npm - @contrast/agent - Versions diffs - 4.5.2 → 4.8.0 - Mend

@contrast/agent 4.5.2 → 4.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (666) hide show

package/lib/assess/propagators/string-prototype-split.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -164,28 +164,27 @@ module.exports.handle = {
           if (tagStart !== null) {
             newTagRanges.push(new TagRange(tagStart, tagStop, tag.tag));
             const tracked = tracker.track(stringPart);
-            const props = tracker.getData(tracked);
-            if (!props.tagRanges) {
-              props.tagRanges = [];
+            if (tracked) {
+              tracked.props.tagRanges.push(new TagRange(tagStart, tagStop, tag.tag));
+              result[i] = tracked.str;
             }
-            props.tagRanges.push(new TagRange(tagStart, tagStop, tag.tag));
-            result[i] = tracked;
           }
         });
         if (newTagRanges.length > 0) {
           const tracked = tracker.track(stringPart);
-          const props = tracker.getData(tracked);
-          props.tagRanges = newTagRanges;
-          result[i] = tracked;
-          const event = new PropagationEvent({
-            context: ctxt,
-            signature: sig,
-            tagRanges: tracked.tagRanges,
-            source: 'O',
-            target: 'R'
-          });
-          event.parents.push(oldEvent);
-          props.event = event;
+          if (tracked) {
+            tracked.props.tagRanges = newTagRanges;
+            result[i] = tracked.str;
+            const event = new PropagationEvent({
+              context: ctxt,
+              signature: sig,
+              tagRanges: tracked.props.tagRanges,
+              source: 'O',
+              target: 'R'
+            });
+            event.parents.push(oldEvent);
+            tracked.props.event = event;
+          }
         }
       }
       data.result = result;
@@ -225,21 +224,21 @@ function handleEmptySeperator(data, oldTagRanges, oldEvent) {
       if (sharedCharInfo.has(i)) {
         info = sharedCharInfo.get(i);
       } else {
-        const trackedString = tracker.track(char);
-        const trackedProperties = tracker.getData(trackedString);
-        const event = new PropagationEvent({
-          context: ctxt,
-          signature: sig,
-          tagRanges: getTagRanges(trackedString),
-          source: 'O',
-          target: 'R'
-        });
-        trackedProperties.event = event;
-        info = { event, tagRanges: trackedProperties.tagRanges };
-        sharedCharInfo.set(i, info);
-        result[i] = trackedString;
+        const tracked = tracker.track(char);
+        if (tracked) {
+          const event = new PropagationEvent({
+            context: ctxt,
+            signature: sig,
+            tagRanges: getTagRanges(tracked.str),
+            source: 'O',
+            target: 'R'
+          });
+          tracked.props.event = event;
+          info = { event, tagRanges: tracked.props.tagRanges };
+          sharedCharInfo.set(i, info);
+          result[i] = tracked.str;
+        }
       }
       info.tagRanges.push(new TagRange(0, 0, tag.tag));
@@ -257,10 +256,11 @@ function transferTracking(origString, resultArray) {
   for (let i = 0; i < resultArray.length; i++) {
     const tracked = tracker.track(resultArray[i]);
-    const trackedProperties = tracker.getData(tracked);
-    trackedProperties.tagRanges = getTagRanges(origString);
-    trackedProperties.event = getEvent(origString);
-    resultArray[i] = tracked;
+    if (tracked) {
+      tracked.props.tagRanges = getTagRanges(origString);
+      tracked.props.event = getEvent(origString);
+      resultArray[i] = tracked.str;
+    }
   }
   return resultArray;
 }

package/lib/assess/propagators/string-prototype-trim.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -25,7 +25,7 @@ const signature = new Signature('String.prototype.trim');
 function handle(data) {
   const { obj, result } = data;
   const sourceMetadata = tracker.getData(obj);
-  if (!sourceMetadata.tracked) {
+  if (!sourceMetadata) {
     return;
   }
@@ -43,21 +43,19 @@ function handle(data) {
   }
   const tracked = tracker.track(result);
-  const trackedData = tracker.getData(tracked);
-  if (!trackedData.tracked) {
-    return;
+  if (tracked) {
+    tracked.props.tagRanges = targetRanges;
+    const context = new CallContext(data);
+    const event = new PropagationEvent({
+      context,
+      signature,
+      tagRanges: targetRanges,
+      source: 'O',
+      target: 'R'
+    });
+    event.parents.push(sourceEvent);
+    tracked.props.event = event;
+    data.result = tracked.str;
   }
-  trackedData.tagRanges = targetRanges;
-  const context = new CallContext(data);
-  const event = new PropagationEvent({
-    context,
-    signature,
-    tagRanges: targetRanges,
-    source: 'O',
-    target: 'R'
-  });
-  event.parents.push(sourceEvent);
-  trackedData.event = event;
-  data.result = tracked;
 }

package/lib/assess/propagators/string.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -41,30 +41,26 @@ function handle() {
       // Checks if the string literal form of the new String object is tracked.
       // If so, we will want to copy the existing tag ranges below.
-      if (data.obj && !argData.tracked) {
+      if (data.obj && !argData) {
         argData = tracker.getData(data.result.toString());
       }
-      if (!arg || !argData.tracked) {
+      if (!arg || !argData) {
         return;
       }
-      const newStr = tracker.track(data.result);
-      const newStrData = tracker.getData(newStr);
+      const tracked = tracker.track(data.result);
+      if (tracked) {
+        // In a constructor context, data.obj is set to the new String object.
+        // When a new String object is instantiated we must copy the existing tag
+        // ranges from the string literal to the new String object.
+        if (data.obj) {
+          tracked.props.event = argData.event;
+          tracked.props.tagRanges = tracked.props.tagRanges.concat(argData.tagRanges);
+        }
-      if (!newStrData.tracked) {
-        return;
-      }
-      // In a constructor context, data.obj is set to the new String object.
-      // When a new String object is instantiated we must copy the existing tag
-      // ranges from the string literal to the new String object.
-      if (data.obj) {
-        newStrData.event = argData.event;
-        newStrData.tagRanges = newStrData.tagRanges.concat(argData.tagRanges);
+        data.result = tracked.str;
       }
-      data.result = newStr;
     }
   });
 }

package/lib/assess/propagators/template-escape.js ADDED Viewed

@@ -0,0 +1,87 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+const tracker = require('../../tracker');
+const TagRange = require('../models/tag-range');
+const { CallContext, PropagationEvent, Signature } = require('../models');
+function getEscapedTagRanges(input, result, start, stop, tag) {
+  const textArr = input.split('').slice(start, stop + 1);
+  const escapedArr = result.split('');
+  const overlap = textArr.filter((x) => {
+    if (escapedArr.includes(x)) {
+      return x;
+    }
+  });
+  if (overlap.length === 0) {
+    return [];
+  }
+  const newTagRanges = [];
+  let firstIndex = escapedArr.indexOf(overlap[0]);
+  let currIndex = firstIndex;
+  let nextIndex;
+  for (let i = 1; i < overlap.length; i++) {
+    nextIndex = escapedArr.indexOf(overlap[i], currIndex + 1);
+    if (nextIndex !== currIndex + 1) {
+      newTagRanges.push(new TagRange(firstIndex, currIndex, tag));
+      firstIndex = nextIndex;
+    }
+    if (i === overlap.length - 1) {
+      newTagRanges.push(new TagRange(firstIndex, nextIndex, tag));
+    }
+    currIndex = nextIndex;
+  }
+  return newTagRanges;
+}
+function propagator(data, tagName, signatureName) {
+  const input = data.args[0];
+  const trackedData = tracker.getData(input);
+  if (!input || !trackedData) {
+    return;
+  }
+  // adjust tag ranges
+  const tagRanges = [];
+  trackedData.tagRanges.forEach((range) => {
+    const { start, stop, tag } = range;
+    tagRanges.push(
+      ...getEscapedTagRanges(input, data.result, start, stop, tag)
+    );
+  });
+  tagRanges.push(new TagRange(0, data.result.length - 1, tagName));
+  const tracked = tracker.track(data.result);
+  if (tracked) {
+    tracked.props.tagRanges = tagRanges;
+    tracked.props.event = new PropagationEvent({
+      context: new CallContext({
+        ...data,
+        obj: null
+      }),
+      parents: [tracked.props.event],
+      signature: new Signature(signatureName),
+      source: 'P',
+      target: 'R',
+      tagRanges,
+      tags: tagName
+    });
+    data.result = tracked.str;
+  }
+}
+module.exports.propagate = propagator;

package/lib/assess/propagators/templates.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -21,10 +21,9 @@ const tracker = require('../../tracker.js');
 const { PropagationEvent, Signature, CallContext } = require('../models');
 const { isString } = require('../../util/is-string');
+const injections = require('../../core/rewrite/injections');
-const ContrastMethods = require('../../core/rewrite/injections').get(
-  'ContrastMethods'
-);
+const ContrastMethods = injections.get('ContrastMethods');
 /**
  * In order to propagate through template literals, we leverage rewriting to
@@ -76,17 +75,17 @@ function __contrastTag(...args) {
   });
   if (tagRanges.length > 0) {
-    result = tracker.track(result);
-    const resultContrastProperties = tracker.getData(result);
-    if (resultContrastProperties.tracked) {
+    const tracked = tracker.track(result);
+    if (tracked) {
       buildProperties(
-        resultContrastProperties,
+        tracked.props,
         tagRanges,
         expressions,
-        result,
+        tracked.str,
         strings,
         sourceEvents
       );
+      result = tracked.str;
     }
   }
@@ -144,18 +143,18 @@ function buildProperties(props, tagRanges, exps, result, strings, events) {
  */
 function moveTags(exp, sourceEvents, tagRanges, offset) {
   const contrastProperties = tracker.getData(exp);
-  const tracked = contrastProperties.tracked || tagRanges.length > 0;
+  const tracked = contrastProperties || tagRanges.length > 0;
   if (!tracked) {
     return tagRanges;
   }
-  const event = contrastProperties.tracked && contrastProperties.event;
+  const event = contrastProperties && contrastProperties.event;
   if (event) {
     sourceEvents.push(event);
   }
   let newTagRanges = [];
-  if (contrastProperties.tracked) newTagRanges = contrastProperties.tagRanges;
+  if (contrastProperties) newTagRanges = contrastProperties.tagRanges;
   return tagRangeUtil.addAllWithOffset(tagRanges, newTagRanges, offset);
 }

package/lib/assess/propagators/url/url-prototype-parse.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -45,7 +45,7 @@ function handle(data) {
   const address = data.args[0];
   const sourceMetadata = tracker.getData(address);
-  if (!sourceMetadata.tracked) {
+  if (!sourceMetadata) {
     return;
   }
@@ -71,9 +71,8 @@ function propagate(sourceMetadata, address, data) {
     if (part && typeof part === 'string' && part !== '') {
       const tracked = tracker.track(part);
-      const trackedData = tracker.getData(tracked);
-      if (!trackedData.tracked) {
+      if (!tracked) {
         continue;
       }
@@ -105,10 +104,10 @@ function propagate(sourceMetadata, address, data) {
       );
       event.parents.push(sourceEvent);
-      trackedData.tagRanges = targetTagRanges;
-      trackedData.event = event;
+      tracked.props.tagRanges = targetTagRanges;
+      tracked.props.event = event;
-      url[key] = tracked;
+      url[key] = tracked.str;
     }
   }
 }

package/lib/assess/propagators/url/url-url.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -71,6 +71,9 @@ function setHostnamePortTags(urlObj, stack, args, sourceEvent) {
   }
   const hostData = tracker.getData(urlObj._contrast_host);
+  if (!hostData) {
+    return;
+  }
   const hostnameTags = tagRangeUtil.trim(hostData.tagRanges, 0, splitIndex - 1);
   const portTags = tagRangeUtil.trim(
     hostData.tagRanges,
@@ -81,21 +84,25 @@ function setHostnamePortTags(urlObj, stack, args, sourceEvent) {
   if (hostnameTags.length > 0) {
     const hostnameTracked = tracker.track(hostname);
-    tracker.getData(hostnameTracked).tagRanges = hostnameTags;
-    urlObj._contrast_hostname = hostnameTracked;
-    event = createEvent('url.URL', stack, hostnameTags, hostname, args, urlObj);
-    event.parents.push(sourceEvent);
-    event.tagRanges = hostnameTags;
-    tracker.getData(hostnameTracked).event = event;
+    if (hostnameTracked) {
+      hostnameTracked.props.tagRanges = hostnameTags;
+      urlObj._contrast_hostname = hostnameTracked.str;
+      event = createEvent('url.URL', stack, hostnameTags, hostname, args, urlObj);
+      event.parents.push(sourceEvent);
+      event.tagRanges = hostnameTags;
+      hostnameTracked.props.event = event;
+    }
   }
   if (portTags.length > 0) {
     const portTracked = tracker.track(port);
-    tracker.getData(portTracked).tagRanges = portTags;
-    urlObj._contrast_port = portTracked;
-    event = createEvent('url.URL', stack, portTags, port, args, urlObj);
-    event.parents.push(sourceEvent);
-    event.tagRanges = portTags;
-    tracker.getData(portTracked).event = event;
+    if (portTracked) {
+      portTracked.props.tagRanges = portTags;
+      urlObj._contrast_port = portTracked.str;
+      event = createEvent('url.URL', stack, portTags, port, args, urlObj);
+      event.parents.push(sourceEvent);
+      event.tagRanges = portTags;
+      portTracked.props.event = event;
+    }
   }
 }
@@ -136,26 +143,28 @@ function joinProperties(urlObj, sourceProps, separators) {
   }
   // copy tag ranges
-  const result = tracker.track(value);
   let valIdx = 0;
   sepIdx = 0;
   let tags = [];
   for (const prop of sourceProps) {
-    if (urlObj[`_contrast_${prop}`]) {
+    const trackedPropData = tracker.getData(urlObj[`_contrast_${prop}`]);
+    if (trackedPropData) {
       tags = tagRangeUtil.addAll(
         tags,
         offsetTagRanges(
-          tracker.getData(urlObj[`_contrast_${prop}`]).tagRanges,
+          trackedPropData.tagRanges,
           valIdx
         )
       );
     }
     valIdx += urlObj[prop].length + separators[sepIdx++].length;
   }
-  tracker.getData(result).tagRanges = tags;
-  return result;
+  const tracked = tracker.track(value);
+  if (tracked) {
+    tracked.props.tagRanges = tags;
+    return tracked.str;
+  }
 }
 /**
@@ -172,7 +181,8 @@ function setOriginTags(urlObj, stack, args, sourceEvent) {
   //
   const trackedOrigin = joinProperties(urlObj, SET_ORIGIN_TAGS, ['//', '']);
-  if (tracker.getData(trackedOrigin).tagRanges.length === 0) {
+  const trackedOriginData = tracker.getData(trackedOrigin);
+  if (!trackedOriginData || trackedOriginData.tagRanges.length === 0) {
     return;
   }
   urlObj._contrast_origin = trackedOrigin;
@@ -180,14 +190,14 @@ function setOriginTags(urlObj, stack, args, sourceEvent) {
   const event = createEvent(
     'url.URL',
     stack,
-    tracker.getData(trackedOrigin).tagRanges,
+    trackedOriginData.tagRanges,
     trackedOrigin,
     args,
     urlObj
   );
   event.parents.push(sourceEvent);
-  event.tagRanges = tracker.getData(trackedOrigin).tagRanges;
-  tracker.getData(trackedOrigin).event = event;
+  event.tagRanges = trackedOriginData.tagRanges;
+  trackedOriginData.event = event;
 }
 /**
@@ -221,7 +231,7 @@ function setHrefTags(urlObj, stack, args, sourceEvent) {
   const joinedHref = joinProperties(urlObj, properties, separators);
   const joinedHrefData = tracker.getData(joinedHref);
-  if (joinedHrefData.tagRanges.length === 0) {
+  if (!joinedHrefData || joinedHrefData.tagRanges.length === 0) {
     return;
   }
   urlObj._contrast_href = joinedHref;
@@ -235,7 +245,7 @@ function setHrefTags(urlObj, stack, args, sourceEvent) {
   );
   event.parents.push(sourceEvent);
   event.tagRanges = joinedHrefData.tagRanges;
-  tracker.getData(urlObj._contrast_href).event = event;
+  joinedHrefData.event = event;
 }
 /**
@@ -300,21 +310,22 @@ function copyTagsSingleSource(sourceTagRanges, sourceEvent, data) {
     copied = true;
     const trackedKey = `_contrast_${key}`;
     const tracked = tracker.track(val);
-    const trackedData = tracker.getData(tracked);
-    trackedData.tagRanges = trimmed;
-    urlObj[trackedKey] = tracked;
-    // only create the stack once because stack creation is expensive
-    stack =
-      stack ||
-      stackFactory.createSnapshot({
-        constructorOpt: data.hooked
-      })();
-    event = createEvent('url.URL', stack, trimmed, val, args, urlObj);
-    event.parents.push(sourceEvent);
-    event.tagRanges = trimmed;
-    trackedData.event = event;
+    if (tracked) {
+      tracked.props.tagRanges = trimmed;
+      urlObj[trackedKey] = tracked.str;
+      // only create the stack once because stack creation is expensive
+      stack =
+        stack ||
+        stackFactory.createSnapshot({
+          constructorOpt: data.hooked
+        })();
+      event = createEvent('url.URL', stack, trimmed, val, args, urlObj);
+      event.parents.push(sourceEvent);
+      event.tagRanges = trimmed;
+      tracked.props.event = event;
+    }
   }
   if (!copied) {
@@ -351,10 +362,7 @@ function callUnwrapped(input) {
  */
 function skipTracking(inputData, baseData) {
   // if neither input or base are tracked we can just skip tracking
-  if (
-    (!inputData.tracked && baseData && !baseData.tracked) ||
-    (!inputData.tracked && !baseData)
-  ) {
+  if (!inputData && !baseData) {
     return true;
   }
   return false;

package/lib/assess/propagators/url/utils.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/propagators/util/format.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -266,7 +266,7 @@ const propagate = function propagate(util, data) {
   };
   const fmtStrMeta = tracker.getData(fmtStr);
-  if (fmtStrMeta.tracked) {
+  if (fmtStrMeta) {
     resultMeta.fmtStrTagRanges = fmtStrMeta.tagRanges.map((tagRange) =>
       tagRangeWithOriginals(
         new TagRange(tagRange.start, tagRange.stop, tagRange.tag)

package/lib/assess/propagators/utils.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/propagators/v8/init-hooks.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -63,7 +63,7 @@ module.exports.handle = function handle() {
         if (tracked) {
           // it was behind a membrane
           data.result[TRACKED] = tracked;
-        } else if (tracker.getData2(data.args[0])) {
+        } else if (tracker.getData(data.args[0])) {
           // it was a tracked string
           data.result[TRACKED] = data.args[0];
         }
@@ -80,13 +80,13 @@ module.exports.handle = function handle() {
           return;
         }
-        const sTracking = tracker.getData2(tracked);
+        const sTracking = tracker.getData(tracked);
         // if the argument was a tracked string then the result should
         // have the same tags. i don't know that the length of a string
         // can change as a result of deserialize(serialize()) but best
         // to be safe.
         if (sTracking) {
-          const resultTracking = tracker.track2(data.result);
+          const resultTracking = tracker.track(data.result);
           if (!resultTracking) {
             // there's nothing to do if tracking failed on the result. it should
             // only do so on a zero-length string, but node works in mysterious ways.