@contrast/protect 1.3.0 → 1.4.0

package/lib/input-analysis/install/body-parser1.js

@@ -21,29 +21,25 @@ module.exports = (core) => {
   const {
     depHooks,
     logger,
-    scopes: { sources },
+    protect,
     protect: { inputAnalysis },
   } = core;
 
   function contrastNext(req, origNext, fnName) {
     return function next(origErr) {
-      const sourceContext = sources.getStore()?.protect;
+      const sourceContext = protect.getSourceContext(fnName);
       let securityException;
 
-      if (!sourceContext) {
-        logger.debug(`source context not available in \`body-parser\`'s \`${fnName}\` hook`);
-      } else {
-        if (req.body && Object.keys(req.body).length) {
-          sourceContext.parsedBody = req.body;
-
-          try {
-            inputAnalysis.handleParsedBody(sourceContext, req.body);
-          } catch (err) {
-            if (isSecurityException(err)) {
-              securityException = err;
-            } else {
-              logger.error({ err }, 'Unexpected error during input analysis');
-            }
+      if (sourceContext && req.body && Object.keys(req.body).length) {
+        sourceContext.parsedBody = req.body;
+
+        try {
+          inputAnalysis.handleParsedBody(sourceContext, req.body);
+        } catch (err) {
+          if (isSecurityException(err)) {
+            securityException = err;
+          } else {
+            logger.error({ err }, 'Unexpected error during input analysis');
           }
         }
       }
@@ -96,11 +92,7 @@ module.exports = (core) => {
         function contrastHooked(...args) {
           const parser = fn.original(...args);
           const hookedParser = function (req, res, next) {
-            if (!req.body) {
-              parser(req, res, next);
-            } else {
-              parser(req, res, contrastNext(req, next, fnName));
-            }
+            parser(req, res, contrastNext(req, next, fnName));
           };
 
           Object.defineProperty(hookedParser, 'name', {

package/lib/input-analysis/install/cookie-parser1.js

@@ -23,7 +23,7 @@ module.exports = (core) => {
     depHooks,
     patcher,
     logger,
-    scopes: { sources },
+    protect,
     protect: { inputAnalysis },
   } = core;
 
@@ -40,23 +40,21 @@ module.exports = (core) => {
             const [req, , origNext] = data.args;
 
             function contrastNext(origErr) {
-              const sourceContext = sources.getStore()?.protect;
+              const sourceContext = protect.getSourceContext('cookie-parser');
+
               let securityException;
 
-              if (!sourceContext) {
-                logger.debug('source context not available in `cookie-parser` hook');
-              } else {
-                if ((req.cookies && Object.keys(req.cookies).length) || (req.signedCookies && Object.keys(req.signedCookies).length)) {
-                  sourceContext.parsedCookies = { ...req.cookies, ...req.signedCookies };
+              if (sourceContext
+                && ((req.cookies && Object.keys(req.cookies).length) || (req.signedCookies && Object.keys(req.signedCookies).length))) {
+                sourceContext.parsedCookies = { ...req.cookies, ...req.signedCookies };
 
-                  try {
-                    inputAnalysis.handleCookies(sourceContext, sourceContext.parsedCookies);
-                  } catch (err) {
-                    if (isSecurityException(err)) {
-                      securityException = err;
-                    } else {
-                      logger.error({ err }, 'Unexpected error during input analysis');
-                    }
+                try {
+                  inputAnalysis.handleCookies(sourceContext, sourceContext.parsedCookies);
+                } catch (err) {
+                  if (isSecurityException(err)) {
+                    securityException = err;
+                  } else {
+                    logger.error({ err }, 'Unexpected error during input analysis');
                   }
                 }
               }

package/lib/input-analysis/install/express4.js

@@ -28,7 +28,7 @@ module.exports = (core) => {
     depHooks,
     patcher,
     logger,
-    scopes: { sources },
+    protect,
     protect: { inputAnalysis },
   } = core;
 
@@ -47,16 +47,13 @@ module.exports = (core) => {
             const [req, , origNext] = data.args;
 
             function contrastNext(origErr) {
-              const sourceContext = sources.getStore()?.protect;
+              const sourceContext = protect.getSourceContext('Express.query');
               let securityException;
 
-              if (!sourceContext) {
-                logger.debug('source context not available in `Express.query` hook');
-
-                // It is possible for the query to be already parsed by `qs`
-                // which means that we've already handled/analyzed it.
-                // So we check whether we already have the `parsedQuery` property in the context
-              } else if (req.query && Object.keys(req.query).length && (!('parsedQuery' in sourceContext))) {
+              // It is possible for the query to be already parsed by `qs`
+              // which means that we've already handled/analyzed it.
+              // So we check whether we already have the `parsedQuery` property in the context
+              if (sourceContext && req.query && Object.keys(req.query).length && (!('parsedQuery' in sourceContext))) {
                 sourceContext.parsedQuery = req.query;
 
                 try {
@@ -87,11 +84,9 @@ module.exports = (core) => {
         patchType,
         pre(data) {
           const { obj: { params } } = data;
-          const sourceContext = sources.getStore()?.protect;
+          const sourceContext = protect.getSourceContext('Express.Layer.handle_request');
 
-          if (!sourceContext) {
-            logger.debug('source context not available in `express.Layer.prototype.handle_request` hook');
-          } else if (params && Object.keys(params).length) {
+          if (sourceContext && params && Object.keys(params).length) {
             sourceContext.parsedParams = params;
             inputAnalysis.handleUrlParams(sourceContext, params);
           }

package/lib/input-analysis/install/fastify3.js

@@ -28,7 +28,7 @@ module.exports = (core) => {
     depHooks,
     patcher,
     logger,
-    scopes: { sources },
+    protect,
     protect: { inputAnalysis },
   } = core;
 
@@ -62,12 +62,11 @@ module.exports = (core) => {
    * @param {Function}        done    callback to signal the hook is finished.
    */
   function preValidationHook(request, reply, done) {
-    const sourceContext = sources.getStore()?.protect;
+    const sourceContext = protect.getSourceContext('Fastify.preValidationHook');
+
     let securityException;
 
-    if (!sourceContext) {
-      logger.debug('source context not available in fastify prevalidation hook');
-    } else {
+    if (sourceContext) {
       try {
         if (request.params) {
           sourceContext.parsedParams = request.params;

package/lib/input-analysis/install/formidable1.js

@@ -22,7 +22,7 @@ module.exports = (core) => {
     depHooks,
     patcher,
     logger,
-    scopes: { sources },
+    protect,
     protect: { inputAnalysis },
   } = core;
 
@@ -36,12 +36,11 @@ module.exports = (core) => {
           const origCb = data.args[1];
 
           function hookedCb(...cbArgs) {
-            const sourceContext = sources.getStore()?.protect;
+            const sourceContext = protect.getSourceContext('formidable');
+
             const [, fields, files] = cbArgs;
 
-            if (!sourceContext) {
-              logger.debug('source context not available in `formidable` hook');
-            } else {
+            if (sourceContext) {
               if (fields) {
                 sourceContext.parsedBody = fields;
                 inputAnalysis.handleParsedBody(sourceContext, fields);

package/lib/input-analysis/install/http.js

@@ -33,7 +33,6 @@ class HttpInstrumentation {
     this.config = core.config;
     this.logger = logger.child({ name: 'contrast:protect:input-analysis' });
     this.depHooks = core.depHooks;
-    this.messages = core.messages;
     this.protect = core.protect;
     this.makeSourceContext = this.protect.makeSourceContext;
     this.maxBodySize = 16 * 1024 * 1024;
@@ -166,6 +165,7 @@ class HttpInstrumentation {
       const connectInputs = {
         headers: HttpInstrumentation.removeCookies(reqData.headers),
         uriPath: reqData.uriPath,
+        rawUrl: req.url,
         // TODO AGENT-203 - need to handle method-tampering rule.
         method: reqData.method,
       };
@@ -174,9 +174,18 @@ class HttpInstrumentation {
       if (reqData.standardUrlParsing) {
         connectInputs.queries = reqData.queries;
       }
+      if (inputAnalysis.virtualPatchesEvaluators?.length) {
+        store.protect.virtualPatchesEvaluators.push(...inputAnalysis.virtualPatchesEvaluators.map((e) => new Map(e)));
+      }
+      if (inputAnalysis.ipDenylist?.length) {
+        block = inputAnalysis.handleIpDenylist(store.protect, inputAnalysis.ipDenylist);
+      }
+      if (inputAnalysis.ipAllowlist?.length) {
+        const allowed = inputAnalysis.handleIpAllowlist(store.protect, inputAnalysis.ipAllowlist);
+        if (!block) Object.assign(store.protect, { allowed });
+      }
 
-      block = inputAnalysis.handleConnect(store.protect, connectInputs);
-
+      block = block || inputAnalysis.handleConnect(store.protect, connectInputs);
     } catch (err) {
       this.logger.error({ err }, 'Error during input analysis');
     }

package/lib/input-analysis/install/koa-body5.js

@@ -21,8 +21,7 @@ module.exports = (core) => {
   const {
     depHooks,
     patcher,
-    logger,
-    scopes: { sources },
+    protect,
     protect: { inputAnalysis },
   } = core;
 
@@ -39,15 +38,11 @@ module.exports = (core) => {
             const [ctx, origNext] = data.args;
 
             async function contrastNext(origErr) {
-              const sourceContext = sources.getStore()?.protect;
+              const sourceContext = protect.getSourceContext('koa-body');
 
-              if (!sourceContext) {
-                logger.debug('source context not available in `koa-body` hook');
-              } else {
-                if (ctx.request.body && Object.keys(ctx.request.body).length) {
-                  sourceContext.parsedBody = ctx.request.body;
-                  inputAnalysis.handleParsedBody(sourceContext, ctx.request.body);
-                }
+              if (sourceContext && ctx.request.body && Object.keys(ctx.request.body).length) {
+                sourceContext.parsedBody = ctx.request.body;
+                inputAnalysis.handleParsedBody(sourceContext, ctx.request.body);
               }
 
               await origNext(origErr);

package/lib/input-analysis/install/koa-bodyparser4.js

@@ -21,8 +21,7 @@ module.exports = (core) => {
   const {
     depHooks,
     patcher,
-    logger,
-    scopes: { sources },
+    protect,
     protect: { inputAnalysis },
   } = core;
 
@@ -39,15 +38,12 @@ module.exports = (core) => {
             const [ctx, origNext] = data.args;
 
             async function contrastNext(origErr) {
-              const sourceContext = sources.getStore()?.protect;
+              const sourceContext = protect.getSourceContext('koa-bodyparser');
 
-              if (!sourceContext) {
-                logger.debug('source context not available in `koa-bodyparser` hook');
-              } else {
-                if (ctx.request.body && Object.keys(ctx.request.body).length) {
-                  sourceContext.parsedBody = ctx.request.body;
-                  inputAnalysis.handleParsedBody(sourceContext, ctx.request.body);
-                }
+
+              if (sourceContext && ctx.request.body && Object.keys(ctx.request.body).length) {
+                sourceContext.parsedBody = ctx.request.body;
+                inputAnalysis.handleParsedBody(sourceContext, ctx.request.body);
               }
 
               await origNext(origErr);

package/lib/input-analysis/install/koa2.js

@@ -26,8 +26,7 @@ module.exports = (core) => {
   const {
     depHooks,
     patcher,
-    logger,
-    scopes: { sources },
+    protect,
     protect: { inputAnalysis },
   } = core;
 
@@ -38,11 +37,9 @@ module.exports = (core) => {
     depHooks.resolve({ name: 'koa', version: '>=2.3.0' }, (Koa) => {
       function contrastStartMiddleware(ctx, next) {
         if (ctx.query && Object.keys(ctx.query).length) {
-          const sourceContext = sources.getStore()?.protect;
+          const sourceContext = protect.getSourceContext('Koa startMiddleware');
 
-          if (!sourceContext) {
-            logger.debug('source context not available in `qs` hook');
-          } else if (!('parsedQuery' in sourceContext)) {
+          if (sourceContext && !('parsedQuery' in sourceContext)) {
             sourceContext.parsedQuery = ctx.query;
             inputAnalysis.handleQueryParams(sourceContext, ctx.query);
           }
@@ -76,15 +73,11 @@ module.exports = (core) => {
               name: `[${router}].layer.prototype`,
               patchType,
               post({ result }) {
-                const sourceContext = sources.getStore()?.protect;
-
-                if (!sourceContext) {
-                  logger.debug(`source context not available in \`[${router}].layer\` hook`);
-                } else {
-                  if (Object.keys(result).length) {
-                    sourceContext.parsedParams = result;
-                    inputAnalysis.handleUrlParams(sourceContext, result);
-                  }
+                const sourceContext = protect.getSourceContext(`[${router}].layer`);
+
+                if (sourceContext && Object.keys(result).length) {
+                  sourceContext.parsedParams = result;
+                  inputAnalysis.handleUrlParams(sourceContext, result);
                 }
               }
             });
@@ -107,15 +100,11 @@ module.exports = (core) => {
                 const [ctx, origNext] = data.args;
 
                 async function contrastNext(origErr) {
-                  const sourceContext = sources.getStore()?.protect;
-
-                  if (!sourceContext) {
-                    logger.debug('source context not available in `koa-cookie` hook');
-                  } else {
-                    if (ctx.cookie) {
-                      sourceContext.parsedCookies = ctx.cookie;
-                      inputAnalysis.handleCookies(sourceContext, ctx.cookie);
-                    }
+                  const sourceContext = protect.getSourceContext('koa-cookie');
+
+                  if (sourceContext && ctx.cookie) {
+                    sourceContext.parsedCookies = ctx.cookie;
+                    inputAnalysis.handleCookies(sourceContext, ctx.cookie);
                   }
 
                   await origNext(origErr);

package/lib/input-analysis/install/multer1.js

@@ -23,7 +23,8 @@ module.exports = (core) => {
     depHooks,
     patcher,
     logger,
-    scopes: { sources, wrap },
+    scopes: { wrap },
+    protect,
     protect: { inputAnalysis },
   } = core;
 
@@ -41,11 +42,9 @@ module.exports = (core) => {
 
             // We are getting the sourceContext here because in the time of calling
             // the contrastNext() method the context is lost
-            const sourceContext = sources.getStore()?.protect;
-            if (!sourceContext) {
-              logger.debug('source context not available in `multer` hook');
-              return;
-            }
+            const sourceContext = protect.getSourceContext('multer');
+
+            if (!sourceContext) return;
 
             function contrastNext(origErr) {
               let securityException;

package/lib/input-analysis/install/qs6.js

@@ -21,8 +21,7 @@ module.exports = (core) => {
   const {
     depHooks,
     patcher,
-    logger,
-    scopes: { sources },
+    protect,
     protect: { inputAnalysis },
   } = core;
 
@@ -34,16 +33,13 @@ module.exports = (core) => {
         patchType,
         post({ args, result }) {
           if (result && Object.keys(result).length) {
-            const sourceContext = sources.getStore()?.protect;
+            const sourceContext = protect.getSourceContext('qs');
 
-            if (!sourceContext) {
-              logger.debug('source context not available in `qs` hook');
-
-              // We need to run analysis for the `qs` result only when it's used as a query parser.
-              // `qs` is used also for parsing bodies, but these cases we handle individually with
-              // the respective library that's using it (e.g. `formidable`, `co-body`) because in
-              // some cases its use is optional and we cannot rely on it.
-            } else if (sourceContext.reqData?.queries === args[0]) {
+            // We need to run analysis for the `qs` result only when it's used as a query parser.
+            // `qs` is used also for parsing bodies, but these cases we handle individually with
+            // the respective library that's using it (e.g. `formidable`, `co-body`) because in
+            // some cases its use is optional and we cannot rely on it.
+            if (sourceContext && sourceContext.reqData?.queries === args[0]) {
               sourceContext.parsedQuery = result;
               inputAnalysis.handleQueryParams(sourceContext, result);
             }

package/lib/input-analysis/install/universal-cookie4.js

@@ -21,12 +21,10 @@ module.exports = (core) => {
   const {
     depHooks,
     patcher,
-    logger,
-    scopes: { sources },
+    protect,
     protect: { inputAnalysis },
   } = core;
 
-
   // Patch `universal-cookie` package
   function install() {
     depHooks.resolve({ name: 'universal-cookie', file: 'cjs/utils.js' }, (uCookieUtils) => patcher.patch(uCookieUtils, 'parseCookies', {
@@ -34,11 +32,9 @@ module.exports = (core) => {
       patchType,
       post({ result }) {
         if (result && Object.keys(result).length) {
-          const sourceContext = sources.getStore()?.protect;
+          const sourceContext = protect.getSourceContext('universal-cookie');
 
-          if (!sourceContext) {
-            logger.debug('source context not available in `universal-cookie` hook');
-          } else {
+          if (sourceContext) {
             sourceContext.parsedCookies = result;
             inputAnalysis.handleCookies(sourceContext, result);
           }

package/lib/input-analysis/ip-analysis.js

@@ -0,0 +1,76 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { Event } = require('@contrast/common');
+const address = require('ipaddr.js');
+
+module.exports = (core) => {
+  const {
+    messages,
+    protect: { inputAnalysis },
+  } = core;
+
+  const ipAllowlist = inputAnalysis.ipAllowlist = [];
+  const ipDenylist = inputAnalysis.ipDenylist = [];
+
+  messages.on(Event.SERVER_SETTINGS_UPDATE, (serverUpdate) => {
+    const now = new Date().getTime();
+    const updatedIpAllowList = serverUpdate.features?.defend?.ipAllowlist.map((ipEntry) => ipEntryMap(ipEntry, now));
+    const updatedIpDenyList = serverUpdate.features?.defend?.ipDenylist.map((ipEntry) => ipEntryMap(ipEntry, now));
+
+    if (updatedIpAllowList) {
+      ipAllowlist.length = 0;
+      ipAllowlist.push(...updatedIpAllowList);
+    }
+    if (updatedIpDenyList) {
+      ipDenylist.length = 0;
+      ipDenylist.push(...updatedIpDenyList);
+    }
+  });
+};
+
+function ipEntryMap(ipEntry, startTime) {
+  const { ip, expires } = ipEntry;
+  let doesExpire, expiresAt, cidr;
+
+  if (expires) {
+    doesExpire = true;
+    expiresAt = startTime + expires;
+  } else {
+    doesExpire = false;
+  }
+
+  const slashIdx = ip.indexOf('/');
+  const isCIDR = slashIdx >= 0;
+  const ipInstance = isCIDR
+    ? address.process(ip.substr(0, slashIdx))
+    : address.process(ip);
+
+  const normalizedValue = ipInstance.toNormalizedString();
+
+  if (isCIDR) {
+    cidr = { range: address.parseCIDR(ip), kind: ipInstance.kind() };
+  }
+
+  return {
+    ...ipEntry,
+    doesExpire,
+    expiresAt,
+    normalizedValue,
+    cidr
+  };
+}

package/lib/input-analysis/virtual-patches.js

@@ -0,0 +1,109 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { Event } = require('@contrast/common');
+
+module.exports = (core) => {
+  const {
+    messages,
+    protect: { inputAnalysis },
+  } = core;
+
+  const virtualPatchesEvaluators = inputAnalysis.virtualPatchesEvaluators = [];
+
+  messages.on(Event.SERVER_SETTINGS_UPDATE, (serverUpdate) => {
+    const virtualPatches = serverUpdate.settings?.defend.virtualPatches;
+    if (virtualPatches) {
+      buildVPEvaluators(virtualPatches, virtualPatchesEvaluators);
+    }
+  });
+};
+
+function buildVPEvaluators(virtualPatches, evaluatorsArray) {
+  evaluatorsArray.length = 0;
+  for (const { headers, parameters, urls, uuid, name } of virtualPatches) {
+    const evaluators = new Map();
+
+    if (headers?.length) {
+      evaluators.set('HEADERS', (reqHeaders) => {
+        let result;
+        for (const { evaluation, name, value } of headers) {
+          const evalCheck = buildEvaluationCheck(evaluation);
+          const keyIndex = reqHeaders.indexOf(name.toLowerCase());
+
+          result = keyIndex !== -1 && evalCheck(reqHeaders[keyIndex + 1], value);
+          if (!result) break;
+        }
+
+        return result;
+      });
+    }
+
+    if (parameters?.length) {
+      evaluators.set('PARAMETERS', (reqParameters) => {
+        let result;
+        for (const { evaluation, name, value } of parameters) {
+          const evalCheck = buildEvaluationCheck(evaluation);
+
+          result = evalCheck(reqParameters[name], value);
+          if (!result) break;
+        }
+
+        return result;
+      });
+    }
+
+    if (urls?.length) {
+      evaluators.set('URLS', (reqUrl) => {
+        let result;
+        for (const { evaluation, value } of urls) {
+          const evalCheck = buildEvaluationCheck(evaluation);
+
+          result = evalCheck(reqUrl, value);
+          if (!result) break;
+        }
+
+        return result;
+      });
+    }
+
+    if (evaluators.size) {
+      evaluators.set('metadata', { name, uuid });
+      evaluatorsArray.push(evaluators);
+    }
+  }
+}
+
+function buildEvaluationCheck(evaluation) {
+  switch (evaluation) {
+    case 'MATCHES':
+      return (reqValue, matchedValue) => new RegExp(matchedValue, 'i').test(reqValue);
+    case 'EQUALS':
+      return (reqValue, matchedValue) => reqValue.toString() === matchedValue.toString();
+    case 'CONTAINS':
+      return (reqValue, matchedValue) => reqValue.includes(matchedValue);
+    case 'DOESNT_MATCH':
+      return (reqValue, matchedValue) => !new RegExp(matchedValue, 'i').test(reqValue);
+      // This is a typo but it is how it's passed from ContrastUI
+    case 'DOESNT_EQUALS':
+      return (reqValue, matchedValue) => reqValue.toString() !== matchedValue.toString();
+    case 'DOESNT_CONTAIN':
+      return (reqValue, matchedValue) => !reqValue.includes(matchedValue);
+    default:
+      return () => false;
+  }
+}