npm - @contrast/agent - Versions diffs - 4.7.1 → 4.10.0 - Mend

@contrast/agent 4.7.1 → 4.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (562) hide show

package/lib/assess/spdy/sinks/xss.js ADDED Viewed

@@ -0,0 +1,84 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const agentEmitter = require('../../../agent-emitter');
+const { HTTP_RESPONSE_HOOKED_METHOD_KEYS } = require('../../../constants');
+const policy = require('../../policy');
+const { Signature, CallContext } = require('../../models');
+class SpdyXss {
+  constructor(agent) {
+    this.common = require('../../sinks/common')(agent);
+    this.rules = policy.rules;
+    this.ruleId = 'reflected-xss';
+    this.signature = new Signature({
+      moduleName: 'spdy.response',
+      methodName: 'push',
+      isModule: false
+    });
+    agentEmitter.on(
+      HTTP_RESPONSE_HOOKED_METHOD_KEYS.PUSH,
+      this.checkResult.bind(this)
+    );
+  }
+  /**
+   * checks if an assess rule is enabled in policy
+   */
+  get enabled() {
+    return (
+      this.rules &&
+      this.rules['reflected-xss'] &&
+      this.rules['reflected-xss'].enabled
+    );
+  }
+  checkResult(body) {
+    if (!this.enabled) {
+      return;
+    }
+    const { ruleId, signature } = this;
+    const {
+      isVulnerable,
+      xss: { disallowedTags },
+      requiredTags,
+      report
+    } = this.common;
+    if (
+      isVulnerable({
+        input: body,
+        disallowedTags,
+        requiredTags,
+        ruleId
+      })
+    ) {
+      const ctxt = new CallContext({
+        obj: body,
+        args: [body],
+        result: body,
+        stackOpts: {
+          constructorOpt: agentEmitter.emit
+        }
+      });
+      report({ ruleId, signature, input: body, ctxt });
+    }
+  }
+}
+module.exports = SpdyXss;

package/lib/assess/static/hardcoded.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/technologies/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -31,7 +31,8 @@ const technologies = {
     'fastify',
     'restify',
     'loopback',
-    'kraken-js'
+    'kraken-js',
+    'sails'
   ],
   templating: ['jade', 'ejs', 'nunjucks', 'mustache', 'dust', 'handlebars'],
   loggers: ['winston', 'debug'],

package/lib/assess/utils.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/cli-rewriter/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/constants.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -644,7 +644,8 @@ const REQUIRED_SIGNATURE_KEYS = [
 const HTTP_RESPONSE_HOOKED_METHOD_KEYS = {
   WRITE_HEAD: Symbol('writeHead'),
-  END: Symbol('end')
+  END: Symbol('end'),
+  PUSH: Symbol('push')
 };
 const PATCH_TYPES = {

package/lib/contrast.js CHANGED Viewed

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -178,7 +178,7 @@ contrastAgent.configureGlobalLogger = function(config, args, target = global) {
 function getAgentArgs(options) {
   const agentArgs = {};
-  options.options.forEach((opt) => {
+  program.options.forEach((opt) => {
     if (opt.name() !== 'application.args' && options[opt.name()]) {
       agentArgs[opt.name()] = options[opt.name()];
     }
@@ -243,8 +243,8 @@ contrastAgent.prepare = function(...args) {
     logger.info('Using config file at %s', config.configFile);
     // log the argv before and after modification.
-    logger.info(`Original argv: ${options.rawArgs.join(', ')}`);
-    logger.info(`Modified argv: ${options.args.join(', ')}`);
+    logger.info(`Original argv: ${program.rawArgs.join(', ')}`);
+    logger.info(`Modified argv: ${program.args.join(', ')}`);
     agent.config = config;
     agent.tsFeatureSet.config = config;
@@ -335,12 +335,12 @@ contrastAgent.init = async function(args, isCli = false) {
     // source: args passed to cli, destination: args after cli parsed it
     .action(async function callPrepare(options, commanderArgs = []) {
       // the user app main differs if a runner vs preload
-      script = isCli ? options.args[0] : options.rawArgs[1];
+      script = isCli ? program.args[0] : program.rawArgs[1];
       options.script = script;
       // need to slice off app main in runner mode
       options['application.args'] = isCli
-        ? options.args.slice(1)
-        : options.args;
+        ? program.args.slice(1)
+        : program.args;
       try {
         enabled = await contrastAgent.prepare(options, commanderArgs, isCli);

package/lib/core/arch-components/dynamodb.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/core/arch-components/dynamodbv3.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/core/arch-components/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -18,3 +18,4 @@ require('./sqlite3');
 require('./postgres');
 require('./dynamodb');
 require('./dynamodbv3');
+require('./rethinkdb');

package/lib/core/arch-components/mongodb.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -28,25 +28,29 @@ ModuleHook.resolve(
       patchType: PATCH_TYPES.ARCH_COMPONENT,
       alwaysRun: true,
       post(ctx) {
-        try {
-          const { servers = [] } = this.s.options;
-          if (servers.length === 0) {
-            logger.warn('Unable to find any MongoDB servers\n');
-          }
-          for (const server of servers) {
-            agentEmitter.emit('architectureComponent', {
-              vendor: 'MongoDB',
-              url: `mongodb://${server.host}`,
-              remoteHost: '',
-              remotePort: server.port
-            });
-          }
-        } catch (err) {
-          logger.warn(
-            'unable to report MongoDB architecture component\n%o',
-            err
-          );
+        if (!ctx.result || !ctx.result.then) {
+          return;
         }
+        // We should report only when connection is successful
+        ctx.result.then(function(client) {
+          try {
+            const { servers = [] } = ctx.obj.s && ctx.obj.s.options;
+            for (const server of servers) {
+              agentEmitter.emit('architectureComponent', {
+                vendor: 'MongoDB',
+                url: `mongodb://${server.host}:${server.port}`,
+                remoteHost: '',
+                remotePort: server.port
+              });
+            }
+          } catch (err) {
+            logger.warn(
+              'unable to report MongoDB architecture component\n%o',
+              err
+            );
+          }
+        });
       }
     });
   }

package/lib/core/arch-components/mysql.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/core/arch-components/postgres.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -26,15 +26,33 @@ ModuleHook.resolve({ name: 'pg', file: 'lib/client.js' }, (pgClient) =>
     alwaysRun: true,
     post(wrapCtx) {
       try {
-        const { host, port } = wrapCtx.result;
+        const {
+          host = process.env.PGHOST,
+          port = process.env.PGPORT
+        } = wrapCtx.result;
+        if (!host) {
+          return;
+        }
+        let url = host;
+        // build protocol and port into url prior to parsing
+        if (url.indexOf('://') === -1) {
+          url = `postgresql://${url}`;
+        }
+        if (port !== undefined) {
+          url = `${url}:${port}`;
+        }
         agentEmitter.emit('architectureComponent', {
           vendor: 'PostgreSQL',
           remotePort: port || 0,
-          url: new URL(host).toString()
+          url: new URL(url).toString()
         });
       } catch (err) {
         logger.warn(
-          'unable to report PostgreSQL architecture component\n',
+          'unable to report PostgreSQL architecture component\n%o',
           err
         );
       }

package/lib/core/arch-components/rethinkdb.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/core/arch-components/sqlite3.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -13,6 +13,7 @@ Copyright: 2021 Contrast Security, Inc
   way not consistent with the End User License Agreement.
 */
 'use strict';
 const patcher = require('../../hooks/patcher');
 const ModuleHook = require('../../hooks/require');
 const agentEmitter = require('../../agent-emitter');
@@ -26,17 +27,14 @@ ModuleHook.resolve({ name: 'sqlite3' }, (sqlite3) => {
     alwaysRun: true,
     post(wrapCtx) {
       try {
-        // can either be a path to a file or `:memory:'.
-        const url = new URL(wrapCtx.args[0]).toString();
         agentEmitter.emit('architectureComponent', {
           vendor: 'SQLite3',
-          url,
+          url: wrapCtx.args[0],
           remoteHost: '',
           remotePort: 0
         });
       } catch (err) {
-        logger.warn('unable to report SQLite3 architecture component\n', err);
+        logger.warn('unable to report SQLite3 architecture component\n%o', err);
       }
     }
   });

package/lib/core/async-storage/context.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/core/async-storage/hooks/bluebird.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/core/async-storage/hooks/mongodb-core.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/core/async-storage/hooks/mysql.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/core/async-storage/hooks/redis.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/core/async-storage/hooks/utils.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/core/async-storage/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/core/async-storage/scopes/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/core/common/formidable.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/core/common/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/core/config/options.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -33,7 +33,8 @@ Copyright: 2021 Contrast Security, Inc
  * @module lib/core/config/options
  */
 'use strict';
-const program = require('commander');
+const { Command, Option } = require('commander');
+const program = new Command();
 const os = require('os');
 const url = require('url');
 const path = require('path');
@@ -486,6 +487,18 @@ const agent = [
     desc:
       'set limit for stack trace size (larger limits will improve accuracy but increase memory usage)'
   },
+  {
+    name: 'agent.trust_custom_validators',
+    arg: '<trust-custom-validators>',
+    default: false,
+    desc: `trust incoming strings when they pass custom validators (Mongoose, Joi)`
+  },
+  {
+    name: 'agent.traverse_and_track',
+    arg: '<traverse-and-track>',
+    default: false,
+    desc: 'source membrane alternative'
+  },
   {
     name: 'agent.polling.app_activity_ms',
     arg: '<ms>',
@@ -967,6 +980,16 @@ if (process.env.CONTRAST_DEV) {
     }
   ];
 }
+const sails = [
+  {
+    name: 'pathToSails',
+    arg: '<path>'
+  },
+  {
+    name: 'gdsrc',
+    arg: '<path>'
+  }
+];
 const options = [].concat(
   misc,
@@ -1008,6 +1031,19 @@ options.forEach((option) => {
   program.option(name, option.desc);
 });
+// In NODE-2059 it was discovered that a module was appending config options that the
+// agent didn't recognize and was causing the application to not load properly.
+// The agent doesn't need to do anything with these options. It just needs to not
+// throw an error when it encounters them but we also don't need them displayed on
+// the agent's config option list. The newest version of Commander lets us do exactly this.
+// This is structured so that if anything like this is discovered again, they can be
+// added in easily.
+const hiddenOptions = [].concat(sails);
+hiddenOptions.forEach((option) => {
+  program.addOption(new Option(`--${option.name} ${option.arg}`).hideHelp());
+});
 function getDefault(optionName) {
   let option;
   options.forEach((entry) => {

package/lib/core/config/util.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/core/exclusions/exclusion-factory.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/core/exclusions/exclusion.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -31,12 +31,9 @@ class Exclusion {
     return this.assess && this.appliesToRule(id, this.assessmentRulesList);
   }
+  // When an exclusion applies to all rules, its rules list is empty
   appliesToRule(id, list) {
-    // When an exclusion applies to all rules, its rules list is empty
-    const appliesToAllRules = list.length === 0;
-    const appliesToRuleId = list.includes(id);
-    return appliesToAllRules || appliesToRuleId;
+    return list.length === 0 || list.includes(id);
   }
   appliesToAllAssessRules() {

package/lib/core/exclusions/input.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/core/exclusions/url.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/core/express/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -120,6 +120,24 @@ class ExpressFramework {
         }
       }
     });
+    patcher.patch(express.response, 'push', {
+      name: 'express.response.push',
+      patchType: PATCH_TYPES.PROTECT_SINK,
+      pre(data) {
+        agentEmitter.emit(
+          EVENTS.REQUEST_SEND,
+          data.args[0],
+          SINK_TYPES.RESPONSE_BODY
+        );
+        const body = data.args[0];
+        if (isString(body)) {
+          emitSendEvent(body.valueOf());
+        }
+      }
+    });
     patcher.patch(express.response, 'end', {
       name: 'express.response.end',
       patchType: PATCH_TYPES.PROTECT_SINK,
@@ -310,7 +328,9 @@ class ExpressFramework {
     }, 'textParser');
     this.useAfter(function ContrastBodyParsed(req, res, next) {
-      agentEmitter.emit(EVENTS.BODY_PARSED, req, res, INPUT_TYPES.BODY);
+      agentEmitter.emit(EVENTS.BODY_PARSED, req, res, {
+        type: INPUT_TYPES.BODY
+      });
       next();
     }, 'urlencodedParser');
@@ -356,7 +376,7 @@ class ExpressFramework {
     const self = this;
     // Hook the request handler so that we can access the top of each route.
-    // This is the only place the "params" hash is avaible
+    // This is the only place the "params" hash is available
     const Layer = ExpressFramework.getStack(app)[0].constructor;
     const _handle = Layer.prototype.handle_request;
     if (_handle) {
@@ -377,6 +397,9 @@ class ExpressFramework {
               req[LAYER_STACK].pop();
             }
           });
+          if (req.query) {
+            decorateRequest({ query: req.query });
+          }
           const params = new Object(this.params);
           if (Object.keys(params).length) {
             agentEmitter.emit(
@@ -399,9 +422,12 @@ class ExpressFramework {
             Whatever the core issue is, it doesn't appear to have any effects
             elsewhere in any of our Express/Kraken framework support.
+            BODY_PARSED event is emitted to support Sails framework
            */
           if (req.body) {
             decorateRequest({ body: req.body });
+            agentEmitter.emit(EVENTS.BODY_PARSED, req, res, req.body);
           }
         }
       });