@contrast/agent 4.12.2 → 4.14.0

package/lib/protect/listeners.js

@@ -21,6 +21,7 @@ Copyright: 2022 Contrast Security, Inc
  */
 
 const _ = require('lodash');
+
 const Stream = require('stream');
 const parseurl = require('parseurl');
 const agentEmitter = require('../agent-emitter');
@@ -28,25 +29,28 @@ const ApplicationContext = require('./models/application-context');
 const Request = require('../reporter/models/request');
 const {
   AsyncStorage,
-  KEYS: { SAMPLES, RULES, INPUT_EXCLUSIONS, RES, REQ, REQUEST }
+  KEYS: { SAMPLES, RULES, INPUT_EXCLUSIONS, RES, REQ, REQUEST },
 } = require('../core/async-storage');
 const Samples = require('./samples.js');
 const ProtectService = require('./service');
 const { INPUT_TYPES } = require('../constants');
+const handlerAsyncErrors = require('./errors/handler-async-errors');
 
 module.exports = function protectEventListener(agent, reporter) {
   const service = new ProtectService(agent, reporter);
 
+  handlerAsyncErrors.install();
+
   agentEmitter.on('http.requestStart', (req, res, ipEvent) => {
-    // We're expected to apply exclusions based only on the url path name,
-    // not on the full path (which may include query string)
+    // apply exclusions based only on the url path name, not on the full
+    // path (which may include a query string).
     const { pathname: urlPath } = parseurl(req);
 
     const rules = service.getEnabledRules(urlPath, ipEvent);
     AsyncStorage.set(RULES, rules);
     AsyncStorage.set(
       INPUT_EXCLUSIONS,
-      service.getEnabledInputExclusions(urlPath)
+      service.getEnabledInputExclusions(urlPath),
     );
     AsyncStorage.set(SAMPLES, new Samples());
   });
@@ -65,16 +69,20 @@ module.exports = function protectEventListener(agent, reporter) {
     }
 
     const ctxt = AsyncStorage.getContext();
-    const rules = sourceRuleFilter(_.get(ctxt, RULES));
-    const inputExclusions = _.get(ctxt, INPUT_EXCLUSIONS);
-    const samples = _.get(ctxt, SAMPLES);
-
-    enrichEvent(event, ctxt);
-    if (agent.config.agent.node.speedracer_input_analysis) {
+    if (ctxt.defend) {
+      const { exclusions: inputExclusions, samples } = ctxt.defend;
+      const rules = sourceRuleFilter(ctxt.defend.rules);
+      enrichEvent(event, ctxt);
       enrichSamples(event, samples);
-    }
 
-    service.handleSourceEvent(event, rules, inputExclusions, samples);
+      if (!rules || rules.length === 0) {
+        return;
+      }
+      // it's ugly because this probably should have been here all along as opposed
+      // to "enriching" the event with data from ctxt.
+      event._ctxt = ctxt;
+      service.handleSourceEvent(event, rules, inputExclusions, samples);
+    }
   });
 
   agentEmitter.on('protect.sink', (event) => {
@@ -100,13 +108,13 @@ module.exports = function protectEventListener(agent, reporter) {
  * @param {Object} event the SourceEvent instance
  * @param {Set} storage async protect storage
  */
-function enrichEvent(event, storageCtxt = AsyncStorage.getContext()) {
+function enrichEvent(event, storageCtxt) {
   if (storageCtxt) {
     [
       { key: '_incomingMessage', ctxtKey: REQ },
       { key: '_serverResponse', ctxtKey: RES },
       { key: 'request', ctxtKey: REQUEST },
-      { key: 'response', ctxtKey: RES }
+      { key: 'response', ctxtKey: RES },
     ].forEach(({ key, ctxtKey }) => {
       if (!event[key]) {
         setKey({ storageCtxt, ctxtKey, event, key });
@@ -130,11 +138,8 @@ function enrichEvent(event, storageCtxt = AsyncStorage.getContext()) {
  * @param {SourceEvent} event
  * @param {StorageContext} ctxt
  */
-function enrichSamples(event, samples) {
-  if (event.type !== INPUT_TYPES.URL_PARAMETER) {
-    return;
-  }
 
+function enrichSamples(event, samples) {
   for (const key of Object.keys(event.data)) {
     for (const sample of samples.getAllByType(INPUT_TYPES.URL_PARAMETER)) {
       const decoded = decodeURIComponent(sample.input.name);
@@ -189,14 +194,13 @@ function isStream(data) {
 }
 
 /**
- * This filters out which rules should be involved in the handling of source
- * events. Under some conditions, like when we are using Speedracer for input
- * analysis, we only want a subset of active rules to respond to these events.
+ * return a function that filters out rules that speedracer or agent-lib
+ * handles.
  * @param {Object} config The agent configuration
- * @returns {Rule[]}
+ * @returns {Function} function that returns either filtered or unfiltered rules
  */
 function getSourceRuleFilter(config) {
-  return config.agent.node.speedracer_input_analysis
+  return config.agent.node.speedracer_input_analysis && !config.agent.node.native_input_analysis
     ? (rules) => rules.filter((rule) => rule.inputClassification === false)
     : (rules) => rules;
 }

package/lib/protect/rules/base-scanner/index.js

@@ -67,8 +67,8 @@ class BaseScanner {
    *   1. Parsing the query into a token sequence.
    *   2. Finding all stop/start indices of the input string within the query.
    *   3. Comparing these to the indices of the tokens in the sequence.
-   * @param   {String} substring A single input string.
-   * @param   {String}   query       The query to analize.
+   * @param   {String} substring An input string.
+   * @param   {String} query The query to analyze.
    * @returns {Object[]}
    */
   findInjection(substring, query) {

package/lib/protect/rules/bot-blocker/bot-blocker-rule.js

@@ -23,13 +23,15 @@ const { INPUT_TYPES, IMPORTANCE, PROTECTION_MODES } = require('../common');
 const USER_AGENT = 'user-agent';
 
 class BotBlockerRule extends Rule {
-  constructor(policy = {}) {
-    super(policy);
+  constructor(policy = {}, agent) {
+    super(policy, agent);
     this.id = 'bot-blocker';
     this.name = 'Bot Blocker';
     this.blockAtEntry = true;
     this.mode = PROTECTION_MODES.BLOCK_AT_PERIMETER;
     this.applicableInputs = [INPUT_TYPES.HEADER];
+
+    this.usesLibInputAnalysis = true;
   }
 
   /**

package/lib/protect/rules/cmd-injection/cmdinjection-rule.js

@@ -20,10 +20,11 @@ Copyright: 2022 Contrast Security, Inc
 
 const Rule = require('../');
 const { INPUT_TYPES, SINK_TYPES } = require('../common');
+const logger = require('../../../core/logger')('contrast:rules:protect');
 
 class CMDInjectionRule extends Rule {
-  constructor(policy) {
-    super(policy);
+  constructor(policy, agent) {
+    super(policy, agent);
 
     this.id = 'cmd-injection';
     this.name = 'Command Injection';
@@ -42,6 +43,45 @@ class CMDInjectionRule extends Rule {
       INPUT_TYPES.URL_PARAMETER
     ];
     this.applicableSinks = [SINK_TYPES.COMMAND];
+
+    this.usesLibInputAnalysis = true;
+  }
+
+  /**
+   * Calls down to the agent analysis library for evaluation with the
+   * @param {Samples} applicableSamples Samples cache
+   * @param {Set} params.applicableSamples samples applicable to rule id
+   */
+  evaluateAtSinkForLib({ event, applicableSamples }) {
+    if (applicableSamples.size == 0 || !event.data) {
+      return;
+    }
+
+    for (const sample of applicableSamples) {
+      let evalResult = null;
+      try {
+        const input = sample.input.value;
+        const sinkData = event.data;
+        const inputIndex = sinkData.indexOf(input);
+
+        if (inputIndex !== -1) {
+          evalResult = this.agent.agentLib.checkCommandInjectionSink(
+            inputIndex,
+            input.length,
+            input
+          );
+        }
+      } catch (e) {
+        logger.info(`Failed to evaluate command-injection sink: ${e}`);
+      }
+
+      if (evalResult) {
+        this.appendAttackDetails(sample, evalResult);
+        sample.captureAppContext(event);
+        logger.warn(`EFFECTIVE - rule: ${this.id}, mode: ${this.mode}`);
+        this.blockRequest(sample);
+      }
+    }
   }
 
   /**
@@ -53,6 +93,21 @@ class CMDInjectionRule extends Rule {
   buildDetails(sample, findings) {
     return { command: findings };
   }
+
+  /**
+   * Builds the details for TS UI rendering based on agent lib findings.
+   * @param   {Sample} sample   relevant protect sample
+   * @param   {Object} findings The results from the agent library
+   * @returns {Object}
+   */
+  buildDetailsForLib(sample, findings) {
+    return {
+      command: sample.input.value.substring(
+        findings.startIndex,
+        findings.endIndex
+      )
+    };
+  }
 }
 
 module.exports = CMDInjectionRule;

package/lib/protect/rules/cmd-injection-semantic-chained-commands/cmd-injection-semantic-chained-commands-rule.js

@@ -24,8 +24,8 @@ const UserInputFactory = require('../../../reporter/models/utils/user-input-fact
 const ChainedCommandScanner = require('./chained-command-scanner');
 
 class CMDInjectionSemanticChainedCommandsRule extends Rule {
-  constructor(policy) {
-    super(policy);
+  constructor(policy, agent) {
+    super(policy, agent);
     this.id = 'cmd-injection-semantic-chained-commands';
     this.name = 'Command Injection Chained Commands';
     this.applicableSinks = [SINK_TYPES.COMMAND];
@@ -72,6 +72,35 @@ class CMDInjectionSemanticChainedCommandsRule extends Rule {
     }
   }
 
+  /**
+   * Performs semantic analysis to determine if there are chained subcommands
+   * using agent-lib
+   * @param {ApplicationContext} event Sink event
+   * @param {Request} request Request model
+   * @param {Samples} samples Samples cache
+   */
+  evaluateAtSinkForLib({ event, request, samples }) {
+    const { data: command } = event;
+    const index = this.agent.agentLib.indexOfChaining(command);
+    if (index != -1) {
+      const sample = this.createAndSaveSample({
+        input: UserInputFactory.makeOne({ value: command }),
+        attributes: { effective: true },
+        classification: IMPORTANCE.DEFINITE,
+        event,
+        samples,
+        request
+      });
+
+      this.appendAttackDetails(sample, {
+        command,
+        findings: [CMD_INJECTION_SEMANTIC_TYPES.CHAINING]
+      });
+
+      this.blockRequest(sample);
+    }
+  }
+
   /**
    * Builds the details for TS UI rendering.
    * @param   {Sample} sample   N/a in this rule's case

package/lib/protect/rules/cmd-injection-semantic-dangerous-paths/cmd-injection-semantic-dangerous-paths-rule.js

@@ -24,8 +24,8 @@ const UserInputFactory = require('../../../reporter/models/utils/user-input-fact
 const DangerousPathsScanner = require('./dangerous-paths-scanner');
 
 class CMDInjectionSemanticDangerousPathsRule extends Rule {
-  constructor(policy) {
-    super(policy);
+  constructor(policy, agent) {
+    super(policy, agent);
     this.id = 'cmd-injection-semantic-dangerous-paths';
     this.name = 'Command Injection Dangerous Paths';
     this.applicableSinks = [SINK_TYPES.COMMAND];
@@ -66,6 +66,36 @@ class CMDInjectionSemanticDangerousPathsRule extends Rule {
     }
   }
 
+  /**
+   * Check for dangerous paths in the input command using the agent library.
+   * @param {ApplicationContext} event Sink event
+   * @param {Request} request Request model
+   * @param {Samples} samples Samples cache
+   */
+  evaluateAtSinkForLib({ event, request, samples }) {
+    const { data: command } = event;
+    const containsDangerousPath = this.agent.agentLib.containsDangerousPath(
+      command
+    );
+    if (containsDangerousPath) {
+      const sample = this.createAndSaveSample({
+        input: UserInputFactory.makeOne({ value: command }),
+        attributes: { effective: true },
+        classification: IMPORTANCE.DEFINITE,
+        event,
+        samples,
+        request
+      });
+
+      this.appendAttackDetails(sample, {
+        command,
+        findings: [CMD_INJECTION_SEMANTIC_TYPES.PATH_ARGUMENT]
+      });
+
+      this.blockRequest(sample);
+    }
+  }
+
   /**
    * Builds the details for TS UI rendering.
    * @param   {Sample} sample   N/a in this rule's case

package/lib/protect/rules/index.js

@@ -28,13 +28,37 @@ const {
 } = require('./common');
 
 class Rule {
-  constructor(policy = { mode: NO_ACTION }) {
+  /**
+   * Rules that need to make use of the agent lib can also take
+   * a second argument: `agent' which is a reference to the agent object.
+   */
+  constructor(policy, agent) {
+    if (!policy) {
+      policy = { mode: NO_ACTION };
+    }
     this.policy = policy;
 
     this.blockAtEntry = policy.mode === BLOCK_AT_PERIMETER;
     this.id = policy.id;
     this.mode = policy.mode;
     this.name = policy.name;
+    this.applicableInputs = [];
+    this.applicableSinks = [];
+    this.agent = agent;
+    const config = (this.agent && this.agent.config) || { agent: { node: {} } };
+
+    this.agentLibEnabled =
+      config.agent.node.native_input_analysis &&
+      config.agent.node.speedracer_input_analysis;
+
+    if (this.agentLibEnabled) {
+      this.evaluator = null;
+    }
+
+    // override this value if the rule uses agent library input analysis.
+    // all rules that agentLibBit applies to use this field with the single
+    // exception of nosqli which uses node input analysis.
+    this.usesLibInputAnalysis = false;
 
     // Samples --> {}
     // This lets us manage non-sample state for each rule. This
@@ -66,10 +90,7 @@ class Rule {
    * @returns {Boolean}
    */
   appliesToInputType(type, name) {
-    return (
-      _.isEmpty(this.applicableInputs) ||
-      _.includes(this.applicableInputs, type)
-    );
+    return this.applicableInputs.length === 0 || this.applicableInputs.includes(type);
   }
 
   /**
@@ -79,11 +100,7 @@ class Rule {
    * @returns {Boolean}
    */
   appliesToSink(type) {
-    if (!this.applicableSinks) {
-      return false;
-    }
-
-    return _.includes(this.applicableSinks, type);
+    return this.applicableSinks.includes(type);
   }
 
   /**
@@ -105,12 +122,6 @@ class Rule {
       return this.signature;
     }
 
-    if (!this.evaluator) {
-      throw new Error(
-        `Rule ${this.id} has no custom evaluator for signature-matching/classification`
-      );
-    }
-
     return this.evaluator;
   }
 
@@ -144,6 +155,7 @@ class Rule {
     const name = sample.input ? sample.input.name : '<anon>';
     const type = sample.input ? sample.input.type : '<no-type>';
 
+    // TODO: should this be ||?
     if (!this.blockAtEntry && !sample.effective) {
       return;
     }
@@ -172,6 +184,10 @@ class Rule {
   preFilterUserInput(input, event, samples) {
     const evaluator = this.getEvaluator();
 
+    if (!evaluator) {
+      return;
+    }
+
     // This is to support the newer API accepting a UserInput,
     let evaluation;
     if (this.signature) {
@@ -188,7 +204,7 @@ class Rule {
       samples
     });
 
-    if (_.get(sample, 'confirmedAttack') === true) {
+    if (sample && sample.confirmedAttack === true && this.mode === BLOCK_AT_PERIMETER) {
       this.blockRequest(sample);
     }
   }
@@ -247,7 +263,7 @@ class Rule {
 
     logger.debug(`${classifiedAs}: ${id} - ${type}.${name}.${value}`);
     if (classifiedAs === IMPORTANCE.NONE) {
-      return;
+      return null;
     }
 
     const sample = samples.addRuleSample({
@@ -277,8 +293,8 @@ class Rule {
       // for CEF extensions
       outcome: this.getAttackStatus(sample),
       pri: this.id,
-      request: _.get(sample, 'request.uri', '').replace(/ /g, '<space>'),
-      spt: _.get(sample, 'request.port', ''),
+      request: (sample.request.uri || '').replace(/ /g, '<space>'),
+      spt: sample.request.port || '',
       requestMethod: sample.request.method,
       src: sample.request.ip,
       value: sample.input.value
@@ -329,7 +345,12 @@ class Rule {
    */
   appendAttackDetails(sample, findings) {
     sample.effective = true;
-    sample.details = this.buildDetails(sample, findings);
+
+    if (!(this.usesLibInputAnalysis && this.agentLibEnabled) || !this.buildDetailsForLib) {
+      sample.details = this.buildDetails(sample, findings);
+    } else {
+      sample.details = this.buildDetailsForLib(sample, findings);
+    }
   }
 }
 

package/lib/protect/rules/ip-denylist/ip-denylist-rule.js

@@ -26,8 +26,8 @@ const {
 const Rule = require('../');
 
 class IpDenylistRule extends Rule {
-  constructor(policy) {
-    super(policy);
+  constructor(policy, agent) {
+    super(policy, agent);
     this._analyzer = new IpAnalyzer(policy.data);
     // TODO: This should go away with CONTRAST-34184
     this._analyzer.on('expired', (expired) => {

package/lib/protect/rules/nosqli/nosql-injection-rule.js

@@ -13,8 +13,8 @@ Copyright: 2022 Contrast Security, Inc
   way not consistent with the End User License Agreement.
 */
 'use strict';
-/* eslint-disable complexity */
 const _ = require('lodash');
+const util = require('util');
 
 const logger = require('../../../core/logger')('contrast:rules:protect');
 const { INPUT_TYPES, SINK_TYPES } = require('../common');
@@ -32,12 +32,12 @@ const ScannerKit = new Map([
   [MONGODB, () => require('../nosqli/nosql-scanner').create('MongoDB')],
   [RETHINKDB, () => require('../nosqli/nosql-scanner').create('RethinkDB')]
 ]);
-const SubstringFinder = require('../base-scanner/substring-finder');
 
 class NoSqlInjectionRule extends require('../') {
-  constructor(policy = {}) {
+  // eslint-disable-next-line default-param-last
+  constructor(policy = {}, agent) {
     policy.inputParseDepth = 3;
-    super(policy);
+    super(policy, agent);
 
     this._scanners = new Map();
 
@@ -52,56 +52,65 @@ class NoSqlInjectionRule extends require('../') {
       INPUT_TYPES.QUERYSTRING,
       INPUT_TYPES.XML_VALUE,
       INPUT_TYPES.URI,
-      INPUT_TYPES.URL_PARAMETER
+      INPUT_TYPES.URL_PARAMETER,
+      INPUT_TYPES.BODY,
+      INPUT_TYPES.MULTIPART_VALUE,
     ];
+
+    // POST bodies are handled by the lib.
+    // if lib is disabled, node input analysis needs to handle this.
+    if (!this.agentLibEnabled) {
+      this.applicableInputs.push(INPUT_TYPES.BODY);
+    }
+
     this.applicableSinks = [SINK_TYPES.NOSQL_QUERY];
+
+    // explicitly set to false so that this rule will continue to use node input analysis.
+    this.usesLibInputAnalysis = false;
   }
 
+  /**
+   * Evaluates the sink data by scanning the document object for repeated instances
+   * of the saved input object/strings. This applies to both string injection and
+   * object expansion.
+   * @param {SinkEvent} event             Emitted by database drivers/wrappers/ORMs
+   * @param {Set}       applicableSamples set of Samples applicable to rule.
+   */
+  // eslint-disable-next-line complexity
   evaluateAtSink({ event, applicableSamples }) {
-    if (_.isEmpty(applicableSamples) || !event.data) {
+    if (applicableSamples.size == 0 || !event.data) {
       return;
     }
 
-    if (typeof event.data === 'object') {
+    const { data } = event;
+    if (typeof data === 'object') {
       for (const sample of applicableSamples) {
-        const requestData = this.getRequestData(sample.input);
-        if (!requestData) {
+        const doc = this.getInput(sample);
+        if (!doc) {
           return;
         }
-        let found;
-        traverse(event.data, (key, value) => {
-          if (found) {
+
+        let evalResult = null;
+        traverse(data, (key, value) => {
+          if (evalResult) {
             return;
           }
 
-          Object.keys(requestData).some((reqKey) => {
-            if (value[reqKey] === requestData[reqKey]) {
-              found = reqKey;
-              return true;
+          // check for _exact_ match under clause for saved user input
+          for (const queryClause of Object.keys(doc)) {
+            if (key === queryClause) {
+              if (_.isEqual(value, doc[queryClause])) {
+                evalResult = this.buildFinding(data, queryClause, doc);
+              }
             }
-          });
+          }
         });
 
-        if (found) {
-          const query = require('util').inspect(event.data, false, null);
-
-          let injection;
-          for (const location of new SubstringFinder(query, found)) {
-            if (location) {
-              injection = {
-                input: found,
-                location,
-                query
-              };
-              break;
-            }
-          }
-          if (injection) {
-            this.appendAttackDetails(sample, injection);
-            sample.captureAppContext(event);
-            logger.warn(`EFFECTIVE - rule: ${this.id}, mode: ${this.mode}`);
-            this.blockRequest(sample);
-          }
+        if (evalResult) {
+          this.appendAttackDetails(sample, evalResult);
+          sample.captureAppContext(event);
+          logger.warn(`EFFECTIVE - rule: ${this.id}, mode: ${this.mode}`);
+          this.blockRequest(sample);
         }
       }
     } else if (typeof event.data === 'string' || event.data instanceof String) {
@@ -120,6 +129,47 @@ class NoSqlInjectionRule extends require('../') {
     }
   }
 
+  /**
+   * Depending on the sample's data, collect the query clause and object
+   * for a given input sample. Handles both body inputs and other types.
+   * If the library is enabled and the input is a JSON body, it will parse
+   * query clauses out and pass them in _inputInfoForSink.
+   * @param   {Sample} sample applicable sample for nosqli
+   * @returns {Object}        relevant query clause and doc object to search for.
+   */
+  getInput(sample) {
+    if (!_.isEmpty(sample._inputInfoForSink)) {
+      return {
+        [sample._inputInfoForSink.queryClause]: sample._inputInfoForSink.docObject
+      };
+    }
+
+    const reqData = this.getRequestData(sample.input);
+
+    return reqData;
+  }
+
+  /**
+   * Build the query object based on the inputs passed and stringify them for reporting.
+   * @param {String} queryClause the mongo query clause (ex: $ne, $where, etc.)
+   * @param {Object} docObject   the document object passed to the mongo function.
+   */
+  buildFinding(queryObject, queryClause, docObject) {
+    // this input string being generated is kinda duplicate work from the input stage
+    // but it is only really hit when a nosqli is found, so I'm not sure its a big deal.
+    const input = util.inspect(docObject, false, null);
+    const query = util.inspect(queryObject, false, null);
+    // this substring being generated is some duplicate work.
+    const start = query.indexOf(input);
+    return {
+      input,
+      // account for query clause, ':' and ' '.
+      start: start - queryClause.length - 2,
+      end: start + (queryClause.length + 2),
+      query
+    };
+  }
+
   /**
    * Given the sample's user input object, will read the value from the request
    * from the async storage context.
@@ -149,7 +199,7 @@ class NoSqlInjectionRule extends require('../') {
       this.buildPathArray(_documentPath, pathArray);
     } else {
       // only qs params and body are "expandable"
-      pathArray.push('body', ..._documentPath.split('.'));
+      pathArray.push('query', ..._documentPath.split('.'));
     }
 
     let data;
@@ -213,9 +263,24 @@ class NoSqlInjectionRule extends require('../') {
       return null;
     }
 
+    // if it's not the old node format, then it's the agent-lib format.
+    // yeah, i know it's ugly.
+    if (!findings.boundary) {
+      const { start, end, query } = findings;
+      return {
+        start,
+        end,
+        // since there are no actual `token boundary overruns' in nosqli,
+        // are these not the exact same as start and end?
+        boundaryOverrunIndex: end,
+        inputBoundaryIndex: start,
+        query
+      };
+    }
+
     const { boundary, location, query } = findings;
     let inputBoundaryIndex, boundaryOverrunIndex;
-    const start = location[0];
+    const start = location[0]; // eslint-disable-line
     const end = location[1] + 1;
 
     if (boundary) {