@contrast/protect 1.2.2 → 1.3.0

package/lib/input-tracing/install/fs.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 const { isString } = require('@contrast/common');
@@ -68,7 +83,7 @@ module.exports = function(core) {
         patcher.patch(fs, method, {
           name,
           patchType,
-          pre({ args, hooked, name }) {
+          pre({ args, hooked, name, orig }) {
             // don't proceed if instrumentation is off e.g. within require() call
             if (instrumentation.isLocked()) return;
 
@@ -86,7 +101,7 @@ module.exports = function(core) {
             for (const value of values) {
               const sinkContext = captureStacktrace(
                 { name, value },
-                { constructorOpt: hooked }
+                { constructorOpt: hooked, prependFrames: [orig] }
               );
               inputTracing.handlePathTraversal(sourceContext, sinkContext);
             }

package/lib/input-tracing/install/mongodb.js

@@ -0,0 +1,233 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../constants');
+const semver = require('semver');
+
+module.exports = function (core) {
+  const {
+    depHooks,
+    patcher,
+    scopes: { sources },
+    captureStacktrace,
+    protect: { inputTracing },
+  } = core;
+
+  function getCursorQueryData(args, version) {
+    const query = semver.gte(version, '3.3.0')
+      ? args[0]?.cmd?.query
+      : args[1]?.query;
+
+    if (!query) {
+      return;
+    }
+
+    if (Object.prototype.toString.call(query) === '[object String]') {
+      return query.toString();
+    }
+
+    if (query['$where']) {
+      return query['$where'].toString();
+    }
+
+    return query;
+  }
+
+  function getOpQueryData(op) {
+    if (!op.q) {
+      return;
+    }
+    if (op.q.$where) {
+      return op.q.$where;
+    }
+    return op.q;
+  }
+
+  function hookV3CommandAndCursor(obj, method, patchName, version) {
+    patcher.patch(obj, method, {
+      name: patchName,
+      patchType,
+      pre: ({ args, hooked, name }) => {
+        const value = getCursorQueryData(args, version);
+        const sourceContext = sources.getStore()?.protect;
+
+        if (!sourceContext || !value) return;
+
+        const sinkContext = captureStacktrace(
+          { name, value },
+          { constructorOpt: hooked }
+        );
+        inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
+      }
+    });
+  }
+
+  function hookV3UpdateAndRemove(obj, method, patchName) {
+    patcher.patch(obj, method, {
+      name: patchName,
+      patchType,
+      pre: ({ args, hooked, name }) => {
+        const sourceContext = sources.getStore()?.protect;
+        if (!sourceContext) return;
+
+
+        const ops = Array.isArray(args[1])
+          ? args[1]
+          : [args[1]];
+        for (const op of ops) {
+          const value = op && getOpQueryData(op);
+          if (value) {
+            const sinkContext = captureStacktrace(
+              { name, value },
+              { constructorOpt: hooked }
+            );
+            inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
+          }
+        }
+      },
+    });
+  }
+
+  function install() {
+    const v4MethodsWithFilter = [
+      'updateOne',
+      'replaceOne',
+      'updateMany',
+      'deleteOne',
+      'deleteMany',
+      'findOneAndDelete',
+      'findOneAndReplace',
+      'findOneAndUpdate',
+      'countDocuments',
+      'count',
+      'distinct',
+    ];
+
+    depHooks.resolve(
+      {
+        name: 'mongodb', version: '>=4.0.0'
+      },
+      (mongodb) => {
+        v4MethodsWithFilter.forEach((method) => {
+          patcher.patch(mongodb.Collection.prototype, method, {
+            name: `mongodb.Collection.prototype.${method}`,
+            patchType,
+            pre: ({ args, hooked, name }) => {
+              const value = typeof args[0] == 'function' ? null : args[0];
+              const sourceContext = sources.getStore()?.protect;
+
+              if (!sourceContext || !value) return;
+
+              const sinkContext = captureStacktrace(
+                { name, value },
+                { constructorOpt: hooked }
+              );
+              inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
+            },
+          });
+        });
+
+        patcher.patch(mongodb.Db.prototype, 'command', {
+          name: 'mongodb.Db.prototype.command',
+          patchType,
+          pre: ({ args, hooked, name }) => {
+            const value = args[0]?.filter;
+            const sourceContext = sources.getStore()?.protect;
+
+            if (!sourceContext || !value) return;
+
+            const sinkContext = captureStacktrace(
+              { name, value },
+              { constructorOpt: hooked }
+            );
+            inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
+          }
+        });
+      });
+
+    depHooks.resolve(
+      {
+        name: 'mongodb', version: '<4.0.0'
+      }, (mongodb, { version }) => {
+        hookV3CommandAndCursor(mongodb.CoreServer.prototype, 'cursor', 'mongodb.CoreServer.prototype.cursor', version);
+
+        patcher.patch(mongodb.Db.prototype, 'eval', {
+          name: 'mongodb.Db.prototype.eval',
+          patchType,
+          pre: ({ args, hooked, name }) => {
+            const value = args[0];
+            const sourceContext = sources.getStore()?.protect;
+
+            if (!sourceContext || !value) return;
+
+            const sinkContext = captureStacktrace(
+              { name, value },
+              { constructorOpt: hooked }
+            );
+
+            inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
+          }
+        });
+      });
+
+    depHooks.resolve({ name: 'mongodb', file: 'lib/cursor/find_cursor', version: '>=4.0.0' }, (cursor) => patcher.patch(cursor, 'FindCursor', {
+      name: 'mongodb.FindCursor',
+      patchType,
+      pre: ({ args, hooked, name }) => {
+        const value = args[2];
+        const sourceContext = sources.getStore()?.protect;
+
+        if (!sourceContext || !value) return;
+
+        const sinkContext = captureStacktrace(
+          { name, value },
+          { constructorOpt: hooked }
+        );
+        inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
+      }
+    }));
+
+    const mongoDBTopologiesMethods = ['update', 'remove'];
+
+    depHooks.resolve({
+      name: 'mongodb',
+      file: 'lib/topologies/topology_base.js',
+      version: '<4.0.0'
+    }, (tpl, { version }) => {
+      mongoDBTopologiesMethods.forEach((method) => {
+        hookV3UpdateAndRemove(tpl.TopologyBase.prototype, method, `mongodb.TopologyBase.prototype.${method}`);
+      });
+      hookV3CommandAndCursor(tpl.TopologyBase.prototype, 'command', 'mongodb.TopologyBase.prototype.command', version);
+    });
+
+    depHooks.resolve({
+      name: 'mongodb',
+      file: 'lib/topologies/native_topology.js',
+      version: '<4.0.0'
+    }, (NativeTopology, { version }) => {
+      mongoDBTopologiesMethods.forEach((method) => {
+        hookV3UpdateAndRemove(NativeTopology.prototype, method, `mongodb.NativeTopology.prototype.${method}`);
+      });
+      hookV3CommandAndCursor(NativeTopology.prototype, 'command', 'mongodb.NativeTopology.prototype.command', version);
+    });
+  }
+  const mongodbInstr = (core.protect.inputTracing.mongodbInstrumentation = {
+    install,
+  });
+
+  return mongodbInstr;
+};

package/lib/input-tracing/install/mysql.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 const { isString } = require('@contrast/common');
@@ -32,7 +47,8 @@ module.exports = function(core) {
           patcher.patch(conn.prototype, method, {
             name,
             patchType,
-            pre({ args, hooked, name }) {
+            pre(data) {
+              const { args, hooked, name, orig } = data;
               const sourceContext = sources.getStore()?.protect;
               if (!sourceContext) return;
 
@@ -41,7 +57,7 @@ module.exports = function(core) {
 
               const sinkContext = captureStacktrace(
                 { name, value },
-                { constructorOpt: hooked }
+                { constructorOpt: hooked, prependFrames: [orig] }
               );
 
               inputTracing.handleSqlInjection(sourceContext, sinkContext);

package/lib/input-tracing/install/postgres.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 const { isString } = require('@contrast/common');

package/lib/input-tracing/install/sequelize.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 const { isString } = require('@contrast/common');

package/lib/input-tracing/install/sqlite3.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 const { isString } = require('@contrast/common');

package/lib/make-response-blocker.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 module.exports = function(core) {

package/lib/make-source-context.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 module.exports = function(core) {
@@ -23,6 +38,7 @@ module.exports = function(core) {
     // lowercase header keys and capture content-type
     let contentType = '';
     const headers = Array(req.rawHeaders.length);
+
     for (let i = 0; i < req.rawHeaders.length; i += 2) {
       headers[i] = req.rawHeaders[i].toLowerCase();
       headers[i + 1] = req.rawHeaders[i + 1];
@@ -45,6 +61,8 @@ module.exports = function(core) {
     // so here is typically better; it makes clear what information is used to
     // make decisions by different handlers.
     const reqData = {
+      ip: req.socket.remoteAddress,
+      httpVersion: req.httpVersion,
       method: req.method,
       headers,
       uriPath,

package/lib/security-exception.js

@@ -1,3 +1,18 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
 module.exports = class SecurityException extends Error {

package/lib/throw-security-exception.js

@@ -1,6 +1,20 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
 'use strict';
 
-const Domain = require('async-hook-domain');
 const securityException = require('./security-exception');
 
 module.exports = function(core) {
@@ -17,12 +31,9 @@ module.exports = function(core) {
 
     const err = securityException.create();
 
-    new Domain(() => {
-      sourceContext.block(mode, ruleId);
-    });
-
-    logger.info({ err, mode, ruleId }, 'throwing security exception');
+    logger.debug({ err, mode, ruleId }, 'throwing security exception');
 
+    // TO-DO: NODE-2556 Research fail-safe handler for all security exceptions
     throw err;
   }
 

package/lib/utils.js

@@ -1,22 +1,19 @@
-'use strict';
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
 
-/**
- * Get a symbol parameter value on the given object. The function should be
- * used with a `target` for which we are sure that the Symbol property we need is set before
- * any eventual duplicating Symbol properties. In case of duplicating Symbol properties
- * we will always get the one that's set first.
- * @param   {Object} target built outgoing response
- * @param   {String} symbolName full symbol stringified
- * @returns {Object}        value of the requested symbol property
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
  */
-function getSymbolProperty(target, symbolName) {
-  if (!target) return;
-  for (const sym of Object.getOwnPropertySymbols(target)) {
-    if (sym.toString() === `Symbol(${symbolName})`) {
-      return target[sym];
-    }
-  }
-}
+
+'use strict';
 
 /**
  * simpleTraverse() walks an object and calls a user function for each key
@@ -83,6 +80,5 @@ function simpleTraverse(obj, cb) {
 }
 
 module.exports = {
-  getSymbolProperty,
   simpleTraverse,
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.2.2",
+  "version": "1.3.0",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -13,7 +13,7 @@
     "contrast-transpile": "lib/cli-rewriter.js"
   },
   "engines": {
-    "npm": ">=6.13.7 <7 || >= 8.3.1",
+    "npm": ">= 8.4.0",
     "node": ">= 14.15.0"
   },
   "scripts": {
@@ -23,11 +23,11 @@
     "@babel/template": "^7.16.7",
     "@babel/types": "^7.16.8",
     "@contrast/agent-lib": "^4.2.0",
-    "@contrast/common": "1.0.2",
-    "@contrast/core": "1.1.2",
-    "@contrast/scopes": "1.0.2",
-    "@contrast/esm-hooks": "1.1.2",
-    "async-hook-domain": "^2.0.4",
-    "builtin-modules": "^3.2.0"
+    "@contrast/common": "1.0.3",
+    "@contrast/core": "1.2.0",
+    "@contrast/scopes": "1.1.0",
+    "@contrast/esm-hooks": "1.1.3",
+    "builtin-modules": "^3.2.0",
+    "semver": "^7.3.7"
   }
 }

package/lib/input-analysis/install/co-body.js

@@ -1,51 +0,0 @@
-'use strict';
-
-module.exports = (core) => {
-  const {
-    depHooks,
-    patcher,
-    logger,
-    scopes: { sources },
-    protect: { inputAnalysis },
-  } = core;
-
-  async function postHook(data) {
-    const { args: [, opts], result } = data;
-    if (result) {
-      const sourceContext = sources.getStore()?.protect;
-      if (!sourceContext) {
-        logger.debug('source context not available in `co-body` hook');
-      } else {
-        result.then((resolved) => {
-          const parsedBody = opts?.returnRawBody ? resolved.parsed : resolved;
-          sourceContext.parsedBody = parsedBody;
-          inputAnalysis.handleParsedBody(sourceContext, parsedBody);
-        });
-      }
-    }
-  }
-
-  return {
-    // Patch lower level parser - `co-body` used by `koa-body` and `koa-bodyparser`
-    install() {
-      depHooks.resolve({ name: 'co-body' }, (coBody) => {
-        coBody = patcher.patch(coBody, {
-          name: 'co-body',
-          patchType: 'framework-patch',
-          post: postHook
-        });
-
-        ['json', 'form', 'text'].forEach((property) => {
-          patcher.patch(coBody, property, {
-            name: `co-body.${property}`,
-            patchType: 'framework-patch',
-            post: postHook
-          });
-        });
-
-        return coBody;
-      }
-      );
-    }
-  };
-};

package/lib/input-analysis/install/cookie-parser.js

@@ -1,48 +0,0 @@
-'use strict';
-
-module.exports = (core) => {
-  const {
-    depHooks,
-    patcher,
-    logger,
-    scopes: { sources },
-    protect: { inputAnalysis },
-  } = core;
-
-  return {
-  // Patch `cookie-parser` package
-    install() {
-      depHooks.resolve({ name: 'cookie-parser' }, (cookieParser) => patcher.patch(cookieParser, {
-        name: 'cookie-parser',
-        patchType: 'framework-patch',
-        post(data) {
-          data.result = patcher.patch(data.result, {
-            name: 'cookie-parser',
-            patchType: 'framework-patch',
-            pre(data) {
-              const [req, , origNext] = data.args;
-
-              async function contrastNext() {
-                const sourceContext = sources.getStore()?.protect;
-
-                if (!sourceContext) {
-                  logger.debug('source context not available in `cookie-parser` hook');
-                } else {
-                  if (req.cookies) {
-                    sourceContext.parsedCookies = req.cookies;
-                    inputAnalysis.handleCookies(sourceContext, req.cookies);
-                  }
-                }
-
-                await origNext();
-              }
-
-              data.args[2] = contrastNext;
-            }
-          });
-        }
-      })
-      );
-    }
-  };
-};