@contrast/agent 4.5.2 → 4.6.0

package/lib/assess/policy/propagators.json

@@ -67,6 +67,26 @@
         "type": "keep"
       }
     },
+    "dust.escapeHtml": {
+      "enabled": true,
+      "source": "P",
+      "target": "R",
+      "tags": ["html-encoded"],
+      "type": "overload",
+      "command": {
+        "type": "keep"
+      }
+    },
+    "dust.escapeJs": {
+      "enabled": true,
+      "source": "P",
+      "target": "R",
+      "tags": ["javascript-encoded"],
+      "type": "overload",
+      "command": {
+        "type": "keep"
+      }
+    },
     "pug.compile": {
       "enabled": true,
       "provider": "./propagators/pug-compile.js"

package/lib/assess/policy/signatures.json

@@ -233,6 +233,16 @@
       "methodName": "escape",
       "isModule": true
     },
+    "dust.escapeHtml": {
+      "moduleName": "dustjs-linkedin",
+      "methodName": "escapeHtml",
+      "isModule": true
+    },
+    "dust.escapeJs": {
+      "moduleName": "dustjs-linkedin",
+      "methodName": "escapeJs",
+      "isModule": true
+    },
     "express.response.send": {
       "moduleName": "express",
       "version": ">=4.0.0",

package/lib/core/config/options.js

@@ -481,9 +481,10 @@ const agent = [
   {
     name: 'agent.stack_trace_limit',
     arg: '<limit>',
-    default: 10,
+    default: 25,
     fn: parseNum,
-    desc: 'set limit for stack trace size'
+    desc:
+      'set limit for stack trace size (larger limits will improve accuracy but increase memory usage)'
   },
   {
     name: 'agent.polling.app_activity_ms',

package/lib/core/stacktrace.js

@@ -15,11 +15,12 @@ Copyright: 2021 Contrast Security, Inc
 'use strict';
 
 const semver = require('semver');
+const agent = require('../agent');
 const process = require('process');
 const sourceMap = require('../util/source-map');
 const _isAgentPath = require('../util/is-agent-path');
 
-const STACK_TRACE_LIMIT = 25;
+const STACK_TRACE_LIMIT = agent.config.agent.stack_trace_limit;
 const EVAL_ORIGIN_REGEX = /\((.*?):(\d+):\d+\)/;
 const EVENTS_FILE = semver.gte(process.version, '16.0.0')
   ? 'node:events'

package/lib/hooks/frameworks/base.js

@@ -22,8 +22,14 @@ const RequestFactory = require('../../reporter/models/utils/request-factory');
 const CleanStack = require('../../util/clean-stack');
 const agentEmitter = require('../../agent-emitter');
 
+/** @typedef {import('../../agent').ContrastAgent} Agent */
+
 class BaseFramework {
-  // sets options
+  /**
+   * @param {Object} opts
+   * @param {string} opts.id
+   * @param {Agent} opts.agent
+   */
   constructor({ id, agent } = {}) {
     this.id = id;
     this.agent = agent;
@@ -46,7 +52,7 @@ class BaseFramework {
    * -- Note --
    * The current imlementation uses a CleanStack instance in order to generate
    * a stackframe from which to obtain the information. This can be expensive.
-   * @returns {String}
+   * @returns {string}
    */
   getAppCodeLocation() {
     const limit = Error.stackTraceLimit;

package/lib/hooks/frameworks/http.js

@@ -19,39 +19,41 @@ const moduleHook = require('../require');
 const patcher = require('../patcher');
 const { HTTP_EVENTS, PATCH_TYPES } = require('../../constants');
 
-class HttpFramework extends BaseFramework {
-  constructor(agent, id = 'http') {
-    super({ id, agent });
-
-    this.init();
-  }
+/** @typedef {import('../../agent').ContrastAgent} Agent */
+/** @typedef {import('net').Server} Server */
 
+class HttpFramework extends BaseFramework {
   /**
-   * Initialization logic.
+   * @param {Agent} agent
+   * @param {string} id
    */
-  init() {
+  constructor(agent, id = 'http') {
+    super({ agent, id });
     moduleHook.resolve({ name: this.id }, this.onRequire.bind(this));
   }
 
+  /**
+   * @template {import('http') | import('https')} T
+   * @param {T} xport
+   * @returns {T}
+   */
   onRequire(xport) {
-    const { id } = this;
-
     patcher.patch(xport, 'Server', {
-      name: `${id}.Server`,
+      name: `${this.id}.Server`,
       patchType: PATCH_TYPES.FRAMEWORK,
       alwaysRun: true,
       post: (fnData) => this.handleServerCreate(fnData.args, fnData.result)
     });
 
     patcher.patch(xport, 'createServer', {
-      name: `${id}.createServer`,
+      name: `${this.id}.createServer`,
       patchType: PATCH_TYPES.FRAMEWORK,
       alwaysRun: true,
       post: (fnData) => this.handleServerCreate(fnData.args, fnData.result)
     });
 
     patcher.patch(xport.Server.prototype, 'listen', {
-      name: `${id}.Server.prototype`,
+      name: `${this.id}.Server.prototype`,
       patchType: PATCH_TYPES.FRAMEWORK,
       alwaysRun: true,
       pre: (fnData) => this.handleServerListen(fnData.args, fnData.obj)
@@ -62,6 +64,7 @@ class HttpFramework extends BaseFramework {
 
   /**
    * Emits a listen event if one has not been pubished for the server instance.
+   * @param {any[]}
    * @param {Server} server Server on which `listen` was called
    */
   handleServerListen(args, server) {
@@ -70,12 +73,16 @@ class HttpFramework extends BaseFramework {
 
   /**
    * Emits a create event for the new Server instance.
-   * @param {*[]} args The arguments passed to the Server constructor
+   * @param {any[]} args The arguments passed to the Server constructor
    * @param {Server} server The http Server instance
    */
   handleServerCreate(args, server) {
-    const [callback] = args;
-    this.emitter.emit(HTTP_EVENTS.SERVER_CREATE, callback, server);
+    const [options] = args;
+    let [, handler] = args;
+    if (typeof options === 'function') {
+      handler = options;
+    }
+    this.emitter.emit(HTTP_EVENTS.SERVER_CREATE, handler, server);
   }
 }
 

package/lib/hooks/frameworks/http2.js

@@ -0,0 +1,73 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const { PATCH_TYPES } = require('../../constants');
+const patcher = require('../patcher');
+const HttpFramework = require('./http');
+
+/** @typedef {import('../../agent').ContrastAgent} Agent */
+
+class Http2Framework extends HttpFramework {
+  /**
+   * @param {Agent} agent
+   */
+  constructor(agent) {
+    super(agent, 'http2');
+  }
+
+  /**
+   * @param {import('http2')} http2
+   * @returns {import('http2')}
+   */
+  onRequire(http2) {
+    patcher.patch(http2, 'createServer', {
+      name: `${this.id}.createServer`,
+      patchType: PATCH_TYPES.FRAMEWORK,
+      alwaysRun: true,
+      post: ({ args, result }) => this.handleServerCreate(args, result)
+    });
+
+    patcher.patch(http2, 'createSecureServer', {
+      name: `${this.id}.createSecureServer`,
+      patchType: PATCH_TYPES.FRAMEWORK,
+      alwaysRun: true,
+      post: ({ args, result }) => this.handleServerCreate(args, result)
+    });
+
+    return http2;
+  }
+
+  /**
+   * Emits a create event for the new Server instance.
+   * @param {any[]} args The arguments passed to the Server constructor
+   * @param {import('net').Server} server The http Server instance
+   */
+  handleServerCreate(args, server) {
+    super.handleServerCreate(args, server);
+
+    // Since the `Http2Server` class is not exported, we can patch it here after
+    // creation.
+    // NOTE: could we just patch `net.Server` here and in `http`?
+    patcher.patch(server, 'listen', {
+      name: `${this.id}.Http2Server.listen`,
+      patchType: PATCH_TYPES.FRAMEWORK,
+      alwaysRun: true,
+      pre: ({ args, obj }) => this.handleServerListen(args, obj)
+    });
+  }
+}
+
+module.exports = Http2Framework;

package/lib/hooks/frameworks/index.js

@@ -14,9 +14,14 @@ Copyright: 2021 Contrast Security, Inc
 */
 'use strict';
 
+const Http = require('./http');
+const Http2 = require('./http2');
+const Hapi16 = require('./hapi16');
+
 module.exports = function(agent) {
   // load all the hooks
-  new (require('./http'))(agent);
-  new (require('./https'))(agent);
-  new (require('./hapi16'))(agent);
+  new Http(agent);
+  new Http(agent, 'https');
+  new Http2(agent);
+  new Hapi16(agent);
 };

package/lib/hooks/http.js

@@ -35,39 +35,45 @@ const logger = require('../core/logger')('contrast:hooks');
 const patcher = require('./patcher');
 const { PATCH_TYPES } = require('../constants');
 
-module.exports = function(agent) {
-  logger.info('applying non-policy hook: http');
+const flatten = (ary) => Array.prototype.join.apply(ary, [',']);
 
-  moduleHook.resolve({ name: 'http' }, function(http) {
-    hookServerPrototype(http.Server.prototype, agent);
-  });
-  moduleHook.resolve({ name: 'https' }, function(https) {
-    hookServerPrototype(https.Server.prototype, agent);
+/**
+ * Logs stack for every res.[end, writeHead, write] call
+ *
+ * @param {ServerResponse} response
+ * @param {string} method method to hook
+ */
+const logHook = (response, method) => {
+  patcher.patch(response, method, {
+    alwaysRun: true,
+    name: 'req-log',
+    patchType: PATCH_TYPES.MISC,
+    post(data) {
+      const { stack } = new Error();
+      logger.info('res.%s(%s):%o', method, flatten(data.args), stack);
+    }
   });
 };
 
-module.exports.getId = getId;
-module.exports.hookServerPrototype = hookServerPrototype;
-
 /**
  * Hooks the Server prototype's <code>emit</code> method.
- * @param {Server} proto The Server prototype
+ * @param {Server} server The Server prototype
  */
-function hookServerPrototype(proto, agent) {
-  patcher.patch(proto, 'listen', {
+const hookServer = (server, agent, id) => {
+  patcher.patch(server, 'listen', {
     alwaysRun: true,
     name: 'server-listen-log-time',
     patchType: PATCH_TYPES.MISC,
-    pre(data) {
+    pre() {
       logger.info(`${process.pid}: http listen after ${process.uptime()}`);
     }
   });
 
   // Wrap the request emit in a contrast domain to track non-dataflow hooks, and for storage.
-  const { emit } = proto;
-  proto.emit = function(...args) {
-    const [event, req, res] = args;
+  const { emit } = server;
+  server.emit = function newEmit(...args) {
     const self = this;
+    const [event, req, res] = args;
 
     if (event === 'request') {
       logger.debug('Received request %s, method %s', req.url, req.method);
@@ -75,35 +81,77 @@ function hookServerPrototype(proto, agent) {
         agent,
         req,
         res,
-        hookResponse,
-        callback: () => {
+        hookResponse(response, agent) {
+          const { writeHead, end } = response;
+          // XXX(ehden): we keep the original method available to call when handling
+          // blocked requests because of MethodTampering or other rules whose sink
+          // type is RESPONSE_STATUS and which can block at perimeter. We call the original
+          // when we block to prevent recursing through blocks by setting our own 403.
+          response[WRITE_HEAD] = writeHead;
+          response[END] = end;
+
+          /**
+           * Patch writeHead to emit a sink event before calling writeHead
+           *
+           */
+          patcher.patch(response, 'writeHead', {
+            alwaysRun: true,
+            name: 'write-head',
+            patchType: PATCH_TYPES.PROTECT_SINK,
+            pre(data) {
+              const [statusCode, reason] = data.args;
+              let [, , obj] = data.args;
+              let contentType;
+              if (typeof reason !== 'string') {
+                obj = reason;
+              }
+              if (obj && typeof obj === 'object') {
+                for (const [key, value] of Object.entries(obj)) {
+                  if (key.toLowerCase() === 'content-type') {
+                    contentType = value;
+                  }
+                }
+              }
+              if (contentType) {
+                AsyncStorage.set(KEYS.RESPONSE_CONTENT_TYPE, contentType);
+              }
+              emitSinkEvent(statusCode, SINK_TYPES.RESPONSE_STATUS, id, false);
+            }
+          });
+
+          patcher.patch(response, 'setHeader', {
+            alwaysRun: true,
+            name: 'set-header',
+            patchType: PATCH_TYPES.ASYNC_CONTEXT,
+            pre(data) {
+              const [name = '', value] = data.args;
+              if (name.toLowerCase() === 'content-type' && value) {
+                AsyncStorage.set(KEYS.RESPONSE_CONTENT_TYPE, value);
+              }
+            }
+          });
+
+          // special HTTP logging for responses.
+          if (agent.config.agent.logger.log_outbound_http) {
+            ['end', 'writeHead', 'write'].forEach((method) => {
+              logHook(response, method);
+            });
+          }
+        },
+        callback() {
           const ipEvent = createSourceEvent(
             req,
             req,
             res,
-            'connection.remoteAddress',
+            'socket.remoteAddress',
             INPUT_TYPES.IP,
-            getId(req)
+            id
           );
           agentEmitter.emit('http.requestStart', req, res, ipEvent);
 
-          emitSourceEvent(
-            req,
-            req,
-            res,
-            'method',
-            INPUT_TYPES.METHOD,
-            getId(req)
-          );
-          emitSourceEvent(
-            req,
-            req,
-            res,
-            'headers',
-            INPUT_TYPES.HEADER,
-            getId(req)
-          );
-          emitSourceEvent(req, req, res, 'url', INPUT_TYPES.URL, getId(req));
+          emitSourceEvent(req, req, res, 'method', INPUT_TYPES.METHOD, id);
+          emitSourceEvent(req, req, res, 'headers', INPUT_TYPES.HEADER, id);
+          emitSourceEvent(req, req, res, 'url', INPUT_TYPES.URL, id);
 
           const rv = emit.apply(self, args);
 
@@ -115,101 +163,37 @@ function hookServerPrototype(proto, agent) {
       return emit.apply(self, args);
     }
   };
-}
+};
 
-/**
- * Patches ServerResponse instances and runs in AsyncStorage
- * context.
- * @param {ServerResponse} res
- */
-function hookResponse(res, agent) {
-  const flattenArgs = (args) => Array.prototype.join.apply(args, [',']);
-
-  /*
-   * Logs stack for every res.[end, writeHead, write] call
-   *
-   * @param {ServerResponse} res
-   * @param {string} method method to hook
-   */
-  function logHook(res, method) {
-    patcher.patch(res, method, {
-      alwaysRun: true,
-      name: 'req-log',
-      patchType: PATCH_TYPES.MISC,
-      post(data) {
-        const { stack } = new Error();
-        logger.info('res.%s(%s):%o', method, flattenArgs(data.args), stack);
-      }
-    });
-  }
-
-  const { writeHead, end } = res;
-  // XXX(ehden): we keep the original method available to call when handling
-  // blocked requests because of MethodTampering or other rules whose sink
-  // type is RESPONSE_STATUS and which can block at perimeter. We call the original
-  // when we block to prevent recursing through blocks by setting our own 403.
-  res[WRITE_HEAD] = writeHead;
-  res[END] = end;
-
-  /**
-   * Patch writeHead to emit a sink event before calling writeHead
-   *
-   */
-  patcher.patch(res, 'writeHead', {
-    alwaysRun: true,
-    name: 'write-head',
-    patchType: PATCH_TYPES.PROTECT_SINK,
-    pre(data) {
-      let contentType;
-      if (data.args[1] && typeof data.args[1] === 'object') {
-        for (const [key, value] of Object.entries(data.args[1])) {
-          if (key.toLowerCase() === 'content-type') {
-            contentType = value;
-          }
-        }
-      }
+module.exports = (agent) => {
+  logger.info('applying non-policy hook: http');
 
-      if (contentType) {
-        AsyncStorage.set(KEYS.RESPONSE_CONTENT_TYPE, contentType);
-      }
-      const [statusCode] = data.args;
-      emitSinkEvent(statusCode, SINK_TYPES.RESPONSE_STATUS, getId(this), false);
-    }
+  moduleHook.resolve({ name: 'http' }, (http) => {
+    hookServer(http.Server.prototype, agent, 'http');
   });
 
-  patcher.patch(res, 'setHeader', {
-    alwaysRun: true,
-    name: 'set-header',
-    patchType: PATCH_TYPES.ASYNC_CONTEXT,
-    pre(data) {
-      if (
-        (data.args[0] || '').toLowerCase() === 'content-type' &&
-        data.args[1]
-      ) {
-        AsyncStorage.set(KEYS.RESPONSE_CONTENT_TYPE, data.args[1]);
-      }
-    }
+  moduleHook.resolve({ name: 'https' }, (https) => {
+    hookServer(https.Server.prototype, agent, 'https');
   });
 
-  // special HTTP logging for responses.
-  if (agent.config.agent.logger.log_outbound_http) {
-    ['end', 'writeHead', 'write'].forEach((method) => {
-      logHook(res, method);
+  moduleHook.resolve({ name: 'http2' }, (http2) => {
+    patcher.patch(http2, 'createServer', {
+      name: `create-server-http2-hooks`,
+      patchType: PATCH_TYPES.MISC,
+      alwaysRun: true,
+      post({ result }) {
+        hookServer(result, agent);
+      }
     });
-  }
-}
 
-/**
- * Returns http or https depending on information about the
- * incomingMessage
- *
- * @param {IncomingMessage} req
- * @return {string} http or https
- */
-function getId(req) {
-  if (req == null || req.socket == null) {
-    return 'http';
-  } else {
-    return req.socket.encrypted ? 'https' : 'http';
-  }
-}
+    patcher.patch(http2, 'createSecureServer', {
+      name: `create-secure-server-http2-hooks`,
+      patchType: PATCH_TYPES.MISC,
+      alwaysRun: true,
+      post({ result }) {
+        hookServer(result, agent);
+      }
+    });
+  });
+};
+module.exports.hookServer = hookServer;

package/lib/hooks/require.js

@@ -14,44 +14,38 @@ Copyright: 2021 Contrast Security, Inc
 */
 'use strict';
 
-/**
- * @module lib/hooks/moduleHook
- * @class ModuleHook
- */
-
 const Module = require('module');
-const agentEmitter = require('../agent-emitter');
 const RequireHook = require('@contrast/require-hook');
+const agentEmitter = require('../agent-emitter');
 const logger = require('../core/logger')('hooks:require');
 
 class ModuleHook {
-  constructor(options) {
+  constructor() {
     this.reqHook = new RequireHook(logger);
 
-    // RequireHook takes care of hooking
-    // but still need to patch require to emit 'require' events
-    const origModRequire = Module.prototype.require;
-    Module.prototype.require = function(name) {
-      agentEmitter.emit('require', name);
-      return origModRequire.call(this, name);
+    // RequireHook takes care of hooking but we still need to patch require to
+    // emit 'require' events
+    const origModLoad = Module._load;
+    Module._load = function __loadAndEmit(...args) {
+      const [request] = args;
+      agentEmitter.emit('require', request);
+      return Reflect.apply(origModLoad, this, args);
     };
   }
 
   /**
-   *
    * Collects instrumentation functions that will run on the specified
-   * module's file at the time it is loaded via <code>require</code>.
-   * @param {Object} descriptor describes module you're hook(name, version, file)
-   * @param {Function} instrumentation The function to run on the module at
-   *                        the time it is required in the code
+   * module's file at the time it is loaded via `require`.
+   * @param {RequireHook.Descriptor} descriptor describes the module to hook
+   * @param {Function} handler The function to run on the module at the time it is required
    */
-  resolve(descriptor, instrumentation) {
-    this.reqHook.resolve(descriptor, instrumentation);
+  resolve(descriptor, handler) {
+    this.reqHook.resolve(descriptor, handler);
   }
 
   /**
-   * reset the hooked state for a module so that it's handlers re-run (used in unit tests)
-   *
+   * Reset the hooked state for a module so that it's handlers re-run.
+   * NOTE: used in unit tests.
    * @param {string} name the name of the module
    */
   reset(name) {

package/lib/instrumentation.js

@@ -40,9 +40,6 @@ module.exports = function instrument(agent, reporter) {
     return;
   }
 
-  const stackFactory = require('./core/stacktrace').singleton;
-  stackFactory.stackTraceLimit = agent.config.agent.stack_trace_limit;
-
   // The order of these matters, do not re-order
   collectLibInfo(agent);
   // (CONTRAST-31526) this must be required first to load global.ContrastMethods