@contrast/agent 4.7.0 → 4.7.1

package/lib/assess/propagators/v8/init-hooks.js

@@ -63,7 +63,7 @@ module.exports.handle = function handle() {
         if (tracked) {
           // it was behind a membrane
           data.result[TRACKED] = tracked;
-        } else if (tracker.getData2(data.args[0])) {
+        } else if (tracker.getData(data.args[0])) {
           // it was a tracked string
           data.result[TRACKED] = data.args[0];
         }
@@ -80,13 +80,13 @@ module.exports.handle = function handle() {
           return;
         }
 
-        const sTracking = tracker.getData2(tracked);
+        const sTracking = tracker.getData(tracked);
         // if the argument was a tracked string then the result should
         // have the same tags. i don't know that the length of a string
         // can change as a result of deserialize(serialize()) but best
         // to be safe.
         if (sTracking) {
-          const resultTracking = tracker.track2(data.result);
+          const resultTracking = tracker.track(data.result);
           if (!resultTracking) {
             // there's nothing to do if tracking failed on the result. it should
             // only do so on a zero-length string, but node works in mysterious ways.

package/lib/assess/propagators/validator/init-hooks.js

@@ -90,7 +90,7 @@ module.exports.handle = function() {
         function post(data) {
           if (data.result) {
             const trackingData = tracker.getData(data.args[0]);
-            if (trackingData.tracked) {
+            if (trackingData) {
               tagRangeUtil.addInPlace(
                 trackingData.tagRanges,
                 new TagRange(0, data.args[0].length - 1, validators[validator])
@@ -131,7 +131,7 @@ module.exports.handle = function() {
         function post(data) {
           if (data.result) {
             const trackingData = tracker.getData(data.args[0]);
-            if (trackingData.tracked) {
+            if (trackingData) {
               trackingData.tagRanges = [];
               trackingData.tracked = false;
             }
@@ -154,36 +154,36 @@ module.exports.handle = function() {
         function post(data) {
           // if not tracked then it can't be untrusted, so don't start
           // tracking this string.
-          if (!tracker.getData(data.args[0]).tracked) return;
+          const inputData = tracker.getData(data.args[0]);
+          if (!inputData) return;
 
           const tag = sanitizers[sanitizer];
-          // get existing tracker data
-          const inputData = tracker.getData(data.args[0]);
 
           // are the input and output of the sanitizer the same?
           if (data.args[0] !== data.result) {
             let needsTag = true;
             // the input and output strings are not the same. start tracking the output.
-            const result = tracker.track(data.result);
-            const resultData = tracker.getData(result);
+            const tracked = tracker.track(data.result);
             // copy the input tags to the result, adjusting the range.
-            const stop = data.result.length - 1;
-            for (let i = 0; i < inputData.tagRanges.length; i++) {
-              resultData.tagRanges[i] = new TagRange(
-                0,
-                stop,
-                inputData.tagRanges[i].tag
-              );
-              if (inputData.tagRanges[i].tag === tag) {
-                needsTag = false;
+            if (tracked) {
+              const stop = data.result.length - 1;
+              for (let i = 0; i < inputData.tagRanges.length; i++) {
+                tracked.props.tagRanges[i] = new TagRange(
+                  0,
+                  stop,
+                  inputData.tagRanges[i].tag
+                );
+                if (inputData.tagRanges[i].tag === tag) {
+                  needsTag = false;
+                }
               }
+              if (needsTag) {
+                tracked.props.tagRanges.push(
+                  new TagRange(0, stop, sanitizers[sanitizer])
+                );
+              }
+              data.result = tracked.str;
             }
-            if (needsTag) {
-              resultData.tagRanges.push(
-                new TagRange(0, stop, sanitizers[sanitizer])
-              );
-            }
-            data.result = result;
           } else {
             // the input and output strings are the same, so the output is already being
             // tracked. if the tag is already present adjust the bounds otherwise add the

package/lib/assess/sinks/common.js

@@ -78,7 +78,9 @@ module.exports = (agent) => {
     // get the tags, event from dataflow actions ONLY
     if (sinkType === DATAFLOW) {
       const contrastProps = tracker.getData(input);
-      ({ tagRanges, event } = contrastProps);
+      if (contrastProps) {
+        ({ tagRanges, event } = contrastProps);
+      }
     }
 
     const sink = new SinkEvent({
@@ -189,7 +191,7 @@ module.exports = (agent) => {
         ) {
           const trackData = tracker.getData(value);
 
-          if (!trackData.tracked) {
+          if (!trackData) {
             return;
           }
 
@@ -415,9 +417,12 @@ module.exports = (agent) => {
           : common.nonDataflowVulnerableCheck({ sink });
 
       const checkedArgs = isVulnCheck(stack, result, args);
-      return Array.isArray(checkedArgs)
-        ? reduceConditions(checkedArgs, conditions.mode)
-        : checkedArgs;
+      if (Array.isArray(checkedArgs) && checkedArgs.length > 0) {
+        const mode = conditions ? conditions.mode : 'and';
+        return reduceConditions(checkedArgs, mode);
+      } else {
+        return checkedArgs;
+      }
     };
 
     /**

package/lib/assess/sinks/libxmljs-xxe.js

@@ -34,7 +34,7 @@ module.exports = ({ common, signature }) => ({
     }
 
     const contrastProps = tracker.getData(xmlString);
-    if (!contrastProps.tracked) {
+    if (!contrastProps) {
       return;
     }
 

package/lib/assess/sinks/mongodb.js

@@ -39,7 +39,8 @@ const ruleId = 'nosql-injection';
 const disallowedTags = [
   'limited-chars',
   'alphanum-space-hyphen',
-  'string-type-checked'
+  'string-type-checked',
+  'custom-validated-nosql-injection'
 ];
 const requiredTags = ['untrusted'];
 

package/lib/assess/sinks/ssrf-url.js

@@ -64,7 +64,7 @@ module.exports = ({ common: { isVulnerable } }) => {
 
     const contrastProps = tracker.getData(input);
 
-    if (!contrastProps.tracked) {
+    if (!contrastProps) {
       return false;
     }
 

package/lib/constants.js

@@ -108,8 +108,11 @@ const RULES = {
     'cmd-injection-semantic-chained-commands',
   CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS:
     'cmd-injection-semantic-dangerous-paths',
-  IP_DENYLIST: 'ip-blacklist',
+  IP_DENYLIST: 'ip-denylist',
   METHOD_TAMPERING: 'method-tampering',
+  // The following is not a known rule in TS and is only used by SR when
+  // reporting certain analysis results. We convert to nosqli before reporting
+  NOSQL_EXPANSION: 'nosql-expansion',
   NOSQL_INJECTION: 'nosql-injection',
   PATH_TRAVERSAL: 'path-traversal',
   REFLECTED_XSS: 'reflected-xss',

package/lib/core/config/options.js

@@ -284,7 +284,7 @@ const agent = [
   {
     name: 'agent.node.array_request_sampling.enable',
     arg: '[false]',
-    default: true,
+    default: false,
     fn: castBoolean,
     desc: 'enable sampling of array members for dataflow'
   },

package/lib/core/rewrite/injections.js

@@ -131,6 +131,14 @@ const injections = {
       name: 'String',
       patchType: PATCH_TYPES.INJECTION
     })
+  ),
+  Number: new Injection(
+    'Number',
+    'ContrastNumber',
+    patcher.patch(global.Number, {
+      name: 'Number',
+      patchType: PATCH_TYPES.INJECTION
+    })
   )
 };
 

package/lib/feature-set.js

@@ -212,7 +212,7 @@ class FeatureSet {
    */
   getIpDenylistPolicy() {
     const config = this.getProtectRuleConfig(RULES.IP_DENYLIST);
-    const settings = _.get(this, 'serverFeatures.defend.ipBlacklistsList', []);
+    const settings = _.get(this, 'serverFeatures.defend.ipDenylistsList', []);
 
     return {
       id: RULES.IP_DENYLIST,

package/lib/hooks/object-to-primitive.js

@@ -31,13 +31,12 @@ const tracker = require('../tracker');
 function wrapNativeMethod(origFn, str) {
   let s = Reflect.apply(origFn, str, []);
   const origProps = tracker.getData(str);
-  if (origProps.tracked) {
-    s = tracker.track(s);
-
-    const contrastProps = tracker.getData(s);
-    if (contrastProps.tracked) {
-      contrastProps.tagRanges = origProps.tagRanges;
-      contrastProps.event = origProps.event;
+  if (origProps) {
+    const tracked = tracker.track(s);
+    if (tracked) {
+      s = tracked.str;
+      tracked.props.tagRanges = origProps.tagRanges;
+      tracked.props.event = origProps.event;
     }
   }
   return s;

package/lib/hooks/patcher.js

@@ -111,7 +111,7 @@ function runHooks(type, data, thisTarget, fnHooks) {
  * @return {boolean}
  */
 function argsTracked(args) {
-  return some(args, (arg) => arg && tracker.getData(arg).tracked);
+  return some(args, (arg) => arg && tracker.getData(arg));
 }
 
 /**

package/lib/protect/rules/nosqli/nosql-injection-rule.js

@@ -0,0 +1,228 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+/* eslint-disable complexity */
+const _ = require('lodash');
+
+const logger = require('../../../core/logger')('contrast:rules:protect');
+const { INPUT_TYPES, SINK_TYPES } = require('../common');
+const AsyncStorage = require('../../../core/async-storage');
+const constants = require('../../../constants');
+const { traverse } = require('../../../util/traverse');
+
+const brackets = /\[(.{1,1024}?)\]/;
+const child = /\[(.{1,1024}?)\]/g;
+
+const MONGODB = 'mongodb';
+
+const ScannerKit = new Map([
+  [MONGODB, () => require('../nosqli/nosql-scanner').create('MongoDB')]
+]);
+const SubstringFinder = require('../base-scanner/substring-finder');
+
+class NoSqlInjectionRule extends require('../') {
+  constructor(policy = {}) {
+    policy.inputParseDepth = 3;
+    super(policy);
+
+    this._scanners = new Map();
+
+    this.id = 'nosql-injection';
+    this.name = 'NoSQL Injection';
+    this.applicableInputs = [
+      INPUT_TYPES.BODY,
+      INPUT_TYPES.JSON_VALUE,
+      INPUT_TYPES.JSON_ARRAYED_VALUE,
+      INPUT_TYPES.PARAMETER_NAME,
+      INPUT_TYPES.PARAMETER_VALUE,
+      INPUT_TYPES.QUERYSTRING,
+      INPUT_TYPES.XML_VALUE,
+      INPUT_TYPES.URI,
+      INPUT_TYPES.URL_PARAMETER
+    ];
+    this.applicableSinks = [SINK_TYPES.NOSQL_QUERY];
+  }
+
+  evaluateAtSink({ event, applicableSamples }) {
+    if (_.isEmpty(applicableSamples) || !event.data) {
+      return;
+    }
+
+    if (typeof event.data === 'object') {
+      for (const sample of applicableSamples) {
+        const requestData = this.getRequestData(sample.input);
+        if (!requestData) {
+          return;
+        }
+        let found;
+        traverse(event.data, (key, value) => {
+          if (found) {
+            return;
+          }
+
+          Object.keys(requestData).some((reqKey) => {
+            if (value[reqKey] === requestData[reqKey]) {
+              found = reqKey;
+              return true;
+            }
+          });
+        });
+
+        if (found) {
+          const query = require('util').inspect(event.data, false, null);
+
+          let injection;
+          for (const location of new SubstringFinder(query, found)) {
+            if (location) {
+              injection = {
+                input: found,
+                location,
+                query
+              };
+              break;
+            }
+          }
+          if (injection) {
+            this.appendAttackDetails(sample, injection);
+            sample.captureAppContext(event);
+            logger.warn(`EFFECTIVE - rule: ${this.id}, mode: ${this.mode}`);
+            this.blockRequest(sample);
+          }
+        }
+      }
+    } else if (typeof event.data === 'string' || event.data instanceof String) {
+      const scanner = this.getScanner(event.id);
+
+      for (const sample of applicableSamples) {
+        const injection = scanner.findInjection(sample.input.value, event.data);
+
+        if (injection) {
+          this.appendAttackDetails(sample, injection);
+          sample.captureAppContext(event);
+          logger.warn(`EFFECTIVE - rule: ${this.id}, mode: ${this.mode} `);
+          this.blockRequest(sample);
+        }
+      }
+    }
+  }
+
+  /**
+   * Given the sample's user input object, will read the value from the request
+   * from the async storage context.
+   * @param {string} _documentPath
+   * @param {string} _documentType
+   */
+  getRequestData({ _documentPath, _documentType }) {
+    const ctx = AsyncStorage.getContext();
+
+    if (!ctx) {
+      logger.info(
+        'unable to perform nosql-expansion sink analysis: async storage context not available'
+      );
+      return;
+    }
+
+    const pathArray = [];
+
+    if (!_documentPath) {
+      return pathArray;
+    }
+
+    if (
+      _documentType === constants.INPUT_TYPES.PARAMETER_NAME &&
+      _documentPath.length <= 1024
+    ) {
+      let segment = brackets.exec(_documentPath);
+      const parent = segment
+        ? _documentPath.slice(0, segment.index)
+        : _documentPath;
+
+      pathArray.push('query');
+
+      if (parent) {
+        pathArray.push(parent);
+      }
+      while ((segment = child.exec(_documentPath))) {
+        pathArray.push(segment[1]);
+      }
+      pathArray.pop();
+    } else {
+      // only qs params and body are "expandable"
+      pathArray.push('body', ..._documentPath.split('.'));
+    }
+
+    let data;
+    let curr = ctx.req;
+
+    for (const path of pathArray) {
+      if (curr) {
+        data = curr[path];
+        curr = data;
+      }
+    }
+    return data;
+  }
+
+  getScanner(id) {
+    if (!ScannerKit.has(id)) {
+      throw new Error(`Unknown NoSQL scanner: ${id}`);
+    }
+
+    if (!this._scanners.has(id)) {
+      this._scanners.set(id, ScannerKit.get(id)());
+    }
+
+    return this._scanners.get(id);
+  }
+
+  /**
+   * Builds details for NoSQL Injection Attack.
+   * @param   {UserInput} inputDtm The user input that resulted in attack
+   * @param   {String}    query    The query that was analyzed
+   * @param   {Object}    results  The repsults of the sql-scanner
+   * @returns {Object}             The details
+   */
+  buildDetails(sample, findings) {
+    if (!findings) {
+      return null;
+    }
+
+    const { boundary, location, query } = findings;
+    let inputBoundaryIndex, boundaryOverrunIndex;
+    const start = location[0];
+    const end = location[1] + 1;
+
+    if (boundary) {
+      inputBoundaryIndex = boundary.previous
+        ? boundary.previous.start
+        : boundary.start;
+      boundaryOverrunIndex = boundary.stop + 1;
+    } else {
+      inputBoundaryIndex = start;
+      boundaryOverrunIndex = end;
+    }
+
+    return {
+      start,
+      end,
+      input: sample.input.toSerializable(),
+      boundaryOverrunIndex,
+      inputBoundaryIndex,
+      query
+    };
+  }
+}
+
+module.exports = NoSqlInjectionRule;

package/lib/protect/rules/rule-factory.js

@@ -34,7 +34,7 @@ const ctors = {
   [RULES.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS]: require('./cmd-injection-semantic-chained-commands/cmd-injection-semantic-chained-commands-rule'),
   [RULES.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS]: require('./cmd-injection-semantic-dangerous-paths/cmd-injection-semantic-dangerous-paths-rule.js'),
   [RULES.METHOD_TAMPERING]: require('./method-tampering/method-tampering-rule'),
-  [RULES.NOSQL_INJECTION]: require('./nosqli/no-sql-injection-rule'),
+  [RULES.NOSQL_INJECTION]: require('./nosqli/nosql-injection-rule'),
   [RULES.PATH_TRAVERSAL]: require('./path-traversal/path-traversal-rule'),
   [RULES.REFLECTED_XSS]: require('./xss/reflected-xss-rule'),
   [RULES.SQL_INJECTION]: require('./sqli/sql-injection-rule'),
@@ -109,7 +109,7 @@ class ProtectRuleFactory {
       this.signatures = new SignatureKit(definitionList);
     }
 
-    const denylist = _.get(settings, 'defend.ipBlacklistsList');
+    const denylist = _.get(settings, 'defend.ipDenylistsList');
     if (denylist) {
       logger.info(`IP Denylist updated. Total: ${denylist.length}`);
     }

package/lib/protect/service.js

@@ -20,7 +20,12 @@ Copyright: 2021 Contrast Security, Inc
 
 const _ = require('lodash');
 
-const { IMPORTANCE, SAFE_HEADER_VALUES, INPUT_TYPES } = require('../constants');
+const {
+  IMPORTANCE,
+  SAFE_HEADER_VALUES,
+  INPUT_TYPES,
+  RULES
+} = require('../constants');
 const agentEmitter = require('../agent-emitter');
 const SampleAggregator = require('./sample-aggregator');
 const RuleFactory = require('./rules/rule-factory');
@@ -203,15 +208,22 @@ class ProtectService {
       appContext.request = request;
     }
 
-    for (const {
-      scoreLevel,
-      ruleId,
-      inputType: type,
-      path,
-      key: name,
-      value,
-      idsList
-    } of resultsList) {
+    for (const result of resultsList) {
+      // Coerce custom rule id
+      if (result.ruleId === RULES.NOSQL_EXPANSION) {
+        result.ruleId = RULES.NOSQL_INJECTION;
+      }
+
+      const {
+        scoreLevel,
+        ruleId,
+        inputType: type,
+        path,
+        key: name,
+        value,
+        idsList
+      } = result;
+
       if (scoreLevel === IMPORTANCE.NONE) {
         return;
       }
@@ -269,7 +281,7 @@ class ProtectService {
    * Loads IP analyzer for allowist analysis given TS settings.
    */
   updateIpAllowlist(settings) {
-    const list = _.get(settings, 'defend.ipWhitelistsList');
+    const list = _.get(settings, 'defend.ipAllowlistsList');
     if (list && list.length) {
       this.ipAllowlist = new IpAnalyzer(list);
       this.ipAllowlist.on('expired', (dtm) => {