@contrast/agent-bundle 5.42.0 → 5.46.0

package/README.md

@@ -65,23 +65,14 @@ Notes:
 
 ### With end-of-life Node.js Versions
 
-When using the agent with end-of-life Node.js versions, use either the `--loader` or
-`--require` flag, depending on the version of Node.js and the module system used.
-
 Use the `--loader` flag for Node.js versions `>=16.17.0 <18.19.0`.
 
 ```sh
 node --loader @contrast/agent app-main.mjs [app arguments]
 ```
 
-Use the `--require` (`-r`) flag for Node.js versions `<16.17.0`.
-
-```sh
-node -r @contrast/agent app-main [app arguments]
-```
-
 Note:
-- `-r` will still work for Node.js versions that have no ESM modules or dependencies.
+- `--require` or `-r` will still work for Node.js versions that have no ESM modules or dependencies.
 
 ### Configuration
 

package/node_modules/@contrast/agent/README.md

@@ -65,23 +65,14 @@ Notes:
 
 ### With end-of-life Node.js Versions
 
-When using the agent with end-of-life Node.js versions, use either the `--loader` or
-`--require` flag, depending on the version of Node.js and the module system used.
-
 Use the `--loader` flag for Node.js versions `>=16.17.0 <18.19.0`.
 
 ```sh
 node --loader @contrast/agent app-main.mjs [app arguments]
 ```
 
-Use the `--require` (`-r`) flag for Node.js versions `<16.17.0`.
-
-```sh
-node -r @contrast/agent app-main [app arguments]
-```
-
 Note:
-- `-r` will still work for Node.js versions that have no ESM modules or dependencies.
+- `--require` or `-r` will still work for Node.js versions that have no ESM modules or dependencies.
 
 ### Configuration
 

package/node_modules/@contrast/agent/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "5.42.0",
+  "version": "5.46.0",
   "description": "Assess and Protect agents for Node.js",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -22,21 +22,21 @@
   "main": "./lib/index.js",
   "engines": {
     "npm": ">=6.13.7 <7 || >= 8.3.1",
-    "node": ">=16.9.1 <17 || >=18.7.0 <19 || >=20.6.0 <21 || >= 22.5.1 <23"
+    "node": ">=18.7.0 <19 || >=20.6.0 <21 || >= 22.5.1 <23 || >= 24.0.1 <25"
   },
   "scripts": {
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/agentify": "1.54.0",
-    "@contrast/architecture-components": "1.43.0",
-    "@contrast/assess": "1.60.0",
-    "@contrast/common": "1.35.0",
-    "@contrast/core": "1.55.0",
-    "@contrast/library-analysis": "1.45.0",
-    "@contrast/protect": "1.65.0",
-    "@contrast/route-coverage": "1.47.0",
-    "@contrast/sec-obs": "1.0.0-alpha.9",
-    "@contrast/telemetry": "1.30.0"
+    "@contrast/agentify": "1.58.0",
+    "@contrast/architecture-components": "1.46.0",
+    "@contrast/assess": "1.64.0",
+    "@contrast/common": "1.37.0",
+    "@contrast/core": "1.58.0",
+    "@contrast/library-analysis": "1.48.0",
+    "@contrast/protect": "1.69.0",
+    "@contrast/route-coverage": "1.50.0",
+    "@contrast/sec-obs": "1.2.0",
+    "@contrast/telemetry": "1.33.0"
   }
 }

package/node_modules/@contrast/agent-swc-plugin/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent-swc-plugin",
-  "version": "3.1.0",
+  "version": "3.2.0",
   "description": "SWC plugins Contrast Node agent",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
   "license": "SEE LICENSE IN LICENSE",
@@ -22,11 +22,11 @@
     "prepack": "cp target/wasm32-wasip1/release/*.wasm ."
   },
   "peerDependencies": {
-    "@swc/core": "^1.11.24"
+    "@swc/core": "^1.13.3"
   },
   "devDependencies": {
     "@swc/cli": "0.7.8",
-    "@swc/core": "^1.11.24",
+    "@swc/core": "^1.13.3",
     "@tsconfig/node16": "16.1.4",
     "benchmark": "2.1.4",
     "chai": "5.2.1",

package/node_modules/@contrast/agentify/lib/rewrite-hooks.js

@@ -26,8 +26,10 @@ const { rewriteIsDeadzoned } = require('@contrast/rewriter/lib/rewrite-is-deadzo
  * @returns {import('@contrast/common').Installable}
  */
 module.exports = function init(core) {
-  let js;
+  /** @type {Module.prototype["_compile"]} */
   let _compile;
+  /** @type {Module._extensions[".js"]} */
+  let js;
 
   core.rewriteHooks = {
     install() {
@@ -49,9 +51,7 @@ module.exports = function init(core) {
         /** @type {import('@contrast/rewriter').RewriteOpts} */
         const options = {
           filename,
-          isModule: false,
           inject: true,
-          wrap: true,
           minify: true,
         };
 

package/node_modules/@contrast/agentify/lib/utils.js

@@ -18,13 +18,17 @@
 const path = require('path');
 const process = require('process');
 const semver = require('semver');
-
 const {
   engines: {
     node: nodeEngines,
   }
 } = require('../package.json');
 
+const UNSUPPORTED_FLAGS = [
+  '--experimental',
+  '--permission',
+];
+
 const { primordials: { StringPrototypeSlice, StringPrototypeSplit, StringPrototypeTrim } } = require('@contrast/common');
 
 /**
@@ -33,7 +37,7 @@ const { primordials: { StringPrototypeSlice, StringPrototypeSplit, StringPrototy
  * @param {string} core.nodeEngines
  */
 function preStartupValidation(core) {
-  assertNoExperimentalFeatureFlags();
+  assertNoUnsupportedFlags();
   assertSupportedNodeVersion(core.nodeEngines || nodeEngines);
   assertSupportedPreloadUsage();
 }
@@ -61,15 +65,17 @@ function assertSupportedNodeVersion(engines) {
  * Checks that no experimental feature flags are used.
  * @throws {Error}
  */
-function assertNoExperimentalFeatureFlags() {
+function assertNoUnsupportedFlags() {
   const {
     execArgv,
     env: { NODE_OPTIONS },
   } = process;
 
-  if (execArgv.some(arg => arg.includes('--experimental')) || NODE_OPTIONS?.includes('--experimental')) {
-    const msg = 'Contrast Agent does not support experimental features.';
-    throw new Error(msg);
+  for (const pattern of UNSUPPORTED_FLAGS) {
+    if (execArgv.some(arg => arg.includes(pattern)) || NODE_OPTIONS?.includes(pattern)) {
+      const msg = `Contrast Agent does not support flags matching \`${pattern}\`.`;
+      throw new Error(msg);
+    }
   }
 }
 
@@ -168,6 +174,6 @@ module.exports = {
   assertValidOpts,
   assertSupportedNodeVersion,
   assertSupportedPreloadUsage,
-  assertNoExperimentalFeatureFlags,
+  assertNoUnsupportedFlags,
   preStartupValidation,
 };

package/node_modules/@contrast/agentify/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agentify",
-  "version": "1.54.0",
+  "version": "1.58.0",
   "description": "Configures Contrast agent services and instrumentation within an application",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -14,28 +14,28 @@
   "types": "lib/index.d.ts",
   "engines": {
     "npm": ">=6.13.7 <7 || >= 8.3.1",
-    "node": ">= 16.9.1"
+    "node": ">= 18.7.0"
   },
   "scripts": {
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.35.0",
-    "@contrast/config": "1.50.0",
-    "@contrast/core": "1.55.0",
-    "@contrast/deadzones": "1.27.0",
-    "@contrast/dep-hooks": "1.24.0",
-    "@contrast/esm-hooks": "2.29.0",
+    "@contrast/common": "1.37.0",
+    "@contrast/config": "1.53.0",
+    "@contrast/core": "1.58.0",
+    "@contrast/deadzones": "1.30.0",
+    "@contrast/dep-hooks": "1.27.0",
+    "@contrast/esm-hooks": "2.33.0",
     "@contrast/find-package-json": "^1.1.0",
-    "@contrast/instrumentation": "1.34.0",
-    "@contrast/logger": "1.28.0",
-    "@contrast/metrics": "1.32.0",
-    "@contrast/patcher": "1.27.0",
-    "@contrast/perf": "1.3.1",
-    "@contrast/reporter": "1.53.0",
-    "@contrast/rewriter": "1.31.0",
-    "@contrast/scopes": "1.25.0",
-    "@contrast/sources": "1.1.0",
+    "@contrast/instrumentation": "1.37.0",
+    "@contrast/logger": "1.31.0",
+    "@contrast/metrics": "1.35.0",
+    "@contrast/patcher": "1.30.0",
+    "@contrast/perf": "1.4.0",
+    "@contrast/reporter": "1.56.0",
+    "@contrast/rewriter": "1.35.0",
+    "@contrast/scopes": "1.28.0",
+    "@contrast/sources": "1.4.0",
     "on-finished": "^2.4.1",
     "semver": "^7.6.0"
   }

package/node_modules/@contrast/architecture-components/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/architecture-components",
-  "version": "1.43.0",
+  "version": "1.46.0",
   "description": "Detects external systems being connected to by applications.",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -14,15 +14,15 @@
   "types": "lib/index.d.ts",
   "engines": {
     "npm": ">=6.13.7 <7 || >= 8.3.1",
-    "node": ">= 16.9.1"
+    "node": ">= 18.7.0"
   },
   "scripts": {
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.35.0",
-    "@contrast/dep-hooks": "1.24.0",
-    "@contrast/logger": "1.28.0",
-    "@contrast/patcher": "1.27.0"
+    "@contrast/common": "1.37.0",
+    "@contrast/dep-hooks": "1.27.0",
+    "@contrast/logger": "1.31.0",
+    "@contrast/patcher": "1.30.0"
   }
 }

package/node_modules/@contrast/assess/lib/dataflow/propagation/install/ejs/template.js

@@ -37,7 +37,7 @@ module.exports = function (core) {
   } = core;
 
   /** @type {import('@contrast/rewriter').RewriteOpts} */
-  const REWRITE_OPTS = { isModule: false, inject: false, wrap: false, minify: false };
+  const REWRITE_OPTS = { inject: false, minify: false };
   const WRAPPER_PREFIX = ArrayPrototypeJoin.call([
     'function tempWrapper() {',
     'function __append(s) { if (s !== undefined && s !== null) __output += s }'

package/node_modules/@contrast/assess/lib/dataflow/propagation/install/pug/index.js

@@ -17,7 +17,7 @@
 const { patchType } = require('../../common');
 
 /** @type {import('@contrast/rewriter').RewriteOpts} */
-const REWRITE_OPTS = { isModule: false, inject: false, wrap: false, minify: false };
+const REWRITE_OPTS = { inject: false, minify: false };
 
 module.exports = function (core) {
   const store = { lock: true, name: 'assess:propagators:pug-compile' };

package/node_modules/@contrast/assess/lib/dataflow/sinks/install/http/server-response.js

@@ -77,7 +77,7 @@ module.exports = function(core) {
   ];
 
   const preHook = (moduleName, responseName, method) => ({ args, obj: response, result, hooked, orig }) => {
-    const methodName = `${responseName + (moduleName !== 'spdy' ? '.prototype' : '')}.${method}`;
+    const methodName = `${`${responseName}.prototype`}.${method}`;
     const name = `${moduleName}.${methodName}`;
     const sourceContext = getSinkContext(ruleId);
     if (!sourceContext) return;
@@ -91,7 +91,6 @@ module.exports = function(core) {
     const { contentType } = sourceContext.responseData;
     if (contentType && isSafeContentType(contentType)) return;
 
-    if (moduleName === 'spdy') response.spdyStream.once('finish', () => response.emit('finish'));
     if (isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) {
       const event = createSinkEvent({
         args: [{
@@ -175,16 +174,6 @@ module.exports = function(core) {
         });
       }
     });
-    depHooks.resolve({ name: 'spdy', version: '<5', file: 'lib/spdy/response.js' }, (response) => {
-      {
-        const method = 'end';
-        patcher.patch(response, method, {
-          name: 'spdy.response.end',
-          patchType,
-          pre: preHook('spdy', 'response', method),
-        });
-      }
-    });
   };
 
   return http;

package/node_modules/@contrast/assess/lib/dataflow/sinks/install/restify.js

@@ -113,7 +113,7 @@ module.exports = function(core) {
     install() {
       // restify adds functionality to the built-in response via this patch function.
       // once it returns the request, it'll have been decorated with redirect() method.
-      depHooks.resolve({ name: 'restify', version: '<12', file: 'lib/response.js' }, (responsePatch) => patcher.patch(responsePatch, {
+      depHooks.resolve({ name: 'restify', version: '>=10 <12', file: 'lib/response.js' }, (responsePatch) => patcher.patch(responsePatch, {
         name: 'restify.response.patch',
         patchType,
         post(data) {

package/node_modules/@contrast/assess/lib/dataflow/sources/handler.js

@@ -45,24 +45,19 @@ module.exports = Core.makeComponent({
     const logger = core.logger.child({ name: 'contrast:sources' });
 
     sources.createTags = function createTags({ inputType, fieldName = '', value, tagNames }) {
-      if (!value?.length) {
-        return null;
-      }
+      if (!value?.length) return null;
 
       const stop = value.length - 1;
-      const tags = {
-        [DataflowTag.UNTRUSTED]: [0, stop]
-      };
+      const tags = { [DataflowTag.UNTRUSTED]: [0, stop] };
 
-      if (tagNames) {
-        for (const tag of tagNames) {
+      if (tagNames)
+        for (const tag of tagNames)
           tags[tag] = [0, stop];
-        }
-      }
 
-      if (inputType === InputType.HEADER && StringPrototypeToLowerCase.call(fieldName) === 'referer') {
-        tags[DataflowTag.HEADER] = [0, stop];
-      }
+      if (
+        inputType === InputType.HEADER &&
+        StringPrototypeToLowerCase.call(fieldName) === 'referer'
+      ) tags[DataflowTag.HEADER] = [0, stop];
 
       return tags;
     };
@@ -89,14 +84,7 @@ module.exports = Core.makeComponent({
         return null;
       }
 
-      // url exclusion
-      if (!sourceContext.policy) {
-        return null;
-      }
-
-      if (!context) {
-        context = inputType;
-      }
+      if (!context) context = inputType;
 
       const { policy: requestPolicy } = sourceContext;
       const max = config.assess.max_context_source_events;
@@ -111,7 +99,10 @@ module.exports = Core.makeComponent({
       }
 
       function createEvent({ fieldName, pathName, value, excludedRules }) {
-        const tagNames = Array.from(excludedRules).map((ruleId) => `excluded:${ruleId}`);
+        let tagNames;
+        if (excludedRules) {
+          tagNames = Array.from(excludedRules).map((ruleId) => `excluded:${ruleId}`);
+        }
         // create the stacktrace once per call to .handle()
         stack || (stack = sources.createStacktrace(stacktraceOpts));
         return eventFactory.createSourceEvent({
@@ -127,7 +118,10 @@ module.exports = Core.makeComponent({
       }
 
       if (Buffer.isBuffer(data) && !tracker.getData(data)) {
-        const { track, excludedRules } = requestPolicy.getInputPolicy(InputType.BODY);
+        const inputPolicy = requestPolicy.getInputPolicy(InputType.BODY);
+        const track = !!inputPolicy;
+        const excludedRules = inputPolicy?.constructor?.name == 'Set' ? inputPolicy : undefined;
+
         if (!track) {
           core.logger.debug({ inputType }, 'assess input exclusion disabled tracking');
           return;
@@ -149,7 +143,10 @@ module.exports = Core.makeComponent({
           return true;
         }
 
-        const { track, excludedRules } = sourceContext.policy.getInputPolicy(inputType, fieldName);
+        const inputPolicy = sourceContext.policy.getInputPolicy(inputType, fieldName);
+        const track = !!inputPolicy;
+        const excludedRules = inputPolicy?.constructor?.name == 'Set' ? inputPolicy : undefined;
+
         if (!track) {
           core.logger.debug({ fieldName, inputType }, 'assess input exclusion disabling tracking');
           return;

package/node_modules/@contrast/assess/lib/dataflow/sources/install/http.js

@@ -196,7 +196,7 @@ module.exports = function (core) {
   }
 
   function install() {
-    ['http', 'https', 'spdy', 'http2'].forEach((moduleName) => {
+    ['http', 'https', 'http2'].forEach((moduleName) => {
       instrument({
         moduleName,
         patchObjects: [{

package/node_modules/@contrast/assess/lib/dataflow/tracker.js

@@ -65,7 +65,7 @@ module.exports = function tracker(core) {
 
       if (distringuish.getProperties(value)) {
         const err = new Error();
-        logger.error({ err, value }, 'tracker.track called with a string value that is already tracked');
+        logger.debug({ err, value }, 'tracker.track called with a string value that is already tracked');
         return { extern: null };
       }
 

package/node_modules/@contrast/assess/lib/get-source-context.js

@@ -53,20 +53,11 @@ function factory(core) {
   core.assess.getPropagatorContext = function getPropagatorContext() {
     if (instrumentation.isLocked()) return null;
 
-    // the following logging used to be done by the caller, but has been moved
-    // here as opposed to overloading `ctx.policy` with a special value so the
-    // caller could determine whether no source context was available or the
-    // request is being intentionally excluded. A negative of this is that the
-    // function name is not available to be included in the log.
     const ctx = sources.getStore()?.assess;
-    if (!ctx) return null;
-
     // there is a context, but if policy is null then assess is intentionally
     // disabled (i.e., url exclusion or the request is not sampled).
-    if (!ctx.policy) {
-      return null;
-    }
-
+    if (!ctx?.policy || ctx?.policy.allowed) return null;
+    // event limits
     if (ctx.propagationEventsCount >= config.assess.max_propagation_events) return null;
 
     return ctx;
@@ -80,13 +71,13 @@ function factory(core) {
     if (instrumentation.isLocked()) return null;
 
     const ctx = sources.getStore()?.assess;
-    if (!ctx) return null;
-
-    if (!ctx.policy) {
-      return null;
-    }
+    if (!ctx?.policy || ctx.policy?.allowed) return null;
+    if (!ruleId) return ctx;
 
-    if (ruleId && !ctx.policy?.enabledRules?.has?.(ruleId) || ruleScopes.isLocked(ruleId)) return null;
+    if (
+      !ctx.policy?.isRuleEnabled?.(ruleId) ||
+      ruleScopes.isLocked(ruleId)
+    ) return null;
 
     return ctx;
   };
@@ -101,14 +92,12 @@ function factory(core) {
       // that the caller previously logged, we generate a stack trace to
       // capture that information.
       const err = new Error('No source context found');
-      core.logger.warn({ err }, 'assess running outside of request scope');
-      return null;
-    }
-
-    if (!ctx.policy) {
+      core.logger.debug({ err }, 'assess running outside of request scope');
       return null;
     }
 
+    if (!ctx.policy || ctx.policy.allowed) return null;
+    // event limits
     if (ctx.sourceEventsCount >= config.assess.max_context_source_events) return null;
 
     return ctx;

package/node_modules/@contrast/assess/lib/index.js

@@ -60,7 +60,7 @@ module.exports = function assess(core) {
 
   // ancillary tools used by different features
   require('./sampler')(core);
-  require('./get-policy')(core);
+  core.initComponentSync(require('./policy'));
   core.initComponentSync(require('./make-source-context'));
   require('./rule-scopes')(core);
   core.initComponentSync(require('./get-source-context'));

package/node_modules/@contrast/assess/lib/make-source-context.js

@@ -36,24 +36,19 @@ function factory(core) {
    * @returns {import('@contrast/assess').SourceContext}
    */
   return core.assess.makeSourceContext = function ({ store, incomingMessage: req }) {
-
     try {
       const ctx = store.assess = {
-        // default policy to `null` until it is set later below. this will cause
-        // all instrumentation to short-circuit, see `./get-source-context.js`.
         policy: null,
       };
-
+      // if assess is disabled or not selected for sampling, the policy will
+      // be null (assess disabled) for lifetime of connection, despite UI updates.
       if (!core.config.getEffectiveValue('assess.enable')) return ctx;
-
-      // check whether sampling allows processing
       ctx.sampleInfo = assess.sampler?.getSampleInfo(store.sourceInfo) ?? null;
       if (ctx.sampleInfo?.canSample === false) return ctx;
 
-      // set policy - can be returned as `null` if request is url-excluded.
-      ctx.policy = assess.getPolicy(store.sourceInfo);
-      if (!ctx.policy) return ctx;
-
+      // assess-enabled policy from current effective config, but
+      // policy is dynamic and will respond to settings updates
+      ctx.policy = assess.policy.getRequestPolicy(store.sourceInfo);
       ctx.propagationEventsCount = 0;
       ctx.sourceEventsCount = 0;
       ctx.responseData = {};