@contrast/protect 1.6.4 → 1.8.0

package/lib/error-handlers/install/hapi.js

@@ -39,7 +39,7 @@ module.exports = function (core) {
         const isSecurityException = SecurityException.isSecurityException(err);
 
         if (isSecurityException && sourceContext && err.output.statusCode !== 403) {
-          const [ mode, ruleId ] = sourceContext.findings.securityException;
+          const [mode, ruleId] = sourceContext.findings.securityException;
 
           err.output.statusCode = 403;
           err.reformat();

package/lib/index.d.ts

@@ -1,4 +1,3 @@
-
 /*
  * Copyright: 2022 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
@@ -14,7 +13,6 @@
  * way not consistent with the End User License Agreement.
  */
 
-// import { Core } from '@contrast/core';
 import { Logger } from '@contrast/logger';
 import { Sources } from '@contrast/scopes';
 import RequireHook from '@contrast/require-hook';
@@ -39,7 +37,7 @@ export class HttpInstrumentation {
   maxBodySize: number;
   installed: boolean;
 
-  constructor(core: {});
+  constructor(core: any);
 
   install(): void;
   uninstall(): void; //NYI
@@ -81,7 +79,7 @@ export interface Protect {
     handleQueryParams: (sourceContext: ProtectRequestStore, queryParams: { [key: string]: any }) => void,
     handleUrlParams: (sourceContext: ProtectRequestStore, urlParams: { [key: string]: any }) => void,
     handleCookies: (sourceContext: ProtectRequestStore, cookies: { [key: string]: any }) => void,
-    handleFileuploadName: (sourceContext: ProtectRequestStore, name: string) => void, //NYI
+    handleFileUploadName: (sourceContext: ProtectRequestStore, names: string[]) => void,
     librariesInstrumentation: {
       bodyParser: { install: () => void },
       coBody: { install: () => void },

package/lib/input-analysis/handlers.js

@@ -15,9 +15,14 @@
 
 'use strict';
 
-const { BLOCKING_MODES, simpleTraverse } = require('@contrast/common');
+const {
+  BLOCKING_MODES,
+  simpleTraverse,
+  Rule,
+  isString,
+  ProtectRuleMode: { OFF },
+} = require('@contrast/common');
 const address = require('ipaddr.js');
-const { Rule } = require('@contrast/common');
 
 //
 // these rules are not implemented by agent-lib, but are being considered for
@@ -58,6 +63,14 @@ module.exports = function(core) {
     config,
   } = core;
 
+  const jsonInputTypes = {
+    keyType: agentLib.InputType.JsonKey, inputType: agentLib.InputType.JsonValue
+  };
+
+  const parameterInputTypes = {
+    keyType: agentLib.InputType.ParameterKey, inputType: agentLib.InputType.ParameterValue
+  };
+
   // all handlers will be invoked with two arguments:
   // 1) sourceContext object containing:
   //   - reqData, the abstract request object containing only what is needed
@@ -113,8 +126,6 @@ module.exports = function(core) {
    * @returns {undefined|[String]} undefined to permit else [mode, rule] to block.
    */
   inputAnalysis.handleConnect = function handleConnect(sourceContext, connectInputs) {
-    if (!sourceContext || sourceContext.allowed) return;
-
     const { policy: { rulesMask } } = sourceContext;
 
     inputAnalysis.handleVirtualPatches(sourceContext, { URLS: connectInputs.rawUrl, HEADERS: connectInputs.headers });
@@ -123,84 +134,13 @@ module.exports = function(core) {
     let block = undefined;
     if (rulesMask !== 0) {
       const findings = agentLib.scoreRequestConnect(rulesMask, connectInputs, preferWW);
+
       block = mergeFindings(sourceContext, findings);
     }
 
     return block;
   };
 
-  /**
-   * handleRequestEnd()
-   *
-   * Invoked when the request is complete.
-   *
-   * @param {Object} sourceContext
-   */
-  inputAnalysis.handleRequestEnd = function handleRequestEnd(sourceContext) {
-    if (!config.protect.probe_analysis.enable) return;
-
-    const { resultsMap } = sourceContext.findings;
-    const probesRules = [Rule.CMD_INJECTION, Rule.PATH_TRAVERSAL, Rule.SQL_INJECTION, Rule.XXE];
-    const props = {};
-
-    // Detecting probes
-    Object.values(resultsMap).forEach(resultsByRuleId => {
-      resultsByRuleId.forEach((resultByRuleId) => {
-        const {
-          ruleId,
-          blocked,
-          details,
-          value,
-          inputType
-        } = resultByRuleId;
-        if (blocked || !blocked && details.length > 0 || !probesRules.some(rule => rule === ruleId)) return;
-
-        const { policy: { rulesMask } } = sourceContext;
-
-        const results = (agentLib.scoreAtom(
-          rulesMask,
-          value,
-          agentLib.InputType[inputType],
-          {
-            preferWorthWatching: false
-          }
-        ) || []).filter(({ score }) => score >= 90);
-
-        if (!results.length) return;
-
-        results.forEach(result => {
-          const isAlreadyBlocked = (resultsMap[result.ruleId] || []).some(element =>
-            element.blocked && element.inputType === inputType && element.value === value
-          );
-
-          if (isAlreadyBlocked) return;
-
-          const probe = Object.assign({}, resultByRuleId, result, {
-            mappedId: result.ruleId
-          });
-          const key = [probe.ruleId, probe.inputType, ...probe.path, probe.value].join('|');
-          props[key] = probe;
-        });
-      });
-    });
-
-    Object.values(props).forEach(prop => {
-      if (!resultsMap[prop.ruleId]) {
-        resultsMap[prop.ruleId] = [];
-      }
-
-      resultsMap[prop.ruleId].push(prop);
-    });
-  };
-
-  const jsonInputTypes = {
-    keyType: agentLib.InputType.JsonKey, inputType: agentLib.InputType.JsonValue
-  };
-
-  const parameterInputTypes = {
-    keyType: agentLib.InputType.ParameterKey, inputType: agentLib.InputType.ParameterValue
-  };
-
   /**
    * handleQueryParams()
    *
@@ -226,7 +166,6 @@ module.exports = function(core) {
       return;
     }
 
-
     inputAnalysis.handleVirtualPatches(sourceContext, { PARAMETERS: queryParams });
 
     const block = commonObjectAnalyzer(sourceContext, queryParams, parameterInputTypes);
@@ -265,10 +204,13 @@ module.exports = function(core) {
       if (type !== 'Value') {
         return;
       }
+
       const items = agentLib.scoreAtom(rulesMask, value, UrlParameter, preferWW);
+
       if (!items) {
         return;
       }
+
       for (const item of items) {
         resultsList.push({
           ruleId: item.ruleId,
@@ -313,14 +255,15 @@ module.exports = function(core) {
     if (sourceContext.analyzedCookies) return;
     sourceContext.analyzedCookies = true;
 
+    inputAnalysis.handleVirtualPatches(sourceContext, { HEADERS: cookies });
+
+    const { policy: { rulesMask } } = sourceContext;
+
     const cookiesArr = Object.entries(cookies).reduce((acc, [key, value]) => {
       acc.push(key, value);
       return acc;
     }, []);
 
-    inputAnalysis.handleVirtualPatches(sourceContext, { HEADERS: cookies });
-
-    const { policy: { rulesMask } } = sourceContext;
     const cookieFindings = agentLib.scoreRequestConnect(rulesMask, { cookies: cookiesArr }, preferWW);
 
     const block = mergeFindings(sourceContext, cookieFindings);
@@ -341,6 +284,7 @@ module.exports = function(core) {
    */
   inputAnalysis.handleParsedBody = function(sourceContext, parsedBody) {
     if (sourceContext.analyzedBody) return;
+
     sourceContext.analyzedBody = true;
 
     if (typeof parsedBody !== 'object') {
@@ -359,6 +303,7 @@ module.exports = function(core) {
       bodyType = 'urlencoded';
       inputTypes = parameterInputTypes;
     }
+
     const block = commonObjectAnalyzer(sourceContext, parsedBody, inputTypes);
 
     sourceContext.findings.bodyType = bodyType;
@@ -370,8 +315,48 @@ module.exports = function(core) {
 
   // was MULTIPART_NAME but maybe we should just call it what it is. it's kind
   // of a dumb rule anyway. but maybe some code actually uses the name provided.
-  inputAnalysis.handleFileUploadName = function(sourceContext, name) {
-    throw new Error('nyi', sourceContext, name);
+  inputAnalysis.handleFileUploadName = function(sourceContext, names) {
+    const type = agentLib.InputType.MultipartName;
+    const { policy } = sourceContext;
+    const resultsList = [];
+
+    if (policy[Rule.UNSAFE_FILE_UPLOAD] === 'off') return;
+
+    for (const name of names) {
+      if (!isString(name)) {
+        logger.debug({ filename: name }, 'handleFileUploadName() was called with non-string');
+        return;
+      }
+
+      const items = agentLib.scoreAtom(policy.rulesMask, name, type);
+
+      if (!items) {
+        return;
+      }
+      for (const item of items) {
+        resultsList.push({
+          ruleId: item.ruleId,
+          inputType: type,
+          name: '',
+          value: name,
+          score: item.score,
+          idsList: item.idsList,
+        });
+      }
+    }
+
+    // something was found, so create "complete" findings.
+    const unsafeFilenameFindings = {
+      trackRequest: true,
+      securityException: undefined,
+      resultsList,
+    };
+
+    const block = mergeFindings(sourceContext, unsafeFilenameFindings);
+
+    if (block) {
+      core.protect.throwSecurityException(sourceContext);
+    }
   };
 
   inputAnalysis.handleVirtualPatches = function(sourceContext, requestInput) {
@@ -439,6 +424,70 @@ module.exports = function(core) {
     }
   };
 
+  /**
+   * handleRequestEnd()
+   *
+   * Invoked when the request is complete.
+   *
+   * @param {Object} sourceContext
+   */
+  inputAnalysis.handleRequestEnd = function handleRequestEnd(sourceContext) {
+    if (!config.protect.probe_analysis.enable || sourceContext.allowed) return;
+
+    const { resultsMap } = sourceContext.findings;
+    const probesRules = [Rule.CMD_INJECTION, Rule.PATH_TRAVERSAL, Rule.SQL_INJECTION, Rule.XXE];
+    const props = {};
+
+    // Detecting probes
+    Object.values(resultsMap).forEach(resultsByRuleId => {
+      resultsByRuleId.forEach((resultByRuleId) => {
+        const {
+          ruleId,
+          blocked,
+          details,
+          value,
+          inputType
+        } = resultByRuleId;
+        if (blocked || !blocked && details.length > 0 || !probesRules.some(rule => rule === ruleId)) return;
+
+        const { policy: { rulesMask } } = sourceContext;
+
+        const results = (agentLib.scoreAtom(
+          rulesMask,
+          value,
+          agentLib.InputType[inputType],
+          {
+            preferWorthWatching: false
+          }
+        ) || []).filter(({ score }) => score >= 90);
+
+        if (!results.length) return;
+
+        results.forEach(result => {
+          const isAlreadyBlocked = (resultsMap[result.ruleId] || []).some(element =>
+            element.blocked && element.inputType === inputType && element.value === value
+          );
+
+          if (isAlreadyBlocked) return;
+
+          const probe = Object.assign({}, resultByRuleId, result, {
+            mappedId: result.ruleId
+          });
+          const key = [probe.ruleId, probe.inputType, ...probe.path, probe.value].join('|');
+          props[key] = probe;
+        });
+      });
+    });
+
+    Object.values(props).forEach(prop => {
+      if (!resultsMap[prop.ruleId]) {
+        resultsMap[prop.ruleId] = [];
+      }
+
+      resultsMap[prop.ruleId].push(prop);
+    });
+  };
+
   /**
    * commonObjectAnalyzer() walks an object supplied by the end-user and checks
    * it for vulnerabilities.
@@ -493,7 +542,9 @@ module.exports = function(core) {
       } else {
         itemType = inputType;
       }
+
       let items = agentLib.scoreAtom(rulesMask, value, itemType, preferWW);
+
       if (!items && !isMongoQueryType) {
         return;
       }
@@ -589,6 +640,66 @@ module.exports = function(core) {
   }
 };
 
+/**
+ * Reads the source context's policy and compares to result item to check whether to ignore it.
+ * @param {ProtectMessage} sourceContext
+ * @param {Result} result
+ * @returns {boolean} whether result should be excluded
+ */
+function isResultExcluded(sourceContext, result) {
+  const { policy: { exclusions } } = sourceContext;
+  const { ruleId, path, inputType, value } = result;
+  const inputName = path ? path[path.length - 1] : null;
+
+  let checkCookiesInHeader = false;
+  let inputExclusions;
+  switch (inputType) {
+    case 'JsonKey':
+    case 'JsonValue':
+    case 'MultipartName': {
+      return exclusions.ignoreBody || exclusions.bodyPolicy?.[ruleId] === OFF;
+    }
+    case 'ParameterKey':
+    case 'ParameterValue': {
+      const qsExcluded = exclusions.ignoreQuerystring || exclusions.querystringPolicy?.[ruleId] === OFF;
+      if (qsExcluded) return true;
+      inputExclusions = exclusions.parameter;
+      break;
+    }
+    case 'CookieValue': {
+      inputExclusions = exclusions.cookie;
+      break;
+    }
+    case 'HeaderKey':
+    case 'HeaderValue': {
+      if (path?.[0]?.toLowerCase() === 'cookie') {
+        inputExclusions = exclusions.cookie;
+        checkCookiesInHeader = true;
+      } else {
+        inputExclusions = exclusions.header;
+      }
+      break;
+    }
+  }
+
+  if (!inputName || !inputExclusions) return false;
+
+  for (const excl of inputExclusions) {
+    let nameCheck = false;
+    if (checkCookiesInHeader) {
+      nameCheck = excl.checkCookiesInHeader(value);
+    } else {
+      nameCheck = excl.matchesInputName(inputName);
+    }
+    if (!nameCheck) continue;
+    if (!excl.policy || excl.policy[ruleId] === OFF) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
 /**
  * merge new findings into the existing findings
  *
@@ -602,6 +713,11 @@ function mergeFindings(sourceContext, newFindings) {
   if (!newFindings.trackRequest) {
     return findings.securityException;
   }
+
+  newFindings.resultsList = newFindings.resultsList.filter(
+    (result) => !isResultExcluded(sourceContext, result)
+  );
+
   normalizeFindings(policy, newFindings);
 
   findings.trackRequest = findings.trackRequest || newFindings.trackRequest;

package/lib/input-analysis/install/busboy1.js

@@ -0,0 +1,55 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../constants');
+
+module.exports = (core) => {
+  const {
+    depHooks,
+    patcher,
+    protect,
+    protect: { inputAnalysis },
+  } = core;
+
+  // Patch `busboy`
+  function install() {
+    depHooks.resolve({ name: 'busboy' }, (busboy) => {
+      patcher.patch(busboy.prototype, 'emit', {
+        name: 'busboy.prototype.emit',
+        patchType,
+        pre({ args }) {
+          const sourceContext = protect.getSourceContext('busboy');
+
+          if (sourceContext) {
+            const [eventName, , , fileName] = args;
+
+            if (eventName === 'file' && fileName) {
+              inputAnalysis.handleFileUploadName(sourceContext, [fileName]);
+            }
+          }
+        }
+      });
+    });
+  }
+
+  const busboy1Instrumentation = inputAnalysis.busboy1Instrumentation = {
+    install
+  };
+
+  return busboy1Instrumentation;
+};
+

package/lib/input-analysis/install/formidable1.js

@@ -21,7 +21,6 @@ module.exports = (core) => {
   const {
     depHooks,
     patcher,
-    logger,
     protect,
     protect: { inputAnalysis },
   } = core;
@@ -33,30 +32,40 @@ module.exports = (core) => {
         name: 'Formidable.IncomingForm.prototype.parse',
         patchType,
         pre(data) {
-          const origCb = data.args[1];
+          const sourceContext = protect.getSourceContext('formidable');
 
-          function hookedCb(...cbArgs) {
-            const sourceContext = protect.getSourceContext('formidable');
+          if (sourceContext) {
+            const origCb = data.args[1];
 
-            const [, fields, files] = cbArgs;
+            data.args[1] = function hookedCb(...cbArgs) {
+              const [, fields, files] = cbArgs;
 
-            if (sourceContext) {
               if (fields) {
                 sourceContext.parsedBody = fields;
                 inputAnalysis.handleParsedBody(sourceContext, fields);
               }
+
               if (files) {
-                logger.debug('Check for vulnerable filename upload nyi');
-                // TODO: NODE-2601
+                const filenames = [];
+
+                for (const file of Object.values(files)) {
+                  if (!Array.isArray(file)) {
+                    if (file.name) filenames.push(file.name);
+                  } else {
+                    for (const multiPart of file) {
+                      if (multiPart.name) filenames.push(multiPart.name);
+                    }
+                  }
+                }
+
+                inputAnalysis.handleFileUploadName(sourceContext, filenames);
               }
-            }
 
-            if (origCb && typeof origCb === 'function') {
-              origCb.apply(this, cbArgs);
-            }
+              if (origCb && typeof origCb === 'function') {
+                origCb.apply(this, cbArgs);
+              }
+            };
           }
-
-          data.args[1] = hookedCb;
         }
       });
 

package/lib/input-analysis/install/hapi.js

@@ -39,6 +39,10 @@ module.exports = (core) => {
       { name: '@hapi/hapi', version: '>=18 <21' },
       registerServerHandler
     );
+    depHooks.resolve(
+      { name: '@hapi/pez' },
+      registerMultipartHandler
+    );
   }
 
   const registerServerHandler = (hapi) => {
@@ -98,6 +102,27 @@ module.exports = (core) => {
     });
   };
 
+  const registerMultipartHandler = (Pez) => {
+    patcher.patch(Pez.Dispenser.prototype, 'emit', {
+      name: 'Pez.Dispenser.prototype.emit',
+      patchType,
+      pre: ({ args }) => {
+        const sourceContext = protect.getSourceContext('hapi/pez');
+
+        if (sourceContext) {
+          const [eventName, part] = args;
+          // note: this will emit multiple file upload events during larger files.
+          //       given the domain of this as being part of unsafe-file-upload (which is BAP)
+          //       this isn't much of a concern.
+
+          if (eventName === 'part' && part.filename) {
+            inputAnalysis.handleFileUploadName(sourceContext, [part.filename]);
+          }
+        }
+      }
+    });
+  };
+
   const hapiInstrumentation = inputAnalysis.hapiInstrumentation = {
     install
   };

package/lib/input-analysis/install/http.js

@@ -176,8 +176,13 @@ class HttpInstrumentation {
         setImmediate(() => method.call(instance, ...args));
         return;
       }
-
       store.protect = this.makeSourceContext(req, res);
+
+      if (store.protect.allowed) {
+        setImmediate(() => method.call(instance, ...args));
+        return;
+      }
+
       const { reqData } = store.protect;
 
       res.on('finish', () => {

package/lib/input-analysis/install/multer1.js

@@ -48,6 +48,7 @@ module.exports = (core) => {
 
             function contrastNext(origErr) {
               let securityException;
+              const filenames = [];
 
               if (req.body) {
                 sourceContext.parsedBody = req.body;
@@ -63,9 +64,26 @@ module.exports = (core) => {
                 }
               }
 
-              if (req.file || req.files) {
-                logger.debug('Check for vulnerable filename upload nyi');
-                // TODO: NODE-2601
+              if (req.file) {
+                filenames.push(req.file.originalname);
+              }
+
+              if (req.files) {
+                for (const file of Object.values(req.files)) {
+                  filenames.push(file.originalname);
+                }
+              }
+
+              if (filenames.length) {
+                try {
+                  inputAnalysis.handleFileUploadName(sourceContext, filenames);
+                } catch (err) {
+                  if (isSecurityException(err)) {
+                    securityException = err;
+                  } else {
+                    logger.error({ err }, 'Unexpected error during input analysis');
+                  }
+                }
               }
 
               const error = securityException || origErr;

package/lib/input-analysis/virtual-patches.js

@@ -26,7 +26,7 @@ module.exports = (core) => {
   const virtualPatchesEvaluators = inputAnalysis.virtualPatchesEvaluators = [];
 
   messages.on(Event.SERVER_SETTINGS_UPDATE, (serverUpdate) => {
-    const virtualPatches = serverUpdate.settings?.defend.virtualPatches;
+    const virtualPatches = serverUpdate.settings?.defend?.virtualPatches;
     if (virtualPatches) {
       buildVPEvaluators(virtualPatches, virtualPatchesEvaluators);
     }

package/lib/make-source-context.js

@@ -16,7 +16,9 @@
 'use strict';
 
 module.exports = function(core) {
-  const { protect } = core;
+  const {
+    protect: { getPolicy }
+  } = core;
 
   function makeSourceContext(req, res) {
     // make the abstract request. it is an abstraction of a request that
@@ -27,8 +29,10 @@ module.exports = function(core) {
     // or res objects so that all data coupling is all defined here.
 
     // separate path and search params
-    const ix = req.url.indexOf('?');
+
     let uriPath, queries;
+    const ix = req.url.indexOf('?');
+
     if (ix >= 0) {
       uriPath = req.url.slice(0, ix);
       queries = req.url.slice(ix + 1);
@@ -36,6 +40,14 @@ module.exports = function(core) {
       uriPath = req.url;
       queries = '';
     }
+
+    const policy = getPolicy({ uriPath });
+
+    // URL exclusions can disable all rules
+    if (!policy) {
+      return { allowed: true };
+    }
+
     // lowercase header keys and capture content-type
     let contentType = '';
     const headers = Array(req.rawHeaders.length);
@@ -80,7 +92,7 @@ module.exports = function(core) {
       // block closure captures res so it isn't exposed to beyond here
       block: core.protect.makeResponseBlocker(res),
 
-      policy: protect.getPolicy(),
+      policy,
 
       exclusions: [],
       virtualPatchesEvaluators: [],

package/lib/policy.js

@@ -27,14 +27,72 @@ const {
   Event: { SERVER_SETTINGS_UPDATE },
 } = require('@contrast/common');
 
-
 module.exports = function(core) {
-  const { config, logger, messages, protect } = core;
-  const policy = protect.policy = {};
+  const {
+    config,
+    logger,
+    messages,
+    protect,
+    protect: { agentLib }
+  } = core;
+
+  const compiled = {
+    url: [],
+    querystring: [],
+    header: [],
+    body: [],
+    cookie: [],
+    parameter: [],
+  };
+
+  const policy = protect.policy = {
+    exclusions: compiled
+  };
+
+  function regExpCheck(str) {
+    return str.indexOf('*') > 0 ||
+      str.indexOf('.') > 0 ||
+      str.indexOf('+') > 0 ||
+      str.indexOf('?') > 0 ||
+      str.indexOf('\\') > 0;
+  }
+
+  function buildUriPathRegExp(urls) {
+    let regExpNeeded = false;
+    for (const url of urls) {
+      if (regExpCheck(url)) {
+        regExpNeeded = true;
+      }
+    }
+    if (regExpNeeded) {
+      const rx = new RegExp(`^${urls.join('|')}$`);
+
+      return (uriPath) => rx ? rx.test(uriPath) : false;
+    }
+
+    return (uriPath) => urls.some((url) => url === uriPath);
+  }
+
+  function createUriPathMatcher(urls) {
+    if (urls.length) {
+      return buildUriPathRegExp(urls);
+    } else {
+      return () => true;
+    }
+  }
+
+  function createInputNameMatcher(dtmInputName) {
+    if (regExpCheck(dtmInputName)) {
+      const rx = new RegExp(`^${dtmInputName}$`);
+      return (inputName) => rx ? rx.test(inputName) : false;
+    }
+
+    return (inputName) => inputName === dtmInputName;
+  }
 
   function getModeFromConfig(ruleId) {
     if (config.protect.disabled_rules.includes(ruleId)) {
-      return 'off';
+      return OFF;
     }
     return config.protect.rules?.[ruleId]?.mode;
   }
@@ -84,11 +142,20 @@ module.exports = function(core) {
    */
   function updateRulesMask() {
     let rulesMask = 0;
-    for (const [ruleId, mode] of Object.entries(policy)) {
+
+    for (const entry of Object.entries(policy)) {
+      let [ruleId] = entry;
+      const [, mode] = entry;
+
+      if (ruleId === 'nosql-injection') {
+        ruleId = 'nosql-injection-mongo';
+      }
+
       if (protect.agentLib.RuleType[ruleId] && mode !== OFF) {
         rulesMask = rulesMask | protect.agentLib.RuleType[ruleId];
       }
     }
+
     policy.rulesMask = rulesMask;
   }
 
@@ -96,13 +163,83 @@ module.exports = function(core) {
    * This gets called by protect.makeSourceContext(). We return copy of policy to avoid
    * inconsistent behavior if policy is updated during request handling.
    */
-  function getPolicy() {
-    return { ...policy };
-  }
+  function getPolicy({ uriPath } = {}) {
+    const requestPolicy = {
+      exclusions: {
+        ignoreQuerystring: false,
+        querystringPolicy: null,
+        ignoreBody: false,
+        bodyPolicy: null,
+        header: [],
+        cookie: [],
+        parameter: [],
+      },
+      rulesMask: policy.rulesMask,
+    };
 
-  initPolicy();
+    for (const ruleId of Object.values(Rule)) {
+      requestPolicy[ruleId] = policy[ruleId];
+    }
 
-  messages.on(SERVER_SETTINGS_UPDATE, (remoteSettings) => {
+    // handle exclusions
+    for (const [inputType, exclusions] of Object.entries(compiled)) {
+      for (const e of exclusions) {
+        if (!e.matchesUriPath(uriPath)) continue;
+
+        // url exclusions
+        if (inputType === 'url') {
+          // if applies to all rules, there is no policy for the request i.e. disable protect
+          if (!e.policy) {
+            return null;
+          }
+
+          // merge exclusion's policy into the request's policy
+          for (const key of Object.keys(e.policy)) {
+            const value = e.policy[key];
+            if (key === 'rulesMask') {
+              // this is how to disable rules bitwise
+              requestPolicy.rulesMask = requestPolicy.rulesMask & ~value;
+            } else {
+              requestPolicy[key] = value;
+            }
+          }
+        } else if (inputType === 'querystring') {
+          if (!e.policy) {
+            requestPolicy.exclusions.ignoreQuerystring = true;
+          } else {
+            // merge exclusion's policy into the querystring's policy
+            requestPolicy.exclusions.querystringPolicy = requestPolicy.exclusions.querystringPolicy || {};
+            for (const key of Object.keys(e.policy)) {
+              const value = e.policy[key];
+              if (key !== 'rulesMask') {
+                requestPolicy.exclusions.querystringPolicy[key] = value;
+              }
+            }
+          }
+        } else if (inputType === 'body') {
+          if (!e.policy) {
+            requestPolicy.exclusions.ignoreBody = true;
+          } else {
+            // merge exclusion's policy into the querystring's policy
+            requestPolicy.exclusions.bodyPolicy = requestPolicy.exclusions.bodyPolicy || {};
+            for (const key of Object.keys(e.policy)) {
+              const value = e.policy[key];
+              if (key !== 'rulesMask') {
+                requestPolicy.exclusions.bodyPolicy[key] = value;
+              }
+            }
+          }
+        } else {
+          // copy matching input exclusions into request policy
+          requestPolicy.exclusions[inputType].push(e);
+        }
+      }
+    }
+
+    return requestPolicy;
+  }
+
+  function updateGlobalPolicy(remoteSettings) {
     let update;
 
     const protectionRules = remoteSettings?.settings?.defend?.protectionRules;
@@ -128,7 +265,79 @@ module.exports = function(core) {
       updateRulesMask();
       logger.info({ policy: protect.policy }, `protect policy updated from ${update}`);
     }
+  }
+
+  function updateExclusions(serverUpdate) {
+    const exclusions = [
+      ...(serverUpdate.settings?.exceptions?.inputExceptions || []),
+      ...(serverUpdate.settings?.exceptions?.urlExceptions || [])
+    ].filter((exclusion) => exclusion.modes.includes('defend'));
+
+    if (!exclusions.length) return;
+
+    for (const exclusionDtm of exclusions) {
+      exclusionDtm.inputType = exclusionDtm.inputType || 'URL';
+
+      const { name, rules, inputName, urls, inputType } = exclusionDtm;
+      const key = inputType.toLowerCase();
+
+      if (!compiled[key]) continue;
+
+      try {
+        const e = { name };
+        e.matchesUriPath = createUriPathMatcher(urls);
+
+        if (inputName) {
+          e.matchesInputName = createInputNameMatcher(inputName);
+        }
+
+        if (rules.length) {
+          let rulesMask = 0;
+          const exclusionPolicy = {};
+
+          for (let ruleId of rules) {
+            // todo: this doesn't seem to make a difference?
+            if (ruleId === 'nosql-injection') {
+              ruleId = 'nosql-injection-mongo';
+            }
+
+            if (agentLib.RuleType[ruleId]) {
+              Object.assign(exclusionPolicy, { [ruleId]: OFF });
+              if (inputType === 'URL') {
+                rulesMask = rulesMask | agentLib.RuleType[ruleId];
+                exclusionPolicy.rulesMask = rulesMask;
+              }
+            }
+          }
+
+          e.policy = exclusionPolicy;
+        }
+        if (key === 'cookie') {
+          e.checkCookieInHeader = (cookieHeader) => {
+            for (const cookiePair of cookieHeader.split(';')) {
+              const cookieKey = cookiePair.split('=')[0];
+              if (e.matchesInputName(cookieKey)) {
+                return true;
+              }
+            }
+
+            return false;
+          };
+        }
+
+        compiled[key].push(e);
+      } catch (err) {
+        logger.error({ err, exclusionDtm }, 'failed to process exclusion');
+      }
+    }
+  }
+
+  messages.on(SERVER_SETTINGS_UPDATE, (msg) => {
+    updateGlobalPolicy(msg);
+    updateExclusions(msg);
   });
 
+  initPolicy();
+
   return protect.getPolicy = getPolicy;
 };

package/lib/semantic-analysis/constants.js

@@ -0,0 +1,20 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+module.exports = {
+  patchType: 'protect-semantic-analysis',
+};

package/lib/semantic-analysis/handlers.js

@@ -20,10 +20,13 @@ const {
   BLOCKING_MODES,
   ProtectRuleMode: { OFF },
   InputType,
-  isString,
   simpleTraverse
 } = require('@contrast/common');
 
+const {
+  findExternalEntities,
+} = require('./utils/xml-analysis');
+
 const SINK_EXPLOIT_PATTERN_START = /(?:^|\\|\/)(?:sh|bash|zsh|ksh|tcsh|csh|fish|cmd)/;
 const stripWhiteSpace = (str) => str.replace(/\s/g, '');
 
@@ -103,6 +106,18 @@ module.exports = function(core) {
     }
   };
 
+  semanticAnalysis.handleXXE = function (sourceContext, sinkContext) {
+    const mode = sourceContext.policy[Rule.XXE];
+    if (mode == OFF) return;
+
+    const findings = findExternalEntities(sinkContext.value);
+    if (findings.entities.length) {
+      handleResult(sourceContext, sinkContext, Rule.XXE, mode, {
+        findings,
+      });
+    }
+  };
+
   return semanticAnalysis;
 };
 
@@ -127,7 +142,7 @@ function findBackdoorInjection(sourceContext, command) {
   };
 
   let found = false;
-  for (let inputType in valuesOfInterest) {
+  for (const inputType in valuesOfInterest) {
     const values = valuesOfInterest[inputType];
 
     if (values && Object.keys(values).length) {
@@ -139,7 +154,7 @@ function findBackdoorInjection(sourceContext, command) {
         ) {
           let key;
           if (inputType === InputType.HEADER) {
-            key = obj[path[0] - 1]
+            key = obj[path[0] - 1];
           } else {
             key = path[path.length - 1];
           }

package/lib/semantic-analysis/index.js

@@ -15,6 +15,8 @@
 
 'use strict';
 
+const { installChildComponentsSync } = require('@contrast/common');
+
 /**
  * SEMANTIC ANALYSIS is a STAGE of Protect.
  * The information about it can be found under some of the separate rules we support for this stage:
@@ -31,6 +33,13 @@ module.exports = function(core) {
   // load the interfaces that will be used by input tracing instrumentation
   require('./handlers')(core);
 
+  // instrumentation
+  require('./install/libxmljs')(core);
+
+  semanticAnalysis.install = function() {
+    installChildComponentsSync(semanticAnalysis);
+  };
+
   // There is no `.install()` method as this STAGE does not introduce side effects on its own,
   // it uses the instrumentation that's already in place for INPUT TRACING.
 

package/lib/semantic-analysis/install/libxmljs.js

@@ -0,0 +1,82 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { isString } = require('@contrast/common');
+const SecurityException = require('../../security-exception');
+const { patchType } = require('../constants');
+
+module.exports = function(core) {
+  const {
+    depHooks,
+    patcher,
+    logger,
+    protect: { semanticAnalysis },
+    protect,
+    captureStacktrace
+  } = core;
+
+  function install() {
+    depHooks.resolve({ name: 'libxmljs' }, hookLibXml);
+    // libxmljs2 is a fork of libxml that has identical signatures.
+    // the only difference is that libxmljs2 is used by juice-shop and thus
+    // we're missing sinks in one of our most important sample apps.
+    depHooks.resolve({ name: 'libxmljs2' }, hookLibXml);
+  }
+
+  function hookLibXml(libxmljs) {
+    patcher.patch(libxmljs, 'parseXmlString', {
+      name: 'libxmljs.parseXmlString',
+      patchType,
+      pre: preParseXmlMethod
+    });
+
+    patcher.patch(libxmljs, 'parseXml', {
+      name: 'libxmljs.parseXml',
+      patchType,
+      pre: preParseXmlMethod
+    });
+  }
+
+  function preParseXmlMethod({ args, hooked, orig }) {
+    const sourceContext = protect.getSourceContext('libxmljs.parseXmlString');
+    const value = args[0];
+
+    // If noent isn't set to true than libxml won't load
+    // external entities, so this isn't vulnerable
+    // see: https://help.semmle.com/wiki/display/JS/XML+external+entity+expansion
+    if (!sourceContext || !value || !isString(value) || !args[1].noent) return;
+
+    const sinkContext = captureStacktrace(
+      { name: 'libxmljs.parseXmlString', value },
+      { constructorOpt: hooked, prependFrames: [orig] }
+    );
+
+    try {
+      semanticAnalysis.handleXXE(sourceContext, sinkContext);
+    } catch (err) {
+      if (SecurityException.isSecurityException(err)) {
+        throw err;
+      }
+
+      logger.error({ err }, 'Unexpected error during semantic analysis');
+    }
+  }
+
+  const libxmljs = semanticAnalysis.libxmljs = { install };
+
+  return libxmljs;
+};

package/lib/semantic-analysis/utils/xml-analysis.js

@@ -0,0 +1,107 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+
+const PROTOCOLS = {
+  FTP: 'FTP',
+  HTTP: 'HTTP',
+  HTTPS: 'HTTPS',
+  TCP: 'TCP'
+};
+
+const FTP = `${PROTOCOLS.FTP.toLowerCase()}:`;
+const HTTP = `${PROTOCOLS.HTTP.toLowerCase()}:`;
+const HTTPS = `${PROTOCOLS.HTTPS.toLowerCase()}:`;
+const DTD_EXTENSION = '.dtd';
+const FILE_START = 'file:';
+const GOPHER_START = 'gopher:';
+const JAR_START = 'jar:';
+const DOT = '.';
+const FORWARD_SLASH = '/';
+const UP_DIR_LINUX = '../';
+const UP_DIR_WIN = '..\\';
+const ENTITY_TYPES = {
+  SYSTEM: 'SYSTEM',
+  PUBLIC: 'PUBLIC'
+};
+
+// We only use this against lowercase strings; removed A-Z for speed
+const FILE_PATTERN_WINDOWS = /^[\\\\]*[a-z]{1,3}:.*/;
+
+const entityRegex = /<!ENTITY\s+(?<name>[a-zA-Z0-f]+)\s+(?<type>SYSTEM|PUBLIC)\s+"(?<uri1>.*?)"\s*("(?<uri2>.*?)"\s*)?>/g;
+
+// Helper Functions
+const indicators = [
+  FTP,
+  FILE_START,
+  JAR_START,
+  GOPHER_START,
+  FORWARD_SLASH,
+  DOT,
+  UP_DIR_LINUX,
+  UP_DIR_WIN,
+];
+
+function isExternalEntity(str) {
+  if (!str) return false;
+
+  if (str.startsWith(HTTP) || str.startsWith(HTTPS)) {
+    if (!str.endsWith(DTD_EXTENSION)) return true;
+  }
+
+  for (const val of indicators) {
+    if (str.startsWith(val)) return true;
+  }
+
+  return FILE_PATTERN_WINDOWS.test(str);
+}
+
+/**
+ * @param {String} xml
+*/
+module.exports.findExternalEntities = function(xml = '') {
+  const entities = [];
+  let match;
+
+  while ((match = entityRegex.exec(xml))) {
+    const {
+      groups: { type, uri1, uri2 }
+    } = match;
+
+    let uri;
+    if (type === ENTITY_TYPES.SYSTEM && isExternalEntity(uri1)) {
+      uri = uri1;
+    } else if (type === ENTITY_TYPES.PUBLIC && isExternalEntity(uri2)) {
+      uri = uri2;
+    }
+
+    uri && entities.push({
+      start: match.index,
+      finish: match.index + match[0].length,
+      type,
+      uri,
+    });
+  }
+
+  const len = entities.length;
+
+  return {
+    entities,
+    prolog: len && xml.substr(0, entities[len - 1].finish) || null
+  };
+};
+
+module.exports.ENTITY_TYPES = ENTITY_TYPES;
+module.exports.isExternalEntity = isExternalEntity;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.6.4",
+  "version": "1.8.0",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -17,14 +17,11 @@
     "test": "../scripts/test.sh"
   },
   "dependencies": {
-    "@babel/template": "^7.16.7",
-    "@babel/types": "^7.16.8",
     "@contrast/agent-lib": "^5.1.0",
-    "@contrast/common": "1.1.3",
-    "@contrast/core": "1.6.1",
-    "@contrast/esm-hooks": "1.2.1",
-    "@contrast/scopes": "1.1.2",
-    "builtin-modules": "^3.2.0",
+    "@contrast/common": "1.1.4",
+    "@contrast/core": "1.7.0",
+    "@contrast/esm-hooks": "1.3.0",
+    "@contrast/scopes": "1.2.0",
     "ipaddr.js": "^2.0.1",
     "semver": "^7.3.7"
   }