@contrast/agent 4.19.0 → 4.19.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/changelog.config.js +3 -3
- package/lib/assess/models/call-context.js +22 -0
- package/lib/core/async-storage/hooks/mongodb.js +14 -12
- package/lib/core/config/util.js +4 -0
- package/lib/reporter/models/event-tag.js +4 -1
- package/lib/reporter/models/finding/event.js +6 -0
- package/package.json +1 -2
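--- a/package/changelog.config.js
+++ b/package/changelog.config.js
@@ -17,7 +17,7 @@ Copyright: 2022 Contrast Security, Inc
 module.exports = {
 jira: {
 baseUrl: `https://${process.env.JIRA_HOST}`,
-ticketIDPattern: /(NODE
+ticketIDPattern: /(NODE-?\s?[0-9]{4})/i,
 excludeIssueTypes: ['Sub-task', 'Release'],
 api: {
 host: process.env.JIRA_HOST,
@@ -26,14 +26,14 @@ module.exports = {
 }
 },
 hideEmptyBlocks: true,
-template: `##
+template: `## <%= process.env.VERSION -%>
 
 <% blockTickets = tickets.all.filter((t) => !t.reverted); -%>
 <% if (blockTickets.length > 0 || !options.hideEmptyBlocks) { -%>
 ### Jira Tickets
 ---------------------
 <% blockTickets.forEach(ticket => { -%>
-*
+* [<%= ticket.fields.issuetype.name %>] - <%- ticket.fields.summary %>
 [<%= ticket.key %>](<%= jira.baseUrl + '/browse/' + ticket.key %>)
 <% }); -%>
 <% if (!blockTickets.length) {%> ~ None ~ <% } %>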
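--- a/package/lib/assess/models/call-context.js
+++ b/package/lib/assess/models/call-context.js
@@ -20,6 +20,7 @@ const tracker = require('../../tracker');
 const stackFactory = require('../../core/stacktrace').singleton;
 const distringuish = require('@contrast/distringuish-prebuilt');
 const { PROXY_TARGET } = require('../../../lib/constants');
+const TagRange = require('../models/tag-range');
 
 /**
 * Holds information about the call context of a function
@@ -102,6 +103,26 @@ module.exports = class CallContext {
 return !!(str && typeof str === 'object' && str[PROXY_TARGET]);
 }
 
+static getDisplayRange(arg) {
+if (tracker.getData(arg)) {
+return new TagRange(0, arg.length - 1, 'untrusted');
+}
+
+if (arg && typeof arg === 'object') {
+for (const key in arg) {
+if (tracker.getData(arg[key])) {
+const start = CallContext.valueString(arg).indexOf(arg[key]);
+if (start === -1) {
+// If tracked string is not in the abbreviated stringified obj, disable highlighting
+return new TagRange(0, 0, 'disable-highlighting');
+}
+return new TagRange(start, start + arg[key].length - 1, 'untrusted');
+}
+}
+}
+return {};
+}
+
 set result(result) {
 this.__result = CallContext.valueString(result);
 this.resultTracked = CallContext.isTracked(result);
@@ -113,6 +134,7 @@ module.exports = class CallContext {
 set args(args) {
 this.__args = args.map(CallContext.valueString);
 this.argsTracked = args.map((arg) => CallContext.isTracked(arg));
+this.argsDisplayRanges = args.map((arg) => CallContext.getDisplayRange(arg));
 }
 
 get args() {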
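Review bot: `getDisplayRange` is the only new public member in this file and has no JSDoc, while the surrounding class members are documented (see the `/** Holds information about the call context …` block in the first hunk); add `/** Range to highlight for a tracked arg, or for the first tracked string found inside an object arg. @param {*} arg @returns {TagRange|Object} a TagRange, or {} when nothing tracked was found */` above it. The `for (const key in arg)` walk also visits inherited enumerable properties, so an `if (!Object.prototype.hasOwnProperty.call(arg, key)) continue;` guard would keep the scan to the arg's own properties; whether the file targets a Node version with `Object.hasOwn` is not visible here. `indexOf` returns the first occurrence of the tracked value in the abbreviated string, which may be a key name or an earlier value rather than the tracked property, so the highlighted span can land on the wrong text; that limitation is worth a one-line comment next to the `indexOf` call. Returning `{}` instead of `null` for the not-found case forces the consumer to probe with `Object.keys(...).length`; if the consumer can accept `null`, that would be clearer, though it must change in the same commit.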
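--- a/package/lib/core/async-storage/hooks/mongodb.js
+++ b/package/lib/core/async-storage/hooks/mongodb.js
@@ -25,6 +25,7 @@ const utils = require('./utils');
 * Hooks a method to properly bind to AsyncStorage
 * @param {Object} prototype to hook
 * @param {String} method to hook
+* @param {String} patchName of the patch
 */
 function hookMethod(obj, method, patchName) {
 patcher.patch(obj, method, {
@@ -72,23 +73,24 @@ function init() {
 file: 'lib/topologies/server.js',
 version: '>=3.3.0 <4.0.0'
 },
-(server) =>
-
-
-
-
-
-
-
+(server) =>
+patcher.patch(server, {
+name: 'mongodb.Server',
+patchType: ASYNC_CONTEXT,
+alwaysRun: true,
+post: (data) => {
+const methods = ['command', 'insert', 'update', 'remove'];
+for (const method of methods) {
+hookMethod(data.result, method, 'mongodb.Server');
+}
 }
-}
-})
+})
 );
 
 requireHook.resolve(
 { name: 'mongodb', file: 'lib/cursor.js', version: '>=3.3.0 <4.0.0' },
-(cursor) =>
-{
+(cursor) =>
+patcher.patch(cursor, {
 name: 'mongodb.Cursor',
 patchType: ASYNC_CONTEXT,
 alwaysRun: true,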
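Review bot: The JSDoc for `hookMethod` now documents `patchName`, but its first `@param` still reads `prototype to hook` while the signature directly below it is `hookMethod(obj, method, patchName)`, so the documented names and the parameter names do not line up. Change the three tags to `* @param {Object} obj - prototype to hook`, `* @param {String} method - name of the method to hook` and `* @param {String} patchName - name of the patch` so each tag starts with the real parameter name. In the second hunk the `methods` array is rebuilt on every `post` callback; a module-level `const SERVER_METHODS = ['command', 'insert', 'update', 'remove'];` would avoid that and give the list a name. `init` starts outside the hunk.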
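--- a/package/lib/core/config/util.js
+++ b/package/lib/core/config/util.js
@@ -323,6 +323,10 @@ function mergePM2Envs() {
 .concat(Object.entries(pm2_env))
 .concat(['DEBUG', 'PGHOST', 'PGPORT']);
 
+const pm2ConfigPath =
+pm2_env.env.CONTRAST_CONFIG_PATH || pm2_env.CONTRAST_CONFIG_PATH;
+if (pm2ConfigPath) process.env.CONTRAST_CONFIG_PATH = pm2ConfigPath;
+
 objectEntries.forEach(([key, value]) => {
 if (
 !process.env[key] &&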
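Review bot: The new expression `pm2_env.env.CONTRAST_CONFIG_PATH || pm2_env.CONTRAST_CONFIG_PATH` dereferences `pm2_env.env` with no guard, so if a PM2 env object ever lacks `env` the whole `mergePM2Envs` call throws a TypeError here, whereas the `objectEntries` loop right below it tolerates missing keys. Writing it as `(pm2_env.env && pm2_env.env.CONTRAST_CONFIG_PATH) || pm2_env.CONTRAST_CONFIG_PATH` keeps the same precedence without the crash. The assignment also overwrites an already-set `process.env.CONTRAST_CONFIG_PATH`, while the loop below only fills keys for which `!process.env[key]` holds; if the override is intentional, a one-line comment such as `// the PM2-provided config path takes precedence over an inherited CONTRAST_CONFIG_PATH` would stop the next reader from treating it as an inconsistency. `mergePM2Envs` starts outside the hunk.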
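--- a/package/lib/reporter/models/event-tag.js
+++ b/package/lib/reporter/models/event-tag.js
@@ -12,6 +12,8 @@ Copyright: 2022 Contrast Security, Inc
 engineered, modified, repackaged, sold, redistributed or otherwise used in a
 way not consistent with the End User License Agreement.
 */
+'use strict';
+
 const { TAGS } = require('../../constants');
 
 /**
@@ -23,10 +25,11 @@ class EventTag {
 */
 constructor(tagRange) {
 this.tag = TAGS[tagRange.tag] || 'CUSTOM';
+this.offset = this.tag === 'disable-highlighting' ? 0 : 1;
 // agent tracks ranges as [start,stop] (inclusive,inclusive)
 // but TS interprets as [start,stop) (inclusive,exclusive)
 // so we need to add 1 to stop
-this.range = `${tagRange.start}:${tagRange.stop +
+this.range = `${tagRange.start}:${tagRange.stop + this.offset}`;
 }
 }
 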
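Review bot: The new `this.offset` line compares `this.tag`, which has already been mapped through `TAGS[tagRange.tag] || 'CUSTOM'`, against the raw string `'disable-highlighting'` that `CallContext.getDisplayRange` passes as the `TagRange` tag; unless `TAGS` maps that key to the identical string (not visible here), `this.tag` is `'CUSTOM'` at this point, the offset silently stays 1, and the reported range becomes `0:1` instead of the intended empty `0:0`. Comparing the unmapped input, `this.offset = tagRange.tag === 'disable-highlighting' ? 0 : 1;`, does not depend on the contents of `TAGS`. The comment block above `this.range` still ends with "so we need to add 1 to stop"; extend it with `// except for 'disable-highlighting', where an empty range is intended`. The constructor is fully inside the hunk, but `TAGS` is defined elsewhere.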
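--- a/package/lib/reporter/models/finding/event.js
+++ b/package/lib/reporter/models/finding/event.js
@@ -102,6 +102,12 @@ class Event {
 this.args.push(
 new ObjectDTM(event.context.args[i], event.context.argsTracked[i])
 );
+if (event.tagRanges[i]
+&& event.context.argsDisplayRanges
+&& Object.keys(event.context.argsDisplayRanges[i]).length
+) {
+event.tagRanges[i] = event.context.argsDisplayRanges[i];
+}
 }
 
 if (event.code) {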
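Review bot: The added condition calls `Object.keys(event.context.argsDisplayRanges[i])` after checking only that `argsDisplayRanges` itself exists, so an `undefined` element (a context whose `args` setter produced fewer ranges than `tagRanges` has entries, or one created before this field was added) throws a TypeError from inside this loop instead of leaving `tagRanges[i]` untouched. Guarding the element, `&& event.context.argsDisplayRanges[i]`, before the `Object.keys` term keeps the replacement best-effort. Using `Object.keys(...).length` to tell a `TagRange` from the `{}` that `getDisplayRange` returns for untracked args is also fragile, since it relies on `TagRange` having enumerable own properties; a comment such as `// getDisplayRange() returns {} when no tracked value was found` would at least explain the check to the next reader. The enclosing loop and its method start outside the hunk.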
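--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@contrast/agent",
-"version": "4.19.
+"version": "4.19.3",
 "description": "Node.js security instrumentation by Contrast Security",
 "keywords": [
 "security",
@@ -200,7 +200,6 @@
 },
 "bundleDependencies": [
 "winston",
-"winston-syslog",
 "winston-daily-rotate-file"
 ]
 }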