@contrast/agent 4.25.6-beta.0 → 4.27.0

package/bootstrap.js

@@ -41,6 +41,13 @@ Module.runMain = async function (...args) {
       await loader.bootstrap(process.argv);
     }
     await loader.resetArgs(process.argv[0], process.argv[1]);
+
+    const diagnostics = process.env['CONTRAST__AGENT__DIAGNOSTICS__ENABLE'];
+    if (diagnostics === 'true') {
+      // eslint-disable-next-line no-process-exit
+      process.exit(0);
+    }
+
     loader.logTime(startTime, 'agent');
     const appStartTime = process.hrtime();
     orig.apply(this, args);

package/config-diagnostics.js

@@ -0,0 +1,130 @@
+#!/usr/bin/env node
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const { exec } = require('child_process');
+
+function handleDependentParameter(args, currParameter, nextParameter) {
+  switch (currParameter) {
+    case '--output':
+    case '-o':
+      args.output = nextParameter;
+      break;
+    default:
+      throw new Error(`Invalid parameter ${currParameter}`);
+  }
+}
+
+function handleIndependentParameter(args, parameter) {
+  switch (parameter) {
+    case '--help':
+      args.help = true;
+      break;
+    case '--quiet':
+    case '-q':
+      args.quiet = true;
+      break;
+    default:
+      throw new Error(`Invalid parameter ${parameter}`);
+  }
+}
+
+function printHelpMessage() {
+  console.log(
+    '\nDescription:\n' +
+      'The config-diagnostics utility returns the current effective node agent configuration\n' +
+    '\nUsage:\n' +
+      'npx -p @contrast/agent config-diagnostics <path/to/entry/script> [options]\n' +
+      'npx -p @contrast/agent config-diagnostics --help\n' +
+    '\nOptions:\n' +
+      '--quiet      -q     Prevents output of the report to the console.\n' +
+      '--output     -o     The directory to write the report in. Defaults to the current directory.\n'
+  );
+}
+
+function parseArgv() {
+  const argv = process.argv.slice(2);
+  const args = {
+    output: 'contrast_effective_config.json',
+    quiet: false,
+    help: false,
+  };
+  let currParameter = null;
+
+  for (let i = 0; i < argv.length; i++) {
+    if (!currParameter) {
+      currParameter = argv[i];
+    }
+    if (!(currParameter.startsWith('--') || currParameter.startsWith('-'))) {
+      currParameter = null;
+      continue;
+    }
+
+    if (i + 1 == argv.length || argv[i + 1].startsWith('--') || argv[i + 1].startsWith('-')) {
+      handleIndependentParameter(args, currParameter);
+      currParameter = null;
+    } else {
+      handleDependentParameter(args, currParameter, argv[i + 1]);
+      currParameter = null;
+    }
+  }
+
+  return args;
+}
+
+function executeNodeAgent(args) {
+  let agentEnvArgs = 'CONTRAST__SHOW__BANNER=false CONTRAST__AGENT__DIAGNOSTICS__ENABLE=true';
+  const entry = process.argv.slice(2).shift();
+
+  if (!args.quiet) {
+    agentEnvArgs = agentEnvArgs.concat(' CONTRAST__AGENT__DIAGNOSTICS__QUIET=false');
+  }
+  if (args.output) {
+    agentEnvArgs = agentEnvArgs.concat(` CONTRAST__AGENT__DIAGNOSTICS__REPORT_PATH=${args.output}`);
+  }
+
+  exec(`${agentEnvArgs} node -r ./node_modules/@contrast/agent/bootstrap.js ${entry}`,
+    (error, stdout, stderr) => {
+      if (error && !args.quiet) {
+        console.log(`error: ${error.message}`);
+        return;
+      }
+
+      // by default errors still won't be visible since stdout == sterr
+      if (stderr) {
+        console.log(`stderr: ${stderr}`);
+        return;
+      }
+
+      if (!args.quiet) {
+        console.log(stdout);
+      }
+    }
+  );
+}
+
+function fetchAgentConfig(args) {
+  if (process.argv.slice(2).length == 1 && args.help) {
+    printHelpMessage();
+  } else {
+    executeNodeAgent(args);
+  }
+}
+
+
+fetchAgentConfig(parseArgv());
+// exporting this stuff for testing purposes only
+module.exports = { printHelpMessage, parseArgv, executeNodeAgent, fetchAgentConfig };

package/lib/assess/models/call-context.js

@@ -21,6 +21,7 @@ const stackFactory = require('../../core/stacktrace').singleton;
 const { PROXY_TARGET } = require('../../../lib/constants');
 const TagRange = require('../models/tag-range');
 const distringuish = require('@contrast/distringuish');
+const agent = require('../../agent');
 
 /**
  * Holds information about the call context of a function
@@ -153,13 +154,36 @@ function valueString(value) {
   return type;
 }
 
-function create(params) {
+const appendStack = agent.config.assess.enable_lazy_stacktraces ?
+    (instance, snapshot) => {
+      let stack;
+      // This enables the lazy generation of a stacktrace which is a performance
+      // improvement, but the snapshot method call is in a closure which creates
+      // a memory leak in longer running tests
+      Object.defineProperty(instance, 'stack', {
+        enumerable: true,
+        configurable: true,
+        get() {
+          if (!stack) {
+            stack = snapshot();
+          }
+          return stack;
+        },
+        set(value) {
+          stack = value;
+        }
+      });
+    } : (instance, snapshot) => {
+      instance.stack = snapshot();
+    };
+
+function create (params) {
   const instance = new CallContext(params);
   const snapshot = params.stacktrace || stackFactory.createSnapshot({
     constructorOpt: params.hooked
   });
 
-  instance.stack = typeof snapshot === 'function' ? snapshot() : snapshot;
+  appendStack(instance, snapshot);
 
   return instance;
 }

package/lib/assess/models/index.js

@@ -12,6 +12,8 @@ Copyright: 2022 Contrast Security, Inc
   engineered, modified, repackaged, sold, redistributed or otherwise used in a
   way not consistent with the End User License Agreement.
 */
+'use strict';
+
 const CallContext = require('./call-context');
 const Signature = require('./signature');
 const BaseEvent = require('./base-event');

package/lib/contrast.js

@@ -14,7 +14,7 @@ Copyright: 2022 Contrast Security, Inc
 */
 'use strict';
 
-const { program } = require('./core/config/options');
+const { program, options } = require('./core/config/options');
 const path = require('path');
 const os = require('os');
 const semver = require('semver');
@@ -25,6 +25,7 @@ const Module = require('module');
 const sourceMapUtility = require('./util/source-map');
 const loggerFactory = require('./core/logger');
 const logger = loggerFactory('contrast:contrast-init');
+const { outputAgentConfigFile } = require('./util/config-diagnostics-utils');
 
 function getAgentSnippet() {
   // getting reference to name every time for testing purposes
@@ -59,9 +60,12 @@ contrastAgent.showBanner = function showBanner() {
     console.log(colors.red(cat));
   }
 
-  logger.console();
-  logger.console('%s %s', NAME, VERSION);
-  logger.console(colors.green('--------------------------------------'));
+  const showAgentBanner = (process.env['CONTRAST__SHOW__BANNER'] === 'false') ? false : true;
+  if (showAgentBanner) {
+    logger.console();
+    logger.console('%s %s', NAME, VERSION);
+    logger.console(colors.green('--------------------------------------'));
+  }
 };
 
 /**
@@ -284,18 +288,16 @@ contrastAgent.prepare = function(...args) {
 
 /**
  * Sends startup message to TeamServer then instruments user code
- *
  * @param {Array} args process.argv
  */
 contrastAgent.bootstrap = function(args) {
   const reporter = new TSReporter(agent);
+
   // returning promise for testing purposes only
   return reporter
     .onboard(args)
     .catch((err) => {
-      logger.error(
-        'Reporter onboarding failed. Continuing without instrumentation.'
-      );
+      logger.error('Reporter onboarding failed. Continuing without instrumentation.');
       logger.error(err);
       agent.clearIntervals();
       return;
@@ -314,6 +316,25 @@ contrastAgent.bootstrap = function(args) {
         'Unexpected error while trying to start contrast. Continuing without instrumentation. Error: %o',
         err
       );
+    })
+    .finally(async () => {
+      let destination = process.env['CONTRAST__AGENT__DIAGNOSTICS__REPORT_PATH'];
+      if (destination == null) {
+        destination = agent.config._flat['agent.logger.path'].split('/');
+        destination.pop() && destination.push('contrast_effective_config.json');
+        destination = destination.join('/');
+      }
+
+      const args = {
+        quiet: (process.env['CONTRAST__AGENT__DIAGNOSTICS__QUIET'] === 'false') ? false : true,
+        output: destination,
+      };
+
+      try {
+        outputAgentConfigFile(agent, options, args, null);
+      } catch (err) {
+        outputAgentConfigFile(agent, options, args, err);
+      }
     });
 };
 

package/lib/core/config/options.js

@@ -761,6 +761,13 @@ const assess = [
     fn: castBoolean,
     desc: 'When set to `false` won\'t track the source events lazily but will track the first up to 250 source events',
   },
+  {
+    name: 'assess.enable_lazy_stacktraces',
+    arg: '[false]',
+    default: false,
+    fn: castBoolean,
+    desc: 'When set to `true` it will evaluate stacktraces lazily, this improves performance, but causes a memory leak if used in a longer running application',
+  },
 ];
 
 const protect = [

package/lib/util/config-diagnostics-utils.js

@@ -0,0 +1,221 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const path = require('path');
+const fs = require('fs');
+
+// eslint-disable-next-line complexity
+function getLoggerValues(option, config, tsData) {
+  let tsValue, effectiveValue = config._flat[option.name];
+
+  switch (option.name) {
+    case 'agent.logger.level':
+      tsValue = tsData.logLevel;
+      break;
+    case 'agent.logger.path':
+      tsValue = tsData.logFile;
+      break;
+    case 'agent.security_logger.syslog.enable':
+      tsValue = tsData.defend.syslog.enabled;
+      break;
+    case 'agent.security_logger.syslog.ip':
+      tsValue = tsData.defend.syslog.ipAddress;
+      break;
+    case 'agent.security_logger.syslog.port':
+      tsValue = tsData.defend.syslog.port;
+      break;
+    case 'agent.security_logger.syslog.fascility':
+      tsValue = tsData.defend.syslog.fascilityCode;
+      break;
+    case 'agent.security_logger.syslog.severity_exploited':
+      tsValue = tsData.defend.syslog.severityExploited;
+      break;
+    case 'agent.security_logger.syslog.severity_blocked':
+      tsValue = tsData.defend.syslog.severityBlocked;
+      break;
+    case 'agent.security_logger.syslog.severity_probed':
+      tsValue = tsData.defend.syslog.severityProbed;
+      break;
+    default:
+      break;
+  }
+
+  if (config._sources[option.name] == 'DEFAULT' && tsValue != null) {
+    effectiveValue = tsValue;
+    config._sources[option.name] = 'ContrastUI';
+  }
+
+  return {
+    CanonicalName: option.name,
+    Name: option.name,
+    Value: effectiveValue,
+    Source: config._sources[option.name],
+  };
+}
+
+function getAssessValues(option, config, tsData) {
+  let tsValue, effectiveValue = config._flat[option.name];
+
+  switch (option.name) {
+    case 'assess.enable':
+      tsValue = tsData.assess.enabled;
+      break;
+    case 'assess.enable_propagators':
+      tsValue = tsData.assess.propagators;
+      break;
+    case 'assess.sampling.enable':
+      tsValue = tsData.assess.sampling;
+      break;
+    default:
+      break;
+  }
+
+  if (config._sources[option.name] == 'DEFAULT' && tsValue != null) {
+    effectiveValue = tsValue;
+    config._sources[option.name] = 'ContrastUI';
+  }
+
+  return {
+    CanonicalName: option.name,
+    Name: option.name,
+    Value: effectiveValue,
+    Source: config._sources[option.name],
+  };
+}
+
+function getProtectValues(option, config, tsData) {
+  let value = {};
+
+  if (option.name.includes('ip-denylist')) {
+    value = {
+      CanonicalName: option.name.split('.')[2],
+      Name: option.name,
+      Value: tsData.ipDenylistsList,
+      Source: 'ContrastUI',
+    };
+  } else if (option.name.includes('virtual-patch')) {
+    value = {
+      CanonicalName: option.name.split('.')[2],
+      Name: option.name,
+      Value: tsData.virtualPatchesList,
+      Source: 'ContrastUI',
+    };
+  } else if (option.name.includes('protect.rules') && option.name.includes('mode')) {
+    const apiRule = tsData.protectionRulesList.find(r => r.id == option.name.split('.')[2]);
+
+    const apiMode = apiRule ? apiRule.mode : undefined;
+    const ymlMode = config._flat[option.name];
+    let effectiveMode;
+
+    if (!ymlMode && apiMode) {
+      config._sources[option.name] = 'ContrastUI';
+      effectiveMode = apiMode;
+    } else if (ymlMode) {
+      effectiveMode = ymlMode;
+    }
+
+    value = {
+      CanonicalName: option.name.split('.')[2],
+      Name: option.name,
+      Value: effectiveMode,
+      Source: config._sources[option.name],
+    };
+  }
+
+  return value;
+}
+
+function getEffectiveConfigValues(agent, options, err) {
+  const tsData = { ...agent.tsFeatureSet.serverFeatures, ...agent.tsFeatureSet.applicationSettings };
+  const values = [];
+
+  for (const option of options) {
+    if (!err && option.name.includes('protect.rules') && option.name.includes('mode')) {
+      // get all protect rules
+      values.push(getProtectValues(option, agent.config, tsData));
+    } else if (!err && option.name.includes('logger')) {
+      // fetch agent/service/sys logger settings
+      values.push(getLoggerValues(option, agent.config, tsData));
+    } else if (!err && option.name.includes('assess')) {
+      // fetch assess settings
+      values.push(getAssessValues(option, agent.config, tsData));
+    } else if (agent.config._flat[option.name] != null) {
+      // fetch everything else
+      values.push({
+        CanonicalName: option.name,
+        Name: option.name,
+        Value: agent.config._flat[option.name],
+        Source: agent.config._sources[option.name],
+      });
+    }
+  }
+  return values;
+}
+
+function getEffectiveConfig(agent, options, err) {
+  const effectiveConfigValues = getEffectiveConfigValues(agent, options, err);
+  const envValues = effectiveConfigValues.filter(v => v.Source == 'ENV');
+  const cliValues = effectiveConfigValues.filter(v => v.Source == 'CLI');
+  const ymlValues = effectiveConfigValues.filter(v => v.Source == 'YAML');
+  const apiValues = effectiveConfigValues.filter(v => v.Source == 'ContrastUI');
+
+  const effectiveConfig = {
+    ReportCreate: new Date(Date.now()),
+    Config: {
+      EffectiveConfig: {
+        Status: undefined,
+        Values: effectiveConfigValues
+      },
+      Environment: envValues,
+      CommandLine: cliValues,
+      ContrastUI: apiValues,
+      File: ymlValues,
+    }
+  };
+
+  return effectiveConfig;
+}
+
+function outputAgentConfigFile(agent, options, args, err) {
+  const effectiveConfig = getEffectiveConfig(agent, options, err);
+
+  if (err) {
+    effectiveConfig.Config.Status = 'Failure! ' +
+    `Could not connect to TeamServer, so no TeamServer data will be included. Error: ${err}`;
+  } else {
+    effectiveConfig.Config.Status = 'Success';
+  }
+
+  try {
+    fs.accessSync(path.join(args.output, '..'), fs.constants.RDWD_OK);
+    fs.writeFileSync(args.output, JSON.stringify(effectiveConfig, null, 2), 'utf-8');
+  } catch (err) {
+    console.log(`Couldn't create effective config file: ${err}`);
+  }
+
+  if (!args.quiet) {
+    console.log(JSON.stringify(effectiveConfig, null, 2));
+  }
+}
+
+module.exports = {
+  getEffectiveConfigValues,
+  getEffectiveConfig,
+  outputAgentConfigFile,
+  getProtectValues,
+  getAssessValues,
+  getLoggerValues
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.25.6-beta.0",
+  "version": "4.27.0",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",
@@ -54,7 +54,8 @@
   "bin": {
     "node-contrast": "cli.js",
     "perf-logs": "perf-logs.js",
-    "contrast-transpile": "cli-rewriter.js"
+    "contrast-transpile": "cli-rewriter.js",
+    "read-contrast-config": "config-diagnostics.js"
   },
   "files": [
     "bin/**",
@@ -64,7 +65,8 @@
     "cli.js",
     "esm.mjs",
     "perf-logs.js",
-    "cli-rewriter.js"
+    "cli-rewriter.js",
+    "config-diagnostics.js"
   ],
   "repository": {
     "type": "git"
@@ -138,7 +140,7 @@
     "dustjs-linkedin": "^3.0.1",
     "ejs": "^3.1.7",
     "escape-html": "^1.0.3",
-    "eslint": "^8.9.0",
+    "eslint": "^8.26.0",
     "eslint-plugin-mocha": "^10.0.3",
     "eslint-plugin-node": "^11.1.0",
     "express": "file:test/mock/express",
@@ -158,7 +160,7 @@
     "lint-staged": "^12.0.2",
     "madge": "^4.0.1",
     "marsdb": "file:test/mock/marsdb",
-    "mocha": "^9.2.0",
+    "mocha": "^9.2.2",
     "mochawesome": "^7.0.1",
     "mock-fs": "^5.1.2",
     "mongodb": "file:test/mock/mongodb",