@contrast/agent 4.28.0 → 4.29.0

package/bin/VERSION

@@ -1 +1 @@
-2.28.22
+2.28.23

package/bootstrap.js

@@ -44,8 +44,12 @@ Module.runMain = async function (...args) {
 
     const diagnostics = process.env['CONTRAST__AGENT__DIAGNOSTICS__ENABLE'];
     if (diagnostics === 'true') {
-      // eslint-disable-next-line no-process-exit
-      process.exit(0);
+      // Delay just a little bit, so the console.log() in config-diagnostics can finish
+      // Might wanna look for a better solution
+      setTimeout(() => {
+        // eslint-disable-next-line no-process-exit
+        process.exit(0);
+      }, 100); // not sure why so long, in v5 it only needed 5ms more
     }
 
     loader.logTime(startTime, 'agent');

package/config-diagnostics.js

@@ -76,7 +76,9 @@ const diagnostics = {
 
   executeNodeAgent(args) {
     let agentEnvArgs =
-      'CONTRAST__SHOW__BANNER=false CONTRAST__AGENT__DIAGNOSTICS__ENABLE=true';
+      'CONTRAST__SHOW__BANNER=false ' +
+      'CONTRAST__AGENT__DIAGNOSTICS__ENABLE=true ' +
+      'CONTRAST__AGENT__SYSTEM_DIAGNOSTICS__ENABLE=false';
 
     if (!args.quiet) {
       agentEnvArgs = `${agentEnvArgs} CONTRAST__AGENT__DIAGNOSTICS__QUIET=false`;

package/lib/app-info.js

@@ -18,22 +18,35 @@ const fs = require('fs');
 const path = require('path');
 const parentPackageJson = require('parent-package-json');
 const semver = require('semver');
+const { v4: uuid } = require('uuid');
 const { AGENT_INFO } = require('./constants');
 const logger = require('./core/logger')('contrast:appInfo');
 
-const isContainer = () => {
+const MOUNTINFO_REGEX = /\/docker\/containers\/(.*?)\//;
+const CGROUP_REGEX = /:\/docker\/([^/]+)$/;
+
+const getContainerId = () => {
   try {
-    fs.statSync('/.dockerenv');
-    return true;
+    const results = fs.readFileSync('/proc/self/mountinfo', 'utf8').match(MOUNTINFO_REGEX);
+
+    if (results) return results[1];
   } catch (err) {
-    // if no docker env, check /proc/self/cgroup
+    //
   }
 
   try {
-    return fs.readFileSync('/proc/self/cgroup', 'utf8').includes('docker');
+    const results = fs.readFileSync('/proc/self/cgroup', 'utf8').match(CGROUP_REGEX);
+
+    if (results) return results[1];
+  } catch (err) {
+    //
+  }
+
+  try {
+    fs.statSync('/.dockerenv');
+    return `_${uuid()}`;
   } catch (err) {
-    // if file not present,
-    return false;
+    return null;
   }
 };
 
@@ -69,7 +82,7 @@ class AppInfo {
       type: os.type()
     };
     this.hostname = os.hostname();
-    this.isContainer = isContainer();
+    this.containerId = getContainerId();
 
     logger.info('finding package.json for %s', this.indexFile);
 

package/lib/assess/express/route-coverage.js

@@ -12,7 +12,7 @@ Copyright: 2022 Contrast Security, Inc
   engineered, modified, repackaged, sold, redistributed or otherwise used in a
   way not consistent with the End User License Agreement.
 */
-'use stict';
+'use strict';
 
 const agentEmitter = require('../../agent-emitter');
 const logger = require('../../core/logger')('contrast:express:route-coverage');
@@ -70,7 +70,7 @@ class ExpressRouteCoverage {
     const { args, result: router } = wrapCtx;
     const layer = Helpers.getLastLayer(router);
 
-    if (!layer) {
+    if (!layer || !layer.route || !layer.route.stack) {
       return;
     }
 
@@ -106,7 +106,7 @@ class ExpressRouteCoverage {
 
     const layer = Helpers.getLastLayer(app._router);
 
-    if (!layer || !layer.route) {
+    if (!layer || !layer.route || !layer.route.stack) {
       return;
     }
 

package/lib/assess/policy/rules.json

@@ -555,6 +555,48 @@
               }
             ]
           }
+        },
+        "mssql/lib/base/prepared-statement.prototype.prepare": {
+          "type": "dataflow",
+          "enabled": true,
+          "conditions": {
+            "mode": "or",
+            "args": [
+              {
+                "index": 0,
+                "requiredTags": ["untrusted"],
+                "disallowedTags": ["sql-encoded", "limited-chars"]
+              }
+            ]
+          }
+        },
+        "mssql/lib/base/request.prototype.batch": {
+          "type": "dataflow",
+          "enabled": true,
+          "conditions": {
+            "mode": "or",
+            "args": [
+              {
+                "index": 0,
+                "requiredTags": ["untrusted"],
+                "disallowedTags": ["sql-encoded", "limited-chars"]
+              }
+            ]
+          }
+        },
+        "mssql/lib/base/request.prototype.query": {
+          "type": "dataflow",
+          "enabled": true,
+          "conditions": {
+            "mode": "or",
+            "args": [
+              {
+                "index": 0,
+                "requiredTags": ["untrusted"],
+                "disallowedTags": ["sql-encoded", "limited-chars"]
+              }
+            ]
+          }
         }
       }
     },

package/lib/assess/policy/signatures.json

@@ -626,6 +626,24 @@
       "methodName": "Database.prototype.prepare",
       "isModule": true
     },
+    "mssql/lib/base/prepared-statement.prototype.prepare": {
+      "moduleName": "mssql",
+      "version": ">=6.4.0",
+      "methodName": "PreparedStatement.prototype.prepare",
+      "isModule": true
+    },
+    "mssql/lib/base/request.prototype.batch": {
+      "moduleName": "mssql",
+      "version": ">=6.4.0",
+      "methodName": "Request.prototype.batch",
+      "isModule": true
+    },
+    "mssql/lib/base/request.prototype.query": {
+      "moduleName": "mssql",
+      "version": ">=6.4.0",
+      "methodName": "Request.prototype.query",
+      "isModule": true
+    },
     "path.format": {
       "moduleName": "path",
       "methodName": "format",

package/lib/contrast.js

@@ -337,8 +337,10 @@ contrastAgent.bootstrap = function(args) {
         outputAgentConfigFile(agent, options, args, err);
       }
 
-      const info = fetchSystemInfo();
-      outputSystemInfo({ skip: false, quiet: true, output: 'contrast_system_info.json' }, info);
+      if (!(process.env['CONTRAST__AGENT__SYSTEM_DIAGNOSTICS__ENABLE'] === 'false')) {
+        const info = fetchSystemInfo();
+        outputSystemInfo({ skip: false, quiet: true, output: 'contrast_system_info.json' }, info);
+      }
     });
 };
 

package/lib/core/express/utils.js

@@ -372,6 +372,8 @@ const handleUseDecoration = (self, event, className) => {
  * @param {Layer[]} stack Express application stack
  */
 const instrumentHandler = (layer, id, self, stack) => {
+  if (!layer) return;
+
   const methodName = getLayerHandleMethod(layer);
 
   patcher.patch(layer, methodName, {
@@ -471,14 +473,16 @@ class RouteCoverage {
             alwaysRun: true,
             pre(data) {
               // There's a new stack item for each fn handler.
-              data.nextIdx = this.stack.length;
+              if (this.stack) {
+                data.nextIdx = this.stack.length;
+              }
             },
             post(data) {
               // if the stack didn't actually grow
               // ie if router.get('/') with no callback is called
               // This is done to cache routes in Express, so we want to
-              // skip this.
-              if (this.stack.length === data.nextIdx) {
+              // skip this. In older versions of express stack will be undefined.
+              if (!this.stack || this.stack.length === data.nextIdx) {
                 logger.debug('express router called without a callback.');
                 data.result = undefined;
                 return;

package/lib/telemetry.js

@@ -74,12 +74,18 @@ module.exports = class Telemetry {
       const mac = getMac();
 
       const hash = createHash('sha256').update(mac);
+      if (appInfo.containerId) {
+        hash.update(appInfo.containerId);
+      }
       this.instanceId = hash.copy().digest('hex');
       this.applicationId = hash.update(appInfo.name).digest('hex');
     } catch (err) {
       // If getMac fails we fall back to generating a UUID. "Unstable"
       // identifiers such as these are prefixed with an underscore.
-      const id = uuid();
+      let id = uuid();
+      if (appInfo.containerId) {
+        id += `_${appInfo.containerId}`;
+      }
 
       this.instanceId = `_${id}`;
       this.applicationId = this.instanceId;
@@ -92,7 +98,7 @@ module.exports = class Telemetry {
       osArch: appInfo.os.architecture,
       osPlatform: appInfo.os.platform,
       osRelease: appInfo.os.release,
-      isContainer: appInfo.isContainer,
+      isContainer: !!appInfo.containerId,
       agent: AGENT_INFO.NAME,
       agentVersion: AGENT_INFO.VERSION,
       isAssess: agent.isInAssessMode(),

package/lib/util/config-diagnostics-utils.js

@@ -29,25 +29,25 @@ function getLoggerValues(option, config, tsData) {
       tsValue = tsData.logFile;
       break;
     case 'agent.security_logger.syslog.enable':
-      tsValue = tsData.defend.syslog.enabled;
+      tsValue = tsData.defend.syslog && tsData.defend.syslog.enabled;
       break;
     case 'agent.security_logger.syslog.ip':
-      tsValue = tsData.defend.syslog.ipAddress;
+      tsValue = tsData.defend.syslog && tsData.defend.syslog.ipAddress;
       break;
     case 'agent.security_logger.syslog.port':
-      tsValue = tsData.defend.syslog.port;
+      tsValue = tsData.defend.syslog && tsData.defend.syslog.port;
       break;
     case 'agent.security_logger.syslog.fascility':
-      tsValue = tsData.defend.syslog.fascilityCode;
+      tsValue = tsData.defend.syslog && tsData.defend.syslog.fascilityCode;
       break;
     case 'agent.security_logger.syslog.severity_exploited':
-      tsValue = tsData.defend.syslog.severityExploited;
+      tsValue = tsData.defend.syslog && tsData.defend.syslog.severityExploited;
       break;
     case 'agent.security_logger.syslog.severity_blocked':
-      tsValue = tsData.defend.syslog.severityBlocked;
+      tsValue = tsData.defend.syslog && tsData.defend.syslog.severityBlocked;
       break;
     case 'agent.security_logger.syslog.severity_probed':
-      tsValue = tsData.defend.syslog.severityProbed;
+      tsValue = tsData.defend.syslog && tsData.defend.syslog.severityProbed;
       break;
     default:
       break;

package/lib/util/heap-dump.js

@@ -59,14 +59,12 @@ const init = function init(config) {
     let count = 0;
 
     const interval = setInterval(() => {
-      if (count >= config.count) {
-        clearInterval(interval);
-        return;
-      }
-
       writeHeapSnapshot(config.path);
-
       count++;
+
+      if (count === config.count) {
+        clearInterval(interval);
+      }
     }, config.window_ms);
   }, config.delay_ms).unref();
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.28.0",
+  "version": "4.29.0",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",
@@ -121,7 +121,7 @@
     "@bmacnaughton/string-generator": "^1.0.0",
     "@contrast/eslint-config": "^3.0.2",
     "@contrast/fake-module": "file:test/mock/contrast-fake",
-    "@contrast/screener-service": "^1.12.9",
+    "@contrast/screener-service": "^1.12.12",
     "@hapi/boom": "file:test/mock/boom",
     "@hapi/hapi": "file:test/mock/hapi",
     "@ls-lint/ls-lint": "^1.11.2",

package/system-diagnostics.js

@@ -40,21 +40,41 @@ function isContainer() {
     fs.statSync('/.dockerenv');
     return true;
   } catch (err) {
-    // if no docker env, check /proc/self/cgroup
+    // if no docker env, check /proc/self/mountinfo
+  }
+
+  try {
+    return fs.readFileSync('proc/self/mountinfo', 'utf8').includes('docker/containers/');
+  } catch (err) {
+    // else check /proc/self/cgroup
   }
 
   try {
     return fs.readFileSync('/proc/self/cgroup', 'utf8').includes('docker');
   } catch (err) {
-    return false;
+    // if there's not such file we can conclude it's not docker env
   }
+
+  return false;
 }
 
 function isUsingPM2() {
-  const externalPkgPath =
-    process.env['npm_package_json'] || path.join(process.env['PWD'], 'package.json');
-  const externalPkg = require(externalPkgPath);
-  return { used: (process.env.pmx || false), version: externalPkg.dependencies.pm2 };
+  const used = !!process.env.pmx;
+  let version = null;
+
+  for (const pathVar of ['npm_package_json', 'PWD']) {
+    const packagePath = process.env[pathVar];
+    if (packagePath) {
+      try {
+        version = require(path.join(packagePath, 'package.json')).dependencies['pm2'];
+      } catch (err) {
+        //
+      }
+    }
+    if (version) break;
+  }
+
+  return { used, version };
 }
 
 const diagnostics = {
@@ -130,7 +150,6 @@ const diagnostics = {
       Node: {
         Version: process.version
       },
-      PM2: isUsingPM2(),
       OperatingSystem: {
         Architecture: os.arch(),
         Name: os.type(),
@@ -143,12 +162,14 @@ const diagnostics = {
       },
       Host: {
         isDocker: isContainer(),
+        PM2: isUsingPM2(),
         Memory: {
           Total: (os.totalmem() / 1e6).toFixed(0).concat(' MB'),
           Free: (os.freemem() / 1e6).toFixed(0).concat(' MB'),
           Used: ((os.totalmem() - os.freemem()) / 1e6).toFixed(0).concat(' MB'),
         }
       },
+      Application: require(path.join(process.env['PWD'], 'package.json')),
     };
 
     return info;