@contrast/protect 1.3.0 → 1.5.0

package/lib/input-tracing/install/mongodb.js

@@ -22,8 +22,8 @@ module.exports = function (core) {
   const {
     depHooks,
     patcher,
-    scopes: { sources },
     captureStacktrace,
+    protect,
     protect: { inputTracing },
   } = core;
 
@@ -61,15 +61,15 @@ module.exports = function (core) {
     patcher.patch(obj, method, {
       name: patchName,
       patchType,
-      pre: ({ args, hooked, name }) => {
+      pre: ({ args, hooked, name, orig }) => {
         const value = getCursorQueryData(args, version);
-        const sourceContext = sources.getStore()?.protect;
+        const sourceContext = protect.getSourceContext(patchName);
 
         if (!sourceContext || !value) return;
 
         const sinkContext = captureStacktrace(
           { name, value },
-          { constructorOpt: hooked }
+          { constructorOpt: hooked, prependFrames: [orig] }
         );
         inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
       }
@@ -80,10 +80,10 @@ module.exports = function (core) {
     patcher.patch(obj, method, {
       name: patchName,
       patchType,
-      pre: ({ args, hooked, name }) => {
-        const sourceContext = sources.getStore()?.protect;
-        if (!sourceContext) return;
+      pre: ({ args, hooked, name, orig }) => {
+        const sourceContext = protect.getSourceContext(patchName);
 
+        if (!sourceContext) return;
 
         const ops = Array.isArray(args[1])
           ? args[1]
@@ -93,7 +93,7 @@ module.exports = function (core) {
           if (value) {
             const sinkContext = captureStacktrace(
               { name, value },
-              { constructorOpt: hooked }
+              { constructorOpt: hooked, prependFrames: [orig] }
             );
             inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
           }
@@ -126,15 +126,15 @@ module.exports = function (core) {
           patcher.patch(mongodb.Collection.prototype, method, {
             name: `mongodb.Collection.prototype.${method}`,
             patchType,
-            pre: ({ args, hooked, name }) => {
+            pre: ({ args, hooked, name, orig }) => {
               const value = typeof args[0] == 'function' ? null : args[0];
-              const sourceContext = sources.getStore()?.protect;
+              const sourceContext = protect.getSourceContext(`mongodb.Collection.prototype.${method}`);
 
               if (!sourceContext || !value) return;
 
               const sinkContext = captureStacktrace(
                 { name, value },
-                { constructorOpt: hooked }
+                { constructorOpt: hooked, prependFrames: [orig] }
               );
               inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
             },
@@ -144,15 +144,15 @@ module.exports = function (core) {
         patcher.patch(mongodb.Db.prototype, 'command', {
           name: 'mongodb.Db.prototype.command',
           patchType,
-          pre: ({ args, hooked, name }) => {
+          pre: ({ args, hooked, name, orig }) => {
             const value = args[0]?.filter;
-            const sourceContext = sources.getStore()?.protect;
+            const sourceContext = protect.getSourceContext('mongodb.Collection.prototype.command');
 
             if (!sourceContext || !value) return;
 
             const sinkContext = captureStacktrace(
               { name, value },
-              { constructorOpt: hooked }
+              { constructorOpt: hooked, prependFrames: [orig] }
             );
             inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
           }
@@ -168,15 +168,15 @@ module.exports = function (core) {
         patcher.patch(mongodb.Db.prototype, 'eval', {
           name: 'mongodb.Db.prototype.eval',
           patchType,
-          pre: ({ args, hooked, name }) => {
+          pre: ({ args, hooked, name, orig }) => {
             const value = args[0];
-            const sourceContext = sources.getStore()?.protect;
+            const sourceContext = protect.getSourceContext('mongodb.Db.prototype.eval');
 
             if (!sourceContext || !value) return;
 
             const sinkContext = captureStacktrace(
               { name, value },
-              { constructorOpt: hooked }
+              { constructorOpt: hooked, prependFrames: [orig] }
             );
 
             inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
@@ -187,15 +187,15 @@ module.exports = function (core) {
     depHooks.resolve({ name: 'mongodb', file: 'lib/cursor/find_cursor', version: '>=4.0.0' }, (cursor) => patcher.patch(cursor, 'FindCursor', {
       name: 'mongodb.FindCursor',
       patchType,
-      pre: ({ args, hooked, name }) => {
+      pre: ({ args, hooked, name, orig }) => {
         const value = args[2];
-        const sourceContext = sources.getStore()?.protect;
+        const sourceContext = protect.getSourceContext('mongodb.FindCursor');
 
         if (!sourceContext || !value) return;
 
         const sinkContext = captureStacktrace(
           { name, value },
-          { constructorOpt: hooked }
+          { constructorOpt: hooked, prependFrames: [orig] }
         );
         inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
       }

package/lib/input-tracing/install/mysql.js

@@ -23,7 +23,7 @@ module.exports = function(core) {
     depHooks,
     patcher,
     captureStacktrace,
-    scopes: { sources },
+    protect,
     protect: { inputTracing }
   } = core;
 
@@ -49,7 +49,8 @@ module.exports = function(core) {
             patchType,
             pre(data) {
               const { args, hooked, name, orig } = data;
-              const sourceContext = sources.getStore()?.protect;
+              const sourceContext = protect.getSourceContext(name);
+
               if (!sourceContext) return;
 
               const value = mysqlInstr.getValueFromArgs(args);

package/lib/input-tracing/install/postgres.js

@@ -22,8 +22,8 @@ module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    scopes: { sources },
     captureStacktrace,
+    protect,
     protect: { inputTracing }
   } = core;
 
@@ -32,8 +32,9 @@ module.exports = function(core) {
     if (query && isString(query)) return query;
   }
 
-  function preHook({ args, hooked, name }) {
-    const sourceContext = sources.getStore()?.protect;
+  function preHook({ args, hooked, name, orig }) {
+    const sourceContext = protect.getSourceContext(name);
+
     if (!sourceContext) return;
 
     const value = getQueryFromArgs(args);
@@ -41,7 +42,7 @@ module.exports = function(core) {
 
     const sinkContext = captureStacktrace(
       { name, value },
-      { constructorOpt: hooked }
+      { constructorOpt: hooked, prependFrames: [orig] }
     );
 
     inputTracing.handleSqlInjection(sourceContext, sinkContext);

package/lib/input-tracing/install/sequelize.js

@@ -20,10 +20,11 @@ const { patchType } = require('../constants');
 
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
+    scopes: { instrumentation },
     patcher,
     depHooks,
     captureStacktrace,
+    protect,
     protect: { inputTracing }
   } = core;
 
@@ -38,18 +39,19 @@ module.exports = function(core) {
       patcher.patch(sequelize.prototype, 'query', {
         name,
         patchType,
-        pre({ args, hooked, name }) {
+        pre({ args, hooked, name, orig }) {
           if (instrumentation.isLocked()) return;
 
-          const sourceContext = sources.getStore()?.protect;
-          if (!sourceContext) return;
+          const sourceContext = protect.getSourceContext(name);
+
+          if (!sourceContext || sourceContext.allowed) return;
 
           const value = getQueryFromArgs(args);
           if (!value) return;
 
           const sinkContext = captureStacktrace(
             { name, value },
-            { constructorOpt: hooked }
+            { constructorOpt: hooked, prependFrames: [orig] }
           );
           inputTracing.handleSqlInjection(sourceContext, sinkContext);
         }

package/lib/input-tracing/install/sqlite3.js

@@ -20,10 +20,11 @@ const { patchType } = require('../constants');
 
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
+    scopes: { instrumentation },
     patcher,
     depHooks,
     captureStacktrace,
+    protect,
     protect: { inputTracing }
   } = core;
 
@@ -34,10 +35,10 @@ module.exports = function(core) {
         patcher.patch(sqlite3.Database.prototype, method, {
           name,
           patchType,
-          pre({ args, hooked, name }) {
+          pre({ args, hooked, name, orig }) {
             if (instrumentation.isLocked()) return;
 
-            const sourceContext = sources.getStore()?.protect;
+            const sourceContext = protect.getSourceContext(name);
             if (!sourceContext) return;
 
             const value = args[0];
@@ -45,8 +46,9 @@ module.exports = function(core) {
 
             const sinkContext = captureStacktrace(
               { name, value },
-              { constructorOpt: hooked }
+              { constructorOpt: hooked, prependFrames: [orig] }
             );
+
             inputTracing.handleSqlInjection(sourceContext, sinkContext);
           }
         });

package/lib/input-tracing/install/vm.js

@@ -0,0 +1,132 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { isString, isNonEmptyObject } = require('@contrast/common');
+const { patchType } = require('../constants');
+
+module.exports = function(core) {
+  const {
+    scopes: { instrumentation },
+    patcher,
+    depHooks,
+    captureStacktrace,
+    protect,
+    protect: { inputTracing }
+  } = core;
+
+  function install() {
+    depHooks.resolve({ name: 'vm' }, (vm) => {
+      ['Script', 'createScript', 'runInContext', 'runInThisContext'].forEach(
+        (method) => {
+          const name = `vm.${method}`;
+
+          patcher.patch(vm, method, {
+            name,
+            patchType,
+            pre({ args, hooked, name, orig }) {
+              if (instrumentation.isLocked()) return;
+
+              const sourceContext = protect.getSourceContext(name);
+              if (!sourceContext) return;
+
+              const codeString = args[0];
+              if (!codeString || !isString(codeString)) return;
+
+              const sinkContext = captureStacktrace(
+                { name, value: codeString },
+                { constructorOpt: hooked, prependFrames: [orig] }
+              );
+              inputTracing.ssjsInjection(sourceContext, sinkContext);
+            }
+          });
+        }
+      );
+
+      patcher.patch(vm, 'runInNewContext', {
+        name: 'vm.runInNewContext',
+        patchType,
+        pre: ({ args, hooked, orig }) => {
+          if (instrumentation.isLocked()) return;
+
+          const sourceContext = protect.getSourceContext('vm.runInNewContext');
+          if (!sourceContext) return;
+
+          const codeString = args[0];
+          const envObj = args[1];
+
+          if ((!codeString || !isString(codeString)) && (!isNonEmptyObject(envObj))) return;
+
+          const codeStringSinkContext = (codeString && isString(codeString)) ? captureStacktrace(
+            { name: 'vm.runInNewContext', value: codeString },
+            { constructorOpt: hooked, prependFrames: [orig] }
+          ) : null;
+          const envObjSinkContext = isNonEmptyObject(envObj) ? captureStacktrace(
+            { name: 'vm.runInNewContext', value: envObj },
+            { constructorOpt: hooked, prependFrames: [orig] }
+          ) : null;
+
+          codeStringSinkContext && inputTracing.ssjsInjection(sourceContext, codeStringSinkContext);
+          envObjSinkContext && inputTracing.ssjsInjection(sourceContext, envObjSinkContext);
+        }
+      });
+
+      patcher.patch(vm, 'createContext', {
+        name: 'vm.createContext',
+        patchType,
+        pre: ({ args, hooked, orig }) => {
+          if (instrumentation.isLocked()) return;
+
+          const sourceContext = protect.getSourceContext('vm.createContext');
+          if (!sourceContext) return;
+
+          const envObj = args[0];
+          if (!isNonEmptyObject(envObj)) return;
+
+          const sinkContext = captureStacktrace(
+            { name: 'vm.createContext', value: envObj },
+            { constructorOpt: hooked, prependFrames: [orig] }
+          );
+          inputTracing.ssjsInjection(sourceContext, sinkContext);
+        }
+      });
+
+      patcher.patch(vm.Script.prototype, 'runInNewContext', {
+        name: 'vm.Script.prototype.runInNewContext',
+        patchType,
+        pre: ({ args, hooked, orig }) => {
+          if (instrumentation.isLocked()) return;
+
+          const sourceContext = protect.getSourceContext('vm.Script.prototype.runInNewContext');
+          if (!sourceContext) return;
+
+          const envObj = args[0];
+          if (!isNonEmptyObject(envObj)) return;
+
+          const sinkContext = captureStacktrace(
+            { name: 'vm.Script.prototype.runInNewContext', value: envObj },
+            { constructorOpt: hooked, prependFrames: [orig] }
+          );
+          inputTracing.ssjsInjection(sourceContext, sinkContext);
+        }
+      });
+    });
+  }
+
+  const vmInstrumentation = inputTracing.vmInstrumentation = { install };
+
+  return vmInstrumentation;
+};

package/lib/make-source-context.js

@@ -16,6 +16,7 @@
 'use strict';
 
 module.exports = function(core) {
+  const { protect } = core;
 
   function makeSourceContext(req, res) {
     // make the abstract request. it is an abstraction of a request that
@@ -79,11 +80,10 @@ module.exports = function(core) {
       // block closure captures res so it isn't exposed to beyond here
       block: core.protect.makeResponseBlocker(res),
 
-      // this should be changed to capture only the rules applicable to this
-      // particular request (if any route exclusions, etc.)
-      rules: core.protect.rules,
+      policy: protect.getPolicy(),
+
       exclusions: [],
-      virtualPatches: [],
+      virtualPatchesEvaluators: [],
 
       // maybe better as result, findings... but my bad naming choice is
       // past the point of return.
@@ -94,55 +94,14 @@ module.exports = function(core) {
         // successfully.
         bodyType: undefined,
         resultsMap: Object.create(null),
+        hardeningResultsMap: Object.create(null),
+        semanticResultsMap: Object.create(null),
+        serverFeaturesResultsMap: Object.create(null)
       },
-
-      /*
-      findings: {
-        trackRequest: true,
-        resultsList: [
-          // Example 2
-          {
-            // return value from agent-lib
-            value: 'kill -9 1',
-            type: 'PARAMETER_VALUE',
-            ruleId: 'cmd-injection',
-            path: ['path', 'to', 'val'],
-            // other data added during lifecycle
-            // could we add these by mutating agent-lib return values?
-            // What if there are multiple injections for the same value? The `details` value
-            // could be an array in that case, or is this too complicated.
-            blocked: false,
-            details: [
-              {
-                context: {
-                  id: 'child_process.exec',
-                  get stack() {}, // lazy
-                  command: 'sudo kill -9 1',
-                  index: 5,
-                }
-              },
-              {
-                sinkId: 'child_process.exec',
-                get stack() {}, // lazy
-                command: 'sudo kill -9 1',
-                index: 5,
-              }]
-          },
-        ]
-      }
-      // (scoreAtom() returns only the ruleId and score because the caller supplied
-      // the input and type; no key or path is known to scoreAtom(). code calling
-      // scoreAtom() will need to augment the finding to match the above.)
-      //
-      // each finding is augmented with additional properties
-      // - blocked: false     // set to true if the finding causes the request to be blocked
-      // - mappedId: ruleId   // normalized ruleId, e.g., nosql-injection-mongo => nosql-injection
-      // -
-      // */
     };
 
     return protectStore;
   }
 
-  core.protect.makeSourceContext = makeSourceContext;
+  return core.protect.makeSourceContext = makeSourceContext;
 };

package/lib/policy.js

@@ -0,0 +1,134 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const {
+  Rule,
+  ProtectRuleMode: {
+    BLOCK_AT_PERIMETER,
+    BLOCK,
+    MONITOR,
+    OFF,
+  },
+  Rule: { BOT_BLOCKER },
+  Event: { SERVER_SETTINGS_UPDATE },
+} = require('@contrast/common');
+
+
+module.exports = function(core) {
+  const { config, logger, messages, protect } = core;
+  const policy = protect.policy = {};
+
+  function getModeFromConfig(ruleId) {
+    if (config.protect.disabled_rules.includes(ruleId)) {
+      return 'off';
+    }
+    return config.protect.rules?.[ruleId]?.mode;
+  }
+
+  /**
+   * Coerces ContrastUI mode names to match from common-agent-configuration
+   * @param {} remoteSetting
+   * @returns {string}
+   */
+  function readModeFromSetting(remoteSetting) {
+    switch (remoteSetting.mode) {
+      case 'OFF': return OFF;
+      case 'MONITORING': return MONITOR;
+      case 'BLOCKING': return remoteSetting.blockAtEntry ? BLOCK_AT_PERIMETER : BLOCK;
+    }
+  }
+
+  /**
+   * Build out initial policy from configuration data
+   */
+  function initPolicy() {
+    for (const ruleId of Object.values(Rule)) {
+      policy[ruleId] = getModeFromConfig(ruleId) || OFF;
+    }
+    updateRulesMask();
+  }
+
+  /**
+   * When updates are given at runtime, we update our local rule policy while
+   * respecting rules of precedence.
+   * @param {[]} protectionRules
+   */
+  function updateFromProtectionRules(protectionRules) {
+    for (const remoteSetting of Object.values(protectionRules)) {
+      const { id: ruleId } = remoteSetting;
+
+      if (getModeFromConfig(ruleId)) {
+        continue;
+      }
+
+      policy[ruleId] = readModeFromSetting(remoteSetting);
+    }
+  }
+
+  /**
+   * Rebuild rules mask based on which agent-lib rules are enabled
+   */
+  function updateRulesMask() {
+    let rulesMask = 0;
+    for (const [ruleId, mode] of Object.entries(policy)) {
+      if (protect.agentLib.RuleType[ruleId] && mode !== OFF) {
+        rulesMask = rulesMask | protect.agentLib.RuleType[ruleId];
+      }
+    }
+    policy.rulesMask = rulesMask;
+  }
+
+  /**
+   * This gets called by protect.makeSourceContext(). We return copy of policy to avoid
+   * inconsistent behavior if policy is updated during request handling.
+   */
+  function getPolicy() {
+    return { ...policy };
+  }
+
+  initPolicy();
+
+  messages.on(SERVER_SETTINGS_UPDATE, (remoteSettings) => {
+    let update;
+
+    const protectionRules = remoteSettings?.settings?.defend?.protectionRules
+    if (protectionRules) {
+      updateFromProtectionRules(protectionRules);
+      update = 'application-settings';
+    }
+
+    if (remoteSettings?.features?.defend) {
+      const bbEnabled = remoteSettings.features.defend[BOT_BLOCKER];
+
+      if (
+        bbEnabled != null &&
+        !config.protect.disabled_rules.includes(BOT_BLOCKER) &&
+        !config.protect.rules?.[BOT_BLOCKER]?.mode
+      ) {
+        policy[BOT_BLOCKER] = bbEnabled ? BLOCK_AT_PERIMETER : OFF;
+        update = 'server-features';
+      }
+    }
+
+    if (update) {
+      updateRulesMask();
+      logger.info({ policy: protect.policy }, `protect policy updated from ${update}`);
+    }
+  });
+
+  return protect.getPolicy = getPolicy;
+};