@contrast/protect 1.49.0 → 1.51.0

package/lib/error-handlers/index.js

@@ -25,7 +25,7 @@ module.exports = function(core) {
   require('./init-domain')(core);
 
   // installers
-  require('./install/express4')(core);
+  require('./install/express')(core);
   require('./install/fastify')(core);
   require('./install/hapi')(core);
   require('./install/koa2')(core);

package/lib/error-handlers/index.test.js

@@ -8,7 +8,7 @@ describe('protect error-handlers', function () {
   let core, errorHandlers;
 
   const installerList = [
-    'express4ErrorHandler',
+    'expressErrorHandler',
     'fastifyErrorHandler',
     'hapiErrorHandler',
     'koa2ErrorHandler',

package/lib/error-handlers/init-domain.js

@@ -15,47 +15,12 @@
 
 'use strict';
 
-const process = require('process');
-const semver = require('semver');
+const { Domain } = require('async-hook-domain');
 
 module.exports = function(core) {
-  const {
-    logger,
-    protect: { errorHandlers }
-  } = core;
+  const { protect: { errorHandlers } } = core;
 
-  Object.assign(errorHandlers, initSupportedDomainPackage());
-
-  return errorHandlers.initDomain = function(req, res) {
-    const { AsyncHookDomain, Domain } = errorHandlers;
-
-    if (AsyncHookDomain) {
-      new AsyncHookDomain(errorHandlers.commonHandler);
-    } else {
-      const domain = new Domain();
-      domain.add(req);
-      domain.add(res);
-      domain.on('error', errorHandlers.commonHandler);
-      return domain;
-    }
+  return errorHandlers.initDomain = function initDomain() {
+    return new Domain(errorHandlers.commonHandler);
   };
-
-  function initSupportedDomainPackage() {
-    let AsyncHookDomain, Domain;
-
-    if (semver.lt(process.version, '16.0.0')) {
-      logger.info(
-        '%s. %s. %s.',
-        'falling back to deprecated \'domain\' module for async SecurityException handling',
-        'upgrade to Node 16 LTS or above to allow use of \'async-hook-domain\' modern alternative',
-        'upgrading will resolve any deprecation warnings and prevent the logging of this message'
-      );
-
-      Domain = require('domain').Domain;
-    } else {
-      AsyncHookDomain = require('async-hook-domain');
-    }
-
-    return { AsyncHookDomain, Domain };
-  }
 };

package/lib/error-handlers/init-domain.test.js

@@ -5,30 +5,18 @@ const sinon = require('sinon');
 const { initProtectFixture } = require('@contrast/test/fixtures');
 
 describe('protect error-handlers init-domain', function () {
-  let core, errorHandlers, initDomain;
+  let core;
 
   beforeEach(function () {
     ({ core } = initProtectFixture());
 
     sinon.stub(core.protect.errorHandlers, 'commonHandler');
-
-    errorHandlers = core.protect.errorHandlers;
-    initDomain = errorHandlers.initDomain;
   });
 
   describe('domain integration', function () {
-    beforeEach(function () {
-      sinon.stub(errorHandlers, 'AsyncHookDomain');
-    });
-
-    it('initializes correct domain', function () {
-      expect(core.protect.errorHandlers.AsyncHookDomain).to.be.a('function');
-      expect(core.protect.errorHandlers.Domain).to.be.undefined;
-    });
-
     it('instantiates async-hook-domain with common error handler', function () {
-      initDomain();
-      expect(errorHandlers.AsyncHookDomain).to.have.been.calledWith(errorHandlers.commonHandler);
+      const d = core.protect.errorHandlers.initDomain();
+      expect(d.onerror).to.equal(core.protect.errorHandlers.commonHandler);
     });
   });
 });

package/lib/error-handlers/install/express.js

@@ -0,0 +1,162 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const SecurityException = require('../../security-exception');
+const { patchType } = require('../constants');
+
+module.exports = function (core) {
+  const {
+    logger,
+    depHooks,
+    patcher,
+    protect,
+  } = core;
+
+  const expressErrorHandler = protect.errorHandlers.expressErrorHandler = {};
+
+  function checkSecurityException(err, funcKey, orig, throwErr = false) {
+    const sourceContext = protect.getSourceContext();
+    const isSecurityException = SecurityException.isSecurityException(err);
+
+    if (isSecurityException && sourceContext) {
+      const blockInfo = sourceContext.securityException;
+
+      sourceContext.block(...blockInfo);
+      return;
+    }
+
+    if (!sourceContext && isSecurityException) {
+      logger.info({ funcKey }, 'source context not found; unable to handle response');
+      return;
+    }
+
+    if (throwErr) {
+      throw err;
+    } else {
+      return orig();
+    }
+  }
+
+  expressErrorHandler.install = function () {
+
+    // Express 4 and 5
+    depHooks.resolve({ name: 'finalhandler', version: '<3' }, (finalhandler) =>
+      patcher.patch(finalhandler, {
+        name: 'finalHandler',
+        patchType,
+        post(data) {
+          data.result = patcher.patch(data.result, {
+            name: 'finalHandler.returnedFunction',
+            patchType,
+            around(orig, data) {
+              const [err] = data.args;
+              checkSecurityException(err, data.funcKey, orig);
+            }
+          });
+        },
+      })
+    );
+
+    function postHook() {
+      return function(data) {
+        patcher.patch(data.result, 'handle', {
+          name: 'handle',
+          patchType,
+          post(data) {
+            data.result = data.result?.catch?.((err) => {
+              checkSecurityException(err, data.funcKey, data.orig, true);
+            });
+          }
+        });
+      };
+    }
+
+    // Express 4
+    depHooks.resolve({ name: 'express', version: '4', file: 'lib/router/layer.js' }, (Layer) => {
+
+      patcher.patch(Layer.prototype, 'handle_error', {
+        name: 'Layer.prototype.handle_error',
+        patchType,
+        around(orig, data) {
+          const [err] = data.args;
+          checkSecurityException(err, data.funcKey, orig);
+        }
+      });
+
+      return patcher.patch(Layer, {
+        name: 'Layer',
+        patchType,
+        post: postHook()
+      });
+
+    });
+
+    // Express 5
+    depHooks.resolve({ name: 'router', version: '2', file: 'lib/layer.js' }, (Layer) => {
+
+      patcher.patch(Layer.prototype, 'handleError', {
+        name: 'Layer.prototype.handleError',
+        patchType,
+        around(orig, data) {
+          const [err] = data.args;
+          checkSecurityException(err, data.funcKey, orig);
+        }
+      });
+
+      return patcher.patch(Layer, {
+        name: 'router.Layer',
+        patchType,
+        post: postHook()
+      });
+    });
+
+    function preHook() {
+      return function(data) {
+        if (typeof data.args[1] === 'function') {
+          patcher.patch(data.args, '1', {
+            name: 'express.route-handler',
+            patchType,
+            post(data) {
+              data.result = data.result?.catch?.((err) => {
+                checkSecurityException(err, data.funcKey, data.orig, true);
+              });
+            }
+          });
+        }
+      };
+    }
+
+    // Express 4
+    depHooks.resolve({ name: 'express', version: '4', file: 'lib/router/index.js' }, (Router) => {
+      patcher.patch(Router.prototype.constructor, 'param', {
+        name: 'Router.prototype.constructor.param',
+        patchType,
+        pre: preHook()
+      });
+    });
+
+    // Express 5
+    depHooks.resolve({ name: 'router', version: '2' }, (Router) => {
+      patcher.patch(Router.prototype, 'param', {
+        name: 'Router.prototype.param',
+        patchType,
+        pre: preHook()
+      });
+    });
+  };
+  return expressErrorHandler;
+};

package/lib/error-handlers/install/express.test.js

@@ -0,0 +1,290 @@
+/* eslint-disable */
+'use strict';
+
+const sinon = require('sinon');
+const { expect } = require('chai');
+const scopes = require('@contrast/scopes');
+const patcher = require('@contrast/patcher');
+const mocks = require('@contrast/test/mocks');
+const SecurityException = require('../../security-exception');
+
+describe('protect error-handlers express', function () {
+  let core, store, errorHandlerInstr;
+
+  const throwingHandler = (error) => async function () {
+    await Promise.reject(error);
+  };  
+
+  beforeEach(function () {
+    core = mocks.core();
+    core.config = mocks.config();
+    core.logger = mocks.logger();
+    core.scopes = scopes(core);
+    core.protect = mocks.protect();
+    require('../../get-source-context')(core);
+    core.depHooks = mocks.depHooks();
+    core.patcher = patcher(core);
+
+    store = {
+      protect: {
+        block: sinon.stub(),
+        securityException: ['block', 'cmd-injection']
+      }
+    };
+
+    sinon.spy(core.patcher, 'patch');
+  });
+
+  describe('finalhandler', function () {
+    let finalhandler, returnedFn;
+
+    beforeEach(function () {
+      finalhandler = function () {
+        return function () { };
+      };
+
+      core.depHooks.resolve.withArgs({ name: 'finalhandler', version: '<3' }).yields(finalhandler);
+
+      errorHandlerInstr = require('./express')(core);
+      errorHandlerInstr.install();
+
+      const patchedFinalhandler = core.patcher.patch.getCall(0).returnValue;
+      returnedFn = patchedFinalhandler();
+    });
+
+    it('should block the request when there is SecurityException', function () {
+      const error = SecurityException.create();
+
+      core.scopes.sources.run(store, () => {
+        returnedFn(error);
+        expect(core.logger.info).not.to.have.been.called;
+        expect(store.protect.block).to.have.been.calledWith('block', 'cmd-injection');
+      });
+    });
+
+    it('should not block the request when there is SecurityException but sourceContext is missing', function () {
+      const error = SecurityException.create();
+
+      core.scopes.sources.run({}, () => {
+        returnedFn(error);
+        expect(core.logger.info).to.have.been.calledWith(
+          { funcKey: 'protect-error-handling:finalHandler.returnedFunction' },
+          'source context not found; unable to handle response',
+        );
+      });
+    });
+
+    it('should skip the instrumentation when there is no SecurityException', function () {
+      const error = new Error('Error');
+
+      core.scopes.sources.run({}, () => {
+        returnedFn(error);
+        expect(core.logger.info).not.to.have.been.called;
+        expect(store.protect.block).not.to.have.been.called;
+      });
+    });
+  });
+
+  [
+    { name: 'express', version: '4', file: 'lib/router/layer.js' },
+    { name: 'router', version: '2', file: 'lib/layer.js' }
+  ].forEach((args) => {
+    const fn = args.name === 'express' ? 'handle_error' : 'handleError';
+    describe(`${args.name} Layer.prototype.${fn}`, function () {
+      let Layer;
+  
+      beforeEach(function () {
+        Layer = function () { };
+
+        Layer.prototype[fn] = function () { };
+  
+        core.depHooks.resolve.withArgs(args).yields(Layer);
+  
+        errorHandlerInstr = require('./express')(core);
+        errorHandlerInstr.install();
+      });
+  
+      it('should block the request when there is SecurityException', function () {
+        const error = SecurityException.create();
+  
+        core.scopes.sources.run(store, () => {
+          Layer.prototype[fn](error);
+          expect(core.logger.info).not.to.have.been.called;
+          expect(store.protect.block).to.have.been.calledWith('block', 'cmd-injection');
+        });
+      });
+  
+      it('should not block the request when there is SecurityException but sourceContext is missing', function () {
+        const error = SecurityException.create();
+  
+        core.scopes.sources.run({}, () => {
+          Layer.prototype[fn](error);
+          expect(core.logger.info).to.have.been.calledWith(
+            { funcKey: `protect-error-handling:Layer.prototype.${fn}` },
+            'source context not found; unable to handle response'
+          );
+        });
+      });
+  
+      it('should skip the instrumentation when there is no SecurityException', function () {
+        const error = new Error('Error');
+  
+        core.scopes.sources.run({}, () => {
+          Layer.prototype[fn](error);
+          expect(core.logger.info).not.to.have.been.called;
+          expect(store.protect.block).not.to.have.been.called;
+        });
+      });
+    });
+
+    describe(`${args.name} Layer handle`, function () {
+      let Layer, patchedLayer;
+      const error = SecurityException.create();
+      const fn = throwingHandler(error);
+      beforeEach(function () {
+        Layer = function () {
+          return {
+            handle: fn
+          }
+        };
+  
+        errorHandlerInstr = require('./express')(core);
+        errorHandlerInstr.install();
+        [patchedLayer] = core.depHooks.resolve.withArgs(args).yield(Layer);
+        });
+
+      it('should block the request when there is SecurityException', async function () {
+        await core.scopes.sources.run(store, async () => {
+          await patchedLayer().handle();
+        });
+        expect(core.logger.info).not.to.have.been.called;
+        expect(store.protect.block).to.have.been.calledWith('block', 'cmd-injection');
+      });
+
+      it('should not block the request when there is SecurityException but sourceContext is missing', async function () {
+        await core.scopes.sources.run({}, async () => {
+          await patchedLayer().handle();
+        });
+  
+        expect(core.logger.info).to.have.been.calledWith(
+          { funcKey: 'protect-error-handling:handle' },
+          'source context not found; unable to handle response',
+        );
+      });
+
+      it('should skip the instrumentation when there is no SecurityException', async function () {
+        const error = new Error('Error');
+        const fn = throwingHandler(error);
+        Layer = function () {
+          return {
+            handle: fn
+          }
+        };
+  
+        errorHandlerInstr = require('./express')(core);
+        errorHandlerInstr.install();
+        [patchedLayer] = core.depHooks.resolve.withArgs(args).yield(Layer);
+
+        try {
+          await core.scopes.sources.run(store, async () => {
+            await patchedLayer().handle();
+          });
+          } catch (err) {
+            expect(err).to.equal(error);
+            expect(core.logger.info).not.to.have.been.called;
+            expect(store.protect.block).not.to.have.been.called;
+          }
+      });
+    });
+  });
+
+  [
+    { name: 'express', version: '4', file: 'lib/router/index.js' },
+    { name: 'router', version: '2' }
+  ].forEach((args) => {
+    describe(`${args.name} Router param`, function () {
+      let Router, param;
+      const sampleFn = function () { };
+  
+      beforeEach(function () {
+
+        Router = function() { };
+        if (args.name === 'express') {
+          Router.prototype.constructor = {
+            param: function () { },
+          };    
+          param = (...args) => Router.prototype.constructor.param(...args);
+        } else {
+          Router.prototype = {
+            param: function () { },
+          };
+          param = (...args) => Router.prototype.param(...args);
+        }
+        core.depHooks.resolve.withArgs(args).yields(Router);
+  
+        core.patcher.patch.resetHistory();
+  
+        errorHandlerInstr = require('./express')(core);
+        errorHandlerInstr.install();
+      });
+  
+      it('should patch the function for the param property', function () {
+        param('sampleFn', sampleFn);
+        expect(core.patcher.patch).to.have.been.calledWith(sinon.match.array, '1', sinon.match.object);
+      });
+  
+      it('should block the request when there is SecurityException', async function () {
+        const error = SecurityException.create();
+        const fn = throwingHandler(error);
+  
+        param('fn', fn);
+  
+        const patchedFn = core.patcher.patch.getCall(1).returnValue[1];
+  
+        await core.scopes.sources.run(store, async () => {
+          await patchedFn();
+        });
+  
+        expect(core.logger.info).not.to.have.been.called;
+        expect(store.protect.block).to.have.been.calledWith('block', 'cmd-injection');
+      });
+  
+      it('should not block the request when there is SecurityException but sourceContext is missing', async function () {
+        const error = SecurityException.create();
+        const fn = throwingHandler(error);
+  
+        param('fn', fn);
+  
+        const patchedFn = core.patcher.patch.getCall(1).returnValue[1];
+  
+        await core.scopes.sources.run({}, async () => {
+          await patchedFn();
+        });
+  
+        expect(core.logger.info).to.have.been.calledWith(
+          { funcKey: 'protect-error-handling:express.route-handler' },
+          'source context not found; unable to handle response',
+        );
+      });
+  
+      it('should skip the instrumentation when there is no SecurityException', async function () {
+        const error = new Error('Error');
+        const fn = throwingHandler(error);
+  
+        param('fn', fn);
+  
+        const patchedFn = core.patcher.patch.getCall(1).returnValue[1];
+  
+        try {
+          await core.scopes.sources.run(store, async () => {
+            await patchedFn();
+          });
+        } catch (err) {
+          expect(err).to.equal(error);
+          expect(core.logger.info).not.to.have.been.called;
+          expect(store.protect.block).not.to.have.been.called;
+        }
+      });
+    });  
+  });
+});

package/lib/error-handlers/install/hapi.js

@@ -60,12 +60,12 @@ module.exports = function (core) {
 
   hapiErrorHandler.install = function () {
     depHooks.resolve(
-      { name: 'boom' },
+      { name: 'boom', version: '<8' },
       (boom) => registerErrorHandler(boom, 'boom'),
     );
 
     depHooks.resolve(
-      { name: '@hapi/boom' },
+      { name: '@hapi/boom', version: '<11' },
       (boom) => registerErrorHandler(boom, '@hapi/boom'),
     );
   };

package/lib/error-handlers/install/hapi.test.js

@@ -39,8 +39,8 @@ describe('protect error-handlers hapi', function () {
     Boom.boomify = function boom() { };
     HapiBoom.boomify = function hapiBoom() { };
 
-    core.depHooks.resolve.withArgs({ name: Boom.name }).yields(Boom);
-    core.depHooks.resolve.withArgs({ name: HapiBoom.name }).yields(HapiBoom);
+    core.depHooks.resolve.withArgs(sinon.match({ name: Boom.name })).yields(Boom);
+    core.depHooks.resolve.withArgs(sinon.match({ name: HapiBoom.name })).yields(HapiBoom);
 
     errorHandler = require('./hapi')(core);
     errorHandler.install();

package/lib/error-handlers/install/koa2.js

@@ -30,7 +30,7 @@ module.exports = function (core) {
   const koa2ErrorHandler = protect.errorHandlers.koa2ErrorHandler = {};
 
   koa2ErrorHandler.install = function () {
-    depHooks.resolve({ name: 'koa', version: '>=2.3.0' }, (Koa) => {
+    depHooks.resolve({ name: 'koa', version: '>=2.3.0 <3' }, (Koa) => {
       patcher.patch(Koa.prototype, 'handleRequest', {
         name: 'Koa.Application.handleRequest',
         patchType,

package/lib/error-handlers/install/restify.js

@@ -24,7 +24,7 @@ module.exports = function init(core) {
   return protect.errorHandlers.restifyErrorHandler = {
     install() {
       depHooks.resolve(
-        { name: 'restify', file: 'lib/server.js', version: '>=8' },
+        { name: 'restify', file: 'lib/server.js', version: '>=8 <12' },
         (Server) => {
           patcher.patch(Server.prototype, '_onHandlerError', {
             name: 'restify.Server.prototype._onHandlerError',

package/lib/error-handlers/install/restify.test.js

@@ -15,7 +15,7 @@ describe('protect error-handlers restify v8+', function () {
     store = { protect: { block: sinon.stub(), securityException: ['block'] } };
 
     core.depHooks.resolve
-      .withArgs({ name: 'restify', file: 'lib/server.js', version: '>=8' })
+      .withArgs({ name: 'restify', file: 'lib/server.js', version: '>=8 <12' })
       .yields(Server);
 
     core.protect.errorHandlers.restifyErrorHandler.install();

package/lib/hardening/install/node-serialize0.js

@@ -32,13 +32,13 @@ module.exports = function(core) {
     const method = 'unserialize';
 
     depHooks.resolve(
-      { name, version: '<1.0.0' },
+      { name, version: '<1' },
       (nodeSerialize) => {
         patcher.patch(nodeSerialize, method, {
           name,
           patchType,
           pre({ args: [value], hooked, orig }) {
-            const sourceContext = protect.getSourceContext(`${name}.${method}`);
+            const sourceContext = protect.getSourceContext();
 
             if (!sourceContext || !value) return;
 

package/lib/hardening/install/node-serialize0.test.js

@@ -18,10 +18,7 @@ describe('protect hardening node-serialize0', function () {
     core = mocks.core();
     core.logger = mocks.logger();
     core.depHooks = mocks.depHooks();
-    core.depHooks
-      .resolve
-      .withArgs({ name: 'node-serialize', version: '<1.0.0' })
-      .yields(mockLib);
+    core.depHooks.resolve.yields(mockLib);
     core.patcher = patcher(core);
     core.scopes = scopes(core);
     core.protect = mocks.protect();

package/lib/index.d.ts

@@ -17,7 +17,7 @@ import { ReqData, ProtectMessage, ResultMap, ProtectRuleMode } from '@contrast/c
 import { IncomingMessage, ServerResponse } from 'node:http';
 import * as http from 'node:http';
 import * as https from 'node:https';
-import { Domain } from 'domain';
+import { Domain } from 'async-hook-domain';
 
 type Http = typeof http;
 type Https = typeof https;
@@ -114,7 +114,7 @@ export interface Protect {
   }
   errorHandlers: {
     commonHandler: (err: Error) => void;
-    initDomain: () => void | Domain;
+    initDomain: () => Domain;
     fastify3ErrorHandler: {
       _userHandler: null | ((...args: any[]) => any),
       defaultErrorHandler: (error: Error, request: IncomingMessage, reply: ServerResponse) => void,
@@ -122,7 +122,7 @@ export interface Protect {
       install: () => void
     }
     koa2ErrorHandler: { install: () => void },
-    express4ErrorHandler: { install: () => void },
+    expressErrorHandler: { install: () => void },
     install: () => void,
   },
   // eslint-disable-next-line @typescript-eslint/no-explicit-any

package/lib/input-analysis/index.js

@@ -39,7 +39,7 @@ module.exports = function(core) {
   // framework specific instrumentation
   require('./install/fastify')(core);
   require('./install/koa2')(core);
-  require('./install/express4')(core);
+  require('./install/express')(core);
   require('./install/hapi')(core);
   require('./install/restify')(core);