npm - @contrast/assess - Versions diffs - 1.9.0 → 1.11.0 - Mend

@contrast/assess 1.9.0 → 1.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (116) hide show

package/lib/dataflow/propagation/install/string/match-all.js ADDED Viewed

@@ -0,0 +1,236 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { inspect } = require('@contrast/common');
+const { patchType } = require('../../common');
+const { createSubsetTags } = require('../../../tag-utils');
+module.exports = function(core) {
+  const {
+    scopes: { sources, instrumentation },
+    patcher,
+    assess: {
+      dataflow: {
+        tracker,
+        eventFactory: { createPropagationEvent },
+        propagation: { stringInstrumentation },
+      },
+    },
+  } = core;
+  const name = 'String.prototype.matchAll';
+  function createPropagationEventForMatch({
+    objInfo,
+    startIdx,
+    match,
+    untrackedResult,
+    metadata,
+  }) {
+    const tags = createSubsetTags(objInfo.tags, startIdx, match.length);
+    if (!tags) return;
+    const { arg, hooked, orig } = metadata;
+    return createPropagationEvent({
+      name,
+      moduleName: 'String',
+      methodName: 'prototype.matchAll',
+      context: `'${objInfo.value}'.matcAll(${arg})`,
+      history: [objInfo],
+      object: {
+        value: objInfo.value,
+        tracked: true,
+      },
+      args: [
+        {
+          value: arg,
+          tracked: false,
+        },
+      ],
+      tags,
+      result: {
+        value: inspect(untrackedResult),
+        tracked: false,
+      },
+      stacktraceOpts: {
+        constructorOpt: hooked,
+        prependFrames: [orig],
+      },
+      source: 'O',
+      target: 'R',
+    });
+  }
+  return (stringInstrumentation.matchAll = {
+    install() {
+      patcher.patch(String.prototype, 'matchAll', {
+        name,
+        patchType,
+        around(origFn, data) {
+          const { args, obj, hooked, orig } = data;
+          if (
+            !obj ||
+            !args[0] ||
+            typeof obj !== 'string' ||
+            !sources.getStore()?.assess ||
+            instrumentation.isLocked()
+          )
+            return origFn();
+          const objInfo = tracker.getData(obj);
+          if (!objInfo) return origFn();
+          if (
+            !(args[0] instanceof RegExp) &&
+            typeof args[0][Symbol.matchAll] === 'function'
+          ) {
+            args[0][Symbol.matchAll] =
+              stringInstrumentation.utils.patchCustomMatcher(
+                args[0][Symbol.matchAll],
+                objInfo,
+                args[0],
+                name,
+                patchType
+              );
+            return origFn();
+          }
+          const result = origFn();
+          const newResult = {};
+          function next() {
+            const origRes = core.scopes.instrumentation.run(
+              { lock: true },
+              () => result.next()
+            );
+            if (!origRes?.value) return { done: true };
+            const resValue = origRes.value;
+            const untrackedResult = [...resValue];
+            untrackedResult.groups = resValue.groups && { ...resValue.groups };
+            untrackedResult.input = objInfo.value;
+            untrackedResult.index = resValue.index;
+            resValue.indices && (untrackedResult.indices = resValue.indices);
+            let searchIdx = resValue.index;
+            const metadata = { arg: inspect(args[0]), hooked, orig };
+            for (let i = 0; i < resValue.length; i++) {
+              let match = resValue[i];
+              if (!match) continue;
+              if (match === obj) {
+                // There is a case where the match
+                // is the whole original string in which case the value here is
+                // externalized and we need to make sure to track
+                // the non-exterrnalized one
+                match = objInfo.value;
+              }
+              const startIdx = objInfo.value.indexOf(match, searchIdx);
+              const event = createPropagationEventForMatch({
+                objInfo,
+                startIdx,
+                match,
+                untrackedResult,
+                metadata,
+              });
+              if (i > 0) {
+                searchIdx = startIdx + match.length;
+              }
+              if (!event) continue;
+              const { extern } = tracker.track(match, event);
+              if (extern) {
+                resValue[i] = extern;
+              }
+            }
+            if (resValue.groups) {
+              Object.keys(resValue.groups).forEach((key) => {
+                let res = resValue.groups[key];
+                let event;
+                if (!res) return;
+                if (res === obj) {
+                  res = objInfo.value;
+                  event = createPropagationEventForMatch({
+                    objInfo,
+                    startIdx: 0,
+                    match: res,
+                    untrackedResult,
+                    metadata,
+                  });
+                } else {
+                  const startIdx = objInfo.value.indexOf(res, resValue.index);
+                  event = createPropagationEventForMatch({
+                    objInfo,
+                    startIdx,
+                    match: res,
+                    untrackedResult,
+                    metadata,
+                  });
+                }
+                if (event) {
+                  const { extern } = tracker.track(res, event);
+                  if (extern) {
+                    resValue.groups[key] = extern;
+                  }
+                }
+              });
+            }
+            return { value: resValue, done: origRes.done };
+          }
+          Object.defineProperty(newResult, Symbol.iterator, {
+            enumerable: false,
+            value() {
+              return {
+                next,
+              };
+            },
+          });
+          Object.defineProperty(newResult, Symbol.toStringTag, {
+            enumerable: false,
+            value: 'RegExp String Iterator',
+          });
+          Object.setPrototypeOf(newResult, {
+            ...Object.getPrototypeOf(result),
+            next,
+          });
+          return newResult;
+        },
+      });
+    },
+    uninstall() {
+      String.prototype.matchAll = patcher.unwrap(String.prototype.matchAll);
+    },
+  });
+};

package/lib/dataflow/propagation/install/string/match.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -23,28 +23,32 @@ module.exports = function(core) {
     scopes: { sources, instrumentation },
     patcher,
     assess: {
-      dataflow: { tracker, eventFactory: { createPropagationEvent } }
-    }
+      dataflow: {
+        tracker,
+        eventFactory: { createPropagationEvent },
+        propagation: { stringInstrumentation },
+      },
+    },
   } = core;
+  const name = 'String.prototype.match';
   function getPropagationEvent(data, res, objInfo, start) {
-    const { name, args: origArgs, result, hooked, orig } = data;
-    const tags = createSubsetTags(objInfo.tags, start, res.length - 1);
+    const { args: origArgs, result, hooked, orig } = data;
+    const tags = createSubsetTags(objInfo.tags, start, res.length);
     if (!tags) return;
-    const args = origArgs.map((arg) => {
-      const argInfo = tracker.getData(arg);
-      return {
-        value: argInfo ? argInfo.value : inspect(arg),
-        tracked: !!argInfo
-      };
-    });
+    const args = [
+      {
+        value: inspect(origArgs[0]),
+        tracked: false,
+      },
+    ];
     return createPropagationEvent({
       name,
       moduleName: 'String',
       methodName: 'prototype.match',
-      context: `'${objInfo.value}'.match(${join(args.map(a => a.value), ', ')})`,
+      context: `'${objInfo.value}'.match(${args[0].value})`,
       history: [objInfo],
       object: {
         value: objInfo.value,
@@ -54,48 +58,79 @@ module.exports = function(core) {
       tags,
       result: {
         value: join(result),
-        tracked: false
+        tracked: false,
       },
       stacktraceOpts: {
         constructorOpt: hooked,
-        prependFrames: [orig]
+        prependFrames: [orig],
       },
       source: 'O',
-      target: 'R'
+      target: 'R',
     });
   }
-  return core.assess.dataflow.propagation.stringInstrumentation.match = {
+  return (stringInstrumentation.match = {
     install() {
-      const name = 'String.prototype.match';
       patcher.patch(String.prototype, 'match', {
         name,
         patchType,
-        post(data) {
-          const { args, obj, result } = data;
+        around(origFn, data) {
+          const { args, obj } = data;
           if (
             !obj ||
-            !result ||
-            args.length === 0 ||
-            result.length === 0 ||
-            !sources.getStore() ||
+            !args.length ||
+            !sources.getStore()?.assess ||
             typeof obj !== 'string' ||
             instrumentation.isLocked() ||
-            (args.length === 1 && args[0] == null)
-          ) return;
+            (args.length === 1 && !args[0])
+          )
+            return origFn();
           const objInfo = tracker.getData(obj);
-          if (!objInfo) return;
+          if (!objInfo) return origFn();
+          if (
+            !(args[0] instanceof RegExp) &&
+            typeof args[0][Symbol.match] === 'function'
+          ) {
+            args[0][Symbol.match] =
+              stringInstrumentation.utils.patchCustomMatcher(
+                args[0][Symbol.match],
+                objInfo,
+                args[0],
+                name,
+                patchType
+              );
+            return origFn();
+          }
+          const result = (data.result = core.scopes.instrumentation.run(
+            { lock: true },
+            () => origFn()
+          ));
+          if (!result) return result;
           let idx = 0;
           const hasCaptureGroups = 'groups' in result;
           for (let i = 0; i < result.length; i++) {
-            const res = result[i];
-            if (!res || res === obj) continue;
-            const start = obj.indexOf(res, idx);
-            idx += hasCaptureGroups ? 0 : res.length;
-            const event = getPropagationEvent(data, res, objInfo, start);
+            let res = result[i];
+            let event;
+            if (!res) continue;
+            if (res === obj) {
+              res = objInfo.value;
+              event = getPropagationEvent(data, res, objInfo, 0);
+            } else {
+              const start = obj.indexOf(res, idx);
+              idx += hasCaptureGroups && i === 0 ? 0 : res.length;
+              event = getPropagationEvent(data, res, objInfo, start);
+            }
             if (event) {
               const { extern } = tracker.track(res, event);
               if (extern) {
@@ -105,10 +140,19 @@ module.exports = function(core) {
           }
           if (hasCaptureGroups && result.groups) {
             Object.keys(result.groups).forEach((key) => {
-              const res = result.groups[key];
-              if (!res || res === obj) return;
-              const start = obj.indexOf(res);
-              const event = getPropagationEvent(data, res, objInfo, start);
+              let res = result.groups[key];
+              let event;
+              if (!res) return;
+              if (res === obj) {
+                res = objInfo.value;
+                event = getPropagationEvent(data, res, objInfo, 0);
+              } else {
+                const start = obj.indexOf(res);
+                event = getPropagationEvent(data, res, objInfo, start);
+              }
               if (event) {
                 const { extern } = tracker.track(res, event);
                 if (extern) {
@@ -117,11 +161,13 @@ module.exports = function(core) {
               }
             });
           }
+          return data.result;
         },
       });
     },
     uninstall() {
       String.prototype.match = patcher.unwrap(String.prototype.match);
     },
-  };
+  });
 };

package/lib/dataflow/propagation/install/string/replace.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -101,7 +101,7 @@ module.exports = function(core) {
     replacement = replaceSpecialCharacters(String(replacement), parsedArgs, data._replacementType);
     data._replacementInfo = tracker.getData(replacement);
-    if (data._replacement) {
+    if (data._replacementInfo) {
       data._history.add(data._replacementInfo);
     }
     return { replacement, replacementInfo: data._replacementInfo };
@@ -115,7 +115,7 @@ module.exports = function(core) {
       const { _accumOffset, _accumTags } = data;
       const { replacement, replacementInfo } = getReplacementInfo(data, args, parsedArgs);
-      const preTags = createSubsetTags(_accumTags, 0, _accumOffset + matchIdx - 1);
+      const preTags = createSubsetTags(_accumTags, 0, _accumOffset + matchIdx);
       const postTags = createSubsetTags(_accumTags, _accumOffset + matchIdx + match.length, str.length - matchIdx - match.length);
       data._accumOffset += (replacement.length - match.length);
       if (preTags || postTags || replacementInfo) {

package/lib/dataflow/propagation/install/string/slice.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -37,7 +37,7 @@ module.exports = function(core) {
       end = obj.length - (Math.abs(end) || 0);
     }
-    const subsetLen = (hasSingleArg ? obj.length - start : Math.abs(end - start)) - 1;
+    const subsetLen = (hasSingleArg ? obj.length - start : Math.abs(end - start));
     return {
       startIdx: start,

package/lib/dataflow/propagation/install/string/split.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -60,7 +60,7 @@ module.exports = function(core) {
             const objSubstr = obj.substring(start, start + res.length);
             const objSubstrInfo = tracker.getData(objSubstr);
             if (objSubstrInfo) {
-              const tags = createSubsetTags(objInfo.tags, start, res.length - 1);
+              const tags = createSubsetTags(objInfo.tags, start, res.length);
               if (!tags) continue;
               const args = origArgs.map((arg) => {

package/lib/dataflow/propagation/install/string/substring.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -30,7 +30,7 @@ module.exports = function(core) {
   function calculateSubsetRangeForSubstr({ args, result }) {
     const startIdx = args[0] || 0;
-    const subsetLen = args[1] === undefined ? result.length - startIdx - 1 : args[1] - 1;
+    const subsetLen = args[1] === undefined ? result.length - startIdx : args[1];
     return {
       startIdx,
@@ -41,7 +41,7 @@ module.exports = function(core) {
   function calculateSubsetRangeForSubstring({ obj, args }) {
     const hasSingleArg = args[1] === undefined;
     const startIdx = hasSingleArg ? args[0] : Math.min(...args);
-    const subsetLen = (hasSingleArg ? obj.length - args[0] : Math.abs(args[1] - args[0])) - 1;
+    const subsetLen = (hasSingleArg ? obj.length - args[0] : Math.abs(args[1] - args[0]));
     return {
       startIdx,

package/lib/dataflow/propagation/install/string/trim.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -52,7 +52,7 @@ module.exports = function(core) {
       const start = presetStart || obj.indexOf(result);
       const newTags = {};
       const objTags = objInfo.tags || {};
-      Object.assign(newTags, createSubsetTags(objTags, start, result.length - 1));
+      Object.assign(newTags, createSubsetTags(objTags, start, result.length));
       if (!newTags.untrusted) {
         return;

package/lib/dataflow/propagation/install/unescape.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/propagation/install/url/domain-parsers.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/propagation/install/url/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -28,6 +28,9 @@ module.exports = function(core) {
   };
   require('./domain-parsers')(core);
+  require('./parse')(core);
+  require('./searchParams')(core);
+  require('./url')(core);
   return urlInstrumentation;
 };

package/lib/dataflow/propagation/install/url/parse.js ADDED Viewed

@@ -0,0 +1,131 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { patchType } = require('../../common');
+const { inspect } = require('@contrast/common');
+module.exports = function(core) {
+  const {
+    scopes: { sources, instrumentation },
+    patcher,
+    depHooks,
+    assess: {
+      dataflow: { tracker, eventFactory: { createPropagationEvent } }
+    }
+  } = core;
+  const keys = [
+    'href',
+    [
+      'protocol',
+      'auth',
+      'host',
+      [
+        'hostname',
+        'port'
+      ],
+      'path',
+      [
+        'pathname',
+        'search',
+        [
+          'query'
+        ]
+      ],
+      'hash'
+    ]
+  ];
+  return core.assess.dataflow.propagation.urlInstrumentation.parse = {
+    install() {
+      depHooks.resolve({ name: 'url' }, (url) => {
+        const name = 'url.parse';
+        patcher.patch(url, 'parse', {
+          name,
+          patchType,
+          post(data) {
+            const { args, result, hooked, orig } = data;
+            if (!result || !args[0] || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+            const url = args[0];
+            const argInfo = tracker.getData(url);
+            if (!argInfo) return;
+            const traverse = function(href, url, keys, idx = 0) {
+              let substr = href;
+              keys.forEach((key) => {
+                if (typeof key === 'string') {
+                  const part = result[key];
+                  if (part) {
+                    const index = href.indexOf(part, idx - 1);
+                    substr = href.substring(index, index + part.length);
+                    idx += part.length;
+                    const partInfo = tracker.getData(substr);
+                    if (!partInfo) return;
+                    const event = createPropagationEvent({
+                      name,
+                      moduleName: 'url',
+                      methodName: 'parse',
+                      context: `url.parse('${argInfo.value}')`,
+                      object: {
+                        value: 'url',
+                        tracked: false
+                      },
+                      result: {
+                        value: inspect(result),
+                        tracked: true
+                      },
+                      args: [{ value: partInfo.value, tracked: true }],
+                      tags: partInfo.tags,
+                      history: [partInfo],
+                      source: 'P',
+                      target: 'R',
+                      stacktraceOpts: {
+                        constructorOpt: hooked,
+                        prependFrames: [orig]
+                      },
+                    });
+                    if (!event) return;
+                    if (partInfo) {
+                      Object.assign(partInfo, event);
+                    }
+                    const { extern } = partInfo || tracker.track(part, event);
+                    if (extern) {
+                      result[key] = extern;
+                    }
+                  }
+                } else {
+                  traverse(substr, url, key, 0);
+                }
+              });
+            };
+            traverse(url, result, keys, 0);
+          }
+        });
+      });
+    },
+  };
+};