@contrast/agent 4.23.1 → 4.24.0

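--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -112,7 +112,17 @@ class BaseEvent {
  this._expanded = true;
  this.thread = process.pid;
  if (this.source === 'P') {
- this.source = 'P0';
+ const numArgs = this.context.hasArgsTracked.length;
+ if (numArgs === 1) {
+ this.source = 'P0'
+ } else {
+ this.source = '';
+ for (let i = 0; i < numArgs; i++) {
+ if (this.context.hasArgsTracked[i]) {
+ this.source += `P${i},`;
+ }
+ }
+ }
  }
  
  if (this.signature) {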
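Review bot: The `else` branch leaves a trailing comma in `this.source` (for example `P0,P2,`) because every tracked index appends `P${i},`, and a call whose arguments are all untracked turns the original `'P'` into an empty string; unless a downstream parser strips that comma, building the list with a join avoids both, `this.source = numArgs === 1 ? 'P0' : this.context.hasArgsTracked.map((tracked, i) => (tracked ? 'P' + i : null)).filter(Boolean).join(',');`. `this.context.hasArgsTracked` is populated only by the `args` setter on CallContext, so reading `.length` here throws if an event is built from a context whose args were never assigned — guard with `?? []` if that path exists. Line 117 also drops the semicolon after `'P0'` that the surrounding code uses. The enclosing method starts and ends outside the hunk.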
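--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -103,6 +103,25 @@ module.exports = class CallContext {
  return !!(str && typeof str === 'object' && str[PROXY_TARGET]);
  }
  
+ static hasTrackedArg(arg, iteration = 0) {
+ if (tracker.getData(arg)) {
+ return true;
+ }
+
+ if (arg && typeof arg === 'object') {
+
+ for (const key in arg) {
+ if (tracker.getData(arg[key])) {
+ return true;
+ }
+ if (arg[key] && typeof arg[key] === 'object' && iteration < 100) {
+ return CallContext.hasTrackedArg(arg[key], iteration += 1);
+ }
+ }
+ }
+ return false;
+ }
+
  static getDisplayRange(arg, orgArg = arg, iteration = 0) {
  if (tracker.getData(arg)) {
  return new TagRange(0, arg.length - 1, 'untrusted');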
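Review bot: `hasTrackedArg` returns the result of the first nested-object recursion directly (`return CallContext.hasTrackedArg(arg[key], iteration += 1);`), so once it descends into a child that holds no tracked data it reports false without inspecting the remaining keys; an input shaped like `{ a: { x: 1 }, b: tracked }` is missed and that argument is reported as untracked. Turning that into a conditional return fixes the false negative, but then the `iteration < 100` bound alone no longer limits work on self-referencing input (a cyclic object reachable through several keys is re-walked at every depth level), so a visited set should be threaded through the recursion at the same time, and `iteration += 1` stops mutating the parameter. A short JSDoc stating that this is a depth-first walk over enumerable keys — inherited ones included, since it uses `for...in` — would help callers such as the `args` setter. `getDisplayRange` starts inside the hunk and continues past it.
```javascript
static hasTrackedArg(arg, iteration = 0, seen = new Set()) {
  if (tracker.getData(arg)) {
    return true;
  }
  // stop on non-objects, past the depth bound, or on an object already visited (cycles)
  if (!arg || typeof arg !== 'object' || iteration >= 100 || seen.has(arg)) {
    return false;
  }
  seen.add(arg);
  for (const key in arg) {
    if (CallContext.hasTrackedArg(arg[key], iteration + 1, seen)) {
      return true;
    }
  }
  return false;
}
```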
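--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -144,6 +163,7 @@ module.exports = class CallContext {
  set args(args) {
  this.__args = args.map(CallContext.valueString);
  this.argsTracked = args.map((arg) => CallContext.isTracked(arg));
+ this.hasArgsTracked = args.map((arg) => CallContext.hasTrackedArg(arg));
  this.argsDisplayRanges = args.map((arg) => CallContext.getDisplayRange(arg));
  }
  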
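--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -37,6 +37,7 @@ const requiredTags = ['untrusted'];
  const trackSchemaCommands = {
  'scan': {
  attributes: [
+ 'FilterExpression',
  'ExclusiveStartKey',
  'ScanFilter'
  ]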
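--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -102,12 +102,15 @@ class Event {
  this.args.push(
  new ObjectDTM(event.context.args[i], event.context.argsTracked[i])
  );
- if (event.tagRanges[i]
- && event.context.argsDisplayRanges
- && Object.keys(event.context.argsDisplayRanges[i]).length
- ) {
- event.tagRanges[i] = event.context.argsDisplayRanges[i];
- }
+ }
+
+
+ const displayRanges = event.context.argsDisplayRanges.filter((tagRange) => Object.keys(tagRange).length);;
+
+ if (displayRanges.length) {
+ // If displayRanges is non-empty (=/= [{}]), use that instead
+ // since it's more accurate when reporting
+ event.tagRanges = displayRanges;
  }
  
  if (event.code) {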
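Review bot: Filtering `argsDisplayRanges` before assigning it to `event.tagRanges` breaks the positional pairing the removed code kept (`event.tagRanges[i] = event.context.argsDisplayRanges[i]`): when the first argument's range is `{}` and the second's is not, the second argument's range now sits at index 0, so if the reporter indexes `tagRanges` by argument position, as the removed per-index assignment suggests, ranges are attributed to the wrong argument. A positional merge keeps the intent stated in the comment, `event.tagRanges = displayRanges.map((range, i) => (Object.keys(range).length ? range : event.tagRanges[i]));`, with the `if` testing `displayRanges.some((range) => Object.keys(range).length)` instead of `displayRanges.length`. The removed guard on `event.context.argsDisplayRanges` being present is gone as well, so `.filter` throws if the context's `args` setter never ran; `const displayRanges = event.context.argsDisplayRanges ?? [];` restores it and also drops the doubled `;;` on line 108. The enclosing loop and method start outside the hunk.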
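--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@contrast/agent",
- "version": "4.23.1",
+ "version": "4.24.0",
  "description": "Node.js security instrumentation by Contrast Security",
  "keywords": [
  "security",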