@contrast/protect 1.3.0 → 1.4.0

package/lib/input-tracing/handlers/index.js

@@ -16,30 +16,17 @@
 'use strict';
 
 const util = require('util');
-const { simpleTraverse } = require('../../utils');
+const { BLOCKING_MODES, isString, simpleTraverse } = require('@contrast/common');
 
 module.exports = function(core) {
   const { protect: { agentLib, inputTracing, throwSecurityException } } = core;
 
-  /**
-   * Util for pulling results from context for the particular rule id
-   * @param {string} ruleId rule id
-   * @param {object} context async storage data for protect
-   * @returns {AnalysisResult[]}
-   */
-  function getResultsByRuleId(ruleId, context) {
-    if (context.rules.agentLibRules[ruleId].mode === 'off') {
-      return;
-    }
-    return context.findings.resultsMap[ruleId];
-  }
-
   function handleFindings(sourceContext, sinkContext, ruleId, result, findings) {
     result.details.push({ sinkContext, findings });
 
     const { mode } = sourceContext.rules.agentLibRules[ruleId];
 
-    if (['block', 'block_at_perimeter'].includes(mode)) {
+    if (BLOCKING_MODES.includes(mode)) {
       result.blocked = true;
       const blockInfo = [mode, ruleId];
       sourceContext.findings.securityException = blockInfo;
@@ -153,13 +140,87 @@ module.exports = function(core) {
   };
 
   inputTracing.ssjsInjection = function(sourceContext, sinkContext) {
-    // 'ssjs-injection' NYI
-    return null;
+    const ruleId = 'ssjs-injection';
+    let sinkValuesArr = [];
+
+    const results = getResultsByRuleId(ruleId, sourceContext);
+
+    if (!results) return;
+
+    if (isString(sinkContext.value)) {
+      sinkValuesArr.push(sinkContext.value);
+    } else {
+      const strValues = Object.values(sinkContext.value).filter((v) => isString(v) && v.length);
+      sinkValuesArr = [...strValues];
+    }
+
+    for (const result of results) {
+      let findings = null;
+
+      for (const v of sinkValuesArr) {
+        if (findings) break;
+
+        const inputIndex = v.indexOf(result.value);
+
+        if (inputIndex === 0 && v === result.value) {
+          findings = {
+            startIndex: 0,
+            endIndex: result?.value.length - 1,
+            boundaryIndex: 0,
+            codeString: result.value
+          };
+        }
+
+        if (inputIndex > 0) {
+          const endIndex = inputIndex + result?.value.length;
+          findings = agentLib.checkSsjsInjectionSink(v, inputIndex, endIndex) && {
+            startIndex: inputIndex,
+            endIndex,
+            boundaryIndex: inputIndex,
+            codeString: result.value
+          };
+        }
+      }
+
+      if (findings) {
+        handleFindings(sourceContext, sinkContext, ruleId, result, findings);
+      }
+    }
   };
 
+  inputTracing.handleReflectedXss = function(sourceContext, sinkContext) {
+    const ruleId = 'reflected-xss';
+    const results = getResultsByRuleId(ruleId, sourceContext);
+
+    if (!results) return;
+
+    for (const result of results) {
+      const idx = sinkContext.value.indexOf(result.value);
+      const findings = idx !== -1 ? { value: sinkContext.value } : null;
+
+      if (findings) {
+        result.details.push({ sinkContext, findings });
+      }
+    }
+  };
+
+
   return inputTracing;
 };
 
+/**
+ * Util for pulling results from context for the particular rule id
+ * @param {string} ruleId rule id
+ * @param {object} context async storage data for protect
+ * @returns {AnalysisResult[]}
+ */
+function getResultsByRuleId(ruleId, context) {
+  if (context.rules.agentLibRules[ruleId].mode === 'off') {
+    return;
+  }
+  return context.findings.resultsMap[ruleId];
+}
+
 function handleObjectValue(result, object) {
   if (typeof object !== 'object') {
     return null;
@@ -179,7 +240,10 @@ function handleObjectValue(result, object) {
       obj = obj[value];
       // does the found object in the query equal the saved object?
       if (util.isDeepStrictEqual(obj, result.mongoContext.inputToCheck)) {
-        findings = { key: value };
+        const start = JSON.stringify(object).indexOf(value);
+        const end = start + value.length;
+        const inputBoundaryIndex = 0;
+        findings = { start, end, boundaryOverrunIndex: start, inputBoundaryIndex };
       }
     }
   });
@@ -201,10 +265,10 @@ function handleStringValue(result, string) {
 
   if (inputIndex === 0 && string === result.value) {
     findings = {
-      startIndex: 0,
-      endIndex: result.value.length - 1,
-      overrunIndex: 0,
-      boundaryIndex: 0,
+      start: 0,
+      end: result.value.length - 1,
+      boundaryOverrunIndex: 0,
+      inputBoundaryIndex: 0,
     };
   }
 

package/lib/input-tracing/index.js

@@ -30,18 +30,24 @@ module.exports = function(core) {
   require('./handlers')(core);
 
   // load the instrumentation installers
-  require('./install/fs')(core);
   require('./install/child-process')(core);
+  require('./install/fs')(core);
+  require('./install/mongodb')(core);
   require('./install/mysql')(core);
   require('./install/postgres')(core);
-  require('./install/mongodb')(core);
+  require('./install/sequelize')(core);
+  require('./install/sqlite3')(core);
+  require('./install/http')(core);
 
   inputTracing.install = function() {
-    inputTracing.fsInstrumentation.install();
     inputTracing.cpInstrumentation.install();
+    inputTracing.fsInstrumentation.install();
+    inputTracing.mongodbInstrumentation.install();
     inputTracing.mysqlInstrumentation.install();
     inputTracing.postgresInstrumentation.install();
-    inputTracing.mongodbInstrumentation.install();
+    inputTracing.sequelizeInstrumentation.install();
+    inputTracing.sqlite3Instrumentation.install();
+    inputTracing.httpInstrumentation.install();
     // TODO: NODE-2360 (2260?)
   };
 

package/lib/input-tracing/install/child-process.js

@@ -20,10 +20,11 @@ const { patchType } = require('../constants');
 
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
+    scopes: { instrumentation },
     patcher,
     depHooks,
     captureStacktrace,
+    protect,
     protect: { inputTracing }
   } = core;
 
@@ -34,20 +35,25 @@ module.exports = function(core) {
         patcher.patch(cp, method, {
           name,
           patchType,
-          pre(data) {
+          pre({ args, hooked, orig }) {
             if (instrumentation.isLocked()) return;
 
-            const sourceContext = sources.getStore()?.protect;
-            if (!sourceContext) return;
+            const sourceContext = protect.getSourceContext('child_process');
+            const value = args[0];
 
-            const value = data.args[0];
-            if (!value || !isString(value)) return;
+            if (!sourceContext || !value || !isString(value)) return;
 
             const sinkContext = captureStacktrace(
               { name, value },
-              { constructorOpt: data.hooked, prependFrames: [data.orig] }
+              { constructorOpt: hooked, prependFrames: [orig] }
             );
+
             inputTracing.handleCommandInjection(sourceContext, sinkContext);
+            // To evade code duplication we are using these INPUT TRACING instrumentation
+            // to do the checks for SEMANTIC ANALYSIS too
+            core.protect.semanticAnalysis.handleCommandInjectionCommandBackdoors(sourceContext, sinkContext);
+            core.protect.semanticAnalysis.handleCmdInjectionSemanticChainedCommands(sourceContext, sinkContext);
+            core.protect.semanticAnalysis.handleCmdInjectionSemanticDangerous(sourceContext, sinkContext);
           }
         });
       });

package/lib/input-tracing/install/eval.js

@@ -0,0 +1,60 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { isString } = require('@contrast/common');
+const { patchType } = require('../constants');
+
+module.exports = function(core) {
+  const {
+    logger,
+    scopes: { instrumentation },
+    patcher,
+    captureStacktrace,
+    protect,
+    protect: { inputTracing }
+  } = core;
+
+  function install() {
+    if (!global.ContrastMethods.__contrastEval) {
+      logger.error('Cannot install `eval` instrumentation - Contrast method DNE');
+      return;
+    }
+
+    patcher.patch(global.ContrastMethods, '__contrastEval', {
+      name: 'global.ContrastMethods.__contrastEval',
+      patchType,
+      pre: ({ args, hooked, orig }) => {
+        if (instrumentation.isLocked()) return;
+
+        const sourceContext = protect.getSourceContext('eval');
+        const value = args[0];
+
+        if (!sourceContext || !value || !isString(value)) return;
+
+        const sinkContext = captureStacktrace(
+          { name: 'eval', value },
+          { constructorOpt: hooked, prependFrames: [orig] }
+        );
+        inputTracing.ssjsInjection(sourceContext, sinkContext);
+      }
+    });
+  }
+
+  const evalInstrumentation = inputTracing.evalInstrumentation = { install };
+
+  return evalInstrumentation;
+};

package/lib/input-tracing/install/fs.js

@@ -61,10 +61,11 @@ const fsMethods = [
 
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
+    scopes: { instrumentation },
     patcher,
     depHooks,
     captureStacktrace,
+    protect,
     protect: { inputTracing }
   } = core;
 
@@ -88,7 +89,8 @@ module.exports = function(core) {
             if (instrumentation.isLocked()) return;
 
             // obtain the Protect sourceContext
-            const sourceContext = sources.getStore()?.protect;
+            const sourceContext = protect.getSourceContext('fs');
+
             if (!sourceContext) return;
 
             // build list of values on which to perform INPUT TRACING

package/lib/input-tracing/install/http.js

@@ -0,0 +1,63 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../constants');
+
+module.exports = function(core) {
+  const {
+    scopes: { instrumentation },
+    patcher,
+    depHooks,
+    captureStacktrace,
+    protect,
+    protect: { inputTracing }
+  } = core;
+
+  function install() {
+    depHooks.resolve({ name: 'http' }, http => {
+      for (const method of ['write', 'end']) {
+        const name = `http.ServerResponse.prototype.${method}`;
+        patcher.patch(http.ServerResponse.prototype, method, {
+          name,
+          patchType,
+          pre(data) {
+            if (instrumentation.isLocked()) return;
+
+            const sourceContext = protect.getSourceContext(name);
+
+            if (!sourceContext) return;
+
+            const value = data.args[0]?.toString();
+            if (!value) return;
+
+            const sinkContext = captureStacktrace(
+              { name, value },
+              { constructorOpt: data.hooked }
+            );
+            inputTracing.handleReflectedXss(sourceContext, sinkContext);
+          }
+        });
+      }
+    });
+  }
+
+  const httpInstrumentation = inputTracing.httpInstrumentation = {
+    install
+  };
+
+  return httpInstrumentation;
+};

package/lib/input-tracing/install/mongodb.js

@@ -22,8 +22,8 @@ module.exports = function (core) {
   const {
     depHooks,
     patcher,
-    scopes: { sources },
     captureStacktrace,
+    protect,
     protect: { inputTracing },
   } = core;
 
@@ -61,15 +61,15 @@ module.exports = function (core) {
     patcher.patch(obj, method, {
       name: patchName,
       patchType,
-      pre: ({ args, hooked, name }) => {
+      pre: ({ args, hooked, name, orig }) => {
         const value = getCursorQueryData(args, version);
-        const sourceContext = sources.getStore()?.protect;
+        const sourceContext = protect.getSourceContext(patchName);
 
         if (!sourceContext || !value) return;
 
         const sinkContext = captureStacktrace(
           { name, value },
-          { constructorOpt: hooked }
+          { constructorOpt: hooked, prependFrames: [orig] }
         );
         inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
       }
@@ -80,10 +80,10 @@ module.exports = function (core) {
     patcher.patch(obj, method, {
       name: patchName,
       patchType,
-      pre: ({ args, hooked, name }) => {
-        const sourceContext = sources.getStore()?.protect;
-        if (!sourceContext) return;
+      pre: ({ args, hooked, name, orig }) => {
+        const sourceContext = protect.getSourceContext(patchName);
 
+        if (!sourceContext) return;
 
         const ops = Array.isArray(args[1])
           ? args[1]
@@ -93,7 +93,7 @@ module.exports = function (core) {
           if (value) {
             const sinkContext = captureStacktrace(
               { name, value },
-              { constructorOpt: hooked }
+              { constructorOpt: hooked, prependFrames: [orig] }
             );
             inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
           }
@@ -126,15 +126,15 @@ module.exports = function (core) {
           patcher.patch(mongodb.Collection.prototype, method, {
             name: `mongodb.Collection.prototype.${method}`,
             patchType,
-            pre: ({ args, hooked, name }) => {
+            pre: ({ args, hooked, name, orig }) => {
               const value = typeof args[0] == 'function' ? null : args[0];
-              const sourceContext = sources.getStore()?.protect;
+              const sourceContext = protect.getSourceContext(`mongodb.Collection.prototype.${method}`);
 
               if (!sourceContext || !value) return;
 
               const sinkContext = captureStacktrace(
                 { name, value },
-                { constructorOpt: hooked }
+                { constructorOpt: hooked, prependFrames: [orig] }
               );
               inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
             },
@@ -144,15 +144,15 @@ module.exports = function (core) {
         patcher.patch(mongodb.Db.prototype, 'command', {
           name: 'mongodb.Db.prototype.command',
           patchType,
-          pre: ({ args, hooked, name }) => {
+          pre: ({ args, hooked, name, orig }) => {
             const value = args[0]?.filter;
-            const sourceContext = sources.getStore()?.protect;
+            const sourceContext = protect.getSourceContext('mongodb.Collection.prototype.command');
 
             if (!sourceContext || !value) return;
 
             const sinkContext = captureStacktrace(
               { name, value },
-              { constructorOpt: hooked }
+              { constructorOpt: hooked, prependFrames: [orig] }
             );
             inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
           }
@@ -168,15 +168,15 @@ module.exports = function (core) {
         patcher.patch(mongodb.Db.prototype, 'eval', {
           name: 'mongodb.Db.prototype.eval',
           patchType,
-          pre: ({ args, hooked, name }) => {
+          pre: ({ args, hooked, name, orig }) => {
             const value = args[0];
-            const sourceContext = sources.getStore()?.protect;
+            const sourceContext = protect.getSourceContext('mongodb.Db.prototype.eval');
 
             if (!sourceContext || !value) return;
 
             const sinkContext = captureStacktrace(
               { name, value },
-              { constructorOpt: hooked }
+              { constructorOpt: hooked, prependFrames: [orig] }
             );
 
             inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
@@ -187,15 +187,15 @@ module.exports = function (core) {
     depHooks.resolve({ name: 'mongodb', file: 'lib/cursor/find_cursor', version: '>=4.0.0' }, (cursor) => patcher.patch(cursor, 'FindCursor', {
       name: 'mongodb.FindCursor',
       patchType,
-      pre: ({ args, hooked, name }) => {
+      pre: ({ args, hooked, name, orig }) => {
         const value = args[2];
-        const sourceContext = sources.getStore()?.protect;
+        const sourceContext = protect.getSourceContext('mongodb.FindCursor');
 
         if (!sourceContext || !value) return;
 
         const sinkContext = captureStacktrace(
           { name, value },
-          { constructorOpt: hooked }
+          { constructorOpt: hooked, prependFrames: [orig] }
         );
         inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
       }

package/lib/input-tracing/install/mysql.js

@@ -23,7 +23,7 @@ module.exports = function(core) {
     depHooks,
     patcher,
     captureStacktrace,
-    scopes: { sources },
+    protect,
     protect: { inputTracing }
   } = core;
 
@@ -49,7 +49,8 @@ module.exports = function(core) {
             patchType,
             pre(data) {
               const { args, hooked, name, orig } = data;
-              const sourceContext = sources.getStore()?.protect;
+              const sourceContext = protect.getSourceContext(name);
+
               if (!sourceContext) return;
 
               const value = mysqlInstr.getValueFromArgs(args);

package/lib/input-tracing/install/postgres.js

@@ -22,8 +22,8 @@ module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    scopes: { sources },
     captureStacktrace,
+    protect,
     protect: { inputTracing }
   } = core;
 
@@ -32,8 +32,9 @@ module.exports = function(core) {
     if (query && isString(query)) return query;
   }
 
-  function preHook({ args, hooked, name }) {
-    const sourceContext = sources.getStore()?.protect;
+  function preHook({ args, hooked, name, orig }) {
+    const sourceContext = protect.getSourceContext(name);
+
     if (!sourceContext) return;
 
     const value = getQueryFromArgs(args);
@@ -41,7 +42,7 @@ module.exports = function(core) {
 
     const sinkContext = captureStacktrace(
       { name, value },
-      { constructorOpt: hooked }
+      { constructorOpt: hooked, prependFrames: [orig] }
     );
 
     inputTracing.handleSqlInjection(sourceContext, sinkContext);

package/lib/input-tracing/install/sequelize.js

@@ -20,10 +20,11 @@ const { patchType } = require('../constants');
 
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
+    scopes: { instrumentation },
     patcher,
     depHooks,
     captureStacktrace,
+    protect,
     protect: { inputTracing }
   } = core;
 
@@ -38,18 +39,19 @@ module.exports = function(core) {
       patcher.patch(sequelize.prototype, 'query', {
         name,
         patchType,
-        pre({ args, hooked, name }) {
+        pre({ args, hooked, name, orig }) {
           if (instrumentation.isLocked()) return;
 
-          const sourceContext = sources.getStore()?.protect;
-          if (!sourceContext) return;
+          const sourceContext = protect.getSourceContext(name);
+
+          if (!sourceContext || sourceContext.allowed) return;
 
           const value = getQueryFromArgs(args);
           if (!value) return;
 
           const sinkContext = captureStacktrace(
             { name, value },
-            { constructorOpt: hooked }
+            { constructorOpt: hooked, prependFrames: [orig] }
           );
           inputTracing.handleSqlInjection(sourceContext, sinkContext);
         }

package/lib/input-tracing/install/sqlite3.js

@@ -20,10 +20,11 @@ const { patchType } = require('../constants');
 
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
+    scopes: { instrumentation },
     patcher,
     depHooks,
     captureStacktrace,
+    protect,
     protect: { inputTracing }
   } = core;
 
@@ -34,10 +35,10 @@ module.exports = function(core) {
         patcher.patch(sqlite3.Database.prototype, method, {
           name,
           patchType,
-          pre({ args, hooked, name }) {
+          pre({ args, hooked, name, orig }) {
             if (instrumentation.isLocked()) return;
 
-            const sourceContext = sources.getStore()?.protect;
+            const sourceContext = protect.getSourceContext(name);
             if (!sourceContext) return;
 
             const value = args[0];
@@ -45,8 +46,9 @@ module.exports = function(core) {
 
             const sinkContext = captureStacktrace(
               { name, value },
-              { constructorOpt: hooked }
+              { constructorOpt: hooked, prependFrames: [orig] }
             );
+
             inputTracing.handleSqlInjection(sourceContext, sinkContext);
           }
         });