@contrast/protect 1.5.0 → 1.6.0

package/lib/index.js

@@ -38,7 +38,7 @@ module.exports = function(core) {
   protect.version = pkj.version;
 
   protect.install = function() {
-    installChildComponentsSync(protect)
+    installChildComponentsSync(protect);
   };
 
   return protect;

package/lib/input-analysis/handlers.js

@@ -17,6 +17,7 @@
 
 const { BLOCKING_MODES, simpleTraverse } = require('@contrast/common');
 const address = require('ipaddr.js');
+const { Rule } = require('@contrast/common');
 
 //
 // these rules are not implemented by agent-lib, but are being considered for
@@ -54,6 +55,7 @@ module.exports = function(core) {
       agentLib,
       inputAnalysis,
     },
+    config,
   } = core;
 
   // all handlers will be invoked with two arguments:
@@ -127,12 +129,68 @@ module.exports = function(core) {
     return block;
   };
 
-  // this is called before the request goes away. this is where probe detection takes
-  // place. basically loop through findings.resultsList and, for all those that weren't
-  // blocked, run scoreAtom() with preferWorthWatching: false. for any that have a score
-  // >= 90 report them as probes.
+  /**
+   * handleRequestEnd()
+   *
+   * Invoked when the request is complete.
+   *
+   * @param {Object} sourceContext
+   */
   inputAnalysis.handleRequestEnd = function handleRequestEnd(sourceContext) {
-    throw new Error('nyi', sourceContext);
+    if (!config.protect.probe_analysis.enable) return;
+
+    const { resultsMap } = sourceContext.findings;
+    const probesRules = [Rule.CMD_INJECTION, Rule.PATH_TRAVERSAL, Rule.SQL_INJECTION, Rule.XXE];
+    const props = {};
+
+    // Detecting probes
+    Object.values(resultsMap).forEach(resultsByRuleId => {
+      resultsByRuleId.forEach((resultByRuleId) => {
+        const {
+          ruleId,
+          blocked,
+          details,
+          value,
+          inputType
+        } = resultByRuleId;
+        if (blocked || !blocked && details.length > 0 || !probesRules.some(rule => rule === ruleId)) return;
+
+        const { policy: { rulesMask } } = sourceContext;
+
+        const results = (agentLib.scoreAtom(
+          rulesMask,
+          value,
+          agentLib.InputType[inputType],
+          {
+            preferWorthWatching: false
+          }
+        ) || []).filter(({ score }) => score >= 90);
+
+        if (!results.length) return;
+
+        results.forEach(result => {
+          const isAlreadyBlocked = (resultsMap[result.ruleId] || []).some(element =>
+            element.blocked && element.inputType === inputType && element.value === value
+          );
+
+          if (isAlreadyBlocked) return;
+
+          const probe = Object.assign({}, resultByRuleId, result, {
+            mappedId: result.ruleId
+          });
+          const key = [probe.ruleId, probe.inputType, ...probe.path, probe.value].join('|');
+          props[key] = probe;
+        });
+      });
+    });
+
+    Object.values(props).forEach(prop => {
+      if (!resultsMap[prop.ruleId]) {
+        resultsMap[prop.ruleId] = [];
+      }
+
+      resultsMap[prop.ruleId].push(prop);
+    });
   };
 
   const jsonInputTypes = {

package/lib/input-analysis/install/fastify.js

@@ -36,48 +36,46 @@ module.exports = (core) => {
    * registers a depHook for fastify module instrumentation
    */
   function install() {
-    depHooks.resolve({ name: 'fastify', version: '>=3 <5' }, (fastify) => {
-      return patcher.patch(fastify, {
-        name: 'fastify.build',
-        patchType,
-        post({ result: server }) {
-          server.addHook('preValidation', function(request, reply, done) {
-            let securityException;
-            const sourceContext = protect.getSourceContext('Fastify.preValidationHook');
+    depHooks.resolve({ name: 'fastify', version: '>=3 <5' }, (fastify) => patcher.patch(fastify, {
+      name: 'fastify.build',
+      patchType,
+      post({ result: server }) {
+        server.addHook('preValidation', function(request, reply, done) {
+          let securityException;
+          const sourceContext = protect.getSourceContext('Fastify.preValidationHook');
 
-            if (sourceContext) {
-              try {
-                if (request.params) {
-                  sourceContext.parsedParams = request.params;
-                  inputAnalysis.handleUrlParams(sourceContext, request.params);
-                }
-                if (request.cookies) {
-                  sourceContext.parsedCookies = request.cookies;
-                  inputAnalysis.handleCookies(sourceContext, request.cookies);
-                }
-                if (request.body) {
-                  sourceContext.parsedBody = request.body;
-                  inputAnalysis.handleParsedBody(sourceContext, request.body);
-                }
+          if (sourceContext) {
+            try {
+              if (request.params) {
+                sourceContext.parsedParams = request.params;
+                inputAnalysis.handleUrlParams(sourceContext, request.params);
+              }
+              if (request.cookies) {
+                sourceContext.parsedCookies = request.cookies;
+                inputAnalysis.handleCookies(sourceContext, request.cookies);
+              }
+              if (request.body) {
+                sourceContext.parsedBody = request.body;
+                inputAnalysis.handleParsedBody(sourceContext, request.body);
+              }
 
-                if (request.query) {
-                  sourceContext.parsedQuery = request.query;
-                  inputAnalysis.handleQueryParams(sourceContext, request.query);
-                }
-              } catch (err) {
-                if (isSecurityException(err)) {
-                  securityException = err;
-                } else {
-                  logger.error({ err }, 'Unexpected error during input analysis');
-                }
+              if (request.query) {
+                sourceContext.parsedQuery = request.query;
+                inputAnalysis.handleQueryParams(sourceContext, request.query);
+              }
+            } catch (err) {
+              if (isSecurityException(err)) {
+                securityException = err;
+              } else {
+                logger.error({ err }, 'Unexpected error during input analysis');
               }
             }
+          }
 
-            done(securityException);
-          });
-        },
-      });
-    });
+          done(securityException);
+        });
+      },
+    }));
   }
 
   return inputAnalysis.fastifyInstrumentation = {

package/lib/input-analysis/install/http.js

@@ -27,11 +27,10 @@ module.exports = function(core) {
 };
 class HttpInstrumentation {
   constructor(core) {
-    const { logger } = core;
     this.messages = core.messages;
     this.scope = core.scopes.sources;
     this.config = core.config;
-    this.logger = logger.child({ name: 'contrast:protect:input-analysis' });
+    this.logger = core.logger.child('contrast:protect:input-analysis');
     this.depHooks = core.depHooks;
     this.protect = core.protect;
     this.patcher = core.patcher;
@@ -181,7 +180,10 @@ class HttpInstrumentation {
       store.protect = this.makeSourceContext(req, res);
       const { reqData } = store.protect;
 
-      res.on('finish', () => messages.emit(Event.PROTECT, store));
+      res.on('finish', () => {
+        this.protect.inputAnalysis.handleRequestEnd(store.protect);
+        messages.emit(Event.PROTECT, store);
+      });
 
       // don't put inputs in the store; they are a param to each handler. findings
       // associated with inputs do go into the store. why not put the inputs

package/lib/input-tracing/install/child-process.js

@@ -54,6 +54,7 @@ module.exports = function(core) {
             core.protect.semanticAnalysis.handleCommandInjectionCommandBackdoors(sourceContext, sinkContext);
             core.protect.semanticAnalysis.handleCmdInjectionSemanticChainedCommands(sourceContext, sinkContext);
             core.protect.semanticAnalysis.handleCmdInjectionSemanticDangerous(sourceContext, sinkContext);
+            core.protect.semanticAnalysis.handlePathTraversalFileSecurityBypass(sourceContext, sinkContext);
           }
         });
       });

package/lib/input-tracing/install/fs.js

@@ -106,6 +106,7 @@ module.exports = function(core) {
                 { constructorOpt: hooked, prependFrames: [orig] }
               );
               inputTracing.handlePathTraversal(sourceContext, sinkContext);
+              core.protect.semanticAnalysis.handlePathTraversalFileSecurityBypass(sourceContext, sinkContext);
             }
           }
         });

package/lib/input-tracing/install/function.js

@@ -34,23 +34,25 @@ module.exports = function(core) {
       return;
     }
 
-    patcher.patch(global.ContrastMethods, 'Function', {
-      name: 'global.ContrastMethods.Function',
-      patchType,
-      pre: ({ args, hooked, orig }) => {
-        if (instrumentation.isLocked()) return;
-
-        const sourceContext = protect.getSourceContext('Function');
-        const fnBody = args[args.length - 1];
-
-        if (!sourceContext || !fnBody || !isString(fnBody)) return;
-
-        const sinkContext = captureStacktrace(
-          { name: 'Function', value: fnBody },
-          { constructorOpt: hooked, prependFrames: [orig] }
-        );
-        inputTracing.ssjsInjection(sourceContext, sinkContext);
-      }
+    Object.assign(global.ContrastMethods, {
+      Function: patcher.patch(global.ContrastMethods.Function, {
+        name: 'global.ContrastMethods.Function',
+        patchType,
+        pre: ({ args, hooked, orig }) => {
+          if (instrumentation.isLocked()) return;
+
+          const sourceContext = protect.getSourceContext('Function');
+          const fnBody = args[args.length - 1];
+
+          if (!sourceContext || !fnBody || !isString(fnBody)) return;
+
+          const sinkContext = captureStacktrace(
+            { name: 'Function', value: fnBody },
+            { constructorOpt: hooked, prependFrames: [orig] }
+          );
+          inputTracing.ssjsInjection(sourceContext, sinkContext);
+        }
+      })
     });
   }
 

package/lib/policy.js

@@ -105,7 +105,7 @@ module.exports = function(core) {
   messages.on(SERVER_SETTINGS_UPDATE, (remoteSettings) => {
     let update;
 
-    const protectionRules = remoteSettings?.settings?.defend?.protectionRules
+    const protectionRules = remoteSettings?.settings?.defend?.protectionRules;
     if (protectionRules) {
       updateFromProtectionRules(protectionRules);
       update = 'application-settings';

package/lib/semantic-analysis/handlers.js

@@ -16,6 +16,7 @@
 'use strict';
 
 const {
+  Rule,
   BLOCKING_MODES,
   ProtectRuleMode: { OFF },
   InputType,
@@ -26,12 +27,17 @@ const {
 const SINK_EXPLOIT_PATTERN_START = /(?:^|\\|\/)(?:sh|bash|zsh|ksh|tcsh|csh|fish|cmd)/;
 const stripWhiteSpace = (str) => str.replace(/\s/g, '');
 
-// The sink instrumentation for this rule is in `protect/lib/input-tracing/install/child-process.js
+const getRuleResults = function(obj, prop) {
+  return obj[prop] || (obj[prop] = []);
+};
+
+// Semantic analysis currently shares instrumentation with the input-tracing sinks.
+// See files in protect/lib/input-tracing/install/.
+
 module.exports = function(core) {
   const { protect: { agentLib, semanticAnalysis, throwSecurityException } } = core;
 
   function handleResult(sourceContext, sinkContext, ruleId, mode, finding) {
-    const sinkResults = sourceContext.findings.semanticResultsMap[ruleId];
     const result = {
       blocked: false,
       findings: { command: sinkContext.value },
@@ -39,7 +45,7 @@ module.exports = function(core) {
       ...finding
     };
 
-    sourceContext.findings.semanticResultsMap[ruleId] = sinkResults ? [...sinkResults, result] : [result];
+    getRuleResults(sourceContext.findings.semanticResultsMap, ruleId).push(result);
 
     if (BLOCKING_MODES.includes(mode)) {
       result.blocked = true;
@@ -50,41 +56,50 @@ module.exports = function(core) {
   }
 
   semanticAnalysis.handleCmdInjectionSemanticDangerous = function(sourceContext, sinkContext) {
-    const ruleId = 'cmd-injection-semantic-dangerous-paths';
-    const mode = sourceContext.policy[ruleId];
+    const mode = sourceContext.policy[Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS];
 
     if (mode == OFF) return;
 
     const result = agentLib.containsDangerousPath(sinkContext.value);
 
     if (result) {
-      handleResult(sourceContext, sinkContext, ruleId, mode);
+      handleResult(sourceContext, sinkContext, Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS, mode);
     }
   };
 
   semanticAnalysis.handleCmdInjectionSemanticChainedCommands = function(sourceContext, sinkContext) {
-    const ruleId = 'cmd-injection-semantic-chained-commands';
-    const mode = sourceContext.policy[ruleId];
+    const mode = sourceContext.policy[Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS];
 
     if (mode == OFF) return;
 
     const indexOfChaining = agentLib.indexOfChaining(sinkContext.value);
 
     if (indexOfChaining != -1) {
-      handleResult(sourceContext, sinkContext, ruleId, mode);
+      handleResult(sourceContext, sinkContext, Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS, mode);
     }
   };
 
   semanticAnalysis.handleCommandInjectionCommandBackdoors = function(sourceContext, sinkContext) {
-    const ruleId = 'cmd-injection-command-backdoors';
-    const mode = sourceContext.policy[ruleId];
+    const mode = sourceContext.policy[Rule.CMD_INJECTION_COMMAND_BACKDOORS];
 
     if (mode == OFF) return;
 
     const finding = findBackdoorInjection(sourceContext, sinkContext.value);
 
     if (finding) {
-      handleResult(sourceContext, sinkContext, ruleId, mode, finding);
+      handleResult(sourceContext, sinkContext, Rule.CMD_INJECTION_COMMAND_BACKDOORS, mode, finding);
+    }
+  };
+
+  semanticAnalysis.handlePathTraversalFileSecurityBypass = function(sourceContext, sinkContext) {
+    const mode = sourceContext.policy[Rule.PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS];
+
+    if (mode == OFF) return;
+
+    if (agentLib.isDangerousPath(sinkContext.value, true)) {
+      handleResult(sourceContext, sinkContext, Rule.PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS, mode, {
+        findings: { path: sinkContext.value }
+      });
     }
   };
 
@@ -119,20 +134,22 @@ function findBackdoorInjection(sourceContext, command) {
       simpleTraverse(values, (path, type, value, obj) => {
         if (
           !found &&
-            value &&
-            type === 'Value' &&
-            isString(value) &&
-            isBackdoorDetected(value, command)
+          type === 'Value' &&
+          isBackdoorDetected(value, command)
         ) {
           let key;
-          key = inputType === InputType.HEADER ? obj.indexOf(command) - 1 : path[path.length - 1];
-          if (Number.isInteger(key) && obj[key]) {
-            key = obj[key];
+          if (inputType === InputType.HEADER) {
+            key = obj[path[0] - 1]
+          } else {
+            key = path[path.length - 1];
           }
-          path = path.length === 1 ? [] : Array.from(path).slice(0, path.length - 1);
-          inputType = path.length > 1 ? InputType.JSON_VALUE : inputType;
 
-          found = { key, inputType, path, value: command };
+          found = {
+            key,
+            inputType: path.length > 1 ? InputType.JSON_VALUE : inputType,
+            path: path.slice(0, -1),
+            value: command
+          };
         }
       });
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.5.0",
+  "version": "1.6.0",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,9 +20,9 @@
     "@babel/template": "^7.16.7",
     "@babel/types": "^7.16.8",
     "@contrast/agent-lib": "^5.1.0",
-    "@contrast/common": "1.1.1",
-    "@contrast/core": "1.4.0",
-    "@contrast/esm-hooks": "1.1.5",
+    "@contrast/common": "1.1.2",
+    "@contrast/core": "1.5.0",
+    "@contrast/esm-hooks": "1.1.6",
     "@contrast/scopes": "1.1.1",
     "builtin-modules": "^3.2.0",
     "ipaddr.js": "^2.0.1",