@contrast/agent 4.5.1 → 4.5.2

package/lib/assess/propagators/path/common.js

@@ -19,7 +19,6 @@ const TagRange = require('../../models/tag-range');
 const tagRangeUtil = require('../../models/tag-range/util');
 const tracker = require('../../../tracker');
 const path = require('path');
-let trackingSeparators;
 
 /**
  * Splits string by separator
@@ -31,8 +30,9 @@ let trackingSeparators;
  */
 function splitString(str, win32) {
   // windows treats both (forward and backward) slashes as separators
-  const posixRegEx = trackingSeparators ? /(?=\/)/g : /(\/)/g;
-  const win32RegEx = trackingSeparators ? /(?=[/\\])/g : /[/\\]/g;
+  const posixRegEx = /(?=\/)/g;
+  const win32RegEx = /(?=[/\\])/g;
+
   if (win32) {
     str = str.replace(/\//g, '\\').split(win32RegEx);
   } else {
@@ -55,29 +55,26 @@ function splitString(str, win32) {
  *
  * @param {Object} meta object of metadata from result/arg
  * @param {(segmentOffset: number) => boolean} meta.evaluator expression to determine the proper position of segment in string
- * @param {number} meta.offset offset of full arg from result of path.resolve
  * @param {string} meta.str result from path.resolve or arg
+ * @param {number} offset offset of full arg from result of path.resolve
  * @param {string} segment path segment from one of the args to path.resolve
  */
-function getSegmentOffset({ str, offset, evaluator }, segment, win32) {
+function getSegmentOffset({ str, evaluator }, offset, segment, win32) {
   // as the segments in each arg and in the result get traversed,
   // winnow away the string to ensure we are finding the proper
   // segment within the path
   const substr = str.substring(offset);
   let segmentOffset = substr.indexOf(segment);
   // If tracking separators, evaluator will fail on extensions
-  if (trackingSeparators && substr === `.${segment}`) {
+  if (substr === `.${segment}`) {
     return segmentOffset + offset;
   }
   // Adjust offset if the segment does not start with a separator
   const { sep } = path[win32 ? 'win32' : 'posix'];
-  if (
-    trackingSeparators &&
-    substr.startsWith(sep) &&
-    !segment.startsWith(sep)
-  ) {
+  if (substr.startsWith(sep) && !segment.startsWith(sep)) {
     segmentOffset--;
   }
+
   return evaluator(segmentOffset) ? segmentOffset + offset : -1;
 }
 
@@ -90,7 +87,12 @@ function getSegmentOffset({ str, offset, evaluator }, segment, win32) {
  */
 function isWithinTag(str, start, tag) {
   const stop = str.length - 1 + start;
-  return tag.overlaps({ start, stop, tag: tag.tag });
+
+  return (
+    (stop <= tag.stop && stop >= tag.start) ||
+    (start >= tag.start && start <= tag.stop) ||
+    (tag.start >= start && tag.start <= stop)
+  );
 }
 
 /**
@@ -103,6 +105,7 @@ function isWithinTag(str, start, tag) {
  */
 function adjustStart({ tag, argOffset, offset }) {
   const start = tag.start - argOffset;
+
   return start > 0 ? start + offset : offset;
 }
 
@@ -154,16 +157,13 @@ function maybeUpdateResultMeta({ index, arg, resultMeta }) {
 }
 
 /**
- * Encapsulates moving the resultOffset based on a segment
+ * Calculates a new offset based on a segment
  *
- * @param {Object} resultMeta metadata from result of path.resolve
- * @param {Object} argMeta metadata for a given argument
+ * @param {Object} offset offset of the object
  * @param {string} segment path segment from one of the args to path.resolve
  */
-function calculateNewOffset(resultMeta, argMeta, segment) {
-  const separatorOffset = trackingSeparators ? 0 : 1;
-  resultMeta.offset = resultMeta.offset + segment.length + separatorOffset;
-  argMeta.offset = argMeta.offset + segment.length + separatorOffset;
+function calculateNewOffset(offset, segment) {
+  return offset + segment.length;
 }
 
 /**
@@ -173,10 +173,89 @@ function calculateNewOffset(resultMeta, argMeta, segment) {
  * @param {string} segment path segment to check
  * @return {boolean}
  */
-function applicableSegment(segment) {
+function isApplicableSegment(segment) {
   return segment !== '.' && segment !== '..' && segment !== '';
 }
 
+/**
+ * Filters invalid segments like those that are not part of the end result.
+ * It also calculates additional offset.
+ *
+ * @param {*} segments splitted path into segments
+ * @param {Object} resultMeta metadata from result of path.resolve
+ * @param {Object} data the data object of the propagate function
+ * @param {number} index the iteration index
+ * @param {boolean} win32 indicating win32 to replace `/` with `\'
+ */
+function filterSegmentsAndCalculateOffset(
+  segments,
+  resultMeta,
+  data,
+  index,
+  win32
+) {
+  const { sep } = path[win32 ? 'win32' : 'posix'];
+  const isFirstIteration = index === 0;
+  const validSegments = [];
+  let additionalOffset = 0;
+
+  segments.reduce(
+    // eslint-disable-next-line complexity
+    (accumulator, segment) => {
+      let hasChange = false;
+      if (!isApplicableSegment(segment)) return accumulator;
+
+      if (!accumulator.isModified && !isFirstIteration) {
+        const previousArg = data.args[index - 1];
+
+        const sepAdded = !segment.startsWith(sep) && !previousArg.endsWith(sep);
+        const sepTaken = segment.startsWith(sep) && previousArg.endsWith(sep);
+        accumulator.isModified = sepAdded || sepTaken;
+        hasChange = sepAdded || sepTaken;
+        additionalOffset = hasChange ? (sepAdded ? 1 : -1) : 0;
+      }
+
+      const offset = getSegmentOffset(
+        resultMeta,
+        accumulator.offset + additionalOffset + accumulator.fileDotSeparator,
+        segment,
+        win32
+      );
+
+      // no reason to proceed if segment is not in final result
+      if (offset === -1) {
+        if (hasChange) {
+          additionalOffset = 0;
+          accumulator.isModified = false;
+        }
+
+        return accumulator;
+      }
+
+      // in case we have a file we need to increment the offset
+      if (resultMeta.str[offset + segment.length] === '.') {
+        accumulator.fileDotSeparator = 1;
+      }
+
+      validSegments.push(segment);
+      accumulator.offset = calculateNewOffset(accumulator.offset, segment);
+      accumulator.isModified = true;
+
+      return accumulator;
+    },
+    {
+      offset: resultMeta.offset,
+      fileDotSeparator: 0,
+      isModified: false
+    }
+  );
+
+  return {
+    additionalOffset,
+    segments: validSegments
+  };
+}
+
 /**
  * Moves the tag ranges properly based on if a path segment exists in the
  * result
@@ -184,43 +263,66 @@ function applicableSegment(segment) {
  * @param {Object} resultMeta metadata for the result
  * @param {Object} argMeta meta for a given argument
  * @param {boolean} win32 indicating win32 to replace `/` with `\'
+ * @param {Object} data the data object of the propagate function
+ * @param {number} index the iteration index
  */
-function adjustTagsToPart(resultMeta, argMeta, win32) {
+function adjustTagsToPart(resultMeta, argMeta, win32, data, index) {
   const { str, tagRanges } = argMeta;
-  const segments = splitString(str, win32);
-  const newTags = [];
-  segments.forEach((segment) => {
-    if (!applicableSegment(segment)) {
-      return;
-    }
-    const offset = getSegmentOffset(resultMeta, segment, win32);
-    // no reason to proceed if segment is not in final result
-    if (offset === -1) {
-      return;
-    }
+  const { segments, additionalOffset } = filterSegmentsAndCalculateOffset(
+    splitString(str, win32),
+    resultMeta,
+    data,
+    index,
+    win32
+  );
+
+  // updating the offset
+  resultMeta.offset += additionalOffset;
+
+  return segments.reduce((newTags, segment) => {
+    const offset = getSegmentOffset(
+      resultMeta,
+      resultMeta.offset,
+      segment,
+      win32
+    );
+
+    const argOffset = getSegmentOffset(argMeta, argMeta.offset, segment, win32);
 
-    const argOffset = getSegmentOffset(argMeta, segment, win32);
+    // updating the offset
+    resultMeta.offset = calculateNewOffset(resultMeta.offset, segment);
+    argMeta.offset = calculateNewOffset(argMeta.offset, segment);
 
-    calculateNewOffset(resultMeta, argMeta, segment);
+    // in case we have a file we need to increment the offset
+    if (resultMeta.str[offset + segment.length] === '.') {
+      resultMeta.offset += 1;
+    }
 
     tagRanges.forEach((tag) => {
-      if (isWithinTag(segment, argOffset, tag)) {
-        const start = adjustStart({ tag, argOffset, offset });
-        const stop = adjustStop({ tag, argOffset, offset, segment });
+      if (!isWithinTag(segment, argOffset, tag)) return;
 
-        newTags.push(new TagRange(start, stop, tag.tag));
-      }
+      const start = adjustStart({
+        tag,
+        argOffset,
+        offset
+      });
+      const stop = adjustStop({
+        tag,
+        argOffset,
+        offset,
+        segment
+      });
+
+      newTags.push(new TagRange(start, stop, tag.tag));
     });
-  });
 
-  return newTags;
+    return newTags;
+  }, []);
 }
 
-function propagate({ resultMeta, data, win32, trackSeparators }) {
-  trackingSeparators = trackSeparators;
+function propagate({ resultMeta, data, win32 }) {
   if (!resultMeta.evaluator) {
-    resultMeta.evaluator = (segmentOffset) =>
-      segmentOffset === (trackingSeparators ? 0 : 1);
+    resultMeta.evaluator = (segmentOffset) => segmentOffset === 0;
   }
 
   data.args.forEach((arg, index) => {
@@ -234,13 +336,20 @@ function propagate({ resultMeta, data, win32, trackSeparators }) {
       tagRanges: argData.tracked ? argData.tagRanges : []
     };
 
-    const targetTagRanges = adjustTagsToPart(resultMeta, argMeta, win32);
+    const targetTagRanges = adjustTagsToPart(
+      resultMeta,
+      argMeta,
+      win32,
+      data,
+      index
+    );
 
     if (targetTagRanges.length > 0) {
       resultMeta.parents.push(argData.event);
       tagRangeUtil.addAllInPlace(resultMeta.tagRanges, targetTagRanges);
     }
   });
+
   trackResult(resultMeta, data);
 }
 

package/lib/assess/propagators/path/join.js

@@ -31,7 +31,11 @@ function hookPath(path) {
           resultMeta.offset = 0;
           resultMeta.evaluator = (segmentOffset) => segmentOffset === 0;
         }
-        propagate({ data, resultMeta, win32: os === 'win32' });
+        propagate({
+          data,
+          resultMeta,
+          win32: os === 'win32'
+        });
       }
     });
   }

package/lib/assess/propagators/path/normalize.js

@@ -46,8 +46,7 @@ module.exports.handle = function handle() {
           propagate({
             resultMeta,
             data,
-            win32: os === 'win32',
-            trackSeparators: true
+            win32: os === 'win32'
           });
         }
       });

package/lib/assess/propagators/path/resolve.js

@@ -34,7 +34,12 @@ module.exports.handle = function handle() {
           if (!data.args[0]) return;
           const resultMeta = getResultMeta(data, 'resolve');
           const isAbsolute = absolutePath(data.args[0]);
-          resultMeta.offset = isAbsolute ? 0 : process.cwd().length;
+
+          /*
+            plus one in case isAbsolute is false since our working deretory ends without slash
+            example: /Users/John/Documents/Projects/node-agent
+          */
+          resultMeta.offset = isAbsolute ? 0 : process.cwd().length + 1;
 
           // a work-around for paths like C:\Windows
           if (
@@ -45,7 +50,11 @@ module.exports.handle = function handle() {
             resultMeta.evaluator = (segmentOffset) => segmentOffset > -1;
           }
 
-          propagate({ data, resultMeta, win32: os === 'win32' });
+          propagate({
+            data,
+            resultMeta,
+            win32: os === 'win32'
+          });
         }
       });
     }

package/lib/core/arch-components/dynamodb.js

@@ -18,7 +18,6 @@ const agentEmitter = require('../../agent-emitter');
 const { PATCH_TYPES } = require('../../constants');
 const ModuleHook = require('../../hooks/require');
 const patcher = require('../../hooks/patcher');
-const _ = require('lodash');
 
 ModuleHook.resolve({ name: 'aws-sdk' }, (AWS) => {
   patcher.patch(AWS.DynamoDB.prototype, 'makeRequest', {
@@ -27,7 +26,7 @@ ModuleHook.resolve({ name: 'aws-sdk' }, (AWS) => {
     alwaysRun: true,
     post(ctx) {
       try {
-        const endpoint = _.get(this, 'endpoint');
+        const { endpoint } = this;
         agentEmitter.emit('architectureComponent', {
           vendor: 'DynamoDB',
           url: new URL(`${endpoint.protocol}//${endpoint.hostname}`).toString(),

package/lib/core/arch-components/dynamodbv3.js

@@ -0,0 +1,44 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const logger = require('../logger')('contrast:arch-component');
+const agentEmitter = require('../../agent-emitter');
+const { PATCH_TYPES } = require('../../constants');
+const ModuleHook = require('../../hooks/require');
+const patcher = require('../../hooks/patcher');
+
+function emitArchitectureComponent(endpoint) {
+  agentEmitter.emit('architectureComponent', {
+    vendor: 'DynamoDB',
+    url: new URL(`${endpoint.protocol}//${endpoint.hostname}`).toString(),
+    remoteHost: '',
+    remotePort: endpoint.port
+  });
+}
+
+ModuleHook.resolve({ name: '@aws-sdk/client-dynamodb' }, (AWS) => {
+  patcher.patch(AWS.DynamoDBClient.prototype, 'send', {
+    name: 'DynamoDBv3.arch_component',
+    patchType: PATCH_TYPES.ARCH_COMPONENT,
+    alwaysRun: true,
+    post(ctx) {
+      try {
+        this.config.endpoint().then(emitArchitectureComponent);
+      } catch (err) {
+        logger.warn('unable to report DynamoDB architecture component\n', err);
+      }
+    }
+  });
+});

package/lib/core/arch-components/index.js

@@ -17,3 +17,4 @@ require('./mysql');
 require('./sqlite3');
 require('./postgres');
 require('./dynamodb');
+require('./dynamodbv3');

package/lib/hooks/patcher.js

@@ -36,6 +36,7 @@ const {
   SCOPE_NAMES: { NO_PROPAGATION }
 } = require('../core/async-storage/scopes');
 const promisifyCustom = Symbol.for('nodejs.util.promisify.custom');
+const some = require('../util/some');
 
 // When a pre-hook returns the result of this function, the value passed will
 // be used in place of the original function's return value, and the original
@@ -109,6 +110,15 @@ function runHooks(type, options, data, fn, thisTarget) {
   });
 }
 
+/**
+ * Checks if any of the provided arguments are tracked.
+ * @param {any[]} args
+ * @return {boolean}
+ */
+function argsTracked(args) {
+  return some(args, (arg) => arg && tracker.getData(arg).tracked);
+}
+
 /**
  * Whether to skip the running of instrumentation in registered pre/post hooks.
  * When this returns `false` (don't skip), the pre/post hooks will execute in
@@ -220,11 +230,8 @@ function hookFunction(fn, options) {
     }
 
     // short-circuit optimization for add
-    const [arg1, arg2] = args;
-    if (fn.name === '__add' && arg1 && arg2) {
-      if (!tracker.getData(arg1).tracked && !tracker.getData(arg2).tracked) {
-        return arg1 + arg2;
-      }
+    if (fn.name === '__add' && !argsTracked(args)) {
+      return args[0] + args[1];
     }
 
     const data = {
@@ -321,7 +328,8 @@ function hookableMethods(obj, props, callback) {
   }
 
   // Execute callback for every method in the props array.
-  for (let i = props.length; i >= 0; i--) {
+  let i = props.length;
+  while (i--) {
     // If the property isn't a function...
     if (
       !isFunction(obj[props[i]]) ||
@@ -472,7 +480,7 @@ function patch(obj, props, options) {
   }
 
   const hookedMethods = hookableMethods(obj, props).map(function(prop) {
-    const opts = Object.assign({}, options);
+    const opts = typeof options === 'object' ? { ...options } : options;
 
     // staticName means do not append methods to final name
     // only used for Function(aka global.ContrastFunction)

package/lib/util/some.js

@@ -0,0 +1,27 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+function some(array, predicate) {
+  let index = -1;
+  const length = array == null ? 0 : array.length;
+
+  while (++index < length) {
+    if (predicate(array[index], index, array)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+module.exports = some;

package/node_modules/unix-dgram/build/Makefile

@@ -309,7 +309,7 @@ endif
 
 quiet_cmd_regen_makefile = ACTION Regenerating $@
 cmd_regen_makefile = cd $(srcdir); /opt/hostedtoolcache/node/12.22.7/x64/lib/node_modules/npm/node_modules/node-gyp/gyp/gyp_main.py -fmake --ignore-environment "-Dlibrary=shared_library" "-Dvisibility=default" "-Dnode_root_dir=/home/runner/.cache/node-gyp/12.22.7" "-Dnode_gyp_dir=/opt/hostedtoolcache/node/12.22.7/x64/lib/node_modules/npm/node_modules/node-gyp" "-Dnode_lib_file=/home/runner/.cache/node-gyp/12.22.7/<(target_arch)/node.lib" "-Dmodule_root_dir=/home/runner/work/node-agent/node-agent/target/node_modules/unix-dgram" "-Dnode_engine=v8" "--depth=." "-Goutput_dir=." "--generator-output=build" -I/home/runner/work/node-agent/node-agent/target/node_modules/unix-dgram/build/config.gypi -I/opt/hostedtoolcache/node/12.22.7/x64/lib/node_modules/npm/node_modules/node-gyp/addon.gypi -I/home/runner/.cache/node-gyp/12.22.7/include/node/common.gypi "--toplevel-dir=." binding.gyp
-Makefile: $(srcdir)/../../../../../../.cache/node-gyp/12.22.7/include/node/common.gypi $(srcdir)/build/config.gypi $(srcdir)/binding.gyp $(srcdir)/../../../../../../../../opt/hostedtoolcache/node/12.22.7/x64/lib/node_modules/npm/node_modules/node-gyp/addon.gypi
+Makefile: $(srcdir)/../../../../../../.cache/node-gyp/12.22.7/include/node/common.gypi $(srcdir)/../../../../../../../../opt/hostedtoolcache/node/12.22.7/x64/lib/node_modules/npm/node_modules/node-gyp/addon.gypi $(srcdir)/build/config.gypi $(srcdir)/binding.gyp
 	$(call do_cmd,regen_makefile)
 
 # "all" is a concatenation of the "all" targets from all the included

package/node_modules/unix-dgram/build/config.gypi

@@ -126,7 +126,7 @@
     "progress": "",
     "https_proxy": "",
     "save_prod": "",
-    "npm_session": "70d49993d405ee64",
+    "npm_session": "3f130026df618e76",
     "audit": "true",
     "cidr": "",
     "onload_script": "",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.5.1",
+  "version": "4.5.2",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",
@@ -109,6 +109,7 @@
     "yaml": "^1.10.0"
   },
   "devDependencies": {
+    "@aws-sdk/client-dynamodb": "^3.39.0",
     "@bmacnaughton/string-generator": "^1.0.0",
     "@contrast/eslint-config": "^2.0.1",
     "@contrast/fake-module": "file:test/mock/contrast-fake",