npm - @contrast/assess - Versions diffs - 1.9.0 → 1.11.0 - Mend

@contrast/assess 1.9.0 → 1.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (116) hide show

package/lib/dataflow/sinks/install/function.js ADDED Viewed

@@ -0,0 +1,160 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const {
+  isString,
+  inspect,
+  join,
+  DataflowTag: {
+    UNTRUSTED,
+    CUSTOM_ENCODED_TRUST_BOUNDARY_VIOLATION,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED_TRUST_BOUNDARY_VIOLATION,
+    CUSTOM_VALIDATED,
+    LIMITED_CHARS,
+  },
+} = require('@contrast/common');
+const { patchType, filterSafeTags } = require('../common');
+const ruleId = 'unsafe-code-execution';
+const safeTags = [
+  CUSTOM_ENCODED_TRUST_BOUNDARY_VIOLATION,
+  CUSTOM_ENCODED,
+  CUSTOM_VALIDATED_TRUST_BOUNDARY_VIOLATION,
+  CUSTOM_VALIDATED,
+  LIMITED_CHARS,
+];
+module.exports = function(core) {
+  const {
+    config,
+    logger,
+    patcher,
+    scopes: { sources, instrumentation },
+    assess: {
+      dataflow: {
+        tracker,
+        sinks: { isVulnerable, reportFindings, reportSafePositive },
+        eventFactory: { createSinkEvent },
+      },
+    },
+  } = core;
+  core.assess.dataflow.sinks.contrastFunction = {
+    install() {
+      if (!global.ContrastMethods?.Function) {
+        logger.error(
+          'Cannot install `Function` instrumentation - Contrast method DNE'
+        );
+        return;
+      }
+      Object.assign(global.ContrastMethods, {
+        Function: patcher.patch(global.ContrastMethods.Function, {
+          name: 'global.ContrastMethods.Function',
+          patchType,
+          pre({ args: origArgs, hooked, orig, name }) {
+            const store = sources.getStore()?.assess;
+            const fnBody = origArgs[origArgs.length - 1];
+            if (
+              !store ||
+              instrumentation.isLocked() ||
+              !fnBody ||
+              !isString(fnBody)
+            )
+              return;
+            const strInfo = tracker.getData(fnBody);
+            if (!strInfo) return;
+            const isArgVulnerable = isVulnerable(UNTRUSTED, safeTags, strInfo.tags);
+            if (!isArgVulnerable && config.assess.safe_positives.enable) {
+              const foundSafeTags = filterSafeTags(safeTags, strInfo);
+              const safeStrInfo = {
+                value: strInfo.value,
+                tags: strInfo.tags,
+              };
+              reportSafePositive({
+                name,
+                ruleId,
+                safeTags: foundSafeTags,
+                strInfo: safeStrInfo,
+              });
+            }
+            if (isArgVulnerable) {
+              const args = origArgs.map((arg, idx) => {
+                if (idx === origArgs.length - 1) {
+                  return {
+                    value: strInfo.value,
+                    tracked: true,
+                    inspectedValue: `'${strInfo.value}'`,
+                  };
+                }
+                const inspectedValue = inspect(arg);
+                const argInfo = arg && isString(arg) ? tracker.getData(arg) : null;
+                return {
+                  value: argInfo ? argInfo.value : inspectedValue,
+                  tracked: !!argInfo,
+                  inspectedValue
+                };
+              });
+              const event = createSinkEvent({
+                name,
+                context: `${name}(${join(
+                  args.map((a) => a.inspectedValue),
+                  ', '
+                )})`,
+                history: [strInfo],
+                object: {
+                  value: 'global.ContrastMethods',
+                  tracked: false,
+                },
+                moduleName: 'global.ContrastMethods',
+                methodName: 'Function',
+                args: args.map((a) => ({
+                  value: a.value,
+                  tracked: a.tracked,
+                })),
+                tags: strInfo.tags,
+                source: `P${origArgs.length - 1}`,
+                stacktraceOpts: {
+                  contructorOpt: hooked,
+                  prependFrames: [orig],
+                },
+              });
+              if (event) {
+                reportFindings({
+                  ruleId,
+                  sinkEvent: event,
+                });
+              }
+            }
+          },
+        }),
+      });
+    },
+  };
+  return core.assess.dataflow.sinks.contrastFunction;
+};

package/lib/dataflow/sinks/install/http/index.js ADDED Viewed

@@ -0,0 +1,31 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { callChildComponentMethodsSync } = require('@contrast/common');
+module.exports = function(core) {
+  const http = core.assess.dataflow.sinks.http = {};
+  require('./request')(core);
+  require('./server-response')(core);
+  http.install = function() {
+    callChildComponentMethodsSync(http, 'install');
+  };
+  return http;
+};

package/lib/dataflow/sinks/install/http/request.js ADDED Viewed

@@ -0,0 +1,152 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const {
+  inspect,
+  isString,
+  DataflowTag: {
+    UNTRUSTED,
+    CUSTOM_ENCODED_SSRF,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED_SSRF,
+    CUSTOM_VALIDATED,
+    LIMITED_CHARS
+  }
+} = require('@contrast/common');
+const Url = require('url');
+const trustedLibs = [/^(?!.*(newrelic)).*http.*$/];
+const { patchType } = require('../../common');
+const { createAppendTags } = require('../../../tag-utils');
+module.exports = function(core) {
+  const {
+    depHooks,
+    patcher,
+    scopes: { sources },
+    assess: {
+      dataflow: {
+        tracker,
+        sinks: {
+          isVulnerable,
+          reportFindings
+        },
+        eventFactory: { createSinkEvent },
+      },
+    },
+  } = core;
+  const http = core.assess.dataflow.sinks.http.request = {};
+  const safeTags = [
+    CUSTOM_ENCODED_SSRF,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED_SSRF,
+    CUSTOM_VALIDATED,
+    LIMITED_CHARS
+  ];
+  function getValueFromReq(value, key) {
+    if (isString(value)) {
+      const url = new Url.URL(value);
+      if (isString(url[key])) {
+        return url[key];
+      }
+    }
+    if (isString(value[key])) {
+      return value[key];
+    }
+  }
+  function containsTrustedLib(stack) {
+    for (const { file } of stack) {
+      for (const trusted of trustedLibs) {
+        if (trusted.exec(file)) {
+          return true;
+        }
+      }
+    }
+    return false;
+  }
+  http.install = function() {
+    ['http', 'https'].forEach((moduleName) => {
+      depHooks.resolve({ name: moduleName }, (module) => {
+        const name = `${moduleName}.request`;
+        const methodName = 'request';
+        patcher.patch(module, methodName, {
+          name,
+          patchType,
+          pre(data) {
+            const sourceContext = sources.getStore()?.assess;
+            if (!sourceContext) return;
+            const [req] = data.args;
+            if (!req) return;
+            ['host', 'hostname', 'localAddress', 'protocol'].forEach((key) => {
+              const value = getValueFromReq(req, key);
+              if (!value) return;
+              const strInfo = tracker.getData(value);
+              if (!strInfo) return;
+              if (containsTrustedLib(strInfo.stack)) return;
+              const arg0 = isString(req) ? req : inspect(req);
+              const idx = arg0.indexOf(value);
+              const urlTags = createAppendTags({}, strInfo.tags, idx);
+              if (urlTags && isVulnerable(UNTRUSTED, safeTags, urlTags)) {
+                const event = createSinkEvent({
+                  name,
+                  moduleName,
+                  methodName: 'request',
+                  context: `${moduleName}.request(${arg0})`,
+                  history: [strInfo],
+                  object: {
+                    tracked: false,
+                    value: moduleName
+                  },
+                  args: [{
+                    value: arg0,
+                    tracked: true
+                  }],
+                  source: 'P0',
+                  stacktraceOpts: {
+                    constructorOpt: data.hooked,
+                    prependFrames: [data.orig]
+                  },
+                  tags: urlTags,
+                });
+                if (event) {
+                  reportFindings({
+                    ruleId: 'ssrf',
+                    sinkEvent: event
+                  });
+                }
+              }
+            });
+          }
+        });
+      });
+    });
+  };
+  return http;
+};

package/lib/dataflow/sinks/install/{http.js → http/server-response.js} RENAMED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -31,7 +31,7 @@ const {
   },
   Rule: { REFLECTED_XSS: ruleId },
 } = require('@contrast/common');
-const { patchType, filterSafeTags } = require('../common');
+const { patchType, filterSafeTags } = require('../../common');
 module.exports = function(core) {
   const {
@@ -52,7 +52,7 @@ module.exports = function(core) {
       },
     },
   } = core;
-  const http = core.assess.dataflow.sinks.http = {};
+  const http = core.assess.dataflow.sinks.http.serverResponse = {};
   const safeTags = [
     ALPHANUM_SPACE_HYPHEN,

package/lib/dataflow/sinks/install/koa/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sinks/install/koa/unvalidated-redirect.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -84,7 +84,7 @@ module.exports = function(core) {
           let urlPathTags = strInfo.tags;
           if (url.indexOf('?') > -1) {
-            urlPathTags = createSubsetTags(strInfo.tags, 0, url.indexOf('?'));
+            urlPathTags = createSubsetTags(strInfo.tags, 0, url.indexOf('?') + 1);
           }
           if (urlPathTags && isVulnerable(UNTRUSTED, safeTags, urlPathTags)) {

package/lib/dataflow/sinks/install/marsdb.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sinks/install/mongodb.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -15,7 +15,6 @@
 'use strict';
-const util = require('util');
 const {
   DataflowTag: {
     UNTRUSTED,
@@ -28,7 +27,8 @@ const {
   Rule: { NOSQL_INJECTION_MONGO },
   isNonEmptyObject,
   traverseValues,
-  isString
+  isString,
+  inspect
 } = require('@contrast/common');
 const utils = require('../../tag-utils');
 const { patchType, filterSafeTags } = require('../common');
@@ -82,20 +82,19 @@ module.exports = function(core) {
     }
   } = core;
-  const inspect = patcher.unwrap(util.inspect);
   const instr = core.assess.dataflow.sinks.mongodb = {};
   instr.getQueryVulnerabilityInfo = function getQueryVulnerabilityInfo(query) {
+    const reportSafe = [];
     let vulnInfo = null;
-    let reportSafe = null;
     if (isString(query)) {
       const strInfo = tracker.getData(query);
       if (strInfo) {
         if (isVulnerable(UNTRUSTED, querySafeTags, strInfo.tags)) {
           vulnInfo = { strInfo };
-        } else {
-          reportSafe = { strInfo };
+        } else if (config.assess.safe_positives.enable) {
+          reportSafe.push({ strInfo });
         }
       }
@@ -110,8 +109,8 @@ module.exports = function(core) {
         if (isVulnerable(UNTRUSTED, querySafeTags, strInfo.tags)) {
           vulnInfo = { path: [...path], strInfo };
           return true; // halts traversal
-        } else {
-          reportSafe = { path: [...path], strInfo };
+        } else if (config.assess.safe_positives.enable) {
+          reportSafe.push({ path: [...path], strInfo });
         }
       }
     });
@@ -120,8 +119,8 @@ module.exports = function(core) {
   };
   instr.getAggregateVulnerabilityInfo = function getAggregateVulnerabilityInfo(aggregation) {
+    const reportSafe = [];
     let vulnInfo = null;
-    let reportSafe = null;
     if (!isNonEmptyObject(aggregation)) return { vulnInfo, reportSafe };
@@ -142,8 +141,8 @@ module.exports = function(core) {
           if (isVulnerable(UNTRUSTED, querySafeTags, strInfo.tags)) {
             vulnInfo = { path: [...path], strInfo };
             return true; // halts traversal
-          } else {
-            reportSafe = { path: [...path], strInfo };
+          } else if (config.assess.safe_positives.enable) {
+            reportSafe.push({ path: [...path], strInfo });
           }
         }
       }
@@ -153,16 +152,16 @@ module.exports = function(core) {
   };
   instr.getMapReduceVulnerabilityInfo = function getMapReduceVulnerabilityInfo(argToCheck, argIdx) {
+    const reportSafe = [];
     let vulnInfo = null;
-    let reportSafe = null;
     if (argIdx !== 2 && isString(argToCheck)) {
       const strInfo = tracker.getData(argToCheck);
       if (strInfo) {
         if (isVulnerable(UNTRUSTED, querySafeTags, strInfo.tags)) {
           vulnInfo = { strInfo };
-        } else {
-          reportSafe = { strInfo };
+        } else if (config.assess.safe_positives.enable) {
+          reportSafe.push({ strInfo });
         }
       }
@@ -182,8 +181,8 @@ module.exports = function(core) {
           if (isVulnerable(UNTRUSTED, querySafeTags, strInfo.tags)) {
             vulnInfo = { path: [...path], strInfo };
             return true; // halts traversal
-          } else {
-            reportSafe = { path: [...path], strInfo };
+          } else if (config.assess.safe_positives.enable) {
+            reportSafe.push({ path: [...path], strInfo });
           }
         }
       }
@@ -193,16 +192,16 @@ module.exports = function(core) {
   };
   instr.getGroupVulnerabilityInfo = function getGroupVulnerabilityInfo(argToCheck, argIdx) {
+    const reportSafe = [];
     let vulnInfo = null;
-    let reportSafe = null;
     if (argIdx !== 1 && isString(argToCheck)) {
       const strInfo = tracker.getData(argToCheck);
       if (strInfo) {
         if (isVulnerable(UNTRUSTED, querySafeTags, strInfo.tags)) {
           vulnInfo = { strInfo };
-        } else {
-          reportSafe = { strInfo };
+        } else if (config.assess.safe_positives.enable) {
+          reportSafe.push({ strInfo });
         }
       }
@@ -217,8 +216,8 @@ module.exports = function(core) {
         if (isVulnerable(UNTRUSTED, querySafeTags, strInfo.tags)) {
           vulnInfo = { path: [...path], strInfo };
           return true; // halts traversal
-        } else {
-          reportSafe = { path: [...path], strInfo };
+        } else if (config.assess.safe_positives.enable) {
+          reportSafe.push({ path: [...path], strInfo });
         }
       }
     });
@@ -249,14 +248,21 @@ module.exports = function(core) {
             vulnArgIdx = argIdx;
             break;
           }
-          if (reportSafe) safeReports.push({ ...reportSafe, argIdx });
+          if (config.assess.safe_positives.enable && reportSafe.length) {
+            reportSafe.forEach(el => safeReports.push({ ...el, argIdx }));
+          }
         }
         if (!vulnInfo) {
           if (safeReports.length && config.assess.safe_positives.enable) {
-            const safeTags = safeReports.map((report) => filterSafeTags(querySafeTags, report.strInfo));
+            const safeTags = safeReports
+              .map((report) => filterSafeTags(querySafeTags, report.strInfo))
+              .flat()
+              .filter((value, index, self) => index === self.indexOf(value));
             const strInfo = safeReports.map((report) => {
-              const tags = report.path ? getAdjustedQueryTags(report.path, report.strInfo, inspect(origArgs[report.argIdx], { depth: 4 })) : report.strInfo?.tags;
+              const tags = report.path ? utils.createAdjustedQueryTags(report.path, report.strInfo.tags, report.strInfo.value, inspect(origArgs[report.argIdx], { depth: 4 })) : report.strInfo?.tags;
               return {
                 value: inspect(origArgs[report.argIdx], { depth: 4 }),
@@ -267,7 +273,7 @@ module.exports = function(core) {
             reportSafePositive({
               name,
               ruleId: NOSQL_INJECTION_MONGO,
-              safeTags: safeTags.length === 1 ? safeTags[0] : safeTags,
+              safeTags,
               strInfo: strInfo.length === 1 ? strInfo[0] : strInfo
             });
           }
@@ -282,7 +288,7 @@ module.exports = function(core) {
           tracked: idx === vulnArgIdx,
         }));
-        const tags = path ? getAdjustedQueryTags(path, strInfo, args[vulnArgIdx].value) : strInfo?.tags;
+        const tags = path ? utils.createAdjustedQueryTags(path, strInfo.tags, strInfo.value, args[vulnArgIdx].value) : strInfo?.tags;
         const resultVal = args[args.length - 1].value.startsWith('[Function') ? '' : 'Promise';
         const sinkEvent = createSinkEvent({
           args,
@@ -324,8 +330,6 @@ module.exports = function(core) {
     });
   };
-  return instr;
   function patchCollection(mongodb, version) {
     for (const method of collectionMethods) {
       const proto = mongodb.Collection.prototype;
@@ -402,21 +406,5 @@ module.exports = function(core) {
     return name;
   }
-  function getAdjustedQueryTags(path, strInfo, argString) {
-    const { tags } = strInfo;
-    let idx = -1;
-    for (const str of [...path, strInfo.value]) {
-      // This is the case with the `.aggregate` method
-      // where the argument is an array
-      if (str === 0) continue;
-      idx = argString.indexOf(str, idx);
-      if (idx == -1) {
-        idx = -1;
-        break;
-      }
-    }
-    return idx > 0 ? utils.createAppendTags([], tags, idx) : strInfo.tags;
-  }
+  return instr;
 };