@contrast/agent 4.12.1 → 4.13.1

package/lib/protect/rules/cmd-injection-semantic-dangerous-paths/cmd-injection-semantic-dangerous-paths-rule.js

@@ -24,8 +24,8 @@ const UserInputFactory = require('../../../reporter/models/utils/user-input-fact
 const DangerousPathsScanner = require('./dangerous-paths-scanner');
 
 class CMDInjectionSemanticDangerousPathsRule extends Rule {
-  constructor(policy) {
-    super(policy);
+  constructor(policy, agent) {
+    super(policy, agent);
     this.id = 'cmd-injection-semantic-dangerous-paths';
     this.name = 'Command Injection Dangerous Paths';
     this.applicableSinks = [SINK_TYPES.COMMAND];
@@ -66,6 +66,36 @@ class CMDInjectionSemanticDangerousPathsRule extends Rule {
     }
   }
 
+  /**
+   * Check for dangerous paths in the input command using the agent library.
+   * @param {ApplicationContext} event Sink event
+   * @param {Request} request Request model
+   * @param {Samples} samples Samples cache
+   */
+  evaluateAtSinkForLib({ event, request, samples }) {
+    const { data: command } = event;
+    const containsDangerousPath = this.agent.agentLib.containsDangerousPath(
+      command
+    );
+    if (containsDangerousPath) {
+      const sample = this.createAndSaveSample({
+        input: UserInputFactory.makeOne({ value: command }),
+        attributes: { effective: true },
+        classification: IMPORTANCE.DEFINITE,
+        event,
+        samples,
+        request
+      });
+
+      this.appendAttackDetails(sample, {
+        command,
+        findings: [CMD_INJECTION_SEMANTIC_TYPES.PATH_ARGUMENT]
+      });
+
+      this.blockRequest(sample);
+    }
+  }
+
   /**
    * Builds the details for TS UI rendering.
    * @param   {Sample} sample   N/a in this rule's case

package/lib/protect/rules/index.js

@@ -28,13 +28,37 @@ const {
 } = require('./common');
 
 class Rule {
-  constructor(policy = { mode: NO_ACTION }) {
+  /**
+   * Rules that need to make use of the agent lib can also take
+   * a second argument: `agent' which is a reference to the agent object.
+   */
+  constructor(policy, agent) {
+    if (!policy) {
+      policy = { mode: NO_ACTION };
+    }
     this.policy = policy;
 
     this.blockAtEntry = policy.mode === BLOCK_AT_PERIMETER;
     this.id = policy.id;
     this.mode = policy.mode;
     this.name = policy.name;
+    this.applicableInputs = [];
+    this.applicableSinks = [];
+    this.agent = agent;
+    const config = (this.agent && this.agent.config) || { agent: { node: {} } };
+
+    this.agentLibEnabled =
+      config.agent.node.native_input_analysis &&
+      config.agent.node.speedracer_input_analysis;
+
+    if (this.agentLibEnabled) {
+      this.evaluator = null;
+    }
+
+    // override this value if the rule uses agent library input analysis.
+    // all rules that agentLibBit applies to use this field with the single
+    // exception of nosqli which uses node input analysis.
+    this.usesLibInputAnalysis = false;
 
     // Samples --> {}
     // This lets us manage non-sample state for each rule. This
@@ -66,10 +90,7 @@ class Rule {
    * @returns {Boolean}
    */
   appliesToInputType(type, name) {
-    return (
-      _.isEmpty(this.applicableInputs) ||
-      _.includes(this.applicableInputs, type)
-    );
+    return this.applicableInputs.length === 0 || this.applicableInputs.includes(type);
   }
 
   /**
@@ -79,11 +100,7 @@ class Rule {
    * @returns {Boolean}
    */
   appliesToSink(type) {
-    if (!this.applicableSinks) {
-      return false;
-    }
-
-    return _.includes(this.applicableSinks, type);
+    return this.applicableSinks.includes(type);
   }
 
   /**
@@ -105,12 +122,6 @@ class Rule {
       return this.signature;
     }
 
-    if (!this.evaluator) {
-      throw new Error(
-        `Rule ${this.id} has no custom evaluator for signature-matching/classification`
-      );
-    }
-
     return this.evaluator;
   }
 
@@ -144,6 +155,7 @@ class Rule {
     const name = sample.input ? sample.input.name : '<anon>';
     const type = sample.input ? sample.input.type : '<no-type>';
 
+    // TODO: should this be ||?
     if (!this.blockAtEntry && !sample.effective) {
       return;
     }
@@ -172,6 +184,10 @@ class Rule {
   preFilterUserInput(input, event, samples) {
     const evaluator = this.getEvaluator();
 
+    if (!evaluator) {
+      return;
+    }
+
     // This is to support the newer API accepting a UserInput,
     let evaluation;
     if (this.signature) {
@@ -188,7 +204,7 @@ class Rule {
       samples
     });
 
-    if (_.get(sample, 'confirmedAttack') === true) {
+    if (sample && sample.confirmedAttack === true && this.mode === BLOCK_AT_PERIMETER) {
       this.blockRequest(sample);
     }
   }
@@ -247,7 +263,7 @@ class Rule {
 
     logger.debug(`${classifiedAs}: ${id} - ${type}.${name}.${value}`);
     if (classifiedAs === IMPORTANCE.NONE) {
-      return;
+      return null;
     }
 
     const sample = samples.addRuleSample({
@@ -277,8 +293,8 @@ class Rule {
       // for CEF extensions
       outcome: this.getAttackStatus(sample),
       pri: this.id,
-      request: _.get(sample, 'request.uri', '').replace(/ /g, '<space>'),
-      spt: _.get(sample, 'request.port', ''),
+      request: (sample.request.uri || '').replace(/ /g, '<space>'),
+      spt: sample.request.port || '',
       requestMethod: sample.request.method,
       src: sample.request.ip,
       value: sample.input.value
@@ -329,7 +345,12 @@ class Rule {
    */
   appendAttackDetails(sample, findings) {
     sample.effective = true;
-    sample.details = this.buildDetails(sample, findings);
+
+    if (!(this.usesLibInputAnalysis && this.agentLibEnabled) || !this.buildDetailsForLib) {
+      sample.details = this.buildDetails(sample, findings);
+    } else {
+      sample.details = this.buildDetailsForLib(sample, findings);
+    }
   }
 }
 

package/lib/protect/rules/ip-denylist/ip-denylist-rule.js

@@ -26,8 +26,8 @@ const {
 const Rule = require('../');
 
 class IpDenylistRule extends Rule {
-  constructor(policy) {
-    super(policy);
+  constructor(policy, agent) {
+    super(policy, agent);
     this._analyzer = new IpAnalyzer(policy.data);
     // TODO: This should go away with CONTRAST-34184
     this._analyzer.on('expired', (expired) => {

package/lib/protect/rules/nosqli/nosql-injection-rule.js

@@ -13,8 +13,8 @@ Copyright: 2022 Contrast Security, Inc
   way not consistent with the End User License Agreement.
 */
 'use strict';
-/* eslint-disable complexity */
 const _ = require('lodash');
+const util = require('util');
 
 const logger = require('../../../core/logger')('contrast:rules:protect');
 const { INPUT_TYPES, SINK_TYPES } = require('../common');
@@ -32,12 +32,12 @@ const ScannerKit = new Map([
   [MONGODB, () => require('../nosqli/nosql-scanner').create('MongoDB')],
   [RETHINKDB, () => require('../nosqli/nosql-scanner').create('RethinkDB')]
 ]);
-const SubstringFinder = require('../base-scanner/substring-finder');
 
 class NoSqlInjectionRule extends require('../') {
-  constructor(policy = {}) {
+  // eslint-disable-next-line default-param-last
+  constructor(policy = {}, agent) {
     policy.inputParseDepth = 3;
-    super(policy);
+    super(policy, agent);
 
     this._scanners = new Map();
 
@@ -52,56 +52,65 @@ class NoSqlInjectionRule extends require('../') {
       INPUT_TYPES.QUERYSTRING,
       INPUT_TYPES.XML_VALUE,
       INPUT_TYPES.URI,
-      INPUT_TYPES.URL_PARAMETER
+      INPUT_TYPES.URL_PARAMETER,
+      INPUT_TYPES.BODY,
+      INPUT_TYPES.MULTIPART_VALUE,
     ];
+
+    // POST bodies are handled by the lib.
+    // if lib is disabled, node input analysis needs to handle this.
+    if (!this.agentLibEnabled) {
+      this.applicableInputs.push(INPUT_TYPES.BODY);
+    }
+
     this.applicableSinks = [SINK_TYPES.NOSQL_QUERY];
+
+    // explicitly set to false so that this rule will continue to use node input analysis.
+    this.usesLibInputAnalysis = false;
   }
 
+  /**
+   * Evaluates the sink data by scanning the document object for repeated instances
+   * of the saved input object/strings. This applies to both string injection and
+   * object expansion.
+   * @param {SinkEvent} event             Emitted by database drivers/wrappers/ORMs
+   * @param {Set}       applicableSamples set of Samples applicable to rule.
+   */
+  // eslint-disable-next-line complexity
   evaluateAtSink({ event, applicableSamples }) {
-    if (_.isEmpty(applicableSamples) || !event.data) {
+    if (applicableSamples.size == 0 || !event.data) {
       return;
     }
 
-    if (typeof event.data === 'object') {
+    const { data } = event;
+    if (typeof data === 'object') {
       for (const sample of applicableSamples) {
-        const requestData = this.getRequestData(sample.input);
-        if (!requestData) {
+        const doc = this.getInput(sample);
+        if (!doc) {
           return;
         }
-        let found;
-        traverse(event.data, (key, value) => {
-          if (found) {
+
+        let evalResult = null;
+        traverse(data, (key, value) => {
+          if (evalResult) {
             return;
           }
 
-          Object.keys(requestData).some((reqKey) => {
-            if (value[reqKey] === requestData[reqKey]) {
-              found = reqKey;
-              return true;
+          // check for _exact_ match under clause for saved user input
+          for (const queryClause of Object.keys(doc)) {
+            if (key === queryClause) {
+              if (_.isEqual(value, doc[queryClause])) {
+                evalResult = this.buildFinding(data, queryClause, doc);
+              }
             }
-          });
+          }
         });
 
-        if (found) {
-          const query = require('util').inspect(event.data, false, null);
-
-          let injection;
-          for (const location of new SubstringFinder(query, found)) {
-            if (location) {
-              injection = {
-                input: found,
-                location,
-                query
-              };
-              break;
-            }
-          }
-          if (injection) {
-            this.appendAttackDetails(sample, injection);
-            sample.captureAppContext(event);
-            logger.warn(`EFFECTIVE - rule: ${this.id}, mode: ${this.mode}`);
-            this.blockRequest(sample);
-          }
+        if (evalResult) {
+          this.appendAttackDetails(sample, evalResult);
+          sample.captureAppContext(event);
+          logger.warn(`EFFECTIVE - rule: ${this.id}, mode: ${this.mode}`);
+          this.blockRequest(sample);
         }
       }
     } else if (typeof event.data === 'string' || event.data instanceof String) {
@@ -120,6 +129,47 @@ class NoSqlInjectionRule extends require('../') {
     }
   }
 
+  /**
+   * Depending on the sample's data, collect the query clause and object
+   * for a given input sample. Handles both body inputs and other types.
+   * If the library is enabled and the input is a JSON body, it will parse
+   * query clauses out and pass them in _inputInfoForSink.
+   * @param   {Sample} sample applicable sample for nosqli
+   * @returns {Object}        relevant query clause and doc object to search for.
+   */
+  getInput(sample) {
+    if (!_.isEmpty(sample._inputInfoForSink)) {
+      return {
+        [sample._inputInfoForSink.queryClause]: sample._inputInfoForSink.docObject
+      };
+    }
+
+    const reqData = this.getRequestData(sample.input);
+
+    return reqData;
+  }
+
+  /**
+   * Build the query object based on the inputs passed and stringify them for reporting.
+   * @param {String} queryClause the mongo query clause (ex: $ne, $where, etc.)
+   * @param {Object} docObject   the document object passed to the mongo function.
+   */
+  buildFinding(queryObject, queryClause, docObject) {
+    // this input string being generated is kinda duplicate work from the input stage
+    // but it is only really hit when a nosqli is found, so I'm not sure its a big deal.
+    const input = util.inspect(docObject, false, null);
+    const query = util.inspect(queryObject, false, null);
+    // this substring being generated is some duplicate work.
+    const start = query.indexOf(input);
+    return {
+      input,
+      // account for query clause, ':' and ' '.
+      start: start - queryClause.length - 2,
+      end: start + (queryClause.length + 2),
+      query
+    };
+  }
+
   /**
    * Given the sample's user input object, will read the value from the request
    * from the async storage context.
@@ -149,7 +199,7 @@ class NoSqlInjectionRule extends require('../') {
       this.buildPathArray(_documentPath, pathArray);
     } else {
       // only qs params and body are "expandable"
-      pathArray.push('body', ..._documentPath.split('.'));
+      pathArray.push('query', ..._documentPath.split('.'));
     }
 
     let data;
@@ -213,9 +263,24 @@ class NoSqlInjectionRule extends require('../') {
       return null;
     }
 
+    // if it's not the old node format, then it's the agent-lib format.
+    // yeah, i know it's ugly.
+    if (!findings.boundary) {
+      const { start, end, query } = findings;
+      return {
+        start,
+        end,
+        // since there are no actual `token boundary overruns' in nosqli,
+        // are these not the exact same as start and end?
+        boundaryOverrunIndex: end,
+        inputBoundaryIndex: start,
+        query
+      };
+    }
+
     const { boundary, location, query } = findings;
     let inputBoundaryIndex, boundaryOverrunIndex;
-    const start = location[0];
+    const start = location[0]; // eslint-disable-line
     const end = location[1] + 1;
 
     if (boundary) {

package/lib/protect/rules/path-traversal/path-traversal-rule.js

@@ -41,7 +41,10 @@ class PathTraversalRule extends Rule {
       INPUT_TYPES.URI,
       INPUT_TYPES.URL_PARAMETER
     ];
+
     this.applicableSinks = [SINK_TYPES.FILE_PATH];
+
+    this.usesLibInputAnalysis = true;
   }
 
   /**

package/lib/protect/rules/rule-factory.js

@@ -27,7 +27,6 @@ const DEFAULT_SETTINGS = { serverFeatures: { defend: { enabled: false } } };
  * implemented, we add its constructor path to provide support.
  */
 const ctors = {
-  /* eslint-disable prettier/prettier */
   // protect rules
   [RULES.CMD_INJECTION]: require('./cmd-injection/cmdinjection-rule'),
   [RULES.CMD_INJECTION_COMMAND_BACKDOORS]: require('./cmd-injection-command-backdoors/cmd-injection-command-backdoors-rule'),
@@ -46,15 +45,15 @@ const ctors = {
   [RULES.BOT_BLOCKER]: require('./bot-blocker/bot-blocker-rule'),
   [RULES.IP_DENYLIST]: require('./ip-denylist/ip-denylist-rule'),
   [RULES.VIRTUAL_PATCH]: require('./virtual-patch/virtual-patch-rule'),
-  /* eslint-enable */
 };
 
 class ProtectRuleFactory {
-  constructor({ featureSet = DEFAULT_SETTINGS, enabled }) {
+  constructor({ featureSet = DEFAULT_SETTINGS, enabled, agent }) {
     this.featureSet = featureSet;
     this.settings = {
       exceptions: []
     };
+    this.agent = agent;
     this.policies = {};
     this.signatures = new SignatureKit();
 
@@ -180,7 +179,7 @@ class ProtectRuleFactory {
    */
   IpDenylist() {
     const policy = this.policies[RULES.IP_DENYLIST];
-    return new ctors[RULES.IP_DENYLIST](policy);
+    return new ctors[RULES.IP_DENYLIST](policy, this.agent);
   }
 
   /**
@@ -189,7 +188,7 @@ class ProtectRuleFactory {
    */
   BotBlocker() {
     const policy = this.policies[RULES.BOT_BLOCKER];
-    return new ctors[RULES.BOT_BLOCKER](policy);
+    return new ctors[RULES.BOT_BLOCKER](policy, this.agent);
   }
 
   /**
@@ -198,7 +197,7 @@ class ProtectRuleFactory {
    */
   VirtualPatchRules() {
     return this.policies[RULES.VIRTUAL_PATCH].map(
-      (policy) => new ctors[RULES.VIRTUAL_PATCH](policy)
+      (policy) => new ctors[RULES.VIRTUAL_PATCH](policy, this.agent)
     );
   }
 
@@ -224,7 +223,7 @@ class ProtectRuleFactory {
       policy.enable_rep = enableRep;
 
       if (ProtectRuleFactory.shouldBuildRule(policy)) {
-        const rule = new ctors[id](policy);
+        const rule = new ctors[id](policy, this.agent);
         rule.signature = this.signatures.get(id);
         memo.push(rule);
       }

package/lib/protect/rules/signatures/signature.js

@@ -162,6 +162,9 @@ const createPatterns = (patternDefs) =>
 class Signature {
   constructor(definition) {
     this.name = definition.name;
+    // the following is undefined if the rule is not an input to the
+    // agent-lib score functions.
+    this.agentLibBit = definition.agentLibBit;
     this.keywordSearchers = normalizeScores(
       createKeywords(definition.keywordsList)
     );

package/lib/protect/rules/sqli/sql-injection-rule.js

@@ -15,7 +15,6 @@ Copyright: 2022 Contrast Security, Inc
 'use strict';
 
 const _ = require('lodash');
-
 const logger = require('../../../core/logger')('contrast:rules:protect');
 const { IMPORTANCE, INPUT_TYPES, SINK_TYPES } = require('../common');
 const isGenericComplicated = require('./generic-complicated');
@@ -38,8 +37,8 @@ const ScannerKit = new Map([
 ]);
 
 class SQLInjectionRule extends require('../') {
-  constructor(policy) {
-    super(policy);
+  constructor(policy, agent) {
+    super(policy, agent);
 
     this._scanners = new Map();
 
@@ -57,15 +56,29 @@ class SQLInjectionRule extends require('../') {
       INPUT_TYPES.QUERYSTRING,
       INPUT_TYPES.XML_VALUE,
       INPUT_TYPES.URI,
-      INPUT_TYPES.URL_PARAMETER
+      INPUT_TYPES.URL_PARAMETER,
     ];
     this.applicableSinks = [SINK_TYPES.SQL_QUERY];
+
+    // if not using agentLib this constructor is done.
+    if (!agent.agentLib) {
+      return;
+    }
+
+    this.dbFlavors = {};
+    for (const flavor in agent.agentLib.DbType) {
+      this.dbFlavors[flavor.toLowerCase()] = this.agent.agentLib.DbType[flavor];
+    }
+    this.dbFlavorKeys = Object.keys(this.dbFlavors);
+
+    this.usesLibInputAnalysis = true;
   }
 
   /**
    * Evaluates the sink data by scanning the code string for injections
    * by collected sample inputs.
    * @param {SinkEvent} event Emitted by database drivers/wrappers/ORMs
+   * @param {Set(Sample)} applicableSamples Samples matching sql-injection criteria
    */
   evaluateAtSink({ event, applicableSamples }) {
     if (_.isEmpty(applicableSamples) || !event.data) {
@@ -88,9 +101,65 @@ class SQLInjectionRule extends require('../') {
     }
   }
 
+  /**
+   * Evaluates the sink data by scanning the code string for injections
+   * by collected sample inputs. Rather than using the node evaluators,
+   * this takes advantage of the agent-lib.
+   * @param {SinkEvent} event Emitted by database drivers/wrappers/ORMs
+   * @param {Sample[]}  applicableSamples samples that apply to SQL injection.
+   */
+  // eslint-disable-next-line complexity
+  evaluateAtSinkForLib({ event, applicableSamples }) {
+    if (applicableSamples.size == 0 || !event.data) {
+      return;
+    }
+
+    const tag = this.dbFlavorKeys.find((name) => event.tags.has(name));
+    const dialect = this.dbFlavors[tag] || this.dbFlavors.mysql;
+
+    for (const sample of applicableSamples) {
+      let evalResult = null;
+      try {
+        const input = sample.input.value;
+        const sinkData = event.data;
+        const inputIndex = sinkData.indexOf(input);
+
+        if (inputIndex !== -1) {
+          evalResult = this.agent.agentLib.checkSqlInjectionSink(
+            inputIndex,
+            input.length,
+            dialect,
+            sinkData
+          );
+          if (evalResult) {
+            // capture the query for reporting purposes.
+            evalResult.query = sinkData;
+          } else if (inputIndex === 0 && input.length === sinkData.length) {
+            evalResult = {
+              startIndex: 0,
+              endIndex: input.length - 1,
+              overrunIndex: 0,
+              boundaryIndex: 0,
+              sinkData,
+            };
+          }
+        }
+      } catch (e) {
+        logger.info(`Failed to evaluate command-injection sink: ${e}`);
+      }
+
+      if (evalResult) {
+        this.appendAttackDetails(sample, evalResult);
+        sample.captureAppContext(event);
+        logger.warn(`EFFECTIVE - rule: ${this.id}, mode: ${this.mode}`);
+        this.blockRequest(sample);
+      }
+    }
+  }
+
   /**
    * In addition to using the traditional signature matching, this rule will
-   * also check wether the input has other characteristics that warrant bumping
+   * also check whether the input has other characteristics that warrant bumping
    * an evaluation's importance from NONE -> WORTH_WATCHING.
    * @returns {}
    */
@@ -141,6 +210,30 @@ class SQLInjectionRule extends require('../') {
     };
   }
 
+  /**
+   * Builds details for Sql Injection Attack from agent-lib evaluation
+   * results.
+   * @param   {Sample} sample   The Sample for the attack
+   * @param   {Object} findings The results of the sink analysis
+   * @returns {Object}          The details
+   */
+  buildDetailsForLib(sample, finding) {
+    if (!finding) {
+      return null;
+    }
+
+    const { query } = finding;
+
+    return {
+      start: finding.startIndex,
+      end: finding.endIndex,
+      input: sample.input.toSerializable(),
+      boundaryOverrunIndex: finding.overrunIndex,
+      inputBoundaryIndex: finding.boundaryIndex,
+      query
+    };
+  }
+
   /**
    * Returns the appropriate scanner for the SQL dialect.
    * @param {String} id The id of the scanner

package/lib/protect/rules/sqli/sql-scanner/labels.json

@@ -115,9 +115,6 @@
     ")"  : "operator",
     ","  : "operator",
     "*"  : "operator",
-    "="  : "operator",
-    "^"  : "operator",
-    "!"  : "operator",
 
     ";": "terminator"
   },

package/lib/protect/rules/xss/reflected-xss-rule.js

@@ -14,8 +14,6 @@ Copyright: 2022 Contrast Security, Inc
 */
 'use strict';
 
-const _ = require('lodash');
-
 const logger = require('../../../core/logger')('contrast:rules:protect');
 const { INPUT_TYPES, SINK_TYPES } = require('../common');
 
@@ -40,6 +38,8 @@ class ReflectedXssRule extends require('../') {
       INPUT_TYPES.URL_PARAMETER
     ];
     this.applicableSinks = [SINK_TYPES.RESPONSE_BODY];
+
+    this.usesLibInputAnalysis = true;
   }
   /**
    * Evaluates a SinkEvent contingent on <code>applicableSinks</code>.
@@ -48,7 +48,7 @@ class ReflectedXssRule extends require('../') {
    * @param {Set<Sample>} params.applicableSamples all (definite and ww) samples for xss
    */
   evaluateAtSink({ event, applicableSamples }) {
-    if (!applicableSamples.size || !_.isString(event.data)) {
+    if (!applicableSamples.size) {
       return;
     }