@contrast/protect 1.20.0 → 1.22.0

package/lib/get-source-context.js

@@ -15,14 +15,14 @@
 
 'use strict';
 
-module.exports = function(core) {
+module.exports = function (core) {
   const { scopes: { sources }, logger } = core;
 
   function getSourceContext(callPoint) {
     const sourceContext = sources.getStore()?.protect;
 
     if (!sourceContext) {
-      logger.debug(`source context not available in ${callPoint}`);
+      logger.debug('source context not available in %s', callPoint);
       return null;
     }
 

package/lib/hardening/handlers.js

@@ -15,7 +15,11 @@
 
 'use strict';
 
-const { BLOCKING_MODES, isString } = require('@contrast/common');
+const {
+  BLOCKING_MODES,
+  isString,
+  Rule: { UNTRUSTED_DESERIALIZATION }
+} = require('@contrast/common');
 
 const NODE_SERIALIZE_RCE_TOKEN = '_$$ND_FUNC$$_';
 
@@ -37,7 +41,7 @@ module.exports = function(core) {
   }
 
   hardening.handleUntrustedDeserialization = function(sourceContext, sinkContext) {
-    const ruleId = 'untrusted-deserialization';
+    const ruleId = UNTRUSTED_DESERIALIZATION;
     const mode = sourceContext.policy[ruleId];
     const { name, value, stacktraceOpts } = sinkContext;
 

package/lib/input-analysis/handlers.js

@@ -398,7 +398,7 @@ module.exports = function(core) {
   };
 
   inputAnalysis.handleVirtualPatches = function(sourceContext, requestInput) {
-    const ruleId = 'virtual-patch';
+    const ruleId = Rule.VIRTUAL_PATCH;
 
     if (!Object.keys(requestInput).filter(Boolean).length || !sourceContext?.virtualPatchesEvaluators.length) return;
 
@@ -440,7 +440,7 @@ module.exports = function(core) {
   };
 
   inputAnalysis.handleIpDenylist = function(sourceContext, ipDenylist) {
-    const ruleId = 'ip-denylist';
+    const ruleId = Rule.IP_DENYLIST;
 
     if (!sourceContext || !ipDenylist.length) return;
 

package/lib/input-analysis/install/express4.js

@@ -36,63 +36,80 @@ module.exports = (core) => {
    * registers a depHook for express module instrumentation
    */
   function install() {
-    depHooks.resolve({ name: 'express', version: '>=4.0.0 <5.0.0', file: 'lib/middleware/query.js' }, (query) => patcher.patch(query, {
-      name: 'Express.query',
-      patchType,
-      post(data) {
-        data.result = patcher.patch(data.result, {
-          name: 'Express.query',
-          patchType,
-          pre(data) {
-            const [req, , origNext] = data.args;
-
-            function contrastNext(origErr) {
-              const sourceContext = protect.getSourceContext('Express.query');
-              let securityException;
-
-              // It is possible for the query to be already parsed by `qs`
-              // which means that we've already handled/analyzed it.
-              // So we check whether we already have the `parsedQuery` property in the context
-              if (sourceContext && req.query && Object.keys(req.query).length && (!('parsedQuery' in sourceContext))) {
-                sourceContext.parsedQuery = req.query;
-
-                try {
-                  inputAnalysis.handleQueryParams(sourceContext, req.query);
-                } catch (err) {
-                  if (isSecurityException(err)) {
-                    securityException = err;
-                  } else {
-                    logger.error({ err }, 'Unexpected error during input analysis');
+    depHooks.resolve(
+      { name: 'express', version: '>=4.0.0 <5.0.0', file: 'lib/middleware/query.js' },
+      (query) => patcher.patch(query, {
+        name: 'express.query',
+        patchType,
+        post(data) {
+          data.result = patcher.patch(data.result, {
+            name: 'express.query',
+            patchType,
+            pre(data) {
+              const [req, , origNext] = data.args;
+
+              function contrastNext(origErr) {
+                const sourceContext = protect.getSourceContext('express.query');
+                let securityException;
+
+                // It is possible for the query to be already parsed by `qs`
+                // which means that we've already handled/analyzed it.
+                // So we check whether we already have the `parsedQuery` property in the context
+                if (sourceContext && req.query && Object.keys(req.query).length && (!('parsedQuery' in sourceContext))) {
+                  sourceContext.parsedQuery = req.query;
+
+                  try {
+                    inputAnalysis.handleQueryParams(sourceContext, req.query);
+                  } catch (err) {
+                    if (isSecurityException(err)) {
+                      securityException = err;
+                    } else {
+                      logger.error({ err }, 'Unexpected error during input analysis');
+                    }
                   }
                 }
+
+                const error = securityException || origErr;
+
+                origNext(error);
               }
 
-              const error = securityException || origErr;
+              data.args[2] = contrastNext;
+            }
+          });
+        }
+      }));
+
+    depHooks.resolve(
+      { name: 'express', version: '>=4.0.0 <5.0.0', file: 'lib/router/layer.js' },
+      (Layer) => {
+        const name = 'express.Layer.prototype.match';
+        patcher.patch(Layer.prototype, 'match', {
+          name,
+          patchType,
+          post(data) {
+            const layer = data.obj;
 
-              origNext(error);
+            // we can exit early if
+            //  the layer doesn't match the request or
+            //  the layer doesn't recognize any parameters
+            if (!data.result || !layer.keys || layer.keys.length === 0) {
+              return;
             }
 
-            data.args[2] = contrastNext;
-          }
-        });
-      }
-    }));
+            const sourceContext = protect.getSourceContext(name);
 
-    depHooks.resolve({ name: 'express', version: '>=4.0.0 <5.0.0', file: 'lib/router/layer.js' }, (Layer) => {
-      patcher.patch(Layer.prototype, 'handle_request', {
-        name: 'express.Layer.prototype.handle_request',
-        patchType,
-        pre(data) {
-          const { obj: { params } } = data;
-          const sourceContext = protect.getSourceContext('Express.Layer.handle_request');
+            if (!sourceContext) {
+              return;
+            }
 
-          if (sourceContext && params && Object.keys(params).length) {
-            sourceContext.parsedParams = params;
-            inputAnalysis.handleUrlParams(sourceContext, params);
+            sourceContext.parsedParams = layer.params;
+            inputAnalysis.handleUrlParams(sourceContext, layer.params);
           }
-        }
+        });
+
+        return Layer;
       });
-    });
   }
 
   const express4Instrumentation = inputAnalysis.express4Instrumentation = {

package/lib/input-tracing/handlers/index.js

@@ -22,7 +22,8 @@ const {
   isString,
   traverseKeys,
   traverseKeysAndValues,
-  agentLibIDListTypes
+  agentLibIDListTypes,
+  Rule: { SQL_INJECTION, PATH_TRAVERSAL, CMD_INJECTION, NOSQL_INJECTION_MONGO, SSJS_INJECTION, REFLECTED_XSS }
 } = require('@contrast/common');
 
 module.exports = function(core) {
@@ -51,7 +52,7 @@ module.exports = function(core) {
   }
 
   inputTracing.handlePathTraversal = function(sourceContext, sinkContext) {
-    const ruleId = 'path-traversal';
+    const ruleId = PATH_TRAVERSAL;
     const results = getResultsByRuleId(ruleId, sourceContext);
 
     if (!results) return;
@@ -67,7 +68,7 @@ module.exports = function(core) {
   };
 
   inputTracing.handleCommandInjection = function(sourceContext, sinkContext) {
-    const ruleId = 'cmd-injection';
+    const ruleId = CMD_INJECTION;
     const results = getResultsByRuleId(ruleId, sourceContext);
 
     if (!results) return;
@@ -93,7 +94,7 @@ module.exports = function(core) {
   };
 
   inputTracing.handleSqlInjection = function(sourceContext, sinkContext) {
-    const ruleId = 'sql-injection';
+    const ruleId = SQL_INJECTION;
     const results = getResultsByRuleId(ruleId, sourceContext);
 
     if (!results) return;
@@ -129,7 +130,7 @@ module.exports = function(core) {
   };
 
   inputTracing.nosqlInjectionMongo = function (sourceContext, sinkContext) {
-    const ruleId = 'nosql-injection-mongo';
+    const ruleId = NOSQL_INJECTION_MONGO;
     const nosqlInjectionMongoResults =
       getResultsByRuleId(ruleId, sourceContext) || [];
     const ssjsInjectionResults =
@@ -238,7 +239,7 @@ module.exports = function(core) {
   };
 
   inputTracing.ssjsInjection = function(sourceContext, sinkContext) {
-    const ruleId = 'ssjs-injection';
+    const ruleId = SSJS_INJECTION;
     let sinkValuesArr = [];
 
     const results = getResultsByRuleId(ruleId, sourceContext);
@@ -289,7 +290,7 @@ module.exports = function(core) {
   };
 
   inputTracing.handleReflectedXss = function(sourceContext, sinkContext) {
-    const ruleId = 'reflected-xss';
+    const ruleId = REFLECTED_XSS;
     const results = getResultsByRuleId(ruleId, sourceContext);
 
     if (!results) return;

package/lib/semantic-analysis/install/libxmljs.js

@@ -19,64 +19,72 @@ const { isString } = require('@contrast/common');
 const SecurityException = require('../../security-exception');
 const { patchType } = require('../constants');
 
-module.exports = function(core) {
+module.exports = function (core) {
   const {
     depHooks,
     patcher,
     logger,
-    protect: { semanticAnalysis },
     protect,
   } = core;
 
-  function install() {
-    depHooks.resolve({ name: 'libxmljs' }, hookLibXml);
-    // libxmljs2 is a fork of libxml that has identical signatures.
-    // the only difference is that libxmljs2 is used by juice-shop and thus
-    // we're missing sinks in one of our most important sample apps.
-    depHooks.resolve({ name: 'libxmljs2' }, hookLibXml);
-  }
+  /**
+   * @param {boolean} newApi
+   */
+  const handler = (newApi) => (mod, metadata) => {
+    const checkOptions = newApi
+      ? (opts) => !opts?.noent && !opts?.replaceEntities
+      : (opts) => !opts?.noent;
 
-  function hookLibXml(libxmljs) {
-    patcher.patch(libxmljs, 'parseXmlString', {
-      name: 'libxmljs.parseXmlString',
-      patchType,
-      pre: preParseXmlMethod
-    });
+    const methods = newApi
+      ? ['parseXml', 'parseXmlAsync']
+      : ['parseXml', 'parseXmlString'];
 
-    patcher.patch(libxmljs, 'parseXml', {
-      name: 'libxmljs.parseXml',
-      patchType,
-      pre: preParseXmlMethod
-    });
-  }
+    methods.forEach((method) => {
+      const name = `${metadata.name}:${method}`;
+      patcher.patch(mod, method, {
+        name,
+        patchType,
+        pre({ args, hooked, orig }) {
+          const sourceContext = protect.getSourceContext(name);
+          const [value, options] = args;
 
-  function preParseXmlMethod({ args, hooked, orig }) {
-    const sourceContext = protect.getSourceContext('libxmljs.parseXmlString');
-    const value = args[0];
+          if (!sourceContext || !value || !isString(value) || checkOptions(options)) {
+            return;
+          }
 
-    // If noent isn't set to true than libxml won't load
-    // external entities, so this isn't vulnerable
-    // see: https://help.semmle.com/wiki/display/JS/XML+external+entity+expansion
-    if (!sourceContext || !value || !isString(value) || !args[1].noent) return;
+          const sinkContext = {
+            name,
+            value,
+            stacktraceOpts: {
+              constructorOpt: hooked,
+              prependFrames: [orig]
+            },
+          };
 
-    const sinkContext = {
-      name: 'libxmljs.parseXmlString',
-      value,
-      stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
-    };
+          try {
+            protect.semanticAnalysis.handleXXE(sourceContext, sinkContext);
+          } catch (err) {
+            if (SecurityException.isSecurityException(err)) {
+              throw err;
+            }
 
-    try {
-      semanticAnalysis.handleXXE(sourceContext, sinkContext);
-    } catch (err) {
-      if (SecurityException.isSecurityException(err)) {
-        throw err;
-      }
+            logger.error({ err }, 'Unexpected error during semantic analysis');
+          }
+        }
+      });
+    });
+  };
 
-      logger.error({ err }, 'Unexpected error during semantic analysis');
-    }
-  }
+  protect.semanticAnalysis.libxmljs = {
+    install() {
+      // libxmljs changed its API in version 1.0.0
+      depHooks.resolve({ name: 'libxmljs', version: '>=1' }, handler(true));
 
-  const libxmljs = semanticAnalysis.libxmljs = { install };
+      // libxmljs versions prior to 1.0.0 and libxmljs2 share the same API
+      depHooks.resolve({ name: 'libxmljs', version: '<1' }, handler(false));
+      depHooks.resolve({ name: 'libxmljs2' }, handler(false));
+    }
+  };
 
-  return libxmljs;
+  return protect.semanticAnalysis.libxmljs;
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.20.0",
+  "version": "1.22.0",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -18,9 +18,9 @@
   },
   "dependencies": {
     "@contrast/agent-lib": "^7.0.1",
-    "@contrast/common": "1.11.0",
-    "@contrast/core": "1.18.0",
-    "@contrast/esm-hooks": "1.14.0",
+    "@contrast/common": "1.13.0",
+    "@contrast/core": "1.20.0",
+    "@contrast/esm-hooks": "1.16.0",
     "@contrast/scopes": "1.4.0",
     "ipaddr.js": "^2.0.1",
     "semver": "^7.3.7"