@contrast/protect 1.9.1 → 1.11.0

package/lib/error-handlers/install/express4.js

@@ -29,6 +29,26 @@ module.exports = function(core) {
 
   const express4ErrorHandler = protect.errorHandlers.express4ErrorHandler = {};
 
+  function aroundFn(name) {
+    return function around(orig, data) {
+      const [err] = data.args;
+      const sourceContext = protect.getSourceContext(name);
+      const isSecurityException = SecurityException.isSecurityException(err);
+
+      if (isSecurityException && sourceContext) {
+        const blockInfo = sourceContext.securityException;
+
+        sourceContext.block(...blockInfo);
+        return;
+      }
+
+      if (!sourceContext && isSecurityException) {
+        logger.info('source context not found; unable to handle response');
+      }
+      return orig();
+    };
+  }
+
   express4ErrorHandler.install = function () {
     depHooks.resolve({ name: 'finalhandler' }, (finalhandler) =>
       patcher.patch(finalhandler, {
@@ -38,23 +58,7 @@ module.exports = function(core) {
           data.result = patcher.patch(data.result, {
             name: 'finalHandler.returnedFunction',
             patchType,
-            around(orig, data) {
-              const [err] = data.args;
-              const sourceContext = protect.getSourceContext('finalHandler');
-              const isSecurityException = SecurityException.isSecurityException(err);
-
-              if (isSecurityException && sourceContext) {
-                const blockInfo = sourceContext.securityException;
-
-                sourceContext.block(...blockInfo);
-                return;
-              }
-
-              if (!sourceContext && isSecurityException) {
-                logger.info('source context not found; unable to handle response');
-              }
-              return orig();
-            },
+            around: aroundFn('finalHandler')
           });
         },
       })
@@ -64,23 +68,7 @@ module.exports = function(core) {
       patcher.patch(Layer.prototype, 'handle_error', {
         name: 'Layer.prototype.handle_error',
         patchType,
-        around(orig, data) {
-          const [err] = data.args;
-          const sourceContext = protect.getSourceContext('express.Layer.handle_error');
-          const isSecurityException = SecurityException.isSecurityException(err);
-
-          if (isSecurityException && sourceContext) {
-            const blockInfo = sourceContext.securityException;
-
-            sourceContext.block(...blockInfo);
-            return;
-          }
-
-          if (!sourceContext && isSecurityException) {
-            logger.info('source context not found; unable to handle response');
-          }
-          return orig();
-        }
+        around: aroundFn('express.Layer.handle_error')
       });
 
       // This should be revisited after the research ticket NODE-2556

package/lib/index.d.ts

@@ -26,28 +26,6 @@ type Http = typeof http;
 type Https = typeof https;
 
 export type Block = (mode: string, ruleId: string) => void;
-export class HttpInstrumentation {
-  messages: Messages;
-  scope: Sources;
-  config: Config;
-  logger: Logger;
-  depHooks: RequireHook;
-  protect: ProtectMessage;
-  makeSourceContext: Protect['makeSourceContext'];
-  maxBodySize: number;
-  installed: boolean;
-
-  constructor(core: any);
-
-  install(): void;
-  uninstall(): void; //NYI
-  hookHttp(): void;
-  hookHttps(): void;
-  hookServer(xport: Http | Https): void;
-  initiateRequestHandling(fnContext: { instance: any, method: any, args: any }): void; //TODO
-  removeCookies(headers: string[]): string[];
-}
-
 export interface ProtectRequestStore {
   reqData: ReqData;
   block: Block;
@@ -95,7 +73,7 @@ export interface Protect {
     expressInstrumentation: { install: () => void },
     fastifyInstrumentation: { install: () => void },
     koaInstrumentation: { install: () => void },
-    httpInstrumentation: HttpInstrumentation,
+    httpInstrumentation: { install: () => void },
     install: () => void,
   },
   inputTracing: {

package/lib/input-analysis/install/http.js

@@ -15,203 +15,57 @@
 
 'use strict';
 
+const { patchType } = require('../constants');
 const { Event } = require('@contrast/common');
 
-// Instruments http `Server` and `IncomingMessage` instances to support input
-// analysis in framework-agnostic manner.
-
 module.exports = function(core) {
-  const { protect: { inputAnalysis } } = core;
-  inputAnalysis.httpInstrumentation = new HttpInstrumentation(core);
-  return inputAnalysis.httpInstrumentation;
-};
-class HttpInstrumentation {
-  constructor(core) {
-    this.messages = core.messages;
-    this.scope = core.scopes.sources;
-    this.config = core.config;
-    this.logger = core.logger.child('contrast:protect:input-analysis');
-    this.depHooks = core.depHooks;
-    this.protect = core.protect;
-    this.patcher = core.patcher;
-    this.makeSourceContext = this.protect.makeSourceContext;
-    this.maxBodySize = 16 * 1024 * 1024;
-    this.installed = false;
-  }
-
-  /**
-   * After checking whether the sensor is enabled, will set up `require` hooks
-   * for instrumenting both `http` and `https` modules when they load.
-   */
-  install() {
-    if (this.installed) {
-      return;
-    }
-
-    this.installed = true;
-    this.hookHttp();
-    this.hookHttps();
-    this.hookHttp2();
-  }
-
-  uninstall() {
-    return null; //NYI
-  }
-
-  /**
-   * Sets hooks to instrument `http.Server.prototype`.
-   */
-  hookHttp() {
-    this.logger.debug('hooking library: http');
-    this.depHooks.resolve({ name: 'http' }, (http) => this.hookServerEmit.call(this, http, 'httpServer'));
-  }
-
-  /**
-   * Sets hooks to instrument `https.Server.prototype`.
-   */
-  hookHttps() {
-    this.logger.debug('hooking library: https');
-    this.depHooks.resolve({ name: 'https' }, (https) => this.hookServerEmit.call(this, https, 'httpsServer'));
-  }
-
-  /**
-   * Sets hooks to instrument `http2 Servers`.
-   */
-  hookHttp2() {
-    this.logger.debug('hooking library: http2');
-    // http2 library does not expose its Server class, so we need to hook the createServer function
-    this.depHooks.resolve({ name: 'http2' }, (http2) => this.hookCreateServer.call(this, http2, 'http2Server'));
-    this.depHooks.resolve({ name: 'http2' }, (http2) => this.hookCreateServer.call(this, http2, 'http2SecureServer', 'createSecureServer'));
-
-    this.logger.debug('hooking library: spdy');
-    this.depHooks.resolve({ name: 'spdy' }, (spdy) => this.hookServerEmit.call(this, spdy, 'spdyServer'));
-  }
-
-  /**
-   * Instruments the `Server` prototype from `http(s)` or spdy's http2 Server. This patches `emit` and
-   * invokes the protect service to do analysis when appropriate.
-   */
-  hookServerEmit(serverSource, sourceName) {
-    serverSource.Server.prototype = this.patcher.patch(serverSource.Server.prototype, 'emit', {
-      name: `${sourceName}.Server.prototype.emit`,
-      patchType: 'initiate-handling',
-      around: this.emitAroundHook.bind(this)
-    });
-  }
-
-  /**
-   * Instruments the `Http2Server` prototype which results from the http2.createServer/createSecureServer() call.
-   * This also patches `emit` and
-   * invokes the protect service to do analysis when appropriate.
-   */
-  hookCreateServer(serverSource, sourceName, constructorName = 'createServer') {
-    const self = this;
-
-    return this.patcher.patch(serverSource, constructorName, {
-      name: sourceName,
-      patchType: 'initiate-handling',
-      post(data) {
-
-        const { result: server } = data;
-        const serverPrototype = server ? Object.getPrototypeOf(server) : null;
-
-        if (!serverPrototype) {
-          self.logger.error('Unable to patch server prototype, continue without instrumentation');
-          return;
-        }
-
-        self.patcher.patch(serverPrototype, 'emit', {
-          name: `${sourceName}.Server.prototype.emit`,
-          patchType: 'req-async-storage',
-          around: self.emitAroundHook.bind(self)
-        });
+  const {
+    logger,
+    messages,
+    scopes: { sources },
+    instrumentation: { instrument },
+    protect: { inputAnalysis },
+  } = core;
+
+  function removeCookies(headers) {
+    for (let i = 0; i < headers.length; i += 2) {
+      if (headers[i] === 'cookies') {
+        headers = headers.slice();
+        headers.splice(i, 2);
       }
-    });
+    }
+    return headers;
   }
 
-  /**
-   * The around hook for `emit` that
-   * invokes the protect service to do analysis when appropriate.
-   */
-  emitAroundHook(next, data) {
-    const [type] = data.args;
+  function around(next, data) {
+    let store, block;
+    const { args: [type, req, res] } = data;
 
     if (type !== 'request') {
       return next();
     }
 
-    const context = { instance: data.obj, method: next, args: data.args };
-    this.initiateRequestHandling(context);
-    return !!data.obj._events[type];
-  }
-
-  /**
-   * Creates the sourceContext for the request and invokes the handler for
-   * inputs that are present in the 'incomingMessage' object at the time of
-   * the 'connect' event.
-   *
-   * @param {Object} context Function invocation context
-   */
-  initiateRequestHandling(fnContext) {
-    const {
-      instance,
-      method,
-      args,
-      args: [, req, res]
-    } = fnContext;
-
-    let store;
-    let block;
-
     try {
-      const { messages, protect: { inputAnalysis } } = this; // the functions that do input analysis
-
-      // this must be invoked by the patching code using scope.sources.run({}, ...)
-      // so that an async context is present.
-      store = this.scope.getStore();
-      // nothing can be done if async context is not available.
-
+      store = sources.getStore();
       if (!store) {
-        this.logger.debug('cannot acquire store for initiateRequestHandling()');
-        setImmediate(() => method.call(instance, ...args));
-        return;
-      }
-      store.protect = this.makeSourceContext(req, res);
-
-      if (store.protect.allowed) {
-        setImmediate(() => method.call(instance, ...args));
+        logger.debug('cannot acquire store for around()');
         return;
       }
 
-      const { reqData } = store.protect;
+      store.protect = core.protect.makeSourceContext(req, res);
+      const {
+        reqData: { headers, uriPath, method }
+      } = store.protect;
 
       res.on('finish', () => {
-        this.protect.inputAnalysis.handleRequestEnd(store.protect);
+        inputAnalysis.handleRequestEnd(store.protect);
         messages.emit(Event.PROTECT, store);
       });
 
-      // don't put inputs in the store; they are a param to each handler. findings
-      // associated with inputs do go into the store. why not put the inputs
-      // into the store? after all, the inputs come from the store. mostly because
-      // they can really add up to a lot of data that isn't going to be used.
-      //
-      // how to replace result in resultsList, e.g., queries find something
-      // but then framework emits parsed queries? does this only matter for
-      // no-sql? index-lookup or hash?
-      //
-      // create inputs for this handler. we defer cookies until the framework
-      // parses them because there is no way to be certain of their formatting
-      // and encoding.
-      //
-      // the primary reason for this is to avoid passing the incomingMessage,
-      // req, to all the handlers allowing direct access to it and tightly
-      // coupling all handlers to an extensive collection of data.
       const connectInputs = {
-        headers: HttpInstrumentation.removeCookies(reqData.headers),
-        uriPath: reqData.uriPath,
-        rawUrl: req.url,
-        // TODO AGENT-203 - need to handle method-tampering rule.
-        method: reqData.method,
+        headers: removeCookies(headers),
+        uriPath,
+        method
       };
 
       if (inputAnalysis.virtualPatchesEvaluators?.length) {
@@ -229,25 +83,61 @@ class HttpInstrumentation {
 
       block = block || inputAnalysis.handleConnect(store.protect, connectInputs);
     } catch (err) {
-      this.logger.error({ err }, 'Error during input analysis');
+      logger.error({ err }, 'Error during input analysis');
     }
 
     if (!block) {
-      setImmediate(() => method.call(instance, ...args));
+      setImmediate(() => next.call(data.obj, ...data.args));
     } else {
       store.protect.block(...block);
-      this.logger.debug({ block }, 'request blocked by not emitting request event');
+      logger.debug({ block }, 'request blocked by not emitting request event');
     }
   }
 
-  static removeCookies(headers) {
-    for (let i = 0; i < headers.length; i += 2) {
-      if (headers[i] === 'cookies') {
-        headers = headers.slice();
-        headers.splice(i, 2);
-        return headers;
-      }
-    }
-    return headers;
+  function install() {
+    [{
+      moduleName: 'http'
+    },
+    {
+      moduleName: 'https'
+    },
+    {
+      moduleName: 'spdy'
+    },
+    {
+      moduleName: 'http2',
+      patchObjectsProps: [
+        {
+          methods: ['createServer', 'createSecureServer'],
+          patchType,
+          patchObjects: [
+            {
+              name: 'Server.prototype',
+              methods: ['emit'],
+              patchType,
+              around
+            }
+          ]
+        }
+      ]
+    }].forEach(({ moduleName, patchObjectsProps }) => {
+      const patchObjects = patchObjectsProps || [
+        {
+          name: 'Server.prototype',
+          methods: ['emit'],
+          patchType,
+          around
+        }
+      ];
+      instrument({
+        moduleName,
+        patchObjects
+      });
+    });
   }
-}
+
+  return inputAnalysis.httpInstrumentation = {
+    install,
+    around
+  };
+};

package/lib/input-tracing/handlers/index.js

@@ -149,9 +149,8 @@ module.exports = function(core) {
         if (typeof sinkContext.value === 'object') {
           traverseKeysAndValues(sinkContext.value, function(path, type, value) {
             if (type !== 'Key' && !agentLib.isMongoQueryType(value)) return;
-
-            stringFindings = handleStringValue(result, sinkContext.value[value], agentLib);
-
+            const cmdVal = sinkContext.value[value];
+            stringFindings = handleStringValue(result, cmdVal?.['$function']?.body || cmdVal, agentLib);
             // halt traversal
             return true;
           });
@@ -289,9 +288,11 @@ function handleStringValue(result, cmd, agentLib) {
   if (typeof cmd !== 'string') {
     return null;
   }
+
   let findings = null;
+  let inputIndex = -1;
+  inputIndex = cmd.indexOf(result.value);
 
-  const inputIndex = cmd.indexOf(result.value);
   // if the user input is not in the sink input, there is nothing to do.
   if (inputIndex === -1) {
     return findings;

package/lib/input-tracing/install/vm.js

@@ -27,105 +27,49 @@ module.exports = function(core) {
     protect: { inputTracing }
   } = core;
 
+  function pre({ args, hooked, orig, name }) {
+    if (instrumentation.isLocked()) return;
+
+    const sourceContext = protect.getSourceContext(name);
+    if (!sourceContext) return;
+
+    for (let i = 0; i < (name === 'vm.runInNewContext' ? 2 : 1); i++) {
+      const arg = args[i];
+      if (!((arg && isString(arg)) || isNonEmptyObject(arg))) continue;
+
+      const sinkContext = {
+        name,
+        value: arg,
+        stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
+      };
+      inputTracing.ssjsInjection(sourceContext, sinkContext);
+    }
+  }
+
   function install() {
     depHooks.resolve({ name: 'vm' }, (vm) => {
-      ['Script', 'createScript', 'runInContext', 'runInThisContext'].forEach(
+      [
+        'Script',
+        'createScript',
+        'runInContext',
+        'runInThisContext',
+        'createContext',
+        'runInNewContext'
+      ].forEach(
         (method) => {
           const name = `vm.${method}`;
-
           patcher.patch(vm, method, {
             name,
             patchType,
-            pre({ args, hooked, name, orig }) {
-              if (instrumentation.isLocked()) return;
-
-              const sourceContext = protect.getSourceContext(name);
-              if (!sourceContext) return;
-
-              const codeString = args[0];
-              if (!codeString || !isString(codeString)) return;
-
-              const sinkContext = {
-                name,
-                value: codeString,
-                stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
-              };
-              inputTracing.ssjsInjection(sourceContext, sinkContext);
-            }
+            pre
           });
         }
       );
 
-      patcher.patch(vm, 'runInNewContext', {
-        name: 'vm.runInNewContext',
-        patchType,
-        pre: ({ args, hooked, orig }) => {
-          if (instrumentation.isLocked()) return;
-
-          const sourceContext = protect.getSourceContext('vm.runInNewContext');
-          if (!sourceContext) return;
-
-          const codeString = args[0];
-          const envObj = args[1];
-
-          if ((!codeString || !isString(codeString)) && (!isNonEmptyObject(envObj))) return;
-
-          const codeStringSinkContext = (codeString && isString(codeString)) ? {
-            name: 'vm.runInNewContext',
-            value: codeString,
-            stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }
-          } : null;
-          const envObjSinkContext = isNonEmptyObject(envObj) ? {
-            name: 'vm.runInNewContext',
-            value: envObj,
-            stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }
-          } : null;
-
-          codeStringSinkContext && inputTracing.ssjsInjection(sourceContext, codeStringSinkContext);
-          envObjSinkContext && inputTracing.ssjsInjection(sourceContext, envObjSinkContext);
-        }
-      });
-
-      patcher.patch(vm, 'createContext', {
-        name: 'vm.createContext',
-        patchType,
-        pre: ({ args, hooked, orig }) => {
-          if (instrumentation.isLocked()) return;
-
-          const sourceContext = protect.getSourceContext('vm.createContext');
-          if (!sourceContext) return;
-
-          const envObj = args[0];
-          if (!isNonEmptyObject(envObj)) return;
-
-          const sinkContext = {
-            name: 'vm.createContext',
-            value: envObj,
-            stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
-          };
-          inputTracing.ssjsInjection(sourceContext, sinkContext);
-        }
-      });
-
       patcher.patch(vm.Script.prototype, 'runInNewContext', {
         name: 'vm.Script.prototype.runInNewContext',
         patchType,
-        pre: ({ args, hooked, orig }) => {
-          if (instrumentation.isLocked()) return;
-
-          const sourceContext = protect.getSourceContext('vm.Script.prototype.runInNewContext');
-          if (!sourceContext) return;
-
-          const envObj = args[0];
-          if (!isNonEmptyObject(envObj)) return;
-
-          const sinkContext = {
-            name: 'vm.Script.prototype.runInNewContext',
-            value: envObj,
-            stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
-          };
-          inputTracing.ssjsInjection(sourceContext, sinkContext);
-        }
+        pre
       });
     });
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.9.1",
+  "version": "1.11.0",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -18,11 +18,11 @@
   },
   "dependencies": {
     "@contrast/agent-lib": "^5.1.0",
-    "@contrast/common": "1.2.0",
-    "@contrast/core": "1.8.1",
-    "@contrast/esm-hooks": "1.4.1",
+    "@contrast/common": "1.3.1",
+    "@contrast/core": "1.10.0",
+    "@contrast/esm-hooks": "1.6.0",
     "@contrast/scopes": "1.2.0",
     "ipaddr.js": "^2.0.1",
     "semver": "^7.3.7"
   }
-}
+}