Node.js agent release notes

Remediated CVE-2020-7596 by removing the codecov dependency from node-agent (DEV Dependency).

Added improved logging when an unsupported version of npm is installed in the app being instrumented.

Decrease highlighting to just tainted string when reported sink argument is a query object. (SUP-3889)

Added improved logging when an unsupported version of npm is installed in the app being instrumented.

When Protect mode is enabled, multipart/form-data throws exception when headers are removed. (SUP-3817)

Remediated CVE-2021-43138 by updating ejs to a safe version in node-agent, this was a DEV Dependency and was not a true vulnerability. (NODE - 2352)

Removed winston-syslog from the agent's bundled dependencies, this was being flagged as having a CVE.

Fixed false-negative of Server-Side Request Forgery (SSRF) for request npm package. (SUP-3829)

Incorrect highlighting displayed for Node.js vulnerabilities under Overview in the Contrast web interface. (SUP-3717, 2927)

When running an application with pm2 on cluster mode and the CONTRAST_CONFIG_PATH provided as an environment variable, the agent reads the CONTRAST_CONFIG_PATH value from contrast_security.yaml instead of the environment variable.

Implemented support for the ref() function when Joi validation is unknown because of untracked target

The hooks for mongodb-core are “replicated” to hook mongodb from version 3.3.0 and later

Added support for PM2 running in both fork and cluster modes.

New config option assess.enable_lazy_tracking for Contrast Node.js 4.X. The default is true and must be set to false to use Fastify http/2.

Rewriter not wrapping file contents in "module wrap" IIFE. (SUP-3732)

The lib/util/trace-util getRequest always returns undefined if sampling is disabled. (NODE-2351)

Custom fastify-static allowedPath path-traversal validator.

Remediated CVE-2021-43138 (Prototype Pollution in async Winston bump).

__import methods can cause an error when the imported module is not yet resolved. (NODE-2341)

ESM loader hooks still operate when agent is disabled. (NODE-2340)

Remediated CVE-2021-43138 (update async dev dependency to a safe version in node-agent).

Remediated CVE-2022-24785 (update moment dependency to a safe version in node-agent, remediating path traversal vulnerability).

Added support for DyanmoDB PartiQL (Assess only).

Fixed deadlinks in NPM agent readme. (Node-2297)

Contrast Service updated to 2.28.19. This resolves CVE-2021-38561.

Remediated CVE-2021-44906 (for minimalist npm library).

Added support for validator.matches() as a custom validator.

Upgraded to  agent-lib 2.2.4.

Added support for MySQL2 library 2.0.0 and later.

False negative occurs when SQL query template contains untrusted data. (SUP-3568)

Remediated CVE-2021-44906 (for minimalist npm library).

Contrast Service updated to 2.28.17.

Remediated CVE-2021-44906 (for minimalist npm library).

Path traversal false negative. (SUP-3558)

Agent tries to rewrite ESM files twice. (NODE-2217)

Remediated CVE-2022-0536 (follow-redirects to a safe version in node-agent)

Remediated CVE-2022-0686 (url-parse to a safe version in node-agent)

Added warning message to CLI-rewriter logging (or stdout)

Added support for hardcoded-key and hardcoded-password vulnerabilities when using CLI-rewriter feature.

Support for ESM syntax (import statements) for Node.js 14 and 16 LTS

New Protect native input analysis processing with:

Agent is ocassionally throwing error: TypeError: Cannot read property 'getAllParents' of null. (SUP-3611)

Rewrite cache path is built incorrectly when mode isn't explicitly set in config. (NODE-2180)

Proxy authentication information showing in logs. (SPEED-1056)

ReThinkDB results in SQLi false negative due to failed instrumentation during propagation. (NODE-2150)

False negative causing Server Side Request Forgery. (NODE-2130)

When parsing the body on the Sails framework, the agent occasionally hangs indefinitely on post requests. (NODE-2125)

Upgraded Contrast service 2.28.12 is bundled with this agent version.

Added support for custom Assess data validation using Mongoose or Joi.

Added support for MongoDB key object expansion Protect rule.

During CLI transpilation, the Node agent no longer logs data if there is no network connectivity or connection to Contrast. (NODE-2083)

When working with large JSON objects, users experience significant Assess performance regressions introduced in Node.js agent 4.9.1. (NODE-2086)

Contrast Service version 2.28.9 is now bundled with the Node.js agent.

When the local YAML configuration and environment variables are set, the Contrast service does not prioritize configuration values as indicated in the order of precedence. (NODE-2084)

When rewrite caching is enabled, the stack trace no longer repeats and writes the correct filename. (NODE-2065)

Contrast Node.js agent version 4.9.0 was non-installable due to a build dependency that requires package-lock.json file. Version 4.9.1 is patched not to require that dependency.

Remediated CVE-2020-7596 by removing codecov dependency from the node-agent (DEV Dependency).

Remediated CVE-2021-43138 (Prototype Pollution in async Winston bump).

Remediated CVE-2021-43138 (update async dev dependency to a safe version in node-agent).

Remediated CVE-2022-24785 (update moment dependency to a safe version in node-agent, remediating path traversal vulnerability).

Remediated CVE-2021-44906 (for minimalist npm library).

Contrast Service updated to 2.28.17.

Remediated CVE-2021-44906 (for minimalist npm library).

Upgraded Contrast service 2.28.12 is bundled with this agent version.

Contrast service version 2.28.9 is now packaged with the Node.js agent.

When the local YAML configuration and environment variables are set, the Node.js agent does not prioritize configuration values as indicated in the order of precedence. (NODE-2084)

Contrast service version 2.28.4 packaged with the Node.js agent

Added Joi support for ref() where reference target is an object.

The stacktrace limit default was set to 10 (previously it was set to 25).

Added Joi support for ref() where reference target is an object.

Added support for Dust.js template engine.

Implicit tagging of numeric input causes false negatives. (Node-2005)

Refactored logic around sanitizers that causes wrong tags.

When an application has been rewritten with Babel and the @babel/runtime helpers have been injected, the application fails to start. (Node-1956)

Added AWS-SDK version 3 DynamoDB to the flow map.

Improved tracking of vulnerabilities through path functions.

Bluebird is causing vulnerabilities to be attributed to the incorrect route. (NODE-1892)

Support for Mustache template engine version 4.x. (version 3 and version 4 of agent)

Specify module supported versions explicitly as a WARN in logs.

Fixes to the path.normalize Assess functionality. (NODE-1830)

Node 16 LTS support.

New configuration flag for “turbo” protect performance.

When there are NoSQL vuln on GET requests from two routes, the vulnerability is not reported. (NODE-1900)

"Propagator micro-optimizations" causes performance issue. (NODE-1913)

CVE-2021-3795 upgrade semver-regex to latest (v3.1.3) in node-require-hook

CVE-2021-3795 upgrade semver-regex to latest (v3.1.3) in node-fn-inspect

CVE-2021-3807 bump ansi-regex dependency in node-agent repo (from 2.1.1 to 6.0.1)

CVE-2020-26301 bump ssh2 to latest version (v1.4.0) in the node-agent repo (v3 and v4)

XXE Assess causes false negatives with the DVNA application. (NODE-1810)

Significant Assess performance improvements for use cases where there is a large JSON body in the inbound request.

Improved reporting/UX to Contrast where there is a vulnerability identified in large JSON body in the inbound request.

The MongoDB 4.X driver is now supported along with versions 3.5.0 and later.

CVE-2021-3749 - node-agent - bump 'axios' from 0.21.1 to 0.21.2

CVE-2021-37713 bump tar dependency in 'distringuish' repo from 4.4.15 to 4.4.19

CVE-2021-37713 bump tar dependency in 'node-fn-inspect' repo from 4.4.15 to 4.4.19

CVE-2021-3664 - node-agent - Bump url-parse from 1.5.1 to 1.5.3.

CVE-2021-23343 - node-agent - Bump path-parse from 1.0.6 to 1.0.7.

SNYK-JS-TAR-1536758 - node-agent - Bump tar from 6.1.4 to 6.1.10.

CVE-2021-32803 - contrast-protobuf-api - Bump tar from 4.4.13 to 4.4.15 (or 4.4.19).

Node.js agent failing silently in Protect mode if unsupported Node.js LTS version. (NODE-1757)

When reporting libraries "_requiredBy" or "dependents" field not populated. (NODE-1718)

Sequelize propagators do not add Propagation events to dataflow history, causing possible NoSQL injection false positives. (NODE-1746)

Significant performance refactoring completed for both Protect and Assess functionality.

CLI rewriter for startup performance improvements.

Set Babel as sole rewriter - removed Esprima.

Updating Contrast Service is mandatory.

Added support for agent.logger.backups and agent.logger.roll_size properties.

Agent unable to detect installed libraries on Windows. (NODE-1622)

Bluebird callbacks run in NO_INSTRUMENTATION scope causing accuracy issues. (NODE 1643)

Koa: Router.use reported as Router.undefined. (NODE-1628)

Logger not logging all entries to debug file. (NODE-1654)

HTTP body missing for multipart/form-data POST requests. (NODE-1620)

Agent fails to start with infinite loop when unable to write contrast-service socket file. (NODE-1657)

Screener tests fail because of non-existent rewrite-babel file. (NODE-1682)

Tag ranges off when Array.join is called with empty string. (NODE-1673)

Trim prerelease from reported agent version. (NODE-1693)

When there are NoSQL vuln on GET requests from two routes, the vulnerability is not reported. (NODE-1900)

Agent maintenance version 3.x does not ship with prebuilt dependencies for Node 10. (NODE-1905)

CVE-2021-3795 upgrade semver-regex to latest (v3.1.3) in node-require-hook

CVE-2021-3795 upgrade semver-regex to latest (v3.1.3) in node-fn-inspect

CVE-2021-3807 bump ansi-regex dependency in node-agent repo (from 2.1.1 to 6.0.1)

CVE-2020-26301 bump ssh2 to latest version (v1.4.0) in the node-agent repo (v3 and v4)

CVE-2021-3664 - node-agent - Bump url-parse from 1.5.1 to 1.5.3.

CVE-2021-23343 - node-agent - Bump path-parse from 1.0.6 to 1.0.7.

SNYK-JS-TAR-1536758 - node-agent - Bump tar from 6.1.4 to 6.1.10.

CVE-2021-32803 - contrast-protobuf-api - Bump tar from 4.4.13 to 4.4.15 (or 4.4.19).

Node.js agent failing silently in Protect mode if unsupported Node.js LTS version. (NODE-1757)

Sequelize propagators do not add Propagation events to dataflow history, causing possible NoSQL injection false positives. (NODE-1746)

When reporting libraries, "_requiredBy" or "dependents" fields not populated. (NODE-1718)

Resolves a breaking change regression and reenables the agent to run on Node.js 10 LTS, even though that Node.js LTS version has reached its end-of-life (EOL). (NODE-1748)

The agent can successfully instrument any application using Bluebird. (NODE-1742)

Resolved an issue where the agent was not correctly tracking data through several Sequelize functions. (NODE-1746)

Agent fails to start with infinite loop when unable to write contrast-service socket file. (NODE-1657)

Improved the agent's deadzoning ability to correctly skip instrumentation of dependent modules of deadzoned modules. (NODE-1449)

Addressed bug that prevented logging some entries into debug file. (NODE-1654)

HTTP body missing for multipart/form-data POST requests. (NODE-1620)

Router.use reported as Router.undefined in Koa. (NODE-1628)

Agent unable to detect installed libraries on Windows. (NODE-1622)

Bluebird callbacks run in NO_INSTRUMENTATION scope causing accuracy issues. (NODE-1643)

Logger methods called before initialization. (NODE-1625)

Mongodb collection methods not triggering post hooks. (NODE-1603)

When user is using express-session middleware, res.end does not report cross-site scripting (XSS). (SUP-2796)

AsyncStorage loses context in mysql query operations. (SUP-2861)

Fixed an issue where the customer app crashes but does not throw an exception to the Docker container and write to stdout/stderr. (NODE-1511)

To resolve a ReDoS CVE (CVE-2021-23362) we need to update the hosted-git-info library included as a dependency.

Runtime performance improvements by improving JSON stringify tracking capabilities.

Added support for the Joi validator library, version 17+.

Runtime performance improvement by disabling membrane wrapping for certain functions.

RangeError thrown on startup when traversing a router mounted on itself in Express. (SUP-2723)

False positive Hardcoded Key finding reported. (SUP-2636)

If the Service is enabled, the application.path isn’t reported correctly. (SUP-2669)

Added support for the Validator library, which can be used to sanitize and validate common vulnerability categories.

Improved logging when an incorrect package.json is used.

Prevent a catch when an async storage object can’t be parsed. (SUP-2685)

Fixed how the agent contextualizes async data when koa-bodyparser is used (SUP-2627)

Fixed cases where Express vulnerabilities aren’t reported to the UI correctly (SUP-2509, SUP-1558)

When using a MongoDB SCRAM-SHA-256 authentication configuration, an exception is thrown at server startup. (SUP-2653)

Upgraded lodash from 4.17.20 to 4.17.21 due to two known CVEs found in version 4.17.20 (CVE-2020-28500, CVE-2021-23337).

Upgraded amqplib from 0.6.0 to 0.7.1 due to a known CVE found in version 0.6.0 (CVE-2021-27515).

When a querystring is included in a MongoDB connection string, the agent can’t parse the URL. (SUP-2594)

Kraken 2.3.0 is now supported.

Loading the agent with an ESM loader produces an error. (SUP-2504)

DynamoDB hook for flowmap crashes up without 'endpoint' in config (SUP-2475)

Library usage causes errors on Windows when application loads add-on. (SUP-2536, NODE-1328)

Juice-Shop does not run when Assess in enabled on Windows. (SUP-2521, NODE-1317)

DynamoDB hook for flowmap crashes agent when 'endpoint' is not specified in configuration. (SUP-2475, NODE-1286)

Users running esm.mjs receive an error because it is not being packaged. (SUP-2478, NODE-1288)

Loopback 4 is now supported.

Fastify 3 is now supported.

False negative path traversal finding in Express. (SUP-2412)

Agent not detecting remote code execution (RCE) with certain input values. (SUP-2433)

Highlighted text in the UI is off by one character. (SUP-2384)

The application may throw an error if the cache-controls header is an array. (SUP-2416)

Agent incorrectly exiting on SIGPIPE when the Contrast Service is used. (SUP-2421)

Input exclusions for Assess are supported. You can exclude findings based on input type or name.

Optimized performance when sourcemaps is enabled.

Flowmaps now have better accuracy in reporting architectural components.

Certain types of XML uploads result in an XXE false negative. (SUP-2287)

Node.js 14 is now supported.

Improved accuracy of line number reporting for vulnerabilities with source mapping.

Agent fails to instrument in Node 14 running on Windows. (SUP-2230)

Added support for sequelize sql-string format methods.

Found false negative with Node.js loopback in Protect mode. (SUP-2009)

Need to add support for fs.createWriteStream as a Protect sink. (SUP-2013)

Restify 8 framework support is now available.

An Insecure Encryption Algorithm finding reports an incorrect code location. (SUP-1852)

FastifyFramework did not emit all headers in 'send' event.

The 3.X version of the agent sets the default behavior to communicate and report to Contrast using the Contrast service.

The new rewrite_cache property will cache the app code rewritten by Contrast on startup and can improve subsequent startup time. This property is disabled by default but can be enabled.

With the 3.X version of the Node.js agent, the Contrast service is enabled by default but can still be disabled. Because of this, you will need to download the new 3.X agent binary through npm (recommended) or through Contrast.. Please contact Support if you have any questions about this change.

Tracking strings which include the + operator create a performance issue. (SUP-1975)

This release sets default behavior of the Node.js agent to communicate and report to Contrast directly, without using the Contrast Service. This undoes a breaking change that was introduced in the 2.x.x branch back in February of 2020.

New performance diagnostic features are now available for Contrast Customer Success to help diagnose performance issues.

Added the capability to track untrusted data through the node.js url.domainToASCII and url.domainToUnicode functions.

The agent.node.unsafe.deadzones option will now trim whitespace around each option.

This version marks the last new release for the 2.x.x branch. Only patch releases will be provided going forward for the 2.18.x branch.

Customers will be required to upgrade to version 3.x.x (available September 2020) to gain additional capabilities in the Node.js agent. Version 3.0.0 of the Contrast Node.js agent will have potentially impactful changes which should be assessed by each customer for their specific application.

The server.path config option is not being passed to Contrast when using the Contrast service for communication. (SUP-1838)

Node agent Lodash dependency updated to 4.17.20 to resolve CVE-2020-8203. (SUP-1883)

Resolve TypeError: replacer.replace is not a function. (SUP-1888)

Agent breaks expected express-async-errors behavior. (SUP-1801)

Added multiple architecture changes and fixes that improve Assess performance.

Added support for URL Exclusions when using Assess. In Contrast, you can designate URLs that ignore selected rules or all rules. The agent now respects these settings for Assess rules in the Node.js agent.

Protect rule modes now default to OFF for best backward and forward compatibility.

Improved Fastify support to work better with GraphQL and Apollo Server.

Removed support for Protect Cross-site Request Forgery (CSRF).

Updated the version of Lodash used by the Node.js agent to 4.17.19 in response to a CVE for Lodash 4.17.15.

Version 3.0.0 of the Node.js agent will be released at the end of August and will introduce these changes:

All new features will only be available for 3.0.0 and higher. Version 2.18.0 will also be released at the end of August and will be the final version that doesn't require the Contrast service. This version will continue to be supported for patch releases.

There are two optional features that may be useful to some customers. Contact your Customer Success Representative if you would like to know more about these:

Node.js agent failed to initialize. Missing gRPC framework was resolved.

An exception occurred because of a syntax error for Fastify. This was fixed.

Crash when requiring the aws-s3 module was resolved.

Multiple architecture and performance improvements.

New gRPC communication protocol between the agent service improves performance.

Removed name and value cookie sources for reflected XXS per updated guidance for both Assess and Protect.

Added a sensor for SQLite for Protect.

Added support for Koa version 2.12.

Reflected XSS is now not reported if Content-Type is allowlisted as safe.

A major version release for the Node.js agent is planned for late July or August 2020. Node.js agent version 3.0.0 will introduce breaking changes for customers using the 2.x.x version of the agent and service.

Implemented multiple bug fixes due to the introduction of the gRPC communication protocol between the JavaScript agent and the agent service

Implemented fixes to resolve route coverage issues that surface when using graphQL, Apollo Server, and Fastify

Resolved a false positive issue when correctly using Sequelize to escape strings.

Resolved exception when fastify.route is called with an uppercase verb.

Resolved an issue that manifested as reporting duplicate routes when using the Express framework.

New recommendations for installing and running the Node.js agent have been released.

The customer application would fail to start when all Assess rules were disabled. This is fixed now.

The customer application would fail to start because worker threads would hang and generate multiple processes with the same pid. This is fixed now.

The agent would not output the security log to stdout (or stderr). This is fixed now.

Duplicated vulnerabilities were being reported for unique routes. This is fixed so that TeamServer displays distinct findings for each request uri.

An out-of-memory error caused by a regex match resulted in an infinite loop. This has been fixed.

Node.js agent’s migration to npm and incorrectly bundled modules made it seem like the agent was missing two dependencies. This has been resolved.

Fastify framework support: Fastify 2.x is now a supported framework for the Contrast Node.js agent.

NPM availability: The Contrast Node.js agent can now be installed directly from the Contrast Security public NPM repository

Pre-load capabilities: The Node.js agent can now be run as a pre-load module using the -r flag. This is also now the recommended method of running the Contrast Node.js agent.

Running the node agent as a runner will now generate a deprecation message. This is the deprecated syntax:

node-contrast<app-main>

The agent will continue to function when executed as a runner. However, we encourage customers to migrate to the new method of running the Contrast Node.js agent as this is no longer recommended.

After architecture improvements were made to the agent, some applications were prevented from starting with the agent. This has been resolved and users should no longer receive error messages like these:

cls.run(() => {
    ^
TypeError: Cannot read property 'run' of undefined

OR

/usr/src/app/node_modules/node_contrast/lib.asar/AsyncStorage/index.js:188
    if (ns.active) {

TypeError: Cannot read property 'active' of undefined