npm - @contrast/agent - Versions diffs - 4.5.2 → 4.8.0 - Mend

@contrast/agent 4.5.2 → 4.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (666) hide show

package/lib/assess/policy/init.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/policy/propagators.json CHANGED Viewed

@@ -40,10 +40,18 @@
       "enabled": true,
       "override": "./propagators/JSON/parse.js"
     },
+    "mongoose": {
+      "enabled": true,
+      "override": "./propagators/mongoose"
+    },
     "String": {
       "enabled": true,
       "override": "./propagators/string.js"
     },
+    "Number": {
+      "enabled": true,
+      "override": "./propagators/number.js"
+    },
     "Object": {
       "enabled": true,
       "override": "./propagators/object.js"
@@ -59,13 +67,15 @@
     },
     "mustache.escape": {
       "enabled": true,
-      "source": "P",
-      "target": "R",
-      "tags": ["html-encoded"],
-      "type": "overload",
-      "command": {
-        "type": "keep"
-      }
+      "provider": "./propagators/mustache/escape.js"
+    },
+    "dust.escapeHtml": {
+      "enabled": true,
+      "provider": "./propagators/dustjs/escape-html.js"
+    },
+    "dust.escapeJs": {
+      "enabled": true,
+      "provider": "./propagators/dustjs/escape-js.js"
     },
     "pug.compile": {
       "enabled": true,
@@ -329,23 +339,11 @@
     },
     "encodeURI": {
       "enabled": true,
-      "type": "overload",
-      "tags": ["weak-url-encoded"],
-      "source": "P",
-      "target": "R",
-      "command": {
-        "type": "keep"
-      }
+      "provider": "./propagators/encode-uri/encode-uri.js"
     },
     "encodeURIComponent": {
       "enabled": true,
-      "type": "overload",
-      "tags": ["url-encoded"],
-      "source": "P",
-      "target": "R",
-      "command": {
-        "type": "keep"
-      }
+      "provider": "./propagators/encode-uri/encode-uri-component.js"
     },
     "process.__add": {
       "enabled": true,

package/lib/assess/policy/rules.json CHANGED Viewed

@@ -1157,7 +1157,7 @@
             "args": [
               {
                 "index": 0,
-                "disallowedTags": ["limited-chars", "alphanum-space-hyphen"],
+                "disallowedTags": ["limited-chars", "alphanum-space-hyphen", "custom-validated-nosql-injection"],
                 "requiredTags": ["untrusted"]
               }
             ]
@@ -1172,7 +1172,7 @@
             "args": [
               {
                 "index": 0,
-                "disallowedTags": [],
+                "disallowedTags": ["custom-validated-nosql-injection"],
                 "requiredTags": ["untrusted"]
               }
             ]
@@ -1371,6 +1371,11 @@
       "type": "http",
       "provider": "./sinks/hapi-16-xss"
     },
+    "reflected-xss_dustjs-linkedin": {
+      "enabled": true,
+      "type": "http",
+      "provider": "./sinks/dustjs-linkedin-xss"
+    },
     "reflected-xss": {
       "enabled": true,
       "type": "hook",

package/lib/assess/policy/signatures.json CHANGED Viewed

@@ -20,6 +20,11 @@
       "methodName": "domainToUnicode",
       "isModule": true
     },
+    "template strings": {
+      "moduleName": "global",
+      "methodName": "ContrastMethods.__contrastTag",
+      "isModule": false
+    },
     "axios": {
       "moduleName": "axios",
       "methodName": "",
@@ -233,6 +238,16 @@
       "methodName": "escape",
       "isModule": true
     },
+    "dust.escapeHtml": {
+      "moduleName": "dustjs-linkedin",
+      "methodName": "escapeHtml",
+      "isModule": true
+    },
+    "dust.escapeJs": {
+      "moduleName": "dustjs-linkedin",
+      "methodName": "escapeJs",
+      "isModule": true
+    },
     "express.response.send": {
       "moduleName": "express",
       "version": ">=4.0.0",
@@ -632,6 +647,11 @@
       "methodName": "toNamespacedPath",
       "isModule": true
     },
+    "path.normalize": {
+      "moduleName": "path",
+      "methodName": "normalize",
+      "isModule": true
+    },
     "util.format": {
       "moduleName": "util",
       "methodName": "format",
@@ -1130,12 +1150,6 @@
       "methodName": "isMobilePhone",
       "isModule": true
     },
-    "validator.isMongoId": {
-      "moduleName": "validator",
-      "version": ">=13.0.0",
-      "methodName": "isMongoId",
-      "isModule": true
-    },
     "validator.isNumeric": {
       "moduleName": "validator",
       "version": ">=13.0.0",
@@ -1298,6 +1312,18 @@
       "methodName": "string.domain",
       "isModule": true
     },
+    "mongoose.string.doValidateSync": {
+      "moduleName": "mongoose",
+      "version": ">=5.0.0",
+      "methodName": "mongoose.string.doValidateSync",
+      "isModule": true
+    },
+    "mongoose.map.doValidateSync": {
+      "moduleName": "mongoose",
+      "version": ">=5.0.0",
+      "methodName": "mongoose.map.doValidateSync",
+      "isModule": true
+    },
     "v8.deserialize.serialize": {
       "moduleName": "v8",
       "methodName": "deserialize.serialize",
@@ -1307,6 +1333,16 @@
       "moduleName": "node-serialize",
       "methodName": "unserialize",
       "isModule": true
+    },
+    "dustjs-linkedin": {
+      "moduleName": "dustjs-linkedin",
+      "methodName": "pipe",
+      "isModule": true
+    },
+    "Number": {
+      "moduleName": "Number",
+      "methodName": "isNaN",
+      "isModule": false
     }
   }
 }

package/lib/assess/policy/util.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -89,6 +89,7 @@ utils.isRuleEnabled = function(ruleId) {
  * @param {boolean} enabled	What to set the enabled property to
  */
 utils.setEnabled = function(node, enabled) {
+  /*eslint no-prototype-builtins: "warn"*/
   if (node.hasOwnProperty('enabled')) {
     node.enabled = enabled;
     return true;
@@ -236,7 +237,7 @@ utils.patchRecursive = function(obj, hookOptions, depth) {
       }
     }
   } catch (e) {
-    logger.info(`unable to recurisvely patch ${e}`);
+    logger.info(`unable to recursively patch ${e}`);
   }
   return obj;

package/lib/assess/propagators/JSON/parse.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -41,7 +41,7 @@ module.exports.handle = function() {
     name: ContrastJSON.name,
     patchType: PATCH_TYPES.ASSESS_PROPAGATOR,
     post(data) {
-      const props = tracker.getData2(data.args[0]);
+      const props = tracker.getData(data.args[0]);
       const { result } = data;
       if (props && result) {
         const membrane = new DeserializationMembrane(data, props);

package/lib/assess/propagators/JSON/stringify.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -64,7 +64,7 @@ function getUntrustedSpaceProps(space) {
   }
   // otherwise if the space string is tracked then the entire json output inherits
   // the tracked string's tags.
-  const props = tracker.getData2(space);
+  const props = tracker.getData(space);
   if (!props || props.tagRanges.length === 0) {
     return null;
   }
@@ -185,7 +185,7 @@ module.exports.handle = function() {
        */
       function contrastReplacer(key, val) {
         let isTracked = false;
-        const valProperties = tracker.getData2(val);
+        const valProperties = tracker.getData(val);
         if (valProperties && valProperties.tagRanges.length) {
           data.metadata.propagate = true;
           isTracked = true;
@@ -256,7 +256,7 @@ module.exports.handle = function() {
         }
       }
-      const tracked = tracker.track2(data.result);
+      const tracked = tracker.track(data.result);
       if (!tracked) {
         return data.result;
       }

package/lib/assess/propagators/ajv/conditionals.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/propagators/ajv/evaluator-shim.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/propagators/ajv/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/propagators/ajv/json-schema-type-evaluators.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/propagators/ajv/object-walk.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/propagators/ajv/refs.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/propagators/ajv/schema-context.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/propagators/array-prototype-join.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -27,7 +27,7 @@ module.exports.handle = function handle(data) {
     return;
   }
-  // this handles join() andd join(undefined)
+  // this handles join() and join(undefined)
   const del = data.args[0] === undefined ? ',' : data.args[0];
   const parentEvents = [];
@@ -38,7 +38,7 @@ module.exports.handle = function handle(data) {
   let delimiterTracked = false;
-  if (delimiterProperties.tracked) {
+  if (delimiterProperties) {
     delimiterTracked = true;
     parentEvents.push(delimiterProperties.event);
     delimiterTagRanges.push(...delimiterProperties.tagRanges);
@@ -56,21 +56,20 @@ module.exports.handle = function handle(data) {
   if (delimiterTracked || elementTracked) {
     const tracked = tracker.track(data.result);
-    const metadata = tracker.getData(tracked);
-    if (!metadata.tracked) {
+    if (!tracked) {
       return;
     }
-    metadata.event = createEvent(
+    tracked.props.event = createEvent(
       data,
       resultTagRanges,
       parentEvents,
       delimiterTracked,
       elementTracked
     );
-    metadata.tagRanges = resultTagRanges;
+    tracked.props.tagRanges = resultTagRanges;
-    data.result = tracked;
+    data.result = tracked.str;
   }
 };
@@ -98,7 +97,7 @@ function propagateArrayData(
     const elem = array[i];
     const elemProperties = tracker.getData(elem);
-    if (elem && elemProperties.tracked) {
+    if (elem && elemProperties) {
       parentEvents.push(elemProperties.event);
       targetData.elementTracked = true;

package/lib/assess/propagators/common.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -62,7 +62,7 @@ const escapeRegExp = (str) => {
  */
 const addTagRangesWithOffset = (metadata, arg) => {
   const argData = tracker.getData(arg);
-  if (argData.tracked) {
+  if (argData) {
     tagRangeUtil.addAllWithOffsetInPlace(
       metadata.tagRanges,
       argData.tagRanges,
@@ -115,10 +115,12 @@ const createEvent = ({ tagRanges, method, parents }, data) => {
  */
 const trackResult = (metadata, data) => {
   if (metadata.tagRanges.length) {
-    data.result = tracker.track(data.result);
-    const trackedMeta = tracker.getData(data.result);
-    trackedMeta.tagRanges = metadata.tagRanges;
-    trackedMeta.event = createEvent(metadata, data);
+    const tracked = tracker.track(data.result);
+    if (tracked) {
+      tracked.props.tagRanges = metadata.tagRanges;
+      tracked.props.event = createEvent(metadata, data);
+      data.result = tracked.str;
+    }
   }
 };

package/lib/assess/propagators/dustjs/escape-html.js ADDED Viewed

@@ -0,0 +1,22 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const { propagate } = require('../template-escape');
+function handler(data) {
+  propagate(data, 'html-encoded', 'dustjs-linkedin.escapeHtml');
+}
+module.exports.handle = handler;

package/lib/assess/propagators/dustjs/escape-js.js ADDED Viewed

@@ -0,0 +1,22 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const { propagate } = require('../template-escape');
+function handler(data) {
+  propagate(data, 'javascript-encoded', 'dustjs-linkedin.escapeJs');
+}
+module.exports.handle = handler;

package/lib/assess/propagators/ejs-template-generate-source.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/propagators/encode-uri/encode-uri-component.js ADDED Viewed

@@ -0,0 +1,22 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const { propagate } = require('../template-escape');
+function handler(data) {
+  propagate(data, 'url-encoded', 'global.encodeURIComponent');
+}
+module.exports.handle = handler;

package/lib/assess/propagators/encode-uri/encode-uri.js ADDED Viewed

@@ -0,0 +1,22 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const { propagate } = require('../template-escape');
+function handler(data) {
+  propagate(data, 'weak-url-encoded', 'global.encodeURI');
+}
+module.exports.handle = handler;

package/lib/assess/propagators/handlebars-compile.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/propagators/handlebars-escape-expresssion.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -48,7 +48,7 @@ function patchUtilsExport(utilsExport) {
     alwaysRun: true,
     post(data) {
       const trackData = tracker.getData(data.result);
-      if (trackData.tracked) {
+      if (trackData) {
         trackData.tagRanges = tagRangeUtil.add(
           trackData.tagRanges,
           new TagRange(0, data.result.length - 1, 'html-encoded')

package/lib/assess/propagators/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -128,8 +128,6 @@ const generateHookWrappers = (agent, policyNode, key) => {
     } else {
       ({ pre, post } = provider.handle);
     }
-    propagatorDescriptor.provider = provider.handle;
   } else {
     // generic propagator
     post = new Propagator(agent, propagatorDescriptor);

package/lib/assess/propagators/joi/boolean.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -42,7 +42,7 @@ function instrumentJoiBoolean(boolean) {
         if (
           data.result &&
           typeof data.result.value === 'boolean' &&
-          trackingData.tracked
+          trackingData
         ) {
           const { event } = trackingData;
           trackingData.tagRanges = tagRangeUtil.add(

package/lib/assess/propagators/joi/expression.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -32,7 +32,7 @@ function instrumentJoiExpression(expression) {
     patchType: ASSESS_PROPAGATOR,
     post(data) {
       const trackingData = tracker.getData(data.args[0]);
-      if (trackingData.tracked && data.result._template) {
+      if (trackingData && data.result._template) {
         trackingData.tagRanges = tagRangeUtil.add(
           trackingData.tagRanges,
           new TagRange(0, data.args[0].length - 1, 'html-encoded')

package/lib/assess/propagators/joi/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/propagators/joi/number.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -41,7 +41,7 @@ function instrumentJoiNumber(number) {
           data.result &&
           data.result.value &&
           !data.result.errors &&
-          trackingData.tracked
+          trackingData
         ) {
           const { event } = trackingData;
           trackingData.tagRanges = tagRangeUtil.add(

package/lib/assess/propagators/joi/string-base.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -37,7 +37,7 @@ function instrumentJoiString(string) {
       patchType: ASSESS_PROPAGATOR,
       post(data) {
         const trackingData = tracker.getData(data.args[0]);
-        if (data.result === undefined && trackingData.tracked) {
+        if (data.result === undefined && trackingData) {
           const { event } = trackingData;
           trackingData.tagRanges = tagRangeUtil.add(
             trackingData.tagRanges,