@contrast/protect 1.25.1 → 1.27.0

package/lib/error-handlers/common-handler.js

@@ -17,18 +17,18 @@
 
 const { isSecurityException } = require('../security-exception');
 
-module.exports = function(core) {
+module.exports = function (core) {
   const {
     logger,
     protect: { getSourceContext },
   } = core;
 
-  return core.protect.errorHandlers.commonHandler = function(err) {
+  return core.protect.errorHandlers.commonHandler = function (err) {
     if (!isSecurityException(err)) {
       throw err;
     }
 
-    const sourceContext = getSourceContext('protect-common-error-handler');
+    const sourceContext = getSourceContext();
     if (!sourceContext) {
       logger.info('SecurityException caught by Contrast but Protect store is unavailable for req handling');
       return;

package/lib/error-handlers/install/express4.js

@@ -19,7 +19,7 @@ const SecurityException = require('../../security-exception');
 const { patchType } = require('../constants');
 
 
-module.exports = function(core) {
+module.exports = function (core) {
   const {
     logger,
     depHooks,
@@ -107,7 +107,7 @@ module.exports = function(core) {
           const ret = orig();
           if (ret && ret.catch) {
             return ret.catch((err) => {
-              const sourceContext = protect.getSourceContext('express.Layer.handle_error');
+              const sourceContext = protect.getSourceContext();
               const isSecurityException = SecurityException.isSecurityException(err);
 
               if (isSecurityException && sourceContext) {

package/lib/error-handlers/install/fastify.js

@@ -18,7 +18,7 @@
 const { isSecurityException } = require('../../security-exception');
 const { patchType } = require('../constants');
 
-module.exports = function(core) {
+module.exports = function (core) {
   const {
     depHooks,
     patcher,
@@ -53,11 +53,11 @@ module.exports = function(core) {
    * @param {object} request fastify request
    * @param {object} reply fastify repoly
    */
-  fastifyErrorHandler.handler = function(err, request, reply) {
+  fastifyErrorHandler.handler = function (err, request, reply) {
     const normalHandler = fastifyErrorHandler._userHandler || fastifyErrorHandler.defaultErrorHandler;
 
     if (isSecurityException(err)) {
-      const sourceContext = protect.getSourceContext('fastify.errorHandler');
+      const sourceContext = protect.getSourceContext();
 
       if (!sourceContext) {
         normalHandler.call(this, err, request, reply);
@@ -73,7 +73,7 @@ module.exports = function(core) {
   /**
    * Instruments fastify in order to add our custom error handler.
    */
-  fastifyErrorHandler.install = function() {
+  fastifyErrorHandler.install = function () {
     depHooks.resolve({ name: 'fastify', version: '>=3 <5' }, (fastify) => patcher.patch(fastify, {
       name: 'fastify',
       patchType,

package/lib/error-handlers/install/hapi.js

@@ -35,7 +35,7 @@ module.exports = function (core) {
       patchType,
       post(data) {
         const [err] = data.args;
-        const sourceContext = protect.getSourceContext('Hapi.boom.boomify');
+        const sourceContext = protect.getSourceContext();
         const isSecurityException = SecurityException.isSecurityException(err);
 
         if (isSecurityException && sourceContext && err.output.statusCode !== 403) {

package/lib/error-handlers/install/koa2.js

@@ -19,7 +19,7 @@ const SecurityException = require('../../security-exception');
 const { patchType } = require('../constants');
 
 
-module.exports = function(core) {
+module.exports = function (core) {
   const {
     logger,
     depHooks,
@@ -41,7 +41,7 @@ module.exports = function(core) {
             patchType,
             around(orig, data) {
               const [err] = data.args;
-              const sourceContext = protect.getSourceContext('Koa.Application.handleRequest');
+              const sourceContext = protect.getSourceContext();
               const isSecurityException = SecurityException.isSecurityException(err);
 
               if (isSecurityException && sourceContext) {

package/lib/get-source-context.js

@@ -15,18 +15,12 @@
 
 'use strict';
 
-module.exports = function (core) {
-  const { scopes: { sources }, logger } = core;
+module.exports = function init(core) {
+  const { scopes: { sources } } = core;
 
-  function getSourceContext(callPoint) {
+  function getSourceContext() {
     const sourceContext = sources.getStore()?.protect;
-
-    if (!sourceContext) {
-      logger.debug('source context not available in %s', callPoint);
-      return null;
-    }
-
-    return sourceContext.allowed ? null : sourceContext;
+    return sourceContext?.allowed ? null : sourceContext;
   }
 
   core.protect.getSourceContext = getSourceContext;

package/lib/index.js

@@ -19,8 +19,6 @@ const agentLib = require('@contrast/agent-lib');
 const { callChildComponentMethodsSync } = require('@contrast/common');
 
 module.exports = function(core) {
-  if (!core.config.protect.enable) return;
-
   const protect = core.protect = {
     agentLib: module.exports.instantiateAgentLib(agentLib),
   };
@@ -37,6 +35,11 @@ module.exports = function(core) {
   require('./semantic-analysis')(core);
 
   protect.install = function() {
+    if (!core.config.getEffectiveValue('protect.enable')) {
+      core.logger.debug('protect is disabled, skipping installation');
+      return;
+    }
+
     core.rewriter.install('protect');
     callChildComponentMethodsSync(protect, 'install');
   };

package/lib/input-analysis/install/busboy1.js

@@ -32,7 +32,7 @@ module.exports = (core) => {
         name: 'busboy.prototype.emit',
         patchType,
         pre({ args }) {
-          const sourceContext = protect.getSourceContext('busboy');
+          const sourceContext = protect.getSourceContext();
 
           if (sourceContext) {
             const [eventName, , , fileName] = args;

package/lib/input-analysis/install/cookie-parser1.js

@@ -40,7 +40,7 @@ module.exports = (core) => {
             const [req, , origNext] = data.args;
 
             function contrastNext(origErr) {
-              const sourceContext = protect.getSourceContext('cookie-parser');
+              const sourceContext = protect.getSourceContext();
 
               let securityException;
 

package/lib/input-analysis/install/express4.js

@@ -49,7 +49,7 @@ module.exports = (core) => {
               const [req, , origNext] = data.args;
 
               function contrastNext(origErr) {
-                const sourceContext = protect.getSourceContext('express.query');
+                const sourceContext = protect.getSourceContext();
                 let securityException;
 
                 // It is possible for the query to be already parsed by `qs`
@@ -93,7 +93,7 @@ module.exports = (core) => {
             // we can exit early if
             //  the layer doesn't match the request or
             //  the layer doesn't recognize any parameters
-            if (!data.result || !layer.keys || layer.keys.length === 0) {
+            if (!data.result || !layer.keys || layer.keys.length === 0 || layer.route.path === '*') {
               return;
             }
 

package/lib/input-analysis/install/fastify.js

@@ -40,9 +40,9 @@ module.exports = (core) => {
       name: 'fastify.build',
       patchType,
       post({ result: server }) {
-        server.addHook('preValidation', function(request, reply, done) {
+        server.addHook('preValidation', function (request, reply, done) {
           let securityException;
-          const sourceContext = protect.getSourceContext('Fastify.preValidationHook');
+          const sourceContext = protect.getSourceContext();
 
           if (sourceContext) {
             try {

package/lib/input-analysis/install/formidable1.js

@@ -32,7 +32,7 @@ module.exports = (core) => {
         name: 'Formidable.IncomingForm.prototype.parse',
         patchType,
         pre(data) {
-          const sourceContext = protect.getSourceContext('formidable');
+          const sourceContext = protect.getSourceContext();
 
           if (sourceContext) {
             const origCb = data.args[1];

package/lib/input-analysis/install/hapi.js

@@ -66,7 +66,7 @@ module.exports = (core) => {
     });
 
     server.ext('onPreHandler', function onPreHandler(req, h) {
-      const sourceContext = protect.getSourceContext('hapi.onPreHandler');
+      const sourceContext = protect.getSourceContext();
 
       if (sourceContext) {
         try {
@@ -107,7 +107,7 @@ module.exports = (core) => {
       name: 'Pez.Dispenser.prototype.emit',
       patchType,
       pre: ({ args }) => {
-        const sourceContext = protect.getSourceContext('hapi/pez');
+        const sourceContext = protect.getSourceContext();
 
         if (sourceContext) {
           const [eventName, part] = args;

package/lib/input-analysis/install/koa-body5.js

@@ -38,7 +38,7 @@ module.exports = (core) => {
             const [ctx, origNext] = data.args;
 
             async function contrastNext(origErr) {
-              const sourceContext = protect.getSourceContext('koa-body');
+              const sourceContext = protect.getSourceContext();
 
               if (sourceContext && ctx.request.body && Object.keys(ctx.request.body).length) {
                 sourceContext.parsedBody = ctx.request.body;

package/lib/input-analysis/install/koa-bodyparser4.js

@@ -38,7 +38,7 @@ module.exports = (core) => {
             const [ctx, origNext] = data.args;
 
             async function contrastNext(origErr) {
-              const sourceContext = protect.getSourceContext('koa-bodyparser');
+              const sourceContext = protect.getSourceContext();
 
 
               if (sourceContext && ctx.request.body && Object.keys(ctx.request.body).length) {

package/lib/input-analysis/install/koa2.js

@@ -37,7 +37,7 @@ module.exports = (core) => {
     depHooks.resolve({ name: 'koa', version: '>=2.3.0' }, (Koa) => {
       function contrastStartMiddleware(ctx, next) {
         if (ctx.query && Object.keys(ctx.query).length) {
-          const sourceContext = protect.getSourceContext('Koa startMiddleware');
+          const sourceContext = protect.getSourceContext();
 
           if (sourceContext && !('parsedQuery' in sourceContext)) {
             sourceContext.parsedQuery = ctx.query;
@@ -57,7 +57,7 @@ module.exports = (core) => {
           // if not already inserted, insert the initial middleware.
           if (
             app.middleware &&
-              (!app.middleware[0] || !app.middleware[0]._isContrastStartMiddleware)
+            (!app.middleware[0] || !app.middleware[0]._isContrastStartMiddleware)
           ) {
             app.middleware.splice(0, 0, contrastStartMiddleware);
           }
@@ -100,7 +100,7 @@ module.exports = (core) => {
                 const [ctx, origNext] = data.args;
 
                 async function contrastNext(origErr) {
-                  const sourceContext = protect.getSourceContext('koa-cookie');
+                  const sourceContext = protect.getSourceContext();
 
                   if (sourceContext && ctx.cookie) {
                     sourceContext.parsedCookies = ctx.cookie;

package/lib/input-analysis/install/multer1.js

@@ -42,7 +42,7 @@ module.exports = (core) => {
 
             // We are getting the sourceContext here because in the time of calling
             // the contrastNext() method the context is lost
-            const sourceContext = protect.getSourceContext('multer');
+            const sourceContext = protect.getSourceContext();
 
             if (!sourceContext) return;
 

package/lib/input-analysis/install/qs6.js

@@ -33,7 +33,7 @@ module.exports = (core) => {
         patchType,
         post({ args, result }) {
           if (result && Object.keys(result).length) {
-            const sourceContext = protect.getSourceContext('qs');
+            const sourceContext = protect.getSourceContext();
 
             // We need to run analysis for the `qs` result only when it's used as a query parser.
             // `qs` is used also for parsing bodies, but these cases we handle individually with

package/lib/input-analysis/install/universal-cookie4.js

@@ -32,7 +32,7 @@ module.exports = (core) => {
       patchType,
       post({ result }) {
         if (result && Object.keys(result).length) {
-          const sourceContext = protect.getSourceContext('universal-cookie');
+          const sourceContext = protect.getSourceContext();
 
           if (sourceContext) {
             sourceContext.parsedCookies = result;

package/lib/input-tracing/handlers/index.js

@@ -130,7 +130,7 @@ module.exports = function(core) {
     }
   };
 
-  inputTracing.nosqlInjectionMongo = function (sourceContext, sinkContext) {
+  inputTracing.nosqlInjectionMongo = function(sourceContext, sinkContext) {
     const ruleId = NOSQL_INJECTION_MONGO;
     const nosqlInjectionMongoResults =
       getResultsByRuleId(ruleId, sourceContext) || [];
@@ -155,7 +155,7 @@ module.exports = function(core) {
       }
     });
 
-    if (expansionResults) {
+    if (expansionResults.length) {
       let expansionFindings = null;
       for (const result of expansionResults) {
         expansionFindings = handleObjectValue(result, sinkContext.value);
@@ -172,14 +172,14 @@ module.exports = function(core) {
       }
     }
 
-    if (stringInjectionResults) {
+    if (stringInjectionResults.length) {
       let stringFindings = null;
 
       for (const result of stringInjectionResults) {
         if (typeof sinkContext.value === 'object') {
           traverseKeysAndValues(
             sinkContext.value,
-            function (path, type, value, obj) {
+            function(_path, type, value, obj) {
               if (type !== 'Key' && !agentLib.isMongoQueryType(value)) return;
 
               if (!stringFindings && type == 'Key' && value == '$accumulator') {
@@ -221,10 +221,16 @@ module.exports = function(core) {
           const nosqlInjectionResult = { ...result, ruleId, mappedId: ruleId };
 
           const nosqlInjectionResults = sourceContext.resultsMap[ruleId];
+          const isAlreadyPresentInNosqlresults = result.idsList &&
+            result.idsList.some(
+              (el) =>
+                el === agentLibIDListTypes.MONGO_SLEEP ||
+                el === agentLibIDListTypes.TRUE_CLAUSE_1
+            );
           if (Array.isArray(nosqlInjectionResults)) {
-            nosqlInjectionResults.push(nosqlInjectionResult);
+            !isAlreadyPresentInNosqlresults && nosqlInjectionResults.push(nosqlInjectionResult);
           } else {
-            sourceContext.resultsMap[ruleId] = [nosqlInjectionResult];
+            !isAlreadyPresentInNosqlresults && (sourceContext.resultsMap[ruleId] = [nosqlInjectionResult]);
           }
 
           handleFindings(

package/lib/input-tracing/install/child-process.js

@@ -18,7 +18,7 @@
 const { isString } = require('@contrast/common');
 const { patchType } = require('../constants');
 
-module.exports = function(core) {
+module.exports = function (core) {
   const {
     scopes: { instrumentation },
     patcher,
@@ -29,7 +29,7 @@ module.exports = function(core) {
   function pre({ args, name, hooked, orig }) {
     if (instrumentation.isLocked()) return;
 
-    const sourceContext = getSourceContext('child_process');
+    const sourceContext = getSourceContext();
     const value = args[0];
 
     if (!sourceContext || !value || !isString(value)) return;

package/lib/input-tracing/install/eval.js

@@ -18,7 +18,7 @@
 const { isString } = require('@contrast/common');
 const { patchType } = require('../constants');
 
-module.exports = function(core) {
+module.exports = function (core) {
   const {
     logger,
     scopes: { instrumentation },
@@ -39,7 +39,7 @@ module.exports = function(core) {
       pre: ({ args, hooked, orig }) => {
         if (instrumentation.isLocked()) return;
 
-        const sourceContext = protect.getSourceContext('eval');
+        const sourceContext = protect.getSourceContext();
         const value = args[0];
 
         if (!sourceContext || !value || !isString(value)) return;

package/lib/input-tracing/install/fs.js

@@ -34,7 +34,7 @@ module.exports = function init(core) {
     if (core.scopes.instrumentation.isLocked()) return;
 
     // obtain the Protect sourceContext
-    const sourceContext = core.protect.getSourceContext('fs');
+    const sourceContext = core.protect.getSourceContext();
 
     if (!sourceContext) return;
 

package/lib/input-tracing/install/function.js

@@ -18,7 +18,7 @@
 const { isString } = require('@contrast/common');
 const { patchType } = require('../constants');
 
-module.exports = function(core) {
+module.exports = function (core) {
   const {
     logger,
     scopes: { instrumentation },
@@ -40,7 +40,7 @@ module.exports = function(core) {
         pre: ({ args, hooked, orig }) => {
           if (instrumentation.isLocked()) return;
 
-          const sourceContext = protect.getSourceContext('Function');
+          const sourceContext = protect.getSourceContext();
           const fnBody = args[args.length - 1];
 
           if (!sourceContext || !fnBody || !isString(fnBody)) return;

package/lib/input-tracing/install/marsdb.js

@@ -16,7 +16,7 @@
 'use strict';
 const { patchType } = require('../constants');
 
-module.exports = function (core) {
+module.exports = function(core) {
   const {
     depHooks,
     patcher,
@@ -32,11 +32,11 @@ module.exports = function (core) {
     }
 
     if (Object.prototype.toString.call(query) === '[object String]') {
-      return query.toString();
+      return query;
     }
 
     if (query['$where']) {
-      return query['$where'].toString();
+      return query['$where'];
     }
 
     return query;

package/lib/input-tracing/install/mongodb.js

@@ -14,224 +14,219 @@
  */
 
 'use strict';
-const moduleName = 'mongodb';
-const semver = require('semver');
+const { isNonEmptyObject, isString, traverseValues, traverseKeys } = require('@contrast/common');
 const { patchType } = require('../constants');
 
-module.exports = function (core) {
+const collectionMethods = [
+  'find',
+  'findOne',
+  'findAndModify',
+  'findOneAndDelete',
+  'findOneAndReplace',
+  'findOneAndUpdate',
+  'remove',
+  'replaceOne',
+  'update',
+  'updateOne',
+  'updateMany',
+  'deleteOne',
+  'deleteMany',
+  'aggregate',
+  'mapReduce',
+  'group'
+];
+const dbMethods = [
+  'command',
+  'eval',
+  'aggregate'
+];
+// const methodsWithNestedCalls = ['findOne', 'eval', 'group'];
+
+module.exports = function(core) {
   const {
+    logger,
+    patcher,
+    depHooks,
+    scopes: { instrumentation },
     protect: { getSourceContext, inputTracing },
-    instrumentation: { instrument }
   } = core;
 
-  function getCursorQueryData(args, version) {
-    const query = semver.gte(version, '3.3.0')
-      ? args[0]?.cmd?.query || args[1]?.query
-      : args[1]?.query;
+  const instr = inputTracing.mongodbInstrumentation = {};
 
-    if (!query) {
-      return;
-    }
+  instr.getQueryVulnerabilityInfo = function getQueryVulnerabilityInfo(value, _argIdx, sourceContext, metadata) {
+    if (!isString(value) && !isNonEmptyObject(value)) return;
 
-    if (Object.prototype.toString.call(query) === '[object String]') {
-      return query.toString();
-    }
+    const { name, hooked, orig } = metadata;
+    const sinkContext = {
+      name,
+      stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
+    };
 
-    if (query['$where']) {
-      return query['$where'].toString();
+    if (name === 'mongodb.Db.prototype.command' && value?.filter) {
+      value = value.filter;
     }
 
-    return query;
-  }
+    inputTracing.nosqlInjectionMongo(sourceContext, { ...sinkContext, value });
+  };
+
+  instr.getAggregateVulnerabilityInfo = function getAggregateVulnerabilityInfo(aggregation, _argIdx, sourceContext, metadata) {
+    if (!isNonEmptyObject(aggregation)) return;
 
-  function getOpQueryData(op) {
-    if (!op.q) {
+    const { name, hooked, orig } = metadata;
+    const sinkContext = {
+      name,
+      stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
+    };
+
+    traverseValues(aggregation, (path, _type, value) => {
+      const accumulatorFuncProps = [
+        'init',
+        'merge',
+        'accumulate',
+        'finalize'
+      ];
+      const lastIdx = path.length - 1;
+
+      if (
+        (path[lastIdx - 1] === '$function' && path[lastIdx] === 'body') ||
+        (path[lastIdx - 1] === '$accumulator' && accumulatorFuncProps.includes(path[lastIdx]))
+      ) {
+        inputTracing.nosqlInjectionMongo(sourceContext, { ...sinkContext, value });
+      }
+    });
+  };
+
+  instr.getMapReduceVulnerabilityInfo = function getMapReduceVulnerabilityInfo(argToCheck, argIdx, sourceContext, metadata) {
+    const { name, hooked, orig } = metadata;
+    const sinkContext = {
+      name,
+      stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
+    };
+
+    if (argIdx !== 2 && isString(argToCheck)) {
+      inputTracing.nosqlInjectionMongo(sourceContext, { ...sinkContext, value: argToCheck });
       return;
     }
-    if (op.q.$where) {
-      return op.q.$where;
-    }
-    return op.q;
-  }
 
-  function preHook(value, { name, hooked, orig }) {
-    const sourceContext = getSourceContext(name);
+    if (!isNonEmptyObject(argToCheck)) return;
 
-    if (!sourceContext || !value) return;
+    traverseKeys(argToCheck, (_path, _type, key) => {
+      const vulnerableProps = [
+        'query',
+        'finalize',
+      ];
+      if (vulnerableProps.includes(key)) {
+        inputTracing.nosqlInjectionMongo(sourceContext, { ...sinkContext, value: argToCheck[key] });
+      }
+    });
+  };
 
+  instr.getGroupVulnerabilityInfo = function getGroupVulnerabilityInfo(argToCheck, argIdx, sourceContext, metadata) {
+    const { name, hooked, orig } = metadata;
     const sinkContext = {
       name,
-      value,
       stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
     };
-    inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);
-  }
 
-  function CollectionVal({ args, ...ctx }) {
-    const value = typeof args[0] == 'function' ? null : args[0];
-    preHook(value, ctx);
-  }
+    if (argIdx !== 1 && isString(argToCheck)) {
+      inputTracing.nosqlInjectionMongo(sourceContext, { ...sinkContext, value: argToCheck });
+      return;
+    }
 
-  function dbCommandVal({ args, ...ctx }) {
-    const value = args[0]?.filter;
-    preHook(value, ctx);
-  }
+    if (!isNonEmptyObject(argToCheck)) return;
 
-  function v4CursorVal({ args, ...ctx }) {
-    const value = args[2];
-    preHook(value, ctx);
-  }
+    inputTracing.nosqlInjectionMongo(sourceContext, { ...sinkContext, value: argToCheck });
+  };
 
-  function v3CursorVal({ args, ...ctx }, version) {
-    const value = getCursorQueryData(args, version);
-    preHook(value, ctx);
-  }
+  function createAroundHook(getInfoMethod, vulnerableArgIdxs) {
+    const argsIdxsToCheck = vulnerableArgIdxs || [0];
+    return function(next, data) {
+      const { args, name, hooked, orig } = data;
+      const sourceCtx = getSourceContext(name);
+
+      if (instrumentation.isLocked() || !sourceCtx) {
+        return next();
+      }
+
+      for (const argIdx of argsIdxsToCheck) {
+        getInfoMethod(args[argIdx], argIdx, sourceCtx, { name, hooked, orig });
+      }
 
-  function firstArgVal({ args, ...ctx }) {
-    const value = args[0];
-    preHook(value, ctx);
+      return next();
+      // return methodsWithNestedCalls.includes(method) ? runInActiveSink(NOSQL_INJECTION_MONGO, async () => await next()) : next();
+    };
   }
 
-  function v3TopologyVal({ args, ...ctx }) {
-    const ops = Array.isArray(args[1]) ? args[1] : [args[1]];
-    for (const op of ops) {
-      const value = op && getOpQueryData(op);
-      if (value) {
-        preHook(value, ctx);
+  instr.install = function() {
+    depHooks.resolve({ name: 'mongodb' }, (mongodb, version) => {
+      patchCollection(mongodb, version);
+      patchDatabase(mongodb, version);
+    });
+  };
+
+  function patchCollection(mongodb, version) {
+    const proto = mongodb.Collection.prototype;
+    for (const method of collectionMethods) {
+      const name = `mongodb.Collection.prototype.${method}`;
+
+      if (!proto[method]) {
+        logger.trace({ name, version }, 'method not found - skipping instrumentation');
+        continue;
+      }
+
+      if (method === 'aggregate') {
+        patcher.patch(proto, method, {
+          name,
+          patchType,
+          around: createAroundHook(instr.getAggregateVulnerabilityInfo)
+        });
+      } else if (method === 'mapReduce') {
+        patcher.patch(proto, method, {
+          name,
+          patchType,
+          around: createAroundHook(instr.getMapReduceVulnerabilityInfo, [0, 1, 2])
+        });
+      } else if (method === 'group') {
+        patcher.patch(proto, method, {
+          name,
+          patchType,
+          around: createAroundHook(instr.getGroupVulnerabilityInfo, [0, 1, 3])
+        });
+      } else {
+        patcher.patch(proto, method, {
+          name,
+          patchType,
+          around: createAroundHook(instr.getQueryVulnerabilityInfo)
+        });
       }
     }
   }
 
-  function install() {
-    [
-      {
-        moduleName,
-        version: '>=2.0.0 <3.0.0 || >=4.0.0',
-        patchObjects: [
-          {
-            name: 'Collection.prototype',
-            methods: [
-              'update',
-              'updateOne',
-              'replaceOne',
-              'updateMany',
-              'remove',
-              'deleteOne',
-              'deleteMany',
-              'findAndModify',
-              'findOneAndDelete',
-              'findOneAndReplace',
-              'findOneAndUpdate',
-              'countDocuments',
-              'count',
-              'distinct',
-              'aggregate'
-            ],
-            patchType,
-            preHookFn: CollectionVal
-          },
-          {
-            name: 'Db.prototype',
-            methods: ['command'],
-            patchType,
-            preHookFn: dbCommandVal
-          }
-        ]
-      },
-      {
-        moduleName,
-        version: '>=4.0.0',
-        file: 'lib/cursor/find_cursor',
-        patchObjects: [
-          {
-            methods: ['FindCursor'],
-            patchType,
-            preHookFn: v4CursorVal
-          }
-        ]
-      },
-      {
-        moduleName,
-        version: '<4.0.0',
-        patchObjects: [
-          {
-            name: 'CoreServer.prototype',
-            methods: ['cursor'],
-            patchType,
-            preHookFn: v3CursorVal
-          },
-          {
-            name: 'Db.prototype',
-            methods: ['command'],
-            patchType,
-            preHookFn: dbCommandVal
-          },
-          {
-            name: 'Db.prototype',
-            methods: ['eval'],
-            patchType,
-            preHookFn: firstArgVal
-          },
-          {
-            name: 'Collection.prototype',
-            methods: ['find'],
-            patchType,
-            preHookFn: firstArgVal
-          },
-        ]
-      },
-      {
-        moduleName,
-        file: 'lib/topologies/topology_base.js',
-        version: '<4.0.0 >=3.0.0',
-        patchObjects: [
-          {
-            name: 'TopologyBase.prototype',
-            methods: ['update', 'remove'],
-            patchType,
-            preHookFn: v3TopologyVal
-          },
-          {
-            name: 'TopologyBase.prototype',
-            methods: ['command'],
-            patchType,
-            preHookFn: v3CursorVal
-          }
-        ]
-      },
-      {
-        moduleName,
-        file: 'lib/topologies/native_topology.js',
-        version: '<4.0.0 >=3.0.0',
-        patchObjects: [
-          {
-            name: 'NativeTopology.prototype',
-            patchName: 'prototype',
-            methods: ['update', 'remove'],
-            patchType,
-            preHookFn: v3TopologyVal
-          },
-          {
-            name: 'NativeTopology.prototype',
-            patchName: 'prototype',
-            methods: ['command'],
-            patchType,
-            preHookFn: v3CursorVal
-          }
-        ]
-      },
-    ].forEach(({ moduleName, file, version, patchObjects }) => {
-      instrument({
-        moduleName,
-        file,
-        version,
-        patchObjects
-      });
-    });
+  function patchDatabase(mongodb, version) {
+    const proto = mongodb.Db.prototype;
+    for (const method of dbMethods) {
+      const name = `mongodb.Db.prototype.${method}`;
+
+      if (!proto[method]) {
+        logger.trace({ name, version }, 'method not found - skipping instrumentation');
+        continue;
+      }
+
+      if (method === 'aggregate') {
+        patcher.patch(proto, method, {
+          name,
+          patchType,
+          around: createAroundHook(instr.getAggregateVulnerabilityInfo)
+        });
+      } else {
+        patcher.patch(proto, method, {
+          name,
+          patchType,
+          around: createAroundHook(instr.getQueryVulnerabilityInfo)
+        });
+      }
+    }
   }
-  const mongodbInstr = (core.protect.inputTracing.mongodbInstrumentation = {
-    install,
-  });
 
-  return mongodbInstr;
+  return instr;
 };

package/lib/policy.js

@@ -346,6 +346,8 @@ module.exports = function (core) {
   }
 
   messages.on(SERVER_SETTINGS_UPDATE, (msg) => {
+    if (!config.getEffectiveValue('protect.enable')) return;
+
     updateExclusions(msg);
     updateGlobalPolicy(msg);
   });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.25.1",
+  "version": "1.27.0",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -19,8 +19,8 @@
   "dependencies": {
     "@contrast/agent-lib": "^7.0.1",
     "@contrast/common": "1.15.1",
-    "@contrast/core": "1.23.1",
-    "@contrast/esm-hooks": "1.19.1",
+    "@contrast/core": "1.25.0",
+    "@contrast/esm-hooks": "1.21.0",
     "@contrast/scopes": "1.4.0",
     "ipaddr.js": "^2.0.1",
     "semver": "^7.3.7"