@contrast/protect 1.2.0 → 1.3.0

package/lib/input-analysis/install/body-parser1.js

@@ -0,0 +1,130 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { isSecurityException } = require('../../security-exception');
+
+module.exports = (core) => {
+  const {
+    depHooks,
+    logger,
+    scopes: { sources },
+    protect: { inputAnalysis },
+  } = core;
+
+  function contrastNext(req, origNext, fnName) {
+    return function next(origErr) {
+      const sourceContext = sources.getStore()?.protect;
+      let securityException;
+
+      if (!sourceContext) {
+        logger.debug(`source context not available in \`body-parser\`'s \`${fnName}\` hook`);
+      } else {
+        if (req.body && Object.keys(req.body).length) {
+          sourceContext.parsedBody = req.body;
+
+          try {
+            inputAnalysis.handleParsedBody(sourceContext, req.body);
+          } catch (err) {
+            if (isSecurityException(err)) {
+              securityException = err;
+            } else {
+              logger.error({ err }, 'Unexpected error during input analysis');
+            }
+          }
+        }
+      }
+      const error = securityException || origErr;
+
+      origNext(error);
+    };
+  }
+
+  // Patch body parser - `body-parser` used by `express` framework
+  function install() {
+    depHooks.resolve({ name: 'body-parser' }, (bodyParser) => {
+      const origBodyParser = bodyParser;
+
+      const { json: origJson, raw: origRaw, text: origText, urlencoded: origUrlencoded } = bodyParser;
+      const fnArr = [
+        {
+          key: 'json',
+          original: origJson,
+        },
+        {
+          key: 'raw',
+          original: origRaw,
+        },
+        {
+          key: 'text',
+          original: origText,
+        },
+        {
+          key: 'urlencoded',
+          original: origUrlencoded,
+        }
+      ];
+
+      bodyParser = function bodyParser(...args) {
+        const parser = origBodyParser(...args);
+        const hookedParser = function(req, res, next) {
+          parser(req, res, contrastNext(req, next, 'bodyParser'));
+        };
+
+        Object.defineProperty(hookedParser, 'name', {
+          value: 'bodyParser'
+        });
+
+        return hookedParser;
+      };
+
+      fnArr.forEach((fn) => {
+        const fnName = `bodyParser.${fn.key}`;
+        function contrastHooked(...args) {
+          const parser = fn.original(...args);
+          const hookedParser = function (req, res, next) {
+            if (!req.body) {
+              parser(req, res, next);
+            } else {
+              parser(req, res, contrastNext(req, next, fnName));
+            }
+          };
+
+          Object.defineProperty(hookedParser, 'name', {
+            value: `${fn.key}Parser`
+          });
+
+          return hookedParser;
+        }
+
+        Object.defineProperty(bodyParser, fn.key, {
+          configurable: true,
+          enumerable: true,
+          get: () => contrastHooked,
+        });
+      });
+
+      return bodyParser;
+    }
+    );
+  }
+
+  const bodyParser1Instrumentation = inputAnalysis.bodyParser1Instrumentation = {
+    install
+  };
+
+  return bodyParser1Instrumentation;
+};

package/lib/input-analysis/install/cookie-parser1.js

@@ -0,0 +1,82 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../constants');
+const { isSecurityException } = require('../../security-exception');
+
+module.exports = (core) => {
+  const {
+    depHooks,
+    patcher,
+    logger,
+    scopes: { sources },
+    protect: { inputAnalysis },
+  } = core;
+
+  // Patch `cookie-parser` package
+  function install() {
+    depHooks.resolve({ name: 'cookie-parser' }, (cookieParser) => patcher.patch(cookieParser, {
+      name: 'cookie-parser',
+      patchType,
+      post(data) {
+        data.result = patcher.patch(data.result, {
+          name: 'cookie-parser',
+          patchType,
+          pre(data) {
+            const [req, , origNext] = data.args;
+
+            function contrastNext(origErr) {
+              const sourceContext = sources.getStore()?.protect;
+              let securityException;
+
+              if (!sourceContext) {
+                logger.debug('source context not available in `cookie-parser` hook');
+              } else {
+                if ((req.cookies && Object.keys(req.cookies).length) || (req.signedCookies && Object.keys(req.signedCookies).length)) {
+                  sourceContext.parsedCookies = { ...req.cookies, ...req.signedCookies };
+
+                  try {
+                    inputAnalysis.handleCookies(sourceContext, sourceContext.parsedCookies);
+                  } catch (err) {
+                    if (isSecurityException(err)) {
+                      securityException = err;
+                    } else {
+                      logger.error({ err }, 'Unexpected error during input analysis');
+                    }
+                  }
+                }
+              }
+
+              const error = securityException || origErr;
+
+              origNext(error);
+            }
+
+            data.args[2] = contrastNext;
+          }
+        });
+      }
+    })
+    );
+  }
+
+  const cookieParser1Instrumentation = inputAnalysis.cookieParser1Instrumentation = {
+    install
+  };
+
+  return cookieParser1Instrumentation;
+};

package/lib/input-analysis/install/express4.js

@@ -0,0 +1,108 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../constants');
+const { isSecurityException } = require('../../security-exception');
+
+/**
+ * Function that exports an install method to patch Express framework with our instrumentation
+ * @param {Object} core - the core Contrast object in v5
+ * @return {Object}     object with install method and the other relative functions exported for testing purposes
+ */
+module.exports = (core) => {
+  const {
+    depHooks,
+    patcher,
+    logger,
+    scopes: { sources },
+    protect: { inputAnalysis },
+  } = core;
+
+  /**
+   * registers a depHook for express module instrumentation
+   */
+  function install() {
+    depHooks.resolve({ name: 'express', version: '>=4.0.0 <5.0.0', file: 'lib/middleware/query.js' }, (query) => patcher.patch(query, {
+      name: 'Express.query',
+      patchType,
+      post(data) {
+        data.result = patcher.patch(data.result, {
+          name: 'Express.query',
+          patchType,
+          pre(data) {
+            const [req, , origNext] = data.args;
+
+            function contrastNext(origErr) {
+              const sourceContext = sources.getStore()?.protect;
+              let securityException;
+
+              if (!sourceContext) {
+                logger.debug('source context not available in `Express.query` hook');
+
+                // It is possible for the query to be already parsed by `qs`
+                // which means that we've already handled/analyzed it.
+                // So we check whether we already have the `parsedQuery` property in the context
+              } else if (req.query && Object.keys(req.query).length && (!('parsedQuery' in sourceContext))) {
+                sourceContext.parsedQuery = req.query;
+
+                try {
+                  inputAnalysis.handleQueryParams(sourceContext, req.query);
+                } catch (err) {
+                  if (isSecurityException(err)) {
+                    securityException = err;
+                  } else {
+                    logger.error({ err }, 'Unexpected error during input analysis');
+                  }
+                }
+              }
+
+              const error = securityException || origErr;
+
+              origNext(error);
+            }
+
+            data.args[2] = contrastNext;
+          }
+        });
+      }
+    }));
+
+    depHooks.resolve({ name: 'express', version: '>=4.0.0 <5.0.0', file: 'lib/router/layer.js' }, (Layer) => {
+      patcher.patch(Layer.prototype, 'handle_request', {
+        name: 'express.Layer.prototype.handle_request',
+        patchType,
+        pre(data) {
+          const { obj: { params } } = data;
+          const sourceContext = sources.getStore()?.protect;
+
+          if (!sourceContext) {
+            logger.debug('source context not available in `express.Layer.prototype.handle_request` hook');
+          } else if (params && Object.keys(params).length) {
+            sourceContext.parsedParams = params;
+            inputAnalysis.handleUrlParams(sourceContext, params);
+          }
+        }
+      });
+    });
+  }
+
+  const express4Instrumentation = inputAnalysis.express4Instrumentation = {
+    install
+  };
+
+  return express4Instrumentation;
+};

package/lib/input-analysis/install/fastify3.js

@@ -1,5 +1,23 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
+const { patchType } = require('../constants');
+const { isSecurityException } = require('../../security-exception');
+
 /**
  * Function that exports an install method to patch Fastify framework with our instrumentation
  * @param {Object} core - the core Contrast object in v5
@@ -29,7 +47,7 @@ module.exports = (core) => {
   function patchFastify(fastify) {
     return patcher.patch(fastify, {
       name: 'fastify.build',
-      patchType: 'framework-patch',
+      patchType,
       post({ result: server }) {
         server.addHook('preValidation', preValidationHook);
       },
@@ -45,35 +63,45 @@ module.exports = (core) => {
    */
   function preValidationHook(request, reply, done) {
     const sourceContext = sources.getStore()?.protect;
+    let securityException;
 
     if (!sourceContext) {
       logger.debug('source context not available in fastify prevalidation hook');
     } else {
-      if (request.params) {
-        sourceContext.parsedParams = request.params;
-        inputAnalysis.handleUrlParams(sourceContext, request.params);
-      }
-      if (request.cookies) {
-        sourceContext.parsedCookies = request.cookies;
-        inputAnalysis.handleCookies(sourceContext, request.cookies);
-      }
-      if (request.body) {
-        sourceContext.parsedBody = request.body;
-        inputAnalysis.handleParsedBody(sourceContext, request.body);
-      }
+      try {
+        if (request.params) {
+          sourceContext.parsedParams = request.params;
+          inputAnalysis.handleUrlParams(sourceContext, request.params);
+        }
+        if (request.cookies) {
+          sourceContext.parsedCookies = request.cookies;
+          inputAnalysis.handleCookies(sourceContext, request.cookies);
+        }
+        if (request.body) {
+          sourceContext.parsedBody = request.body;
+          inputAnalysis.handleParsedBody(sourceContext, request.body);
+        }
 
-      if (request.query) {
-        sourceContext.parsedQuery = request.query;
-        inputAnalysis.handleQueryParams(sourceContext, request.query);
+        if (request.query) {
+          sourceContext.parsedQuery = request.query;
+          inputAnalysis.handleQueryParams(sourceContext, request.query);
+        }
+      } catch (err) {
+        if (isSecurityException(err)) {
+          securityException = err;
+        } else {
+          logger.error({ err }, 'Unexpected error during input analysis');
+        }
       }
     }
-    done();
+
+    done(securityException);
   }
 
-  const fastifyInstrumentation = inputAnalysis.fastifyInstrumentation = {
+  const fastify3Instrumentation = inputAnalysis.fastify3Instrumentation = {
     preValidationHook,
     install,
   };
 
-  return fastifyInstrumentation;
+  return fastify3Instrumentation;
 };

package/lib/input-analysis/install/formidable1.js

@@ -0,0 +1,73 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../constants');
+
+module.exports = (core) => {
+  const {
+    depHooks,
+    patcher,
+    logger,
+    scopes: { sources },
+    protect: { inputAnalysis },
+  } = core;
+
+  // Patch `formidable`
+  function install() {
+    depHooks.resolve({ name: 'formidable' }, (formidable) => {
+      formidable.IncomingForm.prototype.parse = patcher.patch(formidable.IncomingForm.prototype.parse, {
+        name: 'Formidable.IncomingForm.prototype.parse',
+        patchType,
+        pre(data) {
+          const origCb = data.args[1];
+
+          function hookedCb(...cbArgs) {
+            const sourceContext = sources.getStore()?.protect;
+            const [, fields, files] = cbArgs;
+
+            if (!sourceContext) {
+              logger.debug('source context not available in `formidable` hook');
+            } else {
+              if (fields) {
+                sourceContext.parsedBody = fields;
+                inputAnalysis.handleParsedBody(sourceContext, fields);
+              }
+              if (files) {
+                logger.debug('Check for vulnerable filename upload nyi');
+                // TODO: NODE-2601
+              }
+            }
+
+            if (origCb && typeof origCb === 'function') {
+              origCb.apply(this, cbArgs);
+            }
+          }
+
+          data.args[1] = hookedCb;
+        }
+      });
+
+      return formidable;
+    });
+  }
+
+  const formidable1Instrumentation = inputAnalysis.formidable1Instrumentation = {
+    install
+  };
+
+  return formidable1Instrumentation;
+};

package/lib/input-analysis/install/http.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 const { Event } = require('@contrast/common');
@@ -39,7 +54,9 @@ class HttpInstrumentation {
     this.hookHttps();
   }
 
-  uninstall() {}
+  uninstall() {
+    return null; //NYI
+  }
 
   /**
    * Sets hooks to instrument `http.Server.prototype`.

package/lib/input-analysis/install/koa-body5.js

@@ -0,0 +1,68 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../constants');
+
+module.exports = (core) => {
+  const {
+    depHooks,
+    patcher,
+    logger,
+    scopes: { sources },
+    protect: { inputAnalysis },
+  } = core;
+
+  // Patch `koa-body` package
+  function install() {
+    depHooks.resolve({ name: 'koa-body' }, (koaBody) => patcher.patch(koaBody, {
+      name: 'koa-body',
+      patchType,
+      post(data) {
+        data.result = patcher.patch(data.result, {
+          name: 'koa-body',
+          patchType,
+          pre(data) {
+            const [ctx, origNext] = data.args;
+
+            async function contrastNext(origErr) {
+              const sourceContext = sources.getStore()?.protect;
+
+              if (!sourceContext) {
+                logger.debug('source context not available in `koa-body` hook');
+              } else {
+                if (ctx.request.body && Object.keys(ctx.request.body).length) {
+                  sourceContext.parsedBody = ctx.request.body;
+                  inputAnalysis.handleParsedBody(sourceContext, ctx.request.body);
+                }
+              }
+
+              await origNext(origErr);
+            }
+
+            data.args[1] = contrastNext;
+          }
+        });
+      }
+    }));
+  }
+
+  const koaBody5Instrumentation = inputAnalysis.koaBody5Instrumentation = {
+    install
+  };
+
+  return koaBody5Instrumentation;
+};

package/lib/input-analysis/install/koa-bodyparser4.js

@@ -0,0 +1,68 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../constants');
+
+module.exports = (core) => {
+  const {
+    depHooks,
+    patcher,
+    logger,
+    scopes: { sources },
+    protect: { inputAnalysis },
+  } = core;
+
+  // Patch `koa-bodyparser` package
+  function install() {
+    depHooks.resolve({ name: 'koa-bodyparser' }, (koaBodyparser) => patcher.patch(koaBodyparser, {
+      name: 'koa-bodyparser',
+      patchType,
+      post(data) {
+        data.result = patcher.patch(data.result, {
+          name: 'koa-bodyparser',
+          patchType,
+          pre(data) {
+            const [ctx, origNext] = data.args;
+
+            async function contrastNext(origErr) {
+              const sourceContext = sources.getStore()?.protect;
+
+              if (!sourceContext) {
+                logger.debug('source context not available in `koa-bodyparser` hook');
+              } else {
+                if (ctx.request.body && Object.keys(ctx.request.body).length) {
+                  sourceContext.parsedBody = ctx.request.body;
+                  inputAnalysis.handleParsedBody(sourceContext, ctx.request.body);
+                }
+              }
+
+              await origNext(origErr);
+            }
+
+            data.args[1] = contrastNext;
+          }
+        });
+      }
+    }));
+  }
+
+  const koaBodyparser4Instrumentation = inputAnalysis.koaBodyparser4Instrumentation = {
+    install
+  };
+
+  return koaBodyparser4Instrumentation;
+};