@contrast/protect 1.0.1

package/lib/input-tracing/install/sequelize.js

@@ -0,0 +1,51 @@
+'use strict';
+
+const { isString } = require('@contrast/common');
+const { patchType } = require('../constants');
+
+module.exports = function(core) {
+  const {
+    scopes: { sources, instrumentation },
+    patcher,
+    depHooks,
+    captureStacktrace,
+    protect: { inputTracing }
+  } = core;
+
+  function getQueryFromArgs([value]) {
+    const query = value?.query || value;
+    if (query && isString(query)) return query;
+  }
+
+  function install() {
+    depHooks.resolve({ name: 'sequelize' }, sequelize => {
+      const name = 'sequelize.prototype.query';
+      patcher.patch(sequelize.prototype, 'query', {
+        name,
+        patchType,
+        pre({ args, hooked, name }) {
+          if (instrumentation.isLocked()) return;
+
+          const sourceContext = sources.getStore()?.protect;
+          if (!sourceContext) return;
+
+          const value = getQueryFromArgs(args);
+          if (!value) return;
+
+          const sinkContext = captureStacktrace(
+            { name, value },
+            { constructorOpt: hooked }
+          );
+          inputTracing.handleSqlInjection(sourceContext, sinkContext);
+        }
+      });
+    });
+  }
+
+  const sequelizeInstrumentation = inputTracing.sequelizeInstrumentation = {
+    getQueryFromArgs,
+    install
+  };
+
+  return sequelizeInstrumentation;
+};

package/lib/input-tracing/install/sequelize.test.js

@@ -0,0 +1,79 @@
+'use strict';
+
+const { expect } = require('chai');
+const sinon = require('sinon');
+
+describe('protect input-tracing installs: sequelize interfaces', function() {
+  const store = { protect: {} };
+
+  let core;
+  let inputTracing;
+
+  beforeEach(function() {
+    const mocks = require('../../../../test/mocks');
+    const patcher = require('@contrast/patcher');
+
+    core = mocks.core();
+    core.logger = mocks.logger();
+    core.patcher = patcher(core);
+    core.scopes = mocks.scopes();
+    core.depHooks = mocks.depHooks();
+    core.protect = mocks.protect();
+    ({ protect: { inputTracing } } = core);
+
+    sinon.stub(core.scopes.sources, 'getStore').returns(store);
+  });
+
+  describe('sequelize', function() {
+    let sequelize;
+
+    beforeEach(function() {
+      sequelize = function() {};
+      sequelize.prototype.query = sinon.stub();
+      core.depHooks.resolve.yields(sequelize);
+      require('./sequelize')(core).install();
+    });
+
+    describe('instruments sequelize.query()', function() {
+      it('handleSqlInjection() is called with valid expected values', function() {
+        const conn = new sequelize();
+        const value = 'SELECT "foo"';
+        conn.query(value);
+        conn.query({ query: value });
+
+        expect(inputTracing.handleSqlInjection).to.have.been.calledTwice;
+        expect(inputTracing.handleSqlInjection).to.have.been.calledWith(
+          {},
+          { name: 'sequelize.prototype.query', value }
+        );
+      });
+
+      it('handleSqlInjection() is not called if instrumentation is locked', function() {
+        core.scopes.instrumentation.isLocked.returns(true);
+        const conn = new sequelize();
+        const value = 'SELECT "foo"';
+        conn.query(value);
+
+        expect(inputTracing.handleSqlInjection).to.have.not.been.called;
+      });
+
+      it('handleSqlInjection() is not called if there is no sourceContext', function() {
+        core.scopes.sources.getStore.returns({ protect: undefined });
+        const conn = new sequelize();
+        const value = 'SELECT "foo"';
+        conn.query(value);
+
+        expect(inputTracing.handleSqlInjection).to.have.not.been.called;
+      });
+
+      it('handleSqlInjection() is not called if the sql value is empty or not a string', function() {
+        const conn = new sequelize();
+        conn.query('');
+        conn.query(100);
+        conn.query({ query: '' });
+
+        expect(inputTracing.handleSqlInjection).to.have.not.been.called;
+      });
+    });
+  });
+});

package/lib/input-tracing/install/sqlite3.js

@@ -0,0 +1,45 @@
+'use strict';
+
+const { isString } = require('@contrast/common');
+const { patchType } = require('../constants');
+
+module.exports = function(core) {
+  const {
+    scopes: { sources, instrumentation },
+    patcher,
+    depHooks,
+    captureStacktrace,
+    protect: { inputTracing }
+  } = core;
+
+  function install() {
+    depHooks.resolve({ name: 'sqlite3' }, sqlite3 => {
+      ['all', 'run', 'get', 'each', 'exec', 'prepare'].forEach((method) => {
+        const name = `sqlite3.Database.prototype.${method}`;
+        patcher.patch(sqlite3.Database.prototype, method, {
+          name,
+          patchType,
+          pre({ args, hooked, name }) {
+            if (instrumentation.isLocked()) return;
+
+            const sourceContext = sources.getStore()?.protect;
+            if (!sourceContext) return;
+
+            const value = args[0];
+            if (!value || !isString(value)) return;
+
+            const sinkContext = captureStacktrace(
+              { name, value },
+              { constructorOpt: hooked }
+            );
+            inputTracing.handleSqlInjection(sourceContext, sinkContext);
+          }
+        });
+      });
+    });
+  }
+
+  const sqlite3Instrumentation = inputTracing.sqlite3Instrumentation = { install };
+
+  return sqlite3Instrumentation;
+};

package/lib/input-tracing/install/sqlite3.test.js

@@ -0,0 +1,88 @@
+'use strict';
+
+const { expect } = require('chai');
+const sinon = require('sinon');
+
+describe('protect input-tracing installs: sqlite3 interfaces', function() {
+  const store = { protect: {} };
+
+  let core;
+  let inputTracing;
+
+  beforeEach(function() {
+    const mocks = require('../../../../test/mocks');
+    const patcher = require('@contrast/patcher');
+
+    core = mocks.core();
+    core.logger = mocks.logger();
+    core.patcher = patcher(core);
+    core.scopes = mocks.scopes();
+    core.depHooks = mocks.depHooks();
+    core.protect = mocks.protect();
+    ({ protect: { inputTracing } } = core);
+
+    sinon.stub(core.scopes.sources, 'getStore').returns(store);
+  });
+
+  describe('sqlite3', function() {
+    let sqlite3;
+
+    beforeEach(function() {
+      sqlite3 = {
+        // eslint-disable-next-line object-shorthand
+        Database: function() {}
+      };
+      sqlite3.Database.prototype = {
+        all: sinon.stub(),
+        run: sinon.stub(),
+        get: sinon.stub(),
+        each: sinon.stub(),
+        exec: sinon.stub(),
+        prepare: sinon.stub()
+      };
+      core.depHooks.resolve.yields(sqlite3);
+      require('./sqlite3')(core).install();
+    });
+
+    ['all', 'run', 'get', 'each', 'exec', 'prepare'].forEach((method) => {
+      describe(`instruments connection.${method}()`, function() {
+        it('handleSqlInjection() is called with valid expected values', function() {
+          const db = new sqlite3.Database();
+          const value = 'SELECT "foo"';
+          db[method](value);
+
+          expect(inputTracing.handleSqlInjection).to.have.been.calledWith(
+            {},
+            { name: `sqlite3.Database.prototype.${method}`, value }
+          );
+        });
+
+        it('handleSqlInjection() is not called if instrumentation is locked', function() {
+          core.scopes.instrumentation.isLocked.returns(true);
+          const db = new sqlite3.Database();
+          const value = 'SELECT "foo"';
+          db[method](value);
+
+          expect(inputTracing.handleSqlInjection).to.have.not.been.called;
+        });
+
+        it('handleSqlInjection() is not called if there is no sourceContext', function() {
+          core.scopes.sources.getStore.returns({ protect: undefined });
+          const db = new sqlite3.Database();
+          const value = 'SELECT "foo"';
+          db[method](value);
+
+          expect(inputTracing.handleSqlInjection).to.have.not.been.called;
+        });
+
+        it('handleSqlInjection() is not called if the sql value is empty or not a string', function() {
+          const db = new sqlite3.Database();
+          db[method]('');
+          db[method](100);
+
+          expect(inputTracing.handleSqlInjection).to.have.not.been.called;
+        });
+      });
+    });
+  });
+});

package/lib/make-response-blocker.js

@@ -0,0 +1,35 @@
+'use strict';
+
+module.exports = function(core) {
+  // i think this should be a weakset. we don't want to accumulate
+  // blocked requests for the entire life of a program. the req
+  // object is not exactly tiny.
+  const blocked = new WeakSet();
+  const { patcher, logger } = core;
+
+  function makeResponseBlocker(res) {
+    return function block(mode, ruleId) {
+      if (blocked.has(res)) return;
+
+      blocked.add(res);
+      mode = mode.toUpperCase();
+      const end = patcher.unwrap(res.end);
+      const writeHead = patcher.unwrap(res.writeHead);
+
+      try {
+        if (!res.headersSent) writeHead.call(res, 403);
+        end.call(res, '');
+        logger.info({ mode, ruleId }, 'Request blocked');
+      } catch (err) {
+        logger.error({ err, mode, ruleId }, 'Error blocking request');
+      }
+    };
+  }
+
+  // expose. for testing?
+  makeResponseBlocker.blocked = blocked;
+
+  core.protect.makeResponseBlocker = makeResponseBlocker;
+
+  return makeResponseBlocker;
+};

package/lib/make-response-blocker.test.js

@@ -0,0 +1,88 @@
+'use strict';
+
+const sinon = require('sinon');
+const { expect } = require('chai');
+const mocks = require('../../test/mocks');
+
+describe('protect make-response-blocker', function() {
+
+  let res, core, makeResponseBlocker;
+  beforeEach(function() {
+
+    res = {
+      end: sinon.stub(),
+      headersSent: false,
+      writeHead: sinon.stub()
+    };
+
+    core = mocks.core();
+    core.logger = mocks.logger();
+    core.patcher = mocks.patcher();
+    core.protect = {};
+
+    makeResponseBlocker = require('./make-response-blocker')(core);
+  });
+
+  it('Sends a blocked response', function() {
+    const block = makeResponseBlocker(res);
+    block('block', 'sql-injection');
+    expect(core.patcher.unwrap).to.have.been.calledWith(res.writeHead);
+    expect(core.patcher.unwrap).to.have.been.calledWith(res.end);
+    expect(res.writeHead).to.have.been.calledWith(403);
+    expect(res.end).to.have.been.calledWith('');
+    expect(core.logger.info).to.have.been.calledWith(
+      { mode: 'BLOCK', ruleId: 'sql-injection' },
+      'Request blocked'
+    );
+  });
+
+  it('Sets blocked property', function() {
+    const block = makeResponseBlocker(res);
+    block('block', 'sql-injection');
+    expect(makeResponseBlocker.blocked.has(res)).equal(true);
+  });
+
+  it('Set core.protect.makeResponseBlocker', function() {
+    expect(core.protect.makeResponseBlocker).to.be.equal(makeResponseBlocker);
+  });
+
+  it('Blocks on the same "res" object only once', function() {
+    const block = makeResponseBlocker(res);
+    block('block', 'sql-injection');
+    block('block', 'cmd-injection');
+    expect(makeResponseBlocker.blocked.has(res));
+    expect(res.end).to.have.been.calledOnce;
+    expect(res.writeHead).to.have.been.calledOnce;
+    expect(core.logger.info).to.have.been.calledOnce;
+  });
+
+  it('Adds multiple responses to blocked set', function() {
+    const res1 = Object.assign({}, res);
+    const res2 = Object.assign({}, res);
+    const block1 = makeResponseBlocker(res1);
+    const block2 = makeResponseBlocker(res2);
+    block1('block', 'sql-injection');
+    block2('block', 'cmd-injection');
+    expect(makeResponseBlocker.blocked.has(res1));
+    expect(makeResponseBlocker.blocked.has(res2));
+  });
+
+  it('Does not call writeHead when headers already sent', function() {
+    const block = makeResponseBlocker(res);
+    res.headersSent = true;
+    block('block_at_perimeter', 'reflected-xss');
+    expect(res.writeHead).to.not.have.been.called;
+    expect(res.end).to.have.been.calledWith('');
+  });
+
+  it('Logs error when exception thrown', function() {
+    const err = new Error('error');
+    res.end.throws(err);
+    const block = makeResponseBlocker(res);
+    block('block', 'path-traversal');
+    expect(core.logger.error).to.have.been.calledWith(
+      { err, mode: 'BLOCK', ruleId: 'path-traversal' },
+      'Error blocking request'
+    );
+  });
+});

package/lib/make-source-context.js

@@ -0,0 +1,130 @@
+'use strict';
+
+module.exports = function(core) {
+
+  function makeSourceContext(req, res) {
+    // make the abstract request. it is an abstraction of a request that
+    // contains only the pieces of the request required by handlers. this
+    // is done to make an explicit contract for data that is required by
+    // the handlers. additional data that is discovered to be required by
+    // handlers should be added here. the goal is not to pass the raw req
+    // or res objects so that all data coupling is all defined here.
+
+    // separate path and search params
+    const ix = req.url.indexOf('?');
+    let uriPath, queries;
+    if (ix >= 0) {
+      uriPath = req.url.slice(0, ix);
+      queries = req.url.slice(ix + 1);
+    } else {
+      uriPath = req.url;
+      queries = '';
+    }
+    // lowercase header keys and capture content-type
+    let contentType = '';
+    const headers = Array(req.rawHeaders.length);
+    for (let i = 0; i < req.rawHeaders.length; i += 2) {
+      headers[i] = req.rawHeaders[i].toLowerCase();
+      headers[i + 1] = req.rawHeaders[i + 1];
+      if (headers[i] === 'content-type') {
+        contentType = headers[i + 1].toLowerCase();
+      }
+    }
+
+    // if it can be determined that qs-type parsing is not being done then set
+    // standardUrlParsing to true. if it is true, then the query params and bodies
+    // that are form-url-encoded will be parsed by agent-lib and will not need to
+    // be parsed separately.
+    //
+    // the code that scans the dependencies is probably the best place to make the
+    // determination.
+    const standardUrlParsing = false;
+
+    // contains request data and information derived from request data. it's
+    // possible for any derived information to be derived later, but doing
+    // so here is typically better; it makes clear what information is used to
+    // make decisions by different handlers.
+    const reqData = {
+      method: req.method,
+      headers,
+      uriPath,
+      queries,
+      contentType,
+      standardUrlParsing,
+    };
+
+    //
+    // build the protect object that contains all
+    //
+    const protectStore = {
+      reqData,
+      // block closure captures res so it isn't exposed to beyond here
+      block: core.protect.makeResponseBlocker(res),
+
+      // this should be changed to capture only the rules applicable to this
+      // particular request (if any route exclusions, etc.)
+      rules: core.protect.rules,
+      exclusions: [],
+      virtualPatches: [],
+
+      // maybe better as result, findings... but my bad naming choice is
+      // past the point of return.
+      findings: {
+        trackRequest: false,
+        securityException: undefined,
+        // bodyType is set to a body type if handlers.parseRawBody() parsed it
+        // successfully.
+        bodyType: undefined,
+        resultsMap: Object.create(null),
+      },
+
+      /*
+      findings: {
+        trackRequest: true,
+        resultsList: [
+          // Example 2
+          {
+            // return value from agent-lib
+            value: 'kill -9 1',
+            type: 'PARAMETER_VALUE',
+            ruleId: 'cmd-injection',
+            path: ['path', 'to', 'val'],
+            // other data added during lifecycle
+            // could we add these by mutating agent-lib return values?
+            // What if there are multiple injections for the same value? The `details` value
+            // could be an array in that case, or is this too complicated.
+            blocked: false,
+            details: [
+              {
+                context: {
+                  id: 'child_process.exec',
+                  get stack() {}, // lazy
+                  command: 'sudo kill -9 1',
+                  index: 5,
+                }
+              },
+              {
+                sinkId: 'child_process.exec',
+                get stack() {}, // lazy
+                command: 'sudo kill -9 1',
+                index: 5,
+              }]
+          },
+        ]
+      }
+      // (scoreAtom() returns only the ruleId and score because the caller supplied
+      // the input and type; no key or path is known to scoreAtom(). code calling
+      // scoreAtom() will need to augment the finding to match the above.)
+      //
+      // each finding is augmented with additional properties
+      // - blocked: false     // set to true if the finding causes the request to be blocked
+      // - mappedId: ruleId   // normalized ruleId, e.g., nosql-injection-mongo => nosql-injection
+      // -
+      // */
+    };
+
+    return protectStore;
+  }
+
+  core.protect.makeSourceContext = makeSourceContext;
+};