@contrast/protect 1.0.1

package/lib/input-tracing/install/child-process.test.js

@@ -0,0 +1,112 @@
+'use strict';
+
+const sinon = require('sinon');
+const { expect } = require('chai');
+
+describe('protect input-tracing child-process', function() {
+  const cpInstr = require('./child-process');
+  const store = { protect: {} };
+  let cp, core;
+
+  beforeEach(function() {
+    const mocks = require('../../../../test/mocks/');
+    const patcher = require('@contrast/patcher');
+
+    cp = {
+      exec: sinon.stub(),
+      execSync: sinon.stub()
+    };
+
+    core = mocks.core();
+    core.logger = mocks.logger();
+    core.depHooks = mocks.depHooks();
+    core.depHooks.resolve.yields(cp);
+    core.scopes = mocks.scopes();
+    core.scopes.sources = {
+      getStore: sinon.stub().returns(store)
+    };
+    core.patcher = patcher(core);
+    core.protect = mocks.protect();
+
+    cpInstr(core);
+
+    core.protect.inputTracing.cpInstrumentation.install();
+  });
+
+  describe('handleCommandInjection() is called with expected values', function() {
+    const methodArgs = ['foo', 'bar'];
+
+    ['exec', 'execSync'].forEach((method) => {
+      const name = `child_process.${method}`;
+
+      it(`${name}`, function() {
+        cp[method](...methodArgs);
+
+        const value = methodArgs[0];
+
+        expect(core.captureStacktrace).to.have.been.calledOnceWith(
+          { name, value },
+          { constructorOpt: cp[method] }
+        );
+
+        expect(core.protect.inputTracing.handleCommandInjection).to.have.been.calledWith(
+          store.protect,
+          { name, value }
+        );
+      });
+    });
+  });
+
+  describe('handleCommandInjection() is not called when method args are not relevant', function() {
+    const methodArgs = [1, undefined];
+
+    ['exec', 'execSync'].forEach((method) => {
+      const name = `child_process.${method}`;
+
+      it(name, function() {
+        cp[method](...methodArgs);
+
+        expect(core.captureStacktrace).to.not.have.been.called;
+        expect(core.protect.inputTracing.handleCommandInjection).to.not.have.been.called;
+      });
+    });
+  });
+
+  describe('handleCommandInjection() is not called when instrumentation is locked', function() {
+    const methodArgs = ['foo', 'bar'];
+
+    beforeEach(function() {
+      core.scopes.instrumentation.isLocked.returns(true);
+    });
+
+    ['exec', 'execSync'].forEach((method) => {
+      const name = `child_process.${method}`;
+
+      it(name, function() {
+        cp[method](...methodArgs);
+
+        expect(core.captureStacktrace).to.not.have.been.called;
+        expect(core.protect.inputTracing.handleCommandInjection).to.not.have.been.called;
+      });
+    });
+  });
+
+  describe('handleCommandInjection() is not called when there is no Protect sourceContext', function() {
+    const methodArgs = ['foo', 'bar'];
+
+    beforeEach(function() {
+      core.scopes.sources.getStore.returns({ protect: null });
+    });
+
+    ['exec', 'execSync'].forEach((method) => {
+      const name = `child_process.${method}`;
+
+      it(name, function() {
+        cp[method](...methodArgs);
+
+        expect(core.captureStacktrace).to.not.have.been.called;
+        expect(core.protect.inputTracing.handleCommandInjection).to.not.have.been.called;
+      });
+    });
+  });
+});

package/lib/input-tracing/install/fs.js

@@ -0,0 +1,107 @@
+'use strict';
+
+const { isString } = require('@contrast/common');
+const { patchType } = require('../constants');
+
+const fsMethods = [
+  { method: 'access' },
+  { method: 'accessSync' },
+  { method: 'appendFile' },
+  { method: 'appendFileSync' },
+  { method: 'chmod' },
+  { method: 'chmodSync' },
+  { method: 'chown' },
+  { method: 'chownSync' },
+  { method: 'copyFile', indices: [0, 1] },
+  { method: 'copyFileSync', indices: [0, 1] },
+  { method: 'createReadStream' },
+  { method: 'createWriteStream' },
+  { method: 'lchmod' },
+  { method: 'lchmodSync' },
+  { method: 'lchown' },
+  { method: 'lchownSync' },
+  { method: 'mkdir' },
+  { method: 'mkdirSync' },
+  { method: 'open' },
+  { method: 'openSync' },
+  { method: 'readFile' },
+  { method: 'readFileSync' },
+  { method: 'readdir' },
+  { method: 'readdirSync' },
+  { method: 'readlink' },
+  { method: 'readlinkSync' },
+  { method: 'rename', indices: [0, 1] },
+  { method: 'renameSync', indices: [0, 1] },
+  { method: 'rmdir' },
+  { method: 'rmdirSync' },
+  { method: 'symlink', indices: [0, 1] },
+  { method: 'symlinkSync', indices: [0, 1] },
+  { method: 'truncate' },
+  { method: 'truncateSync' },
+  { method: 'unlink' },
+  { method: 'unlinkSync' },
+  { method: 'writeFile' },
+  { method: 'writeFileSync' },
+];
+
+module.exports = function(core) {
+  const {
+    scopes: { sources, instrumentation },
+    patcher,
+    depHooks,
+    captureStacktrace,
+    protect: { inputTracing }
+  } = core;
+
+  function getValues(indices, args) {
+    return indices.reduce((acc, idx) => {
+      const value = args[idx];
+      if (value && isString(value)) acc.push(value);
+      return acc;
+    }, []);
+  }
+
+  function install() {
+    depHooks.resolve({ name: 'fs' }, fs => {
+      fsMethods.forEach(({ method, indices = [0] }) => {
+        const name = `fs.${method}`;
+        patcher.patch(fs, method, {
+          name,
+          patchType,
+          pre({ args, hooked, name }) {
+            // don't proceed if instrumentation is off e.g. within require() call
+            if (instrumentation.isLocked()) return;
+
+            // obtain the Protect sourceContext
+            const sourceContext = sources.getStore()?.protect;
+            if (!sourceContext) return;
+
+            // build list of values on which to perform INPUT TRACING
+            const values = getValues(indices, args);
+            if (!values.length) return;
+
+            // while we need to check whether instrumentation is locked above, we
+            // don't need to necessarily need to lock it here - there are no
+            // lower-level calls that we instrument
+            for (const value of values) {
+              const sinkContext = captureStacktrace(
+                { name, value },
+                { constructorOpt: hooked }
+              );
+              inputTracing.handlePathTraversal(sourceContext, sinkContext);
+            }
+          }
+        });
+      });
+    });
+  }
+
+  const fsInstrumentation = inputTracing.fsInstrumentation = {
+    getValues,
+    install,
+  };
+
+  return fsInstrumentation;
+};
+
+module.exports.fsMethods = fsMethods;

package/lib/input-tracing/install/fs.test.js

@@ -0,0 +1,118 @@
+'use strict';
+
+const sinon = require('sinon');
+const { expect } = require('chai');
+
+describe('protect input-tracing fs', function() {
+  const fsInstr = require('./fs');
+  const store = { protect: {} };
+  let fs;
+  let core;
+
+  function makeFsMock() {
+    return fsInstr.fsMethods.reduce((fs, { method, indices }) => {
+      fs[method] = sinon.stub();
+      return fs;
+    }, {});
+  }
+
+  beforeEach(function() {
+    const mocks = require('../../../../test/mocks');
+    const patcher = require('@contrast/patcher');
+
+    fs = makeFsMock();
+
+    core = mocks.core();
+    core.logger = mocks.logger();
+    core.depHooks = mocks.depHooks();
+    core.depHooks.resolve.yields(fs);
+    core.scopes = mocks.scopes();
+    sinon.stub(core.scopes.sources, 'getStore').returns(store);
+    core.patcher = patcher(core);
+    core.protect = mocks.protect();
+
+    fsInstr(core);
+
+    core.protect.inputTracing.fsInstrumentation.install();
+  });
+
+  describe('handlePathTraversal() is called with expected values', function() {
+    const methodArgs = ['foo', 'bar'];
+
+    for (const { method, indices = [0] } of fsInstr.fsMethods) {
+      const name = `fs.${method}`;
+
+      it(`${name}`, function() {
+        fs[method](...methodArgs);
+
+        const calledWith = indices.length === 0 ? 'calledOnceWith' : 'calledWith';
+        for (const idx of indices) {
+
+          const value = methodArgs[idx];
+
+          // this is profound - we are asserting that the stacktrace constructor
+          // opt is the original method
+          expect(core.captureStacktrace).to.have.been[calledWith](
+            { name, value },
+            { constructorOpt: fs[method] }
+          );
+
+          expect(core.protect.inputTracing.handlePathTraversal).to.have.been.calledWith(
+            store.protect,
+            { name, value }
+          );
+        }
+      });
+    }
+  });
+
+  describe('handlePathTraversal() is not called when method args are not relevant', function() {
+    const methodArgs = [1, undefined];
+
+    for (const { method } of fsInstr.fsMethods) {
+      const name = `fs.${method}`;
+
+      it(name, function() {
+        fs[method](...methodArgs);
+
+        expect(core.protect.inputTracing.handlePathTraversal).not.to.have.been.called;
+      });
+    }
+  });
+
+  describe('handlePathTraversal() is not called when instrumentation is locked', function() {
+    const methodArgs = ['foo', 'bar'];
+
+    beforeEach(function() {
+      core.scopes.instrumentation.isLocked.returns(true);
+    });
+
+    for (const { method } of fsInstr.fsMethods) {
+      const name = `fs.${method}`;
+
+      it(name, function() {
+        fs[method](...methodArgs);
+
+        expect(core.protect.inputTracing.handlePathTraversal).not.to.have.been.called;
+      });
+    }
+  });
+
+  describe('handlePathTraversal() is not called when there is no Protect sourceContext', function() {
+    const methodArgs = ['foo', 'bar'];
+
+    beforeEach(function() {
+      core.scopes.sources.getStore.returns({ protect: null });
+    });
+
+    for (const { method } of fsInstr.fsMethods) {
+      const name = `fs.${method}`;
+
+      it(name, function() {
+        fs[method](...methodArgs);
+
+        expect(core.protect.inputTracing.handlePathTraversal).not.to.have.been.called;
+      });
+    }
+  });
+});

package/lib/input-tracing/install/mysql.js

@@ -0,0 +1,57 @@
+'use strict';
+
+const { isString } = require('@contrast/common');
+const { patchType } = require('../constants');
+
+module.exports = function(core) {
+  const {
+    depHooks,
+    patcher,
+    captureStacktrace,
+    scopes: { sources },
+    protect: { inputTracing }
+  } = core;
+
+  const mysqlInstr = {};
+
+  mysqlInstr.getValueFromArgs = function([value]) {
+    if (isString(value)) {
+      return value;
+    }
+  };
+
+  mysqlInstr.install = function() {
+    [
+      { module: 'mysql', file: 'lib/Connection.js', method: 'query' },
+      { module: 'mysql2', file: 'lib/Connection.js', method: 'execute' }
+    ].forEach(
+      ({ module, file, method }) => {
+        depHooks.resolve({ module, file, method }, conn => {
+          const name = `${module}.Connection.prototype.${method}`;
+
+          patcher.patch(conn.prototype, method, {
+            name,
+            patchType,
+            pre({ args, hooked, name }) {
+              const sourceContext = sources.getStore()?.protect;
+              if (!sourceContext) return;
+
+              const value = mysqlInstr.getValueFromArgs(args);
+              if (!value) return;
+
+              const sinkContext = captureStacktrace(
+                { name, value },
+                { constructorOpt: hooked }
+              );
+
+              inputTracing.handleSqlInjection(sourceContext, sinkContext);
+            }
+          });
+        });
+      });
+  };
+
+  core.protect.inputTracing.mysqlInstrumentation = mysqlInstr;
+
+  return mysqlInstr;
+};

package/lib/input-tracing/install/mysql.test.js

@@ -0,0 +1,108 @@
+'use strict';
+
+const { expect } = require('chai');
+const sinon = require('sinon');
+
+describe('protect input-tracing installs: mysql interfaces', function() {
+  const store = { protect: {} };
+
+  let core;
+  let inputTracing;
+
+  beforeEach(function() {
+    const mocks = require('../../../../test/mocks');
+    const patcher = require('@contrast/patcher');
+
+    core = mocks.core();
+    core.logger = mocks.logger();
+    core.patcher = patcher(core);
+    core.scopes = mocks.scopes();
+    core.depHooks = mocks.depHooks();
+    core.protect = mocks.protect();
+    ({ protect: { inputTracing } } = core);
+
+    sinon.stub(core.scopes.sources, 'getStore').returns(store);
+  });
+
+  describe('mysql', function() {
+    let Connection;
+
+    beforeEach(function() {
+      Connection = function() {};
+      Connection.prototype.query = sinon.stub();
+      core.depHooks.resolve.yields(Connection);
+      require('./mysql')(core).install();
+    });
+
+    describe('instruments connection.query()', function() {
+      it('handleSqlInjection() is called with valid expected values', function() {
+        const conn = new Connection();
+        const value = 'SELECT "foo"';
+        conn.query(value);
+
+        expect(inputTracing.handleSqlInjection).to.have.been.calledWith(
+          {},
+          { name: 'mysql.Connection.prototype.query', value }
+        );
+      });
+
+      it('handleSqlInjection() is not called if there is no sourceContext', function() {
+        core.scopes.sources.getStore.returns({ protect: undefined });
+        const conn = new Connection();
+        const value = 'SELECT "foo"';
+        conn.query(value);
+
+        expect(inputTracing.handleSqlInjection).to.have.not.been.called;
+      });
+
+      it('handleSqlInjection() is not called if the sql value is empty or not a string', function() {
+        const conn = new Connection();
+        conn.query('');
+        conn.query(100);
+
+        expect(inputTracing.handleSqlInjection).to.have.not.been.called;
+      });
+    });
+  });
+
+  describe('mysql2', function() {
+    let Connection;
+
+    beforeEach(function() {
+      Connection = function() {};
+      Connection.prototype.execute = sinon.stub();
+      core.depHooks.resolve.yields(Connection);
+      require('./mysql')(core).install();
+    });
+
+    describe('instruments connection.execute()', function() {
+      it('handleSqlInjection() is called with expected values', function() {
+        const conn = new Connection();
+        const value = 'SELECT "foo"';
+        conn.execute(value);
+
+        expect(inputTracing.handleSqlInjection).to.have.been.calledWith(
+          {},
+          { name: 'mysql2.Connection.prototype.execute', value }
+        );
+      });
+
+      it('handleSqlInjection() is not called if there is no sourceContext', function() {
+        core.scopes.sources.getStore.returns({ protect: undefined });
+        const conn = new Connection();
+        const value = 'SELECT "foo"';
+        conn.execute(value);
+
+        expect(inputTracing.handleSqlInjection).to.have.not.been.called;
+      });
+
+      it('handleSqlInjection() is not called if the sql value is empty or not a string', function() {
+        const conn = new Connection();
+        conn.execute('');
+        conn.execute(100);
+
+        expect(inputTracing.handleSqlInjection).to.have.not.been.called;
+      });
+    });
+  });
+});

package/lib/input-tracing/install/postgres.js

@@ -0,0 +1,61 @@
+'use strict';
+
+const { isString } = require('@contrast/common');
+const { patchType } = require('../constants');
+
+module.exports = function(core) {
+  const {
+    depHooks,
+    patcher,
+    scopes: { sources },
+    captureStacktrace,
+    protect: { inputTracing }
+  } = core;
+
+  function getQueryFromArgs([value]) {
+    const query = value?.text || value;
+    if (query && isString(query)) return query;
+  }
+
+  function preHook({ args, hooked, name }) {
+    const sourceContext = sources.getStore()?.protect;
+    if (!sourceContext) return;
+
+    const value = getQueryFromArgs(args);
+    if (!value) return;
+
+    const sinkContext = captureStacktrace(
+      { name, value },
+      { constructorOpt: hooked }
+    );
+
+    inputTracing.handleSqlInjection(sourceContext, sinkContext);
+  }
+
+  function install() {
+    depHooks.resolve({ name: 'pg', file: 'lib/client.js' }, client => {
+      const name = 'pg.Client.prototype.query';
+      patcher.patch(client.prototype, 'query', {
+        name,
+        patchType,
+        pre: preHook
+      });
+    });
+
+    depHooks.resolve({ name: 'pg-pool' }, pool => {
+      const name = 'pg-pool.Pool.prototype.query';
+      patcher.patch(pool.prototype, 'query', {
+        name,
+        patchType,
+        pre: preHook
+      });
+    });
+  }
+
+  const postgresInstr = core.protect.inputTracing.postgresInstrumentation = {
+    getQueryFromArgs,
+    install
+  };
+
+  return postgresInstr;
+};

package/lib/input-tracing/install/postgres.test.js

@@ -0,0 +1,125 @@
+'use strict';
+
+const { expect } = require('chai');
+const sinon = require('sinon');
+
+describe('protect input-tracing installs: postgres interfaces', function() {
+  const sourceContext = {};
+  const store = { protect: sourceContext };
+  const query = 'SELECT "foo"';
+
+  let core;
+  let inputTracing;
+
+  beforeEach(function() {
+    const mocks = require('../../../../test/mocks');
+    const patcher = require('@contrast/patcher');
+
+    core = mocks.core();
+    core.logger = mocks.logger();
+    core.patcher = patcher(core);
+    core.scopes = mocks.scopes();
+    sinon.stub(core.scopes.sources, 'getStore').returns(store);
+    core.depHooks = mocks.depHooks();
+    core.protect = mocks.protect();
+    ({ protect: { inputTracing } } = core);
+  });
+
+  describe('pg.Client.prototype.query', function() {
+    let Client;
+
+    beforeEach(function() {
+      Client = function() {};
+      Client.prototype.query = sinon.stub();
+      core
+        .depHooks
+        .resolve
+        .withArgs({ name: 'pg', file: 'lib/client.js' })
+        .yields(Client);
+      require('./postgres')(core).install();
+    });
+
+    it('handleSqlInjection() is called with expected values', function() {
+      const conn = new Client();
+      conn.query(query);
+      conn.query({ text: query });
+
+      const sinkContext = { name: 'pg.Client.prototype.query', value: query };
+
+      expect(inputTracing.handleSqlInjection.callCount).to.eql(2);
+      [0, 1].forEach(callNum => {
+        expect(inputTracing.handleSqlInjection.getCall(callNum).calledWithExactly(store, sinkContext));
+      });
+    });
+
+    it('handleSqlInjection() is not called if there is no sourceContext', function() {
+      core.scopes.sources.getStore.returns({ protect: undefined });
+
+      const conn = new Client();
+      conn.query(query);
+      conn.query({ text: query });
+
+      expect(inputTracing.handleSqlInjection).to.have.not.been.called;
+    });
+
+    it('handleSqlInjection() is not called if the sql value is empty or not a string', function() {
+      const conn = new Client();
+      conn.query('');
+      conn.query(100);
+      conn.query({ text: '' });
+      conn.query({ text: 100 });
+
+      expect(inputTracing.handleSqlInjection).to.have.not.been.called;
+    });
+  });
+
+  describe('pg-pool.Pool.prototype.query', function() {
+    let Pool;
+
+    beforeEach(function() {
+      Pool = function() {};
+      Pool.prototype.query = sinon.stub();
+      core
+        .depHooks
+        .resolve
+        .withArgs({ name: 'pg-pool' })
+        .yields(Pool);
+
+      require('./postgres')(core).install();
+    });
+
+    it('handleSqlInjection() is called with expected values', function() {
+      const pool = new Pool();
+      pool.query(query);
+      pool.query({ text: query });
+
+      const sinkContext = { name: 'pg-pool.Pool.prototype.query', value: query };
+
+      expect(inputTracing.handleSqlInjection.callCount).to.eql(2);
+      [0, 1].forEach(callNum => {
+        expect(inputTracing.handleSqlInjection.getCall(callNum).calledWithExactly(store, sinkContext));
+      });
+    });
+
+    it('handleSqlInjection() is not called if there is no sourceContext', function() {
+      core.scopes.sources.getStore.returns({ protect: undefined });
+
+      const pool = new Pool();
+      const value = 'SELECT "foo"';
+      pool.query(value);
+      pool.query({ text: value });
+
+      expect(inputTracing.handleSqlInjection).to.have.not.been.called;
+    });
+
+    it('handleSqlInjection() is not called if the sql value is empty or not a string', function() {
+      const pool = new Pool();
+      pool.query('');
+      pool.query(100);
+      pool.query({ text: '' });
+      pool.query({ text: 100 });
+
+      expect(inputTracing.handleSqlInjection).to.have.not.been.called;
+    });
+  });
+});