@contrast/agent 4.6.0 → 4.7.0

package/bin/VERSION

@@ -1 +1 @@
-2.27.3
+2.28.0

package/lib/assess/membrane/source-membrane.js

@@ -39,14 +39,6 @@ const signature = new Signature({
   isModule: false
 });
 
-const numericCheck = /^[0-9]+$/;
-function isNumeric(input) {
-  // regex from validator.js/lib/isNumeric.js:
-  // https://github.com/validatorjs/validator.js/blob/master/lib/isNumeric.js
-  // do we want to allow symbols (plus/minus sign, decimal point?)
-  return numericCheck.test(input);
-}
-
 module.exports = class SourceMembrane extends Membrane {
   /**
    * @param {object} config agent config to use for array sampling.
@@ -304,8 +296,7 @@ module.exports = class SourceMembrane extends Membrane {
   /**
    * The `TagRanges` returned  will include the `untrusted` tag. There will be
    * `exclusion:${ruleId}` tags for input exclusions pertaining to specific
-   * rules and whose name matches the property name described in metadata. And
-   * `limited-chars` tags are included if string is numeric.
+   * rules and whose name matches the property name described in metadata.
    * @param {string} str string being tracked by membrane
    * @param {object} metadata metadata about source type and key name
    * @returns {TagRange[]}
@@ -342,10 +333,6 @@ module.exports = class SourceMembrane extends Membrane {
       }
     }
 
-    if (isNumeric(str)) {
-      tagRanges.push(new TagRange(start, stop, 'limited-chars'));
-    }
-
     if (metadata.sourceType === 'header') {
       if (metadata.path.toLocaleLowerCase() !== 'referer') {
         tagRanges.push(new TagRange(start, stop, 'header'));

package/lib/assess/policy/propagators.json

@@ -59,33 +59,15 @@
     },
     "mustache.escape": {
       "enabled": true,
-      "source": "P",
-      "target": "R",
-      "tags": ["html-encoded"],
-      "type": "overload",
-      "command": {
-        "type": "keep"
-      }
+      "provider": "./propagators/mustache/escape.js"
     },
     "dust.escapeHtml": {
       "enabled": true,
-      "source": "P",
-      "target": "R",
-      "tags": ["html-encoded"],
-      "type": "overload",
-      "command": {
-        "type": "keep"
-      }
+      "provider": "./propagators/dustjs/escape-html.js"
     },
     "dust.escapeJs": {
       "enabled": true,
-      "source": "P",
-      "target": "R",
-      "tags": ["javascript-encoded"],
-      "type": "overload",
-      "command": {
-        "type": "keep"
-      }
+      "provider": "./propagators/dustjs/escape-js.js"
     },
     "pug.compile": {
       "enabled": true,
@@ -349,23 +331,11 @@
     },
     "encodeURI": {
       "enabled": true,
-      "type": "overload",
-      "tags": ["weak-url-encoded"],
-      "source": "P",
-      "target": "R",
-      "command": {
-        "type": "keep"
-      }
+      "provider": "./propagators/encode-uri/encode-uri.js"
     },
     "encodeURIComponent": {
       "enabled": true,
-      "type": "overload",
-      "tags": ["url-encoded"],
-      "source": "P",
-      "target": "R",
-      "command": {
-        "type": "keep"
-      }
+      "provider": "./propagators/encode-uri/encode-uri-component.js"
     },
     "process.__add": {
       "enabled": true,

package/lib/assess/policy/rules.json

@@ -1371,6 +1371,11 @@
       "type": "http",
       "provider": "./sinks/hapi-16-xss"
     },
+    "reflected-xss_dustjs-linkedin": {
+      "enabled": true,
+      "type": "http",
+      "provider": "./sinks/dustjs-linkedin-xss"
+    },
     "reflected-xss": {
       "enabled": true,
       "type": "hook",

package/lib/assess/policy/signatures.json

@@ -1317,6 +1317,11 @@
       "moduleName": "node-serialize",
       "methodName": "unserialize",
       "isModule": true
+    },
+    "dustjs-linkedin": {
+      "moduleName": "dustjs-linkedin",
+      "methodName": "pipe",
+      "isModule": true
     }
   }
 }

package/lib/assess/propagators/dustjs/escape-html.js

@@ -0,0 +1,22 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const { propagate } = require('../template-escape');
+
+function handler(data) {
+  propagate(data, 'html-encoded', 'dustjs-linkedin.escapeHtml');
+}
+
+module.exports.handle = handler;

package/lib/assess/propagators/dustjs/escape-js.js

@@ -0,0 +1,22 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const { propagate } = require('../template-escape');
+
+function handler(data) {
+  propagate(data, 'javascript-encoded', 'dustjs-linkedin.escapeJs');
+}
+
+module.exports.handle = handler;

package/lib/assess/propagators/encode-uri/encode-uri-component.js

@@ -0,0 +1,22 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const { propagate } = require('../template-escape');
+
+function handler(data) {
+  propagate(data, 'url-encoded', 'global.encodeURIComponent');
+}
+
+module.exports.handle = handler;

package/lib/assess/propagators/encode-uri/encode-uri.js

@@ -0,0 +1,22 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const { propagate } = require('../template-escape');
+
+function handler(data) {
+  propagate(data, 'weak-url-encoded', 'global.encodeURI');
+}
+
+module.exports.handle = handler;

package/lib/assess/propagators/index.js

@@ -128,8 +128,6 @@ const generateHookWrappers = (agent, policyNode, key) => {
     } else {
       ({ pre, post } = provider.handle);
     }
-
-    propagatorDescriptor.provider = provider.handle;
   } else {
     // generic propagator
     post = new Propagator(agent, propagatorDescriptor);

package/lib/assess/propagators/joi/values.js

@@ -51,18 +51,9 @@ function instrumentJoiValues(values) {
         return;
       }
 
-      const resultIsString = _.isString(result.value);
-      const argIsString = _.isString(value);
-
       if (result.ref) {
-        // result === false means ref resolution failed
-        if (resultIsString && argIsString) {
-          const resolvedTrackData = tracker.getData(result.value);
-          const refTrackData = tracker.getData(value);
-          const handler = getRefHandler(resolvedTrackData, refTrackData);
-          handler && handler(data, resolvedTrackData, refTrackData);
-        }
-      } else if (resultIsString) {
+        handler(result.value, value, data);
+      } else if (_.isString(result.value)) {
         // use case is .valid() - safe
         tracker.untrack(result.value);
       }
@@ -70,6 +61,30 @@ function instrumentJoiValues(values) {
   });
 }
 
+const stringHandler = (resultValue, argValue, data) => {
+  const resultIsString = _.isString(resultValue);
+  const argIsString = _.isString(argValue);
+
+  if (resultIsString && argIsString) {
+    const resolvedTrackData = tracker.getData(resultValue);
+    const refTrackData = tracker.getData(argValue);
+    const handler = getRefHandler(resolvedTrackData, refTrackData);
+    handler && handler(data, resolvedTrackData, refTrackData);
+  }
+};
+
+const handler = (resultValue, argValue, data) => {
+  if (_.isString(resultValue)) {
+    return stringHandler(resultValue, argValue, data);
+  }
+
+  if (_.isObject(resultValue)) {
+    for (const [key, value] of Object.entries(resultValue)) {
+      handler(value, argValue[key], data);
+    }
+  }
+};
+
 /**
  * Depending on which values are tracked, ref and/or target, returns the
  * appropriate function to handle the scenario.

package/lib/assess/propagators/mustache/escape.js

@@ -0,0 +1,22 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const { propagate } = require('../template-escape');
+
+function handler(data) {
+  propagate(data, 'html-encoded', 'mustache.escape');
+}
+
+module.exports.handle = handler;

package/lib/assess/propagators/template-escape.js

@@ -0,0 +1,84 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const tracker = require('../../tracker');
+const TagRange = require('../models/tag-range');
+const { CallContext, PropagationEvent, Signature } = require('../models');
+
+function getEscapedTagRanges(input, result, start, stop, tag) {
+  const textArr = input.split('').slice(start, stop + 1);
+  const escapedArr = result.split('');
+  const overlap = textArr.filter((x) => {
+    if (escapedArr.includes(x)) {
+      return x;
+    }
+  });
+  if (overlap.length === 0) {
+    return [];
+  }
+  const newTagRanges = [];
+  let firstIndex = escapedArr.indexOf(overlap[0]);
+  let currIndex = firstIndex;
+  let nextIndex;
+  for (let i = 1; i < overlap.length; i++) {
+    nextIndex = escapedArr.indexOf(overlap[i], currIndex + 1);
+    if (nextIndex !== currIndex + 1) {
+      newTagRanges.push(new TagRange(firstIndex, currIndex, tag));
+      firstIndex = nextIndex;
+    }
+    if (i === overlap.length - 1) {
+      newTagRanges.push(new TagRange(firstIndex, nextIndex, tag));
+    }
+    currIndex = nextIndex;
+  }
+  return newTagRanges;
+}
+
+function propagator(data, tagName, signatureName) {
+  const input = data.args[0];
+
+  if (!input || !tracker.getData(input).tracked) {
+    return;
+  }
+
+  // adjust tag ranges
+  const tagRanges = [];
+  tracker.getData(input).tagRanges.forEach((range) => {
+    const { start, stop, tag } = range;
+    tagRanges.push(
+      ...getEscapedTagRanges(input, data.result, start, stop, tag)
+    );
+  });
+  tagRanges.push(new TagRange(0, data.result.length - 1, tagName));
+  const result = tracker.track(data.result);
+  const trackData = tracker.getData(result);
+  trackData.tagRanges = tagRanges;
+  trackData.event = new PropagationEvent({
+    context: new CallContext({
+      ...data,
+      obj: null
+    }),
+    parents: [trackData.event],
+    signature: new Signature(signatureName),
+    source: 'P',
+    target: 'R',
+    tagRanges,
+    tags: tagName
+  });
+  data.result = result;
+}
+
+module.exports.propagate = propagator;

package/lib/assess/propagators/templates.js

@@ -21,10 +21,9 @@ const tracker = require('../../tracker.js');
 
 const { PropagationEvent, Signature, CallContext } = require('../models');
 const { isString } = require('../../util/is-string');
+const injections = require('../../core/rewrite/injections');
 
-const ContrastMethods = require('../../core/rewrite/injections').get(
-  'ContrastMethods'
-);
+const ContrastMethods = injections.get('ContrastMethods');
 
 /**
  * In order to propagate through template literals, we leverage rewriting to

package/lib/assess/sinks/dustjs-linkedin-xss.js

@@ -0,0 +1,131 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const patcher = require('../../hooks/patcher');
+const { PATCH_TYPES } = require('../../constants');
+const moduleHook = require('../../hooks/require');
+const { CallContext, Signature } = require('../models');
+const {
+  RULES: { REFLECTED_XSS }
+} = require('../../constants');
+
+const signature = new Signature({
+  moduleName: 'http.ClientResponse',
+  methodName: 'write',
+  isModule: true
+});
+const moduleName = 'dustjs-linkedin';
+
+class Handler {
+  constructor({ report, isVulnerable, requiredTags, xss: { disallowedTags } }) {
+    this._isVulnerable = isVulnerable;
+    this.report = report;
+    this.requiredTags = requiredTags;
+    this.disallowedTags = disallowedTags;
+  }
+
+  isVulnerable(input) {
+    const { requiredTags, disallowedTags } = this;
+    const ret = this._isVulnerable({
+      input,
+      ruleId: REFLECTED_XSS,
+      disallowedTags,
+      requiredTags
+    });
+    return ret;
+  }
+
+  handle() {
+    moduleHook.resolve({ name: moduleName }, (dust) =>
+      this.handleRequire(dust)
+    );
+  }
+
+  getType(obj) {
+    return obj && obj.constructor && obj.constructor.name;
+  }
+
+  isResponseType(typeName) {
+    return typeName === 'ServerResponse';
+  }
+
+  patchDust(dust) {
+    const self = this;
+    patcher.patch(dust, 'stream', {
+      name: moduleName,
+      patchType: PATCH_TYPES.ASSESS_SINK,
+      alwaysRun: true,
+      post(data) {
+        self.patchStream(data.result);
+      }
+    });
+  }
+
+  /**
+   * Patch the pipe method and check wether the stream is targeting a
+   * response instance. If so, add the instance to the set of streams
+   * we should follow.
+   */
+  patchStream(streamInstance) {
+    const self = this;
+    patcher.patch(streamInstance, 'pipe', {
+      name: 'dust.Stream.prototype',
+      patchType: PATCH_TYPES.ASSESS_SINK,
+      alwaysRun: true,
+      pre({ args: [maybeRes] }) {
+        self.patchStreamTarget(maybeRes);
+      }
+    });
+  }
+
+  patchStreamTarget(target) {
+    const self = this;
+    const typeName = self.getType(target);
+
+    if (self.isResponseType(typeName)) {
+      patcher.patch(target, 'write', {
+        name: 'dust.pipeTarget',
+        patchType: PATCH_TYPES.ASSESS_SINK,
+        alwaysRun: true,
+        post({ args: [str], hooked }) {
+          if (self.isVulnerable(str)) {
+            self.report({
+              ruleId: REFLECTED_XSS,
+              signature,
+              input: str,
+              ctxt: new CallContext({
+                obj: typeName,
+                args: [str],
+                result: str,
+                stackOpts: {
+                  constructorOpt: hooked
+                }
+              })
+            });
+          }
+        }
+      });
+    }
+  }
+
+  handleRequire(dust) {
+    this.patchDust(dust);
+    return dust;
+  }
+}
+
+module.exports = ({ common }) => new Handler(common);
+module.exports.Handler = Handler;

package/lib/core/arch-components/rethinkdb.js

@@ -0,0 +1,53 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const agentEmitter = require('../../agent-emitter');
+const { PATCH_TYPES } = require('../../constants');
+const ModuleHook = require('../../hooks/require');
+const patcher = require('../../hooks/patcher');
+const logger = require('../logger')('contrast:arch-component');
+
+ModuleHook.resolve({ name: 'rethinkdb' }, (rethinkdb) => {
+  patcher.patch(rethinkdb, 'connect', {
+    name: 'rethinkdb.arch_component',
+    patchType: PATCH_TYPES.ARCH_COMPONENT,
+    alwaysRun: true,
+    post(ctx) {
+      ctx.result
+        .then((res) => {
+          if (res.open) {
+            const url =
+              res.host == 'localhost'
+                ? 'http://localhost'
+                : new URL(res.host).toString();
+            agentEmitter.emit('architectureComponent', {
+              vendor: 'RethinkDB',
+              url,
+              remotePort: res.port
+            });
+          } else {
+            logger.warn('unable to open RethinkDB connection');
+          }
+        })
+        .catch((err) => {
+          logger.warn(
+            'unable to report RethinkDB architecture component\n%o',
+            err
+          );
+        });
+    }
+  });
+});

package/lib/core/config/options.js

@@ -481,7 +481,7 @@ const agent = [
   {
     name: 'agent.stack_trace_limit',
     arg: '<limit>',
-    default: 25,
+    default: 10,
     fn: parseNum,
     desc:
       'set limit for stack trace size (larger limits will improve accuracy but increase memory usage)'

package/lib/hooks/patcher.js

@@ -97,12 +97,7 @@ Function.prototype._contrast_toString = function() {
   return Reflect.apply(functionToString, this, arguments);
 };
 
-function runHooks(type, options, data, fn, thisTarget) {
-  const fnHooks = hooks.get(fn);
-  if (!fnHooks) {
-    return;
-  }
-
+function runHooks(type, data, thisTarget, fnHooks) {
   fnHooks.forEach((hook, key) => {
     if (hook[type]) {
       hook[type].apply(thisTarget, [data]);
@@ -185,11 +180,17 @@ function runOriginalFunction(fn, { args, name }, target) {
   return fn.apply(this, args);
 }
 
-function recordTime(func, funcKey, type) {
+const runWrapper =
+  !process.hrtime.bigint || !perfLoggingEnabled
+    ? runWithoutRecordingTime
+    : runAndRecordTime;
+
+function runWithoutRecordingTime(func) {
+  return () => func();
+}
+
+function runAndRecordTime(func, funcKey, type) {
   return () => {
-    if (!process.hrtime.bigint || !perfLoggingEnabled) {
-      return func();
-    }
     const start = process.hrtime.bigint();
     const rv = func();
     perfLogger[type](funcKey, Number(process.hrtime.bigint() - start));
@@ -217,6 +218,7 @@ function hookFunction(fn, options) {
   const { funcKey } = options;
   logger.trace(`hook ${funcKey}`);
 
+  // eslint-disable-next-line complexity
   function hooked(...args) {
     const target = new.target;
 
@@ -247,36 +249,59 @@ function hookFunction(fn, options) {
       perfLogger.logEvent(funcKey);
     }
 
-    // Run the pre event in a no instrumentation scope
+    let hasPreHook, hasPostHook;
+    const fnHooks = hooks && hooks.get(hooked);
+
+    // If there's a pre event run it in a no instrumentation scope
     // this will prevent other instrumentation from running
     // within the pre function
-    Scopes.runInNoInstrumentationScope(
-      recordTime(
-        () => runHooks('pre', options, data, hooked, this),
-        funcKey,
-        'pre'
-      ),
-      `${funcKey} pre`
-    );
+    if (fnHooks) {
+      for (const storedHooks of fnHooks.values()) {
+        hasPreHook = Boolean(hasPreHook || (storedHooks && storedHooks.pre));
+        hasPostHook = Boolean(hasPostHook || (storedHooks && storedHooks.post));
+      }
+    }
 
-    // run original function in scope that was passed in
-    data.result = Scopes.runIn(
-      options.scope,
-      recordTime(() => getResult.call(this, fn, data, target), funcKey, 'orig'),
-      funcKey
-    );
+    if (hasPreHook) {
+      Scopes.runInNoInstrumentationScope(
+        runWrapper(() => runHooks('pre', data, this, fnHooks), funcKey, 'pre'),
+        `${funcKey} pre`
+      );
+    }
 
-    // Run the post event in a no instrumentation scope
+    // Run original function in scope that was passed in
+    // or just run the original function when the passed scope is undefined
+    if (options.scope) {
+      data.result = Scopes.runIn(
+        options.scope,
+        runWrapper(
+          () => getResult.call(this, fn, data, target),
+          funcKey,
+          'orig'
+        ),
+        funcKey
+      );
+    } else {
+      data.result = runWrapper(
+        () => getResult.call(this, fn, data, target),
+        funcKey,
+        'orig'
+      )();
+    }
+
+    // If there's a post event run it in a no instrumentation scope
     // this will prevent other instrumentation from running
     // within the post function
-    Scopes.runInNoInstrumentationScope(
-      recordTime(
-        () => runHooks('post', options, data, hooked, this),
-        funcKey,
-        'post'
-      ),
-      `${funcKey} post`
-    );
+    if (hasPostHook) {
+      Scopes.runInNoInstrumentationScope(
+        runWrapper(
+          () => runHooks('post', data, this, fnHooks),
+          funcKey,
+          'post'
+        ),
+        `${funcKey} post`
+      );
+    }
 
     return data.result;
   }
@@ -436,8 +461,7 @@ function hook(obj, prop, opts) {
     }
   } catch (err) {
     logger.info(
-      `unable to patch unconfigurable property ${opts.name}:${prop}
-`,
+      `unable to patch unconfigurable property ${opts.name}:${prop}`,
       err
     );
   }
@@ -543,7 +567,6 @@ function unwrap(fn) {
 module.exports = {
   patch,
   preempt,
-  recordTime,
   resetInstrumentation,
   unpatch,
   unwrap

package/lib/util/source-map.js

@@ -133,7 +133,7 @@ class SourceMapUtility {
       const { line, source } = consumer.originalPositionFor({
         line: lineNumber,
         column
-      });
+      }) || { line: undefined, source: undefined };
 
       if (line) lineNumber = line;
       if (source) file = this.replaceSource(file, source);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.6.0",
+  "version": "4.7.0",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",
@@ -165,7 +165,7 @@
     "proxyquire": "^2.1.0",
     "qs": "^6.9.4",
     "rethinkdb": "file:test/mock/rethinkdb",
-    "sequelize": "^6.3.3",
+    "sequelize": "^6.11.0",
     "shellcheck": "^1.0.0",
     "sinon": "^7.2.2",
     "sinon-chai": "^3.3.0",