Node.js agent

The Contrast Node.js agent analyzes the behavior of Node.js web applications using established techniques, such as source-to-source compilation, to add Contrast sensors to an application before execution.

Note

The latest Node.js agent supports Assess (IAST), Protect (RASP), and SCA features.

The Contrast Node.js agent follows semantic versioning (major.minor.patch). The agent works best with these supported technologies and these system requirements.

The Node.js agent rewrites the application code before startup using the Babel compiler. After starting, the agent patches the required functions for the supported frameworks and modules.

Once you install the Node.js agent, there are two primary source code transformations that it uses to monitor the behavior of your application:

  • AST transformation is the process by which the agent creates an abstract syntax tree (AST) of a body of code, manipulates the tree, and then generates new source code from it. The agent uses this process to handle scenarios in which function hooks are not functional. For example, rewrites enable Contrast to add operator overloading to JavaScript, allowing it to properly track the flow of untrusted data.

  • Function hooks take over the execution of a given function, like child_process.exec, to collect data about its arguments and its return value, and send this data to the parts of the agent responsible for analysis. As a result, the agent enables certain functions to be self-reporting.
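
The function-hook technique described above, sketched as an added example (this is not Contrast's agent code). The names `hook`, `describe`, `events`, `demo` and `fakeChildProcess` are hypothetical; the stand-in object mimics the `child_process.exec(command, callback)` call shape so that nothing is actually spawned.

```javascript
// Events collected by hooks; a real agent would forward these to its analysis components.
const events = [];

// Summarize a value for reporting without retaining large objects.
function describe(v) {
  if (typeof v === 'function') return '[Function]';
  return typeof v === 'string' ? v : typeof v;
}

// Replace target[name] with a wrapper that reports the arguments and the
// return value (or thrown error), then behaves exactly like the original.
function hook(target, name, report) {
  const original = target[name];
  if (typeof original !== 'function') throw new TypeError(`${name} is not a function`);
  function wrapper(...args) {
    const event = { name, args: args.map(describe) };
    try {
      const result = Reflect.apply(original, this, args); // keep the caller's `this`
      event.returned = describe(result);
      return result;
    } catch (err) {
      event.threw = String(err);
      throw err; // the hook observes; it must not change behavior
    } finally {
      report(event);
    }
  }
  // Preserve name and arity so code that inspects the function still works.
  Object.defineProperty(wrapper, 'name', { value: original.name });
  Object.defineProperty(wrapper, 'length', { value: original.length });
  target[name] = wrapper;
  return function unhook() { target[name] = original; };
}

// Constructed stand-in with the call shape of child_process.exec(command, callback).
const fakeChildProcess = {
  exec(command, callback) {
    callback(null, `ran: ${command}`);
    return { pid: 4242 };
  },
};

function demo() {
  events.length = 0;
  const original = fakeChildProcess.exec;
  const unhook = hook(fakeChildProcess, 'exec', (e) => events.push(e));
  let output;
  fakeChildProcess.exec('ls -la', (err, stdout) => { output = stdout; });
  unhook();
  fakeChildProcess.exec('id', () => {}); // not reported: the hook was removed
  return { events: events.slice(), output, restored: fakeChildProcess.exec === original };
}
```

Passing the real `child_process` module object as `target` applies the same wrapper to `exec` itself; the reported event is what makes the function "self-reporting".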