@contrast/agent 4.32.3 → 4.32.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -197,7 +197,9 @@ class FastifyXssSink {
|
|
|
197
197
|
pre(data) {
|
|
198
198
|
// Final check after handler and all hooks have ran
|
|
199
199
|
const replyState = AsyncStorage.get(KEYS.FASTIFY_REPLY_SEND_STATE);
|
|
200
|
-
const payload = data.args[0] || replyState.payload;
|
|
200
|
+
const payload = data.args[0] || replyState && replyState.payload;
|
|
201
|
+
|
|
202
|
+
if (!payload) return;
|
|
201
203
|
|
|
202
204
|
if (
|
|
203
205
|
isVulnerable({
|
|
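Review bot: The fallback on the new `payload` line mixes `||` and `&&` without parentheses, so a reader has to know that `&&` binds tighter to see that it means `data.args[0] || (replyState && replyState.payload)`; write the grouping out, `const payload = data.args[0] || (replyState && replyState.payload);`, or use `replyState?.payload` if the agent's supported Node range allows optional chaining. The added `if (!payload) return;` also skips the check for any falsy value, which looks intended for an absent or empty body but deserves a one-line comment such as `// nothing to inspect when neither the handler nor the reply state produced a body`. The `pre` method continues past the end of the hunk.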
@@ -117,7 +117,12 @@ function formatSource({
|
|
|
117
117
|
evaluator = isSrcSecure
|
|
118
118
|
}) {
|
|
119
119
|
key = _.camelCase(key);
|
|
120
|
-
|
|
120
|
+
const evaluation = evaluator(sources, defaultSources);
|
|
121
|
+
if (!evaluation && !data.insecure) {
|
|
122
|
+
data.insecure = true;
|
|
123
|
+
}
|
|
124
|
+
data[`${key}Secure`] = evaluation;
|
|
125
|
+
|
|
121
126
|
data[`${key}Value`] = sources.join(' ');
|
|
122
127
|
}
|
|
123
128
|
|
|
@@ -163,7 +168,21 @@ function check(responseHeaders) {
|
|
|
163
168
|
return false;
|
|
164
169
|
}
|
|
165
170
|
|
|
166
|
-
|
|
171
|
+
const data = checkCspSources(cspHeaders);
|
|
172
|
+
|
|
173
|
+
if (data.insecure) {
|
|
174
|
+
// The TS API is expecting this with a typo
|
|
175
|
+
// temporary we'll send it like this until it is
|
|
176
|
+
// fixed on their side
|
|
177
|
+
data.refererSecure = data.referrerSecure;
|
|
178
|
+
data.refererValue = data.referrerValue;
|
|
179
|
+
|
|
180
|
+
delete data.insecure;
|
|
181
|
+
delete data.referrerSecure;
|
|
182
|
+
delete data.referrerValue;
|
|
183
|
+
|
|
184
|
+
return data;
|
|
185
|
+
}
|
|
167
186
|
}
|
|
168
187
|
|
|
169
188
|
module.exports = ({ common }) => ({
|
|
@@ -176,7 +195,7 @@ module.exports = ({ common }) => ({
|
|
|
176
195
|
if (trigger) {
|
|
177
196
|
common.emitFinding({
|
|
178
197
|
request,
|
|
179
|
-
props: { data: trigger },
|
|
198
|
+
props: { data: JSON.stringify(trigger) },
|
|
180
199
|
ruleId: RULE_ID
|
|
181
200
|
});
|
|
182
201
|
}
|
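Review bot: In `check`, the new block returns `data` only when `data.insecure` is set and otherwise falls off the end of the function, so `check` now yields `false` from the earlier branch at 168 but `undefined` for a policy that evaluates secure; the call site's `if (trigger)` tolerates both, but an explicit `return false;` after the new `if` block keeps the return contract uniform and matches the existing style. The `// The TS API is expecting this with a typo` workaround would be easier to retire if it were tracked, e.g. `// TODO: drop the refererSecure/refererValue aliases once the TS API accepts the correct spelling`. In `formatSource`, the `!data.insecure` guard before `data.insecure = true` is redundant because the assignment is idempotent; `if (!evaluation) data.insecure = true;` reads more directly. Both `check` and `formatSource` begin before their hunks, and the `return false;` at 168 appears to sit inside an enclosing conditional that is outside the hunk.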
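--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@contrast/agent",
-"version": "4.32.
+"version": "4.32.4",
 "description": "Node.js security instrumentation by Contrast Security",
 "keywords": [
 "security",
@@ -28,7 +28,6 @@
 "Yavor Stoychev"
 ],
 "scripts": {
-"docs": "jsdoc -c ../.jsdoc.json",
 "release": "node scripts/make-release.js",
 "tag": "node scripts/tag-release.js",
 "test:debug": "scripts/test.sh debug",
@@ -121,7 +120,7 @@
 "@bmacnaughton/string-generator": "^1.0.0",
 "@contrast/eslint-config": "^3.0.2",
 "@contrast/fake-module": "file:test/mock/contrast-fake",
-"@contrast/screener-service": "^1.12.
+"@contrast/screener-service": "^1.12.13",
 "@hapi/boom": "file:test/mock/boom",
 "@hapi/hapi": "file:test/mock/hapi",
 "@ls-lint/ls-lint": "^1.11.2",
@@ -156,7 +155,6 @@
 "inquirer": "^8.1.2",
 "jira-client": "^8.1.0",
 "joi": "^17.4.0",
-"jsdoc": "^3.6.10",
 "libxmljs": "file:test/mock/libxmljs",
 "libxmljs2": "file:test/mock/libxmljs2",
 "lint-staged": "^12.0.2",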