@contrast/config 1.33.0 → 1.34.0

package/lib/common.js

@@ -39,8 +39,18 @@ const {
     UNTRUSTED_DESERIALIZATION,
     XXE,
   },
+  primordials: { StringPrototypeToLowerCase },
+  get,
+  isString,
 } = require('@contrast/common');
 
+function coerceLowerCase(path) {
+  return function(remoteData) {
+    const value = get(remoteData, path);
+    if (value && isString(value)) return StringPrototypeToLowerCase.call(value);
+  };
+}
+
 function protectModeReader(ruleId) {
   return function (msg) {
     const remoteSetting = msg?.protect?.rules?.[ruleId];
@@ -62,20 +72,11 @@ const ConfigSource = {
   USER_CONFIGURATION_FILE: 'USER_CONFIGURATION_FILE',
 };
 
+// these should return `undefined` if there is no remote value corresponding to the effective config name.
 const mappings = {
-  // server features
-  'agent.logger.level': (remoteData) => remoteData.logger?.level?.toLowerCase?.(),
-  'agent.logger.path': (remoteData) => remoteData.logger?.path,
-  'application.session_id': (remoteData) => remoteData?.settings?.assessment?.session_id,
-  'agent.security_logger.syslog.enable': (remoteData) => remoteData.security_logger?.syslog?.enable,
-  'agent.security_logger.syslog.ip': (remoteData) => remoteData.security_logger?.syslog?.ip,
-  'agent.security_logger.syslog.port': (remoteData) => remoteData.security_logger?.syslog?.port,
-  'agent.security_logger.syslog.facility': (remoteData) => remoteData.security_logger?.syslog?.facility,
-  'agent.security_logger.syslog.severity_exploited': (remoteData) => remoteData.security_logger?.syslog?.severity_exploited?.toLowerCase(),
-  'agent.security_logger.syslog.severity_blocked': (remoteData) => remoteData.security_logger?.syslog?.severity_blocked?.toLowerCase(),
-  'agent.security_logger.syslog.severity_probed': (remoteData) => remoteData.security_logger?.syslog?.severity_probed?.toLowerCase(),
+  // application-create
+  'application.session_id': (remoteData) => remoteData.settings?.assessment?.session_id,
   // application settings
-  'assess.enable': (remoteData) => remoteData.assess?.enable,
   'protect.enable': (remoteData) => remoteData.protect?.enable,
   'protect.rules.cmd-injection.mode': protectModeReader(CMD_INJECTION),
   'protect.rules.cmd-injection-command-backdoors.mode': protectModeReader(CMD_INJECTION_COMMAND_BACKDOORS),
@@ -92,6 +93,27 @@ const mappings = {
   'protect.rules.unsafe-file-upload.mode': protectModeReader(UNSAFE_FILE_UPLOAD),
   'protect.rules.untrusted-deserialization.mode': protectModeReader(UNTRUSTED_DESERIALIZATION),
   'protect.rules.xxe.mode': protectModeReader(XXE),
+  // server features
+  'assess.enable': (remoteData) => remoteData.assess?.enable,
+  'assess.probabilistic_sampling.enable': (remoteData) => remoteData.assess?.sampling?.enable,
+  'assess.probabilistic_sampling.base_probability': (remoteData) => {
+    const request_frequency = remoteData.assess?.sampling?.request_frequency;
+    if (request_frequency > 0) {
+      const baseProbability = 1 / request_frequency;
+      if (!isNaN(baseProbability)) return baseProbability;
+    }
+  },
+  'agent.logger.level': coerceLowerCase('logger.level'),
+  'agent.logger.path': (remoteData) => remoteData.logger?.path,
+  'agent.security_logger.syslog.enable': (remoteData) => remoteData.security_logger?.syslog?.enable,
+  'agent.security_logger.syslog.ip': (remoteData) => remoteData.security_logger?.syslog?.ip,
+  'agent.security_logger.syslog.port': (remoteData) => remoteData.security_logger?.syslog?.port,
+  'agent.security_logger.syslog.facility': (remoteData) => remoteData.security_logger?.syslog?.facility,
+  'agent.security_logger.syslog.severity_exploited': coerceLowerCase('security_logger.syslog.severity_exploited'),
+  'agent.security_logger.syslog.severity_blocked': coerceLowerCase('security_logger.syslog.severity_blocked'),
+  'agent.security_logger.syslog.severity_probed': coerceLowerCase('security_logger.syslog.severity_probed'),
+  'server.environment': (remoteData) => remoteData.environment,
+
 };
 
 /*

package/lib/common.test.js

@@ -0,0 +1,183 @@
+'use strict';
+
+const { expect } = require('chai');
+const { ProtectRuleMode } = require('@contrast/common');
+const { mappings } = require('./common');
+
+describe('config effective value mappings', function () {
+  describe('"simple" mappings', function() {
+    const simplyMappedNames = [
+      'assess.enable',
+      'agent.logger.path',
+      'agent.security_logger.syslog.enable',
+      'agent.security_logger.syslog.ip',
+      'agent.security_logger.syslog.port',
+      'agent.security_logger.syslog.facility',
+      'server.environment',
+      'protect.enable',
+    ];
+
+    it('"simple" mappings will return any value for corresponding remote setting (todo: validation for each)', function () {
+      ['', 'foo', null, 0.3, 3, {}, [], true, false].forEach((val) => {
+        const remoteData = {
+          // server
+          assess: {
+            enable: val,
+            sampling: { enable: val }
+          },
+          logger: {
+            path: val,
+          },
+          security_logger: {
+            syslog: {
+              enable: val,
+              ip: val,
+              port: val,
+              facility: val,
+              serverity_exploited: val,
+              serverity_blocked: val,
+              exploited_probed: val,
+            }
+          },
+          environment: val,
+          // app
+          protect: {
+            enable: val,
+          },
+        };
+
+        for (const name of simplyMappedNames) {
+          const result = mappings[name](remoteData);
+          expect(result).to.equal(val);
+        }
+      });
+    });
+
+    it('"simple" mappings will return `undefined` if there is no corresponding remote setting', function () {
+      for (const name of simplyMappedNames) {
+        expect(mappings[name]({})).to.equal(undefined);
+      }
+    });
+  });
+
+  describe('maps \'assess.probabilistic_sampling.base_probability\'', function() {
+    [
+      {
+        desc: 'sets value by inverting request_frequency',
+        remoteData: {
+          assess: { sampling: { request_frequency: 20 } }
+        },
+        expected: 1 / 20,
+      },
+      {
+        desc: 'ignores and returns undefined if request_frequency is 0',
+        remoteData: {
+          assess: { sampling: { request_frequency: 0 } }
+        },
+        expected: undefined,
+      },
+      {
+        desc: 'ignores and returns undefined if calculating probability gives NaN',
+        remoteData: {
+          assess: { sampling: { request_frequency: 'forty five' } }
+        },
+        expected: undefined,
+      },
+      {
+        desc: 'ignores and returns undefined if value is negative',
+        remoteData: {
+          assess: { sampling: { request_frequency: -12 } }
+        },
+        expected: undefined,
+      },
+    ].forEach(({ desc, remoteData, expected }) => {
+      it(desc, function() {
+        expect(mappings['assess.probabilistic_sampling.base_probability'](remoteData)).to.equal(expected);
+      });
+    });
+  });
+
+  describe('maps Protect rule modes', function() {
+    [
+      {
+        tsValue: 'OFF',
+        expected: ProtectRuleMode.OFF,
+      },
+      {
+        tsValue: 'MONITORING',
+        expected: ProtectRuleMode.MONITOR,
+      },
+      {
+        tsValue: 'BLOCKING',
+        expected: ProtectRuleMode.BLOCK,
+      },
+      {
+        tsValue: 'BLOCK_AT_PERIMETER',
+        expected: ProtectRuleMode.BLOCK_AT_PERIMETER,
+      },
+      {
+        tsValue: 'FOO',
+        expected: undefined
+      },
+    ].forEach(({ desc, tsValue, expected }) => {
+      [
+        'protect.rules.cmd-injection.mode',
+        'protect.rules.cmd-injection-command-backdoors.mode',
+        'protect.rules.cmd-injection-semantic-chained-commands.mode',
+        'protect.rules.cmd-injection-semantic-dangerous-paths.mode',
+        'protect.rules.method-tampering.mode',
+        'protect.rules.nosql-injection.mode',
+        'protect.rules.nosql-injection-mongo.mode',
+        'protect.rules.path-traversal.mode',
+        'protect.rules.path-traversal-semantic-file-security-bypass.mode',
+        'protect.rules.reflected-xss.mode',
+        'protect.rules.sql-injection.mode',
+        'protect.rules.ssjs-injection.mode',
+        'protect.rules.unsafe-file-upload.mode',
+        'protect.rules.untrusted-deserialization.mode',
+        'protect.rules.xxe.mode',
+      ].forEach((fullName) => {
+        const ruleName = /rules\.(.*)\.mode/.exec(fullName)[1];
+        it(`sets ${ruleName} to ${expected} when value is ${tsValue}`, function() {
+          expect(mappings[fullName]({
+            protect: {
+              rules: {
+                [ruleName]: { mode: tsValue },
+              }
+            }
+          })).to.equal(expected);
+        });
+      });
+    });
+  });
+
+  describe('maps security logger severity levels (lowercase)', function() {
+    [
+      {
+        tsValue: 'FOO',
+        expected: 'foo',
+      },
+      {
+        tsValue: '',
+        expected: undefined,
+      }
+    ].forEach(({ tsValue, expected }) => {
+      [
+        'agent.security_logger.syslog.severity_exploited',
+        'agent.security_logger.syslog.severity_blocked',
+        'agent.security_logger.syslog.severity_probed',
+      ].forEach((fullName) => {
+        const severity = fullName.substr(fullName.lastIndexOf('.') + 1);
+        it(`maps to ${expected} when tsValue is ${tsValue}`, function() {
+          expect(mappings[fullName]({
+            security_logger: {
+              syslog: {
+                [severity]: tsValue,
+              },
+            }
+          })).to.equal(expected);
+        });
+      });
+    });
+  });
+});

package/lib/config.js

@@ -20,7 +20,7 @@ const path = require('path');
 const fs = require('fs');
 const os = require('os');
 const yaml = require('yaml');
-const { Event, get, set } = require('@contrast/common');
+const { Event, get, set, primordials: { ArrayPrototypeJoin, BufferPrototypeToString, StringPrototypeToUpperCase, JSONParse } } = require('@contrast/common');
 const options = require('./options');
 const {
   ConfigSource: {
@@ -74,7 +74,7 @@ module.exports = class Config {
 
     // report all the errors found during initialization.
     if (this._errors.length) {
-      const errors = this._errors.map((e, ix) => `${ix + 1}) ${e.message}`).join('; ');
+      const errors = ArrayPrototypeJoin.call(this._errors.map((e, ix) => `${ix + 1}) ${e.message}`), '; ');
       throw new Error(`Errors found in configuration ${errors}`);
     }
 
@@ -104,7 +104,7 @@ module.exports = class Config {
       let parsedEnv;
 
       try {
-        parsedEnv = JSON.parse(env.pm2_env);
+        parsedEnv = JSONParse(env.pm2_env);
       } catch (_err) {
         const err = new Error(`Unable to parse pm2 environment variable: '${env.pm2_env}'`);
         err.cause = _err;
@@ -122,7 +122,7 @@ module.exports = class Config {
     }
 
     return Object.entries(env).reduce((acc, [key, val]) => {
-      const name = key.toUpperCase();
+      const name = StringPrototypeToUpperCase.call(key);
       if (name.startsWith('CONTRAST_')) {
         acc[name] = val;
       }
@@ -165,7 +165,7 @@ module.exports = class Config {
       let fileContents;
 
       try {
-        fileContents = fs.readFileSync(_filepath).toString('utf-8');
+        fileContents = BufferPrototypeToString.call(fs.readFileSync(_filepath), 'utf-8');
       } catch (e) {
         const err = new Error(`Unable to read Contrast configuration file: '${_filepath}'`);
         err.cause = e;

package/lib/index.test.js

@@ -371,11 +371,12 @@ describe('config', function () {
       // there needs to be a valid config file or env var set so config doesn't throw
       // an error.
       process.env.CONTRAST_CONFIG_PATH = path.resolve(__dirname, '../../test/fixtures/protect_contrast_security.yaml');
+      //process.env.CONTRAST__PROTECT__RULES__DISABLED_RULES = 'cmd-injection,sql-injection';
       config = require('.')(core);
 
       config.setValue('contrast_config_path', path.resolve(__dirname, '../../test/fixtures/protect_contrast_security.yaml'), ENVIRONMENT_VARIABLE);
       config.setValue('contrast__agent__stack_trace_limit', 20, ENVIRONMENT_VARIABLE);
-      config.setValue('contrast.protect.rules.disabled_rules', ['cmd-injection', 'sql-injection'], ENVIRONMENT_VARIABLE);
+      config.setValue('protect.rules.disabled_rules', ['cmd-injection', 'sql-injection'], ENVIRONMENT_VARIABLE);
       config.setValue('api.enable', true, ENVIRONMENT_VARIABLE);
       config.setValue('api.api_key', 'ABCDEFGHIJ', ENVIRONMENT_VARIABLE);
       config.setValue('api.service_key', 'KLMNOPQRST', ENVIRONMENT_VARIABLE);
@@ -407,11 +408,12 @@ describe('config', function () {
         const {
           config: {
             effective_config,
+            environment_variable,
           }
         } = result;
 
         expect(result.config).to.have.property('status', 'Success');
-        expect(effective_config).to.deep.include(
+        const expectedResults = [
           {
             canonical_name: 'api.enable',
             name: 'api.enable',
@@ -422,13 +424,13 @@ describe('config', function () {
             canonical_name: 'api.api_key',
             name: 'api.api_key',
             source: 'ENVIRONMENT_VARIABLE',
-            value: 'contrast-redacted-api.api_key',
+            value: 'ABCDEFGHIJ',
           },
           {
             canonical_name: 'api.service_key',
             name: 'api.service_key',
             source: 'ENVIRONMENT_VARIABLE',
-            value: 'contrast-redacted-api.service_key',
+            value: 'KLMNOPQRST',
           },
           {
             canonical_name: 'api.proxy.enable',
@@ -496,7 +498,37 @@ describe('config', function () {
             value: '150',
             source: 'DEFAULT_VALUE'
           }
-        );
+        ];
+
+        const failures = [];
+        let effective;
+        let envs;
+        const envFailures = [];
+
+        for (const expected of expectedResults) {
+          effective = effective_config.filter(i => i.canonical_name === expected.canonical_name);
+          expect(effective).an('array').lengthOf(1); // eslint-disable-line
+          effective = effective[0];
+          try {
+            expect(expected).to.deep.equal(effective);
+          } catch (e) {
+            failures.push({ expected, actual: effective });
+          }
+          if (expected.source !== 'ENVIRONMENT_VARIABLE') continue;
+
+          envs = environment_variable.filter(i => i.canonical_name === expected.canonical_name);
+          expect(envs).an('array')
+            .lengthOf(1, `Expected to find ${expected.name} in environment_variable`);
+          envs = envs[0];
+          try {
+            expect(expected).to.deep.equal(envs);
+          } catch (e) {
+            envFailures.push({ expected, actual: envs });
+          }
+        }
+        // this provides a useful error message
+        expect(failures).eql([]);
+        expect(envFailures).eql([]);
       });
 
       it('stringifies values and redacts api keys when `redact` is set to true', function () {
@@ -504,11 +536,13 @@ describe('config', function () {
         const {
           config: {
             effective_config,
+            environment_variable,
           }
         } = result;
 
         expect(result.config).to.have.property('status', 'Success');
-        expect(effective_config).to.deep.include(
+
+        const expectedResults = [
           {
             canonical_name: 'api.enable',
             name: 'api.enable',
@@ -593,7 +627,37 @@ describe('config', function () {
             value: '150',
             source: 'DEFAULT_VALUE'
           }
-        );
+        ];
+
+        const failures = [];
+        let effective;
+        let envs;
+        const envFailures = [];
+
+        for (const expected of expectedResults) {
+          effective = effective_config.filter(i => i.canonical_name === expected.canonical_name);
+          expect(effective).an('array').lengthOf(1); // eslint-disable-line
+          effective = effective[0];
+          try {
+            expect(expected).to.deep.equal(effective);
+          } catch (e) {
+            failures.push({ expected, actual: effective });
+          }
+          if (expected.source !== 'ENVIRONMENT_VARIABLE') continue;
+
+          envs = environment_variable.filter(i => i.canonical_name === expected.canonical_name);
+          expect(envs).an('array')
+            .lengthOf(1, `Expected to find ${expected.name} in environment_variable`);
+          envs = envs[0];
+          try {
+            expect(expected).to.deep.equal(envs);
+          } catch (e) {
+            envFailures.push({ expected, actual: envs });
+          }
+        }
+        // this provides a useful error message
+        expect(failures).eql([]);
+        expect(envFailures).eql([]);
       });
     });
   });

package/lib/options.js

@@ -20,7 +20,7 @@
 const os = require('os');
 const url = require('url');
 const path = require('path');
-const { Rule } = require('@contrast/common');
+const { Rule, primordials: { BufferFrom, BufferPrototypeToString, StringPrototypeReplace, StringPrototypeReplaceAll, StringPrototypeSplit, StringPrototypeToLowerCase, StringPrototypeToUpperCase, JSONParse } } = require('@contrast/common');
 const { ConfigSource: { DEFAULT_VALUE } } = require('./common');
 
 /**
@@ -33,7 +33,7 @@ function castBoolean(value) {
   if (type !== 'string' && type !== 'boolean') {
     return;
   }
-  value = value.toString().toLowerCase();
+  value = StringPrototypeToLowerCase.call(value.toString());
   return value === 'true' || value === 't'
     ? true
     : value === 'false' || value === 'f'
@@ -61,11 +61,11 @@ function clearBaseCase(val) {
 const split = (val) => {
   if (val === '') return [];
   if (val === undefined) return val;
-  return val.split(',');
+  return StringPrototypeSplit.call(val, ',');
 };
 
-const uppercase = (val = '') => clearBaseCase(`${val}`.toUpperCase());
-const lowercase = (val = '') => clearBaseCase(`${val}`.toLowerCase());
+const uppercase = (val = '') => clearBaseCase(`${StringPrototypeToUpperCase.call(val)}`);
+const lowercase = (val = '') => clearBaseCase(`${StringPrototypeToLowerCase.call(val)}`);
 const parseNum = (val) => {
   const float = parseFloat(val);
   return clearBaseCase(Math.ceil(float));
@@ -129,7 +129,7 @@ const options = [
 
       if (uri.pathname) {
         // kill trailling /
-        uri.pathname = uri.pathname.replace(/\/+$/, '');
+        uri.pathname = StringPrototypeReplace.call(uri.pathname, /\/+$/, '');
 
         if (!uri.pathname.endsWith('Contrast')) {
           uri.pathname += 'Contrast';
@@ -163,7 +163,7 @@ const options = [
     fn(value, cfg, source) {
       try {
         // parse the base64 encoded value
-        const parsed = JSON.parse(Buffer.from(value, 'base64').toString('utf8'));
+        const parsed = JSONParse(BufferPrototypeToString.call(BufferFrom(value, 'base64'), 'utf8'));
         // set the top level `api` keys only if they aren't already present.
         // since this value comes after the others, they should be set first if present in the config file or environment.
         ['url', 'api_key', 'service_key', 'user_name'].forEach(key => {
@@ -439,7 +439,7 @@ Example - \`/opt/Contrast/contrast.log\` creates a log in the \`/opt/Contrast\`
     name: 'agent.node.cmd_ignore_list',
     arg: '<commands>',
     default: '',
-    fn: (arg) => arg.split(',').filter((v) => v),
+    fn: (arg) => StringPrototypeSplit.call(arg, ',').filter((v) => v),
     desc: 'comma-separated list of commands that will not startup the agent if agent is required; npm* will ignore all npm executables but not your application\'s scripts'
   },
   {
@@ -533,6 +533,29 @@ Example - \`/opt/Contrast/contrast.log\` creates a log in the \`/opt/Contrast\`
     fn: castBoolean,
     desc: 'Include this property to determine if the Assess feature should be enabled. If this property is not present, the decision is delegated to the Contrast UI.',
   },
+  {
+    name: 'assess.probabilistic_sampling.enable',
+    arg: '[true]',
+    default: false,
+    fn: castBoolean,
+    desc: 'Set to true to enable sampling of requests for dataflow and other Assess features',
+  },
+  {
+    name: 'assess.probabilistic_sampling.base_probability',
+    arg: '<probability>',
+    fn: (val) => {
+      const p = parseFloat(val);
+      if (p >= 0 && p <= 1) return p;
+
+      if (val && val != 'undefined') {
+        throw new Error('Invalid option: assess.probabilistic_sampling.base_probability', {
+          cause: `${val} is not not in interval 0 <= p <= 1. value as float: ${p}`
+        });
+      }
+    },
+    default: 0.01,
+    desc: 'A value p within the interval [0, 1]. Each request will share same probability p of being sampled.',
+  },
   {
     name: 'assess.tags',
     arg: '<tags>',
@@ -686,10 +709,11 @@ Example - \`label1, label2, label3\``,
     fn: castBoolean,
     desc: 'Set to `false` to disable detection of cloud provider metadata such as resource identifiers.'
   },
-].map((opt) => Object.assign(opt, {
-  env: `CONTRAST__${opt.name.toUpperCase().replaceAll('.', '__')
-    .replaceAll('-', '_')}`
-}));
+].map((opt) => {
+  let env = StringPrototypeReplaceAll.call(StringPrototypeToUpperCase.call(opt.name), '.', '__');
+  env = StringPrototypeReplaceAll.call(env, '-', '_');
+  return Object.assign(opt, { env: `CONTRAST__${env}` });
+});
 
 module.exports = options;
 module.exports.clearBaseCase = clearBaseCase;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/config",
-  "version": "1.33.0",
+  "version": "1.34.0",
   "description": "An API for discovering Contrast agent configuration data",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -17,7 +17,7 @@
     "test": "../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.25.0",
+    "@contrast/common": "1.26.0",
     "yaml": "^2.2.2"
   }
 }