npm - @contrast/assess - Versions diffs - 1.8.0 → 1.9.0 - Mend

@contrast/assess 1.8.0 → 1.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (62) hide show

package/lib/dataflow/sinks/install/mysql.js CHANGED Viewed

@@ -28,6 +28,7 @@ const {
     LIMITED_CHARS,
     UNTRUSTED
   },
+  inspect
 } = require('@contrast/common');
 const safeTags = [
@@ -39,7 +40,7 @@ const safeTags = [
   LIMITED_CHARS,
 ];
-module.exports = function (core) {
+module.exports = function(core) {
   const {
     depHooks,
     patcher,
@@ -63,7 +64,7 @@ module.exports = function (core) {
     }
   }
-  const pre = (module, file, obj) => (data) => {
+  const pre = (module, file, obj, method) => (data) => {
     const store = sources.getStore()?.assess;
     if (
       !store ||
@@ -81,6 +82,9 @@ module.exports = function (core) {
     const event = createSinkEvent({
       name: `${module}/${file}`,
+      moduleName: module,
+      methodName: `prototype.${method}`,
+      context: `${module}.${method}(${inspect(data.args[0])})`,
       history: [strInfo],
       object: {
         value: `${module}.${obj}`,
@@ -96,6 +100,7 @@ module.exports = function (core) {
       source: 'P0',
       stacktraceOpts: {
         contructorOpt: data.hooked,
+        prependFrames: [data.orig]
       },
     });
@@ -115,7 +120,7 @@ module.exports = function (core) {
           patcher.patch(Connection.prototype, 'query', {
             name: 'Connection.prototype.query',
             patchType,
-            pre: pre('mysql', 'lib/Connection.query', 'Connection')
+            pre: pre('mysql', 'lib/Connection.query', 'Connection', 'query')
           });
         },
       );
@@ -126,7 +131,7 @@ module.exports = function (core) {
             patcher.patch(connection.prototype, `${method}`, {
               name: `connection.prototype.${method}`,
               patchType,
-              pre: pre('mysql2', `lib/connection.Connection.${method}`, 'connection')
+              pre: pre('mysql2', `lib/connection.Connection.${method}`, 'connection', method)
             });
           });
         },

package/lib/dataflow/sinks/install/postgres.js CHANGED Viewed

@@ -19,11 +19,11 @@ const util = require('util');
 const {
   DataflowTag: { UNTRUSTED, SQL_ENCODED, LIMITED_CHARS, CUSTOM_VALIDATED, CUSTOM_ENCODED },
   Rule: { SQL_INJECTION: ruleId },
-  isString
+  isString,
 } = require('@contrast/common');
 const { filterSafeTags, patchType } = require('../common');
-module.exports = function (core) {
+module.exports = function(core) {
   const {
     config,
     depHooks,
@@ -74,6 +74,8 @@ module.exports = function (core) {
         context: `${objValue}.query(${arg0Val})`,
         history: [strInfo],
         name: methodSignature,
+        moduleName: `${methodSignature.includes('pool') ? 'pg-pool' : 'pg'}`,
+        methodName: 'Connection.prototype.query',
         object: {
           tracked: false,
           value: objValue,
@@ -86,6 +88,7 @@ module.exports = function (core) {
         source: 'P0',
         stacktraceOpts: {
           constructorOpt: data.hooked,
+          prependFrames: [data.orig]
         },
       });
@@ -108,7 +111,7 @@ module.exports = function (core) {
     }
   };
-  postgres.install = function () {
+  postgres.install = function() {
     const pgClientQueryPatchName = 'pg.Client.prototype.query';
     depHooks.resolve(
       { name: 'pg', file: 'lib/client.js' },

package/lib/dataflow/sinks/install/sequelize.js CHANGED Viewed

@@ -28,7 +28,7 @@ const {
 } = require('@contrast/common');
 const { patchType, filterSafeTags } = require('../common');
-module.exports = function (core) {
+module.exports = function(core) {
   const {
     depHooks,
     patcher,
@@ -54,7 +54,7 @@ module.exports = function (core) {
   const sequelize = (core.assess.dataflow.sinks.sequelize = {});
-  sequelize.install = function () {
+  sequelize.install = function() {
     const sequelizeQueryPatchName = 'sequelize.prototype.query';
     depHooks.resolve({ name: 'sequelize' }, (sequelize) => {
       patcher.patch(sequelize.prototype, 'query', {
@@ -69,7 +69,7 @@ module.exports = function (core) {
           try {
             const queryInfo = tracker.getData(query);
-            const isVulnerableQuery = isVulnerable(requiredTag, safeTags, queryInfo.tags);
+            const isVulnerableQuery = queryInfo && isVulnerable(requiredTag, safeTags, queryInfo.tags);
             if (queryInfo && !isVulnerableQuery && config.assess.safe_positives.enable) {
               reportSafePositive({
@@ -94,8 +94,8 @@ module.exports = function (core) {
               typeof args[0] === 'string' ? args[0] : inspect(args[0]);
             const inspectedOptions = args[1] ? inspect(args[1]) : '';
             const contextArgs = args[1]
-              ? `${sqlValue}, ${inspectedOptions}`
-              : sqlValue;
+              ? `'${sqlValue}', ${inspectedOptions}`
+              : `'${sqlValue}'`;
             const reportedArgs = [{ value: sqlValue, tracked: true }];
             args[1] &&
@@ -104,6 +104,8 @@ module.exports = function (core) {
             const event = createSinkEvent({
               context: `sequelize.prototype.query(${contextArgs})`,
               name: sequelizeQueryPatchName,
+              moduleName: 'sequelize',
+              methodName: 'prototype.query',
               history: [queryInfo],
               object: {
                 value: 'sequelize.prototype',

package/lib/dataflow/sinks/install/sqlite3.js CHANGED Viewed

@@ -29,7 +29,7 @@ const safeTags = [
   CUSTOM_ENCODED,
 ];
-module.exports = function (core) {
+module.exports = function(core) {
   const {
     depHooks,
     patcher,
@@ -43,7 +43,7 @@ module.exports = function (core) {
     },
   } = core;
-  const pre = (name) => (data) => {
+  const pre = (name, method) => (data) => {
     const store = sources.getStore()?.assess;
     if (
       !store ||
@@ -59,6 +59,9 @@ module.exports = function (core) {
     const event = createSinkEvent({
       name,
+      moduleName: 'sqlite3',
+      methodName: `Database.prototype.${method}`,
+      context: `db.${method}('${strInfo.value}')`,
       history: [strInfo],
       object: {
         value: '[Module<sqlite3>].Database',
@@ -74,6 +77,7 @@ module.exports = function (core) {
       source: 'P0',
       stacktraceOpts: {
         contructorOpt: data.hooked,
+        prependFrames: [data.orig]
       },
     });
@@ -93,7 +97,7 @@ module.exports = function (core) {
           patcher.patch(sqlite3.Database.prototype, method, {
             name,
             patchType,
-            pre: pre(name)
+            pre: pre(name, method)
           });
         });
       });

package/lib/dataflow/sources/handler.js CHANGED Viewed

@@ -19,6 +19,7 @@ const {
   InputType,
   DataflowTag,
   isString,
+  join,
 } = require('@contrast/common');
 module.exports = function(core) {
@@ -115,7 +116,7 @@ module.exports = function(core) {
     }
     traverse(_data, (path, fieldName, value, obj) => {
-      const pathName = path.join('.');
+      const pathName = join(path, '.');
       if (sourceContext.sourceEventsCount >= max) {
         core.logger.trace({ inputType, name }, 'exiting assess source handling - %s max events exceeded', max);

package/lib/dataflow/sources/install/http.js CHANGED Viewed

@@ -80,7 +80,7 @@ module.exports = function(core) {
         pre(data) {
           const [name = '', value] = data.args;
           if (toLowerCase(name) === 'content-type' && value) {
-            store.assess.responseData.contentType = value;
+            scopes.sources.getStore().assess.responseData.contentType = value;
           }
         }
       });

package/lib/dataflow/tag-utils.js CHANGED Viewed

@@ -134,6 +134,29 @@ function createAppendTags(firstTags, secondTags, offset) {
   return Object.keys(ret).length ? ret : null;
 }
+function createOverlappingTags(tags, startIndex, endIndex) {
+  const overlappingTags = {};
+  Object.entries(tags).forEach(([tag, tagRanges]) => {
+    const overlappingRanges = [];
+    for (let i = 0; i < tagRanges.length; i += 2) {
+      const start = tagRanges[i];
+      const end = tagRanges[i + 1];
+      if (end >= startIndex && start <= endIndex) {
+        overlappingRanges.push([start, end]);
+      }
+    }
+    if (overlappingRanges.length > 0) {
+      overlappingTags[tag] = overlappingRanges;
+    }
+  });
+  return overlappingTags;
+}
 /**
  * assumes:
  *  - no mutation of arguments
@@ -185,5 +208,6 @@ module.exports = {
   createSubsetTags,
   createAppendTags,
   createFullLengthCopyTags,
-  createMergedTags
+  createMergedTags,
+  createOverlappingTags
 };

package/lib/dataflow/tracker.js CHANGED Viewed

@@ -34,7 +34,8 @@ module.exports = function tracker(core) {
   function getData(value) {
     if (typeof value === 'string') {
-      return distringuish.getProperties(value);
+      const props = distringuish.getProperties(value);
+      return props?.untracked ? null : props;
     }
     return objMap.get(value) || null;
@@ -126,11 +127,10 @@ module.exports = function tracker(core) {
     if (typeof value === 'string') {
       const props = distringuish.getProperties(value);
       if (props) {
-        Object.assign(props, {
-          history: [],
-          tags: {},
-        });
-        delete props.resultTracked;
+        for (const key of Object.keys(props)) {
+          delete props[key];
+        }
+        props.untracked = true;
       }
       return distringuish.internalize(value);
     }

package/lib/index.js CHANGED Viewed

@@ -16,6 +16,7 @@
 'use strict';
 const { callChildComponentMethodsSync } = require('@contrast/common');
+const sessionConfiguration = require('./session-configuration');
 const dataflow = require('./dataflow');
 const responseScanning = require('./response-scanning');
@@ -26,6 +27,7 @@ module.exports = function assess(core) {
   // Does this order matter? Probably not
   // 1. dataflow
+  sessionConfiguration(core);
   dataflow(core);
   responseScanning(core);

package/lib/response-scanning/handlers/utils.js CHANGED Viewed

@@ -15,7 +15,7 @@
 'use strict';
-const { join, substring, toLowerCase, split, trim } = require('@contrast/common');
+const { join, substring, toLowerCase, split, trim, replace } = require('@contrast/common');
 //
 // General HTML utils
@@ -32,7 +32,7 @@ const reHasUnescapedHtml = RegExp(reUnescapedHtml.source);
 function escapeHtml(string) {
   return (string && reHasUnescapedHtml.test(string))
-    ? string.replace(reUnescapedHtml, (chr) => htmlEscapes[chr])
+    ? replace(string, reUnescapedHtml, (chr) => htmlEscapes[chr])
     : (string || '');
 }

package/lib/session-configuration/index.js ADDED Viewed

@@ -0,0 +1,34 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { callChildComponentMethodsSync, Event } = require('@contrast/common');
+module.exports = function(core) {
+  const { messages } = core;
+  const sessionConfiguration = core.assess.sessionConfiguration = {
+    reportFindings(_sourceContext, vulnerabilityMetadata) {
+      messages.emit(Event.ASSESS_SESSION_CONFIGURATION_FINDING, vulnerabilityMetadata);
+    },
+  };
+  require('./install/http')(core);
+  sessionConfiguration.install = function() {
+    callChildComponentMethodsSync(sessionConfiguration, 'install');
+  };
+  return sessionConfiguration;
+};

package/lib/session-configuration/install/http.js ADDED Viewed

@@ -0,0 +1,79 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { SessionConfigurationRule, split, toLowerCase } = require('@contrast/common');
+module.exports = function(core) {
+  const {
+    depHooks,
+    patcher,
+    scopes: { sources },
+    assess: {
+      sessionConfiguration: {
+        reportFindings
+      }
+    }
+  } = core;
+  const http = core.assess.sessionConfiguration.httpInstrumentation = {};
+  const patchType = 'session-configuration';
+  http.install = function() {
+    [
+      { name: 'http', responseObj: 'ServerResponse' },
+      { name: 'https', responseObj: 'ServerResponse' },
+      { name: 'http2', responseObj: 'Http2ServerResponse' }
+    ].forEach(({ name, responseObj }) => {
+      depHooks.resolve({ name }, (module) => {
+        patcher.patch(module[responseObj].prototype, 'setHeader', {
+          name: `${name}.${responseObj}.prototype.setHeader`,
+          patchType,
+          post(data) {
+            const sourceContext = sources.getStore()?.assess;
+            if (!sourceContext) return;
+            const [key, val] = data.args;
+            if (key === 'Set-Cookie') {
+              const [cookies] = val;
+              const parsedCookies = split(toLowerCase(cookies), '; ');
+              if (!parsedCookies.includes('httponly')) {
+                reportFindings(sourceContext, {
+                  ruleId: SessionConfigurationRule.HTTPONLY,
+                  props: {
+                    evidence: cookies
+                  }
+                });
+              }
+              if (!parsedCookies.includes('secure')) {
+                reportFindings(sourceContext, {
+                  ruleId: SessionConfigurationRule.SECURE_FLAG_MISSING,
+                  props: {
+                    evidence: cookies
+                  }
+                });
+              }
+            }
+          }
+        });
+      });
+    });
+  };
+  return http;
+};

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.8.0",
+  "version": "1.9.0",
   "description": "",
   "main": "lib/index.js",
   "scripts": {
@@ -15,7 +15,7 @@
   "dependencies": {
     "@contrast/distringuish": "^4.1.0",
     "@contrast/scopes": "1.4.0",
-    "@contrast/common": "1.11.0",
+    "@contrast/common": "1.12.0",
     "parseurl": "^1.3.3"
   }
 }