@contrast/agent-bundle 5.39.1 → 5.41.0

package/node_modules/@contrast/route-coverage/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/route-coverage",
-  "version": "1.45.1",
+  "version": "1.46.0",
   "description": "Handles route discovery and observation",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,14 +20,14 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.34.1",
-    "@contrast/config": "1.49.1",
-    "@contrast/dep-hooks": "1.23.1",
+    "@contrast/common": "1.35.0",
+    "@contrast/config": "1.50.0",
+    "@contrast/core": "1.55.0",
+    "@contrast/dep-hooks": "1.24.0",
     "@contrast/fn-inspect": "^4.3.0",
-    "@contrast/logger": "1.27.1",
-    "@contrast/patcher": "1.26.1",
-    "@contrast/scopes": "1.24.1",
-    "semver": "^7.6.0",
-    "path-to-regexp": "^8.2.0"
+    "@contrast/logger": "1.28.0",
+    "@contrast/patcher": "1.27.0",
+    "@contrast/scopes": "1.25.0",
+    "semver": "^7.6.0"
   }
 }

package/node_modules/@contrast/scopes/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/scopes",
-  "version": "1.24.1",
+  "version": "1.25.0",
   "description": "Handles AsyncLocalStorage scopes",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,9 +20,9 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/core": "1.54.1",
-    "@contrast/dep-hooks": "1.23.1",
-    "@contrast/logger": "1.27.1",
-    "@contrast/patcher": "1.26.1"
+    "@contrast/core": "1.55.0",
+    "@contrast/dep-hooks": "1.24.0",
+    "@contrast/logger": "1.28.0",
+    "@contrast/patcher": "1.27.0"
   }
 }

package/node_modules/@contrast/sec-obs/lib/traces/http.js

@@ -16,7 +16,7 @@
 'use strict';
 const patchType = 'observability';
 const onFinished = require('on-finished');
-const { primordials: { StringPrototypeSplit } } = require('@contrast/common');
+const { normalizeURI, primordials: { StringPrototypeSplit } } = require('@contrast/common');
 
 module.exports = function(core) {
   const {
@@ -48,7 +48,7 @@ module.exports = function(core) {
     if (!method || !url) return next();
 
     const [path] = StringPrototypeSplit.call(url, '?'); // TODO: NODE-3701 sync discovered route name and trace
-    const name = `${method} ${path}`;
+    const name = `${method} ${normalizeURI(path)}`;
     const rootSpan = tracer.startSpan(name);
     // TODO: Audit other attributes and add as needed
     const headers = getHeaders(req);

package/node_modules/@contrast/sec-obs/lib/traces/http.test.js

@@ -69,6 +69,23 @@ describe('observability root spans', function () {
         expect(span.end).to.have.been.called;
       });
 
+      it('generates a span with the normalized uri', function() {
+        emit('request', {
+          method: 'GET',
+          url: '/path/b09112a0-a58f-487a-ab4b-3608bd64fb3f/fd4b78312634a236d11da0f9c32526e5b8261afa/42/end'
+        }, resMock);
+        expect(startSpan).to.have.been.calledWith('GET /path/{uuid}/{hash}/{n}/end');
+        const span = startSpan.getCall(0).returnValue;
+        expect(span.setAttributes).to.have.been.calledWith({
+          'network.protocol.name': moduleName,
+          'http.request.method': 'GET',
+        });
+        expect(span.setAttributes).to.have.been.calledWith({
+          'http.response.status_code': 200
+        });
+        expect(span.end).to.have.been.called;
+      });
+
       it('generates a span with the attributes derived from headers', function() {
         const headersSymbol = Symbol('Headers');
         reqMock[headersSymbol] = {

package/node_modules/@contrast/sec-obs/lib/traces/outbound-service-call.js

@@ -16,7 +16,7 @@
 'use strict';
 const patchType = 'observability';
 const onFinished = require('on-finished');
-const { isString } = require('@contrast/common');
+const { isString, normalizeURI } = require('@contrast/common');
 
 module.exports = function(core) {
   const {
@@ -37,7 +37,7 @@ module.exports = function(core) {
     protocol = protocol.endsWith(':') ? protocol : `${protocol}:`;
     path = path || pathname;
     port &&= `:${port}`;
-    return `${protocol}//${hostname}${port}${path}`;
+    return `${protocol}//${hostname}${port}${normalizeURI(path)}`;
   }
 
   return core.secObs.traces.outboundServiceCall = {

package/node_modules/@contrast/sec-obs/lib/traces/outbound-service-call.test.js

@@ -138,4 +138,21 @@ describe('observability outbound-service-call action', function () {
     });
     expect(span.end).to.have.been.called;
   });
+
+  it('generates a span with normalized path', function() {
+    core.secObs.tracing.getContext.returns({});
+    core.secObs.tracing.runContext.returns({});
+    http.request({
+      protocol: 'http',
+      hostname: 'example.com',
+      path: '/path/b09112a0-a58f-487a-ab4b-3608bd64fb3f/fd4b78312634a236d11da0f9c32526e5b8261afa/42/end'
+    });
+    expect(startSpan).to.have.been.calledWith('outbound-service-call', undefined, {});
+    const span = startSpan.getCall(0).returnValue;
+    expect(span.setAttributes).to.have.been.calledWith({
+      'url.full': 'http://example.com/path/{uuid}/{hash}/{n}/end',
+      'server.address': 'example.com',
+    });
+    expect(span.end).to.have.been.called;
+  });
 });

package/node_modules/@contrast/sec-obs/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/sec-obs",
-  "version": "1.0.0-alpha.8",
+  "version": "1.0.0-alpha.9",
   "description": "Contrast service providing framework-agnostic Observability support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -17,14 +17,14 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.33.0",
-    "@contrast/config": "1.48.0",
-    "@contrast/core": "1.53.0",
-    "@contrast/dep-hooks": "1.22.0",
-    "@contrast/logger": "1.26.0",
-    "@contrast/patcher": "1.25.0",
-    "@contrast/rewriter": "1.29.0",
-    "@contrast/scopes": "1.23.0",
+    "@contrast/common": "1.35.0",
+    "@contrast/config": "1.50.0",
+    "@contrast/core": "1.55.0",
+    "@contrast/dep-hooks": "1.24.0",
+    "@contrast/logger": "1.28.0",
+    "@contrast/patcher": "1.27.0",
+    "@contrast/rewriter": "1.31.0",
+    "@contrast/scopes": "1.25.0",
     "@opentelemetry/api": "^1.9.0",
     "@opentelemetry/exporter-metrics-otlp-http": "^0.57.1",
     "@opentelemetry/exporter-trace-otlp-http": "^0.57.1",

package/node_modules/@contrast/sources/lib/index.js

@@ -0,0 +1,109 @@
+/*
+ * Copyright: 2025 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { EventEmitter } = require('events');
+const onFinished = require('on-finished');
+const { set, Event } = require('@contrast/common');
+const { Core } = require('@contrast/core/lib/ioc/core');
+const NormalizedUriMapper = require('./normalized-uri-mapper');
+const { HttpSourceInfo } = require('./source-info');
+
+const componentName = 'sources';
+
+module.exports = Core.makeComponent({
+  name: componentName,
+  factory: (core) => new Sources(core),
+});
+
+class Sources {
+  constructor(core) {
+    // decorate
+    set(core, componentName, this);
+
+    this.core = core;
+    this._hooks = new EventEmitter();
+    this._normalizedUriMapper = new NormalizedUriMapper(core);
+  }
+
+  addHook(name, handler) {
+    // only this one hook atm
+    if (name === 'onSource') this._hooks.on(name, handler);
+  }
+
+  aroundHook(serverType) {
+    const { _hooks, _normalizedUriMapper, core } = this;
+
+    return function (next, data) {
+      const { args: [event, req, res] } = data;
+
+      if (event !== 'request') {
+        if (event === 'listening') {
+          // take a snapshot of Perf.all at this point. this will get logged
+          // at some point on the perf interval timer.
+          core.Perf.mark('listening');
+          core.messages.emit(Event.SERVER_LISTENING, { type: serverType, server: data.obj });
+        }
+        return next();
+      }
+
+      core.Perf.requestCount += 1;
+
+      const sourceInfo = new HttpSourceInfo({
+        serverType,
+        raw: req,
+        normalizedUriMapper: _normalizedUriMapper,
+      });
+      const store = { sourceInfo };
+
+      onFinished(res, (/* err, req */) => {
+        core.messages.emit(Event.RESPONSE_FINISH, store);
+      });
+
+      return core.scopes.sources.run(store, () => {
+        if (_hooks._events.onSource) {
+          _hooks.emit('onSource', {
+            // future: non-http sources will have their own type
+            sourceType: 'HTTP',
+            store,
+            incomingMessage: req,
+            serverResponse: res,
+          });
+        }
+
+        return next();
+      });
+    };
+  }
+
+  install() {
+    const { instrumentation, sources } = this.core;
+
+    ['http', 'https', 'spdy', 'http2'].forEach((moduleName) => {
+      instrumentation.instrument({
+        moduleName,
+        patchObjects: [{
+          name: 'Server.prototype',
+          methods: ['emit'],
+          patchType: 'sources',
+          around: sources.aroundHook(moduleName)
+        }]
+      });
+    });
+  }
+}
+
+module.exports.HttpSourceInfo = HttpSourceInfo;

package/node_modules/@contrast/sources/lib/index.test.js

@@ -0,0 +1,120 @@
+'use strict';
+
+const EventEmitter = require('events');
+const { expect } = require('chai');
+const sinon = require('sinon');
+const { initProtectFixture } = require('@contrast/test/fixtures');
+const mocks = require('@contrast/test/mocks');
+const proxyquire = require('proxyquire');
+
+describe('agentify sources', function () {
+  [
+    {
+      name: 'http',
+      expected: {
+        port: 8080,
+        protocol: 'http',
+        serverType: 'http',
+      },
+    },
+    {
+      name: 'https',
+      expected: {
+        port: 8080,
+        protocol: 'https',
+        serverType: 'https',
+      },
+    },
+    {
+      name: 'spdy',
+      expected: {
+        port: 8080,
+        protocol: 'https',
+        serverType: 'spdy',
+      },
+    },
+    {
+      name: 'http2',
+      method: 'createServer',
+      expected: {
+        port: 8080,
+        protocol: 'https',
+        serverType: 'spdy',
+      },
+    },
+    {
+      name: 'http2',
+      method: 'createSecureServer',
+      expected: {
+        port: 8080,
+        protocol: 'https',
+        serverType: 'spdy',
+      },
+    }
+  ].forEach(({ name, method, expected }) => {
+    describe(`${name} sources using ${method || 'Server'}()`, function () {
+      let core, api, ServerMock, reqMock, resMock, onFinishedMock;
+
+      beforeEach(function () {
+        ({ core } = initProtectFixture());
+        ServerMock = function ServerMock() {
+          this.e = new EventEmitter();
+        };
+        ServerMock.prototype.emit = function (...args) {
+          this.e.emit(...args);
+        };
+        ServerMock.prototype.on = function (...args) {
+          this.e.on(...args);
+        };
+        api = {
+          Server: ServerMock,
+          createServer() {
+            return new ServerMock();
+          },
+          createSecureServer() {
+            return new ServerMock();
+          }
+        };
+        reqMock = mocks.incomingMessage();
+        // resMock = new EventEmitter();
+        onFinishedMock = sinon.stub();
+
+        core.depHooks.resolve.withArgs(sinon.match({ name: 'http' })).yields(api);
+        proxyquire('.', {
+          'on-finished': onFinishedMock,
+        })(core).install();
+      });
+
+      it('"request" events run in scope with correct sourceInfo', function () {
+        const server = method ? api[method]() : new ServerMock();
+        let store;
+
+        server.on('request', function () {
+          store = core.scopes.sources.getStore();
+        });
+
+        server.emit('request', reqMock, resMock);
+
+        expect(store.sourceInfo).to.deep.include({
+          port: 8080,
+          protocol: 'http',
+          serverType: 'http',
+        });
+
+        expect(onFinishedMock).to.have.been.calledWith(resMock);
+      });
+
+      it('non-"request" events do not run in scope', function () {
+        const server = method ? api[method]() : new ServerMock();
+        let store;
+
+        server.on('foo', function () {
+          store = core.scopes.sources.getStore();
+        });
+
+        server.emit('foo', reqMock, resMock);
+        expect(store).to.be.undefined;
+      });
+    });
+  });
+});

package/node_modules/@contrast/{route-coverage/lib/normalized-url-mapper.js → sources/lib/normalized-uri-mapper.js}

@@ -15,13 +15,14 @@
 'use strict';
 
 const {
+  Event,
   get,
   set,
   primordials: { StringPrototypeSubstr, StringPrototypeSplit }
 } = require('@contrast/common');
 
-class NormalizedUrlMapper {
-  constructor() {
+class NormalizedUriMapper {
+  constructor(core) {
     this._db = {
       // index by static routes e.g.
       // '/' => {}
@@ -39,6 +40,12 @@ class NormalizedUrlMapper {
     };
     this._defaultDynamicRe = /\(|\?|\||\[|\*|\+|\{/;
     this._hapiDynamicRe = /\(|\?|\||\[|\*|\+/;
+
+    core.messages.on(Event.ROUTE_COVERAGE_DISCOVERY_FINISHED, (routes) => {
+      for (const routeInfo of routes) {
+        this.handleDiscover(routeInfo);
+      }
+    });
   }
 
   _getPathSegments(uriPath) {
@@ -171,4 +178,4 @@ class NormalizedUrlMapper {
   }
 }
 
-module.exports = NormalizedUrlMapper;
+module.exports = NormalizedUriMapper;

package/node_modules/@contrast/sources/lib/normalized-uri-mapper.test.js

@@ -0,0 +1,59 @@
+'use strict';
+
+const EventEmitter = require('node:events');
+const { expect } = require('chai');
+const { Event } = require('@contrast/common');
+const frameworkRoutingData = require('@contrast/test/data/framework-routing-data');
+const NormalizedUrlMapper = require('./normalized-uri-mapper');
+
+describe('route-coverage NormalizedUrlMapper', function() {
+  const testData = Object.values(frameworkRoutingData()).flatMap((a) => a);
+  let mapper;
+  let messages;
+
+  this.beforeEach(function() {
+    messages = new EventEmitter();
+    mapper = new NormalizedUrlMapper({
+      messages,
+    });
+  });
+
+  describe('.map', function() {
+    it('returns null if no discovery events were handled', function() {
+      [
+        '/user/1',
+        '/user/2',
+        '/user/3',
+        '/user/4',
+        '/user/1/cart',
+        '/user/2/cart',
+        '/user/3/cart',
+        '/user/4/cart',
+        '/products/all',
+        '/products/all',
+        '/products/1',
+        '/products/2',
+        '/products/3',
+        '/products/4',
+      ].forEach((uriPath) => {
+        expect(mapper.map(uriPath)).to.be.null;
+      });
+    });
+
+    it('returns normalizedUrl mapped from generic uriPath', function() {
+      messages.emit(Event.ROUTE_COVERAGE_DISCOVERY_FINISHED, testData.map((d) => d.routeInfo));
+      testData.forEach((td) => {
+        const { routeInfo, paths, hasMapping } = td;
+
+        for (const uriPath of paths) {
+          // todo - dynamic and regex paths
+          if (hasMapping === false) {
+            expect(mapper.map(uriPath)).to.be.null;
+          } else {
+            expect(mapper.map(uriPath)).to.equal(routeInfo.normalizedUrl);
+          }
+        }
+      });
+    });
+  });
+});

package/node_modules/@contrast/{sec-obs/node_modules/@contrast/core/lib/sensitive-data-masking/constants.js → sources/lib/req-data.js}

@@ -12,9 +12,3 @@
  * engineered, modified, repackaged, sold, redistributed or otherwise used in a
  * way not consistent with the End User License Agreement.
  */
-
-'use strict';
-
-module.exports = {
-  CONTRAST_REDACTED: 'contrast-redacted',
-};

package/node_modules/@contrast/sources/lib/source-info.js

@@ -0,0 +1,183 @@
+/*
+ * Copyright: 2025 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const {
+  primordials: {
+    RegExpPrototypeExec,
+    StringPrototypeReplace,
+    StringPrototypeSlice,
+    StringPrototypeSplit,
+    StringPrototypeToLowerCase,
+  }
+} = require('@contrast/common');
+
+const NormalizationPatterns = {
+  UUID: [/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i, '{uuid}'],
+  NUMERICAL: [/^\d+$/i, '{n}'],
+  HASH: [/([a-fA-F0-9]{2}){16,}/, '{hash}'],
+  // we can extend these as needed
+};
+
+class HttpSourceInfo {
+  /**
+   * @param {object} param
+   * @param {string} param.serverType
+   * @param {any} param.normalizedUriMapper
+   * @param {IncomingMessage} param.raw
+   */
+  constructor({
+    serverType,
+    normalizedUriMapper,
+    raw,
+  }) {
+    this._headerLookupCache = {};
+    this._normalizedUri = null;
+    this._normalizedUriMasked = null;
+    this._normalizedUriSegments = [];
+    this._normalizedUriMapper = normalizedUriMapper;
+    //
+    this.httpVersion = raw.httpVersion;
+    this.ip = raw.socket.remoteAddress ? StringPrototypeReplace.call(raw.socket.remoteAddress, /::ffff:/, '') : undefined;
+    this.port = raw.socket.address?.()?.port || 0;
+    this.protocol = serverType == 'http' ? 'http' : 'https'; // todo
+    this.serverType = serverType;
+    this.time = Date.now();
+    this.method = StringPrototypeToLowerCase.call(raw.method);
+    this.rawHeaders = [];
+
+    for (let i = 0; i < raw.rawHeaders.length; i += 2) {
+      const iNext = i + 1;
+      const headerName = StringPrototypeToLowerCase.call(raw.rawHeaders[i]);
+
+      headerName == 'content-type' && (this.contentType = raw.rawHeaders[iNext]);
+
+      this.rawHeaders[i] = headerName;
+      this.rawHeaders[iNext] = headerName == 'content-type' ?
+        StringPrototypeToLowerCase.call(raw.rawHeaders[iNext]) :
+        raw.rawHeaders[iNext];
+
+      if (
+        headerName == 'upgrade' &&
+        StringPrototypeToLowerCase.call(this.rawHeaders[iNext]) == 'websocket'
+      ) {
+        this.protocol = 'ws';
+      }
+    }
+
+    const idx = raw.url.indexOf('?');
+    if (idx >= 0) {
+      this.uriPath = StringPrototypeSlice.call(raw.url, 0, idx);
+      this.queries = StringPrototypeSlice.call(raw.url, idx + 1);
+    } else {
+      this.uriPath = raw.url;
+      this.queries = '';
+    }
+  }
+
+  /**
+   * Looks through rawHeaders to find it. Caches results to avoid subsequent lookups.
+   * @param {string} name needs to be lowercase
+   * @returns {string}
+   */
+  getHeader(name) {
+    if (name in this._headerLookupCache) return this._headerLookupCache[name];
+
+    for (let i = 0; i < this.rawHeaders.length; i += 2) {
+      if (name == this.rawHeaders[i]) {
+        return (this._headerLookupCache[name] = this.rawHeaders[i + 1]);
+      }
+    }
+
+    return null;
+  }
+
+  /**
+   * The normalizedUri is a computed field
+   */
+  get normalizedUri() {
+    const r = Reflect.get(this, '_normalizedUri');
+    if (!r) this.generateNormalizedUri();
+    return Reflect.get(this, '_normalizedUri');
+  }
+
+  set normalizedUri(value) {
+    Reflect.set(this, '_normalizedUri', value);
+  }
+
+  generateNormalizedUri() {
+    let normalizedUri;
+
+    // leverage route discovery data to try to find route template
+    normalizedUri = this._normalizedUriMapper?.map?.(this.uriPath);
+
+    if (normalizedUri) {
+      // if we can map to the template we can use it for masked value too
+      this._normalizedUri = normalizedUri;
+      this._normalizedUriMasked = normalizedUri;
+    } else {
+      // if we can't find the template then test against common
+      // regular expressions to normalize/mask each segment per spec
+      const arr = StringPrototypeSplit.call(this.uriPath, '/');
+      let maskedUri = '';
+
+      normalizedUri = '';
+
+      for (let idx = 1; idx < arr.length; idx++) {
+        let normalSeg = arr[idx];
+        let maskedSeg = normalSeg;
+
+        let isPattern;
+
+        for (const [rx, substitution] of Object.values(NormalizationPatterns)) {
+          isPattern = !!RegExpPrototypeExec.call(rx, normalSeg);
+          if (isPattern) {
+            normalSeg = maskedSeg = substitution;
+            break;
+          }
+        }
+
+        if (!isPattern) {
+          if (idx > 1) {
+            maskedSeg = `${StringPrototypeSlice.call(normalSeg, 0, 2)}xxxx`;
+          } else {
+            // no masking/normalizing for first seg (called "context" in spec)
+            maskedSeg = arr[idx];
+          }
+        }
+
+        maskedUri += `/${maskedSeg}`;
+        normalizedUri += `/${normalSeg}`;
+      }
+
+      this._normalizedUri = normalizedUri;
+      this._normalizedUriMasked = maskedUri;
+    }
+  }
+
+  get normalizedUriMasked() {
+    const r = Reflect.get(this, '_normalizedUriMasked');
+    if (!r) this.generateNormalizedUri();
+    return Reflect.get(this, '_normalizedUriMasked');
+  }
+
+  set normalizedUriMasked(value) {
+    Reflect.set(this, '_normalizedUriMasked', value);
+  }
+}
+
+module.exports.HttpSourceInfo = HttpSourceInfo;
+module.exports.NORMALIZE_PATTERNS = NormalizationPatterns;