@contrast/cli 1.23.3 → 1.25.0

package/README.md

@@ -0,0 +1,26 @@
+# @contrast/cli
+
+## Installation
+
+```sh
+npm install @contrast/cli # optional, `npx` will install the package otherwise.
+npx -p @contrast/cli <command>
+```
+
+## Commands
+
+### rewrite
+
+```
+Usage: npx -p @contrast/cli rewrite [options] <entrypoint>
+
+Rewrites application files, caching them so that rewriting does not need to occur when the application runs.
+
+Arguments:
+  entrypoint     The entrypoint for the application
+
+Options:
+  -V, --version  output the version number
+  -a, --assess   enable assess mode
+  -h, --help     display help for command
+```

package/lib/rewrite.js

@@ -0,0 +1,193 @@
+#!/usr/bin/env node
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+// @ts-check
+'use strict';
+
+const { readFile } = require('node:fs/promises');
+const { createRequire } = require('node:module');
+const path = require('node:path');
+const swc = require('@swc/core');
+const { Visitor } = require('@swc/core/Visitor');
+const { findPackageJson } = require('@contrast/find-package-json');
+const { program } = require('commander');
+const { version } = require('../package.json');
+
+const JS_FILE_REGEX = /\.[cm]?js$/;
+
+/** @type {any} */
+const core = {};
+require('@contrast/core/lib/messages')(core);
+const config = require('@contrast/config')(core);
+if (core.config._errors?.length) throw core.config._errors[0];
+
+const logger = require('@contrast/logger').default(core, { name: 'contrast:rewriter:cli' });
+
+if (!config.agent.node.rewrite.enable || !config.agent.node.rewrite.cache.enable) {
+  logger.warn({ 'config.agent.node.rewrite': config.agent.node.rewrite }, 'rewriter config');
+  throw new Error('Rewriting disabled.');
+}
+
+const appInfo = require('@contrast/core/lib/app-info')(core);
+if (appInfo._errors?.length) throw appInfo._errors[0];
+
+const rewriter = require('@contrast/rewriter')(core);
+
+/**
+ * Keeps track of visited files so we don't bother rewriting multiple times.
+ * @type {Set<string>}
+ */
+const visited = new Set();
+
+/** @param {string} filename absolute path */
+async function isModuleFile(filename) {
+  // if the file extension specifies the type, there's no need to do extra IO
+  const ext = path.extname(filename);
+  if (ext === '.mjs') {
+    return true;
+  }
+
+  if (ext === '.cjs') {
+    return false;
+  }
+
+  // check for type: 'module' in a file's package json, otherwise assume CJS.
+  try {
+    const pkg = await findPackageJson({ cwd: filename });
+    if (pkg && JSON.parse((await readFile(pkg)).toString()).type === 'module') {
+      return true;
+    }
+  } catch {
+    return false;
+  }
+
+  return false;
+}
+
+class RewriteVisitor extends Visitor {
+  /** @param {string} filename */
+  constructor(filename) {
+    super();
+    visited.add(filename);
+
+    /**
+     * Create a local `require` function so we can resolve relative filenames.
+     * @type {NodeRequire}
+     */
+    this.require = createRequire(filename);
+  }
+
+  /**
+   * Visit `import ... from 'source'`, recursively rewriting the resolved path
+   * of `source`.
+   * @param {swc.ImportDeclaration} n
+   */
+  visitImportDeclaration(n) {
+    try {
+      const filename = this.require.resolve(n.source.value);
+      if (path.isAbsolute(filename)) {
+        rewriteFile(filename);
+      }
+    } catch (err) {
+      logger.debug({ n, err }, 'unable to resolve %s', n.source.value);
+    }
+
+    return super.visitImportDeclaration(n);
+  }
+
+  /**
+   * Visits `import(...)` or `require(...)` call expressions, recursively
+   * rewriting the resolved path of the first argument if it's a string literal.
+   * @param {swc.CallExpression} n
+   */
+  visitCallExpression(n) {
+    if (n.callee.type === 'Import' || (n.callee.type === 'Identifier' && n.callee.value === 'require')) {
+      const { expression } = n.arguments[0];
+      if (expression.type === 'StringLiteral') {
+        try {
+          const filename = this.require.resolve(expression.value);
+          if (path.isAbsolute(filename)) {
+            rewriteFile(filename);
+          }
+        } catch (err) {
+          logger.debug({ n, err }, 'unable to resolve %s', expression.value);
+        }
+      }
+    }
+
+    return super.visitCallExpression(n);
+  }
+}
+
+/** @param {string} filename */
+async function rewriteFile(filename) {
+  if (!JS_FILE_REGEX.test(filename) || visited.has(filename)) return;
+
+  try {
+    const content = (await readFile(filename)).toString();
+    const isModule = await isModuleFile(filename);
+
+    const result = await rewriter.rewrite(content, {
+      filename,
+      isModule,
+      inject: true,
+      wrap: !isModule,
+      trim: false,
+    });
+    rewriter.cache.write(filename, result);
+
+    /** @type {swc.Module | swc.Script} */
+    const program = await swc.parse(content, {
+      // @ts-expect-error swc types expect a literal, not an arbitrary boolean.
+      isModule
+    });
+    const visitor = new RewriteVisitor(filename);
+    visitor.visitProgram(program);
+  } catch (err) {
+    logger.debug({ err }, 'unable to parse or rewrite %s', filename);
+  }
+}
+
+/**
+ * @param {string} filename
+ * @param {object} opts
+ * @param {boolean=} opts.assess
+ */
+async function action(filename, opts) {
+  if (config.assess.enable || opts.assess) rewriter.install('assess');
+  // If we're rewriting, we're always at least in protect mode.
+  rewriter.install('protect');
+
+  logger.info(
+    'Caching rewriter results to %s',
+    path.join(
+      rewriter.cache.cacheDir,
+      rewriter.modes.has('assess') ? 'assess' : 'protect'
+    ),
+  );
+  logger.debug({ config }, 'Agent configuration');
+  return rewriteFile(filename);
+}
+
+if (require.main === module) {
+  program
+    .name('npx -p @contrast/cli rewrite')
+    .version(version)
+    .description('Rewrites application files, caching them so that rewriting does not need to occur when the application runs.')
+    .argument('<entrypoint>', 'The entrypoint for the application', entrypoint => path.resolve(entrypoint))
+    .option('-a, --assess', 'enable assess mode')
+    .action(action)
+    .parse(process.argv);
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/cli",
-  "version": "1.23.3",
+  "version": "1.25.0",
   "description": "A collection of agent related CLI utilities",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -9,6 +9,7 @@
   ],
   "bin": {
     "config-diagnostics": "lib/config-diagnostics.js",
+    "rewrite": "lib/rewrite.js",
     "system-diagnostics": "lib/system-diagnostics.js"
   },
   "engines": {
@@ -19,11 +20,14 @@
     "test": "../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/config": "1.26.2",
-    "@contrast/core": "1.30.0",
+    "@contrast/find-package-json": "^1.1.0",
+    "@contrast/rewriter": "1.7.0",
+    "@contrast/config": "1.27.0",
+    "@contrast/core": "1.31.0",
     "@contrast/logger": "1.8.0",
-    "@contrast/reporter": "1.25.1",
+    "@contrast/reporter": "1.26.0",
     "@contrast/scopes": "^1.4.0",
+    "@swc/core": "1.3.39",
     "commander": "^9.4.1"
   }
 }