@contrast/agent 4.10.5 → 4.12.0

package/lib/hooks/frameworks/base.js

@@ -66,7 +66,7 @@ class BaseFramework {
 
     if (frame) {
       const { file, lineNumber } = frame;
-      const relativeFile = (file || '').replace(this.agent.appInfo.app_dir, '');
+      const relativeFile = (file || '').replace(this.agent.appInfo.appDir, '');
       return `${relativeFile}:${lineNumber || ''}`;
     } else {
       return null;

package/lib/hooks/module/helpers.js

@@ -36,7 +36,7 @@ let appDirRegex;
  * @returns {string}
  */
 const getCachedFilename = (agent, filename) => {
-  appDirRegex = appDirRegex || new RegExp(`^(${agent.appInfo.app_dir})?`);
+  appDirRegex = appDirRegex || new RegExp(`^(${agent.appInfo.appDir})?`);
   if (os.platform() === 'win32') {
     filename = filename.replace(/C:/i, '');
   }

package/lib/instrumentation.js

@@ -89,7 +89,7 @@ function collectLibInfo(agent) {
       require('./hooks/module/extensions')();
       libUsage.listen(evalFrequency);
     }
-    libraries.getPackageLibraries(agent, eluEnabled).then((libs) => {
+    libraries.getLibInfo(agent, eluEnabled).then((libs) => {
       agentEmitter.emit('appinfo', { libs });
     });
   }

package/lib/libraries.js

@@ -13,176 +13,160 @@ Copyright: 2022 Contrast Security, Inc
   way not consistent with the End User License Agreement.
 */
 'use strict';
-const Promise = require('bluebird');
-const stringify = require('json-stable-stringify');
-const _ = require('lodash');
-const path = require('path');
-const util = require('util');
 
-const {
-  AGENT_INFO: { NAME }
-} = require('./constants');
-const logger = require('./core/logger')('contrast:libraries');
+const { stat } = require('fs').promises;
+const stringify = require('json-stable-stringify');
+const Module = require('module');
+const { AGENT_INFO } = require('./constants');
 const { runInNoInstrumentationScope } = require('./core/async-storage/scopes');
+const logger = require('./core/logger')('contrast:libraries');
 const listInstalled = require('./list-installed');
 const AppUpdate = require('./reporter/models/app-update');
 
 const DEADZONE_NAME = 'agent: libraries';
 
-// Note: do not use bluebird.promisify here as it will break tests by leaking
-// NO_INSTRUMENTATION Scope across tests. see:
-// https://contrast.atlassian.net/wiki/spaces/~18775625/pages/1222052407/Async+Context+when+a+Promise+is+returned+from+runInScope
-const stat = util.promisify(require('fs').stat);
+/**
+ * @typedef {import('./list-installed').Result} Result
+ */
 
 /**
- * Scan dependencies recursively to determine dependents.
- * @param {Object} deps the formatted object from formatDependencies
+ * Searches a list of paths and returns the first valid path found.
+ * @param {string[]} paths
+ * @returns {Promise<string | undefined>}
+ */
+const findNodeModsPath = async (paths) =>
+  // this functions similarly to `Bluebird.map() with concurrency: 1
+  paths.reduce(async (prev, path) => {
+    if (await prev) return prev;
+
+    try {
+      await stat(path);
+      return path;
+    } catch (err) {
+      return undefined;
+    }
+  }, Promise.resolve());
+
+/**
+ * Filters out the agent as a dependency, formats libraries, and keeps track of
+ * nested modules.
+ *
+ * @param {{ [key: string]: Result | string }} deps collection of dependencies from app root
  * @param {Map<string, Set<string>} requiredBy
- * @returns {Map<string, Set<string>}
+ * @param {string} parent the name of the module requiring the current when nested
+ * @return {{ [key: string]: Result }} formatted object
  */
-function setRequiredBy(deps, requiredBy = new Map()) {
-  _.forEach(deps, (dep, depName) => {
-    _.forEach(dep.dependencies, (depOfDep, depOfDepName) => {
-      const set = requiredBy.has(depOfDepName)
-        ? requiredBy.get(depOfDepName)
-        : new Set();
-
-      set.add(depName);
-      requiredBy.set(depOfDepName, set);
-    });
-
-    setRequiredBy(dep.dependencies, requiredBy);
-  });
+const formatDependencies = (deps, requiredBy, parent) =>
+  Object.entries(deps || {}).reduce((result, [key, val]) => {
+    if (key === AGENT_INFO.NAME) {
+      return result;
+    }
+
+    if (parent) {
+      const set = requiredBy.has(key) ? requiredBy.get(key) : new Set();
+
+      set.add(parent);
+      requiredBy.set(key, set);
+    }
+
+    if (typeof val === 'string') {
+      result[key] = {
+        name: key,
+        version: val,
+        dependencies: {}
+      };
+      return result;
+    }
+
+    if (!val.name) val.name = key;
+
+    val.dependencies = formatDependencies(val.dependencies, requiredBy, key);
+    result[key] = val;
 
-  return requiredBy;
-}
+    return result;
+  }, {});
 
 /**
  * Recursively adds each dependency as a library which is used later
  * for reporting inventory and class usage
  *
- * @param {Object} deps  collection of dependencies
+ * @param {{ [key: string]: Result }} deps the formatted object from formatDependencies
  * @param {Map<string, Set<string>} requiredBy map containing data regarding dependents
- * @param {Object} agent agent instance
+ * @param {import('./agent')} agent agent instance
  */
-function processDependencies(deps, requiredBy, agent) {
-  for (const key in deps) {
-    const dep = deps[key];
-    if (!dep.name) {
-      dep.name = key;
-    }
-
+const processDependencies = (deps, requiredBy, agent) => {
+  Object.values(deps).forEach((dep) => {
     dep._requiredBy = requiredBy.has(dep.name)
       ? Array.from(requiredBy.get(dep.name))
       : [];
 
     const newLib = AppUpdate.addLib(dep, agent);
-    // check its deps as well
+    // If this is the first time we've checked this dep, check its deps as well.
     if (newLib) {
       processDependencies(dep.dependencies, requiredBy, agent);
     }
-  }
-}
-
-/**
- * compares module name with agent name
- *
- * @param {string} modeName
- * @return {Boolean} if modName matches agent, returns true
- */
-function isAgent(modName) {
-  return modName === NAME;
-}
+  });
+};
 
 /**
- * Filters out the agent as a dependency
- * Formats libraries as { 'mod-name': { <mod package.json deets } }
+ * Traverses entire dependency tree to report library inventory
  *
- * @param {Object} deps collection of dependencies from app root
- * @return {Object} formatted object
+ * @param {import('./agent')} agent agent instance
+ * @param {boolean} eluEnabled flag to get composition for each module
+ * @returns {AppUpdate.libraries}
  */
-function formatDependencies(deps) {
-  return _.reduce(
-    deps,
-    (result, value, key) => {
-      if (isAgent(key)) {
-        return result;
+const getLibInfo = async (agent, eluEnabled) =>
+  runInNoInstrumentationScope(async () => {
+    try {
+      const boundRequire = Module.createRequire(agent.appInfo.path);
+      const paths = boundRequire.resolve.paths(agent.appInfo.path);
+      const nodeModsPath = await findNodeModsPath(paths);
+
+      if (!nodeModsPath) {
+        logger.error(
+          `unable to read installed dependencies because a node_modules directory could not be detected given a package.json located at %s - use the agent.node.app_root configuration variable if installed in non-standard location`,
+          agent.appInfo.path
+        );
+        return AppUpdate.libraries;
       }
 
-      if (typeof value === 'object') {
-        result[key] = value;
-      } else {
-        result[key] = {
-          name: key,
-          version: value
-        };
+      logger.debug('detected node_modules at %s', nodeModsPath);
+      const data = await listInstalled(nodeModsPath, logger);
+
+      logger.debug(
+        'package.json dependencies: %s',
+        // _dependencies contains { name: version } info
+        stringify(data._dependencies, { space: 2 })
+      );
+      logger.debug(
+        'package.json devDependencies: %s',
+        stringify(data.devDependencies, { space: 2 })
+      );
+
+      const requiredBy = new Map();
+      const dependencies = formatDependencies(data.dependencies, requiredBy);
+      processDependencies(dependencies, requiredBy, agent);
+
+      const libs = AppUpdate.libraries;
+      if (eluEnabled) {
+        logger.info('recursively scanning dependencies');
+        // this functions similarly to `Bluebird.map()` with concurrency: 1
+        await Object.values(libs).reduce(async (prev, lib) => {
+          await prev;
+          return lib.getComposition();
+        }, Promise.resolve());
       }
 
-      return result;
-    },
-    {}
-  );
-}
+      logger.info(
+        'finished library inventory for %s dependencies',
+        Object.keys(libs).length
+      );
 
-/**
- * Traverses entire dependency tree to report library inventory
- *
- * @param {Object} agent agent instance
- * @param {Boolean} eluEnabled flag to get composition for each module
- */
-function getPackageLibraries(agent, eluEnabled) {
-  const appRoot = _.get(agent, 'appInfo.path');
-  return runInNoInstrumentationScope(() => {
-    const dir = path.dirname(appRoot);
-
-    let nodeModsExists = false;
-    return stat(`${dir + path.sep}node_modules`)
-      .then(() => {
-        nodeModsExists = true;
-        return listInstalled(dir, logger);
-      })
-      .then((data) => {
-        logger.debug(
-          'package.json dependencies: %s',
-          stringify(data._dependencies, { space: 2 })
-        );
-        logger.debug(
-          'package.json devDependencies: %s',
-          stringify(data.devDependencies, { space: 2 })
-        );
-        const dependencies = formatDependencies(data.dependencies);
-        const requiredBy = setRequiredBy(dependencies);
-        return processDependencies(dependencies, requiredBy, agent);
-      })
-      .then(() => {
-        if (eluEnabled) {
-          logger.info('recursively scanning dependencies');
-          const libs = _.values(AppUpdate.libraries);
-          return Promise.map(libs, (lib) => lib.getComposition(), {
-            concurrency: 1
-          });
-        }
-      })
-      .then(() => {
-        const libs = AppUpdate.libraries;
-        logger.info(
-          'finished library inventory for %s dependencies',
-          Object.keys(libs).length
-        );
-
-        return libs;
-      })
-      .catch((err) => {
-        if (!nodeModsExists) {
-          logger.error(
-            `unable to read install dependencies because node_modules are not installed in app root (${dir}) - use agent.node.app_root configuration if installed in non-standard location`
-          );
-        } else {
-          logger.error('unable to read installed dependencies. %o', err);
-        }
-        return AppUpdate.libraries;
-      });
+      return libs;
+    } catch (err) {
+      logger.error('unable to read installed dependencies. %o', err);
+      return AppUpdate.libraries;
+    }
   }, DEADZONE_NAME);
-}
 
-module.exports.getPackageLibraries = getPackageLibraries;
+module.exports.getLibInfo = getLibInfo;

package/lib/list-installed.js

@@ -21,6 +21,19 @@ const {
 
 const execFile = util.promisify(require('child_process').execFile);
 
+/**
+ * @typedef {Object} Result
+ * @property {string} name
+ * @property {string} version
+ * @property {{ [key: string]: Result | string }} dependencies
+ * @property {{ [key: string]: Result | string }} devDependencies
+ */
+
+/**
+ * @param {string} cwd directory in which we want to execute `npm ls`
+ * @param {*} logger
+ * @returns {Promise<Result>}
+ */
 module.exports = async function listInstalled(cwd, logger) {
   const env = { ...process.env, NODE_OPTIONS: undefined };
   const args = ['--silent', 'ls', '--json', '--prod', '--long'];

package/lib/reporter/models/app-update/index.js

@@ -160,7 +160,7 @@ module.exports = class AppUpdate {
 
   /**
    * returns collection of libraries
-   * @return {Object}
+   * @return {{ [key: string]: Library }}
    */
   static get libraries() {
     const data = {};

package/lib/reporter/translations/to-protobuf/dtm/agent-startup.js

@@ -22,18 +22,18 @@ const {
 
 module.exports = function AgentStartup({
   config = { server: {} },
-  appInfo: { app_dir, serverEnvironment, serverVersion, version } = {}
+  appInfo: { appDir, serverEnvironment, serverVersion, version } = {}
 } = {}) {
   const serverName = config.server.name;
   const { tags, type } = config.server;
-  app_dir = config.server.path || app_dir;
+  appDir = config.server.path || appDir;
 
   return new dtm.AgentStartup({
     1: VERSION, //           2 version
     2: serverEnvironment, // 3 environment
     3: tags, //              4 tags
     4: serverName, //        5 server_name
-    5: app_dir, //           6 server_path
+    5: appDir, //            6 server_path
     6: type, //              7 server_type
     7: serverVersion //      8 server_version
   });

package/lib/telemetry.js

@@ -0,0 +1,188 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const { default: axios } = require('axios');
+const { createHash } = require('crypto');
+const findCacheDir = require('find-cache-dir');
+const { promises: fs } = require('fs');
+const { default: getMac } = require('getmac');
+const os = require('os');
+const path = require('path');
+const process = require('process');
+const { v4: uuid } = require('uuid');
+const { AGENT_INFO } = require('./constants');
+const logger = require('./core/logger')('contrast:telemetry');
+
+const TELEMETRY_URL = 'https://telemetry.nodejs.contrastsecurity.com/';
+const TELEMETRY_VERSION = 'v0'; // TODO: set this to v1 when format is established.
+
+const {
+  CONTRAST_AGENT_TELEMETRY_OPTOUT,
+  CONTRAST_DEV,
+  CONTRAST_SCREENER
+} = process.env;
+
+// TODO: LINK
+const DISCLAIMER = `The Contrast Node Agent collects usage data in order to help us improve compatibility and security coverage.
+The data is anonymous and does not contain application data. It is collected by Contrast and is never shared.
+You can opt-out of telemetry by setting the CONTRAST_AGENT_TELEMETRY_OPTOUT environment variable to '1' or 'true'.
+`;
+// Read more about the Node Agent's telemetry: TODO
+// `;
+
+const LOG_MESSAGE = `Telemetry is now active.
+You can opt-out of telemetry by setting the CONTRAST_AGENT_TELEMETRY_OPTOUT environment variable to '1' or 'true'.
+`;
+
+module.exports = class Telemetry {
+  /**
+   * @param {import('./agent')} agent
+   * @param {any} config
+   */
+  constructor(agent, config) {
+    const { appInfo } = agent;
+    this.appInfo = appInfo;
+    this.config = config;
+    this.disabled =
+      CONTRAST_AGENT_TELEMETRY_OPTOUT === 'true' ||
+      CONTRAST_AGENT_TELEMETRY_OPTOUT === '1';
+
+    if (this.disabled) {
+      logger.info(
+        'Telemetry opt-out in effect. All usage data collection is suppressed.'
+      );
+      return;
+    }
+    this.printDisclaimer();
+
+    try {
+      // Returns the "first" valid MAC address for the machine, throwing if none
+      // is found.
+      const mac = getMac();
+
+      const hash = createHash('sha256').update(mac);
+      this.instanceId = hash.copy().digest('hex');
+      this.applicationId = hash.update(appInfo.name).digest('hex');
+    } catch (err) {
+      // If getMac fails we fall back to generating a UUID. "Unstable"
+      // identifiers such as these are prefixed with an underscore.
+      const id = uuid();
+
+      this.instanceId = `_${id}`;
+      this.applicationId = this.instanceId;
+    }
+
+    this.metrics = this.createMetricsClient();
+    this.tags = {
+      isCustomerEnv: this.isCustomerEnv(),
+      applicationId: this.applicationId,
+      osArch: appInfo.os.architecture,
+      osPlatform: appInfo.os.platform,
+      osRelease: appInfo.os.release,
+      isContainer: appInfo.isContainer,
+      agent: AGENT_INFO.NAME,
+      agentVersion: AGENT_INFO.VERSION,
+      isAssess: agent.isInAssessMode(),
+      isProtect: agent.isInDefendMode(),
+      nodeVersion: appInfo.nodeVersion,
+      nodeVersionMajor: appInfo.nodeVersionMajor,
+      telemetryVersion: TELEMETRY_VERSION
+    };
+
+    this.sendStartupData();
+  }
+
+  async printDisclaimer() {
+    const filePath = path.resolve(
+      findCacheDir({ name: AGENT_INFO.NAME }) || os.tmpdir(),
+      '.telemetry-disclaimer'
+    );
+
+    try {
+      await fs.stat(filePath);
+      // If we've previously shown our disclaimer we log the shorter message.
+      logger.info(LOG_MESSAGE);
+    } catch (err) {
+      // When there's no file `stat` throws an error. That means we haven't
+      // yet shown our disclaimer.
+      console.log(DISCLAIMER);
+      logger.info(DISCLAIMER);
+      try {
+        await fs.writeFile(filePath, DISCLAIMER);
+      } catch (err) {
+        // if we can't write, oh well.
+      }
+    }
+  }
+
+  /**
+   * @returns {import('axios').AxiosInstance}
+   */
+  createMetricsClient() {
+    const userAgent = `${AGENT_INFO.NAME}/${AGENT_INFO.VERSION}`;
+
+    return axios.create({
+      baseURL: new URL('/api/v1/telemetry/metrics/node', TELEMETRY_URL).href,
+      headers: {
+        'User-Agent': userAgent
+      }
+    });
+  }
+
+  /**
+   * Logic to determine whether we are reporting a customer's application.
+   * Naive for the time being.
+   * @returns {boolean}
+   */
+  isCustomerEnv() {
+    if (CONTRAST_SCREENER || CONTRAST_DEV) return false;
+    return true;
+  }
+
+  /**
+   * @param {string} path
+   * @param {{ [field: string]: number ]}} fields
+   */
+  async sendMetrics(path, fields) {
+    return this.metrics.post(path, [
+      {
+        timestamp: new Date().toISOString(),
+        instance: this.instanceId,
+        tags: this.tags,
+        fields
+      }
+    ]);
+  }
+
+  async sendStartupData() {
+    try {
+      // snapshotted when we send our startup data.
+      const memoryUsage = process.memoryUsage();
+
+      await this.sendMetrics('startup', {
+        numCpus: os.cpus().length,
+        memTotal: os.totalmem(),
+        memHeapTotal: memoryUsage.heapTotal,
+        memHeapUsed: memoryUsage.heapUsed,
+        memExternal: memoryUsage.external,
+        memRss: memoryUsage.rss,
+        uptime: process.uptime()
+      });
+    } catch (err) {
+      logger.warn('telemetry update failed: %s', err.toJSON());
+    }
+  }
+};

package/lib/util/traverse.js

@@ -158,24 +158,28 @@ function traverse(obj, fn, visitor, maxDepth) {
   traverseObject(obj, visitor, maxDepth);
 }
 
-function traverseObject(obj, visitor, remainingDepth = Infinity) {
-  if (!obj) {
+function traverseObject(obj, visitor, remainingDepth = 250, visited = new Set()) {
+  if (!obj || visited.has(obj)) {
     return;
   }
+
   if (visitor.path.length() < 1) {
     visitor.visit('', obj);
+    visited.add(obj);
   }
 
   // This is done just to reset the stack, without changing the current impletion
   if (remainingDepth == 0) {
     visitor.visit(null, null, true);
+    visited.add(obj);
     return;
   }
 
   Object.entries(obj).forEach(([key, value]) => {
     visitor.visit(key, value);
+    visited.add(obj);
     if (value && typeof value === 'object') {
-      traverseObject(value, visitor, remainingDepth - 1);
+      traverseObject(value, visitor, remainingDepth - 1, visited);
     }
   });
 }