@contrast/agent 4.9.1 → 4.10.3

package/lib/core/hapi/index.js

@@ -173,7 +173,8 @@ class HapiCore {
       decorateRequest({
         normalizedUri: get(request, 'route.path'),
         body: request.payload,
-        parameters: request.params
+        parameters: request.params,
+        query: request.query
       });
       return h.continue;
     });

package/lib/core/koa/index.js

@@ -216,13 +216,21 @@ class KoaCore {
    */
   registerRequestHandler(ctx) {
     ctx.req.request = ctx.request;
+    const { query } = ctx.request;
     ctx.request = new Proxy(ctx.request, {
       set(...args) {
         const [obj, prop] = args;
         const result = Reflect.set(...args);
+        if (query) {
+          decorateRequest({
+            query
+          });
+        }
         switch (prop) {
           case 'body':
-            decorateRequest({ body: obj[prop] });
+            decorateRequest({
+              body: obj[prop]
+            });
             agentEmitter.emit(constants.EVENTS.CTX_REQUEST_BODY, {
               request: obj,
               ctx

package/lib/core/logger/debug-logger.js

@@ -108,9 +108,10 @@ class DebugLogFactory {
 
     // We always log to a file, but check whether we should log to stdout
     if (
-      !this.stdout ||
-      !process.env.DEBUG ||
-      !/(^|,\s*)contrast:.+/.test(process.env.DEBUG)
+      this.loggerPath &&
+      (!this.stdout ||
+        !process.env.DEBUG ||
+        !/(^|,\s*)contrast:.+/.test(process.env.DEBUG))
     ) {
       this.mute = true;
     }

package/lib/core/rewrite/binary-expression.js

@@ -15,7 +15,6 @@ Copyright: 2022 Contrast Security, Inc
 'use strict';
 
 const t = require('@babel/types');
-const _ = require('lodash');
 
 /**
  * Wraps binary expressions in one of the following: `ContrastMethods.__add`,
@@ -30,7 +29,7 @@ const _ = require('lodash');
  * @param {import('.').State} state
  */
 module.exports = function BinaryExpression(path, state) {
-  const spec = _.find(state.specs, { token: path.node.operator });
+  const spec = state.specs.find(({ token }) => token === path.node.operator);
   if (
     !spec ||
     !state.callees[spec.name] ||

package/lib/core/rewrite/callees.js

@@ -15,7 +15,6 @@ Copyright: 2022 Contrast Security, Inc
 'use strict';
 
 const { expression } = require('@babel/template');
-const _ = require('lodash');
 
 /**
  * @typedef {Object} Spec
@@ -67,6 +66,22 @@ const specs = [
     token: 'eval',
     modes: { assess: true, protect: true }
   },
+  // Import Declaration
+  {
+    name: '__importDefault',
+    type: 'ImportDefaultSpecifier',
+    modes: { assess: true, protect: true }
+  },
+  {
+    name: '__importNamespace',
+    type: 'ImportNamespaceSpecifier',
+    modes: { assess: true, protect: true }
+  },
+  {
+    name: '__import',
+    type: 'ImportSpecifier',
+    modes: { assess: true, protect: true }
+  },
   // Member Expression
   {
     name: '__forceCopy',
@@ -116,7 +131,9 @@ module.exports = function createCallees(agent) {
   const callees = specs.reduce(
     (memo, spec) =>
       (assessMode && spec.modes.assess) || (protectMode && spec.modes.protect)
-        ? _.set(memo, spec.name, calleeBuilder({ name: spec.name }))
+        ? Object.assign(memo, {
+            [spec.name]: calleeBuilder({ name: spec.name })
+          })
         : memo,
     {}
   );

package/lib/core/rewrite/catch-clause.js

@@ -13,7 +13,6 @@ Copyright: 2022 Contrast Security, Inc
   way not consistent with the End User License Agreement.
 */
 const { statement } = require('@babel/template');
-const _ = require('lodash');
 
 const logStatementBuilder = statement(
   `if (global.CONTRAST_LOG) {
@@ -38,7 +37,10 @@ const logStatementBuilder = statement(
  * @param {import('.').State} state
  */
 module.exports = function CatchClause(path, state) {
-  if (!_.get(state.agent, 'config.agent.node.enable_catch_log')) return;
+  const { config } = state.agent;
+  if (!config || !config.agent.node.enable_catch_log) {
+    return;
+  }
 
   path.node.param = path.node.param || path.scope.generateUidIdentifier('err');
   path

package/lib/core/rewrite/import-declaration.js

@@ -0,0 +1,71 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const t = require('@babel/types');
+
+const IMPORT_META_URL_MEMBER_EXPRESSION = t.memberExpression(
+  t.memberExpression(t.identifier('import'), t.identifier('meta')),
+  t.identifier('url')
+);
+
+/**
+ * Appends calls to our own instrumentable import methods, providing access to
+ * the imported modules.
+ * ```
+ * import x from 'mod';
+ * // becomes:
+ * import x from 'mod';
+ * ContrastMethods.__importDefault(x, 'mod', import.meta.url);
+ *
+ * import * as x from 'mod';
+ * // becomes:
+ * import x from 'mod';
+ * ContrastMethods.__importNamespace(x, 'mod', import.meta.url);
+ *
+ * import { foo, bar as baz } from 'mod';;
+ * // becomes
+ * ContrastMethods.__import(foo, 'foo', 'mod', import.meta.url);
+ * ContrastMethods.__import(baz, 'bar', 'mod', import.meta.url);
+ * ```
+ * @param {import('@babel/traverse').NodePath<import('@babel/types').ImportDeclaration>} path
+ * @param {import('.').State} state
+ */
+module.exports = function ImportDeclaration(path, state) {
+  const { source, specifiers } = path.node;
+
+  path.insertAfter(
+    specifiers.map((importSpec) => {
+      const spec = state.specs.find(({ type }) => type === importSpec.type);
+
+      if (!spec || !state.callees[spec.name]) return;
+
+      const args = [importSpec.local];
+
+      if (t.isImportSpecifier(importSpec)) {
+        args.push(
+          t.isIdentifier(importSpec.imported)
+            ? t.stringLiteral(importSpec.imported.name)
+            : importSpec.imported
+        );
+      }
+
+      args.push(source);
+      args.push(IMPORT_META_URL_MEMBER_EXPRESSION);
+
+      return t.callExpression(state.callees[spec.name], args);
+    })
+  );
+};

package/lib/core/rewrite/index.js

@@ -18,23 +18,24 @@ const { default: generate } = require('@babel/generator');
 const { parse } = require('@babel/parser');
 const { default: traverse } = require('@babel/traverse');
 
+const RewriteDeadzones = require('../../assess/deadzones/rewrite');
+const { util: sourceMapUtility } = require('../../util/source-map');
 const Scopes = require('../async-storage/scopes');
 const logger = require('../logger')('contrast:rewrite');
-const RewriteDeadzones = require('../../assess/deadzones/rewrite');
-const logRewrite = require('./log');
-const RewriteLog = require('./rewrite-log');
-const isContrastMethod = require('./is-contrast-method');
-const functionWrap = require('./function-wrap');
-const prependGlobals = require('./prepend-globals');
 const AssignmentExpression = require('./assignment-expression');
 const BinaryExpression = require('./binary-expression');
 const CallExpression = require('./call-expression');
 const CatchClause = require('./catch-clause');
+const functionWrap = require('./function-wrap');
+const ImportDeclaration = require('./import-declaration');
+const isContrastMethod = require('./is-contrast-method');
+const logRewrite = require('./log');
 const MemberExpression = require('./member-expression');
 const ObjectProperty = require('./object-property');
+const prependGlobals = require('./prepend-globals');
+const RewriteLog = require('./rewrite-log');
 const SwitchStatement = require('./switch-statement');
 const TemplateLiteral = require('./template-literal');
-const sourceMapUtility = require('../../util/source-map').util;
 
 /**
  * @typedef {Object} State
@@ -105,6 +106,7 @@ class Rewriter {
         BinaryExpression,
         CallExpression,
         CatchClause,
+        ImportDeclaration,
         MemberExpression,
         ObjectProperty,
         SwitchStatement,
@@ -114,6 +116,7 @@ class Rewriter {
       null,
       initialState
     );
+    traverse.cache.clear();
   }
 
   /**

package/lib/core/rewrite/injections.js

@@ -14,7 +14,6 @@ Copyright: 2022 Contrast Security, Inc
 */
 'use strict';
 
-const _ = require('lodash');
 const logger = require('../logger')('contrast:rewrite:injections');
 const patcher = require('../../hooks/patcher');
 const { PATCH_TYPES } = require('../../constants');
@@ -100,7 +99,11 @@ const ContrastMethods = new Injection(null, 'ContrastMethods', {
   },
   __contrastEval: function __contrastEval(str) {
     return str;
-  }
+  },
+  // TODO: NODE-2020
+  __importDefault(mod, source, url) {},
+  __importNamespace(mod, source, url) {},
+  __import(mod, spec, source, url) {}
 });
 
 ContrastMethods.enable();
@@ -157,8 +160,7 @@ module.exports = {
    * @returns {Injection[]}
    */
   getEnabled() {
-    return _.reduce(
-      injections,
+    return Object.values(injections).reduce(
       (enabled, injection) =>
         injection.enabled() ? [...enabled, injection] : enabled,
       []

package/lib/core/rewrite/rewrite-log.js

@@ -13,7 +13,6 @@ Copyright: 2022 Contrast Security, Inc
   way not consistent with the End User License Agreement.
 */
 'use strict';
-const _ = require('lodash');
 
 /**
  * Helper class that provides some means of optimizing the rewrite process.
@@ -32,11 +31,9 @@ module.exports = class RewriteLog {
     this._tokenMatches = specs.reduce(
       (matches, spec) =>
         callees[spec.name]
-          ? _.set(
-              matches,
-              spec.name,
-              !spec.token || 0 <= codeString.indexOf(spec.token)
-            )
+          ? Object.assign(matches, {
+              [spec.name]: !spec.token || 0 <= codeString.indexOf(spec.token)
+            })
           : matches,
       {}
     );
@@ -60,7 +57,7 @@ module.exports = class RewriteLog {
    * if we need to even rewrite the code at all.
    */
   foundTokens() {
-    return _.some(this._tokenMatches, _.identity);
+    return Object.values(this._tokenMatches).some(Boolean);
   }
 
   /**
@@ -72,6 +69,6 @@ module.exports = class RewriteLog {
    * make changes, we can just return original code.
    */
   rewritesOccurred() {
-    return !this.aborted && _.some(this._tokensRewritten, _.identity);
+    return !this.aborted && Object.values(this._tokensRewritten).some(Boolean);
   }
 };

package/lib/protect/restify/sources.js

@@ -21,6 +21,8 @@ const {
 } = require('../../constants');
 const { emitSourceEvent } = require('../../hooks/frameworks/common');
 const agentEmitter = require('../../agent-emitter');
+const patcher = require('../../hooks/patcher');
+const { PATCH_TYPES } = require('../../constants');
 const {
   utils,
   constants: { EVENTS }
@@ -39,6 +41,39 @@ class RestifyProtectSources {
         EVENTS.CREATE_SERVER,
         this.registerUrlParamsHandler.bind(this)
       );
+      agentEmitter.on(
+        EVENTS.RESTIFY_EXPORT,
+        this.registerQueryParamsHandler.bind(this)
+      );
+    }
+  }
+
+  /**
+   * Patches query parser middleware to wrap the callback argument. Once this
+   * wrapped callback is invoked w/out error we know we can proxy `req.query`.
+   * @param {object} restify
+   */
+  registerQueryParamsHandler(restify) {
+    const {
+      plugins: { queryParser: origQueryParser }
+    } = restify;
+
+    if (origQueryParser) {
+      patcher.patch(restify.plugins, 'queryParser', {
+        name: 'restify.plugins',
+        patchType: PATCH_TYPES.FRAMEWORK,
+        alwaysRun: true,
+        post(data) {
+          patcher.patch(data, 'result', {
+            name: 'restify.plugins.queryParser',
+            patchType: PATCH_TYPES.PROTECT_SOURCE,
+            alwaysRun: true,
+            post(data) {
+              decorateRequest({ query: get(data.args[0], 'query') });
+            }
+          });
+        }
+      });
     }
   }
 

package/lib/protect/rules/nosqli/nosql-injection-rule.js

@@ -26,9 +26,11 @@ const brackets = /\[(.{1,1024}?)\]/;
 const child = /\[(.{1,1024}?)\]/g;
 
 const MONGODB = 'mongodb';
+const RETHINKDB = 'rethinkdb';
 
 const ScannerKit = new Map([
-  [MONGODB, () => require('../nosqli/nosql-scanner').create('MongoDB')]
+  [MONGODB, () => require('../nosqli/nosql-scanner').create('MongoDB')],
+  [RETHINKDB, () => require('../nosqli/nosql-scanner').create('RethinkDB')]
 ]);
 const SubstringFinder = require('../base-scanner/substring-finder');
 
@@ -144,27 +146,14 @@ class NoSqlInjectionRule extends require('../') {
       _documentType === constants.INPUT_TYPES.PARAMETER_NAME &&
       _documentPath.length <= 1024
     ) {
-      let segment = brackets.exec(_documentPath);
-      const parent = segment
-        ? _documentPath.slice(0, segment.index)
-        : _documentPath;
-
-      pathArray.push('query');
-
-      if (parent) {
-        pathArray.push(parent);
-      }
-      while ((segment = child.exec(_documentPath))) {
-        pathArray.push(segment[1]);
-      }
-      pathArray.pop();
+      this.buildPathArray(_documentPath, pathArray);
     } else {
       // only qs params and body are "expandable"
       pathArray.push('body', ..._documentPath.split('.'));
     }
 
     let data;
-    let curr = ctx.req;
+    let curr = ctx.request;
 
     for (const path of pathArray) {
       if (curr) {
@@ -175,6 +164,31 @@ class NoSqlInjectionRule extends require('../') {
     return data;
   }
 
+  buildPathArray(documentPath, pathArray) {
+    const documentPathArray = documentPath.split('.');
+
+    pathArray.push('query');
+    documentPathArray.forEach((dotSegment) => {
+      let lastChar;
+      let bracketSegment = brackets.exec(dotSegment);
+      let parent = bracketSegment
+        ? dotSegment.slice(0, bracketSegment.index)
+        : dotSegment;
+      if (parent) {
+        lastChar = parent.slice(-1);
+        parent = lastChar === ']' ? parent.slice(0, -1) : parent;
+        pathArray.push(parent);
+      }
+      while ((bracketSegment = child.exec(dotSegment))) {
+        lastChar = bracketSegment[1].slice(-1);
+        const segment =
+          lastChar === ']' ? bracketSegment[1].slice(0, -1) : bracketSegment[1];
+        pathArray.push(segment);
+      }
+    });
+    pathArray.pop();
+  }
+
   getScanner(id) {
     if (!ScannerKit.has(id)) {
       throw new Error(`Unknown NoSQL scanner: ${id}`);

package/lib/protect/rules/nosqli/nosql-scanner/index.js

@@ -33,7 +33,7 @@ module.exports = {
 
     const databases = {
       MongoDB: () => new (require('./mongodbscanner'))(options),
-
+      RethinkDB: () => new (require('./rethinkdbscanner'))(options),
       [ERROR_KEY]: () => {
         throw new Error();
       }

package/lib/protect/rules/nosqli/nosql-scanner/rethinkdbscanner.js

@@ -0,0 +1,26 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+/**
+ * RethinkDB scanner module
+ * @module lib/protect/rules/nosql/nosql-scanner/RethinkDBScanner
+ */
+
+'use strict';
+
+const { BaseScanner } = require('../../base-scanner');
+
+class RethinkDBScanner extends BaseScanner {}
+
+module.exports = RethinkDBScanner;

package/lib/protect/sinks/index.js

@@ -29,6 +29,7 @@ const MongoDBSink = require('./mongodb');
 const MySQLSink = require('./mysql');
 const NodeSerializeSink = require('./node-serialize');
 const PostgresSink = require('./postgres');
+const RethinkDBSink = require('./rethinkdb');
 const SequelizeSink = require('./sequelize');
 const Sqlite3Sink = require('./sqlite3');
 const VMSink = require('./vm');
@@ -46,6 +47,7 @@ module.exports = function init(agent) {
   new MySQLSink(agent).install({ ModuleHook });
   new NodeSerializeSink(agent).install({ ModuleHook });
   new PostgresSink(agent).install({ ModuleHook });
+  new RethinkDBSink(agent).install({ ModuleHook });
   new SequelizeSink(agent).install({ ModuleHook });
   new VMSink(agent).install({ ModuleHook });
   new Sqlite3Sink(agent).install({ ModuleHook });

package/lib/protect/sinks/mongodb.js

@@ -21,8 +21,6 @@ const BaseSensor = require('../../hooks/frameworks/base');
 const patcher = require('../../hooks/patcher');
 const { PATCH_TYPES } = require('../../constants');
 const { emitSinkEvent } = require('../../hooks/frameworks/common');
-const agentEmitter = require('../../agent-emitter');
-const SinkEvent = require('../models/sink-event');
 
 const { SINK_TYPES } = constants;
 const ID = 'mongodb';
@@ -37,7 +35,7 @@ function getCursorQueryData(args, version) {
   }
 
   if (_.isString(query)) {
-    return query.toString()
+    return query.toString();
   }
 
   if (query['$where']) {

package/lib/protect/sinks/rethinkdb.js

@@ -0,0 +1,47 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const constants = require('../../constants');
+const BaseSensor = require('../../hooks/frameworks/base');
+const patcher = require('../../hooks/patcher');
+const { PATCH_TYPES } = require('../../constants');
+const { emitSinkEvent } = require('../../hooks/frameworks/common');
+
+const { SINK_TYPES } = constants;
+const ID = 'rethinkdb';
+
+class RethinkDBSensor extends BaseSensor {
+  constructor(agent) {
+    super({ id: ID, agent });
+  }
+
+  install({ ModuleHook }) {
+    ModuleHook.resolve({ name: 'rethinkdb' }, (rethinkdb) => {
+      patcher.patch(rethinkdb, 'js', {
+        alwaysRun: true,
+        name: 'rethinkdb',
+        patchType: PATCH_TYPES.PROTECT_SINK,
+        pre: (data) => {
+          emitSinkEvent(data.args[0], SINK_TYPES.NOSQL_QUERY, ID);
+        }
+      });
+    });
+
+    return this;
+  }
+}
+
+module.exports = RethinkDBSensor;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.9.1",
+  "version": "4.10.3",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",
@@ -19,7 +19,13 @@
     "Griffin Yourick",
     "Ati Ok",
     "Pat McClory",
-    "Michael Woytowitz"
+    "Michael Woytowitz",
+    "Jacob Kaplan",
+    "Yulia Tenincheva",
+    "Bruce MacNaughton",
+    "Krasen Penchev",
+    "Ivaylo Grahlyov",
+    "Yavor Stoychev"
   ],
   "scripts": {
     "docs": "jsdoc -c ../.jsdoc.json",
@@ -72,10 +78,10 @@
     "@babel/types": "^7.12.1",
     "@contrast/distringuish-prebuilt": "^2.2.0",
     "@contrast/flat": "^4.1.1",
-    "@contrast/fn-inspect": "^2.4.3",
+    "@contrast/fn-inspect": "^2.4.4",
     "@contrast/heapdump": "^1.1.0",
-    "@contrast/protobuf-api": "^3.2.0",
-    "@contrast/require-hook": "^2.0.6",
+    "@contrast/protobuf-api": "^3.2.3",
+    "@contrast/require-hook": "^2.0.8",
     "@contrast/synchronous-source-maps": "^1.1.0",
     "amqp-connection-manager": "^3.2.2",
     "amqplib": "^0.8.0",
@@ -107,12 +113,14 @@
   "devDependencies": {
     "@aws-sdk/client-dynamodb": "^3.39.0",
     "@bmacnaughton/string-generator": "^1.0.0",
-    "@contrast/eslint-config": "^2.0.1",
+    "@contrast/eslint-config": "^2.2.0",
     "@contrast/fake-module": "file:test/mock/contrast-fake",
-    "@contrast/screener-service": "^1.12.8",
+    "@contrast/screener-service": "^1.12.9",
     "@hapi/boom": "file:test/mock/boom",
     "@hapi/hapi": "file:test/mock/hapi",
     "@ls-lint/ls-lint": "^1.8.1",
+    "@typescript-eslint/eslint-plugin": "^5.10.2",
+    "@typescript-eslint/parser": "^5.10.2",
     "ajv": "^8.5.0",
     "ast-types": "^0.12.4",
     "aws-sdk": "file:test/mock/aws-sdk",
@@ -129,11 +137,11 @@
     "dustjs-linkedin": "^3.0.1",
     "ejs": "^3.1.6",
     "escape-html": "^1.0.3",
-    "eslint": "^8.2.0",
-    "eslint-config-prettier": "^6.11.0",
-    "eslint-plugin-mocha": "^7.0.1",
+    "eslint": "^8.8.0",
+    "eslint-config-prettier": "^8.3.0",
+    "eslint-plugin-mocha": "^10.0.3",
     "eslint-plugin-node": "^11.1.0",
-    "eslint-plugin-prettier": "^3.1.4",
+    "eslint-plugin-prettier": "^4.0.0",
     "express": "file:test/mock/express",
     "fetch-cookie": "^0.11.0",
     "form-data": "^3.0.0",
@@ -142,13 +150,13 @@
     "husky": "^6.0.0",
     "inquirer": "^8.1.2",
     "joi": "^17.4.0",
-    "jsdoc": "^3.6.7",
+    "jsdoc": "^3.6.10",
     "libxmljs": "file:test/mock/libxmljs",
     "libxmljs2": "file:test/mock/libxmljs2",
     "lint-staged": "^12.0.2",
     "madge": "^4.0.1",
     "marsdb": "file:test/mock/marsdb",
-    "mocha": "^9.1.3",
+    "mocha": "^9.2.0",
     "mochawesome": "^7.0.1",
     "mongodb": "file:test/mock/mongodb",
     "mongodb-npm": "npm:mongodb@^3.6.5",
@@ -156,13 +164,13 @@
     "mustache": "^3.0.1",
     "mysql": "file:test/mock/mysql",
     "nock": "^12.0.3",
-    "node-fetch": "^2.6.1",
+    "node-fetch": "^2.6.7",
     "node-serialize": "file:test/mock/node-serialize",
     "npm-license-crawler": "^0.2.1",
     "nyc": "^15.1.0",
     "pg": "file:test/mock/pg",
     "pino": "^6.7.0",
-    "prettier": "^1.19.1",
+    "prettier": "^2.5.1",
     "proxyquire": "^2.1.0",
     "qs": "^6.9.4",
     "rethinkdb": "file:test/mock/rethinkdb",