@contrast/core 1.2.0 → 1.3.0

package/lib/capture-stacktrace.js

@@ -142,9 +142,7 @@ class StacktraceFactory {
    * @returns {}
    */
   static makeFrame(callsite) {
-    let evalOrigin;
-    let file;
-    let lineNumber;
+    let evalOrigin, file, lineNumber, method, type;
 
     if (callsite.isEval()) {
       evalOrigin = StacktraceFactory.formatFileName(callsite.getEvalOrigin());
@@ -154,13 +152,15 @@ class StacktraceFactory {
     file = file || callsite.getFileName();
     lineNumber = lineNumber || callsite.getLineNumber();
 
-    return {
-      eval: evalOrigin,
-      file,
-      lineNumber,
-      method: callsite.getFunctionName(),
-      type: callsite.getTypeName()
-    };
+    method = callsite.getFunctionName();
+    type = callsite.getTypeName();
+
+    if (method === null && type === 'Object') {
+      method = '<anonymous>';
+      type = null;
+    }
+
+    return { eval: evalOrigin, file, lineNumber, method, type };
   }
 
   static formatFileName(fileName = '') {

package/lib/index.js

@@ -22,10 +22,10 @@ module.exports = function init(core = {}) {
 
   require('@contrast/config')(core);
   require('@contrast/logger').default(core);
+  require('./sensitive-data-masking')(core);
   require('./app-info')(core);
   require('./is-agent-path')(core);
   require('./capture-stacktrace')(core);
-  require('./cli-rewriter')(core);
   require('@contrast/patcher')(core);
   require('@contrast/rewriter')(core);
   require('@contrast/dep-hooks')(core);

package/lib/{cli-rewriter/index.js → sensitive-data-masking/constants.js}

@@ -15,25 +15,6 @@
 
 'use strict';
 
-module.exports = function(deps) {
-  const cliRewriter = deps.cliRewriter = async function (preHook) {
-    // fix this - config doesn't resolve this properly for this cli use case
-    deps.config.entrypoint = process.argv[2];
-
-    require('./dependency-rewriter')(deps);
-
-    /*
-     * Callers just need to set up their rewriter policy e.g.
-     * deps.depHooks.rewriting.install()
-     * deps.assess.rewriting.install()
-     */
-    preHook(deps);
-
-    // once clients configure their stuff
-    await deps.dependencyRewriter.rewrite();
-
-    deps.logger.info('done');
-  };
-
-  return cliRewriter;
+module.exports = {
+  CONTRAST_REDACTED: 'contrast-redacted',
 };

package/lib/sensitive-data-masking/index.js

@@ -0,0 +1,69 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { Event, simpleTraverse } = require('@contrast/common');
+const { CONTRAST_REDACTED } = require('./constants');
+
+module.exports = function(core) {
+  const {
+    logger,
+    messages
+  } = core;
+
+  const idMap = new Map();
+  const keywordSets = [];
+
+  function getRedactedText(key) {
+    key = key.toLowerCase();
+    for (const set of keywordSets) {
+      if (set.has(key)) {
+        return `${CONTRAST_REDACTED}-${idMap.get(set)}`;
+      }
+    }
+  }
+
+  function traverseAndMask(target) {
+    let redactedText;
+    if (!target) return;
+
+    simpleTraverse(target, (path, type, value, obj) => {
+      if (type === 'Key') {
+        redactedText = getRedactedText(value);
+        if (redactedText) {
+          obj[value] = redactedText;
+          redactedText = undefined;
+        }
+      }
+    });
+  }
+
+  const sensitiveDataMasking = core.sensitiveDataMasking = {
+    policy: {
+      idMap,
+      keywordSets,
+      maskHttpBody: false,
+      maskAttackVector: false,
+    },
+    getRedactedText,
+    traverseAndMask
+  };
+
+  require('./server-settings-listener')(core);
+  require('./protect-listener')(core);
+
+  return sensitiveDataMasking;
+};

package/lib/sensitive-data-masking/protect-listener.js

@@ -0,0 +1,99 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { URLSearchParams } = require('url');
+const { Event } = require('@contrast/common');
+
+const { CONTRAST_REDACTED } = require('./constants');
+
+module.exports = function(core) {
+  const {
+    messages,
+    logger,
+    sensitiveDataMasking: {
+      policy,
+      getRedactedText,
+      traverseAndMask
+    }
+  } =  core;
+
+  messages.on(Event.PROTECT, (msg) => {
+    if (!msg.protect || !policy.keywordSets.length) {
+      return;
+    }
+
+    logger.trace(`masking sensitive fields in ${Event.PROTECT} message`);
+
+    if (policy.maskHttpBody) {
+      msg.protect.parsedBody = `${CONTRAST_REDACTED}-body`;
+    } else {
+      traverseAndMask(msg.protect?.parsedBody);
+    }
+
+    traverseAndMask(msg.protect?.parsedCookies);
+    traverseAndMask(msg.protect?.parsedQuery);
+
+    // Do parsed URL path params and urlPath together
+    const params = msg.protect?.parsedParams;
+    if (params) {
+      for (const [key, value] of Object.entries(params)) {
+        const redactedText = getRedactedText(key);
+        if (redactedText) {
+          const encoded = encodeURIComponent(value);
+          msg.protect.reqData.uriPath = msg.protect.reqData.uriPath.replace(encoded, redactedText);
+          msg.protect.parsedParams[key] = redactedText;
+        }
+      }
+    }
+
+    // raw headers
+    const headers = msg.protect?.reqData.headers;
+    for (let i = 0; i <= headers.length - 2; i += 2) {
+      const key = headers[i];
+
+      const redactedText = getRedactedText(key);
+      if (redactedText) {
+        headers[i + 1] = redactedText;
+      }
+    }
+
+    // raw queries
+    if (msg.protect?.reqData?.queries) {
+      const searchParams = new URLSearchParams(msg.protect.reqData.queries);
+      for (const [key, value] of searchParams) {
+        const redactedText = getRedactedText(key);
+        if (redactedText) {
+          searchParams.set(key, redactedText);
+        }
+      }
+      msg.protect.reqData.queries = searchParams.toString();
+    }
+
+    if (policy.maskAttackVector) {
+      // attack values
+      const inputAnalysis = Object.entries(msg.protect?.findings.resultsMap);
+      for (const [, results] of inputAnalysis) {
+        for (const result of results) {
+          const redactedText = getRedactedText(result.key);
+          if (redactedText) {
+            result.value = redactedText;
+          }
+        }
+      }
+    }
+  });
+};

package/lib/sensitive-data-masking/server-settings-listener.js

@@ -0,0 +1,44 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { Event } = require('@contrast/common');
+
+module.exports = function(core) {
+  const {
+    logger,
+    messages,
+    sensitiveDataMasking: { policy },
+  } = core;
+
+  messages.on(Event.SERVER_SETTINGS_UPDATE, (settingsMsg) => {
+    const dtm = settingsMsg?.sensitive_data_masking_policy;
+
+    if (!dtm) return;
+
+    logger.trace('updating sensitive data masking policy');
+
+    policy.maskHttpBody = dtm.mask_http_body;
+    policy.maskAttackVector = dtm.mask_attack_vector;
+    policy.keywordSets.length = 0;
+    policy.idMap.clear();
+    dtm.rules.forEach(({ id, keywords }) => {
+      const kwSet = new Set(keywords);
+      policy.keywordSets.push(kwSet);
+      policy.idMap.set(kwSet, id);
+    });
+  });
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/core",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "Preconfigured Contrast agent core services and models",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -17,15 +17,15 @@
     "test": "../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/agentify": "1.0.4",
-    "@contrast/config": "1.1.3",
-    "@contrast/dep-hooks": "1.0.3",
+    "@contrast/agentify": "1.0.5",
+    "@contrast/config": "1.1.4",
+    "@contrast/dep-hooks": "1.0.4",
     "@contrast/fn-inspect": "^3.1.0",
-    "@contrast/logger": "1.0.3",
-    "@contrast/patcher": "1.0.3",
-    "@contrast/reporter": "1.1.0",
-    "@contrast/rewriter": "1.0.3",
-    "@contrast/scopes": "1.1.0",
+    "@contrast/logger": "1.0.4",
+    "@contrast/patcher": "1.0.4",
+    "@contrast/reporter": "1.2.0",
+    "@contrast/rewriter": "1.0.4",
+    "@contrast/scopes": "1.1.1",
     "builtin-modules": "^3.2.0",
     "semver": "^7.3.7"
   }

package/lib/cli-rewriter/dependency-rewriter.js

@@ -1,222 +0,0 @@
-/*
- * Copyright: 2022 Contrast Security, Inc
- * Contact: support@contrastsecurity.com
- * License: Commercial
-
- * NOTICE: This Software and the patented inventions embodied within may only be
- * used as part of Contrast Security’s commercial offerings. Even though it is
- * made available through public repositories, use of this Software is subject to
- * the applicable End User Licensing Agreement found at
- * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
- * between Contrast Security and the End User. The Software may not be reverse
- * engineered, modified, repackaged, sold, redistributed or otherwise used in a
- * way not consistent with the End User License Agreement.
- */
-
-'use strict';
-
-const Module = require('module');
-const process = require('process');
-const fs = require('fs');
-const path = require('path');
-const util = require('util');
-const builtins = require('builtin-modules');
-const readFile = util.promisify(fs.readFile);
-
-module.exports = function(core) {
-  const dependencyRewriter = new RecursiveDependencyRewriter(core);
-  core.dependencyRewriter = dependencyRewriter;
-  return dependencyRewriter;
-};
-
-// Ported from node agent lib/cli-rewriter/index.js
-class RecursiveDependencyRewriter {
-  /**
-   * Receives entrypoint used to initialize agent.
-   * Sets up config, logging, agent, and rewriter state.
-   * @param {string} entrypoint application's entrypoint script
-   */
-  constructor(core) {
-    this.deps = core;
-    this.logger = core.logger;
-    this.rewriter = core.rewriter;
-    this.rewriter.visitors.push(RecursiveDependencyRewriter.requireDetector);
-    // keep track of files rewritten - don't rewrite if file is required more than once
-    this.visited = new Set();
-    this.entrypoint = core.config.entrypoint;
-    this.filename = path.resolve(process.cwd(), this.entrypoint);
-    try {
-      fs.statSync(this.filename);
-    } catch (err) {
-      this.logger.error('entrypoint file not found: %s', this.filename);
-      // eslint-disable-next-line no-process-exit
-      process.exit(1);
-    }
-  }
-
-  /**
-   * Starting at the provided entrypoint will rewrite it and any dependencies
-   * detected. Recursively continues until all files are rewritten.
-   * @param {string} entrypoint provided application entrypoint script
-   */
-  async rewrite() {
-
-    const parent = RecursiveDependencyRewriter.getModuleData(this.filename);
-    const start = Date.now();
-
-    await this.traverse(this.filename, parent);
-
-    this.logger.info('rewriting complete [%ss]', (Date.now() - start) / 1000);
-  }
-
-  /**
-   * Visits the filename in order to rewrite and cache. Visitor returns found
-   * dependencies in the file. Recursively traverses the absolute file paths of
-   * dependencies found by the require detector.
-   * @param {string} filename file to rewrite
-   * @param {object} parent parent module data
-   */
-  async traverse(filename, parent) {
-    const fileDependencies = await this.visitDependency(filename);
-
-    return Promise.all(
-      fileDependencies.map((request) => {
-        try {
-          const _filename = Module._resolveFilename(request, parent);
-          if (_filename.endsWith('.js')) {
-            const _parent = RecursiveDependencyRewriter.getModuleData(_filename);
-            return this.traverse(_filename, _parent);
-          }
-        } catch (err) {
-          if (err.code === 'MODULE_NOT_FOUND') {
-            this.logger.debug(
-              `module not found. skipping ${request} required by ${filename}`
-            );
-          } else {
-            this.logger.error('error resolving filename: %o', err);
-          }
-        }
-      })
-    );
-  }
-
-  /**
-   * For each file dependency rewrite and cache it. Returns array of found
-   * dependencies.
-   * @param {string} filename name of file to rewrite / cache
-   * @returns {array[string]} list of the file's dependencies
-   */
-  async visitDependency(filename) {
-    if (this.visited.has(filename)) {
-      return [];
-    }
-
-    this.visited.add(filename);
-
-    try {
-      const content = await readFile(filename, 'utf8');
-      const rewriteData = this.rewriter.rewriteFile({
-        content,
-        filename,
-        opts: {
-          inject: true,
-          sourceType: 'script',
-          wrap: true,
-          deps: []
-        }
-      });
-
-      if (!rewriteData.deps) {
-        return [];
-      }
-
-      return rewriteData.deps.filter((dep) => !builtins.includes(dep));
-    } catch (e) {
-      console.log('visit error\n', e);
-      return;
-    }
-  }
-
-  /**
-   * Gets module data in order to resolve abs paths of deps.
-   * @param {string} filename absolute path of file being rewritten
-   * @returns {object}
-   */
-  static getModuleData(filename) {
-    return {
-      id: filename,
-      filename,
-      paths: Module._nodeModulePaths(path.dirname(filename))
-    };
-  }
-
-  /**
-   * Added to agent's static visitors. Runs during rewriting to detect require
-   * calls to discover dependencies.
-   * @param {object} node AST node being visited during rewrite
-   * @param {string} filename file being rewritten
-   * @param {object} state rewriter state
-   */
-  static requireDetector(path, state) {
-    const { node } = path;
-    if (isRequire(node)) {
-      if (isLiteralRequire(node) || isStaticTemplateRequire(node)) {
-        const request = getRequireArg(node);
-        if (request) {
-          state.deps.push(request);
-        }
-      }
-    }
-  }
-}
-
-/**
- * Whether AST node looks like a `require([request])` call.
- * @param {object} node AST node
- * @returns {boolean}
- */
-function isRequire(node) {
-  return (
-    node.type === 'CallExpression' &&
-    node.callee &&
-    node.callee.type === 'Identifier' &&
-    node.callee.name === 'require' &&
-    node.arguments &&
-    node.arguments.length === 1
-  );
-}
-
-/**
- * Whether node is static template require
- * @param {object} node AST node
- * @returns {boolean}
- */
-function isStaticTemplateRequire(node) {
-  return (
-    node.arguments[0].type === 'TemplateLiteral' &&
-    node.arguments[0].expressions.length === 0
-  );
-}
-
-/**
- * Whether node is literal require
- * @param {object} node AST node
- * @returns {boolean}
- */
-function isLiteralRequire(node) {
-  return (
-    node.arguments[0].type === 'Literal' ||
-    node.arguments[0].type === 'StringLiteral'
-  );
-}
-
-/**
- * Gets value of argument to `require([request])`
- * @param {object} node AST node
- * @returns {string}
- */
-function getRequireArg(node) {
-  return node.arguments[0].type === 'TemplateLiteral'
-    ? node.arguments[0].quasis[0].value.raw
-    : node.arguments[0].value;
-}