@contrast/agent 4.5.1 → 4.7.1

package/lib/protect/sinks/mongodb.js

@@ -21,47 +21,41 @@ const BaseSensor = require('../../hooks/frameworks/base');
 const patcher = require('../../hooks/patcher');
 const { PATCH_TYPES } = require('../../constants');
 const { emitSinkEvent } = require('../../hooks/frameworks/common');
+const agentEmitter = require('../../agent-emitter');
+const SinkEvent = require('../models/sink-event');
 
 const { SINK_TYPES } = constants;
 const ID = 'mongodb';
 
-/**
- * json.stringify(data) in try-catch
- * @param {any} data
- * @returns {string}
- */
-const safeStringify = (data) => {
-  try {
-    return JSON.stringify(data);
-  } catch (e) {
-    // ignore errors
-  }
-};
-
-/**
- * @param {any} query `cmd.query`
- * @returns {string}
- */
-const getQueryAsString = (args, version) => {
+function getCursorQueryData(args, version) {
   const query = semver.gte(version, '3.3.0')
     ? _.get(args, '0.cmd.query')
     : _.get(args, '1.query');
 
-  if (_.isString(query)) return query.toString();
-  if (!_.isObject(query)) return;
+  if (!query) {
+    return;
+  }
+
+  if (_.isString(query)) {
+    return query.toString()
+  }
 
   if (query['$where']) {
     return query['$where'].toString();
   }
 
-  const keys = Object.keys(query);
-  if (keys.length === 1 && _.isString(query[keys[0]])) {
-    // eval: { $where : 'process.exit()' }
-    return query[keys[0]];
+  return query;
+}
+
+function getOpQueryData(op) {
+  if (!op.q) {
+    return;
   }
-  // otherwise try and look at the stringified query
-  return safeStringify(query);
-};
+  if (op.q.$where) {
+    return op.q.$where;
+  }
+  return op.q;
+}
 
 class MongoDBSensor extends BaseSensor {
   constructor(agent) {
@@ -76,8 +70,11 @@ class MongoDBSensor extends BaseSensor {
         name: 'mongodb.CoreServer.prototype',
         patchType: PATCH_TYPES.PROTECT_SINK,
         pre: (wrapCtx) => {
-          const data = getQueryAsString(wrapCtx.args, version);
-          emitSinkEvent(data, SINK_TYPES.NOSQL_QUERY, ID);
+          emitSinkEvent(
+            getCursorQueryData(wrapCtx.args, version),
+            SINK_TYPES.NOSQL_QUERY,
+            ID
+          );
         }
       });
 
@@ -86,21 +83,12 @@ class MongoDBSensor extends BaseSensor {
         alwaysRun: true,
         name: 'mongodb.CoreServer.prototype',
         patchType: PATCH_TYPES.PROTECT_SINK,
-        pre: (wrapCtx) => {
-          const data = getQueryAsString(wrapCtx.args, version);
-          emitSinkEvent(data, SINK_TYPES.NOSQL_QUERY, ID);
-        }
-      });
-
-      // insert(ns, opts, options, cb)
-      patcher.patch(mongodb.CoreServer.prototype, 'insert', {
-        alwaysRun: true,
-        name: 'mongodb.CoreServer.prototype',
-        patchType: PATCH_TYPES.PROTECT_SINK,
-        pre: (wrapCtx) => {
-          const arg = _.get(wrapCtx, 'args.1');
-          const data = safeStringify(arg);
-          emitSinkEvent(data, SINK_TYPES.NOSQL_QUERY, ID);
+        pre: (data) => {
+          emitSinkEvent(
+            getCursorQueryData(data.args, version),
+            SINK_TYPES.NOSQL_QUERY,
+            ID
+          );
         }
       });
 
@@ -109,10 +97,17 @@ class MongoDBSensor extends BaseSensor {
         alwaysRun: true,
         name: 'mongodb.CoreServer.prototype',
         patchType: PATCH_TYPES.PROTECT_SINK,
-        pre: (wrapCtx) => {
-          const arg = _.get(wrapCtx, 'args.1');
-          const data = safeStringify(arg);
-          emitSinkEvent(data, SINK_TYPES.NOSQL_QUERY, ID);
+        pre: (data) => {
+          const ops = Array.isArray(data.args[1])
+            ? data.args[1]
+            : [data.args[1]];
+
+          for (const op of ops) {
+            const eData = getOpQueryData(op);
+            if (eData) {
+              emitSinkEvent(eData, SINK_TYPES.NOSQL_QUERY, ID);
+            }
+          }
         }
       });
 
@@ -121,10 +116,17 @@ class MongoDBSensor extends BaseSensor {
         alwaysRun: true,
         name: 'mongodb.CoreServer.prototype',
         patchType: PATCH_TYPES.PROTECT_SINK,
-        pre: (wrapCtx) => {
-          const arg = _.get(wrapCtx, 'args.1');
-          const data = safeStringify(arg);
-          emitSinkEvent(data, SINK_TYPES.NOSQL_QUERY, ID);
+        pre: (data) => {
+          const ops = Array.isArray(data.args[1])
+            ? data.args[1]
+            : [data.args[1]];
+
+          for (const op of ops) {
+            const eData = getOpQueryData(op);
+            if (eData) {
+              emitSinkEvent(eData, SINK_TYPES.NOSQL_QUERY, ID);
+            }
+          }
         }
       });
 
@@ -133,9 +135,8 @@ class MongoDBSensor extends BaseSensor {
         alwaysRun: true,
         name: 'mongodb.Db.prototype',
         patchType: PATCH_TYPES.PROTECT_SINK,
-        pre: (wrapCtx) => {
-          const data = _.get(wrapCtx, 'args.0');
-          emitSinkEvent(data, SINK_TYPES.NOSQL_QUERY, ID);
+        pre: (data) => {
+          emitSinkEvent(data.args[0], SINK_TYPES.NOSQL_QUERY, ID);
         }
       });
     });

package/lib/reporter/translations/to-protobuf/dtm/index.js

@@ -27,7 +27,7 @@ module.exports = {
   Finding: require('./finding'),
   HttpMethodTamperingDetails: require('./http-method-tampering-details'),
   HttpRequest: require('./http-request'),
-  IpBlacklistDetails: require('./ip-denylist-details'),
+  IpDenylistDetails: require('./ip-denylist-details'),
   LibraryUsageUpdate: require('./library-usage-update'),
   Poll: require('./poll'),
   NoSqlInjectionDetails: require('./no-sql-injection-details'),

package/lib/reporter/translations/to-protobuf/dtm/ip-denylist-details.js

@@ -16,7 +16,7 @@ Copyright: 2021 Contrast Security, Inc
 const { dtm } = require('@contrast/protobuf-api');
 
 module.exports = function IpDenylistDetails(details = {}) {
-  return new dtm.IpBlacklistDetails({
+  return new dtm.IpDenylistDetails({
     0: details.ip,
     1: details.uuid
   });

package/lib/reporter/translations/to-protobuf/dtm/rasp-rule-sample.js

@@ -65,7 +65,7 @@ const DETAILS_MAP = {
     Constructor: require('./untrusted-deserialization-details')
   },
   [IP_DENYLIST]: {
-    index: 22,
+    index: 44,
     Constructor: require('./ip-denylist-details')
   },
   [PATH_TRAVERSAL]: {

package/lib/reporter/translations/to-protobuf/settings/defend-features.js

@@ -33,22 +33,24 @@ function DefendFeatures(defend = {}) {
   const {
     auth,
     botBlockers = [],
-    ipBlacklists = [],
-    ipWhitelists = [],
     logEnhancers = [],
-    ruleDefinitionList = []
+    ruleDefinitionList = [],
+    ipDenylists = [],
+    ipAllowlists = []
   } = defend;
   return wrapToObject(
     new settings.DefendFeatures([
       defend.enabled, //                                             1          enabled
       defend['bot-blocker'], //                                      2      bot_blocker
       botBlockers.map((blocker) => BotBlocker(blocker).array), //    3     bot_blockers
-      ipBlacklists.map((bl) => IpFilter(bl).array), //               4    ip_blacklists
-      ipWhitelists.map((wl) => IpFilter(wl).array), //               5     ip_whitelist
+      undefined, //                                                  4                -
+      undefined, //                                                  5                -
       logEnhancers.map((le) => LogEnhancer(le).array), //            6    log_enhancers (unsupported as of q2-2019)
       ruleDefinitionList.map((def) => RuleDefinition(def).array), // 7 rule_definitions
       Syslog(defend.syslog).array, //                                8           syslog
-      Auth(auth).array //                                            9             auth
+      Auth(auth).array, //                                           9             auth
+      ipDenylists.map((dl) => IpFilter(dl).array), //                10    ip_denylists
+      ipAllowlists.map((al) => IpFilter(al).array) //                11   ip_allowlists
     ]),
     ({ syslog, ruleDefinitionsList }) => {
       ruleDefinitionsList.forEach(({ keywordsList, patternsList }) => {

package/lib/reporter/translations/to-protobuf/settings/exclusions.js

@@ -25,7 +25,6 @@ const {
 
 function Exclusion({
   assessmentRules,
-  blacklist,
   inputName,
   inputType,
   matchStrategy,
@@ -33,7 +32,8 @@ function Exclusion({
   name,
   rules,
   type,
-  urls
+  urls,
+  denylist
 }) {
   return wrapToObject(
     new settings.Exclusion([
@@ -44,11 +44,12 @@ function Exclusion({
       rules, //                                  5 protection_rules
       assessmentRules, //                        6 assessment_rules
       urls, //                                   7             urls
-      blacklist, //                              8        blacklist
+      undefined, //                              8                -
       ExclusionInputType(inputType), //          9       input_type
       inputName, //                             10       input_name
       modes.includes('assess'), //              11           assess
-      modes.includes('defend') //               12          protect
+      modes.includes('defend'), //              12          protect
+      denylist //                               13         denylist
     ]),
     (exclusion) => {
       exclusion.inputType = EXCLUSION_INPUT_TYPES[exclusion.inputType];

package/lib/tracker.js

@@ -45,12 +45,6 @@ const defaultContrastProperties = {
   }
 };
 
-// NOTE: this function just exists for us to get a better view
-// of the module's performance while profiling
-function getExtStringProps(ext) {
-  return distringuish.getProperties(ext);
-}
-
 // i'm not sure why this is a class. there are no methods, and externalized
 // strings don't have an instance of the class; they have an object with the
 // same property names.
@@ -74,37 +68,6 @@ class Tracker {
     this.metadata = new WeakMap();
   }
 
-  /**
-   * Map lookup for metadata of a value
-   *
-   * @param {*} value Tracked value
-   * @return {ContrastProperties|undefined}
-   */
-  getData(value) {
-    if (typeof value === 'string') {
-      const props = getExtStringProps(value);
-      if (props == null) {
-        return defaultContrastProperties;
-      }
-
-      return props;
-    }
-    return this.metadata.get(value) || defaultContrastProperties;
-  }
-
-  /**
-   * Resets a string's tracking metadata to the default contrast properties.
-   * This will effectively untrack the associated string, but it will still be
-   * the externalized value.
-   * @param {object} trackingData A tracked string's metadata
-   */
-  untrack(str) {
-    const trackingData = this.getData(str);
-    if (trackingData.tracked) {
-      Object.assign(trackingData, defaultContrastProperties);
-    }
-  }
-
   trackString(str) {
     if (str.length === 0) {
       return str;
@@ -113,7 +76,7 @@ class Tracker {
     // XXX: this is the closest we have to a dedup.
     // it may be kind of expensive. we need to consider whether or not
     // this is worthwhile
-    if (this.getData(str).tracked) {
+    if (this.getData(str)) {
       return str;
     }
 
@@ -143,38 +106,15 @@ class Tracker {
     return value;
   }
 
-  // trackArray(value, parent, sourceType, parentKey) {}
-
-  /**
-   * Associate properties with a string.
-   *
-   * @param   {*} value value to track
-   * @returns {*}       the value - tracked if some type of string, otherwise untracked
-   */
-  track(value) {
-    if (typeof value === 'string') {
-      return this.trackString(value);
-    }
-
-    if (value instanceof String) {
-      return this.trackStringObject(value);
-    }
-
-    return value;
-  }
 
   /**
    * Associate properties with a string. Returns null if str is not a string,
    * is a zero-length string, or any internal error takes place.
    *
-   * This behavior is different than track in that it requires the caller to check
-   * the return value. track always returned properties even if the value was not a
-   * string or there were no properties associated with the string value.
-   *
    * @param {*} str a value to track.
    * @returns {Object|null} {str, props} or null on error.
    */
-  track2(str) {
+  track(str) {
     if (typeof str === 'string') {
       // is the string already tracked?
       let props = distringuish.getProperties(str);
@@ -217,7 +157,7 @@ class Tracker {
    * @param {*} str any value
    * @return {ContrastProperties|null}
    */
-  getData2(str) {
+  getData(str) {
     if (typeof str === 'string') {
       return distringuish.getProperties(str);
     }
@@ -227,12 +167,20 @@ class Tracker {
     return null;
   }
 
-  untrack2(str) {
+  /**
+   * Resets a string's tracking metadata to the default contrast properties.
+   * This will effectively untrack the associated string, but it will still be
+   * the externalized value.
+   * @param {object} trackingData A tracked string's metadata
+   */
+  untrack(str) {
     if (typeof str === 'string') {
-      if (!distringuish.getProperties(str)) {
+      let props = distringuish.getProperties(str);
+      if (!props) {
         return null;
       }
       // return an untracked version of the string
+      Object.assign(props, {event: null, tagRanges: [], tracked: false})
       return distringuish.internalize(str);
     }
     if (str instanceof String) {

package/lib/util/some.js

@@ -0,0 +1,27 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+function some(array, predicate) {
+  let index = -1;
+  const length = array == null ? 0 : array.length;
+
+  while (++index < length) {
+    if (predicate(array[index], index, array)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+module.exports = some;

package/lib/util/source-map.js

@@ -133,7 +133,7 @@ class SourceMapUtility {
       const { line, source } = consumer.originalPositionFor({
         line: lineNumber,
         column
-      });
+      }) || { line: undefined, source: undefined };
 
       if (line) lineNumber = line;
       if (source) file = this.replaceSource(file, source);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.5.1",
+  "version": "4.7.1",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",
@@ -38,7 +38,8 @@
     "extract-licenses": "node scripts/extract-licenses",
     "fix": "eslint . --fix",
     "prepare": "husky install || exit 0",
-    "preversion": "npm run test:gh-ci"
+    "preversion": "npm run test:gh-ci",
+    "initsecrets": "scripts/detect-secrets.sh"
   },
   "lint-staged": {
     "*.js": "eslint --fix",
@@ -74,11 +75,10 @@
     "@contrast/fn-inspect": "^2.4.2",
     "@contrast/heapdump": "^1.1.0",
     "@contrast/protobuf-api": "^3.2.0",
-    "@contrast/require-hook": "^2.0.5",
+    "@contrast/require-hook": "^2.0.6",
     "@contrast/synchronous-source-maps": "^1.1.0",
     "amqp-connection-manager": "^3.2.2",
     "amqplib": "^0.8.0",
-    "base64url": "^3.0.1",
     "big-integer": "^1.6.36",
     "bluebird": "^3.5.3",
     "builtin-modules": "^3.2.0",
@@ -94,25 +94,22 @@
     "jspack": "0.0.4",
     "lodash": "^4.17.21",
     "make-dir": "^3.1.0",
-    "moment": "^2.21.0",
     "multi-stage-sourcemap": "^0.3.1",
     "on-finished": "^2.3.0",
     "parseurl": "^1.3.3",
     "prom-client": "^12.0.0",
     "recursive-readdir": "^2.2.2",
-    "request": "^2.88.0",
     "semver": "^7.3.2",
-    "source-map": "^0.7.3",
     "winston": "^3.1.0",
     "winston-daily-rotate-file": "^3.5.1",
-    "winston-syslog": "2.1.0",
     "yaml": "^1.10.0"
   },
   "devDependencies": {
+    "@aws-sdk/client-dynamodb": "^3.39.0",
     "@bmacnaughton/string-generator": "^1.0.0",
     "@contrast/eslint-config": "^2.0.1",
     "@contrast/fake-module": "file:test/mock/contrast-fake",
-    "@contrast/screener-service": "^1.12.4",
+    "@contrast/screener-service": "^1.12.5",
     "@hapi/boom": "file:test/mock/boom",
     "@hapi/hapi": "file:test/mock/hapi",
     "@ls-lint/ls-lint": "^1.8.1",
@@ -129,9 +126,10 @@
     "config": "^3.3.3",
     "csv-writer": "^1.2.0",
     "deasync": "^0.1.20",
+    "dustjs-linkedin": "^3.0.0",
     "ejs": "^3.1.6",
     "escape-html": "^1.0.3",
-    "eslint": "^5.16.0",
+    "eslint": "^8.2.0",
     "eslint-config-prettier": "^6.11.0",
     "eslint-plugin-mocha": "^7.0.1",
     "eslint-plugin-node": "^11.1.0",
@@ -147,27 +145,28 @@
     "jsdoc": "^3.6.7",
     "libxmljs": "file:test/mock/libxmljs",
     "libxmljs2": "file:test/mock/libxmljs2",
-    "lint-staged": "^11.0.0",
+    "lint-staged": "^12.0.2",
     "madge": "^4.0.1",
     "marsdb": "file:test/mock/marsdb",
-    "mocha": "^8.2.0",
-    "mochawesome": "^6.2.2",
+    "mocha": "^9.1.3",
+    "mochawesome": "^7.0.1",
     "mongodb": "file:test/mock/mongodb",
     "mongodb-npm": "npm:mongodb@^3.6.5",
+    "mongoose": "^6.1.1",
     "mustache": "^3.0.1",
     "mysql": "file:test/mock/mysql",
     "nock": "^12.0.3",
     "node-fetch": "^2.6.1",
     "node-serialize": "file:test/mock/node-serialize",
     "npm-license-crawler": "^0.2.1",
-    "nyc": "^15.0.0",
+    "nyc": "^15.1.0",
     "pg": "file:test/mock/pg",
     "pino": "^6.7.0",
     "prettier": "^1.19.1",
     "proxyquire": "^2.1.0",
     "qs": "^6.9.4",
     "rethinkdb": "file:test/mock/rethinkdb",
-    "sequelize": "^6.3.3",
+    "sequelize": "^6.11.0",
     "shellcheck": "^1.0.0",
     "sinon": "^7.2.2",
     "sinon-chai": "^3.3.0",
@@ -176,7 +175,7 @@
     "triple-beam": "^1.3.0",
     "typeorm": "file:test/mock/typeorm",
     "uuid": "^8.3.1",
-    "validator": "^13.5.2",
+    "validator": "^13.7.0",
     "xpath": "file:test/mock/xpath"
   },
   "main": "bootstrap.js",

package/lib/hooks/frameworks/https.js

@@ -1,42 +0,0 @@
-/**
-Copyright: 2021 Contrast Security, Inc
-  Contact: support@contrastsecurity.com
-  License: Commercial
-
-  NOTICE: This Software and the patented inventions embodied within may only be
-  used as part of Contrast Security’s commercial offerings. Even though it is
-  made available through public repositories, use of this Software is subject to
-  the applicable End User Licensing Agreement found at
-  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
-  between Contrast Security and the End User. The Software may not be reverse
-  engineered, modified, repackaged, sold, redistributed or otherwise used in a
-  way not consistent with the End User License Agreement.
-*/
-'use strict';
-
-const emitter = require('../../agent-emitter');
-const { HTTP_EVENTS } = require('../../constants');
-const HttpFramework = require('./http');
-
-const id = 'https';
-
-class HttpsFramework extends HttpFramework {
-  constructor(agent) {
-    super(agent, id);
-  }
-
-  /**
-   * Override for <code>HttpSource.prototype.handleServerCreate</code>.
-   * We override in order to emit the event with the proper callback argument -
-   * HTTPS servers take an `options` object as the first argument. We want the
-   * second callback argument.
-   * @param {*[]} args The arguments passed to the Server constructor
-   * @param {Server} server
-   */
-  handleServerCreate(args, server) {
-    const callback = args[1];
-    emitter.emit(HTTP_EVENTS.SERVER_CREATE, callback, server);
-  }
-}
-
-module.exports = HttpsFramework;