@contrast/protect 1.2.0 → 1.3.0

package/lib/cli-rewriter.js

@@ -1,5 +1,20 @@
 #!/usr/bin/env node
 
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 const { cliRewriter } = require('@contrast/core')();

package/lib/error-handlers/constants.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 module.exports = {

package/lib/error-handlers/index.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 module.exports = function(core) {
@@ -5,10 +20,12 @@ module.exports = function(core) {
 
   require('./install/fastify3')(core);
   require('./install/koa2')(core);
+  require('./install/express4')(core);
 
   errorHandlers.install = function() {
     errorHandlers.fastify3ErrorHandler.install();
     errorHandlers.koa2ErrorHandler.install();
+    errorHandlers.express4ErrorHandler.install();
   };
 
   return errorHandlers;

package/lib/error-handlers/install/express4.js

@@ -0,0 +1,90 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const SecurityException = require('../../security-exception');
+const { patchType } = require('../constants');
+
+
+module.exports = function(core) {
+  const {
+    logger,
+    depHooks,
+    patcher,
+    scopes: { sources },
+    protect,
+  } = core;
+
+  const express4ErrorHandler = protect.errorHandlers.express4ErrorHandler = {};
+
+  express4ErrorHandler.install = function () {
+    depHooks.resolve({ name: 'finalhandler' }, (finalhandler) =>
+      patcher.patch(finalhandler, {
+        name: 'finalHandler',
+        patchType,
+        post(data) {
+          data.result = patcher.patch(data.result, {
+            name: 'finalHandler.returnedFunction',
+            patchType,
+            around(org, data) {
+              const [err] = data.args;
+              const sourceContext = sources.getStore()?.protect;
+              const isSecurityException = SecurityException.isSecurityException(err);
+
+              if (isSecurityException && sourceContext) {
+                const blockInfo = sourceContext.findings.securityException;
+
+                sourceContext.block(...blockInfo);
+                return;
+              }
+
+              if (!sourceContext && isSecurityException) {
+                logger.info('source context not found; unable to handle response');
+              }
+              org();
+            },
+          });
+        },
+      })
+    );
+
+    depHooks.resolve({ name: 'express', version: '>=4.0.0', file: 'lib/router/layer.js' }, (Layer) => {
+      patcher.patch(Layer.prototype, 'handle_error', {
+        name: 'Layer.prototype.handle_error',
+        patchType,
+        around(org, data) {
+          const [err] = data.args;
+          const sourceContext = sources.getStore()?.protect;
+          const isSecurityException = SecurityException.isSecurityException(err);
+
+          if (isSecurityException && sourceContext) {
+            const blockInfo = sourceContext.findings.securityException;
+
+            sourceContext.block(...blockInfo);
+            return;
+          }
+
+          if (!sourceContext && isSecurityException) {
+            logger.info('source context not found; unable to handle response');
+          }
+          org();
+        }
+      });
+    });
+  };
+
+  return express4ErrorHandler;
+};

package/lib/error-handlers/install/fastify3.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 const { isSecurityException } = require('../../security-exception');

package/lib/error-handlers/install/koa2.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 const SecurityException = require('../../security-exception');

package/lib/esm-loader.mjs

@@ -1,2 +1,17 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 import esmHooks from '@contrast/esm-hooks';
 export const { getSource, transformSource, load } = esmHooks();

package/lib/index.d.ts

@@ -1,29 +1,157 @@
+
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 import { Core } from '@contrast/core';
+import { Logger } from '@contrast/logger';
+import { Sources } from '@contrast/scopes';
+import RequireHook from '@contrast/require-hook';
+import { RulesConfig, Rule, Messages, Result } from '@contrast/common';
+import { IncomingMessage, ServerResponse } from 'node:http';
+import { Config } from '@contrast/config';
+import { ProtectMessage } from '@contrast/common';
+import * as http from 'node:http';
+import * as https from 'node:https';
+
+type Http = typeof http;
+type Https = typeof https;
+
+export type Block = (mode: string, ruleId: string) => void;
+export class HttpInstrumentation {
+  messages: Messages;
+  scope: Sources;
+  config: Config;
+  logger: Logger;
+  depHooks: RequireHook;
+  protect: ProtectMessage;
+  makeSourceContext: Protect['makeSourceContext'];
+  maxBodySize: number;
+  installed: boolean;
+
+  constructor(core: Core);
+
+  install(): void;
+  uninstall(): void; //NYI
+  hookHttp(): void;
+  hookHttps(): void;
+  hookServer(xport: Http | Https): void;
+  initiateRequestHandling(fnContext: { instance: any, method: any, args: any }): void; //TODO
+  removeCookies(headers: string[]): string[];
+}
+export interface ReqData {
+  method: string;
+  headers: string[];
+  uriPath: string;
+  queries: string;
+  contentType?: string;
+  standardUrlParsing: boolean;
+  ip: string;
+  httpVersion: string,
+  headers2: { [key: string]: Array<string> };
+}
+
+export interface Findings {
+  trackRequest: boolean;
+  securityException?: [mode: string, ruleId: string];
+  bodyType?: 'json' | 'urlencoded';
+  resultsMap: Record<Rule, Result[]>
+}
+
+export interface ProtectRequestStore {
+  reqData: ReqData;
+  block: Block;
+  rules: {
+    agentLibRules: RulesConfig;
+    agentLibRulesMask: number;
+    agentRules: RulesConfig;
+  };
+  exclusions: any[]; // TODO
+  virtualPatches: any[]; // TODO
+  findings: Findings;
+}
+
+export interface ConnectInputs {
+  headers: string[],
+  uriPath: string,
+  method: string,
+  queries?: string
+}
 
-// TODO
 export interface Protect {
-  makeResponseBlocker: () => void,
-  makeSourceContext: () => void,
+  makeResponseBlocker: (res: ServerResponse) => Block,
+  makeSourceContext: (req: IncomingMessage, res: ServerResponse) => ProtectRequestStore,
+  throwSecurityException: (sourceContext: ProtectRequestStore) => void,
   inputAnalysis: {
-    handleConnect: () => void,
-    handleRequestEnd: () => void,
-    handleRawBody: () => void,
-    handleQueryParams: () => void,
-    handleUrlParams: () => void,
-    handleCookies: () => void,
-    handleParsedBody: () => void,
-    handleFileuploadName: () => void,
+    handleConnect: (sourceContext: ProtectRequestStore, connectInputs: ConnectInputs) => undefined | [string, string],
+    handleRequestEnd: (sourceContext: ProtectRequestStore) => void, //NYI
+    handleParsedBody: (sourceContext: ProtectRequestStore, parsedBody: { [key: string]: any }) => void,
+    handleQueryParams: (sourceContext: ProtectRequestStore, queryParams: { [key: string]: any }) => void,
+    handleUrlParams: (sourceContext: ProtectRequestStore, urlParams: { [key: string]: any }) => void,
+    handleCookies: (sourceContext: ProtectRequestStore, cookies: { [key: string]: any }) => void,
+    handleFileuploadName: (sourceContext: ProtectRequestStore, name: string) => void, //NYI
+    librariesInstrumentation: {
+      bodyParser: { install: () => void },
+      coBody: { install: () => void },
+      cookieParser: { install: () => void },
+      formidable: { install: () => void },
+      multer: { install: () => void },
+      qs: { install: () => void },
+      universalCookie: { install: () => void },
+    },
+    expressInstrumentation: { install: () => void },
+    fastifyInstrumentation: { install: () => void },
+    koaInstrumentation: { install: () => void },
+    httpInstrumentation: HttpInstrumentation,
     install: () => void,
   },
   inputTracing: {
-    getResultsByRuleId: () => void,
-    handlerFactory: () => void,
-    handlePathTraversal: () => void,
-    handleCommandInjection: () => void,
-    handleSqlInjection: () => void,
+    handlePathTraversal: (sourceContext: ProtectRequestStore, sinkContext: { name: string, value: string, stack: { [key: string]: any }[] }) => void,
+    handleCommandInjection: (sourceContext: ProtectRequestStore, sinkContext: { name: string, value: string, stack: { [key: string]: any }[] }) => void,
+    handleSqlInjection: (sourceContext: ProtectRequestStore, sinkContext: { name: string, value: string, stack: { [key: string]: any }[] }) => void,
+    nosqlInjectionMongo: (sourceContext: ProtectRequestStore, sinkContext: { name: string, value: any, stack: { [key: string]: any }[] }) => void,
+    ssjsInjection: () => void, //NYI
+    fsInstrumentation: {
+      getValues: (indices: number[], args: any) => string[],
+      install: () => void
+    },
+    cpInstrumentation: { install: () => void },
+    mysqlInstrumentation: {
+      getValueFromArgs: ([value]: any[]) => string | undefined,
+      install: () => void
+    },
+    postgresInstrumentation: {
+      getQueryFromArgs: ([value]: any[]) => string | undefined,
+      install: () => void
+    },
+    mongodbInstrumentation: { install: () => void },
+    sqlite3Instrumentation: { install: () => void },
+    sequelizeInstrumentation: {
+      getQueryFromArgs: ([value]: any[]) => string | undefined,
+      install: () => void
+    }
     install: () => void
   }
   errorHandlers: {
+    fastify3ErrorHandler: {
+      _userHandler: null | ((...args: any[]) => any),
+      defaultErrorHandler: (error: Error, request: IncomingMessage, reply: ServerResponse) => void,
+      handler: (err: Error, request: IncomingMessage, reply: ServerResponse) => void,
+      install: () => void
+    }
+    koa2ErrorHandler: { install: () => void },
+    express4ErrorHandler: { install: () => void },
     install: () => void,
   },
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
@@ -31,6 +159,4 @@ export interface Protect {
   version: string,
 }
 
-declare function init(core: Core): Protect;
-
-export default init;
+export default function(core: Core): ProtectMessage;

package/lib/index.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 const agentLib = require('@contrast/agent-lib');

package/lib/input-analysis/constants.js

@@ -0,0 +1,20 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+module.exports = {
+  patchType: 'protect-input-analysis',
+};

package/lib/input-analysis/handlers.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 const { simpleTraverse } = require('../utils');
@@ -144,7 +159,11 @@ module.exports = function(core) {
       logger.debug({ queryParams }, 'handleQueryParams() called with non-object');
       return;
     }
-    commonObjectAnalyzer(sourceContext, queryParams, parameterInputTypes);
+    const block = commonObjectAnalyzer(sourceContext, queryParams, parameterInputTypes);
+
+    if (block) {
+      core.protect.throwSecurityException(sourceContext);
+    }
   };
 
   /**
@@ -199,10 +218,11 @@ module.exports = function(core) {
       securityException: undefined,
       resultsList,
     };
+
     const block = mergeFindings(rules.agentLibRules, sourceContext.findings, urlParamsFindings);
 
     if (block) {
-      sourceContext.block(...block);
+      core.protect.throwSecurityException(sourceContext);
     }
   };
 
@@ -225,7 +245,7 @@ module.exports = function(core) {
     const block = mergeFindings(rules.agentLibRules, sourceContext.findings, cookieFindings);
 
     if (block) {
-      sourceContext.block(...block);
+      core.protect.throwSecurityException(sourceContext);
     }
   };
 
@@ -253,8 +273,13 @@ module.exports = function(core) {
       bodyType = 'urlencoded';
       inputTypes = parameterInputTypes;
     }
-    commonObjectAnalyzer(sourceContext, parsedBody, inputTypes);
+    const block = commonObjectAnalyzer(sourceContext, parsedBody, inputTypes);
+
     sourceContext.findings.bodyType = bodyType;
+
+    if (block) {
+      core.protect.throwSecurityException(sourceContext);
+    }
   };
 
   // was MULTIPART_NAME but maybe we should just call it what it is. it's kind
@@ -277,7 +302,7 @@ module.exports = function(core) {
    * @param {Object} inputTypes is either jsonInputTypes or parameterInputTypes,
    * both are defined above. They specify the input types to be used when evaluating
    * the object.
-   * @returns undefined
+   * @returns {Array | undefined} returns an array with block info if vulnerability was found.
    */
   function commonObjectAnalyzer(sourceContext, object, inputTypes) {
     const { rules, rules: { agentLibRulesMask: mask } } = sourceContext;
@@ -333,7 +358,8 @@ module.exports = function(core) {
         // mimic it here (where scoreAtom() was used). the actual object/string
         // to match is stored as `inputToCheck`.
         const inputType = typeof inputToCheck;
-        if ((mongoQueryType <= Where && inputType === 'object') || (mongoQueryType >= Where && inputType === 'string')) {
+        // query types up to Where, inclusive, accept either string or object values. Where and above accept only string values
+        if (mongoQueryType <= Where || inputType === 'string') {
           // the query-type/input-type combination is valid. add a synthesized item.
           const item = { ruleId: 'nosql-injection-mongo', score: 10, mongoContext: { inputToCheck } };
           items.push(item);
@@ -370,10 +396,7 @@ module.exports = function(core) {
       resultsList,
     };
 
-    const block = mergeFindings(rules.agentLibRules, sourceContext.findings, findings);
-    if (block) {
-      sourceContext.block(...block);
-    }
+    return mergeFindings(rules.agentLibRules, sourceContext.findings, findings);
   }
 };
 

package/lib/input-analysis/index.js

@@ -1,17 +1,50 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 module.exports = function(core) {
   const inputAnalysis = core.protect.inputAnalysis = {};
 
+  // inputAnalysis handlers
   require('./handlers')(core);
+
+  // http(s) modules instrumentation
   require('./install/http')(core);
+
+  // common libraries instrumentation
+  require('./install/body-parser1')(core);
+  require('./install/cookie-parser1')(core);
+  require('./install/formidable1')(core);
+  require('./install/koa-body5')(core);
+  require('./install/koa-bodyparser4')(core);
+  require('./install/multer1')(core);
+  require('./install/qs6')(core);
+  require('./install/universal-cookie4')(core);
+
+  // framework specific instrumentation
   require('./install/fastify3')(core);
   require('./install/koa2')(core);
+  require('./install/express4')(core);
 
   inputAnalysis.install = function() {
-    inputAnalysis.httpInstrumentation.install();
-    inputAnalysis.fastifyInstrumentation.install();
-    inputAnalysis.koaInstrumentation.install();
+    Object.values(inputAnalysis)
+      .filter((property) => property.install)
+      .forEach((library) => {
+        library.install();
+      });
   };
 
   return inputAnalysis;