@contrast/protect 1.2.1 → 1.4.0

package/lib/input-tracing/install/mongodb.js

@@ -0,0 +1,233 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../constants');
+const semver = require('semver');
+
+module.exports = function (core) {
+  const {
+    depHooks,
+    patcher,
+    captureStacktrace,
+    protect,
+    protect: { inputTracing },
+  } = core;
+
+  function getCursorQueryData(args, version) {
+    const query = semver.gte(version, '3.3.0')
+      ? args[0]?.cmd?.query
+      : args[1]?.query;
+
+    if (!query) {
+      return;
+    }
+
+    if (Object.prototype.toString.call(query) === '[object String]') {
+      return query.toString();
+    }
+
+    if (query['$where']) {
+      return query['$where'].toString();
+    }
+
+    return query;
+  }
+
+  function getOpQueryData(op) {
+    if (!op.q) {
+      return;
+    }
+    if (op.q.$where) {
+      return op.q.$where;
+    }
+    return op.q;
+  }
+
+  function hookV3CommandAndCursor(obj, method, patchName, version) {
+    patcher.patch(obj, method, {
+      name: patchName,
+      patchType,
+      pre: ({ args, hooked, name, orig }) => {
+        const value = getCursorQueryData(args, version);
+        const sourceContext = protect.getSourceContext(patchName);
+
+        if (!sourceContext || !value) return;
+
+        const sinkContext = captureStacktrace(
+          { name, value },
+          { constructorOpt: hooked, prependFrames: [orig] }
+        );
+        inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
+      }
+    });
+  }
+
+  function hookV3UpdateAndRemove(obj, method, patchName) {
+    patcher.patch(obj, method, {
+      name: patchName,
+      patchType,
+      pre: ({ args, hooked, name, orig }) => {
+        const sourceContext = protect.getSourceContext(patchName);
+
+        if (!sourceContext) return;
+
+        const ops = Array.isArray(args[1])
+          ? args[1]
+          : [args[1]];
+        for (const op of ops) {
+          const value = op && getOpQueryData(op);
+          if (value) {
+            const sinkContext = captureStacktrace(
+              { name, value },
+              { constructorOpt: hooked, prependFrames: [orig] }
+            );
+            inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
+          }
+        }
+      },
+    });
+  }
+
+  function install() {
+    const v4MethodsWithFilter = [
+      'updateOne',
+      'replaceOne',
+      'updateMany',
+      'deleteOne',
+      'deleteMany',
+      'findOneAndDelete',
+      'findOneAndReplace',
+      'findOneAndUpdate',
+      'countDocuments',
+      'count',
+      'distinct',
+    ];
+
+    depHooks.resolve(
+      {
+        name: 'mongodb', version: '>=4.0.0'
+      },
+      (mongodb) => {
+        v4MethodsWithFilter.forEach((method) => {
+          patcher.patch(mongodb.Collection.prototype, method, {
+            name: `mongodb.Collection.prototype.${method}`,
+            patchType,
+            pre: ({ args, hooked, name, orig }) => {
+              const value = typeof args[0] == 'function' ? null : args[0];
+              const sourceContext = protect.getSourceContext(`mongodb.Collection.prototype.${method}`);
+
+              if (!sourceContext || !value) return;
+
+              const sinkContext = captureStacktrace(
+                { name, value },
+                { constructorOpt: hooked, prependFrames: [orig] }
+              );
+              inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
+            },
+          });
+        });
+
+        patcher.patch(mongodb.Db.prototype, 'command', {
+          name: 'mongodb.Db.prototype.command',
+          patchType,
+          pre: ({ args, hooked, name, orig }) => {
+            const value = args[0]?.filter;
+            const sourceContext = protect.getSourceContext('mongodb.Collection.prototype.command');
+
+            if (!sourceContext || !value) return;
+
+            const sinkContext = captureStacktrace(
+              { name, value },
+              { constructorOpt: hooked, prependFrames: [orig] }
+            );
+            inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
+          }
+        });
+      });
+
+    depHooks.resolve(
+      {
+        name: 'mongodb', version: '<4.0.0'
+      }, (mongodb, { version }) => {
+        hookV3CommandAndCursor(mongodb.CoreServer.prototype, 'cursor', 'mongodb.CoreServer.prototype.cursor', version);
+
+        patcher.patch(mongodb.Db.prototype, 'eval', {
+          name: 'mongodb.Db.prototype.eval',
+          patchType,
+          pre: ({ args, hooked, name, orig }) => {
+            const value = args[0];
+            const sourceContext = protect.getSourceContext('mongodb.Db.prototype.eval');
+
+            if (!sourceContext || !value) return;
+
+            const sinkContext = captureStacktrace(
+              { name, value },
+              { constructorOpt: hooked, prependFrames: [orig] }
+            );
+
+            inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
+          }
+        });
+      });
+
+    depHooks.resolve({ name: 'mongodb', file: 'lib/cursor/find_cursor', version: '>=4.0.0' }, (cursor) => patcher.patch(cursor, 'FindCursor', {
+      name: 'mongodb.FindCursor',
+      patchType,
+      pre: ({ args, hooked, name, orig }) => {
+        const value = args[2];
+        const sourceContext = protect.getSourceContext('mongodb.FindCursor');
+
+        if (!sourceContext || !value) return;
+
+        const sinkContext = captureStacktrace(
+          { name, value },
+          { constructorOpt: hooked, prependFrames: [orig] }
+        );
+        inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
+      }
+    }));
+
+    const mongoDBTopologiesMethods = ['update', 'remove'];
+
+    depHooks.resolve({
+      name: 'mongodb',
+      file: 'lib/topologies/topology_base.js',
+      version: '<4.0.0'
+    }, (tpl, { version }) => {
+      mongoDBTopologiesMethods.forEach((method) => {
+        hookV3UpdateAndRemove(tpl.TopologyBase.prototype, method, `mongodb.TopologyBase.prototype.${method}`);
+      });
+      hookV3CommandAndCursor(tpl.TopologyBase.prototype, 'command', 'mongodb.TopologyBase.prototype.command', version);
+    });
+
+    depHooks.resolve({
+      name: 'mongodb',
+      file: 'lib/topologies/native_topology.js',
+      version: '<4.0.0'
+    }, (NativeTopology, { version }) => {
+      mongoDBTopologiesMethods.forEach((method) => {
+        hookV3UpdateAndRemove(NativeTopology.prototype, method, `mongodb.NativeTopology.prototype.${method}`);
+      });
+      hookV3CommandAndCursor(NativeTopology.prototype, 'command', 'mongodb.NativeTopology.prototype.command', version);
+    });
+  }
+  const mongodbInstr = (core.protect.inputTracing.mongodbInstrumentation = {
+    install,
+  });
+
+  return mongodbInstr;
+};

package/lib/input-tracing/install/mysql.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 const { isString } = require('@contrast/common');
@@ -8,7 +23,7 @@ module.exports = function(core) {
     depHooks,
     patcher,
     captureStacktrace,
-    scopes: { sources },
+    protect,
     protect: { inputTracing }
   } = core;
 
@@ -32,8 +47,10 @@ module.exports = function(core) {
           patcher.patch(conn.prototype, method, {
             name,
             patchType,
-            pre({ args, hooked, name }) {
-              const sourceContext = sources.getStore()?.protect;
+            pre(data) {
+              const { args, hooked, name, orig } = data;
+              const sourceContext = protect.getSourceContext(name);
+
               if (!sourceContext) return;
 
               const value = mysqlInstr.getValueFromArgs(args);
@@ -41,7 +58,7 @@ module.exports = function(core) {
 
               const sinkContext = captureStacktrace(
                 { name, value },
-                { constructorOpt: hooked }
+                { constructorOpt: hooked, prependFrames: [orig] }
               );
 
               inputTracing.handleSqlInjection(sourceContext, sinkContext);

package/lib/input-tracing/install/postgres.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 const { isString } = require('@contrast/common');
@@ -7,8 +22,8 @@ module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    scopes: { sources },
     captureStacktrace,
+    protect,
     protect: { inputTracing }
   } = core;
 
@@ -17,8 +32,9 @@ module.exports = function(core) {
     if (query && isString(query)) return query;
   }
 
-  function preHook({ args, hooked, name }) {
-    const sourceContext = sources.getStore()?.protect;
+  function preHook({ args, hooked, name, orig }) {
+    const sourceContext = protect.getSourceContext(name);
+
     if (!sourceContext) return;
 
     const value = getQueryFromArgs(args);
@@ -26,7 +42,7 @@ module.exports = function(core) {
 
     const sinkContext = captureStacktrace(
       { name, value },
-      { constructorOpt: hooked }
+      { constructorOpt: hooked, prependFrames: [orig] }
     );
 
     inputTracing.handleSqlInjection(sourceContext, sinkContext);

package/lib/input-tracing/install/sequelize.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 const { isString } = require('@contrast/common');
@@ -5,10 +20,11 @@ const { patchType } = require('../constants');
 
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
+    scopes: { instrumentation },
     patcher,
     depHooks,
     captureStacktrace,
+    protect,
     protect: { inputTracing }
   } = core;
 
@@ -23,18 +39,19 @@ module.exports = function(core) {
       patcher.patch(sequelize.prototype, 'query', {
         name,
         patchType,
-        pre({ args, hooked, name }) {
+        pre({ args, hooked, name, orig }) {
           if (instrumentation.isLocked()) return;
 
-          const sourceContext = sources.getStore()?.protect;
-          if (!sourceContext) return;
+          const sourceContext = protect.getSourceContext(name);
+
+          if (!sourceContext || sourceContext.allowed) return;
 
           const value = getQueryFromArgs(args);
           if (!value) return;
 
           const sinkContext = captureStacktrace(
             { name, value },
-            { constructorOpt: hooked }
+            { constructorOpt: hooked, prependFrames: [orig] }
           );
           inputTracing.handleSqlInjection(sourceContext, sinkContext);
         }

package/lib/input-tracing/install/sqlite3.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 const { isString } = require('@contrast/common');
@@ -5,10 +20,11 @@ const { patchType } = require('../constants');
 
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
+    scopes: { instrumentation },
     patcher,
     depHooks,
     captureStacktrace,
+    protect,
     protect: { inputTracing }
   } = core;
 
@@ -19,10 +35,10 @@ module.exports = function(core) {
         patcher.patch(sqlite3.Database.prototype, method, {
           name,
           patchType,
-          pre({ args, hooked, name }) {
+          pre({ args, hooked, name, orig }) {
             if (instrumentation.isLocked()) return;
 
-            const sourceContext = sources.getStore()?.protect;
+            const sourceContext = protect.getSourceContext(name);
             if (!sourceContext) return;
 
             const value = args[0];
@@ -30,8 +46,9 @@ module.exports = function(core) {
 
             const sinkContext = captureStacktrace(
               { name, value },
-              { constructorOpt: hooked }
+              { constructorOpt: hooked, prependFrames: [orig] }
             );
+
             inputTracing.handleSqlInjection(sourceContext, sinkContext);
           }
         });

package/lib/input-tracing/install/vm.js

@@ -0,0 +1,132 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { isString, isNonEmptyObject } = require('@contrast/common');
+const { patchType } = require('../constants');
+
+module.exports = function(core) {
+  const {
+    scopes: { instrumentation },
+    patcher,
+    depHooks,
+    captureStacktrace,
+    protect,
+    protect: { inputTracing }
+  } = core;
+
+  function install() {
+    depHooks.resolve({ name: 'vm' }, (vm) => {
+      ['Script', 'createScript', 'runInContext', 'runInThisContext'].forEach(
+        (method) => {
+          const name = `vm.${method}`;
+
+          patcher.patch(vm, method, {
+            name,
+            patchType,
+            pre({ args, hooked, name, orig }) {
+              if (instrumentation.isLocked()) return;
+
+              const sourceContext = protect.getSourceContext(name);
+              if (!sourceContext) return;
+
+              const codeString = args[0];
+              if (!codeString || !isString(codeString)) return;
+
+              const sinkContext = captureStacktrace(
+                { name, value: codeString },
+                { constructorOpt: hooked, prependFrames: [orig] }
+              );
+              inputTracing.ssjsInjection(sourceContext, sinkContext);
+            }
+          });
+        }
+      );
+
+      patcher.patch(vm, 'runInNewContext', {
+        name: 'vm.runInNewContext',
+        patchType,
+        pre: ({ args, hooked, orig }) => {
+          if (instrumentation.isLocked()) return;
+
+          const sourceContext = protect.getSourceContext('vm.runInNewContext');
+          if (!sourceContext) return;
+
+          const codeString = args[0];
+          const envObj = args[1];
+
+          if ((!codeString || !isString(codeString)) && (!isNonEmptyObject(envObj))) return;
+
+          const codeStringSinkContext = (codeString && isString(codeString)) ? captureStacktrace(
+            { name: 'vm.runInNewContext', value: codeString },
+            { constructorOpt: hooked, prependFrames: [orig] }
+          ) : null;
+          const envObjSinkContext = isNonEmptyObject(envObj) ? captureStacktrace(
+            { name: 'vm.runInNewContext', value: envObj },
+            { constructorOpt: hooked, prependFrames: [orig] }
+          ) : null;
+
+          codeStringSinkContext && inputTracing.ssjsInjection(sourceContext, codeStringSinkContext);
+          envObjSinkContext && inputTracing.ssjsInjection(sourceContext, envObjSinkContext);
+        }
+      });
+
+      patcher.patch(vm, 'createContext', {
+        name: 'vm.createContext',
+        patchType,
+        pre: ({ args, hooked, orig }) => {
+          if (instrumentation.isLocked()) return;
+
+          const sourceContext = protect.getSourceContext('vm.createContext');
+          if (!sourceContext) return;
+
+          const envObj = args[0];
+          if (!isNonEmptyObject(envObj)) return;
+
+          const sinkContext = captureStacktrace(
+            { name: 'vm.createContext', value: envObj },
+            { constructorOpt: hooked, prependFrames: [orig] }
+          );
+          inputTracing.ssjsInjection(sourceContext, sinkContext);
+        }
+      });
+
+      patcher.patch(vm.Script.prototype, 'runInNewContext', {
+        name: 'vm.Script.prototype.runInNewContext',
+        patchType,
+        pre: ({ args, hooked, orig }) => {
+          if (instrumentation.isLocked()) return;
+
+          const sourceContext = protect.getSourceContext('vm.Script.prototype.runInNewContext');
+          if (!sourceContext) return;
+
+          const envObj = args[0];
+          if (!isNonEmptyObject(envObj)) return;
+
+          const sinkContext = captureStacktrace(
+            { name: 'vm.Script.prototype.runInNewContext', value: envObj },
+            { constructorOpt: hooked, prependFrames: [orig] }
+          );
+          inputTracing.ssjsInjection(sourceContext, sinkContext);
+        }
+      });
+    });
+  }
+
+  const vmInstrumentation = inputTracing.vmInstrumentation = { install };
+
+  return vmInstrumentation;
+};

package/lib/make-response-blocker.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 module.exports = function(core) {

package/lib/make-source-context.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 module.exports = function(core) {
@@ -23,6 +38,7 @@ module.exports = function(core) {
     // lowercase header keys and capture content-type
     let contentType = '';
     const headers = Array(req.rawHeaders.length);
+
     for (let i = 0; i < req.rawHeaders.length; i += 2) {
       headers[i] = req.rawHeaders[i].toLowerCase();
       headers[i + 1] = req.rawHeaders[i + 1];
@@ -45,6 +61,8 @@ module.exports = function(core) {
     // so here is typically better; it makes clear what information is used to
     // make decisions by different handlers.
     const reqData = {
+      ip: req.socket.remoteAddress,
+      httpVersion: req.httpVersion,
       method: req.method,
       headers,
       uriPath,
@@ -65,7 +83,7 @@ module.exports = function(core) {
       // particular request (if any route exclusions, etc.)
       rules: core.protect.rules,
       exclusions: [],
-      virtualPatches: [],
+      virtualPatchesEvaluators: [],
 
       // maybe better as result, findings... but my bad naming choice is
       // past the point of return.
@@ -76,6 +94,9 @@ module.exports = function(core) {
         // successfully.
         bodyType: undefined,
         resultsMap: Object.create(null),
+        hardeningResultsMap: Object.create(null),
+        semanticResultsMap: Object.create(null),
+        serverFeaturesResultsMap: Object.create(null)
       },
 
       /*

package/lib/security-exception.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 module.exports = class SecurityException extends Error {