@contrast/protect 1.36.1 → 1.38.0

package/lib/error-handlers/index.js

@@ -25,10 +25,11 @@ module.exports = function(core) {
   require('./init-domain')(core);
 
   // installers
-  require('./install/fastify')(core);
-  require('./install/koa2')(core);
   require('./install/express4')(core);
+  require('./install/fastify')(core);
   require('./install/hapi')(core);
+  require('./install/koa2')(core);
+  require('./install/restify')(core);
 
   errorHandlers.install = function() {
     callChildComponentMethodsSync(errorHandlers, 'install');

package/lib/error-handlers/install/restify.js

@@ -0,0 +1,52 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { isSecurityException } = require('../../security-exception');
+const { patchType } = require('../constants');
+
+module.exports = function init(core) {
+  const { depHooks, logger, patcher, protect } = core;
+
+  return protect.errorHandlers.restifyErrorHandler = {
+    install() {
+      depHooks.resolve(
+        { name: 'restify', file: 'lib/server.js', version: '>=8' },
+        (Server) => {
+          patcher.patch(Server.prototype, '_onHandlerError', {
+            name: 'restify.Server.prototype._onHandlerError',
+            patchType,
+            around(orig, { args: [err], funcKey }) {
+              if (isSecurityException(err)) {
+                const sourceContext = protect.getSourceContext();
+
+                if (!sourceContext) {
+                  logger.info({ funcKey }, 'source context not found; unable to handle response');
+                  return;
+                }
+
+                sourceContext.block(...sourceContext.securityException);
+                return;
+              }
+
+              return orig();
+            }
+          });
+        }
+      );
+    }
+  };
+};

package/lib/input-analysis/index.js

@@ -41,6 +41,7 @@ module.exports = function(core) {
   require('./install/koa2')(core);
   require('./install/express4')(core);
   require('./install/hapi')(core);
+  require('./install/restify')(core);
 
   // virtual patches
   require('./virtual-patches')(core);

package/lib/input-analysis/install/restify.js

@@ -0,0 +1,67 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { isSecurityException } = require('../../security-exception');
+const { patchType } = require('../constants');
+
+module.exports = function init(core) {
+  const { depHooks, patcher, logger, protect } = core;
+  const { inputAnalysis } = protect;
+
+  return inputAnalysis.restifyInstrumentation = {
+    install() {
+      depHooks.resolve(
+        { name: 'restify', file: 'lib/server.js', version: '>=8' },
+        (Server) => {
+          patcher.patch(Server.prototype, '_afterUse', {
+            name: 'restify.Server.prototype._afterUse',
+            patchType,
+            pre(data) {
+              const sourceContext = protect.getSourceContext();
+              if (!sourceContext) return;
+
+              const req = data.args[1];
+              try {
+                if (req.body && !sourceContext.parsedBody) {
+                  sourceContext.parsedBody = req.body;
+                  inputAnalysis.handleParsedBody(sourceContext, req.body);
+                }
+                if (req.params && !sourceContext.parsedParams) {
+                  sourceContext.parsedParams = req.params;
+                  inputAnalysis.handleUrlParams(sourceContext, req.params);
+                }
+                if (req.query && !sourceContext.parsedQuery) {
+                  sourceContext.parsedQuery = req.query;
+                  inputAnalysis.handleQueryParams(sourceContext, req.query);
+                }
+              } catch (err) {
+                if (isSecurityException(err)) {
+                  data.args[0] = err;
+                } else {
+                  logger.error(
+                    { err, funcKey: data.funcKey },
+                    'Unexpected error during input analysis'
+                  );
+                }
+              }
+            }
+          });
+        },
+      );
+    }
+  };
+};

package/lib/input-tracing/index.js

@@ -29,12 +29,14 @@ module.exports = function(core) {
   require('./install/fs')(core);
   require('./install/function')(core);
   require('./install/http')(core);
+  require('./install/http2')(core);
   require('./install/marsdb')(core);
   require('./install/mongodb')(core);
   require('./install/mssql')(core);
   require('./install/mysql')(core);
   require('./install/postgres')(core);
   require('./install/sequelize')(core);
+  require('./install/spdy')(core);
   require('./install/sqlite3')(core);
   require('./install/vm')(core);
   // TODO: NODE-2360 (oracledb)

package/lib/input-tracing/install/http.js

@@ -37,10 +37,9 @@ module.exports = function(core) {
             if (instrumentation.isLocked()) return;
 
             const sourceContext = protect.getSourceContext(name);
-
             if (!sourceContext) return;
 
-            const value = data.args[0]?.toString();
+            const value = data.args[0]?.toString?.();
             if (!value) return;
 
             const sinkContext = {

package/lib/input-tracing/install/http2.js

@@ -0,0 +1,63 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../constants');
+
+module.exports = function(core) {
+  const {
+    scopes: { instrumentation },
+    patcher,
+    depHooks,
+    protect,
+    protect: { inputTracing }
+  } = core;
+
+  function install() {
+    depHooks.resolve({ name: 'http2' }, http2 => {
+      for (const method of ['write', 'end']) {
+        const name = `http2.Http2ServerResponse.prototype.${method}`;
+        patcher.patch(http2.Http2ServerResponse.prototype, method, {
+          name,
+          patchType,
+          pre(data) {
+            if (instrumentation.isLocked()) return;
+
+            const sourceContext = protect.getSourceContext(name);
+
+            if (!sourceContext) return;
+
+            const value = data.args[0]?.toString();
+            if (!value) return;
+
+            const sinkContext = {
+              name,
+              value,
+              stacktraceOpts: { constructorOpt: data.hooked },
+            };
+            inputTracing.handleReflectedXss(sourceContext, sinkContext);
+          }
+        });
+      }
+    });
+  }
+
+  const http2Instrumentation = inputTracing.http2Instrumentation = {
+    install
+  };
+
+  return http2Instrumentation;
+};

package/lib/input-tracing/install/spdy.js

@@ -0,0 +1,63 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../constants');
+
+module.exports = function(core) {
+  const {
+    scopes: { instrumentation },
+    patcher,
+    depHooks,
+    protect,
+    protect: { inputTracing }
+  } = core;
+
+  function install() {
+    depHooks.resolve({ name: 'spdy' }, spdy => {
+      const name = 'spdy.response.end';
+      patcher.patch(spdy.response, 'end', {
+        name,
+        patchType,
+        pre({ args, obj: response, hooked }) {
+          if (instrumentation.isLocked()) return;
+
+          const sourceContext = protect.getSourceContext(name);
+
+          if (!sourceContext) return;
+
+          const value = args[0]?.toString();
+          if (!value) return;
+
+          const sinkContext = {
+            name,
+            value,
+            stacktraceOpts: { constructorOpt: hooked },
+          };
+
+          response.spdyStream.once('finish', () => response.emit('finish'));
+          inputTracing.handleReflectedXss(sourceContext, sinkContext);
+        }
+      });
+    });
+  }
+
+  const spdyInstrumentation = inputTracing.spdyInstrumentation = {
+    install
+  };
+
+  return spdyInstrumentation;
+};

package/lib/make-response-blocker.js

@@ -15,7 +15,10 @@
 
 'use strict';
 
-const { StringPrototypeToUpperCase } = require('@contrast/common');
+const {
+  StringPrototypeToUpperCase,
+  symbols: { kMetrics }
+} = require('@contrast/common');
 
 module.exports = function(core) {
   // i think this should be a weakset. we don't want to accumulate
@@ -34,6 +37,9 @@ module.exports = function(core) {
       const writeHead = patcher.unwrap(res.writeHead);
 
       try {
+        clearTimeout(res[kMetrics]?.timeout);
+        delete res[kMetrics];
+
         if (!res.headersSent) writeHead.call(res, 403);
         end.call(res, '');
         logger.info({ mode, ruleId }, 'Request blocked');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.36.1",
+  "version": "1.38.0",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -18,10 +18,10 @@
   },
   "dependencies": {
     "@contrast/agent-lib": "^7.0.1",
-    "@contrast/common": "1.21.1",
-    "@contrast/config": "1.28.1",
-    "@contrast/core": "1.32.1",
-    "@contrast/esm-hooks": "2.6.1",
+    "@contrast/common": "1.21.3",
+    "@contrast/config": "1.28.3",
+    "@contrast/core": "1.32.3",
+    "@contrast/esm-hooks": "2.6.3",
     "@contrast/scopes": "1.4.1",
     "ipaddr.js": "^2.0.1",
     "semver": "^7.3.7"