Node.js agent release notes

Release date: July 8, 2021

Language versions currently supported: 12 and 14 LTS

New and improved:

  • Significant performance refactoring completed for both Protect and Assess functionality.

  • CLI rewriter for startup performance improvements.

  • Set Babel as sole rewriter - removed Esprima.

  • Updating Contrast Service is mandatory.

  • Added support for agent.logger.backups and agent.logger.roll_size properties.

Bug fixes:

  • Agent unable to detect installed libraries on Windows. (NODE-1622)

  • Bluebird callbacks run in NO_INSTRUMENTATION scope causing accuracy issues. (NODE 1643)

  • Koa: Router.use reported as Router.undefined. (NODE-1628)

  • Logger not logging all entries to debug file. (NODE-1654)

  • HTTP body missing for multipart/form-data POST requests. (NODE-1620)

  • Agent fails to start with infinite loop when unable to write contrast-service socket file. (NODE-1657)

  • Screener tests fail because of non-existent rewrite-babel file. (NODE-1682)

  • Tag ranges off when Array.join is called with empty string. (NODE-1673)

  • Trim prerelease from reported agent version. (NODE-1693)

Release date: July 8, 2021

Language versions currently supported: 10, 12 and 14 LTS

Bug fixes:

  • Agent fails to start with infinite loop when unable to write contrast-service socket file. (NODE-1657)

  • Improved the agent's deadzoning ability to correctly skip instrumentation of dependent modules of deadzoned modules. (NODE-1449)

Note

This version has been deprecated, please use 3.11.6 or later.

Release date: July 6, 2021

Language versions currently supported: 10, 12 and 14 LTS

Bug fixes:

  • Addressed bug that prevented logging some entries into debug file. (NODE-1654)

  • HTTP body missing for multipart/form-data POST requests. (NODE-1620)

Note

This version has been deprecated, please use 3.11.6 or later.

Release date: June 25, 2021

Language versions currently supported: 10, 12 and 14 LTS

Bug fixes:

  • Router.use reported as Router.undefined in Koa. (NODE-1628)

Note

This version has been deprecated, please use 3.11.6 or later.

Release date: June 25, 2021

Language versions currently supported: 10, 12 and 14 LTS

Bug fixes:

  • Agent unable to detect installed libraries on Windows. (NODE-1622)

  • Bluebird callbacks run in NO_INSTRUMENTATION scope causing accuracy issues. (NODE-1643)

Note

This version has been deprecated, please use 3.11.6 or later.

Release date: June 11, 2021

Language versions currently supported: 10, 12 and 14 LTS

Bug fixes:

  • Logger methods called before initialization. (NODE-1625)

  • Mongodb collection methods not triggering post hooks. (NODE-1603)

Note

This version has been deprecated, please use 3.11.6 or later.

Release date: June 08, 2021

Language versions currently supported: 10, 12 and 14 LTS

Bug fixes:

  • When user is using express-session middleware, res.end does not report cross-site scripting (XSS). (SUP-2796)

  • AsyncStorage loses context in mysql query operations. (SUP-2861)

  • Fixed an issue where the customer app crashes but does not throw an exception to the Docker container and write to stdout/stderr. (NODE-1511)

Release date: May 21, 2021

Language versions currently supported: 10, 12 and 14 LTS

Bug fixes:

  • To resolve a ReDoS CVE (CVE-2021-23362) we need to update the hosted-git-info library included as a dependency.

Release date: May 17, 2021

Language versions currently supported: 10, 12 and 14 LTS

Release date: April 28, 2021

Language versions currently supported: 10, 12 and 14 LTS

New and improved:

  • Runtime performance improvements by improving JSON stringify tracking capabilities.

  • Added support for the Joi validator library, version 17+.

Release date: April 19, 2021

Language versions currently supported: 10, 12 and 14 LTS

Release date: April 13, 2021

Language versions currently supported: 10, 12 and 14 LTS

New and improved:

  • Runtime performance improvement by disabling membrane wrapping for certain functions.

Release date: April 2, 2021

Language versions currently supported: 10, 12 and 14 LTS

Bug fixes:

  • RangeError thrown on startup when traversing a router mounted on itself in Express. (SUP-2723)

Release date: March 31, 2021

Language versions currently supported: 10, 12 and 14 LTS

Bug fixes:

  • False positive Hardcoded Key finding reported. (SUP-2636)

  • If the Service is enabled, the application.path isn’t reported correctly. (SUP-2669)

Release date: March 26, 2021

Language versions currently supported: 10, 12 and 14 LTS

New and improved:

  • Added support for the Validator library, which can be used to sanitize and validate common vulnerability categories.

  • Improved logging when an incorrect package.json is used.

Bug fixes:

  • Prevent a catch when an async storage object can’t be parsed. (SUP-2685)

  • Fixed how the agent contextualizes async data when koa-bodyparser is used (SUP-2627)

  • Fixed cases where Express vulnerabilities aren’t reported to the UI correctly (SUP-2509, SUP-1558)

Release date: March 18, 2021

Language versions currently supported: 10, 12 and 14 LTS

Bug fixes:

  • When using a MongoDB SCRAM-SHA-256 authentication configuration, an exception is thrown at server startup. (SUP-2653)

Release date: March 15, 2021

Language versions currently supported: 10, 12 and 14 LTS

Release date: March 9, 2021

Language versions currently supported: 10, 12 and 14 LTS

Bug fixes:

  • Upgraded lodash from 4.17.20 to 4.17.21 due to two known CVEs found in version 4.17.20 (CVE-2020-28500, CVE-2021-23337).

  • Upgraded amqplib from 0.6.0 to 0.7.1 due to a known CVE found in version 0.6.0 (CVE-2021-27515).

Release date: March 8, 2021

Language versions currently supported: 10, 12 and 14 LTS

Bug fixes:

  • When a querystring is included in a MongoDB connection string, the agent can’t parse the URL. (SUP-2594)

Release date: March 1, 2021

Language versions currently supported: 10, 12 and 14 LTS

New and improved:

  • Kraken 2.3.0 is now supported.

Bug fixes:

  • Loading the agent with an ESM loader produces an error. (SUP-2504)

  • DynamoDB hook for flowmap crashes up without 'endpoint' in config (SUP-2475)

Release date: February 26, 2021

Language versions currently supported: 10, 12 and 14 LTS

Bug fixes:

  • Library usage causes errors on Windows when application loads add-on. (SUP-2536, NODE-1328)

  • Juice-Shop does not run when Assess in enabled on Windows. (SUP-2521, NODE-1317)

Release date: February 11, 2021

Language versions currently supported: 10, 12 and 14 LTS

Bug fixes:

  • DynamoDB hook for flowmap crashes agent when 'endpoint' is not specified in configuration. (SUP-2475, NODE-1286)

  • Users running esm.mjs receive an error because it is not being packaged. (SUP-2478, NODE-1288)

Release date: January 29, 2021

Language versions currently supported: 10, 12 and 14 LTS

New and improved:

  • Loopback 4 is now supported.

  • Fastify 3 is now supported.

Bug fixes:

  • False negative path traversal finding in Express. (SUP-2412)

  • Agent not detecting remote code execution (RCE) with certain input values. (SUP-2433)

  • Highlighted text in the UI is off by one character. (SUP-2384)

Release date: January 28, 2021

Language versions currently supported: 10, 12 and 14 LTS

Bug fixes:

  • The application may throw an error if the cache-controls header is an array. (SUP-2416)

  • Agent incorrectly exiting on SIGPIPE when the Contrast Service is used. (SUP-2421)

Release date: December 18, 2020

Language versions currently supported: 10, 12 and 14 LTS

New and improved:

  • Input exclusions for Assess are supported. You can exclude findings based on input type or name.

  • Optimized performance when sourcemaps is enabled.

  • Flowmaps now have better accuracy in reporting architectural components.

Release date: December 7, 2020

Language versions currently supported: 10, 12 and 14 LTS

Bug fixes:

  • Certain types of XML uploads result in an XXE false negative. (SUP-2287)

Release date: November 20, 2020

Language versions currently supported: 10, 12 and 14 LTS

New and improved:

  • Node.js 14 is now supported.

  • Improved accuracy of line number reporting for vulnerabilities with source mapping.

Bug fixes:

  • Agent fails to instrument in Node 14 running on Windows. (SUP-2230)

Release date: October 28, 2020

Language versions currently supported: 10 and 12 LTS

Release date: October 23, 2020

Language versions currently supported: 10 LTS and 12 LTS

New and improved:

  • Added support for sequelize sql-string format methods.

Bug fixes:

  • Found false negative with Node.js loopback in Protect mode. (SUP-2009)

Release date: September 25, 2020

Language versions currently supported: 10 LTS and 12 LTS

Bug fixes:

  • Need to add support for fs.createWriteStream as a Protect sink. (SUP-2013)

Release date: September 18, 2020

Language versions currently supported: 10 LTS and 12 LTS

New and improved:

  • Restify 8 framework support is now available.

Bug fixes:

  • An Insecure Encryption Algorithm finding reports an incorrect code location. (SUP-1852)

  • FastifyFramework did not emit all headers in 'send' event.

Release date: September 10, 2020

Language versions currently supported: 10 LTS and 12 LTS

New and improved:

  • The 3.X version of the agent sets the default behavior to communicate and report to Contrast using the Contrast service.

  • The new rewrite_cache property will cache the app code rewritten by Contrast on startup and can improve subsequent startup time. This property is disabled by default but can be enabled.

Important notes:

  • With the 3.X version of the Node.js agent, the Contrast service is enabled by default but can still be disabled. Because of this, you will need to download the new 3.X agent binary through npm (recommended) or through Contrast. Please contact Support if you have any questions about this change.

Bug fixes:

  • Tracking strings which include the + operator create a performance issue. (SUP-1975)

Language versions currently supported:10 LTS and 12 LTS

New and improved:

  • This release sets default behavior of the Node.js agent to communicate and report to Contrast directly, without using the Contrast Service. This undoes a breaking change that was introduced in the 2.x.x branch back in February of 2020.

  • New performance diagnostic features are now available for Contrast Customer Success to help diagnose performance issues.

  • Added the capability to track untrusted data through the node.js url.domainToASCII and url.domainToUnicode functions.

  • The agent.node.unsafe.deadzones option will now trim whitespace around each option.

Important notes:

  • This version marks the last new release for the 2.x.x branch. Only patch releases will be provided going forward for the 2.18.x branch.

    Customers will be required to upgrade to version 3.x.x (available September 2020) to gain additional capabilities in the Node.js agent. Version 3.0.0 of the Contrast Node.js agent will have potentially impactful changes which should be assessed by each customer for their specific application.

Bug fixes:

  • The server.path config option is not being passed to Contrast when using the Contrast service for communication. (SUP-1838)

  • Node agent Lodash dependency updated to 4.17.20 to resolve CVE-2020-8203. (SUP-1883)

  • Resolve TypeError: replacer.replace is not a function. (SUP-1888)

Language versions currently supported:10 LTS and 12 LTS

Bug fixes:

  • Agent breaks expected express-async-errors behavior. (SUP-1801)

Language versions currently supported:10 LTS and 12 LTS

Language versions currently supported: 10 and 12 LTS

Agent versions released during the past month: 2.16.1, 2.16.2, 2.16.3, 2.16.4, 2.16.5, 2.16.6, 2.16.7, 2.16.8, 2.17.0

New and improved:

  • Added multiple architecture changes and fixes that improve Assess performance.

  • Added support for URL Exclusions when using Assess. In Contrast, you can designate URLs that ignore selected rules or all rules. The agent now respects these settings for Assess rules in the Node.js agent.

  • Protect rule modes now default to OFF for best backward and forward compatibility.

  • Improved Fastify support to work better with GraphQL and Apollo Server.

  • Removed support for Protect Cross-site Request Forgery (CSRF).

  • Updated the version of Lodash used by the Node.js agent to 4.17.19 in response to a CVE for Lodash 4.17.15.

Important notes:

  • Version 3.0.0 of the Node.js agent will be released at the end of August and will introduce these changes:

    • The Node.js agent will be required to run with the Contrast service enabled. Currently the service is shipped with the agent but is optional; this change will enable the service by default.

    • The service will provide multiple functional and performance benefits to the Node.js agent.

    • The legacy auto-update policy for the Node.js agent will be deprecated when running with the service enabled.

      Note

      You will need to upgrade to Version 3.0.0, because the legacy auto-update feature does not upgrade to a major version. You can update your agent to 3.x with npm (recommended), the Contrast API or by using the Contrast web interface. Using npm allows version updates by using the customer’s application’s package.json with semantic versioning.Install Node.js agent with npmInstall Node.js agent using Contrast

  • All new features will only be available for 3.0.0 and higher. Version 2.18.0 will also be released at the end of August and will be the final version that doesn't require the Contrast service. This version will continue to be supported for patch releases.

  • There are two optional features that may be useful to some customers. Contact your Customer Success Representative if you would like to know more about these:

    • Re-write caching provides faster subsequent start-up times.

    • Performance may improve when you skip (or deadzone) certain modules. For example, if you have modules passing large strings that are irrelevant to security, like logging, you can choose not to instrument them.

Bug fixes:

  • Node.js agent failed to initialize. Missing gRPC framework was resolved.

  • An exception occurred because of a syntax error for Fastify. This was fixed.

  • Crash when requiring the aws-s3 module was resolved.

Language versions currently supported:10 LTS and 12 LTS

Agent versions released during the past month: 2.15.1 2.15.2, 2.15.3, 2.15.4, 2.15.5, 2.16.0, 2.16.1, 2.16.2, 2.16.3, 2.16.4

New and improved:

  • Multiple architecture and performance improvements.

  • New gRPC communication protocol between the agent service improves performance.

  • Removed name and value cookie sources for reflected XXS per updated guidance for both Assess and Protect.

  • Added a sensor for SQLite for Protect.

  • Added support for Koa version 2.12.

  • Reflected XSS is now not reported if Content-Type is allowlisted as safe.

Important notes:

  • A major version release for the Node.js agent is planned for late July or August 2020. Node.js agent version 3.0.0 will introduce breaking changes for customers using the 2.x.x version of the agent and service.

Bug fixes:

  • Implemented multiple bug fixes due to the introduction of the gRPC communication protocol between the JavaScript agent and the agent service

  • Implemented fixes to resolve route coverage issues that surface when using graphQL, Apollo Server, and Fastify

  • Resolved a false positive issue when correctly using Sequelize to escape strings.

  • Resolved exception when fastify.route is called with an uppercase verb.

  • Resolved an issue that manifested as reporting duplicate routes when using the Express framework.

Language versions currently supported:10 LTS and 12 LTS

Agent versions released during the past month: 2.15.0

Important notes:

Bug fixes:

  • The customer application would fail to start when all Assess rules were disabled. This is fixed now.

  • The customer application would fail to start because worker threads would hang and generate multiple processes with the same pid. This is fixed now.

  • The agent would not output the security log to stdout (or stderr). This is fixed now.

  • Duplicated vulnerabilities were being reported for unique routes. This is fixed so that TeamServer displays distinct findings for each request uri.

  • An out-of-memory error caused by a regex match resulted in an infinite loop. This has been fixed.

  • Node.js agent’s migration to npm and incorrectly bundled modules made it seem like the agent was missing two dependencies. This has been resolved.

Language versions currently supported:

Agent versions released during the past month: 2.8.1, 2.8.2, 2.8.3, 2.9.0

New and improved:

  • Fastify framework support: Fastify 2.x is now a supported framework for the Contrast Node.js agent.

  • NPM availability: The Contrast Node.js agent can now be installed directly from the Contrast Security public NPM repository

  • Pre-load capabilities: The Node.js agent can now be run as a pre-load module using the -r flag. This is also now the recommended method of running the Contrast Node.js agent.

Important notes:

  • Running the node agent as a runner will now generate a deprecation message. This is the deprecated syntax:

    node-contrast<app-main>

    The agent will continue to function when executed as a runner. However, we encourage customers to migrate to the new method of running the Contrast Node.js agent as this is no longer recommended.

Bug fixes:

  • After architecture improvements were made to the agent, some applications were prevented from starting with the agent. This has been resolved and users should no longer receive error messages like these:

    cls.run(() => {
        ^
    TypeError: Cannot read property 'run' of undefined
    
    OR
    
    /usr/src/app/node_modules/node_contrast/lib.asar/AsyncStorage/index.js:188
        if (ns.active) {
    
    TypeError: Cannot read property 'active' of undefined