@contrast/protect 1.8.0 → 1.8.1

package/lib/hardening/handlers.js

@@ -24,7 +24,8 @@ module.exports = function(core) {
     protect: {
       hardening,
       throwSecurityException,
-    }
+    },
+    captureStacktrace,
   } = core;
 
   function getResults(sourceContext, ruleId) {
@@ -38,7 +39,7 @@ module.exports = function(core) {
   hardening.handleUntrustedDeserialization = function(sourceContext, sinkContext) {
     const ruleId = 'untrusted-deserialization';
     const mode = sourceContext.policy[ruleId];
-    const { name, value } = sinkContext;
+    const { name, value, stacktraceData } = sinkContext;
 
     if (mode === 'off') return;
 
@@ -48,6 +49,7 @@ module.exports = function(core) {
       const blocked = BLOCKING_MODES.includes(mode);
       const results = getResults(sourceContext, ruleId);
 
+      captureStacktrace(sinkContext, stacktraceData);
       results.push({
         blocked,
         findings: { deserializer: name, command: false },

package/lib/hardening/install/node-serialize0.js

@@ -21,7 +21,6 @@ module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    captureStacktrace,
     protect,
     protect: {
       hardening
@@ -43,10 +42,11 @@ module.exports = function(core) {
 
             if (!sourceContext || !value) return;
 
-            const sinkContext = captureStacktrace(
-              { name: `${name}.${method}`, value },
-              { constructorOpt: hooked, prependFrames: [orig] },
-            );
+            const sinkContext = {
+              name: `${name}.${method}`,
+              value,
+              stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+            };
             hardening.handleUntrustedDeserialization(sourceContext, sinkContext);
           },
         });

package/lib/input-analysis/install/http.js

@@ -214,12 +214,6 @@ class HttpInstrumentation {
         method: reqData.method,
       };
 
-      // only add queries if it's known that 'qs' or equivalent won't be used.
-      /* c8 ignore next 3 */
-      if (reqData.standardUrlParsing) {
-        connectInputs.queries = reqData.queries;
-      }
-
       if (inputAnalysis.virtualPatchesEvaluators?.length) {
         store.protect.virtualPatchesEvaluators.push(...inputAnalysis.virtualPatchesEvaluators.map((e) => new Map(e)));
       }

package/lib/input-tracing/handlers/index.js

@@ -24,9 +24,18 @@ const {
 } = require('@contrast/common');
 
 module.exports = function(core) {
-  const { protect: { agentLib, inputTracing, throwSecurityException } } = core;
+  const {
+    protect: {
+      agentLib,
+      inputTracing,
+      throwSecurityException
+    },
+    captureStacktrace,
+  } = core;
 
   function handleFindings(sourceContext, sinkContext, ruleId, result, findings) {
+    const { stacktraceData } = sinkContext;
+    captureStacktrace(sinkContext, stacktraceData);
     result.details.push({ sinkContext, findings });
 
     const mode = sourceContext.policy[ruleId];

package/lib/input-tracing/install/child-process.js

@@ -23,7 +23,6 @@ module.exports = function(core) {
     scopes: { instrumentation },
     patcher,
     depHooks,
-    captureStacktrace,
     protect,
     protect: { inputTracing }
   } = core;
@@ -43,10 +42,11 @@ module.exports = function(core) {
 
             if (!sourceContext || !value || !isString(value)) return;
 
-            const sinkContext = captureStacktrace(
-              { name, value },
-              { constructorOpt: hooked, prependFrames: [orig] }
-            );
+            const sinkContext = {
+              name,
+              value,
+              stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+            };
 
             inputTracing.handleCommandInjection(sourceContext, sinkContext);
             // To evade code duplication we are using these INPUT TRACING instrumentation

package/lib/input-tracing/install/eval.js

@@ -23,7 +23,6 @@ module.exports = function(core) {
     logger,
     scopes: { instrumentation },
     patcher,
-    captureStacktrace,
     protect,
     protect: { inputTracing }
   } = core;
@@ -45,10 +44,11 @@ module.exports = function(core) {
 
         if (!sourceContext || !value || !isString(value)) return;
 
-        const sinkContext = captureStacktrace(
-          { name: 'eval', value },
-          { constructorOpt: hooked, prependFrames: [orig] }
-        );
+        const sinkContext = {
+          name: 'eval',
+          value,
+          stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+        };
         inputTracing.ssjsInjection(sourceContext, sinkContext);
       }
     });

package/lib/input-tracing/install/fs.js

@@ -64,7 +64,6 @@ module.exports = function(core) {
     scopes: { instrumentation },
     patcher,
     depHooks,
-    captureStacktrace,
     protect,
     protect: { inputTracing }
   } = core;
@@ -101,10 +100,11 @@ module.exports = function(core) {
             // don't need to necessarily need to lock it here - there are no
             // lower-level calls that we instrument
             for (const value of values) {
-              const sinkContext = captureStacktrace(
-                { name, value },
-                { constructorOpt: hooked, prependFrames: [orig] }
-              );
+              const sinkContext = {
+                name,
+                value,
+                stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+              };
               inputTracing.handlePathTraversal(sourceContext, sinkContext);
               core.protect.semanticAnalysis.handlePathTraversalFileSecurityBypass(sourceContext, sinkContext);
             }

package/lib/input-tracing/install/function.js

@@ -23,7 +23,6 @@ module.exports = function(core) {
     logger,
     scopes: { instrumentation },
     patcher,
-    captureStacktrace,
     protect,
     protect: { inputTracing }
   } = core;
@@ -46,10 +45,12 @@ module.exports = function(core) {
 
           if (!sourceContext || !fnBody || !isString(fnBody)) return;
 
-          const sinkContext = captureStacktrace(
-            { name: 'Function', value: fnBody },
-            { constructorOpt: hooked, prependFrames: [orig] }
-          );
+          const sinkContext = {
+            name: 'Function',
+            value: fnBody,
+            stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+          };
+          console.log({ sinkContext: sinkContext.stacktraceData });
           inputTracing.ssjsInjection(sourceContext, sinkContext);
         }
       })

package/lib/input-tracing/install/http.js

@@ -22,7 +22,6 @@ module.exports = function(core) {
     scopes: { instrumentation },
     patcher,
     depHooks,
-    captureStacktrace,
     protect,
     protect: { inputTracing }
   } = core;
@@ -44,10 +43,11 @@ module.exports = function(core) {
             const value = data.args[0]?.toString();
             if (!value) return;
 
-            const sinkContext = captureStacktrace(
-              { name, value },
-              { constructorOpt: data.hooked }
-            );
+            const sinkContext = {
+              name,
+              value,
+              stacktraceData: { constructorOpt: data.hooked },
+            };
             inputTracing.handleReflectedXss(sourceContext, sinkContext);
           }
         });

package/lib/input-tracing/install/mongodb.js

@@ -22,7 +22,6 @@ module.exports = function (core) {
   const {
     depHooks,
     patcher,
-    captureStacktrace,
     protect,
     protect: { inputTracing },
   } = core;
@@ -67,10 +66,11 @@ module.exports = function (core) {
 
         if (!sourceContext || !value) return;
 
-        const sinkContext = captureStacktrace(
-          { name, value },
-          { constructorOpt: hooked, prependFrames: [orig] }
-        );
+        const sinkContext = {
+          name,
+          value,
+          stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+        };
         inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
       }
     });
@@ -91,10 +91,11 @@ module.exports = function (core) {
         for (const op of ops) {
           const value = op && getOpQueryData(op);
           if (value) {
-            const sinkContext = captureStacktrace(
-              { name, value },
-              { constructorOpt: hooked, prependFrames: [orig] }
-            );
+            const sinkContext = {
+              name,
+              value,
+              stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+            };
             inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
           }
         }
@@ -132,10 +133,11 @@ module.exports = function (core) {
 
               if (!sourceContext || !value) return;
 
-              const sinkContext = captureStacktrace(
-                { name, value },
-                { constructorOpt: hooked, prependFrames: [orig] }
-              );
+              const sinkContext = {
+                name,
+                value,
+                stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+              };
               inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
             },
           });
@@ -150,10 +152,11 @@ module.exports = function (core) {
 
             if (!sourceContext || !value) return;
 
-            const sinkContext = captureStacktrace(
-              { name, value },
-              { constructorOpt: hooked, prependFrames: [orig] }
-            );
+            const sinkContext = {
+              name,
+              value,
+              stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+            };
             inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
           }
         });
@@ -174,10 +177,11 @@ module.exports = function (core) {
 
             if (!sourceContext || !value) return;
 
-            const sinkContext = captureStacktrace(
-              { name, value },
-              { constructorOpt: hooked, prependFrames: [orig] }
-            );
+            const sinkContext = {
+              name,
+              value,
+              stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+            };
 
             inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
           }
@@ -193,10 +197,11 @@ module.exports = function (core) {
 
         if (!sourceContext || !value) return;
 
-        const sinkContext = captureStacktrace(
-          { name, value },
-          { constructorOpt: hooked, prependFrames: [orig] }
-        );
+        const sinkContext = {
+          name,
+          value,
+          stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+        };
         inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
       }
     }));

package/lib/input-tracing/install/mysql.js

@@ -22,7 +22,6 @@ module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    captureStacktrace,
     protect,
     protect: { inputTracing }
   } = core;
@@ -56,10 +55,11 @@ module.exports = function(core) {
               const value = mysqlInstr.getValueFromArgs(args);
               if (!value) return;
 
-              const sinkContext = captureStacktrace(
-                { name, value },
-                { constructorOpt: hooked, prependFrames: [orig] }
-              );
+              const sinkContext = {
+                name,
+                value,
+                stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+              };
 
               inputTracing.handleSqlInjection(sourceContext, sinkContext);
             }

package/lib/input-tracing/install/postgres.js

@@ -22,7 +22,6 @@ module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    captureStacktrace,
     protect,
     protect: { inputTracing }
   } = core;
@@ -40,10 +39,11 @@ module.exports = function(core) {
     const value = getQueryFromArgs(args);
     if (!value) return;
 
-    const sinkContext = captureStacktrace(
-      { name, value },
-      { constructorOpt: hooked, prependFrames: [orig] }
-    );
+    const sinkContext = {
+      name,
+      value,
+      stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+    };
 
     inputTracing.handleSqlInjection(sourceContext, sinkContext);
   }

package/lib/input-tracing/install/sequelize.js

@@ -23,7 +23,6 @@ module.exports = function(core) {
     scopes: { instrumentation },
     patcher,
     depHooks,
-    captureStacktrace,
     protect,
     protect: { inputTracing }
   } = core;
@@ -49,10 +48,12 @@ module.exports = function(core) {
           const value = getQueryFromArgs(args);
           if (!value) return;
 
-          const sinkContext = captureStacktrace(
-            { name, value },
-            { constructorOpt: hooked, prependFrames: [orig] }
-          );
+          const sinkContext = {
+            name,
+            value,
+            stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+          };
+
           inputTracing.handleSqlInjection(sourceContext, sinkContext);
         }
       });

package/lib/input-tracing/install/sqlite3.js

@@ -23,7 +23,6 @@ module.exports = function(core) {
     scopes: { instrumentation },
     patcher,
     depHooks,
-    captureStacktrace,
     protect,
     protect: { inputTracing }
   } = core;
@@ -44,10 +43,11 @@ module.exports = function(core) {
             const value = args[0];
             if (!value || !isString(value)) return;
 
-            const sinkContext = captureStacktrace(
-              { name, value },
-              { constructorOpt: hooked, prependFrames: [orig] }
-            );
+            const sinkContext = {
+              name,
+              value,
+              stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+            };
 
             inputTracing.handleSqlInjection(sourceContext, sinkContext);
           }

package/lib/input-tracing/install/vm.js

@@ -23,7 +23,6 @@ module.exports = function(core) {
     scopes: { instrumentation },
     patcher,
     depHooks,
-    captureStacktrace,
     protect,
     protect: { inputTracing }
   } = core;
@@ -46,10 +45,11 @@ module.exports = function(core) {
               const codeString = args[0];
               if (!codeString || !isString(codeString)) return;
 
-              const sinkContext = captureStacktrace(
-                { name, value: codeString },
-                { constructorOpt: hooked, prependFrames: [orig] }
-              );
+              const sinkContext = {
+                name,
+                value: codeString,
+                stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+              };
               inputTracing.ssjsInjection(sourceContext, sinkContext);
             }
           });
@@ -70,14 +70,16 @@ module.exports = function(core) {
 
           if ((!codeString || !isString(codeString)) && (!isNonEmptyObject(envObj))) return;
 
-          const codeStringSinkContext = (codeString && isString(codeString)) ? captureStacktrace(
-            { name: 'vm.runInNewContext', value: codeString },
-            { constructorOpt: hooked, prependFrames: [orig] }
-          ) : null;
-          const envObjSinkContext = isNonEmptyObject(envObj) ? captureStacktrace(
-            { name: 'vm.runInNewContext', value: envObj },
-            { constructorOpt: hooked, prependFrames: [orig] }
-          ) : null;
+          const codeStringSinkContext = (codeString && isString(codeString)) ? {
+            name: 'vm.runInNewContext',
+            value: codeString,
+            stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }
+          } : null;
+          const envObjSinkContext = isNonEmptyObject(envObj) ? {
+            name: 'vm.runInNewContext',
+            value: envObj,
+            stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }
+          } : null;
 
           codeStringSinkContext && inputTracing.ssjsInjection(sourceContext, codeStringSinkContext);
           envObjSinkContext && inputTracing.ssjsInjection(sourceContext, envObjSinkContext);
@@ -96,10 +98,11 @@ module.exports = function(core) {
           const envObj = args[0];
           if (!isNonEmptyObject(envObj)) return;
 
-          const sinkContext = captureStacktrace(
-            { name: 'vm.createContext', value: envObj },
-            { constructorOpt: hooked, prependFrames: [orig] }
-          );
+          const sinkContext = {
+            name: 'vm.createContext',
+            value: envObj,
+            stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+          };
           inputTracing.ssjsInjection(sourceContext, sinkContext);
         }
       });
@@ -116,10 +119,11 @@ module.exports = function(core) {
           const envObj = args[0];
           if (!isNonEmptyObject(envObj)) return;
 
-          const sinkContext = captureStacktrace(
-            { name: 'vm.Script.prototype.runInNewContext', value: envObj },
-            { constructorOpt: hooked, prependFrames: [orig] }
-          );
+          const sinkContext = {
+            name: 'vm.Script.prototype.runInNewContext',
+            value: envObj,
+            stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+          };
           inputTracing.ssjsInjection(sourceContext, sinkContext);
         }
       });

package/lib/make-source-context.js

@@ -60,15 +60,6 @@ module.exports = function(core) {
       }
     }
 
-    // if it can be determined that qs-type parsing is not being done then set
-    // standardUrlParsing to true. if it is true, then the query params and bodies
-    // that are form-url-encoded will be parsed by agent-lib and will not need to
-    // be parsed separately.
-    //
-    // the code that scans the dependencies is probably the best place to make the
-    // determination.
-    const standardUrlParsing = false;
-
     // contains request data and information derived from request data. it's
     // possible for any derived information to be derived later, but doing
     // so here is typically better; it makes clear what information is used to
@@ -81,7 +72,6 @@ module.exports = function(core) {
       uriPath,
       queries,
       contentType,
-      standardUrlParsing,
     };
 
     //

package/lib/policy.js

@@ -36,14 +36,18 @@ module.exports = function(core) {
     protect: { agentLib }
   } = core;
 
-  const compiled = {
-    url: [],
-    querystring: [],
-    header: [],
-    body: [],
-    cookie: [],
-    parameter: [],
-  };
+  function initCompiled() {
+    return {
+      url: [],
+      querystring: [],
+      header: [],
+      body: [],
+      cookie: [],
+      parameter: [],
+    };
+  }
+
+  let compiled = initCompiled();
 
   const policy = protect.policy = {
     exclusions: compiled
@@ -274,6 +278,7 @@ module.exports = function(core) {
     ].filter((exclusion) => exclusion.modes.includes('defend'));
 
     if (!exclusions.length) return;
+    compiled = initCompiled();
 
     for (const exclusionDtm of exclusions) {
       exclusionDtm.inputType = exclusionDtm.inputType || 'URL';

package/lib/semantic-analysis/handlers.js

@@ -38,12 +38,14 @@ const getRuleResults = function(obj, prop) {
 // See files in protect/lib/input-tracing/install/.
 
 module.exports = function(core) {
-  const { protect: { agentLib, semanticAnalysis, throwSecurityException } } = core;
+  const { protect: { agentLib, semanticAnalysis, throwSecurityException }, captureStacktrace } = core;
 
   function handleResult(sourceContext, sinkContext, ruleId, mode, finding) {
+    const { value, stacktraceData } = sinkContext;
+    captureStacktrace(sinkContext, stacktraceData);
     const result = {
       blocked: false,
-      findings: { command: sinkContext.value },
+      findings: { command: value },
       sinkContext,
       ...finding
     };

package/lib/semantic-analysis/install/libxmljs.js

@@ -26,7 +26,6 @@ module.exports = function(core) {
     logger,
     protect: { semanticAnalysis },
     protect,
-    captureStacktrace
   } = core;
 
   function install() {
@@ -60,10 +59,11 @@ module.exports = function(core) {
     // see: https://help.semmle.com/wiki/display/JS/XML+external+entity+expansion
     if (!sourceContext || !value || !isString(value) || !args[1].noent) return;
 
-    const sinkContext = captureStacktrace(
-      { name: 'libxmljs.parseXmlString', value },
-      { constructorOpt: hooked, prependFrames: [orig] }
-    );
+    const sinkContext = {
+      name: 'libxmljs.parseXmlString',
+      value,
+      stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+    };
 
     try {
       semanticAnalysis.handleXXE(sourceContext, sinkContext);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.8.0",
+  "version": "1.8.1",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -18,9 +18,9 @@
   },
   "dependencies": {
     "@contrast/agent-lib": "^5.1.0",
-    "@contrast/common": "1.1.4",
-    "@contrast/core": "1.7.0",
-    "@contrast/esm-hooks": "1.3.0",
+    "@contrast/common": "1.1.5",
+    "@contrast/core": "1.7.1",
+    "@contrast/esm-hooks": "1.3.1",
     "@contrast/scopes": "1.2.0",
     "ipaddr.js": "^2.0.1",
     "semver": "^7.3.7"