@contrast/agent 4.12.2 → 4.14.0

package/lib/protect/rules/path-traversal/path-traversal-rule.js

@@ -41,7 +41,10 @@ class PathTraversalRule extends Rule {
       INPUT_TYPES.URI,
       INPUT_TYPES.URL_PARAMETER
     ];
+
     this.applicableSinks = [SINK_TYPES.FILE_PATH];
+
+    this.usesLibInputAnalysis = true;
   }
 
   /**

package/lib/protect/rules/rule-factory.js

@@ -27,7 +27,6 @@ const DEFAULT_SETTINGS = { serverFeatures: { defend: { enabled: false } } };
  * implemented, we add its constructor path to provide support.
  */
 const ctors = {
-  /* eslint-disable prettier/prettier */
   // protect rules
   [RULES.CMD_INJECTION]: require('./cmd-injection/cmdinjection-rule'),
   [RULES.CMD_INJECTION_COMMAND_BACKDOORS]: require('./cmd-injection-command-backdoors/cmd-injection-command-backdoors-rule'),
@@ -46,15 +45,15 @@ const ctors = {
   [RULES.BOT_BLOCKER]: require('./bot-blocker/bot-blocker-rule'),
   [RULES.IP_DENYLIST]: require('./ip-denylist/ip-denylist-rule'),
   [RULES.VIRTUAL_PATCH]: require('./virtual-patch/virtual-patch-rule'),
-  /* eslint-enable */
 };
 
 class ProtectRuleFactory {
-  constructor({ featureSet = DEFAULT_SETTINGS, enabled }) {
+  constructor({ featureSet = DEFAULT_SETTINGS, enabled, agent }) {
     this.featureSet = featureSet;
     this.settings = {
       exceptions: []
     };
+    this.agent = agent;
     this.policies = {};
     this.signatures = new SignatureKit();
 
@@ -180,7 +179,7 @@ class ProtectRuleFactory {
    */
   IpDenylist() {
     const policy = this.policies[RULES.IP_DENYLIST];
-    return new ctors[RULES.IP_DENYLIST](policy);
+    return new ctors[RULES.IP_DENYLIST](policy, this.agent);
   }
 
   /**
@@ -189,7 +188,7 @@ class ProtectRuleFactory {
    */
   BotBlocker() {
     const policy = this.policies[RULES.BOT_BLOCKER];
-    return new ctors[RULES.BOT_BLOCKER](policy);
+    return new ctors[RULES.BOT_BLOCKER](policy, this.agent);
   }
 
   /**
@@ -198,7 +197,7 @@ class ProtectRuleFactory {
    */
   VirtualPatchRules() {
     return this.policies[RULES.VIRTUAL_PATCH].map(
-      (policy) => new ctors[RULES.VIRTUAL_PATCH](policy)
+      (policy) => new ctors[RULES.VIRTUAL_PATCH](policy, this.agent)
     );
   }
 
@@ -224,7 +223,7 @@ class ProtectRuleFactory {
       policy.enable_rep = enableRep;
 
       if (ProtectRuleFactory.shouldBuildRule(policy)) {
-        const rule = new ctors[id](policy);
+        const rule = new ctors[id](policy, this.agent);
         rule.signature = this.signatures.get(id);
         memo.push(rule);
       }

package/lib/protect/rules/signatures/signature.js

@@ -162,6 +162,9 @@ const createPatterns = (patternDefs) =>
 class Signature {
   constructor(definition) {
     this.name = definition.name;
+    // the following is undefined if the rule is not an input to the
+    // agent-lib score functions.
+    this.agentLibBit = definition.agentLibBit;
     this.keywordSearchers = normalizeScores(
       createKeywords(definition.keywordsList)
     );

package/lib/protect/rules/sqli/sql-injection-rule.js

@@ -15,7 +15,6 @@ Copyright: 2022 Contrast Security, Inc
 'use strict';
 
 const _ = require('lodash');
-
 const logger = require('../../../core/logger')('contrast:rules:protect');
 const { IMPORTANCE, INPUT_TYPES, SINK_TYPES } = require('../common');
 const isGenericComplicated = require('./generic-complicated');
@@ -38,8 +37,8 @@ const ScannerKit = new Map([
 ]);
 
 class SQLInjectionRule extends require('../') {
-  constructor(policy) {
-    super(policy);
+  constructor(policy, agent) {
+    super(policy, agent);
 
     this._scanners = new Map();
 
@@ -57,15 +56,29 @@ class SQLInjectionRule extends require('../') {
       INPUT_TYPES.QUERYSTRING,
       INPUT_TYPES.XML_VALUE,
       INPUT_TYPES.URI,
-      INPUT_TYPES.URL_PARAMETER
+      INPUT_TYPES.URL_PARAMETER,
     ];
     this.applicableSinks = [SINK_TYPES.SQL_QUERY];
+
+    // if not using agentLib this constructor is done.
+    if (!agent.agentLib) {
+      return;
+    }
+
+    this.dbFlavors = {};
+    for (const flavor in agent.agentLib.DbType) {
+      this.dbFlavors[flavor.toLowerCase()] = this.agent.agentLib.DbType[flavor];
+    }
+    this.dbFlavorKeys = Object.keys(this.dbFlavors);
+
+    this.usesLibInputAnalysis = true;
   }
 
   /**
    * Evaluates the sink data by scanning the code string for injections
    * by collected sample inputs.
    * @param {SinkEvent} event Emitted by database drivers/wrappers/ORMs
+   * @param {Set(Sample)} applicableSamples Samples matching sql-injection criteria
    */
   evaluateAtSink({ event, applicableSamples }) {
     if (_.isEmpty(applicableSamples) || !event.data) {
@@ -88,9 +101,65 @@ class SQLInjectionRule extends require('../') {
     }
   }
 
+  /**
+   * Evaluates the sink data by scanning the code string for injections
+   * by collected sample inputs. Rather than using the node evaluators,
+   * this takes advantage of the agent-lib.
+   * @param {SinkEvent} event Emitted by database drivers/wrappers/ORMs
+   * @param {Sample[]}  applicableSamples samples that apply to SQL injection.
+   */
+  // eslint-disable-next-line complexity
+  evaluateAtSinkForLib({ event, applicableSamples }) {
+    if (applicableSamples.size == 0 || !event.data) {
+      return;
+    }
+
+    const tag = this.dbFlavorKeys.find((name) => event.tags.has(name));
+    const dialect = this.dbFlavors[tag] || this.dbFlavors.mysql;
+
+    for (const sample of applicableSamples) {
+      let evalResult = null;
+      try {
+        const input = sample.input.value;
+        const sinkData = event.data;
+        const inputIndex = sinkData.indexOf(input);
+
+        if (inputIndex !== -1) {
+          evalResult = this.agent.agentLib.checkSqlInjectionSink(
+            inputIndex,
+            input.length,
+            dialect,
+            sinkData
+          );
+          if (evalResult) {
+            // capture the query for reporting purposes.
+            evalResult.query = sinkData;
+          } else if (inputIndex === 0 && input.length === sinkData.length) {
+            evalResult = {
+              startIndex: 0,
+              endIndex: input.length - 1,
+              overrunIndex: 0,
+              boundaryIndex: 0,
+              sinkData,
+            };
+          }
+        }
+      } catch (e) {
+        logger.info(`Failed to evaluate command-injection sink: ${e}`);
+      }
+
+      if (evalResult) {
+        this.appendAttackDetails(sample, evalResult);
+        sample.captureAppContext(event);
+        logger.warn(`EFFECTIVE - rule: ${this.id}, mode: ${this.mode}`);
+        this.blockRequest(sample);
+      }
+    }
+  }
+
   /**
    * In addition to using the traditional signature matching, this rule will
-   * also check wether the input has other characteristics that warrant bumping
+   * also check whether the input has other characteristics that warrant bumping
    * an evaluation's importance from NONE -> WORTH_WATCHING.
    * @returns {}
    */
@@ -141,6 +210,30 @@ class SQLInjectionRule extends require('../') {
     };
   }
 
+  /**
+   * Builds details for Sql Injection Attack from agent-lib evaluation
+   * results.
+   * @param   {Sample} sample   The Sample for the attack
+   * @param   {Object} findings The results of the sink analysis
+   * @returns {Object}          The details
+   */
+  buildDetailsForLib(sample, finding) {
+    if (!finding) {
+      return null;
+    }
+
+    const { query } = finding;
+
+    return {
+      start: finding.startIndex,
+      end: finding.endIndex,
+      input: sample.input.toSerializable(),
+      boundaryOverrunIndex: finding.overrunIndex,
+      inputBoundaryIndex: finding.boundaryIndex,
+      query
+    };
+  }
+
   /**
    * Returns the appropriate scanner for the SQL dialect.
    * @param {String} id The id of the scanner

package/lib/protect/rules/sqli/sql-scanner/labels.json

@@ -115,9 +115,6 @@
     ")"  : "operator",
     ","  : "operator",
     "*"  : "operator",
-    "="  : "operator",
-    "^"  : "operator",
-    "!"  : "operator",
 
     ";": "terminator"
   },

package/lib/protect/rules/xss/reflected-xss-rule.js

@@ -14,8 +14,6 @@ Copyright: 2022 Contrast Security, Inc
 */
 'use strict';
 
-const _ = require('lodash');
-
 const logger = require('../../../core/logger')('contrast:rules:protect');
 const { INPUT_TYPES, SINK_TYPES } = require('../common');
 
@@ -40,6 +38,8 @@ class ReflectedXssRule extends require('../') {
       INPUT_TYPES.URL_PARAMETER
     ];
     this.applicableSinks = [SINK_TYPES.RESPONSE_BODY];
+
+    this.usesLibInputAnalysis = true;
   }
   /**
    * Evaluates a SinkEvent contingent on <code>applicableSinks</code>.
@@ -48,7 +48,7 @@ class ReflectedXssRule extends require('../') {
    * @param {Set<Sample>} params.applicableSamples all (definite and ww) samples for xss
    */
   evaluateAtSink({ event, applicableSamples }) {
-    if (!applicableSamples.size || !_.isString(event.data)) {
+    if (!applicableSamples.size) {
       return;
     }
 

package/lib/protect/sample-aggregator.js

@@ -20,7 +20,7 @@ Copyright: 2022 Contrast Security, Inc
 
 const _ = require('lodash');
 
-const POINTS_PATH = 'sample.assessment.results.points';
+const { IMPORTANCE } = require('../constants');
 
 /**
  * Compares two findings and returns the one which is
@@ -38,31 +38,26 @@ const rankEffectiveness = (a, b) => {
     return null;
   }
 
-  /* Otherwise, we want the one that is effective. */
-  return _.find([a, b], (f) => f.sample.effective);
+  // effective is a boolean, so there is no "higher" effectiveness.
+  return a.sample.effective ? a : b;
 };
 
 /**
- * Compares two findings and returns the one which is
- * ranked higher in terms of assessment score. If their
- * assessment score  is the same, <code>null</code> is
- * returned, signifying that a ranking order cannot be
- * determined for this criteria.
+ * Compares two findings and returns the one which has the highest
+ * score. If their scores are the same, return the first finding.
  * @param   {object}      a First finding
  * @param   {object}      b Second finding
- * @returns {object | null}
+ * @returns {object}
  */
-const rankPoints = (a, b) => {
-  const p1 = _.get(a, POINTS_PATH);
-  const p2 = _.get(b, POINTS_PATH);
+const POINTS_PATH = 'sample.assessment.results.points';
 
-  /* If both findings share point values, we can't rank them. */
-  if (p1 === p2) {
-    return null;
-  }
+function rankPoints(a, b) {
+  const pA = _.get(a, POINTS_PATH);
+  const pB = _.get(b, POINTS_PATH);
 
-  return p1 < p2 ? b : a;
-};
+  // return a if a is greater than or equal to b
+  return pA < pB ? b : a;
+}
 
 /**
  * Ranks two findings against effectiveness and score.
@@ -72,64 +67,77 @@ const rankPoints = (a, b) => {
  * @param   {object} b Second finding
  * @returns {object}   The highest-ranked finding
  */
-const rankFindings = (a, b) => rankEffectiveness(a, b) || rankPoints(a, b) || a;
+const rankFindings = (a, b) => rankEffectiveness(a, b) || rankPoints(a, b);
 
 /**
- * Takes a collection of findings and organizes them into
- * a map having keys being unique input types and paths,
- * and values being unique findings pertaining to each key.
+ * Takes a collection of findings and organizes them into a map having keys
+ * being unique input types and paths, and values being unique findings pertaining
+ * to each key.
  * @param   {object} memo    The map being created
  * @param   {object} finding Current finding in iteratee
  * @returns {object}         Map of ranked findings per type/path
  */
-const rankIntoMap = (memo, finding) => {
+function rankIntoMap(memo, finding) {
   const type = _.get(finding, 'sample.input.type', '_');
   const path = _.get(finding, 'sample.input.documentPath', '_');
   const name = _.get(finding, 'sample.input.name', '_');
 
-  /* This is what defines uniqueness in reporting */
+  // this string is the key to the map
   const memoPath = `${type}.${path}.${name}`;
-  const existing = memo[memoPath];
 
-  memo[memoPath] = !existing ? finding : rankFindings(existing, finding);
+  const existing = memo[memoPath];
+  // if it exists, rank it against the new finding
+  memo[memoPath] = existing ? rankFindings(existing, finding) : finding;
 
+  // memo returned despite having side effects because this function is
+  // called using reduce.
   return memo;
-};
+}
 
 /**
- * Functions for sample aggregation and ranking.
- */
-/**
- * From a collection of findings, will return a filtered
- * collection without low-scoring samples. Low-scoring
- * samples are not confirmed attacks. BUT, we DO want to
- * report on findings if they were effective, always.
- * @param   {object[]} findings
- * @returns {object[]}
- */
-const filterLowScoring = (findings = []) =>
-  _.filter(
-    findings,
-    (finding) =>
-      // Virtual Patch findings do not have inputs but always create a WW sample.
-      // Make sure they were effective.
-      (!finding.sample.input && finding.sample.effective) ||
-      /* Don't include low-scoring ineffective attacks.           */
-      !(!finding.sample.effective && !finding.sample.confirmedAttack)
-  );
-
-/**
- * Accepts a collection of findings and returns a new
- * collection whose samples are unique with respect to
- * input type and path of the finding per input type. Any
- * duplicate findings for the same type and path will be
- * filtered to only include  the one with the highest
- * points/effectiveness ranking.
+ * Accepts a collection of findings and returns a new collection whose samples
+ * are unique with respect to input type and path of the finding per input type.
+ * Any duplicate findings for the same type and path will be filtered to only
+ * include the one with the highest points/effectiveness ranking.
  * @param   {object[]} findings The findings to aggregate.
+ * @param   {function} wwFilter filter to check if a sample should be saved.
  * @returns {object[]}
+ *
+ * effective, but not blocked, becomes PROBED.
+ *
  */
-const aggregate = (findings = []) =>
-  _.values(_.reduce(filterLowScoring(findings), rankIntoMap, {}));
+function aggregate(findings, wwFilter) {
+  // separate the findings into effective and ineffective
+  // but marked as worth-watching by agent-lib. if not in
+  // one of the two lists, the finding is not relevant.
+  const effective = [];
+  const wwFindings = [];
+  // and the rest were not agent-lib worth-watching or effective
+  for (const finding of findings) {
+    const { sample } = finding;
+    if (sample.confirmedAttack || sample.effective) {
+      effective.push(finding);
+    } else if (finding.rule.agentLibBit && sample.assessment.results.importance === IMPORTANCE.WORTH_WATCHING) {
+      //console.log(finding.rule.id, s.results)
+      wwFindings.push(finding);
+    }
+  }
+
+  // do we need to run any inputs through the full scoring (not the abbreviated
+  // worth-watching scoring)?
+  if (wwFindings.length) {
+    for (const finding of wwFindings) {
+      if (wwFilter(finding)) {
+        finding.sample.assessment.results.importance = IMPORTANCE.DEFINITE;
+        // put this in the "effective list", even though it wasn't effective, so it
+        // will be reported as PROBED.
+        effective.push(finding);
+      }
+    }
+  }
+
+  return _.values(effective.reduce(rankIntoMap, {}));
+}
 
 module.exports = {
   aggregate