@contrast/protect 1.3.0 → 1.4.0

package/lib/error-handlers/install/express4.js

@@ -24,7 +24,6 @@ module.exports = function(core) {
     logger,
     depHooks,
     patcher,
-    scopes: { sources },
     protect,
   } = core;
 
@@ -41,7 +40,7 @@ module.exports = function(core) {
             patchType,
             around(org, data) {
               const [err] = data.args;
-              const sourceContext = sources.getStore()?.protect;
+              const sourceContext = protect.getSourceContext('finalHandler');
               const isSecurityException = SecurityException.isSecurityException(err);
 
               if (isSecurityException && sourceContext) {
@@ -67,7 +66,7 @@ module.exports = function(core) {
         patchType,
         around(org, data) {
           const [err] = data.args;
-          const sourceContext = sources.getStore()?.protect;
+          const sourceContext = protect.getSourceContext('express.Layer.handle_error');
           const isSecurityException = SecurityException.isSecurityException(err);
 
           if (isSecurityException && sourceContext) {

package/lib/error-handlers/install/fastify3.js

@@ -20,10 +20,8 @@ const { patchType } = require('../constants');
 
 module.exports = function(core) {
   const {
-    logger,
     depHooks,
     patcher,
-    scopes: { sources },
     protect,
   } = core;
 
@@ -59,9 +57,9 @@ module.exports = function(core) {
     const normalHandler = fastify3ErrorHandler._userHandler || fastify3ErrorHandler.defaultErrorHandler;
 
     if (isSecurityException(err)) {
-      const sourceContext = sources.getStore()?.protect;
+      const sourceContext = protect.getSourceContext('fastify3.errorHandler');
+
       if (!sourceContext) {
-        logger.info('source context not found; unable to handle response');
         normalHandler.call(this, err, request, reply);
       } else {
         const blockInfo = sourceContext.findings.securityException;

package/lib/error-handlers/install/koa2.js

@@ -24,7 +24,6 @@ module.exports = function(core) {
     logger,
     depHooks,
     patcher,
-    scopes: { sources },
     protect,
   } = core;
 
@@ -42,7 +41,7 @@ module.exports = function(core) {
             patchType,
             around(org, data) {
               const [err] = data.args;
-              const sourceContext = sources.getStore()?.protect;
+              const sourceContext = protect.getSourceContext('Koa.Application.handleRequest');
               const isSecurityException = SecurityException.isSecurityException(err);
 
               if (isSecurityException && sourceContext) {

package/lib/{cli-rewriter.js → get-source-context.js}

@@ -1,5 +1,3 @@
-#!/usr/bin/env node
-
 /*
  * Copyright: 2022 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
@@ -17,19 +15,19 @@
 
 'use strict';
 
-const { cliRewriter } = require('@contrast/core')();
+module.exports = function(core) {
+  const { scopes: { sources }, logger } = core;
+
+  function getSourceContext(callPoint) {
+    const sourceContext = sources.getStore()?.protect;
 
-cliRewriter((deps) => {
-  if (deps.config.protect.enable) {
-    try {
-      const protect = require('./index')(deps);
-      protect.rewriting.install();
-    } catch (err) {
-      // TODO: something else
-      throw err;
+    if (!sourceContext) {
+      logger.debug(`source context not available in ${callPoint}`);
+      return null;
     }
-  } else {
-    deps.logger.error('Configuration Error: mode \'Protect\' is not enabled');
-    process.exit(1);
+
+    return sourceContext.allowed ? null : sourceContext;
   }
-});
+
+  core.protect.getSourceContext = getSourceContext;
+};

package/lib/hardening/constants.js

@@ -0,0 +1,20 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+module.exports = {
+  patchType: 'protect-hardening'
+};

package/lib/hardening/handlers.js

@@ -0,0 +1,65 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { BLOCKING_MODES, isString } = require('@contrast/common');
+
+const NODE_SERIALIZE_RCE_TOKEN = '_$$ND_FUNC$$_';
+
+module.exports = function(core) {
+  const {
+    protect: {
+      hardening,
+      throwSecurityException,
+    }
+  } = core;
+
+  function getResults(sourceContext, ruleId) {
+    let results = sourceContext.findings.hardeningResultsMap[ruleId];
+    if (!results) {
+      results = sourceContext.findings.hardeningResultsMap[ruleId] = [];
+    }
+    return results;
+  }
+
+  hardening.handleUntrustedDeserialization = function(sourceContext, sinkContext) {
+    const ruleId = 'untrusted-deserialization';
+    const { mode } = sourceContext.rules.agentRules[ruleId];
+    const { name, value } = sinkContext;
+
+    if (mode === 'off') return;
+
+    if (name === 'node-serialize.unserialize') {
+      if (!isString(value) || !value.indexOf(NODE_SERIALIZE_RCE_TOKEN)) return;
+
+      const blocked = BLOCKING_MODES.includes(mode);
+      const results = getResults(sourceContext, ruleId);
+
+      results.push({
+        blocked,
+        findings: { deserializer: name, command: false },
+        sinkContext,
+      });
+
+      if (blocked) {
+        sourceContext.findings.securityException = [mode, ruleId];
+        throwSecurityException(sourceContext);
+      }
+    }
+  };
+
+  return hardening;
+};

package/lib/hardening/index.js

@@ -0,0 +1,29 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+module.exports = function(core) {
+  const hardening = core.protect.hardening = {};
+
+  require('./handlers')(core);
+
+  require('./install/node-serialize0')(core);
+  hardening.install = function() {
+    hardening.nodeSerialize0Instrumentation.install();
+  };
+
+  return hardening;
+};

package/lib/hardening/install/node-serialize0.js

@@ -0,0 +1,59 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../constants');
+
+module.exports = function(core) {
+  const {
+    depHooks,
+    patcher,
+    captureStacktrace,
+    protect,
+    protect: {
+      hardening
+    }
+  } = core;
+
+  function install() {
+    const name = 'node-serialize';
+    const method = 'unserialize';
+
+    depHooks.resolve(
+      { name, version: '<1.0.0' },
+      (nodeSerialize) => {
+        patcher.patch(nodeSerialize, method, {
+          name,
+          patchType,
+          pre({ args: [value], hooked, orig }) {
+            const sourceContext = protect.getSourceContext(`${name}.${method}`);
+
+            if (!sourceContext || !value) return;
+
+            const sinkContext = captureStacktrace(
+              { name: `${name}.${method}`, value },
+              { constructorOpt: hooked, prependFrames: [orig] },
+            );
+            hardening.handleUntrustedDeserialization(sourceContext, sinkContext);
+          },
+        });
+      });
+  }
+
+  return hardening.nodeSerialize0Instrumentation = {
+    install
+  };
+};

package/lib/index.d.ts

@@ -18,10 +18,9 @@ import { Core } from '@contrast/core';
 import { Logger } from '@contrast/logger';
 import { Sources } from '@contrast/scopes';
 import RequireHook from '@contrast/require-hook';
-import { RulesConfig, Rule, Messages, Result } from '@contrast/common';
+import { RulesConfig, Messages, ReqData, ProtectMessage, Findings } from '@contrast/common';
 import { IncomingMessage, ServerResponse } from 'node:http';
 import { Config } from '@contrast/config';
-import { ProtectMessage } from '@contrast/common';
 import * as http from 'node:http';
 import * as https from 'node:https';
 
@@ -50,24 +49,6 @@ export class HttpInstrumentation {
   initiateRequestHandling(fnContext: { instance: any, method: any, args: any }): void; //TODO
   removeCookies(headers: string[]): string[];
 }
-export interface ReqData {
-  method: string;
-  headers: string[];
-  uriPath: string;
-  queries: string;
-  contentType?: string;
-  standardUrlParsing: boolean;
-  ip: string;
-  httpVersion: string,
-  headers2: { [key: string]: Array<string> };
-}
-
-export interface Findings {
-  trackRequest: boolean;
-  securityException?: [mode: string, ruleId: string];
-  bodyType?: 'json' | 'urlencoded';
-  resultsMap: Record<Rule, Result[]>
-}
 
 export interface ProtectRequestStore {
   reqData: ReqData;
@@ -140,7 +121,8 @@ export interface Protect {
     sequelizeInstrumentation: {
       getQueryFromArgs: ([value]: any[]) => string | undefined,
       install: () => void
-    }
+    },
+    httpInstrumentation: { install: () => void },
     install: () => void
   }
   errorHandlers: {

package/lib/index.js

@@ -33,8 +33,11 @@ module.exports = function(core) {
   require('./throw-security-exception')(core);
   require('./make-response-blocker')(core);
   require('./make-source-context')(core);
+  require('./get-source-context')(core);
   require('./input-analysis')(core);
   require('./input-tracing')(core);
+  require('./hardening')(core);
+  require('./semantic-analysis')(core);
   require('./error-handlers')(core);
 
   const pkj = require('../package.json');
@@ -43,6 +46,7 @@ module.exports = function(core) {
   protect.install = function() {
     protect.inputAnalysis.install();
     protect.inputTracing.install();
+    protect.hardening.install();
     protect.errorHandlers.install();
   };
 

package/lib/input-analysis/handlers.js

@@ -15,7 +15,8 @@
 
 'use strict';
 
-const { simpleTraverse } = require('../utils');
+const { BLOCKING_MODES, simpleTraverse } = require('@contrast/common');
+const address = require('ipaddr.js');
 
 //
 // these rules are not implemented by agent-lib, but are being considered for
@@ -110,8 +111,12 @@ module.exports = function(core) {
    * @returns {undefined|[String]} undefined to permit else [mode, rule] to block.
    */
   inputAnalysis.handleConnect = function handleConnect(sourceContext, connectInputs) {
+    if (!sourceContext || sourceContext.allowed) return;
+
     const { rules: { agentLibRules, agentLibRulesMask: mask } } = sourceContext;
 
+    inputAnalysis.handleVirtualPatches(sourceContext, { URLS: connectInputs.rawUrl, HEADERS: connectInputs.headers });
+
     // initialize findings to the basics
     let block = undefined;
     if (mask !== 0) {
@@ -130,12 +135,12 @@ module.exports = function(core) {
     throw new Error('nyi', sourceContext);
   };
 
-
   const jsonInputTypes = {
-    keyType: agentLib.InputType.JsonKey, valueType: agentLib.InputType.JsonValue
+    keyType: agentLib.InputType.JsonKey, inputType: agentLib.InputType.JsonValue
   };
+
   const parameterInputTypes = {
-    keyType: agentLib.InputType.ParameterKey, valueType: agentLib.InputType.ParameterValue
+    keyType: agentLib.InputType.ParameterKey, inputType: agentLib.InputType.ParameterValue
   };
 
   /**
@@ -155,10 +160,17 @@ module.exports = function(core) {
    * @param {Object} queryParams pojo {key: value, ...} for all query params/search params
    */
   inputAnalysis.handleQueryParams = function handleQueryParams(sourceContext, queryParams) {
+    if (sourceContext.analyzedQuery) return;
+    sourceContext.analyzedQuery = true;
+
     if (typeof queryParams !== 'object') {
       logger.debug({ queryParams }, 'handleQueryParams() called with non-object');
       return;
     }
+
+
+    inputAnalysis.handleVirtualPatches(sourceContext, { PARAMETERS: queryParams });
+
     const block = commonObjectAnalyzer(sourceContext, queryParams, parameterInputTypes);
 
     if (block) {
@@ -176,11 +188,16 @@ module.exports = function(core) {
    * @param {Object} urlParams pojo
    */
   inputAnalysis.handleUrlParams = function(sourceContext, urlParams) {
+    if (sourceContext.analyzedUrlParams) return;
+    sourceContext.analyzedUrlParams = true;
+
     if (typeof urlParams !== 'object') {
       logger.debug({ urlParams }, 'handleUrlParams() called with non-object');
       return;
     }
 
+    inputAnalysis.handleVirtualPatches(sourceContext, { PARAMETERS: urlParams });
+
     const { rules, rules: { agentLibRulesMask: mask } } = sourceContext;
     const resultsList = [];
     const { UrlParameter } = agentLib.InputType;
@@ -235,10 +252,16 @@ module.exports = function(core) {
    * @param {Object} cookies pojo
    */
   inputAnalysis.handleCookies = function(sourceContext, cookies) {
+    if (sourceContext.analyzedCookies) return;
+    sourceContext.analyzedCookies = true;
+
     const cookiesArr = Object.entries(cookies).reduce((acc, [key, value]) => {
       acc.push(key, value);
       return acc;
     }, []);
+
+    inputAnalysis.handleVirtualPatches(sourceContext, { HEADERS: cookies });
+
     const { rules, rules: { agentLibRulesMask: mask } } = sourceContext;
     const cookieFindings = agentLib.scoreRequestConnect(mask, { cookies: cookiesArr }, preferWW);
 
@@ -259,11 +282,16 @@ module.exports = function(core) {
    * @param {Object} parsedBody
    */
   inputAnalysis.handleParsedBody = function(sourceContext, parsedBody) {
+    if (sourceContext.analyzedBody) return;
+    sourceContext.analyzedBody = true;
+
     if (typeof parsedBody !== 'object') {
       logger.debug({ parsedBody }, 'handleParsedBody() called with non-object');
       return;
     }
 
+    inputAnalysis.handleVirtualPatches(sourceContext, { PARAMETERS: parsedBody });
+
     let bodyType;
     let inputTypes;
     if (sourceContext.reqData.contentType.includes('/json')) {
@@ -288,6 +316,70 @@ module.exports = function(core) {
     throw new Error('nyi', sourceContext, name);
   };
 
+  inputAnalysis.handleVirtualPatches = function(sourceContext, requestInput) {
+    const ruleId = 'virtual-patch';
+
+    if (!Object.keys(requestInput).filter(Boolean).length || !sourceContext?.virtualPatchesEvaluators.length) return;
+
+    for (const vpEvaluators of sourceContext.virtualPatchesEvaluators) {
+      for (const key in requestInput) {
+        const evaluator = vpEvaluators.get(key);
+
+        if (evaluator && requestInput[key] && evaluator(requestInput[key])) {
+          vpEvaluators.delete(key);
+          const { name, uuid } = vpEvaluators.get('metadata');
+
+          if (vpEvaluators.size === 1 && uuid) {
+            if (!sourceContext.findings.serverFeaturesResultsMap[ruleId]) {
+              sourceContext.findings.serverFeaturesResultsMap[ruleId] = [];
+            }
+            sourceContext.findings.serverFeaturesResultsMap[ruleId].push({
+              name,
+              uuid
+            });
+            sourceContext.findings.securityException = ['block', ruleId];
+            core.protect.throwSecurityException(sourceContext);
+          }
+        }
+      }
+    }
+  };
+
+  inputAnalysis.handleIpAllowlist = function(sourceContext, ipAllowlist) {
+    if (!sourceContext || !ipAllowlist.length) return;
+
+    const { ip: reqIp, headers: reqHeaders } = sourceContext.reqData;
+
+    const match = ipListAnalysis(reqIp, reqHeaders, ipAllowlist);
+
+    if (match) {
+      logger.info(match, 'Found a matching IP to an entry in ipAllow list');
+      return true;
+    }
+  };
+
+  inputAnalysis.handleIpDenylist = function(sourceContext, ipDenylist) {
+    const ruleId = 'ip-denylist';
+
+    if (!sourceContext || !ipDenylist.length) return;
+
+    const { ip: reqIp, headers: reqHeaders } = sourceContext.reqData;
+
+    const match = ipListAnalysis(reqIp, reqHeaders, ipDenylist);
+
+    if (match) {
+      logger.info(match, 'Found a matching IP to an entry in ipDeny list');
+      if (!sourceContext.findings.serverFeaturesResultsMap[ruleId]) {
+        sourceContext.findings.serverFeaturesResultsMap[ruleId] = [];
+      }
+
+      sourceContext.findings.serverFeaturesResultsMap[ruleId].push({
+        ip: match.matchedIp,
+        uuid: match.uuid,
+      });
+      return ['block', 'ip-denylist'];
+    }
+  };
 
   /**
    * commonObjectAnalyzer() walks an object supplied by the end-user and checks
@@ -307,7 +399,7 @@ module.exports = function(core) {
   function commonObjectAnalyzer(sourceContext, object, inputTypes) {
     const { rules, rules: { agentLibRulesMask: mask } } = sourceContext;
     // use inputTypes to set params...
-    const { keyType, valueType } = inputTypes;
+    const { keyType, inputType } = inputTypes;
     const inputTypeStr = inputTypes === jsonInputTypes ? 'Json' : 'Parameter';
     const { Where } = agentLib.MongoQueryType;
     const resultsList = [];
@@ -340,7 +432,7 @@ module.exports = function(core) {
           mongoQueryType = agentLib.getMongoQueryType(value);
         }
       } else {
-        itemType = valueType;
+        itemType = inputType;
       }
       let items = agentLib.scoreAtom(mask, value, itemType, preferWW);
       if (!items && !mongoQueryType) {
@@ -398,6 +490,50 @@ module.exports = function(core) {
 
     return mergeFindings(rules.agentLibRules, sourceContext.findings, findings);
   }
+
+  function ipListAnalysis(reqIp, reqHeaders, list) {
+    const forwardedIps = [];
+
+    for (let i = 0; i < reqHeaders.length; i++) {
+      if (reqHeaders[i] === 'x-forwarded-for') {
+        const ipsFromHeaders = reqHeaders[i + 1]?.split(/[,;]+/);
+        forwardedIps.push(...ipsFromHeaders);
+      }
+    }
+
+    const ipsToCheck = [reqIp, ...forwardedIps];
+    const now = new Date().getTime();
+
+    /* c8 ignore next 3 */
+    if (!ipsToCheck.length) {
+      return false;
+    }
+
+    for (const listEntry of list) {
+      const { doesExpire, expiresAt } = listEntry;
+      for (let i = 0; i < ipsToCheck.length; i++) {
+        const currentIp = ipsToCheck[i];
+
+        // Ignore bad IP values.
+        if (!address.isValid(currentIp)) {
+          logger.warn(`Unable to parse ${currentIp}.`);
+          continue;
+        }
+        const expired = doesExpire ? expiresAt - now <= 0 : false;
+
+        if (expired) {
+          logger.info(`IP expired: ${listEntry.name}, ${listEntry.ip}`);
+          continue;
+        }
+
+        const match = checkIpsMatch(listEntry, currentIp);
+
+        if (match) {
+          return match;
+        }
+      }
+    }
+  }
 };
 
 /**
@@ -455,13 +591,38 @@ function normalizeFindings(rules, findings) {
     // which the block can occur. so at a minimum 'block' should also result in a
     // block.
     const { mode } = rules[r.ruleId];
-    if (r.score >= 90 && ['block', 'block_at_perimeter'].includes(mode)) {
+    if (r.score >= 90 && BLOCKING_MODES.includes(mode)) {
       r.blocked = true;
       findings.securityException = [mode, r.ruleId];
     }
   }
 }
 
+
+function checkIpsMatch(listEntry, ip) {
+  const parsed = address.process(ip);
+
+  // Check if IP is in CIDR range,
+  if (listEntry.cidr) {
+    if (parsed.kind() !== listEntry.cidr.kind) {
+      return null;
+    }
+
+    if (parsed.match(listEntry.cidr.range)) {
+      return { ...listEntry, match: ip };
+    } else {
+      return null;
+    }
+  }
+
+  // or do a direct comparison
+  if (parsed.toNormalizedString() === listEntry.normalizedValue) {
+    return { ...listEntry, matchedIp: ip };
+  }
+
+  return null;
+}
+
 /**
  * getValueAtKey() is used to fetch the object (expected) associated
  * with the path of keys in obj. i say expected because this is only used
@@ -476,6 +637,7 @@ function normalizeFindings(rules, findings) {
  */
 function getValueAtKey(obj, path, key) {
   for (const p of path) {
+    /* c8 ignore next 6 */
     if (!(p in obj)) {
       return undefined;
     }

package/lib/input-analysis/index.js

@@ -39,6 +39,10 @@ module.exports = function(core) {
   require('./install/koa2')(core);
   require('./install/express4')(core);
 
+  // virtual patches
+  require('./virtual-patches')(core);
+  require('./ip-analysis')(core);
+
   inputAnalysis.install = function() {
     Object.values(inputAnalysis)
       .filter((property) => property.install)