@contrast/agent 4.33.3 → 4.34.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
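--- a/PATH-NOT-ON-PAGE-1
+++ b/PATH-NOT-ON-PAGE-1
@@ -525,6 +525,12 @@
 "target": "R",
 "override": "./propagators/sequelize/sql-string-format-named-parameters.js"
 },
+"sequelize.QueryGenerator.quoteIdentifier": {
+"enabled": true,
+"source": "P",
+"target": "R",
+"override": "./propagators/sequelize/query-generator.js"
+},
 "validator": {
 "enabled": true,
 "override": "./propagators/validator/init-hooks.js"
@@ -726,7 +726,8 @@
 "requiredTags": ["untrusted"]
 }
 ]
-}
+},
+"stackTrustedLibs": ["i18n"]
 },
 "fs.createWriteStream": {
 "type": "dataflow",
@@ -1273,7 +1274,12 @@
 {
 "index": 0,
 "depth": 5,
-"disallowedTags": [
+"disallowedTags": [
+"alphanum-space-hyphen",
+"custom-validated-nosql-injection",
+"limited-chars",
+"string-type-checked"
+],
 "requiredTags": ["untrusted"]
 }
 ]
@@ -1289,7 +1295,12 @@
 {
 "index": 0,
 "depth": 5,
-"disallowedTags": [
+"disallowedTags": [
+"alphanum-space-hyphen",
+"custom-validated-nosql-injection",
+"limited-chars",
+"string-type-checked"
+],
 "requiredTags": ["untrusted"]
 }
 ]
@@ -1305,13 +1316,23 @@
 {
 "index": 0,
 "depth": 5,
-"disallowedTags": [
+"disallowedTags": [
+"alphanum-space-hyphen",
+"custom-validated-nosql-injection",
+"limited-chars",
+"string-type-checked"
+],
 "requiredTags": ["untrusted"]
 },
 {
 "index": 1,
 "depth": 5,
-"disallowedTags": [
+"disallowedTags": [
+"alphanum-space-hyphen",
+"custom-validated-nosql-injection",
+"limited-chars",
+"string-type-checked"
+],
 "requiredTags": ["untrusted"]
 }
 ]
@@ -1327,7 +1348,12 @@
 {
 "index": 0,
 "depth": 5,
-"disallowedTags": [
+"disallowedTags": [
+"alphanum-space-hyphen",
+"custom-validated-nosql-injection",
+"limited-chars",
+"string-type-checked"
+],
 "requiredTags": ["untrusted"]
 }
 ]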
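Review bot: The `disallowedTags` lists rebuilt in hunks `@@ -1273`, `@@ -1289`, `@@ -1305` and `@@ -1327` now suppress a finding whenever the tainted value carries `limited-chars` or `string-type-checked`, and neither tag on its own shows the value was encoded for the sink: a string-type check only rules out non-string payloads, and `limited-chars` is only as strong as the character set its validator admits. The rule entries these blocks belong to start outside the hunks, so confirm each one is a NoSQL-injection rule, where those checks are the relevant mitigation, before accepting the wider list for all four. In hunk `@@ -726`, `"stackTrustedLibs": ["i18n"]` exempts frames from that module; if matching is by module name alone, any dependency resolving to `i18n` inherits the exemption (not visible here, confirm how the agent matches).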
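--- a/PATH-NOT-ON-PAGE-2
+++ b/PATH-NOT-ON-PAGE-2
@@ -213,6 +213,30 @@
 "methodName": "formatNamedParameters",
 "isModule": true
 },
+"sequelize.MySQLQueryGenerator.prototype.quoteIdentifier": {
+"moduleName": "sequelize",
+"version": ">=5.0.0",
+"methodName": "MySQLQueryGenerator.prototype.quoteIdentifier",
+"isModule": true
+},
+"sequelize.SQLiteQueryGenerator.prototype.quoteIdentifier": {
+"moduleName": "sequelize",
+"version": ">=5.0.0",
+"methodName": "SQLiteQueryGenerator.prototype.quoteIdentifier",
+"isModule": true
+},
+"sequelize.MSSQLQueryGenerator.prototype.quoteIdentifier": {
+"moduleName": "sequelize",
+"version": ">=5.0.0",
+"methodName": "MSSQLQueryGenerator.prototype.quoteIdentifier",
+"isModule": true
+},
+"sequelize.PostgresQueryGenerator.prototype.quoteIdentifier": {
+"moduleName": "sequelize",
+"version": ">=5.0.0",
+"methodName": "PostgresQueryGenerator.prototype.quoteIdentifier",
+"isModule": true
+},
 "mongodb.Db.prototype.eval": {
 "moduleName": "mongodb",
 "version": ">=3.3.0",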
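--- /dev/null
+++ b/PATH-NOT-ON-PAGE-3
@@ -0,0 +1,74 @@
+/**
+Copyright: 2023 Contrast Security, Inc
+Contact: support@contrastsecurity.com
+License: Commercial
+
+NOTICE: This Software and the patented inventions embodied within may only be
+used as part of Contrast Security’s commercial offerings. Even though it is
+made available through public repositories, use of this Software is subject to
+the applicable End User Licensing Agreement found at
+https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+between Contrast Security and the End User. The Software may not be reverse
+engineered, modified, repackaged, sold, redistributed or otherwise used in a
+way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const logger = require('../../../core/logger')('contrast:sequelize:propagator');
+const tracker = require('../../../tracker');
+const patcher = require('../../../hooks/patcher');
+const { PATCH_TYPES } = require('../../../constants');
+const moduleHook = require('../../../hooks/require');
+const { CallContext, PropagationEvent, Signature } = require('../../models');
+const TagRange = require('../../models/tag-range');
+const tagRangeUtil = require('../../models/tag-range/util');
+
+const DIALECTS = [
+// 'db2',
+// 'mariadb',
+'mssql',
+'mysql',
+// 'oracle',
+'postgres',
+// 'snowflake',
+'sqlite',
+];
+
+module.exports.handle = function () {
+for (const dialect of DIALECTS) {
+const file = `lib/dialects/${dialect}/query-generator.js`;
+
+moduleHook.resolve(
+{ name: 'sequelize', file },
+(_export) => {
+logger.debug('hooking %s', file);
+
+const name = `sequelize.${_export.name}.prototype.quoteIdentifier`;
+patcher.patch(_export.prototype, 'quoteIdentifier', {
+name,
+patchType: PATCH_TYPES.ASSESS_PROPAGATOR,
+post(data) {
+const trackingData = tracker.getData(data.result);
+if (!trackingData) return;
+
+tagRangeUtil.addInPlace(
+trackingData.tagRanges,
+new TagRange(0, data.result.length - 1, 'sql-encoded')
+);
+
+const event = new PropagationEvent({
+context: CallContext.create(data),
+parents: [trackingData.event],
+signature: new Signature(name),
+source: 'P',
+tagRanges: trackingData.tagRanges,
+target: 'R'
+});
+
+trackingData.event = event;
+}
+});
+}
+);
+}
+};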
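Review bot: `post(data)` tags the entire result `sql-encoded` without checking that quoting was actually applied; if any hooked dialect's `quoteIdentifier` can hand back the identifier unchanged (for example when identifier quoting is disabled by option, which the page cannot confirm), untrusted input would be marked encoded and a SQL-injection finding suppressed, so compare `data.result` with the identifier argument the patcher supplies in `data` and return early when they are identical. `new TagRange(0, data.result.length - 1, 'sql-encoded')` also produces an end offset of -1 for an empty result should `tracker.getData` return data for one; `if (!trackingData || data.result.length === 0) return;` covers both that and the existing null check. The hook name built from `_export.name` must match the four `...QueryGenerator.prototype.quoteIdentifier` keys added in hunk `@@ -213,6 +213,30 @@`, and the commented-out entries in `DIALECTS` carry no stated reason, so a short comment above the loop naming that coupling and a JSDoc line on `handle` would help the next maintainer.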