npm - @contrast/assess - Versions diffs - 1.9.0 → 1.11.0 - Mend

@contrast/assess 1.9.0 → 1.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (116) hide show

package/lib/dataflow/sinks/install/mssql.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -21,7 +21,7 @@ const {
   isString
 } = require('@contrast/common');
 const { createModuleLabel } = require('../../propagation/common');
-const { patchType } = require('../common');
+const { patchType, filterSafeTags } = require('../common');
 const safeTags = [
   SQL_ENCODED,
@@ -30,15 +30,18 @@ const safeTags = [
   CUSTOM_ENCODED,
 ];
+const ruleId = SQL_INJECTION;
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
+    config,
     scopes: { sources },
     assess: {
       dataflow: {
         tracker,
-        sinks: { isVulnerable, isLocked, reportFindings },
+        sinks: { isVulnerable, isLocked, reportFindings, reportSafePositive },
         eventFactory: { createSinkEvent },
       },
     },
@@ -54,38 +57,48 @@ module.exports = function(core) {
     ) return;
     const strInfo = tracker.getData(data.args[0]);
-    if (!strInfo || !isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) {
-      return;
-    }
+    if (!strInfo) return;
-    const event = createSinkEvent({
-      name,
-      moduleName: 'mssql',
-      methodName: `PreparedStatement.prototype.${method}`,
-      context: `mssql.PreparedStatement.${method}('${strInfo.value}')`,
-      history: [strInfo],
-      object: {
-        value: `[${createModuleLabel('mssql', version)}].${obj}`,
-        tracked: false,
-      },
-      args: [
-        {
-          value: strInfo.value,
-          tracked: true,
+    if (isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) {
+      const event = createSinkEvent({
+        name,
+        moduleName: 'mssql',
+        methodName: `PreparedStatement.prototype.${method}`,
+        context: `mssql.PreparedStatement.${method}('${strInfo.value}')`,
+        history: [strInfo],
+        object: {
+          value: `[${createModuleLabel('mssql', version)}].${obj}`,
+          tracked: false,
         },
-      ],
-      tags: strInfo.tags,
-      source: 'P0',
-      stacktraceOpts: {
-        contructorOpt: data.hooked,
-        prependFrames: [data.orig]
-      },
-    });
+        args: [
+          {
+            value: strInfo.value,
+            tracked: true,
+          },
+        ],
+        tags: strInfo.tags,
+        source: 'P0',
+        stacktraceOpts: {
+          contructorOpt: data.hooked,
+          prependFrames: [data.orig]
+        },
+      });
-    if (event) {
-      reportFindings({
-        ruleId: SQL_INJECTION,
-        sinkEvent: event,
+      if (event) {
+        reportFindings({
+          ruleId: SQL_INJECTION,
+          sinkEvent: event,
+        });
+      }
+    } else if (config.assess.safe_positives.enable) {
+      reportSafePositive({
+        name,
+        ruleId,
+        safeTags: filterSafeTags(safeTags, strInfo),
+        strInfo: {
+          tags: strInfo.tags,
+          value: strInfo.value,
+        }
       });
     }
   };

package/lib/dataflow/sinks/install/mysql.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sinks/install/postgres.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sinks/install/sequelize.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sinks/install/sqlite3.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sinks/install/vm.js ADDED Viewed

@@ -0,0 +1,276 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { patchType, filterSafeTags } = require('../common');
+const {
+  isString,
+  DataflowTag: {
+    UNTRUSTED,
+    CUSTOM_ENCODED_TRUST_BOUNDARY_VIOLATION,
+    CUSTOM_ENCODED,
+    CUSTOM_VALIDATED_TRUST_BOUNDARY_VIOLATION,
+    CUSTOM_VALIDATED,
+    LIMITED_CHARS,
+  },
+  isNonEmptyObject,
+  inspect,
+  traverseValues,
+  join,
+  split,
+} = require('@contrast/common');
+const { createAdjustedQueryTags } = require('../../tag-utils');
+const ruleId = 'unsafe-code-execution';
+const safeTags = [
+  CUSTOM_ENCODED_TRUST_BOUNDARY_VIOLATION,
+  CUSTOM_ENCODED,
+  CUSTOM_VALIDATED_TRUST_BOUNDARY_VIOLATION,
+  CUSTOM_VALIDATED,
+  LIMITED_CHARS,
+];
+module.exports = function(core) {
+  const {
+    config,
+    depHooks,
+    patcher,
+    scopes: { sources, instrumentation },
+    assess: {
+      dataflow: {
+        tracker,
+        sinks: {
+          isVulnerable,
+          runInActiveSink,
+          isLocked,
+          reportFindings,
+          reportSafePositive,
+        },
+        eventFactory: { createSinkEvent },
+      },
+    },
+  } = core;
+  function accumulateArgsInfo(origArgs, idxsToCheck) {
+    const argsInfo = [];
+    for (let i = 0; i < origArgs.length; i++) {
+      const arg = origArgs[i];
+      const infoObj = {
+        isStringArg: isString(arg),
+        idx: i,
+        sanitizedStrInfos: [],
+        sanitizedStrPaths: []
+      };
+      if (
+        !arg ||
+        !idxsToCheck.includes(i) ||
+        (!infoObj.isStringArg && !isNonEmptyObject(arg))
+      ) {
+        const inspectedArg = inspect(origArgs[i]);
+        infoObj.argsValue = { value: inspectedArg, tracked: false };
+        infoObj.ctxValue = inspectedArg;
+        argsInfo.push(infoObj);
+        continue;
+      }
+      if (infoObj.isStringArg) {
+        const strInfo = tracker.getData(arg);
+        infoObj.strInfo = strInfo;
+        infoObj.argsValue = {
+          value: strInfo ? strInfo.value : arg,
+          tracked: !!strInfo,
+        };
+        infoObj.ctxValue = `"${strInfo?.value || arg}"`;
+        infoObj.isVulnerableArg =
+          strInfo && isVulnerable(UNTRUSTED, safeTags, strInfo.tags);
+        if (strInfo && !infoObj.isVulnerableArg) {
+          infoObj.sanitizedStrInfos.push(strInfo);
+          infoObj.isSanitizedArg = true;
+        }
+      } else {
+        traverseValues(
+          arg,
+          (path, _type, value) => {
+            const strInfo = tracker.getData(value);
+            infoObj.strInfo = strInfo;
+            infoObj.isVulnerableArg =
+              strInfo && isVulnerable(UNTRUSTED, safeTags, strInfo.tags);
+            if (infoObj.isVulnerableArg) {
+              infoObj.vulnerableArgPath = [...path];
+              return true;
+            } else if (strInfo) {
+              infoObj.sanitizedStrInfos.push(strInfo);
+              infoObj.sanitizedStrPaths.push([...path]);
+              infoObj.isSanitizedArg = true;
+            }
+          },
+          100
+        );
+        const inspectedArg = inspect(arg);
+        infoObj.argsValue = { value: inspectedArg, tracked: false };
+        infoObj.ctxValue = inspectedArg;
+      }
+      argsInfo.push(infoObj);
+    }
+    return argsInfo;
+  }
+  function around(next, { args: origArgs, hooked, orig, name }) {
+    const store = sources.getStore()?.assess;
+    if (
+      !store ||
+      instrumentation.isLocked() ||
+      isLocked('unsafe-code-execution')
+    ) {
+      return next();
+    }
+    const methodPath = split(name, '.');
+    const method = methodPath[methodPath.length - 1];
+    const idxsToCheck = method === 'runInNewContext' ? [0, 1] : [0];
+    const argsInfo = accumulateArgsInfo(origArgs, idxsToCheck);
+    const vulnerableArg = argsInfo.find((arg) => arg.isVulnerableArg);
+    const sanitizedArgs = argsInfo.filter((arg) => arg.isSanitizedArg);
+    if (!vulnerableArg && sanitizedArgs.length && config.assess.safe_positives.enable) {
+      const foundSafeTags = sanitizedArgs.reduce((a, c) => {
+        const tags = [];
+        c.sanitizedStrInfos.forEach((i) => {
+          tags.push(filterSafeTags(safeTags, i));
+        });
+        tags.forEach((tag) => a.add(...tag));
+        return a;
+      }, new Set());
+      const strInfo = sanitizedArgs.map((arg) => {
+        const value = inspect(origArgs[arg.idx], { depth: 4 });
+        const tags = [];
+        const strValues = [];
+        arg.sanitizedStrInfos.forEach((info, idx) => {
+          strValues.push(info.value);
+          if (arg.isStringArg) {
+            tags.push(info.tags);
+          } else {
+            tags.push(
+              createAdjustedQueryTags(
+                arg.sanitizedStrPaths[idx] || [],
+                info.tags,
+                info.value,
+                value
+              )
+            );
+          }
+        });
+        return {
+          value,
+          strValues,
+          tags,
+        };
+      });
+      reportSafePositive({
+        name,
+        ruleId,
+        safeTags: Array.from(foundSafeTags),
+        strInfo,
+      });
+      return name === 'vm.runInNewContext'
+        ? runInActiveSink('unsafe-code-execution', () => next())
+        : next();
+    }
+    if (vulnerableArg) {
+      const event = createSinkEvent({
+        name,
+        context: `${name}(${join(
+          argsInfo.map((a) => a.ctxValue),
+          ', '
+        )})`,
+        history: [vulnerableArg.strInfo],
+        object: {
+          value: methodPath.includes('prototype')
+            ? 'vm.Script.prototype'
+            : 'vm',
+          tracked: false,
+        },
+        moduleName: 'vm',
+        methodName: method,
+        args: argsInfo.map((a) => a.argsValue),
+        tags: vulnerableArg.vulnerableArgPath?.length
+          ? createAdjustedQueryTags(
+            vulnerableArg.vulnerableArgPath,
+            vulnerableArg.strInfo.tags,
+            vulnerableArg.strInfo.value,
+            vulnerableArg.argsValue.value
+          )
+          : vulnerableArg.strInfo.tags,
+        source: `P${vulnerableArg.idx}`,
+        stacktraceOpts: {
+          contructorOpt: hooked,
+          prependFrames: [orig],
+        },
+      });
+      if (event) {
+        reportFindings({
+          ruleId,
+          sinkEvent: event,
+        });
+      }
+    }
+    return name === 'vm.runInNewContext'
+      ? runInActiveSink('unsafe-code-execution', () => next())
+      : next();
+  }
+  core.assess.dataflow.sinks.vm = {
+    install() {
+      depHooks.resolve({ name: 'vm' }, (vm) => {
+        [
+          'Script',
+          'createScript',
+          'runInContext',
+          'runInThisContext',
+          'createContext',
+          'runInNewContext',
+        ].forEach((method) => {
+          const name = `vm.${method}`;
+          patcher.patch(vm, method, {
+            name,
+            patchType,
+            around,
+          });
+        });
+        patcher.patch(vm.Script.prototype, 'runInNewContext', {
+          name: 'vm.Script.prototype.runInNewContext',
+          patchType,
+          around,
+        });
+      });
+    },
+  };
+  return core.assess.dataflow.sinks.vm;
+};

package/lib/dataflow/sources/common.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/handler.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/install/body-parser1.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/install/busboy1.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/install/cookie-parser1.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/install/express/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/install/express/params.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/install/express/parsedUrl.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/install/fastify/fastify.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/install/fastify/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/install/formidable1.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/install/http.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/install/koa/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/install/koa/koa-bodyparsers.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/install/koa/koa-routers.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/install/koa/koa2.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/install/qs6.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/install/querystring.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/tag-utils.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -44,7 +44,7 @@ function atomicAppend(firstTagRanges, secondTagRanges, offset) {
 function atomicSubset(tags, subsetStart, len) {
   const ret = [];
-  const subsetStop = subsetStart + len;
+  const subsetStop = subsetStart + len - 1;
   for (let idx = 0; idx < tags.length - 1; idx += 2) {
     const tagStart = tags[idx];
@@ -119,6 +119,42 @@ function atomicMerge(firstTagRanges, secondTagRanges) {
   return finalMergedRanges;
 }
+function atomicExclude(tags, exclusionRange) {
+  const ret = [];
+  const [exclusionStart, exclusionStop] = exclusionRange;
+  for (let idx = 0; idx < tags.length - 1; idx += 2) {
+    const tagStart = tags[idx];
+    const tagStop = tags[idx + 1];
+    if (tagStop < exclusionStart) {
+      ret.push(tagStart, tagStop);
+      // exlusion is below - continue to check next range
+      continue;
+    }
+    if (tagStart > exclusionStop) {
+      ret.push(...tags.slice(idx));
+      // all other ranges are above exclusion so we can stop
+      break;
+    }
+    if (exclusionStart <= tagStart && exclusionStop < tagStop) {
+      ret.push(exclusionStop + 1, tagStop);
+    }
+    if (exclusionStart > tagStart) {
+      ret.push(tagStart, exclusionStart - 1);
+      if (exclusionStop < tagStop) {
+        ret.push(exclusionStop + 1, tagStop);
+      }
+    }
+  }
+  return ret;
+}
 function createAppendTags(firstTags, secondTags, offset) {
   const ret = Object.create(null);
   const firstTagsObject = ensureObject(firstTags);
@@ -204,10 +240,43 @@ function createMergedTags(firstTags, secondTags) {
   return Object.keys(ret).length ? ret : null;
 }
+function createTagsWithExclusion(tags, exclusionRange) {
+  if (!exclusionRange.length) return;
+  const ret = Object.create(null);
+  const tagsObject = ensureObject(tags);
+  for (const tagName of Object.keys(tagsObject)) {
+    const newTagRanges = atomicExclude(ensureTagsImmutable(tagsObject, tagName), exclusionRange);
+    newTagRanges.length && (ret[tagName] = newTagRanges);
+  }
+  return Object.keys(ret).length ? ret : null;
+}
+function createAdjustedQueryTags(path, tags, value, argString) {
+  let idx = -1;
+  for (const str of [...path, value]) {
+    // This is the case where the argument is an array
+    if (str === 0) continue;
+    idx = argString.indexOf(str, idx);
+    if (idx == -1) {
+      idx = -1;
+      break;
+    }
+  }
+  return idx > 0 ? createAppendTags([], tags, idx) : [...tags];
+}
 module.exports = {
   createSubsetTags,
   createAppendTags,
   createFullLengthCopyTags,
   createMergedTags,
+  createTagsWithExclusion,
+  createAdjustedQueryTags,
   createOverlappingTags
 };

package/lib/dataflow/tracker.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial