@contrast/protect 1.39.0 → 1.40.1

package/lib/semantic-analysis/handlers.test.js

@@ -0,0 +1,379 @@
+'use strict';
+
+const os = require('os');
+const { Rule } = require('@contrast/common');
+const { expect } = require('chai');
+const mocks = require('@contrast/test/mocks');
+
+describe('protect semantic-analysis handlers', function () {
+  let core, handlers;
+
+  // each test should be asserting this at least
+  const TEST_DESCRIPTION = 'captures findings and sinkContext in result.exploitMetadata array';
+
+  // for additional assertions that might happen in tests, add to description
+  function makeTestDescription(blocks) {
+    const addl = blocks ? ' and blocks when in BLOCK mode' : '';
+    return `${TEST_DESCRIPTION}${addl}`;
+  }
+
+  function makeSourceContext(resultsList, ruleModes) {
+    const semanticResultsMap = Object.create(null);
+    if (resultsList) {
+      for (const result of resultsList) {
+        if (!semanticResultsMap[result.ruleId]) {
+          semanticResultsMap[result.ruleId] = [];
+        }
+        semanticResultsMap[result.ruleId].push(result);
+      }
+    }
+
+    return {
+      policy: {
+        [Rule.CMD_INJECTION_COMMAND_BACKDOORS]: 'monitor',
+        [Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS]: 'monitor',
+        [Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS]: 'monitor',
+        [Rule.PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS]: 'monitor',
+        ...(ruleModes || {}),
+      },
+      trackRequest: true,
+      resultsMap: semanticResultsMap,
+    };
+  }
+
+  beforeEach(function () {
+    core = mocks.core();
+    core.logger = mocks.logger();
+    core.protect = mocks.protect();
+    core.protect.throwSecurityException = require('../throw-security-exception');
+
+    handlers = require('./handlers')(core);
+  });
+
+  describe('handleCmdInjectionSemanticDangerous()', function () {
+    const sinkContextPositive = {
+      name: 'child_process.execSync',
+      value: 'ls; cat /etc/passwd',
+      stack: [],
+    };
+    const sinkContextNegative = {
+      name: 'child_process.execSync',
+      value: 'foo',
+      stack: []
+    };
+    const command = 'ls; cat /etc/passwd';
+
+    [
+      {
+        blocks: false,
+        sourceContext: makeSourceContext([]),
+        expectedResults: [
+          {
+            mappedId: Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS,
+            ruleId: Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS,
+            value: sinkContextPositive.value,
+            sinkContext: sinkContextPositive,
+            exploitMetadata: [{ command }],
+            blocked: false
+          },
+          {
+            mappedId: Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS,
+            ruleId: Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS,
+            value: sinkContextPositive.value,
+            sinkContext: sinkContextPositive,
+            exploitMetadata: [{ command }],
+            blocked: false
+          },
+        ]
+      },
+      {
+        blocks: true,
+        sourceContext: makeSourceContext(
+          [], {
+            [Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS]: 'block'
+          }
+        ),
+        expectedResults: [
+          {
+            mappedId: Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS,
+            ruleId: Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS,
+            value: sinkContextPositive.value,
+            sinkContext: sinkContextPositive,
+            exploitMetadata: [{ command }],
+            blocked: true
+          },
+        ]
+      },
+      {
+        blocks: false,
+        sourceContext: makeSourceContext(
+          [], {
+            [Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS]: 'off'
+          }
+        ),
+        expectedResults: undefined,
+      }
+    ].forEach(({ blocks, sourceContext, expectedResults }) => {
+      it(makeTestDescription(blocks), function () {
+        const testFn = () => {
+          handlers.handleCmdInjectionSemanticDangerous(sourceContext, sinkContextPositive);
+          handlers.handleCmdInjectionSemanticDangerous(sourceContext, sinkContextPositive);
+          handlers.handleCmdInjectionSemanticDangerous(sourceContext, sinkContextNegative);
+        };
+
+        const test = expect(testFn);
+        blocks ? test.to.throw('SecurityException') : test.not.to.throw();
+
+        const cmdiSDPResults = sourceContext.resultsMap[Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS];
+        expect(cmdiSDPResults).to.deep.equal(expectedResults);
+      });
+    });
+  });
+
+  describe('handleCmdInjectionSemanticChainedCommands()', function () {
+    const sinkContextPositive = {
+      name: 'child_process.execSync',
+      value: 'test&whoami',
+      stack: [],
+    };
+    const sinkContextNegative = {
+      name: 'child_process.execSync',
+      value: 'foo',
+      stack: []
+    };
+    const command = 'test&whoami';
+
+    [
+      {
+        blocks: false,
+        sourceContext: makeSourceContext([]),
+        expectedResults: [
+          {
+            mappedId: Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS,
+            ruleId: Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS,
+            value: sinkContextPositive.value,
+            sinkContext: sinkContextPositive,
+            exploitMetadata: [{ command }],
+            blocked: false
+          },
+          {
+            mappedId: Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS,
+            ruleId: Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS,
+            value: sinkContextPositive.value,
+            sinkContext: sinkContextPositive,
+            exploitMetadata: [{ command }],
+            blocked: false
+          },
+        ]
+      },
+      {
+        blocks: true,
+        sourceContext: makeSourceContext(
+          [], {
+            [Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS]: 'block'
+          }
+        ),
+        expectedResults: [
+          {
+            mappedId: Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS,
+            ruleId: Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS,
+            value: sinkContextPositive.value,
+            sinkContext: sinkContextPositive,
+            exploitMetadata: [{ command }],
+            blocked: true
+          },
+        ]
+      },
+      {
+        blocks: false,
+        sourceContext: makeSourceContext(
+          [], {
+            [Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS]: 'off'
+          }
+        ),
+        expectedResults: undefined,
+      }
+    ].forEach(({ blocks, sourceContext, expectedResults }) => {
+      it(makeTestDescription(blocks), function () {
+        const testFn = () => {
+          handlers.handleCmdInjectionSemanticChainedCommands(sourceContext, sinkContextPositive);
+          handlers.handleCmdInjectionSemanticChainedCommands(sourceContext, sinkContextPositive);
+          handlers.handleCmdInjectionSemanticChainedCommands(sourceContext, sinkContextNegative);
+        };
+
+        const test = expect(testFn);
+        blocks ? test.to.throw('SecurityException') : test.not.to.throw();
+
+
+        const cmdiSDPResults = sourceContext.resultsMap[Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS];
+        expect(cmdiSDPResults).to.deep.equal(expectedResults);
+      });
+    });
+  });
+
+  describe('handleCommandInjectionCommandBackdoors()', function () {
+    const sinkContextPositive = {
+      name: 'child_process.execSync',
+      value: 'ls .',
+      stack: [],
+    };
+    const sinkContextPositiveV2 = {
+      name: 'child_process.execSync',
+      value: '/bin/sh -c "cat /etc/passwd"',
+      stack: [],
+    };
+    const sinkContextNegative = {
+      name: 'child_process.execSync',
+      value: 'f',
+      stack: []
+    };
+    const command = 'ls .';
+
+    [
+      {
+        blocks: false,
+        sourceContext: makeSourceContext([]),
+        expectedResults: [
+          {
+            sinkContext: sinkContextPositive,
+            exploitMetadata: [{ command }],
+            inputType: 'HEADER',
+            key: 'malicious-header',
+            path: [],
+            blocked: false,
+            value: 'ls .',
+            mappedId: Rule.CMD_INJECTION_COMMAND_BACKDOORS,
+            ruleId: Rule.CMD_INJECTION_COMMAND_BACKDOORS,
+          },
+          {
+            sinkContext: sinkContextPositiveV2,
+            exploitMetadata: [{ command: '/bin/sh -c "cat /etc/passwd"' }],
+            inputType: 'JSON_VALUE',
+            key: 'command',
+            path: ['some', 'hidden'],
+            blocked: false,
+            value: '/bin/sh -c "cat /etc/passwd"',
+            mappedId: Rule.CMD_INJECTION_COMMAND_BACKDOORS,
+            ruleId: Rule.CMD_INJECTION_COMMAND_BACKDOORS,
+          },
+        ]
+      },
+      {
+        blocks: true,
+        sourceContext: makeSourceContext(
+          [], {
+            [Rule.CMD_INJECTION_COMMAND_BACKDOORS]: 'block'
+          }
+        ),
+        expectedResults: [
+          {
+            sinkContext: sinkContextPositive,
+            exploitMetadata: [{ command }],
+            inputType: 'HEADER',
+            key: 'malicious-header',
+            path: [],
+            blocked: true,
+            value: 'ls .',
+            mappedId: Rule.CMD_INJECTION_COMMAND_BACKDOORS,
+            ruleId: Rule.CMD_INJECTION_COMMAND_BACKDOORS,
+          },
+        ]
+      },
+      {
+        blocks: false,
+        sourceContext: makeSourceContext(
+          [], {
+            [Rule.CMD_INJECTION_COMMAND_BACKDOORS]: 'off'
+          }
+        ),
+        expectedResults: undefined,
+      }
+    ].forEach(({ blocks, sourceContext, expectedResults }) => {
+      it(makeTestDescription(blocks), function () {
+        sourceContext.reqData = {
+          headers: ['some-other-header', 'and-its-value', 'malicious-header', 'ls .']
+        };
+        sourceContext.parsedBody = { some: { hidden: { command: '-c "cat /etc/passwd"' } } };
+        const testFn = () => {
+          handlers.handleCommandInjectionCommandBackdoors(sourceContext, sinkContextPositive);
+          handlers.handleCommandInjectionCommandBackdoors(sourceContext, sinkContextPositiveV2);
+          handlers.handleCommandInjectionCommandBackdoors(sourceContext, sinkContextNegative);
+        };
+
+        const test = expect(testFn);
+        blocks ? test.to.throw('SecurityException') : test.not.to.throw();
+
+
+        const cmdiSDPResults = sourceContext.resultsMap[Rule.CMD_INJECTION_COMMAND_BACKDOORS];
+        expect(cmdiSDPResults).to.deep.equal(expectedResults);
+      });
+    });
+  });
+
+  describe('handlePathTraversalFileSecurityBypass()', function () {
+    const sinkContextNegative = {
+      name: 'fs.writeFile',
+      value: 'f',
+      stack: []
+    };
+    const sinkContexts = [{ name: 'fs.readFileSync', value: 'c:\textfile.txt::$DATA' }];
+
+    if (os.platform() !== 'win32') {
+      sinkContexts.push({ name: 'fs.readFile', value: '/etc/passwd' });
+    }
+
+    [
+      {
+        blocks: false,
+        sourceContext: makeSourceContext([]),
+        sinkContexts,
+        expectedResults: sinkContexts.map((ctx) => ({
+          sinkContext: ctx,
+          exploitMetadata: [{ path: ctx.value }],
+          blocked: false,
+          mappedId: Rule.PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS,
+          ruleId: Rule.PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS,
+          value: ctx.value
+        })),
+      },
+      {
+        blocks: true,
+        sourceContext: makeSourceContext([], {
+          [Rule.PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS]: 'block',
+        }),
+        sinkContexts,
+        expectedResults: [{
+          sinkContext: sinkContexts[0],
+          exploitMetadata: [{ path: sinkContexts[0].value }],
+          blocked: true,
+          mappedId: Rule.PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS,
+          ruleId: Rule.PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS,
+          value: sinkContexts[0].value
+        }],
+      },
+      {
+        blocks: false,
+        sinkContexts,
+        sourceContext: makeSourceContext([], {
+          [Rule.PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS]: 'off',
+        }),
+        expectedResults: undefined,
+      }
+    ].forEach(({ blocks, sourceContext, sinkContexts, expectedResults }) => {
+      it(makeTestDescription(blocks), function () {
+        const testFn = () => {
+          sinkContexts.forEach((sinkContext) => {
+            handlers.handlePathTraversalFileSecurityBypass(sourceContext, sinkContext);
+          });
+          handlers.handlePathTraversalFileSecurityBypass(sourceContext, sinkContextNegative);
+        };
+
+        const test = expect(testFn);
+        blocks ? test.to.throw('SecurityException') : test.not.to.throw();
+
+        const results = sourceContext.resultsMap[Rule.PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS];
+        expect(results).to.deep.equal(expectedResults);
+      });
+    });
+  });
+});

package/lib/semantic-analysis/index.test.js

@@ -0,0 +1,38 @@
+'use strict';
+
+const { expect } = require('chai');
+const sinon = require('sinon');
+const proxyquire = require('proxyquire');
+const mocks = require('@contrast/test/mocks');
+
+describe('protect semantic-analysis', function () {
+  let core, installStub, hooksMock;
+
+  beforeEach(function () {
+    core = mocks.core();
+    core.protect = {};
+    core.scopes = mocks.scopes();
+    core.depHooks = mocks.depHooks();
+    core.instrumentation = mocks.instrumentation();
+    installStub = sinon.stub();
+    hooksMock = (hookProp) => function (core) {
+      if (core.protect.semanticAnalysis) {
+        core.protect.semanticAnalysis[hookProp] = { install: installStub };
+      } else {
+        core.protect.semanticAnalysis = {
+          [hookProp]: { install: installStub }
+        };
+      }
+    };
+  });
+
+  it('calls the install() method of the required hooks', function () {
+    const hooks = proxyquire('.', {
+      './install/libxmljs': hooksMock('libxmljsInstrumentation')
+    })(core);
+
+    expect(installStub).not.to.have.been.called;
+    hooks.install();
+    expect(installStub).to.have.callCount(1);
+  });
+});

package/lib/semantic-analysis/install/libxmljs.test.js

@@ -0,0 +1,156 @@
+'use strict';
+
+const sinon = require('sinon');
+const { expect } = require('chai');
+const patcher = require('@contrast/patcher');
+const mocks = require('@contrast/test/mocks');
+const SecurityException = require('../../security-exception');
+
+describe('protect semantic-analysis libxmljs', function () {
+  const store = { protect: {} };
+  let core, modules;
+
+  beforeEach(function () {
+    core = mocks.core();
+    core.logger = mocks.logger();
+    core.depHooks = mocks.depHooks();
+    core.scopes = mocks.scopes();
+    sinon.stub(core.scopes.sources, 'getStore').returns(store);
+    core.patcher = patcher(core);
+    core.protect = mocks.protect();
+
+
+    modules = {
+      'libxmljs@0': {
+        parseXml: sinon.stub().returns({})
+      },
+
+      'libxmljs@1': {
+        parseXml: sinon.stub().returns({})
+      },
+
+      'libxmljs2': {
+        parseXml: sinon.stub().returns({})
+      },
+    };
+
+    core.depHooks.resolve
+      .withArgs({ name: 'libxmljs', version: '>=1' })
+      .yields(modules['libxmljs@1'], { name: 'libxmljs', version: '1.0.9' });
+    core.depHooks.resolve
+      .withArgs({ name: 'libxmljs', version: '<1' })
+      .yields(modules['libxmljs@0'], { name: 'libxmljs', version: '0.19.10' });
+    core.depHooks.resolve
+      .withArgs({ name: 'libxmljs2' })
+      .yields(modules.libxmljs2, { name: 'libxmljs2', version: '0.32.0' });
+
+    require('../../get-source-context')(core);
+    require('./libxmljs')(core).install();
+  });
+
+  ['libxmljs@0', 'libxmljs@1', 'libxmljs2'].forEach((name) => {
+    describe(name, function () {
+      it('skips instrumentation if sourceContext is missing', function () {
+        core.scopes.sources.getStore.returns(undefined);
+
+        modules[name].parseXml('value');
+
+        expect(core.protect.semanticAnalysis.handleXXE).not.to.have.been.called;
+      });
+
+      it('skips instrumentation if the value is not provided or not a string', function () {
+        [
+          undefined,
+          null,
+          () => ({}),
+          {},
+          1,
+          NaN,
+          true
+        ].forEach(value => {
+          modules[name].parseXml(value);
+        });
+
+        expect(core.protect.semanticAnalysis.handleXXE).not.to.have.been.called;
+      });
+
+      it('skips instrumentation if noent is set to false', function () {
+        modules[name].parseXml('string', { noent: false });
+
+        expect(core.protect.semanticAnalysis.handleXXE).not.to.have.been.called;
+      });
+
+      if (name === 'libxmljs@1') {
+        it('skips instrumentation if replaceEntities is set to false', function () {
+          modules[name].parseXml('string', { replaceEntities: false });
+
+          expect(core.protect.semanticAnalysis.handleXXE).not.to.have.been.called;
+        });
+      }
+
+      it('calls handleXXE with sourceContext and sinkContext when noent: true', function () {
+        const nameWithoutVersion = name.split('@')[0];
+        const sinkContext = {
+          name: `${nameWithoutVersion}:parseXml`,
+          value: 'string1',
+          stacktraceOpts: {
+            constructorOpt: modules[name].parseXml,
+            prependFrames: [sinon.match.func]
+          }
+        };
+
+        modules[name].parseXml('string1', { noent: true });
+
+        expect(core.protect.semanticAnalysis.handleXXE).to.have.been.calledWith(
+          store.protect,
+          sinkContext
+        );
+      });
+
+      if (name === 'libxmljs@1') {
+        it('calls handleXXE with sourceContext and sinkContext when replaceEntities: true', function () {
+          const nameWithoutVersion = name.split('@')[0];
+          const sinkContext = {
+            name: `${nameWithoutVersion}:parseXml`,
+            value: 'string1',
+            stacktraceOpts: {
+              constructorOpt: modules[name].parseXml,
+              prependFrames: [sinon.match.func]
+            }
+          };
+
+          modules[name].parseXml('string1', { replaceEntities: true });
+
+          expect(core.protect.semanticAnalysis.handleXXE).to.have.been.calledWith(
+            store.protect,
+            sinkContext
+          );
+        });
+      }
+
+      it('logs an error when handleXXE throws an unknown error', function () {
+        const nameWithoutVersion = name.split('@')[0];
+        const err = new Error('unknown!');
+        core.protect.semanticAnalysis.handleXXE.throws(err);
+
+        expect(() =>
+          modules[name].parseXml('string1', { noent: true })
+        ).not.to.throw();
+
+        expect(core.logger.error).to.have.been.calledWith(
+          { err, funcKey: `protect-semantic-analysis:${nameWithoutVersion}:parseXml` },
+          'Unexpected error during semantic analysis'
+        );
+      });
+
+      it('throws a SecurityException when handleXXE throws one', function () {
+        const err = SecurityException.create();
+        core.protect.semanticAnalysis.handleXXE.throws(err);
+
+        expect(() =>
+          modules[name].parseXml('string1', { noent: true })
+        ).to.throw(err);
+      });
+    });
+  });
+});