@contrast/agent 4.5.0 → 4.5.1

package/bin/VERSION

@@ -1 +1 @@
-2.26.0
+2.27.3

package/lib/assess/membrane/source-membrane.js

@@ -294,10 +294,9 @@ module.exports = class SourceMembrane extends Membrane {
     if (!(metadata.sourceType && metadata.path)) {
       return false;
     }
-    const koaQueryString = metadata.path.match(/(\w+)=/);
-    if (koaQueryString) {
-      // get 1st capture group, fall back to `metadata.path` if for some reason this does not exist
-      metadata.path = koaQueryString[1] || metadata.path;
+    const koaQueryString = metadata.path.split('=');
+    if (koaQueryString[1]) {
+      metadata.path = koaQueryString[0];
     }
     return true;
   }

package/lib/core/async-storage/hooks/bluebird.js

@@ -23,6 +23,26 @@ module.exports = function() {
   moduleHook.resolve({ name: 'bluebird' }, (bluebird) => {
     module.exports.patchConfig(bluebird);
     module.exports.patchAddCallbacks(bluebird);
+    module.exports.patchGetNewLibraryCopy(bluebird);
+  });
+};
+
+/**
+ * Ensures that new library copies are also instrumented.
+ * @param {function} bluebird the library export
+ */
+module.exports.patchGetNewLibraryCopy = function(bluebird) {
+  if (typeof bluebird.getNewLibraryCopy !== 'function') {
+    return;
+  }
+
+  patcher.patch(bluebird, 'getNewLibraryCopy', {
+    alwaysRun: true,
+    name: 'bluebird.getNewLibraryCopy',
+    patchType: PATCH_TYPES.ASYNC_CONTEXT,
+    post(data) {
+      module.exports.patchAddCallbacks(data.result);
+    }
   });
 };
 

package/lib/core/stacktrace.js

@@ -21,7 +21,6 @@ const _isAgentPath = require('../util/is-agent-path');
 
 const STACK_TRACE_LIMIT = 25;
 const EVAL_ORIGIN_REGEX = /\((.*?):(\d+):\d+\)/;
-const EJS_EVAL_ORIGIN_REGEX = /(.*\.ejs$)/;
 const EVENTS_FILE = semver.gte(process.version, '16.0.0')
   ? 'node:events'
   : 'events.js';
@@ -146,8 +145,7 @@ class Factory {
     if (callsite.isEval()) {
       evalOrigin = Factory.formatFileName(callsite.getEvalOrigin());
       [, file, lineNumber, columnNumber] =
-        evalOrigin.match(EVAL_ORIGIN_REGEX) ||
-        evalOrigin.match(EJS_EVAL_ORIGIN_REGEX);
+        evalOrigin.match(EVAL_ORIGIN_REGEX) || evalOrigin.endsWith('.ejs');
     }
 
     file = file || callsite.getFileName();

package/lib/feature-set.js

@@ -160,7 +160,8 @@ class FeatureSet {
     );
 
     return disabledConfig
-      .split(/\s*,\s*/)
+      .split(',')
+      .map((c) => c.trim())
       .some((disabledId) => id === disabledId);
   }
 

package/lib/hooks/patcher.js

@@ -22,19 +22,20 @@ Copyright: 2021 Contrast Security, Inc
 // the arguments keyword instead of providing a `...args` rest param.
 /* eslint-disable prefer-rest-params */
 
-const { promisify } = require('util');
 const logger = require('../core/logger')('contrast:hooks');
 const agent = require('../agent');
-const perfLogger = require('../core/logger/perf-logger')(agent);
-const _ = require('lodash');
 const perfLoggingEnabled =
   agent.config && agent.config.agent.node.req_perf_logging;
+const perfLogger = perfLoggingEnabled
+  ? require('../core/logger/perf-logger')(agent)
+  : undefined;
 const tracker = require('../tracker.js');
 const { AsyncStorage } = require('../core/async-storage');
 const {
   Scopes,
   SCOPE_NAMES: { NO_PROPAGATION }
 } = require('../core/async-storage/scopes');
+const promisifyCustom = Symbol.for('nodejs.util.promisify.custom');
 
 // When a pre-hook returns the result of this function, the value passed will
 // be used in place of the original function's return value, and the original
@@ -43,12 +44,8 @@ function preempt(value) {
   return new PatcherPreempt(value);
 }
 
-const { toString } = {};
-
 function isFunction(fn) {
-  return (
-    toString.call(this, fn) === '[object Function]' || fn instanceof Function
-  );
+  return fn instanceof Function || typeof fn === 'function';
 }
 
 function PatcherPreempt(v) {
@@ -112,15 +109,6 @@ function runHooks(type, options, data, fn, thisTarget) {
   });
 }
 
-/**
- * Checks if any of the provided arguments are tracked.
- * @param {any[]} args
- * @return {boolean}
- */
-function argsTracked(args) {
-  return _.some(args, (arg) => arg && tracker.getData(arg).tracked);
-}
-
 /**
  * Whether to skip the running of instrumentation in registered pre/post hooks.
  * When this returns `false` (don't skip), the pre/post hooks will execute in
@@ -232,8 +220,11 @@ function hookFunction(fn, options) {
     }
 
     // short-circuit optimization for add
-    if (fn.name === '__add' && !argsTracked(args)) {
-      return args[0] + args[1];
+    const [arg1, arg2] = args;
+    if (fn.name === '__add' && arg1 && arg2) {
+      if (!tracker.getData(arg1).tracked && !tracker.getData(arg2).tracked) {
+        return arg1 + arg2;
+      }
     }
 
     const data = {
@@ -292,7 +283,7 @@ function hookFunction(fn, options) {
     ...Object.getOwnPropertyNames(descriptors)
   ]) {
     if (
-      key === promisify.custom &&
+      key === promisifyCustom &&
       typeof descriptors[key].value === 'function'
     ) {
       // We must assume that custom promisified function values are true aliases
@@ -330,8 +321,7 @@ function hookableMethods(obj, props, callback) {
   }
 
   // Execute callback for every method in the props array.
-  let i = props.length;
-  while (i--) {
+  for (let i = props.length; i >= 0; i--) {
     // If the property isn't a function...
     if (
       !isFunction(obj[props[i]]) ||
@@ -482,7 +472,7 @@ function patch(obj, props, options) {
   }
 
   const hookedMethods = hookableMethods(obj, props).map(function(prop) {
-    const opts = _.clone(options);
+    const opts = Object.assign({}, options);
 
     // staticName means do not append methods to final name
     // only used for Function(aka global.ContrastFunction)

package/lib/protect/rules/cmd-injection-command-backdoors/backdoor-detector.js

@@ -14,7 +14,7 @@ Copyright: 2021 Contrast Security, Inc
 */
 'use strict';
 const { INPUT_TYPES } = require('../common');
-const SINK_EXPLOIT_PATTERN = /(?:^|\\|\/)(?:sh|bash|zsh|ksh|tcsh|csh|fish|cmd)([-/].*)*[-/][a-zA-Z]*c/i;
+const SINK_EXPLOIT_PATTERN_START = /(?:^|\\|\/)(?:sh|bash|zsh|ksh|tcsh|csh|fish|cmd)/;
 const stripWhiteSpace = (str) => str.replace(/\s/g, '');
 const REQUEST_KEYS = {
   queryParams: INPUT_TYPES.QUERYSTRING,
@@ -96,8 +96,8 @@ module.exports = class BackdoorDetector {
     const normalizedParam = stripWhiteSpace(requestValue);
     return (
       normalizedParam === this.normalizedCmd ||
-      (SINK_EXPLOIT_PATTERN.test(this.normalizedCmd) &&
-        this.normalizedCmd.endsWith(normalizedParam))
+      (this.normalizedCmd.endsWith(normalizedParam) &&
+        SINK_EXPLOIT_PATTERN_START.test(this.normalizedCmd))
     );
   }
 };

package/lib/protect/rules/signatures/reflected-xss/helpers/function-call.js

@@ -73,7 +73,7 @@ class FunctionCall {
   hasMultipleUnquotedBarewords() {
     let rc = false;
     const QUOTES = new RegExp('[\'|"]');
-    const MULTI_WORDS = new RegExp('[a-zA-Z]+\\s+[a-zA-Z]+');
+    const MULTI_WORDS = new RegExp('[\\w\\s]+');
     if (!this.expression.match(QUOTES)) {
       rc = this.expression.match(MULTI_WORDS);
     }

package/lib/protect/rules/xss/helpers/function-call.js

@@ -72,7 +72,7 @@ class FunctionCall {
   hasMultipleUnquotedBarewords() {
     let rc = false;
     const QUOTES = new RegExp('[\'|"]');
-    const MULTI_WORDS = new RegExp('[a-zA-Z]+\\s+[a-zA-Z]+');
+    const MULTI_WORDS = new RegExp('[\\w\\s]+');
     if (!this.expression.match(QUOTES)) {
       rc = this.expression.match(MULTI_WORDS);
     }

package/lib/util/clean-stack.js

@@ -202,7 +202,7 @@ const makeFrame = (callsite) => {
       evalOrigin = CleanStack.formatFileName(callsite.getEvalOrigin());
       [, file, lineNumber, columnNumber] = callsite
         .getEvalOrigin()
-        .match(/\((.*?):(\d+):\d+\)/);
+        .match(/\((.{3,4095}?):(\d+):\d+\)/);
     }
 
     file = file || callsite.getFileName();

package/lib/util/clean-string/brackets.js

@@ -40,7 +40,7 @@ class Brackets {
 }
 
 /**
- * Coerces occurrances of substrings that look like
+ * Coerces occurrences of substrings that look like
  * bracket accessors (['abcd'], ["efgh"]) into their
  * dot-accessor equivalents (.abcd, .efgh).
  * @param {} str
@@ -58,8 +58,8 @@ function coerceToDotAccessors(str) {
   }
 
   const bracketed = str.substring(startIdx, stopIdx + 1);
-  const patt = /^\[\s*(?:`|'|")([a-zA-Z_]+[a-zA-Z0-9_]*)(?:`|'|")\s*\]$/;
-  const match = patt.exec(bracketed);
+  const pattern = /^\[\s*[`'"]([a-zA-Z_]+[a-zA-Z0-9_]*)[`'"]\s*]$/;
+  const match = pattern.exec(bracketed);
 
   return !match
     ? str

package/lib/util/ip-analyzer.js

@@ -66,7 +66,7 @@ const getReqAddresses = (req = {}) => {
  */
 const getForwardedFor = (req = {}) => {
   const header = req.headers && req.headers['x-forwarded-for'];
-  return header ? header.split(/\s*,\s*/) : [];
+  return header ? header.split(',').map((x) => x.trim()) : [];
 };
 
 /**

package/lib/util/xml-analyzer/external-entity-finder.js

@@ -38,7 +38,7 @@ const UP_DIR_LINUX = '../';
 const UP_DIR_WIN = '..\\';
 const ENTITY_TYPES = { SYSTEM: 'SYSTEM', PUBLIC: 'PUBLIC' };
 
-const EXTERNAL_RX = /<!ENTITY\s+[a-zA-Z0-f]+\s+(?:SYSTEM|PUBLIC)\s+(?:.*?)>/g;
+const EXTERNAL_RX = /<!ENTITY\s+[a-zA-Z0-f]+\s+(?:SYSTEM|PUBLIC)\s+"(.*?)"\s*>/g;
 // <!ENTITY name SYSTEM "URI">
 const SYSTEM_ID_REGEX = /<!ENTITY\s+([a-zA-Z0-9]+)\s+SYSTEM\s+"(.*?)"\s*>/;
 // <!ENTITY name PUBLIC "public_ID" "URI">

package/node_modules/unix-dgram/build/Makefile

@@ -309,7 +309,7 @@ endif
 
 quiet_cmd_regen_makefile = ACTION Regenerating $@
 cmd_regen_makefile = cd $(srcdir); /opt/hostedtoolcache/node/12.22.7/x64/lib/node_modules/npm/node_modules/node-gyp/gyp/gyp_main.py -fmake --ignore-environment "-Dlibrary=shared_library" "-Dvisibility=default" "-Dnode_root_dir=/home/runner/.cache/node-gyp/12.22.7" "-Dnode_gyp_dir=/opt/hostedtoolcache/node/12.22.7/x64/lib/node_modules/npm/node_modules/node-gyp" "-Dnode_lib_file=/home/runner/.cache/node-gyp/12.22.7/<(target_arch)/node.lib" "-Dmodule_root_dir=/home/runner/work/node-agent/node-agent/target/node_modules/unix-dgram" "-Dnode_engine=v8" "--depth=." "-Goutput_dir=." "--generator-output=build" -I/home/runner/work/node-agent/node-agent/target/node_modules/unix-dgram/build/config.gypi -I/opt/hostedtoolcache/node/12.22.7/x64/lib/node_modules/npm/node_modules/node-gyp/addon.gypi -I/home/runner/.cache/node-gyp/12.22.7/include/node/common.gypi "--toplevel-dir=." binding.gyp
-Makefile: $(srcdir)/build/config.gypi $(srcdir)/../../../../../../../../opt/hostedtoolcache/node/12.22.7/x64/lib/node_modules/npm/node_modules/node-gyp/addon.gypi $(srcdir)/../../../../../../.cache/node-gyp/12.22.7/include/node/common.gypi $(srcdir)/binding.gyp
+Makefile: $(srcdir)/../../../../../../.cache/node-gyp/12.22.7/include/node/common.gypi $(srcdir)/build/config.gypi $(srcdir)/binding.gyp $(srcdir)/../../../../../../../../opt/hostedtoolcache/node/12.22.7/x64/lib/node_modules/npm/node_modules/node-gyp/addon.gypi
 	$(call do_cmd,regen_makefile)
 
 # "all" is a concatenation of the "all" targets from all the included

package/node_modules/unix-dgram/build/config.gypi

@@ -126,7 +126,7 @@
     "progress": "",
     "https_proxy": "",
     "save_prod": "",
-    "npm_session": "f073c21e90fab724",
+    "npm_session": "70d49993d405ee64",
     "audit": "true",
     "cidr": "",
     "onload_script": "",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.5.0",
+  "version": "4.5.1",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",