@contrast/protect 1.36.0 → 1.37.0

package/lib/error-handlers/index.js

@@ -25,10 +25,11 @@ module.exports = function(core) {
   require('./init-domain')(core);
 
   // installers
-  require('./install/fastify')(core);
-  require('./install/koa2')(core);
   require('./install/express4')(core);
+  require('./install/fastify')(core);
   require('./install/hapi')(core);
+  require('./install/koa2')(core);
+  require('./install/restify')(core);
 
   errorHandlers.install = function() {
     callChildComponentMethodsSync(errorHandlers, 'install');

package/lib/error-handlers/install/restify.js

@@ -0,0 +1,52 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { isSecurityException } = require('../../security-exception');
+const { patchType } = require('../constants');
+
+module.exports = function init(core) {
+  const { depHooks, logger, patcher, protect } = core;
+
+  return protect.errorHandlers.restifyErrorHandler = {
+    install() {
+      depHooks.resolve(
+        { name: 'restify', file: 'lib/server.js', version: '>=8' },
+        (Server) => {
+          patcher.patch(Server.prototype, '_onHandlerError', {
+            name: 'restify.Server.prototype._onHandlerError',
+            patchType,
+            around(orig, { args: [err], funcKey }) {
+              if (isSecurityException(err)) {
+                const sourceContext = protect.getSourceContext();
+
+                if (!sourceContext) {
+                  logger.info({ funcKey }, 'source context not found; unable to handle response');
+                  return;
+                }
+
+                sourceContext.block(...sourceContext.securityException);
+                return;
+              }
+
+              return orig();
+            }
+          });
+        }
+      );
+    }
+  };
+};

package/lib/input-analysis/handlers.js

@@ -24,9 +24,9 @@ const {
   traverseKeysAndValues,
   traverseValues,
   InputType,
-  toLowerCase,
-  split,
-  join
+  ArrayPrototypeJoin,
+  StringPrototypeToLowerCase,
+  StringPrototypeSplit,
 } = require('@contrast/common');
 
 //
@@ -595,7 +595,7 @@ module.exports = function (core) {
         const probe = Object.assign({}, resultByRuleId, result, {
           mappedId: result.ruleId,
         });
-        const key = join([
+        const key = ArrayPrototypeJoin.call([
           probe.ruleId,
           probe.inputType,
           ...probe.path,
@@ -725,7 +725,7 @@ module.exports = function (core) {
 
     for (let i = 0; i < reqHeaders.length; i++) {
       if (reqHeaders[i] === 'x-forwarded-for') {
-        const ipsFromHeaders = split(reqHeaders[i + 1], /[,;]+/);
+        const ipsFromHeaders = StringPrototypeSplit.call(reqHeaders[i + 1], /[,;]+/);
         forwardedIps.push(...ipsFromHeaders);
       }
     }
@@ -797,7 +797,7 @@ function isResultExcluded(sourceContext, result) {
     }
     case 'HeaderKey':
     case 'HeaderValue': {
-      if (path[0] && toLowerCase(path[0]) === 'cookie') {
+      if (path[0] && StringPrototypeToLowerCase.call(path[0]) === 'cookie') {
         inputExclusions = exclusions.cookie;
         checkCookiesInHeader = true;
       } else {

package/lib/input-analysis/index.js

@@ -41,6 +41,7 @@ module.exports = function(core) {
   require('./install/koa2')(core);
   require('./install/express4')(core);
   require('./install/hapi')(core);
+  require('./install/restify')(core);
 
   // virtual patches
   require('./virtual-patches')(core);

package/lib/input-analysis/install/http.js

@@ -15,7 +15,7 @@
 
 'use strict';
 
-const { Event, toLowerCase } = require('@contrast/common');
+const { Event, StringPrototypeToLowerCase } = require('@contrast/common');
 const { patchType } = require('../constants');
 
 module.exports = function (core) {
@@ -94,7 +94,7 @@ module.exports = function (core) {
       const connectInputs = {
         headers: removeCookies(headers),
         uriPath,
-        method: toLowerCase(method),
+        method:StringPrototypeToLowerCase.call(method),
       };
 
       if (inputAnalysis.virtualPatchesEvaluators?.length) {

package/lib/input-analysis/install/restify.js

@@ -0,0 +1,67 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { isSecurityException } = require('../../security-exception');
+const { patchType } = require('../constants');
+
+module.exports = function init(core) {
+  const { depHooks, patcher, logger, protect } = core;
+  const { inputAnalysis } = protect;
+
+  return inputAnalysis.restifyInstrumentation = {
+    install() {
+      depHooks.resolve(
+        { name: 'restify', file: 'lib/server.js', version: '>=8' },
+        (Server) => {
+          patcher.patch(Server.prototype, '_afterUse', {
+            name: 'restify.Server.prototype._afterUse',
+            patchType,
+            pre(data) {
+              const sourceContext = protect.getSourceContext();
+              if (!sourceContext) return;
+
+              const req = data.args[1];
+              try {
+                if (req.body && !sourceContext.parsedBody) {
+                  sourceContext.parsedBody = req.body;
+                  inputAnalysis.handleParsedBody(sourceContext, req.body);
+                }
+                if (req.params && !sourceContext.parsedParams) {
+                  sourceContext.parsedParams = req.params;
+                  inputAnalysis.handleUrlParams(sourceContext, req.params);
+                }
+                if (req.query && !sourceContext.parsedQuery) {
+                  sourceContext.parsedQuery = req.query;
+                  inputAnalysis.handleQueryParams(sourceContext, req.query);
+                }
+              } catch (err) {
+                if (isSecurityException(err)) {
+                  data.args[0] = err;
+                } else {
+                  logger.error(
+                    { err, funcKey: data.funcKey },
+                    'Unexpected error during input analysis'
+                  );
+                }
+              }
+            }
+          });
+        },
+      );
+    }
+  };
+};

package/lib/input-analysis/ip-analysis.js

@@ -15,7 +15,7 @@
 
 'use strict';
 
-const { Event, substr } = require('@contrast/common');
+const { Event, StringPrototypeSubstr } = require('@contrast/common');
 const address = require('ipaddr.js');
 
 module.exports = (core) => {
@@ -57,7 +57,7 @@ function ipEntryMap(ipEntry, startTime) {
   const slashIdx = ip.indexOf('/');
   const isCIDR = slashIdx >= 0;
   const ipInstance = isCIDR
-    ? address.process(substr(ip, 0, slashIdx))
+    ? address.process(StringPrototypeSubstr.call(ip, 0, slashIdx))
     : address.process(ip);
 
   const normalizedValue = ipInstance.toNormalizedString();

package/lib/input-analysis/virtual-patches.js

@@ -15,7 +15,7 @@
 
 'use strict';
 
-const { Event, toLowerCase } = require('@contrast/common');
+const { Event, StringPrototypeToLowerCase } = require('@contrast/common');
 
 module.exports = (core) => {
   const {
@@ -47,7 +47,7 @@ function buildVPEvaluators(virtualPatches, evaluatorsArray) {
             acc.push(...entry);
             return acc;
           }, []);
-          const keyIndex = headersArray.indexOf(toLowerCase(name));
+          const keyIndex = headersArray.indexOf(StringPrototypeToLowerCase.call(name));
 
           result = keyIndex !== -1 && evalCheck(headersArray[keyIndex + 1], value);
           if (!result) break;

package/lib/input-tracing/handlers/index.js

@@ -20,7 +20,7 @@ const {
   ProtectRuleMode: { OFF },
   BLOCKING_MODES,
   isString,
-  stringify,
+  JSONStringify,
   traverseKeys,
   traverseKeysAndValues,
   agentLibIDListTypes,
@@ -351,7 +351,7 @@ function handleObjectValue(result, object) {
       obj = obj[value];
       // does the found object in the query equal the saved object?
       if (util.isDeepStrictEqual(obj, result.mongoContext.inputToCheck)) {
-        const start = stringify(object).indexOf(value);
+        const start = JSONStringify(object).indexOf(value);
         const end = start + value.length;
         const inputBoundaryIndex = 0;
         findings = { start, end, boundaryOverrunIndex: start, inputBoundaryIndex };

package/lib/input-tracing/index.js

@@ -29,12 +29,14 @@ module.exports = function(core) {
   require('./install/fs')(core);
   require('./install/function')(core);
   require('./install/http')(core);
+  require('./install/http2')(core);
   require('./install/marsdb')(core);
   require('./install/mongodb')(core);
   require('./install/mssql')(core);
   require('./install/mysql')(core);
   require('./install/postgres')(core);
   require('./install/sequelize')(core);
+  require('./install/spdy')(core);
   require('./install/sqlite3')(core);
   require('./install/vm')(core);
   // TODO: NODE-2360 (oracledb)

package/lib/input-tracing/install/http.js

@@ -37,10 +37,9 @@ module.exports = function(core) {
             if (instrumentation.isLocked()) return;
 
             const sourceContext = protect.getSourceContext(name);
-
             if (!sourceContext) return;
 
-            const value = data.args[0]?.toString();
+            const value = data.args[0]?.toString?.();
             if (!value) return;
 
             const sinkContext = {

package/lib/input-tracing/install/http2.js

@@ -0,0 +1,63 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../constants');
+
+module.exports = function(core) {
+  const {
+    scopes: { instrumentation },
+    patcher,
+    depHooks,
+    protect,
+    protect: { inputTracing }
+  } = core;
+
+  function install() {
+    depHooks.resolve({ name: 'http2' }, http2 => {
+      for (const method of ['write', 'end']) {
+        const name = `http2.Http2ServerResponse.prototype.${method}`;
+        patcher.patch(http2.Http2ServerResponse.prototype, method, {
+          name,
+          patchType,
+          pre(data) {
+            if (instrumentation.isLocked()) return;
+
+            const sourceContext = protect.getSourceContext(name);
+
+            if (!sourceContext) return;
+
+            const value = data.args[0]?.toString();
+            if (!value) return;
+
+            const sinkContext = {
+              name,
+              value,
+              stacktraceOpts: { constructorOpt: data.hooked },
+            };
+            inputTracing.handleReflectedXss(sourceContext, sinkContext);
+          }
+        });
+      }
+    });
+  }
+
+  const http2Instrumentation = inputTracing.http2Instrumentation = {
+    install
+  };
+
+  return http2Instrumentation;
+};

package/lib/input-tracing/install/spdy.js

@@ -0,0 +1,62 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../constants');
+
+module.exports = function(core) {
+  const {
+    scopes: { instrumentation },
+    patcher,
+    depHooks,
+    protect,
+    protect: { inputTracing }
+  } = core;
+
+  function install() {
+    depHooks.resolve({ name: 'spdy' }, spdy => {
+      const name = 'spdy.response.end';
+      patcher.patch(spdy.response, 'end', {
+        name,
+        patchType,
+        pre(data) {
+          if (instrumentation.isLocked()) return;
+
+          const sourceContext = protect.getSourceContext(name);
+
+          if (!sourceContext) return;
+
+          const value = data.args[0]?.toString();
+          if (!value) return;
+
+          const sinkContext = {
+            name,
+            value,
+            stacktraceOpts: { constructorOpt: data.hooked },
+          };
+
+          inputTracing.handleReflectedXss(sourceContext, sinkContext);
+        }
+      });
+    });
+  }
+
+  const spdyInstrumentation = inputTracing.spdyInstrumentation = {
+    install
+  };
+
+  return spdyInstrumentation;
+};

package/lib/make-response-blocker.js

@@ -15,7 +15,7 @@
 
 'use strict';
 
-const { toUpperCase } = require('@contrast/common');
+const { StringPrototypeToUpperCase } = require('@contrast/common');
 
 module.exports = function(core) {
   // i think this should be a weakset. we don't want to accumulate
@@ -29,7 +29,7 @@ module.exports = function(core) {
       if (blocked.has(res)) return;
 
       blocked.add(res);
-      mode = toUpperCase(mode);
+      mode = StringPrototypeToUpperCase.call(mode);
       const end = patcher.unwrap(res.end);
       const writeHead = patcher.unwrap(res.writeHead);
 

package/lib/make-source-context.js

@@ -15,7 +15,7 @@
 
 'use strict';
 
-const { toLowerCase, slice } = require('@contrast/common');
+const { StringPrototypeToLowerCase, StringPrototypeSlice } = require('@contrast/common');
 
 module.exports = function(core) {
   const {
@@ -36,8 +36,8 @@ module.exports = function(core) {
     const ix = req.url.indexOf('?');
 
     if (ix >= 0) {
-      uriPath = slice(req.url, 0, ix);
-      queries = slice(req.url, ix + 1);
+      uriPath = StringPrototypeSlice.call(req.url, 0, ix);
+      queries = StringPrototypeSlice.call(req.url, ix + 1);
     } else {
       uriPath = req.url;
       queries = '';
@@ -55,10 +55,10 @@ module.exports = function(core) {
     const headers = Array(req.rawHeaders.length);
 
     for (let i = 0; i < req.rawHeaders.length; i += 2) {
-      headers[i] = toLowerCase(req.rawHeaders[i]);
+      headers[i] = StringPrototypeToLowerCase.call(req.rawHeaders[i]);
       headers[i + 1] = req.rawHeaders[i + 1];
       if (headers[i] === 'content-type') {
-        contentType = toLowerCase(headers[i + 1]);
+        contentType = StringPrototypeToLowerCase.call(headers[i + 1]);
       }
     }
 

package/lib/policy.js

@@ -19,9 +19,9 @@ const {
   Rule,
   ProtectRuleMode,
   Event,
-  toLowerCase,
-  split,
-  join
+  ArrayPrototypeJoin,
+  StringPrototypeToLowerCase,
+  StringPrototypeSplit,
 } = require('@contrast/common');
 const { ConfigSource } = require('@contrast/config');
 
@@ -88,7 +88,7 @@ module.exports = function (core) {
       }
     }
     if (regExpNeeded) {
-      const rx = new RegExp(`^${join(urls, '|')}$`);
+      const rx = new RegExp(`^${ArrayPrototypeJoin.call(urls, '|')}$`);
 
       return (uriPath) => rx ? rx.test(uriPath) : false;
     }
@@ -305,7 +305,7 @@ module.exports = function (core) {
       exclusionDtm.type = exclusionDtm.type || 'URL';
 
       const { name, protect_rules, urls, type } = exclusionDtm;
-      const key = toLowerCase(type);
+      const key = StringPrototypeToLowerCase.call(type);
 
       if (!compiled[key]) continue;
 
@@ -340,8 +340,8 @@ module.exports = function (core) {
         }
         if (key === 'cookie') {
           e.checkCookieInHeader = (cookieHeader) => {
-            for (const cookiePair of split(cookieHeader, ';')) {
-              const cookieKey = split(cookiePair, '=')[0];
+            for (const cookiePair of StringPrototypeSplit.call(cookieHeader, ';')) {
+              const cookieKey = StringPrototypeSplit.call(cookiePair, '=')[0];
               if (e.matchesInputName(cookieKey)) {
                 return true;
               }

package/lib/semantic-analysis/handlers.js

@@ -21,7 +21,7 @@ const {
   ProtectRuleMode: { OFF },
   InputType,
   traverseValues,
-  replace
+  StringPrototypeReplace,
 } = require('@contrast/common');
 
 const {
@@ -29,7 +29,7 @@ const {
 } = require('./utils/xml-analysis');
 
 const SINK_EXPLOIT_PATTERN_START = /(?:^|\\|\/)(?:sh|bash|zsh|ksh|tcsh|csh|fish|cmd)/;
-const stripWhiteSpace = (str) => replace(str, /\s/g, '');
+const stripWhiteSpace = (str) => StringPrototypeReplace.call(str, /\s/g, '');
 
 const getRuleResults = function(obj, prop) {
   return obj[prop] || (obj[prop] = []);

package/lib/semantic-analysis/utils/xml-analysis.js

@@ -14,7 +14,7 @@
  */
 'use strict';
 
-const { substr, toLowerCase } = require('@contrast/common');
+const { StringPrototypeSubstr, StringPrototypeToLowerCase } = require('@contrast/common');
 
 const PROTOCOLS = {
   FTP: 'FTP',
@@ -23,9 +23,9 @@ const PROTOCOLS = {
   TCP: 'TCP'
 };
 
-const FTP = `${toLowerCase(PROTOCOLS.FTP)}:`;
-const HTTP = `${toLowerCase(PROTOCOLS.HTTP)}:`;
-const HTTPS = `${toLowerCase(PROTOCOLS.HTTPS)}:`;
+const FTP = `${StringPrototypeToLowerCase.call(PROTOCOLS.FTP)}:`;
+const HTTP = `${StringPrototypeToLowerCase.call(PROTOCOLS.HTTP)}:`;
+const HTTPS = `${StringPrototypeToLowerCase.call(PROTOCOLS.HTTPS)}:`;
 const DTD_EXTENSION = '.dtd';
 const FILE_START = 'file:';
 const GOPHER_START = 'gopher:';
@@ -101,7 +101,7 @@ module.exports.findExternalEntities = function(xml = '') {
 
   return {
     entities,
-    prolog: len && substr(xml, 0, entities[len - 1].finish) || null
+    prolog: len && StringPrototypeSubstr.call(xml, 0, entities[len - 1].finish) || null
   };
 };
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.36.0",
+  "version": "1.37.0",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -11,17 +11,17 @@
   "types": "lib/index.d.ts",
   "engines": {
     "npm": ">=6.13.7 <7 || >= 8.3.1",
-    "node": ">= 14.18.0"
+    "node": ">= 16.9.1"
   },
   "scripts": {
     "test": "../scripts/test.sh"
   },
   "dependencies": {
     "@contrast/agent-lib": "^7.0.1",
-    "@contrast/common": "1.21.0",
-    "@contrast/config": "1.28.0",
-    "@contrast/core": "1.32.0",
-    "@contrast/esm-hooks": "2.6.0",
+    "@contrast/common": "1.21.2",
+    "@contrast/config": "1.28.2",
+    "@contrast/core": "1.32.2",
+    "@contrast/esm-hooks": "2.6.2",
     "@contrast/scopes": "1.4.1",
     "ipaddr.js": "^2.0.1",
     "semver": "^7.3.7"