@contrast/protect 1.38.0 → 1.40.0

package/lib/make-source-context.test.js

@@ -0,0 +1,219 @@
+'use strict';
+
+const sinon = require('sinon');
+const { expect } = require('chai');
+const { Rule, Event } = require('@contrast/common');
+const { initProtectFixture } = require('@contrast/test/fixtures');
+
+/* eslint-disable newline-per-chained-call */
+
+describe('protect make-source-context', function () {
+  let core;
+
+  beforeEach(function () {
+    ({ core } = initProtectFixture());
+    core.config.protect.rules = makeProtectRulesConfig('monitor');
+  });
+
+  describe('makeSourceContext() for policy', function () {
+    it('builds policy with rulesMask and modes', function () {
+      require('../../protect')(core);
+
+      const [req, res] = makeReqRes({}, {});
+      const sc = core.protect.makeSourceContext(req, res);
+
+      expect(sc.block).to.be.a('function');
+      expect(sc.policy).to.deep.equal({
+        rulesMask: 511,
+        exclusions: {
+          ignoreQuerystring: false,
+          querystringPolicy: null,
+          ignoreBody: false,
+          bodyPolicy: null,
+          header: [],
+          cookie: [],
+          parameter: [],
+        },
+        ...Object.values(Rule).reduce((acc, ruleId) => ({ ...acc, [ruleId]: 'monitor' }), {}),
+      });
+      expect(sc.exclusions).to.deep.equal([]);
+      expect(sc.virtualPatchesEvaluators).to.deep.equal([]);
+      expect(sc.trackRequest).to.equal(false);
+      expect(sc.securityException).to.be.undefined;
+      expect(sc.bodyType).to.be.undefined;
+      expect(sc.resultsMap).to.eql(Object.create(null));
+    });
+  });
+
+  describe('makeSourceContext() for req, res', function () {
+    const ruleId = 'reflected-xss';
+    const expectedMode = 'monitor';
+    const expectedRulesMask = 4;
+
+    const tests = [
+      { desc: 'works with unmodified req', req: {}, res: {} },
+      { desc: 'handles an uppercase header name', req: { rawHeaders: ['Accept', '*'] }, res: {} },
+      { desc: 'does not modify a header value', req: { rawHeaders: ['Accept', 'TEXT/HTmL'] }, res: {} },
+      { desc: 'handles an empty url', req: { url: '' }, res: {} },
+      { desc: 'handles search params', req: { url: '/mimsy?borogroves' }, res: {} },
+      { desc: 'handles only search params', req: { url: '?alice' }, res: {} },
+      { desc: 'detects multipart content-type', req: { rawHeaders: ['Content-type', 'multipart/x-www-form-urlencoded'] }, res: {} },
+      { desc: 'blocks when headers not sent', req: {}, res: { writeHead: sinon.stub(), end: sinon.stub() } },
+      { desc: 'blocks when headers sent', req: {}, res: { writeHead: sinon.stub(), end: sinon.stub(), headersSent: true } },
+    ];
+
+    tests.forEach((t) => {
+      it(t.desc, function () {
+        core.config.protect.rules = makeProtectRulesConfig('off');
+        core.config.protect.rules['reflected-xss'] = { mode: 'monitor' };
+
+        require('../../protect')(core);
+
+        const [req, res] = makeReqRes(t.req, t.res);
+
+        // default to setting headers but not including a content-type
+        let contentType = '';
+        if (!t.req.rawHeaders) {
+          // the test doesn't set the headers so they are the default
+          contentType = 'application/x-www-form-urlencoded';
+        } else if (t.req.rawHeaders[t.req.rawHeaders.length - 1].startsWith('multipart')) {
+          // the test does set the content-type header (inferred)
+          contentType = t.req.rawHeaders[t.req.rawHeaders.length - 1];
+        }
+        const headers = req.rawHeaders.map((h, ix) => ix & 1 ? h : h.toLowerCase());
+
+        // this is what is really being tested.
+        const sc = core.protect.makeSourceContext(req, res);
+
+
+        const expectedReqData = {
+          method: 'get',
+          headers,
+          uriPath: '/',
+          queries: '',
+          httpVersion: '1',
+          ip: '127.1.1.0',
+          contentType,
+        };
+        if (t.req.rawHeaders) {
+          expectedReqData.headers = t.req.rawHeaders.map((h, i) => {
+            if (i & 1 && h.startsWith('multipart')) {
+              expectedReqData.contentType = h;
+            }
+            return i & 1 ? h : h.toLowerCase();
+          });
+        }
+        if (t.req.url !== undefined) {
+          expectedReqData.uriPath = t.req.url;
+          expectedReqData.queries = '';
+          const ix = t.req.url.indexOf('?');
+          if (ix >= 0) {
+            expectedReqData.uriPath = t.req.url.slice(0, ix);
+            expectedReqData.queries = t.req.url.slice(ix + 1);
+          }
+        }
+
+        // check that req and res make the expected abstract request
+        expect(sc).property('reqData').to.deep.equal(expectedReqData);
+
+        // if a block test, does it work as expected?
+        if (t.res.writeHead) {
+          sc.block('mode', 'reflected-xss');
+          if (!t.res.headersSent) {
+            expect(t.res.writeHead.callCount).to.equal(1);
+          } else {
+            expect(t.res.writeHead.callCount).to.equal(0);
+          }
+          expect(t.res.end.callCount).to.equal(1);
+        }
+
+        // check constant items
+        expect(sc.block).to.be.a('function');
+        expect(sc.policy.rulesMask).to.equal(expectedRulesMask);
+        expect(sc.policy[ruleId]).to.equal(expectedMode);
+        expect(sc.exclusions).to.deep.equal([]);
+        expect(sc.virtualPatchesEvaluators).to.deep.equal([]);
+
+        expect(sc.trackRequest).to.equal(false);
+        expect(sc.securityException).to.be.undefined;
+        expect(sc.bodyType).to.be.undefined;
+        expect(sc.resultsMap).to.eql(Object.create(null));
+      });
+    });
+  });
+
+  describe('handles a case where the returned policy is null so the request is allowed', function () {
+    beforeEach(function () {
+      require('../../protect')(core);
+      const exclusionDtm = {
+        urls: [
+          '.*'
+        ],
+        matchStrategy: 'ONLY',
+        protect_rules: [],
+        modes: [
+          'defend'
+        ],
+        name: 'UrlExclusionAllRules'
+      };
+
+      core.messages.emit(Event.SERVER_SETTINGS_UPDATE, {
+        exclusions: {
+          input: [],
+          url: [exclusionDtm]
+        }
+      });
+    });
+
+    it('returns an sourceContext with only allowed property set to true', function () {
+      const sc = core.protect.makeSourceContext(...makeReqRes());
+
+      expect(sc).to.deep.equal({ allowed: true });
+    });
+  });
+});
+
+//
+// make a req and res pair
+//
+function makeReqRes(req = {}, res = {}) {
+  const defaultReq = {
+    method: 'get',
+    url: '/',
+    httpVersion: '1',
+    socket: {
+      remoteAddress: '127.1.1.0'
+    },
+    rawHeaders: getRawHeaders(),
+  };
+
+  const defaultRes = {
+    headersSent: false,
+    writeHead() { },
+    end() { },
+  };
+
+  return [
+    Object.assign({}, defaultReq, req),
+    Object.assign({}, defaultRes, res),
+  ];
+}
+
+function getRawHeaders() {
+  return [
+    'accept', 'text/html',
+    'accept-encoding', 'gzip, deflate, br',
+    'user-agent', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.',
+    'content-type', 'application/x-www-form-urlencoded'
+  ];
+}
+
+//
+// create the config for protect's rules
+//
+function makeProtectRulesConfig(mode = 'monitor') {
+  return Object.values(Rule).reduce((acc, ruleId) => ({
+    ...acc,
+    [ruleId]: { mode }
+  }), { disabled_rules: [] });
+}

package/lib/policy.test.js

@@ -0,0 +1,446 @@
+'use strict';
+
+const { expect } = require('chai');
+const sinon = require('sinon');
+const {
+  ConfigSource: { ENVIRONMENT_VARIABLE }, ConfigSource
+} = require('@contrast/config');
+const { Rule, Event } = require('@contrast/common');
+const { initProtectFixture } = require('@contrast/test/fixtures');
+const mocks = require('@contrast/test/mocks');
+const exclusionSettingsMessage = require('@contrast/test/data/server-settings/exclusions.json');
+const policyFactory = require('./policy');
+
+describe('protect policy', function () {
+  let core;
+
+  beforeEach(function () {
+    [
+      ['cmd-injection', 'block'],
+      ['path-traversal', 'off'],
+      ['reflected-xss', 'block_at_perimeter'],
+      ['sql-injection', 'monitor'],
+    ].forEach(([ruleId, mode]) => {
+      process.env[`CONTRAST__PROTECT__RULES__${ruleId.toUpperCase().replace('-', '_')}__MODE`] = mode;
+    });
+
+    ({ core } = initProtectFixture());
+    [
+      ['cmd-injection', 'block'],
+      ['path-traversal', 'off'],
+      ['reflected-xss', 'block_at_perimeter'],
+      ['sql-injection', 'monitor'],
+    ].forEach(([ruleId, mode]) => {
+      const name = `protect.rules.${ruleId.replace('-', '_')}.mode`;
+      core.config.setValue(name, mode, ENVIRONMENT_VARIABLE);
+    });
+
+    core.protect = mocks.protect();
+  });
+
+  describe('initialzation and updates', function () {
+    beforeEach(function () {
+      core.config.protect.rules.disabled_rules = ['sql-injection'];
+      [
+        ['cmd-injection', 'block'],
+        ['path-traversal', 'off'],
+        ['reflected-xss', 'block_at_perimeter'],
+        ['sql-injection', 'monitor'],
+      ].forEach(([ruleId, mode]) => {
+        core.config.setValue(`protect.rules.${ruleId}.mode`, mode, ENVIRONMENT_VARIABLE);
+      });
+
+      policyFactory(core);
+    });
+
+    it('initializes policy from configuration', function () {
+      const policy = core.protect.getPolicy();
+
+      expect(policy).to.deep.include({
+        rulesMask: 20,
+        'bot-blocker': 'off',
+        'cmd-injection': 'block',
+        'cmd-injection-command-backdoors': 'off',
+        'cmd-injection-semantic-chained-commands': 'off',
+        'cmd-injection-semantic-dangerous-paths': 'off',
+        'ip-denylist': 'off',
+        'method-tampering': 'off',
+        'nosql-injection': 'off',
+        'nosql-injection-mongo': 'off',
+        'path-traversal': 'off',
+        'path-traversal-semantic-file-security-bypass': 'off',
+        'reflected-xss': 'block_at_perimeter',
+        'sql-injection': 'off',
+        'ssjs-injection': 'off',
+        'ssrf': 'off',
+        'unsafe-code-execution': 'off',
+        'unsafe-file-upload': 'off',
+        'untrusted-deserialization': 'off',
+        'unvalidated-redirect': 'off',
+        'virtual-patch': 'off',
+        'xxe': 'off',
+        exclusions: {
+          bodyPolicy: null,
+          cookie: [],
+          header: [],
+          ignoreBody: false,
+          ignoreQuerystring: false,
+          parameter: [],
+          querystringPolicy: null,
+        }
+      });
+    });
+
+    it('updates policy from app settings and server features', function () {
+      let policy = core.protect.getPolicy();
+
+      expect(policy).to.deep.include({
+        rulesMask: 20,
+        'bot-blocker': 'off',
+        'cmd-injection': 'block',
+        'cmd-injection-command-backdoors': 'off',
+        'cmd-injection-semantic-chained-commands': 'off',
+        'cmd-injection-semantic-dangerous-paths': 'off',
+        'ip-denylist': 'off',
+        'method-tampering': 'off',
+        'nosql-injection': 'off',
+        'nosql-injection-mongo': 'off',
+        'path-traversal': 'off',
+        'path-traversal-semantic-file-security-bypass': 'off',
+        'reflected-xss': 'block_at_perimeter',
+        'sql-injection': 'off',
+        'ssjs-injection': 'off',
+        'ssrf': 'off',
+        'unsafe-code-execution': 'off',
+        'unsafe-file-upload': 'off',
+        'untrusted-deserialization': 'off',
+        'unvalidated-redirect': 'off',
+        'virtual-patch': 'off',
+        'xxe': 'off',
+        exclusions: {
+          bodyPolicy: null,
+          cookie: [],
+          header: [],
+          ignoreBody: false,
+          ignoreQuerystring: false,
+          parameter: [],
+          querystringPolicy: null,
+        }
+      });
+
+      core.messages.emit(Event.SERVER_SETTINGS_UPDATE, {
+        protect: {
+          rules: {
+            'cmd-injection': { mode: 'MONITOR' },
+            'method-tampering': { mode: 'BLOCK_AT_PERIMETER' },
+            'nosql-injection': { mode: 'MONITOR' },
+            'ssjs-injection': { mode: 'BLOCK' },
+          }
+        }
+      });
+
+      policy = core.protect.getPolicy();
+
+      expect(policy).to.deep.include({
+        rulesMask: 436,
+        'bot-blocker': 'off',
+        'cmd-injection': 'block',
+        'cmd-injection-command-backdoors': 'off',
+        'cmd-injection-semantic-chained-commands': 'off',
+        'cmd-injection-semantic-dangerous-paths': 'off',
+        'ip-denylist': 'off',
+        'method-tampering': 'block_at_perimeter',
+        'nosql-injection': 'monitor',
+        'nosql-injection-mongo': 'monitor',
+        'path-traversal': 'off',
+        'path-traversal-semantic-file-security-bypass': 'off',
+        'reflected-xss': 'block_at_perimeter',
+        'sql-injection': 'off',
+        'ssjs-injection': 'block',
+        'ssrf': 'off',
+        'unsafe-code-execution': 'off',
+        'unsafe-file-upload': 'off',
+        'untrusted-deserialization': 'off',
+        'unvalidated-redirect': 'off',
+        'virtual-patch': 'off',
+        'xxe': 'off',
+        exclusions: {
+          bodyPolicy: null,
+          cookie: [],
+          header: [],
+          ignoreBody: false,
+          ignoreQuerystring: false,
+          parameter: [],
+          querystringPolicy: null,
+        }
+      });
+
+      core.messages.emit(Event.SERVER_SETTINGS_UPDATE, {
+        protect: {
+          rules: {
+            bot_blocker: {
+              enable: true
+            }
+          }
+        }
+      });
+
+      policy = core.protect.getPolicy();
+
+      expect(policy).to.deep.include({
+        rulesMask: 500,
+        'bot-blocker': 'block_at_perimeter',
+        'cmd-injection': 'block',
+        'cmd-injection-command-backdoors': 'off',
+        'cmd-injection-semantic-chained-commands': 'off',
+        'cmd-injection-semantic-dangerous-paths': 'off',
+        'ip-denylist': 'off',
+        'method-tampering': 'block_at_perimeter',
+        'nosql-injection': 'monitor',
+        'nosql-injection-mongo': 'monitor',
+        'path-traversal': 'off',
+        'path-traversal-semantic-file-security-bypass': 'off',
+        'reflected-xss': 'block_at_perimeter',
+        'sql-injection': 'off',
+        'ssjs-injection': 'block',
+        'ssrf': 'off',
+        'unsafe-code-execution': 'off',
+        'unsafe-file-upload': 'off',
+        'untrusted-deserialization': 'off',
+        'unvalidated-redirect': 'off',
+        'virtual-patch': 'off',
+        'xxe': 'off',
+        exclusions: {
+          bodyPolicy: null,
+          cookie: [],
+          header: [],
+          ignoreBody: false,
+          ignoreQuerystring: false,
+          parameter: [],
+          querystringPolicy: null,
+        }
+      });
+    });
+
+    describe('special case: nosql-injection-mongo', function() {
+      it('nosql-injection-mongo will not get updated by nosql-injection settings if set in config', function () {
+        core.config.setValue(`protect.rules.${Rule.NOSQL_INJECTION_MONGO}.mode`, 'block', ConfigSource.USER_CONFIGURATION_FILE);
+        const getPolicy = policyFactory(core);
+        let policy = getPolicy();
+
+        expect(policy).to.deep.include({
+          'nosql-injection': 'off',
+          'nosql-injection-mongo': 'block',
+        });
+
+        core.messages.emit(Event.SERVER_SETTINGS_UPDATE, {
+          protect: {
+            rules: {
+              'nosql-injection': { mode: 'MONITOR' },
+            }
+          }
+        });
+
+        policy = core.protect.getPolicy();
+        expect(policy).to.deep.include({
+          'nosql-injection': 'monitor',
+          'nosql-injection-mongo': 'block',
+        });
+      });
+
+      it('nosql-injection-mongo will inherit nosql-injection config if unset itself', function () {
+        core.config.setValue(`protect.rules.${Rule.NOSQL_INJECTION}.mode`, 'block', ConfigSource.USER_CONFIGURATION_FILE);
+        const getPolicy = policyFactory(core);
+        const policy = getPolicy();
+
+        expect(policy).to.deep.include({
+          'nosql-injection': 'block',
+          'nosql-injection-mongo': 'block',
+        });
+      });
+    });
+  });
+
+  describe('policy building accounts for UI-defined exclusions', function () {
+    beforeEach(function () {
+      core.config.protect.rules['path-traversal'].mode = 'monitor';
+      core.config.protect.rules['sql-injection'].mode = 'monitor';
+      core.config.protect.rules['cmd-injection'].mode = 'monitor';
+      core.config.protect.rules['reflected-xss'].mode = 'monitor';
+      core.config.protect.rules.disabled_rules = [];
+      policyFactory(core);
+      core.messages.emit(Event.SERVER_SETTINGS_UPDATE, exclusionSettingsMessage);
+    });
+
+    const baseline = {
+      rulesMask: 30,
+      'bot-blocker': 'off',
+      'cmd-injection': 'monitor',
+      'cmd-injection-command-backdoors': 'off',
+      'cmd-injection-semantic-chained-commands': 'off',
+      'cmd-injection-semantic-dangerous-paths': 'off',
+      'ip-denylist': 'off',
+      'method-tampering': 'off',
+      'nosql-injection': 'off',
+      'nosql-injection-mongo': 'off',
+      'path-traversal': 'monitor',
+      'path-traversal-semantic-file-security-bypass': 'off',
+      'reflected-xss': 'monitor',
+      'sql-injection': 'monitor',
+      'ssjs-injection': 'off',
+      'unsafe-code-execution': 'off',
+      'unsafe-file-upload': 'off',
+      'untrusted-deserialization': 'off',
+      'virtual-patch': 'off',
+      'xxe': 'off',
+      exclusions: {
+        ignoreQuerystring: false,
+        querystringPolicy: null,
+        ignoreBody: false,
+        bodyPolicy: null,
+        cookie: [],
+        header: [],
+        parameter: [{
+          policy: { 'sql-injection': 'off' }
+        }],
+      }
+    };
+
+    [
+      { uriPath: 'baseline', expectedPolicy: baseline },
+      { uriPath: '/url-exclusion-all-rules', expectedPolicy: null },
+      {
+        uriPath: '/url-exclusion-some-rules',
+        expectedPolicy: {
+          ...baseline,
+          rulesMask: 28,
+          'path-traversal': 'off',
+        }
+      },
+      {
+        uriPath: '/input-exclusion-some-rules',
+        expectedPolicy: {
+          ...baseline,
+          exclusions: {
+            parameter: [{
+              policy: {
+                'sql-injection': 'off',
+              }
+            }]
+          }
+        }
+      },
+      {
+        uriPath: '/input-exclusion-more-rules',
+        expectedPolicy: {
+          ...baseline,
+          exclusions: {
+            header: [{
+              policy: {
+                'cmd-injection': 'off',
+                'sql-injection': 'off',
+                'path-traversal': 'off',
+                'reflected-xss': 'off',
+              }
+            }],
+            parameter: [{
+              policy: { 'sql-injection': 'off' }
+            }, {
+              policy: {
+                'cmd-injection': 'off',
+                'sql-injection': 'off',
+                'path-traversal': 'off',
+              }
+            }]
+          }
+        }
+      },
+      {
+        uriPath: '/input-exclusion-body-some-rules',
+        expectedPolicy: {
+          ...baseline,
+          exclusions: {
+            bodyPolicy: {
+              'cmd-injection': 'off',
+              'sql-injection': 'off',
+              'path-traversal': 'off',
+              'reflected-xss': 'off',
+            }
+          }
+        }
+      },
+      {
+        uriPath: '/input-exclusion-body-all-rules',
+        expectedPolicy: {
+          ...baseline,
+          exclusions: {
+            ignoreBody: true
+          }
+        }
+      },
+      {
+        uriPath: '/input-exclusion-querystring-some-rules',
+        expectedPolicy: {
+          ...baseline,
+          exclusions: {
+            querystringPolicy: {
+              'nosql-injection-mongo': 'off',
+              'sql-injection': 'off',
+              'path-traversal': 'off',
+              'reflected-xss': 'off',
+            }
+          }
+        }
+      },
+      {
+        uriPath: '/input-exclusion-querystring-all-rules',
+        expectedPolicy: {
+          ...baseline,
+          exclusions: {
+            ignoreQuerystring: true
+          }
+        },
+      },
+      {
+        uriPath: '/input-exclusion-cookie-all-rules',
+        expectedPolicy: {
+          ...baseline,
+          exclusions: {
+            cookie: [{
+              name: '.*',
+            }],
+          }
+        }
+      }
+    ].forEach(({ uriPath, expectedPolicy }) => {
+      it(`builds exclusions correctly for uriPath=${uriPath}`, function () {
+        expect(core.protect.getPolicy({ uriPath })).to.be.like(expectedPolicy);
+
+      });
+    });
+  });
+
+  describe('handles errors during exclusion compilation', function () {
+    it('catches the error and logs a message for it', function () {
+      const exclusionDtm = {
+        urls: [
+          '.*******'
+        ],
+        matchStrategy: 'ONLY',
+        protect_rules: [],
+        modes: [
+          'defend'
+        ],
+        name: 'UrlExclusionAllRules'
+      };
+
+      core.messages.emit(Event.SERVER_SETTINGS_UPDATE, {
+        exclusions: {
+          input: [],
+          url: [exclusionDtm]
+        }
+      });
+      expect(core.logger.error).to.have.been.calledOnceWithExactly({ err: sinon.match.any, exclusionDtm }, 'failed to process exclusion');
+    });
+  });
+});