npm - @contrast/agent - Versions diffs - 4.6.0 → 4.9.0 - Mend

@contrast/agent 4.6.0 → 4.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (563) hide show

package/lib/assess/sources/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -26,9 +26,12 @@ const parseurl = require('parseurl');
 const {
   EXCLUSION_INPUT_TYPES: { BODY, HEADER, PARAMETER, QUERYSTRING, COOKIE }
 } = require('../../constants');
+const { Signature } = require('../models');
 const sources = module.exports;
+const { SourceEventHandler } = require('./event-handler');
 /**
  * Registers sources for assess instrumentation
  */
@@ -60,19 +63,104 @@ sources.track = function(type, parent, key, membrane) {
  */
 sources.registerListeners = function({ config, exclusions }) {
   agentEmitter.on('assess.body', (obj, prop) => {
-    sources.handleSourceEvent(config, exclusions, BODY, obj, prop);
+    if (!config.agent.traverse_and_track) {
+      return sources.handleSourceEvent(config, exclusions, BODY, obj, prop);
+    }
+    agentEmitter.emit('assess.source', {
+      config,
+      exclusions,
+      obj,
+      prop,
+      data: obj[prop],
+      type: BODY
+    });
   });
   agentEmitter.on('assess.headers', (obj, prop) => {
-    sources.handleSourceEvent(config, exclusions, HEADER, obj, prop);
+    if (!config.agent.traverse_and_track) {
+      return sources.handleSourceEvent(config, exclusions, HEADER, obj, prop);
+    }
+    agentEmitter.emit('assess.source', {
+      obj,
+      prop,
+      data: obj[prop],
+      type: HEADER
+    });
   });
   agentEmitter.on('assess.params', (obj, prop) => {
-    sources.handleSourceEvent(config, exclusions, PARAMETER, obj, prop);
+    if (!config.agent.traverse_and_track) {
+      return sources.handleSourceEvent(
+        config,
+        exclusions,
+        PARAMETER,
+        obj,
+        prop
+      );
+    }
+    agentEmitter.emit('assess.source', {
+      obj,
+      prop,
+      data: obj[prop],
+      type: PARAMETER
+    });
   });
   agentEmitter.on('assess.query', (obj, prop) => {
-    sources.handleSourceEvent(config, exclusions, QUERYSTRING, obj, prop);
+    if (!config.agent.traverse_and_track) {
+      return sources.handleSourceEvent(
+        config,
+        exclusions,
+        QUERYSTRING,
+        obj,
+        prop
+      );
+    }
+    agentEmitter.emit('assess.source', {
+      obj,
+      prop,
+      data: obj[prop],
+      type: QUERYSTRING
+    });
   });
   agentEmitter.on('assess.cookies', (obj, prop) => {
-    sources.handleSourceEvent(config, exclusions, COOKIE, obj, prop);
+    if (!config.agent.traverse_and_track) {
+      return sources.handleSourceEvent(config, exclusions, COOKIE, obj, prop);
+    }
+    agentEmitter.emit('assess.source', {
+      obj,
+      prop,
+      type: COOKIE
+    });
+  });
+  // might be helpful for clients to send add'l values in event arg
+  //   - stackOpts: elide frames from function ref in client instrumentation
+  //   - signature: rather than create shared one in the handler
+  //   - or stack snapshot function - could share among SourceEvents
+  //   - call context to share among SourceEvents
+  agentEmitter.on('assess.source', ({ obj, prop, type, signature }) => {
+    if (!signature) {
+      signature = new Signature({
+        moduleName: 'Object',
+        methodName: 'getter',
+        args: [prop],
+        return: 'String',
+        isModule: false
+      });
+    }
+    new SourceEventHandler({
+      config,
+      exclusions,
+      signature,
+      type,
+      stackOpts: undefined,
+      snapshot: undefined
+    }).handle({ obj, prop });
   });
 };

package/lib/assess/spdy/index.js ADDED Viewed

@@ -0,0 +1,23 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const AssessSinks = require('./sinks');
+module.exports = class SpdyInstrumentation {
+  constructor(agent) {
+    new AssessSinks(agent);
+  }
+};

package/lib/assess/spdy/sinks/index.js ADDED Viewed

@@ -0,0 +1,23 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const ReflectedXss = require('./xss');
+module.exports = class SpdySinks {
+  constructor(agent) {
+    new ReflectedXss(agent);
+  }
+};

package/lib/assess/spdy/sinks/xss.js ADDED Viewed

@@ -0,0 +1,84 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const agentEmitter = require('../../../agent-emitter');
+const { HTTP_RESPONSE_HOOKED_METHOD_KEYS } = require('../../../constants');
+const policy = require('../../policy');
+const { Signature, CallContext } = require('../../models');
+class SpdyXss {
+  constructor(agent) {
+    this.common = require('../../sinks/common')(agent);
+    this.rules = policy.rules;
+    this.ruleId = 'reflected-xss';
+    this.signature = new Signature({
+      moduleName: 'spdy.response',
+      methodName: 'push',
+      isModule: false
+    });
+    agentEmitter.on(
+      HTTP_RESPONSE_HOOKED_METHOD_KEYS.PUSH,
+      this.checkResult.bind(this)
+    );
+  }
+  /**
+   * checks if an assess rule is enabled in policy
+   */
+  get enabled() {
+    return (
+      this.rules &&
+      this.rules['reflected-xss'] &&
+      this.rules['reflected-xss'].enabled
+    );
+  }
+  checkResult(body) {
+    if (!this.enabled) {
+      return;
+    }
+    const { ruleId, signature } = this;
+    const {
+      isVulnerable,
+      xss: { disallowedTags },
+      requiredTags,
+      report
+    } = this.common;
+    if (
+      isVulnerable({
+        input: body,
+        disallowedTags,
+        requiredTags,
+        ruleId
+      })
+    ) {
+      const ctxt = new CallContext({
+        obj: body,
+        args: [body],
+        result: body,
+        stackOpts: {
+          constructorOpt: agentEmitter.emit
+        }
+      });
+      report({ ruleId, signature, input: body, ctxt });
+    }
+  }
+}
+module.exports = SpdyXss;

package/lib/assess/static/hardcoded.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/technologies/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -31,7 +31,8 @@ const technologies = {
     'fastify',
     'restify',
     'loopback',
-    'kraken-js'
+    'kraken-js',
+    'sails'
   ],
   templating: ['jade', 'ejs', 'nunjucks', 'mustache', 'dust', 'handlebars'],
   loggers: ['winston', 'debug'],

package/lib/assess/utils.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/cli-rewriter/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/constants.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -108,8 +108,11 @@ const RULES = {
     'cmd-injection-semantic-chained-commands',
   CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS:
     'cmd-injection-semantic-dangerous-paths',
-  IP_DENYLIST: 'ip-blacklist',
+  IP_DENYLIST: 'ip-denylist',
   METHOD_TAMPERING: 'method-tampering',
+  // The following is not a known rule in TS and is only used by SR when
+  // reporting certain analysis results. We convert to nosqli before reporting
+  NOSQL_EXPANSION: 'nosql-expansion',
   NOSQL_INJECTION: 'nosql-injection',
   PATH_TRAVERSAL: 'path-traversal',
   REFLECTED_XSS: 'reflected-xss',
@@ -641,7 +644,8 @@ const REQUIRED_SIGNATURE_KEYS = [
 const HTTP_RESPONSE_HOOKED_METHOD_KEYS = {
   WRITE_HEAD: Symbol('writeHead'),
-  END: Symbol('end')
+  END: Symbol('end'),
+  PUSH: Symbol('push')
 };
 const PATCH_TYPES = {

package/lib/contrast.js CHANGED Viewed

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -178,7 +178,7 @@ contrastAgent.configureGlobalLogger = function(config, args, target = global) {
 function getAgentArgs(options) {
   const agentArgs = {};
-  options.options.forEach((opt) => {
+  program.options.forEach((opt) => {
     if (opt.name() !== 'application.args' && options[opt.name()]) {
       agentArgs[opt.name()] = options[opt.name()];
     }
@@ -243,8 +243,8 @@ contrastAgent.prepare = function(...args) {
     logger.info('Using config file at %s', config.configFile);
     // log the argv before and after modification.
-    logger.info(`Original argv: ${options.rawArgs.join(', ')}`);
-    logger.info(`Modified argv: ${options.args.join(', ')}`);
+    logger.info(`Original argv: ${program.rawArgs.join(', ')}`);
+    logger.info(`Modified argv: ${program.args.join(', ')}`);
     agent.config = config;
     agent.tsFeatureSet.config = config;
@@ -335,12 +335,12 @@ contrastAgent.init = async function(args, isCli = false) {
     // source: args passed to cli, destination: args after cli parsed it
     .action(async function callPrepare(options, commanderArgs = []) {
       // the user app main differs if a runner vs preload
-      script = isCli ? options.args[0] : options.rawArgs[1];
+      script = isCli ? program.args[0] : program.rawArgs[1];
       options.script = script;
       // need to slice off app main in runner mode
       options['application.args'] = isCli
-        ? options.args.slice(1)
-        : options.args;
+        ? program.args.slice(1)
+        : program.args;
       try {
         enabled = await contrastAgent.prepare(options, commanderArgs, isCli);

package/lib/core/arch-components/dynamodb.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/core/arch-components/dynamodbv3.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/core/arch-components/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -18,3 +18,4 @@ require('./sqlite3');
 require('./postgres');
 require('./dynamodb');
 require('./dynamodbv3');
+require('./rethinkdb');

package/lib/core/arch-components/mongodb.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -28,25 +28,29 @@ ModuleHook.resolve(
       patchType: PATCH_TYPES.ARCH_COMPONENT,
       alwaysRun: true,
       post(ctx) {
-        try {
-          const { servers = [] } = this.s.options;
-          if (servers.length === 0) {
-            logger.warn('Unable to find any MongoDB servers\n');
-          }
-          for (const server of servers) {
-            agentEmitter.emit('architectureComponent', {
-              vendor: 'MongoDB',
-              url: `mongodb://${server.host}`,
-              remoteHost: '',
-              remotePort: server.port
-            });
-          }
-        } catch (err) {
-          logger.warn(
-            'unable to report MongoDB architecture component\n%o',
-            err
-          );
+        if (!ctx.result || !ctx.result.then) {
+          return;
         }
+        // We should report only when connection is successful
+        ctx.result.then(function(client) {
+          try {
+            const { servers = [] } = ctx.obj.s && ctx.obj.s.options;
+            for (const server of servers) {
+              agentEmitter.emit('architectureComponent', {
+                vendor: 'MongoDB',
+                url: `mongodb://${server.host}:${server.port}`,
+                remoteHost: '',
+                remotePort: server.port
+              });
+            }
+          } catch (err) {
+            logger.warn(
+              'unable to report MongoDB architecture component\n%o',
+              err
+            );
+          }
+        });
       }
     });
   }

package/lib/core/arch-components/mysql.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/core/arch-components/postgres.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -26,15 +26,33 @@ ModuleHook.resolve({ name: 'pg', file: 'lib/client.js' }, (pgClient) =>
     alwaysRun: true,
     post(wrapCtx) {
       try {
-        const { host, port } = wrapCtx.result;
+        const {
+          host = process.env.PGHOST,
+          port = process.env.PGPORT
+        } = wrapCtx.result;
+        if (!host) {
+          return;
+        }
+        let url = host;
+        // build protocol and port into url prior to parsing
+        if (url.indexOf('://') === -1) {
+          url = `postgresql://${url}`;
+        }
+        if (port !== undefined) {
+          url = `${url}:${port}`;
+        }
         agentEmitter.emit('architectureComponent', {
           vendor: 'PostgreSQL',
           remotePort: port || 0,
-          url: new URL(host).toString()
+          url: new URL(url).toString()
         });
       } catch (err) {
         logger.warn(
-          'unable to report PostgreSQL architecture component\n',
+          'unable to report PostgreSQL architecture component\n%o',
           err
         );
       }

package/lib/core/arch-components/rethinkdb.js ADDED Viewed

@@ -0,0 +1,53 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const agentEmitter = require('../../agent-emitter');
+const { PATCH_TYPES } = require('../../constants');
+const ModuleHook = require('../../hooks/require');
+const patcher = require('../../hooks/patcher');
+const logger = require('../logger')('contrast:arch-component');
+ModuleHook.resolve({ name: 'rethinkdb' }, (rethinkdb) => {
+  patcher.patch(rethinkdb, 'connect', {
+    name: 'rethinkdb.arch_component',
+    patchType: PATCH_TYPES.ARCH_COMPONENT,
+    alwaysRun: true,
+    post(ctx) {
+      ctx.result
+        .then((res) => {
+          if (res.open) {
+            const url =
+              res.host == 'localhost'
+                ? 'http://localhost'
+                : new URL(res.host).toString();
+            agentEmitter.emit('architectureComponent', {
+              vendor: 'RethinkDB',
+              url,
+              remotePort: res.port
+            });
+          } else {
+            logger.warn('unable to open RethinkDB connection');
+          }
+        })
+        .catch((err) => {
+          logger.warn(
+            'unable to report RethinkDB architecture component\n%o',
+            err
+          );
+        });
+    }
+  });
+});

package/lib/core/arch-components/sqlite3.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -13,6 +13,7 @@ Copyright: 2021 Contrast Security, Inc
   way not consistent with the End User License Agreement.
 */
 'use strict';
 const patcher = require('../../hooks/patcher');
 const ModuleHook = require('../../hooks/require');
 const agentEmitter = require('../../agent-emitter');
@@ -26,17 +27,14 @@ ModuleHook.resolve({ name: 'sqlite3' }, (sqlite3) => {
     alwaysRun: true,
     post(wrapCtx) {
       try {
-        // can either be a path to a file or `:memory:'.
-        const url = new URL(wrapCtx.args[0]).toString();
         agentEmitter.emit('architectureComponent', {
           vendor: 'SQLite3',
-          url,
+          url: wrapCtx.args[0],
           remoteHost: '',
           remotePort: 0
         });
       } catch (err) {
-        logger.warn('unable to report SQLite3 architecture component\n', err);
+        logger.warn('unable to report SQLite3 architecture component\n%o', err);
       }
     }
   });

package/lib/core/async-storage/context.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/core/async-storage/hooks/bluebird.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/core/async-storage/hooks/mongodb-core.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/core/async-storage/hooks/mysql.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/core/async-storage/hooks/redis.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/core/async-storage/hooks/utils.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/core/async-storage/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/core/async-storage/scopes/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/core/common/formidable.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial