@contrast/protect 1.12.2 → 1.13.0

package/lib/error-handlers/common-handler.js

@@ -0,0 +1,40 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { isSecurityException } = require('../security-exception');
+
+module.exports = function(core) {
+  const {
+    logger,
+    protect: { getSourceContext },
+  } = core;
+
+  return core.protect.errorHandlers.commonHandler = function(err) {
+    if (!isSecurityException(err)) {
+      throw err;
+    }
+
+    const sourceContext = getSourceContext('protect-common-error-handler');
+    if (!sourceContext) {
+      logger.info('SecurityException caught by Contrast but Protect store is unavailable for req handling');
+      return;
+    }
+
+    const blockInfo = sourceContext.securityException;
+    sourceContext.block(...blockInfo);
+  };
+};

package/lib/error-handlers/index.js

@@ -15,20 +15,23 @@
 
 'use strict';
 
+const { callChildComponentMethodsSync } = require('@contrast/common');
+
 module.exports = function(core) {
   const errorHandlers = core.protect.errorHandlers = {};
 
+  // api
+  require('./common-handler')(core);
+  require('./init-domain')(core);
+
+  // installers
   require('./install/fastify')(core);
   require('./install/koa2')(core);
   require('./install/express4')(core);
   require('./install/hapi')(core);
 
   errorHandlers.install = function() {
-    for (const component of Object.values(errorHandlers)) {
-      if (component.install) {
-        component.install();
-      }
-    }
+    callChildComponentMethodsSync(errorHandlers, 'install');
   };
 
   return errorHandlers;

package/lib/error-handlers/init-domain.js

@@ -0,0 +1,61 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const process = require('process');
+const semver = require('semver');
+
+module.exports = function(core) {
+  const {
+    logger,
+    protect: { errorHandlers }
+  } = core;
+
+  Object.assign(errorHandlers, initSupportedDomainPackage());
+
+  return errorHandlers.initDomain = function(req, res) {
+    const { AsyncHookDomain, Domain } = errorHandlers;
+
+    if (AsyncHookDomain) {
+      new AsyncHookDomain(errorHandlers.commonHandler);
+    } else {
+      const domain = new Domain();
+      domain.add(req);
+      domain.add(res);
+      domain.on('error', errorHandlers.commonHandler);
+      return domain;
+    }
+  };
+
+  function initSupportedDomainPackage() {
+    let AsyncHookDomain, Domain;
+
+    if (semver.lt(process.version, '16.0.0')) {
+      logger.info(
+        '%s. %s. %s.',
+        'falling back to deprecated \'domain\' module for async SecurityException handling',
+        'upgrade to Node 16 LTS or above to allow use of \'async-hook-domain\' modern alternative',
+        'upgrading will resolve any deprecation warnings and prevent the logging of this message'
+      );
+
+      Domain = require('domain').Domain;
+    } else {
+      AsyncHookDomain = require('async-hook-domain');
+    }
+
+    return { AsyncHookDomain, Domain };
+  }
+};

package/lib/index.d.ts

@@ -13,14 +13,11 @@
  * way not consistent with the End User License Agreement.
  */
 
-import { Logger } from '@contrast/logger';
-import { Sources } from '@contrast/scopes';
-import RequireHook from '@contrast/require-hook';
-import { RulesConfig, Messages, ReqData, ProtectMessage, ResultMap, ProtectRuleMode } from '@contrast/common';
+import { ReqData, ProtectMessage, ResultMap, ProtectRuleMode } from '@contrast/common';
 import { IncomingMessage, ServerResponse } from 'node:http';
-import { Config } from '@contrast/config';
 import * as http from 'node:http';
 import * as https from 'node:https';
+import { Domain } from 'domain';
 
 type Http = typeof http;
 type Https = typeof https;
@@ -29,11 +26,7 @@ export type Block = (mode: string, ruleId: string) => void;
 export interface ProtectRequestStore {
   reqData: ReqData;
   block: Block;
-  rules: {
-    agentLibRules: RulesConfig;
-    agentLibRulesMask: number;
-    agentRules: RulesConfig;
-  };
+  rules: Record<Rule, { mode: ProtectRuleMode }>;
   exclusions: any[]; // TODO
   virtualPatches: any[]; // TODO
   trackRequest: boolean;
@@ -105,6 +98,8 @@ export interface Protect {
     install: () => void
   }
   errorHandlers: {
+    commonHandler: (err: Error) => void;
+    initDomain: () => void | Domain;
     fastify3ErrorHandler: {
       _userHandler: null | ((...args: any[]) => any),
       defaultErrorHandler: (error: Error, request: IncomingMessage, reply: ServerResponse) => void,

package/lib/index.js

@@ -28,11 +28,11 @@ module.exports = function(core) {
   require('./make-response-blocker')(core);
   require('./make-source-context')(core);
   require('./get-source-context')(core);
+  require('./error-handlers')(core);
   require('./input-analysis')(core);
   require('./input-tracing')(core);
   require('./hardening')(core);
   require('./semantic-analysis')(core);
-  require('./error-handlers')(core);
 
   protect.install = function() {
     callChildComponentMethodsSync(protect, 'install');

package/lib/input-analysis/install/http.js

@@ -15,8 +15,8 @@
 
 'use strict';
 
-const { patchType } = require('../constants');
 const { Event } = require('@contrast/common');
+const { patchType } = require('../constants');
 
 module.exports = function(core) {
   const {
@@ -24,9 +24,17 @@ module.exports = function(core) {
     messages,
     scopes: { sources },
     instrumentation: { instrument },
-    protect: { inputAnalysis },
+    protect: {
+      inputAnalysis,
+      errorHandlers: { initDomain }
+    },
   } = core;
 
+  const instr = inputAnalysis.httpInstrumentation = {
+    install,
+    around
+  };
+
   function removeCookies(headers) {
     for (let i = 0; i < headers.length; i += 2) {
       if (headers[i] === 'cookies') {
@@ -48,7 +56,7 @@ module.exports = function(core) {
     try {
       store = sources.getStore();
       if (!store) {
-        logger.debug('cannot acquire store for around()');
+        logger.debug('request store not available during http input-analysis');
         return;
       }
 
@@ -83,11 +91,21 @@ module.exports = function(core) {
 
       block = block || inputAnalysis.handleConnect(store.protect, connectInputs);
     } catch (err) {
-      logger.error({ err }, 'Error during input analysis');
+      logger.error({ err }, 'Error during http input analysis');
     }
 
     if (!block) {
-      setImmediate(() => next.call(data.obj, ...data.args));
+      setImmediate(() => {
+        const domain = initDomain(req, res);
+
+        if (domain) {
+          domain.run(() => {
+            next.call(data.obj, ...data.args);
+          });
+        } else {
+          next.call(data.obj, ...data.args);
+        }
+      });
     } else {
       store.protect.block(...block);
       logger.debug({ block }, 'request blocked by not emitting request event');
@@ -129,6 +147,7 @@ module.exports = function(core) {
           around
         }
       ];
+
       instrument({
         moduleName,
         patchObjects
@@ -136,8 +155,5 @@ module.exports = function(core) {
     });
   }
 
-  return inputAnalysis.httpInstrumentation = {
-    install,
-    around
-  };
+  return instr;
 };

package/lib/input-tracing/handlers/index.js

@@ -73,13 +73,16 @@ module.exports = function(core) {
 
     for (const result of results) {
       let findings = null;
-      const inputIndex = sinkContext.value.indexOf(result.value);
-      if (inputIndex !== -1) {
+      let inputIndex = sinkContext.value.indexOf(result.value);
+
+      while (!findings && inputIndex >= 0) {
         findings = agentLib.checkCommandInjectionSink(
           inputIndex,
           result.value.length,
           sinkContext.value,
         );
+
+        inputIndex = sinkContext.value.indexOf(result.value, inputIndex + 1);
       }
 
       if (findings) {
@@ -96,28 +99,26 @@ module.exports = function(core) {
 
     for (const result of results) {
       let findings = null;
+      let inputIndex = sinkContext.value.indexOf(result.value);
 
-      const inputIndex = sinkContext.value.indexOf(result.value);
-
-      // if the user input is not in the sink input, there is nothing to do.
-      if (inputIndex === -1) {
-        continue;
-      }
+      while (!findings && inputIndex >= 0) {
+        if (inputIndex === 0 && sinkContext.value === result.value) {
+          findings = {
+            startIndex: 0,
+            endIndex: result.value.length - 1,
+            overrunIndex: 0,
+            boundaryIndex: 0,
+          };
+        } else {
+          findings = agentLib.checkSqlInjectionSink(
+            inputIndex,
+            result.value.length,
+            2,
+            sinkContext.value,
+          );
+        }
 
-      if (inputIndex === 0 && sinkContext.value === result.value) {
-        findings = {
-          startIndex: 0,
-          endIndex: result.value.length - 1,
-          overrunIndex: 0,
-          boundaryIndex: 0,
-        };
-      } else {
-        findings = agentLib.checkSqlInjectionSink(
-          inputIndex,
-          result.value.length,
-          2,
-          sinkContext.value,
-        );
+        inputIndex = sinkContext.value.indexOf(result.value, inputIndex + 1);
       }
 
       if (findings) {
@@ -210,25 +211,27 @@ module.exports = function(core) {
       for (const v of sinkValuesArr) {
         if (findings) break;
 
-        const inputIndex = v.indexOf(result.value);
+        let inputIndex = v.indexOf(result.value);
 
-        if (inputIndex === 0 && v === result.value) {
-          findings = {
-            startIndex: 0,
-            endIndex: result?.value.length - 1,
-            boundaryIndex: 0,
-            codeString: result.value
-          };
-        }
+        while (!findings && inputIndex >= 0) {
+          if (inputIndex === 0 && v === result.value) {
+            findings = {
+              startIndex: 0,
+              endIndex: result?.value.length - 1,
+              boundaryIndex: 0,
+              codeString: result.value
+            };
+          } else {
+            const endIndex = inputIndex + result?.value.length;
+            findings = agentLib.checkSsjsInjectionSink(v, inputIndex, result.value.length) && {
+              startIndex: inputIndex,
+              endIndex,
+              boundaryIndex: inputIndex,
+              codeString: result.value
+            };
+          }
 
-        if (inputIndex > 0) {
-          const endIndex = inputIndex + result?.value.length;
-          findings = agentLib.checkSsjsInjectionSink(v, inputIndex, endIndex) && {
-            startIndex: inputIndex,
-            endIndex,
-            boundaryIndex: inputIndex,
-            codeString: result.value
-          };
+          inputIndex = v.indexOf(result.value, inputIndex + 1);
         }
       }
 
@@ -308,34 +311,30 @@ function handleStringValue(result, cmd, agentLib) {
   }
 
   let findings = null;
-  let inputIndex = -1;
-  inputIndex = cmd.indexOf(result.value);
+  let inputIndex = cmd.indexOf(result.value);
+
+  while (!findings && inputIndex >= 0) {
+    if (inputIndex === 0 && cmd === result.value) {
+      findings = {
+        start: 0,
+        end: result.value.length - 1,
+        boundaryOverrunIndex: 0,
+        inputBoundaryIndex: 0,
+      };
+    } else {
+      const isAttack = agentLib.checkSsjsInjectionSink(cmd, inputIndex, result.value.length);
 
-  // if the user input is not in the sink input, there is nothing to do.
-  if (inputIndex === -1) {
-    return findings;
-  }
+      if (isAttack) {
+        findings = {
+          start: inputIndex,
+          end: inputIndex + result.value.length - 1,
+          boundaryOverrunIndex: 0,
+          inputBoundaryIndex: 0,
+        };
+      }
+    }
 
-  if (inputIndex === 0 && cmd === result.value) {
-    findings = {
-      start: 0,
-      end: result.value.length - 1,
-      boundaryOverrunIndex: 0,
-      inputBoundaryIndex: 0,
-    };
-  } else {
-    // This is a temporary workaround, while `agent-lib` fixes
-    // the `checkSsjsInjectionSink` so it can detect the "TRUE-CLAUSE-1" correctly
-    // TODO: NODE-2897
-    const isAttack = result.idsList.includes('TRUE-CLAUSE-1') || agentLib.checkSsjsInjectionSink(cmd, inputIndex, result.value.length);
-    if (!isAttack) return findings;
-
-    findings = {
-      start: inputIndex,
-      end: inputIndex + result.value.length - 1,
-      boundaryOverrunIndex: 0,
-      inputBoundaryIndex: 0,
-    };
+    inputIndex = cmd.indexOf(result.value, inputIndex + 1);
   }
 
   return findings;

package/lib/input-tracing/install/mysql.js

@@ -32,12 +32,17 @@ module.exports = function(core) {
     if (isString(value)) {
       return value;
     }
+
+    if (isString(value.sql)) {
+      return value.sql;
+    }
   };
 
   mysqlInstr.install = function() {
     [
       { module: 'mysql', file: 'lib/Connection.js', method: 'query' },
-      { module: 'mysql2', file: 'lib/Connection.js', method: 'execute' }
+      { module: 'mysql2', file: 'lib/connection.js', method: 'execute' },
+      { module: 'mysql2', file: 'lib/connection.js', method: 'query' }
     ].forEach(
       ({ module, file, method }) => {
         depHooks.resolve({ module, file, method }, conn => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.12.2",
+  "version": "1.13.0",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -17,12 +17,15 @@
     "test": "../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/agent-lib": "^5.3.1",
-    "@contrast/common": "1.3.2",
-    "@contrast/core": "1.10.2",
-    "@contrast/esm-hooks": "1.6.2",
-    "@contrast/scopes": "1.2.0",
+    "@contrast/agent-lib": "^5.3.4",
+    "@contrast/common": "1.4.0",
+    "@contrast/core": "1.11.0",
+    "@contrast/esm-hooks": "1.7.0",
+    "@contrast/scopes": "1.3.0",
     "ipaddr.js": "^2.0.1",
     "semver": "^7.3.7"
+  },
+  "optionalDependencies": {
+    "async-hook-domain": "^3.0.2"
   }
 }