@contrast/agent-bundle 5.39.0 → 5.40.0

package/node_modules/@contrast/agent/lib/start-agent.js

@@ -19,7 +19,6 @@ const process = require('process');
 const { isMainThread, threadId } = require('worker_threads');
 const { safeConsoleError, safeConsoleWarn } = require('@contrast/common');
 const { Core } = require('@contrast/core/lib/ioc/core');
-const _agentify = require('@contrast/agentify');
 
 const {
   name: agentName,
@@ -30,6 +29,8 @@ const {
   }
 } = require('../package.json');
 
+const kContrastInitialized = Symbol(`${agentName}:initialized`);
+
 function initCore() {
   const core = new Core({
     agentName,
@@ -70,46 +71,55 @@ function loadFeatures(core) {
 }
 
 function startAgent({ type = 'cjs' } = {}) {
-  if (isMainThread) {
-    try {
-      const core = initCore();
-      const agentify = _agentify(core);
-
-      return agentify(loadFeatures, {
-        installOrder: [
-          'reporter',
-          'startupValidation',
-          'telemetry',
-          'contrastMethods',
-          'deadzones',
-          'scopes',
-          'secObs',
-          'sources',
-          'architectureComponents',
-          'routeCoverage',
-          'assess',
-          'protect',
-          'depHooks',
-          'libraryAnalysis',
-          'heapSnapshots',
-          'metrics',
-          'rewriteHooks',
-          'functionHooks',
-          'esmHooks',
-          'diagnostics',
-        ],
-        type
-      });
-    } catch (cause) {
-      // agentify should catch any startup errors and handle necessary logging,
-      // but this is just in case a fatal error occurs during composition.
-      safeConsoleError(new Error(
-        'Startup error was not handled by agentify. Application Will be run without instrumentation.',
-        { cause }
-      ));
-    }
-  } else {
+  if (!isMainThread) {
     safeConsoleWarn('Not in main thread. Thread (tid: %d) continuing without instrumentation.', threadId);
+    return;
+  }
+
+  if (global[kContrastInitialized]) {
+    safeConsoleWarn('%s has already been initialized. Continuing without reinstrumentation.', agentName);
+    return;
+  }
+
+  try {
+    global[kContrastInitialized] = true;
+
+    const core = initCore();
+    const agentify = require('@contrast/agentify')(core);
+
+    return agentify(loadFeatures, {
+      installOrder: [
+        'reporter',
+        'startupValidation',
+        'telemetry',
+        'contrastMethods',
+        'deadzones',
+        'scopes',
+        'secObs',
+        'sources',
+        'architectureComponents',
+        'routeCoverage',
+        'assess',
+        'protect',
+        'depHooks',
+        'libraryAnalysis',
+        'heapSnapshots',
+        'metrics',
+        'rewriteHooks',
+        'functionHooks',
+        'esmHooks',
+        'diagnostics',
+      ],
+      type
+    });
+  } catch (cause) {
+    delete global[kContrastInitialized];
+    // agentify should catch any startup errors and handle necessary logging,
+    // but this is just in case a fatal error occurs during composition.
+    safeConsoleError(new Error(
+      'Startup error was not handled by agentify. Application Will be run without instrumentation.',
+      { cause }
+    ));
   }
 }
 

package/node_modules/@contrast/agent/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "5.39.0",
+  "version": "5.40.0",
   "description": "Assess and Protect agents for Node.js",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -27,15 +27,15 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/agentify": "1.52.0",
-    "@contrast/architecture-components": "1.42.0",
-    "@contrast/assess": "1.58.0",
-    "@contrast/common": "1.34.0",
-    "@contrast/core": "1.54.0",
-    "@contrast/library-analysis": "1.44.0",
-    "@contrast/protect": "1.64.0",
-    "@contrast/route-coverage": "1.45.0",
+    "@contrast/agentify": "1.52.2",
+    "@contrast/architecture-components": "1.42.2",
+    "@contrast/assess": "1.58.2",
+    "@contrast/common": "1.34.2",
+    "@contrast/core": "1.54.2",
+    "@contrast/library-analysis": "1.44.2",
+    "@contrast/protect": "1.64.2",
+    "@contrast/route-coverage": "1.45.2",
     "@contrast/sec-obs": "1.0.0-alpha.8",
-    "@contrast/telemetry": "1.29.0"
+    "@contrast/telemetry": "1.29.2"
   }
 }

package/node_modules/@contrast/agentify/lib/sources.js

@@ -37,6 +37,7 @@ module.exports = function(core) {
           // take a snapshot of Perf.all at this point. this will get logged
           // at some point on the perf interval timer.
           core.Perf.mark('listening');
+          messages.emit(Event.SERVER_LISTENING, { type: serverType, server: data.obj });
         }
         return next();
       }

package/node_modules/@contrast/agentify/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agentify",
-  "version": "1.52.0",
+  "version": "1.52.2",
   "description": "Configures Contrast agent services and instrumentation within an application",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,21 +20,21 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.34.0",
-    "@contrast/config": "1.49.0",
-    "@contrast/core": "1.54.0",
-    "@contrast/deadzones": "1.26.0",
-    "@contrast/dep-hooks": "1.23.0",
-    "@contrast/esm-hooks": "2.28.0",
+    "@contrast/common": "1.34.2",
+    "@contrast/config": "1.49.2",
+    "@contrast/core": "1.54.2",
+    "@contrast/deadzones": "1.26.2",
+    "@contrast/dep-hooks": "1.23.2",
+    "@contrast/esm-hooks": "2.28.2",
     "@contrast/find-package-json": "^1.1.0",
-    "@contrast/instrumentation": "1.33.0",
-    "@contrast/logger": "1.27.0",
-    "@contrast/metrics": "1.31.0",
-    "@contrast/patcher": "1.26.0",
+    "@contrast/instrumentation": "1.33.2",
+    "@contrast/logger": "1.27.2",
+    "@contrast/metrics": "1.31.2",
+    "@contrast/patcher": "1.26.2",
     "@contrast/perf": "1.3.1",
-    "@contrast/reporter": "1.51.0",
-    "@contrast/rewriter": "1.30.0",
-    "@contrast/scopes": "1.24.0",
+    "@contrast/reporter": "1.51.2",
+    "@contrast/rewriter": "1.30.2",
+    "@contrast/scopes": "1.24.2",
     "on-finished": "^2.4.1",
     "semver": "^7.6.0"
   }

package/node_modules/@contrast/architecture-components/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/architecture-components",
-  "version": "1.42.0",
+  "version": "1.42.2",
   "description": "Detects external systems being connected to by applications.",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,9 +20,9 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.34.0",
-    "@contrast/dep-hooks": "1.23.0",
-    "@contrast/logger": "1.27.0",
-    "@contrast/patcher": "1.26.0"
+    "@contrast/common": "1.34.2",
+    "@contrast/dep-hooks": "1.23.2",
+    "@contrast/logger": "1.27.2",
+    "@contrast/patcher": "1.26.2"
   }
 }

package/node_modules/@contrast/assess/lib/crypto-analysis/install/math.js

@@ -52,6 +52,7 @@ module.exports = function (core) {
           if (!getSinkContext(ruleId)) return;
 
           const event = eventFactory.createCryptoAnalysisEvent({
+            args: [],
             context: 'Math.random()',
             methodName: 'random',
             moduleName: 'global.Math',

package/node_modules/@contrast/assess/lib/dataflow/propagation/install/string/replace.js

@@ -288,10 +288,13 @@ module.exports = function(core) {
             source: data._objInfo ? (data._history.size > 1 ? 'A' : 'O') : 'P',
             target: 'R',
           });
-          if (!event) return null;
 
-          const { extern } = tracker.track(result, event);
-          return extern;
+          if (event) {
+            const { extern } = tracker.track(result, event);
+            return extern;
+          }
+
+          return result;
         }
       });
     },

package/node_modules/@contrast/assess/lib/dataflow/sources/index.js

@@ -26,7 +26,7 @@ module.exports = function (core) {
   require('./install/hapi')(core);
   require('./install/koa')(core);
   require('./install/restify')(core);
-  require('./install/body-parser1')(core);
+  require('./install/body-parser')(core);
   require('./install/busboy')(core);
   require('./install/cookie-parser1')(core);
   require('./install/formidable1')(core);

package/node_modules/@contrast/assess/lib/dataflow/sources/install/{body-parser1.js → body-parser.js}

@@ -97,7 +97,7 @@ module.exports = function init(core) {
   core.assess.dataflow.sources.bodyParser1Instrumentation = {
     install() {
       depHooks.resolve(
-        { name: 'body-parser', version: '>=1 <2' },
+        { name: 'body-parser', version: '>=1 <3' },
         /** @param {import('body-parser').BodyParser} bodyParser */
         (bodyParser) => {
           bodyParser = patcher.patch(bodyParser, {

package/node_modules/@contrast/assess/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.58.0",
+  "version": "1.58.2",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,17 +20,17 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.34.0",
-    "@contrast/config": "1.49.0",
-    "@contrast/core": "1.54.0",
-    "@contrast/dep-hooks": "1.23.0",
+    "@contrast/common": "1.34.2",
+    "@contrast/config": "1.49.2",
+    "@contrast/core": "1.54.2",
+    "@contrast/dep-hooks": "1.23.2",
     "@contrast/distringuish": "^5.1.0",
-    "@contrast/instrumentation": "1.33.0",
-    "@contrast/logger": "1.27.0",
-    "@contrast/patcher": "1.26.0",
-    "@contrast/rewriter": "1.30.0",
-    "@contrast/route-coverage": "1.45.0",
-    "@contrast/scopes": "1.24.0",
+    "@contrast/instrumentation": "1.33.2",
+    "@contrast/logger": "1.27.2",
+    "@contrast/patcher": "1.26.2",
+    "@contrast/rewriter": "1.30.2",
+    "@contrast/route-coverage": "1.45.2",
+    "@contrast/scopes": "1.24.2",
     "semver": "^7.6.0"
   }
 }

package/node_modules/@contrast/common/lib/constants.d.ts

@@ -1,5 +1,6 @@
 export declare enum Event {
     RESPONSE_FINISH = "response-finish",
+    SERVER_LISTENING = "server-listening",
     ROUTE_COVERAGE_DISCOVERY_FINISHED = "route-coverage-discovery-finished",
     ARCHITECTURE_COMPONENT = "architecture-component",
     ASSESS_DATAFLOW_FINDING = "assess-dataflow-findings",
@@ -188,6 +189,11 @@ export declare enum DataflowTag {
     COOKIE = "COOKIE",
     WEAK_URL_ENCODED = "WEAK_URL_ENCODED"
 }
+export declare enum ServerEnvironment {
+    QA = "QA",
+    PRODUCTION = "PRODUCTION",
+    DEVELOPMENT = "DEVELOPMENT"
+}
 export declare const BLOCKING_MODES: readonly ["block", "block_at_perimeter"];
 export declare const FS_METHODS: readonly [{
     readonly name: "access";
@@ -382,4 +388,14 @@ export declare enum agentLibIDListTypes {
 export declare const symbols: {
     readonly kMetrics: symbol;
 };
+export declare const URI_REGEXES: readonly [{
+    readonly rx: RegExp;
+    readonly rp: "{uuid}";
+}, {
+    readonly rx: RegExp;
+    readonly rp: "{hash}";
+}, {
+    readonly rx: RegExp;
+    readonly rp: "{n}";
+}];
 //# sourceMappingURL=constants.d.ts.map

package/node_modules/@contrast/common/lib/constants.js

@@ -14,11 +14,12 @@
  * way not consistent with the End User License Agreement.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.symbols = exports.agentLibIDListTypes = exports.FS_METHODS = exports.BLOCKING_MODES = exports.DataflowTag = exports.ExclusionType = exports.InputType = exports.SessionConfigurationRule = exports.ResponseScanningRule = exports.Rule = exports.ProtectRuleMode = exports.Event = void 0;
+exports.URI_REGEXES = exports.symbols = exports.agentLibIDListTypes = exports.FS_METHODS = exports.BLOCKING_MODES = exports.ServerEnvironment = exports.DataflowTag = exports.ExclusionType = exports.InputType = exports.SessionConfigurationRule = exports.ResponseScanningRule = exports.Rule = exports.ProtectRuleMode = exports.Event = void 0;
 var Event;
 (function (Event) {
     // lifecycle
     Event["RESPONSE_FINISH"] = "response-finish";
+    Event["SERVER_LISTENING"] = "server-listening";
     Event["ROUTE_COVERAGE_DISCOVERY_FINISHED"] = "route-coverage-discovery-finished";
     // reports
     Event["ARCHITECTURE_COMPONENT"] = "architecture-component";
@@ -219,6 +220,12 @@ var DataflowTag;
     DataflowTag["COOKIE"] = "COOKIE";
     DataflowTag["WEAK_URL_ENCODED"] = "WEAK_URL_ENCODED";
 })(DataflowTag || (exports.DataflowTag = DataflowTag = {}));
+var ServerEnvironment;
+(function (ServerEnvironment) {
+    ServerEnvironment["QA"] = "QA";
+    ServerEnvironment["PRODUCTION"] = "PRODUCTION";
+    ServerEnvironment["DEVELOPMENT"] = "DEVELOPMENT";
+})(ServerEnvironment || (exports.ServerEnvironment = ServerEnvironment = {}));
 exports.BLOCKING_MODES = ['block', 'block_at_perimeter'];
 exports.FS_METHODS = [
     { name: 'access', promises: true, sync: true, indices: [0] },
@@ -267,4 +274,18 @@ var agentLibIDListTypes;
 exports.symbols = {
     kMetrics: Symbol('contrast.metrics'),
 };
+exports.URI_REGEXES = [
+    {
+        rx: /[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}/g,
+        rp: '{uuid}'
+    },
+    {
+        rx: /([a-fA-F0-9]{2}){16,}/g,
+        rp: '{hash}'
+    },
+    {
+        rx: /(\d+)/g,
+        rp: '{n}'
+    },
+];
 //# sourceMappingURL=constants.js.map

package/node_modules/@contrast/common/lib/index.d.ts

@@ -37,4 +37,5 @@ export declare function set(obj: Record<string, any>, name: string, value: any):
 export declare function safeConsoleError(...args: Parameters<typeof console.error>): void;
 /** Suppresses output to stderr when installed by the universal agent */
 export declare function safeConsoleWarn(...args: Parameters<typeof console.warn>): void;
+export declare function normalizeURI(uri: string): string;
 //# sourceMappingURL=index.d.ts.map

package/node_modules/@contrast/common/lib/index.js

@@ -28,14 +28,14 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.safeConsoleWarn = exports.safeConsoleError = exports.set = exports.get = exports.groupResultsMap = exports.callChildComponentMethods = exports.callChildComponentMethodsSync = exports.traverseKeys = exports.traverseValues = exports.traverseKeysAndValues = exports.encodeString = exports.isNonEmptyObject = exports.isString = exports.empties = void 0;
+exports.normalizeURI = exports.safeConsoleWarn = exports.safeConsoleError = exports.set = exports.get = exports.groupResultsMap = exports.callChildComponentMethods = exports.callChildComponentMethodsSync = exports.traverseKeys = exports.traverseValues = exports.traverseKeysAndValues = exports.encodeString = exports.isNonEmptyObject = exports.isString = exports.empties = void 0;
 const constants_1 = require("./constants");
 const primordials_1 = require("./primordials");
 __exportStar(require("./constants"), exports);
 __exportStar(require("./types"), exports);
 __exportStar(require("./primordials"), exports);
 const { CONTRAST_INSTALLATION_TOOL = 'NONE' } = process.env;
-const { StringPrototypeSplit, BufferFrom, BufferPrototypeToString } = primordials_1.primordials;
+const { StringPrototypeReplaceAll, StringPrototypeSplit, BufferFrom, BufferPrototypeToString } = primordials_1.primordials;
 exports.empties = {
     OBJECT: Object.freeze({}),
     ARRAY: Object.freeze([]),
@@ -225,4 +225,14 @@ function safeConsoleWarn(...args) {
     }
 }
 exports.safeConsoleWarn = safeConsoleWarn;
+function normalizeURI(uri) {
+    let normalizedUri = uri;
+    constants_1.URI_REGEXES.forEach(({ rx, rp }) => {
+        //@ts-ignore
+        normalizedUri = StringPrototypeReplaceAll.call(normalizedUri, rx, rp);
+    });
+    return normalizedUri;
+}
+exports.normalizeURI = normalizeURI;
+;
 //# sourceMappingURL=index.js.map

package/node_modules/@contrast/common/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/common",
-  "version": "1.34.0",
+  "version": "1.34.2",
   "description": "Shared constants and utilities for all Contrast Agent modules",
   "license": "UNLICENSED",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",

package/node_modules/@contrast/config/lib/index.d.ts

@@ -63,6 +63,7 @@ export interface Config {
     args?: any[];
   }[];
 
+  preinstrument: boolean,
 
   api: {
     /** Default: `true` */

package/node_modules/@contrast/config/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/config",
-  "version": "1.49.0",
+  "version": "1.49.2",
   "description": "An API for discovering Contrast agent configuration data",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,8 +20,8 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.34.0",
-    "@contrast/core": "1.54.0",
+    "@contrast/common": "1.34.2",
+    "@contrast/core": "1.54.2",
     "yaml": "^2.2.2"
   }
 }

package/node_modules/@contrast/core/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/core",
-  "version": "1.54.0",
+  "version": "1.54.2",
   "description": "Preconfigured Contrast agent core services and models",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -19,12 +19,12 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.34.0",
-    "@contrast/config": "1.49.0",
+    "@contrast/common": "1.34.2",
+    "@contrast/config": "1.49.2",
     "@contrast/find-package-json": "^1.1.0",
     "@contrast/fn-inspect": "^4.3.0",
-    "@contrast/logger": "1.27.0",
-    "@contrast/patcher": "1.26.0",
+    "@contrast/logger": "1.27.2",
+    "@contrast/patcher": "1.26.2",
     "@contrast/perf": "1.3.1",
     "@tsxper/crc32": "^2.1.3",
     "axios": "^1.7.4",

package/node_modules/@contrast/deadzones/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/deadzones",
-  "version": "1.26.0",
+  "version": "1.26.2",
   "description": "Configures Contrast agent services and instrumentation within an application",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,9 +20,9 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.34.0",
-    "@contrast/dep-hooks": "1.23.0",
-    "@contrast/patcher": "1.26.0",
-    "@contrast/scopes": "1.24.0"
+    "@contrast/common": "1.34.2",
+    "@contrast/dep-hooks": "1.23.2",
+    "@contrast/patcher": "1.26.2",
+    "@contrast/scopes": "1.24.2"
   }
 }

package/node_modules/@contrast/dep-hooks/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/dep-hooks",
-  "version": "1.23.0",
+  "version": "1.23.2",
   "description": "Post hooks for Module.prototype.require",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -21,9 +21,9 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.34.0",
+    "@contrast/common": "1.34.2",
     "@contrast/find-package-json": "^1.1.0",
-    "@contrast/logger": "1.27.0",
+    "@contrast/logger": "1.27.2",
     "semver": "^7.6.3"
   }
 }

package/node_modules/@contrast/esm-hooks/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/esm-hooks",
-  "version": "2.28.0",
+  "version": "2.28.2",
   "type": "module",
   "description": "Support for loading and instrumenting ECMAScript modules",
   "license": "SEE LICENSE IN LICENSE",
@@ -22,11 +22,11 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.34.0",
-    "@contrast/config": "1.49.0",
-    "@contrast/core": "1.54.0",
+    "@contrast/common": "1.34.2",
+    "@contrast/config": "1.49.2",
+    "@contrast/core": "1.54.2",
     "@contrast/find-package-json": "^1.1.0",
-    "@contrast/logger": "1.27.0",
-    "@contrast/rewriter": "1.30.0"
+    "@contrast/logger": "1.27.2",
+    "@contrast/rewriter": "1.30.2"
   }
 }

package/node_modules/@contrast/instrumentation/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/instrumentation",
-  "version": "1.33.0",
+  "version": "1.33.2",
   "description": "Shared hooks and patches between Protect and Assess components",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,9 +20,9 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.34.0",
-    "@contrast/dep-hooks": "1.23.0",
-    "@contrast/logger": "1.27.0",
-    "@contrast/patcher": "1.26.0"
+    "@contrast/common": "1.34.2",
+    "@contrast/dep-hooks": "1.23.2",
+    "@contrast/logger": "1.27.2",
+    "@contrast/patcher": "1.26.2"
   }
 }