@contrast/route-coverage 1.51.0 → 1.52.0

package/lib/install/fastify/fastify-middie.js

@@ -0,0 +1,67 @@
+/*
+ * Copyright: 2025 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+
+const { RouteType } = require('@contrast/common');
+const { patchType, formatHandler } = require('./../../utils/route-info');
+const isArray = (arr) => Array.isArray(arr);
+module.exports = function init(core) {
+  const { patcher, depHooks, routeCoverage } = core;
+
+  return core.routeCoverage.fastifyMiddie = {
+    install() {
+      depHooks.resolve({ name: '@fastify/middie', version: '*', file: 'lib/engine.js' }, (middie) => patcher.patch(middie, {
+        name: 'fastifyMiddie',
+        patchType,
+        post(data) {
+          patcher.patch(data.result, 'use', {
+            name: 'use',
+            patchType,
+            pre(data) {
+              const [url, fn] = data.args;
+              if (!url || !fn || !core.config.getEffectiveValue('assess.report_middleware_routes')) return;
+
+              const middleware = isArray(fn) ? fn : [fn];
+              const formattedPath = isArray(url) ? `[${url.join(', ')}]` : url;
+              const patchedMiddleware = middleware.map((f) => {
+                const formattedHandler = formatHandler(f);
+                const signature = `fastify.use(${formattedPath}, ${formattedHandler})`;
+
+                const routeInfo = {
+                  signature,
+                  url: formattedPath,
+                  method: 'use',
+                  normalizedUrl: formattedPath,
+                  type: RouteType.MIDDLEWARE,
+                  framework: 'fastify'
+                };
+                routeCoverage.discover(routeInfo);
+
+                return patcher.patch(f, {
+                  name: 'middleware',
+                  patchType,
+                  post() {
+                    routeCoverage.observe(routeInfo);
+                  }
+                });
+              });
+              data.args[1] = patchedMiddleware;
+            }
+          });
+        }
+      }));
+    }
+  };
+};

package/lib/install/{fastify.js → fastify/fastify.js}

@@ -14,12 +14,12 @@
  */
 'use strict';
 
-const { getFastifyMethods } = require('../utils/methods');
+const { getFastifyMethods } = require('../../utils/methods');
 const {
   primordials: { StringPrototypeToLowerCase, StringPrototypeSplit },
   RouteType,
 } = require('@contrast/common');
-const { patchType } = require('./../utils/route-info');
+const { patchType, formatHandler } = require('./../../utils/route-info');
 
 // Spec: https://contrast.atlassian.net/wiki/spaces/NOD/pages/3454861621/Node.js+Agent+Route+Signatures#Fastify
 module.exports = function init(core) {
@@ -38,12 +38,12 @@ module.exports = function init(core) {
     return route?.[kRoutePrefix];
   }
 
-  function createRouteInfo(method, url, fullyDeclared, type) {
+  function createRouteInfo(method, url, fullyDeclared, type, handler) {
     method = StringPrototypeToLowerCase.call(method);
 
     const signature = fullyDeclared
-      ? `fastify.route({ method: '${method}', url: '${url}', handler: [Function] })`
-      : `fastify.${method}('${url}', [Function])`;
+      ? `fastify.route({ method: ${method}, url: ${url}, handler: ${formatHandler(handler)} })`
+      : `fastify.${method}(${url}, ${formatHandler(handler)})`;
 
     const routeInfo = {
       signature,
@@ -89,30 +89,30 @@ module.exports = function init(core) {
     }
   }
 
-  function discoverAndPatch(method, path, routeObj, handle, methods, fullyDeclared) {
+  function discoverAndPatch(method, path, routeObj, handle, handler, methods, fullyDeclared) {
     const type = routeObj?.options?.websocket ? RouteType.MESSAGE_BROKER : RouteType.HTTP;
 
     if (Array.isArray(method)) {
       // If all valid methods are included in `method` then .all shorthand was most likely used
       if (methods.every(m => method.includes(m))) {
-        const routeInfo = createRouteInfo('all', path, fullyDeclared, type);
+        const routeInfo = createRouteInfo('all', path, fullyDeclared, type, handler);
         routeCoverage.discover(routeInfo);
         patchHandler(routeObj, handle, routeInfo);
       } else {
         method.forEach((verb) => {
-          const routeInfo = createRouteInfo(verb, path, fullyDeclared, type);
+          const routeInfo = createRouteInfo(verb, path, fullyDeclared, type, handler);
           routeCoverage.discover(routeInfo);
           patchHandler(routeObj, handle, routeInfo);
         });
       }
     } else {
-      const routeInfo = createRouteInfo(method, path, fullyDeclared, type);
+      const routeInfo = createRouteInfo(method, path, fullyDeclared, type, handler);
       routeCoverage.discover(routeInfo);
       patchHandler(routeObj, handle, routeInfo);
     }
   }
 
-  return core.routeCoverage.fastify = {
+  return core.routeCoverage.fastifyCore = {
     install() {
       /**
        * There are some subtle differences between fastify minor versions the instrumentation must account for
@@ -158,7 +158,7 @@ module.exports = function init(core) {
                   let handle = 'handler';
                   if (!handler && typeof options === 'function') handle = 'options';
 
-                  discoverAndPatch(method, path, routeObj ? data.args[0] : data.args, handle, fastifyMethods, false);
+                  discoverAndPatch(method, path, routeObj ? data.args[0] : data.args, handle, options || handler, fastifyMethods, false);
                 }
               });
 
@@ -175,7 +175,7 @@ module.exports = function init(core) {
 
                   const prefix = getPrefix(data.obj);
                   const path = prefix ? prefix + url : url;
-                  discoverAndPatch(method, path, routeArgs, 'handler', fastifyMethods, true);
+                  discoverAndPatch(method, path, routeArgs, 'handler', handler, fastifyMethods, true);
                 }
               });
             }

package/lib/install/{express → fastify}/index.js

@@ -18,14 +18,15 @@
 const { callChildComponentMethodsSync } = require('@contrast/common');
 
 module.exports = function(core) {
-  const expressRouteCoverage = core.routeCoverage.express = {
+  const fastifyRouteCoverage = core.routeCoverage.fastify = {
     install() {
-      callChildComponentMethodsSync(expressRouteCoverage, 'install');
+      callChildComponentMethodsSync(fastifyRouteCoverage, 'install');
     },
   };
 
-  require('./express4')(core);
-  require('./express5')(core);
+  require('./fastify')(core);
+  require('./fastify-express')(core);
+  require('./fastify-middie')(core);
 
-  return expressRouteCoverage;
+  return fastifyRouteCoverage;
 };

package/lib/install/koa.js

@@ -15,28 +15,15 @@
 'use strict';
 
 const { METHODS } = require('./../utils/methods');
-const { isString, primordials: { StringPrototypeToLowerCase, StringPrototypeSplit } } = require('@contrast/common');
-const { createSignature, patchType } = require('./../utils/route-info');
+const { isString, RouteType, primordials: { StringPrototypeToLowerCase, StringPrototypeSplit } } = require('@contrast/common');
+const { patchType, formatHandler } = require('./../utils/route-info');
 
 // Spec: https://contrast.atlassian.net/wiki/spaces/NOD/pages/3454861621/Node.js+Agent+Route+Signatures#Koa
 module.exports = function init(core) {
   const { patcher, depHooks, routeCoverage } = core;
-
-  function createRouteInfo(method, url) {
-    method = StringPrototypeToLowerCase.call(method);
-    const routeInfo = {
-      signature: createSignature(url, method),
-      url,
-      method,
-      normalizedUrl: url,
-      framework: 'koa'
-    };
-    return routeInfo;
-  }
-
   return core.routeCoverage.koa = {
     install() {
-      depHooks.resolve({ name: 'koa', version: '>=2.3.0 <4' }, (Koa) => {
+      depHooks.resolve({ name: 'koa', version: '>=2.3.0 <4' }, (Koa, pkgMeta) => {
         // Koa uses its own routing library @koa/router to define routes before
         // mounting them on the app with .use so instrumenting use and traversing
         // the constructed routes is the more technically correct approach than
@@ -48,40 +35,47 @@ module.exports = function init(core) {
             if (args?.length === 0) return;
             const [router] = args;
 
-            if (!router?.router) return;
+            if (!router?.router) {
+              core.logger.debug('no routes detected in koa router stack: %s@%s', pkgMeta.name, pkgMeta.version);
+              return;
+            }
 
             router.router.stack.forEach((Layer) => {
-              const { methods, path } = Layer;
-              if (!path || !isString(path)) return;
+              const { methods, path, stack } = Layer;
+              if (!path || !isString(path) || !stack || stack.length === 0) return;
 
-              let routeInfo;
-              if (methods.length === 0) {
-                routeInfo = createRouteInfo('use', path);
-                routeCoverage.discover(routeInfo);
-              } else if (METHODS.every(m => methods.includes(m))) {
-                // If a route was defined using .all this methods property will be an
-                // array of all methods supported by Koa
-                routeInfo = createRouteInfo('all', path);
+              const patchedMiddleware = [];
+              stack.forEach((handler) => {
+                const method = methods.length === 0 ? 'use' : METHODS.every(m => methods.includes(m)) ? 'all' : StringPrototypeToLowerCase.call(methods[methods.length - 1]);
+                if (method === 'use' && !core.config.getEffectiveValue('assess.report_middleware_routes')) return;
+                const routeInfo = {
+                  signature: `Router.${method}(${path}, ${formatHandler(handler)})`,
+                  method,
+                  url: path,
+                  normalizedUrl: path,
+                  framework: 'koa',
+                  type: method === 'use' ? RouteType.MIDDLEWARE : RouteType.HTTP
+                };
                 routeCoverage.discover(routeInfo);
-              } else {
-                methods.forEach((method) => {
-                  routeInfo = createRouteInfo(method, path);
-                  routeCoverage.discover(routeInfo);
-                });
-              }
+                const patchedHandler = patcher.patch(handler, {
+                  name: 'handler',
+                  patchType,
+                  pre(data) {
+                    const { request } = data.args[0];
+                    if (!request) return;
 
-              if (!Layer.stack || Layer.stack.length === 0) return;
-              async function observationMiddleware(ctx, next) {
-                if (!ctx.request) return;
-                const { url: reqUrl, method } = ctx.request;
-                const [url] = StringPrototypeSplit.call(reqUrl, /\?/);
-                routeCoverage.observe({ ...routeInfo, url, method: StringPrototypeToLowerCase.call(method) });
-                await next();
-              }
-              // If two routes share middleware, the same stack is used
-              // To add our observation middleware without adding them to all routes
-              // we need to create a shallow copy
-              Layer.stack = [observationMiddleware, ...Layer.stack];
+                    const { method, url } = request;
+                    if (!method | !url) return;
+                    routeCoverage.observe({
+                      ...routeInfo,
+                      method: StringPrototypeToLowerCase.call(method),
+                      url: StringPrototypeSplit.call(url, /\?/)[0]
+                    });
+                  }
+                });
+                patchedMiddleware.push(patchedHandler);
+              });
+              Layer.stack = patchedMiddleware;
             });
           }
         });

package/lib/utils/route-info.js

@@ -15,6 +15,8 @@
 'use strict';
 
 const patchType = 'route-coverage';
+const { funcInfo } = require('@contrast/fn-inspect');
+const { primordials: { StringPrototypeReplace, StringPrototypeSubstring } } = require('@contrast/common');
 
 /**
  * Creates a formatted "signature" for a route
@@ -28,4 +30,27 @@ function createSignature(path, method = '', obj = 'Router', handler = '[Function
   return `${obj}.${method}('${path}', ${handler})`;
 }
 
-module.exports = { createSignature, patchType };
+/**
+ * Creates a formatted handler signature for a route
+ * @param {function} handler
+ * @param {string} appDir
+ * @return {string} formatted handler
+ */
+function formatHandler(handler, appDir) {
+  const info = funcInfo(handler);
+  if (!info) return '[Function]';
+
+  let file = info.file ?
+    StringPrototypeReplace.call(info.file, appDir, '') :
+    '';
+  if (file.length > 30) {
+    file = `...${StringPrototypeSubstring.call(file, file.length - 40)}`;
+  }
+  const handlerName = info.method || handler.name || 'anonymous';
+  const formattedHandler = (file && Number.isFinite(info.lineNumber) && Number.isFinite(info.column)) ?
+    `[${handlerName} ${file} ${info.lineNumber}:${info.column}]` :
+    `[Function: ${handlerName}]`; // what util.inspect(handler) would return
+  return formattedHandler;
+}
+
+module.exports = { createSignature, patchType, formatHandler };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/route-coverage",
-  "version": "1.51.0",
+  "version": "1.52.0",
   "description": "Handles route discovery and observation",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -21,13 +21,13 @@
   },
   "dependencies": {
     "@contrast/common": "1.38.0",
-    "@contrast/config": "1.54.0",
-    "@contrast/core": "1.59.0",
-    "@contrast/dep-hooks": "1.28.0",
+    "@contrast/config": "1.54.1",
+    "@contrast/core": "1.59.1",
+    "@contrast/dep-hooks": "1.28.1",
     "@contrast/fn-inspect": "^5.0.2",
-    "@contrast/logger": "1.32.0",
-    "@contrast/patcher": "1.31.0",
-    "@contrast/scopes": "1.29.0",
+    "@contrast/logger": "1.32.1",
+    "@contrast/patcher": "1.31.1",
+    "@contrast/scopes": "1.29.1",
     "semver": "^7.6.0"
   }
 }

package/lib/install/express/express4.js

@@ -1,157 +0,0 @@
-/*
- * Copyright: 2025 Contrast Security, Inc
- * Contact: support@contrastsecurity.com
- * License: Commercial
-
- * NOTICE: This Software and the patented inventions embodied within may only be
- * used as part of Contrast Security’s commercial offerings. Even though it is
- * made available through public repositories, use of this Software is subject to
- * the applicable End User Licensing Agreement found at
- * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
- * between Contrast Security and the End User. The Software may not be reverse
- * engineered, modified, repackaged, sold, redistributed or otherwise used in a
- * way not consistent with the End User License Agreement.
- */
-'use strict';
-
-const METHODS = [
-  'all',
-  'get',
-  'post',
-  'put',
-  'delete',
-  'patch',
-  'options',
-  'head',
-];
-
-const fnInspect = require('@contrast/fn-inspect');
-const { createSignature, patchType } = require('../../utils/route-info');
-const { isString, primordials: { ArrayPrototypeJoin, StringPrototypeToLowerCase, StringPrototypeReplace, StringPrototypeReplaceAll, StringPrototypeSplit, StringPrototypeSlice } } = require('@contrast/common');
-
-// Spec: https://contrast.atlassian.net/wiki/spaces/NOD/pages/3454861621/Node.js+Agent+Route+Signatures#Express
-module.exports = function init(core) {
-  const { patcher, depHooks, routeCoverage } = core;
-  const discover = (route) => routeCoverage.discover(route);
-  const observe = (route) => routeCoverage.observe(route);
-
-  const isRoute = (layer) => !!layer.route;
-  const isRouter = (layer) => layer.name && StringPrototypeToLowerCase.call(layer.name) === 'router';
-  const isValidPath = (path) => isString(path) || Array.isArray(path) || path instanceof RegExp;
-  const getHandleMethod = (layer) => fnInspect.funcInfo(layer.__handle)?.file.includes('express-async-errors') ? '__handle' : 'handle';
-  const getLastLayer = (router) => router?.stack[router.stack.length - 1];
-
-  function regExpToPath(regex) {
-    if (regex.source) {
-      let [path] = StringPrototypeSplit.call(regex?.source, '/?');
-      path = StringPrototypeReplaceAll.call(path, '\\', '');
-      path = StringPrototypeReplace.call(path, '^', '');
-      return path;
-    }
-  }
-
-  function format(url) {
-    if (Array.isArray(url)) {
-      return `/[${ArrayPrototypeJoin.call(url)}]`;
-    } else if (url instanceof RegExp) {
-      return `/{${StringPrototypeSlice.call(url.toString(), 1, -1)}}`;
-    } else {
-      return url;
-    }
-  }
-
-  function parseRoute(route) {
-    const { path } = route;
-    const method = route.methods._all ? 'all' : route.stack[0].method;
-    return { url: format(path), method };
-  }
-
-
-  function createRouteInfo(url, method, obj) {
-    return {
-      signature: createSignature(url, method, obj),
-      url,
-      normalizedUrl: url,
-      method,
-      framework: 'express'
-    };
-  }
-
-  function patchHandle(layer, routeInfo) {
-    const handle = getHandleMethod(layer);
-    patcher.patch(layer, handle, {
-      name: 'express.Route.handle',
-      patchType,
-      post({ args }) {
-        const [req] = args;
-        const [url] = StringPrototypeSplit.call(req.originalUrl, '?');
-        const { method } = req;
-        if (url && method) {
-          observe({ ...routeInfo, url, method: StringPrototypeToLowerCase.call(method) });
-        }
-      }
-    });
-  }
-
-  function traverse(stack, path = '', depth = 0) {
-    path = format(path);
-    stack.forEach((layer) => {
-      if (isRoute(layer)) {
-        const { url, method } = parseRoute(layer.route);
-        const routeInfo = createRouteInfo(path + url, method);
-        discover(routeInfo);
-        patchHandle(layer, routeInfo);
-      } else if (isRouter(layer)) {
-        const regexPath = regExpToPath(layer.regexp);
-        if (depth < 3) traverse(layer.handle.stack, path + regexPath, depth += 1);
-      } else {
-        const regexPath = regExpToPath(layer.regexp);
-        const routeInfo = createRouteInfo(path + regexPath, 'use');
-        discover(routeInfo);
-        patchHandle(layer, routeInfo);
-      }
-    });
-  }
-  return core.routeCoverage.express4 = {
-    install() {
-      depHooks.resolve({ name: 'express', version: '>=4 <5' }, (express) => {
-        patcher.patch(express.application, 'use', {
-          name: 'express.application.use',
-          patchType,
-          post({ args, result }) {
-            const len = args.length;
-            const fn = args[len - 1];
-            const path = len > 1 ? args[0] : undefined;
-            if (path && !isValidPath(path)) return;
-            const handlers = Array.isArray(fn) ? fn : [fn];
-            handlers.forEach((layer) => {
-              if (isRouter(layer)) {
-                traverse(layer.stack, path);
-              } else if (path) {
-                const routeInfo = createRouteInfo(format(path), 'use', 'App');
-                discover(routeInfo);
-                const lastLayer = getLastLayer(result._router);
-                if (lastLayer) patchHandle(lastLayer, routeInfo);
-              }
-            });
-          }
-        });
-
-        METHODS.forEach((method) => {
-          patcher.patch(express.application, method, {
-            name: `express.application.${method}`,
-            patchType,
-            post({ args, result }) {
-              const [url, fn] = args;
-              if (!url || !fn || !isValidPath(url)) return;
-              const routeInfo = createRouteInfo(format(url), method, 'App');
-              discover(routeInfo);
-              const lastLayer = getLastLayer(result._router);
-              if (lastLayer) patchHandle(lastLayer, routeInfo);
-            }
-          });
-        });
-      });
-    }
-  };
-};