@contrast/agent 4.7.0 → 4.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (563) hide show
  1. package/LICENSE +1 -1
  2. package/agent-loader.js +1 -1
  3. package/bin/VERSION +1 -1
  4. package/bin/linux/contrast-service +0 -0
  5. package/bin/mac/contrast-service +0 -0
  6. package/bin/windows/contrast-service.exe +0 -0
  7. package/bootstrap.js +13 -3
  8. package/cli-rewriter.js +1 -1
  9. package/cli.js +1 -1
  10. package/esm.mjs +34 -1
  11. package/lib/agent-emitter.js +1 -1
  12. package/lib/agent.js +1 -1
  13. package/lib/app-info.js +1 -1
  14. package/lib/assess/deadzones/index.js +1 -1
  15. package/lib/assess/deadzones/rewrite.js +1 -1
  16. package/lib/assess/express/index.js +1 -1
  17. package/lib/assess/express/route-coverage.js +1 -1
  18. package/lib/assess/express/sinks/index.js +1 -1
  19. package/lib/assess/express/sinks/xss.js +1 -1
  20. package/lib/assess/express/sources.js +1 -1
  21. package/lib/assess/fastify/index.js +1 -1
  22. package/lib/assess/fastify/route-coverage.js +1 -1
  23. package/lib/assess/fastify/sinks/index.js +1 -1
  24. package/lib/assess/fastify/sinks/response-scanning.js +1 -1
  25. package/lib/assess/fastify/sinks/unvalidated-redirect.js +1 -1
  26. package/lib/assess/fastify/sinks/xss.js +1 -1
  27. package/lib/assess/fastify/sources.js +1 -1
  28. package/lib/assess/hapi/index.js +1 -1
  29. package/lib/assess/hapi/route-coverage.js +1 -1
  30. package/lib/assess/hapi/sinks/index.js +1 -1
  31. package/lib/assess/hapi/sinks/response-scanning.js +1 -1
  32. package/lib/assess/hapi/sinks/session.js +1 -1
  33. package/lib/assess/hapi/sinks/unvalidated-redirect.js +1 -1
  34. package/lib/assess/hapi/sinks/xss.js +1 -1
  35. package/lib/assess/hapi/sources.js +1 -1
  36. package/lib/assess/index.js +3 -1
  37. package/lib/assess/koa/index.js +1 -1
  38. package/lib/assess/koa/route-coverage.js +1 -1
  39. package/lib/assess/koa/sinks/index.js +1 -1
  40. package/lib/assess/koa/sinks/response-scanning.js +1 -1
  41. package/lib/assess/koa/sinks/unvalidated-redirect.js +1 -1
  42. package/lib/assess/koa/sinks/xss.js +1 -1
  43. package/lib/assess/koa/sources.js +1 -1
  44. package/lib/assess/loopback4/index.js +1 -1
  45. package/lib/assess/loopback4/route-coverage.js +1 -1
  46. package/lib/assess/loopback4/sinks/index.js +1 -1
  47. package/lib/assess/loopback4/sinks/response-scanning.js +1 -1
  48. package/lib/assess/loopback4/sinks/xss.js +1 -1
  49. package/lib/assess/loopback4/sources.js +1 -1
  50. package/lib/assess/membrane/debraner.js +1 -1
  51. package/lib/assess/membrane/deserialization-membrane.js +5 -6
  52. package/lib/assess/membrane/index.js +1 -1
  53. package/lib/assess/membrane/source-membrane.js +16 -20
  54. package/lib/assess/models/base-event.js +1 -1
  55. package/lib/assess/models/call-context.js +2 -2
  56. package/lib/assess/models/index.js +1 -1
  57. package/lib/assess/models/propagation-event.js +1 -1
  58. package/lib/assess/models/signature.js +1 -1
  59. package/lib/assess/models/sink-event.js +1 -1
  60. package/lib/assess/models/source-event.js +7 -1
  61. package/lib/assess/models/tag-range/index.js +1 -1
  62. package/lib/assess/models/tag-range/relationships.js +1 -1
  63. package/lib/assess/models/tag-range/util.js +1 -1
  64. package/lib/assess/policy/index.js +1 -1
  65. package/lib/assess/policy/init.js +1 -1
  66. package/lib/assess/policy/propagators.json +8 -0
  67. package/lib/assess/policy/rules.json +31 -2
  68. package/lib/assess/policy/signatures.json +33 -6
  69. package/lib/assess/policy/util.js +3 -2
  70. package/lib/assess/propagators/JSON/parse.js +2 -2
  71. package/lib/assess/propagators/JSON/stringify.js +81 -11
  72. package/lib/assess/propagators/ajv/conditionals.js +1 -1
  73. package/lib/assess/propagators/ajv/evaluator-shim.js +1 -1
  74. package/lib/assess/propagators/ajv/index.js +1 -1
  75. package/lib/assess/propagators/ajv/json-schema-type-evaluators.js +1 -1
  76. package/lib/assess/propagators/ajv/object-walk.js +1 -1
  77. package/lib/assess/propagators/ajv/refs.js +1 -1
  78. package/lib/assess/propagators/ajv/schema-context.js +1 -1
  79. package/lib/assess/propagators/array-prototype-join.js +8 -9
  80. package/lib/assess/propagators/common.js +8 -6
  81. package/lib/assess/propagators/dustjs/escape-html.js +1 -1
  82. package/lib/assess/propagators/dustjs/escape-js.js +1 -1
  83. package/lib/assess/propagators/ejs-template-generate-source.js +1 -1
  84. package/lib/assess/propagators/encode-uri/encode-uri-component.js +1 -1
  85. package/lib/assess/propagators/encode-uri/encode-uri.js +1 -1
  86. package/lib/assess/propagators/handlebars-compile.js +1 -1
  87. package/lib/assess/propagators/handlebars-escape-expresssion.js +2 -2
  88. package/lib/assess/propagators/index.js +1 -1
  89. package/lib/assess/propagators/joi/boolean.js +2 -2
  90. package/lib/assess/propagators/joi/expression.js +2 -2
  91. package/lib/assess/propagators/joi/index.js +1 -1
  92. package/lib/assess/propagators/joi/number.js +2 -2
  93. package/lib/assess/propagators/joi/string-base.js +2 -2
  94. package/lib/assess/propagators/joi/string-schema.js +13 -14
  95. package/lib/assess/propagators/joi/values.js +12 -12
  96. package/lib/assess/propagators/manager.js +13 -11
  97. package/lib/assess/propagators/mongoose/helpers.js +20 -0
  98. package/lib/assess/propagators/mongoose/index.js +18 -0
  99. package/lib/assess/propagators/mongoose/map.js +74 -0
  100. package/lib/assess/propagators/mongoose/string.js +104 -0
  101. package/lib/assess/propagators/mustache/escape.js +1 -1
  102. package/lib/assess/propagators/number.js +54 -0
  103. package/lib/assess/propagators/object.js +7 -8
  104. package/lib/assess/propagators/path/basename.js +15 -14
  105. package/lib/assess/propagators/path/common.js +2 -2
  106. package/lib/assess/propagators/path/dirname.js +15 -14
  107. package/lib/assess/propagators/path/extname.js +15 -14
  108. package/lib/assess/propagators/path/format.js +1 -1
  109. package/lib/assess/propagators/path/join.js +1 -1
  110. package/lib/assess/propagators/path/normalize.js +1 -1
  111. package/lib/assess/propagators/path/parse.js +2 -2
  112. package/lib/assess/propagators/path/relative.js +8 -6
  113. package/lib/assess/propagators/path/resolve.js +1 -1
  114. package/lib/assess/propagators/path/to-namespaced-path.js +1 -1
  115. package/lib/assess/propagators/pug-compile.js +1 -1
  116. package/lib/assess/propagators/querystring/escape.js +21 -19
  117. package/lib/assess/propagators/querystring/parse.js +8 -6
  118. package/lib/assess/propagators/querystring/stringify.js +26 -25
  119. package/lib/assess/propagators/querystring/unescape.js +21 -19
  120. package/lib/assess/propagators/querystring/utils.js +1 -1
  121. package/lib/assess/propagators/sequelize/sql-string-escape.js +2 -2
  122. package/lib/assess/propagators/sequelize/sql-string-format-named-parameters.js +2 -2
  123. package/lib/assess/propagators/sequelize/sql-string-format.js +4 -4
  124. package/lib/assess/propagators/sequelize/utils.js +3 -3
  125. package/lib/assess/propagators/string-prototype-replace.js +31 -29
  126. package/lib/assess/propagators/string-prototype-split.js +37 -37
  127. package/lib/assess/propagators/string-prototype-trim.js +16 -18
  128. package/lib/assess/propagators/string.js +13 -17
  129. package/lib/assess/propagators/template-escape.js +22 -19
  130. package/lib/assess/propagators/templates.js +9 -9
  131. package/lib/assess/propagators/url/url-prototype-parse.js +6 -7
  132. package/lib/assess/propagators/url/url-url.js +52 -44
  133. package/lib/assess/propagators/url/utils.js +1 -1
  134. package/lib/assess/propagators/util/format.js +2 -2
  135. package/lib/assess/propagators/utils.js +1 -1
  136. package/lib/assess/propagators/v8/init-hooks.js +4 -4
  137. package/lib/assess/propagators/validator/init-hooks.js +23 -23
  138. package/lib/assess/propagators/validator/validator-methods.js +1 -2
  139. package/lib/assess/response-scanning/app-activity.js +1 -1
  140. package/lib/assess/response-scanning/autocomplete-missing.js +1 -1
  141. package/lib/assess/response-scanning/cache-controls-missing.js +1 -1
  142. package/lib/assess/response-scanning/clickjacking-control-missing.js +1 -1
  143. package/lib/assess/response-scanning/common.js +1 -1
  144. package/lib/assess/response-scanning/cookies/common.js +1 -1
  145. package/lib/assess/response-scanning/cookies/events.js +1 -1
  146. package/lib/assess/response-scanning/cookies/httponly.js +1 -1
  147. package/lib/assess/response-scanning/cookies/secure-flag-missing.js +1 -1
  148. package/lib/assess/response-scanning/headers/csp-header-insecure.js +1 -1
  149. package/lib/assess/response-scanning/headers/csp-header-missing.js +1 -1
  150. package/lib/assess/response-scanning/headers/csp-utils.js +1 -1
  151. package/lib/assess/response-scanning/headers/hsts-header-missing.js +1 -1
  152. package/lib/assess/response-scanning/headers/powered-by.js +1 -1
  153. package/lib/assess/response-scanning/headers/xcontenttype-header-missing.js +1 -1
  154. package/lib/assess/response-scanning/headers/xxssprotection-header-disabled.js +1 -1
  155. package/lib/assess/response-scanning/parameter-pollution.js +1 -1
  156. package/lib/assess/response-scanning/parseable-response-emitter.js +1 -1
  157. package/lib/assess/restify/index.js +1 -1
  158. package/lib/assess/restify/route-coverage.js +1 -1
  159. package/lib/assess/restify/session.js +1 -1
  160. package/lib/assess/restify/sinks/index.js +1 -1
  161. package/lib/assess/restify/sinks/response-scanning.js +1 -1
  162. package/lib/assess/restify/sinks/unvalidated-redirect.js +1 -1
  163. package/lib/assess/restify/sinks/xss.js +1 -1
  164. package/lib/assess/restify/sources.js +1 -1
  165. package/lib/assess/sinks/common.js +11 -6
  166. package/lib/assess/sinks/dustjs-linkedin-xss.js +1 -1
  167. package/lib/assess/sinks/dynamo.js +1 -1
  168. package/lib/assess/sinks/hapi-16-xss.js +1 -1
  169. package/lib/assess/sinks/index.js +1 -1
  170. package/lib/assess/sinks/libxmljs-xxe.js +2 -2
  171. package/lib/assess/sinks/mongodb.js +3 -2
  172. package/lib/assess/sinks/rethinkdb-nosql-injection.js +142 -0
  173. package/lib/assess/sinks/ssrf-url.js +2 -2
  174. package/lib/assess/sources/event-handler.js +307 -0
  175. package/lib/assess/sources/formidable.js +1 -1
  176. package/lib/assess/sources/index.js +94 -6
  177. package/lib/assess/spdy/index.js +23 -0
  178. package/lib/assess/spdy/sinks/index.js +23 -0
  179. package/lib/assess/spdy/sinks/xss.js +84 -0
  180. package/lib/assess/static/hardcoded.js +1 -1
  181. package/lib/assess/technologies/index.js +3 -2
  182. package/lib/assess/utils.js +1 -1
  183. package/lib/cli-rewriter/index.js +1 -1
  184. package/lib/constants.js +7 -3
  185. package/lib/contrast.js +7 -7
  186. package/lib/core/arch-components/dynamodb.js +1 -1
  187. package/lib/core/arch-components/dynamodbv3.js +1 -1
  188. package/lib/core/arch-components/index.js +2 -1
  189. package/lib/core/arch-components/mongodb.js +23 -19
  190. package/lib/core/arch-components/mysql.js +1 -1
  191. package/lib/core/arch-components/postgres.js +22 -4
  192. package/lib/core/arch-components/rethinkdb.js +1 -1
  193. package/lib/core/arch-components/sqlite3.js +4 -6
  194. package/lib/core/async-storage/context.js +1 -1
  195. package/lib/core/async-storage/hooks/bluebird.js +1 -1
  196. package/lib/core/async-storage/hooks/mongodb-core.js +1 -1
  197. package/lib/core/async-storage/hooks/mysql.js +1 -1
  198. package/lib/core/async-storage/hooks/redis.js +1 -1
  199. package/lib/core/async-storage/hooks/utils.js +1 -1
  200. package/lib/core/async-storage/index.js +1 -1
  201. package/lib/core/async-storage/scopes/index.js +1 -1
  202. package/lib/core/common/formidable.js +1 -1
  203. package/lib/core/common/index.js +1 -1
  204. package/lib/core/config/options.js +37 -3
  205. package/lib/core/config/util.js +1 -1
  206. package/lib/core/exclusions/exclusion-factory.js +1 -1
  207. package/lib/core/exclusions/exclusion.js +3 -6
  208. package/lib/core/exclusions/input.js +1 -1
  209. package/lib/core/exclusions/url.js +1 -1
  210. package/lib/core/express/index.js +26 -3
  211. package/lib/core/express/utils.js +9 -4
  212. package/lib/core/fastify/index.js +1 -1
  213. package/lib/core/fastify/utils.js +1 -1
  214. package/lib/core/hapi/index.js +1 -1
  215. package/lib/core/hapi/utils.js +1 -1
  216. package/lib/core/index.js +1 -1
  217. package/lib/core/koa/index.js +1 -1
  218. package/lib/core/koa/utils.js +1 -1
  219. package/lib/core/logger/daily-rotate-file.js +1 -1
  220. package/lib/core/logger/dataflow-monitor.js +1 -1
  221. package/lib/core/logger/debug-logger.js +1 -1
  222. package/lib/core/logger/index.js +1 -1
  223. package/lib/core/logger/perf-logger.js +1 -1
  224. package/lib/core/logger/umbrella-logger.js +1 -1
  225. package/lib/core/loopback4/index.js +1 -1
  226. package/lib/core/metrics/index.js +1 -1
  227. package/lib/core/restify/index.js +1 -1
  228. package/lib/core/restify/utils.js +1 -1
  229. package/lib/core/rewrite/assignment-expression.js +1 -1
  230. package/lib/core/rewrite/binary-expression.js +1 -1
  231. package/lib/core/rewrite/call-expression.js +1 -1
  232. package/lib/core/rewrite/callees.js +1 -1
  233. package/lib/core/rewrite/catch-clause.js +1 -1
  234. package/lib/core/rewrite/function-wrap.js +1 -1
  235. package/lib/core/rewrite/index.js +1 -1
  236. package/lib/core/rewrite/injections.js +9 -1
  237. package/lib/core/rewrite/is-contrast-method.js +1 -1
  238. package/lib/core/rewrite/log.js +1 -1
  239. package/lib/core/rewrite/member-expression.js +1 -1
  240. package/lib/core/rewrite/object-property.js +1 -1
  241. package/lib/core/rewrite/prepend-globals.js +1 -1
  242. package/lib/core/rewrite/rewrite-log.js +1 -1
  243. package/lib/core/rewrite/switch-statement.js +1 -1
  244. package/lib/core/rewrite/template-literal.js +1 -1
  245. package/lib/core/stacktrace.js +1 -1
  246. package/lib/coverage.js +1 -1
  247. package/lib/feature-set.js +2 -2
  248. package/lib/generator-function.js +1 -1
  249. package/lib/hooks/array.js +1 -1
  250. package/lib/hooks/cluster.js +1 -1
  251. package/lib/hooks/dataflow-monitor.js +1 -1
  252. package/lib/hooks/encoding.js +1 -1
  253. package/lib/hooks/express-fileupload.js +1 -1
  254. package/lib/hooks/express-session.js +1 -1
  255. package/lib/hooks/fn-to-string.js +1 -1
  256. package/lib/hooks/frameworks/base.js +1 -1
  257. package/lib/hooks/frameworks/common.js +1 -1
  258. package/lib/hooks/frameworks/hapi16.js +1 -1
  259. package/lib/hooks/frameworks/http.js +1 -1
  260. package/lib/hooks/frameworks/http2.js +1 -1
  261. package/lib/hooks/frameworks/index.js +3 -1
  262. package/lib/hooks/frameworks/spdy.js +87 -0
  263. package/lib/hooks/hapi-16-reply.js +1 -1
  264. package/lib/hooks/hapi-16-session.js +1 -1
  265. package/lib/hooks/http.js +12 -1
  266. package/lib/hooks/module/extensions.js +1 -1
  267. package/lib/hooks/module/helpers.js +1 -1
  268. package/lib/hooks/module/index.js +1 -1
  269. package/lib/hooks/newrelic.js +1 -1
  270. package/lib/hooks/object-is.js +1 -1
  271. package/lib/hooks/object-to-primitive.js +7 -8
  272. package/lib/hooks/patcher.js +2 -2
  273. package/lib/hooks/require.js +1 -1
  274. package/lib/hooks/stealthy-require.js +1 -1
  275. package/lib/instrumentation.js +1 -1
  276. package/lib/libraries.js +1 -1
  277. package/lib/library-usage.js +1 -1
  278. package/lib/list-installed.js +1 -1
  279. package/lib/protect/analysis/aho-corasick.js +1 -1
  280. package/lib/protect/analysis/dfsa-analyzer.js +1 -1
  281. package/lib/protect/errors/handler.js +1 -1
  282. package/lib/protect/errors/security-exception.js +1 -1
  283. package/lib/protect/express/index.js +1 -1
  284. package/lib/protect/express/sinks.js +1 -1
  285. package/lib/protect/express/sources.js +1 -1
  286. package/lib/protect/fastify/index.js +1 -1
  287. package/lib/protect/fastify/sinks.js +1 -1
  288. package/lib/protect/fastify/sources.js +1 -1
  289. package/lib/protect/hapi/error-handler.js +1 -1
  290. package/lib/protect/hapi/index.js +1 -1
  291. package/lib/protect/hapi/sinks.js +1 -1
  292. package/lib/protect/hapi/sources.js +1 -1
  293. package/lib/protect/index.js +1 -1
  294. package/lib/protect/input-analysis.js +1 -1
  295. package/lib/protect/koa/index.js +1 -1
  296. package/lib/protect/koa/sinks.js +1 -1
  297. package/lib/protect/koa/sources.js +1 -1
  298. package/lib/protect/listeners.js +1 -1
  299. package/lib/protect/loopback4/index.js +1 -1
  300. package/lib/protect/loopback4/sources.js +1 -1
  301. package/lib/protect/models/application-context.js +1 -1
  302. package/lib/protect/models/sink-event.js +1 -1
  303. package/lib/protect/models/source-event.js +1 -1
  304. package/lib/protect/restify/index.js +1 -1
  305. package/lib/protect/restify/sinks.js +1 -1
  306. package/lib/protect/restify/sources.js +1 -1
  307. package/lib/protect/rules/assessment.js +1 -1
  308. package/lib/protect/rules/attack-patterns.js +1 -1
  309. package/lib/protect/rules/base-scanner/index.js +1 -1
  310. package/lib/protect/rules/base-scanner/java-script-scanner.js +1 -1
  311. package/lib/protect/rules/base-scanner/postgresqlscanner.js +1 -1
  312. package/lib/protect/rules/base-scanner/scan-state.js +1 -1
  313. package/lib/protect/rules/base-scanner/substring-finder.js +1 -1
  314. package/lib/protect/rules/base-scanner/token-sequence.js +1 -1
  315. package/lib/protect/rules/bot-blocker/bot-blocker-rule.js +1 -1
  316. package/lib/protect/rules/bot-blocker/index.js +1 -1
  317. package/lib/protect/rules/cmd-injection/cmdinjection-rule.js +1 -1
  318. package/lib/protect/rules/cmd-injection-command-backdoors/backdoor-detector.js +1 -1
  319. package/lib/protect/rules/cmd-injection-command-backdoors/cmd-injection-command-backdoors-rule.js +1 -1
  320. package/lib/protect/rules/cmd-injection-semantic-chained-commands/chained-command-scanner.js +1 -1
  321. package/lib/protect/rules/cmd-injection-semantic-chained-commands/cmd-injection-semantic-chained-commands-rule.js +1 -1
  322. package/lib/protect/rules/cmd-injection-semantic-dangerous-paths/cmd-injection-semantic-dangerous-paths-rule.js +1 -1
  323. package/lib/protect/rules/cmd-injection-semantic-dangerous-paths/dangerous-paths-scanner.js +1 -1
  324. package/lib/protect/rules/common.js +1 -1
  325. package/lib/protect/rules/index.js +1 -1
  326. package/lib/protect/rules/ip-denylist/ip-denylist-rule.js +1 -1
  327. package/lib/protect/rules/method-tampering/evaluator.js +1 -1
  328. package/lib/protect/rules/method-tampering/method-tampering-rule.js +1 -1
  329. package/lib/protect/rules/nosqli/nosql-injection-rule.js +228 -0
  330. package/lib/protect/rules/nosqli/nosql-scanner/index.js +1 -1
  331. package/lib/protect/rules/nosqli/nosql-scanner/mongodbscanner.js +1 -1
  332. package/lib/protect/rules/path-traversal/path-traversal-rule.js +1 -1
  333. package/lib/protect/rules/rule-factory.js +3 -3
  334. package/lib/protect/rules/signatures/cmd-injection/custom-searchers/chained-command-searcher.js +1 -1
  335. package/lib/protect/rules/signatures/cmd-injection/custom-searchers/index.js +1 -1
  336. package/lib/protect/rules/signatures/cmd-injection/index.js +1 -1
  337. package/lib/protect/rules/signatures/evaluator.js +1 -1
  338. package/lib/protect/rules/signatures/index.js +1 -1
  339. package/lib/protect/rules/signatures/nosql-injection/custom-searchers/index.js +1 -1
  340. package/lib/protect/rules/signatures/nosql-injection/custom-searchers/nosql-comment-searcher.js +1 -1
  341. package/lib/protect/rules/signatures/nosql-injection/custom-searchers/simple-or-searcher.js +1 -1
  342. package/lib/protect/rules/signatures/nosql-injection/index.js +1 -1
  343. package/lib/protect/rules/signatures/path-traversal/index.js +1 -1
  344. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/behavior-url-searcher.js +1 -1
  345. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/function-definition-searcher.js +1 -1
  346. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/immediate-function-searcher.js +1 -1
  347. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/index.js +1 -1
  348. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/link-and-src-target-searcher.js +1 -1
  349. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/location-set-searcher.js +1 -1
  350. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/map-access-searcher.js +1 -1
  351. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/native-function-execution-searcher.js +1 -1
  352. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/no-alnum-searcher.js +1 -1
  353. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/redefined-function-searcher.js +1 -1
  354. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/style-url-injection-searcher.js +1 -1
  355. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/variable-assignment-searcher.js +1 -1
  356. package/lib/protect/rules/signatures/reflected-xss/helpers/function-call.js +1 -1
  357. package/lib/protect/rules/signatures/reflected-xss/index.js +1 -1
  358. package/lib/protect/rules/signatures/signature.js +1 -1
  359. package/lib/protect/rules/signatures/sql-injection/custom-searchers/if-else-drop-searcher.js +1 -1
  360. package/lib/protect/rules/signatures/sql-injection/custom-searchers/index.js +1 -1
  361. package/lib/protect/rules/signatures/sql-injection/custom-searchers/simple-or-searcher.js +1 -1
  362. package/lib/protect/rules/signatures/sql-injection/custom-searchers/sql-comment-searcher.js +1 -1
  363. package/lib/protect/rules/signatures/sql-injection/custom-searchers/time-function-searcher.js +1 -1
  364. package/lib/protect/rules/signatures/sql-injection/custom-searchers/tsql-exec-searcher.js +1 -1
  365. package/lib/protect/rules/signatures/sql-injection/index.js +1 -1
  366. package/lib/protect/rules/signatures/ssjs-injection/index.js +1 -1
  367. package/lib/protect/rules/signatures/unsafe-file-upload/index.js +1 -1
  368. package/lib/protect/rules/signatures/untrusted-deserialization/index.js +1 -1
  369. package/lib/protect/rules/sqli/generic-complicated.js +1 -1
  370. package/lib/protect/rules/sqli/sql-injection-rule.js +1 -1
  371. package/lib/protect/rules/sqli/sql-scanner/index.js +1 -1
  372. package/lib/protect/rules/sqli/sql-scanner/mysql-scanner.js +1 -1
  373. package/lib/protect/rules/ssjs-injection/evaluator.js +1 -1
  374. package/lib/protect/rules/ssjs-injection/ssjsinjection-rule.js +1 -1
  375. package/lib/protect/rules/unsafe-file-upload/unsafe-file-upload-rule.js +1 -1
  376. package/lib/protect/rules/untrusted-deserialization/untrusted-deserialization-rule.js +1 -1
  377. package/lib/protect/rules/virtual-patch/index.js +1 -1
  378. package/lib/protect/rules/virtual-patch/utils.js +1 -1
  379. package/lib/protect/rules/virtual-patch/virtual-patch-rule.js +1 -1
  380. package/lib/protect/rules/xss/helpers/function-call.js +1 -1
  381. package/lib/protect/rules/xss/reflected-xss-rule.js +1 -1
  382. package/lib/protect/rules/xxe/xxerule.js +1 -1
  383. package/lib/protect/sample-aggregator.js +1 -1
  384. package/lib/protect/samples.js +1 -1
  385. package/lib/protect/service.js +24 -12
  386. package/lib/protect/sinks/child-process.js +1 -1
  387. package/lib/protect/sinks/eval.js +1 -1
  388. package/lib/protect/sinks/fs.js +1 -1
  389. package/lib/protect/sinks/function.js +1 -1
  390. package/lib/protect/sinks/index.js +1 -1
  391. package/lib/protect/sinks/libxmljs.js +1 -1
  392. package/lib/protect/sinks/mongodb.js +57 -56
  393. package/lib/protect/sinks/mysql.js +1 -1
  394. package/lib/protect/sinks/node-serialize.js +1 -1
  395. package/lib/protect/sinks/postgres.js +1 -1
  396. package/lib/protect/sinks/sequelize.js +1 -1
  397. package/lib/protect/sinks/sqlite3.js +1 -1
  398. package/lib/protect/sinks/vm.js +1 -1
  399. package/lib/protect/sources/busboy.js +1 -1
  400. package/lib/protect/sources/formidable.js +1 -1
  401. package/lib/protect/sources/index.js +1 -1
  402. package/lib/protect/validators/authorization.js +1 -1
  403. package/lib/protect/validators/common.js +1 -1
  404. package/lib/protect/validators/connection.js +1 -1
  405. package/lib/protect/validators/content-length.js +1 -1
  406. package/lib/protect/validators/host.js +1 -1
  407. package/lib/protect/validators/if-none-match.js +1 -1
  408. package/lib/protect/validators/index.js +1 -1
  409. package/lib/protect/validators/origin.js +1 -1
  410. package/lib/reporter/app-activity-queue.js +1 -1
  411. package/lib/reporter/grpc-client.js +1 -1
  412. package/lib/reporter/messages/speedracer/activity.js +1 -1
  413. package/lib/reporter/messages/speedracer/application-create.js +1 -1
  414. package/lib/reporter/messages/speedracer/application-update.js +1 -1
  415. package/lib/reporter/messages/speedracer/base.js +1 -1
  416. package/lib/reporter/messages/speedracer/index.js +1 -1
  417. package/lib/reporter/messages/speedracer/observed-route.js +1 -1
  418. package/lib/reporter/messages/speedracer/poll.js +1 -1
  419. package/lib/reporter/messages/speedracer/request.js +1 -1
  420. package/lib/reporter/messages/speedracer/startup.js +1 -1
  421. package/lib/reporter/messaging-router.js +1 -1
  422. package/lib/reporter/models/app-activity/app-activity.js +1 -1
  423. package/lib/reporter/models/app-activity/attacker-activity.js +1 -1
  424. package/lib/reporter/models/app-activity/defend.js +1 -1
  425. package/lib/reporter/models/app-activity/inventory.js +1 -1
  426. package/lib/reporter/models/app-activity/protection-rule-activity.js +1 -1
  427. package/lib/reporter/models/app-activity/rule-events.js +1 -1
  428. package/lib/reporter/models/app-activity/sample.js +1 -1
  429. package/lib/reporter/models/app-activity/source.js +1 -1
  430. package/lib/reporter/models/app-activity/user-input.js +1 -1
  431. package/lib/reporter/models/app-create.js +1 -1
  432. package/lib/reporter/models/app-update/index.js +1 -1
  433. package/lib/reporter/models/app-update/library-manifest.js +1 -1
  434. package/lib/reporter/models/app-update/library-usage.js +1 -1
  435. package/lib/reporter/models/app-update/library.js +1 -1
  436. package/lib/reporter/models/event-tag.js +1 -1
  437. package/lib/reporter/models/finding/event.js +1 -1
  438. package/lib/reporter/models/finding/finding.js +1 -1
  439. package/lib/reporter/models/frameworks/express-request.js +1 -1
  440. package/lib/reporter/models/frameworks/fastify-request.js +1 -1
  441. package/lib/reporter/models/frameworks/hapi-request.js +1 -1
  442. package/lib/reporter/models/frameworks/index.js +1 -1
  443. package/lib/reporter/models/frameworks/koa-request.js +1 -1
  444. package/lib/reporter/models/frameworks/restify-request.js +1 -1
  445. package/lib/reporter/models/observed-route.js +1 -1
  446. package/lib/reporter/models/request.js +1 -1
  447. package/lib/reporter/models/route-coverage.js +1 -1
  448. package/lib/reporter/models/startup.js +1 -1
  449. package/lib/reporter/models/trace-event-source.js +1 -1
  450. package/lib/reporter/models/utils/request-factory.js +1 -1
  451. package/lib/reporter/models/utils/user-input-factory.js +1 -1
  452. package/lib/reporter/models/utils/user-input-kit.js +1 -1
  453. package/lib/reporter/mq-client.js +1 -1
  454. package/lib/reporter/server-activity-queue.js +1 -1
  455. package/lib/reporter/socket-client.js +1 -1
  456. package/lib/reporter/speedracer/base-connection-state.js +1 -1
  457. package/lib/reporter/speedracer/constants.js +1 -1
  458. package/lib/reporter/speedracer/failure-connection-state.js +1 -1
  459. package/lib/reporter/speedracer/index.js +1 -1
  460. package/lib/reporter/speedracer/success-connection-state.js +1 -1
  461. package/lib/reporter/speedracer/unknown-connection-state.js +1 -1
  462. package/lib/reporter/translations/enums.js +1 -1
  463. package/lib/reporter/translations/helpers.js +1 -1
  464. package/lib/reporter/translations/to-protobuf/dtm/activity.js +1 -1
  465. package/lib/reporter/translations/to-protobuf/dtm/address.js +1 -1
  466. package/lib/reporter/translations/to-protobuf/dtm/agent-startup.js +1 -1
  467. package/lib/reporter/translations/to-protobuf/dtm/application-create.js +1 -1
  468. package/lib/reporter/translations/to-protobuf/dtm/application-update.js +1 -1
  469. package/lib/reporter/translations/to-protobuf/dtm/architecture-component.js +1 -1
  470. package/lib/reporter/translations/to-protobuf/dtm/attack-result.js +1 -1
  471. package/lib/reporter/translations/to-protobuf/dtm/bot-blocker-details.js +1 -1
  472. package/lib/reporter/translations/to-protobuf/dtm/cmd-injection-details.js +1 -1
  473. package/lib/reporter/translations/to-protobuf/dtm/cmd-injection-semantic-analysis-details.js +1 -1
  474. package/lib/reporter/translations/to-protobuf/dtm/finding.js +1 -1
  475. package/lib/reporter/translations/to-protobuf/dtm/http-method-tampering-details.js +1 -1
  476. package/lib/reporter/translations/to-protobuf/dtm/http-request.js +1 -1
  477. package/lib/reporter/translations/to-protobuf/dtm/index.js +2 -2
  478. package/lib/reporter/translations/to-protobuf/dtm/ip-denylist-details.js +2 -2
  479. package/lib/reporter/translations/to-protobuf/dtm/library-usage-update.js +1 -1
  480. package/lib/reporter/translations/to-protobuf/dtm/no-sql-injection-details.js +1 -1
  481. package/lib/reporter/translations/to-protobuf/dtm/observed-route.js +1 -1
  482. package/lib/reporter/translations/to-protobuf/dtm/pair.js +1 -1
  483. package/lib/reporter/translations/to-protobuf/dtm/path-traversal-details.js +1 -1
  484. package/lib/reporter/translations/to-protobuf/dtm/poll.js +1 -1
  485. package/lib/reporter/translations/to-protobuf/dtm/rasp-rule-sample.js +2 -2
  486. package/lib/reporter/translations/to-protobuf/dtm/raw-request.js +1 -1
  487. package/lib/reporter/translations/to-protobuf/dtm/route-coverage.js +1 -1
  488. package/lib/reporter/translations/to-protobuf/dtm/simple-pair.js +1 -1
  489. package/lib/reporter/translations/to-protobuf/dtm/sql-injection-details.js +1 -1
  490. package/lib/reporter/translations/to-protobuf/dtm/ssjs-injection-details.js +1 -1
  491. package/lib/reporter/translations/to-protobuf/dtm/stack-trace-element.js +1 -1
  492. package/lib/reporter/translations/to-protobuf/dtm/trace-event/action.js +1 -1
  493. package/lib/reporter/translations/to-protobuf/dtm/trace-event/index.js +5 -5
  494. package/lib/reporter/translations/to-protobuf/dtm/trace-event/parent-object-id.js +1 -1
  495. package/lib/reporter/translations/to-protobuf/dtm/trace-event/trace-event-object.js +1 -1
  496. package/lib/reporter/translations/to-protobuf/dtm/trace-event/trace-event-signature.js +1 -1
  497. package/lib/reporter/translations/to-protobuf/dtm/trace-event/trace-event-source.js +1 -1
  498. package/lib/reporter/translations/to-protobuf/dtm/trace-event/trace-stack.js +1 -1
  499. package/lib/reporter/translations/to-protobuf/dtm/trace-event/trace-taint-range.js +1 -1
  500. package/lib/reporter/translations/to-protobuf/dtm/trace-event/type.js +1 -1
  501. package/lib/reporter/translations/to-protobuf/dtm/untrusted-deserialization-details.js +1 -1
  502. package/lib/reporter/translations/to-protobuf/dtm/user-input.js +1 -1
  503. package/lib/reporter/translations/to-protobuf/dtm/virtual-patch-details.js +1 -1
  504. package/lib/reporter/translations/to-protobuf/dtm/xss-details.js +1 -1
  505. package/lib/reporter/translations/to-protobuf/dtm/xxe-details.js +1 -1
  506. package/lib/reporter/translations/to-protobuf/index.js +1 -1
  507. package/lib/reporter/translations/to-protobuf/settings/application-settings.js +1 -1
  508. package/lib/reporter/translations/to-protobuf/settings/assess-features.js +1 -1
  509. package/lib/reporter/translations/to-protobuf/settings/auth.js +1 -1
  510. package/lib/reporter/translations/to-protobuf/settings/bot-blocker.js +1 -1
  511. package/lib/reporter/translations/to-protobuf/settings/custom-rule-feature.js +1 -1
  512. package/lib/reporter/translations/to-protobuf/settings/defend-features.js +9 -7
  513. package/lib/reporter/translations/to-protobuf/settings/exclusions.js +6 -5
  514. package/lib/reporter/translations/to-protobuf/settings/index.js +1 -1
  515. package/lib/reporter/translations/to-protobuf/settings/input-analysis-result.js +1 -1
  516. package/lib/reporter/translations/to-protobuf/settings/inventory-features.js +1 -1
  517. package/lib/reporter/translations/to-protobuf/settings/ip-filter.js +1 -1
  518. package/lib/reporter/translations/to-protobuf/settings/log-enhancer.js +1 -1
  519. package/lib/reporter/translations/to-protobuf/settings/protection-rule.js +1 -1
  520. package/lib/reporter/translations/to-protobuf/settings/reaction.js +1 -1
  521. package/lib/reporter/translations/to-protobuf/settings/rule-definition.js +1 -1
  522. package/lib/reporter/translations/to-protobuf/settings/sampling.js +1 -1
  523. package/lib/reporter/translations/to-protobuf/settings/server-features.js +1 -1
  524. package/lib/reporter/translations/to-protobuf/settings/syslog.js +1 -1
  525. package/lib/reporter/translations/to-protobuf/settings/virtual-patch.js +1 -1
  526. package/lib/reporter/ts-reporter.js +1 -1
  527. package/lib/tracker.js +14 -66
  528. package/lib/util/base64.js +1 -1
  529. package/lib/util/bitset.js +1 -1
  530. package/lib/util/block-request.js +1 -1
  531. package/lib/util/callback-resolver.js +1 -1
  532. package/lib/util/clean-stack.js +1 -1
  533. package/lib/util/clean-string/brackets.js +1 -1
  534. package/lib/util/clean-string/clean-string-base.js +1 -1
  535. package/lib/util/clean-string/comments.js +1 -1
  536. package/lib/util/clean-string/concatenations.js +1 -1
  537. package/lib/util/clean-string/jsclean-string.js +1 -1
  538. package/lib/util/clean-string/placeholders.js +1 -1
  539. package/lib/util/clean-string/util.js +1 -1
  540. package/lib/util/colors.js +1 -1
  541. package/lib/util/file-finder.js +1 -1
  542. package/lib/util/heap-dump.js +1 -1
  543. package/lib/util/html-util.js +1 -1
  544. package/lib/util/ip-analyzer.js +1 -1
  545. package/lib/util/is-agent-path.js +1 -1
  546. package/lib/util/is-contrast-error.js +1 -1
  547. package/lib/util/is-piped-to-dev.js +1 -1
  548. package/lib/util/is-string.js +1 -1
  549. package/lib/util/partial.js +1 -1
  550. package/lib/util/pkg-name.js +1 -1
  551. package/lib/util/request-util.js +1 -1
  552. package/lib/util/resolve-obj.js +1 -1
  553. package/lib/util/route-info.js +1 -1
  554. package/lib/util/some.js +1 -1
  555. package/lib/util/source-map.js +4 -4
  556. package/lib/util/static-rules.js +1 -1
  557. package/lib/util/trace-util.js +1 -1
  558. package/lib/util/traverse.js +1 -1
  559. package/lib/util/user-input-evaluator.js +1 -1
  560. package/lib/util/xml-analyzer/external-entity-finder.js +1 -1
  561. package/package.json +7 -6
  562. package/perf-logs.js +1 -1
  563. package/lib/protect/rules/nosqli/no-sql-injection-rule.js +0 -109
package/lib/core/arch-components/dynamodbv3.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/arch-components/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -18,3 +18,4 @@ require('./sqlite3');
18
18
  require('./postgres');
19
19
  require('./dynamodb');
20
20
  require('./dynamodbv3');
21
+ require('./rethinkdb');
package/lib/core/arch-components/mongodb.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -28,25 +28,29 @@ ModuleHook.resolve(
28
28
  patchType: PATCH_TYPES.ARCH_COMPONENT,
29
29
  alwaysRun: true,
30
30
  post(ctx) {
31
- try {
32
- const { servers = [] } = this.s.options;
33
- if (servers.length === 0) {
34
- logger.warn('Unable to find any MongoDB servers\n');
35
- }
36
- for (const server of servers) {
37
- agentEmitter.emit('architectureComponent', {
38
- vendor: 'MongoDB',
39
- url: `mongodb://${server.host}`,
40
- remoteHost: '',
41
- remotePort: server.port
42
- });
43
- }
44
- } catch (err) {
45
- logger.warn(
46
- 'unable to report MongoDB architecture component\n%o',
47
- err
48
- );
31
+ if (!ctx.result || !ctx.result.then) {
32
+ return;
49
33
  }
34
+
35
+ // We should report only when connection is successful
36
+ ctx.result.then(function(client) {
37
+ try {
38
+ const { servers = [] } = ctx.obj.s && ctx.obj.s.options;
39
+ for (const server of servers) {
40
+ agentEmitter.emit('architectureComponent', {
41
+ vendor: 'MongoDB',
42
+ url: `mongodb://${server.host}:${server.port}`,
43
+ remoteHost: '',
44
+ remotePort: server.port
45
+ });
46
+ }
47
+ } catch (err) {
48
+ logger.warn(
49
+ 'unable to report MongoDB architecture component\n%o',
50
+ err
51
+ );
52
+ }
53
+ });
50
54
  }
51
55
  });
52
56
  }
package/lib/core/arch-components/mysql.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/arch-components/postgres.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -26,15 +26,33 @@ ModuleHook.resolve({ name: 'pg', file: 'lib/client.js' }, (pgClient) =>
26
26
  alwaysRun: true,
27
27
  post(wrapCtx) {
28
28
  try {
29
- const { host, port } = wrapCtx.result;
29
+ const {
30
+ host = process.env.PGHOST,
31
+ port = process.env.PGPORT
32
+ } = wrapCtx.result;
33
+
34
+ if (!host) {
35
+ return;
36
+ }
37
+
38
+ let url = host;
39
+
40
+ // build protocol and port into url prior to parsing
41
+ if (url.indexOf('://') === -1) {
42
+ url = `postgresql://${url}`;
43
+ }
44
+ if (port !== undefined) {
45
+ url = `${url}:${port}`;
46
+ }
47
+
30
48
  agentEmitter.emit('architectureComponent', {
31
49
  vendor: 'PostgreSQL',
32
50
  remotePort: port || 0,
33
- url: new URL(host).toString()
51
+ url: new URL(url).toString()
34
52
  });
35
53
  } catch (err) {
36
54
  logger.warn(
37
- 'unable to report PostgreSQL architecture component\n',
55
+ 'unable to report PostgreSQL architecture component\n%o',
38
56
  err
39
57
  );
40
58
  }
package/lib/core/arch-components/rethinkdb.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/arch-components/sqlite3.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -13,6 +13,7 @@ Copyright: 2021 Contrast Security, Inc
13
13
  way not consistent with the End User License Agreement.
14
14
  */
15
15
  'use strict';
16
+
16
17
  const patcher = require('../../hooks/patcher');
17
18
  const ModuleHook = require('../../hooks/require');
18
19
  const agentEmitter = require('../../agent-emitter');
@@ -26,17 +27,14 @@ ModuleHook.resolve({ name: 'sqlite3' }, (sqlite3) => {
26
27
  alwaysRun: true,
27
28
  post(wrapCtx) {
28
29
  try {
29
- // can either be a path to a file or `:memory:'.
30
- const url = new URL(wrapCtx.args[0]).toString();
31
-
32
30
  agentEmitter.emit('architectureComponent', {
33
31
  vendor: 'SQLite3',
34
- url,
32
+ url: wrapCtx.args[0],
35
33
  remoteHost: '',
36
34
  remotePort: 0
37
35
  });
38
36
  } catch (err) {
39
- logger.warn('unable to report SQLite3 architecture component\n', err);
37
+ logger.warn('unable to report SQLite3 architecture component\n%o', err);
40
38
  }
41
39
  }
42
40
  });
package/lib/core/async-storage/context.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/async-storage/hooks/bluebird.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/async-storage/hooks/mongodb-core.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/async-storage/hooks/mysql.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/async-storage/hooks/redis.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/async-storage/hooks/utils.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/async-storage/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/async-storage/scopes/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/common/formidable.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/common/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/config/options.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -33,7 +33,8 @@ Copyright: 2021 Contrast Security, Inc
33
33
  * @module lib/core/config/options
34
34
  */
35
35
  'use strict';
36
- const program = require('commander');
36
+ const { Command, Option } = require('commander');
37
+ const program = new Command();
37
38
  const os = require('os');
38
39
  const url = require('url');
39
40
  const path = require('path');
@@ -284,7 +285,7 @@ const agent = [
284
285
  {
285
286
  name: 'agent.node.array_request_sampling.enable',
286
287
  arg: '[false]',
287
- default: true,
288
+ default: false,
288
289
  fn: castBoolean,
289
290
  desc: 'enable sampling of array members for dataflow'
290
291
  },
@@ -486,6 +487,12 @@ const agent = [
486
487
  desc:
487
488
  'set limit for stack trace size (larger limits will improve accuracy but increase memory usage)'
488
489
  },
490
+ {
491
+ name: 'agent.traverse_and_track',
492
+ arg: '<traverse-and-track>',
493
+ default: false,
494
+ desc: 'source membrane alternative'
495
+ },
489
496
  {
490
497
  name: 'agent.polling.app_activity_ms',
491
498
  arg: '<ms>',
@@ -967,6 +974,16 @@ if (process.env.CONTRAST_DEV) {
967
974
  }
968
975
  ];
969
976
  }
977
+ const sails = [
978
+ {
979
+ name: 'pathToSails',
980
+ arg: '<path>',
981
+ },
982
+ {
983
+ name: 'gdsrc',
984
+ arg: '<path>',
985
+ }
986
+ ];
970
987
 
971
988
  const options = [].concat(
972
989
  misc,
@@ -1008,6 +1025,23 @@ options.forEach((option) => {
1008
1025
  program.option(name, option.desc);
1009
1026
  });
1010
1027
 
1028
+ // In NODE-2059 it was discovered that a module was appending config options that the
1029
+ // agent didn't recognize and was causing the application to not load properly.
1030
+ // The agent doesn't need to do anything with these options. It just needs to not
1031
+ // throw an error when it encounters them but we also don't need them displayed on
1032
+ // the agent's config option list. The newest version of Commander lets us do exactly this.
1033
+ // This is structured so that if anything like this is discovered again, they can be
1034
+ // added in easily.
1035
+ const hiddenOptions = [].concat(
1036
+ sails
1037
+ )
1038
+
1039
+ hiddenOptions.forEach((option) => {
1040
+ program.addOption(
1041
+ new Option(`--${option.name} ${option.arg}`).hideHelp()
1042
+ )
1043
+ });
1044
+
1011
1045
  function getDefault(optionName) {
1012
1046
  let option;
1013
1047
  options.forEach((entry) => {
package/lib/core/config/util.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/exclusions/exclusion-factory.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/exclusions/exclusion.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -31,12 +31,9 @@ class Exclusion {
31
31
  return this.assess && this.appliesToRule(id, this.assessmentRulesList);
32
32
  }
33
33
 
34
+ // When an exclusion applies to all rules, its rules list is empty
34
35
  appliesToRule(id, list) {
35
- // When an exclusion applies to all rules, its rules list is empty
36
- const appliesToAllRules = list.length === 0;
37
- const appliesToRuleId = list.includes(id);
38
-
39
- return appliesToAllRules || appliesToRuleId;
36
+ return list.length === 0 || list.includes(id);
40
37
  }
41
38
 
42
39
  appliesToAllAssessRules() {
package/lib/core/exclusions/input.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/exclusions/url.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/express/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -120,6 +120,24 @@ class ExpressFramework {
120
120
  }
121
121
  }
122
122
  });
123
+
124
+ patcher.patch(express.response, 'push', {
125
+ name: 'express.response.push',
126
+ patchType: PATCH_TYPES.PROTECT_SINK,
127
+ pre(data) {
128
+ agentEmitter.emit(
129
+ EVENTS.REQUEST_SEND,
130
+ data.args[0],
131
+ SINK_TYPES.RESPONSE_BODY
132
+ );
133
+
134
+ const body = data.args[0];
135
+ if (isString(body)) {
136
+ emitSendEvent(body.valueOf());
137
+ }
138
+ }
139
+ });
140
+
123
141
  patcher.patch(express.response, 'end', {
124
142
  name: 'express.response.end',
125
143
  patchType: PATCH_TYPES.PROTECT_SINK,
@@ -310,7 +328,9 @@ class ExpressFramework {
310
328
  }, 'textParser');
311
329
 
312
330
  this.useAfter(function ContrastBodyParsed(req, res, next) {
313
- agentEmitter.emit(EVENTS.BODY_PARSED, req, res, INPUT_TYPES.BODY);
331
+ agentEmitter.emit(EVENTS.BODY_PARSED, req, res, {
332
+ type: INPUT_TYPES.BODY
333
+ });
314
334
  next();
315
335
  }, 'urlencodedParser');
316
336
 
@@ -356,7 +376,7 @@ class ExpressFramework {
356
376
  const self = this;
357
377
 
358
378
  // Hook the request handler so that we can access the top of each route.
359
- // This is the only place the "params" hash is avaible
379
+ // This is the only place the "params" hash is available
360
380
  const Layer = ExpressFramework.getStack(app)[0].constructor;
361
381
  const _handle = Layer.prototype.handle_request;
362
382
  if (_handle) {
@@ -399,9 +419,12 @@ class ExpressFramework {
399
419
 
400
420
  Whatever the core issue is, it doesn't appear to have any effects
401
421
  elsewhere in any of our Express/Kraken framework support.
422
+
423
+ BODY_PARSED event is emitted to support Sails framework
402
424
  */
403
425
  if (req.body) {
404
426
  decorateRequest({ body: req.body });
427
+ agentEmitter.emit(EVENTS.BODY_PARSED, req, res, req.body);
405
428
  }
406
429
  }
407
430
  });
package/lib/core/express/utils.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -33,7 +33,7 @@ const {
33
33
 
34
34
  const EVENTS = {
35
35
  REQUEST_READY: 'Express.RequestReady',
36
- BODY_PARSED: 'Express.cookiesParsed',
36
+ BODY_PARSED: 'Express.bodyParsed',
37
37
  COOKIES_PARSED: 'Express.cookiesParsed',
38
38
  PARAMS_PARSED: 'Express.paramsParsed',
39
39
  REQUEST_SEND: 'Express.requestSend',
@@ -246,7 +246,9 @@ const captureSignature = (layer, signature) => {
246
246
  const normalizeSignatureArg = (arg) => {
247
247
  // we weave in middleware for express that is prefixed with Contrast
248
248
  // remove this from signature
249
- if (typeof arg === 'function' && arg.name.startsWith('Contrast')) {
249
+ if (arg === '') {
250
+ return null;
251
+ } else if (typeof arg === 'function' && arg.name.startsWith('Contrast')) {
250
252
  return null;
251
253
  } else if (typeof arg === 'function') {
252
254
  return getHandlerName(arg);
@@ -313,8 +315,11 @@ const updateRouterSignatures = (self, router, path) => {
313
315
  return;
314
316
  }
315
317
  const routePath = _.get(route, 'path', '');
316
- const routeHandle = _.get(route, 'stack[0].handle');
318
+ const routeHandle = _.get(route, 'stack[0].handle', '');
317
319
  const routeMethod = _.get(route, 'stack[0].method');
320
+ if (!routeMethod) {
321
+ return;
322
+ }
318
323
  const newSignature = createSignature(self, 'Router', routeMethod, [
319
324
  path,
320
325
  routePath,
package/lib/core/fastify/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/fastify/utils.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/hapi/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/hapi/utils.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/koa/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/koa/utils.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/logger/daily-rotate-file.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/logger/dataflow-monitor.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/logger/debug-logger.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/logger/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/logger/perf-logger.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/logger/umbrella-logger.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/loopback4/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/metrics/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/restify/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/restify/utils.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/rewrite/assignment-expression.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/rewrite/binary-expression.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/rewrite/call-expression.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/rewrite/callees.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5