@contrast/protect 1.8.0 → 1.9.0

package/lib/input-tracing/install/mongodb.js

@@ -14,17 +14,14 @@
  */
 
 'use strict';
-
-const { patchType } = require('../constants');
+const moduleName = 'mongodb';
 const semver = require('semver');
+const { patchType } = require('../constants');
 
 module.exports = function (core) {
   const {
-    depHooks,
-    patcher,
-    captureStacktrace,
-    protect,
-    protect: { inputTracing },
+    protect: { getSourceContext, inputTracing },
+    instrumentation: { instrument }
   } = core;
 
   function getCursorQueryData(args, version) {
@@ -57,172 +54,163 @@ module.exports = function (core) {
     return op.q;
   }
 
-  function hookV3CommandAndCursor(obj, method, patchName, version) {
-    patcher.patch(obj, method, {
-      name: patchName,
-      patchType,
-      pre: ({ args, hooked, name, orig }) => {
-        const value = getCursorQueryData(args, version);
-        const sourceContext = protect.getSourceContext(patchName);
-
-        if (!sourceContext || !value) return;
-
-        const sinkContext = captureStacktrace(
-          { name, value },
-          { constructorOpt: hooked, prependFrames: [orig] }
-        );
-        inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
-      }
-    });
+  function preHook(value, { name, hooked, orig }) {
+    const sourceContext = getSourceContext(name);
+
+    if (!sourceContext || !value) return;
+
+    const sinkContext = {
+      name,
+      value,
+      stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+    };
+    inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
   }
 
-  function hookV3UpdateAndRemove(obj, method, patchName) {
-    patcher.patch(obj, method, {
-      name: patchName,
-      patchType,
-      pre: ({ args, hooked, name, orig }) => {
-        const sourceContext = protect.getSourceContext(patchName);
-
-        if (!sourceContext) return;
-
-        const ops = Array.isArray(args[1])
-          ? args[1]
-          : [args[1]];
-        for (const op of ops) {
-          const value = op && getOpQueryData(op);
-          if (value) {
-            const sinkContext = captureStacktrace(
-              { name, value },
-              { constructorOpt: hooked, prependFrames: [orig] }
-            );
-            inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
-          }
-        }
-      },
-    });
+  function v4CollectionVal({ args, ...ctx }) {
+    const value = typeof args[0] == 'function' ? null : args[0];
+    preHook(value, ctx);
+  }
+
+  function v4DbVal({ args, ...ctx }) {
+    const value = args[0]?.filter;
+    preHook(value, ctx);
+  }
+
+  function v4CursorVal({ args, ...ctx }) {
+    const value = args[2];
+    preHook(value, ctx);
+  }
+
+  function v3CursorVal({ args, ...ctx }, version) {
+    const value = getCursorQueryData(args, version);
+    preHook(value, ctx);
+  }
+
+  function v3DbVal({ args, ...ctx }) {
+    const value = args[0];
+    preHook(value, ctx);
+  }
+
+  function v3TopologyVal({ args, ...ctx }) {
+    const ops = Array.isArray(args[1]) ? args[1] : [args[1]];
+    for (const op of ops) {
+      const value = op && getOpQueryData(op);
+      if (value) {
+        preHook(value, ctx);
+      }
+    }
   }
 
   function install() {
-    const v4MethodsWithFilter = [
-      'updateOne',
-      'replaceOne',
-      'updateMany',
-      'deleteOne',
-      'deleteMany',
-      'findOneAndDelete',
-      'findOneAndReplace',
-      'findOneAndUpdate',
-      'countDocuments',
-      'count',
-      'distinct',
-    ];
-
-    depHooks.resolve(
+    [
       {
-        name: 'mongodb', version: '>=4.0.0'
+        moduleName,
+        version: '>=4.0.0',
+        patchObjects: [
+          {
+            name: 'Collection.prototype',
+            methods: [
+              'updateOne',
+              'replaceOne',
+              'updateMany',
+              'deleteOne',
+              'deleteMany',
+              'findOneAndDelete',
+              'findOneAndReplace',
+              'findOneAndUpdate',
+              'countDocuments',
+              'count',
+              'distinct',
+            ],
+            patchType,
+            preHookFn: v4CollectionVal
+          },
+          {
+            name: 'Db.prototype',
+            methods: ['command'],
+            patchType,
+            preHookFn: v4DbVal
+          }
+        ]
       },
-      (mongodb) => {
-        v4MethodsWithFilter.forEach((method) => {
-          patcher.patch(mongodb.Collection.prototype, method, {
-            name: `mongodb.Collection.prototype.${method}`,
+      {
+        moduleName,
+        version: '>=4.0.0',
+        file: 'lib/cursor/find_cursor',
+        patchObjects: [
+          {
+            methods: ['FindCursor'],
             patchType,
-            pre: ({ args, hooked, name, orig }) => {
-              const value = typeof args[0] == 'function' ? null : args[0];
-              const sourceContext = protect.getSourceContext(`mongodb.Collection.prototype.${method}`);
-
-              if (!sourceContext || !value) return;
-
-              const sinkContext = captureStacktrace(
-                { name, value },
-                { constructorOpt: hooked, prependFrames: [orig] }
-              );
-              inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
-            },
-          });
-        });
-
-        patcher.patch(mongodb.Db.prototype, 'command', {
-          name: 'mongodb.Db.prototype.command',
-          patchType,
-          pre: ({ args, hooked, name, orig }) => {
-            const value = args[0]?.filter;
-            const sourceContext = protect.getSourceContext('mongodb.Collection.prototype.command');
-
-            if (!sourceContext || !value) return;
-
-            const sinkContext = captureStacktrace(
-              { name, value },
-              { constructorOpt: hooked, prependFrames: [orig] }
-            );
-            inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
+            preHookFn: v4CursorVal
           }
-        });
-      });
-
-    depHooks.resolve(
+        ]
+      },
       {
-        name: 'mongodb', version: '<4.0.0'
-      }, (mongodb, { version }) => {
-        hookV3CommandAndCursor(mongodb.CoreServer.prototype, 'cursor', 'mongodb.CoreServer.prototype.cursor', version);
-
-        patcher.patch(mongodb.Db.prototype, 'eval', {
-          name: 'mongodb.Db.prototype.eval',
-          patchType,
-          pre: ({ args, hooked, name, orig }) => {
-            const value = args[0];
-            const sourceContext = protect.getSourceContext('mongodb.Db.prototype.eval');
-
-            if (!sourceContext || !value) return;
-
-            const sinkContext = captureStacktrace(
-              { name, value },
-              { constructorOpt: hooked, prependFrames: [orig] }
-            );
-
-            inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
+        moduleName,
+        version: '<4.0.0',
+        patchObjects: [
+          {
+            name: 'CoreServer.prototype',
+            methods: ['cursor'],
+            patchType,
+            preHookFn: v3CursorVal
+          },
+          {
+            name: 'Db.prototype',
+            methods: ['eval'],
+            patchType,
+            preHookFn: v3DbVal
           }
-        });
-      });
-
-    depHooks.resolve({ name: 'mongodb', file: 'lib/cursor/find_cursor', version: '>=4.0.0' }, (cursor) => patcher.patch(cursor, 'FindCursor', {
-      name: 'mongodb.FindCursor',
-      patchType,
-      pre: ({ args, hooked, name, orig }) => {
-        const value = args[2];
-        const sourceContext = protect.getSourceContext('mongodb.FindCursor');
-
-        if (!sourceContext || !value) return;
-
-        const sinkContext = captureStacktrace(
-          { name, value },
-          { constructorOpt: hooked, prependFrames: [orig] }
-        );
-        inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
+        ]
+      },
+      {
+        moduleName,
+        file: 'lib/topologies/topology_base.js',
+        version: '<4.0.0',
+        patchObjects: [
+          {
+            name: 'TopologyBase.prototype',
+            methods: ['update', 'remove'],
+            patchType,
+            preHookFn: v3TopologyVal
+          },
+          {
+            name: 'TopologyBase.prototype',
+            methods: ['command'],
+            patchType,
+            preHookFn: v3CursorVal
+          }
+        ]
+      },
+      {
+        moduleName,
+        file: 'lib/topologies/native_topology.js',
+        version: '<4.0.0',
+        patchObjects: [
+          {
+            name: 'NativeTopology.prototype',
+            patchName: 'prototype',
+            methods: ['update', 'remove'],
+            patchType,
+            preHookFn: v3TopologyVal
+          },
+          {
+            name: 'NativeTopology.prototype',
+            patchName: 'prototype',
+            methods: ['command'],
+            patchType,
+            preHookFn: v3CursorVal
+          }
+        ]
       }
-    }));
-
-    const mongoDBTopologiesMethods = ['update', 'remove'];
-
-    depHooks.resolve({
-      name: 'mongodb',
-      file: 'lib/topologies/topology_base.js',
-      version: '<4.0.0'
-    }, (tpl, { version }) => {
-      mongoDBTopologiesMethods.forEach((method) => {
-        hookV3UpdateAndRemove(tpl.TopologyBase.prototype, method, `mongodb.TopologyBase.prototype.${method}`);
-      });
-      hookV3CommandAndCursor(tpl.TopologyBase.prototype, 'command', 'mongodb.TopologyBase.prototype.command', version);
-    });
-
-    depHooks.resolve({
-      name: 'mongodb',
-      file: 'lib/topologies/native_topology.js',
-      version: '<4.0.0'
-    }, (NativeTopology, { version }) => {
-      mongoDBTopologiesMethods.forEach((method) => {
-        hookV3UpdateAndRemove(NativeTopology.prototype, method, `mongodb.NativeTopology.prototype.${method}`);
+    ].forEach(({ moduleName, file, version, patchObjects }) => {
+      instrument({
+        moduleName,
+        file,
+        version,
+        patchObjects
       });
-      hookV3CommandAndCursor(NativeTopology.prototype, 'command', 'mongodb.NativeTopology.prototype.command', version);
     });
   }
   const mongodbInstr = (core.protect.inputTracing.mongodbInstrumentation = {

package/lib/input-tracing/install/mysql.js

@@ -22,7 +22,6 @@ module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    captureStacktrace,
     protect,
     protect: { inputTracing }
   } = core;
@@ -56,10 +55,11 @@ module.exports = function(core) {
               const value = mysqlInstr.getValueFromArgs(args);
               if (!value) return;
 
-              const sinkContext = captureStacktrace(
-                { name, value },
-                { constructorOpt: hooked, prependFrames: [orig] }
-              );
+              const sinkContext = {
+                name,
+                value,
+                stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+              };
 
               inputTracing.handleSqlInjection(sourceContext, sinkContext);
             }

package/lib/input-tracing/install/postgres.js

@@ -22,7 +22,6 @@ module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    captureStacktrace,
     protect,
     protect: { inputTracing }
   } = core;
@@ -40,10 +39,11 @@ module.exports = function(core) {
     const value = getQueryFromArgs(args);
     if (!value) return;
 
-    const sinkContext = captureStacktrace(
-      { name, value },
-      { constructorOpt: hooked, prependFrames: [orig] }
-    );
+    const sinkContext = {
+      name,
+      value,
+      stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+    };
 
     inputTracing.handleSqlInjection(sourceContext, sinkContext);
   }

package/lib/input-tracing/install/sequelize.js

@@ -23,7 +23,6 @@ module.exports = function(core) {
     scopes: { instrumentation },
     patcher,
     depHooks,
-    captureStacktrace,
     protect,
     protect: { inputTracing }
   } = core;
@@ -49,10 +48,12 @@ module.exports = function(core) {
           const value = getQueryFromArgs(args);
           if (!value) return;
 
-          const sinkContext = captureStacktrace(
-            { name, value },
-            { constructorOpt: hooked, prependFrames: [orig] }
-          );
+          const sinkContext = {
+            name,
+            value,
+            stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+          };
+
           inputTracing.handleSqlInjection(sourceContext, sinkContext);
         }
       });

package/lib/input-tracing/install/sqlite3.js

@@ -23,7 +23,6 @@ module.exports = function(core) {
     scopes: { instrumentation },
     patcher,
     depHooks,
-    captureStacktrace,
     protect,
     protect: { inputTracing }
   } = core;
@@ -44,10 +43,11 @@ module.exports = function(core) {
             const value = args[0];
             if (!value || !isString(value)) return;
 
-            const sinkContext = captureStacktrace(
-              { name, value },
-              { constructorOpt: hooked, prependFrames: [orig] }
-            );
+            const sinkContext = {
+              name,
+              value,
+              stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+            };
 
             inputTracing.handleSqlInjection(sourceContext, sinkContext);
           }

package/lib/input-tracing/install/vm.js

@@ -23,7 +23,6 @@ module.exports = function(core) {
     scopes: { instrumentation },
     patcher,
     depHooks,
-    captureStacktrace,
     protect,
     protect: { inputTracing }
   } = core;
@@ -46,10 +45,11 @@ module.exports = function(core) {
               const codeString = args[0];
               if (!codeString || !isString(codeString)) return;
 
-              const sinkContext = captureStacktrace(
-                { name, value: codeString },
-                { constructorOpt: hooked, prependFrames: [orig] }
-              );
+              const sinkContext = {
+                name,
+                value: codeString,
+                stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+              };
               inputTracing.ssjsInjection(sourceContext, sinkContext);
             }
           });
@@ -70,14 +70,16 @@ module.exports = function(core) {
 
           if ((!codeString || !isString(codeString)) && (!isNonEmptyObject(envObj))) return;
 
-          const codeStringSinkContext = (codeString && isString(codeString)) ? captureStacktrace(
-            { name: 'vm.runInNewContext', value: codeString },
-            { constructorOpt: hooked, prependFrames: [orig] }
-          ) : null;
-          const envObjSinkContext = isNonEmptyObject(envObj) ? captureStacktrace(
-            { name: 'vm.runInNewContext', value: envObj },
-            { constructorOpt: hooked, prependFrames: [orig] }
-          ) : null;
+          const codeStringSinkContext = (codeString && isString(codeString)) ? {
+            name: 'vm.runInNewContext',
+            value: codeString,
+            stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }
+          } : null;
+          const envObjSinkContext = isNonEmptyObject(envObj) ? {
+            name: 'vm.runInNewContext',
+            value: envObj,
+            stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }
+          } : null;
 
           codeStringSinkContext && inputTracing.ssjsInjection(sourceContext, codeStringSinkContext);
           envObjSinkContext && inputTracing.ssjsInjection(sourceContext, envObjSinkContext);
@@ -96,10 +98,11 @@ module.exports = function(core) {
           const envObj = args[0];
           if (!isNonEmptyObject(envObj)) return;
 
-          const sinkContext = captureStacktrace(
-            { name: 'vm.createContext', value: envObj },
-            { constructorOpt: hooked, prependFrames: [orig] }
-          );
+          const sinkContext = {
+            name: 'vm.createContext',
+            value: envObj,
+            stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+          };
           inputTracing.ssjsInjection(sourceContext, sinkContext);
         }
       });
@@ -116,10 +119,11 @@ module.exports = function(core) {
           const envObj = args[0];
           if (!isNonEmptyObject(envObj)) return;
 
-          const sinkContext = captureStacktrace(
-            { name: 'vm.Script.prototype.runInNewContext', value: envObj },
-            { constructorOpt: hooked, prependFrames: [orig] }
-          );
+          const sinkContext = {
+            name: 'vm.Script.prototype.runInNewContext',
+            value: envObj,
+            stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+          };
           inputTracing.ssjsInjection(sourceContext, sinkContext);
         }
       });

package/lib/make-source-context.js

@@ -60,15 +60,6 @@ module.exports = function(core) {
       }
     }
 
-    // if it can be determined that qs-type parsing is not being done then set
-    // standardUrlParsing to true. if it is true, then the query params and bodies
-    // that are form-url-encoded will be parsed by agent-lib and will not need to
-    // be parsed separately.
-    //
-    // the code that scans the dependencies is probably the best place to make the
-    // determination.
-    const standardUrlParsing = false;
-
     // contains request data and information derived from request data. it's
     // possible for any derived information to be derived later, but doing
     // so here is typically better; it makes clear what information is used to
@@ -81,7 +72,6 @@ module.exports = function(core) {
       uriPath,
       queries,
       contentType,
-      standardUrlParsing,
     };
 
     //
@@ -97,19 +87,12 @@ module.exports = function(core) {
       exclusions: [],
       virtualPatchesEvaluators: [],
 
-      // maybe better as result, findings... but my bad naming choice is
-      // past the point of return.
-      findings: {
-        trackRequest: false,
-        securityException: undefined,
-        // bodyType is set to a body type if handlers.parseRawBody() parsed it
-        // successfully.
-        bodyType: undefined,
-        resultsMap: Object.create(null),
-        hardeningResultsMap: Object.create(null),
-        semanticResultsMap: Object.create(null),
-        serverFeaturesResultsMap: Object.create(null)
-      },
+      trackRequest: false,
+      securityException: undefined,
+      // bodyType is set to a body type if handlers.parseRawBody() parsed it
+      // successfully.
+      bodyType: undefined,
+      resultsMap: Object.create(null),
     };
 
     return protectStore;

package/lib/policy.js

@@ -36,14 +36,18 @@ module.exports = function(core) {
     protect: { agentLib }
   } = core;
 
-  const compiled = {
-    url: [],
-    querystring: [],
-    header: [],
-    body: [],
-    cookie: [],
-    parameter: [],
-  };
+  function initCompiled() {
+    return {
+      url: [],
+      querystring: [],
+      header: [],
+      body: [],
+      cookie: [],
+      parameter: [],
+    };
+  }
+
+  let compiled = initCompiled();
 
   const policy = protect.policy = {
     exclusions: compiled
@@ -274,6 +278,7 @@ module.exports = function(core) {
     ].filter((exclusion) => exclusion.modes.includes('defend'));
 
     if (!exclusions.length) return;
+    compiled = initCompiled();
 
     for (const exclusionDtm of exclusions) {
       exclusionDtm.inputType = exclusionDtm.inputType || 'URL';