@contrast/agent 4.33.3 → 4.35.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -525,6 +525,12 @@
|
|
|
525
525
|
"target": "R",
|
|
526
526
|
"override": "./propagators/sequelize/sql-string-format-named-parameters.js"
|
|
527
527
|
},
|
|
528
|
+
"sequelize.QueryGenerator.quoteIdentifier": {
|
|
529
|
+
"enabled": true,
|
|
530
|
+
"source": "P",
|
|
531
|
+
"target": "R",
|
|
532
|
+
"override": "./propagators/sequelize/query-generator.js"
|
|
533
|
+
},
|
|
528
534
|
"validator": {
|
|
529
535
|
"enabled": true,
|
|
530
536
|
"override": "./propagators/validator/init-hooks.js"
|
|
@@ -726,7 +726,8 @@
|
|
|
726
726
|
"requiredTags": ["untrusted"]
|
|
727
727
|
}
|
|
728
728
|
]
|
|
729
|
-
}
|
|
729
|
+
},
|
|
730
|
+
"stackTrustedLibs": ["i18n"]
|
|
730
731
|
},
|
|
731
732
|
"fs.createWriteStream": {
|
|
732
733
|
"type": "dataflow",
|
|
@@ -967,7 +968,8 @@
|
|
|
967
968
|
"requiredTags": ["untrusted"]
|
|
968
969
|
}
|
|
969
970
|
]
|
|
970
|
-
}
|
|
971
|
+
},
|
|
972
|
+
"stackTrustedLibs": ["i18n"]
|
|
971
973
|
},
|
|
972
974
|
"fs.mkdir": {
|
|
973
975
|
"enabled": true,
|
|
@@ -1273,7 +1275,12 @@
|
|
|
1273
1275
|
{
|
|
1274
1276
|
"index": 0,
|
|
1275
1277
|
"depth": 5,
|
|
1276
|
-
"disallowedTags": [
|
|
1278
|
+
"disallowedTags": [
|
|
1279
|
+
"alphanum-space-hyphen",
|
|
1280
|
+
"custom-validated-nosql-injection",
|
|
1281
|
+
"limited-chars",
|
|
1282
|
+
"string-type-checked"
|
|
1283
|
+
],
|
|
1277
1284
|
"requiredTags": ["untrusted"]
|
|
1278
1285
|
}
|
|
1279
1286
|
]
|
|
@@ -1289,7 +1296,12 @@
|
|
|
1289
1296
|
{
|
|
1290
1297
|
"index": 0,
|
|
1291
1298
|
"depth": 5,
|
|
1292
|
-
"disallowedTags": [
|
|
1299
|
+
"disallowedTags": [
|
|
1300
|
+
"alphanum-space-hyphen",
|
|
1301
|
+
"custom-validated-nosql-injection",
|
|
1302
|
+
"limited-chars",
|
|
1303
|
+
"string-type-checked"
|
|
1304
|
+
],
|
|
1293
1305
|
"requiredTags": ["untrusted"]
|
|
1294
1306
|
}
|
|
1295
1307
|
]
|
|
@@ -1305,13 +1317,23 @@
|
|
|
1305
1317
|
{
|
|
1306
1318
|
"index": 0,
|
|
1307
1319
|
"depth": 5,
|
|
1308
|
-
"disallowedTags": [
|
|
1320
|
+
"disallowedTags": [
|
|
1321
|
+
"alphanum-space-hyphen",
|
|
1322
|
+
"custom-validated-nosql-injection",
|
|
1323
|
+
"limited-chars",
|
|
1324
|
+
"string-type-checked"
|
|
1325
|
+
],
|
|
1309
1326
|
"requiredTags": ["untrusted"]
|
|
1310
1327
|
},
|
|
1311
1328
|
{
|
|
1312
1329
|
"index": 1,
|
|
1313
1330
|
"depth": 5,
|
|
1314
|
-
"disallowedTags": [
|
|
1331
|
+
"disallowedTags": [
|
|
1332
|
+
"alphanum-space-hyphen",
|
|
1333
|
+
"custom-validated-nosql-injection",
|
|
1334
|
+
"limited-chars",
|
|
1335
|
+
"string-type-checked"
|
|
1336
|
+
],
|
|
1315
1337
|
"requiredTags": ["untrusted"]
|
|
1316
1338
|
}
|
|
1317
1339
|
]
|
|
@@ -1327,7 +1349,12 @@
|
|
|
1327
1349
|
{
|
|
1328
1350
|
"index": 0,
|
|
1329
1351
|
"depth": 5,
|
|
1330
|
-
"disallowedTags": [
|
|
1352
|
+
"disallowedTags": [
|
|
1353
|
+
"alphanum-space-hyphen",
|
|
1354
|
+
"custom-validated-nosql-injection",
|
|
1355
|
+
"limited-chars",
|
|
1356
|
+
"string-type-checked"
|
|
1357
|
+
],
|
|
1331
1358
|
"requiredTags": ["untrusted"]
|
|
1332
1359
|
}
|
|
1333
1360
|
]
|
|
@@ -213,6 +213,30 @@
|
|
|
213
213
|
"methodName": "formatNamedParameters",
|
|
214
214
|
"isModule": true
|
|
215
215
|
},
|
|
216
|
+
"sequelize.MySQLQueryGenerator.prototype.quoteIdentifier": {
|
|
217
|
+
"moduleName": "sequelize",
|
|
218
|
+
"version": ">=5.0.0",
|
|
219
|
+
"methodName": "MySQLQueryGenerator.prototype.quoteIdentifier",
|
|
220
|
+
"isModule": true
|
|
221
|
+
},
|
|
222
|
+
"sequelize.SQLiteQueryGenerator.prototype.quoteIdentifier": {
|
|
223
|
+
"moduleName": "sequelize",
|
|
224
|
+
"version": ">=5.0.0",
|
|
225
|
+
"methodName": "SQLiteQueryGenerator.prototype.quoteIdentifier",
|
|
226
|
+
"isModule": true
|
|
227
|
+
},
|
|
228
|
+
"sequelize.MSSQLQueryGenerator.prototype.quoteIdentifier": {
|
|
229
|
+
"moduleName": "sequelize",
|
|
230
|
+
"version": ">=5.0.0",
|
|
231
|
+
"methodName": "MSSQLQueryGenerator.prototype.quoteIdentifier",
|
|
232
|
+
"isModule": true
|
|
233
|
+
},
|
|
234
|
+
"sequelize.PostgresQueryGenerator.prototype.quoteIdentifier": {
|
|
235
|
+
"moduleName": "sequelize",
|
|
236
|
+
"version": ">=5.0.0",
|
|
237
|
+
"methodName": "PostgresQueryGenerator.prototype.quoteIdentifier",
|
|
238
|
+
"isModule": true
|
|
239
|
+
},
|
|
216
240
|
"mongodb.Db.prototype.eval": {
|
|
217
241
|
"moduleName": "mongodb",
|
|
218
242
|
"version": ">=3.3.0",
|
|
@@ -0,0 +1,74 @@
|
|
|
1
|
+
/**
|
|
2
|
+
Copyright: 2023 Contrast Security, Inc
|
|
3
|
+
Contact: support@contrastsecurity.com
|
|
4
|
+
License: Commercial
|
|
5
|
+
|
|
6
|
+
NOTICE: This Software and the patented inventions embodied within may only be
|
|
7
|
+
used as part of Contrast Security’s commercial offerings. Even though it is
|
|
8
|
+
made available through public repositories, use of this Software is subject to
|
|
9
|
+
the applicable End User Licensing Agreement found at
|
|
10
|
+
https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
|
|
11
|
+
between Contrast Security and the End User. The Software may not be reverse
|
|
12
|
+
engineered, modified, repackaged, sold, redistributed or otherwise used in a
|
|
13
|
+
way not consistent with the End User License Agreement.
|
|
14
|
+
*/
|
|
15
|
+
'use strict';
|
|
16
|
+
|
|
17
|
+
const logger = require('../../../core/logger')('contrast:sequelize:propagator');
|
|
18
|
+
const tracker = require('../../../tracker');
|
|
19
|
+
const patcher = require('../../../hooks/patcher');
|
|
20
|
+
const { PATCH_TYPES } = require('../../../constants');
|
|
21
|
+
const moduleHook = require('../../../hooks/require');
|
|
22
|
+
const { CallContext, PropagationEvent, Signature } = require('../../models');
|
|
23
|
+
const TagRange = require('../../models/tag-range');
|
|
24
|
+
const tagRangeUtil = require('../../models/tag-range/util');
|
|
25
|
+
|
|
26
|
+
const DIALECTS = [
|
|
27
|
+
// 'db2',
|
|
28
|
+
// 'mariadb',
|
|
29
|
+
'mssql',
|
|
30
|
+
'mysql',
|
|
31
|
+
// 'oracle',
|
|
32
|
+
'postgres',
|
|
33
|
+
// 'snowflake',
|
|
34
|
+
'sqlite',
|
|
35
|
+
];
|
|
36
|
+
|
|
37
|
+
module.exports.handle = function () {
|
|
38
|
+
for (const dialect of DIALECTS) {
|
|
39
|
+
const file = `lib/dialects/${dialect}/query-generator.js`;
|
|
40
|
+
|
|
41
|
+
moduleHook.resolve(
|
|
42
|
+
{ name: 'sequelize', file },
|
|
43
|
+
(_export) => {
|
|
44
|
+
logger.debug('hooking %s', file);
|
|
45
|
+
|
|
46
|
+
const name = `sequelize.${_export.name}.prototype.quoteIdentifier`;
|
|
47
|
+
patcher.patch(_export.prototype, 'quoteIdentifier', {
|
|
48
|
+
name,
|
|
49
|
+
patchType: PATCH_TYPES.ASSESS_PROPAGATOR,
|
|
50
|
+
post(data) {
|
|
51
|
+
const trackingData = tracker.getData(data.result);
|
|
52
|
+
if (!trackingData) return;
|
|
53
|
+
|
|
54
|
+
tagRangeUtil.addInPlace(
|
|
55
|
+
trackingData.tagRanges,
|
|
56
|
+
new TagRange(0, data.result.length - 1, 'sql-encoded')
|
|
57
|
+
);
|
|
58
|
+
|
|
59
|
+
const event = new PropagationEvent({
|
|
60
|
+
context: CallContext.create(data),
|
|
61
|
+
parents: [trackingData.event],
|
|
62
|
+
signature: new Signature(name),
|
|
63
|
+
source: 'P',
|
|
64
|
+
tagRanges: trackingData.tagRanges,
|
|
65
|
+
target: 'R'
|
|
66
|
+
});
|
|
67
|
+
|
|
68
|
+
trackingData.event = event;
|
|
69
|
+
}
|
|
70
|
+
});
|
|
71
|
+
}
|
|
72
|
+
);
|
|
73
|
+
}
|
|
74
|
+
};
|