npm - @contrast/agent-bundle - Versions diffs - 5.39.1 → 5.41.0 - Mend

@contrast/agent-bundle 5.39.1 → 5.41.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (279) hide show

package/node_modules/@contrast/agent/lib/start-agent.js CHANGED Viewed

@@ -19,7 +19,6 @@ const process = require('process');
 const { isMainThread, threadId } = require('worker_threads');
 const { safeConsoleError, safeConsoleWarn } = require('@contrast/common');
 const { Core } = require('@contrast/core/lib/ioc/core');
-const _agentify = require('@contrast/agentify');
 const {
   name: agentName,
@@ -30,6 +29,8 @@ const {
   }
 } = require('../package.json');
+const kContrastInitialized = Symbol(`${agentName}:initialized`);
 function initCore() {
   const core = new Core({
     agentName,
@@ -70,46 +71,55 @@ function loadFeatures(core) {
 }
 function startAgent({ type = 'cjs' } = {}) {
-  if (isMainThread) {
-    try {
-      const core = initCore();
-      const agentify = _agentify(core);
-      return agentify(loadFeatures, {
-        installOrder: [
-          'reporter',
-          'startupValidation',
-          'telemetry',
-          'contrastMethods',
-          'deadzones',
-          'scopes',
-          'secObs',
-          'sources',
-          'architectureComponents',
-          'routeCoverage',
-          'assess',
-          'protect',
-          'depHooks',
-          'libraryAnalysis',
-          'heapSnapshots',
-          'metrics',
-          'rewriteHooks',
-          'functionHooks',
-          'esmHooks',
-          'diagnostics',
-        ],
-        type
-      });
-    } catch (cause) {
-      // agentify should catch any startup errors and handle necessary logging,
-      // but this is just in case a fatal error occurs during composition.
-      safeConsoleError(new Error(
-        'Startup error was not handled by agentify. Application Will be run without instrumentation.',
-        { cause }
-      ));
-    }
-  } else {
+  if (!isMainThread) {
     safeConsoleWarn('Not in main thread. Thread (tid: %d) continuing without instrumentation.', threadId);
+    return;
+  }
+  if (global[kContrastInitialized]) {
+    safeConsoleWarn('%s has already been initialized. Continuing without reinstrumentation.', agentName);
+    return;
+  }
+  try {
+    global[kContrastInitialized] = true;
+    const core = initCore();
+    const agentify = require('@contrast/agentify')(core);
+    return agentify(loadFeatures, {
+      installOrder: [
+        'reporter',
+        'startupValidation',
+        'telemetry',
+        'contrastMethods',
+        'deadzones',
+        'scopes',
+        'secObs',
+        'sources',
+        'architectureComponents',
+        'routeCoverage',
+        'assess',
+        'protect',
+        'depHooks',
+        'libraryAnalysis',
+        'heapSnapshots',
+        'metrics',
+        'rewriteHooks',
+        'functionHooks',
+        'esmHooks',
+        'diagnostics',
+      ],
+      type
+    });
+  } catch (cause) {
+    delete global[kContrastInitialized];
+    // agentify should catch any startup errors and handle necessary logging,
+    // but this is just in case a fatal error occurs during composition.
+    safeConsoleError(new Error(
+      'Startup error was not handled by agentify. Application Will be run without instrumentation.',
+      { cause }
+    ));
   }
 }

package/node_modules/@contrast/agent/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "5.39.1",
+  "version": "5.41.0",
   "description": "Assess and Protect agents for Node.js",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -27,15 +27,15 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/agentify": "1.52.1",
-    "@contrast/architecture-components": "1.42.1",
-    "@contrast/assess": "1.58.1",
-    "@contrast/common": "1.34.1",
-    "@contrast/core": "1.54.1",
-    "@contrast/library-analysis": "1.44.1",
-    "@contrast/protect": "1.64.1",
-    "@contrast/route-coverage": "1.45.1",
-    "@contrast/sec-obs": "1.0.0-alpha.8",
-    "@contrast/telemetry": "1.29.1"
+    "@contrast/agentify": "1.53.0",
+    "@contrast/architecture-components": "1.43.0",
+    "@contrast/assess": "1.59.0",
+    "@contrast/common": "1.35.0",
+    "@contrast/core": "1.55.0",
+    "@contrast/library-analysis": "1.45.0",
+    "@contrast/protect": "1.65.0",
+    "@contrast/route-coverage": "1.46.0",
+    "@contrast/sec-obs": "1.0.0-alpha.9",
+    "@contrast/telemetry": "1.30.0"
   }
 }

package/node_modules/@contrast/agent-swc-plugin/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -12,7 +12,13 @@
  * engineered, modified, repackaged, sold, redistributed or otherwise used in a
  * way not consistent with the End User License Agreement.
  */
+const rewriter = require.resolve('./rewriter.wasm');
+const unwriter = require.resolve('./unwriter.wasm');
 module.exports = {
-  defaultRewriter: require.resolve('./rewriter.wasm'),
-  defaultUnwriter: require.resolve('./unwriter.wasm'),
+  rewriter,
+  unwriter,
+  defaultRewriter: rewriter,
+  defaultUnwriter: unwriter,
 };

package/node_modules/@contrast/agent-swc-plugin/methods.js CHANGED Viewed

@@ -1 +1,15 @@
-module.exports = ["concat", "match", "matchAll", "replace", "replaceAll", "slice", "split", "substring", "substr", "toLowerCase", "toUpperCase", "trim", "join"]
+module.exports = [
+  'concat',
+  'match',
+  'matchAll',
+  'replace',
+  'replaceAll',
+  'slice',
+  'split',
+  'substring',
+  'substr',
+  'toLowerCase',
+  'toUpperCase',
+  'trim',
+  'join',
+];

package/node_modules/@contrast/agent-swc-plugin/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent-swc-plugin",
-  "version": "3.0.0",
+  "version": "3.1.0",
   "description": "SWC plugins Contrast Node agent",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
   "license": "SEE LICENSE IN LICENSE",
@@ -8,10 +8,8 @@
     "swc-plugin"
   ],
   "main": "index.js",
-  "types": "index.d.ts",
   "files": [
     "index.js",
-    "index.d.ts",
     "methods.js",
     "*.wasm"
   ],
@@ -27,15 +25,14 @@
     "@swc/core": "^1.11.24"
   },
   "devDependencies": {
-    "@swc/cli": "0.7.7",
+    "@swc/cli": "0.7.8",
     "@swc/core": "^1.11.24",
-    "@tsconfig/node16": "16.1.3",
-    "@types/express": "5.0.1",
+    "@tsconfig/node16": "16.1.4",
     "benchmark": "2.1.4",
-    "chai": "5.2.0",
+    "chai": "5.2.1",
     "express": "5.1.0",
     "lodash": "4.17.21",
-    "mocha": "11.3.0",
+    "mocha": "11.7.1",
     "rimraf": "6.0.1",
     "source-map": "^0.7.4",
     "tinybench": "4.0.1",

package/node_modules/@contrast/agent-swc-plugin/rewriter.wasm CHANGED Viewed

Binary file

package/node_modules/@contrast/agentify/lib/index.js CHANGED Viewed

@@ -12,7 +12,6 @@
  * engineered, modified, repackaged, sold, redistributed or otherwise used in a
  * way not consistent with the End User License Agreement.
  */
-/*eslint node/no-unsupported-features/es-syntax: ["error", {version: >=10.0.0}]*/
 'use strict';
 const Module = require('module');
@@ -137,6 +136,7 @@ module.exports = function init(core = {}) {
       logger.info('Starting %s v%s', core.agentName, core.agentVersion);
       logger.info({ config }, 'Agent configuration');
+      logger.debug({ effectiveConfig: config.getReport({ redact: true }) }, 'Effective configuration');
       const plugin = await _callback?.(core);
@@ -191,9 +191,9 @@ module.exports = function init(core = {}) {
       { name: 'reporter', spec: '@contrast/reporter', default: true },
       { name: 'instrumentation', spec: '@contrast/instrumentation' },
       { name: 'metrics', spec: '@contrast/metrics' },
+      { name: 'sources', spec: '@contrast/sources' },
       // compose additional local services
       { name: 'heap-snapshots', spec: './heap-snapshots' },
-      { name: 'sources', spec: './sources' },
       { name: 'function-hooks', spec: './function-hooks' },
       { name: 'diagnostics', spec: './diagnostics' },
       { name: 'rewrite-hooks', spec: './rewrite-hooks' },

package/node_modules/@contrast/agentify/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agentify",
-  "version": "1.52.1",
+  "version": "1.53.0",
   "description": "Configures Contrast agent services and instrumentation within an application",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,21 +20,22 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.34.1",
-    "@contrast/config": "1.49.1",
-    "@contrast/core": "1.54.1",
-    "@contrast/deadzones": "1.26.1",
-    "@contrast/dep-hooks": "1.23.1",
-    "@contrast/esm-hooks": "2.28.1",
+    "@contrast/common": "1.35.0",
+    "@contrast/config": "1.50.0",
+    "@contrast/core": "1.55.0",
+    "@contrast/deadzones": "1.27.0",
+    "@contrast/dep-hooks": "1.24.0",
+    "@contrast/esm-hooks": "2.29.0",
     "@contrast/find-package-json": "^1.1.0",
-    "@contrast/instrumentation": "1.33.1",
-    "@contrast/logger": "1.27.1",
-    "@contrast/metrics": "1.31.1",
-    "@contrast/patcher": "1.26.1",
+    "@contrast/instrumentation": "1.34.0",
+    "@contrast/logger": "1.28.0",
+    "@contrast/metrics": "1.32.0",
+    "@contrast/patcher": "1.27.0",
     "@contrast/perf": "1.3.1",
-    "@contrast/reporter": "1.51.1",
-    "@contrast/rewriter": "1.30.1",
-    "@contrast/scopes": "1.24.1",
+    "@contrast/reporter": "1.52.0",
+    "@contrast/rewriter": "1.31.0",
+    "@contrast/scopes": "1.25.0",
+    "@contrast/sources": "1.1.0",
     "on-finished": "^2.4.1",
     "semver": "^7.6.0"
   }

package/node_modules/@contrast/architecture-components/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/architecture-components",
-  "version": "1.42.1",
+  "version": "1.43.0",
   "description": "Detects external systems being connected to by applications.",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,9 +20,9 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.34.1",
-    "@contrast/dep-hooks": "1.23.1",
-    "@contrast/logger": "1.27.1",
-    "@contrast/patcher": "1.26.1"
+    "@contrast/common": "1.35.0",
+    "@contrast/dep-hooks": "1.24.0",
+    "@contrast/logger": "1.28.0",
+    "@contrast/patcher": "1.27.0"
   }
 }

package/node_modules/@contrast/assess/lib/dataflow/propagation/install/string/replace.js CHANGED Viewed

@@ -288,10 +288,13 @@ module.exports = function(core) {
             source: data._objInfo ? (data._history.size > 1 ? 'A' : 'O') : 'P',
             target: 'R',
           });
-          if (!event) return null;
-          const { extern } = tracker.track(result, event);
-          return extern;
+          if (event) {
+            const { extern } = tracker.track(result, event);
+            return extern;
+          }
+          return result;
         }
       });
     },

package/node_modules/@contrast/assess/lib/dataflow/propagation/install/util-format.js CHANGED Viewed

@@ -24,12 +24,35 @@ module.exports = function(core) {
     patcher,
     depHooks,
     assess: {
+      inspect,
       getPropagatorContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }
   } = core;
+  function traverseObject(obj, result, tags, history, depth = 1) {
+    let i = 0;
+    for (const val of Object.values(obj)) {
+      if (typeof val === 'object' && depth <= 4) tags = traverseObject(val, result, tags, history, depth += 1);
+      const valInfo = tracker.getData(val);
+      if (!valInfo || depth > 4) break;
+      const currIdx = result.indexOf(val, i);
+      if (currIdx > -1) {
+        i = currIdx + val.length;
+      } else {
+        break;
+      }
+      tags = createAppendTags(tags, valInfo.tags, currIdx);
+      history.push({ ...valInfo });
+    }
+    return tags;
+  }
   return core.assess.dataflow.propagation.utilFormat = {
     install() {
       depHooks.resolve({ name: 'util', version: '*' }, (util) => {
@@ -57,13 +80,14 @@ module.exports = function(core) {
             for (i; i < args.length; i++) {
               let arg = args[i];
+              if (!arg) continue;
               const formatChar = formatChars[i - 1];
               if (formatChar) {
                 switch (formatChar) {
                   case 's':
                     if (typeof arg === 'object') {
-                      // util.inspect instrumentation NYI
-                      arg = arg?.toString ? arg.toString() : util.inspect(arg, { depth: 0, colors: false, compact: 3 });
+                      break; // handled below
                     } else {
                       arg = String(arg);
                     }
@@ -77,36 +101,35 @@ module.exports = function(core) {
                     arg = JSON.stringify(arg) ?? 'undefined';
                     break;
                   case 'o':
-                    // util.inspect instrumentation NYI
-                    arg = util.inspect(arg, { showHidden: true, showProxy: true });
-                    break;
+                    break; // handled below
                   case 'O':
-                    // util.inspect instrumentation NYI
-                    arg = util.inspect(arg);
-                    break;
+                    break; // handled below
                   case 'c':
                     // c is ignored and skipped
                     arg = '';
                     break;
                 }
               } else if (typeof arg !== 'string') {
-                arg = util.inspect(arg);
+                arg = inspect(arg);
               }
-              const argInfo = tracker.getData(arg);
-              if (!argInfo) continue;
+              if (typeof arg === 'string') {
+                const argInfo = tracker.getData(arg);
+                if (!argInfo) continue;
-              const currIdx = result.indexOf(arg, idx);
-              if (currIdx > -1) {
-                idx = currIdx + arg.length;
-              } else {
-                continue;
+                const currIdx = result.indexOf(arg, idx);
+                if (currIdx > -1) {
+                  idx = currIdx + arg.length;
+                } else {
+                  continue;
+                }
+                newTags = createAppendTags(newTags, argInfo.tags, currIdx);
+                history.push({ ...argInfo });
+                eventArgs.push({ value: argInfo ? argInfo.value : arg, tracked: !!argInfo });
+              } else if (typeof arg === 'object') {
+                newTags = traverseObject(arg, result, newTags, history);
+                eventArgs.push({ value: inspect(arg), tracked: false });
               }
-              newTags = createAppendTags(newTags, argInfo.tags, currIdx);
-              history.push({ ...argInfo });
-              eventArgs.push({ value: argInfo ? argInfo.value : arg, tracked: !!argInfo });
             }
             const resultInfo = tracker.getData(result);

package/node_modules/@contrast/assess/lib/dataflow/sources/index.js CHANGED Viewed

@@ -26,7 +26,7 @@ module.exports = function (core) {
   require('./install/hapi')(core);
   require('./install/koa')(core);
   require('./install/restify')(core);
-  require('./install/body-parser1')(core);
+  require('./install/body-parser')(core);
   require('./install/busboy')(core);
   require('./install/cookie-parser1')(core);
   require('./install/formidable1')(core);

package/node_modules/@contrast/assess/lib/dataflow/sources/install/{body-parser1.js → body-parser.js} RENAMED Viewed

@@ -85,7 +85,7 @@ module.exports = function init(core) {
           },
         });
-        sourceContext.parsedBody = !!Object.keys(_data).length;
+        sourceContext.parsedBody = !!(_data && Object.keys(_data).length);
       } catch (err) {
         logger.error({ err, funcKey: data.funcKey }, 'unable to handle source');
       }
@@ -97,7 +97,7 @@ module.exports = function init(core) {
   core.assess.dataflow.sources.bodyParser1Instrumentation = {
     install() {
       depHooks.resolve(
-        { name: 'body-parser', version: '>=1 <2' },
+        { name: 'body-parser', version: '>=1 <3' },
         /** @param {import('body-parser').BodyParser} bodyParser */
         (bodyParser) => {
           bodyParser = patcher.patch(bodyParser, {

package/node_modules/@contrast/assess/lib/dataflow/sources/install/koa/koa-bodyparsers.js CHANGED Viewed

@@ -23,6 +23,7 @@ module.exports = (core) => {
     depHooks,
     patcher,
     logger,
+    scopes,
     assess: {
       getSourceContext,
       dataflow: { sources }
@@ -51,7 +52,8 @@ module.exports = (core) => {
               }
               data.args[1] = async function contrastNext(origErr) {
-                const inputType = sourceContext.reqData.headers?.['content-type']?.includes('/json')
+                const contentType = scopes.sources.getStore()?.sourceInfo?.contentType;
+                const inputType = contentType?.includes?.('/json')
                   ? InputType.JSON_VALUE
                   : typeof ctx.request.body == 'object'
                     ? InputType.PARAMETER_VALUE

package/node_modules/@contrast/assess/lib/dataflow/sources/install/qs6.js CHANGED Viewed

@@ -23,6 +23,7 @@ module.exports = (core) => {
     depHooks,
     patcher,
     logger,
+    scopes,
     assess: {
       getSourceContext,
       dataflow: { sources }
@@ -38,21 +39,20 @@ module.exports = (core) => {
         patchType,
         post({ args, hooked, orig, result, funcKey }) {
           const sourceContext = getSourceContext();
-          if (!sourceContext) {
-            return;
-          }
+          if (!sourceContext) return;
           if (sourceContext.parsedQuery) {
             logger.trace({ inputType, funcKey }, 'values already tracked');
             return;
           }
+          const queries = scopes.sources.getStore()?.sourceInfo?.queries;
           // We need to run analysis for the `qs` result only when it's used as a query parser.
           // `qs` is used also for parsing bodies, but these cases we handle individually with
           // the respective library that's using it (e.g. `formidable`, `co-body`) because in
           // some cases its use is optional and we cannot rely on it.
-          if (sourceContext.reqData?.queries === args[0]) {
+          if (queries === args[0]) {
             try {
               sources.handle({
                 context: 'req.query',

package/node_modules/@contrast/assess/lib/dataflow/sources/install/querystring.js CHANGED Viewed

@@ -24,6 +24,7 @@ module.exports = (core) => {
     depHooks,
     patcher,
     logger,
+    scopes,
   } = core;
   core.assess.dataflow.sources.querystringInstrumentation = {
@@ -46,7 +47,7 @@ module.exports = (core) => {
             // We only run analysis for the `querystring` result when it's used
             // as the framework's query parser
-            if (sourceContext.reqData?.queries === args[0]) {
+            if (scopes.sources.getStore().sourceInfo?.queries === args[0]) {
               try {
                 core.assess.dataflow.sources.handle({
                   context: 'req.query',

package/node_modules/@contrast/assess/lib/index.d.ts CHANGED Viewed

@@ -38,7 +38,6 @@ export interface Core extends _Core {
 }
 export interface SourceContext {
-  reqData: object,
   responseData: {
     contentType: string,
   },

package/node_modules/@contrast/assess/lib/make-source-context.js CHANGED Viewed

@@ -15,7 +15,6 @@
 'use strict';
-const { primordials: { StringPrototypeToLowerCase, StringPrototypeSlice } } = require('@contrast/common');
 const { Core } = require('@contrast/core/lib/ioc/core');
 /**
@@ -33,57 +32,28 @@ function factory(core) {
   const { assess, logger } = core;
   /**
+   * todo: how to handle non-HTTP sources
    * @returns {import('@contrast/assess').SourceContext}
    */
-  return core.assess.makeSourceContext = function(sourceData) {
-    try {
+  return core.assess.makeSourceContext = function ({ store, incomingMessage: req }) {
-      const ctx = sourceData.store.assess = {
+    try {
+      const ctx = store.assess = {
         // default policy to `null` until it is set later below. this will cause
         // all instrumentation to short-circuit, see `./get-source-context.js`.
         policy: null,
       };
-      if (!core.config.getEffectiveValue('assess.enable')) {
-        return ctx;
-      }
-      // todo: how to handle non-HTTP sources
-      const { incomingMessage: req } = sourceData;
-      // minimally process the request data for sampling and exclusions.
-      // more request fields will be appended in final result below.
-      let uriPath;
-      let queries;
-      const idx = req.url.indexOf('?');
-      if (idx >= 0) {
-        uriPath = StringPrototypeSlice.call(req.url, 0, idx);
-        queries = StringPrototypeSlice.call(req.url, idx + 1);
-      } else {
-        uriPath = req.url;
-        queries = '';
-      }
-      ctx.reqData = {
-        method: req.method,
-        uriPath,
-        queries,
-      };
+      if (!core.config.getEffectiveValue('assess.enable')) return ctx;
       // check whether sampling allows processing
-      ctx.sampleInfo = assess.sampler?.getSampleInfo(sourceData) ?? null;
+      ctx.sampleInfo = assess.sampler?.getSampleInfo(store.sourceInfo) ?? null;
       if (ctx.sampleInfo?.canSample === false) return ctx;
       // set policy - can be returned as `null` if request is url-excluded.
-      ctx.policy = assess.getPolicy(ctx.reqData);
+      ctx.policy = assess.getPolicy(store.sourceInfo);
       if (!ctx.policy) return ctx;
-      // build remaining reqData
-      ctx.reqData.headers = { ...req.headers }; // copy to avoid storing tracked values
-      ctx.reqData.ip = req.socket.remoteAddress;
-      ctx.reqData.httpVersion = req.httpVersion;
-      if (ctx.reqData.headers['content-type'])
-        ctx.reqData.contentType = StringPrototypeToLowerCase.call(ctx.reqData.headers['content-type']);
       ctx.propagationEventsCount = 0;
       ctx.sourceEventsCount = 0;
       ctx.responseData = {};