@contrast/agent-bundle 5.40.0 → 5.41.0

package/node_modules/@contrast/sources/lib/index.js

@@ -0,0 +1,109 @@
+/*
+ * Copyright: 2025 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { EventEmitter } = require('events');
+const onFinished = require('on-finished');
+const { set, Event } = require('@contrast/common');
+const { Core } = require('@contrast/core/lib/ioc/core');
+const NormalizedUriMapper = require('./normalized-uri-mapper');
+const { HttpSourceInfo } = require('./source-info');
+
+const componentName = 'sources';
+
+module.exports = Core.makeComponent({
+  name: componentName,
+  factory: (core) => new Sources(core),
+});
+
+class Sources {
+  constructor(core) {
+    // decorate
+    set(core, componentName, this);
+
+    this.core = core;
+    this._hooks = new EventEmitter();
+    this._normalizedUriMapper = new NormalizedUriMapper(core);
+  }
+
+  addHook(name, handler) {
+    // only this one hook atm
+    if (name === 'onSource') this._hooks.on(name, handler);
+  }
+
+  aroundHook(serverType) {
+    const { _hooks, _normalizedUriMapper, core } = this;
+
+    return function (next, data) {
+      const { args: [event, req, res] } = data;
+
+      if (event !== 'request') {
+        if (event === 'listening') {
+          // take a snapshot of Perf.all at this point. this will get logged
+          // at some point on the perf interval timer.
+          core.Perf.mark('listening');
+          core.messages.emit(Event.SERVER_LISTENING, { type: serverType, server: data.obj });
+        }
+        return next();
+      }
+
+      core.Perf.requestCount += 1;
+
+      const sourceInfo = new HttpSourceInfo({
+        serverType,
+        raw: req,
+        normalizedUriMapper: _normalizedUriMapper,
+      });
+      const store = { sourceInfo };
+
+      onFinished(res, (/* err, req */) => {
+        core.messages.emit(Event.RESPONSE_FINISH, store);
+      });
+
+      return core.scopes.sources.run(store, () => {
+        if (_hooks._events.onSource) {
+          _hooks.emit('onSource', {
+            // future: non-http sources will have their own type
+            sourceType: 'HTTP',
+            store,
+            incomingMessage: req,
+            serverResponse: res,
+          });
+        }
+
+        return next();
+      });
+    };
+  }
+
+  install() {
+    const { instrumentation, sources } = this.core;
+
+    ['http', 'https', 'spdy', 'http2'].forEach((moduleName) => {
+      instrumentation.instrument({
+        moduleName,
+        patchObjects: [{
+          name: 'Server.prototype',
+          methods: ['emit'],
+          patchType: 'sources',
+          around: sources.aroundHook(moduleName)
+        }]
+      });
+    });
+  }
+}
+
+module.exports.HttpSourceInfo = HttpSourceInfo;

package/node_modules/@contrast/sources/lib/index.test.js

@@ -0,0 +1,120 @@
+'use strict';
+
+const EventEmitter = require('events');
+const { expect } = require('chai');
+const sinon = require('sinon');
+const { initProtectFixture } = require('@contrast/test/fixtures');
+const mocks = require('@contrast/test/mocks');
+const proxyquire = require('proxyquire');
+
+describe('agentify sources', function () {
+  [
+    {
+      name: 'http',
+      expected: {
+        port: 8080,
+        protocol: 'http',
+        serverType: 'http',
+      },
+    },
+    {
+      name: 'https',
+      expected: {
+        port: 8080,
+        protocol: 'https',
+        serverType: 'https',
+      },
+    },
+    {
+      name: 'spdy',
+      expected: {
+        port: 8080,
+        protocol: 'https',
+        serverType: 'spdy',
+      },
+    },
+    {
+      name: 'http2',
+      method: 'createServer',
+      expected: {
+        port: 8080,
+        protocol: 'https',
+        serverType: 'spdy',
+      },
+    },
+    {
+      name: 'http2',
+      method: 'createSecureServer',
+      expected: {
+        port: 8080,
+        protocol: 'https',
+        serverType: 'spdy',
+      },
+    }
+  ].forEach(({ name, method, expected }) => {
+    describe(`${name} sources using ${method || 'Server'}()`, function () {
+      let core, api, ServerMock, reqMock, resMock, onFinishedMock;
+
+      beforeEach(function () {
+        ({ core } = initProtectFixture());
+        ServerMock = function ServerMock() {
+          this.e = new EventEmitter();
+        };
+        ServerMock.prototype.emit = function (...args) {
+          this.e.emit(...args);
+        };
+        ServerMock.prototype.on = function (...args) {
+          this.e.on(...args);
+        };
+        api = {
+          Server: ServerMock,
+          createServer() {
+            return new ServerMock();
+          },
+          createSecureServer() {
+            return new ServerMock();
+          }
+        };
+        reqMock = mocks.incomingMessage();
+        // resMock = new EventEmitter();
+        onFinishedMock = sinon.stub();
+
+        core.depHooks.resolve.withArgs(sinon.match({ name: 'http' })).yields(api);
+        proxyquire('.', {
+          'on-finished': onFinishedMock,
+        })(core).install();
+      });
+
+      it('"request" events run in scope with correct sourceInfo', function () {
+        const server = method ? api[method]() : new ServerMock();
+        let store;
+
+        server.on('request', function () {
+          store = core.scopes.sources.getStore();
+        });
+
+        server.emit('request', reqMock, resMock);
+
+        expect(store.sourceInfo).to.deep.include({
+          port: 8080,
+          protocol: 'http',
+          serverType: 'http',
+        });
+
+        expect(onFinishedMock).to.have.been.calledWith(resMock);
+      });
+
+      it('non-"request" events do not run in scope', function () {
+        const server = method ? api[method]() : new ServerMock();
+        let store;
+
+        server.on('foo', function () {
+          store = core.scopes.sources.getStore();
+        });
+
+        server.emit('foo', reqMock, resMock);
+        expect(store).to.be.undefined;
+      });
+    });
+  });
+});

package/node_modules/@contrast/{route-coverage/lib/normalized-url-mapper.js → sources/lib/normalized-uri-mapper.js}

@@ -15,13 +15,14 @@
 'use strict';
 
 const {
+  Event,
   get,
   set,
   primordials: { StringPrototypeSubstr, StringPrototypeSplit }
 } = require('@contrast/common');
 
-class NormalizedUrlMapper {
-  constructor() {
+class NormalizedUriMapper {
+  constructor(core) {
     this._db = {
       // index by static routes e.g.
       // '/' => {}
@@ -39,6 +40,12 @@ class NormalizedUrlMapper {
     };
     this._defaultDynamicRe = /\(|\?|\||\[|\*|\+|\{/;
     this._hapiDynamicRe = /\(|\?|\||\[|\*|\+/;
+
+    core.messages.on(Event.ROUTE_COVERAGE_DISCOVERY_FINISHED, (routes) => {
+      for (const routeInfo of routes) {
+        this.handleDiscover(routeInfo);
+      }
+    });
   }
 
   _getPathSegments(uriPath) {
@@ -171,4 +178,4 @@ class NormalizedUrlMapper {
   }
 }
 
-module.exports = NormalizedUrlMapper;
+module.exports = NormalizedUriMapper;

package/node_modules/@contrast/sources/lib/normalized-uri-mapper.test.js

@@ -0,0 +1,59 @@
+'use strict';
+
+const EventEmitter = require('node:events');
+const { expect } = require('chai');
+const { Event } = require('@contrast/common');
+const frameworkRoutingData = require('@contrast/test/data/framework-routing-data');
+const NormalizedUrlMapper = require('./normalized-uri-mapper');
+
+describe('route-coverage NormalizedUrlMapper', function() {
+  const testData = Object.values(frameworkRoutingData()).flatMap((a) => a);
+  let mapper;
+  let messages;
+
+  this.beforeEach(function() {
+    messages = new EventEmitter();
+    mapper = new NormalizedUrlMapper({
+      messages,
+    });
+  });
+
+  describe('.map', function() {
+    it('returns null if no discovery events were handled', function() {
+      [
+        '/user/1',
+        '/user/2',
+        '/user/3',
+        '/user/4',
+        '/user/1/cart',
+        '/user/2/cart',
+        '/user/3/cart',
+        '/user/4/cart',
+        '/products/all',
+        '/products/all',
+        '/products/1',
+        '/products/2',
+        '/products/3',
+        '/products/4',
+      ].forEach((uriPath) => {
+        expect(mapper.map(uriPath)).to.be.null;
+      });
+    });
+
+    it('returns normalizedUrl mapped from generic uriPath', function() {
+      messages.emit(Event.ROUTE_COVERAGE_DISCOVERY_FINISHED, testData.map((d) => d.routeInfo));
+      testData.forEach((td) => {
+        const { routeInfo, paths, hasMapping } = td;
+
+        for (const uriPath of paths) {
+          // todo - dynamic and regex paths
+          if (hasMapping === false) {
+            expect(mapper.map(uriPath)).to.be.null;
+          } else {
+            expect(mapper.map(uriPath)).to.equal(routeInfo.normalizedUrl);
+          }
+        }
+      });
+    });
+  });
+});

package/node_modules/@contrast/{sec-obs/node_modules/@contrast/core/lib/sensitive-data-masking/constants.js → sources/lib/req-data.js}

@@ -12,9 +12,3 @@
  * engineered, modified, repackaged, sold, redistributed or otherwise used in a
  * way not consistent with the End User License Agreement.
  */
-
-'use strict';
-
-module.exports = {
-  CONTRAST_REDACTED: 'contrast-redacted',
-};

package/node_modules/@contrast/sources/lib/source-info.js

@@ -0,0 +1,183 @@
+/*
+ * Copyright: 2025 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const {
+  primordials: {
+    RegExpPrototypeExec,
+    StringPrototypeReplace,
+    StringPrototypeSlice,
+    StringPrototypeSplit,
+    StringPrototypeToLowerCase,
+  }
+} = require('@contrast/common');
+
+const NormalizationPatterns = {
+  UUID: [/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i, '{uuid}'],
+  NUMERICAL: [/^\d+$/i, '{n}'],
+  HASH: [/([a-fA-F0-9]{2}){16,}/, '{hash}'],
+  // we can extend these as needed
+};
+
+class HttpSourceInfo {
+  /**
+   * @param {object} param
+   * @param {string} param.serverType
+   * @param {any} param.normalizedUriMapper
+   * @param {IncomingMessage} param.raw
+   */
+  constructor({
+    serverType,
+    normalizedUriMapper,
+    raw,
+  }) {
+    this._headerLookupCache = {};
+    this._normalizedUri = null;
+    this._normalizedUriMasked = null;
+    this._normalizedUriSegments = [];
+    this._normalizedUriMapper = normalizedUriMapper;
+    //
+    this.httpVersion = raw.httpVersion;
+    this.ip = raw.socket.remoteAddress ? StringPrototypeReplace.call(raw.socket.remoteAddress, /::ffff:/, '') : undefined;
+    this.port = raw.socket.address?.()?.port || 0;
+    this.protocol = serverType == 'http' ? 'http' : 'https'; // todo
+    this.serverType = serverType;
+    this.time = Date.now();
+    this.method = StringPrototypeToLowerCase.call(raw.method);
+    this.rawHeaders = [];
+
+    for (let i = 0; i < raw.rawHeaders.length; i += 2) {
+      const iNext = i + 1;
+      const headerName = StringPrototypeToLowerCase.call(raw.rawHeaders[i]);
+
+      headerName == 'content-type' && (this.contentType = raw.rawHeaders[iNext]);
+
+      this.rawHeaders[i] = headerName;
+      this.rawHeaders[iNext] = headerName == 'content-type' ?
+        StringPrototypeToLowerCase.call(raw.rawHeaders[iNext]) :
+        raw.rawHeaders[iNext];
+
+      if (
+        headerName == 'upgrade' &&
+        StringPrototypeToLowerCase.call(this.rawHeaders[iNext]) == 'websocket'
+      ) {
+        this.protocol = 'ws';
+      }
+    }
+
+    const idx = raw.url.indexOf('?');
+    if (idx >= 0) {
+      this.uriPath = StringPrototypeSlice.call(raw.url, 0, idx);
+      this.queries = StringPrototypeSlice.call(raw.url, idx + 1);
+    } else {
+      this.uriPath = raw.url;
+      this.queries = '';
+    }
+  }
+
+  /**
+   * Looks through rawHeaders to find it. Caches results to avoid subsequent lookups.
+   * @param {string} name needs to be lowercase
+   * @returns {string}
+   */
+  getHeader(name) {
+    if (name in this._headerLookupCache) return this._headerLookupCache[name];
+
+    for (let i = 0; i < this.rawHeaders.length; i += 2) {
+      if (name == this.rawHeaders[i]) {
+        return (this._headerLookupCache[name] = this.rawHeaders[i + 1]);
+      }
+    }
+
+    return null;
+  }
+
+  /**
+   * The normalizedUri is a computed field
+   */
+  get normalizedUri() {
+    const r = Reflect.get(this, '_normalizedUri');
+    if (!r) this.generateNormalizedUri();
+    return Reflect.get(this, '_normalizedUri');
+  }
+
+  set normalizedUri(value) {
+    Reflect.set(this, '_normalizedUri', value);
+  }
+
+  generateNormalizedUri() {
+    let normalizedUri;
+
+    // leverage route discovery data to try to find route template
+    normalizedUri = this._normalizedUriMapper?.map?.(this.uriPath);
+
+    if (normalizedUri) {
+      // if we can map to the template we can use it for masked value too
+      this._normalizedUri = normalizedUri;
+      this._normalizedUriMasked = normalizedUri;
+    } else {
+      // if we can't find the template then test against common
+      // regular expressions to normalize/mask each segment per spec
+      const arr = StringPrototypeSplit.call(this.uriPath, '/');
+      let maskedUri = '';
+
+      normalizedUri = '';
+
+      for (let idx = 1; idx < arr.length; idx++) {
+        let normalSeg = arr[idx];
+        let maskedSeg = normalSeg;
+
+        let isPattern;
+
+        for (const [rx, substitution] of Object.values(NormalizationPatterns)) {
+          isPattern = !!RegExpPrototypeExec.call(rx, normalSeg);
+          if (isPattern) {
+            normalSeg = maskedSeg = substitution;
+            break;
+          }
+        }
+
+        if (!isPattern) {
+          if (idx > 1) {
+            maskedSeg = `${StringPrototypeSlice.call(normalSeg, 0, 2)}xxxx`;
+          } else {
+            // no masking/normalizing for first seg (called "context" in spec)
+            maskedSeg = arr[idx];
+          }
+        }
+
+        maskedUri += `/${maskedSeg}`;
+        normalizedUri += `/${normalSeg}`;
+      }
+
+      this._normalizedUri = normalizedUri;
+      this._normalizedUriMasked = maskedUri;
+    }
+  }
+
+  get normalizedUriMasked() {
+    const r = Reflect.get(this, '_normalizedUriMasked');
+    if (!r) this.generateNormalizedUri();
+    return Reflect.get(this, '_normalizedUriMasked');
+  }
+
+  set normalizedUriMasked(value) {
+    Reflect.set(this, '_normalizedUriMasked', value);
+  }
+}
+
+module.exports.HttpSourceInfo = HttpSourceInfo;
+module.exports.NORMALIZE_PATTERNS = NormalizationPatterns;

package/node_modules/@contrast/sources/lib/source-info.test.js

@@ -0,0 +1,68 @@
+'use strict';
+
+const { expect } = require('chai');
+const mocks = require('@contrast/test/mocks');
+
+const { HttpSourceInfo } = require('./source-info');
+
+describe('sources SourceInfo', function () {
+  [
+    {
+      uriPath: '/index',
+      expectedNormalized: '/index',
+      expectedNormalizedMasked: '/index',
+    },
+    {
+      uriPath: '/orders/abc-123',
+      expectedNormalized: '/orders/abc-123',
+      expectedNormalizedMasked: '/orders/abxxxx',
+    },
+    {
+      uriPath: '/orders/abc-123/item/123',
+      expectedNormalized: '/orders/abc-123/item/{n}',
+      expectedNormalizedMasked: '/orders/abxxxx/itxxxx/{n}',
+    },
+    {
+      uriPath: '/orders/1234',
+      expectedNormalized: '/orders/{n}',
+      expectedNormalizedMasked: '/orders/{n}',
+    },
+    {
+      uriPath: '/orders/93a0862a-09be-4292-bc6a-50d38dded69c',
+      expectedNormalized: '/orders/{uuid}',
+      expectedNormalizedMasked: '/orders/{uuid}',
+    },
+    {
+      uriPath: '/orders/0f1e2d3c4b5a6f7e8d9c0b1a2f3e4d5c',
+      expectedNormalized: '/orders/{hash}',
+      expectedNormalizedMasked: '/orders/{hash}',
+    },
+  ].forEach(({
+    uriPath,
+    expectedNormalized,
+    expectedNormalizedMasked,
+  }) => {
+    it(`normalizedUri and normalizedUriMasked are built correctly: ${uriPath}`, function () {
+      const req = mocks.incomingMessage();
+      req.url = `${uriPath}?${req.queries}`;
+
+      const info = new HttpSourceInfo({
+        serverType: 'http',
+        raw: req
+      });
+      expect(info.normalizedUri).to.equal(expectedNormalized);
+      expect(info.normalizedUriMasked).to.equal(expectedNormalizedMasked);
+    });
+  });
+
+  it('trims IPv6 prefixes from mapped IPv4 addresses', function () {
+    const req = mocks.incomingMessage();
+    req.socket.remoteAddress = '::ffff:127.0.0.1';
+
+    const info = new HttpSourceInfo({
+      serverType: 'http',
+      raw: req
+    });
+    expect(info.ip).to.equal('127.0.0.1');
+  });
+});

package/node_modules/@contrast/sources/package.json

@@ -0,0 +1,16 @@
+{
+  "name": "@contrast/sources",
+  "version": "1.1.0",
+  "description": "Instruments to have incoming messages run in async-local request scope.",
+  "main": "lib/index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "@contrast/common": "1.35.0",
+    "@contrast/core": "1.55.0",
+    "on-finished": "^2.4.1"
+  }
+}

package/node_modules/@contrast/telemetry/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/telemetry",
-  "version": "1.29.2",
+  "version": "1.30.0",
   "description": "Telemetry reporting for the Contrast Node.js agent.",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -19,11 +19,11 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.34.2",
-    "@contrast/config": "1.49.2",
-    "@contrast/core": "1.54.2",
-    "@contrast/logger": "1.27.2",
-    "axios": "^1.7.4",
+    "@contrast/common": "1.35.0",
+    "@contrast/config": "1.50.0",
+    "@contrast/core": "1.55.0",
+    "@contrast/logger": "1.28.0",
+    "axios": "^1.11.0",
     "getmac": "^6.3.0"
   }
 }