@contrast/agent 4.31.1 → 4.31.2

package/bin/VERSION

@@ -1 +1 @@
-2.28.23
+2.28.24

package/lib/assess/hapi/sinks/xss.js

@@ -118,6 +118,14 @@ class HapiXssSink {
     });
   }
 
+  hasViewEngineSource(source) {
+    if (typeof source === 'object' && source.manager && source.context) {
+      return true;
+    }
+
+    return false;
+  }
+
   /**
    * Checks the response in a `onPreResponse` hook for xss vulns
    */
@@ -140,11 +148,14 @@ class HapiXssSink {
         requiredTags
       } = this.common;
 
+      const input = this.hasViewEngineSource(source) ? source.context : source;
+
       if (
         isVulnerable({
-          input: source,
+          input,
           disallowedTags,
           requiredTags,
+          searchDepth: typeof input === 'string' ? 0 : Infinity,
           ruleId
         })
       ) {

package/lib/assess/models/base-event.js

@@ -82,12 +82,19 @@ class BaseEvent {
   getAllParents(set = new Set()) {
     this.parents = sortEvents(this.parents);
 
-    this.parents.forEach((p) => {
-      if (p && !set.has(p)) {
-        set = p.getAllParents(set);
-        set.add(p);
-      }
-    });
+    try {
+      this.parents.forEach((p) => {
+        if (p && !set.has(p)) {
+          set = p.getAllParents(set);
+          set.add(p);
+        }
+      });
+    } catch (err) {
+      logger.warn(
+        'Unable to get all parents for dataflowEvent',
+        err
+      );
+    }
 
     return set;
   }
@@ -114,14 +121,14 @@ class BaseEvent {
     if (this.source === 'P') {
       const numArgs = this.context.hasArgsTracked.length;
       if (numArgs === 1) {
-        this.source = 'P0'
+        this.source = 'P0';
       } else {
         this.source = '';
         for (let i = 0; i < numArgs; i++) {
           if (this.context.hasArgsTracked[i]) {
             this.source += `P${i},`;
           }
-        }  
+        }
       }
     }
 

package/lib/contrast.js

@@ -115,16 +115,16 @@ contrastAgent.checkNodeVersion = function(
     !semver.satisfies(version, supportedVersions) ||
     semver.major(version) % 2
   ) {
-    const minVersion = semver.minVersion(supportedVersions).toString();
-    const maxVersion = supportedVersions
-      .split('||')
-      .pop()
-      .split('<')
-      .pop();
+    let validRanges = '';
+    supportedVersions.split('||').forEach((range) => {
+      const minVersion = semver.minVersion(range).toString();
+      const maxVersion = range.split('<').pop()
+        .trim();
+      validRanges += `${minVersion} and ${maxVersion}, `;
+    });
     logger.error(
-      'Contrast only officially supports Node LTS versions between %s and %s but detected %s. Continuing without instrumentation.',
-      minVersion,
-      maxVersion,
+      'Contrast only officially supports Node LTS versions between %sbut detected %s. Continuing without instrumentation.',
+      validRanges,
       version
     );
     return false;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.31.1",
+  "version": "4.31.2",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",
@@ -181,7 +181,7 @@
     "proxyquire": "^2.1.0",
     "qs": "^6.9.4",
     "rethinkdb": "file:test/mock/rethinkdb",
-    "sequelize": "^6.11.0",
+    "sequelize": "^6.29.0",
     "serve-static": "^1.15.0",
     "shellcheck": "^1.0.0",
     "sinon": "^9.2.4",