@contrast/protect 1.8.0 → 1.9.0

package/lib/semantic-analysis/handlers.js

@@ -20,7 +20,7 @@ const {
   BLOCKING_MODES,
   ProtectRuleMode: { OFF },
   InputType,
-  simpleTraverse
+  traverseValues,
 } = require('@contrast/common');
 
 const {
@@ -38,22 +38,27 @@ const getRuleResults = function(obj, prop) {
 // See files in protect/lib/input-tracing/install/.
 
 module.exports = function(core) {
-  const { protect: { agentLib, semanticAnalysis, throwSecurityException } } = core;
+  const { protect: { agentLib, semanticAnalysis, throwSecurityException }, captureStacktrace } = core;
 
   function handleResult(sourceContext, sinkContext, ruleId, mode, finding) {
+    const { value, stacktraceData } = sinkContext;
+    captureStacktrace(sinkContext, stacktraceData);
     const result = {
       blocked: false,
-      findings: { command: sinkContext.value },
+      ruleId,
+      value,
+      mappedId: ruleId,
+      exploitMetadata: [{ command: value }],
       sinkContext,
       ...finding
     };
 
-    getRuleResults(sourceContext.findings.semanticResultsMap, ruleId).push(result);
+    getRuleResults(sourceContext.resultsMap, ruleId).push(result);
 
     if (BLOCKING_MODES.includes(mode)) {
       result.blocked = true;
       const blockInfo = [mode, ruleId];
-      sourceContext.findings.securityException = blockInfo;
+      sourceContext.securityException = blockInfo;
       throwSecurityException(sourceContext);
     }
   }
@@ -101,7 +106,7 @@ module.exports = function(core) {
 
     if (agentLib.isDangerousPath(sinkContext.value, true)) {
       handleResult(sourceContext, sinkContext, Rule.PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS, mode, {
-        findings: { path: sinkContext.value }
+        exploitMetadata: [{ path: sinkContext.value }]
       });
     }
   };
@@ -113,7 +118,7 @@ module.exports = function(core) {
     const findings = findExternalEntities(sinkContext.value);
     if (findings.entities.length) {
       handleResult(sourceContext, sinkContext, Rule.XXE, mode, {
-        findings,
+        exploitMetadata: [findings],
       });
     }
   };
@@ -141,17 +146,15 @@ function findBackdoorInjection(sourceContext, command) {
     [InputType.HEADER]: sourceContext.reqData.headers,
   };
 
-  let found = false;
+  let found;
   for (const inputType in valuesOfInterest) {
+    if (found) break;
+
     const values = valuesOfInterest[inputType];
 
     if (values && Object.keys(values).length) {
-      simpleTraverse(values, (path, type, value, obj) => {
-        if (
-          !found &&
-          type === 'Value' &&
-          isBackdoorDetected(value, command)
-        ) {
+      traverseValues(values, (path, type, value, obj) => {
+        if (isBackdoorDetected(value, command)) {
           let key;
           if (inputType === InputType.HEADER) {
             key = obj[path[0] - 1];
@@ -165,6 +168,9 @@ function findBackdoorInjection(sourceContext, command) {
             path: path.slice(0, -1),
             value: command
           };
+
+          // halt traversal
+          return true;
         }
       });
     }

package/lib/semantic-analysis/index.js

@@ -15,7 +15,7 @@
 
 'use strict';
 
-const { installChildComponentsSync } = require('@contrast/common');
+const { callChildComponentMethodsSync } = require('@contrast/common');
 
 /**
  * SEMANTIC ANALYSIS is a STAGE of Protect.
@@ -37,11 +37,8 @@ module.exports = function(core) {
   require('./install/libxmljs')(core);
 
   semanticAnalysis.install = function() {
-    installChildComponentsSync(semanticAnalysis);
+    callChildComponentMethodsSync(semanticAnalysis, 'install');
   };
 
-  // There is no `.install()` method as this STAGE does not introduce side effects on its own,
-  // it uses the instrumentation that's already in place for INPUT TRACING.
-
   return semanticAnalysis;
 };

package/lib/semantic-analysis/install/libxmljs.js

@@ -26,7 +26,6 @@ module.exports = function(core) {
     logger,
     protect: { semanticAnalysis },
     protect,
-    captureStacktrace
   } = core;
 
   function install() {
@@ -60,10 +59,11 @@ module.exports = function(core) {
     // see: https://help.semmle.com/wiki/display/JS/XML+external+entity+expansion
     if (!sourceContext || !value || !isString(value) || !args[1].noent) return;
 
-    const sinkContext = captureStacktrace(
-      { name: 'libxmljs.parseXmlString', value },
-      { constructorOpt: hooked, prependFrames: [orig] }
-    );
+    const sinkContext = {
+      name: 'libxmljs.parseXmlString',
+      value,
+      stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+    };
 
     try {
       semanticAnalysis.handleXXE(sourceContext, sinkContext);

package/lib/throw-security-exception.js

@@ -24,9 +24,7 @@ module.exports = function(core) {
     if (!sourceContext) return;
 
     const {
-      findings: {
-        securityException: [mode, ruleId]
-      }
+      securityException: [mode, ruleId]
     } = sourceContext;
 
     const err = securityException.create();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.8.0",
+  "version": "1.9.0",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -18,11 +18,11 @@
   },
   "dependencies": {
     "@contrast/agent-lib": "^5.1.0",
-    "@contrast/common": "1.1.4",
-    "@contrast/core": "1.7.0",
-    "@contrast/esm-hooks": "1.3.0",
+    "@contrast/common": "1.2.0",
+    "@contrast/core": "1.8.0",
+    "@contrast/esm-hooks": "1.4.0",
     "@contrast/scopes": "1.2.0",
     "ipaddr.js": "^2.0.1",
     "semver": "^7.3.7"
   }
-}
+}