npm - @contrast/agent - Versions diffs - 4.19.7 → 4.20.2 - Mend

@contrast/agent 4.19.7 → 4.20.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

package/lib/assess/policy/signatures.json +2 -2
package/lib/assess/sinks/mongodb.js +34 -40
package/lib/core/arch-components/mongodb.js +87 -29
package/lib/core/async-storage/hooks/mongodb.js +77 -25
package/lib/core/async-storage/index.js +1 -1
package/lib/libraries.js +1 -1
package/lib/list-installed.js +14 -20
package/node_modules/moment/CHANGELOG.md +13 -1
package/node_modules/moment/dist/locale/sr-cyrl.js +3 -2
package/node_modules/moment/dist/locale/sr.js +3 -2
package/node_modules/moment/dist/moment.js +3 -3
package/node_modules/moment/locale/sr-cyrl.js +3 -2
package/node_modules/moment/locale/sr.js +3 -2
package/node_modules/moment/min/locales.js +6 -4
package/node_modules/moment/min/locales.min.js +1 -1
package/node_modules/moment/min/locales.min.js.map +1 -1
package/node_modules/moment/min/moment-with-locales.js +8 -6
package/node_modules/moment/min/moment-with-locales.min.js +1 -1
package/node_modules/moment/min/moment-with-locales.min.js.map +1 -1
package/node_modules/moment/min/moment.min.js +1 -1
package/node_modules/moment/min/moment.min.js.map +1 -1
package/node_modules/moment/moment.js +3 -3
package/node_modules/moment/package.json +4 -4
package/node_modules/moment/src/lib/create/from-string.js +1 -1
package/node_modules/moment/src/locale/sr-cyrl.js +3 -2
package/node_modules/moment/src/locale/sr.js +3 -2
package/node_modules/moment/src/moment.js +2 -2
package/package.json +1 -1

package/lib/assess/policy/signatures.json CHANGED Viewed

@@ -215,13 +215,13 @@
     },
     "mongodb.Db.prototype.eval": {
       "moduleName": "mongodb",
-      "version": ">=3.5.0",
+      "version": ">=3.3.0",
       "methodName": "Db.prototype.eval",
       "isModule": true
     },
     "mongodb.Collection.prototype.rename": {
       "moduleName": "mongodb",
-      "version": ">=3.5.0",
+      "version": ">=3.3.0",
       "methodName": "Collection.prototype.rename",
       "isModule": true
     },

package/lib/assess/sinks/mongodb.js CHANGED Viewed

@@ -48,10 +48,11 @@ module.exports = ({ common }) => {
   const mongoSink = {};
   /**
-   * Methods to hook in Collection.prototype.
+   * Methods to hook in Collection.prototype
    * Collated and pruned from: Object.keys(mongodb.Collection.prototype)
+   * Some methods are deprecated in newer DATABASE versions
    */
-  mongoSink.collectionMethodsV3 = [
+  mongoSink.collectionMethods = [
     // XXX hooking these results in compilation issues; unsure why
     // 'collectionName',
     // 'namespace',
@@ -91,45 +92,36 @@ module.exports = ({ common }) => {
     // 'initializeOrderedBulkOp'
     // 'bulkWrite',
-    // 'insert',
-    'deleteMany',
-    'deleteOne',
     'find',
-    'findAndModify',
-    'findAndRemove',
     'findOne',
+    'findAndModify',
     'findOneAndDelete',
     'findOneAndReplace',
     'findOneAndUpdate',
+    'insert',
     'insertMany',
     'insertOne',
     'remove',
-    'removeMany',
     'removeOne',
     'replaceOne',
+    'removeMany',
     'save',
     'update',
+    'updateOne',
     'updateMany',
-    'updateOne'
+    'deleteOne',
+    'deleteMany',
   ];
-  mongoSink.collectionMethodsV4 = [
-    'deleteMany',
-    'deleteOne',
-    'find',
-    'findOne',
-    'findOneAndDelete',
+  // Collection of methods with the syntax: method(filter, doc, options);
+  // We should track and report unsafe inputs in both: `filter` and `doc`
+  const twoArgsCollectionMethods = [
     'findOneAndReplace',
     'findOneAndUpdate',
-    'insert',
-    'insertMany',
-    'insertOne',
-    'remove',
     'replaceOne',
-    'update',
-    'updateMany',
-    'updateOne'
+    'updateOne',
+    'updateMany'
   ];
   /**
@@ -144,6 +136,7 @@ module.exports = ({ common }) => {
           ...data,
           result: null
         });
         // events are prefixed with 'protect '
         ctxt.signature = data.name.split(' ')[1];
         Object.defineProperty(doc, '__contrastContext', {
@@ -169,8 +162,10 @@ module.exports = ({ common }) => {
   };
   mongoSink.collectionMethodPost = (data) => {
+    const method = data.hooked && data.hooked.name;
     try {
-      const doc = data.args[0];
+      let doc = data.args[0];
       if (!doc) {
         return;
@@ -183,7 +178,14 @@ module.exports = ({ common }) => {
       }
       const ctxt = getCallContext(contrastContext, data);
+      if (twoArgsCollectionMethods.indexOf(method) > -1) {
+        // Assess both args at once
+        doc = { filter: data.args[0], update: data.args[1] };
+      }
       mongoSink.assess(doc, ctxt);
     } catch (err) {
       logger.error(`Unable to perform post hook in ${data.name} %o`, err);
     }
@@ -287,13 +289,6 @@ module.exports = ({ common }) => {
   };
   mongoSink.handleVersion4 = (mongodb, version) => {
-    patcher.patch(mongodb.Collection.prototype, mongoSink.collectionMethodsV4, {
-      name: 'assess mongodb.Collection.prototype',
-      patchType: PATCH_TYPES.ASSESS_SINK,
-      pre: mongoSink.collectionMethodHandler,
-      post: mongoSink.collectionMethodPost
-    });
     patcher.patch(mongodb.Db.prototype, 'command', {
       name: 'assess mongodb.Db.prototype',
       patchType: PATCH_TYPES.ASSESS_SINK,
@@ -302,13 +297,6 @@ module.exports = ({ common }) => {
   };
   mongoSink.handleVersion3 = (mongodb, version) => {
-    patcher.patch(mongodb.Collection.prototype, mongoSink.collectionMethodsV3, {
-      name: 'assess mongodb.Collection.prototype',
-      patchType: PATCH_TYPES.ASSESS_SINK,
-      pre: mongoSink.collectionMethodHandler,
-      post: mongoSink.collectionMethodPost
-    });
     patcher.patch(
       mongodb.CoreServer.prototype,
       mongoSink.coreServerQueryMethods,
@@ -342,7 +330,15 @@ module.exports = ({ common }) => {
       return;
     }
+    // NPM package architectures are different between v3.x.x and v4.x.x
     requireHook.resolve({ name: 'mongodb' }, function(mongodb, { version }) {
+      patcher.patch(mongodb.Collection.prototype, mongoSink.collectionMethods, {
+        name: 'assess mongodb.Collection.prototype',
+        patchType: PATCH_TYPES.ASSESS_SINK,
+        pre: mongoSink.collectionMethodHandler,
+        post: mongoSink.collectionMethodPost
+      });
       if (semver.gte(version, '4.0.0')) {
         return mongoSink.handleVersion4(mongodb, version);
       }
@@ -358,9 +354,7 @@ module.exports = ({ common }) => {
  * It tries to get the context from the pre handler
  * See: mongoSink.collectionMethodHandler
  *
- * If it does not exists, it tries to create a call context
- * although it won't be great, it is something
- *
+ * If it does not exist, it tries to create a call context
  */
 function getCallContext(ctxt, data) {
   if (!ctxt) {

package/lib/core/arch-components/mongodb.js CHANGED Viewed

@@ -19,39 +19,97 @@ const { PATCH_TYPES } = require('../../constants');
 const ModuleHook = require('../../hooks/require');
 const patcher = require('../../hooks/patcher');
 const logger = require('../logger')('contrast:arch-component');
+const semver = require('semver');
 ModuleHook.resolve(
-  { name: 'mongodb', file: 'lib/mongo_client.js' },
-  (MongoClient) => {
-    patcher.patch(MongoClient.prototype, 'connect', {
-      name: 'MongoClient.connect.arch_component',
-      patchType: PATCH_TYPES.ARCH_COMPONENT,
-      alwaysRun: true,
-      post(ctx) {
-        if (!ctx.result || !ctx.result.then) {
-          return;
-        }
+  {
+    name: 'mongodb',
+    file: 'lib/mongo_client.js',
+    version: '>=3.3.0'
+  },
+  (MongoClient, { version }) => {
+    if (semver.lt(version, '4.0.0')) {
+      patcher.patch(MongoClient.prototype, 'connect', {
+        name: 'MongoClient.connect.arch_component',
+        patchType: PATCH_TYPES.ARCH_COMPONENT,
+        alwaysRun: true,
+        post(ctx) {
+          if (!ctx.result || !ctx.result.then) {
+            return;
+          }
-        // We should report only when connection is successful
-        ctx.result.then(function (client) {
-          try {
-            const { servers = [] } = ctx.obj.s && ctx.obj.s.options;
-            for (const server of servers) {
-              agentEmitter.emit('architectureComponent', {
-                vendor: 'MongoDB',
-                url: `mongodb://${server.host}:${server.port}`,
-                remoteHost: '',
-                remotePort: server.port,
-              });
+          // We should report only when connection is successful
+          ctx.result.then(function(client) {
+            try {
+              const { servers = [] } = ctx.obj.s && ctx.obj.s.options;
+              for (const server of servers) {
+                agentEmitter.emit('architectureComponent', {
+                  vendor: 'MongoDB',
+                  url: `mongodb://${server.host}:${server.port}`,
+                  remoteHost: '',
+                  remotePort: server.port,
+                });
+              }
+            } catch (err) {
+              logger.warn(
+                'unable to report MongoDB architecture component, err: %o',
+                err,
+              );
             }
-          } catch (err) {
-            logger.warn(
-              'unable to report MongoDB architecture component, err: %o',
-              err,
-            );
+          });
+        },
+      });
+    }
+  },
+);
+/* Architecture component for >= mongodb@4
+ * It's not limited in the require hook to >=4.0.0 because
+ * that would result in confusing logs for the customer that
+ * we don't support older versions (which is not true) */
+ModuleHook.resolve(
+  {
+    name: 'mongodb',
+    version: '>=3.3.0'
+  },
+  (MongoDB, { version }) => {
+    if (semver.gte(version, '4.0.0')) {
+      patcher.patch(MongoDB.MongoClient.prototype, 'connect', {
+        name: 'MongoClient.connect.arch_component',
+        patchType: PATCH_TYPES.ARCH_COMPONENT,
+        alwaysRun: true,
+        post(ctx) {
+          if (!ctx.result || !ctx.result.then) {
+            return;
           }
-        });
-      },
-    });
+          // We should report only when connection is successful
+          ctx.result.then(function(client) {
+            if (client && client.topology && client.topology.s) {
+              try {
+                const { servers } = client.topology.s;
+                for (const [, server] of servers) {
+                  if (server.s && server.s.state === 'connected') {
+                    const { srvServiceName } = server.s.options;
+                    const { address } = server.s.description;
+                    agentEmitter.emit('architectureComponent', {
+                      vendor: 'MongoDB',
+                      url: `${srvServiceName}://${address}`,
+                      remoteHost: '',
+                      remotePort: address.split(':').pop()
+                    });
+                  }
+                }
+              } catch (err) {
+                logger.warn(
+                  'unable to report MongoDB architecture component, err: %o',
+                  err,
+                );
+              }
+            }
+          });
+        },
+      });
+    }
   },
 );

package/lib/core/async-storage/hooks/mongodb.js CHANGED Viewed

@@ -20,6 +20,7 @@ const requireHook = require('../../../hooks/require');
 const resolveCallbackIdx = require('../../../util/callback-resolver');
 const patcher = require('../../../hooks/patcher');
 const utils = require('./utils');
+const semver = require('semver');
 /**
  * Hooks a method to properly bind to AsyncStorage
@@ -35,10 +36,11 @@ function hookMethod(obj, method, patchName) {
     pre: (data) => {
       const { args, funcKey: identifier } = data;
       const idx = resolveCallbackIdx(data.args);
       if (idx >= 0) {
         utils.bindFnArgAtIndex({ args, idx, identifier });
       }
-    }
+    },
   });
 }
@@ -70,34 +72,84 @@ function init() {
   requireHook.resolve(
     {
       name: 'mongodb',
-      file: 'lib/topologies/server.js',
-      version: '>=3.3.0 <4.0.0'
+      file: 'lib/topologies/topology_base.js',
+      version: '>=3.3.0',
     },
-    (server) =>
-      patcher.patch(server, {
-        name: 'mongodb.Server',
-        patchType: ASYNC_CONTEXT,
-        alwaysRun: true,
-        post: (data) => {
-          const methods = ['command', 'insert', 'update', 'remove'];
-          for (const method of methods) {
-            hookMethod(data.result, method, 'mongodb.Server');
-          }
-        }
-      })
+    (tpl, { version }) => {
+      if (semver.lt(version, '4.0.0')) {
+        return patcher.patch(tpl, 'TopologyBase', {
+          name: 'mongodb.TopologyBase',
+          patchType: ASYNC_CONTEXT,
+          alwaysRun: true,
+          post: (data) => {
+            const methods = ['command', 'insert', 'update', 'remove'];
+            for (const method of methods) {
+              hookMethod(data.result, method, 'mongodb.TopologyBase');
+            }
+          },
+        });
+      }
+    }
   );
   requireHook.resolve(
-    { name: 'mongodb', file: 'lib/cursor.js', version: '>=3.3.0 <4.0.0' },
-    (cursor) =>
-      patcher.patch(cursor, {
-        name: 'mongodb.Cursor',
-        patchType: ASYNC_CONTEXT,
-        alwaysRun: true,
-        post: (data) => {
-          hookMethod(data.result, '_next', 'mongodb.Cursor');
-        }
-      })
+    {
+      name: 'mongodb',
+      file: 'lib/topologies/native_topology.js',
+      version: '>=3.3.0',
+    },
+    (tpl, { version }) => {
+      if (semver.lt(version, '4.0.0')) {
+        return patcher.patch(tpl, {
+          name: 'mongodb.NativeTopology',
+          patchType: ASYNC_CONTEXT,
+          alwaysRun: true,
+          post: (data) => {
+            const methods = ['command', 'insert', 'update', 'remove'];
+            for (const method of methods) {
+              hookMethod(data.result, method, 'mongodb.NativeTopology');
+            }
+          },
+        });
+      }
+    }
+  );
+  requireHook.resolve(
+    {
+      name: 'mongodb',
+      file: 'lib/operations/command.js',
+      version: '>=3.3.0',
+    },
+    (command, { version }) => {
+      if (semver.gte(version, '4.0.0')) {
+        return patcher.patch(command, {
+          name: 'mongodb.Command',
+          patchType: ASYNC_CONTEXT,
+          alwaysRun: true,
+          post: (data) => {
+            hookMethod(data.result, 'executeCommand', 'mongodb.Command');
+            hookMethod(data.result, 'execute', 'mongodb.Command');
+          },
+        });
+      }
+    }
+  );
+  requireHook.resolve(
+    { name: 'mongodb', file: 'lib/cursor.js', version: '>=3.3.0' },
+    (cursor, { version }) => {
+      if (semver.lt(version, '4.0.0')) {
+        return patcher.patch(cursor, {
+          name: 'mongodb.Cursor',
+          patchType: ASYNC_CONTEXT,
+          alwaysRun: true,
+          post: (data) => {
+            hookMethod(data.result, '_next', 'mongodb.Cursor');
+          },
+        });
+      }
+    }
   );
 }

package/lib/core/async-storage/index.js CHANGED Viewed

@@ -195,7 +195,7 @@ class AsyncStorage {
   }
   /**
-   * Retrives the active storage context from an error
+   * Retrieves the active storage context from an error
    * context is added to error when one is thrown
    * see: https://github.com/Jeff-Lewis/cls-hooked/blob/master/context.js#L101
    *

package/lib/libraries.js CHANGED Viewed

@@ -164,7 +164,7 @@ const getLibInfo = async (agent, eluEnabled) =>
       return libs;
     } catch (err) {
-      logger.error('unable to read installed dependencies. %o', err);
+      logger.error('unable to read installed dependencies: %o', err);
       return AppUpdate.libraries;
     }
   }, DEADZONE_NAME);

package/lib/list-installed.js CHANGED Viewed

@@ -18,7 +18,7 @@ const semver = require('semver');
 const util = require('util');
 const {
-  AGENT_INFO: { SUPPORTED_NPM_VERSIONS }
+  AGENT_INFO: { SUPPORTED_NPM_VERSIONS },
 } = require('./constants');
 const VERSION_REGEX = /^npm@(\S+)\s+(\S+)$/m;
@@ -39,19 +39,18 @@ const execFile = util.promisify(require('child_process').execFile);
  * @returns {Promise<Result>}
  */
 module.exports = async function listInstalled(cwd, logger) {
-  const env = { ...process.env, NODE_OPTIONS: undefined };
-  const args = ['ls', '--json', '--prod', '--long'];
+  const execFileOpts = {
+    cwd,
+    env: { ...process.env, NODE_OPTIONS: undefined },
+    maxBuffer: 1024 * 1024 * 128,
+  };
   let stdout;
   try {
-    const result = await execFile('npm', ['help'], {
-      cwd,
-      env,
-      shell: true,
-    });
+    const result = await execFile('npm', ['help'], execFileOpts);
     stdout = result.stdout;
   } catch (err) {
-    logger.debug('`npm` returned an error: %o', err);
+    logger.trace('`npm help` returned an error: %o', err);
     // If npm encounters any errors whatsoever it will return with a non-zero
     // exit code but still output the relevant information to stdout.
     // If an even worse error occurs, we may not be able to parse stdout.
@@ -61,12 +60,13 @@ module.exports = async function listInstalled(cwd, logger) {
   const [, version, location] = stdout.match(VERSION_REGEX) || [];
   if (!version)
     throw new Error(
-      'Unable to locate `npm`. Please enable debug level logs for more information.'
+      "Unable to locate `npm`. `npm` is required for your application's libraries to be reported to Contrast for analysis. Please enable debug level logs for more information."
     );
   logger.debug('using npm version %s at %s', version, location);
-  if (semver.gte(version, '7.0.0')) args.push('--all');
+  const lsArgs = ['ls', '--json', '--long'];
+  if (semver.gte(version, '7.0.0')) lsArgs.push('--all');
   if (!semver.satisfies(version, SUPPORTED_NPM_VERSIONS))
     logger.warn(
       'The installed version of npm (%s at %s) can cause unexpected behavior. Please install a version that satisfies %s',
@@ -76,16 +76,10 @@ module.exports = async function listInstalled(cwd, logger) {
     );
   try {
-    const result = await execFile('npm', args, {
-      cwd,
-      env,
-      shell: true,
-      maxBuffer: 1024 * 1024 * 128,
-    });
+    const result = await execFile('npm', lsArgs, execFileOpts);
     stdout = result.stdout;
   } catch (err) {
-    logger.debug('`npm ls` returned an error: %o', err);
+    logger.trace('`npm ls` returned an error: %o', err);
     stdout = err.stdout || '';
   }
@@ -94,7 +88,7 @@ module.exports = async function listInstalled(cwd, logger) {
   } catch (err) {
     logger.trace('parsing the output of `npm ls` failed: %o', err);
     throw new Error(
-      '`npm ls` failed to provide a list of installed dependencies. Please enable debug level logs for more information.'
+      '`npm ls` failed to provide a list of installed dependencies. Please enable trace level logs for more information.'
     );
   }
 };

package/node_modules/moment/CHANGELOG.md CHANGED Viewed

@@ -1,11 +1,23 @@
 Changelog
 =========
+### 2.29.4
+* Release Jul 6, 2022
+  * [#6015](https://github.com/moment/moment/pull/6015) [bugfix] Fix ReDoS in preprocessRFC2822 regex
+### 2.29.3 [Full changelog](https://gist.github.com/ichernev/edebd440f49adcaec72e5e77b791d8be)
+* Release Apr 17, 2022
+  * [#5995](https://github.com/moment/moment/pull/5995) [bugfix] Remove const usage
+  * [#5990](https://github.com/moment/moment/pull/5990) misc: fix advisory link
 ### 2.29.2 [See full changelog](https://gist.github.com/ichernev/1904b564f6679d9aac1ae08ce13bc45c)
 * Release Apr 3 2022
-Address https://github.com/advisories/GHSA-8hfj-j24r-96c4
+Address https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4
 ### 2.29.1 [See full changelog](https://gist.github.com/marwahaha/cc478ba01a1292ab4bd4e861d164d99b)

package/node_modules/moment/dist/locale/sr-cyrl.js CHANGED Viewed

@@ -31,7 +31,8 @@ var translator = {
         return wordKey[2];
     },
     translate: function (number, withoutSuffix, key, isFuture) {
-        var wordKey = translator.words[key];
+        var wordKey = translator.words[key],
+            word;
         if (key.length === 1) {
             // Nominativ
@@ -39,7 +40,7 @@ var translator = {
             return isFuture || withoutSuffix ? wordKey[0] : wordKey[1];
         }
-        const word = translator.correctGrammaticalCase(number, wordKey);
+        word = translator.correctGrammaticalCase(number, wordKey);
         // Nominativ
         if (key === 'yy' && withoutSuffix && word === 'годину') {
             return number + ' година';

package/node_modules/moment/dist/locale/sr.js CHANGED Viewed

@@ -31,7 +31,8 @@ var translator = {
         return wordKey[2];
     },
     translate: function (number, withoutSuffix, key, isFuture) {
-        var wordKey = translator.words[key];
+        var wordKey = translator.words[key],
+            word;
         if (key.length === 1) {
             // Nominativ
@@ -39,7 +40,7 @@ var translator = {
             return isFuture || withoutSuffix ? wordKey[0] : wordKey[1];
         }
-        const word = translator.correctGrammaticalCase(number, wordKey);
+        word = translator.correctGrammaticalCase(number, wordKey);
         // Nominativ
         if (key === 'yy' && withoutSuffix && word === 'godinu') {
             return number + ' godina';

package/node_modules/moment/dist/moment.js CHANGED Viewed

@@ -1,5 +1,5 @@
 //! moment.js
-//! version : 2.29.2
+//! version : 2.29.4
 //! authors : Tim Wood, Iskren Chernev, Moment.js contributors
 //! license : MIT
 //! momentjs.com
@@ -2448,7 +2448,7 @@ function untruncateYear(yearStr) {
 function preprocessRFC2822(s) {
     // Remove comments and folding whitespace and replace multiple-spaces with a single space
     return s
-        .replace(/\([^)]*\)|[\n\t]/g, ' ')
+        .replace(/\([^()]*\)|[\n\t]/g, ' ')
         .replace(/(\s\s+)/g, ' ')
         .replace(/^\s\s*/, '')
         .replace(/\s\s*$/, '');
@@ -5629,7 +5629,7 @@ addParseToken('x', function (input, array, config) {
 //! moment.js
-hooks.version = '2.29.2';
+hooks.version = '2.29.4';
 setHookCallback(createLocal);

package/node_modules/moment/locale/sr-cyrl.js CHANGED Viewed

@@ -38,7 +38,8 @@
             return wordKey[2];
         },
         translate: function (number, withoutSuffix, key, isFuture) {
-            var wordKey = translator.words[key];
+            var wordKey = translator.words[key],
+                word;
             if (key.length === 1) {
                 // Nominativ
@@ -46,7 +47,7 @@
                 return isFuture || withoutSuffix ? wordKey[0] : wordKey[1];
             }
-            const word = translator.correctGrammaticalCase(number, wordKey);
+            word = translator.correctGrammaticalCase(number, wordKey);
             // Nominativ
             if (key === 'yy' && withoutSuffix && word === 'годину') {
                 return number + ' година';

package/node_modules/moment/locale/sr.js CHANGED Viewed

@@ -38,7 +38,8 @@
             return wordKey[2];
         },
         translate: function (number, withoutSuffix, key, isFuture) {
-            var wordKey = translator.words[key];
+            var wordKey = translator.words[key],
+                word;
             if (key.length === 1) {
                 // Nominativ
@@ -46,7 +47,7 @@
                 return isFuture || withoutSuffix ? wordKey[0] : wordKey[1];
             }
-            const word = translator.correctGrammaticalCase(number, wordKey);
+            word = translator.correctGrammaticalCase(number, wordKey);
             // Nominativ
             if (key === 'yy' && withoutSuffix && word === 'godinu') {
                 return number + ' godina';