@contrast/agent 4.10.5 → 4.12.0

package/bin/VERSION

@@ -1 +1 @@
-2.28.13
+2.28.14

package/lib/agent.js

@@ -31,8 +31,13 @@ class ContrastAgent {
   constructor() {
     /**
      * Instance of AppInfo containing application information.
-     * @member */
+     * @type {import('./app-info')}
+     */
     this.appInfo = null;
+
+    /** @type {import('./telemetry') */
+    this.telemetry = null;
+
     /**
      * Holds user settings for the agent
      * @member */
@@ -94,7 +99,9 @@ class ContrastAgent {
      */
     this.argv = process.argv;
     this.tsFeatureSet._subscribers.push(this.agentEmitter);
-    this.exclusions = new ExclusionFactory({ featureSet: this.tsFeatureSet });
+    this.exclusions = new ExclusionFactory({
+      featureSet: this.tsFeatureSet
+    });
     this.agentEmitter.on('application-settings', (applicationSettings) => {
       this.exclusions.updateSettings({
         settings: applicationSettings,

package/lib/app-info.js

@@ -14,87 +14,123 @@ Copyright: 2022 Contrast Security, Inc
 */
 'use strict';
 const os = require('os');
+const fs = require('fs');
 const path = require('path');
-
+const parentPackageJson = require('parent-package-json');
+const semver = require('semver');
+const { AGENT_INFO } = require('./constants');
 const logger = require('./core/logger')('contrast:appInfo');
-const fileFinder = require('./util/file-finder');
-const {
-  AGENT_INFO: { VERSION }
-} = require('./constants');
+
+const isContainer = () => {
+  try {
+    fs.statSync('/.dockerenv');
+    return true;
+  } catch (err) {
+    // if no docker env, check /proc/self/cgroup
+  }
+
+  try {
+    return fs.readFileSync('/proc/self/cgroup', 'utf8').includes('docker');
+  } catch (err) {
+    // if file not present,
+    return false;
+  }
+};
 
 /**
  * An AppInfo instance carries properties of the application being instrumented,
  * such as OS-related information, hostname, name and version information. The
  * name, version, and package.json data
  *
- * @class
- * @param {String} script File name/location for the app.
- * @param {} options Current configuration for the agent
- *
  * TODO(ehden): I'd like to get rid of this and put it more inline with what's happening in config/util.js,
  * but that's a bigger refactor and out of the scope of common config work.
  */
 class AppInfo {
+  /**
+   * @param {string} script File name/location for the app.
+   * @param {any} config Current configuration for the agent
+   */
   constructor(script, config) {
+    this.indexFile = path.resolve(script);
+    let isDir = false;
+
+    try {
+      const stats = fs.statSync(script);
+      isDir = stats.isDirectory();
+    } catch (err) {
+      // if we can't stat the start script we'll likely throw unless `app_root`
+      // is set. We'll let the logic below handle that.
+    }
+
     this.os = {
-      type: os.type(),
-      platform: os.platform(),
       architecture: os.arch(),
-      release: os.release()
+      platform: os.platform(),
+      release: os.release(),
+      type: os.type()
     };
     this.hostname = os.hostname();
-    const cmd = path.resolve(script);
-    logger.info('finding package.json for %s', cmd);
-    this.path = AppInfo.resolveAppPath(
-      config.agent.node.app_root,
-      path.dirname(cmd)
+    this.isContainer = isContainer();
+
+    logger.info('finding package.json for %s', this.indexFile);
+
+    // If started with `script` as a directory, append a file similar to below.
+    if (isDir) {
+      this.indexFile = path.join(this.indexFile, 'index.js');
+    }
+
+    const manifest = parentPackageJson(
+      // The `parent-package-json` library expects the start path to be a file,
+      // not a directory, so we append `package.json`. This lets us use the lib
+      // without changing the expected config option.
+      config.agent.node.app_root
+        ? path.join(config.agent.node.app_root, 'package.json')
+        : this.indexFile
     );
-    config.agent.node.app_root = this.path;
 
-    try {
-      this.appPackage = require(this.path);
-    } catch (e) {
+    if (!manifest) {
       throw new Error("Unable to find application's package.json.");
     }
-    this.name = config.application.name || this.appPackage.name;
 
-    const packageVersion = this.appPackage.version;
-    this.version = config.application.version || packageVersion;
-    this.serverVersion = config.server.version || VERSION;
+    /**
+     * Path to the application's package.json
+     * @type {string}
+     */
+    this.path = manifest.path;
+    logger.info('using package.json at %s', this.path);
 
-    logger.info('using appname %s', this.name);
+    /**
+     * Actual application location (directory containing package.json)
+     * @type {string}
+     */
+    this.appDir = path.dirname(this.path);
 
-    this.node_version = process.version;
-    this.app_dir = path.dirname(this.path);
-    this.appPath = config.application.path || this.app_dir;
-    this.indexFile = script; // cli.js, app.js, index.js, server.js... etc
-    this.serverName = config.server.name;
-    this.serverEnvironment = config.server.environment;
-  }
-
-  /**
-   * Returns the location of the app package
-   *
-   * @param {string} appRoot config.agent.node.app_root
-   * @param {string} scriptPath directory the script is in
-   * @returns {string} location of the app package
-   */
-  static resolveAppPath(appRoot, scriptPath) {
-    let packageLocation;
+    /**
+     * Contents of the application's package.json
+     * @type {Record<string, any>}
+     */
+    this.appPackage = manifest.parse();
 
-    if (appRoot) {
-      packageLocation = fileFinder.findFile(appRoot, 'package.json');
+    if (isDir) {
+      this.indexFile = path.resolve(this.appDir, this.appPackage.main);
     }
 
-    if (!packageLocation) {
-      packageLocation = fileFinder.findFile(scriptPath, 'package.json');
-    }
+    this.name = config.application.name || this.appPackage.name;
+    logger.info('using appname %s', this.name);
 
-    if (packageLocation) {
-      logger.info('using package.json at %s', packageLocation);
-    }
+    this.version = config.application.version || this.appPackage.version;
+    this.serverVersion = config.server.version || AGENT_INFO.VERSION;
 
-    return packageLocation;
+    this.nodeVersion = process.version;
+    this.nodeVersionMajor = semver.major(this.nodeVersion);
+
+    /**
+     * Configured application path to report
+     * @type {string}
+     */
+    this.appPath = config.application.path || this.appDir;
+
+    this.serverName = config.server.name;
+    this.serverEnvironment = config.server.environment;
   }
 }
 

package/lib/assess/loopback4/route-coverage.js

@@ -24,7 +24,7 @@ const { funcinfo } = require('@contrast/fn-inspect');
 class RouteCoverage {
   constructor(agent) {
     this.routes = new Map();
-    this.appDir = agent.appInfo.app_dir;
+    this.appDir = agent.appInfo.appDir;
     moduleHook.resolve(
       { name: '@loopback/rest', file: 'dist/router/routing-table.js' },
       this.patchRoutingTable.bind(this)

package/lib/assess/propagators/joi/any.js

@@ -12,10 +12,12 @@ Copyright: 2022 Contrast Security, Inc
   engineered, modified, repackaged, sold, redistributed or otherwise used in a
   way not consistent with the End User License Agreement.
 */
+'use strict';
+
 const requireHook = require('../../../hooks/require');
 const patcher = require('../../../hooks/patcher');
 const {
-  PATCH_TYPES: { ASSESS_PROPAGATOR }
+  PATCH_TYPES: { ASSESS_PROPAGATOR },
 } = require('../../../constants');
 const tracker = require('../../../tracker');
 const agent = require('../../../agent');
@@ -23,18 +25,15 @@ const agent = require('../../../agent');
 requireHook.resolve(
   { name: 'joi', file: 'lib/types/any.js', version: '>=17.0.0' },
   (object) => {
-    if (
-      !agent.config ||
-      (agent.config && !agent.config.agent.trust_custom_validators)
-    ) {
-      return;
-    }
+    if (!agent.config) return;
 
     patcher.patch(object._definition.rules.custom, 'validate', {
       name: 'joi.any.custom.validate',
       patchType: ASSESS_PROPAGATOR,
       alwaysRun: true,
       post(data) {
+        if (!agent.config.agent.trust_custom_validators) return;
+
         if (data.result && typeof data.result === 'string') {
           tracker.untrack(data.result);
         }
@@ -42,7 +41,7 @@ requireHook.resolve(
         if (data.args[0] && typeof data.args[0] === 'string') {
           tracker.untrack(data.args[0]);
         }
-      }
+      },
     });
-  }
+  },
 );

package/lib/assess/propagators/joi/object.js

@@ -12,10 +12,12 @@ Copyright: 2022 Contrast Security, Inc
   engineered, modified, repackaged, sold, redistributed or otherwise used in a
   way not consistent with the End User License Agreement.
 */
+'use strict';
+
 const requireHook = require('../../../hooks/require');
 const patcher = require('../../../hooks/patcher');
 const {
-  PATCH_TYPES: { ASSESS_PROPAGATOR }
+  PATCH_TYPES: { ASSESS_PROPAGATOR },
 } = require('../../../constants');
 const tracker = require('../../../tracker');
 const agent = require('../../../agent');
@@ -40,22 +42,19 @@ const traverseObjectAndUntrack = (object, incomingInput, result) => {
 requireHook.resolve(
   { name: 'joi', file: 'lib/types/object.js', version: '>=17.0.0' },
   (object) => {
-    if (
-      !agent.config ||
-      (agent.config && !agent.config.agent.trust_custom_validators)
-    ) {
-      return;
-    }
+    if (!agent.config) return;
 
     patcher.patch(object.__proto__, 'validateAsync', {
       name: 'joi.object.validateAsync',
       patchType: ASSESS_PROPAGATOR,
       alwaysRun: true,
       post(data) {
+        if (!agent.config.agent.trust_custom_validators) return;
+
         data.result.then((result) =>
-          traverseObjectAndUntrack(data.obj, data.args[0], result)
+          traverseObjectAndUntrack(data.obj, data.args[0], result),
         );
-      }
+      },
     });
-  }
+  },
 );

package/lib/assess/propagators/joi/string-base.js

@@ -18,7 +18,7 @@ const _ = require('lodash');
 const requireHook = require('../../../hooks/require');
 const patcher = require('../../../hooks/patcher');
 const {
-  PATCH_TYPES: { ASSESS_PROPAGATOR }
+  PATCH_TYPES: { ASSESS_PROPAGATOR },
 } = require('../../../constants');
 const tracker = require('../../../tracker');
 const { PropagationEvent, Signature, CallContext } = require('../../models');
@@ -42,7 +42,7 @@ function instrumentJoiString(string) {
           const { event } = trackingData;
           trackingData.tagRanges = tagRangeUtil.add(
             trackingData.tagRanges,
-            new TagRange(0, data.args[0].length - 1, 'string-type-checked')
+            new TagRange(0, data.args[0].length - 1, 'string-type-checked'),
           );
           trackingData.event = new PropagationEvent({
             context: new CallContext(data),
@@ -50,29 +50,32 @@ function instrumentJoiString(string) {
             tagRanges: trackingData.tagRanges,
             source: 'P',
             target: 'A',
-            parents: [event]
+            parents: [event],
           });
         }
-      }
+      },
     });
 
-  if (agent.config.agent.trust_custom_validators) {
-    patcher.patch(string.__proto__, 'validateAsync', {
-      name: 'joi.string.validateAsync',
-      patchType: ASSESS_PROPAGATOR,
-      alwaysRun: true,
-      post(data) {
-        if (!data.obj.$_terms.externals.length) return;
-        data.result.then((result) => {
-          tracker.untrack(data.args[0]);
-          tracker.untrack(result);
-        });
-      }
-    });
-  }
+  patcher.patch(string.__proto__, 'validateAsync', {
+    name: 'joi.string.validateAsync',
+    patchType: ASSESS_PROPAGATOR,
+    alwaysRun: true,
+    post(data) {
+      if (
+        !data.obj.$_terms.externals.length ||
+        !agent.config.agent.trust_custom_validators
+      )
+        return;
+
+      data.result.then((result) => {
+        tracker.untrack(data.args[0]);
+        tracker.untrack(result);
+      });
+    },
+  });
 }
 
 requireHook.resolve(
   { name: 'joi', file: 'lib/types/string.js', version: '>=17.0.0' },
-  instrumentJoiString
+  instrumentJoiString,
 );

package/lib/assess/sinks/rethinkdb-nosql-injection.js

@@ -67,7 +67,7 @@ class Handler {
 
   patchRethinkDb(rethinkdb) {
     const self = this;
-    patcher.patch(rethinkdb, 'table', {
+    patcher.patch(rethinkdb, 'db', {
       name: moduleName,
       patchType: PATCH_TYPES.ASSESS_SINK,
       alwaysRun: true,

package/lib/contrast.js

@@ -1,4 +1,3 @@
-#!/usr/bin/env node
 /**
 Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
@@ -13,13 +12,8 @@ Copyright: 2022 Contrast Security, Inc
   engineered, modified, repackaged, sold, redistributed or otherwise used in a
   way not consistent with the End User License Agreement.
 */
-/**
- * Process flows to bootstrapping user code with the node agent code
- *
- * @module lib/contrastAgent
- *
- */
 'use strict';
+
 const { program } = require('./core/config/options');
 const path = require('path');
 const os = require('os');
@@ -27,8 +21,6 @@ const semver = require('semver');
 const colors = require('./util/colors');
 const { AGENT_INFO } = require('./constants');
 const { VERSION, SUPPORTED_VERSIONS, NAME } = AGENT_INFO;
-const contrastAgent = module.exports;
-const Promise = require('bluebird');
 const Module = require('module');
 const sourceMapUtility = require('./util/source-map');
 const loggerFactory = require('./core/logger');
@@ -43,10 +35,18 @@ function getAgentSnippet() {
 }
 
 let AppInfo,
+  /** @type {import('./agent')} */
   agent = {},
   TSReporter,
-  tracker,
-  instrument;
+  instrument,
+  /** @type {import('./telemetry')} */
+  Telemetry,
+  tracker;
+
+/**
+ * Process flows to bootstrapping user code with the node agent code
+ */
+const contrastAgent = module.exports;
 
 /**
  * Who doesn't like ASCII art. Displays Matt's cat when CONTRAST_CAT env var is set to MATT
@@ -56,7 +56,6 @@ contrastAgent.showBanner = function showBanner() {
     const fs = require('fs');
     const file = path.resolve(__dirname, 'cat.txt');
     const cat = fs.readFileSync(file, 'utf8');
-    // eslint-disable-next-line no-console
     console.log(colors.red(cat));
   }
 
@@ -71,9 +70,10 @@ contrastAgent.showBanner = function showBanner() {
 contrastAgent.doImports = function doImports() {
   AppInfo = require('./app-info');
   agent = require('./agent');
-  tracker = require('./tracker');
   TSReporter = require('./reporter/ts-reporter');
   instrument = require('./instrumentation');
+  Telemetry = require('./telemetry');
+  tracker = require('./tracker');
 };
 
 /**
@@ -229,7 +229,7 @@ contrastAgent.prepare = function(...args) {
 
     if (isCli) {
       logger.error(
-        `DEPRECATED: Agent is started as runner. Please use '%s'`,
+        "DEPRECATED: Agent is started as runner. Please use '%s'",
         getAgentSnippet()
       );
     } else {
@@ -256,7 +256,7 @@ contrastAgent.prepare = function(...args) {
     }
 
     if (config.agent.node.dev.global_tracker) {
-      logger.debug('>> config.agent.node.dev.global_tracker enabled <<'); // eslint-disable-line
+      logger.debug('>> config.agent.node.dev.global_tracker enabled <<');
       global.contrast_tracker = tracker;
     }
 
@@ -271,6 +271,7 @@ contrastAgent.prepare = function(...args) {
 
     config.version = semver.valid(semver.coerce(VERSION));
     agent.appInfo = app;
+    agent.telemetry = new Telemetry(agent, config);
 
     config.override('application.name', app.name);
 
@@ -358,12 +359,11 @@ contrastAgent.init = async function(args, isCli = false) {
       }
     })
     .on('--help', function() {
-      // eslint-disable-next-line no-console
-      console.log(`
-Example:
-${colors.cyan(
-  `    $ ${getAgentSnippet()} -c ../contrast_security.yaml -- --appArg1 --appArg2 -e -t -c`
-)}`);
+      console.log('Example:');
+      console.log(
+        colors.cyan('\t$ %s -c ../contrast_security.yaml -- --appArg1 --appArg2 -e -t -c'),
+        getAgentSnippet(),
+      );
     });
 
   await program.parseAsync(args);
@@ -407,7 +407,9 @@ contrastAgent.resetArgs = function(nodePath, script) {
   process.argv = agent.config
     ? [nodePath, script].concat(agent.config.application.args)
     : process.argv;
-  const isPrimary = !agent.hasOwnProperty('cluster') || agent.cluster.isPrimary;
+  const isPrimary =
+    !Object.prototype.hasOwnProperty.call(agent, 'cluster') ||
+    agent.cluster.isPrimary;
   const location = isPrimary ? 'Entering main' : 'Entering fork';
 
   logger.debug('%s at %s', location, script);

package/lib/core/arch-components/dynamodb.js

@@ -13,6 +13,7 @@ Copyright: 2022 Contrast Security, Inc
   way not consistent with the End User License Agreement.
 */
 'use strict';
+
 const logger = require('../logger')('contrast:arch-component');
 const agentEmitter = require('../../agent-emitter');
 const { PATCH_TYPES } = require('../../constants');
@@ -31,11 +32,14 @@ ModuleHook.resolve({ name: 'aws-sdk' }, (AWS) => {
           vendor: 'DynamoDB',
           url: new URL(`${endpoint.protocol}//${endpoint.hostname}`).toString(),
           remoteHost: '',
-          remotePort: endpoint.port
+          remotePort: endpoint.port,
         });
       } catch (err) {
-        logger.warn('unable to report DynamoDB architecture component\n', err);
+        logger.warn(
+          'unable to report DynamoDB architecture component, err: %o',
+          err,
+        );
       }
-    }
+    },
   });
 });

package/lib/core/arch-components/dynamodbv3.js

@@ -13,6 +13,7 @@ Copyright: 2022 Contrast Security, Inc
   way not consistent with the End User License Agreement.
 */
 'use strict';
+
 const logger = require('../logger')('contrast:arch-component');
 const agentEmitter = require('../../agent-emitter');
 const { PATCH_TYPES } = require('../../constants');
@@ -24,7 +25,7 @@ function emitArchitectureComponent(endpoint) {
     vendor: 'DynamoDB',
     url: new URL(`${endpoint.protocol}//${endpoint.hostname}`).toString(),
     remoteHost: '',
-    remotePort: endpoint.port
+    remotePort: endpoint.port,
   });
 }
 
@@ -37,8 +38,11 @@ ModuleHook.resolve({ name: '@aws-sdk/client-dynamodb' }, (AWS) => {
       try {
         this.config.endpoint().then(emitArchitectureComponent);
       } catch (err) {
-        logger.warn('unable to report DynamoDB architecture component\n', err);
+        logger.warn(
+          'unable to report DynamoDB architecture component, err: %o',
+          err,
+        );
       }
-    }
+    },
   });
 });

package/lib/core/arch-components/index.js

@@ -12,6 +12,8 @@ Copyright: 2022 Contrast Security, Inc
   engineered, modified, repackaged, sold, redistributed or otherwise used in a
   way not consistent with the End User License Agreement.
 */
+'use strict';
+
 require('./mongodb');
 require('./mysql');
 require('./sqlite3');

package/lib/core/arch-components/mongodb.js

@@ -33,7 +33,7 @@ ModuleHook.resolve(
         }
 
         // We should report only when connection is successful
-        ctx.result.then(function(client) {
+        ctx.result.then(function (client) {
           try {
             const { servers = [] } = ctx.obj.s && ctx.obj.s.options;
             for (const server of servers) {
@@ -41,17 +41,17 @@ ModuleHook.resolve(
                 vendor: 'MongoDB',
                 url: `mongodb://${server.host}:${server.port}`,
                 remoteHost: '',
-                remotePort: server.port
+                remotePort: server.port,
               });
             }
           } catch (err) {
             logger.warn(
-              'unable to report MongoDB architecture component\n%o',
-              err
+              'unable to report MongoDB architecture component, err: %o',
+              err,
             );
           }
         });
-      }
+      },
     });
-  }
+  },
 );

package/lib/core/arch-components/mysql.js

@@ -42,19 +42,22 @@ ModuleHook.resolve(
                 vendor: 'MySQL',
                 url: new URL(url).toString(),
                 remoteHost: '',
-                remotePort: !this.config.socketPath ? this.config.port : -1
+                remotePort: !this.config.socketPath ? this.config.port : -1,
               });
             } catch (err) {
               logger.warn(
-                'unable to report MySQL architecture component\n',
-                err
+                'unable to report MySQL architecture component, err: %o',
+                err,
               );
             }
           })
           .catch((err) => {
-            logger.warn('unable to report MySQL architecture component\n', err);
+            logger.warn(
+              'unable to report MySQL architecture component, err: %o',
+              err,
+            );
           });
-      }
+      },
     });
-  }
+  },
 );