@contrast/agent 4.19.1 → 4.19.4

package/changelog.config.js

@@ -17,7 +17,7 @@ Copyright: 2022 Contrast Security, Inc
 module.exports = {
   jira: {
     baseUrl: `https://${process.env.JIRA_HOST}`,
-    ticketIDPattern: /(NODE+-?[0-9]{4})/i,
+    ticketIDPattern: /(NODE-?\s?[0-9]{4})/i,
     excludeIssueTypes: ['Sub-task', 'Release'],
     api: {
       host: process.env.JIRA_HOST,
@@ -33,7 +33,7 @@ module.exports = {
 ### Jira Tickets
 ---------------------
 <% blockTickets.forEach(ticket => { -%>
-  * <<%= ticket.fields.issuetype.name %>> - <%- ticket.fields.summary %>
+  * [<%= ticket.fields.issuetype.name %>] - <%- ticket.fields.summary %>
     [<%= ticket.key %>](<%= jira.baseUrl + '/browse/' + ticket.key %>)
 <% }); -%>
 <% if (!blockTickets.length) {%> ~ None ~ <% } %>

package/lib/assess/models/call-context.js

@@ -20,6 +20,7 @@ const tracker = require('../../tracker');
 const stackFactory = require('../../core/stacktrace').singleton;
 const distringuish = require('@contrast/distringuish-prebuilt');
 const { PROXY_TARGET } = require('../../../lib/constants');
+const TagRange = require('../models/tag-range');
 
 /**
  * Holds information about the call context of a function
@@ -102,6 +103,26 @@ module.exports = class CallContext {
     return !!(str && typeof str === 'object' && str[PROXY_TARGET]);
   }
 
+  static getDisplayRange(arg) {
+    if (tracker.getData(arg)) {
+      return new TagRange(0, arg.length - 1, 'untrusted');
+    }
+
+    if (arg && typeof arg === 'object') {
+      for (const key in arg) {
+        if (tracker.getData(arg[key])) {
+          const start = CallContext.valueString(arg).indexOf(arg[key]);
+          if (start === -1) {
+            // If tracked string is not in the abbreviated stringified obj, disable highlighting
+            return new TagRange(0, 0, 'disable-highlighting');
+          }
+          return new TagRange(start, start + arg[key].length - 1, 'untrusted');
+        }
+      }
+    }
+    return {};
+  }
+
   set result(result) {
     this.__result = CallContext.valueString(result);
     this.resultTracked = CallContext.isTracked(result);
@@ -113,6 +134,7 @@ module.exports = class CallContext {
   set args(args) {
     this.__args = args.map(CallContext.valueString);
     this.argsTracked = args.map((arg) => CallContext.isTracked(arg));
+    this.argsDisplayRanges = args.map((arg) => CallContext.getDisplayRange(arg));
   }
 
   get args() {

package/lib/core/async-storage/hooks/mongodb.js

@@ -25,6 +25,7 @@ const utils = require('./utils');
  * Hooks a method to properly bind to AsyncStorage
  * @param {Object} prototype to hook
  * @param {String} method to hook
+ * @param {String} patchName of the patch
  */
 function hookMethod(obj, method, patchName) {
   patcher.patch(obj, method, {
@@ -72,23 +73,24 @@ function init() {
       file: 'lib/topologies/server.js',
       version: '>=3.3.0 <4.0.0'
     },
-    (server) => patcher.patch(server, {
-      name: 'mongodb.Server',
-      patchType: ASYNC_CONTEXT,
-      alwaysRun: true,
-      post: (data) => {
-        const methods = ['command', 'insert', 'update', 'remove'];
-        for (const method of methods) {
-          hookMethod(data.result, method, 'mongodb.Server');
+    (server) =>
+      patcher.patch(server, {
+        name: 'mongodb.Server',
+        patchType: ASYNC_CONTEXT,
+        alwaysRun: true,
+        post: (data) => {
+          const methods = ['command', 'insert', 'update', 'remove'];
+          for (const method of methods) {
+            hookMethod(data.result, method, 'mongodb.Server');
+          }
         }
-      }
-    })
+      })
   );
 
   requireHook.resolve(
     { name: 'mongodb', file: 'lib/cursor.js', version: '>=3.3.0 <4.0.0' },
-    (cursor) => patcher.patch(cursor,
-      {
+    (cursor) =>
+      patcher.patch(cursor, {
         name: 'mongodb.Cursor',
         patchType: ASYNC_CONTEXT,
         alwaysRun: true,

package/lib/reporter/models/event-tag.js

@@ -12,6 +12,8 @@ Copyright: 2022 Contrast Security, Inc
   engineered, modified, repackaged, sold, redistributed or otherwise used in a
   way not consistent with the End User License Agreement.
 */
+'use strict';
+
 const { TAGS } = require('../../constants');
 
 /**
@@ -23,10 +25,11 @@ class EventTag {
    */
   constructor(tagRange) {
     this.tag = TAGS[tagRange.tag] || 'CUSTOM';
+    this.offset = this.tag === 'disable-highlighting' ? 0 : 1;
     // agent tracks ranges as [start,stop] (inclusive,inclusive)
     // but TS interprets as [start,stop) (inclusive,exclusive)
     // so we need to add 1 to stop
-    this.range = `${tagRange.start}:${tagRange.stop + 1}`;
+    this.range = `${tagRange.start}:${tagRange.stop + this.offset}`;
   }
 }
 

package/lib/reporter/models/finding/event.js

@@ -102,6 +102,12 @@ class Event {
       this.args.push(
         new ObjectDTM(event.context.args[i], event.context.argsTracked[i])
       );
+      if (event.tagRanges[i] 
+        && event.context.argsDisplayRanges
+        && Object.keys(event.context.argsDisplayRanges[i]).length
+        ) {
+        event.tagRanges[i] = event.context.argsDisplayRanges[i];
+      }
     }
 
     if (event.code) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.19.1",
+  "version": "4.19.4",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",
@@ -81,7 +81,7 @@
     "@contrast/flat": "^4.1.1",
     "@contrast/fn-inspect": "^2.4.4",
     "@contrast/heapdump": "^1.1.0",
-    "@contrast/protobuf-api": "^3.2.3",
+    "@contrast/protobuf-api": "^3.2.5",
     "@contrast/require-hook": "^3.0.0",
     "@contrast/synchronous-source-maps": "^1.1.0",
     "amqp-connection-manager": "^3.2.2",
@@ -200,7 +200,6 @@
   },
   "bundleDependencies": [
     "winston",
-    "winston-syslog",
     "winston-daily-rotate-file"
   ]
 }