@contrast/agent 4.3.1-0 → 4.5.1

package/node_modules/unix-dgram/src/unix_dgram.cc

@@ -0,0 +1,404 @@
+// -D_GNU_SOURCE makes SOCK_NONBLOCK etc. available on linux
+#undef  _GNU_SOURCE
+#define _GNU_SOURCE
+
+#include <nan.h>
+
+#include <errno.h>
+#include <stddef.h>
+#include <unistd.h>
+#include <fcntl.h>
+
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <sys/socket.h>
+#include <sys/un.h>
+
+#include <map>
+
+#define offset_of(type, member)                                               \
+  ((intptr_t) ((char *) &(((type *) 8)->member) - 8))
+
+#define container_of(ptr, type, member)                                       \
+  ((type *) ((char *) (ptr) - offset_of(type, member)))
+
+namespace {
+
+void OnEvent(uv_poll_t* handle, int status, int events);
+
+using v8::Context;
+using v8::Function;
+using v8::FunctionTemplate;
+using v8::Integer;
+using v8::Local;
+using v8::Null;
+using v8::Object;
+using v8::Persistent;
+using v8::String;
+using v8::Value;
+
+struct SocketContext {
+  Nan::Callback recv_cb_;
+  Nan::Callback writable_cb_;
+  uv_poll_t handle_;
+  int fd_;
+};
+
+typedef std::map<int, SocketContext*> watchers_t;
+
+watchers_t watchers;
+
+
+inline void SetNonBlock(int fd) {
+  int flags;
+  int r;
+
+  flags = fcntl(fd, F_GETFL);
+  assert(flags != -1);
+
+  r = fcntl(fd, F_SETFL, flags | O_NONBLOCK);
+  assert(r != -1);
+}
+
+
+inline void SetCloExec(int fd) {
+  int flags;
+  int r;
+
+  flags = fcntl(fd, F_GETFD);
+  assert(flags != -1);
+
+  r = fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
+  assert(r != -1);
+}
+
+void OnRecv(SocketContext* sc) {
+  Nan::HandleScope scope;
+  Local<Value> argv[3];
+  msghdr msg;
+  iovec iov;
+  ssize_t err;
+  char scratch[65536];
+
+  /* Union to avoid breaking strict-aliasing rules */
+  union {
+    struct sockaddr_un s;
+    struct sockaddr_storage ss;
+  } u_addr;
+
+  argv[0] = argv[1] = argv[2] = Nan::Null();
+
+  iov.iov_base = scratch;
+  iov.iov_len = sizeof scratch;
+
+  u_addr.s.sun_path[0] = '\0';
+
+  memset(&msg, 0, sizeof msg);
+  msg.msg_iovlen = 1;
+  msg.msg_iov = &iov;
+  msg.msg_name = &u_addr.ss;
+  msg.msg_namelen = sizeof u_addr.ss;
+
+  do
+    err = recvmsg(sc->fd_, &msg, 0);
+  while (err == -1 && errno == EINTR);
+
+  if (err == -1) {
+    err = -errno;
+  } else {
+    argv[1] = Nan::CopyBuffer(scratch, err).ToLocalChecked();
+    if (u_addr.s.sun_path[0] != '\0') {
+      argv[2] = Nan::New<String>(u_addr.s.sun_path).ToLocalChecked();
+    }
+  }
+
+  argv[0] = Nan::New<Integer>(static_cast<int32_t>(err));
+
+  Nan::Call(sc->recv_cb_, sizeof(argv) / sizeof(argv[0]), argv);
+}
+
+void OnWritable(SocketContext* sc) {
+  Nan::HandleScope scope;
+  uv_poll_start(&sc->handle_, UV_READABLE, OnEvent);
+  Nan::Call(sc->writable_cb_, 0, NULL);
+}
+
+void OnEvent(uv_poll_t* handle, int status, int events) {
+  assert(0 == status);
+  assert(0 == (events & ~(UV_READABLE | UV_WRITABLE)));
+  SocketContext* sc = container_of(handle, SocketContext, handle_);
+  if (events & UV_READABLE)
+    OnRecv(sc);
+
+  if (events & UV_WRITABLE)
+    OnWritable(sc);
+}
+
+void StartWatcher(int fd, Local<Value> recv_cb, Local<Value> writable_cb) {
+  // start listening for incoming dgrams
+  SocketContext* sc = new SocketContext;
+  sc->recv_cb_.Reset(recv_cb.As<Function>());
+  sc->writable_cb_.Reset(writable_cb.As<Function>());
+  sc->fd_ = fd;
+
+  uv_poll_init(uv_default_loop(), &sc->handle_, fd);
+  uv_poll_start(&sc->handle_, UV_READABLE, OnEvent);
+
+  // so we can disarm the watcher when close(fd) is called
+  watchers.insert(watchers_t::value_type(fd, sc));
+}
+
+
+void FreeSocketContext(uv_handle_t* handle) {
+  SocketContext* sc = container_of(handle, SocketContext, handle_);
+  delete sc;
+}
+
+
+void StopWatcher(int fd) {
+  watchers_t::iterator iter = watchers.find(fd);
+  assert(iter != watchers.end());
+
+  SocketContext* sc = iter->second;
+  sc->recv_cb_.Reset();
+  sc->writable_cb_.Reset();
+  watchers.erase(iter);
+
+  uv_poll_stop(&sc->handle_);
+  uv_close(reinterpret_cast<uv_handle_t*>(&sc->handle_), FreeSocketContext);
+}
+
+
+NAN_METHOD(Socket) {
+  Nan::HandleScope scope;
+  Local<Value> recv_cb;
+  Local<Value> writable_cb;
+  int protocol;
+  int domain;
+  int type;
+  int fd;
+
+  assert(info.Length() == 5);
+
+  domain      = Nan::To<int32_t>(info[0]).FromJust();
+  type        = Nan::To<int32_t>(info[1]).FromJust();
+  protocol    = Nan::To<int32_t>(info[2]).FromJust();
+  recv_cb     = info[3];
+  writable_cb = info[4];
+
+#if defined(SOCK_NONBLOCK)
+  type |= SOCK_NONBLOCK;
+#endif
+#if defined(SOCK_CLOEXEC)
+  type |= SOCK_CLOEXEC;
+#endif
+
+  fd = socket(domain, type, protocol);
+  if (fd == -1) {
+    fd = -errno;
+    goto out;
+  }
+
+ #if !defined(SOCK_NONBLOCK)
+  SetNonBlock(fd);
+#endif
+#if !defined(SOCK_CLOEXEC)
+  SetCloExec(fd);
+#endif
+
+  StartWatcher(fd, recv_cb, writable_cb);
+
+out:
+  info.GetReturnValue().Set(fd);
+}
+
+
+NAN_METHOD(Bind) {
+  Nan::HandleScope scope;
+  sockaddr_un s;
+  int err;
+  int fd;
+
+  assert(info.Length() == 2);
+
+  fd = Nan::To<int32_t>(info[0]).FromJust();
+  Nan::Utf8String path(info[1]);
+
+  memset(&s, 0, sizeof(s));
+  strncpy(s.sun_path, *path, sizeof(s.sun_path) - 1);
+  s.sun_family = AF_UNIX;
+
+  err = 0;
+  if (bind(fd, reinterpret_cast<sockaddr*>(&s), sizeof(s)))
+    err = -errno;
+
+  info.GetReturnValue().Set(err);
+}
+
+NAN_METHOD(SendTo) {
+  Nan::HandleScope scope;
+  Local<Object> buf;
+  sockaddr_un s;
+  size_t offset;
+  size_t length;
+  msghdr msg;
+  iovec iov;
+  int err;
+  int fd;
+  int r;
+
+  assert(info.Length() == 5);
+
+  fd = Nan::To<int32_t>(info[0]).FromJust();
+  buf = Nan::To<Object>(info[1]).ToLocalChecked();
+  offset = Nan::To<uint32_t>(info[2]).FromJust();
+  length = Nan::To<uint32_t>(info[3]).FromJust();
+  Nan::Utf8String path(info[4]);
+
+  assert(node::Buffer::HasInstance(buf));
+  assert(offset + length <= node::Buffer::Length(buf));
+
+  iov.iov_base = node::Buffer::Data(buf) + offset;
+  iov.iov_len = length;
+
+  memset(&s, 0, sizeof(s));
+  strncpy(s.sun_path, *path, sizeof(s.sun_path) - 1);
+  s.sun_family = AF_UNIX;
+
+  memset(&msg, 0, sizeof msg);
+  msg.msg_iovlen = 1;
+  msg.msg_iov = &iov;
+  msg.msg_name = reinterpret_cast<void*>(&s);
+  msg.msg_namelen = sizeof(s);
+
+  do
+    r = sendmsg(fd, &msg, 0);
+  while (r == -1 && errno == EINTR);
+
+  err = 0;
+  if (r == -1)
+    err = -errno;
+
+  info.GetReturnValue().Set(err);
+}
+
+NAN_METHOD(Send) {
+  Nan::HandleScope scope;
+  Local<Object> buf;
+  msghdr msg;
+  iovec iov;
+  int err;
+  int fd;
+  int r;
+
+  assert(info.Length() == 2);
+
+  fd = Nan::To<int32_t>(info[0]).FromJust();
+  buf = Nan::To<Object>(info[1]).ToLocalChecked();
+  assert(node::Buffer::HasInstance(buf));
+
+  iov.iov_base = node::Buffer::Data(buf);
+  iov.iov_len = node::Buffer::Length(buf);
+
+  memset(&msg, 0, sizeof msg);
+  msg.msg_iovlen = 1;
+  msg.msg_iov = &iov;
+
+  do
+    r = sendmsg(fd, &msg, 0);
+  while (r == -1 && errno == EINTR);
+
+  err = 0;
+  if (r == -1) {
+    err = -errno;
+    if ((errno == EAGAIN) || (errno == EWOULDBLOCK) || (errno == ENOBUFS)) {
+      watchers_t::iterator iter = watchers.find(fd);
+      assert(iter != watchers.end());
+      SocketContext* sc = iter->second;
+      uv_poll_start(&sc->handle_, UV_READABLE | UV_WRITABLE, OnEvent);
+      err = 1;
+    }
+  }
+
+  info.GetReturnValue().Set(err);
+}
+
+NAN_METHOD(Connect) {
+  Nan::HandleScope scope;
+  sockaddr_un s;
+  int err;
+  int fd;
+
+  assert(info.Length() == 2);
+
+  fd = Nan::To<int32_t>(info[0]).FromJust();
+  Nan::Utf8String path(info[1]);
+
+  memset(&s, 0, sizeof(s));
+  strncpy(s.sun_path, *path, sizeof(s.sun_path) - 1);
+  s.sun_family = AF_UNIX;
+
+  err = 0;
+  if (connect(fd, reinterpret_cast<sockaddr*>(&s), sizeof(s)))
+    err = -errno;
+
+  info.GetReturnValue().Set(err);
+}
+
+
+NAN_METHOD(Close) {
+  Nan::HandleScope scope;
+  int err;
+  int fd;
+
+  assert(info.Length() == 1);
+  fd = Nan::To<int32_t>(info[0]).FromJust();
+
+  // Suppress EINTR and EINPROGRESS.  EINTR means that the close() system call
+  // was interrupted by a signal.  According to POSIX, the file descriptor is
+  // in an undefined state afterwards.  It's not safe to try closing it again
+  // because it may have been closed, despite the signal.  If we call close()
+  // again, then it would either:
+  //
+  //   a) fail with EBADF, or
+  //
+  //   b) close the wrong file descriptor if another thread or a signal handler
+  //      has reused it in the mean time.
+  //
+  // Neither is what we want but scenario B is particularly bad.  Not retrying
+  // the close() could, in theory, lead to file descriptor leaks but, in
+  // practice, operating systems do the right thing and close the file
+  // descriptor, regardless of whether the operation was interrupted by
+  // a signal.
+  //
+  // EINPROGRESS is benign.  It means the close operation was interrupted but
+  // that the file descriptor has been closed or is being closed in the
+  // background.  It's informative, not an error.
+  err = 0;
+  if (close(fd))
+    if (errno != EINTR && errno != EINPROGRESS)
+      err = -errno;
+
+  StopWatcher(fd);
+  info.GetReturnValue().Set(err);
+}
+
+
+void Initialize(Local<Object> target) {
+  // don't need to be read-only, only used by the JS shim
+  Nan::Set(target, Nan::New("AF_UNIX").ToLocalChecked(), Nan::New(AF_UNIX));
+  Nan::Set(target, Nan::New("SOCK_DGRAM").ToLocalChecked(),
+           Nan::New(SOCK_DGRAM));
+  Nan::SetMethod(target, "socket", Socket);
+  Nan::SetMethod(target, "bind", Bind);
+  Nan::SetMethod(target, "sendto", SendTo);
+  Nan::SetMethod(target, "send", Send);
+  Nan::SetMethod(target, "connect", Connect);
+  Nan::SetMethod(target, "close", Close);
+}
+
+
+} // anonymous namespace
+
+NODE_MODULE(unix_dgram, Initialize)

package/node_modules/unix-dgram/src/win_dummy.cc

@@ -0,0 +1,7 @@
+#include <node.h>
+
+namespace {
+void Initialize(v8::Local<v8::Object> target) {}
+}
+
+NODE_MODULE(unix_dgram, Initialize)

package/node_modules/unix-dgram/test/test-connect-callback.js

@@ -0,0 +1,68 @@
+var assert = require('assert');
+var fs = require('fs');
+
+var unix = require('../lib/unix_dgram');
+var SOCKNAME = '/tmp/unix_dgram.sock';
+
+var sentCount = 0;
+var seenCount = 0;
+var expected = 300;
+
+process.on('exit', function() {
+  assert.equal(seenCount, sentCount);
+});
+
+try { fs.unlinkSync(SOCKNAME); } catch (e) { /* swallow */ }
+
+var server = unix.createSocket('unix_dgram', function(buf, rinfo) {
+  assert.equal('' + buf, 'PING' + seenCount);
+  if (++ seenCount === expected) {
+    server.close();
+    client.close();
+  }
+});
+server.bind(SOCKNAME);
+
+var client = unix.createSocket('unix_dgram', function(buf, rinfo) {
+  assert(0);
+});
+
+client.on('error', function(err) {
+  console.error(err);
+  assert(0);
+});
+
+client.on('connect', function() {
+  console.error('connected');
+
+  client.on('congestion', function() {
+    throw new Error('Should not emit congestion');
+  });
+
+  client.on('writable', function() {
+    // swallow
+  });
+
+  function send() {
+    var msg = Buffer.from('PING' + sentCount);
+    client.send(msg, function(err) {
+      if (!err) {
+        ++ sentCount;
+        if (sentCount < expected) {
+          // process.nextTick() in today's Node.js master seems to stall
+          // after about ~194 process.nextTick() calls, that's why we
+          // use setImmediate() as a workaround.
+          setImmediate(send);
+        }
+      } else if (err.code < 0) {
+        throw new Error(err);
+      } else {
+        client.once('writable', send);
+      }
+    });
+  }
+
+  send();
+});
+
+client.connect(SOCKNAME);

package/node_modules/unix-dgram/test/test-connect.js

@@ -0,0 +1,53 @@
+var assert = require('assert');
+var fs = require('fs');
+
+var unix = require('../lib/unix_dgram');
+var SOCKNAME = '/tmp/unix_dgram.sock';
+
+var seenCount = 0;
+var expected = 300; // arbitrary enough to generate congestion
+
+process.on('exit', function() {
+  assert.equal(seenCount, expected);
+});
+
+try { fs.unlinkSync(SOCKNAME); } catch (e) { /* swallow */ }
+
+var server = unix.createSocket('unix_dgram', function(buf, rinfo) {
+  assert.equal('' + buf, 'PING' + seenCount);
+  if (++ seenCount === expected) {
+    server.close();
+    client.close();
+  }
+});
+server.bind(SOCKNAME);
+
+var client = unix.createSocket('unix_dgram', function(buf, rinfo) {
+  assert(0);
+});
+
+client.on('error', function(err) {
+  console.error(err);
+  assert(0);
+});
+
+// This test case create a huge congestion which throw a warn (possible EventEmitter memory leak detected)
+// In real process, it would be handled a smarter way (queued to re-send...)
+client.setMaxListeners(300);
+
+client.on('connect', function() {
+  console.error('connected');
+  client.on('congestion', function(buf) {
+    client.once('writable', function() {
+      client.send(buf);
+    });
+  });
+
+  var msg;
+  for(var i=0; i<expected; i++) {
+    msg = Buffer.from('PING' + i);
+    client.send(msg);
+  }
+});
+
+client.connect(SOCKNAME);

package/node_modules/unix-dgram/test/test-dgram-unix.js

@@ -0,0 +1,58 @@
+var assert = require('assert');
+var fs = require('fs');
+
+var unix = require('../lib/unix_dgram');
+var SOCKNAME = '/tmp/unix_dgram.sock';
+var SOCKNAME_CLIENT = '/tmp/unix_dgram_client.sock';
+
+var sentPing1 = false;
+var sentPing2 = false;
+var seenPing1 = false;
+var seenPing2 = false;
+
+process.on('exit', function() {
+  assert.equal(sentPing1, true);
+  assert.equal(sentPing2, true);
+  assert.equal(seenPing1, true);
+  assert.equal(seenPing2, true);
+});
+
+try { fs.unlinkSync(SOCKNAME); } catch (e) { /* swallow */ }
+try { fs.unlinkSync(SOCKNAME_CLIENT); } catch (e) { /* swallow */ }
+
+var n = 0;
+
+var server = unix.createSocket('unix_dgram', function(buf, rinfo) {
+  console.error('server recv', '' + buf, arguments);
+  switch (++n) {
+    case 1:
+      assert.equal('' + buf, 'PING1');
+      assert.equal(rinfo.path, null);
+      seenPing1 = true;
+      client.bind(SOCKNAME_CLIENT);
+      client.send(Buffer.from('PING2'), 0, 5, SOCKNAME, function() {
+        console.error('client send', arguments);
+        sentPing2 = true;
+      });
+    break;
+    case 2:
+      assert.equal('' + buf, 'PING2');
+      assert.equal(rinfo.path, SOCKNAME_CLIENT);
+      seenPing2 = true;
+      server.close();
+      client.close();
+    break;
+
+  }
+});
+server.bind(SOCKNAME);
+
+var client = unix.createSocket('unix_dgram', function(buf, rinfo) {
+  console.error('client recv', arguments);
+  assert(0);
+});
+
+client.send(Buffer.from('PING1'), 0, 5, SOCKNAME, function() {
+  console.error('client send', arguments);
+  sentPing1 = true;
+});

package/node_modules/unix-dgram/test/test-send-error.js

@@ -0,0 +1,26 @@
+var assert = require('assert');
+var fs = require('fs');
+
+var unix = require('../lib/unix_dgram');
+var SOCKNAME = '/tmp/unix_dgram.sock';
+
+try { fs.unlinkSync(SOCKNAME); } catch (e) { /* swallow */ }
+
+var client = unix.createSocket('unix_dgram', function(buf, rinfo) {
+  console.error('client recv', arguments);
+  assert(0);
+});
+
+client.once('error', function(err) {
+  assert.ok(err);
+  client.once('error', function(err) {
+    assert.ifError(err);
+  });
+
+  client.send(Buffer.from('ERROR2'), 0, 6, SOCKNAME, function(err) {
+    assert.ok(err);
+    client.close();
+  });
+});
+
+client.send(Buffer.from('ERROR1'), 0, 6, SOCKNAME);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.3.1-0",
+  "version": "4.5.1",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",
@@ -74,7 +74,7 @@
     "@contrast/fn-inspect": "^2.4.2",
     "@contrast/heapdump": "^1.1.0",
     "@contrast/protobuf-api": "^3.2.0",
-    "@contrast/require-hook": "^2.0.4",
+    "@contrast/require-hook": "^2.0.5",
     "@contrast/synchronous-source-maps": "^1.1.0",
     "amqp-connection-manager": "^3.2.2",
     "amqplib": "^0.8.0",
@@ -129,6 +129,7 @@
     "config": "^3.3.3",
     "csv-writer": "^1.2.0",
     "deasync": "^0.1.20",
+    "ejs": "^3.1.6",
     "escape-html": "^1.0.3",
     "eslint": "^5.16.0",
     "eslint-config-prettier": "^6.11.0",

package/perf-logs.js

@@ -1,4 +1,18 @@
 #!/usr/bin/env node
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
 'use strict';
 
 const { program } = require('commander');