@contrast/agent 4.21.1 → 4.23.0

package/bin/VERSION

@@ -1 +1 @@
-2.28.20
+2.28.22

package/lib/assess/models/call-context.js

@@ -103,18 +103,25 @@ module.exports = class CallContext {
     return !!(str && typeof str === 'object' && str[PROXY_TARGET]);
   }
 
-  static getDisplayRange(arg) {
+  static getDisplayRange(arg, orgArg = arg, iteration = 0) {
     if (tracker.getData(arg)) {
       return new TagRange(0, arg.length - 1, 'untrusted');
     }
 
     if (arg && typeof arg === 'object') {
       for (const key in arg) {
+        if (arg[key] && typeof arg[key] === 'object' && iteration < 5) {
+          const nestedDisplayRange = CallContext.getDisplayRange(arg[key], orgArg, iteration += 1);
+          if (!_.isEmpty(nestedDisplayRange)) {
+            return nestedDisplayRange;
+          }
+        }
         const trackedData = tracker.getData(arg[key]);
-        if (trackedData) {
+        if (trackedData && trackedData.tagRanges.length > 0) {
           const { start, stop } = trackedData.tagRanges[0];
+          const offset = Array.isArray(orgArg) ? 2 : 0;
           const taintedString = arg[key].substring(start, stop + 1);
-          const taintRangeStart = CallContext.valueString(arg).indexOf(taintedString);
+          const taintRangeStart = CallContext.valueString(orgArg).indexOf(taintedString) + offset;
           if (taintRangeStart === -1) {
             // If tracked string is not in the abbreviated stringified obj, disable highlighting
             return new TagRange(0, 0, 'disable-highlighting');
@@ -178,9 +185,9 @@ module.exports = class CallContext {
       return value.toString();
     }
 
-    const constructorName = _.get(value, 'constructor.name', 'null');
+    const type = _.get(value, 'constructor.name', 'null');
 
-    if (constructorName === 'Object' && value) {
+    if ((type === 'Object' || type === 'Array') && value) {
       // make string representation uniform with no new lines and consistent spaces
       let str = util
         .inspect(value)
@@ -192,7 +199,7 @@ module.exports = class CallContext {
 
       return str;
     }
-    return constructorName;
+    return type;
   }
 };
 

package/lib/assess/propagators/JSON/stringify.js

@@ -331,7 +331,9 @@ module.exports.handle = function() {
       // always exist, even if an empty array, for production code.
       if (metadata.sourceEvents && !metadata.sourceEvents.length) {
         const { sourceEvents, braned } = data.metadata;
-        if (braned) {
+        // If it is a source membrane (could be deserialization membrane), then
+        // we need to get a source event.
+        if (braned && braned.membrane && braned.membrane.makeReqSourceEvent) {
           sourceEvents.push(
             braned.membrane.makeReqSourceEvent(data.result.length)
           );

package/lib/assess/sinks/dynamo.js

@@ -37,7 +37,6 @@ const requiredTags = ['untrusted'];
 const trackSchemaCommands = {
   'scan': {
     attributes: [
-      'ExpressionAttributeValues',
       'ExclusiveStartKey',
       'ScanFilter'
     ]

package/lib/core/arch-components/mongodb.js

@@ -19,36 +19,74 @@ const { PATCH_TYPES } = require('../../constants');
 const ModuleHook = require('../../hooks/require');
 const patcher = require('../../hooks/patcher');
 const logger = require('../logger')('contrast:arch-component');
-const semver = require('semver');
 
+// Architecture component for versions <3.0.0
 ModuleHook.resolve(
   {
     name: 'mongodb',
     file: 'lib/mongo_client.js',
-    version: '>=3.3.0'
+    version: '<3.0.0'
   },
-  (MongoClient, { version }) => {
-    if (semver.lt(version, '4.0.0')) {
-      patcher.patch(MongoClient.prototype, 'connect', {
-        name: 'MongoClient.connect.arch_component',
-        patchType: PATCH_TYPES.ARCH_COMPONENT,
-        alwaysRun: true,
-        post(ctx) {
-          if (!ctx.result || !ctx.result.then) {
-            return;
-          }
-
-          // We should report only when connection is successful
-          ctx.result.then(function(client) {
+  (MongoClient) => {
+    patcher.patch(MongoClient, 'connect', {
+      name: 'MongoClient.connect.arch_component',
+      patchType: PATCH_TYPES.ARCH_COMPONENT,
+      alwaysRun: true,
+      pre(ctx) {
+        // check if typeof callback == 'function'
+        // if yes:
+        // - MongoClient.connect executes a cb function, which has access to the connection status
+        // if not:
+        // - MongoClient.connect should return a promise and we can check it's result in another hook, just as before
+        const callbackIndex = ctx.args[2] ? 2 : 1;
+        if (ctx.args[callbackIndex] instanceof Function || typeof ctx.args[callbackIndex] === 'function') {
+          ctx.args[callbackIndex] = patcher.patch(ctx.args[callbackIndex], {
+            name: 'MongoClient.connect.callback.arch_component',
+            patchType: PATCH_TYPES.ARCH_COMPONENT,
+            alwaysRun: true,
+            pre(ctx) {
+              const [, db] = ctx.args;
+              if (db && db.s.topology && db.s.topology.s) {
+                try {
+                  const server = db.s.topology.s.server.s;
+                  if (server.pool && server.pool.state == 'connected') {
+                    const connections = server.pool.availableConnections;
+                    for (const c of connections) {
+                      agentEmitter.emit('architectureComponent', {
+                        vendor: 'MongoDB',
+                        url: `mongodb://${c.host}:${c.port}`,
+                        remoteHost: '',
+                        remotePort: c.port
+                      });
+                    }
+                  }
+                } catch (err) {
+                  logger.warn('unable to report MongoDB architecture component, err: %o', err);
+                }
+              }
+            }
+          });
+        }
+      },
+      post(ctx) {
+        if (!ctx.result || !ctx.result.then) {
+          return;
+        }
+        // it never gets here if callbacks are used, because the result won't be then-able
+        ctx.result.then(db => {
+          if (db && db.s && db.s.topology && db.s.topology.s) {
             try {
-              const { servers = [] } = ctx.obj.s && ctx.obj.s.options;
-              for (const server of servers) {
-                agentEmitter.emit('architectureComponent', {
-                  vendor: 'MongoDB',
-                  url: `mongodb://${server.host}:${server.port}`,
-                  remoteHost: '',
-                  remotePort: server.port,
-                });
+              const server = db.s.topology.s.server.s;
+              if (server.pool && server.pool.state == 'connected') {
+                const connections = server.pool.availableConnections;
+                for (const c of connections) {
+                  agentEmitter.emit('architectureComponent', {
+                    vendor: 'MongoDB',
+                    url: `mongodb://${c.host}:${c.port}`,
+                    remoteHost: '',
+                    remotePort: c.port
+                  });
+                }
               }
             } catch (err) {
               logger.warn(
@@ -56,60 +94,96 @@ ModuleHook.resolve(
                 err,
               );
             }
-          });
-        },
-      });
-    }
+          }
+        });
+      }
+    });
+  }
+);
+
+// Architecture component for versions >=3.3.0 <4.0.0
+ModuleHook.resolve(
+  {
+    name: 'mongodb',
+    file: 'lib/mongo_client.js',
+    version: '>=3.0.0 <4.0.0'
+  },
+  (MongoClient, { version }) => {
+    patcher.patch(MongoClient.prototype, 'connect', {
+      name: 'MongoClient.connect.arch_component',
+      patchType: PATCH_TYPES.ARCH_COMPONENT,
+      alwaysRun: true,
+      post(ctx) {
+        if (!ctx.result || !ctx.result.then) {
+          return;
+        }
+
+        // We should report only when connection is successful
+        ctx.result.then(function(client) {
+          try {
+            const { servers = [] } = ctx.obj.s && ctx.obj.s.options;
+            for (const server of servers) {
+              agentEmitter.emit('architectureComponent', {
+                vendor: 'MongoDB',
+                url: `mongodb://${server.host}:${server.port}`,
+                remoteHost: '',
+                remotePort: server.port,
+              });
+            }
+          } catch (err) {
+            logger.warn(
+              'unable to report MongoDB architecture component, err: %o',
+              err,
+            );
+          }
+        });
+      },
+    });
   },
 );
 
-/* Architecture component for >= mongodb@4
- * It's not limited in the require hook to >=4.0.0 because
- * that would result in confusing logs for the customer that
- * we don't support older versions (which is not true) */
+// Architecture component for versions >=4.0.0
 ModuleHook.resolve(
   {
     name: 'mongodb',
-    version: '>=3.3.0'
+    version: '>=4.0.0'
   },
   (MongoDB, { version }) => {
-    if (semver.gte(version, '4.0.0')) {
-      patcher.patch(MongoDB.MongoClient.prototype, 'connect', {
-        name: 'MongoClient.connect.arch_component',
-        patchType: PATCH_TYPES.ARCH_COMPONENT,
-        alwaysRun: true,
-        post(ctx) {
-          if (!ctx.result || !ctx.result.then) {
-            return;
-          }
+    patcher.patch(MongoDB.MongoClient.prototype, 'connect', {
+      name: 'MongoClient.connect.arch_component',
+      patchType: PATCH_TYPES.ARCH_COMPONENT,
+      alwaysRun: true,
+      post(ctx) {
+        if (!ctx.result || !ctx.result.then) {
+          return;
+        }
 
-          // We should report only when connection is successful
-          ctx.result.then(function(client) {
-            if (client && client.topology && client.topology.s) {
-              try {
-                const { servers } = client.topology.s;
-                for (const [, server] of servers) {
-                  if (server.s && server.s.state === 'connected') {
-                    const { srvServiceName } = server.s.options;
-                    const { address } = server.s.description;
-                    agentEmitter.emit('architectureComponent', {
-                      vendor: 'MongoDB',
-                      url: `${srvServiceName}://${address}`,
-                      remoteHost: '',
-                      remotePort: address.split(':').pop()
-                    });
-                  }
+        // We should report only when connection is successful
+        ctx.result.then(function(client) {
+          if (client && client.topology && client.topology.s) {
+            try {
+              const { servers } = client.topology.s;
+              for (const [, server] of servers) {
+                if (server.s && server.s.state === 'connected') {
+                  const { srvServiceName } = server.s.options;
+                  const { address } = server.s.description;
+                  agentEmitter.emit('architectureComponent', {
+                    vendor: 'MongoDB',
+                    url: `${srvServiceName}://${address}`,
+                    remoteHost: '',
+                    remotePort: address.split(':').pop()
+                  });
                 }
-              } catch (err) {
-                logger.warn(
-                  'unable to report MongoDB architecture component, err: %o',
-                  err,
-                );
               }
+            } catch (err) {
+              logger.warn(
+                'unable to report MongoDB architecture component, err: %o',
+                err,
+              );
             }
-          });
-        },
-      });
-    }
+          }
+        });
+      },
+    });
   },
 );

package/lib/core/async-storage/index.js

@@ -44,7 +44,7 @@ const KEYS = {
   REQUEST: 'request',
   REQ: 'req',
   RES: 'res',
-  RESPONSE_CONTENT_TYPE: 'res.contentType',
+  RESPONSE_CONTENT_TYPE: 'response.contentType',
   ROUTE: 'route',
   RULES: 'defend.rules',
   SAMPLES: 'defend.samples',

package/lib/reporter/speedracer/index.js

@@ -16,7 +16,6 @@ Copyright: 2022 Contrast Security, Inc
 
 const cp = require('child_process');
 const fs = require('fs');
-const os = require('os');
 const path = require('path');
 // according to https://nodejs.org/api/process.html#process_process the process
 // global can be required.  We're only doing so here so we can mock it out in tests
@@ -37,6 +36,21 @@ const SuccessConnectionState = require('./success-connection-state');
 
 const RESEND_WAIT_MS = 100;
 
+/**
+ * We might have the /bin/* files in /target directory if we're in
+ * development. Packaged/installed agents will have the executables in a
+ * top-level directory, e.g. /node_modules/@contrast/agent/bin/*
+ * @returns {'target' | '.'}
+ */
+const maybeTargetDir = () => {
+  try {
+    fs.statSync(path.resolve(__dirname, '..', '..', '..', 'target'));
+    return 'target';
+  } catch (error) {
+    return '.';
+  }
+};
+
 class Speedracer {
   constructor({ agent, logger }) {
     this.agent = agent;
@@ -155,7 +169,35 @@ class Speedracer {
     this.logger.info('starting contrast-service');
     this.startTime = Date.now();
 
-    this.serviceProcess = cp.spawn(this.startCommand, this.startOptions);
+    const speedracerPath = path.resolve(
+      __dirname,
+      '..',
+      '..',
+      '..',
+      maybeTargetDir(),
+      'bin',
+      `contrast-service-${process.platform}-${process.arch}`
+    );
+
+    try {
+      fs.statSync(speedracerPath);
+    } catch (error) {
+      this.logger.error(
+        'unable to locate a speedracer binary for the current platform (%s) and architecture (%s)',
+        process.platform,
+        process.arch
+      );
+      return Promise.reject();
+    }
+
+    this.serviceProcess = cp.spawn(speedracerPath, {
+      env: {
+        ...process.env,
+        CONTRAST_CONFIG_PATH: this.agent.config.configFile
+      },
+      stdio: 'ignore',
+      windowsHide: true
+    });
 
     this.serviceProcess.on('error', (err) => {
       this.serviceProcess = null;
@@ -262,39 +304,6 @@ class Speedracer {
     }
   }
 
-  /**
-   * The start command for spawning the speedracer
-   */
-  get startCommand() {
-    return path.resolve(
-      __dirname,
-      path.join(
-        '..',
-        '..',
-        '..',
-        utils.maybeTargetDir(),
-        'bin',
-        utils.getOsDir(),
-        'contrast-service'
-      )
-    );
-  }
-
-  /**
-   * The start options for spawning the speedracer child process. We provide the
-   * service the location of our config file via environment variable.
-   */
-  get startOptions() {
-    return {
-      env: {
-        ...process.env,
-        CONTRAST_CONFIG_PATH: this.agent.config.configFile
-      },
-      stdio: 'ignore',
-      windowsHide: true
-    };
-  }
-
   /**
    * GRPC is enabled when `agent.service.grpc` is not false, e.g., undefined
    * defaults to enabled, and `agent.service.socket` is not configured
@@ -314,39 +323,4 @@ class Speedracer {
   }
 }
 
-const utils = {
-  /**
-   * We might have the /bin/* files in /target directory if we're in
-   * development. Packaged/installed agents will have the executables in a
-   * top-level directory, e.g. /node_modules/@contrast/agent/bin/*
-   * @returns {String}
-   */
-  maybeTargetDir() {
-    try {
-      fs.statSync(
-        path.resolve(__dirname, path.join('..', '..', '..', 'target'))
-      );
-      return 'target';
-    } catch (error) {
-      return '';
-    }
-  },
-  /**
-   * Map platform values to folder names based on OS. The folder names are
-   * determined by the packaging of the S-R artifacts and how they unzip.
-   * @returns {String}
-   */
-  getOsDir() {
-    switch (os.platform()) {
-      case 'linux':
-        return 'linux';
-      case 'darwin':
-        return 'mac';
-      case 'win32':
-        return 'windows';
-    }
-  }
-};
-
 module.exports = Speedracer;
-module.exports.utils = utils;

package/lib/reporter/translations/to-protobuf/dtm/finding.js

@@ -29,15 +29,19 @@ module.exports = function Finding(details = {}) {
   }
 
   const routes = RoutesListWithObservations(details.routes);
+  const properties = objToMap(details.properties).map(
+    // ensure string values
+    ([key, value]) => [key, String(value)]
+  );
 
   return new dtm.Finding({
-    0: String(details.hash || ''), //                   1  hash_code
-    2: details.ruleId, //                               3    rule_id
-    5: objToMap(details.properties), //                 6 properties
-    6: mapToModelArray(TraceEvent, details.events), //  7     events
-    7: preflight, //                                    8  preflight
-    8: details.tags, //                                 9       tags
-    9: details.version, //                             10    version
+    0: String(details.hash || ''), //                  1  hash_code
+    2: details.ruleId, //                              3    rule_id
+    5: properties, //                                  6 properties
+    6: mapToModelArray(TraceEvent, details.events), // 7     events
+    7: preflight, //                                   8  preflight
+    8: details.tags, //                                9       tags
+    9: details.version, //                            10    version
     10: routes //                                     11     routes
   });
 };

package/lib/util/heap-dump.js

@@ -12,51 +12,63 @@ Copyright: 2022 Contrast Security, Inc
   engineered, modified, repackaged, sold, redistributed or otherwise used in a
   way not consistent with the End User License Agreement.
 */
-const path = require('path');
+'use strict';
+
 const fs = require('fs');
+const path = require('path');
+const v8 = require('v8');
 const logger = require('../core/logger')('contrast:heapDump');
-const heapUtil = module.exports;
-let heapdump;
 
 /**
- * setup n heap dumps to be created every n seconds after n seconds.
+ * @param {string} localPath location from config.path
+ */
+const writeHeapSnapshot = function writeHeapSnapshot(localPath) {
+  const dumpPath = path.join(process.cwd(), localPath);
+
+  fs.mkdir(dumpPath, { recursive: true }, (err) => {
+    if (err) {
+      logger.error('Unable to create directory for heap snapshots: %o', err);
+      return;
+    }
+
+    // create dump at ${path}/${time}.heapdump
+    const filename = path.format({
+      dir: dumpPath,
+      name: `${Date.now()}-contrast`,
+      ext: '.heapsnapshot',
+    });
+
+    logger.info('Writing heap snapshot at %s', filename);
+    v8.writeHeapSnapshot(filename);
+  });
+};
+
+/**
+ * setup x heap dumps to be created every y seconds after z seconds.
  * @param {Object} config config blob from config/options.js
- *   must have: window_ms (Number), delay_ms (Number), dumpPath (String), count (Number)
+ * @param {boolean} config.enable
+ * @param {string} config.path
+ * @param {number} config.count x
+ * @param {number} config.window_ms y
+ * @param {number} config.delay_ms z
  */
-heapUtil.init = function(config) {
+const init = function init(config) {
   if (!config.enable) return;
-  // NODE-1200: make this optional based on if config
-  // bit is flipped
-  heapdump = require('@contrast/heapdump');
 
   setTimeout(() => {
     let count = 0;
-    const timeout = setInterval(() => {
+
+    const interval = setInterval(() => {
       if (count >= config.count) {
-        clearInterval(timeout);
+        clearInterval(interval);
         return;
       }
-      heapUtil.buildDump(config.path);
+
+      writeHeapSnapshot(config.path);
 
       count++;
     }, config.window_ms);
   }, config.delay_ms).unref();
 };
 
-heapUtil.buildDump = function(dumpPath) {
-  // create directory in cwd
-  dumpPath = `${path.join(process.cwd(), dumpPath)}`;
-  fs.mkdir(dumpPath, (err) => {
-    if (!err || (err && err.code == 'EEXIST')) {
-      // create dump at ${path}/${time}.heapdump
-      const fileName = `${path.join(
-        dumpPath,
-        String(Date.now())
-      )}-contrast.heapsnapshot`;
-      logger.info(`Building heap snapshot at ${fileName}`);
-      heapdump.writeSnapshot(fileName);
-    } else {
-      logger.error(`Unable to create directory for heap snapshots: ${err}`);
-    }
-  });
-};
+module.exports = { writeHeapSnapshot, init };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.21.1",
+  "version": "4.23.0",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",
@@ -76,11 +76,10 @@
     "@babel/template": "^7.10.4",
     "@babel/traverse": "^7.12.1",
     "@babel/types": "^7.12.1",
-    "@contrast/agent-lib": "^4.2.0",
+    "@contrast/agent-lib": "^4.3.0",
     "@contrast/distringuish-prebuilt": "^3.2.0",
     "@contrast/flat": "^4.1.1",
-    "@contrast/fn-inspect": "^3.0.0",
-    "@contrast/heapdump": "^1.1.0",
+    "@contrast/fn-inspect": "^3.1.0",
     "@contrast/protobuf-api": "^3.2.5",
     "@contrast/require-hook": "^3.2.1",
     "@contrast/synchronous-source-maps": "^1.1.0",
@@ -164,7 +163,7 @@
     "mock-fs": "^5.1.2",
     "mongodb": "file:test/mock/mongodb",
     "mongodb-npm": "npm:mongodb@^3.6.5",
-    "mongoose": "^6.1.1",
+    "mongoose": "^6.4.6",
     "mustache": "^3.0.1",
     "mysql": "file:test/mock/mysql",
     "mysql2": "file:test/mock/mysql2",