@contrast/protect 1.6.1 → 1.6.3

package/lib/error-handlers/install/express4.js

@@ -38,7 +38,7 @@ module.exports = function(core) {
           data.result = patcher.patch(data.result, {
             name: 'finalHandler.returnedFunction',
             patchType,
-            around(org, data) {
+            around(orig, data) {
               const [err] = data.args;
               const sourceContext = protect.getSourceContext('finalHandler');
               const isSecurityException = SecurityException.isSecurityException(err);
@@ -53,7 +53,7 @@ module.exports = function(core) {
               if (!sourceContext && isSecurityException) {
                 logger.info('source context not found; unable to handle response');
               }
-              org();
+              return orig();
             },
           });
         },
@@ -64,7 +64,7 @@ module.exports = function(core) {
       patcher.patch(Layer.prototype, 'handle_error', {
         name: 'Layer.prototype.handle_error',
         patchType,
-        around(org, data) {
+        around(orig, data) {
           const [err] = data.args;
           const sourceContext = protect.getSourceContext('express.Layer.handle_error');
           const isSecurityException = SecurityException.isSecurityException(err);
@@ -79,10 +79,71 @@ module.exports = function(core) {
           if (!sourceContext && isSecurityException) {
             logger.info('source context not found; unable to handle response');
           }
-          org();
+          return orig();
+        }
+      });
+
+      // This should be revisited after the research ticket NODE-2556
+      Object.defineProperty(Layer.prototype, 'handle', {
+        enumerable: true,
+        configurable: true,
+        get() {
+          return this.__handle;
+        },
+        set(fn) {
+          fn = patchFn(fn);
+          this.__handle = fn;
+        },
+      });
+    });
+
+    // This should be revisited after the research ticket NODE-2556
+    depHooks.resolve({ name: 'express', version: '>=4.0.0', file: 'lib/router/index.js' }, (Router) => {
+      patcher.patch(Router.prototype.constructor, 'param', {
+        name: 'Router.prototype.constructor.param',
+        patchType,
+        pre({ args }) {
+          if (typeof args[1] === 'function') {
+            args[1] = patchFn(args[1]);
+          }
         }
       });
     });
+
+    // This should be revisited after the research ticket NODE-2556
+    function patchFn(fn) {
+      return patcher.patch(fn, {
+        name: 'express.route-handler',
+        patchType,
+        around(orig) {
+          const ret = orig();
+          if (ret && ret.catch) {
+            return ret.catch((err) => {
+              const sourceContext = protect.getSourceContext('express.Layer.handle_error');
+              const isSecurityException = SecurityException.isSecurityException(err);
+
+              if (isSecurityException && sourceContext) {
+                const blockInfo = sourceContext.findings.securityException;
+
+                sourceContext.block(...blockInfo);
+                return;
+              }
+
+              if (!sourceContext && isSecurityException) {
+                logger.info('source context not found; unable to handle response');
+                return;
+              }
+
+              throw err;
+            });
+          }
+
+          return ret;
+        }
+      });
+    }
+
+
   };
 
   return express4ErrorHandler;

package/lib/error-handlers/install/hapi.js

@@ -39,12 +39,12 @@ module.exports = function (core) {
         const isSecurityException = SecurityException.isSecurityException(err);
 
         if (isSecurityException && sourceContext && err.output.statusCode !== 403) {
-          const [mode, ruleId] = sourceContext.findings.securityException;
+          const [ mode, ruleId ] = sourceContext.findings.securityException;
 
           err.output.statusCode = 403;
           err.reformat();
           err.output.payload = undefined;
-          data.result = null;
+          data.result = err;
 
           logger.info({ mode, ruleId }, 'Request blocked');
 

package/lib/error-handlers/install/koa2.js

@@ -39,7 +39,7 @@ module.exports = function(core) {
           patcher.patch(ctx, 'onerror', {
             name: 'koa.ctx.onerror',
             patchType,
-            around(org, data) {
+            around(orig, data) {
               const [err] = data.args;
               const sourceContext = protect.getSourceContext('Koa.Application.handleRequest');
               const isSecurityException = SecurityException.isSecurityException(err);
@@ -55,7 +55,7 @@ module.exports = function(core) {
                 logger.info('source context not found; unable to handle response');
               }
 
-              org();
+              return orig();
             }
           });
         }

package/lib/index.d.ts

@@ -14,7 +14,7 @@
  * way not consistent with the End User License Agreement.
  */
 
-import { Core } from '@contrast/core';
+// import { Core } from '@contrast/core';
 import { Logger } from '@contrast/logger';
 import { Sources } from '@contrast/scopes';
 import RequireHook from '@contrast/require-hook';
@@ -39,7 +39,7 @@ export class HttpInstrumentation {
   maxBodySize: number;
   installed: boolean;
 
-  constructor(core: Core);
+  constructor(core: {});
 
   install(): void;
   uninstall(): void; //NYI

package/lib/index.js

@@ -34,9 +34,6 @@ module.exports = function(core) {
   require('./semantic-analysis')(core);
   require('./error-handlers')(core);
 
-  const pkj = require('../package.json');
-  protect.version = pkj.version;
-
   protect.install = function() {
     installChildComponentsSync(protect);
   };

package/lib/input-tracing/handlers/index.js

@@ -119,7 +119,7 @@ module.exports = function(core) {
   inputTracing.nosqlInjectionMongo = function(sourceContext, sinkContext) {
     const ruleId = 'nosql-injection-mongo';
     const expansionResults = getResultsByRuleId(ruleId, sourceContext);
-    const stringResults = getResultsByRuleId('ssjs-injection', sourceContext);
+    const stringInjectionResults = getResultsByRuleId('ssjs-injection', sourceContext);
 
     if (expansionResults) {
       let expansionFindings = null;
@@ -132,13 +132,31 @@ module.exports = function(core) {
       }
     }
 
-    if (stringResults) {
+    if (stringInjectionResults) {
       let stringFindings = null;
-      for (const result of stringResults) {
-        stringFindings = handleStringValue(result, sinkContext.value);
+
+      for (const result of stringInjectionResults) {
+        if (typeof sinkContext.value === 'object') {
+          simpleTraverse(sinkContext.value, function(path, type, value) {
+            if (type !== 'Key' && !agentLib.isMongoQueryType(value)) return;
+
+            stringFindings = handleStringValue(result, sinkContext.value[value], agentLib);
+          });
+        } else if (typeof sinkContext.value === 'string') {
+          stringFindings = handleStringValue(result, sinkContext.value, agentLib);
+        }
 
         if (stringFindings) {
-          handleFindings(sourceContext, sinkContext, ruleId, result, stringFindings);
+          const nosqlInjectionResult = { ...result, ruleId, mappedId: ruleId };
+
+          const nosqlInjectionResults = sourceContext.findings.resultsMap[ruleId];
+          if (Array.isArray(nosqlInjectionResults)) {
+            nosqlInjectionResults.push(nosqlInjectionResult);
+          } else {
+            sourceContext.findings.resultsMap[ruleId] = [nosqlInjectionResult];
+          }
+
+          handleFindings(sourceContext, sinkContext, ruleId, nosqlInjectionResult, stringFindings);
         }
       }
     }
@@ -256,25 +274,35 @@ function handleObjectValue(result, object) {
   return findings;
 }
 
-function handleStringValue(result, string) {
-  if (typeof string !== 'string') {
+function handleStringValue(result, cmd, agentLib) {
+  if (typeof cmd !== 'string') {
     return null;
   }
   let findings = null;
 
-  const inputIndex = string.indexOf(result.value);
+  const inputIndex = cmd.indexOf(result.value);
   // if the user input is not in the sink input, there is nothing to do.
   if (inputIndex === -1) {
     return findings;
   }
 
-  if (inputIndex === 0 && string === result.value) {
+  if (inputIndex === 0 && cmd === result.value) {
     findings = {
       start: 0,
       end: result.value.length - 1,
       boundaryOverrunIndex: 0,
       inputBoundaryIndex: 0,
     };
+  } else {
+    const isAttack = agentLib.checkSsjsInjectionSink(cmd, inputIndex, result.value.length);
+    if (!isAttack) return findings;
+
+    findings = {
+      start: inputIndex,
+      end: inputIndex + result.value.length - 1,
+      boundaryOverrunIndex: 0,
+      inputBoundaryIndex: 0,
+    };
   }
 
   return findings;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.6.1",
+  "version": "1.6.3",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,9 +20,9 @@
     "@babel/template": "^7.16.7",
     "@babel/types": "^7.16.8",
     "@contrast/agent-lib": "^5.1.0",
-    "@contrast/common": "1.1.2",
-    "@contrast/core": "1.5.1",
-    "@contrast/esm-hooks": "1.1.7",
+    "@contrast/common": "1.1.3",
+    "@contrast/core": "1.6.0",
+    "@contrast/esm-hooks": "1.2.0",
     "@contrast/scopes": "1.1.2",
     "builtin-modules": "^3.2.0",
     "ipaddr.js": "^2.0.1",