Node.js agent

The Contrast Node.js agent analyzes the behavior of Node.js web applications using established techniques, such as source-to-source compilation, to add Contrast sensors to an application prior to execution.

The Contrast Node.js agent follows semantic versioning (major.minor.patch). The agent works best with these supported technologies and these system requirements.

The Node.js agent rewrites the application code prior to startup. After startup, the agent patches the required functions for the supported frameworks and modules.

The Contrast service is an executable packaged within the Node.js agent that runs in a separate process. It enables communication between the Node.js agent and Contrast and, like the agent, can be configured with environment variables or YAML. The service uses port 30555 as the default for HTTP communication between the agent and the service. You can configure the port and the communication protocol between the agent and the service. Available protocols include HTTP, Linux socket (file descriptor), and gRPC. The service can be deployed one-for-one with the agent, or shared across a group of agents on a single server hosting multiple containers.

Once you install the Node.js agent, there are two primary source code transformations that it uses to monitor the behavior of your application:

  • AST transformation is the process by which the agent creates an abstract syntax tree of a body of code, manipulates the tree and then creates new source code based on this syntax tree. The agent goes through this process to handle scenarios in which function hooks won't work. For example, rewrites allow Contrast to add operator overloading to JavaScript so that it can properly track the flow of untrusted data.

  • Function hooks take over the execution of a given function, like child_process.exec, to collect data about its arguments and its return value, and send this data to the parts of the agent responsible for analysis. As a result, the agent enables certain functions to be self-reporting.
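The following is an added illustration of the function-hook idea in plain Node.js; it is not Contrast's code and does not show how the agent is actually built. The `hookFunction` helper, the `analyze` callback, its metacharacter heuristic, the `reports` sink and the `fakeChildProcess` stand-in are all assumptions constructed for the example so that nothing is spawned when it runs.

```javascript
// Added example, not Contrast's code: a minimal "function hook" in plain Node.js.
// hookFunction replaces obj[name] with a wrapper that runs the original function,
// then reports the call's arguments and return value to an analysis callback.

// Constructed sink standing in for the part of an agent that does analysis.
const reports = [];

function hookFunction(obj, name, analyze) {
  const original = obj[name];
  if (typeof original !== 'function') {
    throw new TypeError(`${name} is not a function`);
  }
  obj[name] = function hooked(...args) {
    // Run the real implementation unchanged, preserving `this`.
    const result = original.apply(this, args);
    // Then report: the function has become self-reporting.
    analyze({ name, args, result });
    return result;
  };
  // Return an unhook function that restores the original.
  return () => { obj[name] = original; };
}

// Toy analysis (an assumption, not the agent's real logic): record the call
// and flag string arguments containing shell metacharacters for review.
function analyze(call) {
  const suspicious = call.args.some(
    (a) => typeof a === 'string' && /[;&|`$]/.test(a)
  );
  reports.push({ ...call, suspicious });
}

// Constructed stand-in for child_process so nothing is actually executed;
// exec here only pretends to run the command and returns a fake handle.
const fakeChildProcess = {
  exec(command, callback) {
    if (callback) callback(null, `ran: ${command}`, '');
    return { pid: 4242, command };
  },
};

function runDemo() {
  reports.length = 0;
  const unhookExec = hookFunction(fakeChildProcess, 'exec', analyze);
  const unhookParse = hookFunction(JSON, 'parse', analyze); // a real built-in

  fakeChildProcess.exec('ls -l', () => {});  // reported, not suspicious
  fakeChildProcess.exec('echo a; echo b');   // reported, flagged by the toy heuristic
  JSON.parse('{"a":1}');                     // reported, result { a: 1 }

  unhookExec();
  unhookParse();
  fakeChildProcess.exec('ls -a');            // no longer reported

  return reports.map((r) => ({ name: r.name, suspicious: r.suspicious, result: r.result }));
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The wrapper calls the original first and only then reports, so the hooked function's observable behaviour is unchanged; the returned unhook closure restores the original reference, which matters whenever instrumentation must be removable.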