@contrast/agent-bundle 5.45.1 → 5.47.0

package/README.md

@@ -61,7 +61,7 @@ node --import @contrast/agent app-main [app arguments]
 
 Notes:
 - `--import` should be used for Node.js LTS (Active and Maintenance) versions `>=18.19.0`
-- Node.js versions `>=20.0.0 <20.6.0` are not supported
+- Node.js versions `>=20.0.0 <20.9.0` are not supported
 
 ### With end-of-life Node.js Versions
 

package/node_modules/@contrast/agent/README.md

@@ -61,7 +61,7 @@ node --import @contrast/agent app-main [app arguments]
 
 Notes:
 - `--import` should be used for Node.js LTS (Active and Maintenance) versions `>=18.19.0`
-- Node.js versions `>=20.0.0 <20.6.0` are not supported
+- Node.js versions `>=20.0.0 <20.9.0` are not supported
 
 ### With end-of-life Node.js Versions
 

package/node_modules/@contrast/agent/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "5.45.1",
+  "version": "5.47.0",
   "description": "Assess and Protect agents for Node.js",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -22,21 +22,21 @@
   "main": "./lib/index.js",
   "engines": {
     "npm": ">=6.13.7 <7 || >= 8.3.1",
-    "node": ">=18.7.0 <19 || >=20.6.0 <21 || >= 22.5.1 <23 || >= 24.0.1 <25"
+    "node": ">=18.7.0 <19 || >=20.9.0 <21 || >= 22.5.1 <23 || >= 24.0.1 <25"
   },
   "scripts": {
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/agentify": "1.57.0",
-    "@contrast/architecture-components": "1.45.1",
-    "@contrast/assess": "1.63.0",
-    "@contrast/common": "1.37.0",
-    "@contrast/core": "1.57.1",
-    "@contrast/library-analysis": "1.47.1",
-    "@contrast/protect": "1.68.0",
-    "@contrast/route-coverage": "1.49.1",
-    "@contrast/sec-obs": "1.1.1",
-    "@contrast/telemetry": "1.32.1"
+    "@contrast/agentify": "1.59.0",
+    "@contrast/architecture-components": "1.47.0",
+    "@contrast/assess": "1.65.0",
+    "@contrast/common": "1.38.0",
+    "@contrast/core": "1.59.0",
+    "@contrast/library-analysis": "1.49.0",
+    "@contrast/protect": "1.70.0",
+    "@contrast/route-coverage": "1.51.0",
+    "@contrast/sec-obs": "1.3.0",
+    "@contrast/telemetry": "1.34.0"
   }
 }

package/node_modules/@contrast/agentify/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agentify",
-  "version": "1.57.0",
+  "version": "1.59.0",
   "description": "Configures Contrast agent services and instrumentation within an application",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,22 +20,22 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.37.0",
-    "@contrast/config": "1.52.1",
-    "@contrast/core": "1.57.1",
-    "@contrast/deadzones": "1.29.1",
-    "@contrast/dep-hooks": "1.26.1",
-    "@contrast/esm-hooks": "2.32.0",
+    "@contrast/common": "1.38.0",
+    "@contrast/config": "1.54.0",
+    "@contrast/core": "1.59.0",
+    "@contrast/deadzones": "1.31.0",
+    "@contrast/dep-hooks": "1.28.0",
+    "@contrast/esm-hooks": "2.34.0",
     "@contrast/find-package-json": "^1.1.0",
-    "@contrast/instrumentation": "1.36.1",
-    "@contrast/logger": "1.30.1",
-    "@contrast/metrics": "1.34.1",
-    "@contrast/patcher": "1.29.1",
+    "@contrast/instrumentation": "1.38.0",
+    "@contrast/logger": "1.32.0",
+    "@contrast/metrics": "1.36.0",
+    "@contrast/patcher": "1.31.0",
     "@contrast/perf": "1.4.0",
-    "@contrast/reporter": "1.55.1",
-    "@contrast/rewriter": "1.34.0",
-    "@contrast/scopes": "1.27.1",
-    "@contrast/sources": "1.3.1",
+    "@contrast/reporter": "1.57.0",
+    "@contrast/rewriter": "1.36.0",
+    "@contrast/scopes": "1.29.0",
+    "@contrast/sources": "1.5.0",
     "on-finished": "^2.4.1",
     "semver": "^7.6.0"
   }

package/node_modules/@contrast/architecture-components/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/architecture-components",
-  "version": "1.45.1",
+  "version": "1.47.0",
   "description": "Detects external systems being connected to by applications.",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,9 +20,9 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.37.0",
-    "@contrast/dep-hooks": "1.26.1",
-    "@contrast/logger": "1.30.1",
-    "@contrast/patcher": "1.29.1"
+    "@contrast/common": "1.38.0",
+    "@contrast/dep-hooks": "1.28.0",
+    "@contrast/logger": "1.32.0",
+    "@contrast/patcher": "1.31.0"
   }
 }

package/node_modules/@contrast/assess/lib/{session-configuration → configuration-analysis}/common.js

@@ -15,5 +15,5 @@
 'use strict';
 
 module.exports = {
-  patchType: 'session-configuration'
+  patchType: 'configuration'
 };

package/node_modules/@contrast/assess/lib/{session-configuration → configuration-analysis}/handlers.js

@@ -17,15 +17,15 @@
 
 const {
   Event,
-  SessionConfigurationRule,
+  ConfigurationRule,
   isString,
 } = require('@contrast/common');
 
-const { HTTPONLY, SECURE_FLAG_MISSING } = SessionConfigurationRule;
+const { HTTPONLY, SECURE_FLAG_MISSING, GRAPHQL_INTROSPECTION } = ConfigurationRule;
 
 module.exports = function (core) {
   const {
-    assess: { sessionConfiguration },
+    assess: { configurationAnalysis },
     messages,
   } = core;
 
@@ -40,7 +40,7 @@ module.exports = function (core) {
   }
 
   /**
-   * @param {SessionConfigurationRule} ruleId
+   * @param {ConfigurationRule} ruleId
    * @param {import('@contrast/assess').SourceContext} sourceContext
    * @returns {import('@contrast/assess').SessionRuleState}
    */
@@ -67,7 +67,7 @@ module.exports = function (core) {
   function handle(ruleId, sourceContext, cookie, sessionEvent) {
     const state = ensureState(ruleId, sourceContext);
 
-    if (!sourceContext?.policy?.enabledRules?.has?.(ruleId) || state.reported) return;
+    if (sourceContext?.policy?.disabledRules?.has?.(ruleId) || state.reported) return;
 
     for (const value of ensureIterable(cookie)) {
       if (state.valuesAnalyzed.has(value)) continue;
@@ -76,7 +76,7 @@ module.exports = function (core) {
       if (!isVulnerable(ruleId, value)) continue;
 
       else {
-        sessionConfiguration.reportFindings({
+        configurationAnalysis.reportFindings({
           ruleId,
           sinkEvent: sessionEvent,
           properties: {
@@ -89,17 +89,30 @@ module.exports = function (core) {
     }
   }
 
-  sessionConfiguration.handleHttpOnly = function(sourceContext, cookie, sessionEvent) {
+  configurationAnalysis.handleHttpOnly = function(sourceContext, cookie, sessionEvent) {
     handle(HTTPONLY, sourceContext, cookie, sessionEvent);
   };
 
-  sessionConfiguration.handleSecure = function (sourceContext, cookie, sessionEvent) {
+  configurationAnalysis.handleSecure = function (sourceContext, cookie, sessionEvent) {
     handle(SECURE_FLAG_MISSING, sourceContext, cookie, sessionEvent);
   };
 
-  sessionConfiguration.reportFindings = function (finding) {
-    messages.emit(Event.ASSESS_SESSION_CONFIGURATION_FINDING, finding);
+  configurationAnalysis.handleGraphqlIntrospection = function (sourceContext, sessionEvent, value) {
+    const ruleId = GRAPHQL_INTROSPECTION;
+    const state = ensureState(ruleId, sourceContext);
+    if (sourceContext?.policy?.disabledRules?.has?.(ruleId) || state.reported) return;
+
+    configurationAnalysis.reportFindings({
+      ruleId,
+      sinkEvent: sessionEvent,
+      evidence: value
+    });
+    state.reported = true;
+  };
+
+  configurationAnalysis.reportFindings = function (finding) {
+    messages.emit(Event.ASSESS_CONFIGURATION_FINDING, finding);
   };
 
-  return sessionConfiguration;
+  return configurationAnalysis;
 };

package/node_modules/@contrast/assess/lib/{session-configuration → configuration-analysis}/index.js

@@ -18,17 +18,19 @@
 const { callChildComponentMethodsSync } = require('@contrast/common');
 
 module.exports = function(core) {
-  const sessionConfiguration = core.assess.sessionConfiguration = {};
+  const configurationAnalysis = core.assess.configurationAnalysis = {};
 
   require('./handlers')(core);
+  require('./install/apollo-server')(core);
+  require('./install/graphql-yoga')(core);
   require('./install/express-session')(core);
   require('./install/fastify-cookie')(core);
   require('./install/hapi')(core);
   require('./install/koa')(core);
 
-  sessionConfiguration.install = function() {
-    callChildComponentMethodsSync(sessionConfiguration, 'install');
+  configurationAnalysis.install = function() {
+    callChildComponentMethodsSync(configurationAnalysis, 'install');
   };
 
-  return sessionConfiguration;
+  return configurationAnalysis;
 };

package/node_modules/@contrast/assess/lib/configuration-analysis/install/apollo-server.js

@@ -0,0 +1,92 @@
+/*
+ * Copyright: 2025 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+
+const { patchType } = require('../common');
+
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  scopes: import('@contrast/scopes').Scopes,
+ * }} core
+ */
+module.exports = function (core) {
+  const {
+    assess: {
+      inspect, // TODO NODE-3455: remove
+      getSourceContext,
+      eventFactory: { createSessionEvent },
+      configurationAnalysis: {
+        handleGraphqlIntrospection
+      },
+    },
+    depHooks,
+    patcher,
+  } = core;
+
+  const apolloServer = core.assess.configurationAnalysis.apolloServer = {};
+
+  apolloServer.install = function () {
+    return depHooks.resolve({ name: '@apollo/server', version: '>=4', file: 'dist/cjs' }, (xport) => {
+      if (!xport.ApolloServer) return;
+      patcher.patch(xport, 'ApolloServer', {
+        name: '@apollo/server.ApolloServer',
+        patchType,
+        post(data) {
+          if (!data.args[0]?.introspection) return;
+
+          const options = { introspection: true };
+          const optionsString = inspect(options);
+          const sessionEvent = createSessionEvent({
+            args: [{
+              tracked: false,
+              value: optionsString,
+            }],
+            context: optionsString,
+            name: '@apollo/server',
+            moduleName: 'ApolloServer',
+            methodName: '',
+            object: {
+              tracked: false,
+              value: 'ApolloServer',
+            },
+            result: {
+              tracked: false,
+            },
+            source: 'P0',
+            stacktraceOpts: {
+              constructorOpt: data.hooked,
+            },
+            framework: 'graphql',
+          });
+
+          patcher.patch(data.result, 'executeHTTPGraphQLRequest', {
+            name: 'ApolloServer.executeHTTPGraphQLRequest',
+            patchType,
+            post(data) {
+              const sourceContext = getSourceContext();
+              if (!sourceContext) return;
+
+              handleGraphqlIntrospection(sourceContext, sessionEvent, optionsString);
+
+            }
+          });
+        }
+      });
+    });
+  };
+
+  return apolloServer;
+};

package/node_modules/@contrast/assess/lib/{session-configuration → configuration-analysis}/install/express-session.js

@@ -29,7 +29,7 @@ module.exports = function (core) {
       inspect, // TODO NODE-3455: remove
       getSourceContext,
       eventFactory: { createSessionEvent },
-      sessionConfiguration: {
+      configurationAnalysis: {
         handleHttpOnly,
         handleSecure,
       },
@@ -38,7 +38,7 @@ module.exports = function (core) {
     patcher,
   } = core;
 
-  const expressSession = core.assess.sessionConfiguration.expressSession = {};
+  const expressSession = core.assess.configurationAnalysis.expressSession = {};
 
   expressSession.install = function () {
     return depHooks.resolve({ name: 'express-session', version: '<2' }, (session) => {

package/node_modules/@contrast/assess/lib/{session-configuration → configuration-analysis}/install/fastify-cookie.js

@@ -29,7 +29,7 @@ module.exports = function (core) {
       inspect, // TODO NODE-3455: remove
       getSourceContext,
       eventFactory: { createSessionEvent },
-      sessionConfiguration: {
+      configurationAnalysis: {
         handleHttpOnly,
         handleSecure,
       },
@@ -38,7 +38,7 @@ module.exports = function (core) {
     patcher,
   } = core;
 
-  return core.assess.sessionConfiguration.fastifyCookie = {
+  return core.assess.configurationAnalysis.fastifyCookie = {
     install () {
       depHooks.resolve({ name: '@fastify/cookie', version: '<12' }, (_export) => {
         const patched = patcher.patch(_export, {

package/node_modules/@contrast/assess/lib/configuration-analysis/install/graphql-yoga.js

@@ -0,0 +1,90 @@
+/*
+ * Copyright: 2025 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+
+const { patchType } = require('../common');
+
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  scopes: import('@contrast/scopes').Scopes,
+ * }} core
+ */
+module.exports = function (core) {
+  const {
+    assess: {
+      inspect, // TODO NODE-3455: remove
+      getSourceContext,
+      eventFactory: { createSessionEvent },
+      configurationAnalysis: {
+        handleGraphqlIntrospection
+      },
+    },
+    depHooks,
+    patcher,
+  } = core;
+
+  const graphqlYoga = core.assess.configurationAnalysis.graphqlYoga = {};
+
+  graphqlYoga.install = function () {
+    return depHooks.resolve({ name: '@graphql-yoga/plugin-disable-introspection', version: '*', file: 'cjs' }, (xport) => patcher.patch(xport, 'useDisableIntrospection', {
+      name: '@graphql-yoga/plugin-disable-introspection.useDisableIntrospection',
+      patchType,
+      post(data) {
+        const options = data.args[0];
+        const optionsString = inspect(options);
+        patcher.patch(data.result, 'onValidate', {
+          name: 'onValidate',
+          patchType,
+          pre(data) {
+            patcher.patch(data.args[0], 'addValidationRule', {
+              name: 'addValidationRule',
+              patchType,
+              post(data) {
+                const sourceContext = getSourceContext();
+                if (!sourceContext) return;
+                const sessionEvent = createSessionEvent({
+                  args: [{
+                    tracked: false,
+                    value: optionsString,
+                  }],
+                  context: optionsString,
+                  name: '@graphql-yoga',
+                  moduleName: 'plugin-disable-introspection',
+                  methodName: 'addValidationRule',
+                  object: {
+                    tracked: false,
+                    value: 'plugin-disable-introspection',
+                  },
+                  result: {
+                    tracked: false,
+                  },
+                  source: 'P0',
+                  stacktraceOpts: {
+                    constructorOpt: data.hooked,
+                  },
+                  framework: 'graphql',
+                });
+                handleGraphqlIntrospection(sourceContext, sessionEvent, optionsString);
+              }
+            });
+          }
+        });
+      }
+    }));
+  };
+
+  return graphqlYoga;
+};

package/node_modules/@contrast/assess/lib/{session-configuration → configuration-analysis}/install/hapi.js

@@ -21,7 +21,7 @@ module.exports = function (core) {
     assess: {
       inspect, // TODO NODE-3455: remove
       eventFactory: { createSessionEvent },
-      sessionConfiguration: {
+      configurationAnalysis: {
         handleHttpOnly,
         handleSecure,
       },
@@ -31,7 +31,7 @@ module.exports = function (core) {
     scopes: { sources },
   } = core;
 
-  const hapiSession = core.assess.sessionConfiguration.hapiSession = {};
+  const hapiSession = core.assess.configurationAnalysis.hapiSession = {};
 
   hapiSession.install = function () {
     return depHooks.resolve({ name: '@hapi/hapi', version: '>=18 <22' }, (hapi) => {

package/node_modules/@contrast/assess/lib/{session-configuration → configuration-analysis}/install/koa.js

@@ -28,7 +28,7 @@ module.exports = function (core) {
       inspect, // TODO NODE-3455: remove
       getSourceContext,
       eventFactory: { createSessionEvent },
-      sessionConfiguration: {
+      configurationAnalysis: {
         handleHttpOnly,
         handleSecure,
       },
@@ -37,9 +37,9 @@ module.exports = function (core) {
     patcher,
   } = core;
 
-  return core.assess.sessionConfiguration.koa = {
+  return core.assess.configurationAnalysis.koa = {
     install () {
-      depHooks.resolve({ name: 'koa', version: '>=2.3.0 <3' }, (Koa) => {
+      depHooks.resolve({ name: 'koa', version: '>=2.3.0 <4' }, (Koa) => {
         patcher.patch(Koa.prototype, 'use', {
           name: 'Koa.Application',
           patchType,

package/node_modules/@contrast/assess/lib/dataflow/propagation/install/string/substring.js

@@ -89,7 +89,7 @@ module.exports = function(core) {
             const event = createPropagationEvent({
               name,
               moduleName: 'String',
-              methodName: 'prototype.substring',
+              methodName: `prototype.${method}`,
               get context() {
                 return `'${objInfo.value}'.substring(${ArrayPrototypeJoin.call(args.map(a => a.value))})`;
               },

package/node_modules/@contrast/assess/lib/dataflow/sources/handler.js

@@ -45,24 +45,19 @@ module.exports = Core.makeComponent({
     const logger = core.logger.child({ name: 'contrast:sources' });
 
     sources.createTags = function createTags({ inputType, fieldName = '', value, tagNames }) {
-      if (!value?.length) {
-        return null;
-      }
+      if (!value?.length) return null;
 
       const stop = value.length - 1;
-      const tags = {
-        [DataflowTag.UNTRUSTED]: [0, stop]
-      };
+      const tags = { [DataflowTag.UNTRUSTED]: [0, stop] };
 
-      if (tagNames) {
-        for (const tag of tagNames) {
+      if (tagNames)
+        for (const tag of tagNames)
           tags[tag] = [0, stop];
-        }
-      }
 
-      if (inputType === InputType.HEADER && StringPrototypeToLowerCase.call(fieldName) === 'referer') {
-        tags[DataflowTag.HEADER] = [0, stop];
-      }
+      if (
+        inputType === InputType.HEADER &&
+        StringPrototypeToLowerCase.call(fieldName) === 'referer'
+      ) tags[DataflowTag.HEADER] = [0, stop];
 
       return tags;
     };
@@ -81,6 +76,7 @@ module.exports = Core.makeComponent({
       stacktraceOpts,
       data,
       sourceContext,
+      onEvent,
     }) {
       if (!data) return;
 
@@ -89,14 +85,7 @@ module.exports = Core.makeComponent({
         return null;
       }
 
-      // url exclusion
-      if (!sourceContext.policy) {
-        return null;
-      }
-
-      if (!context) {
-        context = inputType;
-      }
+      if (!context) context = inputType;
 
       const { policy: requestPolicy } = sourceContext;
       const max = config.assess.max_context_source_events;
@@ -111,10 +100,13 @@ module.exports = Core.makeComponent({
       }
 
       function createEvent({ fieldName, pathName, value, excludedRules }) {
-        const tagNames = Array.from(excludedRules).map((ruleId) => `excluded:${ruleId}`);
+        let tagNames;
+        if (excludedRules) {
+          tagNames = Array.from(excludedRules).map((ruleId) => `excluded:${ruleId}`);
+        }
         // create the stacktrace once per call to .handle()
         stack || (stack = sources.createStacktrace(stacktraceOpts));
-        return eventFactory.createSourceEvent({
+        const eventData = {
           context: `${context}.${pathName}`,
           name,
           fieldName,
@@ -123,11 +115,19 @@ module.exports = Core.makeComponent({
           inputType,
           tags: sources.createTags({ inputType, fieldName, value, tagNames }),
           result: { tracked: true, value },
-        });
+        };
+
+        const event = eventFactory.createSourceEvent(eventData);;
+        if (event && onEvent) onEvent(event, fieldName, pathName);
+
+        return event;
       }
 
       if (Buffer.isBuffer(data) && !tracker.getData(data)) {
-        const { track, excludedRules } = requestPolicy.getInputPolicy(InputType.BODY);
+        const inputPolicy = requestPolicy.getInputPolicy(InputType.BODY);
+        const track = !!inputPolicy;
+        const excludedRules = inputPolicy?.constructor?.name == 'Set' ? inputPolicy : undefined;
+
         if (!track) {
           core.logger.debug({ inputType }, 'assess input exclusion disabled tracking');
           return;
@@ -135,6 +135,7 @@ module.exports = Core.makeComponent({
 
         const event = createEvent({ pathName: 'body', value: data, fieldName: '', excludedRules });
         if (event) {
+          if (onEvent) onEvent(event);
           tracker.track(data, event);
         }
 
@@ -149,7 +150,10 @@ module.exports = Core.makeComponent({
           return true;
         }
 
-        const { track, excludedRules } = sourceContext.policy.getInputPolicy(inputType, fieldName);
+        const inputPolicy = sourceContext.policy.getInputPolicy(inputType, fieldName);
+        const track = !!inputPolicy;
+        const excludedRules = inputPolicy?.constructor?.name == 'Set' ? inputPolicy : undefined;
+
         if (!track) {
           core.logger.debug({ fieldName, inputType }, 'assess input exclusion disabling tracking');
           return;

package/node_modules/@contrast/assess/lib/dataflow/sources/index.js

@@ -29,12 +29,14 @@ module.exports = function (core) {
   require('./install/body-parser')(core);
   require('./install/busboy')(core);
   require('./install/cookie-parser1')(core);
+  core.initComponentSync(require('./install/fastify-websocket'));
   require('./install/formidable1')(core);
   require('./install/graphql-http')(core);
   require('./install/http')(core);
   require('./install/qs6')(core);
   require('./install/querystring')(core);
   require('./install/multer1')(core);
+  core.initComponentSync(require('./install/socket.io'));
 
   sources.install = function install() {
     callChildComponentMethodsSync(sources, 'install');