@contrast/agent 4.16.1 → 4.17.1

package/bin/VERSION

@@ -1 +1 @@
-2.28.19
+2.28.20

package/esm.mjs

@@ -14,21 +14,22 @@ Copyright: 2022 Contrast Security, Inc
 */
 import { fileURLToPath } from 'url';
 import { createRequire } from 'module';
-const require = createRequire(import.meta.url);
+import { promises as fs } from 'fs';
 
+const require = createRequire(import.meta.url);
 const loader = require('./agent-loader.js');
+
 const { enabled } = await loader.init(process.argv);
 if (enabled) {
   await loader.bootstrap(process.argv);
 }
 await loader.resetArgs(process.argv[0], process.argv[1]);
-const { readFile } = require('fs').promises;
 
-const agent = require(`./lib/agent.js`);
-const logger = require(`./lib/core/logger/index.js`)('contrast:esm-loaders');
-const rewriter = require(`./lib/core/rewrite/index.js`)(agent);
-const helpers = require(`./lib/hooks/module/helpers.js`);
-const getType = require(`./lib/util/get-file-type.js`);
+const agent = require('./lib/agent.js');
+const logger = require('./lib/core/logger/index.js')('contrast:esm-loaders');
+const rewriter = require('./lib/core/rewrite/index.js')(agent);
+const helpers = require('./lib/hooks/module/helpers.js');
+const getType = require('./lib/util/get-file-type.js');
 
 const loadedFromCache = new Set();
 
@@ -46,6 +47,8 @@ const loadedFromCache = new Set();
  * @returns {Promise<{ source: string | SharedArrayBuffer | Uint8Array }>}
  */
 export async function getSource(url, context, defaultGetSource) {
+  if (!enabled) return defaultGetSource(url, context, defaultGetSource);
+
   const filename = fileURLToPath(url);
   logger.debug('getSource %s', filename);
   try {
@@ -78,6 +81,9 @@ export async function getSource(url, context, defaultGetSource) {
  * @returns {Promise<{ source: string | SharedArrayBuffer | Uint8Array }>}
  */
 export async function transformSource(source, context, defaultTransformSource) {
+  if (!enabled)
+    return defaultTransformSource(source, context, defaultTransformSource);
+
   const filename = fileURLToPath(context.url);
   logger.debug('transformSource %s', filename);
   let result;
@@ -99,11 +105,11 @@ export async function transformSource(source, context, defaultTransformSource) {
 }
 
 /**
- * For Node 16 and above, the 'getFormat', 'getSource' and 'transformSource' have been 
+ * For Node 16 and above, the 'getFormat', 'getSource' and 'transformSource' have been
  * consolidated into one 'load' hook. The logic is similar to that of transformSource
  * except that the source is not provided and must be either read in from the file provided
  * or accessed from the cache.
- * 
+ *
  * @see https://nodejs.org/dist/latest-v16.x/docs/api/esm.html#loadurl-context-defaultload
  * @param {string} url
  * @param {{ format: string, url: string }} context
@@ -111,6 +117,8 @@ export async function transformSource(source, context, defaultTransformSource) {
  * @returns {Promise<{ format: string, source: string | SharedArrayBuffer | Uint8Array }>}
  */
 export async function load(url, context, defaultLoad) {
+  if (!enabled) return defaultLoad(url, context, defaultLoad);
+
   const type = getType(url);
 
   if (type === 'builtin' || type === 'unknown') {
@@ -130,8 +138,10 @@ export async function load(url, context, defaultLoad) {
     if (cached) {
       result = { code: cached };
     } else {
-      const source = await readFile(filename, 'utf8');
-      result = rewriter.rewriteFile(source, filename, { sourceType: type === 'commonjs' ? 'script' : 'module' });  
+      const source = await fs.readFile(filename, 'utf8');
+      result = rewriter.rewriteFile(source, filename, {
+        sourceType: type === 'commonjs' ? 'script' : 'module',
+      });
       helpers.cacheWithSourceMap(agent, filename, result);
     }
     return { format: type, source: result.code };

package/lib/assess/policy/propagators.json

@@ -532,6 +532,10 @@
     "v8": {
       "enabled": true,
       "override": "./propagators/v8/init-hooks.js"
+    },
+    "fastify-plugin": {
+      "enabled": true,
+      "override": "./propagators/fastify-static/allowed-path.js"
     }
   }
 }

package/lib/assess/policy/signatures.json

@@ -1367,6 +1367,11 @@
       "moduleName": "Number",
       "methodName": "isNaN",
       "isModule": false
+    },
+    "fastify-static.allowedPath": {
+      "moduleName": "fastify-static",
+      "methodName": "allowedPath",
+      "isModule": false
     }
   }
 }

package/lib/assess/propagators/fastify-static/allowed-path.js

@@ -0,0 +1,85 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const logger = require('../../../core/logger')('contrast:validator:propagator');
+const patcher = require('../../../hooks/patcher');
+const requireHook = require('../../../hooks/require');
+const { PATCH_TYPES } = require('../../../constants');
+const agent = require('../../../agent');
+const tracker = require('../../../tracker');
+const tagRangeUtil = require('../../models/tag-range/util');
+const TagRange = require('../../models/tag-range');
+const { CallContext, PropagationEvent, Signature } = require('../../models');
+
+module.exports.handle = function handle() {
+  requireHook.resolve(
+    { name: 'fastify-plugin', file: 'plugin' },
+    (fastifyPlugin) => (patcher.patch(fastifyPlugin, {
+      name: 'fastify-plugin',
+      patchType: PATCH_TYPES.ASSESS_PROPAGATOR,
+      alwaysRun: true,
+      pre: ({ args }) => {
+        if ((typeof args[0] == 'function') && args[1] && (args[1].name === 'fastify-static')) {
+          const fastifyStatic = args[0];
+
+          args[0] = patcher.patch(fastifyStatic, {
+            name: 'fastify-static',
+            patchType: PATCH_TYPES.ASSESS_PROPAGATOR,
+            alwaysRun: true,
+            pre: ({ args: preArgs }) => {
+              if (preArgs[1] && preArgs[1].allowedPath) {
+                const { allowedPath } = preArgs[1];
+
+                preArgs[1].allowedPath = patcher.patch(allowedPath, {
+                  name: 'allowed-path',
+                  patchType: PATCH_TYPES.ASSESS_PROPAGATOR,
+                  alwaysRun: true,
+                  post: (data) => {
+                    if (data.result && agent.config.assess.trust_custom_validators) {
+                      const trackingData = tracker.getData(data.args[0]);
+
+                      if (trackingData) {
+                        logger.trace('hooking fastify-static/index');
+                        tagRangeUtil.addInPlace(
+                          trackingData.tagRanges,
+                          new TagRange(0, data.args[0].length - 1, 'exclusion:path-traversal')
+                        );
+                        tagRangeUtil.removeInPlace(trackingData.tagRanges, ['untrusted']);
+
+                        const context = new CallContext(data);
+                        const event = new PropagationEvent({
+                          context,
+                          signature: new Signature('fastify-static.allowedPath'),
+                          tagRanges: trackingData.tagRanges,
+                          source: 'O',
+                          target: 'R'
+                        });
+
+                        event.parents.push(trackingData.event);
+                        trackingData.event = event;
+                      }
+                    }
+                  }
+                });
+              }
+            }
+          });
+        }
+      },
+    }))
+
+  );
+};

package/lib/cli-rewriter/index.js

@@ -215,7 +215,7 @@ class CLIRewriter {
 
     const content = await readFile(filename, 'utf8');
     const rewriteData = this.rewriter.rewriteFile(content, filename, {
-      sourceType: type
+      sourceType: type === 'commonjs' ? 'script' : 'module'
     });
 
     if (rewriteData.code) {

package/lib/contrast.js

@@ -223,7 +223,7 @@ contrastAgent.prepare = function(...args) {
     // optionally enable metric collection
     require('./core/metrics').configure(config);
 
-    if (agent.cluster.isPrimary) {
+    if (config.enable && agent.cluster.isPrimary) {
       contrastAgent.showBanner();
     }
 

package/lib/core/rewrite/index.js

@@ -27,7 +27,7 @@ const BinaryExpression = require('./binary-expression');
 const CallExpression = require('./call-expression');
 const CatchClause = require('./catch-clause');
 const functionWrap = require('./function-wrap');
-const ImportDeclaration = require('./import-declaration');
+// const ImportDeclaration = require('./import-declaration');
 const isContrastMethod = require('./is-contrast-method');
 const logRewrite = require('./log');
 const MemberExpression = require('./member-expression');
@@ -106,7 +106,7 @@ class Rewriter {
         BinaryExpression,
         CallExpression,
         CatchClause,
-        ImportDeclaration,
+        // ImportDeclaration, disabled since we're not yet utilizing this.
         MemberExpression,
         ObjectProperty,
         SwitchStatement,

package/lib/protect/rules/cmd-injection/cmdinjection-rule.js

@@ -68,7 +68,7 @@ class CMDInjectionRule extends Rule {
           evalResult = this.agent.agentLib.checkCommandInjectionSink(
             inputIndex,
             input.length,
-            input
+            sinkData,
           );
         }
       } catch (e) {

package/lib/protect/service.js

@@ -202,9 +202,11 @@ class ProtectService {
       headers: req.rawHeaders.map((h, ix) => (ix & 1 ? h : h.toLowerCase()))
     };
 
+    arg.uriPath = req.url;
     const questionMark = req.url.indexOf('?');
     if (questionMark >= 0) {
       arg.queries = req.url.slice(questionMark + 1);
+      arg.uriPath = req.url.slice(0, questionMark);
     }
 
     const findings = this.agentLib.scoreRequestConnect(rules, arg, evalOptions);

package/lib/util/trace-util.js

@@ -46,12 +46,13 @@ function getRequest(agent, ruleId) {
   }
 
   const ruleCount = context.rules[ruleId];
-
   const { sampling } = agent.config.assess;
-  if (sampling && sampling.enable && ruleCount < sampling.baseline) {
-    context.rules[ruleId]++;
-    return request;
+  if (sampling && sampling.enable && ruleCount >= sampling.baseline) {
+    return;
   }
+
+  context.rules[ruleId]++;
+  return request;
 }
 
 /**

package/node_modules/@colors/colors/LICENSE

@@ -0,0 +1,26 @@
+MIT License
+
+Original Library
+  - Copyright (c) Marak Squires
+
+Additional Functionality
+ - Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (sindresorhus.com)
+ - Copyright (c) DABH (https://github.com/DABH)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

package/node_modules/@colors/colors/README.md

@@ -0,0 +1,219 @@
+# @colors/colors ("colors.js")
+[![Build Status](https://github.com/DABH/colors.js/actions/workflows/ci.yml/badge.svg)](https://github.com/DABH/colors.js/actions/workflows/ci.yml)
+[![version](https://img.shields.io/npm/v/@colors/colors.svg)](https://www.npmjs.org/package/@colors/colors)
+
+Please check out the [roadmap](ROADMAP.md) for upcoming features and releases.  Please open Issues to provide feedback.
+
+## get color and style in your node.js console
+
+![Demo](https://raw.githubusercontent.com/DABH/colors.js/master/screenshots/colors.png)
+
+## Installation
+
+    npm install @colors/colors
+
+## colors and styles!
+
+### text colors
+
+  - black
+  - red
+  - green
+  - yellow
+  - blue
+  - magenta
+  - cyan
+  - white
+  - gray
+  - grey
+
+### bright text colors
+
+  - brightRed
+  - brightGreen
+  - brightYellow
+  - brightBlue
+  - brightMagenta
+  - brightCyan
+  - brightWhite
+
+### background colors
+
+  - bgBlack
+  - bgRed
+  - bgGreen
+  - bgYellow
+  - bgBlue
+  - bgMagenta
+  - bgCyan
+  - bgWhite
+  - bgGray
+  - bgGrey
+
+### bright background colors
+
+  - bgBrightRed
+  - bgBrightGreen
+  - bgBrightYellow
+  - bgBrightBlue
+  - bgBrightMagenta
+  - bgBrightCyan
+  - bgBrightWhite
+
+### styles
+
+  - reset
+  - bold
+  - dim
+  - italic
+  - underline
+  - inverse
+  - hidden
+  - strikethrough
+
+### extras
+
+  - rainbow
+  - zebra
+  - america
+  - trap
+  - random
+
+
+## Usage
+
+By popular demand, `@colors/colors` now ships with two types of usages!
+
+The super nifty way
+
+```js
+var colors = require('@colors/colors');
+
+console.log('hello'.green); // outputs green text
+console.log('i like cake and pies'.underline.red); // outputs red underlined text
+console.log('inverse the color'.inverse); // inverses the color
+console.log('OMG Rainbows!'.rainbow); // rainbow
+console.log('Run the trap'.trap); // Drops the bass
+
+```
+
+or a slightly less nifty way which doesn't extend `String.prototype`
+
+```js
+var colors = require('@colors/colors/safe');
+
+console.log(colors.green('hello')); // outputs green text
+console.log(colors.red.underline('i like cake and pies')); // outputs red underlined text
+console.log(colors.inverse('inverse the color')); // inverses the color
+console.log(colors.rainbow('OMG Rainbows!')); // rainbow
+console.log(colors.trap('Run the trap')); // Drops the bass
+
+```
+
+I prefer the first way. Some people seem to be afraid of extending `String.prototype` and prefer the second way. 
+
+If you are writing good code you will never have an issue with the first approach. If you really don't want to touch `String.prototype`, the second usage will not touch `String` native object.
+
+## Enabling/Disabling Colors
+
+The package will auto-detect whether your terminal can use colors and enable/disable accordingly. When colors are disabled, the color functions do nothing. You can override this with a command-line flag:
+
+```bash
+node myapp.js --no-color
+node myapp.js --color=false
+
+node myapp.js --color
+node myapp.js --color=true
+node myapp.js --color=always
+
+FORCE_COLOR=1 node myapp.js
+```
+
+Or in code:
+
+```javascript
+var colors = require('@colors/colors');
+colors.enable();
+colors.disable();
+```
+
+## Console.log [string substitution](http://nodejs.org/docs/latest/api/console.html#console_console_log_data)
+
+```js
+var name = 'Beowulf';
+console.log(colors.green('Hello %s'), name);
+// outputs -> 'Hello Beowulf'
+```
+
+## Custom themes
+
+### Using standard API
+
+```js
+
+var colors = require('@colors/colors');
+
+colors.setTheme({
+  silly: 'rainbow',
+  input: 'grey',
+  verbose: 'cyan',
+  prompt: 'grey',
+  info: 'green',
+  data: 'grey',
+  help: 'cyan',
+  warn: 'yellow',
+  debug: 'blue',
+  error: 'red'
+});
+
+// outputs red text
+console.log("this is an error".error);
+
+// outputs yellow text
+console.log("this is a warning".warn);
+```
+
+### Using string safe API
+
+```js
+var colors = require('@colors/colors/safe');
+
+// set single property
+var error = colors.red;
+error('this is red');
+
+// set theme
+colors.setTheme({
+  silly: 'rainbow',
+  input: 'grey',
+  verbose: 'cyan',
+  prompt: 'grey',
+  info: 'green',
+  data: 'grey',
+  help: 'cyan',
+  warn: 'yellow',
+  debug: 'blue',
+  error: 'red'
+});
+
+// outputs red text
+console.log(colors.error("this is an error"));
+
+// outputs yellow text
+console.log(colors.warn("this is a warning"));
+
+```
+
+### Combining Colors
+
+```javascript
+var colors = require('@colors/colors');
+
+colors.setTheme({
+  custom: ['red', 'underline']
+});
+
+console.log('test'.custom);
+```
+
+*Protip: There is a secret undocumented style in `colors`. If you find the style you can summon him.*

package/node_modules/@colors/colors/examples/normal-usage.js

@@ -0,0 +1,83 @@
+var colors = require('../lib/index');
+
+console.log('First some yellow text'.yellow);
+
+console.log('Underline that text'.yellow.underline);
+
+console.log('Make it bold and red'.red.bold);
+
+console.log(('Double Raindows All Day Long').rainbow);
+
+console.log('Drop the bass'.trap);
+
+console.log('DROP THE RAINBOW BASS'.trap.rainbow);
+
+// styles not widely supported
+console.log('Chains are also cool.'.bold.italic.underline.red);
+
+// styles not widely supported
+console.log('So '.green + 'are'.underline + ' ' + 'inverse'.inverse
+  + ' styles! '.yellow.bold);
+console.log('Zebras are so fun!'.zebra);
+
+//
+// Remark: .strikethrough may not work with Mac OS Terminal App
+//
+console.log('This is ' + 'not'.strikethrough + ' fun.');
+
+console.log('Background color attack!'.black.bgWhite);
+console.log('Use random styles on everything!'.random);
+console.log('America, Heck Yeah!'.america);
+
+// eslint-disable-next-line max-len
+console.log('Blindingly '.brightCyan + 'bright? '.brightRed + 'Why '.brightYellow + 'not?!'.brightGreen);
+
+console.log('Setting themes is useful');
+
+//
+// Custom themes
+//
+console.log('Generic logging theme as JSON'.green.bold.underline);
+// Load theme with JSON literal
+colors.setTheme({
+  silly: 'rainbow',
+  input: 'grey',
+  verbose: 'cyan',
+  prompt: 'grey',
+  info: 'green',
+  data: 'grey',
+  help: 'cyan',
+  warn: 'yellow',
+  debug: 'blue',
+  error: 'red',
+});
+
+// outputs red text
+console.log('this is an error'.error);
+
+// outputs yellow text
+console.log('this is a warning'.warn);
+
+// outputs grey text
+console.log('this is an input'.input);
+
+console.log('Generic logging theme as file'.green.bold.underline);
+
+// Load a theme from file
+try {
+  colors.setTheme(require(__dirname + '/../themes/generic-logging.js'));
+} catch (err) {
+  console.log(err);
+}
+
+// outputs red text
+console.log('this is an error'.error);
+
+// outputs yellow text
+console.log('this is a warning'.warn);
+
+// outputs grey text
+console.log('this is an input'.input);
+
+// console.log("Don't summon".zalgo)
+