@contrast/agent 4.5.0 → 4.7.0

package/lib/hooks/http.js

@@ -35,39 +35,45 @@ const logger = require('../core/logger')('contrast:hooks');
 const patcher = require('./patcher');
 const { PATCH_TYPES } = require('../constants');
 
-module.exports = function(agent) {
-  logger.info('applying non-policy hook: http');
+const flatten = (ary) => Array.prototype.join.apply(ary, [',']);
 
-  moduleHook.resolve({ name: 'http' }, function(http) {
-    hookServerPrototype(http.Server.prototype, agent);
-  });
-  moduleHook.resolve({ name: 'https' }, function(https) {
-    hookServerPrototype(https.Server.prototype, agent);
+/**
+ * Logs stack for every res.[end, writeHead, write] call
+ *
+ * @param {ServerResponse} response
+ * @param {string} method method to hook
+ */
+const logHook = (response, method) => {
+  patcher.patch(response, method, {
+    alwaysRun: true,
+    name: 'req-log',
+    patchType: PATCH_TYPES.MISC,
+    post(data) {
+      const { stack } = new Error();
+      logger.info('res.%s(%s):%o', method, flatten(data.args), stack);
+    }
   });
 };
 
-module.exports.getId = getId;
-module.exports.hookServerPrototype = hookServerPrototype;
-
 /**
  * Hooks the Server prototype's <code>emit</code> method.
- * @param {Server} proto The Server prototype
+ * @param {Server} server The Server prototype
  */
-function hookServerPrototype(proto, agent) {
-  patcher.patch(proto, 'listen', {
+const hookServer = (server, agent, id) => {
+  patcher.patch(server, 'listen', {
     alwaysRun: true,
     name: 'server-listen-log-time',
     patchType: PATCH_TYPES.MISC,
-    pre(data) {
+    pre() {
       logger.info(`${process.pid}: http listen after ${process.uptime()}`);
     }
   });
 
   // Wrap the request emit in a contrast domain to track non-dataflow hooks, and for storage.
-  const { emit } = proto;
-  proto.emit = function(...args) {
-    const [event, req, res] = args;
+  const { emit } = server;
+  server.emit = function newEmit(...args) {
     const self = this;
+    const [event, req, res] = args;
 
     if (event === 'request') {
       logger.debug('Received request %s, method %s', req.url, req.method);
@@ -75,35 +81,77 @@ function hookServerPrototype(proto, agent) {
         agent,
         req,
         res,
-        hookResponse,
-        callback: () => {
+        hookResponse(response, agent) {
+          const { writeHead, end } = response;
+          // XXX(ehden): we keep the original method available to call when handling
+          // blocked requests because of MethodTampering or other rules whose sink
+          // type is RESPONSE_STATUS and which can block at perimeter. We call the original
+          // when we block to prevent recursing through blocks by setting our own 403.
+          response[WRITE_HEAD] = writeHead;
+          response[END] = end;
+
+          /**
+           * Patch writeHead to emit a sink event before calling writeHead
+           *
+           */
+          patcher.patch(response, 'writeHead', {
+            alwaysRun: true,
+            name: 'write-head',
+            patchType: PATCH_TYPES.PROTECT_SINK,
+            pre(data) {
+              const [statusCode, reason] = data.args;
+              let [, , obj] = data.args;
+              let contentType;
+              if (typeof reason !== 'string') {
+                obj = reason;
+              }
+              if (obj && typeof obj === 'object') {
+                for (const [key, value] of Object.entries(obj)) {
+                  if (key.toLowerCase() === 'content-type') {
+                    contentType = value;
+                  }
+                }
+              }
+              if (contentType) {
+                AsyncStorage.set(KEYS.RESPONSE_CONTENT_TYPE, contentType);
+              }
+              emitSinkEvent(statusCode, SINK_TYPES.RESPONSE_STATUS, id, false);
+            }
+          });
+
+          patcher.patch(response, 'setHeader', {
+            alwaysRun: true,
+            name: 'set-header',
+            patchType: PATCH_TYPES.ASYNC_CONTEXT,
+            pre(data) {
+              const [name = '', value] = data.args;
+              if (name.toLowerCase() === 'content-type' && value) {
+                AsyncStorage.set(KEYS.RESPONSE_CONTENT_TYPE, value);
+              }
+            }
+          });
+
+          // special HTTP logging for responses.
+          if (agent.config.agent.logger.log_outbound_http) {
+            ['end', 'writeHead', 'write'].forEach((method) => {
+              logHook(response, method);
+            });
+          }
+        },
+        callback() {
           const ipEvent = createSourceEvent(
             req,
             req,
             res,
-            'connection.remoteAddress',
+            'socket.remoteAddress',
             INPUT_TYPES.IP,
-            getId(req)
+            id
           );
           agentEmitter.emit('http.requestStart', req, res, ipEvent);
 
-          emitSourceEvent(
-            req,
-            req,
-            res,
-            'method',
-            INPUT_TYPES.METHOD,
-            getId(req)
-          );
-          emitSourceEvent(
-            req,
-            req,
-            res,
-            'headers',
-            INPUT_TYPES.HEADER,
-            getId(req)
-          );
-          emitSourceEvent(req, req, res, 'url', INPUT_TYPES.URL, getId(req));
+          emitSourceEvent(req, req, res, 'method', INPUT_TYPES.METHOD, id);
+          emitSourceEvent(req, req, res, 'headers', INPUT_TYPES.HEADER, id);
+          emitSourceEvent(req, req, res, 'url', INPUT_TYPES.URL, id);
 
           const rv = emit.apply(self, args);
 
@@ -115,101 +163,37 @@ function hookServerPrototype(proto, agent) {
       return emit.apply(self, args);
     }
   };
-}
+};
 
-/**
- * Patches ServerResponse instances and runs in AsyncStorage
- * context.
- * @param {ServerResponse} res
- */
-function hookResponse(res, agent) {
-  const flattenArgs = (args) => Array.prototype.join.apply(args, [',']);
-
-  /*
-   * Logs stack for every res.[end, writeHead, write] call
-   *
-   * @param {ServerResponse} res
-   * @param {string} method method to hook
-   */
-  function logHook(res, method) {
-    patcher.patch(res, method, {
-      alwaysRun: true,
-      name: 'req-log',
-      patchType: PATCH_TYPES.MISC,
-      post(data) {
-        const { stack } = new Error();
-        logger.info('res.%s(%s):%o', method, flattenArgs(data.args), stack);
-      }
-    });
-  }
-
-  const { writeHead, end } = res;
-  // XXX(ehden): we keep the original method available to call when handling
-  // blocked requests because of MethodTampering or other rules whose sink
-  // type is RESPONSE_STATUS and which can block at perimeter. We call the original
-  // when we block to prevent recursing through blocks by setting our own 403.
-  res[WRITE_HEAD] = writeHead;
-  res[END] = end;
-
-  /**
-   * Patch writeHead to emit a sink event before calling writeHead
-   *
-   */
-  patcher.patch(res, 'writeHead', {
-    alwaysRun: true,
-    name: 'write-head',
-    patchType: PATCH_TYPES.PROTECT_SINK,
-    pre(data) {
-      let contentType;
-      if (data.args[1] && typeof data.args[1] === 'object') {
-        for (const [key, value] of Object.entries(data.args[1])) {
-          if (key.toLowerCase() === 'content-type') {
-            contentType = value;
-          }
-        }
-      }
+module.exports = (agent) => {
+  logger.info('applying non-policy hook: http');
 
-      if (contentType) {
-        AsyncStorage.set(KEYS.RESPONSE_CONTENT_TYPE, contentType);
-      }
-      const [statusCode] = data.args;
-      emitSinkEvent(statusCode, SINK_TYPES.RESPONSE_STATUS, getId(this), false);
-    }
+  moduleHook.resolve({ name: 'http' }, (http) => {
+    hookServer(http.Server.prototype, agent, 'http');
   });
 
-  patcher.patch(res, 'setHeader', {
-    alwaysRun: true,
-    name: 'set-header',
-    patchType: PATCH_TYPES.ASYNC_CONTEXT,
-    pre(data) {
-      if (
-        (data.args[0] || '').toLowerCase() === 'content-type' &&
-        data.args[1]
-      ) {
-        AsyncStorage.set(KEYS.RESPONSE_CONTENT_TYPE, data.args[1]);
-      }
-    }
+  moduleHook.resolve({ name: 'https' }, (https) => {
+    hookServer(https.Server.prototype, agent, 'https');
   });
 
-  // special HTTP logging for responses.
-  if (agent.config.agent.logger.log_outbound_http) {
-    ['end', 'writeHead', 'write'].forEach((method) => {
-      logHook(res, method);
+  moduleHook.resolve({ name: 'http2' }, (http2) => {
+    patcher.patch(http2, 'createServer', {
+      name: `create-server-http2-hooks`,
+      patchType: PATCH_TYPES.MISC,
+      alwaysRun: true,
+      post({ result }) {
+        hookServer(result, agent);
+      }
     });
-  }
-}
 
-/**
- * Returns http or https depending on information about the
- * incomingMessage
- *
- * @param {IncomingMessage} req
- * @return {string} http or https
- */
-function getId(req) {
-  if (req == null || req.socket == null) {
-    return 'http';
-  } else {
-    return req.socket.encrypted ? 'https' : 'http';
-  }
-}
+    patcher.patch(http2, 'createSecureServer', {
+      name: `create-secure-server-http2-hooks`,
+      patchType: PATCH_TYPES.MISC,
+      alwaysRun: true,
+      post({ result }) {
+        hookServer(result, agent);
+      }
+    });
+  });
+};
+module.exports.hookServer = hookServer;

package/lib/hooks/patcher.js

@@ -22,19 +22,21 @@ Copyright: 2021 Contrast Security, Inc
 // the arguments keyword instead of providing a `...args` rest param.
 /* eslint-disable prefer-rest-params */
 
-const { promisify } = require('util');
 const logger = require('../core/logger')('contrast:hooks');
 const agent = require('../agent');
-const perfLogger = require('../core/logger/perf-logger')(agent);
-const _ = require('lodash');
 const perfLoggingEnabled =
   agent.config && agent.config.agent.node.req_perf_logging;
+const perfLogger = perfLoggingEnabled
+  ? require('../core/logger/perf-logger')(agent)
+  : undefined;
 const tracker = require('../tracker.js');
 const { AsyncStorage } = require('../core/async-storage');
 const {
   Scopes,
   SCOPE_NAMES: { NO_PROPAGATION }
 } = require('../core/async-storage/scopes');
+const promisifyCustom = Symbol.for('nodejs.util.promisify.custom');
+const some = require('../util/some');
 
 // When a pre-hook returns the result of this function, the value passed will
 // be used in place of the original function's return value, and the original
@@ -43,12 +45,8 @@ function preempt(value) {
   return new PatcherPreempt(value);
 }
 
-const { toString } = {};
-
 function isFunction(fn) {
-  return (
-    toString.call(this, fn) === '[object Function]' || fn instanceof Function
-  );
+  return fn instanceof Function || typeof fn === 'function';
 }
 
 function PatcherPreempt(v) {
@@ -99,12 +97,7 @@ Function.prototype._contrast_toString = function() {
   return Reflect.apply(functionToString, this, arguments);
 };
 
-function runHooks(type, options, data, fn, thisTarget) {
-  const fnHooks = hooks.get(fn);
-  if (!fnHooks) {
-    return;
-  }
-
+function runHooks(type, data, thisTarget, fnHooks) {
   fnHooks.forEach((hook, key) => {
     if (hook[type]) {
       hook[type].apply(thisTarget, [data]);
@@ -118,7 +111,7 @@ function runHooks(type, options, data, fn, thisTarget) {
  * @return {boolean}
  */
 function argsTracked(args) {
-  return _.some(args, (arg) => arg && tracker.getData(arg).tracked);
+  return some(args, (arg) => arg && tracker.getData(arg).tracked);
 }
 
 /**
@@ -187,11 +180,17 @@ function runOriginalFunction(fn, { args, name }, target) {
   return fn.apply(this, args);
 }
 
-function recordTime(func, funcKey, type) {
+const runWrapper =
+  !process.hrtime.bigint || !perfLoggingEnabled
+    ? runWithoutRecordingTime
+    : runAndRecordTime;
+
+function runWithoutRecordingTime(func) {
+  return () => func();
+}
+
+function runAndRecordTime(func, funcKey, type) {
   return () => {
-    if (!process.hrtime.bigint || !perfLoggingEnabled) {
-      return func();
-    }
     const start = process.hrtime.bigint();
     const rv = func();
     perfLogger[type](funcKey, Number(process.hrtime.bigint() - start));
@@ -219,6 +218,7 @@ function hookFunction(fn, options) {
   const { funcKey } = options;
   logger.trace(`hook ${funcKey}`);
 
+  // eslint-disable-next-line complexity
   function hooked(...args) {
     const target = new.target;
 
@@ -249,36 +249,59 @@ function hookFunction(fn, options) {
       perfLogger.logEvent(funcKey);
     }
 
-    // Run the pre event in a no instrumentation scope
+    let hasPreHook, hasPostHook;
+    const fnHooks = hooks && hooks.get(hooked);
+
+    // If there's a pre event run it in a no instrumentation scope
     // this will prevent other instrumentation from running
     // within the pre function
-    Scopes.runInNoInstrumentationScope(
-      recordTime(
-        () => runHooks('pre', options, data, hooked, this),
-        funcKey,
-        'pre'
-      ),
-      `${funcKey} pre`
-    );
+    if (fnHooks) {
+      for (const storedHooks of fnHooks.values()) {
+        hasPreHook = Boolean(hasPreHook || (storedHooks && storedHooks.pre));
+        hasPostHook = Boolean(hasPostHook || (storedHooks && storedHooks.post));
+      }
+    }
 
-    // run original function in scope that was passed in
-    data.result = Scopes.runIn(
-      options.scope,
-      recordTime(() => getResult.call(this, fn, data, target), funcKey, 'orig'),
-      funcKey
-    );
+    if (hasPreHook) {
+      Scopes.runInNoInstrumentationScope(
+        runWrapper(() => runHooks('pre', data, this, fnHooks), funcKey, 'pre'),
+        `${funcKey} pre`
+      );
+    }
 
-    // Run the post event in a no instrumentation scope
+    // Run original function in scope that was passed in
+    // or just run the original function when the passed scope is undefined
+    if (options.scope) {
+      data.result = Scopes.runIn(
+        options.scope,
+        runWrapper(
+          () => getResult.call(this, fn, data, target),
+          funcKey,
+          'orig'
+        ),
+        funcKey
+      );
+    } else {
+      data.result = runWrapper(
+        () => getResult.call(this, fn, data, target),
+        funcKey,
+        'orig'
+      )();
+    }
+
+    // If there's a post event run it in a no instrumentation scope
     // this will prevent other instrumentation from running
     // within the post function
-    Scopes.runInNoInstrumentationScope(
-      recordTime(
-        () => runHooks('post', options, data, hooked, this),
-        funcKey,
-        'post'
-      ),
-      `${funcKey} post`
-    );
+    if (hasPostHook) {
+      Scopes.runInNoInstrumentationScope(
+        runWrapper(
+          () => runHooks('post', data, this, fnHooks),
+          funcKey,
+          'post'
+        ),
+        `${funcKey} post`
+      );
+    }
 
     return data.result;
   }
@@ -292,7 +315,7 @@ function hookFunction(fn, options) {
     ...Object.getOwnPropertyNames(descriptors)
   ]) {
     if (
-      key === promisify.custom &&
+      key === promisifyCustom &&
       typeof descriptors[key].value === 'function'
     ) {
       // We must assume that custom promisified function values are true aliases
@@ -438,8 +461,7 @@ function hook(obj, prop, opts) {
     }
   } catch (err) {
     logger.info(
-      `unable to patch unconfigurable property ${opts.name}:${prop}
-`,
+      `unable to patch unconfigurable property ${opts.name}:${prop}`,
       err
     );
   }
@@ -482,7 +504,7 @@ function patch(obj, props, options) {
   }
 
   const hookedMethods = hookableMethods(obj, props).map(function(prop) {
-    const opts = _.clone(options);
+    const opts = typeof options === 'object' ? { ...options } : options;
 
     // staticName means do not append methods to final name
     // only used for Function(aka global.ContrastFunction)
@@ -545,7 +567,6 @@ function unwrap(fn) {
 module.exports = {
   patch,
   preempt,
-  recordTime,
   resetInstrumentation,
   unpatch,
   unwrap

package/lib/hooks/require.js

@@ -14,44 +14,38 @@ Copyright: 2021 Contrast Security, Inc
 */
 'use strict';
 
-/**
- * @module lib/hooks/moduleHook
- * @class ModuleHook
- */
-
 const Module = require('module');
-const agentEmitter = require('../agent-emitter');
 const RequireHook = require('@contrast/require-hook');
+const agentEmitter = require('../agent-emitter');
 const logger = require('../core/logger')('hooks:require');
 
 class ModuleHook {
-  constructor(options) {
+  constructor() {
     this.reqHook = new RequireHook(logger);
 
-    // RequireHook takes care of hooking
-    // but still need to patch require to emit 'require' events
-    const origModRequire = Module.prototype.require;
-    Module.prototype.require = function(name) {
-      agentEmitter.emit('require', name);
-      return origModRequire.call(this, name);
+    // RequireHook takes care of hooking but we still need to patch require to
+    // emit 'require' events
+    const origModLoad = Module._load;
+    Module._load = function __loadAndEmit(...args) {
+      const [request] = args;
+      agentEmitter.emit('require', request);
+      return Reflect.apply(origModLoad, this, args);
     };
   }
 
   /**
-   *
    * Collects instrumentation functions that will run on the specified
-   * module's file at the time it is loaded via <code>require</code>.
-   * @param {Object} descriptor describes module you're hook(name, version, file)
-   * @param {Function} instrumentation The function to run on the module at
-   *                        the time it is required in the code
+   * module's file at the time it is loaded via `require`.
+   * @param {RequireHook.Descriptor} descriptor describes the module to hook
+   * @param {Function} handler The function to run on the module at the time it is required
    */
-  resolve(descriptor, instrumentation) {
-    this.reqHook.resolve(descriptor, instrumentation);
+  resolve(descriptor, handler) {
+    this.reqHook.resolve(descriptor, handler);
   }
 
   /**
-   * reset the hooked state for a module so that it's handlers re-run (used in unit tests)
-   *
+   * Reset the hooked state for a module so that it's handlers re-run.
+   * NOTE: used in unit tests.
    * @param {string} name the name of the module
    */
   reset(name) {

package/lib/instrumentation.js

@@ -40,9 +40,6 @@ module.exports = function instrument(agent, reporter) {
     return;
   }
 
-  const stackFactory = require('./core/stacktrace').singleton;
-  stackFactory.stackTraceLimit = agent.config.agent.stack_trace_limit;
-
   // The order of these matters, do not re-order
   collectLibInfo(agent);
   // (CONTRAST-31526) this must be required first to load global.ContrastMethods

package/lib/protect/rules/cmd-injection-command-backdoors/backdoor-detector.js

@@ -14,7 +14,7 @@ Copyright: 2021 Contrast Security, Inc
 */
 'use strict';
 const { INPUT_TYPES } = require('../common');
-const SINK_EXPLOIT_PATTERN = /(?:^|\\|\/)(?:sh|bash|zsh|ksh|tcsh|csh|fish|cmd)([-/].*)*[-/][a-zA-Z]*c/i;
+const SINK_EXPLOIT_PATTERN_START = /(?:^|\\|\/)(?:sh|bash|zsh|ksh|tcsh|csh|fish|cmd)/;
 const stripWhiteSpace = (str) => str.replace(/\s/g, '');
 const REQUEST_KEYS = {
   queryParams: INPUT_TYPES.QUERYSTRING,
@@ -96,8 +96,8 @@ module.exports = class BackdoorDetector {
     const normalizedParam = stripWhiteSpace(requestValue);
     return (
       normalizedParam === this.normalizedCmd ||
-      (SINK_EXPLOIT_PATTERN.test(this.normalizedCmd) &&
-        this.normalizedCmd.endsWith(normalizedParam))
+      (this.normalizedCmd.endsWith(normalizedParam) &&
+        SINK_EXPLOIT_PATTERN_START.test(this.normalizedCmd))
     );
   }
 };

package/lib/protect/rules/signatures/reflected-xss/helpers/function-call.js

@@ -73,7 +73,7 @@ class FunctionCall {
   hasMultipleUnquotedBarewords() {
     let rc = false;
     const QUOTES = new RegExp('[\'|"]');
-    const MULTI_WORDS = new RegExp('[a-zA-Z]+\\s+[a-zA-Z]+');
+    const MULTI_WORDS = new RegExp('[\\w\\s]+');
     if (!this.expression.match(QUOTES)) {
       rc = this.expression.match(MULTI_WORDS);
     }

package/lib/protect/rules/xss/helpers/function-call.js

@@ -72,7 +72,7 @@ class FunctionCall {
   hasMultipleUnquotedBarewords() {
     let rc = false;
     const QUOTES = new RegExp('[\'|"]');
-    const MULTI_WORDS = new RegExp('[a-zA-Z]+\\s+[a-zA-Z]+');
+    const MULTI_WORDS = new RegExp('[\\w\\s]+');
     if (!this.expression.match(QUOTES)) {
       rc = this.expression.match(MULTI_WORDS);
     }

package/lib/util/clean-stack.js

@@ -202,7 +202,7 @@ const makeFrame = (callsite) => {
       evalOrigin = CleanStack.formatFileName(callsite.getEvalOrigin());
       [, file, lineNumber, columnNumber] = callsite
         .getEvalOrigin()
-        .match(/\((.*?):(\d+):\d+\)/);
+        .match(/\((.{3,4095}?):(\d+):\d+\)/);
     }
 
     file = file || callsite.getFileName();

package/lib/util/clean-string/brackets.js

@@ -40,7 +40,7 @@ class Brackets {
 }
 
 /**
- * Coerces occurrances of substrings that look like
+ * Coerces occurrences of substrings that look like
  * bracket accessors (['abcd'], ["efgh"]) into their
  * dot-accessor equivalents (.abcd, .efgh).
  * @param {} str
@@ -58,8 +58,8 @@ function coerceToDotAccessors(str) {
   }
 
   const bracketed = str.substring(startIdx, stopIdx + 1);
-  const patt = /^\[\s*(?:`|'|")([a-zA-Z_]+[a-zA-Z0-9_]*)(?:`|'|")\s*\]$/;
-  const match = patt.exec(bracketed);
+  const pattern = /^\[\s*[`'"]([a-zA-Z_]+[a-zA-Z0-9_]*)[`'"]\s*]$/;
+  const match = pattern.exec(bracketed);
 
   return !match
     ? str

package/lib/util/ip-analyzer.js

@@ -66,7 +66,7 @@ const getReqAddresses = (req = {}) => {
  */
 const getForwardedFor = (req = {}) => {
   const header = req.headers && req.headers['x-forwarded-for'];
-  return header ? header.split(/\s*,\s*/) : [];
+  return header ? header.split(',').map((x) => x.trim()) : [];
 };
 
 /**

package/lib/util/some.js

@@ -0,0 +1,27 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+function some(array, predicate) {
+  let index = -1;
+  const length = array == null ? 0 : array.length;
+
+  while (++index < length) {
+    if (predicate(array[index], index, array)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+module.exports = some;