@contrast/agent 4.10.1 → 4.10.5

package/bin/VERSION

@@ -1 +1 @@
-2.28.9
+2.28.13

package/bootstrap.js

@@ -1,4 +1,3 @@
-#!/usr/bin/env node
 /**
 Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
@@ -13,6 +12,7 @@ Copyright: 2022 Contrast Security, Inc
   engineered, modified, repackaged, sold, redistributed or otherwise used in a
   way not consistent with the End User License Agreement.
 */
+'use strict';
 
 const startTime = process.hrtime();
 
@@ -25,7 +25,7 @@ const orig = Module.runMain;
  * process before invoking the main
  * script from cli
  */
-Module.runMain = async function(...args) {
+Module.runMain = async function (...args) {
   const { isMainThread } = require('worker_threads');
 
   try {

package/esm.mjs

@@ -24,13 +24,45 @@ if (enabled) {
 await loader.resetArgs(process.argv[0], process.argv[1]);
 const { readFile } = require('fs').promises;
 
+const path = require('path');
 const agent = require(`./lib/agent.js`);
 const logger = require(`./lib/core/logger/index.js`)('contrast:esm-loaders');
 const rewriter = require(`./lib/core/rewrite/index.js`)(agent);
 const helpers = require(`./lib/hooks/module/helpers.js`);
+const parent = require('parent-package-json');
 
 const loadedFromCache = new Set();
 
+function getType(url) {
+  const {protocol, pathname} = new URL(url);
+
+  let parentType = 'commonjs';
+  try {
+    parentType = parent(pathname).parse().type;
+  } catch (err) {
+    // Node assumes `commonjs ` if there's no `type` set in package.json
+  }
+
+  if (protocol === 'node:') {
+    return 'builtin';
+  }
+  if (protocol === 'file:') {
+    const ext = path.extname(pathname);
+    if (
+      ext === '.mjs' || 
+      (ext === '.js' && parentType === 'module')
+    ){
+        return 'module';
+      } 
+    else if (
+      ext === '.cjs' || 
+      (ext === '.js' && parentType !== 'module')
+    ){
+        return 'commonjs';
+      }
+  }
+  return 'unknown';
+}
 /**
  * The `getSource` hook is used to provide a custom method for retrieving source
  * code. In our case, we check for previously rewritten ESM files in our cache
@@ -110,15 +142,25 @@ export async function transformSource(source, context, defaultTransformSource) {
  * @returns {Promise<{ format: string, source: string | SharedArrayBuffer | Uint8Array }>}
  */
 export async function load(url, context, defaultLoad) {
+  const type = getType(url);
+
+  if (type === 'builtin' || type === 'unknown') {
+    logger.debug(
+      'Skipping rewrite for %s module %s, loading original code',
+      type,
+      url
+    );
+    return defaultLoad(url, context, defaultLoad);
+  }
+
   const filename = fileURLToPath(url);
 
   try {
     const cached = helpers.find(agent, filename);
     const source = cached || await readFile(filename, 'utf8');
-    const result = rewriter.rewriteFile(source, filename, { sourceType: 'module' });
+    const result = rewriter.rewriteFile(source, filename, { sourceType: type === 'commonjs' ? 'script' : 'module' });
     helpers.cacheWithSourceMap(agent, filename, result);
-    return { format: context.format, source: result.code };
-
+    return { format: type, source: result.code };
   } catch (err) {
     logger.error(
       'Failed to load rewritten code for %s, err: %o, rewritten code %s, loading original code.',

package/lib/core/express/index.js

@@ -26,7 +26,7 @@ const { isString } = require('../../util/is-string');
 const { emitSendEvent } = require('../../hooks/frameworks/common');
 const {
   prototype: { decorateRequest },
-  setFrameworkRequest
+  setFrameworkRequest,
 } = require('../../hooks/frameworks/base');
 const ExpressRequest = require('../../reporter/models/frameworks/express-request');
 
@@ -40,7 +40,7 @@ const {
   INPUT_TYPES,
   SINK_TYPES,
   MW_PATH,
-  LAYER_STACK
+  LAYER_STACK,
 } = constants;
 const { EVENTS } = Helpers;
 
@@ -111,14 +111,14 @@ class ExpressFramework {
         agentEmitter.emit(
           EVENTS.REQUEST_SEND,
           data.args[0],
-          SINK_TYPES.RESPONSE_BODY
+          SINK_TYPES.RESPONSE_BODY,
         );
 
-        const body = data.args[0];
+        const [body] = data.args;
         if (isString(body)) {
           emitSendEvent(body.valueOf());
         }
-      }
+      },
     });
 
     patcher.patch(express.response, 'push', {
@@ -128,14 +128,14 @@ class ExpressFramework {
         agentEmitter.emit(
           EVENTS.REQUEST_SEND,
           data.args[0],
-          SINK_TYPES.RESPONSE_BODY
+          SINK_TYPES.RESPONSE_BODY,
         );
 
-        const body = data.args[0];
+        const [body] = data.args;
         if (isString(body)) {
           emitSendEvent(body.valueOf());
         }
-      }
+      },
     });
 
     patcher.patch(express.response, 'end', {
@@ -145,9 +145,9 @@ class ExpressFramework {
         agentEmitter.emit(
           EVENTS.REQUEST_SEND,
           data.args[0],
-          SINK_TYPES.RESPONSE_BODY
+          SINK_TYPES.RESPONSE_BODY,
         );
-      }
+      },
     });
 
     patcher.patch(express.Router, 'use', {
@@ -157,7 +157,7 @@ class ExpressFramework {
       pre: self.injectContrastMiddleware.bind(self),
       post: (wrapCtx) => {
         agentEmitter.emit(EVENTS.ROUTER_USE, self, wrapCtx);
-      }
+      },
     });
 
     patcher.patch(express.Router, 'route', {
@@ -166,7 +166,7 @@ class ExpressFramework {
       alwaysRun: true,
       post: (wrapCtx) => {
         agentEmitter.emit(EVENTS.ROUTER_ROUTE, self, wrapCtx);
-      }
+      },
     });
 
     LC_HTTP_VERBS.forEach((verb) => {
@@ -177,7 +177,7 @@ class ExpressFramework {
         pre: self.injectContrastMiddleware.bind(self),
         post: (wrapCtx) => {
           agentEmitter.emit(EVENTS.ROUTER_METHOD, self, wrapCtx, verb);
-        }
+        },
       });
     });
 
@@ -188,7 +188,7 @@ class ExpressFramework {
       pre: self.injectContrastMiddleware.bind(self),
       post: (wrapCtx) => {
         agentEmitter.emit(EVENTS.ROUTER_METHOD, self, wrapCtx, 'all');
-      }
+      },
     });
 
     patcher.patch(express.application, 'use', {
@@ -198,7 +198,7 @@ class ExpressFramework {
       pre: self.injectContrastMiddleware.bind(self),
       post: (wrapCtx) => {
         agentEmitter.emit(EVENTS.APP_USE, self, wrapCtx);
-      }
+      },
     });
 
     LC_HTTP_VERBS.forEach((verb) => {
@@ -209,7 +209,7 @@ class ExpressFramework {
         pre: self.injectContrastMiddleware.bind(self),
         post: (wrapCtx) => {
           agentEmitter.emit(EVENTS.APP_METHOD, self, wrapCtx, verb);
-        }
+        },
       });
     });
 
@@ -220,7 +220,7 @@ class ExpressFramework {
       pre: self.injectContrastMiddleware.bind(self),
       post: (wrapCtx) => {
         agentEmitter.emit(EVENTS.APP_METHOD, self, wrapCtx, 'all');
-      }
+      },
     });
 
     agentEmitter.on(HTTP_EVENTS.SERVER_CREATE, this.onServerCreate.bind(this));
@@ -238,7 +238,7 @@ class ExpressFramework {
     if (!app || !app.defaultConfiguration) {
       logger.error(
         `non-express application mistakenly registered`,
-        new Error().stack
+        new Error().stack,
       );
       return;
     }
@@ -305,7 +305,7 @@ class ExpressFramework {
         EVENTS.REQUEST_READY,
         req,
         res,
-        INPUT_TYPES.QUERYSTRING
+        INPUT_TYPES.QUERYSTRING,
       );
       next();
     }, 'query');
@@ -322,6 +322,14 @@ class ExpressFramework {
       next();
     }, 'rawParser');
 
+    // ... bodyParser in Sails Framework ............................
+    this.useAfter(function ContrastBodyParsed(req, res, next) {
+      if (req._sails && req.body) {
+        agentEmitter.emit(EVENTS.BODY_PARSED, req, res, INPUT_TYPES.BODY);
+      }
+      next();
+    }, '_parseHTTPBody');
+
     this.useAfter(function ContrastTextBodyParsed(req, res, next) {
       agentEmitter.emit(EVENTS.BODY_PARSED, req, res, INPUT_TYPES.BODY);
       next();
@@ -329,7 +337,7 @@ class ExpressFramework {
 
     this.useAfter(function ContrastBodyParsed(req, res, next) {
       agentEmitter.emit(EVENTS.BODY_PARSED, req, res, {
-        type: INPUT_TYPES.BODY
+        type: INPUT_TYPES.BODY,
       });
       next();
     }, 'urlencodedParser');
@@ -345,7 +353,7 @@ class ExpressFramework {
         EVENTS.COOKIES_PARSED,
         req,
         res,
-        INPUT_TYPES.COOKIE_VALUE
+        INPUT_TYPES.COOKIE_VALUE,
       );
 
       next();
@@ -395,7 +403,7 @@ class ExpressFramework {
             patchType: PATCH_TYPES.SOURCE,
             pre(data) {
               req[LAYER_STACK].pop();
-            }
+            },
           });
           if (req.query) {
             decorateRequest({ query: req.query });
@@ -406,11 +414,11 @@ class ExpressFramework {
               EVENTS.PARAM_PARSED,
               req,
               res,
-              INPUT_TYPES.URL_PARAMETER
+              INPUT_TYPES.URL_PARAMETER,
             );
 
             decorateRequest({
-              parameters: req.params
+              parameters: req.params,
             });
           }
 
@@ -422,21 +430,18 @@ class ExpressFramework {
 
             Whatever the core issue is, it doesn't appear to have any effects
             elsewhere in any of our Express/Kraken framework support.
-
-            BODY_PARSED event is emitted to support Sails framework
            */
           if (req.body) {
             decorateRequest({ body: req.body });
-            agentEmitter.emit(EVENTS.BODY_PARSED, req, res, req.body);
           }
-        }
+        },
       });
     }
   }
 
   useAfter(fn, after) {
     this.handlers[after] = {
-      post: fn
+      post: fn,
     };
   }
 

package/lib/core/logger/debug-logger.js

@@ -108,9 +108,10 @@ class DebugLogFactory {
 
     // We always log to a file, but check whether we should log to stdout
     if (
-      !this.stdout ||
-      !process.env.DEBUG ||
-      !/(^|,\s*)contrast:.+/.test(process.env.DEBUG)
+      this.loggerPath &&
+      (!this.stdout ||
+        !process.env.DEBUG ||
+        !/(^|,\s*)contrast:.+/.test(process.env.DEBUG))
     ) {
       this.mute = true;
     }

package/lib/core/rewrite/binary-expression.js

@@ -15,7 +15,6 @@ Copyright: 2022 Contrast Security, Inc
 'use strict';
 
 const t = require('@babel/types');
-const _ = require('lodash');
 
 /**
  * Wraps binary expressions in one of the following: `ContrastMethods.__add`,
@@ -30,7 +29,7 @@ const _ = require('lodash');
  * @param {import('.').State} state
  */
 module.exports = function BinaryExpression(path, state) {
-  const spec = _.find(state.specs, { token: path.node.operator });
+  const spec = state.specs.find(({ token }) => token === path.node.operator);
   if (
     !spec ||
     !state.callees[spec.name] ||

package/lib/core/rewrite/callees.js

@@ -15,7 +15,6 @@ Copyright: 2022 Contrast Security, Inc
 'use strict';
 
 const { expression } = require('@babel/template');
-const _ = require('lodash');
 
 /**
  * @typedef {Object} Spec
@@ -132,7 +131,9 @@ module.exports = function createCallees(agent) {
   const callees = specs.reduce(
     (memo, spec) =>
       (assessMode && spec.modes.assess) || (protectMode && spec.modes.protect)
-        ? _.set(memo, spec.name, calleeBuilder({ name: spec.name }))
+        ? Object.assign(memo, {
+            [spec.name]: calleeBuilder({ name: spec.name })
+          })
         : memo,
     {}
   );

package/lib/core/rewrite/catch-clause.js

@@ -13,7 +13,6 @@ Copyright: 2022 Contrast Security, Inc
   way not consistent with the End User License Agreement.
 */
 const { statement } = require('@babel/template');
-const _ = require('lodash');
 
 const logStatementBuilder = statement(
   `if (global.CONTRAST_LOG) {
@@ -38,7 +37,10 @@ const logStatementBuilder = statement(
  * @param {import('.').State} state
  */
 module.exports = function CatchClause(path, state) {
-  if (!_.get(state.agent, 'config.agent.node.enable_catch_log')) return;
+  const { config } = state.agent;
+  if (!config || !config.agent.node.enable_catch_log) {
+    return;
+  }
 
   path.node.param = path.node.param || path.scope.generateUidIdentifier('err');
   path

package/lib/core/rewrite/import-declaration.js

@@ -15,7 +15,6 @@ Copyright: 2022 Contrast Security, Inc
 'use strict';
 
 const t = require('@babel/types');
-const _ = require('lodash');
 
 const IMPORT_META_URL_MEMBER_EXPRESSION = t.memberExpression(
   t.memberExpression(t.identifier('import'), t.identifier('meta')),
@@ -49,7 +48,8 @@ module.exports = function ImportDeclaration(path, state) {
 
   path.insertAfter(
     specifiers.map((importSpec) => {
-      const spec = _.find(state.specs, { type: importSpec.type });
+      const spec = state.specs.find(({ type }) => type === importSpec.type);
+
       if (!spec || !state.callees[spec.name]) return;
 
       const args = [importSpec.local];

package/lib/core/rewrite/index.js

@@ -116,6 +116,7 @@ class Rewriter {
       null,
       initialState
     );
+    traverse.cache.clear();
   }
 
   /**

package/lib/core/rewrite/injections.js

@@ -14,7 +14,6 @@ Copyright: 2022 Contrast Security, Inc
 */
 'use strict';
 
-const _ = require('lodash');
 const logger = require('../logger')('contrast:rewrite:injections');
 const patcher = require('../../hooks/patcher');
 const { PATCH_TYPES } = require('../../constants');
@@ -161,8 +160,7 @@ module.exports = {
    * @returns {Injection[]}
    */
   getEnabled() {
-    return _.reduce(
-      injections,
+    return Object.values(injections).reduce(
       (enabled, injection) =>
         injection.enabled() ? [...enabled, injection] : enabled,
       []

package/lib/core/rewrite/rewrite-log.js

@@ -13,7 +13,6 @@ Copyright: 2022 Contrast Security, Inc
   way not consistent with the End User License Agreement.
 */
 'use strict';
-const _ = require('lodash');
 
 /**
  * Helper class that provides some means of optimizing the rewrite process.
@@ -32,11 +31,9 @@ module.exports = class RewriteLog {
     this._tokenMatches = specs.reduce(
       (matches, spec) =>
         callees[spec.name]
-          ? _.set(
-              matches,
-              spec.name,
-              !spec.token || 0 <= codeString.indexOf(spec.token)
-            )
+          ? Object.assign(matches, {
+              [spec.name]: !spec.token || 0 <= codeString.indexOf(spec.token)
+            })
           : matches,
       {}
     );
@@ -60,7 +57,7 @@ module.exports = class RewriteLog {
    * if we need to even rewrite the code at all.
    */
   foundTokens() {
-    return _.some(this._tokenMatches, _.identity);
+    return Object.values(this._tokenMatches).some(Boolean);
   }
 
   /**
@@ -72,6 +69,6 @@ module.exports = class RewriteLog {
    * make changes, we can just return original code.
    */
   rewritesOccurred() {
-    return !this.aborted && _.some(this._tokensRewritten, _.identity);
+    return !this.aborted && Object.values(this._tokensRewritten).some(Boolean);
   }
 };

package/lib/util/traverse.js

@@ -59,7 +59,7 @@ class Path extends Stack {
 
     super.push({
       key,
-      array
+      array,
     });
   }
 }
@@ -74,7 +74,16 @@ class Visitor {
     this.cache = new WeakSet();
   }
 
-  visit(key, value) {
+  visit(key, value, isMaxDepthReached) {
+    if (isMaxDepthReached) {
+      this.updateStacks(
+        { counter: this.counter, path: this.path },
+        null,
+        null,
+        isMaxDepthReached,
+      );
+      return;
+    }
     // skip circular objects
     if (typeof value === 'object' && value !== null) {
       if (this.cache.has(value)) {
@@ -96,7 +105,11 @@ class Visitor {
     return newVal || value;
   }
 
-  updateStacks(stacks, key, value) {
+  updateStacks(stacks, key, value, isMaxDepthReached) {
+    if (isMaxDepthReached) {
+      stacks.counter.pop();
+      stacks.path.pop();
+    }
     // We're decending into the object, so here we're
     // just building up the stacks.
 
@@ -123,7 +136,7 @@ class Visitor {
         return this.updateStacks(
           { counter: this.counter, path: this.path },
           key,
-          value
+          value,
         );
       }
       return;
@@ -136,16 +149,34 @@ function traverse(obj, fn, visitor, maxDepth) {
     maxDepth = visitor;
     visitor = undefined;
   }
-
   visitor =
     visitor ||
-    new Visitor(function(key, value, depth, paths) {
+    new Visitor(function (key, value, depth, paths) {
       fn(key, value, depth, paths);
     }, maxDepth);
 
-  JSON.stringify(obj, function(k, v) {
-    // if  is traversable and empty, call traverse on value and pass in existing visitor
-    return visitor.visit(k, v);
+  traverseObject(obj, visitor, maxDepth);
+}
+
+function traverseObject(obj, visitor, remainingDepth = Infinity) {
+  if (!obj) {
+    return;
+  }
+  if (visitor.path.length() < 1) {
+    visitor.visit('', obj);
+  }
+
+  // This is done just to reset the stack, without changing the current impletion
+  if (remainingDepth == 0) {
+    visitor.visit(null, null, true);
+    return;
+  }
+
+  Object.entries(obj).forEach(([key, value]) => {
+    visitor.visit(key, value);
+    if (value && typeof value === 'object') {
+      traverseObject(value, visitor, remainingDepth - 1);
+    }
   });
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.10.1",
+  "version": "4.10.5",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",
@@ -113,12 +113,14 @@
   "devDependencies": {
     "@aws-sdk/client-dynamodb": "^3.39.0",
     "@bmacnaughton/string-generator": "^1.0.0",
-    "@contrast/eslint-config": "^2.0.1",
+    "@contrast/eslint-config": "^2.2.0",
     "@contrast/fake-module": "file:test/mock/contrast-fake",
     "@contrast/screener-service": "^1.12.9",
     "@hapi/boom": "file:test/mock/boom",
     "@hapi/hapi": "file:test/mock/hapi",
     "@ls-lint/ls-lint": "^1.8.1",
+    "@typescript-eslint/eslint-plugin": "^5.10.2",
+    "@typescript-eslint/parser": "^5.10.2",
     "ajv": "^8.5.0",
     "ast-types": "^0.12.4",
     "aws-sdk": "file:test/mock/aws-sdk",
@@ -135,11 +137,11 @@
     "dustjs-linkedin": "^3.0.1",
     "ejs": "^3.1.6",
     "escape-html": "^1.0.3",
-    "eslint": "^8.2.0",
-    "eslint-config-prettier": "^6.11.0",
-    "eslint-plugin-mocha": "^7.0.1",
+    "eslint": "^8.8.0",
+    "eslint-config-prettier": "^8.3.0",
+    "eslint-plugin-mocha": "^10.0.3",
     "eslint-plugin-node": "^11.1.0",
-    "eslint-plugin-prettier": "^3.1.4",
+    "eslint-plugin-prettier": "^4.0.0",
     "express": "file:test/mock/express",
     "fetch-cookie": "^0.11.0",
     "form-data": "^3.0.0",
@@ -168,7 +170,7 @@
     "nyc": "^15.1.0",
     "pg": "file:test/mock/pg",
     "pino": "^6.7.0",
-    "prettier": "^1.19.1",
+    "prettier": "^2.5.1",
     "proxyquire": "^2.1.0",
     "qs": "^6.9.4",
     "rethinkdb": "file:test/mock/rethinkdb",