@contrast/protect 1.28.1 → 1.29.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/lib/esm-loader.mjs
CHANGED
|
@@ -34,7 +34,7 @@ const require = createRequire(import.meta.url);
|
|
|
34
34
|
const { name: agentName, version: agentVersion } = require('../package.json');
|
|
35
35
|
const core = { agentName, agentVersion };
|
|
36
36
|
try {
|
|
37
|
-
require('@contrast/core/lib/
|
|
37
|
+
require('@contrast/core/lib/messages')(core);
|
|
38
38
|
require('@contrast/config')(core);
|
|
39
39
|
require('@contrast/logger').default(core);
|
|
40
40
|
|
|
@@ -93,7 +93,7 @@ module.exports = (core) => {
|
|
|
93
93
|
// we can exit early if
|
|
94
94
|
// the layer doesn't match the request or
|
|
95
95
|
// the layer doesn't recognize any parameters
|
|
96
|
-
if (!data.result || !layer.keys || layer.keys.length === 0 || layer.route
|
|
96
|
+
if (!data.result || !layer.keys || layer.keys.length === 0 || layer.route?.path === '*') {
|
|
97
97
|
return;
|
|
98
98
|
}
|
|
99
99
|
|
|
@@ -220,6 +220,11 @@ module.exports = function(core) {
|
|
|
220
220
|
if (stringFindings) {
|
|
221
221
|
const nosqlInjectionResult = { ...result, ruleId, mappedId: ruleId };
|
|
222
222
|
|
|
223
|
+
// don't modify ssjs-injection result items so use new exploit metadata array here
|
|
224
|
+
if (nosqlInjectionResult.idsList?.some?.((id) => id.startsWith('SSJS'))) {
|
|
225
|
+
nosqlInjectionResult.exploitMetadata = [];
|
|
226
|
+
}
|
|
227
|
+
|
|
223
228
|
const nosqlInjectionResults = sourceContext.resultsMap[ruleId];
|
|
224
229
|
const isAlreadyPresentInNosqlresults = result.idsList &&
|
|
225
230
|
result.idsList.some(
|
|
@@ -18,7 +18,21 @@
|
|
|
18
18
|
const { isString, isNonEmptyObject } = require('@contrast/common');
|
|
19
19
|
const { patchType } = require('../constants');
|
|
20
20
|
|
|
21
|
-
|
|
21
|
+
const VM_METHODS = [
|
|
22
|
+
['Script', 1],
|
|
23
|
+
['createContext', 1],
|
|
24
|
+
['compileFunction', 1],
|
|
25
|
+
['runInContext', 2],
|
|
26
|
+
['runInNewContext', 2],
|
|
27
|
+
['runInThisContext', 1],
|
|
28
|
+
];
|
|
29
|
+
|
|
30
|
+
const SCRIPT_METHODS = [
|
|
31
|
+
'runInContext',
|
|
32
|
+
'runInNewContext'
|
|
33
|
+
];
|
|
34
|
+
|
|
35
|
+
module.exports = function (core) {
|
|
22
36
|
const {
|
|
23
37
|
scopes: { instrumentation },
|
|
24
38
|
patcher,
|
|
@@ -27,15 +41,15 @@ module.exports = function(core) {
|
|
|
27
41
|
protect: { inputTracing }
|
|
28
42
|
} = core;
|
|
29
43
|
|
|
30
|
-
|
|
44
|
+
const createPre = (arity) => ({ args, hooked, orig, name }) => {
|
|
31
45
|
if (instrumentation.isLocked()) return;
|
|
32
46
|
|
|
33
47
|
const sourceContext = protect.getSourceContext(name);
|
|
34
48
|
if (!sourceContext) return;
|
|
35
49
|
|
|
36
|
-
for (let i = 0; i <
|
|
50
|
+
for (let i = 0; i < arity; i++) {
|
|
37
51
|
const arg = args[i];
|
|
38
|
-
if (!
|
|
52
|
+
if (!arg || !(isString(arg) || isNonEmptyObject(arg))) continue;
|
|
39
53
|
|
|
40
54
|
const sinkContext = {
|
|
41
55
|
name,
|
|
@@ -44,37 +58,29 @@ module.exports = function(core) {
|
|
|
44
58
|
};
|
|
45
59
|
inputTracing.ssjsInjection(sourceContext, sinkContext);
|
|
46
60
|
}
|
|
47
|
-
}
|
|
61
|
+
};
|
|
48
62
|
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
'createScript',
|
|
54
|
-
'runInContext',
|
|
55
|
-
'runInThisContext',
|
|
56
|
-
'createContext',
|
|
57
|
-
'runInNewContext'
|
|
58
|
-
].forEach(
|
|
59
|
-
(method) => {
|
|
60
|
-
const name = `vm.${method}`;
|
|
63
|
+
const vmInstrumentation = inputTracing.vmInstrumentation = {
|
|
64
|
+
install() {
|
|
65
|
+
depHooks.resolve({ name: 'vm' }, (vm) => {
|
|
66
|
+
VM_METHODS.forEach(([method, arity]) => {
|
|
61
67
|
patcher.patch(vm, method, {
|
|
62
|
-
name
|
|
68
|
+
name: `vm.${method}`,
|
|
63
69
|
patchType,
|
|
64
|
-
pre
|
|
70
|
+
pre: createPre(arity)
|
|
65
71
|
});
|
|
66
|
-
}
|
|
67
|
-
);
|
|
72
|
+
});
|
|
68
73
|
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
74
|
+
SCRIPT_METHODS.forEach((method) => {
|
|
75
|
+
patcher.patch(vm.Script.prototype, method, {
|
|
76
|
+
name: `vm.Script.prototype.${method}`,
|
|
77
|
+
patchType,
|
|
78
|
+
pre: createPre(1)
|
|
79
|
+
});
|
|
80
|
+
});
|
|
73
81
|
});
|
|
74
|
-
}
|
|
75
|
-
}
|
|
76
|
-
|
|
77
|
-
const vmInstrumentation = inputTracing.vmInstrumentation = { install };
|
|
82
|
+
}
|
|
83
|
+
};
|
|
78
84
|
|
|
79
85
|
return vmInstrumentation;
|
|
80
86
|
};
|
package/lib/policy.js
CHANGED
|
@@ -39,7 +39,7 @@ const {
|
|
|
39
39
|
UNTRUSTED_DESERIALIZATION,
|
|
40
40
|
XXE,
|
|
41
41
|
},
|
|
42
|
-
Event
|
|
42
|
+
Event,
|
|
43
43
|
toLowerCase,
|
|
44
44
|
split,
|
|
45
45
|
join
|
|
@@ -345,7 +345,7 @@ module.exports = function (core) {
|
|
|
345
345
|
}
|
|
346
346
|
}
|
|
347
347
|
|
|
348
|
-
messages.on(SERVER_SETTINGS_UPDATE, (msg) => {
|
|
348
|
+
messages.on(Event.SERVER_SETTINGS_UPDATE, (msg) => {
|
|
349
349
|
if (!config.getEffectiveValue('protect.enable')) return;
|
|
350
350
|
|
|
351
351
|
updateExclusions(msg);
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@contrast/protect",
|
|
3
|
-
"version": "1.
|
|
3
|
+
"version": "1.29.0",
|
|
4
4
|
"description": "Contrast service providing framework-agnostic Protect support",
|
|
5
5
|
"license": "SEE LICENSE IN LICENSE",
|
|
6
6
|
"author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
|
|
@@ -18,9 +18,9 @@
|
|
|
18
18
|
},
|
|
19
19
|
"dependencies": {
|
|
20
20
|
"@contrast/agent-lib": "^7.0.1",
|
|
21
|
-
"@contrast/common": "1.
|
|
22
|
-
"@contrast/core": "1.
|
|
23
|
-
"@contrast/esm-hooks": "1.
|
|
21
|
+
"@contrast/common": "1.16.0",
|
|
22
|
+
"@contrast/core": "1.27.0",
|
|
23
|
+
"@contrast/esm-hooks": "1.23.0",
|
|
24
24
|
"@contrast/scopes": "1.4.0",
|
|
25
25
|
"ipaddr.js": "^2.0.1",
|
|
26
26
|
"semver": "^7.3.7"
|