@contrast/agent-bundle 5.40.0 → 5.42.0

package/node_modules/@contrast/route-coverage/lib/index.js

@@ -16,7 +16,6 @@
 'use strict';
 
 const { callChildComponentMethodsSync, Event } = require('@contrast/common');
-const NormalizedUrlMapper = require('./normalized-url-mapper');
 
 /**
  * @param {import('.').Core & {
@@ -36,21 +35,14 @@ module.exports = function init(core) {
   const routeQueue = new Map();
 
   const routeIdentifier = (method, signature) => `${method}.${signature}`;
-  const routeCoverage = core.routeCoverage = {
-    _normalizedUrlMapper: new NormalizedUrlMapper(),
-
-    uriPathToNormalizedUrl(uriPath) {
-      return this._normalizedUrlMapper.map(uriPath);
-    },
 
+  const routeCoverage = core.routeCoverage = {
     discover(info) {
       const id = routeIdentifier(info.method, info.signature);
       if (routeInfo.get(id)) return;
 
       logger.trace({ info }, 'Discovered new route:');
       routeInfo.set(id, info);
-      this._normalizedUrlMapper.handleDiscover(info);
-
     },
 
     discoveryFinished() {

package/node_modules/@contrast/route-coverage/lib/install/express/express5.js

@@ -386,10 +386,14 @@ class ExpressInstrumentation {
         // `value` is a terminal Layer with observable signatures.
         // emit discovery after appending metadata.
         if (value[kMetaKey]) {
-          if (!value[kMetaKey].observables) {
-            value[kMetaKey].observables = {};
+          const observables = this.generateObservables(metas, value.handle);
+          if (observables) {
+            if (!value[kMetaKey].observables) {
+              value[kMetaKey].observables = observables;
+            } else {
+              Object.assign(value[kMetaKey].observables, observables);
+            }
           }
-          Object.assign(value[kMetaKey].observables, this.generateObservables(metas, value.handle));
           self.discover(value[kMetaKey]);
         }
       }
@@ -411,31 +415,28 @@ class ExpressInstrumentation {
         maybeLayer?.constructor?.name == 'Layer' &&
         !maybeLayer?.stack?.length
       ) {
-        //
         let _data = data.get(maybeLayer);
+
         if (!_data) {
-          _data = { path: [...path] };
+          _data = { paths: [] };
           data.set(maybeLayer, _data);
         }
 
         // you can mount a router on itself
         // prevent infinitely recursing into self-mounted routers
-        if (path.length > _data.path.length) {
-          let isNested = true;
-          loopPaths: for (let idx = 0; idx < _data.path.length; idx++) {
-            if (path[idx] != _data.path[idx]) {
-              isNested = false;
-              break loopPaths;
-            }
-          }
-          if (isNested) {
-            // todo: we don't support recursive router discovery/observation case atm
-            // stop to avoid infinite traversal
+        for (const visitedPath of _data.paths) {
+          // these conditions indicate recursive nesting at particular path
+          if (
+            path.length > visitedPath.length &&
+            visitedPath.every((el, i) => path[i] == el)
+          ) {
             path.pop();
             continue loopKeys;
           }
         }
 
+        _data.paths.push([...path]); // copy because path argument mutates
+
         const halt = cb(path, key, maybeLayer, target) === false;
         if (halt) return;
       }
@@ -500,9 +501,6 @@ class ExpressInstrumentation {
     // build signature lookup based on each template (normalizeUri)
     const map = templates.reduce((acc, routeTemplate) => {
       if (!routeTemplate) routeTemplate = '/';
-      if (routeTemplate?.includes?.('typecheck')) {
-        // console.dir({ info, template });
-      }
       acc[routeTemplate] = `${type}.${method}('${routeTemplate}', ${formattedHandler})`;
       return acc;
     }, {});

package/node_modules/@contrast/route-coverage/lib/install/hapi.js

@@ -62,11 +62,18 @@ module.exports = function init(core) {
                   patcher.patch(data.result.route.settings, 'handler', {
                     name: 'route.settings.handler',
                     patchType,
-                    post({ args }) {
+                    // this needs to be in a pre-hook so that the route
+                    // data is in the store before our dataflow hooks run
+                    pre({ args }) {
                       const [{ method, path: url, route }] = args;
                       //TODO: Will this signature always be associated with an existing route?
                       const signature = createSignature(method, path);
-                      routeCoverage.observe({ signature, url, method: StringPrototypeToLowerCase.call(method), normalizedUrl: route.path });
+                      routeCoverage.observe({
+                        signature,
+                        url,
+                        method: StringPrototypeToLowerCase.call(method),
+                        normalizedUrl: route.path,
+                      });
                     }
                   });
                 }

package/node_modules/@contrast/route-coverage/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/route-coverage",
-  "version": "1.45.2",
+  "version": "1.47.0",
   "description": "Handles route discovery and observation",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,14 +20,14 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.34.2",
-    "@contrast/config": "1.49.2",
-    "@contrast/core": "1.54.2",
-    "@contrast/dep-hooks": "1.23.2",
+    "@contrast/common": "1.35.0",
+    "@contrast/config": "1.50.0",
+    "@contrast/core": "1.55.0",
+    "@contrast/dep-hooks": "1.24.0",
     "@contrast/fn-inspect": "^4.3.0",
-    "@contrast/logger": "1.27.2",
-    "@contrast/patcher": "1.26.2",
-    "@contrast/scopes": "1.24.2",
+    "@contrast/logger": "1.28.0",
+    "@contrast/patcher": "1.27.0",
+    "@contrast/scopes": "1.25.0",
     "semver": "^7.6.0"
   }
 }

package/node_modules/@contrast/scopes/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/scopes",
-  "version": "1.24.2",
+  "version": "1.25.0",
   "description": "Handles AsyncLocalStorage scopes",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,9 +20,9 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/core": "1.54.2",
-    "@contrast/dep-hooks": "1.23.2",
-    "@contrast/logger": "1.27.2",
-    "@contrast/patcher": "1.26.2"
+    "@contrast/core": "1.55.0",
+    "@contrast/dep-hooks": "1.24.0",
+    "@contrast/logger": "1.28.0",
+    "@contrast/patcher": "1.27.0"
   }
 }

package/node_modules/@contrast/sec-obs/lib/traces/http.js

@@ -16,7 +16,7 @@
 'use strict';
 const patchType = 'observability';
 const onFinished = require('on-finished');
-const { primordials: { StringPrototypeSplit } } = require('@contrast/common');
+const { normalizeURI, primordials: { StringPrototypeSplit } } = require('@contrast/common');
 
 module.exports = function(core) {
   const {
@@ -48,7 +48,7 @@ module.exports = function(core) {
     if (!method || !url) return next();
 
     const [path] = StringPrototypeSplit.call(url, '?'); // TODO: NODE-3701 sync discovered route name and trace
-    const name = `${method} ${path}`;
+    const name = `${method} ${normalizeURI(path)}`;
     const rootSpan = tracer.startSpan(name);
     // TODO: Audit other attributes and add as needed
     const headers = getHeaders(req);

package/node_modules/@contrast/sec-obs/lib/traces/http.test.js

@@ -69,6 +69,23 @@ describe('observability root spans', function () {
         expect(span.end).to.have.been.called;
       });
 
+      it('generates a span with the normalized uri', function() {
+        emit('request', {
+          method: 'GET',
+          url: '/path/b09112a0-a58f-487a-ab4b-3608bd64fb3f/fd4b78312634a236d11da0f9c32526e5b8261afa/42/end'
+        }, resMock);
+        expect(startSpan).to.have.been.calledWith('GET /path/{uuid}/{hash}/{n}/end');
+        const span = startSpan.getCall(0).returnValue;
+        expect(span.setAttributes).to.have.been.calledWith({
+          'network.protocol.name': moduleName,
+          'http.request.method': 'GET',
+        });
+        expect(span.setAttributes).to.have.been.calledWith({
+          'http.response.status_code': 200
+        });
+        expect(span.end).to.have.been.called;
+      });
+
       it('generates a span with the attributes derived from headers', function() {
         const headersSymbol = Symbol('Headers');
         reqMock[headersSymbol] = {

package/node_modules/@contrast/sec-obs/lib/traces/outbound-service-call.js

@@ -16,7 +16,7 @@
 'use strict';
 const patchType = 'observability';
 const onFinished = require('on-finished');
-const { isString } = require('@contrast/common');
+const { isString, normalizeURI } = require('@contrast/common');
 
 module.exports = function(core) {
   const {
@@ -37,7 +37,7 @@ module.exports = function(core) {
     protocol = protocol.endsWith(':') ? protocol : `${protocol}:`;
     path = path || pathname;
     port &&= `:${port}`;
-    return `${protocol}//${hostname}${port}${path}`;
+    return `${protocol}//${hostname}${port}${normalizeURI(path)}`;
   }
 
   return core.secObs.traces.outboundServiceCall = {

package/node_modules/@contrast/sec-obs/lib/traces/outbound-service-call.test.js

@@ -138,4 +138,21 @@ describe('observability outbound-service-call action', function () {
     });
     expect(span.end).to.have.been.called;
   });
+
+  it('generates a span with normalized path', function() {
+    core.secObs.tracing.getContext.returns({});
+    core.secObs.tracing.runContext.returns({});
+    http.request({
+      protocol: 'http',
+      hostname: 'example.com',
+      path: '/path/b09112a0-a58f-487a-ab4b-3608bd64fb3f/fd4b78312634a236d11da0f9c32526e5b8261afa/42/end'
+    });
+    expect(startSpan).to.have.been.calledWith('outbound-service-call', undefined, {});
+    const span = startSpan.getCall(0).returnValue;
+    expect(span.setAttributes).to.have.been.calledWith({
+      'url.full': 'http://example.com/path/{uuid}/{hash}/{n}/end',
+      'server.address': 'example.com',
+    });
+    expect(span.end).to.have.been.called;
+  });
 });

package/node_modules/@contrast/sec-obs/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/sec-obs",
-  "version": "1.0.0-alpha.8",
+  "version": "1.0.0-alpha.9",
   "description": "Contrast service providing framework-agnostic Observability support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -17,14 +17,14 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.33.0",
-    "@contrast/config": "1.48.0",
-    "@contrast/core": "1.53.0",
-    "@contrast/dep-hooks": "1.22.0",
-    "@contrast/logger": "1.26.0",
-    "@contrast/patcher": "1.25.0",
-    "@contrast/rewriter": "1.29.0",
-    "@contrast/scopes": "1.23.0",
+    "@contrast/common": "1.35.0",
+    "@contrast/config": "1.50.0",
+    "@contrast/core": "1.55.0",
+    "@contrast/dep-hooks": "1.24.0",
+    "@contrast/logger": "1.28.0",
+    "@contrast/patcher": "1.27.0",
+    "@contrast/rewriter": "1.31.0",
+    "@contrast/scopes": "1.25.0",
     "@opentelemetry/api": "^1.9.0",
     "@opentelemetry/exporter-metrics-otlp-http": "^0.57.1",
     "@opentelemetry/exporter-trace-otlp-http": "^0.57.1",

package/node_modules/@contrast/sources/lib/index.js

@@ -0,0 +1,109 @@
+/*
+ * Copyright: 2025 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { EventEmitter } = require('events');
+const onFinished = require('on-finished');
+const { set, Event } = require('@contrast/common');
+const { Core } = require('@contrast/core/lib/ioc/core');
+const NormalizedUriMapper = require('./normalized-uri-mapper');
+const { HttpSourceInfo } = require('./source-info');
+
+const componentName = 'sources';
+
+module.exports = Core.makeComponent({
+  name: componentName,
+  factory: (core) => new Sources(core),
+});
+
+class Sources {
+  constructor(core) {
+    // decorate
+    set(core, componentName, this);
+
+    this.core = core;
+    this._hooks = new EventEmitter();
+    this._normalizedUriMapper = new NormalizedUriMapper(core);
+  }
+
+  addHook(name, handler) {
+    // only this one hook atm
+    if (name === 'onSource') this._hooks.on(name, handler);
+  }
+
+  aroundHook(serverType) {
+    const { _hooks, _normalizedUriMapper, core } = this;
+
+    return function (next, data) {
+      const { args: [event, req, res] } = data;
+
+      if (event !== 'request') {
+        if (event === 'listening') {
+          // take a snapshot of Perf.all at this point. this will get logged
+          // at some point on the perf interval timer.
+          core.Perf.mark('listening');
+          core.messages.emit(Event.SERVER_LISTENING, { type: serverType, server: data.obj });
+        }
+        return next();
+      }
+
+      core.Perf.requestCount += 1;
+
+      const sourceInfo = new HttpSourceInfo({
+        serverType,
+        raw: req,
+        normalizedUriMapper: _normalizedUriMapper,
+      });
+      const store = { sourceInfo };
+
+      onFinished(res, (/* err, req */) => {
+        core.messages.emit(Event.RESPONSE_FINISH, store);
+      });
+
+      return core.scopes.sources.run(store, () => {
+        if (_hooks._events.onSource) {
+          _hooks.emit('onSource', {
+            // future: non-http sources will have their own type
+            sourceType: 'HTTP',
+            store,
+            incomingMessage: req,
+            serverResponse: res,
+          });
+        }
+
+        return next();
+      });
+    };
+  }
+
+  install() {
+    const { instrumentation, sources } = this.core;
+
+    ['http', 'https', 'spdy', 'http2'].forEach((moduleName) => {
+      instrumentation.instrument({
+        moduleName,
+        patchObjects: [{
+          name: 'Server.prototype',
+          methods: ['emit'],
+          patchType: 'sources',
+          around: sources.aroundHook(moduleName)
+        }]
+      });
+    });
+  }
+}
+
+module.exports.HttpSourceInfo = HttpSourceInfo;

package/node_modules/@contrast/sources/lib/index.test.js

@@ -0,0 +1,120 @@
+'use strict';
+
+const EventEmitter = require('events');
+const { expect } = require('chai');
+const sinon = require('sinon');
+const { initProtectFixture } = require('@contrast/test/fixtures');
+const mocks = require('@contrast/test/mocks');
+const proxyquire = require('proxyquire');
+
+describe('agentify sources', function () {
+  [
+    {
+      name: 'http',
+      expected: {
+        port: 8080,
+        protocol: 'http',
+        serverType: 'http',
+      },
+    },
+    {
+      name: 'https',
+      expected: {
+        port: 8080,
+        protocol: 'https',
+        serverType: 'https',
+      },
+    },
+    {
+      name: 'spdy',
+      expected: {
+        port: 8080,
+        protocol: 'https',
+        serverType: 'spdy',
+      },
+    },
+    {
+      name: 'http2',
+      method: 'createServer',
+      expected: {
+        port: 8080,
+        protocol: 'https',
+        serverType: 'spdy',
+      },
+    },
+    {
+      name: 'http2',
+      method: 'createSecureServer',
+      expected: {
+        port: 8080,
+        protocol: 'https',
+        serverType: 'spdy',
+      },
+    }
+  ].forEach(({ name, method, expected }) => {
+    describe(`${name} sources using ${method || 'Server'}()`, function () {
+      let core, api, ServerMock, reqMock, resMock, onFinishedMock;
+
+      beforeEach(function () {
+        ({ core } = initProtectFixture());
+        ServerMock = function ServerMock() {
+          this.e = new EventEmitter();
+        };
+        ServerMock.prototype.emit = function (...args) {
+          this.e.emit(...args);
+        };
+        ServerMock.prototype.on = function (...args) {
+          this.e.on(...args);
+        };
+        api = {
+          Server: ServerMock,
+          createServer() {
+            return new ServerMock();
+          },
+          createSecureServer() {
+            return new ServerMock();
+          }
+        };
+        reqMock = mocks.incomingMessage();
+        // resMock = new EventEmitter();
+        onFinishedMock = sinon.stub();
+
+        core.depHooks.resolve.withArgs(sinon.match({ name: 'http' })).yields(api);
+        proxyquire('.', {
+          'on-finished': onFinishedMock,
+        })(core).install();
+      });
+
+      it('"request" events run in scope with correct sourceInfo', function () {
+        const server = method ? api[method]() : new ServerMock();
+        let store;
+
+        server.on('request', function () {
+          store = core.scopes.sources.getStore();
+        });
+
+        server.emit('request', reqMock, resMock);
+
+        expect(store.sourceInfo).to.deep.include({
+          port: 8080,
+          protocol: 'http',
+          serverType: 'http',
+        });
+
+        expect(onFinishedMock).to.have.been.calledWith(resMock);
+      });
+
+      it('non-"request" events do not run in scope', function () {
+        const server = method ? api[method]() : new ServerMock();
+        let store;
+
+        server.on('foo', function () {
+          store = core.scopes.sources.getStore();
+        });
+
+        server.emit('foo', reqMock, resMock);
+        expect(store).to.be.undefined;
+      });
+    });
+  });
+});

package/node_modules/@contrast/{route-coverage/lib/normalized-url-mapper.js → sources/lib/normalized-uri-mapper.js}

@@ -15,13 +15,14 @@
 'use strict';
 
 const {
+  Event,
   get,
   set,
   primordials: { StringPrototypeSubstr, StringPrototypeSplit }
 } = require('@contrast/common');
 
-class NormalizedUrlMapper {
-  constructor() {
+class NormalizedUriMapper {
+  constructor(core) {
     this._db = {
       // index by static routes e.g.
       // '/' => {}
@@ -39,6 +40,12 @@ class NormalizedUrlMapper {
     };
     this._defaultDynamicRe = /\(|\?|\||\[|\*|\+|\{/;
     this._hapiDynamicRe = /\(|\?|\||\[|\*|\+/;
+
+    core.messages.on(Event.ROUTE_COVERAGE_DISCOVERY_FINISHED, (routes) => {
+      for (const routeInfo of routes) {
+        this.handleDiscover(routeInfo);
+      }
+    });
   }
 
   _getPathSegments(uriPath) {
@@ -171,4 +178,4 @@ class NormalizedUrlMapper {
   }
 }
 
-module.exports = NormalizedUrlMapper;
+module.exports = NormalizedUriMapper;

package/node_modules/@contrast/sources/lib/normalized-uri-mapper.test.js

@@ -0,0 +1,59 @@
+'use strict';
+
+const EventEmitter = require('node:events');
+const { expect } = require('chai');
+const { Event } = require('@contrast/common');
+const frameworkRoutingData = require('@contrast/test/data/framework-routing-data');
+const NormalizedUrlMapper = require('./normalized-uri-mapper');
+
+describe('route-coverage NormalizedUrlMapper', function() {
+  const testData = Object.values(frameworkRoutingData()).flatMap((a) => a);
+  let mapper;
+  let messages;
+
+  this.beforeEach(function() {
+    messages = new EventEmitter();
+    mapper = new NormalizedUrlMapper({
+      messages,
+    });
+  });
+
+  describe('.map', function() {
+    it('returns null if no discovery events were handled', function() {
+      [
+        '/user/1',
+        '/user/2',
+        '/user/3',
+        '/user/4',
+        '/user/1/cart',
+        '/user/2/cart',
+        '/user/3/cart',
+        '/user/4/cart',
+        '/products/all',
+        '/products/all',
+        '/products/1',
+        '/products/2',
+        '/products/3',
+        '/products/4',
+      ].forEach((uriPath) => {
+        expect(mapper.map(uriPath)).to.be.null;
+      });
+    });
+
+    it('returns normalizedUrl mapped from generic uriPath', function() {
+      messages.emit(Event.ROUTE_COVERAGE_DISCOVERY_FINISHED, testData.map((d) => d.routeInfo));
+      testData.forEach((td) => {
+        const { routeInfo, paths, hasMapping } = td;
+
+        for (const uriPath of paths) {
+          // todo - dynamic and regex paths
+          if (hasMapping === false) {
+            expect(mapper.map(uriPath)).to.be.null;
+          } else {
+            expect(mapper.map(uriPath)).to.equal(routeInfo.normalizedUrl);
+          }
+        }
+      });
+    });
+  });
+});

package/node_modules/@contrast/{sec-obs/node_modules/@contrast/core/lib/sensitive-data-masking/constants.js → sources/lib/req-data.js}

@@ -12,9 +12,3 @@
  * engineered, modified, repackaged, sold, redistributed or otherwise used in a
  * way not consistent with the End User License Agreement.
  */
-
-'use strict';
-
-module.exports = {
-  CONTRAST_REDACTED: 'contrast-redacted',
-};