@contrast/agent 4.5.1 → 4.7.1

package/lib/hooks/patcher.js

@@ -36,6 +36,7 @@ const {
   SCOPE_NAMES: { NO_PROPAGATION }
 } = require('../core/async-storage/scopes');
 const promisifyCustom = Symbol.for('nodejs.util.promisify.custom');
+const some = require('../util/some');
 
 // When a pre-hook returns the result of this function, the value passed will
 // be used in place of the original function's return value, and the original
@@ -96,12 +97,7 @@ Function.prototype._contrast_toString = function() {
   return Reflect.apply(functionToString, this, arguments);
 };
 
-function runHooks(type, options, data, fn, thisTarget) {
-  const fnHooks = hooks.get(fn);
-  if (!fnHooks) {
-    return;
-  }
-
+function runHooks(type, data, thisTarget, fnHooks) {
   fnHooks.forEach((hook, key) => {
     if (hook[type]) {
       hook[type].apply(thisTarget, [data]);
@@ -109,6 +105,15 @@ function runHooks(type, options, data, fn, thisTarget) {
   });
 }
 
+/**
+ * Checks if any of the provided arguments are tracked.
+ * @param {any[]} args
+ * @return {boolean}
+ */
+function argsTracked(args) {
+  return some(args, (arg) => arg && tracker.getData(arg));
+}
+
 /**
  * Whether to skip the running of instrumentation in registered pre/post hooks.
  * When this returns `false` (don't skip), the pre/post hooks will execute in
@@ -175,11 +180,17 @@ function runOriginalFunction(fn, { args, name }, target) {
   return fn.apply(this, args);
 }
 
-function recordTime(func, funcKey, type) {
+const runWrapper =
+  !process.hrtime.bigint || !perfLoggingEnabled
+    ? runWithoutRecordingTime
+    : runAndRecordTime;
+
+function runWithoutRecordingTime(func) {
+  return () => func();
+}
+
+function runAndRecordTime(func, funcKey, type) {
   return () => {
-    if (!process.hrtime.bigint || !perfLoggingEnabled) {
-      return func();
-    }
     const start = process.hrtime.bigint();
     const rv = func();
     perfLogger[type](funcKey, Number(process.hrtime.bigint() - start));
@@ -207,6 +218,7 @@ function hookFunction(fn, options) {
   const { funcKey } = options;
   logger.trace(`hook ${funcKey}`);
 
+  // eslint-disable-next-line complexity
   function hooked(...args) {
     const target = new.target;
 
@@ -220,11 +232,8 @@ function hookFunction(fn, options) {
     }
 
     // short-circuit optimization for add
-    const [arg1, arg2] = args;
-    if (fn.name === '__add' && arg1 && arg2) {
-      if (!tracker.getData(arg1).tracked && !tracker.getData(arg2).tracked) {
-        return arg1 + arg2;
-      }
+    if (fn.name === '__add' && !argsTracked(args)) {
+      return args[0] + args[1];
     }
 
     const data = {
@@ -240,36 +249,59 @@ function hookFunction(fn, options) {
       perfLogger.logEvent(funcKey);
     }
 
-    // Run the pre event in a no instrumentation scope
+    let hasPreHook, hasPostHook;
+    const fnHooks = hooks && hooks.get(hooked);
+
+    // If there's a pre event run it in a no instrumentation scope
     // this will prevent other instrumentation from running
     // within the pre function
-    Scopes.runInNoInstrumentationScope(
-      recordTime(
-        () => runHooks('pre', options, data, hooked, this),
-        funcKey,
-        'pre'
-      ),
-      `${funcKey} pre`
-    );
+    if (fnHooks) {
+      for (const storedHooks of fnHooks.values()) {
+        hasPreHook = Boolean(hasPreHook || (storedHooks && storedHooks.pre));
+        hasPostHook = Boolean(hasPostHook || (storedHooks && storedHooks.post));
+      }
+    }
 
-    // run original function in scope that was passed in
-    data.result = Scopes.runIn(
-      options.scope,
-      recordTime(() => getResult.call(this, fn, data, target), funcKey, 'orig'),
-      funcKey
-    );
+    if (hasPreHook) {
+      Scopes.runInNoInstrumentationScope(
+        runWrapper(() => runHooks('pre', data, this, fnHooks), funcKey, 'pre'),
+        `${funcKey} pre`
+      );
+    }
 
-    // Run the post event in a no instrumentation scope
+    // Run original function in scope that was passed in
+    // or just run the original function when the passed scope is undefined
+    if (options.scope) {
+      data.result = Scopes.runIn(
+        options.scope,
+        runWrapper(
+          () => getResult.call(this, fn, data, target),
+          funcKey,
+          'orig'
+        ),
+        funcKey
+      );
+    } else {
+      data.result = runWrapper(
+        () => getResult.call(this, fn, data, target),
+        funcKey,
+        'orig'
+      )();
+    }
+
+    // If there's a post event run it in a no instrumentation scope
     // this will prevent other instrumentation from running
     // within the post function
-    Scopes.runInNoInstrumentationScope(
-      recordTime(
-        () => runHooks('post', options, data, hooked, this),
-        funcKey,
-        'post'
-      ),
-      `${funcKey} post`
-    );
+    if (hasPostHook) {
+      Scopes.runInNoInstrumentationScope(
+        runWrapper(
+          () => runHooks('post', data, this, fnHooks),
+          funcKey,
+          'post'
+        ),
+        `${funcKey} post`
+      );
+    }
 
     return data.result;
   }
@@ -321,7 +353,8 @@ function hookableMethods(obj, props, callback) {
   }
 
   // Execute callback for every method in the props array.
-  for (let i = props.length; i >= 0; i--) {
+  let i = props.length;
+  while (i--) {
     // If the property isn't a function...
     if (
       !isFunction(obj[props[i]]) ||
@@ -428,8 +461,7 @@ function hook(obj, prop, opts) {
     }
   } catch (err) {
     logger.info(
-      `unable to patch unconfigurable property ${opts.name}:${prop}
-`,
+      `unable to patch unconfigurable property ${opts.name}:${prop}`,
       err
     );
   }
@@ -472,7 +504,7 @@ function patch(obj, props, options) {
   }
 
   const hookedMethods = hookableMethods(obj, props).map(function(prop) {
-    const opts = Object.assign({}, options);
+    const opts = typeof options === 'object' ? { ...options } : options;
 
     // staticName means do not append methods to final name
     // only used for Function(aka global.ContrastFunction)
@@ -535,7 +567,6 @@ function unwrap(fn) {
 module.exports = {
   patch,
   preempt,
-  recordTime,
   resetInstrumentation,
   unpatch,
   unwrap

package/lib/hooks/require.js

@@ -14,44 +14,38 @@ Copyright: 2021 Contrast Security, Inc
 */
 'use strict';
 
-/**
- * @module lib/hooks/moduleHook
- * @class ModuleHook
- */
-
 const Module = require('module');
-const agentEmitter = require('../agent-emitter');
 const RequireHook = require('@contrast/require-hook');
+const agentEmitter = require('../agent-emitter');
 const logger = require('../core/logger')('hooks:require');
 
 class ModuleHook {
-  constructor(options) {
+  constructor() {
     this.reqHook = new RequireHook(logger);
 
-    // RequireHook takes care of hooking
-    // but still need to patch require to emit 'require' events
-    const origModRequire = Module.prototype.require;
-    Module.prototype.require = function(name) {
-      agentEmitter.emit('require', name);
-      return origModRequire.call(this, name);
+    // RequireHook takes care of hooking but we still need to patch require to
+    // emit 'require' events
+    const origModLoad = Module._load;
+    Module._load = function __loadAndEmit(...args) {
+      const [request] = args;
+      agentEmitter.emit('require', request);
+      return Reflect.apply(origModLoad, this, args);
     };
   }
 
   /**
-   *
    * Collects instrumentation functions that will run on the specified
-   * module's file at the time it is loaded via <code>require</code>.
-   * @param {Object} descriptor describes module you're hook(name, version, file)
-   * @param {Function} instrumentation The function to run on the module at
-   *                        the time it is required in the code
+   * module's file at the time it is loaded via `require`.
+   * @param {RequireHook.Descriptor} descriptor describes the module to hook
+   * @param {Function} handler The function to run on the module at the time it is required
    */
-  resolve(descriptor, instrumentation) {
-    this.reqHook.resolve(descriptor, instrumentation);
+  resolve(descriptor, handler) {
+    this.reqHook.resolve(descriptor, handler);
   }
 
   /**
-   * reset the hooked state for a module so that it's handlers re-run (used in unit tests)
-   *
+   * Reset the hooked state for a module so that it's handlers re-run.
+   * NOTE: used in unit tests.
    * @param {string} name the name of the module
    */
   reset(name) {

package/lib/instrumentation.js

@@ -40,9 +40,6 @@ module.exports = function instrument(agent, reporter) {
     return;
   }
 
-  const stackFactory = require('./core/stacktrace').singleton;
-  stackFactory.stackTraceLimit = agent.config.agent.stack_trace_limit;
-
   // The order of these matters, do not re-order
   collectLibInfo(agent);
   // (CONTRAST-31526) this must be required first to load global.ContrastMethods

package/lib/protect/rules/nosqli/nosql-injection-rule.js

@@ -0,0 +1,228 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+/* eslint-disable complexity */
+const _ = require('lodash');
+
+const logger = require('../../../core/logger')('contrast:rules:protect');
+const { INPUT_TYPES, SINK_TYPES } = require('../common');
+const AsyncStorage = require('../../../core/async-storage');
+const constants = require('../../../constants');
+const { traverse } = require('../../../util/traverse');
+
+const brackets = /\[(.{1,1024}?)\]/;
+const child = /\[(.{1,1024}?)\]/g;
+
+const MONGODB = 'mongodb';
+
+const ScannerKit = new Map([
+  [MONGODB, () => require('../nosqli/nosql-scanner').create('MongoDB')]
+]);
+const SubstringFinder = require('../base-scanner/substring-finder');
+
+class NoSqlInjectionRule extends require('../') {
+  constructor(policy = {}) {
+    policy.inputParseDepth = 3;
+    super(policy);
+
+    this._scanners = new Map();
+
+    this.id = 'nosql-injection';
+    this.name = 'NoSQL Injection';
+    this.applicableInputs = [
+      INPUT_TYPES.BODY,
+      INPUT_TYPES.JSON_VALUE,
+      INPUT_TYPES.JSON_ARRAYED_VALUE,
+      INPUT_TYPES.PARAMETER_NAME,
+      INPUT_TYPES.PARAMETER_VALUE,
+      INPUT_TYPES.QUERYSTRING,
+      INPUT_TYPES.XML_VALUE,
+      INPUT_TYPES.URI,
+      INPUT_TYPES.URL_PARAMETER
+    ];
+    this.applicableSinks = [SINK_TYPES.NOSQL_QUERY];
+  }
+
+  evaluateAtSink({ event, applicableSamples }) {
+    if (_.isEmpty(applicableSamples) || !event.data) {
+      return;
+    }
+
+    if (typeof event.data === 'object') {
+      for (const sample of applicableSamples) {
+        const requestData = this.getRequestData(sample.input);
+        if (!requestData) {
+          return;
+        }
+        let found;
+        traverse(event.data, (key, value) => {
+          if (found) {
+            return;
+          }
+
+          Object.keys(requestData).some((reqKey) => {
+            if (value[reqKey] === requestData[reqKey]) {
+              found = reqKey;
+              return true;
+            }
+          });
+        });
+
+        if (found) {
+          const query = require('util').inspect(event.data, false, null);
+
+          let injection;
+          for (const location of new SubstringFinder(query, found)) {
+            if (location) {
+              injection = {
+                input: found,
+                location,
+                query
+              };
+              break;
+            }
+          }
+          if (injection) {
+            this.appendAttackDetails(sample, injection);
+            sample.captureAppContext(event);
+            logger.warn(`EFFECTIVE - rule: ${this.id}, mode: ${this.mode}`);
+            this.blockRequest(sample);
+          }
+        }
+      }
+    } else if (typeof event.data === 'string' || event.data instanceof String) {
+      const scanner = this.getScanner(event.id);
+
+      for (const sample of applicableSamples) {
+        const injection = scanner.findInjection(sample.input.value, event.data);
+
+        if (injection) {
+          this.appendAttackDetails(sample, injection);
+          sample.captureAppContext(event);
+          logger.warn(`EFFECTIVE - rule: ${this.id}, mode: ${this.mode} `);
+          this.blockRequest(sample);
+        }
+      }
+    }
+  }
+
+  /**
+   * Given the sample's user input object, will read the value from the request
+   * from the async storage context.
+   * @param {string} _documentPath
+   * @param {string} _documentType
+   */
+  getRequestData({ _documentPath, _documentType }) {
+    const ctx = AsyncStorage.getContext();
+
+    if (!ctx) {
+      logger.info(
+        'unable to perform nosql-expansion sink analysis: async storage context not available'
+      );
+      return;
+    }
+
+    const pathArray = [];
+
+    if (!_documentPath) {
+      return pathArray;
+    }
+
+    if (
+      _documentType === constants.INPUT_TYPES.PARAMETER_NAME &&
+      _documentPath.length <= 1024
+    ) {
+      let segment = brackets.exec(_documentPath);
+      const parent = segment
+        ? _documentPath.slice(0, segment.index)
+        : _documentPath;
+
+      pathArray.push('query');
+
+      if (parent) {
+        pathArray.push(parent);
+      }
+      while ((segment = child.exec(_documentPath))) {
+        pathArray.push(segment[1]);
+      }
+      pathArray.pop();
+    } else {
+      // only qs params and body are "expandable"
+      pathArray.push('body', ..._documentPath.split('.'));
+    }
+
+    let data;
+    let curr = ctx.req;
+
+    for (const path of pathArray) {
+      if (curr) {
+        data = curr[path];
+        curr = data;
+      }
+    }
+    return data;
+  }
+
+  getScanner(id) {
+    if (!ScannerKit.has(id)) {
+      throw new Error(`Unknown NoSQL scanner: ${id}`);
+    }
+
+    if (!this._scanners.has(id)) {
+      this._scanners.set(id, ScannerKit.get(id)());
+    }
+
+    return this._scanners.get(id);
+  }
+
+  /**
+   * Builds details for NoSQL Injection Attack.
+   * @param   {UserInput} inputDtm The user input that resulted in attack
+   * @param   {String}    query    The query that was analyzed
+   * @param   {Object}    results  The repsults of the sql-scanner
+   * @returns {Object}             The details
+   */
+  buildDetails(sample, findings) {
+    if (!findings) {
+      return null;
+    }
+
+    const { boundary, location, query } = findings;
+    let inputBoundaryIndex, boundaryOverrunIndex;
+    const start = location[0];
+    const end = location[1] + 1;
+
+    if (boundary) {
+      inputBoundaryIndex = boundary.previous
+        ? boundary.previous.start
+        : boundary.start;
+      boundaryOverrunIndex = boundary.stop + 1;
+    } else {
+      inputBoundaryIndex = start;
+      boundaryOverrunIndex = end;
+    }
+
+    return {
+      start,
+      end,
+      input: sample.input.toSerializable(),
+      boundaryOverrunIndex,
+      inputBoundaryIndex,
+      query
+    };
+  }
+}
+
+module.exports = NoSqlInjectionRule;

package/lib/protect/rules/rule-factory.js

@@ -34,7 +34,7 @@ const ctors = {
   [RULES.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS]: require('./cmd-injection-semantic-chained-commands/cmd-injection-semantic-chained-commands-rule'),
   [RULES.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS]: require('./cmd-injection-semantic-dangerous-paths/cmd-injection-semantic-dangerous-paths-rule.js'),
   [RULES.METHOD_TAMPERING]: require('./method-tampering/method-tampering-rule'),
-  [RULES.NOSQL_INJECTION]: require('./nosqli/no-sql-injection-rule'),
+  [RULES.NOSQL_INJECTION]: require('./nosqli/nosql-injection-rule'),
   [RULES.PATH_TRAVERSAL]: require('./path-traversal/path-traversal-rule'),
   [RULES.REFLECTED_XSS]: require('./xss/reflected-xss-rule'),
   [RULES.SQL_INJECTION]: require('./sqli/sql-injection-rule'),
@@ -109,7 +109,7 @@ class ProtectRuleFactory {
       this.signatures = new SignatureKit(definitionList);
     }
 
-    const denylist = _.get(settings, 'defend.ipBlacklistsList');
+    const denylist = _.get(settings, 'defend.ipDenylistsList');
     if (denylist) {
       logger.info(`IP Denylist updated. Total: ${denylist.length}`);
     }

package/lib/protect/service.js

@@ -20,7 +20,12 @@ Copyright: 2021 Contrast Security, Inc
 
 const _ = require('lodash');
 
-const { IMPORTANCE, SAFE_HEADER_VALUES, INPUT_TYPES } = require('../constants');
+const {
+  IMPORTANCE,
+  SAFE_HEADER_VALUES,
+  INPUT_TYPES,
+  RULES
+} = require('../constants');
 const agentEmitter = require('../agent-emitter');
 const SampleAggregator = require('./sample-aggregator');
 const RuleFactory = require('./rules/rule-factory');
@@ -203,15 +208,22 @@ class ProtectService {
       appContext.request = request;
     }
 
-    for (const {
-      scoreLevel,
-      ruleId,
-      inputType: type,
-      path,
-      key: name,
-      value,
-      idsList
-    } of resultsList) {
+    for (const result of resultsList) {
+      // Coerce custom rule id
+      if (result.ruleId === RULES.NOSQL_EXPANSION) {
+        result.ruleId = RULES.NOSQL_INJECTION;
+      }
+
+      const {
+        scoreLevel,
+        ruleId,
+        inputType: type,
+        path,
+        key: name,
+        value,
+        idsList
+      } = result;
+
       if (scoreLevel === IMPORTANCE.NONE) {
         return;
       }
@@ -269,7 +281,7 @@ class ProtectService {
    * Loads IP analyzer for allowist analysis given TS settings.
    */
   updateIpAllowlist(settings) {
-    const list = _.get(settings, 'defend.ipWhitelistsList');
+    const list = _.get(settings, 'defend.ipAllowlistsList');
     if (list && list.length) {
       this.ipAllowlist = new IpAnalyzer(list);
       this.ipAllowlist.on('expired', (dtm) => {