@contrast/protect 1.2.0 → 1.3.0

package/lib/input-analysis/install/formidable.js

@@ -1,53 +0,0 @@
-'use strict';
-
-module.exports = (core) => {
-  const {
-    depHooks,
-    patcher,
-    logger,
-    scopes: { sources },
-    protect: { inputAnalysis },
-  } = core;
-
-  return {
-    // Patch `formidable`
-    install() {
-      depHooks.resolve({ name: 'formidable' }, (formidable) => {
-        formidable.IncomingForm.prototype.parse = patcher.patch(formidable.IncomingForm.prototype.parse, {
-          name: 'Formidable.IncomingForm.prototype.parse',
-          patchType: 'framework-patch',
-          pre(data) {
-            const origCb = data.args[1];
-
-            function hookedCb(...cbArgs) {
-              const sourceContext = sources.getStore()?.protect;
-              const [, fields, files] = cbArgs;
-
-              if (!sourceContext) {
-                logger.debug('source context not available in `formidable` hook');
-              } else {
-                if (fields) {
-                  sourceContext.parsedBody = fields;
-                  inputAnalysis.handleParsedBody(sourceContext, fields);
-                }
-                if (files) {
-                  logger.debug('Check for vulnerable filename upload nyi');
-                  // CHECK FILENAME - NYI
-                }
-              }
-
-              if (origCb && typeof origCb === 'function') {
-                // Should we explicitly run in the current source context?
-                origCb.apply(this, cbArgs);
-              }
-            }
-
-            data.args[1] = hookedCb;
-          }
-        });
-
-        return formidable;
-      });
-    }
-  };
-};

package/lib/input-analysis/install/multer.js

@@ -1,52 +0,0 @@
-'use strict';
-
-module.exports = (core) => {
-  const {
-    depHooks,
-    patcher,
-    logger,
-    scopes: { sources },
-    protect: { inputAnalysis },
-  } = core;
-
-  return {
-    // Patch `multer`
-    install() {
-      depHooks.resolve({ name: 'multer', file: 'lib/make-middleware.js' }, (multerMakeMiddleware) => patcher.patch(multerMakeMiddleware, {
-        name: 'multer.make-middleware',
-        patchType: 'framework-patch',
-        post(data) {
-          data.result = patcher.patch(data.result, {
-            name: 'multerMiddleware',
-            patchType: 'framework-patch',
-            pre(data) {
-              const [req, , origNext] = data.args;
-
-              async function contrastNext() {
-
-                const sourceContext = sources.getStore()?.protect;
-
-                if (!sourceContext) {
-                  logger.debug('source context not available in `multer` hook');
-                } else {
-                  if (req.body) {
-                    sourceContext.parsedBody = req.body;
-                    inputAnalysis.handleParsedBody(sourceContext, req.body);
-                  }
-                  if (req.file || req.files) {
-                    logger.debug('Check for vulnerable filename upload nyi');
-                    // CHECK FILENAME - NYI
-                  }
-                }
-
-                await origNext();
-              }
-
-              data.args[2] = contrastNext;
-            }
-          });
-        }
-      }));
-    }
-  };
-};

package/lib/input-analysis/install/qs.js

@@ -1,40 +0,0 @@
-'use strict';
-
-module.exports = (core) => {
-  const {
-    depHooks,
-    patcher,
-    logger,
-    scopes: { sources },
-    protect: { inputAnalysis },
-  } = core;
-
-  return {
-    // Patch `qs`
-    install() {
-      depHooks.resolve({ name: 'qs' },
-        (qs) => patcher.patch(qs, 'parse', {
-          name: 'qs',
-          patchType: 'framework-patch',
-          post({ args, result }) {
-            if (result && Object.keys(result).length) {
-              const sourceContext = sources.getStore()?.protect;
-
-              if (!sourceContext) {
-                logger.debug('source context not available in `qs` hook');
-
-              // We need to run analysis for the `qs` result only when it's used as a query parser.
-              // `qs` is used also for parsing bodies, but these cases we handle individually with
-              // the respective library that's using it (e.g. `formidable`, `co-body`) because in
-              // some cases its use is optional and we cannot rely on it.
-              } else if (sourceContext.reqData?.queries === args[0]) {
-                sourceContext.parsedQuery = result;
-                inputAnalysis.handleQueryParams(sourceContext, result);
-              }
-            }
-          }
-        })
-      );
-    }
-  };
-};

package/lib/input-analysis/install/universal-cookie.js

@@ -1,34 +0,0 @@
-'use strict';
-
-module.exports = (core) => {
-  const {
-    depHooks,
-    patcher,
-    logger,
-    scopes: { sources },
-    protect: { inputAnalysis },
-  } = core;
-
-  return {
-  // Patch `universal-cookie` package
-    install() {
-      depHooks.resolve({ name: 'universal-cookie', file: 'cjs/utils.js' }, (uCookieUtils) => patcher.patch(uCookieUtils, 'parseCookies', {
-        name: 'universal-cookie.utils',
-        patchType: 'framework-patch',
-        post({ result }) {
-          if (result && Object.keys(result).length) {
-            const sourceContext = sources.getStore()?.protect;
-
-            if (!sourceContext) {
-              logger.debug('source context not available in `universal-cookie` hook');
-            } else {
-              sourceContext.parsedCookies = result;
-              inputAnalysis.handleCookies(sourceContext, result);
-            }
-          }
-        }
-      })
-      );
-    }
-  };
-};

package/lib/input-tracing/handlers/nosql-injection-mongo.js

@@ -1,48 +0,0 @@
-'use strict';
-
-/* c8 ignore start */
-// this is just the general structure of how to handle mongo sinks
-const util = require('util');
-
-const { simpleTraverse } = require('../../utils');
-
-function mongoSink(results, sinkContext) {
-  if (typeof sinkContext.value === 'object') {
-    return handleObjectValue(results, sinkContext.value);
-  } else if (typeof sinkContext.value === 'string') {
-    return handleStringValue(results, sinkContext.value);
-  }
-
-  return null;
-}
-
-function handleObjectValue(results, object) {
-  for (const result of results) {
-    simpleTraverse(object, function(path, type, value) {
-      if (type !== 'Key') {
-        return;
-      }
-      // the result value is the key that was found
-      if (result.value === value) {
-        // does the object at this path equal the user input?
-        let obj = object;
-        for (const p of path) {
-          obj = obj[p];
-        }
-        obj = obj[value];
-        // does the found object in the query equal the saved object?
-        if (util.isDeepStrictEqual(obj, object)) {
-          //
-        }
-      }
-    });
-  }
-}
-
-function handleStringValue(results, string) {
-  // nyi
-}
-
-module.exports = mongoSink;
-
-/* c8 ignore stop */