@contrast/assess 1.27.0 → 1.27.2

package/lib/dataflow/sinks/install/child-process.js

@@ -44,7 +44,7 @@ module.exports = function(core) {
     },
   } = core;
 
-  const safeTags = [];
+  const safeTags = [`excluded:${ruleId}`];
 
   function commandCheck(
     name,

package/lib/dataflow/sinks/install/eval.js

@@ -31,6 +31,7 @@ const { InstrumentationType: { RULE } } = require('../../../constants');
 const { patchType, filterSafeTags } = require('../common');
 
 const safeTags = [
+  `excluded:${ruleId}`,
   CUSTOM_ENCODED_TRUST_BOUNDARY_VIOLATION,
   CUSTOM_ENCODED,
   CUSTOM_VALIDATED_TRUST_BOUNDARY_VIOLATION,

package/lib/dataflow/sinks/install/express/reflected-xss.js

@@ -62,6 +62,7 @@ module.exports = function(core) {
   const inspect = patcher.unwrap(util.inspect);
 
   const safeTags = [
+    `excluded:${ruleId}`,
     COOKIE,
     HEADER,
     LIMITED_CHARS,

package/lib/dataflow/sinks/install/express/unvalidated-redirect.js

@@ -59,6 +59,7 @@ module.exports = function(core) {
   const inspect = patcher.unwrap(util.inspect);
 
   const safeTags = [
+    `excluded:${ruleId}`,
     CUSTOM_ENCODED,
     CUSTOM_VALIDATED,
     HTML_ENCODED,

package/lib/dataflow/sinks/install/fastify/unvalidated-redirect.js

@@ -79,6 +79,7 @@ module.exports = function(core) {
   const inspect = patcher.unwrap(util.inspect);
 
   const safeTags = [
+    `excluded:${ruleId}`,
     CUSTOM_ENCODED,
     CUSTOM_VALIDATED,
     HTML_ENCODED,

package/lib/dataflow/sinks/install/fs.js

@@ -46,6 +46,7 @@ module.exports = function(core) {
   } = core;
 
   const safeTags = [
+    `excluded:${ruleId}`,
     URL_ENCODED,
     LIMITED_CHARS,
     ALPHANUM_SPACE_HYPHEN,
@@ -77,6 +78,7 @@ module.exports = function(core) {
     });
     for (let i = 0; i < values.length; i++) {
       const { strInfo } = args[i];
+
       if (!strInfo || !isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) {
         continue;
       }

package/lib/dataflow/sinks/install/function.js

@@ -33,6 +33,7 @@ const { InstrumentationType: { RULE } } = require('../../../constants');
 const { patchType, filterSafeTags } = require('../common');
 
 const safeTags = [
+  `excluded:${ruleId}`,
   CUSTOM_ENCODED_TRUST_BOUNDARY_VIOLATION,
   CUSTOM_ENCODED,
   CUSTOM_VALIDATED_TRUST_BOUNDARY_VIOLATION,

package/lib/dataflow/sinks/install/hapi/unvalidated-redirect.js

@@ -59,6 +59,7 @@ module.exports = function(core) {
   const inspect = patcher.unwrap(util.inspect);
 
   const safeTags = [
+    `excluded:${ruleId}`,
     CUSTOM_ENCODED,
     CUSTOM_VALIDATED,
     HTML_ENCODED,

package/lib/dataflow/sinks/install/http/request.js

@@ -60,6 +60,7 @@ module.exports = function(core) {
   const http = core.assess.dataflow.sinks.http.request = {};
 
   const safeTags = [
+    `excluded:${ruleId}`,
     CUSTOM_ENCODED_SSRF,
     CUSTOM_ENCODED,
     CUSTOM_VALIDATED_SSRF,

package/lib/dataflow/sinks/install/http/server-response.js

@@ -64,6 +64,7 @@ module.exports = function(core) {
   const http = core.assess.dataflow.sinks.http.serverResponse = {};
 
   const safeTags = [
+    `excluded:${ruleId}`,
     ALPHANUM_SPACE_HYPHEN,
     COOKIE,
     CUSTOM_ENCODED,

package/lib/dataflow/sinks/install/koa/unvalidated-redirect.js

@@ -58,6 +58,7 @@ module.exports = function(core) {
 
   const inspect = patcher.unwrap(util.inspect);
   const safeTags = [
+    `excluded:${ruleId}`,
     CUSTOM_ENCODED,
     CUSTOM_VALIDATED,
     HTML_ENCODED,

package/lib/dataflow/sinks/install/libxmljs.js

@@ -29,6 +29,7 @@ const { InstrumentationType: { RULE } } = require('../../../constants');
 const { patchType } = require('../common');
 
 const safeTags = [
+  `excluded:${ruleId}`,
   LIMITED_CHARS,
   ALPHANUM_SPACE_HYPHEN
 ];

package/lib/dataflow/sinks/install/marsdb.js

@@ -31,6 +31,7 @@ const { patchType } = require('../common');
 
 const collectionMethods = ['find', 'findOne', 'update', 'remove'];
 const querySafeTags = [
+  `excluded:${ruleId}`,
   LIMITED_CHARS,
   ALPHANUM_SPACE_HYPHEN,
   STRING_TYPE_CHECKED,

package/lib/dataflow/sinks/install/mongodb.js

@@ -60,6 +60,7 @@ const dbMethods = [
 const methodsWithNestedCalls = ['findOne', 'eval', 'group'];
 
 const querySafeTags = [
+  `excluded:${ruleId}`,
   ALPHANUM_SPACE_HYPHEN,
   CUSTOM_VALIDATED,
   CUSTOM_VALIDATED_NOSQL_INJECTION,

package/lib/dataflow/sinks/install/mssql.js

@@ -31,6 +31,7 @@ const { createModuleLabel } = require('../../propagation/common');
 const { patchType, filterSafeTags } = require('../common');
 
 const safeTags = [
+  `excluded:${ruleId}`,
   SQL_ENCODED,
   LIMITED_CHARS,
   CUSTOM_VALIDATED,

package/lib/dataflow/sinks/install/mysql.js

@@ -33,6 +33,7 @@ const {
 const { InstrumentationType: { RULE } } = require('../../../constants');
 
 const safeTags = [
+  `excluded:${ruleId}`,
   CUSTOM_ENCODED_SQL_INJECTION,
   CUSTOM_ENCODED,
   CUSTOM_VALIDATED_SQL_INJECTION,

package/lib/dataflow/sinks/install/node-serialize.js

@@ -25,6 +25,8 @@ const {
 const { InstrumentationType: { RULE } } = require('../../../constants');
 const { patchType } = require('../common');
 
+const safeTags = [`excluded:${ruleId}`];
+
 /**
  * @param {{
  *  assess: import('@contrast/assess').Assess,
@@ -59,7 +61,7 @@ module.exports = function(core) {
             if (!isString(input)) return;
 
             const strInfo = tracker.getData(input);
-            if (!strInfo || !isVulnerable(UNTRUSTED, [], strInfo.tags)) return;
+            if (!strInfo || !isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) return;
 
             const sinkEvent = createSinkEvent({
               name: 'node-serialize.unserialize',

package/lib/dataflow/sinks/install/postgres.js

@@ -53,6 +53,7 @@ module.exports = function(core) {
   } = core;
 
   const safeTags = [
+    `excluded:${ruleId}`,
     SQL_ENCODED,
     LIMITED_CHARS,
     CUSTOM_VALIDATED,

package/lib/dataflow/sinks/install/sequelize.js

@@ -52,6 +52,7 @@ module.exports = function (core) {
   } = core;
 
   const safeTags = [
+    `excluded:${ruleId}`,
     SQL_ENCODED,
     LIMITED_CHARS,
     CUSTOM_VALIDATED,

package/lib/dataflow/sinks/install/sqlite3.js

@@ -30,6 +30,7 @@ const {
 const { InstrumentationType: { RULE } } = require('../../../constants');
 
 const safeTags = [
+  `excluded:${ruleId}`,
   SQL_ENCODED,
   LIMITED_CHARS,
   CUSTOM_VALIDATED,

package/lib/dataflow/sources/handler.js

@@ -39,7 +39,7 @@ module.exports = function (core) {
 
   const emptyStack = Object.freeze([]);
 
-  sources.createTags = function createTags({ inputType, fieldName = '', value }) {
+  sources.createTags = function createTags({ inputType, fieldName = '', value, tagNames }) {
     if (!value?.length) {
       return null;
     }
@@ -49,6 +49,12 @@ module.exports = function (core) {
       [DataflowTag.UNTRUSTED]: [0, stop]
     };
 
+    if (tagNames) {
+      for (const tag of tagNames) {
+        tags[tag] = [0, stop];
+      }
+    }
+
     if (inputType === InputType.HEADER && fieldName.toLowerCase() === 'referer') {
       tags[DataflowTag.HEADER] = [0, stop];
     }
@@ -78,10 +84,16 @@ module.exports = function (core) {
       return null;
     }
 
+    // url exclusion
+    if (!sourceContext.policy) {
+      return null;
+    }
+
     if (!context) {
       context = inputType;
     }
 
+    const { policy: requestPolicy } = sourceContext;
     const max = config.assess.max_context_source_events;
     let _data = data;
     let stack;
@@ -93,7 +105,8 @@ module.exports = function (core) {
       }
     }
 
-    function createEvent({ fieldName, pathName, value }) {
+    function createEvent({ fieldName, pathName, value, excludedRules }) {
+      const tagNames = Array.from(excludedRules).map((ruleId) => `excluded:${ruleId}`);
       // create the stacktrace once per call to .handle()
       stack || (stack = sources.createStacktrace(stacktraceOpts));
       return eventFactory.createSourceEvent({
@@ -103,16 +116,23 @@ module.exports = function (core) {
         pathName,
         stack,
         inputType,
-        tags: sources.createTags({ inputType, fieldName, value }),
+        tags: sources.createTags({ inputType, fieldName, value, tagNames }),
         result: { tracked: true, value },
       });
     }
 
     if (Buffer.isBuffer(data) && !tracker.getData(data)) {
-      const event = createEvent({ pathName: 'body', value: data, fieldName: '' });
+      const { track, excludedRules } = requestPolicy.getInputPolicy(InputType.BODY);
+      if (!track) {
+        core.logger.debug({ inputType }, 'assess input exclusion disabled tracking');
+        return;
+      }
+
+      const event = createEvent({ pathName: 'body', value: data, fieldName: '', excludedRules });
       if (event) {
         tracker.track(data, event);
       }
+
       return;
     }
 
@@ -124,18 +144,22 @@ module.exports = function (core) {
         return true;
       }
 
+      const { track, excludedRules } = sourceContext.policy.getInputPolicy(inputType, fieldName);
+      if (!track) {
+        core.logger.debug({ fieldName, inputType }, 'assess input exclusion disabling tracking');
+        return;
+      }
+
       if (isString(value) && value.length) {
         const strInfo = tracker.getData(value);
-
         if (strInfo) {
           // TODO: confirm this "layering-on" approach is what we want
-          // when the value is tracked the handler wins out and we "re-tracks" the value with new source
+          // when a value is already tracked, the handler will "re-track" the value with new source
           // event metadata. without this step tracker would complain about value already being tracked.
           // alternatively we could treat this more like a propagation event and update existing metadata.
           value = strInfo.value;
         }
-
-        const event = createEvent({ pathName, value, fieldName });
+        const event = createEvent({ pathName, value, fieldName, excludedRules });
         if (!event) {
           logger.warn({ inputType, sourceName: name, pathName, value }, 'unable to create source event');
           return;
@@ -149,7 +173,7 @@ module.exports = function (core) {
           sourceContext.sourceEventsCount++;
         }
       } else if (Buffer.isBuffer(value) && !tracker.getData(value)) {
-        const event = createEvent({ pathName, value, fieldName });
+        const event = createEvent({ pathName, value, fieldName, excludedRules });
         if (event) {
           tracker.track(value, event);
         } else {
@@ -193,9 +217,7 @@ function traverse(target, cb, path = [], visited = new Set()) {
 
       if (isVisitable(value)) {
         const halt = cb(path, key, value, target) === false;
-        if (halt) {
-          return;
-        }
+        if (halt) return;
       }
 
       if (isTraversable(value)) {

package/lib/dataflow/sources/install/http.js

@@ -102,6 +102,21 @@ module.exports = function (core) {
         sourceContext: store.assess
       };
 
+      // track the headers and the url.
+      //
+      // note that req.headers and req.headersDistinct are now (as of v15.1.0)
+      // lazily computed using an accessor property.
+      //
+      // there is no need to track headersDistinct because they are not
+      // referenced prior to this point. and, when they are referenced, node
+      // populates them with references to the (what will be after code below)
+      // already-tracked values in rawHeaders. But headers have already been
+      // referenced by node before the 'request' event is emitted by the server,
+      // so headers need to be tracked independently of rawHeaders. The way
+      // node handles the headers is convoluted; it's easier/safer to track the
+      // headers as they are. An attacker could use knowledge of node's handling
+      // to craft their attack.
+      //
       [
         {
           context: 'req.headers',
@@ -117,18 +132,57 @@ module.exports = function (core) {
           ...sourceInfo,
         }
       ].forEach((sourceData) => {
-        const { inputType } = sourceData;
         try {
           dataflow.sources.handle(sourceData);
         } catch (err) {
+          const { inputType } = sourceData;
           logger.error({ err, inputType, sourceName }, 'unable to handle http source');
         }
       });
 
-      for (let i = 0; i < req.rawHeaders.length; i += 2) {
-        const header = toLowerCase(req.rawHeaders[i]);
-        req.rawHeaders[i + 1] = req.headers[header];
+
+      //
+      // now track the rawHeaders. headers are complicated because they appear
+      // three times: headers, headersDistinct, and rawHeaders and we want to
+      // create only one event per header value. that turns out not to be as
+      // easy/possible as it sounds, due to the way node handles req.headers.
+      //
+      // see node's lib/_http_incoming.js for details. interesting optimizations
+      // and quirky handling per the RFC. some duplicate headers are joined by
+      // default, some are not.
+      //
+      // but we have to track rawHeaders. they are copied to a separate array
+      // because the dataflow.sources.handle() doesn't know about an array where
+      // only odd indexes are to be tracked.
+      //
+      // even though we could track the rawHeaders' keys, we don't because they
+      // are not used by any application that i'm aware of. it's easy enough to
+      // add here if we find there is an edge case where the application bypasses
+      // headers and headersDistinct and uses rawHeaders directly.
+      //
+      const headerValues = [];
+      for (let i = 1; i < req.rawHeaders.length; i += 2) {
+        headerValues.push(req.rawHeaders[i]);
+      }
+
+      try {
+        dataflow.sources.handle({
+          context: 'req.headers',
+          inputType: InputType.HEADER,
+          data: headerValues,
+          ...sourceInfo,
+        });
+      } catch (err) {
+        logger.error({ err, inputType: InputType.HEADER, sourceName }, 'unable to handle http source');
       }
+
+      //
+      // now that the raw headers are tracked, put each tracked value back
+      //
+      for (let i = 0; i < headerValues.length; i++) {
+        req.rawHeaders[(i << 1) + 1] = headerValues[i];
+      }
+
     } catch (err) {
       logger.error({ err, funcKey: data.funcKey }, 'Error during Assess request handling');
     }

package/lib/get-policy.js

@@ -16,51 +16,39 @@
 'use strict';
 
 const {
+  Event,
+  ExclusionType,
+  InputType,
   Rule,
   ResponseScanningRule,
   SessionConfigurationRule,
-  Event,
   join,
-  toLowerCase,
 } = require('@contrast/common');
 
-const rulesIds = Object.values({
+const ASSESS_RULES = Object.values({
   ...Rule,
   ...ResponseScanningRule,
   ...SessionConfigurationRule,
 });
-
-function buildUriPathRegExp(urls) {
-  let regExpNeeded = false;
-  for (const url of urls) {
-    if (regExpCheck(url)) {
-      regExpNeeded = true;
-    }
-  }
-  if (regExpNeeded) {
-    const rx = new RegExp(`^${join(urls, '|')}$`);
-
-    return (uriPath) => rx ? rx.test(uriPath) : false;
-  }
-
-  return (uriPath) => urls.some((url) => url === uriPath);
-}
-
-function createUriPathMatcher(urls) {
-  if (urls.length) {
-    return buildUriPathRegExp(urls);
-  } else {
-    return () => true;
-  }
-}
-
-function regExpCheck(str) {
-  return str.indexOf('*') > 0 ||
-    str.indexOf('.') > 0 ||
-    str.indexOf('+') > 0 ||
-    str.indexOf('?') > 0 ||
-    str.indexOf('\\') > 0;
-}
+const BROAD_INPUT_EXCLUSION_TYPES = [
+  ExclusionType.BODY,
+  ExclusionType.QUERYSTRING
+];
+const NAMED_INPUT_EXCLUSION_TYPES = [
+  ExclusionType.COOKIE,
+  ExclusionType.HEADER,
+  ExclusionType.PARAMETER
+];
+const BODY_TYPES = [
+  InputType.BODY,
+  InputType.JSON_VALUE,
+  InputType.JSON_ARRAYED_VALUE,
+  InputType.MULTIPART_CONTENT_TYPE,
+  InputType.MULTIPART_FIELD_NAME,
+  InputType.MULTIPART_NAME,
+  InputType.MULTIPART_VALUE,
+];
+const DISABLED_INPUT_POLICY = { track: false };
 
 /**
  * @param {{
@@ -73,100 +61,276 @@ function regExpCheck(str) {
 module.exports = function assess(core) {
   const { config, logger, messages } = core;
 
-  const enabledRules = new Set(rulesIds);
-  const exclusions = {
-    url: [],
+  const globalPolicy = {
+    // by default all rules are enabled
+    enabledRules: new Set(ASSESS_RULES),
+    exclusionMap: new Map([
+      [ExclusionType.BODY, []],
+      [ExclusionType.COOKIE, []],
+      [ExclusionType.HEADER, []],
+      [ExclusionType.PARAMETER, []],
+      [ExclusionType.QUERYSTRING, []],
+      [ExclusionType.URL, []],
+    ]),
   };
 
-  function compileExclusions(settings) {
-    // reset global exclusion state
-    for (const key of Object.keys(exclusions)) {
-      exclusions[key] = [];
-    }
-
-    const rawDtmList = [
-      // todo: NODE-3281 input exclusions
-      ...(settings?.exclusions?.url || [])
-    ].filter((exclusion) => exclusion.modes.includes('assess'));
-
-    if (!rawDtmList.length) {
-      return;
-    }
-
-    for (const dtm of rawDtmList) {
-      dtm.type = dtm.type || 'URL';
-
-      const { name, assess_rules, urls, type } = dtm;
-      const key = toLowerCase(type);
-      try {
-        const e = {
-          name,
-          rules: new Set(assess_rules),
-        };
-        e.matchesUriPath = createUriPathMatcher(urls);
-        exclusions[key].push(e);
-      } catch (err) {
-        logger.error({ err, dtm }, 'failed to process exclusion');
-      }
-    }
-  }
-
+  /**
+   * Subscribe to settings updates and modify global policy accordingly.
+   */
   messages.on(Event.SERVER_SETTINGS_UPDATE, (msg) => {
     if (!config.getEffectiveValue('assess.enable')) return;
 
     if (msg.assess) {
-      for (const ruleId of rulesIds) {
+      for (const ruleId of ASSESS_RULES) {
         const enable = msg.assess[ruleId]?.enable;
         if (enable === true) {
-          enabledRules.add(ruleId);
-          if (ruleId === Rule.NOSQL_INJECTION) enabledRules.add(Rule.NOSQL_INJECTION_MONGO);
+          globalPolicy.enabledRules.add(ruleId);
+          if (ruleId === Rule.NOSQL_INJECTION) globalPolicy.enabledRules.add(Rule.NOSQL_INJECTION_MONGO);
         } else if (enable === false) {
-          if (ruleId === Rule.NOSQL_INJECTION) enabledRules.delete(Rule.NOSQL_INJECTION_MONGO);
-          enabledRules.delete(ruleId);
+          globalPolicy.enabledRules.delete(ruleId);
+          if (ruleId === Rule.NOSQL_INJECTION) globalPolicy.enabledRules.delete(Rule.NOSQL_INJECTION_MONGO);
         }
       }
+      logger.info({ enabledRules: Array.from(globalPolicy.enabledRules) }, 'Assess policy enabled rules updated');
     }
 
     if (msg.exclusions) {
-      compileExclusions(msg);
-    }
+      const rawDtmList = [
+        // todo: NODE-3281 input exclusions
+        ...(msg?.exclusions?.input || []),
+        ...(msg?.exclusions?.url || []),
+      ].filter((exclusion) => exclusion?.modes?.includes?.('assess'));
+
+      // reset global exclusion state
+      for (const type of Object.values(ExclusionType)) {
+        globalPolicy.exclusionMap.get(type).length = 0;
+      }
+
+      if (!rawDtmList.length) return;
 
-    logger.info({ enabledRules: Array.from(enabledRules) }, 'Assess policy updated');
+      for (const dtm of rawDtmList) {
+        // normalize different dtm types
+        dtm.type = dtm.type || 'URL';
+        const { type } = dtm;
+        const key = ExclusionType[type];
+        // defensive code against unanticipated DTM values
+        if (key) {
+          const Ctor = dtm.type === ExclusionType.URL ? UrlExclusion : InputExclusion;
+          globalPolicy.exclusionMap.get(dtm.type).push(new Ctor(dtm));
+        }
+      }
+
+      logger.info({
+        exclusions: Object.fromEntries(globalPolicy.exclusionMap)
+      }, 'Assess exclusions updated (%s total)', rawDtmList.length);
+    }
   });
 
   /**
-   * This gets called by assess.makeSourceContext(). We return copy of policy to avoid
-   * inconsistent behavior if policy is updated during request handling.
+   * Generates the policy for the current request. We return copy of the global policy
+   * to avoid inconsistent behavior if policy is updated during request handling. In
+   * addition, the request policy is altered to account for any URL or Input exclusions.
+   * @param {string} uriPath
    */
   return core.assess.getPolicy = function getPolicy({ uriPath } = {}) {
-    const _enabledRules = new Set(enabledRules);
+    const _enabledRules = new Set(globalPolicy.enabledRules);
+    const exclusionState = {
+      // types that can be disabled broadly
+      [ExclusionType.BODY]: { track: true, excludedRules: new Set() },
+      [ExclusionType.QUERYSTRING]: { track: true, excludedRules: new Set() },
+      // other types we check by name. parameter applies to body and query params
+      [ExclusionType.COOKIE]: [],
+      [ExclusionType.HEADER]: [],
+      [ExclusionType.PARAMETER]: [],
+    };
 
-    // Evaluate url exclusions for current request.
-    // If one matches and applies to all rules, we return `null` for the policy value,
-    // which will disable assess for the request. If specific rules are disabled, we
-    // just removed them from the request policy's set of `enabledRules`.
-    for (const urlExclusion of exclusions.url) {
+    // Evaluate URL exclusions.
+    // If one matches and applies to all rules, we return `null` for the policy value, which
+    // will disable assess for the request (via getSourceContext()). If specific rules are
+    // disabled, we remove them from the request policy's set of enabled rules.
+    for (const urlExclusion of globalPolicy.exclusionMap.get(ExclusionType.URL)) {
       if (urlExclusion.matchesUriPath(uriPath)) {
         if (!urlExclusion.rules?.size) {
           core.logger.debug({
             name: urlExclusion.name
-          }, 'all assess rules disabled by URL exclusion');
+          }, 'All Assess rules have been disabled by URL exclusion');
           return null;
         } else {
           for (const ruleId of urlExclusion.rules) {
-            if (_enabledRules.has(ruleId)) _enabledRules.delete(ruleId);
+            _enabledRules.delete(ruleId);
           }
           core.logger.debug({
             name: urlExclusion.name,
             rules: Array.from(urlExclusion.rules),
-          }, 'assess rules disabled by URL exclusion');
+          }, 'Assess rules disabled by URL exclusion');
+        }
+      }
+    }
+
+    // Process input exclusions that apply broadly: BODY, QUERYSTRING
+    for (const type of BROAD_INPUT_EXCLUSION_TYPES) {
+      const _policy = exclusionState[type];
+      for (const exclusion of globalPolicy.exclusionMap.get(type)) {
+        if (exclusion.matchesUriPath(uriPath)) {
+          if (exclusion.rules.size) {
+            for (const ruleId of exclusion.rules) {
+              _policy.excludedRules.add(ruleId);
+            }
+          } else {
+            _policy.track = false;
+            _policy.excludedRules.clear();
+            break;
+          }
+        }
+      }
+    }
+    // Filter input exclusions that will be used to get named input
+    // policies: COOKIE, HEADER, PARAMETER
+    for (const type of NAMED_INPUT_EXCLUSION_TYPES) {
+      for (const exclusion of globalPolicy.exclusionMap.get(type)) {
+        if (exclusion.matchesUriPath(uriPath)) {
+          exclusionState[type].push(exclusion);
         }
       }
     }
 
-    // creates copy of local policy for request store
     return {
-      enabledRules: new Set(_enabledRules),
+      /**
+       * Enabled rules filtered by any applicable URL exclusions
+       */
+      enabledRules: _enabledRules,
+      /**
+       * Used by source handler to get policy information for specific named inputs.
+       * @param {InputType} inputType
+       * @param {string} [fieldName]
+       * @returns {InputPolicy}
+       */
+      getInputPolicy(inputType, fieldName) {
+        let exclusionsByType;
+        const inputPolicy = { track: true, excludedRules: new Set() };
+
+        const isBody = BODY_TYPES.includes(inputType);
+
+        if (isBody || inputType === InputType.QUERYSTRING) {
+          // these can be disabled broadly
+          const _policy = exclusionState[isBody ? ExclusionType.BODY : ExclusionType.QUERYSTRING];
+          if (!_policy.track) {
+            return DISABLED_INPUT_POLICY;
+          }
+          for (const ruleId of _policy.excludedRules) {
+            inputPolicy.excludedRules.add(ruleId);
+          }
+          exclusionsByType = exclusionState[ExclusionType.PARAMETER];
+        } else if (inputType === InputType.URL_PARAMETER) {
+          exclusionsByType = exclusionState[ExclusionType.PARAMETER];
+        } else if (inputType === InputType.HEADER) {
+          exclusionsByType = exclusionState[ExclusionType.HEADER];
+        } else if ([
+          InputType.COOKIE_NAME,
+          InputType.COOKIE_VALUE
+        ].includes(inputType)) {
+          exclusionsByType = exclusionState[ExclusionType.COOKIE];
+        }
+
+        if (!exclusionsByType) {
+          return inputPolicy;
+        }
+
+        // check input name
+        for (const exclusion of exclusionsByType) {
+          if (exclusion.matchesInputName(fieldName)) {
+            if (exclusion.rules.size) {
+              for (const ruleId of exclusion.rules) {
+                inputPolicy.excludedRules.add(ruleId);
+              }
+            } else {
+              return DISABLED_INPUT_POLICY;
+            }
+          }
+        }
+
+        return inputPolicy;
+      },
     };
   };
 };
+
+/**
+ * @typedef InputPolicy
+ * @property {boolean} track
+ * @property {Set<Rule>} excludedRules
+ */
+
+class UrlExclusion {
+  constructor(dtm) {
+    this._urlRegex = null;
+    this._urls = new Set();
+    this.name = dtm.name;
+    this.type = ExclusionType[dtm.type];
+    this.rules = new Set(dtm.assess_rules);
+
+    if (dtm.urls.length) {
+      const regexSegments = [];
+      for (const url of dtm.urls) {
+        if (shouldBeRegExp(url)) {
+          regexSegments.push(url);
+        } else {
+          this._urls.add(url);
+        }
+      }
+      if (regexSegments.length) {
+        this._urlRegex = new RegExp(`^${join(regexSegments, '|')}$`);
+      }
+    }
+  }
+
+  /**
+   * Checks whether the current URI path matches any of the exclusion's URL values.
+   * Exclusions that don't match for the current request will not be enabled. The
+   * interpretation of the DTM is that if its urls list is empty, then that means
+   * it should match all requestss (can be the case for input exclusions).
+   * @param {string} uriPath uri to check
+   * @returns {boolean}
+   */
+  matchesUriPath(uriPath) {
+    return (!this._urlRegex && !this._urls.size) ||
+      this._urls.has(uriPath) ||
+      !!this._urlRegex?.test?.(uriPath);
+  }
+}
+
+class InputExclusion extends UrlExclusion {
+  constructor(dtm) {
+    super(dtm);
+    this._inputNameRegex = null;
+    this._inputName = null;
+
+    // dtm.name value is null for BODY and QUERYSTRING types
+    if (dtm.name) {
+      if (shouldBeRegExp(dtm.name)) {
+        this._inputNameRegex = new RegExp(`^${dtm.name}$`);
+      } else {
+        this._inputName = dtm.name;
+      }
+    }
+  }
+
+  /**
+   * Checks if the provided name matches the value from the exclusion dtm.
+   * @param {string} name field name being evaluated
+   * @returns {boolean}
+   */
+  matchesInputName(name) {
+    // BODY and QUERYSTRING always match since they apply broadly
+    if (!this._inputName && !this._inputNameRegex) return true;
+    return this._inputNameRegex ? this._inputNameRegex.test(name) : this._inputName === name;
+  }
+}
+
+function shouldBeRegExp(str) {
+  return str.indexOf('*') > 0 ||
+    str.indexOf('.') > 0 ||
+    str.indexOf('+') > 0 ||
+    str.indexOf('?') > 0 ||
+    str.indexOf('\\') > 0;
+}

package/lib/get-source-context.js

@@ -53,7 +53,7 @@ module.exports = function(core) {
       case InstrumentationType.RULE: {
         const [ruleId] = rest;
         if (!ruleId) break;
-        if (!ctx.policy.enabledRules.has(ruleId) || ruleScopes.isLocked(ruleId)) return null;
+        if (!ctx.policy?.enabledRules?.has?.(ruleId) || ruleScopes.isLocked(ruleId)) return null;
         break;
       }
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.27.0",
+  "version": "1.27.2",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -11,14 +11,14 @@
   "types": "lib/index.d.ts",
   "engines": {
     "npm": ">=6.13.7 <7 || >= 8.3.1",
-    "node": ">= 14.15.0"
+    "node": ">= 14.18.0"
   },
   "scripts": {
     "test": "../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.20.0",
+    "@contrast/common": "1.20.1",
     "@contrast/distringuish": "^4.4.0",
-    "@contrast/scopes": "1.4.0"
+    "@contrast/scopes": "1.4.1"
   }
 }