@contrast/protect 1.28.0 → 1.29.0

package/lib/esm-loader.mjs

@@ -14,4 +14,57 @@
  */
 
 import esmHooks from '@contrast/esm-hooks';
-export const { getSource, transformSource, load } = esmHooks();
+import { createRequire } from 'node:module';
+
+const ERROR_MESSAGE = 'A fatal agent installation error has occurred. The application will be run without instrumentation.';
+
+let getSource = async function getSource(url, context, defaultGetSource) {
+  return defaultGetSource(url, context, defaultGetSource);
+};
+
+let transformSource = async function transformSource(url, context, defaultTransformSource) {
+  return defaultTransformSource(url, context, defaultTransformSource);
+};
+
+let load = async function load(url, context, defaultLoad) {
+  return defaultLoad(url, context, defaultLoad);
+};
+
+const require = createRequire(import.meta.url);
+const { name: agentName, version: agentVersion } = require('../package.json');
+const core = { agentName, agentVersion };
+try {
+  require('@contrast/core/lib/messages')(core);
+  require('@contrast/config')(core);
+  require('@contrast/logger').default(core);
+
+  // @contrast/info ?
+  require('@contrast/core/lib/agent-info')(core);
+  require('@contrast/core/lib/system-info')(core);
+  require('@contrast/core/lib/app-info')(core);
+  require('@contrast/core/lib/sensitive-data-masking')(core);
+  require('@contrast/core/lib/is-agent-path')(core);
+  require('@contrast/core/lib/capture-stacktrace')(core);
+
+  require('@contrast/patcher')(core);
+  require('@contrast/rewriter')(core); // merge contrast-methods?
+  require('@contrast/core/lib/contrast-methods')(core); // can we remove dependency on patcher?
+
+  require('@contrast/dep-hooks')(core);
+  require('@contrast/scopes')(core);
+  require('@contrast/deadzones')(core);
+  require('@contrast/reporter').default(core);
+  require('@contrast/instrumentation')(core);
+
+  // TODO: i think we still need to INSTALL components.
+  ({ getSource, transformSource, load } = esmHooks(core));
+} catch (err) {
+  // TODO: Consider proper UNINSTALLATION and normal startup w/o agent
+  if (core.logger) {
+    core.logger.error({ err }, ERROR_MESSAGE);
+  } else {
+    console.error(new Error(ERROR_MESSAGE, { cause: err }));
+  }
+}
+
+export { getSource, transformSource, load };

package/lib/index.d.ts

@@ -131,4 +131,6 @@ export interface Protect {
   version: string;
 }
 
-export default function(core: Core): ProtectMessage;
+declare function init(core: Core): ProtectMessage;
+
+export = init;

package/lib/input-analysis/handlers.js

@@ -301,7 +301,8 @@ module.exports = function(core) {
     const { policy: { rulesMask } } = sourceContext;
 
     const cookiesArr = Object.entries(cookies).reduce((acc, [key, value]) => {
-      acc.push(key, value);
+      // things like booleans will cause agent-lib to throw
+      if (isString(value)) acc.push(key, value);
       return acc;
     }, []);
 

package/lib/input-analysis/install/express4.js

@@ -93,7 +93,7 @@ module.exports = (core) => {
             // we can exit early if
             //  the layer doesn't match the request or
             //  the layer doesn't recognize any parameters
-            if (!data.result || !layer.keys || layer.keys.length === 0 || layer.route.path === '*') {
+            if (!data.result || !layer.keys || layer.keys.length === 0 || layer.route?.path === '*') {
               return;
             }
 

package/lib/input-tracing/handlers/index.js

@@ -220,6 +220,11 @@ module.exports = function(core) {
         if (stringFindings) {
           const nosqlInjectionResult = { ...result, ruleId, mappedId: ruleId };
 
+          // don't modify ssjs-injection result items so use new exploit metadata array here
+          if (nosqlInjectionResult.idsList?.some?.((id) => id.startsWith('SSJS'))) {
+            nosqlInjectionResult.exploitMetadata = [];
+          }
+
           const nosqlInjectionResults = sourceContext.resultsMap[ruleId];
           const isAlreadyPresentInNosqlresults = result.idsList &&
             result.idsList.some(

package/lib/input-tracing/install/vm.js

@@ -18,7 +18,21 @@
 const { isString, isNonEmptyObject } = require('@contrast/common');
 const { patchType } = require('../constants');
 
-module.exports = function(core) {
+const VM_METHODS = [
+  ['Script', 1],
+  ['createContext', 1],
+  ['compileFunction', 1],
+  ['runInContext', 2],
+  ['runInNewContext', 2],
+  ['runInThisContext', 1],
+];
+
+const SCRIPT_METHODS = [
+  'runInContext',
+  'runInNewContext'
+];
+
+module.exports = function (core) {
   const {
     scopes: { instrumentation },
     patcher,
@@ -27,15 +41,15 @@ module.exports = function(core) {
     protect: { inputTracing }
   } = core;
 
-  function pre({ args, hooked, orig, name }) {
+  const createPre = (arity) => ({ args, hooked, orig, name }) => {
     if (instrumentation.isLocked()) return;
 
     const sourceContext = protect.getSourceContext(name);
     if (!sourceContext) return;
 
-    for (let i = 0; i < (name === 'vm.runInNewContext' ? 2 : 1); i++) {
+    for (let i = 0; i < arity; i++) {
       const arg = args[i];
-      if (!((arg && isString(arg)) || isNonEmptyObject(arg))) continue;
+      if (!arg || !(isString(arg) || isNonEmptyObject(arg))) continue;
 
       const sinkContext = {
         name,
@@ -44,37 +58,29 @@ module.exports = function(core) {
       };
       inputTracing.ssjsInjection(sourceContext, sinkContext);
     }
-  }
+  };
 
-  function install() {
-    depHooks.resolve({ name: 'vm' }, (vm) => {
-      [
-        'Script',
-        'createScript',
-        'runInContext',
-        'runInThisContext',
-        'createContext',
-        'runInNewContext'
-      ].forEach(
-        (method) => {
-          const name = `vm.${method}`;
+  const vmInstrumentation = inputTracing.vmInstrumentation = {
+    install() {
+      depHooks.resolve({ name: 'vm' }, (vm) => {
+        VM_METHODS.forEach(([method, arity]) => {
           patcher.patch(vm, method, {
-            name,
+            name: `vm.${method}`,
             patchType,
-            pre
+            pre: createPre(arity)
           });
-        }
-      );
+        });
 
-      patcher.patch(vm.Script.prototype, 'runInNewContext', {
-        name: 'vm.Script.prototype.runInNewContext',
-        patchType,
-        pre
+        SCRIPT_METHODS.forEach((method) => {
+          patcher.patch(vm.Script.prototype, method, {
+            name: `vm.Script.prototype.${method}`,
+            patchType,
+            pre: createPre(1)
+          });
+        });
       });
-    });
-  }
-
-  const vmInstrumentation = inputTracing.vmInstrumentation = { install };
+    }
+  };
 
   return vmInstrumentation;
 };

package/lib/policy.js

@@ -39,7 +39,7 @@ const {
     UNTRUSTED_DESERIALIZATION,
     XXE,
   },
-  Event: { SERVER_SETTINGS_UPDATE },
+  Event,
   toLowerCase,
   split,
   join
@@ -345,7 +345,7 @@ module.exports = function (core) {
     }
   }
 
-  messages.on(SERVER_SETTINGS_UPDATE, (msg) => {
+  messages.on(Event.SERVER_SETTINGS_UPDATE, (msg) => {
     if (!config.getEffectiveValue('protect.enable')) return;
 
     updateExclusions(msg);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.28.0",
+  "version": "1.29.0",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -18,9 +18,9 @@
   },
   "dependencies": {
     "@contrast/agent-lib": "^7.0.1",
-    "@contrast/common": "1.15.1",
-    "@contrast/core": "1.26.0",
-    "@contrast/esm-hooks": "1.22.0",
+    "@contrast/common": "1.16.0",
+    "@contrast/core": "1.27.0",
+    "@contrast/esm-hooks": "1.23.0",
     "@contrast/scopes": "1.4.0",
     "ipaddr.js": "^2.0.1",
     "semver": "^7.3.7"