@contrast/agent 4.10.0 → 4.10.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (12) hide show
  1. package/bin/VERSION +1 -1
  2. package/bin/linux/contrast-service +0 -0
  3. package/bin/mac/contrast-service +0 -0
  4. package/bin/windows/contrast-service.exe +0 -0
  5. package/lib/assess/propagators/mongoose/helpers.js +36 -1
  6. package/lib/assess/propagators/mongoose/index.js +1 -0
  7. package/lib/assess/propagators/mongoose/map.js +19 -31
  8. package/lib/assess/propagators/mongoose/mixed.js +71 -0
  9. package/lib/core/arch-components/mysql.js +25 -15
  10. package/lib/core/arch-components/postgres.js +36 -26
  11. package/lib/core/arch-components/util.js +49 -0
  12. package/package.json +1 -1
package/bin/VERSION CHANGED
@@ -1 +1 @@
1
- 2.28.5
1
+ 2.28.9
package/bin/linux/contrast-service CHANGED
Binary file
package/bin/mac/contrast-service CHANGED
Binary file
package/bin/windows/contrast-service.exe CHANGED
Binary file
package/lib/assess/propagators/mongoose/helpers.js CHANGED
@@ -12,9 +12,44 @@ Copyright: 2022 Contrast Security, Inc
12
12
  engineered, modified, repackaged, sold, redistributed or otherwise used in a
13
13
  way not consistent with the End User License Agreement.
14
14
  */
15
+ const TagRange = require('../../models/tag-range');
16
+ const { CallContext, PropagationEvent, Signature } = require('../../models');
17
+
15
18
  const hasUserDefinedValidator = (data) =>
16
19
  data.obj.validators.some((validator) => validator.type === 'user defined');
17
20
 
21
+ const tagCustomValidatedValues = (values, data, tracker, tagRangeUtil) => {
22
+ for (const value of values) {
23
+ if (typeof value !== 'string') continue;
24
+
25
+ const trackingData = tracker.track(value);
26
+
27
+ if (!trackingData) return;
28
+
29
+ const { props } = trackingData;
30
+ const stringLength = value.length - 1;
31
+
32
+ props.tagRanges = tagRangeUtil.add(
33
+ props.tagRanges,
34
+ new TagRange(0, stringLength, 'custom-validated-nosql-injection')
35
+ );
36
+
37
+ props.tagRanges = tagRangeUtil.add(
38
+ props.tagRanges,
39
+ new TagRange(0, stringLength, 'string-type-checked')
40
+ );
41
+
42
+ props.event = new PropagationEvent({
43
+ context: new CallContext(data),
44
+ signature: new Signature('mongoose.mixed.doValidateSync'),
45
+ tagRanges: props.tagRanges,
46
+ source: 'P',
47
+ target: 'A',
48
+ parents: [props.event]
49
+ });
50
+ }
51
+ };
18
52
  module.exports = {
19
- hasUserDefinedValidator
53
+ hasUserDefinedValidator,
54
+ tagCustomValidatedValues
20
55
  };
package/lib/assess/propagators/mongoose/index.js CHANGED
@@ -15,4 +15,5 @@ Copyright: 2022 Contrast Security, Inc
15
15
  module.exports.handle = () => {
16
16
  require('./map');
17
17
  require('./string');
18
+ require('./mixed');
18
19
  };
package/lib/assess/propagators/mongoose/map.js CHANGED
@@ -21,9 +21,11 @@ const tagRangeUtil = require('../../models/tag-range/util');
21
21
  const {
22
22
  PATCH_TYPES: { ASSESS_PROPAGATOR }
23
23
  } = require('../../../constants');
24
- const TagRange = require('../../models/tag-range');
25
- const { CallContext, PropagationEvent, Signature } = require('../../models');
26
- const { hasUserDefinedValidator } = require('./helpers');
24
+ const {
25
+ hasUserDefinedValidator,
26
+ tagCustomValidatedValues
27
+ } = require('./helpers');
28
+ const agent = require('../../../agent');
27
29
 
28
30
  const doValidateSyncPatcher = (SchemaMap) => {
29
31
  patcher.patch(SchemaMap.prototype, 'doValidateSync', {
@@ -31,37 +33,16 @@ const doValidateSyncPatcher = (SchemaMap) => {
31
33
  name: 'mongoose.map.doValidateSync',
32
34
  patchType: ASSESS_PROPAGATOR,
33
35
  post(data) {
34
- if (data.result || data.obj.options.of.name !== 'String') return;
36
+ if (data.result) return;
35
37
 
36
38
  if (!hasUserDefinedValidator(data)) return;
37
39
 
38
- for (const value of data.args[0].values()) {
39
- const trackingData = tracker.track(value);
40
-
41
- if (!trackingData) return;
42
-
43
- const { props } = trackingData;
44
- const stringLength = value.length - 1;
45
-
46
- props.tagRanges = tagRangeUtil.add(
47
- props.tagRanges,
48
- new TagRange(0, stringLength, 'custom-validated-nosql-injection')
49
- );
50
-
51
- props.tagRanges = tagRangeUtil.add(
52
- props.tagRanges,
53
- new TagRange(0, stringLength, 'string-type-checked')
54
- );
55
-
56
- props.event = new PropagationEvent({
57
- context: new CallContext(data),
58
- signature: new Signature('mongoose.map.doValidateSync'),
59
- tagRanges: props.tagRanges,
60
- source: 'P',
61
- target: 'A',
62
- parents: [props.event]
63
- });
64
- }
40
+ tagCustomValidatedValues(
41
+ data.args[0].values(),
42
+ data,
43
+ tracker,
44
+ tagRangeUtil
45
+ );
65
46
  }
66
47
  });
67
48
  };
@@ -69,6 +50,13 @@ const doValidateSyncPatcher = (SchemaMap) => {
69
50
  requireHook.resolve(
70
51
  { name: 'mongoose', file: 'lib/schema/map.js', version: '>=5.0.0' },
71
52
  (SchemaMap) => {
53
+ if (
54
+ !agent.config ||
55
+ (agent.config && !agent.config.agent.trust_custom_validators)
56
+ ) {
57
+ return;
58
+ }
59
+
72
60
  doValidateSyncPatcher(SchemaMap);
73
61
  }
74
62
  );
package/lib/assess/propagators/mongoose/mixed.js ADDED
@@ -0,0 +1,71 @@
1
+ /**
2
+ Copyright: 2022 Contrast Security, Inc
3
+ Contact: support@contrastsecurity.com
4
+ License: Commercial
5
+
6
+ NOTICE: This Software and the patented inventions embodied within may only be
7
+ used as part of Contrast Security’s commercial offerings. Even though it is
8
+ made available through public repositories, use of this Software is subject to
9
+ the applicable End User Licensing Agreement found at
10
+ https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
11
+ between Contrast Security and the End User. The Software may not be reverse
12
+ engineered, modified, repackaged, sold, redistributed or otherwise used in a
13
+ way not consistent with the End User License Agreement.
14
+ */
15
+ 'use strict';
16
+
17
+ const tracker = require('../../../tracker');
18
+ const patcher = require('../../../hooks/patcher');
19
+ const requireHook = require('../../../hooks/require');
20
+ const tagRangeUtil = require('../../models/tag-range/util');
21
+ const {
22
+ PATCH_TYPES: { ASSESS_PROPAGATOR }
23
+ } = require('../../../constants');
24
+ const {
25
+ hasUserDefinedValidator,
26
+ tagCustomValidatedValues
27
+ } = require('./helpers');
28
+ const agent = require('../../../agent');
29
+
30
+ const doValidateSyncPatcher = (SchemaMap) => {
31
+ patcher.patch(SchemaMap.prototype, 'doValidateSync', {
32
+ alwaysRun: true,
33
+ name: 'mongoose.mixed.doValidateSync',
34
+ patchType: ASSESS_PROPAGATOR,
35
+ post(data) {
36
+ if (data.result || !hasUserDefinedValidator(data)) return;
37
+
38
+ const input = data.args[0];
39
+ const inputType = typeof input;
40
+
41
+ if (inputType !== 'string' && inputType !== 'object') return;
42
+
43
+ let values;
44
+ if (inputType === 'string') {
45
+ values = [input];
46
+ } else if (Array.isArray(input)) {
47
+ values = input;
48
+ } else if (input instanceof Map) {
49
+ values = input.values();
50
+ } else {
51
+ values = Object.values(input);
52
+ }
53
+
54
+ tagCustomValidatedValues(values, data, tracker, tagRangeUtil);
55
+ }
56
+ });
57
+ };
58
+
59
+ requireHook.resolve(
60
+ { name: 'mongoose', file: 'lib/schema/mixed.js', version: '>=5.0.0' },
61
+ (SchemaMap) => {
62
+ if (
63
+ !agent.config ||
64
+ (agent.config && !agent.config.agent.trust_custom_validators)
65
+ ) {
66
+ return;
67
+ }
68
+
69
+ doValidateSyncPatcher(SchemaMap);
70
+ }
71
+ );
package/lib/core/arch-components/mysql.js CHANGED
@@ -19,6 +19,7 @@ const ModuleHook = require('../../hooks/require');
19
19
  const agentEmitter = require('../../agent-emitter');
20
20
  const { PATCH_TYPES } = require('../../constants');
21
21
  const logger = require('../logger')('contrast:arch-component');
22
+ const waitToConnect = require('./util');
22
23
 
23
24
  ModuleHook.resolve(
24
25
  { name: 'mysql', file: 'lib/Connection.js' },
@@ -28,22 +29,31 @@ ModuleHook.resolve(
28
29
  patchType: PATCH_TYPES.ARCH_COMPONENT,
29
30
  alwaysRun: true,
30
31
  post(wrapCtx) {
31
- try {
32
- let url = 'mysql://';
33
- if (this.config.socketPath) {
34
- url += this.config.socketPath;
35
- } else {
36
- url += `${this.config.host}`;
37
- }
38
- agentEmitter.emit('architectureComponent', {
39
- vendor: 'MySQL',
40
- url: new URL(url).toString(),
41
- remoteHost: '',
42
- remotePort: !this.config.socketPath ? this.config.port : -1
32
+ waitToConnect(wrapCtx)
33
+ .then(() => {
34
+ try {
35
+ let url = 'mysql://';
36
+ if (this.config.socketPath) {
37
+ url += this.config.socketPath;
38
+ } else {
39
+ url += `${this.config.host}`;
40
+ }
41
+ agentEmitter.emit('architectureComponent', {
42
+ vendor: 'MySQL',
43
+ url: new URL(url).toString(),
44
+ remoteHost: '',
45
+ remotePort: !this.config.socketPath ? this.config.port : -1
46
+ });
47
+ } catch (err) {
48
+ logger.warn(
49
+ 'unable to report MySQL architecture component\n',
50
+ err
51
+ );
52
+ }
53
+ })
54
+ .catch((err) => {
55
+ logger.warn('unable to report MySQL architecture component\n', err);
43
56
  });
44
- } catch (err) {
45
- logger.warn('unable to report MySQL architecture component\n', err);
46
- }
47
57
  }
48
58
  });
49
59
  }
package/lib/core/arch-components/postgres.js CHANGED
@@ -18,6 +18,7 @@ const ModuleHook = require('../../hooks/require');
18
18
  const agentEmitter = require('../../agent-emitter');
19
19
  const { PATCH_TYPES } = require('../../constants');
20
20
  const logger = require('../logger')('contrast:arch-component');
21
+ const waitToConnect = require('./util');
21
22
 
22
23
  ModuleHook.resolve({ name: 'pg', file: 'lib/client.js' }, (pgClient) =>
23
24
  patcher.patch(pgClient, {
@@ -25,37 +26,46 @@ ModuleHook.resolve({ name: 'pg', file: 'lib/client.js' }, (pgClient) =>
25
26
  patchType: PATCH_TYPES.ARCH_COMPONENT,
26
27
  alwaysRun: true,
27
28
  post(wrapCtx) {
28
- try {
29
- const {
30
- host = process.env.PGHOST,
31
- port = process.env.PGPORT
32
- } = wrapCtx.result;
29
+ waitToConnect(wrapCtx)
30
+ .then(() => {
31
+ try {
32
+ const {
33
+ host = process.env.PGHOST,
34
+ port = process.env.PGPORT
35
+ } = wrapCtx.result;
33
36
 
34
- if (!host) {
35
- return;
36
- }
37
+ if (!host) {
38
+ return;
39
+ }
37
40
 
38
- let url = host;
41
+ let url = host;
39
42
 
40
- // build protocol and port into url prior to parsing
41
- if (url.indexOf('://') === -1) {
42
- url = `postgresql://${url}`;
43
- }
44
- if (port !== undefined) {
45
- url = `${url}:${port}`;
46
- }
43
+ // build protocol and port into url prior to parsing
44
+ if (url.indexOf('://') === -1) {
45
+ url = `postgresql://${url}`;
46
+ }
47
+ if (port !== undefined) {
48
+ url = `${url}:${port}`;
49
+ }
47
50
 
48
- agentEmitter.emit('architectureComponent', {
49
- vendor: 'PostgreSQL',
50
- remotePort: port || 0,
51
- url: new URL(url).toString()
51
+ agentEmitter.emit('architectureComponent', {
52
+ vendor: 'PostgreSQL',
53
+ remotePort: port || 0,
54
+ url: new URL(url).toString()
55
+ });
56
+ } catch (err) {
57
+ logger.warn(
58
+ 'unable to report PostgreSQL architecture component\n%o',
59
+ err
60
+ );
61
+ }
62
+ })
63
+ .catch((err) => {
64
+ logger.warn(
65
+ 'unable to report PostgreSQL architecture component\n%o',
66
+ err
67
+ );
52
68
  });
53
- } catch (err) {
54
- logger.warn(
55
- 'unable to report PostgreSQL architecture component\n%o',
56
- err
57
- );
58
- }
59
69
  }
60
70
  })
61
71
  );
package/lib/core/arch-components/util.js ADDED
@@ -0,0 +1,49 @@
1
+ /**
2
+ Copyright: 2022 Contrast Security, Inc
3
+ Contact: support@contrastsecurity.com
4
+ License: Commercial
5
+
6
+ NOTICE: This Software and the patented inventions embodied within may only be
7
+ used as part of Contrast Security’s commercial offerings. Even though it is
8
+ made available through public repositories, use of this Software is subject to
9
+ the applicable End User Licensing Agreement found at
10
+ https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
11
+ between Contrast Security and the End User. The Software may not be reverse
12
+ engineered, modified, repackaged, sold, redistributed or otherwise used in a
13
+ way not consistent with the End User License Agreement.
14
+ */
15
+ const MYSQL = 'mysql.connect.arch_component';
16
+ const POSTGRES = 'pg.Client.arch_component';
17
+
18
+ module.exports = function waitToConnect(ctx, count = 0) {
19
+ return new Promise((resolve, reject) => {
20
+ const maxAttempts = 10 * 60; // i.e., 1 min.
21
+ const checkConnection = setInterval(
22
+ function(ctx, resolve, reject) {
23
+ if (count >= maxAttempts) {
24
+ clearInterval(checkConnection);
25
+ reject();
26
+ }
27
+ switch (ctx.name) {
28
+ case MYSQL:
29
+ if (ctx.obj.state === 'authenticated') {
30
+ clearInterval(checkConnection);
31
+ resolve();
32
+ }
33
+ break;
34
+ case POSTGRES:
35
+ if (ctx.result._connected) {
36
+ clearInterval(checkConnection);
37
+ resolve();
38
+ }
39
+ break;
40
+ }
41
+ count++;
42
+ },
43
+ 100,
44
+ ctx,
45
+ resolve,
46
+ reject
47
+ );
48
+ });
49
+ };
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@contrast/agent",
3
- "version": "4.10.0",
3
+ "version": "4.10.1",
4
4
  "description": "Node.js security instrumentation by Contrast Security",
5
5
  "keywords": [
6
6
  "security",