@contrast/protect 1.4.0 → 1.6.0

package/lib/error-handlers/index.js

@@ -18,14 +18,17 @@
 module.exports = function(core) {
   const errorHandlers = core.protect.errorHandlers = {};
 
-  require('./install/fastify3')(core);
+  require('./install/fastify')(core);
   require('./install/koa2')(core);
   require('./install/express4')(core);
+  require('./install/hapi')(core);
 
   errorHandlers.install = function() {
-    errorHandlers.fastify3ErrorHandler.install();
-    errorHandlers.koa2ErrorHandler.install();
-    errorHandlers.express4ErrorHandler.install();
+    for (const component of Object.values(errorHandlers)) {
+      if (component.install) {
+        component.install();
+      }
+    }
   };
 
   return errorHandlers;

package/lib/error-handlers/install/{fastify3.js → fastify.js}

@@ -25,7 +25,7 @@ module.exports = function(core) {
     protect,
   } = core;
 
-  const fastify3ErrorHandler = protect.errorHandlers.fastify3ErrorHandler = {
+  const fastifyErrorHandler = protect.errorHandlers.fastifyErrorHandler = {
     _userHandler: null
   };
 
@@ -33,7 +33,7 @@ module.exports = function(core) {
    * This is the default handler from fastify's source code. If it's not a
    * Contrast error and the user didn't supply their own we should use this.
    */
-  fastify3ErrorHandler.defaultErrorHandler = function (error, request, reply) {
+  fastifyErrorHandler.defaultErrorHandler = function (error, request, reply) {
     if (reply.statusCode < 500) {
       reply.log.info({ res: reply, err: error }, error && error.message);
     } else {
@@ -47,17 +47,17 @@ module.exports = function(core) {
 
   /**
    * Check if the error being handled was thrown by Contrast. If not,
-   * use either the default fastify3 error handler or the user-defined handler
+   * use either the default fastify error handler or the user-defined handler
    * if one was specified by calling fastify.setErrorHandler(fn).
    * @param {error} err error being handled
    * @param {object} request fastify request
    * @param {object} reply fastify repoly
    */
-  fastify3ErrorHandler.handler = function(err, request, reply) {
-    const normalHandler = fastify3ErrorHandler._userHandler || fastify3ErrorHandler.defaultErrorHandler;
+  fastifyErrorHandler.handler = function(err, request, reply) {
+    const normalHandler = fastifyErrorHandler._userHandler || fastifyErrorHandler.defaultErrorHandler;
 
     if (isSecurityException(err)) {
-      const sourceContext = protect.getSourceContext('fastify3.errorHandler');
+      const sourceContext = protect.getSourceContext('fastify.errorHandler');
 
       if (!sourceContext) {
         normalHandler.call(this, err, request, reply);
@@ -73,14 +73,14 @@ module.exports = function(core) {
   /**
    * Instruments fastify in order to add our custom error handler.
    */
-  fastify3ErrorHandler.install = function() {
-    depHooks.resolve({ name: 'fastify', version: '<=4.0.0' }, (fastify) => patcher.patch(fastify, {
+  fastifyErrorHandler.install = function() {
+    depHooks.resolve({ name: 'fastify', version: '<=3 <5' }, (fastify) => patcher.patch(fastify, {
       name: 'fastify',
       patchType,
       post(data) {
         const { result: server } = data;
         // Set our custom handler initially
-        server.setErrorHandler(fastify3ErrorHandler.handler);
+        server.setErrorHandler(fastifyErrorHandler.handler);
 
         // Patch, so that if someone sets their own, we override with ours. But,
         // we do need to keep a reference to it so we can still call it for when
@@ -89,13 +89,13 @@ module.exports = function(core) {
           name: 'fastify.setErrorHandler',
           patchType,
           pre({ args }) {
-            fastify3ErrorHandler._userHandler = args[0];
-            args[0] = fastify3ErrorHandler.handler;
+            fastifyErrorHandler._userHandler = args[0];
+            args[0] = fastifyErrorHandler.handler;
           }
         });
       }
     }));
   };
 
-  return fastify3ErrorHandler;
+  return fastifyErrorHandler;
 };

package/lib/error-handlers/install/hapi.js

@@ -0,0 +1,75 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const SecurityException = require('../../security-exception');
+const { patchType } = require('../constants');
+
+
+module.exports = function (core) {
+  const {
+    logger,
+    depHooks,
+    patcher,
+    protect,
+  } = core;
+
+  const hapiErrorHandler = protect.errorHandlers.hapiErrorHandler = {};
+
+  const registerErrorHandler = (boom, name) => {
+    patcher.patch(boom, 'boomify', {
+      name: `${name}.boomify`,
+      patchType,
+      post(data) {
+        const [err] = data.args;
+        const sourceContext = protect.getSourceContext('Hapi.boom.boomify');
+        const isSecurityException = SecurityException.isSecurityException(err);
+
+        if (isSecurityException && sourceContext && err.output.statusCode !== 403) {
+          const [mode, ruleId] = sourceContext.findings.securityException;
+          sourceContext.block('block', 'cmd-injection');
+
+          err.output.statusCode = 403;
+          err.reformat();
+          err.output.payload = undefined;
+          data.result = null;
+
+          logger.info({ mode, ruleId }, 'Request blocked');
+
+          return;
+        }
+
+        if (!sourceContext && isSecurityException) {
+          logger.info('source context not found; unable to handle response');
+        }
+      }
+    });
+  };
+
+  hapiErrorHandler.install = function () {
+    depHooks.resolve(
+      { name: 'boom' },
+      (boom) => registerErrorHandler(boom, 'boom'),
+    );
+
+    depHooks.resolve(
+      { name: '@hapi/boom' },
+      (boom) => registerErrorHandler(boom, '@hapi/boom'),
+    );
+  };
+
+  return hapiErrorHandler;
+};

package/lib/hardening/handlers.js

@@ -37,7 +37,7 @@ module.exports = function(core) {
 
   hardening.handleUntrustedDeserialization = function(sourceContext, sinkContext) {
     const ruleId = 'untrusted-deserialization';
-    const { mode } = sourceContext.rules.agentRules[ruleId];
+    const mode = sourceContext.policy[ruleId];
     const { name, value } = sinkContext;
 
     if (mode === 'off') return;

package/lib/index.js

@@ -16,20 +16,14 @@
 'use strict';
 
 const agentLib = require('@contrast/agent-lib');
+const { installChildComponentsSync } = require('@contrast/common');
 
 module.exports = function(core) {
   const protect = core.protect = {
     agentLib: module.exports.instantiateAgentLib(agentLib),
   };
 
-  const rules = instantiateRulesFromConfig(
-    core.config.protect.rules,
-    core.config.protect.disabled_rules,
-    protect.agentLib,
-  );
-
-  protect.rules = rules;
-
+  require('./policy')(core);
   require('./throw-security-exception')(core);
   require('./make-response-blocker')(core);
   require('./make-source-context')(core);
@@ -44,10 +38,7 @@ module.exports = function(core) {
   protect.version = pkj.version;
 
   protect.install = function() {
-    protect.inputAnalysis.install();
-    protect.inputTracing.install();
-    protect.hardening.install();
-    protect.errorHandlers.install();
+    installChildComponentsSync(protect);
   };
 
   return protect;
@@ -71,38 +62,3 @@ function instantiateAgentLib(lib) {
   }
   return agentLib;
 }
-
-/**
- * This function instatiates the rules as defined in the configuration into
- * some structure. I'm in no way convinced or asserting that this is the right
- * structure but it does get a usable definition of rules in place. The final
- * structure will change based on what exactly TS sends as well as what the needs
- * of the code accessing the rules, exclusions, virtual-patches, etc.
- *
- * @param {Object} rules the rules object in the config.protect object.
- * @param {string[]} disabled array of disabled rules from config.protect
- * @param {Object} agentLib the agent-lib instance
- * @returns {Object} { agentLibRules, agentLibRulesMask, agentRules }
- */
-function instantiateRulesFromConfig(rules, disabled, agentLib) {
-  const agentLibRules = {};
-  let agentLibRulesMask = 0;
-  const agentRules = {};
-
-  for (const ruleId in rules) {
-    if (disabled.indexOf(ruleId) >= 0 || rules[ruleId].mode === 'off') {
-      continue;
-    }
-    // [matt] this is awkward. we should probably make each nosql-injection-x
-    // rule separate in the config and only convert them to 'nosql-injection'
-    // for reporting.
-    if (agentLib.RuleType[ruleId]) {
-      agentLibRules[ruleId] = rules[ruleId];
-      agentLibRulesMask = agentLibRulesMask | agentLib.RuleType[ruleId];
-    } else {
-      agentRules[ruleId] = rules[ruleId];
-    }
-  }
-
-  return { agentLibRules, agentLibRulesMask, agentRules };
-}

package/lib/input-analysis/handlers.js

@@ -17,6 +17,7 @@
 
 const { BLOCKING_MODES, simpleTraverse } = require('@contrast/common');
 const address = require('ipaddr.js');
+const { Rule } = require('@contrast/common');
 
 //
 // these rules are not implemented by agent-lib, but are being considered for
@@ -54,6 +55,7 @@ module.exports = function(core) {
       agentLib,
       inputAnalysis,
     },
+    config,
   } = core;
 
   // all handlers will be invoked with two arguments:
@@ -113,26 +115,82 @@ module.exports = function(core) {
   inputAnalysis.handleConnect = function handleConnect(sourceContext, connectInputs) {
     if (!sourceContext || sourceContext.allowed) return;
 
-    const { rules: { agentLibRules, agentLibRulesMask: mask } } = sourceContext;
+    const { policy: { rulesMask } } = sourceContext;
 
     inputAnalysis.handleVirtualPatches(sourceContext, { URLS: connectInputs.rawUrl, HEADERS: connectInputs.headers });
 
     // initialize findings to the basics
     let block = undefined;
-    if (mask !== 0) {
-      const findings = agentLib.scoreRequestConnect(mask, connectInputs, preferWW);
-      block = mergeFindings(agentLibRules, sourceContext.findings, findings);
+    if (rulesMask !== 0) {
+      const findings = agentLib.scoreRequestConnect(rulesMask, connectInputs, preferWW);
+      block = mergeFindings(sourceContext, findings);
     }
 
     return block;
   };
 
-  // this is called before the request goes away. this is where probe detection takes
-  // place. basically loop through findings.resultsList and, for all those that weren't
-  // blocked, run scoreAtom() with preferWorthWatching: false. for any that have a score
-  // >= 90 report them as probes.
+  /**
+   * handleRequestEnd()
+   *
+   * Invoked when the request is complete.
+   *
+   * @param {Object} sourceContext
+   */
   inputAnalysis.handleRequestEnd = function handleRequestEnd(sourceContext) {
-    throw new Error('nyi', sourceContext);
+    if (!config.protect.probe_analysis.enable) return;
+
+    const { resultsMap } = sourceContext.findings;
+    const probesRules = [Rule.CMD_INJECTION, Rule.PATH_TRAVERSAL, Rule.SQL_INJECTION, Rule.XXE];
+    const props = {};
+
+    // Detecting probes
+    Object.values(resultsMap).forEach(resultsByRuleId => {
+      resultsByRuleId.forEach((resultByRuleId) => {
+        const {
+          ruleId,
+          blocked,
+          details,
+          value,
+          inputType
+        } = resultByRuleId;
+        if (blocked || !blocked && details.length > 0 || !probesRules.some(rule => rule === ruleId)) return;
+
+        const { policy: { rulesMask } } = sourceContext;
+
+        const results = (agentLib.scoreAtom(
+          rulesMask,
+          value,
+          agentLib.InputType[inputType],
+          {
+            preferWorthWatching: false
+          }
+        ) || []).filter(({ score }) => score >= 90);
+
+        if (!results.length) return;
+
+        results.forEach(result => {
+          const isAlreadyBlocked = (resultsMap[result.ruleId] || []).some(element =>
+            element.blocked && element.inputType === inputType && element.value === value
+          );
+
+          if (isAlreadyBlocked) return;
+
+          const probe = Object.assign({}, resultByRuleId, result, {
+            mappedId: result.ruleId
+          });
+          const key = [probe.ruleId, probe.inputType, ...probe.path, probe.value].join('|');
+          props[key] = probe;
+        });
+      });
+    });
+
+    Object.values(props).forEach(prop => {
+      if (!resultsMap[prop.ruleId]) {
+        resultsMap[prop.ruleId] = [];
+      }
+
+      resultsMap[prop.ruleId].push(prop);
+    });
   };
 
   const jsonInputTypes = {
@@ -198,7 +256,7 @@ module.exports = function(core) {
 
     inputAnalysis.handleVirtualPatches(sourceContext, { PARAMETERS: urlParams });
 
-    const { rules, rules: { agentLibRulesMask: mask } } = sourceContext;
+    const { policy: { rulesMask } } = sourceContext;
     const resultsList = [];
     const { UrlParameter } = agentLib.InputType;
 
@@ -207,7 +265,7 @@ module.exports = function(core) {
       if (type !== 'Value') {
         return;
       }
-      const items = agentLib.scoreAtom(mask, value, UrlParameter, preferWW);
+      const items = agentLib.scoreAtom(rulesMask, value, UrlParameter, preferWW);
       if (!items) {
         return;
       }
@@ -236,7 +294,7 @@ module.exports = function(core) {
       resultsList,
     };
 
-    const block = mergeFindings(rules.agentLibRules, sourceContext.findings, urlParamsFindings);
+    const block = mergeFindings(sourceContext, urlParamsFindings);
 
     if (block) {
       core.protect.throwSecurityException(sourceContext);
@@ -262,10 +320,10 @@ module.exports = function(core) {
 
     inputAnalysis.handleVirtualPatches(sourceContext, { HEADERS: cookies });
 
-    const { rules, rules: { agentLibRulesMask: mask } } = sourceContext;
-    const cookieFindings = agentLib.scoreRequestConnect(mask, { cookies: cookiesArr }, preferWW);
+    const { policy: { rulesMask } } = sourceContext;
+    const cookieFindings = agentLib.scoreRequestConnect(rulesMask, { cookies: cookiesArr }, preferWW);
 
-    const block = mergeFindings(rules.agentLibRules, sourceContext.findings, cookieFindings);
+    const block = mergeFindings(sourceContext, cookieFindings);
 
     if (block) {
       core.protect.throwSecurityException(sourceContext);
@@ -397,11 +455,12 @@ module.exports = function(core) {
    * @returns {Array | undefined} returns an array with block info if vulnerability was found.
    */
   function commonObjectAnalyzer(sourceContext, object, inputTypes) {
-    const { rules, rules: { agentLibRulesMask: mask } } = sourceContext;
+    const { policy: { rulesMask } } = sourceContext;
+    if (!rulesMask) return;
+
     // use inputTypes to set params...
     const { keyType, inputType } = inputTypes;
     const inputTypeStr = inputTypes === jsonInputTypes ? 'Json' : 'Parameter';
-    const { Where } = agentLib.MongoQueryType;
     const resultsList = [];
 
     // it's possible to optimize this if qs (or a similar package) is not loaded
@@ -420,7 +479,7 @@ module.exports = function(core) {
     /* eslint-disable-next-line complexity */
     simpleTraverse(object, function(path, type, value) {
       let itemType;
-      let mongoQueryType;
+      let isMongoQueryType;
       // this is a bit awkward now because nosql-injection-mongo is not integrated
       // into the scoreAtom() function (or the check_input() function it uses). as
       // a result, the two rules need to be checked independently and the results
@@ -428,14 +487,14 @@ module.exports = function(core) {
       // TODO AGENT-205
       if (type === 'Key') {
         itemType = keyType;
-        if (mask & agentLib.RuleType['nosql-injection-mongo']) {
-          mongoQueryType = agentLib.getMongoQueryType(value);
+        if (rulesMask & agentLib.RuleType['nosql-injection-mongo']) {
+          isMongoQueryType = agentLib.isMongoQueryType(value);
         }
       } else {
         itemType = inputType;
       }
-      let items = agentLib.scoreAtom(mask, value, itemType, preferWW);
-      if (!items && !mongoQueryType) {
+      let items = agentLib.scoreAtom(rulesMask, value, itemType, preferWW);
+      if (!items && !isMongoQueryType) {
         return;
       }
       if (!items) {
@@ -444,18 +503,13 @@ module.exports = function(core) {
       let mongoPath;
       // if the key was a mongo query key, then add it to the items. it requires
       // that additional information is kept as well.
-      if (mongoQueryType) {
+      if (isMongoQueryType) {
         const inputToCheck = getValueAtKey(object, path, value);
         // because scoreRequestConnect() returns the query type in the value, we
         // mimic it here (where scoreAtom() was used). the actual object/string
         // to match is stored as `inputToCheck`.
-        const inputType = typeof inputToCheck;
-        // query types up to Where, inclusive, accept either string or object values. Where and above accept only string values
-        if (mongoQueryType <= Where || inputType === 'string') {
-          // the query-type/input-type combination is valid. add a synthesized item.
-          const item = { ruleId: 'nosql-injection-mongo', score: 10, mongoContext: { inputToCheck } };
-          items.push(item);
-        }
+        const item = { ruleId: 'nosql-injection-mongo', score: 10, mongoContext: { inputToCheck } };
+        items.push(item);
       }
       // make each item a complete Finding
       for (const item of items) {
@@ -464,8 +518,7 @@ module.exports = function(core) {
           inputType: `${inputTypeStr}${type}`,
           path: mongoPath || path.slice(),
           key: type === 'Key' ? value : path[path.length - 1],
-          // mimic scoreRequestConnect() returning the query type as the value
-          value: mongoQueryType || value,
+          value,
           score: item.score,
           idsList: [],
         };
@@ -488,7 +541,7 @@ module.exports = function(core) {
       resultsList,
     };
 
-    return mergeFindings(rules.agentLibRules, sourceContext.findings, findings);
+    return mergeFindings(sourceContext, findings);
   }
 
   function ipListAnalysis(reqIp, reqHeaders, list) {
@@ -543,11 +596,13 @@ module.exports = function(core) {
  * @param {Object} newFindings the findings, in {trackRequest, resultsList} format.
  * @returns {undefined|[String]} undefined to permit else [mode, rule] to block.
  */
-function mergeFindings(rules, findings, newFindings) {
+function mergeFindings(sourceContext, newFindings) {
+  const { findings, policy } = sourceContext;
+
   if (!newFindings.trackRequest) {
     return findings.securityException;
   }
-  normalizeFindings(rules, newFindings);
+  normalizeFindings(policy, newFindings);
 
   findings.trackRequest = findings.trackRequest || newFindings.trackRequest;
   findings.securityException = findings.securityException || newFindings.securityException;
@@ -566,7 +621,7 @@ function mergeFindings(rules, findings, newFindings) {
 //
 // add common fields to findings.
 //
-function normalizeFindings(rules, findings) {
+function normalizeFindings(policy, findings) {
   // now both augment the rules and check to see if any require blocking
   // at perimeter.
   for (const r of findings.resultsList) {
@@ -590,7 +645,7 @@ function normalizeFindings(rules, findings) {
     // option and that implies that there is no sink, so this is the only place at
     // which the block can occur. so at a minimum 'block' should also result in a
     // block.
-    const { mode } = rules[r.ruleId];
+    const mode = policy[r.ruleId];
     if (r.score >= 90 && BLOCKING_MODES.includes(mode)) {
       r.blocked = true;
       findings.securityException = [mode, r.ruleId];

package/lib/input-analysis/index.js

@@ -15,6 +15,8 @@
 
 'use strict';
 
+const { installChildComponentsSync } = require('@contrast/common');
+
 module.exports = function(core) {
   const inputAnalysis = core.protect.inputAnalysis = {};
 
@@ -35,20 +37,17 @@ module.exports = function(core) {
   require('./install/universal-cookie4')(core);
 
   // framework specific instrumentation
-  require('./install/fastify3')(core);
+  require('./install/fastify')(core);
   require('./install/koa2')(core);
   require('./install/express4')(core);
+  require('./install/hapi')(core);
 
   // virtual patches
   require('./virtual-patches')(core);
   require('./ip-analysis')(core);
 
   inputAnalysis.install = function() {
-    Object.values(inputAnalysis)
-      .filter((property) => property.install)
-      .forEach((library) => {
-        library.install();
-      });
+    installChildComponentsSync(inputAnalysis);
   };
 
   return inputAnalysis;

package/lib/input-analysis/install/body-parser1.js

@@ -33,8 +33,18 @@ module.exports = (core) => {
       if (sourceContext && req.body && Object.keys(req.body).length) {
         sourceContext.parsedBody = req.body;
 
+        if (fnName === 'bodyParser.text' && typeof req.body === 'string') {
+          try {
+            sourceContext.parsedBody = JSON.parse(req.body);
+          } catch (err) {
+            logger.error({ err }, 'Error parsing with bodyParser.text()');
+            origNext();
+            return;
+          }
+        }
+
         try {
-          inputAnalysis.handleParsedBody(sourceContext, req.body);
+          inputAnalysis.handleParsedBody(sourceContext, sourceContext.parsedBody);
         } catch (err) {
           if (isSecurityException(err)) {
             securityException = err;

package/lib/input-analysis/install/fastify.js

@@ -0,0 +1,84 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../constants');
+const { isSecurityException } = require('../../security-exception');
+
+/**
+ * Function that exports an install method to patch Fastify framework with our instrumentation
+ * @param {Object} core - the core Contrast object
+ * @return {Object}     object with install method and the other relative functions exported for testing purposes
+ */
+module.exports = (core) => {
+  const {
+    depHooks,
+    patcher,
+    logger,
+    protect,
+    protect: { inputAnalysis },
+  } = core;
+
+  /**
+   * registers a depHook for fastify module instrumentation
+   */
+  function install() {
+    depHooks.resolve({ name: 'fastify', version: '>=3 <5' }, (fastify) => patcher.patch(fastify, {
+      name: 'fastify.build',
+      patchType,
+      post({ result: server }) {
+        server.addHook('preValidation', function(request, reply, done) {
+          let securityException;
+          const sourceContext = protect.getSourceContext('Fastify.preValidationHook');
+
+          if (sourceContext) {
+            try {
+              if (request.params) {
+                sourceContext.parsedParams = request.params;
+                inputAnalysis.handleUrlParams(sourceContext, request.params);
+              }
+              if (request.cookies) {
+                sourceContext.parsedCookies = request.cookies;
+                inputAnalysis.handleCookies(sourceContext, request.cookies);
+              }
+              if (request.body) {
+                sourceContext.parsedBody = request.body;
+                inputAnalysis.handleParsedBody(sourceContext, request.body);
+              }
+
+              if (request.query) {
+                sourceContext.parsedQuery = request.query;
+                inputAnalysis.handleQueryParams(sourceContext, request.query);
+              }
+            } catch (err) {
+              if (isSecurityException(err)) {
+                securityException = err;
+              } else {
+                logger.error({ err }, 'Unexpected error during input analysis');
+              }
+            }
+          }
+
+          done(securityException);
+        });
+      },
+    }));
+  }
+
+  return inputAnalysis.fastifyInstrumentation = {
+    install,
+  };
+};