npm - @contrast/agent-bundle - Versions diffs - 5.46.0 → 5.47.0 - Mend

@contrast/agent-bundle 5.46.0 → 5.47.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (178) hide show

package/README.md CHANGED Viewed

@@ -61,7 +61,7 @@ node --import @contrast/agent app-main [app arguments]
 Notes:
 - `--import` should be used for Node.js LTS (Active and Maintenance) versions `>=18.19.0`
-- Node.js versions `>=20.0.0 <20.6.0` are not supported
+- Node.js versions `>=20.0.0 <20.9.0` are not supported
 ### With end-of-life Node.js Versions

package/node_modules/@contrast/agent/README.md CHANGED Viewed

@@ -61,7 +61,7 @@ node --import @contrast/agent app-main [app arguments]
 Notes:
 - `--import` should be used for Node.js LTS (Active and Maintenance) versions `>=18.19.0`
-- Node.js versions `>=20.0.0 <20.6.0` are not supported
+- Node.js versions `>=20.0.0 <20.9.0` are not supported
 ### With end-of-life Node.js Versions

package/node_modules/@contrast/agent/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "5.46.0",
+  "version": "5.47.0",
   "description": "Assess and Protect agents for Node.js",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -22,21 +22,21 @@
   "main": "./lib/index.js",
   "engines": {
     "npm": ">=6.13.7 <7 || >= 8.3.1",
-    "node": ">=18.7.0 <19 || >=20.6.0 <21 || >= 22.5.1 <23 || >= 24.0.1 <25"
+    "node": ">=18.7.0 <19 || >=20.9.0 <21 || >= 22.5.1 <23 || >= 24.0.1 <25"
   },
   "scripts": {
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/agentify": "1.58.0",
-    "@contrast/architecture-components": "1.46.0",
-    "@contrast/assess": "1.64.0",
-    "@contrast/common": "1.37.0",
-    "@contrast/core": "1.58.0",
-    "@contrast/library-analysis": "1.48.0",
-    "@contrast/protect": "1.69.0",
-    "@contrast/route-coverage": "1.50.0",
-    "@contrast/sec-obs": "1.2.0",
-    "@contrast/telemetry": "1.33.0"
+    "@contrast/agentify": "1.59.0",
+    "@contrast/architecture-components": "1.47.0",
+    "@contrast/assess": "1.65.0",
+    "@contrast/common": "1.38.0",
+    "@contrast/core": "1.59.0",
+    "@contrast/library-analysis": "1.49.0",
+    "@contrast/protect": "1.70.0",
+    "@contrast/route-coverage": "1.51.0",
+    "@contrast/sec-obs": "1.3.0",
+    "@contrast/telemetry": "1.34.0"
   }
 }

package/node_modules/@contrast/agentify/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agentify",
-  "version": "1.58.0",
+  "version": "1.59.0",
   "description": "Configures Contrast agent services and instrumentation within an application",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,22 +20,22 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.37.0",
-    "@contrast/config": "1.53.0",
-    "@contrast/core": "1.58.0",
-    "@contrast/deadzones": "1.30.0",
-    "@contrast/dep-hooks": "1.27.0",
-    "@contrast/esm-hooks": "2.33.0",
+    "@contrast/common": "1.38.0",
+    "@contrast/config": "1.54.0",
+    "@contrast/core": "1.59.0",
+    "@contrast/deadzones": "1.31.0",
+    "@contrast/dep-hooks": "1.28.0",
+    "@contrast/esm-hooks": "2.34.0",
     "@contrast/find-package-json": "^1.1.0",
-    "@contrast/instrumentation": "1.37.0",
-    "@contrast/logger": "1.31.0",
-    "@contrast/metrics": "1.35.0",
-    "@contrast/patcher": "1.30.0",
+    "@contrast/instrumentation": "1.38.0",
+    "@contrast/logger": "1.32.0",
+    "@contrast/metrics": "1.36.0",
+    "@contrast/patcher": "1.31.0",
     "@contrast/perf": "1.4.0",
-    "@contrast/reporter": "1.56.0",
-    "@contrast/rewriter": "1.35.0",
-    "@contrast/scopes": "1.28.0",
-    "@contrast/sources": "1.4.0",
+    "@contrast/reporter": "1.57.0",
+    "@contrast/rewriter": "1.36.0",
+    "@contrast/scopes": "1.29.0",
+    "@contrast/sources": "1.5.0",
     "on-finished": "^2.4.1",
     "semver": "^7.6.0"
   }

package/node_modules/@contrast/architecture-components/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/architecture-components",
-  "version": "1.46.0",
+  "version": "1.47.0",
   "description": "Detects external systems being connected to by applications.",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,9 +20,9 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.37.0",
-    "@contrast/dep-hooks": "1.27.0",
-    "@contrast/logger": "1.31.0",
-    "@contrast/patcher": "1.30.0"
+    "@contrast/common": "1.38.0",
+    "@contrast/dep-hooks": "1.28.0",
+    "@contrast/logger": "1.32.0",
+    "@contrast/patcher": "1.31.0"
   }
 }

package/node_modules/@contrast/assess/lib/{session-configuration → configuration-analysis}/common.js RENAMED Viewed

@@ -15,5 +15,5 @@
 'use strict';
 module.exports = {
-  patchType: 'session-configuration'
+  patchType: 'configuration'
 };

package/node_modules/@contrast/assess/lib/{session-configuration → configuration-analysis}/handlers.js RENAMED Viewed

@@ -17,15 +17,15 @@
 const {
   Event,
-  SessionConfigurationRule,
+  ConfigurationRule,
   isString,
 } = require('@contrast/common');
-const { HTTPONLY, SECURE_FLAG_MISSING } = SessionConfigurationRule;
+const { HTTPONLY, SECURE_FLAG_MISSING, GRAPHQL_INTROSPECTION } = ConfigurationRule;
 module.exports = function (core) {
   const {
-    assess: { sessionConfiguration },
+    assess: { configurationAnalysis },
     messages,
   } = core;
@@ -40,7 +40,7 @@ module.exports = function (core) {
   }
   /**
-   * @param {SessionConfigurationRule} ruleId
+   * @param {ConfigurationRule} ruleId
    * @param {import('@contrast/assess').SourceContext} sourceContext
    * @returns {import('@contrast/assess').SessionRuleState}
    */
@@ -76,7 +76,7 @@ module.exports = function (core) {
       if (!isVulnerable(ruleId, value)) continue;
       else {
-        sessionConfiguration.reportFindings({
+        configurationAnalysis.reportFindings({
           ruleId,
           sinkEvent: sessionEvent,
           properties: {
@@ -89,17 +89,30 @@ module.exports = function (core) {
     }
   }
-  sessionConfiguration.handleHttpOnly = function(sourceContext, cookie, sessionEvent) {
+  configurationAnalysis.handleHttpOnly = function(sourceContext, cookie, sessionEvent) {
     handle(HTTPONLY, sourceContext, cookie, sessionEvent);
   };
-  sessionConfiguration.handleSecure = function (sourceContext, cookie, sessionEvent) {
+  configurationAnalysis.handleSecure = function (sourceContext, cookie, sessionEvent) {
     handle(SECURE_FLAG_MISSING, sourceContext, cookie, sessionEvent);
   };
-  sessionConfiguration.reportFindings = function (finding) {
-    messages.emit(Event.ASSESS_SESSION_CONFIGURATION_FINDING, finding);
+  configurationAnalysis.handleGraphqlIntrospection = function (sourceContext, sessionEvent, value) {
+    const ruleId = GRAPHQL_INTROSPECTION;
+    const state = ensureState(ruleId, sourceContext);
+    if (sourceContext?.policy?.disabledRules?.has?.(ruleId) || state.reported) return;
+    configurationAnalysis.reportFindings({
+      ruleId,
+      sinkEvent: sessionEvent,
+      evidence: value
+    });
+    state.reported = true;
+  };
+  configurationAnalysis.reportFindings = function (finding) {
+    messages.emit(Event.ASSESS_CONFIGURATION_FINDING, finding);
   };
-  return sessionConfiguration;
+  return configurationAnalysis;
 };

package/node_modules/@contrast/assess/lib/{session-configuration → configuration-analysis}/index.js RENAMED Viewed

@@ -18,17 +18,19 @@
 const { callChildComponentMethodsSync } = require('@contrast/common');
 module.exports = function(core) {
-  const sessionConfiguration = core.assess.sessionConfiguration = {};
+  const configurationAnalysis = core.assess.configurationAnalysis = {};
   require('./handlers')(core);
+  require('./install/apollo-server')(core);
+  require('./install/graphql-yoga')(core);
   require('./install/express-session')(core);
   require('./install/fastify-cookie')(core);
   require('./install/hapi')(core);
   require('./install/koa')(core);
-  sessionConfiguration.install = function() {
-    callChildComponentMethodsSync(sessionConfiguration, 'install');
+  configurationAnalysis.install = function() {
+    callChildComponentMethodsSync(configurationAnalysis, 'install');
   };
-  return sessionConfiguration;
+  return configurationAnalysis;
 };

package/node_modules/@contrast/assess/lib/configuration-analysis/install/apollo-server.js ADDED Viewed

@@ -0,0 +1,92 @@
+/*
+ * Copyright: 2025 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { patchType } = require('../common');
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  scopes: import('@contrast/scopes').Scopes,
+ * }} core
+ */
+module.exports = function (core) {
+  const {
+    assess: {
+      inspect, // TODO NODE-3455: remove
+      getSourceContext,
+      eventFactory: { createSessionEvent },
+      configurationAnalysis: {
+        handleGraphqlIntrospection
+      },
+    },
+    depHooks,
+    patcher,
+  } = core;
+  const apolloServer = core.assess.configurationAnalysis.apolloServer = {};
+  apolloServer.install = function () {
+    return depHooks.resolve({ name: '@apollo/server', version: '>=4', file: 'dist/cjs' }, (xport) => {
+      if (!xport.ApolloServer) return;
+      patcher.patch(xport, 'ApolloServer', {
+        name: '@apollo/server.ApolloServer',
+        patchType,
+        post(data) {
+          if (!data.args[0]?.introspection) return;
+          const options = { introspection: true };
+          const optionsString = inspect(options);
+          const sessionEvent = createSessionEvent({
+            args: [{
+              tracked: false,
+              value: optionsString,
+            }],
+            context: optionsString,
+            name: '@apollo/server',
+            moduleName: 'ApolloServer',
+            methodName: '',
+            object: {
+              tracked: false,
+              value: 'ApolloServer',
+            },
+            result: {
+              tracked: false,
+            },
+            source: 'P0',
+            stacktraceOpts: {
+              constructorOpt: data.hooked,
+            },
+            framework: 'graphql',
+          });
+          patcher.patch(data.result, 'executeHTTPGraphQLRequest', {
+            name: 'ApolloServer.executeHTTPGraphQLRequest',
+            patchType,
+            post(data) {
+              const sourceContext = getSourceContext();
+              if (!sourceContext) return;
+              handleGraphqlIntrospection(sourceContext, sessionEvent, optionsString);
+            }
+          });
+        }
+      });
+    });
+  };
+  return apolloServer;
+};

package/node_modules/@contrast/assess/lib/{session-configuration → configuration-analysis}/install/express-session.js RENAMED Viewed

@@ -29,7 +29,7 @@ module.exports = function (core) {
       inspect, // TODO NODE-3455: remove
       getSourceContext,
       eventFactory: { createSessionEvent },
-      sessionConfiguration: {
+      configurationAnalysis: {
         handleHttpOnly,
         handleSecure,
       },
@@ -38,7 +38,7 @@ module.exports = function (core) {
     patcher,
   } = core;
-  const expressSession = core.assess.sessionConfiguration.expressSession = {};
+  const expressSession = core.assess.configurationAnalysis.expressSession = {};
   expressSession.install = function () {
     return depHooks.resolve({ name: 'express-session', version: '<2' }, (session) => {

package/node_modules/@contrast/assess/lib/{session-configuration → configuration-analysis}/install/fastify-cookie.js RENAMED Viewed

@@ -29,7 +29,7 @@ module.exports = function (core) {
       inspect, // TODO NODE-3455: remove
       getSourceContext,
       eventFactory: { createSessionEvent },
-      sessionConfiguration: {
+      configurationAnalysis: {
         handleHttpOnly,
         handleSecure,
       },
@@ -38,7 +38,7 @@ module.exports = function (core) {
     patcher,
   } = core;
-  return core.assess.sessionConfiguration.fastifyCookie = {
+  return core.assess.configurationAnalysis.fastifyCookie = {
     install () {
       depHooks.resolve({ name: '@fastify/cookie', version: '<12' }, (_export) => {
         const patched = patcher.patch(_export, {

package/node_modules/@contrast/assess/lib/configuration-analysis/install/graphql-yoga.js ADDED Viewed

@@ -0,0 +1,90 @@
+/*
+ * Copyright: 2025 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { patchType } = require('../common');
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  scopes: import('@contrast/scopes').Scopes,
+ * }} core
+ */
+module.exports = function (core) {
+  const {
+    assess: {
+      inspect, // TODO NODE-3455: remove
+      getSourceContext,
+      eventFactory: { createSessionEvent },
+      configurationAnalysis: {
+        handleGraphqlIntrospection
+      },
+    },
+    depHooks,
+    patcher,
+  } = core;
+  const graphqlYoga = core.assess.configurationAnalysis.graphqlYoga = {};
+  graphqlYoga.install = function () {
+    return depHooks.resolve({ name: '@graphql-yoga/plugin-disable-introspection', version: '*', file: 'cjs' }, (xport) => patcher.patch(xport, 'useDisableIntrospection', {
+      name: '@graphql-yoga/plugin-disable-introspection.useDisableIntrospection',
+      patchType,
+      post(data) {
+        const options = data.args[0];
+        const optionsString = inspect(options);
+        patcher.patch(data.result, 'onValidate', {
+          name: 'onValidate',
+          patchType,
+          pre(data) {
+            patcher.patch(data.args[0], 'addValidationRule', {
+              name: 'addValidationRule',
+              patchType,
+              post(data) {
+                const sourceContext = getSourceContext();
+                if (!sourceContext) return;
+                const sessionEvent = createSessionEvent({
+                  args: [{
+                    tracked: false,
+                    value: optionsString,
+                  }],
+                  context: optionsString,
+                  name: '@graphql-yoga',
+                  moduleName: 'plugin-disable-introspection',
+                  methodName: 'addValidationRule',
+                  object: {
+                    tracked: false,
+                    value: 'plugin-disable-introspection',
+                  },
+                  result: {
+                    tracked: false,
+                  },
+                  source: 'P0',
+                  stacktraceOpts: {
+                    constructorOpt: data.hooked,
+                  },
+                  framework: 'graphql',
+                });
+                handleGraphqlIntrospection(sourceContext, sessionEvent, optionsString);
+              }
+            });
+          }
+        });
+      }
+    }));
+  };
+  return graphqlYoga;
+};

package/node_modules/@contrast/assess/lib/{session-configuration → configuration-analysis}/install/hapi.js RENAMED Viewed

@@ -21,7 +21,7 @@ module.exports = function (core) {
     assess: {
       inspect, // TODO NODE-3455: remove
       eventFactory: { createSessionEvent },
-      sessionConfiguration: {
+      configurationAnalysis: {
         handleHttpOnly,
         handleSecure,
       },
@@ -31,7 +31,7 @@ module.exports = function (core) {
     scopes: { sources },
   } = core;
-  const hapiSession = core.assess.sessionConfiguration.hapiSession = {};
+  const hapiSession = core.assess.configurationAnalysis.hapiSession = {};
   hapiSession.install = function () {
     return depHooks.resolve({ name: '@hapi/hapi', version: '>=18 <22' }, (hapi) => {

package/node_modules/@contrast/assess/lib/{session-configuration → configuration-analysis}/install/koa.js RENAMED Viewed

@@ -28,7 +28,7 @@ module.exports = function (core) {
       inspect, // TODO NODE-3455: remove
       getSourceContext,
       eventFactory: { createSessionEvent },
-      sessionConfiguration: {
+      configurationAnalysis: {
         handleHttpOnly,
         handleSecure,
       },
@@ -37,9 +37,9 @@ module.exports = function (core) {
     patcher,
   } = core;
-  return core.assess.sessionConfiguration.koa = {
+  return core.assess.configurationAnalysis.koa = {
     install () {
-      depHooks.resolve({ name: 'koa', version: '>=2.3.0 <3' }, (Koa) => {
+      depHooks.resolve({ name: 'koa', version: '>=2.3.0 <4' }, (Koa) => {
         patcher.patch(Koa.prototype, 'use', {
           name: 'Koa.Application',
           patchType,

package/node_modules/@contrast/assess/lib/dataflow/propagation/install/string/substring.js CHANGED Viewed

@@ -89,7 +89,7 @@ module.exports = function(core) {
             const event = createPropagationEvent({
               name,
               moduleName: 'String',
-              methodName: 'prototype.substring',
+              methodName: `prototype.${method}`,
               get context() {
                 return `'${objInfo.value}'.substring(${ArrayPrototypeJoin.call(args.map(a => a.value))})`;
               },

package/node_modules/@contrast/assess/lib/dataflow/sources/handler.js CHANGED Viewed

@@ -76,6 +76,7 @@ module.exports = Core.makeComponent({
       stacktraceOpts,
       data,
       sourceContext,
+      onEvent,
     }) {
       if (!data) return;
@@ -105,7 +106,7 @@ module.exports = Core.makeComponent({
         }
         // create the stacktrace once per call to .handle()
         stack || (stack = sources.createStacktrace(stacktraceOpts));
-        return eventFactory.createSourceEvent({
+        const eventData = {
           context: `${context}.${pathName}`,
           name,
           fieldName,
@@ -114,7 +115,12 @@ module.exports = Core.makeComponent({
           inputType,
           tags: sources.createTags({ inputType, fieldName, value, tagNames }),
           result: { tracked: true, value },
-        });
+        };
+        const event = eventFactory.createSourceEvent(eventData);;
+        if (event && onEvent) onEvent(event, fieldName, pathName);
+        return event;
       }
       if (Buffer.isBuffer(data) && !tracker.getData(data)) {
@@ -129,6 +135,7 @@ module.exports = Core.makeComponent({
         const event = createEvent({ pathName: 'body', value: data, fieldName: '', excludedRules });
         if (event) {
+          if (onEvent) onEvent(event);
           tracker.track(data, event);
         }

package/node_modules/@contrast/assess/lib/dataflow/sources/index.js CHANGED Viewed

@@ -29,12 +29,14 @@ module.exports = function (core) {
   require('./install/body-parser')(core);
   require('./install/busboy')(core);
   require('./install/cookie-parser1')(core);
+  core.initComponentSync(require('./install/fastify-websocket'));
   require('./install/formidable1')(core);
   require('./install/graphql-http')(core);
   require('./install/http')(core);
   require('./install/qs6')(core);
   require('./install/querystring')(core);
   require('./install/multer1')(core);
+  core.initComponentSync(require('./install/socket.io'));
   sources.install = function install() {
     callChildComponentMethodsSync(sources, 'install');

package/node_modules/@contrast/assess/lib/dataflow/sources/install/fastify-websocket.js ADDED Viewed

@@ -0,0 +1,63 @@
+'use strict';
+const { InputType, set } = require('@contrast/common');
+const Core = require('@contrast/core/lib/ioc/core');
+const { patchType } = require('../common');
+const COMPONENT_NAME = 'assess.dataflow.sources.fastifyWebsocketInstrumentation';
+module.exports = Core.makeComponent({
+  name: COMPONENT_NAME,
+  factory: (core) => new FastifyWebsocketAssessSource(core),
+});
+class FastifyWebsocketAssessSource {
+  constructor(core) {
+    Object.defineProperty(this, 'core', { value: core });
+    set(core, COMPONENT_NAME, this);
+  }
+  /**
+   * Deploys @fastify/websocket instrumentation.
+   */
+  install() {
+    const {
+      depHooks,
+      patcher,
+      assess,
+    } = this.core;
+    depHooks.resolve({ name: '@fastify/websocket', version: '*' }, (fws) => {
+      // patch exported function
+      return patcher.patch(fws, {
+        name: '@fastify/websocket',
+        patchType,
+        post(data) {
+          // the plugin decorates fastify with the ws.WebSocketServer instance.
+          // we use the connection event to get reference to connecting
+          // WebSockets, and track when they emit message buffers.
+          data.args[0].websocketServer?.on?.('connection', (socket) => {
+            socket.on('message', function handler(data) {
+              const sourceContext = assess.getSourceContext();
+              // this should be present since sources run 'upgrade' requests in request scope
+              if (!sourceContext) return;
+              // this will track the emitted buffer
+              assess.dataflow.sources.handle({
+                data,
+                name: 'fastify-websocket',
+                inputType: InputType.WEBSOCKET,
+                stacktraceOpts: { constructorOpt: handler },
+                sourceContext,
+                onEvent(event) {
+                  event.context = 'WebSocket.on("message", ...args)';
+                  event.args = [{ value: 'args.0', tracked: true }];
+                },
+              });
+            });
+          });
+        }
+      });
+    });
+  }
+};