@contrast/protect 1.49.0 → 1.50.0

package/lib/error-handlers/index.js

@@ -25,7 +25,7 @@ module.exports = function(core) {
   require('./init-domain')(core);
 
   // installers
-  require('./install/express4')(core);
+  require('./install/express')(core);
   require('./install/fastify')(core);
   require('./install/hapi')(core);
   require('./install/koa2')(core);

package/lib/error-handlers/index.test.js

@@ -8,7 +8,7 @@ describe('protect error-handlers', function () {
   let core, errorHandlers;
 
   const installerList = [
-    'express4ErrorHandler',
+    'expressErrorHandler',
     'fastifyErrorHandler',
     'hapiErrorHandler',
     'koa2ErrorHandler',

package/lib/error-handlers/install/express.js

@@ -0,0 +1,162 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const SecurityException = require('../../security-exception');
+const { patchType } = require('../constants');
+
+module.exports = function (core) {
+  const {
+    logger,
+    depHooks,
+    patcher,
+    protect,
+  } = core;
+
+  const expressErrorHandler = protect.errorHandlers.expressErrorHandler = {};
+
+  function checkSecurityException(err, funcKey, orig, throwErr = false) {
+    const sourceContext = protect.getSourceContext();
+    const isSecurityException = SecurityException.isSecurityException(err);
+
+    if (isSecurityException && sourceContext) {
+      const blockInfo = sourceContext.securityException;
+
+      sourceContext.block(...blockInfo);
+      return;
+    }
+
+    if (!sourceContext && isSecurityException) {
+      logger.info({ funcKey }, 'source context not found; unable to handle response');
+      return;
+    }
+
+    if (throwErr) {
+      throw err;
+    } else {
+      return orig();
+    }
+  }
+
+  expressErrorHandler.install = function () {
+
+    // Express 4 and 5
+    depHooks.resolve({ name: 'finalhandler', version: '<3' }, (finalhandler) =>
+      patcher.patch(finalhandler, {
+        name: 'finalHandler',
+        patchType,
+        post(data) {
+          data.result = patcher.patch(data.result, {
+            name: 'finalHandler.returnedFunction',
+            patchType,
+            around(orig, data) {
+              const [err] = data.args;
+              checkSecurityException(err, data.funcKey, orig);
+            }
+          });
+        },
+      })
+    );
+
+    function postHook() {
+      return function(data) {
+        patcher.patch(data.result, 'handle', {
+          name: 'handle',
+          patchType,
+          post(data) {
+            data.result = data.result?.catch?.((err) => {
+              checkSecurityException(err, data.funcKey, data.orig, true);
+            });
+          }
+        });
+      };
+    }
+
+    // Express 4
+    depHooks.resolve({ name: 'express', version: '4', file: 'lib/router/layer.js' }, (Layer) => {
+
+      patcher.patch(Layer.prototype, 'handle_error', {
+        name: 'Layer.prototype.handle_error',
+        patchType,
+        around(orig, data) {
+          const [err] = data.args;
+          checkSecurityException(err, data.funcKey, orig);
+        }
+      });
+
+      return patcher.patch(Layer, {
+        name: 'Layer',
+        patchType,
+        post: postHook()
+      });
+
+    });
+
+    // Express 5
+    depHooks.resolve({ name: 'router', version: '2', file: 'lib/layer.js' }, (Layer) => {
+
+      patcher.patch(Layer.prototype, 'handleError', {
+        name: 'Layer.prototype.handleError',
+        patchType,
+        around(orig, data) {
+          const [err] = data.args;
+          checkSecurityException(err, data.funcKey, orig);
+        }
+      });
+
+      return patcher.patch(Layer, {
+        name: 'router.Layer',
+        patchType,
+        post: postHook()
+      });
+    });
+
+    function preHook() {
+      return function(data) {
+        if (typeof data.args[1] === 'function') {
+          patcher.patch(data.args, '1', {
+            name: 'express.route-handler',
+            patchType,
+            post(data) {
+              data.result = data.result?.catch?.((err) => {
+                checkSecurityException(err, data.funcKey, data.orig, true);
+              });
+            }
+          });
+        }
+      };
+    }
+
+    // Express 4
+    depHooks.resolve({ name: 'express', version: '4', file: 'lib/router/index.js' }, (Router) => {
+      patcher.patch(Router.prototype.constructor, 'param', {
+        name: 'Router.prototype.constructor.param',
+        patchType,
+        pre: preHook()
+      });
+    });
+
+    // Express 5
+    depHooks.resolve({ name: 'router', version: '2' }, (Router) => {
+      patcher.patch(Router.prototype, 'param', {
+        name: 'Router.prototype.param',
+        patchType,
+        pre: preHook()
+      });
+    });
+  };
+  return expressErrorHandler;
+};

package/lib/error-handlers/install/express.test.js

@@ -0,0 +1,290 @@
+/* eslint-disable */
+'use strict';
+
+const sinon = require('sinon');
+const { expect } = require('chai');
+const scopes = require('@contrast/scopes');
+const patcher = require('@contrast/patcher');
+const mocks = require('@contrast/test/mocks');
+const SecurityException = require('../../security-exception');
+
+describe('protect error-handlers express', function () {
+  let core, store, errorHandlerInstr;
+
+  const throwingHandler = (error) => async function () {
+    await Promise.reject(error);
+  };  
+
+  beforeEach(function () {
+    core = mocks.core();
+    core.config = mocks.config();
+    core.logger = mocks.logger();
+    core.scopes = scopes(core);
+    core.protect = mocks.protect();
+    require('../../get-source-context')(core);
+    core.depHooks = mocks.depHooks();
+    core.patcher = patcher(core);
+
+    store = {
+      protect: {
+        block: sinon.stub(),
+        securityException: ['block', 'cmd-injection']
+      }
+    };
+
+    sinon.spy(core.patcher, 'patch');
+  });
+
+  describe('finalhandler', function () {
+    let finalhandler, returnedFn;
+
+    beforeEach(function () {
+      finalhandler = function () {
+        return function () { };
+      };
+
+      core.depHooks.resolve.withArgs({ name: 'finalhandler', version: '<3' }).yields(finalhandler);
+
+      errorHandlerInstr = require('./express')(core);
+      errorHandlerInstr.install();
+
+      const patchedFinalhandler = core.patcher.patch.getCall(0).returnValue;
+      returnedFn = patchedFinalhandler();
+    });
+
+    it('should block the request when there is SecurityException', function () {
+      const error = SecurityException.create();
+
+      core.scopes.sources.run(store, () => {
+        returnedFn(error);
+        expect(core.logger.info).not.to.have.been.called;
+        expect(store.protect.block).to.have.been.calledWith('block', 'cmd-injection');
+      });
+    });
+
+    it('should not block the request when there is SecurityException but sourceContext is missing', function () {
+      const error = SecurityException.create();
+
+      core.scopes.sources.run({}, () => {
+        returnedFn(error);
+        expect(core.logger.info).to.have.been.calledWith(
+          { funcKey: 'protect-error-handling:finalHandler.returnedFunction' },
+          'source context not found; unable to handle response',
+        );
+      });
+    });
+
+    it('should skip the instrumentation when there is no SecurityException', function () {
+      const error = new Error('Error');
+
+      core.scopes.sources.run({}, () => {
+        returnedFn(error);
+        expect(core.logger.info).not.to.have.been.called;
+        expect(store.protect.block).not.to.have.been.called;
+      });
+    });
+  });
+
+  [
+    { name: 'express', version: '4', file: 'lib/router/layer.js' },
+    { name: 'router', version: '2', file: 'lib/layer.js' }
+  ].forEach((args) => {
+    const fn = args.name === 'express' ? 'handle_error' : 'handleError';
+    describe(`${args.name} Layer.prototype.${fn}`, function () {
+      let Layer;
+  
+      beforeEach(function () {
+        Layer = function () { };
+
+        Layer.prototype[fn] = function () { };
+  
+        core.depHooks.resolve.withArgs(args).yields(Layer);
+  
+        errorHandlerInstr = require('./express')(core);
+        errorHandlerInstr.install();
+      });
+  
+      it('should block the request when there is SecurityException', function () {
+        const error = SecurityException.create();
+  
+        core.scopes.sources.run(store, () => {
+          Layer.prototype[fn](error);
+          expect(core.logger.info).not.to.have.been.called;
+          expect(store.protect.block).to.have.been.calledWith('block', 'cmd-injection');
+        });
+      });
+  
+      it('should not block the request when there is SecurityException but sourceContext is missing', function () {
+        const error = SecurityException.create();
+  
+        core.scopes.sources.run({}, () => {
+          Layer.prototype[fn](error);
+          expect(core.logger.info).to.have.been.calledWith(
+            { funcKey: `protect-error-handling:Layer.prototype.${fn}` },
+            'source context not found; unable to handle response'
+          );
+        });
+      });
+  
+      it('should skip the instrumentation when there is no SecurityException', function () {
+        const error = new Error('Error');
+  
+        core.scopes.sources.run({}, () => {
+          Layer.prototype[fn](error);
+          expect(core.logger.info).not.to.have.been.called;
+          expect(store.protect.block).not.to.have.been.called;
+        });
+      });
+    });
+
+    describe(`${args.name} Layer handle`, function () {
+      let Layer, patchedLayer;
+      const error = SecurityException.create();
+      const fn = throwingHandler(error);
+      beforeEach(function () {
+        Layer = function () {
+          return {
+            handle: fn
+          }
+        };
+  
+        errorHandlerInstr = require('./express')(core);
+        errorHandlerInstr.install();
+        [patchedLayer] = core.depHooks.resolve.withArgs(args).yield(Layer);
+        });
+
+      it('should block the request when there is SecurityException', async function () {
+        await core.scopes.sources.run(store, async () => {
+          await patchedLayer().handle();
+        });
+        expect(core.logger.info).not.to.have.been.called;
+        expect(store.protect.block).to.have.been.calledWith('block', 'cmd-injection');
+      });
+
+      it('should not block the request when there is SecurityException but sourceContext is missing', async function () {
+        await core.scopes.sources.run({}, async () => {
+          await patchedLayer().handle();
+        });
+  
+        expect(core.logger.info).to.have.been.calledWith(
+          { funcKey: 'protect-error-handling:handle' },
+          'source context not found; unable to handle response',
+        );
+      });
+
+      it('should skip the instrumentation when there is no SecurityException', async function () {
+        const error = new Error('Error');
+        const fn = throwingHandler(error);
+        Layer = function () {
+          return {
+            handle: fn
+          }
+        };
+  
+        errorHandlerInstr = require('./express')(core);
+        errorHandlerInstr.install();
+        [patchedLayer] = core.depHooks.resolve.withArgs(args).yield(Layer);
+
+        try {
+          await core.scopes.sources.run(store, async () => {
+            await patchedLayer().handle();
+          });
+          } catch (err) {
+            expect(err).to.equal(error);
+            expect(core.logger.info).not.to.have.been.called;
+            expect(store.protect.block).not.to.have.been.called;
+          }
+      });
+    });
+  });
+
+  [
+    { name: 'express', version: '4', file: 'lib/router/index.js' },
+    { name: 'router', version: '2' }
+  ].forEach((args) => {
+    describe(`${args.name} Router param`, function () {
+      let Router, param;
+      const sampleFn = function () { };
+  
+      beforeEach(function () {
+
+        Router = function() { };
+        if (args.name === 'express') {
+          Router.prototype.constructor = {
+            param: function () { },
+          };    
+          param = (...args) => Router.prototype.constructor.param(...args);
+        } else {
+          Router.prototype = {
+            param: function () { },
+          };
+          param = (...args) => Router.prototype.param(...args);
+        }
+        core.depHooks.resolve.withArgs(args).yields(Router);
+  
+        core.patcher.patch.resetHistory();
+  
+        errorHandlerInstr = require('./express')(core);
+        errorHandlerInstr.install();
+      });
+  
+      it('should patch the function for the param property', function () {
+        param('sampleFn', sampleFn);
+        expect(core.patcher.patch).to.have.been.calledWith(sinon.match.array, '1', sinon.match.object);
+      });
+  
+      it('should block the request when there is SecurityException', async function () {
+        const error = SecurityException.create();
+        const fn = throwingHandler(error);
+  
+        param('fn', fn);
+  
+        const patchedFn = core.patcher.patch.getCall(1).returnValue[1];
+  
+        await core.scopes.sources.run(store, async () => {
+          await patchedFn();
+        });
+  
+        expect(core.logger.info).not.to.have.been.called;
+        expect(store.protect.block).to.have.been.calledWith('block', 'cmd-injection');
+      });
+  
+      it('should not block the request when there is SecurityException but sourceContext is missing', async function () {
+        const error = SecurityException.create();
+        const fn = throwingHandler(error);
+  
+        param('fn', fn);
+  
+        const patchedFn = core.patcher.patch.getCall(1).returnValue[1];
+  
+        await core.scopes.sources.run({}, async () => {
+          await patchedFn();
+        });
+  
+        expect(core.logger.info).to.have.been.calledWith(
+          { funcKey: 'protect-error-handling:express.route-handler' },
+          'source context not found; unable to handle response',
+        );
+      });
+  
+      it('should skip the instrumentation when there is no SecurityException', async function () {
+        const error = new Error('Error');
+        const fn = throwingHandler(error);
+  
+        param('fn', fn);
+  
+        const patchedFn = core.patcher.patch.getCall(1).returnValue[1];
+  
+        try {
+          await core.scopes.sources.run(store, async () => {
+            await patchedFn();
+          });
+        } catch (err) {
+          expect(err).to.equal(error);
+          expect(core.logger.info).not.to.have.been.called;
+          expect(store.protect.block).not.to.have.been.called;
+        }
+      });
+    });  
+  });
+});

package/lib/error-handlers/install/hapi.js

@@ -60,12 +60,12 @@ module.exports = function (core) {
 
   hapiErrorHandler.install = function () {
     depHooks.resolve(
-      { name: 'boom' },
+      { name: 'boom', version: '<8' },
       (boom) => registerErrorHandler(boom, 'boom'),
     );
 
     depHooks.resolve(
-      { name: '@hapi/boom' },
+      { name: '@hapi/boom', version: '<11' },
       (boom) => registerErrorHandler(boom, '@hapi/boom'),
     );
   };

package/lib/error-handlers/install/hapi.test.js

@@ -39,8 +39,8 @@ describe('protect error-handlers hapi', function () {
     Boom.boomify = function boom() { };
     HapiBoom.boomify = function hapiBoom() { };
 
-    core.depHooks.resolve.withArgs({ name: Boom.name }).yields(Boom);
-    core.depHooks.resolve.withArgs({ name: HapiBoom.name }).yields(HapiBoom);
+    core.depHooks.resolve.withArgs(sinon.match({ name: Boom.name })).yields(Boom);
+    core.depHooks.resolve.withArgs(sinon.match({ name: HapiBoom.name })).yields(HapiBoom);
 
     errorHandler = require('./hapi')(core);
     errorHandler.install();

package/lib/error-handlers/install/koa2.js

@@ -30,7 +30,7 @@ module.exports = function (core) {
   const koa2ErrorHandler = protect.errorHandlers.koa2ErrorHandler = {};
 
   koa2ErrorHandler.install = function () {
-    depHooks.resolve({ name: 'koa', version: '>=2.3.0' }, (Koa) => {
+    depHooks.resolve({ name: 'koa', version: '>=2.3.0 <3' }, (Koa) => {
       patcher.patch(Koa.prototype, 'handleRequest', {
         name: 'Koa.Application.handleRequest',
         patchType,

package/lib/error-handlers/install/restify.js

@@ -24,7 +24,7 @@ module.exports = function init(core) {
   return protect.errorHandlers.restifyErrorHandler = {
     install() {
       depHooks.resolve(
-        { name: 'restify', file: 'lib/server.js', version: '>=8' },
+        { name: 'restify', file: 'lib/server.js', version: '>=8 <12' },
         (Server) => {
           patcher.patch(Server.prototype, '_onHandlerError', {
             name: 'restify.Server.prototype._onHandlerError',

package/lib/error-handlers/install/restify.test.js

@@ -15,7 +15,7 @@ describe('protect error-handlers restify v8+', function () {
     store = { protect: { block: sinon.stub(), securityException: ['block'] } };
 
     core.depHooks.resolve
-      .withArgs({ name: 'restify', file: 'lib/server.js', version: '>=8' })
+      .withArgs({ name: 'restify', file: 'lib/server.js', version: '>=8 <12' })
       .yields(Server);
 
     core.protect.errorHandlers.restifyErrorHandler.install();

package/lib/hardening/install/node-serialize0.js

@@ -32,13 +32,13 @@ module.exports = function(core) {
     const method = 'unserialize';
 
     depHooks.resolve(
-      { name, version: '<1.0.0' },
+      { name, version: '<1' },
       (nodeSerialize) => {
         patcher.patch(nodeSerialize, method, {
           name,
           patchType,
           pre({ args: [value], hooked, orig }) {
-            const sourceContext = protect.getSourceContext(`${name}.${method}`);
+            const sourceContext = protect.getSourceContext();
 
             if (!sourceContext || !value) return;
 

package/lib/hardening/install/node-serialize0.test.js

@@ -18,10 +18,7 @@ describe('protect hardening node-serialize0', function () {
     core = mocks.core();
     core.logger = mocks.logger();
     core.depHooks = mocks.depHooks();
-    core.depHooks
-      .resolve
-      .withArgs({ name: 'node-serialize', version: '<1.0.0' })
-      .yields(mockLib);
+    core.depHooks.resolve.yields(mockLib);
     core.patcher = patcher(core);
     core.scopes = scopes(core);
     core.protect = mocks.protect();

package/lib/index.d.ts

@@ -122,7 +122,7 @@ export interface Protect {
       install: () => void
     }
     koa2ErrorHandler: { install: () => void },
-    express4ErrorHandler: { install: () => void },
+    expressErrorHandler: { install: () => void },
     install: () => void,
   },
   // eslint-disable-next-line @typescript-eslint/no-explicit-any

package/lib/input-analysis/index.js

@@ -39,7 +39,7 @@ module.exports = function(core) {
   // framework specific instrumentation
   require('./install/fastify')(core);
   require('./install/koa2')(core);
-  require('./install/express4')(core);
+  require('./install/express')(core);
   require('./install/hapi')(core);
   require('./install/restify')(core);
 

package/lib/input-analysis/index.test.js

@@ -25,7 +25,7 @@ describe('protect input-analysis', function () {
       './install/koa2': modulesMock('koa2Instrumentation'),
       './install/koa-body5': modulesMock('koaBody5Instrumentation'),
       './install/koa-bodyparser4': modulesMock('koaBodyparser4Instrumentation'),
-      './install/express4': modulesMock('express4Instrumentation'),
+      './install/express': modulesMock('expressInstrumentation'),
       './install/body-parser1': modulesMock('bodyParser1Instrumentation'),
       './install/cookie-parser1': modulesMock('cookieParser1Instrumentation'),
       './install/formidable1': modulesMock('formidable1Instrumentation'),

package/lib/input-analysis/install/body-parser1.js

@@ -28,7 +28,7 @@ module.exports = (core) => {
 
   function contrastNext(req, origNext, fnName) {
     return function next(origErr) {
-      const sourceContext = protect.getSourceContext(fnName);
+      const sourceContext = protect.getSourceContext();
       let securityException;
 
       if (sourceContext && req.body && Object.keys(req.body).length) {
@@ -62,7 +62,7 @@ module.exports = (core) => {
 
   // Patch body parser - `body-parser` used by `express` framework
   function install() {
-    depHooks.resolve({ name: 'body-parser' }, (bodyParser) => {
+    depHooks.resolve({ name: 'body-parser', version: '<2' }, (bodyParser) => {
       const origBodyParser = bodyParser;
 
       const { json: origJson, raw: origRaw, text: origText, urlencoded: origUrlencoded } = bodyParser;

package/lib/input-analysis/install/busboy1.js

@@ -27,7 +27,7 @@ module.exports = (core) => {
 
   // Patch `busboy`
   function install() {
-    depHooks.resolve({ name: 'busboy' }, (busboy) => {
+    depHooks.resolve({ name: 'busboy', version: '<2' }, (busboy) => {
       patcher.patch(busboy.prototype, 'emit', {
         name: 'busboy.prototype.emit',
         patchType,

package/lib/input-analysis/install/cookie-parser1.js

@@ -29,7 +29,7 @@ module.exports = (core) => {
 
   // Patch `cookie-parser` package
   function install() {
-    depHooks.resolve({ name: 'cookie-parser' }, (cookieParser) => patcher.patch(cookieParser, {
+    depHooks.resolve({ name: 'cookie-parser', version: '<2' }, (cookieParser) => patcher.patch(cookieParser, {
       name: 'cookie-parser',
       patchType,
       post(data) {