@contrast/assess 1.64.0 → 1.66.0

package/lib/{session-configuration → configuration-analysis}/common.js

@@ -15,5 +15,5 @@
 'use strict';
 
 module.exports = {
-  patchType: 'session-configuration'
+  patchType: 'configuration'
 };

package/lib/{session-configuration → configuration-analysis}/handlers.js

@@ -17,15 +17,15 @@
 
 const {
   Event,
-  SessionConfigurationRule,
+  ConfigurationRule,
   isString,
 } = require('@contrast/common');
 
-const { HTTPONLY, SECURE_FLAG_MISSING } = SessionConfigurationRule;
+const { HTTPONLY, SECURE_FLAG_MISSING, GRAPHQL_INTROSPECTION } = ConfigurationRule;
 
 module.exports = function (core) {
   const {
-    assess: { sessionConfiguration },
+    assess: { configurationAnalysis },
     messages,
   } = core;
 
@@ -40,7 +40,7 @@ module.exports = function (core) {
   }
 
   /**
-   * @param {SessionConfigurationRule} ruleId
+   * @param {ConfigurationRule} ruleId
    * @param {import('@contrast/assess').SourceContext} sourceContext
    * @returns {import('@contrast/assess').SessionRuleState}
    */
@@ -76,7 +76,7 @@ module.exports = function (core) {
       if (!isVulnerable(ruleId, value)) continue;
 
       else {
-        sessionConfiguration.reportFindings({
+        configurationAnalysis.reportFindings({
           ruleId,
           sinkEvent: sessionEvent,
           properties: {
@@ -89,17 +89,30 @@ module.exports = function (core) {
     }
   }
 
-  sessionConfiguration.handleHttpOnly = function(sourceContext, cookie, sessionEvent) {
+  configurationAnalysis.handleHttpOnly = function(sourceContext, cookie, sessionEvent) {
     handle(HTTPONLY, sourceContext, cookie, sessionEvent);
   };
 
-  sessionConfiguration.handleSecure = function (sourceContext, cookie, sessionEvent) {
+  configurationAnalysis.handleSecure = function (sourceContext, cookie, sessionEvent) {
     handle(SECURE_FLAG_MISSING, sourceContext, cookie, sessionEvent);
   };
 
-  sessionConfiguration.reportFindings = function (finding) {
-    messages.emit(Event.ASSESS_SESSION_CONFIGURATION_FINDING, finding);
+  configurationAnalysis.handleGraphqlIntrospection = function (sourceContext, sessionEvent, value) {
+    const ruleId = GRAPHQL_INTROSPECTION;
+    const state = ensureState(ruleId, sourceContext);
+    if (sourceContext?.policy?.disabledRules?.has?.(ruleId) || state.reported) return;
+
+    configurationAnalysis.reportFindings({
+      ruleId,
+      sinkEvent: sessionEvent,
+      evidence: value
+    });
+    state.reported = true;
+  };
+
+  configurationAnalysis.reportFindings = function (finding) {
+    messages.emit(Event.ASSESS_CONFIGURATION_FINDING, finding);
   };
 
-  return sessionConfiguration;
+  return configurationAnalysis;
 };

package/lib/{session-configuration → configuration-analysis}/index.js

@@ -18,17 +18,19 @@
 const { callChildComponentMethodsSync } = require('@contrast/common');
 
 module.exports = function(core) {
-  const sessionConfiguration = core.assess.sessionConfiguration = {};
+  const configurationAnalysis = core.assess.configurationAnalysis = {};
 
   require('./handlers')(core);
+  require('./install/apollo-server')(core);
+  require('./install/graphql-yoga')(core);
   require('./install/express-session')(core);
   require('./install/fastify-cookie')(core);
   require('./install/hapi')(core);
   require('./install/koa')(core);
 
-  sessionConfiguration.install = function() {
-    callChildComponentMethodsSync(sessionConfiguration, 'install');
+  configurationAnalysis.install = function() {
+    callChildComponentMethodsSync(configurationAnalysis, 'install');
   };
 
-  return sessionConfiguration;
+  return configurationAnalysis;
 };

package/lib/configuration-analysis/install/apollo-server.js

@@ -0,0 +1,92 @@
+/*
+ * Copyright: 2025 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+
+const { patchType } = require('../common');
+
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  scopes: import('@contrast/scopes').Scopes,
+ * }} core
+ */
+module.exports = function (core) {
+  const {
+    assess: {
+      inspect, // TODO NODE-3455: remove
+      getSourceContext,
+      eventFactory: { createSessionEvent },
+      configurationAnalysis: {
+        handleGraphqlIntrospection
+      },
+    },
+    depHooks,
+    patcher,
+  } = core;
+
+  const apolloServer = core.assess.configurationAnalysis.apolloServer = {};
+
+  apolloServer.install = function () {
+    return depHooks.resolve({ name: '@apollo/server', version: '>=4' }, (xport) => {
+      if (!xport.ApolloServer) return;
+      patcher.patch(xport, 'ApolloServer', {
+        name: '@apollo/server.ApolloServer',
+        patchType,
+        post(data) {
+          if (!data.args[0]?.introspection) return;
+
+          const options = { introspection: true };
+          const optionsString = inspect(options);
+          const sessionEvent = createSessionEvent({
+            args: [{
+              tracked: false,
+              value: optionsString,
+            }],
+            context: optionsString,
+            name: '@apollo/server',
+            moduleName: 'ApolloServer',
+            methodName: '',
+            object: {
+              tracked: false,
+              value: 'ApolloServer',
+            },
+            result: {
+              tracked: false,
+            },
+            source: 'P0',
+            stacktraceOpts: {
+              constructorOpt: data.hooked,
+            },
+            framework: 'graphql',
+          });
+
+          patcher.patch(data.result, 'executeHTTPGraphQLRequest', {
+            name: 'ApolloServer.executeHTTPGraphQLRequest',
+            patchType,
+            post(data) {
+              const sourceContext = getSourceContext();
+              if (!sourceContext) return;
+
+              handleGraphqlIntrospection(sourceContext, sessionEvent, optionsString);
+
+            }
+          });
+        }
+      });
+    });
+  };
+
+  return apolloServer;
+};

package/lib/{session-configuration → configuration-analysis}/install/express-session.js

@@ -29,7 +29,7 @@ module.exports = function (core) {
       inspect, // TODO NODE-3455: remove
       getSourceContext,
       eventFactory: { createSessionEvent },
-      sessionConfiguration: {
+      configurationAnalysis: {
         handleHttpOnly,
         handleSecure,
       },
@@ -38,7 +38,7 @@ module.exports = function (core) {
     patcher,
   } = core;
 
-  const expressSession = core.assess.sessionConfiguration.expressSession = {};
+  const expressSession = core.assess.configurationAnalysis.expressSession = {};
 
   expressSession.install = function () {
     return depHooks.resolve({ name: 'express-session', version: '<2' }, (session) => {

package/lib/{session-configuration → configuration-analysis}/install/fastify-cookie.js

@@ -29,7 +29,7 @@ module.exports = function (core) {
       inspect, // TODO NODE-3455: remove
       getSourceContext,
       eventFactory: { createSessionEvent },
-      sessionConfiguration: {
+      configurationAnalysis: {
         handleHttpOnly,
         handleSecure,
       },
@@ -38,7 +38,7 @@ module.exports = function (core) {
     patcher,
   } = core;
 
-  return core.assess.sessionConfiguration.fastifyCookie = {
+  return core.assess.configurationAnalysis.fastifyCookie = {
     install () {
       depHooks.resolve({ name: '@fastify/cookie', version: '<12' }, (_export) => {
         const patched = patcher.patch(_export, {

package/lib/configuration-analysis/install/graphql-yoga.js

@@ -0,0 +1,90 @@
+/*
+ * Copyright: 2025 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+
+const { patchType } = require('../common');
+
+/**
+ * @param {{
+ *  assess: import('@contrast/assess').Assess,
+ *  scopes: import('@contrast/scopes').Scopes,
+ * }} core
+ */
+module.exports = function (core) {
+  const {
+    assess: {
+      inspect, // TODO NODE-3455: remove
+      getSourceContext,
+      eventFactory: { createSessionEvent },
+      configurationAnalysis: {
+        handleGraphqlIntrospection
+      },
+    },
+    depHooks,
+    patcher,
+  } = core;
+
+  const graphqlYoga = core.assess.configurationAnalysis.graphqlYoga = {};
+
+  graphqlYoga.install = function () {
+    return depHooks.resolve({ name: '@graphql-yoga/plugin-disable-introspection', version: '*' }, (xport) => patcher.patch(xport, 'useDisableIntrospection', {
+      name: '@graphql-yoga/plugin-disable-introspection.useDisableIntrospection',
+      patchType,
+      post(data) {
+        const options = data.args[0];
+        const optionsString = inspect(options);
+        patcher.patch(data.result, 'onValidate', {
+          name: 'onValidate',
+          patchType,
+          pre(data) {
+            patcher.patch(data.args[0], 'addValidationRule', {
+              name: 'addValidationRule',
+              patchType,
+              post(data) {
+                const sourceContext = getSourceContext();
+                if (!sourceContext) return;
+                const sessionEvent = createSessionEvent({
+                  args: [{
+                    tracked: false,
+                    value: optionsString,
+                  }],
+                  context: optionsString,
+                  name: '@graphql-yoga',
+                  moduleName: 'plugin-disable-introspection',
+                  methodName: 'addValidationRule',
+                  object: {
+                    tracked: false,
+                    value: 'plugin-disable-introspection',
+                  },
+                  result: {
+                    tracked: false,
+                  },
+                  source: 'P0',
+                  stacktraceOpts: {
+                    constructorOpt: data.hooked,
+                  },
+                  framework: 'graphql',
+                });
+                handleGraphqlIntrospection(sourceContext, sessionEvent, optionsString);
+              }
+            });
+          }
+        });
+      }
+    }));
+  };
+
+  return graphqlYoga;
+};

package/lib/{session-configuration → configuration-analysis}/install/hapi.js

@@ -21,7 +21,7 @@ module.exports = function (core) {
     assess: {
       inspect, // TODO NODE-3455: remove
       eventFactory: { createSessionEvent },
-      sessionConfiguration: {
+      configurationAnalysis: {
         handleHttpOnly,
         handleSecure,
       },
@@ -31,7 +31,7 @@ module.exports = function (core) {
     scopes: { sources },
   } = core;
 
-  const hapiSession = core.assess.sessionConfiguration.hapiSession = {};
+  const hapiSession = core.assess.configurationAnalysis.hapiSession = {};
 
   hapiSession.install = function () {
     return depHooks.resolve({ name: '@hapi/hapi', version: '>=18 <22' }, (hapi) => {

package/lib/{session-configuration → configuration-analysis}/install/koa.js

@@ -28,7 +28,7 @@ module.exports = function (core) {
       inspect, // TODO NODE-3455: remove
       getSourceContext,
       eventFactory: { createSessionEvent },
-      sessionConfiguration: {
+      configurationAnalysis: {
         handleHttpOnly,
         handleSecure,
       },
@@ -37,9 +37,9 @@ module.exports = function (core) {
     patcher,
   } = core;
 
-  return core.assess.sessionConfiguration.koa = {
+  return core.assess.configurationAnalysis.koa = {
     install () {
-      depHooks.resolve({ name: 'koa', version: '>=2.3.0 <3' }, (Koa) => {
+      depHooks.resolve({ name: 'koa', version: '>=2.3.0 <4' }, (Koa) => {
         patcher.patch(Koa.prototype, 'use', {
           name: 'Koa.Application',
           patchType,

package/lib/dataflow/propagation/install/string/substring.js

@@ -89,7 +89,7 @@ module.exports = function(core) {
             const event = createPropagationEvent({
               name,
               moduleName: 'String',
-              methodName: 'prototype.substring',
+              methodName: `prototype.${method}`,
               get context() {
                 return `'${objInfo.value}'.substring(${ArrayPrototypeJoin.call(args.map(a => a.value))})`;
               },

package/lib/dataflow/sinks/install/fs.js

@@ -41,6 +41,7 @@ module.exports = function(core) {
         tracker,
         sinks: { isVulnerable, reportFindings },
       },
+      ruleScopes
     },
   } = core;
 
@@ -60,12 +61,12 @@ module.exports = function(core) {
     }, []);
   }
 
-  const pre = (name, method, moduleName = 'fs', fullMethodName = '') => (data) => {
+  const around = (name, method, moduleName = 'fs', fullMethodName = '') => (next, data) => {
     const { name: methodName, indices } = method;
-    if (!getSinkContext(ruleId)) return;
+    if (!getSinkContext(ruleId)) return next();
 
     const values = getValues(indices, data.args);
-    if (!values.length) return;
+    if (!values.length) return next();
 
     const args = values.map((v) => {
       const strInfo = tracker.getData(v);
@@ -111,6 +112,7 @@ module.exports = function(core) {
         });
       }
     }
+    return ruleScopes.run(ruleId, next);
   };
 
   core.assess.dataflow.sinks.pathTraversal = {
@@ -123,7 +125,7 @@ module.exports = function(core) {
             patcher.patch(fs, method.name, {
               name,
               patchType,
-              pre: pre(name, method),
+              around: around(name, method),
             });
           }
 
@@ -134,19 +136,10 @@ module.exports = function(core) {
               patcher.patch(fs, syncName, {
                 name,
                 patchType,
-                pre: pre(name, method, 'fs', syncName),
+                around: around(name, method, 'fs', syncName),
               });
             }
           }
-
-          if (method.promises && fs.promises && fs.promises[method.name]) {
-            const name = `fs.promises.${method.name}`;
-            patcher.patch(fs.promises, method.name, {
-              name,
-              patchType,
-              pre: pre(name, method, 'fs.promises'),
-            });
-          }
         }
       });
 
@@ -157,7 +150,7 @@ module.exports = function(core) {
             patcher.patch(fsPromises, method.name, {
               name,
               patchType,
-              pre: pre(name, method, 'fsPromises'),
+              around: around(name, method, 'fsPromises'),
             });
           }
         }

package/lib/dataflow/sources/handler.js

@@ -76,6 +76,7 @@ module.exports = Core.makeComponent({
       stacktraceOpts,
       data,
       sourceContext,
+      onEvent,
     }) {
       if (!data) return;
 
@@ -105,7 +106,7 @@ module.exports = Core.makeComponent({
         }
         // create the stacktrace once per call to .handle()
         stack || (stack = sources.createStacktrace(stacktraceOpts));
-        return eventFactory.createSourceEvent({
+        const eventData = {
           context: `${context}.${pathName}`,
           name,
           fieldName,
@@ -114,7 +115,12 @@ module.exports = Core.makeComponent({
           inputType,
           tags: sources.createTags({ inputType, fieldName, value, tagNames }),
           result: { tracked: true, value },
-        });
+        };
+
+        const event = eventFactory.createSourceEvent(eventData);;
+        if (event && onEvent) onEvent(event, fieldName, pathName);
+
+        return event;
       }
 
       if (Buffer.isBuffer(data) && !tracker.getData(data)) {
@@ -129,6 +135,7 @@ module.exports = Core.makeComponent({
 
         const event = createEvent({ pathName: 'body', value: data, fieldName: '', excludedRules });
         if (event) {
+          if (onEvent) onEvent(event);
           tracker.track(data, event);
         }
 

package/lib/dataflow/sources/index.js

@@ -29,12 +29,14 @@ module.exports = function (core) {
   require('./install/body-parser')(core);
   require('./install/busboy')(core);
   require('./install/cookie-parser1')(core);
+  core.initComponentSync(require('./install/fastify-websocket'));
   require('./install/formidable1')(core);
   require('./install/graphql-http')(core);
   require('./install/http')(core);
   require('./install/qs6')(core);
   require('./install/querystring')(core);
   require('./install/multer1')(core);
+  core.initComponentSync(require('./install/socket.io'));
 
   sources.install = function install() {
     callChildComponentMethodsSync(sources, 'install');

package/lib/dataflow/sources/install/fastify-websocket.js

@@ -0,0 +1,63 @@
+'use strict';
+
+const { InputType, set } = require('@contrast/common');
+const Core = require('@contrast/core/lib/ioc/core');
+const { patchType } = require('../common');
+
+const COMPONENT_NAME = 'assess.dataflow.sources.fastifyWebsocketInstrumentation';
+
+module.exports = Core.makeComponent({
+  name: COMPONENT_NAME,
+  factory: (core) => new FastifyWebsocketAssessSource(core),
+});
+
+class FastifyWebsocketAssessSource {
+  constructor(core) {
+    Object.defineProperty(this, 'core', { value: core });
+    set(core, COMPONENT_NAME, this);
+  }
+
+  /**
+   * Deploys @fastify/websocket instrumentation.
+   */
+  install() {
+    const {
+      depHooks,
+      patcher,
+      assess,
+    } = this.core;
+
+    depHooks.resolve({ name: '@fastify/websocket', version: '*' }, (fws) => {
+      // patch exported function
+      return patcher.patch(fws, {
+        name: '@fastify/websocket',
+        patchType,
+        post(data) {
+          // the plugin decorates fastify with the ws.WebSocketServer instance.
+          // we use the connection event to get reference to connecting
+          // WebSockets, and track when they emit message buffers.
+          data.args[0].websocketServer?.on?.('connection', (socket) => {
+            socket.on('message', function handler(data) {
+              const sourceContext = assess.getSourceContext();
+              // this should be present since sources run 'upgrade' requests in request scope
+              if (!sourceContext) return;
+
+              // this will track the emitted buffer
+              assess.dataflow.sources.handle({
+                data,
+                name: 'fastify-websocket',
+                inputType: InputType.WEBSOCKET,
+                stacktraceOpts: { constructorOpt: handler },
+                sourceContext,
+                onEvent(event) {
+                  event.context = 'WebSocket.on("message", ...args)';
+                  event.args = [{ value: 'args.0', tracked: true }];
+                },
+              });
+            });
+          });
+        }
+      });
+    });
+  }
+};

package/lib/dataflow/sources/install/http.js

@@ -36,63 +36,68 @@ module.exports = function (core) {
   const logger = core.logger.child({ name: 'contrast:assess' });
 
   /**
-   * The around hook for `emit` that
-   * invokes the protect service to do analysis when appropriate.
+   * The around hook for `emit` that handles tracking URL and header values.
+   * We track those when the event is 'request' or 'upgrade'. Also, for when
+   * event is 'request', we will also patch some ServerResponse methods. We
+   * currentl don't patch the raw socket for tracking when event is 'upgrade',
+   * sources instrumentation for websocket events happens per framework.
    */
   function around(next, data) {
     const [type] = data.args;
 
-    if (type !== 'request') return next();
+    if (type !== 'request' && type !== 'upgrade') return next();
 
     try {
-      const [, req, res] = data.args;
+      const [, req, resOrSocket] = data.args;
       const sourceContext = getSourceContext();
 
       if (!sourceContext?.policy) {
         return next();
       }
 
-      patcher.patch(res, 'writeHead', {
-        name: 'write-head',
-        patchType,
-        pre(data) {
-          const obj = data.args[data.args.length - 1];
-          if (!obj) return;
+      if (type == 'request') {
+        patcher.patch(resOrSocket, 'writeHead', {
+          name: 'write-head',
+          patchType,
+          pre(data) {
+            const obj = data.args[data.args.length - 1];
+            if (!obj) return;
 
-          if (Array.isArray(obj)) {
-            for (let i = 0; i < obj.length; i += 2) {
-              const key = obj[i];
-              const value = obj[i + 1];
+            if (Array.isArray(obj)) {
+              for (let i = 0; i < obj.length; i += 2) {
+                const key = obj[i];
+                const value = obj[i + 1];
 
-              if (StringPrototypeToLowerCase.call(key) === 'content-type') {
-                sourceContext.responseData.contentType = value;
+                if (StringPrototypeToLowerCase.call(key) === 'content-type') {
+                  sourceContext.responseData.contentType = value;
+                }
               }
-            }
-          } else if (typeof obj === 'object') {
-            for (const [key, value] of Object.entries(obj)) {
-              if (StringPrototypeToLowerCase.call(key) === 'content-type') {
-                sourceContext.responseData.contentType = value;
+            } else if (typeof obj === 'object') {
+              for (const [key, value] of Object.entries(obj)) {
+                if (StringPrototypeToLowerCase.call(key) === 'content-type') {
+                  sourceContext.responseData.contentType = value;
+                }
               }
             }
           }
-        }
-      });
+        });
 
-      if (!patcher.hooks.get(res?.setHeader)?.funcKeys.has(`${patchType}:set-header`)) {
-        patcher.patch(res, 'setHeader', {
-          name: 'set-header',
-          patchType,
-          pre(data) {
-            const [name = '', value] = data.args;
-            if (
-              value &&
-              StringPrototypeToLowerCase.call(name) === 'content-type' &&
-              getSourceContext()
-            ) {
-              sourceContext.responseData.contentType = value;
+        if (!patcher.hooks.get(resOrSocket?.setHeader)?.funcKeys.has(`${patchType}:set-header`)) {
+          patcher.patch(resOrSocket, 'setHeader', {
+            name: 'set-header',
+            patchType,
+            pre(data) {
+              const [name = '', value] = data.args;
+              if (
+                value &&
+                StringPrototypeToLowerCase.call(name) === 'content-type' &&
+                getSourceContext()
+              ) {
+                sourceContext.responseData.contentType = value;
+              }
             }
-          }
-        });
+          });
+        }
       }
 
       const sourceName = 'ClientRequest';
@@ -143,7 +148,6 @@ module.exports = function (core) {
         }
       });
 
-
       //
       // now track the rawHeaders. headers are complicated because they appear
       // three times: headers, headersDistinct, and rawHeaders and we want to

package/lib/dataflow/sources/install/koa/index.js

@@ -20,7 +20,7 @@ const { callChildComponentMethodsSync } = require('@contrast/common');
 module.exports = function(core) {
   const koaSources = core.assess.dataflow.sources.koaInstrumentation = {};
 
-  require('./koa2')(core);
+  require('./koa')(core);
   require('./koa-bodyparsers')(core);
   require('./koa-multer')(core);
   require('./koa-routers')(core);

package/lib/dataflow/sources/install/koa/koa-bodyparsers.js

@@ -30,58 +30,86 @@ module.exports = (core) => {
     },
   } = core;
 
-  function install() {
-    [['koa-body', '<7'], ['koa-bodyparser', '<5']].forEach(([name, version]) => {
-      depHooks.resolve({ name, version }, (koaBody) => patcher.patch(koaBody, {
+  function postFn(name) {
+    return function(data) {
+      data.result = patcher.patch(data.result, {
         name,
         patchType,
-        post(data) {
-          data.result = patcher.patch(data.result, {
-            name,
-            patchType,
-            pre(data) {
-              const { funcKey } = data;
-              const [ctx, origNext] = data.args;
-              const sourceContext = getSourceContext();
-
-              if (!sourceContext) return;
-
-              if (sourceContext.parsedBody) {
-                logger.trace({ funcKey }, 'values already tracked');
-                return;
-              }
-
-              data.args[1] = async function contrastNext(origErr) {
-                const contentType = scopes.sources.getStore()?.sourceInfo?.contentType;
-                const inputType = contentType?.includes?.('/json')
-                  ? InputType.JSON_VALUE
-                  : typeof ctx.request.body == 'object'
-                    ? InputType.PARAMETER_VALUE
-                    : InputType.BODY;
-
-                try {
-                  sources.handle({
-                    context: 'ctx.request.body',
-                    name,
-                    inputType,
-                    stacktraceOpts: {
-                      constructorOpt: contrastNext,
-                    },
-                    data: ctx.request.body,
-                    sourceContext
-                  });
-
-                  sourceContext.parsedBody = !!Object.keys(ctx.request.body).length;
-                } catch (err) {
-                  logger.error({ err, inputType, funcKey }, 'unable to handle Koa source');
-                }
-
-                await origNext(origErr);
-              };
+        pre(data) {
+          const { funcKey } = data;
+          const [ctx, origNext] = data.args;
+          const sourceContext = getSourceContext();
+
+          if (!sourceContext) return;
+
+          if (sourceContext.parsedBody) {
+            logger.trace({ funcKey }, 'values already tracked');
+            return;
+          }
+
+          data.args[1] = async function contrastNext(origErr) {
+            const contentType = scopes.sources.getStore()?.sourceInfo?.contentType;
+            const inputType = contentType?.includes?.('/json')
+              ? InputType.JSON_VALUE
+              : typeof ctx.request.body == 'object'
+                ? InputType.PARAMETER_VALUE
+                : InputType.BODY;
+
+            try {
+              sources.handle({
+                context: 'ctx.request.body',
+                name,
+                inputType,
+                stacktraceOpts: {
+                  constructorOpt: contrastNext,
+                },
+                data: ctx.request.body,
+                sourceContext
+              });
+
+              sourceContext.parsedBody = !!Object.keys(ctx.request.body || {}).length;
+            } catch (err) {
+              logger.error({ err, inputType, funcKey }, 'unable to handle Koa source');
             }
-          });
+
+            await origNext(origErr);
+          };
         }
-      }));
+      });
+    };
+  }
+
+  function install() {
+
+    [['koa-body', '>=4 <6'], ['koa-bodyparser', '>=4 <5']].forEach(([name, version]) => {
+      depHooks.resolve({ name, version }, (koaBody) =>
+        patcher.patch(koaBody, {
+          name,
+          patchType,
+          post: postFn(name)
+        })
+      );
+    });
+
+    depHooks.resolve({ name: 'koa-body', version: '>=6 <7' }, (koaBody) =>
+      patcher.patch(koaBody, 'koaBody', {
+        name: 'koaBody',
+        patchType,
+        post: postFn('koa-body')
+      })
+    );
+
+    depHooks.resolve({ name: '@koa/bodyparser', version: '>=5 <7' }, (koaBody) => {
+      const patchedBodyParser = patcher.patch(koaBody.bodyParser, {
+        name: '@koa/bodyparser',
+        patchType,
+        post: postFn('@koa/bodyparser')
+      }
+      );
+      return {
+        default: patchedBodyParser,
+        bodyParser: patchedBodyParser
+      };
     });
   }
 

package/lib/dataflow/sources/install/koa/koa-multer.js

@@ -67,7 +67,7 @@ module.exports = (core) => {
   }
 
   function install() {
-    [['koa-multer', '<2'], ['@koa/multer', '<4']].forEach(([name, version]) => {
+    [['koa-multer', '<2'], ['@koa/multer', '>=3 <5']].forEach(([name, version]) => {
       depHooks.resolve(
         { name, version }, (_export) => {
           const origMulter = _export;

package/lib/dataflow/sources/install/koa/koa-routers.js

@@ -31,11 +31,11 @@ module.exports = (core) => {
 
   // Patch `koa-router` and `@koa/router` to handle parsed params
   function install() {
-    [['koa-router', '<14'], ['@koa/router', '<14']].forEach(([router, version]) => {
+    [['koa-router', '>=12 <15'], ['@koa/router', '>=12 <15']].forEach(([router, version]) => {
       depHooks.resolve(
         { name: router, version, file: 'lib/layer.js' },
         (layer) => {
-          layer.prototype = patcher.patch(layer.prototype, 'params', {
+          patcher.patch(layer.prototype, 'params', {
             name: `[${router}].layer.prototype`,
             patchType,
             post({ orig, hooked, result, name, funcKey }) {

package/lib/dataflow/sources/install/koa/{koa2.js → koa.js}

@@ -40,7 +40,7 @@ module.exports = (core) => {
    * registers a depHook for koa module instrumentation
    */
   function install() {
-    depHooks.resolve({ name: 'koa', version: '>=2.3.0 <3' }, (Koa) => {
+    depHooks.resolve({ name: 'koa', version: '>=2.3.0 <4' }, (Koa) => {
       const createMiddleware = ({ name, funcKey }) => {
         const contrastStartMiddleware = function contrastStartMiddleware(ctx, next) {
           const sourceContext = getSourceContext();
@@ -101,9 +101,9 @@ module.exports = (core) => {
     });
   }
 
-  const koa2Instrumentation = sources.koaInstrumentation.koa2 = {
+  const koaInstrumentation = sources.koaInstrumentation.koa = {
     install
   };
 
-  return koa2Instrumentation;
+  return koaInstrumentation;
 };

package/lib/dataflow/sources/install/socket.io.js

@@ -0,0 +1,80 @@
+/*
+ * Copyright: 2025 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+
+const { InputType, set } = require('@contrast/common');
+const Core = require('@contrast/core/lib/ioc/core');
+const { patchType } = require('../common');
+
+const COMPONENT_NAME = 'assess.dataflow.sources.socketIoInstrumentation';
+
+module.exports = Core.makeComponent({
+  name: COMPONENT_NAME,
+  factory: (core) => new SocketIOAssessSource(core),
+});
+
+class SocketIOAssessSource {
+  constructor(core) {
+    Object.defineProperty(this, 'core', { value: core });
+    set(core, COMPONENT_NAME, this);
+  }
+  /**
+   * Deploys socket.io instrumentation.
+   */
+  install() {
+    const {
+      depHooks,
+      patcher,
+      assess,
+    } = this.core;
+
+    depHooks.resolve(
+      { name: 'socket.io', version: '4' },
+      /**
+       * @param {import('socket.io-4')} xport the exported socket.io module
+       */
+      (xport) => {
+        patcher.patch(xport.Socket.prototype, 'dispatch', {
+          name: 'socket.io.Socket.prototype.dispatch',
+          patchType,
+          pre(data) {
+            if (!Array.isArray(data.args[0])) return;
+
+            const sourceContext = assess.getSourceContext();
+            if (!sourceContext) return;
+
+            const [eventName, ...params] = data.args[0];
+            assess.dataflow.sources.handle({
+              data: params,
+              name: 'socket.io.Socket.prototype.dispatch',
+              inputType: InputType.WEBSOCKET,
+              stacktraceOpts: { constructorOpt: data.hooked },
+              sourceContext,
+              onEvent(event, fieldName, pathName) {
+                event.context = `socket.io Socket.on("${eventName}", ...params)`;
+                event.args = [{
+                  tracked: true,
+                  value: `params.${pathName}`,
+                }];
+              },
+            });
+
+            data.args[0] = [eventName, ...params];
+          }
+        });
+      }
+    );
+  }
+}

package/lib/index.d.ts

@@ -12,7 +12,7 @@
  * engineered, modified, repackaged, sold, redistributed or otherwise used in a
  * way not consistent with the End User License Agreement.
  */
-import { Rule, SessionConfigurationRule } from '@contrast/common';
+import { Rule, ConfigurationRule } from '@contrast/common';
 import { Config } from '@contrast/config';
 import { Core as _Core } from '@contrast/core';
 import { Deadzones } from '@contrast/deadzones';
@@ -61,8 +61,9 @@ export interface SessionRuleState {
 }
 
 export interface RuleState {
-  [SessionConfigurationRule.HTTPONLY]?: SessionRuleState,
-  [SessionConfigurationRule.SECURE_FLAG_MISSING]?: SessionRuleState,
+  [ConfigurationRule.HTTPONLY]?: SessionRuleState,
+  [ConfigurationRule.SECURE_FLAG_MISSING]?: SessionRuleState,
+  [ConfigurationRule.GRAPHQL_INTROSPECTION]?: SessionRuleState,
 }
 
 export interface Assess {

package/lib/index.js

@@ -70,7 +70,7 @@ module.exports = function assess(core) {
   require('./dataflow')(core);
   require('./crypto-analysis')(core);
   require('./response-scanning')(core);
-  require('./session-configuration')(core);
+  require('./configuration-analysis')(core);
 
   // append async state to sources store when request-scope sources are created
   sources.addHook('onSource', (ctx) => {

package/lib/policy.js

@@ -21,7 +21,7 @@ const {
   InputType,
   Rule,
   ResponseScanningRule,
-  SessionConfigurationRule,
+  ConfigurationRule,
   set,
   primordials: { ArrayPrototypeJoin, RegExpPrototypeTest }
 } = require('@contrast/common');
@@ -30,7 +30,7 @@ const { Core } = require('@contrast/core/lib/ioc/core');
 const ASSESS_RULES = Object.values({
   ...Rule,
   ...ResponseScanningRule,
-  ...SessionConfigurationRule,
+  ...ConfigurationRule,
 });
 const BROAD_INPUT_EXCLUSION_TYPES = [
   ExclusionType.BODY,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.64.0",
+  "version": "1.66.0",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,18 +20,18 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.37.0",
-    "@contrast/config": "1.53.0",
-    "@contrast/core": "1.58.0",
-    "@contrast/dep-hooks": "1.27.0",
+    "@contrast/common": "1.38.0",
+    "@contrast/config": "1.54.1",
+    "@contrast/core": "1.59.1",
+    "@contrast/dep-hooks": "1.28.1",
     "@contrast/distringuish": "^6.0.2",
-    "@contrast/instrumentation": "1.37.0",
-    "@contrast/logger": "1.31.0",
-    "@contrast/patcher": "1.30.0",
-    "@contrast/rewriter": "1.35.0",
-    "@contrast/route-coverage": "1.50.0",
-    "@contrast/scopes": "1.28.0",
-    "@contrast/sources": "1.4.0",
+    "@contrast/instrumentation": "1.38.1",
+    "@contrast/logger": "1.32.1",
+    "@contrast/patcher": "1.31.1",
+    "@contrast/rewriter": "1.36.1",
+    "@contrast/route-coverage": "1.52.0",
+    "@contrast/scopes": "1.29.1",
+    "@contrast/sources": "1.5.1",
     "semver": "^7.6.0"
   }
 }