@contrast/assess 1.63.0 → 1.65.0

package/lib/get-policy.js

@@ -1,336 +0,0 @@
-/*
- * Copyright: 2025 Contrast Security, Inc
- * Contact: support@contrastsecurity.com
- * License: Commercial
-
- * NOTICE: This Software and the patented inventions embodied within may only be
- * used as part of Contrast Security’s commercial offerings. Even though it is
- * made available through public repositories, use of this Software is subject to
- * the applicable End User Licensing Agreement found at
- * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
- * between Contrast Security and the End User. The Software may not be reverse
- * engineered, modified, repackaged, sold, redistributed or otherwise used in a
- * way not consistent with the End User License Agreement.
- */
-
-'use strict';
-
-const {
-  Event,
-  ExclusionType,
-  InputType,
-  Rule,
-  ResponseScanningRule,
-  SessionConfigurationRule,
-  primordials: { ArrayPrototypeJoin, RegExpPrototypeTest }
-} = require('@contrast/common');
-
-const ASSESS_RULES = Object.values({
-  ...Rule,
-  ...ResponseScanningRule,
-  ...SessionConfigurationRule,
-});
-const BROAD_INPUT_EXCLUSION_TYPES = [
-  ExclusionType.BODY,
-  ExclusionType.QUERYSTRING
-];
-const NAMED_INPUT_EXCLUSION_TYPES = [
-  ExclusionType.COOKIE,
-  ExclusionType.HEADER,
-  ExclusionType.PARAMETER
-];
-const BODY_TYPES = [
-  InputType.BODY,
-  InputType.JSON_VALUE,
-  InputType.JSON_ARRAYED_VALUE,
-  InputType.MULTIPART_CONTENT_TYPE,
-  InputType.MULTIPART_FIELD_NAME,
-  InputType.MULTIPART_NAME,
-  InputType.MULTIPART_VALUE,
-];
-const DISABLED_INPUT_POLICY = { track: false };
-
-/**
- * @param {{
- *  config: import('@contrast/config').Config,
- *  logger: import('@contrast/logger').Logger,
- *  messages: import('@contrast/common').Messages,
- * }} core
- * @returns {import('@contrast/common').Installable}
- */
-module.exports = function assess(core) {
-  const { config, logger, messages } = core;
-
-  const globalPolicy = {
-    // by default all rules are enabled
-    enabledRules: new Set(ASSESS_RULES),
-    exclusionMap: new Map([
-      [ExclusionType.BODY, []],
-      [ExclusionType.COOKIE, []],
-      [ExclusionType.HEADER, []],
-      [ExclusionType.PARAMETER, []],
-      [ExclusionType.QUERYSTRING, []],
-      [ExclusionType.URL, []],
-    ]),
-  };
-
-  /**
-   * Subscribe to settings updates and modify global policy accordingly.
-   */
-  messages.on(Event.SERVER_SETTINGS_UPDATE, (msg) => {
-    if (!config.getEffectiveValue('assess.enable')) return;
-
-    if (msg.assess) {
-      for (const ruleId of ASSESS_RULES) {
-        const enable = msg.assess[ruleId]?.enable;
-        if (enable === true) {
-          globalPolicy.enabledRules.add(ruleId);
-          if (ruleId === Rule.NOSQL_INJECTION) globalPolicy.enabledRules.add(Rule.NOSQL_INJECTION_MONGO);
-        } else if (enable === false) {
-          globalPolicy.enabledRules.delete(ruleId);
-          if (ruleId === Rule.NOSQL_INJECTION) globalPolicy.enabledRules.delete(Rule.NOSQL_INJECTION_MONGO);
-        }
-      }
-      logger.info({ enabledRules: Array.from(globalPolicy.enabledRules) }, 'Assess policy enabled rules updated');
-    }
-
-    if (msg.exclusions) {
-      const rawDtmList = [
-        // todo: NODE-3281 input exclusions
-        ...(msg?.exclusions?.input || []),
-        ...(msg?.exclusions?.url || []),
-      ].filter((exclusion) => exclusion?.modes?.includes?.('assess'));
-
-      // reset global exclusion state
-      for (const type of Object.values(ExclusionType)) {
-        globalPolicy.exclusionMap.get(type).length = 0;
-      }
-
-      if (!rawDtmList.length) return;
-
-      for (const dtm of rawDtmList) {
-        // normalize different dtm types
-        dtm.type = dtm.type || 'URL';
-        const { type } = dtm;
-        const key = ExclusionType[type];
-        // defensive code against unanticipated DTM values
-        if (key) {
-          const Ctor = dtm.type === ExclusionType.URL ? UrlExclusion : InputExclusion;
-          globalPolicy.exclusionMap.get(dtm.type).push(new Ctor(dtm));
-        }
-      }
-
-      logger.info({
-        exclusions: Object.fromEntries(globalPolicy.exclusionMap)
-      }, 'Assess exclusions updated (%s total)', rawDtmList.length);
-    }
-  });
-
-  /**
-   * Generates the policy for the current request. We return copy of the global policy
-   * to avoid inconsistent behavior if policy is updated during request handling. In
-   * addition, the request policy is altered to account for any URL or Input exclusions.
-   * @param {string} uriPath
-   */
-  return core.assess.getPolicy = function getPolicy({ uriPath } = {}) {
-    const _enabledRules = new Set(globalPolicy.enabledRules);
-    const exclusionState = {
-      // types that can be disabled broadly
-      [ExclusionType.BODY]: { track: true, excludedRules: new Set() },
-      [ExclusionType.QUERYSTRING]: { track: true, excludedRules: new Set() },
-      // other types we check by name. parameter applies to body and query params
-      [ExclusionType.COOKIE]: [],
-      [ExclusionType.HEADER]: [],
-      [ExclusionType.PARAMETER]: [],
-    };
-
-    // Evaluate URL exclusions.
-    // If one matches and applies to all rules, we return `null` for the policy value, which
-    // will disable assess for the request (via getSourceContext()). If specific rules are
-    // disabled, we remove them from the request policy's set of enabled rules.
-    for (const urlExclusion of globalPolicy.exclusionMap.get(ExclusionType.URL)) {
-      if (urlExclusion.matchesUriPath(uriPath)) {
-        if (!urlExclusion.rules?.size) {
-          core.logger.debug({
-            name: urlExclusion.name
-          }, 'All Assess rules have been disabled by URL exclusion');
-          return null;
-        } else {
-          for (const ruleId of urlExclusion.rules) {
-            _enabledRules.delete(ruleId);
-          }
-          core.logger.debug({
-            name: urlExclusion.name,
-            rules: Array.from(urlExclusion.rules),
-          }, 'Assess rules disabled by URL exclusion');
-        }
-      }
-    }
-
-    // Process input exclusions that apply broadly: BODY, QUERYSTRING
-    for (const type of BROAD_INPUT_EXCLUSION_TYPES) {
-      const _policy = exclusionState[type];
-      for (const exclusion of globalPolicy.exclusionMap.get(type)) {
-        if (exclusion.matchesUriPath(uriPath)) {
-          if (exclusion.rules.size) {
-            for (const ruleId of exclusion.rules) {
-              _policy.excludedRules.add(ruleId);
-            }
-          } else {
-            _policy.track = false;
-            _policy.excludedRules.clear();
-            break;
-          }
-        }
-      }
-    }
-    // Filter input exclusions that will be used to get named input
-    // policies: COOKIE, HEADER, PARAMETER
-    for (const type of NAMED_INPUT_EXCLUSION_TYPES) {
-      for (const exclusion of globalPolicy.exclusionMap.get(type)) {
-        if (exclusion.matchesUriPath(uriPath)) {
-          exclusionState[type].push(exclusion);
-        }
-      }
-    }
-
-    return {
-      /**
-       * Enabled rules filtered by any applicable URL exclusions
-       */
-      enabledRules: _enabledRules,
-      /**
-       * Used by source handler to get policy information for specific named inputs.
-       * @param {InputType} inputType
-       * @param {string} [fieldName]
-       * @returns {InputPolicy}
-       */
-      getInputPolicy(inputType, fieldName) {
-        let exclusionsByType;
-        const inputPolicy = { track: true, excludedRules: new Set() };
-
-        const isBody = BODY_TYPES.includes(inputType);
-
-        if (isBody || inputType === InputType.QUERYSTRING) {
-          // these can be disabled broadly
-          const _policy = exclusionState[isBody ? ExclusionType.BODY : ExclusionType.QUERYSTRING];
-          if (!_policy.track) {
-            return DISABLED_INPUT_POLICY;
-          }
-          for (const ruleId of _policy.excludedRules) {
-            inputPolicy.excludedRules.add(ruleId);
-          }
-          exclusionsByType = exclusionState[ExclusionType.PARAMETER];
-        } else if (inputType === InputType.URL_PARAMETER) {
-          exclusionsByType = exclusionState[ExclusionType.PARAMETER];
-        } else if (inputType === InputType.HEADER) {
-          exclusionsByType = exclusionState[ExclusionType.HEADER];
-        } else if ([
-          InputType.COOKIE_NAME,
-          InputType.COOKIE_VALUE
-        ].includes(inputType)) {
-          exclusionsByType = exclusionState[ExclusionType.COOKIE];
-        }
-
-        if (!exclusionsByType) {
-          return inputPolicy;
-        }
-
-        // check input name
-        for (const exclusion of exclusionsByType) {
-          if (exclusion.matchesInputName(fieldName)) {
-            if (exclusion.rules.size) {
-              for (const ruleId of exclusion.rules) {
-                inputPolicy.excludedRules.add(ruleId);
-              }
-            } else {
-              return DISABLED_INPUT_POLICY;
-            }
-          }
-        }
-
-        return inputPolicy;
-      },
-    };
-  };
-};
-
-/**
- * @typedef InputPolicy
- * @property {boolean} track
- * @property {Set<Rule>} excludedRules
- */
-
-class UrlExclusion {
-  constructor(dtm) {
-    this._urlRegex = null;
-    this._urls = new Set();
-    this.name = dtm.name;
-    this.type = ExclusionType[dtm.type];
-    this.rules = new Set(dtm.assess_rules);
-
-    if (dtm.urls.length) {
-      const regexSegments = [];
-      for (const url of dtm.urls) {
-        if (shouldBeRegExp(url)) {
-          regexSegments.push(url);
-        } else {
-          this._urls.add(url);
-        }
-      }
-      if (regexSegments.length) {
-        this._urlRegex = new RegExp(`^${ArrayPrototypeJoin.call(regexSegments, '|')}$`);
-      }
-    }
-  }
-
-  /**
-   * Checks whether the current URI path matches any of the exclusion's URL values.
-   * Exclusions that don't match for the current request will not be enabled. The
-   * interpretation of the DTM is that if its urls list is empty, then that means
-   * it should match all requestss (can be the case for input exclusions).
-   * @param {string} uriPath uri to check
-   * @returns {boolean}
-   */
-  matchesUriPath(uriPath) {
-    return (!this._urlRegex && !this._urls.size) ||
-      this._urls.has(uriPath) ||
-      !!this._urlRegex?.test?.(uriPath);
-  }
-}
-
-class InputExclusion extends UrlExclusion {
-  constructor(dtm) {
-    super(dtm);
-    this._inputNameRegex = null;
-    this._inputName = null;
-
-    // dtm.name value is null for BODY and QUERYSTRING types
-    if (dtm.name) {
-      if (shouldBeRegExp(dtm.name)) {
-        this._inputNameRegex = new RegExp(`^${dtm.name}$`);
-      } else {
-        this._inputName = dtm.name;
-      }
-    }
-  }
-
-  /**
-   * Checks if the provided name matches the value from the exclusion dtm.
-   * @param {string} name field name being evaluated
-   * @returns {boolean}
-   */
-  matchesInputName(name) {
-    // BODY and QUERYSTRING always match since they apply broadly
-    if (!this._inputName && !this._inputNameRegex) return true;
-    return this._inputNameRegex ? RegExpPrototypeTest.call(this._inputNameRegex, name) : this._inputName === name;
-  }
-}
-
-function shouldBeRegExp(str) {
-  return str.indexOf('*') > 0 ||
-    str.indexOf('.') > 0 ||
-    str.indexOf('+') > 0 ||
-    str.indexOf('?') > 0 ||
-    str.indexOf('\\') > 0;
-}