@contrast/protect 1.24.0 → 1.25.0

package/lib/input-analysis/handlers.js

@@ -24,6 +24,9 @@ const {
   traverseKeysAndValues,
   traverseValues,
   InputType,
+  toLowerCase,
+  split,
+  join
 } = require('@contrast/common');
 
 //
@@ -591,12 +594,12 @@ module.exports = function(core) {
         const probe = Object.assign({}, resultByRuleId, result, {
           mappedId: result.ruleId,
         });
-        const key = [
+        const key = join([
           probe.ruleId,
           probe.inputType,
           ...probe.path,
           probe.value,
-        ].join('|');
+        ], '|');
         probes[key] = probe;
       });
 
@@ -721,7 +724,7 @@ module.exports = function(core) {
 
     for (let i = 0; i < reqHeaders.length; i++) {
       if (reqHeaders[i] === 'x-forwarded-for') {
-        const ipsFromHeaders = reqHeaders[i + 1]?.split(/[,;]+/);
+        const ipsFromHeaders = split(reqHeaders[i + 1], /[,;]+/);
         forwardedIps.push(...ipsFromHeaders);
       }
     }
@@ -793,7 +796,7 @@ function isResultExcluded(sourceContext, result) {
     }
     case 'HeaderKey':
     case 'HeaderValue': {
-      if (path?.[0]?.toLowerCase() === 'cookie') {
+      if (path[0] && toLowerCase(path[0]) === 'cookie') {
         inputExclusions = exclusions.cookie;
         checkCookiesInHeader = true;
       } else {

package/lib/input-analysis/ip-analysis.js

@@ -15,7 +15,7 @@
 
 'use strict';
 
-const { Event } = require('@contrast/common');
+const { Event, substr } = require('@contrast/common');
 const address = require('ipaddr.js');
 
 module.exports = (core) => {
@@ -57,7 +57,7 @@ function ipEntryMap(ipEntry, startTime) {
   const slashIdx = ip.indexOf('/');
   const isCIDR = slashIdx >= 0;
   const ipInstance = isCIDR
-    ? address.process(ip.substr(0, slashIdx))
+    ? address.process(substr(ip, 0, slashIdx))
     : address.process(ip);
 
   const normalizedValue = ipInstance.toNormalizedString();

package/lib/input-analysis/virtual-patches.js

@@ -15,7 +15,7 @@
 
 'use strict';
 
-const { Event } = require('@contrast/common');
+const { Event, toLowerCase } = require('@contrast/common');
 
 module.exports = (core) => {
   const {
@@ -47,7 +47,7 @@ function buildVPEvaluators(virtualPatches, evaluatorsArray) {
             acc.push(...entry);
             return acc;
           }, []);
-          const keyIndex = headersArray.indexOf(name.toLowerCase());
+          const keyIndex = headersArray.indexOf(toLowerCase(name));
 
           result = keyIndex !== -1 && evalCheck(headersArray[keyIndex + 1], value);
           if (!result) break;

package/lib/input-tracing/handlers/index.js

@@ -20,6 +20,7 @@ const {
   ProtectRuleMode: { OFF },
   BLOCKING_MODES,
   isString,
+  stringify,
   traverseKeys,
   traverseKeysAndValues,
   agentLibIDListTypes,
@@ -339,7 +340,7 @@ function handleObjectValue(result, object) {
       obj = obj[value];
       // does the found object in the query equal the saved object?
       if (util.isDeepStrictEqual(obj, result.mongoContext.inputToCheck)) {
-        const start = JSON.stringify(object).indexOf(value);
+        const start = stringify(object).indexOf(value);
         const end = start + value.length;
         const inputBoundaryIndex = 0;
         findings = { start, end, boundaryOverrunIndex: start, inputBoundaryIndex };

package/lib/make-response-blocker.js

@@ -15,6 +15,8 @@
 
 'use strict';
 
+const { toUpperCase } = require('@contrast/common');
+
 module.exports = function(core) {
   // i think this should be a weakset. we don't want to accumulate
   // blocked requests for the entire life of a program. the req
@@ -27,7 +29,7 @@ module.exports = function(core) {
       if (blocked.has(res)) return;
 
       blocked.add(res);
-      mode = mode.toUpperCase();
+      mode = toUpperCase(mode);
       const end = patcher.unwrap(res.end);
       const writeHead = patcher.unwrap(res.writeHead);
 

package/lib/make-source-context.js

@@ -15,6 +15,8 @@
 
 'use strict';
 
+const { toLowerCase, slice } = require('@contrast/common');
+
 module.exports = function(core) {
   const {
     protect: { getPolicy }
@@ -34,8 +36,8 @@ module.exports = function(core) {
     const ix = req.url.indexOf('?');
 
     if (ix >= 0) {
-      uriPath = req.url.slice(0, ix);
-      queries = req.url.slice(ix + 1);
+      uriPath = slice(req.url, 0, ix);
+      queries = slice(req.url, ix + 1);
     } else {
       uriPath = req.url;
       queries = '';
@@ -53,10 +55,10 @@ module.exports = function(core) {
     const headers = Array(req.rawHeaders.length);
 
     for (let i = 0; i < req.rawHeaders.length; i += 2) {
-      headers[i] = req.rawHeaders[i].toLowerCase();
+      headers[i] = toLowerCase(req.rawHeaders[i]);
       headers[i + 1] = req.rawHeaders[i + 1];
       if (headers[i] === 'content-type') {
-        contentType = headers[i + 1].toLowerCase();
+        contentType = toLowerCase(headers[i + 1]);
       }
     }
 

package/lib/policy.js

@@ -19,12 +19,30 @@ const {
   Rule,
   ProtectRuleMode: {
     BLOCK_AT_PERIMETER,
-    BLOCK,
-    MONITOR,
     OFF,
   },
-  Rule: { BOT_BLOCKER },
+  Rule: {
+    BOT_BLOCKER,
+    CMD_INJECTION,
+    CMD_INJECTION_COMMAND_BACKDOORS,
+    CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS,
+    CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS,
+    METHOD_TAMPERING,
+    NOSQL_INJECTION,
+    NOSQL_INJECTION_MONGO,
+    PATH_TRAVERSAL,
+    PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS,
+    REFLECTED_XSS,
+    SQL_INJECTION,
+    SSJS_INJECTION,
+    UNSAFE_FILE_UPLOAD,
+    UNTRUSTED_DESERIALIZATION,
+    XXE,
+  },
   Event: { SERVER_SETTINGS_UPDATE },
+  toLowerCase,
+  split,
+  join
 } = require('@contrast/common');
 
 module.exports = function (core) {
@@ -69,7 +87,7 @@ module.exports = function (core) {
       }
     }
     if (regExpNeeded) {
-      const rx = new RegExp(`^${urls.join('|')}$`);
+      const rx = new RegExp(`^${join(urls, '|')}$`);
 
       return (uriPath) => rx ? rx.test(uriPath) : false;
     }
@@ -104,20 +122,6 @@ module.exports = function (core) {
     return config.protect.rules?.[ruleId]?.mode;
   }
 
-  /**
-   * Coerces ContrastUI mode names to match from common-agent-configuration
-   * @param {} remoteSetting
-   * @returns {string}
-   */
-  function readModeFromSetting(remoteSetting) {
-    switch (remoteSetting.mode) {
-      case 'OFF': return OFF;
-      case 'MONITOR': return MONITOR;
-      case 'BLOCK': return BLOCK;
-      case 'BLOCK_AT_PERIMETER': return BLOCK_AT_PERIMETER;
-    }
-  }
-
   /**
    * Build out initial policy from configuration data
    */
@@ -128,26 +132,6 @@ module.exports = function (core) {
     updateRulesMask();
   }
 
-  /**
-   * When updates are given at runtime, we update our local rule policy while
-   * respecting rules of precedence.
-   * @param {[]} protectionRules
-   */
-  function updateFromProtectionRules(protectionRules) {
-    for (const ruleId in protectionRules) {
-      if (ruleId === 'nosql-injection' && !getModeFromConfig('nosql-injection-mongo')) {
-        policy['nosql-injection-mongo'] = readModeFromSetting(protectionRules[ruleId]);
-      }
-
-      if (getModeFromConfig(ruleId)) {
-        continue;
-      }
-
-      policy[ruleId] && (policy[ruleId] = readModeFromSetting(protectionRules[ruleId]));
-
-    }
-  }
-
   /**
    * Rebuild rules mask based on which agent-lib rules are enabled
    */
@@ -255,8 +239,29 @@ module.exports = function (core) {
 
     const protectionRules = remoteSettings?.protect?.rules;
     if (protectionRules) {
-      updateFromProtectionRules(protectionRules);
-      update = 'application-settings';
+      [
+        CMD_INJECTION,
+        CMD_INJECTION_COMMAND_BACKDOORS,
+        CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS,
+        CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS,
+        METHOD_TAMPERING,
+        NOSQL_INJECTION,
+        NOSQL_INJECTION_MONGO,
+        PATH_TRAVERSAL,
+        PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS,
+        REFLECTED_XSS,
+        SQL_INJECTION,
+        SSJS_INJECTION,
+        UNSAFE_FILE_UPLOAD,
+        UNTRUSTED_DESERIALIZATION,
+        XXE,
+      ].forEach((ruleId) => {
+        if (config.protect.rules.disabled_rules.includes(ruleId)) {
+          policy[ruleId] = OFF;
+        } else {
+          policy[ruleId] = config.getEffectiveValue(`protect.rules.${ruleId}.mode`);
+        }
+      });
 
       const bbEnabled = remoteSettings.protect.rules?.bot_blocker?.enable;
 
@@ -267,9 +272,7 @@ module.exports = function (core) {
       ) {
         policy[BOT_BLOCKER] = bbEnabled ? BLOCK_AT_PERIMETER : OFF;
       }
-    }
 
-    if (update) {
       updateRulesMask();
       protect.policy.exclusions = compiled;
       logger.info({ policy: protect.policy }, `protect policy updated from ${update}`);
@@ -289,7 +292,7 @@ module.exports = function (core) {
       exclusionDtm.type = exclusionDtm.type || 'URL';
 
       const { name, protect_rules, urls, type } = exclusionDtm;
-      const key = type.toLowerCase();
+      const key = toLowerCase(type);
 
       if (!compiled[key]) continue;
 
@@ -324,8 +327,8 @@ module.exports = function (core) {
         }
         if (key === 'cookie') {
           e.checkCookieInHeader = (cookieHeader) => {
-            for (const cookiePair of cookieHeader.split(';')) {
-              const cookieKey = cookiePair.split('=')[0];
+            for (const cookiePair of split(cookieHeader, ';')) {
+              const cookieKey = split(cookiePair, '=')[0];
               if (e.matchesInputName(cookieKey)) {
                 return true;
               }

package/lib/semantic-analysis/handlers.js

@@ -21,6 +21,7 @@ const {
   ProtectRuleMode: { OFF },
   InputType,
   traverseValues,
+  replace
 } = require('@contrast/common');
 
 const {
@@ -28,7 +29,7 @@ const {
 } = require('./utils/xml-analysis');
 
 const SINK_EXPLOIT_PATTERN_START = /(?:^|\\|\/)(?:sh|bash|zsh|ksh|tcsh|csh|fish|cmd)/;
-const stripWhiteSpace = (str) => str.replace(/\s/g, '');
+const stripWhiteSpace = (str) => replace(str, /\s/g, '');
 
 const getRuleResults = function(obj, prop) {
   return obj[prop] || (obj[prop] = []);

package/lib/semantic-analysis/utils/xml-analysis.js

@@ -14,6 +14,8 @@
  */
 'use strict';
 
+const { substr, toLowerCase } = require('@contrast/common');
+
 const PROTOCOLS = {
   FTP: 'FTP',
   HTTP: 'HTTP',
@@ -21,9 +23,9 @@ const PROTOCOLS = {
   TCP: 'TCP'
 };
 
-const FTP = `${PROTOCOLS.FTP.toLowerCase()}:`;
-const HTTP = `${PROTOCOLS.HTTP.toLowerCase()}:`;
-const HTTPS = `${PROTOCOLS.HTTPS.toLowerCase()}:`;
+const FTP = `${toLowerCase(PROTOCOLS.FTP)}:`;
+const HTTP = `${toLowerCase(PROTOCOLS.HTTP)}:`;
+const HTTPS = `${toLowerCase(PROTOCOLS.HTTPS)}:`;
 const DTD_EXTENSION = '.dtd';
 const FILE_START = 'file:';
 const GOPHER_START = 'gopher:';
@@ -99,7 +101,7 @@ module.exports.findExternalEntities = function(xml = '') {
 
   return {
     entities,
-    prolog: len && xml.substr(0, entities[len - 1].finish) || null
+    prolog: len && substr(xml, 0, entities[len - 1].finish) || null
   };
 };
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.24.0",
+  "version": "1.25.0",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -10,7 +10,7 @@
   "main": "lib/index.js",
   "types": "lib/index.d.ts",
   "engines": {
-    "npm": ">= 8.4.0",
+    "npm": ">=6.13.7 <7 || >= 8.3.1",
     "node": ">= 14.15.0"
   },
   "scripts": {
@@ -18,9 +18,9 @@
   },
   "dependencies": {
     "@contrast/agent-lib": "^7.0.1",
-    "@contrast/common": "1.14.0",
-    "@contrast/core": "1.22.0",
-    "@contrast/esm-hooks": "1.18.0",
+    "@contrast/common": "1.15.0",
+    "@contrast/core": "1.23.0",
+    "@contrast/esm-hooks": "1.19.0",
     "@contrast/scopes": "1.4.0",
     "ipaddr.js": "^2.0.1",
     "semver": "^7.3.7"
@@ -28,4 +28,4 @@
   "optionalDependencies": {
     "async-hook-domain": "^3.0.2"
   }
-}
+}