@contrast/protect 1.3.0 → 1.4.0

package/lib/input-tracing/install/vm.js

@@ -0,0 +1,132 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { isString, isNonEmptyObject } = require('@contrast/common');
+const { patchType } = require('../constants');
+
+module.exports = function(core) {
+  const {
+    scopes: { instrumentation },
+    patcher,
+    depHooks,
+    captureStacktrace,
+    protect,
+    protect: { inputTracing }
+  } = core;
+
+  function install() {
+    depHooks.resolve({ name: 'vm' }, (vm) => {
+      ['Script', 'createScript', 'runInContext', 'runInThisContext'].forEach(
+        (method) => {
+          const name = `vm.${method}`;
+
+          patcher.patch(vm, method, {
+            name,
+            patchType,
+            pre({ args, hooked, name, orig }) {
+              if (instrumentation.isLocked()) return;
+
+              const sourceContext = protect.getSourceContext(name);
+              if (!sourceContext) return;
+
+              const codeString = args[0];
+              if (!codeString || !isString(codeString)) return;
+
+              const sinkContext = captureStacktrace(
+                { name, value: codeString },
+                { constructorOpt: hooked, prependFrames: [orig] }
+              );
+              inputTracing.ssjsInjection(sourceContext, sinkContext);
+            }
+          });
+        }
+      );
+
+      patcher.patch(vm, 'runInNewContext', {
+        name: 'vm.runInNewContext',
+        patchType,
+        pre: ({ args, hooked, orig }) => {
+          if (instrumentation.isLocked()) return;
+
+          const sourceContext = protect.getSourceContext('vm.runInNewContext');
+          if (!sourceContext) return;
+
+          const codeString = args[0];
+          const envObj = args[1];
+
+          if ((!codeString || !isString(codeString)) && (!isNonEmptyObject(envObj))) return;
+
+          const codeStringSinkContext = (codeString && isString(codeString)) ? captureStacktrace(
+            { name: 'vm.runInNewContext', value: codeString },
+            { constructorOpt: hooked, prependFrames: [orig] }
+          ) : null;
+          const envObjSinkContext = isNonEmptyObject(envObj) ? captureStacktrace(
+            { name: 'vm.runInNewContext', value: envObj },
+            { constructorOpt: hooked, prependFrames: [orig] }
+          ) : null;
+
+          codeStringSinkContext && inputTracing.ssjsInjection(sourceContext, codeStringSinkContext);
+          envObjSinkContext && inputTracing.ssjsInjection(sourceContext, envObjSinkContext);
+        }
+      });
+
+      patcher.patch(vm, 'createContext', {
+        name: 'vm.createContext',
+        patchType,
+        pre: ({ args, hooked, orig }) => {
+          if (instrumentation.isLocked()) return;
+
+          const sourceContext = protect.getSourceContext('vm.createContext');
+          if (!sourceContext) return;
+
+          const envObj = args[0];
+          if (!isNonEmptyObject(envObj)) return;
+
+          const sinkContext = captureStacktrace(
+            { name: 'vm.createContext', value: envObj },
+            { constructorOpt: hooked, prependFrames: [orig] }
+          );
+          inputTracing.ssjsInjection(sourceContext, sinkContext);
+        }
+      });
+
+      patcher.patch(vm.Script.prototype, 'runInNewContext', {
+        name: 'vm.Script.prototype.runInNewContext',
+        patchType,
+        pre: ({ args, hooked, orig }) => {
+          if (instrumentation.isLocked()) return;
+
+          const sourceContext = protect.getSourceContext('vm.Script.prototype.runInNewContext');
+          if (!sourceContext) return;
+
+          const envObj = args[0];
+          if (!isNonEmptyObject(envObj)) return;
+
+          const sinkContext = captureStacktrace(
+            { name: 'vm.Script.prototype.runInNewContext', value: envObj },
+            { constructorOpt: hooked, prependFrames: [orig] }
+          );
+          inputTracing.ssjsInjection(sourceContext, sinkContext);
+        }
+      });
+    });
+  }
+
+  const vmInstrumentation = inputTracing.vmInstrumentation = { install };
+
+  return vmInstrumentation;
+};

package/lib/make-source-context.js

@@ -83,7 +83,7 @@ module.exports = function(core) {
       // particular request (if any route exclusions, etc.)
       rules: core.protect.rules,
       exclusions: [],
-      virtualPatches: [],
+      virtualPatchesEvaluators: [],
 
       // maybe better as result, findings... but my bad naming choice is
       // past the point of return.
@@ -94,6 +94,9 @@ module.exports = function(core) {
         // successfully.
         bodyType: undefined,
         resultsMap: Object.create(null),
+        hardeningResultsMap: Object.create(null),
+        semanticResultsMap: Object.create(null),
+        serverFeaturesResultsMap: Object.create(null)
       },
 
       /*

package/lib/semantic-analysis/handlers.js

@@ -0,0 +1,160 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const {
+  BLOCKING_MODES,
+  InputType,
+  isString,
+  simpleTraverse
+} = require('@contrast/common');
+
+const SINK_EXPLOIT_PATTERN_START = /(?:^|\\|\/)(?:sh|bash|zsh|ksh|tcsh|csh|fish|cmd)/;
+const stripWhiteSpace = (str) => str.replace(/\s/g, '');
+
+// The sink instrumentation for this rule is in `protect/lib/input-tracing/install/child-process.js
+module.exports = function(core) {
+  const { protect: { agentLib, semanticAnalysis, throwSecurityException } } = core;
+
+  function handleResult(sourceContext, sinkContext, ruleId, mode, finding) {
+    const sinkResults = sourceContext.findings.semanticResultsMap[ruleId];
+    const result = {
+      blocked: false,
+      findings: { command: sinkContext.value },
+      sinkContext,
+      ...finding
+    };
+
+    sourceContext.findings.semanticResultsMap[ruleId] = sinkResults ? [...sinkResults, result] : [result];
+
+    if (BLOCKING_MODES.includes(mode)) {
+      result.blocked = true;
+      const blockInfo = [mode, ruleId];
+      sourceContext.findings.securityException = blockInfo;
+      throwSecurityException(sourceContext);
+    }
+  }
+
+  semanticAnalysis.handleCmdInjectionSemanticDangerous = function(sourceContext, sinkContext) {
+    const ruleId = 'cmd-injection-semantic-dangerous-paths';
+    const { mode } = sourceContext.rules.agentRules[ruleId];
+
+    if (mode == 'off') return;
+
+    const result = agentLib.containsDangerousPath(sinkContext.value);
+
+    if (result) {
+      handleResult(sourceContext, sinkContext, ruleId, mode);
+    }
+  };
+
+  semanticAnalysis.handleCmdInjectionSemanticChainedCommands = function(sourceContext, sinkContext) {
+    const ruleId = 'cmd-injection-semantic-chained-commands';
+    const { mode } = sourceContext.rules.agentRules[ruleId];
+
+    if (mode == 'off') return;
+
+    const indexOfChaining = agentLib.indexOfChaining(sinkContext.value);
+
+    if (indexOfChaining != -1) {
+      handleResult(sourceContext, sinkContext, ruleId, mode);
+    }
+  };
+
+  semanticAnalysis.handleCommandInjectionCommandBackdoors = function(sourceContext, sinkContext) {
+    const ruleId = 'cmd-injection-command-backdoors';
+    const { mode } = sourceContext.rules.agentRules[ruleId];
+
+    if (mode == 'off') return;
+
+    const finding = findBackdoorInjection(sourceContext, sinkContext.value);
+
+    if (finding) {
+      handleResult(sourceContext, sinkContext, ruleId, mode, finding);
+    }
+  };
+
+  return semanticAnalysis;
+};
+
+/**
+ * Backdoor detection logic:
+ *  - command is >= 2 chars
+ *  - iterates over every piece of request and checks
+ *    - the full value is the param to sink
+ *    - the value matches a regex and ends the param to the sink
+ */
+function findBackdoorInjection(sourceContext, command) {
+  if (command?.length < 2) {
+    return null;
+  }
+
+  const valuesOfInterest = {
+    [InputType.QUERYSTRING]: sourceContext.parsedQuery,
+    [InputType.PARAMETER_VALUE]: sourceContext.parsedParams,
+    [InputType.BODY]: sourceContext.parsedBody,
+    [InputType.COOKIE_VALUE]: sourceContext.parsedCookies,
+    [InputType.HEADER]: sourceContext.reqData.headers,
+  };
+
+  let found = false;
+  for (let inputType in valuesOfInterest) {
+    const values = valuesOfInterest[inputType];
+
+    if (values && Object.keys(values).length) {
+      simpleTraverse(values, (path, type, value, obj) => {
+        if (
+          !found &&
+            value &&
+            type === 'Value' &&
+            isString(value) &&
+            isBackdoorDetected(value, command)
+        ) {
+          let key;
+          key = inputType === InputType.HEADER ? obj.indexOf(command) - 1 : path[path.length - 1];
+          if (Number.isInteger(key) && obj[key]) {
+            key = obj[key];
+          }
+          path = path.length === 1 ? [] : Array.from(path).slice(0, path.length - 1);
+          inputType = path.length > 1 ? InputType.JSON_VALUE : inputType;
+
+          found = { key, inputType, path, value: command };
+        }
+      });
+    }
+  }
+
+  return found;
+}
+
+/**
+   * strips the whitespace of the request value and the command,
+   * checks if the command equals the request value
+   * or if the command looks like the start of a shell execution
+   * and ends with the request value passed to the sink
+   *
+   * @param {string} value from request key
+   */
+function isBackdoorDetected(requestValue, command) {
+  const normalizedValue = stripWhiteSpace(requestValue);
+  const normalizedCommand = stripWhiteSpace(command);
+
+  return (
+    normalizedValue === normalizedCommand ||
+      (normalizedCommand.endsWith(normalizedValue) &&
+        SINK_EXPLOIT_PATTERN_START.test(normalizedCommand))
+  );
+}

package/lib/semantic-analysis/index.js

@@ -0,0 +1,38 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+/**
+ * SEMANTIC ANALYSIS is a STAGE of Protect.
+ * The information about it can be found under some of the separate rules we support for this stage:
+ * https://protect-spec.prod.dotnet.contsec.com/rules/cmd-injection-semantic-dangerous-paths.html#semantic-analysis
+ * https://protect-spec.prod.dotnet.contsec.com/rules/cmd-injection-semantic-chained-commands.html#semantic-analysis
+ *
+ * To view other STAGES see https://protect-spec.prod.dotnet.contsec.com/guide/protect-types.html#protection-types
+ * @param {object} core composed dependencies
+ * @returns {object}
+ */
+module.exports = function(core) {
+  const semanticAnalysis = core.protect.semanticAnalysis = {};
+
+  // load the interfaces that will be used by input tracing instrumentation
+  require('./handlers')(core);
+
+  // There is no `.install()` method as this STAGE does not introduce side effects on its own,
+  // it uses the instrumentation that's already in place for INPUT TRACING.
+
+  return semanticAnalysis;
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.3.0",
+  "version": "1.4.0",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -9,9 +9,6 @@
   ],
   "main": "lib/index.js",
   "types": "lib/index.d.ts",
-  "bin": {
-    "contrast-transpile": "lib/cli-rewriter.js"
-  },
   "engines": {
     "npm": ">= 8.4.0",
     "node": ">= 14.15.0"
@@ -22,12 +19,13 @@
   "dependencies": {
     "@babel/template": "^7.16.7",
     "@babel/types": "^7.16.8",
-    "@contrast/agent-lib": "^4.2.0",
-    "@contrast/common": "1.0.3",
-    "@contrast/core": "1.2.0",
-    "@contrast/scopes": "1.1.0",
-    "@contrast/esm-hooks": "1.1.3",
+    "@contrast/agent-lib": "^5.0.0",
+    "@contrast/common": "1.1.0",
+    "@contrast/core": "1.3.0",
+    "@contrast/esm-hooks": "1.1.4",
+    "@contrast/scopes": "1.1.1",
     "builtin-modules": "^3.2.0",
+    "ipaddr.js": "^2.0.1",
     "semver": "^7.3.7"
   }
 }

package/lib/utils.js

@@ -1,84 +0,0 @@
-/*
- * Copyright: 2022 Contrast Security, Inc
- * Contact: support@contrastsecurity.com
- * License: Commercial
-
- * NOTICE: This Software and the patented inventions embodied within may only be
- * used as part of Contrast Security’s commercial offerings. Even though it is
- * made available through public repositories, use of this Software is subject to
- * the applicable End User Licensing Agreement found at
- * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
- * between Contrast Security and the End User. The Software may not be reverse
- * engineered, modified, repackaged, sold, redistributed or otherwise used in a
- * way not consistent with the End User License Agreement.
- */
-
-'use strict';
-
-/**
- * simpleTraverse() walks an object and calls a user function for each key
- * and string value. It is a "simple traverse" in that it
- * 1) doesn't make value callbacks unless the value is a non-empty string
- * 2) it only recognizes items that can be expressed in JSON, i.e., POJO
- * and arrays.
- * 3) it doesn't make callbacks for array indexes (though they appear in
- * the path). array indexes are always numeric and are not a threat.
- *
- * N.B. the path array that is passed to the callback is a dynamic path; new
- * keys are pushed and popped onto the path as simpleTraverse() walks the
- * object. in order to capture the path at the time of the callback, the
- * callback must copy the array, e.g., `path.slice()`, in order to "freeze"
- * it at the time of the callback. the reason for this is that most keys/values
- * are not going to be of interest, and there is no reason to create a new array
- * unless the key/value is of interest.
- *
- * @param {Object} obj the object to traverse
- * @param {Function} cb(path, type, value) is called for each non-array-index key
- * and string value. It is not called for non-string or empty-string Values.
- *   path {[String]} the path prior to the 'Key' or 'Value'; includes array indexes.
- *   type {String} 'Key' or 'Value'
- *   value {String} the Key or Leaf string
- *
- */
-function simpleTraverse(obj, cb) {
-  if (typeof obj !== 'object' || obj === null) {
-    return;
-  }
-  const path = [];
-  /* eslint-disable complexity */
-  function traverse(obj) {
-    const isArray = Array.isArray(obj);
-    for (const k in obj) {
-      if (isArray) {
-        // if it is an array, store each index in path but don't call the
-        // callback on the index itself as they are just numeric strings.
-        path.push(k);
-        if (typeof obj[k] === 'object' && obj[k] !== null) {
-          traverse(obj[k]);
-        } else if (typeof obj[k] === 'string' && obj[k]) {
-          cb(path, 'Value', obj[k]);
-        }
-        path.pop();
-      } else if (typeof obj[k] === 'object' && obj[k] !== null) {
-        cb(path, 'Key', k);
-        path.push(k);
-        traverse(obj[k]);
-        path.pop();
-      } else {
-        cb(path, 'Key', k);
-        // only callback if the value is a non-empty string
-        if (typeof obj[k] === 'string' && obj[k]) {
-          path.push(k);
-          cb(path, 'Value', obj[k]);
-          path.pop();
-        }
-      }
-    }
-  }
-
-  traverse(obj);
-}
-
-module.exports = {
-  simpleTraverse,
-};