@contrast/protect 1.21.0 → 1.23.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +1 -1
- package/lib/error-handlers/common-handler.js +1 -1
- package/lib/error-handlers/constants.js +1 -1
- package/lib/error-handlers/index.js +1 -1
- package/lib/error-handlers/init-domain.js +1 -1
- package/lib/error-handlers/install/express4.js +1 -1
- package/lib/error-handlers/install/fastify.js +1 -1
- package/lib/error-handlers/install/hapi.js +1 -1
- package/lib/error-handlers/install/koa2.js +1 -1
- package/lib/esm-loader.mjs +1 -1
- package/lib/get-source-context.js +3 -3
- package/lib/hardening/constants.js +1 -1
- package/lib/hardening/handlers.js +7 -3
- package/lib/hardening/index.js +1 -1
- package/lib/hardening/install/node-serialize0.js +1 -1
- package/lib/index.d.ts +1 -1
- package/lib/index.js +1 -1
- package/lib/input-analysis/constants.js +1 -1
- package/lib/input-analysis/handlers.js +3 -3
- package/lib/input-analysis/index.js +1 -1
- package/lib/input-analysis/install/body-parser1.js +1 -1
- package/lib/input-analysis/install/busboy1.js +1 -1
- package/lib/input-analysis/install/cookie-parser1.js +1 -1
- package/lib/input-analysis/install/express4.js +64 -47
- package/lib/input-analysis/install/fastify.js +1 -1
- package/lib/input-analysis/install/formidable1.js +1 -1
- package/lib/input-analysis/install/hapi.js +1 -1
- package/lib/input-analysis/install/http.js +1 -1
- package/lib/input-analysis/install/koa-body5.js +1 -1
- package/lib/input-analysis/install/koa-bodyparser4.js +1 -1
- package/lib/input-analysis/install/koa2.js +1 -1
- package/lib/input-analysis/install/multer1.js +1 -1
- package/lib/input-analysis/install/qs6.js +1 -1
- package/lib/input-analysis/install/universal-cookie4.js +1 -1
- package/lib/input-analysis/ip-analysis.js +1 -1
- package/lib/input-analysis/virtual-patches.js +1 -1
- package/lib/input-tracing/constants.js +1 -1
- package/lib/input-tracing/handlers/index.js +9 -8
- package/lib/input-tracing/index.js +1 -1
- package/lib/input-tracing/install/child-process.js +1 -1
- package/lib/input-tracing/install/eval.js +1 -1
- package/lib/input-tracing/install/fs.js +1 -1
- package/lib/input-tracing/install/function.js +1 -1
- package/lib/input-tracing/install/http.js +1 -1
- package/lib/input-tracing/install/marsdb.js +1 -1
- package/lib/input-tracing/install/mongodb.js +1 -1
- package/lib/input-tracing/install/mssql.js +1 -1
- package/lib/input-tracing/install/mysql.js +1 -1
- package/lib/input-tracing/install/postgres.js +1 -1
- package/lib/input-tracing/install/sequelize.js +1 -1
- package/lib/input-tracing/install/sqlite3.js +1 -1
- package/lib/input-tracing/install/vm.js +1 -1
- package/lib/make-response-blocker.js +1 -1
- package/lib/make-source-context.js +1 -1
- package/lib/policy.js +4 -4
- package/lib/security-exception.js +1 -1
- package/lib/semantic-analysis/constants.js +1 -1
- package/lib/semantic-analysis/handlers.js +1 -1
- package/lib/semantic-analysis/index.js +1 -1
- package/lib/semantic-analysis/install/libxmljs.js +1 -1
- package/lib/semantic-analysis/utils/xml-analysis.js +1 -1
- package/lib/throw-security-exception.js +1 -1
- package/package.json +4 -4
package/LICENSE
CHANGED
package/lib/esm-loader.mjs
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
/*
|
|
2
|
-
* Copyright:
|
|
2
|
+
* Copyright: 2023 Contrast Security, Inc
|
|
3
3
|
* Contact: support@contrastsecurity.com
|
|
4
4
|
* License: Commercial
|
|
5
5
|
|
|
@@ -15,14 +15,14 @@
|
|
|
15
15
|
|
|
16
16
|
'use strict';
|
|
17
17
|
|
|
18
|
-
module.exports = function(core) {
|
|
18
|
+
module.exports = function (core) {
|
|
19
19
|
const { scopes: { sources }, logger } = core;
|
|
20
20
|
|
|
21
21
|
function getSourceContext(callPoint) {
|
|
22
22
|
const sourceContext = sources.getStore()?.protect;
|
|
23
23
|
|
|
24
24
|
if (!sourceContext) {
|
|
25
|
-
logger.debug(
|
|
25
|
+
logger.debug('source context not available in %s', callPoint);
|
|
26
26
|
return null;
|
|
27
27
|
}
|
|
28
28
|
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
/*
|
|
2
|
-
* Copyright:
|
|
2
|
+
* Copyright: 2023 Contrast Security, Inc
|
|
3
3
|
* Contact: support@contrastsecurity.com
|
|
4
4
|
* License: Commercial
|
|
5
5
|
|
|
@@ -15,7 +15,11 @@
|
|
|
15
15
|
|
|
16
16
|
'use strict';
|
|
17
17
|
|
|
18
|
-
const {
|
|
18
|
+
const {
|
|
19
|
+
BLOCKING_MODES,
|
|
20
|
+
isString,
|
|
21
|
+
Rule: { UNTRUSTED_DESERIALIZATION }
|
|
22
|
+
} = require('@contrast/common');
|
|
19
23
|
|
|
20
24
|
const NODE_SERIALIZE_RCE_TOKEN = '_$$ND_FUNC$$_';
|
|
21
25
|
|
|
@@ -37,7 +41,7 @@ module.exports = function(core) {
|
|
|
37
41
|
}
|
|
38
42
|
|
|
39
43
|
hardening.handleUntrustedDeserialization = function(sourceContext, sinkContext) {
|
|
40
|
-
const ruleId =
|
|
44
|
+
const ruleId = UNTRUSTED_DESERIALIZATION;
|
|
41
45
|
const mode = sourceContext.policy[ruleId];
|
|
42
46
|
const { name, value, stacktraceOpts } = sinkContext;
|
|
43
47
|
|
package/lib/hardening/index.js
CHANGED
package/lib/index.d.ts
CHANGED
package/lib/index.js
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
/*
|
|
2
|
-
* Copyright:
|
|
2
|
+
* Copyright: 2023 Contrast Security, Inc
|
|
3
3
|
* Contact: support@contrastsecurity.com
|
|
4
4
|
* License: Commercial
|
|
5
5
|
|
|
@@ -398,7 +398,7 @@ module.exports = function(core) {
|
|
|
398
398
|
};
|
|
399
399
|
|
|
400
400
|
inputAnalysis.handleVirtualPatches = function(sourceContext, requestInput) {
|
|
401
|
-
const ruleId =
|
|
401
|
+
const ruleId = Rule.VIRTUAL_PATCH;
|
|
402
402
|
|
|
403
403
|
if (!Object.keys(requestInput).filter(Boolean).length || !sourceContext?.virtualPatchesEvaluators.length) return;
|
|
404
404
|
|
|
@@ -440,7 +440,7 @@ module.exports = function(core) {
|
|
|
440
440
|
};
|
|
441
441
|
|
|
442
442
|
inputAnalysis.handleIpDenylist = function(sourceContext, ipDenylist) {
|
|
443
|
-
const ruleId =
|
|
443
|
+
const ruleId = Rule.IP_DENYLIST;
|
|
444
444
|
|
|
445
445
|
if (!sourceContext || !ipDenylist.length) return;
|
|
446
446
|
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
/*
|
|
2
|
-
* Copyright:
|
|
2
|
+
* Copyright: 2023 Contrast Security, Inc
|
|
3
3
|
* Contact: support@contrastsecurity.com
|
|
4
4
|
* License: Commercial
|
|
5
5
|
|
|
@@ -36,63 +36,80 @@ module.exports = (core) => {
|
|
|
36
36
|
* registers a depHook for express module instrumentation
|
|
37
37
|
*/
|
|
38
38
|
function install() {
|
|
39
|
-
depHooks.resolve(
|
|
40
|
-
name: '
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
39
|
+
depHooks.resolve(
|
|
40
|
+
{ name: 'express', version: '>=4.0.0 <5.0.0', file: 'lib/middleware/query.js' },
|
|
41
|
+
(query) => patcher.patch(query, {
|
|
42
|
+
name: 'express.query',
|
|
43
|
+
patchType,
|
|
44
|
+
post(data) {
|
|
45
|
+
data.result = patcher.patch(data.result, {
|
|
46
|
+
name: 'express.query',
|
|
47
|
+
patchType,
|
|
48
|
+
pre(data) {
|
|
49
|
+
const [req, , origNext] = data.args;
|
|
50
|
+
|
|
51
|
+
function contrastNext(origErr) {
|
|
52
|
+
const sourceContext = protect.getSourceContext('express.query');
|
|
53
|
+
let securityException;
|
|
54
|
+
|
|
55
|
+
// It is possible for the query to be already parsed by `qs`
|
|
56
|
+
// which means that we've already handled/analyzed it.
|
|
57
|
+
// So we check whether we already have the `parsedQuery` property in the context
|
|
58
|
+
if (sourceContext && req.query && Object.keys(req.query).length && (!('parsedQuery' in sourceContext))) {
|
|
59
|
+
sourceContext.parsedQuery = req.query;
|
|
60
|
+
|
|
61
|
+
try {
|
|
62
|
+
inputAnalysis.handleQueryParams(sourceContext, req.query);
|
|
63
|
+
} catch (err) {
|
|
64
|
+
if (isSecurityException(err)) {
|
|
65
|
+
securityException = err;
|
|
66
|
+
} else {
|
|
67
|
+
logger.error({ err }, 'Unexpected error during input analysis');
|
|
68
|
+
}
|
|
66
69
|
}
|
|
67
70
|
}
|
|
71
|
+
|
|
72
|
+
const error = securityException || origErr;
|
|
73
|
+
|
|
74
|
+
origNext(error);
|
|
68
75
|
}
|
|
69
76
|
|
|
70
|
-
|
|
77
|
+
data.args[2] = contrastNext;
|
|
78
|
+
}
|
|
79
|
+
});
|
|
80
|
+
}
|
|
81
|
+
}));
|
|
82
|
+
|
|
83
|
+
depHooks.resolve(
|
|
84
|
+
{ name: 'express', version: '>=4.0.0 <5.0.0', file: 'lib/router/layer.js' },
|
|
85
|
+
(Layer) => {
|
|
86
|
+
const name = 'express.Layer.prototype.match';
|
|
87
|
+
patcher.patch(Layer.prototype, 'match', {
|
|
88
|
+
name,
|
|
89
|
+
patchType,
|
|
90
|
+
post(data) {
|
|
91
|
+
const layer = data.obj;
|
|
71
92
|
|
|
72
|
-
|
|
93
|
+
// we can exit early if
|
|
94
|
+
// the layer doesn't match the request or
|
|
95
|
+
// the layer doesn't recognize any parameters
|
|
96
|
+
if (!data.result || !layer.keys || layer.keys.length === 0) {
|
|
97
|
+
return;
|
|
73
98
|
}
|
|
74
99
|
|
|
75
|
-
|
|
76
|
-
}
|
|
77
|
-
});
|
|
78
|
-
}
|
|
79
|
-
}));
|
|
100
|
+
const sourceContext = protect.getSourceContext(name);
|
|
80
101
|
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
patchType,
|
|
85
|
-
pre(data) {
|
|
86
|
-
const { obj: { params } } = data;
|
|
87
|
-
const sourceContext = protect.getSourceContext('Express.Layer.handle_request');
|
|
102
|
+
if (!sourceContext) {
|
|
103
|
+
return;
|
|
104
|
+
}
|
|
88
105
|
|
|
89
|
-
|
|
90
|
-
sourceContext.
|
|
91
|
-
inputAnalysis.handleUrlParams(sourceContext, params);
|
|
106
|
+
sourceContext.parsedParams = layer.params;
|
|
107
|
+
inputAnalysis.handleUrlParams(sourceContext, layer.params);
|
|
92
108
|
}
|
|
93
|
-
}
|
|
109
|
+
});
|
|
110
|
+
|
|
111
|
+
return Layer;
|
|
94
112
|
});
|
|
95
|
-
});
|
|
96
113
|
}
|
|
97
114
|
|
|
98
115
|
const express4Instrumentation = inputAnalysis.express4Instrumentation = {
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
/*
|
|
2
|
-
* Copyright:
|
|
2
|
+
* Copyright: 2023 Contrast Security, Inc
|
|
3
3
|
* Contact: support@contrastsecurity.com
|
|
4
4
|
* License: Commercial
|
|
5
5
|
|
|
@@ -22,7 +22,8 @@ const {
|
|
|
22
22
|
isString,
|
|
23
23
|
traverseKeys,
|
|
24
24
|
traverseKeysAndValues,
|
|
25
|
-
agentLibIDListTypes
|
|
25
|
+
agentLibIDListTypes,
|
|
26
|
+
Rule: { SQL_INJECTION, PATH_TRAVERSAL, CMD_INJECTION, NOSQL_INJECTION_MONGO, SSJS_INJECTION, REFLECTED_XSS }
|
|
26
27
|
} = require('@contrast/common');
|
|
27
28
|
|
|
28
29
|
module.exports = function(core) {
|
|
@@ -51,7 +52,7 @@ module.exports = function(core) {
|
|
|
51
52
|
}
|
|
52
53
|
|
|
53
54
|
inputTracing.handlePathTraversal = function(sourceContext, sinkContext) {
|
|
54
|
-
const ruleId =
|
|
55
|
+
const ruleId = PATH_TRAVERSAL;
|
|
55
56
|
const results = getResultsByRuleId(ruleId, sourceContext);
|
|
56
57
|
|
|
57
58
|
if (!results) return;
|
|
@@ -67,7 +68,7 @@ module.exports = function(core) {
|
|
|
67
68
|
};
|
|
68
69
|
|
|
69
70
|
inputTracing.handleCommandInjection = function(sourceContext, sinkContext) {
|
|
70
|
-
const ruleId =
|
|
71
|
+
const ruleId = CMD_INJECTION;
|
|
71
72
|
const results = getResultsByRuleId(ruleId, sourceContext);
|
|
72
73
|
|
|
73
74
|
if (!results) return;
|
|
@@ -93,7 +94,7 @@ module.exports = function(core) {
|
|
|
93
94
|
};
|
|
94
95
|
|
|
95
96
|
inputTracing.handleSqlInjection = function(sourceContext, sinkContext) {
|
|
96
|
-
const ruleId =
|
|
97
|
+
const ruleId = SQL_INJECTION;
|
|
97
98
|
const results = getResultsByRuleId(ruleId, sourceContext);
|
|
98
99
|
|
|
99
100
|
if (!results) return;
|
|
@@ -129,7 +130,7 @@ module.exports = function(core) {
|
|
|
129
130
|
};
|
|
130
131
|
|
|
131
132
|
inputTracing.nosqlInjectionMongo = function (sourceContext, sinkContext) {
|
|
132
|
-
const ruleId =
|
|
133
|
+
const ruleId = NOSQL_INJECTION_MONGO;
|
|
133
134
|
const nosqlInjectionMongoResults =
|
|
134
135
|
getResultsByRuleId(ruleId, sourceContext) || [];
|
|
135
136
|
const ssjsInjectionResults =
|
|
@@ -238,7 +239,7 @@ module.exports = function(core) {
|
|
|
238
239
|
};
|
|
239
240
|
|
|
240
241
|
inputTracing.ssjsInjection = function(sourceContext, sinkContext) {
|
|
241
|
-
const ruleId =
|
|
242
|
+
const ruleId = SSJS_INJECTION;
|
|
242
243
|
let sinkValuesArr = [];
|
|
243
244
|
|
|
244
245
|
const results = getResultsByRuleId(ruleId, sourceContext);
|
|
@@ -289,7 +290,7 @@ module.exports = function(core) {
|
|
|
289
290
|
};
|
|
290
291
|
|
|
291
292
|
inputTracing.handleReflectedXss = function(sourceContext, sinkContext) {
|
|
292
|
-
const ruleId =
|
|
293
|
+
const ruleId = REFLECTED_XSS;
|
|
293
294
|
const results = getResultsByRuleId(ruleId, sourceContext);
|
|
294
295
|
|
|
295
296
|
if (!results) return;
|
package/lib/policy.js
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
/*
|
|
2
|
-
* Copyright:
|
|
2
|
+
* Copyright: 2023 Contrast Security, Inc
|
|
3
3
|
* Contact: support@contrastsecurity.com
|
|
4
4
|
* License: Commercial
|
|
5
5
|
|
|
@@ -27,7 +27,7 @@ const {
|
|
|
27
27
|
Event: { SERVER_SETTINGS_UPDATE },
|
|
28
28
|
} = require('@contrast/common');
|
|
29
29
|
|
|
30
|
-
module.exports = function(core) {
|
|
30
|
+
module.exports = function (core) {
|
|
31
31
|
const {
|
|
32
32
|
config,
|
|
33
33
|
logger,
|
|
@@ -95,7 +95,7 @@ module.exports = function(core) {
|
|
|
95
95
|
}
|
|
96
96
|
|
|
97
97
|
function getModeFromConfig(ruleId) {
|
|
98
|
-
if (config.protect.disabled_rules.includes(ruleId)) {
|
|
98
|
+
if (config.protect.rules.disabled_rules.includes(ruleId)) {
|
|
99
99
|
return OFF;
|
|
100
100
|
}
|
|
101
101
|
if (ruleId === 'nosql-injection-mongo') {
|
|
@@ -262,7 +262,7 @@ module.exports = function(core) {
|
|
|
262
262
|
|
|
263
263
|
if (
|
|
264
264
|
bbEnabled != null &&
|
|
265
|
-
!config.protect.disabled_rules.includes(BOT_BLOCKER) &&
|
|
265
|
+
!config.protect.rules.disabled_rules.includes(BOT_BLOCKER) &&
|
|
266
266
|
!config.protect.rules?.[BOT_BLOCKER]?.mode
|
|
267
267
|
) {
|
|
268
268
|
policy[BOT_BLOCKER] = bbEnabled ? BLOCK_AT_PERIMETER : OFF;
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@contrast/protect",
|
|
3
|
-
"version": "1.
|
|
3
|
+
"version": "1.23.0",
|
|
4
4
|
"description": "Contrast service providing framework-agnostic Protect support",
|
|
5
5
|
"license": "SEE LICENSE IN LICENSE",
|
|
6
6
|
"author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
|
|
@@ -18,9 +18,9 @@
|
|
|
18
18
|
},
|
|
19
19
|
"dependencies": {
|
|
20
20
|
"@contrast/agent-lib": "^7.0.1",
|
|
21
|
-
"@contrast/common": "1.
|
|
22
|
-
"@contrast/core": "1.
|
|
23
|
-
"@contrast/esm-hooks": "1.
|
|
21
|
+
"@contrast/common": "1.14.0",
|
|
22
|
+
"@contrast/core": "1.21.0",
|
|
23
|
+
"@contrast/esm-hooks": "1.17.0",
|
|
24
24
|
"@contrast/scopes": "1.4.0",
|
|
25
25
|
"ipaddr.js": "^2.0.1",
|
|
26
26
|
"semver": "^7.3.7"
|