npm - @contrast/assess - Versions diffs - 1.9.0 → 1.11.0 - Mend

@contrast/assess 1.9.0 → 1.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (116) hide show

package/lib/dataflow/propagation/install/url/searchParams.js ADDED Viewed

@@ -0,0 +1,133 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { patchType } = require('../../common');
+const { inspect, isString } = require('@contrast/common');
+module.exports = function(core) {
+  const {
+    scopes: { sources, instrumentation },
+    patcher,
+    depHooks,
+    assess: {
+      dataflow: { tracker, eventFactory: { createPropagationEvent } }
+    }
+  } = core;
+  function getPropagationEvent(params, paramInfo, data) {
+    return createPropagationEvent({
+      name: 'url.URLSearchParams',
+      moduleName: 'url',
+      methodName: 'URLSearchParams',
+      context: `url.URLSearchParams('${inspect(params)}')`,
+      object: {
+        value: 'url',
+        tracked: false
+      },
+      result: {
+        value: inspect(data.result),
+        tracked: true
+      },
+      args: [{ value: inspect(params), tracked: false }],
+      tags: paramInfo.tags,
+      history: [paramInfo],
+      source: 'P',
+      target: 'R',
+      stacktraceOpts: {
+        constructorOpt: data.hooked,
+        prependFrames: [data.orig]
+      },
+    });
+  }
+  return core.assess.dataflow.propagation.urlInstrumentation.searchParams = {
+    install() {
+      depHooks.resolve({ name: 'url' }, (url) => {
+        const name = 'url.URLSearchParams';
+        patcher.patch(url, 'URLSearchParams', {
+          name,
+          patchType,
+          post(data) {
+            const { args, obj, result } = data;
+            if (!result || !args[0] || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+            const [params] = args;
+            if (isString(params)) {
+              params.split('&').forEach((query) => {
+                const startIdx = query.indexOf('?') + 1;
+                const endIdx = query.indexOf('=');
+                const key = query.substring(startIdx, endIdx);
+                const param = query.substring(endIdx + 1, query.length);
+                const paramInfo = tracker.getData(param);
+                if (!paramInfo) return;
+                const event = getPropagationEvent(params, paramInfo, data);
+                if (!event);
+                Object.assign(paramInfo, event);
+                const { extern } = paramInfo || tracker.track(param, event);
+                if (extern) {
+                  result.set(key, extern);
+                }
+              });
+            }
+            if (typeof params === 'object') {
+              Object.keys(params).forEach((key) => {
+                const paramInfo = tracker.getData(params[key]);
+                if (!paramInfo) return;
+                const event = getPropagationEvent(params, paramInfo, data);
+                if (!event) return;
+                Object.assign(paramInfo, event);
+                const { extern } = paramInfo || tracker.track(params[key], event);
+                if (extern) {
+                  result.set(key, extern);
+                }
+              });
+            }
+            patcher.patch(obj.prototype, 'toString', {
+              name: 'url.URLSearchParams.toString',
+              patchType,
+              post(data) {
+                const { obj: params } = data;
+                let i = 0;
+                let str = '';
+                params.forEach((val, key) => {
+                  if (i === 0) {
+                    str = key.concat('=', val);
+                  } else {
+                    str = str.concat('&', key, '=', val);
+                  }
+                  i++;
+                });
+                data.result = str;
+              }
+            });
+          }
+        });
+      });
+    },
+  };
+};

package/lib/dataflow/propagation/install/url/url.js ADDED Viewed

@@ -0,0 +1,185 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { inspect } = require('@contrast/common');
+const { patchType } = require('../../common');
+module.exports = function(core) {
+  const {
+    scopes: { sources, instrumentation },
+    patcher,
+    depHooks,
+    assess: {
+      dataflow: { tracker, eventFactory: { createPropagationEvent } }
+    }
+  } = core;
+  const keys = [
+    'href',
+    [
+      'origin',
+      'protocol',
+      'username',
+      'password',
+      'host',
+      [
+        'hostname',
+        'port'
+      ],
+      'pathname',
+      'search',
+      'hash'
+    ]
+  ];
+  function getPropagationEvent(strInfo, partInfo, data) {
+    const args = data.args.map((v) => {
+      const strInfo = tracker.getData(v);
+      return {
+        value: strInfo ? strInfo.value : v,
+        tracked: !!strInfo
+      };
+    });
+    return createPropagationEvent({
+      name: 'url.URL',
+      moduleName: 'url',
+      methodName: 'URL',
+      context: `url.URL('${strInfo.value}')`,
+      object: {
+        value: 'url',
+        tracked: false
+      },
+      result: {
+        value: inspect(data.result),
+        tracked: true
+      },
+      args,
+      tags: partInfo.tags,
+      history: [partInfo],
+      source: 'P',
+      target: 'R',
+      stacktraceOpts: {
+        constructorOpt: data.hooked,
+        prependFrames: [data.orig]
+      },
+    });
+  }
+  return core.assess.dataflow.propagation.urlInstrumentation.url = {
+    install() {
+      depHooks.resolve({ name: 'url' }, (url) => {
+        const { URLSearchParams } = url;
+        const name = 'url.URL';
+        patcher.patch(url, 'URL', {
+          name,
+          patchType,
+          post(data) {
+            const { args, result } = data;
+            if (!result || !args[0] || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+            const [input, basename] = args;
+            let url = input;
+            if (basename && url !== result.toString()) {
+              const isAbsoluteURL = url.indexOf('://') > 0 || url.indexOf('//') === 0;
+              if (isAbsoluteURL) {
+                const splitUrl = url.split(new RegExp('(?=//)', 'g'));
+                let endOfSlashes = splitUrl.length === 1 ? true : false;
+                let newUrl = splitUrl[0] === result.protocol ? splitUrl[0] : basename.split(/(?<=:)/)[0];
+                for (let i = 0; i < splitUrl.length; i++) {
+                  if (endOfSlashes) {
+                    newUrl = newUrl.concat(splitUrl[i]);
+                  }
+                  if (splitUrl[i] === '/' && splitUrl[i + 1] !== '/') {
+                    endOfSlashes = true;
+                  }
+                }
+                url = newUrl;
+              } else {
+                url = basename.concat(url);
+              }
+            }
+            const strInfo = tracker.getData(url);
+            if (!strInfo) return;
+            const proxy = new Proxy(data.result, {
+              set(obj, prop, value) {
+                return Reflect.set(obj, prop, value);
+              },
+              get(obj, prop) {
+                if (prop === 'toString' || prop === 'toJSON') {
+                  return function() {
+                    return Reflect.get(obj, '_contrast_href');
+                  };
+                }
+                if (typeof prop === 'string') {
+                  const trackedProp = Reflect.get(obj, `_contrast_${prop}`);
+                  if (trackedProp) return trackedProp;
+                }
+                return Reflect.get(obj, prop);
+              }
+            });
+            const traverse = function(href, url, keys, idx = 0) {
+              let substr = href;
+              keys.forEach((key) => {
+                if (typeof key === 'string') {
+                  const part = url[key];
+                  if (part !== 'null') {
+                    if (key === 'origin') {
+                      const [protocol, originWithoutProtocol] = part.split(new RegExp('(?<=//)'));
+                      const idx1 = href.indexOf(protocol);
+                      const idx2 = href.indexOf(originWithoutProtocol, idx - 1);
+                      substr = href.substring(idx1, idx1 + protocol.length).concat(href.substring(idx2, idx2 + originWithoutProtocol.length));
+                    } else {
+                      const index = href.indexOf(part, idx - 1);
+                      substr = href.substring(index, index + part.length);
+                      idx += part.length;
+                    }
+                    const partInfo = tracker.getData(substr);
+                    if (!partInfo) return;
+                    const event = getPropagationEvent(strInfo, partInfo, data);
+                    if (!event) return;
+                    Object.assign(partInfo, event);
+                    const { extern } = tracker.track(part, event);
+                    if (extern) {
+                      proxy[`_contrast_${key}`] = extern;
+                    }
+                  }
+                } else {
+                  traverse(substr, url, key, 0);
+                }
+              });
+            };
+            traverse(url, result, keys, 0);
+            if (proxy.search) {
+              proxy._contrast_searchParams = new URLSearchParams(proxy.search);
+            }
+            data.result = proxy;
+          }
+        });
+      });
+    },
+  };
+};

package/lib/dataflow/propagation/install/validator/hooks.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/propagation/install/validator/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/propagation/install/validator/methods.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sinks/common.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sinks/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -20,7 +20,7 @@ const { callChildComponentMethodsSync, Event, Rule } = require('@contrast/common
 const { isVulnerable } = require('../utils/is-vulnerable');
 const { isSafeContentType } = require('../utils/is-safe-content-type');
-module.exports = function (core) {
+module.exports = function(core) {
   const {
     logger,
     messages,
@@ -29,7 +29,8 @@ module.exports = function (core) {
   const sinkScopes = {
     [Rule.SQL_INJECTION]: new AsyncLocalStorage(),
-    [Rule.NOSQL_INJECTION_MONGO]: new AsyncLocalStorage()
+    [Rule.NOSQL_INJECTION_MONGO]: new AsyncLocalStorage(),
+    ['unsafe-code-execution']: new AsyncLocalStorage()
   };
   const sinks = core.assess.dataflow.sinks = {
     isVulnerable,
@@ -65,19 +66,22 @@ module.exports = function (core) {
     }
   };
+  require('./install/express')(core);
   require('./install/fastify')(core);
   require('./install/koa')(core);
   require('./install/child-process')(core);
+  require('./install/eval')(core);
   require('./install/fs')(core);
+  require('./install/function')(core);
   require('./install/http')(core);
+  require('./install/marsdb')(core);
   require('./install/mongodb')(core);
   require('./install/mssql')(core);
   require('./install/mysql')(core);
   require('./install/postgres')(core);
   require('./install/sequelize')(core);
   require('./install/sqlite3')(core);
-  require('./install/marsdb')(core);
-  require('./install/express')(core);
+  require('./install/vm')(core);
   sinks.install = function() {
     callChildComponentMethodsSync(core.assess.dataflow.sinks, 'install');

package/lib/dataflow/sinks/install/child-process.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sinks/install/eval.js ADDED Viewed

@@ -0,0 +1,138 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const {
+  isString,
+  DataflowTag: {
+    UNTRUSTED,
+    CUSTOM_ENCODED_TRUST_BOUNDARY_VIOLATION,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED_TRUST_BOUNDARY_VIOLATION,
+    CUSTOM_VALIDATED,
+    LIMITED_CHARS,
+  },
+} = require('@contrast/common');
+const { patchType, filterSafeTags } = require('../common');
+const ruleId = 'unsafe-code-execution';
+const safeTags = [
+  CUSTOM_ENCODED_TRUST_BOUNDARY_VIOLATION,
+  CUSTOM_ENCODED,
+  CUSTOM_VALIDATED_TRUST_BOUNDARY_VIOLATION,
+  CUSTOM_VALIDATED,
+  LIMITED_CHARS,
+];
+module.exports = function(core) {
+  const {
+    config,
+    logger,
+    patcher,
+    scopes: { sources, instrumentation },
+    assess: {
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, reportFindings, reportSafePositive },
+        eventFactory: { createSinkEvent },
+      },
+    },
+  } = core;
+  core.assess.dataflow.sinks.contrastEval = {
+    install() {
+      if (!global.ContrastMethods?.eval) {
+        logger.error(
+          'Cannot install `eval` instrumentation - Contrast method DNE'
+        );
+        return;
+      }
+      Object.assign(global.ContrastMethods, {
+        eval: patcher.patch(global.ContrastMethods.eval, {
+          name: 'global.ContrastMethods.eval',
+          patchType,
+          pre({ args: origArgs, hooked, orig, name }) {
+            const store = sources.getStore()?.assess;
+            const script = origArgs[0];
+            if (
+              !store ||
+              instrumentation.isLocked() ||
+              !script ||
+              !isString(script)
+            )
+              return;
+            const strInfo = tracker.getData(script);
+            if (!strInfo) return;
+            const isArgVulnerable = isVulnerable(
+              UNTRUSTED,
+              safeTags,
+              strInfo.tags
+            );
+            if (!isArgVulnerable && config.assess.safe_positives.enable) {
+              const foundSafeTags = filterSafeTags(safeTags, strInfo);
+              const safeStrInfo = {
+                value: strInfo.value,
+                tags: strInfo.tags,
+              };
+              reportSafePositive({
+                name,
+                ruleId,
+                safeTags: foundSafeTags,
+                strInfo: safeStrInfo,
+              });
+            }
+            if (isArgVulnerable) {
+              const event = createSinkEvent({
+                name,
+                context: `${name}('${strInfo.value}')`,
+                history: [strInfo],
+                object: {
+                  value: 'global.ContrastMethods',
+                  tracked: false,
+                },
+                moduleName: 'global.ContrastMethods',
+                methodName: 'eval',
+                args: [{ value: strInfo.value, tracked: true }],
+                tags: strInfo.tags,
+                source: 'P0',
+                stacktraceOpts: {
+                  contructorOpt: hooked,
+                  prependFrames: [orig],
+                },
+              });
+              if (event) {
+                reportFindings({
+                  ruleId,
+                  sinkEvent: event,
+                });
+              }
+            }
+          },
+        }),
+      });
+    },
+  };
+  return core.assess.dataflow.sinks.contrastEval;
+};

package/lib/dataflow/sinks/install/express/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sinks/install/express/unvalidated-redirect.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -81,7 +81,7 @@ module.exports = function(core) {
           let urlPathTags = strInfo.tags;
           if (url.indexOf('?') > -1) {
-            urlPathTags = createSubsetTags(strInfo.tags, 0, url.indexOf('?'));
+            urlPathTags = createSubsetTags(strInfo.tags, 0, url.indexOf('?') + 1);
           }
           if (urlPathTags && isVulnerable(UNTRUSTED, safeTags, urlPathTags)) {

package/lib/dataflow/sinks/install/fastify/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sinks/install/fastify/unvalidated-redirect.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -31,6 +31,7 @@ const { createSubsetTags } = require('../../../tag-utils');
 const { filterSafeTags, patchType } = require('../../common');
 const ruleId = 'unvalidated-redirect';
 const getURLArgument = (args) => {
   if (!Array.isArray(args)) {
     return { index: null, url: undefined };
@@ -98,7 +99,7 @@ module.exports = function(core) {
           let urlPathTags = strInfo.tags;
           const urlPathEndIdx = url.indexOf('?');
           if (urlPathEndIdx > -1) {
-            urlPathTags = createSubsetTags(strInfo.tags, 0, urlPathEndIdx);
+            urlPathTags = createSubsetTags(strInfo.tags, 0, urlPathEndIdx + 1);
           }
           if (isVulnerable(UNTRUSTED, safeTags, urlPathTags)) {

package/lib/dataflow/sinks/install/fs.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -71,7 +71,7 @@ module.exports = function(core) {
       const strInfo = tracker.getData(v);
       return {
         value: strInfo ? strInfo.value : v,
-        isTracked: !!strInfo,
+        tracked: !!strInfo,
         strInfo
       };
     });
@@ -92,9 +92,9 @@ module.exports = function(core) {
         history: [strInfo],
         object: {
           value: 'fs',
-          isTracked: false,
+          tracked: false,
         },
-        args: args.map(({ value, isTracked }) => ({ value, isTracked })),
+        args: args.map(({ value, tracked }) => ({ value, tracked })),
         tags: strInfo.tags,
         source: `P${i}`,
         stacktraceOpts: {