@contrast/agent 4.4.1 → 4.6.0

package/lib/assess/propagators/path/common.js

@@ -30,14 +30,21 @@ const path = require('path');
  */
 function splitString(str, win32) {
   // windows treats both (forward and backward) slashes as separators
-  str = str.split(win32 ? /[/\\]/ : /\//);
+  const posixRegEx = /(?=\/)/g;
+  const win32RegEx = /(?=[/\\])/g;
+
+  if (win32) {
+    str = str.replace(/\//g, '\\').split(win32RegEx);
+  } else {
+    str = str.split(posixRegEx);
+  }
   if (str.length) {
     // if there is an extension split it out.
     const ix = str[str.length - 1].lastIndexOf('.');
     if (ix > 0) {
       const last = str[str.length - 1];
       str[str.length - 1] = last.substr(0, ix);
-      str.push(last.substr(ix));
+      str.push(last.substr(ix + 1));
     }
   }
   return str;
@@ -48,16 +55,25 @@ function splitString(str, win32) {
  *
  * @param {Object} meta object of metadata from result/arg
  * @param {(segmentOffset: number) => boolean} meta.evaluator expression to determine the proper position of segment in string
- * @param {number} meta.offset offset of full arg from result of path.resolve
  * @param {string} meta.str result from path.resolve or arg
+ * @param {number} offset offset of full arg from result of path.resolve
  * @param {string} segment path segment from one of the args to path.resolve
  */
-function getSegmentOffset({ str, offset, evaluator }, segment) {
+function getSegmentOffset({ str, evaluator }, offset, segment, win32) {
   // as the segments in each arg and in the result get traversed,
   // winnow away the string to ensure we are finding the proper
   // segment within the path
   const substr = str.substring(offset);
-  const segmentOffset = substr.indexOf(segment);
+  let segmentOffset = substr.indexOf(segment);
+  // If tracking separators, evaluator will fail on extensions
+  if (substr === `.${segment}`) {
+    return segmentOffset + offset;
+  }
+  // Adjust offset if the segment does not start with a separator
+  const { sep } = path[win32 ? 'win32' : 'posix'];
+  if (substr.startsWith(sep) && !segment.startsWith(sep)) {
+    segmentOffset--;
+  }
 
   return evaluator(segmentOffset) ? segmentOffset + offset : -1;
 }
@@ -71,7 +87,12 @@ function getSegmentOffset({ str, offset, evaluator }, segment) {
  */
 function isWithinTag(str, start, tag) {
   const stop = str.length - 1 + start;
-  return tag.overlaps({ start, stop, tag: tag.tag });
+
+  return (
+    (stop <= tag.stop && stop >= tag.start) ||
+    (start >= tag.start && start <= tag.stop) ||
+    (tag.start >= start && tag.start <= stop)
+  );
 }
 
 /**
@@ -84,6 +105,7 @@ function isWithinTag(str, start, tag) {
  */
 function adjustStart({ tag, argOffset, offset }) {
   const start = tag.start - argOffset;
+
   return start > 0 ? start + offset : offset;
 }
 
@@ -135,15 +157,13 @@ function maybeUpdateResultMeta({ index, arg, resultMeta }) {
 }
 
 /**
- * Encapsulates moving the resultOffset based on a segment
+ * Calculates a new offset based on a segment
  *
- * @param {Object} resultMeta metadata from result of path.resolve
- * @param {Object} argMeta metadata for a given argument
+ * @param {Object} offset offset of the object
  * @param {string} segment path segment from one of the args to path.resolve
  */
-function calculateNewOffset(resultMeta, argMeta, segment) {
-  resultMeta.offset = resultMeta.offset + segment.length + 1;
-  argMeta.offset = argMeta.offset + segment.length + 1;
+function calculateNewOffset(offset, segment) {
+  return offset + segment.length;
 }
 
 /**
@@ -153,10 +173,89 @@ function calculateNewOffset(resultMeta, argMeta, segment) {
  * @param {string} segment path segment to check
  * @return {boolean}
  */
-function applicableSegment(segment) {
+function isApplicableSegment(segment) {
   return segment !== '.' && segment !== '..' && segment !== '';
 }
 
+/**
+ * Filters invalid segments like those that are not part of the end result.
+ * It also calculates additional offset.
+ *
+ * @param {*} segments splitted path into segments
+ * @param {Object} resultMeta metadata from result of path.resolve
+ * @param {Object} data the data object of the propagate function
+ * @param {number} index the iteration index
+ * @param {boolean} win32 indicating win32 to replace `/` with `\'
+ */
+function filterSegmentsAndCalculateOffset(
+  segments,
+  resultMeta,
+  data,
+  index,
+  win32
+) {
+  const { sep } = path[win32 ? 'win32' : 'posix'];
+  const isFirstIteration = index === 0;
+  const validSegments = [];
+  let additionalOffset = 0;
+
+  segments.reduce(
+    // eslint-disable-next-line complexity
+    (accumulator, segment) => {
+      let hasChange = false;
+      if (!isApplicableSegment(segment)) return accumulator;
+
+      if (!accumulator.isModified && !isFirstIteration) {
+        const previousArg = data.args[index - 1];
+
+        const sepAdded = !segment.startsWith(sep) && !previousArg.endsWith(sep);
+        const sepTaken = segment.startsWith(sep) && previousArg.endsWith(sep);
+        accumulator.isModified = sepAdded || sepTaken;
+        hasChange = sepAdded || sepTaken;
+        additionalOffset = hasChange ? (sepAdded ? 1 : -1) : 0;
+      }
+
+      const offset = getSegmentOffset(
+        resultMeta,
+        accumulator.offset + additionalOffset + accumulator.fileDotSeparator,
+        segment,
+        win32
+      );
+
+      // no reason to proceed if segment is not in final result
+      if (offset === -1) {
+        if (hasChange) {
+          additionalOffset = 0;
+          accumulator.isModified = false;
+        }
+
+        return accumulator;
+      }
+
+      // in case we have a file we need to increment the offset
+      if (resultMeta.str[offset + segment.length] === '.') {
+        accumulator.fileDotSeparator = 1;
+      }
+
+      validSegments.push(segment);
+      accumulator.offset = calculateNewOffset(accumulator.offset, segment);
+      accumulator.isModified = true;
+
+      return accumulator;
+    },
+    {
+      offset: resultMeta.offset,
+      fileDotSeparator: 0,
+      isModified: false
+    }
+  );
+
+  return {
+    additionalOffset,
+    segments: validSegments
+  };
+}
+
 /**
  * Moves the tag ranges properly based on if a path segment exists in the
  * result
@@ -164,42 +263,66 @@ function applicableSegment(segment) {
  * @param {Object} resultMeta metadata for the result
  * @param {Object} argMeta meta for a given argument
  * @param {boolean} win32 indicating win32 to replace `/` with `\'
+ * @param {Object} data the data object of the propagate function
+ * @param {number} index the iteration index
  */
-function adjustTagsToPart(resultMeta, argMeta, win32) {
+function adjustTagsToPart(resultMeta, argMeta, win32, data, index) {
   const { str, tagRanges } = argMeta;
-  const segments = splitString(str, win32);
-  const newTags = [];
-  segments.forEach((segment) => {
-    if (!applicableSegment(segment)) {
-      return;
-    }
+  const { segments, additionalOffset } = filterSegmentsAndCalculateOffset(
+    splitString(str, win32),
+    resultMeta,
+    data,
+    index,
+    win32
+  );
 
-    const offset = getSegmentOffset(resultMeta, segment);
-    // no reason to proceed if segment is not in final result
-    if (offset === -1) {
-      return;
-    }
+  // updating the offset
+  resultMeta.offset += additionalOffset;
 
-    const argOffset = getSegmentOffset(argMeta, segment);
+  return segments.reduce((newTags, segment) => {
+    const offset = getSegmentOffset(
+      resultMeta,
+      resultMeta.offset,
+      segment,
+      win32
+    );
 
-    calculateNewOffset(resultMeta, argMeta, segment);
+    const argOffset = getSegmentOffset(argMeta, argMeta.offset, segment, win32);
+
+    // updating the offset
+    resultMeta.offset = calculateNewOffset(resultMeta.offset, segment);
+    argMeta.offset = calculateNewOffset(argMeta.offset, segment);
+
+    // in case we have a file we need to increment the offset
+    if (resultMeta.str[offset + segment.length] === '.') {
+      resultMeta.offset += 1;
+    }
 
     tagRanges.forEach((tag) => {
-      if (isWithinTag(segment, argOffset, tag)) {
-        const start = adjustStart({ tag, argOffset, offset });
-        const stop = adjustStop({ tag, argOffset, offset, segment });
+      if (!isWithinTag(segment, argOffset, tag)) return;
 
-        newTags.push(new TagRange(start, stop, tag.tag));
-      }
+      const start = adjustStart({
+        tag,
+        argOffset,
+        offset
+      });
+      const stop = adjustStop({
+        tag,
+        argOffset,
+        offset,
+        segment
+      });
+
+      newTags.push(new TagRange(start, stop, tag.tag));
     });
-  });
 
-  return newTags;
+    return newTags;
+  }, []);
 }
 
 function propagate({ resultMeta, data, win32 }) {
   if (!resultMeta.evaluator) {
-    resultMeta.evaluator = (segmentOffset) => segmentOffset === 1;
+    resultMeta.evaluator = (segmentOffset) => segmentOffset === 0;
   }
 
   data.args.forEach((arg, index) => {
@@ -213,7 +336,13 @@ function propagate({ resultMeta, data, win32 }) {
       tagRanges: argData.tracked ? argData.tagRanges : []
     };
 
-    const targetTagRanges = adjustTagsToPart(resultMeta, argMeta, win32);
+    const targetTagRanges = adjustTagsToPart(
+      resultMeta,
+      argMeta,
+      win32,
+      data,
+      index
+    );
 
     if (targetTagRanges.length > 0) {
       resultMeta.parents.push(argData.event);

package/lib/assess/propagators/path/join.js

@@ -31,7 +31,11 @@ function hookPath(path) {
           resultMeta.offset = 0;
           resultMeta.evaluator = (segmentOffset) => segmentOffset === 0;
         }
-        propagate({ data, resultMeta, win32: os === 'win32' });
+        propagate({
+          data,
+          resultMeta,
+          win32: os === 'win32'
+        });
       }
     });
   }

package/lib/assess/propagators/path/normalize.js

@@ -43,7 +43,11 @@ module.exports.handle = function handle() {
             resultMeta.evaluator = (segmentOffset) => segmentOffset > -1;
           }
 
-          propagate({ resultMeta, data, win32: os === 'win32' });
+          propagate({
+            resultMeta,
+            data,
+            win32: os === 'win32'
+          });
         }
       });
     }

package/lib/assess/propagators/path/resolve.js

@@ -34,7 +34,12 @@ module.exports.handle = function handle() {
           if (!data.args[0]) return;
           const resultMeta = getResultMeta(data, 'resolve');
           const isAbsolute = absolutePath(data.args[0]);
-          resultMeta.offset = isAbsolute ? 0 : process.cwd().length;
+
+          /*
+            plus one in case isAbsolute is false since our working deretory ends without slash
+            example: /Users/John/Documents/Projects/node-agent
+          */
+          resultMeta.offset = isAbsolute ? 0 : process.cwd().length + 1;
 
           // a work-around for paths like C:\Windows
           if (
@@ -45,7 +50,11 @@ module.exports.handle = function handle() {
             resultMeta.evaluator = (segmentOffset) => segmentOffset > -1;
           }
 
-          propagate({ data, resultMeta, win32: os === 'win32' });
+          propagate({
+            data,
+            resultMeta,
+            win32: os === 'win32'
+          });
         }
       });
     }

package/lib/assess/response-scanning/autocomplete-missing.js

@@ -42,8 +42,6 @@ module.exports = ({ common }) => {
           start: 0,
           end: elements[i].length
         };
-      } else {
-        return;
       }
     }
   };

package/lib/assess/response-scanning/parameter-pollution.js

@@ -34,8 +34,6 @@ module.exports = ({ agent, common: { emitFinding } }) => {
           attribute: action,
           html: elements[i]
         };
-      } else {
-        return undefined;
       }
     }
   };

package/lib/core/arch-components/dynamodb.js

@@ -18,7 +18,6 @@ const agentEmitter = require('../../agent-emitter');
 const { PATCH_TYPES } = require('../../constants');
 const ModuleHook = require('../../hooks/require');
 const patcher = require('../../hooks/patcher');
-const _ = require('lodash');
 
 ModuleHook.resolve({ name: 'aws-sdk' }, (AWS) => {
   patcher.patch(AWS.DynamoDB.prototype, 'makeRequest', {
@@ -27,7 +26,7 @@ ModuleHook.resolve({ name: 'aws-sdk' }, (AWS) => {
     alwaysRun: true,
     post(ctx) {
       try {
-        const endpoint = _.get(this, 'endpoint');
+        const { endpoint } = this;
         agentEmitter.emit('architectureComponent', {
           vendor: 'DynamoDB',
           url: new URL(`${endpoint.protocol}//${endpoint.hostname}`).toString(),

package/lib/core/arch-components/dynamodbv3.js

@@ -0,0 +1,44 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const logger = require('../logger')('contrast:arch-component');
+const agentEmitter = require('../../agent-emitter');
+const { PATCH_TYPES } = require('../../constants');
+const ModuleHook = require('../../hooks/require');
+const patcher = require('../../hooks/patcher');
+
+function emitArchitectureComponent(endpoint) {
+  agentEmitter.emit('architectureComponent', {
+    vendor: 'DynamoDB',
+    url: new URL(`${endpoint.protocol}//${endpoint.hostname}`).toString(),
+    remoteHost: '',
+    remotePort: endpoint.port
+  });
+}
+
+ModuleHook.resolve({ name: '@aws-sdk/client-dynamodb' }, (AWS) => {
+  patcher.patch(AWS.DynamoDBClient.prototype, 'send', {
+    name: 'DynamoDBv3.arch_component',
+    patchType: PATCH_TYPES.ARCH_COMPONENT,
+    alwaysRun: true,
+    post(ctx) {
+      try {
+        this.config.endpoint().then(emitArchitectureComponent);
+      } catch (err) {
+        logger.warn('unable to report DynamoDB architecture component\n', err);
+      }
+    }
+  });
+});

package/lib/core/arch-components/index.js

@@ -17,3 +17,4 @@ require('./mysql');
 require('./sqlite3');
 require('./postgres');
 require('./dynamodb');
+require('./dynamodbv3');

package/lib/core/async-storage/hooks/bluebird.js

@@ -23,6 +23,26 @@ module.exports = function() {
   moduleHook.resolve({ name: 'bluebird' }, (bluebird) => {
     module.exports.patchConfig(bluebird);
     module.exports.patchAddCallbacks(bluebird);
+    module.exports.patchGetNewLibraryCopy(bluebird);
+  });
+};
+
+/**
+ * Ensures that new library copies are also instrumented.
+ * @param {function} bluebird the library export
+ */
+module.exports.patchGetNewLibraryCopy = function(bluebird) {
+  if (typeof bluebird.getNewLibraryCopy !== 'function') {
+    return;
+  }
+
+  patcher.patch(bluebird, 'getNewLibraryCopy', {
+    alwaysRun: true,
+    name: 'bluebird.getNewLibraryCopy',
+    patchType: PATCH_TYPES.ASYNC_CONTEXT,
+    post(data) {
+      module.exports.patchAddCallbacks(data.result);
+    }
   });
 };
 

package/lib/core/config/options.js

@@ -481,9 +481,10 @@ const agent = [
   {
     name: 'agent.stack_trace_limit',
     arg: '<limit>',
-    default: 10,
+    default: 25,
     fn: parseNum,
-    desc: 'set limit for stack trace size'
+    desc:
+      'set limit for stack trace size (larger limits will improve accuracy but increase memory usage)'
   },
   {
     name: 'agent.polling.app_activity_ms',

package/lib/core/express/utils.js

@@ -273,7 +273,7 @@ const normalizeSegment = (segment) => {
       }
     }
   } else if (segment instanceof RegExp) {
-    segment = segment.toString().replace(/^\/?|\/?$/g, '');
+    segment = segment.toString().replace(/(^\/?)|(\/?$)/g, '');
     segment = `/{${segment}}`;
   } else if (Array.isArray(segment)) {
     segment = segment.map((s) => `${normalizeSignatureArg(`${s}`)}`);

package/lib/core/logger/debug-logger.js

@@ -314,23 +314,21 @@ class DebugLogFactory {
         };
 
     [...levelNames, 'console'].forEach((level) => {
-      if (level !== noop) {
-        if (level === 'console') {
-          const orig = logger[level].bind(logger);
-          logger[level] = function(...args) {
-            return Scopes.runInNoInstrumentationScope(
-              () => orig(...args),
-              DEADZONE_NAME
-            );
-          };
-        } else {
-          logger[level] = function(message, ...splat) {
-            return Scopes.runInNoInstrumentationScope(
-              () => logger.log({ level, message, splat }),
-              DEADZONE_NAME
-            );
-          };
-        }
+      if (level === 'console') {
+        const orig = logger[level].bind(logger);
+        logger[level] = function(...args) {
+          return Scopes.runInNoInstrumentationScope(
+            () => orig(...args),
+            DEADZONE_NAME
+          );
+        };
+      } else {
+        logger[level] = function(message, ...splat) {
+          return Scopes.runInNoInstrumentationScope(
+            () => logger.log({ level, message, splat }),
+            DEADZONE_NAME
+          );
+        };
       }
     });
 

package/lib/core/stacktrace.js

@@ -15,13 +15,13 @@ Copyright: 2021 Contrast Security, Inc
 'use strict';
 
 const semver = require('semver');
+const agent = require('../agent');
 const process = require('process');
 const sourceMap = require('../util/source-map');
 const _isAgentPath = require('../util/is-agent-path');
 
-const STACK_TRACE_LIMIT = 25;
+const STACK_TRACE_LIMIT = agent.config.agent.stack_trace_limit;
 const EVAL_ORIGIN_REGEX = /\((.*?):(\d+):\d+\)/;
-const EJS_EVAL_ORIGIN_REGEX = /(.*\.ejs$)/;
 const EVENTS_FILE = semver.gte(process.version, '16.0.0')
   ? 'node:events'
   : 'events.js';
@@ -146,8 +146,7 @@ class Factory {
     if (callsite.isEval()) {
       evalOrigin = Factory.formatFileName(callsite.getEvalOrigin());
       [, file, lineNumber, columnNumber] =
-        evalOrigin.match(EVAL_ORIGIN_REGEX) ||
-        evalOrigin.match(EJS_EVAL_ORIGIN_REGEX);
+        evalOrigin.match(EVAL_ORIGIN_REGEX) || evalOrigin.endsWith('.ejs');
     }
 
     file = file || callsite.getFileName();

package/lib/feature-set.js

@@ -160,7 +160,8 @@ class FeatureSet {
     );
 
     return disabledConfig
-      .split(/\s*,\s*/)
+      .split(',')
+      .map((c) => c.trim())
       .some((disabledId) => id === disabledId);
   }
 

package/lib/hooks/encoding.js

@@ -31,7 +31,7 @@ module.exports = function() {
   hardPatchEncoding(Buffer.prototype, 'Buffer', 'lastIndexOf', 0);
   hardPatchEncoding(Buffer.prototype, 'Buffer', 'includes', 0);
 
-  hardPatchEncoding(Buffer, 'Buffer', 'alloc', 0, 1);
+  hardPatchEncoding(Buffer, 'Buffer', 'alloc', 0);
   hardPatchEncoding(Buffer.prototype, 'Buffer', 'fill', 0);
 };
 

package/lib/hooks/frameworks/base.js

@@ -22,8 +22,14 @@ const RequestFactory = require('../../reporter/models/utils/request-factory');
 const CleanStack = require('../../util/clean-stack');
 const agentEmitter = require('../../agent-emitter');
 
+/** @typedef {import('../../agent').ContrastAgent} Agent */
+
 class BaseFramework {
-  // sets options
+  /**
+   * @param {Object} opts
+   * @param {string} opts.id
+   * @param {Agent} opts.agent
+   */
   constructor({ id, agent } = {}) {
     this.id = id;
     this.agent = agent;
@@ -46,7 +52,7 @@ class BaseFramework {
    * -- Note --
    * The current imlementation uses a CleanStack instance in order to generate
    * a stackframe from which to obtain the information. This can be expensive.
-   * @returns {String}
+   * @returns {string}
    */
   getAppCodeLocation() {
     const limit = Error.stackTraceLimit;

package/lib/hooks/frameworks/http.js

@@ -19,39 +19,41 @@ const moduleHook = require('../require');
 const patcher = require('../patcher');
 const { HTTP_EVENTS, PATCH_TYPES } = require('../../constants');
 
-class HttpFramework extends BaseFramework {
-  constructor(agent, id = 'http') {
-    super({ id, agent });
-
-    this.init();
-  }
+/** @typedef {import('../../agent').ContrastAgent} Agent */
+/** @typedef {import('net').Server} Server */
 
+class HttpFramework extends BaseFramework {
   /**
-   * Initialization logic.
+   * @param {Agent} agent
+   * @param {string} id
    */
-  init() {
+  constructor(agent, id = 'http') {
+    super({ agent, id });
     moduleHook.resolve({ name: this.id }, this.onRequire.bind(this));
   }
 
+  /**
+   * @template {import('http') | import('https')} T
+   * @param {T} xport
+   * @returns {T}
+   */
   onRequire(xport) {
-    const { id } = this;
-
     patcher.patch(xport, 'Server', {
-      name: `${id}.Server`,
+      name: `${this.id}.Server`,
       patchType: PATCH_TYPES.FRAMEWORK,
       alwaysRun: true,
       post: (fnData) => this.handleServerCreate(fnData.args, fnData.result)
     });
 
     patcher.patch(xport, 'createServer', {
-      name: `${id}.createServer`,
+      name: `${this.id}.createServer`,
       patchType: PATCH_TYPES.FRAMEWORK,
       alwaysRun: true,
       post: (fnData) => this.handleServerCreate(fnData.args, fnData.result)
     });
 
     patcher.patch(xport.Server.prototype, 'listen', {
-      name: `${id}.Server.prototype`,
+      name: `${this.id}.Server.prototype`,
       patchType: PATCH_TYPES.FRAMEWORK,
       alwaysRun: true,
       pre: (fnData) => this.handleServerListen(fnData.args, fnData.obj)
@@ -62,6 +64,7 @@ class HttpFramework extends BaseFramework {
 
   /**
    * Emits a listen event if one has not been pubished for the server instance.
+   * @param {any[]}
    * @param {Server} server Server on which `listen` was called
    */
   handleServerListen(args, server) {
@@ -70,12 +73,16 @@ class HttpFramework extends BaseFramework {
 
   /**
    * Emits a create event for the new Server instance.
-   * @param {*[]} args The arguments passed to the Server constructor
+   * @param {any[]} args The arguments passed to the Server constructor
    * @param {Server} server The http Server instance
    */
   handleServerCreate(args, server) {
-    const [callback] = args;
-    this.emitter.emit(HTTP_EVENTS.SERVER_CREATE, callback, server);
+    const [options] = args;
+    let [, handler] = args;
+    if (typeof options === 'function') {
+      handler = options;
+    }
+    this.emitter.emit(HTTP_EVENTS.SERVER_CREATE, handler, server);
   }
 }