@contrast/agent-bundle 5.42.0 → 5.46.0

package/node_modules/@contrast/assess/lib/policy.js

@@ -0,0 +1,400 @@
+/*
+ * Copyright: 2025 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const {
+  Event,
+  ExclusionType,
+  InputType,
+  Rule,
+  ResponseScanningRule,
+  SessionConfigurationRule,
+  set,
+  primordials: { ArrayPrototypeJoin, RegExpPrototypeTest }
+} = require('@contrast/common');
+const { Core } = require('@contrast/core/lib/ioc/core');
+
+const ASSESS_RULES = Object.values({
+  ...Rule,
+  ...ResponseScanningRule,
+  ...SessionConfigurationRule,
+});
+const BROAD_INPUT_EXCLUSION_TYPES = [
+  ExclusionType.BODY,
+  ExclusionType.QUERYSTRING
+];
+const NAMED_INPUT_EXCLUSION_TYPES = [
+  ExclusionType.COOKIE,
+  ExclusionType.HEADER,
+  ExclusionType.PARAMETER
+];
+const BODY_TYPES = [
+  InputType.BODY,
+  InputType.JSON_VALUE,
+  InputType.JSON_ARRAYED_VALUE,
+  InputType.MULTIPART_CONTENT_TYPE,
+  InputType.MULTIPART_FIELD_NAME,
+  InputType.MULTIPART_NAME,
+  InputType.MULTIPART_VALUE,
+];
+const COMPONENT_NAME = 'assess.policy';
+
+class AssessPolicy {
+  /**
+   * @param {{
+   *  config: import('@contrast/config').Config,
+   *  logger: import('@contrast/logger').Logger,
+   *  messages: import('@contrast/common').Messages,
+   * }} core
+   */
+  constructor(core) {
+    Object.defineProperty(this, 'core', { value: core });
+
+    this.version = Date.now();
+    this.disabledRules = new Set(core.config.getEffectiveValue('assess.rules.disabled_rules'));
+    this.exclusionMap = new Map([
+      [ExclusionType.BODY, []],
+      [ExclusionType.COOKIE, []],
+      [ExclusionType.HEADER, []],
+      [ExclusionType.PARAMETER, []],
+      [ExclusionType.QUERYSTRING, []],
+      [ExclusionType.URL, []],
+    ]);
+
+    core.messages.on(Event.SERVER_SETTINGS_UPDATE, (msg) => {
+      if (!msg.assess && !msg.exclusions) return;
+
+      this.version = Date.now();
+
+      if (msg.assess) {
+        const enabledRules = new Set();
+        this.disabledRules = new Set(core.config.getEffectiveValue('assess.rules.disabled_rules'));
+
+        for (const ruleId of ASSESS_RULES) {
+          const enable = msg.assess[ruleId]?.enable;
+          if (enable === false) {
+            this.disabledRules.add(ruleId);
+            // map to "sub-rules"
+            if (ruleId === Rule.NOSQL_INJECTION) this.disabledRules.add(Rule.NOSQL_INJECTION_MONGO);
+          } else if (enable === true) {
+            enabledRules.add(ruleId);
+            if (ruleId === Rule.NOSQL_INJECTION) enabledRules.add(Rule.NOSQL_INJECTION_MONGO);
+          }
+        }
+        this.core.logger.info({
+          enabledRules,
+          disabledRules: Array.from(this.disabledRules)
+        }, 'Assess policy rules updated');
+      }
+
+      if (msg.exclusions) {
+        for (const arr of this.exclusionMap.values()) arr.length = 0;
+
+        const rawDtmList = [
+          ...(msg?.exclusions?.input || []),
+          ...(msg?.exclusions?.url || []),
+        ].filter((exclusion) => exclusion?.modes?.includes?.('assess'));
+
+        // reset global exclusion state
+        for (const type of Object.values(ExclusionType)) {
+          this.exclusionMap.get(type).length = 0;
+        }
+
+        if (!rawDtmList.length) return;
+
+        for (const dtm of rawDtmList) {
+          // normalize different dtm types
+          dtm.type = dtm.type || 'URL';
+          const { type } = dtm;
+          const key = ExclusionType[type];
+          // defensive code against unanticipated DTM values
+          if (key) {
+            const Ctor = dtm.type === ExclusionType.URL ? UrlExclusion : InputExclusion;
+            this.exclusionMap.get(dtm.type).push(new Ctor(dtm));
+          }
+        }
+
+        this.core.logger.info({
+          exclusions: Object.fromEntries(this.exclusionMap)
+        }, 'Assess exclusions updated (%s total)', rawDtmList.length);
+      }
+    });
+  }
+
+  getRequestPolicy(sourceInfo) {
+    return new RequestPolicy(this.core, sourceInfo);
+  }
+}
+
+class RequestPolicy {
+  /**
+   * @param {{
+   *  config: import('@contrast/config').Config,
+   *  logger: import('@contrast/logger').Logger,
+   *  messages: import('@contrast/common').Messages,
+   * }} core
+   * @param {import('@contrast/common').SourceInfo} sourceInfo
+   */
+  constructor(core, sourceInfo) {
+    Object.defineProperty(this, 'core', { value: core });
+    this.sourceInfo = sourceInfo;
+    this.init();
+  }
+
+  /**
+   * Used to (re)initialize the instance's exclusions, reading from current assess global policy.
+   */
+  init() {
+    const { core, sourceInfo } = this;
+    this.allowed = false;
+    this.version = core.assess.policy.version;
+    this.exclusions = {};
+
+    if (!core.config.getEffectiveValue('assess.enable')) {
+      this.allowed = true;
+      return;
+    }
+
+    // Evaluate URL exclusions.
+    // If one matches and applies to all rules, we set `allowed: true` which will
+    // disable assess for the request (via getSourceContext()). If specific rules are
+    // disabled, we remove them from the request policy's set of enabled rules.
+    for (const urlExclusion of this.core.assess.policy.exclusionMap.get(ExclusionType.URL)) {
+      if (urlExclusion.matchesUriPath(sourceInfo.uriPath)) {
+        if (!urlExclusion.rules?.size) {
+          core.logger.debug({
+            name: urlExclusion.name
+          }, 'All Assess rules have been disabled by URL exclusion');
+          this.allowed = true;
+          // no need to further process exclusions - request will be ignored
+          return;
+        } else {
+          // build as needed
+          if (!this.exclusions.disabledRules) this.exclusions.disabledRules = new Set();
+
+          for (const ruleId of urlExclusion.rules) {
+            this.exclusions.disabledRules.add(ruleId);
+          }
+          core.logger.debug({
+            name: urlExclusion.name,
+            rules: Array.from(urlExclusion.rules),
+          }, 'Assess rules disabled by URL exclusion');
+        }
+      }
+    }
+
+    // Process input exclusions that apply broadly: BODY, QUERYSTRING
+    for (const type of BROAD_INPUT_EXCLUSION_TYPES) {
+      for (const exclusion of core.assess.policy.exclusionMap.get(type)) {
+        if (exclusion.matchesUriPath(sourceInfo.uriPath)) {
+          // build as needed
+          if (!this.exclusions[type]) this.exclusions[type] = { track: true, excludedRules: new Set() };
+          const inputPolicy = this.exclusions[type];
+
+          if (exclusion.rules.size) {
+            for (const ruleId of exclusion.rules) {
+              inputPolicy.excludedRules.add(ruleId);
+            }
+          } else {
+            inputPolicy.track = false;
+            inputPolicy.excludedRules.clear();
+            break;
+          }
+        }
+      }
+    }
+
+    for (const type of NAMED_INPUT_EXCLUSION_TYPES) {
+      for (const exclusion of core.assess.policy.exclusionMap.get(type)) {
+        if (exclusion.matchesUriPath(sourceInfo.uriPath)) {
+          if (!this.exclusions[type]) this.exclusions[type] = [];
+          this.exclusions[type].push(exclusion);
+        }
+      }
+    }
+  }
+
+  /**
+   * Given input type and optional field name will give instructions on how
+   * to track based on global policy and various exclusions that may apply.
+   * @param {} inputType
+   * @param {} fieldName
+   * @returns {boolean|Set<string>} false - do not track
+   *                                true - track
+   *                                Set - track but add tags to exclude these rules
+   */
+  getInputPolicy(inputType, fieldName) {
+    if (this.version < this.core.assess.policy.version) this.init();
+    if (this.allowed) return false; // don't track - request ignored
+
+    let inputRuleExclusions;
+    let excludedRuleIds;
+
+    if (inputType === InputType.HEADER) {
+      inputRuleExclusions = this.exclusions[ExclusionType.HEADER];
+    } else if (inputType === InputType.QUERYSTRING) {
+      if (this.exclusions[ExclusionType.QUERYSTRING]?.track === false) {
+        return false;
+      } else {
+        if (this.exclusions[ExclusionType.QUERYSTRING]?.excludedRules)
+          excludedRuleIds = new Set(this.exclusions[ExclusionType.QUERYSTRING]?.excludedRules);
+        inputRuleExclusions = this.exclusions[ExclusionType.PARAMETER];
+      }
+    } else if (inputType === InputType.URL_PARAMETER) {
+      inputRuleExclusions = this.exclusions[ExclusionType.PARAMETER];
+    } else if ([
+      InputType.COOKIE_NAME,
+      InputType.COOKIE_VALUE
+    ].includes(inputType)) {
+      inputRuleExclusions = this.exclusions[ExclusionType.COOKIE];
+    } else if (BODY_TYPES.includes(inputType)) {
+      if (this.exclusions[ExclusionType.BODY]?.track === false) {
+        return false;
+      } else {
+        inputRuleExclusions = this.exclusions[ExclusionType.PARAMETER];
+      }
+    }
+
+    if (inputRuleExclusions) {
+      for (const exclusion of inputRuleExclusions) {
+        if (exclusion.matchesInputName(fieldName)) {
+          // disables some rules
+          if (exclusion.rules.size) {
+            for (const ruleId of exclusion.rules) {
+              if (!excludedRuleIds) excludedRuleIds = new Set();
+              excludedRuleIds.add(ruleId);
+            }
+          } else {
+            return false; // don't track - all rules disabled
+          }
+        }
+      }
+    }
+
+    if (this.exclusions.disabledRules || excludedRuleIds) {
+      // only URL Exclusions disabled these rules
+      if (!excludedRuleIds) return this.exclusions.disabledRules;
+      // only Input Exclusion disabled these
+      if (!this.exclusions.disabledRules) return excludedRuleIds;
+      // merge since URL Exclusions and Input Exclusions have disabled rules
+      return new Set([...this.exclusions.disabledRules, ...excludedRuleIds]);
+    }
+
+    return true;
+  }
+
+  isRuleEnabled(ruleId) {
+    if (this.version < this.core.assess.policy.version) this.init();
+
+    if (this.allowed) return false;
+
+    return (
+      !this.exclusions.disabledRules?.has?.(ruleId) &&
+      !this.core.assess.policy.disabledRules?.has?.(ruleId)
+    );
+  }
+}
+
+/**
+ * @typedef InputPolicy
+ * @property {boolean} track
+ * @property {Set<Rule>} excludedRules
+ */
+
+class UrlExclusion {
+  constructor(dtm) {
+    this._urlRegex = null;
+    this._urls = new Set();
+    this.name = dtm.name;
+    this.type = ExclusionType[dtm.type];
+    this.rules = new Set(dtm.assess_rules);
+
+    if (dtm.urls.length) {
+      const regexSegments = [];
+      for (const url of dtm.urls) {
+        if (shouldBeRegExp(url)) {
+          regexSegments.push(url);
+        } else {
+          this._urls.add(url);
+        }
+      }
+      if (regexSegments.length) {
+        this._urlRegex = new RegExp(`^${ArrayPrototypeJoin.call(regexSegments, '|')}$`);
+      }
+    }
+  }
+
+  /**
+   * Checks whether the current URI path matches any of the exclusion's URL values.
+   * Exclusions that don't match for the current request will not be enabled. The
+   * interpretation of the DTM is that if its urls list is empty, then that means
+   * it should match all requestss (can be the case for input exclusions).
+   * @param {string} uriPath uri to check
+   * @returns {boolean}
+   */
+  matchesUriPath(uriPath) {
+    return (!this._urlRegex && !this._urls.size) ||
+      this._urls.has(uriPath) ||
+      !!this._urlRegex?.test?.(uriPath);
+  }
+}
+
+class InputExclusion extends UrlExclusion {
+  constructor(dtm) {
+    super(dtm);
+    this._inputNameRegex = null;
+    this._inputName = null;
+
+    // dtm.name value is null for BODY and QUERYSTRING types
+    if (dtm.name) {
+      if (shouldBeRegExp(dtm.name)) {
+        this._inputNameRegex = new RegExp(`^${dtm.name}$`);
+      } else {
+        this._inputName = dtm.name;
+      }
+    }
+  }
+
+  /**
+   * Checks if the provided name matches the value from the exclusion dtm.
+   * @param {string} name field name being evaluated
+   * @returns {boolean}
+   */
+  matchesInputName(name) {
+    // BODY and QUERYSTRING always match since they apply broadly
+    if (!this._inputName && !this._inputNameRegex) return true;
+    return this._inputNameRegex ? RegExpPrototypeTest.call(this._inputNameRegex, name) : this._inputName === name;
+  }
+}
+
+function shouldBeRegExp(str) {
+  return str.indexOf('*') > 0 ||
+    str.indexOf('.') > 0 ||
+    str.indexOf('+') > 0 ||
+    str.indexOf('?') > 0 ||
+    str.indexOf('\\') > 0;
+}
+
+module.exports = Core.makeComponent({
+  name: COMPONENT_NAME,
+  factory(core) {
+    const policy = new AssessPolicy(core);
+    set(core, COMPONENT_NAME, policy);
+    return policy;
+  },
+});
+module.exports.AssessPolicy = AssessPolicy;
+module.exports.RequestPolicy = RequestPolicy;

package/node_modules/@contrast/assess/lib/response-scanning/handlers/index.js

@@ -60,7 +60,7 @@ module.exports = function(core) {
 
   responseScanning.handleAutoCompleteMissing = function(sourceContext, resHeaders, resBody) {
     if (
-      !isEnabled(AUTOCOMPLETE_MISSING, sourceContext) ||
+      !sourceContext.policy?.isRuleEnabled(AUTOCOMPLETE_MISSING) ||
       !isHtmlContent(resHeaders)
     ) {
       return;
@@ -91,7 +91,7 @@ module.exports = function(core) {
 
     // de-dupe; this will be re-emitted for parseableBody handlers anyway
     if (
-      !isEnabled(CACHE_CONTROLS_MISSING, sourceContext) ||
+      !sourceContext.policy?.isRuleEnabled(CACHE_CONTROLS_MISSING) ||
       (isParseableResponse(resHeaders) && !resBody)
     ) {
       return;
@@ -139,7 +139,7 @@ module.exports = function(core) {
   };
 
   responseScanning.handleClickJackingControlsMissing = function(sourceContext, resHeaders) {
-    if (!isEnabled(CLICKJACKING_CONTROL_MISSING, sourceContext)) return;
+    if (!sourceContext.policy?.isRuleEnabled(CLICKJACKING_CONTROL_MISSING)) return;
 
     // look for x-frame-options headers with deny or sameorigin
     const xFrameHeaders = resHeaders['x-frame-options'];
@@ -158,7 +158,7 @@ module.exports = function(core) {
   };
 
   responseScanning.handleParameterPollution = function(sourceContext, resBody) {
-    if (!isEnabled(PARAMETER_POLLUTION, sourceContext)) return;
+    if (!sourceContext.policy?.isRuleEnabled(PARAMETER_POLLUTION)) return;
 
     // look for form tag with missing action attribute.
     // ex: <form method="post">..
@@ -189,12 +189,12 @@ module.exports = function(core) {
     const cspHeaders = getCspHeaders(resHeaders);
 
     // Don't report if not set; this report belongs to 'csp-header-missing'
-    if (!cspHeaders && isEnabled(CSP_HEADER_MISSING, sourceContext)) {
+    if (!cspHeaders && sourceContext.policy?.isRuleEnabled(CSP_HEADER_MISSING)) {
       reportFindings(sourceContext, { ruleId: ResponseScanningRule.CSP_HEADER_MISSING });
       return;
     }
 
-    if (!isEnabled(CSP_HEADER_INSECURE, sourceContext)) return;
+    if (!sourceContext.policy?.isRuleEnabled(CSP_HEADER_INSECURE)) return;
 
     const vulnerabilityMetadata = checkCspSources(cspHeaders);
 
@@ -209,7 +209,7 @@ module.exports = function(core) {
   };
 
   responseScanning.handleHstsHeaderMissing = function(sourceContext, resHeaders) {
-    if (!isEnabled(HSTS_HEADER_MISSING, sourceContext)) return;
+    if (!sourceContext?.policy?.isRuleEnabled(HSTS_HEADER_MISSING)) return;
 
     let header = resHeaders['strict-transport-security'];
     let maxAge;
@@ -241,7 +241,7 @@ module.exports = function(core) {
   };
 
   responseScanning.handleXContentTypeHeaderMissing = function(sourceContext, resHeaders) {
-    if (!isEnabled(XCONTENTTYPE_HEADER_MISSING, sourceContext)) return;
+    if (!sourceContext.policy?.isRuleEnabled(XCONTENTTYPE_HEADER_MISSING)) return;
 
     const headerName = 'x-content-type-options';
     let header = resHeaders[headerName];
@@ -262,7 +262,7 @@ module.exports = function(core) {
   };
 
   responseScanning.handleXPoweredByHeader = function(sourceContext, resHeaders) {
-    if (!isEnabled(X_POWERED_BY_HEADER, sourceContext)) return;
+    if (!sourceContext.policy?.isRuleEnabled(X_POWERED_BY_HEADER)) return;
 
     const headerName = 'x-powered-by';
     let header = resHeaders[headerName];
@@ -280,7 +280,7 @@ module.exports = function(core) {
   };
 
   responseScanning.handleXxsProtectionHeaderDisabled = function(sourceContext, responseHeaders) {
-    if (!isEnabled(XXSPROTECTION_HEADER_DISABLED, sourceContext)) return;
+    if (!sourceContext?.policy?.isRuleEnabled(XXSPROTECTION_HEADER_DISABLED)) return;
 
     const header = responseHeaders['x-xss-protection'];
 
@@ -294,9 +294,5 @@ module.exports = function(core) {
     }
   };
 
-  function isEnabled(ruleId, sourceContext) {
-    return !!sourceContext?.policy?.enabledRules?.has?.(ruleId);
-  }
-
   return responseScanning;
 };

package/node_modules/@contrast/assess/lib/response-scanning/install/http.js

@@ -146,18 +146,6 @@ module.exports = function(core) {
         });
       }
     });
-
-    depHooks.resolve({ name: 'spdy', version: '<5', file: 'lib/spdy/response.js' }, (response) => {
-      patcher.patch(response, 'end', {
-        name: 'spdy.response.end',
-        patchType: 'test',
-        post(data) {
-          const sourceContext = getSourceContext();
-          if (!sourceContext) return;
-          endHookChecks(sourceContext, data.obj.getHeaders?.(), StringPrototypeToLowerCase.call(data.args[0] || ''));
-        }
-      });
-    });
   };
 
   return http;

package/node_modules/@contrast/assess/lib/session-configuration/handlers.js

@@ -67,7 +67,7 @@ module.exports = function (core) {
   function handle(ruleId, sourceContext, cookie, sessionEvent) {
     const state = ensureState(ruleId, sourceContext);
 
-    if (!sourceContext?.policy?.enabledRules?.has?.(ruleId) || state.reported) return;
+    if (sourceContext?.policy?.disabledRules?.has?.(ruleId) || state.reported) return;
 
     for (const value of ensureIterable(cookie)) {
       if (state.valuesAnalyzed.has(value)) continue;

package/node_modules/@contrast/assess/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.60.0",
+  "version": "1.64.0",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -14,24 +14,24 @@
   "types": "lib/index.d.ts",
   "engines": {
     "npm": ">=6.13.7 <7 || >= 8.3.1",
-    "node": ">= 16.9.1"
+    "node": ">= 18.7.0"
   },
   "scripts": {
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.35.0",
-    "@contrast/config": "1.50.0",
-    "@contrast/core": "1.55.0",
-    "@contrast/dep-hooks": "1.24.0",
-    "@contrast/distringuish": "^5.1.0",
-    "@contrast/instrumentation": "1.34.0",
-    "@contrast/logger": "1.28.0",
-    "@contrast/patcher": "1.27.0",
-    "@contrast/rewriter": "1.31.0",
-    "@contrast/route-coverage": "1.47.0",
-    "@contrast/scopes": "1.25.0",
-    "@contrast/sources": "1.1.0",
+    "@contrast/common": "1.37.0",
+    "@contrast/config": "1.53.0",
+    "@contrast/core": "1.58.0",
+    "@contrast/dep-hooks": "1.27.0",
+    "@contrast/distringuish": "^6.0.2",
+    "@contrast/instrumentation": "1.37.0",
+    "@contrast/logger": "1.31.0",
+    "@contrast/patcher": "1.30.0",
+    "@contrast/rewriter": "1.35.0",
+    "@contrast/route-coverage": "1.50.0",
+    "@contrast/scopes": "1.28.0",
+    "@contrast/sources": "1.4.0",
     "semver": "^7.6.0"
   }
 }

package/node_modules/@contrast/code-events/binding.gyp

@@ -31,7 +31,7 @@
           "OTHER_CFLAGS": [
             "-arch x86_64",
             "-arch arm64",
-            "-std=c++17",
+            "-std=c++20",
             "-stdlib=libc++",
             "-Wall"
           ],

package/node_modules/@contrast/code-events/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/code-events",
-  "version": "3.1.0",
+  "version": "4.0.2",
   "description": "Listen for v8 CodeEvents and make them available to JavaScript",
   "main": "index.js",
   "types": "index.d.ts",
@@ -22,7 +22,7 @@
     "install": "node-gyp-build",
     "prepare": "husky install",
     "prebuild": "npm run clean",
-    "build": "prebuildify -t 16.9.1 -t 18.7.0 -t 20.6.0 -t 22.2.0 --strip --napi false",
+    "build": "prebuildify -t 18.7.0 -t 20.6.0 -t 22.2.0 -t 24.0.1 --strip --napi false",
     "build:darwin": "npm run build -- --arch x64+arm64",
     "build:win32": "npm run build",
     "clean": "rimraf build/ coverage/ prebuilds/",
@@ -32,10 +32,16 @@
   },
   "keywords": [],
   "engines": {
-    "node": ">=16.9.1"
+    "node": ">=18.7.0"
   },
   "dependencies": {
-    "node-gyp-build": "^4.8.1"
+    "nan": "^2.23.0",
+    "node-abi": "^4.12.0",
+    "node-addon-api": "^8.5.0",
+    "node-gyp-build": "^4.8.4"
+  },
+  "overrides": {
+    "node-abi": "^4.12.0"
   },
   "devDependencies": {
     "@contrast/eslint-config": "^3.2.0",
@@ -43,14 +49,10 @@
     "@octokit/rest": "^20.0.1",
     "c8": "^8.0.1",
     "chai": "^4.3.7",
-    "fast-xml-parser": "^4.3.3",
     "husky": "^8.0.3",
     "lint-staged": "^13.2.3",
     "mocha": "^10.2.0",
-    "nan": "^2.19.0",
-    "node-abi": "^3.65.0",
-    "node-addon-api": "^7.1.0",
-    "node-gyp": "10.1.0",
+    "node-gyp": "^11.2.0",
     "prebuildify": "^6.0.1",
     "rimraf": "^5.0.1",
     "semver": "^7.5.4",