@contrast/protect 1.2.1 → 1.4.0

package/lib/input-tracing/handlers/index.js

@@ -1,95 +1,103 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
+const util = require('util');
+const { BLOCKING_MODES, isString, simpleTraverse } = require('@contrast/common');
+
 module.exports = function(core) {
   const { protect: { agentLib, inputTracing, throwSecurityException } } = core;
 
-  /**
-   * Util for pulling results from context for the particular rule id
-   * @param {string} ruleId rule id
-   * @param {object} context async storage data for protect
-   * @returns {AnalysisResult[]}
-   */
-  inputTracing.getResultsByRuleId = function(ruleId, context) {
-    return context.findings.resultsMap[ruleId];
-  };
+  function handleFindings(sourceContext, sinkContext, ruleId, result, findings) {
+    result.details.push({ sinkContext, findings });
 
-  /**
-   * Given a ruleId and an analysis function, wrap the analysis function
-   * with common setup and post-processing code.
-   */
-  inputTracing.handlerFactory = function(ruleId, analysisFn) {
-    /**
-     * This is the common API for INPUT TRACING instrumentation.
-     * @param {object} sourceContext
-     * @param {object} sinkContext
-     */
-    return function(sourceContext, sinkContext) {
-      if (sourceContext.rules.agentLibRules[ruleId].mode === 'off') {
-        return;
-      }
+    const { mode } = sourceContext.rules.agentLibRules[ruleId];
 
-      const results = inputTracing.getResultsByRuleId(ruleId, sourceContext);
-      if (!results) return;
+    if (BLOCKING_MODES.includes(mode)) {
+      result.blocked = true;
+      const blockInfo = [mode, ruleId];
+      sourceContext.findings.securityException = blockInfo;
+      throwSecurityException(sourceContext);
+    }
+  }
 
-      for (const result of results) {
-        const findings = analysisFn(result, sinkContext);
+  inputTracing.handlePathTraversal = function(sourceContext, sinkContext) {
+    const ruleId = 'path-traversal';
+    const results = getResultsByRuleId(ruleId, sourceContext);
 
-        if (findings) {
-          result.details.push({ sinkContext, findings });
+    if (!results) return;
 
-          if (sourceContext.rules.agentLibRules[ruleId].mode === 'block') {
-            result.blocked = true;
-            const blockInfo = ['block', ruleId];
-            sourceContext.findings.securityException = blockInfo;
-            throwSecurityException(sourceContext);
-          }
-        }
+    for (const result of results) {
+      const idx = sinkContext.value.indexOf(result.value);
+      const findings = idx !== -1 ? { path: sinkContext.value } : null;
+
+      if (findings) {
+        handleFindings(sourceContext, sinkContext, ruleId, result, findings);
       }
-    };
+    }
   };
 
-  inputTracing.handlePathTraversal = inputTracing.handlerFactory(
-    'path-traversal',
-    function(result, sinkContext) {
-      const idx = sinkContext.value.indexOf(result.value);
-      return idx !== -1 ? { path: sinkContext.value } : null;
-    }
-  );
+  inputTracing.handleCommandInjection = function(sourceContext, sinkContext) {
+    const ruleId = 'cmd-injection';
+    const results = getResultsByRuleId(ruleId, sourceContext);
 
-  inputTracing.handleCommandInjection = inputTracing.handlerFactory(
-    'cmd-injection',
-    function(result, sinkContext) {
+    if (!results) return;
+
+    for (const result of results) {
+      let findings = null;
       const inputIndex = sinkContext.value.indexOf(result.value);
       if (inputIndex !== -1) {
-        return agentLib.checkCommandInjectionSink(
+        findings = agentLib.checkCommandInjectionSink(
           inputIndex,
           result.value.length,
           sinkContext.value,
         );
       }
+
+      if (findings) {
+        handleFindings(sourceContext, sinkContext, ruleId, result, findings);
+      }
     }
-  );
+  };
 
-  inputTracing.handleSqlInjection = inputTracing.handlerFactory(
-    'sql-injection',
-    function(result, sinkContext) {
-      let analysis = null;
+  inputTracing.handleSqlInjection = function(sourceContext, sinkContext) {
+    const ruleId = 'sql-injection';
+    const results = getResultsByRuleId(ruleId, sourceContext);
+
+    if (!results) return;
+
+    for (const result of results) {
+      let findings = null;
 
       const inputIndex = sinkContext.value.indexOf(result.value);
+
       // if the user input is not in the sink input, there is nothing to do.
       if (inputIndex === -1) {
-        return analysis;
+        continue;
       }
 
       if (inputIndex === 0 && sinkContext.value === result.value) {
-        analysis = {
+        findings = {
           startIndex: 0,
           endIndex: result.value.length - 1,
           overrunIndex: 0,
           boundaryIndex: 0,
         };
       } else {
-        analysis = agentLib.checkSqlInjectionSink(
+        findings = agentLib.checkSqlInjectionSink(
           inputIndex,
           result.value.length,
           2,
@@ -97,21 +105,172 @@ module.exports = function(core) {
         );
       }
 
-      return analysis;
+      if (findings) {
+        handleFindings(sourceContext, sinkContext, ruleId, result, findings);
+      }
+    }
+  };
+
+  inputTracing.nosqlInjectionMongo = function(sourceContext, sinkContext) {
+    const ruleId = 'nosql-injection-mongo';
+    const expansionResults = getResultsByRuleId(ruleId, sourceContext);
+    const stringResults = getResultsByRuleId('ssjs-injection', sourceContext);
+
+    if (expansionResults) {
+      let expansionFindings = null;
+      for (const result of expansionResults) {
+        expansionFindings = handleObjectValue(result, sinkContext.value);
+
+        if (expansionFindings) {
+          handleFindings(sourceContext, sinkContext, ruleId, result, expansionFindings);
+        }
+      }
+    }
+
+    if (stringResults) {
+      let stringFindings = null;
+      for (const result of stringResults) {
+        stringFindings = handleStringValue(result, sinkContext.value);
+
+        if (stringFindings) {
+          handleFindings(sourceContext, sinkContext, ruleId, result, stringFindings);
+        }
+      }
+    }
+  };
+
+  inputTracing.ssjsInjection = function(sourceContext, sinkContext) {
+    const ruleId = 'ssjs-injection';
+    let sinkValuesArr = [];
+
+    const results = getResultsByRuleId(ruleId, sourceContext);
+
+    if (!results) return;
+
+    if (isString(sinkContext.value)) {
+      sinkValuesArr.push(sinkContext.value);
+    } else {
+      const strValues = Object.values(sinkContext.value).filter((v) => isString(v) && v.length);
+      sinkValuesArr = [...strValues];
     }
-  );
 
-  inputTracing.nosqlInjectionMongo = inputTracing.handlerFactory(
-    'nosql-injection-mongo', require('./nosql-injection-mongo')
-  );
+    for (const result of results) {
+      let findings = null;
+
+      for (const v of sinkValuesArr) {
+        if (findings) break;
+
+        const inputIndex = v.indexOf(result.value);
+
+        if (inputIndex === 0 && v === result.value) {
+          findings = {
+            startIndex: 0,
+            endIndex: result?.value.length - 1,
+            boundaryIndex: 0,
+            codeString: result.value
+          };
+        }
+
+        if (inputIndex > 0) {
+          const endIndex = inputIndex + result?.value.length;
+          findings = agentLib.checkSsjsInjectionSink(v, inputIndex, endIndex) && {
+            startIndex: inputIndex,
+            endIndex,
+            boundaryIndex: inputIndex,
+            codeString: result.value
+          };
+        }
+      }
+
+      if (findings) {
+        handleFindings(sourceContext, sinkContext, ruleId, result, findings);
+      }
+    }
+  };
+
+  inputTracing.handleReflectedXss = function(sourceContext, sinkContext) {
+    const ruleId = 'reflected-xss';
+    const results = getResultsByRuleId(ruleId, sourceContext);
 
-  inputTracing.ssjsInjection = inputTracing.handlerFactory(
-    'ssjs-injection',
-    function(results, sinkContext) {
-      return null;
+    if (!results) return;
+
+    for (const result of results) {
+      const idx = sinkContext.value.indexOf(result.value);
+      const findings = idx !== -1 ? { value: sinkContext.value } : null;
+
+      if (findings) {
+        result.details.push({ sinkContext, findings });
+      }
     }
-  );
+  };
+
 
   return inputTracing;
 };
 
+/**
+ * Util for pulling results from context for the particular rule id
+ * @param {string} ruleId rule id
+ * @param {object} context async storage data for protect
+ * @returns {AnalysisResult[]}
+ */
+function getResultsByRuleId(ruleId, context) {
+  if (context.rules.agentLibRules[ruleId].mode === 'off') {
+    return;
+  }
+  return context.findings.resultsMap[ruleId];
+}
+
+function handleObjectValue(result, object) {
+  if (typeof object !== 'object') {
+    return null;
+  }
+  let findings = null;
+  simpleTraverse(object, function(path, type, value) {
+    if (type !== 'Key' || findings) {
+      return;
+    }
+    // the result value is the key that was found
+    if (result.key === value) {
+      // does the object at this path equal the user input?
+      let obj = object;
+      for (const p of path) {
+        obj = obj[p];
+      }
+      obj = obj[value];
+      // does the found object in the query equal the saved object?
+      if (util.isDeepStrictEqual(obj, result.mongoContext.inputToCheck)) {
+        const start = JSON.stringify(object).indexOf(value);
+        const end = start + value.length;
+        const inputBoundaryIndex = 0;
+        findings = { start, end, boundaryOverrunIndex: start, inputBoundaryIndex };
+      }
+    }
+  });
+
+  return findings;
+}
+
+function handleStringValue(result, string) {
+  if (typeof string !== 'string') {
+    return null;
+  }
+  let findings = null;
+
+  const inputIndex = string.indexOf(result.value);
+  // if the user input is not in the sink input, there is nothing to do.
+  if (inputIndex === -1) {
+    return findings;
+  }
+
+  if (inputIndex === 0 && string === result.value) {
+    findings = {
+      start: 0,
+      end: result.value.length - 1,
+      boundaryOverrunIndex: 0,
+      inputBoundaryIndex: 0,
+    };
+  }
+
+  return findings;
+}

package/lib/input-tracing/index.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 /**
@@ -15,16 +30,24 @@ module.exports = function(core) {
   require('./handlers')(core);
 
   // load the instrumentation installers
-  require('./install/fs')(core);
   require('./install/child-process')(core);
+  require('./install/fs')(core);
+  require('./install/mongodb')(core);
   require('./install/mysql')(core);
   require('./install/postgres')(core);
+  require('./install/sequelize')(core);
+  require('./install/sqlite3')(core);
+  require('./install/http')(core);
 
   inputTracing.install = function() {
-    inputTracing.fsInstrumentation.install();
     inputTracing.cpInstrumentation.install();
+    inputTracing.fsInstrumentation.install();
+    inputTracing.mongodbInstrumentation.install();
     inputTracing.mysqlInstrumentation.install();
     inputTracing.postgresInstrumentation.install();
+    inputTracing.sequelizeInstrumentation.install();
+    inputTracing.sqlite3Instrumentation.install();
+    inputTracing.httpInstrumentation.install();
     // TODO: NODE-2360 (2260?)
   };
 

package/lib/input-tracing/install/child-process.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 const { isString } = require('@contrast/common');
@@ -5,10 +20,11 @@ const { patchType } = require('../constants');
 
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
+    scopes: { instrumentation },
     patcher,
     depHooks,
     captureStacktrace,
+    protect,
     protect: { inputTracing }
   } = core;
 
@@ -19,20 +35,25 @@ module.exports = function(core) {
         patcher.patch(cp, method, {
           name,
           patchType,
-          pre(data) {
+          pre({ args, hooked, orig }) {
             if (instrumentation.isLocked()) return;
 
-            const sourceContext = sources.getStore()?.protect;
-            if (!sourceContext) return;
+            const sourceContext = protect.getSourceContext('child_process');
+            const value = args[0];
 
-            const value = data.args[0];
-            if (!value || !isString(value)) return;
+            if (!sourceContext || !value || !isString(value)) return;
 
             const sinkContext = captureStacktrace(
               { name, value },
-              { constructorOpt: data.hooked }
+              { constructorOpt: hooked, prependFrames: [orig] }
             );
+
             inputTracing.handleCommandInjection(sourceContext, sinkContext);
+            // To evade code duplication we are using these INPUT TRACING instrumentation
+            // to do the checks for SEMANTIC ANALYSIS too
+            core.protect.semanticAnalysis.handleCommandInjectionCommandBackdoors(sourceContext, sinkContext);
+            core.protect.semanticAnalysis.handleCmdInjectionSemanticChainedCommands(sourceContext, sinkContext);
+            core.protect.semanticAnalysis.handleCmdInjectionSemanticDangerous(sourceContext, sinkContext);
           }
         });
       });

package/lib/input-tracing/install/eval.js

@@ -0,0 +1,60 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { isString } = require('@contrast/common');
+const { patchType } = require('../constants');
+
+module.exports = function(core) {
+  const {
+    logger,
+    scopes: { instrumentation },
+    patcher,
+    captureStacktrace,
+    protect,
+    protect: { inputTracing }
+  } = core;
+
+  function install() {
+    if (!global.ContrastMethods.__contrastEval) {
+      logger.error('Cannot install `eval` instrumentation - Contrast method DNE');
+      return;
+    }
+
+    patcher.patch(global.ContrastMethods, '__contrastEval', {
+      name: 'global.ContrastMethods.__contrastEval',
+      patchType,
+      pre: ({ args, hooked, orig }) => {
+        if (instrumentation.isLocked()) return;
+
+        const sourceContext = protect.getSourceContext('eval');
+        const value = args[0];
+
+        if (!sourceContext || !value || !isString(value)) return;
+
+        const sinkContext = captureStacktrace(
+          { name: 'eval', value },
+          { constructorOpt: hooked, prependFrames: [orig] }
+        );
+        inputTracing.ssjsInjection(sourceContext, sinkContext);
+      }
+    });
+  }
+
+  const evalInstrumentation = inputTracing.evalInstrumentation = { install };
+
+  return evalInstrumentation;
+};

package/lib/input-tracing/install/fs.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 const { isString } = require('@contrast/common');
@@ -46,10 +61,11 @@ const fsMethods = [
 
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
+    scopes: { instrumentation },
     patcher,
     depHooks,
     captureStacktrace,
+    protect,
     protect: { inputTracing }
   } = core;
 
@@ -68,12 +84,13 @@ module.exports = function(core) {
         patcher.patch(fs, method, {
           name,
           patchType,
-          pre({ args, hooked, name }) {
+          pre({ args, hooked, name, orig }) {
             // don't proceed if instrumentation is off e.g. within require() call
             if (instrumentation.isLocked()) return;
 
             // obtain the Protect sourceContext
-            const sourceContext = sources.getStore()?.protect;
+            const sourceContext = protect.getSourceContext('fs');
+
             if (!sourceContext) return;
 
             // build list of values on which to perform INPUT TRACING
@@ -86,7 +103,7 @@ module.exports = function(core) {
             for (const value of values) {
               const sinkContext = captureStacktrace(
                 { name, value },
-                { constructorOpt: hooked }
+                { constructorOpt: hooked, prependFrames: [orig] }
               );
               inputTracing.handlePathTraversal(sourceContext, sinkContext);
             }

package/lib/input-tracing/install/http.js

@@ -0,0 +1,63 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../constants');
+
+module.exports = function(core) {
+  const {
+    scopes: { instrumentation },
+    patcher,
+    depHooks,
+    captureStacktrace,
+    protect,
+    protect: { inputTracing }
+  } = core;
+
+  function install() {
+    depHooks.resolve({ name: 'http' }, http => {
+      for (const method of ['write', 'end']) {
+        const name = `http.ServerResponse.prototype.${method}`;
+        patcher.patch(http.ServerResponse.prototype, method, {
+          name,
+          patchType,
+          pre(data) {
+            if (instrumentation.isLocked()) return;
+
+            const sourceContext = protect.getSourceContext(name);
+
+            if (!sourceContext) return;
+
+            const value = data.args[0]?.toString();
+            if (!value) return;
+
+            const sinkContext = captureStacktrace(
+              { name, value },
+              { constructorOpt: data.hooked }
+            );
+            inputTracing.handleReflectedXss(sourceContext, sinkContext);
+          }
+        });
+      }
+    });
+  }
+
+  const httpInstrumentation = inputTracing.httpInstrumentation = {
+    install
+  };
+
+  return httpInstrumentation;
+};