@contrast/protect 1.49.0 → 1.50.0

package/lib/input-tracing/install/mssql.js

@@ -27,7 +27,7 @@ module.exports = function (core) {
   } = core;
 
   const pre = ({ args, hooked, name, orig }) => {
-    const sourceContext = protect.getSourceContext(name);
+    const sourceContext = protect.getSourceContext();
     const [value] = args;
     if (!sourceContext || !value || !isString(value)) return;
 
@@ -46,7 +46,7 @@ module.exports = function (core) {
   core.protect.inputTracing.mssqlInstrumentation = {
     install() {
       depHooks.resolve(
-        { name: 'mssql', file: 'lib/base/prepared-statement.js' },
+        { name: 'mssql', version: '<12', file: 'lib/base/prepared-statement.js' },
         (PreparedStatement) => {
           patcher.patch(PreparedStatement.prototype, 'prepare', {
             name: 'mssql.PreparedStatement.prototype.prepare',
@@ -57,7 +57,7 @@ module.exports = function (core) {
       );
 
       depHooks.resolve(
-        { name: 'mssql', file: 'lib/base/request.js' },
+        { name: 'mssql', version: '<12', file: 'lib/base/request.js' },
         (Request) => {
           patcher.patch(Request.prototype, 'batch', {
             name: 'mssql.Request.prototype.batch',

package/lib/input-tracing/install/mssql.test.js

@@ -27,11 +27,11 @@ describe('protect input-tracing mssql', function () {
     Request.prototype.query = sinon.stub();
 
     core.depHooks.resolve
-      .withArgs({ name: 'mssql', file: 'lib/base/prepared-statement.js' })
+      .withArgs(sinon.match({ file: 'lib/base/prepared-statement.js' }))
       .yields(PreparedStatement);
 
     core.depHooks.resolve
-      .withArgs({ name: 'mssql', file: 'lib/base/request.js' })
+      .withArgs(sinon.match({ file: 'lib/base/request.js' }))
       .yields(Request);
 
     require('./mssql')(core).install();

package/lib/input-tracing/install/mysql.js

@@ -40,20 +40,18 @@ module.exports = function(core) {
 
   mysqlInstr.install = function() {
     [
-      { module: 'mysql', file: 'lib/Connection.js', method: 'query' },
-      { module: 'mysql2', file: 'lib/connection.js', method: 'execute' },
-      { module: 'mysql2', file: 'lib/connection.js', method: 'query' }
+      { name: 'mysql', version: '<3', file: 'lib/Connection.js', method: 'query' },
+      { name: 'mysql2', version: '<4', file: 'lib/connection.js', method: 'execute' },
+      { name: 'mysql2', version: '<4', file: 'lib/connection.js', method: 'query' }
     ].forEach(
-      ({ module, file, method }) => {
-        depHooks.resolve({ module, file, method }, conn => {
-          const name = `${module}.Connection.prototype.${method}`;
-
+      ({ name, version, file, method }) => {
+        depHooks.resolve({ name, version, file }, conn => {
           patcher.patch(conn.prototype, method, {
-            name,
+            name: `${name}.Connection.prototype.${method}`,
             patchType,
             pre(data) {
               const { args, hooked, name, orig } = data;
-              const sourceContext = protect.getSourceContext(name);
+              const sourceContext = protect.getSourceContext();
 
               if (!sourceContext) return;
 

package/lib/input-tracing/install/postgres.js

@@ -32,7 +32,7 @@ module.exports = function(core) {
   }
 
   function preHook({ args, hooked, name, orig }) {
-    const sourceContext = protect.getSourceContext(name);
+    const sourceContext = protect.getSourceContext();
 
     if (!sourceContext) return;
 
@@ -49,7 +49,7 @@ module.exports = function(core) {
   }
 
   function install() {
-    depHooks.resolve({ name: 'pg', file: 'lib/client.js' }, client => {
+    depHooks.resolve({ name: 'pg', version: '<9', file: 'lib/client.js' }, client => {
       const name = 'pg.Client.prototype.query';
       patcher.patch(client.prototype, 'query', {
         name,
@@ -58,7 +58,7 @@ module.exports = function(core) {
       });
     });
 
-    depHooks.resolve({ name: 'pg-pool' }, pool => {
+    depHooks.resolve({ name: 'pg-pool', version: '<4' }, pool => {
       const name = 'pg-pool.Pool.prototype.query';
       patcher.patch(pool.prototype, 'query', {
         name,

package/lib/input-tracing/install/postgres.test.js

@@ -31,11 +31,7 @@ describe('protect input-tracing postgres', function () {
     beforeEach(function () {
       Client = function () { };
       Client.prototype.query = sinon.stub();
-      core
-        .depHooks
-        .resolve
-        .withArgs({ name: 'pg', file: 'lib/client.js' })
-        .yields(Client);
+      core.depHooks.resolve.withArgs(sinon.match({ name: 'pg' })).yields(Client);
       require('./postgres')(core).install();
     });
 
@@ -79,11 +75,7 @@ describe('protect input-tracing postgres', function () {
     beforeEach(function () {
       Pool = function () { };
       Pool.prototype.query = sinon.stub();
-      core
-        .depHooks
-        .resolve
-        .withArgs({ name: 'pg-pool' })
-        .yields(Pool);
+      core.depHooks.resolve.withArgs(sinon.match({ name: 'pg-pool' })).yields(Pool);
 
       require('./postgres')(core).install();
     });

package/lib/input-tracing/install/sequelize.js

@@ -33,7 +33,7 @@ module.exports = function(core) {
   }
 
   function install() {
-    depHooks.resolve({ name: 'sequelize' }, sequelize => {
+    depHooks.resolve({ name: 'sequelize', version: '<7' }, sequelize => {
       const name = 'sequelize.prototype.query';
       patcher.patch(sequelize.prototype, 'query', {
         name,
@@ -41,7 +41,7 @@ module.exports = function(core) {
         pre({ args, hooked, name, orig }) {
           if (instrumentation.isLocked()) return;
 
-          const sourceContext = protect.getSourceContext(name);
+          const sourceContext = protect.getSourceContext();
 
           if (!sourceContext || sourceContext.allowed) return;
 

package/lib/input-tracing/install/spdy.js

@@ -27,7 +27,7 @@ module.exports = function(core) {
   } = core;
 
   function install() {
-    depHooks.resolve({ name: 'spdy' }, spdy => {
+    depHooks.resolve({ name: 'spdy', version: '<5' }, spdy => {
       const name = 'spdy.response.end';
       patcher.patch(spdy.response, 'end', {
         name,
@@ -35,7 +35,7 @@ module.exports = function(core) {
         pre({ args, obj: response, hooked }) {
           if (instrumentation.isLocked()) return;
 
-          const sourceContext = protect.getSourceContext(name);
+          const sourceContext = protect.getSourceContext();
 
           if (!sourceContext) return;
 

package/lib/input-tracing/install/sqlite3.js

@@ -28,7 +28,7 @@ module.exports = function(core) {
   } = core;
 
   function install() {
-    depHooks.resolve({ name: 'sqlite3' }, sqlite3 => {
+    depHooks.resolve({ name: 'sqlite3', version: '<6' }, sqlite3 => {
       ['all', 'run', 'get', 'each', 'exec', 'prepare'].forEach((method) => {
         const name = `sqlite3.Database.prototype.${method}`;
         patcher.patch(sqlite3.Database.prototype, method, {
@@ -37,7 +37,7 @@ module.exports = function(core) {
           pre({ args, hooked, name, orig }) {
             if (instrumentation.isLocked()) return;
 
-            const sourceContext = protect.getSourceContext(name);
+            const sourceContext = protect.getSourceContext();
             if (!sourceContext) return;
 
             const value = args[0];

package/lib/input-tracing/install/vm.js

@@ -44,7 +44,7 @@ module.exports = function (core) {
   const createPre = (arity) => ({ args, hooked, orig, name }) => {
     if (instrumentation.isLocked()) return;
 
-    const sourceContext = protect.getSourceContext(name);
+    const sourceContext = protect.getSourceContext();
     if (!sourceContext) return;
 
     for (let i = 0; i < arity; i++) {
@@ -62,7 +62,7 @@ module.exports = function (core) {
 
   const vmInstrumentation = inputTracing.vmInstrumentation = {
     install() {
-      depHooks.resolve({ name: 'vm' }, (vm) => {
+      depHooks.resolve({ name: 'vm', version: '*' }, (vm) => {
         VM_METHODS.forEach(([method, arity]) => {
           patcher.patch(vm, method, {
             name: `vm.${method}`,

package/lib/semantic-analysis/install/libxmljs.js

@@ -45,7 +45,7 @@ module.exports = function (core) {
         name,
         patchType,
         pre({ args, hooked, orig, funcKey }) {
-          const sourceContext = protect.getSourceContext(name);
+          const sourceContext = protect.getSourceContext();
           const [value, options] = args;
 
           if (!sourceContext || !value || !isString(value) || checkOptions(options)) {
@@ -78,11 +78,11 @@ module.exports = function (core) {
   protect.semanticAnalysis.libxmljs = {
     install() {
       // libxmljs changed its API in version 1.0.0
-      depHooks.resolve({ name: 'libxmljs', version: '>=1' }, handler(true));
+      depHooks.resolve({ name: 'libxmljs', version: '>=1 <2' }, handler(true));
 
       // libxmljs versions prior to 1.0.0 and libxmljs2 share the same API
       depHooks.resolve({ name: 'libxmljs', version: '<1' }, handler(false));
-      depHooks.resolve({ name: 'libxmljs2' }, handler(false));
+      depHooks.resolve({ name: 'libxmljs2', version: '<1' }, handler(false));
     }
   };
 

package/lib/semantic-analysis/install/libxmljs.test.js

@@ -35,13 +35,13 @@ describe('protect semantic-analysis libxmljs', function () {
     };
 
     core.depHooks.resolve
-      .withArgs({ name: 'libxmljs', version: '>=1' })
+      .withArgs({ name: 'libxmljs', version: '>=1 <2' })
       .yields(modules['libxmljs@1'], { name: 'libxmljs', version: '1.0.9' });
     core.depHooks.resolve
       .withArgs({ name: 'libxmljs', version: '<1' })
       .yields(modules['libxmljs@0'], { name: 'libxmljs', version: '0.19.10' });
     core.depHooks.resolve
-      .withArgs({ name: 'libxmljs2' })
+      .withArgs({ name: 'libxmljs2', version: '<1' })
       .yields(modules.libxmljs2, { name: 'libxmljs2', version: '0.32.0' });
 
     require('../../get-source-context')(core);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.49.0",
+  "version": "1.50.0",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -18,16 +18,16 @@
   },
   "dependencies": {
     "@contrast/agent-lib": "^7.0.1",
-    "@contrast/common": "1.26.0",
-    "@contrast/config": "1.36.0",
-    "@contrast/core": "1.41.1",
-    "@contrast/dep-hooks": "1.10.0",
-    "@contrast/esm-hooks": "2.15.1",
-    "@contrast/instrumentation": "1.20.0",
-    "@contrast/logger": "1.14.0",
-    "@contrast/patcher": "1.13.0",
-    "@contrast/rewriter": "1.17.1",
-    "@contrast/scopes": "1.11.0",
+    "@contrast/common": "1.27.0",
+    "@contrast/config": "1.37.0",
+    "@contrast/core": "1.42.0",
+    "@contrast/dep-hooks": "1.11.0",
+    "@contrast/esm-hooks": "2.16.0",
+    "@contrast/instrumentation": "1.21.0",
+    "@contrast/logger": "1.15.0",
+    "@contrast/patcher": "1.14.0",
+    "@contrast/rewriter": "1.18.0",
+    "@contrast/scopes": "1.12.0",
     "ipaddr.js": "^2.0.1",
     "semver": "^7.6.0"
   },

package/lib/error-handlers/install/express4.js

@@ -1,138 +0,0 @@
-/*
- * Copyright: 2024 Contrast Security, Inc
- * Contact: support@contrastsecurity.com
- * License: Commercial
-
- * NOTICE: This Software and the patented inventions embodied within may only be
- * used as part of Contrast Security’s commercial offerings. Even though it is
- * made available through public repositories, use of this Software is subject to
- * the applicable End User Licensing Agreement found at
- * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
- * between Contrast Security and the End User. The Software may not be reverse
- * engineered, modified, repackaged, sold, redistributed or otherwise used in a
- * way not consistent with the End User License Agreement.
- */
-
-'use strict';
-
-const SecurityException = require('../../security-exception');
-const { patchType } = require('../constants');
-
-
-module.exports = function (core) {
-  const {
-    logger,
-    depHooks,
-    patcher,
-    protect,
-  } = core;
-
-  const express4ErrorHandler = protect.errorHandlers.express4ErrorHandler = {};
-
-  function aroundFn(name) {
-    return function around(orig, data) {
-      const [err] = data.args;
-      const sourceContext = protect.getSourceContext(name);
-      const isSecurityException = SecurityException.isSecurityException(err);
-
-      if (isSecurityException && sourceContext) {
-        const blockInfo = sourceContext.securityException;
-
-        sourceContext.block(...blockInfo);
-        return;
-      }
-
-      if (!sourceContext && isSecurityException) {
-        logger.info({ funcKey: data.funcKey }, 'source context not found; unable to handle response');
-      }
-      return orig();
-    };
-  }
-
-  express4ErrorHandler.install = function () {
-    depHooks.resolve({ name: 'finalhandler' }, (finalhandler) =>
-      patcher.patch(finalhandler, {
-        name: 'finalHandler',
-        patchType,
-        post(data) {
-          data.result = patcher.patch(data.result, {
-            name: 'finalHandler.returnedFunction',
-            patchType,
-            around: aroundFn('finalHandler')
-          });
-        },
-      })
-    );
-
-    depHooks.resolve({ name: 'express', version: '>=4.0.0 <5.0.0', file: 'lib/router/layer.js' }, (Layer) => {
-      patcher.patch(Layer.prototype, 'handle_error', {
-        name: 'Layer.prototype.handle_error',
-        patchType,
-        around: aroundFn('express.Layer.handle_error')
-      });
-
-      // This should be revisited after the research ticket NODE-2556
-      Object.defineProperty(Layer.prototype, 'handle', {
-        enumerable: true,
-        configurable: true,
-        get() {
-          return this.__handle;
-        },
-        set(fn) {
-          fn = patchFn(fn);
-          this.__handle = fn;
-        },
-      });
-    });
-
-    // This should be revisited after the research ticket NODE-2556
-    depHooks.resolve({ name: 'express', version: '>=4.0.0 <5.0.0', file: 'lib/router/index.js' }, (Router) => {
-      patcher.patch(Router.prototype.constructor, 'param', {
-        name: 'Router.prototype.constructor.param',
-        patchType,
-        pre({ args }) {
-          if (typeof args[1] === 'function') {
-            args[1] = patchFn(args[1]);
-          }
-        }
-      });
-    });
-
-    // This should be revisited after the research ticket NODE-2556
-    function patchFn(fn) {
-      return patcher.patch(fn, {
-        name: 'express.route-handler',
-        patchType,
-        around(orig, data) {
-          const ret = orig();
-          if (ret && ret.catch) {
-            return ret.catch((err) => {
-              const sourceContext = protect.getSourceContext();
-              const isSecurityException = SecurityException.isSecurityException(err);
-
-              if (isSecurityException && sourceContext) {
-                const blockInfo = sourceContext.securityException;
-
-                sourceContext.block(...blockInfo);
-                return;
-              }
-
-              if (!sourceContext && isSecurityException) {
-                logger.info({ funcKey: data.funcKey }, 'source context not found; unable to handle response');
-                return;
-              }
-
-              throw err;
-            });
-          }
-
-          return ret;
-        }
-      });
-    }
-
-
-  };
-
-  return express4ErrorHandler;
-};

package/lib/error-handlers/install/express4.test.js

@@ -1,238 +0,0 @@
-/* eslint-disable object-shorthand */
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const scopes = require('@contrast/scopes');
-const patcher = require('@contrast/patcher');
-const mocks = require('@contrast/test/mocks');
-const SecurityException = require('../../security-exception');
-
-describe('protect error-handlers express4', function () {
-  let core, store, errorHandlerInstr;
-
-  beforeEach(function () {
-    core = mocks.core();
-    core.config = mocks.config();
-    core.logger = mocks.logger();
-    core.scopes = scopes(core);
-    core.protect = mocks.protect();
-    require('../../get-source-context')(core);
-    core.depHooks = mocks.depHooks();
-    core.patcher = patcher(core);
-
-    store = {
-      protect: {
-        block: sinon.stub(),
-        securityException: ['block', 'cmd-injection']
-      }
-    };
-
-    sinon.spy(core.patcher, 'patch');
-  });
-
-  describe('finalhandler', function () {
-    let finalhandler, returnedFn;
-
-    beforeEach(function () {
-      finalhandler = function () {
-        return function () { };
-      };
-
-      core.depHooks.resolve.withArgs({ name: 'finalhandler' }).yields(finalhandler);
-
-      errorHandlerInstr = require('./express4')(core);
-      errorHandlerInstr.install();
-
-      const patchedFinalhandler = core.patcher.patch.getCall(0).returnValue;
-      returnedFn = patchedFinalhandler();
-    });
-
-    it('should block the request when there is SecurityException', function () {
-      const error = SecurityException.create();
-
-      core.scopes.sources.run(store, () => {
-        returnedFn(error);
-        expect(core.logger.info).not.to.have.been.called;
-        expect(store.protect.block).to.have.been.calledWith('block', 'cmd-injection');
-      });
-    });
-
-    it('should not block the request when there is SecurityException but sourceContext is missing', function () {
-      const error = SecurityException.create();
-
-      core.scopes.sources.run({}, () => {
-        returnedFn(error);
-        expect(core.logger.info).to.have.been.calledWith(
-          { funcKey: 'protect-error-handling:finalHandler.returnedFunction' },
-          'source context not found; unable to handle response',
-        );
-      });
-    });
-
-    it('should skip the instrumentation when there is no SecurityException', function () {
-      const error = new Error('Error');
-
-      core.scopes.sources.run({}, () => {
-        returnedFn(error);
-        expect(core.logger.info).not.to.have.been.called;
-        expect(store.protect.block).not.to.have.been.called;
-      });
-    });
-  });
-
-  describe('Layer.prototype.handle_error', function () {
-    let Layer;
-
-    beforeEach(function () {
-      Layer = function () { };
-      Layer.prototype.handle_error = function () { };
-
-      core.depHooks.resolve.withArgs({ name: 'express', version: '>=4.0.0 <5.0.0', file: 'lib/router/layer.js' }).yields(Layer);
-
-      errorHandlerInstr = require('./express4')(core);
-      errorHandlerInstr.install();
-    });
-
-    it('should block the request when there is SecurityException', function () {
-      const error = SecurityException.create();
-
-      core.scopes.sources.run(store, () => {
-        Layer.prototype.handle_error(error);
-        expect(core.logger.info).not.to.have.been.called;
-        expect(store.protect.block).to.have.been.calledWith('block', 'cmd-injection');
-      });
-    });
-
-    it('should not block the request when there is SecurityException but sourceContext is missing', function () {
-      const error = SecurityException.create();
-
-      core.scopes.sources.run({}, () => {
-        Layer.prototype.handle_error(error);
-        expect(core.logger.info).to.have.been.calledWith(
-          { funcKey: 'protect-error-handling:Layer.prototype.handle_error' },
-          'source context not found; unable to handle response'
-        );
-      });
-    });
-
-    it('should skip the instrumentation when there is no SecurityException', function () {
-      const error = new Error('Error');
-
-      core.scopes.sources.run({}, () => {
-        Layer.prototype.handle_error(error);
-        expect(core.logger.info).not.to.have.been.called;
-        expect(store.protect.block).not.to.have.been.called;
-      });
-    });
-  });
-
-  describe('Layer.prototype.handle', function () {
-    const sampleFn = function () { };
-    let Layer;
-
-    beforeEach(function () {
-      Layer = function () { };
-
-      core.depHooks.resolve.withArgs({ name: 'express', version: '>=4.0.0 <5.0.0', file: 'lib/router/layer.js' }).yields(Layer);
-
-      errorHandlerInstr = require('./express4')(core);
-      errorHandlerInstr.install();
-    });
-
-    it('should patch the function that is being set for `handle`', function () {
-      Layer.prototype.handle = sampleFn;
-
-      expect(core.patcher.patch).to.have.been.calledWith(sampleFn, sinon.match.object);
-    });
-
-    it('should return the patched function for the `handle` get', function () {
-      Layer.prototype.handle = sampleFn;
-
-      expect(Layer.prototype.handle).to.equal(Layer.prototype.__handle);
-    });
-  });
-
-  describe('Router.prototype.constructor.param', function () {
-    let Router;
-    const sampleFn = function () { };
-    const throwingHandler = (error) => async function () {
-      await Promise.reject(error);
-    };
-
-    beforeEach(function () {
-      Router = function () { };
-      Router.prototype.constructor = {
-        param: function () { },
-      };
-
-      core.depHooks.resolve.withArgs({ name: 'express', version: '>=4.0.0 <5.0.0', file: 'lib/router/index.js' }).yields(Router);
-
-      core.patcher.patch.resetHistory();
-
-      errorHandlerInstr = require('./express4')(core);
-      errorHandlerInstr.install();
-    });
-
-    it('should patch the function for the param property', function () {
-      Router.prototype.constructor.param('sampleFn', sampleFn);
-
-      expect(core.patcher.patch).to.have.been.calledWith(sampleFn, sinon.match.object);
-    });
-
-    it('should block the request when there is SecurityException', async function () {
-      const error = SecurityException.create();
-      const fn = throwingHandler(error);
-
-      Router.prototype.constructor.param('fn', fn);
-
-      const patchedFn = core.patcher.patch.getCall(1).returnValue;
-
-      await core.scopes.sources.run(store, async () => {
-        await patchedFn();
-      });
-
-      expect(core.logger.info).not.to.have.been.called;
-      expect(store.protect.block).to.have.been.calledWith('block', 'cmd-injection');
-    });
-
-    it('should not block the request when there is SecurityException but sourceContext is missing', async function () {
-      const error = SecurityException.create();
-      const fn = throwingHandler(error);
-
-      Router.prototype.constructor.param('fn', fn);
-
-      const patchedFn = core.patcher.patch.getCall(1).returnValue;
-
-      await core.scopes.sources.run({}, async () => {
-        await patchedFn();
-      });
-
-      expect(core.logger.info).to.have.been.calledWith(
-        { funcKey: 'protect-error-handling:express.route-handler' },
-        'source context not found; unable to handle response',
-      );
-    });
-
-    it('should skip the instrumentation when there is no SecurityException', async function () {
-      const error = new Error('Error');
-      const fn = throwingHandler(error);
-
-      Router.prototype.constructor.param('fn', fn);
-
-      const patchedFn = core.patcher.patch.getCall(1).returnValue;
-
-      try {
-        await core.scopes.sources.run(store, async () => {
-          await patchedFn();
-        });
-      } catch (err) {
-        expect(err).to.equal(error);
-        expect(core.logger.info).not.to.have.been.called;
-        expect(store.protect.block).not.to.have.been.called;
-      }
-    });
-  });
-
-
-});