@contrast/common 1.0.1 → 1.1.0

package/lib/constants.d.ts

@@ -1,6 +1,7 @@
 export declare enum Event {
     ASSESS = "assess",
-    PROTECT = "protect"
+    PROTECT = "protect",
+    SERVER_SETTINGS_UPDATE = "server-settings-update"
 }
 export declare enum Rule {
     BOT_BLOCKER = "bot-blocker",
@@ -21,3 +22,28 @@ export declare enum Rule {
     UNSAFE_FILE_UPLOAD = "unsafe-file-upload",
     XXE = "xxe"
 }
+export declare enum InputType {
+    UNDEFINED_TYPE = "UNDEFINED_TYPE",
+    BODY = "BODY",
+    COOKIE_NAME = "COOKIE_NAME",
+    COOKIE_VALUE = "COOKIE_VALUE",
+    HEADER = "HEADER",
+    PARAMETER_NAME = "PARAMETER_NAME",
+    PARAMETER_VALUE = "PARAMETER_VALUE",
+    QUERYSTRING = "QUERYSTRING",
+    URI = "URI",
+    SOCKET = "SOCKET",
+    JSON_VALUE = "JSON_VALUE",
+    JSON_ARRAYED_VALUE = "JSON_ARRAYED_VALUE",
+    MULTIPART_CONTENT_TYPE = "MULTIPART_CONTENT_TYPE",
+    MULTIPART_VALUE = "MULTIPART_VALUE",
+    MULTIPART_FIELD_NAME = "MULTIPART_FIELD_NAME",
+    MULTIPART_NAME = "MULTIPART_NAME",
+    XML_VALUE = "XML_VALUE",
+    DWR_VALUE = "DWR_VALUE",
+    METHOD = "METHOD",
+    REQUEST = "REQUEST",
+    URL_PARAMETER = "URL_PARAMETER",
+    UNKNOWN = "UNKNOWN"
+}
+export declare const BLOCKING_MODES: string[];

package/lib/constants.js

@@ -1,10 +1,25 @@
 "use strict";
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.Rule = exports.Event = void 0;
+exports.BLOCKING_MODES = exports.InputType = exports.Rule = exports.Event = void 0;
 var Event;
 (function (Event) {
     Event["ASSESS"] = "assess";
     Event["PROTECT"] = "protect";
+    Event["SERVER_SETTINGS_UPDATE"] = "server-settings-update";
 })(Event = exports.Event || (exports.Event = {}));
 var Rule;
 (function (Rule) {
@@ -26,4 +41,30 @@ var Rule;
     Rule["UNSAFE_FILE_UPLOAD"] = "unsafe-file-upload";
     Rule["XXE"] = "xxe";
 })(Rule = exports.Rule || (exports.Rule = {}));
+var InputType;
+(function (InputType) {
+    InputType["UNDEFINED_TYPE"] = "UNDEFINED_TYPE";
+    InputType["BODY"] = "BODY";
+    InputType["COOKIE_NAME"] = "COOKIE_NAME";
+    InputType["COOKIE_VALUE"] = "COOKIE_VALUE";
+    InputType["HEADER"] = "HEADER";
+    InputType["PARAMETER_NAME"] = "PARAMETER_NAME";
+    InputType["PARAMETER_VALUE"] = "PARAMETER_VALUE";
+    InputType["QUERYSTRING"] = "QUERYSTRING";
+    InputType["URI"] = "URI";
+    InputType["SOCKET"] = "SOCKET";
+    InputType["JSON_VALUE"] = "JSON_VALUE";
+    InputType["JSON_ARRAYED_VALUE"] = "JSON_ARRAYED_VALUE";
+    InputType["MULTIPART_CONTENT_TYPE"] = "MULTIPART_CONTENT_TYPE";
+    InputType["MULTIPART_VALUE"] = "MULTIPART_VALUE";
+    InputType["MULTIPART_FIELD_NAME"] = "MULTIPART_FIELD_NAME";
+    InputType["MULTIPART_NAME"] = "MULTIPART_NAME";
+    InputType["XML_VALUE"] = "XML_VALUE";
+    InputType["DWR_VALUE"] = "DWR_VALUE";
+    InputType["METHOD"] = "METHOD";
+    InputType["REQUEST"] = "REQUEST";
+    InputType["URL_PARAMETER"] = "URL_PARAMETER";
+    InputType["UNKNOWN"] = "UNKNOWN";
+})(InputType = exports.InputType || (exports.InputType = {}));
+exports.BLOCKING_MODES = ['block', 'block_at_perimeter'];
 //# sourceMappingURL=constants.js.map

package/lib/constants.js.map

@@ -1 +1 @@
-{"version":3,"file":"constants.js","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":";;;AAAA,IAAY,KAGX;AAHD,WAAY,KAAK;IACf,0BAAiB,CAAA;IACjB,4BAAmB,CAAA;AACrB,CAAC,EAHW,KAAK,GAAL,aAAK,KAAL,aAAK,QAGhB;AAED,IAAY,IAkBX;AAlBD,WAAY,IAAI;IACd,mCAA2B,CAAA;IAC3B,uCAA+B,CAAA;IAC/B,2EAAmE,CAAA;IACnE,2FAAmF,CAAA;IACnF,yFAAiF,CAAA;IACjF,mCAA2B,CAAA;IAC3B,6CAAqC,CAAA;IACrC,2CAAmC,CAAA;IACnC,uDAA+C,CAAA;IAC/C,yCAAiC,CAAA;IACjC,uCAA+B,CAAA;IAC/B,uCAA+B,CAAA;IAC/B,yCAAiC,CAAA;IACjC,uCAA+B,CAAA;IAC/B,+DAAuD,CAAA;IACvD,iDAAyC,CAAA;IACzC,mBAAW,CAAA;AACb,CAAC,EAlBW,IAAI,GAAJ,YAAI,KAAJ,YAAI,QAkBf"}
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;AAEH,IAAY,KAIX;AAJD,WAAY,KAAK;IACf,0BAAiB,CAAA;IACjB,4BAAmB,CAAA;IACnB,0DAAiD,CAAA;AACnD,CAAC,EAJW,KAAK,GAAL,aAAK,KAAL,aAAK,QAIhB;AAED,IAAY,IAkBX;AAlBD,WAAY,IAAI;IACd,mCAA2B,CAAA;IAC3B,uCAA+B,CAAA;IAC/B,2EAAmE,CAAA;IACnE,2FAAmF,CAAA;IACnF,yFAAiF,CAAA;IACjF,mCAA2B,CAAA;IAC3B,6CAAqC,CAAA;IACrC,2CAAmC,CAAA;IACnC,uDAA+C,CAAA;IAC/C,yCAAiC,CAAA;IACjC,uCAA+B,CAAA;IAC/B,uCAA+B,CAAA;IAC/B,yCAAiC,CAAA;IACjC,uCAA+B,CAAA;IAC/B,+DAAuD,CAAA;IACvD,iDAAyC,CAAA;IACzC,mBAAW,CAAA;AACb,CAAC,EAlBW,IAAI,GAAJ,YAAI,KAAJ,YAAI,QAkBf;AAED,IAAY,SAuBX;AAvBD,WAAY,SAAS;IACnB,8CAAiC,CAAA;IACjC,0BAAa,CAAA;IACb,wCAA2B,CAAA;IAC3B,0CAA6B,CAAA;IAC7B,8BAAiB,CAAA;IACjB,8CAAiC,CAAA;IACjC,gDAAmC,CAAA;IACnC,wCAA2B,CAAA;IAC3B,wBAAW,CAAA;IACX,8BAAiB,CAAA;IACjB,sCAAyB,CAAA;IACzB,sDAAyC,CAAA;IACzC,8DAAiD,CAAA;IACjD,gDAAmC,CAAA;IACnC,0DAA6C,CAAA;IAC7C,8CAAiC,CAAA;IACjC,oCAAuB,CAAA;IACvB,oCAAuB,CAAA;IACvB,8BAAiB,CAAA;IACjB,gCAAmB,CAAA;IACnB,4CAA+B,CAAA;IAC/B,gCAAmB,CAAA;AACrB,CAAC,EAvBW,SAAS,GAAT,iBAAS,KAAT,iBAAS,QAuBpB;AAEY,QAAA,cAAc,GAAG,CAAC,OAAO,EAAE,oBAAoB,CAAC,CAAC"}

package/lib/index.d.ts

@@ -5,4 +5,6 @@ export * from './types';
  * String object.
  */
 export declare function isString(value: unknown): value is string | String;
+export declare function isNonEmptyObject(value: unknown): value is object;
 export declare function encodeString(str: string): string;
+export declare function simpleTraverse(obj: any, cb: Function): void;

package/lib/index.js

@@ -1,4 +1,18 @@
 "use strict";
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
     var desc = Object.getOwnPropertyDescriptor(m, k);
@@ -14,7 +28,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.encodeString = exports.isString = void 0;
+exports.simpleTraverse = exports.encodeString = exports.isNonEmptyObject = exports.isString = void 0;
 __exportStar(require("./constants"), exports);
 __exportStar(require("./types"), exports);
 /**
@@ -26,8 +40,55 @@ function isString(value) {
     return typeof value === 'string' || value instanceof String;
 }
 exports.isString = isString;
+function isNonEmptyObject(value) {
+    return !!value && typeof value === 'object' && Object.keys(value).length > 0;
+}
+exports.isNonEmptyObject = isNonEmptyObject;
+/* c8 ignore next 3 */
 function encodeString(str) {
     return Buffer.from(str).toString('base64');
 }
 exports.encodeString = encodeString;
+function simpleTraverse(obj, cb) {
+    if (typeof obj !== 'object' || obj === null) {
+        return;
+    }
+    const path = [];
+    /* eslint-disable complexity */
+    function traverse(obj) {
+        const isArray = Array.isArray(obj);
+        for (const k in obj) {
+            if (isArray) {
+                const _k = Number(k);
+                // if it is an array, store each index in path but don't call the
+                // callback on the index itself as they are just numeric strings.
+                path.push(_k);
+                if (typeof obj[_k] === 'object' && obj[_k] !== null) {
+                    traverse(obj[_k]);
+                }
+                else if (typeof obj[_k] === 'string' && obj[_k]) {
+                    cb(path, 'Value', obj[_k], obj);
+                }
+                path.pop();
+            }
+            else if (typeof obj[k] === 'object' && obj[k] !== null) {
+                cb(path, 'Key', k, obj);
+                path.push(k);
+                traverse(obj[k]);
+                path.pop();
+            }
+            else {
+                cb(path, 'Key', k, obj);
+                // only callback if the value is a non-empty string
+                if (typeof obj[k] === 'string' && obj[k]) {
+                    path.push(k);
+                    cb(path, 'Value', obj[k], obj);
+                    path.pop();
+                }
+            }
+        }
+    }
+    traverse(obj);
+}
+exports.simpleTraverse = simpleTraverse;
 //# sourceMappingURL=index.js.map

package/lib/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAAA,8CAA4B;AAC5B,0CAAwB;AAExB;;;GAGG;AACH,wDAAwD;AACxD,SAAgB,QAAQ,CAAC,KAAc;IACrC,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,YAAY,MAAM,CAAC;AAC9D,CAAC;AAFD,4BAEC;AAED,SAAgB,YAAY,CAAC,GAAW;IACtC,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AAC7C,CAAC;AAFD,oCAEC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;;;;;;;;;;;;;;;AAEH,8CAA4B;AAC5B,0CAAwB;AAExB;;;GAGG;AACH,wDAAwD;AACxD,SAAgB,QAAQ,CAAC,KAAc;IACrC,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,YAAY,MAAM,CAAC;AAC9D,CAAC;AAFD,4BAEC;AAED,SAAgB,gBAAgB,CAAC,KAAc;IAC7C,OAAO,CAAC,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;AAC/E,CAAC;AAFD,4CAEC;AAED,sBAAsB;AACtB,SAAgB,YAAY,CAAC,GAAW;IACtC,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AAC7C,CAAC;AAFD,oCAEC;AAED,SAAgB,cAAc,CAAC,GAAQ,EAAE,EAAY;IACnD,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,EAAE;QAC3C,OAAO;KACR;IACD,MAAM,IAAI,GAAU,EAAE,CAAC;IACvB,+BAA+B;IAC/B,SAAS,QAAQ,CAAC,GAAQ;QACxB,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACnC,KAAK,MAAM,CAAC,IAAI,GAAG,EAAE;YACnB,IAAI,OAAO,EAAE;gBACX,MAAM,EAAE,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;gBACrB,iEAAiE;gBACjE,iEAAiE;gBACjE,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;gBACd,IAAI,OAAO,GAAG,CAAC,EAAE,CAAC,KAAK,QAAQ,IAAI,GAAG,CAAC,EAAE,CAAC,KAAK,IAAI,EAAE;oBACnD,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;iBACnB;qBAAM,IAAI,OAAO,GAAG,CAAC,EAAE,CAAC,KAAK,QAAQ,IAAI,GAAG,CAAC,EAAE,CAAC,EAAE;oBACjD,EAAE,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC;iBACjC;gBACD,IAAI,CAAC,GAAG,EAAE,CAAC;aACZ;iBAAM,IAAI,OAAO,GAAG,CAAC,CAAC,CAAC,KAAK,QAAQ,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE;gBACxD,EAAE,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC;gBACxB,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBACb,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;gBACjB,IAAI,CAAC,GAAG,EAAE,CAAC;aACZ;iBAAM;gBACL,EAAE,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC;gBACxB,mDAAmD;gBACnD,IAAI,OAAO,GAAG,CAAC,CAAC,CAAC,KAAK,QAAQ,IAAI,GAAG,CAAC,CAAC,CAAC,EAAE;oBACxC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;oBACb,EAAE,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;oBAC/B,IAAI,CAAC,GAAG,EAAE,CAAC;iBACZ;aACF;SACF;IACH,CAAC;IAED,QAAQ,CAAC,GAAG,CAAC,CAAC;AAChB,CAAC;AAtCD,wCAsCC"}

package/lib/types.d.ts

@@ -0,0 +1,91 @@
+/// <reference types="node" />
+import { Event, Rule } from './constants';
+import { EventEmitter } from 'events';
+export interface RuleConfig {
+    mode: 'monitor' | 'block' | 'block_at_perimeter' | 'off';
+}
+export declare type SemanticAnalysisRules = Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS | Rule.CMD_INJECTION_COMMAND_BACKDOORS | Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS;
+export interface RulesConfig extends Record<Rule, RuleConfig> {
+}
+export interface Result {
+    blocked: boolean;
+    ruleId: Rule;
+    inputType: string;
+    path?: string[];
+    key?: string;
+    value: string;
+    details?: any[];
+    mongoExpansionResult?: boolean;
+}
+export interface SemanticAnalysisResult extends Result {
+    findings?: {
+        command?: string;
+    };
+    sinkContext?: any;
+}
+export interface HardeningResult extends Result {
+    findings?: {
+        command?: boolean;
+        deserializer?: string;
+    };
+    sinkContext?: any;
+}
+export interface ServerFeaturePreliminaryResult {
+    name?: string;
+    uuid: string;
+    ip?: string;
+}
+export interface ServerFeatureResult extends Result {
+    details?: ServerFeaturePreliminaryResult[];
+}
+export interface ReqData {
+    method: string;
+    headers: string[];
+    uriPath: string;
+    queries: string;
+    contentType?: string;
+    standardUrlParsing: boolean;
+    ip: string;
+    httpVersion: string;
+}
+export interface Findings {
+    trackRequest: boolean;
+    securityException?: [mode: string, ruleId: string];
+    bodyType?: 'json' | 'urlencoded';
+    resultsMap: Record<Rule, Result[]>;
+    semanticResultsMap: Record<Rule, SemanticAnalysisResult[]>;
+    serverFeaturesResultsMap: Record<Rule, ServerFeaturePreliminaryResult[]>;
+    hardeningResultsMap: Record<Rule, HardeningResult[]>;
+}
+export interface RequestStore {
+    protect?: ProtectMessage;
+}
+export interface ProtectMessage {
+    reqData: ReqData;
+    block: (mode: string, ruleId: string) => void;
+    rules: {
+        agentLibRules: RulesConfig;
+        agentLibRulesMask: number;
+        agentRules: RulesConfig;
+    };
+    exclusions: any[];
+    virtualPatches: any[];
+    findings: Findings;
+    parsedBody: any;
+    parsedCookies: any;
+    parsedParams: any;
+    parsedQuery: any;
+}
+export interface Messages extends EventEmitter {
+    addListener(event: Event.PROTECT, listener: (msg: RequestStore) => void): this;
+    emit(event: Event.PROTECT, msg: RequestStore): boolean;
+    emit(event: Event.SERVER_SETTINGS_UPDATE, msg: {
+        [key: string]: any;
+    }): boolean;
+    on(event: Event.PROTECT, listener: (msg: RequestStore) => void): this;
+    on(event: Event.SERVER_SETTINGS_UPDATE, listener: (msg: {
+        [key: string]: any;
+    }) => void): this;
+    prependListener(event: Event.PROTECT, listener: (msg: RequestStore) => void): this;
+    prependOnceListener(event: Event.PROTECT, listener: (msg: RequestStore) => void): this;
+}

package/lib/types.js

@@ -0,0 +1,17 @@
+"use strict";
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/lib/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG"}

package/package.json

@@ -1,13 +1,13 @@
 {
   "name": "@contrast/common",
-  "version": "1.0.1",
+  "version": "1.1.0",
   "description": "Shared constants and utilities for all Contrast Agent modules",
   "license": "UNLICENSED",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
   "main": "lib/index.js",
   "types": "lib/index.d.ts",
   "engines": {
-    "npm": ">=6.13.7 <7 || >= 8.4.0",
+    "npm": ">=6.13.7 <7 || >= 8.3.1",
     "node": ">= 14.15.0"
   },
   "scripts": {

package/src/constants.ts

@@ -1,6 +1,22 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 export enum Event {
   ASSESS = 'assess',
   PROTECT = 'protect',
+  SERVER_SETTINGS_UPDATE = 'server-settings-update',
 }
 
 export enum Rule {
@@ -22,3 +38,31 @@ export enum Rule {
   UNSAFE_FILE_UPLOAD = 'unsafe-file-upload',
   XXE = 'xxe',
 }
+
+export enum InputType {
+  UNDEFINED_TYPE = 'UNDEFINED_TYPE',
+  BODY = 'BODY',
+  COOKIE_NAME = 'COOKIE_NAME',
+  COOKIE_VALUE = 'COOKIE_VALUE',
+  HEADER = 'HEADER',
+  PARAMETER_NAME = 'PARAMETER_NAME',
+  PARAMETER_VALUE = 'PARAMETER_VALUE',
+  QUERYSTRING = 'QUERYSTRING',
+  URI = 'URI',
+  SOCKET = 'SOCKET',
+  JSON_VALUE = 'JSON_VALUE',
+  JSON_ARRAYED_VALUE = 'JSON_ARRAYED_VALUE',
+  MULTIPART_CONTENT_TYPE = 'MULTIPART_CONTENT_TYPE',
+  MULTIPART_VALUE = 'MULTIPART_VALUE',
+  MULTIPART_FIELD_NAME = 'MULTIPART_FIELD_NAME',
+  MULTIPART_NAME = 'MULTIPART_NAME',
+  XML_VALUE = 'XML_VALUE',
+  DWR_VALUE = 'DWR_VALUE',
+  METHOD = 'METHOD',
+  REQUEST = 'REQUEST',
+  URL_PARAMETER = 'URL_PARAMETER',
+  UNKNOWN = 'UNKNOWN',
+}
+
+export const BLOCKING_MODES = ['block', 'block_at_perimeter'];
+

package/src/index.ts

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 export * from './constants';
 export * from './types';
 
@@ -10,6 +25,51 @@ export function isString(value: unknown): value is string | String {
   return typeof value === 'string' || value instanceof String;
 }
 
+export function isNonEmptyObject(value: unknown): value is object {
+  return !!value && typeof value === 'object' && Object.keys(value).length > 0;
+}
+
+/* c8 ignore next 3 */
 export function encodeString(str: string): string {
   return Buffer.from(str).toString('base64');
 }
+
+export function simpleTraverse(obj: any, cb: Function) {
+  if (typeof obj !== 'object' || obj === null) {
+    return;
+  }
+  const path: any[] = [];
+  /* eslint-disable complexity */
+  function traverse(obj: any) {
+    const isArray = Array.isArray(obj);
+    for (const k in obj) {
+      if (isArray) {
+        const _k = Number(k);
+        // if it is an array, store each index in path but don't call the
+        // callback on the index itself as they are just numeric strings.
+        path.push(_k);
+        if (typeof obj[_k] === 'object' && obj[_k] !== null) {
+          traverse(obj[_k]);
+        } else if (typeof obj[_k] === 'string' && obj[_k]) {
+          cb(path, 'Value', obj[_k], obj);
+        }
+        path.pop();
+      } else if (typeof obj[k] === 'object' && obj[k] !== null) {
+        cb(path, 'Key', k, obj);
+        path.push(k);
+        traverse(obj[k]);
+        path.pop();
+      } else {
+        cb(path, 'Key', k, obj);
+        // only callback if the value is a non-empty string
+        if (typeof obj[k] === 'string' && obj[k]) {
+          path.push(k);
+          cb(path, 'Value', obj[k], obj);
+          path.pop();
+        }
+      }
+    }
+  }
+
+  traverse(obj);
+}

package/src/types.ts

@@ -0,0 +1,124 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+import { Event, Rule } from './constants';
+import { EventEmitter } from 'events';
+
+export interface RuleConfig {
+  mode: 'monitor' | 'block' | 'block_at_perimeter' | 'off';
+}
+
+export type SemanticAnalysisRules = Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS | Rule.CMD_INJECTION_COMMAND_BACKDOORS | Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS;
+
+export interface RulesConfig extends Record<Rule, RuleConfig> { }
+
+export interface Result {
+  blocked: boolean;
+  ruleId: Rule,
+  inputType: string, // TODO
+  path?: string[],
+  key?: string,
+  value: string,
+  details?: any[], // TODO
+  mongoExpansionResult?: boolean
+}
+
+export interface SemanticAnalysisResult extends Result {
+  findings?: {
+    command?: string
+  }
+  sinkContext?: any
+}
+
+export interface HardeningResult extends Result {
+  findings?: {
+    command?: boolean,
+    deserializer?: string
+  }
+  sinkContext?: any
+}
+
+export interface ServerFeaturePreliminaryResult {
+  name?: string,
+  uuid: string,
+  ip?: string
+}
+
+export interface ServerFeatureResult extends Result {
+  details?: ServerFeaturePreliminaryResult[]
+}
+
+export interface ReqData {
+  method: string;
+  headers: string[];
+  uriPath: string;
+  queries: string;
+  contentType?: string;
+  standardUrlParsing: boolean;
+  ip: string;
+  httpVersion: string,
+}
+
+export interface Findings {
+  trackRequest: boolean;
+  securityException?: [mode: string, ruleId: string];
+  bodyType?: 'json' | 'urlencoded';
+  resultsMap: Record<Rule, Result[]>;
+  semanticResultsMap: Record<Rule, SemanticAnalysisResult[]>;
+  serverFeaturesResultsMap: Record<Rule, ServerFeaturePreliminaryResult[]>;
+  hardeningResultsMap: Record<Rule, HardeningResult[]>;
+}
+
+//
+// this is known as RequestStore even though, in the future, instrumentation
+// will exist for message buses or sources other than HTTP requests. "request"
+// seems generic enough that it's not hard to understand that request can mean
+// an amqp message or other request to perform work that might get user input.
+// additionally, at this time, the only things instrumented are HTTP requests,
+// and other things are only possible extensions to the core facility. it seems
+// reasonable that they will fit into the primary concept that the agent deals
+// with, requests, whether from HTTP or elsewhere.
+//
+export interface RequestStore {
+  // TODO: from protect/lib/make-source-context
+  protect?: ProtectMessage;
+}
+
+export interface ProtectMessage {
+  reqData: ReqData;
+  block: (mode: string, ruleId: string) => void;
+  rules: {
+    agentLibRules: RulesConfig;
+    agentLibRulesMask: number;
+    agentRules: RulesConfig;
+  };
+  exclusions: any[]; // TODO
+  virtualPatches: any[]; // TODO
+  findings: Findings;
+  parsedBody: any;
+  parsedCookies: any;
+  parsedParams: any;
+  parsedQuery: any;
+}
+
+export interface Messages extends EventEmitter {
+  addListener(event: Event.PROTECT, listener: (msg: RequestStore) => void): this;
+  emit(event: Event.PROTECT, msg: RequestStore): boolean;
+  emit(event: Event.SERVER_SETTINGS_UPDATE, msg: { [key: string]: any }): boolean;
+  on(event: Event.PROTECT, listener: (msg: RequestStore) => void): this;
+  on(event: Event.SERVER_SETTINGS_UPDATE, listener: (msg: { [key: string]: any }) => void): this;
+  prependListener(event: Event.PROTECT, listener: (msg: RequestStore) => void): this;
+  prependOnceListener(event: Event.PROTECT, listener: (msg: RequestStore) => void): this;
+}

package/lib/types/index.d.ts

@@ -1,50 +0,0 @@
-/// <reference types="node" />
-import { Event, Rule } from '../constants';
-import { EventEmitter } from 'events';
-export interface RuleConfig {
-    mode: 'monitor' | 'block' | 'block_at_perimeter' | 'off';
-}
-export interface RulesConfig extends Record<Rule, RuleConfig> {
-}
-export interface Result {
-    ruleId: Rule;
-    inputType: string;
-    path: string[];
-    key: string;
-    value: string;
-    details?: any[];
-}
-export interface RequestStore {
-    protect?: {
-        reqData: {
-            method: string;
-            headers: string[];
-            uriPath: string;
-            queries: string;
-            contentType?: string;
-            standardUrlParsing: boolean;
-        };
-        block: (mode: string, ruleId: string) => void;
-        rules: {
-            agentLibRules: RulesConfig;
-            agentLibRulesMask: number;
-            agentRules: RulesConfig;
-        };
-        exclusions: any[];
-        virtualPatches: any[];
-        findings: {
-            trackRequest: boolean;
-            securityException?: [mode: string, ruleId: string];
-            bodyType?: 'json' | 'urlencoded';
-            resultsMap: Record<Rule, Result[]>;
-        };
-    };
-}
-export interface Messages extends EventEmitter {
-    addListener(event: Event.PROTECT, listener: (msg: RequestStore) => void): this;
-    emit(event: Event.PROTECT, msg: RequestStore): boolean;
-    on(event: Event.PROTECT, listener: (msg: RequestStore) => void): this;
-    once(event: Event.PROTECT, listener: (msg: RequestStore) => void): this;
-    prependListener(event: Event.PROTECT, listener: (msg: RequestStore) => void): this;
-    prependOnceListener(event: Event.PROTECT, listener: (msg: RequestStore) => void): this;
-}

package/lib/types/index.js

@@ -1,3 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-//# sourceMappingURL=index.js.map

package/lib/types/index.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":""}

package/src/types/index.ts

@@ -1,64 +0,0 @@
-import { Event, Rule } from '../constants';
-import { EventEmitter } from 'events';
-
-export interface RuleConfig {
-  mode: 'monitor' | 'block' | 'block_at_perimeter' | 'off';
-}
-
-export interface RulesConfig extends Record<Rule, RuleConfig> {}
-
-export interface Result {
-  ruleId: Rule,
-  inputType: string, // TODO
-  path: string[],
-  key: string,
-  value: string,
-  details?: any[],
-}
-
-//
-// this is known as RequestStore even though, in the future, instrumentation
-// will exist for message buses or sources other than HTTP requests. "request"
-// seems generic enough that it's not hard to understand that request can mean
-// an amqp message or other request to perform work that might get user input.
-// additionally, at this time, the only things instrumented are HTTP requests,
-// and other things are only possible extensions to the core facility. it seems
-// reasonable that they will fit into the primary concept that the agent deals
-// with, requests, whether from HTTP or elsewhere.
-//
-export interface RequestStore {
-  // TODO: from protect/lib/make-source-context
-  protect?: {
-    reqData: {
-      method: string;
-      headers: string[];
-      uriPath: string;
-      queries: string;
-      contentType?: string;
-      standardUrlParsing: boolean;
-    };
-    block: (mode: string, ruleId: string) => void;
-    rules: {
-      agentLibRules: RulesConfig;
-      agentLibRulesMask: number;
-      agentRules: RulesConfig;
-    };
-    exclusions: any[]; // TODO
-    virtualPatches: any[]; // TODO
-    findings: {
-      trackRequest: boolean;
-      securityException?: [mode: string, ruleId: string];
-      bodyType?: 'json' | 'urlencoded';
-      resultsMap: Record<Rule, Result[]>
-    };
-  };
-}
-
-export interface Messages extends EventEmitter {
-  addListener(event: Event.PROTECT, listener: (msg: RequestStore) => void): this;
-  emit(event: Event.PROTECT, msg: RequestStore): boolean;
-  on(event: Event.PROTECT, listener: (msg: RequestStore) => void): this;
-  once(event: Event.PROTECT, listener: (msg: RequestStore) => void): this;
-  prependListener(event: Event.PROTECT, listener: (msg: RequestStore) => void): this;
-  prependOnceListener(event: Event.PROTECT, listener: (msg: RequestStore) => void): this;
-}