@contrast/agent 4.19.5 → 4.19.6
|
@@ -25,7 +25,7 @@ const {
|
|
|
25
25
|
const stackFactory = require('../../../core/stacktrace').singleton;
|
|
26
26
|
const { AsyncStorage, KEYS } = require('../../../core/async-storage');
|
|
27
27
|
const semver = require('semver');
|
|
28
|
-
const {
|
|
28
|
+
const { funcInfo } = require('@contrast/fn-inspect');
|
|
29
29
|
const { PATCH_TYPES } = require('../../../constants');
|
|
30
30
|
|
|
31
31
|
class HapiXssSink {
|
|
@@ -107,7 +107,7 @@ class HapiXssSink {
|
|
|
107
107
|
// if route coverage is enabled we put the original function
|
|
108
108
|
// on the wrap in a Symbol, use that if it exists
|
|
109
109
|
handler = handler[ORIG_FUNC] || handler;
|
|
110
|
-
const topFrame =
|
|
110
|
+
const topFrame = funcInfo(handler);
|
|
111
111
|
const stacktrace = stackFactory.createSnapshot({
|
|
112
112
|
constructorOpt: data.hooked,
|
|
113
113
|
prependFrames: [topFrame]
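Review bot: `topFrame` from `funcInfo(handler)` goes straight into `prependFrames: [topFrame]` with no check on the result, whereas the express hunk in this same release guards its call with `if (__handleData && __handleData.file...)`; if funcInfo can return a falsy value for a handler that is not a plain function, the snapshot is built with an undefined frame. The same unchecked use appears in the route-coverage hunk, where `const finfo = funcInfo(func);` is followed by `finfo.file.replace(...)` and a falsy result would throw inside `getSignatureFunc`. Suggest `prependFrames: topFrame ? [topFrame] : []` here and an equivalent early return in `getSignatureFunc`, or a comment stating that the argument is always a function at these call sites if that is guaranteed upstream. The enclosing method starts and ends outside the hunk.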
|
|
@@ -19,7 +19,7 @@ const agentEmitter = require('../../agent-emitter');
|
|
|
19
19
|
const patcher = require('../../hooks/patcher');
|
|
20
20
|
const moduleHook = require('../../hooks/require');
|
|
21
21
|
const { PATCH_TYPES } = require('../../constants');
|
|
22
|
-
const {
|
|
22
|
+
const { funcInfo } = require('@contrast/fn-inspect');
|
|
23
23
|
|
|
24
24
|
class RouteCoverage {
|
|
25
25
|
constructor(agent) {
|
|
@@ -54,7 +54,7 @@ class RouteCoverage {
|
|
|
54
54
|
*/
|
|
55
55
|
getSignatureFunc(route) {
|
|
56
56
|
const func = route._controllerName ? route._controllerCtor : route._handler;
|
|
57
|
-
const finfo =
|
|
57
|
+
const finfo = funcInfo(func);
|
|
58
58
|
const path = finfo.file.replace(`${this.appDir}/`, '');
|
|
59
59
|
const suffix = route._controllerName
|
|
60
60
|
? `${route._controllerName}.${route._methodName}`
|
|
@@ -110,13 +110,16 @@ module.exports = class CallContext {
|
|
|
110
110
|
|
|
111
111
|
if (arg && typeof arg === 'object') {
|
|
112
112
|
for (const key in arg) {
|
|
113
|
-
|
|
114
|
-
|
|
115
|
-
|
|
113
|
+
const trackedData = tracker.getData(arg[key]);
|
|
114
|
+
if (trackedData) {
|
|
115
|
+
const { start, stop } = trackedData.tagRanges[0];
|
|
116
|
+
const taintedString = arg[key].substring(start, stop + 1);
|
|
117
|
+
const taintRangeStart = CallContext.valueString(arg).indexOf(taintedString);
|
|
118
|
+
if (taintRangeStart === -1) {
|
|
116
119
|
// If tracked string is not in the abbreviated stringified obj, disable highlighting
|
|
117
120
|
return new TagRange(0, 0, 'disable-highlighting');
|
|
118
121
|
}
|
|
119
|
-
return new TagRange(
|
|
122
|
+
return new TagRange(taintRangeStart, taintRangeStart + taintedString.length - 1, 'untrusted');
|
|
120
123
|
}
|
|
121
124
|
}
|
|
122
125
|
}
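Review bot: `for (const key in arg)` also visits inherited enumerable properties, so `tracker.getData(arg[key])` runs on prototype members as well as the object's own keys; `if (!Object.hasOwn(arg, key)) continue;` at the top of the loop body keeps the search to own properties. The range is then located by `CallContext.valueString(arg).indexOf(taintedString)`, which returns the first occurrence of the tracked text anywhere in the stringified object, so if the same text appears earlier in a key name or another value the highlight lands on that occurrence rather than the tracked one — worth a comment if that imprecision is accepted. `trackedData.tagRanges[0]` is destructured without checking the array is non-empty, and `arg[key].substring` presumes the tracked value is a string; presumably both are guaranteed by what `tracker.getData` returns, but that should be confirmed or documented. The enclosing method begins outside the hunk.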
|
|
@@ -414,7 +414,7 @@ const instrumentHandler = (layer, id, self, stack) => {
|
|
|
414
414
|
*/
|
|
415
415
|
function getLayerHandleMethod(layer) {
|
|
416
416
|
let methodName = 'handle';
|
|
417
|
-
const __handleData = fnInspect.
|
|
417
|
+
const __handleData = fnInspect.funcInfo(layer.__handle);
|
|
418
418
|
if (__handleData && __handleData.file.includes('express-async-errors')) {
|
|
419
419
|
methodName = '__handle';
|
|
420
420
|
}
|
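--- a/package/lib/library-usage.js
+++ b/package/lib/library-usage.js
@@ -30,7 +30,7 @@ module.exports.listen = function(evalInterval = 1) {
 const handler = (codeEvent) => {
 try {
 if (
-codeEvent.type !== '
+codeEvent.type !== 'LazyCompile' ||
 codeEvent.script.indexOf(`node_modules${path.sep}`) === -1 ||
 reportedFiles.has(codeEvent.script)
 ) {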
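Review bot: The filter `codeEvent.type !== 'LazyCompile' ||` carries no comment explaining why only this code-event kind is relevant to library-usage reporting, and the removed line is truncated in this rendering so the previous value cannot be compared. A one-line comment above the `if (` such as `// only the first lazy-compile of each file under node_modules is reported; other code-event kinds are ignored` would capture the intent, and naming the string as a module-level constant would make the filter easier to adjust if the event type ever changes. The enclosing `listen` function starts and ends outside the hunk.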
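--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@contrast/agent",
-"version": "4.19.
+"version": "4.19.6",
 "description": "Node.js security instrumentation by Contrast Security",
 "keywords": [
 "security",
@@ -77,9 +77,9 @@
 "@babel/traverse": "^7.12.1",
 "@babel/types": "^7.12.1",
 "@contrast/agent-lib": "^4.2.0",
-"@contrast/distringuish-prebuilt": "^
+"@contrast/distringuish-prebuilt": "^3.0.1",
 "@contrast/flat": "^4.1.1",
-"@contrast/fn-inspect": "^
+"@contrast/fn-inspect": "^3.0.0",
 "@contrast/heapdump": "^1.1.0",
 "@contrast/protobuf-api": "^3.2.5",
 "@contrast/require-hook": "^3.0.0",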