@contrast/protect 1.2.1 → 1.4.0

package/lib/input-analysis/handlers.js

@@ -1,6 +1,22 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
-const { simpleTraverse } = require('../utils');
+const { BLOCKING_MODES, simpleTraverse } = require('@contrast/common');
+const address = require('ipaddr.js');
 
 //
 // these rules are not implemented by agent-lib, but are being considered for
@@ -95,8 +111,12 @@ module.exports = function(core) {
    * @returns {undefined|[String]} undefined to permit else [mode, rule] to block.
    */
   inputAnalysis.handleConnect = function handleConnect(sourceContext, connectInputs) {
+    if (!sourceContext || sourceContext.allowed) return;
+
     const { rules: { agentLibRules, agentLibRulesMask: mask } } = sourceContext;
 
+    inputAnalysis.handleVirtualPatches(sourceContext, { URLS: connectInputs.rawUrl, HEADERS: connectInputs.headers });
+
     // initialize findings to the basics
     let block = undefined;
     if (mask !== 0) {
@@ -115,12 +135,12 @@ module.exports = function(core) {
     throw new Error('nyi', sourceContext);
   };
 
-
   const jsonInputTypes = {
-    keyType: agentLib.InputType.JsonKey, valueType: agentLib.InputType.JsonValue
+    keyType: agentLib.InputType.JsonKey, inputType: agentLib.InputType.JsonValue
   };
+
   const parameterInputTypes = {
-    keyType: agentLib.InputType.ParameterKey, valueType: agentLib.InputType.ParameterValue
+    keyType: agentLib.InputType.ParameterKey, inputType: agentLib.InputType.ParameterValue
   };
 
   /**
@@ -140,11 +160,22 @@ module.exports = function(core) {
    * @param {Object} queryParams pojo {key: value, ...} for all query params/search params
    */
   inputAnalysis.handleQueryParams = function handleQueryParams(sourceContext, queryParams) {
+    if (sourceContext.analyzedQuery) return;
+    sourceContext.analyzedQuery = true;
+
     if (typeof queryParams !== 'object') {
       logger.debug({ queryParams }, 'handleQueryParams() called with non-object');
       return;
     }
-    commonObjectAnalyzer(sourceContext, queryParams, parameterInputTypes);
+
+
+    inputAnalysis.handleVirtualPatches(sourceContext, { PARAMETERS: queryParams });
+
+    const block = commonObjectAnalyzer(sourceContext, queryParams, parameterInputTypes);
+
+    if (block) {
+      core.protect.throwSecurityException(sourceContext);
+    }
   };
 
   /**
@@ -157,11 +188,16 @@ module.exports = function(core) {
    * @param {Object} urlParams pojo
    */
   inputAnalysis.handleUrlParams = function(sourceContext, urlParams) {
+    if (sourceContext.analyzedUrlParams) return;
+    sourceContext.analyzedUrlParams = true;
+
     if (typeof urlParams !== 'object') {
       logger.debug({ urlParams }, 'handleUrlParams() called with non-object');
       return;
     }
 
+    inputAnalysis.handleVirtualPatches(sourceContext, { PARAMETERS: urlParams });
+
     const { rules, rules: { agentLibRulesMask: mask } } = sourceContext;
     const resultsList = [];
     const { UrlParameter } = agentLib.InputType;
@@ -199,10 +235,11 @@ module.exports = function(core) {
       securityException: undefined,
       resultsList,
     };
+
     const block = mergeFindings(rules.agentLibRules, sourceContext.findings, urlParamsFindings);
 
     if (block) {
-      sourceContext.block(...block);
+      core.protect.throwSecurityException(sourceContext);
     }
   };
 
@@ -215,17 +252,23 @@ module.exports = function(core) {
    * @param {Object} cookies pojo
    */
   inputAnalysis.handleCookies = function(sourceContext, cookies) {
+    if (sourceContext.analyzedCookies) return;
+    sourceContext.analyzedCookies = true;
+
     const cookiesArr = Object.entries(cookies).reduce((acc, [key, value]) => {
       acc.push(key, value);
       return acc;
     }, []);
+
+    inputAnalysis.handleVirtualPatches(sourceContext, { HEADERS: cookies });
+
     const { rules, rules: { agentLibRulesMask: mask } } = sourceContext;
     const cookieFindings = agentLib.scoreRequestConnect(mask, { cookies: cookiesArr }, preferWW);
 
     const block = mergeFindings(rules.agentLibRules, sourceContext.findings, cookieFindings);
 
     if (block) {
-      sourceContext.block(...block);
+      core.protect.throwSecurityException(sourceContext);
     }
   };
 
@@ -239,11 +282,16 @@ module.exports = function(core) {
    * @param {Object} parsedBody
    */
   inputAnalysis.handleParsedBody = function(sourceContext, parsedBody) {
+    if (sourceContext.analyzedBody) return;
+    sourceContext.analyzedBody = true;
+
     if (typeof parsedBody !== 'object') {
       logger.debug({ parsedBody }, 'handleParsedBody() called with non-object');
       return;
     }
 
+    inputAnalysis.handleVirtualPatches(sourceContext, { PARAMETERS: parsedBody });
+
     let bodyType;
     let inputTypes;
     if (sourceContext.reqData.contentType.includes('/json')) {
@@ -253,8 +301,13 @@ module.exports = function(core) {
       bodyType = 'urlencoded';
       inputTypes = parameterInputTypes;
     }
-    commonObjectAnalyzer(sourceContext, parsedBody, inputTypes);
+    const block = commonObjectAnalyzer(sourceContext, parsedBody, inputTypes);
+
     sourceContext.findings.bodyType = bodyType;
+
+    if (block) {
+      core.protect.throwSecurityException(sourceContext);
+    }
   };
 
   // was MULTIPART_NAME but maybe we should just call it what it is. it's kind
@@ -263,6 +316,70 @@ module.exports = function(core) {
     throw new Error('nyi', sourceContext, name);
   };
 
+  inputAnalysis.handleVirtualPatches = function(sourceContext, requestInput) {
+    const ruleId = 'virtual-patch';
+
+    if (!Object.keys(requestInput).filter(Boolean).length || !sourceContext?.virtualPatchesEvaluators.length) return;
+
+    for (const vpEvaluators of sourceContext.virtualPatchesEvaluators) {
+      for (const key in requestInput) {
+        const evaluator = vpEvaluators.get(key);
+
+        if (evaluator && requestInput[key] && evaluator(requestInput[key])) {
+          vpEvaluators.delete(key);
+          const { name, uuid } = vpEvaluators.get('metadata');
+
+          if (vpEvaluators.size === 1 && uuid) {
+            if (!sourceContext.findings.serverFeaturesResultsMap[ruleId]) {
+              sourceContext.findings.serverFeaturesResultsMap[ruleId] = [];
+            }
+            sourceContext.findings.serverFeaturesResultsMap[ruleId].push({
+              name,
+              uuid
+            });
+            sourceContext.findings.securityException = ['block', ruleId];
+            core.protect.throwSecurityException(sourceContext);
+          }
+        }
+      }
+    }
+  };
+
+  inputAnalysis.handleIpAllowlist = function(sourceContext, ipAllowlist) {
+    if (!sourceContext || !ipAllowlist.length) return;
+
+    const { ip: reqIp, headers: reqHeaders } = sourceContext.reqData;
+
+    const match = ipListAnalysis(reqIp, reqHeaders, ipAllowlist);
+
+    if (match) {
+      logger.info(match, 'Found a matching IP to an entry in ipAllow list');
+      return true;
+    }
+  };
+
+  inputAnalysis.handleIpDenylist = function(sourceContext, ipDenylist) {
+    const ruleId = 'ip-denylist';
+
+    if (!sourceContext || !ipDenylist.length) return;
+
+    const { ip: reqIp, headers: reqHeaders } = sourceContext.reqData;
+
+    const match = ipListAnalysis(reqIp, reqHeaders, ipDenylist);
+
+    if (match) {
+      logger.info(match, 'Found a matching IP to an entry in ipDeny list');
+      if (!sourceContext.findings.serverFeaturesResultsMap[ruleId]) {
+        sourceContext.findings.serverFeaturesResultsMap[ruleId] = [];
+      }
+
+      sourceContext.findings.serverFeaturesResultsMap[ruleId].push({
+        ip: match.matchedIp,
+        uuid: match.uuid,
+      });
+      return ['block', 'ip-denylist'];
+    }
+  };
 
   /**
    * commonObjectAnalyzer() walks an object supplied by the end-user and checks
@@ -277,12 +394,12 @@ module.exports = function(core) {
    * @param {Object} inputTypes is either jsonInputTypes or parameterInputTypes,
    * both are defined above. They specify the input types to be used when evaluating
    * the object.
-   * @returns undefined
+   * @returns {Array | undefined} returns an array with block info if vulnerability was found.
    */
   function commonObjectAnalyzer(sourceContext, object, inputTypes) {
     const { rules, rules: { agentLibRulesMask: mask } } = sourceContext;
     // use inputTypes to set params...
-    const { keyType, valueType } = inputTypes;
+    const { keyType, inputType } = inputTypes;
     const inputTypeStr = inputTypes === jsonInputTypes ? 'Json' : 'Parameter';
     const { Where } = agentLib.MongoQueryType;
     const resultsList = [];
@@ -315,7 +432,7 @@ module.exports = function(core) {
           mongoQueryType = agentLib.getMongoQueryType(value);
         }
       } else {
-        itemType = valueType;
+        itemType = inputType;
       }
       let items = agentLib.scoreAtom(mask, value, itemType, preferWW);
       if (!items && !mongoQueryType) {
@@ -333,7 +450,8 @@ module.exports = function(core) {
         // mimic it here (where scoreAtom() was used). the actual object/string
         // to match is stored as `inputToCheck`.
         const inputType = typeof inputToCheck;
-        if ((mongoQueryType <= Where && inputType === 'object') || (mongoQueryType >= Where && inputType === 'string')) {
+        // query types up to Where, inclusive, accept either string or object values. Where and above accept only string values
+        if (mongoQueryType <= Where || inputType === 'string') {
           // the query-type/input-type combination is valid. add a synthesized item.
           const item = { ruleId: 'nosql-injection-mongo', score: 10, mongoContext: { inputToCheck } };
           items.push(item);
@@ -370,9 +488,50 @@ module.exports = function(core) {
       resultsList,
     };
 
-    const block = mergeFindings(rules.agentLibRules, sourceContext.findings, findings);
-    if (block) {
-      sourceContext.block(...block);
+    return mergeFindings(rules.agentLibRules, sourceContext.findings, findings);
+  }
+
+  function ipListAnalysis(reqIp, reqHeaders, list) {
+    const forwardedIps = [];
+
+    for (let i = 0; i < reqHeaders.length; i++) {
+      if (reqHeaders[i] === 'x-forwarded-for') {
+        const ipsFromHeaders = reqHeaders[i + 1]?.split(/[,;]+/);
+        forwardedIps.push(...ipsFromHeaders);
+      }
+    }
+
+    const ipsToCheck = [reqIp, ...forwardedIps];
+    const now = new Date().getTime();
+
+    /* c8 ignore next 3 */
+    if (!ipsToCheck.length) {
+      return false;
+    }
+
+    for (const listEntry of list) {
+      const { doesExpire, expiresAt } = listEntry;
+      for (let i = 0; i < ipsToCheck.length; i++) {
+        const currentIp = ipsToCheck[i];
+
+        // Ignore bad IP values.
+        if (!address.isValid(currentIp)) {
+          logger.warn(`Unable to parse ${currentIp}.`);
+          continue;
+        }
+        const expired = doesExpire ? expiresAt - now <= 0 : false;
+
+        if (expired) {
+          logger.info(`IP expired: ${listEntry.name}, ${listEntry.ip}`);
+          continue;
+        }
+
+        const match = checkIpsMatch(listEntry, currentIp);
+
+        if (match) {
+          return match;
+        }
+      }
     }
   }
 };
@@ -432,13 +591,38 @@ function normalizeFindings(rules, findings) {
     // which the block can occur. so at a minimum 'block' should also result in a
     // block.
     const { mode } = rules[r.ruleId];
-    if (r.score >= 90 && ['block', 'block_at_perimeter'].includes(mode)) {
+    if (r.score >= 90 && BLOCKING_MODES.includes(mode)) {
       r.blocked = true;
       findings.securityException = [mode, r.ruleId];
     }
   }
 }
 
+
+function checkIpsMatch(listEntry, ip) {
+  const parsed = address.process(ip);
+
+  // Check if IP is in CIDR range,
+  if (listEntry.cidr) {
+    if (parsed.kind() !== listEntry.cidr.kind) {
+      return null;
+    }
+
+    if (parsed.match(listEntry.cidr.range)) {
+      return { ...listEntry, match: ip };
+    } else {
+      return null;
+    }
+  }
+
+  // or do a direct comparison
+  if (parsed.toNormalizedString() === listEntry.normalizedValue) {
+    return { ...listEntry, matchedIp: ip };
+  }
+
+  return null;
+}
+
 /**
  * getValueAtKey() is used to fetch the object (expected) associated
  * with the path of keys in obj. i say expected because this is only used
@@ -453,6 +637,7 @@ function normalizeFindings(rules, findings) {
  */
 function getValueAtKey(obj, path, key) {
   for (const p of path) {
+    /* c8 ignore next 6 */
     if (!(p in obj)) {
       return undefined;
     }

package/lib/input-analysis/index.js

@@ -1,17 +1,54 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 module.exports = function(core) {
   const inputAnalysis = core.protect.inputAnalysis = {};
 
+  // inputAnalysis handlers
   require('./handlers')(core);
+
+  // http(s) modules instrumentation
   require('./install/http')(core);
+
+  // common libraries instrumentation
+  require('./install/body-parser1')(core);
+  require('./install/cookie-parser1')(core);
+  require('./install/formidable1')(core);
+  require('./install/koa-body5')(core);
+  require('./install/koa-bodyparser4')(core);
+  require('./install/multer1')(core);
+  require('./install/qs6')(core);
+  require('./install/universal-cookie4')(core);
+
+  // framework specific instrumentation
   require('./install/fastify3')(core);
   require('./install/koa2')(core);
+  require('./install/express4')(core);
+
+  // virtual patches
+  require('./virtual-patches')(core);
+  require('./ip-analysis')(core);
 
   inputAnalysis.install = function() {
-    inputAnalysis.httpInstrumentation.install();
-    inputAnalysis.fastifyInstrumentation.install();
-    inputAnalysis.koaInstrumentation.install();
+    Object.values(inputAnalysis)
+      .filter((property) => property.install)
+      .forEach((library) => {
+        library.install();
+      });
   };
 
   return inputAnalysis;

package/lib/input-analysis/install/body-parser1.js

@@ -0,0 +1,122 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { isSecurityException } = require('../../security-exception');
+
+module.exports = (core) => {
+  const {
+    depHooks,
+    logger,
+    protect,
+    protect: { inputAnalysis },
+  } = core;
+
+  function contrastNext(req, origNext, fnName) {
+    return function next(origErr) {
+      const sourceContext = protect.getSourceContext(fnName);
+      let securityException;
+
+      if (sourceContext && req.body && Object.keys(req.body).length) {
+        sourceContext.parsedBody = req.body;
+
+        try {
+          inputAnalysis.handleParsedBody(sourceContext, req.body);
+        } catch (err) {
+          if (isSecurityException(err)) {
+            securityException = err;
+          } else {
+            logger.error({ err }, 'Unexpected error during input analysis');
+          }
+        }
+      }
+      const error = securityException || origErr;
+
+      origNext(error);
+    };
+  }
+
+  // Patch body parser - `body-parser` used by `express` framework
+  function install() {
+    depHooks.resolve({ name: 'body-parser' }, (bodyParser) => {
+      const origBodyParser = bodyParser;
+
+      const { json: origJson, raw: origRaw, text: origText, urlencoded: origUrlencoded } = bodyParser;
+      const fnArr = [
+        {
+          key: 'json',
+          original: origJson,
+        },
+        {
+          key: 'raw',
+          original: origRaw,
+        },
+        {
+          key: 'text',
+          original: origText,
+        },
+        {
+          key: 'urlencoded',
+          original: origUrlencoded,
+        }
+      ];
+
+      bodyParser = function bodyParser(...args) {
+        const parser = origBodyParser(...args);
+        const hookedParser = function(req, res, next) {
+          parser(req, res, contrastNext(req, next, 'bodyParser'));
+        };
+
+        Object.defineProperty(hookedParser, 'name', {
+          value: 'bodyParser'
+        });
+
+        return hookedParser;
+      };
+
+      fnArr.forEach((fn) => {
+        const fnName = `bodyParser.${fn.key}`;
+        function contrastHooked(...args) {
+          const parser = fn.original(...args);
+          const hookedParser = function (req, res, next) {
+            parser(req, res, contrastNext(req, next, fnName));
+          };
+
+          Object.defineProperty(hookedParser, 'name', {
+            value: `${fn.key}Parser`
+          });
+
+          return hookedParser;
+        }
+
+        Object.defineProperty(bodyParser, fn.key, {
+          configurable: true,
+          enumerable: true,
+          get: () => contrastHooked,
+        });
+      });
+
+      return bodyParser;
+    }
+    );
+  }
+
+  const bodyParser1Instrumentation = inputAnalysis.bodyParser1Instrumentation = {
+    install
+  };
+
+  return bodyParser1Instrumentation;
+};

package/lib/input-analysis/install/cookie-parser1.js

@@ -0,0 +1,80 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../constants');
+const { isSecurityException } = require('../../security-exception');
+
+module.exports = (core) => {
+  const {
+    depHooks,
+    patcher,
+    logger,
+    protect,
+    protect: { inputAnalysis },
+  } = core;
+
+  // Patch `cookie-parser` package
+  function install() {
+    depHooks.resolve({ name: 'cookie-parser' }, (cookieParser) => patcher.patch(cookieParser, {
+      name: 'cookie-parser',
+      patchType,
+      post(data) {
+        data.result = patcher.patch(data.result, {
+          name: 'cookie-parser',
+          patchType,
+          pre(data) {
+            const [req, , origNext] = data.args;
+
+            function contrastNext(origErr) {
+              const sourceContext = protect.getSourceContext('cookie-parser');
+
+              let securityException;
+
+              if (sourceContext
+                && ((req.cookies && Object.keys(req.cookies).length) || (req.signedCookies && Object.keys(req.signedCookies).length))) {
+                sourceContext.parsedCookies = { ...req.cookies, ...req.signedCookies };
+
+                try {
+                  inputAnalysis.handleCookies(sourceContext, sourceContext.parsedCookies);
+                } catch (err) {
+                  if (isSecurityException(err)) {
+                    securityException = err;
+                  } else {
+                    logger.error({ err }, 'Unexpected error during input analysis');
+                  }
+                }
+              }
+
+              const error = securityException || origErr;
+
+              origNext(error);
+            }
+
+            data.args[2] = contrastNext;
+          }
+        });
+      }
+    })
+    );
+  }
+
+  const cookieParser1Instrumentation = inputAnalysis.cookieParser1Instrumentation = {
+    install
+  };
+
+  return cookieParser1Instrumentation;
+};