@contrast/agent 4.19.6 → 4.20.1

package/lib/assess/policy/signatures.json

@@ -215,13 +215,13 @@
     },
     "mongodb.Db.prototype.eval": {
       "moduleName": "mongodb",
-      "version": ">=3.5.0",
+      "version": ">=3.3.0",
       "methodName": "Db.prototype.eval",
       "isModule": true
     },
     "mongodb.Collection.prototype.rename": {
       "moduleName": "mongodb",
-      "version": ">=3.5.0",
+      "version": ">=3.3.0",
       "methodName": "Collection.prototype.rename",
       "isModule": true
     },

package/lib/assess/sinks/mongodb.js

@@ -48,10 +48,11 @@ module.exports = ({ common }) => {
   const mongoSink = {};
 
   /**
-   * Methods to hook in Collection.prototype.
+   * Methods to hook in Collection.prototype
    * Collated and pruned from: Object.keys(mongodb.Collection.prototype)
+   * Some methods are deprecated in newer DATABASE versions
    */
-  mongoSink.collectionMethodsV3 = [
+  mongoSink.collectionMethods = [
     // XXX hooking these results in compilation issues; unsure why
     // 'collectionName',
     // 'namespace',
@@ -91,45 +92,36 @@ module.exports = ({ common }) => {
     // 'initializeOrderedBulkOp'
 
     // 'bulkWrite',
-    // 'insert',
 
-    'deleteMany',
-    'deleteOne',
     'find',
-    'findAndModify',
-    'findAndRemove',
     'findOne',
+    'findAndModify',
     'findOneAndDelete',
     'findOneAndReplace',
     'findOneAndUpdate',
+    'insert',
     'insertMany',
     'insertOne',
     'remove',
-    'removeMany',
     'removeOne',
     'replaceOne',
+    'removeMany',
     'save',
     'update',
+    'updateOne',
     'updateMany',
-    'updateOne'
+    'deleteOne',
+    'deleteMany',
   ];
 
-  mongoSink.collectionMethodsV4 = [
-    'deleteMany',
-    'deleteOne',
-    'find',
-    'findOne',
-    'findOneAndDelete',
+  // Collection of methods with the syntax: method(filter, doc, options);
+  // We should track and report unsafe inputs in both: `filter` and `doc`
+  const twoArgsCollectionMethods = [
     'findOneAndReplace',
     'findOneAndUpdate',
-    'insert',
-    'insertMany',
-    'insertOne',
-    'remove',
     'replaceOne',
-    'update',
-    'updateMany',
-    'updateOne'
+    'updateOne',
+    'updateMany'
   ];
 
   /**
@@ -144,6 +136,7 @@ module.exports = ({ common }) => {
           ...data,
           result: null
         });
+
         // events are prefixed with 'protect '
         ctxt.signature = data.name.split(' ')[1];
         Object.defineProperty(doc, '__contrastContext', {
@@ -169,8 +162,10 @@ module.exports = ({ common }) => {
   };
 
   mongoSink.collectionMethodPost = (data) => {
+    const method = data.hooked && data.hooked.name;
+
     try {
-      const doc = data.args[0];
+      let doc = data.args[0];
 
       if (!doc) {
         return;
@@ -183,7 +178,14 @@ module.exports = ({ common }) => {
       }
 
       const ctxt = getCallContext(contrastContext, data);
+
+      if (twoArgsCollectionMethods.indexOf(method) > -1) {
+        // Assess both args at once
+        doc = { filter: data.args[0], update: data.args[1] };
+      }
+
       mongoSink.assess(doc, ctxt);
+
     } catch (err) {
       logger.error(`Unable to perform post hook in ${data.name} %o`, err);
     }
@@ -287,13 +289,6 @@ module.exports = ({ common }) => {
   };
 
   mongoSink.handleVersion4 = (mongodb, version) => {
-    patcher.patch(mongodb.Collection.prototype, mongoSink.collectionMethodsV4, {
-      name: 'assess mongodb.Collection.prototype',
-      patchType: PATCH_TYPES.ASSESS_SINK,
-      pre: mongoSink.collectionMethodHandler,
-      post: mongoSink.collectionMethodPost
-    });
-
     patcher.patch(mongodb.Db.prototype, 'command', {
       name: 'assess mongodb.Db.prototype',
       patchType: PATCH_TYPES.ASSESS_SINK,
@@ -302,13 +297,6 @@ module.exports = ({ common }) => {
   };
 
   mongoSink.handleVersion3 = (mongodb, version) => {
-    patcher.patch(mongodb.Collection.prototype, mongoSink.collectionMethodsV3, {
-      name: 'assess mongodb.Collection.prototype',
-      patchType: PATCH_TYPES.ASSESS_SINK,
-      pre: mongoSink.collectionMethodHandler,
-      post: mongoSink.collectionMethodPost
-    });
-
     patcher.patch(
       mongodb.CoreServer.prototype,
       mongoSink.coreServerQueryMethods,
@@ -342,7 +330,15 @@ module.exports = ({ common }) => {
       return;
     }
 
+    // NPM package architectures are different between v3.x.x and v4.x.x
     requireHook.resolve({ name: 'mongodb' }, function(mongodb, { version }) {
+      patcher.patch(mongodb.Collection.prototype, mongoSink.collectionMethods, {
+        name: 'assess mongodb.Collection.prototype',
+        patchType: PATCH_TYPES.ASSESS_SINK,
+        pre: mongoSink.collectionMethodHandler,
+        post: mongoSink.collectionMethodPost
+      });
+
       if (semver.gte(version, '4.0.0')) {
         return mongoSink.handleVersion4(mongodb, version);
       }
@@ -358,9 +354,7 @@ module.exports = ({ common }) => {
  * It tries to get the context from the pre handler
  * See: mongoSink.collectionMethodHandler
  *
- * If it does not exists, it tries to create a call context
- * although it won't be great, it is something
- *
+ * If it does not exist, it tries to create a call context
  */
 function getCallContext(ctxt, data) {
   if (!ctxt) {

package/lib/core/arch-components/mongodb.js

@@ -19,39 +19,97 @@ const { PATCH_TYPES } = require('../../constants');
 const ModuleHook = require('../../hooks/require');
 const patcher = require('../../hooks/patcher');
 const logger = require('../logger')('contrast:arch-component');
+const semver = require('semver');
 
 ModuleHook.resolve(
-  { name: 'mongodb', file: 'lib/mongo_client.js' },
-  (MongoClient) => {
-    patcher.patch(MongoClient.prototype, 'connect', {
-      name: 'MongoClient.connect.arch_component',
-      patchType: PATCH_TYPES.ARCH_COMPONENT,
-      alwaysRun: true,
-      post(ctx) {
-        if (!ctx.result || !ctx.result.then) {
-          return;
-        }
+  {
+    name: 'mongodb',
+    file: 'lib/mongo_client.js',
+    version: '>=3.3.0'
+  },
+  (MongoClient, { version }) => {
+    if (semver.lt(version, '4.0.0')) {
+      patcher.patch(MongoClient.prototype, 'connect', {
+        name: 'MongoClient.connect.arch_component',
+        patchType: PATCH_TYPES.ARCH_COMPONENT,
+        alwaysRun: true,
+        post(ctx) {
+          if (!ctx.result || !ctx.result.then) {
+            return;
+          }
 
-        // We should report only when connection is successful
-        ctx.result.then(function (client) {
-          try {
-            const { servers = [] } = ctx.obj.s && ctx.obj.s.options;
-            for (const server of servers) {
-              agentEmitter.emit('architectureComponent', {
-                vendor: 'MongoDB',
-                url: `mongodb://${server.host}:${server.port}`,
-                remoteHost: '',
-                remotePort: server.port,
-              });
+          // We should report only when connection is successful
+          ctx.result.then(function(client) {
+            try {
+              const { servers = [] } = ctx.obj.s && ctx.obj.s.options;
+              for (const server of servers) {
+                agentEmitter.emit('architectureComponent', {
+                  vendor: 'MongoDB',
+                  url: `mongodb://${server.host}:${server.port}`,
+                  remoteHost: '',
+                  remotePort: server.port,
+                });
+              }
+            } catch (err) {
+              logger.warn(
+                'unable to report MongoDB architecture component, err: %o',
+                err,
+              );
             }
-          } catch (err) {
-            logger.warn(
-              'unable to report MongoDB architecture component, err: %o',
-              err,
-            );
+          });
+        },
+      });
+    }
+  },
+);
+
+/* Architecture component for >= mongodb@4
+ * It's not limited in the require hook to >=4.0.0 because
+ * that would result in confusing logs for the customer that
+ * we don't support older versions (which is not true) */
+ModuleHook.resolve(
+  {
+    name: 'mongodb',
+    version: '>=3.3.0'
+  },
+  (MongoDB, { version }) => {
+    if (semver.gte(version, '4.0.0')) {
+      patcher.patch(MongoDB.MongoClient.prototype, 'connect', {
+        name: 'MongoClient.connect.arch_component',
+        patchType: PATCH_TYPES.ARCH_COMPONENT,
+        alwaysRun: true,
+        post(ctx) {
+          if (!ctx.result || !ctx.result.then) {
+            return;
           }
-        });
-      },
-    });
+
+          // We should report only when connection is successful
+          ctx.result.then(function(client) {
+            if (client && client.topology && client.topology.s) {
+              try {
+                const { servers } = client.topology.s;
+                for (const [, server] of servers) {
+                  if (server.s && server.s.state === 'connected') {
+                    const { srvServiceName } = server.s.options;
+                    const { address } = server.s.description;
+                    agentEmitter.emit('architectureComponent', {
+                      vendor: 'MongoDB',
+                      url: `${srvServiceName}://${address}`,
+                      remoteHost: '',
+                      remotePort: address.split(':').pop()
+                    });
+                  }
+                }
+              } catch (err) {
+                logger.warn(
+                  'unable to report MongoDB architecture component, err: %o',
+                  err,
+                );
+              }
+            }
+          });
+        },
+      });
+    }
   },
 );

package/lib/core/async-storage/hooks/mongodb.js

@@ -20,6 +20,7 @@ const requireHook = require('../../../hooks/require');
 const resolveCallbackIdx = require('../../../util/callback-resolver');
 const patcher = require('../../../hooks/patcher');
 const utils = require('./utils');
+const semver = require('semver');
 
 /**
  * Hooks a method to properly bind to AsyncStorage
@@ -35,10 +36,11 @@ function hookMethod(obj, method, patchName) {
     pre: (data) => {
       const { args, funcKey: identifier } = data;
       const idx = resolveCallbackIdx(data.args);
+
       if (idx >= 0) {
         utils.bindFnArgAtIndex({ args, idx, identifier });
       }
-    }
+    },
   });
 }
 
@@ -70,34 +72,84 @@ function init() {
   requireHook.resolve(
     {
       name: 'mongodb',
-      file: 'lib/topologies/server.js',
-      version: '>=3.3.0 <4.0.0'
+      file: 'lib/topologies/topology_base.js',
+      version: '>=3.3.0',
     },
-    (server) =>
-      patcher.patch(server, {
-        name: 'mongodb.Server',
-        patchType: ASYNC_CONTEXT,
-        alwaysRun: true,
-        post: (data) => {
-          const methods = ['command', 'insert', 'update', 'remove'];
-          for (const method of methods) {
-            hookMethod(data.result, method, 'mongodb.Server');
-          }
-        }
-      })
+    (tpl, { version }) => {
+      if (semver.lt(version, '4.0.0')) {
+        return patcher.patch(tpl, 'TopologyBase', {
+          name: 'mongodb.TopologyBase',
+          patchType: ASYNC_CONTEXT,
+          alwaysRun: true,
+          post: (data) => {
+            const methods = ['command', 'insert', 'update', 'remove'];
+            for (const method of methods) {
+              hookMethod(data.result, method, 'mongodb.TopologyBase');
+            }
+          },
+        });
+      }
+    }
   );
 
   requireHook.resolve(
-    { name: 'mongodb', file: 'lib/cursor.js', version: '>=3.3.0 <4.0.0' },
-    (cursor) =>
-      patcher.patch(cursor, {
-        name: 'mongodb.Cursor',
-        patchType: ASYNC_CONTEXT,
-        alwaysRun: true,
-        post: (data) => {
-          hookMethod(data.result, '_next', 'mongodb.Cursor');
-        }
-      })
+    {
+      name: 'mongodb',
+      file: 'lib/topologies/native_topology.js',
+      version: '>=3.3.0',
+    },
+    (tpl, { version }) => {
+      if (semver.lt(version, '4.0.0')) {
+        return patcher.patch(tpl, {
+          name: 'mongodb.NativeTopology',
+          patchType: ASYNC_CONTEXT,
+          alwaysRun: true,
+          post: (data) => {
+            const methods = ['command', 'insert', 'update', 'remove'];
+            for (const method of methods) {
+              hookMethod(data.result, method, 'mongodb.NativeTopology');
+            }
+          },
+        });
+      }
+    }
+  );
+
+  requireHook.resolve(
+    {
+      name: 'mongodb',
+      file: 'lib/operations/command.js',
+      version: '>=3.3.0',
+    },
+    (command, { version }) => {
+      if (semver.gte(version, '4.0.0')) {
+        return patcher.patch(command, {
+          name: 'mongodb.Command',
+          patchType: ASYNC_CONTEXT,
+          alwaysRun: true,
+          post: (data) => {
+            hookMethod(data.result, 'executeCommand', 'mongodb.Command');
+            hookMethod(data.result, 'execute', 'mongodb.Command');
+          },
+        });
+      }
+    }
+  );
+
+  requireHook.resolve(
+    { name: 'mongodb', file: 'lib/cursor.js', version: '>=3.3.0' },
+    (cursor, { version }) => {
+      if (semver.lt(version, '4.0.0')) {
+        return patcher.patch(cursor, {
+          name: 'mongodb.Cursor',
+          patchType: ASYNC_CONTEXT,
+          alwaysRun: true,
+          post: (data) => {
+            hookMethod(data.result, '_next', 'mongodb.Cursor');
+          },
+        });
+      }
+    }
   );
 }
 

package/lib/core/async-storage/index.js

@@ -195,7 +195,7 @@ class AsyncStorage {
   }
 
   /**
-   * Retrives the active storage context from an error
+   * Retrieves the active storage context from an error
    * context is added to error when one is thrown
    * see: https://github.com/Jeff-Lewis/cls-hooked/blob/master/context.js#L101
    *

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.19.6",
+  "version": "4.20.1",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",
@@ -133,7 +133,6 @@
     "chai": "^4.2.0",
     "chai-as-promised": "^7.1.1",
     "chai-like": "^1.1.1",
-    "codecov": "^3.7.0",
     "config": "^3.3.3",
     "csv-writer": "^1.2.0",
     "deasync": "^0.1.24",