@contrast/agent 4.12.2 → 4.14.0

package/bootstrap.js

@@ -47,9 +47,8 @@ Module.runMain = async function (...args) {
     loader.logTime(appStartTime, 'application');
     loader.logTime(startTime, 'agent & application');
   } catch (err) {
-    // eslint-disable-next-line no-console
     console.error(err);
-    // eslint-disable-next-line no-process-exit
-    process.exit(-1);
+    process.exit(-1); // eslint-disable-line no-process-exit
+
   }
 };

package/esm.mjs

@@ -24,45 +24,14 @@ if (enabled) {
 await loader.resetArgs(process.argv[0], process.argv[1]);
 const { readFile } = require('fs').promises;
 
-const path = require('path');
 const agent = require(`./lib/agent.js`);
 const logger = require(`./lib/core/logger/index.js`)('contrast:esm-loaders');
 const rewriter = require(`./lib/core/rewrite/index.js`)(agent);
 const helpers = require(`./lib/hooks/module/helpers.js`);
-const parent = require('parent-package-json');
+const getType = require(`./lib/util/get-file-type.js`);
 
 const loadedFromCache = new Set();
 
-function getType(url) {
-  const {protocol, pathname} = new URL(url);
-
-  let parentType = 'commonjs';
-  try {
-    parentType = parent(pathname).parse().type;
-  } catch (err) {
-    // Node assumes `commonjs ` if there's no `type` set in package.json
-  }
-
-  if (protocol === 'node:') {
-    return 'builtin';
-  }
-  if (protocol === 'file:') {
-    const ext = path.extname(pathname);
-    if (
-      ext === '.mjs' || 
-      (ext === '.js' && parentType === 'module')
-    ){
-        return 'module';
-      } 
-    else if (
-      ext === '.cjs' || 
-      (ext === '.js' && parentType !== 'module')
-    ){
-        return 'commonjs';
-      }
-  }
-  return 'unknown';
-}
 /**
  * The `getSource` hook is used to provide a custom method for retrieving source
  * code. In our case, we check for previously rewritten ESM files in our cache
@@ -156,10 +125,15 @@ export async function load(url, context, defaultLoad) {
   const filename = fileURLToPath(url);
 
   try {
+    let result;
     const cached = helpers.find(agent, filename);
-    const source = cached || await readFile(filename, 'utf8');
-    const result = rewriter.rewriteFile(source, filename, { sourceType: type === 'commonjs' ? 'script' : 'module' });
-    helpers.cacheWithSourceMap(agent, filename, result);
+    if (cached) {
+      result = { code: cached };
+    } else {
+      const source = await readFile(filename, 'utf8');
+      result = rewriter.rewriteFile(source, filename, { sourceType: type === 'commonjs' ? 'script' : 'module' });  
+      helpers.cacheWithSourceMap(agent, filename, result);
+    }
     return { format: type, source: result.code };
   } catch (err) {
     logger.error(

package/lib/assess/membrane/debraner.js

@@ -14,8 +14,6 @@ Copyright: 2022 Contrast Security, Inc
 */
 'use strict';
 
-/* eslint-disable prettier/prettier */
-
 const { PROXY_TARGET } = require('../../constants');
 
 class Debraner {

package/lib/assess/membrane/index.js

@@ -152,12 +152,10 @@ class Membrane {
   }
 
   includes(object) {
-    // eslint-disable-next-line prettier/prettier
     return this.members.has(object) || this.members.has(Membrane.unwrap(object));
   }
 
   getMapping(object) {
-    // eslint-disable-next-line prettier/prettier
     return this.members.get(object) || this.members.get(Membrane.unwrap(object));
   }
 
@@ -422,7 +420,7 @@ function copyMetadata(tar, prop, metadata) {
   });
 
   if (!nm.path) {
-    nm.path = prop || `''`;
+    nm.path = prop || "''";
   } else if (nm.isArray) {
     nm.path += `[${prop}]`;
   } else if (prop) {

package/lib/assess/models/tag-range/util.js

@@ -158,7 +158,7 @@ function trim(list, start, stop) {
   return trimmedList;
 }
 
-/* eslint-disable complexity */
+// eslint-disable-next-line complexity
 function trimInPlace(list, start, stop) {
   if (start < 0) {
     logger.debug(
@@ -205,7 +205,6 @@ function trimInPlace(list, start, stop) {
     }
   }
 }
-/* eslint-enable complexity */
 
 /**
  * Returns a filtered lists of TagRanges by type

package/lib/assess/policy/propagators.json

@@ -13,7 +13,7 @@
       "source": "P",
       "target": "R",
       "command": {
-         "type": "all"
+        "type": "all"
       }
     },
     "url.domainToUnicode": {
@@ -21,7 +21,7 @@
       "source": "P",
       "target": "R",
       "command": {
-         "type": "all"
+        "type": "all"
       }
     },
     "joi": {
@@ -65,6 +65,15 @@
         "type": "all"
       }
     },
+    "mysql2/lib/connection.Connection.escape": {
+      "enabled": true,
+      "source": "P",
+      "target": "R",
+      "tags": ["sql-encoded"],
+      "command": {
+        "type": "all"
+      }
+    },
     "mustache.escape": {
       "enabled": true,
       "provider": "./propagators/mustache/escape.js"
@@ -347,8 +356,8 @@
     },
     "process.__add": {
       "enabled": true,
-      "source":"P",
-      "target":"R",
+      "source": "P",
+      "target": "R",
       "command": {
         "type": "append"
       }

package/lib/assess/policy/rules.json

@@ -388,6 +388,48 @@
             ]
           }
         },
+        "mysql2/lib/connection.Connection.query": {
+          "type": "dataflow",
+          "enabled": true,
+          "conditions": {
+            "mode": "or",
+            "args": [
+              {
+                "index": 0,
+                "requiredTags": ["untrusted"],
+                "disallowedTags": ["sql-encoded", "limited-chars"]
+              },
+              {
+                "index": 0,
+                "depth": 1,
+                "exclusiveKeys": ["sql"],
+                "requiredTags": ["untrusted"],
+                "disallowedTags": ["sql-encoded", "limited-chars"]
+              }
+            ]
+          }
+        },
+        "mysql2/lib/connection.Connection.execute": {
+          "type": "dataflow",
+          "enabled": true,
+          "conditions": {
+            "mode": "or",
+            "args": [
+              {
+                "index": 0,
+                "requiredTags": ["untrusted"],
+                "disallowedTags": ["sql-encoded", "limited-chars"]
+              },
+              {
+                "index": 0,
+                "depth": 1,
+                "exclusiveKeys": ["sql"],
+                "requiredTags": ["untrusted"],
+                "disallowedTags": ["sql-encoded", "limited-chars"]
+              }
+            ]
+          }
+        },
         "pg.Connection.prototype.query": {
           "type": "dataflow",
           "enabled": true,

package/lib/assess/policy/signatures.json

@@ -171,6 +171,24 @@
       "methodName": "prototype.query",
       "isModule": true
     },
+    "mysql2/lib/connection.Connection.escape": {
+      "moduleName": "mysql2",
+      "fileName": "lib/connection.js",
+      "methodName": "prototype.escape",
+      "isModule": true
+    },
+    "mysql2/lib/connection.Connection.query": {
+      "moduleName": "mysql2",
+      "fileName": "lib/connection.js",
+      "methodName": "prototype.query",
+      "isModule": true
+    },
+    "mysql2/lib/connection.Connection.execute": {
+      "moduleName": "mysql2",
+      "fileName": "lib/connection.js",
+      "methodName": "prototype.execute",
+      "isModule": true
+    },
     "sequelize.prototype.query": {
       "moduleName": "sequelize",
       "version": ">=5.0.0",

package/lib/assess/policy/util.js

@@ -12,6 +12,8 @@ Copyright: 2022 Contrast Security, Inc
   engineered, modified, repackaged, sold, redistributed or otherwise used in a
   way not consistent with the End User License Agreement.
 */
+'use strict';
+
 /**
  * Contains helper functions used to manage the policy
  * Management of hooked functions that are defined in assess policies(e.g. deadzone.json, propagators.json, rules.json)
@@ -184,7 +186,6 @@ utils.patch = function(obj, path, props, hookOptions) {
 // this triggers, it /should/ be patched anyways.
 const refs = new WeakSet();
 
-/* eslint-disable complexity */
 /**
  * Recursively patch all exports on objects and classes
  * note cyclomatic check disabled because there's no place to break
@@ -195,6 +196,7 @@ const refs = new WeakSet();
  * @param   {number}          depth       current recursion depth
  * @returns {Object|function}             returns original reference but patched
  */
+// eslint-disable-next-line complexity
 utils.patchRecursive = function(obj, hookOptions, depth) {
   let protoNeedsPatch = false;
   let propertyNames; // scoped value so that this doesn't need to be called twice.
@@ -242,7 +244,6 @@ utils.patchRecursive = function(obj, hookOptions, depth) {
 
   return obj;
 };
-/* eslint-enable complexity */
 
 /**
  * Patches either global module or a resolved

package/lib/assess/propagators/JSON/stringify.js

@@ -44,14 +44,12 @@ const patcher = require('../../../hooks/patcher');
 const { PATCH_TYPES } = require('../../../constants');
 
 function makeCanary() {
-  /* eslint-disable prettier/prettier */
   return crypto
-      .randomBytes(12)
-      .toString('base64')
-      // map regex special chars to other chars
-      .replace(/\+/g, '%')
-      .replace(/\//g, '#');
-  /* eslint-enable prettier/prettier */
+    .randomBytes(12)
+    .toString('base64')
+    // map regex special chars to other chars
+    .replace(/\+/g, '%')
+    .replace(/\//g, '#');
 }
 
 // read canary as if the word was "marker". it's just a string inserted into the values
@@ -233,8 +231,7 @@ module.exports.handle = function() {
           if (isString(value)) {
             // make skeletal version of valProperties with only the tagRanges prop.
             data.metadata[id] =
-              // eslint-disable-next-line prettier/prettier
-            { tagRanges: [new TagRange(0, value.length - 1, '')] };
+              { tagRanges: [new TagRange(0, value.length - 1, '')] };
             value = `${canary}${id}~${value}`;
             id++;
           }
@@ -333,7 +330,6 @@ module.exports.handle = function() {
       // this check is required only for tests, i believe. sourceEvents should
       // always exist, even if an empty array, for production code.
       if (metadata.sourceEvents && !metadata.sourceEvents.length) {
-        // eslint-disable-next-line prettier/prettier
         const { sourceEvents, braned } = data.metadata;
         if (braned) {
           sourceEvents.push(
@@ -381,7 +377,6 @@ module.exports.handle = function() {
       // we only find our marker at the start of a string value.
       canaryReplacementDiff += m.length - 1;
       for (const tr of metadata[id].tagRanges) {
-        // eslint-disable-next-line prettier/prettier
         tagRanges.push(new TagRange(tr.start + offset, tr.stop + offset, tr.tag));
       }
 

package/lib/assess/propagators/ajv/conditionals.js

@@ -31,7 +31,6 @@ function executeConditionals(schema) {
       // if the conditional has a validator to check its schema, do it.
       if (conditional.validator) {
         if (!conditional.validator(schema[key])) {
-          // eslint-disable-next-line prettier/prettier
           this.logger.trace(`conditional schema ${key} not valid`);
           continue;
         }
@@ -44,7 +43,6 @@ function executeConditionals(schema) {
   }
 
   if ('if' in schema) {
-    // eslint-disable-next-line prettier/prettier
     valid = handleIfThenElse.call(this, schema.if, schema.then, schema.else) && valid;
   }
 
@@ -158,7 +156,6 @@ const conditionalDispatch = new Map([
   ['allOf', { method: handleAllOf, validator: nonEmptyArray }]
 ]);
 
-/* eslint-enable prettier/prettier */
 const conditionals = [...conditionalDispatch.keys()];
 
 module.exports = {

package/lib/assess/propagators/ajv/json-schema-type-evaluators.js

@@ -32,12 +32,11 @@ function t_boolean(schema, ctx) {
   return typeof ctx.data === 'boolean';
 }
 
-/* eslint-disable complexity */
 //
 // type: number, integer
 //
+// eslint-disable-next-line complexity
 function t_number(schema, ctx) {
-  /* eslint-disable prettier/prettier */
 
   // ajv's number evaluation order
   // integer (if type: integer)
@@ -83,7 +82,6 @@ function t_number(schema, ctx) {
   if ('multipleOf' in schema && (ctx.data / schema.multipleOf) % 1 !== 0) {
     valid = false;
   }
-  /* eslint-enable prettier/prettier */
 
   return valid;
 }
@@ -91,6 +89,7 @@ function t_number(schema, ctx) {
 //
 // type: string
 //
+// eslint-disable-next-line complexity
 function t_string(schema, ctx) {
   // ajv's string evaluation order
   // maxLength
@@ -134,6 +133,7 @@ function t_string(schema, ctx) {
 //
 // type: array
 //
+// eslint-disable-next-line complexity
 function t_array(schema, ctx) {
   if (!Array.isArray(ctx.data)) {
     return false;
@@ -248,6 +248,7 @@ function elementsAreUnique(data) {
 //
 // type: object
 //
+// eslint-disable-next-line complexity
 function t_object(schema, ctx) {
   if (typeof ctx.data !== 'object') {
     return false;
@@ -431,6 +432,7 @@ function* matching(patternProps, prop, ctx) {
 //
 // type: object helper
 //
+// eslint-disable-next-line complexity
 function evaluateObjectDependencies(schema, ctx) {
   const deps = schema.dependencies;
   let valid = true;
@@ -455,7 +457,6 @@ function evaluateObjectDependencies(schema, ctx) {
       }
       // it's an array! if key is present in this.data then all the properties
       // enumerated in the array (they're strings) must be present in this.data.
-      // eslint-disable-next-line prettier/prettier
       if (key in ctx.data && !dep.every((requiredProp) => requiredProp in ctx.data)) {
         // allErrors: true - check ajv's handling
         valid = false;

package/lib/assess/propagators/ajv/refs.js

@@ -40,7 +40,7 @@ const { objectWalk, objectOnlyWalk } = require('./object-walk');
 // when userSchema sees '#/$defs/street' it tries to dereference it as a *local* reference
 // because it has lost the addressSchema context.
 //
-/* eslint-disable complexity */
+// eslint-disable-next-line complexity
 function evalInRefSchema(ref) {
   const ctx = this;
   const ix = ref.indexOf('#');
@@ -194,7 +194,6 @@ function findNoHashRef(ref, ctx) {
   // yes, really.
 
   // try simple path replacement first.
-  // eslint-disable-next-line node/no-deprecated-api
   const urlParts = url.parse(ref);
   if (schemaUrl && !urlParts.host && urlParts.path === ref) {
     const newRef = `${schemaUrl.origin}/${ref}`;

package/lib/assess/propagators/ajv/schema-context.js

@@ -19,8 +19,6 @@ const { evalInRefSchema } = require('./refs');
 const fastDeepEqual = require('fast-deep-equal');
 const { objectWalk } = require('./object-walk');
 
-/* eslint-disable complexity */
-
 class SchemaContext {
   constructor(shadow, schema, object, key, options) {
     const schemaName = schema.$id || '';
@@ -107,6 +105,7 @@ class SchemaContext {
    * @param {object} ctx context for the evaluation, as defined above in evaluate().
    * @returns {boolean} validation result
    */
+  // eslint-disable-next-line complexity
   evaluate(schema) {
     this.inferredType = false;
     // don't do any validation of strings if the schema is boolean. while
@@ -165,6 +164,7 @@ class SchemaContext {
     return false;
   }
 
+  // eslint-disable-next-line complexity
   typeSpecificEval(schema) {
     const { type } = this;
 
@@ -374,7 +374,6 @@ class SchemaContext {
 
 const t = require('./json-schema-type-evaluators');
 
-/* eslint-disable prettier/prettier */
 // map each JSON Schema type to the method name for it
 SchemaContext.typeDispatch = new Map([
   ['null', { method: t.null, enumerator: 'scalarEnum' }],

package/lib/assess/propagators/joi/any.js

@@ -32,7 +32,7 @@ requireHook.resolve(
       patchType: ASSESS_PROPAGATOR,
       alwaysRun: true,
       post(data) {
-        if (!agent.config.agent.trust_custom_validators) return;
+        if (!agent.config.assess.trust_custom_validators) return;
 
         if (data.result && typeof data.result === 'string') {
           tracker.untrack(data.result);

package/lib/assess/propagators/joi/object.js

@@ -49,7 +49,7 @@ requireHook.resolve(
       patchType: ASSESS_PROPAGATOR,
       alwaysRun: true,
       post(data) {
-        if (!agent.config.agent.trust_custom_validators) return;
+        if (!agent.config.assess.trust_custom_validators) return;
 
         data.result.then((result) =>
           traverseObjectAndUntrack(data.obj, data.args[0], result),

package/lib/assess/propagators/joi/string-base.js

@@ -26,6 +26,12 @@ const TagRange = require('../../models/tag-range');
 const tagRangeUtil = require('../../models/tag-range/util');
 const agent = require('../../../agent');
 
+const areThereRules = (obj) =>
+  obj &&
+  obj.schema &&
+  Array.isArray(obj.schema._rules) &&
+  obj.schema._rules.length > 0;
+
 /**
  * Patch joi.string.validate so that it tags input with string-type-checked if validated
  * @param {Object} string
@@ -38,11 +44,18 @@ function instrumentJoiString(string) {
       patchType: ASSESS_PROPAGATOR,
       post(data) {
         const trackingData = tracker.getData(data.args[0]);
+        if (
+          areThereRules(data.args[1]) &&
+          data.args[1].schema._rules.find((rule) => rule.name === 'pattern') &&
+          !agent.config.assess.trust_custom_validators
+        )
+          return;
+
         if (data.result === undefined && trackingData) {
           const { event } = trackingData;
           trackingData.tagRanges = tagRangeUtil.add(
             trackingData.tagRanges,
-            new TagRange(0, data.args[0].length - 1, 'string-type-checked'),
+            new TagRange(0, data.args[0].length - 1, 'string-type-checked')
           );
           trackingData.event = new PropagationEvent({
             context: new CallContext(data),
@@ -63,7 +76,7 @@ function instrumentJoiString(string) {
     post(data) {
       if (
         !data.obj.$_terms.externals.length ||
-        !agent.config.agent.trust_custom_validators
+        !agent.config.assess.trust_custom_validators
       )
         return;
 
@@ -77,5 +90,5 @@ function instrumentJoiString(string) {
 
 requireHook.resolve(
   { name: 'joi', file: 'lib/types/string.js', version: '>=17.0.0' },
-  instrumentJoiString,
+  instrumentJoiString
 );

package/lib/assess/propagators/mongoose/map.js

@@ -52,7 +52,7 @@ requireHook.resolve(
   (SchemaMap) => {
     if (
       !agent.config ||
-      (agent.config && !agent.config.agent.trust_custom_validators)
+      (agent.config && !agent.config.assess.trust_custom_validators)
     ) {
       return;
     }

package/lib/assess/propagators/mongoose/mixed.js

@@ -61,7 +61,7 @@ requireHook.resolve(
   (SchemaMap) => {
     if (
       !agent.config ||
-      (agent.config && !agent.config.agent.trust_custom_validators)
+      (agent.config && !agent.config.assess.trust_custom_validators)
     ) {
       return;
     }

package/lib/assess/propagators/mongoose/string.js

@@ -101,7 +101,7 @@ requireHook.resolve(
   (SchemaString) => {
     if (
       !agent.config ||
-      (agent.config && !agent.config.agent.trust_custom_validators)
+      (agent.config && !agent.config.assess.trust_custom_validators)
     ) {
       return;
     }