@contrast/agent 4.31.1 → 4.32.0

package/bin/VERSION

@@ -1 +1 @@
-2.28.23
+2.28.24

package/lib/assess/hapi/sinks/xss.js

@@ -118,6 +118,14 @@ class HapiXssSink {
     });
   }
 
+  hasViewEngineSource(source) {
+    if (typeof source === 'object' && source.manager && source.context) {
+      return true;
+    }
+
+    return false;
+  }
+
   /**
    * Checks the response in a `onPreResponse` hook for xss vulns
    */
@@ -140,11 +148,14 @@ class HapiXssSink {
         requiredTags
       } = this.common;
 
+      const input = this.hasViewEngineSource(source) ? source.context : source;
+
       if (
         isVulnerable({
-          input: source,
+          input,
           disallowedTags,
           requiredTags,
+          searchDepth: typeof input === 'string' ? 0 : Infinity,
           ruleId
         })
       ) {

package/lib/assess/models/base-event.js

@@ -82,12 +82,19 @@ class BaseEvent {
   getAllParents(set = new Set()) {
     this.parents = sortEvents(this.parents);
 
-    this.parents.forEach((p) => {
-      if (p && !set.has(p)) {
-        set = p.getAllParents(set);
-        set.add(p);
-      }
-    });
+    try {
+      this.parents.forEach((p) => {
+        if (p && !set.has(p)) {
+          set = p.getAllParents(set);
+          set.add(p);
+        }
+      });
+    } catch (err) {
+      logger.warn(
+        'Unable to get all parents for dataflowEvent',
+        err
+      );
+    }
 
     return set;
   }
@@ -114,14 +121,14 @@ class BaseEvent {
     if (this.source === 'P') {
       const numArgs = this.context.hasArgsTracked.length;
       if (numArgs === 1) {
-        this.source = 'P0'
+        this.source = 'P0';
       } else {
         this.source = '';
         for (let i = 0; i < numArgs; i++) {
           if (this.context.hasArgsTracked[i]) {
             this.source += `P${i},`;
           }
-        }  
+        }
       }
     }
 

package/lib/contrast.js

@@ -115,16 +115,16 @@ contrastAgent.checkNodeVersion = function(
     !semver.satisfies(version, supportedVersions) ||
     semver.major(version) % 2
   ) {
-    const minVersion = semver.minVersion(supportedVersions).toString();
-    const maxVersion = supportedVersions
-      .split('||')
-      .pop()
-      .split('<')
-      .pop();
+    let validRanges = '';
+    supportedVersions.split('||').forEach((range) => {
+      const minVersion = semver.minVersion(range).toString();
+      const maxVersion = range.split('<').pop()
+        .trim();
+      validRanges += `${minVersion} and ${maxVersion}, `;
+    });
     logger.error(
-      'Contrast only officially supports Node LTS versions between %s and %s but detected %s. Continuing without instrumentation.',
-      minVersion,
-      maxVersion,
+      'Contrast only officially supports Node LTS versions between %sbut detected %s. Continuing without instrumentation.',
+      validRanges,
       version
     );
     return false;
@@ -191,6 +191,18 @@ function getAgentArgs(options) {
   return agentArgs;
 }
 
+function parseArgv(argv) {
+  const parsed = [];
+  const cwd = process.cwd();
+  for (let i = 0; i < argv.length; i++) {
+    if (argv[i].includes(cwd)) {
+      parsed.push(path.relative(cwd, argv[i]).toLowerCase());
+    } else {
+      parsed.push(path.basename(argv[i]).toLowerCase());
+    }
+  }
+  return parsed;
+}
 /**
  * Initializes config, logger and other non-instrumentation code.
  *
@@ -210,6 +222,26 @@ contrastAgent.prepare = function(...args) {
     const configUtil = require('./core/config/util');
     const config = configUtil.setup(options, logger);
 
+    if (config.agent.node.exclusive_entrypoint) {
+      const parsed = parseArgv(process.argv);
+      if (!parsed.includes(config.agent.node.exclusive_entrypoint)) {
+        return false;
+      }
+    }
+
+    if (config.agent.node.cmd_ignore_list) {
+      const parsed = parseArgv(process.argv);
+      const cmdIgnoreList = config.agent.node.cmd_ignore_list.split(',');
+      if (parsed.includes('npm')) {
+        if (cmdIgnoreList.includes('npm*')) return false;
+        parsed.shift();
+      }
+      const cmd = parsed.join(' ');
+      if (cmdIgnoreList.includes(cmd)) {
+        return false;
+      }
+    }
+
     loggerFactory.init(config);
 
     contrastAgent.doImports();

package/lib/core/config/options.js

@@ -454,6 +454,18 @@ const agent = [
     default: 16,
     desc: 'set the maximum body size that will be sent to speedracer for input analysis',
   },
+  {
+    // SEE NODE-2886
+    name: 'agent.node.cmd_ignore_list',
+    arg: '<commands>',
+    desc: 'comma-separated list of commands that will not startup the agent if agent is required; npm* will ignore all npm executables but not your application\'s scripts'
+  },
+  {
+    // SEE NODE-2886
+    name: 'agent.node.exclusive_entrypoint',
+    arg: '<entrypoint.js>',
+    desc: 'an entrypoint for an application that, when specified, will prevent the agent instrumenting on anything else'
+  },
   {
     name: 'agent.heap_dump.enable',
     arg: '[true]',

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.31.1",
+  "version": "4.32.0",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",
@@ -181,7 +181,7 @@
     "proxyquire": "^2.1.0",
     "qs": "^6.9.4",
     "rethinkdb": "file:test/mock/rethinkdb",
-    "sequelize": "^6.11.0",
+    "sequelize": "^6.29.0",
     "serve-static": "^1.15.0",
     "shellcheck": "^1.0.0",
     "sinon": "^9.2.4",