@contrast/agent 4.17.1 → 4.18.0

package/lib/assess/sources/index.js

@@ -55,6 +55,25 @@ sources.track = function(type, parent, key, membrane) {
   parent[key] = membrane.wrap(object, metadata);
 };
 
+/**
+ * Chooses a strategy for tracking the source events
+ * @param {any} config Current configuration for the agent
+ * @param {Logger} logger A logger instance
+ * @returns {Boolean} whether lazy tracking is enabled or not
+ */
+sources.getLazyTrackingConfig = function(config, logger) {
+  if (config._default['agent.traverse_and_track']) {
+    return config.assess.enable_lazy_tracking;
+  }
+  if (config._default['assess.enable_lazy_tracking']) {
+    logger.error('agent.traverse_and_track option is deprecated. Please use assess.enable_lazy_tracking from now on. It\'s value should be the opposite of this one');
+    return !config.agent.traverse_and_track;
+  }
+
+  logger.error('Conflicting options set: `agent.traverse_and_track` and `assess.enable_lazy_tracking`. `agent.traverse_and_track` is deprecated, so `assess.enable_lazy_tracking` takes precedence');
+  return config.assess.enable_lazy_tracking;
+};
+
 /**
  * Registers an event to add URL and input exclusions to async storage if they
  * pertain to the current request path. Also registers all the source events
@@ -62,8 +81,10 @@ sources.track = function(type, parent, key, membrane) {
  * object in a membrane
  */
 sources.registerListeners = function({ config, exclusions }) {
+  const isLazyTrackingEnabled = sources.getLazyTrackingConfig(config, logger);
+
   agentEmitter.on('assess.body', (obj, prop) => {
-    if (!config.agent.traverse_and_track) {
+    if (isLazyTrackingEnabled) {
       return sources.handleSourceEvent(config, exclusions, BODY, obj, prop);
     }
 
@@ -77,7 +98,7 @@ sources.registerListeners = function({ config, exclusions }) {
     });
   });
   agentEmitter.on('assess.headers', (obj, prop) => {
-    if (!config.agent.traverse_and_track) {
+    if (isLazyTrackingEnabled) {
       return sources.handleSourceEvent(config, exclusions, HEADER, obj, prop);
     }
 
@@ -89,7 +110,7 @@ sources.registerListeners = function({ config, exclusions }) {
     });
   });
   agentEmitter.on('assess.params', (obj, prop) => {
-    if (!config.agent.traverse_and_track) {
+    if (isLazyTrackingEnabled) {
       return sources.handleSourceEvent(
         config,
         exclusions,
@@ -107,7 +128,7 @@ sources.registerListeners = function({ config, exclusions }) {
     });
   });
   agentEmitter.on('assess.query', (obj, prop) => {
-    if (!config.agent.traverse_and_track) {
+    if (isLazyTrackingEnabled) {
       return sources.handleSourceEvent(
         config,
         exclusions,
@@ -126,7 +147,7 @@ sources.registerListeners = function({ config, exclusions }) {
   });
 
   agentEmitter.on('assess.cookies', (obj, prop) => {
-    if (!config.agent.traverse_and_track) {
+    if (isLazyTrackingEnabled) {
       return sources.handleSourceEvent(config, exclusions, COOKIE, obj, prop);
     }
 

package/lib/core/config/options.js

@@ -476,7 +476,13 @@ const agent = [
     name: 'agent.traverse_and_track',
     arg: '<traverse-and-track>',
     default: false,
-    desc: 'source membrane alternative',
+    fn: (val, logger) => {
+      if (val) {
+        logger.error('agent.traverse_and_track option is deprecated. Please use assess.enable_lazy_tracking from now on. It\'s value should be the opposite of this one');
+      }
+      return val;
+    },
+    desc: 'source membrane alternative (DEPRECATED)',
   },
   {
     name: 'agent.polling.app_activity_ms',
@@ -747,6 +753,13 @@ const assess = [
     arg: '<tags>',
     desc: 'comma-separated list of tags to apply to each application vulnerability reported by the agent',
   },
+  {
+    name: 'assess.enable_lazy_tracking',
+    arg: '[true]',
+    default: true,
+    fn: castBoolean,
+    desc: 'When set to `false` won\'t track the source events lazily but will track the first up to 250 source events',
+  },
 ];
 
 const protect = [

package/lib/core/config/util.js

@@ -72,8 +72,8 @@ class Config {
         assess: {},
         protect: {},
         server: {},
-        dev: {}
-      }
+        dev: {},
+      },
     };
   }
 
@@ -146,9 +146,10 @@ class Config {
  * @return {string|void} path, if valid
  */
 function checkConfigPath() {
-  const configDir = os.platform() === 'win32'
-    ? `${process.env['ProgramData']}\\contrast`
-    : '/etc/contrast';
+  const configDir =
+    os.platform() === 'win32'
+      ? `${process.env['ProgramData']}\\contrast`
+      : '/etc/contrast';
 
   for (const dir of [process.cwd(), configDir]) {
     const checkPath = path.resolve(dir, 'contrast_security.yaml');
@@ -159,7 +160,6 @@ function checkConfigPath() {
   return;
 }
 
-
 /**
  * @param {Object} cliOptions
  * @param {string} cliOptions.script
@@ -202,7 +202,7 @@ function readConfig(cliOptions, logger) {
     // parse yaml and JSON separately.
     try {
       config = yaml.parse(fileContents, {
-        prettyErrors: true
+        prettyErrors: true,
       });
     } catch (e) {
       logger.error(
@@ -264,7 +264,7 @@ function mergeCliOptions(cliOptions, logger) {
       enum: optEnum,
       fn = _.identity,
       name,
-      required
+      required,
     } = option;
 
     const env = process.env[option.env];
@@ -294,7 +294,7 @@ function mergeCliOptions(cliOptions, logger) {
     // set from default
     if (value === undefined) {
       if (required) {
-        logger.error('Missing required option \'%s\'', name);
+        logger.error("Missing required option '%s'", name);
         return options;
       }
 
@@ -307,10 +307,38 @@ function mergeCliOptions(cliOptions, logger) {
   }, new Config());
 }
 
+/**
+ * When you run an appliaction with pm2 on cluster mode, pm2 attaches the
+ * process.env to a property pm2_env(only for the agent since we start it with -r flag), so
+ * the function checks if there is pm2_env property and merge contrast
+ * related properties to process.env
+ */
+function mergePM2Envs() {
+  if (!process.env.pm2_env) return;
+
+  const pm2_env = JSON.parse(process.env.pm2_env);
+
+  const contrastEnvs = ['DEBUG', 'PGHOST', 'PGPORT'];
+  const objectEntries = Object.entries(pm2_env.env)
+    .concat(Object.entries(pm2_env))
+    .concat(['DEBUG', 'PGHOST', 'PGPORT']);
+
+  objectEntries.forEach(([key, value]) => {
+    if (
+      !process.env[key] &&
+      (key.toLocaleLowerCase().includes('contrast') ||
+        contrastEnvs.includes(key))
+    ) {
+      process.env[key] = value;
+    }
+  });
+}
+
 util.Config = Config;
 util.setup = function setup(cliOptions, logger) {
-  const mergedCliOptions = mergeCliOptions(cliOptions, logger);
+  mergePM2Envs();
 
+  const mergedCliOptions = mergeCliOptions(cliOptions, logger);
   mergedCliOptions.script = cliOptions.script;
   mergedCliOptions.configFile = cliOptions.configFile;
   mergedCliOptions.validate();
@@ -323,7 +351,7 @@ util.logConfig = function logConfig(mergedConfig, logger) {
     'Current Configuration: %s',
     stringify(mergedConfig._flat, {
       replacer: (k, v) => (v == undefined ? null : v),
-      space: 2
+      space: 2,
     })
   );
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.17.1",
+  "version": "4.18.0",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",
@@ -152,6 +152,7 @@
     "handlebars": "^4.7.7",
     "husky": "^6.0.0",
     "inquirer": "^8.1.2",
+    "jira-client": "^8.1.0",
     "joi": "^17.4.0",
     "jsdoc": "^3.6.10",
     "libxmljs": "file:test/mock/libxmljs",