@contrast/protect 1.3.0 → 1.5.0

package/lib/error-handlers/index.js

@@ -18,14 +18,17 @@
 module.exports = function(core) {
   const errorHandlers = core.protect.errorHandlers = {};
 
-  require('./install/fastify3')(core);
+  require('./install/fastify')(core);
   require('./install/koa2')(core);
   require('./install/express4')(core);
+  require('./install/hapi')(core);
 
   errorHandlers.install = function() {
-    errorHandlers.fastify3ErrorHandler.install();
-    errorHandlers.koa2ErrorHandler.install();
-    errorHandlers.express4ErrorHandler.install();
+    for (const component of Object.values(errorHandlers)) {
+      if (component.install) {
+        component.install();
+      }
+    }
   };
 
   return errorHandlers;

package/lib/error-handlers/install/express4.js

@@ -24,7 +24,6 @@ module.exports = function(core) {
     logger,
     depHooks,
     patcher,
-    scopes: { sources },
     protect,
   } = core;
 
@@ -41,7 +40,7 @@ module.exports = function(core) {
             patchType,
             around(org, data) {
               const [err] = data.args;
-              const sourceContext = sources.getStore()?.protect;
+              const sourceContext = protect.getSourceContext('finalHandler');
               const isSecurityException = SecurityException.isSecurityException(err);
 
               if (isSecurityException && sourceContext) {
@@ -67,7 +66,7 @@ module.exports = function(core) {
         patchType,
         around(org, data) {
           const [err] = data.args;
-          const sourceContext = sources.getStore()?.protect;
+          const sourceContext = protect.getSourceContext('express.Layer.handle_error');
           const isSecurityException = SecurityException.isSecurityException(err);
 
           if (isSecurityException && sourceContext) {

package/lib/error-handlers/install/{fastify3.js → fastify.js}

@@ -20,14 +20,12 @@ const { patchType } = require('../constants');
 
 module.exports = function(core) {
   const {
-    logger,
     depHooks,
     patcher,
-    scopes: { sources },
     protect,
   } = core;
 
-  const fastify3ErrorHandler = protect.errorHandlers.fastify3ErrorHandler = {
+  const fastifyErrorHandler = protect.errorHandlers.fastifyErrorHandler = {
     _userHandler: null
   };
 
@@ -35,7 +33,7 @@ module.exports = function(core) {
    * This is the default handler from fastify's source code. If it's not a
    * Contrast error and the user didn't supply their own we should use this.
    */
-  fastify3ErrorHandler.defaultErrorHandler = function (error, request, reply) {
+  fastifyErrorHandler.defaultErrorHandler = function (error, request, reply) {
     if (reply.statusCode < 500) {
       reply.log.info({ res: reply, err: error }, error && error.message);
     } else {
@@ -49,19 +47,19 @@ module.exports = function(core) {
 
   /**
    * Check if the error being handled was thrown by Contrast. If not,
-   * use either the default fastify3 error handler or the user-defined handler
+   * use either the default fastify error handler or the user-defined handler
    * if one was specified by calling fastify.setErrorHandler(fn).
    * @param {error} err error being handled
    * @param {object} request fastify request
    * @param {object} reply fastify repoly
    */
-  fastify3ErrorHandler.handler = function(err, request, reply) {
-    const normalHandler = fastify3ErrorHandler._userHandler || fastify3ErrorHandler.defaultErrorHandler;
+  fastifyErrorHandler.handler = function(err, request, reply) {
+    const normalHandler = fastifyErrorHandler._userHandler || fastifyErrorHandler.defaultErrorHandler;
 
     if (isSecurityException(err)) {
-      const sourceContext = sources.getStore()?.protect;
+      const sourceContext = protect.getSourceContext('fastify.errorHandler');
+
       if (!sourceContext) {
-        logger.info('source context not found; unable to handle response');
         normalHandler.call(this, err, request, reply);
       } else {
         const blockInfo = sourceContext.findings.securityException;
@@ -75,14 +73,14 @@ module.exports = function(core) {
   /**
    * Instruments fastify in order to add our custom error handler.
    */
-  fastify3ErrorHandler.install = function() {
-    depHooks.resolve({ name: 'fastify', version: '<=4.0.0' }, (fastify) => patcher.patch(fastify, {
+  fastifyErrorHandler.install = function() {
+    depHooks.resolve({ name: 'fastify', version: '<=3 <5' }, (fastify) => patcher.patch(fastify, {
       name: 'fastify',
       patchType,
       post(data) {
         const { result: server } = data;
         // Set our custom handler initially
-        server.setErrorHandler(fastify3ErrorHandler.handler);
+        server.setErrorHandler(fastifyErrorHandler.handler);
 
         // Patch, so that if someone sets their own, we override with ours. But,
         // we do need to keep a reference to it so we can still call it for when
@@ -91,13 +89,13 @@ module.exports = function(core) {
           name: 'fastify.setErrorHandler',
           patchType,
           pre({ args }) {
-            fastify3ErrorHandler._userHandler = args[0];
-            args[0] = fastify3ErrorHandler.handler;
+            fastifyErrorHandler._userHandler = args[0];
+            args[0] = fastifyErrorHandler.handler;
           }
         });
       }
     }));
   };
 
-  return fastify3ErrorHandler;
+  return fastifyErrorHandler;
 };

package/lib/error-handlers/install/hapi.js

@@ -0,0 +1,75 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const SecurityException = require('../../security-exception');
+const { patchType } = require('../constants');
+
+
+module.exports = function (core) {
+  const {
+    logger,
+    depHooks,
+    patcher,
+    protect,
+  } = core;
+
+  const hapiErrorHandler = protect.errorHandlers.hapiErrorHandler = {};
+
+  const registerErrorHandler = (boom, name) => {
+    patcher.patch(boom, 'boomify', {
+      name: `${name}.boomify`,
+      patchType,
+      post(data) {
+        const [err] = data.args;
+        const sourceContext = protect.getSourceContext('Hapi.boom.boomify');
+        const isSecurityException = SecurityException.isSecurityException(err);
+
+        if (isSecurityException && sourceContext && err.output.statusCode !== 403) {
+          const [mode, ruleId] = sourceContext.findings.securityException;
+          sourceContext.block('block', 'cmd-injection');
+
+          err.output.statusCode = 403;
+          err.reformat();
+          err.output.payload = undefined;
+          data.result = null;
+
+          logger.info({ mode, ruleId }, 'Request blocked');
+
+          return;
+        }
+
+        if (!sourceContext && isSecurityException) {
+          logger.info('source context not found; unable to handle response');
+        }
+      }
+    });
+  };
+
+  hapiErrorHandler.install = function () {
+    depHooks.resolve(
+      { name: 'boom' },
+      (boom) => registerErrorHandler(boom, 'boom'),
+    );
+
+    depHooks.resolve(
+      { name: '@hapi/boom' },
+      (boom) => registerErrorHandler(boom, '@hapi/boom'),
+    );
+  };
+
+  return hapiErrorHandler;
+};

package/lib/error-handlers/install/koa2.js

@@ -24,7 +24,6 @@ module.exports = function(core) {
     logger,
     depHooks,
     patcher,
-    scopes: { sources },
     protect,
   } = core;
 
@@ -42,7 +41,7 @@ module.exports = function(core) {
             patchType,
             around(org, data) {
               const [err] = data.args;
-              const sourceContext = sources.getStore()?.protect;
+              const sourceContext = protect.getSourceContext('Koa.Application.handleRequest');
               const isSecurityException = SecurityException.isSecurityException(err);
 
               if (isSecurityException && sourceContext) {

package/lib/{cli-rewriter.js → get-source-context.js}

@@ -1,5 +1,3 @@
-#!/usr/bin/env node
-
 /*
  * Copyright: 2022 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
@@ -17,19 +15,19 @@
 
 'use strict';
 
-const { cliRewriter } = require('@contrast/core')();
+module.exports = function(core) {
+  const { scopes: { sources }, logger } = core;
+
+  function getSourceContext(callPoint) {
+    const sourceContext = sources.getStore()?.protect;
 
-cliRewriter((deps) => {
-  if (deps.config.protect.enable) {
-    try {
-      const protect = require('./index')(deps);
-      protect.rewriting.install();
-    } catch (err) {
-      // TODO: something else
-      throw err;
+    if (!sourceContext) {
+      logger.debug(`source context not available in ${callPoint}`);
+      return null;
     }
-  } else {
-    deps.logger.error('Configuration Error: mode \'Protect\' is not enabled');
-    process.exit(1);
+
+    return sourceContext.allowed ? null : sourceContext;
   }
-});
+
+  core.protect.getSourceContext = getSourceContext;
+};

package/lib/hardening/constants.js

@@ -0,0 +1,20 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+module.exports = {
+  patchType: 'protect-hardening'
+};

package/lib/hardening/handlers.js

@@ -0,0 +1,65 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { BLOCKING_MODES, isString } = require('@contrast/common');
+
+const NODE_SERIALIZE_RCE_TOKEN = '_$$ND_FUNC$$_';
+
+module.exports = function(core) {
+  const {
+    protect: {
+      hardening,
+      throwSecurityException,
+    }
+  } = core;
+
+  function getResults(sourceContext, ruleId) {
+    let results = sourceContext.findings.hardeningResultsMap[ruleId];
+    if (!results) {
+      results = sourceContext.findings.hardeningResultsMap[ruleId] = [];
+    }
+    return results;
+  }
+
+  hardening.handleUntrustedDeserialization = function(sourceContext, sinkContext) {
+    const ruleId = 'untrusted-deserialization';
+    const mode = sourceContext.policy[ruleId];
+    const { name, value } = sinkContext;
+
+    if (mode === 'off') return;
+
+    if (name === 'node-serialize.unserialize') {
+      if (!isString(value) || !value.indexOf(NODE_SERIALIZE_RCE_TOKEN)) return;
+
+      const blocked = BLOCKING_MODES.includes(mode);
+      const results = getResults(sourceContext, ruleId);
+
+      results.push({
+        blocked,
+        findings: { deserializer: name, command: false },
+        sinkContext,
+      });
+
+      if (blocked) {
+        sourceContext.findings.securityException = [mode, ruleId];
+        throwSecurityException(sourceContext);
+      }
+    }
+  };
+
+  return hardening;
+};

package/lib/hardening/index.js

@@ -0,0 +1,29 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+module.exports = function(core) {
+  const hardening = core.protect.hardening = {};
+
+  require('./handlers')(core);
+
+  require('./install/node-serialize0')(core);
+  hardening.install = function() {
+    hardening.nodeSerialize0Instrumentation.install();
+  };
+
+  return hardening;
+};

package/lib/hardening/install/node-serialize0.js

@@ -0,0 +1,59 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../constants');
+
+module.exports = function(core) {
+  const {
+    depHooks,
+    patcher,
+    captureStacktrace,
+    protect,
+    protect: {
+      hardening
+    }
+  } = core;
+
+  function install() {
+    const name = 'node-serialize';
+    const method = 'unserialize';
+
+    depHooks.resolve(
+      { name, version: '<1.0.0' },
+      (nodeSerialize) => {
+        patcher.patch(nodeSerialize, method, {
+          name,
+          patchType,
+          pre({ args: [value], hooked, orig }) {
+            const sourceContext = protect.getSourceContext(`${name}.${method}`);
+
+            if (!sourceContext || !value) return;
+
+            const sinkContext = captureStacktrace(
+              { name: `${name}.${method}`, value },
+              { constructorOpt: hooked, prependFrames: [orig] },
+            );
+            hardening.handleUntrustedDeserialization(sourceContext, sinkContext);
+          },
+        });
+      });
+  }
+
+  return hardening.nodeSerialize0Instrumentation = {
+    install
+  };
+};

package/lib/index.d.ts

@@ -18,10 +18,9 @@ import { Core } from '@contrast/core';
 import { Logger } from '@contrast/logger';
 import { Sources } from '@contrast/scopes';
 import RequireHook from '@contrast/require-hook';
-import { RulesConfig, Rule, Messages, Result } from '@contrast/common';
+import { RulesConfig, Messages, ReqData, ProtectMessage, Findings } from '@contrast/common';
 import { IncomingMessage, ServerResponse } from 'node:http';
 import { Config } from '@contrast/config';
-import { ProtectMessage } from '@contrast/common';
 import * as http from 'node:http';
 import * as https from 'node:https';
 
@@ -50,24 +49,6 @@ export class HttpInstrumentation {
   initiateRequestHandling(fnContext: { instance: any, method: any, args: any }): void; //TODO
   removeCookies(headers: string[]): string[];
 }
-export interface ReqData {
-  method: string;
-  headers: string[];
-  uriPath: string;
-  queries: string;
-  contentType?: string;
-  standardUrlParsing: boolean;
-  ip: string;
-  httpVersion: string,
-  headers2: { [key: string]: Array<string> };
-}
-
-export interface Findings {
-  trackRequest: boolean;
-  securityException?: [mode: string, ruleId: string];
-  bodyType?: 'json' | 'urlencoded';
-  resultsMap: Record<Rule, Result[]>
-}
 
 export interface ProtectRequestStore {
   reqData: ReqData;
@@ -140,7 +121,8 @@ export interface Protect {
     sequelizeInstrumentation: {
       getQueryFromArgs: ([value]: any[]) => string | undefined,
       install: () => void
-    }
+    },
+    httpInstrumentation: { install: () => void },
     install: () => void
   }
   errorHandlers: {

package/lib/index.js

@@ -16,34 +16,29 @@
 'use strict';
 
 const agentLib = require('@contrast/agent-lib');
+const { installChildComponentsSync } = require('@contrast/common');
 
 module.exports = function(core) {
   const protect = core.protect = {
     agentLib: module.exports.instantiateAgentLib(agentLib),
   };
 
-  const rules = instantiateRulesFromConfig(
-    core.config.protect.rules,
-    core.config.protect.disabled_rules,
-    protect.agentLib,
-  );
-
-  protect.rules = rules;
-
+  require('./policy')(core);
   require('./throw-security-exception')(core);
   require('./make-response-blocker')(core);
   require('./make-source-context')(core);
+  require('./get-source-context')(core);
   require('./input-analysis')(core);
   require('./input-tracing')(core);
+  require('./hardening')(core);
+  require('./semantic-analysis')(core);
   require('./error-handlers')(core);
 
   const pkj = require('../package.json');
   protect.version = pkj.version;
 
   protect.install = function() {
-    protect.inputAnalysis.install();
-    protect.inputTracing.install();
-    protect.errorHandlers.install();
+    installChildComponentsSync(protect)
   };
 
   return protect;
@@ -67,38 +62,3 @@ function instantiateAgentLib(lib) {
   }
   return agentLib;
 }
-
-/**
- * This function instatiates the rules as defined in the configuration into
- * some structure. I'm in no way convinced or asserting that this is the right
- * structure but it does get a usable definition of rules in place. The final
- * structure will change based on what exactly TS sends as well as what the needs
- * of the code accessing the rules, exclusions, virtual-patches, etc.
- *
- * @param {Object} rules the rules object in the config.protect object.
- * @param {string[]} disabled array of disabled rules from config.protect
- * @param {Object} agentLib the agent-lib instance
- * @returns {Object} { agentLibRules, agentLibRulesMask, agentRules }
- */
-function instantiateRulesFromConfig(rules, disabled, agentLib) {
-  const agentLibRules = {};
-  let agentLibRulesMask = 0;
-  const agentRules = {};
-
-  for (const ruleId in rules) {
-    if (disabled.indexOf(ruleId) >= 0 || rules[ruleId].mode === 'off') {
-      continue;
-    }
-    // [matt] this is awkward. we should probably make each nosql-injection-x
-    // rule separate in the config and only convert them to 'nosql-injection'
-    // for reporting.
-    if (agentLib.RuleType[ruleId]) {
-      agentLibRules[ruleId] = rules[ruleId];
-      agentLibRulesMask = agentLibRulesMask | agentLib.RuleType[ruleId];
-    } else {
-      agentRules[ruleId] = rules[ruleId];
-    }
-  }
-
-  return { agentLibRules, agentLibRulesMask, agentRules };
-}