@contrast/agent 4.10.4 → 4.11.0

package/bin/VERSION

@@ -1 +1 @@
-2.28.12
+2.28.13

package/esm.mjs

@@ -24,13 +24,45 @@ if (enabled) {
 await loader.resetArgs(process.argv[0], process.argv[1]);
 const { readFile } = require('fs').promises;
 
+const path = require('path');
 const agent = require(`./lib/agent.js`);
 const logger = require(`./lib/core/logger/index.js`)('contrast:esm-loaders');
 const rewriter = require(`./lib/core/rewrite/index.js`)(agent);
 const helpers = require(`./lib/hooks/module/helpers.js`);
+const parent = require('parent-package-json');
 
 const loadedFromCache = new Set();
 
+function getType(url) {
+  const {protocol, pathname} = new URL(url);
+
+  let parentType = 'commonjs';
+  try {
+    parentType = parent(pathname).parse().type;
+  } catch (err) {
+    // Node assumes `commonjs ` if there's no `type` set in package.json
+  }
+
+  if (protocol === 'node:') {
+    return 'builtin';
+  }
+  if (protocol === 'file:') {
+    const ext = path.extname(pathname);
+    if (
+      ext === '.mjs' || 
+      (ext === '.js' && parentType === 'module')
+    ){
+        return 'module';
+      } 
+    else if (
+      ext === '.cjs' || 
+      (ext === '.js' && parentType !== 'module')
+    ){
+        return 'commonjs';
+      }
+  }
+  return 'unknown';
+}
 /**
  * The `getSource` hook is used to provide a custom method for retrieving source
  * code. In our case, we check for previously rewritten ESM files in our cache
@@ -110,15 +142,25 @@ export async function transformSource(source, context, defaultTransformSource) {
  * @returns {Promise<{ format: string, source: string | SharedArrayBuffer | Uint8Array }>}
  */
 export async function load(url, context, defaultLoad) {
+  const type = getType(url);
+
+  if (type === 'builtin' || type === 'unknown') {
+    logger.debug(
+      'Skipping rewrite for %s module %s, loading original code',
+      type,
+      url
+    );
+    return defaultLoad(url, context, defaultLoad);
+  }
+
   const filename = fileURLToPath(url);
 
   try {
     const cached = helpers.find(agent, filename);
     const source = cached || await readFile(filename, 'utf8');
-    const result = rewriter.rewriteFile(source, filename, { sourceType: 'module' });
+    const result = rewriter.rewriteFile(source, filename, { sourceType: type === 'commonjs' ? 'script' : 'module' });
     helpers.cacheWithSourceMap(agent, filename, result);
-    return { format: context.format, source: result.code };
-
+    return { format: type, source: result.code };
   } catch (err) {
     logger.error(
       'Failed to load rewritten code for %s, err: %o, rewritten code %s, loading original code.',

package/lib/assess/propagators/joi/any.js

@@ -12,10 +12,12 @@ Copyright: 2022 Contrast Security, Inc
   engineered, modified, repackaged, sold, redistributed or otherwise used in a
   way not consistent with the End User License Agreement.
 */
+'use strict';
+
 const requireHook = require('../../../hooks/require');
 const patcher = require('../../../hooks/patcher');
 const {
-  PATCH_TYPES: { ASSESS_PROPAGATOR }
+  PATCH_TYPES: { ASSESS_PROPAGATOR },
 } = require('../../../constants');
 const tracker = require('../../../tracker');
 const agent = require('../../../agent');
@@ -23,18 +25,15 @@ const agent = require('../../../agent');
 requireHook.resolve(
   { name: 'joi', file: 'lib/types/any.js', version: '>=17.0.0' },
   (object) => {
-    if (
-      !agent.config ||
-      (agent.config && !agent.config.agent.trust_custom_validators)
-    ) {
-      return;
-    }
+    if (!agent.config) return;
 
     patcher.patch(object._definition.rules.custom, 'validate', {
       name: 'joi.any.custom.validate',
       patchType: ASSESS_PROPAGATOR,
       alwaysRun: true,
       post(data) {
+        if (!agent.config.agent.trust_custom_validators) return;
+
         if (data.result && typeof data.result === 'string') {
           tracker.untrack(data.result);
         }
@@ -42,7 +41,7 @@ requireHook.resolve(
         if (data.args[0] && typeof data.args[0] === 'string') {
           tracker.untrack(data.args[0]);
         }
-      }
+      },
     });
-  }
+  },
 );

package/lib/assess/propagators/joi/object.js

@@ -12,10 +12,12 @@ Copyright: 2022 Contrast Security, Inc
   engineered, modified, repackaged, sold, redistributed or otherwise used in a
   way not consistent with the End User License Agreement.
 */
+'use strict';
+
 const requireHook = require('../../../hooks/require');
 const patcher = require('../../../hooks/patcher');
 const {
-  PATCH_TYPES: { ASSESS_PROPAGATOR }
+  PATCH_TYPES: { ASSESS_PROPAGATOR },
 } = require('../../../constants');
 const tracker = require('../../../tracker');
 const agent = require('../../../agent');
@@ -40,22 +42,19 @@ const traverseObjectAndUntrack = (object, incomingInput, result) => {
 requireHook.resolve(
   { name: 'joi', file: 'lib/types/object.js', version: '>=17.0.0' },
   (object) => {
-    if (
-      !agent.config ||
-      (agent.config && !agent.config.agent.trust_custom_validators)
-    ) {
-      return;
-    }
+    if (!agent.config) return;
 
     patcher.patch(object.__proto__, 'validateAsync', {
       name: 'joi.object.validateAsync',
       patchType: ASSESS_PROPAGATOR,
       alwaysRun: true,
       post(data) {
+        if (!agent.config.agent.trust_custom_validators) return;
+
         data.result.then((result) =>
-          traverseObjectAndUntrack(data.obj, data.args[0], result)
+          traverseObjectAndUntrack(data.obj, data.args[0], result),
         );
-      }
+      },
     });
-  }
+  },
 );

package/lib/assess/propagators/joi/string-base.js

@@ -18,7 +18,7 @@ const _ = require('lodash');
 const requireHook = require('../../../hooks/require');
 const patcher = require('../../../hooks/patcher');
 const {
-  PATCH_TYPES: { ASSESS_PROPAGATOR }
+  PATCH_TYPES: { ASSESS_PROPAGATOR },
 } = require('../../../constants');
 const tracker = require('../../../tracker');
 const { PropagationEvent, Signature, CallContext } = require('../../models');
@@ -42,7 +42,7 @@ function instrumentJoiString(string) {
           const { event } = trackingData;
           trackingData.tagRanges = tagRangeUtil.add(
             trackingData.tagRanges,
-            new TagRange(0, data.args[0].length - 1, 'string-type-checked')
+            new TagRange(0, data.args[0].length - 1, 'string-type-checked'),
           );
           trackingData.event = new PropagationEvent({
             context: new CallContext(data),
@@ -50,29 +50,32 @@ function instrumentJoiString(string) {
             tagRanges: trackingData.tagRanges,
             source: 'P',
             target: 'A',
-            parents: [event]
+            parents: [event],
           });
         }
-      }
+      },
     });
 
-  if (agent.config.agent.trust_custom_validators) {
-    patcher.patch(string.__proto__, 'validateAsync', {
-      name: 'joi.string.validateAsync',
-      patchType: ASSESS_PROPAGATOR,
-      alwaysRun: true,
-      post(data) {
-        if (!data.obj.$_terms.externals.length) return;
-        data.result.then((result) => {
-          tracker.untrack(data.args[0]);
-          tracker.untrack(result);
-        });
-      }
-    });
-  }
+  patcher.patch(string.__proto__, 'validateAsync', {
+    name: 'joi.string.validateAsync',
+    patchType: ASSESS_PROPAGATOR,
+    alwaysRun: true,
+    post(data) {
+      if (
+        !data.obj.$_terms.externals.length ||
+        !agent.config.agent.trust_custom_validators
+      )
+        return;
+
+      data.result.then((result) => {
+        tracker.untrack(data.args[0]);
+        tracker.untrack(result);
+      });
+    },
+  });
 }
 
 requireHook.resolve(
   { name: 'joi', file: 'lib/types/string.js', version: '>=17.0.0' },
-  instrumentJoiString
+  instrumentJoiString,
 );

package/lib/assess/sinks/rethinkdb-nosql-injection.js

@@ -67,7 +67,7 @@ class Handler {
 
   patchRethinkDb(rethinkdb) {
     const self = this;
-    patcher.patch(rethinkdb, 'table', {
+    patcher.patch(rethinkdb, 'db', {
       name: moduleName,
       patchType: PATCH_TYPES.ASSESS_SINK,
       alwaysRun: true,

package/lib/core/arch-components/dynamodb.js

@@ -13,6 +13,7 @@ Copyright: 2022 Contrast Security, Inc
   way not consistent with the End User License Agreement.
 */
 'use strict';
+
 const logger = require('../logger')('contrast:arch-component');
 const agentEmitter = require('../../agent-emitter');
 const { PATCH_TYPES } = require('../../constants');
@@ -31,11 +32,14 @@ ModuleHook.resolve({ name: 'aws-sdk' }, (AWS) => {
           vendor: 'DynamoDB',
           url: new URL(`${endpoint.protocol}//${endpoint.hostname}`).toString(),
           remoteHost: '',
-          remotePort: endpoint.port
+          remotePort: endpoint.port,
         });
       } catch (err) {
-        logger.warn('unable to report DynamoDB architecture component\n', err);
+        logger.warn(
+          'unable to report DynamoDB architecture component, err: %o',
+          err,
+        );
       }
-    }
+    },
   });
 });

package/lib/core/arch-components/dynamodbv3.js

@@ -13,6 +13,7 @@ Copyright: 2022 Contrast Security, Inc
   way not consistent with the End User License Agreement.
 */
 'use strict';
+
 const logger = require('../logger')('contrast:arch-component');
 const agentEmitter = require('../../agent-emitter');
 const { PATCH_TYPES } = require('../../constants');
@@ -24,7 +25,7 @@ function emitArchitectureComponent(endpoint) {
     vendor: 'DynamoDB',
     url: new URL(`${endpoint.protocol}//${endpoint.hostname}`).toString(),
     remoteHost: '',
-    remotePort: endpoint.port
+    remotePort: endpoint.port,
   });
 }
 
@@ -37,8 +38,11 @@ ModuleHook.resolve({ name: '@aws-sdk/client-dynamodb' }, (AWS) => {
       try {
         this.config.endpoint().then(emitArchitectureComponent);
       } catch (err) {
-        logger.warn('unable to report DynamoDB architecture component\n', err);
+        logger.warn(
+          'unable to report DynamoDB architecture component, err: %o',
+          err,
+        );
       }
-    }
+    },
   });
 });

package/lib/core/arch-components/index.js

@@ -12,6 +12,8 @@ Copyright: 2022 Contrast Security, Inc
   engineered, modified, repackaged, sold, redistributed or otherwise used in a
   way not consistent with the End User License Agreement.
 */
+'use strict';
+
 require('./mongodb');
 require('./mysql');
 require('./sqlite3');

package/lib/core/arch-components/mongodb.js

@@ -33,7 +33,7 @@ ModuleHook.resolve(
         }
 
         // We should report only when connection is successful
-        ctx.result.then(function(client) {
+        ctx.result.then(function (client) {
           try {
             const { servers = [] } = ctx.obj.s && ctx.obj.s.options;
             for (const server of servers) {
@@ -41,17 +41,17 @@ ModuleHook.resolve(
                 vendor: 'MongoDB',
                 url: `mongodb://${server.host}:${server.port}`,
                 remoteHost: '',
-                remotePort: server.port
+                remotePort: server.port,
               });
             }
           } catch (err) {
             logger.warn(
-              'unable to report MongoDB architecture component\n%o',
-              err
+              'unable to report MongoDB architecture component, err: %o',
+              err,
             );
           }
         });
-      }
+      },
     });
-  }
+  },
 );

package/lib/core/arch-components/mysql.js

@@ -42,19 +42,22 @@ ModuleHook.resolve(
                 vendor: 'MySQL',
                 url: new URL(url).toString(),
                 remoteHost: '',
-                remotePort: !this.config.socketPath ? this.config.port : -1
+                remotePort: !this.config.socketPath ? this.config.port : -1,
               });
             } catch (err) {
               logger.warn(
-                'unable to report MySQL architecture component\n',
-                err
+                'unable to report MySQL architecture component, err: %o',
+                err,
               );
             }
           })
           .catch((err) => {
-            logger.warn('unable to report MySQL architecture component\n', err);
+            logger.warn(
+              'unable to report MySQL architecture component, err: %o',
+              err,
+            );
           });
-      }
+      },
     });
-  }
+  },
 );

package/lib/core/arch-components/postgres.js

@@ -13,6 +13,7 @@ Copyright: 2022 Contrast Security, Inc
   way not consistent with the End User License Agreement.
 */
 'use strict';
+
 const patcher = require('../../hooks/patcher');
 const ModuleHook = require('../../hooks/require');
 const agentEmitter = require('../../agent-emitter');
@@ -29,10 +30,8 @@ ModuleHook.resolve({ name: 'pg', file: 'lib/client.js' }, (pgClient) =>
       waitToConnect(wrapCtx)
         .then(() => {
           try {
-            const {
-              host = process.env.PGHOST,
-              port = process.env.PGPORT
-            } = wrapCtx.result;
+            const { host = process.env.PGHOST, port = process.env.PGPORT } =
+              wrapCtx.result;
 
             if (!host) {
               return;
@@ -51,21 +50,21 @@ ModuleHook.resolve({ name: 'pg', file: 'lib/client.js' }, (pgClient) =>
             agentEmitter.emit('architectureComponent', {
               vendor: 'PostgreSQL',
               remotePort: port || 0,
-              url: new URL(url).toString()
+              url: new URL(url).toString(),
             });
           } catch (err) {
             logger.warn(
-              'unable to report PostgreSQL architecture component\n%o',
-              err
+              'unable to report PostgreSQL architecture component, err: %o',
+              err,
             );
           }
         })
         .catch((err) => {
           logger.warn(
-            'unable to report PostgreSQL architecture component\n%o',
-            err
+            'unable to report PostgreSQL architecture component, err: %o',
+            err,
           );
         });
-    }
-  })
+    },
+  }),
 );

package/lib/core/arch-components/rethinkdb.js

@@ -36,7 +36,7 @@ ModuleHook.resolve({ name: 'rethinkdb' }, (rethinkdb) => {
             agentEmitter.emit('architectureComponent', {
               vendor: 'RethinkDB',
               url,
-              remotePort: res.port
+              remotePort: res.port,
             });
           } else {
             logger.warn('unable to open RethinkDB connection');
@@ -44,10 +44,10 @@ ModuleHook.resolve({ name: 'rethinkdb' }, (rethinkdb) => {
         })
         .catch((err) => {
           logger.warn(
-            'unable to report RethinkDB architecture component\n%o',
-            err
+            'unable to report RethinkDB architecture component, err: %o',
+            err,
           );
         });
-    }
+    },
   });
 });

package/lib/core/arch-components/sqlite3.js

@@ -31,11 +31,14 @@ ModuleHook.resolve({ name: 'sqlite3' }, (sqlite3) => {
           vendor: 'SQLite3',
           url: wrapCtx.args[0],
           remoteHost: '',
-          remotePort: 0
+          remotePort: 0,
         });
       } catch (err) {
-        logger.warn('unable to report SQLite3 architecture component\n%o', err);
+        logger.warn(
+          'unable to report SQLite3 architecture component, err: %o',
+          err,
+        );
       }
-    }
+    },
   });
 });

package/lib/core/arch-components/util.js

@@ -12,6 +12,8 @@ Copyright: 2022 Contrast Security, Inc
   engineered, modified, repackaged, sold, redistributed or otherwise used in a
   way not consistent with the End User License Agreement.
 */
+'use strict';
+
 const MYSQL = 'mysql.connect.arch_component';
 const POSTGRES = 'pg.Client.arch_component';
 
@@ -19,7 +21,7 @@ module.exports = function waitToConnect(ctx, count = 0) {
   return new Promise((resolve, reject) => {
     const maxAttempts = 10 * 60; // i.e., 1 min.
     const checkConnection = setInterval(
-      function(ctx, resolve, reject) {
+      function (ctx, resolve, reject) {
         if (count >= maxAttempts) {
           clearInterval(checkConnection);
           reject();
@@ -43,7 +45,7 @@ module.exports = function waitToConnect(ctx, count = 0) {
       100,
       ctx,
       resolve,
-      reject
+      reject,
     );
   });
 };