@contrast/protect 1.67.0 → 1.68.0

package/lib/hardening/handlers.js

@@ -42,11 +42,10 @@ module.exports = function(core) {
     return results;
   }
 
-  function handleFindings(sourceContext, sinkContext, ruleId, result, findings) {
+  function handleFindings(sourceContext, sinkContext, ruleId, result, findings, mode) {
     const { stacktraceOpts } = sinkContext;
-    captureStacktrace(sinkContext, stacktraceOpts);
 
-    const mode = sourceContext.policy[ruleId];
+    captureStacktrace(sinkContext, stacktraceOpts);
     getResults(sourceContext, ruleId).push(result);
 
     let blockInfo;
@@ -63,7 +62,7 @@ module.exports = function(core) {
 
   hardening.handleUntrustedDeserialization = function (sourceContext, sinkContext) {
     const ruleId = UNTRUSTED_DESERIALIZATION;
-    const mode = sourceContext.policy[ruleId];
+    const mode = sourceContext.policy.getRuleMode(ruleId);
     const { name, value } = sinkContext;
 
     if (
@@ -82,7 +81,7 @@ module.exports = function(core) {
     };
     const findings = { deserializer: name, command: false };
 
-    handleFindings(sourceContext, sinkContext, ruleId, result, findings);
+    handleFindings(sourceContext, sinkContext, ruleId, result, findings, mode);
   };
 
   return hardening;

package/lib/input-analysis/handlers.js

@@ -32,6 +32,7 @@ const {
   }
 } = require('@contrast/common');
 const { Core } = require('@contrast/core/lib/ioc/core');
+
 //
 // these rules are not implemented by agent-lib, but are being considered for
 // implementation:
@@ -133,6 +134,124 @@ module.exports = Core.makeComponent({
     //   inputs against rules 1) is very fast and 2) dramatically pares down the number
     //   of exclusion checks that need to be made.
 
+    /**
+     * merge new findings into the existing findings
+     *
+     * @param {Object} sourceContext sourceContext.findings is the existing findings
+     * @param {Object} newFindings the findings, in {trackRequest, resultsList} format.
+     * @returns {undefined|[String]} undefined to permit else [mode, rule] to block.
+     */
+    function mergeFindings(sourceContext, newFindings) {
+      const { policy } = sourceContext;
+      const { securityException, resultsMap } = sourceContext;
+
+      if (!newFindings.trackRequest) {
+        return securityException;
+      }
+
+      newFindings.resultsList = newFindings.resultsList.filter(
+        (result) => !inputAnalysis.isResultExcluded(sourceContext, result)
+      );
+
+      normalizeFindings(policy, newFindings);
+
+      sourceContext.trackRequest = sourceContext.trackRequest || newFindings.trackRequest;
+      sourceContext.securityException = sourceContext.securityException || newFindings.securityException;
+
+      // merge them into a ruleId-indexed map (pojo)
+      for (const result of newFindings.resultsList) {
+        if (!resultsMap[result.ruleId]) {
+          resultsMap[result.ruleId] = [];
+        }
+        resultsMap[result.ruleId].push(result);
+      }
+
+      return sourceContext.securityException;
+    }
+
+    //
+    // add common fields to findings.
+    //
+    function normalizeFindings(policy, findings) {
+      // now both augment the rules and check to see if any require blocking
+      // at perimeter.
+      for (const r of findings.resultsList) {
+        // augment
+        // what additional augmentations are needed?
+        // the name/id might need to be mapped but keep the original so it's not lost
+        r.mappedId = agentLibRuleTypeToName[r.ruleId] || r.ruleId;
+
+        // if we block this or the value is found in sink, we'll know not to check
+        // this result for probe analysis in handleRequestEnd().
+        r.blocked = false;
+        r.exploited = false;
+
+        // apply exclusions here.
+        //
+        // apply exclusions after scoring inputs as it will require less work
+        // most of the time.
+        //
+        // the following might need to be changed. BAP is legacy behavior; beyond that,
+        // the only way a score >= 90 can come back is if there is no "worth-watching"
+        // option and that implies that there is no sink, so this is the only place at
+        // which the block can occur. so at a minimum 'block' should also result in a
+        // block.
+        const mode = policy.getRuleMode(r.ruleId);
+
+        if (r.score >= 90 && BLOCKING_MODES.includes(mode)) {
+          r.blocked = true;
+          findings.securityException = [mode, r.ruleId, { result: r }];
+        }
+      }
+    }
+
+    function checkIpsMatch(listEntry, ip) {
+      const parsed = address.process(ip);
+
+      // Check if IP is in CIDR range,
+      if (listEntry.cidr) {
+        if (parsed.kind() !== listEntry.cidr.kind) {
+          return null;
+        }
+
+        if (parsed.match(listEntry.cidr.range)) {
+          return { ...listEntry, match: ip };
+        } else {
+          return null;
+        }
+      }
+
+      // or do a direct comparison
+      if (parsed.toNormalizedString() === listEntry.normalizedValue) {
+        return { ...listEntry, matchedIp: ip };
+      }
+
+      return null;
+    }
+
+    /**
+     * getValueAtKey() is used to fetch the object (expected) associated
+     * with the path of keys in obj. i say expected because this is only used
+     * for fetching the objects associated with a nosql vulnerability and those
+     * should always be objects.
+     *
+     * @param {Object} obj an object with keys
+     * @param {Array} path list of keys to walk through the object
+     * @param {String} lastKey the last key (it's not in path)
+     *
+     * @returns the value at end of walking path in obj
+     */
+    function getValueAtKey(obj, path, key) {
+      for (const p of path) {
+        /* c8 ignore next 6 */
+        if (!(p in obj)) {
+          return undefined;
+        }
+        obj = obj[p];
+      }
+      return key in obj ? obj[key] : undefined;
+    }
+
     /**
      * handleConnect()
      *
@@ -170,7 +289,7 @@ module.exports = Core.makeComponent({
      * @returns {undefined|[String]} undefined to permit else [mode, rule] to block.
      */
     inputAnalysis.handleConnect = function handleConnect(sourceContext, connectInputs) {
-      const { policy: { rulesMask } } = sourceContext;
+      const rulesMask = sourceContext.policy.getRulesMask();
 
       inputAnalysis.handleVirtualPatches(
         sourceContext,
@@ -210,16 +329,13 @@ module.exports = Core.makeComponent({
     inputAnalysis.handleQueryParams = function handleQueryParams(sourceContext, queryParams) {
       if (sourceContext.analyzedQuery) return;
       sourceContext.analyzedQuery = true;
-
       if (typeof queryParams !== 'object') {
         logger.debug({ queryParams }, 'handleQueryParams() called with non-object');
         return;
       }
-
       inputAnalysis.handleVirtualPatches(sourceContext, { PARAMETERS: queryParams });
 
       const block = commonObjectAnalyzer(sourceContext, queryParams, parameterInputTypes);
-
       if (block) {
         core.protect.reportFinding(block[2]);
         core.protect.throwSecurityException(sourceContext);
@@ -236,6 +352,9 @@ module.exports = Core.makeComponent({
      * @param {Object} urlParams pojo
      */
     inputAnalysis.handleUrlParams = function(sourceContext, urlParams) {
+      const rulesMask = sourceContext.policy.getRulesMask();
+      if (!rulesMask) return;
+
       if (sourceContext.analyzedUrlParams) return;
       sourceContext.analyzedUrlParams = true;
 
@@ -246,7 +365,6 @@ module.exports = Core.makeComponent({
 
       inputAnalysis.handleVirtualPatches(sourceContext, { PARAMETERS: urlParams });
 
-      const { policy: { rulesMask } } = sourceContext;
       const resultsList = [];
       const { UrlParameter } = agentLib.InputType;
 
@@ -257,7 +375,6 @@ module.exports = Core.makeComponent({
         }
 
         const items = agentLib.scoreAtom(rulesMask, value, UrlParameter, preferWW);
-
         if (!items) {
           return;
         }
@@ -311,7 +428,8 @@ module.exports = Core.makeComponent({
 
       inputAnalysis.handleVirtualPatches(sourceContext, { HEADERS: cookies });
 
-      const { policy: { rulesMask } } = sourceContext;
+      const rulesMask = sourceContext.policy.getRulesMask();
+      if (!rulesMask) return;
 
       const cookiesArr = Object.entries(cookies).reduce((acc, [key, value]) => {
         // things like booleans will cause agent-lib to throw
@@ -321,7 +439,6 @@ module.exports = Core.makeComponent({
 
       const cookieFindings = agentLib.scoreRequestConnect(rulesMask, { cookies: cookiesArr }, preferWW);
 
-
       const block = mergeFindings(sourceContext, cookieFindings);
 
       if (block) {
@@ -379,7 +496,7 @@ module.exports = Core.makeComponent({
       const { policy } = sourceContext;
       const resultsList = [];
 
-      if (policy[Rule.UNSAFE_FILE_UPLOAD] === 'off') return;
+      if (policy.getRuleMode(Rule.UNSAFE_FILE_UPLOAD) === 'off') return;
 
       for (const name of names) {
         if (!isString(name)) {
@@ -387,7 +504,7 @@ module.exports = Core.makeComponent({
           return;
         }
 
-        const items = agentLib.scoreAtom(policy.rulesMask, name, type);
+        const items = agentLib.scoreAtom(policy.getRulesMask(), name, type);
 
         if (!items) {
           return;
@@ -424,6 +541,7 @@ module.exports = Core.makeComponent({
 
       if (!Object.keys(requestInput).filter(Boolean).length || !sourceContext?.virtualPatchesEvaluators.length) return;
 
+      // todo: get virtualPatchesEvaluators from protect policy instead of request
       for (const vpEvaluators of sourceContext.virtualPatchesEvaluators) {
         for (const key in requestInput) {
           const evaluator = vpEvaluators.get(key);
@@ -502,7 +620,7 @@ module.exports = Core.makeComponent({
 
     inputAnalysis.handleMethodTampering = function(sourceContext, connectInputs) {
       const ruleId = Rule.METHOD_TAMPERING;
-      const mode = sourceContext.policy[ruleId];
+      const mode = sourceContext.policy.getRuleMode(ruleId);
       if (mode !== OFF) {
         const { method } = connectInputs;
 
@@ -533,9 +651,10 @@ module.exports = Core.makeComponent({
      * @param {Object} sourceContext
      */
     inputAnalysis.handleRequestEnd = function handleRequestEnd(sourceContext) {
+      const { policy } = sourceContext;
       // check status code to verify method-tampering exploitation
       const mtResult = sourceContext.resultsMap[Rule.METHOD_TAMPERING]?.[0];
-      if (mtResult) {
+      if (mtResult && policy.getRuleMode(Rule.METHOD_TAMPERING) !== OFF) {
         const { statusCode } = sourceContext.resData;
         if (statusCode !== 405 || statusCode !== 501) {
           mtResult.exploited = true;
@@ -543,12 +662,11 @@ module.exports = Core.makeComponent({
         }
       }
 
-      if (!config.protect.probe_analysis.enable) return;
-
-      const probeReports = [];
-
       // Detecting probes
-      const { resultsMap, policy: { rulesMask } } = sourceContext;
+      const rulesMask = sourceContext.policy.getRulesMask();
+      if (rulesMask == 0 || !config.protect.probe_analysis.enable) return;
+      const probeReports = [];
+      const { resultsMap } = sourceContext;
       const probesRules = [Rule.CMD_INJECTION, Rule.PATH_TRAVERSAL, Rule.SQL_INJECTION, Rule.XXE];
       const probes = {};
       const findingsForScoreRequest = {
@@ -571,7 +689,7 @@ module.exports = Core.makeComponent({
           } = resultByRuleId;
 
           if (
-            !isMonitorMode(ruleId, sourceContext) ||
+            sourceContext.policy.getRuleMode(ruleId) !== MONITOR ||
             exploited === true || // todo: remove
             score >= 90 ||
             !probesRules.some((rule) => rule === ruleId) ||
@@ -623,7 +741,7 @@ module.exports = Core.makeComponent({
       });
 
       results
-        .filter(({ score, ruleId }) => score >= 90 && isMonitorMode(ruleId, sourceContext))
+        .filter(({ score, ruleId }) => score >= 90 && sourceContext.policy.getRuleMode(ruleId) == MONITOR)
         .forEach((result) => {
           const resultByRuleId = valueToResultByRuleId[result.value];
           const probe = Object.assign({}, resultByRuleId, result, {
@@ -652,11 +770,80 @@ module.exports = Core.makeComponent({
       }
     };
 
+    /**
+     * Reads the source context's policy and compares to result item to check whether to ignore it.
+     * @param {ProtectMessage} sourceContext
+     * @param {Result} result
+     * @returns {boolean} whether result should be excluded
+     */
+    inputAnalysis.isResultExcluded = function isResultExcluded(sourceContext, result) {
+      const exclusions = sourceContext.policy.getExclusionInfo();
+      if (!exclusions) return false;
+
+      const { ruleId, path, inputType, value } = result;
+      const inputName = path ? path[path.length - 1] : null;
+
+      let checkCookiesInHeader = false;
+      let inputExclusions;
+
+      switch (inputType) {
+        case 'JsonKey':
+        case 'JsonValue':
+        case 'MultipartName': {
+          if (
+            exclusions?.ignoreBody ||
+            exclusions?.bodyPolicy?.[ruleId] == OFF
+          ) return true;
+
+          return false;
+        }
+        case 'ParameterKey':
+        case 'ParameterValue': {
+          const qsExcluded = exclusions.ignoreQuerystring || exclusions.querystringPolicy?.[ruleId] === OFF;
+          if (qsExcluded) return true;
+          inputExclusions = exclusions.parameter;
+          break;
+        }
+        case 'CookieValue': {
+          inputExclusions = exclusions.cookie;
+          break;
+        }
+        case 'HeaderKey':
+        case 'HeaderValue': {
+          if (path[0] && StringPrototypeToLowerCase.call(path[0]) === 'cookie') {
+            inputExclusions = exclusions.cookie;
+            checkCookiesInHeader = true;
+          } else {
+            inputExclusions = exclusions?.header;
+          }
+          break;
+        }
+      }
+
+      if (!inputName || !inputExclusions) return false;
+
+      for (const excl of inputExclusions) {
+        let nameCheck = false;
+        if (checkCookiesInHeader) {
+          nameCheck = excl.checkCookiesInHeader(value);
+        } else {
+          nameCheck = excl.matchesInputName(inputName);
+        }
+        if (!nameCheck) continue;
+        if (!excl.policy || excl.policy[ruleId] === OFF) {
+          return true;
+        }
+      }
+
+      return false;
+    };
+
     /**
      * commonObjectAnalyzer() walks an object supplied by the end-user and checks
      * it for vulnerabilities.
      *
-     * This can cause the request to be blocked, depending on the mode and findings.
+     *
+ This can cause the request to be blocked, depending on the mode and findings.
      *
      * @param {Object} sourceContext the sourceContext for the request
      * @param {Object} object the object to analyze. It could be from any input
@@ -668,14 +855,14 @@ module.exports = Core.makeComponent({
      * @returns {Array | undefined} returns an array with block info if vulnerability was found.
      */
     function commonObjectAnalyzer(sourceContext, object, inputTypes) {
-      const { policy: { rulesMask } } = sourceContext;
-      if (!rulesMask) return;
-
       // use inputTypes to set params...
       const { keyType, inputType } = inputTypes;
       const inputTypeStr = inputTypes === jsonInputTypes ? 'Json' : 'Parameter';
       const resultsList = [];
 
+      const rulesMask = sourceContext.policy.getRulesMask();
+      if (!rulesMask) return;
+
       // it's possible to optimize this if qs (or a similar package) is not loaded
       // or if none of the values of queryParams are objects. a quick '.includes()'
       // could be used to determine that. if none are objects then traverseKeysAndValues()
@@ -804,184 +991,3 @@ module.exports = Core.makeComponent({
     }
   },
 });
-
-/**
- * Reads the source context's policy and compares to result item to check whether to ignore it.
- * @param {ProtectMessage} sourceContext
- * @param {Result} result
- * @returns {boolean} whether result should be excluded
- */
-function isResultExcluded(sourceContext, result) {
-  const { policy: { exclusions } } = sourceContext;
-  const { ruleId, path, inputType, value } = result;
-  const inputName = path ? path[path.length - 1] : null;
-
-  let checkCookiesInHeader = false;
-  let inputExclusions;
-  switch (inputType) {
-    case 'JsonKey':
-    case 'JsonValue':
-    case 'MultipartName': {
-      return exclusions.ignoreBody || exclusions.bodyPolicy?.[ruleId] === OFF;
-    }
-    case 'ParameterKey':
-    case 'ParameterValue': {
-      const qsExcluded = exclusions.ignoreQuerystring || exclusions.querystringPolicy?.[ruleId] === OFF;
-      if (qsExcluded) return true;
-      inputExclusions = exclusions.parameter;
-      break;
-    }
-    case 'CookieValue': {
-      inputExclusions = exclusions.cookie;
-      break;
-    }
-    case 'HeaderKey':
-    case 'HeaderValue': {
-      if (path[0] && StringPrototypeToLowerCase.call(path[0]) === 'cookie') {
-        inputExclusions = exclusions.cookie;
-        checkCookiesInHeader = true;
-      } else {
-        inputExclusions = exclusions.header;
-      }
-      break;
-    }
-  }
-
-  if (!inputName || !inputExclusions) return false;
-
-  for (const excl of inputExclusions) {
-    let nameCheck = false;
-    if (checkCookiesInHeader) {
-      nameCheck = excl.checkCookiesInHeader(value);
-    } else {
-      nameCheck = excl.matchesInputName(inputName);
-    }
-    if (!nameCheck) continue;
-    if (!excl.policy || excl.policy[ruleId] === OFF) {
-      return true;
-    }
-  }
-
-  return false;
-}
-
-/**
- * merge new findings into the existing findings
- *
- * @param {Object} sourceContext sourceContext.findings is the existing findings
- * @param {Object} newFindings the findings, in {trackRequest, resultsList} format.
- * @returns {undefined|[String]} undefined to permit else [mode, rule] to block.
- */
-function mergeFindings(sourceContext, newFindings) {
-  const { policy, securityException, resultsMap } = sourceContext;
-
-  if (!newFindings.trackRequest) {
-    return securityException;
-  }
-
-  newFindings.resultsList = newFindings.resultsList.filter(
-    (result) => !isResultExcluded(sourceContext, result)
-  );
-
-  normalizeFindings(policy, newFindings);
-
-  sourceContext.trackRequest = sourceContext.trackRequest || newFindings.trackRequest;
-  sourceContext.securityException = sourceContext.securityException || newFindings.securityException;
-
-  // merge them into a ruleId-indexed map (pojo)
-  for (const result of newFindings.resultsList) {
-    if (!resultsMap[result.ruleId]) {
-      resultsMap[result.ruleId] = [];
-    }
-    resultsMap[result.ruleId].push(result);
-  }
-
-  return sourceContext.securityException;
-}
-
-//
-// add common fields to findings.
-//
-function normalizeFindings(policy, findings) {
-  // now both augment the rules and check to see if any require blocking
-  // at perimeter.
-  for (const r of findings.resultsList) {
-    // augment
-    // what additional augmentations are needed?
-    // the name/id might need to be mapped but keep the original so it's not lost
-    r.mappedId = agentLibRuleTypeToName[r.ruleId] || r.ruleId;
-
-    // if we block this or the value is found in sink, we'll know not to check
-    // this result for probe analysis in handleRequestEnd().
-    r.blocked = false;
-    r.exploited = false;
-
-    // apply exclusions here.
-    //
-    // apply exclusions after scoring inputs as it will require less work
-    // most of the time.
-    //
-    // the following might need to be changed. BAP is legacy behavior; beyond that,
-    // the only way a score >= 90 can come back is if there is no "worth-watching"
-    // option and that implies that there is no sink, so this is the only place at
-    // which the block can occur. so at a minimum 'block' should also result in a
-    // block.
-    const mode = policy[r.ruleId];
-    if (r.score >= 90 && BLOCKING_MODES.includes(mode)) {
-      r.blocked = true;
-      findings.securityException = [mode, r.ruleId, { result: r }];
-    }
-  }
-}
-
-
-function checkIpsMatch(listEntry, ip) {
-  const parsed = address.process(ip);
-
-  // Check if IP is in CIDR range,
-  if (listEntry.cidr) {
-    if (parsed.kind() !== listEntry.cidr.kind) {
-      return null;
-    }
-
-    if (parsed.match(listEntry.cidr.range)) {
-      return { ...listEntry, match: ip };
-    } else {
-      return null;
-    }
-  }
-
-  // or do a direct comparison
-  if (parsed.toNormalizedString() === listEntry.normalizedValue) {
-    return { ...listEntry, matchedIp: ip };
-  }
-
-  return null;
-}
-
-/**
- * getValueAtKey() is used to fetch the object (expected) associated
- * with the path of keys in obj. i say expected because this is only used
- * for fetching the objects associated with a nosql vulnerability and those
- * should always be objects.
- *
- * @param {Object} obj an object with keys
- * @param {Array} path list of keys to walk through the object
- * @param {String} lastKey the last key (it's not in path)
- *
- * @returns the value at end of walking path in obj
- */
-function getValueAtKey(obj, path, key) {
-  for (const p of path) {
-    /* c8 ignore next 6 */
-    if (!(p in obj)) {
-      return undefined;
-    }
-    obj = obj[p];
-  }
-  return key in obj ? obj[key] : undefined;
-}
-
-function isMonitorMode(ruleId, sourceContext) {
-  return sourceContext.policy[ruleId] === MONITOR;
-}

package/lib/input-tracing/handlers.js

@@ -43,7 +43,7 @@ module.exports = function(core) {
     captureStacktrace(sinkContext, stacktraceOpts);
     result.exploited = true;
 
-    const mode = sourceContext.policy[ruleId];
+    const mode = sourceContext.policy.getRuleMode(ruleId);
     const eventArg = { findings, result, sinkContext };
 
     let blockInfo;
@@ -328,7 +328,7 @@ module.exports = function(core) {
  * @returns {AnalysisResult[]}
  */
 function getResultsByRuleId(ruleId, context) {
-  if (!context.policy || context.policy[ruleId] === OFF) {
+  if (!context.policy || context.policy.getRuleMode(ruleId) === OFF) {
     return;
   }
   // because agent-lib stores all nosql-injection results under nosql-injection-mongo

package/lib/make-source-context.js

@@ -18,8 +18,6 @@
 module.exports = function(core) {
   const { protect } = core;
 
-  const DISABLED_POLICY = { allowed: true };
-
   /**
    * @param {object} param
    * @param {object} param.store
@@ -33,12 +31,7 @@ module.exports = function(core) {
     // incomingMessage,
     serverResponse,
   }) {
-    if (!core.config.getEffectiveValue('protect.enable')) return DISABLED_POLICY;
-
     const policy = protect.getPolicy({ uriPath: sourceInfo.uriPath });
-    // URL exclusions can disable all rules
-    if (!policy || policy.rulesMask === 0) return DISABLED_POLICY;
-
     const protectStore = {
       resData: {
         statusCode: null,
@@ -56,6 +49,11 @@ module.exports = function(core) {
       resultsMap: Object.create(null),
     };
 
+    if (policy.allowed) {
+      protectStore.allowed = true;
+    }
+
+
     return protectStore;
   }
 

package/lib/policy.js

@@ -24,10 +24,10 @@ const {
     StringPrototypeToLowerCase,
     StringPrototypeSplit,
     RegExpPrototypeTest
-  }
+  },
+  set,
 } = require('@contrast/common');
 const { ConfigSource } = require('@contrast/config');
-
 const { BLOCK_AT_PERIMETER, OFF } = ProtectRuleMode;
 const {
   BOT_BLOCKER,
@@ -58,6 +58,121 @@ module.exports = function (core) {
     protect: { agentLib }
   } = core;
 
+  // todo: can we not init this and just set what's needed
+  let processedExclusions = initCompiled();
+
+  const policy = protect.policy = {
+    version: Date.now(),
+    exclusions: processedExclusions
+  };
+
+
+  class RequestPolicy {
+    constructor(core, sourceInfo) {
+      Object.defineProperty(this, 'core', { value: core });
+      Object.defineProperty(this, 'sourceInfo', { value: sourceInfo });
+
+      this.init();
+    }
+
+    init() {
+      const { uriPath } = this.sourceInfo;
+      this.version = core.protect.policy.version;
+
+      if (!this.core.config.getEffectiveValue('protect.enable')) {
+        this.allowed = true;
+        return;
+      }
+
+      // todo build exclusions
+      for (const [inputType, exclusions] of Object.entries(processedExclusions)) {
+        for (const e of exclusions) {
+          if (!e.matchesUriPath(uriPath)) continue;
+
+          // url exclusions
+          if (inputType === 'url') {
+            // if applies to all rules, there is no policy for the request i.e. disable protect
+            if (!e.policy) {
+              this.allowed = true;
+              return;
+            }
+
+            // merge exclusion's policy into the request's policy
+            for (const key of Object.keys(e.policy)) {
+              const value = e.policy[key];
+              if (key === 'rulesMask') {
+                if (this.exclusions?.rulesMask == null)
+                  set(this, 'exclusions.rulesMask', this.core.protect.policy.rulesMask);
+                // this is how to disable rules bitwise
+                this.exclusions.rulesMask = this.exclusions.rulesMask & ~value;
+              } else {
+                set(this, `exclusions.${key}`, value);
+              }
+            }
+          } else if (inputType === 'querystring') {
+            if (!e.policy) {
+              set(this, 'exclusions.ignoreQuerystring', true);
+            } else {
+              // merge exclusion's policy into the querystring's policy
+              // this.exclusions.querystringPolicy = this.exclusions.querystringPolicy || {};
+              for (const key of Object.keys(e.policy)) {
+                const value = e.policy[key];
+                if (key !== 'rulesMask') {
+                  set(this, `exclusions.querystringPolicy.${key}`, value);
+                }
+              }
+            }
+          } else if (inputType === 'body') {
+            if (!e.policy) {
+              set(this, 'exclusions.ignoreBody', true);
+            } else {
+              // merge exclusion's policy into the querystring's policy
+              // set(this, `exclusions.bodyPolicy = this.exclusions.bodyPolicy || {};
+              for (const key of Object.keys(e.policy)) {
+                const value = e.policy[key];
+                if (key !== 'rulesMask') {
+                  set(this, `exclusions.bodyPolicy.${key}`, value);
+                }
+              }
+            }
+          } else {
+            // copy matching input exclusions into request policy
+            if (!this.exclusions?.[inputType]) set(this, `exclusions.${inputType}`, []);
+            this.exclusions[inputType].push(e);
+          }
+        }
+      }
+    }
+
+    checkInit() {
+      if (!this.version == core.protect.policy.version) {
+        this.init();
+      }
+    }
+
+    isDisabled() {
+      this.checkInit();
+      return this.allowed === true;
+    }
+
+    getRulesMask(inputType) {
+      this.checkInit();
+      if (this.allowed) return 0;
+      return this.exclusions?.rulesMask ?? this.core.protect.policy.rulesMask;
+    }
+
+    getRuleMode(ruleId) {
+      this.checkInit();
+      if (this.allowed) return OFF;
+      return this.exclusions?.[ruleId] ?? this.core.protect.policy[ruleId];
+    }
+
+    getExclusionInfo(key, inputType) {
+      this.checkInit();
+      return key ? this.exclusions?.[key] : this.exclusions;
+    }
+  }
+
   function initCompiled() {
     return {
       url: [],
@@ -69,12 +184,6 @@ module.exports = function (core) {
     };
   }
 
-  let compiled = initCompiled();
-
-  const policy = protect.policy = {
-    exclusions: compiled
-  };
-
   function regExpCheck(str) {
     return str.indexOf('*') > 0 ||
       str.indexOf('.') > 0 ||
@@ -156,96 +265,19 @@ module.exports = function (core) {
         ruleId = 'nosql-injection-mongo';
       }
 
-      if (protect.agentLib.RuleType[ruleId] && mode !== OFF) {
-        rulesMask = rulesMask | protect.agentLib.RuleType[ruleId];
+      if (agentLib.RuleType[ruleId] && mode !== OFF) {
+        rulesMask = rulesMask | agentLib.RuleType[ruleId];
       }
     }
 
     policy.rulesMask = rulesMask;
   }
 
-  /**
-   * This gets called by protect.makeSourceContext(). We return copy of policy to avoid
-   * inconsistent behavior if policy is updated during request handling.
-   */
-  function getPolicy({ uriPath } = {}) {
-    const requestPolicy = {
-      exclusions: {
-        ignoreQuerystring: false,
-        querystringPolicy: null,
-        ignoreBody: false,
-        bodyPolicy: null,
-        header: [],
-        cookie: [],
-        parameter: [],
-      },
-      rulesMask: policy.rulesMask,
-    };
-
-    for (const ruleId of Object.values(Rule)) {
-      requestPolicy[ruleId] = policy[ruleId];
-    }
-
-    // handle exclusions
-    for (const [inputType, exclusions] of Object.entries(compiled)) {
-      for (const e of exclusions) {
-        if (!e.matchesUriPath(uriPath)) continue;
-
-        // url exclusions
-        if (inputType === 'url') {
-          // if applies to all rules, there is no policy for the request i.e. disable protect
-          if (!e.policy) {
-            return null;
-          }
-
-          // merge exclusion's policy into the request's policy
-          for (const key of Object.keys(e.policy)) {
-            const value = e.policy[key];
-            if (key === 'rulesMask') {
-              // this is how to disable rules bitwise
-              requestPolicy.rulesMask = requestPolicy.rulesMask & ~value;
-            } else {
-              requestPolicy[key] = value;
-            }
-          }
-        } else if (inputType === 'querystring') {
-          if (!e.policy) {
-            requestPolicy.exclusions.ignoreQuerystring = true;
-          } else {
-            // merge exclusion's policy into the querystring's policy
-            requestPolicy.exclusions.querystringPolicy = requestPolicy.exclusions.querystringPolicy || {};
-            for (const key of Object.keys(e.policy)) {
-              const value = e.policy[key];
-              if (key !== 'rulesMask') {
-                requestPolicy.exclusions.querystringPolicy[key] = value;
-              }
-            }
-          }
-        } else if (inputType === 'body') {
-          if (!e.policy) {
-            requestPolicy.exclusions.ignoreBody = true;
-          } else {
-            // merge exclusion's policy into the querystring's policy
-            requestPolicy.exclusions.bodyPolicy = requestPolicy.exclusions.bodyPolicy || {};
-            for (const key of Object.keys(e.policy)) {
-              const value = e.policy[key];
-              if (key !== 'rulesMask') {
-                requestPolicy.exclusions.bodyPolicy[key] = value;
-              }
-            }
-          }
-        } else {
-          // copy matching input exclusions into request policy
-          requestPolicy.exclusions[inputType].push(e);
-        }
-      }
-    }
-
-    return requestPolicy;
-  }
-
   function updateGlobalPolicy(remoteSettings) {
     const protectionRules = remoteSettings?.protect?.rules;
+    // last updated
+    protect.policy.version = Date.now();
+
     if (protectionRules) {
       [
         CMD_INJECTION,
@@ -290,7 +322,8 @@ module.exports = function (core) {
       }
 
       updateRulesMask();
-      protect.policy.exclusions = compiled;
+      protect.policy.exclusions = processedExclusions;
+
       logger.info({ policy: protect.policy }, 'Protect policy updated');
     }
   }
@@ -302,7 +335,7 @@ module.exports = function (core) {
     ].filter((exclusion) => exclusion.modes.includes('defend'));
 
     if (!exclusions.length) return;
-    compiled = initCompiled();
+    processedExclusions = initCompiled();
 
     for (const exclusionDtm of exclusions) {
       exclusionDtm.type = exclusionDtm.type || 'URL';
@@ -310,7 +343,7 @@ module.exports = function (core) {
       const { name, protect_rules, urls, type } = exclusionDtm;
       const key = StringPrototypeToLowerCase.call(type);
 
-      if (!compiled[key]) continue;
+      if (!processedExclusions[key]) continue;
 
       try {
         const e = { name };
@@ -354,7 +387,7 @@ module.exports = function (core) {
           };
         }
 
-        compiled[key].push(e);
+        processedExclusions[key].push(e);
       } catch (err) {
         logger.error({ err, exclusionDtm }, 'failed to process exclusion');
       }
@@ -370,5 +403,7 @@ module.exports = function (core) {
 
   initPolicy();
 
-  return protect.getPolicy = getPolicy;
+  return protect.getPolicy = function getPolicy(sourceInfo) {
+    return new RequestPolicy(core, sourceInfo);
+  };
 };

package/lib/semantic-analysis/handlers.js

@@ -155,7 +155,7 @@ module.exports = function(core) {
   }
 
   semanticAnalysis.handleCmdInjectionSemanticDangerous = function(sourceContext, sinkContext) {
-    const mode = sourceContext.policy[Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS];
+    const mode = sourceContext.policy.getRuleMode(Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS);
 
     if (mode == OFF) return;
 
@@ -167,7 +167,7 @@ module.exports = function(core) {
   };
 
   semanticAnalysis.handleCmdInjectionSemanticChainedCommands = function(sourceContext, sinkContext) {
-    const mode = sourceContext.policy[Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS];
+    const mode = sourceContext.policy.getRuleMode(Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS);
 
     if (mode == OFF) return;
 
@@ -179,10 +179,9 @@ module.exports = function(core) {
   };
 
   semanticAnalysis.handleCommandInjectionCommandBackdoors = function(sourceContext, sinkContext) {
-    const mode = sourceContext.policy[Rule.CMD_INJECTION_COMMAND_BACKDOORS];
+    const mode = sourceContext.policy.getRuleMode(Rule.CMD_INJECTION_COMMAND_BACKDOORS);
 
     if (mode == OFF) return;
-
     const finding = findBackdoorInjection(sourceContext, sinkContext.value);
 
     if (finding) {
@@ -191,7 +190,7 @@ module.exports = function(core) {
   };
 
   semanticAnalysis.handlePathTraversalFileSecurityBypass = function(sourceContext, sinkContext) {
-    const mode = sourceContext.policy[Rule.PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS];
+    const mode = sourceContext.policy.getRuleMode(Rule.PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS);
 
     if (mode == OFF) return;
 
@@ -201,7 +200,7 @@ module.exports = function(core) {
   };
 
   semanticAnalysis.handleXXE = function (sourceContext, sinkContext) {
-    const mode = sourceContext.policy[Rule.XXE];
+    const mode = sourceContext.policy.getRuleMode(Rule.XXE);
     if (mode == OFF) return;
 
     const findings = findExternalEntities(sinkContext.value);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.67.0",
+  "version": "1.68.0",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -22,15 +22,15 @@
   "dependencies": {
     "@contrast/agent-lib": "^9.1.0",
     "@contrast/common": "1.37.0",
-    "@contrast/config": "1.52.0",
-    "@contrast/core": "1.57.0",
-    "@contrast/dep-hooks": "1.26.0",
-    "@contrast/esm-hooks": "2.31.0",
-    "@contrast/instrumentation": "1.36.0",
-    "@contrast/logger": "1.30.0",
-    "@contrast/patcher": "1.29.0",
-    "@contrast/rewriter": "1.33.0",
-    "@contrast/scopes": "1.27.0",
+    "@contrast/config": "1.52.1",
+    "@contrast/core": "1.57.1",
+    "@contrast/dep-hooks": "1.26.1",
+    "@contrast/esm-hooks": "2.32.0",
+    "@contrast/instrumentation": "1.36.1",
+    "@contrast/logger": "1.30.1",
+    "@contrast/patcher": "1.29.1",
+    "@contrast/rewriter": "1.34.0",
+    "@contrast/scopes": "1.27.1",
     "async-hook-domain": "^4.0.1",
     "ipaddr.js": "^2.0.1",
     "on-finished": "^2.4.1",