@contrast/agent 4.5.0 → 4.7.0

package/lib/assess/propagators/path/resolve.js

@@ -34,7 +34,12 @@ module.exports.handle = function handle() {
           if (!data.args[0]) return;
           const resultMeta = getResultMeta(data, 'resolve');
           const isAbsolute = absolutePath(data.args[0]);
-          resultMeta.offset = isAbsolute ? 0 : process.cwd().length;
+
+          /*
+            plus one in case isAbsolute is false since our working deretory ends without slash
+            example: /Users/John/Documents/Projects/node-agent
+          */
+          resultMeta.offset = isAbsolute ? 0 : process.cwd().length + 1;
 
           // a work-around for paths like C:\Windows
           if (
@@ -45,7 +50,11 @@ module.exports.handle = function handle() {
             resultMeta.evaluator = (segmentOffset) => segmentOffset > -1;
           }
 
-          propagate({ data, resultMeta, win32: os === 'win32' });
+          propagate({
+            data,
+            resultMeta,
+            win32: os === 'win32'
+          });
         }
       });
     }

package/lib/assess/propagators/template-escape.js

@@ -0,0 +1,84 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const tracker = require('../../tracker');
+const TagRange = require('../models/tag-range');
+const { CallContext, PropagationEvent, Signature } = require('../models');
+
+function getEscapedTagRanges(input, result, start, stop, tag) {
+  const textArr = input.split('').slice(start, stop + 1);
+  const escapedArr = result.split('');
+  const overlap = textArr.filter((x) => {
+    if (escapedArr.includes(x)) {
+      return x;
+    }
+  });
+  if (overlap.length === 0) {
+    return [];
+  }
+  const newTagRanges = [];
+  let firstIndex = escapedArr.indexOf(overlap[0]);
+  let currIndex = firstIndex;
+  let nextIndex;
+  for (let i = 1; i < overlap.length; i++) {
+    nextIndex = escapedArr.indexOf(overlap[i], currIndex + 1);
+    if (nextIndex !== currIndex + 1) {
+      newTagRanges.push(new TagRange(firstIndex, currIndex, tag));
+      firstIndex = nextIndex;
+    }
+    if (i === overlap.length - 1) {
+      newTagRanges.push(new TagRange(firstIndex, nextIndex, tag));
+    }
+    currIndex = nextIndex;
+  }
+  return newTagRanges;
+}
+
+function propagator(data, tagName, signatureName) {
+  const input = data.args[0];
+
+  if (!input || !tracker.getData(input).tracked) {
+    return;
+  }
+
+  // adjust tag ranges
+  const tagRanges = [];
+  tracker.getData(input).tagRanges.forEach((range) => {
+    const { start, stop, tag } = range;
+    tagRanges.push(
+      ...getEscapedTagRanges(input, data.result, start, stop, tag)
+    );
+  });
+  tagRanges.push(new TagRange(0, data.result.length - 1, tagName));
+  const result = tracker.track(data.result);
+  const trackData = tracker.getData(result);
+  trackData.tagRanges = tagRanges;
+  trackData.event = new PropagationEvent({
+    context: new CallContext({
+      ...data,
+      obj: null
+    }),
+    parents: [trackData.event],
+    signature: new Signature(signatureName),
+    source: 'P',
+    target: 'R',
+    tagRanges,
+    tags: tagName
+  });
+  data.result = result;
+}
+
+module.exports.propagate = propagator;

package/lib/assess/propagators/templates.js

@@ -21,10 +21,9 @@ const tracker = require('../../tracker.js');
 
 const { PropagationEvent, Signature, CallContext } = require('../models');
 const { isString } = require('../../util/is-string');
+const injections = require('../../core/rewrite/injections');
 
-const ContrastMethods = require('../../core/rewrite/injections').get(
-  'ContrastMethods'
-);
+const ContrastMethods = injections.get('ContrastMethods');
 
 /**
  * In order to propagate through template literals, we leverage rewriting to

package/lib/assess/sinks/dustjs-linkedin-xss.js

@@ -0,0 +1,131 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const patcher = require('../../hooks/patcher');
+const { PATCH_TYPES } = require('../../constants');
+const moduleHook = require('../../hooks/require');
+const { CallContext, Signature } = require('../models');
+const {
+  RULES: { REFLECTED_XSS }
+} = require('../../constants');
+
+const signature = new Signature({
+  moduleName: 'http.ClientResponse',
+  methodName: 'write',
+  isModule: true
+});
+const moduleName = 'dustjs-linkedin';
+
+class Handler {
+  constructor({ report, isVulnerable, requiredTags, xss: { disallowedTags } }) {
+    this._isVulnerable = isVulnerable;
+    this.report = report;
+    this.requiredTags = requiredTags;
+    this.disallowedTags = disallowedTags;
+  }
+
+  isVulnerable(input) {
+    const { requiredTags, disallowedTags } = this;
+    const ret = this._isVulnerable({
+      input,
+      ruleId: REFLECTED_XSS,
+      disallowedTags,
+      requiredTags
+    });
+    return ret;
+  }
+
+  handle() {
+    moduleHook.resolve({ name: moduleName }, (dust) =>
+      this.handleRequire(dust)
+    );
+  }
+
+  getType(obj) {
+    return obj && obj.constructor && obj.constructor.name;
+  }
+
+  isResponseType(typeName) {
+    return typeName === 'ServerResponse';
+  }
+
+  patchDust(dust) {
+    const self = this;
+    patcher.patch(dust, 'stream', {
+      name: moduleName,
+      patchType: PATCH_TYPES.ASSESS_SINK,
+      alwaysRun: true,
+      post(data) {
+        self.patchStream(data.result);
+      }
+    });
+  }
+
+  /**
+   * Patch the pipe method and check wether the stream is targeting a
+   * response instance. If so, add the instance to the set of streams
+   * we should follow.
+   */
+  patchStream(streamInstance) {
+    const self = this;
+    patcher.patch(streamInstance, 'pipe', {
+      name: 'dust.Stream.prototype',
+      patchType: PATCH_TYPES.ASSESS_SINK,
+      alwaysRun: true,
+      pre({ args: [maybeRes] }) {
+        self.patchStreamTarget(maybeRes);
+      }
+    });
+  }
+
+  patchStreamTarget(target) {
+    const self = this;
+    const typeName = self.getType(target);
+
+    if (self.isResponseType(typeName)) {
+      patcher.patch(target, 'write', {
+        name: 'dust.pipeTarget',
+        patchType: PATCH_TYPES.ASSESS_SINK,
+        alwaysRun: true,
+        post({ args: [str], hooked }) {
+          if (self.isVulnerable(str)) {
+            self.report({
+              ruleId: REFLECTED_XSS,
+              signature,
+              input: str,
+              ctxt: new CallContext({
+                obj: typeName,
+                args: [str],
+                result: str,
+                stackOpts: {
+                  constructorOpt: hooked
+                }
+              })
+            });
+          }
+        }
+      });
+    }
+  }
+
+  handleRequire(dust) {
+    this.patchDust(dust);
+    return dust;
+  }
+}
+
+module.exports = ({ common }) => new Handler(common);
+module.exports.Handler = Handler;

package/lib/core/arch-components/dynamodb.js

@@ -18,7 +18,6 @@ const agentEmitter = require('../../agent-emitter');
 const { PATCH_TYPES } = require('../../constants');
 const ModuleHook = require('../../hooks/require');
 const patcher = require('../../hooks/patcher');
-const _ = require('lodash');
 
 ModuleHook.resolve({ name: 'aws-sdk' }, (AWS) => {
   patcher.patch(AWS.DynamoDB.prototype, 'makeRequest', {
@@ -27,7 +26,7 @@ ModuleHook.resolve({ name: 'aws-sdk' }, (AWS) => {
     alwaysRun: true,
     post(ctx) {
       try {
-        const endpoint = _.get(this, 'endpoint');
+        const { endpoint } = this;
         agentEmitter.emit('architectureComponent', {
           vendor: 'DynamoDB',
           url: new URL(`${endpoint.protocol}//${endpoint.hostname}`).toString(),

package/lib/core/arch-components/dynamodbv3.js

@@ -0,0 +1,44 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const logger = require('../logger')('contrast:arch-component');
+const agentEmitter = require('../../agent-emitter');
+const { PATCH_TYPES } = require('../../constants');
+const ModuleHook = require('../../hooks/require');
+const patcher = require('../../hooks/patcher');
+
+function emitArchitectureComponent(endpoint) {
+  agentEmitter.emit('architectureComponent', {
+    vendor: 'DynamoDB',
+    url: new URL(`${endpoint.protocol}//${endpoint.hostname}`).toString(),
+    remoteHost: '',
+    remotePort: endpoint.port
+  });
+}
+
+ModuleHook.resolve({ name: '@aws-sdk/client-dynamodb' }, (AWS) => {
+  patcher.patch(AWS.DynamoDBClient.prototype, 'send', {
+    name: 'DynamoDBv3.arch_component',
+    patchType: PATCH_TYPES.ARCH_COMPONENT,
+    alwaysRun: true,
+    post(ctx) {
+      try {
+        this.config.endpoint().then(emitArchitectureComponent);
+      } catch (err) {
+        logger.warn('unable to report DynamoDB architecture component\n', err);
+      }
+    }
+  });
+});

package/lib/core/arch-components/index.js

@@ -17,3 +17,4 @@ require('./mysql');
 require('./sqlite3');
 require('./postgres');
 require('./dynamodb');
+require('./dynamodbv3');

package/lib/core/arch-components/rethinkdb.js

@@ -0,0 +1,53 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const agentEmitter = require('../../agent-emitter');
+const { PATCH_TYPES } = require('../../constants');
+const ModuleHook = require('../../hooks/require');
+const patcher = require('../../hooks/patcher');
+const logger = require('../logger')('contrast:arch-component');
+
+ModuleHook.resolve({ name: 'rethinkdb' }, (rethinkdb) => {
+  patcher.patch(rethinkdb, 'connect', {
+    name: 'rethinkdb.arch_component',
+    patchType: PATCH_TYPES.ARCH_COMPONENT,
+    alwaysRun: true,
+    post(ctx) {
+      ctx.result
+        .then((res) => {
+          if (res.open) {
+            const url =
+              res.host == 'localhost'
+                ? 'http://localhost'
+                : new URL(res.host).toString();
+            agentEmitter.emit('architectureComponent', {
+              vendor: 'RethinkDB',
+              url,
+              remotePort: res.port
+            });
+          } else {
+            logger.warn('unable to open RethinkDB connection');
+          }
+        })
+        .catch((err) => {
+          logger.warn(
+            'unable to report RethinkDB architecture component\n%o',
+            err
+          );
+        });
+    }
+  });
+});

package/lib/core/async-storage/hooks/bluebird.js

@@ -23,6 +23,26 @@ module.exports = function() {
   moduleHook.resolve({ name: 'bluebird' }, (bluebird) => {
     module.exports.patchConfig(bluebird);
     module.exports.patchAddCallbacks(bluebird);
+    module.exports.patchGetNewLibraryCopy(bluebird);
+  });
+};
+
+/**
+ * Ensures that new library copies are also instrumented.
+ * @param {function} bluebird the library export
+ */
+module.exports.patchGetNewLibraryCopy = function(bluebird) {
+  if (typeof bluebird.getNewLibraryCopy !== 'function') {
+    return;
+  }
+
+  patcher.patch(bluebird, 'getNewLibraryCopy', {
+    alwaysRun: true,
+    name: 'bluebird.getNewLibraryCopy',
+    patchType: PATCH_TYPES.ASYNC_CONTEXT,
+    post(data) {
+      module.exports.patchAddCallbacks(data.result);
+    }
   });
 };
 

package/lib/core/config/options.js

@@ -483,7 +483,8 @@ const agent = [
     arg: '<limit>',
     default: 10,
     fn: parseNum,
-    desc: 'set limit for stack trace size'
+    desc:
+      'set limit for stack trace size (larger limits will improve accuracy but increase memory usage)'
   },
   {
     name: 'agent.polling.app_activity_ms',

package/lib/core/stacktrace.js

@@ -15,13 +15,13 @@ Copyright: 2021 Contrast Security, Inc
 'use strict';
 
 const semver = require('semver');
+const agent = require('../agent');
 const process = require('process');
 const sourceMap = require('../util/source-map');
 const _isAgentPath = require('../util/is-agent-path');
 
-const STACK_TRACE_LIMIT = 25;
+const STACK_TRACE_LIMIT = agent.config.agent.stack_trace_limit;
 const EVAL_ORIGIN_REGEX = /\((.*?):(\d+):\d+\)/;
-const EJS_EVAL_ORIGIN_REGEX = /(.*\.ejs$)/;
 const EVENTS_FILE = semver.gte(process.version, '16.0.0')
   ? 'node:events'
   : 'events.js';
@@ -146,8 +146,7 @@ class Factory {
     if (callsite.isEval()) {
       evalOrigin = Factory.formatFileName(callsite.getEvalOrigin());
       [, file, lineNumber, columnNumber] =
-        evalOrigin.match(EVAL_ORIGIN_REGEX) ||
-        evalOrigin.match(EJS_EVAL_ORIGIN_REGEX);
+        evalOrigin.match(EVAL_ORIGIN_REGEX) || evalOrigin.endsWith('.ejs');
     }
 
     file = file || callsite.getFileName();

package/lib/feature-set.js

@@ -160,7 +160,8 @@ class FeatureSet {
     );
 
     return disabledConfig
-      .split(/\s*,\s*/)
+      .split(',')
+      .map((c) => c.trim())
       .some((disabledId) => id === disabledId);
   }
 

package/lib/hooks/frameworks/base.js

@@ -22,8 +22,14 @@ const RequestFactory = require('../../reporter/models/utils/request-factory');
 const CleanStack = require('../../util/clean-stack');
 const agentEmitter = require('../../agent-emitter');
 
+/** @typedef {import('../../agent').ContrastAgent} Agent */
+
 class BaseFramework {
-  // sets options
+  /**
+   * @param {Object} opts
+   * @param {string} opts.id
+   * @param {Agent} opts.agent
+   */
   constructor({ id, agent } = {}) {
     this.id = id;
     this.agent = agent;
@@ -46,7 +52,7 @@ class BaseFramework {
    * -- Note --
    * The current imlementation uses a CleanStack instance in order to generate
    * a stackframe from which to obtain the information. This can be expensive.
-   * @returns {String}
+   * @returns {string}
    */
   getAppCodeLocation() {
     const limit = Error.stackTraceLimit;

package/lib/hooks/frameworks/http.js

@@ -19,39 +19,41 @@ const moduleHook = require('../require');
 const patcher = require('../patcher');
 const { HTTP_EVENTS, PATCH_TYPES } = require('../../constants');
 
-class HttpFramework extends BaseFramework {
-  constructor(agent, id = 'http') {
-    super({ id, agent });
-
-    this.init();
-  }
+/** @typedef {import('../../agent').ContrastAgent} Agent */
+/** @typedef {import('net').Server} Server */
 
+class HttpFramework extends BaseFramework {
   /**
-   * Initialization logic.
+   * @param {Agent} agent
+   * @param {string} id
    */
-  init() {
+  constructor(agent, id = 'http') {
+    super({ agent, id });
     moduleHook.resolve({ name: this.id }, this.onRequire.bind(this));
   }
 
+  /**
+   * @template {import('http') | import('https')} T
+   * @param {T} xport
+   * @returns {T}
+   */
   onRequire(xport) {
-    const { id } = this;
-
     patcher.patch(xport, 'Server', {
-      name: `${id}.Server`,
+      name: `${this.id}.Server`,
       patchType: PATCH_TYPES.FRAMEWORK,
       alwaysRun: true,
       post: (fnData) => this.handleServerCreate(fnData.args, fnData.result)
     });
 
     patcher.patch(xport, 'createServer', {
-      name: `${id}.createServer`,
+      name: `${this.id}.createServer`,
       patchType: PATCH_TYPES.FRAMEWORK,
       alwaysRun: true,
       post: (fnData) => this.handleServerCreate(fnData.args, fnData.result)
     });
 
     patcher.patch(xport.Server.prototype, 'listen', {
-      name: `${id}.Server.prototype`,
+      name: `${this.id}.Server.prototype`,
       patchType: PATCH_TYPES.FRAMEWORK,
       alwaysRun: true,
       pre: (fnData) => this.handleServerListen(fnData.args, fnData.obj)
@@ -62,6 +64,7 @@ class HttpFramework extends BaseFramework {
 
   /**
    * Emits a listen event if one has not been pubished for the server instance.
+   * @param {any[]}
    * @param {Server} server Server on which `listen` was called
    */
   handleServerListen(args, server) {
@@ -70,12 +73,16 @@ class HttpFramework extends BaseFramework {
 
   /**
    * Emits a create event for the new Server instance.
-   * @param {*[]} args The arguments passed to the Server constructor
+   * @param {any[]} args The arguments passed to the Server constructor
    * @param {Server} server The http Server instance
    */
   handleServerCreate(args, server) {
-    const [callback] = args;
-    this.emitter.emit(HTTP_EVENTS.SERVER_CREATE, callback, server);
+    const [options] = args;
+    let [, handler] = args;
+    if (typeof options === 'function') {
+      handler = options;
+    }
+    this.emitter.emit(HTTP_EVENTS.SERVER_CREATE, handler, server);
   }
 }
 

package/lib/hooks/frameworks/http2.js

@@ -0,0 +1,73 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const { PATCH_TYPES } = require('../../constants');
+const patcher = require('../patcher');
+const HttpFramework = require('./http');
+
+/** @typedef {import('../../agent').ContrastAgent} Agent */
+
+class Http2Framework extends HttpFramework {
+  /**
+   * @param {Agent} agent
+   */
+  constructor(agent) {
+    super(agent, 'http2');
+  }
+
+  /**
+   * @param {import('http2')} http2
+   * @returns {import('http2')}
+   */
+  onRequire(http2) {
+    patcher.patch(http2, 'createServer', {
+      name: `${this.id}.createServer`,
+      patchType: PATCH_TYPES.FRAMEWORK,
+      alwaysRun: true,
+      post: ({ args, result }) => this.handleServerCreate(args, result)
+    });
+
+    patcher.patch(http2, 'createSecureServer', {
+      name: `${this.id}.createSecureServer`,
+      patchType: PATCH_TYPES.FRAMEWORK,
+      alwaysRun: true,
+      post: ({ args, result }) => this.handleServerCreate(args, result)
+    });
+
+    return http2;
+  }
+
+  /**
+   * Emits a create event for the new Server instance.
+   * @param {any[]} args The arguments passed to the Server constructor
+   * @param {import('net').Server} server The http Server instance
+   */
+  handleServerCreate(args, server) {
+    super.handleServerCreate(args, server);
+
+    // Since the `Http2Server` class is not exported, we can patch it here after
+    // creation.
+    // NOTE: could we just patch `net.Server` here and in `http`?
+    patcher.patch(server, 'listen', {
+      name: `${this.id}.Http2Server.listen`,
+      patchType: PATCH_TYPES.FRAMEWORK,
+      alwaysRun: true,
+      pre: ({ args, obj }) => this.handleServerListen(args, obj)
+    });
+  }
+}
+
+module.exports = Http2Framework;

package/lib/hooks/frameworks/index.js

@@ -14,9 +14,14 @@ Copyright: 2021 Contrast Security, Inc
 */
 'use strict';
 
+const Http = require('./http');
+const Http2 = require('./http2');
+const Hapi16 = require('./hapi16');
+
 module.exports = function(agent) {
   // load all the hooks
-  new (require('./http'))(agent);
-  new (require('./https'))(agent);
-  new (require('./hapi16'))(agent);
+  new Http(agent);
+  new Http(agent, 'https');
+  new Http2(agent);
+  new Hapi16(agent);
 };