@contrast/protect 1.10.0 → 1.12.0

package/lib/error-handlers/install/express4.js

@@ -29,6 +29,26 @@ module.exports = function(core) {
 
   const express4ErrorHandler = protect.errorHandlers.express4ErrorHandler = {};
 
+  function aroundFn(name) {
+    return function around(orig, data) {
+      const [err] = data.args;
+      const sourceContext = protect.getSourceContext(name);
+      const isSecurityException = SecurityException.isSecurityException(err);
+
+      if (isSecurityException && sourceContext) {
+        const blockInfo = sourceContext.securityException;
+
+        sourceContext.block(...blockInfo);
+        return;
+      }
+
+      if (!sourceContext && isSecurityException) {
+        logger.info('source context not found; unable to handle response');
+      }
+      return orig();
+    };
+  }
+
   express4ErrorHandler.install = function () {
     depHooks.resolve({ name: 'finalhandler' }, (finalhandler) =>
       patcher.patch(finalhandler, {
@@ -38,23 +58,7 @@ module.exports = function(core) {
           data.result = patcher.patch(data.result, {
             name: 'finalHandler.returnedFunction',
             patchType,
-            around(orig, data) {
-              const [err] = data.args;
-              const sourceContext = protect.getSourceContext('finalHandler');
-              const isSecurityException = SecurityException.isSecurityException(err);
-
-              if (isSecurityException && sourceContext) {
-                const blockInfo = sourceContext.securityException;
-
-                sourceContext.block(...blockInfo);
-                return;
-              }
-
-              if (!sourceContext && isSecurityException) {
-                logger.info('source context not found; unable to handle response');
-              }
-              return orig();
-            },
+            around: aroundFn('finalHandler')
           });
         },
       })
@@ -64,23 +68,7 @@ module.exports = function(core) {
       patcher.patch(Layer.prototype, 'handle_error', {
         name: 'Layer.prototype.handle_error',
         patchType,
-        around(orig, data) {
-          const [err] = data.args;
-          const sourceContext = protect.getSourceContext('express.Layer.handle_error');
-          const isSecurityException = SecurityException.isSecurityException(err);
-
-          if (isSecurityException && sourceContext) {
-            const blockInfo = sourceContext.securityException;
-
-            sourceContext.block(...blockInfo);
-            return;
-          }
-
-          if (!sourceContext && isSecurityException) {
-            logger.info('source context not found; unable to handle response');
-          }
-          return orig();
-        }
+        around: aroundFn('express.Layer.handle_error')
       });
 
       // This should be revisited after the research ticket NODE-2556

package/lib/hardening/handlers.js

@@ -39,7 +39,7 @@ module.exports = function(core) {
   hardening.handleUntrustedDeserialization = function(sourceContext, sinkContext) {
     const ruleId = 'untrusted-deserialization';
     const mode = sourceContext.policy[ruleId];
-    const { name, value, stacktraceData } = sinkContext;
+    const { name, value, stacktraceOpts } = sinkContext;
 
     if (mode === 'off') return;
 
@@ -49,7 +49,7 @@ module.exports = function(core) {
       const blocked = BLOCKING_MODES.includes(mode);
       const results = getResults(sourceContext, ruleId);
 
-      captureStacktrace(sinkContext, stacktraceData);
+      captureStacktrace(sinkContext, stacktraceOpts);
       results.push({
         value: sinkContext.value,
         blocked,

package/lib/hardening/install/node-serialize0.js

@@ -45,7 +45,7 @@ module.exports = function(core) {
             const sinkContext = {
               name: `${name}.${method}`,
               value,
-              stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+              stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
             };
             hardening.handleUntrustedDeserialization(sourceContext, sinkContext);
           },

package/lib/index.d.ts

@@ -26,28 +26,6 @@ type Http = typeof http;
 type Https = typeof https;
 
 export type Block = (mode: string, ruleId: string) => void;
-export class HttpInstrumentation {
-  messages: Messages;
-  scope: Sources;
-  config: Config;
-  logger: Logger;
-  depHooks: RequireHook;
-  protect: ProtectMessage;
-  makeSourceContext: Protect['makeSourceContext'];
-  maxBodySize: number;
-  installed: boolean;
-
-  constructor(core: any);
-
-  install(): void;
-  uninstall(): void; //NYI
-  hookHttp(): void;
-  hookHttps(): void;
-  hookServer(xport: Http | Https): void;
-  initiateRequestHandling(fnContext: { instance: any, method: any, args: any }): void; //TODO
-  removeCookies(headers: string[]): string[];
-}
-
 export interface ProtectRequestStore {
   reqData: ReqData;
   block: Block;
@@ -95,7 +73,7 @@ export interface Protect {
     expressInstrumentation: { install: () => void },
     fastifyInstrumentation: { install: () => void },
     koaInstrumentation: { install: () => void },
-    httpInstrumentation: HttpInstrumentation,
+    httpInstrumentation: { install: () => void },
     install: () => void,
   },
   inputTracing: {

package/lib/input-analysis/install/http.js

@@ -15,203 +15,57 @@
 
 'use strict';
 
+const { patchType } = require('../constants');
 const { Event } = require('@contrast/common');
 
-// Instruments http `Server` and `IncomingMessage` instances to support input
-// analysis in framework-agnostic manner.
-
 module.exports = function(core) {
-  const { protect: { inputAnalysis } } = core;
-  inputAnalysis.httpInstrumentation = new HttpInstrumentation(core);
-  return inputAnalysis.httpInstrumentation;
-};
-class HttpInstrumentation {
-  constructor(core) {
-    this.messages = core.messages;
-    this.scope = core.scopes.sources;
-    this.config = core.config;
-    this.logger = core.logger.child('contrast:protect:input-analysis');
-    this.depHooks = core.depHooks;
-    this.protect = core.protect;
-    this.patcher = core.patcher;
-    this.makeSourceContext = this.protect.makeSourceContext;
-    this.maxBodySize = 16 * 1024 * 1024;
-    this.installed = false;
-  }
-
-  /**
-   * After checking whether the sensor is enabled, will set up `require` hooks
-   * for instrumenting both `http` and `https` modules when they load.
-   */
-  install() {
-    if (this.installed) {
-      return;
-    }
-
-    this.installed = true;
-    this.hookHttp();
-    this.hookHttps();
-    this.hookHttp2();
-  }
-
-  uninstall() {
-    return null; //NYI
-  }
-
-  /**
-   * Sets hooks to instrument `http.Server.prototype`.
-   */
-  hookHttp() {
-    this.logger.debug('hooking library: http');
-    this.depHooks.resolve({ name: 'http' }, (http) => this.hookServerEmit.call(this, http, 'httpServer'));
-  }
-
-  /**
-   * Sets hooks to instrument `https.Server.prototype`.
-   */
-  hookHttps() {
-    this.logger.debug('hooking library: https');
-    this.depHooks.resolve({ name: 'https' }, (https) => this.hookServerEmit.call(this, https, 'httpsServer'));
-  }
-
-  /**
-   * Sets hooks to instrument `http2 Servers`.
-   */
-  hookHttp2() {
-    this.logger.debug('hooking library: http2');
-    // http2 library does not expose its Server class, so we need to hook the createServer function
-    this.depHooks.resolve({ name: 'http2' }, (http2) => this.hookCreateServer.call(this, http2, 'http2Server'));
-    this.depHooks.resolve({ name: 'http2' }, (http2) => this.hookCreateServer.call(this, http2, 'http2SecureServer', 'createSecureServer'));
-
-    this.logger.debug('hooking library: spdy');
-    this.depHooks.resolve({ name: 'spdy' }, (spdy) => this.hookServerEmit.call(this, spdy, 'spdyServer'));
-  }
-
-  /**
-   * Instruments the `Server` prototype from `http(s)` or spdy's http2 Server. This patches `emit` and
-   * invokes the protect service to do analysis when appropriate.
-   */
-  hookServerEmit(serverSource, sourceName) {
-    serverSource.Server.prototype = this.patcher.patch(serverSource.Server.prototype, 'emit', {
-      name: `${sourceName}.Server.prototype.emit`,
-      patchType: 'initiate-handling',
-      around: this.emitAroundHook.bind(this)
-    });
-  }
-
-  /**
-   * Instruments the `Http2Server` prototype which results from the http2.createServer/createSecureServer() call.
-   * This also patches `emit` and
-   * invokes the protect service to do analysis when appropriate.
-   */
-  hookCreateServer(serverSource, sourceName, constructorName = 'createServer') {
-    const self = this;
-
-    return this.patcher.patch(serverSource, constructorName, {
-      name: sourceName,
-      patchType: 'initiate-handling',
-      post(data) {
-
-        const { result: server } = data;
-        const serverPrototype = server ? Object.getPrototypeOf(server) : null;
-
-        if (!serverPrototype) {
-          self.logger.error('Unable to patch server prototype, continue without instrumentation');
-          return;
-        }
-
-        self.patcher.patch(serverPrototype, 'emit', {
-          name: `${sourceName}.Server.prototype.emit`,
-          patchType: 'req-async-storage',
-          around: self.emitAroundHook.bind(self)
-        });
+  const {
+    logger,
+    messages,
+    scopes: { sources },
+    instrumentation: { instrument },
+    protect: { inputAnalysis },
+  } = core;
+
+  function removeCookies(headers) {
+    for (let i = 0; i < headers.length; i += 2) {
+      if (headers[i] === 'cookies') {
+        headers = headers.slice();
+        headers.splice(i, 2);
       }
-    });
+    }
+    return headers;
   }
 
-  /**
-   * The around hook for `emit` that
-   * invokes the protect service to do analysis when appropriate.
-   */
-  emitAroundHook(next, data) {
-    const [type] = data.args;
+  function around(next, data) {
+    let store, block;
+    const { args: [type, req, res] } = data;
 
     if (type !== 'request') {
       return next();
     }
 
-    const context = { instance: data.obj, method: next, args: data.args };
-    this.initiateRequestHandling(context);
-    return !!data.obj._events[type];
-  }
-
-  /**
-   * Creates the sourceContext for the request and invokes the handler for
-   * inputs that are present in the 'incomingMessage' object at the time of
-   * the 'connect' event.
-   *
-   * @param {Object} context Function invocation context
-   */
-  initiateRequestHandling(fnContext) {
-    const {
-      instance,
-      method,
-      args,
-      args: [, req, res]
-    } = fnContext;
-
-    let store;
-    let block;
-
     try {
-      const { messages, protect: { inputAnalysis } } = this; // the functions that do input analysis
-
-      // this must be invoked by the patching code using scope.sources.run({}, ...)
-      // so that an async context is present.
-      store = this.scope.getStore();
-      // nothing can be done if async context is not available.
-
+      store = sources.getStore();
       if (!store) {
-        this.logger.debug('cannot acquire store for initiateRequestHandling()');
-        setImmediate(() => method.call(instance, ...args));
-        return;
-      }
-      store.protect = this.makeSourceContext(req, res);
-
-      if (store.protect.allowed) {
-        setImmediate(() => method.call(instance, ...args));
+        logger.debug('cannot acquire store for around()');
         return;
       }
 
-      const { reqData } = store.protect;
+      store.protect = core.protect.makeSourceContext(req, res);
+      const {
+        reqData: { headers, uriPath, method }
+      } = store.protect;
 
       res.on('finish', () => {
-        this.protect.inputAnalysis.handleRequestEnd(store.protect);
+        inputAnalysis.handleRequestEnd(store.protect);
         messages.emit(Event.PROTECT, store);
       });
 
-      // don't put inputs in the store; they are a param to each handler. findings
-      // associated with inputs do go into the store. why not put the inputs
-      // into the store? after all, the inputs come from the store. mostly because
-      // they can really add up to a lot of data that isn't going to be used.
-      //
-      // how to replace result in resultsList, e.g., queries find something
-      // but then framework emits parsed queries? does this only matter for
-      // no-sql? index-lookup or hash?
-      //
-      // create inputs for this handler. we defer cookies until the framework
-      // parses them because there is no way to be certain of their formatting
-      // and encoding.
-      //
-      // the primary reason for this is to avoid passing the incomingMessage,
-      // req, to all the handlers allowing direct access to it and tightly
-      // coupling all handlers to an extensive collection of data.
       const connectInputs = {
-        headers: HttpInstrumentation.removeCookies(reqData.headers),
-        uriPath: reqData.uriPath,
-        rawUrl: req.url,
-        // TODO AGENT-203 - need to handle method-tampering rule.
-        method: reqData.method,
+        headers: removeCookies(headers),
+        uriPath,
+        method
       };
 
       if (inputAnalysis.virtualPatchesEvaluators?.length) {
@@ -229,25 +83,61 @@ class HttpInstrumentation {
 
       block = block || inputAnalysis.handleConnect(store.protect, connectInputs);
     } catch (err) {
-      this.logger.error({ err }, 'Error during input analysis');
+      logger.error({ err }, 'Error during input analysis');
     }
 
     if (!block) {
-      setImmediate(() => method.call(instance, ...args));
+      setImmediate(() => next.call(data.obj, ...data.args));
     } else {
       store.protect.block(...block);
-      this.logger.debug({ block }, 'request blocked by not emitting request event');
+      logger.debug({ block }, 'request blocked by not emitting request event');
     }
   }
 
-  static removeCookies(headers) {
-    for (let i = 0; i < headers.length; i += 2) {
-      if (headers[i] === 'cookies') {
-        headers = headers.slice();
-        headers.splice(i, 2);
-        return headers;
-      }
-    }
-    return headers;
+  function install() {
+    [{
+      moduleName: 'http'
+    },
+    {
+      moduleName: 'https'
+    },
+    {
+      moduleName: 'spdy'
+    },
+    {
+      moduleName: 'http2',
+      patchObjectsProps: [
+        {
+          methods: ['createServer', 'createSecureServer'],
+          patchType,
+          patchObjects: [
+            {
+              name: 'Server.prototype',
+              methods: ['emit'],
+              patchType,
+              around
+            }
+          ]
+        }
+      ]
+    }].forEach(({ moduleName, patchObjectsProps }) => {
+      const patchObjects = patchObjectsProps || [
+        {
+          name: 'Server.prototype',
+          methods: ['emit'],
+          patchType,
+          around
+        }
+      ];
+      instrument({
+        moduleName,
+        patchObjects
+      });
+    });
   }
-}
+
+  return inputAnalysis.httpInstrumentation = {
+    install,
+    around
+  };
+};

package/lib/input-tracing/handlers/index.js

@@ -35,8 +35,8 @@ module.exports = function(core) {
   } = core;
 
   function handleFindings(sourceContext, sinkContext, ruleId, result, findings) {
-    const { stacktraceData } = sinkContext;
-    captureStacktrace(sinkContext, stacktraceData);
+    const { stacktraceOpts } = sinkContext;
+    captureStacktrace(sinkContext, stacktraceOpts);
     result.exploitMetadata.push({ sinkContext, findings });
 
     const mode = sourceContext.policy[ruleId];
@@ -142,18 +142,33 @@ module.exports = function(core) {
       }
     }
 
+
     if (stringInjectionResults) {
       let stringFindings = null;
 
       for (const result of stringInjectionResults) {
         if (typeof sinkContext.value === 'object') {
-          traverseKeysAndValues(sinkContext.value, function(path, type, value) {
+          traverseKeysAndValues(sinkContext.value, function(path, type, value, obj) {
             if (type !== 'Key' && !agentLib.isMongoQueryType(value)) return;
 
-            stringFindings = handleStringValue(result, sinkContext.value[value], agentLib);
+            if (!stringFindings && type == 'Key' && value == '$accumulator') {
+              stringFindings =
+                handleStringValue(result, obj[value]?.['init'], agentLib) ||
+                handleStringValue(result, obj[value]?.['merge'], agentLib) ||
+                handleStringValue(result, obj[value]?.['finalize'], agentLib) ||
+                handleStringValue(result, obj[value]?.['accumulate'], agentLib);
+            }
+
+            if (!stringFindings && type == 'Key' && value == '$function') {
+              stringFindings =
+                handleStringValue(result, obj['$function']?.body, agentLib);
+            }
+
+            if (!stringFindings) {
+              stringFindings = handleStringValue(result, obj[value], agentLib);
+            }
 
-            // halt traversal
-            return true;
+            if (stringFindings) return true;
           });
         } else if (typeof sinkContext.value === 'string') {
           stringFindings = handleStringValue(result, sinkContext.value, agentLib);
@@ -254,7 +269,10 @@ function getResultsByRuleId(ruleId, context) {
   if (context.policy[ruleId] === OFF) {
     return;
   }
-  return context.resultsMap[ruleId];
+  // because agent-lib stores all nosql-injection results under nosql-injection-mongo
+  const resultsMapRuleId = ruleId === 'nosql-injection' ? 'nosql-injection-mongo' : ruleId;
+
+  return context.resultsMap[resultsMapRuleId];
 }
 
 function handleObjectValue(result, object) {
@@ -289,9 +307,11 @@ function handleStringValue(result, cmd, agentLib) {
   if (typeof cmd !== 'string') {
     return null;
   }
+
   let findings = null;
+  let inputIndex = -1;
+  inputIndex = cmd.indexOf(result.value);
 
-  const inputIndex = cmd.indexOf(result.value);
   // if the user input is not in the sink input, there is nothing to do.
   if (inputIndex === -1) {
     return findings;

package/lib/input-tracing/index.js

@@ -27,6 +27,7 @@ module.exports = function(core) {
   require('./install/child-process')(core);
   require('./install/fs')(core);
   require('./install/mongodb')(core);
+  require('./install/marsdb')(core);
   require('./install/mysql')(core);
   require('./install/postgres')(core);
   require('./install/sequelize')(core);

package/lib/input-tracing/install/child-process.js

@@ -37,7 +37,7 @@ module.exports = function(core) {
     const sinkContext = {
       name,
       value,
-      stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+      stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
     };
 
     inputTracing.handleCommandInjection(sourceContext, sinkContext);

package/lib/input-tracing/install/eval.js

@@ -47,7 +47,7 @@ module.exports = function(core) {
         const sinkContext = {
           name: 'eval',
           value,
-          stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+          stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
         };
         inputTracing.ssjsInjection(sourceContext, sinkContext);
       }

package/lib/input-tracing/install/fs.js

@@ -103,7 +103,7 @@ module.exports = function(core) {
               const sinkContext = {
                 name,
                 value,
-                stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+                stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
               };
               inputTracing.handlePathTraversal(sourceContext, sinkContext);
               core.protect.semanticAnalysis.handlePathTraversalFileSecurityBypass(sourceContext, sinkContext);

package/lib/input-tracing/install/function.js

@@ -48,7 +48,7 @@ module.exports = function(core) {
           const sinkContext = {
             name: 'Function',
             value: fnBody,
-            stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+            stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
           };
 
           inputTracing.ssjsInjection(sourceContext, sinkContext);

package/lib/input-tracing/install/http.js

@@ -46,7 +46,7 @@ module.exports = function(core) {
             const sinkContext = {
               name,
               value,
-              stacktraceData: { constructorOpt: data.hooked },
+              stacktraceOpts: { constructorOpt: data.hooked },
             };
             inputTracing.handleReflectedXss(sourceContext, sinkContext);
           }

package/lib/input-tracing/install/marsdb.js

@@ -0,0 +1,80 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+const { patchType } = require('../constants');
+
+module.exports = function (core) {
+  const {
+    depHooks,
+    patcher,
+    protect: { getSourceContext, inputTracing },
+  } = core;
+
+  const methods = ['find', 'findOne', 'update', 'insert', 'remove', 'ids', 'count'];
+
+  function getCursorQueryData(args) {
+    const query = args[0];
+    if (!query) {
+      return;
+    }
+
+    if (Object.prototype.toString.call(query) === '[object String]') {
+      return query.toString();
+    }
+
+    if (query['$where']) {
+      return query['$where'].toString();
+    }
+
+    return query;
+  }
+
+  function install() {
+    depHooks.resolve({ name: 'marsdb' }, marsdb => {
+      methods.forEach((method) => {
+        const name = `marsdb.Collection.prototype.${method}`;
+
+        patcher.patch(marsdb.Collection.prototype, method, {
+          name,
+          patchType,
+          pre({ args, hooked, orig }) {
+            const value = getCursorQueryData(args);
+            const sourceContext = getSourceContext(name);
+
+            if (
+              !sourceContext ||
+              !value ||
+              !Object.keys(value).length
+            ) return;
+
+            const sinkContext = {
+              name,
+              value,
+              stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+            };
+            inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
+          }
+        });
+      });
+    });
+  }
+
+  const marsdbInstr = (core.protect.inputTracing.marsdbInstrumentation = {
+    install,
+  });
+
+  return marsdbInstr;
+};

package/lib/input-tracing/install/mongodb.js

@@ -62,7 +62,7 @@ module.exports = function (core) {
     const sinkContext = {
       name,
       value,
-      stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+      stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
     };
     inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
   }
@@ -122,6 +122,7 @@ module.exports = function (core) {
               'countDocuments',
               'count',
               'distinct',
+              'aggregate'
             ],
             patchType,
             preHookFn: v4CollectionVal

package/lib/input-tracing/install/mysql.js

@@ -58,7 +58,7 @@ module.exports = function(core) {
               const sinkContext = {
                 name,
                 value,
-                stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+                stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
               };
 
               inputTracing.handleSqlInjection(sourceContext, sinkContext);

package/lib/input-tracing/install/postgres.js

@@ -42,7 +42,7 @@ module.exports = function(core) {
     const sinkContext = {
       name,
       value,
-      stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+      stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
     };
 
     inputTracing.handleSqlInjection(sourceContext, sinkContext);

package/lib/input-tracing/install/sequelize.js

@@ -51,7 +51,7 @@ module.exports = function(core) {
           const sinkContext = {
             name,
             value,
-            stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+            stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
           };
 
           inputTracing.handleSqlInjection(sourceContext, sinkContext);

package/lib/input-tracing/install/sqlite3.js

@@ -46,7 +46,7 @@ module.exports = function(core) {
             const sinkContext = {
               name,
               value,
-              stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+              stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
             };
 
             inputTracing.handleSqlInjection(sourceContext, sinkContext);

package/lib/input-tracing/install/vm.js

@@ -27,105 +27,49 @@ module.exports = function(core) {
     protect: { inputTracing }
   } = core;
 
+  function pre({ args, hooked, orig, name }) {
+    if (instrumentation.isLocked()) return;
+
+    const sourceContext = protect.getSourceContext(name);
+    if (!sourceContext) return;
+
+    for (let i = 0; i < (name === 'vm.runInNewContext' ? 2 : 1); i++) {
+      const arg = args[i];
+      if (!((arg && isString(arg)) || isNonEmptyObject(arg))) continue;
+
+      const sinkContext = {
+        name,
+        value: arg,
+        stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
+      };
+      inputTracing.ssjsInjection(sourceContext, sinkContext);
+    }
+  }
+
   function install() {
     depHooks.resolve({ name: 'vm' }, (vm) => {
-      ['Script', 'createScript', 'runInContext', 'runInThisContext'].forEach(
+      [
+        'Script',
+        'createScript',
+        'runInContext',
+        'runInThisContext',
+        'createContext',
+        'runInNewContext'
+      ].forEach(
         (method) => {
           const name = `vm.${method}`;
-
           patcher.patch(vm, method, {
             name,
             patchType,
-            pre({ args, hooked, name, orig }) {
-              if (instrumentation.isLocked()) return;
-
-              const sourceContext = protect.getSourceContext(name);
-              if (!sourceContext) return;
-
-              const codeString = args[0];
-              if (!codeString || !isString(codeString)) return;
-
-              const sinkContext = {
-                name,
-                value: codeString,
-                stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
-              };
-              inputTracing.ssjsInjection(sourceContext, sinkContext);
-            }
+            pre
           });
         }
       );
 
-      patcher.patch(vm, 'runInNewContext', {
-        name: 'vm.runInNewContext',
-        patchType,
-        pre: ({ args, hooked, orig }) => {
-          if (instrumentation.isLocked()) return;
-
-          const sourceContext = protect.getSourceContext('vm.runInNewContext');
-          if (!sourceContext) return;
-
-          const codeString = args[0];
-          const envObj = args[1];
-
-          if ((!codeString || !isString(codeString)) && (!isNonEmptyObject(envObj))) return;
-
-          const codeStringSinkContext = (codeString && isString(codeString)) ? {
-            name: 'vm.runInNewContext',
-            value: codeString,
-            stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }
-          } : null;
-          const envObjSinkContext = isNonEmptyObject(envObj) ? {
-            name: 'vm.runInNewContext',
-            value: envObj,
-            stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }
-          } : null;
-
-          codeStringSinkContext && inputTracing.ssjsInjection(sourceContext, codeStringSinkContext);
-          envObjSinkContext && inputTracing.ssjsInjection(sourceContext, envObjSinkContext);
-        }
-      });
-
-      patcher.patch(vm, 'createContext', {
-        name: 'vm.createContext',
-        patchType,
-        pre: ({ args, hooked, orig }) => {
-          if (instrumentation.isLocked()) return;
-
-          const sourceContext = protect.getSourceContext('vm.createContext');
-          if (!sourceContext) return;
-
-          const envObj = args[0];
-          if (!isNonEmptyObject(envObj)) return;
-
-          const sinkContext = {
-            name: 'vm.createContext',
-            value: envObj,
-            stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
-          };
-          inputTracing.ssjsInjection(sourceContext, sinkContext);
-        }
-      });
-
       patcher.patch(vm.Script.prototype, 'runInNewContext', {
         name: 'vm.Script.prototype.runInNewContext',
         patchType,
-        pre: ({ args, hooked, orig }) => {
-          if (instrumentation.isLocked()) return;
-
-          const sourceContext = protect.getSourceContext('vm.Script.prototype.runInNewContext');
-          if (!sourceContext) return;
-
-          const envObj = args[0];
-          if (!isNonEmptyObject(envObj)) return;
-
-          const sinkContext = {
-            name: 'vm.Script.prototype.runInNewContext',
-            value: envObj,
-            stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
-          };
-          inputTracing.ssjsInjection(sourceContext, sinkContext);
-        }
+        pre
       });
     });
   }

package/lib/semantic-analysis/handlers.js

@@ -41,8 +41,8 @@ module.exports = function(core) {
   const { protect: { agentLib, semanticAnalysis, throwSecurityException }, captureStacktrace } = core;
 
   function handleResult(sourceContext, sinkContext, ruleId, mode, finding) {
-    const { value, stacktraceData } = sinkContext;
-    captureStacktrace(sinkContext, stacktraceData);
+    const { value, stacktraceOpts } = sinkContext;
+    captureStacktrace(sinkContext, stacktraceOpts);
     const result = {
       blocked: false,
       ruleId,

package/lib/semantic-analysis/install/libxmljs.js

@@ -62,7 +62,7 @@ module.exports = function(core) {
     const sinkContext = {
       name: 'libxmljs.parseXmlString',
       value,
-      stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+      stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
     };
 
     try {

package/lib/semantic-analysis/utils/xml-analysis.js

@@ -40,7 +40,7 @@ const ENTITY_TYPES = {
 // We only use this against lowercase strings; removed A-Z for speed
 const FILE_PATTERN_WINDOWS = /^[\\\\]*[a-z]{1,3}:.*/;
 
-const entityRegex = /<!ENTITY\s+(?<name>[a-zA-Z0-f]+)\s+(?<type>SYSTEM|PUBLIC)\s+"(?<uri1>.*?)"\s*("(?<uri2>.*?)"\s*)?>/g;
+const entityRegex = /<!ENTITY\s+(?<name>[a-zA-Z0-f]+)\s+(?<type>SYSTEM|PUBLIC)\s+['"](?<uri1>.*?)['"]\s*(['"](?<uri2>.*?)['"]\s*)?>/g;
 
 // Helper Functions
 const indicators = [

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.10.0",
+  "version": "1.12.0",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -17,12 +17,12 @@
     "test": "../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/agent-lib": "^5.1.0",
-    "@contrast/common": "1.3.0",
-    "@contrast/core": "1.9.0",
-    "@contrast/esm-hooks": "1.5.0",
+    "@contrast/agent-lib": "^5.3.0",
+    "@contrast/common": "1.3.1",
+    "@contrast/core": "1.10.1",
+    "@contrast/esm-hooks": "1.6.1",
     "@contrast/scopes": "1.2.0",
     "ipaddr.js": "^2.0.1",
     "semver": "^7.3.7"
   }
-}
+}