@contrast/agent 4.4.1 → 4.6.0

package/lib/hooks/frameworks/http2.js

@@ -0,0 +1,73 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const { PATCH_TYPES } = require('../../constants');
+const patcher = require('../patcher');
+const HttpFramework = require('./http');
+
+/** @typedef {import('../../agent').ContrastAgent} Agent */
+
+class Http2Framework extends HttpFramework {
+  /**
+   * @param {Agent} agent
+   */
+  constructor(agent) {
+    super(agent, 'http2');
+  }
+
+  /**
+   * @param {import('http2')} http2
+   * @returns {import('http2')}
+   */
+  onRequire(http2) {
+    patcher.patch(http2, 'createServer', {
+      name: `${this.id}.createServer`,
+      patchType: PATCH_TYPES.FRAMEWORK,
+      alwaysRun: true,
+      post: ({ args, result }) => this.handleServerCreate(args, result)
+    });
+
+    patcher.patch(http2, 'createSecureServer', {
+      name: `${this.id}.createSecureServer`,
+      patchType: PATCH_TYPES.FRAMEWORK,
+      alwaysRun: true,
+      post: ({ args, result }) => this.handleServerCreate(args, result)
+    });
+
+    return http2;
+  }
+
+  /**
+   * Emits a create event for the new Server instance.
+   * @param {any[]} args The arguments passed to the Server constructor
+   * @param {import('net').Server} server The http Server instance
+   */
+  handleServerCreate(args, server) {
+    super.handleServerCreate(args, server);
+
+    // Since the `Http2Server` class is not exported, we can patch it here after
+    // creation.
+    // NOTE: could we just patch `net.Server` here and in `http`?
+    patcher.patch(server, 'listen', {
+      name: `${this.id}.Http2Server.listen`,
+      patchType: PATCH_TYPES.FRAMEWORK,
+      alwaysRun: true,
+      pre: ({ args, obj }) => this.handleServerListen(args, obj)
+    });
+  }
+}
+
+module.exports = Http2Framework;

package/lib/hooks/frameworks/index.js

@@ -14,9 +14,14 @@ Copyright: 2021 Contrast Security, Inc
 */
 'use strict';
 
+const Http = require('./http');
+const Http2 = require('./http2');
+const Hapi16 = require('./hapi16');
+
 module.exports = function(agent) {
   // load all the hooks
-  new (require('./http'))(agent);
-  new (require('./https'))(agent);
-  new (require('./hapi16'))(agent);
+  new Http(agent);
+  new Http(agent, 'https');
+  new Http2(agent);
+  new Hapi16(agent);
 };

package/lib/hooks/http.js

@@ -35,39 +35,45 @@ const logger = require('../core/logger')('contrast:hooks');
 const patcher = require('./patcher');
 const { PATCH_TYPES } = require('../constants');
 
-module.exports = function(agent) {
-  logger.info('applying non-policy hook: http');
+const flatten = (ary) => Array.prototype.join.apply(ary, [',']);
 
-  moduleHook.resolve({ name: 'http' }, function(http) {
-    hookServerPrototype(http.Server.prototype, agent);
-  });
-  moduleHook.resolve({ name: 'https' }, function(https) {
-    hookServerPrototype(https.Server.prototype, agent);
+/**
+ * Logs stack for every res.[end, writeHead, write] call
+ *
+ * @param {ServerResponse} response
+ * @param {string} method method to hook
+ */
+const logHook = (response, method) => {
+  patcher.patch(response, method, {
+    alwaysRun: true,
+    name: 'req-log',
+    patchType: PATCH_TYPES.MISC,
+    post(data) {
+      const { stack } = new Error();
+      logger.info('res.%s(%s):%o', method, flatten(data.args), stack);
+    }
   });
 };
 
-module.exports.getId = getId;
-module.exports.hookServerPrototype = hookServerPrototype;
-
 /**
  * Hooks the Server prototype's <code>emit</code> method.
- * @param {Server} proto The Server prototype
+ * @param {Server} server The Server prototype
  */
-function hookServerPrototype(proto, agent) {
-  patcher.patch(proto, 'listen', {
+const hookServer = (server, agent, id) => {
+  patcher.patch(server, 'listen', {
     alwaysRun: true,
     name: 'server-listen-log-time',
     patchType: PATCH_TYPES.MISC,
-    pre(data) {
+    pre() {
       logger.info(`${process.pid}: http listen after ${process.uptime()}`);
     }
   });
 
   // Wrap the request emit in a contrast domain to track non-dataflow hooks, and for storage.
-  const { emit } = proto;
-  proto.emit = function(...args) {
-    const [event, req, res] = args;
+  const { emit } = server;
+  server.emit = function newEmit(...args) {
     const self = this;
+    const [event, req, res] = args;
 
     if (event === 'request') {
       logger.debug('Received request %s, method %s', req.url, req.method);
@@ -75,35 +81,77 @@ function hookServerPrototype(proto, agent) {
         agent,
         req,
         res,
-        hookResponse,
-        callback: () => {
+        hookResponse(response, agent) {
+          const { writeHead, end } = response;
+          // XXX(ehden): we keep the original method available to call when handling
+          // blocked requests because of MethodTampering or other rules whose sink
+          // type is RESPONSE_STATUS and which can block at perimeter. We call the original
+          // when we block to prevent recursing through blocks by setting our own 403.
+          response[WRITE_HEAD] = writeHead;
+          response[END] = end;
+
+          /**
+           * Patch writeHead to emit a sink event before calling writeHead
+           *
+           */
+          patcher.patch(response, 'writeHead', {
+            alwaysRun: true,
+            name: 'write-head',
+            patchType: PATCH_TYPES.PROTECT_SINK,
+            pre(data) {
+              const [statusCode, reason] = data.args;
+              let [, , obj] = data.args;
+              let contentType;
+              if (typeof reason !== 'string') {
+                obj = reason;
+              }
+              if (obj && typeof obj === 'object') {
+                for (const [key, value] of Object.entries(obj)) {
+                  if (key.toLowerCase() === 'content-type') {
+                    contentType = value;
+                  }
+                }
+              }
+              if (contentType) {
+                AsyncStorage.set(KEYS.RESPONSE_CONTENT_TYPE, contentType);
+              }
+              emitSinkEvent(statusCode, SINK_TYPES.RESPONSE_STATUS, id, false);
+            }
+          });
+
+          patcher.patch(response, 'setHeader', {
+            alwaysRun: true,
+            name: 'set-header',
+            patchType: PATCH_TYPES.ASYNC_CONTEXT,
+            pre(data) {
+              const [name = '', value] = data.args;
+              if (name.toLowerCase() === 'content-type' && value) {
+                AsyncStorage.set(KEYS.RESPONSE_CONTENT_TYPE, value);
+              }
+            }
+          });
+
+          // special HTTP logging for responses.
+          if (agent.config.agent.logger.log_outbound_http) {
+            ['end', 'writeHead', 'write'].forEach((method) => {
+              logHook(response, method);
+            });
+          }
+        },
+        callback() {
           const ipEvent = createSourceEvent(
             req,
             req,
             res,
-            'connection.remoteAddress',
+            'socket.remoteAddress',
             INPUT_TYPES.IP,
-            getId(req)
+            id
           );
           agentEmitter.emit('http.requestStart', req, res, ipEvent);
 
-          emitSourceEvent(
-            req,
-            req,
-            res,
-            'method',
-            INPUT_TYPES.METHOD,
-            getId(req)
-          );
-          emitSourceEvent(
-            req,
-            req,
-            res,
-            'headers',
-            INPUT_TYPES.HEADER,
-            getId(req)
-          );
-          emitSourceEvent(req, req, res, 'url', INPUT_TYPES.URL, getId(req));
+          emitSourceEvent(req, req, res, 'method', INPUT_TYPES.METHOD, id);
+          emitSourceEvent(req, req, res, 'headers', INPUT_TYPES.HEADER, id);
+          emitSourceEvent(req, req, res, 'url', INPUT_TYPES.URL, id);
 
           const rv = emit.apply(self, args);
 
@@ -115,101 +163,37 @@ function hookServerPrototype(proto, agent) {
       return emit.apply(self, args);
     }
   };
-}
+};
 
-/**
- * Patches ServerResponse instances and runs in AsyncStorage
- * context.
- * @param {ServerResponse} res
- */
-function hookResponse(res, agent) {
-  const flattenArgs = (args) => Array.prototype.join.apply(args, [',']);
-
-  /*
-   * Logs stack for every res.[end, writeHead, write] call
-   *
-   * @param {ServerResponse} res
-   * @param {string} method method to hook
-   */
-  function logHook(res, method) {
-    patcher.patch(res, method, {
-      alwaysRun: true,
-      name: 'req-log',
-      patchType: PATCH_TYPES.MISC,
-      post(data) {
-        const { stack } = new Error();
-        logger.info('res.%s(%s):%o', method, flattenArgs(data.args), stack);
-      }
-    });
-  }
-
-  const { writeHead, end } = res;
-  // XXX(ehden): we keep the original method available to call when handling
-  // blocked requests because of MethodTampering or other rules whose sink
-  // type is RESPONSE_STATUS and which can block at perimeter. We call the original
-  // when we block to prevent recursing through blocks by setting our own 403.
-  res[WRITE_HEAD] = writeHead;
-  res[END] = end;
-
-  /**
-   * Patch writeHead to emit a sink event before calling writeHead
-   *
-   */
-  patcher.patch(res, 'writeHead', {
-    alwaysRun: true,
-    name: 'write-head',
-    patchType: PATCH_TYPES.PROTECT_SINK,
-    pre(data) {
-      let contentType;
-      if (data.args[1] && typeof data.args[1] === 'object') {
-        for (const [key, value] of Object.entries(data.args[1])) {
-          if (key.toLowerCase() === 'content-type') {
-            contentType = value;
-          }
-        }
-      }
+module.exports = (agent) => {
+  logger.info('applying non-policy hook: http');
 
-      if (contentType) {
-        AsyncStorage.set(KEYS.RESPONSE_CONTENT_TYPE, contentType);
-      }
-      const [statusCode] = data.args;
-      emitSinkEvent(statusCode, SINK_TYPES.RESPONSE_STATUS, getId(this), false);
-    }
+  moduleHook.resolve({ name: 'http' }, (http) => {
+    hookServer(http.Server.prototype, agent, 'http');
   });
 
-  patcher.patch(res, 'setHeader', {
-    alwaysRun: true,
-    name: 'set-header',
-    patchType: PATCH_TYPES.ASYNC_CONTEXT,
-    pre(data) {
-      if (
-        (data.args[0] || '').toLowerCase() === 'content-type' &&
-        data.args[1]
-      ) {
-        AsyncStorage.set(KEYS.RESPONSE_CONTENT_TYPE, data.args[1]);
-      }
-    }
+  moduleHook.resolve({ name: 'https' }, (https) => {
+    hookServer(https.Server.prototype, agent, 'https');
   });
 
-  // special HTTP logging for responses.
-  if (agent.config.agent.logger.log_outbound_http) {
-    ['end', 'writeHead', 'write'].forEach((method) => {
-      logHook(res, method);
+  moduleHook.resolve({ name: 'http2' }, (http2) => {
+    patcher.patch(http2, 'createServer', {
+      name: `create-server-http2-hooks`,
+      patchType: PATCH_TYPES.MISC,
+      alwaysRun: true,
+      post({ result }) {
+        hookServer(result, agent);
+      }
     });
-  }
-}
 
-/**
- * Returns http or https depending on information about the
- * incomingMessage
- *
- * @param {IncomingMessage} req
- * @return {string} http or https
- */
-function getId(req) {
-  if (req == null || req.socket == null) {
-    return 'http';
-  } else {
-    return req.socket.encrypted ? 'https' : 'http';
-  }
-}
+    patcher.patch(http2, 'createSecureServer', {
+      name: `create-secure-server-http2-hooks`,
+      patchType: PATCH_TYPES.MISC,
+      alwaysRun: true,
+      post({ result }) {
+        hookServer(result, agent);
+      }
+    });
+  });
+};
+module.exports.hookServer = hookServer;

package/lib/hooks/patcher.js

@@ -22,19 +22,21 @@ Copyright: 2021 Contrast Security, Inc
 // the arguments keyword instead of providing a `...args` rest param.
 /* eslint-disable prefer-rest-params */
 
-const { promisify } = require('util');
 const logger = require('../core/logger')('contrast:hooks');
 const agent = require('../agent');
-const perfLogger = require('../core/logger/perf-logger')(agent);
-const _ = require('lodash');
 const perfLoggingEnabled =
   agent.config && agent.config.agent.node.req_perf_logging;
+const perfLogger = perfLoggingEnabled
+  ? require('../core/logger/perf-logger')(agent)
+  : undefined;
 const tracker = require('../tracker.js');
 const { AsyncStorage } = require('../core/async-storage');
 const {
   Scopes,
   SCOPE_NAMES: { NO_PROPAGATION }
 } = require('../core/async-storage/scopes');
+const promisifyCustom = Symbol.for('nodejs.util.promisify.custom');
+const some = require('../util/some');
 
 // When a pre-hook returns the result of this function, the value passed will
 // be used in place of the original function's return value, and the original
@@ -43,12 +45,8 @@ function preempt(value) {
   return new PatcherPreempt(value);
 }
 
-const { toString } = {};
-
 function isFunction(fn) {
-  return (
-    toString.call(this, fn) === '[object Function]' || fn instanceof Function
-  );
+  return fn instanceof Function || typeof fn === 'function';
 }
 
 function PatcherPreempt(v) {
@@ -118,7 +116,7 @@ function runHooks(type, options, data, fn, thisTarget) {
  * @return {boolean}
  */
 function argsTracked(args) {
-  return _.some(args, (arg) => arg && tracker.getData(arg).tracked);
+  return some(args, (arg) => arg && tracker.getData(arg).tracked);
 }
 
 /**
@@ -283,7 +281,7 @@ function hookFunction(fn, options) {
     return data.result;
   }
 
-  // copy over all properties if there are properties on the original funciton.
+  // copy over all properties if there are properties on the original function.
   // an example of this is the version of buffer you get from require('buffer')
   // see NODE-335 for further background.
   const descriptors = Object.getOwnPropertyDescriptors(fn);
@@ -292,7 +290,7 @@ function hookFunction(fn, options) {
     ...Object.getOwnPropertyNames(descriptors)
   ]) {
     if (
-      key === promisify.custom &&
+      key === promisifyCustom &&
       typeof descriptors[key].value === 'function'
     ) {
       // We must assume that custom promisified function values are true aliases
@@ -482,7 +480,7 @@ function patch(obj, props, options) {
   }
 
   const hookedMethods = hookableMethods(obj, props).map(function(prop) {
-    const opts = _.clone(options);
+    const opts = typeof options === 'object' ? { ...options } : options;
 
     // staticName means do not append methods to final name
     // only used for Function(aka global.ContrastFunction)

package/lib/hooks/require.js

@@ -14,44 +14,38 @@ Copyright: 2021 Contrast Security, Inc
 */
 'use strict';
 
-/**
- * @module lib/hooks/moduleHook
- * @class ModuleHook
- */
-
 const Module = require('module');
-const agentEmitter = require('../agent-emitter');
 const RequireHook = require('@contrast/require-hook');
+const agentEmitter = require('../agent-emitter');
 const logger = require('../core/logger')('hooks:require');
 
 class ModuleHook {
-  constructor(options) {
+  constructor() {
     this.reqHook = new RequireHook(logger);
 
-    // RequireHook takes care of hooking
-    // but still need to patch require to emit 'require' events
-    const origModRequire = Module.prototype.require;
-    Module.prototype.require = function(name) {
-      agentEmitter.emit('require', name);
-      return origModRequire.call(this, name);
+    // RequireHook takes care of hooking but we still need to patch require to
+    // emit 'require' events
+    const origModLoad = Module._load;
+    Module._load = function __loadAndEmit(...args) {
+      const [request] = args;
+      agentEmitter.emit('require', request);
+      return Reflect.apply(origModLoad, this, args);
     };
   }
 
   /**
-   *
    * Collects instrumentation functions that will run on the specified
-   * module's file at the time it is loaded via <code>require</code>.
-   * @param {Object} descriptor describes module you're hook(name, version, file)
-   * @param {Function} instrumentation The function to run on the module at
-   *                        the time it is required in the code
+   * module's file at the time it is loaded via `require`.
+   * @param {RequireHook.Descriptor} descriptor describes the module to hook
+   * @param {Function} handler The function to run on the module at the time it is required
    */
-  resolve(descriptor, instrumentation) {
-    this.reqHook.resolve(descriptor, instrumentation);
+  resolve(descriptor, handler) {
+    this.reqHook.resolve(descriptor, handler);
   }
 
   /**
-   * reset the hooked state for a module so that it's handlers re-run (used in unit tests)
-   *
+   * Reset the hooked state for a module so that it's handlers re-run.
+   * NOTE: used in unit tests.
    * @param {string} name the name of the module
    */
   reset(name) {

package/lib/instrumentation.js

@@ -40,9 +40,6 @@ module.exports = function instrument(agent, reporter) {
     return;
   }
 
-  const stackFactory = require('./core/stacktrace').singleton;
-  stackFactory.stackTraceLimit = agent.config.agent.stack_trace_limit;
-
   // The order of these matters, do not re-order
   collectLibInfo(agent);
   // (CONTRAST-31526) this must be required first to load global.ContrastMethods

package/lib/protect/analysis/aho-corasick.js

@@ -17,9 +17,16 @@ Copyright: 2021 Contrast Security, Inc
 // https://www.geeksforgeeks.org/aho-corasick-algorithm-pattern-searching/
 
 const a = 'a'.charCodeAt(0);
-const z = 'z'.charCodeAt(0);
 const A = 'A'.charCodeAt(0);
 const Z = 'Z'.charCodeAt(0);
+const l2u = a - A;
+
+// initialize the lower -> upper and upper -> lower translation array.
+const TRANSLATION = [];
+for (let byte = A; byte <= Z; byte++) {
+  // translate the uppercase character to lowercase
+  TRANSLATION[byte] = byte + l2u;
+}
 
 class AhoCorasick {
   constructor(words) {
@@ -28,16 +35,6 @@ class AhoCorasick {
     this.maxStates = 0;
     for (const word of words) {
       this.maxStates += word.length;
-      for (const char of word) {
-        // allow for any character to be upper or lower case. this could be
-        // restricted to certain words if desired, by changing the signature
-        // to {caseInsensitive, caseSensitive}.
-        if (char >= 'a' && char <= 'z') {
-          this.maxStates += 1;
-        } else if (char >= 'A' && char <= 'Z') {
-          this.maxStates += 1;
-        }
-      }
     }
 
     // can optimize this by trading off computation for space.
@@ -83,33 +80,17 @@ class AhoCorasick {
       let state = 0;
 
       // create transitions for all character of the current word
-      for (const byte of word) {
+      for (let byte of word) {
         if (byte & 0x80) {
           throw new Error('pattern character codes cannot exceed 127');
+        } else if (TRANSLATION[byte]) {
+          byte = TRANSLATION[byte];
         }
         if (this.goto[state][byte] === undefined) {
           this.goto[state][byte] = stateCount;
           stateCount += 1;
         }
-        const previousState = state;
         state = this.goto[state][byte];
-
-        // now make it case insensitive by mapping the alternate case to the
-        // same state as the original case.
-        let extra;
-        if (byte >= a && byte <= z) {
-          extra = byte - (a - A);
-        } else if (byte >= A && byte <= Z) {
-          extra = byte + (a - A);
-        } else {
-          continue;
-        }
-
-        if (this.goto[previousState][extra] === undefined) {
-          // transition to the state that the other case character transitioned
-          // to.
-          this.goto[previousState][extra] = stateCount - 1;
-        }
       }
 
       // add current word to terminal list
@@ -177,6 +158,8 @@ class AhoCorasick {
     // passes in. and they can be offset by the lowest charcode as well.
     if (byte >= this.maxChars) {
       byte = 0;
+    } else if (TRANSLATION[byte]) {
+      byte = TRANSLATION[byte];
     }
     let next = this.state;
     while (this.goto[next][byte] === undefined) {

package/lib/protect/rules/cmd-injection-command-backdoors/backdoor-detector.js

@@ -14,7 +14,7 @@ Copyright: 2021 Contrast Security, Inc
 */
 'use strict';
 const { INPUT_TYPES } = require('../common');
-const SINK_EXPLOIT_PATTERN = /(?:^|\\|\/)(?:sh|bash|zsh|ksh|tcsh|csh|fish|cmd)([-/].*)*[-/][a-zA-Z]*c/i;
+const SINK_EXPLOIT_PATTERN_START = /(?:^|\\|\/)(?:sh|bash|zsh|ksh|tcsh|csh|fish|cmd)/;
 const stripWhiteSpace = (str) => str.replace(/\s/g, '');
 const REQUEST_KEYS = {
   queryParams: INPUT_TYPES.QUERYSTRING,
@@ -96,8 +96,8 @@ module.exports = class BackdoorDetector {
     const normalizedParam = stripWhiteSpace(requestValue);
     return (
       normalizedParam === this.normalizedCmd ||
-      (SINK_EXPLOIT_PATTERN.test(this.normalizedCmd) &&
-        this.normalizedCmd.endsWith(normalizedParam))
+      (this.normalizedCmd.endsWith(normalizedParam) &&
+        SINK_EXPLOIT_PATTERN_START.test(this.normalizedCmd))
     );
   }
 };

package/lib/protect/rules/signatures/reflected-xss/helpers/function-call.js

@@ -73,7 +73,7 @@ class FunctionCall {
   hasMultipleUnquotedBarewords() {
     let rc = false;
     const QUOTES = new RegExp('[\'|"]');
-    const MULTI_WORDS = new RegExp('[a-zA-Z]+\\s+[a-zA-Z]+');
+    const MULTI_WORDS = new RegExp('[\\w\\s]+');
     if (!this.expression.match(QUOTES)) {
       rc = this.expression.match(MULTI_WORDS);
     }

package/lib/protect/rules/xss/helpers/function-call.js

@@ -72,7 +72,7 @@ class FunctionCall {
   hasMultipleUnquotedBarewords() {
     let rc = false;
     const QUOTES = new RegExp('[\'|"]');
-    const MULTI_WORDS = new RegExp('[a-zA-Z]+\\s+[a-zA-Z]+');
+    const MULTI_WORDS = new RegExp('[\\w\\s]+');
     if (!this.expression.match(QUOTES)) {
       rc = this.expression.match(MULTI_WORDS);
     }

package/lib/util/clean-stack.js

@@ -202,7 +202,7 @@ const makeFrame = (callsite) => {
       evalOrigin = CleanStack.formatFileName(callsite.getEvalOrigin());
       [, file, lineNumber, columnNumber] = callsite
         .getEvalOrigin()
-        .match(/\((.*?):(\d+):\d+\)/);
+        .match(/\((.{3,4095}?):(\d+):\d+\)/);
     }
 
     file = file || callsite.getFileName();

package/lib/util/clean-string/brackets.js

@@ -40,7 +40,7 @@ class Brackets {
 }
 
 /**
- * Coerces occurrances of substrings that look like
+ * Coerces occurrences of substrings that look like
  * bracket accessors (['abcd'], ["efgh"]) into their
  * dot-accessor equivalents (.abcd, .efgh).
  * @param {} str
@@ -58,8 +58,8 @@ function coerceToDotAccessors(str) {
   }
 
   const bracketed = str.substring(startIdx, stopIdx + 1);
-  const patt = /^\[\s*(?:`|'|")([a-zA-Z_]+[a-zA-Z0-9_]*)(?:`|'|")\s*\]$/;
-  const match = patt.exec(bracketed);
+  const pattern = /^\[\s*[`'"]([a-zA-Z_]+[a-zA-Z0-9_]*)[`'"]\s*]$/;
+  const match = pattern.exec(bracketed);
 
   return !match
     ? str