@contrast/agent 4.9.1 → 4.10.3

package/bin/VERSION

@@ -1 +1 @@
-2.28.5
+2.28.12

package/bootstrap.js

@@ -1,4 +1,3 @@
-#!/usr/bin/env node
 /**
 Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
@@ -13,6 +12,7 @@ Copyright: 2022 Contrast Security, Inc
   engineered, modified, repackaged, sold, redistributed or otherwise used in a
   way not consistent with the End User License Agreement.
 */
+'use strict';
 
 const startTime = process.hrtime();
 
@@ -25,7 +25,7 @@ const orig = Module.runMain;
  * process before invoking the main
  * script from cli
  */
-Module.runMain = async function(...args) {
+Module.runMain = async function (...args) {
   const { isMainThread } = require('worker_threads');
 
   try {

package/lib/assess/propagators/joi/any.js

@@ -0,0 +1,48 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+const requireHook = require('../../../hooks/require');
+const patcher = require('../../../hooks/patcher');
+const {
+  PATCH_TYPES: { ASSESS_PROPAGATOR }
+} = require('../../../constants');
+const tracker = require('../../../tracker');
+const agent = require('../../../agent');
+
+requireHook.resolve(
+  { name: 'joi', file: 'lib/types/any.js', version: '>=17.0.0' },
+  (object) => {
+    if (
+      !agent.config ||
+      (agent.config && !agent.config.agent.trust_custom_validators)
+    ) {
+      return;
+    }
+
+    patcher.patch(object._definition.rules.custom, 'validate', {
+      name: 'joi.any.custom.validate',
+      patchType: ASSESS_PROPAGATOR,
+      alwaysRun: true,
+      post(data) {
+        if (data.result && typeof data.result === 'string') {
+          tracker.untrack(data.result);
+        }
+
+        if (data.args[0] && typeof data.args[0] === 'string') {
+          tracker.untrack(data.args[0]);
+        }
+      }
+    });
+  }
+);

package/lib/assess/propagators/joi/index.js

@@ -21,4 +21,6 @@ module.exports.handle = function() {
   require('./string-schema');
   require('./string-base');
   require('./expression');
+  require('./object');
+  require('./any');
 };

package/lib/assess/propagators/joi/object.js

@@ -0,0 +1,61 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+const requireHook = require('../../../hooks/require');
+const patcher = require('../../../hooks/patcher');
+const {
+  PATCH_TYPES: { ASSESS_PROPAGATOR }
+} = require('../../../constants');
+const tracker = require('../../../tracker');
+const agent = require('../../../agent');
+
+const traverseObjectAndUntrack = (object, incomingInput, result) => {
+  if (object.type === 'object' && object.$_terms.keys) {
+    object.$_terms.keys.forEach(({ key, schema }) => {
+      traverseObjectAndUntrack(schema, incomingInput[key], result[key]);
+    });
+  }
+
+  if (
+    object.type === 'string' &&
+    Array.isArray(object.$_terms.externals) &&
+    object.$_terms.externals.length
+  ) {
+    tracker.untrack(incomingInput);
+    tracker.untrack(result);
+  }
+};
+
+requireHook.resolve(
+  { name: 'joi', file: 'lib/types/object.js', version: '>=17.0.0' },
+  (object) => {
+    if (
+      !agent.config ||
+      (agent.config && !agent.config.agent.trust_custom_validators)
+    ) {
+      return;
+    }
+
+    patcher.patch(object.__proto__, 'validateAsync', {
+      name: 'joi.object.validateAsync',
+      patchType: ASSESS_PROPAGATOR,
+      alwaysRun: true,
+      post(data) {
+        data.result.then((result) =>
+          traverseObjectAndUntrack(data.obj, data.args[0], result)
+        );
+      }
+    });
+  }
+);

package/lib/assess/propagators/joi/string-base.js

@@ -24,6 +24,7 @@ const tracker = require('../../../tracker');
 const { PropagationEvent, Signature, CallContext } = require('../../models');
 const TagRange = require('../../models/tag-range');
 const tagRangeUtil = require('../../models/tag-range/util');
+const agent = require('../../../agent');
 
 /**
  * Patch joi.string.validate so that it tags input with string-type-checked if validated
@@ -54,6 +55,21 @@ function instrumentJoiString(string) {
         }
       }
     });
+
+  if (agent.config.agent.trust_custom_validators) {
+    patcher.patch(string.__proto__, 'validateAsync', {
+      name: 'joi.string.validateAsync',
+      patchType: ASSESS_PROPAGATOR,
+      alwaysRun: true,
+      post(data) {
+        if (!data.obj.$_terms.externals.length) return;
+        data.result.then((result) => {
+          tracker.untrack(data.args[0]);
+          tracker.untrack(result);
+        });
+      }
+    });
+  }
 }
 
 requireHook.resolve(

package/lib/assess/propagators/mongoose/helpers.js

@@ -12,9 +12,44 @@ Copyright: 2022 Contrast Security, Inc
   engineered, modified, repackaged, sold, redistributed or otherwise used in a
   way not consistent with the End User License Agreement.
 */
+const TagRange = require('../../models/tag-range');
+const { CallContext, PropagationEvent, Signature } = require('../../models');
+
 const hasUserDefinedValidator = (data) =>
   data.obj.validators.some((validator) => validator.type === 'user defined');
 
+const tagCustomValidatedValues = (values, data, tracker, tagRangeUtil) => {
+  for (const value of values) {
+    if (typeof value !== 'string') continue;
+
+    const trackingData = tracker.track(value);
+
+    if (!trackingData) return;
+
+    const { props } = trackingData;
+    const stringLength = value.length - 1;
+
+    props.tagRanges = tagRangeUtil.add(
+      props.tagRanges,
+      new TagRange(0, stringLength, 'custom-validated-nosql-injection')
+    );
+
+    props.tagRanges = tagRangeUtil.add(
+      props.tagRanges,
+      new TagRange(0, stringLength, 'string-type-checked')
+    );
+
+    props.event = new PropagationEvent({
+      context: new CallContext(data),
+      signature: new Signature('mongoose.mixed.doValidateSync'),
+      tagRanges: props.tagRanges,
+      source: 'P',
+      target: 'A',
+      parents: [props.event]
+    });
+  }
+};
 module.exports = {
-  hasUserDefinedValidator
+  hasUserDefinedValidator,
+  tagCustomValidatedValues
 };

package/lib/assess/propagators/mongoose/index.js

@@ -15,4 +15,5 @@ Copyright: 2022 Contrast Security, Inc
 module.exports.handle = () => {
   require('./map');
   require('./string');
+  require('./mixed');
 };

package/lib/assess/propagators/mongoose/map.js

@@ -21,9 +21,11 @@ const tagRangeUtil = require('../../models/tag-range/util');
 const {
   PATCH_TYPES: { ASSESS_PROPAGATOR }
 } = require('../../../constants');
-const TagRange = require('../../models/tag-range');
-const { CallContext, PropagationEvent, Signature } = require('../../models');
-const { hasUserDefinedValidator } = require('./helpers');
+const {
+  hasUserDefinedValidator,
+  tagCustomValidatedValues
+} = require('./helpers');
+const agent = require('../../../agent');
 
 const doValidateSyncPatcher = (SchemaMap) => {
   patcher.patch(SchemaMap.prototype, 'doValidateSync', {
@@ -31,37 +33,16 @@ const doValidateSyncPatcher = (SchemaMap) => {
     name: 'mongoose.map.doValidateSync',
     patchType: ASSESS_PROPAGATOR,
     post(data) {
-      if (data.result || data.obj.options.of.name !== 'String') return;
+      if (data.result) return;
 
       if (!hasUserDefinedValidator(data)) return;
 
-      for (const value of data.args[0].values()) {
-        const trackingData = tracker.track(value);
-
-        if (!trackingData) return;
-
-        const { props } = trackingData;
-        const stringLength = value.length - 1;
-
-        props.tagRanges = tagRangeUtil.add(
-          props.tagRanges,
-          new TagRange(0, stringLength, 'custom-validated-nosql-injection')
-        );
-
-        props.tagRanges = tagRangeUtil.add(
-          props.tagRanges,
-          new TagRange(0, stringLength, 'string-type-checked')
-        );
-
-        props.event = new PropagationEvent({
-          context: new CallContext(data),
-          signature: new Signature('mongoose.map.doValidateSync'),
-          tagRanges: props.tagRanges,
-          source: 'P',
-          target: 'A',
-          parents: [props.event]
-        });
-      }
+      tagCustomValidatedValues(
+        data.args[0].values(),
+        data,
+        tracker,
+        tagRangeUtil
+      );
     }
   });
 };
@@ -69,6 +50,13 @@ const doValidateSyncPatcher = (SchemaMap) => {
 requireHook.resolve(
   { name: 'mongoose', file: 'lib/schema/map.js', version: '>=5.0.0' },
   (SchemaMap) => {
+    if (
+      !agent.config ||
+      (agent.config && !agent.config.agent.trust_custom_validators)
+    ) {
+      return;
+    }
+
     doValidateSyncPatcher(SchemaMap);
   }
 );

package/lib/assess/propagators/mongoose/mixed.js

@@ -0,0 +1,71 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const tracker = require('../../../tracker');
+const patcher = require('../../../hooks/patcher');
+const requireHook = require('../../../hooks/require');
+const tagRangeUtil = require('../../models/tag-range/util');
+const {
+  PATCH_TYPES: { ASSESS_PROPAGATOR }
+} = require('../../../constants');
+const {
+  hasUserDefinedValidator,
+  tagCustomValidatedValues
+} = require('./helpers');
+const agent = require('../../../agent');
+
+const doValidateSyncPatcher = (SchemaMap) => {
+  patcher.patch(SchemaMap.prototype, 'doValidateSync', {
+    alwaysRun: true,
+    name: 'mongoose.mixed.doValidateSync',
+    patchType: ASSESS_PROPAGATOR,
+    post(data) {
+      if (data.result || !hasUserDefinedValidator(data)) return;
+
+      const input = data.args[0];
+      const inputType = typeof input;
+
+      if (inputType !== 'string' && inputType !== 'object') return;
+
+      let values;
+      if (inputType === 'string') {
+        values = [input];
+      } else if (Array.isArray(input)) {
+        values = input;
+      } else if (input instanceof Map) {
+        values = input.values();
+      } else {
+        values = Object.values(input);
+      }
+
+      tagCustomValidatedValues(values, data, tracker, tagRangeUtil);
+    }
+  });
+};
+
+requireHook.resolve(
+  { name: 'mongoose', file: 'lib/schema/mixed.js', version: '>=5.0.0' },
+  (SchemaMap) => {
+    if (
+      !agent.config ||
+      (agent.config && !agent.config.agent.trust_custom_validators)
+    ) {
+      return;
+    }
+
+    doValidateSyncPatcher(SchemaMap);
+  }
+);

package/lib/assess/propagators/mongoose/string.js

@@ -24,6 +24,7 @@ const {
 const TagRange = require('../../models/tag-range');
 const { CallContext, PropagationEvent, Signature } = require('../../models');
 const { hasUserDefinedValidator } = require('./helpers');
+const agent = require('../../../agent');
 
 const enumPatcher = (SchemaString) => {
   patcher.patch(SchemaString.prototype, 'enum', {
@@ -98,6 +99,13 @@ const doValidateSyncPatcher = (SchemaString) => {
 requireHook.resolve(
   { name: 'mongoose', file: 'lib/schema/string.js', version: '>=5.0.0' },
   (SchemaString) => {
+    if (
+      !agent.config ||
+      (agent.config && !agent.config.agent.trust_custom_validators)
+    ) {
+      return;
+    }
+
     enumPatcher(SchemaString);
     doValidateSyncPatcher(SchemaString);
   }

package/lib/core/arch-components/mysql.js

@@ -19,6 +19,7 @@ const ModuleHook = require('../../hooks/require');
 const agentEmitter = require('../../agent-emitter');
 const { PATCH_TYPES } = require('../../constants');
 const logger = require('../logger')('contrast:arch-component');
+const waitToConnect = require('./util');
 
 ModuleHook.resolve(
   { name: 'mysql', file: 'lib/Connection.js' },
@@ -28,22 +29,31 @@ ModuleHook.resolve(
       patchType: PATCH_TYPES.ARCH_COMPONENT,
       alwaysRun: true,
       post(wrapCtx) {
-        try {
-          let url = 'mysql://';
-          if (this.config.socketPath) {
-            url += this.config.socketPath;
-          } else {
-            url += `${this.config.host}`;
-          }
-          agentEmitter.emit('architectureComponent', {
-            vendor: 'MySQL',
-            url: new URL(url).toString(),
-            remoteHost: '',
-            remotePort: !this.config.socketPath ? this.config.port : -1
+        waitToConnect(wrapCtx)
+          .then(() => {
+            try {
+              let url = 'mysql://';
+              if (this.config.socketPath) {
+                url += this.config.socketPath;
+              } else {
+                url += `${this.config.host}`;
+              }
+              agentEmitter.emit('architectureComponent', {
+                vendor: 'MySQL',
+                url: new URL(url).toString(),
+                remoteHost: '',
+                remotePort: !this.config.socketPath ? this.config.port : -1
+              });
+            } catch (err) {
+              logger.warn(
+                'unable to report MySQL architecture component\n',
+                err
+              );
+            }
+          })
+          .catch((err) => {
+            logger.warn('unable to report MySQL architecture component\n', err);
           });
-        } catch (err) {
-          logger.warn('unable to report MySQL architecture component\n', err);
-        }
       }
     });
   }

package/lib/core/arch-components/postgres.js

@@ -18,6 +18,7 @@ const ModuleHook = require('../../hooks/require');
 const agentEmitter = require('../../agent-emitter');
 const { PATCH_TYPES } = require('../../constants');
 const logger = require('../logger')('contrast:arch-component');
+const waitToConnect = require('./util');
 
 ModuleHook.resolve({ name: 'pg', file: 'lib/client.js' }, (pgClient) =>
   patcher.patch(pgClient, {
@@ -25,37 +26,46 @@ ModuleHook.resolve({ name: 'pg', file: 'lib/client.js' }, (pgClient) =>
     patchType: PATCH_TYPES.ARCH_COMPONENT,
     alwaysRun: true,
     post(wrapCtx) {
-      try {
-        const {
-          host = process.env.PGHOST,
-          port = process.env.PGPORT
-        } = wrapCtx.result;
+      waitToConnect(wrapCtx)
+        .then(() => {
+          try {
+            const {
+              host = process.env.PGHOST,
+              port = process.env.PGPORT
+            } = wrapCtx.result;
 
-        if (!host) {
-          return;
-        }
+            if (!host) {
+              return;
+            }
 
-        let url = host;
+            let url = host;
 
-        // build protocol and port into url prior to parsing
-        if (url.indexOf('://') === -1) {
-          url = `postgresql://${url}`;
-        }
-        if (port !== undefined) {
-          url = `${url}:${port}`;
-        }
+            // build protocol and port into url prior to parsing
+            if (url.indexOf('://') === -1) {
+              url = `postgresql://${url}`;
+            }
+            if (port !== undefined) {
+              url = `${url}:${port}`;
+            }
 
-        agentEmitter.emit('architectureComponent', {
-          vendor: 'PostgreSQL',
-          remotePort: port || 0,
-          url: new URL(url).toString()
+            agentEmitter.emit('architectureComponent', {
+              vendor: 'PostgreSQL',
+              remotePort: port || 0,
+              url: new URL(url).toString()
+            });
+          } catch (err) {
+            logger.warn(
+              'unable to report PostgreSQL architecture component\n%o',
+              err
+            );
+          }
+        })
+        .catch((err) => {
+          logger.warn(
+            'unable to report PostgreSQL architecture component\n%o',
+            err
+          );
         });
-      } catch (err) {
-        logger.warn(
-          'unable to report PostgreSQL architecture component\n%o',
-          err
-        );
-      }
     }
   })
 );

package/lib/core/arch-components/util.js

@@ -0,0 +1,49 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+const MYSQL = 'mysql.connect.arch_component';
+const POSTGRES = 'pg.Client.arch_component';
+
+module.exports = function waitToConnect(ctx, count = 0) {
+  return new Promise((resolve, reject) => {
+    const maxAttempts = 10 * 60; // i.e., 1 min.
+    const checkConnection = setInterval(
+      function(ctx, resolve, reject) {
+        if (count >= maxAttempts) {
+          clearInterval(checkConnection);
+          reject();
+        }
+        switch (ctx.name) {
+          case MYSQL:
+            if (ctx.obj.state === 'authenticated') {
+              clearInterval(checkConnection);
+              resolve();
+            }
+            break;
+          case POSTGRES:
+            if (ctx.result._connected) {
+              clearInterval(checkConnection);
+              resolve();
+            }
+            break;
+        }
+        count++;
+      },
+      100,
+      ctx,
+      resolve,
+      reject
+    );
+  });
+};

package/lib/core/config/options.js

@@ -487,6 +487,12 @@ const agent = [
     desc:
       'set limit for stack trace size (larger limits will improve accuracy but increase memory usage)'
   },
+  {
+    name: 'agent.trust_custom_validators',
+    arg: '<trust-custom-validators>',
+    default: false,
+    desc: `trust incoming strings when they pass custom validators (Mongoose, Joi)`
+  },
   {
     name: 'agent.traverse_and_track',
     arg: '<traverse-and-track>',
@@ -977,11 +983,11 @@ if (process.env.CONTRAST_DEV) {
 const sails = [
   {
     name: 'pathToSails',
-    arg: '<path>',
+    arg: '<path>'
   },
   {
     name: 'gdsrc',
-    arg: '<path>',
+    arg: '<path>'
   }
 ];
 
@@ -1030,16 +1036,12 @@ options.forEach((option) => {
 // The agent doesn't need to do anything with these options. It just needs to not
 // throw an error when it encounters them but we also don't need them displayed on
 // the agent's config option list. The newest version of Commander lets us do exactly this.
-// This is structured so that if anything like this is discovered again, they can be 
+// This is structured so that if anything like this is discovered again, they can be
 // added in easily.
-const hiddenOptions = [].concat(
-  sails
-)
+const hiddenOptions = [].concat(sails);
 
 hiddenOptions.forEach((option) => {
-  program.addOption(
-    new Option(`--${option.name} ${option.arg}`).hideHelp()
-  )
+  program.addOption(new Option(`--${option.name} ${option.arg}`).hideHelp());
 });
 
 function getDefault(optionName) {

package/lib/core/express/index.js

@@ -397,6 +397,9 @@ class ExpressFramework {
               req[LAYER_STACK].pop();
             }
           });
+          if (req.query) {
+            decorateRequest({ query: req.query });
+          }
           const params = new Object(this.params);
           if (Object.keys(params).length) {
             agentEmitter.emit(
@@ -419,12 +422,14 @@ class ExpressFramework {
 
             Whatever the core issue is, it doesn't appear to have any effects
             elsewhere in any of our Express/Kraken framework support.
-
-            BODY_PARSED event is emitted to support Sails framework
            */
           if (req.body) {
             decorateRequest({ body: req.body });
-            agentEmitter.emit(EVENTS.BODY_PARSED, req, res, req.body);
+
+            // BODY_PARSED event is emitted to support Sails framework
+            if (req._sails) {
+              agentEmitter.emit(EVENTS.BODY_PARSED, req, res, req.body);
+            }
           }
         }
       });

package/lib/core/fastify/index.js

@@ -154,7 +154,8 @@ class FastifyCore {
     agentEmitter.emit(constants.EVENTS.PRE_VALIDATION, ...data);
     decorateRequest({
       body: request.body,
-      parameters: request.params
+      parameters: request.params,
+      query: request.query
     });
     done();
   }