@contrast/agent 4.4.0-beta.0 → 4.4.1

@@ -14,7 +14,6 @@ Copyright: 2021 Contrast Security, Inc
14
14
  */
15
15
  'use strict';
16
16
 
17
- const _ = require('lodash');
18
17
  const logger = require('../../../core/logger')('contrast:tagRange');
19
18
 
20
19
  const Relationships = require('./relationships');
@@ -27,14 +26,13 @@ const DEFAULT_TAG = 'untrusted';
27
26
  */
28
27
  class TagRange {
29
28
  /**
30
- * Validates the arguments to the contructor call.
31
- * @param {number} start The starting index to track.
32
- * @param {number} stop The stopping index to track.
33
- * @param {string} tag The name of the tag.
29
+ * @param {number} start The starting index of string tracking on the data having the tag.
30
+ * @param {number} stop The stopping index of string tracking on the data having the tag.
31
+ * @param {string?} tag The name of the tag (default is "untrusted").
34
32
  */
35
- static validate(start, stop, tag = DEFAULT_TAG) {
36
- const bothFinite = _.isFinite(start) && _.isFinite(stop);
37
- if (start > stop || !bothFinite) {
33
+ constructor(start, stop, tag = DEFAULT_TAG) {
34
+ // Validates the arguments to the contructor call.
35
+ if (!(start <= stop && start >= 0)) {
38
36
  logger.debug(
39
37
  'could not create tag %s with invalid range start: %s, stop %s.',
40
38
  tag,
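Review bot: The new guard `if (!(start <= stop && start >= 0))` on new-side line 35 drops the finiteness requirement the removed `_.isFinite` check enforced, so `Infinity` as a bound, and values that merely coerce to numbers such as the string `'5'`, now pass as a valid index; `NaN` is still rejected because both comparisons are false. As before, the branch only logs at debug level and then falls through to the field assignments, so a bad range is still constructed and tracked — if that is deliberate the comment should say so. Suggest `if (!(Number.isFinite(start) && Number.isFinite(stop) && start >= 0 && start <= stop)) {` to keep the previous contract without lodash, and `// Validates the arguments to the constructor call; an invalid range is logged, not rejected.` in place of the comment that misspells "constructor". The if body and the rest of the constructor continue in the next hunk.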
@@ -42,15 +40,7 @@ class TagRange {
42
40
  stop
43
41
  );
44
42
  }
45
- }
46
43
 
47
- /**
48
- * @param {number} start The starting index of string tracking on the data having the tag.
49
- * @param {number} stop The stopping index of string tracking on the data having the tag.
50
- * @param {string?} tag The name of the tag (default is "untrusted").
51
- */
52
- constructor(start, stop, tag = DEFAULT_TAG) {
53
- TagRange.validate(start, stop, tag);
54
44
  /** @type {string} */
55
45
  this.tag = tag;
56
46
  /** @type {number} */
@@ -397,11 +397,13 @@
397
397
  },
398
398
  "ejs.Template.prototype.generateSource": {
399
399
  "moduleName": "ejs",
400
+ "version": ">=2.6.2",
400
401
  "methodName": "Template.prototype.generateSource",
401
402
  "isModule": true
402
403
  },
403
404
  "ejs.utils.escapeXML": {
404
405
  "moduleName": "ejs",
406
+ "version": ">=2.6.2",
405
407
  "fileName": "lib/utils.js",
406
408
  "methodName": "escapeXML",
407
409
  "isModule": true
@@ -372,12 +372,19 @@ utils.createHookFromSignature = function(signature, options, patchType) {
372
372
  requireHook.resolve(
373
373
  {
374
374
  name: signature.moduleName,
375
- file: signature.fileName
375
+ file: signature.fileName,
376
+ version: signature.version
376
377
  },
377
378
  requireCallback
378
379
  );
379
380
  } else {
380
- requireHook.resolve({ name: signature.moduleName }, requireCallback);
381
+ requireHook.resolve(
382
+ {
383
+ name: signature.moduleName,
384
+ version: signature.version
385
+ },
386
+ requireCallback
387
+ );
381
388
  }
382
389
  } else {
383
390
  const mod = global[signature.moduleName],
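Review bot: Both `requireHook.resolve` calls now build the same `{ name, version }` object and differ only in the `file` property, so the version wiring is duplicated across the two branches and will drift the next time a field is added. When a signature has no version the object also carries an explicit `version: undefined` key; whether `@contrast/require-hook` ^2.0.5 treats that as "no constraint" is not visible in this diff and is worth confirming. The branch condition and the start of `createHookFromSignature` are above the hunk, so the rewrite below keeps that test as-is.
```javascript
// … unchanged: the test above the hunk that selects the file-specific branch …
const target = { name: signature.moduleName, version: signature.version };
if (/* same test the existing if/else uses */) {
  target.file = signature.fileName;
}
requireHook.resolve(target, requireCallback);
// … unchanged: global-module branch below …
```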
@@ -33,6 +33,7 @@ const { PATCH_TYPES } = require('../../constants');
33
33
  const requireHook = require('../../hooks/require');
34
34
  const { Signature, CallContext } = require('../models');
35
35
  const policy = require('../policy');
36
+ const Scopes = require('../../core/async-storage/scopes');
36
37
 
37
38
  const ruleId = 'nosql-injection';
38
39
  const disallowedTags = [
@@ -268,13 +269,16 @@ module.exports = ({ common }) => {
268
269
  */
269
270
  mongoSink.assess = (query, context) => {
270
271
  const searchDepth = 3;
271
-
272
- const vulnerableString = common.isVulnerable({
273
- searchDepth,
274
- disallowedTags,
275
- requiredTags,
276
- input: query
277
- });
272
+ let vulnerableString;
273
+
274
+ Scopes.runInAllowAllScope(() => {
275
+ vulnerableString = common.isVulnerable({
276
+ searchDepth,
277
+ disallowedTags,
278
+ requiredTags,
279
+ input: query
280
+ });
281
+ }, 'mongodbSink.assess');
278
282
 
279
283
  if (vulnerableString) {
280
284
  mongoSink.report(vulnerableString, context);
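Review bot: `vulnerableString` is declared with `let` outside the scope callback and assigned inside it, so `mongoSink.assess` now depends on `Scopes.runInAllowAllScope` invoking the callback synchronously and surfacing any error thrown by `common.isVulnerable`; if the helper defers the call or catches the exception, the variable stays `undefined` and the sink silently reports nothing for that query. The Scopes implementation is not in this diff, so that behaviour needs confirming. If `runInAllowAllScope` returns the callback's value, `const vulnerableString = Scopes.runInAllowAllScope(() => common.isVulnerable({ searchDepth, disallowedTags, requiredTags, input: query }), 'mongodbSink.assess');` removes the mutable binding and makes the dependency explicit. The scope label `'mongodbSink.assess'` also does not match the object name `mongoSink`, and a one-line comment on why the check must run inside an allow-all scope would help, since the hunk gives no hint.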
@@ -309,7 +309,7 @@ endif
309
309
 
310
310
  quiet_cmd_regen_makefile = ACTION Regenerating $@
311
311
  cmd_regen_makefile = cd $(srcdir); /opt/hostedtoolcache/node/12.22.6/x64/lib/node_modules/npm/node_modules/node-gyp/gyp/gyp_main.py -fmake --ignore-environment "-Dlibrary=shared_library" "-Dvisibility=default" "-Dnode_root_dir=/home/runner/.cache/node-gyp/12.22.6" "-Dnode_gyp_dir=/opt/hostedtoolcache/node/12.22.6/x64/lib/node_modules/npm/node_modules/node-gyp" "-Dnode_lib_file=/home/runner/.cache/node-gyp/12.22.6/<(target_arch)/node.lib" "-Dmodule_root_dir=/home/runner/work/node-agent/node-agent/target/node_modules/unix-dgram" "-Dnode_engine=v8" "--depth=." "-Goutput_dir=." "--generator-output=build" -I/home/runner/work/node-agent/node-agent/target/node_modules/unix-dgram/build/config.gypi -I/opt/hostedtoolcache/node/12.22.6/x64/lib/node_modules/npm/node_modules/node-gyp/addon.gypi -I/home/runner/.cache/node-gyp/12.22.6/include/node/common.gypi "--toplevel-dir=." binding.gyp
312
- Makefile: $(srcdir)/binding.gyp $(srcdir)/../../../../../../../../opt/hostedtoolcache/node/12.22.6/x64/lib/node_modules/npm/node_modules/node-gyp/addon.gypi $(srcdir)/../../../../../../.cache/node-gyp/12.22.6/include/node/common.gypi $(srcdir)/build/config.gypi
312
+ Makefile: $(srcdir)/../../../../../../../../opt/hostedtoolcache/node/12.22.6/x64/lib/node_modules/npm/node_modules/node-gyp/addon.gypi $(srcdir)/../../../../../../.cache/node-gyp/12.22.6/include/node/common.gypi $(srcdir)/binding.gyp $(srcdir)/build/config.gypi
313
313
  $(call do_cmd,regen_makefile)
314
314
 
315
315
  # "all" is a concatenation of the "all" targets from all the included
@@ -126,7 +126,7 @@
126
126
  "progress": "",
127
127
  "https_proxy": "",
128
128
  "save_prod": "",
129
- "npm_session": "122c0d87d87563f8",
129
+ "npm_session": "fb860f4007af86fc",
130
130
  "audit": "true",
131
131
  "cidr": "",
132
132
  "onload_script": "",
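--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@contrast/agent",
- "version": "4.4.0-beta.0",
+ "version": "4.4.1",
  "description": "Node.js security instrumentation by Contrast Security",
  "keywords": [
  "security",
@@ -74,7 +74,7 @@
  "@contrast/fn-inspect": "^2.4.2",
  "@contrast/heapdump": "^1.1.0",
  "@contrast/protobuf-api": "^3.2.0",
- "@contrast/require-hook": "^2.0.4",
+ "@contrast/require-hook": "^2.0.5",
  "@contrast/synchronous-source-maps": "^1.1.0",
  "amqp-connection-manager": "^3.2.2",
  "amqplib": "^0.8.0",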