(args[0].value) || ''})`,
+              object,
               result: {
                 value: resultInfo ? resultInfo.value : result,
                 tracked: true
               },
-              args: [{
-                value: delimiterInfo ? delimiterInfo.value : delimiter,
-                tracked: !!delimiterInfo
-              }],
+              args,
               tags: newTags,
               history: Array.from(history),
               source: delimiterInfo ? (history.size > 1 ? 'A' : 'P') : 'O',

package/lib/dataflow/propagation/install/buffer.js

@@ -46,6 +46,8 @@ module.exports = function(core) {
 
           const event = eventFactory.createPropagationEvent({
             args: data.args.map((a) => ({ tracked: false, value: a })),
+            moduleName: 'Buffer',
+            methodName: 'prototype.toString',
             context: 'buffer.toString()',
             object: { tracked: true, value: 'Buffer' },
             history: [bufferInfo],

package/lib/dataflow/propagation/install/contrast-methods/add.js

@@ -78,6 +78,8 @@ module.exports = function(core) {
                 }
               ],
               context: `${inspect(leftArg)} + ${inspect(rightArg)}`,
+              moduleName: 'global',
+              methodName: 'ContrastMethods.add',
               history,
               object: {
                 value: 'String Addition',

package/lib/dataflow/propagation/install/contrast-methods/index.js

@@ -28,6 +28,7 @@ module.exports = function(core) {
   };
 
   require('./add')(core);
+  require('./number')(core);
   require('./tag')(core);
   require('./string')(core);