@contrast/protect 1.2.1 → 1.4.0

package/lib/input-analysis/install/express4.js

@@ -0,0 +1,103 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../constants');
+const { isSecurityException } = require('../../security-exception');
+
+/**
+ * Function that exports an install method to patch Express framework with our instrumentation
+ * @param {Object} core - the core Contrast object in v5
+ * @return {Object}     object with install method and the other relative functions exported for testing purposes
+ */
+module.exports = (core) => {
+  const {
+    depHooks,
+    patcher,
+    logger,
+    protect,
+    protect: { inputAnalysis },
+  } = core;
+
+  /**
+   * registers a depHook for express module instrumentation
+   */
+  function install() {
+    depHooks.resolve({ name: 'express', version: '>=4.0.0 <5.0.0', file: 'lib/middleware/query.js' }, (query) => patcher.patch(query, {
+      name: 'Express.query',
+      patchType,
+      post(data) {
+        data.result = patcher.patch(data.result, {
+          name: 'Express.query',
+          patchType,
+          pre(data) {
+            const [req, , origNext] = data.args;
+
+            function contrastNext(origErr) {
+              const sourceContext = protect.getSourceContext('Express.query');
+              let securityException;
+
+              // It is possible for the query to be already parsed by `qs`
+              // which means that we've already handled/analyzed it.
+              // So we check whether we already have the `parsedQuery` property in the context
+              if (sourceContext && req.query && Object.keys(req.query).length && (!('parsedQuery' in sourceContext))) {
+                sourceContext.parsedQuery = req.query;
+
+                try {
+                  inputAnalysis.handleQueryParams(sourceContext, req.query);
+                } catch (err) {
+                  if (isSecurityException(err)) {
+                    securityException = err;
+                  } else {
+                    logger.error({ err }, 'Unexpected error during input analysis');
+                  }
+                }
+              }
+
+              const error = securityException || origErr;
+
+              origNext(error);
+            }
+
+            data.args[2] = contrastNext;
+          }
+        });
+      }
+    }));
+
+    depHooks.resolve({ name: 'express', version: '>=4.0.0 <5.0.0', file: 'lib/router/layer.js' }, (Layer) => {
+      patcher.patch(Layer.prototype, 'handle_request', {
+        name: 'express.Layer.prototype.handle_request',
+        patchType,
+        pre(data) {
+          const { obj: { params } } = data;
+          const sourceContext = protect.getSourceContext('Express.Layer.handle_request');
+
+          if (sourceContext && params && Object.keys(params).length) {
+            sourceContext.parsedParams = params;
+            inputAnalysis.handleUrlParams(sourceContext, params);
+          }
+        }
+      });
+    });
+  }
+
+  const express4Instrumentation = inputAnalysis.express4Instrumentation = {
+    install
+  };
+
+  return express4Instrumentation;
+};

package/lib/input-analysis/install/fastify3.js

@@ -1,5 +1,23 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
+const { patchType } = require('../constants');
+const { isSecurityException } = require('../../security-exception');
+
 /**
  * Function that exports an install method to patch Fastify framework with our instrumentation
  * @param {Object} core - the core Contrast object in v5
@@ -10,7 +28,7 @@ module.exports = (core) => {
     depHooks,
     patcher,
     logger,
-    scopes: { sources },
+    protect,
     protect: { inputAnalysis },
   } = core;
 
@@ -29,7 +47,7 @@ module.exports = (core) => {
   function patchFastify(fastify) {
     return patcher.patch(fastify, {
       name: 'fastify.build',
-      patchType: 'framework-patch',
+      patchType,
       post({ result: server }) {
         server.addHook('preValidation', preValidationHook);
       },
@@ -44,36 +62,45 @@ module.exports = (core) => {
    * @param {Function}        done    callback to signal the hook is finished.
    */
   function preValidationHook(request, reply, done) {
-    const sourceContext = sources.getStore()?.protect;
+    const sourceContext = protect.getSourceContext('Fastify.preValidationHook');
 
-    if (!sourceContext) {
-      logger.debug('source context not available in fastify prevalidation hook');
-    } else {
-      if (request.params) {
-        sourceContext.parsedParams = request.params;
-        inputAnalysis.handleUrlParams(sourceContext, request.params);
-      }
-      if (request.cookies) {
-        sourceContext.parsedCookies = request.cookies;
-        inputAnalysis.handleCookies(sourceContext, request.cookies);
-      }
-      if (request.body) {
-        sourceContext.parsedBody = request.body;
-        inputAnalysis.handleParsedBody(sourceContext, request.body);
-      }
+    let securityException;
 
-      if (request.query) {
-        sourceContext.parsedQuery = request.query;
-        inputAnalysis.handleQueryParams(sourceContext, request.query);
+    if (sourceContext) {
+      try {
+        if (request.params) {
+          sourceContext.parsedParams = request.params;
+          inputAnalysis.handleUrlParams(sourceContext, request.params);
+        }
+        if (request.cookies) {
+          sourceContext.parsedCookies = request.cookies;
+          inputAnalysis.handleCookies(sourceContext, request.cookies);
+        }
+        if (request.body) {
+          sourceContext.parsedBody = request.body;
+          inputAnalysis.handleParsedBody(sourceContext, request.body);
+        }
+
+        if (request.query) {
+          sourceContext.parsedQuery = request.query;
+          inputAnalysis.handleQueryParams(sourceContext, request.query);
+        }
+      } catch (err) {
+        if (isSecurityException(err)) {
+          securityException = err;
+        } else {
+          logger.error({ err }, 'Unexpected error during input analysis');
+        }
       }
     }
-    done();
+
+    done(securityException);
   }
 
-  const fastifyInstrumentation = inputAnalysis.fastifyInstrumentation = {
+  const fastify3Instrumentation = inputAnalysis.fastify3Instrumentation = {
     preValidationHook,
     install,
   };
 
-  return fastifyInstrumentation;
+  return fastify3Instrumentation;
 };

package/lib/input-analysis/install/formidable1.js

@@ -0,0 +1,72 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../constants');
+
+module.exports = (core) => {
+  const {
+    depHooks,
+    patcher,
+    logger,
+    protect,
+    protect: { inputAnalysis },
+  } = core;
+
+  // Patch `formidable`
+  function install() {
+    depHooks.resolve({ name: 'formidable' }, (formidable) => {
+      formidable.IncomingForm.prototype.parse = patcher.patch(formidable.IncomingForm.prototype.parse, {
+        name: 'Formidable.IncomingForm.prototype.parse',
+        patchType,
+        pre(data) {
+          const origCb = data.args[1];
+
+          function hookedCb(...cbArgs) {
+            const sourceContext = protect.getSourceContext('formidable');
+
+            const [, fields, files] = cbArgs;
+
+            if (sourceContext) {
+              if (fields) {
+                sourceContext.parsedBody = fields;
+                inputAnalysis.handleParsedBody(sourceContext, fields);
+              }
+              if (files) {
+                logger.debug('Check for vulnerable filename upload nyi');
+                // TODO: NODE-2601
+              }
+            }
+
+            if (origCb && typeof origCb === 'function') {
+              origCb.apply(this, cbArgs);
+            }
+          }
+
+          data.args[1] = hookedCb;
+        }
+      });
+
+      return formidable;
+    });
+  }
+
+  const formidable1Instrumentation = inputAnalysis.formidable1Instrumentation = {
+    install
+  };
+
+  return formidable1Instrumentation;
+};

package/lib/input-analysis/install/http.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 const { Event } = require('@contrast/common');
@@ -18,7 +33,6 @@ class HttpInstrumentation {
     this.config = core.config;
     this.logger = logger.child({ name: 'contrast:protect:input-analysis' });
     this.depHooks = core.depHooks;
-    this.messages = core.messages;
     this.protect = core.protect;
     this.makeSourceContext = this.protect.makeSourceContext;
     this.maxBodySize = 16 * 1024 * 1024;
@@ -39,7 +53,9 @@ class HttpInstrumentation {
     this.hookHttps();
   }
 
-  uninstall() {}
+  uninstall() {
+    return null; //NYI
+  }
 
   /**
    * Sets hooks to instrument `http.Server.prototype`.
@@ -149,6 +165,7 @@ class HttpInstrumentation {
       const connectInputs = {
         headers: HttpInstrumentation.removeCookies(reqData.headers),
         uriPath: reqData.uriPath,
+        rawUrl: req.url,
         // TODO AGENT-203 - need to handle method-tampering rule.
         method: reqData.method,
       };
@@ -157,9 +174,18 @@ class HttpInstrumentation {
       if (reqData.standardUrlParsing) {
         connectInputs.queries = reqData.queries;
       }
+      if (inputAnalysis.virtualPatchesEvaluators?.length) {
+        store.protect.virtualPatchesEvaluators.push(...inputAnalysis.virtualPatchesEvaluators.map((e) => new Map(e)));
+      }
+      if (inputAnalysis.ipDenylist?.length) {
+        block = inputAnalysis.handleIpDenylist(store.protect, inputAnalysis.ipDenylist);
+      }
+      if (inputAnalysis.ipAllowlist?.length) {
+        const allowed = inputAnalysis.handleIpAllowlist(store.protect, inputAnalysis.ipAllowlist);
+        if (!block) Object.assign(store.protect, { allowed });
+      }
 
-      block = inputAnalysis.handleConnect(store.protect, connectInputs);
-
+      block = block || inputAnalysis.handleConnect(store.protect, connectInputs);
     } catch (err) {
       this.logger.error({ err }, 'Error during input analysis');
     }

package/lib/input-analysis/install/koa-body5.js

@@ -0,0 +1,63 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../constants');
+
+module.exports = (core) => {
+  const {
+    depHooks,
+    patcher,
+    protect,
+    protect: { inputAnalysis },
+  } = core;
+
+  // Patch `koa-body` package
+  function install() {
+    depHooks.resolve({ name: 'koa-body' }, (koaBody) => patcher.patch(koaBody, {
+      name: 'koa-body',
+      patchType,
+      post(data) {
+        data.result = patcher.patch(data.result, {
+          name: 'koa-body',
+          patchType,
+          pre(data) {
+            const [ctx, origNext] = data.args;
+
+            async function contrastNext(origErr) {
+              const sourceContext = protect.getSourceContext('koa-body');
+
+              if (sourceContext && ctx.request.body && Object.keys(ctx.request.body).length) {
+                sourceContext.parsedBody = ctx.request.body;
+                inputAnalysis.handleParsedBody(sourceContext, ctx.request.body);
+              }
+
+              await origNext(origErr);
+            }
+
+            data.args[1] = contrastNext;
+          }
+        });
+      }
+    }));
+  }
+
+  const koaBody5Instrumentation = inputAnalysis.koaBody5Instrumentation = {
+    install
+  };
+
+  return koaBody5Instrumentation;
+};

package/lib/input-analysis/install/koa-bodyparser4.js

@@ -0,0 +1,64 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../constants');
+
+module.exports = (core) => {
+  const {
+    depHooks,
+    patcher,
+    protect,
+    protect: { inputAnalysis },
+  } = core;
+
+  // Patch `koa-bodyparser` package
+  function install() {
+    depHooks.resolve({ name: 'koa-bodyparser' }, (koaBodyparser) => patcher.patch(koaBodyparser, {
+      name: 'koa-bodyparser',
+      patchType,
+      post(data) {
+        data.result = patcher.patch(data.result, {
+          name: 'koa-bodyparser',
+          patchType,
+          pre(data) {
+            const [ctx, origNext] = data.args;
+
+            async function contrastNext(origErr) {
+              const sourceContext = protect.getSourceContext('koa-bodyparser');
+
+
+              if (sourceContext && ctx.request.body && Object.keys(ctx.request.body).length) {
+                sourceContext.parsedBody = ctx.request.body;
+                inputAnalysis.handleParsedBody(sourceContext, ctx.request.body);
+              }
+
+              await origNext(origErr);
+            }
+
+            data.args[1] = contrastNext;
+          }
+        });
+      }
+    }));
+  }
+
+  const koaBodyparser4Instrumentation = inputAnalysis.koaBodyparser4Instrumentation = {
+    install
+  };
+
+  return koaBodyparser4Instrumentation;
+};

package/lib/input-analysis/install/koa2.js

@@ -1,7 +1,24 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
+const { patchType } = require('../constants');
+
 /**
- * Function that exports an install method to patch Fastify framework with our instrumentation
+ * Function that exports an install method to patch Koa framework with our instrumentation
  * @param {Object} core - the core Contrast object in v5
  * @return {Object}     object with install method and the other relative functions exported for testing purposes
  */
@@ -9,8 +26,7 @@ module.exports = (core) => {
   const {
     depHooks,
     patcher,
-    logger,
-    scopes: { sources },
+    protect,
     protect: { inputAnalysis },
   } = core;
 
@@ -19,25 +35,14 @@ module.exports = (core) => {
    */
   function install() {
     depHooks.resolve({ name: 'koa', version: '>=2.3.0' }, (Koa) => {
-      const coBodyPatch = require('./co-body.js')(core);
-      const multerPatch = require('./multer')(core);
-      const formidablePatch = require('./formidable')(core);
-      const qsPatch = require('./qs')(core);
-      const cookieParserPatch = require('./cookie-parser')(core);
-      const universalCookiePatch = require('./universal-cookie')(core);
-
-
       function contrastStartMiddleware(ctx, next) {
         if (ctx.query && Object.keys(ctx.query).length) {
-          const sourceContext = sources.getStore()?.protect;
+          const sourceContext = protect.getSourceContext('Koa startMiddleware');
 
-          if (!sourceContext) {
-            logger.debug('source context not available in `qs` hook');
-          } else if (!('parsedQuery' in sourceContext)) {
+          if (sourceContext && !('parsedQuery' in sourceContext)) {
             sourceContext.parsedQuery = ctx.query;
             inputAnalysis.handleQueryParams(sourceContext, ctx.query);
           }
-
         }
         return next();
       }
@@ -47,7 +52,7 @@ module.exports = (core) => {
 
       patcher.patch(Koa.prototype, 'use', {
         name: 'Koa.Application',
-        patchType: 'framework-patch',
+        patchType,
         pre({ obj: app }) {
           // if not already inserted, insert the initial middleware.
           if (
@@ -66,17 +71,13 @@ module.exports = (core) => {
           (layer) => {
             layer.prototype = patcher.patch(layer.prototype, 'params', {
               name: `[${router}].layer.prototype`,
-              patchType: 'framework-patch',
+              patchType,
               post({ result }) {
-                const sourceContext = sources.getStore()?.protect;
-
-                if (!sourceContext) {
-                  logger.debug(`source context not available in \`[${router}].layer\` hook`);
-                } else {
-                  if (Object.keys(result).length) {
-                    sourceContext.parsedParams = result;
-                    inputAnalysis.handleUrlParams(sourceContext, result);
-                  }
+                const sourceContext = protect.getSourceContext(`[${router}].layer`);
+
+                if (sourceContext && Object.keys(result).length) {
+                  sourceContext.parsedParams = result;
+                  inputAnalysis.handleUrlParams(sourceContext, result);
                 }
               }
             });
@@ -90,27 +91,23 @@ module.exports = (core) => {
         const { default: cookieParser } = koaCookie;
         koaCookie.default = patcher.patch(cookieParser, {
           name: 'koa-cookie',
-          patchType: 'framework-patch',
+          patchType,
           post(data) {
             data.result = patcher.patch(data.result, {
               name: 'koa-cookie',
-              patchType: 'framework-patch',
+              patchType,
               pre(data) {
                 const [ctx, origNext] = data.args;
 
-                async function contrastNext() {
-                  const sourceContext = sources.getStore()?.protect;
+                async function contrastNext(origErr) {
+                  const sourceContext = protect.getSourceContext('koa-cookie');
 
-                  if (!sourceContext) {
-                    logger.debug('source context not available in `koa-cookie` hook');
-                  } else {
-                    if (ctx.cookie) {
-                      sourceContext.parsedCookies = ctx.cookie;
-                      inputAnalysis.handleCookies(sourceContext, ctx.cookie);
-                    }
+                  if (sourceContext && ctx.cookie) {
+                    sourceContext.parsedCookies = ctx.cookie;
+                    inputAnalysis.handleCookies(sourceContext, ctx.cookie);
                   }
 
-                  await origNext();
+                  await origNext(origErr);
                 }
 
                 data.args[1] = contrastNext;
@@ -119,19 +116,12 @@ module.exports = (core) => {
           }
         });
       });
-
-      coBodyPatch.install();
-      multerPatch.install();
-      formidablePatch.install();
-      qsPatch.install();
-      cookieParserPatch.install();
-      universalCookiePatch.install();
     });
   }
 
-  const koaInstrumentation = inputAnalysis.koaInstrumentation = {
+  const koa2Instrumentation = inputAnalysis.koa2Instrumentation = {
     install
   };
 
-  return koaInstrumentation;
+  return koa2Instrumentation;
 };