npm - @contrast/agent - Versions diffs - 4.26.0 → 4.27.0 - Mend

@contrast/agent 4.26.0 → 4.27.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/bootstrap.js +7 -0
package/config-diagnostics.js +130 -0
package/lib/contrast.js +29 -8
package/lib/util/config-diagnostics-utils.js +221 -0
package/package.json +5 -3

package/bootstrap.js CHANGED Viewed

@@ -41,6 +41,13 @@ Module.runMain = async function (...args) {
       await loader.bootstrap(process.argv);
     }
     await loader.resetArgs(process.argv[0], process.argv[1]);
+    const diagnostics = process.env['CONTRAST__AGENT__DIAGNOSTICS__ENABLE'];
+    if (diagnostics === 'true') {
+      // eslint-disable-next-line no-process-exit
+      process.exit(0);
+    }
     loader.logTime(startTime, 'agent');
     const appStartTime = process.hrtime();
     orig.apply(this, args);

package/config-diagnostics.js ADDED Viewed

@@ -0,0 +1,130 @@
+#!/usr/bin/env node
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const { exec } = require('child_process');
+function handleDependentParameter(args, currParameter, nextParameter) {
+  switch (currParameter) {
+    case '--output':
+    case '-o':
+      args.output = nextParameter;
+      break;
+    default:
+      throw new Error(`Invalid parameter ${currParameter}`);
+  }
+}
+function handleIndependentParameter(args, parameter) {
+  switch (parameter) {
+    case '--help':
+      args.help = true;
+      break;
+    case '--quiet':
+    case '-q':
+      args.quiet = true;
+      break;
+    default:
+      throw new Error(`Invalid parameter ${parameter}`);
+  }
+}
+function printHelpMessage() {
+  console.log(
+    '\nDescription:\n' +
+      'The config-diagnostics utility returns the current effective node agent configuration\n' +
+    '\nUsage:\n' +
+      'npx -p @contrast/agent config-diagnostics <path/to/entry/script> [options]\n' +
+      'npx -p @contrast/agent config-diagnostics --help\n' +
+    '\nOptions:\n' +
+      '--quiet      -q     Prevents output of the report to the console.\n' +
+      '--output     -o     The directory to write the report in. Defaults to the current directory.\n'
+  );
+}
+function parseArgv() {
+  const argv = process.argv.slice(2);
+  const args = {
+    output: 'contrast_effective_config.json',
+    quiet: false,
+    help: false,
+  };
+  let currParameter = null;
+  for (let i = 0; i < argv.length; i++) {
+    if (!currParameter) {
+      currParameter = argv[i];
+    }
+    if (!(currParameter.startsWith('--') || currParameter.startsWith('-'))) {
+      currParameter = null;
+      continue;
+    }
+    if (i + 1 == argv.length || argv[i + 1].startsWith('--') || argv[i + 1].startsWith('-')) {
+      handleIndependentParameter(args, currParameter);
+      currParameter = null;
+    } else {
+      handleDependentParameter(args, currParameter, argv[i + 1]);
+      currParameter = null;
+    }
+  }
+  return args;
+}
+function executeNodeAgent(args) {
+  let agentEnvArgs = 'CONTRAST__SHOW__BANNER=false CONTRAST__AGENT__DIAGNOSTICS__ENABLE=true';
+  const entry = process.argv.slice(2).shift();
+  if (!args.quiet) {
+    agentEnvArgs = agentEnvArgs.concat(' CONTRAST__AGENT__DIAGNOSTICS__QUIET=false');
+  }
+  if (args.output) {
+    agentEnvArgs = agentEnvArgs.concat(` CONTRAST__AGENT__DIAGNOSTICS__REPORT_PATH=${args.output}`);
+  }
+  exec(`${agentEnvArgs} node -r ./node_modules/@contrast/agent/bootstrap.js ${entry}`,
+    (error, stdout, stderr) => {
+      if (error && !args.quiet) {
+        console.log(`error: ${error.message}`);
+        return;
+      }
+      // by default errors still won't be visible since stdout == sterr
+      if (stderr) {
+        console.log(`stderr: ${stderr}`);
+        return;
+      }
+      if (!args.quiet) {
+        console.log(stdout);
+      }
+    }
+  );
+}
+function fetchAgentConfig(args) {
+  if (process.argv.slice(2).length == 1 && args.help) {
+    printHelpMessage();
+  } else {
+    executeNodeAgent(args);
+  }
+}
+fetchAgentConfig(parseArgv());
+// exporting this stuff for testing purposes only
+module.exports = { printHelpMessage, parseArgv, executeNodeAgent, fetchAgentConfig };

package/lib/contrast.js CHANGED Viewed

@@ -14,7 +14,7 @@ Copyright: 2022 Contrast Security, Inc
 */
 'use strict';
-const { program } = require('./core/config/options');
+const { program, options } = require('./core/config/options');
 const path = require('path');
 const os = require('os');
 const semver = require('semver');
@@ -25,6 +25,7 @@ const Module = require('module');
 const sourceMapUtility = require('./util/source-map');
 const loggerFactory = require('./core/logger');
 const logger = loggerFactory('contrast:contrast-init');
+const { outputAgentConfigFile } = require('./util/config-diagnostics-utils');
 function getAgentSnippet() {
   // getting reference to name every time for testing purposes
@@ -59,9 +60,12 @@ contrastAgent.showBanner = function showBanner() {
     console.log(colors.red(cat));
   }
-  logger.console();
-  logger.console('%s %s', NAME, VERSION);
-  logger.console(colors.green('--------------------------------------'));
+  const showAgentBanner = (process.env['CONTRAST__SHOW__BANNER'] === 'false') ? false : true;
+  if (showAgentBanner) {
+    logger.console();
+    logger.console('%s %s', NAME, VERSION);
+    logger.console(colors.green('--------------------------------------'));
+  }
 };
 /**
@@ -284,18 +288,16 @@ contrastAgent.prepare = function(...args) {
 /**
  * Sends startup message to TeamServer then instruments user code
- *
  * @param {Array} args process.argv
  */
 contrastAgent.bootstrap = function(args) {
   const reporter = new TSReporter(agent);
   // returning promise for testing purposes only
   return reporter
     .onboard(args)
     .catch((err) => {
-      logger.error(
-        'Reporter onboarding failed. Continuing without instrumentation.'
-      );
+      logger.error('Reporter onboarding failed. Continuing without instrumentation.');
       logger.error(err);
       agent.clearIntervals();
       return;
@@ -314,6 +316,25 @@ contrastAgent.bootstrap = function(args) {
         'Unexpected error while trying to start contrast. Continuing without instrumentation. Error: %o',
         err
       );
+    })
+    .finally(async () => {
+      let destination = process.env['CONTRAST__AGENT__DIAGNOSTICS__REPORT_PATH'];
+      if (destination == null) {
+        destination = agent.config._flat['agent.logger.path'].split('/');
+        destination.pop() && destination.push('contrast_effective_config.json');
+        destination = destination.join('/');
+      }
+      const args = {
+        quiet: (process.env['CONTRAST__AGENT__DIAGNOSTICS__QUIET'] === 'false') ? false : true,
+        output: destination,
+      };
+      try {
+        outputAgentConfigFile(agent, options, args, null);
+      } catch (err) {
+        outputAgentConfigFile(agent, options, args, err);
+      }
     });
 };

package/lib/util/config-diagnostics-utils.js ADDED Viewed

@@ -0,0 +1,221 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const path = require('path');
+const fs = require('fs');
+// eslint-disable-next-line complexity
+function getLoggerValues(option, config, tsData) {
+  let tsValue, effectiveValue = config._flat[option.name];
+  switch (option.name) {
+    case 'agent.logger.level':
+      tsValue = tsData.logLevel;
+      break;
+    case 'agent.logger.path':
+      tsValue = tsData.logFile;
+      break;
+    case 'agent.security_logger.syslog.enable':
+      tsValue = tsData.defend.syslog.enabled;
+      break;
+    case 'agent.security_logger.syslog.ip':
+      tsValue = tsData.defend.syslog.ipAddress;
+      break;
+    case 'agent.security_logger.syslog.port':
+      tsValue = tsData.defend.syslog.port;
+      break;
+    case 'agent.security_logger.syslog.fascility':
+      tsValue = tsData.defend.syslog.fascilityCode;
+      break;
+    case 'agent.security_logger.syslog.severity_exploited':
+      tsValue = tsData.defend.syslog.severityExploited;
+      break;
+    case 'agent.security_logger.syslog.severity_blocked':
+      tsValue = tsData.defend.syslog.severityBlocked;
+      break;
+    case 'agent.security_logger.syslog.severity_probed':
+      tsValue = tsData.defend.syslog.severityProbed;
+      break;
+    default:
+      break;
+  }
+  if (config._sources[option.name] == 'DEFAULT' && tsValue != null) {
+    effectiveValue = tsValue;
+    config._sources[option.name] = 'ContrastUI';
+  }
+  return {
+    CanonicalName: option.name,
+    Name: option.name,
+    Value: effectiveValue,
+    Source: config._sources[option.name],
+  };
+}
+function getAssessValues(option, config, tsData) {
+  let tsValue, effectiveValue = config._flat[option.name];
+  switch (option.name) {
+    case 'assess.enable':
+      tsValue = tsData.assess.enabled;
+      break;
+    case 'assess.enable_propagators':
+      tsValue = tsData.assess.propagators;
+      break;
+    case 'assess.sampling.enable':
+      tsValue = tsData.assess.sampling;
+      break;
+    default:
+      break;
+  }
+  if (config._sources[option.name] == 'DEFAULT' && tsValue != null) {
+    effectiveValue = tsValue;
+    config._sources[option.name] = 'ContrastUI';
+  }
+  return {
+    CanonicalName: option.name,
+    Name: option.name,
+    Value: effectiveValue,
+    Source: config._sources[option.name],
+  };
+}
+function getProtectValues(option, config, tsData) {
+  let value = {};
+  if (option.name.includes('ip-denylist')) {
+    value = {
+      CanonicalName: option.name.split('.')[2],
+      Name: option.name,
+      Value: tsData.ipDenylistsList,
+      Source: 'ContrastUI',
+    };
+  } else if (option.name.includes('virtual-patch')) {
+    value = {
+      CanonicalName: option.name.split('.')[2],
+      Name: option.name,
+      Value: tsData.virtualPatchesList,
+      Source: 'ContrastUI',
+    };
+  } else if (option.name.includes('protect.rules') && option.name.includes('mode')) {
+    const apiRule = tsData.protectionRulesList.find(r => r.id == option.name.split('.')[2]);
+    const apiMode = apiRule ? apiRule.mode : undefined;
+    const ymlMode = config._flat[option.name];
+    let effectiveMode;
+    if (!ymlMode && apiMode) {
+      config._sources[option.name] = 'ContrastUI';
+      effectiveMode = apiMode;
+    } else if (ymlMode) {
+      effectiveMode = ymlMode;
+    }
+    value = {
+      CanonicalName: option.name.split('.')[2],
+      Name: option.name,
+      Value: effectiveMode,
+      Source: config._sources[option.name],
+    };
+  }
+  return value;
+}
+function getEffectiveConfigValues(agent, options, err) {
+  const tsData = { ...agent.tsFeatureSet.serverFeatures, ...agent.tsFeatureSet.applicationSettings };
+  const values = [];
+  for (const option of options) {
+    if (!err && option.name.includes('protect.rules') && option.name.includes('mode')) {
+      // get all protect rules
+      values.push(getProtectValues(option, agent.config, tsData));
+    } else if (!err && option.name.includes('logger')) {
+      // fetch agent/service/sys logger settings
+      values.push(getLoggerValues(option, agent.config, tsData));
+    } else if (!err && option.name.includes('assess')) {
+      // fetch assess settings
+      values.push(getAssessValues(option, agent.config, tsData));
+    } else if (agent.config._flat[option.name] != null) {
+      // fetch everything else
+      values.push({
+        CanonicalName: option.name,
+        Name: option.name,
+        Value: agent.config._flat[option.name],
+        Source: agent.config._sources[option.name],
+      });
+    }
+  }
+  return values;
+}
+function getEffectiveConfig(agent, options, err) {
+  const effectiveConfigValues = getEffectiveConfigValues(agent, options, err);
+  const envValues = effectiveConfigValues.filter(v => v.Source == 'ENV');
+  const cliValues = effectiveConfigValues.filter(v => v.Source == 'CLI');
+  const ymlValues = effectiveConfigValues.filter(v => v.Source == 'YAML');
+  const apiValues = effectiveConfigValues.filter(v => v.Source == 'ContrastUI');
+  const effectiveConfig = {
+    ReportCreate: new Date(Date.now()),
+    Config: {
+      EffectiveConfig: {
+        Status: undefined,
+        Values: effectiveConfigValues
+      },
+      Environment: envValues,
+      CommandLine: cliValues,
+      ContrastUI: apiValues,
+      File: ymlValues,
+    }
+  };
+  return effectiveConfig;
+}
+function outputAgentConfigFile(agent, options, args, err) {
+  const effectiveConfig = getEffectiveConfig(agent, options, err);
+  if (err) {
+    effectiveConfig.Config.Status = 'Failure! ' +
+    `Could not connect to TeamServer, so no TeamServer data will be included. Error: ${err}`;
+  } else {
+    effectiveConfig.Config.Status = 'Success';
+  }
+  try {
+    fs.accessSync(path.join(args.output, '..'), fs.constants.RDWD_OK);
+    fs.writeFileSync(args.output, JSON.stringify(effectiveConfig, null, 2), 'utf-8');
+  } catch (err) {
+    console.log(`Couldn't create effective config file: ${err}`);
+  }
+  if (!args.quiet) {
+    console.log(JSON.stringify(effectiveConfig, null, 2));
+  }
+}
+module.exports = {
+  getEffectiveConfigValues,
+  getEffectiveConfig,
+  outputAgentConfigFile,
+  getProtectValues,
+  getAssessValues,
+  getLoggerValues
+};

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.26.0",
+  "version": "4.27.0",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",
@@ -54,7 +54,8 @@
   "bin": {
     "node-contrast": "cli.js",
     "perf-logs": "perf-logs.js",
-    "contrast-transpile": "cli-rewriter.js"
+    "contrast-transpile": "cli-rewriter.js",
+    "read-contrast-config": "config-diagnostics.js"
   },
   "files": [
     "bin/**",
@@ -64,7 +65,8 @@
     "cli.js",
     "esm.mjs",
     "perf-logs.js",
-    "cli-rewriter.js"
+    "cli-rewriter.js",
+    "config-diagnostics.js"
   ],
   "repository": {
     "type": "git"