@contrast/agent 4.8.0 → 4.10.1

package/lib/core/rewrite/import-declaration.js

@@ -0,0 +1,71 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const t = require('@babel/types');
+const _ = require('lodash');
+
+const IMPORT_META_URL_MEMBER_EXPRESSION = t.memberExpression(
+  t.memberExpression(t.identifier('import'), t.identifier('meta')),
+  t.identifier('url')
+);
+
+/**
+ * Appends calls to our own instrumentable import methods, providing access to
+ * the imported modules.
+ * ```
+ * import x from 'mod';
+ * // becomes:
+ * import x from 'mod';
+ * ContrastMethods.__importDefault(x, 'mod', import.meta.url);
+ *
+ * import * as x from 'mod';
+ * // becomes:
+ * import x from 'mod';
+ * ContrastMethods.__importNamespace(x, 'mod', import.meta.url);
+ *
+ * import { foo, bar as baz } from 'mod';;
+ * // becomes
+ * ContrastMethods.__import(foo, 'foo', 'mod', import.meta.url);
+ * ContrastMethods.__import(baz, 'bar', 'mod', import.meta.url);
+ * ```
+ * @param {import('@babel/traverse').NodePath<import('@babel/types').ImportDeclaration>} path
+ * @param {import('.').State} state
+ */
+module.exports = function ImportDeclaration(path, state) {
+  const { source, specifiers } = path.node;
+
+  path.insertAfter(
+    specifiers.map((importSpec) => {
+      const spec = _.find(state.specs, { type: importSpec.type });
+      if (!spec || !state.callees[spec.name]) return;
+
+      const args = [importSpec.local];
+
+      if (t.isImportSpecifier(importSpec)) {
+        args.push(
+          t.isIdentifier(importSpec.imported)
+            ? t.stringLiteral(importSpec.imported.name)
+            : importSpec.imported
+        );
+      }
+
+      args.push(source);
+      args.push(IMPORT_META_URL_MEMBER_EXPRESSION);
+
+      return t.callExpression(state.callees[spec.name], args);
+    })
+  );
+};

package/lib/core/rewrite/index.js

@@ -18,23 +18,24 @@ const { default: generate } = require('@babel/generator');
 const { parse } = require('@babel/parser');
 const { default: traverse } = require('@babel/traverse');
 
+const RewriteDeadzones = require('../../assess/deadzones/rewrite');
+const { util: sourceMapUtility } = require('../../util/source-map');
 const Scopes = require('../async-storage/scopes');
 const logger = require('../logger')('contrast:rewrite');
-const RewriteDeadzones = require('../../assess/deadzones/rewrite');
-const logRewrite = require('./log');
-const RewriteLog = require('./rewrite-log');
-const isContrastMethod = require('./is-contrast-method');
-const functionWrap = require('./function-wrap');
-const prependGlobals = require('./prepend-globals');
 const AssignmentExpression = require('./assignment-expression');
 const BinaryExpression = require('./binary-expression');
 const CallExpression = require('./call-expression');
 const CatchClause = require('./catch-clause');
+const functionWrap = require('./function-wrap');
+const ImportDeclaration = require('./import-declaration');
+const isContrastMethod = require('./is-contrast-method');
+const logRewrite = require('./log');
 const MemberExpression = require('./member-expression');
 const ObjectProperty = require('./object-property');
+const prependGlobals = require('./prepend-globals');
+const RewriteLog = require('./rewrite-log');
 const SwitchStatement = require('./switch-statement');
 const TemplateLiteral = require('./template-literal');
-const sourceMapUtility = require('../../util/source-map').util;
 
 /**
  * @typedef {Object} State
@@ -105,6 +106,7 @@ class Rewriter {
         BinaryExpression,
         CallExpression,
         CatchClause,
+        ImportDeclaration,
         MemberExpression,
         ObjectProperty,
         SwitchStatement,

package/lib/core/rewrite/injections.js

@@ -100,7 +100,11 @@ const ContrastMethods = new Injection(null, 'ContrastMethods', {
   },
   __contrastEval: function __contrastEval(str) {
     return str;
-  }
+  },
+  // TODO: NODE-2020
+  __importDefault(mod, source, url) {},
+  __importNamespace(mod, source, url) {},
+  __import(mod, spec, source, url) {}
 });
 
 ContrastMethods.enable();

package/lib/hooks/frameworks/index.js

@@ -16,6 +16,7 @@ Copyright: 2022 Contrast Security, Inc
 
 const Http = require('./http');
 const Http2 = require('./http2');
+const Spdy = require('./spdy');
 const Hapi16 = require('./hapi16');
 
 module.exports = function(agent) {
@@ -23,5 +24,6 @@ module.exports = function(agent) {
   new Http(agent);
   new Http(agent, 'https');
   new Http2(agent);
+  new Spdy(agent);
   new Hapi16(agent);
 };

package/lib/hooks/frameworks/spdy.js

@@ -0,0 +1,87 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const {
+  PATCH_TYPES,
+  HTTP_RESPONSE_HOOKED_METHOD_KEYS,
+  SINK_TYPES
+} = require('../../constants');
+const patcher = require('../patcher');
+const HttpFramework = require('./http');
+const { isString } = require('../../util/is-string');
+const { emitSendEvent } = require('../../hooks/frameworks/common');
+const agentEmitter = require('../../agent-emitter');
+
+class SpdyFramework extends HttpFramework {
+  /**
+   * @param {Agent} agent
+   */
+  constructor(agent) {
+    super(agent, 'spdy');
+  }
+
+  /**
+   * @param {import('spdy')} spdy
+   * @returns {import('spdy')}
+   */
+  onRequire(spdy) {
+    patcher.patch(spdy, 'createServer', {
+      name: `${this.id}.createServer`,
+      patchType: PATCH_TYPES.FRAMEWORK,
+      alwaysRun: true,
+      post: ({ args, result }) => {
+        this.handleServerCreate(args, result);
+      }
+    });
+
+    patcher.patch(spdy.response, 'push', {
+      name: 'spdy.response.push',
+      patchType: PATCH_TYPES.FRAMEWORK,
+      pre(data) {
+        agentEmitter.emit(
+          HTTP_RESPONSE_HOOKED_METHOD_KEYS.PUSH,
+          data.args[0],
+          SINK_TYPES.RESPONSE_BODY
+        );
+
+        const body = data.args[0];
+        if (isString(body)) {
+          emitSendEvent(body.valueOf());
+        }
+      }
+    });
+
+    return spdy;
+  }
+
+  /**
+   * Emits a create event for the new Server instance.
+   * @param {any[]} args The arguments passed to the Server constructor
+   * @param {import('net').Server} server The http Server instance
+   */
+  handleServerCreate(args, server) {
+    super.handleServerCreate(args, server);
+
+    patcher.patch(server, 'listen', {
+      name: `${this.id}.SpdyFramework.listen`,
+      patchType: PATCH_TYPES.FRAMEWORK,
+      alwaysRun: true,
+      pre: ({ args, obj }) => this.handleServerListen(args, obj)
+    });
+  }
+}
+
+module.exports = SpdyFramework;

package/lib/hooks/http.js

@@ -195,5 +195,16 @@ module.exports = (agent) => {
       }
     });
   });
+
+  moduleHook.resolve({ name: 'spdy' }, (spdy) => {
+    patcher.patch(spdy, 'createServer', {
+      name: `create-server-spdy-hooks`,
+      patchType: PATCH_TYPES.MISC,
+      alwaysRun: true,
+      post({ result }) {
+        hookServer(result, agent);
+      }
+    });
+  });
 };
 module.exports.hookServer = hookServer;

package/lib/protect/restify/sources.js

@@ -21,6 +21,8 @@ const {
 } = require('../../constants');
 const { emitSourceEvent } = require('../../hooks/frameworks/common');
 const agentEmitter = require('../../agent-emitter');
+const patcher = require('../../hooks/patcher');
+const { PATCH_TYPES } = require('../../constants');
 const {
   utils,
   constants: { EVENTS }
@@ -39,6 +41,39 @@ class RestifyProtectSources {
         EVENTS.CREATE_SERVER,
         this.registerUrlParamsHandler.bind(this)
       );
+      agentEmitter.on(
+        EVENTS.RESTIFY_EXPORT,
+        this.registerQueryParamsHandler.bind(this)
+      );
+    }
+  }
+
+  /**
+   * Patches query parser middleware to wrap the callback argument. Once this
+   * wrapped callback is invoked w/out error we know we can proxy `req.query`.
+   * @param {object} restify
+   */
+  registerQueryParamsHandler(restify) {
+    const {
+      plugins: { queryParser: origQueryParser }
+    } = restify;
+
+    if (origQueryParser) {
+      patcher.patch(restify.plugins, 'queryParser', {
+        name: 'restify.plugins',
+        patchType: PATCH_TYPES.FRAMEWORK,
+        alwaysRun: true,
+        post(data) {
+          patcher.patch(data, 'result', {
+            name: 'restify.plugins.queryParser',
+            patchType: PATCH_TYPES.PROTECT_SOURCE,
+            alwaysRun: true,
+            post(data) {
+              decorateRequest({ query: get(data.args[0], 'query') });
+            }
+          });
+        }
+      });
     }
   }
 

package/lib/protect/rules/nosqli/nosql-injection-rule.js

@@ -26,9 +26,11 @@ const brackets = /\[(.{1,1024}?)\]/;
 const child = /\[(.{1,1024}?)\]/g;
 
 const MONGODB = 'mongodb';
+const RETHINKDB = 'rethinkdb';
 
 const ScannerKit = new Map([
-  [MONGODB, () => require('../nosqli/nosql-scanner').create('MongoDB')]
+  [MONGODB, () => require('../nosqli/nosql-scanner').create('MongoDB')],
+  [RETHINKDB, () => require('../nosqli/nosql-scanner').create('RethinkDB')]
 ]);
 const SubstringFinder = require('../base-scanner/substring-finder');
 
@@ -144,27 +146,14 @@ class NoSqlInjectionRule extends require('../') {
       _documentType === constants.INPUT_TYPES.PARAMETER_NAME &&
       _documentPath.length <= 1024
     ) {
-      let segment = brackets.exec(_documentPath);
-      const parent = segment
-        ? _documentPath.slice(0, segment.index)
-        : _documentPath;
-
-      pathArray.push('query');
-
-      if (parent) {
-        pathArray.push(parent);
-      }
-      while ((segment = child.exec(_documentPath))) {
-        pathArray.push(segment[1]);
-      }
-      pathArray.pop();
+      this.buildPathArray(_documentPath, pathArray);
     } else {
       // only qs params and body are "expandable"
       pathArray.push('body', ..._documentPath.split('.'));
     }
 
     let data;
-    let curr = ctx.req;
+    let curr = ctx.request;
 
     for (const path of pathArray) {
       if (curr) {
@@ -175,6 +164,31 @@ class NoSqlInjectionRule extends require('../') {
     return data;
   }
 
+  buildPathArray(documentPath, pathArray) {
+    const documentPathArray = documentPath.split('.');
+
+    pathArray.push('query');
+    documentPathArray.forEach((dotSegment) => {
+      let lastChar;
+      let bracketSegment = brackets.exec(dotSegment);
+      let parent = bracketSegment
+        ? dotSegment.slice(0, bracketSegment.index)
+        : dotSegment;
+      if (parent) {
+        lastChar = parent.slice(-1);
+        parent = lastChar === ']' ? parent.slice(0, -1) : parent;
+        pathArray.push(parent);
+      }
+      while ((bracketSegment = child.exec(dotSegment))) {
+        lastChar = bracketSegment[1].slice(-1);
+        const segment =
+          lastChar === ']' ? bracketSegment[1].slice(0, -1) : bracketSegment[1];
+        pathArray.push(segment);
+      }
+    });
+    pathArray.pop();
+  }
+
   getScanner(id) {
     if (!ScannerKit.has(id)) {
       throw new Error(`Unknown NoSQL scanner: ${id}`);

package/lib/protect/rules/nosqli/nosql-scanner/index.js

@@ -33,7 +33,7 @@ module.exports = {
 
     const databases = {
       MongoDB: () => new (require('./mongodbscanner'))(options),
-
+      RethinkDB: () => new (require('./rethinkdbscanner'))(options),
       [ERROR_KEY]: () => {
         throw new Error();
       }

package/lib/protect/rules/nosqli/nosql-scanner/rethinkdbscanner.js

@@ -0,0 +1,26 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+/**
+ * RethinkDB scanner module
+ * @module lib/protect/rules/nosql/nosql-scanner/RethinkDBScanner
+ */
+
+'use strict';
+
+const { BaseScanner } = require('../../base-scanner');
+
+class RethinkDBScanner extends BaseScanner {}
+
+module.exports = RethinkDBScanner;

package/lib/protect/sinks/index.js

@@ -29,6 +29,7 @@ const MongoDBSink = require('./mongodb');
 const MySQLSink = require('./mysql');
 const NodeSerializeSink = require('./node-serialize');
 const PostgresSink = require('./postgres');
+const RethinkDBSink = require('./rethinkdb');
 const SequelizeSink = require('./sequelize');
 const Sqlite3Sink = require('./sqlite3');
 const VMSink = require('./vm');
@@ -46,6 +47,7 @@ module.exports = function init(agent) {
   new MySQLSink(agent).install({ ModuleHook });
   new NodeSerializeSink(agent).install({ ModuleHook });
   new PostgresSink(agent).install({ ModuleHook });
+  new RethinkDBSink(agent).install({ ModuleHook });
   new SequelizeSink(agent).install({ ModuleHook });
   new VMSink(agent).install({ ModuleHook });
   new Sqlite3Sink(agent).install({ ModuleHook });

package/lib/protect/sinks/mongodb.js

@@ -21,8 +21,6 @@ const BaseSensor = require('../../hooks/frameworks/base');
 const patcher = require('../../hooks/patcher');
 const { PATCH_TYPES } = require('../../constants');
 const { emitSinkEvent } = require('../../hooks/frameworks/common');
-const agentEmitter = require('../../agent-emitter');
-const SinkEvent = require('../models/sink-event');
 
 const { SINK_TYPES } = constants;
 const ID = 'mongodb';
@@ -37,7 +35,7 @@ function getCursorQueryData(args, version) {
   }
 
   if (_.isString(query)) {
-    return query.toString()
+    return query.toString();
   }
 
   if (query['$where']) {

package/lib/protect/sinks/rethinkdb.js

@@ -0,0 +1,47 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const constants = require('../../constants');
+const BaseSensor = require('../../hooks/frameworks/base');
+const patcher = require('../../hooks/patcher');
+const { PATCH_TYPES } = require('../../constants');
+const { emitSinkEvent } = require('../../hooks/frameworks/common');
+
+const { SINK_TYPES } = constants;
+const ID = 'rethinkdb';
+
+class RethinkDBSensor extends BaseSensor {
+  constructor(agent) {
+    super({ id: ID, agent });
+  }
+
+  install({ ModuleHook }) {
+    ModuleHook.resolve({ name: 'rethinkdb' }, (rethinkdb) => {
+      patcher.patch(rethinkdb, 'js', {
+        alwaysRun: true,
+        name: 'rethinkdb',
+        patchType: PATCH_TYPES.PROTECT_SINK,
+        pre: (data) => {
+          emitSinkEvent(data.args[0], SINK_TYPES.NOSQL_QUERY, ID);
+        }
+      });
+    });
+
+    return this;
+  }
+}
+
+module.exports = RethinkDBSensor;

package/lib/reporter/translations/to-protobuf/dtm/trace-event/index.js

@@ -48,9 +48,9 @@ module.exports = function TraceEvent(event = {}) {
     16: ret, //          17           ret
     17: args, //         18          args
     18: stack, //        19         stack
-    19: eventSources, // 10 event_sources
-    20: event.source, // 11        source
-    21: event.target, // 12        target
-    22: taintRanges //   13  taint_ranges
+    19: eventSources, // 20 event_sources
+    20: event.source, // 21        source
+    21: event.target, // 22        target
+    22: taintRanges //   23  taint_ranges
   });
 };

package/lib/util/source-map.js

@@ -156,9 +156,9 @@ class SourceMapUtility {
    * @returns {string}          fixed filename with full path
    */
   replaceSource(original, source) {
-    const origName = path.basename(original);
-
-    return original.replace(origName, source);
+    return original === source
+      ? original
+      : original.replace(path.basename(original), source);
   }
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.8.0",
+  "version": "4.10.1",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",
@@ -19,7 +19,13 @@
     "Griffin Yourick",
     "Ati Ok",
     "Pat McClory",
-    "Michael Woytowitz"
+    "Michael Woytowitz",
+    "Jacob Kaplan",
+    "Yulia Tenincheva",
+    "Bruce MacNaughton",
+    "Krasen Penchev",
+    "Ivaylo Grahlyov",
+    "Yavor Stoychev"
   ],
   "scripts": {
     "docs": "jsdoc -c ../.jsdoc.json",
@@ -72,10 +78,10 @@
     "@babel/types": "^7.12.1",
     "@contrast/distringuish-prebuilt": "^2.2.0",
     "@contrast/flat": "^4.1.1",
-    "@contrast/fn-inspect": "^2.4.2",
+    "@contrast/fn-inspect": "^2.4.4",
     "@contrast/heapdump": "^1.1.0",
-    "@contrast/protobuf-api": "^3.2.0",
-    "@contrast/require-hook": "^2.0.6",
+    "@contrast/protobuf-api": "^3.2.3",
+    "@contrast/require-hook": "^2.0.8",
     "@contrast/synchronous-source-maps": "^1.1.0",
     "amqp-connection-manager": "^3.2.2",
     "amqplib": "^0.8.0",
@@ -83,7 +89,7 @@
     "bluebird": "^3.5.3",
     "builtin-modules": "^3.2.0",
     "cls-hooked": "^4.2.2",
-    "commander": "^5.0.0",
+    "commander": "^8.3.0",
     "content-security-policy-parser": "^0.2.0",
     "cookie": "^0.3.1",
     "crc-32": "^1.0.0",
@@ -109,7 +115,7 @@
     "@bmacnaughton/string-generator": "^1.0.0",
     "@contrast/eslint-config": "^2.0.1",
     "@contrast/fake-module": "file:test/mock/contrast-fake",
-    "@contrast/screener-service": "^1.12.8",
+    "@contrast/screener-service": "^1.12.9",
     "@hapi/boom": "file:test/mock/boom",
     "@hapi/hapi": "file:test/mock/hapi",
     "@ls-lint/ls-lint": "^1.8.1",
@@ -125,8 +131,8 @@
     "codecov": "^3.7.0",
     "config": "^3.3.3",
     "csv-writer": "^1.2.0",
-    "deasync": "^0.1.20",
-    "dustjs-linkedin": "^3.0.0",
+    "deasync": "^0.1.24",
+    "dustjs-linkedin": "^3.0.1",
     "ejs": "^3.1.6",
     "escape-html": "^1.0.3",
     "eslint": "^8.2.0",
@@ -142,13 +148,13 @@
     "husky": "^6.0.0",
     "inquirer": "^8.1.2",
     "joi": "^17.4.0",
-    "jsdoc": "^3.6.7",
+    "jsdoc": "^3.6.10",
     "libxmljs": "file:test/mock/libxmljs",
     "libxmljs2": "file:test/mock/libxmljs2",
     "lint-staged": "^12.0.2",
     "madge": "^4.0.1",
     "marsdb": "file:test/mock/marsdb",
-    "mocha": "^9.1.3",
+    "mocha": "^9.2.0",
     "mochawesome": "^7.0.1",
     "mongodb": "file:test/mock/mongodb",
     "mongodb-npm": "npm:mongodb@^3.6.5",
@@ -156,7 +162,7 @@
     "mustache": "^3.0.1",
     "mysql": "file:test/mock/mysql",
     "nock": "^12.0.3",
-    "node-fetch": "^2.6.1",
+    "node-fetch": "^2.6.7",
     "node-serialize": "file:test/mock/node-serialize",
     "npm-license-crawler": "^0.2.1",
     "nyc": "^15.1.0",