@contrast/protect 1.21.0 → 1.22.0

package/lib/get-source-context.js

@@ -15,14 +15,14 @@
 
 'use strict';
 
-module.exports = function(core) {
+module.exports = function (core) {
   const { scopes: { sources }, logger } = core;
 
   function getSourceContext(callPoint) {
     const sourceContext = sources.getStore()?.protect;
 
     if (!sourceContext) {
-      logger.debug(`source context not available in ${callPoint}`);
+      logger.debug('source context not available in %s', callPoint);
       return null;
     }
 

package/lib/hardening/handlers.js

@@ -15,7 +15,11 @@
 
 'use strict';
 
-const { BLOCKING_MODES, isString } = require('@contrast/common');
+const {
+  BLOCKING_MODES,
+  isString,
+  Rule: { UNTRUSTED_DESERIALIZATION }
+} = require('@contrast/common');
 
 const NODE_SERIALIZE_RCE_TOKEN = '_$$ND_FUNC$$_';
 
@@ -37,7 +41,7 @@ module.exports = function(core) {
   }
 
   hardening.handleUntrustedDeserialization = function(sourceContext, sinkContext) {
-    const ruleId = 'untrusted-deserialization';
+    const ruleId = UNTRUSTED_DESERIALIZATION;
     const mode = sourceContext.policy[ruleId];
     const { name, value, stacktraceOpts } = sinkContext;
 

package/lib/input-analysis/handlers.js

@@ -398,7 +398,7 @@ module.exports = function(core) {
   };
 
   inputAnalysis.handleVirtualPatches = function(sourceContext, requestInput) {
-    const ruleId = 'virtual-patch';
+    const ruleId = Rule.VIRTUAL_PATCH;
 
     if (!Object.keys(requestInput).filter(Boolean).length || !sourceContext?.virtualPatchesEvaluators.length) return;
 
@@ -440,7 +440,7 @@ module.exports = function(core) {
   };
 
   inputAnalysis.handleIpDenylist = function(sourceContext, ipDenylist) {
-    const ruleId = 'ip-denylist';
+    const ruleId = Rule.IP_DENYLIST;
 
     if (!sourceContext || !ipDenylist.length) return;
 

package/lib/input-analysis/install/express4.js

@@ -36,63 +36,80 @@ module.exports = (core) => {
    * registers a depHook for express module instrumentation
    */
   function install() {
-    depHooks.resolve({ name: 'express', version: '>=4.0.0 <5.0.0', file: 'lib/middleware/query.js' }, (query) => patcher.patch(query, {
-      name: 'Express.query',
-      patchType,
-      post(data) {
-        data.result = patcher.patch(data.result, {
-          name: 'Express.query',
-          patchType,
-          pre(data) {
-            const [req, , origNext] = data.args;
-
-            function contrastNext(origErr) {
-              const sourceContext = protect.getSourceContext('Express.query');
-              let securityException;
-
-              // It is possible for the query to be already parsed by `qs`
-              // which means that we've already handled/analyzed it.
-              // So we check whether we already have the `parsedQuery` property in the context
-              if (sourceContext && req.query && Object.keys(req.query).length && (!('parsedQuery' in sourceContext))) {
-                sourceContext.parsedQuery = req.query;
-
-                try {
-                  inputAnalysis.handleQueryParams(sourceContext, req.query);
-                } catch (err) {
-                  if (isSecurityException(err)) {
-                    securityException = err;
-                  } else {
-                    logger.error({ err }, 'Unexpected error during input analysis');
+    depHooks.resolve(
+      { name: 'express', version: '>=4.0.0 <5.0.0', file: 'lib/middleware/query.js' },
+      (query) => patcher.patch(query, {
+        name: 'express.query',
+        patchType,
+        post(data) {
+          data.result = patcher.patch(data.result, {
+            name: 'express.query',
+            patchType,
+            pre(data) {
+              const [req, , origNext] = data.args;
+
+              function contrastNext(origErr) {
+                const sourceContext = protect.getSourceContext('express.query');
+                let securityException;
+
+                // It is possible for the query to be already parsed by `qs`
+                // which means that we've already handled/analyzed it.
+                // So we check whether we already have the `parsedQuery` property in the context
+                if (sourceContext && req.query && Object.keys(req.query).length && (!('parsedQuery' in sourceContext))) {
+                  sourceContext.parsedQuery = req.query;
+
+                  try {
+                    inputAnalysis.handleQueryParams(sourceContext, req.query);
+                  } catch (err) {
+                    if (isSecurityException(err)) {
+                      securityException = err;
+                    } else {
+                      logger.error({ err }, 'Unexpected error during input analysis');
+                    }
                   }
                 }
+
+                const error = securityException || origErr;
+
+                origNext(error);
               }
 
-              const error = securityException || origErr;
+              data.args[2] = contrastNext;
+            }
+          });
+        }
+      }));
+
+    depHooks.resolve(
+      { name: 'express', version: '>=4.0.0 <5.0.0', file: 'lib/router/layer.js' },
+      (Layer) => {
+        const name = 'express.Layer.prototype.match';
+        patcher.patch(Layer.prototype, 'match', {
+          name,
+          patchType,
+          post(data) {
+            const layer = data.obj;
 
-              origNext(error);
+            // we can exit early if
+            //  the layer doesn't match the request or
+            //  the layer doesn't recognize any parameters
+            if (!data.result || !layer.keys || layer.keys.length === 0) {
+              return;
             }
 
-            data.args[2] = contrastNext;
-          }
-        });
-      }
-    }));
+            const sourceContext = protect.getSourceContext(name);
 
-    depHooks.resolve({ name: 'express', version: '>=4.0.0 <5.0.0', file: 'lib/router/layer.js' }, (Layer) => {
-      patcher.patch(Layer.prototype, 'handle_request', {
-        name: 'express.Layer.prototype.handle_request',
-        patchType,
-        pre(data) {
-          const { obj: { params } } = data;
-          const sourceContext = protect.getSourceContext('Express.Layer.handle_request');
+            if (!sourceContext) {
+              return;
+            }
 
-          if (sourceContext && params && Object.keys(params).length) {
-            sourceContext.parsedParams = params;
-            inputAnalysis.handleUrlParams(sourceContext, params);
+            sourceContext.parsedParams = layer.params;
+            inputAnalysis.handleUrlParams(sourceContext, layer.params);
           }
-        }
+        });
+
+        return Layer;
       });
-    });
   }
 
   const express4Instrumentation = inputAnalysis.express4Instrumentation = {

package/lib/input-tracing/handlers/index.js

@@ -22,7 +22,8 @@ const {
   isString,
   traverseKeys,
   traverseKeysAndValues,
-  agentLibIDListTypes
+  agentLibIDListTypes,
+  Rule: { SQL_INJECTION, PATH_TRAVERSAL, CMD_INJECTION, NOSQL_INJECTION_MONGO, SSJS_INJECTION, REFLECTED_XSS }
 } = require('@contrast/common');
 
 module.exports = function(core) {
@@ -51,7 +52,7 @@ module.exports = function(core) {
   }
 
   inputTracing.handlePathTraversal = function(sourceContext, sinkContext) {
-    const ruleId = 'path-traversal';
+    const ruleId = PATH_TRAVERSAL;
     const results = getResultsByRuleId(ruleId, sourceContext);
 
     if (!results) return;
@@ -67,7 +68,7 @@ module.exports = function(core) {
   };
 
   inputTracing.handleCommandInjection = function(sourceContext, sinkContext) {
-    const ruleId = 'cmd-injection';
+    const ruleId = CMD_INJECTION;
     const results = getResultsByRuleId(ruleId, sourceContext);
 
     if (!results) return;
@@ -93,7 +94,7 @@ module.exports = function(core) {
   };
 
   inputTracing.handleSqlInjection = function(sourceContext, sinkContext) {
-    const ruleId = 'sql-injection';
+    const ruleId = SQL_INJECTION;
     const results = getResultsByRuleId(ruleId, sourceContext);
 
     if (!results) return;
@@ -129,7 +130,7 @@ module.exports = function(core) {
   };
 
   inputTracing.nosqlInjectionMongo = function (sourceContext, sinkContext) {
-    const ruleId = 'nosql-injection-mongo';
+    const ruleId = NOSQL_INJECTION_MONGO;
     const nosqlInjectionMongoResults =
       getResultsByRuleId(ruleId, sourceContext) || [];
     const ssjsInjectionResults =
@@ -238,7 +239,7 @@ module.exports = function(core) {
   };
 
   inputTracing.ssjsInjection = function(sourceContext, sinkContext) {
-    const ruleId = 'ssjs-injection';
+    const ruleId = SSJS_INJECTION;
     let sinkValuesArr = [];
 
     const results = getResultsByRuleId(ruleId, sourceContext);
@@ -289,7 +290,7 @@ module.exports = function(core) {
   };
 
   inputTracing.handleReflectedXss = function(sourceContext, sinkContext) {
-    const ruleId = 'reflected-xss';
+    const ruleId = REFLECTED_XSS;
     const results = getResultsByRuleId(ruleId, sourceContext);
 
     if (!results) return;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.21.0",
+  "version": "1.22.0",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -18,9 +18,9 @@
   },
   "dependencies": {
     "@contrast/agent-lib": "^7.0.1",
-    "@contrast/common": "1.12.0",
-    "@contrast/core": "1.19.0",
-    "@contrast/esm-hooks": "1.15.0",
+    "@contrast/common": "1.13.0",
+    "@contrast/core": "1.20.0",
+    "@contrast/esm-hooks": "1.16.0",
     "@contrast/scopes": "1.4.0",
     "ipaddr.js": "^2.0.1",
     "semver": "^7.3.7"