@contrast/agent 4.14.0 → 4.15.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/bin/VERSION +1 -1
- package/bin/linux/contrast-service +0 -0
- package/bin/mac/contrast-service +0 -0
- package/bin/windows/contrast-service.exe +0 -0
- package/lib/assess/propagators/validator/init-hooks.js +2 -1
- package/lib/assess/propagators/validator/validator-methods.js +2 -1
- package/lib/protect/service.js +7 -12
- package/package.json +2 -2
package/bin/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
2.28.
|
|
1
|
+
2.28.19
|
|
Binary file
|
package/bin/mac/contrast-service
CHANGED
|
Binary file
|
|
Binary file
|
|
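--- a/package/lib/assess/propagators/validator/init-hooks.js
+++ b/package/lib/assess/propagators/validator/init-hooks.js
@@ -22,6 +22,7 @@ const moduleHook = require('../../../hooks/require');
 const TagRange = require('../../models/tag-range');
 const tagRangeUtil = require('../../models/tag-range/util');
 const { PropagationEvent, Signature, CallContext } = require('../../models');
+const agent = require('../../../agent');
 
 /**
 * this override propagator instruments each of the classes of methods
@@ -88,7 +89,7 @@ module.exports.handle = function() {
 { name: 'validator', file: `lib/${validator}` },
 (index, meta) => {
 function post(data) {
-if (data.result) {
+if (data.result && (validator !== 'matches' || (validator === 'matches' && agent.config.assess.trust_custom_validators))) {
 const trackingData = tracker.getData(data.args[0]);
 if (trackingData) {
 tagRangeUtil.addInPlace(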
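Review bot: The new guard in `post` carries a redundant sub-check — inside the `||`, `validator === 'matches'` is already implied by the left operand being false, so the whole condition reduces to `validator !== 'matches' || agent.config.assess.trust_custom_validators`. Naming that boolean with a short why-comment would make the trust decision readable at a glance: `// 'matches' runs a caller-supplied regex, so it only counts as validation when the config opts in`, `const trusted = validator !== 'matches' || agent.config.assess.trust_custom_validators;`, `if (data.result && trusted) {`. Whether `agent.config.assess` is always populated by the time this hook fires is not visible here; the `handle` function and the `post` callback both start and end outside the hunk.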
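--- a/package/lib/assess/propagators/validator/validator-methods.js
+++ b/package/lib/assess/propagators/validator/validator-methods.js
@@ -72,7 +72,8 @@ module.exports = {
 isSemVer: 'limited-chars',
 isTaxID: 'limited-chars',
 isUUID: 'alphanum-space-hyphen',
-isVAT: 'alphanum-space-hyphen'
+isVAT: 'alphanum-space-hyphen',
+matches: 'string-type-checked'
 },
 untrackers: [
 // these methods have the tag 'trusted' which the node-agent doesn't support.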
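Review bot: The new `matches` entry is the only one in this table whose effect is gated by configuration — the init-hooks.js change on this page only honours it when `assess.trust_custom_validators` is set — but nothing at the entry says so, and a reader of this file alone would assume it is applied unconditionally like its neighbours. A trailing comment would save the cross-file search: `matches: 'string-type-checked' // caller-supplied regex; only honoured when assess.trust_custom_validators is enabled (see init-hooks.js)`. The enclosing object literal starts and ends outside the hunk.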
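--- a/package/lib/protect/service.js
+++ b/package/lib/protect/service.js
@@ -37,6 +37,8 @@ const UserInputKit = require('../reporter/models/utils/user-input-kit');
 const UserInputFactory = require('../reporter/models/utils/user-input-factory');
 const blockRequest = require('../util/block-request');
 
+const evalOptions = { preferWorthWatching: true };
+
 class ProtectService {
 /**
 * Configures the service to use the provided agent.
@@ -197,7 +199,6 @@ class ProtectService {
 
 const arg = {
 rules,
-preferWorthWatching: true,
 // header names must be lowercase. should this be done in agent-lib?
 headers: req.rawHeaders.map((h, ix) => (ix & 1 ? h : h.toLowerCase()))
 };
@@ -207,7 +208,7 @@ class ProtectService {
 arg.queries = req.url.slice(questionMark + 1);
 }
 
-const findings = this.agentLib.scoreRequestConnect(arg);
+const findings = this.agentLib.scoreRequestConnect(arg, evalOptions);
 
 return findings;
 }
@@ -218,14 +219,12 @@ class ProtectService {
 return {};
 }
 // also, if content-type has multipart...
-const options = { preferWorthWatching: true };
-
 const bodyBuffer = Buffer.concat(chunks);
 
 const findings = this.agentLib.scoreRequestUnknownBody(
 rules,
 bodyBuffer,
-
+evalOptions
 );
 
 // store body buffer on findings for nosqli sink.
@@ -902,11 +901,10 @@ class ProtectService {
 
 const arg = {
 rules: rulesMask,
-preferWorthWatching: true,
 queries,
 };
 
-const findings = this.agentLib.scoreRequestConnect(arg);
+const findings = this.agentLib.scoreRequestConnect(arg, evalOptions);
 
 this.handleAgentLibAnalysis({
 asyncStorageContext: event._ctxt,
@@ -922,11 +920,8 @@ class ProtectService {
 acc.unshift(key, value);
 return acc;
 }, []);
-const
-
-rules: this.getRulesMask(rules),
-cookies
-});
+const arg = { rules: this.getRulesMask(rules), cookies };
+const findings = this.agentLib.scoreRequestConnect(arg, evalOptions);
 this.handleAgentLibAnalysis({
 asyncStorageContext: event._ctxt,
 appContext: {},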
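Review bot: `evalOptions` in the @@ -37 hunk is now one module-level object handed to every `scoreRequestConnect` and `scoreRequestUnknownBody` call (the @@ -207, @@ -218, @@ -902 and @@ -922 hunks), so any mutation of it by the callee would silently change evaluation for all later requests, where the previous per-call literals could not leak state. If agent-lib never writes to its options argument, freezing the object makes that contract explicit and cheap: `const evalOptions = Object.freeze({ preferWorthWatching: true });`. Moving the option out of `arg` into a second parameter presumably depends on the `@contrast/agent-lib` bump to ^2.2.4 in package.json on this page; a one-line comment at the declaration recording that coupling would help whoever next adjusts the dependency range. Each method touched by these hunks starts and ends outside its hunk.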
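--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@contrast/agent",
-"version": "4.
+"version": "4.15.0",
 "description": "Node.js security instrumentation by Contrast Security",
 "keywords": [
 "security",
@@ -76,7 +76,7 @@
 "@babel/template": "^7.10.4",
 "@babel/traverse": "^7.12.1",
 "@babel/types": "^7.12.1",
-"@contrast/agent-lib": "^2.2.
+"@contrast/agent-lib": "^2.2.4",
 "@contrast/distringuish-prebuilt": "^2.2.0",
 "@contrast/flat": "^4.1.1",
 "@contrast/fn-inspect": "^2.4.4",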