@contrast/protect 1.7.0 → 1.8.1

package/lib/hardening/handlers.js

@@ -24,7 +24,8 @@ module.exports = function(core) {
     protect: {
       hardening,
       throwSecurityException,
-    }
+    },
+    captureStacktrace,
   } = core;
 
   function getResults(sourceContext, ruleId) {
@@ -38,7 +39,7 @@ module.exports = function(core) {
   hardening.handleUntrustedDeserialization = function(sourceContext, sinkContext) {
     const ruleId = 'untrusted-deserialization';
     const mode = sourceContext.policy[ruleId];
-    const { name, value } = sinkContext;
+    const { name, value, stacktraceData } = sinkContext;
 
     if (mode === 'off') return;
 
@@ -48,6 +49,7 @@ module.exports = function(core) {
       const blocked = BLOCKING_MODES.includes(mode);
       const results = getResults(sourceContext, ruleId);
 
+      captureStacktrace(sinkContext, stacktraceData);
       results.push({
         blocked,
         findings: { deserializer: name, command: false },

package/lib/hardening/install/node-serialize0.js

@@ -21,7 +21,6 @@ module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    captureStacktrace,
     protect,
     protect: {
       hardening
@@ -43,10 +42,11 @@ module.exports = function(core) {
 
             if (!sourceContext || !value) return;
 
-            const sinkContext = captureStacktrace(
-              { name: `${name}.${method}`, value },
-              { constructorOpt: hooked, prependFrames: [orig] },
-            );
+            const sinkContext = {
+              name: `${name}.${method}`,
+              value,
+              stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+            };
             hardening.handleUntrustedDeserialization(sourceContext, sinkContext);
           },
         });

package/lib/input-analysis/handlers.js

@@ -15,7 +15,13 @@
 
 'use strict';
 
-const { BLOCKING_MODES, simpleTraverse, Rule, isString } = require('@contrast/common');
+const {
+  BLOCKING_MODES,
+  simpleTraverse,
+  Rule,
+  isString,
+  ProtectRuleMode: { OFF },
+} = require('@contrast/common');
 const address = require('ipaddr.js');
 
 //
@@ -57,6 +63,14 @@ module.exports = function(core) {
     config,
   } = core;
 
+  const jsonInputTypes = {
+    keyType: agentLib.InputType.JsonKey, inputType: agentLib.InputType.JsonValue
+  };
+
+  const parameterInputTypes = {
+    keyType: agentLib.InputType.ParameterKey, inputType: agentLib.InputType.ParameterValue
+  };
+
   // all handlers will be invoked with two arguments:
   // 1) sourceContext object containing:
   //   - reqData, the abstract request object containing only what is needed
@@ -112,8 +126,6 @@ module.exports = function(core) {
    * @returns {undefined|[String]} undefined to permit else [mode, rule] to block.
    */
   inputAnalysis.handleConnect = function handleConnect(sourceContext, connectInputs) {
-    if (!sourceContext || sourceContext.allowed) return;
-
     const { policy: { rulesMask } } = sourceContext;
 
     inputAnalysis.handleVirtualPatches(sourceContext, { URLS: connectInputs.rawUrl, HEADERS: connectInputs.headers });
@@ -122,84 +134,13 @@ module.exports = function(core) {
     let block = undefined;
     if (rulesMask !== 0) {
       const findings = agentLib.scoreRequestConnect(rulesMask, connectInputs, preferWW);
+
       block = mergeFindings(sourceContext, findings);
     }
 
     return block;
   };
 
-  /**
-   * handleRequestEnd()
-   *
-   * Invoked when the request is complete.
-   *
-   * @param {Object} sourceContext
-   */
-  inputAnalysis.handleRequestEnd = function handleRequestEnd(sourceContext) {
-    if (!config.protect.probe_analysis.enable) return;
-
-    const { resultsMap } = sourceContext.findings;
-    const probesRules = [Rule.CMD_INJECTION, Rule.PATH_TRAVERSAL, Rule.SQL_INJECTION, Rule.XXE];
-    const props = {};
-
-    // Detecting probes
-    Object.values(resultsMap).forEach(resultsByRuleId => {
-      resultsByRuleId.forEach((resultByRuleId) => {
-        const {
-          ruleId,
-          blocked,
-          details,
-          value,
-          inputType
-        } = resultByRuleId;
-        if (blocked || !blocked && details.length > 0 || !probesRules.some(rule => rule === ruleId)) return;
-
-        const { policy: { rulesMask } } = sourceContext;
-
-        const results = (agentLib.scoreAtom(
-          rulesMask,
-          value,
-          agentLib.InputType[inputType],
-          {
-            preferWorthWatching: false
-          }
-        ) || []).filter(({ score }) => score >= 90);
-
-        if (!results.length) return;
-
-        results.forEach(result => {
-          const isAlreadyBlocked = (resultsMap[result.ruleId] || []).some(element =>
-            element.blocked && element.inputType === inputType && element.value === value
-          );
-
-          if (isAlreadyBlocked) return;
-
-          const probe = Object.assign({}, resultByRuleId, result, {
-            mappedId: result.ruleId
-          });
-          const key = [probe.ruleId, probe.inputType, ...probe.path, probe.value].join('|');
-          props[key] = probe;
-        });
-      });
-    });
-
-    Object.values(props).forEach(prop => {
-      if (!resultsMap[prop.ruleId]) {
-        resultsMap[prop.ruleId] = [];
-      }
-
-      resultsMap[prop.ruleId].push(prop);
-    });
-  };
-
-  const jsonInputTypes = {
-    keyType: agentLib.InputType.JsonKey, inputType: agentLib.InputType.JsonValue
-  };
-
-  const parameterInputTypes = {
-    keyType: agentLib.InputType.ParameterKey, inputType: agentLib.InputType.ParameterValue
-  };
-
   /**
    * handleQueryParams()
    *
@@ -225,7 +166,6 @@ module.exports = function(core) {
       return;
     }
 
-
     inputAnalysis.handleVirtualPatches(sourceContext, { PARAMETERS: queryParams });
 
     const block = commonObjectAnalyzer(sourceContext, queryParams, parameterInputTypes);
@@ -264,10 +204,13 @@ module.exports = function(core) {
       if (type !== 'Value') {
         return;
       }
+
       const items = agentLib.scoreAtom(rulesMask, value, UrlParameter, preferWW);
+
       if (!items) {
         return;
       }
+
       for (const item of items) {
         resultsList.push({
           ruleId: item.ruleId,
@@ -312,14 +255,15 @@ module.exports = function(core) {
     if (sourceContext.analyzedCookies) return;
     sourceContext.analyzedCookies = true;
 
+    inputAnalysis.handleVirtualPatches(sourceContext, { HEADERS: cookies });
+
+    const { policy: { rulesMask } } = sourceContext;
+
     const cookiesArr = Object.entries(cookies).reduce((acc, [key, value]) => {
       acc.push(key, value);
       return acc;
     }, []);
 
-    inputAnalysis.handleVirtualPatches(sourceContext, { HEADERS: cookies });
-
-    const { policy: { rulesMask } } = sourceContext;
     const cookieFindings = agentLib.scoreRequestConnect(rulesMask, { cookies: cookiesArr }, preferWW);
 
     const block = mergeFindings(sourceContext, cookieFindings);
@@ -340,6 +284,7 @@ module.exports = function(core) {
    */
   inputAnalysis.handleParsedBody = function(sourceContext, parsedBody) {
     if (sourceContext.analyzedBody) return;
+
     sourceContext.analyzedBody = true;
 
     if (typeof parsedBody !== 'object') {
@@ -358,6 +303,7 @@ module.exports = function(core) {
       bodyType = 'urlencoded';
       inputTypes = parameterInputTypes;
     }
+
     const block = commonObjectAnalyzer(sourceContext, parsedBody, inputTypes);
 
     sourceContext.findings.bodyType = bodyType;
@@ -478,6 +424,70 @@ module.exports = function(core) {
     }
   };
 
+  /**
+   * handleRequestEnd()
+   *
+   * Invoked when the request is complete.
+   *
+   * @param {Object} sourceContext
+   */
+  inputAnalysis.handleRequestEnd = function handleRequestEnd(sourceContext) {
+    if (!config.protect.probe_analysis.enable || sourceContext.allowed) return;
+
+    const { resultsMap } = sourceContext.findings;
+    const probesRules = [Rule.CMD_INJECTION, Rule.PATH_TRAVERSAL, Rule.SQL_INJECTION, Rule.XXE];
+    const props = {};
+
+    // Detecting probes
+    Object.values(resultsMap).forEach(resultsByRuleId => {
+      resultsByRuleId.forEach((resultByRuleId) => {
+        const {
+          ruleId,
+          blocked,
+          details,
+          value,
+          inputType
+        } = resultByRuleId;
+        if (blocked || !blocked && details.length > 0 || !probesRules.some(rule => rule === ruleId)) return;
+
+        const { policy: { rulesMask } } = sourceContext;
+
+        const results = (agentLib.scoreAtom(
+          rulesMask,
+          value,
+          agentLib.InputType[inputType],
+          {
+            preferWorthWatching: false
+          }
+        ) || []).filter(({ score }) => score >= 90);
+
+        if (!results.length) return;
+
+        results.forEach(result => {
+          const isAlreadyBlocked = (resultsMap[result.ruleId] || []).some(element =>
+            element.blocked && element.inputType === inputType && element.value === value
+          );
+
+          if (isAlreadyBlocked) return;
+
+          const probe = Object.assign({}, resultByRuleId, result, {
+            mappedId: result.ruleId
+          });
+          const key = [probe.ruleId, probe.inputType, ...probe.path, probe.value].join('|');
+          props[key] = probe;
+        });
+      });
+    });
+
+    Object.values(props).forEach(prop => {
+      if (!resultsMap[prop.ruleId]) {
+        resultsMap[prop.ruleId] = [];
+      }
+
+      resultsMap[prop.ruleId].push(prop);
+    });
+  };
+
   /**
    * commonObjectAnalyzer() walks an object supplied by the end-user and checks
    * it for vulnerabilities.
@@ -532,7 +542,9 @@ module.exports = function(core) {
       } else {
         itemType = inputType;
       }
+
       let items = agentLib.scoreAtom(rulesMask, value, itemType, preferWW);
+
       if (!items && !isMongoQueryType) {
         return;
       }
@@ -628,6 +640,66 @@ module.exports = function(core) {
   }
 };
 
+/**
+ * Reads the source context's policy and compares to result item to check whether to ignore it.
+ * @param {ProtectMessage} sourceContext
+ * @param {Result} result
+ * @returns {boolean} whether result should be excluded
+ */
+function isResultExcluded(sourceContext, result) {
+  const { policy: { exclusions } } = sourceContext;
+  const { ruleId, path, inputType, value } = result;
+  const inputName = path ? path[path.length - 1] : null;
+
+  let checkCookiesInHeader = false;
+  let inputExclusions;
+  switch (inputType) {
+    case 'JsonKey':
+    case 'JsonValue':
+    case 'MultipartName': {
+      return exclusions.ignoreBody || exclusions.bodyPolicy?.[ruleId] === OFF;
+    }
+    case 'ParameterKey':
+    case 'ParameterValue': {
+      const qsExcluded = exclusions.ignoreQuerystring || exclusions.querystringPolicy?.[ruleId] === OFF;
+      if (qsExcluded) return true;
+      inputExclusions = exclusions.parameter;
+      break;
+    }
+    case 'CookieValue': {
+      inputExclusions = exclusions.cookie;
+      break;
+    }
+    case 'HeaderKey':
+    case 'HeaderValue': {
+      if (path?.[0]?.toLowerCase() === 'cookie') {
+        inputExclusions = exclusions.cookie;
+        checkCookiesInHeader = true;
+      } else {
+        inputExclusions = exclusions.header;
+      }
+      break;
+    }
+  }
+
+  if (!inputName || !inputExclusions) return false;
+
+  for (const excl of inputExclusions) {
+    let nameCheck = false;
+    if (checkCookiesInHeader) {
+      nameCheck = excl.checkCookiesInHeader(value);
+    } else {
+      nameCheck = excl.matchesInputName(inputName);
+    }
+    if (!nameCheck) continue;
+    if (!excl.policy || excl.policy[ruleId] === OFF) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
 /**
  * merge new findings into the existing findings
  *
@@ -641,6 +713,11 @@ function mergeFindings(sourceContext, newFindings) {
   if (!newFindings.trackRequest) {
     return findings.securityException;
   }
+
+  newFindings.resultsList = newFindings.resultsList.filter(
+    (result) => !isResultExcluded(sourceContext, result)
+  );
+
   normalizeFindings(policy, newFindings);
 
   findings.trackRequest = findings.trackRequest || newFindings.trackRequest;

package/lib/input-analysis/install/http.js

@@ -176,8 +176,13 @@ class HttpInstrumentation {
         setImmediate(() => method.call(instance, ...args));
         return;
       }
-
       store.protect = this.makeSourceContext(req, res);
+
+      if (store.protect.allowed) {
+        setImmediate(() => method.call(instance, ...args));
+        return;
+      }
+
       const { reqData } = store.protect;
 
       res.on('finish', () => {
@@ -209,12 +214,6 @@ class HttpInstrumentation {
         method: reqData.method,
       };
 
-      // only add queries if it's known that 'qs' or equivalent won't be used.
-      /* c8 ignore next 3 */
-      if (reqData.standardUrlParsing) {
-        connectInputs.queries = reqData.queries;
-      }
-
       if (inputAnalysis.virtualPatchesEvaluators?.length) {
         store.protect.virtualPatchesEvaluators.push(...inputAnalysis.virtualPatchesEvaluators.map((e) => new Map(e)));
       }

package/lib/input-analysis/virtual-patches.js

@@ -26,7 +26,7 @@ module.exports = (core) => {
   const virtualPatchesEvaluators = inputAnalysis.virtualPatchesEvaluators = [];
 
   messages.on(Event.SERVER_SETTINGS_UPDATE, (serverUpdate) => {
-    const virtualPatches = serverUpdate.settings?.defend.virtualPatches;
+    const virtualPatches = serverUpdate.settings?.defend?.virtualPatches;
     if (virtualPatches) {
       buildVPEvaluators(virtualPatches, virtualPatchesEvaluators);
     }

package/lib/input-tracing/handlers/index.js

@@ -24,9 +24,18 @@ const {
 } = require('@contrast/common');
 
 module.exports = function(core) {
-  const { protect: { agentLib, inputTracing, throwSecurityException } } = core;
+  const {
+    protect: {
+      agentLib,
+      inputTracing,
+      throwSecurityException
+    },
+    captureStacktrace,
+  } = core;
 
   function handleFindings(sourceContext, sinkContext, ruleId, result, findings) {
+    const { stacktraceData } = sinkContext;
+    captureStacktrace(sinkContext, stacktraceData);
     result.details.push({ sinkContext, findings });
 
     const mode = sourceContext.policy[ruleId];

package/lib/input-tracing/install/child-process.js

@@ -23,7 +23,6 @@ module.exports = function(core) {
     scopes: { instrumentation },
     patcher,
     depHooks,
-    captureStacktrace,
     protect,
     protect: { inputTracing }
   } = core;
@@ -43,10 +42,11 @@ module.exports = function(core) {
 
             if (!sourceContext || !value || !isString(value)) return;
 
-            const sinkContext = captureStacktrace(
-              { name, value },
-              { constructorOpt: hooked, prependFrames: [orig] }
-            );
+            const sinkContext = {
+              name,
+              value,
+              stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+            };
 
             inputTracing.handleCommandInjection(sourceContext, sinkContext);
             // To evade code duplication we are using these INPUT TRACING instrumentation

package/lib/input-tracing/install/eval.js

@@ -23,7 +23,6 @@ module.exports = function(core) {
     logger,
     scopes: { instrumentation },
     patcher,
-    captureStacktrace,
     protect,
     protect: { inputTracing }
   } = core;
@@ -45,10 +44,11 @@ module.exports = function(core) {
 
         if (!sourceContext || !value || !isString(value)) return;
 
-        const sinkContext = captureStacktrace(
-          { name: 'eval', value },
-          { constructorOpt: hooked, prependFrames: [orig] }
-        );
+        const sinkContext = {
+          name: 'eval',
+          value,
+          stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+        };
         inputTracing.ssjsInjection(sourceContext, sinkContext);
       }
     });

package/lib/input-tracing/install/fs.js

@@ -64,7 +64,6 @@ module.exports = function(core) {
     scopes: { instrumentation },
     patcher,
     depHooks,
-    captureStacktrace,
     protect,
     protect: { inputTracing }
   } = core;
@@ -101,10 +100,11 @@ module.exports = function(core) {
             // don't need to necessarily need to lock it here - there are no
             // lower-level calls that we instrument
             for (const value of values) {
-              const sinkContext = captureStacktrace(
-                { name, value },
-                { constructorOpt: hooked, prependFrames: [orig] }
-              );
+              const sinkContext = {
+                name,
+                value,
+                stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+              };
               inputTracing.handlePathTraversal(sourceContext, sinkContext);
               core.protect.semanticAnalysis.handlePathTraversalFileSecurityBypass(sourceContext, sinkContext);
             }

package/lib/input-tracing/install/function.js

@@ -23,7 +23,6 @@ module.exports = function(core) {
     logger,
     scopes: { instrumentation },
     patcher,
-    captureStacktrace,
     protect,
     protect: { inputTracing }
   } = core;
@@ -46,10 +45,12 @@ module.exports = function(core) {
 
           if (!sourceContext || !fnBody || !isString(fnBody)) return;
 
-          const sinkContext = captureStacktrace(
-            { name: 'Function', value: fnBody },
-            { constructorOpt: hooked, prependFrames: [orig] }
-          );
+          const sinkContext = {
+            name: 'Function',
+            value: fnBody,
+            stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+          };
+          console.log({ sinkContext: sinkContext.stacktraceData });
           inputTracing.ssjsInjection(sourceContext, sinkContext);
         }
       })

package/lib/input-tracing/install/http.js

@@ -22,7 +22,6 @@ module.exports = function(core) {
     scopes: { instrumentation },
     patcher,
     depHooks,
-    captureStacktrace,
     protect,
     protect: { inputTracing }
   } = core;
@@ -44,10 +43,11 @@ module.exports = function(core) {
             const value = data.args[0]?.toString();
             if (!value) return;
 
-            const sinkContext = captureStacktrace(
-              { name, value },
-              { constructorOpt: data.hooked }
-            );
+            const sinkContext = {
+              name,
+              value,
+              stacktraceData: { constructorOpt: data.hooked },
+            };
             inputTracing.handleReflectedXss(sourceContext, sinkContext);
           }
         });

package/lib/input-tracing/install/mongodb.js

@@ -22,7 +22,6 @@ module.exports = function (core) {
   const {
     depHooks,
     patcher,
-    captureStacktrace,
     protect,
     protect: { inputTracing },
   } = core;
@@ -67,10 +66,11 @@ module.exports = function (core) {
 
         if (!sourceContext || !value) return;
 
-        const sinkContext = captureStacktrace(
-          { name, value },
-          { constructorOpt: hooked, prependFrames: [orig] }
-        );
+        const sinkContext = {
+          name,
+          value,
+          stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+        };
         inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
       }
     });
@@ -91,10 +91,11 @@ module.exports = function (core) {
         for (const op of ops) {
           const value = op && getOpQueryData(op);
           if (value) {
-            const sinkContext = captureStacktrace(
-              { name, value },
-              { constructorOpt: hooked, prependFrames: [orig] }
-            );
+            const sinkContext = {
+              name,
+              value,
+              stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+            };
             inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
           }
         }
@@ -132,10 +133,11 @@ module.exports = function (core) {
 
               if (!sourceContext || !value) return;
 
-              const sinkContext = captureStacktrace(
-                { name, value },
-                { constructorOpt: hooked, prependFrames: [orig] }
-              );
+              const sinkContext = {
+                name,
+                value,
+                stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+              };
               inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
             },
           });
@@ -150,10 +152,11 @@ module.exports = function (core) {
 
             if (!sourceContext || !value) return;
 
-            const sinkContext = captureStacktrace(
-              { name, value },
-              { constructorOpt: hooked, prependFrames: [orig] }
-            );
+            const sinkContext = {
+              name,
+              value,
+              stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+            };
             inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
           }
         });
@@ -174,10 +177,11 @@ module.exports = function (core) {
 
             if (!sourceContext || !value) return;
 
-            const sinkContext = captureStacktrace(
-              { name, value },
-              { constructorOpt: hooked, prependFrames: [orig] }
-            );
+            const sinkContext = {
+              name,
+              value,
+              stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+            };
 
             inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
           }
@@ -193,10 +197,11 @@ module.exports = function (core) {
 
         if (!sourceContext || !value) return;
 
-        const sinkContext = captureStacktrace(
-          { name, value },
-          { constructorOpt: hooked, prependFrames: [orig] }
-        );
+        const sinkContext = {
+          name,
+          value,
+          stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+        };
         inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
       }
     }));

package/lib/input-tracing/install/mysql.js

@@ -22,7 +22,6 @@ module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    captureStacktrace,
     protect,
     protect: { inputTracing }
   } = core;
@@ -56,10 +55,11 @@ module.exports = function(core) {
               const value = mysqlInstr.getValueFromArgs(args);
               if (!value) return;
 
-              const sinkContext = captureStacktrace(
-                { name, value },
-                { constructorOpt: hooked, prependFrames: [orig] }
-              );
+              const sinkContext = {
+                name,
+                value,
+                stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+              };
 
               inputTracing.handleSqlInjection(sourceContext, sinkContext);
             }

package/lib/input-tracing/install/postgres.js

@@ -22,7 +22,6 @@ module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    captureStacktrace,
     protect,
     protect: { inputTracing }
   } = core;
@@ -40,10 +39,11 @@ module.exports = function(core) {
     const value = getQueryFromArgs(args);
     if (!value) return;
 
-    const sinkContext = captureStacktrace(
-      { name, value },
-      { constructorOpt: hooked, prependFrames: [orig] }
-    );
+    const sinkContext = {
+      name,
+      value,
+      stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+    };
 
     inputTracing.handleSqlInjection(sourceContext, sinkContext);
   }

package/lib/input-tracing/install/sequelize.js

@@ -23,7 +23,6 @@ module.exports = function(core) {
     scopes: { instrumentation },
     patcher,
     depHooks,
-    captureStacktrace,
     protect,
     protect: { inputTracing }
   } = core;
@@ -49,10 +48,12 @@ module.exports = function(core) {
           const value = getQueryFromArgs(args);
           if (!value) return;
 
-          const sinkContext = captureStacktrace(
-            { name, value },
-            { constructorOpt: hooked, prependFrames: [orig] }
-          );
+          const sinkContext = {
+            name,
+            value,
+            stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+          };
+
           inputTracing.handleSqlInjection(sourceContext, sinkContext);
         }
       });

package/lib/input-tracing/install/sqlite3.js

@@ -23,7 +23,6 @@ module.exports = function(core) {
     scopes: { instrumentation },
     patcher,
     depHooks,
-    captureStacktrace,
     protect,
     protect: { inputTracing }
   } = core;
@@ -44,10 +43,11 @@ module.exports = function(core) {
             const value = args[0];
             if (!value || !isString(value)) return;
 
-            const sinkContext = captureStacktrace(
-              { name, value },
-              { constructorOpt: hooked, prependFrames: [orig] }
-            );
+            const sinkContext = {
+              name,
+              value,
+              stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+            };
 
             inputTracing.handleSqlInjection(sourceContext, sinkContext);
           }

package/lib/input-tracing/install/vm.js

@@ -23,7 +23,6 @@ module.exports = function(core) {
     scopes: { instrumentation },
     patcher,
     depHooks,
-    captureStacktrace,
     protect,
     protect: { inputTracing }
   } = core;
@@ -46,10 +45,11 @@ module.exports = function(core) {
               const codeString = args[0];
               if (!codeString || !isString(codeString)) return;
 
-              const sinkContext = captureStacktrace(
-                { name, value: codeString },
-                { constructorOpt: hooked, prependFrames: [orig] }
-              );
+              const sinkContext = {
+                name,
+                value: codeString,
+                stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+              };
               inputTracing.ssjsInjection(sourceContext, sinkContext);
             }
           });
@@ -70,14 +70,16 @@ module.exports = function(core) {
 
           if ((!codeString || !isString(codeString)) && (!isNonEmptyObject(envObj))) return;
 
-          const codeStringSinkContext = (codeString && isString(codeString)) ? captureStacktrace(
-            { name: 'vm.runInNewContext', value: codeString },
-            { constructorOpt: hooked, prependFrames: [orig] }
-          ) : null;
-          const envObjSinkContext = isNonEmptyObject(envObj) ? captureStacktrace(
-            { name: 'vm.runInNewContext', value: envObj },
-            { constructorOpt: hooked, prependFrames: [orig] }
-          ) : null;
+          const codeStringSinkContext = (codeString && isString(codeString)) ? {
+            name: 'vm.runInNewContext',
+            value: codeString,
+            stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }
+          } : null;
+          const envObjSinkContext = isNonEmptyObject(envObj) ? {
+            name: 'vm.runInNewContext',
+            value: envObj,
+            stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }
+          } : null;
 
           codeStringSinkContext && inputTracing.ssjsInjection(sourceContext, codeStringSinkContext);
           envObjSinkContext && inputTracing.ssjsInjection(sourceContext, envObjSinkContext);
@@ -96,10 +98,11 @@ module.exports = function(core) {
           const envObj = args[0];
           if (!isNonEmptyObject(envObj)) return;
 
-          const sinkContext = captureStacktrace(
-            { name: 'vm.createContext', value: envObj },
-            { constructorOpt: hooked, prependFrames: [orig] }
-          );
+          const sinkContext = {
+            name: 'vm.createContext',
+            value: envObj,
+            stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+          };
           inputTracing.ssjsInjection(sourceContext, sinkContext);
         }
       });
@@ -116,10 +119,11 @@ module.exports = function(core) {
           const envObj = args[0];
           if (!isNonEmptyObject(envObj)) return;
 
-          const sinkContext = captureStacktrace(
-            { name: 'vm.Script.prototype.runInNewContext', value: envObj },
-            { constructorOpt: hooked, prependFrames: [orig] }
-          );
+          const sinkContext = {
+            name: 'vm.Script.prototype.runInNewContext',
+            value: envObj,
+            stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+          };
           inputTracing.ssjsInjection(sourceContext, sinkContext);
         }
       });

package/lib/make-source-context.js

@@ -16,7 +16,9 @@
 'use strict';
 
 module.exports = function(core) {
-  const { protect } = core;
+  const {
+    protect: { getPolicy }
+  } = core;
 
   function makeSourceContext(req, res) {
     // make the abstract request. it is an abstraction of a request that
@@ -27,8 +29,10 @@ module.exports = function(core) {
     // or res objects so that all data coupling is all defined here.
 
     // separate path and search params
-    const ix = req.url.indexOf('?');
+
     let uriPath, queries;
+    const ix = req.url.indexOf('?');
+
     if (ix >= 0) {
       uriPath = req.url.slice(0, ix);
       queries = req.url.slice(ix + 1);
@@ -36,6 +40,14 @@ module.exports = function(core) {
       uriPath = req.url;
       queries = '';
     }
+
+    const policy = getPolicy({ uriPath });
+
+    // URL exclusions can disable all rules
+    if (!policy) {
+      return { allowed: true };
+    }
+
     // lowercase header keys and capture content-type
     let contentType = '';
     const headers = Array(req.rawHeaders.length);
@@ -48,15 +60,6 @@ module.exports = function(core) {
       }
     }
 
-    // if it can be determined that qs-type parsing is not being done then set
-    // standardUrlParsing to true. if it is true, then the query params and bodies
-    // that are form-url-encoded will be parsed by agent-lib and will not need to
-    // be parsed separately.
-    //
-    // the code that scans the dependencies is probably the best place to make the
-    // determination.
-    const standardUrlParsing = false;
-
     // contains request data and information derived from request data. it's
     // possible for any derived information to be derived later, but doing
     // so here is typically better; it makes clear what information is used to
@@ -69,7 +72,6 @@ module.exports = function(core) {
       uriPath,
       queries,
       contentType,
-      standardUrlParsing,
     };
 
     //
@@ -80,7 +82,7 @@ module.exports = function(core) {
       // block closure captures res so it isn't exposed to beyond here
       block: core.protect.makeResponseBlocker(res),
 
-      policy: protect.getPolicy(),
+      policy,
 
       exclusions: [],
       virtualPatchesEvaluators: [],

package/lib/policy.js

@@ -27,14 +27,76 @@ const {
   Event: { SERVER_SETTINGS_UPDATE },
 } = require('@contrast/common');
 
-
 module.exports = function(core) {
-  const { config, logger, messages, protect } = core;
-  const policy = protect.policy = {};
+  const {
+    config,
+    logger,
+    messages,
+    protect,
+    protect: { agentLib }
+  } = core;
+
+  function initCompiled() {
+    return {
+      url: [],
+      querystring: [],
+      header: [],
+      body: [],
+      cookie: [],
+      parameter: [],
+    };
+  }
+
+  let compiled = initCompiled();
+
+  const policy = protect.policy = {
+    exclusions: compiled
+  };
+
+  function regExpCheck(str) {
+    return str.indexOf('*') > 0 ||
+      str.indexOf('.') > 0 ||
+      str.indexOf('+') > 0 ||
+      str.indexOf('?') > 0 ||
+      str.indexOf('\\') > 0;
+  }
+
+  function buildUriPathRegExp(urls) {
+    let regExpNeeded = false;
+    for (const url of urls) {
+      if (regExpCheck(url)) {
+        regExpNeeded = true;
+      }
+    }
+    if (regExpNeeded) {
+      const rx = new RegExp(`^${urls.join('|')}$`);
+
+      return (uriPath) => rx ? rx.test(uriPath) : false;
+    }
+
+    return (uriPath) => urls.some((url) => url === uriPath);
+  }
+
+  function createUriPathMatcher(urls) {
+    if (urls.length) {
+      return buildUriPathRegExp(urls);
+    } else {
+      return () => true;
+    }
+  }
+
+  function createInputNameMatcher(dtmInputName) {
+    if (regExpCheck(dtmInputName)) {
+      const rx = new RegExp(`^${dtmInputName}$`);
+      return (inputName) => rx ? rx.test(inputName) : false;
+    }
+
+    return (inputName) => inputName === dtmInputName;
+  }
 
   function getModeFromConfig(ruleId) {
     if (config.protect.disabled_rules.includes(ruleId)) {
-      return 'off';
+      return OFF;
     }
     return config.protect.rules?.[ruleId]?.mode;
   }
@@ -84,11 +146,20 @@ module.exports = function(core) {
    */
   function updateRulesMask() {
     let rulesMask = 0;
-    for (const [ruleId, mode] of Object.entries(policy)) {
+
+    for (const entry of Object.entries(policy)) {
+      let [ruleId] = entry;
+      const [, mode] = entry;
+
+      if (ruleId === 'nosql-injection') {
+        ruleId = 'nosql-injection-mongo';
+      }
+
       if (protect.agentLib.RuleType[ruleId] && mode !== OFF) {
         rulesMask = rulesMask | protect.agentLib.RuleType[ruleId];
       }
     }
+
     policy.rulesMask = rulesMask;
   }
 
@@ -96,13 +167,83 @@ module.exports = function(core) {
    * This gets called by protect.makeSourceContext(). We return copy of policy to avoid
    * inconsistent behavior if policy is updated during request handling.
    */
-  function getPolicy() {
-    return { ...policy };
-  }
+  function getPolicy({ uriPath } = {}) {
+    const requestPolicy = {
+      exclusions: {
+        ignoreQuerystring: false,
+        querystringPolicy: null,
+        ignoreBody: false,
+        bodyPolicy: null,
+        header: [],
+        cookie: [],
+        parameter: [],
+      },
+      rulesMask: policy.rulesMask,
+    };
 
-  initPolicy();
+    for (const ruleId of Object.values(Rule)) {
+      requestPolicy[ruleId] = policy[ruleId];
+    }
+
+    // handle exclusions
+    for (const [inputType, exclusions] of Object.entries(compiled)) {
+      for (const e of exclusions) {
+        if (!e.matchesUriPath(uriPath)) continue;
+
+        // url exclusions
+        if (inputType === 'url') {
+          // if applies to all rules, there is no policy for the request i.e. disable protect
+          if (!e.policy) {
+            return null;
+          }
+
+          // merge exclusion's policy into the request's policy
+          for (const key of Object.keys(e.policy)) {
+            const value = e.policy[key];
+            if (key === 'rulesMask') {
+              // this is how to disable rules bitwise
+              requestPolicy.rulesMask = requestPolicy.rulesMask & ~value;
+            } else {
+              requestPolicy[key] = value;
+            }
+          }
+        } else if (inputType === 'querystring') {
+          if (!e.policy) {
+            requestPolicy.exclusions.ignoreQuerystring = true;
+          } else {
+            // merge exclusion's policy into the querystring's policy
+            requestPolicy.exclusions.querystringPolicy = requestPolicy.exclusions.querystringPolicy || {};
+            for (const key of Object.keys(e.policy)) {
+              const value = e.policy[key];
+              if (key !== 'rulesMask') {
+                requestPolicy.exclusions.querystringPolicy[key] = value;
+              }
+            }
+          }
+        } else if (inputType === 'body') {
+          if (!e.policy) {
+            requestPolicy.exclusions.ignoreBody = true;
+          } else {
+            // merge exclusion's policy into the querystring's policy
+            requestPolicy.exclusions.bodyPolicy = requestPolicy.exclusions.bodyPolicy || {};
+            for (const key of Object.keys(e.policy)) {
+              const value = e.policy[key];
+              if (key !== 'rulesMask') {
+                requestPolicy.exclusions.bodyPolicy[key] = value;
+              }
+            }
+          }
+        } else {
+          // copy matching input exclusions into request policy
+          requestPolicy.exclusions[inputType].push(e);
+        }
+      }
+    }
+
+    return requestPolicy;
+  }
 
-  messages.on(SERVER_SETTINGS_UPDATE, (remoteSettings) => {
+  function updateGlobalPolicy(remoteSettings) {
     let update;
 
     const protectionRules = remoteSettings?.settings?.defend?.protectionRules;
@@ -128,7 +269,80 @@ module.exports = function(core) {
       updateRulesMask();
       logger.info({ policy: protect.policy }, `protect policy updated from ${update}`);
     }
+  }
+
+  function updateExclusions(serverUpdate) {
+    const exclusions = [
+      ...(serverUpdate.settings?.exceptions?.inputExceptions || []),
+      ...(serverUpdate.settings?.exceptions?.urlExceptions || [])
+    ].filter((exclusion) => exclusion.modes.includes('defend'));
+
+    if (!exclusions.length) return;
+    compiled = initCompiled();
+
+    for (const exclusionDtm of exclusions) {
+      exclusionDtm.inputType = exclusionDtm.inputType || 'URL';
+
+      const { name, rules, inputName, urls, inputType } = exclusionDtm;
+      const key = inputType.toLowerCase();
+
+      if (!compiled[key]) continue;
+
+      try {
+        const e = { name };
+        e.matchesUriPath = createUriPathMatcher(urls);
+
+        if (inputName) {
+          e.matchesInputName = createInputNameMatcher(inputName);
+        }
+
+        if (rules.length) {
+          let rulesMask = 0;
+          const exclusionPolicy = {};
+
+          for (let ruleId of rules) {
+            // todo: this doesn't seem to make a difference?
+            if (ruleId === 'nosql-injection') {
+              ruleId = 'nosql-injection-mongo';
+            }
+
+            if (agentLib.RuleType[ruleId]) {
+              Object.assign(exclusionPolicy, { [ruleId]: OFF });
+              if (inputType === 'URL') {
+                rulesMask = rulesMask | agentLib.RuleType[ruleId];
+                exclusionPolicy.rulesMask = rulesMask;
+              }
+            }
+          }
+
+          e.policy = exclusionPolicy;
+        }
+        if (key === 'cookie') {
+          e.checkCookieInHeader = (cookieHeader) => {
+            for (const cookiePair of cookieHeader.split(';')) {
+              const cookieKey = cookiePair.split('=')[0];
+              if (e.matchesInputName(cookieKey)) {
+                return true;
+              }
+            }
+
+            return false;
+          };
+        }
+
+        compiled[key].push(e);
+      } catch (err) {
+        logger.error({ err, exclusionDtm }, 'failed to process exclusion');
+      }
+    }
+  }
+
+  messages.on(SERVER_SETTINGS_UPDATE, (msg) => {
+    updateGlobalPolicy(msg);
+    updateExclusions(msg);
   });
 
+  initPolicy();
+
   return protect.getPolicy = getPolicy;
 };

package/lib/semantic-analysis/handlers.js

@@ -38,12 +38,14 @@ const getRuleResults = function(obj, prop) {
 // See files in protect/lib/input-tracing/install/.
 
 module.exports = function(core) {
-  const { protect: { agentLib, semanticAnalysis, throwSecurityException } } = core;
+  const { protect: { agentLib, semanticAnalysis, throwSecurityException }, captureStacktrace } = core;
 
   function handleResult(sourceContext, sinkContext, ruleId, mode, finding) {
+    const { value, stacktraceData } = sinkContext;
+    captureStacktrace(sinkContext, stacktraceData);
     const result = {
       blocked: false,
-      findings: { command: sinkContext.value },
+      findings: { command: value },
       sinkContext,
       ...finding
     };

package/lib/semantic-analysis/install/libxmljs.js

@@ -26,7 +26,6 @@ module.exports = function(core) {
     logger,
     protect: { semanticAnalysis },
     protect,
-    captureStacktrace
   } = core;
 
   function install() {
@@ -60,10 +59,11 @@ module.exports = function(core) {
     // see: https://help.semmle.com/wiki/display/JS/XML+external+entity+expansion
     if (!sourceContext || !value || !isString(value) || !args[1].noent) return;
 
-    const sinkContext = captureStacktrace(
-      { name: 'libxmljs.parseXmlString', value },
-      { constructorOpt: hooked, prependFrames: [orig] }
-    );
+    const sinkContext = {
+      name: 'libxmljs.parseXmlString',
+      value,
+      stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+    };
 
     try {
       semanticAnalysis.handleXXE(sourceContext, sinkContext);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.7.0",
+  "version": "1.8.1",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -18,9 +18,9 @@
   },
   "dependencies": {
     "@contrast/agent-lib": "^5.1.0",
-    "@contrast/common": "1.1.4",
-    "@contrast/core": "1.7.0",
-    "@contrast/esm-hooks": "1.3.0",
+    "@contrast/common": "1.1.5",
+    "@contrast/core": "1.7.1",
+    "@contrast/esm-hooks": "1.3.1",
     "@contrast/scopes": "1.2.0",
     "ipaddr.js": "^2.0.1",
     "semver": "^7.3.7"