merge resolved

lib/instrumentation-security/hooks/fs/nr-fs.js

@@ -142,9 +142,8 @@ function openHook(shim, mod, moduleName) {
  parameters[0] = API.getSecAgent().applicationInfo.serverInfo.deployedApplications[0].deployedPath + SLASH + parameters[0];
  } else if (parameters[0].startsWith(SLASHDOTDOT)) {
  parameters[0] = API.getSecAgent().applicationInfo.serverInfo.deployedApplications[0].deployedPath + parameters[0];
- } else {
- parameters[0] = path.resolve(parameters[0]);
- }
+ } 
+
  } catch (error) {
 
  }
@@ -188,11 +187,6 @@ function probableToFAHooks(shim, mod, moduleName) {
  const request = requestManager.getRequest(shim);
  if (request && typeof arguments[0] === STRING && !lodash.isEmpty(arguments[0])) {
  const traceObject = secUtils.getTraceObject(shim);
- try {
- parameters[0] = path.resolve(parameters[0]);
- } catch (error) {
-
- }
  let absoluteParameters = [parameters[0]];
  const secMetadata = securityMetaData.getSecurityMetaData(request, absoluteParameters, traceObject, secUtils.getExecutionId(), EVENT_TYPE.FILE_OPERATION, EVENT_CATEGORY.FILE)
  this.secEvent = API.generateSecEvent(secMetadata);
@@ -228,12 +222,6 @@ function probableToFIHooks(shim, mod, moduleName) {
  const request = requestManager.getRequest(shim);
  if (request && typeof arguments[0] === STRING && !lodash.isEmpty(arguments[0])) {
  const traceObject = secUtils.getTraceObject(shim);
- try {
- parameters[0] = path.resolve(parameters[0]);
- parameters[1] = path.resolve(parameters[1]);
- } catch (error) {
-
- }
  let absoluteParameters = [parameters[0]];
  if (fun === COPY_FILE || fun === RENAME) {
  const secMetadata = securityMetaData.getSecurityMetaData(request, parameters[1], traceObject, secUtils.getExecutionId(), getCase(arguments[1]), EVENT_CATEGORY.FILE)
@@ -271,11 +259,6 @@ function probablePromiseToFAHooks(shim, mod, moduleName) {
  const request = requestManager.getRequest(shim);
  if (request && typeof arguments[0] === STRING && !lodash.isEmpty(arguments[0])) {
  const traceObject = secUtils.getTraceObject(shim);
- try {
- parameters[0] = path.resolve(parameters[0]);
- } catch (error) {
-
- }
  let absoluteParameters = [parameters[0]];
  const secMetadata = securityMetaData.getSecurityMetaData(request, absoluteParameters, traceObject, secUtils.getExecutionId(), EVENT_TYPE.FILE_OPERATION, EVENT_CATEGORY.FILE)
  this.secEvent = API.generateSecEvent(secMetadata);
@@ -304,12 +287,6 @@ function probablePromiseToFIHooks(shim, mod, moduleName) {
  const request = requestManager.getRequest(shim);
  if (request && typeof arguments[0] === STRING && !lodash.isEmpty(arguments[0])) {
  const traceObject = secUtils.getTraceObject(shim);
- try {
- parameters[0] = path.resolve(parameters[0]);
- parameters[1] = path.resolve(parameters[1]);
- } catch (error) {
-
- }
  let absoluteParameters = [parameters[0]];
  if (fun === COPY_FILE || fun === RENAME) {
  const secMetadata = securityMetaData.getSecurityMetaData(request, parameters[1], traceObject, secUtils.getExecutionId(), getCase(arguments[1]), EVENT_CATEGORY.FILE)

lib/instrumentation-security/hooks/http/nr-http.js

@@ -34,7 +34,8 @@ const semver = require('semver');
 const ExceptionReporting = require('../../../nr-security-agent/lib/core/ExceptionReporting');
 
 const CSEC_SEP = ':IAST:';
-const find = '{{NR_CSEC_VALIDATOR_HOME_TMP}}';
+const sep = require('path').sep;
+const find = `${sep}{{NR_CSEC_VALIDATOR_HOME_TMP}}`;
 const CSEC_HOME_TMP_CONST = new RegExp(find, 'g');
 let CSEC_HOME = NRAgent && NRAgent.config.newrelic_home ? NRAgent.config.newrelic_home : NRAgent && NRAgent.config.logging.filepath ? path.dirname(NRAgent.config.logging.filepath) : require('path').join(process.cwd());
 const CSEC_HOME_TMP = `${CSEC_HOME}/nr-security-home/tmp/language-agent/${process.env.applicationUUID}`
@@ -189,6 +190,7 @@ function parseFuzzheaders(requestData, transactionId) {
  logger.debug("fliesTocreate:", filesToCreate);
  for (let i = 0; i < filesToCreate.length; i++) {
  let file = filesToCreate[i].trim();
+ file = decodeURIComponent(file);
  file = file.replace(CSEC_HOME_TMP_CONST, CSEC_HOME_TMP);
  file = path.resolve(file);
  const parentDir = path.dirname(file);

lib/nr-security-agent/lib/core/connections/websocket/response/fuzz-request-handler.js

@@ -25,7 +25,7 @@ const PolicyManager = require('../../../Policy');
 const find = `${SLASH}{{NR_CSEC_VALIDATOR_HOME_TMP}}`;
 const CSEC_HOME_TMP_CONST = new RegExp(find, 'g');
 
-const commonUtils = require('../../../commonUtils');
+const CSEC_HOME_TMP_CONST_ENCODED = new RegExp('%7B%7BNR_CSEC_VALIDATOR_HOME_TMP%7D%7D', 'g');
 
 let logger;
 let lastFuzzEventTime = 0;
@@ -52,7 +52,7 @@ function startIASTSchedular() {
  if (isNaN(probingInterval)) {
  probingInterval = 5;
  }
- 
+
  iastIntervalConst = setInterval(() => {
  let data = IASTUtil.generateIASTDataRequest();
  let currentTime = Date.now();
@@ -90,15 +90,22 @@ function logScannedApiId(fuzzHeader, requestURL) {
 function handler(json) {
  setLastFuzzEventTime();
  let rawFuzzRequest = json.arguments[0];
- rawFuzzRequest = rawFuzzRequest.replace(CSEC_HOME_TMP_CONST, CSEC_HOME_TMP);
+
+ try {
+ rawFuzzRequest = rawFuzzRequest.replace(CSEC_HOME_TMP_CONST, CSEC_HOME_TMP);
+ rawFuzzRequest = rawFuzzRequest.replace(CSEC_HOME_TMP_CONST_ENCODED, encodeURI(CSEC_HOME_TMP));
+ } catch (error) {
+ logger.debug("Error while replacing place holder", error);
+ }
+
  let fuzzRequest;
  try {
  fuzzRequest = JSON.parse(rawFuzzRequest);
  fuzzRequest['id'] = json.id;
  IASTUtil.addPendingRequestId(json.id);
  } catch (error) {
  logger.error('Parsing exeception in fuzz request: ', error);
- 
+
  const logMessage = new LogMessage.logMessage(SEVERE, 'Parsing exeception in fuzz request', __filename, error);
  require('../../../commonUtils').addLogEventtoBuffer(logMessage);
  }