@contrast/agent 4.23.1 → 4.24.2

package/esm.mjs

@@ -144,7 +144,7 @@ export async function load(url, context, defaultLoad) {
       });
       helpers.cacheWithSourceMap(agent, filename, result);
     }
-    return { format: type, source: result.code };
+    return { format: type, source: result.code, shortCircuit: true };
   } catch (err) {
     logger.error(
       'Failed to load rewritten code for %s, err: %o, rewritten code %s, loading original code.',

package/lib/assess/models/base-event.js

@@ -112,7 +112,17 @@ class BaseEvent {
     this._expanded = true;
     this.thread = process.pid;
     if (this.source === 'P') {
-      this.source = 'P0';
+      const numArgs = this.context.hasArgsTracked.length;
+      if (numArgs === 1) {
+        this.source = 'P0'
+      } else {
+        this.source = '';
+        for (let i = 0; i < numArgs; i++) {
+          if (this.context.hasArgsTracked[i]) {
+            this.source += `P${i},`;
+          }
+        }  
+      }
     }
 
     if (this.signature) {

package/lib/assess/models/call-context.js

@@ -103,6 +103,25 @@ module.exports = class CallContext {
     return !!(str && typeof str === 'object' && str[PROXY_TARGET]);
   }
 
+  static hasTrackedArg(arg, iteration = 0) {
+    if (tracker.getData(arg)) {
+      return true;
+    }
+
+    if (arg && typeof arg === 'object') {
+
+      for (const key in arg) {
+        if (tracker.getData(arg[key])) {
+          return true;
+        }
+        if (arg[key] && typeof arg[key] === 'object' && iteration < 100) {
+          return CallContext.hasTrackedArg(arg[key], iteration += 1);
+        }  
+      }
+    }
+    return false;
+  }
+
   static getDisplayRange(arg, orgArg = arg, iteration = 0) {
     if (tracker.getData(arg)) {
       return new TagRange(0, arg.length - 1, 'untrusted');
@@ -144,6 +163,7 @@ module.exports = class CallContext {
   set args(args) {
     this.__args = args.map(CallContext.valueString);
     this.argsTracked = args.map((arg) => CallContext.isTracked(arg));
+    this.hasArgsTracked = args.map((arg) => CallContext.hasTrackedArg(arg));
     this.argsDisplayRanges = args.map((arg) => CallContext.getDisplayRange(arg));
   }
 

package/lib/assess/sinks/dynamo.js

@@ -37,6 +37,7 @@ const requiredTags = ['untrusted'];
 const trackSchemaCommands = {
   'scan': {
     attributes: [
+      'FilterExpression',
       'ExclusiveStartKey',
       'ScanFilter'
     ]

package/lib/assess/sinks/mongodb.js

@@ -72,6 +72,9 @@ module.exports = ({ common }) => {
     // 'stats',
     // 'parallelCollectionScan',
     // 'group',
+    // 'insert',
+    // 'insertMany',
+    // 'insertOne',
 
     // related to indexes; unsure what, if anything, needs to be done with these
     // 'createIndex',
@@ -99,9 +102,6 @@ module.exports = ({ common }) => {
     'findOneAndDelete',
     'findOneAndReplace',
     'findOneAndUpdate',
-    'insert',
-    'insertMany',
-    'insertOne',
     'remove',
     'removeOne',
     'replaceOne',

package/lib/reporter/models/finding/event.js

@@ -102,12 +102,15 @@ class Event {
       this.args.push(
         new ObjectDTM(event.context.args[i], event.context.argsTracked[i])
       );
-      if (event.tagRanges[i] 
-        && event.context.argsDisplayRanges
-        && Object.keys(event.context.argsDisplayRanges[i]).length
-        ) {
-        event.tagRanges[i] = event.context.argsDisplayRanges[i];
-      }
+    }
+
+    
+    const displayRanges = event.context.argsDisplayRanges.filter((tagRange) => Object.keys(tagRange).length);;
+
+    if (displayRanges.length) {
+      // If displayRanges is non-empty (=/= [{}]), use that instead
+      // since it's more accurate when reporting
+      event.tagRanges = displayRanges;
     }
 
     if (event.code) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.23.1",
+  "version": "4.24.2",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",