@contrast/agent 4.12.1 → 4.13.1

package/bootstrap.js

@@ -47,9 +47,8 @@ Module.runMain = async function (...args) {
     loader.logTime(appStartTime, 'application');
     loader.logTime(startTime, 'agent & application');
   } catch (err) {
-    // eslint-disable-next-line no-console
     console.error(err);
-    // eslint-disable-next-line no-process-exit
-    process.exit(-1);
+    process.exit(-1); // eslint-disable-line no-process-exit
+
   }
 };

package/esm.mjs

@@ -24,45 +24,14 @@ if (enabled) {
 await loader.resetArgs(process.argv[0], process.argv[1]);
 const { readFile } = require('fs').promises;
 
-const path = require('path');
 const agent = require(`./lib/agent.js`);
 const logger = require(`./lib/core/logger/index.js`)('contrast:esm-loaders');
 const rewriter = require(`./lib/core/rewrite/index.js`)(agent);
 const helpers = require(`./lib/hooks/module/helpers.js`);
-const parent = require('parent-package-json');
+const getType = require(`./lib/util/get-file-type.js`);
 
 const loadedFromCache = new Set();
 
-function getType(url) {
-  const {protocol, pathname} = new URL(url);
-
-  let parentType = 'commonjs';
-  try {
-    parentType = parent(pathname).parse().type;
-  } catch (err) {
-    // Node assumes `commonjs ` if there's no `type` set in package.json
-  }
-
-  if (protocol === 'node:') {
-    return 'builtin';
-  }
-  if (protocol === 'file:') {
-    const ext = path.extname(pathname);
-    if (
-      ext === '.mjs' || 
-      (ext === '.js' && parentType === 'module')
-    ){
-        return 'module';
-      } 
-    else if (
-      ext === '.cjs' || 
-      (ext === '.js' && parentType !== 'module')
-    ){
-        return 'commonjs';
-      }
-  }
-  return 'unknown';
-}
 /**
  * The `getSource` hook is used to provide a custom method for retrieving source
  * code. In our case, we check for previously rewritten ESM files in our cache
@@ -156,10 +125,15 @@ export async function load(url, context, defaultLoad) {
   const filename = fileURLToPath(url);
 
   try {
+    let result;
     const cached = helpers.find(agent, filename);
-    const source = cached || await readFile(filename, 'utf8');
-    const result = rewriter.rewriteFile(source, filename, { sourceType: type === 'commonjs' ? 'script' : 'module' });
-    helpers.cacheWithSourceMap(agent, filename, result);
+    if (cached) {
+      result = { code: cached };
+    } else {
+      const source = await readFile(filename, 'utf8');
+      result = rewriter.rewriteFile(source, filename, { sourceType: type === 'commonjs' ? 'script' : 'module' });  
+      helpers.cacheWithSourceMap(agent, filename, result);
+    }
     return { format: type, source: result.code };
   } catch (err) {
     logger.error(

package/lib/assess/membrane/debraner.js

@@ -14,8 +14,6 @@ Copyright: 2022 Contrast Security, Inc
 */
 'use strict';
 
-/* eslint-disable prettier/prettier */
-
 const { PROXY_TARGET } = require('../../constants');
 
 class Debraner {

package/lib/assess/membrane/index.js

@@ -152,12 +152,10 @@ class Membrane {
   }
 
   includes(object) {
-    // eslint-disable-next-line prettier/prettier
     return this.members.has(object) || this.members.has(Membrane.unwrap(object));
   }
 
   getMapping(object) {
-    // eslint-disable-next-line prettier/prettier
     return this.members.get(object) || this.members.get(Membrane.unwrap(object));
   }
 
@@ -422,7 +420,7 @@ function copyMetadata(tar, prop, metadata) {
   });
 
   if (!nm.path) {
-    nm.path = prop || `''`;
+    nm.path = prop || "''";
   } else if (nm.isArray) {
     nm.path += `[${prop}]`;
   } else if (prop) {

package/lib/assess/models/base-event.js

@@ -83,7 +83,7 @@ class BaseEvent {
     this.parents = sortEvents(this.parents);
 
     this.parents.forEach((p) => {
-      if (!set.has(p)) {
+      if (p && !set.has(p)) {
         set = p.getAllParents(set);
         set.add(p);
       }

package/lib/assess/models/tag-range/util.js

@@ -158,7 +158,7 @@ function trim(list, start, stop) {
   return trimmedList;
 }
 
-/* eslint-disable complexity */
+// eslint-disable-next-line complexity
 function trimInPlace(list, start, stop) {
   if (start < 0) {
     logger.debug(
@@ -205,7 +205,6 @@ function trimInPlace(list, start, stop) {
     }
   }
 }
-/* eslint-enable complexity */
 
 /**
  * Returns a filtered lists of TagRanges by type

package/lib/assess/policy/util.js

@@ -12,6 +12,8 @@ Copyright: 2022 Contrast Security, Inc
   engineered, modified, repackaged, sold, redistributed or otherwise used in a
   way not consistent with the End User License Agreement.
 */
+'use strict';
+
 /**
  * Contains helper functions used to manage the policy
  * Management of hooked functions that are defined in assess policies(e.g. deadzone.json, propagators.json, rules.json)
@@ -184,7 +186,6 @@ utils.patch = function(obj, path, props, hookOptions) {
 // this triggers, it /should/ be patched anyways.
 const refs = new WeakSet();
 
-/* eslint-disable complexity */
 /**
  * Recursively patch all exports on objects and classes
  * note cyclomatic check disabled because there's no place to break
@@ -195,6 +196,7 @@ const refs = new WeakSet();
  * @param   {number}          depth       current recursion depth
  * @returns {Object|function}             returns original reference but patched
  */
+// eslint-disable-next-line complexity
 utils.patchRecursive = function(obj, hookOptions, depth) {
   let protoNeedsPatch = false;
   let propertyNames; // scoped value so that this doesn't need to be called twice.
@@ -242,7 +244,6 @@ utils.patchRecursive = function(obj, hookOptions, depth) {
 
   return obj;
 };
-/* eslint-enable complexity */
 
 /**
  * Patches either global module or a resolved

package/lib/assess/propagators/JSON/stringify.js

@@ -44,14 +44,12 @@ const patcher = require('../../../hooks/patcher');
 const { PATCH_TYPES } = require('../../../constants');
 
 function makeCanary() {
-  /* eslint-disable prettier/prettier */
   return crypto
-      .randomBytes(12)
-      .toString('base64')
-      // map regex special chars to other chars
-      .replace(/\+/g, '%')
-      .replace(/\//g, '#');
-  /* eslint-enable prettier/prettier */
+    .randomBytes(12)
+    .toString('base64')
+    // map regex special chars to other chars
+    .replace(/\+/g, '%')
+    .replace(/\//g, '#');
 }
 
 // read canary as if the word was "marker". it's just a string inserted into the values
@@ -233,8 +231,7 @@ module.exports.handle = function() {
           if (isString(value)) {
             // make skeletal version of valProperties with only the tagRanges prop.
             data.metadata[id] =
-              // eslint-disable-next-line prettier/prettier
-            { tagRanges: [new TagRange(0, value.length - 1, '')] };
+              { tagRanges: [new TagRange(0, value.length - 1, '')] };
             value = `${canary}${id}~${value}`;
             id++;
           }
@@ -333,7 +330,6 @@ module.exports.handle = function() {
       // this check is required only for tests, i believe. sourceEvents should
       // always exist, even if an empty array, for production code.
       if (metadata.sourceEvents && !metadata.sourceEvents.length) {
-        // eslint-disable-next-line prettier/prettier
         const { sourceEvents, braned } = data.metadata;
         if (braned) {
           sourceEvents.push(
@@ -381,7 +377,6 @@ module.exports.handle = function() {
       // we only find our marker at the start of a string value.
       canaryReplacementDiff += m.length - 1;
       for (const tr of metadata[id].tagRanges) {
-        // eslint-disable-next-line prettier/prettier
         tagRanges.push(new TagRange(tr.start + offset, tr.stop + offset, tr.tag));
       }
 

package/lib/assess/propagators/ajv/conditionals.js

@@ -31,7 +31,6 @@ function executeConditionals(schema) {
       // if the conditional has a validator to check its schema, do it.
       if (conditional.validator) {
         if (!conditional.validator(schema[key])) {
-          // eslint-disable-next-line prettier/prettier
           this.logger.trace(`conditional schema ${key} not valid`);
           continue;
         }
@@ -44,7 +43,6 @@ function executeConditionals(schema) {
   }
 
   if ('if' in schema) {
-    // eslint-disable-next-line prettier/prettier
     valid = handleIfThenElse.call(this, schema.if, schema.then, schema.else) && valid;
   }
 
@@ -158,7 +156,6 @@ const conditionalDispatch = new Map([
   ['allOf', { method: handleAllOf, validator: nonEmptyArray }]
 ]);
 
-/* eslint-enable prettier/prettier */
 const conditionals = [...conditionalDispatch.keys()];
 
 module.exports = {

package/lib/assess/propagators/ajv/json-schema-type-evaluators.js

@@ -32,12 +32,11 @@ function t_boolean(schema, ctx) {
   return typeof ctx.data === 'boolean';
 }
 
-/* eslint-disable complexity */
 //
 // type: number, integer
 //
+// eslint-disable-next-line complexity
 function t_number(schema, ctx) {
-  /* eslint-disable prettier/prettier */
 
   // ajv's number evaluation order
   // integer (if type: integer)
@@ -83,7 +82,6 @@ function t_number(schema, ctx) {
   if ('multipleOf' in schema && (ctx.data / schema.multipleOf) % 1 !== 0) {
     valid = false;
   }
-  /* eslint-enable prettier/prettier */
 
   return valid;
 }
@@ -91,6 +89,7 @@ function t_number(schema, ctx) {
 //
 // type: string
 //
+// eslint-disable-next-line complexity
 function t_string(schema, ctx) {
   // ajv's string evaluation order
   // maxLength
@@ -134,6 +133,7 @@ function t_string(schema, ctx) {
 //
 // type: array
 //
+// eslint-disable-next-line complexity
 function t_array(schema, ctx) {
   if (!Array.isArray(ctx.data)) {
     return false;
@@ -248,6 +248,7 @@ function elementsAreUnique(data) {
 //
 // type: object
 //
+// eslint-disable-next-line complexity
 function t_object(schema, ctx) {
   if (typeof ctx.data !== 'object') {
     return false;
@@ -431,6 +432,7 @@ function* matching(patternProps, prop, ctx) {
 //
 // type: object helper
 //
+// eslint-disable-next-line complexity
 function evaluateObjectDependencies(schema, ctx) {
   const deps = schema.dependencies;
   let valid = true;
@@ -455,7 +457,6 @@ function evaluateObjectDependencies(schema, ctx) {
       }
       // it's an array! if key is present in this.data then all the properties
       // enumerated in the array (they're strings) must be present in this.data.
-      // eslint-disable-next-line prettier/prettier
       if (key in ctx.data && !dep.every((requiredProp) => requiredProp in ctx.data)) {
         // allErrors: true - check ajv's handling
         valid = false;

package/lib/assess/propagators/ajv/refs.js

@@ -40,7 +40,7 @@ const { objectWalk, objectOnlyWalk } = require('./object-walk');
 // when userSchema sees '#/$defs/street' it tries to dereference it as a *local* reference
 // because it has lost the addressSchema context.
 //
-/* eslint-disable complexity */
+// eslint-disable-next-line complexity
 function evalInRefSchema(ref) {
   const ctx = this;
   const ix = ref.indexOf('#');
@@ -194,7 +194,6 @@ function findNoHashRef(ref, ctx) {
   // yes, really.
 
   // try simple path replacement first.
-  // eslint-disable-next-line node/no-deprecated-api
   const urlParts = url.parse(ref);
   if (schemaUrl && !urlParts.host && urlParts.path === ref) {
     const newRef = `${schemaUrl.origin}/${ref}`;

package/lib/assess/propagators/ajv/schema-context.js

@@ -19,8 +19,6 @@ const { evalInRefSchema } = require('./refs');
 const fastDeepEqual = require('fast-deep-equal');
 const { objectWalk } = require('./object-walk');
 
-/* eslint-disable complexity */
-
 class SchemaContext {
   constructor(shadow, schema, object, key, options) {
     const schemaName = schema.$id || '';
@@ -107,6 +105,7 @@ class SchemaContext {
    * @param {object} ctx context for the evaluation, as defined above in evaluate().
    * @returns {boolean} validation result
    */
+  // eslint-disable-next-line complexity
   evaluate(schema) {
     this.inferredType = false;
     // don't do any validation of strings if the schema is boolean. while
@@ -165,6 +164,7 @@ class SchemaContext {
     return false;
   }
 
+  // eslint-disable-next-line complexity
   typeSpecificEval(schema) {
     const { type } = this;
 
@@ -374,7 +374,6 @@ class SchemaContext {
 
 const t = require('./json-schema-type-evaluators');
 
-/* eslint-disable prettier/prettier */
 // map each JSON Schema type to the method name for it
 SchemaContext.typeDispatch = new Map([
   ['null', { method: t.null, enumerator: 'scalarEnum' }],

package/lib/assess/propagators/path/common.js

@@ -59,23 +59,31 @@ function splitString(str, win32) {
  * @param {number} offset offset of full arg from result of path.resolve
  * @param {string} segment path segment from one of the args to path.resolve
  */
-function getSegmentOffset({ str, evaluator }, offset, segment, win32) {
+// eslint-disable-next-line complexity
+function getSegmentOffset({ meta: { str, evaluator }, offset, segment, win32, validateAgainstResult }) {
   // as the segments in each arg and in the result get traversed,
   // winnow away the string to ensure we are finding the proper
   // segment within the path
   const substr = str.substring(offset);
-  let segmentOffset = substr.indexOf(segment);
+  const { sep } = path[win32 ? 'win32' : 'posix'];
+  let segmentOffset;
+  // Sometimes the segment starts with a separator, but the path method removes the initial separator if the path is not absolute
+  if (validateAgainstResult && segment.startsWith(sep) && offset == 0 && !['\\', '/', '.'].includes(substr[0]) && !['\\', '/'].includes(segment)) {
+    segment = segment.slice(1);
+  }
+  segmentOffset = substr.indexOf(segment);
+
   // If tracking separators, evaluator will fail on extensions
   if (substr === `.${segment}`) {
-    return segmentOffset + offset;
+    return { offset: segmentOffset + offset, value: segment };
   }
+
   // Adjust offset if the segment does not start with a separator
-  const { sep } = path[win32 ? 'win32' : 'posix'];
   if (substr.startsWith(sep) && !segment.startsWith(sep)) {
     segmentOffset--;
   }
 
-  return evaluator(segmentOffset) ? segmentOffset + offset : -1;
+  return { offset: evaluator(segmentOffset) ? segmentOffset + offset : -1, value: segment };
 }
 
 /**
@@ -215,15 +223,19 @@ function filterSegmentsAndCalculateOffset(
         additionalOffset = hasChange ? (sepAdded ? 1 : -1) : 0;
       }
 
-      const offset = getSegmentOffset(
-        resultMeta,
-        accumulator.offset + additionalOffset + accumulator.fileDotSeparator,
+
+      const validatedSegment = getSegmentOffset({
+        meta: resultMeta,
+        offset: accumulator.offset + additionalOffset + accumulator.fileDotSeparator,
         segment,
-        win32
-      );
+        win32,
+        validateAgainstResult: true
+      });
+
+      const { offset: segmentOffset, value: segmentValue } = validatedSegment;
 
       // no reason to proceed if segment is not in final result
-      if (offset === -1) {
+      if (segmentOffset === -1) {
         if (hasChange) {
           additionalOffset = 0;
           accumulator.isModified = false;
@@ -233,12 +245,11 @@ function filterSegmentsAndCalculateOffset(
       }
 
       // in case we have a file we need to increment the offset
-      if (resultMeta.str[offset + segment.length] === '.') {
+      if (resultMeta.str[segmentOffset + segmentValue.length] === '.') {
         accumulator.fileDotSeparator = 1;
       }
-
-      validSegments.push(segment);
-      accumulator.offset = calculateNewOffset(accumulator.offset, segment);
+      validSegments.push(validatedSegment);
+      accumulator.offset = calculateNewOffset(accumulator.offset, segmentValue);
       accumulator.isModified = true;
 
       return accumulator;
@@ -280,26 +291,20 @@ function adjustTagsToPart(resultMeta, argMeta, win32, data, index) {
   resultMeta.offset += additionalOffset;
 
   return segments.reduce((newTags, segment) => {
-    const offset = getSegmentOffset(
-      resultMeta,
-      resultMeta.offset,
-      segment,
-      win32
-    );
-
-    const argOffset = getSegmentOffset(argMeta, argMeta.offset, segment, win32);
+    const { offset, value: segmentValue } = segment;
+    const { offset: argOffset } = getSegmentOffset({ meta: argMeta, offset: argMeta.offset, segment: segmentValue, win32, validateAgainstResult: false });
 
     // updating the offset
-    resultMeta.offset = calculateNewOffset(resultMeta.offset, segment);
-    argMeta.offset = calculateNewOffset(argMeta.offset, segment);
+    resultMeta.offset = calculateNewOffset(resultMeta.offset, segmentValue);
+    argMeta.offset = calculateNewOffset(argMeta.offset, segmentValue);
 
     // in case we have a file we need to increment the offset
-    if (resultMeta.str[offset + segment.length] === '.') {
+    if (resultMeta.str[offset + segment.value.length] === '.') {
       resultMeta.offset += 1;
     }
 
     tagRanges.forEach((tag) => {
-      if (!isWithinTag(segment, argOffset, tag)) return;
+      if (!isWithinTag(segmentValue, argOffset, tag)) return;
 
       const start = adjustStart({
         tag,
@@ -310,7 +315,7 @@ function adjustTagsToPart(resultMeta, argMeta, win32, data, index) {
         tag,
         argOffset,
         offset,
-        segment
+        segment: segmentValue
       });
 
       newTags.push(new TagRange(start, stop, tag.tag));
@@ -327,6 +332,7 @@ function propagate({ resultMeta, data, win32 }) {
 
   data.args.forEach((arg, index) => {
     const argData = tracker.getData(arg);
+
     maybeUpdateResultMeta({ resultMeta, index, arg });
 
     const argMeta = {
@@ -354,7 +360,10 @@ function propagate({ resultMeta, data, win32 }) {
 }
 
 function getResultMeta(data, method) {
-  const offset = path.win32.isAbsolute(data.args[0]) ? 0 : process.cwd().length;
+  let offset = 0;
+  if (method === 'resolve' && !path.win32.isAbsolute(data.args[0])) {
+    offset = process.cwd().length;
+  }
 
   return {
     method: `path.${method}`,

package/lib/assess/propagators/path/resolve.js

@@ -19,6 +19,7 @@ const patcher = require('../../../hooks/patcher');
 const { PATCH_TYPES } = require('../../../constants');
 const { propagate, absolutePath, getResultMeta } = require('./common');
 
+
 /**
  * Entry point to propagator provider
  * This instruments path.resolve on

package/lib/assess/propagators/sequelize/utils.js

@@ -30,8 +30,7 @@ module.exports.isTracked = function isTracked(value) {
  * Function to get sql-string export. Caches the export on first call.
  */
 module.exports.getSequelizeString = function() {
-  // eslint-disable-next-line node/no-unpublished-require
-  const data = require('sequelize/lib/sql-string');
+  const data = require('sequelize/lib/sql-string'); // eslint-disable-line node/no-unpublished-require
   module.exports.getSequelizeString = () => data;
   return data;
 };

package/lib/assess/propagators/v8/init-hooks.js

@@ -14,7 +14,6 @@ Copyright: 2022 Contrast Security, Inc
 */
 'use strict';
 
-// eslint-disable-next-line no-unused-vars
 const logger = require('../../../core/logger')('contrast:v8:propagator');
 const tracker = require('../../../tracker');
 const patcher = require('../../../hooks/patcher');