@contrast/protect 1.4.0 → 1.6.0

package/lib/semantic-analysis/handlers.js

@@ -16,7 +16,9 @@
 'use strict';
 
 const {
+  Rule,
   BLOCKING_MODES,
+  ProtectRuleMode: { OFF },
   InputType,
   isString,
   simpleTraverse
@@ -25,12 +27,17 @@ const {
 const SINK_EXPLOIT_PATTERN_START = /(?:^|\\|\/)(?:sh|bash|zsh|ksh|tcsh|csh|fish|cmd)/;
 const stripWhiteSpace = (str) => str.replace(/\s/g, '');
 
-// The sink instrumentation for this rule is in `protect/lib/input-tracing/install/child-process.js
+const getRuleResults = function(obj, prop) {
+  return obj[prop] || (obj[prop] = []);
+};
+
+// Semantic analysis currently shares instrumentation with the input-tracing sinks.
+// See files in protect/lib/input-tracing/install/.
+
 module.exports = function(core) {
   const { protect: { agentLib, semanticAnalysis, throwSecurityException } } = core;
 
   function handleResult(sourceContext, sinkContext, ruleId, mode, finding) {
-    const sinkResults = sourceContext.findings.semanticResultsMap[ruleId];
     const result = {
       blocked: false,
       findings: { command: sinkContext.value },
@@ -38,7 +45,7 @@ module.exports = function(core) {
       ...finding
     };
 
-    sourceContext.findings.semanticResultsMap[ruleId] = sinkResults ? [...sinkResults, result] : [result];
+    getRuleResults(sourceContext.findings.semanticResultsMap, ruleId).push(result);
 
     if (BLOCKING_MODES.includes(mode)) {
       result.blocked = true;
@@ -49,41 +56,50 @@ module.exports = function(core) {
   }
 
   semanticAnalysis.handleCmdInjectionSemanticDangerous = function(sourceContext, sinkContext) {
-    const ruleId = 'cmd-injection-semantic-dangerous-paths';
-    const { mode } = sourceContext.rules.agentRules[ruleId];
+    const mode = sourceContext.policy[Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS];
 
-    if (mode == 'off') return;
+    if (mode == OFF) return;
 
     const result = agentLib.containsDangerousPath(sinkContext.value);
 
     if (result) {
-      handleResult(sourceContext, sinkContext, ruleId, mode);
+      handleResult(sourceContext, sinkContext, Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS, mode);
     }
   };
 
   semanticAnalysis.handleCmdInjectionSemanticChainedCommands = function(sourceContext, sinkContext) {
-    const ruleId = 'cmd-injection-semantic-chained-commands';
-    const { mode } = sourceContext.rules.agentRules[ruleId];
+    const mode = sourceContext.policy[Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS];
 
-    if (mode == 'off') return;
+    if (mode == OFF) return;
 
     const indexOfChaining = agentLib.indexOfChaining(sinkContext.value);
 
     if (indexOfChaining != -1) {
-      handleResult(sourceContext, sinkContext, ruleId, mode);
+      handleResult(sourceContext, sinkContext, Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS, mode);
     }
   };
 
   semanticAnalysis.handleCommandInjectionCommandBackdoors = function(sourceContext, sinkContext) {
-    const ruleId = 'cmd-injection-command-backdoors';
-    const { mode } = sourceContext.rules.agentRules[ruleId];
+    const mode = sourceContext.policy[Rule.CMD_INJECTION_COMMAND_BACKDOORS];
 
-    if (mode == 'off') return;
+    if (mode == OFF) return;
 
     const finding = findBackdoorInjection(sourceContext, sinkContext.value);
 
     if (finding) {
-      handleResult(sourceContext, sinkContext, ruleId, mode, finding);
+      handleResult(sourceContext, sinkContext, Rule.CMD_INJECTION_COMMAND_BACKDOORS, mode, finding);
+    }
+  };
+
+  semanticAnalysis.handlePathTraversalFileSecurityBypass = function(sourceContext, sinkContext) {
+    const mode = sourceContext.policy[Rule.PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS];
+
+    if (mode == OFF) return;
+
+    if (agentLib.isDangerousPath(sinkContext.value, true)) {
+      handleResult(sourceContext, sinkContext, Rule.PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS, mode, {
+        findings: { path: sinkContext.value }
+      });
     }
   };
 
@@ -118,20 +134,22 @@ function findBackdoorInjection(sourceContext, command) {
       simpleTraverse(values, (path, type, value, obj) => {
         if (
           !found &&
-            value &&
-            type === 'Value' &&
-            isString(value) &&
-            isBackdoorDetected(value, command)
+          type === 'Value' &&
+          isBackdoorDetected(value, command)
         ) {
           let key;
-          key = inputType === InputType.HEADER ? obj.indexOf(command) - 1 : path[path.length - 1];
-          if (Number.isInteger(key) && obj[key]) {
-            key = obj[key];
+          if (inputType === InputType.HEADER) {
+            key = obj[path[0] - 1]
+          } else {
+            key = path[path.length - 1];
           }
-          path = path.length === 1 ? [] : Array.from(path).slice(0, path.length - 1);
-          inputType = path.length > 1 ? InputType.JSON_VALUE : inputType;
 
-          found = { key, inputType, path, value: command };
+          found = {
+            key,
+            inputType: path.length > 1 ? InputType.JSON_VALUE : inputType,
+            path: path.slice(0, -1),
+            value: command
+          };
         }
       });
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.4.0",
+  "version": "1.6.0",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -19,10 +19,10 @@
   "dependencies": {
     "@babel/template": "^7.16.7",
     "@babel/types": "^7.16.8",
-    "@contrast/agent-lib": "^5.0.0",
-    "@contrast/common": "1.1.0",
-    "@contrast/core": "1.3.0",
-    "@contrast/esm-hooks": "1.1.4",
+    "@contrast/agent-lib": "^5.1.0",
+    "@contrast/common": "1.1.2",
+    "@contrast/core": "1.5.0",
+    "@contrast/esm-hooks": "1.1.6",
     "@contrast/scopes": "1.1.1",
     "builtin-modules": "^3.2.0",
     "ipaddr.js": "^2.0.1",

package/lib/input-analysis/install/fastify3.js

@@ -1,106 +0,0 @@
-/*
- * Copyright: 2022 Contrast Security, Inc
- * Contact: support@contrastsecurity.com
- * License: Commercial
-
- * NOTICE: This Software and the patented inventions embodied within may only be
- * used as part of Contrast Security’s commercial offerings. Even though it is
- * made available through public repositories, use of this Software is subject to
- * the applicable End User Licensing Agreement found at
- * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
- * between Contrast Security and the End User. The Software may not be reverse
- * engineered, modified, repackaged, sold, redistributed or otherwise used in a
- * way not consistent with the End User License Agreement.
- */
-
-'use strict';
-
-const { patchType } = require('../constants');
-const { isSecurityException } = require('../../security-exception');
-
-/**
- * Function that exports an install method to patch Fastify framework with our instrumentation
- * @param {Object} core - the core Contrast object in v5
- * @return {Object}     object with install method and the other relative functions exported for testing purposes
- */
-module.exports = (core) => {
-  const {
-    depHooks,
-    patcher,
-    logger,
-    protect,
-    protect: { inputAnalysis },
-  } = core;
-
-  /**
-   * registers a depHook for fastify module instrumentation
-   */
-  function install() {
-    depHooks.resolve({ name: 'fastify', version: '>=3.0.0' }, (fastify) => patchFastify(fastify));
-  }
-
-  /**
-   * The patch function for the depHooks callback
-   * @param {Object} fastify the fastify object returned from requiring the module
-   * @returns                a patched fastify object
-   */
-  function patchFastify(fastify) {
-    return patcher.patch(fastify, {
-      name: 'fastify.build',
-      patchType,
-      post({ result: server }) {
-        server.addHook('preValidation', preValidationHook);
-      },
-    });
-  }
-
-  /**
-   * Fastify lifecycle hook as defined in official docs.
-   * @external https://www.fastify.io/docs/latest/Reference/Hooks/#prevalidation
-   * @param {Fastify.Request} request incoming request
-   * @param {Fastify.Reply}   reply   unbuilt outgoing response
-   * @param {Function}        done    callback to signal the hook is finished.
-   */
-  function preValidationHook(request, reply, done) {
-    const sourceContext = protect.getSourceContext('Fastify.preValidationHook');
-
-    let securityException;
-
-    if (sourceContext) {
-      try {
-        if (request.params) {
-          sourceContext.parsedParams = request.params;
-          inputAnalysis.handleUrlParams(sourceContext, request.params);
-        }
-        if (request.cookies) {
-          sourceContext.parsedCookies = request.cookies;
-          inputAnalysis.handleCookies(sourceContext, request.cookies);
-        }
-        if (request.body) {
-          sourceContext.parsedBody = request.body;
-          inputAnalysis.handleParsedBody(sourceContext, request.body);
-        }
-
-        if (request.query) {
-          sourceContext.parsedQuery = request.query;
-          inputAnalysis.handleQueryParams(sourceContext, request.query);
-        }
-      } catch (err) {
-        if (isSecurityException(err)) {
-          securityException = err;
-        } else {
-          logger.error({ err }, 'Unexpected error during input analysis');
-        }
-      }
-    }
-
-    done(securityException);
-  }
-
-  const fastify3Instrumentation = inputAnalysis.fastify3Instrumentation = {
-    preValidationHook,
-    install,
-  };
-
-  return fastify3Instrumentation;
-};