@contrast/assess 1.27.1 → 1.27.2

package/lib/dataflow/sources/install/http.js

@@ -102,6 +102,21 @@ module.exports = function (core) {
         sourceContext: store.assess
       };
 
+      // track the headers and the url.
+      //
+      // note that req.headers and req.headersDistinct are now (as of v15.1.0)
+      // lazily computed using an accessor property.
+      //
+      // there is no need to track headersDistinct because they are not
+      // referenced prior to this point. and, when they are referenced, node
+      // populates them with references to the (what will be after code below)
+      // already-tracked values in rawHeaders. But headers have already been
+      // referenced by node before the 'request' event is emitted by the server,
+      // so headers need to be tracked independently of rawHeaders. The way
+      // node handles the headers is convoluted; it's easier/safer to track the
+      // headers as they are. An attacker could use knowledge of node's handling
+      // to craft their attack.
+      //
       [
         {
           context: 'req.headers',
@@ -117,18 +132,57 @@ module.exports = function (core) {
           ...sourceInfo,
         }
       ].forEach((sourceData) => {
-        const { inputType } = sourceData;
         try {
           dataflow.sources.handle(sourceData);
         } catch (err) {
+          const { inputType } = sourceData;
           logger.error({ err, inputType, sourceName }, 'unable to handle http source');
         }
       });
 
-      for (let i = 0; i < req.rawHeaders.length; i += 2) {
-        const header = toLowerCase(req.rawHeaders[i]);
-        req.rawHeaders[i + 1] = req.headers[header];
+
+      //
+      // now track the rawHeaders. headers are complicated because they appear
+      // three times: headers, headersDistinct, and rawHeaders and we want to
+      // create only one event per header value. that turns out not to be as
+      // easy/possible as it sounds, due to the way node handles req.headers.
+      //
+      // see node's lib/_http_incoming.js for details. interesting optimizations
+      // and quirky handling per the RFC. some duplicate headers are joined by
+      // default, some are not.
+      //
+      // but we have to track rawHeaders. they are copied to a separate array
+      // because the dataflow.sources.handle() doesn't know about an array where
+      // only odd indexes are to be tracked.
+      //
+      // even though we could track the rawHeaders' keys, we don't because they
+      // are not used by any application that i'm aware of. it's easy enough to
+      // add here if we find there is an edge case where the application bypasses
+      // headers and headersDistinct and uses rawHeaders directly.
+      //
+      const headerValues = [];
+      for (let i = 1; i < req.rawHeaders.length; i += 2) {
+        headerValues.push(req.rawHeaders[i]);
+      }
+
+      try {
+        dataflow.sources.handle({
+          context: 'req.headers',
+          inputType: InputType.HEADER,
+          data: headerValues,
+          ...sourceInfo,
+        });
+      } catch (err) {
+        logger.error({ err, inputType: InputType.HEADER, sourceName }, 'unable to handle http source');
       }
+
+      //
+      // now that the raw headers are tracked, put each tracked value back
+      //
+      for (let i = 0; i < headerValues.length; i++) {
+        req.rawHeaders[(i << 1) + 1] = headerValues[i];
+      }
+
     } catch (err) {
       logger.error({ err, funcKey: data.funcKey }, 'Error during Assess request handling');
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.27.1",
+  "version": "1.27.2",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",