@contrast/agent 4.8.0 → 4.9.0

package/lib/core/arch-components/postgres.js

@@ -26,15 +26,33 @@ ModuleHook.resolve({ name: 'pg', file: 'lib/client.js' }, (pgClient) =>
     alwaysRun: true,
     post(wrapCtx) {
       try {
-        const { host, port } = wrapCtx.result;
+        const {
+          host = process.env.PGHOST,
+          port = process.env.PGPORT
+        } = wrapCtx.result;
+
+        if (!host) {
+          return;
+        }
+
+        let url = host;
+
+        // build protocol and port into url prior to parsing
+        if (url.indexOf('://') === -1) {
+          url = `postgresql://${url}`;
+        }
+        if (port !== undefined) {
+          url = `${url}:${port}`;
+        }
+
         agentEmitter.emit('architectureComponent', {
           vendor: 'PostgreSQL',
           remotePort: port || 0,
-          url: new URL(host).toString()
+          url: new URL(url).toString()
         });
       } catch (err) {
         logger.warn(
-          'unable to report PostgreSQL architecture component\n',
+          'unable to report PostgreSQL architecture component\n%o',
           err
         );
       }

package/lib/core/arch-components/sqlite3.js

@@ -13,6 +13,7 @@ Copyright: 2022 Contrast Security, Inc
   way not consistent with the End User License Agreement.
 */
 'use strict';
+
 const patcher = require('../../hooks/patcher');
 const ModuleHook = require('../../hooks/require');
 const agentEmitter = require('../../agent-emitter');
@@ -26,17 +27,14 @@ ModuleHook.resolve({ name: 'sqlite3' }, (sqlite3) => {
     alwaysRun: true,
     post(wrapCtx) {
       try {
-        // can either be a path to a file or `:memory:'.
-        const url = new URL(wrapCtx.args[0]).toString();
-
         agentEmitter.emit('architectureComponent', {
           vendor: 'SQLite3',
-          url,
+          url: wrapCtx.args[0],
           remoteHost: '',
           remotePort: 0
         });
       } catch (err) {
-        logger.warn('unable to report SQLite3 architecture component\n', err);
+        logger.warn('unable to report SQLite3 architecture component\n%o', err);
       }
     }
   });

package/lib/core/config/options.js

@@ -33,7 +33,8 @@ Copyright: 2022 Contrast Security, Inc
  * @module lib/core/config/options
  */
 'use strict';
-const program = require('commander');
+const { Command, Option } = require('commander');
+const program = new Command();
 const os = require('os');
 const url = require('url');
 const path = require('path');
@@ -486,6 +487,12 @@ const agent = [
     desc:
       'set limit for stack trace size (larger limits will improve accuracy but increase memory usage)'
   },
+  {
+    name: 'agent.traverse_and_track',
+    arg: '<traverse-and-track>',
+    default: false,
+    desc: 'source membrane alternative'
+  },
   {
     name: 'agent.polling.app_activity_ms',
     arg: '<ms>',
@@ -967,6 +974,16 @@ if (process.env.CONTRAST_DEV) {
     }
   ];
 }
+const sails = [
+  {
+    name: 'pathToSails',
+    arg: '<path>',
+  },
+  {
+    name: 'gdsrc',
+    arg: '<path>',
+  }
+];
 
 const options = [].concat(
   misc,
@@ -1008,6 +1025,23 @@ options.forEach((option) => {
   program.option(name, option.desc);
 });
 
+// In NODE-2059 it was discovered that a module was appending config options that the
+// agent didn't recognize and was causing the application to not load properly.
+// The agent doesn't need to do anything with these options. It just needs to not
+// throw an error when it encounters them but we also don't need them displayed on
+// the agent's config option list. The newest version of Commander lets us do exactly this.
+// This is structured so that if anything like this is discovered again, they can be 
+// added in easily.
+const hiddenOptions = [].concat(
+  sails
+)
+
+hiddenOptions.forEach((option) => {
+  program.addOption(
+    new Option(`--${option.name} ${option.arg}`).hideHelp()
+  )
+});
+
 function getDefault(optionName) {
   let option;
   options.forEach((entry) => {

package/lib/core/exclusions/exclusion.js

@@ -31,12 +31,9 @@ class Exclusion {
     return this.assess && this.appliesToRule(id, this.assessmentRulesList);
   }
 
+  // When an exclusion applies to all rules, its rules list is empty
   appliesToRule(id, list) {
-    // When an exclusion applies to all rules, its rules list is empty
-    const appliesToAllRules = list.length === 0;
-    const appliesToRuleId = list.includes(id);
-
-    return appliesToAllRules || appliesToRuleId;
+    return list.length === 0 || list.includes(id);
   }
 
   appliesToAllAssessRules() {

package/lib/core/express/index.js

@@ -120,6 +120,24 @@ class ExpressFramework {
         }
       }
     });
+
+    patcher.patch(express.response, 'push', {
+      name: 'express.response.push',
+      patchType: PATCH_TYPES.PROTECT_SINK,
+      pre(data) {
+        agentEmitter.emit(
+          EVENTS.REQUEST_SEND,
+          data.args[0],
+          SINK_TYPES.RESPONSE_BODY
+        );
+
+        const body = data.args[0];
+        if (isString(body)) {
+          emitSendEvent(body.valueOf());
+        }
+      }
+    });
+
     patcher.patch(express.response, 'end', {
       name: 'express.response.end',
       patchType: PATCH_TYPES.PROTECT_SINK,
@@ -310,7 +328,9 @@ class ExpressFramework {
     }, 'textParser');
 
     this.useAfter(function ContrastBodyParsed(req, res, next) {
-      agentEmitter.emit(EVENTS.BODY_PARSED, req, res, INPUT_TYPES.BODY);
+      agentEmitter.emit(EVENTS.BODY_PARSED, req, res, {
+        type: INPUT_TYPES.BODY
+      });
       next();
     }, 'urlencodedParser');
 
@@ -356,7 +376,7 @@ class ExpressFramework {
     const self = this;
 
     // Hook the request handler so that we can access the top of each route.
-    // This is the only place the "params" hash is avaible
+    // This is the only place the "params" hash is available
     const Layer = ExpressFramework.getStack(app)[0].constructor;
     const _handle = Layer.prototype.handle_request;
     if (_handle) {
@@ -399,9 +419,12 @@ class ExpressFramework {
 
             Whatever the core issue is, it doesn't appear to have any effects
             elsewhere in any of our Express/Kraken framework support.
+
+            BODY_PARSED event is emitted to support Sails framework
            */
           if (req.body) {
             decorateRequest({ body: req.body });
+            agentEmitter.emit(EVENTS.BODY_PARSED, req, res, req.body);
           }
         }
       });

package/lib/core/express/utils.js

@@ -33,7 +33,7 @@ const {
 
 const EVENTS = {
   REQUEST_READY: 'Express.RequestReady',
-  BODY_PARSED: 'Express.cookiesParsed',
+  BODY_PARSED: 'Express.bodyParsed',
   COOKIES_PARSED: 'Express.cookiesParsed',
   PARAMS_PARSED: 'Express.paramsParsed',
   REQUEST_SEND: 'Express.requestSend',
@@ -246,7 +246,9 @@ const captureSignature = (layer, signature) => {
 const normalizeSignatureArg = (arg) => {
   // we weave in middleware for express that is prefixed with Contrast
   // remove this from signature
-  if (typeof arg === 'function' && arg.name.startsWith('Contrast')) {
+  if (arg === '') {
+    return null;
+  } else if (typeof arg === 'function' && arg.name.startsWith('Contrast')) {
     return null;
   } else if (typeof arg === 'function') {
     return getHandlerName(arg);
@@ -313,8 +315,11 @@ const updateRouterSignatures = (self, router, path) => {
       return;
     }
     const routePath = _.get(route, 'path', '');
-    const routeHandle = _.get(route, 'stack[0].handle');
+    const routeHandle = _.get(route, 'stack[0].handle', '');
     const routeMethod = _.get(route, 'stack[0].method');
+    if (!routeMethod) {
+      return;
+    }
     const newSignature = createSignature(self, 'Router', routeMethod, [
       path,
       routePath,

package/lib/hooks/frameworks/index.js

@@ -16,6 +16,7 @@ Copyright: 2022 Contrast Security, Inc
 
 const Http = require('./http');
 const Http2 = require('./http2');
+const Spdy = require('./spdy');
 const Hapi16 = require('./hapi16');
 
 module.exports = function(agent) {
@@ -23,5 +24,6 @@ module.exports = function(agent) {
   new Http(agent);
   new Http(agent, 'https');
   new Http2(agent);
+  new Spdy(agent);
   new Hapi16(agent);
 };

package/lib/hooks/frameworks/spdy.js

@@ -0,0 +1,87 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const {
+  PATCH_TYPES,
+  HTTP_RESPONSE_HOOKED_METHOD_KEYS,
+  SINK_TYPES
+} = require('../../constants');
+const patcher = require('../patcher');
+const HttpFramework = require('./http');
+const { isString } = require('../../util/is-string');
+const { emitSendEvent } = require('../../hooks/frameworks/common');
+const agentEmitter = require('../../agent-emitter');
+
+class SpdyFramework extends HttpFramework {
+  /**
+   * @param {Agent} agent
+   */
+  constructor(agent) {
+    super(agent, 'spdy');
+  }
+
+  /**
+   * @param {import('spdy')} spdy
+   * @returns {import('spdy')}
+   */
+  onRequire(spdy) {
+    patcher.patch(spdy, 'createServer', {
+      name: `${this.id}.createServer`,
+      patchType: PATCH_TYPES.FRAMEWORK,
+      alwaysRun: true,
+      post: ({ args, result }) => {
+        this.handleServerCreate(args, result);
+      }
+    });
+
+    patcher.patch(spdy.response, 'push', {
+      name: 'spdy.response.push',
+      patchType: PATCH_TYPES.FRAMEWORK,
+      pre(data) {
+        agentEmitter.emit(
+          HTTP_RESPONSE_HOOKED_METHOD_KEYS.PUSH,
+          data.args[0],
+          SINK_TYPES.RESPONSE_BODY
+        );
+
+        const body = data.args[0];
+        if (isString(body)) {
+          emitSendEvent(body.valueOf());
+        }
+      }
+    });
+
+    return spdy;
+  }
+
+  /**
+   * Emits a create event for the new Server instance.
+   * @param {any[]} args The arguments passed to the Server constructor
+   * @param {import('net').Server} server The http Server instance
+   */
+  handleServerCreate(args, server) {
+    super.handleServerCreate(args, server);
+
+    patcher.patch(server, 'listen', {
+      name: `${this.id}.SpdyFramework.listen`,
+      patchType: PATCH_TYPES.FRAMEWORK,
+      alwaysRun: true,
+      pre: ({ args, obj }) => this.handleServerListen(args, obj)
+    });
+  }
+}
+
+module.exports = SpdyFramework;

package/lib/hooks/http.js

@@ -195,5 +195,16 @@ module.exports = (agent) => {
       }
     });
   });
+
+  moduleHook.resolve({ name: 'spdy' }, (spdy) => {
+    patcher.patch(spdy, 'createServer', {
+      name: `create-server-spdy-hooks`,
+      patchType: PATCH_TYPES.MISC,
+      alwaysRun: true,
+      post({ result }) {
+        hookServer(result, agent);
+      }
+    });
+  });
 };
 module.exports.hookServer = hookServer;

package/lib/reporter/translations/to-protobuf/dtm/trace-event/index.js

@@ -48,9 +48,9 @@ module.exports = function TraceEvent(event = {}) {
     16: ret, //          17           ret
     17: args, //         18          args
     18: stack, //        19         stack
-    19: eventSources, // 10 event_sources
-    20: event.source, // 11        source
-    21: event.target, // 12        target
-    22: taintRanges //   13  taint_ranges
+    19: eventSources, // 20 event_sources
+    20: event.source, // 21        source
+    21: event.target, // 22        target
+    22: taintRanges //   23  taint_ranges
   });
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.8.0",
+  "version": "4.9.0",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",
@@ -22,6 +22,7 @@
     "Michael Woytowitz"
   ],
   "scripts": {
+    "preinstall": "npx npm-force-resolutions",
     "docs": "jsdoc -c ../.jsdoc.json",
     "release": "scripts/make-release.js",
     "tag": "scripts/tag-release.js",
@@ -72,7 +73,7 @@
     "@babel/types": "^7.12.1",
     "@contrast/distringuish-prebuilt": "^2.2.0",
     "@contrast/flat": "^4.1.1",
-    "@contrast/fn-inspect": "^2.4.2",
+    "@contrast/fn-inspect": "^2.4.3",
     "@contrast/heapdump": "^1.1.0",
     "@contrast/protobuf-api": "^3.2.0",
     "@contrast/require-hook": "^2.0.6",
@@ -83,7 +84,7 @@
     "bluebird": "^3.5.3",
     "builtin-modules": "^3.2.0",
     "cls-hooked": "^4.2.2",
-    "commander": "^5.0.0",
+    "commander": "^8.3.0",
     "content-security-policy-parser": "^0.2.0",
     "cookie": "^0.3.1",
     "crc-32": "^1.0.0",
@@ -125,8 +126,8 @@
     "codecov": "^3.7.0",
     "config": "^3.3.3",
     "csv-writer": "^1.2.0",
-    "deasync": "^0.1.20",
-    "dustjs-linkedin": "^3.0.0",
+    "deasync": "^0.1.24",
+    "dustjs-linkedin": "^3.0.1",
     "ejs": "^3.1.6",
     "escape-html": "^1.0.3",
     "eslint": "^8.2.0",
@@ -190,5 +191,9 @@
     "winston",
     "winston-syslog",
     "winston-daily-rotate-file"
-  ]
+  ],
+  "resolutions": {
+    "markdown-it": ">=12.3.2",
+    "marked": ">=4.0.10"
+  }
 }