@contrast/agent 4.16.2 → 4.18.0

package/esm.mjs

@@ -14,21 +14,22 @@ Copyright: 2022 Contrast Security, Inc
 */
 import { fileURLToPath } from 'url';
 import { createRequire } from 'module';
-const require = createRequire(import.meta.url);
+import { promises as fs } from 'fs';
 
+const require = createRequire(import.meta.url);
 const loader = require('./agent-loader.js');
+
 const { enabled } = await loader.init(process.argv);
 if (enabled) {
   await loader.bootstrap(process.argv);
 }
 await loader.resetArgs(process.argv[0], process.argv[1]);
-const { readFile } = require('fs').promises;
 
-const agent = require(`./lib/agent.js`);
-const logger = require(`./lib/core/logger/index.js`)('contrast:esm-loaders');
-const rewriter = require(`./lib/core/rewrite/index.js`)(agent);
-const helpers = require(`./lib/hooks/module/helpers.js`);
-const getType = require(`./lib/util/get-file-type.js`);
+const agent = require('./lib/agent.js');
+const logger = require('./lib/core/logger/index.js')('contrast:esm-loaders');
+const rewriter = require('./lib/core/rewrite/index.js')(agent);
+const helpers = require('./lib/hooks/module/helpers.js');
+const getType = require('./lib/util/get-file-type.js');
 
 const loadedFromCache = new Set();
 
@@ -46,6 +47,8 @@ const loadedFromCache = new Set();
  * @returns {Promise<{ source: string | SharedArrayBuffer | Uint8Array }>}
  */
 export async function getSource(url, context, defaultGetSource) {
+  if (!enabled) return defaultGetSource(url, context, defaultGetSource);
+
   const filename = fileURLToPath(url);
   logger.debug('getSource %s', filename);
   try {
@@ -78,6 +81,9 @@ export async function getSource(url, context, defaultGetSource) {
  * @returns {Promise<{ source: string | SharedArrayBuffer | Uint8Array }>}
  */
 export async function transformSource(source, context, defaultTransformSource) {
+  if (!enabled)
+    return defaultTransformSource(source, context, defaultTransformSource);
+
   const filename = fileURLToPath(context.url);
   logger.debug('transformSource %s', filename);
   let result;
@@ -99,11 +105,11 @@ export async function transformSource(source, context, defaultTransformSource) {
 }
 
 /**
- * For Node 16 and above, the 'getFormat', 'getSource' and 'transformSource' have been 
+ * For Node 16 and above, the 'getFormat', 'getSource' and 'transformSource' have been
  * consolidated into one 'load' hook. The logic is similar to that of transformSource
  * except that the source is not provided and must be either read in from the file provided
  * or accessed from the cache.
- * 
+ *
  * @see https://nodejs.org/dist/latest-v16.x/docs/api/esm.html#loadurl-context-defaultload
  * @param {string} url
  * @param {{ format: string, url: string }} context
@@ -111,6 +117,8 @@ export async function transformSource(source, context, defaultTransformSource) {
  * @returns {Promise<{ format: string, source: string | SharedArrayBuffer | Uint8Array }>}
  */
 export async function load(url, context, defaultLoad) {
+  if (!enabled) return defaultLoad(url, context, defaultLoad);
+
   const type = getType(url);
 
   if (type === 'builtin' || type === 'unknown') {
@@ -130,8 +138,10 @@ export async function load(url, context, defaultLoad) {
     if (cached) {
       result = { code: cached };
     } else {
-      const source = await readFile(filename, 'utf8');
-      result = rewriter.rewriteFile(source, filename, { sourceType: type === 'commonjs' ? 'script' : 'module' });  
+      const source = await fs.readFile(filename, 'utf8');
+      result = rewriter.rewriteFile(source, filename, {
+        sourceType: type === 'commonjs' ? 'script' : 'module',
+      });
       helpers.cacheWithSourceMap(agent, filename, result);
     }
     return { format: type, source: result.code };

package/lib/assess/policy/propagators.json

@@ -532,6 +532,10 @@
     "v8": {
       "enabled": true,
       "override": "./propagators/v8/init-hooks.js"
+    },
+    "fastify-plugin": {
+      "enabled": true,
+      "override": "./propagators/fastify-static/allowed-path.js"
     }
   }
 }

package/lib/assess/policy/signatures.json

@@ -1367,6 +1367,11 @@
       "moduleName": "Number",
       "methodName": "isNaN",
       "isModule": false
+    },
+    "fastify-static.allowedPath": {
+      "moduleName": "fastify-static",
+      "methodName": "allowedPath",
+      "isModule": false
     }
   }
 }

package/lib/assess/propagators/fastify-static/allowed-path.js

@@ -0,0 +1,85 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const logger = require('../../../core/logger')('contrast:validator:propagator');
+const patcher = require('../../../hooks/patcher');
+const requireHook = require('../../../hooks/require');
+const { PATCH_TYPES } = require('../../../constants');
+const agent = require('../../../agent');
+const tracker = require('../../../tracker');
+const tagRangeUtil = require('../../models/tag-range/util');
+const TagRange = require('../../models/tag-range');
+const { CallContext, PropagationEvent, Signature } = require('../../models');
+
+module.exports.handle = function handle() {
+  requireHook.resolve(
+    { name: 'fastify-plugin', file: 'plugin' },
+    (fastifyPlugin) => (patcher.patch(fastifyPlugin, {
+      name: 'fastify-plugin',
+      patchType: PATCH_TYPES.ASSESS_PROPAGATOR,
+      alwaysRun: true,
+      pre: ({ args }) => {
+        if ((typeof args[0] == 'function') && args[1] && (args[1].name === 'fastify-static')) {
+          const fastifyStatic = args[0];
+
+          args[0] = patcher.patch(fastifyStatic, {
+            name: 'fastify-static',
+            patchType: PATCH_TYPES.ASSESS_PROPAGATOR,
+            alwaysRun: true,
+            pre: ({ args: preArgs }) => {
+              if (preArgs[1] && preArgs[1].allowedPath) {
+                const { allowedPath } = preArgs[1];
+
+                preArgs[1].allowedPath = patcher.patch(allowedPath, {
+                  name: 'allowed-path',
+                  patchType: PATCH_TYPES.ASSESS_PROPAGATOR,
+                  alwaysRun: true,
+                  post: (data) => {
+                    if (data.result && agent.config.assess.trust_custom_validators) {
+                      const trackingData = tracker.getData(data.args[0]);
+
+                      if (trackingData) {
+                        logger.trace('hooking fastify-static/index');
+                        tagRangeUtil.addInPlace(
+                          trackingData.tagRanges,
+                          new TagRange(0, data.args[0].length - 1, 'exclusion:path-traversal')
+                        );
+                        tagRangeUtil.removeInPlace(trackingData.tagRanges, ['untrusted']);
+
+                        const context = new CallContext(data);
+                        const event = new PropagationEvent({
+                          context,
+                          signature: new Signature('fastify-static.allowedPath'),
+                          tagRanges: trackingData.tagRanges,
+                          source: 'O',
+                          target: 'R'
+                        });
+
+                        event.parents.push(trackingData.event);
+                        trackingData.event = event;
+                      }
+                    }
+                  }
+                });
+              }
+            }
+          });
+        }
+      },
+    }))
+
+  );
+};

package/lib/assess/sources/index.js

@@ -55,6 +55,25 @@ sources.track = function(type, parent, key, membrane) {
   parent[key] = membrane.wrap(object, metadata);
 };
 
+/**
+ * Chooses a strategy for tracking the source events
+ * @param {any} config Current configuration for the agent
+ * @param {Logger} logger A logger instance
+ * @returns {Boolean} whether lazy tracking is enabled or not
+ */
+sources.getLazyTrackingConfig = function(config, logger) {
+  if (config._default['agent.traverse_and_track']) {
+    return config.assess.enable_lazy_tracking;
+  }
+  if (config._default['assess.enable_lazy_tracking']) {
+    logger.error('agent.traverse_and_track option is deprecated. Please use assess.enable_lazy_tracking from now on. It\'s value should be the opposite of this one');
+    return !config.agent.traverse_and_track;
+  }
+
+  logger.error('Conflicting options set: `agent.traverse_and_track` and `assess.enable_lazy_tracking`. `agent.traverse_and_track` is deprecated, so `assess.enable_lazy_tracking` takes precedence');
+  return config.assess.enable_lazy_tracking;
+};
+
 /**
  * Registers an event to add URL and input exclusions to async storage if they
  * pertain to the current request path. Also registers all the source events
@@ -62,8 +81,10 @@ sources.track = function(type, parent, key, membrane) {
  * object in a membrane
  */
 sources.registerListeners = function({ config, exclusions }) {
+  const isLazyTrackingEnabled = sources.getLazyTrackingConfig(config, logger);
+
   agentEmitter.on('assess.body', (obj, prop) => {
-    if (!config.agent.traverse_and_track) {
+    if (isLazyTrackingEnabled) {
       return sources.handleSourceEvent(config, exclusions, BODY, obj, prop);
     }
 
@@ -77,7 +98,7 @@ sources.registerListeners = function({ config, exclusions }) {
     });
   });
   agentEmitter.on('assess.headers', (obj, prop) => {
-    if (!config.agent.traverse_and_track) {
+    if (isLazyTrackingEnabled) {
       return sources.handleSourceEvent(config, exclusions, HEADER, obj, prop);
     }
 
@@ -89,7 +110,7 @@ sources.registerListeners = function({ config, exclusions }) {
     });
   });
   agentEmitter.on('assess.params', (obj, prop) => {
-    if (!config.agent.traverse_and_track) {
+    if (isLazyTrackingEnabled) {
       return sources.handleSourceEvent(
         config,
         exclusions,
@@ -107,7 +128,7 @@ sources.registerListeners = function({ config, exclusions }) {
     });
   });
   agentEmitter.on('assess.query', (obj, prop) => {
-    if (!config.agent.traverse_and_track) {
+    if (isLazyTrackingEnabled) {
       return sources.handleSourceEvent(
         config,
         exclusions,
@@ -126,7 +147,7 @@ sources.registerListeners = function({ config, exclusions }) {
   });
 
   agentEmitter.on('assess.cookies', (obj, prop) => {
-    if (!config.agent.traverse_and_track) {
+    if (isLazyTrackingEnabled) {
       return sources.handleSourceEvent(config, exclusions, COOKIE, obj, prop);
     }
 

package/lib/cli-rewriter/index.js

@@ -215,7 +215,7 @@ class CLIRewriter {
 
     const content = await readFile(filename, 'utf8');
     const rewriteData = this.rewriter.rewriteFile(content, filename, {
-      sourceType: type
+      sourceType: type === 'commonjs' ? 'script' : 'module'
     });
 
     if (rewriteData.code) {

package/lib/contrast.js

@@ -223,7 +223,7 @@ contrastAgent.prepare = function(...args) {
     // optionally enable metric collection
     require('./core/metrics').configure(config);
 
-    if (agent.cluster.isPrimary) {
+    if (config.enable && agent.cluster.isPrimary) {
       contrastAgent.showBanner();
     }
 

package/lib/core/config/options.js

@@ -476,7 +476,13 @@ const agent = [
     name: 'agent.traverse_and_track',
     arg: '<traverse-and-track>',
     default: false,
-    desc: 'source membrane alternative',
+    fn: (val, logger) => {
+      if (val) {
+        logger.error('agent.traverse_and_track option is deprecated. Please use assess.enable_lazy_tracking from now on. It\'s value should be the opposite of this one');
+      }
+      return val;
+    },
+    desc: 'source membrane alternative (DEPRECATED)',
   },
   {
     name: 'agent.polling.app_activity_ms',
@@ -747,6 +753,13 @@ const assess = [
     arg: '<tags>',
     desc: 'comma-separated list of tags to apply to each application vulnerability reported by the agent',
   },
+  {
+    name: 'assess.enable_lazy_tracking',
+    arg: '[true]',
+    default: true,
+    fn: castBoolean,
+    desc: 'When set to `false` won\'t track the source events lazily but will track the first up to 250 source events',
+  },
 ];
 
 const protect = [

package/lib/core/config/util.js

@@ -72,8 +72,8 @@ class Config {
         assess: {},
         protect: {},
         server: {},
-        dev: {}
-      }
+        dev: {},
+      },
     };
   }
 
@@ -146,9 +146,10 @@ class Config {
  * @return {string|void} path, if valid
  */
 function checkConfigPath() {
-  const configDir = os.platform() === 'win32'
-    ? `${process.env['ProgramData']}\\contrast`
-    : '/etc/contrast';
+  const configDir =
+    os.platform() === 'win32'
+      ? `${process.env['ProgramData']}\\contrast`
+      : '/etc/contrast';
 
   for (const dir of [process.cwd(), configDir]) {
     const checkPath = path.resolve(dir, 'contrast_security.yaml');
@@ -159,7 +160,6 @@ function checkConfigPath() {
   return;
 }
 
-
 /**
  * @param {Object} cliOptions
  * @param {string} cliOptions.script
@@ -202,7 +202,7 @@ function readConfig(cliOptions, logger) {
     // parse yaml and JSON separately.
     try {
       config = yaml.parse(fileContents, {
-        prettyErrors: true
+        prettyErrors: true,
       });
     } catch (e) {
       logger.error(
@@ -264,7 +264,7 @@ function mergeCliOptions(cliOptions, logger) {
       enum: optEnum,
       fn = _.identity,
       name,
-      required
+      required,
     } = option;
 
     const env = process.env[option.env];
@@ -294,7 +294,7 @@ function mergeCliOptions(cliOptions, logger) {
     // set from default
     if (value === undefined) {
       if (required) {
-        logger.error('Missing required option \'%s\'', name);
+        logger.error("Missing required option '%s'", name);
         return options;
       }
 
@@ -307,10 +307,38 @@ function mergeCliOptions(cliOptions, logger) {
   }, new Config());
 }
 
+/**
+ * When you run an appliaction with pm2 on cluster mode, pm2 attaches the
+ * process.env to a property pm2_env(only for the agent since we start it with -r flag), so
+ * the function checks if there is pm2_env property and merge contrast
+ * related properties to process.env
+ */
+function mergePM2Envs() {
+  if (!process.env.pm2_env) return;
+
+  const pm2_env = JSON.parse(process.env.pm2_env);
+
+  const contrastEnvs = ['DEBUG', 'PGHOST', 'PGPORT'];
+  const objectEntries = Object.entries(pm2_env.env)
+    .concat(Object.entries(pm2_env))
+    .concat(['DEBUG', 'PGHOST', 'PGPORT']);
+
+  objectEntries.forEach(([key, value]) => {
+    if (
+      !process.env[key] &&
+      (key.toLocaleLowerCase().includes('contrast') ||
+        contrastEnvs.includes(key))
+    ) {
+      process.env[key] = value;
+    }
+  });
+}
+
 util.Config = Config;
 util.setup = function setup(cliOptions, logger) {
-  const mergedCliOptions = mergeCliOptions(cliOptions, logger);
+  mergePM2Envs();
 
+  const mergedCliOptions = mergeCliOptions(cliOptions, logger);
   mergedCliOptions.script = cliOptions.script;
   mergedCliOptions.configFile = cliOptions.configFile;
   mergedCliOptions.validate();
@@ -323,7 +351,7 @@ util.logConfig = function logConfig(mergedConfig, logger) {
     'Current Configuration: %s',
     stringify(mergedConfig._flat, {
       replacer: (k, v) => (v == undefined ? null : v),
-      space: 2
+      space: 2,
     })
   );
 };

package/lib/core/rewrite/index.js

@@ -27,7 +27,7 @@ const BinaryExpression = require('./binary-expression');
 const CallExpression = require('./call-expression');
 const CatchClause = require('./catch-clause');
 const functionWrap = require('./function-wrap');
-const ImportDeclaration = require('./import-declaration');
+// const ImportDeclaration = require('./import-declaration');
 const isContrastMethod = require('./is-contrast-method');
 const logRewrite = require('./log');
 const MemberExpression = require('./member-expression');
@@ -106,7 +106,7 @@ class Rewriter {
         BinaryExpression,
         CallExpression,
         CatchClause,
-        ImportDeclaration,
+        // ImportDeclaration, disabled since we're not yet utilizing this.
         MemberExpression,
         ObjectProperty,
         SwitchStatement,

package/lib/protect/service.js

@@ -202,9 +202,11 @@ class ProtectService {
       headers: req.rawHeaders.map((h, ix) => (ix & 1 ? h : h.toLowerCase()))
     };
 
+    arg.uriPath = req.url;
     const questionMark = req.url.indexOf('?');
     if (questionMark >= 0) {
       arg.queries = req.url.slice(questionMark + 1);
+      arg.uriPath = req.url.slice(0, questionMark);
     }
 
     const findings = this.agentLib.scoreRequestConnect(rules, arg, evalOptions);

package/lib/util/trace-util.js

@@ -46,12 +46,13 @@ function getRequest(agent, ruleId) {
   }
 
   const ruleCount = context.rules[ruleId];
-
   const { sampling } = agent.config.assess;
-  if (sampling && sampling.enable && ruleCount < sampling.baseline) {
-    context.rules[ruleId]++;
-    return request;
+  if (sampling && sampling.enable && ruleCount >= sampling.baseline) {
+    return;
   }
+
+  context.rules[ruleId]++;
+  return request;
 }
 
 /**

package/node_modules/@colors/colors/LICENSE

@@ -0,0 +1,26 @@
+MIT License
+
+Original Library
+  - Copyright (c) Marak Squires
+
+Additional Functionality
+ - Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (sindresorhus.com)
+ - Copyright (c) DABH (https://github.com/DABH)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.