@contrast/agent-bundle 5.45.1 → 5.47.0

package/node_modules/@contrast/assess/lib/policy.js

@@ -0,0 +1,400 @@
+/*
+ * Copyright: 2025 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const {
+  Event,
+  ExclusionType,
+  InputType,
+  Rule,
+  ResponseScanningRule,
+  ConfigurationRule,
+  set,
+  primordials: { ArrayPrototypeJoin, RegExpPrototypeTest }
+} = require('@contrast/common');
+const { Core } = require('@contrast/core/lib/ioc/core');
+
+const ASSESS_RULES = Object.values({
+  ...Rule,
+  ...ResponseScanningRule,
+  ...ConfigurationRule,
+});
+const BROAD_INPUT_EXCLUSION_TYPES = [
+  ExclusionType.BODY,
+  ExclusionType.QUERYSTRING
+];
+const NAMED_INPUT_EXCLUSION_TYPES = [
+  ExclusionType.COOKIE,
+  ExclusionType.HEADER,
+  ExclusionType.PARAMETER
+];
+const BODY_TYPES = [
+  InputType.BODY,
+  InputType.JSON_VALUE,
+  InputType.JSON_ARRAYED_VALUE,
+  InputType.MULTIPART_CONTENT_TYPE,
+  InputType.MULTIPART_FIELD_NAME,
+  InputType.MULTIPART_NAME,
+  InputType.MULTIPART_VALUE,
+];
+const COMPONENT_NAME = 'assess.policy';
+
+class AssessPolicy {
+  /**
+   * @param {{
+   *  config: import('@contrast/config').Config,
+   *  logger: import('@contrast/logger').Logger,
+   *  messages: import('@contrast/common').Messages,
+   * }} core
+   */
+  constructor(core) {
+    Object.defineProperty(this, 'core', { value: core });
+
+    this.version = Date.now();
+    this.disabledRules = new Set(core.config.getEffectiveValue('assess.rules.disabled_rules'));
+    this.exclusionMap = new Map([
+      [ExclusionType.BODY, []],
+      [ExclusionType.COOKIE, []],
+      [ExclusionType.HEADER, []],
+      [ExclusionType.PARAMETER, []],
+      [ExclusionType.QUERYSTRING, []],
+      [ExclusionType.URL, []],
+    ]);
+
+    core.messages.on(Event.SERVER_SETTINGS_UPDATE, (msg) => {
+      if (!msg.assess && !msg.exclusions) return;
+
+      this.version = Date.now();
+
+      if (msg.assess) {
+        const enabledRules = new Set();
+        this.disabledRules = new Set(core.config.getEffectiveValue('assess.rules.disabled_rules'));
+
+        for (const ruleId of ASSESS_RULES) {
+          const enable = msg.assess[ruleId]?.enable;
+          if (enable === false) {
+            this.disabledRules.add(ruleId);
+            // map to "sub-rules"
+            if (ruleId === Rule.NOSQL_INJECTION) this.disabledRules.add(Rule.NOSQL_INJECTION_MONGO);
+          } else if (enable === true) {
+            enabledRules.add(ruleId);
+            if (ruleId === Rule.NOSQL_INJECTION) enabledRules.add(Rule.NOSQL_INJECTION_MONGO);
+          }
+        }
+        this.core.logger.info({
+          enabledRules,
+          disabledRules: Array.from(this.disabledRules)
+        }, 'Assess policy rules updated');
+      }
+
+      if (msg.exclusions) {
+        for (const arr of this.exclusionMap.values()) arr.length = 0;
+
+        const rawDtmList = [
+          ...(msg?.exclusions?.input || []),
+          ...(msg?.exclusions?.url || []),
+        ].filter((exclusion) => exclusion?.modes?.includes?.('assess'));
+
+        // reset global exclusion state
+        for (const type of Object.values(ExclusionType)) {
+          this.exclusionMap.get(type).length = 0;
+        }
+
+        if (!rawDtmList.length) return;
+
+        for (const dtm of rawDtmList) {
+          // normalize different dtm types
+          dtm.type = dtm.type || 'URL';
+          const { type } = dtm;
+          const key = ExclusionType[type];
+          // defensive code against unanticipated DTM values
+          if (key) {
+            const Ctor = dtm.type === ExclusionType.URL ? UrlExclusion : InputExclusion;
+            this.exclusionMap.get(dtm.type).push(new Ctor(dtm));
+          }
+        }
+
+        this.core.logger.info({
+          exclusions: Object.fromEntries(this.exclusionMap)
+        }, 'Assess exclusions updated (%s total)', rawDtmList.length);
+      }
+    });
+  }
+
+  getRequestPolicy(sourceInfo) {
+    return new RequestPolicy(this.core, sourceInfo);
+  }
+}
+
+class RequestPolicy {
+  /**
+   * @param {{
+   *  config: import('@contrast/config').Config,
+   *  logger: import('@contrast/logger').Logger,
+   *  messages: import('@contrast/common').Messages,
+   * }} core
+   * @param {import('@contrast/common').SourceInfo} sourceInfo
+   */
+  constructor(core, sourceInfo) {
+    Object.defineProperty(this, 'core', { value: core });
+    this.sourceInfo = sourceInfo;
+    this.init();
+  }
+
+  /**
+   * Used to (re)initialize the instance's exclusions, reading from current assess global policy.
+   */
+  init() {
+    const { core, sourceInfo } = this;
+    this.allowed = false;
+    this.version = core.assess.policy.version;
+    this.exclusions = {};
+
+    if (!core.config.getEffectiveValue('assess.enable')) {
+      this.allowed = true;
+      return;
+    }
+
+    // Evaluate URL exclusions.
+    // If one matches and applies to all rules, we set `allowed: true` which will
+    // disable assess for the request (via getSourceContext()). If specific rules are
+    // disabled, we remove them from the request policy's set of enabled rules.
+    for (const urlExclusion of this.core.assess.policy.exclusionMap.get(ExclusionType.URL)) {
+      if (urlExclusion.matchesUriPath(sourceInfo.uriPath)) {
+        if (!urlExclusion.rules?.size) {
+          core.logger.debug({
+            name: urlExclusion.name
+          }, 'All Assess rules have been disabled by URL exclusion');
+          this.allowed = true;
+          // no need to further process exclusions - request will be ignored
+          return;
+        } else {
+          // build as needed
+          if (!this.exclusions.disabledRules) this.exclusions.disabledRules = new Set();
+
+          for (const ruleId of urlExclusion.rules) {
+            this.exclusions.disabledRules.add(ruleId);
+          }
+          core.logger.debug({
+            name: urlExclusion.name,
+            rules: Array.from(urlExclusion.rules),
+          }, 'Assess rules disabled by URL exclusion');
+        }
+      }
+    }
+
+    // Process input exclusions that apply broadly: BODY, QUERYSTRING
+    for (const type of BROAD_INPUT_EXCLUSION_TYPES) {
+      for (const exclusion of core.assess.policy.exclusionMap.get(type)) {
+        if (exclusion.matchesUriPath(sourceInfo.uriPath)) {
+          // build as needed
+          if (!this.exclusions[type]) this.exclusions[type] = { track: true, excludedRules: new Set() };
+          const inputPolicy = this.exclusions[type];
+
+          if (exclusion.rules.size) {
+            for (const ruleId of exclusion.rules) {
+              inputPolicy.excludedRules.add(ruleId);
+            }
+          } else {
+            inputPolicy.track = false;
+            inputPolicy.excludedRules.clear();
+            break;
+          }
+        }
+      }
+    }
+
+    for (const type of NAMED_INPUT_EXCLUSION_TYPES) {
+      for (const exclusion of core.assess.policy.exclusionMap.get(type)) {
+        if (exclusion.matchesUriPath(sourceInfo.uriPath)) {
+          if (!this.exclusions[type]) this.exclusions[type] = [];
+          this.exclusions[type].push(exclusion);
+        }
+      }
+    }
+  }
+
+  /**
+   * Given input type and optional field name will give instructions on how
+   * to track based on global policy and various exclusions that may apply.
+   * @param {} inputType
+   * @param {} fieldName
+   * @returns {boolean|Set<string>} false - do not track
+   *                                true - track
+   *                                Set - track but add tags to exclude these rules
+   */
+  getInputPolicy(inputType, fieldName) {
+    if (this.version < this.core.assess.policy.version) this.init();
+    if (this.allowed) return false; // don't track - request ignored
+
+    let inputRuleExclusions;
+    let excludedRuleIds;
+
+    if (inputType === InputType.HEADER) {
+      inputRuleExclusions = this.exclusions[ExclusionType.HEADER];
+    } else if (inputType === InputType.QUERYSTRING) {
+      if (this.exclusions[ExclusionType.QUERYSTRING]?.track === false) {
+        return false;
+      } else {
+        if (this.exclusions[ExclusionType.QUERYSTRING]?.excludedRules)
+          excludedRuleIds = new Set(this.exclusions[ExclusionType.QUERYSTRING]?.excludedRules);
+        inputRuleExclusions = this.exclusions[ExclusionType.PARAMETER];
+      }
+    } else if (inputType === InputType.URL_PARAMETER) {
+      inputRuleExclusions = this.exclusions[ExclusionType.PARAMETER];
+    } else if ([
+      InputType.COOKIE_NAME,
+      InputType.COOKIE_VALUE
+    ].includes(inputType)) {
+      inputRuleExclusions = this.exclusions[ExclusionType.COOKIE];
+    } else if (BODY_TYPES.includes(inputType)) {
+      if (this.exclusions[ExclusionType.BODY]?.track === false) {
+        return false;
+      } else {
+        inputRuleExclusions = this.exclusions[ExclusionType.PARAMETER];
+      }
+    }
+
+    if (inputRuleExclusions) {
+      for (const exclusion of inputRuleExclusions) {
+        if (exclusion.matchesInputName(fieldName)) {
+          // disables some rules
+          if (exclusion.rules.size) {
+            for (const ruleId of exclusion.rules) {
+              if (!excludedRuleIds) excludedRuleIds = new Set();
+              excludedRuleIds.add(ruleId);
+            }
+          } else {
+            return false; // don't track - all rules disabled
+          }
+        }
+      }
+    }
+
+    if (this.exclusions.disabledRules || excludedRuleIds) {
+      // only URL Exclusions disabled these rules
+      if (!excludedRuleIds) return this.exclusions.disabledRules;
+      // only Input Exclusion disabled these
+      if (!this.exclusions.disabledRules) return excludedRuleIds;
+      // merge since URL Exclusions and Input Exclusions have disabled rules
+      return new Set([...this.exclusions.disabledRules, ...excludedRuleIds]);
+    }
+
+    return true;
+  }
+
+  isRuleEnabled(ruleId) {
+    if (this.version < this.core.assess.policy.version) this.init();
+
+    if (this.allowed) return false;
+
+    return (
+      !this.exclusions.disabledRules?.has?.(ruleId) &&
+      !this.core.assess.policy.disabledRules?.has?.(ruleId)
+    );
+  }
+}
+
+/**
+ * @typedef InputPolicy
+ * @property {boolean} track
+ * @property {Set<Rule>} excludedRules
+ */
+
+class UrlExclusion {
+  constructor(dtm) {
+    this._urlRegex = null;
+    this._urls = new Set();
+    this.name = dtm.name;
+    this.type = ExclusionType[dtm.type];
+    this.rules = new Set(dtm.assess_rules);
+
+    if (dtm.urls.length) {
+      const regexSegments = [];
+      for (const url of dtm.urls) {
+        if (shouldBeRegExp(url)) {
+          regexSegments.push(url);
+        } else {
+          this._urls.add(url);
+        }
+      }
+      if (regexSegments.length) {
+        this._urlRegex = new RegExp(`^${ArrayPrototypeJoin.call(regexSegments, '|')}$`);
+      }
+    }
+  }
+
+  /**
+   * Checks whether the current URI path matches any of the exclusion's URL values.
+   * Exclusions that don't match for the current request will not be enabled. The
+   * interpretation of the DTM is that if its urls list is empty, then that means
+   * it should match all requestss (can be the case for input exclusions).
+   * @param {string} uriPath uri to check
+   * @returns {boolean}
+   */
+  matchesUriPath(uriPath) {
+    return (!this._urlRegex && !this._urls.size) ||
+      this._urls.has(uriPath) ||
+      !!this._urlRegex?.test?.(uriPath);
+  }
+}
+
+class InputExclusion extends UrlExclusion {
+  constructor(dtm) {
+    super(dtm);
+    this._inputNameRegex = null;
+    this._inputName = null;
+
+    // dtm.name value is null for BODY and QUERYSTRING types
+    if (dtm.name) {
+      if (shouldBeRegExp(dtm.name)) {
+        this._inputNameRegex = new RegExp(`^${dtm.name}$`);
+      } else {
+        this._inputName = dtm.name;
+      }
+    }
+  }
+
+  /**
+   * Checks if the provided name matches the value from the exclusion dtm.
+   * @param {string} name field name being evaluated
+   * @returns {boolean}
+   */
+  matchesInputName(name) {
+    // BODY and QUERYSTRING always match since they apply broadly
+    if (!this._inputName && !this._inputNameRegex) return true;
+    return this._inputNameRegex ? RegExpPrototypeTest.call(this._inputNameRegex, name) : this._inputName === name;
+  }
+}
+
+function shouldBeRegExp(str) {
+  return str.indexOf('*') > 0 ||
+    str.indexOf('.') > 0 ||
+    str.indexOf('+') > 0 ||
+    str.indexOf('?') > 0 ||
+    str.indexOf('\\') > 0;
+}
+
+module.exports = Core.makeComponent({
+  name: COMPONENT_NAME,
+  factory(core) {
+    const policy = new AssessPolicy(core);
+    set(core, COMPONENT_NAME, policy);
+    return policy;
+  },
+});
+module.exports.AssessPolicy = AssessPolicy;
+module.exports.RequestPolicy = RequestPolicy;

package/node_modules/@contrast/assess/lib/response-scanning/handlers/index.js

@@ -60,7 +60,7 @@ module.exports = function(core) {
 
   responseScanning.handleAutoCompleteMissing = function(sourceContext, resHeaders, resBody) {
     if (
-      !isEnabled(AUTOCOMPLETE_MISSING, sourceContext) ||
+      !sourceContext.policy?.isRuleEnabled(AUTOCOMPLETE_MISSING) ||
       !isHtmlContent(resHeaders)
     ) {
       return;
@@ -91,7 +91,7 @@ module.exports = function(core) {
 
     // de-dupe; this will be re-emitted for parseableBody handlers anyway
     if (
-      !isEnabled(CACHE_CONTROLS_MISSING, sourceContext) ||
+      !sourceContext.policy?.isRuleEnabled(CACHE_CONTROLS_MISSING) ||
       (isParseableResponse(resHeaders) && !resBody)
     ) {
       return;
@@ -139,7 +139,7 @@ module.exports = function(core) {
   };
 
   responseScanning.handleClickJackingControlsMissing = function(sourceContext, resHeaders) {
-    if (!isEnabled(CLICKJACKING_CONTROL_MISSING, sourceContext)) return;
+    if (!sourceContext.policy?.isRuleEnabled(CLICKJACKING_CONTROL_MISSING)) return;
 
     // look for x-frame-options headers with deny or sameorigin
     const xFrameHeaders = resHeaders['x-frame-options'];
@@ -158,7 +158,7 @@ module.exports = function(core) {
   };
 
   responseScanning.handleParameterPollution = function(sourceContext, resBody) {
-    if (!isEnabled(PARAMETER_POLLUTION, sourceContext)) return;
+    if (!sourceContext.policy?.isRuleEnabled(PARAMETER_POLLUTION)) return;
 
     // look for form tag with missing action attribute.
     // ex: <form method="post">..
@@ -189,12 +189,12 @@ module.exports = function(core) {
     const cspHeaders = getCspHeaders(resHeaders);
 
     // Don't report if not set; this report belongs to 'csp-header-missing'
-    if (!cspHeaders && isEnabled(CSP_HEADER_MISSING, sourceContext)) {
+    if (!cspHeaders && sourceContext.policy?.isRuleEnabled(CSP_HEADER_MISSING)) {
       reportFindings(sourceContext, { ruleId: ResponseScanningRule.CSP_HEADER_MISSING });
       return;
     }
 
-    if (!isEnabled(CSP_HEADER_INSECURE, sourceContext)) return;
+    if (!sourceContext.policy?.isRuleEnabled(CSP_HEADER_INSECURE)) return;
 
     const vulnerabilityMetadata = checkCspSources(cspHeaders);
 
@@ -209,7 +209,7 @@ module.exports = function(core) {
   };
 
   responseScanning.handleHstsHeaderMissing = function(sourceContext, resHeaders) {
-    if (!isEnabled(HSTS_HEADER_MISSING, sourceContext)) return;
+    if (!sourceContext?.policy?.isRuleEnabled(HSTS_HEADER_MISSING)) return;
 
     let header = resHeaders['strict-transport-security'];
     let maxAge;
@@ -241,7 +241,7 @@ module.exports = function(core) {
   };
 
   responseScanning.handleXContentTypeHeaderMissing = function(sourceContext, resHeaders) {
-    if (!isEnabled(XCONTENTTYPE_HEADER_MISSING, sourceContext)) return;
+    if (!sourceContext.policy?.isRuleEnabled(XCONTENTTYPE_HEADER_MISSING)) return;
 
     const headerName = 'x-content-type-options';
     let header = resHeaders[headerName];
@@ -262,7 +262,7 @@ module.exports = function(core) {
   };
 
   responseScanning.handleXPoweredByHeader = function(sourceContext, resHeaders) {
-    if (!isEnabled(X_POWERED_BY_HEADER, sourceContext)) return;
+    if (!sourceContext.policy?.isRuleEnabled(X_POWERED_BY_HEADER)) return;
 
     const headerName = 'x-powered-by';
     let header = resHeaders[headerName];
@@ -280,7 +280,7 @@ module.exports = function(core) {
   };
 
   responseScanning.handleXxsProtectionHeaderDisabled = function(sourceContext, responseHeaders) {
-    if (!isEnabled(XXSPROTECTION_HEADER_DISABLED, sourceContext)) return;
+    if (!sourceContext?.policy?.isRuleEnabled(XXSPROTECTION_HEADER_DISABLED)) return;
 
     const header = responseHeaders['x-xss-protection'];
 
@@ -294,9 +294,5 @@ module.exports = function(core) {
     }
   };
 
-  function isEnabled(ruleId, sourceContext) {
-    return !!sourceContext?.policy?.enabledRules?.has?.(ruleId);
-  }
-
   return responseScanning;
 };

package/node_modules/@contrast/assess/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.63.0",
+  "version": "1.65.0",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,18 +20,18 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.37.0",
-    "@contrast/config": "1.52.1",
-    "@contrast/core": "1.57.1",
-    "@contrast/dep-hooks": "1.26.1",
+    "@contrast/common": "1.38.0",
+    "@contrast/config": "1.54.0",
+    "@contrast/core": "1.59.0",
+    "@contrast/dep-hooks": "1.28.0",
     "@contrast/distringuish": "^6.0.2",
-    "@contrast/instrumentation": "1.36.1",
-    "@contrast/logger": "1.30.1",
-    "@contrast/patcher": "1.29.1",
-    "@contrast/rewriter": "1.34.0",
-    "@contrast/route-coverage": "1.49.1",
-    "@contrast/scopes": "1.27.1",
-    "@contrast/sources": "1.3.1",
+    "@contrast/instrumentation": "1.38.0",
+    "@contrast/logger": "1.32.0",
+    "@contrast/patcher": "1.31.0",
+    "@contrast/rewriter": "1.36.0",
+    "@contrast/route-coverage": "1.51.0",
+    "@contrast/scopes": "1.29.0",
+    "@contrast/sources": "1.5.0",
     "semver": "^7.6.0"
   }
 }

package/node_modules/@contrast/common/lib/constants.d.ts

@@ -6,7 +6,7 @@ export declare enum Event {
     ASSESS_DATAFLOW_FINDING = "assess-dataflow-findings",
     ASSESS_DATAFLOW_SAFE_POSITIVE = "assess-dataflow-safe-positive",
     ASSESS_RESPONSE_SCANNING_FINDING = "assess-response-scanning-findings",
-    ASSESS_SESSION_CONFIGURATION_FINDING = "assess-session-configuration-findings",
+    ASSESS_CONFIGURATION_FINDING = "assess-configuration-findings",
     ASSESS_CRYPTO_ANALYSIS_FINDING = "assess-crypto-analysis-finding",
     LIBRARY = "library",
     LIBRARY_USAGE = "library-usage",
@@ -60,9 +60,10 @@ export declare enum ResponseScanningRule {
     XCONTENTTYPE_HEADER_MISSING = "xcontenttype-header-missing",
     XXSPROTECTION_HEADER_DISABLED = "xxssprotection-header-disabled"
 }
-export declare enum SessionConfigurationRule {
+export declare enum ConfigurationRule {
     HTTPONLY = "httponly",
-    SECURE_FLAG_MISSING = "secure-flag-missing"
+    SECURE_FLAG_MISSING = "secure-flag-missing",
+    GRAPHQL_INTROSPECTION = "graphql-introspection"
 }
 export declare enum InputType {
     UNDEFINED_TYPE = "UNDEFINED_TYPE",
@@ -86,7 +87,8 @@ export declare enum InputType {
     METHOD = "METHOD",
     REQUEST = "REQUEST",
     URL_PARAMETER = "URL_PARAMETER",
-    UNKNOWN = "UNKNOWN"
+    UNKNOWN = "UNKNOWN",
+    WEBSOCKET = "WEBSOCKET"
 }
 export declare enum ExclusionType {
     BODY = "BODY",
@@ -96,6 +98,12 @@ export declare enum ExclusionType {
     QUERYSTRING = "QUERYSTRING",
     URL = "URL"
 }
+export declare enum RouteType {
+    HTTP = "HTTP",
+    MESSAGE_BROKER = "MESSAGE_BROKER",
+    MIDDLEWARE = "MIDDLEWARE",
+    RPC = "RPC"
+}
 export declare enum DataflowTag {
     XML_ENCODED = "XML_ENCODED",
     XML_DECODED = "XML_DECODED",

package/node_modules/@contrast/common/lib/constants.js

@@ -14,7 +14,7 @@
  * way not consistent with the End User License Agreement.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.URI_REGEXES = exports.symbols = exports.agentLibIDListTypes = exports.FS_METHODS = exports.BLOCKING_MODES = exports.ServerEnvironment = exports.DataflowTag = exports.ExclusionType = exports.InputType = exports.SessionConfigurationRule = exports.ResponseScanningRule = exports.Rule = exports.ProtectRuleMode = exports.Event = void 0;
+exports.URI_REGEXES = exports.symbols = exports.agentLibIDListTypes = exports.FS_METHODS = exports.BLOCKING_MODES = exports.ServerEnvironment = exports.DataflowTag = exports.RouteType = exports.ExclusionType = exports.InputType = exports.ConfigurationRule = exports.ResponseScanningRule = exports.Rule = exports.ProtectRuleMode = exports.Event = void 0;
 var Event;
 (function (Event) {
     // lifecycle
@@ -26,7 +26,7 @@ var Event;
     Event["ASSESS_DATAFLOW_FINDING"] = "assess-dataflow-findings";
     Event["ASSESS_DATAFLOW_SAFE_POSITIVE"] = "assess-dataflow-safe-positive";
     Event["ASSESS_RESPONSE_SCANNING_FINDING"] = "assess-response-scanning-findings";
-    Event["ASSESS_SESSION_CONFIGURATION_FINDING"] = "assess-session-configuration-findings";
+    Event["ASSESS_CONFIGURATION_FINDING"] = "assess-configuration-findings";
     Event["ASSESS_CRYPTO_ANALYSIS_FINDING"] = "assess-crypto-analysis-finding";
     Event["LIBRARY"] = "library";
     Event["LIBRARY_USAGE"] = "library-usage";
@@ -85,11 +85,12 @@ var ResponseScanningRule;
     ResponseScanningRule["XCONTENTTYPE_HEADER_MISSING"] = "xcontenttype-header-missing";
     ResponseScanningRule["XXSPROTECTION_HEADER_DISABLED"] = "xxssprotection-header-disabled";
 })(ResponseScanningRule || (exports.ResponseScanningRule = ResponseScanningRule = {}));
-var SessionConfigurationRule;
-(function (SessionConfigurationRule) {
-    SessionConfigurationRule["HTTPONLY"] = "httponly";
-    SessionConfigurationRule["SECURE_FLAG_MISSING"] = "secure-flag-missing";
-})(SessionConfigurationRule || (exports.SessionConfigurationRule = SessionConfigurationRule = {}));
+var ConfigurationRule;
+(function (ConfigurationRule) {
+    ConfigurationRule["HTTPONLY"] = "httponly";
+    ConfigurationRule["SECURE_FLAG_MISSING"] = "secure-flag-missing";
+    ConfigurationRule["GRAPHQL_INTROSPECTION"] = "graphql-introspection";
+})(ConfigurationRule || (exports.ConfigurationRule = ConfigurationRule = {}));
 var InputType;
 (function (InputType) {
     InputType["UNDEFINED_TYPE"] = "UNDEFINED_TYPE";
@@ -114,6 +115,7 @@ var InputType;
     InputType["REQUEST"] = "REQUEST";
     InputType["URL_PARAMETER"] = "URL_PARAMETER";
     InputType["UNKNOWN"] = "UNKNOWN";
+    InputType["WEBSOCKET"] = "WEBSOCKET";
 })(InputType || (exports.InputType = InputType = {}));
 var ExclusionType;
 (function (ExclusionType) {
@@ -124,6 +126,13 @@ var ExclusionType;
     ExclusionType["QUERYSTRING"] = "QUERYSTRING";
     ExclusionType["URL"] = "URL";
 })(ExclusionType || (exports.ExclusionType = ExclusionType = {}));
+var RouteType;
+(function (RouteType) {
+    RouteType["HTTP"] = "HTTP";
+    RouteType["MESSAGE_BROKER"] = "MESSAGE_BROKER";
+    RouteType["MIDDLEWARE"] = "MIDDLEWARE";
+    RouteType["RPC"] = "RPC";
+})(RouteType || (exports.RouteType = RouteType = {}));
 var DataflowTag;
 (function (DataflowTag) {
     DataflowTag["XML_ENCODED"] = "XML_ENCODED";

package/node_modules/@contrast/common/lib/types.d.ts

@@ -1,6 +1,6 @@
 import { EventEmitter } from 'events';
 import { ServerResponse } from 'node:http';
-import { Event, ProtectRuleMode, Rule } from './constants';
+import { Event, ProtectRuleMode, RouteType, Rule } from './constants';
 export interface Installable {
     install(...args: any[]): void | Promise<void>;
     uninstall?(): void | Promise<void>;
@@ -335,6 +335,10 @@ export interface RouteInfo {
      * @example "get"
      */
     method?: string;
+    /**
+     * The type of route that is being reported. Default should be RouteType.HTTP.
+     */
+    type: RouteType;
     /**
      * URL for a route.
      * @example "prefix/route/path"

package/node_modules/@contrast/common/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/common",
-  "version": "1.37.0",
+  "version": "1.38.0",
   "description": "Shared constants and utilities for all Contrast Agent modules",
   "license": "UNLICENSED",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",

package/node_modules/@contrast/config/lib/common.js

@@ -106,6 +106,7 @@ const mappings = {
     }
   },
   'assess.probabilistic_sampling.window_ms': (remoteData) => remoteData.assess?.sampling?.window_ms,
+  'assess.report_middleware_routes': (remoteData) => remoteData.assess?.report_middleware_routes,
   'assess.stacktraces': (remoteData) => remoteData.assess?.report_stacktraces,
   'agent.logger.level': coerceLowerCase('logger.level'),
   'agent.logger.path': (remoteData) => remoteData.logger?.path,