@contrast/agent 4.28.1 → 4.29.1

package/lib/app-info.js

@@ -18,22 +18,35 @@ const fs = require('fs');
 const path = require('path');
 const parentPackageJson = require('parent-package-json');
 const semver = require('semver');
+const { v4: uuid } = require('uuid');
 const { AGENT_INFO } = require('./constants');
 const logger = require('./core/logger')('contrast:appInfo');
 
-const isContainer = () => {
+const MOUNTINFO_REGEX = /\/docker\/containers\/(.*?)\//;
+const CGROUP_REGEX = /:\/docker\/([^/]+)$/;
+
+const getContainerId = () => {
   try {
-    fs.statSync('/.dockerenv');
-    return true;
+    const results = fs.readFileSync('/proc/self/mountinfo', 'utf8').match(MOUNTINFO_REGEX);
+
+    if (results) return results[1];
   } catch (err) {
-    // if no docker env, check /proc/self/cgroup
+    //
   }
 
   try {
-    return fs.readFileSync('/proc/self/cgroup', 'utf8').includes('docker');
+    const results = fs.readFileSync('/proc/self/cgroup', 'utf8').match(CGROUP_REGEX);
+
+    if (results) return results[1];
+  } catch (err) {
+    //
+  }
+
+  try {
+    fs.statSync('/.dockerenv');
+    return `_${uuid()}`;
   } catch (err) {
-    // if file not present,
-    return false;
+    return null;
   }
 };
 
@@ -69,7 +82,7 @@ class AppInfo {
       type: os.type()
     };
     this.hostname = os.hostname();
-    this.isContainer = isContainer();
+    this.containerId = getContainerId();
 
     logger.info('finding package.json for %s', this.indexFile);
 

package/lib/assess/policy/rules.json

@@ -555,6 +555,48 @@
               }
             ]
           }
+        },
+        "mssql/lib/base/prepared-statement.prototype.prepare": {
+          "type": "dataflow",
+          "enabled": true,
+          "conditions": {
+            "mode": "or",
+            "args": [
+              {
+                "index": 0,
+                "requiredTags": ["untrusted"],
+                "disallowedTags": ["sql-encoded", "limited-chars"]
+              }
+            ]
+          }
+        },
+        "mssql/lib/base/request.prototype.batch": {
+          "type": "dataflow",
+          "enabled": true,
+          "conditions": {
+            "mode": "or",
+            "args": [
+              {
+                "index": 0,
+                "requiredTags": ["untrusted"],
+                "disallowedTags": ["sql-encoded", "limited-chars"]
+              }
+            ]
+          }
+        },
+        "mssql/lib/base/request.prototype.query": {
+          "type": "dataflow",
+          "enabled": true,
+          "conditions": {
+            "mode": "or",
+            "args": [
+              {
+                "index": 0,
+                "requiredTags": ["untrusted"],
+                "disallowedTags": ["sql-encoded", "limited-chars"]
+              }
+            ]
+          }
         }
       }
     },

package/lib/assess/policy/signatures.json

@@ -626,6 +626,24 @@
       "methodName": "Database.prototype.prepare",
       "isModule": true
     },
+    "mssql/lib/base/prepared-statement.prototype.prepare": {
+      "moduleName": "mssql",
+      "version": ">=6.4.0",
+      "methodName": "PreparedStatement.prototype.prepare",
+      "isModule": true
+    },
+    "mssql/lib/base/request.prototype.batch": {
+      "moduleName": "mssql",
+      "version": ">=6.4.0",
+      "methodName": "Request.prototype.batch",
+      "isModule": true
+    },
+    "mssql/lib/base/request.prototype.query": {
+      "moduleName": "mssql",
+      "version": ">=6.4.0",
+      "methodName": "Request.prototype.query",
+      "isModule": true
+    },
     "path.format": {
       "moduleName": "path",
       "methodName": "format",

package/lib/contrast.js

@@ -319,27 +319,29 @@ contrastAgent.bootstrap = function(args) {
       );
     })
     .finally(async () => {
-      let destination = process.env['CONTRAST__AGENT__DIAGNOSTICS__REPORT_PATH'];
-      if (destination == null) {
-        destination = agent.config._flat['agent.logger.path'].split('/');
-        destination.pop() && destination.push('contrast_effective_config.json');
-        destination = destination.join('/');
-      }
-
-      const args = {
-        quiet: (process.env['CONTRAST__AGENT__DIAGNOSTICS__QUIET'] === 'false') ? false : true,
-        output: destination,
-      };
-
-      try {
-        outputAgentConfigFile(agent, options, args, null);
-      } catch (err) {
-        outputAgentConfigFile(agent, options, args, err);
-      }
-
-      if (!(process.env['CONTRAST__AGENT__SYSTEM_DIAGNOSTICS__ENABLE'] === 'false')) {
-        const info = fetchSystemInfo();
-        outputSystemInfo({ skip: false, quiet: true, output: 'contrast_system_info.json' }, info);
+      if (!(process.env['CONTRAST__AGENT__DIAGNOSTICS__ENABLE'] === 'false')) {
+        let destination = process.env['CONTRAST__AGENT__DIAGNOSTICS__REPORT_PATH'];
+        if (destination == null) {
+          destination = agent.config._flat['agent.logger.path'].split('/');
+          destination.pop() && destination.push('contrast_effective_config.json');
+          destination = destination.join('/');
+        }
+
+        const args = {
+          quiet: (process.env['CONTRAST__AGENT__DIAGNOSTICS__QUIET'] === 'false') ? false : true,
+          output: destination,
+        };
+
+        try {
+          outputAgentConfigFile(agent, options, args, null);
+        } catch (err) {
+          outputAgentConfigFile(agent, options, args, err);
+        }
+
+        if (!(process.env['CONTRAST__AGENT__SYSTEM_DIAGNOSTICS__ENABLE'] === 'false')) {
+          const info = fetchSystemInfo();
+          outputSystemInfo({ skip: false, quiet: true, output: 'contrast_system_info.json' }, info);
+        }
       }
     });
 };

package/lib/telemetry.js

@@ -74,12 +74,18 @@ module.exports = class Telemetry {
       const mac = getMac();
 
       const hash = createHash('sha256').update(mac);
+      if (appInfo.containerId) {
+        hash.update(appInfo.containerId);
+      }
       this.instanceId = hash.copy().digest('hex');
       this.applicationId = hash.update(appInfo.name).digest('hex');
     } catch (err) {
       // If getMac fails we fall back to generating a UUID. "Unstable"
       // identifiers such as these are prefixed with an underscore.
-      const id = uuid();
+      let id = uuid();
+      if (appInfo.containerId) {
+        id += `_${appInfo.containerId}`;
+      }
 
       this.instanceId = `_${id}`;
       this.applicationId = this.instanceId;
@@ -92,7 +98,7 @@ module.exports = class Telemetry {
       osArch: appInfo.os.architecture,
       osPlatform: appInfo.os.platform,
       osRelease: appInfo.os.release,
-      isContainer: appInfo.isContainer,
+      isContainer: !!appInfo.containerId,
       agent: AGENT_INFO.NAME,
       agentVersion: AGENT_INFO.VERSION,
       isAssess: agent.isInAssessMode(),

package/lib/util/config-diagnostics-utils.js

@@ -29,25 +29,25 @@ function getLoggerValues(option, config, tsData) {
       tsValue = tsData.logFile;
       break;
     case 'agent.security_logger.syslog.enable':
-      tsValue = tsData.defend.syslog && tsData.defend.syslog.enabled;
+      tsValue = tsData.defend.syslog && tsData.defend.syslog.syslogEnabled;
       break;
     case 'agent.security_logger.syslog.ip':
-      tsValue = tsData.defend.syslog && tsData.defend.syslog.ipAddress;
+      tsValue = tsData.defend.syslog && tsData.defend.syslog.syslogIpAddress;
       break;
     case 'agent.security_logger.syslog.port':
-      tsValue = tsData.defend.syslog && tsData.defend.syslog.port;
+      tsValue = tsData.defend.syslog && tsData.defend.syslog.syslogPortNumber;
       break;
-    case 'agent.security_logger.syslog.fascility':
-      tsValue = tsData.defend.syslog && tsData.defend.syslog.fascilityCode;
+    case 'agent.security_logger.syslog.facility':
+      tsValue = tsData.defend.syslog && tsData.defend.syslog.syslogFacilityCode;
       break;
     case 'agent.security_logger.syslog.severity_exploited':
-      tsValue = tsData.defend.syslog && tsData.defend.syslog.severityExploited;
+      tsValue = tsData.defend.syslog && tsData.defend.syslog.syslogSeverityExploited;
       break;
     case 'agent.security_logger.syslog.severity_blocked':
-      tsValue = tsData.defend.syslog && tsData.defend.syslog.severityBlocked;
+      tsValue = tsData.defend.syslog && tsData.defend.syslog.syslogSeverityBlocked;
       break;
     case 'agent.security_logger.syslog.severity_probed':
-      tsValue = tsData.defend.syslog && tsData.defend.syslog.severityProbed;
+      tsValue = tsData.defend.syslog && tsData.defend.syslog.syslogSeverityProbed;
       break;
     default:
       break;

package/lib/util/heap-dump.js

@@ -59,14 +59,12 @@ const init = function init(config) {
     let count = 0;
 
     const interval = setInterval(() => {
-      if (count >= config.count) {
-        clearInterval(interval);
-        return;
-      }
-
       writeHeapSnapshot(config.path);
-
       count++;
+
+      if (count === config.count) {
+        clearInterval(interval);
+      }
     }, config.window_ms);
   }, config.delay_ms).unref();
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.28.1",
+  "version": "4.29.1",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",

package/system-diagnostics.js

@@ -40,14 +40,22 @@ function isContainer() {
     fs.statSync('/.dockerenv');
     return true;
   } catch (err) {
-    // if no docker env, check /proc/self/cgroup
+    // if no docker env, check /proc/self/mountinfo
+  }
+
+  try {
+    return fs.readFileSync('proc/self/mountinfo', 'utf8').includes('docker/containers/');
+  } catch (err) {
+    // else check /proc/self/cgroup
   }
 
   try {
     return fs.readFileSync('/proc/self/cgroup', 'utf8').includes('docker');
   } catch (err) {
-    return false;
+    // if there's not such file we can conclude it's not docker env
   }
+
+  return false;
 }
 
 function isUsingPM2() {
@@ -55,11 +63,11 @@ function isUsingPM2() {
   let version = null;
 
   for (const pathVar of ['npm_package_json', 'PWD']) {
-    let packagePath;
-    if (packagePath = process.env[pathVar]) {
+    const packagePath = process.env[pathVar];
+    if (packagePath) {
       try {
-        version = require(path.join(packagePath, 'package.json'));
-      } catch(err) {
+        version = require(path.join(packagePath, 'package.json')).dependencies['pm2'];
+      } catch (err) {
         //
       }
     }
@@ -124,6 +132,7 @@ const diagnostics = {
 
   fetchSystemInfo() {
     const yaml = setup({}, logger);
+    const appPath = process.cwd();
 
     const info = {
       ReportDate: new Date(),
@@ -142,7 +151,6 @@ const diagnostics = {
       Node: {
         Version: process.version
       },
-      PM2: isUsingPM2(),
       OperatingSystem: {
         Architecture: os.arch(),
         Name: os.type(),
@@ -155,12 +163,14 @@ const diagnostics = {
       },
       Host: {
         isDocker: isContainer(),
+        PM2: isUsingPM2(),
         Memory: {
           Total: (os.totalmem() / 1e6).toFixed(0).concat(' MB'),
           Free: (os.freemem() / 1e6).toFixed(0).concat(' MB'),
           Used: ((os.totalmem() - os.freemem()) / 1e6).toFixed(0).concat(' MB'),
         }
       },
+      Application: appPath ? require(path.join(appPath, 'package.json')) : null,
     };
 
     return info;