@contrast/agent-bundle 5.45.1 → 5.46.0

package/node_modules/@contrast/agent/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "5.45.1",
+  "version": "5.46.0",
   "description": "Assess and Protect agents for Node.js",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -28,15 +28,15 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/agentify": "1.57.0",
-    "@contrast/architecture-components": "1.45.1",
-    "@contrast/assess": "1.63.0",
+    "@contrast/agentify": "1.58.0",
+    "@contrast/architecture-components": "1.46.0",
+    "@contrast/assess": "1.64.0",
     "@contrast/common": "1.37.0",
-    "@contrast/core": "1.57.1",
-    "@contrast/library-analysis": "1.47.1",
-    "@contrast/protect": "1.68.0",
-    "@contrast/route-coverage": "1.49.1",
-    "@contrast/sec-obs": "1.1.1",
-    "@contrast/telemetry": "1.32.1"
+    "@contrast/core": "1.58.0",
+    "@contrast/library-analysis": "1.48.0",
+    "@contrast/protect": "1.69.0",
+    "@contrast/route-coverage": "1.50.0",
+    "@contrast/sec-obs": "1.2.0",
+    "@contrast/telemetry": "1.33.0"
   }
 }

package/node_modules/@contrast/agentify/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agentify",
-  "version": "1.57.0",
+  "version": "1.58.0",
   "description": "Configures Contrast agent services and instrumentation within an application",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -21,21 +21,21 @@
   },
   "dependencies": {
     "@contrast/common": "1.37.0",
-    "@contrast/config": "1.52.1",
-    "@contrast/core": "1.57.1",
-    "@contrast/deadzones": "1.29.1",
-    "@contrast/dep-hooks": "1.26.1",
-    "@contrast/esm-hooks": "2.32.0",
+    "@contrast/config": "1.53.0",
+    "@contrast/core": "1.58.0",
+    "@contrast/deadzones": "1.30.0",
+    "@contrast/dep-hooks": "1.27.0",
+    "@contrast/esm-hooks": "2.33.0",
     "@contrast/find-package-json": "^1.1.0",
-    "@contrast/instrumentation": "1.36.1",
-    "@contrast/logger": "1.30.1",
-    "@contrast/metrics": "1.34.1",
-    "@contrast/patcher": "1.29.1",
+    "@contrast/instrumentation": "1.37.0",
+    "@contrast/logger": "1.31.0",
+    "@contrast/metrics": "1.35.0",
+    "@contrast/patcher": "1.30.0",
     "@contrast/perf": "1.4.0",
-    "@contrast/reporter": "1.55.1",
-    "@contrast/rewriter": "1.34.0",
-    "@contrast/scopes": "1.27.1",
-    "@contrast/sources": "1.3.1",
+    "@contrast/reporter": "1.56.0",
+    "@contrast/rewriter": "1.35.0",
+    "@contrast/scopes": "1.28.0",
+    "@contrast/sources": "1.4.0",
     "on-finished": "^2.4.1",
     "semver": "^7.6.0"
   }

package/node_modules/@contrast/architecture-components/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/architecture-components",
-  "version": "1.45.1",
+  "version": "1.46.0",
   "description": "Detects external systems being connected to by applications.",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -21,8 +21,8 @@
   },
   "dependencies": {
     "@contrast/common": "1.37.0",
-    "@contrast/dep-hooks": "1.26.1",
-    "@contrast/logger": "1.30.1",
-    "@contrast/patcher": "1.29.1"
+    "@contrast/dep-hooks": "1.27.0",
+    "@contrast/logger": "1.31.0",
+    "@contrast/patcher": "1.30.0"
   }
 }

package/node_modules/@contrast/assess/lib/dataflow/sources/handler.js

@@ -45,24 +45,19 @@ module.exports = Core.makeComponent({
     const logger = core.logger.child({ name: 'contrast:sources' });
 
     sources.createTags = function createTags({ inputType, fieldName = '', value, tagNames }) {
-      if (!value?.length) {
-        return null;
-      }
+      if (!value?.length) return null;
 
       const stop = value.length - 1;
-      const tags = {
-        [DataflowTag.UNTRUSTED]: [0, stop]
-      };
+      const tags = { [DataflowTag.UNTRUSTED]: [0, stop] };
 
-      if (tagNames) {
-        for (const tag of tagNames) {
+      if (tagNames)
+        for (const tag of tagNames)
           tags[tag] = [0, stop];
-        }
-      }
 
-      if (inputType === InputType.HEADER && StringPrototypeToLowerCase.call(fieldName) === 'referer') {
-        tags[DataflowTag.HEADER] = [0, stop];
-      }
+      if (
+        inputType === InputType.HEADER &&
+        StringPrototypeToLowerCase.call(fieldName) === 'referer'
+      ) tags[DataflowTag.HEADER] = [0, stop];
 
       return tags;
     };
@@ -89,14 +84,7 @@ module.exports = Core.makeComponent({
         return null;
       }
 
-      // url exclusion
-      if (!sourceContext.policy) {
-        return null;
-      }
-
-      if (!context) {
-        context = inputType;
-      }
+      if (!context) context = inputType;
 
       const { policy: requestPolicy } = sourceContext;
       const max = config.assess.max_context_source_events;
@@ -111,7 +99,10 @@ module.exports = Core.makeComponent({
       }
 
       function createEvent({ fieldName, pathName, value, excludedRules }) {
-        const tagNames = Array.from(excludedRules).map((ruleId) => `excluded:${ruleId}`);
+        let tagNames;
+        if (excludedRules) {
+          tagNames = Array.from(excludedRules).map((ruleId) => `excluded:${ruleId}`);
+        }
         // create the stacktrace once per call to .handle()
         stack || (stack = sources.createStacktrace(stacktraceOpts));
         return eventFactory.createSourceEvent({
@@ -127,7 +118,10 @@ module.exports = Core.makeComponent({
       }
 
       if (Buffer.isBuffer(data) && !tracker.getData(data)) {
-        const { track, excludedRules } = requestPolicy.getInputPolicy(InputType.BODY);
+        const inputPolicy = requestPolicy.getInputPolicy(InputType.BODY);
+        const track = !!inputPolicy;
+        const excludedRules = inputPolicy?.constructor?.name == 'Set' ? inputPolicy : undefined;
+
         if (!track) {
           core.logger.debug({ inputType }, 'assess input exclusion disabled tracking');
           return;
@@ -149,7 +143,10 @@ module.exports = Core.makeComponent({
           return true;
         }
 
-        const { track, excludedRules } = sourceContext.policy.getInputPolicy(inputType, fieldName);
+        const inputPolicy = sourceContext.policy.getInputPolicy(inputType, fieldName);
+        const track = !!inputPolicy;
+        const excludedRules = inputPolicy?.constructor?.name == 'Set' ? inputPolicy : undefined;
+
         if (!track) {
           core.logger.debug({ fieldName, inputType }, 'assess input exclusion disabling tracking');
           return;

package/node_modules/@contrast/assess/lib/get-source-context.js

@@ -53,20 +53,11 @@ function factory(core) {
   core.assess.getPropagatorContext = function getPropagatorContext() {
     if (instrumentation.isLocked()) return null;
 
-    // the following logging used to be done by the caller, but has been moved
-    // here as opposed to overloading `ctx.policy` with a special value so the
-    // caller could determine whether no source context was available or the
-    // request is being intentionally excluded. A negative of this is that the
-    // function name is not available to be included in the log.
     const ctx = sources.getStore()?.assess;
-    if (!ctx) return null;
-
     // there is a context, but if policy is null then assess is intentionally
     // disabled (i.e., url exclusion or the request is not sampled).
-    if (!ctx.policy) {
-      return null;
-    }
-
+    if (!ctx?.policy || ctx?.policy.allowed) return null;
+    // event limits
     if (ctx.propagationEventsCount >= config.assess.max_propagation_events) return null;
 
     return ctx;
@@ -80,13 +71,13 @@ function factory(core) {
     if (instrumentation.isLocked()) return null;
 
     const ctx = sources.getStore()?.assess;
-    if (!ctx) return null;
-
-    if (!ctx.policy) {
-      return null;
-    }
+    if (!ctx?.policy || ctx.policy?.allowed) return null;
+    if (!ruleId) return ctx;
 
-    if (ruleId && !ctx.policy?.enabledRules?.has?.(ruleId) || ruleScopes.isLocked(ruleId)) return null;
+    if (
+      !ctx.policy?.isRuleEnabled?.(ruleId) ||
+      ruleScopes.isLocked(ruleId)
+    ) return null;
 
     return ctx;
   };
@@ -105,10 +96,8 @@ function factory(core) {
       return null;
     }
 
-    if (!ctx.policy) {
-      return null;
-    }
-
+    if (!ctx.policy || ctx.policy.allowed) return null;
+    // event limits
     if (ctx.sourceEventsCount >= config.assess.max_context_source_events) return null;
 
     return ctx;

package/node_modules/@contrast/assess/lib/index.js

@@ -60,7 +60,7 @@ module.exports = function assess(core) {
 
   // ancillary tools used by different features
   require('./sampler')(core);
-  require('./get-policy')(core);
+  core.initComponentSync(require('./policy'));
   core.initComponentSync(require('./make-source-context'));
   require('./rule-scopes')(core);
   core.initComponentSync(require('./get-source-context'));

package/node_modules/@contrast/assess/lib/make-source-context.js

@@ -36,24 +36,19 @@ function factory(core) {
    * @returns {import('@contrast/assess').SourceContext}
    */
   return core.assess.makeSourceContext = function ({ store, incomingMessage: req }) {
-
     try {
       const ctx = store.assess = {
-        // default policy to `null` until it is set later below. this will cause
-        // all instrumentation to short-circuit, see `./get-source-context.js`.
         policy: null,
       };
-
+      // if assess is disabled or not selected for sampling, the policy will
+      // be null (assess disabled) for lifetime of connection, despite UI updates.
       if (!core.config.getEffectiveValue('assess.enable')) return ctx;
-
-      // check whether sampling allows processing
       ctx.sampleInfo = assess.sampler?.getSampleInfo(store.sourceInfo) ?? null;
       if (ctx.sampleInfo?.canSample === false) return ctx;
 
-      // set policy - can be returned as `null` if request is url-excluded.
-      ctx.policy = assess.getPolicy(store.sourceInfo);
-      if (!ctx.policy) return ctx;
-
+      // assess-enabled policy from current effective config, but
+      // policy is dynamic and will respond to settings updates
+      ctx.policy = assess.policy.getRequestPolicy(store.sourceInfo);
       ctx.propagationEventsCount = 0;
       ctx.sourceEventsCount = 0;
       ctx.responseData = {};

package/node_modules/@contrast/assess/lib/policy.js

@@ -0,0 +1,400 @@
+/*
+ * Copyright: 2025 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const {
+  Event,
+  ExclusionType,
+  InputType,
+  Rule,
+  ResponseScanningRule,
+  SessionConfigurationRule,
+  set,
+  primordials: { ArrayPrototypeJoin, RegExpPrototypeTest }
+} = require('@contrast/common');
+const { Core } = require('@contrast/core/lib/ioc/core');
+
+const ASSESS_RULES = Object.values({
+  ...Rule,
+  ...ResponseScanningRule,
+  ...SessionConfigurationRule,
+});
+const BROAD_INPUT_EXCLUSION_TYPES = [
+  ExclusionType.BODY,
+  ExclusionType.QUERYSTRING
+];
+const NAMED_INPUT_EXCLUSION_TYPES = [
+  ExclusionType.COOKIE,
+  ExclusionType.HEADER,
+  ExclusionType.PARAMETER
+];
+const BODY_TYPES = [
+  InputType.BODY,
+  InputType.JSON_VALUE,
+  InputType.JSON_ARRAYED_VALUE,
+  InputType.MULTIPART_CONTENT_TYPE,
+  InputType.MULTIPART_FIELD_NAME,
+  InputType.MULTIPART_NAME,
+  InputType.MULTIPART_VALUE,
+];
+const COMPONENT_NAME = 'assess.policy';
+
+class AssessPolicy {
+  /**
+   * @param {{
+   *  config: import('@contrast/config').Config,
+   *  logger: import('@contrast/logger').Logger,
+   *  messages: import('@contrast/common').Messages,
+   * }} core
+   */
+  constructor(core) {
+    Object.defineProperty(this, 'core', { value: core });
+
+    this.version = Date.now();
+    this.disabledRules = new Set(core.config.getEffectiveValue('assess.rules.disabled_rules'));
+    this.exclusionMap = new Map([
+      [ExclusionType.BODY, []],
+      [ExclusionType.COOKIE, []],
+      [ExclusionType.HEADER, []],
+      [ExclusionType.PARAMETER, []],
+      [ExclusionType.QUERYSTRING, []],
+      [ExclusionType.URL, []],
+    ]);
+
+    core.messages.on(Event.SERVER_SETTINGS_UPDATE, (msg) => {
+      if (!msg.assess && !msg.exclusions) return;
+
+      this.version = Date.now();
+
+      if (msg.assess) {
+        const enabledRules = new Set();
+        this.disabledRules = new Set(core.config.getEffectiveValue('assess.rules.disabled_rules'));
+
+        for (const ruleId of ASSESS_RULES) {
+          const enable = msg.assess[ruleId]?.enable;
+          if (enable === false) {
+            this.disabledRules.add(ruleId);
+            // map to "sub-rules"
+            if (ruleId === Rule.NOSQL_INJECTION) this.disabledRules.add(Rule.NOSQL_INJECTION_MONGO);
+          } else if (enable === true) {
+            enabledRules.add(ruleId);
+            if (ruleId === Rule.NOSQL_INJECTION) enabledRules.add(Rule.NOSQL_INJECTION_MONGO);
+          }
+        }
+        this.core.logger.info({
+          enabledRules,
+          disabledRules: Array.from(this.disabledRules)
+        }, 'Assess policy rules updated');
+      }
+
+      if (msg.exclusions) {
+        for (const arr of this.exclusionMap.values()) arr.length = 0;
+
+        const rawDtmList = [
+          ...(msg?.exclusions?.input || []),
+          ...(msg?.exclusions?.url || []),
+        ].filter((exclusion) => exclusion?.modes?.includes?.('assess'));
+
+        // reset global exclusion state
+        for (const type of Object.values(ExclusionType)) {
+          this.exclusionMap.get(type).length = 0;
+        }
+
+        if (!rawDtmList.length) return;
+
+        for (const dtm of rawDtmList) {
+          // normalize different dtm types
+          dtm.type = dtm.type || 'URL';
+          const { type } = dtm;
+          const key = ExclusionType[type];
+          // defensive code against unanticipated DTM values
+          if (key) {
+            const Ctor = dtm.type === ExclusionType.URL ? UrlExclusion : InputExclusion;
+            this.exclusionMap.get(dtm.type).push(new Ctor(dtm));
+          }
+        }
+
+        this.core.logger.info({
+          exclusions: Object.fromEntries(this.exclusionMap)
+        }, 'Assess exclusions updated (%s total)', rawDtmList.length);
+      }
+    });
+  }
+
+  getRequestPolicy(sourceInfo) {
+    return new RequestPolicy(this.core, sourceInfo);
+  }
+}
+
+class RequestPolicy {
+  /**
+   * @param {{
+   *  config: import('@contrast/config').Config,
+   *  logger: import('@contrast/logger').Logger,
+   *  messages: import('@contrast/common').Messages,
+   * }} core
+   * @param {import('@contrast/common').SourceInfo} sourceInfo
+   */
+  constructor(core, sourceInfo) {
+    Object.defineProperty(this, 'core', { value: core });
+    this.sourceInfo = sourceInfo;
+    this.init();
+  }
+
+  /**
+   * Used to (re)initialize the instance's exclusions, reading from current assess global policy.
+   */
+  init() {
+    const { core, sourceInfo } = this;
+    this.allowed = false;
+    this.version = core.assess.policy.version;
+    this.exclusions = {};
+
+    if (!core.config.getEffectiveValue('assess.enable')) {
+      this.allowed = true;
+      return;
+    }
+
+    // Evaluate URL exclusions.
+    // If one matches and applies to all rules, we set `allowed: true` which will
+    // disable assess for the request (via getSourceContext()). If specific rules are
+    // disabled, we remove them from the request policy's set of enabled rules.
+    for (const urlExclusion of this.core.assess.policy.exclusionMap.get(ExclusionType.URL)) {
+      if (urlExclusion.matchesUriPath(sourceInfo.uriPath)) {
+        if (!urlExclusion.rules?.size) {
+          core.logger.debug({
+            name: urlExclusion.name
+          }, 'All Assess rules have been disabled by URL exclusion');
+          this.allowed = true;
+          // no need to further process exclusions - request will be ignored
+          return;
+        } else {
+          // build as needed
+          if (!this.exclusions.disabledRules) this.exclusions.disabledRules = new Set();
+
+          for (const ruleId of urlExclusion.rules) {
+            this.exclusions.disabledRules.add(ruleId);
+          }
+          core.logger.debug({
+            name: urlExclusion.name,
+            rules: Array.from(urlExclusion.rules),
+          }, 'Assess rules disabled by URL exclusion');
+        }
+      }
+    }
+
+    // Process input exclusions that apply broadly: BODY, QUERYSTRING
+    for (const type of BROAD_INPUT_EXCLUSION_TYPES) {
+      for (const exclusion of core.assess.policy.exclusionMap.get(type)) {
+        if (exclusion.matchesUriPath(sourceInfo.uriPath)) {
+          // build as needed
+          if (!this.exclusions[type]) this.exclusions[type] = { track: true, excludedRules: new Set() };
+          const inputPolicy = this.exclusions[type];
+
+          if (exclusion.rules.size) {
+            for (const ruleId of exclusion.rules) {
+              inputPolicy.excludedRules.add(ruleId);
+            }
+          } else {
+            inputPolicy.track = false;
+            inputPolicy.excludedRules.clear();
+            break;
+          }
+        }
+      }
+    }
+
+    for (const type of NAMED_INPUT_EXCLUSION_TYPES) {
+      for (const exclusion of core.assess.policy.exclusionMap.get(type)) {
+        if (exclusion.matchesUriPath(sourceInfo.uriPath)) {
+          if (!this.exclusions[type]) this.exclusions[type] = [];
+          this.exclusions[type].push(exclusion);
+        }
+      }
+    }
+  }
+
+  /**
+   * Given input type and optional field name will give instructions on how
+   * to track based on global policy and various exclusions that may apply.
+   * @param {} inputType
+   * @param {} fieldName
+   * @returns {boolean|Set<string>} false - do not track
+   *                                true - track
+   *                                Set - track but add tags to exclude these rules
+   */
+  getInputPolicy(inputType, fieldName) {
+    if (this.version < this.core.assess.policy.version) this.init();
+    if (this.allowed) return false; // don't track - request ignored
+
+    let inputRuleExclusions;
+    let excludedRuleIds;
+
+    if (inputType === InputType.HEADER) {
+      inputRuleExclusions = this.exclusions[ExclusionType.HEADER];
+    } else if (inputType === InputType.QUERYSTRING) {
+      if (this.exclusions[ExclusionType.QUERYSTRING]?.track === false) {
+        return false;
+      } else {
+        if (this.exclusions[ExclusionType.QUERYSTRING]?.excludedRules)
+          excludedRuleIds = new Set(this.exclusions[ExclusionType.QUERYSTRING]?.excludedRules);
+        inputRuleExclusions = this.exclusions[ExclusionType.PARAMETER];
+      }
+    } else if (inputType === InputType.URL_PARAMETER) {
+      inputRuleExclusions = this.exclusions[ExclusionType.PARAMETER];
+    } else if ([
+      InputType.COOKIE_NAME,
+      InputType.COOKIE_VALUE
+    ].includes(inputType)) {
+      inputRuleExclusions = this.exclusions[ExclusionType.COOKIE];
+    } else if (BODY_TYPES.includes(inputType)) {
+      if (this.exclusions[ExclusionType.BODY]?.track === false) {
+        return false;
+      } else {
+        inputRuleExclusions = this.exclusions[ExclusionType.PARAMETER];
+      }
+    }
+
+    if (inputRuleExclusions) {
+      for (const exclusion of inputRuleExclusions) {
+        if (exclusion.matchesInputName(fieldName)) {
+          // disables some rules
+          if (exclusion.rules.size) {
+            for (const ruleId of exclusion.rules) {
+              if (!excludedRuleIds) excludedRuleIds = new Set();
+              excludedRuleIds.add(ruleId);
+            }
+          } else {
+            return false; // don't track - all rules disabled
+          }
+        }
+      }
+    }
+
+    if (this.exclusions.disabledRules || excludedRuleIds) {
+      // only URL Exclusions disabled these rules
+      if (!excludedRuleIds) return this.exclusions.disabledRules;
+      // only Input Exclusion disabled these
+      if (!this.exclusions.disabledRules) return excludedRuleIds;
+      // merge since URL Exclusions and Input Exclusions have disabled rules
+      return new Set([...this.exclusions.disabledRules, ...excludedRuleIds]);
+    }
+
+    return true;
+  }
+
+  isRuleEnabled(ruleId) {
+    if (this.version < this.core.assess.policy.version) this.init();
+
+    if (this.allowed) return false;
+
+    return (
+      !this.exclusions.disabledRules?.has?.(ruleId) &&
+      !this.core.assess.policy.disabledRules?.has?.(ruleId)
+    );
+  }
+}
+
+/**
+ * @typedef InputPolicy
+ * @property {boolean} track
+ * @property {Set<Rule>} excludedRules
+ */
+
+class UrlExclusion {
+  constructor(dtm) {
+    this._urlRegex = null;
+    this._urls = new Set();
+    this.name = dtm.name;
+    this.type = ExclusionType[dtm.type];
+    this.rules = new Set(dtm.assess_rules);
+
+    if (dtm.urls.length) {
+      const regexSegments = [];
+      for (const url of dtm.urls) {
+        if (shouldBeRegExp(url)) {
+          regexSegments.push(url);
+        } else {
+          this._urls.add(url);
+        }
+      }
+      if (regexSegments.length) {
+        this._urlRegex = new RegExp(`^${ArrayPrototypeJoin.call(regexSegments, '|')}$`);
+      }
+    }
+  }
+
+  /**
+   * Checks whether the current URI path matches any of the exclusion's URL values.
+   * Exclusions that don't match for the current request will not be enabled. The
+   * interpretation of the DTM is that if its urls list is empty, then that means
+   * it should match all requestss (can be the case for input exclusions).
+   * @param {string} uriPath uri to check
+   * @returns {boolean}
+   */
+  matchesUriPath(uriPath) {
+    return (!this._urlRegex && !this._urls.size) ||
+      this._urls.has(uriPath) ||
+      !!this._urlRegex?.test?.(uriPath);
+  }
+}
+
+class InputExclusion extends UrlExclusion {
+  constructor(dtm) {
+    super(dtm);
+    this._inputNameRegex = null;
+    this._inputName = null;
+
+    // dtm.name value is null for BODY and QUERYSTRING types
+    if (dtm.name) {
+      if (shouldBeRegExp(dtm.name)) {
+        this._inputNameRegex = new RegExp(`^${dtm.name}$`);
+      } else {
+        this._inputName = dtm.name;
+      }
+    }
+  }
+
+  /**
+   * Checks if the provided name matches the value from the exclusion dtm.
+   * @param {string} name field name being evaluated
+   * @returns {boolean}
+   */
+  matchesInputName(name) {
+    // BODY and QUERYSTRING always match since they apply broadly
+    if (!this._inputName && !this._inputNameRegex) return true;
+    return this._inputNameRegex ? RegExpPrototypeTest.call(this._inputNameRegex, name) : this._inputName === name;
+  }
+}
+
+function shouldBeRegExp(str) {
+  return str.indexOf('*') > 0 ||
+    str.indexOf('.') > 0 ||
+    str.indexOf('+') > 0 ||
+    str.indexOf('?') > 0 ||
+    str.indexOf('\\') > 0;
+}
+
+module.exports = Core.makeComponent({
+  name: COMPONENT_NAME,
+  factory(core) {
+    const policy = new AssessPolicy(core);
+    set(core, COMPONENT_NAME, policy);
+    return policy;
+  },
+});
+module.exports.AssessPolicy = AssessPolicy;
+module.exports.RequestPolicy = RequestPolicy;