@contrast/rewriter 1.20.0 → 1.21.1

package/LICENSE

@@ -1,4 +1,4 @@
-Copyright: 2024 Contrast Security, Inc
+Copyright: 2025 Contrast Security, Inc
 Contact: support@contrastsecurity.com
 License: Commercial
 

package/lib/cache.js

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
 

package/lib/index.js

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
 

package/lib/rewrite-is-deadzoned.js

@@ -0,0 +1,143 @@
+/*
+ * Copyright: 2025 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+
+const { sep } = require('path');
+
+// todo: find optimal way to do these lookups
+const DEADZONED_PATHS = [
+  'ast-types', // CONTRAST-33909: `String` injection causes this module to crash.
+  'angular',
+  'acorn',
+  'archiver',
+  'archiver-utils',
+  'bcrypt',
+  'bcrypt-nodejs',
+  'bcryptjs', // node_modules/bcryptjs/index.js, node_modules/bcryptjs/dist/bcrypt.js
+  '@babel', // this should handle all namespaced packages
+  'babel',
+  'babel-cli',
+  'babel-core',
+  'babel-traverse',
+  'babel-generator',
+  'babylon',
+  'bn.js',
+  'browserify',
+  'bson',
+  'bunyan',
+  'chai', // not sure why chai was rewritten
+  'coffeescript',
+  'compression',
+  '@cyclonedx',
+  'etag',
+  // 'cookie', // todo: verify this doesn't break sources/propagation (*)
+  // 'cookie-signature', // (*)
+  'gzippo', //  149 weekly downloads
+  // 'handlebars', // (*)
+  'handlebars-precompiler',
+  // 'hbs', // ditto
+  'html-webpack-plugin',
+  'iconv-lite',
+  'jquery',
+  'jsrsasign',
+  'less',
+  // 'dustjs-linkedin', // todo
+  'logger-console', // 2 weekly downloads
+  'loopback-datasource-juggler',
+  'moment',
+  'moment-timezone',
+  'node-forge',
+  'node-webpack',
+  'pem',
+  'react',
+  'react-dom', // doesn't this cover the next line?
+  //'react-dom/server',
+  'requirejs',
+  'semver',
+  'strong-remoting',
+  'type-is',
+  'uglify-js',
+];
+
+// maybe make the value an object for more complex strategies in the future
+// NOTE: they key should appear in the list above as well. if it's not there
+// then this object will never be checked.
+const CUSTOM_REWRITERS = {
+  'acorn': 'no-propagation',
+  'archiver': 'no-propagation',
+  'babel-core': 'no-propagation',
+  '@babel': 'no-propagation',
+  'bcryptjs': 'no-propagation',
+  'bson': 'no-propagation',
+  'coffeescript': 'no-propagation',
+  'jsrsasign': 'no-propagation',
+  'less': 'no-propagation',
+  '@cyclonedx': 'no-propagation',
+};
+
+const nodeModules = `${sep}node_modules${sep}`;
+
+function rewriteIsDeadzoned(absolutePath) {
+  // we should only match the last node_modules folder
+  const startingPoint = absolutePath.lastIndexOf(nodeModules) + nodeModules.length;
+
+  for (const path of DEADZONED_PATHS) {
+    const start = absolutePath.indexOf(path, startingPoint);
+    // we return the name of the deadzoned module if it is found
+    if (start >= 0 && (start + path.length === absolutePath.length || absolutePath[start + path.length] === sep)) {
+      return path;
+    }
+  }
+
+  return undefined;
+}
+
+// the next function is used if/when we implement custom rewrite strategies.
+// NODE-3512 implements that and this was taken from there.
+
+/**
+ * Returns an array with a package name and that package's rewrite strategy.
+ * The package name is only returned the package strategy is not 'default'.
+ * Strategies:
+ * - 'default': rewrite the module using the original, default rewriter
+ * - 'deadzone': do not rewrite the module
+ * - 'no-propagation': rewrite the module with the no-propagation rewriter
+ *
+ * why does this return the package name? mostly just because it had to extract
+ * it from the path, so returning means the caller doesn't have to.
+ *
+ * @param {string} absolutePath
+ * @returns {[string | undefined, 'default' | 'deadzone' | 'no-propagation']}
+ */
+function getPackageRewriteStrategy(absolutePath) {
+  const pkg = rewriteIsDeadzoned(absolutePath);
+  if (!pkg) {
+    return [undefined, 'default'];
+  }
+
+  const strategy = CUSTOM_REWRITERS[pkg];
+  if (strategy && process.env.CSI_USE_CUSTOM_REWRITERS) {
+    return [pkg, strategy];
+  }
+
+  return [pkg, 'deadzone'];
+}
+
+module.exports = {
+  DEADZONED_PATHS,
+  CUSTOM_REWRITERS,
+  rewriteIsDeadzoned,
+  getPackageRewriteStrategy,
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/rewriter",
-  "version": "1.20.0",
+  "version": "1.21.1",
   "description": "A transpilation tool mainly used for instrumentation",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -15,10 +15,10 @@
   },
   "dependencies": {
     "@contrast/agent-swc-plugin": "^2.0.0",
-    "@contrast/common": "1.29.0",
-    "@contrast/config": "1.39.0",
-    "@contrast/core": "1.44.0",
-    "@contrast/logger": "1.17.0",
+    "@contrast/common": "1.29.1",
+    "@contrast/config": "1.40.1",
+    "@contrast/core": "1.45.1",
+    "@contrast/logger": "1.18.1",
     "@swc/core": "1.5.29"
   }
 }