npm - @contrast/agent-bundle - Versions diffs - 5.40.0 → 5.41.0 - Mend

@contrast/agent-bundle 5.40.0 → 5.41.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (258) hide show

package/node_modules/@contrast/agent/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "5.40.0",
+  "version": "5.41.0",
   "description": "Assess and Protect agents for Node.js",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -27,15 +27,15 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/agentify": "1.52.2",
-    "@contrast/architecture-components": "1.42.2",
-    "@contrast/assess": "1.58.2",
-    "@contrast/common": "1.34.2",
-    "@contrast/core": "1.54.2",
-    "@contrast/library-analysis": "1.44.2",
-    "@contrast/protect": "1.64.2",
-    "@contrast/route-coverage": "1.45.2",
-    "@contrast/sec-obs": "1.0.0-alpha.8",
-    "@contrast/telemetry": "1.29.2"
+    "@contrast/agentify": "1.53.0",
+    "@contrast/architecture-components": "1.43.0",
+    "@contrast/assess": "1.59.0",
+    "@contrast/common": "1.35.0",
+    "@contrast/core": "1.55.0",
+    "@contrast/library-analysis": "1.45.0",
+    "@contrast/protect": "1.65.0",
+    "@contrast/route-coverage": "1.46.0",
+    "@contrast/sec-obs": "1.0.0-alpha.9",
+    "@contrast/telemetry": "1.30.0"
   }
 }

package/node_modules/@contrast/agent-swc-plugin/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -12,7 +12,13 @@
  * engineered, modified, repackaged, sold, redistributed or otherwise used in a
  * way not consistent with the End User License Agreement.
  */
+const rewriter = require.resolve('./rewriter.wasm');
+const unwriter = require.resolve('./unwriter.wasm');
 module.exports = {
-  defaultRewriter: require.resolve('./rewriter.wasm'),
-  defaultUnwriter: require.resolve('./unwriter.wasm'),
+  rewriter,
+  unwriter,
+  defaultRewriter: rewriter,
+  defaultUnwriter: unwriter,
 };

package/node_modules/@contrast/agent-swc-plugin/methods.js CHANGED Viewed

@@ -1 +1,15 @@
-module.exports = ["concat", "match", "matchAll", "replace", "replaceAll", "slice", "split", "substring", "substr", "toLowerCase", "toUpperCase", "trim", "join"]
+module.exports = [
+  'concat',
+  'match',
+  'matchAll',
+  'replace',
+  'replaceAll',
+  'slice',
+  'split',
+  'substring',
+  'substr',
+  'toLowerCase',
+  'toUpperCase',
+  'trim',
+  'join',
+];

package/node_modules/@contrast/agent-swc-plugin/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent-swc-plugin",
-  "version": "3.0.0",
+  "version": "3.1.0",
   "description": "SWC plugins Contrast Node agent",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
   "license": "SEE LICENSE IN LICENSE",
@@ -8,10 +8,8 @@
     "swc-plugin"
   ],
   "main": "index.js",
-  "types": "index.d.ts",
   "files": [
     "index.js",
-    "index.d.ts",
     "methods.js",
     "*.wasm"
   ],
@@ -27,15 +25,14 @@
     "@swc/core": "^1.11.24"
   },
   "devDependencies": {
-    "@swc/cli": "0.7.7",
+    "@swc/cli": "0.7.8",
     "@swc/core": "^1.11.24",
-    "@tsconfig/node16": "16.1.3",
-    "@types/express": "5.0.1",
+    "@tsconfig/node16": "16.1.4",
     "benchmark": "2.1.4",
-    "chai": "5.2.0",
+    "chai": "5.2.1",
     "express": "5.1.0",
     "lodash": "4.17.21",
-    "mocha": "11.3.0",
+    "mocha": "11.7.1",
     "rimraf": "6.0.1",
     "source-map": "^0.7.4",
     "tinybench": "4.0.1",

package/node_modules/@contrast/agent-swc-plugin/rewriter.wasm CHANGED Viewed

Binary file

package/node_modules/@contrast/agentify/lib/index.js CHANGED Viewed

@@ -12,7 +12,6 @@
  * engineered, modified, repackaged, sold, redistributed or otherwise used in a
  * way not consistent with the End User License Agreement.
  */
-/*eslint node/no-unsupported-features/es-syntax: ["error", {version: >=10.0.0}]*/
 'use strict';
 const Module = require('module');
@@ -137,6 +136,7 @@ module.exports = function init(core = {}) {
       logger.info('Starting %s v%s', core.agentName, core.agentVersion);
       logger.info({ config }, 'Agent configuration');
+      logger.debug({ effectiveConfig: config.getReport({ redact: true }) }, 'Effective configuration');
       const plugin = await _callback?.(core);
@@ -191,9 +191,9 @@ module.exports = function init(core = {}) {
       { name: 'reporter', spec: '@contrast/reporter', default: true },
       { name: 'instrumentation', spec: '@contrast/instrumentation' },
       { name: 'metrics', spec: '@contrast/metrics' },
+      { name: 'sources', spec: '@contrast/sources' },
       // compose additional local services
       { name: 'heap-snapshots', spec: './heap-snapshots' },
-      { name: 'sources', spec: './sources' },
       { name: 'function-hooks', spec: './function-hooks' },
       { name: 'diagnostics', spec: './diagnostics' },
       { name: 'rewrite-hooks', spec: './rewrite-hooks' },

package/node_modules/@contrast/agentify/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agentify",
-  "version": "1.52.2",
+  "version": "1.53.0",
   "description": "Configures Contrast agent services and instrumentation within an application",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,21 +20,22 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.34.2",
-    "@contrast/config": "1.49.2",
-    "@contrast/core": "1.54.2",
-    "@contrast/deadzones": "1.26.2",
-    "@contrast/dep-hooks": "1.23.2",
-    "@contrast/esm-hooks": "2.28.2",
+    "@contrast/common": "1.35.0",
+    "@contrast/config": "1.50.0",
+    "@contrast/core": "1.55.0",
+    "@contrast/deadzones": "1.27.0",
+    "@contrast/dep-hooks": "1.24.0",
+    "@contrast/esm-hooks": "2.29.0",
     "@contrast/find-package-json": "^1.1.0",
-    "@contrast/instrumentation": "1.33.2",
-    "@contrast/logger": "1.27.2",
-    "@contrast/metrics": "1.31.2",
-    "@contrast/patcher": "1.26.2",
+    "@contrast/instrumentation": "1.34.0",
+    "@contrast/logger": "1.28.0",
+    "@contrast/metrics": "1.32.0",
+    "@contrast/patcher": "1.27.0",
     "@contrast/perf": "1.3.1",
-    "@contrast/reporter": "1.51.2",
-    "@contrast/rewriter": "1.30.2",
-    "@contrast/scopes": "1.24.2",
+    "@contrast/reporter": "1.52.0",
+    "@contrast/rewriter": "1.31.0",
+    "@contrast/scopes": "1.25.0",
+    "@contrast/sources": "1.1.0",
     "on-finished": "^2.4.1",
     "semver": "^7.6.0"
   }

package/node_modules/@contrast/architecture-components/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/architecture-components",
-  "version": "1.42.2",
+  "version": "1.43.0",
   "description": "Detects external systems being connected to by applications.",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,9 +20,9 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.34.2",
-    "@contrast/dep-hooks": "1.23.2",
-    "@contrast/logger": "1.27.2",
-    "@contrast/patcher": "1.26.2"
+    "@contrast/common": "1.35.0",
+    "@contrast/dep-hooks": "1.24.0",
+    "@contrast/logger": "1.28.0",
+    "@contrast/patcher": "1.27.0"
   }
 }

package/node_modules/@contrast/assess/lib/dataflow/propagation/install/util-format.js CHANGED Viewed

@@ -24,12 +24,35 @@ module.exports = function(core) {
     patcher,
     depHooks,
     assess: {
+      inspect,
       getPropagatorContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }
   } = core;
+  function traverseObject(obj, result, tags, history, depth = 1) {
+    let i = 0;
+    for (const val of Object.values(obj)) {
+      if (typeof val === 'object' && depth <= 4) tags = traverseObject(val, result, tags, history, depth += 1);
+      const valInfo = tracker.getData(val);
+      if (!valInfo || depth > 4) break;
+      const currIdx = result.indexOf(val, i);
+      if (currIdx > -1) {
+        i = currIdx + val.length;
+      } else {
+        break;
+      }
+      tags = createAppendTags(tags, valInfo.tags, currIdx);
+      history.push({ ...valInfo });
+    }
+    return tags;
+  }
   return core.assess.dataflow.propagation.utilFormat = {
     install() {
       depHooks.resolve({ name: 'util', version: '*' }, (util) => {
@@ -57,13 +80,14 @@ module.exports = function(core) {
             for (i; i < args.length; i++) {
               let arg = args[i];
+              if (!arg) continue;
               const formatChar = formatChars[i - 1];
               if (formatChar) {
                 switch (formatChar) {
                   case 's':
                     if (typeof arg === 'object') {
-                      // util.inspect instrumentation NYI
-                      arg = arg?.toString ? arg.toString() : util.inspect(arg, { depth: 0, colors: false, compact: 3 });
+                      break; // handled below
                     } else {
                       arg = String(arg);
                     }
@@ -77,36 +101,35 @@ module.exports = function(core) {
                     arg = JSON.stringify(arg) ?? 'undefined';
                     break;
                   case 'o':
-                    // util.inspect instrumentation NYI
-                    arg = util.inspect(arg, { showHidden: true, showProxy: true });
-                    break;
+                    break; // handled below
                   case 'O':
-                    // util.inspect instrumentation NYI
-                    arg = util.inspect(arg);
-                    break;
+                    break; // handled below
                   case 'c':
                     // c is ignored and skipped
                     arg = '';
                     break;
                 }
               } else if (typeof arg !== 'string') {
-                arg = util.inspect(arg);
+                arg = inspect(arg);
               }
-              const argInfo = tracker.getData(arg);
-              if (!argInfo) continue;
+              if (typeof arg === 'string') {
+                const argInfo = tracker.getData(arg);
+                if (!argInfo) continue;
-              const currIdx = result.indexOf(arg, idx);
-              if (currIdx > -1) {
-                idx = currIdx + arg.length;
-              } else {
-                continue;
+                const currIdx = result.indexOf(arg, idx);
+                if (currIdx > -1) {
+                  idx = currIdx + arg.length;
+                } else {
+                  continue;
+                }
+                newTags = createAppendTags(newTags, argInfo.tags, currIdx);
+                history.push({ ...argInfo });
+                eventArgs.push({ value: argInfo ? argInfo.value : arg, tracked: !!argInfo });
+              } else if (typeof arg === 'object') {
+                newTags = traverseObject(arg, result, newTags, history);
+                eventArgs.push({ value: inspect(arg), tracked: false });
               }
-              newTags = createAppendTags(newTags, argInfo.tags, currIdx);
-              history.push({ ...argInfo });
-              eventArgs.push({ value: argInfo ? argInfo.value : arg, tracked: !!argInfo });
             }
             const resultInfo = tracker.getData(result);

package/node_modules/@contrast/assess/lib/dataflow/sources/install/body-parser.js CHANGED Viewed

@@ -85,7 +85,7 @@ module.exports = function init(core) {
           },
         });
-        sourceContext.parsedBody = !!Object.keys(_data).length;
+        sourceContext.parsedBody = !!(_data && Object.keys(_data).length);
       } catch (err) {
         logger.error({ err, funcKey: data.funcKey }, 'unable to handle source');
       }

package/node_modules/@contrast/assess/lib/dataflow/sources/install/koa/koa-bodyparsers.js CHANGED Viewed

@@ -23,6 +23,7 @@ module.exports = (core) => {
     depHooks,
     patcher,
     logger,
+    scopes,
     assess: {
       getSourceContext,
       dataflow: { sources }
@@ -51,7 +52,8 @@ module.exports = (core) => {
               }
               data.args[1] = async function contrastNext(origErr) {
-                const inputType = sourceContext.reqData.headers?.['content-type']?.includes('/json')
+                const contentType = scopes.sources.getStore()?.sourceInfo?.contentType;
+                const inputType = contentType?.includes?.('/json')
                   ? InputType.JSON_VALUE
                   : typeof ctx.request.body == 'object'
                     ? InputType.PARAMETER_VALUE

package/node_modules/@contrast/assess/lib/dataflow/sources/install/qs6.js CHANGED Viewed

@@ -23,6 +23,7 @@ module.exports = (core) => {
     depHooks,
     patcher,
     logger,
+    scopes,
     assess: {
       getSourceContext,
       dataflow: { sources }
@@ -38,21 +39,20 @@ module.exports = (core) => {
         patchType,
         post({ args, hooked, orig, result, funcKey }) {
           const sourceContext = getSourceContext();
-          if (!sourceContext) {
-            return;
-          }
+          if (!sourceContext) return;
           if (sourceContext.parsedQuery) {
             logger.trace({ inputType, funcKey }, 'values already tracked');
             return;
           }
+          const queries = scopes.sources.getStore()?.sourceInfo?.queries;
           // We need to run analysis for the `qs` result only when it's used as a query parser.
           // `qs` is used also for parsing bodies, but these cases we handle individually with
           // the respective library that's using it (e.g. `formidable`, `co-body`) because in
           // some cases its use is optional and we cannot rely on it.
-          if (sourceContext.reqData?.queries === args[0]) {
+          if (queries === args[0]) {
             try {
               sources.handle({
                 context: 'req.query',

package/node_modules/@contrast/assess/lib/dataflow/sources/install/querystring.js CHANGED Viewed

@@ -24,6 +24,7 @@ module.exports = (core) => {
     depHooks,
     patcher,
     logger,
+    scopes,
   } = core;
   core.assess.dataflow.sources.querystringInstrumentation = {
@@ -46,7 +47,7 @@ module.exports = (core) => {
             // We only run analysis for the `querystring` result when it's used
             // as the framework's query parser
-            if (sourceContext.reqData?.queries === args[0]) {
+            if (scopes.sources.getStore().sourceInfo?.queries === args[0]) {
               try {
                 core.assess.dataflow.sources.handle({
                   context: 'req.query',

package/node_modules/@contrast/assess/lib/index.d.ts CHANGED Viewed

@@ -38,7 +38,6 @@ export interface Core extends _Core {
 }
 export interface SourceContext {
-  reqData: object,
   responseData: {
     contentType: string,
   },

package/node_modules/@contrast/assess/lib/make-source-context.js CHANGED Viewed

@@ -15,7 +15,6 @@
 'use strict';
-const { primordials: { StringPrototypeToLowerCase, StringPrototypeSlice } } = require('@contrast/common');
 const { Core } = require('@contrast/core/lib/ioc/core');
 /**
@@ -33,57 +32,28 @@ function factory(core) {
   const { assess, logger } = core;
   /**
+   * todo: how to handle non-HTTP sources
    * @returns {import('@contrast/assess').SourceContext}
    */
-  return core.assess.makeSourceContext = function(sourceData) {
-    try {
+  return core.assess.makeSourceContext = function ({ store, incomingMessage: req }) {
-      const ctx = sourceData.store.assess = {
+    try {
+      const ctx = store.assess = {
         // default policy to `null` until it is set later below. this will cause
         // all instrumentation to short-circuit, see `./get-source-context.js`.
         policy: null,
       };
-      if (!core.config.getEffectiveValue('assess.enable')) {
-        return ctx;
-      }
-      // todo: how to handle non-HTTP sources
-      const { incomingMessage: req } = sourceData;
-      // minimally process the request data for sampling and exclusions.
-      // more request fields will be appended in final result below.
-      let uriPath;
-      let queries;
-      const idx = req.url.indexOf('?');
-      if (idx >= 0) {
-        uriPath = StringPrototypeSlice.call(req.url, 0, idx);
-        queries = StringPrototypeSlice.call(req.url, idx + 1);
-      } else {
-        uriPath = req.url;
-        queries = '';
-      }
-      ctx.reqData = {
-        method: req.method,
-        uriPath,
-        queries,
-      };
+      if (!core.config.getEffectiveValue('assess.enable')) return ctx;
       // check whether sampling allows processing
-      ctx.sampleInfo = assess.sampler?.getSampleInfo(sourceData) ?? null;
+      ctx.sampleInfo = assess.sampler?.getSampleInfo(store.sourceInfo) ?? null;
       if (ctx.sampleInfo?.canSample === false) return ctx;
       // set policy - can be returned as `null` if request is url-excluded.
-      ctx.policy = assess.getPolicy(ctx.reqData);
+      ctx.policy = assess.getPolicy(store.sourceInfo);
       if (!ctx.policy) return ctx;
-      // build remaining reqData
-      ctx.reqData.headers = { ...req.headers }; // copy to avoid storing tracked values
-      ctx.reqData.ip = req.socket.remoteAddress;
-      ctx.reqData.httpVersion = req.httpVersion;
-      if (ctx.reqData.headers['content-type'])
-        ctx.reqData.contentType = StringPrototypeToLowerCase.call(ctx.reqData.headers['content-type']);
       ctx.propagationEventsCount = 0;
       ctx.sourceEventsCount = 0;
       ctx.responseData = {};

package/node_modules/@contrast/assess/lib/sampler/common.js CHANGED Viewed

@@ -31,23 +31,22 @@ class RouteAnalysisMonitor {
   }
   /**
-   * @param {object} reqData
-   * @param {string} reqData.uriPath
+   * @param {import('@contrast/common').SourceInfo} sourceInfo
+   * @param {string} sourceInfo.normalizedUri
    * @returns {AnalysisInfo}
    */
-  getAnalysisInfo({ method, uriPath }) {
-    const normalizedUrl = this._core.routeCoverage.uriPathToNormalizedUrl(uriPath);
+  getAnalysisInfo({ method, normalizedUri }) {
     const now = Date.now();
-    if (normalizedUrl) {
-      const key = `${method}:${normalizedUrl}`;
+    if (normalizedUri) {
+      const key = `${method}:${normalizedUri}`;
       let routeMeta = this._normalCache.get(key);
       // not in cache, not paused
       if (!routeMeta) {
         routeMeta = {
           pauseEnd: now + this._ttl,
-          normalizedUrl,
+          normalizedUrl: normalizedUri,
         };
         this._normalCache.set(key, routeMeta);
@@ -64,8 +63,6 @@ class RouteAnalysisMonitor {
       // was in cache and still paused
       return { paused: true, ...routeMeta };
-    } else {
-      // todo - handle "dynamic" routes
     }
     return this._defaultAnalysisInfo;
@@ -105,7 +102,6 @@ class ProbabilisticSampler extends BaseSampler {
   getSampleInfo(sourceInfo) {
     const { baseline, base_probability } = this.opts;
-    const { reqData } = sourceInfo.store.assess;
     if (this.baseline < baseline) {
       this.baseline++;
@@ -119,7 +115,7 @@ class ProbabilisticSampler extends BaseSampler {
     // check route monitoring before sampling
     if (canSample) {
-      const routeInfo = this.routeMonitor?.getAnalysisInfo(reqData);
+      const routeInfo = this.routeMonitor?.getAnalysisInfo(sourceInfo);
       if (routeInfo) {
         // don't sample if analysis is paused

package/node_modules/@contrast/assess/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.58.2",
+  "version": "1.59.0",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,17 +20,18 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.34.2",
-    "@contrast/config": "1.49.2",
-    "@contrast/core": "1.54.2",
-    "@contrast/dep-hooks": "1.23.2",
+    "@contrast/common": "1.35.0",
+    "@contrast/config": "1.50.0",
+    "@contrast/core": "1.55.0",
+    "@contrast/dep-hooks": "1.24.0",
     "@contrast/distringuish": "^5.1.0",
-    "@contrast/instrumentation": "1.33.2",
-    "@contrast/logger": "1.27.2",
-    "@contrast/patcher": "1.26.2",
-    "@contrast/rewriter": "1.30.2",
-    "@contrast/route-coverage": "1.45.2",
-    "@contrast/scopes": "1.24.2",
+    "@contrast/instrumentation": "1.34.0",
+    "@contrast/logger": "1.28.0",
+    "@contrast/patcher": "1.27.0",
+    "@contrast/rewriter": "1.31.0",
+    "@contrast/route-coverage": "1.46.0",
+    "@contrast/scopes": "1.25.0",
+    "@contrast/sources": "1.1.0",
     "semver": "^7.6.0"
   }
 }

package/node_modules/@contrast/common/lib/types.d.ts CHANGED Viewed

@@ -207,7 +207,6 @@ export declare class Blocker {
     block(mode: string, ruleId: string): void;
 }
 export interface ProtectMessage {
-    reqData: ReqData;
     blocker: Blocker;
     policy: Partial<Record<Rule, ProtectRuleMode>>;
     exclusions: any[];
@@ -226,6 +225,13 @@ export interface SourceInfo {
     port: number;
     protocol: string;
     time: number;
+    method: string;
+    rawHeaders: string[];
+    uriPath: string;
+    queries: string;
+    contentType?: string;
+    ip: string;
+    httpVersion: string;
 }
 /**
  * this is known as RequestStore even though, in the future, instrumentation

package/node_modules/@contrast/common/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/common",
-  "version": "1.34.2",
+  "version": "1.35.0",
   "description": "Shared constants and utilities for all Contrast Agent modules",
   "license": "UNLICENSED",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",

package/node_modules/@contrast/config/lib/common.js CHANGED Viewed

@@ -45,7 +45,7 @@ const {
 } = require('@contrast/common');
 function coerceLowerCase(path) {
-  return function(remoteData) {
+  return function (remoteData) {
     const value = get(remoteData, path);
     if (value && isString(value)) return StringPrototypeToLowerCase.call(value);
   };