@contrast/agent 4.12.2 → 4.13.0

package/lib/hooks/http.js

@@ -75,93 +75,93 @@ const hookServer = (server, agent, id) => {
     const self = this;
     const [event, req, res] = args;
 
-    if (event === 'request') {
-      logger.debug('Received request %s, method %s', req.url, req.method);
-      return scopes.runInRequestScope({
-        agent,
-        req,
-        res,
-        hookResponse(response, agent) {
-          const { writeHead, end } = response;
-          // XXX(ehden): we keep the original method available to call when handling
-          // blocked requests because of MethodTampering or other rules whose sink
-          // type is RESPONSE_STATUS and which can block at perimeter. We call the original
-          // when we block to prevent recursing through blocks by setting our own 403.
-          response[WRITE_HEAD] = writeHead;
-          response[END] = end;
-
-          /**
-           * Patch writeHead to emit a sink event before calling writeHead
-           *
-           */
-          patcher.patch(response, 'writeHead', {
-            alwaysRun: true,
-            name: 'write-head',
-            patchType: PATCH_TYPES.PROTECT_SINK,
-            pre(data) {
-              const [statusCode, reason] = data.args;
-              let [, , obj] = data.args;
-              let contentType;
-              if (typeof reason !== 'string') {
-                obj = reason;
-              }
-              if (obj && typeof obj === 'object') {
-                for (const [key, value] of Object.entries(obj)) {
-                  if (key.toLowerCase() === 'content-type') {
-                    contentType = value;
-                  }
+    if (event !== 'request') {
+      return emit.apply(self, args);
+    }
+
+    logger.debug('Received request %s, method %s', req.url, req.method);
+    return scopes.runInRequestScope({
+      agent,
+      req,
+      res,
+      hookResponse(response, agent) {
+        const { writeHead, end } = response;
+        // XXX(ehden): we keep the original method available to call when handling
+        // blocked requests because of MethodTampering or other rules whose sink
+        // type is RESPONSE_STATUS and which can block at perimeter. We call the original
+        // when we block to prevent recursing through blocks by setting our own 403.
+        response[WRITE_HEAD] = writeHead;
+        response[END] = end;
+
+        /**
+         * Patch writeHead to emit a sink event before calling writeHead
+         *
+         */
+        patcher.patch(response, 'writeHead', {
+          alwaysRun: true,
+          name: 'write-head',
+          patchType: PATCH_TYPES.PROTECT_SINK,
+          pre(data) {
+            const [statusCode, reason] = data.args;
+            let [, , obj] = data.args;
+            let contentType;
+            if (typeof reason !== 'string') {
+              obj = reason;
+            }
+            if (obj && typeof obj === 'object') {
+              for (const [key, value] of Object.entries(obj)) {
+                if (key.toLowerCase() === 'content-type') {
+                  contentType = value;
                 }
               }
-              if (contentType) {
-                AsyncStorage.set(KEYS.RESPONSE_CONTENT_TYPE, contentType);
-              }
-              emitSinkEvent(statusCode, SINK_TYPES.RESPONSE_STATUS, id, false);
             }
-          });
-
-          patcher.patch(response, 'setHeader', {
-            alwaysRun: true,
-            name: 'set-header',
-            patchType: PATCH_TYPES.ASYNC_CONTEXT,
-            pre(data) {
-              const [name = '', value] = data.args;
-              if (name.toLowerCase() === 'content-type' && value) {
-                AsyncStorage.set(KEYS.RESPONSE_CONTENT_TYPE, value);
-              }
+            if (contentType) {
+              AsyncStorage.set(KEYS.RESPONSE_CONTENT_TYPE, contentType);
+            }
+            emitSinkEvent(statusCode, SINK_TYPES.RESPONSE_STATUS, id, false);
+          }
+        });
+
+        patcher.patch(response, 'setHeader', {
+          alwaysRun: true,
+          name: 'set-header',
+          patchType: PATCH_TYPES.ASYNC_CONTEXT,
+          pre(data) {
+            const [name = '', value] = data.args;
+            if (name.toLowerCase() === 'content-type' && value) {
+              AsyncStorage.set(KEYS.RESPONSE_CONTENT_TYPE, value);
             }
-          });
-
-          // special HTTP logging for responses.
-          if (agent.config.agent.logger.log_outbound_http) {
-            ['end', 'writeHead', 'write'].forEach((method) => {
-              logHook(response, method);
-            });
           }
-        },
-        callback() {
-          const ipEvent = createSourceEvent(
-            req,
-            req,
-            res,
-            'socket.remoteAddress',
-            INPUT_TYPES.IP,
-            id
-          );
-          agentEmitter.emit('http.requestStart', req, res, ipEvent);
-
-          emitSourceEvent(req, req, res, 'method', INPUT_TYPES.METHOD, id);
-          emitSourceEvent(req, req, res, 'headers', INPUT_TYPES.HEADER, id);
-          emitSourceEvent(req, req, res, 'url', INPUT_TYPES.URL, id);
-
-          const rv = emit.apply(self, args);
-
-          agentEmitter.emit('http.requestEnd', req, res);
-          return rv;
+        });
+
+        // special HTTP logging for responses.
+        if (agent.config.agent.logger.log_outbound_http) {
+          ['end', 'writeHead', 'write'].forEach((method) => {
+            logHook(response, method);
+          });
         }
-      });
-    } else {
-      return emit.apply(self, args);
-    }
+      },
+      callback() {
+        const ipEvent = createSourceEvent(
+          req,
+          req,
+          res,
+          'socket.remoteAddress',
+          INPUT_TYPES.IP,
+          id
+        );
+        agentEmitter.emit('http.requestStart', req, res, ipEvent);
+
+        emitSourceEvent(req, req, res, 'method', INPUT_TYPES.METHOD, id);
+        emitSourceEvent(req, req, res, 'headers', INPUT_TYPES.HEADER, id);
+        emitSourceEvent(req, req, res, 'url', INPUT_TYPES.URL, id);
+
+        const rv = emit.apply(self, args);
+
+        agentEmitter.emit('http.requestEnd', req, res);
+        return rv;
+      }
+    });
   };
 };
 

package/lib/hooks/require.js

@@ -22,6 +22,7 @@ const logger = require('../core/logger')('hooks:require');
 class ModuleHook {
   constructor() {
     this.reqHook = new RequireHook(logger);
+    this.reqHook.install();
 
     // RequireHook takes care of hooking but we still need to patch require to
     // emit 'require' events

package/lib/instrumentation.js

@@ -102,6 +102,7 @@ function assessModeFeatures(agent) {
   if (agent.isInAssessMode()) {
     logger.debug('initializing assess mode features');
     require('./assess/policy/init').init(agent);
+    require('./assess/static/read-findings-from-cache')(agent);
     require('./hooks/encoding')();
     require('./hooks/object-to-primitive')();
     require('./hooks/array')();
@@ -121,6 +122,22 @@ function protectModeFeatures({ agent, reporter }) {
     logger.debug('initializing protect mode features');
 
     require('./protect')();
+
+    // if it's native_input_analysis then use agent-lib
+    if (agent.config.agent.node.native_input_analysis) {
+      const lib = require('@contrast/agent-lib');
+      // needs the || '.' for testing...
+      const logDir = agent.config.agent.node.analysis_log_dir || '.';
+      const agentLib = new lib.Agent(
+        { enableLogging: true, logDir, logLevel: "INFO" }
+      );
+      // attach the constants so lib.Agent() isn't exposed.
+      for (const c in lib.constants) {
+        agentLib[c] = lib.constants[c];
+      }
+      agent.agentLib = agentLib;
+    }
+
     const protectService = require('./protect/listeners')(agent, reporter);
     const InputAnalysisSensor = require('./protect/input-analysis');
     require('./protect/sources')(agent);

package/lib/protect/errors/handler-async-errors.js

@@ -0,0 +1,66 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const { KEYS, AsyncStorage } = require('../../core/async-storage');
+const agentEmitter = require('../../agent-emitter');
+const isContrastError = require('../../util/is-contrast-error');
+const process = require('process');
+
+const handledErrors = new WeakSet();
+
+module.exports.install = function() {
+  const originalOn = process.on;
+  process.on = function (name, ...args) {
+    if (name === 'unhandledRejection') {
+      return originalOn.call(
+        this,
+        name,
+        ...args.map(
+          (origHandler) =>
+            function (reason, promise) {
+              if (handledErrors.has(reason)) {
+                return; // skip
+              }
+              return origHandler(reason, promise);
+            },
+        ),
+      );
+    } else {
+      return originalOn.call(this, name, ...args);
+    }
+  };
+
+  process.on('unhandledRejection', function asyncErrorHandling(error) {
+    handlerAsyncErrors(error);
+  });
+
+  function handlerAsyncErrors(error) {
+    let handled = null;
+    if (isContrastError(error)) {
+      const res = AsyncStorage.fromException(error, KEYS.RES);
+      handled = agentEmitter.handleError(error, res);
+    }
+    if (handled) {
+      handledErrors.add(error);
+    } else {
+      console.warn(
+        `An Unhandled Rejection has been caught by the Contrast Security node-agent instrumentation. Error: ${error}`,
+      );
+    }
+  }
+};
+
+

package/lib/protect/input-analysis.js

@@ -35,10 +35,7 @@ class InputAnalysisSensor {
    * for instrumenting both `http` and `https` modules when they load.
    */
   install() {
-    if (
-      this.installed ||
-      !this.agent.config.agent.node.speedracer_input_analysis
-    ) {
+    if (this.installed) {
       return;
     }
     this.installed = true;
@@ -140,7 +137,7 @@ class InputAnalysisSensor {
 
     let permit = true;
     try {
-      const appContext = InputAnalysisSensor.getApplicationContext(method);
+      const appContext = InputAnalysisSensor.makeApplicationContext(method);
       permit = await this.service.analyzeRequest({
         meta,
         req,
@@ -249,10 +246,6 @@ class InputAnalysisSensor {
     return sizeInMb >= this.maxSize;
   }
 
-  static isDone(args) {
-    return args[0] === 'end';
-  }
-
   /**
    * We defer calling the original req.emit of data chunks
    * and end until SR analyzes the request body.
@@ -266,7 +259,8 @@ class InputAnalysisSensor {
    */
   async processBodyAndEmit(meta, context, req, res) {
     const { args, method } = context;
-    const done = InputAnalysisSensor.isDone(args);
+    // the request is done when the end event is emitted
+    const done = args[0] === 'end';
 
     let permit = true;
 
@@ -274,7 +268,7 @@ class InputAnalysisSensor {
       let appContext;
 
       if (done) {
-        appContext = InputAnalysisSensor.getApplicationContext(method);
+        appContext = InputAnalysisSensor.makeApplicationContext(method);
 
         permit = await this.service.analyzeRequestStream({
           meta,
@@ -352,10 +346,10 @@ class InputAnalysisSensor {
   }
 
   /**
-   * Gets the app context and sets the stack with
+   * Makes a new app context and sets the stack with
    * the proper request handler
    */
-  static getApplicationContext(handle) {
+  static makeApplicationContext(handle) {
     const appContext = new ApplicationContext();
     appContext.setStack(handle);
     return appContext;

package/lib/protect/listeners.js

@@ -21,6 +21,7 @@ Copyright: 2022 Contrast Security, Inc
  */
 
 const _ = require('lodash');
+
 const Stream = require('stream');
 const parseurl = require('parseurl');
 const agentEmitter = require('../agent-emitter');
@@ -28,25 +29,28 @@ const ApplicationContext = require('./models/application-context');
 const Request = require('../reporter/models/request');
 const {
   AsyncStorage,
-  KEYS: { SAMPLES, RULES, INPUT_EXCLUSIONS, RES, REQ, REQUEST }
+  KEYS: { SAMPLES, RULES, INPUT_EXCLUSIONS, RES, REQ, REQUEST },
 } = require('../core/async-storage');
 const Samples = require('./samples.js');
 const ProtectService = require('./service');
 const { INPUT_TYPES } = require('../constants');
+const handlerAsyncErrors = require('./errors/handler-async-errors');
 
 module.exports = function protectEventListener(agent, reporter) {
   const service = new ProtectService(agent, reporter);
 
+  handlerAsyncErrors.install();
+
   agentEmitter.on('http.requestStart', (req, res, ipEvent) => {
-    // We're expected to apply exclusions based only on the url path name,
-    // not on the full path (which may include query string)
+    // apply exclusions based only on the url path name, not on the full
+    // path (which may include a query string).
     const { pathname: urlPath } = parseurl(req);
 
     const rules = service.getEnabledRules(urlPath, ipEvent);
     AsyncStorage.set(RULES, rules);
     AsyncStorage.set(
       INPUT_EXCLUSIONS,
-      service.getEnabledInputExclusions(urlPath)
+      service.getEnabledInputExclusions(urlPath),
     );
     AsyncStorage.set(SAMPLES, new Samples());
   });
@@ -65,16 +69,20 @@ module.exports = function protectEventListener(agent, reporter) {
     }
 
     const ctxt = AsyncStorage.getContext();
-    const rules = sourceRuleFilter(_.get(ctxt, RULES));
-    const inputExclusions = _.get(ctxt, INPUT_EXCLUSIONS);
-    const samples = _.get(ctxt, SAMPLES);
-
-    enrichEvent(event, ctxt);
-    if (agent.config.agent.node.speedracer_input_analysis) {
+    if (ctxt.defend) {
+      const { exclusions: inputExclusions, samples } = ctxt.defend;
+      const rules = sourceRuleFilter(ctxt.defend.rules);
+      enrichEvent(event, ctxt);
       enrichSamples(event, samples);
-    }
 
-    service.handleSourceEvent(event, rules, inputExclusions, samples);
+      if (!rules || rules.length === 0) {
+        return;
+      }
+      // it's ugly because this probably should have been here all along as opposed
+      // to "enriching" the event with data from ctxt.
+      event._ctxt = ctxt;
+      service.handleSourceEvent(event, rules, inputExclusions, samples);
+    }
   });
 
   agentEmitter.on('protect.sink', (event) => {
@@ -100,13 +108,13 @@ module.exports = function protectEventListener(agent, reporter) {
  * @param {Object} event the SourceEvent instance
  * @param {Set} storage async protect storage
  */
-function enrichEvent(event, storageCtxt = AsyncStorage.getContext()) {
+function enrichEvent(event, storageCtxt) {
   if (storageCtxt) {
     [
       { key: '_incomingMessage', ctxtKey: REQ },
       { key: '_serverResponse', ctxtKey: RES },
       { key: 'request', ctxtKey: REQUEST },
-      { key: 'response', ctxtKey: RES }
+      { key: 'response', ctxtKey: RES },
     ].forEach(({ key, ctxtKey }) => {
       if (!event[key]) {
         setKey({ storageCtxt, ctxtKey, event, key });
@@ -130,11 +138,8 @@ function enrichEvent(event, storageCtxt = AsyncStorage.getContext()) {
  * @param {SourceEvent} event
  * @param {StorageContext} ctxt
  */
-function enrichSamples(event, samples) {
-  if (event.type !== INPUT_TYPES.URL_PARAMETER) {
-    return;
-  }
 
+function enrichSamples(event, samples) {
   for (const key of Object.keys(event.data)) {
     for (const sample of samples.getAllByType(INPUT_TYPES.URL_PARAMETER)) {
       const decoded = decodeURIComponent(sample.input.name);
@@ -189,14 +194,13 @@ function isStream(data) {
 }
 
 /**
- * This filters out which rules should be involved in the handling of source
- * events. Under some conditions, like when we are using Speedracer for input
- * analysis, we only want a subset of active rules to respond to these events.
+ * return a function that filters out rules that speedracer or agent-lib
+ * handles.
  * @param {Object} config The agent configuration
- * @returns {Rule[]}
+ * @returns {Function} function that returns either filtered or unfiltered rules
  */
 function getSourceRuleFilter(config) {
-  return config.agent.node.speedracer_input_analysis
+  return config.agent.node.speedracer_input_analysis && !config.agent.node.native_input_analysis
     ? (rules) => rules.filter((rule) => rule.inputClassification === false)
     : (rules) => rules;
 }

package/lib/protect/rules/base-scanner/index.js

@@ -67,8 +67,8 @@ class BaseScanner {
    *   1. Parsing the query into a token sequence.
    *   2. Finding all stop/start indices of the input string within the query.
    *   3. Comparing these to the indices of the tokens in the sequence.
-   * @param   {String} substring A single input string.
-   * @param   {String}   query       The query to analize.
+   * @param   {String} substring An input string.
+   * @param   {String} query The query to analyze.
    * @returns {Object[]}
    */
   findInjection(substring, query) {

package/lib/protect/rules/bot-blocker/bot-blocker-rule.js

@@ -23,13 +23,15 @@ const { INPUT_TYPES, IMPORTANCE, PROTECTION_MODES } = require('../common');
 const USER_AGENT = 'user-agent';
 
 class BotBlockerRule extends Rule {
-  constructor(policy = {}) {
-    super(policy);
+  constructor(policy = {}, agent) {
+    super(policy, agent);
     this.id = 'bot-blocker';
     this.name = 'Bot Blocker';
     this.blockAtEntry = true;
     this.mode = PROTECTION_MODES.BLOCK_AT_PERIMETER;
     this.applicableInputs = [INPUT_TYPES.HEADER];
+
+    this.usesLibInputAnalysis = true;
   }
 
   /**

package/lib/protect/rules/cmd-injection/cmdinjection-rule.js

@@ -20,10 +20,11 @@ Copyright: 2022 Contrast Security, Inc
 
 const Rule = require('../');
 const { INPUT_TYPES, SINK_TYPES } = require('../common');
+const logger = require('../../../core/logger')('contrast:rules:protect');
 
 class CMDInjectionRule extends Rule {
-  constructor(policy) {
-    super(policy);
+  constructor(policy, agent) {
+    super(policy, agent);
 
     this.id = 'cmd-injection';
     this.name = 'Command Injection';
@@ -42,6 +43,45 @@ class CMDInjectionRule extends Rule {
       INPUT_TYPES.URL_PARAMETER
     ];
     this.applicableSinks = [SINK_TYPES.COMMAND];
+
+    this.usesLibInputAnalysis = true;
+  }
+
+  /**
+   * Calls down to the agent analysis library for evaluation with the
+   * @param {Samples} applicableSamples Samples cache
+   * @param {Set} params.applicableSamples samples applicable to rule id
+   */
+  evaluateAtSinkForLib({ event, applicableSamples }) {
+    if (applicableSamples.size == 0 || !event.data) {
+      return;
+    }
+
+    for (const sample of applicableSamples) {
+      let evalResult = null;
+      try {
+        const input = sample.input.value;
+        const sinkData = event.data;
+        const inputIndex = sinkData.indexOf(input);
+
+        if (inputIndex !== -1) {
+          evalResult = this.agent.agentLib.checkCommandInjectionSink(
+            inputIndex,
+            input.length,
+            input
+          );
+        }
+      } catch (e) {
+        logger.info(`Failed to evaluate command-injection sink: ${e}`);
+      }
+
+      if (evalResult) {
+        this.appendAttackDetails(sample, evalResult);
+        sample.captureAppContext(event);
+        logger.warn(`EFFECTIVE - rule: ${this.id}, mode: ${this.mode}`);
+        this.blockRequest(sample);
+      }
+    }
   }
 
   /**
@@ -53,6 +93,21 @@ class CMDInjectionRule extends Rule {
   buildDetails(sample, findings) {
     return { command: findings };
   }
+
+  /**
+   * Builds the details for TS UI rendering based on agent lib findings.
+   * @param   {Sample} sample   relevant protect sample
+   * @param   {Object} findings The results from the agent library
+   * @returns {Object}
+   */
+  buildDetailsForLib(sample, findings) {
+    return {
+      command: sample.input.value.substring(
+        findings.startIndex,
+        findings.endIndex
+      )
+    };
+  }
 }
 
 module.exports = CMDInjectionRule;

package/lib/protect/rules/cmd-injection-semantic-chained-commands/cmd-injection-semantic-chained-commands-rule.js

@@ -24,8 +24,8 @@ const UserInputFactory = require('../../../reporter/models/utils/user-input-fact
 const ChainedCommandScanner = require('./chained-command-scanner');
 
 class CMDInjectionSemanticChainedCommandsRule extends Rule {
-  constructor(policy) {
-    super(policy);
+  constructor(policy, agent) {
+    super(policy, agent);
     this.id = 'cmd-injection-semantic-chained-commands';
     this.name = 'Command Injection Chained Commands';
     this.applicableSinks = [SINK_TYPES.COMMAND];
@@ -72,6 +72,35 @@ class CMDInjectionSemanticChainedCommandsRule extends Rule {
     }
   }
 
+  /**
+   * Performs semantic analysis to determine if there are chained subcommands
+   * using agent-lib
+   * @param {ApplicationContext} event Sink event
+   * @param {Request} request Request model
+   * @param {Samples} samples Samples cache
+   */
+  evaluateAtSinkForLib({ event, request, samples }) {
+    const { data: command } = event;
+    const index = this.agent.agentLib.indexOfChaining(command);
+    if (index != -1) {
+      const sample = this.createAndSaveSample({
+        input: UserInputFactory.makeOne({ value: command }),
+        attributes: { effective: true },
+        classification: IMPORTANCE.DEFINITE,
+        event,
+        samples,
+        request
+      });
+
+      this.appendAttackDetails(sample, {
+        command,
+        findings: [CMD_INJECTION_SEMANTIC_TYPES.CHAINING]
+      });
+
+      this.blockRequest(sample);
+    }
+  }
+
   /**
    * Builds the details for TS UI rendering.
    * @param   {Sample} sample   N/a in this rule's case

package/lib/protect/rules/cmd-injection-semantic-dangerous-paths/cmd-injection-semantic-dangerous-paths-rule.js

@@ -24,8 +24,8 @@ const UserInputFactory = require('../../../reporter/models/utils/user-input-fact
 const DangerousPathsScanner = require('./dangerous-paths-scanner');
 
 class CMDInjectionSemanticDangerousPathsRule extends Rule {
-  constructor(policy) {
-    super(policy);
+  constructor(policy, agent) {
+    super(policy, agent);
     this.id = 'cmd-injection-semantic-dangerous-paths';
     this.name = 'Command Injection Dangerous Paths';
     this.applicableSinks = [SINK_TYPES.COMMAND];
@@ -66,6 +66,36 @@ class CMDInjectionSemanticDangerousPathsRule extends Rule {
     }
   }
 
+  /**
+   * Check for dangerous paths in the input command using the agent library.
+   * @param {ApplicationContext} event Sink event
+   * @param {Request} request Request model
+   * @param {Samples} samples Samples cache
+   */
+  evaluateAtSinkForLib({ event, request, samples }) {
+    const { data: command } = event;
+    const containsDangerousPath = this.agent.agentLib.containsDangerousPath(
+      command
+    );
+    if (containsDangerousPath) {
+      const sample = this.createAndSaveSample({
+        input: UserInputFactory.makeOne({ value: command }),
+        attributes: { effective: true },
+        classification: IMPORTANCE.DEFINITE,
+        event,
+        samples,
+        request
+      });
+
+      this.appendAttackDetails(sample, {
+        command,
+        findings: [CMD_INJECTION_SEMANTIC_TYPES.PATH_ARGUMENT]
+      });
+
+      this.blockRequest(sample);
+    }
+  }
+
   /**
    * Builds the details for TS UI rendering.
    * @param   {Sample} sample   N/a in this rule's case