@contrast/agent 4.15.0 → 4.15.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/lib/libraries.js
@@ -124,7 +124,7 @@ const getLibInfo = async (agent, eluEnabled) =>
|
|
|
124
124
|
|
|
125
125
|
if (!nodeModsPath) {
|
|
126
126
|
logger.error(
|
|
127
|
-
|
|
127
|
+
'unable to read installed dependencies because a node_modules directory could not be detected given a package.json located at %s - use the agent.node.app_root configuration variable if installed in non-standard location',
|
|
128
128
|
agent.appInfo.path
|
|
129
129
|
);
|
|
130
130
|
return AppUpdate.libraries;
|
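--- a/package/lib/protect/service.js
+++ b/package/lib/protect/service.js
@@ -198,7 +198,6 @@ class ProtectService {
 }
 
 const arg = {
-rules,
 // header names must be lowercase. should this be done in agent-lib?
 headers: req.rawHeaders.map((h, ix) => (ix & 1 ? h : h.toLowerCase()))
 };
@@ -208,7 +207,7 @@ class ProtectService {
 arg.queries = req.url.slice(questionMark + 1);
 }
 
-const findings = this.agentLib.scoreRequestConnect(arg, evalOptions);
+const findings = this.agentLib.scoreRequestConnect(rules, arg, evalOptions);
 
 return findings;
 }
@@ -813,9 +812,9 @@ class ProtectService {
 // for each key, check out the value. the key is set in the code so
 // is not vulnerable.
 for (const key in params) {
-// items from scoreAtom()
+// items from scoreAtom() return only [{ruleId, score}, ...] because the key
 // and inputType are already known and there is no path.
-const items = this.agentLib.scoreAtom(params[key], type
+const items = this.agentLib.scoreAtom(libRules, params[key], type);
 if (!items) {
 continue;
 }
@@ -865,7 +864,7 @@ class ProtectService {
 const filenames = Object.keys(event.data);
 
 for (const filename of filenames) {
-const items = this.agentLib.scoreAtom(filename, type
+const items = this.agentLib.scoreAtom(libRules, filename, type);
 if (!items) {
 continue;
 }
@@ -899,12 +898,9 @@ class ProtectService {
 queries.unshift(...q); return queries;
 }, []);
 
-const arg = {
-rules: rulesMask,
-queries,
-};
+const arg = { queries };
 
-const findings = this.agentLib.scoreRequestConnect(arg, evalOptions);
+const findings = this.agentLib.scoreRequestConnect(rulesMask, arg, evalOptions);
 
 this.handleAgentLibAnalysis({
 asyncStorageContext: event._ctxt,
@@ -920,8 +916,9 @@ class ProtectService {
 acc.unshift(key, value);
 return acc;
 }, []);
-const
-const
+const rulesMask = this.getRulesMask(rules);
+const arg = { cookies };
+const findings = this.agentLib.scoreRequestConnect(rulesMask, arg, evalOptions);
 this.handleAgentLibAnalysis({
 asyncStorageContext: event._ctxt,
 appContext: {},
@@ -1167,7 +1164,7 @@ class ProtectService {
 const { _type, _value: input } = finding.sample.input;
 const type = this.agentLib.InputType[_type];
 
-const alFinding = this.agentLib.scoreAtom(input, type
+const alFinding = this.agentLib.scoreAtom(agentLibBit, input, type);
 if (!alFinding) {
 return false;
 }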
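Review bot: The first argument handed to `scoreRequestConnect` at new line 210 is `rules`, whereas the other updated call sites pass `rulesMask` obtained from `this.getRulesMask(rules)` (new lines 903 and 921) or `agentLibBit` (new line 1167); if `rules` at line 210 is a rule list rather than the mask the 3.x agent-lib expects, that call evaluates the wrong rule set without any error, because nothing checks the argument's type. Either naming that value `rulesMask` or adding `// rules is already a bitmask here` next to the call would make the contract visible at each site. Since the bump of `@contrast/agent-lib` to `^3.0.0` moves the rules parameter to the front of both `scoreRequestConnect` and `scoreAtom`, any call site elsewhere in this file that still uses the old argument shape would mis-score rather than throw, so a unit test pinning the new argument order is worth adding alongside this change. The methods containing these hunks start outside the hunks, and `libRules` (new lines 817 and 867) is defined outside them too.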
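--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -13,9 +13,10 @@ Copyright: 2022 Contrast Security, Inc
 way not consistent with the End User License Agreement.
 */
 'use strict';
-const readdir = require('recursive-readdir');
 const LibraryManifest = require('./library-manifest');
 const logger = require('../../../core/logger')('contrast:libraries');
+const fs = require('fs');
+const pathModule = require('path');
 
 module.exports = class Library {
 /**
@@ -53,7 +54,7 @@ module.exports = class Library {
 manifest: this.manifest.toSerializable(),
 usedClassCount: 0,
 classCount: this.fileCount,
-tags: this.tags
+tags: this.tags,
 };
 }
 
@@ -88,15 +89,68 @@ module.exports = class Library {
 );
 }
 
+readdir(path, callback) {
+if (!callback) {
+return new Promise((resolve, reject) => {
+this.readdir(path, (err, data) => {
+if (err) {
+reject(err);
+} else {
+resolve(data);
+}
+});
+});
+}
+
+let list = [];
+
+fs.readdir(path, (err, files) => {
+if (err) {
+return callback(err);
+}
+
+let pending = files.length;
+if (!pending) {
+return callback(null, list);
+}
+
+files.forEach((file) => {
+const filePath = pathModule.join(path, file);
+fs.stat(filePath, (_err, stats) => {
+if (_err) {
+return callback(_err);
+}
+
+if (stats.isDirectory() && !filePath.endsWith('/node_modules')) {
+this.readdir(filePath, (__err, res) => {
+if (__err) {
+return callback(__err);
+}
+
+list = list.concat(res);
+pending -= 1;
+if (!pending) {
+return callback(null, list);
+}
+});
+} else {
+list.push(filePath);
+pending -= 1;
+if (!pending) {
+return callback(null, list);
+}
+}
+});
+});
+});
+}
+
 /**
 * Counts all the valid files in a module directory
 */
 getComposition() {
 // ignore nested node_modules
-return readdir(this._path
-`${this._path}/node_modules/*`,
-`${this._path}/*/node_modules/*`
-])
+return this.readdir(this._path)
 .then((files) => {
 this.fileCount = files.filter((file) =>
 Library.applicableFile(file)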
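--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@contrast/agent",
-"version": "4.15.
+"version": "4.15.1",
 "description": "Node.js security instrumentation by Contrast Security",
 "keywords": [
 "security",
@@ -76,7 +76,7 @@
 "@babel/template": "^7.10.4",
 "@babel/traverse": "^7.12.1",
 "@babel/types": "^7.12.1",
-"@contrast/agent-lib": "^
+"@contrast/agent-lib": "^3.0.0",
 "@contrast/distringuish-prebuilt": "^2.2.0",
 "@contrast/flat": "^4.1.1",
 "@contrast/fn-inspect": "^2.4.4",
@@ -107,7 +107,6 @@
 "parent-package-json": "^2.0.1",
 "parseurl": "^1.3.3",
 "prom-client": "^12.0.0",
-"recursive-readdir": "^2.2.2",
 "semver": "^7.3.2",
 "uuid": "^8.3.2",
 "winston": "^3.1.0",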