Node.js agent

The Contrast Node.js agent analyzes the behavior of Node.js web applications using established techniques, such as source-to-source compilation, to add Contrast sensors to an application before execution.

Note

The latest Node.js agent supports Assess (IAST), Protect (RASP), and SCA features.

The Contrast Node.js agent follows semantic versioning (major.minor.patch). The agent works best with these supported technologies and these system requirements.

The Node.js agent rewrites the application code before startup using the Babel compiler. After starting up, the agent patches the required functions for the supported frameworks and modules.

Once you install the Node.js agent, there are two primary source code transformations that it uses to monitor the behavior of your application:

  • AST transformation is the process by which the agent creates an abstract syntax tree of a body of code, manipulates the tree and then creates new source code based on this syntax tree. The agent goes through this process to handle scenarios in which function hooks won't work. For example, rewrites allow Contrast to add operator overloading to JavaScript so that it can properly track the flow of untrusted data.

  • Function hooks take over the execution of a given function, such as child_process.exec, to collect data about its arguments and its return value, and send this data to the parts of the agent responsible for analysis. As a result, the agent enables certain functions to be self-reporting.
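As an added illustration of what a function hook does (example code, not Contrast's own implementation), the following wraps a constructed stand-in for child_process.exec so that every call reports its arguments and its return value, or the error it threw, to an analysis sink while leaving the application's behaviour unchanged; hookFunction, fakeChildProcess, runDemo and the __contrastOriginal marker are hypothetical names.

```javascript
// Replace target[name] with a wrapper that records each call and forwards
// the record to `report` (a stand-in for the agent's analysis channel).
// Returns a function that restores the original.
function hookFunction(target, name, sensorName, report) {
  const original = target[name];
  if (typeof original !== 'function') {
    throw new TypeError(`${sensorName}: ${name} is not a function`);
  }
  const wrapped = function (...args) {
    const record = { sensor: sensorName, args, threw: false };
    try {
      // Preserve `this` and the argument list so the hooked function
      // behaves exactly as the application expects.
      const result = original.apply(this, args);
      record.result = result;
      return result;
    } catch (err) {
      record.threw = true;
      record.error = err.message;
      throw err; // never swallow the application's own errors
    } finally {
      report(record); // self-reporting happens on every exit path
    }
  };
  wrapped.__contrastOriginal = original; // hypothetical marker for unhooking
  target[name] = wrapped;
  return () => { target[name] = original; };
}

// Constructed stand-in for child_process so nothing is spawned when this runs.
const fakeChildProcess = {
  exec(command) {
    if (typeof command !== 'string') throw new TypeError('command must be a string');
    return { pid: 4242, command };
  },
};

// Install the hook, exercise a normal call and a failing call, then unhook.
function runDemo() {
  const reports = [];
  const unhook = hookFunction(fakeChildProcess, 'exec', 'child_process.exec',
    (r) => reports.push(r));
  const child = fakeChildProcess.exec('ls -l /tmp');
  let threw = false;
  try { fakeChildProcess.exec(42); } catch (e) { threw = true; }
  unhook();
  return { child, threw, reports };
}
```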

Contrast service

Note

Contrast service is only required for the Node.js agent version 4.X.X and earlier.

The Contrast service is an executable that is packaged within the Node.js agent and runs in a separate process. With version 4.X.X of the agent, the Contrast service starts up automatically with the agent.

The service enables communication between the Node.js agent and Contrast. Like the agent, it can be configured with environment variables or a YAML configuration file. The Contrast service uses port 30555 as the default for HTTP communication between the agent and the service.

You can configure the port and communication protocol between the agent and service. Available protocols include HTTP, Linux socket (file descriptor), and gRPC. The service can be deployed one-for-one with the agent, or shared across a group of agents on a single server hosting multiple containers.