@contrast/agent-bundle 5.40.0 → 5.41.0

package/node_modules/@contrast/sec-obs/node_modules/@contrast/core/lib/sensitive-data-masking/protect-listener.js

@@ -1,111 +0,0 @@
-/*
- * Copyright: 2025 Contrast Security, Inc
- * Contact: support@contrastsecurity.com
- * License: Commercial
-
- * NOTICE: This Software and the patented inventions embodied within may only be
- * used as part of Contrast Security’s commercial offerings. Even though it is
- * made available through public repositories, use of this Software is subject to
- * the applicable End User Licensing Agreement found at
- * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
- * between Contrast Security and the End User. The Software may not be reverse
- * engineered, modified, repackaged, sold, redistributed or otherwise used in a
- * way not consistent with the End User License Agreement.
- */
-
-'use strict';
-
-const { URLSearchParams } = require('url');
-const { Event, primordials: { StringPrototypeReplace } } = require('@contrast/common');
-
-const { CONTRAST_REDACTED } = require('./constants');
-
-module.exports = function (core) {
-  const {
-    messages,
-    logger,
-    sensitiveDataMasking: { policy, getRedactedText, traverseAndMask },
-  } = core;
-
-  messages.on(Event.PROTECT, (msg) => {
-    if (!msg.protect || !policy.keywordSets.length) {
-      return;
-    }
-
-    logger.trace('masking sensitive fields in %s message', Event.PROTECT);
-
-    const unmasked = policy.maskAttackVector ? new Set() : undefined;
-    if (policy.maskHttpBody) {
-      msg.protect.parsedBody = `${CONTRAST_REDACTED}-body`;
-    } else {
-      traverseAndMask(msg.protect?.parsedBody, unmasked);
-    }
-
-    traverseAndMask(msg.protect?.parsedCookies, unmasked);
-    traverseAndMask(msg.protect?.parsedQuery, unmasked);
-
-    // Do parsed URL path params and urlPath together
-    const params = msg.protect?.parsedParams;
-    if (params) {
-      for (const [key, value] of Object.entries(params)) {
-        const redactedText = getRedactedText(key);
-        if (redactedText) {
-          const encoded = encodeURIComponent(value);
-          msg.protect.reqData.uriPath = StringPrototypeReplace.call(
-            msg.protect.reqData.uriPath,
-            encoded,
-            redactedText
-          );
-          msg.protect.parsedParams[key] = redactedText;
-        }
-      }
-    }
-
-    // raw headers
-    const headers = msg.protect?.reqData.headers;
-    for (let i = 0; i <= headers.length - 2; i += 2) {
-      const key = headers[i];
-
-      const redactedText = getRedactedText(key);
-      if (redactedText) {
-        headers[i + 1] = redactedText;
-      }
-    }
-
-    // raw queries
-    if (msg.protect?.reqData?.queries) {
-      const searchParams = new URLSearchParams(msg.protect.reqData.queries);
-      for (const [key] of searchParams) {
-        const redactedText = getRedactedText(key);
-        if (redactedText) {
-          searchParams.set(key, redactedText);
-        }
-      }
-      msg.protect.reqData.queries = searchParams.toString();
-    }
-
-    if (policy.maskAttackVector) {
-      // attack values
-      const inputAnalysis = Object.entries(msg.protect?.resultsMap);
-      for (const [, results] of inputAnalysis) {
-        for (const result of results) {
-          const redactedText = getRedactedText(result.key);
-          if (result.exploitMetadata.length) {
-            result.exploitMetadata.forEach((exploit) => {
-              unmasked.forEach((val) => {
-                exploit.sinkContext.value = StringPrototypeReplace.call(
-                  exploit.sinkContext.value,
-                  val,
-                  'contrast-redacted-vector'
-                );
-              });
-            });
-          }
-          if (redactedText) {
-            result.value = redactedText;
-          }
-        }
-      }
-    }
-  });
-};

package/node_modules/@contrast/sec-obs/node_modules/@contrast/core/lib/sensitive-data-masking/server-settings-listener.js

@@ -1,44 +0,0 @@
-/*
- * Copyright: 2025 Contrast Security, Inc
- * Contact: support@contrastsecurity.com
- * License: Commercial
-
- * NOTICE: This Software and the patented inventions embodied within may only be
- * used as part of Contrast Security’s commercial offerings. Even though it is
- * made available through public repositories, use of this Software is subject to
- * the applicable End User Licensing Agreement found at
- * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
- * between Contrast Security and the End User. The Software may not be reverse
- * engineered, modified, repackaged, sold, redistributed or otherwise used in a
- * way not consistent with the End User License Agreement.
- */
-
-'use strict';
-
-const { Event } = require('@contrast/common');
-
-module.exports = function(core) {
-  const {
-    logger,
-    messages,
-    sensitiveDataMasking: { policy },
-  } = core;
-
-  messages.on(Event.SERVER_SETTINGS_UPDATE, (settingsMsg) => {
-    const dtm = settingsMsg?.sensitive_data_masking_policy;
-
-    if (!dtm) return;
-
-    logger.trace('updating sensitive data masking policy');
-
-    policy.maskHttpBody = dtm.mask_http_body;
-    policy.maskAttackVector = dtm.mask_attack_vector;
-    policy.keywordSets.length = 0;
-    policy.idMap.clear();
-    dtm.rules.forEach(({ id, keywords }) => {
-      const kwSet = new Set(keywords);
-      policy.keywordSets.push(kwSet);
-      policy.idMap.set(kwSet, id);
-    });
-  });
-};

package/node_modules/@contrast/sec-obs/node_modules/@contrast/core/lib/system-info/cloud-provider-metadata.js

@@ -1,146 +0,0 @@
-/*
- * Copyright: 2025 Contrast Security, Inc
- * Contact: support@contrastsecurity.com
- * License: Commercial
-
- * NOTICE: This Software and the patented inventions embodied within may only be
- * used as part of Contrast Security’s commercial offerings. Even though it is
- * made available through public repositories, use of this Software is subject to
- * the applicable End User Licensing Agreement found at
- * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
- * between Contrast Security and the End User. The Software may not be reverse
- * engineered, modified, repackaged, sold, redistributed or otherwise used in a
- * way not consistent with the End User License Agreement.
- */
-// @ts-check
-'use strict';
-
-const { default: axios } = require('axios');
-const METADATA_ENDPOINT_ADDRESS = 'http://169.254.169.254';
-
-/** @param {number} ms */
-const abort = (ms) => {
-  const abortController = new AbortController();
-  setTimeout(() => abortController.abort(), ms);
-  return abortController.signal;
-};
-
-/** @param {number} ms */
-const delay = (ms) => new Promise(resolve => setTimeout(resolve, ms));
-
-const FETCHERS = {
-  /** @see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html */
-  async AWS() {
-    try {
-      const { data: token } = await axios({
-        method: 'PUT',
-        url: new URL('/latest/api/token', METADATA_ENDPOINT_ADDRESS).href,
-        headers: {
-          'X-aws-ec2-metadata-token-ttl-seconds': '300'
-        },
-        proxy: false, // proxies should not be used in any cloud provider.
-        signal: abort(5000),
-      });
-      const { data: document } = await axios({
-        method: 'GET',
-        url: new URL('/latest/dynamic/instance-identity/document', METADATA_ENDPOINT_ADDRESS).href,
-        headers: {
-          'X-aws-ec2-metadata-token': token
-        },
-        proxy: false,
-        signal: abort(5000),
-      });
-
-      if (document) {
-        const { region, accountId, instanceId } = document;
-        return {
-          provider: 'aws',
-          id: `arn:aws:ec2:${region}:${accountId}:instance/${instanceId}`,
-        };
-      }
-    } catch {
-      // ignore, return null
-    }
-
-    return null;
-  },
-  /** @see https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=linux */
-  async Azure() {
-    try {
-      const { data: resourceId } = await axios({
-        method: 'GET',
-        url: new URL('/metadata/instance/compute/resourceId?api-version=2021-02-01&format=text', METADATA_ENDPOINT_ADDRESS).href,
-        headers: {
-          Metadata: 'true'
-        },
-        proxy: false,
-        signal: abort(5000),
-      });
-
-      if (resourceId) {
-        return {
-          provider: 'azure',
-          id: resourceId,
-        };
-      }
-    } catch {
-      // ignore, return null
-    }
-
-    return null;
-  },
-  /** @see https://cloud.google.com/compute/docs/metadata/querying-metadata */
-  async GCP() {
-    try {
-      const { data: id } = await axios({
-        method: 'GET',
-        url: new URL('/computeMetadata/v1/instance/id?alt=text', METADATA_ENDPOINT_ADDRESS).href,
-        headers: {
-          'Metadata-Flavor': 'Google'
-        },
-        // id is a numerical value too big to handle as a js `number`, so we
-        // need to make sure we don't try to parse the response value.
-        transformResponse: (res) => res,
-        proxy: false,
-        signal: abort(5000)
-      });
-
-      if (id) {
-        return { provider: 'gcp', id };
-      }
-    } catch (err) {
-      // retry after 1 second on 503
-      if (err?.response?.status === 503) {
-        await delay(1000);
-        return this.GCP();
-      }
-      // otherwise ignore, return null
-    }
-
-    return null;
-  }
-};
-
-module.exports = {
-  /**
-   * If passed a `provider`, set by the `inventory.gather_metadata_via` config
-   * option, we will only try to retrieve metadata from that cloud provider. If
-   * no provider is passed, we will attempt all endpoints in parallel, returning
-   * the first result or `null` if none resolve within 5 seconds.
-   *
-   * @param {import('@contrast/config').Config['inventory']['gather_metadata_via']} provider
-   * @returns {Promise<{ provider: string, id: string } | null>}
-   */
-  async getCloudProviderMetadata(provider) {
-    if (provider && FETCHERS[provider]) return FETCHERS[provider]();
-
-    const results = await Promise.allSettled(Object.values(FETCHERS).map(fn => fn()));
-    for (const result of results) {
-      if (result.status === 'fulfilled' && result.value !== null) {
-        return result.value;
-      }
-    }
-
-    return null;
-  }
-};

package/node_modules/@contrast/sec-obs/node_modules/@contrast/core/lib/system-info/index.js

@@ -1,225 +0,0 @@
-/*
- * Copyright: 2025 Contrast Security, Inc
- * Contact: support@contrastsecurity.com
- * License: Commercial
-
- * NOTICE: This Software and the patented inventions embodied within may only be
- * used as part of Contrast Security’s commercial offerings. Even though it is
- * made available through public repositories, use of this Software is subject to
- * the applicable End User Licensing Agreement found at
- * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
- * between Contrast Security and the End User. The Software may not be reverse
- * engineered, modified, repackaged, sold, redistributed or otherwise used in a
- * way not consistent with the End User License Agreement.
- */
-// @ts-check
-'use strict';
-
-const fs = require('fs/promises');
-const os = require('os');
-const v8 = require('v8');
-const {
-  primordials: { StringPrototypeMatch, StringPrototypeTrim },
-} = require('@contrast/common');
-const { getCloudProviderMetadata } = require('./cloud-provider-metadata');
-const getLinuxOsInfo = require('./linux-os-info');
-const { humanReadableBytes } = require('./utils');
-
-const MOUNTINFO_REGEX = /\/docker\/containers\/(.*?)\//;
-const CGROUP_REGEX = /:\/docker\/([^/]+)$/;
-const MAX_CGROUP_MEMORY_LIMIT = 2 ** 63 - 1; // Common "unlimited" value for cgroup limits
-
-/**
- * Asynchronously determines if the current environment is running inside a
- * Docker container.
- *
- * The function checks for Docker-specific indicators in the following order:
- * 1. Parses `/proc/self/mountinfo` for Docker mount information.
- * 2. Parses `/proc/self/cgroup` for Docker cgroup information.
- * 3. Checks for the existence of the `/.dockerenv` file.
- *
- * @returns {Promise<{ isDocker: boolean, containerId: string|null }>}
- *  An object indicating whether the environment is Docker and the container ID
- *  if available.
- */
-async function getDockerInfo() {
-  try {
-    const result = await fs.readFile('/proc/self/mountinfo', 'utf8');
-    const matches = StringPrototypeMatch.call(result, MOUNTINFO_REGEX);
-    if (matches) return { isDocker: true, containerId: matches[1] };
-  } catch (err) {
-    // else check /proc/self/cgroup
-  }
-
-  try {
-    const result = await fs.readFile('/proc/self/cgroup', 'utf8');
-    const matches = StringPrototypeMatch.call(result, CGROUP_REGEX);
-    if (matches) return { isDocker: true, containerId: matches[1] };
-  } catch (err) {
-    // else check /.dockerenv
-  }
-
-  try {
-    const result = await fs.stat('/.dockerenv');
-    if (result) return { isDocker: true, containerId: null };
-  } catch (err) {
-    // if there's not such file we can conclude it's not docker env
-  }
-
-  return { isDocker: false, containerId: null };
-}
-
-/**
- * Retrieves information about whether the current environment is running inside
- * Kubernetes.
- *
- * @returns {{ isKubernetes: boolean }} An object indicating if the environment
- *  is Kubernetes.
- */
-function getKubernetesInfo() {
-  return { isKubernetes: !!process.env.KUBERNETES_SERVICE_HOST };
-}
-
-/**
- * Determines if the application is using PM2 and retrieves the PM2 version from
- * the package dependencies.
- *
- * @param {Object} pkg - The package.json object.
- * @param {Object} [pkg.dependencies] - The dependencies listed in package.json.
- * @returns {{ used: boolean, version: string|null }} An object indicating if PM2
- *  used and its version (if available).
- */
-function isUsingPM2(pkg) {
-  const result = { used: !!process.env.pmx, version: null };
-
-  if (pkg?.dependencies?.['pm2']) {
-    result.version = pkg.dependencies['pm2'];
-  }
-
-  return result;
-}
-
-/**
- * Asynchronously retrieves the Docker container's memory limit in bytes, if
- * running inside a cgroup-limited environment.
- *
- * Reads the memory limit from the cgroup file system. If the limit is less than
- * the maximum allowed by cgroups, it returns the value in bytes. If no
- * limit is detected or an error occurs, returns `undefined`.
- *
- * @returns {Promise<number|undefined>} The memory limit in bytes or `undefined`
- *  if the limit is not determined.
- */
-async function getDockerMemoryLimit() {
-  let limitInBytes = NaN;
-
-  // cgroup v2
-  try {
-    const result = await fs.readFile('/sys/fs/cgroup/memory.max', 'utf8');
-    limitInBytes = parseInt(StringPrototypeTrim.call(result), 10);
-  } catch {
-    // try v1...
-  }
-
-  // cgroup v1
-  try {
-    const result = await fs.readFile('/sys/fs/cgroup/memory/memory.limit_in_bytes', 'utf8');
-    limitInBytes = parseInt(StringPrototypeTrim.call(result), 10);
-  } catch {
-    // no cgroup detected...
-  }
-
-  if (!isNaN(limitInBytes) && limitInBytes < MAX_CGROUP_MEMORY_LIMIT) {
-    return limitInBytes;
-  }
-}
-
-/**
- * @param {import('..').Core & {
- *  _systemInfo: import('@contrast/common').SystemInfo | undefined;
- *  config: import('@contrast/config').Config;
- * }} core
- */
-module.exports = function (core) {
-  const { agentName, agentVersion, config, appInfo } = core;
-
-  // have values default to null so all required keys get serialized
-  core.getSystemInfo = async function getSystemInfo() {
-    // memoize for subsequent lookups
-    if (core._systemInfo) return core._systemInfo;
-
-    const cpus = os.cpus();
-    const heapStats = v8.getHeapStatistics();
-    const dockerMemoryLimit = await getDockerMemoryLimit();
-
-    const osMemoryInfo = {
-      total: humanReadableBytes(os.totalmem()),
-    };
-    const linuxOsInfo = await getLinuxOsInfo();
-
-    /** @type {import('@contrast/common').SystemInfo} */
-    const systemInfo = {
-      reportDate: new Date().toISOString(),
-      hostname: os.hostname(),
-      contrast: {
-        url: config.api.url ?? null,
-        proxy: {
-          enable: !!config.api.proxy.enable,
-          url: config.api.proxy.url ?? null,
-        },
-        server: {
-          name: config.server.name,
-        },
-        agent: {
-          name: agentName,
-          version: agentVersion,
-        },
-      },
-      node: {
-        path: process.execPath,
-        version: process.version,
-        memory: {
-          total: humanReadableBytes(heapStats.heap_size_limit),
-          used: humanReadableBytes(heapStats.used_heap_size),
-          free: humanReadableBytes(heapStats.heap_size_limit - heapStats.used_heap_size),
-        },
-      },
-      os: {
-        architecture: os.arch(),
-        name: os.type(),
-        version: os.release(),
-        kernelVersion: os.version(),
-        cpu: {
-          type: cpus[0].model,
-          count: cpus.length,
-        },
-        memory: osMemoryInfo,
-        id: linuxOsInfo?.file ? linuxOsInfo.id : undefined,
-        versionId: linuxOsInfo?.file ? linuxOsInfo.version_id : undefined,
-      },
-      host: {
-        docker: await getDockerInfo(),
-        kubernetes: getKubernetesInfo(),
-        pm2: isUsingPM2(appInfo.pkg),
-        memory: {
-          total: dockerMemoryLimit ? humanReadableBytes(dockerMemoryLimit) : osMemoryInfo.total,
-        },
-      },
-      application: appInfo.pkg,
-      cloud: {
-        provider: null,
-        resourceId: null,
-      },
-    };
-
-    if (config.server.discover_cloud_resource) {
-      const metadata = await getCloudProviderMetadata(config.inventory.gather_metadata_via);
-      if (metadata) {
-        systemInfo.cloud.provider = metadata.provider;
-        systemInfo.cloud.resourceId = metadata.id;
-      }
-    }
-
-    return (core._systemInfo = systemInfo);
-  };
-};

package/node_modules/@contrast/sec-obs/node_modules/@contrast/core/lib/system-info/linux-os-info.js

@@ -1,137 +0,0 @@
-/* eslint-disable header/header */
-/**
- * MIT License
- *
- * Copyright (c) 2018 Samuel Carreira
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * This code is modified from https://github.com/bmacnaughton/linux-os-info, a
- * fork of https://github.com/samuelcarreira/linux-release-info.
- */
-
-/*
- * Copyright: 2025 Contrast Security, Inc
- * Contact: support@contrastsecurity.com
- * License: Commercial
-
- * NOTICE: This Software and the patented inventions embodied within may only be
- * used as part of Contrast Security’s commercial offerings. Even though it is
- * made available through public repositories, use of this Software is subject to
- * the applicable End User Licensing Agreement found at
- * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
- * between Contrast Security and the End User. The Software may not be reverse
- * engineered, modified, repackaged, sold, redistributed or otherwise used in a
- * way not consistent with the End User License Agreement.
- */
-'use strict';
-
-const fsp = require('node:fs/promises');
-const os = require('node:os');
-
-//
-// the key pieces of information from os-release are:
-// - id: 'ubuntu' or 'alpine' or 'arch' etc.
-// - version_id: ubuntu '22.04', alpine '3.20.3', arch '20241110.0.278197'
-// - version: ubuntu '24.04.1 LTS (Noble Numbat)', alpine undefined, arch undefined
-// NOTE: only ubuntu omits the patch field of the version in version ID. ubuntu
-// includes a version field that has that information, but that's not present in
-// most other distributions.
-// the alpine-release file only contains the version string
-// so fill in the basics based on that.
-function addEtcAlpineReleaseToOutputData(data, outputData) {
-  if (data[data.length - 1] === '\n') {
-    data = data.slice(0, -1);
-  }
-  outputData.name = 'Alpine';
-  outputData.id = 'alpine';
-  outputData.version = data;
-  outputData.version_id = data;
-}
-
-const defaultList = [
-  { path: '/etc/os-release', parser: addOsReleaseToOutputData },
-  { path: '/usr/lib/os-release', parser: addOsReleaseToOutputData },
-  { path: '/etc/alpine-release', parser: addEtcAlpineReleaseToOutputData }
-];
-
-/**
- * Get OS release info with information from '/etc/os-release', '/usr/lib/os-release',
- * or '/etc/alpine-release'. The information in that file is distribution-dependent.
- *
- * @returns {Promise<{
- *  file?: string;
- *  [key: string]: string;
- * }>} - where object is null if not Linux, or an object with
- * the a file property and the key-value pairs from the file. Any quotes around the
- * values are removed.
- *
- * the file property in the info object will be filled in with one of:
- *   - the file path (above) used
- *   - undefined if no file was found/could be read
- */
-async function linuxOsInfo(opts = {}) {
-  // allow searching for other files and parsers.
-  const list = Array.isArray(opts.list) ? opts.list : defaultList;
-
-  if (os.type() !== 'Linux') {
-    return null;
-  }
-
-  let i = 0;
-  while (i < list.length) {
-    try {
-      const file = list[i].path;
-      const data = await fsp.readFile(file, 'utf8');
-      const outputData = { file };
-      list[i].parser(data, outputData);
-
-      return outputData;
-
-    } catch (e) {
-      i += 1;
-      continue;
-    }
-  }
-
-  // no file could be found and read
-  return { file: undefined };
-}
-
-
-function addOsReleaseToOutputData(data, outputData) {
-  const lines = data.split('\n');
-
-  for (let i = 0; i < lines.length; i++) {
-    const line = lines[i];
-    const index = line.indexOf('=');
-    // only look at lines with a key of length 1 or greater
-    if (index < 1) {
-      continue;
-    }
-
-    // lowercase key. all the keys i've seen have been UPPERCASE but it's safer
-    // to normalize them.
-    const key = line.slice(0, index).toLowerCase();
-    // remove quotes around value. this handles a quoted value with embedded
-    // quotes even though i've never seen that in the wild.
-    let value = line.slice(index + 1).trim();
-    if (value[0] === '"' && value[value.length - 1] === '"') {
-      value = value.slice(1, -1);
-      value = value.replace(/\\"/g, '"');
-    }
-
-    outputData[key] = value;
-  }
-}
-
-module.exports = linuxOsInfo;
-

package/node_modules/@contrast/sec-obs/node_modules/@contrast/core/lib/system-info/utils.js

@@ -1,35 +0,0 @@
-/*
- * Copyright: 2025 Contrast Security, Inc
- * Contact: support@contrastsecurity.com
- * License: Commercial
-
- * NOTICE: This Software and the patented inventions embodied within may only be
- * used as part of Contrast Security’s commercial offerings. Even though it is
- * made available through public repositories, use of this Software is subject to
- * the applicable End User Licensing Agreement found at
- * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
- * between Contrast Security and the End User. The Software may not be reverse
- * engineered, modified, repackaged, sold, redistributed or otherwise used in a
- * way not consistent with the End User License Agreement.
- */
-// @ts-check
-'use strict';
-
-const { primordials: { StringPrototypeConcat } } = require('@contrast/common');
-const DEPTH_TO_PREFIX = ['', 'k', 'M', 'G', 'T']; // I don't think we're going past terabytes of memory...
-
-/**
- * Converts a byte value into a human-readable string with appropriate units (kB, MB, GB, TB).
- *
- * @param {number} bytes - The number of bytes to convert.
- * @param {number} [depth=0] - The current depth of conversion, used internally for recursion.
- * @returns {string} The human-readable string representation of the byte value.
- */
-module.exports.humanReadableBytes = function humanReadableBytes(bytes, depth = 0) {
-  if (bytes >= 1024 && depth < 4) {
-    return humanReadableBytes(bytes / 1024, depth + 1);
-  }
-
-  return StringPrototypeConcat.call(bytes.toFixed(depth > 0 ? 2 : 0), ' ', DEPTH_TO_PREFIX[depth], 'B');
-};
-