@contrast/protect 1.4.0 → 1.5.0

package/lib/error-handlers/index.js

@@ -18,14 +18,17 @@
 module.exports = function(core) {
   const errorHandlers = core.protect.errorHandlers = {};
 
-  require('./install/fastify3')(core);
+  require('./install/fastify')(core);
   require('./install/koa2')(core);
   require('./install/express4')(core);
+  require('./install/hapi')(core);
 
   errorHandlers.install = function() {
-    errorHandlers.fastify3ErrorHandler.install();
-    errorHandlers.koa2ErrorHandler.install();
-    errorHandlers.express4ErrorHandler.install();
+    for (const component of Object.values(errorHandlers)) {
+      if (component.install) {
+        component.install();
+      }
+    }
   };
 
   return errorHandlers;

package/lib/error-handlers/install/{fastify3.js → fastify.js}

@@ -25,7 +25,7 @@ module.exports = function(core) {
     protect,
   } = core;
 
-  const fastify3ErrorHandler = protect.errorHandlers.fastify3ErrorHandler = {
+  const fastifyErrorHandler = protect.errorHandlers.fastifyErrorHandler = {
     _userHandler: null
   };
 
@@ -33,7 +33,7 @@ module.exports = function(core) {
    * This is the default handler from fastify's source code. If it's not a
    * Contrast error and the user didn't supply their own we should use this.
    */
-  fastify3ErrorHandler.defaultErrorHandler = function (error, request, reply) {
+  fastifyErrorHandler.defaultErrorHandler = function (error, request, reply) {
     if (reply.statusCode < 500) {
       reply.log.info({ res: reply, err: error }, error && error.message);
     } else {
@@ -47,17 +47,17 @@ module.exports = function(core) {
 
   /**
    * Check if the error being handled was thrown by Contrast. If not,
-   * use either the default fastify3 error handler or the user-defined handler
+   * use either the default fastify error handler or the user-defined handler
    * if one was specified by calling fastify.setErrorHandler(fn).
    * @param {error} err error being handled
    * @param {object} request fastify request
    * @param {object} reply fastify repoly
    */
-  fastify3ErrorHandler.handler = function(err, request, reply) {
-    const normalHandler = fastify3ErrorHandler._userHandler || fastify3ErrorHandler.defaultErrorHandler;
+  fastifyErrorHandler.handler = function(err, request, reply) {
+    const normalHandler = fastifyErrorHandler._userHandler || fastifyErrorHandler.defaultErrorHandler;
 
     if (isSecurityException(err)) {
-      const sourceContext = protect.getSourceContext('fastify3.errorHandler');
+      const sourceContext = protect.getSourceContext('fastify.errorHandler');
 
       if (!sourceContext) {
         normalHandler.call(this, err, request, reply);
@@ -73,14 +73,14 @@ module.exports = function(core) {
   /**
    * Instruments fastify in order to add our custom error handler.
    */
-  fastify3ErrorHandler.install = function() {
-    depHooks.resolve({ name: 'fastify', version: '<=4.0.0' }, (fastify) => patcher.patch(fastify, {
+  fastifyErrorHandler.install = function() {
+    depHooks.resolve({ name: 'fastify', version: '<=3 <5' }, (fastify) => patcher.patch(fastify, {
       name: 'fastify',
       patchType,
       post(data) {
         const { result: server } = data;
         // Set our custom handler initially
-        server.setErrorHandler(fastify3ErrorHandler.handler);
+        server.setErrorHandler(fastifyErrorHandler.handler);
 
         // Patch, so that if someone sets their own, we override with ours. But,
         // we do need to keep a reference to it so we can still call it for when
@@ -89,13 +89,13 @@ module.exports = function(core) {
           name: 'fastify.setErrorHandler',
           patchType,
           pre({ args }) {
-            fastify3ErrorHandler._userHandler = args[0];
-            args[0] = fastify3ErrorHandler.handler;
+            fastifyErrorHandler._userHandler = args[0];
+            args[0] = fastifyErrorHandler.handler;
           }
         });
       }
     }));
   };
 
-  return fastify3ErrorHandler;
+  return fastifyErrorHandler;
 };

package/lib/error-handlers/install/hapi.js

@@ -0,0 +1,75 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const SecurityException = require('../../security-exception');
+const { patchType } = require('../constants');
+
+
+module.exports = function (core) {
+  const {
+    logger,
+    depHooks,
+    patcher,
+    protect,
+  } = core;
+
+  const hapiErrorHandler = protect.errorHandlers.hapiErrorHandler = {};
+
+  const registerErrorHandler = (boom, name) => {
+    patcher.patch(boom, 'boomify', {
+      name: `${name}.boomify`,
+      patchType,
+      post(data) {
+        const [err] = data.args;
+        const sourceContext = protect.getSourceContext('Hapi.boom.boomify');
+        const isSecurityException = SecurityException.isSecurityException(err);
+
+        if (isSecurityException && sourceContext && err.output.statusCode !== 403) {
+          const [mode, ruleId] = sourceContext.findings.securityException;
+          sourceContext.block('block', 'cmd-injection');
+
+          err.output.statusCode = 403;
+          err.reformat();
+          err.output.payload = undefined;
+          data.result = null;
+
+          logger.info({ mode, ruleId }, 'Request blocked');
+
+          return;
+        }
+
+        if (!sourceContext && isSecurityException) {
+          logger.info('source context not found; unable to handle response');
+        }
+      }
+    });
+  };
+
+  hapiErrorHandler.install = function () {
+    depHooks.resolve(
+      { name: 'boom' },
+      (boom) => registerErrorHandler(boom, 'boom'),
+    );
+
+    depHooks.resolve(
+      { name: '@hapi/boom' },
+      (boom) => registerErrorHandler(boom, '@hapi/boom'),
+    );
+  };
+
+  return hapiErrorHandler;
+};

package/lib/hardening/handlers.js

@@ -37,7 +37,7 @@ module.exports = function(core) {
 
   hardening.handleUntrustedDeserialization = function(sourceContext, sinkContext) {
     const ruleId = 'untrusted-deserialization';
-    const { mode } = sourceContext.rules.agentRules[ruleId];
+    const mode = sourceContext.policy[ruleId];
     const { name, value } = sinkContext;
 
     if (mode === 'off') return;

package/lib/index.js

@@ -16,20 +16,14 @@
 'use strict';
 
 const agentLib = require('@contrast/agent-lib');
+const { installChildComponentsSync } = require('@contrast/common');
 
 module.exports = function(core) {
   const protect = core.protect = {
     agentLib: module.exports.instantiateAgentLib(agentLib),
   };
 
-  const rules = instantiateRulesFromConfig(
-    core.config.protect.rules,
-    core.config.protect.disabled_rules,
-    protect.agentLib,
-  );
-
-  protect.rules = rules;
-
+  require('./policy')(core);
   require('./throw-security-exception')(core);
   require('./make-response-blocker')(core);
   require('./make-source-context')(core);
@@ -44,10 +38,7 @@ module.exports = function(core) {
   protect.version = pkj.version;
 
   protect.install = function() {
-    protect.inputAnalysis.install();
-    protect.inputTracing.install();
-    protect.hardening.install();
-    protect.errorHandlers.install();
+    installChildComponentsSync(protect)
   };
 
   return protect;
@@ -71,38 +62,3 @@ function instantiateAgentLib(lib) {
   }
   return agentLib;
 }
-
-/**
- * This function instatiates the rules as defined in the configuration into
- * some structure. I'm in no way convinced or asserting that this is the right
- * structure but it does get a usable definition of rules in place. The final
- * structure will change based on what exactly TS sends as well as what the needs
- * of the code accessing the rules, exclusions, virtual-patches, etc.
- *
- * @param {Object} rules the rules object in the config.protect object.
- * @param {string[]} disabled array of disabled rules from config.protect
- * @param {Object} agentLib the agent-lib instance
- * @returns {Object} { agentLibRules, agentLibRulesMask, agentRules }
- */
-function instantiateRulesFromConfig(rules, disabled, agentLib) {
-  const agentLibRules = {};
-  let agentLibRulesMask = 0;
-  const agentRules = {};
-
-  for (const ruleId in rules) {
-    if (disabled.indexOf(ruleId) >= 0 || rules[ruleId].mode === 'off') {
-      continue;
-    }
-    // [matt] this is awkward. we should probably make each nosql-injection-x
-    // rule separate in the config and only convert them to 'nosql-injection'
-    // for reporting.
-    if (agentLib.RuleType[ruleId]) {
-      agentLibRules[ruleId] = rules[ruleId];
-      agentLibRulesMask = agentLibRulesMask | agentLib.RuleType[ruleId];
-    } else {
-      agentRules[ruleId] = rules[ruleId];
-    }
-  }
-
-  return { agentLibRules, agentLibRulesMask, agentRules };
-}

package/lib/input-analysis/handlers.js

@@ -113,15 +113,15 @@ module.exports = function(core) {
   inputAnalysis.handleConnect = function handleConnect(sourceContext, connectInputs) {
     if (!sourceContext || sourceContext.allowed) return;
 
-    const { rules: { agentLibRules, agentLibRulesMask: mask } } = sourceContext;
+    const { policy: { rulesMask } } = sourceContext;
 
     inputAnalysis.handleVirtualPatches(sourceContext, { URLS: connectInputs.rawUrl, HEADERS: connectInputs.headers });
 
     // initialize findings to the basics
     let block = undefined;
-    if (mask !== 0) {
-      const findings = agentLib.scoreRequestConnect(mask, connectInputs, preferWW);
-      block = mergeFindings(agentLibRules, sourceContext.findings, findings);
+    if (rulesMask !== 0) {
+      const findings = agentLib.scoreRequestConnect(rulesMask, connectInputs, preferWW);
+      block = mergeFindings(sourceContext, findings);
     }
 
     return block;
@@ -198,7 +198,7 @@ module.exports = function(core) {
 
     inputAnalysis.handleVirtualPatches(sourceContext, { PARAMETERS: urlParams });
 
-    const { rules, rules: { agentLibRulesMask: mask } } = sourceContext;
+    const { policy: { rulesMask } } = sourceContext;
     const resultsList = [];
     const { UrlParameter } = agentLib.InputType;
 
@@ -207,7 +207,7 @@ module.exports = function(core) {
       if (type !== 'Value') {
         return;
       }
-      const items = agentLib.scoreAtom(mask, value, UrlParameter, preferWW);
+      const items = agentLib.scoreAtom(rulesMask, value, UrlParameter, preferWW);
       if (!items) {
         return;
       }
@@ -236,7 +236,7 @@ module.exports = function(core) {
       resultsList,
     };
 
-    const block = mergeFindings(rules.agentLibRules, sourceContext.findings, urlParamsFindings);
+    const block = mergeFindings(sourceContext, urlParamsFindings);
 
     if (block) {
       core.protect.throwSecurityException(sourceContext);
@@ -262,10 +262,10 @@ module.exports = function(core) {
 
     inputAnalysis.handleVirtualPatches(sourceContext, { HEADERS: cookies });
 
-    const { rules, rules: { agentLibRulesMask: mask } } = sourceContext;
-    const cookieFindings = agentLib.scoreRequestConnect(mask, { cookies: cookiesArr }, preferWW);
+    const { policy: { rulesMask } } = sourceContext;
+    const cookieFindings = agentLib.scoreRequestConnect(rulesMask, { cookies: cookiesArr }, preferWW);
 
-    const block = mergeFindings(rules.agentLibRules, sourceContext.findings, cookieFindings);
+    const block = mergeFindings(sourceContext, cookieFindings);
 
     if (block) {
       core.protect.throwSecurityException(sourceContext);
@@ -397,11 +397,12 @@ module.exports = function(core) {
    * @returns {Array | undefined} returns an array with block info if vulnerability was found.
    */
   function commonObjectAnalyzer(sourceContext, object, inputTypes) {
-    const { rules, rules: { agentLibRulesMask: mask } } = sourceContext;
+    const { policy: { rulesMask } } = sourceContext;
+    if (!rulesMask) return;
+
     // use inputTypes to set params...
     const { keyType, inputType } = inputTypes;
     const inputTypeStr = inputTypes === jsonInputTypes ? 'Json' : 'Parameter';
-    const { Where } = agentLib.MongoQueryType;
     const resultsList = [];
 
     // it's possible to optimize this if qs (or a similar package) is not loaded
@@ -420,7 +421,7 @@ module.exports = function(core) {
     /* eslint-disable-next-line complexity */
     simpleTraverse(object, function(path, type, value) {
       let itemType;
-      let mongoQueryType;
+      let isMongoQueryType;
       // this is a bit awkward now because nosql-injection-mongo is not integrated
       // into the scoreAtom() function (or the check_input() function it uses). as
       // a result, the two rules need to be checked independently and the results
@@ -428,14 +429,14 @@ module.exports = function(core) {
       // TODO AGENT-205
       if (type === 'Key') {
         itemType = keyType;
-        if (mask & agentLib.RuleType['nosql-injection-mongo']) {
-          mongoQueryType = agentLib.getMongoQueryType(value);
+        if (rulesMask & agentLib.RuleType['nosql-injection-mongo']) {
+          isMongoQueryType = agentLib.isMongoQueryType(value);
         }
       } else {
         itemType = inputType;
       }
-      let items = agentLib.scoreAtom(mask, value, itemType, preferWW);
-      if (!items && !mongoQueryType) {
+      let items = agentLib.scoreAtom(rulesMask, value, itemType, preferWW);
+      if (!items && !isMongoQueryType) {
         return;
       }
       if (!items) {
@@ -444,18 +445,13 @@ module.exports = function(core) {
       let mongoPath;
       // if the key was a mongo query key, then add it to the items. it requires
       // that additional information is kept as well.
-      if (mongoQueryType) {
+      if (isMongoQueryType) {
         const inputToCheck = getValueAtKey(object, path, value);
         // because scoreRequestConnect() returns the query type in the value, we
         // mimic it here (where scoreAtom() was used). the actual object/string
         // to match is stored as `inputToCheck`.
-        const inputType = typeof inputToCheck;
-        // query types up to Where, inclusive, accept either string or object values. Where and above accept only string values
-        if (mongoQueryType <= Where || inputType === 'string') {
-          // the query-type/input-type combination is valid. add a synthesized item.
-          const item = { ruleId: 'nosql-injection-mongo', score: 10, mongoContext: { inputToCheck } };
-          items.push(item);
-        }
+        const item = { ruleId: 'nosql-injection-mongo', score: 10, mongoContext: { inputToCheck } };
+        items.push(item);
       }
       // make each item a complete Finding
       for (const item of items) {
@@ -464,8 +460,7 @@ module.exports = function(core) {
           inputType: `${inputTypeStr}${type}`,
           path: mongoPath || path.slice(),
           key: type === 'Key' ? value : path[path.length - 1],
-          // mimic scoreRequestConnect() returning the query type as the value
-          value: mongoQueryType || value,
+          value,
           score: item.score,
           idsList: [],
         };
@@ -488,7 +483,7 @@ module.exports = function(core) {
       resultsList,
     };
 
-    return mergeFindings(rules.agentLibRules, sourceContext.findings, findings);
+    return mergeFindings(sourceContext, findings);
   }
 
   function ipListAnalysis(reqIp, reqHeaders, list) {
@@ -543,11 +538,13 @@ module.exports = function(core) {
  * @param {Object} newFindings the findings, in {trackRequest, resultsList} format.
  * @returns {undefined|[String]} undefined to permit else [mode, rule] to block.
  */
-function mergeFindings(rules, findings, newFindings) {
+function mergeFindings(sourceContext, newFindings) {
+  const { findings, policy } = sourceContext;
+
   if (!newFindings.trackRequest) {
     return findings.securityException;
   }
-  normalizeFindings(rules, newFindings);
+  normalizeFindings(policy, newFindings);
 
   findings.trackRequest = findings.trackRequest || newFindings.trackRequest;
   findings.securityException = findings.securityException || newFindings.securityException;
@@ -566,7 +563,7 @@ function mergeFindings(rules, findings, newFindings) {
 //
 // add common fields to findings.
 //
-function normalizeFindings(rules, findings) {
+function normalizeFindings(policy, findings) {
   // now both augment the rules and check to see if any require blocking
   // at perimeter.
   for (const r of findings.resultsList) {
@@ -590,7 +587,7 @@ function normalizeFindings(rules, findings) {
     // option and that implies that there is no sink, so this is the only place at
     // which the block can occur. so at a minimum 'block' should also result in a
     // block.
-    const { mode } = rules[r.ruleId];
+    const mode = policy[r.ruleId];
     if (r.score >= 90 && BLOCKING_MODES.includes(mode)) {
       r.blocked = true;
       findings.securityException = [mode, r.ruleId];

package/lib/input-analysis/index.js

@@ -15,6 +15,8 @@
 
 'use strict';
 
+const { installChildComponentsSync } = require('@contrast/common');
+
 module.exports = function(core) {
   const inputAnalysis = core.protect.inputAnalysis = {};
 
@@ -35,20 +37,17 @@ module.exports = function(core) {
   require('./install/universal-cookie4')(core);
 
   // framework specific instrumentation
-  require('./install/fastify3')(core);
+  require('./install/fastify')(core);
   require('./install/koa2')(core);
   require('./install/express4')(core);
+  require('./install/hapi')(core);
 
   // virtual patches
   require('./virtual-patches')(core);
   require('./ip-analysis')(core);
 
   inputAnalysis.install = function() {
-    Object.values(inputAnalysis)
-      .filter((property) => property.install)
-      .forEach((library) => {
-        library.install();
-      });
+    installChildComponentsSync(inputAnalysis);
   };
 
   return inputAnalysis;

package/lib/input-analysis/install/body-parser1.js

@@ -33,8 +33,18 @@ module.exports = (core) => {
       if (sourceContext && req.body && Object.keys(req.body).length) {
         sourceContext.parsedBody = req.body;
 
+        if (fnName === 'bodyParser.text' && typeof req.body === 'string') {
+          try {
+            sourceContext.parsedBody = JSON.parse(req.body);
+          } catch (err) {
+            logger.error({ err }, 'Error parsing with bodyParser.text()');
+            origNext();
+            return;
+          }
+        }
+
         try {
-          inputAnalysis.handleParsedBody(sourceContext, req.body);
+          inputAnalysis.handleParsedBody(sourceContext, sourceContext.parsedBody);
         } catch (err) {
           if (isSecurityException(err)) {
             securityException = err;

package/lib/input-analysis/install/fastify.js

@@ -0,0 +1,86 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../constants');
+const { isSecurityException } = require('../../security-exception');
+
+/**
+ * Function that exports an install method to patch Fastify framework with our instrumentation
+ * @param {Object} core - the core Contrast object
+ * @return {Object}     object with install method and the other relative functions exported for testing purposes
+ */
+module.exports = (core) => {
+  const {
+    depHooks,
+    patcher,
+    logger,
+    protect,
+    protect: { inputAnalysis },
+  } = core;
+
+  /**
+   * registers a depHook for fastify module instrumentation
+   */
+  function install() {
+    depHooks.resolve({ name: 'fastify', version: '>=3 <5' }, (fastify) => {
+      return patcher.patch(fastify, {
+        name: 'fastify.build',
+        patchType,
+        post({ result: server }) {
+          server.addHook('preValidation', function(request, reply, done) {
+            let securityException;
+            const sourceContext = protect.getSourceContext('Fastify.preValidationHook');
+
+            if (sourceContext) {
+              try {
+                if (request.params) {
+                  sourceContext.parsedParams = request.params;
+                  inputAnalysis.handleUrlParams(sourceContext, request.params);
+                }
+                if (request.cookies) {
+                  sourceContext.parsedCookies = request.cookies;
+                  inputAnalysis.handleCookies(sourceContext, request.cookies);
+                }
+                if (request.body) {
+                  sourceContext.parsedBody = request.body;
+                  inputAnalysis.handleParsedBody(sourceContext, request.body);
+                }
+
+                if (request.query) {
+                  sourceContext.parsedQuery = request.query;
+                  inputAnalysis.handleQueryParams(sourceContext, request.query);
+                }
+              } catch (err) {
+                if (isSecurityException(err)) {
+                  securityException = err;
+                } else {
+                  logger.error({ err }, 'Unexpected error during input analysis');
+                }
+              }
+            }
+
+            done(securityException);
+          });
+        },
+      });
+    });
+  }
+
+  return inputAnalysis.fastifyInstrumentation = {
+    install,
+  };
+};

package/lib/input-analysis/install/hapi.js

@@ -0,0 +1,106 @@
+/*
+ * Copyright: 2022 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { patchType } = require('../constants');
+const { isSecurityException } = require('../../security-exception');
+
+module.exports = (core) => {
+  const {
+    depHooks,
+    patcher,
+    logger,
+    protect,
+    protect: { inputAnalysis },
+  } = core;
+
+  /**
+   * registers a depHook for hapi module instrumentation
+   */
+  function install() {
+    depHooks.resolve(
+      { name: 'hapi', version: '>=18 <21' },
+      registerServerHandler
+    );
+    depHooks.resolve(
+      { name: '@hapi/hapi', version: '>=18 <21' },
+      registerServerHandler
+    );
+  }
+
+  const registerServerHandler = (hapi) => {
+    patcher.patch(hapi, 'server', {
+      name: 'hapi.server',
+      patchType,
+      post(data) {
+        const server = data.result;
+        if (server) {
+          instrumentServer(server);
+        } else {
+          logger.error('Hapi Server is called but there is no server instance!');
+        }
+      }
+    });
+  };
+
+  const instrumentServer = (server) => {
+    server.ext('onPreStart', function onPreStart(core) {
+      logger.info('hapi version %s', core.version);
+    });
+
+    server.ext('onPreHandler', function onPreHandler(req, h) {
+      const sourceContext = protect.getSourceContext('hapi.onPreHandler');
+
+      if (sourceContext) {
+        try {
+          if (req.params && Object.keys(req.params).length) {
+            sourceContext.parsedParams = req.params;
+            inputAnalysis.handleUrlParams(sourceContext, req.params);
+          }
+
+          if (req.cookies && Object.keys(req.cookies).length) {
+            sourceContext.parsedCookies = req.cookies;
+            inputAnalysis.handleCookies(sourceContext, req.cookies);
+          }
+
+          if (req.payload && Object.keys(req.payload).length) {
+            sourceContext.parsedBody = req.payload;
+            inputAnalysis.handleParsedBody(sourceContext, req.payload);
+          }
+
+          if (req.query && Object.keys(req.query).length) {
+            sourceContext.parsedQuery = req.query;
+            inputAnalysis.handleQueryParams(sourceContext, req.query);
+          }
+        } catch (err) {
+          if (isSecurityException(err)) {
+            throw err;
+          } else {
+            logger.error({ err }, 'Unexpected error during input analysis');
+          }
+        }
+      }
+
+      return h.continue;
+    });
+  };
+
+  const hapiInstrumentation = inputAnalysis.hapiInstrumentation = {
+    install
+  };
+
+  return hapiInstrumentation;
+};