@contrast/protect 1.15.1 → 1.16.0

package/lib/input-analysis/install/http.js

@@ -115,44 +115,15 @@ module.exports = function(core) {
   }
 
   function install() {
-    [{
-      moduleName: 'http'
-    },
-    {
-      moduleName: 'https'
-    },
-    {
-      moduleName: 'spdy'
-    },
-    {
-      moduleName: 'http2',
-      patchObjectsProps: [
-        {
-          methods: ['createServer', 'createSecureServer'],
-          patchType,
-          patchObjects: [
-            {
-              name: 'Server.prototype',
-              methods: ['emit'],
-              patchType,
-              around
-            }
-          ]
-        }
-      ]
-    }].forEach(({ moduleName, patchObjectsProps }) => {
-      const patchObjects = patchObjectsProps || [
-        {
+    ['http', 'https', 'spdy', 'http2'].forEach((moduleName) => {
+      instrument({
+        moduleName,
+        patchObjects: [{
           name: 'Server.prototype',
           methods: ['emit'],
           patchType,
           around
-        }
-      ];
-
-      instrument({
-        moduleName,
-        patchObjects
+        }]
       });
     });
   }

package/lib/input-analysis/ip-analysis.js

@@ -29,8 +29,8 @@ module.exports = (core) => {
 
   messages.on(Event.SERVER_SETTINGS_UPDATE, (serverUpdate) => {
     const now = new Date().getTime();
-    const updatedIpAllowList = serverUpdate.features?.defend?.ipAllowlist?.map?.((ipEntry) => ipEntryMap(ipEntry, now));
-    const updatedIpDenyList = serverUpdate.features?.defend?.ipDenylist?.map?.((ipEntry) => ipEntryMap(ipEntry, now));
+    const updatedIpAllowList = serverUpdate.protect?.rules?.ip_allowlist?.map?.((ipEntry) => ipEntryMap(ipEntry, now));
+    const updatedIpDenyList = serverUpdate.protect?.rules?.ip_denylist?.map?.((ipEntry) => ipEntryMap(ipEntry, now));
 
     if (updatedIpAllowList) {
       ipAllowlist.length = 0;

package/lib/input-analysis/virtual-patches.js

@@ -26,7 +26,7 @@ module.exports = (core) => {
   const virtualPatchesEvaluators = inputAnalysis.virtualPatchesEvaluators = [];
 
   messages.on(Event.SERVER_SETTINGS_UPDATE, (serverUpdate) => {
-    const virtualPatches = serverUpdate.settings?.defend?.virtualPatches;
+    const virtualPatches = serverUpdate.protect?.['virtual-patches'];
     if (virtualPatches) {
       buildVPEvaluators(virtualPatches, virtualPatchesEvaluators);
     }

package/lib/policy.js

@@ -112,8 +112,9 @@ module.exports = function(core) {
   function readModeFromSetting(remoteSetting) {
     switch (remoteSetting.mode) {
       case 'OFF': return OFF;
-      case 'MONITORING': return MONITOR;
-      case 'BLOCKING': return remoteSetting.blockAtEntry ? BLOCK_AT_PERIMETER : BLOCK;
+      case 'MONITOR': return MONITOR;
+      case 'BLOCK': return BLOCK;
+      case 'BLOCK_AT_PERIMETER': return BLOCK_AT_PERIMETER;
     }
   }
 
@@ -133,17 +134,16 @@ module.exports = function(core) {
    * @param {[]} protectionRules
    */
   function updateFromProtectionRules(protectionRules) {
-    for (const remoteSetting of Object.values(protectionRules)) {
-      const { id: ruleId } = remoteSetting;
+    for (const ruleId in protectionRules) {
       if (ruleId === 'nosql-injection' && !getModeFromConfig('nosql-injection-mongo')) {
-        policy['nosql-injection-mongo'] = readModeFromSetting(remoteSetting);
+        policy['nosql-injection-mongo'] = readModeFromSetting(protectionRules[ruleId]);
       }
 
       if (getModeFromConfig(ruleId)) {
         continue;
       }
 
-      policy[ruleId] = readModeFromSetting(remoteSetting);
+      policy[ruleId] && (policy[ruleId] = readModeFromSetting(protectionRules[ruleId]));
 
     }
   }
@@ -253,14 +253,12 @@ module.exports = function(core) {
   function updateGlobalPolicy(remoteSettings) {
     let update;
 
-    const protectionRules = remoteSettings?.settings?.defend?.protectionRules;
+    const protectionRules = remoteSettings?.protect?.rules;
     if (protectionRules) {
       updateFromProtectionRules(protectionRules);
       update = 'application-settings';
-    }
 
-    if (remoteSettings?.features?.defend) {
-      const bbEnabled = remoteSettings.features.defend[BOT_BLOCKER];
+      const bbEnabled = remoteSettings.protect.rules?.bot_blocker?.enable;
 
       if (
         bbEnabled != null &&
@@ -268,30 +266,30 @@ module.exports = function(core) {
         !config.protect.rules?.[BOT_BLOCKER]?.mode
       ) {
         policy[BOT_BLOCKER] = bbEnabled ? BLOCK_AT_PERIMETER : OFF;
-        update = 'server-features';
       }
     }
 
     if (update) {
       updateRulesMask();
+      protect.policy.exclusions = compiled;
       logger.info({ policy: protect.policy }, `protect policy updated from ${update}`);
     }
   }
 
   function updateExclusions(serverUpdate) {
     const exclusions = [
-      ...(serverUpdate.settings?.exceptions?.inputExceptions || []),
-      ...(serverUpdate.settings?.exceptions?.urlExceptions || [])
+      ...(serverUpdate?.exclusions?.input || []),
+      ...(serverUpdate?.exclusions?.url || [])
     ].filter((exclusion) => exclusion.modes.includes('defend'));
 
     if (!exclusions.length) return;
     compiled = initCompiled();
 
     for (const exclusionDtm of exclusions) {
-      exclusionDtm.inputType = exclusionDtm.inputType || 'URL';
+      exclusionDtm.type = exclusionDtm.type || 'URL';
 
-      const { name, rules, inputName, urls, inputType } = exclusionDtm;
-      const key = inputType.toLowerCase();
+      const { name, protect_rules, urls, type } = exclusionDtm;
+      const key = type.toLowerCase();
 
       if (!compiled[key]) continue;
 
@@ -299,15 +297,15 @@ module.exports = function(core) {
         const e = { name };
         e.matchesUriPath = createUriPathMatcher(urls);
 
-        if (inputName) {
-          e.matchesInputName = createInputNameMatcher(inputName);
+        if (name) {
+          e.matchesInputName = createInputNameMatcher(name);
         }
 
-        if (rules.length) {
+        if (protect_rules.length) {
           let rulesMask = 0;
           const exclusionPolicy = {};
 
-          for (let ruleId of rules) {
+          for (let ruleId of protect_rules) {
             // todo: this doesn't seem to make a difference?
             if (ruleId === 'nosql-injection') {
               ruleId = 'nosql-injection-mongo';
@@ -315,7 +313,7 @@ module.exports = function(core) {
 
             if (agentLib.RuleType[ruleId]) {
               Object.assign(exclusionPolicy, { [ruleId]: OFF });
-              if (inputType === 'URL') {
+              if (type === 'URL') {
                 rulesMask = rulesMask | agentLib.RuleType[ruleId];
                 exclusionPolicy.rulesMask = rulesMask;
               }
@@ -345,8 +343,8 @@ module.exports = function(core) {
   }
 
   messages.on(SERVER_SETTINGS_UPDATE, (msg) => {
-    updateGlobalPolicy(msg);
     updateExclusions(msg);
+    updateGlobalPolicy(msg);
   });
 
   initPolicy();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.15.1",
+  "version": "1.16.0",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -18,9 +18,9 @@
   },
   "dependencies": {
     "@contrast/agent-lib": "^5.3.4",
-    "@contrast/common": "1.6.0",
-    "@contrast/core": "1.13.1",
-    "@contrast/esm-hooks": "1.9.1",
+    "@contrast/common": "1.7.0",
+    "@contrast/core": "1.14.0",
+    "@contrast/esm-hooks": "1.10.0",
     "@contrast/scopes": "1.3.0",
     "ipaddr.js": "^2.0.1",
     "semver": "^7.3.7"