npm - @contrast/cli - Versions diffs - 1.24.0 → 1.25.0 - Mend

@contrast/cli 1.24.0 → 1.25.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md ADDED Viewed

@@ -0,0 +1,26 @@
+# @contrast/cli
+## Installation
+```sh
+npm install @contrast/cli # optional, `npx` will install the package otherwise.
+npx -p @contrast/cli <command>
+```
+## Commands
+### rewrite
+```
+Usage: npx -p @contrast/cli rewrite [options] <entrypoint>
+Rewrites application files, caching them so that rewriting does not need to occur when the application runs.
+Arguments:
+  entrypoint     The entrypoint for the application
+Options:
+  -V, --version  output the version number
+  -a, --assess   enable assess mode
+  -h, --help     display help for command
+```

package/lib/rewrite.js ADDED Viewed

@@ -0,0 +1,193 @@
+#!/usr/bin/env node
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+// @ts-check
+'use strict';
+const { readFile } = require('node:fs/promises');
+const { createRequire } = require('node:module');
+const path = require('node:path');
+const swc = require('@swc/core');
+const { Visitor } = require('@swc/core/Visitor');
+const { findPackageJson } = require('@contrast/find-package-json');
+const { program } = require('commander');
+const { version } = require('../package.json');
+const JS_FILE_REGEX = /\.[cm]?js$/;
+/** @type {any} */
+const core = {};
+require('@contrast/core/lib/messages')(core);
+const config = require('@contrast/config')(core);
+if (core.config._errors?.length) throw core.config._errors[0];
+const logger = require('@contrast/logger').default(core, { name: 'contrast:rewriter:cli' });
+if (!config.agent.node.rewrite.enable || !config.agent.node.rewrite.cache.enable) {
+  logger.warn({ 'config.agent.node.rewrite': config.agent.node.rewrite }, 'rewriter config');
+  throw new Error('Rewriting disabled.');
+}
+const appInfo = require('@contrast/core/lib/app-info')(core);
+if (appInfo._errors?.length) throw appInfo._errors[0];
+const rewriter = require('@contrast/rewriter')(core);
+/**
+ * Keeps track of visited files so we don't bother rewriting multiple times.
+ * @type {Set<string>}
+ */
+const visited = new Set();
+/** @param {string} filename absolute path */
+async function isModuleFile(filename) {
+  // if the file extension specifies the type, there's no need to do extra IO
+  const ext = path.extname(filename);
+  if (ext === '.mjs') {
+    return true;
+  }
+  if (ext === '.cjs') {
+    return false;
+  }
+  // check for type: 'module' in a file's package json, otherwise assume CJS.
+  try {
+    const pkg = await findPackageJson({ cwd: filename });
+    if (pkg && JSON.parse((await readFile(pkg)).toString()).type === 'module') {
+      return true;
+    }
+  } catch {
+    return false;
+  }
+  return false;
+}
+class RewriteVisitor extends Visitor {
+  /** @param {string} filename */
+  constructor(filename) {
+    super();
+    visited.add(filename);
+    /**
+     * Create a local `require` function so we can resolve relative filenames.
+     * @type {NodeRequire}
+     */
+    this.require = createRequire(filename);
+  }
+  /**
+   * Visit `import ... from 'source'`, recursively rewriting the resolved path
+   * of `source`.
+   * @param {swc.ImportDeclaration} n
+   */
+  visitImportDeclaration(n) {
+    try {
+      const filename = this.require.resolve(n.source.value);
+      if (path.isAbsolute(filename)) {
+        rewriteFile(filename);
+      }
+    } catch (err) {
+      logger.debug({ n, err }, 'unable to resolve %s', n.source.value);
+    }
+    return super.visitImportDeclaration(n);
+  }
+  /**
+   * Visits `import(...)` or `require(...)` call expressions, recursively
+   * rewriting the resolved path of the first argument if it's a string literal.
+   * @param {swc.CallExpression} n
+   */
+  visitCallExpression(n) {
+    if (n.callee.type === 'Import' || (n.callee.type === 'Identifier' && n.callee.value === 'require')) {
+      const { expression } = n.arguments[0];
+      if (expression.type === 'StringLiteral') {
+        try {
+          const filename = this.require.resolve(expression.value);
+          if (path.isAbsolute(filename)) {
+            rewriteFile(filename);
+          }
+        } catch (err) {
+          logger.debug({ n, err }, 'unable to resolve %s', expression.value);
+        }
+      }
+    }
+    return super.visitCallExpression(n);
+  }
+}
+/** @param {string} filename */
+async function rewriteFile(filename) {
+  if (!JS_FILE_REGEX.test(filename) || visited.has(filename)) return;
+  try {
+    const content = (await readFile(filename)).toString();
+    const isModule = await isModuleFile(filename);
+    const result = await rewriter.rewrite(content, {
+      filename,
+      isModule,
+      inject: true,
+      wrap: !isModule,
+      trim: false,
+    });
+    rewriter.cache.write(filename, result);
+    /** @type {swc.Module | swc.Script} */
+    const program = await swc.parse(content, {
+      // @ts-expect-error swc types expect a literal, not an arbitrary boolean.
+      isModule
+    });
+    const visitor = new RewriteVisitor(filename);
+    visitor.visitProgram(program);
+  } catch (err) {
+    logger.debug({ err }, 'unable to parse or rewrite %s', filename);
+  }
+}
+/**
+ * @param {string} filename
+ * @param {object} opts
+ * @param {boolean=} opts.assess
+ */
+async function action(filename, opts) {
+  if (config.assess.enable || opts.assess) rewriter.install('assess');
+  // If we're rewriting, we're always at least in protect mode.
+  rewriter.install('protect');
+  logger.info(
+    'Caching rewriter results to %s',
+    path.join(
+      rewriter.cache.cacheDir,
+      rewriter.modes.has('assess') ? 'assess' : 'protect'
+    ),
+  );
+  logger.debug({ config }, 'Agent configuration');
+  return rewriteFile(filename);
+}
+if (require.main === module) {
+  program
+    .name('npx -p @contrast/cli rewrite')
+    .version(version)
+    .description('Rewrites application files, caching them so that rewriting does not need to occur when the application runs.')
+    .argument('<entrypoint>', 'The entrypoint for the application', entrypoint => path.resolve(entrypoint))
+    .option('-a, --assess', 'enable assess mode')
+    .action(action)
+    .parse(process.argv);
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/cli",
-  "version": "1.24.0",
+  "version": "1.25.0",
   "description": "A collection of agent related CLI utilities",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -9,6 +9,7 @@
   ],
   "bin": {
     "config-diagnostics": "lib/config-diagnostics.js",
+    "rewrite": "lib/rewrite.js",
     "system-diagnostics": "lib/system-diagnostics.js"
   },
   "engines": {
@@ -19,11 +20,14 @@
     "test": "../scripts/test.sh"
   },
   "dependencies": {
+    "@contrast/find-package-json": "^1.1.0",
+    "@contrast/rewriter": "1.7.0",
     "@contrast/config": "1.27.0",
     "@contrast/core": "1.31.0",
     "@contrast/logger": "1.8.0",
     "@contrast/reporter": "1.26.0",
     "@contrast/scopes": "^1.4.0",
+    "@swc/core": "1.3.39",
     "commander": "^9.4.1"
   }
 }