npm - @contrast/agent - Versions diffs - 4.25.2 → 4.25.4 - Mend

@contrast/agent 4.25.2 → 4.25.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (59) hide show

package/lib/assess/express/sinks/xss.js CHANGED Viewed

@@ -72,7 +72,7 @@ class ExpressXss {
         ruleId
       })
     ) {
-      const ctxt = new CallContext({
+      const ctxt = CallContext.create({
         obj: body,
         args: [body],
         result: body,

package/lib/assess/fastify/sinks/unvalidated-redirect.js CHANGED Viewed

@@ -80,7 +80,7 @@ class FastifyRedirectSink {
         const url = typeof code === 'string' ? code : data.args[1];
         if (isVulnerable({ input: url, disallowedTags, requiredTags })) {
-          const ctxt = new CallContext({
+          const ctxt = CallContext.create({
             obj: Reply,
             args: [url],
             result: url

package/lib/assess/fastify/sinks/xss.js CHANGED Viewed

@@ -209,13 +209,13 @@ class FastifyXssSink {
           const replyState = AsyncStorage.get(KEYS.FASTIFY_REPLY_SEND_STATE);
           // If the handler called Reply.send with a vuln report that stack.  Otherwise just report the current stack
           const ctxt = replyState
-            ? new CallContext({
+            ? CallContext.create({
                 obj: replyState.reply,
                 args: [replyState.payload],
                 result: null,
                 stacktrace: replyState.stack
               })
-            : new CallContext({
+            : CallContext.create({
                 obj: data.obj,
                 args: [payload],
                 result: null,

package/lib/assess/hapi/sinks/unvalidated-redirect.js CHANGED Viewed

@@ -82,7 +82,7 @@ class HapiRedirectSink {
         }
         const [url] = data.args;
         if (isVulnerable({ input: url, disallowedTags, requiredTags })) {
-          const ctxt = new CallContext({
+          const ctxt = CallContext.create({
             obj: data.obj,
             args: [url],
             result: url,

package/lib/assess/hapi/sinks/xss.js CHANGED Viewed

@@ -151,7 +151,7 @@ class HapiXssSink {
         const { handler, stack: stacktrace } = AsyncStorage.get(
           KEYS.HAPI_CALLER
         );
-        const ctxt = new CallContext({
+        const ctxt = CallContext.create({
           obj: handler,
           args: [source],
           result: source,

package/lib/assess/koa/sinks/unvalidated-redirect.js CHANGED Viewed

@@ -78,7 +78,7 @@ class KoaRedirectSink {
         }
         const [url] = data.args;
         if (isVulnerable({ input: url, disallowedTags, requiredTags })) {
-          const ctxt = new CallContext({
+          const ctxt = CallContext.create({
             obj: data.obj,
             args: [url],
             result: url,

package/lib/assess/koa/sinks/xss.js CHANGED Viewed

@@ -98,7 +98,7 @@ class KoaXssSink {
         const { _cs_stack } = ctx;
         // The CallContext instance will use _cs_stack function if defined,
         // otherwise will generate one based on stackOpts
-        const ctxt = new CallContext({
+        const ctxt = CallContext.create({
           obj: ctx.response,
           args: [body],
           result: body,

package/lib/assess/loopback4/sinks/xss.js CHANGED Viewed

@@ -61,7 +61,7 @@ class LoopbackXss {
         ruleId
       })
     ) {
-      const ctxt = new CallContext({
+      const ctxt = CallContext.create({
         obj: body,
         args: [body],
         result: body,

package/lib/assess/membrane/deserialization-membrane.js CHANGED Viewed

@@ -41,7 +41,7 @@ class DeserializationMembrane extends Membrane {
   }
   onString(str, metadata) {
-    const context = new CallContext({
+    const context = CallContext.create({
       obj: this.obj,
       args: [this.arg],
       result: this.result,

package/lib/assess/membrane/source-membrane.js CHANGED Viewed

@@ -149,7 +149,7 @@ module.exports = class SourceMembrane extends Membrane {
   makeCallContext(object, constructorOpt) {
     // capture the source of all the properties now, not when a string is
     // referenced.
-    const context = new CallContext({
+    const context = CallContext.create({
       obj: 'IncomingMessage',
       args: [''],
       result: object,
@@ -202,7 +202,7 @@ module.exports = class SourceMembrane extends Membrane {
    */
   setTrackingData(trackResult, metadata) {
     const { str: tracked, props: trackData } = trackResult;
-    const context = new CallContext({
+    const context = CallContext.create({
       obj: 'IncomingMessage',
       args: [metadata.path],
       result: tracked,

package/lib/assess/models/call-context.js CHANGED Viewed

@@ -13,9 +13,9 @@ Copyright: 2022 Contrast Security, Inc
   way not consistent with the End User License Agreement.
 */
 'use strict';
 const _ = require('lodash');
 const util = require('util');
-const CleanStack = require('../../util/clean-stack');
 const tracker = require('../../tracker');
 const stackFactory = require('../../core/stacktrace').singleton;
 const { PROXY_TARGET } = require('../../../lib/constants');
@@ -25,147 +25,26 @@ const { toUntrackedString } = require('../utils');
 /**
  * Holds information about the call context of a function
  */
-module.exports = class CallContext {
-  /**
-   * Create a CallContext.
-   *
-   * @param {Object} obj       - the 'this' for the finding
-   * @param {Array} args       - arguments passed to the function
-   * @param {*} result         - return value
-   * @param {CallSite[]} stack - the callstack for the event
-   */
-  constructor(...rest) {
-    if (rest.length === 1 && rest[0] !== undefined) {
-      this.init(rest[0]);
-    } else {
-      this.initLegacy(...rest);
-    }
-  }
-  /**
-   * Initialize from parameterized constructor option.
-   * @param {object} data constructor params
-   */
-  init(data) {
-    const {
-      obj = {},
-      args = [],
-      result,
-      stackOpts = {
-        constructorOpt: data.hooked,
-        prependFrames: null
-      }
-    } = data;
-    const stacktrace =
-      data.stacktrace ||
-      stackFactory.createSnapshot({
-        constructorOpt: stackOpts.constructorOpt
-      });
+class CallContext {
+  constructor({ obj = {}, args = [], result }) {
     this.obj = obj;
     this.args = args;
     this.result = result;
-    Object.defineProperty(this, 'stack', {
-      get() {
-        if (!this._stack) {
-          this._stack = stacktrace();
-        }
-        return this._stack;
-      },
-      set(value) {
-        this._stack = value;
-      }
-    });
-  }
-  /**
-   * Initialize from array of constructor options. This will go away once all
-   * callers use params e.g. `ApplicaitonContext` will need conversion.
-   * @param {array} rest array of constructor args
-   */
-  initLegacy(...rest) {
-    const obj = rest[0] || {};
-    const args = rest[1] || [];
-    const result = rest[2];
-    const stack = rest[3];
-    this.obj = obj;
-    this.args = args;
-    this.result = result;
-    decorateCallContext(this, stack || new CleanStack());
-  }
-  static isTracked(str) {
-    if (tracker.getData(str)) {
-      return true;
-    }
-    return !!(str && typeof str === 'object' && str[PROXY_TARGET]);
-  }
-  static hasTrackedArg(arg, iteration = 0) {
-    if (tracker.getData(arg)) {
-      return true;
-    }
-    if (arg && typeof arg === 'object') {
-      for (const key in arg) {
-        if (tracker.getData(arg[key])) {
-          return true;
-        }
-        if (arg[key] && typeof arg[key] === 'object' && iteration < 100) {
-          return CallContext.hasTrackedArg(arg[key], iteration += 1);
-        }
-      }
-    }
-    return false;
-  }
-  // eslint-disable-next-line complexity
-  static getDisplayRange(arg, orgArg = arg, iteration = 0) {
-    if (tracker.getData(arg)) {
-      return new TagRange(0, arg.length - 1, 'untrusted');
-    }
-    if (arg && typeof arg === 'object') {
-      for (const key in arg) {
-        if (arg[key] && typeof arg[key] === 'object' && iteration < 5) {
-          const nestedDisplayRange = CallContext.getDisplayRange(arg[key], orgArg, iteration += 1);
-          if (!_.isEmpty(nestedDisplayRange)) {
-            return nestedDisplayRange;
-          }
-        }
-        const trackedData = tracker.getData(arg[key]);
-        if (trackedData && trackedData.tagRanges.length > 0) {
-          const { start, stop } = trackedData.tagRanges[0];
-          const offset = Array.isArray(orgArg) ? 2 : 0;
-          const taintedString = arg[key].substring(start, stop + 1);
-          const taintRangeStart = CallContext.valueString(orgArg).indexOf(taintedString) + offset;
-          if (taintRangeStart === -1) {
-            // If tracked string is not in the abbreviated stringified obj, disable highlighting
-            return new TagRange(0, 0, 'disable-highlighting');
-          }
-          return new TagRange(taintRangeStart, taintRangeStart + taintedString.length - 1, 'untrusted');
-        }
-      }
-    }
-    return {};
   }
   set result(result) {
-    this.__result = CallContext.valueString(result);
-    this.resultTracked = CallContext.isTracked(result);
+    this.__result = valueString(result);
+    this.resultTracked = isTracked(result);
   }
   get result() {
     return this.__result;
   }
   set args(args) {
-    this.__args = args.map(CallContext.valueString);
-    this.argsTracked = args.map((arg) => CallContext.isTracked(arg));
-    this.hasArgsTracked = args.map((arg) => CallContext.hasTrackedArg(arg));
-    this.argsDisplayRanges = args.map((arg) => CallContext.getDisplayRange(arg));
+    this.__args = args.map(valueString);
+    this.argsTracked = args.map((arg) => isTracked(arg));
+    this.hasArgsTracked = args.map((arg) => hasTrackedArg(arg));
+    this.argsDisplayRanges = args.map((arg) => getDisplayRange(arg));
   }
   get args() {
@@ -173,53 +52,135 @@ module.exports = class CallContext {
   }
   set obj(obj) {
-    this.__obj = CallContext.valueString(obj);
-    this.objTracked = CallContext.isTracked(obj);
+    this.__obj = valueString(obj);
+    this.objTracked = isTracked(obj);
   }
   get obj() {
     return this.__obj;
   }
+}
-  /**
-   * Returns either the value of a string passed into it, or the constructor
-   * name for an object passed into it.
-   * @static
-   * @param {*} value
-   * @return {string}
-   */
-  static valueString(value) {
-    if (_.isString(value)) {
-      return toUntrackedString(value);
-    }
+function isTracked(str) {
+  if (tracker.getData(str)) {
+    return true;
+  }
+  return !!(str && typeof str === 'object' && str[PROXY_TARGET]);
+}
-    if (_.isNumber(value)) {
-      return value.toString();
-    }
+function hasTrackedArg(arg, iteration = 0) {
+  if (tracker.getData(arg)) {
+    return true;
+  }
-    const type = _.get(value, 'constructor.name', 'null');
+  if (arg && typeof arg === 'object') {
-    if ((type === 'Object' || type === 'Array') && value) {
-      // make string representation uniform with no new lines and consistent spaces
-      let str = util
-        .inspect(value)
-        .replace(/(\n|\s+)/g, (match) => (match === '\n' ? '' : ' '));
-      if (str.length > 50) {
-        str = str.substring(0, 50);
-        str += '...';
+    for (const key in arg) {
+      if (tracker.getData(arg[key])) {
+        return true;
       }
+      if (arg[key] && typeof arg[key] === 'object' && iteration < 100) {
+        return hasTrackedArg(arg[key], iteration += 1);
+      }
+    }
+  }
+  return false;
+}
+// eslint-disable-next-line complexity
+function getDisplayRange(arg, orgArg = arg, iteration = 0) {
+  if (tracker.getData(arg)) {
+    return new TagRange(0, arg.length - 1, 'untrusted');
+  }
-      return str;
+  if (arg && typeof arg === 'object') {
+    for (const key in arg) {
+      if (arg[key] && typeof arg[key] === 'object' && iteration < 5) {
+        const nestedDisplayRange = getDisplayRange(arg[key], orgArg, iteration += 1);
+        if (!_.isEmpty(nestedDisplayRange)) {
+          return nestedDisplayRange;
+        }
+      }
+      const trackedData = tracker.getData(arg[key]);
+      if (trackedData && trackedData.tagRanges.length > 0) {
+        const { start, stop } = trackedData.tagRanges[0];
+        const offset = Array.isArray(orgArg) ? 2 : 0;
+        const taintedString = arg[key].substring(start, stop + 1);
+        const taintRangeStart = valueString(orgArg).indexOf(taintedString) + offset;
+        if (taintRangeStart === -1) {
+          // If tracked string is not in the abbreviated stringified obj, disable highlighting
+          return new TagRange(0, 0, 'disable-highlighting');
+        }
+        return new TagRange(taintRangeStart, taintRangeStart + taintedString.length - 1, 'untrusted');
+      }
     }
-    return type;
   }
-};
+  return {};
+}
 /**
- *
- * @param {*} instance The instance to decorate
+ * Returns either the value of a string passed into it, or the constructor
+ * name for an object passed into it.
+ * @static
+ * @param {*} value
+ * @return {string}
  */
-const decorateCallContext = (instance, stack) => {
+function valueString(value) {
+  if (_.isString(value)) {
+    return toUntrackedString(value);
+  }
+  if (_.isNumber(value)) {
+    return value.toString();
+  }
+  const type = _.get(value, 'constructor.name', 'null');
+  if ((type === 'Object' || type === 'Array') && value) {
+    // make string representation uniform with no new lines and consistent spaces
+    let str = util
+      .inspect(value)
+      .replace(/(\n|\s+)/g, (match) => (match === '\n' ? '' : ' '));
+    if (str.length > 50) {
+      str = str.substring(0, 50);
+      str += '...';
+    }
+    return str;
+  }
+  return type;
+}
+function create(params) {
+  const instance = new CallContext(params);
+  const snapshot = params.stacktrace || stackFactory.createSnapshot({
+    constructorOpt: params.hooked
+  });
+  let stack;
+  // If this occurs within the constructor it will leak all references within
+  // the snapshot's closure.
   Object.defineProperty(instance, 'stack', {
-    value: stack.build().stack
+    enumerable: true,
+    configurable: true,
+    get() {
+      if (!stack) {
+        stack = snapshot();
+      }
+      return stack;
+    },
+    set(value) {
+      stack = value;
+    }
   });
+  return instance;
+}
+module.exports = {
+  create,
+  valueString,
+  hasTrackedArg,
+  isTracked,
+  getDisplayRange
 };

package/lib/assess/propagators/JSON/stringify.js CHANGED Viewed

@@ -250,6 +250,7 @@ module.exports.handle = function() {
       data.args = [input, contrastReplacer, space];
     },
+    // eslint-disable-next-line complexity
     post(data) {
       if (!data.metadata.propagate) {
         return data.result;
@@ -300,7 +301,7 @@ module.exports.handle = function() {
         customSources.push(
           new SourceEvent({
-            context: new CallContext({
+            context: CallContext.create({
               obj,
               args: data.args,
               result: data.result,
@@ -341,7 +342,7 @@ module.exports.handle = function() {
       }
       props.event = new PropagationEvent({
-        context: new CallContext(data),
+        context: CallContext.create(data),
         signature: sig,
         tagRanges: props.tagRanges,
         source: 'P',

package/lib/assess/propagators/array-prototype-join.js CHANGED Viewed

@@ -149,7 +149,7 @@ function createEvent(
     srcType = 'P';
   }
   const signature = new Signature('Array.prototype.join');
-  const context = new CallContext(data);
+  const context = CallContext.create(data);
   const event = new PropagationEvent({
     context,
     signature,

package/lib/assess/propagators/common.js CHANGED Viewed

@@ -94,7 +94,7 @@ const findPropagatorInPolicy = (method) => {
  */
 const createEvent = ({ tagRanges, method, parents }, data) => {
   const signature = new Signature(method);
-  const context = new CallContext(data);
+  const context = CallContext.create(data);
   const prop = findPropagatorInPolicy(method);
   return new PropagationEvent({
     context,
@@ -118,7 +118,7 @@ const trackResult = (metadata, data) => {
     const tracked = tracker.track(data.result);
     if (tracked) {
       tracked.props.tagRanges = metadata.tagRanges;
-      tracked.props.event = createEvent(metadata, data);
+      tracked.props.event = createEvent(metadata, data);
       data.result = tracked.str;
     }
   }

package/lib/assess/propagators/fastify-static/allowed-path.js CHANGED Viewed

@@ -59,7 +59,7 @@ module.exports.handle = function handle() {
                         );
                         tagRangeUtil.removeInPlace(trackingData.tagRanges, ['untrusted']);
-                        const context = new CallContext(data);
+                        const context = CallContext.create(data);
                         const event = new PropagationEvent({
                           context,
                           signature: new Signature('fastify-static.allowedPath'),

package/lib/assess/propagators/handlebars-escape-expresssion.js CHANGED Viewed

@@ -55,7 +55,7 @@ function patchUtilsExport(utilsExport) {
         );
         const event = new PropagationEvent({
-          context: new CallContext(data),
+          context: CallContext.create(data),
           parents: [trackData.event],
           signature: new Signature(
             'handlebars/dist/cjs/handlebars/utils.escapeExpression'

package/lib/assess/propagators/joi/boolean.js CHANGED Viewed

@@ -50,7 +50,7 @@ function instrumentJoiBoolean(boolean) {
             new TagRange(0, data.args[0].length - 1, 'alphanum-space-hyphen')
           );
           trackingData.event = new PropagationEvent({
-            context: new CallContext(data),
+            context: CallContext.create(data),
             signature: new Signature('joi.boolean.coerce'),
             tagRanges: trackingData.tagRanges,
             source: 'P',

package/lib/assess/propagators/joi/number.js CHANGED Viewed

@@ -49,7 +49,7 @@ function instrumentJoiNumber(number) {
             new TagRange(0, data.args[0].length - 1, 'limited-chars')
           );
           trackingData.event = new PropagationEvent({
-            context: new CallContext(data),
+            context: CallContext.create(data),
             signature: new Signature('joi.number.coerce'),
             tagRanges: trackingData.tagRanges,
             source: 'P',

package/lib/assess/propagators/joi/string-base.js CHANGED Viewed

@@ -87,7 +87,7 @@ function instrumentJoiString(string) {
             new TagRange(0, input.length - 1, 'string-type-checked')
           );
           trackingData.event = new PropagationEvent({
-            context: new CallContext(data),
+            context: CallContext.create(data),
             signature: new Signature('joi.string.validate'),
             tagRanges: trackingData.tagRanges,
             source: 'P',

package/lib/assess/propagators/joi/string-schema.js CHANGED Viewed

@@ -179,7 +179,7 @@ function createPropagationEvent({
 }) {
   const { event: lastEvent } = trackedArgsData;
-  const context = new CallContext(data);
+  const context = CallContext.create(data);
   const signature = new Signature(`joi.string.${joiMethod}`);
   const event = new PropagationEvent({

package/lib/assess/propagators/manager.js CHANGED Viewed

@@ -84,7 +84,7 @@ module.exports = function Propagator(agent, propagationDescriptor) {
     const sourceMeta = getSourcesMetadata(sources);
     const { tagRanges: sourceTagRanges, events: sourceEvents } = sourceMeta;
     const sig = new Signature(signature);
-    const ctxt = new CallContext(data);
+    const ctxt = CallContext.create(data);
     const event = new PropagationEvent({
       context: ctxt,
       signature: sig,

package/lib/assess/propagators/mongoose/helpers.js CHANGED Viewed

@@ -12,6 +12,8 @@ Copyright: 2022 Contrast Security, Inc
   engineered, modified, repackaged, sold, redistributed or otherwise used in a
   way not consistent with the End User License Agreement.
 */
+'use strict';
 const TagRange = require('../../models/tag-range');
 const { CallContext, PropagationEvent, Signature } = require('../../models');
@@ -40,7 +42,7 @@ const tagCustomValidatedValues = (values, data, tracker, tagRangeUtil) => {
     );
     props.event = new PropagationEvent({
-      context: new CallContext(data),
+      context: CallContext.create(data),
       signature: new Signature('mongoose.mixed.doValidateSync'),
       tagRanges: props.tagRanges,
       source: 'P',

package/lib/assess/propagators/mongoose/string.js CHANGED Viewed

@@ -85,7 +85,7 @@ const doValidateSyncPatcher = (SchemaString) => {
       );
       props.event = new PropagationEvent({
-        context: new CallContext(data),
+        context: CallContext.create(data),
         signature: new Signature('mongoose.string.doValidateSync'),
         tagRanges: props.tagRanges,
         source: 'P',

package/lib/assess/propagators/number.js CHANGED Viewed

@@ -39,7 +39,7 @@ function handle() {
         );
         trackingData.event = new PropagationEvent({
-          context: new CallContext(data),
+          context: CallContext.create(data),
           signature: new Signature('Number'),
           tagRanges: trackingData.tagRanges,
           source: 'P',

package/lib/assess/propagators/path/basename.js CHANGED Viewed

@@ -73,14 +73,14 @@ module.exports.handle = function handle() {
           if (tracked) {
             tracked.props.tagRanges = tagRanges;
             tracked.props.event = new PropagationEvent({
-              context: new CallContext(data),
+              context: CallContext.create(data),
               parents: [parentEvent],
               signature,
               source: 'P',
               tagRanges,
               target: 'R'
             });
-            data.result = tracked.str;
+            data.result = tracked.str;
           }
         }
       });

package/lib/assess/propagators/path/dirname.js CHANGED Viewed

@@ -62,14 +62,14 @@ module.exports.handle = function handle() {
           if (tracked) {
             tracked.props.tagRanges = tagRanges;
             tracked.props.event = new PropagationEvent({
-              context: new CallContext(data),
+              context: CallContext.create(data),
               parents: [parentEvent],
               signature,
               source: 'P',
               tagRanges,
               target: 'R'
             });
-            data.result = tracked.str;
+            data.result = tracked.str;
           }
         }
       });

package/lib/assess/propagators/path/extname.js CHANGED Viewed

@@ -67,14 +67,14 @@ module.exports.handle = function handle() {
           if (tracked) {
             tracked.props.tagRanges = tagRanges;
             tracked.props.event = new PropagationEvent({
-              context: new CallContext(data),
+              context: CallContext.create(data),
               parents: [parentEvent],
               signature,
               source: 'P',
               tagRanges,
               target: 'R'
             });
-            data.result = tracked.str;
+            data.result = tracked.str;
           }
         }
       });

package/lib/assess/propagators/querystring/escape.js CHANGED Viewed

@@ -38,7 +38,7 @@ function handler(data) {
   if (tracked) {
     tracked.props.tagRanges = tagRanges;
     tracked.props.event = new PropagationEvent({
-      context: new CallContext({
+      context: CallContext.create({
         ...data,
         obj: null
       }),

package/lib/assess/propagators/querystring/parse.js CHANGED Viewed

@@ -36,7 +36,6 @@ function getUnescapeWrapper(data, unescape) {
   function unescapeWrapper(part) {
     let result;
-    let resultData;
     const start = input.indexOf(part, data.curPos);
     // any tag ranges overlapping current part?
     const tagRanges = tagRangeUtil.trim(
@@ -58,11 +57,11 @@ function getUnescapeWrapper(data, unescape) {
     // allow propagation through unescape
     result = Scopes.runInAllowAllScope(() => unescape(result));
-    resultData = tracker.getData(result);
+    const resultData = tracker.getData(result);
     if (resultData) {
       resultData.event = new PropagationEvent({
-        context: new CallContext({
+        context: CallContext.create({
           ...data,
           obj: null,
           args: data.origArgs,

package/lib/assess/propagators/querystring/stringify.js CHANGED Viewed

@@ -289,12 +289,12 @@ function post(data) {
     const sorted = _.sortBy(data.state.tagRanges, 'start');
     tracked.props.tagRanges = [];
     tagRangeUtil.addAllInPlace(tracked.props.tagRanges, sorted);
     // stringify / encode
     const method = data.funcKey.split('.')[1];
     tracked.props.event = new PropagationEvent({
-      context: new CallContext({
+      context: CallContext.create({
         ...data,
         args: data.state.origArgs,
         obj: null

package/lib/assess/propagators/querystring/unescape.js CHANGED Viewed

@@ -42,7 +42,7 @@ function handler(data) {
   if (tracked) {
     tracked.props.tagRanges = tagRanges;
     tracked.props.event = new PropagationEvent({
-      context: new CallContext({
+      context: CallContext.create({
         ...data,
         obj: null
       }),
@@ -53,7 +53,7 @@ function handler(data) {
       target: 'R',
       untags: ['url-encoded']
     });
-    data.result = tracked.str;
+    data.result = tracked.str;
   }
 }

package/lib/assess/propagators/sequelize/sql-string-escape.js CHANGED Viewed

@@ -45,7 +45,7 @@ module.exports.handle = function() {
           );
           const event = new PropagationEvent({
-            context: new CallContext(data),
+            context: CallContext.create(data),
             parents: [trackingData.event],
             signature: new Signature('sequelize/lib/sql-string.escape'),
             source: 'P',

package/lib/assess/propagators/sequelize/sql-string-format-named-parameters.js CHANGED Viewed

@@ -127,7 +127,7 @@ module.exports.handle = function() {
           }
           const event = new PropagationEvent({
-            context: new CallContext(data),
+            context: CallContext.create(data),
             parents: [trackingData.event],
             signature: new Signature(
               'sequelize/lib/sql-string.formatNamedParameters'

package/lib/assess/propagators/sequelize/sql-string-format.js CHANGED Viewed

@@ -88,7 +88,7 @@ module.exports.handle = function() {
           }
           const event = new PropagationEvent({
-            context: new CallContext(data),
+            context: CallContext.create(data),
             parents: [trackingData.event],
             signature: new Signature('sequelize/lib/sql-string.format'),
             source: 'P',

package/lib/assess/propagators/string-prototype-replace.js CHANGED Viewed

@@ -16,7 +16,6 @@ Copyright: 2022 Contrast Security, Inc
  * String.prototype.replace Propagation Provider module.
  * @module lib/assess/propagators/String.prototype.replace
  */
 'use strict';
 const _ = require('lodash');
@@ -183,10 +182,10 @@ function findOffset(args) {
   return _.isNumber(args[1])
     ? args[1] // no general capture groups
     : _.isNumber(args[args.length - 2])
-    ? args[args.length - 2] // no named-capture groups
-    : _.isNumber(args[args.length - 3])
-    ? args[args.length - 3] // w/ named-capture groups
-    : (() => {
+      ? args[args.length - 2] // no named-capture groups
+      : _.isNumber(args[args.length - 3])
+        ? args[args.length - 3] // w/ named-capture groups
+        : (() => {
         // Invalid call at this point though
         for (const arg of args) {
           if (_.isNumber(arg)) return arg;
@@ -595,7 +594,7 @@ function trackFinalResult(callContext) {
       tagRanges: trackData.resultTagRanges,
       result: tracked.str
     });
-    tracked.props.tagRanges = trackData.resultTagRanges;
+    tracked.props.tagRanges = trackData.resultTagRanges;
     callContext.result = tracked.str;
   }
 }
@@ -614,7 +613,7 @@ function createPropagationEvent({ callContext, tagRanges, result }) {
     }
   } = callContext;
   const signature = new Signature(PROPAGATOR_METHOD);
-  const context = new CallContext({
+  const context = CallContext.create({
     obj,
     args,
     result,
@@ -646,8 +645,8 @@ function getParentEvents(source, trackData) {
     ...(source === 'P'
       ? [trackData.replacerData.event]
       : source === 'O'
-      ? [trackData.objData.event]
-      : [trackData.replacerData.event, trackData.objData.event]),
+        ? [trackData.objData.event]
+        : [trackData.replacerData.event, trackData.objData.event]),
     ...Array.from(trackData.dynamicEvents)
   ]);
 }
@@ -661,8 +660,8 @@ function getSourceType({ objData, replacerData }) {
   return objData.tracked && !replacerData.tracked
     ? 'O'
     : !objData.tracked && replacerData.tracked
-    ? 'P'
-    : 'A';
+        ? 'P'
+        : 'A';
 }
 module.exports.coerceReplacer = coerceReplacer;

package/lib/assess/propagators/string-prototype-split.js CHANGED Viewed

@@ -86,7 +86,7 @@ module.exports.handle = {
     const oldTagRanges = getTagRanges(origString);
     const oldEvent = getEvent(origString);
-    const ctxt = new CallContext(data);
+    const ctxt = CallContext.create(data);
     if (args[0].length === 0) {
       /***
@@ -166,7 +166,7 @@ module.exports.handle = {
             const tracked = tracker.track(stringPart);
             if (tracked) {
               tracked.props.tagRanges.push(new TagRange(tagStart, tagStop, tag.tag));
-              result[i] = tracked.str;
+              result[i] = tracked.str;
             }
           }
         });
@@ -206,7 +206,7 @@ function handleEmptySeperator(data, oldTagRanges, oldEvent) {
   const { result } = data;
-  const ctxt = new CallContext(data);
+  const ctxt = CallContext.create(data);
   // map index --> { Event, tagRanges }, so that we can update existing properties in cases where
   // more than one tag was on the same index
@@ -233,11 +233,11 @@ function handleEmptySeperator(data, oldTagRanges, oldEvent) {
             source: 'O',
             target: 'R'
           });
           tracked.props.event = event;
           info = { event, tagRanges: tracked.props.tagRanges };
           sharedCharInfo.set(i, info);
-          result[i] = tracked.str;
+          result[i] = tracked.str;
         }
       }
@@ -259,7 +259,7 @@ function transferTracking(origString, resultArray) {
     if (tracked) {
       tracked.props.tagRanges = getTagRanges(origString);
       tracked.props.event = getEvent(origString);
-      resultArray[i] = tracked.str;
+      resultArray[i] = tracked.str;
     }
   }
   return resultArray;

package/lib/assess/propagators/string-prototype-trim.js CHANGED Viewed

@@ -45,7 +45,7 @@ function handle(data) {
   const tracked = tracker.track(result);
   if (tracked) {
     tracked.props.tagRanges = targetRanges;
-    const context = new CallContext(data);
+    const context = CallContext.create(data);
     const event = new PropagationEvent({
       context,
       signature,
@@ -55,7 +55,7 @@ function handle(data) {
     });
     event.parents.push(sourceEvent);
     tracked.props.event = event;
-    data.result = tracked.str;
+    data.result = tracked.str;
   }
 }

package/lib/assess/propagators/template-escape.js CHANGED Viewed

@@ -69,7 +69,7 @@ function propagator(data, tagName, signatureName) {
   if (tracked) {
     tracked.props.tagRanges = tagRanges;
     tracked.props.event = new PropagationEvent({
-      context: new CallContext({
+      context: CallContext.create({
         ...data,
         obj: null
       }),
@@ -80,7 +80,7 @@ function propagator(data, tagName, signatureName) {
       tagRanges,
       tags: tagName
     });
-    data.result = tracked.str;
+    data.result = tracked.str;
   }
 }

package/lib/assess/propagators/templates.js CHANGED Viewed

@@ -114,7 +114,7 @@ function buildProperties(props, tagRanges, exps, result, strings, events) {
     this,
     [strings].concat(exps.map((exp, i) => `$\{exp${i}}`))
   );
-  const ctxt = new CallContext({
+  const ctxt = CallContext.create({
     obj: raw,
     args: exps,
     result,

package/lib/assess/propagators/url/utils.js CHANGED Viewed

@@ -39,7 +39,7 @@ module.exports.createEvent = function(
   // To be 100% correct we would use result/url (should be the same)
   // for obj/result, but it's nicer to show propagation to the specific part.
   // Since the operation is P2O, we replace O with the url part.
-  const context = new CallContext({
+  const context = CallContext.create({
     obj: part,
     args,
     result

package/lib/assess/propagators/v8/init-hooks.js CHANGED Viewed

@@ -99,7 +99,7 @@ module.exports.handle = function handle() {
               tr.stop = data.result.length - 1;
             }
           }
-          const context = new CallContext(data.obj, data.args, data.result);
+          const context = CallContext.create(data);
           const event = new PropagationEvent({
             context,
             signature,

package/lib/assess/propagators/validator/init-hooks.js CHANGED Viewed

@@ -103,7 +103,7 @@ module.exports.handle = function () {
               );
               tagRangeUtil.removeInPlace(trackingData.tagRanges, ['untrusted']);
-              const context = new CallContext(data);
+              const context = CallContext.create(data);
               const event = new PropagationEvent({
                 context,
                 signature,
@@ -233,7 +233,7 @@ module.exports.handle = function () {
         );
         tagRangeUtil.removeInPlace(trackingData.tagRanges, ['untrusted']);
-        const context = new CallContext(data);
+        const context = CallContext.create(data);
         const event = new PropagationEvent({
           context,
           signature,

package/lib/assess/restify/session.js CHANGED Viewed

@@ -12,6 +12,8 @@ Copyright: 2022 Contrast Security, Inc
   engineered, modified, repackaged, sold, redistributed or otherwise used in a
   way not consistent with the End User License Agreement.
 */
+'use strict';
 const { get } = require('lodash');
 const { CallContext, Signature } = require('../models');
 const patcher = require('../../hooks/patcher');
@@ -30,7 +32,7 @@ module.exports = function registerSessionHandler(response) {
     patchType: PATCH_TYPES.ASSESS_SINK,
     post(data) {
       const options = { cookie: get(data, 'args[2]', {}) };
-      const context = new CallContext(data);
+      const context = CallContext.create(data);
       const signature = new Signature({
         moduleName: 'restify-cookies.Response',
         methodName: 'setCookie',

package/lib/assess/restify/sinks/unvalidated-redirect.js CHANGED Viewed

@@ -81,7 +81,7 @@ class RestifyRedirectSink {
             report({
               signature,
               input: vulnerable,
-              ctxt: new CallContext({
+              ctxt: CallContext.create({
                 obj,
                 args: [input],
                 stackOpts: {

package/lib/assess/restify/sinks/xss.js CHANGED Viewed

@@ -70,7 +70,7 @@ class RestifyXssSink {
         report({
           signature,
           input,
-          ctxt: new CallContext({
+          ctxt: CallContext.create({
             obj: data.obj,
             args: [input],
             stackOpts: {

package/lib/assess/sinks/common.js CHANGED Viewed

@@ -441,6 +441,7 @@ module.exports = (agent) => {
       // here we will pull the method out of the fn args
       // and replace it on the signature. the assumption
       // is the string to replace is always the last position
+      // eslint-disable-next-line no-prototype-builtins
       if (signature.hasOwnProperty('userMethodPosition')) {
         const method = args.splice(signature.userMethodPosition, 1).join();
         const methodArray = signature.methodName.split('.');
@@ -461,7 +462,7 @@ module.exports = (agent) => {
       }
       if (vulnerableString) {
-        const ctxt = new CallContext(data);
+        const ctxt = CallContext.create(data);
         // If we had to create a stacktrace already, use it rather than build
         // another during reporting
         if (stack) {

package/lib/assess/sinks/dustjs-linkedin-xss.js CHANGED Viewed

@@ -106,7 +106,7 @@ class Handler {
               ruleId: REFLECTED_XSS,
               signature,
               input: str,
-              ctxt: new CallContext({
+              ctxt: CallContext.create({
                 obj: typeName,
                 args: [str],
                 result: str,

package/lib/assess/sinks/dynamo.js CHANGED Viewed

@@ -267,7 +267,7 @@ module.exports = ({ common }) => {
     );
     if (vulnerableString.length) {
-      const ctxt = new CallContext(data);
+      const ctxt = CallContext.create(data);
       const signature = new Signature({ moduleName: 'aws-sdk', methodName });
       report({ ruleId, signature, input: vulnerableString[0], ctxt });
     }

package/lib/assess/sinks/hapi-16-xss.js CHANGED Viewed

@@ -55,7 +55,7 @@ module.exports = ({
           enabled &&
           isVulnerable({ input: result, disallowedTags, requiredTags, ruleId })
         ) {
-          const ctxt = new CallContext({
+          const ctxt = CallContext.create({
             obj: reply,
             args: [result],
             result: ret,

package/lib/assess/sinks/libxmljs-xxe.js CHANGED Viewed

@@ -45,7 +45,7 @@ module.exports = ({ common, signature }) => ({
     });
     if (rv) {
-      const ctxt = new CallContext(data);
+      const ctxt = CallContext.create(data);
       common.report({
         ruleId,
         signature: new Signature(signature),

package/lib/assess/sinks/mongodb.js CHANGED Viewed

@@ -132,7 +132,7 @@ module.exports = ({ common }) => {
     if (doc && !doc.__contrastContext) {
       try {
-        const ctxt = new CallContext({
+        const ctxt = CallContext.create({
           ...data,
           result: null
         });
@@ -358,7 +358,7 @@ module.exports = ({ common }) => {
  */
 function getCallContext(ctxt, data) {
   if (!ctxt) {
-    ctxt = new CallContext(data);
+    ctxt = CallContext.create(data);
     ctxt.signature = data.name;
   }
   ctxt.result = data.result;

package/lib/assess/sinks/rethinkdb-nosql-injection.js CHANGED Viewed

@@ -96,7 +96,7 @@ class Handler {
             ruleId: NOSQL_INJECTION,
             signature: matchSignature,
             input: str,
-            ctxt: new CallContext({
+            ctxt: CallContext.create({
               obj,
               args: [str],
               result: str,
@@ -118,7 +118,7 @@ class Handler {
             ruleId: NOSQL_INJECTION,
             signature: filterSignature,
             input: str,
-            ctxt: new CallContext({
+            ctxt: CallContext.create({
               obj,
               args: [str],
               result: str,

package/lib/assess/sources/event-handler.js CHANGED Viewed

@@ -198,7 +198,7 @@ class SourceEventHandler {
     props.tagRanges = this.getTagRanges({ name, result });
     props.event = new SourceEvent({
-      context: new CallContext({
+      context: CallContext.create({
         obj: 'IncomingMessage {}',
         args: [`${this.typeKey}.${name}`],
         result,
@@ -241,7 +241,7 @@ class SourceEventHandler {
     const rules = new Set();
-    /*
+    /*
       Maybe it's pointless because we set skipEvent to true if appliesToAllAssessRules
       and we won't get here
     */

package/lib/assess/spdy/sinks/xss.js CHANGED Viewed

@@ -68,7 +68,7 @@ class SpdyXss {
         ruleId
       })
     ) {
-      const ctxt = new CallContext({
+      const ctxt = CallContext.create({
         obj: body,
         args: [body],
         result: body,

package/lib/core/hapi/utils.js CHANGED Viewed

@@ -59,6 +59,7 @@ utils.httpOnly = function(options) {
  * @return {Boolean}
  */
 utils.vulnerableOption = function({ options, key }) {
+  // eslint-disable-next-line no-prototype-builtins
   return options.hasOwnProperty(key) && options[key] !== true;
 };
@@ -81,7 +82,7 @@ utils.createSessionContext = function(obj, args, result, source, stackOpts) {
   }
   if (!opts) {
-    return new CallContext({
+    return CallContext.create({
       obj,
       args,
       result,
@@ -95,7 +96,7 @@ utils.createSessionContext = function(obj, args, result, source, stackOpts) {
   args[idx] = opts;
-  return new CallContext({ obj, args, result });
+  return CallContext.create({ obj, args, result });
 };
 /**

package/lib/core/stacktrace.js CHANGED Viewed

@@ -146,8 +146,11 @@ class Factory {
     if (callsite.isEval()) {
       evalOrigin = Factory.formatFileName(callsite.getEvalOrigin());
-      [, file, lineNumber, columnNumber] =
-        evalOrigin.match(EVAL_ORIGIN_REGEX) || evalOrigin.endsWith('.ejs');
+      const match = evalOrigin.match(EVAL_ORIGIN_REGEX);
+      if (match) {
+        [, file, lineNumber, columnNumber] = match;
+      }
     }
     file = file || callsite.getFileName();

package/lib/hooks/express-session.js CHANGED Viewed

@@ -48,7 +48,7 @@ function hook() {
           _.set(data.args, '[0].secret', '[HIDDEN]');
         }
-        const ctxt = new CallContext(data);
+        const ctxt = CallContext.create(data);
         // event of when the session was initialized that will be reused for all
         // session findings
         const sessionEvent = new SessionEvent({

package/lib/list-installed.js CHANGED Viewed

@@ -21,7 +21,7 @@ const {
   AGENT_INFO: { SUPPORTED_NPM_VERSIONS },
 } = require('./constants');
-const VERSION_REGEX = /^npm@(\S+)\s+(\S+)$/m;
+const VERSION_REGEX = /^npm@(\S+)\s+(\S+[\s\S]*)$/m;
 const isWin32 = process.platform === 'win32';
 const execFile = util.promisify(require('child_process').execFile);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.25.2",
+  "version": "4.25.4",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",