@contrast/agent-bundle 5.40.0 → 5.41.0

package/node_modules/@contrast/sec-obs/node_modules/@contrast/common/lib/types.d.ts

@@ -1,383 +0,0 @@
-/// <reference types="node" />
-/// <reference types="node" />
-import { EventEmitter } from 'events';
-import { ServerResponse } from 'node:http';
-import { Event, ProtectRuleMode, Rule } from './constants';
-export interface Installable {
-    install(...args: any[]): void | Promise<void>;
-    uninstall?(): void | Promise<void>;
-}
-export interface Signature {
-    moduleName: string;
-    methodName: string;
-    fileName?: string;
-    version?: string;
-    isModule: boolean;
-    isConstructor?: boolean;
-    source?: 'O' | 'P' | 'R';
-    target?: 'O' | 'P' | 'R';
-}
-export interface AppInfo {
-    os: {
-        type: string;
-        platform: string;
-        architecture: string;
-        release: string;
-    };
-    /** String representation of process.argv */
-    cmd: string;
-    /** OS-provided hostname */
-    hostname: string;
-    /** Application entry point */
-    indexFile: string;
-    /** Path to package.json */
-    path: string;
-    /** package.json contents */
-    pkg: object;
-    /** Configured application name, defaults to pkg.name */
-    name: string;
-    /** Application root directory, i.e. the directory containing package.json */
-    app_dir: string;
-    /** Configured application version, defaults to pkg.version */
-    version: string;
-    /** Configured server version */
-    serverVersion: string;
-    /** process.version */
-    nodeVersion: string;
-    /** Configured application path, defaults to app_dir unless provided by config */
-    appPath: string;
-    /** From config */
-    serverName: string;
-    /** From config */
-    serverType: string;
-    /** From config */
-    serverEnvironment: string;
-    /** From config */
-    group: string | null;
-    /** From config */
-    metadata: string | null;
-    /** Hash of `package-lock.json` or `package.json` */
-    buildId: string;
-}
-export interface SystemInfo {
-    reportDate: string;
-    hostname: string;
-    contrast: {
-        url: string | null;
-        proxy: {
-            enable: boolean;
-            url: string | null;
-        };
-        server: {
-            name: string;
-        };
-        agent: {
-            name: string;
-            version: string;
-        };
-    };
-    node: {
-        path: string;
-        version: string;
-        memory: {
-            total: string;
-            free: string;
-            used: string;
-        };
-    };
-    os: {
-        architecture: string;
-        name: string;
-        version: string;
-        kernelVersion: string;
-        cpu: {
-            type: string;
-            count: number;
-        };
-        memory: {
-            total: string;
-        };
-        id: string | undefined;
-        versionId: string | undefined;
-    };
-    host: {
-        docker: {
-            isDocker: boolean;
-            containerId: string | null;
-        };
-        kubernetes: {
-            isKubernetes: boolean;
-        };
-        pm2: {
-            used: boolean;
-            version: string | null;
-        };
-        memory: {
-            total: string;
-        };
-    };
-    application: object;
-    cloud: {
-        provider: string | null;
-        resourceId: string | null;
-    };
-}
-export type CommonRules = Rule.SQL_INJECTION | Rule.CMD_INJECTION | Rule.PATH_TRAVERSAL | Rule.REFLECTED_XSS | Rule.SSJS_INJECTION | Rule.NOSQL_INJECTION_MONGO | Rule.UNSAFE_FILE_UPLOAD | Rule.NOSQL_INJECTION | Rule.METHOD_TAMPERING | Rule.BOT_BLOCKER;
-export type SemanticAnalysisRules = Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS | Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS | Rule.XXE | Rule.CMD_INJECTION_COMMAND_BACKDOORS | Rule.PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS;
-export type ServerFeaturePreliminaryRules = Rule.VIRTUAL_PATCH | Rule.IP_DENYLIST;
-export type HardeningRules = Rule.UNTRUSTED_DESERIALIZATION;
-export interface Result {
-    blocked: boolean;
-    exploitMetadata?: any[] | any;
-    idsList?: string[];
-    inputType: string;
-    key?: string;
-    mappedId: string;
-    mongoExpansionResult?: boolean;
-    path?: string[];
-    ruleId: Rule;
-    score: number;
-    value: string;
-    sinkContext?: any;
-}
-export interface SemanticAnalysisResult extends Result {
-    ruleId: SemanticAnalysisRules;
-    exploitMetadata: {
-        command?: string;
-        prolog?: string;
-        xml?: string;
-    }[];
-    sinkContext?: any;
-}
-export interface HardeningResult extends Result {
-    exploitMetadata: {
-        command?: boolean;
-        deserializer?: string;
-    }[];
-    sinkContext?: any;
-}
-export interface ServerFeaturePreliminaryResult {
-    name?: string;
-    uuid: string;
-    ip?: string;
-}
-export interface ServerFeatureResult extends Result {
-    exploitMetadata?: ServerFeaturePreliminaryResult[];
-}
-export interface ReqData {
-    method: string;
-    headers: string[];
-    uriPath: string;
-    queries: string;
-    contentType?: string;
-    ip: string;
-    httpVersion: string;
-}
-export type CommonRulesResultsMap = {
-    [rule in CommonRules]: Result[];
-};
-export type SemanticAnalysisResultsMap = {
-    [rule in SemanticAnalysisRules]: SemanticAnalysisResult[];
-};
-export type ServerFeaturePreliminaryResultsMap = {
-    [rule in ServerFeaturePreliminaryRules]: ServerFeaturePreliminaryResult[];
-};
-export type HardeningResultsMap = {
-    [rule in HardeningRules]: HardeningResult[];
-};
-export type ResultMap = CommonRulesResultsMap & SemanticAnalysisResultsMap & ServerFeaturePreliminaryResultsMap & HardeningResultsMap;
-export declare class Blocker {
-    constructor(res: ServerResponse);
-    block(mode: string, ruleId: string): void;
-}
-export interface ProtectMessage {
-    reqData: ReqData;
-    blocker: Blocker;
-    policy: Partial<Record<Rule, ProtectRuleMode>>;
-    exclusions: any[];
-    virtualPatches: any[];
-    trackRequest: boolean;
-    securityException?: [mode: ProtectRuleMode, ruleId: string];
-    bodyType?: 'json' | 'urlencoded';
-    resultsMap: Partial<ResultMap>;
-    parsedBody: any;
-    parsedCookies: any;
-    parsedParams: any;
-    parsedQuery: any;
-}
-export interface SourceInfo {
-    serverType: string;
-    port: number;
-    protocol: string;
-    time: number;
-}
-/**
- * this is known as RequestStore even though, in the future, instrumentation
- * will exist for message buses or sources other than HTTP requests. "request"
- * seems generic enough that it's not hard to understand that request can mean
- * an amqp message or other request to perform work that might get user input.
- * additionally, at this time, the only things instrumented are HTTP requests,
- * and other things are only possible extensions to the core facility. it seems
- * reasonable that they will fit into the primary concept that the agent deals
- * with, requests, whether from HTTP or elsewhere.
- */
-export interface RequestStore {
-    sourceInfo?: SourceInfo;
-    protect?: ProtectMessage;
-    assess?: any;
-    route?: any;
-}
-/**
- * Architecture Component registration event payload.
- */
-export interface ArchitectureComponent {
-    /** The type of this component: database, ldap, or web server connection. */
-    type: 'db' | 'ldap' | 'ws';
-    /**
-     * The URL to which this component responds.
-     * @example "mysql://host:3306"
-     */
-    url: string;
-    /**
-     * Some indication of the subtype of the connection.
-     * @example "MySQL"
-     */
-    vendor?: string;
-}
-/**
- * Library discovery event payload.
- */
-export interface Library {
-    /**
-     * The time, in ms, that the library was last modified on the filesystem.
-     * Must be greater than 0 and less than 32503679999000 (Tuesday, 31 December 2999 23:59:59).
-     * @todo
-     */
-    externalDate: number;
-    /**
-     * The time, in ms, that the library was last modified on the filesystem.
-     * Must be greater than 0 and less than 32503679999000 (Tuesday, 31 December 2999 23:59:59).
-     * @todo
-     */
-    internalDate: number;
-    /**
-     * The version of the library.
-     * @example "2.18.1"
-     */
-    version: string;
-    /**
-     * Hash of the library. uses the provided SHA sum when present, or a generated
-     * identifer otherwise.
-     * @example "2254143855c5a8c73825e4522baf2ea021766717"
-     * @example "mysql:2.18.1"
-     */
-    hash: string;
-    /**
-     * Name of the library with version data
-     * @example "mysql-2.18.1"
-     */
-    file: string;
-    /**
-     * Homepage or source of the library.
-     * @example "https://github.com/mysqljs/mysql#readme"
-     * @example "https://registry.npmjs.org/mysql/-/mysql-2.18.1.tgz"
-     */
-    url?: string;
-    /**
-     * Library tags provided by the user to the agent.
-     */
-    tags: string;
-}
-/**
- * Library usage update event payload.
- */
-export interface LibraryUsage {
-    id: string;
-    names: string[];
-}
-export interface LibraryMetadata {
-    /** the name of the module being required as indicated by its package.json */
-    name: string;
-    /** the version of the module being required as indicated by its package.json */
-    version: string;
-}
-/**
- * Route discovery or observation event payload.
- */
-export interface RouteInfo {
-    /**
-     * Language specific signature of the controller method.
-     * @example "Router.get('prefix/route/path', [Function])"
-     */
-    signature: string;
-    /**
-     * The HTTP method supported by the discovered route url, if one is reported.
-     * @example "get"
-     */
-    method?: string;
-    /**
-     * URL for a route.
-     * @example "prefix/route/path"
-     */
-    url: string;
-    /**
-     * Normalized URL for a route.
-     * @example "prefix/:id/path"
-     */
-    normalizedUrl: string;
-}
-/**
- * Agent event emitter for messaging to/from external systems. Use cases are
- * reporting agent findings and broadcasting settings updates.
- *
- * The final, generic, overloads for emit/on matches any calls that don't match
- * one of the more specific definitions.
- */
-export interface Messages extends EventEmitter {
-    emit(event: Event.ARCHITECTURE_COMPONENT, msg: ArchitectureComponent): boolean;
-    emit(event: Event.ASSESS_DATAFLOW_FINDING, msg: any): boolean;
-    emit(event: Event.LIBRARY, msg: Library): boolean;
-    emit(event: Event.LIBRARY_USAGE, msg: LibraryUsage): boolean;
-    emit(event: Event.PROTECT, msg: RequestStore): boolean;
-    emit(event: Event.ROUTE_COVERAGE_DISCOVERY_FINISHED, routes: RouteInfo[]): boolean;
-    emit(event: Event.ROUTE_COVERAGE_OBSERVATION, route: RouteInfo): boolean;
-    emit(event: Event.SERVER_SETTINGS_UPDATE, msg: Record<string, any>): boolean;
-    emit(event: Event.UNINSTALL, msg: any): boolean;
-    emit(event: Event.UNSUPPORTED_LIBRARY, msg: LibraryMetadata): boolean;
-    emit(event: Event, ...args: any[]): boolean;
-    on(event: Event.ARCHITECTURE_COMPONENT, listener: (msg: ArchitectureComponent) => void): this;
-    on(event: Event.ASSESS_DATAFLOW_FINDING, listenter: (msg: any) => void): this;
-    on(event: Event.LIBRARY, listener: (msg: Library) => void): this;
-    on(event: Event.LIBRARY_USAGE, listener: (msg: LibraryUsage) => void): this;
-    on(event: Event.PROTECT, listener: (msg: RequestStore) => void): this;
-    on(event: Event.ROUTE_COVERAGE_DISCOVERY_FINISHED, listener: (routes: RouteInfo[]) => void): this;
-    on(event: Event.ROUTE_COVERAGE_OBSERVATION, listener: (route: RouteInfo) => void): this;
-    on(event: Event.SERVER_SETTINGS_UPDATE, listener: (msg: Record<string, any>) => void): this;
-    on(event: Event.UNSUPPORTED_LIBRARY, listener: (msg: LibraryMetadata) => void): this;
-    on(event: Event.UNINSTALL, listenter: (msg: any) => void): this;
-    on(event: Event, listener: (...args: any[]) => void): this;
-}
-/**
- * IntentionalError is used when code wants to cause no-instrumentation in cases
- * when no actual programmatic error has occurred. E.g., if the api is enabled
- * but not all required api settings are present.
- *
- * It is expected that the code throwing an IntentionalError logs any pertinent
- * information because the try/catch block will not output any error or message
- * when it catches an IntentionalError.
- */
-export declare class IntentionalError extends Error {
-}
-/**
- * Data that needs to be transferred to threads. Originally added for the file
- * descriptor so the main and esm thread logger instances can share the same FD.
- * Over time, other module-specific data that needs to be transferred can be added.
- * The idea is that this data will be added automatically when the esm-loader
- * thread is started (and possibly when other worker threads are started if we
- * instrument them in the future).
- */
-export interface ThreadTransferData {
-    /** File descriptor used by the logger to write to the configured log file. */
-    loggerFd: number | undefined;
-}
-//# sourceMappingURL=types.d.ts.map

package/node_modules/@contrast/sec-obs/node_modules/@contrast/common/lib/types.js

@@ -1,30 +0,0 @@
-"use strict";
-/*
- * Copyright: 2025 Contrast Security, Inc
- * Contact: support@contrastsecurity.com
- * License: Commercial
-
- * NOTICE: This Software and the patented inventions embodied within may only be
- * used as part of Contrast Security’s commercial offerings. Even though it is
- * made available through public repositories, use of this Software is subject to
- * the applicable End User Licensing Agreement found at
- * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
- * between Contrast Security and the End User. The Software may not be reverse
- * engineered, modified, repackaged, sold, redistributed or otherwise used in a
- * way not consistent with the End User License Agreement.
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.IntentionalError = void 0;
-/**
- * IntentionalError is used when code wants to cause no-instrumentation in cases
- * when no actual programmatic error has occurred. E.g., if the api is enabled
- * but not all required api settings are present.
- *
- * It is expected that the code throwing an IntentionalError logs any pertinent
- * information because the try/catch block will not output any error or message
- * when it catches an IntentionalError.
- */
-class IntentionalError extends Error {
-}
-exports.IntentionalError = IntentionalError;
-//# sourceMappingURL=types.js.map

package/node_modules/@contrast/sec-obs/node_modules/@contrast/common/package.json

@@ -1,23 +0,0 @@
-{
-  "name": "@contrast/common",
-  "version": "1.33.0",
-  "description": "Shared constants and utilities for all Contrast Agent modules",
-  "license": "UNLICENSED",
-  "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
-  "files": [
-    "lib/",
-    "!*.test.*",
-    "!tsconfig.*",
-    "!*.map"
-  ],
-  "main": "lib/index.js",
-  "types": "lib/index.d.ts",
-  "engines": {
-    "npm": ">=6.13.7 <7 || >= 8.3.1",
-    "node": ">= 16.9.1"
-  },
-  "scripts": {
-    "build": "tsc --build src/",
-    "test": "bash ../scripts/test.sh"
-  }
-}

package/node_modules/@contrast/sec-obs/node_modules/@contrast/config/LICENSE

@@ -1,12 +0,0 @@
-Copyright: 2025 Contrast Security, Inc
-Contact: support@contrastsecurity.com
-License: Commercial
-
-NOTICE: This Software and the patented inventions embodied within may only be
-used as part of Contrast Security’s commercial offerings. Even though it is
-made available through public repositories, use of this Software is subject to
-the applicable End User Licensing Agreement found at
-https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
-between Contrast Security and the End User. The Software may not be reverse
-engineered, modified, repackaged, sold, redistributed or otherwise used in a
-way not consistent with the End User License Agreement.

package/node_modules/@contrast/sec-obs/node_modules/@contrast/config/README.md

@@ -1,44 +0,0 @@
-# `@contrast/config`
-
-<br>
-
-> Note: This package needs help.
->  * Needlessly dependent on `commander`, `lodash`, and `json-stable-stringify`
->  * Can be simplified
->  * Could benefit from schema-based approach for defaults
-
-<br>
-
-## Overview
-
-This is legacy code ported from `node-agent` repo.
-
-To discover and log configuration data, try
-
-```shell
-node -e "console.log(new (require('.').Config)())"
-```
-
-## Usage
-
-An agent should use a single instance of a config. On instantiation, the config will detect both yaml file and environment variable sources and build out full config object. The object will have defaults set for values not having been set by file or env vars.
-
-```typescript
-const { AgentConfig } = require('@contrast/config');
-const config = new AgentConfig();
-
-// do stuff with config
-if (config.protect.enable) {
-
-}
-```
-
-## New V5 Options
-
- - `agent.stack_trace_filters`
-
-   This allows agent stackframes to be filtered via configuration
-   Default: `agent-,@contrast,node-agent`
-
-
-

package/node_modules/@contrast/sec-obs/node_modules/@contrast/config/lib/common.js

@@ -1,131 +0,0 @@
-/*
- * Copyright: 2025 Contrast Security, Inc
- * Contact: support@contrastsecurity.com
- * License: Commercial
-
- * NOTICE: This Software and the patented inventions embodied within may only be
- * used as part of Contrast Security’s commercial offerings. Even though it is
- * made available through public repositories, use of this Software is subject to
- * the applicable End User Licensing Agreement found at
- * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
- * between Contrast Security and the End User. The Software may not be reverse
- * engineered, modified, repackaged, sold, redistributed or otherwise used in a
- * way not consistent with the End User License Agreement.
- */
-
-'use strict';
-
-const {
-  ProtectRuleMode: {
-    OFF,
-    MONITOR,
-    BLOCK,
-    BLOCK_AT_PERIMETER
-  },
-  Rule: {
-    CMD_INJECTION,
-    CMD_INJECTION_COMMAND_BACKDOORS,
-    CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS,
-    CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS,
-    METHOD_TAMPERING,
-    NOSQL_INJECTION,
-    NOSQL_INJECTION_MONGO,
-    PATH_TRAVERSAL,
-    PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS,
-    REFLECTED_XSS,
-    SQL_INJECTION,
-    SSJS_INJECTION,
-    UNSAFE_FILE_UPLOAD,
-    UNTRUSTED_DESERIALIZATION,
-    XXE,
-  },
-  primordials: { StringPrototypeToLowerCase },
-  get,
-  isString,
-} = require('@contrast/common');
-
-function coerceLowerCase(path) {
-  return function(remoteData) {
-    const value = get(remoteData, path);
-    if (value && isString(value)) return StringPrototypeToLowerCase.call(value);
-  };
-}
-
-function protectModeReader(ruleId) {
-  return function (msg) {
-    const remoteSetting = msg?.protect?.rules?.[ruleId];
-    switch (remoteSetting?.mode) {
-      case 'OFF': return OFF;
-      case 'MONITOR':
-      case 'MONITORING': return MONITOR;
-      case 'BLOCK':
-      case 'BLOCKING': return BLOCK;
-      case 'BLOCK_AT_PERIMETER': return BLOCK_AT_PERIMETER;
-    }
-  };
-}
-
-const ConfigSource = {
-  CONTRAST_UI: 'CONTRAST_UI',
-  DEFAULT_VALUE: 'DEFAULT_VALUE',
-  ENVIRONMENT_VARIABLE: 'ENVIRONMENT_VARIABLE',
-  USER_CONFIGURATION_FILE: 'USER_CONFIGURATION_FILE',
-};
-
-// these should return `undefined` if there is no remote value corresponding to the effective config name.
-const mappings = {
-  // agent startup (v1) or application startup (ng fallback)
-  'application.session_id': (remoteData) =>
-    remoteData.identification?.session_id ?? remoteData.settings?.assessment?.session_id,
-  // application settings
-  'protect.enable': (remoteData) => remoteData.protect?.enable,
-  'protect.rules.cmd-injection.mode': protectModeReader(CMD_INJECTION),
-  'protect.rules.cmd-injection-command-backdoors.mode': protectModeReader(CMD_INJECTION_COMMAND_BACKDOORS),
-  'protect.rules.cmd-injection-semantic-chained-commands.mode': protectModeReader(CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS),
-  'protect.rules.cmd-injection-semantic-dangerous-paths.mode': protectModeReader(CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS),
-  'protect.rules.method-tampering.mode': protectModeReader(METHOD_TAMPERING),
-  'protect.rules.nosql-injection.mode': protectModeReader(NOSQL_INJECTION),
-  'protect.rules.nosql-injection-mongo.mode': protectModeReader(NOSQL_INJECTION_MONGO),
-  'protect.rules.path-traversal.mode': protectModeReader(PATH_TRAVERSAL),
-  'protect.rules.path-traversal-semantic-file-security-bypass.mode': protectModeReader(PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS),
-  'protect.rules.reflected-xss.mode': protectModeReader(REFLECTED_XSS),
-  'protect.rules.sql-injection.mode': protectModeReader(SQL_INJECTION),
-  'protect.rules.ssjs-injection.mode': protectModeReader(SSJS_INJECTION),
-  'protect.rules.unsafe-file-upload.mode': protectModeReader(UNSAFE_FILE_UPLOAD),
-  'protect.rules.untrusted-deserialization.mode': protectModeReader(UNTRUSTED_DESERIALIZATION),
-  'protect.rules.xxe.mode': protectModeReader(XXE),
-  // server features
-  'assess.enable': (remoteData) => remoteData.assess?.enable,
-  'assess.probabilistic_sampling.enable': (remoteData) => remoteData.assess?.sampling?.enable,
-  'assess.probabilistic_sampling.baseline': (remoteData) => remoteData.assess?.sampling?.baseline,
-  'assess.probabilistic_sampling.base_probability': (remoteData) => {
-    const request_frequency = remoteData.assess?.sampling?.request_frequency;
-    if (request_frequency > 0) {
-      const baseProbability = 1 / request_frequency;
-      if (!isNaN(baseProbability)) return baseProbability;
-    }
-  },
-  'assess.probabilistic_sampling.window_ms': (remoteData) => remoteData.assess?.sampling?.window_ms,
-  'assess.stacktraces': (remoteData) => remoteData.assess?.report_stacktraces,
-  'agent.logger.level': coerceLowerCase('logger.level'),
-  'agent.logger.path': (remoteData) => remoteData.logger?.path,
-  'agent.security_logger.syslog.enable': (remoteData) => remoteData.security_logger?.syslog?.enable,
-  'agent.security_logger.syslog.ip': (remoteData) => remoteData.security_logger?.syslog?.ip,
-  'agent.security_logger.syslog.port': (remoteData) => remoteData.security_logger?.syslog?.port,
-  'agent.security_logger.syslog.facility': (remoteData) => remoteData.security_logger?.syslog?.facility,
-  'agent.security_logger.syslog.severity_exploited': coerceLowerCase('security_logger.syslog.severity_exploited'),
-  'agent.security_logger.syslog.severity_blocked': coerceLowerCase('security_logger.syslog.severity_blocked'),
-  'agent.security_logger.syslog.severity_probed': coerceLowerCase('security_logger.syslog.severity_probed'),
-  'observe.enable': (remoteData) => remoteData.observe?.enable,
-  'server.environment': (remoteData) => remoteData.environment,
-
-};
-
-/*
- * Keys are canonical name and values are functions which read the equivalent value
- * from the TS response object message.
- */
-module.exports = {
-  ConfigSource,
-  mappings,
-};