@contrast/protect 1.2.0 → 1.3.0

package/lib/input-analysis/install/koa2.js

@@ -1,7 +1,24 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
+const { patchType } = require('../constants');
+
 /**
- * Function that exports an install method to patch Fastify framework with our instrumentation
+ * Function that exports an install method to patch Koa framework with our instrumentation
  * @param {Object} core - the core Contrast object in v5
  * @return {Object}     object with install method and the other relative functions exported for testing purposes
  */
@@ -19,14 +36,6 @@ module.exports = (core) => {
    */
   function install() {
     depHooks.resolve({ name: 'koa', version: '>=2.3.0' }, (Koa) => {
-      const coBodyPatch = require('./co-body.js')(core);
-      const multerPatch = require('./multer')(core);
-      const formidablePatch = require('./formidable')(core);
-      const qsPatch = require('./qs')(core);
-      const cookieParserPatch = require('./cookie-parser')(core);
-      const universalCookiePatch = require('./universal-cookie')(core);
-
-
       function contrastStartMiddleware(ctx, next) {
         if (ctx.query && Object.keys(ctx.query).length) {
           const sourceContext = sources.getStore()?.protect;
@@ -37,7 +46,6 @@ module.exports = (core) => {
             sourceContext.parsedQuery = ctx.query;
             inputAnalysis.handleQueryParams(sourceContext, ctx.query);
           }
-
         }
         return next();
       }
@@ -47,7 +55,7 @@ module.exports = (core) => {
 
       patcher.patch(Koa.prototype, 'use', {
         name: 'Koa.Application',
-        patchType: 'framework-patch',
+        patchType,
         pre({ obj: app }) {
           // if not already inserted, insert the initial middleware.
           if (
@@ -66,7 +74,7 @@ module.exports = (core) => {
           (layer) => {
             layer.prototype = patcher.patch(layer.prototype, 'params', {
               name: `[${router}].layer.prototype`,
-              patchType: 'framework-patch',
+              patchType,
               post({ result }) {
                 const sourceContext = sources.getStore()?.protect;
 
@@ -90,15 +98,15 @@ module.exports = (core) => {
         const { default: cookieParser } = koaCookie;
         koaCookie.default = patcher.patch(cookieParser, {
           name: 'koa-cookie',
-          patchType: 'framework-patch',
+          patchType,
           post(data) {
             data.result = patcher.patch(data.result, {
               name: 'koa-cookie',
-              patchType: 'framework-patch',
+              patchType,
               pre(data) {
                 const [ctx, origNext] = data.args;
 
-                async function contrastNext() {
+                async function contrastNext(origErr) {
                   const sourceContext = sources.getStore()?.protect;
 
                   if (!sourceContext) {
@@ -110,7 +118,7 @@ module.exports = (core) => {
                     }
                   }
 
-                  await origNext();
+                  await origNext(origErr);
                 }
 
                 data.args[1] = contrastNext;
@@ -119,19 +127,12 @@ module.exports = (core) => {
           }
         });
       });
-
-      coBodyPatch.install();
-      multerPatch.install();
-      formidablePatch.install();
-      qsPatch.install();
-      cookieParserPatch.install();
-      universalCookiePatch.install();
     });
   }
 
-  const koaInstrumentation = inputAnalysis.koaInstrumentation = {
+  const koa2Instrumentation = inputAnalysis.koa2Instrumentation = {
     install
   };
 
-  return koaInstrumentation;
+  return koa2Instrumentation;
 };

package/lib/input-analysis/install/multer1.js

@@ -0,0 +1,89 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../constants');
+const { isSecurityException } = require('../../security-exception');
+
+module.exports = (core) => {
+  const {
+    depHooks,
+    patcher,
+    logger,
+    scopes: { sources, wrap },
+    protect: { inputAnalysis },
+  } = core;
+
+  // Patch `multer`
+  function install() {
+    depHooks.resolve({ name: 'multer', file: 'lib/make-middleware.js' }, (multerMakeMiddleware) => patcher.patch(multerMakeMiddleware, {
+      name: 'multer.make-middleware',
+      patchType,
+      post(data) {
+        data.result = patcher.patch(data.result, {
+          name: 'multerMiddleware',
+          patchType,
+          pre(data) {
+            const [req, , origNext] = data.args;
+
+            // We are getting the sourceContext here because in the time of calling
+            // the contrastNext() method the context is lost
+            const sourceContext = sources.getStore()?.protect;
+            if (!sourceContext) {
+              logger.debug('source context not available in `multer` hook');
+              return;
+            }
+
+            function contrastNext(origErr) {
+              let securityException;
+
+              if (req.body) {
+                sourceContext.parsedBody = req.body;
+
+                try {
+                  inputAnalysis.handleParsedBody(sourceContext, req.body);
+                } catch (err) {
+                  if (isSecurityException(err)) {
+                    securityException = err;
+                  } else {
+                    logger.error({ err }, 'Unexpected error during input analysis');
+                  }
+                }
+              }
+
+              if (req.file || req.files) {
+                logger.debug('Check for vulnerable filename upload nyi');
+                // TODO: NODE-2601
+              }
+
+              const error = securityException || origErr;
+
+              origNext(error);
+            }
+
+            data.args[2] = wrap(contrastNext);
+          }
+        });
+      }
+    }));
+  }
+
+  const multer1Instrumentation = inputAnalysis.multer1Instrumentation = {
+    install
+  };
+
+  return multer1Instrumentation;
+};

package/lib/input-analysis/install/qs6.js

@@ -0,0 +1,61 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../constants');
+
+module.exports = (core) => {
+  const {
+    depHooks,
+    patcher,
+    logger,
+    scopes: { sources },
+    protect: { inputAnalysis },
+  } = core;
+
+  // Patch `qs`
+  function install() {
+    depHooks.resolve({ name: 'qs' },
+      (qs) => patcher.patch(qs, 'parse', {
+        name: 'qs',
+        patchType,
+        post({ args, result }) {
+          if (result && Object.keys(result).length) {
+            const sourceContext = sources.getStore()?.protect;
+
+            if (!sourceContext) {
+              logger.debug('source context not available in `qs` hook');
+
+              // We need to run analysis for the `qs` result only when it's used as a query parser.
+              // `qs` is used also for parsing bodies, but these cases we handle individually with
+              // the respective library that's using it (e.g. `formidable`, `co-body`) because in
+              // some cases its use is optional and we cannot rely on it.
+            } else if (sourceContext.reqData?.queries === args[0]) {
+              sourceContext.parsedQuery = result;
+              inputAnalysis.handleQueryParams(sourceContext, result);
+            }
+          }
+        }
+      })
+    );
+  }
+
+  const qs6Instrumentation = inputAnalysis.qs6Instrumentation = {
+    install
+  };
+
+  return qs6Instrumentation;
+};

package/lib/input-analysis/install/universal-cookie4.js

@@ -0,0 +1,56 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../constants');
+
+module.exports = (core) => {
+  const {
+    depHooks,
+    patcher,
+    logger,
+    scopes: { sources },
+    protect: { inputAnalysis },
+  } = core;
+
+
+  // Patch `universal-cookie` package
+  function install() {
+    depHooks.resolve({ name: 'universal-cookie', file: 'cjs/utils.js' }, (uCookieUtils) => patcher.patch(uCookieUtils, 'parseCookies', {
+      name: 'universal-cookie.utils',
+      patchType,
+      post({ result }) {
+        if (result && Object.keys(result).length) {
+          const sourceContext = sources.getStore()?.protect;
+
+          if (!sourceContext) {
+            logger.debug('source context not available in `universal-cookie` hook');
+          } else {
+            sourceContext.parsedCookies = result;
+            inputAnalysis.handleCookies(sourceContext, result);
+          }
+        }
+      }
+    })
+    );
+  }
+
+  const universalCookie4Instrumentation = inputAnalysis.universalCookie4Instrumentation = {
+    install
+  };
+
+  return universalCookie4Instrumentation;
+};

package/lib/input-tracing/constants.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 module.exports = {

package/lib/input-tracing/handlers/index.js

@@ -1,5 +1,23 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
+const util = require('util');
+const { simpleTraverse } = require('../../utils');
+
 module.exports = function(core) {
   const { protect: { agentLib, inputTracing, throwSecurityException } } = core;
 
@@ -9,87 +27,90 @@ module.exports = function(core) {
    * @param {object} context async storage data for protect
    * @returns {AnalysisResult[]}
    */
-  inputTracing.getResultsByRuleId = function(ruleId, context) {
+  function getResultsByRuleId(ruleId, context) {
+    if (context.rules.agentLibRules[ruleId].mode === 'off') {
+      return;
+    }
     return context.findings.resultsMap[ruleId];
-  };
+  }
 
-  /**
-   * Given a ruleId and an analysis function, wrap the analysis function
-   * with common setup and post-processing code.
-   */
-  inputTracing.handlerFactory = function(ruleId, analysisFn) {
-    /**
-     * This is the common API for INPUT TRACING instrumentation.
-     * @param {object} sourceContext
-     * @param {object} sinkContext
-     */
-    return function(sourceContext, sinkContext) {
-      if (sourceContext.rules.agentLibRules[ruleId].mode === 'off') {
-        return;
-      }
+  function handleFindings(sourceContext, sinkContext, ruleId, result, findings) {
+    result.details.push({ sinkContext, findings });
 
-      const results = inputTracing.getResultsByRuleId(ruleId, sourceContext);
-      if (!results) return;
+    const { mode } = sourceContext.rules.agentLibRules[ruleId];
 
-      for (const result of results) {
-        const findings = analysisFn(result, sinkContext);
+    if (['block', 'block_at_perimeter'].includes(mode)) {
+      result.blocked = true;
+      const blockInfo = [mode, ruleId];
+      sourceContext.findings.securityException = blockInfo;
+      throwSecurityException(sourceContext);
+    }
+  }
 
-        if (findings) {
-          result.details.push({ sinkContext, findings });
+  inputTracing.handlePathTraversal = function(sourceContext, sinkContext) {
+    const ruleId = 'path-traversal';
+    const results = getResultsByRuleId(ruleId, sourceContext);
 
-          if (sourceContext.rules.agentLibRules[ruleId].mode === 'block') {
-            result.blocked = true;
-            const blockInfo = ['block', ruleId];
-            sourceContext.findings.securityException = blockInfo;
-            throwSecurityException(sourceContext);
-          }
-        }
-      }
-    };
-  };
+    if (!results) return;
 
-  inputTracing.handlePathTraversal = inputTracing.handlerFactory(
-    'path-traversal',
-    function(result, sinkContext) {
+    for (const result of results) {
       const idx = sinkContext.value.indexOf(result.value);
-      return idx !== -1 ? { path: sinkContext.value } : null;
+      const findings = idx !== -1 ? { path: sinkContext.value } : null;
+
+      if (findings) {
+        handleFindings(sourceContext, sinkContext, ruleId, result, findings);
+      }
     }
-  );
+  };
+
+  inputTracing.handleCommandInjection = function(sourceContext, sinkContext) {
+    const ruleId = 'cmd-injection';
+    const results = getResultsByRuleId(ruleId, sourceContext);
 
-  inputTracing.handleCommandInjection = inputTracing.handlerFactory(
-    'cmd-injection',
-    function(result, sinkContext) {
+    if (!results) return;
+
+    for (const result of results) {
+      let findings = null;
       const inputIndex = sinkContext.value.indexOf(result.value);
       if (inputIndex !== -1) {
-        return agentLib.checkCommandInjectionSink(
+        findings = agentLib.checkCommandInjectionSink(
           inputIndex,
           result.value.length,
           sinkContext.value,
         );
       }
+
+      if (findings) {
+        handleFindings(sourceContext, sinkContext, ruleId, result, findings);
+      }
     }
-  );
+  };
+
+  inputTracing.handleSqlInjection = function(sourceContext, sinkContext) {
+    const ruleId = 'sql-injection';
+    const results = getResultsByRuleId(ruleId, sourceContext);
 
-  inputTracing.handleSqlInjection = inputTracing.handlerFactory(
-    'sql-injection',
-    function(result, sinkContext) {
-      let analysis = null;
+    if (!results) return;
+
+    for (const result of results) {
+      let findings = null;
 
       const inputIndex = sinkContext.value.indexOf(result.value);
+
       // if the user input is not in the sink input, there is nothing to do.
       if (inputIndex === -1) {
-        return analysis;
+        continue;
       }
 
       if (inputIndex === 0 && sinkContext.value === result.value) {
-        analysis = {
+        findings = {
           startIndex: 0,
           endIndex: result.value.length - 1,
           overrunIndex: 0,
           boundaryIndex: 0,
         };
       } else {
-        analysis = agentLib.checkSqlInjectionSink(
+        findings = agentLib.checkSqlInjectionSink(
           inputIndex,
           result.value.length,
           2,
@@ -97,21 +118,95 @@ module.exports = function(core) {
         );
       }
 
-      return analysis;
+      if (findings) {
+        handleFindings(sourceContext, sinkContext, ruleId, result, findings);
+      }
     }
-  );
+  };
+
+  inputTracing.nosqlInjectionMongo = function(sourceContext, sinkContext) {
+    const ruleId = 'nosql-injection-mongo';
+    const expansionResults = getResultsByRuleId(ruleId, sourceContext);
+    const stringResults = getResultsByRuleId('ssjs-injection', sourceContext);
 
-  inputTracing.nosqlInjectionMongo = inputTracing.handlerFactory(
-    'nosql-injection-mongo', require('./nosql-injection-mongo')
-  );
+    if (expansionResults) {
+      let expansionFindings = null;
+      for (const result of expansionResults) {
+        expansionFindings = handleObjectValue(result, sinkContext.value);
 
-  inputTracing.ssjsInjection = inputTracing.handlerFactory(
-    'ssjs-injection',
-    function(results, sinkContext) {
-      return null;
+        if (expansionFindings) {
+          handleFindings(sourceContext, sinkContext, ruleId, result, expansionFindings);
+        }
+      }
     }
-  );
+
+    if (stringResults) {
+      let stringFindings = null;
+      for (const result of stringResults) {
+        stringFindings = handleStringValue(result, sinkContext.value);
+
+        if (stringFindings) {
+          handleFindings(sourceContext, sinkContext, ruleId, result, stringFindings);
+        }
+      }
+    }
+  };
+
+  inputTracing.ssjsInjection = function(sourceContext, sinkContext) {
+    // 'ssjs-injection' NYI
+    return null;
+  };
 
   return inputTracing;
 };
 
+function handleObjectValue(result, object) {
+  if (typeof object !== 'object') {
+    return null;
+  }
+  let findings = null;
+  simpleTraverse(object, function(path, type, value) {
+    if (type !== 'Key' || findings) {
+      return;
+    }
+    // the result value is the key that was found
+    if (result.key === value) {
+      // does the object at this path equal the user input?
+      let obj = object;
+      for (const p of path) {
+        obj = obj[p];
+      }
+      obj = obj[value];
+      // does the found object in the query equal the saved object?
+      if (util.isDeepStrictEqual(obj, result.mongoContext.inputToCheck)) {
+        findings = { key: value };
+      }
+    }
+  });
+
+  return findings;
+}
+
+function handleStringValue(result, string) {
+  if (typeof string !== 'string') {
+    return null;
+  }
+  let findings = null;
+
+  const inputIndex = string.indexOf(result.value);
+  // if the user input is not in the sink input, there is nothing to do.
+  if (inputIndex === -1) {
+    return findings;
+  }
+
+  if (inputIndex === 0 && string === result.value) {
+    findings = {
+      startIndex: 0,
+      endIndex: result.value.length - 1,
+      overrunIndex: 0,
+      boundaryIndex: 0,
+    };
+  }
+
+  return findings;
+}

package/lib/input-tracing/index.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 /**
@@ -19,12 +34,14 @@ module.exports = function(core) {
   require('./install/child-process')(core);
   require('./install/mysql')(core);
   require('./install/postgres')(core);
+  require('./install/mongodb')(core);
 
   inputTracing.install = function() {
     inputTracing.fsInstrumentation.install();
     inputTracing.cpInstrumentation.install();
     inputTracing.mysqlInstrumentation.install();
     inputTracing.postgresInstrumentation.install();
+    inputTracing.mongodbInstrumentation.install();
     // TODO: NODE-2360 (2260?)
   };
 

package/lib/input-tracing/install/child-process.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 const { isString } = require('@contrast/common');
@@ -30,7 +45,7 @@ module.exports = function(core) {
 
             const sinkContext = captureStacktrace(
               { name, value },
-              { constructorOpt: data.hooked }
+              { constructorOpt: data.hooked, prependFrames: [data.orig] }
             );
             inputTracing.handleCommandInjection(sourceContext, sinkContext);
           }