@contrast/agent 4.31.0 → 4.31.2

package/bin/VERSION

@@ -1 +1 @@
-2.28.23
+2.28.24

package/config-diagnostics.js

@@ -77,8 +77,7 @@ const diagnostics = {
   executeNodeAgent(args) {
     let agentEnvArgs =
       'CONTRAST__SHOW__BANNER=false ' +
-      'CONTRAST__AGENT__DIAGNOSTICS__ENABLE=true ' +
-      'CONTRAST__AGENT__SYSTEM_DIAGNOSTICS__ENABLE=false';
+      'CONTRAST__AGENT__DIAGNOSTICS__ENABLE=true ';
 
     if (!args.quiet) {
       agentEnvArgs = `${agentEnvArgs} CONTRAST__AGENT__DIAGNOSTICS__QUIET=false`;

package/lib/assess/fastify/sinks/xss.js

@@ -196,7 +196,8 @@ class FastifyXssSink {
       alwaysRun: true,
       pre(data) {
         // Final check after handler and all hooks have ran
-        const payload = data.args[0];
+        const replyState = AsyncStorage.get(KEYS.FASTIFY_REPLY_SEND_STATE);
+        const payload = data.args[0] || replyState.payload;
 
         if (
           isVulnerable({
@@ -206,8 +207,6 @@ class FastifyXssSink {
             ruleId
           })
         ) {
-          const replyState = AsyncStorage.get(KEYS.FASTIFY_REPLY_SEND_STATE);
-          // If the handler called Reply.send with a vuln report that stack.  Otherwise just report the current stack
           const ctxt = replyState
             ? CallContext.create({
                 obj: replyState.reply,

package/lib/assess/hapi/sinks/xss.js

@@ -118,6 +118,14 @@ class HapiXssSink {
     });
   }
 
+  hasViewEngineSource(source) {
+    if (typeof source === 'object' && source.manager && source.context) {
+      return true;
+    }
+
+    return false;
+  }
+
   /**
    * Checks the response in a `onPreResponse` hook for xss vulns
    */
@@ -140,11 +148,14 @@ class HapiXssSink {
         requiredTags
       } = this.common;
 
+      const input = this.hasViewEngineSource(source) ? source.context : source;
+
       if (
         isVulnerable({
-          input: source,
+          input,
           disallowedTags,
           requiredTags,
+          searchDepth: typeof input === 'string' ? 0 : Infinity,
           ruleId
         })
       ) {

package/lib/assess/models/base-event.js

@@ -82,12 +82,19 @@ class BaseEvent {
   getAllParents(set = new Set()) {
     this.parents = sortEvents(this.parents);
 
-    this.parents.forEach((p) => {
-      if (p && !set.has(p)) {
-        set = p.getAllParents(set);
-        set.add(p);
-      }
-    });
+    try {
+      this.parents.forEach((p) => {
+        if (p && !set.has(p)) {
+          set = p.getAllParents(set);
+          set.add(p);
+        }
+      });
+    } catch (err) {
+      logger.warn(
+        'Unable to get all parents for dataflowEvent',
+        err
+      );
+    }
 
     return set;
   }
@@ -114,14 +121,14 @@ class BaseEvent {
     if (this.source === 'P') {
       const numArgs = this.context.hasArgsTracked.length;
       if (numArgs === 1) {
-        this.source = 'P0'
+        this.source = 'P0';
       } else {
         this.source = '';
         for (let i = 0; i < numArgs; i++) {
           if (this.context.hasArgsTracked[i]) {
             this.source += `P${i},`;
           }
-        }  
+        }
       }
     }
 

package/lib/contrast.js

@@ -115,16 +115,16 @@ contrastAgent.checkNodeVersion = function(
     !semver.satisfies(version, supportedVersions) ||
     semver.major(version) % 2
   ) {
-    const minVersion = semver.minVersion(supportedVersions).toString();
-    const maxVersion = supportedVersions
-      .split('||')
-      .pop()
-      .split('<')
-      .pop();
+    let validRanges = '';
+    supportedVersions.split('||').forEach((range) => {
+      const minVersion = semver.minVersion(range).toString();
+      const maxVersion = range.split('<').pop()
+        .trim();
+      validRanges += `${minVersion} and ${maxVersion}, `;
+    });
     logger.error(
-      'Contrast only officially supports Node LTS versions between %s and %s but detected %s. Continuing without instrumentation.',
-      minVersion,
-      maxVersion,
+      'Contrast only officially supports Node LTS versions between %sbut detected %s. Continuing without instrumentation.',
+      validRanges,
       version
     );
     return false;
@@ -319,8 +319,8 @@ contrastAgent.bootstrap = function(args) {
       );
     })
     .finally(async () => {
-      if (!(process.env['CONTRAST__AGENT__DIAGNOSTICS__ENABLE'] === 'false')) {
-        let destination = process.env['CONTRAST__AGENT__DIAGNOSTICS__REPORT_PATH'];
+      if (agent.config._flat['agent.diagnostics.enable'] !== false) {
+        let destination = agent.config._flat['agent.diagnostics.report_path'];
         if (destination == null) {
           destination = agent.config._flat['agent.logger.path'].split('/');
           destination.pop() && destination.push('contrast_effective_config.json');
@@ -328,7 +328,7 @@ contrastAgent.bootstrap = function(args) {
         }
 
         const args = {
-          quiet: (process.env['CONTRAST__AGENT__DIAGNOSTICS__QUIET'] === 'false') ? false : true,
+          quiet: agent.config._flat['agent.diagnostics.quiet'],
           output: destination,
           skip: false,
         };
@@ -339,11 +339,9 @@ contrastAgent.bootstrap = function(args) {
           outputAgentConfigFile(agent, options, args, err);
         }
 
-        if (!(process.env['CONTRAST__AGENT__SYSTEM_DIAGNOSTICS__ENABLE'] === 'false')) {
-          args.output = path.join(args.output, '../contrast_system_info.json');
-          const info = fetchSystemInfo();
-          outputSystemInfo(args, info);
-        }
+        args.output = path.join(args.output, '../contrast_system_info.json');
+        const info = fetchSystemInfo();
+        outputSystemInfo(args, info);
       }
     });
 };

package/lib/core/config/options.js

@@ -240,6 +240,25 @@ const api = [
 ];
 
 const agent = [
+  {
+    name: 'agent.diagnostics.enable',
+    arg: '[false]',
+    default: true,
+    fn: castBoolean,
+    desc: 'If true the agent will try to create both diagnostic files at startup',
+  },
+  {
+    name: 'agent.diagnostics.quiet',
+    arg: '[false]',
+    default: true,
+    fn: castBoolean,
+    desc: 'If true the agent will print all diagnostic results to stdout as well',
+  },
+  {
+    name: 'agent.diagnostics.report_path',
+    arg: '<path>',
+    desc: 'path indicating where to report all diagnostics results',
+  },
   {
     name: 'agent.logger.append',
     arg: '[false]',
@@ -724,7 +743,8 @@ const assess = [
   {
     name: 'assess.enable_sanitizer_serve_static',
     arg: '<enable-sanitizer-serve-static>',
-    default: false,
+    default: true,
+    fn: castBoolean,
     desc: 'Enables the serve-static module as a path-traversal sanitizer. Express uses serve-static in a safe way' +
     'but manual setup of serve-static can be vulnerable. Even with Express there is a possibility for "traversing-down"' +
     'the served folder or user misconfiguration if not configured with an absolute path',

package/lib/core/config/util.js

@@ -301,10 +301,21 @@ function mergeCliOptions(cliOptions, logger) {
     // if it's an enum, find it in the enum or set the value to default
     // ineffective if optDefault wasn't in the enum;
     // optDefault won't get passed through fn, so it needs to be valid.
-    // XXX: do we want to warn whenever we fallback? that's tricky because
-    // logger hasn't been initialized yet.
     if (optEnum && optEnum.indexOf(value) === -1) {
-      value = fn(optDefault, logger);
+      const defaultOption = fn(optDefault, logger);
+      // If value is set but not in optEnum
+      if (value) {
+        logger.error(
+          "'%s' is not a valid option for %s\n\
+          Valid options include: %s\n\
+          Setting to default option: '%s'",
+          value,
+          name,
+          optEnum,
+          defaultOption
+        );
+      }
+      value = defaultOption;
       isFromDefault = true;
       origin = 'DEFAULT';
     }

package/lib/core/fastify/index.js

@@ -32,7 +32,7 @@ const constants = {
     FASTIFY_EXPORT: 'fastify-export', // used to patch methods on the fastify framework
     PRE_VALIDATION: 'fastify-prevalidation-hook', // used to implement fastify `preValidation` hook
     ON_SEND: 'fastify-onsend-hook', // used to implement fastify `onSend` hook
-    ON_ROUTE: 'fastify-onroute-hook' // used to implement fastify `onRoute` hook
+    ON_ROUTE: 'fastify-onroute-hook', // used to implement fastify `onRoute` hook
   }
 };
 

package/lib/util/config-diagnostics-utils.js

@@ -206,19 +206,16 @@ function outputAgentConfigFile(agent, options, args, err) {
     fs.accessSync(path.join(args.output, '..'), fs.constants.RDWD_OK);
     fs.writeFileSync(args.output, JSON.stringify(effectiveConfig, null, 2), 'utf-8');
   } catch (err) {
-    // try to write the file at pwd instead
     args.output = path.join(process.cwd(), 'contrast_effective_config.json');
-  }
-
-  try {
-    fs.accessSync(path.join(args.output, '..'), fs.constants.RDWD_OK);
-    fs.writeFileSync(args.output, JSON.stringify(effectiveConfig, null, 2), 'utf-8');
-  } catch (err) {
-    console.log(`Couldn't create effective config file: ${err}`);
+    try {
+      fs.writeFileSync(args.output, JSON.stringify(effectiveConfig, null, 2), 'utf-8');
+    } catch (err) {
+      console.log(`Couldn't create effective config file: ${err}`);
+    }
   }
 
   if (!args.quiet) {
-    console.log(JSON.stringify(effectiveConfig, null, 2));
+    fs.writeFileSync(1, JSON.stringify(effectiveConfig, null, 2), 'utf-8');
   }
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.31.0",
+  "version": "4.31.2",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",
@@ -181,7 +181,7 @@
     "proxyquire": "^2.1.0",
     "qs": "^6.9.4",
     "rethinkdb": "file:test/mock/rethinkdb",
-    "sequelize": "^6.11.0",
+    "sequelize": "^6.29.0",
     "serve-static": "^1.15.0",
     "shellcheck": "^1.0.0",
     "sinon": "^9.2.4",

package/system-diagnostics.js

@@ -132,7 +132,7 @@ const diagnostics = {
     }
 
     if (!args.quiet) {
-      console.log(JSON.stringify(info, null, 2));
+      fs.writeFileSync(1, JSON.stringify(info, null, 2), 'utf-8');
     }
   },