@contrast/agent 4.12.2 → 4.14.0

package/lib/core/async-storage/hooks/mysql.js

@@ -16,13 +16,15 @@ Copyright: 2022 Contrast Security, Inc
 
 const logger = require('../../logger')('contrast:async-storage:hooks');
 const { AsyncStorage } = require('../index');
+const { Scopes } = require('../scopes');
 const { ASYNC_CONTEXT } = require('../../../constants').PATCH_TYPES;
 const requireHook = require('../../../hooks/require');
 const patcher = require('../../../hooks/patcher');
+const { bindFnArgAtIndex } = require('./utils');
 
 module.exports = function init() {
   // done only to stub these fns for tests
-  const { patchSequence, patchPool } = module.exports;
+  const { patchSequence, patchPool, patchQuery } = module.exports;
 
   // this callback _must return_ the patched function to set export
   requireHook.resolve(
@@ -36,12 +38,20 @@ module.exports = function init() {
   requireHook.resolve({ name: 'mysql', file: 'lib/Pool.js' }, (Pool) =>
     patchPool(Pool)
   );
+
+  requireHook.resolve(
+    { name: 'mysql2', file: 'lib/commands/query.js' },
+    (Query) => patchQuery(Query)
+  );
 };
 
 module.exports.patchSequence = patchSequence;
 module.exports.sequencePostHook = sequencePostHook;
 module.exports.patchPool = patchPool;
 module.exports.poolPreHook = poolPreHook;
+module.exports.patchQuery = patchQuery;
+module.exports.queryPreHook = queryPreHook;
+module.exports.runInAllowAllScope = runInAllowAllScope;
 
 /**
  * Patches the Sequence constructor which the protocol classes inherit.
@@ -62,12 +72,15 @@ function patchSequence(sequenceCtor) {
  * Typically in a constructor the data.result would be the instance. But mysql
  * has the subclasses e.g. Query, do Sequence.call(this, cb). In this case the
  * data.obj is the instance.
- * @param {object} data.obj sequnce instance
+ * @param {object} data.obj sequence instance
  */
-function sequencePostHook({ obj }) {
+function sequencePostHook({ obj, funcKey: identifier }) {
+  // done only to stub this fn for tests
+  const { runInAllowAllScope } = module.exports;
   try {
     if (obj && obj._callback && typeof obj._callback === 'function') {
-      obj._callback = AsyncStorage.bind(obj._callback);
+      const cb = obj._callback;
+      obj._callback = AsyncStorage.bind(runInAllowAllScope(cb, identifier));
     }
     AsyncStorage.getNamespace().bindEmitter(obj);
   } catch (err) {
@@ -75,6 +88,13 @@ function sequencePostHook({ obj }) {
   }
 }
 
+// Created only for the purpose of testing
+function runInAllowAllScope (cb, identifier) {
+  return function (...args) {
+    return Scopes.runInAllowAllScope(() => cb.call(this, ...args), identifier);
+  };
+}
+
 /**
  * Patches Pool.prototype.getConnection.
  * @param {function} poolCtor Pool constructor fn
@@ -92,12 +112,43 @@ function patchPool(poolCtor) {
  * Binds callback (when present) to cls.
  * @param {object} data.args getConnection arguments
  */
-function poolPreHook({ args }) {
+function poolPreHook({ args, funcKey: identifier }) {
   try {
     if (args.length && typeof args[0] === 'function') {
-      args[0] = AsyncStorage.bind(args[0]);
+      bindFnArgAtIndex({ args, idx: 0, identifier });
     }
   } catch (err) {
     logger.warn('Unable to patch Pool.prototype.getConnection: %o', err);
   }
 }
+
+/**
+ * Patches the Query constructor.
+ * This _must return_ the patched value to set the export in require hook.
+ * @param {function} queryCtor Query constructor fn
+ * @returns {function}
+ */
+function patchQuery(queryCtor) {
+  return patcher.patch(queryCtor, {
+    name: 'mysql2.lib/commands/query.js.Query',
+    patchType: ASYNC_CONTEXT,
+    alwaysRun: true,
+    pre: queryPreHook
+  });
+}
+
+/**
+ * Binds callback (when present) to the context the constructor is called in..
+ * @param {object} data the argument for the preHook
+ * @param {object} data.args the arguments passed to the Query constructor
+ * @param {object} data.funcKey Contrast funcKey identifier for a hooked Query function
+ */
+function queryPreHook({ args, funcKey: identifier }) {
+  try {
+    if (args.length && args[1] && typeof args[1] === 'function') {
+      bindFnArgAtIndex({ args, idx: 1, identifier });
+    }
+  } catch (err) {
+    logger.warn('Unable to patch Query constructor: %o', err);
+  }
+}

package/lib/core/config/options.js

@@ -411,6 +411,12 @@ const agent = [
     fn: castBoolean,
     desc: 'do agent-native input analysis prior to any external analysis',
   },
+  {
+    name: 'agent.node.analysis_log_dir',
+    arg: '<path>',
+    default: '.',
+    desc: 'directory to use for the native input analysis log file'
+  },
   {
     name: 'agent.node.unsafe.deadzones',
     arg: '<modules>',
@@ -466,12 +472,6 @@ const agent = [
     fn: parseNum,
     desc: 'set limit for stack trace size (larger limits will improve accuracy but increase memory usage)',
   },
-  {
-    name: 'agent.trust_custom_validators',
-    arg: '<trust-custom-validators>',
-    default: false,
-    desc: `trust incoming strings when they pass custom validators (Mongoose, Joi)`,
-  },
   {
     name: 'agent.traverse_and_track',
     arg: '<traverse-and-track>',
@@ -708,6 +708,12 @@ const assess = [
     fn: castBoolean,
     desc: 'if false, disable assess for this agent. A restart is required to re-enable',
   },
+  {
+    name: 'assess.trust_custom_validators',
+    arg: '<trust-custom-validators>',
+    default: false,
+    desc: 'trust incoming strings when they pass custom validators (Mongoose, Joi)',
+  },
   {
     name: 'assess.enable_preflight',
     arg: '[false]',

package/lib/core/config/util.js

@@ -15,6 +15,7 @@ Copyright: 2022 Contrast Security, Inc
 'use strict';
 const _ = require('lodash');
 
+const os = require('os');
 const process = require('process');
 const path = require('path');
 const fs = require('fs');
@@ -24,7 +25,6 @@ const stringify = require('json-stable-stringify');
 const common = require('./options');
 const configOptions = common.options;
 const { configPathEnvVars } = common;
-const fileFinder = require('../../util/file-finder');
 const util = module.exports;
 
 /**
@@ -143,37 +143,23 @@ class Config {
 
 /**
  * Find location of config given options and name of config file
- * @param {Object} cliOptions
- * @param {string} cliOptions.script
- * @param {string} filename
  * @return {string|void} path, if valid
  */
-function checkConfigPath({ script }, filename) {
-  const configDir =
-    require('os').platform() === 'win32'
-      ? `${process.env['ProgramData']}\\contrast`
-      : '/etc/contrast';
-  const guesses = [
-    // try to find in cwd
-    { dir: process.cwd(), attempts: 1 },
-
-    // try to find in /etc/contrast/.. or %ProgramData%\contrast\..
-    { dir: configDir, attempts: 1 },
-
-    // The directory of the application under test such as node_modules/mocha/bin or server.
-    { dir: path.dirname(script) },
-
-    // The directory of this Contrast agent module, assuming it
-    // came packaged with an enterprise-wide contrast.json.
-    { dir: path.resolve(__dirname, '..', '..'), attempts: 1 }
-  ];
-
-  for (const guess of guesses) {
-    const configPath = fileFinder.findFile(guess.dir, filename, guess.attempts);
-    if (configPath) return configPath;
+function checkConfigPath() {
+  const configDir = os.platform() === 'win32'
+    ? `${process.env['ProgramData']}\\contrast`
+    : '/etc/contrast';
+
+  for (const dir of [process.cwd(), configDir]) {
+    const checkPath = path.resolve(dir, 'contrast_security.yaml');
+    if (fs.existsSync(checkPath)) {
+      return checkPath;
+    }
   }
+  return;
 }
 
+
 /**
  * @param {Object} cliOptions
  * @param {string} cliOptions.script
@@ -185,11 +171,7 @@ function getConfigPath(cliOptions) {
     cliOptions.configFile ||
     process.env[configPathEnvVars.path] ||
     process.env[configPathEnvVars.deprecated] ||
-    checkConfigPath(cliOptions, 'contrast_security.yaml') ||
-    checkConfigPath(cliOptions, 'contrast_security.yml') ||
-    checkConfigPath(cliOptions, 'contrast.yaml') ||
-    checkConfigPath(cliOptions, 'contrast.yml') ||
-    checkConfigPath(cliOptions, 'contrast.json')
+    checkConfigPath()
   );
 }
 
@@ -312,7 +294,7 @@ function mergeCliOptions(cliOptions, logger) {
     // set from default
     if (value === undefined) {
       if (required) {
-        logger.error(`Missing required option '%s'`, name);
+        logger.error('Missing required option \'%s\'', name);
         return options;
       }
 

package/lib/core/exclusions/input.js

@@ -29,7 +29,8 @@ const generalizedInputTypes = {
   [INPUT_TYPES.COOKIE_VALUE]: EXCLUSION_INPUT_TYPES.COOKIE,
   [INPUT_TYPES.HEADER]: EXCLUSION_INPUT_TYPES.HEADER,
   [INPUT_TYPES.PARAMETER_NAME]: EXCLUSION_INPUT_TYPES.PARAMETER,
-  [INPUT_TYPES.PARAMETER_VALUE]: EXCLUSION_INPUT_TYPES.PARAMETER
+  [INPUT_TYPES.PARAMETER_VALUE]: EXCLUSION_INPUT_TYPES.PARAMETER,
+  [INPUT_TYPES.URL_PARAMETER]: EXCLUSION_INPUT_TYPES.PARAMETER
 };
 const { BODY, PARAMETER, QUERYSTRING } = EXCLUSION_INPUT_TYPES;
 
@@ -47,6 +48,10 @@ class InputExclusion extends UrlExclusion {
     this.inputName = dtm.inputName;
   }
 
+  shouldExclude(ruleId, type, name) {
+    return this.appliesToProtectRule(ruleId) && this.appliesToInputType(type) && this.matches(name);
+  }
+
   appliesToInputType(type) {
     return (
       this.inputType === InputExclusion.generalizeInputType(type) ||

package/lib/core/express/index.js

@@ -237,7 +237,7 @@ class ExpressFramework {
 
     if (!app || !app.defaultConfiguration) {
       logger.error(
-        `non-express application mistakenly registered`,
+        'non-express application mistakenly registered',
         new Error().stack,
       );
       return;
@@ -336,9 +336,7 @@ class ExpressFramework {
     }, 'textParser');
 
     this.useAfter(function ContrastBodyParsed(req, res, next) {
-      agentEmitter.emit(EVENTS.BODY_PARSED, req, res, {
-        type: INPUT_TYPES.BODY,
-      });
+      agentEmitter.emit(EVENTS.BODY_PARSED, req, res, INPUT_TYPES.BODY);
       next();
     }, 'urlencodedParser');
 

package/lib/core/logger/debug-logger.js

@@ -311,8 +311,8 @@ class DebugLogFactory {
     logger.console = this.mute
       ? noop
       : function() {
-        return console.log(...arguments); // eslint-disable-line
-        };
+        return console.log(...arguments); // eslint-disable-line prefer-rest-params
+      };
 
     [...levelNames, 'console'].forEach((level) => {
       if (level === 'console') {

package/lib/core/stacktrace.js

@@ -65,7 +65,8 @@ class Factory {
         const eventFrames = [];
         const clsFrames = [];
         const callsites = Factory.generateCallsites(target);
-        /* eslint-disable complexity */
+
+        // eslint-disable-next-line complexity
         ret = (callsites || []).reduce((acc, callsite) => {
           if (Factory.isCallsiteValid(callsite)) {
             const frame = Factory.makeFrame(callsite);

package/lib/hooks/http.js

@@ -75,93 +75,93 @@ const hookServer = (server, agent, id) => {
     const self = this;
     const [event, req, res] = args;
 
-    if (event === 'request') {
-      logger.debug('Received request %s, method %s', req.url, req.method);
-      return scopes.runInRequestScope({
-        agent,
-        req,
-        res,
-        hookResponse(response, agent) {
-          const { writeHead, end } = response;
-          // XXX(ehden): we keep the original method available to call when handling
-          // blocked requests because of MethodTampering or other rules whose sink
-          // type is RESPONSE_STATUS and which can block at perimeter. We call the original
-          // when we block to prevent recursing through blocks by setting our own 403.
-          response[WRITE_HEAD] = writeHead;
-          response[END] = end;
-
-          /**
-           * Patch writeHead to emit a sink event before calling writeHead
-           *
-           */
-          patcher.patch(response, 'writeHead', {
-            alwaysRun: true,
-            name: 'write-head',
-            patchType: PATCH_TYPES.PROTECT_SINK,
-            pre(data) {
-              const [statusCode, reason] = data.args;
-              let [, , obj] = data.args;
-              let contentType;
-              if (typeof reason !== 'string') {
-                obj = reason;
-              }
-              if (obj && typeof obj === 'object') {
-                for (const [key, value] of Object.entries(obj)) {
-                  if (key.toLowerCase() === 'content-type') {
-                    contentType = value;
-                  }
+    if (event !== 'request') {
+      return emit.apply(self, args);
+    }
+
+    logger.debug('Received request %s, method %s', req.url, req.method);
+    return scopes.runInRequestScope({
+      agent,
+      req,
+      res,
+      hookResponse(response, agent) {
+        const { writeHead, end } = response;
+        // XXX(ehden): we keep the original method available to call when handling
+        // blocked requests because of MethodTampering or other rules whose sink
+        // type is RESPONSE_STATUS and which can block at perimeter. We call the original
+        // when we block to prevent recursing through blocks by setting our own 403.
+        response[WRITE_HEAD] = writeHead;
+        response[END] = end;
+
+        /**
+         * Patch writeHead to emit a sink event before calling writeHead
+         *
+         */
+        patcher.patch(response, 'writeHead', {
+          alwaysRun: true,
+          name: 'write-head',
+          patchType: PATCH_TYPES.PROTECT_SINK,
+          pre(data) {
+            const [statusCode, reason] = data.args;
+            let [, , obj] = data.args;
+            let contentType;
+            if (typeof reason !== 'string') {
+              obj = reason;
+            }
+            if (obj && typeof obj === 'object') {
+              for (const [key, value] of Object.entries(obj)) {
+                if (key.toLowerCase() === 'content-type') {
+                  contentType = value;
                 }
               }
-              if (contentType) {
-                AsyncStorage.set(KEYS.RESPONSE_CONTENT_TYPE, contentType);
-              }
-              emitSinkEvent(statusCode, SINK_TYPES.RESPONSE_STATUS, id, false);
             }
-          });
-
-          patcher.patch(response, 'setHeader', {
-            alwaysRun: true,
-            name: 'set-header',
-            patchType: PATCH_TYPES.ASYNC_CONTEXT,
-            pre(data) {
-              const [name = '', value] = data.args;
-              if (name.toLowerCase() === 'content-type' && value) {
-                AsyncStorage.set(KEYS.RESPONSE_CONTENT_TYPE, value);
-              }
+            if (contentType) {
+              AsyncStorage.set(KEYS.RESPONSE_CONTENT_TYPE, contentType);
+            }
+            emitSinkEvent(statusCode, SINK_TYPES.RESPONSE_STATUS, id, false);
+          }
+        });
+
+        patcher.patch(response, 'setHeader', {
+          alwaysRun: true,
+          name: 'set-header',
+          patchType: PATCH_TYPES.ASYNC_CONTEXT,
+          pre(data) {
+            const [name = '', value] = data.args;
+            if (name.toLowerCase() === 'content-type' && value) {
+              AsyncStorage.set(KEYS.RESPONSE_CONTENT_TYPE, value);
             }
-          });
-
-          // special HTTP logging for responses.
-          if (agent.config.agent.logger.log_outbound_http) {
-            ['end', 'writeHead', 'write'].forEach((method) => {
-              logHook(response, method);
-            });
           }
-        },
-        callback() {
-          const ipEvent = createSourceEvent(
-            req,
-            req,
-            res,
-            'socket.remoteAddress',
-            INPUT_TYPES.IP,
-            id
-          );
-          agentEmitter.emit('http.requestStart', req, res, ipEvent);
-
-          emitSourceEvent(req, req, res, 'method', INPUT_TYPES.METHOD, id);
-          emitSourceEvent(req, req, res, 'headers', INPUT_TYPES.HEADER, id);
-          emitSourceEvent(req, req, res, 'url', INPUT_TYPES.URL, id);
-
-          const rv = emit.apply(self, args);
-
-          agentEmitter.emit('http.requestEnd', req, res);
-          return rv;
+        });
+
+        // special HTTP logging for responses.
+        if (agent.config.agent.logger.log_outbound_http) {
+          ['end', 'writeHead', 'write'].forEach((method) => {
+            logHook(response, method);
+          });
         }
-      });
-    } else {
-      return emit.apply(self, args);
-    }
+      },
+      callback() {
+        const ipEvent = createSourceEvent(
+          req,
+          req,
+          res,
+          'socket.remoteAddress',
+          INPUT_TYPES.IP,
+          id
+        );
+        agentEmitter.emit('http.requestStart', req, res, ipEvent);
+
+        emitSourceEvent(req, req, res, 'method', INPUT_TYPES.METHOD, id);
+        emitSourceEvent(req, req, res, 'headers', INPUT_TYPES.HEADER, id);
+        emitSourceEvent(req, req, res, 'url', INPUT_TYPES.URL, id);
+
+        const rv = emit.apply(self, args);
+
+        agentEmitter.emit('http.requestEnd', req, res);
+        return rv;
+      }
+    });
   };
 };
 

package/lib/hooks/require.js

@@ -22,6 +22,7 @@ const logger = require('../core/logger')('hooks:require');
 class ModuleHook {
   constructor() {
     this.reqHook = new RequireHook(logger);
+    this.reqHook.install();
 
     // RequireHook takes care of hooking but we still need to patch require to
     // emit 'require' events

package/lib/instrumentation.js

@@ -102,6 +102,7 @@ function assessModeFeatures(agent) {
   if (agent.isInAssessMode()) {
     logger.debug('initializing assess mode features');
     require('./assess/policy/init').init(agent);
+    require('./assess/static/read-findings-from-cache')(agent);
     require('./hooks/encoding')();
     require('./hooks/object-to-primitive')();
     require('./hooks/array')();
@@ -121,6 +122,22 @@ function protectModeFeatures({ agent, reporter }) {
     logger.debug('initializing protect mode features');
 
     require('./protect')();
+
+    // if it's native_input_analysis then use agent-lib
+    if (agent.config.agent.node.native_input_analysis) {
+      const lib = require('@contrast/agent-lib');
+      // needs the || '.' for testing...
+      const logDir = agent.config.agent.node.analysis_log_dir || '.';
+      const agentLib = new lib.Agent(
+        { enableLogging: true, logDir, logLevel: "INFO" }
+      );
+      // attach the constants so lib.Agent() isn't exposed.
+      for (const c in lib.constants) {
+        agentLib[c] = lib.constants[c];
+      }
+      agent.agentLib = agentLib;
+    }
+
     const protectService = require('./protect/listeners')(agent, reporter);
     const InputAnalysisSensor = require('./protect/input-analysis');
     require('./protect/sources')(agent);

package/lib/protect/analysis/aho-corasick.js

@@ -69,7 +69,7 @@ class AhoCorasick {
     this.state = 0;
   }
 
-  /* eslint-disable complexity */
+  // eslint-disable-next-line complexity
   buildAutomata() {
     // only the root state (state 0) to start with
     let stateCount = 1;

package/lib/protect/errors/handler-async-errors.js

@@ -0,0 +1,66 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const { KEYS, AsyncStorage } = require('../../core/async-storage');
+const agentEmitter = require('../../agent-emitter');
+const isContrastError = require('../../util/is-contrast-error');
+const process = require('process');
+
+const handledErrors = new WeakSet();
+
+module.exports.install = function() {
+  const originalOn = process.on;
+  process.on = function (name, ...args) {
+    if (name === 'unhandledRejection') {
+      return originalOn.call(
+        this,
+        name,
+        ...args.map(
+          (origHandler) =>
+            function (reason, promise) {
+              if (handledErrors.has(reason)) {
+                return; // skip
+              }
+              return origHandler(reason, promise);
+            },
+        ),
+      );
+    } else {
+      return originalOn.call(this, name, ...args);
+    }
+  };
+
+  process.on('unhandledRejection', function asyncErrorHandling(error) {
+    handlerAsyncErrors(error);
+  });
+
+  function handlerAsyncErrors(error) {
+    let handled = null;
+    if (isContrastError(error)) {
+      const res = AsyncStorage.fromException(error, KEYS.RES);
+      handled = agentEmitter.handleError(error, res);
+    }
+    if (handled) {
+      handledErrors.add(error);
+    } else {
+      console.warn(
+        `An Unhandled Rejection has been caught by the Contrast Security node-agent instrumentation. Error: ${error}`,
+      );
+    }
+  }
+};
+
+

package/lib/protect/input-analysis.js

@@ -35,10 +35,7 @@ class InputAnalysisSensor {
    * for instrumenting both `http` and `https` modules when they load.
    */
   install() {
-    if (
-      this.installed ||
-      !this.agent.config.agent.node.speedracer_input_analysis
-    ) {
+    if (this.installed) {
       return;
     }
     this.installed = true;
@@ -140,7 +137,7 @@ class InputAnalysisSensor {
 
     let permit = true;
     try {
-      const appContext = InputAnalysisSensor.getApplicationContext(method);
+      const appContext = InputAnalysisSensor.makeApplicationContext(method);
       permit = await this.service.analyzeRequest({
         meta,
         req,
@@ -249,10 +246,6 @@ class InputAnalysisSensor {
     return sizeInMb >= this.maxSize;
   }
 
-  static isDone(args) {
-    return args[0] === 'end';
-  }
-
   /**
    * We defer calling the original req.emit of data chunks
    * and end until SR analyzes the request body.
@@ -266,7 +259,8 @@ class InputAnalysisSensor {
    */
   async processBodyAndEmit(meta, context, req, res) {
     const { args, method } = context;
-    const done = InputAnalysisSensor.isDone(args);
+    // the request is done when the end event is emitted
+    const done = args[0] === 'end';
 
     let permit = true;
 
@@ -274,7 +268,7 @@ class InputAnalysisSensor {
       let appContext;
 
       if (done) {
-        appContext = InputAnalysisSensor.getApplicationContext(method);
+        appContext = InputAnalysisSensor.makeApplicationContext(method);
 
         permit = await this.service.analyzeRequestStream({
           meta,
@@ -352,10 +346,10 @@ class InputAnalysisSensor {
   }
 
   /**
-   * Gets the app context and sets the stack with
+   * Makes a new app context and sets the stack with
    * the proper request handler
    */
-  static getApplicationContext(handle) {
+  static makeApplicationContext(handle) {
     const appContext = new ApplicationContext();
     appContext.setStack(handle);
     return appContext;