npm - @contrast/agent - Versions diffs - 4.22.0 → 4.22.1 - Mend

@contrast/agent 4.22.0 → 4.22.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/lib/assess/models/call-context.js +13 -6
package/lib/assess/sinks/dynamo.js +0 -1
package/lib/core/arch-components/mongodb.js +140 -66
package/package.json +1 -1

package/lib/assess/models/call-context.js CHANGED Viewed

@@ -103,18 +103,25 @@ module.exports = class CallContext {
     return !!(str && typeof str === 'object' && str[PROXY_TARGET]);
   }
-  static getDisplayRange(arg) {
+  static getDisplayRange(arg, orgArg = arg, iteration = 0) {
     if (tracker.getData(arg)) {
       return new TagRange(0, arg.length - 1, 'untrusted');
     }
     if (arg && typeof arg === 'object') {
       for (const key in arg) {
+        if (arg[key] && typeof arg[key] === 'object' && iteration < 5) {
+          const nestedDisplayRange = CallContext.getDisplayRange(arg[key], orgArg, iteration += 1);
+          if (!_.isEmpty(nestedDisplayRange)) {
+            return nestedDisplayRange;
+          }
+        }
         const trackedData = tracker.getData(arg[key]);
-        if (trackedData) {
+        if (trackedData && trackedData.tagRanges.length > 0) {
           const { start, stop } = trackedData.tagRanges[0];
+          const offset = Array.isArray(orgArg) ? 2 : 0;
           const taintedString = arg[key].substring(start, stop + 1);
-          const taintRangeStart = CallContext.valueString(arg).indexOf(taintedString);
+          const taintRangeStart = CallContext.valueString(orgArg).indexOf(taintedString) + offset;
           if (taintRangeStart === -1) {
             // If tracked string is not in the abbreviated stringified obj, disable highlighting
             return new TagRange(0, 0, 'disable-highlighting');
@@ -178,9 +185,9 @@ module.exports = class CallContext {
       return value.toString();
     }
-    const constructorName = _.get(value, 'constructor.name', 'null');
+    const type = _.get(value, 'constructor.name', 'null');
-    if (constructorName === 'Object' && value) {
+    if ((type === 'Object' || type === 'Array') && value) {
       // make string representation uniform with no new lines and consistent spaces
       let str = util
         .inspect(value)
@@ -192,7 +199,7 @@ module.exports = class CallContext {
       return str;
     }
-    return constructorName;
+    return type;
   }
 };

package/lib/assess/sinks/dynamo.js CHANGED Viewed

@@ -37,7 +37,6 @@ const requiredTags = ['untrusted'];
 const trackSchemaCommands = {
   'scan': {
     attributes: [
-      'ExpressionAttributeValues',
       'ExclusiveStartKey',
       'ScanFilter'
     ]

package/lib/core/arch-components/mongodb.js CHANGED Viewed

@@ -19,36 +19,74 @@ const { PATCH_TYPES } = require('../../constants');
 const ModuleHook = require('../../hooks/require');
 const patcher = require('../../hooks/patcher');
 const logger = require('../logger')('contrast:arch-component');
-const semver = require('semver');
+// Architecture component for versions <3.0.0
 ModuleHook.resolve(
   {
     name: 'mongodb',
     file: 'lib/mongo_client.js',
-    version: '>=3.3.0'
+    version: '<3.0.0'
   },
-  (MongoClient, { version }) => {
-    if (semver.lt(version, '4.0.0')) {
-      patcher.patch(MongoClient.prototype, 'connect', {
-        name: 'MongoClient.connect.arch_component',
-        patchType: PATCH_TYPES.ARCH_COMPONENT,
-        alwaysRun: true,
-        post(ctx) {
-          if (!ctx.result || !ctx.result.then) {
-            return;
-          }
-          // We should report only when connection is successful
-          ctx.result.then(function(client) {
+  (MongoClient) => {
+    patcher.patch(MongoClient, 'connect', {
+      name: 'MongoClient.connect.arch_component',
+      patchType: PATCH_TYPES.ARCH_COMPONENT,
+      alwaysRun: true,
+      pre(ctx) {
+        // check if typeof callback == 'function'
+        // if yes:
+        // - MongoClient.connect executes a cb function, which has access to the connection status
+        // if not:
+        // - MongoClient.connect should return a promise and we can check it's result in another hook, just as before
+        const callbackIndex = ctx.args[2] ? 2 : 1;
+        if (ctx.args[callbackIndex] instanceof Function || typeof ctx.args[callbackIndex] === 'function') {
+          ctx.args[callbackIndex] = patcher.patch(ctx.args[callbackIndex], {
+            name: 'MongoClient.connect.callback.arch_component',
+            patchType: PATCH_TYPES.ARCH_COMPONENT,
+            alwaysRun: true,
+            pre(ctx) {
+              const [, db] = ctx.args;
+              if (db && db.s.topology && db.s.topology.s) {
+                try {
+                  const server = db.s.topology.s.server.s;
+                  if (server.pool && server.pool.state == 'connected') {
+                    const connections = server.pool.availableConnections;
+                    for (const c of connections) {
+                      agentEmitter.emit('architectureComponent', {
+                        vendor: 'MongoDB',
+                        url: `mongodb://${c.host}:${c.port}`,
+                        remoteHost: '',
+                        remotePort: c.port
+                      });
+                    }
+                  }
+                } catch (err) {
+                  logger.warn('unable to report MongoDB architecture component, err: %o', err);
+                }
+              }
+            }
+          });
+        }
+      },
+      post(ctx) {
+        if (!ctx.result || !ctx.result.then) {
+          return;
+        }
+        // it never gets here if callbacks are used, because the result won't be then-able
+        ctx.result.then(db => {
+          if (db && db.s && db.s.topology && db.s.topology.s) {
             try {
-              const { servers = [] } = ctx.obj.s && ctx.obj.s.options;
-              for (const server of servers) {
-                agentEmitter.emit('architectureComponent', {
-                  vendor: 'MongoDB',
-                  url: `mongodb://${server.host}:${server.port}`,
-                  remoteHost: '',
-                  remotePort: server.port,
-                });
+              const server = db.s.topology.s.server.s;
+              if (server.pool && server.pool.state == 'connected') {
+                const connections = server.pool.availableConnections;
+                for (const c of connections) {
+                  agentEmitter.emit('architectureComponent', {
+                    vendor: 'MongoDB',
+                    url: `mongodb://${c.host}:${c.port}`,
+                    remoteHost: '',
+                    remotePort: c.port
+                  });
+                }
               }
             } catch (err) {
               logger.warn(
@@ -56,60 +94,96 @@ ModuleHook.resolve(
                 err,
               );
             }
-          });
-        },
-      });
-    }
+          }
+        });
+      }
+    });
+  }
+);
+// Architecture component for versions >=3.3.0 <4.0.0
+ModuleHook.resolve(
+  {
+    name: 'mongodb',
+    file: 'lib/mongo_client.js',
+    version: '>=3.0.0 <4.0.0'
+  },
+  (MongoClient, { version }) => {
+    patcher.patch(MongoClient.prototype, 'connect', {
+      name: 'MongoClient.connect.arch_component',
+      patchType: PATCH_TYPES.ARCH_COMPONENT,
+      alwaysRun: true,
+      post(ctx) {
+        if (!ctx.result || !ctx.result.then) {
+          return;
+        }
+        // We should report only when connection is successful
+        ctx.result.then(function(client) {
+          try {
+            const { servers = [] } = ctx.obj.s && ctx.obj.s.options;
+            for (const server of servers) {
+              agentEmitter.emit('architectureComponent', {
+                vendor: 'MongoDB',
+                url: `mongodb://${server.host}:${server.port}`,
+                remoteHost: '',
+                remotePort: server.port,
+              });
+            }
+          } catch (err) {
+            logger.warn(
+              'unable to report MongoDB architecture component, err: %o',
+              err,
+            );
+          }
+        });
+      },
+    });
   },
 );
-/* Architecture component for >= mongodb@4
- * It's not limited in the require hook to >=4.0.0 because
- * that would result in confusing logs for the customer that
- * we don't support older versions (which is not true) */
+// Architecture component for versions >=4.0.0
 ModuleHook.resolve(
   {
     name: 'mongodb',
-    version: '>=3.3.0'
+    version: '>=4.0.0'
   },
   (MongoDB, { version }) => {
-    if (semver.gte(version, '4.0.0')) {
-      patcher.patch(MongoDB.MongoClient.prototype, 'connect', {
-        name: 'MongoClient.connect.arch_component',
-        patchType: PATCH_TYPES.ARCH_COMPONENT,
-        alwaysRun: true,
-        post(ctx) {
-          if (!ctx.result || !ctx.result.then) {
-            return;
-          }
+    patcher.patch(MongoDB.MongoClient.prototype, 'connect', {
+      name: 'MongoClient.connect.arch_component',
+      patchType: PATCH_TYPES.ARCH_COMPONENT,
+      alwaysRun: true,
+      post(ctx) {
+        if (!ctx.result || !ctx.result.then) {
+          return;
+        }
-          // We should report only when connection is successful
-          ctx.result.then(function(client) {
-            if (client && client.topology && client.topology.s) {
-              try {
-                const { servers } = client.topology.s;
-                for (const [, server] of servers) {
-                  if (server.s && server.s.state === 'connected') {
-                    const { srvServiceName } = server.s.options;
-                    const { address } = server.s.description;
-                    agentEmitter.emit('architectureComponent', {
-                      vendor: 'MongoDB',
-                      url: `${srvServiceName}://${address}`,
-                      remoteHost: '',
-                      remotePort: address.split(':').pop()
-                    });
-                  }
+        // We should report only when connection is successful
+        ctx.result.then(function(client) {
+          if (client && client.topology && client.topology.s) {
+            try {
+              const { servers } = client.topology.s;
+              for (const [, server] of servers) {
+                if (server.s && server.s.state === 'connected') {
+                  const { srvServiceName } = server.s.options;
+                  const { address } = server.s.description;
+                  agentEmitter.emit('architectureComponent', {
+                    vendor: 'MongoDB',
+                    url: `${srvServiceName}://${address}`,
+                    remoteHost: '',
+                    remotePort: address.split(':').pop()
+                  });
                 }
-              } catch (err) {
-                logger.warn(
-                  'unable to report MongoDB architecture component, err: %o',
-                  err,
-                );
               }
+            } catch (err) {
+              logger.warn(
+                'unable to report MongoDB architecture component, err: %o',
+                err,
+              );
             }
-          });
-        },
-      });
-    }
+          }
+        });
+      },
+    });
   },
 );

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.22.0",
+  "version": "4.22.1",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",