npm - @contrast/agent - Versions diffs - 4.4.1 → 4.6.0 - Mend

@contrast/agent 4.4.1 → 4.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (156) hide show

package/bin/VERSION +1 -1
package/bin/linux/contrast-service +0 -0
package/bin/mac/contrast-service +0 -0
package/bin/windows/contrast-service.exe +0 -0
package/lib/assess/hapi/route-coverage.js +3 -3
package/lib/assess/membrane/index.js +2 -8
package/lib/assess/membrane/source-membrane.js +3 -4
package/lib/assess/models/base-event.js +2 -2
package/lib/assess/models/call-context.js +0 -3
package/lib/assess/policy/propagators.json +20 -0
package/lib/assess/policy/signatures.json +103 -0
package/lib/assess/propagators/path/common.js +165 -36
package/lib/assess/propagators/path/join.js +5 -1
package/lib/assess/propagators/path/normalize.js +5 -1
package/lib/assess/propagators/path/resolve.js +11 -2
package/lib/assess/response-scanning/autocomplete-missing.js +0 -2
package/lib/assess/response-scanning/parameter-pollution.js +0 -2
package/lib/core/arch-components/dynamodb.js +1 -2
package/lib/core/arch-components/dynamodbv3.js +44 -0
package/lib/core/arch-components/index.js +1 -0
package/lib/core/async-storage/hooks/bluebird.js +20 -0
package/lib/core/config/options.js +3 -2
package/lib/core/express/utils.js +1 -1
package/lib/core/logger/debug-logger.js +15 -17
package/lib/core/stacktrace.js +3 -4
package/lib/feature-set.js +2 -1
package/lib/hooks/encoding.js +1 -1
package/lib/hooks/frameworks/base.js +8 -2
package/lib/hooks/frameworks/http.js +23 -16
package/lib/hooks/frameworks/http2.js +73 -0
package/lib/hooks/frameworks/index.js +8 -3
package/lib/hooks/http.js +112 -128
package/lib/hooks/patcher.js +10 -12
package/lib/hooks/require.js +16 -22
package/lib/instrumentation.js +0 -3
package/lib/protect/analysis/aho-corasick.js +13 -30
package/lib/protect/rules/cmd-injection-command-backdoors/backdoor-detector.js +3 -3
package/lib/protect/rules/signatures/reflected-xss/helpers/function-call.js +1 -1
package/lib/protect/rules/xss/helpers/function-call.js +1 -1
package/lib/util/clean-stack.js +1 -1
package/lib/util/clean-string/brackets.js +3 -3
package/lib/util/clean-string/concatenations.js +1 -1
package/lib/util/clean-string/util.js +1 -2
package/lib/util/ip-analyzer.js +1 -1
package/lib/util/some.js +27 -0
package/lib/util/xml-analyzer/external-entity-finder.js +1 -1
package/package.json +14 -15
package/lib/hooks/frameworks/https.js +0 -42
package/node_modules/bindings/LICENSE.md +0 -22
package/node_modules/bindings/README.md +0 -98
package/node_modules/bindings/bindings.js +0 -221
package/node_modules/bindings/package.json +0 -32
package/node_modules/file-uri-to-path/.npmignore +0 -1
package/node_modules/file-uri-to-path/.travis.yml +0 -30
package/node_modules/file-uri-to-path/History.md +0 -21
package/node_modules/file-uri-to-path/LICENSE +0 -20
package/node_modules/file-uri-to-path/README.md +0 -74
package/node_modules/file-uri-to-path/index.d.ts +0 -2
package/node_modules/file-uri-to-path/index.js +0 -66
package/node_modules/file-uri-to-path/package.json +0 -36
package/node_modules/file-uri-to-path/test/test.js +0 -24
package/node_modules/file-uri-to-path/test/tests.json +0 -13
package/node_modules/glossy/LICENSE +0 -19
package/node_modules/glossy/README.md +0 -129
package/node_modules/glossy/index.js +0 -12
package/node_modules/glossy/lib/glossy/parse.js +0 -520
package/node_modules/glossy/lib/glossy/produce.js +0 -459
package/node_modules/glossy/package.json +0 -47
package/node_modules/glossy/test/decide.js +0 -7
package/node_modules/glossy/test/decode_pri.js +0 -24
package/node_modules/glossy/test/parse_3164.js +0 -104
package/node_modules/glossy/test/parse_5424.js +0 -106
package/node_modules/glossy/test/parse_5848.js +0 -40
package/node_modules/glossy/test/parse_8601.js +0 -14
package/node_modules/glossy/test/parse_rfc3339.js +0 -9
package/node_modules/glossy/test/produce.js +0 -162
package/node_modules/glossy/test/runner.js +0 -40
package/node_modules/glossy/test/structure_data.js +0 -24
package/node_modules/nan/CHANGELOG.md +0 -537
package/node_modules/nan/LICENSE.md +0 -13
package/node_modules/nan/README.md +0 -455
package/node_modules/nan/doc/asyncworker.md +0 -146
package/node_modules/nan/doc/buffers.md +0 -54
package/node_modules/nan/doc/callback.md +0 -76
package/node_modules/nan/doc/converters.md +0 -41
package/node_modules/nan/doc/errors.md +0 -226
package/node_modules/nan/doc/json.md +0 -62
package/node_modules/nan/doc/maybe_types.md +0 -583
package/node_modules/nan/doc/methods.md +0 -664
package/node_modules/nan/doc/new.md +0 -147
package/node_modules/nan/doc/node_misc.md +0 -123
package/node_modules/nan/doc/object_wrappers.md +0 -263
package/node_modules/nan/doc/persistent.md +0 -296
package/node_modules/nan/doc/scopes.md +0 -73
package/node_modules/nan/doc/script.md +0 -38
package/node_modules/nan/doc/string_bytes.md +0 -62
package/node_modules/nan/doc/v8_internals.md +0 -199
package/node_modules/nan/doc/v8_misc.md +0 -85
package/node_modules/nan/include_dirs.js +0 -1
package/node_modules/nan/nan.h +0 -2898
package/node_modules/nan/nan_callbacks.h +0 -88
package/node_modules/nan/nan_callbacks_12_inl.h +0 -514
package/node_modules/nan/nan_callbacks_pre_12_inl.h +0 -520
package/node_modules/nan/nan_converters.h +0 -72
package/node_modules/nan/nan_converters_43_inl.h +0 -68
package/node_modules/nan/nan_converters_pre_43_inl.h +0 -42
package/node_modules/nan/nan_define_own_property_helper.h +0 -29
package/node_modules/nan/nan_implementation_12_inl.h +0 -430
package/node_modules/nan/nan_implementation_pre_12_inl.h +0 -263
package/node_modules/nan/nan_json.h +0 -166
package/node_modules/nan/nan_maybe_43_inl.h +0 -356
package/node_modules/nan/nan_maybe_pre_43_inl.h +0 -268
package/node_modules/nan/nan_new.h +0 -340
package/node_modules/nan/nan_object_wrap.h +0 -156
package/node_modules/nan/nan_persistent_12_inl.h +0 -132
package/node_modules/nan/nan_persistent_pre_12_inl.h +0 -242
package/node_modules/nan/nan_private.h +0 -73
package/node_modules/nan/nan_string_bytes.h +0 -305
package/node_modules/nan/nan_typedarray_contents.h +0 -96
package/node_modules/nan/nan_weak.h +0 -437
package/node_modules/nan/package.json +0 -41
package/node_modules/nan/tools/1to2.js +0 -412
package/node_modules/nan/tools/README.md +0 -14
package/node_modules/nan/tools/package.json +0 -19
package/node_modules/unix-dgram/LICENSE +0 -13
package/node_modules/unix-dgram/README.md +0 -107
package/node_modules/unix-dgram/binding.gyp +0 -20
package/node_modules/unix-dgram/build/Makefile +0 -324
package/node_modules/unix-dgram/build/Release/.deps/Release/obj.target/unix_dgram/src/unix_dgram.o.d +0 -58
package/node_modules/unix-dgram/build/Release/.deps/Release/obj.target/unix_dgram.node.d +0 -1
package/node_modules/unix-dgram/build/Release/.deps/Release/unix_dgram.node.d +0 -1
package/node_modules/unix-dgram/build/Release/obj.target/unix_dgram/src/unix_dgram.o +0 -0
package/node_modules/unix-dgram/build/Release/obj.target/unix_dgram.node +0 -0
package/node_modules/unix-dgram/build/Release/unix_dgram.node +0 -0
package/node_modules/unix-dgram/build/binding.Makefile +0 -6
package/node_modules/unix-dgram/build/config.gypi +0 -213
package/node_modules/unix-dgram/build/unix_dgram.target.mk +0 -159
package/node_modules/unix-dgram/lib/unix_dgram.js +0 -168
package/node_modules/unix-dgram/package.json +0 -36
package/node_modules/unix-dgram/src/unix_dgram.cc +0 -404
package/node_modules/unix-dgram/src/win_dummy.cc +0 -7
package/node_modules/unix-dgram/test/test-connect-callback.js +0 -68
package/node_modules/unix-dgram/test/test-connect.js +0 -53
package/node_modules/unix-dgram/test/test-dgram-unix.js +0 -58
package/node_modules/unix-dgram/test/test-send-error.js +0 -26
package/node_modules/winston-syslog/.eslintrc +0 -7
package/node_modules/winston-syslog/.travis.yml +0 -14
package/node_modules/winston-syslog/CHANGELOG.md +0 -9
package/node_modules/winston-syslog/LICENSE +0 -20
package/node_modules/winston-syslog/README.md +0 -135
package/node_modules/winston-syslog/lib/utils.js +0 -26
package/node_modules/winston-syslog/lib/winston-syslog.js +0 -385
package/node_modules/winston-syslog/package.json +0 -56
package/node_modules/winston-syslog/test/format-test.js +0 -122
package/node_modules/winston-syslog/test/syslog-test.js +0 -95
package/node_modules/winston-syslog/test/unix-connect-test.js +0 -133

package/bin/VERSION CHANGED Viewed

	@@ -1 +1 @@
1	- 2.26.0
1	+ 2.27.3

package/bin/linux/contrast-service CHANGED Viewed

Binary file

package/bin/mac/contrast-service CHANGED Viewed

Binary file

package/bin/windows/contrast-service.exe CHANGED Viewed

Binary file

package/lib/assess/hapi/route-coverage.js CHANGED Viewed

@@ -151,9 +151,9 @@ class RouteCoverage {
    */
   createSignature({ method, path }) {
     let signature = 'server.route({ method: ';
-    Array.isArray(method)
-      ? (signature += `["${method.join('", "')}"]`)
-      : (signature += `"${method}"`);
+    signature += Array.isArray(method)
+      ? `["${method.join('", "')}"]`
+      : `"${method}"`;
     signature += `, path: "${path}" })`;
     return signature;

package/lib/assess/membrane/index.js CHANGED Viewed

@@ -280,10 +280,6 @@ class Membrane {
       return this.wrapArray(target, metadata);
     }
-    // Object.defineProperty(target, util.inspect.custom, {
-    //   target: typeof target === 'string' ? () => `'${target}'` : () => target
-    // });
     return this.wrapObject(target, metadata);
   }
 }
@@ -310,12 +306,10 @@ function makeHandler(membrane, metadata) {
       // https://www.ecma-international.org/ecma-262/7.0/#sec-proxy-object-internal-methods-and-internal-slots-get-p-receiver
       // satisfy invariant
       const desc = Object.getOwnPropertyDescriptor(tar, prop);
-      // if (desc && (desc.writable || desc.set || desc.configurable)) {
       if (desc && desc.configurable) {
         r = membrane.wrap(r, copyMetadata(tar, prop, metadata));
-      } else {
-        // invariant case; can't wrap
-      }
+      } // else: invariant case; can't wrap
       return r;
     },

package/lib/assess/membrane/source-membrane.js CHANGED Viewed

@@ -294,10 +294,9 @@ module.exports = class SourceMembrane extends Membrane {
     if (!(metadata.sourceType && metadata.path)) {
       return false;
     }
-    const koaQueryString = metadata.path.match(/(\w+)=/);
-    if (koaQueryString) {
-      // get 1st capture group, fall back to `metadata.path` if for some reason this does not exist
-      metadata.path = koaQueryString[1] || metadata.path;
+    const koaQueryString = metadata.path.split('=');
+    if (koaQueryString[1]) {
+      metadata.path = koaQueryString[0];
     }
     return true;
   }

package/lib/assess/models/base-event.js CHANGED Viewed

@@ -166,7 +166,7 @@ class BaseEvent {
  * @return {BaseEvent[]} sorted list of events
  */
 function sortEvents(events) {
-  const sorted = events.sort((a, b) => {
+  events.sort((a, b) => {
     let parentsfactor = 0;
     if (a.parents.length > b.parents.length) {
       parentsfactor = -1;
@@ -184,7 +184,7 @@ function sortEvents(events) {
     return parentsfactor + timefactor;
   });
-  return sorted;
+  return events;
 }
 module.exports = BaseEvent;

package/lib/assess/models/call-context.js CHANGED Viewed

@@ -153,9 +153,6 @@ module.exports = class CallContext {
       return value.toString();
     }
-    // FIXME
-    // if value === JSON, if value === Buffer, etc to put proper constructor name for static methods?
     const constructorName = _.get(value, 'constructor.name', 'null');
     if (constructorName === 'Object' && value) {

package/lib/assess/policy/propagators.json CHANGED Viewed

@@ -67,6 +67,26 @@
         "type": "keep"
       }
     },
+    "dust.escapeHtml": {
+      "enabled": true,
+      "source": "P",
+      "target": "R",
+      "tags": ["html-encoded"],
+      "type": "overload",
+      "command": {
+        "type": "keep"
+      }
+    },
+    "dust.escapeJs": {
+      "enabled": true,
+      "source": "P",
+      "target": "R",
+      "tags": ["javascript-encoded"],
+      "type": "overload",
+      "command": {
+        "type": "keep"
+      }
+    },
     "pug.compile": {
       "enabled": true,
       "provider": "./propagators/pug-compile.js"