@contrast/agent 4.8.0 → 4.10.1

package/lib/assess/spdy/sinks/index.js

@@ -0,0 +1,23 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const ReflectedXss = require('./xss');
+
+module.exports = class SpdySinks {
+  constructor(agent) {
+    new ReflectedXss(agent);
+  }
+};

package/lib/assess/spdy/sinks/xss.js

@@ -0,0 +1,84 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const agentEmitter = require('../../../agent-emitter');
+const { HTTP_RESPONSE_HOOKED_METHOD_KEYS } = require('../../../constants');
+const policy = require('../../policy');
+const { Signature, CallContext } = require('../../models');
+
+class SpdyXss {
+  constructor(agent) {
+    this.common = require('../../sinks/common')(agent);
+    this.rules = policy.rules;
+    this.ruleId = 'reflected-xss';
+    this.signature = new Signature({
+      moduleName: 'spdy.response',
+      methodName: 'push',
+      isModule: false
+    });
+    agentEmitter.on(
+      HTTP_RESPONSE_HOOKED_METHOD_KEYS.PUSH,
+      this.checkResult.bind(this)
+    );
+  }
+
+  /**
+   * checks if an assess rule is enabled in policy
+   */
+  get enabled() {
+    return (
+      this.rules &&
+      this.rules['reflected-xss'] &&
+      this.rules['reflected-xss'].enabled
+    );
+  }
+
+  checkResult(body) {
+    if (!this.enabled) {
+      return;
+    }
+
+    const { ruleId, signature } = this;
+
+    const {
+      isVulnerable,
+      xss: { disallowedTags },
+      requiredTags,
+      report
+    } = this.common;
+
+    if (
+      isVulnerable({
+        input: body,
+        disallowedTags,
+        requiredTags,
+        ruleId
+      })
+    ) {
+      const ctxt = new CallContext({
+        obj: body,
+        args: [body],
+        result: body,
+        stackOpts: {
+          constructorOpt: agentEmitter.emit
+        }
+      });
+      report({ ruleId, signature, input: body, ctxt });
+    }
+  }
+}
+
+module.exports = SpdyXss;

package/lib/assess/technologies/index.js

@@ -31,7 +31,8 @@ const technologies = {
     'fastify',
     'restify',
     'loopback',
-    'kraken-js'
+    'kraken-js',
+    'sails'
   ],
   templating: ['jade', 'ejs', 'nunjucks', 'mustache', 'dust', 'handlebars'],
   loggers: ['winston', 'debug'],

package/lib/constants.js

@@ -644,7 +644,8 @@ const REQUIRED_SIGNATURE_KEYS = [
 
 const HTTP_RESPONSE_HOOKED_METHOD_KEYS = {
   WRITE_HEAD: Symbol('writeHead'),
-  END: Symbol('end')
+  END: Symbol('end'),
+  PUSH: Symbol('push')
 };
 
 const PATCH_TYPES = {

package/lib/contrast.js

@@ -178,7 +178,7 @@ contrastAgent.configureGlobalLogger = function(config, args, target = global) {
 
 function getAgentArgs(options) {
   const agentArgs = {};
-  options.options.forEach((opt) => {
+  program.options.forEach((opt) => {
     if (opt.name() !== 'application.args' && options[opt.name()]) {
       agentArgs[opt.name()] = options[opt.name()];
     }
@@ -243,8 +243,8 @@ contrastAgent.prepare = function(...args) {
 
     logger.info('Using config file at %s', config.configFile);
     // log the argv before and after modification.
-    logger.info(`Original argv: ${options.rawArgs.join(', ')}`);
-    logger.info(`Modified argv: ${options.args.join(', ')}`);
+    logger.info(`Original argv: ${program.rawArgs.join(', ')}`);
+    logger.info(`Modified argv: ${program.args.join(', ')}`);
 
     agent.config = config;
     agent.tsFeatureSet.config = config;
@@ -335,12 +335,12 @@ contrastAgent.init = async function(args, isCli = false) {
     // source: args passed to cli, destination: args after cli parsed it
     .action(async function callPrepare(options, commanderArgs = []) {
       // the user app main differs if a runner vs preload
-      script = isCli ? options.args[0] : options.rawArgs[1];
+      script = isCli ? program.args[0] : program.rawArgs[1];
       options.script = script;
       // need to slice off app main in runner mode
       options['application.args'] = isCli
-        ? options.args.slice(1)
-        : options.args;
+        ? program.args.slice(1)
+        : program.args;
 
       try {
         enabled = await contrastAgent.prepare(options, commanderArgs, isCli);

package/lib/core/arch-components/index.js

@@ -18,3 +18,4 @@ require('./sqlite3');
 require('./postgres');
 require('./dynamodb');
 require('./dynamodbv3');
+require('./rethinkdb');

package/lib/core/arch-components/mongodb.js

@@ -28,25 +28,29 @@ ModuleHook.resolve(
       patchType: PATCH_TYPES.ARCH_COMPONENT,
       alwaysRun: true,
       post(ctx) {
-        try {
-          const { servers = [] } = this.s.options;
-          if (servers.length === 0) {
-            logger.warn('Unable to find any MongoDB servers\n');
-          }
-          for (const server of servers) {
-            agentEmitter.emit('architectureComponent', {
-              vendor: 'MongoDB',
-              url: `mongodb://${server.host}`,
-              remoteHost: '',
-              remotePort: server.port
-            });
-          }
-        } catch (err) {
-          logger.warn(
-            'unable to report MongoDB architecture component\n%o',
-            err
-          );
+        if (!ctx.result || !ctx.result.then) {
+          return;
         }
+
+        // We should report only when connection is successful
+        ctx.result.then(function(client) {
+          try {
+            const { servers = [] } = ctx.obj.s && ctx.obj.s.options;
+            for (const server of servers) {
+              agentEmitter.emit('architectureComponent', {
+                vendor: 'MongoDB',
+                url: `mongodb://${server.host}:${server.port}`,
+                remoteHost: '',
+                remotePort: server.port
+              });
+            }
+          } catch (err) {
+            logger.warn(
+              'unable to report MongoDB architecture component\n%o',
+              err
+            );
+          }
+        });
       }
     });
   }

package/lib/core/arch-components/mysql.js

@@ -19,6 +19,7 @@ const ModuleHook = require('../../hooks/require');
 const agentEmitter = require('../../agent-emitter');
 const { PATCH_TYPES } = require('../../constants');
 const logger = require('../logger')('contrast:arch-component');
+const waitToConnect = require('./util');
 
 ModuleHook.resolve(
   { name: 'mysql', file: 'lib/Connection.js' },
@@ -28,22 +29,31 @@ ModuleHook.resolve(
       patchType: PATCH_TYPES.ARCH_COMPONENT,
       alwaysRun: true,
       post(wrapCtx) {
-        try {
-          let url = 'mysql://';
-          if (this.config.socketPath) {
-            url += this.config.socketPath;
-          } else {
-            url += `${this.config.host}`;
-          }
-          agentEmitter.emit('architectureComponent', {
-            vendor: 'MySQL',
-            url: new URL(url).toString(),
-            remoteHost: '',
-            remotePort: !this.config.socketPath ? this.config.port : -1
+        waitToConnect(wrapCtx)
+          .then(() => {
+            try {
+              let url = 'mysql://';
+              if (this.config.socketPath) {
+                url += this.config.socketPath;
+              } else {
+                url += `${this.config.host}`;
+              }
+              agentEmitter.emit('architectureComponent', {
+                vendor: 'MySQL',
+                url: new URL(url).toString(),
+                remoteHost: '',
+                remotePort: !this.config.socketPath ? this.config.port : -1
+              });
+            } catch (err) {
+              logger.warn(
+                'unable to report MySQL architecture component\n',
+                err
+              );
+            }
+          })
+          .catch((err) => {
+            logger.warn('unable to report MySQL architecture component\n', err);
           });
-        } catch (err) {
-          logger.warn('unable to report MySQL architecture component\n', err);
-        }
       }
     });
   }

package/lib/core/arch-components/postgres.js

@@ -18,6 +18,7 @@ const ModuleHook = require('../../hooks/require');
 const agentEmitter = require('../../agent-emitter');
 const { PATCH_TYPES } = require('../../constants');
 const logger = require('../logger')('contrast:arch-component');
+const waitToConnect = require('./util');
 
 ModuleHook.resolve({ name: 'pg', file: 'lib/client.js' }, (pgClient) =>
   patcher.patch(pgClient, {
@@ -25,19 +26,46 @@ ModuleHook.resolve({ name: 'pg', file: 'lib/client.js' }, (pgClient) =>
     patchType: PATCH_TYPES.ARCH_COMPONENT,
     alwaysRun: true,
     post(wrapCtx) {
-      try {
-        const { host, port } = wrapCtx.result;
-        agentEmitter.emit('architectureComponent', {
-          vendor: 'PostgreSQL',
-          remotePort: port || 0,
-          url: new URL(host).toString()
+      waitToConnect(wrapCtx)
+        .then(() => {
+          try {
+            const {
+              host = process.env.PGHOST,
+              port = process.env.PGPORT
+            } = wrapCtx.result;
+
+            if (!host) {
+              return;
+            }
+
+            let url = host;
+
+            // build protocol and port into url prior to parsing
+            if (url.indexOf('://') === -1) {
+              url = `postgresql://${url}`;
+            }
+            if (port !== undefined) {
+              url = `${url}:${port}`;
+            }
+
+            agentEmitter.emit('architectureComponent', {
+              vendor: 'PostgreSQL',
+              remotePort: port || 0,
+              url: new URL(url).toString()
+            });
+          } catch (err) {
+            logger.warn(
+              'unable to report PostgreSQL architecture component\n%o',
+              err
+            );
+          }
+        })
+        .catch((err) => {
+          logger.warn(
+            'unable to report PostgreSQL architecture component\n%o',
+            err
+          );
         });
-      } catch (err) {
-        logger.warn(
-          'unable to report PostgreSQL architecture component\n',
-          err
-        );
-      }
     }
   })
 );

package/lib/core/arch-components/sqlite3.js

@@ -13,6 +13,7 @@ Copyright: 2022 Contrast Security, Inc
   way not consistent with the End User License Agreement.
 */
 'use strict';
+
 const patcher = require('../../hooks/patcher');
 const ModuleHook = require('../../hooks/require');
 const agentEmitter = require('../../agent-emitter');
@@ -26,17 +27,14 @@ ModuleHook.resolve({ name: 'sqlite3' }, (sqlite3) => {
     alwaysRun: true,
     post(wrapCtx) {
       try {
-        // can either be a path to a file or `:memory:'.
-        const url = new URL(wrapCtx.args[0]).toString();
-
         agentEmitter.emit('architectureComponent', {
           vendor: 'SQLite3',
-          url,
+          url: wrapCtx.args[0],
           remoteHost: '',
           remotePort: 0
         });
       } catch (err) {
-        logger.warn('unable to report SQLite3 architecture component\n', err);
+        logger.warn('unable to report SQLite3 architecture component\n%o', err);
       }
     }
   });

package/lib/core/arch-components/util.js

@@ -0,0 +1,49 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+const MYSQL = 'mysql.connect.arch_component';
+const POSTGRES = 'pg.Client.arch_component';
+
+module.exports = function waitToConnect(ctx, count = 0) {
+  return new Promise((resolve, reject) => {
+    const maxAttempts = 10 * 60; // i.e., 1 min.
+    const checkConnection = setInterval(
+      function(ctx, resolve, reject) {
+        if (count >= maxAttempts) {
+          clearInterval(checkConnection);
+          reject();
+        }
+        switch (ctx.name) {
+          case MYSQL:
+            if (ctx.obj.state === 'authenticated') {
+              clearInterval(checkConnection);
+              resolve();
+            }
+            break;
+          case POSTGRES:
+            if (ctx.result._connected) {
+              clearInterval(checkConnection);
+              resolve();
+            }
+            break;
+        }
+        count++;
+      },
+      100,
+      ctx,
+      resolve,
+      reject
+    );
+  });
+};

package/lib/core/config/options.js

@@ -33,7 +33,8 @@ Copyright: 2022 Contrast Security, Inc
  * @module lib/core/config/options
  */
 'use strict';
-const program = require('commander');
+const { Command, Option } = require('commander');
+const program = new Command();
 const os = require('os');
 const url = require('url');
 const path = require('path');
@@ -486,6 +487,18 @@ const agent = [
     desc:
       'set limit for stack trace size (larger limits will improve accuracy but increase memory usage)'
   },
+  {
+    name: 'agent.trust_custom_validators',
+    arg: '<trust-custom-validators>',
+    default: false,
+    desc: `trust incoming strings when they pass custom validators (Mongoose, Joi)`
+  },
+  {
+    name: 'agent.traverse_and_track',
+    arg: '<traverse-and-track>',
+    default: false,
+    desc: 'source membrane alternative'
+  },
   {
     name: 'agent.polling.app_activity_ms',
     arg: '<ms>',
@@ -967,6 +980,16 @@ if (process.env.CONTRAST_DEV) {
     }
   ];
 }
+const sails = [
+  {
+    name: 'pathToSails',
+    arg: '<path>'
+  },
+  {
+    name: 'gdsrc',
+    arg: '<path>'
+  }
+];
 
 const options = [].concat(
   misc,
@@ -1008,6 +1031,19 @@ options.forEach((option) => {
   program.option(name, option.desc);
 });
 
+// In NODE-2059 it was discovered that a module was appending config options that the
+// agent didn't recognize and was causing the application to not load properly.
+// The agent doesn't need to do anything with these options. It just needs to not
+// throw an error when it encounters them but we also don't need them displayed on
+// the agent's config option list. The newest version of Commander lets us do exactly this.
+// This is structured so that if anything like this is discovered again, they can be
+// added in easily.
+const hiddenOptions = [].concat(sails);
+
+hiddenOptions.forEach((option) => {
+  program.addOption(new Option(`--${option.name} ${option.arg}`).hideHelp());
+});
+
 function getDefault(optionName) {
   let option;
   options.forEach((entry) => {

package/lib/core/exclusions/exclusion.js

@@ -31,12 +31,9 @@ class Exclusion {
     return this.assess && this.appliesToRule(id, this.assessmentRulesList);
   }
 
+  // When an exclusion applies to all rules, its rules list is empty
   appliesToRule(id, list) {
-    // When an exclusion applies to all rules, its rules list is empty
-    const appliesToAllRules = list.length === 0;
-    const appliesToRuleId = list.includes(id);
-
-    return appliesToAllRules || appliesToRuleId;
+    return list.length === 0 || list.includes(id);
   }
 
   appliesToAllAssessRules() {

package/lib/core/express/index.js

@@ -120,6 +120,24 @@ class ExpressFramework {
         }
       }
     });
+
+    patcher.patch(express.response, 'push', {
+      name: 'express.response.push',
+      patchType: PATCH_TYPES.PROTECT_SINK,
+      pre(data) {
+        agentEmitter.emit(
+          EVENTS.REQUEST_SEND,
+          data.args[0],
+          SINK_TYPES.RESPONSE_BODY
+        );
+
+        const body = data.args[0];
+        if (isString(body)) {
+          emitSendEvent(body.valueOf());
+        }
+      }
+    });
+
     patcher.patch(express.response, 'end', {
       name: 'express.response.end',
       patchType: PATCH_TYPES.PROTECT_SINK,
@@ -310,7 +328,9 @@ class ExpressFramework {
     }, 'textParser');
 
     this.useAfter(function ContrastBodyParsed(req, res, next) {
-      agentEmitter.emit(EVENTS.BODY_PARSED, req, res, INPUT_TYPES.BODY);
+      agentEmitter.emit(EVENTS.BODY_PARSED, req, res, {
+        type: INPUT_TYPES.BODY
+      });
       next();
     }, 'urlencodedParser');
 
@@ -356,7 +376,7 @@ class ExpressFramework {
     const self = this;
 
     // Hook the request handler so that we can access the top of each route.
-    // This is the only place the "params" hash is avaible
+    // This is the only place the "params" hash is available
     const Layer = ExpressFramework.getStack(app)[0].constructor;
     const _handle = Layer.prototype.handle_request;
     if (_handle) {
@@ -377,6 +397,9 @@ class ExpressFramework {
               req[LAYER_STACK].pop();
             }
           });
+          if (req.query) {
+            decorateRequest({ query: req.query });
+          }
           const params = new Object(this.params);
           if (Object.keys(params).length) {
             agentEmitter.emit(
@@ -399,9 +422,12 @@ class ExpressFramework {
 
             Whatever the core issue is, it doesn't appear to have any effects
             elsewhere in any of our Express/Kraken framework support.
+
+            BODY_PARSED event is emitted to support Sails framework
            */
           if (req.body) {
             decorateRequest({ body: req.body });
+            agentEmitter.emit(EVENTS.BODY_PARSED, req, res, req.body);
           }
         }
       });

package/lib/core/express/utils.js

@@ -33,7 +33,7 @@ const {
 
 const EVENTS = {
   REQUEST_READY: 'Express.RequestReady',
-  BODY_PARSED: 'Express.cookiesParsed',
+  BODY_PARSED: 'Express.bodyParsed',
   COOKIES_PARSED: 'Express.cookiesParsed',
   PARAMS_PARSED: 'Express.paramsParsed',
   REQUEST_SEND: 'Express.requestSend',
@@ -246,7 +246,9 @@ const captureSignature = (layer, signature) => {
 const normalizeSignatureArg = (arg) => {
   // we weave in middleware for express that is prefixed with Contrast
   // remove this from signature
-  if (typeof arg === 'function' && arg.name.startsWith('Contrast')) {
+  if (arg === '') {
+    return null;
+  } else if (typeof arg === 'function' && arg.name.startsWith('Contrast')) {
     return null;
   } else if (typeof arg === 'function') {
     return getHandlerName(arg);
@@ -313,8 +315,11 @@ const updateRouterSignatures = (self, router, path) => {
       return;
     }
     const routePath = _.get(route, 'path', '');
-    const routeHandle = _.get(route, 'stack[0].handle');
+    const routeHandle = _.get(route, 'stack[0].handle', '');
     const routeMethod = _.get(route, 'stack[0].method');
+    if (!routeMethod) {
+      return;
+    }
     const newSignature = createSignature(self, 'Router', routeMethod, [
       path,
       routePath,

package/lib/core/fastify/index.js

@@ -154,7 +154,8 @@ class FastifyCore {
     agentEmitter.emit(constants.EVENTS.PRE_VALIDATION, ...data);
     decorateRequest({
       body: request.body,
-      parameters: request.params
+      parameters: request.params,
+      query: request.query
     });
     done();
   }

package/lib/core/hapi/index.js

@@ -173,7 +173,8 @@ class HapiCore {
       decorateRequest({
         normalizedUri: get(request, 'route.path'),
         body: request.payload,
-        parameters: request.params
+        parameters: request.params,
+        query: request.query
       });
       return h.continue;
     });

package/lib/core/koa/index.js

@@ -216,13 +216,21 @@ class KoaCore {
    */
   registerRequestHandler(ctx) {
     ctx.req.request = ctx.request;
+    const { query } = ctx.request;
     ctx.request = new Proxy(ctx.request, {
       set(...args) {
         const [obj, prop] = args;
         const result = Reflect.set(...args);
+        if (query) {
+          decorateRequest({
+            query
+          });
+        }
         switch (prop) {
           case 'body':
-            decorateRequest({ body: obj[prop] });
+            decorateRequest({
+              body: obj[prop]
+            });
             agentEmitter.emit(constants.EVENTS.CTX_REQUEST_BODY, {
               request: obj,
               ctx

package/lib/core/rewrite/callees.js

@@ -67,6 +67,22 @@ const specs = [
     token: 'eval',
     modes: { assess: true, protect: true }
   },
+  // Import Declaration
+  {
+    name: '__importDefault',
+    type: 'ImportDefaultSpecifier',
+    modes: { assess: true, protect: true }
+  },
+  {
+    name: '__importNamespace',
+    type: 'ImportNamespaceSpecifier',
+    modes: { assess: true, protect: true }
+  },
+  {
+    name: '__import',
+    type: 'ImportSpecifier',
+    modes: { assess: true, protect: true }
+  },
   // Member Expression
   {
     name: '__forceCopy',