@contrast/config 1.49.2 → 1.51.0

package/lib/common.js

@@ -45,7 +45,7 @@ const {
 } = require('@contrast/common');
 
 function coerceLowerCase(path) {
-  return function(remoteData) {
+  return function (remoteData) {
     const value = get(remoteData, path);
     if (value && isString(value)) return StringPrototypeToLowerCase.call(value);
   };

package/lib/config.js

@@ -12,13 +12,14 @@
  * engineered, modified, repackaged, sold, redistributed or otherwise used in a
  * way not consistent with the End User License Agreement.
  */
-
+// @ts-check
 'use strict';
 
 const process = require('process');
 const path = require('path');
 const fs = require('fs');
 const os = require('os');
+const merge = require('deepmerge');
 const yaml = require('yaml');
 const { Event, get, set, primordials: { ArrayPrototypeJoin, StringPrototypeToUpperCase, JSONParse } } = require('@contrast/common');
 const options = require('./options');
@@ -42,12 +43,14 @@ const OS_CONFIG_DIR = os.platform() === 'win32'
 const REDACTED_KEYS = ['api.api_key', 'api.service_key', 'api.token'];
 const OVERRIDABLE_SOURCES = [DEFAULT_VALUE, CONTRAST_UI];
 
+// Overwrites the existing array values completely rather than concatenating them.
+const arrayMerge = (target, source, options) => source;
 const isValid = (opt) => opt !== undefined && opt !== null && opt !== '';
 
 module.exports = class Config {
   constructor(core) {
     // internals
-    this._filepath = '';
+    this._filepaths = [];
     this._errors = [];
     this._effectiveMap = new Map();
     this._status = '';
@@ -74,6 +77,7 @@ module.exports = class Config {
       disabled_rules: ''
     };
     this.server = {};
+    this.preinstrument = false;
 
     // initialize
     this._build();
@@ -138,53 +142,65 @@ module.exports = class Config {
   }
 
   /**
-   * Returns the locations to search for configuration files. Being a function
-   * allows us to stub these locations within tests.
+   * Returns the locations to search for configuration files as an array of
+   * arrays where each inner array contains a set of files to be merged in order of precedence.
+   * Being a function allows us to stub these locations within tests.
    */
   _configDirs() {
-    return [
-      process.cwd(),
+    return [[
+      process.cwd()
+    ], [
       path.resolve(OS_CONFIG_DIR, 'node'),
       OS_CONFIG_DIR,
+    ], [
       path.resolve(HOME_CONFIG_DIR, 'node'),
       HOME_CONFIG_DIR,
-    ];
+    ]];
   }
 
   _initFile() {
     let fileConfig = {};
 
-    this._filepath = process.env[CONTRAST_CONFIG_PATH];
-
-    if (!this._filepath) {
-      for (const dir of this._configDirs()) {
-        const currentPath = path.resolve(dir, 'contrast_security.yaml');
-        if (fs.existsSync(currentPath)) {
-          this._filepath = currentPath;
-          break;
+    if (process.env[CONTRAST_CONFIG_PATH]) {
+      // deliberately ignore /dev/null (linux) and \\.\\nul (windows)
+      if (process.env[CONTRAST_CONFIG_PATH] === os.devNull) return fileConfig;
+
+      this._filepaths = [process.env[CONTRAST_CONFIG_PATH]];
+    } else {
+      for (const dirs of this._configDirs()) {
+        for (const dir of dirs) {
+          const currentPath = path.resolve(dir, 'contrast_security.yaml');
+          if (fs.existsSync(currentPath)) {
+            this._filepaths.push(currentPath);
+          }
         }
+        if (this._filepaths.length > 0) break;
       }
     }
 
-    const { _filepath } = this;
-
-    // deliberately ignore /dev/null (linux) and \\.\\nul (windows)
-    if (_filepath && _filepath !== os.devNull) {
+    for (const filepath of this._filepaths) {
       let fileContents;
 
       try {
-        fileContents = fs.readFileSync(_filepath, 'utf-8');
+        fileContents = fs.readFileSync(filepath, 'utf-8');
       } catch (e) {
-        const err = new Error(`Unable to read Contrast configuration file: '${_filepath}'`);
+        const err = new Error(`Unable to read Contrast configuration file: '${filepath}'`);
         err.cause = e;
         this._errors.push(err);
       }
 
       if (fileContents) {
         try {
-          fileConfig = yaml.parse(fileContents, { prettyErrors: true });
+          const yamlConfig = yaml.parse(fileContents, { prettyErrors: true });
+
+          if (yamlConfig.root) {
+            this._filepaths = [filepath];
+            return yamlConfig;
+          } else {
+            fileConfig = merge(yamlConfig, fileConfig, { arrayMerge });
+          }
         } catch (e) {
-          const err = new Error(`Contrast configuration file is malformed: '${_filepath}'`);
+          const err = new Error(`Contrast configuration file is malformed: '${filepath}'`);
           this._errors.push(err);
           err.cause = e;
         }
@@ -229,7 +245,11 @@ module.exports = class Config {
     }
 
     // this is not a common config value
-    this.setValue('preinstrument', !!process.env.CONTRAST_PREINSTRUMENT, ConfigSource.ENVIRONMENT_VARIABLE);
+    this.setValue(
+      'preinstrument',
+      !!process.env.CONTRAST_PREINSTRUMENT,
+      process.env.CONTRAST_PREINSTRUMENT ? ConfigSource.ENVIRONMENT_VARIABLE : ConfigSource.DEFAULT_VALUE,
+    );
   }
 
   _redact(name, value) {
@@ -247,7 +267,7 @@ module.exports = class Config {
     }
   }
 
-  getReport({ redact = true }) {
+  getReport({ redact = true, stringify = true } = {}) {
     const report = {
       report_create: new Date(),
       config: {
@@ -257,10 +277,12 @@ module.exports = class Config {
     const effective_config = [], environment_variable = [], contrast_ui = [];
 
     Array.from(this._effectiveMap.values()).forEach((v) => {
-      let { value, name, canonical_name, source } = v;
+      let { value } = v;
       if (value === null) return;
+
+      const { name, canonical_name, source } = v;
       if (redact) value = this._redact(name, value);
-      value = String(value);
+      if (stringify) value = String(value);
 
       effective_config.push({ value, name, canonical_name, source });
 

package/lib/index.d.ts

@@ -52,7 +52,7 @@ export interface ConfigOption<T> {
 }
 
 export interface Config {
-  _filepath: string;
+  _filepaths: string[];
   _effectiveMap: Map<string, EffectiveEntry<any>>;
   _errors: Error[];
   _status: string,
@@ -320,7 +320,7 @@ export interface Config {
   };
   getEffectiveSource(cannonicalName: string): string;
   getEffectiveValue<T = any>(cannonicalName: string): T;
-  getReport({ redact: boolean }): any;
+  getReport(opts?: { redact?: boolean, stringify?: boolean }): any;
   setValue<T = any>(name: string, value: T, source: string): void;
 }
 

package/lib/options.js

@@ -23,6 +23,31 @@ const path = require('path');
 const { Rule, primordials: { BufferFrom, BufferPrototypeToString, StringPrototypeReplace, StringPrototypeReplaceAll, StringPrototypeSplit, StringPrototypeToLowerCase, StringPrototypeToUpperCase, JSONParse } } = require('@contrast/common');
 const { ConfigSource: { DEFAULT_VALUE } } = require('./common');
 
+const CMD_IGNORE_LIST_DEFAULTS = [
+  '**/npm',
+  '**/npx',
+  '**/yarn',
+  '**/pnpm',
+
+  '**/.bin/next',
+  '**/node_modules/**/next/**',
+  '**/.bin/nuxi', // nuxt
+  '**/.bin/vite',
+  '**/.bin/astro',
+  '**/.bin/sv', // svelte
+  '**/.bin/webpack',
+  '**/node_modules/**/webpack-cli/**',
+  '**/.bin/rollup',
+  '**/.bin/parcel',
+  '**/@parcel/workers/**',
+  '**/.bin/babel',
+  '**/.bin/gulp',
+  '**/.bin/grunt',
+
+  '**/Visual Studio Code*/**',
+  '**/.vscode/**',
+];
+
 /**
  * Takes strings "true"|"t" or "false"|"f" (case insensitive) and return the appropriate boolean.
  * @param {boolean | string} value passed arg; never undefined or the function isn't called
@@ -160,7 +185,7 @@ const options = [
     name: 'api.token',
     arg: '<token>',
     desc: 'base64 encoded JSON object containing the `url`, `api_key`, `service_key`, and `user_name` config options, allowing them all to be set in a single variable.',
-    fn(value, cfg, source) {
+    fn: (value, cfg, source) => {
       try {
         // parse the base64 encoded value
         const parsed = JSONParse(BufferPrototypeToString.call(BufferFrom(value, 'base64'), 'utf8'));
@@ -194,25 +219,25 @@ const options = [
   },
   {
     name: 'api.certificate.ca_file',
-    description: 'Set the absolute or relative path to a CA for communication with the Contrast UI using a self-signed certificate.',
+    desc: 'Set the absolute or relative path to a CA for communication with the Contrast UI using a self-signed certificate.',
     arg: '<path>',
     fn: toAbsolutePath,
   },
   {
     name: 'api.certificate.cert_file',
-    description: 'Set the absolute or relative path to the Certificate PEM file for communication with the Contrast UI.',
+    desc: 'Set the absolute or relative path to the Certificate PEM file for communication with the Contrast UI.',
     arg: '<path>',
     fn: toAbsolutePath,
   },
   {
     name: 'api.certificate.key_file',
-    description: 'Set the absolute or relative path to the Key PEM file for communication with the Contrast UI.',
+    desc: 'Set the absolute or relative path to the Key PEM file for communication with the Contrast UI.',
     arg: '<path>',
     fn: toAbsolutePath,
   },
   {
     name: 'api.certificate.ignore_cert_errors',
-    description: 'When set to `true`, the agent ignores certificate verification errors when the agent communicates with the Contrast UI.',
+    desc: 'When set to `true`, the agent ignores certificate verification errors when the agent communicates with the Contrast UI.',
     arg: '[true]',
     default: false,
   },
@@ -470,14 +495,14 @@ Example - \`/opt/Contrast/contrast.log\` creates a log in the \`/opt/Contrast\`
     name: 'agent.node.cmd_ignore_list',
     arg: '<commands>',
     default: '',
-    fn: (arg) => StringPrototypeSplit.call(arg, ',').filter((v) => v),
-    desc: 'comma-separated list of commands that will not startup the agent if agent is required; npm* will ignore all npm executables but not your application\'s scripts'
+    fn: (arg) => [...CMD_IGNORE_LIST_DEFAULTS, ...StringPrototypeSplit.call(arg, /,(?![^{]*}|[^[]*\])/g).filter((v) => v)],
+    desc: "Comma-separated list of glob patterns that will prevent instrumentation when matched in node's arguments."
   },
   {
     // SEE NODE-2886
     name: 'agent.node.exclusive_entrypoint',
     arg: '<entrypoint.js>',
-    desc: 'an entrypoint for an application that, when specified, will prevent the agent instrumenting on anything else'
+    desc: 'An entrypoint for an application that, when specified, will force the agent to instrument and prevent the agent instrumenting anything else. Resolved relative to `app_root` if set or the current working directory otherwise.'
   },
   {
     name: 'agent.node.rewrite.enable',

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/config",
-  "version": "1.49.2",
+  "version": "1.51.0",
   "description": "An API for discovering Contrast agent configuration data",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -14,14 +14,15 @@
   "types": "lib/index.d.ts",
   "engines": {
     "npm": ">=6.13.7 <7 || >= 8.3.1",
-    "node": ">= 16.9.1"
+    "node": ">= 18.7.0"
   },
   "scripts": {
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.34.2",
-    "@contrast/core": "1.54.2",
+    "@contrast/common": "1.36.0",
+    "@contrast/core": "1.56.0",
+    "deepmerge": "^4.3.1",
     "yaml": "^2.2.2"
   }
 }