@contrast/agent 4.9.0 → 4.10.2

package/bin/VERSION

@@ -1 +1 @@
-2.28.5
+2.28.9

package/lib/assess/propagators/joi/any.js

@@ -0,0 +1,48 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+const requireHook = require('../../../hooks/require');
+const patcher = require('../../../hooks/patcher');
+const {
+  PATCH_TYPES: { ASSESS_PROPAGATOR }
+} = require('../../../constants');
+const tracker = require('../../../tracker');
+const agent = require('../../../agent');
+
+requireHook.resolve(
+  { name: 'joi', file: 'lib/types/any.js', version: '>=17.0.0' },
+  (object) => {
+    if (
+      !agent.config ||
+      (agent.config && !agent.config.agent.trust_custom_validators)
+    ) {
+      return;
+    }
+
+    patcher.patch(object._definition.rules.custom, 'validate', {
+      name: 'joi.any.custom.validate',
+      patchType: ASSESS_PROPAGATOR,
+      alwaysRun: true,
+      post(data) {
+        if (data.result && typeof data.result === 'string') {
+          tracker.untrack(data.result);
+        }
+
+        if (data.args[0] && typeof data.args[0] === 'string') {
+          tracker.untrack(data.args[0]);
+        }
+      }
+    });
+  }
+);

package/lib/assess/propagators/joi/index.js

@@ -21,4 +21,6 @@ module.exports.handle = function() {
   require('./string-schema');
   require('./string-base');
   require('./expression');
+  require('./object');
+  require('./any');
 };

package/lib/assess/propagators/joi/object.js

@@ -0,0 +1,61 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+const requireHook = require('../../../hooks/require');
+const patcher = require('../../../hooks/patcher');
+const {
+  PATCH_TYPES: { ASSESS_PROPAGATOR }
+} = require('../../../constants');
+const tracker = require('../../../tracker');
+const agent = require('../../../agent');
+
+const traverseObjectAndUntrack = (object, incomingInput, result) => {
+  if (object.type === 'object' && object.$_terms.keys) {
+    object.$_terms.keys.forEach(({ key, schema }) => {
+      traverseObjectAndUntrack(schema, incomingInput[key], result[key]);
+    });
+  }
+
+  if (
+    object.type === 'string' &&
+    Array.isArray(object.$_terms.externals) &&
+    object.$_terms.externals.length
+  ) {
+    tracker.untrack(incomingInput);
+    tracker.untrack(result);
+  }
+};
+
+requireHook.resolve(
+  { name: 'joi', file: 'lib/types/object.js', version: '>=17.0.0' },
+  (object) => {
+    if (
+      !agent.config ||
+      (agent.config && !agent.config.agent.trust_custom_validators)
+    ) {
+      return;
+    }
+
+    patcher.patch(object.__proto__, 'validateAsync', {
+      name: 'joi.object.validateAsync',
+      patchType: ASSESS_PROPAGATOR,
+      alwaysRun: true,
+      post(data) {
+        data.result.then((result) =>
+          traverseObjectAndUntrack(data.obj, data.args[0], result)
+        );
+      }
+    });
+  }
+);

package/lib/assess/propagators/joi/string-base.js

@@ -24,6 +24,7 @@ const tracker = require('../../../tracker');
 const { PropagationEvent, Signature, CallContext } = require('../../models');
 const TagRange = require('../../models/tag-range');
 const tagRangeUtil = require('../../models/tag-range/util');
+const agent = require('../../../agent');
 
 /**
  * Patch joi.string.validate so that it tags input with string-type-checked if validated
@@ -54,6 +55,21 @@ function instrumentJoiString(string) {
         }
       }
     });
+
+  if (agent.config.agent.trust_custom_validators) {
+    patcher.patch(string.__proto__, 'validateAsync', {
+      name: 'joi.string.validateAsync',
+      patchType: ASSESS_PROPAGATOR,
+      alwaysRun: true,
+      post(data) {
+        if (!data.obj.$_terms.externals.length) return;
+        data.result.then((result) => {
+          tracker.untrack(data.args[0]);
+          tracker.untrack(result);
+        });
+      }
+    });
+  }
 }
 
 requireHook.resolve(

package/lib/assess/propagators/mongoose/helpers.js

@@ -12,9 +12,44 @@ Copyright: 2022 Contrast Security, Inc
   engineered, modified, repackaged, sold, redistributed or otherwise used in a
   way not consistent with the End User License Agreement.
 */
+const TagRange = require('../../models/tag-range');
+const { CallContext, PropagationEvent, Signature } = require('../../models');
+
 const hasUserDefinedValidator = (data) =>
   data.obj.validators.some((validator) => validator.type === 'user defined');
 
+const tagCustomValidatedValues = (values, data, tracker, tagRangeUtil) => {
+  for (const value of values) {
+    if (typeof value !== 'string') continue;
+
+    const trackingData = tracker.track(value);
+
+    if (!trackingData) return;
+
+    const { props } = trackingData;
+    const stringLength = value.length - 1;
+
+    props.tagRanges = tagRangeUtil.add(
+      props.tagRanges,
+      new TagRange(0, stringLength, 'custom-validated-nosql-injection')
+    );
+
+    props.tagRanges = tagRangeUtil.add(
+      props.tagRanges,
+      new TagRange(0, stringLength, 'string-type-checked')
+    );
+
+    props.event = new PropagationEvent({
+      context: new CallContext(data),
+      signature: new Signature('mongoose.mixed.doValidateSync'),
+      tagRanges: props.tagRanges,
+      source: 'P',
+      target: 'A',
+      parents: [props.event]
+    });
+  }
+};
 module.exports = {
-  hasUserDefinedValidator
+  hasUserDefinedValidator,
+  tagCustomValidatedValues
 };

package/lib/assess/propagators/mongoose/index.js

@@ -15,4 +15,5 @@ Copyright: 2022 Contrast Security, Inc
 module.exports.handle = () => {
   require('./map');
   require('./string');
+  require('./mixed');
 };

package/lib/assess/propagators/mongoose/map.js

@@ -21,9 +21,11 @@ const tagRangeUtil = require('../../models/tag-range/util');
 const {
   PATCH_TYPES: { ASSESS_PROPAGATOR }
 } = require('../../../constants');
-const TagRange = require('../../models/tag-range');
-const { CallContext, PropagationEvent, Signature } = require('../../models');
-const { hasUserDefinedValidator } = require('./helpers');
+const {
+  hasUserDefinedValidator,
+  tagCustomValidatedValues
+} = require('./helpers');
+const agent = require('../../../agent');
 
 const doValidateSyncPatcher = (SchemaMap) => {
   patcher.patch(SchemaMap.prototype, 'doValidateSync', {
@@ -31,37 +33,16 @@ const doValidateSyncPatcher = (SchemaMap) => {
     name: 'mongoose.map.doValidateSync',
     patchType: ASSESS_PROPAGATOR,
     post(data) {
-      if (data.result || data.obj.options.of.name !== 'String') return;
+      if (data.result) return;
 
       if (!hasUserDefinedValidator(data)) return;
 
-      for (const value of data.args[0].values()) {
-        const trackingData = tracker.track(value);
-
-        if (!trackingData) return;
-
-        const { props } = trackingData;
-        const stringLength = value.length - 1;
-
-        props.tagRanges = tagRangeUtil.add(
-          props.tagRanges,
-          new TagRange(0, stringLength, 'custom-validated-nosql-injection')
-        );
-
-        props.tagRanges = tagRangeUtil.add(
-          props.tagRanges,
-          new TagRange(0, stringLength, 'string-type-checked')
-        );
-
-        props.event = new PropagationEvent({
-          context: new CallContext(data),
-          signature: new Signature('mongoose.map.doValidateSync'),
-          tagRanges: props.tagRanges,
-          source: 'P',
-          target: 'A',
-          parents: [props.event]
-        });
-      }
+      tagCustomValidatedValues(
+        data.args[0].values(),
+        data,
+        tracker,
+        tagRangeUtil
+      );
     }
   });
 };
@@ -69,6 +50,13 @@ const doValidateSyncPatcher = (SchemaMap) => {
 requireHook.resolve(
   { name: 'mongoose', file: 'lib/schema/map.js', version: '>=5.0.0' },
   (SchemaMap) => {
+    if (
+      !agent.config ||
+      (agent.config && !agent.config.agent.trust_custom_validators)
+    ) {
+      return;
+    }
+
     doValidateSyncPatcher(SchemaMap);
   }
 );

package/lib/assess/propagators/mongoose/mixed.js

@@ -0,0 +1,71 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const tracker = require('../../../tracker');
+const patcher = require('../../../hooks/patcher');
+const requireHook = require('../../../hooks/require');
+const tagRangeUtil = require('../../models/tag-range/util');
+const {
+  PATCH_TYPES: { ASSESS_PROPAGATOR }
+} = require('../../../constants');
+const {
+  hasUserDefinedValidator,
+  tagCustomValidatedValues
+} = require('./helpers');
+const agent = require('../../../agent');
+
+const doValidateSyncPatcher = (SchemaMap) => {
+  patcher.patch(SchemaMap.prototype, 'doValidateSync', {
+    alwaysRun: true,
+    name: 'mongoose.mixed.doValidateSync',
+    patchType: ASSESS_PROPAGATOR,
+    post(data) {
+      if (data.result || !hasUserDefinedValidator(data)) return;
+
+      const input = data.args[0];
+      const inputType = typeof input;
+
+      if (inputType !== 'string' && inputType !== 'object') return;
+
+      let values;
+      if (inputType === 'string') {
+        values = [input];
+      } else if (Array.isArray(input)) {
+        values = input;
+      } else if (input instanceof Map) {
+        values = input.values();
+      } else {
+        values = Object.values(input);
+      }
+
+      tagCustomValidatedValues(values, data, tracker, tagRangeUtil);
+    }
+  });
+};
+
+requireHook.resolve(
+  { name: 'mongoose', file: 'lib/schema/mixed.js', version: '>=5.0.0' },
+  (SchemaMap) => {
+    if (
+      !agent.config ||
+      (agent.config && !agent.config.agent.trust_custom_validators)
+    ) {
+      return;
+    }
+
+    doValidateSyncPatcher(SchemaMap);
+  }
+);

package/lib/assess/propagators/mongoose/string.js

@@ -24,6 +24,7 @@ const {
 const TagRange = require('../../models/tag-range');
 const { CallContext, PropagationEvent, Signature } = require('../../models');
 const { hasUserDefinedValidator } = require('./helpers');
+const agent = require('../../../agent');
 
 const enumPatcher = (SchemaString) => {
   patcher.patch(SchemaString.prototype, 'enum', {
@@ -98,6 +99,13 @@ const doValidateSyncPatcher = (SchemaString) => {
 requireHook.resolve(
   { name: 'mongoose', file: 'lib/schema/string.js', version: '>=5.0.0' },
   (SchemaString) => {
+    if (
+      !agent.config ||
+      (agent.config && !agent.config.agent.trust_custom_validators)
+    ) {
+      return;
+    }
+
     enumPatcher(SchemaString);
     doValidateSyncPatcher(SchemaString);
   }

package/lib/core/arch-components/mysql.js

@@ -19,6 +19,7 @@ const ModuleHook = require('../../hooks/require');
 const agentEmitter = require('../../agent-emitter');
 const { PATCH_TYPES } = require('../../constants');
 const logger = require('../logger')('contrast:arch-component');
+const waitToConnect = require('./util');
 
 ModuleHook.resolve(
   { name: 'mysql', file: 'lib/Connection.js' },
@@ -28,22 +29,31 @@ ModuleHook.resolve(
       patchType: PATCH_TYPES.ARCH_COMPONENT,
       alwaysRun: true,
       post(wrapCtx) {
-        try {
-          let url = 'mysql://';
-          if (this.config.socketPath) {
-            url += this.config.socketPath;
-          } else {
-            url += `${this.config.host}`;
-          }
-          agentEmitter.emit('architectureComponent', {
-            vendor: 'MySQL',
-            url: new URL(url).toString(),
-            remoteHost: '',
-            remotePort: !this.config.socketPath ? this.config.port : -1
+        waitToConnect(wrapCtx)
+          .then(() => {
+            try {
+              let url = 'mysql://';
+              if (this.config.socketPath) {
+                url += this.config.socketPath;
+              } else {
+                url += `${this.config.host}`;
+              }
+              agentEmitter.emit('architectureComponent', {
+                vendor: 'MySQL',
+                url: new URL(url).toString(),
+                remoteHost: '',
+                remotePort: !this.config.socketPath ? this.config.port : -1
+              });
+            } catch (err) {
+              logger.warn(
+                'unable to report MySQL architecture component\n',
+                err
+              );
+            }
+          })
+          .catch((err) => {
+            logger.warn('unable to report MySQL architecture component\n', err);
           });
-        } catch (err) {
-          logger.warn('unable to report MySQL architecture component\n', err);
-        }
       }
     });
   }

package/lib/core/arch-components/postgres.js

@@ -18,6 +18,7 @@ const ModuleHook = require('../../hooks/require');
 const agentEmitter = require('../../agent-emitter');
 const { PATCH_TYPES } = require('../../constants');
 const logger = require('../logger')('contrast:arch-component');
+const waitToConnect = require('./util');
 
 ModuleHook.resolve({ name: 'pg', file: 'lib/client.js' }, (pgClient) =>
   patcher.patch(pgClient, {
@@ -25,37 +26,46 @@ ModuleHook.resolve({ name: 'pg', file: 'lib/client.js' }, (pgClient) =>
     patchType: PATCH_TYPES.ARCH_COMPONENT,
     alwaysRun: true,
     post(wrapCtx) {
-      try {
-        const {
-          host = process.env.PGHOST,
-          port = process.env.PGPORT
-        } = wrapCtx.result;
+      waitToConnect(wrapCtx)
+        .then(() => {
+          try {
+            const {
+              host = process.env.PGHOST,
+              port = process.env.PGPORT
+            } = wrapCtx.result;
 
-        if (!host) {
-          return;
-        }
+            if (!host) {
+              return;
+            }
 
-        let url = host;
+            let url = host;
 
-        // build protocol and port into url prior to parsing
-        if (url.indexOf('://') === -1) {
-          url = `postgresql://${url}`;
-        }
-        if (port !== undefined) {
-          url = `${url}:${port}`;
-        }
+            // build protocol and port into url prior to parsing
+            if (url.indexOf('://') === -1) {
+              url = `postgresql://${url}`;
+            }
+            if (port !== undefined) {
+              url = `${url}:${port}`;
+            }
 
-        agentEmitter.emit('architectureComponent', {
-          vendor: 'PostgreSQL',
-          remotePort: port || 0,
-          url: new URL(url).toString()
+            agentEmitter.emit('architectureComponent', {
+              vendor: 'PostgreSQL',
+              remotePort: port || 0,
+              url: new URL(url).toString()
+            });
+          } catch (err) {
+            logger.warn(
+              'unable to report PostgreSQL architecture component\n%o',
+              err
+            );
+          }
+        })
+        .catch((err) => {
+          logger.warn(
+            'unable to report PostgreSQL architecture component\n%o',
+            err
+          );
         });
-      } catch (err) {
-        logger.warn(
-          'unable to report PostgreSQL architecture component\n%o',
-          err
-        );
-      }
     }
   })
 );

package/lib/core/arch-components/util.js

@@ -0,0 +1,49 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+const MYSQL = 'mysql.connect.arch_component';
+const POSTGRES = 'pg.Client.arch_component';
+
+module.exports = function waitToConnect(ctx, count = 0) {
+  return new Promise((resolve, reject) => {
+    const maxAttempts = 10 * 60; // i.e., 1 min.
+    const checkConnection = setInterval(
+      function(ctx, resolve, reject) {
+        if (count >= maxAttempts) {
+          clearInterval(checkConnection);
+          reject();
+        }
+        switch (ctx.name) {
+          case MYSQL:
+            if (ctx.obj.state === 'authenticated') {
+              clearInterval(checkConnection);
+              resolve();
+            }
+            break;
+          case POSTGRES:
+            if (ctx.result._connected) {
+              clearInterval(checkConnection);
+              resolve();
+            }
+            break;
+        }
+        count++;
+      },
+      100,
+      ctx,
+      resolve,
+      reject
+    );
+  });
+};

package/lib/core/config/options.js

@@ -487,6 +487,12 @@ const agent = [
     desc:
       'set limit for stack trace size (larger limits will improve accuracy but increase memory usage)'
   },
+  {
+    name: 'agent.trust_custom_validators',
+    arg: '<trust-custom-validators>',
+    default: false,
+    desc: `trust incoming strings when they pass custom validators (Mongoose, Joi)`
+  },
   {
     name: 'agent.traverse_and_track',
     arg: '<traverse-and-track>',
@@ -977,11 +983,11 @@ if (process.env.CONTRAST_DEV) {
 const sails = [
   {
     name: 'pathToSails',
-    arg: '<path>',
+    arg: '<path>'
   },
   {
     name: 'gdsrc',
-    arg: '<path>',
+    arg: '<path>'
   }
 ];
 
@@ -1030,16 +1036,12 @@ options.forEach((option) => {
 // The agent doesn't need to do anything with these options. It just needs to not
 // throw an error when it encounters them but we also don't need them displayed on
 // the agent's config option list. The newest version of Commander lets us do exactly this.
-// This is structured so that if anything like this is discovered again, they can be 
+// This is structured so that if anything like this is discovered again, they can be
 // added in easily.
-const hiddenOptions = [].concat(
-  sails
-)
+const hiddenOptions = [].concat(sails);
 
 hiddenOptions.forEach((option) => {
-  program.addOption(
-    new Option(`--${option.name} ${option.arg}`).hideHelp()
-  )
+  program.addOption(new Option(`--${option.name} ${option.arg}`).hideHelp());
 });
 
 function getDefault(optionName) {

package/lib/core/express/index.js

@@ -397,6 +397,9 @@ class ExpressFramework {
               req[LAYER_STACK].pop();
             }
           });
+          if (req.query) {
+            decorateRequest({ query: req.query });
+          }
           const params = new Object(this.params);
           if (Object.keys(params).length) {
             agentEmitter.emit(
@@ -419,12 +422,14 @@ class ExpressFramework {
 
             Whatever the core issue is, it doesn't appear to have any effects
             elsewhere in any of our Express/Kraken framework support.
-
-            BODY_PARSED event is emitted to support Sails framework
            */
           if (req.body) {
             decorateRequest({ body: req.body });
-            agentEmitter.emit(EVENTS.BODY_PARSED, req, res, req.body);
+
+            // BODY_PARSED event is emitted to support Sails framework
+            if (req._sails) {
+              agentEmitter.emit(EVENTS.BODY_PARSED, req, res, req.body);
+            }
           }
         }
       });

package/lib/core/fastify/index.js

@@ -154,7 +154,8 @@ class FastifyCore {
     agentEmitter.emit(constants.EVENTS.PRE_VALIDATION, ...data);
     decorateRequest({
       body: request.body,
-      parameters: request.params
+      parameters: request.params,
+      query: request.query
     });
     done();
   }

package/lib/core/hapi/index.js

@@ -173,7 +173,8 @@ class HapiCore {
       decorateRequest({
         normalizedUri: get(request, 'route.path'),
         body: request.payload,
-        parameters: request.params
+        parameters: request.params,
+        query: request.query
       });
       return h.continue;
     });

package/lib/core/koa/index.js

@@ -216,13 +216,21 @@ class KoaCore {
    */
   registerRequestHandler(ctx) {
     ctx.req.request = ctx.request;
+    const { query } = ctx.request;
     ctx.request = new Proxy(ctx.request, {
       set(...args) {
         const [obj, prop] = args;
         const result = Reflect.set(...args);
+        if (query) {
+          decorateRequest({
+            query
+          });
+        }
         switch (prop) {
           case 'body':
-            decorateRequest({ body: obj[prop] });
+            decorateRequest({
+              body: obj[prop]
+            });
             agentEmitter.emit(constants.EVENTS.CTX_REQUEST_BODY, {
               request: obj,
               ctx

package/lib/core/rewrite/callees.js

@@ -67,6 +67,22 @@ const specs = [
     token: 'eval',
     modes: { assess: true, protect: true }
   },
+  // Import Declaration
+  {
+    name: '__importDefault',
+    type: 'ImportDefaultSpecifier',
+    modes: { assess: true, protect: true }
+  },
+  {
+    name: '__importNamespace',
+    type: 'ImportNamespaceSpecifier',
+    modes: { assess: true, protect: true }
+  },
+  {
+    name: '__import',
+    type: 'ImportSpecifier',
+    modes: { assess: true, protect: true }
+  },
   // Member Expression
   {
     name: '__forceCopy',

package/lib/core/rewrite/import-declaration.js

@@ -0,0 +1,71 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const t = require('@babel/types');
+const _ = require('lodash');
+
+const IMPORT_META_URL_MEMBER_EXPRESSION = t.memberExpression(
+  t.memberExpression(t.identifier('import'), t.identifier('meta')),
+  t.identifier('url')
+);
+
+/**
+ * Appends calls to our own instrumentable import methods, providing access to
+ * the imported modules.
+ * ```
+ * import x from 'mod';
+ * // becomes:
+ * import x from 'mod';
+ * ContrastMethods.__importDefault(x, 'mod', import.meta.url);
+ *
+ * import * as x from 'mod';
+ * // becomes:
+ * import x from 'mod';
+ * ContrastMethods.__importNamespace(x, 'mod', import.meta.url);
+ *
+ * import { foo, bar as baz } from 'mod';;
+ * // becomes
+ * ContrastMethods.__import(foo, 'foo', 'mod', import.meta.url);
+ * ContrastMethods.__import(baz, 'bar', 'mod', import.meta.url);
+ * ```
+ * @param {import('@babel/traverse').NodePath<import('@babel/types').ImportDeclaration>} path
+ * @param {import('.').State} state
+ */
+module.exports = function ImportDeclaration(path, state) {
+  const { source, specifiers } = path.node;
+
+  path.insertAfter(
+    specifiers.map((importSpec) => {
+      const spec = _.find(state.specs, { type: importSpec.type });
+      if (!spec || !state.callees[spec.name]) return;
+
+      const args = [importSpec.local];
+
+      if (t.isImportSpecifier(importSpec)) {
+        args.push(
+          t.isIdentifier(importSpec.imported)
+            ? t.stringLiteral(importSpec.imported.name)
+            : importSpec.imported
+        );
+      }
+
+      args.push(source);
+      args.push(IMPORT_META_URL_MEMBER_EXPRESSION);
+
+      return t.callExpression(state.callees[spec.name], args);
+    })
+  );
+};

package/lib/core/rewrite/index.js

@@ -18,23 +18,24 @@ const { default: generate } = require('@babel/generator');
 const { parse } = require('@babel/parser');
 const { default: traverse } = require('@babel/traverse');
 
+const RewriteDeadzones = require('../../assess/deadzones/rewrite');
+const { util: sourceMapUtility } = require('../../util/source-map');
 const Scopes = require('../async-storage/scopes');
 const logger = require('../logger')('contrast:rewrite');
-const RewriteDeadzones = require('../../assess/deadzones/rewrite');
-const logRewrite = require('./log');
-const RewriteLog = require('./rewrite-log');
-const isContrastMethod = require('./is-contrast-method');
-const functionWrap = require('./function-wrap');
-const prependGlobals = require('./prepend-globals');
 const AssignmentExpression = require('./assignment-expression');
 const BinaryExpression = require('./binary-expression');
 const CallExpression = require('./call-expression');
 const CatchClause = require('./catch-clause');
+const functionWrap = require('./function-wrap');
+const ImportDeclaration = require('./import-declaration');
+const isContrastMethod = require('./is-contrast-method');
+const logRewrite = require('./log');
 const MemberExpression = require('./member-expression');
 const ObjectProperty = require('./object-property');
+const prependGlobals = require('./prepend-globals');
+const RewriteLog = require('./rewrite-log');
 const SwitchStatement = require('./switch-statement');
 const TemplateLiteral = require('./template-literal');
-const sourceMapUtility = require('../../util/source-map').util;
 
 /**
  * @typedef {Object} State
@@ -105,6 +106,7 @@ class Rewriter {
         BinaryExpression,
         CallExpression,
         CatchClause,
+        ImportDeclaration,
         MemberExpression,
         ObjectProperty,
         SwitchStatement,

package/lib/core/rewrite/injections.js

@@ -100,7 +100,11 @@ const ContrastMethods = new Injection(null, 'ContrastMethods', {
   },
   __contrastEval: function __contrastEval(str) {
     return str;
-  }
+  },
+  // TODO: NODE-2020
+  __importDefault(mod, source, url) {},
+  __importNamespace(mod, source, url) {},
+  __import(mod, spec, source, url) {}
 });
 
 ContrastMethods.enable();

package/lib/protect/restify/sources.js

@@ -21,6 +21,8 @@ const {
 } = require('../../constants');
 const { emitSourceEvent } = require('../../hooks/frameworks/common');
 const agentEmitter = require('../../agent-emitter');
+const patcher = require('../../hooks/patcher');
+const { PATCH_TYPES } = require('../../constants');
 const {
   utils,
   constants: { EVENTS }
@@ -39,6 +41,39 @@ class RestifyProtectSources {
         EVENTS.CREATE_SERVER,
         this.registerUrlParamsHandler.bind(this)
       );
+      agentEmitter.on(
+        EVENTS.RESTIFY_EXPORT,
+        this.registerQueryParamsHandler.bind(this)
+      );
+    }
+  }
+
+  /**
+   * Patches query parser middleware to wrap the callback argument. Once this
+   * wrapped callback is invoked w/out error we know we can proxy `req.query`.
+   * @param {object} restify
+   */
+  registerQueryParamsHandler(restify) {
+    const {
+      plugins: { queryParser: origQueryParser }
+    } = restify;
+
+    if (origQueryParser) {
+      patcher.patch(restify.plugins, 'queryParser', {
+        name: 'restify.plugins',
+        patchType: PATCH_TYPES.FRAMEWORK,
+        alwaysRun: true,
+        post(data) {
+          patcher.patch(data, 'result', {
+            name: 'restify.plugins.queryParser',
+            patchType: PATCH_TYPES.PROTECT_SOURCE,
+            alwaysRun: true,
+            post(data) {
+              decorateRequest({ query: get(data.args[0], 'query') });
+            }
+          });
+        }
+      });
     }
   }
 

package/lib/protect/rules/nosqli/nosql-injection-rule.js

@@ -26,9 +26,11 @@ const brackets = /\[(.{1,1024}?)\]/;
 const child = /\[(.{1,1024}?)\]/g;
 
 const MONGODB = 'mongodb';
+const RETHINKDB = 'rethinkdb';
 
 const ScannerKit = new Map([
-  [MONGODB, () => require('../nosqli/nosql-scanner').create('MongoDB')]
+  [MONGODB, () => require('../nosqli/nosql-scanner').create('MongoDB')],
+  [RETHINKDB, () => require('../nosqli/nosql-scanner').create('RethinkDB')]
 ]);
 const SubstringFinder = require('../base-scanner/substring-finder');
 
@@ -144,27 +146,14 @@ class NoSqlInjectionRule extends require('../') {
       _documentType === constants.INPUT_TYPES.PARAMETER_NAME &&
       _documentPath.length <= 1024
     ) {
-      let segment = brackets.exec(_documentPath);
-      const parent = segment
-        ? _documentPath.slice(0, segment.index)
-        : _documentPath;
-
-      pathArray.push('query');
-
-      if (parent) {
-        pathArray.push(parent);
-      }
-      while ((segment = child.exec(_documentPath))) {
-        pathArray.push(segment[1]);
-      }
-      pathArray.pop();
+      this.buildPathArray(_documentPath, pathArray);
     } else {
       // only qs params and body are "expandable"
       pathArray.push('body', ..._documentPath.split('.'));
     }
 
     let data;
-    let curr = ctx.req;
+    let curr = ctx.request;
 
     for (const path of pathArray) {
       if (curr) {
@@ -175,6 +164,31 @@ class NoSqlInjectionRule extends require('../') {
     return data;
   }
 
+  buildPathArray(documentPath, pathArray) {
+    const documentPathArray = documentPath.split('.');
+
+    pathArray.push('query');
+    documentPathArray.forEach((dotSegment) => {
+      let lastChar;
+      let bracketSegment = brackets.exec(dotSegment);
+      let parent = bracketSegment
+        ? dotSegment.slice(0, bracketSegment.index)
+        : dotSegment;
+      if (parent) {
+        lastChar = parent.slice(-1);
+        parent = lastChar === ']' ? parent.slice(0, -1) : parent;
+        pathArray.push(parent);
+      }
+      while ((bracketSegment = child.exec(dotSegment))) {
+        lastChar = bracketSegment[1].slice(-1);
+        const segment =
+          lastChar === ']' ? bracketSegment[1].slice(0, -1) : bracketSegment[1];
+        pathArray.push(segment);
+      }
+    });
+    pathArray.pop();
+  }
+
   getScanner(id) {
     if (!ScannerKit.has(id)) {
       throw new Error(`Unknown NoSQL scanner: ${id}`);

package/lib/protect/rules/nosqli/nosql-scanner/index.js

@@ -33,7 +33,7 @@ module.exports = {
 
     const databases = {
       MongoDB: () => new (require('./mongodbscanner'))(options),
-
+      RethinkDB: () => new (require('./rethinkdbscanner'))(options),
       [ERROR_KEY]: () => {
         throw new Error();
       }

package/lib/protect/rules/nosqli/nosql-scanner/rethinkdbscanner.js

@@ -0,0 +1,26 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+/**
+ * RethinkDB scanner module
+ * @module lib/protect/rules/nosql/nosql-scanner/RethinkDBScanner
+ */
+
+'use strict';
+
+const { BaseScanner } = require('../../base-scanner');
+
+class RethinkDBScanner extends BaseScanner {}
+
+module.exports = RethinkDBScanner;

package/lib/protect/sinks/index.js

@@ -29,6 +29,7 @@ const MongoDBSink = require('./mongodb');
 const MySQLSink = require('./mysql');
 const NodeSerializeSink = require('./node-serialize');
 const PostgresSink = require('./postgres');
+const RethinkDBSink = require('./rethinkdb');
 const SequelizeSink = require('./sequelize');
 const Sqlite3Sink = require('./sqlite3');
 const VMSink = require('./vm');
@@ -46,6 +47,7 @@ module.exports = function init(agent) {
   new MySQLSink(agent).install({ ModuleHook });
   new NodeSerializeSink(agent).install({ ModuleHook });
   new PostgresSink(agent).install({ ModuleHook });
+  new RethinkDBSink(agent).install({ ModuleHook });
   new SequelizeSink(agent).install({ ModuleHook });
   new VMSink(agent).install({ ModuleHook });
   new Sqlite3Sink(agent).install({ ModuleHook });

package/lib/protect/sinks/mongodb.js

@@ -21,8 +21,6 @@ const BaseSensor = require('../../hooks/frameworks/base');
 const patcher = require('../../hooks/patcher');
 const { PATCH_TYPES } = require('../../constants');
 const { emitSinkEvent } = require('../../hooks/frameworks/common');
-const agentEmitter = require('../../agent-emitter');
-const SinkEvent = require('../models/sink-event');
 
 const { SINK_TYPES } = constants;
 const ID = 'mongodb';
@@ -37,7 +35,7 @@ function getCursorQueryData(args, version) {
   }
 
   if (_.isString(query)) {
-    return query.toString()
+    return query.toString();
   }
 
   if (query['$where']) {

package/lib/protect/sinks/rethinkdb.js

@@ -0,0 +1,47 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const constants = require('../../constants');
+const BaseSensor = require('../../hooks/frameworks/base');
+const patcher = require('../../hooks/patcher');
+const { PATCH_TYPES } = require('../../constants');
+const { emitSinkEvent } = require('../../hooks/frameworks/common');
+
+const { SINK_TYPES } = constants;
+const ID = 'rethinkdb';
+
+class RethinkDBSensor extends BaseSensor {
+  constructor(agent) {
+    super({ id: ID, agent });
+  }
+
+  install({ ModuleHook }) {
+    ModuleHook.resolve({ name: 'rethinkdb' }, (rethinkdb) => {
+      patcher.patch(rethinkdb, 'js', {
+        alwaysRun: true,
+        name: 'rethinkdb',
+        patchType: PATCH_TYPES.PROTECT_SINK,
+        pre: (data) => {
+          emitSinkEvent(data.args[0], SINK_TYPES.NOSQL_QUERY, ID);
+        }
+      });
+    });
+
+    return this;
+  }
+}
+
+module.exports = RethinkDBSensor;

package/lib/util/source-map.js

@@ -156,9 +156,9 @@ class SourceMapUtility {
    * @returns {string}          fixed filename with full path
    */
   replaceSource(original, source) {
-    const origName = path.basename(original);
-
-    return original.replace(origName, source);
+    return original === source
+      ? original
+      : original.replace(path.basename(original), source);
   }
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.9.0",
+  "version": "4.10.2",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",
@@ -19,10 +19,15 @@
     "Griffin Yourick",
     "Ati Ok",
     "Pat McClory",
-    "Michael Woytowitz"
+    "Michael Woytowitz",
+    "Jacob Kaplan",
+    "Yulia Tenincheva",
+    "Bruce MacNaughton",
+    "Krasen Penchev",
+    "Ivaylo Grahlyov",
+    "Yavor Stoychev"
   ],
   "scripts": {
-    "preinstall": "npx npm-force-resolutions",
     "docs": "jsdoc -c ../.jsdoc.json",
     "release": "scripts/make-release.js",
     "tag": "scripts/tag-release.js",
@@ -73,10 +78,10 @@
     "@babel/types": "^7.12.1",
     "@contrast/distringuish-prebuilt": "^2.2.0",
     "@contrast/flat": "^4.1.1",
-    "@contrast/fn-inspect": "^2.4.3",
+    "@contrast/fn-inspect": "^2.4.4",
     "@contrast/heapdump": "^1.1.0",
-    "@contrast/protobuf-api": "^3.2.0",
-    "@contrast/require-hook": "^2.0.6",
+    "@contrast/protobuf-api": "^3.2.3",
+    "@contrast/require-hook": "^2.0.8",
     "@contrast/synchronous-source-maps": "^1.1.0",
     "amqp-connection-manager": "^3.2.2",
     "amqplib": "^0.8.0",
@@ -110,7 +115,7 @@
     "@bmacnaughton/string-generator": "^1.0.0",
     "@contrast/eslint-config": "^2.0.1",
     "@contrast/fake-module": "file:test/mock/contrast-fake",
-    "@contrast/screener-service": "^1.12.8",
+    "@contrast/screener-service": "^1.12.9",
     "@hapi/boom": "file:test/mock/boom",
     "@hapi/hapi": "file:test/mock/hapi",
     "@ls-lint/ls-lint": "^1.8.1",
@@ -143,13 +148,13 @@
     "husky": "^6.0.0",
     "inquirer": "^8.1.2",
     "joi": "^17.4.0",
-    "jsdoc": "^3.6.7",
+    "jsdoc": "^3.6.10",
     "libxmljs": "file:test/mock/libxmljs",
     "libxmljs2": "file:test/mock/libxmljs2",
     "lint-staged": "^12.0.2",
     "madge": "^4.0.1",
     "marsdb": "file:test/mock/marsdb",
-    "mocha": "^9.1.3",
+    "mocha": "^9.2.0",
     "mochawesome": "^7.0.1",
     "mongodb": "file:test/mock/mongodb",
     "mongodb-npm": "npm:mongodb@^3.6.5",
@@ -157,7 +162,7 @@
     "mustache": "^3.0.1",
     "mysql": "file:test/mock/mysql",
     "nock": "^12.0.3",
-    "node-fetch": "^2.6.1",
+    "node-fetch": "^2.6.7",
     "node-serialize": "file:test/mock/node-serialize",
     "npm-license-crawler": "^0.2.1",
     "nyc": "^15.1.0",
@@ -191,9 +196,5 @@
     "winston",
     "winston-syslog",
     "winston-daily-rotate-file"
-  ],
-  "resolutions": {
-    "markdown-it": ">=12.3.2",
-    "marked": ">=4.0.10"
-  }
+  ]
 }