@contrast/route-coverage 1.51.0 → 1.53.0

package/lib/install/fastify/fastify-middie.js

@@ -0,0 +1,67 @@
+/*
+ * Copyright: 2025 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+
+const { RouteType } = require('@contrast/common');
+const { patchType, formatHandler } = require('./../../utils/route-info');
+const isArray = (arr) => Array.isArray(arr);
+module.exports = function init(core) {
+  const { patcher, depHooks, routeCoverage } = core;
+
+  return core.routeCoverage.fastifyMiddie = {
+    install() {
+      depHooks.resolve({ name: '@fastify/middie', version: '*', file: 'lib/engine.js' }, (middie) => patcher.patch(middie, {
+        name: 'fastifyMiddie',
+        patchType,
+        post(data) {
+          patcher.patch(data.result, 'use', {
+            name: 'use',
+            patchType,
+            pre(data) {
+              const [url, fn] = data.args;
+              if (!url || !fn || !core.config.getEffectiveValue('assess.report_middleware_routes')) return;
+
+              const middleware = isArray(fn) ? fn : [fn];
+              const formattedPath = isArray(url) ? `[${url.join(', ')}]` : url;
+              const patchedMiddleware = middleware.map((f) => {
+                const formattedHandler = formatHandler(f);
+                const signature = `fastify.use(${formattedPath}, ${formattedHandler})`;
+
+                const routeInfo = {
+                  signature,
+                  url: formattedPath,
+                  method: 'use',
+                  normalizedUrl: formattedPath,
+                  type: RouteType.MIDDLEWARE,
+                  framework: 'fastify'
+                };
+                routeCoverage.discover(routeInfo);
+
+                return patcher.patch(f, {
+                  name: 'middleware',
+                  patchType,
+                  post() {
+                    routeCoverage.observe(routeInfo);
+                  }
+                });
+              });
+              data.args[1] = patchedMiddleware;
+            }
+          });
+        }
+      }));
+    }
+  };
+};

package/lib/install/{fastify.js → fastify/fastify.js}

@@ -14,12 +14,12 @@
  */
 'use strict';
 
-const { getFastifyMethods } = require('../utils/methods');
+const { getFastifyMethods } = require('../../utils/methods');
 const {
   primordials: { StringPrototypeToLowerCase, StringPrototypeSplit },
   RouteType,
 } = require('@contrast/common');
-const { patchType } = require('./../utils/route-info');
+const { patchType, formatHandler } = require('./../../utils/route-info');
 
 // Spec: https://contrast.atlassian.net/wiki/spaces/NOD/pages/3454861621/Node.js+Agent+Route+Signatures#Fastify
 module.exports = function init(core) {
@@ -38,12 +38,12 @@ module.exports = function init(core) {
     return route?.[kRoutePrefix];
   }
 
-  function createRouteInfo(method, url, fullyDeclared, type) {
+  function createRouteInfo(method, url, fullyDeclared, type, handler) {
     method = StringPrototypeToLowerCase.call(method);
 
     const signature = fullyDeclared
-      ? `fastify.route({ method: '${method}', url: '${url}', handler: [Function] })`
-      : `fastify.${method}('${url}', [Function])`;
+      ? `fastify.route({ method: ${method}, url: ${url}, handler: ${formatHandler(handler)} })`
+      : `fastify.${method}(${url}, ${formatHandler(handler)})`;
 
     const routeInfo = {
       signature,
@@ -89,30 +89,30 @@ module.exports = function init(core) {
     }
   }
 
-  function discoverAndPatch(method, path, routeObj, handle, methods, fullyDeclared) {
+  function discoverAndPatch(method, path, routeObj, handle, handler, methods, fullyDeclared) {
     const type = routeObj?.options?.websocket ? RouteType.MESSAGE_BROKER : RouteType.HTTP;
 
     if (Array.isArray(method)) {
       // If all valid methods are included in `method` then .all shorthand was most likely used
       if (methods.every(m => method.includes(m))) {
-        const routeInfo = createRouteInfo('all', path, fullyDeclared, type);
+        const routeInfo = createRouteInfo('all', path, fullyDeclared, type, handler);
         routeCoverage.discover(routeInfo);
         patchHandler(routeObj, handle, routeInfo);
       } else {
         method.forEach((verb) => {
-          const routeInfo = createRouteInfo(verb, path, fullyDeclared, type);
+          const routeInfo = createRouteInfo(verb, path, fullyDeclared, type, handler);
           routeCoverage.discover(routeInfo);
           patchHandler(routeObj, handle, routeInfo);
         });
       }
     } else {
-      const routeInfo = createRouteInfo(method, path, fullyDeclared, type);
+      const routeInfo = createRouteInfo(method, path, fullyDeclared, type, handler);
       routeCoverage.discover(routeInfo);
       patchHandler(routeObj, handle, routeInfo);
     }
   }
 
-  return core.routeCoverage.fastify = {
+  return core.routeCoverage.fastifyCore = {
     install() {
       /**
        * There are some subtle differences between fastify minor versions the instrumentation must account for
@@ -158,7 +158,7 @@ module.exports = function init(core) {
                   let handle = 'handler';
                   if (!handler && typeof options === 'function') handle = 'options';
 
-                  discoverAndPatch(method, path, routeObj ? data.args[0] : data.args, handle, fastifyMethods, false);
+                  discoverAndPatch(method, path, routeObj ? data.args[0] : data.args, handle, options || handler, fastifyMethods, false);
                 }
               });
 
@@ -175,7 +175,7 @@ module.exports = function init(core) {
 
                   const prefix = getPrefix(data.obj);
                   const path = prefix ? prefix + url : url;
-                  discoverAndPatch(method, path, routeArgs, 'handler', fastifyMethods, true);
+                  discoverAndPatch(method, path, routeArgs, 'handler', handler, fastifyMethods, true);
                 }
               });
             }

package/lib/install/{express → fastify}/index.js

@@ -18,14 +18,15 @@
 const { callChildComponentMethodsSync } = require('@contrast/common');
 
 module.exports = function(core) {
-  const expressRouteCoverage = core.routeCoverage.express = {
+  const fastifyRouteCoverage = core.routeCoverage.fastify = {
     install() {
-      callChildComponentMethodsSync(expressRouteCoverage, 'install');
+      callChildComponentMethodsSync(fastifyRouteCoverage, 'install');
     },
   };
 
-  require('./express4')(core);
-  require('./express5')(core);
+  require('./fastify')(core);
+  require('./fastify-express')(core);
+  require('./fastify-middie')(core);
 
-  return expressRouteCoverage;
+  return fastifyRouteCoverage;
 };

package/lib/install/hapi.js

@@ -12,76 +12,139 @@
  * engineered, modified, repackaged, sold, redistributed or otherwise used in a
  * way not consistent with the End User License Agreement.
  */
+// @ts-check
 'use strict';
 
-const { primordials: { StringPrototypeToLowerCase } } = require('@contrast/common');
-const { patchType } = require('./../utils/route-info');
+const { AsyncLocalStorage } = require('node:async_hooks');
+const { RouteType, set } = require('@contrast/common');
+const { Core } = require('@contrast/core/lib/ioc/core');
+const { formatHandler, patchType } = require('../utils/route-info');
 
-// Spec: https://contrast.atlassian.net/wiki/spaces/NOD/pages/3454861621/Node.js+Agent+Route+Signatures#Hapi
-module.exports = function init(core) {
-  const { patcher, depHooks, routeCoverage } = core;
+/**
+ * The hapi `Route` class from lib/route.js is not defined or exported.
+ * @typedef {Object} Route
+ * @property {boolean} _special internal hapi property for special routes
+ * @property {string} method
+ * @property {string} path
+ * @property {Object} settings
+ * @property {(request: { method: string, path: string}) => any} settings.handler set by the Route constructor
+ */
+
+class HapiRouteCoverage {
+  /**
+   * @param {import('..').Core & {
+   *  routeCoverage: import('..').RouteCoverage;
+   * }} core
+   */
+  constructor(core) {
+    set(core, 'routeCoverage.hapi', this);
+    this.core = core;
+    this.depHooks = core.depHooks;
+    this.patcher = core.patcher;
+    this.routeCoverage = core.routeCoverage;
+    this.registerScope = new AsyncLocalStorage();
+  }
 
-  const createSignature = (method, url) => `server.route({ method: '${method}', path: '${url}', handler: [Function] })`;
-  function emitRouteCoverage(url, method) {
-    method = StringPrototypeToLowerCase.call(method);
-    const event = {
-      signature: createSignature(method, url),
-      url,
-      method,
-      normalizedUrl: url,
-      framework: 'hapi'
-    };
-    routeCoverage.discover(event);
+  install() {
+    this.depHooks.resolve(
+      { name: '@hapi/hapi', version: '>=18 <22', file: 'lib/server.js' },
+      /** @param {typeof import('@hapi/hapi').Server} Server */
+      (Server) => this.patchServer(Server),
+    );
+    this.depHooks.resolve(
+      { name: '@hapi/hapi', version: '>=18 <22', file: 'lib/route.js' },
+      /** @param {abstract new () => Route} Route */
+      (Route) => this.patchRoute(Route),
+    );
   }
 
-  return core.routeCoverage.hapi = {
-    install() {
-      return depHooks.resolve({ name: '@hapi/hapi', version: '>=18 <22' }, (hapi) => {
-        ['server', 'Server'].forEach((server) => {
-          patcher.patch(hapi, server, {
-            name: `hapi.${server}`,
-            patchType,
-            post(data) {
-              patcher.patch(data.result._core.router, 'add', {
-                name: '_core.router.add',
-                patchType,
-                post(data) {
-                  if (!data.args[0] || !data.result) return;
+  /**
+   * Spec: https://contrast.atlassian.net/wiki/spaces/NOD/pages/3454861621/Node.js+Agent+Route+Signatures#Hapi
+   * @param {Route} route
+   */
+  createSignature(route) {
+    const handler = formatHandler(this.patcher.unwrap(route.settings.handler));
+    return `server.route({ method: '${route.method}', path: '${route.path}', handler: ${handler} })`;
+  }
+
+  /** @param {typeof import('@hapi/hapi').Server} Server */
+  patchServer(Server) {
+    const self = this;
+    return this.patcher.patch(Server, {
+      name: 'hapi.Server',
+      patchType,
+      post({ result: server }) {
+        self.patcher.patch(server, 'register', {
+          name: 'server.register',
+          patchType,
+          around(next) {
+            if (self.registerScope.getStore()) return next();
+            return self.registerScope.run({ isMiddleware: true }, next);
+          },
+        });
+      },
+    });
+  }
 
-                  const [{ method, path }] = data.args;
-                  if (!method || !path) return;
+  /**
+   * @param {Route} route
+   * @param {string} signature
+   * @param {RouteType} type
+   */
+  patchRouteHandler(route, signature, type) {
+    const self = this;
+    this.patcher.patch(route.settings, 'handler', {
+      name: 'route.settings.handler',
+      patchType,
+      // this needs to be in a pre-hook so that the route
+      // data is in the store before our dataflow hooks run
+      pre({ args: [request] }) {
+        self.routeCoverage.observe({
+          signature,
+          method: request.method,
+          url: request.path,
+          normalizedUrl: route.path, // should also be defined at `request.route.path`
+          framework: 'hapi',
+          type,
+        });
+      },
+    });
+  }
 
-                  if (Array.isArray(method)) {
-                    method.forEach((verb) => {
-                      emitRouteCoverage(path, verb);
-                    });
-                  } else {
-                    emitRouteCoverage(path, method);
-                  }
+  /**
+   * @param {abstract new () => Route} Route
+   */
+  patchRoute(Route) {
+    const self = this;
+    return this.patcher.patch(Route, {
+      name: 'hapi.Route',
+      patchType,
+      post({ result: route }) {
+        if (route._special) return; // skip special internal routes
+        const signature = self.createSignature(route);
+        const type = self.registerScope.getStore()?.isMiddleware ? RouteType.MIDDLEWARE : RouteType.HTTP;
 
-                  patcher.patch(data.result.route.settings, 'handler', {
-                    name: 'route.settings.handler',
-                    patchType,
-                    // this needs to be in a pre-hook so that the route
-                    // data is in the store before our dataflow hooks run
-                    pre({ args }) {
-                      const [{ method, path: url, route }] = args;
-                      //TODO: Will this signature always be associated with an existing route?
-                      const signature = createSignature(method, path);
-                      routeCoverage.observe({
-                        signature,
-                        url,
-                        method: StringPrototypeToLowerCase.call(method),
-                        normalizedUrl: route.path,
-                      });
-                    }
-                  });
-                }
-              });
-            }
-          });
+        self.routeCoverage.discover({
+          signature,
+          method: route.method,
+          url: route.path,
+          normalizedUrl: route.path,
+          framework: 'hapi',
+          type,
         });
-      });
-    }
-  };
-};
+
+        self.patchRouteHandler(route, signature, type);
+      },
+    });
+  }
+}
+
+module.exports = Core.makeComponent({
+  name: 'routeCoverage.hapi',
+  /**
+   * @param {import('..').Core & {
+   *  routeCoverage: import('..').RouteCoverage;
+   * }} core
+   */
+  factory: (core) => new HapiRouteCoverage(core),
+});

package/lib/install/koa.js

@@ -15,28 +15,15 @@
 'use strict';
 
 const { METHODS } = require('./../utils/methods');
-const { isString, primordials: { StringPrototypeToLowerCase, StringPrototypeSplit } } = require('@contrast/common');
-const { createSignature, patchType } = require('./../utils/route-info');
+const { isString, RouteType, primordials: { StringPrototypeToLowerCase, StringPrototypeSplit } } = require('@contrast/common');
+const { patchType, formatHandler } = require('./../utils/route-info');
 
 // Spec: https://contrast.atlassian.net/wiki/spaces/NOD/pages/3454861621/Node.js+Agent+Route+Signatures#Koa
 module.exports = function init(core) {
   const { patcher, depHooks, routeCoverage } = core;
-
-  function createRouteInfo(method, url) {
-    method = StringPrototypeToLowerCase.call(method);
-    const routeInfo = {
-      signature: createSignature(url, method),
-      url,
-      method,
-      normalizedUrl: url,
-      framework: 'koa'
-    };
-    return routeInfo;
-  }
-
   return core.routeCoverage.koa = {
     install() {
-      depHooks.resolve({ name: 'koa', version: '>=2.3.0 <4' }, (Koa) => {
+      depHooks.resolve({ name: 'koa', version: '>=2.3.0 <4' }, (Koa, pkgMeta) => {
         // Koa uses its own routing library @koa/router to define routes before
         // mounting them on the app with .use so instrumenting use and traversing
         // the constructed routes is the more technically correct approach than
@@ -48,40 +35,47 @@ module.exports = function init(core) {
             if (args?.length === 0) return;
             const [router] = args;
 
-            if (!router?.router) return;
+            if (!router?.router) {
+              core.logger.debug('no routes detected in koa router stack: %s@%s', pkgMeta.name, pkgMeta.version);
+              return;
+            }
 
             router.router.stack.forEach((Layer) => {
-              const { methods, path } = Layer;
-              if (!path || !isString(path)) return;
+              const { methods, path, stack } = Layer;
+              if (!path || !isString(path) || !stack || stack.length === 0) return;
 
-              let routeInfo;
-              if (methods.length === 0) {
-                routeInfo = createRouteInfo('use', path);
-                routeCoverage.discover(routeInfo);
-              } else if (METHODS.every(m => methods.includes(m))) {
-                // If a route was defined using .all this methods property will be an
-                // array of all methods supported by Koa
-                routeInfo = createRouteInfo('all', path);
+              const patchedMiddleware = [];
+              stack.forEach((handler) => {
+                const method = methods.length === 0 ? 'use' : METHODS.every(m => methods.includes(m)) ? 'all' : StringPrototypeToLowerCase.call(methods[methods.length - 1]);
+                if (method === 'use' && !core.config.getEffectiveValue('assess.report_middleware_routes')) return;
+                const routeInfo = {
+                  signature: `Router.${method}(${path}, ${formatHandler(handler)})`,
+                  method,
+                  url: path,
+                  normalizedUrl: path,
+                  framework: 'koa',
+                  type: method === 'use' ? RouteType.MIDDLEWARE : RouteType.HTTP
+                };
                 routeCoverage.discover(routeInfo);
-              } else {
-                methods.forEach((method) => {
-                  routeInfo = createRouteInfo(method, path);
-                  routeCoverage.discover(routeInfo);
-                });
-              }
+                const patchedHandler = patcher.patch(handler, {
+                  name: 'handler',
+                  patchType,
+                  pre(data) {
+                    const { request } = data.args[0];
+                    if (!request) return;
 
-              if (!Layer.stack || Layer.stack.length === 0) return;
-              async function observationMiddleware(ctx, next) {
-                if (!ctx.request) return;
-                const { url: reqUrl, method } = ctx.request;
-                const [url] = StringPrototypeSplit.call(reqUrl, /\?/);
-                routeCoverage.observe({ ...routeInfo, url, method: StringPrototypeToLowerCase.call(method) });
-                await next();
-              }
-              // If two routes share middleware, the same stack is used
-              // To add our observation middleware without adding them to all routes
-              // we need to create a shallow copy
-              Layer.stack = [observationMiddleware, ...Layer.stack];
+                    const { method, url } = request;
+                    if (!method | !url) return;
+                    routeCoverage.observe({
+                      ...routeInfo,
+                      method: StringPrototypeToLowerCase.call(method),
+                      url: StringPrototypeSplit.call(url, /\?/)[0]
+                    });
+                  }
+                });
+                patchedMiddleware.push(patchedHandler);
+              });
+              Layer.stack = patchedMiddleware;
             });
           }
         });