@contrast/agent 4.19.4 → 4.19.7

package/lib/assess/hapi/sinks/xss.js

@@ -25,7 +25,7 @@ const {
 const stackFactory = require('../../../core/stacktrace').singleton;
 const { AsyncStorage, KEYS } = require('../../../core/async-storage');
 const semver = require('semver');
-const { funcinfo } = require('@contrast/fn-inspect');
+const { funcInfo } = require('@contrast/fn-inspect');
 const { PATCH_TYPES } = require('../../../constants');
 
 class HapiXssSink {
@@ -107,7 +107,7 @@ class HapiXssSink {
           // if route coverage is enabled we put the original function
           // on the wrap in a Symbol, use that if it exists
           handler = handler[ORIG_FUNC] || handler;
-          const topFrame = funcinfo(handler);
+          const topFrame = funcInfo(handler);
           const stacktrace = stackFactory.createSnapshot({
             constructorOpt: data.hooked,
             prependFrames: [topFrame]

package/lib/assess/loopback4/route-coverage.js

@@ -19,7 +19,7 @@ const agentEmitter = require('../../agent-emitter');
 const patcher = require('../../hooks/patcher');
 const moduleHook = require('../../hooks/require');
 const { PATCH_TYPES } = require('../../constants');
-const { funcinfo } = require('@contrast/fn-inspect');
+const { funcInfo } = require('@contrast/fn-inspect');
 
 class RouteCoverage {
   constructor(agent) {
@@ -54,7 +54,7 @@ class RouteCoverage {
    */
   getSignatureFunc(route) {
     const func = route._controllerName ? route._controllerCtor : route._handler;
-    const finfo = funcinfo(func);
+    const finfo = funcInfo(func);
     const path = finfo.file.replace(`${this.appDir}/`, '');
     const suffix = route._controllerName
       ? `${route._controllerName}.${route._methodName}`

package/lib/assess/models/call-context.js

@@ -110,13 +110,16 @@ module.exports = class CallContext {
 
     if (arg && typeof arg === 'object') {
       for (const key in arg) {
-        if (tracker.getData(arg[key])) {
-          const start = CallContext.valueString(arg).indexOf(arg[key]);
-          if (start === -1) {
+        const trackedData = tracker.getData(arg[key]);
+        if (trackedData) {
+          const { start, stop } = trackedData.tagRanges[0];
+          const taintedString = arg[key].substring(start, stop + 1);
+          const taintRangeStart = CallContext.valueString(arg).indexOf(taintedString);
+          if (taintRangeStart === -1) {
             // If tracked string is not in the abbreviated stringified obj, disable highlighting
             return new TagRange(0, 0, 'disable-highlighting');
           }
-          return new TagRange(start, start + arg[key].length - 1, 'untrusted');
+          return new TagRange(taintRangeStart, taintRangeStart + taintedString.length - 1, 'untrusted');
         }
       }
     }

package/lib/core/async-storage/index.js

@@ -37,6 +37,7 @@ const KEYS = {
   DEFEND: 'defend',
   FASTIFY_HANDLER_RESOLVED: 'fastify.xss.handler.resolved',
   FASTIFY_REPLY_SEND_STATE: 'fastify.xss.reply.send.state',
+  FINALHANDLER_CB_INDEX: 'finalHandlerCbIndex',
   HAPI_CALLER: 'hapi.caller',
   INPUT_EXCLUSIONS: 'defend.exclusions',
   KOA_CTX: 'koa.ctx',

package/lib/core/express/utils.js

@@ -414,7 +414,7 @@ const instrumentHandler = (layer, id, self, stack) => {
  */
 function getLayerHandleMethod(layer) {
   let methodName = 'handle';
-  const __handleData = fnInspect.funcinfo(layer.__handle);
+  const __handleData = fnInspect.funcInfo(layer.__handle);
   if (__handleData && __handleData.file.includes('express-async-errors')) {
     methodName = '__handle';
   }

package/lib/library-usage.js

@@ -30,7 +30,7 @@ module.exports.listen = function(evalInterval = 1) {
   const handler = (codeEvent) => {
     try {
       if (
-        codeEvent.type !== 'LAZY_COMPILE' ||
+        codeEvent.type !== 'LazyCompile' ||
         codeEvent.script.indexOf(`node_modules${path.sep}`) === -1 ||
         reportedFiles.has(codeEvent.script)
       ) {

package/lib/list-installed.js

@@ -12,6 +12,8 @@ Copyright: 2022 Contrast Security, Inc
   engineered, modified, repackaged, sold, redistributed or otherwise used in a
   way not consistent with the End User License Agreement.
 */
+'use strict';
+
 const semver = require('semver');
 const util = require('util');
 
@@ -19,6 +21,8 @@ const {
   AGENT_INFO: { SUPPORTED_NPM_VERSIONS }
 } = require('./constants');
 
+const VERSION_REGEX = /^npm@(\S+)\s+(\S+)$/m;
+
 const execFile = util.promisify(require('child_process').execFile);
 
 /**
@@ -36,41 +40,61 @@ const execFile = util.promisify(require('child_process').execFile);
  */
 module.exports = async function listInstalled(cwd, logger) {
   const env = { ...process.env, NODE_OPTIONS: undefined };
-  const args = ['--silent', 'ls', '--json', '--prod', '--long'];
+  const args = ['ls', '--json', '--prod', '--long'];
+  let stdout;
 
   try {
-    const { stdout: version } = await execFile('npm', ['--version'], {
+    const result = await execFile('npm', ['help'], {
       cwd,
       env,
-      shell: true
+      shell: true,
     });
+    stdout = result.stdout;
+  } catch (err) {
+    logger.debug('`npm` returned an error: %o', err);
+    // If npm encounters any errors whatsoever it will return with a non-zero
+    // exit code but still output the relevant information to stdout.
+    // If an even worse error occurs, we may not be able to parse stdout.
+    stdout = err.stdout || '';
+  }
+
+  const [, version, location] = stdout.match(VERSION_REGEX) || [];
+  if (!version)
+    throw new Error(
+      'Unable to locate `npm`. Please enable debug level logs for more information.'
+    );
 
-    if (semver.gte(version, '7.0.0')) args.push('--all');
-    logger.debug('using npm version %s', version.trim());
-    if (!semver.satisfies(version, SUPPORTED_NPM_VERSIONS))
-      logger.warn(
-        'the installed version of npm can cause unexpected behavior. please install a version that satisfies %s',
-        SUPPORTED_NPM_VERSIONS
-      );
+  logger.debug('using npm version %s at %s', version, location);
 
-    const { stdout: list } = await execFile('npm', args, {
+  if (semver.gte(version, '7.0.0')) args.push('--all');
+  if (!semver.satisfies(version, SUPPORTED_NPM_VERSIONS))
+    logger.warn(
+      'The installed version of npm (%s at %s) can cause unexpected behavior. Please install a version that satisfies %s',
+      version,
+      location,
+      SUPPORTED_NPM_VERSIONS
+    );
+
+  try {
+    const result = await execFile('npm', args, {
       cwd,
       env,
       shell: true,
-      maxBuffer: 1024 * 1024 * 128
+      maxBuffer: 1024 * 1024 * 128,
     });
 
-    return JSON.parse(list);
+    stdout = result.stdout;
   } catch (err) {
-    // If app has unmet dependencies the command above will throw an ELSPROBLEMS
-    // error but still output all the dependencies it finds to stdout.
-    // If an even worse error occurs, we may not be able to parse stdout.
-    try {
-      logger.trace('`npm ls` returned an error: %o', err);
-      return JSON.parse(err.stdout);
-    } catch (parseErr) {
-      logger.trace('parsing the output of `npm ls` failed. %o', parseErr);
-      throw err;
-    }
+    logger.debug('`npm ls` returned an error: %o', err);
+    stdout = err.stdout || '';
+  }
+
+  try {
+    return JSON.parse(stdout);
+  } catch (err) {
+    logger.trace('parsing the output of `npm ls` failed: %o', err);
+    throw new Error(
+      '`npm ls` failed to provide a list of installed dependencies. Please enable debug level logs for more information.'
+    );
   }
 };

package/lib/protect/express/index.js

@@ -12,12 +12,16 @@ Copyright: 2022 Contrast Security, Inc
   engineered, modified, repackaged, sold, redistributed or otherwise used in a
   way not consistent with the End User License Agreement.
 */
+'use strict';
+
 const ProtectSink = require('./sinks');
-const ProectSource = require('./sources');
+const ProtectSource = require('./sources');
+const utils = require('./utils');
 
 module.exports = class ExpressInstrumentation {
   constructor() {
+    utils.install();
     new ProtectSink();
-    new ProectSource();
+    new ProtectSource();
   }
 };

package/lib/protect/express/utils.js

@@ -0,0 +1,60 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const patcher = require('../../hooks/patcher');
+const moduleHook = require('../../hooks/require');
+const { PATCH_TYPES } = require('../../constants');
+const { AsyncStorage, KEYS } = require('../../core/async-storage');
+
+module.exports.install = function () {
+  moduleHook.resolve({ name: 'finalhandler' }, (finalhandler) =>
+    patcher.patch(finalhandler, {
+      name: 'finalHandler',
+      patchType: PATCH_TYPES.FRAMEWORK,
+      post(data) {
+        data.result = patcher.patch(data.result, {
+          name: 'finalHandler.returnedFunction',
+          patchType: PATCH_TYPES.FRAMEWORK,
+          pre(data) {
+            const req = AsyncStorage.get(KEYS.REQ);
+
+            if (!req || !req.__onFinished || !req.__onFinished.queue) {
+              data.queueLength = 0;
+              return;
+            }
+            data.queueLength = req.__onFinished.queue.length;
+          },
+          post(data) {
+            if (!('queueLength' in data)) {
+              return;
+            }
+            const req = AsyncStorage.get(KEYS.REQ);
+
+            if (
+              req &&
+              req.__onFinished &&
+              req.__onFinished.queue &&
+              req.__onFinished.queue.length &&
+              req.__onFinished.queue.length - data.queueLength == 1
+            ) {
+              AsyncStorage.set(KEYS.FINALHANDLER_CB_INDEX, data.queueLength);
+            }
+          },
+        });
+      },
+    })
+  );
+};

package/lib/protect/service.js

@@ -36,6 +36,8 @@ const headerValidators = require('./validators');
 const UserInputKit = require('../reporter/models/utils/user-input-kit');
 const UserInputFactory = require('../reporter/models/utils/user-input-factory');
 const blockRequest = require('../util/block-request');
+const { AsyncStorage, KEYS } = require('../core/async-storage');
+
 
 const evalOptions = { preferWorthWatching: true };
 
@@ -219,17 +221,32 @@ class ProtectService {
     if (!rules) {
       return {};
     }
-    // also, if content-type has multipart...
-    const bodyBuffer = Buffer.concat(chunks);
 
-    const findings = this.agentLib.scoreRequestUnknownBody(
+    let bodyData = '';
+
+    if (Array.isArray(chunks)) {
+      if (typeof chunks[0] == 'string') {
+        const bodyStr = ''.concat('', ...chunks);
+        bodyData = Buffer.from(bodyStr).toString('base64');
+      } else if (Buffer.isBuffer(chunks[0])) {
+        const bodyBuffer = Buffer.concat(chunks);
+        bodyData = Uint8Array.from(bodyBuffer);
+      } else {
+        logger.error('Invalid chunk type');
+      }
+    } else {
+      logger.error('Invalid chunk type');
+    }
+
+    // also, if content-type has multipart...
+    const findings = this.agentLib.scoreRequestBody(
       rules,
-      bodyBuffer,
+      bodyData,
       evalOptions
     );
 
     // store body buffer on findings for nosqli sink.
-    findings.bodyBuffer = bodyBuffer;
+    findings.bodyBuffer = bodyData;
     return findings;
   }
 
@@ -489,6 +506,11 @@ class ProtectService {
    * @returns {Boolean} false which halts executing of original method
    */
   handleBlockAtPerimeter(res) {
+    const finalHandlerCbIndex = AsyncStorage.get(KEYS.FINALHANDLER_CB_INDEX);
+    if (finalHandlerCbIndex || finalHandlerCbIndex == 0) {
+      const req = AsyncStorage.get(KEYS.REQ);
+      req.__onFinished && req.__onFinished.queue && req.__onFinished.queue.splice(finalHandlerCbIndex, 1);
+    }
     blockRequest(res);
     // halts further execution of user code
     return false;
@@ -1135,6 +1157,7 @@ class ProtectService {
    * @param   {Rule[]} rules Rules from which to build findings
    * @returns {Object[]}     The findings from the rules
    */
+  // eslint-disable-next-line default-param-last
   createFindings(rules = [], samples) {
     const findings = [];
     const speedracer = this.reporter.speedracer &&

package/lib/reporter/translations/to-protobuf/dtm/raw-request.js

@@ -42,8 +42,14 @@ function RawRequest(data = {}) {
 function RawRequestWithBody({ requestId, bodyStr, chunks, buffer }) {
   let _body = '';
 
-  if (chunks) {
-    _body = Uint8Array.from(Buffer.concat(chunks));
+  if (Array.isArray(chunks)) {
+    if (typeof chunks[0] == 'string') {
+      const bStr = ''.concat('', ...chunks);
+      _body = Buffer.from(bStr).toString('base64');
+    } else {
+      const bBuffer = Buffer.concat(chunks);
+      _body = Uint8Array.from(bBuffer);
+    }
   } else if (buffer) {
     _body = Uint8Array.from(buffer);
   } else if (bodyStr) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.19.4",
+  "version": "4.19.7",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",
@@ -76,10 +76,10 @@
     "@babel/template": "^7.10.4",
     "@babel/traverse": "^7.12.1",
     "@babel/types": "^7.12.1",
-    "@contrast/agent-lib": "^4.0.0",
-    "@contrast/distringuish-prebuilt": "^2.2.0",
+    "@contrast/agent-lib": "^4.2.0",
+    "@contrast/distringuish-prebuilt": "^3.0.1",
     "@contrast/flat": "^4.1.1",
-    "@contrast/fn-inspect": "^2.4.4",
+    "@contrast/fn-inspect": "^3.0.0",
     "@contrast/heapdump": "^1.1.0",
     "@contrast/protobuf-api": "^3.2.5",
     "@contrast/require-hook": "^3.0.0",
@@ -121,7 +121,7 @@
     "@contrast/screener-service": "^1.12.9",
     "@hapi/boom": "file:test/mock/boom",
     "@hapi/hapi": "file:test/mock/hapi",
-    "@ls-lint/ls-lint": "^1.8.1",
+    "@ls-lint/ls-lint": "^1.11.2",
     "@typescript-eslint/eslint-plugin": "^5.12.1",
     "@typescript-eslint/parser": "^5.12.1",
     "ajv": "^8.5.0",
@@ -133,7 +133,6 @@
     "chai": "^4.2.0",
     "chai-as-promised": "^7.1.1",
     "chai-like": "^1.1.1",
-    "codecov": "^3.7.0",
     "config": "^3.3.3",
     "csv-writer": "^1.2.0",
     "deasync": "^0.1.24",