@contrast/protect 1.3.0 → 1.5.0

package/lib/input-analysis/install/formidable1.js

@@ -22,7 +22,7 @@ module.exports = (core) => {
     depHooks,
     patcher,
     logger,
-    scopes: { sources },
+    protect,
     protect: { inputAnalysis },
   } = core;
 
@@ -36,12 +36,11 @@ module.exports = (core) => {
           const origCb = data.args[1];
 
           function hookedCb(...cbArgs) {
-            const sourceContext = sources.getStore()?.protect;
+            const sourceContext = protect.getSourceContext('formidable');
+
             const [, fields, files] = cbArgs;
 
-            if (!sourceContext) {
-              logger.debug('source context not available in `formidable` hook');
-            } else {
+            if (sourceContext) {
               if (fields) {
                 sourceContext.parsedBody = fields;
                 inputAnalysis.handleParsedBody(sourceContext, fields);

package/lib/input-analysis/install/hapi.js

@@ -0,0 +1,106 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../constants');
+const { isSecurityException } = require('../../security-exception');
+
+module.exports = (core) => {
+  const {
+    depHooks,
+    patcher,
+    logger,
+    protect,
+    protect: { inputAnalysis },
+  } = core;
+
+  /**
+   * registers a depHook for hapi module instrumentation
+   */
+  function install() {
+    depHooks.resolve(
+      { name: 'hapi', version: '>=18 <21' },
+      registerServerHandler
+    );
+    depHooks.resolve(
+      { name: '@hapi/hapi', version: '>=18 <21' },
+      registerServerHandler
+    );
+  }
+
+  const registerServerHandler = (hapi) => {
+    patcher.patch(hapi, 'server', {
+      name: 'hapi.server',
+      patchType,
+      post(data) {
+        const server = data.result;
+        if (server) {
+          instrumentServer(server);
+        } else {
+          logger.error('Hapi Server is called but there is no server instance!');
+        }
+      }
+    });
+  };
+
+  const instrumentServer = (server) => {
+    server.ext('onPreStart', function onPreStart(core) {
+      logger.info('hapi version %s', core.version);
+    });
+
+    server.ext('onPreHandler', function onPreHandler(req, h) {
+      const sourceContext = protect.getSourceContext('hapi.onPreHandler');
+
+      if (sourceContext) {
+        try {
+          if (req.params && Object.keys(req.params).length) {
+            sourceContext.parsedParams = req.params;
+            inputAnalysis.handleUrlParams(sourceContext, req.params);
+          }
+
+          if (req.cookies && Object.keys(req.cookies).length) {
+            sourceContext.parsedCookies = req.cookies;
+            inputAnalysis.handleCookies(sourceContext, req.cookies);
+          }
+
+          if (req.payload && Object.keys(req.payload).length) {
+            sourceContext.parsedBody = req.payload;
+            inputAnalysis.handleParsedBody(sourceContext, req.payload);
+          }
+
+          if (req.query && Object.keys(req.query).length) {
+            sourceContext.parsedQuery = req.query;
+            inputAnalysis.handleQueryParams(sourceContext, req.query);
+          }
+        } catch (err) {
+          if (isSecurityException(err)) {
+            throw err;
+          } else {
+            logger.error({ err }, 'Unexpected error during input analysis');
+          }
+        }
+      }
+
+      return h.continue;
+    });
+  };
+
+  const hapiInstrumentation = inputAnalysis.hapiInstrumentation = {
+    install
+  };
+
+  return hapiInstrumentation;
+};

package/lib/input-analysis/install/http.js

@@ -33,8 +33,8 @@ class HttpInstrumentation {
     this.config = core.config;
     this.logger = logger.child({ name: 'contrast:protect:input-analysis' });
     this.depHooks = core.depHooks;
-    this.messages = core.messages;
     this.protect = core.protect;
+    this.patcher = core.patcher;
     this.makeSourceContext = this.protect.makeSourceContext;
     this.maxBodySize = 16 * 1024 * 1024;
     this.installed = false;
@@ -52,6 +52,7 @@ class HttpInstrumentation {
     this.installed = true;
     this.hookHttp();
     this.hookHttps();
+    this.hookHttp2();
   }
 
   uninstall() {
@@ -63,7 +64,7 @@ class HttpInstrumentation {
    */
   hookHttp() {
     this.logger.debug('hooking library: http');
-    this.depHooks.resolve({ name: 'http' }, this.hookServer.bind(this));
+    this.depHooks.resolve({ name: 'http' }, (http) => this.hookServerEmit.call(this, http, 'httpServer'));
   }
 
   /**
@@ -71,36 +72,78 @@ class HttpInstrumentation {
    */
   hookHttps() {
     this.logger.debug('hooking library: https');
-    this.depHooks.resolve({ name: 'https' }, this.hookServer.bind(this));
+    this.depHooks.resolve({ name: 'https' }, (https) => this.hookServerEmit.call(this, https, 'httpsServer'));
+  }
+
+  /**
+   * Sets hooks to instrument `http2 Servers`.
+   */
+  hookHttp2() {
+    this.logger.debug('hooking library: http2');
+    // http2 library does not expose its Server class, so we need to hook the createServer function
+    this.depHooks.resolve({ name: 'http2' }, (http2) => this.hookCreateServer.call(this, http2, 'http2Server'));
+    this.depHooks.resolve({ name: 'http2' }, (http2) => this.hookCreateServer.call(this, http2, 'http2SecureServer', 'createSecureServer'));
+
+    this.logger.debug('hooking library: spdy');
+    this.depHooks.resolve({ name: 'spdy' }, (spdy) => this.hookServerEmit.call(this, spdy, 'spdyServer'));
   }
 
   /**
-   * Instruments the `Server` prototype from `http(s)`. This patches `emit` and
+   * Instruments the `Server` prototype from `http(s)` or spdy's http2 Server. This patches `emit` and
    * invokes the protect service to do analysis when appropriate.
-   *
-   * @param {Object} xport The http(s) module export
    */
-  hookServer(xport) {
+  hookServerEmit(serverSource, sourceName) {
+    serverSource.Server.prototype = this.patcher.patch(serverSource.Server.prototype, 'emit', {
+      name: `${sourceName}.Server.prototype.emit`,
+      patchType: 'initiate-handling',
+      around: this.emitAroundHook.bind(this)
+    });
+  }
+
+  /**
+   * Instruments the `Http2Server` prototype which results from the http2.createServer/createSecureServer() call.
+   * This also patches `emit` and
+   * invokes the protect service to do analysis when appropriate.
+   */
+  hookCreateServer(serverSource, sourceName, constructorName = 'createServer') {
     const self = this;
 
-    const {
-      Server: {
-        prototype: { emit }
-      }
-    } = xport;
+    return this.patcher.patch(serverSource, constructorName, {
+      name: sourceName,
+      patchType: 'initiate-handling',
+      post(data) {
+
+        const { result: server } = data;
+        const serverPrototype = server ? Object.getPrototypeOf(server) : null;
 
-    xport.Server.prototype.emit = function(...args) {
-      const [type] = args;
+        if (!serverPrototype) {
+          self.logger.error('Unable to patch server prototype, continue without instrumentation');
+          return;
+        }
 
-      if (type !== 'request') {
-        return emit.call(this, ...args);
+        self.patcher.patch(serverPrototype, 'emit', {
+          name: `${sourceName}.Server.prototype.emit`,
+          patchType: 'req-async-storage',
+          around: self.emitAroundHook.bind(self)
+        });
       }
+    });
+  }
 
-      const context = { instance: this, method: emit, args };
-      self.initiateRequestHandling(context);
+  /**
+   * The around hook for `emit` that
+   * invokes the protect service to do analysis when appropriate.
+   */
+  emitAroundHook(next, data) {
+    const [type] = data.args;
+
+    if (type !== 'request') {
+      return next();
+    }
 
-      return !!this._events[type];
-    };
+    const context = { instance: data.obj, method: next, args: data.args };
+    this.initiateRequestHandling(context);
+    return !!data.obj._events[type];
   }
 
   /**
@@ -118,15 +161,6 @@ class HttpInstrumentation {
       args: [, req, res]
     } = fnContext;
 
-    // URL exclusions should be applied here. there is no point in doing any additional
-    // work if the url is excluded for a particular rule, i.e., that rule should be removed
-    // from the list of rules for this request. and if all rules are excluded for this url
-    // then none of the following needs to be done.
-    if (this.protect.rules.agentLibRulesMask === 0) {
-      this.logger.debug('no agent-lib rules are enabled, not checking request');
-      return;
-    }
-
     let store;
     let block;
 
@@ -137,8 +171,10 @@ class HttpInstrumentation {
       // so that an async context is present.
       store = this.scope.getStore();
       // nothing can be done if async context is not available.
+
       if (!store) {
         this.logger.debug('cannot acquire store for initiateRequestHandling()');
+        setImmediate(() => method.call(instance, ...args));
         return;
       }
 
@@ -166,17 +202,31 @@ class HttpInstrumentation {
       const connectInputs = {
         headers: HttpInstrumentation.removeCookies(reqData.headers),
         uriPath: reqData.uriPath,
+        rawUrl: req.url,
         // TODO AGENT-203 - need to handle method-tampering rule.
         method: reqData.method,
       };
+
       // only add queries if it's known that 'qs' or equivalent won't be used.
       /* c8 ignore next 3 */
       if (reqData.standardUrlParsing) {
         connectInputs.queries = reqData.queries;
       }
 
-      block = inputAnalysis.handleConnect(store.protect, connectInputs);
+      if (inputAnalysis.virtualPatchesEvaluators?.length) {
+        store.protect.virtualPatchesEvaluators.push(...inputAnalysis.virtualPatchesEvaluators.map((e) => new Map(e)));
+      }
+
+      if (inputAnalysis.ipDenylist?.length) {
+        block = inputAnalysis.handleIpDenylist(store.protect, inputAnalysis.ipDenylist);
+      }
+
+      if (inputAnalysis.ipAllowlist?.length) {
+        const allowed = inputAnalysis.handleIpAllowlist(store.protect, inputAnalysis.ipAllowlist);
+        if (!block) Object.assign(store.protect, { allowed });
+      }
 
+      block = block || inputAnalysis.handleConnect(store.protect, connectInputs);
     } catch (err) {
       this.logger.error({ err }, 'Error during input analysis');
     }

package/lib/input-analysis/install/koa-body5.js

@@ -21,8 +21,7 @@ module.exports = (core) => {
   const {
     depHooks,
     patcher,
-    logger,
-    scopes: { sources },
+    protect,
     protect: { inputAnalysis },
   } = core;
 
@@ -39,15 +38,11 @@ module.exports = (core) => {
             const [ctx, origNext] = data.args;
 
             async function contrastNext(origErr) {
-              const sourceContext = sources.getStore()?.protect;
+              const sourceContext = protect.getSourceContext('koa-body');
 
-              if (!sourceContext) {
-                logger.debug('source context not available in `koa-body` hook');
-              } else {
-                if (ctx.request.body && Object.keys(ctx.request.body).length) {
-                  sourceContext.parsedBody = ctx.request.body;
-                  inputAnalysis.handleParsedBody(sourceContext, ctx.request.body);
-                }
+              if (sourceContext && ctx.request.body && Object.keys(ctx.request.body).length) {
+                sourceContext.parsedBody = ctx.request.body;
+                inputAnalysis.handleParsedBody(sourceContext, ctx.request.body);
               }
 
               await origNext(origErr);

package/lib/input-analysis/install/koa-bodyparser4.js

@@ -21,8 +21,7 @@ module.exports = (core) => {
   const {
     depHooks,
     patcher,
-    logger,
-    scopes: { sources },
+    protect,
     protect: { inputAnalysis },
   } = core;
 
@@ -39,15 +38,12 @@ module.exports = (core) => {
             const [ctx, origNext] = data.args;
 
             async function contrastNext(origErr) {
-              const sourceContext = sources.getStore()?.protect;
+              const sourceContext = protect.getSourceContext('koa-bodyparser');
 
-              if (!sourceContext) {
-                logger.debug('source context not available in `koa-bodyparser` hook');
-              } else {
-                if (ctx.request.body && Object.keys(ctx.request.body).length) {
-                  sourceContext.parsedBody = ctx.request.body;
-                  inputAnalysis.handleParsedBody(sourceContext, ctx.request.body);
-                }
+
+              if (sourceContext && ctx.request.body && Object.keys(ctx.request.body).length) {
+                sourceContext.parsedBody = ctx.request.body;
+                inputAnalysis.handleParsedBody(sourceContext, ctx.request.body);
               }
 
               await origNext(origErr);

package/lib/input-analysis/install/koa2.js

@@ -26,8 +26,7 @@ module.exports = (core) => {
   const {
     depHooks,
     patcher,
-    logger,
-    scopes: { sources },
+    protect,
     protect: { inputAnalysis },
   } = core;
 
@@ -38,11 +37,9 @@ module.exports = (core) => {
     depHooks.resolve({ name: 'koa', version: '>=2.3.0' }, (Koa) => {
       function contrastStartMiddleware(ctx, next) {
         if (ctx.query && Object.keys(ctx.query).length) {
-          const sourceContext = sources.getStore()?.protect;
+          const sourceContext = protect.getSourceContext('Koa startMiddleware');
 
-          if (!sourceContext) {
-            logger.debug('source context not available in `qs` hook');
-          } else if (!('parsedQuery' in sourceContext)) {
+          if (sourceContext && !('parsedQuery' in sourceContext)) {
             sourceContext.parsedQuery = ctx.query;
             inputAnalysis.handleQueryParams(sourceContext, ctx.query);
           }
@@ -76,15 +73,11 @@ module.exports = (core) => {
               name: `[${router}].layer.prototype`,
               patchType,
               post({ result }) {
-                const sourceContext = sources.getStore()?.protect;
-
-                if (!sourceContext) {
-                  logger.debug(`source context not available in \`[${router}].layer\` hook`);
-                } else {
-                  if (Object.keys(result).length) {
-                    sourceContext.parsedParams = result;
-                    inputAnalysis.handleUrlParams(sourceContext, result);
-                  }
+                const sourceContext = protect.getSourceContext(`[${router}].layer`);
+
+                if (sourceContext && Object.keys(result).length) {
+                  sourceContext.parsedParams = result;
+                  inputAnalysis.handleUrlParams(sourceContext, result);
                 }
               }
             });
@@ -107,15 +100,11 @@ module.exports = (core) => {
                 const [ctx, origNext] = data.args;
 
                 async function contrastNext(origErr) {
-                  const sourceContext = sources.getStore()?.protect;
-
-                  if (!sourceContext) {
-                    logger.debug('source context not available in `koa-cookie` hook');
-                  } else {
-                    if (ctx.cookie) {
-                      sourceContext.parsedCookies = ctx.cookie;
-                      inputAnalysis.handleCookies(sourceContext, ctx.cookie);
-                    }
+                  const sourceContext = protect.getSourceContext('koa-cookie');
+
+                  if (sourceContext && ctx.cookie) {
+                    sourceContext.parsedCookies = ctx.cookie;
+                    inputAnalysis.handleCookies(sourceContext, ctx.cookie);
                   }
 
                   await origNext(origErr);

package/lib/input-analysis/install/multer1.js

@@ -23,7 +23,8 @@ module.exports = (core) => {
     depHooks,
     patcher,
     logger,
-    scopes: { sources, wrap },
+    scopes: { wrap },
+    protect,
     protect: { inputAnalysis },
   } = core;
 
@@ -41,11 +42,9 @@ module.exports = (core) => {
 
             // We are getting the sourceContext here because in the time of calling
             // the contrastNext() method the context is lost
-            const sourceContext = sources.getStore()?.protect;
-            if (!sourceContext) {
-              logger.debug('source context not available in `multer` hook');
-              return;
-            }
+            const sourceContext = protect.getSourceContext('multer');
+
+            if (!sourceContext) return;
 
             function contrastNext(origErr) {
               let securityException;

package/lib/input-analysis/install/qs6.js

@@ -21,8 +21,7 @@ module.exports = (core) => {
   const {
     depHooks,
     patcher,
-    logger,
-    scopes: { sources },
+    protect,
     protect: { inputAnalysis },
   } = core;
 
@@ -34,16 +33,13 @@ module.exports = (core) => {
         patchType,
         post({ args, result }) {
           if (result && Object.keys(result).length) {
-            const sourceContext = sources.getStore()?.protect;
+            const sourceContext = protect.getSourceContext('qs');
 
-            if (!sourceContext) {
-              logger.debug('source context not available in `qs` hook');
-
-              // We need to run analysis for the `qs` result only when it's used as a query parser.
-              // `qs` is used also for parsing bodies, but these cases we handle individually with
-              // the respective library that's using it (e.g. `formidable`, `co-body`) because in
-              // some cases its use is optional and we cannot rely on it.
-            } else if (sourceContext.reqData?.queries === args[0]) {
+            // We need to run analysis for the `qs` result only when it's used as a query parser.
+            // `qs` is used also for parsing bodies, but these cases we handle individually with
+            // the respective library that's using it (e.g. `formidable`, `co-body`) because in
+            // some cases its use is optional and we cannot rely on it.
+            if (sourceContext && sourceContext.reqData?.queries === args[0]) {
               sourceContext.parsedQuery = result;
               inputAnalysis.handleQueryParams(sourceContext, result);
             }

package/lib/input-analysis/install/universal-cookie4.js

@@ -21,12 +21,10 @@ module.exports = (core) => {
   const {
     depHooks,
     patcher,
-    logger,
-    scopes: { sources },
+    protect,
     protect: { inputAnalysis },
   } = core;
 
-
   // Patch `universal-cookie` package
   function install() {
     depHooks.resolve({ name: 'universal-cookie', file: 'cjs/utils.js' }, (uCookieUtils) => patcher.patch(uCookieUtils, 'parseCookies', {
@@ -34,11 +32,9 @@ module.exports = (core) => {
       patchType,
       post({ result }) {
         if (result && Object.keys(result).length) {
-          const sourceContext = sources.getStore()?.protect;
+          const sourceContext = protect.getSourceContext('universal-cookie');
 
-          if (!sourceContext) {
-            logger.debug('source context not available in `universal-cookie` hook');
-          } else {
+          if (sourceContext) {
             sourceContext.parsedCookies = result;
             inputAnalysis.handleCookies(sourceContext, result);
           }

package/lib/input-analysis/ip-analysis.js

@@ -0,0 +1,76 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { Event } = require('@contrast/common');
+const address = require('ipaddr.js');
+
+module.exports = (core) => {
+  const {
+    messages,
+    protect: { inputAnalysis },
+  } = core;
+
+  const ipAllowlist = inputAnalysis.ipAllowlist = [];
+  const ipDenylist = inputAnalysis.ipDenylist = [];
+
+  messages.on(Event.SERVER_SETTINGS_UPDATE, (serverUpdate) => {
+    const now = new Date().getTime();
+    const updatedIpAllowList = serverUpdate.features?.defend?.ipAllowlist.map((ipEntry) => ipEntryMap(ipEntry, now));
+    const updatedIpDenyList = serverUpdate.features?.defend?.ipDenylist.map((ipEntry) => ipEntryMap(ipEntry, now));
+
+    if (updatedIpAllowList) {
+      ipAllowlist.length = 0;
+      ipAllowlist.push(...updatedIpAllowList);
+    }
+    if (updatedIpDenyList) {
+      ipDenylist.length = 0;
+      ipDenylist.push(...updatedIpDenyList);
+    }
+  });
+};
+
+function ipEntryMap(ipEntry, startTime) {
+  const { ip, expires } = ipEntry;
+  let doesExpire, expiresAt, cidr;
+
+  if (expires) {
+    doesExpire = true;
+    expiresAt = startTime + expires;
+  } else {
+    doesExpire = false;
+  }
+
+  const slashIdx = ip.indexOf('/');
+  const isCIDR = slashIdx >= 0;
+  const ipInstance = isCIDR
+    ? address.process(ip.substr(0, slashIdx))
+    : address.process(ip);
+
+  const normalizedValue = ipInstance.toNormalizedString();
+
+  if (isCIDR) {
+    cidr = { range: address.parseCIDR(ip), kind: ipInstance.kind() };
+  }
+
+  return {
+    ...ipEntry,
+    doesExpire,
+    expiresAt,
+    normalizedValue,
+    cidr
+  };
+}