npm - @contrast/agent - Versions diffs - 4.19.7 → 4.20.0 - Mend

@contrast/agent 4.19.7 → 4.20.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/lib/assess/policy/signatures.json +2 -2
package/lib/assess/sinks/mongodb.js +34 -40
package/lib/core/arch-components/mongodb.js +87 -29
package/lib/core/async-storage/hooks/mongodb.js +77 -25
package/lib/core/async-storage/index.js +1 -1
package/package.json +1 -1

package/lib/assess/policy/signatures.json CHANGED Viewed

@@ -215,13 +215,13 @@
     },
     "mongodb.Db.prototype.eval": {
       "moduleName": "mongodb",
-      "version": ">=3.5.0",
+      "version": ">=3.3.0",
       "methodName": "Db.prototype.eval",
       "isModule": true
     },
     "mongodb.Collection.prototype.rename": {
       "moduleName": "mongodb",
-      "version": ">=3.5.0",
+      "version": ">=3.3.0",
       "methodName": "Collection.prototype.rename",
       "isModule": true
     },

package/lib/assess/sinks/mongodb.js CHANGED Viewed

@@ -48,10 +48,11 @@ module.exports = ({ common }) => {
   const mongoSink = {};
   /**
-   * Methods to hook in Collection.prototype.
+   * Methods to hook in Collection.prototype
    * Collated and pruned from: Object.keys(mongodb.Collection.prototype)
+   * Some methods are deprecated in newer DATABASE versions
    */
-  mongoSink.collectionMethodsV3 = [
+  mongoSink.collectionMethods = [
     // XXX hooking these results in compilation issues; unsure why
     // 'collectionName',
     // 'namespace',
@@ -91,45 +92,36 @@ module.exports = ({ common }) => {
     // 'initializeOrderedBulkOp'
     // 'bulkWrite',
-    // 'insert',
-    'deleteMany',
-    'deleteOne',
     'find',
-    'findAndModify',
-    'findAndRemove',
     'findOne',
+    'findAndModify',
     'findOneAndDelete',
     'findOneAndReplace',
     'findOneAndUpdate',
+    'insert',
     'insertMany',
     'insertOne',
     'remove',
-    'removeMany',
     'removeOne',
     'replaceOne',
+    'removeMany',
     'save',
     'update',
+    'updateOne',
     'updateMany',
-    'updateOne'
+    'deleteOne',
+    'deleteMany',
   ];
-  mongoSink.collectionMethodsV4 = [
-    'deleteMany',
-    'deleteOne',
-    'find',
-    'findOne',
-    'findOneAndDelete',
+  // Collection of methods with the syntax: method(filter, doc, options);
+  // We should track and report unsafe inputs in both: `filter` and `doc`
+  const twoArgsCollectionMethods = [
     'findOneAndReplace',
     'findOneAndUpdate',
-    'insert',
-    'insertMany',
-    'insertOne',
-    'remove',
     'replaceOne',
-    'update',
-    'updateMany',
-    'updateOne'
+    'updateOne',
+    'updateMany'
   ];
   /**
@@ -144,6 +136,7 @@ module.exports = ({ common }) => {
           ...data,
           result: null
         });
         // events are prefixed with 'protect '
         ctxt.signature = data.name.split(' ')[1];
         Object.defineProperty(doc, '__contrastContext', {
@@ -169,8 +162,10 @@ module.exports = ({ common }) => {
   };
   mongoSink.collectionMethodPost = (data) => {
+    const method = data.hooked && data.hooked.name;
     try {
-      const doc = data.args[0];
+      let doc = data.args[0];
       if (!doc) {
         return;
@@ -183,7 +178,14 @@ module.exports = ({ common }) => {
       }
       const ctxt = getCallContext(contrastContext, data);
+      if (twoArgsCollectionMethods.indexOf(method) > -1) {
+        // Assess both args at once
+        doc = { filter: data.args[0], update: data.args[1] };
+      }
       mongoSink.assess(doc, ctxt);
     } catch (err) {
       logger.error(`Unable to perform post hook in ${data.name} %o`, err);
     }
@@ -287,13 +289,6 @@ module.exports = ({ common }) => {
   };
   mongoSink.handleVersion4 = (mongodb, version) => {
-    patcher.patch(mongodb.Collection.prototype, mongoSink.collectionMethodsV4, {
-      name: 'assess mongodb.Collection.prototype',
-      patchType: PATCH_TYPES.ASSESS_SINK,
-      pre: mongoSink.collectionMethodHandler,
-      post: mongoSink.collectionMethodPost
-    });
     patcher.patch(mongodb.Db.prototype, 'command', {
       name: 'assess mongodb.Db.prototype',
       patchType: PATCH_TYPES.ASSESS_SINK,
@@ -302,13 +297,6 @@ module.exports = ({ common }) => {
   };
   mongoSink.handleVersion3 = (mongodb, version) => {
-    patcher.patch(mongodb.Collection.prototype, mongoSink.collectionMethodsV3, {
-      name: 'assess mongodb.Collection.prototype',
-      patchType: PATCH_TYPES.ASSESS_SINK,
-      pre: mongoSink.collectionMethodHandler,
-      post: mongoSink.collectionMethodPost
-    });
     patcher.patch(
       mongodb.CoreServer.prototype,
       mongoSink.coreServerQueryMethods,
@@ -342,7 +330,15 @@ module.exports = ({ common }) => {
       return;
     }
+    // NPM package architectures are different between v3.x.x and v4.x.x
     requireHook.resolve({ name: 'mongodb' }, function(mongodb, { version }) {
+      patcher.patch(mongodb.Collection.prototype, mongoSink.collectionMethods, {
+        name: 'assess mongodb.Collection.prototype',
+        patchType: PATCH_TYPES.ASSESS_SINK,
+        pre: mongoSink.collectionMethodHandler,
+        post: mongoSink.collectionMethodPost
+      });
       if (semver.gte(version, '4.0.0')) {
         return mongoSink.handleVersion4(mongodb, version);
       }
@@ -358,9 +354,7 @@ module.exports = ({ common }) => {
  * It tries to get the context from the pre handler
  * See: mongoSink.collectionMethodHandler
  *
- * If it does not exists, it tries to create a call context
- * although it won't be great, it is something
- *
+ * If it does not exist, it tries to create a call context
  */
 function getCallContext(ctxt, data) {
   if (!ctxt) {

package/lib/core/arch-components/mongodb.js CHANGED Viewed

@@ -19,39 +19,97 @@ const { PATCH_TYPES } = require('../../constants');
 const ModuleHook = require('../../hooks/require');
 const patcher = require('../../hooks/patcher');
 const logger = require('../logger')('contrast:arch-component');
+const semver = require('semver');
 ModuleHook.resolve(
-  { name: 'mongodb', file: 'lib/mongo_client.js' },
-  (MongoClient) => {
-    patcher.patch(MongoClient.prototype, 'connect', {
-      name: 'MongoClient.connect.arch_component',
-      patchType: PATCH_TYPES.ARCH_COMPONENT,
-      alwaysRun: true,
-      post(ctx) {
-        if (!ctx.result || !ctx.result.then) {
-          return;
-        }
+  {
+    name: 'mongodb',
+    file: 'lib/mongo_client.js',
+    version: '>=3.3.0'
+  },
+  (MongoClient, { version }) => {
+    if (semver.lt(version, '4.0.0')) {
+      patcher.patch(MongoClient.prototype, 'connect', {
+        name: 'MongoClient.connect.arch_component',
+        patchType: PATCH_TYPES.ARCH_COMPONENT,
+        alwaysRun: true,
+        post(ctx) {
+          if (!ctx.result || !ctx.result.then) {
+            return;
+          }
-        // We should report only when connection is successful
-        ctx.result.then(function (client) {
-          try {
-            const { servers = [] } = ctx.obj.s && ctx.obj.s.options;
-            for (const server of servers) {
-              agentEmitter.emit('architectureComponent', {
-                vendor: 'MongoDB',
-                url: `mongodb://${server.host}:${server.port}`,
-                remoteHost: '',
-                remotePort: server.port,
-              });
+          // We should report only when connection is successful
+          ctx.result.then(function(client) {
+            try {
+              const { servers = [] } = ctx.obj.s && ctx.obj.s.options;
+              for (const server of servers) {
+                agentEmitter.emit('architectureComponent', {
+                  vendor: 'MongoDB',
+                  url: `mongodb://${server.host}:${server.port}`,
+                  remoteHost: '',
+                  remotePort: server.port,
+                });
+              }
+            } catch (err) {
+              logger.warn(
+                'unable to report MongoDB architecture component, err: %o',
+                err,
+              );
             }
-          } catch (err) {
-            logger.warn(
-              'unable to report MongoDB architecture component, err: %o',
-              err,
-            );
+          });
+        },
+      });
+    }
+  },
+);
+/* Architecture component for >= mongodb@4
+ * It's not limited in the require hook to >=4.0.0 because
+ * that would result in confusing logs for the customer that
+ * we don't support older versions (which is not true) */
+ModuleHook.resolve(
+  {
+    name: 'mongodb',
+    version: '>=3.3.0'
+  },
+  (MongoDB, { version }) => {
+    if (semver.gte(version, '4.0.0')) {
+      patcher.patch(MongoDB.MongoClient.prototype, 'connect', {
+        name: 'MongoClient.connect.arch_component',
+        patchType: PATCH_TYPES.ARCH_COMPONENT,
+        alwaysRun: true,
+        post(ctx) {
+          if (!ctx.result || !ctx.result.then) {
+            return;
           }
-        });
-      },
-    });
+          // We should report only when connection is successful
+          ctx.result.then(function(client) {
+            if (client && client.topology && client.topology.s) {
+              try {
+                const { servers } = client.topology.s;
+                for (const [, server] of servers) {
+                  if (server.s && server.s.state === 'connected') {
+                    const { srvServiceName } = server.s.options;
+                    const { address } = server.s.description;
+                    agentEmitter.emit('architectureComponent', {
+                      vendor: 'MongoDB',
+                      url: `${srvServiceName}://${address}`,
+                      remoteHost: '',
+                      remotePort: address.split(':').pop()
+                    });
+                  }
+                }
+              } catch (err) {
+                logger.warn(
+                  'unable to report MongoDB architecture component, err: %o',
+                  err,
+                );
+              }
+            }
+          });
+        },
+      });
+    }
   },
 );

package/lib/core/async-storage/hooks/mongodb.js CHANGED Viewed

@@ -20,6 +20,7 @@ const requireHook = require('../../../hooks/require');
 const resolveCallbackIdx = require('../../../util/callback-resolver');
 const patcher = require('../../../hooks/patcher');
 const utils = require('./utils');
+const semver = require('semver');
 /**
  * Hooks a method to properly bind to AsyncStorage
@@ -35,10 +36,11 @@ function hookMethod(obj, method, patchName) {
     pre: (data) => {
       const { args, funcKey: identifier } = data;
       const idx = resolveCallbackIdx(data.args);
       if (idx >= 0) {
         utils.bindFnArgAtIndex({ args, idx, identifier });
       }
-    }
+    },
   });
 }
@@ -70,34 +72,84 @@ function init() {
   requireHook.resolve(
     {
       name: 'mongodb',
-      file: 'lib/topologies/server.js',
-      version: '>=3.3.0 <4.0.0'
+      file: 'lib/topologies/topology_base.js',
+      version: '>=3.3.0',
     },
-    (server) =>
-      patcher.patch(server, {
-        name: 'mongodb.Server',
-        patchType: ASYNC_CONTEXT,
-        alwaysRun: true,
-        post: (data) => {
-          const methods = ['command', 'insert', 'update', 'remove'];
-          for (const method of methods) {
-            hookMethod(data.result, method, 'mongodb.Server');
-          }
-        }
-      })
+    (tpl, { version }) => {
+      if (semver.lt(version, '4.0.0')) {
+        return patcher.patch(tpl, 'TopologyBase', {
+          name: 'mongodb.TopologyBase',
+          patchType: ASYNC_CONTEXT,
+          alwaysRun: true,
+          post: (data) => {
+            const methods = ['command', 'insert', 'update', 'remove'];
+            for (const method of methods) {
+              hookMethod(data.result, method, 'mongodb.TopologyBase');
+            }
+          },
+        });
+      }
+    }
   );
   requireHook.resolve(
-    { name: 'mongodb', file: 'lib/cursor.js', version: '>=3.3.0 <4.0.0' },
-    (cursor) =>
-      patcher.patch(cursor, {
-        name: 'mongodb.Cursor',
-        patchType: ASYNC_CONTEXT,
-        alwaysRun: true,
-        post: (data) => {
-          hookMethod(data.result, '_next', 'mongodb.Cursor');
-        }
-      })
+    {
+      name: 'mongodb',
+      file: 'lib/topologies/native_topology.js',
+      version: '>=3.3.0 <4.0.0',
+    },
+    (tpl, { version }) => {
+      if (semver.lt(version, '4.0.0')) {
+        return patcher.patch(tpl, {
+          name: 'mongodb.NativeTopology',
+          patchType: ASYNC_CONTEXT,
+          alwaysRun: true,
+          post: (data) => {
+            const methods = ['command', 'insert', 'update', 'remove'];
+            for (const method of methods) {
+              hookMethod(data.result, method, 'mongodb.NativeTopology');
+            }
+          },
+        });
+      }
+    }
+  );
+  requireHook.resolve(
+    {
+      name: 'mongodb',
+      file: 'lib/operations/command.js',
+      version: '>=3.3.0',
+    },
+    (command, { version }) => {
+      if (semver.gte(version, '4.0.0')) {
+        return patcher.patch(command, {
+          name: 'mongodb.Command',
+          patchType: ASYNC_CONTEXT,
+          alwaysRun: true,
+          post: (data) => {
+            hookMethod(data.result, 'executeCommand', 'mongodb.Command');
+            hookMethod(data.result, 'execute', 'mongodb.Command');
+          },
+        });
+      }
+    }
+  );
+  requireHook.resolve(
+    { name: 'mongodb', file: 'lib/cursor.js', version: '>=3.3.0' },
+    (cursor, { version }) => {
+      if (semver.lt(version, '4.0.0')) {
+        return patcher.patch(cursor, {
+          name: 'mongodb.Cursor',
+          patchType: ASYNC_CONTEXT,
+          alwaysRun: true,
+          post: (data) => {
+            hookMethod(data.result, '_next', 'mongodb.Cursor');
+          },
+        });
+      }
+    }
   );
 }

package/lib/core/async-storage/index.js CHANGED Viewed

@@ -195,7 +195,7 @@ class AsyncStorage {
   }
   /**
-   * Retrives the active storage context from an error
+   * Retrieves the active storage context from an error
    * context is added to error when one is thrown
    * see: https://github.com/Jeff-Lewis/cls-hooked/blob/master/context.js#L101
    *

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.19.7",
+  "version": "4.20.0",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",