@contrast/protect 1.8.1 → 1.9.1

package/lib/error-handlers/install/express4.js

@@ -44,7 +44,7 @@ module.exports = function(core) {
               const isSecurityException = SecurityException.isSecurityException(err);
 
               if (isSecurityException && sourceContext) {
-                const blockInfo = sourceContext.findings.securityException;
+                const blockInfo = sourceContext.securityException;
 
                 sourceContext.block(...blockInfo);
                 return;
@@ -70,7 +70,7 @@ module.exports = function(core) {
           const isSecurityException = SecurityException.isSecurityException(err);
 
           if (isSecurityException && sourceContext) {
-            const blockInfo = sourceContext.findings.securityException;
+            const blockInfo = sourceContext.securityException;
 
             sourceContext.block(...blockInfo);
             return;
@@ -123,7 +123,7 @@ module.exports = function(core) {
               const isSecurityException = SecurityException.isSecurityException(err);
 
               if (isSecurityException && sourceContext) {
-                const blockInfo = sourceContext.findings.securityException;
+                const blockInfo = sourceContext.securityException;
 
                 sourceContext.block(...blockInfo);
                 return;

package/lib/error-handlers/install/fastify.js

@@ -62,7 +62,7 @@ module.exports = function(core) {
       if (!sourceContext) {
         normalHandler.call(this, err, request, reply);
       } else {
-        const blockInfo = sourceContext.findings.securityException;
+        const blockInfo = sourceContext.securityException;
         sourceContext.block(...blockInfo);
       }
     } else {

package/lib/error-handlers/install/hapi.js

@@ -39,7 +39,7 @@ module.exports = function (core) {
         const isSecurityException = SecurityException.isSecurityException(err);
 
         if (isSecurityException && sourceContext && err.output.statusCode !== 403) {
-          const [mode, ruleId] = sourceContext.findings.securityException;
+          const [mode, ruleId] = sourceContext.securityException;
 
           err.output.statusCode = 403;
           err.reformat();

package/lib/error-handlers/install/koa2.js

@@ -46,7 +46,7 @@ module.exports = function(core) {
 
               if (isSecurityException && sourceContext) {
                 data.obj.body = '';
-                const blockInfo = sourceContext.findings.securityException;
+                const blockInfo = sourceContext.securityException;
                 sourceContext.block(...blockInfo);
                 return;
               }

package/lib/hardening/handlers.js

@@ -29,9 +29,9 @@ module.exports = function(core) {
   } = core;
 
   function getResults(sourceContext, ruleId) {
-    let results = sourceContext.findings.hardeningResultsMap[ruleId];
+    let results = sourceContext.resultsMap[ruleId];
     if (!results) {
-      results = sourceContext.findings.hardeningResultsMap[ruleId] = [];
+      results = sourceContext.resultsMap[ruleId] = [];
     }
     return results;
   }
@@ -51,13 +51,14 @@ module.exports = function(core) {
 
       captureStacktrace(sinkContext, stacktraceData);
       results.push({
+        value: sinkContext.value,
         blocked,
-        findings: { deserializer: name, command: false },
+        exploitMetadata: [{ deserializer: name, command: false }],
         sinkContext,
       });
 
       if (blocked) {
-        sourceContext.findings.securityException = [mode, ruleId];
+        sourceContext.securityException = [mode, ruleId];
         throwSecurityException(sourceContext);
       }
     }

package/lib/index.d.ts

@@ -16,7 +16,7 @@
 import { Logger } from '@contrast/logger';
 import { Sources } from '@contrast/scopes';
 import RequireHook from '@contrast/require-hook';
-import { RulesConfig, Messages, ReqData, ProtectMessage, Findings } from '@contrast/common';
+import { RulesConfig, Messages, ReqData, ProtectMessage, ResultMap, ProtectRuleMode } from '@contrast/common';
 import { IncomingMessage, ServerResponse } from 'node:http';
 import { Config } from '@contrast/config';
 import * as http from 'node:http';
@@ -58,7 +58,10 @@ export interface ProtectRequestStore {
   };
   exclusions: any[]; // TODO
   virtualPatches: any[]; // TODO
-  findings: Findings;
+  trackRequest: boolean;
+  securityException?: [mode: ProtectRuleMode, ruleId: string];
+  bodyType?: 'json' | 'urlencoded';
+  resultsMap: Partial<ResultMap>
 }
 
 export interface ConnectInputs {

package/lib/index.js

@@ -16,7 +16,7 @@
 'use strict';
 
 const agentLib = require('@contrast/agent-lib');
-const { installChildComponentsSync } = require('@contrast/common');
+const { callChildComponentMethodsSync } = require('@contrast/common');
 
 module.exports = function(core) {
   const protect = core.protect = {
@@ -35,7 +35,7 @@ module.exports = function(core) {
   require('./error-handlers')(core);
 
   protect.install = function() {
-    installChildComponentsSync(protect);
+    callChildComponentMethodsSync(protect, 'install');
   };
 
   return protect;

package/lib/input-analysis/handlers.js

@@ -17,7 +17,8 @@
 
 const {
   BLOCKING_MODES,
-  simpleTraverse,
+  traverseKeysAndValues,
+  traverseValues,
   Rule,
   isString,
   ProtectRuleMode: { OFF },
@@ -199,7 +200,7 @@ module.exports = function(core) {
     const resultsList = [];
     const { UrlParameter } = agentLib.InputType;
 
-    simpleTraverse(urlParams, function(path, type, value) {
+    traverseValues(urlParams, function(path, type, value) {
       // url param names are not checked.
       if (type !== 'Value') {
         return;
@@ -306,7 +307,7 @@ module.exports = function(core) {
 
     const block = commonObjectAnalyzer(sourceContext, parsedBody, inputTypes);
 
-    sourceContext.findings.bodyType = bodyType;
+    sourceContext.bodyType = bodyType;
 
     if (block) {
       core.protect.throwSecurityException(sourceContext);
@@ -373,14 +374,14 @@ module.exports = function(core) {
           const { name, uuid } = vpEvaluators.get('metadata');
 
           if (vpEvaluators.size === 1 && uuid) {
-            if (!sourceContext.findings.serverFeaturesResultsMap[ruleId]) {
-              sourceContext.findings.serverFeaturesResultsMap[ruleId] = [];
+            if (!sourceContext.resultsMap[ruleId]) {
+              sourceContext.resultsMap[ruleId] = [];
             }
-            sourceContext.findings.serverFeaturesResultsMap[ruleId].push({
+            sourceContext.resultsMap[ruleId].push({
               name,
               uuid
             });
-            sourceContext.findings.securityException = ['block', ruleId];
+            sourceContext.securityException = ['block', ruleId];
             core.protect.throwSecurityException(sourceContext);
           }
         }
@@ -412,11 +413,11 @@ module.exports = function(core) {
 
     if (match) {
       logger.info(match, 'Found a matching IP to an entry in ipDeny list');
-      if (!sourceContext.findings.serverFeaturesResultsMap[ruleId]) {
-        sourceContext.findings.serverFeaturesResultsMap[ruleId] = [];
+      if (!sourceContext.resultsMap[ruleId]) {
+        sourceContext.resultsMap[ruleId] = [];
       }
 
-      sourceContext.findings.serverFeaturesResultsMap[ruleId].push({
+      sourceContext.resultsMap[ruleId].push({
         ip: match.matchedIp,
         uuid: match.uuid,
       });
@@ -434,7 +435,7 @@ module.exports = function(core) {
   inputAnalysis.handleRequestEnd = function handleRequestEnd(sourceContext) {
     if (!config.protect.probe_analysis.enable || sourceContext.allowed) return;
 
-    const { resultsMap } = sourceContext.findings;
+    const { resultsMap } = sourceContext;
     const probesRules = [Rule.CMD_INJECTION, Rule.PATH_TRAVERSAL, Rule.SQL_INJECTION, Rule.XXE];
     const props = {};
 
@@ -444,11 +445,11 @@ module.exports = function(core) {
         const {
           ruleId,
           blocked,
-          details,
+          exploitMetadata,
           value,
           inputType
         } = resultByRuleId;
-        if (blocked || !blocked && details.length > 0 || !probesRules.some(rule => rule === ruleId)) return;
+        if (blocked || !blocked && exploitMetadata.length > 0 || !probesRules.some(rule => rule === ruleId)) return;
 
         const { policy: { rulesMask } } = sourceContext;
 
@@ -514,19 +515,19 @@ module.exports = function(core) {
 
     // it's possible to optimize this if qs (or a similar package) is not loaded
     // or if none of the values of queryParams are objects. a quick '.includes()'
-    // could be used to determine that. if none are objects then simpleTraverse()
+    // could be used to determine that. if none are objects then traverseKeysAndValues()
     // wouldn't be used, just a simple "for (const key in queryParams) {...}" to
     // check each key and value associated with the key.
     //
     // otoh, it's a fair amount of additional logic and the gain is likely to be
     // small, so it probably only makes sense to check if qs (or similar) is actually
-    // in use. a benchmark of "for (const key in queryParams) {...}" vs simpleTraverse
+    // in use. a benchmark of "for (const key in queryParams) {...}" vs traverseKeysAndValues
     // should be created to see if, and in what cases, it makes sense.
     //
     // another day.
 
     /* eslint-disable-next-line complexity */
-    simpleTraverse(object, function(path, type, value) {
+    traverseKeysAndValues(object, function(path, type, value) {
       let itemType;
       let isMongoQueryType;
       // this is a bit awkward now because nosql-injection-mongo is not integrated
@@ -708,10 +709,10 @@ function isResultExcluded(sourceContext, result) {
  * @returns {undefined|[String]} undefined to permit else [mode, rule] to block.
  */
 function mergeFindings(sourceContext, newFindings) {
-  const { findings, policy } = sourceContext;
+  const { policy, securityException, resultsMap } = sourceContext;
 
   if (!newFindings.trackRequest) {
-    return findings.securityException;
+    return securityException;
   }
 
   newFindings.resultsList = newFindings.resultsList.filter(
@@ -720,18 +721,18 @@ function mergeFindings(sourceContext, newFindings) {
 
   normalizeFindings(policy, newFindings);
 
-  findings.trackRequest = findings.trackRequest || newFindings.trackRequest;
-  findings.securityException = findings.securityException || newFindings.securityException;
+  sourceContext.trackRequest = sourceContext.trackRequest || newFindings.trackRequest;
+  sourceContext.securityException = sourceContext.securityException || newFindings.securityException;
 
   // merge them into a ruleId-indexed map (pojo)
   for (const result of newFindings.resultsList) {
-    if (!findings.resultsMap[result.ruleId]) {
-      findings.resultsMap[result.ruleId] = [];
+    if (!resultsMap[result.ruleId]) {
+      resultsMap[result.ruleId] = [];
     }
-    findings.resultsMap[result.ruleId].push(result);
+    resultsMap[result.ruleId].push(result);
   }
 
-  return findings.securityException;
+  return sourceContext.securityException;
 }
 
 //
@@ -749,7 +750,7 @@ function normalizeFindings(policy, findings) {
     r.blocked = false;
 
     // sink analysis will add findings here
-    r.details = [];
+    r.exploitMetadata = [];
 
     // apply exclusions here.
     //

package/lib/input-analysis/index.js

@@ -15,7 +15,7 @@
 
 'use strict';
 
-const { installChildComponentsSync } = require('@contrast/common');
+const { callChildComponentMethodsSync } = require('@contrast/common');
 
 module.exports = function(core) {
   const inputAnalysis = core.protect.inputAnalysis = {};
@@ -47,7 +47,7 @@ module.exports = function(core) {
   require('./ip-analysis')(core);
 
   inputAnalysis.install = function() {
-    installChildComponentsSync(inputAnalysis);
+    callChildComponentMethodsSync(inputAnalysis, 'install');
   };
 
   return inputAnalysis;

package/lib/input-tracing/handlers/index.js

@@ -20,7 +20,8 @@ const {
   ProtectRuleMode: { OFF },
   BLOCKING_MODES,
   isString,
-  simpleTraverse
+  traverseKeys,
+  traverseKeysAndValues,
 } = require('@contrast/common');
 
 module.exports = function(core) {
@@ -36,14 +37,14 @@ module.exports = function(core) {
   function handleFindings(sourceContext, sinkContext, ruleId, result, findings) {
     const { stacktraceData } = sinkContext;
     captureStacktrace(sinkContext, stacktraceData);
-    result.details.push({ sinkContext, findings });
+    result.exploitMetadata.push({ sinkContext, findings });
 
     const mode = sourceContext.policy[ruleId];
 
     if (BLOCKING_MODES.includes(mode)) {
       result.blocked = true;
       const blockInfo = [mode, ruleId];
-      sourceContext.findings.securityException = blockInfo;
+      sourceContext.securityException = blockInfo;
       throwSecurityException(sourceContext);
     }
   }
@@ -146,10 +147,13 @@ module.exports = function(core) {
 
       for (const result of stringInjectionResults) {
         if (typeof sinkContext.value === 'object') {
-          simpleTraverse(sinkContext.value, function(path, type, value) {
+          traverseKeysAndValues(sinkContext.value, function(path, type, value) {
             if (type !== 'Key' && !agentLib.isMongoQueryType(value)) return;
 
             stringFindings = handleStringValue(result, sinkContext.value[value], agentLib);
+
+            // halt traversal
+            return true;
           });
         } else if (typeof sinkContext.value === 'string') {
           stringFindings = handleStringValue(result, sinkContext.value, agentLib);
@@ -158,11 +162,11 @@ module.exports = function(core) {
         if (stringFindings) {
           const nosqlInjectionResult = { ...result, ruleId, mappedId: ruleId };
 
-          const nosqlInjectionResults = sourceContext.findings.resultsMap[ruleId];
+          const nosqlInjectionResults = sourceContext.resultsMap[ruleId];
           if (Array.isArray(nosqlInjectionResults)) {
             nosqlInjectionResults.push(nosqlInjectionResult);
           } else {
-            sourceContext.findings.resultsMap[ruleId] = [nosqlInjectionResult];
+            sourceContext.resultsMap[ruleId] = [nosqlInjectionResult];
           }
 
           handleFindings(sourceContext, sinkContext, ruleId, nosqlInjectionResult, stringFindings);
@@ -231,7 +235,7 @@ module.exports = function(core) {
       const findings = idx !== -1 ? { value: sinkContext.value } : null;
 
       if (findings) {
-        result.details.push({ sinkContext, findings });
+        result.exploitMetadata.push({ sinkContext, findings });
       }
     }
   };
@@ -250,18 +254,13 @@ function getResultsByRuleId(ruleId, context) {
   if (context.policy[ruleId] === OFF) {
     return;
   }
-  return context.findings.resultsMap[ruleId];
+  return context.resultsMap[ruleId];
 }
 
 function handleObjectValue(result, object) {
-  if (typeof object !== 'object') {
-    return null;
-  }
   let findings = null;
-  simpleTraverse(object, function(path, type, value) {
-    if (type !== 'Key' || findings) {
-      return;
-    }
+
+  traverseKeys(object, function(path, type, value) {
     // the result value is the key that was found
     if (result.key === value) {
       // does the object at this path equal the user input?
@@ -276,6 +275,9 @@ function handleObjectValue(result, object) {
         const end = start + value.length;
         const inputBoundaryIndex = 0;
         findings = { start, end, boundaryOverrunIndex: start, inputBoundaryIndex };
+
+        // halt traversal
+        return true;
       }
     }
   });

package/lib/input-tracing/index.js

@@ -15,7 +15,7 @@
 
 'use strict';
 
-const { installChildComponentsSync } = require('@contrast/common');
+const { callChildComponentMethodsSync } = require('@contrast/common');
 
 module.exports = function(core) {
   const inputTracing = core.protect.inputTracing = {};
@@ -38,7 +38,7 @@ module.exports = function(core) {
   // TODO: NODE-2360 (oracledb)
 
   inputTracing.install = function() {
-    installChildComponentsSync(inputTracing);
+    callChildComponentMethodsSync(inputTracing, 'install');
   };
 
   return inputTracing;

package/lib/input-tracing/install/child-process.js

@@ -23,10 +23,31 @@ module.exports = function(core) {
     scopes: { instrumentation },
     patcher,
     depHooks,
-    protect,
-    protect: { inputTracing }
+    protect: { getSourceContext, inputTracing }
   } = core;
 
+  function pre({ args, name, hooked, orig }) {
+    if (instrumentation.isLocked()) return;
+
+    const sourceContext = getSourceContext('child_process');
+    const value = args[0];
+
+    if (!sourceContext || !value || !isString(value)) return;
+
+    const sinkContext = {
+      name,
+      value,
+      stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+    };
+
+    inputTracing.handleCommandInjection(sourceContext, sinkContext);
+    core.protect.semanticAnalysis.handleCommandInjectionCommandBackdoors(sourceContext, sinkContext);
+    core.protect.semanticAnalysis.handleCmdInjectionSemanticChainedCommands(sourceContext, sinkContext);
+    core.protect.semanticAnalysis.handleCmdInjectionSemanticDangerous(sourceContext, sinkContext);
+    core.protect.semanticAnalysis.handlePathTraversalFileSecurityBypass(sourceContext, sinkContext);
+  }
+
+
   function install() {
     depHooks.resolve({ name: 'child_process' }, cp => {
       ['exec', 'execSync'].forEach((method) => {
@@ -34,28 +55,7 @@ module.exports = function(core) {
         patcher.patch(cp, method, {
           name,
           patchType,
-          pre({ args, hooked, orig }) {
-            if (instrumentation.isLocked()) return;
-
-            const sourceContext = protect.getSourceContext('child_process');
-            const value = args[0];
-
-            if (!sourceContext || !value || !isString(value)) return;
-
-            const sinkContext = {
-              name,
-              value,
-              stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
-            };
-
-            inputTracing.handleCommandInjection(sourceContext, sinkContext);
-            // To evade code duplication we are using these INPUT TRACING instrumentation
-            // to do the checks for SEMANTIC ANALYSIS too
-            core.protect.semanticAnalysis.handleCommandInjectionCommandBackdoors(sourceContext, sinkContext);
-            core.protect.semanticAnalysis.handleCmdInjectionSemanticChainedCommands(sourceContext, sinkContext);
-            core.protect.semanticAnalysis.handleCmdInjectionSemanticDangerous(sourceContext, sinkContext);
-            core.protect.semanticAnalysis.handlePathTraversalFileSecurityBypass(sourceContext, sinkContext);
-          }
+          pre
         });
       });
     });

package/lib/input-tracing/install/function.js

@@ -50,7 +50,7 @@ module.exports = function(core) {
             value: fnBody,
             stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
           };
-          console.log({ sinkContext: sinkContext.stacktraceData });
+
           inputTracing.ssjsInjection(sourceContext, sinkContext);
         }
       })

package/lib/input-tracing/install/mongodb.js

@@ -14,16 +14,14 @@
  */
 
 'use strict';
-
-const { patchType } = require('../constants');
+const moduleName = 'mongodb';
 const semver = require('semver');
+const { patchType } = require('../constants');
 
 module.exports = function (core) {
   const {
-    depHooks,
-    patcher,
-    protect,
-    protect: { inputTracing },
+    protect: { getSourceContext, inputTracing },
+    instrumentation: { instrument }
   } = core;
 
   function getCursorQueryData(args, version) {
@@ -56,178 +54,163 @@ module.exports = function (core) {
     return op.q;
   }
 
-  function hookV3CommandAndCursor(obj, method, patchName, version) {
-    patcher.patch(obj, method, {
-      name: patchName,
-      patchType,
-      pre: ({ args, hooked, name, orig }) => {
-        const value = getCursorQueryData(args, version);
-        const sourceContext = protect.getSourceContext(patchName);
-
-        if (!sourceContext || !value) return;
-
-        const sinkContext = {
-          name,
-          value,
-          stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
-        };
-        inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
-      }
-    });
+  function preHook(value, { name, hooked, orig }) {
+    const sourceContext = getSourceContext(name);
+
+    if (!sourceContext || !value) return;
+
+    const sinkContext = {
+      name,
+      value,
+      stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+    };
+    inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
   }
 
-  function hookV3UpdateAndRemove(obj, method, patchName) {
-    patcher.patch(obj, method, {
-      name: patchName,
-      patchType,
-      pre: ({ args, hooked, name, orig }) => {
-        const sourceContext = protect.getSourceContext(patchName);
-
-        if (!sourceContext) return;
-
-        const ops = Array.isArray(args[1])
-          ? args[1]
-          : [args[1]];
-        for (const op of ops) {
-          const value = op && getOpQueryData(op);
-          if (value) {
-            const sinkContext = {
-              name,
-              value,
-              stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
-            };
-            inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
-          }
-        }
-      },
-    });
+  function v4CollectionVal({ args, ...ctx }) {
+    const value = typeof args[0] == 'function' ? null : args[0];
+    preHook(value, ctx);
+  }
+
+  function v4DbVal({ args, ...ctx }) {
+    const value = args[0]?.filter;
+    preHook(value, ctx);
+  }
+
+  function v4CursorVal({ args, ...ctx }) {
+    const value = args[2];
+    preHook(value, ctx);
+  }
+
+  function v3CursorVal({ args, ...ctx }, version) {
+    const value = getCursorQueryData(args, version);
+    preHook(value, ctx);
+  }
+
+  function v3DbVal({ args, ...ctx }) {
+    const value = args[0];
+    preHook(value, ctx);
+  }
+
+  function v3TopologyVal({ args, ...ctx }) {
+    const ops = Array.isArray(args[1]) ? args[1] : [args[1]];
+    for (const op of ops) {
+      const value = op && getOpQueryData(op);
+      if (value) {
+        preHook(value, ctx);
+      }
+    }
   }
 
   function install() {
-    const v4MethodsWithFilter = [
-      'updateOne',
-      'replaceOne',
-      'updateMany',
-      'deleteOne',
-      'deleteMany',
-      'findOneAndDelete',
-      'findOneAndReplace',
-      'findOneAndUpdate',
-      'countDocuments',
-      'count',
-      'distinct',
-    ];
-
-    depHooks.resolve(
+    [
+      {
+        moduleName,
+        version: '>=4.0.0',
+        patchObjects: [
+          {
+            name: 'Collection.prototype',
+            methods: [
+              'updateOne',
+              'replaceOne',
+              'updateMany',
+              'deleteOne',
+              'deleteMany',
+              'findOneAndDelete',
+              'findOneAndReplace',
+              'findOneAndUpdate',
+              'countDocuments',
+              'count',
+              'distinct',
+            ],
+            patchType,
+            preHookFn: v4CollectionVal
+          },
+          {
+            name: 'Db.prototype',
+            methods: ['command'],
+            patchType,
+            preHookFn: v4DbVal
+          }
+        ]
+      },
       {
-        name: 'mongodb', version: '>=4.0.0'
+        moduleName,
+        version: '>=4.0.0',
+        file: 'lib/cursor/find_cursor',
+        patchObjects: [
+          {
+            methods: ['FindCursor'],
+            patchType,
+            preHookFn: v4CursorVal
+          }
+        ]
       },
-      (mongodb) => {
-        v4MethodsWithFilter.forEach((method) => {
-          patcher.patch(mongodb.Collection.prototype, method, {
-            name: `mongodb.Collection.prototype.${method}`,
+      {
+        moduleName,
+        version: '<4.0.0',
+        patchObjects: [
+          {
+            name: 'CoreServer.prototype',
+            methods: ['cursor'],
             patchType,
-            pre: ({ args, hooked, name, orig }) => {
-              const value = typeof args[0] == 'function' ? null : args[0];
-              const sourceContext = protect.getSourceContext(`mongodb.Collection.prototype.${method}`);
-
-              if (!sourceContext || !value) return;
-
-              const sinkContext = {
-                name,
-                value,
-                stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
-              };
-              inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
-            },
-          });
-        });
-
-        patcher.patch(mongodb.Db.prototype, 'command', {
-          name: 'mongodb.Db.prototype.command',
-          patchType,
-          pre: ({ args, hooked, name, orig }) => {
-            const value = args[0]?.filter;
-            const sourceContext = protect.getSourceContext('mongodb.Collection.prototype.command');
-
-            if (!sourceContext || !value) return;
-
-            const sinkContext = {
-              name,
-              value,
-              stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
-            };
-            inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
+            preHookFn: v3CursorVal
+          },
+          {
+            name: 'Db.prototype',
+            methods: ['eval'],
+            patchType,
+            preHookFn: v3DbVal
           }
-        });
-      });
-
-    depHooks.resolve(
+        ]
+      },
+      {
+        moduleName,
+        file: 'lib/topologies/topology_base.js',
+        version: '<4.0.0',
+        patchObjects: [
+          {
+            name: 'TopologyBase.prototype',
+            methods: ['update', 'remove'],
+            patchType,
+            preHookFn: v3TopologyVal
+          },
+          {
+            name: 'TopologyBase.prototype',
+            methods: ['command'],
+            patchType,
+            preHookFn: v3CursorVal
+          }
+        ]
+      },
       {
-        name: 'mongodb', version: '<4.0.0'
-      }, (mongodb, { version }) => {
-        hookV3CommandAndCursor(mongodb.CoreServer.prototype, 'cursor', 'mongodb.CoreServer.prototype.cursor', version);
-
-        patcher.patch(mongodb.Db.prototype, 'eval', {
-          name: 'mongodb.Db.prototype.eval',
-          patchType,
-          pre: ({ args, hooked, name, orig }) => {
-            const value = args[0];
-            const sourceContext = protect.getSourceContext('mongodb.Db.prototype.eval');
-
-            if (!sourceContext || !value) return;
-
-            const sinkContext = {
-              name,
-              value,
-              stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
-            };
-
-            inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
+        moduleName,
+        file: 'lib/topologies/native_topology.js',
+        version: '<4.0.0',
+        patchObjects: [
+          {
+            name: 'NativeTopology.prototype',
+            patchName: 'prototype',
+            methods: ['update', 'remove'],
+            patchType,
+            preHookFn: v3TopologyVal
+          },
+          {
+            name: 'NativeTopology.prototype',
+            patchName: 'prototype',
+            methods: ['command'],
+            patchType,
+            preHookFn: v3CursorVal
           }
-        });
-      });
-
-    depHooks.resolve({ name: 'mongodb', file: 'lib/cursor/find_cursor', version: '>=4.0.0' }, (cursor) => patcher.patch(cursor, 'FindCursor', {
-      name: 'mongodb.FindCursor',
-      patchType,
-      pre: ({ args, hooked, name, orig }) => {
-        const value = args[2];
-        const sourceContext = protect.getSourceContext('mongodb.FindCursor');
-
-        if (!sourceContext || !value) return;
-
-        const sinkContext = {
-          name,
-          value,
-          stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
-        };
-        inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
+        ]
       }
-    }));
-
-    const mongoDBTopologiesMethods = ['update', 'remove'];
-
-    depHooks.resolve({
-      name: 'mongodb',
-      file: 'lib/topologies/topology_base.js',
-      version: '<4.0.0'
-    }, (tpl, { version }) => {
-      mongoDBTopologiesMethods.forEach((method) => {
-        hookV3UpdateAndRemove(tpl.TopologyBase.prototype, method, `mongodb.TopologyBase.prototype.${method}`);
-      });
-      hookV3CommandAndCursor(tpl.TopologyBase.prototype, 'command', 'mongodb.TopologyBase.prototype.command', version);
-    });
-
-    depHooks.resolve({
-      name: 'mongodb',
-      file: 'lib/topologies/native_topology.js',
-      version: '<4.0.0'
-    }, (NativeTopology, { version }) => {
-      mongoDBTopologiesMethods.forEach((method) => {
-        hookV3UpdateAndRemove(NativeTopology.prototype, method, `mongodb.NativeTopology.prototype.${method}`);
+    ].forEach(({ moduleName, file, version, patchObjects }) => {
+      instrument({
+        moduleName,
+        file,
+        version,
+        patchObjects
       });
-      hookV3CommandAndCursor(NativeTopology.prototype, 'command', 'mongodb.NativeTopology.prototype.command', version);
     });
   }
   const mongodbInstr = (core.protect.inputTracing.mongodbInstrumentation = {

package/lib/make-source-context.js

@@ -87,19 +87,12 @@ module.exports = function(core) {
       exclusions: [],
       virtualPatchesEvaluators: [],
 
-      // maybe better as result, findings... but my bad naming choice is
-      // past the point of return.
-      findings: {
-        trackRequest: false,
-        securityException: undefined,
-        // bodyType is set to a body type if handlers.parseRawBody() parsed it
-        // successfully.
-        bodyType: undefined,
-        resultsMap: Object.create(null),
-        hardeningResultsMap: Object.create(null),
-        semanticResultsMap: Object.create(null),
-        serverFeaturesResultsMap: Object.create(null)
-      },
+      trackRequest: false,
+      securityException: undefined,
+      // bodyType is set to a body type if handlers.parseRawBody() parsed it
+      // successfully.
+      bodyType: undefined,
+      resultsMap: Object.create(null),
     };
 
     return protectStore;

package/lib/semantic-analysis/handlers.js

@@ -20,7 +20,7 @@ const {
   BLOCKING_MODES,
   ProtectRuleMode: { OFF },
   InputType,
-  simpleTraverse
+  traverseValues,
 } = require('@contrast/common');
 
 const {
@@ -45,17 +45,20 @@ module.exports = function(core) {
     captureStacktrace(sinkContext, stacktraceData);
     const result = {
       blocked: false,
-      findings: { command: value },
+      ruleId,
+      value,
+      mappedId: ruleId,
+      exploitMetadata: [{ command: value }],
       sinkContext,
       ...finding
     };
 
-    getRuleResults(sourceContext.findings.semanticResultsMap, ruleId).push(result);
+    getRuleResults(sourceContext.resultsMap, ruleId).push(result);
 
     if (BLOCKING_MODES.includes(mode)) {
       result.blocked = true;
       const blockInfo = [mode, ruleId];
-      sourceContext.findings.securityException = blockInfo;
+      sourceContext.securityException = blockInfo;
       throwSecurityException(sourceContext);
     }
   }
@@ -103,7 +106,7 @@ module.exports = function(core) {
 
     if (agentLib.isDangerousPath(sinkContext.value, true)) {
       handleResult(sourceContext, sinkContext, Rule.PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS, mode, {
-        findings: { path: sinkContext.value }
+        exploitMetadata: [{ path: sinkContext.value }]
       });
     }
   };
@@ -115,7 +118,7 @@ module.exports = function(core) {
     const findings = findExternalEntities(sinkContext.value);
     if (findings.entities.length) {
       handleResult(sourceContext, sinkContext, Rule.XXE, mode, {
-        findings,
+        exploitMetadata: [findings],
       });
     }
   };
@@ -143,17 +146,15 @@ function findBackdoorInjection(sourceContext, command) {
     [InputType.HEADER]: sourceContext.reqData.headers,
   };
 
-  let found = false;
+  let found;
   for (const inputType in valuesOfInterest) {
+    if (found) break;
+
     const values = valuesOfInterest[inputType];
 
     if (values && Object.keys(values).length) {
-      simpleTraverse(values, (path, type, value, obj) => {
-        if (
-          !found &&
-          type === 'Value' &&
-          isBackdoorDetected(value, command)
-        ) {
+      traverseValues(values, (path, type, value, obj) => {
+        if (isBackdoorDetected(value, command)) {
           let key;
           if (inputType === InputType.HEADER) {
             key = obj[path[0] - 1];
@@ -167,6 +168,9 @@ function findBackdoorInjection(sourceContext, command) {
             path: path.slice(0, -1),
             value: command
           };
+
+          // halt traversal
+          return true;
         }
       });
     }

package/lib/semantic-analysis/index.js

@@ -15,7 +15,7 @@
 
 'use strict';
 
-const { installChildComponentsSync } = require('@contrast/common');
+const { callChildComponentMethodsSync } = require('@contrast/common');
 
 /**
  * SEMANTIC ANALYSIS is a STAGE of Protect.
@@ -37,11 +37,8 @@ module.exports = function(core) {
   require('./install/libxmljs')(core);
 
   semanticAnalysis.install = function() {
-    installChildComponentsSync(semanticAnalysis);
+    callChildComponentMethodsSync(semanticAnalysis, 'install');
   };
 
-  // There is no `.install()` method as this STAGE does not introduce side effects on its own,
-  // it uses the instrumentation that's already in place for INPUT TRACING.
-
   return semanticAnalysis;
 };

package/lib/throw-security-exception.js

@@ -24,9 +24,7 @@ module.exports = function(core) {
     if (!sourceContext) return;
 
     const {
-      findings: {
-        securityException: [mode, ruleId]
-      }
+      securityException: [mode, ruleId]
     } = sourceContext;
 
     const err = securityException.create();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.8.1",
+  "version": "1.9.1",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -18,11 +18,11 @@
   },
   "dependencies": {
     "@contrast/agent-lib": "^5.1.0",
-    "@contrast/common": "1.1.5",
-    "@contrast/core": "1.7.1",
-    "@contrast/esm-hooks": "1.3.1",
+    "@contrast/common": "1.2.0",
+    "@contrast/core": "1.8.1",
+    "@contrast/esm-hooks": "1.4.1",
     "@contrast/scopes": "1.2.0",
     "ipaddr.js": "^2.0.1",
     "semver": "^7.3.7"
   }
-}
+}