@contrast/core 1.54.2 → 1.56.0

package/lib/app-info.js

@@ -20,7 +20,8 @@ const fs = require('fs');
 const path = require('path');
 const semver = require('semver');
 const process = require('process');
-const { IntentionalError, primordials: { ArrayPrototypeJoin } } = require('@contrast/common');
+const { minimatch } = require('minimatch');
+const { IntentionalError } = require('@contrast/common');
 const { findPackageJsonSync } = require('@contrast/find-package-json');
 
 /**
@@ -35,10 +36,8 @@ module.exports = function (core) {
   const { app_root, cmd_ignore_list, exclusive_entrypoint } = config.agent.node;
 
   checkPreLoadFlag();
-  const cmd = getCommand();
   const pkgInfo = getPackageInfo();
-  const entrypoint = getEntrypoint();
-  const name = getApplicationName();
+  const { cmd, indexFile } = parseArgv();
 
   core.appInfo = {
     // dedupe this? - it's already in systemInfo
@@ -50,15 +49,15 @@ module.exports = function (core) {
     },
     cmd,
     hostname: os.hostname(),
-    indexFile: entrypoint,
+    indexFile,
     path: pkgInfo.packageFile,
     pkg: pkgInfo.packageData,
-    name,
+    name: getApplicationName(),
     app_dir: pkgInfo.dir,
-    version: config.application.version || pkgInfo.packageData.version,
+    version: config.application.version ?? pkgInfo.packageData.version,
     serverVersion: config.server.version,
     nodeVersion: process.version,
-    appPath: config.application.path || pkgInfo.dir,
+    appPath: config.application.path ?? pkgInfo.dir,
     serverName: config.server.name,
     serverType: config.server.type,
     serverEnvironment: config.server.environment,
@@ -76,13 +75,12 @@ module.exports = function (core) {
     } = process;
     [
       { range: '>=18.19.0', flags: ['--import'] },
-      { range: '>=16.17.0 <18.19.0', flags: ['--loader'] },
-      { range: '<16.17.0', flags: ['-r', '--require'] }
+      { range: '>=16.17.0 <18.19.0', flags: ['--loader'] }
     ].forEach(({ range, flags }) => {
       if (
         semver.satisfies(version, range) &&
         (execArgv.some((el, idx) => el === '@contrast/agent' && !flags.includes(execArgv[idx - 1])) ||
-        NODE_OPTIONS?.includes('@contrast/agent') && !flags.some(flag => NODE_OPTIONS.includes(flag)))
+          NODE_OPTIONS?.includes('@contrast/agent') && !flags.some(flag => NODE_OPTIONS.includes(flag)))
       ) {
         logger.warn(
           'For Node LTS %s, use %s command to run the agent. See: https://docs.contrastsecurity.com/en/install-node-js.html',
@@ -94,84 +92,69 @@ module.exports = function (core) {
   }
 
   /**
-   * Generates a command string based on ARGV and process.argv0, which will be used
-   * for the `appInfo.cmd` field. This function will throw if any of the config's
-   * cmd_ignore_list values match the command.
-   * @returns {string} the issued command that started the current node process
+   * Parse and process the process.argv array to construct `appInfo.cmd` and
+   * resolve the application entry point.
+   * Throws if the running process should not be instrumented per the
+   * `cmd_ignore_list` and `exclusive_entrypoint` config options.
    * @throws {IntentionalError} when command should be is ignored by Contrast
+   * @returns {{ cmd: string, indexFile: string }} stringified command and resolved entrypoint file
    */
-  function getCommand() {
-    const args = [process.argv0, ...process.argv].map((a) => path.basename(a));
-    const cmd = ArrayPrototypeJoin.call(Array.from(new Set(args)), ' ');
-    const message = 'application command matches cmd_ignore_list config option';
-
-    if (cmd_ignore_list) {
-      let err;
-      for (const ignoreCommand of cmd_ignore_list) {
-
-        if (ignoreCommand === 'npm*') {
-          if (cmd.includes('npm ')) err = new IntentionalError(message);
-        } else {
-          if (cmd.includes(ignoreCommand)) err = new IntentionalError(message);
-        }
-        if (err) {
-          logger.trace({ cmd_ignore_list, cmd }, message);
-          throw err;
-        }
-      }
-    }
-
-    return cmd;
-  }
-
-  /**
-   * Returns the entrypoint file. If none is found, or the one discovered doesn't match the
-   * config's `agent.node.exclusive_entrypoint` value, this will throw.
-   * @returns {string} entrypoint file name
-   * @throws {Error|IntentionalError} if no entrypoint is found or we're supposed to ignore the app
-   */
-  function getEntrypoint() {
-    let entrypoint = process.argv[1];
-    const { packageData } = pkgInfo;
+  function parseArgv() {
+    const args = new Set([process.argv0, ...process.argv]);
+    let indexFile = path.normalize(process.argv[1]);
 
     try {
-      if (entrypoint && fs.statSync(entrypoint).isDirectory()) {
-        const main = path.join(entrypoint, packageData.main || 'index.js');
+      if (indexFile && fs.statSync(indexFile).isDirectory()) {
+        const main = path.join(indexFile, pkgInfo.packageData.main ?? 'index.js');
         try {
           if (fs.statSync(main)) {
-            entrypoint = main;
+            indexFile = main;
           }
         } catch (err) {
-          entrypoint = null;
+          indexFile = null;
         }
       }
-    } catch (err) {} // eslint-disable-line no-empty
+    } catch (err) {
+      // use default process.argv[1]
+    }
 
-    if (!entrypoint) {
+    if (!indexFile) {
       logger.error('no entrypoint found for application');
       throw new Error('No entrypoint found');
     }
 
+    let isExclusiveEntrypoint = false;
     if (exclusive_entrypoint) {
-      const expectedEntrypoint = path.resolve(app_root || process.cwd(), exclusive_entrypoint);
-      if (entrypoint !== expectedEntrypoint) {
-        const message = 'application does not match exclusive_entrypoint config option';
-        logger.trace({
-          entrypoint,
-          exclusive_entrypoint: expectedEntrypoint,
-        }, message);
+      const expectedEntrypoint = path.resolve(app_root ?? process.cwd(), exclusive_entrypoint);
+      if (indexFile !== expectedEntrypoint) {
+        const message = 'Skipping instrumentation because application does not match the `exclusive_entrypoint` config option.';
+        logger.info({ entrypoint: indexFile, exclusive_entrypoint: expectedEntrypoint }, message);
         throw new IntentionalError(message);
       }
+      isExclusiveEntrypoint = true;
+    }
+
+    const cmd = process.argv.map((arg) => path.basename(arg)).join(' ');
+
+    if (!isExclusiveEntrypoint) {
+      for (const arg of args) {
+        for (const pattern of cmd_ignore_list) {
+          if (minimatch(arg, pattern, { dot: true })) {
+            const message = 'Skipping instrumentation because application command matches the `cmd_ignore_list` config option.';
+            logger.info({ cmd_ignore_list, cmd, arg, pattern }, message);
+            throw new IntentionalError(message);
+          }
+        }
+      }
     }
 
-    return entrypoint;
+    return { cmd, indexFile };
   }
 
   /**
    * Will try to read the `package.json` file of the app. This will use find-pacakge-json
    * starting first from entrypoint, then from CWD.
    * NOTE: If the `app_root` value is specified, this will check only there and then throw if not found.
-   * @param {string} entrypoint app entrypoint
    * @returns {PackageInfo} dir, packageData, and packageFile
    * @throws {Error} if package can't be found or parsed
    */
@@ -196,15 +179,14 @@ module.exports = function (core) {
         packageFile = process.env.npm_package_json ?? findPackageJsonSync({ cwd: dir });
         packageData = require(packageFile);
         break;
-      } catch (err) {} // eslint-disable-line no-empty
+      } catch (err) {
+        // packageData stays undefined, throws below.
+      }
     }
 
     if (!packageData) {
-      const message = 'unable to locate application package.json';
-      logger.error({
-        app_root,
-        paths: Array.from(dirs),
-      }, message);
+      const message = "Unable to locate application's package.json";
+      logger.error({ app_root, paths: Array.from(dirs) }, message);
       throw new Error(message);
     }
 
@@ -220,12 +202,9 @@ module.exports = function (core) {
    * @throws {Error} if there is no name identified
    */
   function getApplicationName() {
-    const name = config.application.name || pkgInfo.packageData.name;
+    const name = config.application.name ?? pkgInfo.packageData.name;
     if (!name) {
-      throw new Error(
-        'The application\'s name was not identified. ' +
-        'Please provide name in package.json field or with the agent\'s application.name config option.'
-      );
+      throw new Error("The application's name was not identified. Please provide `name` in package.json field or with the agent's `application.name` config option.");
     }
 
     return name;

package/lib/sensitive-data-masking/protect-listener.js

@@ -27,8 +27,8 @@ module.exports = function (core) {
     sensitiveDataMasking: { policy, getRedactedText, traverseAndMask },
   } = core;
 
-  messages.on(Event.PROTECT, (msg) => {
-    if (!msg.protect || !policy.keywordSets.length) {
+  messages.on(Event.PROTECT, (store) => {
+    if (!store.protect || !policy.keywordSets.length || !store.sourceInfo) {
       return;
     }
 
@@ -36,33 +36,33 @@ module.exports = function (core) {
 
     const unmasked = policy.maskAttackVector ? new Set() : undefined;
     if (policy.maskHttpBody) {
-      msg.protect.parsedBody = `${CONTRAST_REDACTED}-body`;
+      store.protect.parsedBody = `${CONTRAST_REDACTED}-body`;
     } else {
-      traverseAndMask(msg.protect?.parsedBody, unmasked);
+      traverseAndMask(store.protect?.parsedBody, unmasked);
     }
 
-    traverseAndMask(msg.protect?.parsedCookies, unmasked);
-    traverseAndMask(msg.protect?.parsedQuery, unmasked);
+    traverseAndMask(store.protect?.parsedCookies, unmasked);
+    traverseAndMask(store.protect?.parsedQuery, unmasked);
 
     // Do parsed URL path params and urlPath together
-    const params = msg.protect?.parsedParams;
+    const params = store.protect?.parsedParams;
     if (params) {
       for (const [key, value] of Object.entries(params)) {
         const redactedText = getRedactedText(key);
         if (redactedText) {
           const encoded = encodeURIComponent(value);
-          msg.protect.reqData.uriPath = StringPrototypeReplace.call(
-            msg.protect.reqData.uriPath,
+          store.sourceInfo.uriPath = StringPrototypeReplace.call(
+            store.sourceInfo.uriPath,
             encoded,
             redactedText
           );
-          msg.protect.parsedParams[key] = redactedText;
+          store.protect.parsedParams[key] = redactedText;
         }
       }
     }
 
     // raw headers
-    const headers = msg.protect?.reqData.headers;
+    const headers = store.sourceInfo.rawHeaders;
     for (let i = 0; i <= headers.length - 2; i += 2) {
       const key = headers[i];
 
@@ -73,20 +73,20 @@ module.exports = function (core) {
     }
 
     // raw queries
-    if (msg.protect?.reqData?.queries) {
-      const searchParams = new URLSearchParams(msg.protect.reqData.queries);
+    if (store.sourceInfo?.queries) {
+      const searchParams = new URLSearchParams(store.sourceInfo.queries);
       for (const [key] of searchParams) {
         const redactedText = getRedactedText(key);
         if (redactedText) {
           searchParams.set(key, redactedText);
         }
       }
-      msg.protect.reqData.queries = searchParams.toString();
+      store.sourceInfo.queries = searchParams.toString();
     }
 
     if (policy.maskAttackVector) {
       // attack values
-      const inputAnalysis = Object.entries(msg.protect?.resultsMap);
+      const inputAnalysis = Object.entries(store.protect?.resultsMap);
       for (const [, results] of inputAnalysis) {
         for (const result of results) {
           const redactedText = getRedactedText(result.key);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/core",
-  "version": "1.54.2",
+  "version": "1.56.0",
   "description": "Preconfigured Contrast agent core services and models",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -13,21 +13,22 @@
   "types": "lib/index.d.ts",
   "engines": {
     "npm": ">=6.13.7 <7 || >= 8.3.1",
-    "node": ">= 16.9.1"
+    "node": ">= 18.7.0"
   },
   "scripts": {
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.34.2",
-    "@contrast/config": "1.49.2",
+    "@contrast/common": "1.36.0",
+    "@contrast/config": "1.51.0",
     "@contrast/find-package-json": "^1.1.0",
-    "@contrast/fn-inspect": "^4.3.0",
-    "@contrast/logger": "1.27.2",
-    "@contrast/patcher": "1.26.2",
-    "@contrast/perf": "1.3.1",
+    "@contrast/fn-inspect": "^5.0.2",
+    "@contrast/logger": "1.29.0",
+    "@contrast/patcher": "1.28.0",
+    "@contrast/perf": "1.4.0",
     "@tsxper/crc32": "^2.1.3",
-    "axios": "^1.7.4",
+    "axios": "^1.11.0",
+    "minimatch": "^9.0.5",
     "semver": "^7.6.0"
   }
 }