@contrast/protect 1.2.1 → 1.4.0

package/lib/input-analysis/install/multer1.js

@@ -0,0 +1,88 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../constants');
+const { isSecurityException } = require('../../security-exception');
+
+module.exports = (core) => {
+  const {
+    depHooks,
+    patcher,
+    logger,
+    scopes: { wrap },
+    protect,
+    protect: { inputAnalysis },
+  } = core;
+
+  // Patch `multer`
+  function install() {
+    depHooks.resolve({ name: 'multer', file: 'lib/make-middleware.js' }, (multerMakeMiddleware) => patcher.patch(multerMakeMiddleware, {
+      name: 'multer.make-middleware',
+      patchType,
+      post(data) {
+        data.result = patcher.patch(data.result, {
+          name: 'multerMiddleware',
+          patchType,
+          pre(data) {
+            const [req, , origNext] = data.args;
+
+            // We are getting the sourceContext here because in the time of calling
+            // the contrastNext() method the context is lost
+            const sourceContext = protect.getSourceContext('multer');
+
+            if (!sourceContext) return;
+
+            function contrastNext(origErr) {
+              let securityException;
+
+              if (req.body) {
+                sourceContext.parsedBody = req.body;
+
+                try {
+                  inputAnalysis.handleParsedBody(sourceContext, req.body);
+                } catch (err) {
+                  if (isSecurityException(err)) {
+                    securityException = err;
+                  } else {
+                    logger.error({ err }, 'Unexpected error during input analysis');
+                  }
+                }
+              }
+
+              if (req.file || req.files) {
+                logger.debug('Check for vulnerable filename upload nyi');
+                // TODO: NODE-2601
+              }
+
+              const error = securityException || origErr;
+
+              origNext(error);
+            }
+
+            data.args[2] = wrap(contrastNext);
+          }
+        });
+      }
+    }));
+  }
+
+  const multer1Instrumentation = inputAnalysis.multer1Instrumentation = {
+    install
+  };
+
+  return multer1Instrumentation;
+};

package/lib/input-analysis/install/qs6.js

@@ -0,0 +1,57 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../constants');
+
+module.exports = (core) => {
+  const {
+    depHooks,
+    patcher,
+    protect,
+    protect: { inputAnalysis },
+  } = core;
+
+  // Patch `qs`
+  function install() {
+    depHooks.resolve({ name: 'qs' },
+      (qs) => patcher.patch(qs, 'parse', {
+        name: 'qs',
+        patchType,
+        post({ args, result }) {
+          if (result && Object.keys(result).length) {
+            const sourceContext = protect.getSourceContext('qs');
+
+            // We need to run analysis for the `qs` result only when it's used as a query parser.
+            // `qs` is used also for parsing bodies, but these cases we handle individually with
+            // the respective library that's using it (e.g. `formidable`, `co-body`) because in
+            // some cases its use is optional and we cannot rely on it.
+            if (sourceContext && sourceContext.reqData?.queries === args[0]) {
+              sourceContext.parsedQuery = result;
+              inputAnalysis.handleQueryParams(sourceContext, result);
+            }
+          }
+        }
+      })
+    );
+  }
+
+  const qs6Instrumentation = inputAnalysis.qs6Instrumentation = {
+    install
+  };
+
+  return qs6Instrumentation;
+};

package/lib/input-analysis/install/universal-cookie4.js

@@ -0,0 +1,52 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../constants');
+
+module.exports = (core) => {
+  const {
+    depHooks,
+    patcher,
+    protect,
+    protect: { inputAnalysis },
+  } = core;
+
+  // Patch `universal-cookie` package
+  function install() {
+    depHooks.resolve({ name: 'universal-cookie', file: 'cjs/utils.js' }, (uCookieUtils) => patcher.patch(uCookieUtils, 'parseCookies', {
+      name: 'universal-cookie.utils',
+      patchType,
+      post({ result }) {
+        if (result && Object.keys(result).length) {
+          const sourceContext = protect.getSourceContext('universal-cookie');
+
+          if (sourceContext) {
+            sourceContext.parsedCookies = result;
+            inputAnalysis.handleCookies(sourceContext, result);
+          }
+        }
+      }
+    })
+    );
+  }
+
+  const universalCookie4Instrumentation = inputAnalysis.universalCookie4Instrumentation = {
+    install
+  };
+
+  return universalCookie4Instrumentation;
+};

package/lib/input-analysis/ip-analysis.js

@@ -0,0 +1,76 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { Event } = require('@contrast/common');
+const address = require('ipaddr.js');
+
+module.exports = (core) => {
+  const {
+    messages,
+    protect: { inputAnalysis },
+  } = core;
+
+  const ipAllowlist = inputAnalysis.ipAllowlist = [];
+  const ipDenylist = inputAnalysis.ipDenylist = [];
+
+  messages.on(Event.SERVER_SETTINGS_UPDATE, (serverUpdate) => {
+    const now = new Date().getTime();
+    const updatedIpAllowList = serverUpdate.features?.defend?.ipAllowlist.map((ipEntry) => ipEntryMap(ipEntry, now));
+    const updatedIpDenyList = serverUpdate.features?.defend?.ipDenylist.map((ipEntry) => ipEntryMap(ipEntry, now));
+
+    if (updatedIpAllowList) {
+      ipAllowlist.length = 0;
+      ipAllowlist.push(...updatedIpAllowList);
+    }
+    if (updatedIpDenyList) {
+      ipDenylist.length = 0;
+      ipDenylist.push(...updatedIpDenyList);
+    }
+  });
+};
+
+function ipEntryMap(ipEntry, startTime) {
+  const { ip, expires } = ipEntry;
+  let doesExpire, expiresAt, cidr;
+
+  if (expires) {
+    doesExpire = true;
+    expiresAt = startTime + expires;
+  } else {
+    doesExpire = false;
+  }
+
+  const slashIdx = ip.indexOf('/');
+  const isCIDR = slashIdx >= 0;
+  const ipInstance = isCIDR
+    ? address.process(ip.substr(0, slashIdx))
+    : address.process(ip);
+
+  const normalizedValue = ipInstance.toNormalizedString();
+
+  if (isCIDR) {
+    cidr = { range: address.parseCIDR(ip), kind: ipInstance.kind() };
+  }
+
+  return {
+    ...ipEntry,
+    doesExpire,
+    expiresAt,
+    normalizedValue,
+    cidr
+  };
+}

package/lib/input-analysis/virtual-patches.js

@@ -0,0 +1,109 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { Event } = require('@contrast/common');
+
+module.exports = (core) => {
+  const {
+    messages,
+    protect: { inputAnalysis },
+  } = core;
+
+  const virtualPatchesEvaluators = inputAnalysis.virtualPatchesEvaluators = [];
+
+  messages.on(Event.SERVER_SETTINGS_UPDATE, (serverUpdate) => {
+    const virtualPatches = serverUpdate.settings?.defend.virtualPatches;
+    if (virtualPatches) {
+      buildVPEvaluators(virtualPatches, virtualPatchesEvaluators);
+    }
+  });
+};
+
+function buildVPEvaluators(virtualPatches, evaluatorsArray) {
+  evaluatorsArray.length = 0;
+  for (const { headers, parameters, urls, uuid, name } of virtualPatches) {
+    const evaluators = new Map();
+
+    if (headers?.length) {
+      evaluators.set('HEADERS', (reqHeaders) => {
+        let result;
+        for (const { evaluation, name, value } of headers) {
+          const evalCheck = buildEvaluationCheck(evaluation);
+          const keyIndex = reqHeaders.indexOf(name.toLowerCase());
+
+          result = keyIndex !== -1 && evalCheck(reqHeaders[keyIndex + 1], value);
+          if (!result) break;
+        }
+
+        return result;
+      });
+    }
+
+    if (parameters?.length) {
+      evaluators.set('PARAMETERS', (reqParameters) => {
+        let result;
+        for (const { evaluation, name, value } of parameters) {
+          const evalCheck = buildEvaluationCheck(evaluation);
+
+          result = evalCheck(reqParameters[name], value);
+          if (!result) break;
+        }
+
+        return result;
+      });
+    }
+
+    if (urls?.length) {
+      evaluators.set('URLS', (reqUrl) => {
+        let result;
+        for (const { evaluation, value } of urls) {
+          const evalCheck = buildEvaluationCheck(evaluation);
+
+          result = evalCheck(reqUrl, value);
+          if (!result) break;
+        }
+
+        return result;
+      });
+    }
+
+    if (evaluators.size) {
+      evaluators.set('metadata', { name, uuid });
+      evaluatorsArray.push(evaluators);
+    }
+  }
+}
+
+function buildEvaluationCheck(evaluation) {
+  switch (evaluation) {
+    case 'MATCHES':
+      return (reqValue, matchedValue) => new RegExp(matchedValue, 'i').test(reqValue);
+    case 'EQUALS':
+      return (reqValue, matchedValue) => reqValue.toString() === matchedValue.toString();
+    case 'CONTAINS':
+      return (reqValue, matchedValue) => reqValue.includes(matchedValue);
+    case 'DOESNT_MATCH':
+      return (reqValue, matchedValue) => !new RegExp(matchedValue, 'i').test(reqValue);
+      // This is a typo but it is how it's passed from ContrastUI
+    case 'DOESNT_EQUALS':
+      return (reqValue, matchedValue) => reqValue.toString() !== matchedValue.toString();
+    case 'DOESNT_CONTAIN':
+      return (reqValue, matchedValue) => !reqValue.includes(matchedValue);
+    default:
+      return () => false;
+  }
+}

package/lib/input-tracing/constants.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 module.exports = {