@contrast/protect 1.3.0 → 1.5.0

package/lib/input-analysis/handlers.js

@@ -15,7 +15,8 @@
 
 'use strict';
 
-const { simpleTraverse } = require('../utils');
+const { BLOCKING_MODES, simpleTraverse } = require('@contrast/common');
+const address = require('ipaddr.js');
 
 //
 // these rules are not implemented by agent-lib, but are being considered for
@@ -110,13 +111,17 @@ module.exports = function(core) {
    * @returns {undefined|[String]} undefined to permit else [mode, rule] to block.
    */
   inputAnalysis.handleConnect = function handleConnect(sourceContext, connectInputs) {
-    const { rules: { agentLibRules, agentLibRulesMask: mask } } = sourceContext;
+    if (!sourceContext || sourceContext.allowed) return;
+
+    const { policy: { rulesMask } } = sourceContext;
+
+    inputAnalysis.handleVirtualPatches(sourceContext, { URLS: connectInputs.rawUrl, HEADERS: connectInputs.headers });
 
     // initialize findings to the basics
     let block = undefined;
-    if (mask !== 0) {
-      const findings = agentLib.scoreRequestConnect(mask, connectInputs, preferWW);
-      block = mergeFindings(agentLibRules, sourceContext.findings, findings);
+    if (rulesMask !== 0) {
+      const findings = agentLib.scoreRequestConnect(rulesMask, connectInputs, preferWW);
+      block = mergeFindings(sourceContext, findings);
     }
 
     return block;
@@ -130,12 +135,12 @@ module.exports = function(core) {
     throw new Error('nyi', sourceContext);
   };
 
-
   const jsonInputTypes = {
-    keyType: agentLib.InputType.JsonKey, valueType: agentLib.InputType.JsonValue
+    keyType: agentLib.InputType.JsonKey, inputType: agentLib.InputType.JsonValue
   };
+
   const parameterInputTypes = {
-    keyType: agentLib.InputType.ParameterKey, valueType: agentLib.InputType.ParameterValue
+    keyType: agentLib.InputType.ParameterKey, inputType: agentLib.InputType.ParameterValue
   };
 
   /**
@@ -155,10 +160,17 @@ module.exports = function(core) {
    * @param {Object} queryParams pojo {key: value, ...} for all query params/search params
    */
   inputAnalysis.handleQueryParams = function handleQueryParams(sourceContext, queryParams) {
+    if (sourceContext.analyzedQuery) return;
+    sourceContext.analyzedQuery = true;
+
     if (typeof queryParams !== 'object') {
       logger.debug({ queryParams }, 'handleQueryParams() called with non-object');
       return;
     }
+
+
+    inputAnalysis.handleVirtualPatches(sourceContext, { PARAMETERS: queryParams });
+
     const block = commonObjectAnalyzer(sourceContext, queryParams, parameterInputTypes);
 
     if (block) {
@@ -176,12 +188,17 @@ module.exports = function(core) {
    * @param {Object} urlParams pojo
    */
   inputAnalysis.handleUrlParams = function(sourceContext, urlParams) {
+    if (sourceContext.analyzedUrlParams) return;
+    sourceContext.analyzedUrlParams = true;
+
     if (typeof urlParams !== 'object') {
       logger.debug({ urlParams }, 'handleUrlParams() called with non-object');
       return;
     }
 
-    const { rules, rules: { agentLibRulesMask: mask } } = sourceContext;
+    inputAnalysis.handleVirtualPatches(sourceContext, { PARAMETERS: urlParams });
+
+    const { policy: { rulesMask } } = sourceContext;
     const resultsList = [];
     const { UrlParameter } = agentLib.InputType;
 
@@ -190,7 +207,7 @@ module.exports = function(core) {
       if (type !== 'Value') {
         return;
       }
-      const items = agentLib.scoreAtom(mask, value, UrlParameter, preferWW);
+      const items = agentLib.scoreAtom(rulesMask, value, UrlParameter, preferWW);
       if (!items) {
         return;
       }
@@ -219,7 +236,7 @@ module.exports = function(core) {
       resultsList,
     };
 
-    const block = mergeFindings(rules.agentLibRules, sourceContext.findings, urlParamsFindings);
+    const block = mergeFindings(sourceContext, urlParamsFindings);
 
     if (block) {
       core.protect.throwSecurityException(sourceContext);
@@ -235,14 +252,20 @@ module.exports = function(core) {
    * @param {Object} cookies pojo
    */
   inputAnalysis.handleCookies = function(sourceContext, cookies) {
+    if (sourceContext.analyzedCookies) return;
+    sourceContext.analyzedCookies = true;
+
     const cookiesArr = Object.entries(cookies).reduce((acc, [key, value]) => {
       acc.push(key, value);
       return acc;
     }, []);
-    const { rules, rules: { agentLibRulesMask: mask } } = sourceContext;
-    const cookieFindings = agentLib.scoreRequestConnect(mask, { cookies: cookiesArr }, preferWW);
 
-    const block = mergeFindings(rules.agentLibRules, sourceContext.findings, cookieFindings);
+    inputAnalysis.handleVirtualPatches(sourceContext, { HEADERS: cookies });
+
+    const { policy: { rulesMask } } = sourceContext;
+    const cookieFindings = agentLib.scoreRequestConnect(rulesMask, { cookies: cookiesArr }, preferWW);
+
+    const block = mergeFindings(sourceContext, cookieFindings);
 
     if (block) {
       core.protect.throwSecurityException(sourceContext);
@@ -259,11 +282,16 @@ module.exports = function(core) {
    * @param {Object} parsedBody
    */
   inputAnalysis.handleParsedBody = function(sourceContext, parsedBody) {
+    if (sourceContext.analyzedBody) return;
+    sourceContext.analyzedBody = true;
+
     if (typeof parsedBody !== 'object') {
       logger.debug({ parsedBody }, 'handleParsedBody() called with non-object');
       return;
     }
 
+    inputAnalysis.handleVirtualPatches(sourceContext, { PARAMETERS: parsedBody });
+
     let bodyType;
     let inputTypes;
     if (sourceContext.reqData.contentType.includes('/json')) {
@@ -288,6 +316,70 @@ module.exports = function(core) {
     throw new Error('nyi', sourceContext, name);
   };
 
+  inputAnalysis.handleVirtualPatches = function(sourceContext, requestInput) {
+    const ruleId = 'virtual-patch';
+
+    if (!Object.keys(requestInput).filter(Boolean).length || !sourceContext?.virtualPatchesEvaluators.length) return;
+
+    for (const vpEvaluators of sourceContext.virtualPatchesEvaluators) {
+      for (const key in requestInput) {
+        const evaluator = vpEvaluators.get(key);
+
+        if (evaluator && requestInput[key] && evaluator(requestInput[key])) {
+          vpEvaluators.delete(key);
+          const { name, uuid } = vpEvaluators.get('metadata');
+
+          if (vpEvaluators.size === 1 && uuid) {
+            if (!sourceContext.findings.serverFeaturesResultsMap[ruleId]) {
+              sourceContext.findings.serverFeaturesResultsMap[ruleId] = [];
+            }
+            sourceContext.findings.serverFeaturesResultsMap[ruleId].push({
+              name,
+              uuid
+            });
+            sourceContext.findings.securityException = ['block', ruleId];
+            core.protect.throwSecurityException(sourceContext);
+          }
+        }
+      }
+    }
+  };
+
+  inputAnalysis.handleIpAllowlist = function(sourceContext, ipAllowlist) {
+    if (!sourceContext || !ipAllowlist.length) return;
+
+    const { ip: reqIp, headers: reqHeaders } = sourceContext.reqData;
+
+    const match = ipListAnalysis(reqIp, reqHeaders, ipAllowlist);
+
+    if (match) {
+      logger.info(match, 'Found a matching IP to an entry in ipAllow list');
+      return true;
+    }
+  };
+
+  inputAnalysis.handleIpDenylist = function(sourceContext, ipDenylist) {
+    const ruleId = 'ip-denylist';
+
+    if (!sourceContext || !ipDenylist.length) return;
+
+    const { ip: reqIp, headers: reqHeaders } = sourceContext.reqData;
+
+    const match = ipListAnalysis(reqIp, reqHeaders, ipDenylist);
+
+    if (match) {
+      logger.info(match, 'Found a matching IP to an entry in ipDeny list');
+      if (!sourceContext.findings.serverFeaturesResultsMap[ruleId]) {
+        sourceContext.findings.serverFeaturesResultsMap[ruleId] = [];
+      }
+
+      sourceContext.findings.serverFeaturesResultsMap[ruleId].push({
+        ip: match.matchedIp,
+        uuid: match.uuid,
+      });
+      return ['block', 'ip-denylist'];
+    }
+  };
 
   /**
    * commonObjectAnalyzer() walks an object supplied by the end-user and checks
@@ -305,11 +397,12 @@ module.exports = function(core) {
    * @returns {Array | undefined} returns an array with block info if vulnerability was found.
    */
   function commonObjectAnalyzer(sourceContext, object, inputTypes) {
-    const { rules, rules: { agentLibRulesMask: mask } } = sourceContext;
+    const { policy: { rulesMask } } = sourceContext;
+    if (!rulesMask) return;
+
     // use inputTypes to set params...
-    const { keyType, valueType } = inputTypes;
+    const { keyType, inputType } = inputTypes;
     const inputTypeStr = inputTypes === jsonInputTypes ? 'Json' : 'Parameter';
-    const { Where } = agentLib.MongoQueryType;
     const resultsList = [];
 
     // it's possible to optimize this if qs (or a similar package) is not loaded
@@ -328,7 +421,7 @@ module.exports = function(core) {
     /* eslint-disable-next-line complexity */
     simpleTraverse(object, function(path, type, value) {
       let itemType;
-      let mongoQueryType;
+      let isMongoQueryType;
       // this is a bit awkward now because nosql-injection-mongo is not integrated
       // into the scoreAtom() function (or the check_input() function it uses). as
       // a result, the two rules need to be checked independently and the results
@@ -336,14 +429,14 @@ module.exports = function(core) {
       // TODO AGENT-205
       if (type === 'Key') {
         itemType = keyType;
-        if (mask & agentLib.RuleType['nosql-injection-mongo']) {
-          mongoQueryType = agentLib.getMongoQueryType(value);
+        if (rulesMask & agentLib.RuleType['nosql-injection-mongo']) {
+          isMongoQueryType = agentLib.isMongoQueryType(value);
         }
       } else {
-        itemType = valueType;
+        itemType = inputType;
       }
-      let items = agentLib.scoreAtom(mask, value, itemType, preferWW);
-      if (!items && !mongoQueryType) {
+      let items = agentLib.scoreAtom(rulesMask, value, itemType, preferWW);
+      if (!items && !isMongoQueryType) {
         return;
       }
       if (!items) {
@@ -352,18 +445,13 @@ module.exports = function(core) {
       let mongoPath;
       // if the key was a mongo query key, then add it to the items. it requires
       // that additional information is kept as well.
-      if (mongoQueryType) {
+      if (isMongoQueryType) {
         const inputToCheck = getValueAtKey(object, path, value);
         // because scoreRequestConnect() returns the query type in the value, we
         // mimic it here (where scoreAtom() was used). the actual object/string
         // to match is stored as `inputToCheck`.
-        const inputType = typeof inputToCheck;
-        // query types up to Where, inclusive, accept either string or object values. Where and above accept only string values
-        if (mongoQueryType <= Where || inputType === 'string') {
-          // the query-type/input-type combination is valid. add a synthesized item.
-          const item = { ruleId: 'nosql-injection-mongo', score: 10, mongoContext: { inputToCheck } };
-          items.push(item);
-        }
+        const item = { ruleId: 'nosql-injection-mongo', score: 10, mongoContext: { inputToCheck } };
+        items.push(item);
       }
       // make each item a complete Finding
       for (const item of items) {
@@ -372,8 +460,7 @@ module.exports = function(core) {
           inputType: `${inputTypeStr}${type}`,
           path: mongoPath || path.slice(),
           key: type === 'Key' ? value : path[path.length - 1],
-          // mimic scoreRequestConnect() returning the query type as the value
-          value: mongoQueryType || value,
+          value,
           score: item.score,
           idsList: [],
         };
@@ -396,7 +483,51 @@ module.exports = function(core) {
       resultsList,
     };
 
-    return mergeFindings(rules.agentLibRules, sourceContext.findings, findings);
+    return mergeFindings(sourceContext, findings);
+  }
+
+  function ipListAnalysis(reqIp, reqHeaders, list) {
+    const forwardedIps = [];
+
+    for (let i = 0; i < reqHeaders.length; i++) {
+      if (reqHeaders[i] === 'x-forwarded-for') {
+        const ipsFromHeaders = reqHeaders[i + 1]?.split(/[,;]+/);
+        forwardedIps.push(...ipsFromHeaders);
+      }
+    }
+
+    const ipsToCheck = [reqIp, ...forwardedIps];
+    const now = new Date().getTime();
+
+    /* c8 ignore next 3 */
+    if (!ipsToCheck.length) {
+      return false;
+    }
+
+    for (const listEntry of list) {
+      const { doesExpire, expiresAt } = listEntry;
+      for (let i = 0; i < ipsToCheck.length; i++) {
+        const currentIp = ipsToCheck[i];
+
+        // Ignore bad IP values.
+        if (!address.isValid(currentIp)) {
+          logger.warn(`Unable to parse ${currentIp}.`);
+          continue;
+        }
+        const expired = doesExpire ? expiresAt - now <= 0 : false;
+
+        if (expired) {
+          logger.info(`IP expired: ${listEntry.name}, ${listEntry.ip}`);
+          continue;
+        }
+
+        const match = checkIpsMatch(listEntry, currentIp);
+
+        if (match) {
+          return match;
+        }
+      }
+    }
   }
 };
 
@@ -407,11 +538,13 @@ module.exports = function(core) {
  * @param {Object} newFindings the findings, in {trackRequest, resultsList} format.
  * @returns {undefined|[String]} undefined to permit else [mode, rule] to block.
  */
-function mergeFindings(rules, findings, newFindings) {
+function mergeFindings(sourceContext, newFindings) {
+  const { findings, policy } = sourceContext;
+
   if (!newFindings.trackRequest) {
     return findings.securityException;
   }
-  normalizeFindings(rules, newFindings);
+  normalizeFindings(policy, newFindings);
 
   findings.trackRequest = findings.trackRequest || newFindings.trackRequest;
   findings.securityException = findings.securityException || newFindings.securityException;
@@ -430,7 +563,7 @@ function mergeFindings(rules, findings, newFindings) {
 //
 // add common fields to findings.
 //
-function normalizeFindings(rules, findings) {
+function normalizeFindings(policy, findings) {
   // now both augment the rules and check to see if any require blocking
   // at perimeter.
   for (const r of findings.resultsList) {
@@ -454,14 +587,39 @@ function normalizeFindings(rules, findings) {
     // option and that implies that there is no sink, so this is the only place at
     // which the block can occur. so at a minimum 'block' should also result in a
     // block.
-    const { mode } = rules[r.ruleId];
-    if (r.score >= 90 && ['block', 'block_at_perimeter'].includes(mode)) {
+    const mode = policy[r.ruleId];
+    if (r.score >= 90 && BLOCKING_MODES.includes(mode)) {
       r.blocked = true;
       findings.securityException = [mode, r.ruleId];
     }
   }
 }
 
+
+function checkIpsMatch(listEntry, ip) {
+  const parsed = address.process(ip);
+
+  // Check if IP is in CIDR range,
+  if (listEntry.cidr) {
+    if (parsed.kind() !== listEntry.cidr.kind) {
+      return null;
+    }
+
+    if (parsed.match(listEntry.cidr.range)) {
+      return { ...listEntry, match: ip };
+    } else {
+      return null;
+    }
+  }
+
+  // or do a direct comparison
+  if (parsed.toNormalizedString() === listEntry.normalizedValue) {
+    return { ...listEntry, matchedIp: ip };
+  }
+
+  return null;
+}
+
 /**
  * getValueAtKey() is used to fetch the object (expected) associated
  * with the path of keys in obj. i say expected because this is only used
@@ -476,6 +634,7 @@ function normalizeFindings(rules, findings) {
  */
 function getValueAtKey(obj, path, key) {
   for (const p of path) {
+    /* c8 ignore next 6 */
     if (!(p in obj)) {
       return undefined;
     }

package/lib/input-analysis/index.js

@@ -15,6 +15,8 @@
 
 'use strict';
 
+const { installChildComponentsSync } = require('@contrast/common');
+
 module.exports = function(core) {
   const inputAnalysis = core.protect.inputAnalysis = {};
 
@@ -35,16 +37,17 @@ module.exports = function(core) {
   require('./install/universal-cookie4')(core);
 
   // framework specific instrumentation
-  require('./install/fastify3')(core);
+  require('./install/fastify')(core);
   require('./install/koa2')(core);
   require('./install/express4')(core);
+  require('./install/hapi')(core);
+
+  // virtual patches
+  require('./virtual-patches')(core);
+  require('./ip-analysis')(core);
 
   inputAnalysis.install = function() {
-    Object.values(inputAnalysis)
-      .filter((property) => property.install)
-      .forEach((library) => {
-        library.install();
-      });
+    installChildComponentsSync(inputAnalysis);
   };
 
   return inputAnalysis;

package/lib/input-analysis/install/body-parser1.js

@@ -21,29 +21,35 @@ module.exports = (core) => {
   const {
     depHooks,
     logger,
-    scopes: { sources },
+    protect,
     protect: { inputAnalysis },
   } = core;
 
   function contrastNext(req, origNext, fnName) {
     return function next(origErr) {
-      const sourceContext = sources.getStore()?.protect;
+      const sourceContext = protect.getSourceContext(fnName);
       let securityException;
 
-      if (!sourceContext) {
-        logger.debug(`source context not available in \`body-parser\`'s \`${fnName}\` hook`);
-      } else {
-        if (req.body && Object.keys(req.body).length) {
-          sourceContext.parsedBody = req.body;
+      if (sourceContext && req.body && Object.keys(req.body).length) {
+        sourceContext.parsedBody = req.body;
 
+        if (fnName === 'bodyParser.text' && typeof req.body === 'string') {
           try {
-            inputAnalysis.handleParsedBody(sourceContext, req.body);
+            sourceContext.parsedBody = JSON.parse(req.body);
           } catch (err) {
-            if (isSecurityException(err)) {
-              securityException = err;
-            } else {
-              logger.error({ err }, 'Unexpected error during input analysis');
-            }
+            logger.error({ err }, 'Error parsing with bodyParser.text()');
+            origNext();
+            return;
+          }
+        }
+
+        try {
+          inputAnalysis.handleParsedBody(sourceContext, sourceContext.parsedBody);
+        } catch (err) {
+          if (isSecurityException(err)) {
+            securityException = err;
+          } else {
+            logger.error({ err }, 'Unexpected error during input analysis');
           }
         }
       }
@@ -96,11 +102,7 @@ module.exports = (core) => {
         function contrastHooked(...args) {
           const parser = fn.original(...args);
           const hookedParser = function (req, res, next) {
-            if (!req.body) {
-              parser(req, res, next);
-            } else {
-              parser(req, res, contrastNext(req, next, fnName));
-            }
+            parser(req, res, contrastNext(req, next, fnName));
           };
 
           Object.defineProperty(hookedParser, 'name', {

package/lib/input-analysis/install/cookie-parser1.js

@@ -23,7 +23,7 @@ module.exports = (core) => {
     depHooks,
     patcher,
     logger,
-    scopes: { sources },
+    protect,
     protect: { inputAnalysis },
   } = core;
 
@@ -40,23 +40,21 @@ module.exports = (core) => {
             const [req, , origNext] = data.args;
 
             function contrastNext(origErr) {
-              const sourceContext = sources.getStore()?.protect;
+              const sourceContext = protect.getSourceContext('cookie-parser');
+
               let securityException;
 
-              if (!sourceContext) {
-                logger.debug('source context not available in `cookie-parser` hook');
-              } else {
-                if ((req.cookies && Object.keys(req.cookies).length) || (req.signedCookies && Object.keys(req.signedCookies).length)) {
-                  sourceContext.parsedCookies = { ...req.cookies, ...req.signedCookies };
+              if (sourceContext
+                && ((req.cookies && Object.keys(req.cookies).length) || (req.signedCookies && Object.keys(req.signedCookies).length))) {
+                sourceContext.parsedCookies = { ...req.cookies, ...req.signedCookies };
 
-                  try {
-                    inputAnalysis.handleCookies(sourceContext, sourceContext.parsedCookies);
-                  } catch (err) {
-                    if (isSecurityException(err)) {
-                      securityException = err;
-                    } else {
-                      logger.error({ err }, 'Unexpected error during input analysis');
-                    }
+                try {
+                  inputAnalysis.handleCookies(sourceContext, sourceContext.parsedCookies);
+                } catch (err) {
+                  if (isSecurityException(err)) {
+                    securityException = err;
+                  } else {
+                    logger.error({ err }, 'Unexpected error during input analysis');
                   }
                 }
               }

package/lib/input-analysis/install/express4.js

@@ -28,7 +28,7 @@ module.exports = (core) => {
     depHooks,
     patcher,
     logger,
-    scopes: { sources },
+    protect,
     protect: { inputAnalysis },
   } = core;
 
@@ -47,16 +47,13 @@ module.exports = (core) => {
             const [req, , origNext] = data.args;
 
             function contrastNext(origErr) {
-              const sourceContext = sources.getStore()?.protect;
+              const sourceContext = protect.getSourceContext('Express.query');
               let securityException;
 
-              if (!sourceContext) {
-                logger.debug('source context not available in `Express.query` hook');
-
-                // It is possible for the query to be already parsed by `qs`
-                // which means that we've already handled/analyzed it.
-                // So we check whether we already have the `parsedQuery` property in the context
-              } else if (req.query && Object.keys(req.query).length && (!('parsedQuery' in sourceContext))) {
+              // It is possible for the query to be already parsed by `qs`
+              // which means that we've already handled/analyzed it.
+              // So we check whether we already have the `parsedQuery` property in the context
+              if (sourceContext && req.query && Object.keys(req.query).length && (!('parsedQuery' in sourceContext))) {
                 sourceContext.parsedQuery = req.query;
 
                 try {
@@ -87,11 +84,9 @@ module.exports = (core) => {
         patchType,
         pre(data) {
           const { obj: { params } } = data;
-          const sourceContext = sources.getStore()?.protect;
+          const sourceContext = protect.getSourceContext('Express.Layer.handle_request');
 
-          if (!sourceContext) {
-            logger.debug('source context not available in `express.Layer.prototype.handle_request` hook');
-          } else if (params && Object.keys(params).length) {
+          if (sourceContext && params && Object.keys(params).length) {
             sourceContext.parsedParams = params;
             inputAnalysis.handleUrlParams(sourceContext, params);
           }

package/lib/input-analysis/install/fastify.js

@@ -0,0 +1,86 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../constants');
+const { isSecurityException } = require('../../security-exception');
+
+/**
+ * Function that exports an install method to patch Fastify framework with our instrumentation
+ * @param {Object} core - the core Contrast object
+ * @return {Object}     object with install method and the other relative functions exported for testing purposes
+ */
+module.exports = (core) => {
+  const {
+    depHooks,
+    patcher,
+    logger,
+    protect,
+    protect: { inputAnalysis },
+  } = core;
+
+  /**
+   * registers a depHook for fastify module instrumentation
+   */
+  function install() {
+    depHooks.resolve({ name: 'fastify', version: '>=3 <5' }, (fastify) => {
+      return patcher.patch(fastify, {
+        name: 'fastify.build',
+        patchType,
+        post({ result: server }) {
+          server.addHook('preValidation', function(request, reply, done) {
+            let securityException;
+            const sourceContext = protect.getSourceContext('Fastify.preValidationHook');
+
+            if (sourceContext) {
+              try {
+                if (request.params) {
+                  sourceContext.parsedParams = request.params;
+                  inputAnalysis.handleUrlParams(sourceContext, request.params);
+                }
+                if (request.cookies) {
+                  sourceContext.parsedCookies = request.cookies;
+                  inputAnalysis.handleCookies(sourceContext, request.cookies);
+                }
+                if (request.body) {
+                  sourceContext.parsedBody = request.body;
+                  inputAnalysis.handleParsedBody(sourceContext, request.body);
+                }
+
+                if (request.query) {
+                  sourceContext.parsedQuery = request.query;
+                  inputAnalysis.handleQueryParams(sourceContext, request.query);
+                }
+              } catch (err) {
+                if (isSecurityException(err)) {
+                  securityException = err;
+                } else {
+                  logger.error({ err }, 'Unexpected error during input analysis');
+                }
+              }
+            }
+
+            done(securityException);
+          });
+        },
+      });
+    });
+  }
+
+  return inputAnalysis.fastifyInstrumentation = {
+    install,
+  };
+};