@contrast/agent 4.20.2 → 4.22.0

package/bin/VERSION

@@ -1 +1 @@
-2.28.20
+2.28.22

package/lib/assess/hapi/sources.js

@@ -28,7 +28,7 @@ class HapiAssessSources {
    * Handles emitting of all assess source events
    */
   registerSourcesHandler() {
-    agentEmitter.on(EVENTS.HAPI_PRE_HANDLER, ({ request }) => {
+    agentEmitter.on(EVENTS.HAPI_POST_AUTH, ({ request }) => {
       emitWatchableObjects(request);
     });
   }

package/lib/assess/policy/signatures.json

@@ -1000,6 +1000,12 @@
       "methodName": "isCreditCard",
       "isModule": true
     },
+    "validator.isDate": {
+      "moduleName": "validator",
+      "version": ">=13.0.0",
+      "methodName": "isDecimal",
+      "isModule": true
+    },
     "validator.isDecimal": {
       "moduleName": "validator",
       "version": ">=13.0.0",
@@ -1018,6 +1024,12 @@
       "methodName": "isEAN",
       "isModule": true
     },
+    "validator.isEmail": {
+      "moduleName": "validator",
+      "version": ">=13.0.0",
+      "methodName": "isEmail",
+      "isModule": true
+    },
     "validator.isEthereumAddress": {
       "moduleName": "validator",
       "version": ">=13.0.0",

package/lib/assess/propagators/validator/init-hooks.js

@@ -39,11 +39,11 @@ const agent = require('../../../agent');
  * https://docs.google.com/spreadsheets/d/17p5C6NOISNuWi8D-07d8gNg8byQytuwjtgBgzGpfU_w/edit#gid=0
  *
  */
-module.exports.handle = function() {
+module.exports.handle = function () {
   const {
     validators,
     untrackers,
-    sanitizers
+    sanitizers,
   } = require('./validator-methods.js');
 
   const patchType = PATCH_TYPES.ASSESS_PROPAGATOR;
@@ -62,7 +62,7 @@ module.exports.handle = function() {
     const patched = patcher.patch(obj, {
       name,
       patchType,
-      post
+      post,
     });
     // babel adds a self-referential default property so if present in the unpatched
     // object update the patched object
@@ -89,7 +89,12 @@ module.exports.handle = function() {
       { name: 'validator', file: `lib/${validator}` },
       (index, meta) => {
         function post(data) {
-          if (data.result && (validator !== 'matches' || (validator === 'matches' && agent.config.assess.trust_custom_validators))) {
+          if (
+            data.result &&
+            (validator !== 'matches' ||
+              (validator === 'matches' &&
+                agent.config.assess.trust_custom_validators))
+          ) {
             const trackingData = tracker.getData(data.args[0]);
             if (trackingData) {
               tagRangeUtil.addInPlace(
@@ -104,7 +109,7 @@ module.exports.handle = function() {
                 signature,
                 tagRanges: trackingData.tagRanges,
                 source: 'O',
-                target: 'R'
+                target: 'R',
               });
 
               event.parents.push(trackingData.event);
@@ -210,4 +215,38 @@ module.exports.handle = function() {
       }
     );
   }
+
+  moduleHook.resolve({ name: 'validator', file: 'lib/isEmail' }, (isEmail) => {
+    const signature = new Signature('validator.isEmail');
+
+    function post(data) {
+      const trackingData = tracker.getData(data.args[0]);
+      // The default options for the two fields of interest are:
+      // `{ allow_display_name: false, require_display_name: false }`
+      // so we can use an empty object as it will also yield
+      // falsy values for these two fields
+      const options = data.args[1] ? data.args[1] : {};
+      if (data.result && trackingData && !options.allow_display_name && !options.require_display_name) {
+        tagRangeUtil.addInPlace(
+          trackingData.tagRanges,
+          new TagRange(0, data.args[0].length - 1, 'limited-chars')
+        );
+        tagRangeUtil.removeInPlace(trackingData.tagRanges, ['untrusted']);
+
+        const context = new CallContext(data);
+        const event = new PropagationEvent({
+          context,
+          signature,
+          tagRanges: trackingData.tagRanges,
+          source: 'O',
+          target: 'R',
+        });
+
+        event.parents.push(trackingData.event);
+        trackingData.event = event;
+      }
+    }
+
+    return patch(isEmail, 'isEmail', post);
+  });
 };

package/lib/assess/propagators/validator/validator-methods.js

@@ -32,6 +32,7 @@ module.exports = {
     isBoolean: 'limited-chars',
     isBtcAddress: 'alphanum-space-hyphen',
     isCreditCard: 'limited-chars',
+    isDate: 'limited-chars',
     isDecimal: 'limited-chars',
     // calls toFloat() which calls isFloat() so no need to hook.
     //isDivisibleBy: 'limited-chars',
@@ -88,5 +89,10 @@ module.exports = {
     escape: 'html-encoded'
     // toFloat uses isFloat which is hooked, so no need to do so again
     // toFloat: 'limited-chars'
+  },
+  customLogic: {
+    // this value is not used and it's added just for storing the information
+    // about what's patched in one place
+    isEmail: 'limited-chars'
   }
 };

package/lib/core/hapi/index.js

@@ -42,6 +42,7 @@ const constants = {
     HAPI_ROUTES: 'hapi-routes', // used to instrument registered routes
     HAPI_ADD_ROUTE: 'hapi-add-route', // used to instrument adding a route
     HAPI_PRE_AUTH: 'hapi-pre-auth', // used to implement hapi onPreAuth hooks
+    HAPI_POST_AUTH: 'hapi-post-auth', // uses to implement hapi onPostAuth hooks
     HAPI_PRE_HANDLER: 'hapi-pre-handler', // used to implement hapi onPreHandler hooks
     HAPI_FINISHED: 'hapi-response-finished', // used to implement when hapi response is finished
     HAPI_PRE_RES: 'hapi-pre-response', // used to implement hapi onPreResponse hooks
@@ -162,12 +163,13 @@ class HapiCore {
       return h.continue;
     });
 
-    server.ext('onPreHandler', function onPreHandler(request, h) {
-      agentEmitter.emit(constants.EVENTS.HAPI_PRE_HANDLER, {
+    server.ext('onPostAuth', function onPostAuth(request, h) {
+      agentEmitter.emit(constants.EVENTS.HAPI_POST_AUTH, {
         request,
         h,
         server
       });
+
       // Update the domain's model of the request with body and params since it has been
       // fully parsed and validated
       decorateRequest({
@@ -176,6 +178,17 @@ class HapiCore {
         parameters: request.params,
         query: request.query
       });
+
+      return h.continue;
+    });
+
+    server.ext('onPreHandler', function onPreHandler(request, h) {
+      agentEmitter.emit(constants.EVENTS.HAPI_PRE_HANDLER, {
+        request,
+        h,
+        server
+      });
+
       return h.continue;
     });
 

package/lib/reporter/speedracer/index.js

@@ -16,7 +16,6 @@ Copyright: 2022 Contrast Security, Inc
 
 const cp = require('child_process');
 const fs = require('fs');
-const os = require('os');
 const path = require('path');
 // according to https://nodejs.org/api/process.html#process_process the process
 // global can be required.  We're only doing so here so we can mock it out in tests
@@ -37,6 +36,21 @@ const SuccessConnectionState = require('./success-connection-state');
 
 const RESEND_WAIT_MS = 100;
 
+/**
+ * We might have the /bin/* files in /target directory if we're in
+ * development. Packaged/installed agents will have the executables in a
+ * top-level directory, e.g. /node_modules/@contrast/agent/bin/*
+ * @returns {'target' | '.'}
+ */
+const maybeTargetDir = () => {
+  try {
+    fs.statSync(path.resolve(__dirname, '..', '..', '..', 'target'));
+    return 'target';
+  } catch (error) {
+    return '.';
+  }
+};
+
 class Speedracer {
   constructor({ agent, logger }) {
     this.agent = agent;
@@ -155,7 +169,35 @@ class Speedracer {
     this.logger.info('starting contrast-service');
     this.startTime = Date.now();
 
-    this.serviceProcess = cp.spawn(this.startCommand, this.startOptions);
+    const speedracerPath = path.resolve(
+      __dirname,
+      '..',
+      '..',
+      '..',
+      maybeTargetDir(),
+      'bin',
+      `contrast-service-${process.platform}-${process.arch}`
+    );
+
+    try {
+      fs.statSync(speedracerPath);
+    } catch (error) {
+      this.logger.error(
+        'unable to locate a speedracer binary for the current platform (%s) and architecture (%s)',
+        process.platform,
+        process.arch
+      );
+      return Promise.reject();
+    }
+
+    this.serviceProcess = cp.spawn(speedracerPath, {
+      env: {
+        ...process.env,
+        CONTRAST_CONFIG_PATH: this.agent.config.configFile
+      },
+      stdio: 'ignore',
+      windowsHide: true
+    });
 
     this.serviceProcess.on('error', (err) => {
       this.serviceProcess = null;
@@ -262,39 +304,6 @@ class Speedracer {
     }
   }
 
-  /**
-   * The start command for spawning the speedracer
-   */
-  get startCommand() {
-    return path.resolve(
-      __dirname,
-      path.join(
-        '..',
-        '..',
-        '..',
-        utils.maybeTargetDir(),
-        'bin',
-        utils.getOsDir(),
-        'contrast-service'
-      )
-    );
-  }
-
-  /**
-   * The start options for spawning the speedracer child process. We provide the
-   * service the location of our config file via environment variable.
-   */
-  get startOptions() {
-    return {
-      env: {
-        ...process.env,
-        CONTRAST_CONFIG_PATH: this.agent.config.configFile
-      },
-      stdio: 'ignore',
-      windowsHide: true
-    };
-  }
-
   /**
    * GRPC is enabled when `agent.service.grpc` is not false, e.g., undefined
    * defaults to enabled, and `agent.service.socket` is not configured
@@ -314,39 +323,4 @@ class Speedracer {
   }
 }
 
-const utils = {
-  /**
-   * We might have the /bin/* files in /target directory if we're in
-   * development. Packaged/installed agents will have the executables in a
-   * top-level directory, e.g. /node_modules/@contrast/agent/bin/*
-   * @returns {String}
-   */
-  maybeTargetDir() {
-    try {
-      fs.statSync(
-        path.resolve(__dirname, path.join('..', '..', '..', 'target'))
-      );
-      return 'target';
-    } catch (error) {
-      return '';
-    }
-  },
-  /**
-   * Map platform values to folder names based on OS. The folder names are
-   * determined by the packaging of the S-R artifacts and how they unzip.
-   * @returns {String}
-   */
-  getOsDir() {
-    switch (os.platform()) {
-      case 'linux':
-        return 'linux';
-      case 'darwin':
-        return 'mac';
-      case 'win32':
-        return 'windows';
-    }
-  }
-};
-
 module.exports = Speedracer;
-module.exports.utils = utils;

package/lib/util/heap-dump.js

@@ -12,51 +12,63 @@ Copyright: 2022 Contrast Security, Inc
   engineered, modified, repackaged, sold, redistributed or otherwise used in a
   way not consistent with the End User License Agreement.
 */
-const path = require('path');
+'use strict';
+
 const fs = require('fs');
+const path = require('path');
+const v8 = require('v8');
 const logger = require('../core/logger')('contrast:heapDump');
-const heapUtil = module.exports;
-let heapdump;
 
 /**
- * setup n heap dumps to be created every n seconds after n seconds.
+ * @param {string} localPath location from config.path
+ */
+const writeHeapSnapshot = function writeHeapSnapshot(localPath) {
+  const dumpPath = path.join(process.cwd(), localPath);
+
+  fs.mkdir(dumpPath, { recursive: true }, (err) => {
+    if (err) {
+      logger.error('Unable to create directory for heap snapshots: %o', err);
+      return;
+    }
+
+    // create dump at ${path}/${time}.heapdump
+    const filename = path.format({
+      dir: dumpPath,
+      name: `${Date.now()}-contrast`,
+      ext: '.heapsnapshot',
+    });
+
+    logger.info('Writing heap snapshot at %s', filename);
+    v8.writeHeapSnapshot(filename);
+  });
+};
+
+/**
+ * setup x heap dumps to be created every y seconds after z seconds.
  * @param {Object} config config blob from config/options.js
- *   must have: window_ms (Number), delay_ms (Number), dumpPath (String), count (Number)
+ * @param {boolean} config.enable
+ * @param {string} config.path
+ * @param {number} config.count x
+ * @param {number} config.window_ms y
+ * @param {number} config.delay_ms z
  */
-heapUtil.init = function(config) {
+const init = function init(config) {
   if (!config.enable) return;
-  // NODE-1200: make this optional based on if config
-  // bit is flipped
-  heapdump = require('@contrast/heapdump');
 
   setTimeout(() => {
     let count = 0;
-    const timeout = setInterval(() => {
+
+    const interval = setInterval(() => {
       if (count >= config.count) {
-        clearInterval(timeout);
+        clearInterval(interval);
         return;
       }
-      heapUtil.buildDump(config.path);
+
+      writeHeapSnapshot(config.path);
 
       count++;
     }, config.window_ms);
   }, config.delay_ms).unref();
 };
 
-heapUtil.buildDump = function(dumpPath) {
-  // create directory in cwd
-  dumpPath = `${path.join(process.cwd(), dumpPath)}`;
-  fs.mkdir(dumpPath, (err) => {
-    if (!err || (err && err.code == 'EEXIST')) {
-      // create dump at ${path}/${time}.heapdump
-      const fileName = `${path.join(
-        dumpPath,
-        String(Date.now())
-      )}-contrast.heapsnapshot`;
-      logger.info(`Building heap snapshot at ${fileName}`);
-      heapdump.writeSnapshot(fileName);
-    } else {
-      logger.error(`Unable to create directory for heap snapshots: ${err}`);
-    }
-  });
-};
+module.exports = { writeHeapSnapshot, init };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.20.2",
+  "version": "4.22.0",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",
@@ -76,13 +76,12 @@
     "@babel/template": "^7.10.4",
     "@babel/traverse": "^7.12.1",
     "@babel/types": "^7.12.1",
-    "@contrast/agent-lib": "^4.2.0",
-    "@contrast/distringuish-prebuilt": "^3.0.1",
+    "@contrast/agent-lib": "^4.3.0",
+    "@contrast/distringuish-prebuilt": "^3.2.0",
     "@contrast/flat": "^4.1.1",
-    "@contrast/fn-inspect": "^3.0.0",
-    "@contrast/heapdump": "^1.1.0",
+    "@contrast/fn-inspect": "^3.1.0",
     "@contrast/protobuf-api": "^3.2.5",
-    "@contrast/require-hook": "^3.0.0",
+    "@contrast/require-hook": "^3.2.1",
     "@contrast/synchronous-source-maps": "^1.1.0",
     "amqp-connection-manager": "^3.2.2",
     "amqplib": "^0.8.0",