@contrast/agent 4.7.0 → 4.7.1

package/lib/protect/sinks/mongodb.js

@@ -21,47 +21,41 @@ const BaseSensor = require('../../hooks/frameworks/base');
 const patcher = require('../../hooks/patcher');
 const { PATCH_TYPES } = require('../../constants');
 const { emitSinkEvent } = require('../../hooks/frameworks/common');
+const agentEmitter = require('../../agent-emitter');
+const SinkEvent = require('../models/sink-event');
 
 const { SINK_TYPES } = constants;
 const ID = 'mongodb';
 
-/**
- * json.stringify(data) in try-catch
- * @param {any} data
- * @returns {string}
- */
-const safeStringify = (data) => {
-  try {
-    return JSON.stringify(data);
-  } catch (e) {
-    // ignore errors
-  }
-};
-
-/**
- * @param {any} query `cmd.query`
- * @returns {string}
- */
-const getQueryAsString = (args, version) => {
+function getCursorQueryData(args, version) {
   const query = semver.gte(version, '3.3.0')
     ? _.get(args, '0.cmd.query')
     : _.get(args, '1.query');
 
-  if (_.isString(query)) return query.toString();
-  if (!_.isObject(query)) return;
+  if (!query) {
+    return;
+  }
+
+  if (_.isString(query)) {
+    return query.toString()
+  }
 
   if (query['$where']) {
     return query['$where'].toString();
   }
 
-  const keys = Object.keys(query);
-  if (keys.length === 1 && _.isString(query[keys[0]])) {
-    // eval: { $where : 'process.exit()' }
-    return query[keys[0]];
+  return query;
+}
+
+function getOpQueryData(op) {
+  if (!op.q) {
+    return;
   }
-  // otherwise try and look at the stringified query
-  return safeStringify(query);
-};
+  if (op.q.$where) {
+    return op.q.$where;
+  }
+  return op.q;
+}
 
 class MongoDBSensor extends BaseSensor {
   constructor(agent) {
@@ -76,8 +70,11 @@ class MongoDBSensor extends BaseSensor {
         name: 'mongodb.CoreServer.prototype',
         patchType: PATCH_TYPES.PROTECT_SINK,
         pre: (wrapCtx) => {
-          const data = getQueryAsString(wrapCtx.args, version);
-          emitSinkEvent(data, SINK_TYPES.NOSQL_QUERY, ID);
+          emitSinkEvent(
+            getCursorQueryData(wrapCtx.args, version),
+            SINK_TYPES.NOSQL_QUERY,
+            ID
+          );
         }
       });
 
@@ -86,21 +83,12 @@ class MongoDBSensor extends BaseSensor {
         alwaysRun: true,
         name: 'mongodb.CoreServer.prototype',
         patchType: PATCH_TYPES.PROTECT_SINK,
-        pre: (wrapCtx) => {
-          const data = getQueryAsString(wrapCtx.args, version);
-          emitSinkEvent(data, SINK_TYPES.NOSQL_QUERY, ID);
-        }
-      });
-
-      // insert(ns, opts, options, cb)
-      patcher.patch(mongodb.CoreServer.prototype, 'insert', {
-        alwaysRun: true,
-        name: 'mongodb.CoreServer.prototype',
-        patchType: PATCH_TYPES.PROTECT_SINK,
-        pre: (wrapCtx) => {
-          const arg = _.get(wrapCtx, 'args.1');
-          const data = safeStringify(arg);
-          emitSinkEvent(data, SINK_TYPES.NOSQL_QUERY, ID);
+        pre: (data) => {
+          emitSinkEvent(
+            getCursorQueryData(data.args, version),
+            SINK_TYPES.NOSQL_QUERY,
+            ID
+          );
         }
       });
 
@@ -109,10 +97,17 @@ class MongoDBSensor extends BaseSensor {
         alwaysRun: true,
         name: 'mongodb.CoreServer.prototype',
         patchType: PATCH_TYPES.PROTECT_SINK,
-        pre: (wrapCtx) => {
-          const arg = _.get(wrapCtx, 'args.1');
-          const data = safeStringify(arg);
-          emitSinkEvent(data, SINK_TYPES.NOSQL_QUERY, ID);
+        pre: (data) => {
+          const ops = Array.isArray(data.args[1])
+            ? data.args[1]
+            : [data.args[1]];
+
+          for (const op of ops) {
+            const eData = getOpQueryData(op);
+            if (eData) {
+              emitSinkEvent(eData, SINK_TYPES.NOSQL_QUERY, ID);
+            }
+          }
         }
       });
 
@@ -121,10 +116,17 @@ class MongoDBSensor extends BaseSensor {
         alwaysRun: true,
         name: 'mongodb.CoreServer.prototype',
         patchType: PATCH_TYPES.PROTECT_SINK,
-        pre: (wrapCtx) => {
-          const arg = _.get(wrapCtx, 'args.1');
-          const data = safeStringify(arg);
-          emitSinkEvent(data, SINK_TYPES.NOSQL_QUERY, ID);
+        pre: (data) => {
+          const ops = Array.isArray(data.args[1])
+            ? data.args[1]
+            : [data.args[1]];
+
+          for (const op of ops) {
+            const eData = getOpQueryData(op);
+            if (eData) {
+              emitSinkEvent(eData, SINK_TYPES.NOSQL_QUERY, ID);
+            }
+          }
         }
       });
 
@@ -133,9 +135,8 @@ class MongoDBSensor extends BaseSensor {
         alwaysRun: true,
         name: 'mongodb.Db.prototype',
         patchType: PATCH_TYPES.PROTECT_SINK,
-        pre: (wrapCtx) => {
-          const data = _.get(wrapCtx, 'args.0');
-          emitSinkEvent(data, SINK_TYPES.NOSQL_QUERY, ID);
+        pre: (data) => {
+          emitSinkEvent(data.args[0], SINK_TYPES.NOSQL_QUERY, ID);
         }
       });
     });

package/lib/reporter/translations/to-protobuf/dtm/index.js

@@ -27,7 +27,7 @@ module.exports = {
   Finding: require('./finding'),
   HttpMethodTamperingDetails: require('./http-method-tampering-details'),
   HttpRequest: require('./http-request'),
-  IpBlacklistDetails: require('./ip-denylist-details'),
+  IpDenylistDetails: require('./ip-denylist-details'),
   LibraryUsageUpdate: require('./library-usage-update'),
   Poll: require('./poll'),
   NoSqlInjectionDetails: require('./no-sql-injection-details'),

package/lib/reporter/translations/to-protobuf/dtm/ip-denylist-details.js

@@ -16,7 +16,7 @@ Copyright: 2021 Contrast Security, Inc
 const { dtm } = require('@contrast/protobuf-api');
 
 module.exports = function IpDenylistDetails(details = {}) {
-  return new dtm.IpBlacklistDetails({
+  return new dtm.IpDenylistDetails({
     0: details.ip,
     1: details.uuid
   });

package/lib/reporter/translations/to-protobuf/dtm/rasp-rule-sample.js

@@ -65,7 +65,7 @@ const DETAILS_MAP = {
     Constructor: require('./untrusted-deserialization-details')
   },
   [IP_DENYLIST]: {
-    index: 22,
+    index: 44,
     Constructor: require('./ip-denylist-details')
   },
   [PATH_TRAVERSAL]: {

package/lib/reporter/translations/to-protobuf/settings/defend-features.js

@@ -33,22 +33,24 @@ function DefendFeatures(defend = {}) {
   const {
     auth,
     botBlockers = [],
-    ipBlacklists = [],
-    ipWhitelists = [],
     logEnhancers = [],
-    ruleDefinitionList = []
+    ruleDefinitionList = [],
+    ipDenylists = [],
+    ipAllowlists = []
   } = defend;
   return wrapToObject(
     new settings.DefendFeatures([
       defend.enabled, //                                             1          enabled
       defend['bot-blocker'], //                                      2      bot_blocker
       botBlockers.map((blocker) => BotBlocker(blocker).array), //    3     bot_blockers
-      ipBlacklists.map((bl) => IpFilter(bl).array), //               4    ip_blacklists
-      ipWhitelists.map((wl) => IpFilter(wl).array), //               5     ip_whitelist
+      undefined, //                                                  4                -
+      undefined, //                                                  5                -
       logEnhancers.map((le) => LogEnhancer(le).array), //            6    log_enhancers (unsupported as of q2-2019)
       ruleDefinitionList.map((def) => RuleDefinition(def).array), // 7 rule_definitions
       Syslog(defend.syslog).array, //                                8           syslog
-      Auth(auth).array //                                            9             auth
+      Auth(auth).array, //                                           9             auth
+      ipDenylists.map((dl) => IpFilter(dl).array), //                10    ip_denylists
+      ipAllowlists.map((al) => IpFilter(al).array) //                11   ip_allowlists
     ]),
     ({ syslog, ruleDefinitionsList }) => {
       ruleDefinitionsList.forEach(({ keywordsList, patternsList }) => {

package/lib/reporter/translations/to-protobuf/settings/exclusions.js

@@ -25,7 +25,6 @@ const {
 
 function Exclusion({
   assessmentRules,
-  blacklist,
   inputName,
   inputType,
   matchStrategy,
@@ -33,7 +32,8 @@ function Exclusion({
   name,
   rules,
   type,
-  urls
+  urls,
+  denylist
 }) {
   return wrapToObject(
     new settings.Exclusion([
@@ -44,11 +44,12 @@ function Exclusion({
       rules, //                                  5 protection_rules
       assessmentRules, //                        6 assessment_rules
       urls, //                                   7             urls
-      blacklist, //                              8        blacklist
+      undefined, //                              8                -
       ExclusionInputType(inputType), //          9       input_type
       inputName, //                             10       input_name
       modes.includes('assess'), //              11           assess
-      modes.includes('defend') //               12          protect
+      modes.includes('defend'), //              12          protect
+      denylist //                               13         denylist
     ]),
     (exclusion) => {
       exclusion.inputType = EXCLUSION_INPUT_TYPES[exclusion.inputType];

package/lib/tracker.js

@@ -45,12 +45,6 @@ const defaultContrastProperties = {
   }
 };
 
-// NOTE: this function just exists for us to get a better view
-// of the module's performance while profiling
-function getExtStringProps(ext) {
-  return distringuish.getProperties(ext);
-}
-
 // i'm not sure why this is a class. there are no methods, and externalized
 // strings don't have an instance of the class; they have an object with the
 // same property names.
@@ -74,37 +68,6 @@ class Tracker {
     this.metadata = new WeakMap();
   }
 
-  /**
-   * Map lookup for metadata of a value
-   *
-   * @param {*} value Tracked value
-   * @return {ContrastProperties|undefined}
-   */
-  getData(value) {
-    if (typeof value === 'string') {
-      const props = getExtStringProps(value);
-      if (props == null) {
-        return defaultContrastProperties;
-      }
-
-      return props;
-    }
-    return this.metadata.get(value) || defaultContrastProperties;
-  }
-
-  /**
-   * Resets a string's tracking metadata to the default contrast properties.
-   * This will effectively untrack the associated string, but it will still be
-   * the externalized value.
-   * @param {object} trackingData A tracked string's metadata
-   */
-  untrack(str) {
-    const trackingData = this.getData(str);
-    if (trackingData.tracked) {
-      Object.assign(trackingData, defaultContrastProperties);
-    }
-  }
-
   trackString(str) {
     if (str.length === 0) {
       return str;
@@ -113,7 +76,7 @@ class Tracker {
     // XXX: this is the closest we have to a dedup.
     // it may be kind of expensive. we need to consider whether or not
     // this is worthwhile
-    if (this.getData(str).tracked) {
+    if (this.getData(str)) {
       return str;
     }
 
@@ -143,38 +106,15 @@ class Tracker {
     return value;
   }
 
-  // trackArray(value, parent, sourceType, parentKey) {}
-
-  /**
-   * Associate properties with a string.
-   *
-   * @param   {*} value value to track
-   * @returns {*}       the value - tracked if some type of string, otherwise untracked
-   */
-  track(value) {
-    if (typeof value === 'string') {
-      return this.trackString(value);
-    }
-
-    if (value instanceof String) {
-      return this.trackStringObject(value);
-    }
-
-    return value;
-  }
 
   /**
    * Associate properties with a string. Returns null if str is not a string,
    * is a zero-length string, or any internal error takes place.
    *
-   * This behavior is different than track in that it requires the caller to check
-   * the return value. track always returned properties even if the value was not a
-   * string or there were no properties associated with the string value.
-   *
    * @param {*} str a value to track.
    * @returns {Object|null} {str, props} or null on error.
    */
-  track2(str) {
+  track(str) {
     if (typeof str === 'string') {
       // is the string already tracked?
       let props = distringuish.getProperties(str);
@@ -217,7 +157,7 @@ class Tracker {
    * @param {*} str any value
    * @return {ContrastProperties|null}
    */
-  getData2(str) {
+  getData(str) {
     if (typeof str === 'string') {
       return distringuish.getProperties(str);
     }
@@ -227,12 +167,20 @@ class Tracker {
     return null;
   }
 
-  untrack2(str) {
+  /**
+   * Resets a string's tracking metadata to the default contrast properties.
+   * This will effectively untrack the associated string, but it will still be
+   * the externalized value.
+   * @param {object} trackingData A tracked string's metadata
+   */
+  untrack(str) {
     if (typeof str === 'string') {
-      if (!distringuish.getProperties(str)) {
+      let props = distringuish.getProperties(str);
+      if (!props) {
         return null;
       }
       // return an untracked version of the string
+      Object.assign(props, {event: null, tagRanges: [], tracked: false})
       return distringuish.internalize(str);
     }
     if (str instanceof String) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.7.0",
+  "version": "4.7.1",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",
@@ -152,6 +152,7 @@
     "mochawesome": "^7.0.1",
     "mongodb": "file:test/mock/mongodb",
     "mongodb-npm": "npm:mongodb@^3.6.5",
+    "mongoose": "^6.1.1",
     "mustache": "^3.0.1",
     "mysql": "file:test/mock/mysql",
     "nock": "^12.0.3",

package/lib/protect/rules/nosqli/no-sql-injection-rule.js

@@ -1,109 +0,0 @@
-/**
-Copyright: 2021 Contrast Security, Inc
-  Contact: support@contrastsecurity.com
-  License: Commercial
-
-  NOTICE: This Software and the patented inventions embodied within may only be
-  used as part of Contrast Security’s commercial offerings. Even though it is
-  made available through public repositories, use of this Software is subject to
-  the applicable End User Licensing Agreement found at
-  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
-  between Contrast Security and the End User. The Software may not be reverse
-  engineered, modified, repackaged, sold, redistributed or otherwise used in a
-  way not consistent with the End User License Agreement.
-*/
-const _ = require('lodash');
-
-const logger = require('../../../core/logger')('contrast:rules:protect');
-const { INPUT_TYPES, SINK_TYPES } = require('../common');
-
-const MONGODB = 'mongodb';
-
-const ScannerKit = new Map([
-  [MONGODB, () => require('../nosqli/nosql-scanner').create('MongoDB')]
-]);
-
-class NoSqlInjectionRule extends require('../') {
-  constructor(policy = {}) {
-    policy.inputParseDepth = 3;
-    super(policy);
-
-    this._scanners = new Map();
-
-    this.id = 'nosql-injection';
-    this.name = 'NoSQL Injection';
-    this.applicableInputs = [
-      INPUT_TYPES.BODY,
-      INPUT_TYPES.JSON_VALUE,
-      INPUT_TYPES.JSON_ARRAYED_VALUE,
-      INPUT_TYPES.PARAMETER_NAME,
-      INPUT_TYPES.PARAMETER_VALUE,
-      INPUT_TYPES.QUERYSTRING,
-      INPUT_TYPES.XML_VALUE,
-      INPUT_TYPES.URI,
-      INPUT_TYPES.URL_PARAMETER
-    ];
-    this.applicableSinks = [SINK_TYPES.NOSQL_QUERY];
-  }
-
-  evaluateAtSink({ event, applicableSamples }) {
-    if (_.isEmpty(applicableSamples)) {
-      return;
-    }
-
-    const scanner = this.getScanner(event.id);
-
-    for (const sample of applicableSamples) {
-      const injection = scanner.findInjection(sample.input.value, event.data);
-
-      if (injection) {
-        this.appendAttackDetails(sample, injection);
-        sample.captureAppContext(event);
-        logger.warn(`EFFECTIVE - rule: ${this.id}, mode: ${this.mode} `);
-        this.blockRequest(sample);
-      }
-    }
-  }
-
-  getScanner(id) {
-    if (!ScannerKit.has(id)) {
-      throw new Error(`Unknown NoSQL scanner: ${id}`);
-    }
-
-    if (!this._scanners.has(id)) {
-      this._scanners.set(id, ScannerKit.get(id)());
-    }
-
-    return this._scanners.get(id);
-  }
-
-  /**
-   * Builds details for Sql Injection Attack.
-   * @param   {UserInput} inputDtm The user input that resulted in attack
-   * @param   {String}    query    The query that was analyzed
-   * @param   {Object}    results  The repsults of the sql-scanner
-   * @returns {Object}             The details
-   */
-  buildDetails(sample, findings) {
-    if (!findings) {
-      return null;
-    }
-
-    const { boundary, location, query } = findings;
-
-    const inputBoundaryIndex = boundary.previous
-      ? boundary.previous.start
-      : boundary.start;
-
-    return {
-      start: location[0],
-      end: location[1] + 1,
-      input: sample.input.toSerializable(),
-      boundaryOverrunIndex: boundary.stop + 1,
-      inputBoundaryIndex,
-      query
-    };
-  }
-}
-
-module.exports = NoSqlInjectionRule;