npm - @contrast/assess - Versions diffs - 1.9.0 → 1.10.0 - Mend

@contrast/assess 1.9.0 → 1.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (30) hide show

package/lib/dataflow/sinks/install/http/request.js ADDED Viewed

@@ -0,0 +1,152 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const {
+  inspect,
+  isString,
+  DataflowTag: {
+    UNTRUSTED,
+    CUSTOM_ENCODED_SSRF,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED_SSRF,
+    CUSTOM_VALIDATED,
+    LIMITED_CHARS
+  }
+} = require('@contrast/common');
+const Url = require('url');
+const trustedLibs = [/^(?!.*(newrelic)).*http.*$/];
+const { patchType } = require('../../common');
+const { createAppendTags } = require('../../../tag-utils');
+module.exports = function(core) {
+  const {
+    depHooks,
+    patcher,
+    scopes: { sources },
+    assess: {
+      dataflow: {
+        tracker,
+        sinks: {
+          isVulnerable,
+          reportFindings
+        },
+        eventFactory: { createSinkEvent },
+      },
+    },
+  } = core;
+  const http = core.assess.dataflow.sinks.http.request = {};
+  const safeTags = [
+    CUSTOM_ENCODED_SSRF,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED_SSRF,
+    CUSTOM_VALIDATED,
+    LIMITED_CHARS
+  ];
+  function getValueFromReq(value, key) {
+    if (isString(value)) {
+      const url = new Url.URL(value);
+      if (isString(url[key])) {
+        return url[key];
+      }
+    }
+    if (isString(value[key])) {
+      return value[key];
+    }
+  }
+  function containsTrustedLib(stack) {
+    for (const { file } of stack) {
+      for (const trusted of trustedLibs) {
+        if (trusted.exec(file)) {
+          return true;
+        }
+      }
+    }
+    return false;
+  }
+  http.install = function() {
+    ['http', 'https'].forEach((moduleName) => {
+      depHooks.resolve({ name: moduleName }, (module) => {
+        const name = `${moduleName}.request`;
+        const methodName = 'request';
+        patcher.patch(module, methodName, {
+          name,
+          patchType,
+          pre(data) {
+            const sourceContext = sources.getStore()?.assess;
+            if (!sourceContext) return;
+            const [req] = data.args;
+            if (!req) return;
+            ['host', 'hostname', 'localAddress', 'protocol'].forEach((key) => {
+              const value = getValueFromReq(req, key);
+              if (!value) return;
+              const strInfo = tracker.getData(value);
+              if (!strInfo) return;
+              if (containsTrustedLib(strInfo.stack)) return;
+              const arg0 = isString(req) ? req : inspect(req);
+              const idx = arg0.indexOf(value);
+              const urlTags = createAppendTags({}, strInfo.tags, idx);
+              if (urlTags && isVulnerable(UNTRUSTED, safeTags, urlTags)) {
+                const event = createSinkEvent({
+                  name,
+                  moduleName,
+                  methodName: 'request',
+                  context: `${moduleName}.request(${arg0})`,
+                  history: [strInfo],
+                  object: {
+                    tracked: false,
+                    value: moduleName
+                  },
+                  args: [{
+                    value: arg0,
+                    tracked: true
+                  }],
+                  source: 'P0',
+                  stacktraceOpts: {
+                    constructorOpt: data.hooked,
+                    prependFrames: [data.orig]
+                  },
+                  tags: urlTags,
+                });
+                if (event) {
+                  reportFindings({
+                    ruleId: 'ssrf',
+                    sinkEvent: event
+                  });
+                }
+              }
+            });
+          }
+        });
+      });
+    });
+  };
+  return http;
+};

package/lib/dataflow/sinks/install/{http.js → http/server-response.js} RENAMED Viewed

@@ -31,7 +31,7 @@ const {
   },
   Rule: { REFLECTED_XSS: ruleId },
 } = require('@contrast/common');
-const { patchType, filterSafeTags } = require('../common');
+const { patchType, filterSafeTags } = require('../../common');
 module.exports = function(core) {
   const {
@@ -52,7 +52,7 @@ module.exports = function(core) {
       },
     },
   } = core;
-  const http = core.assess.dataflow.sinks.http = {};
+  const http = core.assess.dataflow.sinks.http.serverResponse = {};
   const safeTags = [
     ALPHANUM_SPACE_HYPHEN,

package/lib/dataflow/sinks/install/koa/unvalidated-redirect.js CHANGED Viewed

@@ -84,7 +84,7 @@ module.exports = function(core) {
           let urlPathTags = strInfo.tags;
           if (url.indexOf('?') > -1) {
-            urlPathTags = createSubsetTags(strInfo.tags, 0, url.indexOf('?'));
+            urlPathTags = createSubsetTags(strInfo.tags, 0, url.indexOf('?') + 1);
           }
           if (urlPathTags && isVulnerable(UNTRUSTED, safeTags, urlPathTags)) {

package/lib/dataflow/sinks/install/mongodb.js CHANGED Viewed

@@ -15,7 +15,6 @@
 'use strict';
-const util = require('util');
 const {
   DataflowTag: {
     UNTRUSTED,
@@ -28,7 +27,8 @@ const {
   Rule: { NOSQL_INJECTION_MONGO },
   isNonEmptyObject,
   traverseValues,
-  isString
+  isString,
+  inspect
 } = require('@contrast/common');
 const utils = require('../../tag-utils');
 const { patchType, filterSafeTags } = require('../common');
@@ -82,7 +82,6 @@ module.exports = function(core) {
     }
   } = core;
-  const inspect = patcher.unwrap(util.inspect);
   const instr = core.assess.dataflow.sinks.mongodb = {};
   instr.getQueryVulnerabilityInfo = function getQueryVulnerabilityInfo(query) {
@@ -256,7 +255,7 @@ module.exports = function(core) {
           if (safeReports.length && config.assess.safe_positives.enable) {
             const safeTags = safeReports.map((report) => filterSafeTags(querySafeTags, report.strInfo));
             const strInfo = safeReports.map((report) => {
-              const tags = report.path ? getAdjustedQueryTags(report.path, report.strInfo, inspect(origArgs[report.argIdx], { depth: 4 })) : report.strInfo?.tags;
+              const tags = report.path ? utils.createAdjustedQueryTags(report.path, report.strInfo.tags, report.strInfo.value, inspect(origArgs[report.argIdx], { depth: 4 })) : report.strInfo?.tags;
               return {
                 value: inspect(origArgs[report.argIdx], { depth: 4 }),
@@ -282,7 +281,7 @@ module.exports = function(core) {
           tracked: idx === vulnArgIdx,
         }));
-        const tags = path ? getAdjustedQueryTags(path, strInfo, args[vulnArgIdx].value) : strInfo?.tags;
+        const tags = path ? utils.createAdjustedQueryTags(path, strInfo.tags, strInfo.value, args[vulnArgIdx].value) : strInfo?.tags;
         const resultVal = args[args.length - 1].value.startsWith('[Function') ? '' : 'Promise';
         const sinkEvent = createSinkEvent({
           args,
@@ -401,22 +400,4 @@ module.exports = function(core) {
     return name;
   }
-  function getAdjustedQueryTags(path, strInfo, argString) {
-    const { tags } = strInfo;
-    let idx = -1;
-    for (const str of [...path, strInfo.value]) {
-      // This is the case with the `.aggregate` method
-      // where the argument is an array
-      if (str === 0) continue;
-      idx = argString.indexOf(str, idx);
-      if (idx == -1) {
-        idx = -1;
-        break;
-      }
-    }
-    return idx > 0 ? utils.createAppendTags([], tags, idx) : strInfo.tags;
-  }
 };

package/lib/dataflow/sinks/install/mssql.js CHANGED Viewed

@@ -21,7 +21,7 @@ const {
   isString
 } = require('@contrast/common');
 const { createModuleLabel } = require('../../propagation/common');
-const { patchType } = require('../common');
+const { patchType, filterSafeTags } = require('../common');
 const safeTags = [
   SQL_ENCODED,
@@ -30,15 +30,18 @@ const safeTags = [
   CUSTOM_ENCODED,
 ];
+const ruleId = SQL_INJECTION;
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
+    config,
     scopes: { sources },
     assess: {
       dataflow: {
         tracker,
-        sinks: { isVulnerable, isLocked, reportFindings },
+        sinks: { isVulnerable, isLocked, reportFindings, reportSafePositive },
         eventFactory: { createSinkEvent },
       },
     },
@@ -54,38 +57,48 @@ module.exports = function(core) {
     ) return;
     const strInfo = tracker.getData(data.args[0]);
-    if (!strInfo || !isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) {
-      return;
-    }
+    if (!strInfo) return;
-    const event = createSinkEvent({
-      name,
-      moduleName: 'mssql',
-      methodName: `PreparedStatement.prototype.${method}`,
-      context: `mssql.PreparedStatement.${method}('${strInfo.value}')`,
-      history: [strInfo],
-      object: {
-        value: `[${createModuleLabel('mssql', version)}].${obj}`,
-        tracked: false,
-      },
-      args: [
-        {
-          value: strInfo.value,
-          tracked: true,
+    if (isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) {
+      const event = createSinkEvent({
+        name,
+        moduleName: 'mssql',
+        methodName: `PreparedStatement.prototype.${method}`,
+        context: `mssql.PreparedStatement.${method}('${strInfo.value}')`,
+        history: [strInfo],
+        object: {
+          value: `[${createModuleLabel('mssql', version)}].${obj}`,
+          tracked: false,
         },
-      ],
-      tags: strInfo.tags,
-      source: 'P0',
-      stacktraceOpts: {
-        contructorOpt: data.hooked,
-        prependFrames: [data.orig]
-      },
-    });
+        args: [
+          {
+            value: strInfo.value,
+            tracked: true,
+          },
+        ],
+        tags: strInfo.tags,
+        source: 'P0',
+        stacktraceOpts: {
+          contructorOpt: data.hooked,
+          prependFrames: [data.orig]
+        },
+      });
-    if (event) {
-      reportFindings({
-        ruleId: SQL_INJECTION,
-        sinkEvent: event,
+      if (event) {
+        reportFindings({
+          ruleId: SQL_INJECTION,
+          sinkEvent: event,
+        });
+      }
+    } else if (config.assess.safe_positives.enable) {
+      reportSafePositive({
+        name,
+        ruleId,
+        safeTags: filterSafeTags(safeTags, strInfo),
+        strInfo: {
+          tags: strInfo.tags,
+          value: strInfo.value,
+        }
       });
     }
   };

package/lib/dataflow/sinks/install/vm.js ADDED Viewed

@@ -0,0 +1,276 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { patchType, filterSafeTags } = require('../common');
+const {
+  isString,
+  DataflowTag: {
+    UNTRUSTED,
+    CUSTOM_ENCODED_TRUST_BOUNDARY_VIOLATION,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED_TRUST_BOUNDARY_VIOLATION,
+    CUSTOM_VALIDATED,
+    LIMITED_CHARS,
+  },
+  isNonEmptyObject,
+  inspect,
+  traverseValues,
+  join,
+  split,
+} = require('@contrast/common');
+const { createAdjustedQueryTags } = require('../../tag-utils');
+const ruleId = 'unsafe-code-execution';
+const safeTags = [
+  CUSTOM_ENCODED_TRUST_BOUNDARY_VIOLATION,
+  CUSTOM_ENCODED,
+  CUSTOM_VALIDATED_TRUST_BOUNDARY_VIOLATION,
+  CUSTOM_VALIDATED,
+  LIMITED_CHARS,
+];
+module.exports = function(core) {
+  const {
+    config,
+    depHooks,
+    patcher,
+    scopes: { sources, instrumentation },
+    assess: {
+      dataflow: {
+        tracker,
+        sinks: {
+          isVulnerable,
+          runInActiveSink,
+          isLocked,
+          reportFindings,
+          reportSafePositive,
+        },
+        eventFactory: { createSinkEvent },
+      },
+    },
+  } = core;
+  function accumulateArgsInfo(origArgs, idxsToCheck) {
+    const argsInfo = [];
+    for (let i = 0; i < origArgs.length; i++) {
+      const arg = origArgs[i];
+      const infoObj = {
+        isStringArg: isString(arg),
+        idx: i,
+        sanitizedStrInfos: [],
+        sanitizedStrPaths: []
+      };
+      if (
+        !arg ||
+        !idxsToCheck.includes(i) ||
+        (!infoObj.isStringArg && !isNonEmptyObject(arg))
+      ) {
+        const inspectedArg = inspect(origArgs[i]);
+        infoObj.argsValue = { value: inspectedArg, tracked: false };
+        infoObj.ctxValue = inspectedArg;
+        argsInfo.push(infoObj);
+        continue;
+      }
+      if (infoObj.isStringArg) {
+        const strInfo = tracker.getData(arg);
+        infoObj.strInfo = strInfo;
+        infoObj.argsValue = {
+          value: strInfo ? strInfo.value : arg,
+          tracked: !!strInfo,
+        };
+        infoObj.ctxValue = `"${strInfo?.value || arg}"`;
+        infoObj.isVulnerableArg =
+          strInfo && isVulnerable(UNTRUSTED, safeTags, strInfo.tags);
+        if (strInfo && !infoObj.isVulnerableArg) {
+          infoObj.sanitizedStrInfos.push(strInfo);
+          infoObj.isSanitizedArg = true;
+        }
+      } else {
+        traverseValues(
+          arg,
+          (path, _type, value) => {
+            const strInfo = tracker.getData(value);
+            infoObj.strInfo = strInfo;
+            infoObj.isVulnerableArg =
+              strInfo && isVulnerable(UNTRUSTED, safeTags, strInfo.tags);
+            if (infoObj.isVulnerableArg) {
+              infoObj.vulnerableArgPath = [...path];
+              return true;
+            } else if (strInfo) {
+              infoObj.sanitizedStrInfos.push(strInfo);
+              infoObj.sanitizedStrPaths.push([...path]);
+              infoObj.isSanitizedArg = true;
+            }
+          },
+          100
+        );
+        const inspectedArg = inspect(arg);
+        infoObj.argsValue = { value: inspectedArg, tracked: false };
+        infoObj.ctxValue = inspectedArg;
+      }
+      argsInfo.push(infoObj);
+    }
+    return argsInfo;
+  }
+  function around(next, { args: origArgs, hooked, orig, name }) {
+    const store = sources.getStore()?.assess;
+    if (
+      !store ||
+      instrumentation.isLocked() ||
+      isLocked('unsafe-code-execution')
+    ) {
+      return next();
+    }
+    const methodPath = split(name, '.');
+    const method = methodPath[methodPath.length - 1];
+    const idxsToCheck = method === 'runInNewContext' ? [0, 1] : [0];
+    const argsInfo = accumulateArgsInfo(origArgs, idxsToCheck);
+    const vulnerableArg = argsInfo.find((arg) => arg.isVulnerableArg);
+    const sanitizedArgs = argsInfo.filter((arg) => arg.isSanitizedArg);
+    if (!vulnerableArg && sanitizedArgs.length && config.assess.safe_positives.enable) {
+      const foundSafeTags = sanitizedArgs.reduce((a, c) => {
+        const tags = [];
+        c.sanitizedStrInfos.forEach((i) => {
+          tags.push(filterSafeTags(safeTags, i));
+        });
+        tags.forEach((tag) => a.add(...tag));
+        return a;
+      }, new Set());
+      const strInfo = sanitizedArgs.map((arg) => {
+        const value = inspect(origArgs[arg.idx], { depth: 4 });
+        const tags = [];
+        const strValues = [];
+        arg.sanitizedStrInfos.forEach((info, idx) => {
+          strValues.push(info.value);
+          if (arg.isStringArg) {
+            tags.push(info.tags);
+          } else {
+            tags.push(
+              createAdjustedQueryTags(
+                arg.sanitizedStrPaths[idx] || [],
+                info.tags,
+                info.value,
+                value
+              )
+            );
+          }
+        });
+        return {
+          value,
+          strValues,
+          tags,
+        };
+      });
+      reportSafePositive({
+        name,
+        ruleId,
+        safeTags: Array.from(foundSafeTags),
+        strInfo,
+      });
+      return name === 'vm.runInNewContext'
+        ? runInActiveSink('unsafe-code-execution', () => next())
+        : next();
+    }
+    if (vulnerableArg) {
+      const event = createSinkEvent({
+        name,
+        context: `${name}(${join(
+          argsInfo.map((a) => a.ctxValue),
+          ', '
+        )})`,
+        history: [vulnerableArg.strInfo],
+        object: {
+          value: methodPath.includes('prototype')
+            ? 'vm.Script.prototype'
+            : 'vm',
+          tracked: false,
+        },
+        moduleName: 'vm',
+        methodName: method,
+        args: argsInfo.map((a) => a.argsValue),
+        tags: vulnerableArg.vulnerableArgPath?.length
+          ? createAdjustedQueryTags(
+            vulnerableArg.vulnerableArgPath,
+            vulnerableArg.strInfo.tags,
+            vulnerableArg.strInfo.value,
+            vulnerableArg.argsValue.value
+          )
+          : vulnerableArg.strInfo.tags,
+        source: `P${vulnerableArg.idx}`,
+        stacktraceOpts: {
+          contructorOpt: hooked,
+          prependFrames: [orig],
+        },
+      });
+      if (event) {
+        reportFindings({
+          ruleId,
+          sinkEvent: event,
+        });
+      }
+    }
+    return name === 'vm.runInNewContext'
+      ? runInActiveSink('unsafe-code-execution', () => next())
+      : next();
+  }
+  core.assess.dataflow.sinks.vm = {
+    install() {
+      depHooks.resolve({ name: 'vm' }, (vm) => {
+        [
+          'Script',
+          'createScript',
+          'runInContext',
+          'runInThisContext',
+          'createContext',
+          'runInNewContext',
+        ].forEach((method) => {
+          const name = `vm.${method}`;
+          patcher.patch(vm, method, {
+            name,
+            patchType,
+            around,
+          });
+        });
+        patcher.patch(vm.Script.prototype, 'runInNewContext', {
+          name: 'vm.Script.prototype.runInNewContext',
+          patchType,
+          around,
+        });
+      });
+    },
+  };
+  return core.assess.dataflow.sinks.vm;
+};