@contrast/protect 1.2.1 → 1.4.0

package/lib/error-handlers/constants.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 module.exports = {

package/lib/error-handlers/index.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 module.exports = function(core) {
@@ -5,10 +20,12 @@ module.exports = function(core) {
 
   require('./install/fastify3')(core);
   require('./install/koa2')(core);
+  require('./install/express4')(core);
 
   errorHandlers.install = function() {
     errorHandlers.fastify3ErrorHandler.install();
     errorHandlers.koa2ErrorHandler.install();
+    errorHandlers.express4ErrorHandler.install();
   };
 
   return errorHandlers;

package/lib/error-handlers/install/express4.js

@@ -0,0 +1,89 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const SecurityException = require('../../security-exception');
+const { patchType } = require('../constants');
+
+
+module.exports = function(core) {
+  const {
+    logger,
+    depHooks,
+    patcher,
+    protect,
+  } = core;
+
+  const express4ErrorHandler = protect.errorHandlers.express4ErrorHandler = {};
+
+  express4ErrorHandler.install = function () {
+    depHooks.resolve({ name: 'finalhandler' }, (finalhandler) =>
+      patcher.patch(finalhandler, {
+        name: 'finalHandler',
+        patchType,
+        post(data) {
+          data.result = patcher.patch(data.result, {
+            name: 'finalHandler.returnedFunction',
+            patchType,
+            around(org, data) {
+              const [err] = data.args;
+              const sourceContext = protect.getSourceContext('finalHandler');
+              const isSecurityException = SecurityException.isSecurityException(err);
+
+              if (isSecurityException && sourceContext) {
+                const blockInfo = sourceContext.findings.securityException;
+
+                sourceContext.block(...blockInfo);
+                return;
+              }
+
+              if (!sourceContext && isSecurityException) {
+                logger.info('source context not found; unable to handle response');
+              }
+              org();
+            },
+          });
+        },
+      })
+    );
+
+    depHooks.resolve({ name: 'express', version: '>=4.0.0', file: 'lib/router/layer.js' }, (Layer) => {
+      patcher.patch(Layer.prototype, 'handle_error', {
+        name: 'Layer.prototype.handle_error',
+        patchType,
+        around(org, data) {
+          const [err] = data.args;
+          const sourceContext = protect.getSourceContext('express.Layer.handle_error');
+          const isSecurityException = SecurityException.isSecurityException(err);
+
+          if (isSecurityException && sourceContext) {
+            const blockInfo = sourceContext.findings.securityException;
+
+            sourceContext.block(...blockInfo);
+            return;
+          }
+
+          if (!sourceContext && isSecurityException) {
+            logger.info('source context not found; unable to handle response');
+          }
+          org();
+        }
+      });
+    });
+  };
+
+  return express4ErrorHandler;
+};

package/lib/error-handlers/install/fastify3.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 const { isSecurityException } = require('../../security-exception');
@@ -5,10 +20,8 @@ const { patchType } = require('../constants');
 
 module.exports = function(core) {
   const {
-    logger,
     depHooks,
     patcher,
-    scopes: { sources },
     protect,
   } = core;
 
@@ -44,9 +57,9 @@ module.exports = function(core) {
     const normalHandler = fastify3ErrorHandler._userHandler || fastify3ErrorHandler.defaultErrorHandler;
 
     if (isSecurityException(err)) {
-      const sourceContext = sources.getStore()?.protect;
+      const sourceContext = protect.getSourceContext('fastify3.errorHandler');
+
       if (!sourceContext) {
-        logger.info('source context not found; unable to handle response');
         normalHandler.call(this, err, request, reply);
       } else {
         const blockInfo = sourceContext.findings.securityException;

package/lib/error-handlers/install/koa2.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 const SecurityException = require('../../security-exception');
@@ -9,7 +24,6 @@ module.exports = function(core) {
     logger,
     depHooks,
     patcher,
-    scopes: { sources },
     protect,
   } = core;
 
@@ -27,7 +41,7 @@ module.exports = function(core) {
             patchType,
             around(org, data) {
               const [err] = data.args;
-              const sourceContext = sources.getStore()?.protect;
+              const sourceContext = protect.getSourceContext('Koa.Application.handleRequest');
               const isSecurityException = SecurityException.isSecurityException(err);
 
               if (isSecurityException && sourceContext) {

package/lib/esm-loader.mjs

@@ -1,2 +1,17 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 import esmHooks from '@contrast/esm-hooks';
 export const { getSource, transformSource, load } = esmHooks();

package/lib/get-source-context.js

@@ -0,0 +1,33 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+module.exports = function(core) {
+  const { scopes: { sources }, logger } = core;
+
+  function getSourceContext(callPoint) {
+    const sourceContext = sources.getStore()?.protect;
+
+    if (!sourceContext) {
+      logger.debug(`source context not available in ${callPoint}`);
+      return null;
+    }
+
+    return sourceContext.allowed ? null : sourceContext;
+  }
+
+  core.protect.getSourceContext = getSourceContext;
+};

package/lib/hardening/constants.js

@@ -0,0 +1,20 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+module.exports = {
+  patchType: 'protect-hardening'
+};

package/lib/hardening/handlers.js

@@ -0,0 +1,65 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { BLOCKING_MODES, isString } = require('@contrast/common');
+
+const NODE_SERIALIZE_RCE_TOKEN = '_$$ND_FUNC$$_';
+
+module.exports = function(core) {
+  const {
+    protect: {
+      hardening,
+      throwSecurityException,
+    }
+  } = core;
+
+  function getResults(sourceContext, ruleId) {
+    let results = sourceContext.findings.hardeningResultsMap[ruleId];
+    if (!results) {
+      results = sourceContext.findings.hardeningResultsMap[ruleId] = [];
+    }
+    return results;
+  }
+
+  hardening.handleUntrustedDeserialization = function(sourceContext, sinkContext) {
+    const ruleId = 'untrusted-deserialization';
+    const { mode } = sourceContext.rules.agentRules[ruleId];
+    const { name, value } = sinkContext;
+
+    if (mode === 'off') return;
+
+    if (name === 'node-serialize.unserialize') {
+      if (!isString(value) || !value.indexOf(NODE_SERIALIZE_RCE_TOKEN)) return;
+
+      const blocked = BLOCKING_MODES.includes(mode);
+      const results = getResults(sourceContext, ruleId);
+
+      results.push({
+        blocked,
+        findings: { deserializer: name, command: false },
+        sinkContext,
+      });
+
+      if (blocked) {
+        sourceContext.findings.securityException = [mode, ruleId];
+        throwSecurityException(sourceContext);
+      }
+    }
+  };
+
+  return hardening;
+};

package/lib/hardening/index.js

@@ -0,0 +1,29 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+module.exports = function(core) {
+  const hardening = core.protect.hardening = {};
+
+  require('./handlers')(core);
+
+  require('./install/node-serialize0')(core);
+  hardening.install = function() {
+    hardening.nodeSerialize0Instrumentation.install();
+  };
+
+  return hardening;
+};

package/lib/hardening/install/node-serialize0.js

@@ -0,0 +1,59 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../constants');
+
+module.exports = function(core) {
+  const {
+    depHooks,
+    patcher,
+    captureStacktrace,
+    protect,
+    protect: {
+      hardening
+    }
+  } = core;
+
+  function install() {
+    const name = 'node-serialize';
+    const method = 'unserialize';
+
+    depHooks.resolve(
+      { name, version: '<1.0.0' },
+      (nodeSerialize) => {
+        patcher.patch(nodeSerialize, method, {
+          name,
+          patchType,
+          pre({ args: [value], hooked, orig }) {
+            const sourceContext = protect.getSourceContext(`${name}.${method}`);
+
+            if (!sourceContext || !value) return;
+
+            const sinkContext = captureStacktrace(
+              { name: `${name}.${method}`, value },
+              { constructorOpt: hooked, prependFrames: [orig] },
+            );
+            hardening.handleUntrustedDeserialization(sourceContext, sinkContext);
+          },
+        });
+      });
+  }
+
+  return hardening.nodeSerialize0Instrumentation = {
+    install
+  };
+};

package/lib/index.d.ts

@@ -1,29 +1,139 @@
+
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 import { Core } from '@contrast/core';
+import { Logger } from '@contrast/logger';
+import { Sources } from '@contrast/scopes';
+import RequireHook from '@contrast/require-hook';
+import { RulesConfig, Messages, ReqData, ProtectMessage, Findings } from '@contrast/common';
+import { IncomingMessage, ServerResponse } from 'node:http';
+import { Config } from '@contrast/config';
+import * as http from 'node:http';
+import * as https from 'node:https';
+
+type Http = typeof http;
+type Https = typeof https;
+
+export type Block = (mode: string, ruleId: string) => void;
+export class HttpInstrumentation {
+  messages: Messages;
+  scope: Sources;
+  config: Config;
+  logger: Logger;
+  depHooks: RequireHook;
+  protect: ProtectMessage;
+  makeSourceContext: Protect['makeSourceContext'];
+  maxBodySize: number;
+  installed: boolean;
+
+  constructor(core: Core);
+
+  install(): void;
+  uninstall(): void; //NYI
+  hookHttp(): void;
+  hookHttps(): void;
+  hookServer(xport: Http | Https): void;
+  initiateRequestHandling(fnContext: { instance: any, method: any, args: any }): void; //TODO
+  removeCookies(headers: string[]): string[];
+}
+
+export interface ProtectRequestStore {
+  reqData: ReqData;
+  block: Block;
+  rules: {
+    agentLibRules: RulesConfig;
+    agentLibRulesMask: number;
+    agentRules: RulesConfig;
+  };
+  exclusions: any[]; // TODO
+  virtualPatches: any[]; // TODO
+  findings: Findings;
+}
+
+export interface ConnectInputs {
+  headers: string[],
+  uriPath: string,
+  method: string,
+  queries?: string
+}
 
-// TODO
 export interface Protect {
-  makeResponseBlocker: () => void,
-  makeSourceContext: () => void,
+  makeResponseBlocker: (res: ServerResponse) => Block,
+  makeSourceContext: (req: IncomingMessage, res: ServerResponse) => ProtectRequestStore,
+  throwSecurityException: (sourceContext: ProtectRequestStore) => void,
   inputAnalysis: {
-    handleConnect: () => void,
-    handleRequestEnd: () => void,
-    handleRawBody: () => void,
-    handleQueryParams: () => void,
-    handleUrlParams: () => void,
-    handleCookies: () => void,
-    handleParsedBody: () => void,
-    handleFileuploadName: () => void,
+    handleConnect: (sourceContext: ProtectRequestStore, connectInputs: ConnectInputs) => undefined | [string, string],
+    handleRequestEnd: (sourceContext: ProtectRequestStore) => void, //NYI
+    handleParsedBody: (sourceContext: ProtectRequestStore, parsedBody: { [key: string]: any }) => void,
+    handleQueryParams: (sourceContext: ProtectRequestStore, queryParams: { [key: string]: any }) => void,
+    handleUrlParams: (sourceContext: ProtectRequestStore, urlParams: { [key: string]: any }) => void,
+    handleCookies: (sourceContext: ProtectRequestStore, cookies: { [key: string]: any }) => void,
+    handleFileuploadName: (sourceContext: ProtectRequestStore, name: string) => void, //NYI
+    librariesInstrumentation: {
+      bodyParser: { install: () => void },
+      coBody: { install: () => void },
+      cookieParser: { install: () => void },
+      formidable: { install: () => void },
+      multer: { install: () => void },
+      qs: { install: () => void },
+      universalCookie: { install: () => void },
+    },
+    expressInstrumentation: { install: () => void },
+    fastifyInstrumentation: { install: () => void },
+    koaInstrumentation: { install: () => void },
+    httpInstrumentation: HttpInstrumentation,
     install: () => void,
   },
   inputTracing: {
-    getResultsByRuleId: () => void,
-    handlerFactory: () => void,
-    handlePathTraversal: () => void,
-    handleCommandInjection: () => void,
-    handleSqlInjection: () => void,
+    handlePathTraversal: (sourceContext: ProtectRequestStore, sinkContext: { name: string, value: string, stack: { [key: string]: any }[] }) => void,
+    handleCommandInjection: (sourceContext: ProtectRequestStore, sinkContext: { name: string, value: string, stack: { [key: string]: any }[] }) => void,
+    handleSqlInjection: (sourceContext: ProtectRequestStore, sinkContext: { name: string, value: string, stack: { [key: string]: any }[] }) => void,
+    nosqlInjectionMongo: (sourceContext: ProtectRequestStore, sinkContext: { name: string, value: any, stack: { [key: string]: any }[] }) => void,
+    ssjsInjection: () => void, //NYI
+    fsInstrumentation: {
+      getValues: (indices: number[], args: any) => string[],
+      install: () => void
+    },
+    cpInstrumentation: { install: () => void },
+    mysqlInstrumentation: {
+      getValueFromArgs: ([value]: any[]) => string | undefined,
+      install: () => void
+    },
+    postgresInstrumentation: {
+      getQueryFromArgs: ([value]: any[]) => string | undefined,
+      install: () => void
+    },
+    mongodbInstrumentation: { install: () => void },
+    sqlite3Instrumentation: { install: () => void },
+    sequelizeInstrumentation: {
+      getQueryFromArgs: ([value]: any[]) => string | undefined,
+      install: () => void
+    },
+    httpInstrumentation: { install: () => void },
     install: () => void
   }
   errorHandlers: {
+    fastify3ErrorHandler: {
+      _userHandler: null | ((...args: any[]) => any),
+      defaultErrorHandler: (error: Error, request: IncomingMessage, reply: ServerResponse) => void,
+      handler: (err: Error, request: IncomingMessage, reply: ServerResponse) => void,
+      install: () => void
+    }
+    koa2ErrorHandler: { install: () => void },
+    express4ErrorHandler: { install: () => void },
     install: () => void,
   },
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
@@ -31,6 +141,4 @@ export interface Protect {
   version: string,
 }
 
-declare function init(core: Core): Protect;
-
-export default init;
+export default function(core: Core): ProtectMessage;

package/lib/index.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 const agentLib = require('@contrast/agent-lib');
@@ -18,8 +33,11 @@ module.exports = function(core) {
   require('./throw-security-exception')(core);
   require('./make-response-blocker')(core);
   require('./make-source-context')(core);
+  require('./get-source-context')(core);
   require('./input-analysis')(core);
   require('./input-tracing')(core);
+  require('./hardening')(core);
+  require('./semantic-analysis')(core);
   require('./error-handlers')(core);
 
   const pkj = require('../package.json');
@@ -28,6 +46,7 @@ module.exports = function(core) {
   protect.install = function() {
     protect.inputAnalysis.install();
     protect.inputTracing.install();
+    protect.hardening.install();
     protect.errorHandlers.install();
   };
 

package/lib/input-analysis/constants.js

@@ -0,0 +1,20 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+module.exports = {
+  patchType: 'protect-input-analysis',
+};