@contrast/protect 1.3.0 → 1.5.0

package/lib/input-analysis/virtual-patches.js

@@ -0,0 +1,109 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { Event } = require('@contrast/common');
+
+module.exports = (core) => {
+  const {
+    messages,
+    protect: { inputAnalysis },
+  } = core;
+
+  const virtualPatchesEvaluators = inputAnalysis.virtualPatchesEvaluators = [];
+
+  messages.on(Event.SERVER_SETTINGS_UPDATE, (serverUpdate) => {
+    const virtualPatches = serverUpdate.settings?.defend.virtualPatches;
+    if (virtualPatches) {
+      buildVPEvaluators(virtualPatches, virtualPatchesEvaluators);
+    }
+  });
+};
+
+function buildVPEvaluators(virtualPatches, evaluatorsArray) {
+  evaluatorsArray.length = 0;
+  for (const { headers, parameters, urls, uuid, name } of virtualPatches) {
+    const evaluators = new Map();
+
+    if (headers?.length) {
+      evaluators.set('HEADERS', (reqHeaders) => {
+        let result;
+        for (const { evaluation, name, value } of headers) {
+          const evalCheck = buildEvaluationCheck(evaluation);
+          const keyIndex = reqHeaders.indexOf(name.toLowerCase());
+
+          result = keyIndex !== -1 && evalCheck(reqHeaders[keyIndex + 1], value);
+          if (!result) break;
+        }
+
+        return result;
+      });
+    }
+
+    if (parameters?.length) {
+      evaluators.set('PARAMETERS', (reqParameters) => {
+        let result;
+        for (const { evaluation, name, value } of parameters) {
+          const evalCheck = buildEvaluationCheck(evaluation);
+
+          result = evalCheck(reqParameters[name], value);
+          if (!result) break;
+        }
+
+        return result;
+      });
+    }
+
+    if (urls?.length) {
+      evaluators.set('URLS', (reqUrl) => {
+        let result;
+        for (const { evaluation, value } of urls) {
+          const evalCheck = buildEvaluationCheck(evaluation);
+
+          result = evalCheck(reqUrl, value);
+          if (!result) break;
+        }
+
+        return result;
+      });
+    }
+
+    if (evaluators.size) {
+      evaluators.set('metadata', { name, uuid });
+      evaluatorsArray.push(evaluators);
+    }
+  }
+}
+
+function buildEvaluationCheck(evaluation) {
+  switch (evaluation) {
+    case 'MATCHES':
+      return (reqValue, matchedValue) => new RegExp(matchedValue, 'i').test(reqValue);
+    case 'EQUALS':
+      return (reqValue, matchedValue) => reqValue.toString() === matchedValue.toString();
+    case 'CONTAINS':
+      return (reqValue, matchedValue) => reqValue.includes(matchedValue);
+    case 'DOESNT_MATCH':
+      return (reqValue, matchedValue) => !new RegExp(matchedValue, 'i').test(reqValue);
+      // This is a typo but it is how it's passed from ContrastUI
+    case 'DOESNT_EQUALS':
+      return (reqValue, matchedValue) => reqValue.toString() !== matchedValue.toString();
+    case 'DOESNT_CONTAIN':
+      return (reqValue, matchedValue) => !reqValue.includes(matchedValue);
+    default:
+      return () => false;
+  }
+}

package/lib/input-tracing/handlers/index.js

@@ -16,30 +16,22 @@
 'use strict';
 
 const util = require('util');
-const { simpleTraverse } = require('../../utils');
+const {
+  ProtectRuleMode: { OFF },
+  BLOCKING_MODES,
+  isString,
+  simpleTraverse
+} = require('@contrast/common');
 
 module.exports = function(core) {
   const { protect: { agentLib, inputTracing, throwSecurityException } } = core;
 
-  /**
-   * Util for pulling results from context for the particular rule id
-   * @param {string} ruleId rule id
-   * @param {object} context async storage data for protect
-   * @returns {AnalysisResult[]}
-   */
-  function getResultsByRuleId(ruleId, context) {
-    if (context.rules.agentLibRules[ruleId].mode === 'off') {
-      return;
-    }
-    return context.findings.resultsMap[ruleId];
-  }
-
   function handleFindings(sourceContext, sinkContext, ruleId, result, findings) {
     result.details.push({ sinkContext, findings });
 
-    const { mode } = sourceContext.rules.agentLibRules[ruleId];
+    const mode = sourceContext.policy[ruleId];
 
-    if (['block', 'block_at_perimeter'].includes(mode)) {
+    if (BLOCKING_MODES.includes(mode)) {
       result.blocked = true;
       const blockInfo = [mode, ruleId];
       sourceContext.findings.securityException = blockInfo;
@@ -153,13 +145,87 @@ module.exports = function(core) {
   };
 
   inputTracing.ssjsInjection = function(sourceContext, sinkContext) {
-    // 'ssjs-injection' NYI
-    return null;
+    const ruleId = 'ssjs-injection';
+    let sinkValuesArr = [];
+
+    const results = getResultsByRuleId(ruleId, sourceContext);
+
+    if (!results) return;
+
+    if (isString(sinkContext.value)) {
+      sinkValuesArr.push(sinkContext.value);
+    } else {
+      const strValues = Object.values(sinkContext.value).filter((v) => isString(v) && v.length);
+      sinkValuesArr = [...strValues];
+    }
+
+    for (const result of results) {
+      let findings = null;
+
+      for (const v of sinkValuesArr) {
+        if (findings) break;
+
+        const inputIndex = v.indexOf(result.value);
+
+        if (inputIndex === 0 && v === result.value) {
+          findings = {
+            startIndex: 0,
+            endIndex: result?.value.length - 1,
+            boundaryIndex: 0,
+            codeString: result.value
+          };
+        }
+
+        if (inputIndex > 0) {
+          const endIndex = inputIndex + result?.value.length;
+          findings = agentLib.checkSsjsInjectionSink(v, inputIndex, endIndex) && {
+            startIndex: inputIndex,
+            endIndex,
+            boundaryIndex: inputIndex,
+            codeString: result.value
+          };
+        }
+      }
+
+      if (findings) {
+        handleFindings(sourceContext, sinkContext, ruleId, result, findings);
+      }
+    }
   };
 
+  inputTracing.handleReflectedXss = function(sourceContext, sinkContext) {
+    const ruleId = 'reflected-xss';
+    const results = getResultsByRuleId(ruleId, sourceContext);
+
+    if (!results) return;
+
+    for (const result of results) {
+      const idx = sinkContext.value.indexOf(result.value);
+      const findings = idx !== -1 ? { value: sinkContext.value } : null;
+
+      if (findings) {
+        result.details.push({ sinkContext, findings });
+      }
+    }
+  };
+
+
   return inputTracing;
 };
 
+/**
+ * Util for pulling results from context for the particular rule id
+ * @param {string} ruleId rule id
+ * @param {object} context async storage data for protect
+ * @returns {AnalysisResult[]}
+ */
+function getResultsByRuleId(ruleId, context) {
+  if (context.policy[ruleId] === OFF) {
+    return;
+  }
+  return context.findings.resultsMap[ruleId];
+}
+
 function handleObjectValue(result, object) {
   if (typeof object !== 'object') {
     return null;
@@ -179,7 +245,10 @@ function handleObjectValue(result, object) {
       obj = obj[value];
       // does the found object in the query equal the saved object?
       if (util.isDeepStrictEqual(obj, result.mongoContext.inputToCheck)) {
-        findings = { key: value };
+        const start = JSON.stringify(object).indexOf(value);
+        const end = start + value.length;
+        const inputBoundaryIndex = 0;
+        findings = { start, end, boundaryOverrunIndex: start, inputBoundaryIndex };
       }
     }
   });
@@ -201,10 +270,10 @@ function handleStringValue(result, string) {
 
   if (inputIndex === 0 && string === result.value) {
     findings = {
-      startIndex: 0,
-      endIndex: result.value.length - 1,
-      overrunIndex: 0,
-      boundaryIndex: 0,
+      start: 0,
+      end: result.value.length - 1,
+      boundaryOverrunIndex: 0,
+      inputBoundaryIndex: 0,
     };
   }
 

package/lib/input-tracing/index.js

@@ -15,34 +15,30 @@
 
 'use strict';
 
-/**
- * INPUT TRACING is a STAGE of Protect.
- * The specification can be found here https://protect-spec.prod.dotnet.contsec.com/guide/input-tracing.html.
- *
- * To view other STAGES see https://protect-spec.prod.dotnet.contsec.com/guide/protect-types.html#protection-types
- * @param {object} core composed dependencies
- * @returns {object}
- */
+const { installChildComponentsSync } = require('@contrast/common');
+
 module.exports = function(core) {
   const inputTracing = core.protect.inputTracing = {};
 
-  // load the interfaces that will be used by input tracing instrumentation
+  // api
   require('./handlers')(core);
 
-  // load the instrumentation installers
-  require('./install/fs')(core);
+  // instrumentation
   require('./install/child-process')(core);
+  require('./install/fs')(core);
+  require('./install/mongodb')(core);
   require('./install/mysql')(core);
   require('./install/postgres')(core);
-  require('./install/mongodb')(core);
+  require('./install/sequelize')(core);
+  require('./install/sqlite3')(core);
+  require('./install/http')(core);
+  require('./install/vm')(core);
+  require('./install/eval')(core);
+  require('./install/function')(core);
+  // TODO: NODE-2360 (oracledb)
 
   inputTracing.install = function() {
-    inputTracing.fsInstrumentation.install();
-    inputTracing.cpInstrumentation.install();
-    inputTracing.mysqlInstrumentation.install();
-    inputTracing.postgresInstrumentation.install();
-    inputTracing.mongodbInstrumentation.install();
-    // TODO: NODE-2360 (2260?)
+    installChildComponentsSync(inputTracing);
   };
 
   return inputTracing;

package/lib/input-tracing/install/child-process.js

@@ -20,10 +20,11 @@ const { patchType } = require('../constants');
 
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
+    scopes: { instrumentation },
     patcher,
     depHooks,
     captureStacktrace,
+    protect,
     protect: { inputTracing }
   } = core;
 
@@ -34,20 +35,25 @@ module.exports = function(core) {
         patcher.patch(cp, method, {
           name,
           patchType,
-          pre(data) {
+          pre({ args, hooked, orig }) {
             if (instrumentation.isLocked()) return;
 
-            const sourceContext = sources.getStore()?.protect;
-            if (!sourceContext) return;
+            const sourceContext = protect.getSourceContext('child_process');
+            const value = args[0];
 
-            const value = data.args[0];
-            if (!value || !isString(value)) return;
+            if (!sourceContext || !value || !isString(value)) return;
 
             const sinkContext = captureStacktrace(
               { name, value },
-              { constructorOpt: data.hooked, prependFrames: [data.orig] }
+              { constructorOpt: hooked, prependFrames: [orig] }
             );
+
             inputTracing.handleCommandInjection(sourceContext, sinkContext);
+            // To evade code duplication we are using these INPUT TRACING instrumentation
+            // to do the checks for SEMANTIC ANALYSIS too
+            core.protect.semanticAnalysis.handleCommandInjectionCommandBackdoors(sourceContext, sinkContext);
+            core.protect.semanticAnalysis.handleCmdInjectionSemanticChainedCommands(sourceContext, sinkContext);
+            core.protect.semanticAnalysis.handleCmdInjectionSemanticDangerous(sourceContext, sinkContext);
           }
         });
       });

package/lib/input-tracing/install/eval.js

@@ -0,0 +1,60 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { isString } = require('@contrast/common');
+const { patchType } = require('../constants');
+
+module.exports = function(core) {
+  const {
+    logger,
+    scopes: { instrumentation },
+    patcher,
+    captureStacktrace,
+    protect,
+    protect: { inputTracing }
+  } = core;
+
+  function install() {
+    if (!global.ContrastMethods.eval) {
+      logger.error('Cannot install `eval` instrumentation - Contrast method DNE');
+      return;
+    }
+
+    patcher.patch(global.ContrastMethods, 'eval', {
+      name: 'global.ContrastMethods.eval',
+      patchType,
+      pre: ({ args, hooked, orig }) => {
+        if (instrumentation.isLocked()) return;
+
+        const sourceContext = protect.getSourceContext('eval');
+        const value = args[0];
+
+        if (!sourceContext || !value || !isString(value)) return;
+
+        const sinkContext = captureStacktrace(
+          { name: 'eval', value },
+          { constructorOpt: hooked, prependFrames: [orig] }
+        );
+        inputTracing.ssjsInjection(sourceContext, sinkContext);
+      }
+    });
+  }
+
+  const evalInstrumentation = inputTracing.evalInstrumentation = { install };
+
+  return evalInstrumentation;
+};

package/lib/input-tracing/install/fs.js

@@ -61,10 +61,11 @@ const fsMethods = [
 
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
+    scopes: { instrumentation },
     patcher,
     depHooks,
     captureStacktrace,
+    protect,
     protect: { inputTracing }
   } = core;
 
@@ -88,7 +89,8 @@ module.exports = function(core) {
             if (instrumentation.isLocked()) return;
 
             // obtain the Protect sourceContext
-            const sourceContext = sources.getStore()?.protect;
+            const sourceContext = protect.getSourceContext('fs');
+
             if (!sourceContext) return;
 
             // build list of values on which to perform INPUT TRACING

package/lib/input-tracing/install/function.js

@@ -0,0 +1,60 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { isString } = require('@contrast/common');
+const { patchType } = require('../constants');
+
+module.exports = function(core) {
+  const {
+    logger,
+    scopes: { instrumentation },
+    patcher,
+    captureStacktrace,
+    protect,
+    protect: { inputTracing }
+  } = core;
+
+  function install() {
+    if (!global.ContrastMethods.Function) {
+      logger.error('Cannot install `Function` instrumentation - Contrast method DNE');
+      return;
+    }
+
+    patcher.patch(global.ContrastMethods, 'Function', {
+      name: 'global.ContrastMethods.Function',
+      patchType,
+      pre: ({ args, hooked, orig }) => {
+        if (instrumentation.isLocked()) return;
+
+        const sourceContext = protect.getSourceContext('Function');
+        const fnBody = args[args.length - 1];
+
+        if (!sourceContext || !fnBody || !isString(fnBody)) return;
+
+        const sinkContext = captureStacktrace(
+          { name: 'Function', value: fnBody },
+          { constructorOpt: hooked, prependFrames: [orig] }
+        );
+        inputTracing.ssjsInjection(sourceContext, sinkContext);
+      }
+    });
+  }
+
+  const functionInstrumentation = inputTracing.functionInstrumentation = { install };
+
+  return functionInstrumentation;
+};

package/lib/input-tracing/install/http.js

@@ -0,0 +1,63 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../constants');
+
+module.exports = function(core) {
+  const {
+    scopes: { instrumentation },
+    patcher,
+    depHooks,
+    captureStacktrace,
+    protect,
+    protect: { inputTracing }
+  } = core;
+
+  function install() {
+    depHooks.resolve({ name: 'http' }, http => {
+      for (const method of ['write', 'end']) {
+        const name = `http.ServerResponse.prototype.${method}`;
+        patcher.patch(http.ServerResponse.prototype, method, {
+          name,
+          patchType,
+          pre(data) {
+            if (instrumentation.isLocked()) return;
+
+            const sourceContext = protect.getSourceContext(name);
+
+            if (!sourceContext) return;
+
+            const value = data.args[0]?.toString();
+            if (!value) return;
+
+            const sinkContext = captureStacktrace(
+              { name, value },
+              { constructorOpt: data.hooked }
+            );
+            inputTracing.handleReflectedXss(sourceContext, sinkContext);
+          }
+        });
+      }
+    });
+  }
+
+  const httpInstrumentation = inputTracing.httpInstrumentation = {
+    install
+  };
+
+  return httpInstrumentation;
+};