@contrast/esm-hooks 1.22.1 → 2.0.1

package/lib/get-file-type.mjs

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
 
@@ -12,31 +12,117 @@
  * engineered, modified, repackaged, sold, redistributed or otherwise used in a
  * way not consistent with the End User License Agreement.
  */
-
+import fs from 'node:fs';
+import os from 'node:os';
 import path from 'path';
-import parent from 'parent-package-json';
+import M from 'module';
 
-export default function getType(filename) {
+const isBuiltin = M.isBuiltin || function(pathname) {
+  if (pathname.startsWith('node:')) {
+    pathname = pathname.slice(5);
+  }
+  return M.builtinModules.includes(pathname);
+};
 
-  let pathname = filename.pathname || filename;
+/**
+ *
+ * @param {string} path
+ * @returns {string}
+ */
+export function fixPath(p) {
+  if (p.match(/^(\\|\/)[A-Za-z]:/)) {
+    p = p.slice(1);
+  }
+  return p;
+}
 
-  if (pathname.startsWith('node:')) {
+export function getFileType(filename) {
+  let pathname = filename.pathname || filename;
+  // presumes 16.17+
+  if (isBuiltin(pathname)) {
     return 'builtin';
   }
+
   pathname = pathname.replace('file://', '');
 
+  // if the file extension specifies the type, there's no need to do extra
+  // IO.
+  const ext = path.extname(pathname);
+  if (ext === '.mjs') {
+    return 'module';
+  } else if (ext === '.cjs') {
+    return 'commonjs';
+  }
+
+  // Node assumes `commonjs ` if there's no `type` set in package.json
   let parentType = 'commonjs';
   try {
-    parentType = parent(pathname).parse().type;
+    let pkg = parent(pathname);
+    if (pkg) {
+      pkg = pkg.parse();
+      if (pkg.type) {
+        parentType = pkg.type;
+      }
+    }
   } catch (err) {
-    // Node assumes `commonjs ` if there's no `type` set in package.json
+    // not sure what errors can occur here. should consider logging.
   }
 
-  const ext = path.extname(pathname);
-  if (ext === '.mjs' || (ext === '.js' && parentType === 'module')) {
-    return 'module';
-  } else if (ext === '.cjs' || (ext === '.js' && parentType !== 'module')) {
-    return 'commonjs';
+  if (ext === '.js') {
+    return parentType;
+  }
+
+  // should this assume commonjs?
+  return null;
+}
+
+function parent(startPath, ignore) {
+  startPath = path.resolve(fixPath(startPath) || process.cwd());
+  ignore = ignore || 0;
+
+  let searchPath = path.dirname(startPath);
+
+  let root = '/';
+  if (os.platform() === 'win32') {
+    root = path.parse(startPath).root;
   }
-  return 'unknown';
+
+  let packageDotJsonContents;
+
+  // put a limit on this though i think that for(;;) will work fine.
+  for (let i = 100; i > 0; i -= 1) {
+    try {
+      const possible = path.join(searchPath, 'package.json');
+      packageDotJsonContents = fs.readFileSync(possible, 'utf8');
+      if (ignore > 0) {
+        ignore--;
+      } else {
+        break;
+      }
+    } catch (err) {
+      if (err.code !== 'ENOENT') {
+        // log?
+      }
+    }
+
+    // if root there is nothing more to check
+    if (searchPath === root) {
+      break;
+    }
+    searchPath = path.dirname(searchPath);
+  }
+
+  if (packageDotJsonContents) {
+    return {
+      read() {
+        return packageDotJsonContents;
+      },
+      parse() {
+        return JSON.parse(packageDotJsonContents);
+      },
+      path: searchPath,
+    };
+  }
+
+  return null;
 }

package/lib/index.mjs

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
 
@@ -13,75 +13,121 @@
  * way not consistent with the End User License Agreement.
  */
 
-import { promises as fs } from 'fs';
-import { fileURLToPath } from 'url';
-import getType from './get-file-type.mjs';
+//
+// this file supports agent/lib/esm-hooks.mjs.
+//
 
-export default function (core) {
-  core.esmHooks = {
-    async getSource(url, context, defaultGetSource) {
-      const filename = fileURLToPath(url);
-      core.logger.trace('getSource %s', filename);
-      return defaultGetSource(url, context, defaultGetSource);
-    },
+import { readdir } from 'node:fs/promises';
+import path from 'node:path';
 
-    async transformSource(source, context, defaultTransformSource) {
-      let result;
-      const filename = fileURLToPath(context.url);
-      core.logger.trace('transformSource %s', filename);
-      try {
-        result = core.rewriter.rewrite(source.toString(), {
-          filename,
-          isModule: true,
-          inject: true,
-          wrap: false,
-        });
-        return { source: result.code };
-      } catch (err) {
-        core.logger.error(
-          { err, result },
-          'Failed to compile rewritten code for %s. compiling original code.',
-          filename,
-        );
-        return defaultTransformSource(source, context, defaultTransformSource);
-      }
-    },
+const redirectPath = './redirects';
 
-    async load(url, context, defaultLoad) {
-      const type = getType(url);
+// why do we need to fix paths? Because windows, node, and URLs don't get
+// along very well.
+//
+// the load() hook receives an URL. When the URL is converted into an URL object,
+// the pathname property will be '/C:/Users/.../redirects' on windows. And that
+// doesn't start with a drive letter, so when fsp.readdir() gets it, node decides
+// to add a drive letter: 'C:/C:/Users/.../redirects'. So we have to strip off the
+// the leading / so the drive letter is recognized and another isn't added. it seems
+// like a node bug (or possibly windows bug) but i don't have time to research the
+// standards to figure out what URL.pathname should be in a windows file: context.
+//
+// maybe this should be in the load() hook?
+//
 
-      if (type === 'builtin' || type === 'unknown') {
-        core.logger.debug(
-          'Skipping rewrite for %s module %s, loading original code',
-          type,
-          url
-        );
-        return defaultLoad(url, context, defaultLoad);
-      }
+import { fixPath, getFileType } from './get-file-type.mjs';
+
+// useful for tests
+export { makeMappings };
+
+export default async function init(core) {
+  return {
+    mappings: await makeMappings(),
+    fixPath,
+    getFileType,
+  };
+}
 
-      const filename = fileURLToPath(url);
-      core.logger.trace('load %s', filename);
+async function makeMappings() {
+  /**
+   * @typedef { 'builtin' | 'commonjs' | 'module' } TargetType
+   * @typedef {string} RequireSpecifier
+   */
+  /**
+   * @type {Record<RequireSpecifier, {url: URL, target: TargetType}>}
+   */
+  const mappings = Object.create(null);
 
-      let result;
-      try {
-        const source = await fs.readFile(filename, 'utf8');
-        result = core.rewriter.rewrite(source, {
-          filename,
-          isModule: type !== 'commonjs',
-          inject: true,
-          wrap: false,
-        });
-        return { format: type, source: result.code, shortCircuit: true };
-      } catch (err) {
-        core.logger.error(
-          { err, result },
-          'Failed to load rewritten code for %s. loading original code.',
-          filename,
-        );
-        return defaultLoad(url, context, defaultLoad);
+  // the name of the directory is the format of the target being loaded. so "cjs"
+  // means the target is a commonjs module that will be loaded via require(),
+  // "builtin" means the target is a builtin, and "esm" (when it's added) will
+  // mean that the target is a native esm module.
+  //
+  // at this time, all "builtin" modules are "cjs" modules and can be required.
+  // and all "cjs" modules are commonjs modules that can be required. The reason
+  // they need to be here is that they might be loaded by the ESM loader in the
+  // background thread, so we need to redirect them to the commonjs loader.
+  //
+  // all files in the "redirects" directory are .mjs files.
+  //
+  // 'esm' does not currently have any redirect files; there is one example file
+  // for node-fetch, but it does not have the extension .mjs, so it won't be used.
+  // 'esm' will be needed when we have to patch an esm-native file.
+  for (const dir of ['builtin', 'cjs', 'esm']) {
+    // keep track of recursive calls to handle nested directories, e.g., fs/promises
+    const pathStack = [];
+
+    // get an absolute path because reading the redirect file is going to be executed
+    // in another context.
+    const p = path.join(redirectPath, dir);
+    const redirectDir = new URL(p, import.meta.url);
+    const dirpath = fixPath(redirectDir.pathname);
+
+    await recursiveReaddir(dirpath);
+
+    // eslint-disable-next-line no-inner-declarations
+    async function recursiveReaddir(dirpath) {
+      const dirents = await readdir(dirpath, { withFileTypes: true });
+      for (const dirent of dirents) {
+        if (dirent.isDirectory()) {
+          const { name: subdir } = dirent;
+          const subp = path.join(dirpath, subdir);
+          pathStack.push(subdir);
+          await recursiveReaddir(subp);
+          pathStack.pop();
+          continue;
+        }
+        if (!dirent.name.endsWith('.mjs')) {
+          continue;
+        }
+        // it a file that ends with .mjs, so it's a redirect file.
+        const redirectURL = new URL(path.join(p, ...pathStack, dirent.name), import.meta.url);
+
+        // all redirects point to .mjs files; the target property specifies the type of the
+        // the file that will be loaded by the .mjs. target. target is builtin, commonjs, or
+        // module.
+        // e.g., //'node-fetch': {url: new URL(`${p}/node-fetch.mjs`, import.meta.url), target: 'module'},
+        //
+        // there is a separate builtin directory because putting a colon in a filename doesn't work on windows. so
+        // that's why the mapping below adds the `node:` prefix.
+        let name = path.basename(dirent.name, '.mjs');
+        if (pathStack.length) {
+          name = `${pathStack.join('/')}/${name}`;
+        }
+        if (dir === 'builtin') {
+          mappings[name] = { url: redirectURL, target: 'builtin' };
+          mappings[`node:${name}`] = { url: redirectURL, target: 'builtin' };
+        } else if (dir === 'cjs') {
+          mappings[name] = { url: redirectURL, target: 'commonjs' };
+        } else if (dir === 'esm') {
+          mappings[name] = { url: redirectURL, target: 'module' };
+        } else {
+          throw new Error(`target type ${dir} not yet implemented`);
+        }
       }
     }
-  };
+  }
 
-  return core.esmHooks;
+  return mappings;
 }

package/lib/redirects/builtin/child_process.mjs

@@ -0,0 +1,31 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+import { createRequire } from 'node:module';
+const require = createRequire(import.meta.url);
+const cp = require('node:child_process');
+
+export default cp;
+
+export const {
+  _forkChild,
+  ChildProcess,
+  exec,
+  execFile,
+  execFileSync,
+  execSync,
+  fork,
+  spawn,
+  spawnSync,
+} = cp;

package/lib/redirects/builtin/fs/promises.mjs

@@ -0,0 +1,53 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+import { createRequire } from 'node:module';
+const require = createRequire(import.meta.url);
+const promises = require('node:fs/promises');
+
+export default promises;
+
+export const {
+  access,
+  copyFile,
+  cp,
+  open,
+  opendir,
+  rename,
+  truncate,
+  rm,
+  rmdir,
+  mkdir,
+  readdir,
+  readlink,
+  symlink,
+  lstat,
+  stat,
+  statfs,
+  link,
+  unlink,
+  chmod,
+  lchmod,
+  lchown,
+  chown,
+  utimes,
+  lutimes,
+  realpath,
+  mkdtemp,
+  writeFile,
+  appendFile,
+  readFile,
+  watch,
+  constants,
+} = promises;

package/lib/redirects/builtin/fs.mjs

@@ -0,0 +1,126 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+import { createRequire } from 'node:module';
+const require = createRequire(import.meta.url);
+const fs = require('node:fs');
+
+export default fs;
+
+export const {
+  appendFile,
+  appendFileSync,
+  access,
+  accessSync,
+  chown,
+  chownSync,
+  chmod,
+  chmodSync,
+  close,
+  closeSync,
+  copyFile,
+  copyFileSync,
+  cp,
+  cpSync,
+  createReadStream,
+  createWriteStream,
+  exists,
+  existsSync,
+  fchown,
+  fchownSync,
+  fchmod,
+  fchmodSync,
+  fdatasync,
+  fdatasyncSync,
+  fstat,
+  fstatSync,
+  fsync,
+  fsyncSync,
+  ftruncate,
+  ftruncateSync,
+  futimes,
+  futimesSync,
+  lchown,
+  lchownSync,
+  lchmod,
+  lchmodSync,
+  link,
+  linkSync,
+  lstat,
+  lstatSync,
+  lutimes,
+  lutimesSync,
+  mkdir,
+  mkdirSync,
+  mkdtemp,
+  mkdtempSync,
+  open,
+  openSync,
+  openAsBlob,
+  readdir,
+  readdirSync,
+  read,
+  readSync,
+  readv,
+  readvSync,
+  readFile,
+  readFileSync,
+  readlink,
+  readlinkSync,
+  realpath,
+  realpathSync,
+  rename,
+  renameSync,
+  rm,
+  rmSync,
+  rmdir,
+  rmdirSync,
+  stat,
+  statfs,
+  statSync,
+  statfsSync,
+  symlink,
+  symlinkSync,
+  truncate,
+  truncateSync,
+  unwatchFile,
+  unlink,
+  unlinkSync,
+  utimes,
+  utimesSync,
+  watch,
+  watchFile,
+  writeFile,
+  writeFileSync,
+  write,
+  writeSync,
+  writev,
+  writevSync,
+  Dirent,
+  Stats,
+  ReadStream,
+  WriteStream,
+  FileReadStream,
+  FileWriteStream,
+  _toUnixTimestamp,
+  Dir,
+  opendir,
+  opendirSync,
+  F_OK,
+  R_OK,
+  W_OK,
+  X_OK,
+  constants,
+  promises,
+} = fs;

package/lib/redirects/builtin/http.mjs

@@ -0,0 +1,39 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+import { createRequire } from 'node:module';
+const require = createRequire(import.meta.url);
+const http = require('node:http');
+
+export default http;
+
+export const {
+  _connectionListener,
+  METHODS,
+  STATUS_CODES,
+  Agent,
+  ClientRequest,
+  IncomingMessage,
+  OutgoingMessage,
+  Server,
+  ServerResponse,
+  createServer,
+  validateHeaderName,
+  validateHeaderValue,
+  get,
+  request,
+  setMaxIdleHTTPParsers,
+  maxHeaderSize,
+  globalAgent,
+} = http;

package/lib/redirects/builtin/http2.mjs

@@ -0,0 +1,33 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+const m = await import('node:module');
+const require = m.createRequire(import.meta.url);
+// does this get patched because it's being required?
+const http2 = require('http2');
+
+export default http2;
+
+export const {
+  connect,
+  constants,
+  createServer,
+  createSecureServer,
+  getDefaultSettings,
+  getPackedSettings,
+  getUnpackedSettings,
+  sensitiveHeaders,
+  Http2ServerRequest,
+  Http2ServerResponse,
+} = http2;

package/lib/redirects/builtin/https.mjs

@@ -0,0 +1,29 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+const m = await import('node:module');
+const require = m.createRequire(import.meta.url);
+// does this get patched because it's being required?
+const https = require('https');
+
+export default https;
+
+export const {
+  Agent,
+  globalAgent,
+  Server,
+  createServer,
+  get,
+  request,
+} = https;

package/lib/redirects/builtin/path/posix.mjs

@@ -0,0 +1,38 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+import { createRequire } from 'node:module';
+const require = createRequire(import.meta.url);
+const path = require('node:path/posix');
+
+export default path;
+
+export const {
+  resolve,
+  normalize,
+  isAbsolute,
+  join,
+  relative,
+  toNamespacedPath,
+  dirname,
+  basename,
+  extname,
+  format,
+  parse,
+  sep,
+  delimiter,
+  win32,
+  posix,
+  _makeLong,
+} = path;