@contrast/agent 4.20.0 → 4.21.0

package/lib/assess/hapi/sources.js

@@ -28,7 +28,7 @@ class HapiAssessSources {
    * Handles emitting of all assess source events
    */
   registerSourcesHandler() {
-    agentEmitter.on(EVENTS.HAPI_PRE_HANDLER, ({ request }) => {
+    agentEmitter.on(EVENTS.HAPI_POST_AUTH, ({ request }) => {
       emitWatchableObjects(request);
     });
   }

package/lib/assess/policy/signatures.json

@@ -1000,6 +1000,12 @@
       "methodName": "isCreditCard",
       "isModule": true
     },
+    "validator.isDate": {
+      "moduleName": "validator",
+      "version": ">=13.0.0",
+      "methodName": "isDecimal",
+      "isModule": true
+    },
     "validator.isDecimal": {
       "moduleName": "validator",
       "version": ">=13.0.0",
@@ -1018,6 +1024,12 @@
       "methodName": "isEAN",
       "isModule": true
     },
+    "validator.isEmail": {
+      "moduleName": "validator",
+      "version": ">=13.0.0",
+      "methodName": "isEmail",
+      "isModule": true
+    },
     "validator.isEthereumAddress": {
       "moduleName": "validator",
       "version": ">=13.0.0",

package/lib/assess/propagators/validator/init-hooks.js

@@ -39,11 +39,11 @@ const agent = require('../../../agent');
  * https://docs.google.com/spreadsheets/d/17p5C6NOISNuWi8D-07d8gNg8byQytuwjtgBgzGpfU_w/edit#gid=0
  *
  */
-module.exports.handle = function() {
+module.exports.handle = function () {
   const {
     validators,
     untrackers,
-    sanitizers
+    sanitizers,
   } = require('./validator-methods.js');
 
   const patchType = PATCH_TYPES.ASSESS_PROPAGATOR;
@@ -62,7 +62,7 @@ module.exports.handle = function() {
     const patched = patcher.patch(obj, {
       name,
       patchType,
-      post
+      post,
     });
     // babel adds a self-referential default property so if present in the unpatched
     // object update the patched object
@@ -89,7 +89,12 @@ module.exports.handle = function() {
       { name: 'validator', file: `lib/${validator}` },
       (index, meta) => {
         function post(data) {
-          if (data.result && (validator !== 'matches' || (validator === 'matches' && agent.config.assess.trust_custom_validators))) {
+          if (
+            data.result &&
+            (validator !== 'matches' ||
+              (validator === 'matches' &&
+                agent.config.assess.trust_custom_validators))
+          ) {
             const trackingData = tracker.getData(data.args[0]);
             if (trackingData) {
               tagRangeUtil.addInPlace(
@@ -104,7 +109,7 @@ module.exports.handle = function() {
                 signature,
                 tagRanges: trackingData.tagRanges,
                 source: 'O',
-                target: 'R'
+                target: 'R',
               });
 
               event.parents.push(trackingData.event);
@@ -210,4 +215,38 @@ module.exports.handle = function() {
       }
     );
   }
+
+  moduleHook.resolve({ name: 'validator', file: 'lib/isEmail' }, (isEmail) => {
+    const signature = new Signature('validator.isEmail');
+
+    function post(data) {
+      const trackingData = tracker.getData(data.args[0]);
+      // The default options for the two fields of interest are:
+      // `{ allow_display_name: false, require_display_name: false }`
+      // so we can use an empty object as it will also yield
+      // falsy values for these two fields
+      const options = data.args[1] ? data.args[1] : {};
+      if (data.result && trackingData && !options.allow_display_name && !options.require_display_name) {
+        tagRangeUtil.addInPlace(
+          trackingData.tagRanges,
+          new TagRange(0, data.args[0].length - 1, 'limited-chars')
+        );
+        tagRangeUtil.removeInPlace(trackingData.tagRanges, ['untrusted']);
+
+        const context = new CallContext(data);
+        const event = new PropagationEvent({
+          context,
+          signature,
+          tagRanges: trackingData.tagRanges,
+          source: 'O',
+          target: 'R',
+        });
+
+        event.parents.push(trackingData.event);
+        trackingData.event = event;
+      }
+    }
+
+    return patch(isEmail, 'isEmail', post);
+  });
 };

package/lib/assess/propagators/validator/validator-methods.js

@@ -32,6 +32,7 @@ module.exports = {
     isBoolean: 'limited-chars',
     isBtcAddress: 'alphanum-space-hyphen',
     isCreditCard: 'limited-chars',
+    isDate: 'limited-chars',
     isDecimal: 'limited-chars',
     // calls toFloat() which calls isFloat() so no need to hook.
     //isDivisibleBy: 'limited-chars',
@@ -88,5 +89,10 @@ module.exports = {
     escape: 'html-encoded'
     // toFloat uses isFloat which is hooked, so no need to do so again
     // toFloat: 'limited-chars'
+  },
+  customLogic: {
+    // this value is not used and it's added just for storing the information
+    // about what's patched in one place
+    isEmail: 'limited-chars'
   }
 };

package/lib/core/async-storage/hooks/mongodb.js

@@ -96,7 +96,7 @@ function init() {
     {
       name: 'mongodb',
       file: 'lib/topologies/native_topology.js',
-      version: '>=3.3.0 <4.0.0',
+      version: '>=3.3.0',
     },
     (tpl, { version }) => {
       if (semver.lt(version, '4.0.0')) {

package/lib/core/hapi/index.js

@@ -42,6 +42,7 @@ const constants = {
     HAPI_ROUTES: 'hapi-routes', // used to instrument registered routes
     HAPI_ADD_ROUTE: 'hapi-add-route', // used to instrument adding a route
     HAPI_PRE_AUTH: 'hapi-pre-auth', // used to implement hapi onPreAuth hooks
+    HAPI_POST_AUTH: 'hapi-post-auth', // uses to implement hapi onPostAuth hooks
     HAPI_PRE_HANDLER: 'hapi-pre-handler', // used to implement hapi onPreHandler hooks
     HAPI_FINISHED: 'hapi-response-finished', // used to implement when hapi response is finished
     HAPI_PRE_RES: 'hapi-pre-response', // used to implement hapi onPreResponse hooks
@@ -162,12 +163,13 @@ class HapiCore {
       return h.continue;
     });
 
-    server.ext('onPreHandler', function onPreHandler(request, h) {
-      agentEmitter.emit(constants.EVENTS.HAPI_PRE_HANDLER, {
+    server.ext('onPostAuth', function onPostAuth(request, h) {
+      agentEmitter.emit(constants.EVENTS.HAPI_POST_AUTH, {
         request,
         h,
         server
       });
+
       // Update the domain's model of the request with body and params since it has been
       // fully parsed and validated
       decorateRequest({
@@ -176,6 +178,17 @@ class HapiCore {
         parameters: request.params,
         query: request.query
       });
+
+      return h.continue;
+    });
+
+    server.ext('onPreHandler', function onPreHandler(request, h) {
+      agentEmitter.emit(constants.EVENTS.HAPI_PRE_HANDLER, {
+        request,
+        h,
+        server
+      });
+
       return h.continue;
     });
 

package/lib/libraries.js

@@ -164,7 +164,7 @@ const getLibInfo = async (agent, eluEnabled) =>
 
       return libs;
     } catch (err) {
-      logger.error('unable to read installed dependencies. %o', err);
+      logger.error('unable to read installed dependencies: %o', err);
       return AppUpdate.libraries;
     }
   }, DEADZONE_NAME);

package/lib/list-installed.js

@@ -18,7 +18,7 @@ const semver = require('semver');
 const util = require('util');
 
 const {
-  AGENT_INFO: { SUPPORTED_NPM_VERSIONS }
+  AGENT_INFO: { SUPPORTED_NPM_VERSIONS },
 } = require('./constants');
 
 const VERSION_REGEX = /^npm@(\S+)\s+(\S+)$/m;
@@ -39,19 +39,18 @@ const execFile = util.promisify(require('child_process').execFile);
  * @returns {Promise<Result>}
  */
 module.exports = async function listInstalled(cwd, logger) {
-  const env = { ...process.env, NODE_OPTIONS: undefined };
-  const args = ['ls', '--json', '--prod', '--long'];
+  const execFileOpts = {
+    cwd,
+    env: { ...process.env, NODE_OPTIONS: undefined },
+    maxBuffer: 1024 * 1024 * 128,
+  };
   let stdout;
 
   try {
-    const result = await execFile('npm', ['help'], {
-      cwd,
-      env,
-      shell: true,
-    });
+    const result = await execFile('npm', ['help'], execFileOpts);
     stdout = result.stdout;
   } catch (err) {
-    logger.debug('`npm` returned an error: %o', err);
+    logger.trace('`npm help` returned an error: %o', err);
     // If npm encounters any errors whatsoever it will return with a non-zero
     // exit code but still output the relevant information to stdout.
     // If an even worse error occurs, we may not be able to parse stdout.
@@ -61,12 +60,13 @@ module.exports = async function listInstalled(cwd, logger) {
   const [, version, location] = stdout.match(VERSION_REGEX) || [];
   if (!version)
     throw new Error(
-      'Unable to locate `npm`. Please enable debug level logs for more information.'
+      "Unable to locate `npm`. `npm` is required for your application's libraries to be reported to Contrast for analysis. Please enable debug level logs for more information."
     );
 
   logger.debug('using npm version %s at %s', version, location);
 
-  if (semver.gte(version, '7.0.0')) args.push('--all');
+  const lsArgs = ['ls', '--json', '--long'];
+  if (semver.gte(version, '7.0.0')) lsArgs.push('--all');
   if (!semver.satisfies(version, SUPPORTED_NPM_VERSIONS))
     logger.warn(
       'The installed version of npm (%s at %s) can cause unexpected behavior. Please install a version that satisfies %s',
@@ -76,16 +76,10 @@ module.exports = async function listInstalled(cwd, logger) {
     );
 
   try {
-    const result = await execFile('npm', args, {
-      cwd,
-      env,
-      shell: true,
-      maxBuffer: 1024 * 1024 * 128,
-    });
-
+    const result = await execFile('npm', lsArgs, execFileOpts);
     stdout = result.stdout;
   } catch (err) {
-    logger.debug('`npm ls` returned an error: %o', err);
+    logger.trace('`npm ls` returned an error: %o', err);
     stdout = err.stdout || '';
   }
 
@@ -94,7 +88,7 @@ module.exports = async function listInstalled(cwd, logger) {
   } catch (err) {
     logger.trace('parsing the output of `npm ls` failed: %o', err);
     throw new Error(
-      '`npm ls` failed to provide a list of installed dependencies. Please enable debug level logs for more information.'
+      '`npm ls` failed to provide a list of installed dependencies. Please enable trace level logs for more information.'
     );
   }
 };

package/node_modules/moment/CHANGELOG.md

@@ -1,11 +1,23 @@
 Changelog
 =========
 
+### 2.29.4
+
+* Release Jul 6, 2022
+  * [#6015](https://github.com/moment/moment/pull/6015) [bugfix] Fix ReDoS in preprocessRFC2822 regex
+
+### 2.29.3 [Full changelog](https://gist.github.com/ichernev/edebd440f49adcaec72e5e77b791d8be)
+
+* Release Apr 17, 2022
+  * [#5995](https://github.com/moment/moment/pull/5995) [bugfix] Remove const usage
+  * [#5990](https://github.com/moment/moment/pull/5990) misc: fix advisory link
+
+
 ### 2.29.2 [See full changelog](https://gist.github.com/ichernev/1904b564f6679d9aac1ae08ce13bc45c)
 
 * Release Apr 3 2022
 
-Address https://github.com/advisories/GHSA-8hfj-j24r-96c4
+Address https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4
 
 ### 2.29.1 [See full changelog](https://gist.github.com/marwahaha/cc478ba01a1292ab4bd4e861d164d99b)
 

package/node_modules/moment/dist/locale/sr-cyrl.js

@@ -31,7 +31,8 @@ var translator = {
         return wordKey[2];
     },
     translate: function (number, withoutSuffix, key, isFuture) {
-        var wordKey = translator.words[key];
+        var wordKey = translator.words[key],
+            word;
 
         if (key.length === 1) {
             // Nominativ
@@ -39,7 +40,7 @@ var translator = {
             return isFuture || withoutSuffix ? wordKey[0] : wordKey[1];
         }
 
-        const word = translator.correctGrammaticalCase(number, wordKey);
+        word = translator.correctGrammaticalCase(number, wordKey);
         // Nominativ
         if (key === 'yy' && withoutSuffix && word === 'годину') {
             return number + ' година';

package/node_modules/moment/dist/locale/sr.js

@@ -31,7 +31,8 @@ var translator = {
         return wordKey[2];
     },
     translate: function (number, withoutSuffix, key, isFuture) {
-        var wordKey = translator.words[key];
+        var wordKey = translator.words[key],
+            word;
 
         if (key.length === 1) {
             // Nominativ
@@ -39,7 +40,7 @@ var translator = {
             return isFuture || withoutSuffix ? wordKey[0] : wordKey[1];
         }
 
-        const word = translator.correctGrammaticalCase(number, wordKey);
+        word = translator.correctGrammaticalCase(number, wordKey);
         // Nominativ
         if (key === 'yy' && withoutSuffix && word === 'godinu') {
             return number + ' godina';

package/node_modules/moment/dist/moment.js

@@ -1,5 +1,5 @@
 //! moment.js
-//! version : 2.29.2
+//! version : 2.29.4
 //! authors : Tim Wood, Iskren Chernev, Moment.js contributors
 //! license : MIT
 //! momentjs.com
@@ -2448,7 +2448,7 @@ function untruncateYear(yearStr) {
 function preprocessRFC2822(s) {
     // Remove comments and folding whitespace and replace multiple-spaces with a single space
     return s
-        .replace(/\([^)]*\)|[\n\t]/g, ' ')
+        .replace(/\([^()]*\)|[\n\t]/g, ' ')
         .replace(/(\s\s+)/g, ' ')
         .replace(/^\s\s*/, '')
         .replace(/\s\s*$/, '');
@@ -5629,7 +5629,7 @@ addParseToken('x', function (input, array, config) {
 
 //! moment.js
 
-hooks.version = '2.29.2';
+hooks.version = '2.29.4';
 
 setHookCallback(createLocal);
 

package/node_modules/moment/locale/sr-cyrl.js

@@ -38,7 +38,8 @@
             return wordKey[2];
         },
         translate: function (number, withoutSuffix, key, isFuture) {
-            var wordKey = translator.words[key];
+            var wordKey = translator.words[key],
+                word;
 
             if (key.length === 1) {
                 // Nominativ
@@ -46,7 +47,7 @@
                 return isFuture || withoutSuffix ? wordKey[0] : wordKey[1];
             }
 
-            const word = translator.correctGrammaticalCase(number, wordKey);
+            word = translator.correctGrammaticalCase(number, wordKey);
             // Nominativ
             if (key === 'yy' && withoutSuffix && word === 'годину') {
                 return number + ' година';

package/node_modules/moment/locale/sr.js

@@ -38,7 +38,8 @@
             return wordKey[2];
         },
         translate: function (number, withoutSuffix, key, isFuture) {
-            var wordKey = translator.words[key];
+            var wordKey = translator.words[key],
+                word;
 
             if (key.length === 1) {
                 // Nominativ
@@ -46,7 +47,7 @@
                 return isFuture || withoutSuffix ? wordKey[0] : wordKey[1];
             }
 
-            const word = translator.correctGrammaticalCase(number, wordKey);
+            word = translator.correctGrammaticalCase(number, wordKey);
             // Nominativ
             if (key === 'yy' && withoutSuffix && word === 'godinu') {
                 return number + ' godina';

package/node_modules/moment/min/locales.js

@@ -10097,7 +10097,8 @@
             return wordKey[2];
         },
         translate: function (number, withoutSuffix, key, isFuture) {
-            var wordKey = translator$1.words[key];
+            var wordKey = translator$1.words[key],
+                word;
 
             if (key.length === 1) {
                 // Nominativ
@@ -10105,7 +10106,7 @@
                 return isFuture || withoutSuffix ? wordKey[0] : wordKey[1];
             }
 
-            const word = translator$1.correctGrammaticalCase(number, wordKey);
+            word = translator$1.correctGrammaticalCase(number, wordKey);
             // Nominativ
             if (key === 'yy' && withoutSuffix && word === 'годину') {
                 return number + ' година';
@@ -10219,7 +10220,8 @@
             return wordKey[2];
         },
         translate: function (number, withoutSuffix, key, isFuture) {
-            var wordKey = translator$2.words[key];
+            var wordKey = translator$2.words[key],
+                word;
 
             if (key.length === 1) {
                 // Nominativ
@@ -10227,7 +10229,7 @@
                 return isFuture || withoutSuffix ? wordKey[0] : wordKey[1];
             }
 
-            const word = translator$2.correctGrammaticalCase(number, wordKey);
+            word = translator$2.correctGrammaticalCase(number, wordKey);
             // Nominativ
             if (key === 'yy' && withoutSuffix && word === 'godinu') {
                 return number + ' godina';