npm - @contrast/agent-bundle - Versions diffs - 5.40.0 → 5.42.0 - Mend

@contrast/agent-bundle 5.40.0 → 5.42.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (290) hide show

package/node_modules/@contrast/library-analysis/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/library-analysis",
-  "version": "1.44.2",
+  "version": "1.45.0",
   "description": "Handles library reporting and library usage analysis",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -21,10 +21,10 @@
   },
   "dependencies": {
     "@contrast/code-events": "^3.1.0",
-    "@contrast/common": "1.34.2",
-    "@contrast/config": "1.49.2",
+    "@contrast/common": "1.35.0",
+    "@contrast/config": "1.50.0",
     "@contrast/find-package-json": "^1.1.0",
-    "@contrast/logger": "1.27.2",
+    "@contrast/logger": "1.28.0",
     "semver": "^7.6.0"
   }
 }

package/node_modules/@contrast/logger/lib/serializers.js CHANGED Viewed

@@ -26,8 +26,8 @@ function config(config) {
     // log as-is if not a Config instance
     if (typeof config?.getReport !== 'function')
         return config;
-    const safeCopy = { _errors: [...config._errors] };
-    const { config: { effective_config } } = config.getReport({ redact: true });
+    const safeCopy = { _errors: [...config._errors], _filepaths: [...config._filepaths] };
+    const { config: { effective_config } } = config.getReport({ redact: true, stringify: false });
     for (const info of effective_config) {
         const { canonical_name, value } = info;
         (0, common_1.set)(safeCopy, canonical_name, value);

package/node_modules/@contrast/logger/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/logger",
-  "version": "1.27.2",
+  "version": "1.28.0",
   "description": "Centralized logging for Contrast agent services",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -21,8 +21,8 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.34.2",
-    "@contrast/config": "1.49.2",
+    "@contrast/common": "1.35.0",
+    "@contrast/config": "1.50.0",
     "pino": "^8.15.0"
   }
 }

package/node_modules/@contrast/metrics/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/metrics",
-  "version": "1.31.2",
+  "version": "1.32.0",
   "description": "Records and logs route latency",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -21,10 +21,10 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.34.2",
-    "@contrast/config": "1.49.2",
-    "@contrast/dep-hooks": "1.23.2",
-    "@contrast/logger": "1.27.2",
-    "@contrast/patcher": "1.26.2"
+    "@contrast/common": "1.35.0",
+    "@contrast/config": "1.50.0",
+    "@contrast/dep-hooks": "1.24.0",
+    "@contrast/logger": "1.28.0",
+    "@contrast/patcher": "1.27.0"
   }
 }

package/node_modules/@contrast/patcher/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/patcher",
-  "version": "1.26.2",
+  "version": "1.27.0",
   "description": "Advanced monkey patching--registers hooks to run in and around functions",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,6 +20,6 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/logger": "1.27.2"
+    "@contrast/logger": "1.28.0"
   }
 }

package/node_modules/@contrast/protect/lib/get-source-context.js CHANGED Viewed

@@ -22,7 +22,9 @@ module.exports = function init(core) {
     if (!core.config.getEffectiveValue('protect.enable')) return null;
     const sourceContext = sources.getStore()?.protect;
-    return sourceContext?.allowed ? null : sourceContext;
+    if (!sourceContext) return null;
+    return sourceContext.allowed ? null : sourceContext;
   }
   core.protect.getSourceContext = getSourceContext;

package/node_modules/@contrast/protect/lib/index.js CHANGED Viewed

@@ -20,7 +20,7 @@ const { callChildComponentMethodsSync } = require('@contrast/common');
 const { ConfigSource } = require('@contrast/config');
 module.exports = function(core) {
-  const { config } = core;
+  const { config, sources } = core;
   const protect = core.protect = {
     agentLib: module.exports.instantiateAgentLib(),
@@ -55,6 +55,11 @@ module.exports = function(core) {
     callChildComponentMethodsSync(protect, 'install');
   };
+  // append async state to store when request-scope sources are created
+  sources.addHook('onSource', (ctx) => {
+    ctx.store.protect = protect.makeSourceContext(ctx);
+  });
   return protect;
 };

package/node_modules/@contrast/protect/lib/input-analysis/handlers.js CHANGED Viewed

@@ -117,7 +117,6 @@ module.exports = Core.makeComponent({
     // all handlers will be invoked with two arguments:
     // 1) sourceContext object containing:
-    //   - reqData, the abstract request object containing only what is needed
     //   - protect, the protect context
     //     - rules, exclusions, virtual patches (TS data). what was in effect for this
     //       url *at the time the request was started*. these will not change.
@@ -162,7 +161,7 @@ module.exports = Core.makeComponent({
      * 'connectInputs' makes sense; a flag similar to 'contentType' can be set and it can be
      * used later to avoid calling 'handleQueryParams()'
      *
-     * @param {Object} sourceContext { reqData, protect } that will be supplied to
+     * @param {Object} sourceContext { protect } that will be supplied to
      *   all handlers and sinks for this request. It will always be supplied by the caller
      *   to a handler; the handler is not aware of the implementation.
      * @param {Object} connectInputs each property is an input to be evaluated by this
@@ -343,7 +342,8 @@ module.exports = Core.makeComponent({
       let bodyType;
       let inputTypes;
-      if (sourceContext.reqData.contentType.includes('/json')) {
+      const { sourceInfo } = core.scopes.sources.getStore();
+      if (sourceInfo?.contentType?.includes?.('/json')) {
         bodyType = 'json';
         inputTypes = jsonInputTypes;
       } else {
@@ -438,9 +438,8 @@ module.exports = Core.makeComponent({
     inputAnalysis.handleIpAllowlist = function(sourceContext, ipAllowlist) {
       if (!sourceContext || !ipAllowlist.length) return;
-      const { ip: reqIp, headers: reqHeaders } = sourceContext.reqData;
-      const match = ipListAnalysis(reqIp, reqHeaders, ipAllowlist);
+      const { sourceInfo } = core.scopes.sources.getStore();
+      const match = ipListAnalysis(sourceInfo.ip, sourceInfo.rawHeaders, ipAllowlist);
       if (match) {
         logger.info(match, 'Found a matching IP to an entry in ipAllow list');
@@ -453,9 +452,8 @@ module.exports = Core.makeComponent({
       if (!sourceContext || !ipDenylist.length) return;
-      const { ip: reqIp, headers: reqHeaders } = sourceContext.reqData;
-      const match = ipListAnalysis(reqIp, reqHeaders, ipDenylist);
+      const { sourceInfo } = core.scopes.sources.getStore();
+      const match = ipListAnalysis(sourceInfo.Ip, sourceInfo.rawHeaders, ipDenylist);
       if (match) {
         logger.info(match, 'Found a matching IP to an entry in ipDeny list');

package/node_modules/@contrast/protect/lib/input-analysis/install/http.js CHANGED Viewed

@@ -31,24 +31,19 @@ module.exports = function (core) {
     },
   } = core;
-  const instr = inputAnalysis.httpInstrumentation = {
-    install,
-    around
-  };
-  function removeCookies(headers) {
-    for (let i = 0; i < headers.length; i += 2) {
-      if (headers[i] === 'cookies') {
-        headers = ArrayPrototypeSlice.call(headers);
-        headers.splice(i, 2);
+  function removeCookies(rawHeaders) {
+    for (let i = 0; i < rawHeaders.length; i += 2) {
+      if (rawHeaders[i] === 'cookies') {
+        rawHeaders = ArrayPrototypeSlice.call(rawHeaders);
+        rawHeaders.splice(i, 2);
       }
     }
-    return headers;
+    return rawHeaders;
   }
   function around(next, data) {
     let store, block;
-    const { args: [type, req, res] } = data;
+    const { args: [type,, res] } = data;
     function callNext() {
       setImmediate(() => {
@@ -63,21 +58,20 @@ module.exports = function (core) {
     try {
       store = sources.getStore();
-      if (!store) {
+      if (!store?.protect) {
         logger.debug({ funcKey: data.funcKey }, 'request store not available during http input-analysis');
+        callNext();
         return;
       }
-      store.protect = core.protect.makeSourceContext(req, res);
       if (store.protect.allowed) {
         callNext();
         return;
       }
       const {
-        reqData: { headers, uriPath, method },
-        resData,
-      } = store.protect;
+        sourceInfo: { method, rawHeaders, uriPath },
+        protect: { resData }
+      } = store;
       onFinished(res, (/* err, req */) => {
         resData.statusCode = res.statusCode;
@@ -86,7 +80,7 @@ module.exports = function (core) {
       });
       const connectInputs = {
-        headers: removeCookies(headers),
+        headers: removeCookies(rawHeaders),
         uriPath,
         method: StringPrototypeToLowerCase.call(method),
       };
@@ -131,5 +125,10 @@ module.exports = function (core) {
     });
   }
+  const instr = inputAnalysis.httpInstrumentation = {
+    install,
+    around
+  };
   return instr;
 };

package/node_modules/@contrast/protect/lib/input-analysis/install/qs6.js CHANGED Viewed

@@ -22,34 +22,35 @@ module.exports = (core) => {
     depHooks,
     patcher,
     protect,
-    protect: { inputAnalysis },
+    scopes,
   } = core;
   // Patch `qs`
   function install() {
-    depHooks.resolve({ name: 'qs', version: '<7' },
-      (qs) => patcher.patch(qs, 'parse', {
-        name: 'qs',
-        patchType,
-        post({ args, result }) {
-          if (result && Object.keys(result).length) {
-            const sourceContext = protect.getSourceContext();
-            // We need to run analysis for the `qs` result only when it's used as a query parser.
-            // `qs` is used also for parsing bodies, but these cases we handle individually with
-            // the respective library that's using it (e.g. `formidable`, `co-body`) because in
-            // some cases its use is optional and we cannot rely on it.
-            if (sourceContext && sourceContext.reqData?.queries === args[0]) {
+    depHooks.resolve({ name: 'qs', version: '<7' }, (qs) => patcher.patch(qs, 'parse', {
+      name: 'qs',
+      patchType,
+      post({ args, result }) {
+        if (result && Object.keys(result).length) {
+          const sourceContext = protect.getSourceContext();
+          // We need to run analysis for the `qs` result only when it's used as a query parser.
+          // `qs` is used also for parsing bodies, but these cases we handle individually with
+          // the respective library that's using it (e.g. `formidable`, `co-body`) because in
+          // some cases its use is optional and we cannot rely on it.
+          if (sourceContext) {
+            const { sourceInfo } = scopes.sources.getStore();
+            if (sourceInfo.queries === args[0]) {
               sourceContext.parsedQuery = result;
-              inputAnalysis.handleQueryParams(sourceContext, result);
+              protect.inputAnalysis.handleQueryParams(sourceContext, result);
             }
           }
         }
-      })
+      }
+    })
     );
   }
-  const qs6Instrumentation = inputAnalysis.qs6Instrumentation = {
+  const qs6Instrumentation = protect.inputAnalysis.qs6Instrumentation = {
     install
   };

package/node_modules/@contrast/protect/lib/input-analysis/install/universal-cookie4.js CHANGED Viewed

@@ -22,7 +22,6 @@ module.exports = (core) => {
     depHooks,
     patcher,
     protect,
-    protect: { inputAnalysis },
   } = core;
   // Patch `universal-cookie` package
@@ -36,7 +35,7 @@ module.exports = (core) => {
           if (sourceContext) {
             sourceContext.parsedCookies = result;
-            inputAnalysis.handleCookies(sourceContext, result);
+            protect.inputAnalysis.handleCookies(sourceContext, result);
           }
         }
       }
@@ -44,7 +43,7 @@ module.exports = (core) => {
     );
   }
-  const universalCookie4Instrumentation = inputAnalysis.universalCookie4Instrumentation = {
+  const universalCookie4Instrumentation = protect.inputAnalysis.universalCookie4Instrumentation = {
     install
   };

package/node_modules/@contrast/protect/lib/make-source-context.js CHANGED Viewed

@@ -15,80 +15,36 @@
 'use strict';
-const { primordials: { StringPrototypeToLowerCase, StringPrototypeSlice } } = require('@contrast/common');
 module.exports = function(core) {
-  const {
-    protect: { getPolicy }
-  } = core;
-  const disabledPolicy = { allowed: true };
-  function makeSourceContext(req, res) {
-    if (!core.config.getEffectiveValue('protect.enable')) {
-      return disabledPolicy;
-    }
-    // make the abstract request. it is an abstraction of a request that
-    // contains only the pieces of the request required by handlers. this
-    // is done to make an explicit contract for data that is required by
-    // the handlers. additional data that is discovered to be required by
-    // handlers should be added here. the goal is not to pass the raw req
-    // or res objects so that all data coupling is all defined here.
-    // separate path and search params
-    let uriPath, queries;
-    const ix = req.url.indexOf('?');
-    if (ix >= 0) {
-      uriPath = StringPrototypeSlice.call(req.url, 0, ix);
-      queries = StringPrototypeSlice.call(req.url, ix + 1);
-    } else {
-      uriPath = req.url;
-      queries = '';
-    }
-    const policy = getPolicy({ uriPath });
+  const { protect } = core;
+  const DISABLED_POLICY = { allowed: true };
+  /**
+   * @param {object} param
+   * @param {object} param.store
+   * @param {import('@contrast/common').SourceInfo} param.store.sourceInfo
+   * @param {import('node:http').IncomingMessage} param.incomingMessage
+   * @param {import('node:http').ServerResponse} param.serverResponse
+   *
+   */
+  function makeSourceContext({
+    store: { sourceInfo },
+    // incomingMessage,
+    serverResponse,
+  }) {
+    if (!core.config.getEffectiveValue('protect.enable')) return DISABLED_POLICY;
+    const policy = protect.getPolicy({ uriPath: sourceInfo.uriPath });
     // URL exclusions can disable all rules
-    if (!policy || policy.rulesMask === 0) {
-      return disabledPolicy;
-    }
-    // lowercase header keys and capture content-type
-    let contentType = '';
-    const headers = Array(req.rawHeaders.length);
-    for (let i = 0; i < req.rawHeaders.length; i += 2) {
-      headers[i] = StringPrototypeToLowerCase.call(req.rawHeaders[i]);
-      headers[i + 1] = req.rawHeaders[i + 1];
-      if (headers[i] === 'content-type') {
-        contentType = StringPrototypeToLowerCase.call(headers[i + 1]);
-      }
-    }
-    // contains request data and information derived from request data. it's
-    // possible for any derived information to be derived later, but doing
-    // so here is typically better; it makes clear what information is used to
-    // make decisions by different handlers.
-    const reqData = {
-      ip: req.socket.remoteAddress,
-      httpVersion: req.httpVersion,
-      method: req.method,
-      headers,
-      uriPath,
-      queries,
-      contentType,
-    };
+    if (!policy || policy.rulesMask === 0) return DISABLED_POLICY;
     const protectStore = {
-      reqData,
       resData: {
         statusCode: null,
       },
       // block closure captures res so it isn't exposed to beyond here
-      blocker: new core.protect.Blocker(res),
+      blocker: new core.protect.Blocker(serverResponse),
       policy,
       exclusions: [],
       virtualPatchesEvaluators: [],

package/node_modules/@contrast/protect/lib/semantic-analysis/handlers.js CHANGED Viewed

@@ -75,6 +75,79 @@ module.exports = function(core) {
     }
   }
+  /**
+   * Backdoor detection logic:
+   *  - command is >= 2 chars
+   *  - iterates over every piece of request and checks
+   *    - the full value is the param to sink
+   *    - the value matches a regex and ends the param to the sink
+   */
+  function findBackdoorInjection(sourceContext, command) {
+    if (command?.length < 2) {
+      return null;
+    }
+    const { sourceInfo } = core.scopes.sources.getStore();
+    const valuesOfInterest = {
+      [InputType.QUERYSTRING]: sourceContext.parsedQuery,
+      [InputType.PARAMETER_VALUE]: sourceContext.parsedParams,
+      [InputType.BODY]: sourceContext.parsedBody,
+      [InputType.COOKIE_VALUE]: sourceContext.parsedCookies,
+      [InputType.HEADER]: sourceInfo.rawHeaders,
+    };
+    let found;
+    for (const inputType in valuesOfInterest) {
+      if (found) break;
+      const values = valuesOfInterest[inputType];
+      if (values && Object.keys(values).length) {
+        traverseValues(values, (path, type, value, obj) => {
+          if (isBackdoorDetected(value, command)) {
+            let key;
+            if (inputType === InputType.HEADER) {
+              key = obj[path[0] - 1];
+            } else {
+              key = path[path.length - 1];
+            }
+            found = {
+              key,
+              inputType: path.length > 1 ? InputType.JSON_VALUE : inputType,
+              path: ArrayPrototypeSlice.call(path, 0, -1),
+              value: command
+            };
+            // halt traversal
+            return true;
+          }
+        });
+      }
+    }
+    return found;
+  }
+  /**
+     * strips the whitespace of the request value and the command,
+     * checks if the command equals the request value
+     * or if the command looks like the start of a shell execution
+     * and ends with the request value passed to the sink
+     *
+     * @param {string} value from request key
+     */
+  function isBackdoorDetected(requestValue, command) {
+    const normalizedValue = stripWhiteSpace(requestValue);
+    const normalizedCommand = stripWhiteSpace(command);
+    return (
+      normalizedValue === normalizedCommand ||
+      (normalizedCommand.endsWith(normalizedValue) &&
+        RegExpPrototypeTest.call(SINK_EXPLOIT_PATTERN_START, normalizedCommand))
+    );
+  }
   semanticAnalysis.handleCmdInjectionSemanticDangerous = function(sourceContext, sinkContext) {
     const mode = sourceContext.policy[Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS];
@@ -137,75 +210,3 @@ module.exports = function(core) {
   return semanticAnalysis;
 };
-/**
- * Backdoor detection logic:
- *  - command is >= 2 chars
- *  - iterates over every piece of request and checks
- *    - the full value is the param to sink
- *    - the value matches a regex and ends the param to the sink
- */
-function findBackdoorInjection(sourceContext, command) {
-  if (command?.length < 2) {
-    return null;
-  }
-  const valuesOfInterest = {
-    [InputType.QUERYSTRING]: sourceContext.parsedQuery,
-    [InputType.PARAMETER_VALUE]: sourceContext.parsedParams,
-    [InputType.BODY]: sourceContext.parsedBody,
-    [InputType.COOKIE_VALUE]: sourceContext.parsedCookies,
-    [InputType.HEADER]: sourceContext.reqData.headers,
-  };
-  let found;
-  for (const inputType in valuesOfInterest) {
-    if (found) break;
-    const values = valuesOfInterest[inputType];
-    if (values && Object.keys(values).length) {
-      traverseValues(values, (path, type, value, obj) => {
-        if (isBackdoorDetected(value, command)) {
-          let key;
-          if (inputType === InputType.HEADER) {
-            key = obj[path[0] - 1];
-          } else {
-            key = path[path.length - 1];
-          }
-          found = {
-            key,
-            inputType: path.length > 1 ? InputType.JSON_VALUE : inputType,
-            path: ArrayPrototypeSlice.call(path, 0, -1),
-            value: command
-          };
-          // halt traversal
-          return true;
-        }
-      });
-    }
-  }
-  return found;
-}
-/**
-   * strips the whitespace of the request value and the command,
-   * checks if the command equals the request value
-   * or if the command looks like the start of a shell execution
-   * and ends with the request value passed to the sink
-   *
-   * @param {string} value from request key
-   */
-function isBackdoorDetected(requestValue, command) {
-  const normalizedValue = stripWhiteSpace(requestValue);
-  const normalizedCommand = stripWhiteSpace(command);
-  return (
-    normalizedValue === normalizedCommand ||
-      (normalizedCommand.endsWith(normalizedValue) &&
-      RegExpPrototypeTest.call(SINK_EXPLOIT_PATTERN_START, normalizedCommand))
-  );
-}

package/node_modules/@contrast/protect/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.64.2",
+  "version": "1.65.0",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -21,16 +21,16 @@
   },
   "dependencies": {
     "@contrast/agent-lib": "^9.1.0",
-    "@contrast/common": "1.34.2",
-    "@contrast/config": "1.49.2",
-    "@contrast/core": "1.54.2",
-    "@contrast/dep-hooks": "1.23.2",
-    "@contrast/esm-hooks": "2.28.2",
-    "@contrast/instrumentation": "1.33.2",
-    "@contrast/logger": "1.27.2",
-    "@contrast/patcher": "1.26.2",
-    "@contrast/rewriter": "1.30.2",
-    "@contrast/scopes": "1.24.2",
+    "@contrast/common": "1.35.0",
+    "@contrast/config": "1.50.0",
+    "@contrast/core": "1.55.0",
+    "@contrast/dep-hooks": "1.24.0",
+    "@contrast/esm-hooks": "2.29.0",
+    "@contrast/instrumentation": "1.34.0",
+    "@contrast/logger": "1.28.0",
+    "@contrast/patcher": "1.27.0",
+    "@contrast/rewriter": "1.31.0",
+    "@contrast/scopes": "1.25.0",
     "async-hook-domain": "^4.0.1",
     "ipaddr.js": "^2.0.1",
     "on-finished": "^2.4.1",

package/node_modules/@contrast/reporter/lib/reporters/contrast-ui/endpoints/application-activity/index.js CHANGED Viewed

@@ -27,15 +27,15 @@ class ApplicationActivity extends ng_endpoint_1.default {
         this.defendPayload = [];
         this.lastUpdate = 0;
         this.userAgentSet = new Set();
-        uiReporter.subscribeWithLock(common_1.Event.PROTECT, (msg) => {
-            if (!msg.protect)
+        uiReporter.subscribeWithLock(common_1.Event.PROTECT, (store) => {
+            if (!store.protect || !store.sourceInfo)
                 return;
-            const { userAgent, attackModel } = (0, translations_1.handleProtectMessage)(msg.protect);
-            if (userAgent) {
-                this.userAgentSet.add(userAgent);
+            const result = (0, translations_1.handleProtectMessage)(store);
+            if (result?.userAgent) {
+                this.userAgentSet.add(result.userAgent);
             }
-            if (attackModel) {
-                this.defendPayload.push(attackModel);
+            if (result?.attackModel) {
+                this.defendPayload.push(result.attackModel);
             }
         });
     }