@contrast/protect 1.6.4 → 1.7.0

package/lib/error-handlers/install/hapi.js

@@ -39,7 +39,7 @@ module.exports = function (core) {
         const isSecurityException = SecurityException.isSecurityException(err);
 
         if (isSecurityException && sourceContext && err.output.statusCode !== 403) {
-          const [ mode, ruleId ] = sourceContext.findings.securityException;
+          const [mode, ruleId] = sourceContext.findings.securityException;
 
           err.output.statusCode = 403;
           err.reformat();

package/lib/index.d.ts

@@ -1,4 +1,3 @@
-
 /*
  * Copyright: 2022 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
@@ -14,7 +13,6 @@
  * way not consistent with the End User License Agreement.
  */
 
-// import { Core } from '@contrast/core';
 import { Logger } from '@contrast/logger';
 import { Sources } from '@contrast/scopes';
 import RequireHook from '@contrast/require-hook';
@@ -39,7 +37,7 @@ export class HttpInstrumentation {
   maxBodySize: number;
   installed: boolean;
 
-  constructor(core: {});
+  constructor(core: any);
 
   install(): void;
   uninstall(): void; //NYI
@@ -81,7 +79,7 @@ export interface Protect {
     handleQueryParams: (sourceContext: ProtectRequestStore, queryParams: { [key: string]: any }) => void,
     handleUrlParams: (sourceContext: ProtectRequestStore, urlParams: { [key: string]: any }) => void,
     handleCookies: (sourceContext: ProtectRequestStore, cookies: { [key: string]: any }) => void,
-    handleFileuploadName: (sourceContext: ProtectRequestStore, name: string) => void, //NYI
+    handleFileUploadName: (sourceContext: ProtectRequestStore, names: string[]) => void,
     librariesInstrumentation: {
       bodyParser: { install: () => void },
       coBody: { install: () => void },

package/lib/input-analysis/handlers.js

@@ -15,9 +15,8 @@
 
 'use strict';
 
-const { BLOCKING_MODES, simpleTraverse } = require('@contrast/common');
+const { BLOCKING_MODES, simpleTraverse, Rule, isString } = require('@contrast/common');
 const address = require('ipaddr.js');
-const { Rule } = require('@contrast/common');
 
 //
 // these rules are not implemented by agent-lib, but are being considered for
@@ -370,8 +369,48 @@ module.exports = function(core) {
 
   // was MULTIPART_NAME but maybe we should just call it what it is. it's kind
   // of a dumb rule anyway. but maybe some code actually uses the name provided.
-  inputAnalysis.handleFileUploadName = function(sourceContext, name) {
-    throw new Error('nyi', sourceContext, name);
+  inputAnalysis.handleFileUploadName = function(sourceContext, names) {
+    const type = agentLib.InputType.MultipartName;
+    const { policy } = sourceContext;
+    const resultsList = [];
+
+    if (policy[Rule.UNSAFE_FILE_UPLOAD] === 'off') return;
+
+    for (const name of names) {
+      if (!isString(name)) {
+        logger.debug({ filename: name }, 'handleFileUploadName() was called with non-string');
+        return;
+      }
+
+      const items = agentLib.scoreAtom(policy.rulesMask, name, type);
+
+      if (!items) {
+        return;
+      }
+      for (const item of items) {
+        resultsList.push({
+          ruleId: item.ruleId,
+          inputType: type,
+          name: '',
+          value: name,
+          score: item.score,
+          idsList: item.idsList,
+        });
+      }
+    }
+
+    // something was found, so create "complete" findings.
+    const unsafeFilenameFindings = {
+      trackRequest: true,
+      securityException: undefined,
+      resultsList,
+    };
+
+    const block = mergeFindings(sourceContext, unsafeFilenameFindings);
+
+    if (block) {
+      core.protect.throwSecurityException(sourceContext);
+    }
   };
 
   inputAnalysis.handleVirtualPatches = function(sourceContext, requestInput) {

package/lib/input-analysis/install/busboy1.js

@@ -0,0 +1,55 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../constants');
+
+module.exports = (core) => {
+  const {
+    depHooks,
+    patcher,
+    protect,
+    protect: { inputAnalysis },
+  } = core;
+
+  // Patch `busboy`
+  function install() {
+    depHooks.resolve({ name: 'busboy' }, (busboy) => {
+      patcher.patch(busboy.prototype, 'emit', {
+        name: 'busboy.prototype.emit',
+        patchType,
+        pre({ args }) {
+          const sourceContext = protect.getSourceContext('busboy');
+
+          if (sourceContext) {
+            const [eventName, , , fileName] = args;
+
+            if (eventName === 'file' && fileName) {
+              inputAnalysis.handleFileUploadName(sourceContext, [fileName]);
+            }
+          }
+        }
+      });
+    });
+  }
+
+  const busboy1Instrumentation = inputAnalysis.busboy1Instrumentation = {
+    install
+  };
+
+  return busboy1Instrumentation;
+};
+

package/lib/input-analysis/install/formidable1.js

@@ -21,7 +21,6 @@ module.exports = (core) => {
   const {
     depHooks,
     patcher,
-    logger,
     protect,
     protect: { inputAnalysis },
   } = core;
@@ -33,30 +32,40 @@ module.exports = (core) => {
         name: 'Formidable.IncomingForm.prototype.parse',
         patchType,
         pre(data) {
-          const origCb = data.args[1];
+          const sourceContext = protect.getSourceContext('formidable');
 
-          function hookedCb(...cbArgs) {
-            const sourceContext = protect.getSourceContext('formidable');
+          if (sourceContext) {
+            const origCb = data.args[1];
 
-            const [, fields, files] = cbArgs;
+            data.args[1] = function hookedCb(...cbArgs) {
+              const [, fields, files] = cbArgs;
 
-            if (sourceContext) {
               if (fields) {
                 sourceContext.parsedBody = fields;
                 inputAnalysis.handleParsedBody(sourceContext, fields);
               }
+
               if (files) {
-                logger.debug('Check for vulnerable filename upload nyi');
-                // TODO: NODE-2601
+                const filenames = [];
+
+                for (const file of Object.values(files)) {
+                  if (!Array.isArray(file)) {
+                    if (file.name) filenames.push(file.name);
+                  } else {
+                    for (const multiPart of file) {
+                      if (multiPart.name) filenames.push(multiPart.name);
+                    }
+                  }
+                }
+
+                inputAnalysis.handleFileUploadName(sourceContext, filenames);
               }
-            }
 
-            if (origCb && typeof origCb === 'function') {
-              origCb.apply(this, cbArgs);
-            }
+              if (origCb && typeof origCb === 'function') {
+                origCb.apply(this, cbArgs);
+              }
+            };
           }
-
-          data.args[1] = hookedCb;
         }
       });
 

package/lib/input-analysis/install/hapi.js

@@ -39,6 +39,10 @@ module.exports = (core) => {
       { name: '@hapi/hapi', version: '>=18 <21' },
       registerServerHandler
     );
+    depHooks.resolve(
+      { name: '@hapi/pez' },
+      registerMultipartHandler
+    );
   }
 
   const registerServerHandler = (hapi) => {
@@ -98,6 +102,27 @@ module.exports = (core) => {
     });
   };
 
+  const registerMultipartHandler = (Pez) => {
+    patcher.patch(Pez.Dispenser.prototype, 'emit', {
+      name: 'Pez.Dispenser.prototype.emit',
+      patchType,
+      pre: ({ args }) => {
+        const sourceContext = protect.getSourceContext('hapi/pez');
+
+        if (sourceContext) {
+          const [eventName, part] = args;
+          // note: this will emit multiple file upload events during larger files.
+          //       given the domain of this as being part of unsafe-file-upload (which is BAP)
+          //       this isn't much of a concern.
+
+          if (eventName === 'part' && part.filename) {
+            inputAnalysis.handleFileUploadName(sourceContext, [part.filename]);
+          }
+        }
+      }
+    });
+  };
+
   const hapiInstrumentation = inputAnalysis.hapiInstrumentation = {
     install
   };

package/lib/input-analysis/install/multer1.js

@@ -48,6 +48,7 @@ module.exports = (core) => {
 
             function contrastNext(origErr) {
               let securityException;
+              const filenames = [];
 
               if (req.body) {
                 sourceContext.parsedBody = req.body;
@@ -63,9 +64,26 @@ module.exports = (core) => {
                 }
               }
 
-              if (req.file || req.files) {
-                logger.debug('Check for vulnerable filename upload nyi');
-                // TODO: NODE-2601
+              if (req.file) {
+                filenames.push(req.file.originalname);
+              }
+
+              if (req.files) {
+                for (const file of Object.values(req.files)) {
+                  filenames.push(file.originalname);
+                }
+              }
+
+              if (filenames.length) {
+                try {
+                  inputAnalysis.handleFileUploadName(sourceContext, filenames);
+                } catch (err) {
+                  if (isSecurityException(err)) {
+                    securityException = err;
+                  } else {
+                    logger.error({ err }, 'Unexpected error during input analysis');
+                  }
+                }
               }
 
               const error = securityException || origErr;

package/lib/semantic-analysis/constants.js

@@ -0,0 +1,20 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+module.exports = {
+  patchType: 'protect-semantic-analysis',
+};

package/lib/semantic-analysis/handlers.js

@@ -20,10 +20,13 @@ const {
   BLOCKING_MODES,
   ProtectRuleMode: { OFF },
   InputType,
-  isString,
   simpleTraverse
 } = require('@contrast/common');
 
+const {
+  findExternalEntities,
+} = require('./utils/xml-analysis');
+
 const SINK_EXPLOIT_PATTERN_START = /(?:^|\\|\/)(?:sh|bash|zsh|ksh|tcsh|csh|fish|cmd)/;
 const stripWhiteSpace = (str) => str.replace(/\s/g, '');
 
@@ -103,6 +106,18 @@ module.exports = function(core) {
     }
   };
 
+  semanticAnalysis.handleXXE = function (sourceContext, sinkContext) {
+    const mode = sourceContext.policy[Rule.XXE];
+    if (mode == OFF) return;
+
+    const findings = findExternalEntities(sinkContext.value);
+    if (findings.entities.length) {
+      handleResult(sourceContext, sinkContext, Rule.XXE, mode, {
+        findings,
+      });
+    }
+  };
+
   return semanticAnalysis;
 };
 
@@ -127,7 +142,7 @@ function findBackdoorInjection(sourceContext, command) {
   };
 
   let found = false;
-  for (let inputType in valuesOfInterest) {
+  for (const inputType in valuesOfInterest) {
     const values = valuesOfInterest[inputType];
 
     if (values && Object.keys(values).length) {
@@ -139,7 +154,7 @@ function findBackdoorInjection(sourceContext, command) {
         ) {
           let key;
           if (inputType === InputType.HEADER) {
-            key = obj[path[0] - 1]
+            key = obj[path[0] - 1];
           } else {
             key = path[path.length - 1];
           }

package/lib/semantic-analysis/index.js

@@ -15,6 +15,8 @@
 
 'use strict';
 
+const { installChildComponentsSync } = require('@contrast/common');
+
 /**
  * SEMANTIC ANALYSIS is a STAGE of Protect.
  * The information about it can be found under some of the separate rules we support for this stage:
@@ -31,6 +33,13 @@ module.exports = function(core) {
   // load the interfaces that will be used by input tracing instrumentation
   require('./handlers')(core);
 
+  // instrumentation
+  require('./install/libxmljs')(core);
+
+  semanticAnalysis.install = function() {
+    installChildComponentsSync(semanticAnalysis);
+  };
+
   // There is no `.install()` method as this STAGE does not introduce side effects on its own,
   // it uses the instrumentation that's already in place for INPUT TRACING.
 

package/lib/semantic-analysis/install/libxmljs.js

@@ -0,0 +1,82 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { isString } = require('@contrast/common');
+const SecurityException = require('../../security-exception');
+const { patchType } = require('../constants');
+
+module.exports = function(core) {
+  const {
+    depHooks,
+    patcher,
+    logger,
+    protect: { semanticAnalysis },
+    protect,
+    captureStacktrace
+  } = core;
+
+  function install() {
+    depHooks.resolve({ name: 'libxmljs' }, hookLibXml);
+    // libxmljs2 is a fork of libxml that has identical signatures.
+    // the only difference is that libxmljs2 is used by juice-shop and thus
+    // we're missing sinks in one of our most important sample apps.
+    depHooks.resolve({ name: 'libxmljs2' }, hookLibXml);
+  }
+
+  function hookLibXml(libxmljs) {
+    patcher.patch(libxmljs, 'parseXmlString', {
+      name: 'libxmljs.parseXmlString',
+      patchType,
+      pre: preParseXmlMethod
+    });
+
+    patcher.patch(libxmljs, 'parseXml', {
+      name: 'libxmljs.parseXml',
+      patchType,
+      pre: preParseXmlMethod
+    });
+  }
+
+  function preParseXmlMethod({ args, hooked, orig }) {
+    const sourceContext = protect.getSourceContext('libxmljs.parseXmlString');
+    const value = args[0];
+
+    // If noent isn't set to true than libxml won't load
+    // external entities, so this isn't vulnerable
+    // see: https://help.semmle.com/wiki/display/JS/XML+external+entity+expansion
+    if (!sourceContext || !value || !isString(value) || !args[1].noent) return;
+
+    const sinkContext = captureStacktrace(
+      { name: 'libxmljs.parseXmlString', value },
+      { constructorOpt: hooked, prependFrames: [orig] }
+    );
+
+    try {
+      semanticAnalysis.handleXXE(sourceContext, sinkContext);
+    } catch (err) {
+      if (SecurityException.isSecurityException(err)) {
+        throw err;
+      }
+
+      logger.error({ err }, 'Unexpected error during semantic analysis');
+    }
+  }
+
+  const libxmljs = semanticAnalysis.libxmljs = { install };
+
+  return libxmljs;
+};

package/lib/semantic-analysis/utils/xml-analysis.js

@@ -0,0 +1,107 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+
+const PROTOCOLS = {
+  FTP: 'FTP',
+  HTTP: 'HTTP',
+  HTTPS: 'HTTPS',
+  TCP: 'TCP'
+};
+
+const FTP = `${PROTOCOLS.FTP.toLowerCase()}:`;
+const HTTP = `${PROTOCOLS.HTTP.toLowerCase()}:`;
+const HTTPS = `${PROTOCOLS.HTTPS.toLowerCase()}:`;
+const DTD_EXTENSION = '.dtd';
+const FILE_START = 'file:';
+const GOPHER_START = 'gopher:';
+const JAR_START = 'jar:';
+const DOT = '.';
+const FORWARD_SLASH = '/';
+const UP_DIR_LINUX = '../';
+const UP_DIR_WIN = '..\\';
+const ENTITY_TYPES = {
+  SYSTEM: 'SYSTEM',
+  PUBLIC: 'PUBLIC'
+};
+
+// We only use this against lowercase strings; removed A-Z for speed
+const FILE_PATTERN_WINDOWS = /^[\\\\]*[a-z]{1,3}:.*/;
+
+const entityRegex = /<!ENTITY\s+(?<name>[a-zA-Z0-f]+)\s+(?<type>SYSTEM|PUBLIC)\s+"(?<uri1>.*?)"\s*("(?<uri2>.*?)"\s*)?>/g;
+
+// Helper Functions
+const indicators = [
+  FTP,
+  FILE_START,
+  JAR_START,
+  GOPHER_START,
+  FORWARD_SLASH,
+  DOT,
+  UP_DIR_LINUX,
+  UP_DIR_WIN,
+];
+
+function isExternalEntity(str) {
+  if (!str) return false;
+
+  if (str.startsWith(HTTP) || str.startsWith(HTTPS)) {
+    if (!str.endsWith(DTD_EXTENSION)) return true;
+  }
+
+  for (const val of indicators) {
+    if (str.startsWith(val)) return true;
+  }
+
+  return FILE_PATTERN_WINDOWS.test(str);
+}
+
+/**
+ * @param {String} xml
+*/
+module.exports.findExternalEntities = function(xml = '') {
+  const entities = [];
+  let match;
+
+  while ((match = entityRegex.exec(xml))) {
+    const {
+      groups: { type, uri1, uri2 }
+    } = match;
+
+    let uri;
+    if (type === ENTITY_TYPES.SYSTEM && isExternalEntity(uri1)) {
+      uri = uri1;
+    } else if (type === ENTITY_TYPES.PUBLIC && isExternalEntity(uri2)) {
+      uri = uri2;
+    }
+
+    uri && entities.push({
+      start: match.index,
+      finish: match.index + match[0].length,
+      type,
+      uri,
+    });
+  }
+
+  const len = entities.length;
+
+  return {
+    entities,
+    prolog: len && xml.substr(0, entities[len - 1].finish) || null
+  };
+};
+
+module.exports.ENTITY_TYPES = ENTITY_TYPES;
+module.exports.isExternalEntity = isExternalEntity;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.6.4",
+  "version": "1.7.0",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -17,14 +17,11 @@
     "test": "../scripts/test.sh"
   },
   "dependencies": {
-    "@babel/template": "^7.16.7",
-    "@babel/types": "^7.16.8",
     "@contrast/agent-lib": "^5.1.0",
-    "@contrast/common": "1.1.3",
-    "@contrast/core": "1.6.1",
-    "@contrast/esm-hooks": "1.2.1",
-    "@contrast/scopes": "1.1.2",
-    "builtin-modules": "^3.2.0",
+    "@contrast/common": "1.1.4",
+    "@contrast/core": "1.7.0",
+    "@contrast/esm-hooks": "1.3.0",
+    "@contrast/scopes": "1.2.0",
     "ipaddr.js": "^2.0.1",
     "semver": "^7.3.7"
   }