npm - @contrast/agent-bundle - Versions diffs - 5.39.1 → 5.41.0 - Mend

@contrast/agent-bundle 5.39.1 → 5.41.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (279) hide show

package/node_modules/@contrast/library-analysis/lib/install/library-reporting/index.js CHANGED Viewed

@@ -73,7 +73,6 @@ module.exports = function init(core) {
   } = core;
   const libPathHashMap = new Map();
   /**
    * @returns {Promise<string | undefined>}
    */
@@ -100,6 +99,14 @@ module.exports = function init(core) {
   const libraryReporting = core.libraryAnalysis.libraryReporting = {
     async install() {
+      const topLevelPkgInfo = core.appInfo.pkg;
+      if (!topLevelPkgInfo) {
+        logger.warn('Unable to get top-level package.json; aborting library analysis. Ensure the `agent.node.app_root` configuration variable is set to the directory containing your `node_modules` folder.');
+        return;
+      }
+      const { dependencies: topLevelDependencies } = topLevelPkgInfo;
       const nodeModulesPath = await getNodeModulesPath();
       if (!nodeModulesPath) {
         logger.warn('Unable to determine the location of the `node_modules` directory; aborting library analysis. Ensure the `agent.node.app_root` configuration variable is set to the directory containing your `node_modules` folder.');
@@ -108,7 +115,7 @@ module.exports = function init(core) {
       try {
         const flatAgentDeps = flattenDeps(agentDeps);
-        const npmData = listInstalled(nodeModulesPath, flatAgentDeps, logger);
+        const npmData = listInstalled(topLevelDependencies, nodeModulesPath, flatAgentDeps, logger);
         processDependencies(npmData, libPathHashMap, logger);
       } catch (err) {
         logger.warn({ err }, 'Unable to perform library analysis.');

package/node_modules/@contrast/library-analysis/lib/install/library-reporting/utils.js CHANGED Viewed

@@ -19,6 +19,27 @@ const path = require('path');
 const { primordials: { JSONParse } } = require('@contrast/common');
+function parsePackage(filePath, logger) {
+  const pkgPath = path.join(filePath, 'package.json');
+  if (!fs.existsSync(pkgPath)) return;
+  const pkg = fs.readFileSync(pkgPath, 'utf-8');
+  if (!pkg) {
+    logger.warn('Error reading package.json for %s', pkgPath);
+    return;
+  }
+  if (typeof pkg !== 'string') return;
+  let pkgInfo;
+  try {
+    pkgInfo = JSONParse(pkg);
+  } catch (err) {
+    logger.warn({ err }, 'Error parsing package.json for %s', pkgPath);
+  }
+  return pkgInfo;
+}
 // Just used, for now, to flatten the agent dependencies stored in dep.json
 function flattenDeps(deps, flatDeps = {}) {
   Object.entries(deps.dependencies).forEach(([key, val]) => {
@@ -31,59 +52,48 @@ function flattenDeps(deps, flatDeps = {}) {
   return flatDeps;
 }
-function listInstalled(nodeModulesPath, agentDeps, logger, installed = new Map()) {
+function listInstalled(topLevelDeps, nodeModulesPath, agentDeps, logger, installed = new Map()) {
   if (!fs.existsSync(nodeModulesPath)) return;
   function traversePackage(filePath, checkingAgentDeps = false) {
-    const pkgPath = path.join(filePath, 'package.json');
-    if (!fs.existsSync(pkgPath)) return;
-    const pkg = fs.readFileSync(pkgPath, 'utf-8');
-    try {
-      if (typeof pkg === 'string') {
-        const pkgInfo = JSONParse(pkg);
-        pkgInfo.path = filePath;
-        const { name } = pkgInfo;
-        const pkgId = `${name}:${pkgInfo?.version}`;
-        if (installed.has(pkgId)) return;
-        // The library we are checking is a known agent dependency
-        // store its path so if it turns out to also be an app
-        // dependency we can go back and traverse it later
-        if (!checkingAgentDeps && agentDeps[name]) {
-          agentDeps[name] = { filePath };
-          return;
-        }
-        installed.set(pkgId, pkgInfo);
-        // Looks in a library's package.json for dependencies shared by the agent
-        // if one is found, go back and traverse it
-        ['dependencies', 'peerDependencies', 'optionalDependencies'].forEach((deps) => {
-          if (pkgInfo?.[deps]) {
-            Object.entries(pkgInfo[deps]).forEach(([key]) => {
-              if (agentDeps[key]) {
-                const { filePath } = agentDeps[key];
-                agentDeps[key] = false;
-                if (filePath) traversePackage(filePath, true);
-              }
-            });
+    const pkgInfo = parsePackage(filePath, logger);
+    if (!pkgInfo) return;
+    pkgInfo.path = filePath;
+    const { name } = pkgInfo;
+    const pkgId = `${name}:${pkgInfo?.version}`;
+    if (installed.has(pkgId)) return;
+    // The library we are checking is a known agent dependency
+    // store its path so if it turns out to also be an app
+    // dependency we can go back and traverse it later
+    if (!checkingAgentDeps && agentDeps[name] && !topLevelDeps[name]) {
+      agentDeps[name] = { filePath };
+      return;
+    }
+    installed.set(pkgId, pkgInfo);
+    // Looks in a library's package.json for dependencies shared by the agent
+    // if one is found, go back and traverse it
+    ['dependencies', 'peerDependencies', 'optionalDependencies'].forEach((deps) => {
+      if (pkgInfo?.[deps]) {
+        Object.entries(pkgInfo[deps]).forEach(([key]) => {
+          if (agentDeps[key]) {
+            const { filePath } = agentDeps[key];
+            agentDeps[key] = false;
+            if (filePath) traversePackage(filePath, true);
           }
         });
-      } else {
-        logger.warn('Error reading package.json for %s', pkgPath);
       }
-    } catch (err) {
-      logger.warn(err);
-      logger.warn('Error parsing package.json for %s', pkgPath);
-    }
+    });
     // If a library contains its own node_modules directory
     const filePathNodeModulesPath = path.join(filePath, 'node_modules');
     if (fs.existsSync(filePathNodeModulesPath)) {
-      listInstalled(filePathNodeModulesPath, agentDeps, logger, installed);
+      listInstalled(topLevelDeps, filePathNodeModulesPath, agentDeps, logger, installed);
     }
   }
@@ -110,6 +120,7 @@ function listInstalled(nodeModulesPath, agentDeps, logger, installed = new Map()
 }
 module.exports = {
+  parsePackage,
   flattenDeps,
-  listInstalled
+  listInstalled,
 };

package/node_modules/@contrast/library-analysis/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/library-analysis",
-  "version": "1.44.1",
+  "version": "1.45.0",
   "description": "Handles library reporting and library usage analysis",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -21,10 +21,10 @@
   },
   "dependencies": {
     "@contrast/code-events": "^3.1.0",
-    "@contrast/common": "1.34.1",
-    "@contrast/config": "1.49.1",
+    "@contrast/common": "1.35.0",
+    "@contrast/config": "1.50.0",
     "@contrast/find-package-json": "^1.1.0",
-    "@contrast/logger": "1.27.1",
+    "@contrast/logger": "1.28.0",
     "semver": "^7.6.0"
   }
 }

package/node_modules/@contrast/logger/lib/serializers.js CHANGED Viewed

@@ -26,8 +26,8 @@ function config(config) {
     // log as-is if not a Config instance
     if (typeof config?.getReport !== 'function')
         return config;
-    const safeCopy = { _errors: [...config._errors] };
-    const { config: { effective_config } } = config.getReport({ redact: true });
+    const safeCopy = { _errors: [...config._errors], _filepaths: [...config._filepaths] };
+    const { config: { effective_config } } = config.getReport({ redact: true, stringify: false });
     for (const info of effective_config) {
         const { canonical_name, value } = info;
         (0, common_1.set)(safeCopy, canonical_name, value);

package/node_modules/@contrast/logger/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/logger",
-  "version": "1.27.1",
+  "version": "1.28.0",
   "description": "Centralized logging for Contrast agent services",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -21,8 +21,8 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.34.1",
-    "@contrast/config": "1.49.1",
+    "@contrast/common": "1.35.0",
+    "@contrast/config": "1.50.0",
     "pino": "^8.15.0"
   }
 }

package/node_modules/@contrast/metrics/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/metrics",
-  "version": "1.31.1",
+  "version": "1.32.0",
   "description": "Records and logs route latency",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -21,10 +21,10 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.34.1",
-    "@contrast/config": "1.49.1",
-    "@contrast/dep-hooks": "1.23.1",
-    "@contrast/logger": "1.27.1",
-    "@contrast/patcher": "1.26.1"
+    "@contrast/common": "1.35.0",
+    "@contrast/config": "1.50.0",
+    "@contrast/dep-hooks": "1.24.0",
+    "@contrast/logger": "1.28.0",
+    "@contrast/patcher": "1.27.0"
   }
 }

package/node_modules/@contrast/patcher/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/patcher",
-  "version": "1.26.1",
+  "version": "1.27.0",
   "description": "Advanced monkey patching--registers hooks to run in and around functions",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,6 +20,6 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/logger": "1.27.1"
+    "@contrast/logger": "1.28.0"
   }
 }

package/node_modules/@contrast/protect/lib/get-source-context.js CHANGED Viewed

@@ -22,7 +22,9 @@ module.exports = function init(core) {
     if (!core.config.getEffectiveValue('protect.enable')) return null;
     const sourceContext = sources.getStore()?.protect;
-    return sourceContext?.allowed ? null : sourceContext;
+    if (!sourceContext) return null;
+    return sourceContext.allowed ? null : sourceContext;
   }
   core.protect.getSourceContext = getSourceContext;

package/node_modules/@contrast/protect/lib/index.js CHANGED Viewed

@@ -20,7 +20,7 @@ const { callChildComponentMethodsSync } = require('@contrast/common');
 const { ConfigSource } = require('@contrast/config');
 module.exports = function(core) {
-  const { config } = core;
+  const { config, sources } = core;
   const protect = core.protect = {
     agentLib: module.exports.instantiateAgentLib(),
@@ -55,6 +55,11 @@ module.exports = function(core) {
     callChildComponentMethodsSync(protect, 'install');
   };
+  // append async state to store when request-scope sources are created
+  sources.addHook('onSource', (ctx) => {
+    ctx.store.protect = protect.makeSourceContext(ctx);
+  });
   return protect;
 };

package/node_modules/@contrast/protect/lib/input-analysis/handlers.js CHANGED Viewed

@@ -117,7 +117,6 @@ module.exports = Core.makeComponent({
     // all handlers will be invoked with two arguments:
     // 1) sourceContext object containing:
-    //   - reqData, the abstract request object containing only what is needed
     //   - protect, the protect context
     //     - rules, exclusions, virtual patches (TS data). what was in effect for this
     //       url *at the time the request was started*. these will not change.
@@ -162,7 +161,7 @@ module.exports = Core.makeComponent({
      * 'connectInputs' makes sense; a flag similar to 'contentType' can be set and it can be
      * used later to avoid calling 'handleQueryParams()'
      *
-     * @param {Object} sourceContext { reqData, protect } that will be supplied to
+     * @param {Object} sourceContext { protect } that will be supplied to
      *   all handlers and sinks for this request. It will always be supplied by the caller
      *   to a handler; the handler is not aware of the implementation.
      * @param {Object} connectInputs each property is an input to be evaluated by this
@@ -343,7 +342,8 @@ module.exports = Core.makeComponent({
       let bodyType;
       let inputTypes;
-      if (sourceContext.reqData.contentType.includes('/json')) {
+      const { sourceInfo } = core.scopes.sources.getStore();
+      if (sourceInfo?.contentType?.includes?.('/json')) {
         bodyType = 'json';
         inputTypes = jsonInputTypes;
       } else {
@@ -438,9 +438,8 @@ module.exports = Core.makeComponent({
     inputAnalysis.handleIpAllowlist = function(sourceContext, ipAllowlist) {
       if (!sourceContext || !ipAllowlist.length) return;
-      const { ip: reqIp, headers: reqHeaders } = sourceContext.reqData;
-      const match = ipListAnalysis(reqIp, reqHeaders, ipAllowlist);
+      const { sourceInfo } = core.scopes.sources.getStore();
+      const match = ipListAnalysis(sourceInfo.ip, sourceInfo.rawHeaders, ipAllowlist);
       if (match) {
         logger.info(match, 'Found a matching IP to an entry in ipAllow list');
@@ -453,9 +452,8 @@ module.exports = Core.makeComponent({
       if (!sourceContext || !ipDenylist.length) return;
-      const { ip: reqIp, headers: reqHeaders } = sourceContext.reqData;
-      const match = ipListAnalysis(reqIp, reqHeaders, ipDenylist);
+      const { sourceInfo } = core.scopes.sources.getStore();
+      const match = ipListAnalysis(sourceInfo.Ip, sourceInfo.rawHeaders, ipDenylist);
       if (match) {
         logger.info(match, 'Found a matching IP to an entry in ipDeny list');

package/node_modules/@contrast/protect/lib/input-analysis/index.js CHANGED Viewed

@@ -27,7 +27,7 @@ module.exports = function(core) {
   require('./install/http')(core);
   // common libraries instrumentation
-  require('./install/body-parser1')(core);
+  require('./install/body-parser')(core);
   require('./install/cookie-parser1')(core);
   require('./install/formidable1')(core);
   require('./install/koa-body5')(core);

package/node_modules/@contrast/protect/lib/input-analysis/install/{body-parser1.js → body-parser.js} RENAMED Viewed

@@ -62,7 +62,7 @@ module.exports = (core) => {
   // Patch body parser - `body-parser` used by `express` framework
   function install() {
-    depHooks.resolve({ name: 'body-parser', version: '<2' }, (bodyParser) => {
+    depHooks.resolve({ name: 'body-parser', version: '<3' }, (bodyParser) => {
       const origBodyParser = bodyParser;
       const { json: origJson, raw: origRaw, text: origText, urlencoded: origUrlencoded } = bodyParser;

package/node_modules/@contrast/protect/lib/input-analysis/install/http.js CHANGED Viewed

@@ -31,24 +31,19 @@ module.exports = function (core) {
     },
   } = core;
-  const instr = inputAnalysis.httpInstrumentation = {
-    install,
-    around
-  };
-  function removeCookies(headers) {
-    for (let i = 0; i < headers.length; i += 2) {
-      if (headers[i] === 'cookies') {
-        headers = ArrayPrototypeSlice.call(headers);
-        headers.splice(i, 2);
+  function removeCookies(rawHeaders) {
+    for (let i = 0; i < rawHeaders.length; i += 2) {
+      if (rawHeaders[i] === 'cookies') {
+        rawHeaders = ArrayPrototypeSlice.call(rawHeaders);
+        rawHeaders.splice(i, 2);
       }
     }
-    return headers;
+    return rawHeaders;
   }
   function around(next, data) {
     let store, block;
-    const { args: [type, req, res] } = data;
+    const { args: [type,, res] } = data;
     function callNext() {
       setImmediate(() => {
@@ -63,21 +58,20 @@ module.exports = function (core) {
     try {
       store = sources.getStore();
-      if (!store) {
+      if (!store?.protect) {
         logger.debug({ funcKey: data.funcKey }, 'request store not available during http input-analysis');
+        callNext();
         return;
       }
-      store.protect = core.protect.makeSourceContext(req, res);
       if (store.protect.allowed) {
         callNext();
         return;
       }
       const {
-        reqData: { headers, uriPath, method },
-        resData,
-      } = store.protect;
+        sourceInfo: { method, rawHeaders, uriPath },
+        protect: { resData }
+      } = store;
       onFinished(res, (/* err, req */) => {
         resData.statusCode = res.statusCode;
@@ -86,7 +80,7 @@ module.exports = function (core) {
       });
       const connectInputs = {
-        headers: removeCookies(headers),
+        headers: removeCookies(rawHeaders),
         uriPath,
         method: StringPrototypeToLowerCase.call(method),
       };
@@ -131,5 +125,10 @@ module.exports = function (core) {
     });
   }
+  const instr = inputAnalysis.httpInstrumentation = {
+    install,
+    around
+  };
   return instr;
 };

package/node_modules/@contrast/protect/lib/input-analysis/install/qs6.js CHANGED Viewed

@@ -22,34 +22,35 @@ module.exports = (core) => {
     depHooks,
     patcher,
     protect,
-    protect: { inputAnalysis },
+    scopes,
   } = core;
   // Patch `qs`
   function install() {
-    depHooks.resolve({ name: 'qs', version: '<7' },
-      (qs) => patcher.patch(qs, 'parse', {
-        name: 'qs',
-        patchType,
-        post({ args, result }) {
-          if (result && Object.keys(result).length) {
-            const sourceContext = protect.getSourceContext();
-            // We need to run analysis for the `qs` result only when it's used as a query parser.
-            // `qs` is used also for parsing bodies, but these cases we handle individually with
-            // the respective library that's using it (e.g. `formidable`, `co-body`) because in
-            // some cases its use is optional and we cannot rely on it.
-            if (sourceContext && sourceContext.reqData?.queries === args[0]) {
+    depHooks.resolve({ name: 'qs', version: '<7' }, (qs) => patcher.patch(qs, 'parse', {
+      name: 'qs',
+      patchType,
+      post({ args, result }) {
+        if (result && Object.keys(result).length) {
+          const sourceContext = protect.getSourceContext();
+          // We need to run analysis for the `qs` result only when it's used as a query parser.
+          // `qs` is used also for parsing bodies, but these cases we handle individually with
+          // the respective library that's using it (e.g. `formidable`, `co-body`) because in
+          // some cases its use is optional and we cannot rely on it.
+          if (sourceContext) {
+            const { sourceInfo } = scopes.sources.getStore();
+            if (sourceInfo.queries === args[0]) {
               sourceContext.parsedQuery = result;
-              inputAnalysis.handleQueryParams(sourceContext, result);
+              protect.inputAnalysis.handleQueryParams(sourceContext, result);
             }
           }
         }
-      })
+      }
+    })
     );
   }
-  const qs6Instrumentation = inputAnalysis.qs6Instrumentation = {
+  const qs6Instrumentation = protect.inputAnalysis.qs6Instrumentation = {
     install
   };

package/node_modules/@contrast/protect/lib/input-analysis/install/universal-cookie4.js CHANGED Viewed

@@ -22,7 +22,6 @@ module.exports = (core) => {
     depHooks,
     patcher,
     protect,
-    protect: { inputAnalysis },
   } = core;
   // Patch `universal-cookie` package
@@ -36,7 +35,7 @@ module.exports = (core) => {
           if (sourceContext) {
             sourceContext.parsedCookies = result;
-            inputAnalysis.handleCookies(sourceContext, result);
+            protect.inputAnalysis.handleCookies(sourceContext, result);
           }
         }
       }
@@ -44,7 +43,7 @@ module.exports = (core) => {
     );
   }
-  const universalCookie4Instrumentation = inputAnalysis.universalCookie4Instrumentation = {
+  const universalCookie4Instrumentation = protect.inputAnalysis.universalCookie4Instrumentation = {
     install
   };

package/node_modules/@contrast/protect/lib/make-source-context.js CHANGED Viewed

@@ -15,80 +15,36 @@
 'use strict';
-const { primordials: { StringPrototypeToLowerCase, StringPrototypeSlice } } = require('@contrast/common');
 module.exports = function(core) {
-  const {
-    protect: { getPolicy }
-  } = core;
-  const disabledPolicy = { allowed: true };
-  function makeSourceContext(req, res) {
-    if (!core.config.getEffectiveValue('protect.enable')) {
-      return disabledPolicy;
-    }
-    // make the abstract request. it is an abstraction of a request that
-    // contains only the pieces of the request required by handlers. this
-    // is done to make an explicit contract for data that is required by
-    // the handlers. additional data that is discovered to be required by
-    // handlers should be added here. the goal is not to pass the raw req
-    // or res objects so that all data coupling is all defined here.
-    // separate path and search params
-    let uriPath, queries;
-    const ix = req.url.indexOf('?');
-    if (ix >= 0) {
-      uriPath = StringPrototypeSlice.call(req.url, 0, ix);
-      queries = StringPrototypeSlice.call(req.url, ix + 1);
-    } else {
-      uriPath = req.url;
-      queries = '';
-    }
-    const policy = getPolicy({ uriPath });
+  const { protect } = core;
+  const DISABLED_POLICY = { allowed: true };
+  /**
+   * @param {object} param
+   * @param {object} param.store
+   * @param {import('@contrast/common').SourceInfo} param.store.sourceInfo
+   * @param {import('node:http').IncomingMessage} param.incomingMessage
+   * @param {import('node:http').ServerResponse} param.serverResponse
+   *
+   */
+  function makeSourceContext({
+    store: { sourceInfo },
+    // incomingMessage,
+    serverResponse,
+  }) {
+    if (!core.config.getEffectiveValue('protect.enable')) return DISABLED_POLICY;
+    const policy = protect.getPolicy({ uriPath: sourceInfo.uriPath });
     // URL exclusions can disable all rules
-    if (!policy || policy.rulesMask === 0) {
-      return disabledPolicy;
-    }
-    // lowercase header keys and capture content-type
-    let contentType = '';
-    const headers = Array(req.rawHeaders.length);
-    for (let i = 0; i < req.rawHeaders.length; i += 2) {
-      headers[i] = StringPrototypeToLowerCase.call(req.rawHeaders[i]);
-      headers[i + 1] = req.rawHeaders[i + 1];
-      if (headers[i] === 'content-type') {
-        contentType = StringPrototypeToLowerCase.call(headers[i + 1]);
-      }
-    }
-    // contains request data and information derived from request data. it's
-    // possible for any derived information to be derived later, but doing
-    // so here is typically better; it makes clear what information is used to
-    // make decisions by different handlers.
-    const reqData = {
-      ip: req.socket.remoteAddress,
-      httpVersion: req.httpVersion,
-      method: req.method,
-      headers,
-      uriPath,
-      queries,
-      contentType,
-    };
+    if (!policy || policy.rulesMask === 0) return DISABLED_POLICY;
     const protectStore = {
-      reqData,
       resData: {
         statusCode: null,
       },
       // block closure captures res so it isn't exposed to beyond here
-      blocker: new core.protect.Blocker(res),
+      blocker: new core.protect.Blocker(serverResponse),
       policy,
       exclusions: [],
       virtualPatchesEvaluators: [],