@contrast/common 1.1.2 → 1.1.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/lib/constants.d.ts +2 -2
- package/lib/constants.js +2 -2
- package/lib/constants.js.map +1 -1
- package/lib/index.d.ts +4 -1
- package/lib/index.js +0 -1
- package/lib/index.js.map +1 -1
- package/lib/types.d.ts +50 -20
- package/package.json +2 -3
- package/src/constants.ts +2 -3
- package/src/index.ts +5 -2
- package/src/types.ts +75 -45
package/lib/constants.d.ts
CHANGED
|
@@ -24,9 +24,9 @@ export declare enum Rule {
|
|
|
24
24
|
REFLECTED_XSS = "reflected-xss",
|
|
25
25
|
SQL_INJECTION = "sql-injection",
|
|
26
26
|
SSJS_INJECTION = "ssjs-injection",
|
|
27
|
-
VIRTUAL_PATCH = "virtual-patch",
|
|
28
|
-
UNTRUSTED_DESERIALIZATION = "untrusted-deserialization",
|
|
29
27
|
UNSAFE_FILE_UPLOAD = "unsafe-file-upload",
|
|
28
|
+
UNTRUSTED_DESERIALIZATION = "untrusted-deserialization",
|
|
29
|
+
VIRTUAL_PATCH = "virtual-patch",
|
|
30
30
|
XXE = "xxe"
|
|
31
31
|
}
|
|
32
32
|
export declare enum InputType {
|
package/lib/constants.js
CHANGED
|
@@ -44,9 +44,9 @@ var Rule;
|
|
|
44
44
|
Rule["REFLECTED_XSS"] = "reflected-xss";
|
|
45
45
|
Rule["SQL_INJECTION"] = "sql-injection";
|
|
46
46
|
Rule["SSJS_INJECTION"] = "ssjs-injection";
|
|
47
|
-
Rule["VIRTUAL_PATCH"] = "virtual-patch";
|
|
48
|
-
Rule["UNTRUSTED_DESERIALIZATION"] = "untrusted-deserialization";
|
|
49
47
|
Rule["UNSAFE_FILE_UPLOAD"] = "unsafe-file-upload";
|
|
48
|
+
Rule["UNTRUSTED_DESERIALIZATION"] = "untrusted-deserialization";
|
|
49
|
+
Rule["VIRTUAL_PATCH"] = "virtual-patch";
|
|
50
50
|
Rule["XXE"] = "xxe";
|
|
51
51
|
})(Rule = exports.Rule || (exports.Rule = {}));
|
|
52
52
|
var InputType;
|
package/lib/constants.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"constants.js","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;AAEH,IAAY,KAIX;AAJD,WAAY,KAAK;IACf,0BAAiB,CAAA;IACjB,4BAAmB,CAAA;IACnB,0DAAiD,CAAA;AACnD,CAAC,EAJW,KAAK,GAAL,aAAK,KAAL,aAAK,QAIhB;AACD,IAAY,eAKX;AALD,WAAY,eAAe;IACzB,8BAAW,CAAA;IACX,sCAAmB,CAAA;IACnB,kCAAe,CAAA;IACf,4DAAyC,CAAA;AAC3C,CAAC,EALW,eAAe,GAAf,uBAAe,KAAf,uBAAe,QAK1B;AAED,IAAY,IAmBX;AAnBD,WAAY,IAAI;IACd,mCAA2B,CAAA;IAC3B,uCAA+B,CAAA;IAC/B,2EAAmE,CAAA;IACnE,2FAAmF,CAAA;IACnF,yFAAiF,CAAA;IACjF,mCAA2B,CAAA;IAC3B,6CAAqC,CAAA;IACrC,2CAAmC,CAAA;IACnC,uDAA+C,CAAA;IAC/C,yCAAiC,CAAA;IACjC,qGAA6F,CAAA;IAC7F,uCAA+B,CAAA;IAC/B,uCAA+B,CAAA;IAC/B,yCAAiC,CAAA;IACjC,
|
|
1
|
+
{"version":3,"file":"constants.js","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;AAEH,IAAY,KAIX;AAJD,WAAY,KAAK;IACf,0BAAiB,CAAA;IACjB,4BAAmB,CAAA;IACnB,0DAAiD,CAAA;AACnD,CAAC,EAJW,KAAK,GAAL,aAAK,KAAL,aAAK,QAIhB;AACD,IAAY,eAKX;AALD,WAAY,eAAe;IACzB,8BAAW,CAAA;IACX,sCAAmB,CAAA;IACnB,kCAAe,CAAA;IACf,4DAAyC,CAAA;AAC3C,CAAC,EALW,eAAe,GAAf,uBAAe,KAAf,uBAAe,QAK1B;AAED,IAAY,IAmBX;AAnBD,WAAY,IAAI;IACd,mCAA2B,CAAA;IAC3B,uCAA+B,CAAA;IAC/B,2EAAmE,CAAA;IACnE,2FAAmF,CAAA;IACnF,yFAAiF,CAAA;IACjF,mCAA2B,CAAA;IAC3B,6CAAqC,CAAA;IACrC,2CAAmC,CAAA;IACnC,uDAA+C,CAAA;IAC/C,yCAAiC,CAAA;IACjC,qGAA6F,CAAA;IAC7F,uCAA+B,CAAA;IAC/B,uCAA+B,CAAA;IAC/B,yCAAiC,CAAA;IACjC,iDAAyC,CAAA;IACzC,+DAAuD,CAAA;IACvD,uCAA+B,CAAA;IAC/B,mBAAW,CAAA;AACb,CAAC,EAnBW,IAAI,GAAJ,YAAI,KAAJ,YAAI,QAmBf;AAED,IAAY,SAuBX;AAvBD,WAAY,SAAS;IACnB,8CAAiC,CAAA;IACjC,0BAAa,CAAA;IACb,wCAA2B,CAAA;IAC3B,0CAA6B,CAAA;IAC7B,8BAAiB,CAAA;IACjB,8CAAiC,CAAA;IACjC,gDAAmC,CAAA;IACnC,wCAA2B,CAAA;IAC3B,wBAAW,CAAA;IACX,8BAAiB,CAAA;IACjB,sCAAyB,CAAA;IACzB,sDAAyC,CAAA;IACzC,8DAAiD,CAAA;IACjD,gDAAmC,CAAA;IACnC,0DAA6C,CAAA;IAC7C,8CAAiC,CAAA;IACjC,oCAAuB,CAAA;IACvB,oCAAuB,CAAA;IACvB,8BAAiB,CAAA;IACjB,gCAAmB,CAAA;IACnB,4CAA+B,CAAA;IAC/B,gCAAmB,CAAA;AACrB,CAAC,EAvBW,SAAS,GAAT,iBAAS,KAAT,iBAAS,QAuBpB;AAEY,QAAA,cAAc,GAAG,CAAC,OAAO,EAAE,oBAAoB,CAAC,CAAC"}
|
package/lib/index.d.ts
CHANGED
|
@@ -1,5 +1,8 @@
|
|
|
1
1
|
export * from './constants';
|
|
2
2
|
export * from './types';
|
|
3
|
+
interface TraverseCallback {
|
|
4
|
+
(path: any[], type: 'Key' | 'Value', value: any, obj: any): unknown;
|
|
5
|
+
}
|
|
3
6
|
/**
|
|
4
7
|
* Returns true if the value passed is either a primitive string or a
|
|
5
8
|
* String object.
|
|
@@ -7,5 +10,5 @@ export * from './types';
|
|
|
7
10
|
export declare function isString(value: unknown): value is string | String;
|
|
8
11
|
export declare function isNonEmptyObject(value: unknown): value is object;
|
|
9
12
|
export declare function encodeString(str: string): string;
|
|
10
|
-
export declare function simpleTraverse(obj: any, cb:
|
|
13
|
+
export declare function simpleTraverse(obj: any, cb: TraverseCallback): void;
|
|
11
14
|
export declare function installChildComponentsSync(parent: any, order: string[]): void;
|
package/lib/index.js
CHANGED
package/lib/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;;;;;;;;;;;;;;;AAEH,8CAA4B;AAC5B,0CAAwB;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;;;;;;;;;;;;;;;AAEH,8CAA4B;AAC5B,0CAAwB;AAMxB;;;GAGG;AACH,wDAAwD;AACxD,SAAgB,QAAQ,CAAC,KAAc;IACrC,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,YAAY,MAAM,CAAC;AAC9D,CAAC;AAFD,4BAEC;AAED,SAAgB,gBAAgB,CAAC,KAAc;IAC7C,OAAO,CAAC,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;AAC/E,CAAC;AAFD,4CAEC;AAED,sBAAsB;AACtB,SAAgB,YAAY,CAAC,GAAW;IACtC,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AAC7C,CAAC;AAFD,oCAEC;AAED,SAAgB,cAAc,CAAC,GAAQ,EAAE,EAAoB;IAC3D,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,EAAE;QAC3C,OAAO;KACR;IACD,MAAM,IAAI,GAAU,EAAE,CAAC;IACvB,SAAS,QAAQ,CAAC,GAAQ;QACxB,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACnC,KAAK,MAAM,CAAC,IAAI,GAAG,EAAE;YACnB,IAAI,OAAO,EAAE;gBACX,MAAM,EAAE,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;gBACrB,iEAAiE;gBACjE,iEAAiE;gBACjE,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;gBACd,IAAI,OAAO,GAAG,CAAC,EAAE,CAAC,KAAK,QAAQ,IAAI,GAAG,CAAC,EAAE,CAAC,KAAK,IAAI,EAAE;oBACnD,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;iBACnB;qBAAM,IAAI,OAAO,GAAG,CAAC,EAAE,CAAC,KAAK,QAAQ,IAAI,GAAG,CAAC,EAAE,CAAC,EAAE;oBACjD,EAAE,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC;iBACjC;gBACD,IAAI,CAAC,GAAG,EAAE,CAAC;aACZ;iBAAM,IAAI,OAAO,GAAG,CAAC,CAAC,CAAC,KAAK,QAAQ,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE;gBACxD,EAAE,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC;gBACxB,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBACb,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;gBACjB,IAAI,CAAC,GAAG,EAAE,CAAC;aACZ;iBAAM;gBACL,EAAE,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC;gBACxB,mDAAmD;gBACnD,IAAI,OAAO,GAAG,CAAC,CAAC,CAAC,KAAK,QAAQ,IAAI,GAAG,CAAC,CAAC,CAAC,EAAE;oBACxC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;oBACb,EAAE,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;oBAC/B,IAAI,CAAC,GAAG,EAAE,CAAC;iBACZ;aACF;SACF;IACH,CAAC;IAED,QAAQ,CAAC,GAAG,CAAC,CAAC;AAChB,CAAC;AArCD,wCAqCC;AAED,SAAgB,0BAA0B,CAAC,MAAW,EAAE,KAAe;IACrE,MAAM,IAAI,GAAG,KAAK,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC1C,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE;QACtB,MAAM,SAAS,GAAQ,MAAM,CAAC,GAAG,CAAC,CAAC;QACnC,IAAI,OAAO,SAAS,CAAC,OAAO,KAAK,UAAU,EAAE;YAC3C,SAAS,CAAC,OAAO,EAAE,CAAC;SACrB;KACF;AACH,CAAC;AARD,gEAQC"}
|
package/lib/types.d.ts
CHANGED
|
@@ -1,22 +1,45 @@
|
|
|
1
1
|
/// <reference types="node" />
|
|
2
2
|
import { Event, Rule, ProtectRuleMode } from './constants';
|
|
3
3
|
import { EventEmitter } from 'events';
|
|
4
|
+
export interface AppInfo {
|
|
5
|
+
os: {
|
|
6
|
+
type: string;
|
|
7
|
+
platform: string;
|
|
8
|
+
architecture: string;
|
|
9
|
+
release: string;
|
|
10
|
+
};
|
|
11
|
+
hostname: string;
|
|
12
|
+
name: string;
|
|
13
|
+
pkg: object;
|
|
14
|
+
agentVersion: string;
|
|
15
|
+
app_dir: string;
|
|
16
|
+
serverVersion: string;
|
|
17
|
+
node_version: string;
|
|
18
|
+
appPath: string;
|
|
19
|
+
indexFile: string;
|
|
20
|
+
serverName: string;
|
|
21
|
+
serverEnvironment: string;
|
|
22
|
+
version: string;
|
|
23
|
+
}
|
|
4
24
|
export declare type SemanticAnalysisRules = Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS | Rule.CMD_INJECTION_COMMAND_BACKDOORS | Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS;
|
|
5
25
|
export interface Result {
|
|
6
26
|
blocked: boolean;
|
|
7
|
-
|
|
27
|
+
details?: any[];
|
|
28
|
+
idsList?: string[];
|
|
8
29
|
inputType: string;
|
|
9
|
-
path?: string[];
|
|
10
30
|
key?: string;
|
|
11
|
-
|
|
12
|
-
score: number;
|
|
13
|
-
details?: any[];
|
|
31
|
+
mappedId: string;
|
|
14
32
|
mongoExpansionResult?: boolean;
|
|
15
|
-
|
|
33
|
+
path?: string[];
|
|
34
|
+
ruleId: Rule;
|
|
35
|
+
score: number;
|
|
36
|
+
value: string;
|
|
16
37
|
}
|
|
17
38
|
export interface SemanticAnalysisResult extends Result {
|
|
18
39
|
findings?: {
|
|
19
40
|
command?: string;
|
|
41
|
+
prolog?: string;
|
|
42
|
+
xml?: string;
|
|
20
43
|
};
|
|
21
44
|
sinkContext?: any;
|
|
22
45
|
}
|
|
@@ -49,18 +72,15 @@ export interface Findings {
|
|
|
49
72
|
trackRequest: boolean;
|
|
50
73
|
securityException?: [mode: ProtectRuleMode, ruleId: string];
|
|
51
74
|
bodyType?: 'json' | 'urlencoded';
|
|
52
|
-
resultsMap: Record<Rule, Result[]
|
|
53
|
-
semanticResultsMap: Record<Rule, SemanticAnalysisResult[]
|
|
54
|
-
serverFeaturesResultsMap: Record<Rule, ServerFeaturePreliminaryResult[]
|
|
55
|
-
hardeningResultsMap: Record<Rule, HardeningResult[]
|
|
56
|
-
}
|
|
57
|
-
export interface RequestStore {
|
|
58
|
-
protect?: ProtectMessage;
|
|
75
|
+
resultsMap: Partial<Record<Rule, Result[]>>;
|
|
76
|
+
semanticResultsMap: Partial<Record<Rule, SemanticAnalysisResult[]>>;
|
|
77
|
+
serverFeaturesResultsMap: Partial<Record<Rule, ServerFeaturePreliminaryResult[]>>;
|
|
78
|
+
hardeningResultsMap: Partial<Record<Rule, HardeningResult[]>>;
|
|
59
79
|
}
|
|
60
80
|
export interface ProtectMessage {
|
|
61
81
|
reqData: ReqData;
|
|
62
82
|
block: (mode: string, ruleId: string) => void;
|
|
63
|
-
policy:
|
|
83
|
+
policy: Partial<Record<Rule, ProtectRuleMode>>;
|
|
64
84
|
exclusions: any[];
|
|
65
85
|
virtualPatches: any[];
|
|
66
86
|
findings: Findings;
|
|
@@ -69,16 +89,26 @@ export interface ProtectMessage {
|
|
|
69
89
|
parsedParams: any;
|
|
70
90
|
parsedQuery: any;
|
|
71
91
|
}
|
|
92
|
+
/**
|
|
93
|
+
* this is known as RequestStore even though, in the future, instrumentation
|
|
94
|
+
* will exist for message buses or sources other than HTTP requests. "request"
|
|
95
|
+
* seems generic enough that it's not hard to understand that request can mean
|
|
96
|
+
* an amqp message or other request to perform work that might get user input.
|
|
97
|
+
* additionally, at this time, the only things instrumented are HTTP requests,
|
|
98
|
+
* and other things are only possible extensions to the core facility. it seems
|
|
99
|
+
* reasonable that they will fit into the primary concept that the agent deals
|
|
100
|
+
* with, requests, whether from HTTP or elsewhere.
|
|
101
|
+
*/
|
|
102
|
+
export interface RequestStore {
|
|
103
|
+
protect?: ProtectMessage;
|
|
104
|
+
}
|
|
72
105
|
export interface Messages extends EventEmitter {
|
|
73
106
|
addListener(event: Event.PROTECT, listener: (msg: RequestStore) => void): this;
|
|
107
|
+
addListener(event: Event.SERVER_SETTINGS_UPDATE, listener: (msg: Record<string, any>) => void): this;
|
|
74
108
|
emit(event: Event.PROTECT, msg: RequestStore): boolean;
|
|
75
|
-
emit(event: Event.SERVER_SETTINGS_UPDATE, msg:
|
|
76
|
-
[key: string]: any;
|
|
77
|
-
}): boolean;
|
|
109
|
+
emit(event: Event.SERVER_SETTINGS_UPDATE, msg: Record<string, any>): boolean;
|
|
78
110
|
on(event: Event.PROTECT, listener: (msg: RequestStore) => void): this;
|
|
79
|
-
on(event: Event.SERVER_SETTINGS_UPDATE, listener: (msg:
|
|
80
|
-
[key: string]: any;
|
|
81
|
-
}) => void): this;
|
|
111
|
+
on(event: Event.SERVER_SETTINGS_UPDATE, listener: (msg: Record<string, any>) => void): this;
|
|
82
112
|
prependListener(event: Event.PROTECT, listener: (msg: RequestStore) => void): this;
|
|
83
113
|
prependOnceListener(event: Event.PROTECT, listener: (msg: RequestStore) => void): this;
|
|
84
114
|
}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@contrast/common",
|
|
3
|
-
"version": "1.1.
|
|
3
|
+
"version": "1.1.4",
|
|
4
4
|
"description": "Shared constants and utilities for all Contrast Agent modules",
|
|
5
5
|
"license": "UNLICENSED",
|
|
6
6
|
"author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
|
|
@@ -13,6 +13,5 @@
|
|
|
13
13
|
"scripts": {
|
|
14
14
|
"build": "tsc --build src/",
|
|
15
15
|
"test": "../scripts/test.sh"
|
|
16
|
-
}
|
|
17
|
-
"dependencies": {}
|
|
16
|
+
}
|
|
18
17
|
}
|
package/src/constants.ts
CHANGED
|
@@ -40,9 +40,9 @@ export enum Rule {
|
|
|
40
40
|
REFLECTED_XSS = 'reflected-xss',
|
|
41
41
|
SQL_INJECTION = 'sql-injection',
|
|
42
42
|
SSJS_INJECTION = 'ssjs-injection',
|
|
43
|
-
VIRTUAL_PATCH = 'virtual-patch',
|
|
44
|
-
UNTRUSTED_DESERIALIZATION = 'untrusted-deserialization',
|
|
45
43
|
UNSAFE_FILE_UPLOAD = 'unsafe-file-upload',
|
|
44
|
+
UNTRUSTED_DESERIALIZATION = 'untrusted-deserialization',
|
|
45
|
+
VIRTUAL_PATCH = 'virtual-patch',
|
|
46
46
|
XXE = 'xxe',
|
|
47
47
|
}
|
|
48
48
|
|
|
@@ -72,4 +72,3 @@ export enum InputType {
|
|
|
72
72
|
}
|
|
73
73
|
|
|
74
74
|
export const BLOCKING_MODES = ['block', 'block_at_perimeter'];
|
|
75
|
-
|
package/src/index.ts
CHANGED
|
@@ -16,6 +16,10 @@
|
|
|
16
16
|
export * from './constants';
|
|
17
17
|
export * from './types';
|
|
18
18
|
|
|
19
|
+
interface TraverseCallback {
|
|
20
|
+
(path: any[], type: 'Key' | 'Value', value: any, obj: any): unknown;
|
|
21
|
+
}
|
|
22
|
+
|
|
19
23
|
/**
|
|
20
24
|
* Returns true if the value passed is either a primitive string or a
|
|
21
25
|
* String object.
|
|
@@ -34,12 +38,11 @@ export function encodeString(str: string): string {
|
|
|
34
38
|
return Buffer.from(str).toString('base64');
|
|
35
39
|
}
|
|
36
40
|
|
|
37
|
-
export function simpleTraverse(obj: any, cb:
|
|
41
|
+
export function simpleTraverse(obj: any, cb: TraverseCallback) {
|
|
38
42
|
if (typeof obj !== 'object' || obj === null) {
|
|
39
43
|
return;
|
|
40
44
|
}
|
|
41
45
|
const path: any[] = [];
|
|
42
|
-
/* eslint-disable complexity */
|
|
43
46
|
function traverse(obj: any) {
|
|
44
47
|
const isArray = Array.isArray(obj);
|
|
45
48
|
for (const k in obj) {
|
package/src/types.ts
CHANGED
|
@@ -16,44 +16,71 @@
|
|
|
16
16
|
import { Event, Rule, ProtectRuleMode } from './constants';
|
|
17
17
|
import { EventEmitter } from 'events';
|
|
18
18
|
|
|
19
|
-
export
|
|
19
|
+
export interface AppInfo {
|
|
20
|
+
os: {
|
|
21
|
+
type: string;
|
|
22
|
+
platform: string;
|
|
23
|
+
architecture: string;
|
|
24
|
+
release: string;
|
|
25
|
+
};
|
|
26
|
+
hostname: string;
|
|
27
|
+
name: string;
|
|
28
|
+
pkg: object; // package.json
|
|
29
|
+
agentVersion: string;
|
|
30
|
+
app_dir: string;
|
|
31
|
+
serverVersion: string;
|
|
32
|
+
node_version: string;
|
|
33
|
+
appPath: string;
|
|
34
|
+
indexFile: string;
|
|
35
|
+
serverName: string;
|
|
36
|
+
serverEnvironment: string;
|
|
37
|
+
version: string;
|
|
38
|
+
}
|
|
39
|
+
|
|
40
|
+
export type SemanticAnalysisRules =
|
|
41
|
+
| Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS
|
|
42
|
+
| Rule.CMD_INJECTION_COMMAND_BACKDOORS
|
|
43
|
+
| Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS;
|
|
20
44
|
|
|
21
45
|
export interface Result {
|
|
22
46
|
blocked: boolean;
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
key?: string
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
47
|
+
details?: any[]; // TODO
|
|
48
|
+
idsList?: string[];
|
|
49
|
+
inputType: string; // TODO
|
|
50
|
+
key?: string;
|
|
51
|
+
mappedId: string;
|
|
52
|
+
mongoExpansionResult?: boolean;
|
|
53
|
+
path?: string[];
|
|
54
|
+
ruleId: Rule;
|
|
55
|
+
score: number;
|
|
56
|
+
value: string;
|
|
32
57
|
}
|
|
33
58
|
|
|
34
59
|
export interface SemanticAnalysisResult extends Result {
|
|
35
60
|
findings?: {
|
|
36
|
-
command?: string
|
|
37
|
-
|
|
38
|
-
|
|
61
|
+
command?: string;
|
|
62
|
+
prolog?: string;
|
|
63
|
+
xml?: string;
|
|
64
|
+
};
|
|
65
|
+
sinkContext?: any;
|
|
39
66
|
}
|
|
40
67
|
|
|
41
68
|
export interface HardeningResult extends Result {
|
|
42
69
|
findings?: {
|
|
43
|
-
command?: boolean
|
|
44
|
-
deserializer?: string
|
|
45
|
-
}
|
|
46
|
-
sinkContext?: any
|
|
70
|
+
command?: boolean;
|
|
71
|
+
deserializer?: string;
|
|
72
|
+
};
|
|
73
|
+
sinkContext?: any;
|
|
47
74
|
}
|
|
48
75
|
|
|
49
76
|
export interface ServerFeaturePreliminaryResult {
|
|
50
|
-
name?: string
|
|
51
|
-
uuid: string
|
|
52
|
-
ip?: string
|
|
77
|
+
name?: string;
|
|
78
|
+
uuid: string;
|
|
79
|
+
ip?: string;
|
|
53
80
|
}
|
|
54
81
|
|
|
55
82
|
export interface ServerFeatureResult extends Result {
|
|
56
|
-
details?: ServerFeaturePreliminaryResult[]
|
|
83
|
+
details?: ServerFeaturePreliminaryResult[];
|
|
57
84
|
}
|
|
58
85
|
|
|
59
86
|
export interface ReqData {
|
|
@@ -64,38 +91,23 @@ export interface ReqData {
|
|
|
64
91
|
contentType?: string;
|
|
65
92
|
standardUrlParsing: boolean;
|
|
66
93
|
ip: string;
|
|
67
|
-
httpVersion: string
|
|
94
|
+
httpVersion: string;
|
|
68
95
|
}
|
|
69
96
|
|
|
70
97
|
export interface Findings {
|
|
71
98
|
trackRequest: boolean;
|
|
72
99
|
securityException?: [mode: ProtectRuleMode, ruleId: string];
|
|
73
100
|
bodyType?: 'json' | 'urlencoded';
|
|
74
|
-
resultsMap: Record<Rule, Result[]
|
|
75
|
-
semanticResultsMap: Record<Rule, SemanticAnalysisResult[]
|
|
76
|
-
serverFeaturesResultsMap: Record<Rule, ServerFeaturePreliminaryResult[]
|
|
77
|
-
hardeningResultsMap: Record<Rule, HardeningResult[]
|
|
78
|
-
}
|
|
79
|
-
|
|
80
|
-
//
|
|
81
|
-
// this is known as RequestStore even though, in the future, instrumentation
|
|
82
|
-
// will exist for message buses or sources other than HTTP requests. "request"
|
|
83
|
-
// seems generic enough that it's not hard to understand that request can mean
|
|
84
|
-
// an amqp message or other request to perform work that might get user input.
|
|
85
|
-
// additionally, at this time, the only things instrumented are HTTP requests,
|
|
86
|
-
// and other things are only possible extensions to the core facility. it seems
|
|
87
|
-
// reasonable that they will fit into the primary concept that the agent deals
|
|
88
|
-
// with, requests, whether from HTTP or elsewhere.
|
|
89
|
-
//
|
|
90
|
-
export interface RequestStore {
|
|
91
|
-
// TODO: from protect/lib/make-source-context
|
|
92
|
-
protect?: ProtectMessage;
|
|
101
|
+
resultsMap: Partial<Record<Rule, Result[]>>;
|
|
102
|
+
semanticResultsMap: Partial<Record<Rule, SemanticAnalysisResult[]>>;
|
|
103
|
+
serverFeaturesResultsMap: Partial<Record<Rule, ServerFeaturePreliminaryResult[]>>;
|
|
104
|
+
hardeningResultsMap: Partial<Record<Rule, HardeningResult[]>>;
|
|
93
105
|
}
|
|
94
106
|
|
|
95
107
|
export interface ProtectMessage {
|
|
96
108
|
reqData: ReqData;
|
|
97
109
|
block: (mode: string, ruleId: string) => void;
|
|
98
|
-
policy:
|
|
110
|
+
policy: Partial<Record<Rule, ProtectRuleMode>>;
|
|
99
111
|
exclusions: any[]; // TODO
|
|
100
112
|
virtualPatches: any[]; // TODO
|
|
101
113
|
findings: Findings;
|
|
@@ -105,12 +117,30 @@ export interface ProtectMessage {
|
|
|
105
117
|
parsedQuery: any;
|
|
106
118
|
}
|
|
107
119
|
|
|
120
|
+
/**
|
|
121
|
+
* this is known as RequestStore even though, in the future, instrumentation
|
|
122
|
+
* will exist for message buses or sources other than HTTP requests. "request"
|
|
123
|
+
* seems generic enough that it's not hard to understand that request can mean
|
|
124
|
+
* an amqp message or other request to perform work that might get user input.
|
|
125
|
+
* additionally, at this time, the only things instrumented are HTTP requests,
|
|
126
|
+
* and other things are only possible extensions to the core facility. it seems
|
|
127
|
+
* reasonable that they will fit into the primary concept that the agent deals
|
|
128
|
+
* with, requests, whether from HTTP or elsewhere.
|
|
129
|
+
*/
|
|
130
|
+
export interface RequestStore {
|
|
131
|
+
protect?: ProtectMessage; // from protect/lib/make-source-context
|
|
132
|
+
}
|
|
133
|
+
|
|
108
134
|
export interface Messages extends EventEmitter {
|
|
109
135
|
addListener(event: Event.PROTECT, listener: (msg: RequestStore) => void): this;
|
|
136
|
+
addListener(event: Event.SERVER_SETTINGS_UPDATE, listener: (msg: Record<string, any>) => void): this;
|
|
137
|
+
|
|
110
138
|
emit(event: Event.PROTECT, msg: RequestStore): boolean;
|
|
111
|
-
emit(event: Event.SERVER_SETTINGS_UPDATE, msg:
|
|
139
|
+
emit(event: Event.SERVER_SETTINGS_UPDATE, msg: Record<string, any>): boolean;
|
|
140
|
+
|
|
112
141
|
on(event: Event.PROTECT, listener: (msg: RequestStore) => void): this;
|
|
113
|
-
on(event: Event.SERVER_SETTINGS_UPDATE, listener: (msg:
|
|
114
|
-
|
|
142
|
+
on(event: Event.SERVER_SETTINGS_UPDATE, listener: (msg: Record<string, any>) => void): this;
|
|
143
|
+
|
|
144
|
+
prependListener(event: Event.PROTECT, listener: (msg: RequestStore) => void,): this;
|
|
115
145
|
prependOnceListener(event: Event.PROTECT, listener: (msg: RequestStore) => void): this;
|
|
116
146
|
}
|