@contrast/assess 1.62.0 → 1.64.0

package/lib/dataflow/propagation/install/ejs/template.js

@@ -37,7 +37,7 @@ module.exports = function (core) {
   } = core;
 
   /** @type {import('@contrast/rewriter').RewriteOpts} */
-  const REWRITE_OPTS = { isModule: false, inject: false, wrap: false, minify: false };
+  const REWRITE_OPTS = { inject: false, minify: false };
   const WRAPPER_PREFIX = ArrayPrototypeJoin.call([
     'function tempWrapper() {',
     'function __append(s) { if (s !== undefined && s !== null) __output += s }'

package/lib/dataflow/propagation/install/pug/index.js

@@ -17,7 +17,7 @@
 const { patchType } = require('../../common');
 
 /** @type {import('@contrast/rewriter').RewriteOpts} */
-const REWRITE_OPTS = { isModule: false, inject: false, wrap: false, minify: false };
+const REWRITE_OPTS = { inject: false, minify: false };
 
 module.exports = function (core) {
   const store = { lock: true, name: 'assess:propagators:pug-compile' };

package/lib/dataflow/sources/handler.js

@@ -45,24 +45,19 @@ module.exports = Core.makeComponent({
     const logger = core.logger.child({ name: 'contrast:sources' });
 
     sources.createTags = function createTags({ inputType, fieldName = '', value, tagNames }) {
-      if (!value?.length) {
-        return null;
-      }
+      if (!value?.length) return null;
 
       const stop = value.length - 1;
-      const tags = {
-        [DataflowTag.UNTRUSTED]: [0, stop]
-      };
+      const tags = { [DataflowTag.UNTRUSTED]: [0, stop] };
 
-      if (tagNames) {
-        for (const tag of tagNames) {
+      if (tagNames)
+        for (const tag of tagNames)
           tags[tag] = [0, stop];
-        }
-      }
 
-      if (inputType === InputType.HEADER && StringPrototypeToLowerCase.call(fieldName) === 'referer') {
-        tags[DataflowTag.HEADER] = [0, stop];
-      }
+      if (
+        inputType === InputType.HEADER &&
+        StringPrototypeToLowerCase.call(fieldName) === 'referer'
+      ) tags[DataflowTag.HEADER] = [0, stop];
 
       return tags;
     };
@@ -89,14 +84,7 @@ module.exports = Core.makeComponent({
         return null;
       }
 
-      // url exclusion
-      if (!sourceContext.policy) {
-        return null;
-      }
-
-      if (!context) {
-        context = inputType;
-      }
+      if (!context) context = inputType;
 
       const { policy: requestPolicy } = sourceContext;
       const max = config.assess.max_context_source_events;
@@ -111,7 +99,10 @@ module.exports = Core.makeComponent({
       }
 
       function createEvent({ fieldName, pathName, value, excludedRules }) {
-        const tagNames = Array.from(excludedRules).map((ruleId) => `excluded:${ruleId}`);
+        let tagNames;
+        if (excludedRules) {
+          tagNames = Array.from(excludedRules).map((ruleId) => `excluded:${ruleId}`);
+        }
         // create the stacktrace once per call to .handle()
         stack || (stack = sources.createStacktrace(stacktraceOpts));
         return eventFactory.createSourceEvent({
@@ -127,7 +118,10 @@ module.exports = Core.makeComponent({
       }
 
       if (Buffer.isBuffer(data) && !tracker.getData(data)) {
-        const { track, excludedRules } = requestPolicy.getInputPolicy(InputType.BODY);
+        const inputPolicy = requestPolicy.getInputPolicy(InputType.BODY);
+        const track = !!inputPolicy;
+        const excludedRules = inputPolicy?.constructor?.name == 'Set' ? inputPolicy : undefined;
+
         if (!track) {
           core.logger.debug({ inputType }, 'assess input exclusion disabled tracking');
           return;
@@ -149,7 +143,10 @@ module.exports = Core.makeComponent({
           return true;
         }
 
-        const { track, excludedRules } = sourceContext.policy.getInputPolicy(inputType, fieldName);
+        const inputPolicy = sourceContext.policy.getInputPolicy(inputType, fieldName);
+        const track = !!inputPolicy;
+        const excludedRules = inputPolicy?.constructor?.name == 'Set' ? inputPolicy : undefined;
+
         if (!track) {
           core.logger.debug({ fieldName, inputType }, 'assess input exclusion disabling tracking');
           return;

package/lib/get-source-context.js

@@ -53,20 +53,11 @@ function factory(core) {
   core.assess.getPropagatorContext = function getPropagatorContext() {
     if (instrumentation.isLocked()) return null;
 
-    // the following logging used to be done by the caller, but has been moved
-    // here as opposed to overloading `ctx.policy` with a special value so the
-    // caller could determine whether no source context was available or the
-    // request is being intentionally excluded. A negative of this is that the
-    // function name is not available to be included in the log.
     const ctx = sources.getStore()?.assess;
-    if (!ctx) return null;
-
     // there is a context, but if policy is null then assess is intentionally
     // disabled (i.e., url exclusion or the request is not sampled).
-    if (!ctx.policy) {
-      return null;
-    }
-
+    if (!ctx?.policy || ctx?.policy.allowed) return null;
+    // event limits
     if (ctx.propagationEventsCount >= config.assess.max_propagation_events) return null;
 
     return ctx;
@@ -80,13 +71,13 @@ function factory(core) {
     if (instrumentation.isLocked()) return null;
 
     const ctx = sources.getStore()?.assess;
-    if (!ctx) return null;
-
-    if (!ctx.policy) {
-      return null;
-    }
+    if (!ctx?.policy || ctx.policy?.allowed) return null;
+    if (!ruleId) return ctx;
 
-    if (ruleId && !ctx.policy?.enabledRules?.has?.(ruleId) || ruleScopes.isLocked(ruleId)) return null;
+    if (
+      !ctx.policy?.isRuleEnabled?.(ruleId) ||
+      ruleScopes.isLocked(ruleId)
+    ) return null;
 
     return ctx;
   };
@@ -105,10 +96,8 @@ function factory(core) {
       return null;
     }
 
-    if (!ctx.policy) {
-      return null;
-    }
-
+    if (!ctx.policy || ctx.policy.allowed) return null;
+    // event limits
     if (ctx.sourceEventsCount >= config.assess.max_context_source_events) return null;
 
     return ctx;

package/lib/index.js

@@ -60,7 +60,7 @@ module.exports = function assess(core) {
 
   // ancillary tools used by different features
   require('./sampler')(core);
-  require('./get-policy')(core);
+  core.initComponentSync(require('./policy'));
   core.initComponentSync(require('./make-source-context'));
   require('./rule-scopes')(core);
   core.initComponentSync(require('./get-source-context'));

package/lib/make-source-context.js

@@ -36,24 +36,19 @@ function factory(core) {
    * @returns {import('@contrast/assess').SourceContext}
    */
   return core.assess.makeSourceContext = function ({ store, incomingMessage: req }) {
-
     try {
       const ctx = store.assess = {
-        // default policy to `null` until it is set later below. this will cause
-        // all instrumentation to short-circuit, see `./get-source-context.js`.
         policy: null,
       };
-
+      // if assess is disabled or not selected for sampling, the policy will
+      // be null (assess disabled) for lifetime of connection, despite UI updates.
       if (!core.config.getEffectiveValue('assess.enable')) return ctx;
-
-      // check whether sampling allows processing
       ctx.sampleInfo = assess.sampler?.getSampleInfo(store.sourceInfo) ?? null;
       if (ctx.sampleInfo?.canSample === false) return ctx;
 
-      // set policy - can be returned as `null` if request is url-excluded.
-      ctx.policy = assess.getPolicy(store.sourceInfo);
-      if (!ctx.policy) return ctx;
-
+      // assess-enabled policy from current effective config, but
+      // policy is dynamic and will respond to settings updates
+      ctx.policy = assess.policy.getRequestPolicy(store.sourceInfo);
       ctx.propagationEventsCount = 0;
       ctx.sourceEventsCount = 0;
       ctx.responseData = {};

package/lib/policy.js

@@ -0,0 +1,400 @@
+/*
+ * Copyright: 2025 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const {
+  Event,
+  ExclusionType,
+  InputType,
+  Rule,
+  ResponseScanningRule,
+  SessionConfigurationRule,
+  set,
+  primordials: { ArrayPrototypeJoin, RegExpPrototypeTest }
+} = require('@contrast/common');
+const { Core } = require('@contrast/core/lib/ioc/core');
+
+const ASSESS_RULES = Object.values({
+  ...Rule,
+  ...ResponseScanningRule,
+  ...SessionConfigurationRule,
+});
+const BROAD_INPUT_EXCLUSION_TYPES = [
+  ExclusionType.BODY,
+  ExclusionType.QUERYSTRING
+];
+const NAMED_INPUT_EXCLUSION_TYPES = [
+  ExclusionType.COOKIE,
+  ExclusionType.HEADER,
+  ExclusionType.PARAMETER
+];
+const BODY_TYPES = [
+  InputType.BODY,
+  InputType.JSON_VALUE,
+  InputType.JSON_ARRAYED_VALUE,
+  InputType.MULTIPART_CONTENT_TYPE,
+  InputType.MULTIPART_FIELD_NAME,
+  InputType.MULTIPART_NAME,
+  InputType.MULTIPART_VALUE,
+];
+const COMPONENT_NAME = 'assess.policy';
+
+class AssessPolicy {
+  /**
+   * @param {{
+   *  config: import('@contrast/config').Config,
+   *  logger: import('@contrast/logger').Logger,
+   *  messages: import('@contrast/common').Messages,
+   * }} core
+   */
+  constructor(core) {
+    Object.defineProperty(this, 'core', { value: core });
+
+    this.version = Date.now();
+    this.disabledRules = new Set(core.config.getEffectiveValue('assess.rules.disabled_rules'));
+    this.exclusionMap = new Map([
+      [ExclusionType.BODY, []],
+      [ExclusionType.COOKIE, []],
+      [ExclusionType.HEADER, []],
+      [ExclusionType.PARAMETER, []],
+      [ExclusionType.QUERYSTRING, []],
+      [ExclusionType.URL, []],
+    ]);
+
+    core.messages.on(Event.SERVER_SETTINGS_UPDATE, (msg) => {
+      if (!msg.assess && !msg.exclusions) return;
+
+      this.version = Date.now();
+
+      if (msg.assess) {
+        const enabledRules = new Set();
+        this.disabledRules = new Set(core.config.getEffectiveValue('assess.rules.disabled_rules'));
+
+        for (const ruleId of ASSESS_RULES) {
+          const enable = msg.assess[ruleId]?.enable;
+          if (enable === false) {
+            this.disabledRules.add(ruleId);
+            // map to "sub-rules"
+            if (ruleId === Rule.NOSQL_INJECTION) this.disabledRules.add(Rule.NOSQL_INJECTION_MONGO);
+          } else if (enable === true) {
+            enabledRules.add(ruleId);
+            if (ruleId === Rule.NOSQL_INJECTION) enabledRules.add(Rule.NOSQL_INJECTION_MONGO);
+          }
+        }
+        this.core.logger.info({
+          enabledRules,
+          disabledRules: Array.from(this.disabledRules)
+        }, 'Assess policy rules updated');
+      }
+
+      if (msg.exclusions) {
+        for (const arr of this.exclusionMap.values()) arr.length = 0;
+
+        const rawDtmList = [
+          ...(msg?.exclusions?.input || []),
+          ...(msg?.exclusions?.url || []),
+        ].filter((exclusion) => exclusion?.modes?.includes?.('assess'));
+
+        // reset global exclusion state
+        for (const type of Object.values(ExclusionType)) {
+          this.exclusionMap.get(type).length = 0;
+        }
+
+        if (!rawDtmList.length) return;
+
+        for (const dtm of rawDtmList) {
+          // normalize different dtm types
+          dtm.type = dtm.type || 'URL';
+          const { type } = dtm;
+          const key = ExclusionType[type];
+          // defensive code against unanticipated DTM values
+          if (key) {
+            const Ctor = dtm.type === ExclusionType.URL ? UrlExclusion : InputExclusion;
+            this.exclusionMap.get(dtm.type).push(new Ctor(dtm));
+          }
+        }
+
+        this.core.logger.info({
+          exclusions: Object.fromEntries(this.exclusionMap)
+        }, 'Assess exclusions updated (%s total)', rawDtmList.length);
+      }
+    });
+  }
+
+  getRequestPolicy(sourceInfo) {
+    return new RequestPolicy(this.core, sourceInfo);
+  }
+}
+
+class RequestPolicy {
+  /**
+   * @param {{
+   *  config: import('@contrast/config').Config,
+   *  logger: import('@contrast/logger').Logger,
+   *  messages: import('@contrast/common').Messages,
+   * }} core
+   * @param {import('@contrast/common').SourceInfo} sourceInfo
+   */
+  constructor(core, sourceInfo) {
+    Object.defineProperty(this, 'core', { value: core });
+    this.sourceInfo = sourceInfo;
+    this.init();
+  }
+
+  /**
+   * Used to (re)initialize the instance's exclusions, reading from current assess global policy.
+   */
+  init() {
+    const { core, sourceInfo } = this;
+    this.allowed = false;
+    this.version = core.assess.policy.version;
+    this.exclusions = {};
+
+    if (!core.config.getEffectiveValue('assess.enable')) {
+      this.allowed = true;
+      return;
+    }
+
+    // Evaluate URL exclusions.
+    // If one matches and applies to all rules, we set `allowed: true` which will
+    // disable assess for the request (via getSourceContext()). If specific rules are
+    // disabled, we remove them from the request policy's set of enabled rules.
+    for (const urlExclusion of this.core.assess.policy.exclusionMap.get(ExclusionType.URL)) {
+      if (urlExclusion.matchesUriPath(sourceInfo.uriPath)) {
+        if (!urlExclusion.rules?.size) {
+          core.logger.debug({
+            name: urlExclusion.name
+          }, 'All Assess rules have been disabled by URL exclusion');
+          this.allowed = true;
+          // no need to further process exclusions - request will be ignored
+          return;
+        } else {
+          // build as needed
+          if (!this.exclusions.disabledRules) this.exclusions.disabledRules = new Set();
+
+          for (const ruleId of urlExclusion.rules) {
+            this.exclusions.disabledRules.add(ruleId);
+          }
+          core.logger.debug({
+            name: urlExclusion.name,
+            rules: Array.from(urlExclusion.rules),
+          }, 'Assess rules disabled by URL exclusion');
+        }
+      }
+    }
+
+    // Process input exclusions that apply broadly: BODY, QUERYSTRING
+    for (const type of BROAD_INPUT_EXCLUSION_TYPES) {
+      for (const exclusion of core.assess.policy.exclusionMap.get(type)) {
+        if (exclusion.matchesUriPath(sourceInfo.uriPath)) {
+          // build as needed
+          if (!this.exclusions[type]) this.exclusions[type] = { track: true, excludedRules: new Set() };
+          const inputPolicy = this.exclusions[type];
+
+          if (exclusion.rules.size) {
+            for (const ruleId of exclusion.rules) {
+              inputPolicy.excludedRules.add(ruleId);
+            }
+          } else {
+            inputPolicy.track = false;
+            inputPolicy.excludedRules.clear();
+            break;
+          }
+        }
+      }
+    }
+
+    for (const type of NAMED_INPUT_EXCLUSION_TYPES) {
+      for (const exclusion of core.assess.policy.exclusionMap.get(type)) {
+        if (exclusion.matchesUriPath(sourceInfo.uriPath)) {
+          if (!this.exclusions[type]) this.exclusions[type] = [];
+          this.exclusions[type].push(exclusion);
+        }
+      }
+    }
+  }
+
+  /**
+   * Given input type and optional field name will give instructions on how
+   * to track based on global policy and various exclusions that may apply.
+   * @param {} inputType
+   * @param {} fieldName
+   * @returns {boolean|Set<string>} false - do not track
+   *                                true - track
+   *                                Set - track but add tags to exclude these rules
+   */
+  getInputPolicy(inputType, fieldName) {
+    if (this.version < this.core.assess.policy.version) this.init();
+    if (this.allowed) return false; // don't track - request ignored
+
+    let inputRuleExclusions;
+    let excludedRuleIds;
+
+    if (inputType === InputType.HEADER) {
+      inputRuleExclusions = this.exclusions[ExclusionType.HEADER];
+    } else if (inputType === InputType.QUERYSTRING) {
+      if (this.exclusions[ExclusionType.QUERYSTRING]?.track === false) {
+        return false;
+      } else {
+        if (this.exclusions[ExclusionType.QUERYSTRING]?.excludedRules)
+          excludedRuleIds = new Set(this.exclusions[ExclusionType.QUERYSTRING]?.excludedRules);
+        inputRuleExclusions = this.exclusions[ExclusionType.PARAMETER];
+      }
+    } else if (inputType === InputType.URL_PARAMETER) {
+      inputRuleExclusions = this.exclusions[ExclusionType.PARAMETER];
+    } else if ([
+      InputType.COOKIE_NAME,
+      InputType.COOKIE_VALUE
+    ].includes(inputType)) {
+      inputRuleExclusions = this.exclusions[ExclusionType.COOKIE];
+    } else if (BODY_TYPES.includes(inputType)) {
+      if (this.exclusions[ExclusionType.BODY]?.track === false) {
+        return false;
+      } else {
+        inputRuleExclusions = this.exclusions[ExclusionType.PARAMETER];
+      }
+    }
+
+    if (inputRuleExclusions) {
+      for (const exclusion of inputRuleExclusions) {
+        if (exclusion.matchesInputName(fieldName)) {
+          // disables some rules
+          if (exclusion.rules.size) {
+            for (const ruleId of exclusion.rules) {
+              if (!excludedRuleIds) excludedRuleIds = new Set();
+              excludedRuleIds.add(ruleId);
+            }
+          } else {
+            return false; // don't track - all rules disabled
+          }
+        }
+      }
+    }
+
+    if (this.exclusions.disabledRules || excludedRuleIds) {
+      // only URL Exclusions disabled these rules
+      if (!excludedRuleIds) return this.exclusions.disabledRules;
+      // only Input Exclusion disabled these
+      if (!this.exclusions.disabledRules) return excludedRuleIds;
+      // merge since URL Exclusions and Input Exclusions have disabled rules
+      return new Set([...this.exclusions.disabledRules, ...excludedRuleIds]);
+    }
+
+    return true;
+  }
+
+  isRuleEnabled(ruleId) {
+    if (this.version < this.core.assess.policy.version) this.init();
+
+    if (this.allowed) return false;
+
+    return (
+      !this.exclusions.disabledRules?.has?.(ruleId) &&
+      !this.core.assess.policy.disabledRules?.has?.(ruleId)
+    );
+  }
+}
+
+/**
+ * @typedef InputPolicy
+ * @property {boolean} track
+ * @property {Set<Rule>} excludedRules
+ */
+
+class UrlExclusion {
+  constructor(dtm) {
+    this._urlRegex = null;
+    this._urls = new Set();
+    this.name = dtm.name;
+    this.type = ExclusionType[dtm.type];
+    this.rules = new Set(dtm.assess_rules);
+
+    if (dtm.urls.length) {
+      const regexSegments = [];
+      for (const url of dtm.urls) {
+        if (shouldBeRegExp(url)) {
+          regexSegments.push(url);
+        } else {
+          this._urls.add(url);
+        }
+      }
+      if (regexSegments.length) {
+        this._urlRegex = new RegExp(`^${ArrayPrototypeJoin.call(regexSegments, '|')}$`);
+      }
+    }
+  }
+
+  /**
+   * Checks whether the current URI path matches any of the exclusion's URL values.
+   * Exclusions that don't match for the current request will not be enabled. The
+   * interpretation of the DTM is that if its urls list is empty, then that means
+   * it should match all requestss (can be the case for input exclusions).
+   * @param {string} uriPath uri to check
+   * @returns {boolean}
+   */
+  matchesUriPath(uriPath) {
+    return (!this._urlRegex && !this._urls.size) ||
+      this._urls.has(uriPath) ||
+      !!this._urlRegex?.test?.(uriPath);
+  }
+}
+
+class InputExclusion extends UrlExclusion {
+  constructor(dtm) {
+    super(dtm);
+    this._inputNameRegex = null;
+    this._inputName = null;
+
+    // dtm.name value is null for BODY and QUERYSTRING types
+    if (dtm.name) {
+      if (shouldBeRegExp(dtm.name)) {
+        this._inputNameRegex = new RegExp(`^${dtm.name}$`);
+      } else {
+        this._inputName = dtm.name;
+      }
+    }
+  }
+
+  /**
+   * Checks if the provided name matches the value from the exclusion dtm.
+   * @param {string} name field name being evaluated
+   * @returns {boolean}
+   */
+  matchesInputName(name) {
+    // BODY and QUERYSTRING always match since they apply broadly
+    if (!this._inputName && !this._inputNameRegex) return true;
+    return this._inputNameRegex ? RegExpPrototypeTest.call(this._inputNameRegex, name) : this._inputName === name;
+  }
+}
+
+function shouldBeRegExp(str) {
+  return str.indexOf('*') > 0 ||
+    str.indexOf('.') > 0 ||
+    str.indexOf('+') > 0 ||
+    str.indexOf('?') > 0 ||
+    str.indexOf('\\') > 0;
+}
+
+module.exports = Core.makeComponent({
+  name: COMPONENT_NAME,
+  factory(core) {
+    const policy = new AssessPolicy(core);
+    set(core, COMPONENT_NAME, policy);
+    return policy;
+  },
+});
+module.exports.AssessPolicy = AssessPolicy;
+module.exports.RequestPolicy = RequestPolicy;

package/lib/response-scanning/handlers/index.js

@@ -60,7 +60,7 @@ module.exports = function(core) {
 
   responseScanning.handleAutoCompleteMissing = function(sourceContext, resHeaders, resBody) {
     if (
-      !isEnabled(AUTOCOMPLETE_MISSING, sourceContext) ||
+      !sourceContext.policy?.isRuleEnabled(AUTOCOMPLETE_MISSING) ||
       !isHtmlContent(resHeaders)
     ) {
       return;
@@ -91,7 +91,7 @@ module.exports = function(core) {
 
     // de-dupe; this will be re-emitted for parseableBody handlers anyway
     if (
-      !isEnabled(CACHE_CONTROLS_MISSING, sourceContext) ||
+      !sourceContext.policy?.isRuleEnabled(CACHE_CONTROLS_MISSING) ||
       (isParseableResponse(resHeaders) && !resBody)
     ) {
       return;
@@ -139,7 +139,7 @@ module.exports = function(core) {
   };
 
   responseScanning.handleClickJackingControlsMissing = function(sourceContext, resHeaders) {
-    if (!isEnabled(CLICKJACKING_CONTROL_MISSING, sourceContext)) return;
+    if (!sourceContext.policy?.isRuleEnabled(CLICKJACKING_CONTROL_MISSING)) return;
 
     // look for x-frame-options headers with deny or sameorigin
     const xFrameHeaders = resHeaders['x-frame-options'];
@@ -158,7 +158,7 @@ module.exports = function(core) {
   };
 
   responseScanning.handleParameterPollution = function(sourceContext, resBody) {
-    if (!isEnabled(PARAMETER_POLLUTION, sourceContext)) return;
+    if (!sourceContext.policy?.isRuleEnabled(PARAMETER_POLLUTION)) return;
 
     // look for form tag with missing action attribute.
     // ex: <form method="post">..
@@ -189,12 +189,12 @@ module.exports = function(core) {
     const cspHeaders = getCspHeaders(resHeaders);
 
     // Don't report if not set; this report belongs to 'csp-header-missing'
-    if (!cspHeaders && isEnabled(CSP_HEADER_MISSING, sourceContext)) {
+    if (!cspHeaders && sourceContext.policy?.isRuleEnabled(CSP_HEADER_MISSING)) {
       reportFindings(sourceContext, { ruleId: ResponseScanningRule.CSP_HEADER_MISSING });
       return;
     }
 
-    if (!isEnabled(CSP_HEADER_INSECURE, sourceContext)) return;
+    if (!sourceContext.policy?.isRuleEnabled(CSP_HEADER_INSECURE)) return;
 
     const vulnerabilityMetadata = checkCspSources(cspHeaders);
 
@@ -209,7 +209,7 @@ module.exports = function(core) {
   };
 
   responseScanning.handleHstsHeaderMissing = function(sourceContext, resHeaders) {
-    if (!isEnabled(HSTS_HEADER_MISSING, sourceContext)) return;
+    if (!sourceContext?.policy?.isRuleEnabled(HSTS_HEADER_MISSING)) return;
 
     let header = resHeaders['strict-transport-security'];
     let maxAge;
@@ -241,7 +241,7 @@ module.exports = function(core) {
   };
 
   responseScanning.handleXContentTypeHeaderMissing = function(sourceContext, resHeaders) {
-    if (!isEnabled(XCONTENTTYPE_HEADER_MISSING, sourceContext)) return;
+    if (!sourceContext.policy?.isRuleEnabled(XCONTENTTYPE_HEADER_MISSING)) return;
 
     const headerName = 'x-content-type-options';
     let header = resHeaders[headerName];
@@ -262,7 +262,7 @@ module.exports = function(core) {
   };
 
   responseScanning.handleXPoweredByHeader = function(sourceContext, resHeaders) {
-    if (!isEnabled(X_POWERED_BY_HEADER, sourceContext)) return;
+    if (!sourceContext.policy?.isRuleEnabled(X_POWERED_BY_HEADER)) return;
 
     const headerName = 'x-powered-by';
     let header = resHeaders[headerName];
@@ -280,7 +280,7 @@ module.exports = function(core) {
   };
 
   responseScanning.handleXxsProtectionHeaderDisabled = function(sourceContext, responseHeaders) {
-    if (!isEnabled(XXSPROTECTION_HEADER_DISABLED, sourceContext)) return;
+    if (!sourceContext?.policy?.isRuleEnabled(XXSPROTECTION_HEADER_DISABLED)) return;
 
     const header = responseHeaders['x-xss-protection'];
 
@@ -294,9 +294,5 @@ module.exports = function(core) {
     }
   };
 
-  function isEnabled(ruleId, sourceContext) {
-    return !!sourceContext?.policy?.enabledRules?.has?.(ruleId);
-  }
-
   return responseScanning;
 };

package/lib/session-configuration/handlers.js

@@ -67,7 +67,7 @@ module.exports = function (core) {
   function handle(ruleId, sourceContext, cookie, sessionEvent) {
     const state = ensureState(ruleId, sourceContext);
 
-    if (!sourceContext?.policy?.enabledRules?.has?.(ruleId) || state.reported) return;
+    if (sourceContext?.policy?.disabledRules?.has?.(ruleId) || state.reported) return;
 
     for (const value of ensureIterable(cookie)) {
       if (state.valuesAnalyzed.has(value)) continue;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.62.0",
+  "version": "1.64.0",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -21,17 +21,17 @@
   },
   "dependencies": {
     "@contrast/common": "1.37.0",
-    "@contrast/config": "1.52.0",
-    "@contrast/core": "1.57.0",
-    "@contrast/dep-hooks": "1.26.0",
+    "@contrast/config": "1.53.0",
+    "@contrast/core": "1.58.0",
+    "@contrast/dep-hooks": "1.27.0",
     "@contrast/distringuish": "^6.0.2",
-    "@contrast/instrumentation": "1.36.0",
-    "@contrast/logger": "1.30.0",
-    "@contrast/patcher": "1.29.0",
-    "@contrast/rewriter": "1.33.0",
-    "@contrast/route-coverage": "1.49.0",
-    "@contrast/scopes": "1.27.0",
-    "@contrast/sources": "1.3.0",
+    "@contrast/instrumentation": "1.37.0",
+    "@contrast/logger": "1.31.0",
+    "@contrast/patcher": "1.30.0",
+    "@contrast/rewriter": "1.35.0",
+    "@contrast/route-coverage": "1.50.0",
+    "@contrast/scopes": "1.28.0",
+    "@contrast/sources": "1.4.0",
     "semver": "^7.6.0"
   }
 }

package/lib/get-policy.js

@@ -1,336 +0,0 @@
-/*
- * Copyright: 2025 Contrast Security, Inc
- * Contact: support@contrastsecurity.com
- * License: Commercial
-
- * NOTICE: This Software and the patented inventions embodied within may only be
- * used as part of Contrast Security’s commercial offerings. Even though it is
- * made available through public repositories, use of this Software is subject to
- * the applicable End User Licensing Agreement found at
- * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
- * between Contrast Security and the End User. The Software may not be reverse
- * engineered, modified, repackaged, sold, redistributed or otherwise used in a
- * way not consistent with the End User License Agreement.
- */
-
-'use strict';
-
-const {
-  Event,
-  ExclusionType,
-  InputType,
-  Rule,
-  ResponseScanningRule,
-  SessionConfigurationRule,
-  primordials: { ArrayPrototypeJoin, RegExpPrototypeTest }
-} = require('@contrast/common');
-
-const ASSESS_RULES = Object.values({
-  ...Rule,
-  ...ResponseScanningRule,
-  ...SessionConfigurationRule,
-});
-const BROAD_INPUT_EXCLUSION_TYPES = [
-  ExclusionType.BODY,
-  ExclusionType.QUERYSTRING
-];
-const NAMED_INPUT_EXCLUSION_TYPES = [
-  ExclusionType.COOKIE,
-  ExclusionType.HEADER,
-  ExclusionType.PARAMETER
-];
-const BODY_TYPES = [
-  InputType.BODY,
-  InputType.JSON_VALUE,
-  InputType.JSON_ARRAYED_VALUE,
-  InputType.MULTIPART_CONTENT_TYPE,
-  InputType.MULTIPART_FIELD_NAME,
-  InputType.MULTIPART_NAME,
-  InputType.MULTIPART_VALUE,
-];
-const DISABLED_INPUT_POLICY = { track: false };
-
-/**
- * @param {{
- *  config: import('@contrast/config').Config,
- *  logger: import('@contrast/logger').Logger,
- *  messages: import('@contrast/common').Messages,
- * }} core
- * @returns {import('@contrast/common').Installable}
- */
-module.exports = function assess(core) {
-  const { config, logger, messages } = core;
-
-  const globalPolicy = {
-    // by default all rules are enabled
-    enabledRules: new Set(ASSESS_RULES),
-    exclusionMap: new Map([
-      [ExclusionType.BODY, []],
-      [ExclusionType.COOKIE, []],
-      [ExclusionType.HEADER, []],
-      [ExclusionType.PARAMETER, []],
-      [ExclusionType.QUERYSTRING, []],
-      [ExclusionType.URL, []],
-    ]),
-  };
-
-  /**
-   * Subscribe to settings updates and modify global policy accordingly.
-   */
-  messages.on(Event.SERVER_SETTINGS_UPDATE, (msg) => {
-    if (!config.getEffectiveValue('assess.enable')) return;
-
-    if (msg.assess) {
-      for (const ruleId of ASSESS_RULES) {
-        const enable = msg.assess[ruleId]?.enable;
-        if (enable === true) {
-          globalPolicy.enabledRules.add(ruleId);
-          if (ruleId === Rule.NOSQL_INJECTION) globalPolicy.enabledRules.add(Rule.NOSQL_INJECTION_MONGO);
-        } else if (enable === false) {
-          globalPolicy.enabledRules.delete(ruleId);
-          if (ruleId === Rule.NOSQL_INJECTION) globalPolicy.enabledRules.delete(Rule.NOSQL_INJECTION_MONGO);
-        }
-      }
-      logger.info({ enabledRules: Array.from(globalPolicy.enabledRules) }, 'Assess policy enabled rules updated');
-    }
-
-    if (msg.exclusions) {
-      const rawDtmList = [
-        // todo: NODE-3281 input exclusions
-        ...(msg?.exclusions?.input || []),
-        ...(msg?.exclusions?.url || []),
-      ].filter((exclusion) => exclusion?.modes?.includes?.('assess'));
-
-      // reset global exclusion state
-      for (const type of Object.values(ExclusionType)) {
-        globalPolicy.exclusionMap.get(type).length = 0;
-      }
-
-      if (!rawDtmList.length) return;
-
-      for (const dtm of rawDtmList) {
-        // normalize different dtm types
-        dtm.type = dtm.type || 'URL';
-        const { type } = dtm;
-        const key = ExclusionType[type];
-        // defensive code against unanticipated DTM values
-        if (key) {
-          const Ctor = dtm.type === ExclusionType.URL ? UrlExclusion : InputExclusion;
-          globalPolicy.exclusionMap.get(dtm.type).push(new Ctor(dtm));
-        }
-      }
-
-      logger.info({
-        exclusions: Object.fromEntries(globalPolicy.exclusionMap)
-      }, 'Assess exclusions updated (%s total)', rawDtmList.length);
-    }
-  });
-
-  /**
-   * Generates the policy for the current request. We return copy of the global policy
-   * to avoid inconsistent behavior if policy is updated during request handling. In
-   * addition, the request policy is altered to account for any URL or Input exclusions.
-   * @param {string} uriPath
-   */
-  return core.assess.getPolicy = function getPolicy({ uriPath } = {}) {
-    const _enabledRules = new Set(globalPolicy.enabledRules);
-    const exclusionState = {
-      // types that can be disabled broadly
-      [ExclusionType.BODY]: { track: true, excludedRules: new Set() },
-      [ExclusionType.QUERYSTRING]: { track: true, excludedRules: new Set() },
-      // other types we check by name. parameter applies to body and query params
-      [ExclusionType.COOKIE]: [],
-      [ExclusionType.HEADER]: [],
-      [ExclusionType.PARAMETER]: [],
-    };
-
-    // Evaluate URL exclusions.
-    // If one matches and applies to all rules, we return `null` for the policy value, which
-    // will disable assess for the request (via getSourceContext()). If specific rules are
-    // disabled, we remove them from the request policy's set of enabled rules.
-    for (const urlExclusion of globalPolicy.exclusionMap.get(ExclusionType.URL)) {
-      if (urlExclusion.matchesUriPath(uriPath)) {
-        if (!urlExclusion.rules?.size) {
-          core.logger.debug({
-            name: urlExclusion.name
-          }, 'All Assess rules have been disabled by URL exclusion');
-          return null;
-        } else {
-          for (const ruleId of urlExclusion.rules) {
-            _enabledRules.delete(ruleId);
-          }
-          core.logger.debug({
-            name: urlExclusion.name,
-            rules: Array.from(urlExclusion.rules),
-          }, 'Assess rules disabled by URL exclusion');
-        }
-      }
-    }
-
-    // Process input exclusions that apply broadly: BODY, QUERYSTRING
-    for (const type of BROAD_INPUT_EXCLUSION_TYPES) {
-      const _policy = exclusionState[type];
-      for (const exclusion of globalPolicy.exclusionMap.get(type)) {
-        if (exclusion.matchesUriPath(uriPath)) {
-          if (exclusion.rules.size) {
-            for (const ruleId of exclusion.rules) {
-              _policy.excludedRules.add(ruleId);
-            }
-          } else {
-            _policy.track = false;
-            _policy.excludedRules.clear();
-            break;
-          }
-        }
-      }
-    }
-    // Filter input exclusions that will be used to get named input
-    // policies: COOKIE, HEADER, PARAMETER
-    for (const type of NAMED_INPUT_EXCLUSION_TYPES) {
-      for (const exclusion of globalPolicy.exclusionMap.get(type)) {
-        if (exclusion.matchesUriPath(uriPath)) {
-          exclusionState[type].push(exclusion);
-        }
-      }
-    }
-
-    return {
-      /**
-       * Enabled rules filtered by any applicable URL exclusions
-       */
-      enabledRules: _enabledRules,
-      /**
-       * Used by source handler to get policy information for specific named inputs.
-       * @param {InputType} inputType
-       * @param {string} [fieldName]
-       * @returns {InputPolicy}
-       */
-      getInputPolicy(inputType, fieldName) {
-        let exclusionsByType;
-        const inputPolicy = { track: true, excludedRules: new Set() };
-
-        const isBody = BODY_TYPES.includes(inputType);
-
-        if (isBody || inputType === InputType.QUERYSTRING) {
-          // these can be disabled broadly
-          const _policy = exclusionState[isBody ? ExclusionType.BODY : ExclusionType.QUERYSTRING];
-          if (!_policy.track) {
-            return DISABLED_INPUT_POLICY;
-          }
-          for (const ruleId of _policy.excludedRules) {
-            inputPolicy.excludedRules.add(ruleId);
-          }
-          exclusionsByType = exclusionState[ExclusionType.PARAMETER];
-        } else if (inputType === InputType.URL_PARAMETER) {
-          exclusionsByType = exclusionState[ExclusionType.PARAMETER];
-        } else if (inputType === InputType.HEADER) {
-          exclusionsByType = exclusionState[ExclusionType.HEADER];
-        } else if ([
-          InputType.COOKIE_NAME,
-          InputType.COOKIE_VALUE
-        ].includes(inputType)) {
-          exclusionsByType = exclusionState[ExclusionType.COOKIE];
-        }
-
-        if (!exclusionsByType) {
-          return inputPolicy;
-        }
-
-        // check input name
-        for (const exclusion of exclusionsByType) {
-          if (exclusion.matchesInputName(fieldName)) {
-            if (exclusion.rules.size) {
-              for (const ruleId of exclusion.rules) {
-                inputPolicy.excludedRules.add(ruleId);
-              }
-            } else {
-              return DISABLED_INPUT_POLICY;
-            }
-          }
-        }
-
-        return inputPolicy;
-      },
-    };
-  };
-};
-
-/**
- * @typedef InputPolicy
- * @property {boolean} track
- * @property {Set<Rule>} excludedRules
- */
-
-class UrlExclusion {
-  constructor(dtm) {
-    this._urlRegex = null;
-    this._urls = new Set();
-    this.name = dtm.name;
-    this.type = ExclusionType[dtm.type];
-    this.rules = new Set(dtm.assess_rules);
-
-    if (dtm.urls.length) {
-      const regexSegments = [];
-      for (const url of dtm.urls) {
-        if (shouldBeRegExp(url)) {
-          regexSegments.push(url);
-        } else {
-          this._urls.add(url);
-        }
-      }
-      if (regexSegments.length) {
-        this._urlRegex = new RegExp(`^${ArrayPrototypeJoin.call(regexSegments, '|')}$`);
-      }
-    }
-  }
-
-  /**
-   * Checks whether the current URI path matches any of the exclusion's URL values.
-   * Exclusions that don't match for the current request will not be enabled. The
-   * interpretation of the DTM is that if its urls list is empty, then that means
-   * it should match all requestss (can be the case for input exclusions).
-   * @param {string} uriPath uri to check
-   * @returns {boolean}
-   */
-  matchesUriPath(uriPath) {
-    return (!this._urlRegex && !this._urls.size) ||
-      this._urls.has(uriPath) ||
-      !!this._urlRegex?.test?.(uriPath);
-  }
-}
-
-class InputExclusion extends UrlExclusion {
-  constructor(dtm) {
-    super(dtm);
-    this._inputNameRegex = null;
-    this._inputName = null;
-
-    // dtm.name value is null for BODY and QUERYSTRING types
-    if (dtm.name) {
-      if (shouldBeRegExp(dtm.name)) {
-        this._inputNameRegex = new RegExp(`^${dtm.name}$`);
-      } else {
-        this._inputName = dtm.name;
-      }
-    }
-  }
-
-  /**
-   * Checks if the provided name matches the value from the exclusion dtm.
-   * @param {string} name field name being evaluated
-   * @returns {boolean}
-   */
-  matchesInputName(name) {
-    // BODY and QUERYSTRING always match since they apply broadly
-    if (!this._inputName && !this._inputNameRegex) return true;
-    return this._inputNameRegex ? RegExpPrototypeTest.call(this._inputNameRegex, name) : this._inputName === name;
-  }
-}
-
-function shouldBeRegExp(str) {
-  return str.indexOf('*') > 0 ||
-    str.indexOf('.') > 0 ||
-    str.indexOf('+') > 0 ||
-    str.indexOf('?') > 0 ||
-    str.indexOf('\\') > 0;
-}