npm - @contrast/protect - Versions diffs - 1.57.0 → 1.59.0 - Mend

@contrast/protect 1.57.0 → 1.59.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/lib/error-handlers/install/express.js +3 -0
package/lib/get-source-context.js +2 -0
package/lib/index.js +12 -2
package/lib/input-analysis/handlers.js +581 -578
package/lib/input-analysis/index.js +1 -1
package/lib/input-tracing/handlers/index.js +1 -1
package/lib/input-tracing/install/fs.js +1 -1
package/lib/make-source-context.js +7 -1
package/package.json +10 -10

package/lib/input-analysis/handlers.js CHANGED Viewed

@@ -31,7 +31,7 @@ const {
     StringPrototypeSplit,
   }
 } = require('@contrast/common');
+const { Core } = require('@contrast/core/lib/ioc/core');
 //
 // these rules are not implemented by agent-lib, but are being considered for
 // implementation:
@@ -95,678 +95,681 @@ const acceptedMethods = new Set([
   'version-control',
 ]);
-module.exports = function (core) {
-  const {
-    logger,
-    protect: {
-      agentLib,
-      inputAnalysis,
-    },
-    config,
-  } = core;
-  const jsonInputTypes = {
-    keyType: agentLib.InputType.JsonKey, inputType: agentLib.InputType.JsonValue
-  };
-  const parameterInputTypes = {
-    keyType: agentLib.InputType.ParameterKey, inputType: agentLib.InputType.ParameterValue
-  };
-  // all handlers will be invoked with two arguments:
-  // 1) sourceContext object containing:
-  //   - reqData, the abstract request object containing only what is needed
-  //   - protect, the protect context
-  //     - rules, exclusions, virtual patches (TS data). what was in effect for this
-  //       url *at the time the request was started*. these will not change.
-  //     - block(), function that executes block for this specific request
-  //     - findings{}, consolidated collection of findings returned by score functions
-  //       and augmented with disposition and additional information as needed.
-  // 2) input or inputs specific to that handler
-  //
-  // exclusions
-  // - url exclusions are applied at the level above the connect handler, if no rules
-  //   are applicable to a given URL then it's not processed in any way by handlers.
-  // - input exclusions are applied **after** analysis. The rationale is that checking
-  //   inputs against rules 1) is very fast and 2) dramatically pares down the number
-  //   of exclusion checks that need to be made.
-  /**
-   * handleConnect()
-   *
-   * handle the inputs that are available when the HTTP 'request' event is emitted.
-   *
-   * this should *always* be the first handler called; it does setup that other
-   * handlers require.
-   *
-   * the specific data that is available to be processed at this time:
-   * - URI
-   * - queries
-   * - url params
-   * - headers (should exclude cookies header)
-   * - cookies (special handling of the header)
-   *
-   * but it really only makes sense to process:
-   * - URI
-   * - headers except cookies
-   *
-   * why? because the query string will (probably) be interpreted by the framework using
-   * 'qs' and that could result in creating an array or an object instead of a simple text
-   * value. and the cookies need to be parsed into individual cookies by the framework so
-   * that our code doesn't have to guess at the format, encoding, and other permutations.
-   * and for url params - only the framework knows that a portion of the url is a param.
-   *
-   * if it is known that 'qs' is not being used, then passing the query string in the
-   * 'connectInputs' makes sense; a flag similar to 'contentType' can be set and it can be
-   * used later to avoid calling 'handleQueryParams()'
-   *
-   * @param {Object} sourceContext { reqData, protect } that will be supplied to
-   *   all handlers and sinks for this request. It will always be supplied by the caller
-   *   to a handler; the handler is not aware of the implementation.
-   * @param {Object} connectInputs each property is an input to be evaluated by this
-   *   handler.
-   * @returns {undefined|[String]} undefined to permit else [mode, rule] to block.
-   */
-  inputAnalysis.handleConnect = function handleConnect(sourceContext, connectInputs) {
-    const { policy: { rulesMask } } = sourceContext;
-    inputAnalysis.handleVirtualPatches(
-      sourceContext,
-      { URLS: connectInputs.rawUrl, HEADERS: connectInputs.headers }
-    );
-    const findings = agentLib.scoreRequestConnect(rulesMask, connectInputs, preferWW);
-    let block = mergeFindings(sourceContext, findings);
-    if (!block) {
-      block = inputAnalysis.handleMethodTampering(sourceContext, connectInputs);
-    }
+module.exports = Core.makeComponent({
+  name: 'protect.inputAnalysis.handlers',
+  factory(core) {
+    const {
+      logger,
+      protect: {
+        agentLib,
+        inputAnalysis,
+      },
+      config,
+    } = core;
+    const jsonInputTypes = {
+      keyType: agentLib.InputType.JsonKey, inputType: agentLib.InputType.JsonValue
+    };
-    return block;
-  };
-  /**
-   * handleQueryParams()
-   *
-   * If all values are strings there there is no need to re-evaluate them; that was
-   * done on requestConnect. But some frameworks use packages like 'qs' to parse the
-   * search params, which is non-standard and has many options including changing the
-   * delimiters and the ability to create the equivalent of JSON from the search params
-   * string. If any of the values are not strings then they need to be evaluated here;
-   * these results replace the results generated at requestConnect.
-   *
-   * If it is known that 'qs' is being used then it is better not to have passed the
-   * querystring to scoreRequestConnect().
-   *
-   * @param {Object} sourceContext
-   * @param {Object} queryParams pojo {key: value, ...} for all query params/search params
-   */
-  inputAnalysis.handleQueryParams = function handleQueryParams(sourceContext, queryParams) {
-    if (sourceContext.analyzedQuery) return;
-    sourceContext.analyzedQuery = true;
-    if (typeof queryParams !== 'object') {
-      logger.debug({ queryParams }, 'handleQueryParams() called with non-object');
-      return;
-    }
+    const parameterInputTypes = {
+      keyType: agentLib.InputType.ParameterKey, inputType: agentLib.InputType.ParameterValue
+    };
-    inputAnalysis.handleVirtualPatches(sourceContext, { PARAMETERS: queryParams });
+    // all handlers will be invoked with two arguments:
+    // 1) sourceContext object containing:
+    //   - reqData, the abstract request object containing only what is needed
+    //   - protect, the protect context
+    //     - rules, exclusions, virtual patches (TS data). what was in effect for this
+    //       url *at the time the request was started*. these will not change.
+    //     - block(), function that executes block for this specific request
+    //     - findings{}, consolidated collection of findings returned by score functions
+    //       and augmented with disposition and additional information as needed.
+    // 2) input or inputs specific to that handler
+    //
+    // exclusions
+    // - url exclusions are applied at the level above the connect handler, if no rules
+    //   are applicable to a given URL then it's not processed in any way by handlers.
+    // - input exclusions are applied **after** analysis. The rationale is that checking
+    //   inputs against rules 1) is very fast and 2) dramatically pares down the number
+    //   of exclusion checks that need to be made.
+    /**
+     * handleConnect()
+     *
+     * handle the inputs that are available when the HTTP 'request' event is emitted.
+     *
+     * this should *always* be the first handler called; it does setup that other
+     * handlers require.
+     *
+     * the specific data that is available to be processed at this time:
+     * - URI
+     * - queries
+     * - url params
+     * - headers (should exclude cookies header)
+     * - cookies (special handling of the header)
+     *
+     * but it really only makes sense to process:
+     * - URI
+     * - headers except cookies
+     *
+     * why? because the query string will (probably) be interpreted by the framework using
+     * 'qs' and that could result in creating an array or an object instead of a simple text
+     * value. and the cookies need to be parsed into individual cookies by the framework so
+     * that our code doesn't have to guess at the format, encoding, and other permutations.
+     * and for url params - only the framework knows that a portion of the url is a param.
+     *
+     * if it is known that 'qs' is not being used, then passing the query string in the
+     * 'connectInputs' makes sense; a flag similar to 'contentType' can be set and it can be
+     * used later to avoid calling 'handleQueryParams()'
+     *
+     * @param {Object} sourceContext { reqData, protect } that will be supplied to
+     *   all handlers and sinks for this request. It will always be supplied by the caller
+     *   to a handler; the handler is not aware of the implementation.
+     * @param {Object} connectInputs each property is an input to be evaluated by this
+     *   handler.
+     * @returns {undefined|[String]} undefined to permit else [mode, rule] to block.
+     */
+    inputAnalysis.handleConnect = function handleConnect(sourceContext, connectInputs) {
+      const { policy: { rulesMask } } = sourceContext;
+      inputAnalysis.handleVirtualPatches(
+        sourceContext,
+        { URLS: connectInputs.rawUrl, HEADERS: connectInputs.headers }
+      );
-    const block = commonObjectAnalyzer(sourceContext, queryParams, parameterInputTypes);
+      const findings = agentLib.scoreRequestConnect(rulesMask, connectInputs, preferWW);
+      let block = mergeFindings(sourceContext, findings);
-    if (block) {
-      core.protect.throwSecurityException(sourceContext);
-    }
-  };
-  /**
-   * handleUrlParams()
-   *
-   * Invoked when a framework emits URL params. It is similar to handling queryParams
-   * except no finding for URL params can be present.
-   *
-   * @param {Object} sourceContext
-   * @param {Object} urlParams pojo
-   */
-  inputAnalysis.handleUrlParams = function (sourceContext, urlParams) {
-    if (sourceContext.analyzedUrlParams) return;
-    sourceContext.analyzedUrlParams = true;
-    if (typeof urlParams !== 'object') {
-      logger.debug({ urlParams }, 'handleUrlParams() called with non-object');
-      return;
-    }
-    inputAnalysis.handleVirtualPatches(sourceContext, { PARAMETERS: urlParams });
+      if (!block) {
+        block = inputAnalysis.handleMethodTampering(sourceContext, connectInputs);
+      }
-    const { policy: { rulesMask } } = sourceContext;
-    const resultsList = [];
-    const { UrlParameter } = agentLib.InputType;
+      return block;
+    };
-    traverseValues(urlParams, function (path, type, value) {
-      // url param names are not checked.
-      if (type !== 'Value') {
+    /**
+     * handleQueryParams()
+     *
+     * If all values are strings there there is no need to re-evaluate them; that was
+     * done on requestConnect. But some frameworks use packages like 'qs' to parse the
+     * search params, which is non-standard and has many options including changing the
+     * delimiters and the ability to create the equivalent of JSON from the search params
+     * string. If any of the values are not strings then they need to be evaluated here;
+     * these results replace the results generated at requestConnect.
+     *
+     * If it is known that 'qs' is being used then it is better not to have passed the
+     * querystring to scoreRequestConnect().
+     *
+     * @param {Object} sourceContext
+     * @param {Object} queryParams pojo {key: value, ...} for all query params/search params
+     */
+    inputAnalysis.handleQueryParams = function handleQueryParams(sourceContext, queryParams) {
+      if (sourceContext.analyzedQuery) return;
+      sourceContext.analyzedQuery = true;
+      if (typeof queryParams !== 'object') {
+        logger.debug({ queryParams }, 'handleQueryParams() called with non-object');
         return;
       }
-      const items = agentLib.scoreAtom(rulesMask, value, UrlParameter, preferWW);
+      inputAnalysis.handleVirtualPatches(sourceContext, { PARAMETERS: queryParams });
-      if (!items) {
-        return;
-      }
+      const block = commonObjectAnalyzer(sourceContext, queryParams, parameterInputTypes);
-      for (const item of items) {
-        resultsList.push({
-          ruleId: item.ruleId,
-          inputType: 'UrlParameter',
-          path: ArrayPrototypeSlice.call(path),
-          key: path.pop(), // there should always be at least the param name
-          value,
-          score: item.score,
-          idsList: item.idsList
-        });
+      if (block) {
+        core.protect.throwSecurityException(sourceContext);
       }
-    });
+    };
-    // if nothing was found then nothing needs to be done.
-    if (resultsList.length === 0) {
-      return;
-    }
+    /**
+     * handleUrlParams()
+     *
+     * Invoked when a framework emits URL params. It is similar to handling queryParams
+     * except no finding for URL params can be present.
+     *
+     * @param {Object} sourceContext
+     * @param {Object} urlParams pojo
+     */
+    inputAnalysis.handleUrlParams = function(sourceContext, urlParams) {
+      if (sourceContext.analyzedUrlParams) return;
+      sourceContext.analyzedUrlParams = true;
+      if (typeof urlParams !== 'object') {
+        logger.debug({ urlParams }, 'handleUrlParams() called with non-object');
+        return;
+      }
-    // something was found, so create "complete" findings.
-    const urlParamsFindings = {
-      trackRequest: true,
-      securityException: undefined,
-      resultsList,
-    };
+      inputAnalysis.handleVirtualPatches(sourceContext, { PARAMETERS: urlParams });
-    const block = mergeFindings(sourceContext, urlParamsFindings);
+      const { policy: { rulesMask } } = sourceContext;
+      const resultsList = [];
+      const { UrlParameter } = agentLib.InputType;
-    if (block) {
-      core.protect.throwSecurityException(sourceContext);
-    }
-  };
+      traverseValues(urlParams, function(path, type, value) {
+        // url param names are not checked.
+        if (type !== 'Value') {
+          return;
+        }
-  /**
-   * handleCookies()
-   *
-   * Invoked when a framework emits cookies. It is similar to handling queryParams except
-   * no findings for cookies can be present.
-   * @param {Object} sourceContext
-   * @param {Object} cookies pojo
-   */
-  inputAnalysis.handleCookies = function (sourceContext, cookies) {
-    if (sourceContext.analyzedCookies) return;
-    sourceContext.analyzedCookies = true;
+        const items = agentLib.scoreAtom(rulesMask, value, UrlParameter, preferWW);
-    inputAnalysis.handleVirtualPatches(sourceContext, { HEADERS: cookies });
+        if (!items) {
+          return;
+        }
-    const { policy: { rulesMask } } = sourceContext;
+        for (const item of items) {
+          resultsList.push({
+            ruleId: item.ruleId,
+            inputType: 'UrlParameter',
+            path: ArrayPrototypeSlice.call(path),
+            key: path.pop(), // there should always be at least the param name
+            value,
+            score: item.score,
+            idsList: item.idsList
+          });
+        }
+      });
-    const cookiesArr = Object.entries(cookies).reduce((acc, [key, value]) => {
-      // things like booleans will cause agent-lib to throw
-      if (isString(value)) acc.push(key, value);
-      return acc;
-    }, []);
+      // if nothing was found then nothing needs to be done.
+      if (resultsList.length === 0) {
+        return;
+      }
-    const cookieFindings = agentLib.scoreRequestConnect(rulesMask, { cookies: cookiesArr }, preferWW);
+      // something was found, so create "complete" findings.
+      const urlParamsFindings = {
+        trackRequest: true,
+        securityException: undefined,
+        resultsList,
+      };
-    const block = mergeFindings(sourceContext, cookieFindings);
+      const block = mergeFindings(sourceContext, urlParamsFindings);
-    if (block) {
-      core.protect.throwSecurityException(sourceContext);
-    }
-  };
-  /**
-   * handleParsedBody() is called with the body after a framework has parsed
-   * the body. If the body was JSON then it may have already been scored by
-   * handleRawBody(); if it was, bodyType was set to 'json' and this code only
-   * converts the previous findings, using the parsed body.
-   *
-   * @param {Object} sourceContext
-   * @param {Object} parsedBody
-   */
-  inputAnalysis.handleParsedBody = function (sourceContext, parsedBody) {
-    if (sourceContext.analyzedBody) return;
-    sourceContext.analyzedBody = true;
-    if (typeof parsedBody !== 'object') {
-      logger.debug({ parsedBody }, 'handleParsedBody() called with non-object');
-      return;
-    }
+      if (block) {
+        core.protect.throwSecurityException(sourceContext);
+      }
+    };
-    inputAnalysis.handleVirtualPatches(sourceContext, { PARAMETERS: parsedBody });
+    /**
+     * handleCookies()
+     *
+     * Invoked when a framework emits cookies. It is similar to handling queryParams except
+     * no findings for cookies can be present.
+     * @param {Object} sourceContext
+     * @param {Object} cookies pojo
+     */
+    inputAnalysis.handleCookies = function(sourceContext, cookies) {
+      if (sourceContext.analyzedCookies) return;
+      sourceContext.analyzedCookies = true;
-    let bodyType;
-    let inputTypes;
-    if (sourceContext.reqData.contentType.includes('/json')) {
-      bodyType = 'json';
-      inputTypes = jsonInputTypes;
-    } else {
-      bodyType = 'urlencoded';
-      inputTypes = parameterInputTypes;
-    }
+      inputAnalysis.handleVirtualPatches(sourceContext, { HEADERS: cookies });
-    const block = commonObjectAnalyzer(sourceContext, parsedBody, inputTypes);
+      const { policy: { rulesMask } } = sourceContext;
-    sourceContext.bodyType = bodyType;
+      const cookiesArr = Object.entries(cookies).reduce((acc, [key, value]) => {
+        // things like booleans will cause agent-lib to throw
+        if (isString(value)) acc.push(key, value);
+        return acc;
+      }, []);
-    if (block) {
-      core.protect.throwSecurityException(sourceContext);
-    }
-  };
+      const cookieFindings = agentLib.scoreRequestConnect(rulesMask, { cookies: cookiesArr }, preferWW);
-  // was MULTIPART_NAME but maybe we should just call it what it is. it's kind
-  // of a dumb rule anyway. but maybe some code actually uses the name provided.
-  inputAnalysis.handleFileUploadName = function (sourceContext, names) {
-    const type = agentLib.InputType.MultipartName;
-    const { policy } = sourceContext;
-    const resultsList = [];
+      const block = mergeFindings(sourceContext, cookieFindings);
-    if (policy[Rule.UNSAFE_FILE_UPLOAD] === 'off') return;
+      if (block) {
+        core.protect.throwSecurityException(sourceContext);
+      }
+    };
-    for (const name of names) {
-      if (!isString(name)) {
-        logger.debug({ filename: name }, 'handleFileUploadName() was called with non-string');
+    /**
+     * handleParsedBody() is called with the body after a framework has parsed
+     * the body. If the body was JSON then it may have already been scored by
+     * handleRawBody(); if it was, bodyType was set to 'json' and this code only
+     * converts the previous findings, using the parsed body.
+     *
+     * @param {Object} sourceContext
+     * @param {Object} parsedBody
+     */
+    inputAnalysis.handleParsedBody = function(sourceContext, parsedBody) {
+      if (sourceContext.analyzedBody) return;
+      sourceContext.analyzedBody = true;
+      if (typeof parsedBody !== 'object') {
+        logger.debug({ parsedBody }, 'handleParsedBody() called with non-object');
         return;
       }
-      const items = agentLib.scoreAtom(policy.rulesMask, name, type);
+      inputAnalysis.handleVirtualPatches(sourceContext, { PARAMETERS: parsedBody });
-      if (!items) {
-        return;
-      }
-      for (const item of items) {
-        resultsList.push({
-          ruleId: item.ruleId,
-          inputType: type,
-          name: '',
-          value: name,
-          score: item.score,
-          idsList: item.idsList,
-        });
+      let bodyType;
+      let inputTypes;
+      if (sourceContext.reqData.contentType.includes('/json')) {
+        bodyType = 'json';
+        inputTypes = jsonInputTypes;
+      } else {
+        bodyType = 'urlencoded';
+        inputTypes = parameterInputTypes;
       }
-    }
-    // something was found, so create "complete" findings.
-    const unsafeFilenameFindings = {
-      trackRequest: true,
-      securityException: undefined,
-      resultsList,
+      const block = commonObjectAnalyzer(sourceContext, parsedBody, inputTypes);
+      sourceContext.bodyType = bodyType;
+      if (block) {
+        core.protect.throwSecurityException(sourceContext);
+      }
     };
-    const block = mergeFindings(sourceContext, unsafeFilenameFindings);
+    // was MULTIPART_NAME but maybe we should just call it what it is. it's kind
+    // of a dumb rule anyway. but maybe some code actually uses the name provided.
+    inputAnalysis.handleFileUploadName = function(sourceContext, names) {
+      const type = agentLib.InputType.MultipartName;
+      const { policy } = sourceContext;
+      const resultsList = [];
-    if (block) {
-      core.protect.throwSecurityException(sourceContext);
-    }
-  };
+      if (policy[Rule.UNSAFE_FILE_UPLOAD] === 'off') return;
-  inputAnalysis.handleVirtualPatches = function (sourceContext, requestInput) {
-    const ruleId = Rule.VIRTUAL_PATCH;
+      for (const name of names) {
+        if (!isString(name)) {
+          logger.debug({ filename: name }, 'handleFileUploadName() was called with non-string');
+          return;
+        }
-    if (!Object.keys(requestInput).filter(Boolean).length || !sourceContext?.virtualPatchesEvaluators.length) return;
+        const items = agentLib.scoreAtom(policy.rulesMask, name, type);
-    for (const vpEvaluators of sourceContext.virtualPatchesEvaluators) {
-      for (const key in requestInput) {
-        const evaluator = vpEvaluators.get(key);
+        if (!items) {
+          return;
+        }
+        for (const item of items) {
+          resultsList.push({
+            ruleId: item.ruleId,
+            inputType: type,
+            name: '',
+            value: name,
+            score: item.score,
+            idsList: item.idsList,
+          });
+        }
+      }
+      // something was found, so create "complete" findings.
+      const unsafeFilenameFindings = {
+        trackRequest: true,
+        securityException: undefined,
+        resultsList,
+      };
-        if (evaluator && requestInput[key] && evaluator(requestInput[key])) {
-          vpEvaluators.delete(key);
-          const { name, uuid } = vpEvaluators.get('metadata');
+      const block = mergeFindings(sourceContext, unsafeFilenameFindings);
-          if (vpEvaluators.size === 1 && uuid) {
-            if (!sourceContext.resultsMap[ruleId]) {
-              sourceContext.resultsMap[ruleId] = [];
+      if (block) {
+        core.protect.throwSecurityException(sourceContext);
+      }
+    };
+    inputAnalysis.handleVirtualPatches = function(sourceContext, requestInput) {
+      const ruleId = Rule.VIRTUAL_PATCH;
+      if (!Object.keys(requestInput).filter(Boolean).length || !sourceContext?.virtualPatchesEvaluators.length) return;
+      for (const vpEvaluators of sourceContext.virtualPatchesEvaluators) {
+        for (const key in requestInput) {
+          const evaluator = vpEvaluators.get(key);
+          if (evaluator && requestInput[key] && evaluator(requestInput[key])) {
+            vpEvaluators.delete(key);
+            const { name, uuid } = vpEvaluators.get('metadata');
+            if (vpEvaluators.size === 1 && uuid) {
+              if (!sourceContext.resultsMap[ruleId]) {
+                sourceContext.resultsMap[ruleId] = [];
+              }
+              sourceContext.resultsMap[ruleId].push({
+                name,
+                uuid
+              });
+              sourceContext.securityException = ['block', ruleId];
+              core.protect.throwSecurityException(sourceContext);
             }
-            sourceContext.resultsMap[ruleId].push({
-              name,
-              uuid
-            });
-            sourceContext.securityException = ['block', ruleId];
-            core.protect.throwSecurityException(sourceContext);
           }
         }
       }
-    }
-  };
+    };
-  inputAnalysis.handleIpAllowlist = function (sourceContext, ipAllowlist) {
-    if (!sourceContext || !ipAllowlist.length) return;
+    inputAnalysis.handleIpAllowlist = function(sourceContext, ipAllowlist) {
+      if (!sourceContext || !ipAllowlist.length) return;
-    const { ip: reqIp, headers: reqHeaders } = sourceContext.reqData;
+      const { ip: reqIp, headers: reqHeaders } = sourceContext.reqData;
-    const match = ipListAnalysis(reqIp, reqHeaders, ipAllowlist);
+      const match = ipListAnalysis(reqIp, reqHeaders, ipAllowlist);
-    if (match) {
-      logger.info(match, 'Found a matching IP to an entry in ipAllow list');
-      return true;
-    }
-  };
+      if (match) {
+        logger.info(match, 'Found a matching IP to an entry in ipAllow list');
+        return true;
+      }
+    };
+    inputAnalysis.handleIpDenylist = function(sourceContext, ipDenylist) {
+      const ruleId = Rule.IP_DENYLIST;
-  inputAnalysis.handleIpDenylist = function (sourceContext, ipDenylist) {
-    const ruleId = Rule.IP_DENYLIST;
+      if (!sourceContext || !ipDenylist.length) return;
-    if (!sourceContext || !ipDenylist.length) return;
+      const { ip: reqIp, headers: reqHeaders } = sourceContext.reqData;
-    const { ip: reqIp, headers: reqHeaders } = sourceContext.reqData;
+      const match = ipListAnalysis(reqIp, reqHeaders, ipDenylist);
-    const match = ipListAnalysis(reqIp, reqHeaders, ipDenylist);
+      if (match) {
+        logger.info(match, 'Found a matching IP to an entry in ipDeny list');
+        if (!sourceContext.resultsMap[ruleId]) {
+          sourceContext.resultsMap[ruleId] = [];
+        }
-    if (match) {
-      logger.info(match, 'Found a matching IP to an entry in ipDeny list');
-      if (!sourceContext.resultsMap[ruleId]) {
-        sourceContext.resultsMap[ruleId] = [];
+        sourceContext.resultsMap[ruleId].push({
+          ip: match.matchedIp,
+          uuid: match.uuid,
+        });
+        return ['block', 'ip-denylist'];
       }
+    };
-      sourceContext.resultsMap[ruleId].push({
-        ip: match.matchedIp,
-        uuid: match.uuid,
-      });
-      return ['block', 'ip-denylist'];
-    }
-  };
-  inputAnalysis.handleMethodTampering = function (sourceContext, connectInputs) {
-    const ruleId = Rule.METHOD_TAMPERING;
-    const mode = sourceContext.policy[ruleId];
-    if (mode !== OFF) {
-      const { method } = connectInputs;
-      if (!acceptedMethods.has(method)) {
-        const result = {
-          inputType: InputType.METHOD,
-          key: 'method',
-          value: method,
-          blocked: false,
-          exploitMetadata: null,
-        };
-        sourceContext.resultsMap[ruleId] = [result];
-        if (BLOCKING_MODES.includes(mode)) {
-          result.blocked = true;
-          return sourceContext.securityException = ['block', ruleId];
+    inputAnalysis.handleMethodTampering = function(sourceContext, connectInputs) {
+      const ruleId = Rule.METHOD_TAMPERING;
+      const mode = sourceContext.policy[ruleId];
+      if (mode !== OFF) {
+        const { method } = connectInputs;
+        if (!acceptedMethods.has(method)) {
+          const result = {
+            inputType: InputType.METHOD,
+            key: 'method',
+            value: method,
+            blocked: false,
+            exploitMetadata: null,
+          };
+          sourceContext.resultsMap[ruleId] = [result];
+          if (BLOCKING_MODES.includes(mode)) {
+            result.blocked = true;
+            return sourceContext.securityException = ['block', ruleId];
+          }
         }
       }
-    }
-  };
-  /**
-   *
-   * Invoked when the request is complete. Handles probe analysis (when configured) and
-   * various other tasks needed prior to reporting.
-   *
-   * @param {Object} sourceContext
-   */
-  inputAnalysis.handleRequestEnd = function handleRequestEnd(sourceContext) {
-    {
-      // check status code to verify method-tampering exploitation
-      const mtResult = sourceContext.resultsMap[Rule.METHOD_TAMPERING]?.[0];
-      if (mtResult) {
-        const { statusCode } = sourceContext.resData;
-        if (statusCode !== 405 || statusCode !== 501) {
-          mtResult.exploitMetadata = [{ statusCode }];
+    };
+    /**
+     *
+     * Invoked when the request is complete. Handles probe analysis (when configured) and
+     * various other tasks needed prior to reporting.
+     *
+     * @param {Object} sourceContext
+     */
+    inputAnalysis.handleRequestEnd = function handleRequestEnd(sourceContext) {
+      {
+        // check status code to verify method-tampering exploitation
+        const mtResult = sourceContext.resultsMap[Rule.METHOD_TAMPERING]?.[0];
+        if (mtResult) {
+          const { statusCode } = sourceContext.resData;
+          if (statusCode !== 405 || statusCode !== 501) {
+            mtResult.exploitMetadata = [{ statusCode }];
+          }
         }
       }
-    }
-    if (!config.protect.probe_analysis.enable) return;
-    // Detecting probes
-    const { resultsMap, policy: { rulesMask } } = sourceContext;
-    const probesRules = [Rule.CMD_INJECTION, Rule.PATH_TRAVERSAL, Rule.SQL_INJECTION, Rule.XXE];
-    const probes = {};
+      if (!config.protect.probe_analysis.enable) return;
+      // Detecting probes
+      const { resultsMap, policy: { rulesMask } } = sourceContext;
+      const probesRules = [Rule.CMD_INJECTION, Rule.PATH_TRAVERSAL, Rule.SQL_INJECTION, Rule.XXE];
+      const probes = {};
+      const findingsForScoreRequest = {
+        HeaderValue: {},
+        ParameterValue: {},
+        CookieValue: {},
+      };
+      const findingsForScoreAtom = {};
+      const valueToResultByRuleId = {};
+      Object.values(resultsMap).forEach(resultsByRuleId => {
+        resultsByRuleId.forEach(resultByRuleId => {
+          const {
+            ruleId,
+            exploitMetadata,
+            score,
+            value,
+            key,
+            inputType
+          } = resultByRuleId;
+          if (
+            !isMonitorMode(ruleId, sourceContext) ||
+            exploitMetadata.length > 0 ||
+            score >= 90 ||
+            !probesRules.some((rule) => rule === ruleId)
+          ) {
+            return;
+          }
-    const findingsForScoreRequest = {
-      HeaderValue: {},
-      ParameterValue: {},
-      CookieValue: {},
-    };
-    const findingsForScoreAtom = {};
-    const valueToResultByRuleId = {};
-    Object.values(resultsMap).forEach(resultsByRuleId => {
-      resultsByRuleId.forEach(resultByRuleId => {
-        const {
-          ruleId,
-          exploitMetadata,
-          score,
-          value,
-          key,
-          inputType
-        } = resultByRuleId;
-        if (
-          !isMonitorMode(ruleId, sourceContext) ||
-          exploitMetadata.length > 0 ||
-          score >= 90 ||
-          !probesRules.some((rule) => rule === ruleId)
-        ) {
-          return;
-        }
+          const dataType = findingsForScoreRequest[inputType];
+          if (!dataType) {
+            if (!findingsForScoreAtom[value]) {
+              findingsForScoreAtom[value] = {};
+            }
-        const dataType = findingsForScoreRequest[inputType];
-        if (!dataType) {
-          if (!findingsForScoreAtom[value]) {
-            findingsForScoreAtom[value] = {};
+            findingsForScoreAtom[value][inputType] = resultByRuleId;
+            return;
           }
-          findingsForScoreAtom[value][inputType] = resultByRuleId;
-          return;
-        }
-        dataType[key] = value;
-        valueToResultByRuleId[value] = resultByRuleId;
+          dataType[key] = value;
+          valueToResultByRuleId[value] = resultByRuleId;
+        });
       });
-    });
-    const { ParameterValue, HeaderValue, CookieValue } = findingsForScoreRequest;
-    const results =
-      agentLib.scoreRequestConnect(
-        rulesMask,
-        {
-          queries: Object.entries(ParameterValue).flat(),
-          headers: Object.entries(HeaderValue).flat(),
-          cookies: Object.entries(CookieValue).flat(),
-        },
-        {
-          preferWorthWatching: false,
-        }
-      ).resultsList || [];
-    Object.entries(findingsForScoreAtom).forEach(([value, inputTypes]) => {
-      Object.entries(inputTypes).forEach(([inputType, resultByRuleId]) =>
-        (
-          agentLib.scoreAtom(rulesMask, value, agentLib.InputType[inputType], {
+      const { ParameterValue, HeaderValue, CookieValue } = findingsForScoreRequest;
+      const results =
+        agentLib.scoreRequestConnect(
+          rulesMask,
+          {
+            queries: Object.entries(ParameterValue).flat(),
+            headers: Object.entries(HeaderValue).flat(),
+            cookies: Object.entries(CookieValue).flat(),
+          },
+          {
             preferWorthWatching: false,
-          }) || []
-        ).forEach(result => {
-          results.push({ value, ...result });
-          valueToResultByRuleId[value] = resultByRuleId;
-        })
-      );
-    });
-    results
-      .filter(({ score, ruleId }) => score >= 90 && isMonitorMode(ruleId, sourceContext))
-      .forEach((result) => {
-        const resultByRuleId = valueToResultByRuleId[result.value];
-        const probe = Object.assign({}, resultByRuleId, result, {
-          mappedId: result.ruleId,
-        });
-        const key = ArrayPrototypeJoin.call([
-          probe.ruleId,
-          probe.inputType,
-          ...probe.path,
-          probe.value,
-        ], '|');
-        probes[key] = probe;
+          }
+        ).resultsList || [];
+      Object.entries(findingsForScoreAtom).forEach(([value, inputTypes]) => {
+        Object.entries(inputTypes).forEach(([inputType, resultByRuleId]) =>
+          (
+            agentLib.scoreAtom(rulesMask, value, agentLib.InputType[inputType], {
+              preferWorthWatching: false,
+            }) || []
+          ).forEach(result => {
+            results.push({ value, ...result });
+            valueToResultByRuleId[value] = resultByRuleId;
+          })
+        );
       });
-    Object.values(probes).forEach(probe => {
-      if (!resultsMap[probe.ruleId]) {
-        resultsMap[probe.ruleId] = [];
-      }
+      results
+        .filter(({ score, ruleId }) => score >= 90 && isMonitorMode(ruleId, sourceContext))
+        .forEach((result) => {
+          const resultByRuleId = valueToResultByRuleId[result.value];
+          const probe = Object.assign({}, resultByRuleId, result, {
+            mappedId: result.ruleId,
+          });
+          const key = ArrayPrototypeJoin.call([
+            probe.ruleId,
+            probe.inputType,
+            ...probe.path,
+            probe.value,
+          ], '|');
+          probes[key] = probe;
+        });
-      resultsMap[probe.ruleId].push(probe);
-    });
-  };
-  /**
-   * commonObjectAnalyzer() walks an object supplied by the end-user and checks
-   * it for vulnerabilities.
-   *
-   * This can cause the request to be blocked, depending on the mode and findings.
-   *
-   * @param {Object} sourceContext the sourceContext for the request
-   * @param {Object} object the object to analyze. It could be from any input
-   * source that can resolve to an object: x-www-form-urlencoded, JSON,
-   * query params.
-   * @param {Object} inputTypes is either jsonInputTypes or parameterInputTypes,
-   * both are defined above. They specify the input types to be used when evaluating
-   * the object.
-   * @returns {Array | undefined} returns an array with block info if vulnerability was found.
-   */
-  function commonObjectAnalyzer(sourceContext, object, inputTypes) {
-    const { policy: { rulesMask } } = sourceContext;
-    if (!rulesMask) return;
-    // use inputTypes to set params...
-    const { keyType, inputType } = inputTypes;
-    const inputTypeStr = inputTypes === jsonInputTypes ? 'Json' : 'Parameter';
-    const resultsList = [];
-    // it's possible to optimize this if qs (or a similar package) is not loaded
-    // or if none of the values of queryParams are objects. a quick '.includes()'
-    // could be used to determine that. if none are objects then traverseKeysAndValues()
-    // wouldn't be used, just a simple "for (const key in queryParams) {...}" to
-    // check each key and value associated with the key.
-    //
-    // otoh, it's a fair amount of additional logic and the gain is likely to be
-    // small, so it probably only makes sense to check if qs (or similar) is actually
-    // in use. a benchmark of "for (const key in queryParams) {...}" vs traverseKeysAndValues
-    // should be created to see if, and in what cases, it makes sense.
-    //
-    // another day.
-    /* eslint-disable-next-line complexity */
-    traverseKeysAndValues(object, function (path, type, value) {
-      let itemType;
-      let isMongoQueryType;
-      // this is a bit awkward now because nosql-injection-mongo is not integrated
-      // into the scoreAtom() function (or the check_input() function it uses). as
-      // a result, the two rules need to be checked independently and the results
-      // merged, which is kind of a pia.
-      // TODO AGENT-205
-      if (type === 'Key') {
-        itemType = keyType;
-        if (rulesMask & agentLib.RuleType['nosql-injection-mongo']) {
-          isMongoQueryType = agentLib.isMongoQueryType(value);
+      Object.values(probes).forEach(probe => {
+        if (!resultsMap[probe.ruleId]) {
+          resultsMap[probe.ruleId] = [];
         }
-      } else {
-        itemType = inputType;
-      }
-      let items = agentLib.scoreAtom(rulesMask, value, itemType, preferWW);
+        resultsMap[probe.ruleId].push(probe);
+      });
+    };
-      if (!items && !isMongoQueryType) {
-        return;
-      }
-      if (!items) {
-        items = [];
-      }
-      let mongoPath;
-      // if the key was a mongo query key, then add it to the items. it requires
-      // that additional information is kept as well.
-      if (isMongoQueryType) {
-        const inputToCheck = getValueAtKey(object, path, value);
-        // because scoreRequestConnect() returns the query type in the value, we
-        // mimic it here (where scoreAtom() was used). the actual object/string
-        // to match is stored as `inputToCheck`.
-        const item = { ruleId: 'nosql-injection-mongo', score: 10, mongoContext: { inputToCheck } };
-        items.push(item);
-      }
-      // make each item a complete Finding
-      for (const item of items) {
-        const result = {
-          ruleId: item.ruleId,
-          inputType: `${inputTypeStr}${type}`,
-          path: mongoPath || ArrayPrototypeSlice.call(path),
-          key: type === 'Key' ? value : path[path.length - 1],
-          value,
-          score: item.score,
-          idsList: item.idsList || [],
-        };
-        if (item.mongoContext) {
-          result.mongoContext = item.mongoContext;
+    /**
+     * commonObjectAnalyzer() walks an object supplied by the end-user and checks
+     * it for vulnerabilities.
+     *
+     * This can cause the request to be blocked, depending on the mode and findings.
+     *
+     * @param {Object} sourceContext the sourceContext for the request
+     * @param {Object} object the object to analyze. It could be from any input
+     * source that can resolve to an object: x-www-form-urlencoded, JSON,
+     * query params.
+     * @param {Object} inputTypes is either jsonInputTypes or parameterInputTypes,
+     * both are defined above. They specify the input types to be used when evaluating
+     * the object.
+     * @returns {Array | undefined} returns an array with block info if vulnerability was found.
+     */
+    function commonObjectAnalyzer(sourceContext, object, inputTypes) {
+      const { policy: { rulesMask } } = sourceContext;
+      if (!rulesMask) return;
+      // use inputTypes to set params...
+      const { keyType, inputType } = inputTypes;
+      const inputTypeStr = inputTypes === jsonInputTypes ? 'Json' : 'Parameter';
+      const resultsList = [];
+      // it's possible to optimize this if qs (or a similar package) is not loaded
+      // or if none of the values of queryParams are objects. a quick '.includes()'
+      // could be used to determine that. if none are objects then traverseKeysAndValues()
+      // wouldn't be used, just a simple "for (const key in queryParams) {...}" to
+      // check each key and value associated with the key.
+      //
+      // otoh, it's a fair amount of additional logic and the gain is likely to be
+      // small, so it probably only makes sense to check if qs (or similar) is actually
+      // in use. a benchmark of "for (const key in queryParams) {...}" vs traverseKeysAndValues
+      // should be created to see if, and in what cases, it makes sense.
+      //
+      // another day.
+      /* eslint-disable-next-line complexity */
+      traverseKeysAndValues(object, function(path, type, value) {
+        let itemType;
+        let isMongoQueryType;
+        // this is a bit awkward now because nosql-injection-mongo is not integrated
+        // into the scoreAtom() function (or the check_input() function it uses). as
+        // a result, the two rules need to be checked independently and the results
+        // merged, which is kind of a pia.
+        // TODO AGENT-205
+        if (type === 'Key') {
+          itemType = keyType;
+          if (rulesMask & agentLib.RuleType['nosql-injection-mongo']) {
+            isMongoQueryType = agentLib.isMongoQueryType(value);
+          }
+        } else {
+          itemType = inputType;
         }
-        resultsList.push(result);
-      }
-    });
-    // if nothing was found then nothing needs to be done.
-    if (resultsList.length === 0) {
-      return;
-    }
-    // something was found, so create "complete" findings.
-    const findings = {
-      trackRequest: true,
-      securityException: undefined,
-      resultsList,
-    };
-    return mergeFindings(sourceContext, findings);
-  }
+        let items = agentLib.scoreAtom(rulesMask, value, itemType, preferWW);
-  function ipListAnalysis(reqIp, reqHeaders, list) {
-    const forwardedIps = [];
+        if (!items && !isMongoQueryType) {
+          return;
+        }
+        if (!items) {
+          items = [];
+        }
+        let mongoPath;
+        // if the key was a mongo query key, then add it to the items. it requires
+        // that additional information is kept as well.
+        if (isMongoQueryType) {
+          const inputToCheck = getValueAtKey(object, path, value);
+          // because scoreRequestConnect() returns the query type in the value, we
+          // mimic it here (where scoreAtom() was used). the actual object/string
+          // to match is stored as `inputToCheck`.
+          const item = { ruleId: 'nosql-injection-mongo', score: 10, mongoContext: { inputToCheck } };
+          items.push(item);
+        }
+        // make each item a complete Finding
+        for (const item of items) {
+          const result = {
+            ruleId: item.ruleId,
+            inputType: `${inputTypeStr}${type}`,
+            path: mongoPath || ArrayPrototypeSlice.call(path),
+            key: type === 'Key' ? value : path[path.length - 1],
+            value,
+            score: item.score,
+            idsList: item.idsList || [],
+          };
+          if (item.mongoContext) {
+            result.mongoContext = item.mongoContext;
+          }
+          resultsList.push(result);
+        }
+      });
-    for (let i = 0; i < reqHeaders.length; i++) {
-      if (reqHeaders[i] === 'x-forwarded-for') {
-        const ipsFromHeaders = StringPrototypeSplit.call(reqHeaders[i + 1], /[,;]+/);
-        forwardedIps.push(...ipsFromHeaders);
+      // if nothing was found then nothing needs to be done.
+      if (resultsList.length === 0) {
+        return;
       }
-    }
-    const ipsToCheck = [reqIp, ...forwardedIps];
-    const now = new Date().getTime();
+      // something was found, so create "complete" findings.
+      const findings = {
+        trackRequest: true,
+        securityException: undefined,
+        resultsList,
+      };
-    /* c8 ignore next 3 */
-    if (!ipsToCheck.length) {
-      return false;
+      return mergeFindings(sourceContext, findings);
     }
-    for (const listEntry of list) {
-      const { doesExpire, expiresAt } = listEntry;
-      for (let i = 0; i < ipsToCheck.length; i++) {
-        const currentIp = ipsToCheck[i];
+    function ipListAnalysis(reqIp, reqHeaders, list) {
+      const forwardedIps = [];
-        // Ignore bad IP values.
-        if (!address.isValid(currentIp)) {
-          logger.warn('Unable to parse %s.', currentIp);
-          continue;
+      for (let i = 0; i < reqHeaders.length; i++) {
+        if (reqHeaders[i] === 'x-forwarded-for') {
+          const ipsFromHeaders = StringPrototypeSplit.call(reqHeaders[i + 1], /[,;]+/);
+          forwardedIps.push(...ipsFromHeaders);
         }
-        const expired = doesExpire ? expiresAt - now <= 0 : false;
+      }
-        if (expired) {
-          logger.info('IP expired: %s, %s', listEntry.name, listEntry.ip);
-          continue;
-        }
+      const ipsToCheck = [reqIp, ...forwardedIps];
+      const now = new Date().getTime();
+      /* c8 ignore next 3 */
+      if (!ipsToCheck.length) {
+        return false;
+      }
-        const match = checkIpsMatch(listEntry, currentIp);
+      for (const listEntry of list) {
+        const { doesExpire, expiresAt } = listEntry;
+        for (let i = 0; i < ipsToCheck.length; i++) {
+          const currentIp = ipsToCheck[i];
-        if (match) {
-          return match;
+          // Ignore bad IP values.
+          if (!address.isValid(currentIp)) {
+            logger.warn('Unable to parse %s.', currentIp);
+            continue;
+          }
+          const expired = doesExpire ? expiresAt - now <= 0 : false;
+          if (expired) {
+            logger.info('IP expired: %s, %s', listEntry.name, listEntry.ip);
+            continue;
+          }
+          const match = checkIpsMatch(listEntry, currentIp);
+          if (match) {
+            return match;
+          }
         }
       }
     }
-  }
-};
+  },
+});
 /**
  * Reads the source context's policy and compares to result item to check whether to ignore it.