@contrast/protect 1.11.0 → 1.12.1

package/lib/hardening/handlers.js

@@ -39,7 +39,7 @@ module.exports = function(core) {
   hardening.handleUntrustedDeserialization = function(sourceContext, sinkContext) {
     const ruleId = 'untrusted-deserialization';
     const mode = sourceContext.policy[ruleId];
-    const { name, value, stacktraceData } = sinkContext;
+    const { name, value, stacktraceOpts } = sinkContext;
 
     if (mode === 'off') return;
 
@@ -49,7 +49,7 @@ module.exports = function(core) {
       const blocked = BLOCKING_MODES.includes(mode);
       const results = getResults(sourceContext, ruleId);
 
-      captureStacktrace(sinkContext, stacktraceData);
+      captureStacktrace(sinkContext, stacktraceOpts);
       results.push({
         value: sinkContext.value,
         blocked,

package/lib/hardening/install/node-serialize0.js

@@ -45,7 +45,7 @@ module.exports = function(core) {
             const sinkContext = {
               name: `${name}.${method}`,
               value,
-              stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+              stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
             };
             hardening.handleUntrustedDeserialization(sourceContext, sinkContext);
           },

package/lib/input-analysis/handlers.js

@@ -220,7 +220,7 @@ module.exports = function(core) {
           key: path.pop(), // there should always be at least the param name
           value,
           score: item.score,
-          idsList: [],
+          idsList: item.idsList
         });
       }
     });

package/lib/input-tracing/handlers/index.js

@@ -35,8 +35,8 @@ module.exports = function(core) {
   } = core;
 
   function handleFindings(sourceContext, sinkContext, ruleId, result, findings) {
-    const { stacktraceData } = sinkContext;
-    captureStacktrace(sinkContext, stacktraceData);
+    const { stacktraceOpts } = sinkContext;
+    captureStacktrace(sinkContext, stacktraceOpts);
     result.exploitMetadata.push({ sinkContext, findings });
 
     const mode = sourceContext.policy[ruleId];
@@ -147,12 +147,27 @@ module.exports = function(core) {
 
       for (const result of stringInjectionResults) {
         if (typeof sinkContext.value === 'object') {
-          traverseKeysAndValues(sinkContext.value, function(path, type, value) {
+          traverseKeysAndValues(sinkContext.value, function(path, type, value, obj) {
             if (type !== 'Key' && !agentLib.isMongoQueryType(value)) return;
-            const cmdVal = sinkContext.value[value];
-            stringFindings = handleStringValue(result, cmdVal?.['$function']?.body || cmdVal, agentLib);
-            // halt traversal
-            return true;
+
+            if (!stringFindings && type == 'Key' && value == '$accumulator') {
+              stringFindings =
+                handleStringValue(result, obj[value]?.['init'], agentLib) ||
+                handleStringValue(result, obj[value]?.['merge'], agentLib) ||
+                handleStringValue(result, obj[value]?.['finalize'], agentLib) ||
+                handleStringValue(result, obj[value]?.['accumulate'], agentLib);
+            }
+
+            if (!stringFindings && type == 'Key' && value == '$function') {
+              stringFindings =
+                handleStringValue(result, obj['$function']?.body, agentLib);
+            }
+
+            if (!stringFindings) {
+              stringFindings = handleStringValue(result, obj[value], agentLib);
+            }
+
+            if (stringFindings) return true;
           });
         } else if (typeof sinkContext.value === 'string') {
           stringFindings = handleStringValue(result, sinkContext.value, agentLib);
@@ -253,7 +268,10 @@ function getResultsByRuleId(ruleId, context) {
   if (context.policy[ruleId] === OFF) {
     return;
   }
-  return context.resultsMap[ruleId];
+  // because agent-lib stores all nosql-injection results under nosql-injection-mongo
+  const resultsMapRuleId = ruleId === 'nosql-injection' ? 'nosql-injection-mongo' : ruleId;
+
+  return context.resultsMap[resultsMapRuleId];
 }
 
 function handleObjectValue(result, object) {
@@ -306,7 +324,10 @@ function handleStringValue(result, cmd, agentLib) {
       inputBoundaryIndex: 0,
     };
   } else {
-    const isAttack = agentLib.checkSsjsInjectionSink(cmd, inputIndex, result.value.length);
+    // This is a temporary workaround, while `agent-lib` fixes
+    // the `checkSsjsInjectionSink` so it can detect the "TRUE-CLAUSE-1" correctly
+    // TODO: NODE-2897
+    const isAttack = result.idsList.includes('TRUE-CLAUSE-1') || agentLib.checkSsjsInjectionSink(cmd, inputIndex, result.value.length);
     if (!isAttack) return findings;
 
     findings = {

package/lib/input-tracing/index.js

@@ -27,6 +27,7 @@ module.exports = function(core) {
   require('./install/child-process')(core);
   require('./install/fs')(core);
   require('./install/mongodb')(core);
+  require('./install/marsdb')(core);
   require('./install/mysql')(core);
   require('./install/postgres')(core);
   require('./install/sequelize')(core);

package/lib/input-tracing/install/child-process.js

@@ -37,7 +37,7 @@ module.exports = function(core) {
     const sinkContext = {
       name,
       value,
-      stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+      stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
     };
 
     inputTracing.handleCommandInjection(sourceContext, sinkContext);

package/lib/input-tracing/install/eval.js

@@ -47,7 +47,7 @@ module.exports = function(core) {
         const sinkContext = {
           name: 'eval',
           value,
-          stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+          stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
         };
         inputTracing.ssjsInjection(sourceContext, sinkContext);
       }

package/lib/input-tracing/install/fs.js

@@ -103,7 +103,7 @@ module.exports = function(core) {
               const sinkContext = {
                 name,
                 value,
-                stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+                stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
               };
               inputTracing.handlePathTraversal(sourceContext, sinkContext);
               core.protect.semanticAnalysis.handlePathTraversalFileSecurityBypass(sourceContext, sinkContext);

package/lib/input-tracing/install/function.js

@@ -48,7 +48,7 @@ module.exports = function(core) {
           const sinkContext = {
             name: 'Function',
             value: fnBody,
-            stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+            stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
           };
 
           inputTracing.ssjsInjection(sourceContext, sinkContext);

package/lib/input-tracing/install/http.js

@@ -46,7 +46,7 @@ module.exports = function(core) {
             const sinkContext = {
               name,
               value,
-              stacktraceData: { constructorOpt: data.hooked },
+              stacktraceOpts: { constructorOpt: data.hooked },
             };
             inputTracing.handleReflectedXss(sourceContext, sinkContext);
           }

package/lib/input-tracing/install/marsdb.js

@@ -0,0 +1,80 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+const { patchType } = require('../constants');
+
+module.exports = function (core) {
+  const {
+    depHooks,
+    patcher,
+    protect: { getSourceContext, inputTracing },
+  } = core;
+
+  const methods = ['find', 'findOne', 'update', 'insert', 'remove', 'ids', 'count'];
+
+  function getCursorQueryData(args) {
+    const query = args[0];
+    if (!query) {
+      return;
+    }
+
+    if (Object.prototype.toString.call(query) === '[object String]') {
+      return query.toString();
+    }
+
+    if (query['$where']) {
+      return query['$where'].toString();
+    }
+
+    return query;
+  }
+
+  function install() {
+    depHooks.resolve({ name: 'marsdb' }, marsdb => {
+      methods.forEach((method) => {
+        const name = `marsdb.Collection.prototype.${method}`;
+
+        patcher.patch(marsdb.Collection.prototype, method, {
+          name,
+          patchType,
+          pre({ args, hooked, orig }) {
+            const value = getCursorQueryData(args);
+            const sourceContext = getSourceContext(name);
+
+            if (
+              !sourceContext ||
+              !value ||
+              !Object.keys(value).length
+            ) return;
+
+            const sinkContext = {
+              name,
+              value,
+              stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+            };
+            inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
+          }
+        });
+      });
+    });
+  }
+
+  const marsdbInstr = (core.protect.inputTracing.marsdbInstrumentation = {
+    install,
+  });
+
+  return marsdbInstr;
+};

package/lib/input-tracing/install/mongodb.js

@@ -62,7 +62,7 @@ module.exports = function (core) {
     const sinkContext = {
       name,
       value,
-      stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+      stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
     };
     inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
   }
@@ -122,6 +122,7 @@ module.exports = function (core) {
               'countDocuments',
               'count',
               'distinct',
+              'aggregate'
             ],
             patchType,
             preHookFn: v4CollectionVal

package/lib/input-tracing/install/mysql.js

@@ -58,7 +58,7 @@ module.exports = function(core) {
               const sinkContext = {
                 name,
                 value,
-                stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+                stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
               };
 
               inputTracing.handleSqlInjection(sourceContext, sinkContext);

package/lib/input-tracing/install/postgres.js

@@ -42,7 +42,7 @@ module.exports = function(core) {
     const sinkContext = {
       name,
       value,
-      stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+      stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
     };
 
     inputTracing.handleSqlInjection(sourceContext, sinkContext);

package/lib/input-tracing/install/sequelize.js

@@ -51,7 +51,7 @@ module.exports = function(core) {
           const sinkContext = {
             name,
             value,
-            stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+            stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
           };
 
           inputTracing.handleSqlInjection(sourceContext, sinkContext);

package/lib/input-tracing/install/sqlite3.js

@@ -46,7 +46,7 @@ module.exports = function(core) {
             const sinkContext = {
               name,
               value,
-              stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+              stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
             };
 
             inputTracing.handleSqlInjection(sourceContext, sinkContext);

package/lib/input-tracing/install/vm.js

@@ -40,7 +40,7 @@ module.exports = function(core) {
       const sinkContext = {
         name,
         value: arg,
-        stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+        stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
       };
       inputTracing.ssjsInjection(sourceContext, sinkContext);
     }

package/lib/semantic-analysis/handlers.js

@@ -41,8 +41,8 @@ module.exports = function(core) {
   const { protect: { agentLib, semanticAnalysis, throwSecurityException }, captureStacktrace } = core;
 
   function handleResult(sourceContext, sinkContext, ruleId, mode, finding) {
-    const { value, stacktraceData } = sinkContext;
-    captureStacktrace(sinkContext, stacktraceData);
+    const { value, stacktraceOpts } = sinkContext;
+    captureStacktrace(sinkContext, stacktraceOpts);
     const result = {
       blocked: false,
       ruleId,

package/lib/semantic-analysis/install/libxmljs.js

@@ -62,7 +62,7 @@ module.exports = function(core) {
     const sinkContext = {
       name: 'libxmljs.parseXmlString',
       value,
-      stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+      stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
     };
 
     try {

package/lib/semantic-analysis/utils/xml-analysis.js

@@ -40,7 +40,7 @@ const ENTITY_TYPES = {
 // We only use this against lowercase strings; removed A-Z for speed
 const FILE_PATTERN_WINDOWS = /^[\\\\]*[a-z]{1,3}:.*/;
 
-const entityRegex = /<!ENTITY\s+(?<name>[a-zA-Z0-f]+)\s+(?<type>SYSTEM|PUBLIC)\s+"(?<uri1>.*?)"\s*("(?<uri2>.*?)"\s*)?>/g;
+const entityRegex = /<!ENTITY\s+(?<name>[a-zA-Z0-f]+)\s+(?<type>SYSTEM|PUBLIC)\s+['"](?<uri1>.*?)['"]\s*(['"](?<uri2>.*?)['"]\s*)?>/g;
 
 // Helper Functions
 const indicators = [

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.11.0",
+  "version": "1.12.1",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -17,10 +17,10 @@
     "test": "../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/agent-lib": "^5.1.0",
-    "@contrast/common": "1.3.1",
-    "@contrast/core": "1.10.0",
-    "@contrast/esm-hooks": "1.6.0",
+    "@contrast/agent-lib": "^5.3.1",
+    "@contrast/common": "1.3.2",
+    "@contrast/core": "1.10.2",
+    "@contrast/esm-hooks": "1.6.2",
     "@contrast/scopes": "1.2.0",
     "ipaddr.js": "^2.0.1",
     "semver": "^7.3.7"