@contrast/agentify 1.40.0 → 1.42.0

package/lib/heap-snapshots.js

@@ -27,7 +27,7 @@ module.exports = function init(core) {
     logger
   } = core;
 
-  const dir = path.join(process.cwd(), heap_dump.path);
+  const dir = path.resolve(process.cwd(), heap_dump.path);
   const ext = '.heapsnapshot';
 
   const heapSnapshots = {

package/lib/heap-snapshots.test.js

@@ -30,7 +30,7 @@ describe('heap dump', function () {
     };
     delayMs = windowMs = 100;
     snapshotPath = 'contrast_heap_dumps';
-    dirname = path.join(process.cwd(), snapshotPath);
+    dirname = path.resolve(process.cwd(), snapshotPath);
 
     core = {};
     core.config = mocks.config();

package/lib/index.d.ts

@@ -15,7 +15,7 @@
 
 import { Installable } from '@contrast/common';
 import { Config } from '@contrast/config';
-import { Perf } from '@contrast/perf';
+import Perf from '@contrast/perf';
 import { Core as _Core } from '@contrast/core';
 import { Deadzones } from '@contrast/deadzones';
 import { DepHooks } from '@contrast/dep-hooks';
@@ -54,7 +54,7 @@ declare module 'node:module' {
 
 export interface Core extends _Core {
   config: Config;
-  Perf: Perf;
+  Perf: typeof Perf;
   logger: Logger;
   depHooks: DepHooks;
   patcher: Patcher

package/lib/index.js

@@ -83,7 +83,7 @@ module.exports = function init(core = {}) {
 
   let _callback;
   let _opts;
-  const _perf = new core.Perf('agentify');
+  const _perfAgentify = new core.Perf('agentify');
 
   core.agentify = async function agentify(callback, opts = {}) {
     // options are hardcoded, so if this throws it's going to be in testing/dev situation
@@ -165,6 +165,7 @@ module.exports = function init(core = {}) {
       { name: 'agent-info', spec: '@contrast/core/lib/agent-info' },
       { name: 'app-info', spec: '@contrast/core/lib/app-info' },
       { name: 'system-info', spec: '@contrast/core/lib/system-info' },
+      { name: 'build-id', spec: '@contrast/core/lib/build-id' },
       // was check for appInfo errors length and throw if found
       { name: 'telemetry', spec: '@contrast/telemetry' },
       { name: 'sensitive-data-masking', spec: '@contrast/core/lib/sensitive-data-masking' },
@@ -217,7 +218,7 @@ module.exports = function init(core = {}) {
         mod = mod.default;
       }
 
-      _perf.wrapInit(mod, spec)(core);
+      _perfAgentify.wrapInit(mod, spec)(core);
 
       // perform any validations that can take place now that this module is loaded.
       if (name === 'logger') {

package/lib/rewrite-hooks.js

@@ -17,7 +17,7 @@
 'use strict';
 
 const Module = require('node:module');
-const { rewriteIsDeadzoned } = require('./rewrite-is-deadzoned');
+const { rewriteIsDeadzoned } = require('@contrast/rewriter/lib/rewrite-is-deadzoned');
 
 /**
  * @param {import('.').Core & {
@@ -26,13 +26,18 @@ const { rewriteIsDeadzoned } = require('./rewrite-is-deadzoned');
  * @returns {import('@contrast/common').Installable}
  */
 module.exports = function init(core) {
-  const js = Module._extensions['.js'];
-  const { _compile } = Module.prototype;
+  let js;
+  let _compile;
 
   core.rewriteHooks = {
     install() {
       if (!core.config.agent.node.rewrite.enable) return;
 
+      // don't define this prior to install(), since it will interfere with other
+      // components that also need to instrument it e.g. dep-hooks.
+      _compile = Module.prototype._compile;
+      js = Module._extensions['.js'];
+
       /**
        * @see https://github.com/nodejs/node/blob/main/lib/internal/modules/cjs/loader.js
        * @param {string} content The source code of the module
@@ -93,8 +98,8 @@ module.exports = function init(core) {
     },
 
     uninstall() {
-      Module.prototype._compile = _compile;
-      Module._extensions['.js'] = js;
+      _compile && (Module.prototype._compile = _compile);
+      js && (Module._extensions['.js'] = js);
     }
   };
 

package/lib/sources.js

@@ -16,7 +16,8 @@
 'use strict';
 
 const { EventEmitter } = require('events');
-const { Event } = require('@contrast/common');
+const onFinished = require('on-finished');
+const { Event, primordials: { StringPrototypeToLowerCase } } = require('@contrast/common');
 
 module.exports = function(core) {
   const {
@@ -48,6 +49,7 @@ module.exports = function(core) {
           protocol: serverType === 'http' ? 'http' : 'https',
           serverType,
           time: Date.now(),
+          method: StringPrototypeToLowerCase.call(req.method),
         }
       };
 
@@ -61,7 +63,7 @@ module.exports = function(core) {
         });
       }
 
-      res.on('finish', () => {
+      onFinished(res, (/* err, req */) => {
         messages.emit(Event.RESPONSE_FINISH, store);
       });
 

package/lib/sources.test.js

@@ -4,6 +4,7 @@ const EventEmitter = require('events');
 const { expect } = require('chai');
 const sinon = require('sinon');
 const { initProtectFixture } = require('@contrast/test/fixtures');
+const proxyquire = require('proxyquire');
 
 describe('agentify sources', function () {
   [
@@ -51,7 +52,7 @@ describe('agentify sources', function () {
     }
   ].forEach(({ name, method, expected }) => {
     describe(`${name} sources using ${method || 'Server'}()`, function () {
-      let core, api, ServerMock, reqMock, resMock;
+      let core, api, ServerMock, reqMock, resMock, onFinishedMock;
 
       beforeEach(function () {
         ({ core } = initProtectFixture());
@@ -83,9 +84,12 @@ describe('agentify sources', function () {
           url: 'http://localhost',
         };
         resMock = new EventEmitter();
+        onFinishedMock = sinon.stub();
 
         core.depHooks.resolve.withArgs(sinon.match({ name: 'http' })).yields(api);
-        require('./sources')(core).install();
+        proxyquire('./sources', {
+          'on-finished': onFinishedMock,
+        })(core).install();
       });
 
       it('"request" events run in scope with correct sourceInfo', function () {
@@ -103,7 +107,8 @@ describe('agentify sources', function () {
           protocol: 'http',
           serverType: 'http',
         });
-        expect(resMock._events.finish).to.be.a('function');
+
+        expect(onFinishedMock).to.have.been.calledWith(resMock);
       });
 
       it('non-"request" events do not run in scope', function () {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agentify",
-  "version": "1.40.0",
+  "version": "1.42.0",
   "description": "Configures Contrast agent services and instrumentation within an application",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -17,21 +17,22 @@
     "test": "../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.28.0",
-    "@contrast/config": "1.38.0",
-    "@contrast/core": "1.43.0",
-    "@contrast/deadzones": "1.15.0",
-    "@contrast/dep-hooks": "1.12.0",
-    "@contrast/esm-hooks": "2.17.0",
+    "@contrast/common": "1.29.0",
+    "@contrast/config": "1.40.0",
+    "@contrast/core": "1.45.0",
+    "@contrast/deadzones": "1.17.0",
+    "@contrast/dep-hooks": "1.14.0",
+    "@contrast/esm-hooks": "2.19.0",
     "@contrast/find-package-json": "^1.1.0",
-    "@contrast/instrumentation": "1.22.0",
-    "@contrast/logger": "1.16.0",
-    "@contrast/metrics": "1.20.0",
-    "@contrast/patcher": "1.15.0",
-    "@contrast/perf": "1.2.2",
-    "@contrast/reporter": "1.39.0",
-    "@contrast/rewriter": "1.19.0",
-    "@contrast/scopes": "1.13.0",
+    "@contrast/instrumentation": "1.24.0",
+    "@contrast/logger": "1.18.0",
+    "@contrast/metrics": "1.22.0",
+    "@contrast/patcher": "1.17.0",
+    "@contrast/perf": "1.3.0",
+    "@contrast/reporter": "1.41.0",
+    "@contrast/rewriter": "1.21.0",
+    "@contrast/scopes": "1.15.0",
+    "on-finished": "^2.4.1",
     "semver": "^7.6.0"
   }
 }

package/lib/rewrite-is-deadzoned.js

@@ -1,143 +0,0 @@
-/*
- * Copyright: 2024 Contrast Security, Inc
- * Contact: support@contrastsecurity.com
- * License: Commercial
-
- * NOTICE: This Software and the patented inventions embodied within may only be
- * used as part of Contrast Security’s commercial offerings. Even though it is
- * made available through public repositories, use of this Software is subject to
- * the applicable End User Licensing Agreement found at
- * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
- * between Contrast Security and the End User. The Software may not be reverse
- * engineered, modified, repackaged, sold, redistributed or otherwise used in a
- * way not consistent with the End User License Agreement.
- */
-'use strict';
-
-const { sep } = require('path');
-
-// todo: find optimal way to do these lookups
-const DEADZONED_PATHS = [
-  'ast-types', // CONTRAST-33909: `String` injection causes this module to crash.
-  'angular',
-  'acorn',
-  'archiver',
-  'archiver-utils',
-  'bcrypt',
-  'bcrypt-nodejs',
-  'bcryptjs', // node_modules/bcryptjs/index.js, node_modules/bcryptjs/dist/bcrypt.js
-  '@babel', // this should handle all namespaced packages
-  'babel',
-  'babel-cli',
-  'babel-core',
-  'babel-traverse',
-  'babel-generator',
-  'babylon',
-  'bn.js',
-  'browserify',
-  'bson',
-  'bunyan',
-  'chai', // not sure why chai was rewritten
-  'coffeescript',
-  'compression',
-  '@cyclonedx',
-  'etag',
-  // 'cookie', // todo: verify this doesn't break sources/propagation (*)
-  // 'cookie-signature', // (*)
-  'gzippo', //  149 weekly downloads
-  // 'handlebars', // (*)
-  'handlebars-precompiler',
-  // 'hbs', // ditto
-  'html-webpack-plugin',
-  'iconv-lite',
-  'jquery',
-  'jsrsasign',
-  'less',
-  // 'dustjs-linkedin', // todo
-  'logger-console', // 2 weekly downloads
-  'loopback-datasource-juggler',
-  'moment',
-  'moment-timezone',
-  'node-forge',
-  'node-webpack',
-  'pem',
-  'react',
-  'react-dom', // doesn't this cover the next line?
-  //'react-dom/server',
-  'requirejs',
-  'semver',
-  'strong-remoting',
-  'type-is',
-  'uglify-js',
-];
-
-// maybe make the value an object for more complex strategies in the future
-// NOTE: they key should appear in the list above as well. if it's not there
-// then this object will never be checked.
-const CUSTOM_REWRITERS = {
-  'acorn': 'no-propagation',
-  'archiver': 'no-propagation',
-  'babel-core': 'no-propagation',
-  '@babel': 'no-propagation',
-  'bcryptjs': 'no-propagation',
-  'bson': 'no-propagation',
-  'coffeescript': 'no-propagation',
-  'jsrsasign': 'no-propagation',
-  'less': 'no-propagation',
-  '@cyclonedx': 'no-propagation',
-};
-
-const nodeModules = `${sep}node_modules${sep}`;
-
-function rewriteIsDeadzoned(absolutePath) {
-  // we should only match the last node_modules folder
-  const startingPoint = absolutePath.lastIndexOf(nodeModules) + nodeModules.length;
-
-  for (const path of DEADZONED_PATHS) {
-    const start = absolutePath.indexOf(path, startingPoint);
-    // we return the name of the deadzoned module if it is found
-    if (start >= 0 && (start + path.length === absolutePath.length || absolutePath[start + path.length] === sep)) {
-      return path;
-    }
-  }
-
-  return undefined;
-}
-
-// the next function is used if/when we implement custom rewrite strategies.
-// NODE-3512 implements that and this was taken from there.
-
-/**
- * Returns an array with a package name and that package's rewrite strategy.
- * The package name is only returned the package strategy is not 'default'.
- * Strategies:
- * - 'default': rewrite the module using the original, default rewriter
- * - 'deadzone': do not rewrite the module
- * - 'no-propagation': rewrite the module with the no-propagation rewriter
- *
- * why does this return the package name? mostly just because it had to extract
- * it from the path, so returning means the caller doesn't have to.
- *
- * @param {string} absolutePath
- * @returns {[string | undefined, 'default' | 'deadzone' | 'no-propagation']}
- */
-function getPackageRewriteStrategy(absolutePath) {
-  const pkg = rewriteIsDeadzoned(absolutePath);
-  if (!pkg) {
-    return [undefined, 'default'];
-  }
-
-  const strategy = CUSTOM_REWRITERS[pkg];
-  if (strategy && process.env.CSI_USE_CUSTOM_REWRITERS) {
-    return [pkg, strategy];
-  }
-
-  return [pkg, 'deadzone'];
-}
-
-module.exports = {
-  DEADZONED_PATHS,
-  CUSTOM_REWRITERS,
-  rewriteIsDeadzoned,
-  getPackageRewriteStrategy,
-};

package/lib/rewrite-is-deadzoned.test.js

@@ -1,85 +0,0 @@
-'use strict';
-
-const { normalize } = require('node:path');
-const { deepEqual } = require('node:assert').strict;
-
-const {
-  getPackageRewriteStrategy, DEADZONED_PATHS, CUSTOM_REWRITERS
-} = require('./rewrite-is-deadzoned');
-
-describe('verify getPackageRewriteStrategy()', function() {
-  before(function() {
-    process.env.CSI_USE_CUSTOM_REWRITERS = '1';
-  });
-  after(function() {
-    delete process.env.CSI_USE_CUSTOM_REWRITERS;
-  });
-
-  // test deadzoned paths and custom rewriters
-  for (const path of DEADZONED_PATHS) {
-    if (CUSTOM_REWRITERS[path]) {
-      it(`should return "${CUSTOM_REWRITERS[path]}" for ${path}`, function() {
-        const p = normalize(`/path/to/node_modules/${path}`);
-        const result = getPackageRewriteStrategy(p);
-        deepEqual(result, [path, CUSTOM_REWRITERS[path]]);
-      });
-      it(`should return "${CUSTOM_REWRITERS[path]}" for ${path} with additional elements`, function() {
-        const p = normalize(`/path/to/node_modules/${path}/server`);
-        const result = getPackageRewriteStrategy(p);
-        deepEqual(result, [path, CUSTOM_REWRITERS[path]]);
-      });
-      it(`should return "${CUSTOM_REWRITERS[path]}" for ${path} with specific .js file`, function() {
-        const p = normalize(`/path/to/node_modules/${path}/core/index.js`);
-        const result = getPackageRewriteStrategy(p);
-        deepEqual(result, [path, CUSTOM_REWRITERS[path]]);
-      });
-    } else {
-      it(`should return "deadzone" for ${path}`, function() {
-        const p = normalize(`/path/to/node_modules/${path}`);
-        const result = getPackageRewriteStrategy(p);
-        deepEqual(result, [path, 'deadzone']);
-      });
-      it(`should return "deadzone" for ${path} with additional elements`, function() {
-        const p = normalize(`/path/to/node_modules/${path}/server`);
-        const result = getPackageRewriteStrategy(p);
-        deepEqual(result, [path, 'deadzone']);
-      });
-      it(`should return "deadzone" for ${path} with specific .js file`, function() {
-        const p = normalize(`/path/to/node_modules/${path}/core/index.js`);
-        const result = getPackageRewriteStrategy(p);
-        deepEqual(result, [path, 'deadzone']);
-      });
-    }
-  }
-
-  // test default (not deadzoned or custom) paths
-  for (const path of ['xyzzy', 'fubar', 'seven']) {
-    it(`should return "default" for ${path}`, function() {
-      const p = normalize(`/path/to/node_modules/${path}`);
-      const result = getPackageRewriteStrategy(p);
-      deepEqual(result, [undefined, 'default']);
-    });
-    it(`should return "default" for ${path} with additional elements`, function() {
-      const p = normalize(`/path/to/node_modules/${path}/server`);
-      const result = getPackageRewriteStrategy(p);
-      deepEqual(result, [undefined, 'default']);
-    });
-    it(`should return "default" for ${path} with specific .js file`, function() {
-      const p = normalize(`/path/to/node_modules/${path}/core/index.js`);
-      const result = getPackageRewriteStrategy(p);
-      deepEqual(result, [undefined, 'default']);
-    });
-  }
-
-  const doubleCheck = [
-    '/home/bruce/github/csi/node-mono/node_modules/@cyclonedx/cyclonedx-library/dist.node/serialize/xml/types.js'
-  ];
-
-  for (let path of doubleCheck) {
-    path = normalize(path);
-    it(`should return "no-propagation" for ${path}`, function() {
-      const result = getPackageRewriteStrategy(path);
-      deepEqual(result, ['@cyclonedx', 'no-propagation']);
-    });
-  }
-});