@contrast/assess 1.63.0 → 1.65.0

package/lib/dataflow/sources/install/http.js

@@ -36,63 +36,68 @@ module.exports = function (core) {
   const logger = core.logger.child({ name: 'contrast:assess' });
 
   /**
-   * The around hook for `emit` that
-   * invokes the protect service to do analysis when appropriate.
+   * The around hook for `emit` that handles tracking URL and header values.
+   * We track those when the event is 'request' or 'upgrade'. Also, for when
+   * event is 'request', we will also patch some ServerResponse methods. We
+   * currentl don't patch the raw socket for tracking when event is 'upgrade',
+   * sources instrumentation for websocket events happens per framework.
    */
   function around(next, data) {
     const [type] = data.args;
 
-    if (type !== 'request') return next();
+    if (type !== 'request' && type !== 'upgrade') return next();
 
     try {
-      const [, req, res] = data.args;
+      const [, req, resOrSocket] = data.args;
       const sourceContext = getSourceContext();
 
       if (!sourceContext?.policy) {
         return next();
       }
 
-      patcher.patch(res, 'writeHead', {
-        name: 'write-head',
-        patchType,
-        pre(data) {
-          const obj = data.args[data.args.length - 1];
-          if (!obj) return;
+      if (type == 'request') {
+        patcher.patch(resOrSocket, 'writeHead', {
+          name: 'write-head',
+          patchType,
+          pre(data) {
+            const obj = data.args[data.args.length - 1];
+            if (!obj) return;
 
-          if (Array.isArray(obj)) {
-            for (let i = 0; i < obj.length; i += 2) {
-              const key = obj[i];
-              const value = obj[i + 1];
+            if (Array.isArray(obj)) {
+              for (let i = 0; i < obj.length; i += 2) {
+                const key = obj[i];
+                const value = obj[i + 1];
 
-              if (StringPrototypeToLowerCase.call(key) === 'content-type') {
-                sourceContext.responseData.contentType = value;
+                if (StringPrototypeToLowerCase.call(key) === 'content-type') {
+                  sourceContext.responseData.contentType = value;
+                }
               }
-            }
-          } else if (typeof obj === 'object') {
-            for (const [key, value] of Object.entries(obj)) {
-              if (StringPrototypeToLowerCase.call(key) === 'content-type') {
-                sourceContext.responseData.contentType = value;
+            } else if (typeof obj === 'object') {
+              for (const [key, value] of Object.entries(obj)) {
+                if (StringPrototypeToLowerCase.call(key) === 'content-type') {
+                  sourceContext.responseData.contentType = value;
+                }
               }
             }
           }
-        }
-      });
+        });
 
-      if (!patcher.hooks.get(res?.setHeader)?.funcKeys.has(`${patchType}:set-header`)) {
-        patcher.patch(res, 'setHeader', {
-          name: 'set-header',
-          patchType,
-          pre(data) {
-            const [name = '', value] = data.args;
-            if (
-              value &&
-              StringPrototypeToLowerCase.call(name) === 'content-type' &&
-              getSourceContext()
-            ) {
-              sourceContext.responseData.contentType = value;
+        if (!patcher.hooks.get(resOrSocket?.setHeader)?.funcKeys.has(`${patchType}:set-header`)) {
+          patcher.patch(resOrSocket, 'setHeader', {
+            name: 'set-header',
+            patchType,
+            pre(data) {
+              const [name = '', value] = data.args;
+              if (
+                value &&
+                StringPrototypeToLowerCase.call(name) === 'content-type' &&
+                getSourceContext()
+              ) {
+                sourceContext.responseData.contentType = value;
+              }
             }
-          }
-        });
+          });
+        }
       }
 
       const sourceName = 'ClientRequest';
@@ -143,7 +148,6 @@ module.exports = function (core) {
         }
       });
 
-
       //
       // now track the rawHeaders. headers are complicated because they appear
       // three times: headers, headersDistinct, and rawHeaders and we want to

package/lib/dataflow/sources/install/koa/index.js

@@ -20,7 +20,7 @@ const { callChildComponentMethodsSync } = require('@contrast/common');
 module.exports = function(core) {
   const koaSources = core.assess.dataflow.sources.koaInstrumentation = {};
 
-  require('./koa2')(core);
+  require('./koa')(core);
   require('./koa-bodyparsers')(core);
   require('./koa-multer')(core);
   require('./koa-routers')(core);

package/lib/dataflow/sources/install/koa/koa-bodyparsers.js

@@ -30,58 +30,86 @@ module.exports = (core) => {
     },
   } = core;
 
-  function install() {
-    [['koa-body', '<7'], ['koa-bodyparser', '<5']].forEach(([name, version]) => {
-      depHooks.resolve({ name, version }, (koaBody) => patcher.patch(koaBody, {
+  function postFn(name) {
+    return function(data) {
+      data.result = patcher.patch(data.result, {
         name,
         patchType,
-        post(data) {
-          data.result = patcher.patch(data.result, {
-            name,
-            patchType,
-            pre(data) {
-              const { funcKey } = data;
-              const [ctx, origNext] = data.args;
-              const sourceContext = getSourceContext();
-
-              if (!sourceContext) return;
-
-              if (sourceContext.parsedBody) {
-                logger.trace({ funcKey }, 'values already tracked');
-                return;
-              }
-
-              data.args[1] = async function contrastNext(origErr) {
-                const contentType = scopes.sources.getStore()?.sourceInfo?.contentType;
-                const inputType = contentType?.includes?.('/json')
-                  ? InputType.JSON_VALUE
-                  : typeof ctx.request.body == 'object'
-                    ? InputType.PARAMETER_VALUE
-                    : InputType.BODY;
-
-                try {
-                  sources.handle({
-                    context: 'ctx.request.body',
-                    name,
-                    inputType,
-                    stacktraceOpts: {
-                      constructorOpt: contrastNext,
-                    },
-                    data: ctx.request.body,
-                    sourceContext
-                  });
-
-                  sourceContext.parsedBody = !!Object.keys(ctx.request.body).length;
-                } catch (err) {
-                  logger.error({ err, inputType, funcKey }, 'unable to handle Koa source');
-                }
-
-                await origNext(origErr);
-              };
+        pre(data) {
+          const { funcKey } = data;
+          const [ctx, origNext] = data.args;
+          const sourceContext = getSourceContext();
+
+          if (!sourceContext) return;
+
+          if (sourceContext.parsedBody) {
+            logger.trace({ funcKey }, 'values already tracked');
+            return;
+          }
+
+          data.args[1] = async function contrastNext(origErr) {
+            const contentType = scopes.sources.getStore()?.sourceInfo?.contentType;
+            const inputType = contentType?.includes?.('/json')
+              ? InputType.JSON_VALUE
+              : typeof ctx.request.body == 'object'
+                ? InputType.PARAMETER_VALUE
+                : InputType.BODY;
+
+            try {
+              sources.handle({
+                context: 'ctx.request.body',
+                name,
+                inputType,
+                stacktraceOpts: {
+                  constructorOpt: contrastNext,
+                },
+                data: ctx.request.body,
+                sourceContext
+              });
+
+              sourceContext.parsedBody = !!Object.keys(ctx.request.body || {}).length;
+            } catch (err) {
+              logger.error({ err, inputType, funcKey }, 'unable to handle Koa source');
             }
-          });
+
+            await origNext(origErr);
+          };
         }
-      }));
+      });
+    };
+  }
+
+  function install() {
+
+    [['koa-body', '>=4 <6'], ['koa-bodyparser', '>=4 <5']].forEach(([name, version]) => {
+      depHooks.resolve({ name, version }, (koaBody) =>
+        patcher.patch(koaBody, {
+          name,
+          patchType,
+          post: postFn(name)
+        })
+      );
+    });
+
+    depHooks.resolve({ name: 'koa-body', version: '>=6 <7' }, (koaBody) =>
+      patcher.patch(koaBody, 'koaBody', {
+        name: 'koaBody',
+        patchType,
+        post: postFn('koa-body')
+      })
+    );
+
+    depHooks.resolve({ name: '@koa/bodyparser', version: '>=5 <7' }, (koaBody) => {
+      const patchedBodyParser = patcher.patch(koaBody.bodyParser, {
+        name: '@koa/bodyparser',
+        patchType,
+        post: postFn('@koa/bodyparser')
+      }
+      );
+      return {
+        default: patchedBodyParser,
+        bodyParser: patchedBodyParser
+      };
     });
   }
 

package/lib/dataflow/sources/install/koa/koa-multer.js

@@ -67,7 +67,7 @@ module.exports = (core) => {
   }
 
   function install() {
-    [['koa-multer', '<2'], ['@koa/multer', '<4']].forEach(([name, version]) => {
+    [['koa-multer', '<2'], ['@koa/multer', '>=3 <5']].forEach(([name, version]) => {
       depHooks.resolve(
         { name, version }, (_export) => {
           const origMulter = _export;

package/lib/dataflow/sources/install/koa/koa-routers.js

@@ -31,11 +31,11 @@ module.exports = (core) => {
 
   // Patch `koa-router` and `@koa/router` to handle parsed params
   function install() {
-    [['koa-router', '<14'], ['@koa/router', '<14']].forEach(([router, version]) => {
+    [['koa-router', '>=12 <15'], ['@koa/router', '>=12 <15']].forEach(([router, version]) => {
       depHooks.resolve(
         { name: router, version, file: 'lib/layer.js' },
         (layer) => {
-          layer.prototype = patcher.patch(layer.prototype, 'params', {
+          patcher.patch(layer.prototype, 'params', {
             name: `[${router}].layer.prototype`,
             patchType,
             post({ orig, hooked, result, name, funcKey }) {

package/lib/dataflow/sources/install/koa/{koa2.js → koa.js}

@@ -40,7 +40,7 @@ module.exports = (core) => {
    * registers a depHook for koa module instrumentation
    */
   function install() {
-    depHooks.resolve({ name: 'koa', version: '>=2.3.0 <3' }, (Koa) => {
+    depHooks.resolve({ name: 'koa', version: '>=2.3.0 <4' }, (Koa) => {
       const createMiddleware = ({ name, funcKey }) => {
         const contrastStartMiddleware = function contrastStartMiddleware(ctx, next) {
           const sourceContext = getSourceContext();
@@ -101,9 +101,9 @@ module.exports = (core) => {
     });
   }
 
-  const koa2Instrumentation = sources.koaInstrumentation.koa2 = {
+  const koaInstrumentation = sources.koaInstrumentation.koa = {
     install
   };
 
-  return koa2Instrumentation;
+  return koaInstrumentation;
 };

package/lib/dataflow/sources/install/socket.io.js

@@ -0,0 +1,80 @@
+/*
+ * Copyright: 2025 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+
+const { InputType, set } = require('@contrast/common');
+const Core = require('@contrast/core/lib/ioc/core');
+const { patchType } = require('../common');
+
+const COMPONENT_NAME = 'assess.dataflow.sources.socketIoInstrumentation';
+
+module.exports = Core.makeComponent({
+  name: COMPONENT_NAME,
+  factory: (core) => new SocketIOAssessSource(core),
+});
+
+class SocketIOAssessSource {
+  constructor(core) {
+    Object.defineProperty(this, 'core', { value: core });
+    set(core, COMPONENT_NAME, this);
+  }
+  /**
+   * Deploys socket.io instrumentation.
+   */
+  install() {
+    const {
+      depHooks,
+      patcher,
+      assess,
+    } = this.core;
+
+    depHooks.resolve(
+      { name: 'socket.io', version: '4' },
+      /**
+       * @param {import('socket.io-4')} xport the exported socket.io module
+       */
+      (xport) => {
+        patcher.patch(xport.Socket.prototype, 'dispatch', {
+          name: 'socket.io.Socket.prototype.dispatch',
+          patchType,
+          pre(data) {
+            if (!Array.isArray(data.args[0])) return;
+
+            const sourceContext = assess.getSourceContext();
+            if (!sourceContext) return;
+
+            const [eventName, ...params] = data.args[0];
+            assess.dataflow.sources.handle({
+              data: params,
+              name: 'socket.io.Socket.prototype.dispatch',
+              inputType: InputType.WEBSOCKET,
+              stacktraceOpts: { constructorOpt: data.hooked },
+              sourceContext,
+              onEvent(event, fieldName, pathName) {
+                event.context = `socket.io Socket.on("${eventName}", ...params)`;
+                event.args = [{
+                  tracked: true,
+                  value: `params.${pathName}`,
+                }];
+              },
+            });
+
+            data.args[0] = [eventName, ...params];
+          }
+        });
+      }
+    );
+  }
+}

package/lib/get-source-context.js

@@ -53,20 +53,11 @@ function factory(core) {
   core.assess.getPropagatorContext = function getPropagatorContext() {
     if (instrumentation.isLocked()) return null;
 
-    // the following logging used to be done by the caller, but has been moved
-    // here as opposed to overloading `ctx.policy` with a special value so the
-    // caller could determine whether no source context was available or the
-    // request is being intentionally excluded. A negative of this is that the
-    // function name is not available to be included in the log.
     const ctx = sources.getStore()?.assess;
-    if (!ctx) return null;
-
     // there is a context, but if policy is null then assess is intentionally
     // disabled (i.e., url exclusion or the request is not sampled).
-    if (!ctx.policy) {
-      return null;
-    }
-
+    if (!ctx?.policy || ctx?.policy.allowed) return null;
+    // event limits
     if (ctx.propagationEventsCount >= config.assess.max_propagation_events) return null;
 
     return ctx;
@@ -80,13 +71,13 @@ function factory(core) {
     if (instrumentation.isLocked()) return null;
 
     const ctx = sources.getStore()?.assess;
-    if (!ctx) return null;
-
-    if (!ctx.policy) {
-      return null;
-    }
+    if (!ctx?.policy || ctx.policy?.allowed) return null;
+    if (!ruleId) return ctx;
 
-    if (ruleId && !ctx.policy?.enabledRules?.has?.(ruleId) || ruleScopes.isLocked(ruleId)) return null;
+    if (
+      !ctx.policy?.isRuleEnabled?.(ruleId) ||
+      ruleScopes.isLocked(ruleId)
+    ) return null;
 
     return ctx;
   };
@@ -105,10 +96,8 @@ function factory(core) {
       return null;
     }
 
-    if (!ctx.policy) {
-      return null;
-    }
-
+    if (!ctx.policy || ctx.policy.allowed) return null;
+    // event limits
     if (ctx.sourceEventsCount >= config.assess.max_context_source_events) return null;
 
     return ctx;

package/lib/index.d.ts

@@ -12,7 +12,7 @@
  * engineered, modified, repackaged, sold, redistributed or otherwise used in a
  * way not consistent with the End User License Agreement.
  */
-import { Rule, SessionConfigurationRule } from '@contrast/common';
+import { Rule, ConfigurationRule } from '@contrast/common';
 import { Config } from '@contrast/config';
 import { Core as _Core } from '@contrast/core';
 import { Deadzones } from '@contrast/deadzones';
@@ -61,8 +61,9 @@ export interface SessionRuleState {
 }
 
 export interface RuleState {
-  [SessionConfigurationRule.HTTPONLY]?: SessionRuleState,
-  [SessionConfigurationRule.SECURE_FLAG_MISSING]?: SessionRuleState,
+  [ConfigurationRule.HTTPONLY]?: SessionRuleState,
+  [ConfigurationRule.SECURE_FLAG_MISSING]?: SessionRuleState,
+  [ConfigurationRule.GRAPHQL_INTROSPECTION]?: SessionRuleState,
 }
 
 export interface Assess {

package/lib/index.js

@@ -60,7 +60,7 @@ module.exports = function assess(core) {
 
   // ancillary tools used by different features
   require('./sampler')(core);
-  require('./get-policy')(core);
+  core.initComponentSync(require('./policy'));
   core.initComponentSync(require('./make-source-context'));
   require('./rule-scopes')(core);
   core.initComponentSync(require('./get-source-context'));
@@ -70,7 +70,7 @@ module.exports = function assess(core) {
   require('./dataflow')(core);
   require('./crypto-analysis')(core);
   require('./response-scanning')(core);
-  require('./session-configuration')(core);
+  require('./configuration-analysis')(core);
 
   // append async state to sources store when request-scope sources are created
   sources.addHook('onSource', (ctx) => {

package/lib/make-source-context.js

@@ -36,24 +36,19 @@ function factory(core) {
    * @returns {import('@contrast/assess').SourceContext}
    */
   return core.assess.makeSourceContext = function ({ store, incomingMessage: req }) {
-
     try {
       const ctx = store.assess = {
-        // default policy to `null` until it is set later below. this will cause
-        // all instrumentation to short-circuit, see `./get-source-context.js`.
         policy: null,
       };
-
+      // if assess is disabled or not selected for sampling, the policy will
+      // be null (assess disabled) for lifetime of connection, despite UI updates.
       if (!core.config.getEffectiveValue('assess.enable')) return ctx;
-
-      // check whether sampling allows processing
       ctx.sampleInfo = assess.sampler?.getSampleInfo(store.sourceInfo) ?? null;
       if (ctx.sampleInfo?.canSample === false) return ctx;
 
-      // set policy - can be returned as `null` if request is url-excluded.
-      ctx.policy = assess.getPolicy(store.sourceInfo);
-      if (!ctx.policy) return ctx;
-
+      // assess-enabled policy from current effective config, but
+      // policy is dynamic and will respond to settings updates
+      ctx.policy = assess.policy.getRequestPolicy(store.sourceInfo);
       ctx.propagationEventsCount = 0;
       ctx.sourceEventsCount = 0;
       ctx.responseData = {};