@contrast/agent 4.17.0 → 4.19.0

package/changelog.config.js

@@ -0,0 +1,56 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+module.exports = {
+  jira: {
+    baseUrl: `https://${process.env.JIRA_HOST}`,
+    ticketIDPattern: /(NODE+-?[0-9]{4})/i,
+    excludeIssueTypes: ['Sub-task', 'Release'],
+    api: {
+      host: process.env.JIRA_HOST,
+      email: process.env.JIRA_EMAIL,
+      token: process.env.JIRA_TOKEN
+    }
+  },
+  hideEmptyBlocks: true,
+  template: `## v<%= process.env.VERSION -%>
+
+<% blockTickets = tickets.all.filter((t) => !t.reverted); -%>
+<% if (blockTickets.length > 0 || !options.hideEmptyBlocks) { -%>
+### Jira Tickets
+---------------------
+<% blockTickets.forEach(ticket => { -%>
+  * <<%= ticket.fields.issuetype.name %>> - <%- ticket.fields.summary %>
+    [<%= ticket.key %>](<%= jira.baseUrl + '/browse/' + ticket.key %>)
+<% }); -%>
+<% if (!blockTickets.length) {%> ~ None ~ <% } %>
+<% } -%>
+<% blockNoTickets = commits.noTickets; -%>
+<% if (blockNoTickets.length > 0 || !options.hideEmptyBlocks) { -%>
+
+### Other Commits
+---------------------
+<% blockNoTickets.forEach(commit => { -%>
+  * <%= commit.slackUser ? '@'+commit.slackUser.name : commit.authorName %> - <<%= commit.revision.substr(0, 7) %>> - <%= commit.summary %>
+<% }); -%>
+<% if (!blockNoTickets.length) {%> ~ None ~ <% } %>
+<% } -%>
+<% blockPendingByOwner = tickets.pendingByOwner; -%>
+<% if (blockPendingByOwner.length > 0 || !options.hideEmptyBlocks) { -%>
+<% } -%>
+--------------------
+`
+};

package/lib/assess/propagators/joi/index.js

@@ -15,6 +15,7 @@ Copyright: 2022 Contrast Security, Inc
 'use strict';
 
 module.exports.handle = function() {
+  require('./keys');
   require('./boolean');
   require('./number');
   require('./values');

package/lib/assess/propagators/joi/keys.js

@@ -0,0 +1,72 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const patcher = require('../../../hooks/patcher');
+const requireHook = require('../../../hooks/require');
+const {
+  PATCH_TYPES: { ASSESS_PROPAGATOR },
+} = require('../../../constants');
+const { isObject } = require('../utils');
+
+requireHook.resolve(
+  { name: 'joi', file: 'lib/types/keys.js', version: '>=17.0.0' },
+  (joi) => {
+    patcher.patch(joi.__proto__, 'keys', {
+      name: 'joi.keys',
+      alwaysRun: true,
+      patchType: ASSESS_PROPAGATOR,
+      pre(data) {
+        if (!data || !data.args) return;
+        const value = data.args[0];
+        if (value) {
+          traverseObject(data.obj.$_root, value, value);
+        }
+      },
+    });
+  }
+);
+
+const traverseObject = (joi, currentValue, originalInput, currentPath = []) => {
+  if (joi.isSchema(currentValue) || joi.isExpression(currentValue)) return;
+  if (joi.isRef(currentValue)) {
+    const referenceInstance = currentValue;
+
+    const targetSchemaInstace = currentValue.path.reduce(
+      (acc, value) => acc[value] || acc,
+      originalInput
+    );
+
+    if (!targetSchemaInstace) return;
+
+    if (!targetSchemaInstace.__CONTRAST__) {
+      Object.defineProperty(targetSchemaInstace, '__CONTRAST__', {
+        enumerable: false,
+        configurable: true,
+        value: {
+          refInstances: {},
+        },
+        writable: true,
+      });
+    }
+
+    targetSchemaInstace.__CONTRAST__.refInstances[currentPath.join('.')] = referenceInstance;
+  }
+
+  if (isObject(currentValue)) {
+    for (const [objKey, objValue] of Object.entries(currentValue)) {
+      traverseObject(joi, objValue, originalInput, [...currentPath, objKey]);
+    }
+  }
+};

package/lib/assess/propagators/joi/string-base.js

@@ -25,6 +25,7 @@ const { PropagationEvent, Signature, CallContext } = require('../../models');
 const TagRange = require('../../models/tag-range');
 const tagRangeUtil = require('../../models/tag-range/util');
 const agent = require('../../../agent');
+const { setProxyTaggedString, getContrastData } = require('../utils');
 
 const areThereRules = (obj) =>
   obj &&
@@ -43,7 +44,35 @@ function instrumentJoiString(string) {
       name: 'joi.string.validate',
       patchType: ASSESS_PROPAGATOR,
       post(data) {
-        const trackingData = tracker.getData(data.args[0]);
+        const input = data.args[0];
+        const contrastData = getContrastData(data);
+        const doesSchemaHaveReferences = !!contrastData;
+
+        let trackingData = tracker.getData(input);
+
+        if (!trackingData && !data.result && doesSchemaHaveReferences) {
+          const proxyTaggedString = setProxyTaggedString(
+            contrastData,
+            input,
+            tracker
+          );
+
+          trackingData = tracker.getData(proxyTaggedString);
+
+          Object.values(contrastData.refInstances).forEach(
+            (referenceInstance) => {
+              Object.defineProperty(referenceInstance, '__CONTRAST__', {
+                enumerable: false,
+                configurable: true,
+                value: {
+                  proxyTaggedString,
+                },
+                writable: true,
+              });
+            }
+          );
+        }
+
         if (
           areThereRules(data.args[1]) &&
           data.args[1].schema._rules.find((rule) => rule.name === 'pattern') &&
@@ -51,11 +80,11 @@ function instrumentJoiString(string) {
         )
           return;
 
-        if (data.result === undefined && trackingData) {
+        if (!data.result && trackingData) {
           const { event } = trackingData;
           trackingData.tagRanges = tagRangeUtil.add(
             trackingData.tagRanges,
-            new TagRange(0, data.args[0].length - 1, 'string-type-checked')
+            new TagRange(0, input.length - 1, 'string-type-checked')
           );
           trackingData.event = new PropagationEvent({
             context: new CallContext(data),

package/lib/assess/propagators/joi/string-schema.js

@@ -18,12 +18,13 @@ const _ = require('lodash');
 const requireHook = require('../../../hooks/require');
 const patcher = require('../../../hooks/patcher');
 const {
-  PATCH_TYPES: { ASSESS_PROPAGATOR }
+  PATCH_TYPES: { ASSESS_PROPAGATOR },
 } = require('../../../constants');
 const { PropagationEvent, Signature, CallContext } = require('../../models');
 const TagRange = require('../../models/tag-range');
 const tagRangeUtil = require('../../models/tag-range/util');
 const tracker = require('../../../tracker');
+const { setProxyTaggedString, getContrastData } = require('../utils');
 
 const VALIDATORS = {
   base64: 'alphanum-space-hyphen',
@@ -36,7 +37,7 @@ const VALIDATORS = {
   creditCard: 'limited-chars',
   ip: 'limited-chars',
   hostname: 'alphanum-space-hyphen',
-  domain: 'alphanum-space-hyphen'
+  domain: 'alphanum-space-hyphen',
 };
 
 requireHook.resolve(
@@ -96,12 +97,12 @@ function reTrackCoercedValue(coerce, rule) {
           trackedArgsData: argContrastProperties,
           tagRanges: tracked.props.tagRanges,
           target: 'R',
-          joiMethod: rule
+          joiMethod: rule,
         });
 
         data.result = { value: tracked.str };
       }
-    }
+    },
   });
 }
 
@@ -119,27 +120,53 @@ function wrapRuleAsValidator(rules, rule, tagName) {
       }
 
       const argContrastProperties = tracker.getData(args[0]);
-      if (!argContrastProperties) {
+
+      const contrastData = getContrastData(data);
+      const doesSchemaHaveReferences = !!contrastData;
+
+      if (!argContrastProperties && !doesSchemaHaveReferences) {
         return;
       }
 
-      const strContrastProperties = tracker.getData(result);
+      let trackingData = tracker.getData(result);
+
+      if (!trackingData && doesSchemaHaveReferences) {
+        const proxyTaggedString = setProxyTaggedString(
+          contrastData,
+          result,
+          tracker
+        );
+        trackingData = tracker.getData(proxyTaggedString);
+
+        Object.values(contrastData.refInstances).forEach(
+          (referenceInstance) => {
+            Object.defineProperty(referenceInstance, '__CONTRAST__', {
+              enumerable: false,
+              configurable: true,
+              value: {
+                proxyTaggedString,
+              },
+              writable: true,
+            });
+          }
+        );
+      }
 
-      if (strContrastProperties) {
-        strContrastProperties.tagRanges = tagRangeUtil.add(
-          strContrastProperties.tagRanges,
+      if (trackingData) {
+        trackingData.tagRanges = tagRangeUtil.add(
+          trackingData.tagRanges,
           new TagRange(0, result.length - 1, tagName)
         );
 
-        strContrastProperties.event = createPropagationEvent({
+        trackingData.event = createPropagationEvent({
           data,
-          trackedArgsData: argContrastProperties,
-          tagRanges: strContrastProperties.tagRanges,
+          trackedArgsData: trackingData,
+          tagRanges: trackingData.tagRanges,
           target: 'A',
-          joiMethod: rule
+          joiMethod: rule,
         });
       }
-    }
+    },
   });
 }
 
@@ -148,7 +175,7 @@ function createPropagationEvent({
   trackedArgsData,
   tagRanges,
   target,
-  joiMethod
+  joiMethod,
 }) {
   const { event: lastEvent } = trackedArgsData;
 
@@ -160,7 +187,7 @@ function createPropagationEvent({
     signature,
     tagRanges,
     source: 'P',
-    target
+    target,
   });
 
   event.parents.push(lastEvent);

package/lib/assess/propagators/joi/values.js

@@ -18,7 +18,7 @@ const _ = require('lodash');
 const requireHook = require('../../../hooks/require');
 const patcher = require('../../../hooks/patcher');
 const {
-  PATCH_TYPES: { ASSESS_PROPAGATOR }
+  PATCH_TYPES: { ASSESS_PROPAGATOR },
 } = require('../../../constants');
 const tracker = require('../../../tracker');
 const tagRangeUtil = require('../../models/tag-range/util');
@@ -41,9 +41,9 @@ function instrumentJoiValues(values) {
     name: 'joi.values',
     patchType: ASSESS_PROPAGATOR,
     post(data) {
-      let {
+      const {
         args: [value],
-        result
+        result,
       } = data;
 
       // value not found during lookup
@@ -52,12 +52,21 @@ function instrumentJoiValues(values) {
       }
 
       if (result.ref) {
-        handler(result.value, value, data);
+        const resultValue = result.ref.__CONTRAST__
+          ? result.ref.__CONTRAST__.proxyTaggedString
+          : result.value;
+
+        handler(resultValue, value, data);
+
+        if (result.ref.__CONTRAST__) {
+          delete result.ref.__CONTRAST__;
+        }
+
       } else if (_.isString(result.value)) {
         // use case is .valid() - safe
         result.value = tracker.untrack(result.value) || result.value;
       }
-    }
+    },
   });
 }
 
@@ -118,7 +127,7 @@ function getRefHandler(resolvedTrackData, refTrackData) {
  */
 function handleTargetOnlyTracked(data, resolvedTrackData, refTrackData) {
   const {
-    args: [value]
+    args: [value],
   } = data;
   data.result.value = toUntrackedString(value);
 }
@@ -131,9 +140,10 @@ function handleTargetOnlyTracked(data, resolvedTrackData, refTrackData) {
  * @param {object} refTrackData tracking data for reference value
  */
 function handleBothTracked(data, resolvedTrackData, refTrackData) {
-  let {
-    args: [value, , prefs],
-    result
+  let value = data.args[0];
+  const {
+    args: [, , prefs],
+    result,
   } = data;
 
   // We can't reliably validate values that get adjusted
@@ -160,9 +170,10 @@ function handleBothTracked(data, resolvedTrackData, refTrackData) {
  * @param {object} refTrackData tracking data for reference value
  */
 function handleRefOnlyTracked(data, resolvedTrackData, refTrackData) {
-  let {
-    args: [value, , prefs],
-    result
+  let value = data.args[0];
+  const {
+    args: [, , prefs],
+    result,
   } = data;
 
   if (prefs.convert) {
@@ -221,7 +232,7 @@ function copyValidationHistory(targetTrackData, refTrackData) {
  */
 function buildEventsAndTagsToReplay(joiEvents) {
   const hist = [];
-  const tagRangesSeen = new WeakSet(_.get(joiEvents, `0.parents.0.tagRanges`));
+  const tagRangesSeen = new WeakSet(_.get(joiEvents, '0.parents.0.tagRanges'));
 
   for (const event of joiEvents) {
     const newEventRanges = [];
@@ -239,7 +250,7 @@ function buildEventsAndTagsToReplay(joiEvents) {
     if (newEventRanges.length) {
       hist.push({
         event,
-        tagRanges: newEventRanges
+        tagRanges: newEventRanges,
       });
     }
   }

package/lib/assess/propagators/utils.js

@@ -12,6 +12,8 @@ Copyright: 2022 Contrast Security, Inc
   engineered, modified, repackaged, sold, redistributed or otherwise used in a
   way not consistent with the End User License Agreement.
 */
+'use strict';
+
 /**
  * Propagation Utility
  *
@@ -41,7 +43,7 @@ function deepOrigValue(val, max = 10) {
   function walk(item, depth) {
     if (Array.isArray(item) && depth < max) {
       depth++;
-      return item.map(function(item) {
+      return item.map(function (item) {
         return walk(item, depth);
       });
     }
@@ -94,18 +96,53 @@ function getArgValue({ arg, inclusive, allowNegatives = true, sourceLength }) {
  */
 function sortParamTypes(params, args, sourceLength) {
   const paramTypes = {};
-  params.forEach(function(param) {
+  params.forEach(function (param) {
     paramTypes[param.type] = getArgValue({
       arg: args[param.index],
       inclusive: param.inclusive,
       allowNegatives: param.allowNegatives,
-      sourceLength
+      sourceLength,
     });
   });
 
   return paramTypes;
 }
 
+/**
+ * Checks whether the input is an object
+ * @param {*} value
+ * @return {boolean}
+ */
+function isObject(value) {
+  if (typeof value === 'object' && !Array.isArray(value) && value !== null) {
+    return true;
+  }
+
+  return false;
+}
+
+function setProxyTaggedString(contrastData, input, tracker) {
+  let proxyTaggedString;
+
+  if (contrastData.proxyTaggedString) {
+    proxyTaggedString = contrastData.proxyTaggedString;
+  } else {
+    const { str } = tracker.track(input);
+    proxyTaggedString = str;
+  }
+
+  contrastData.proxyTaggedString = proxyTaggedString;
+
+  return proxyTaggedString;
+}
+
+function getContrastData(data) {
+  return data.args[1].schema && data.args[1].schema.__CONTRAST__;
+}
+
 module.exports.origValue = origValue;
 module.exports.deepOrigValue = deepOrigValue;
 module.exports.sortParamTypes = sortParamTypes;
+module.exports.isObject = isObject;
+module.exports.setProxyTaggedString = setProxyTaggedString;
+module.exports.getContrastData = getContrastData;

package/lib/assess/sources/index.js

@@ -55,6 +55,25 @@ sources.track = function(type, parent, key, membrane) {
   parent[key] = membrane.wrap(object, metadata);
 };
 
+/**
+ * Chooses a strategy for tracking the source events
+ * @param {any} config Current configuration for the agent
+ * @param {Logger} logger A logger instance
+ * @returns {Boolean} whether lazy tracking is enabled or not
+ */
+sources.getLazyTrackingConfig = function(config, logger) {
+  if (config._default['agent.traverse_and_track']) {
+    return config.assess.enable_lazy_tracking;
+  }
+  if (config._default['assess.enable_lazy_tracking']) {
+    logger.error('agent.traverse_and_track option is deprecated. Please use assess.enable_lazy_tracking from now on. It\'s value should be the opposite of this one');
+    return !config.agent.traverse_and_track;
+  }
+
+  logger.error('Conflicting options set: `agent.traverse_and_track` and `assess.enable_lazy_tracking`. `agent.traverse_and_track` is deprecated, so `assess.enable_lazy_tracking` takes precedence');
+  return config.assess.enable_lazy_tracking;
+};
+
 /**
  * Registers an event to add URL and input exclusions to async storage if they
  * pertain to the current request path. Also registers all the source events
@@ -62,8 +81,10 @@ sources.track = function(type, parent, key, membrane) {
  * object in a membrane
  */
 sources.registerListeners = function({ config, exclusions }) {
+  const isLazyTrackingEnabled = sources.getLazyTrackingConfig(config, logger);
+
   agentEmitter.on('assess.body', (obj, prop) => {
-    if (!config.agent.traverse_and_track) {
+    if (isLazyTrackingEnabled) {
       return sources.handleSourceEvent(config, exclusions, BODY, obj, prop);
     }
 
@@ -77,7 +98,7 @@ sources.registerListeners = function({ config, exclusions }) {
     });
   });
   agentEmitter.on('assess.headers', (obj, prop) => {
-    if (!config.agent.traverse_and_track) {
+    if (isLazyTrackingEnabled) {
       return sources.handleSourceEvent(config, exclusions, HEADER, obj, prop);
     }
 
@@ -89,7 +110,7 @@ sources.registerListeners = function({ config, exclusions }) {
     });
   });
   agentEmitter.on('assess.params', (obj, prop) => {
-    if (!config.agent.traverse_and_track) {
+    if (isLazyTrackingEnabled) {
       return sources.handleSourceEvent(
         config,
         exclusions,
@@ -107,7 +128,7 @@ sources.registerListeners = function({ config, exclusions }) {
     });
   });
   agentEmitter.on('assess.query', (obj, prop) => {
-    if (!config.agent.traverse_and_track) {
+    if (isLazyTrackingEnabled) {
       return sources.handleSourceEvent(
         config,
         exclusions,
@@ -126,7 +147,7 @@ sources.registerListeners = function({ config, exclusions }) {
   });
 
   agentEmitter.on('assess.cookies', (obj, prop) => {
-    if (!config.agent.traverse_and_track) {
+    if (isLazyTrackingEnabled) {
       return sources.handleSourceEvent(config, exclusions, COOKIE, obj, prop);
     }
 

package/lib/cli-rewriter/index.js

@@ -215,7 +215,7 @@ class CLIRewriter {
 
     const content = await readFile(filename, 'utf8');
     const rewriteData = this.rewriter.rewriteFile(content, filename, {
-      sourceType: type
+      sourceType: type === 'commonjs' ? 'script' : 'module'
     });
 
     if (rewriteData.code) {

package/lib/core/async-storage/hooks/{mongodb-core.js → mongodb.js}

@@ -26,9 +26,9 @@ const utils = require('./utils');
  * @param {Object} prototype to hook
  * @param {String} method to hook
  */
-function hookMethod(prototype, method) {
-  patcher.patch(prototype, method, {
-    name: `mongodb-core.${prototype.constructor.name}.prototype`,
+function hookMethod(obj, method, patchName) {
+  patcher.patch(obj, method, {
+    name: patchName,
     patchType: ASYNC_CONTEXT,
     alwaysRun: true,
     pre: (data) => {
@@ -42,17 +42,18 @@ function hookMethod(prototype, method) {
 }
 
 /**
- * Registers the hooks for mongdb-core
+ * Registers the hooks for mongodb and mongodb-core
  */
 function init() {
-  logger.info('applying non-policy hook: mongodb-core');
+  logger.info('applying non-policy hook: mongodb');
 
   requireHook.resolve(
     { name: 'mongodb-core', file: 'lib/topologies/server.js' },
     (server) => {
       const methods = ['command', 'insert', 'update', 'remove', 'logout'];
       for (const method of methods) {
-        hookMethod(server.prototype, method);
+        const name = `mongodb-core.${server.prototype.constructor.name}.prototype`;
+        hookMethod(server.prototype, method, name);
       }
     }
   );
@@ -60,9 +61,42 @@ function init() {
   requireHook.resolve(
     { name: 'mongodb-core', file: 'lib/cursor.js' },
     (cursor) => {
-      hookMethod(cursor.prototype, 'next');
+      const name = `mongodb-core.${cursor.prototype.constructor.name}.prototype`;
+      hookMethod(cursor.prototype, 'next', name);
     }
   );
+
+  requireHook.resolve(
+    {
+      name: 'mongodb',
+      file: 'lib/topologies/server.js',
+      version: '>=3.3.0 <4.0.0'
+    },
+    (server) => patcher.patch(server, {
+      name: 'mongodb.Server',
+      patchType: ASYNC_CONTEXT,
+      alwaysRun: true,
+      post: (data) => {
+        const methods = ['command', 'insert', 'update', 'remove'];
+        for (const method of methods) {
+          hookMethod(data.result, method, 'mongodb.Server');
+        }
+      }
+    })
+  );
+
+  requireHook.resolve(
+    { name: 'mongodb', file: 'lib/cursor.js', version: '>=3.3.0 <4.0.0' },
+    (cursor) => patcher.patch(cursor,
+      {
+        name: 'mongodb.Cursor',
+        patchType: ASYNC_CONTEXT,
+        alwaysRun: true,
+        post: (data) => {
+          hookMethod(data.result, '_next', 'mongodb.Cursor');
+        }
+      })
+  );
 }
 
 module.exports = init;

package/lib/core/config/options.js

@@ -476,7 +476,13 @@ const agent = [
     name: 'agent.traverse_and_track',
     arg: '<traverse-and-track>',
     default: false,
-    desc: 'source membrane alternative',
+    fn: (val, logger) => {
+      if (val) {
+        logger.error('agent.traverse_and_track option is deprecated. Please use assess.enable_lazy_tracking from now on. It\'s value should be the opposite of this one');
+      }
+      return val;
+    },
+    desc: 'source membrane alternative (DEPRECATED)',
   },
   {
     name: 'agent.polling.app_activity_ms',
@@ -747,6 +753,13 @@ const assess = [
     arg: '<tags>',
     desc: 'comma-separated list of tags to apply to each application vulnerability reported by the agent',
   },
+  {
+    name: 'assess.enable_lazy_tracking',
+    arg: '[true]',
+    default: true,
+    fn: castBoolean,
+    desc: 'When set to `false` won\'t track the source events lazily but will track the first up to 250 source events',
+  },
 ];
 
 const protect = [

package/lib/core/config/util.js

@@ -72,8 +72,8 @@ class Config {
         assess: {},
         protect: {},
         server: {},
-        dev: {}
-      }
+        dev: {},
+      },
     };
   }
 
@@ -146,9 +146,10 @@ class Config {
  * @return {string|void} path, if valid
  */
 function checkConfigPath() {
-  const configDir = os.platform() === 'win32'
-    ? `${process.env['ProgramData']}\\contrast`
-    : '/etc/contrast';
+  const configDir =
+    os.platform() === 'win32'
+      ? `${process.env['ProgramData']}\\contrast`
+      : '/etc/contrast';
 
   for (const dir of [process.cwd(), configDir]) {
     const checkPath = path.resolve(dir, 'contrast_security.yaml');
@@ -159,7 +160,6 @@ function checkConfigPath() {
   return;
 }
 
-
 /**
  * @param {Object} cliOptions
  * @param {string} cliOptions.script
@@ -202,7 +202,7 @@ function readConfig(cliOptions, logger) {
     // parse yaml and JSON separately.
     try {
       config = yaml.parse(fileContents, {
-        prettyErrors: true
+        prettyErrors: true,
       });
     } catch (e) {
       logger.error(
@@ -264,7 +264,7 @@ function mergeCliOptions(cliOptions, logger) {
       enum: optEnum,
       fn = _.identity,
       name,
-      required
+      required,
     } = option;
 
     const env = process.env[option.env];
@@ -294,7 +294,7 @@ function mergeCliOptions(cliOptions, logger) {
     // set from default
     if (value === undefined) {
       if (required) {
-        logger.error('Missing required option \'%s\'', name);
+        logger.error("Missing required option '%s'", name);
         return options;
       }
 
@@ -307,10 +307,38 @@ function mergeCliOptions(cliOptions, logger) {
   }, new Config());
 }
 
+/**
+ * When you run an appliaction with pm2 on cluster mode, pm2 attaches the
+ * process.env to a property pm2_env(only for the agent since we start it with -r flag), so
+ * the function checks if there is pm2_env property and merge contrast
+ * related properties to process.env
+ */
+function mergePM2Envs() {
+  if (!process.env.pm2_env) return;
+
+  const pm2_env = JSON.parse(process.env.pm2_env);
+
+  const contrastEnvs = ['DEBUG', 'PGHOST', 'PGPORT'];
+  const objectEntries = Object.entries(pm2_env.env)
+    .concat(Object.entries(pm2_env))
+    .concat(['DEBUG', 'PGHOST', 'PGPORT']);
+
+  objectEntries.forEach(([key, value]) => {
+    if (
+      !process.env[key] &&
+      (key.toLocaleLowerCase().includes('contrast') ||
+        contrastEnvs.includes(key))
+    ) {
+      process.env[key] = value;
+    }
+  });
+}
+
 util.Config = Config;
 util.setup = function setup(cliOptions, logger) {
-  const mergedCliOptions = mergeCliOptions(cliOptions, logger);
+  mergePM2Envs();
 
+  const mergedCliOptions = mergeCliOptions(cliOptions, logger);
   mergedCliOptions.script = cliOptions.script;
   mergedCliOptions.configFile = cliOptions.configFile;
   mergedCliOptions.validate();
@@ -323,7 +351,7 @@ util.logConfig = function logConfig(mergedConfig, logger) {
     'Current Configuration: %s',
     stringify(mergedConfig._flat, {
       replacer: (k, v) => (v == undefined ? null : v),
-      space: 2
+      space: 2,
     })
   );
 };

package/lib/instrumentation.js

@@ -129,7 +129,7 @@ function protectModeFeatures({ agent, reporter }) {
       // needs the || '.' for testing...
       const logDir = agent.config.agent.node.analysis_log_dir || '.';
       const agentLib = new lib.Agent(
-        { enableLogging: true, logDir, logLevel: "INFO" }
+        { enableLogging: true, logDir, logLevel: 'INFO' }
       );
       // attach the constants so lib.Agent() isn't exposed.
       for (const c in lib.constants) {
@@ -159,7 +159,7 @@ function protectModeFeatures({ agent, reporter }) {
 function nonPolicyHooks(agent) {
   require('./core/async-storage/hooks/bluebird')();
   require('./core/async-storage/hooks/redis')();
-  require('./core/async-storage/hooks/mongodb-core')();
+  require('./core/async-storage/hooks/mongodb')();
   require('./core/async-storage/hooks/mysql')();
   require('./hooks/require');
   require('./hooks/cluster')(agent);

package/lib/protect/service.js

@@ -202,9 +202,11 @@ class ProtectService {
       headers: req.rawHeaders.map((h, ix) => (ix & 1 ? h : h.toLowerCase()))
     };
 
+    arg.uriPath = req.url;
     const questionMark = req.url.indexOf('?');
     if (questionMark >= 0) {
       arg.queries = req.url.slice(questionMark + 1);
+      arg.uriPath = req.url.slice(0, questionMark);
     }
 
     const findings = this.agentLib.scoreRequestConnect(rules, arg, evalOptions);

package/lib/util/trace-util.js

@@ -46,12 +46,13 @@ function getRequest(agent, ruleId) {
   }
 
   const ruleCount = context.rules[ruleId];
-
   const { sampling } = agent.config.assess;
-  if (sampling && sampling.enable && ruleCount < sampling.baseline) {
-    context.rules[ruleId]++;
-    return request;
+  if (sampling && sampling.enable && ruleCount >= sampling.baseline) {
+    return;
   }
+
+  context.rules[ruleId]++;
+  return request;
 }
 
 /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.17.0",
+  "version": "4.19.0",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",
@@ -76,7 +76,7 @@
     "@babel/template": "^7.10.4",
     "@babel/traverse": "^7.12.1",
     "@babel/types": "^7.12.1",
-    "@contrast/agent-lib": "^3.0.0",
+    "@contrast/agent-lib": "^4.0.0",
     "@contrast/distringuish-prebuilt": "^2.2.0",
     "@contrast/flat": "^4.1.1",
     "@contrast/fn-inspect": "^2.4.4",
@@ -138,7 +138,7 @@
     "csv-writer": "^1.2.0",
     "deasync": "^0.1.24",
     "dustjs-linkedin": "^3.0.1",
-    "ejs": "^3.1.6",
+    "ejs": "^3.1.7",
     "escape-html": "^1.0.3",
     "eslint": "^8.9.0",
     "eslint-plugin-mocha": "^10.0.3",
@@ -152,6 +152,7 @@
     "handlebars": "^4.7.7",
     "husky": "^6.0.0",
     "inquirer": "^8.1.2",
+    "jira-client": "^8.1.0",
     "joi": "^17.4.0",
     "jsdoc": "^3.6.10",
     "libxmljs": "file:test/mock/libxmljs",