@contrast/agent 4.5.1 → 4.7.1

package/lib/feature-set.js

@@ -212,7 +212,7 @@ class FeatureSet {
    */
   getIpDenylistPolicy() {
     const config = this.getProtectRuleConfig(RULES.IP_DENYLIST);
-    const settings = _.get(this, 'serverFeatures.defend.ipBlacklistsList', []);
+    const settings = _.get(this, 'serverFeatures.defend.ipDenylistsList', []);
 
     return {
       id: RULES.IP_DENYLIST,

package/lib/hooks/frameworks/base.js

@@ -22,8 +22,14 @@ const RequestFactory = require('../../reporter/models/utils/request-factory');
 const CleanStack = require('../../util/clean-stack');
 const agentEmitter = require('../../agent-emitter');
 
+/** @typedef {import('../../agent').ContrastAgent} Agent */
+
 class BaseFramework {
-  // sets options
+  /**
+   * @param {Object} opts
+   * @param {string} opts.id
+   * @param {Agent} opts.agent
+   */
   constructor({ id, agent } = {}) {
     this.id = id;
     this.agent = agent;
@@ -46,7 +52,7 @@ class BaseFramework {
    * -- Note --
    * The current imlementation uses a CleanStack instance in order to generate
    * a stackframe from which to obtain the information. This can be expensive.
-   * @returns {String}
+   * @returns {string}
    */
   getAppCodeLocation() {
     const limit = Error.stackTraceLimit;

package/lib/hooks/frameworks/http.js

@@ -19,39 +19,41 @@ const moduleHook = require('../require');
 const patcher = require('../patcher');
 const { HTTP_EVENTS, PATCH_TYPES } = require('../../constants');
 
-class HttpFramework extends BaseFramework {
-  constructor(agent, id = 'http') {
-    super({ id, agent });
-
-    this.init();
-  }
+/** @typedef {import('../../agent').ContrastAgent} Agent */
+/** @typedef {import('net').Server} Server */
 
+class HttpFramework extends BaseFramework {
   /**
-   * Initialization logic.
+   * @param {Agent} agent
+   * @param {string} id
    */
-  init() {
+  constructor(agent, id = 'http') {
+    super({ agent, id });
     moduleHook.resolve({ name: this.id }, this.onRequire.bind(this));
   }
 
+  /**
+   * @template {import('http') | import('https')} T
+   * @param {T} xport
+   * @returns {T}
+   */
   onRequire(xport) {
-    const { id } = this;
-
     patcher.patch(xport, 'Server', {
-      name: `${id}.Server`,
+      name: `${this.id}.Server`,
       patchType: PATCH_TYPES.FRAMEWORK,
       alwaysRun: true,
       post: (fnData) => this.handleServerCreate(fnData.args, fnData.result)
     });
 
     patcher.patch(xport, 'createServer', {
-      name: `${id}.createServer`,
+      name: `${this.id}.createServer`,
       patchType: PATCH_TYPES.FRAMEWORK,
       alwaysRun: true,
       post: (fnData) => this.handleServerCreate(fnData.args, fnData.result)
     });
 
     patcher.patch(xport.Server.prototype, 'listen', {
-      name: `${id}.Server.prototype`,
+      name: `${this.id}.Server.prototype`,
       patchType: PATCH_TYPES.FRAMEWORK,
       alwaysRun: true,
       pre: (fnData) => this.handleServerListen(fnData.args, fnData.obj)
@@ -62,6 +64,7 @@ class HttpFramework extends BaseFramework {
 
   /**
    * Emits a listen event if one has not been pubished for the server instance.
+   * @param {any[]}
    * @param {Server} server Server on which `listen` was called
    */
   handleServerListen(args, server) {
@@ -70,12 +73,16 @@ class HttpFramework extends BaseFramework {
 
   /**
    * Emits a create event for the new Server instance.
-   * @param {*[]} args The arguments passed to the Server constructor
+   * @param {any[]} args The arguments passed to the Server constructor
    * @param {Server} server The http Server instance
    */
   handleServerCreate(args, server) {
-    const [callback] = args;
-    this.emitter.emit(HTTP_EVENTS.SERVER_CREATE, callback, server);
+    const [options] = args;
+    let [, handler] = args;
+    if (typeof options === 'function') {
+      handler = options;
+    }
+    this.emitter.emit(HTTP_EVENTS.SERVER_CREATE, handler, server);
   }
 }
 

package/lib/hooks/frameworks/http2.js

@@ -0,0 +1,73 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const { PATCH_TYPES } = require('../../constants');
+const patcher = require('../patcher');
+const HttpFramework = require('./http');
+
+/** @typedef {import('../../agent').ContrastAgent} Agent */
+
+class Http2Framework extends HttpFramework {
+  /**
+   * @param {Agent} agent
+   */
+  constructor(agent) {
+    super(agent, 'http2');
+  }
+
+  /**
+   * @param {import('http2')} http2
+   * @returns {import('http2')}
+   */
+  onRequire(http2) {
+    patcher.patch(http2, 'createServer', {
+      name: `${this.id}.createServer`,
+      patchType: PATCH_TYPES.FRAMEWORK,
+      alwaysRun: true,
+      post: ({ args, result }) => this.handleServerCreate(args, result)
+    });
+
+    patcher.patch(http2, 'createSecureServer', {
+      name: `${this.id}.createSecureServer`,
+      patchType: PATCH_TYPES.FRAMEWORK,
+      alwaysRun: true,
+      post: ({ args, result }) => this.handleServerCreate(args, result)
+    });
+
+    return http2;
+  }
+
+  /**
+   * Emits a create event for the new Server instance.
+   * @param {any[]} args The arguments passed to the Server constructor
+   * @param {import('net').Server} server The http Server instance
+   */
+  handleServerCreate(args, server) {
+    super.handleServerCreate(args, server);
+
+    // Since the `Http2Server` class is not exported, we can patch it here after
+    // creation.
+    // NOTE: could we just patch `net.Server` here and in `http`?
+    patcher.patch(server, 'listen', {
+      name: `${this.id}.Http2Server.listen`,
+      patchType: PATCH_TYPES.FRAMEWORK,
+      alwaysRun: true,
+      pre: ({ args, obj }) => this.handleServerListen(args, obj)
+    });
+  }
+}
+
+module.exports = Http2Framework;

package/lib/hooks/frameworks/index.js

@@ -14,9 +14,14 @@ Copyright: 2021 Contrast Security, Inc
 */
 'use strict';
 
+const Http = require('./http');
+const Http2 = require('./http2');
+const Hapi16 = require('./hapi16');
+
 module.exports = function(agent) {
   // load all the hooks
-  new (require('./http'))(agent);
-  new (require('./https'))(agent);
-  new (require('./hapi16'))(agent);
+  new Http(agent);
+  new Http(agent, 'https');
+  new Http2(agent);
+  new Hapi16(agent);
 };

package/lib/hooks/http.js

@@ -35,39 +35,45 @@ const logger = require('../core/logger')('contrast:hooks');
 const patcher = require('./patcher');
 const { PATCH_TYPES } = require('../constants');
 
-module.exports = function(agent) {
-  logger.info('applying non-policy hook: http');
+const flatten = (ary) => Array.prototype.join.apply(ary, [',']);
 
-  moduleHook.resolve({ name: 'http' }, function(http) {
-    hookServerPrototype(http.Server.prototype, agent);
-  });
-  moduleHook.resolve({ name: 'https' }, function(https) {
-    hookServerPrototype(https.Server.prototype, agent);
+/**
+ * Logs stack for every res.[end, writeHead, write] call
+ *
+ * @param {ServerResponse} response
+ * @param {string} method method to hook
+ */
+const logHook = (response, method) => {
+  patcher.patch(response, method, {
+    alwaysRun: true,
+    name: 'req-log',
+    patchType: PATCH_TYPES.MISC,
+    post(data) {
+      const { stack } = new Error();
+      logger.info('res.%s(%s):%o', method, flatten(data.args), stack);
+    }
   });
 };
 
-module.exports.getId = getId;
-module.exports.hookServerPrototype = hookServerPrototype;
-
 /**
  * Hooks the Server prototype's <code>emit</code> method.
- * @param {Server} proto The Server prototype
+ * @param {Server} server The Server prototype
  */
-function hookServerPrototype(proto, agent) {
-  patcher.patch(proto, 'listen', {
+const hookServer = (server, agent, id) => {
+  patcher.patch(server, 'listen', {
     alwaysRun: true,
     name: 'server-listen-log-time',
     patchType: PATCH_TYPES.MISC,
-    pre(data) {
+    pre() {
       logger.info(`${process.pid}: http listen after ${process.uptime()}`);
     }
   });
 
   // Wrap the request emit in a contrast domain to track non-dataflow hooks, and for storage.
-  const { emit } = proto;
-  proto.emit = function(...args) {
-    const [event, req, res] = args;
+  const { emit } = server;
+  server.emit = function newEmit(...args) {
     const self = this;
+    const [event, req, res] = args;
 
     if (event === 'request') {
       logger.debug('Received request %s, method %s', req.url, req.method);
@@ -75,35 +81,77 @@ function hookServerPrototype(proto, agent) {
         agent,
         req,
         res,
-        hookResponse,
-        callback: () => {
+        hookResponse(response, agent) {
+          const { writeHead, end } = response;
+          // XXX(ehden): we keep the original method available to call when handling
+          // blocked requests because of MethodTampering or other rules whose sink
+          // type is RESPONSE_STATUS and which can block at perimeter. We call the original
+          // when we block to prevent recursing through blocks by setting our own 403.
+          response[WRITE_HEAD] = writeHead;
+          response[END] = end;
+
+          /**
+           * Patch writeHead to emit a sink event before calling writeHead
+           *
+           */
+          patcher.patch(response, 'writeHead', {
+            alwaysRun: true,
+            name: 'write-head',
+            patchType: PATCH_TYPES.PROTECT_SINK,
+            pre(data) {
+              const [statusCode, reason] = data.args;
+              let [, , obj] = data.args;
+              let contentType;
+              if (typeof reason !== 'string') {
+                obj = reason;
+              }
+              if (obj && typeof obj === 'object') {
+                for (const [key, value] of Object.entries(obj)) {
+                  if (key.toLowerCase() === 'content-type') {
+                    contentType = value;
+                  }
+                }
+              }
+              if (contentType) {
+                AsyncStorage.set(KEYS.RESPONSE_CONTENT_TYPE, contentType);
+              }
+              emitSinkEvent(statusCode, SINK_TYPES.RESPONSE_STATUS, id, false);
+            }
+          });
+
+          patcher.patch(response, 'setHeader', {
+            alwaysRun: true,
+            name: 'set-header',
+            patchType: PATCH_TYPES.ASYNC_CONTEXT,
+            pre(data) {
+              const [name = '', value] = data.args;
+              if (name.toLowerCase() === 'content-type' && value) {
+                AsyncStorage.set(KEYS.RESPONSE_CONTENT_TYPE, value);
+              }
+            }
+          });
+
+          // special HTTP logging for responses.
+          if (agent.config.agent.logger.log_outbound_http) {
+            ['end', 'writeHead', 'write'].forEach((method) => {
+              logHook(response, method);
+            });
+          }
+        },
+        callback() {
           const ipEvent = createSourceEvent(
             req,
             req,
             res,
-            'connection.remoteAddress',
+            'socket.remoteAddress',
             INPUT_TYPES.IP,
-            getId(req)
+            id
           );
           agentEmitter.emit('http.requestStart', req, res, ipEvent);
 
-          emitSourceEvent(
-            req,
-            req,
-            res,
-            'method',
-            INPUT_TYPES.METHOD,
-            getId(req)
-          );
-          emitSourceEvent(
-            req,
-            req,
-            res,
-            'headers',
-            INPUT_TYPES.HEADER,
-            getId(req)
-          );
-          emitSourceEvent(req, req, res, 'url', INPUT_TYPES.URL, getId(req));
+          emitSourceEvent(req, req, res, 'method', INPUT_TYPES.METHOD, id);
+          emitSourceEvent(req, req, res, 'headers', INPUT_TYPES.HEADER, id);
+          emitSourceEvent(req, req, res, 'url', INPUT_TYPES.URL, id);
 
           const rv = emit.apply(self, args);
 
@@ -115,101 +163,37 @@ function hookServerPrototype(proto, agent) {
       return emit.apply(self, args);
     }
   };
-}
+};
 
-/**
- * Patches ServerResponse instances and runs in AsyncStorage
- * context.
- * @param {ServerResponse} res
- */
-function hookResponse(res, agent) {
-  const flattenArgs = (args) => Array.prototype.join.apply(args, [',']);
-
-  /*
-   * Logs stack for every res.[end, writeHead, write] call
-   *
-   * @param {ServerResponse} res
-   * @param {string} method method to hook
-   */
-  function logHook(res, method) {
-    patcher.patch(res, method, {
-      alwaysRun: true,
-      name: 'req-log',
-      patchType: PATCH_TYPES.MISC,
-      post(data) {
-        const { stack } = new Error();
-        logger.info('res.%s(%s):%o', method, flattenArgs(data.args), stack);
-      }
-    });
-  }
-
-  const { writeHead, end } = res;
-  // XXX(ehden): we keep the original method available to call when handling
-  // blocked requests because of MethodTampering or other rules whose sink
-  // type is RESPONSE_STATUS and which can block at perimeter. We call the original
-  // when we block to prevent recursing through blocks by setting our own 403.
-  res[WRITE_HEAD] = writeHead;
-  res[END] = end;
-
-  /**
-   * Patch writeHead to emit a sink event before calling writeHead
-   *
-   */
-  patcher.patch(res, 'writeHead', {
-    alwaysRun: true,
-    name: 'write-head',
-    patchType: PATCH_TYPES.PROTECT_SINK,
-    pre(data) {
-      let contentType;
-      if (data.args[1] && typeof data.args[1] === 'object') {
-        for (const [key, value] of Object.entries(data.args[1])) {
-          if (key.toLowerCase() === 'content-type') {
-            contentType = value;
-          }
-        }
-      }
+module.exports = (agent) => {
+  logger.info('applying non-policy hook: http');
 
-      if (contentType) {
-        AsyncStorage.set(KEYS.RESPONSE_CONTENT_TYPE, contentType);
-      }
-      const [statusCode] = data.args;
-      emitSinkEvent(statusCode, SINK_TYPES.RESPONSE_STATUS, getId(this), false);
-    }
+  moduleHook.resolve({ name: 'http' }, (http) => {
+    hookServer(http.Server.prototype, agent, 'http');
   });
 
-  patcher.patch(res, 'setHeader', {
-    alwaysRun: true,
-    name: 'set-header',
-    patchType: PATCH_TYPES.ASYNC_CONTEXT,
-    pre(data) {
-      if (
-        (data.args[0] || '').toLowerCase() === 'content-type' &&
-        data.args[1]
-      ) {
-        AsyncStorage.set(KEYS.RESPONSE_CONTENT_TYPE, data.args[1]);
-      }
-    }
+  moduleHook.resolve({ name: 'https' }, (https) => {
+    hookServer(https.Server.prototype, agent, 'https');
   });
 
-  // special HTTP logging for responses.
-  if (agent.config.agent.logger.log_outbound_http) {
-    ['end', 'writeHead', 'write'].forEach((method) => {
-      logHook(res, method);
+  moduleHook.resolve({ name: 'http2' }, (http2) => {
+    patcher.patch(http2, 'createServer', {
+      name: `create-server-http2-hooks`,
+      patchType: PATCH_TYPES.MISC,
+      alwaysRun: true,
+      post({ result }) {
+        hookServer(result, agent);
+      }
     });
-  }
-}
 
-/**
- * Returns http or https depending on information about the
- * incomingMessage
- *
- * @param {IncomingMessage} req
- * @return {string} http or https
- */
-function getId(req) {
-  if (req == null || req.socket == null) {
-    return 'http';
-  } else {
-    return req.socket.encrypted ? 'https' : 'http';
-  }
-}
+    patcher.patch(http2, 'createSecureServer', {
+      name: `create-secure-server-http2-hooks`,
+      patchType: PATCH_TYPES.MISC,
+      alwaysRun: true,
+      post({ result }) {
+        hookServer(result, agent);
+      }
+    });
+  });
+};
+module.exports.hookServer = hookServer;

package/lib/hooks/object-to-primitive.js

@@ -31,13 +31,12 @@ const tracker = require('../tracker');
 function wrapNativeMethod(origFn, str) {
   let s = Reflect.apply(origFn, str, []);
   const origProps = tracker.getData(str);
-  if (origProps.tracked) {
-    s = tracker.track(s);
-
-    const contrastProps = tracker.getData(s);
-    if (contrastProps.tracked) {
-      contrastProps.tagRanges = origProps.tagRanges;
-      contrastProps.event = origProps.event;
+  if (origProps) {
+    const tracked = tracker.track(s);
+    if (tracked) {
+      s = tracked.str;
+      tracked.props.tagRanges = origProps.tagRanges;
+      tracked.props.event = origProps.event;
     }
   }
   return s;