Node.js release notes 2022

Fix issues with system-diagnostics reporting under Windows env. (NODE-2780)

Config utility reads the wrong remote value for syslog settings. (NODE-2781)

CVE-2022-24999 - qs vulnerable to Prototype Pollution.

Added support for the Microsoft SQL Server database.

New Contrast Service version - v2.28.23 is now bundled with the v4 agent.

Defensive code in system diagnostics when finding package.json. (SUP-4357)

Added defensive code around checking the express router handler's length. (SUP-4314)

System info gets output when running config-diagnostics - this was incorrect behavior.

CVE-2022-24999 (devDependency). version 4.x agent

Provide npx command to read system info and output results. (NODE-2629)

Made _contrast_toString a non-enumerable property of Function.prototype to resolve compatibility issues with @sap/cds. (NODE-2752)

Removed Fastify2 from NodeTestBenches.

Fixed contrast-diagnostics script that did not support running when not adjacent to the agent installation location. (NODE-2748)

New troubleshooting functionality to write to a file the effective configuration seen by the agent. (NODE-2632)

Memory-leak surfaced for apps running with the agent for over 12 hours. (NODE-2715)

CVE-2022-3517 upgrade dependencies with minimatch so use v3.0.5 or greater. (NODE-2717)

Memory leak introduced in 4.25.0. (NODE-2698)

"TypeError: undefined is not a function" when spawning a child process with Assess. (NODE-2694)

Memory leak being caused by Assess CallContext stacktraces. (NODE-2681)

npm not found and library not reported when the Node.js runtime is installed in the Program Files directory on Windows OS. (NODE-2691)

NPM commands used in the agent for library reporting/listing will now work on Windows machines. (NODE-2676)

Fixed an issue where the agent was not starting the Contrast Service when running on Windows OS. (NODE-2677)

Updated v4 and v5 agents to be compatible with Node 18.

The originalUrl property is now tagged in Express.

Corrected issue where req.path was not tracked and not considered untrusted data. (NODE-2637)

CVE-no-CVE-ID - Bump moment-timezone from 0.5.34 to 0.5.37.

Node agent only instruments MongoDB API methods that are susceptible to expansion or injections. (NODE-2040)

For agent v16.17 and above, we now explicitly signal a short circuit in our load hook for ESM support (NODE-2620).

Added instrumentation for the DynamoDB.scan() command and the FilterExpression key AWS v2.

Added support for MongoDB NoSQL Injection highlighting in Contrast UI when multiple arguments are present.

Improved express instrumentation by having the body-parser library and all its parsing methods directly patched/instrumented.

Added support for the mongodb v4.x driver for the agent in Protect mode.

The JSON.stringify() propagator handles when the argument (or subset of argument) is a deserialization membrane. (NODE-2598)

Autocomplete missing rule data is serialized properly into protobuf message. (NODE-2589)

CVE-2022-2564 - Bump Mongoose version to 6.4.6.

The JSON.stringify() propagator handles when the argument (or subset of argument) is a deserialization membrane. (NODE-2598)

Aws-sdk version 2 for DynamoDB does not respect abstract attribute types. (NODE-2532)

When processing large strings in docker and using node crypto module to encrypt data, the calls distringuish.getProperties were causing segmentation fault issues. (NODE-2564)

Added support for isEmail and isDate validators in ValidatorJS.

Joi validation not recognized if the schema specified in "options" for a hapi route. (NODE-2544)

Remediated CVE-2022-31129 for inefficient regular expression complexity in moment.

Add hardening to prevent app crash if NPM is not installed.

When a MongoDB update method has multiple attack vectors, the Node.js Agent accurately reports NoSQL Injections that were previously false negatives.

Remediated CVE-2020-7596 by removing the codecov dependency from node-agent (DEV Dependency).

Added improved logging when an unsupported version of npm is installed in the app being instrumented.

Decrease highlighting to just tainted string when reported sink argument is a query object. (SUP-3889)

Added improved logging when an unsupported version of npm is installed in the app being instrumented.

When Protect mode is enabled, multipart/form-data throws exception when headers are removed. (SUP-3817)

Remediated CVE-2021-43138 by updating ejs to a safe version in node-agent, this was a DEV Dependency and was not a true vulnerability. (NODE - 2352)

Removed winston-syslog from the agent's bundled dependencies, this was being flagged as having a CVE.

Fixed false-negative of Server-Side Request Forgery (SSRF) for request npm package. (SUP-3829)

Incorrect highlighting displayed for Node.js vulnerabilities under Overview in the Contrast web interface. (SUP-3717, 2927)

When running an application with pm2 on cluster mode and the CONTRAST_CONFIG_PATH provided as an environment variable, the agent reads the CONTRAST_CONFIG_PATH value from contrast_security.yaml instead of the environment variable.

Implemented support for the ref() function when Joi validation is unknown because of untracked target

The hooks for mongodb-core are “replicated” to hook mongodb from version 3.3.0 and later

Added support for PM2 running in both fork and cluster modes.

New config option assess.enable_lazy_tracking for Contrast Node.js 4.X. The default is true and must be set to false to use Fastify http/2.

Rewriter not wrapping file contents in "module wrap" IIFE. (SUP-3732)

The lib/util/trace-util getRequest always returns undefined if sampling is disabled. (NODE-2351)

Custom fastify-static allowedPath path-traversal validator.

Remediated CVE-2021-43138 (Prototype Pollution in async Winston bump).

__import methods can cause an error when the imported module is not yet resolved. (NODE-2341)

ESM loader hooks still operate when agent is disabled. (NODE-2340)

Remediated CVE-2021-43138 (update async dev dependency to a safe version in node-agent).

Remediated CVE-2022-24785 (update moment dependency to a safe version in node-agent, remediating path traversal vulnerability).

Added support for DyanmoDB PartiQL (Assess only).

Fixed deadlinks in NPM agent readme. (Node-2297)

Contrast Service updated to 2.28.19. This resolves CVE-2021-38561.

Remediated CVE-2021-44906 (for minimalist npm library).

Added support for validator.matches() as a custom validator.

Upgraded to  agent-lib 2.2.4.

Added support for MySQL2 library 2.0.0 and later.

False negative occurs when SQL query template contains untrusted data. (SUP-3568)

Remediated CVE-2021-44906 (for minimalist npm library).

Contrast Service updated to 2.28.17.

Remediated CVE-2021-44906 (for minimalist npm library).

Path traversal false negative. (SUP-3558)

Agent tries to rewrite ESM files twice. (NODE-2217)

Remediated CVE-2022-0536 (follow-redirects to a safe version in node-agent)

Remediated CVE-2022-0686 (url-parse to a safe version in node-agent)

Added warning message to CLI-rewriter logging (or stdout)

Added support for hardcoded-key and hardcoded-password vulnerabilities when using CLI-rewriter feature.

Support for ESM syntax (import statements) for Node.js 14 and 16 LTS

New Protect native input analysis processing with:

Agent is ocassionally throwing error: TypeError: Cannot read property 'getAllParents' of null. (SUP-3611)

Rewrite cache path is built incorrectly when mode isn't explicitly set in config. (NODE-2180)

Proxy authentication information showing in logs. (SPEED-1056)

ReThinkDB results in SQLi false negative due to failed instrumentation during propagation. (NODE-2150)

False negative causing Server Side Request Forgery. (NODE-2130)

When parsing the body on the Sails framework, the agent occasionally hangs indefinitely on post requests. (NODE-2125)

Upgraded Contrast service 2.28.12 is bundled with this agent version.

Added support for custom Assess data validation using Mongoose or Joi.

Added support for MongoDB key object expansion Protect rule.

During CLI transpilation, the Node agent no longer logs data if there is no network connectivity or connection to Contrast. (NODE-2083)

When working with large JSON objects, users experience significant Assess performance regressions introduced in Node.js agent 4.9.1. (NODE-2086)

Contrast Service version 2.28.9 is now bundled with the Node.js agent.

When the local YAML configuration and environment variables are set, the Contrast service does not prioritize configuration values as indicated in the order of precedence. (NODE-2084)

When rewrite caching is enabled, the stack trace no longer repeats and writes the correct filename. (NODE-2065)

Contrast Node.js agent version 4.9.0 was non-installable due to a build dependency that requires package-lock.json file. Version 4.9.1 is patched not to require that dependency.

Remediated CVE-2020-7596 by removing codecov dependency from the node-agent (DEV Dependency).

Remediated CVE-2021-43138 (Prototype Pollution in async Winston bump).

Remediated CVE-2021-43138 (update async dev dependency to a safe version in node-agent).

Remediated CVE-2022-24785 (update moment dependency to a safe version in node-agent, remediating path traversal vulnerability).

Remediated CVE-2021-44906 (for minimalist npm library).

Contrast Service updated to 2.28.17.

Remediated CVE-2021-44906 (for minimalist npm library).

Upgraded Contrast service 2.28.12 is bundled with this agent version.

Contrast service version 2.28.9 is now packaged with the Node.js agent.

When the local YAML configuration and environment variables are set, the Node.js agent does not prioritize configuration values as indicated in the order of precedence. (NODE-2084)

Contrast service version 2.28.4 packaged with the Node.js agent