@contrast/protect 1.14.0 → 1.15.1

package/lib/index.d.ts

@@ -42,10 +42,25 @@ export interface ConnectInputs {
   queries?: string
 }
 
+export interface ExclusionPolicy {
+  exclusions: {
+    url: [],
+    querystring: [],
+    header: [],
+    body: [],
+    cookie: [],
+    parameter: []
+  }
+}
+
+export type ProtectPolicy = ExclusionPolicy & Record<rule, ProtectRuleMode> & { rulesMask: number };
+
 export interface Protect {
   makeResponseBlocker: (res: ServerResponse) => Block,
   makeSourceContext: (req: IncomingMessage, res: ServerResponse) => ProtectRequestStore,
   throwSecurityException: (sourceContext: ProtectRequestStore) => void,
+  policy: ProtectPolicy,
+  getPolicy(): ProtectPolicy, // creates copy for request scope
   inputAnalysis: {
     handleConnect: (sourceContext: ProtectRequestStore, connectInputs: ConnectInputs) => undefined | [string, string],
     handleRequestEnd: (sourceContext: ProtectRequestStore) => void, //NYI

package/lib/input-analysis/handlers.js

@@ -15,16 +15,16 @@
 
 'use strict';
 
+const address = require('ipaddr.js');
 const {
   BLOCKING_MODES,
-  traverseKeysAndValues,
-  traverseValues,
   Rule,
-  ProtectRuleMode,
+  ProtectRuleMode: { OFF, MONITOR },
   isString,
-  ProtectRuleMode: { OFF },
+  traverseKeysAndValues,
+  traverseValues,
+  InputType,
 } = require('@contrast/common');
-const address = require('ipaddr.js');
 
 //
 // these rules are not implemented by agent-lib, but are being considered for
@@ -55,6 +55,40 @@ const agentLibRuleTypeToName = {
 
 const preferWW = { preferWorthWatching: true };
 
+const acceptedMethods = new Set([
+  'acl',
+  'baseline-control',
+  'checkin',
+  'checkout',
+  'connect',
+  'copy',
+  'delete',
+  'get',
+  'head',
+  'label',
+  'lock',
+  'merge',
+  'mkactivity',
+  'mkcalendar',
+  'mkcol',
+  'mkworkspace',
+  'move',
+  'options',
+  'orderpatch',
+  'patch',
+  'post',
+  'propfind',
+  'proppatch',
+  'put',
+  'report',
+  'search',
+  'trace',
+  'uncheckout',
+  'unlock',
+  'update',
+  'version-control',
+]);
+
 module.exports = function(core) {
   const {
     logger,
@@ -130,16 +164,22 @@ module.exports = function(core) {
   inputAnalysis.handleConnect = function handleConnect(sourceContext, connectInputs) {
     const { policy: { rulesMask } } = sourceContext;
 
-    inputAnalysis.handleVirtualPatches(sourceContext, { URLS: connectInputs.rawUrl, HEADERS: connectInputs.headers });
+    inputAnalysis.handleVirtualPatches(
+      sourceContext,
+      { URLS: connectInputs.rawUrl, HEADERS: connectInputs.headers }
+    );
 
     // initialize findings to the basics
     let block = undefined;
     if (rulesMask !== 0) {
       const findings = agentLib.scoreRequestConnect(rulesMask, connectInputs, preferWW);
-
       block = mergeFindings(sourceContext, findings);
     }
 
+    if (!block) {
+      block = inputAnalysis.handleMethodTampering(sourceContext, connectInputs);
+    }
+
     return block;
   };
 
@@ -426,19 +466,54 @@ module.exports = function(core) {
     }
   };
 
+  inputAnalysis.handleMethodTampering = function(sourceContext, connectInputs) {
+    const ruleId = Rule.METHOD_TAMPERING;
+    const mode = sourceContext.policy[ruleId];
+    if (mode !== OFF) {
+      const { method } = connectInputs;
+
+      if (!acceptedMethods.has(method)) {
+        const result = {
+          inputType: InputType.METHOD,
+          key: 'method',
+          value: method,
+          blocked: false,
+          exploitMetadata: null,
+        };
+
+        sourceContext.resultsMap[ruleId] = [result];
+
+        if (BLOCKING_MODES.includes(mode)) {
+          result.blocked = true;
+          return sourceContext.securityException = ['block', ruleId];
+        }
+      }
+    }
+  };
+
   /**
-   * handleRequestEnd()
    *
-   * Invoked when the request is complete.
+   * Invoked when the request is complete. Handles probe analysis (when configured) and
+   * various other tasks needed prior to reporting.
    *
    * @param {Object} sourceContext
    */
   inputAnalysis.handleRequestEnd = function handleRequestEnd(sourceContext) {
+    {
+      // check status code to verify method-tampering exploitation
+      const mtResult = sourceContext.resultsMap[Rule.METHOD_TAMPERING]?.[0];
+      if (mtResult) {
+        const { statusCode } = sourceContext.resData;
+        if (statusCode !== 405 || statusCode !== 501) {
+          mtResult.exploitMetadata = [{ statusCode }];
+        }
+      }
+    }
+
     if (!config.protect.probe_analysis.enable || sourceContext.allowed) return;
 
     // Detecting probes
     const { resultsMap, policy: { rulesMask } } = sourceContext;
-
     const probesRules = [Rule.CMD_INJECTION, Rule.PATH_TRAVERSAL, Rule.SQL_INJECTION, Rule.XXE];
     const probes = {};
 
@@ -868,5 +943,5 @@ function getValueAtKey(obj, path, key) {
 }
 
 function isMonitorMode(ruleId, sourceContext) {
-  return sourceContext.policy[ruleId] === ProtectRuleMode.MONITOR;
+  return sourceContext.policy[ruleId] === MONITOR;
 }

package/lib/input-analysis/install/http.js

@@ -15,7 +15,7 @@
 
 'use strict';
 
-const { Event } = require('@contrast/common');
+const { Event, toLowerCase } = require('@contrast/common');
 const { patchType } = require('../constants');
 
 module.exports = function(core) {
@@ -62,10 +62,12 @@ module.exports = function(core) {
 
       store.protect = core.protect.makeSourceContext(req, res);
       const {
-        reqData: { headers, uriPath, method }
+        reqData: { headers, uriPath, method },
+        resData,
       } = store.protect;
 
       res.on('finish', () => {
+        resData.statusCode = res.statusCode;
         inputAnalysis.handleRequestEnd(store.protect);
         messages.emit(Event.PROTECT, store);
       });
@@ -73,7 +75,7 @@ module.exports = function(core) {
       const connectInputs = {
         headers: removeCookies(headers),
         uriPath,
-        method
+        method: toLowerCase(method),
       };
 
       if (inputAnalysis.virtualPatchesEvaluators?.length) {

package/lib/input-tracing/index.js

@@ -25,17 +25,18 @@ module.exports = function(core) {
 
   // instrumentation
   require('./install/child-process')(core);
+  require('./install/eval')(core);
   require('./install/fs')(core);
-  require('./install/mongodb')(core);
+  require('./install/function')(core);
+  require('./install/http')(core);
   require('./install/marsdb')(core);
+  require('./install/mongodb')(core);
+  require('./install/mssql')(core);
   require('./install/mysql')(core);
   require('./install/postgres')(core);
   require('./install/sequelize')(core);
   require('./install/sqlite3')(core);
-  require('./install/http')(core);
   require('./install/vm')(core);
-  require('./install/eval')(core);
-  require('./install/function')(core);
   // TODO: NODE-2360 (oracledb)
 
   inputTracing.install = function() {

package/lib/input-tracing/install/fs.js

@@ -80,6 +80,10 @@ module.exports = function(core) {
     depHooks.resolve({ name: 'fs' }, fs => {
       fsMethods.forEach(({ method, indices = [0] }) => {
         const name = `fs.${method}`;
+
+        // may not exist depending on OS
+        if (!fs[method]) return;
+
         patcher.patch(fs, method, {
           name,
           patchType,

package/lib/input-tracing/install/mssql.js

@@ -0,0 +1,79 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { isString } = require('@contrast/common');
+const { patchType } = require('../constants');
+
+module.exports = function (core) {
+  const {
+    depHooks,
+    patcher,
+    protect,
+    protect: { inputTracing },
+  } = core;
+
+  const pre = ({ args, hooked, name, orig }) => {
+    const sourceContext = protect.getSourceContext(name);
+    const [value] = args;
+    if (!sourceContext || !value || !isString(value)) return;
+
+    const sinkContext = {
+      name,
+      value,
+      stacktraceOpts: {
+        constructorOpt: hooked,
+        prependFrames: [orig],
+      },
+    };
+
+    inputTracing.handleSqlInjection(sourceContext, sinkContext);
+  };
+
+  core.protect.inputTracing.mssqlInstrumentation = {
+    install() {
+      depHooks.resolve(
+        { name: 'mssql', file: 'lib/base/prepared-statement.js' },
+        (PreparedStatement) => {
+          patcher.patch(PreparedStatement.prototype, 'prepare', {
+            name: 'mssql.PreparedStatement.prototype.prepare',
+            patchType,
+            pre,
+          });
+        },
+      );
+
+      depHooks.resolve(
+        { name: 'mssql', file: 'lib/base/request.js' },
+        (Request) => {
+          patcher.patch(Request.prototype, 'batch', {
+            name: 'mssql.Request.prototype.batch',
+            patchType,
+            pre,
+          });
+
+          patcher.patch(Request.prototype, 'query', {
+            name: 'mssql.Request.prototype.query',
+            patchType,
+            pre,
+          });
+        },
+      );
+    },
+  };
+
+  return core.protect.inputTracing.mssqlInstrumentation;
+};

package/lib/make-source-context.js

@@ -74,19 +74,16 @@ module.exports = function(core) {
       contentType,
     };
 
-    //
-    // build the protect object that contains all
-    //
     const protectStore = {
       reqData,
+      resData: {
+        statusCode: null,
+      },
       // block closure captures res so it isn't exposed to beyond here
       block: core.protect.makeResponseBlocker(res),
-
       policy,
-
       exclusions: [],
       virtualPatchesEvaluators: [],
-
       trackRequest: false,
       securityException: undefined,
       // bodyType is set to a body type if handlers.parseRawBody() parsed it

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.14.0",
+  "version": "1.15.1",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -18,9 +18,9 @@
   },
   "dependencies": {
     "@contrast/agent-lib": "^5.3.4",
-    "@contrast/common": "1.5.0",
-    "@contrast/core": "1.12.0",
-    "@contrast/esm-hooks": "1.8.0",
+    "@contrast/common": "1.6.0",
+    "@contrast/core": "1.13.1",
+    "@contrast/esm-hooks": "1.9.1",
     "@contrast/scopes": "1.3.0",
     "ipaddr.js": "^2.0.1",
     "semver": "^7.3.7"