npm - @contrast/agent-bundle - Versions diffs - 5.40.0 → 5.41.0 - Mend

@contrast/agent-bundle 5.40.0 → 5.41.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (258) hide show

package/node_modules/@contrast/config/lib/config.js CHANGED Viewed

@@ -12,13 +12,14 @@
  * engineered, modified, repackaged, sold, redistributed or otherwise used in a
  * way not consistent with the End User License Agreement.
  */
+// @ts-check
 'use strict';
 const process = require('process');
 const path = require('path');
 const fs = require('fs');
 const os = require('os');
+const merge = require('deepmerge');
 const yaml = require('yaml');
 const { Event, get, set, primordials: { ArrayPrototypeJoin, StringPrototypeToUpperCase, JSONParse } } = require('@contrast/common');
 const options = require('./options');
@@ -42,12 +43,14 @@ const OS_CONFIG_DIR = os.platform() === 'win32'
 const REDACTED_KEYS = ['api.api_key', 'api.service_key', 'api.token'];
 const OVERRIDABLE_SOURCES = [DEFAULT_VALUE, CONTRAST_UI];
+// Overwrites the existing array values completely rather than concatenating them.
+const arrayMerge = (target, source, options) => source;
 const isValid = (opt) => opt !== undefined && opt !== null && opt !== '';
 module.exports = class Config {
   constructor(core) {
     // internals
-    this._filepath = '';
+    this._filepaths = [];
     this._errors = [];
     this._effectiveMap = new Map();
     this._status = '';
@@ -74,6 +77,7 @@ module.exports = class Config {
       disabled_rules: ''
     };
     this.server = {};
+    this.preinstrument = false;
     // initialize
     this._build();
@@ -138,53 +142,65 @@ module.exports = class Config {
   }
   /**
-   * Returns the locations to search for configuration files. Being a function
-   * allows us to stub these locations within tests.
+   * Returns the locations to search for configuration files as an array of
+   * arrays where each inner array contains a set of files to be merged in order of precedence.
+   * Being a function allows us to stub these locations within tests.
    */
   _configDirs() {
-    return [
-      process.cwd(),
+    return [[
+      process.cwd()
+    ], [
       path.resolve(OS_CONFIG_DIR, 'node'),
       OS_CONFIG_DIR,
+    ], [
       path.resolve(HOME_CONFIG_DIR, 'node'),
       HOME_CONFIG_DIR,
-    ];
+    ]];
   }
   _initFile() {
     let fileConfig = {};
-    this._filepath = process.env[CONTRAST_CONFIG_PATH];
-    if (!this._filepath) {
-      for (const dir of this._configDirs()) {
-        const currentPath = path.resolve(dir, 'contrast_security.yaml');
-        if (fs.existsSync(currentPath)) {
-          this._filepath = currentPath;
-          break;
+    if (process.env[CONTRAST_CONFIG_PATH]) {
+      // deliberately ignore /dev/null (linux) and \\.\\nul (windows)
+      if (process.env[CONTRAST_CONFIG_PATH] === os.devNull) return fileConfig;
+      this._filepaths = [process.env[CONTRAST_CONFIG_PATH]];
+    } else {
+      for (const dirs of this._configDirs()) {
+        for (const dir of dirs) {
+          const currentPath = path.resolve(dir, 'contrast_security.yaml');
+          if (fs.existsSync(currentPath)) {
+            this._filepaths.push(currentPath);
+          }
         }
+        if (this._filepaths.length > 0) break;
       }
     }
-    const { _filepath } = this;
-    // deliberately ignore /dev/null (linux) and \\.\\nul (windows)
-    if (_filepath && _filepath !== os.devNull) {
+    for (const filepath of this._filepaths) {
       let fileContents;
       try {
-        fileContents = fs.readFileSync(_filepath, 'utf-8');
+        fileContents = fs.readFileSync(filepath, 'utf-8');
       } catch (e) {
-        const err = new Error(`Unable to read Contrast configuration file: '${_filepath}'`);
+        const err = new Error(`Unable to read Contrast configuration file: '${filepath}'`);
         err.cause = e;
         this._errors.push(err);
       }
       if (fileContents) {
         try {
-          fileConfig = yaml.parse(fileContents, { prettyErrors: true });
+          const yamlConfig = yaml.parse(fileContents, { prettyErrors: true });
+          if (yamlConfig.root) {
+            this._filepaths = [filepath];
+            return yamlConfig;
+          } else {
+            fileConfig = merge(yamlConfig, fileConfig, { arrayMerge });
+          }
         } catch (e) {
-          const err = new Error(`Contrast configuration file is malformed: '${_filepath}'`);
+          const err = new Error(`Contrast configuration file is malformed: '${filepath}'`);
           this._errors.push(err);
           err.cause = e;
         }
@@ -229,7 +245,11 @@ module.exports = class Config {
     }
     // this is not a common config value
-    this.setValue('preinstrument', !!process.env.CONTRAST_PREINSTRUMENT, ConfigSource.ENVIRONMENT_VARIABLE);
+    this.setValue(
+      'preinstrument',
+      !!process.env.CONTRAST_PREINSTRUMENT,
+      process.env.CONTRAST_PREINSTRUMENT ? ConfigSource.ENVIRONMENT_VARIABLE : ConfigSource.DEFAULT_VALUE,
+    );
   }
   _redact(name, value) {
@@ -247,7 +267,7 @@ module.exports = class Config {
     }
   }
-  getReport({ redact = true }) {
+  getReport({ redact = true, stringify = true } = {}) {
     const report = {
       report_create: new Date(),
       config: {
@@ -257,10 +277,12 @@ module.exports = class Config {
     const effective_config = [], environment_variable = [], contrast_ui = [];
     Array.from(this._effectiveMap.values()).forEach((v) => {
-      let { value, name, canonical_name, source } = v;
+      let { value } = v;
       if (value === null) return;
+      const { name, canonical_name, source } = v;
       if (redact) value = this._redact(name, value);
-      value = String(value);
+      if (stringify) value = String(value);
       effective_config.push({ value, name, canonical_name, source });

package/node_modules/@contrast/config/lib/index.d.ts CHANGED Viewed

@@ -52,7 +52,7 @@ export interface ConfigOption<T> {
 }
 export interface Config {
-  _filepath: string;
+  _filepaths: string[];
   _effectiveMap: Map<string, EffectiveEntry<any>>;
   _errors: Error[];
   _status: string,
@@ -320,7 +320,7 @@ export interface Config {
   };
   getEffectiveSource(cannonicalName: string): string;
   getEffectiveValue<T = any>(cannonicalName: string): T;
-  getReport({ redact: boolean }): any;
+  getReport(opts?: { redact?: boolean, stringify?: boolean }): any;
   setValue<T = any>(name: string, value: T, source: string): void;
 }

package/node_modules/@contrast/config/lib/options.js CHANGED Viewed

@@ -194,25 +194,25 @@ const options = [
   },
   {
     name: 'api.certificate.ca_file',
-    description: 'Set the absolute or relative path to a CA for communication with the Contrast UI using a self-signed certificate.',
+    desc: 'Set the absolute or relative path to a CA for communication with the Contrast UI using a self-signed certificate.',
     arg: '<path>',
     fn: toAbsolutePath,
   },
   {
     name: 'api.certificate.cert_file',
-    description: 'Set the absolute or relative path to the Certificate PEM file for communication with the Contrast UI.',
+    desc: 'Set the absolute or relative path to the Certificate PEM file for communication with the Contrast UI.',
     arg: '<path>',
     fn: toAbsolutePath,
   },
   {
     name: 'api.certificate.key_file',
-    description: 'Set the absolute or relative path to the Key PEM file for communication with the Contrast UI.',
+    desc: 'Set the absolute or relative path to the Key PEM file for communication with the Contrast UI.',
     arg: '<path>',
     fn: toAbsolutePath,
   },
   {
     name: 'api.certificate.ignore_cert_errors',
-    description: 'When set to `true`, the agent ignores certificate verification errors when the agent communicates with the Contrast UI.',
+    desc: 'When set to `true`, the agent ignores certificate verification errors when the agent communicates with the Contrast UI.',
     arg: '[true]',
     default: false,
   },

package/node_modules/@contrast/config/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/config",
-  "version": "1.49.2",
+  "version": "1.50.0",
   "description": "An API for discovering Contrast agent configuration data",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,8 +20,9 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.34.2",
-    "@contrast/core": "1.54.2",
+    "@contrast/common": "1.35.0",
+    "@contrast/core": "1.55.0",
+    "deepmerge": "^4.3.1",
     "yaml": "^2.2.2"
   }
 }

package/node_modules/@contrast/core/lib/sensitive-data-masking/protect-listener.js CHANGED Viewed

@@ -27,8 +27,8 @@ module.exports = function (core) {
     sensitiveDataMasking: { policy, getRedactedText, traverseAndMask },
   } = core;
-  messages.on(Event.PROTECT, (msg) => {
-    if (!msg.protect || !policy.keywordSets.length) {
+  messages.on(Event.PROTECT, (store) => {
+    if (!store.protect || !policy.keywordSets.length || !store.sourceInfo) {
       return;
     }
@@ -36,33 +36,33 @@ module.exports = function (core) {
     const unmasked = policy.maskAttackVector ? new Set() : undefined;
     if (policy.maskHttpBody) {
-      msg.protect.parsedBody = `${CONTRAST_REDACTED}-body`;
+      store.protect.parsedBody = `${CONTRAST_REDACTED}-body`;
     } else {
-      traverseAndMask(msg.protect?.parsedBody, unmasked);
+      traverseAndMask(store.protect?.parsedBody, unmasked);
     }
-    traverseAndMask(msg.protect?.parsedCookies, unmasked);
-    traverseAndMask(msg.protect?.parsedQuery, unmasked);
+    traverseAndMask(store.protect?.parsedCookies, unmasked);
+    traverseAndMask(store.protect?.parsedQuery, unmasked);
     // Do parsed URL path params and urlPath together
-    const params = msg.protect?.parsedParams;
+    const params = store.protect?.parsedParams;
     if (params) {
       for (const [key, value] of Object.entries(params)) {
         const redactedText = getRedactedText(key);
         if (redactedText) {
           const encoded = encodeURIComponent(value);
-          msg.protect.reqData.uriPath = StringPrototypeReplace.call(
-            msg.protect.reqData.uriPath,
+          store.sourceInfo.uriPath = StringPrototypeReplace.call(
+            store.sourceInfo.uriPath,
             encoded,
             redactedText
           );
-          msg.protect.parsedParams[key] = redactedText;
+          store.protect.parsedParams[key] = redactedText;
         }
       }
     }
     // raw headers
-    const headers = msg.protect?.reqData.headers;
+    const headers = store.sourceInfo.rawHeaders;
     for (let i = 0; i <= headers.length - 2; i += 2) {
       const key = headers[i];
@@ -73,20 +73,20 @@ module.exports = function (core) {
     }
     // raw queries
-    if (msg.protect?.reqData?.queries) {
-      const searchParams = new URLSearchParams(msg.protect.reqData.queries);
+    if (store.sourceInfo?.queries) {
+      const searchParams = new URLSearchParams(store.sourceInfo.queries);
       for (const [key] of searchParams) {
         const redactedText = getRedactedText(key);
         if (redactedText) {
           searchParams.set(key, redactedText);
         }
       }
-      msg.protect.reqData.queries = searchParams.toString();
+      store.sourceInfo.queries = searchParams.toString();
     }
     if (policy.maskAttackVector) {
       // attack values
-      const inputAnalysis = Object.entries(msg.protect?.resultsMap);
+      const inputAnalysis = Object.entries(store.protect?.resultsMap);
       for (const [, results] of inputAnalysis) {
         for (const result of results) {
           const redactedText = getRedactedText(result.key);

package/node_modules/@contrast/core/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/core",
-  "version": "1.54.2",
+  "version": "1.55.0",
   "description": "Preconfigured Contrast agent core services and models",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -19,15 +19,15 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.34.2",
-    "@contrast/config": "1.49.2",
+    "@contrast/common": "1.35.0",
+    "@contrast/config": "1.50.0",
     "@contrast/find-package-json": "^1.1.0",
     "@contrast/fn-inspect": "^4.3.0",
-    "@contrast/logger": "1.27.2",
-    "@contrast/patcher": "1.26.2",
+    "@contrast/logger": "1.28.0",
+    "@contrast/patcher": "1.27.0",
     "@contrast/perf": "1.3.1",
     "@tsxper/crc32": "^2.1.3",
-    "axios": "^1.7.4",
+    "axios": "^1.11.0",
     "semver": "^7.6.0"
   }
 }

package/node_modules/@contrast/deadzones/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/deadzones",
-  "version": "1.26.2",
+  "version": "1.27.0",
   "description": "Configures Contrast agent services and instrumentation within an application",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,9 +20,9 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.34.2",
-    "@contrast/dep-hooks": "1.23.2",
-    "@contrast/patcher": "1.26.2",
-    "@contrast/scopes": "1.24.2"
+    "@contrast/common": "1.35.0",
+    "@contrast/dep-hooks": "1.24.0",
+    "@contrast/patcher": "1.27.0",
+    "@contrast/scopes": "1.25.0"
   }
 }

package/node_modules/@contrast/dep-hooks/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/dep-hooks",
-  "version": "1.23.2",
+  "version": "1.24.0",
   "description": "Post hooks for Module.prototype.require",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -21,9 +21,9 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.34.2",
+    "@contrast/common": "1.35.0",
     "@contrast/find-package-json": "^1.1.0",
-    "@contrast/logger": "1.27.2",
+    "@contrast/logger": "1.28.0",
     "semver": "^7.6.3"
   }
 }

package/node_modules/@contrast/esm-hooks/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/esm-hooks",
-  "version": "2.28.2",
+  "version": "2.29.0",
   "type": "module",
   "description": "Support for loading and instrumenting ECMAScript modules",
   "license": "SEE LICENSE IN LICENSE",
@@ -22,11 +22,11 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.34.2",
-    "@contrast/config": "1.49.2",
-    "@contrast/core": "1.54.2",
+    "@contrast/common": "1.35.0",
+    "@contrast/config": "1.50.0",
+    "@contrast/core": "1.55.0",
     "@contrast/find-package-json": "^1.1.0",
-    "@contrast/logger": "1.27.2",
-    "@contrast/rewriter": "1.30.2"
+    "@contrast/logger": "1.28.0",
+    "@contrast/rewriter": "1.31.0"
   }
 }

package/node_modules/@contrast/instrumentation/lib/index.js CHANGED Viewed

@@ -31,5 +31,4 @@ module.exports = function(core) {
       installers[moduleName](opts);
     },
   };
 };

package/node_modules/@contrast/instrumentation/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/instrumentation",
-  "version": "1.33.2",
+  "version": "1.34.0",
   "description": "Shared hooks and patches between Protect and Assess components",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,9 +20,9 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.34.2",
-    "@contrast/dep-hooks": "1.23.2",
-    "@contrast/logger": "1.27.2",
-    "@contrast/patcher": "1.26.2"
+    "@contrast/common": "1.35.0",
+    "@contrast/dep-hooks": "1.24.0",
+    "@contrast/logger": "1.28.0",
+    "@contrast/patcher": "1.27.0"
   }
 }