@contrast/common 1.1.1 → 1.1.3

package/lib/constants.d.ts

@@ -20,12 +20,13 @@ export declare enum Rule {
     NOSQL_INJECTION = "nosql-injection",
     NOSQL_INJECTION_MONGO = "nosql-injection-mongo",
     PATH_TRAVERSAL = "path-traversal",
+    PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS = "path-traversal-semantic-file-security-bypass",
     REFLECTED_XSS = "reflected-xss",
     SQL_INJECTION = "sql-injection",
     SSJS_INJECTION = "ssjs-injection",
-    VIRTUAL_PATCH = "virtual-patch",
-    UNTRUSTED_DESERIALIZATION = "untrusted-deserialization",
     UNSAFE_FILE_UPLOAD = "unsafe-file-upload",
+    UNTRUSTED_DESERIALIZATION = "untrusted-deserialization",
+    VIRTUAL_PATCH = "virtual-patch",
     XXE = "xxe"
 }
 export declare enum InputType {

package/lib/constants.js

@@ -40,12 +40,13 @@ var Rule;
     Rule["NOSQL_INJECTION"] = "nosql-injection";
     Rule["NOSQL_INJECTION_MONGO"] = "nosql-injection-mongo";
     Rule["PATH_TRAVERSAL"] = "path-traversal";
+    Rule["PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS"] = "path-traversal-semantic-file-security-bypass";
     Rule["REFLECTED_XSS"] = "reflected-xss";
     Rule["SQL_INJECTION"] = "sql-injection";
     Rule["SSJS_INJECTION"] = "ssjs-injection";
-    Rule["VIRTUAL_PATCH"] = "virtual-patch";
-    Rule["UNTRUSTED_DESERIALIZATION"] = "untrusted-deserialization";
     Rule["UNSAFE_FILE_UPLOAD"] = "unsafe-file-upload";
+    Rule["UNTRUSTED_DESERIALIZATION"] = "untrusted-deserialization";
+    Rule["VIRTUAL_PATCH"] = "virtual-patch";
     Rule["XXE"] = "xxe";
 })(Rule = exports.Rule || (exports.Rule = {}));
 var InputType;

package/lib/constants.js.map

@@ -1 +1 @@
-{"version":3,"file":"constants.js","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;AAEH,IAAY,KAIX;AAJD,WAAY,KAAK;IACf,0BAAiB,CAAA;IACjB,4BAAmB,CAAA;IACnB,0DAAiD,CAAA;AACnD,CAAC,EAJW,KAAK,GAAL,aAAK,KAAL,aAAK,QAIhB;AACD,IAAY,eAKX;AALD,WAAY,eAAe;IACzB,8BAAW,CAAA;IACX,sCAAmB,CAAA;IACnB,kCAAe,CAAA;IACf,4DAAyC,CAAA;AAC3C,CAAC,EALW,eAAe,GAAf,uBAAe,KAAf,uBAAe,QAK1B;AAED,IAAY,IAkBX;AAlBD,WAAY,IAAI;IACd,mCAA2B,CAAA;IAC3B,uCAA+B,CAAA;IAC/B,2EAAmE,CAAA;IACnE,2FAAmF,CAAA;IACnF,yFAAiF,CAAA;IACjF,mCAA2B,CAAA;IAC3B,6CAAqC,CAAA;IACrC,2CAAmC,CAAA;IACnC,uDAA+C,CAAA;IAC/C,yCAAiC,CAAA;IACjC,uCAA+B,CAAA;IAC/B,uCAA+B,CAAA;IAC/B,yCAAiC,CAAA;IACjC,uCAA+B,CAAA;IAC/B,+DAAuD,CAAA;IACvD,iDAAyC,CAAA;IACzC,mBAAW,CAAA;AACb,CAAC,EAlBW,IAAI,GAAJ,YAAI,KAAJ,YAAI,QAkBf;AAED,IAAY,SAuBX;AAvBD,WAAY,SAAS;IACnB,8CAAiC,CAAA;IACjC,0BAAa,CAAA;IACb,wCAA2B,CAAA;IAC3B,0CAA6B,CAAA;IAC7B,8BAAiB,CAAA;IACjB,8CAAiC,CAAA;IACjC,gDAAmC,CAAA;IACnC,wCAA2B,CAAA;IAC3B,wBAAW,CAAA;IACX,8BAAiB,CAAA;IACjB,sCAAyB,CAAA;IACzB,sDAAyC,CAAA;IACzC,8DAAiD,CAAA;IACjD,gDAAmC,CAAA;IACnC,0DAA6C,CAAA;IAC7C,8CAAiC,CAAA;IACjC,oCAAuB,CAAA;IACvB,oCAAuB,CAAA;IACvB,8BAAiB,CAAA;IACjB,gCAAmB,CAAA;IACnB,4CAA+B,CAAA;IAC/B,gCAAmB,CAAA;AACrB,CAAC,EAvBW,SAAS,GAAT,iBAAS,KAAT,iBAAS,QAuBpB;AAEY,QAAA,cAAc,GAAG,CAAC,OAAO,EAAE,oBAAoB,CAAC,CAAC"}
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;AAEH,IAAY,KAIX;AAJD,WAAY,KAAK;IACf,0BAAiB,CAAA;IACjB,4BAAmB,CAAA;IACnB,0DAAiD,CAAA;AACnD,CAAC,EAJW,KAAK,GAAL,aAAK,KAAL,aAAK,QAIhB;AACD,IAAY,eAKX;AALD,WAAY,eAAe;IACzB,8BAAW,CAAA;IACX,sCAAmB,CAAA;IACnB,kCAAe,CAAA;IACf,4DAAyC,CAAA;AAC3C,CAAC,EALW,eAAe,GAAf,uBAAe,KAAf,uBAAe,QAK1B;AAED,IAAY,IAmBX;AAnBD,WAAY,IAAI;IACd,mCAA2B,CAAA;IAC3B,uCAA+B,CAAA;IAC/B,2EAAmE,CAAA;IACnE,2FAAmF,CAAA;IACnF,yFAAiF,CAAA;IACjF,mCAA2B,CAAA;IAC3B,6CAAqC,CAAA;IACrC,2CAAmC,CAAA;IACnC,uDAA+C,CAAA;IAC/C,yCAAiC,CAAA;IACjC,qGAA6F,CAAA;IAC7F,uCAA+B,CAAA;IAC/B,uCAA+B,CAAA;IAC/B,yCAAiC,CAAA;IACjC,iDAAyC,CAAA;IACzC,+DAAuD,CAAA;IACvD,uCAA+B,CAAA;IAC/B,mBAAW,CAAA;AACb,CAAC,EAnBW,IAAI,GAAJ,YAAI,KAAJ,YAAI,QAmBf;AAED,IAAY,SAuBX;AAvBD,WAAY,SAAS;IACnB,8CAAiC,CAAA;IACjC,0BAAa,CAAA;IACb,wCAA2B,CAAA;IAC3B,0CAA6B,CAAA;IAC7B,8BAAiB,CAAA;IACjB,8CAAiC,CAAA;IACjC,gDAAmC,CAAA;IACnC,wCAA2B,CAAA;IAC3B,wBAAW,CAAA;IACX,8BAAiB,CAAA;IACjB,sCAAyB,CAAA;IACzB,sDAAyC,CAAA;IACzC,8DAAiD,CAAA;IACjD,gDAAmC,CAAA;IACnC,0DAA6C,CAAA;IAC7C,8CAAiC,CAAA;IACjC,oCAAuB,CAAA;IACvB,oCAAuB,CAAA;IACvB,8BAAiB,CAAA;IACjB,gCAAmB,CAAA;IACnB,4CAA+B,CAAA;IAC/B,gCAAmB,CAAA;AACrB,CAAC,EAvBW,SAAS,GAAT,iBAAS,KAAT,iBAAS,QAuBpB;AAEY,QAAA,cAAc,GAAG,CAAC,OAAO,EAAE,oBAAoB,CAAC,CAAC"}

package/lib/types.d.ts

@@ -1,17 +1,39 @@
 /// <reference types="node" />
 import { Event, Rule, ProtectRuleMode } from './constants';
 import { EventEmitter } from 'events';
+export interface AppInfo {
+    os: {
+        type: string;
+        platform: string;
+        architecture: string;
+        release: string;
+    };
+    hostname: string;
+    version: string;
+    name: string;
+    pkg: object;
+    agentVersion: string;
+    app_dir: string;
+    serverVersion: string;
+    node_version: string;
+    appPath: string;
+    indexFile: string;
+    serverName: string;
+    serverEnvironment: string;
+}
 export declare type SemanticAnalysisRules = Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS | Rule.CMD_INJECTION_COMMAND_BACKDOORS | Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS;
 export interface Result {
     blocked: boolean;
-    ruleId: Rule;
+    details?: any[];
+    idsList?: string[];
     inputType: string;
-    path?: string[];
     key?: string;
-    value: string;
-    details?: any[];
+    mappedId: string;
     mongoExpansionResult?: boolean;
-    idsList?: string[];
+    path?: string[];
+    ruleId: Rule;
+    score: number;
+    value: string;
 }
 export interface SemanticAnalysisResult extends Result {
     findings?: {
@@ -48,18 +70,15 @@ export interface Findings {
     trackRequest: boolean;
     securityException?: [mode: ProtectRuleMode, ruleId: string];
     bodyType?: 'json' | 'urlencoded';
-    resultsMap: Record<Rule, Result[]>;
-    semanticResultsMap: Record<Rule, SemanticAnalysisResult[]>;
-    serverFeaturesResultsMap: Record<Rule, ServerFeaturePreliminaryResult[]>;
-    hardeningResultsMap: Record<Rule, HardeningResult[]>;
-}
-export interface RequestStore {
-    protect?: ProtectMessage;
+    resultsMap: Partial<Record<Rule, Result[]>>;
+    semanticResultsMap: Partial<Record<Rule, SemanticAnalysisResult[]>>;
+    serverFeaturesResultsMap: Partial<Record<Rule, ServerFeaturePreliminaryResult[]>>;
+    hardeningResultsMap: Partial<Record<Rule, HardeningResult[]>>;
 }
 export interface ProtectMessage {
     reqData: ReqData;
     block: (mode: string, ruleId: string) => void;
-    policy: any;
+    policy: Partial<Record<Rule, ProtectRuleMode>>;
     exclusions: any[];
     virtualPatches: any[];
     findings: Findings;
@@ -68,16 +87,26 @@ export interface ProtectMessage {
     parsedParams: any;
     parsedQuery: any;
 }
+/**
+ * this is known as RequestStore even though, in the future, instrumentation
+ * will exist for message buses or sources other than HTTP requests. "request"
+ * seems generic enough that it's not hard to understand that request can mean
+ * an amqp message or other request to perform work that might get user input.
+ * additionally, at this time, the only things instrumented are HTTP requests,
+ * and other things are only possible extensions to the core facility. it seems
+ * reasonable that they will fit into the primary concept that the agent deals
+ * with, requests, whether from HTTP or elsewhere.
+ */
+export interface RequestStore {
+    protect?: ProtectMessage;
+}
 export interface Messages extends EventEmitter {
     addListener(event: Event.PROTECT, listener: (msg: RequestStore) => void): this;
+    addListener(event: Event.SERVER_SETTINGS_UPDATE, listener: (msg: Record<string, any>) => void): this;
     emit(event: Event.PROTECT, msg: RequestStore): boolean;
-    emit(event: Event.SERVER_SETTINGS_UPDATE, msg: {
-        [key: string]: any;
-    }): boolean;
+    emit(event: Event.SERVER_SETTINGS_UPDATE, msg: Record<string, any>): boolean;
     on(event: Event.PROTECT, listener: (msg: RequestStore) => void): this;
-    on(event: Event.SERVER_SETTINGS_UPDATE, listener: (msg: {
-        [key: string]: any;
-    }) => void): this;
+    on(event: Event.SERVER_SETTINGS_UPDATE, listener: (msg: Record<string, any>) => void): this;
     prependListener(event: Event.PROTECT, listener: (msg: RequestStore) => void): this;
     prependOnceListener(event: Event.PROTECT, listener: (msg: RequestStore) => void): this;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/common",
-  "version": "1.1.1",
+  "version": "1.1.3",
   "description": "Shared constants and utilities for all Contrast Agent modules",
   "license": "UNLICENSED",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",

package/src/constants.ts

@@ -36,12 +36,13 @@ export enum Rule {
   NOSQL_INJECTION = 'nosql-injection',
   NOSQL_INJECTION_MONGO = 'nosql-injection-mongo',
   PATH_TRAVERSAL = 'path-traversal',
+  PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS = 'path-traversal-semantic-file-security-bypass',
   REFLECTED_XSS = 'reflected-xss',
   SQL_INJECTION = 'sql-injection',
   SSJS_INJECTION = 'ssjs-injection',
-  VIRTUAL_PATCH = 'virtual-patch',
-  UNTRUSTED_DESERIALIZATION = 'untrusted-deserialization',
   UNSAFE_FILE_UPLOAD = 'unsafe-file-upload',
+  UNTRUSTED_DESERIALIZATION = 'untrusted-deserialization',
+  VIRTUAL_PATCH = 'virtual-patch',
   XXE = 'xxe',
 }
 
@@ -71,4 +72,3 @@ export enum InputType {
 }
 
 export const BLOCKING_MODES = ['block', 'block_at_perimeter'];
-

package/src/types.ts

@@ -16,43 +16,69 @@
 import { Event, Rule, ProtectRuleMode } from './constants';
 import { EventEmitter } from 'events';
 
-export type SemanticAnalysisRules = Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS | Rule.CMD_INJECTION_COMMAND_BACKDOORS | Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS;
+export interface AppInfo {
+  os: {
+    type: string;
+    platform: string;
+    architecture: string;
+    release: string;
+  };
+  hostname: string;
+  version: string;
+  name: string;
+  pkg: object; // package.json
+  agentVersion: string;
+  app_dir: string;
+  serverVersion: string;
+  node_version: string;
+  appPath: string;
+  indexFile: string;
+  serverName: string;
+  serverEnvironment: string;
+}
+
+export type SemanticAnalysisRules =
+  | Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS
+  | Rule.CMD_INJECTION_COMMAND_BACKDOORS
+  | Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS;
 
 export interface Result {
   blocked: boolean;
-  ruleId: Rule,
-  inputType: string, // TODO
-  path?: string[],
-  key?: string,
-  value: string,
-  details?: any[], // TODO
-  mongoExpansionResult?: boolean,
-  idsList?: string[],
+  details?: any[]; // TODO
+  idsList?: string[];
+  inputType: string; // TODO
+  key?: string;
+  mappedId: string;
+  mongoExpansionResult?: boolean;
+  path?: string[];
+  ruleId: Rule;
+  score: number;
+  value: string;
 }
 
 export interface SemanticAnalysisResult extends Result {
   findings?: {
-    command?: string
-  }
-  sinkContext?: any
+    command?: string;
+  };
+  sinkContext?: any;
 }
 
 export interface HardeningResult extends Result {
   findings?: {
-    command?: boolean,
-    deserializer?: string
-  }
-  sinkContext?: any
+    command?: boolean;
+    deserializer?: string;
+  };
+  sinkContext?: any;
 }
 
 export interface ServerFeaturePreliminaryResult {
-  name?: string,
-  uuid: string,
-  ip?: string
+  name?: string;
+  uuid: string;
+  ip?: string;
 }
 
 export interface ServerFeatureResult extends Result {
-  details?: ServerFeaturePreliminaryResult[]
+  details?: ServerFeaturePreliminaryResult[];
 }
 
 export interface ReqData {
@@ -63,38 +89,23 @@ export interface ReqData {
   contentType?: string;
   standardUrlParsing: boolean;
   ip: string;
-  httpVersion: string,
+  httpVersion: string;
 }
 
 export interface Findings {
   trackRequest: boolean;
   securityException?: [mode: ProtectRuleMode, ruleId: string];
   bodyType?: 'json' | 'urlencoded';
-  resultsMap: Record<Rule, Result[]>;
-  semanticResultsMap: Record<Rule, SemanticAnalysisResult[]>;
-  serverFeaturesResultsMap: Record<Rule, ServerFeaturePreliminaryResult[]>;
-  hardeningResultsMap: Record<Rule, HardeningResult[]>;
-}
-
-//
-// this is known as RequestStore even though, in the future, instrumentation
-// will exist for message buses or sources other than HTTP requests. "request"
-// seems generic enough that it's not hard to understand that request can mean
-// an amqp message or other request to perform work that might get user input.
-// additionally, at this time, the only things instrumented are HTTP requests,
-// and other things are only possible extensions to the core facility. it seems
-// reasonable that they will fit into the primary concept that the agent deals
-// with, requests, whether from HTTP or elsewhere.
-//
-export interface RequestStore {
-  // TODO: from protect/lib/make-source-context
-  protect?: ProtectMessage;
+  resultsMap: Partial<Record<Rule, Result[]>>;
+  semanticResultsMap: Partial<Record<Rule, SemanticAnalysisResult[]>>;
+  serverFeaturesResultsMap: Partial<Record<Rule, ServerFeaturePreliminaryResult[]>>;
+  hardeningResultsMap: Partial<Record<Rule, HardeningResult[]>>;
 }
 
 export interface ProtectMessage {
   reqData: ReqData;
   block: (mode: string, ruleId: string) => void;
-  policy: any;
+  policy: Partial<Record<Rule, ProtectRuleMode>>;
   exclusions: any[]; // TODO
   virtualPatches: any[]; // TODO
   findings: Findings;
@@ -104,12 +115,44 @@ export interface ProtectMessage {
   parsedQuery: any;
 }
 
+/**
+ * this is known as RequestStore even though, in the future, instrumentation
+ * will exist for message buses or sources other than HTTP requests. "request"
+ * seems generic enough that it's not hard to understand that request can mean
+ * an amqp message or other request to perform work that might get user input.
+ * additionally, at this time, the only things instrumented are HTTP requests,
+ * and other things are only possible extensions to the core facility. it seems
+ * reasonable that they will fit into the primary concept that the agent deals
+ * with, requests, whether from HTTP or elsewhere.
+ */
+export interface RequestStore {
+  protect?: ProtectMessage; // from protect/lib/make-source-context
+}
+
 export interface Messages extends EventEmitter {
-  addListener(event: Event.PROTECT, listener: (msg: RequestStore) => void): this;
+  addListener(event: Event.PROTECT,
+    listener: (msg: RequestStore) => void,
+  ): this;
+  addListener(
+    event: Event.SERVER_SETTINGS_UPDATE,
+    listener: (msg: Record<string, any>) => void,
+  ): this;
+
   emit(event: Event.PROTECT, msg: RequestStore): boolean;
-  emit(event: Event.SERVER_SETTINGS_UPDATE, msg: { [key: string]: any }): boolean;
+  emit(event: Event.SERVER_SETTINGS_UPDATE, msg: Record<string, any>): boolean;
+
   on(event: Event.PROTECT, listener: (msg: RequestStore) => void): this;
-  on(event: Event.SERVER_SETTINGS_UPDATE, listener: (msg: { [key: string]: any }) => void): this;
-  prependListener(event: Event.PROTECT, listener: (msg: RequestStore) => void): this;
-  prependOnceListener(event: Event.PROTECT, listener: (msg: RequestStore) => void): this;
+  on(
+    event: Event.SERVER_SETTINGS_UPDATE,
+    listener: (msg: Record<string, any>) => void,
+  ): this;
+
+  prependListener(
+    event: Event.PROTECT,
+    listener: (msg: RequestStore) => void,
+  ): this;
+  prependOnceListener(
+    event: Event.PROTECT,
+    listener: (msg: RequestStore) => void,
+  ): this;
 }