@contrast/assess 1.9.0 → 1.10.0

package/lib/dataflow/propagation/install/url/index.js

@@ -28,6 +28,7 @@ module.exports = function(core) {
   };
 
   require('./domain-parsers')(core);
+  require('./url')(core);
 
   return urlInstrumentation;
 };

package/lib/dataflow/propagation/install/url/url.js

@@ -0,0 +1,228 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { inspect } = require('@contrast/common');
+const { patchType } = require('../../common');
+
+module.exports = function(core) {
+  const {
+    scopes: { sources, instrumentation },
+    patcher,
+    depHooks,
+    assess: {
+      dataflow: { tracker, eventFactory: { createPropagationEvent } }
+    }
+  } = core;
+
+  const keys = [
+    'href',
+    [
+      'origin',
+      'protocol',
+      'username',
+      'password',
+      'host',
+      [
+        'hostname',
+        'port'
+      ],
+      'pathname',
+      'search',
+      'searchParams',
+      'hash'
+    ]
+  ];
+
+  function getPropagationEvent(strInfo, partInfo, data) {
+    const args = data.args.map((v) => {
+      const strInfo = tracker.getData(v);
+      return {
+        value: strInfo ? strInfo.value : v,
+        tracked: !!strInfo
+      };
+    });
+
+    return createPropagationEvent({
+      name: 'url.URL',
+      moduleName: 'url',
+      methodName: 'URL',
+      context: `url.URL('${strInfo.value}')`,
+      object: {
+        value: 'url',
+        tracked: false
+      },
+      result: {
+        value: inspect(data.result),
+        tracked: true
+      },
+      args,
+      tags: partInfo.tags,
+      history: [partInfo],
+      source: 'P',
+      target: 'R',
+      stacktraceOpts: {
+        constructorOpt: data.hooked,
+        prependFrames: [data.orig]
+      },
+    });
+  }
+
+  return core.assess.dataflow.propagation.urlInstrumentation.url = {
+    install() {
+      depHooks.resolve({ name: 'url' }, (url) => {
+        const name = 'url.URL';
+        patcher.patch(url, 'URL', {
+          name,
+          patchType,
+          post(data) {
+            const { args, result } = data;
+            if (!result || !args[0] || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+
+            const [input, basename] = args;
+            let url = input;
+            if (basename && url !== result.toString()) {
+              const isAbsoluteURL = url.indexOf('://') > 0 || url.indexOf('//') === 0;
+              if (isAbsoluteURL) {
+                const splitUrl = url.split(new RegExp('(?=//)', 'g'));
+                let endOfSlashes = splitUrl.length === 1 ? true : false;
+                let newUrl = splitUrl[0] === result.protocol ? splitUrl[0] : basename.split(/(?<=:)/)[0];
+                for (let i = 0; i < splitUrl.length; i++) {
+                  if (endOfSlashes) {
+                    newUrl = newUrl.concat(splitUrl[i]);
+                  }
+                  if (splitUrl[i] === '/' && splitUrl[i + 1] !== '/') {
+                    endOfSlashes = true;
+                  }
+                }
+                url = newUrl;
+              } else {
+                url = basename.concat(url);
+              }
+            }
+            const strInfo = tracker.getData(url);
+            if (!strInfo) return;
+
+            const searchParamsProxy = new Proxy(data.result.searchParams, {
+              set(obj, prop, value) {
+                return Reflect.set(obj, prop, value);
+              },
+              get(obj, prop, receiver) {
+                const val = obj[prop];
+                if (val instanceof Function) {
+                  return function (query) {
+                    if (typeof query === 'string') {
+                      const trackedProp = Reflect.get(obj, `_contrast_${query}`);
+                      if (trackedProp) return trackedProp;
+                    }
+                    return val.apply(this === receiver ? obj : this, query);
+                  };
+                }
+                return Reflect.get(obj, prop, receiver);
+              }
+            });
+
+            const proxy = new Proxy(data.result, {
+              set(obj, prop, value) {
+                return Reflect.set(obj, prop, value);
+              },
+              get(obj, prop) {
+                if (prop === 'searchParams') {
+                  return searchParamsProxy;
+                }
+                if (prop === 'toString' || prop === 'toJSON') {
+                  return function() {
+                    return Reflect.get(obj, '_contrast_href');
+                  };
+                }
+                if (typeof prop === 'string') {
+                  const trackedProp = Reflect.get(obj, `_contrast_${prop}`);
+                  if (trackedProp) return trackedProp;
+                }
+                return Reflect.get(obj, prop);
+              }
+            });
+
+            const traverse = function(href, url, keys, idx = 0) {
+              let substr = href;
+              keys.forEach((key) => {
+                if (typeof key === 'string' && key !== 'searchParams') {
+                  const part = url[key];
+                  if (part !== 'null') {
+
+                    if (key === 'origin') {
+                      const [protocol, originWithoutProtocol] = part.split(new RegExp('(?<=//)'));
+                      const idx1 = href.indexOf(protocol);
+                      const idx2 = href.indexOf(originWithoutProtocol, idx - 1);
+                      substr = href.substring(idx1, idx1 + protocol.length).concat(href.substring(idx2, idx2 + originWithoutProtocol.length));
+                    } else {
+                      const index = href.indexOf(part, idx - 1);
+                      substr = href.substring(index, index + part.length);
+                      idx += part.length;
+                    }
+
+                    const partInfo = tracker.getData(substr);
+                    if (!partInfo) return;
+
+                    const event = getPropagationEvent(strInfo, partInfo, data);
+                    if (!event) return;
+
+                    if (partInfo) {
+                      Object.assign(partInfo, event);
+                    }
+                    const { extern } = partInfo || tracker.track(part, event);
+
+                    if (extern) {
+                      proxy[`_contrast_${key}`] = extern;
+                    }
+                  }
+                } else if (key === 'searchParams') {
+                  const queries = proxy.search.split('&');
+                  queries.forEach((query) => {
+                    const startIdx = query.indexOf('?') + 1;
+                    const endIdx = query.indexOf('=');
+                    const queryName = query.substring(startIdx, endIdx);
+                    const queryString = query.substring(endIdx + 1, query.length);
+                    const queryStringInfo = tracker.getData(queryString);
+                    if (!queryStringInfo) return;
+
+                    const event = getPropagationEvent(strInfo, queryStringInfo, data);
+
+                    if (!event) return;
+
+                    if (queryStringInfo) {
+                      Object.assign(queryStringInfo, event);
+                    }
+                    const { extern } = queryStringInfo || tracker.track(queryString, event);
+
+                    if (extern) {
+                      searchParamsProxy[`_contrast_${queryName}`] = extern;
+                    }
+                  });
+                } else {
+                  traverse(substr, url, key, 0);
+                }
+              });
+            };
+
+            traverse(url, result, keys, 0);
+            data.result = proxy;
+          }
+        });
+      });
+    },
+  };
+};

package/lib/dataflow/sinks/index.js

@@ -20,7 +20,7 @@ const { callChildComponentMethodsSync, Event, Rule } = require('@contrast/common
 const { isVulnerable } = require('../utils/is-vulnerable');
 const { isSafeContentType } = require('../utils/is-safe-content-type');
 
-module.exports = function (core) {
+module.exports = function(core) {
   const {
     logger,
     messages,
@@ -29,7 +29,8 @@ module.exports = function (core) {
 
   const sinkScopes = {
     [Rule.SQL_INJECTION]: new AsyncLocalStorage(),
-    [Rule.NOSQL_INJECTION_MONGO]: new AsyncLocalStorage()
+    [Rule.NOSQL_INJECTION_MONGO]: new AsyncLocalStorage(),
+    ['unsafe-code-execution']: new AsyncLocalStorage()
   };
   const sinks = core.assess.dataflow.sinks = {
     isVulnerable,
@@ -65,19 +66,22 @@ module.exports = function (core) {
     }
   };
 
+  require('./install/express')(core);
   require('./install/fastify')(core);
   require('./install/koa')(core);
   require('./install/child-process')(core);
+  require('./install/eval')(core);
   require('./install/fs')(core);
+  require('./install/function')(core);
   require('./install/http')(core);
+  require('./install/marsdb')(core);
   require('./install/mongodb')(core);
   require('./install/mssql')(core);
   require('./install/mysql')(core);
   require('./install/postgres')(core);
   require('./install/sequelize')(core);
   require('./install/sqlite3')(core);
-  require('./install/marsdb')(core);
-  require('./install/express')(core);
+  require('./install/vm')(core);
 
   sinks.install = function() {
     callChildComponentMethodsSync(core.assess.dataflow.sinks, 'install');

package/lib/dataflow/sinks/install/eval.js

@@ -0,0 +1,138 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const {
+  isString,
+  DataflowTag: {
+    UNTRUSTED,
+    CUSTOM_ENCODED_TRUST_BOUNDARY_VIOLATION,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED_TRUST_BOUNDARY_VIOLATION,
+    CUSTOM_VALIDATED,
+    LIMITED_CHARS,
+  },
+} = require('@contrast/common');
+const { patchType, filterSafeTags } = require('../common');
+
+const ruleId = 'unsafe-code-execution';
+const safeTags = [
+  CUSTOM_ENCODED_TRUST_BOUNDARY_VIOLATION,
+  CUSTOM_ENCODED,
+  CUSTOM_VALIDATED_TRUST_BOUNDARY_VIOLATION,
+  CUSTOM_VALIDATED,
+  LIMITED_CHARS,
+];
+
+module.exports = function(core) {
+  const {
+    config,
+    logger,
+    patcher,
+    scopes: { sources, instrumentation },
+    assess: {
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, reportFindings, reportSafePositive },
+        eventFactory: { createSinkEvent },
+      },
+    },
+  } = core;
+
+  core.assess.dataflow.sinks.contrastEval = {
+    install() {
+      if (!global.ContrastMethods?.eval) {
+        logger.error(
+          'Cannot install `eval` instrumentation - Contrast method DNE'
+        );
+        return;
+      }
+
+      Object.assign(global.ContrastMethods, {
+        eval: patcher.patch(global.ContrastMethods.eval, {
+          name: 'global.ContrastMethods.eval',
+          patchType,
+          pre({ args: origArgs, hooked, orig, name }) {
+            const store = sources.getStore()?.assess;
+            const script = origArgs[0];
+            if (
+              !store ||
+              instrumentation.isLocked() ||
+              !script ||
+              !isString(script)
+            )
+              return;
+
+            const strInfo = tracker.getData(script);
+
+            if (!strInfo) return;
+
+            const isArgVulnerable = isVulnerable(
+              UNTRUSTED,
+              safeTags,
+              strInfo.tags
+            );
+
+            if (!isArgVulnerable && config.assess.safe_positives.enable) {
+              const foundSafeTags = filterSafeTags(safeTags, strInfo);
+              const safeStrInfo = {
+                value: strInfo.value,
+                tags: strInfo.tags,
+              };
+
+              reportSafePositive({
+                name,
+                ruleId,
+                safeTags: foundSafeTags,
+                strInfo: safeStrInfo,
+              });
+            }
+
+            if (isArgVulnerable) {
+              const event = createSinkEvent({
+                name,
+                context: `${name}('${strInfo.value}')`,
+                history: [strInfo],
+                object: {
+                  value: 'global.ContrastMethods',
+                  tracked: false,
+                },
+                moduleName: 'global.ContrastMethods',
+                methodName: 'eval',
+                args: [{ value: strInfo.value, tracked: true }],
+                tags: strInfo.tags,
+                source: 'P0',
+                stacktraceOpts: {
+                  contructorOpt: hooked,
+                  prependFrames: [orig],
+                },
+              });
+
+              if (event) {
+                reportFindings({
+                  ruleId,
+                  sinkEvent: event,
+                });
+              }
+            }
+          },
+        }),
+      });
+    },
+  };
+
+  return core.assess.dataflow.sinks.contrastEval;
+};

package/lib/dataflow/sinks/install/express/unvalidated-redirect.js

@@ -81,7 +81,7 @@ module.exports = function(core) {
 
           let urlPathTags = strInfo.tags;
           if (url.indexOf('?') > -1) {
-            urlPathTags = createSubsetTags(strInfo.tags, 0, url.indexOf('?'));
+            urlPathTags = createSubsetTags(strInfo.tags, 0, url.indexOf('?') + 1);
           }
 
           if (urlPathTags && isVulnerable(UNTRUSTED, safeTags, urlPathTags)) {

package/lib/dataflow/sinks/install/fastify/unvalidated-redirect.js

@@ -31,6 +31,7 @@ const { createSubsetTags } = require('../../../tag-utils');
 const { filterSafeTags, patchType } = require('../../common');
 
 const ruleId = 'unvalidated-redirect';
+
 const getURLArgument = (args) => {
   if (!Array.isArray(args)) {
     return { index: null, url: undefined };
@@ -98,7 +99,7 @@ module.exports = function(core) {
           let urlPathTags = strInfo.tags;
           const urlPathEndIdx = url.indexOf('?');
           if (urlPathEndIdx > -1) {
-            urlPathTags = createSubsetTags(strInfo.tags, 0, urlPathEndIdx);
+            urlPathTags = createSubsetTags(strInfo.tags, 0, urlPathEndIdx + 1);
           }
 
           if (isVulnerable(UNTRUSTED, safeTags, urlPathTags)) {

package/lib/dataflow/sinks/install/fs.js

@@ -71,7 +71,7 @@ module.exports = function(core) {
       const strInfo = tracker.getData(v);
       return {
         value: strInfo ? strInfo.value : v,
-        isTracked: !!strInfo,
+        tracked: !!strInfo,
         strInfo
       };
     });
@@ -92,9 +92,9 @@ module.exports = function(core) {
         history: [strInfo],
         object: {
           value: 'fs',
-          isTracked: false,
+          tracked: false,
         },
-        args: args.map(({ value, isTracked }) => ({ value, isTracked })),
+        args: args.map(({ value, tracked }) => ({ value, tracked })),
         tags: strInfo.tags,
         source: `P${i}`,
         stacktraceOpts: {

package/lib/dataflow/sinks/install/function.js

@@ -0,0 +1,160 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const {
+  isString,
+  inspect,
+  join,
+  DataflowTag: {
+    UNTRUSTED,
+    CUSTOM_ENCODED_TRUST_BOUNDARY_VIOLATION,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED_TRUST_BOUNDARY_VIOLATION,
+    CUSTOM_VALIDATED,
+    LIMITED_CHARS,
+  },
+} = require('@contrast/common');
+const { patchType, filterSafeTags } = require('../common');
+
+const ruleId = 'unsafe-code-execution';
+const safeTags = [
+  CUSTOM_ENCODED_TRUST_BOUNDARY_VIOLATION,
+  CUSTOM_ENCODED,
+  CUSTOM_VALIDATED_TRUST_BOUNDARY_VIOLATION,
+  CUSTOM_VALIDATED,
+  LIMITED_CHARS,
+];
+
+module.exports = function(core) {
+  const {
+    config,
+    logger,
+    patcher,
+    scopes: { sources, instrumentation },
+    assess: {
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, reportFindings, reportSafePositive },
+        eventFactory: { createSinkEvent },
+      },
+    },
+  } = core;
+
+  core.assess.dataflow.sinks.contrastFunction = {
+    install() {
+      if (!global.ContrastMethods?.Function) {
+        logger.error(
+          'Cannot install `Function` instrumentation - Contrast method DNE'
+        );
+        return;
+      }
+
+      Object.assign(global.ContrastMethods, {
+        Function: patcher.patch(global.ContrastMethods.Function, {
+          name: 'global.ContrastMethods.Function',
+          patchType,
+          pre({ args: origArgs, hooked, orig, name }) {
+            const store = sources.getStore()?.assess;
+            const fnBody = origArgs[origArgs.length - 1];
+            if (
+              !store ||
+              instrumentation.isLocked() ||
+              !fnBody ||
+              !isString(fnBody)
+            )
+              return;
+
+            const strInfo = tracker.getData(fnBody);
+
+            if (!strInfo) return;
+
+            const isArgVulnerable = isVulnerable(UNTRUSTED, safeTags, strInfo.tags);
+
+            if (!isArgVulnerable && config.assess.safe_positives.enable) {
+              const foundSafeTags = filterSafeTags(safeTags, strInfo);
+              const safeStrInfo = {
+                value: strInfo.value,
+                tags: strInfo.tags,
+              };
+
+              reportSafePositive({
+                name,
+                ruleId,
+                safeTags: foundSafeTags,
+                strInfo: safeStrInfo,
+              });
+            }
+
+            if (isArgVulnerable) {
+              const args = origArgs.map((arg, idx) => {
+                if (idx === origArgs.length - 1) {
+                  return {
+                    value: strInfo.value,
+                    tracked: true,
+                    inspectedValue: `'${strInfo.value}'`,
+                  };
+                }
+
+                const inspectedValue = inspect(arg);
+                const argInfo = arg && isString(arg) ? tracker.getData(arg) : null;
+
+                return {
+                  value: argInfo ? argInfo.value : inspectedValue,
+                  tracked: !!argInfo,
+                  inspectedValue
+                };
+              });
+              const event = createSinkEvent({
+                name,
+                context: `${name}(${join(
+                  args.map((a) => a.inspectedValue),
+                  ', '
+                )})`,
+                history: [strInfo],
+                object: {
+                  value: 'global.ContrastMethods',
+                  tracked: false,
+                },
+                moduleName: 'global.ContrastMethods',
+                methodName: 'Function',
+                args: args.map((a) => ({
+                  value: a.value,
+                  tracked: a.tracked,
+                })),
+                tags: strInfo.tags,
+                source: `P${origArgs.length - 1}`,
+                stacktraceOpts: {
+                  contructorOpt: hooked,
+                  prependFrames: [orig],
+                },
+              });
+
+              if (event) {
+                reportFindings({
+                  ruleId,
+                  sinkEvent: event,
+                });
+              }
+            }
+          },
+        }),
+      });
+    },
+  };
+
+  return core.assess.dataflow.sinks.contrastFunction;
+};

package/lib/dataflow/sinks/install/http/index.js

@@ -0,0 +1,31 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { callChildComponentMethodsSync } = require('@contrast/common');
+
+module.exports = function(core) {
+  const http = core.assess.dataflow.sinks.http = {};
+
+  require('./request')(core);
+  require('./server-response')(core);
+
+  http.install = function() {
+    callChildComponentMethodsSync(http, 'install');
+  };
+
+  return http;
+};