npm - @contrast/agent-bundle - Versions diffs - 5.45.1 → 5.47.0 - Mend

@contrast/agent-bundle 5.45.1 → 5.47.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (189) hide show

package/node_modules/undici-types/webidl.d.ts CHANGED Viewed

@@ -10,11 +10,6 @@ type SequenceConverter<T> = (object: unknown, iterable?: IterableIterator<T>) =>
 type RecordConverter<K extends string, V> = (object: unknown) => Record<K, V>
-interface ConvertToIntOpts {
-  clamp?: boolean
-  enforceRange?: boolean
-}
 interface WebidlErrors {
   /**
    * @description Instantiate an error
@@ -74,7 +69,7 @@ interface WebidlUtil {
     V: unknown,
     bitLength: number,
     signedness: 'signed' | 'unsigned',
-    opts?: ConvertToIntOpts
+    flags?: number
   ): number
   /**
@@ -94,15 +89,17 @@ interface WebidlUtil {
    * This is only effective in some newer Node.js versions.
    */
   markAsUncloneable (V: any): void
+  IsResizableArrayBuffer (V: ArrayBufferLike): boolean
+  HasFlag (flag: number, attributes: number): boolean
 }
 interface WebidlConverters {
   /**
    * @see https://webidl.spec.whatwg.org/#es-DOMString
    */
-  DOMString (V: unknown, prefix: string, argument: string, opts?: {
-    legacyNullToEmptyString: boolean
-  }): string
+  DOMString (V: unknown, prefix: string, argument: string, flags?: number): string
   /**
    * @see https://webidl.spec.whatwg.org/#es-ByteString
@@ -142,39 +139,78 @@ interface WebidlConverters {
   /**
    * @see https://webidl.spec.whatwg.org/#es-unsigned-short
    */
-  ['unsigned short'] (V: unknown, opts?: ConvertToIntOpts): number
+  ['unsigned short'] (V: unknown, flags?: number): number
   /**
    * @see https://webidl.spec.whatwg.org/#idl-ArrayBuffer
    */
-  ArrayBuffer (V: unknown): ArrayBufferLike
-  ArrayBuffer (V: unknown, opts: { allowShared: false }): ArrayBuffer
+  ArrayBuffer (
+    V: unknown,
+    prefix: string,
+    argument: string,
+    options?: { allowResizable: boolean }
+  ): ArrayBuffer
+  /**
+   * @see https://webidl.spec.whatwg.org/#idl-SharedArrayBuffer
+   */
+  SharedArrayBuffer (
+    V: unknown,
+    prefix: string,
+    argument: string,
+    options?: { allowResizable: boolean }
+  ): SharedArrayBuffer
   /**
    * @see https://webidl.spec.whatwg.org/#es-buffer-source-types
    */
   TypedArray (
     V: unknown,
-    TypedArray: NodeJS.TypedArray | ArrayBufferLike
-  ): NodeJS.TypedArray | ArrayBufferLike
-  TypedArray (
+    T: new () => NodeJS.TypedArray,
+    prefix: string,
+    argument: string,
+    flags?: number
+  ): NodeJS.TypedArray
+  /**
+   * @see https://webidl.spec.whatwg.org/#es-buffer-source-types
+   */
+  DataView (
     V: unknown,
-    TypedArray: NodeJS.TypedArray | ArrayBufferLike,
-    opts?: { allowShared: false }
-  ): NodeJS.TypedArray | ArrayBuffer
+    prefix: string,
+    argument: string,
+    flags?: number
+  ): DataView
   /**
    * @see https://webidl.spec.whatwg.org/#es-buffer-source-types
    */
-  DataView (V: unknown, opts?: { allowShared: boolean }): DataView
+  ArrayBufferView (
+    V: unknown,
+    prefix: string,
+    argument: string,
+    flags?: number
+  ): NodeJS.ArrayBufferView
   /**
    * @see https://webidl.spec.whatwg.org/#BufferSource
    */
   BufferSource (
     V: unknown,
-    opts?: { allowShared: boolean }
-  ): NodeJS.TypedArray | ArrayBufferLike | DataView
+    prefix: string,
+    argument: string,
+    flags?: number
+  ): ArrayBuffer | NodeJS.ArrayBufferView
+  /**
+   * @see https://webidl.spec.whatwg.org/#AllowSharedBufferSource
+   */
+  AllowSharedBufferSource (
+    V: unknown,
+    prefix: string,
+    argument: string,
+    flags?: number
+  ): ArrayBuffer | SharedArrayBuffer | NodeJS.ArrayBufferView
   ['sequence<ByteString>']: SequenceConverter<string>
@@ -192,6 +228,13 @@ interface WebidlConverters {
    */
   RequestInit (V: unknown): undici.RequestInit
+  /**
+   * @see https://html.spec.whatwg.org/multipage/webappapis.html#eventhandlernonnull
+   */
+  EventHandlerNonNull (V: unknown): Function | null
+  WebSocketStreamWrite (V: unknown): ArrayBuffer | NodeJS.TypedArray | string
   [Key: string]: (...args: any[]) => unknown
 }
@@ -210,6 +253,10 @@ interface WebidlIs {
   AbortSignal: WebidlIsFunction<AbortSignal>
   MessagePort: WebidlIsFunction<MessagePort>
   USVString: WebidlIsFunction<string>
+  /**
+   * @see https://webidl.spec.whatwg.org/#BufferSource
+   */
+  BufferSource: WebidlIsFunction<ArrayBuffer | NodeJS.TypedArray>
 }
 export interface Webidl {
@@ -217,6 +264,7 @@ export interface Webidl {
   util: WebidlUtil
   converters: WebidlConverters
   is: WebidlIs
+  attributes: WebIDLExtendedAttributes
   /**
    * @description Performs a brand-check on {@param V} to ensure it is a
@@ -278,3 +326,16 @@ export interface Webidl {
   argumentLengthCheck (args: { length: number }, min: number, context: string): void
 }
+interface WebIDLExtendedAttributes {
+  /** https://webidl.spec.whatwg.org/#Clamp */
+  Clamp: number
+  /** https://webidl.spec.whatwg.org/#EnforceRange */
+  EnforceRange: number
+  /** https://webidl.spec.whatwg.org/#AllowShared */
+  AllowShared: number
+  /** https://webidl.spec.whatwg.org/#AllowResizable */
+  AllowResizable: number
+  /** https://webidl.spec.whatwg.org/#LegacyNullToEmptyString */
+  LegacyNullToEmptyString: number
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent-bundle",
-  "version": "5.45.1",
+  "version": "5.47.0",
   "description": "Contrast Security Node.js Agent bundle with all dependencies included",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -21,13 +21,13 @@
   "main": "./lib/index.js",
   "engines": {
     "npm": ">=6.13.7 <7 || >= 8.3.1",
-    "node": ">=18.7.0 <19 || >=20.6.0 <21 || >= 22.5.1 <23 || >= 24.0.1 <25"
+    "node": ">=18.7.0 <19 || >=20.9.0 <21 || >= 22.5.1 <23 || >= 24.0.1 <25"
   },
   "scripts": {
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/agent": "5.45.1"
+    "@contrast/agent": "5.47.0"
   },
   "bundleDependencies": [
     "@contrast/agent"

package/node_modules/@contrast/assess/lib/get-policy.js DELETED Viewed

@@ -1,336 +0,0 @@
-/*
- * Copyright: 2025 Contrast Security, Inc
- * Contact: support@contrastsecurity.com
- * License: Commercial
- * NOTICE: This Software and the patented inventions embodied within may only be
- * used as part of Contrast Security’s commercial offerings. Even though it is
- * made available through public repositories, use of this Software is subject to
- * the applicable End User Licensing Agreement found at
- * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
- * between Contrast Security and the End User. The Software may not be reverse
- * engineered, modified, repackaged, sold, redistributed or otherwise used in a
- * way not consistent with the End User License Agreement.
- */
-'use strict';
-const {
-  Event,
-  ExclusionType,
-  InputType,
-  Rule,
-  ResponseScanningRule,
-  SessionConfigurationRule,
-  primordials: { ArrayPrototypeJoin, RegExpPrototypeTest }
-} = require('@contrast/common');
-const ASSESS_RULES = Object.values({
-  ...Rule,
-  ...ResponseScanningRule,
-  ...SessionConfigurationRule,
-});
-const BROAD_INPUT_EXCLUSION_TYPES = [
-  ExclusionType.BODY,
-  ExclusionType.QUERYSTRING
-];
-const NAMED_INPUT_EXCLUSION_TYPES = [
-  ExclusionType.COOKIE,
-  ExclusionType.HEADER,
-  ExclusionType.PARAMETER
-];
-const BODY_TYPES = [
-  InputType.BODY,
-  InputType.JSON_VALUE,
-  InputType.JSON_ARRAYED_VALUE,
-  InputType.MULTIPART_CONTENT_TYPE,
-  InputType.MULTIPART_FIELD_NAME,
-  InputType.MULTIPART_NAME,
-  InputType.MULTIPART_VALUE,
-];
-const DISABLED_INPUT_POLICY = { track: false };
-/**
- * @param {{
- *  config: import('@contrast/config').Config,
- *  logger: import('@contrast/logger').Logger,
- *  messages: import('@contrast/common').Messages,
- * }} core
- * @returns {import('@contrast/common').Installable}
- */
-module.exports = function assess(core) {
-  const { config, logger, messages } = core;
-  const globalPolicy = {
-    // by default all rules are enabled
-    enabledRules: new Set(ASSESS_RULES),
-    exclusionMap: new Map([
-      [ExclusionType.BODY, []],
-      [ExclusionType.COOKIE, []],
-      [ExclusionType.HEADER, []],
-      [ExclusionType.PARAMETER, []],
-      [ExclusionType.QUERYSTRING, []],
-      [ExclusionType.URL, []],
-    ]),
-  };
-  /**
-   * Subscribe to settings updates and modify global policy accordingly.
-   */
-  messages.on(Event.SERVER_SETTINGS_UPDATE, (msg) => {
-    if (!config.getEffectiveValue('assess.enable')) return;
-    if (msg.assess) {
-      for (const ruleId of ASSESS_RULES) {
-        const enable = msg.assess[ruleId]?.enable;
-        if (enable === true) {
-          globalPolicy.enabledRules.add(ruleId);
-          if (ruleId === Rule.NOSQL_INJECTION) globalPolicy.enabledRules.add(Rule.NOSQL_INJECTION_MONGO);
-        } else if (enable === false) {
-          globalPolicy.enabledRules.delete(ruleId);
-          if (ruleId === Rule.NOSQL_INJECTION) globalPolicy.enabledRules.delete(Rule.NOSQL_INJECTION_MONGO);
-        }
-      }
-      logger.info({ enabledRules: Array.from(globalPolicy.enabledRules) }, 'Assess policy enabled rules updated');
-    }
-    if (msg.exclusions) {
-      const rawDtmList = [
-        // todo: NODE-3281 input exclusions
-        ...(msg?.exclusions?.input || []),
-        ...(msg?.exclusions?.url || []),
-      ].filter((exclusion) => exclusion?.modes?.includes?.('assess'));
-      // reset global exclusion state
-      for (const type of Object.values(ExclusionType)) {
-        globalPolicy.exclusionMap.get(type).length = 0;
-      }
-      if (!rawDtmList.length) return;
-      for (const dtm of rawDtmList) {
-        // normalize different dtm types
-        dtm.type = dtm.type || 'URL';
-        const { type } = dtm;
-        const key = ExclusionType[type];
-        // defensive code against unanticipated DTM values
-        if (key) {
-          const Ctor = dtm.type === ExclusionType.URL ? UrlExclusion : InputExclusion;
-          globalPolicy.exclusionMap.get(dtm.type).push(new Ctor(dtm));
-        }
-      }
-      logger.info({
-        exclusions: Object.fromEntries(globalPolicy.exclusionMap)
-      }, 'Assess exclusions updated (%s total)', rawDtmList.length);
-    }
-  });
-  /**
-   * Generates the policy for the current request. We return copy of the global policy
-   * to avoid inconsistent behavior if policy is updated during request handling. In
-   * addition, the request policy is altered to account for any URL or Input exclusions.
-   * @param {string} uriPath
-   */
-  return core.assess.getPolicy = function getPolicy({ uriPath } = {}) {
-    const _enabledRules = new Set(globalPolicy.enabledRules);
-    const exclusionState = {
-      // types that can be disabled broadly
-      [ExclusionType.BODY]: { track: true, excludedRules: new Set() },
-      [ExclusionType.QUERYSTRING]: { track: true, excludedRules: new Set() },
-      // other types we check by name. parameter applies to body and query params
-      [ExclusionType.COOKIE]: [],
-      [ExclusionType.HEADER]: [],
-      [ExclusionType.PARAMETER]: [],
-    };
-    // Evaluate URL exclusions.
-    // If one matches and applies to all rules, we return `null` for the policy value, which
-    // will disable assess for the request (via getSourceContext()). If specific rules are
-    // disabled, we remove them from the request policy's set of enabled rules.
-    for (const urlExclusion of globalPolicy.exclusionMap.get(ExclusionType.URL)) {
-      if (urlExclusion.matchesUriPath(uriPath)) {
-        if (!urlExclusion.rules?.size) {
-          core.logger.debug({
-            name: urlExclusion.name
-          }, 'All Assess rules have been disabled by URL exclusion');
-          return null;
-        } else {
-          for (const ruleId of urlExclusion.rules) {
-            _enabledRules.delete(ruleId);
-          }
-          core.logger.debug({
-            name: urlExclusion.name,
-            rules: Array.from(urlExclusion.rules),
-          }, 'Assess rules disabled by URL exclusion');
-        }
-      }
-    }
-    // Process input exclusions that apply broadly: BODY, QUERYSTRING
-    for (const type of BROAD_INPUT_EXCLUSION_TYPES) {
-      const _policy = exclusionState[type];
-      for (const exclusion of globalPolicy.exclusionMap.get(type)) {
-        if (exclusion.matchesUriPath(uriPath)) {
-          if (exclusion.rules.size) {
-            for (const ruleId of exclusion.rules) {
-              _policy.excludedRules.add(ruleId);
-            }
-          } else {
-            _policy.track = false;
-            _policy.excludedRules.clear();
-            break;
-          }
-        }
-      }
-    }
-    // Filter input exclusions that will be used to get named input
-    // policies: COOKIE, HEADER, PARAMETER
-    for (const type of NAMED_INPUT_EXCLUSION_TYPES) {
-      for (const exclusion of globalPolicy.exclusionMap.get(type)) {
-        if (exclusion.matchesUriPath(uriPath)) {
-          exclusionState[type].push(exclusion);
-        }
-      }
-    }
-    return {
-      /**
-       * Enabled rules filtered by any applicable URL exclusions
-       */
-      enabledRules: _enabledRules,
-      /**
-       * Used by source handler to get policy information for specific named inputs.
-       * @param {InputType} inputType
-       * @param {string} [fieldName]
-       * @returns {InputPolicy}
-       */
-      getInputPolicy(inputType, fieldName) {
-        let exclusionsByType;
-        const inputPolicy = { track: true, excludedRules: new Set() };
-        const isBody = BODY_TYPES.includes(inputType);
-        if (isBody || inputType === InputType.QUERYSTRING) {
-          // these can be disabled broadly
-          const _policy = exclusionState[isBody ? ExclusionType.BODY : ExclusionType.QUERYSTRING];
-          if (!_policy.track) {
-            return DISABLED_INPUT_POLICY;
-          }
-          for (const ruleId of _policy.excludedRules) {
-            inputPolicy.excludedRules.add(ruleId);
-          }
-          exclusionsByType = exclusionState[ExclusionType.PARAMETER];
-        } else if (inputType === InputType.URL_PARAMETER) {
-          exclusionsByType = exclusionState[ExclusionType.PARAMETER];
-        } else if (inputType === InputType.HEADER) {
-          exclusionsByType = exclusionState[ExclusionType.HEADER];
-        } else if ([
-          InputType.COOKIE_NAME,
-          InputType.COOKIE_VALUE
-        ].includes(inputType)) {
-          exclusionsByType = exclusionState[ExclusionType.COOKIE];
-        }
-        if (!exclusionsByType) {
-          return inputPolicy;
-        }
-        // check input name
-        for (const exclusion of exclusionsByType) {
-          if (exclusion.matchesInputName(fieldName)) {
-            if (exclusion.rules.size) {
-              for (const ruleId of exclusion.rules) {
-                inputPolicy.excludedRules.add(ruleId);
-              }
-            } else {
-              return DISABLED_INPUT_POLICY;
-            }
-          }
-        }
-        return inputPolicy;
-      },
-    };
-  };
-};
-/**
- * @typedef InputPolicy
- * @property {boolean} track
- * @property {Set<Rule>} excludedRules
- */
-class UrlExclusion {
-  constructor(dtm) {
-    this._urlRegex = null;
-    this._urls = new Set();
-    this.name = dtm.name;
-    this.type = ExclusionType[dtm.type];
-    this.rules = new Set(dtm.assess_rules);
-    if (dtm.urls.length) {
-      const regexSegments = [];
-      for (const url of dtm.urls) {
-        if (shouldBeRegExp(url)) {
-          regexSegments.push(url);
-        } else {
-          this._urls.add(url);
-        }
-      }
-      if (regexSegments.length) {
-        this._urlRegex = new RegExp(`^${ArrayPrototypeJoin.call(regexSegments, '|')}$`);
-      }
-    }
-  }
-  /**
-   * Checks whether the current URI path matches any of the exclusion's URL values.
-   * Exclusions that don't match for the current request will not be enabled. The
-   * interpretation of the DTM is that if its urls list is empty, then that means
-   * it should match all requestss (can be the case for input exclusions).
-   * @param {string} uriPath uri to check
-   * @returns {boolean}
-   */
-  matchesUriPath(uriPath) {
-    return (!this._urlRegex && !this._urls.size) ||
-      this._urls.has(uriPath) ||
-      !!this._urlRegex?.test?.(uriPath);
-  }
-}
-class InputExclusion extends UrlExclusion {
-  constructor(dtm) {
-    super(dtm);
-    this._inputNameRegex = null;
-    this._inputName = null;
-    // dtm.name value is null for BODY and QUERYSTRING types
-    if (dtm.name) {
-      if (shouldBeRegExp(dtm.name)) {
-        this._inputNameRegex = new RegExp(`^${dtm.name}$`);
-      } else {
-        this._inputName = dtm.name;
-      }
-    }
-  }
-  /**
-   * Checks if the provided name matches the value from the exclusion dtm.
-   * @param {string} name field name being evaluated
-   * @returns {boolean}
-   */
-  matchesInputName(name) {
-    // BODY and QUERYSTRING always match since they apply broadly
-    if (!this._inputName && !this._inputNameRegex) return true;
-    return this._inputNameRegex ? RegExpPrototypeTest.call(this._inputNameRegex, name) : this._inputName === name;
-  }
-}
-function shouldBeRegExp(str) {
-  return str.indexOf('*') > 0 ||
-    str.indexOf('.') > 0 ||
-    str.indexOf('+') > 0 ||
-    str.indexOf('?') > 0 ||
-    str.indexOf('\\') > 0;
-}

package/node_modules/@contrast/protect/lib/input-analysis/install/koa-body5.js DELETED Viewed

@@ -1,63 +0,0 @@
-/*
- * Copyright: 2025 Contrast Security, Inc
- * Contact: support@contrastsecurity.com
- * License: Commercial
- * NOTICE: This Software and the patented inventions embodied within may only be
- * used as part of Contrast Security’s commercial offerings. Even though it is
- * made available through public repositories, use of this Software is subject to
- * the applicable End User Licensing Agreement found at
- * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
- * between Contrast Security and the End User. The Software may not be reverse
- * engineered, modified, repackaged, sold, redistributed or otherwise used in a
- * way not consistent with the End User License Agreement.
- */
-'use strict';
-const { patchType } = require('../constants');
-module.exports = (core) => {
-  const {
-    depHooks,
-    patcher,
-    protect,
-    protect: { inputAnalysis },
-  } = core;
-  // Patch `koa-body` package
-  function install() {
-    depHooks.resolve({ name: 'koa-body', version: '<7' }, (koaBody) => patcher.patch(koaBody, {
-      name: 'koa-body',
-      patchType,
-      post(data) {
-        data.result = patcher.patch(data.result, {
-          name: 'koa-body',
-          patchType,
-          pre(data) {
-            const [ctx, origNext] = data.args;
-            async function contrastNext(origErr) {
-              const sourceContext = protect.getSourceContext();
-              if (sourceContext && ctx.request.body && Object.keys(ctx.request.body).length) {
-                sourceContext.parsedBody = ctx.request.body;
-                inputAnalysis.handleParsedBody(sourceContext, ctx.request.body);
-              }
-              await origNext(origErr);
-            }
-            data.args[1] = contrastNext;
-          }
-        });
-      }
-    }));
-  }
-  const koaBody5Instrumentation = inputAnalysis.koaBody5Instrumentation = {
-    install
-  };
-  return koaBody5Instrumentation;
-};

package/node_modules/@contrast/protect/lib/input-analysis/install/koa-bodyparser4.js DELETED Viewed

@@ -1,64 +0,0 @@
-/*
- * Copyright: 2025 Contrast Security, Inc
- * Contact: support@contrastsecurity.com
- * License: Commercial
- * NOTICE: This Software and the patented inventions embodied within may only be
- * used as part of Contrast Security’s commercial offerings. Even though it is
- * made available through public repositories, use of this Software is subject to
- * the applicable End User Licensing Agreement found at
- * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
- * between Contrast Security and the End User. The Software may not be reverse
- * engineered, modified, repackaged, sold, redistributed or otherwise used in a
- * way not consistent with the End User License Agreement.
- */
-'use strict';
-const { patchType } = require('../constants');
-module.exports = (core) => {
-  const {
-    depHooks,
-    patcher,
-    protect,
-    protect: { inputAnalysis },
-  } = core;
-  // Patch `koa-bodyparser` package
-  function install() {
-    depHooks.resolve({ name: 'koa-bodyparser', version: '<5' }, (koaBodyparser) => patcher.patch(koaBodyparser, {
-      name: 'koa-bodyparser',
-      patchType,
-      post(data) {
-        data.result = patcher.patch(data.result, {
-          name: 'koa-bodyparser',
-          patchType,
-          pre(data) {
-            const [ctx, origNext] = data.args;
-            async function contrastNext(origErr) {
-              const sourceContext = protect.getSourceContext();
-              if (sourceContext && ctx.request.body && Object.keys(ctx.request.body).length) {
-                sourceContext.parsedBody = ctx.request.body;
-                inputAnalysis.handleParsedBody(sourceContext, ctx.request.body);
-              }
-              await origNext(origErr);
-            }
-            data.args[1] = contrastNext;
-          }
-        });
-      }
-    }));
-  }
-  const koaBodyparser4Instrumentation = inputAnalysis.koaBodyparser4Instrumentation = {
-    install
-  };
-  return koaBodyparser4Instrumentation;
-};