@contrast/protect 1.64.2 → 1.65.0

package/lib/get-source-context.js

@@ -22,7 +22,9 @@ module.exports = function init(core) {
     if (!core.config.getEffectiveValue('protect.enable')) return null;
 
     const sourceContext = sources.getStore()?.protect;
-    return sourceContext?.allowed ? null : sourceContext;
+    if (!sourceContext) return null;
+
+    return sourceContext.allowed ? null : sourceContext;
   }
 
   core.protect.getSourceContext = getSourceContext;

package/lib/index.js

@@ -20,7 +20,7 @@ const { callChildComponentMethodsSync } = require('@contrast/common');
 const { ConfigSource } = require('@contrast/config');
 
 module.exports = function(core) {
-  const { config } = core;
+  const { config, sources } = core;
 
   const protect = core.protect = {
     agentLib: module.exports.instantiateAgentLib(),
@@ -55,6 +55,11 @@ module.exports = function(core) {
     callChildComponentMethodsSync(protect, 'install');
   };
 
+  // append async state to store when request-scope sources are created
+  sources.addHook('onSource', (ctx) => {
+    ctx.store.protect = protect.makeSourceContext(ctx);
+  });
+
   return protect;
 };
 

package/lib/input-analysis/handlers.js

@@ -117,7 +117,6 @@ module.exports = Core.makeComponent({
 
     // all handlers will be invoked with two arguments:
     // 1) sourceContext object containing:
-    //   - reqData, the abstract request object containing only what is needed
     //   - protect, the protect context
     //     - rules, exclusions, virtual patches (TS data). what was in effect for this
     //       url *at the time the request was started*. these will not change.
@@ -162,7 +161,7 @@ module.exports = Core.makeComponent({
      * 'connectInputs' makes sense; a flag similar to 'contentType' can be set and it can be
      * used later to avoid calling 'handleQueryParams()'
      *
-     * @param {Object} sourceContext { reqData, protect } that will be supplied to
+     * @param {Object} sourceContext { protect } that will be supplied to
      *   all handlers and sinks for this request. It will always be supplied by the caller
      *   to a handler; the handler is not aware of the implementation.
      * @param {Object} connectInputs each property is an input to be evaluated by this
@@ -343,7 +342,8 @@ module.exports = Core.makeComponent({
 
       let bodyType;
       let inputTypes;
-      if (sourceContext.reqData.contentType.includes('/json')) {
+      const { sourceInfo } = core.scopes.sources.getStore();
+      if (sourceInfo?.contentType?.includes?.('/json')) {
         bodyType = 'json';
         inputTypes = jsonInputTypes;
       } else {
@@ -438,9 +438,8 @@ module.exports = Core.makeComponent({
     inputAnalysis.handleIpAllowlist = function(sourceContext, ipAllowlist) {
       if (!sourceContext || !ipAllowlist.length) return;
 
-      const { ip: reqIp, headers: reqHeaders } = sourceContext.reqData;
-
-      const match = ipListAnalysis(reqIp, reqHeaders, ipAllowlist);
+      const { sourceInfo } = core.scopes.sources.getStore();
+      const match = ipListAnalysis(sourceInfo.ip, sourceInfo.rawHeaders, ipAllowlist);
 
       if (match) {
         logger.info(match, 'Found a matching IP to an entry in ipAllow list');
@@ -453,9 +452,8 @@ module.exports = Core.makeComponent({
 
       if (!sourceContext || !ipDenylist.length) return;
 
-      const { ip: reqIp, headers: reqHeaders } = sourceContext.reqData;
-
-      const match = ipListAnalysis(reqIp, reqHeaders, ipDenylist);
+      const { sourceInfo } = core.scopes.sources.getStore();
+      const match = ipListAnalysis(sourceInfo.Ip, sourceInfo.rawHeaders, ipDenylist);
 
       if (match) {
         logger.info(match, 'Found a matching IP to an entry in ipDeny list');

package/lib/input-analysis/install/http.js

@@ -31,24 +31,19 @@ module.exports = function (core) {
     },
   } = core;
 
-  const instr = inputAnalysis.httpInstrumentation = {
-    install,
-    around
-  };
-
-  function removeCookies(headers) {
-    for (let i = 0; i < headers.length; i += 2) {
-      if (headers[i] === 'cookies') {
-        headers = ArrayPrototypeSlice.call(headers);
-        headers.splice(i, 2);
+  function removeCookies(rawHeaders) {
+    for (let i = 0; i < rawHeaders.length; i += 2) {
+      if (rawHeaders[i] === 'cookies') {
+        rawHeaders = ArrayPrototypeSlice.call(rawHeaders);
+        rawHeaders.splice(i, 2);
       }
     }
-    return headers;
+    return rawHeaders;
   }
 
   function around(next, data) {
     let store, block;
-    const { args: [type, req, res] } = data;
+    const { args: [type,, res] } = data;
 
     function callNext() {
       setImmediate(() => {
@@ -63,21 +58,20 @@ module.exports = function (core) {
 
     try {
       store = sources.getStore();
-      if (!store) {
+      if (!store?.protect) {
         logger.debug({ funcKey: data.funcKey }, 'request store not available during http input-analysis');
+        callNext();
         return;
       }
-
-      store.protect = core.protect.makeSourceContext(req, res);
       if (store.protect.allowed) {
         callNext();
         return;
       }
 
       const {
-        reqData: { headers, uriPath, method },
-        resData,
-      } = store.protect;
+        sourceInfo: { method, rawHeaders, uriPath },
+        protect: { resData }
+      } = store;
 
       onFinished(res, (/* err, req */) => {
         resData.statusCode = res.statusCode;
@@ -86,7 +80,7 @@ module.exports = function (core) {
       });
 
       const connectInputs = {
-        headers: removeCookies(headers),
+        headers: removeCookies(rawHeaders),
         uriPath,
         method: StringPrototypeToLowerCase.call(method),
       };
@@ -131,5 +125,10 @@ module.exports = function (core) {
     });
   }
 
+  const instr = inputAnalysis.httpInstrumentation = {
+    install,
+    around
+  };
+
   return instr;
 };

package/lib/input-analysis/install/qs6.js

@@ -22,34 +22,35 @@ module.exports = (core) => {
     depHooks,
     patcher,
     protect,
-    protect: { inputAnalysis },
+    scopes,
   } = core;
 
   // Patch `qs`
   function install() {
-    depHooks.resolve({ name: 'qs', version: '<7' },
-      (qs) => patcher.patch(qs, 'parse', {
-        name: 'qs',
-        patchType,
-        post({ args, result }) {
-          if (result && Object.keys(result).length) {
-            const sourceContext = protect.getSourceContext();
-
-            // We need to run analysis for the `qs` result only when it's used as a query parser.
-            // `qs` is used also for parsing bodies, but these cases we handle individually with
-            // the respective library that's using it (e.g. `formidable`, `co-body`) because in
-            // some cases its use is optional and we cannot rely on it.
-            if (sourceContext && sourceContext.reqData?.queries === args[0]) {
+    depHooks.resolve({ name: 'qs', version: '<7' }, (qs) => patcher.patch(qs, 'parse', {
+      name: 'qs',
+      patchType,
+      post({ args, result }) {
+        if (result && Object.keys(result).length) {
+          const sourceContext = protect.getSourceContext();
+          // We need to run analysis for the `qs` result only when it's used as a query parser.
+          // `qs` is used also for parsing bodies, but these cases we handle individually with
+          // the respective library that's using it (e.g. `formidable`, `co-body`) because in
+          // some cases its use is optional and we cannot rely on it.
+          if (sourceContext) {
+            const { sourceInfo } = scopes.sources.getStore();
+            if (sourceInfo.queries === args[0]) {
               sourceContext.parsedQuery = result;
-              inputAnalysis.handleQueryParams(sourceContext, result);
+              protect.inputAnalysis.handleQueryParams(sourceContext, result);
             }
           }
         }
-      })
+      }
+    })
     );
   }
 
-  const qs6Instrumentation = inputAnalysis.qs6Instrumentation = {
+  const qs6Instrumentation = protect.inputAnalysis.qs6Instrumentation = {
     install
   };
 

package/lib/input-analysis/install/universal-cookie4.js

@@ -22,7 +22,6 @@ module.exports = (core) => {
     depHooks,
     patcher,
     protect,
-    protect: { inputAnalysis },
   } = core;
 
   // Patch `universal-cookie` package
@@ -36,7 +35,7 @@ module.exports = (core) => {
 
           if (sourceContext) {
             sourceContext.parsedCookies = result;
-            inputAnalysis.handleCookies(sourceContext, result);
+            protect.inputAnalysis.handleCookies(sourceContext, result);
           }
         }
       }
@@ -44,7 +43,7 @@ module.exports = (core) => {
     );
   }
 
-  const universalCookie4Instrumentation = inputAnalysis.universalCookie4Instrumentation = {
+  const universalCookie4Instrumentation = protect.inputAnalysis.universalCookie4Instrumentation = {
     install
   };
 

package/lib/make-source-context.js

@@ -15,80 +15,36 @@
 
 'use strict';
 
-const { primordials: { StringPrototypeToLowerCase, StringPrototypeSlice } } = require('@contrast/common');
-
 module.exports = function(core) {
-  const {
-    protect: { getPolicy }
-  } = core;
-
-  const disabledPolicy = { allowed: true };
-
-  function makeSourceContext(req, res) {
-    if (!core.config.getEffectiveValue('protect.enable')) {
-      return disabledPolicy;
-    }
-
-    // make the abstract request. it is an abstraction of a request that
-    // contains only the pieces of the request required by handlers. this
-    // is done to make an explicit contract for data that is required by
-    // the handlers. additional data that is discovered to be required by
-    // handlers should be added here. the goal is not to pass the raw req
-    // or res objects so that all data coupling is all defined here.
-
-    // separate path and search params
-
-    let uriPath, queries;
-    const ix = req.url.indexOf('?');
-
-    if (ix >= 0) {
-      uriPath = StringPrototypeSlice.call(req.url, 0, ix);
-      queries = StringPrototypeSlice.call(req.url, ix + 1);
-    } else {
-      uriPath = req.url;
-      queries = '';
-    }
-
-    const policy = getPolicy({ uriPath });
-
+  const { protect } = core;
+
+  const DISABLED_POLICY = { allowed: true };
+
+  /**
+   * @param {object} param
+   * @param {object} param.store
+   * @param {import('@contrast/common').SourceInfo} param.store.sourceInfo
+   * @param {import('node:http').IncomingMessage} param.incomingMessage
+   * @param {import('node:http').ServerResponse} param.serverResponse
+   *
+   */
+  function makeSourceContext({
+    store: { sourceInfo },
+    // incomingMessage,
+    serverResponse,
+  }) {
+    if (!core.config.getEffectiveValue('protect.enable')) return DISABLED_POLICY;
+
+    const policy = protect.getPolicy({ uriPath: sourceInfo.uriPath });
     // URL exclusions can disable all rules
-    if (!policy || policy.rulesMask === 0) {
-      return disabledPolicy;
-    }
-
-    // lowercase header keys and capture content-type
-    let contentType = '';
-    const headers = Array(req.rawHeaders.length);
-
-    for (let i = 0; i < req.rawHeaders.length; i += 2) {
-      headers[i] = StringPrototypeToLowerCase.call(req.rawHeaders[i]);
-      headers[i + 1] = req.rawHeaders[i + 1];
-      if (headers[i] === 'content-type') {
-        contentType = StringPrototypeToLowerCase.call(headers[i + 1]);
-      }
-    }
-
-    // contains request data and information derived from request data. it's
-    // possible for any derived information to be derived later, but doing
-    // so here is typically better; it makes clear what information is used to
-    // make decisions by different handlers.
-    const reqData = {
-      ip: req.socket.remoteAddress,
-      httpVersion: req.httpVersion,
-      method: req.method,
-      headers,
-      uriPath,
-      queries,
-      contentType,
-    };
+    if (!policy || policy.rulesMask === 0) return DISABLED_POLICY;
 
     const protectStore = {
-      reqData,
       resData: {
         statusCode: null,
       },
       // block closure captures res so it isn't exposed to beyond here
-      blocker: new core.protect.Blocker(res),
+      blocker: new core.protect.Blocker(serverResponse),
       policy,
       exclusions: [],
       virtualPatchesEvaluators: [],

package/lib/semantic-analysis/handlers.js

@@ -75,6 +75,79 @@ module.exports = function(core) {
     }
   }
 
+  /**
+   * Backdoor detection logic:
+   *  - command is >= 2 chars
+   *  - iterates over every piece of request and checks
+   *    - the full value is the param to sink
+   *    - the value matches a regex and ends the param to the sink
+   */
+  function findBackdoorInjection(sourceContext, command) {
+    if (command?.length < 2) {
+      return null;
+    }
+
+    const { sourceInfo } = core.scopes.sources.getStore();
+    const valuesOfInterest = {
+      [InputType.QUERYSTRING]: sourceContext.parsedQuery,
+      [InputType.PARAMETER_VALUE]: sourceContext.parsedParams,
+      [InputType.BODY]: sourceContext.parsedBody,
+      [InputType.COOKIE_VALUE]: sourceContext.parsedCookies,
+      [InputType.HEADER]: sourceInfo.rawHeaders,
+    };
+
+    let found;
+    for (const inputType in valuesOfInterest) {
+      if (found) break;
+
+      const values = valuesOfInterest[inputType];
+
+      if (values && Object.keys(values).length) {
+        traverseValues(values, (path, type, value, obj) => {
+          if (isBackdoorDetected(value, command)) {
+            let key;
+            if (inputType === InputType.HEADER) {
+              key = obj[path[0] - 1];
+            } else {
+              key = path[path.length - 1];
+            }
+
+            found = {
+              key,
+              inputType: path.length > 1 ? InputType.JSON_VALUE : inputType,
+              path: ArrayPrototypeSlice.call(path, 0, -1),
+              value: command
+            };
+
+            // halt traversal
+            return true;
+          }
+        });
+      }
+    }
+
+    return found;
+  }
+
+  /**
+     * strips the whitespace of the request value and the command,
+     * checks if the command equals the request value
+     * or if the command looks like the start of a shell execution
+     * and ends with the request value passed to the sink
+     *
+     * @param {string} value from request key
+     */
+  function isBackdoorDetected(requestValue, command) {
+    const normalizedValue = stripWhiteSpace(requestValue);
+    const normalizedCommand = stripWhiteSpace(command);
+
+    return (
+      normalizedValue === normalizedCommand ||
+      (normalizedCommand.endsWith(normalizedValue) &&
+        RegExpPrototypeTest.call(SINK_EXPLOIT_PATTERN_START, normalizedCommand))
+    );
+  }
+
   semanticAnalysis.handleCmdInjectionSemanticDangerous = function(sourceContext, sinkContext) {
     const mode = sourceContext.policy[Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS];
 
@@ -137,75 +210,3 @@ module.exports = function(core) {
 
   return semanticAnalysis;
 };
-
-/**
- * Backdoor detection logic:
- *  - command is >= 2 chars
- *  - iterates over every piece of request and checks
- *    - the full value is the param to sink
- *    - the value matches a regex and ends the param to the sink
- */
-function findBackdoorInjection(sourceContext, command) {
-  if (command?.length < 2) {
-    return null;
-  }
-
-  const valuesOfInterest = {
-    [InputType.QUERYSTRING]: sourceContext.parsedQuery,
-    [InputType.PARAMETER_VALUE]: sourceContext.parsedParams,
-    [InputType.BODY]: sourceContext.parsedBody,
-    [InputType.COOKIE_VALUE]: sourceContext.parsedCookies,
-    [InputType.HEADER]: sourceContext.reqData.headers,
-  };
-
-  let found;
-  for (const inputType in valuesOfInterest) {
-    if (found) break;
-
-    const values = valuesOfInterest[inputType];
-
-    if (values && Object.keys(values).length) {
-      traverseValues(values, (path, type, value, obj) => {
-        if (isBackdoorDetected(value, command)) {
-          let key;
-          if (inputType === InputType.HEADER) {
-            key = obj[path[0] - 1];
-          } else {
-            key = path[path.length - 1];
-          }
-
-          found = {
-            key,
-            inputType: path.length > 1 ? InputType.JSON_VALUE : inputType,
-            path: ArrayPrototypeSlice.call(path, 0, -1),
-            value: command
-          };
-
-          // halt traversal
-          return true;
-        }
-      });
-    }
-  }
-
-  return found;
-}
-
-/**
-   * strips the whitespace of the request value and the command,
-   * checks if the command equals the request value
-   * or if the command looks like the start of a shell execution
-   * and ends with the request value passed to the sink
-   *
-   * @param {string} value from request key
-   */
-function isBackdoorDetected(requestValue, command) {
-  const normalizedValue = stripWhiteSpace(requestValue);
-  const normalizedCommand = stripWhiteSpace(command);
-
-  return (
-    normalizedValue === normalizedCommand ||
-      (normalizedCommand.endsWith(normalizedValue) &&
-      RegExpPrototypeTest.call(SINK_EXPLOIT_PATTERN_START, normalizedCommand))
-  );
-}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.64.2",
+  "version": "1.65.0",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -21,16 +21,16 @@
   },
   "dependencies": {
     "@contrast/agent-lib": "^9.1.0",
-    "@contrast/common": "1.34.2",
-    "@contrast/config": "1.49.2",
-    "@contrast/core": "1.54.2",
-    "@contrast/dep-hooks": "1.23.2",
-    "@contrast/esm-hooks": "2.28.2",
-    "@contrast/instrumentation": "1.33.2",
-    "@contrast/logger": "1.27.2",
-    "@contrast/patcher": "1.26.2",
-    "@contrast/rewriter": "1.30.2",
-    "@contrast/scopes": "1.24.2",
+    "@contrast/common": "1.35.0",
+    "@contrast/config": "1.50.0",
+    "@contrast/core": "1.55.0",
+    "@contrast/dep-hooks": "1.24.0",
+    "@contrast/esm-hooks": "2.29.0",
+    "@contrast/instrumentation": "1.34.0",
+    "@contrast/logger": "1.28.0",
+    "@contrast/patcher": "1.27.0",
+    "@contrast/rewriter": "1.31.0",
+    "@contrast/scopes": "1.25.0",
     "async-hook-domain": "^4.0.1",
     "ipaddr.js": "^2.0.1",
     "on-finished": "^2.4.1",