@contrast/agent 4.5.2 → 4.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (666) hide show
  1. package/LICENSE +1 -1
  2. package/agent-loader.js +1 -1
  3. package/bin/VERSION +1 -1
  4. package/bin/linux/contrast-service +0 -0
  5. package/bin/mac/contrast-service +0 -0
  6. package/bin/windows/contrast-service.exe +0 -0
  7. package/bootstrap.js +1 -1
  8. package/cli-rewriter.js +1 -1
  9. package/cli.js +1 -1
  10. package/esm.mjs +1 -1
  11. package/lib/agent-emitter.js +1 -1
  12. package/lib/agent.js +1 -1
  13. package/lib/app-info.js +1 -1
  14. package/lib/assess/deadzones/index.js +1 -1
  15. package/lib/assess/deadzones/rewrite.js +1 -1
  16. package/lib/assess/express/index.js +1 -1
  17. package/lib/assess/express/route-coverage.js +1 -1
  18. package/lib/assess/express/sinks/index.js +1 -1
  19. package/lib/assess/express/sinks/xss.js +1 -1
  20. package/lib/assess/express/sources.js +1 -1
  21. package/lib/assess/fastify/index.js +1 -1
  22. package/lib/assess/fastify/route-coverage.js +1 -1
  23. package/lib/assess/fastify/sinks/index.js +1 -1
  24. package/lib/assess/fastify/sinks/response-scanning.js +1 -1
  25. package/lib/assess/fastify/sinks/unvalidated-redirect.js +1 -1
  26. package/lib/assess/fastify/sinks/xss.js +1 -1
  27. package/lib/assess/fastify/sources.js +1 -1
  28. package/lib/assess/hapi/index.js +1 -1
  29. package/lib/assess/hapi/route-coverage.js +1 -1
  30. package/lib/assess/hapi/sinks/index.js +1 -1
  31. package/lib/assess/hapi/sinks/response-scanning.js +1 -1
  32. package/lib/assess/hapi/sinks/session.js +1 -1
  33. package/lib/assess/hapi/sinks/unvalidated-redirect.js +1 -1
  34. package/lib/assess/hapi/sinks/xss.js +1 -1
  35. package/lib/assess/hapi/sources.js +1 -1
  36. package/lib/assess/index.js +1 -1
  37. package/lib/assess/koa/index.js +1 -1
  38. package/lib/assess/koa/route-coverage.js +1 -1
  39. package/lib/assess/koa/sinks/index.js +1 -1
  40. package/lib/assess/koa/sinks/response-scanning.js +1 -1
  41. package/lib/assess/koa/sinks/unvalidated-redirect.js +1 -1
  42. package/lib/assess/koa/sinks/xss.js +1 -1
  43. package/lib/assess/koa/sources.js +1 -1
  44. package/lib/assess/loopback4/index.js +1 -1
  45. package/lib/assess/loopback4/route-coverage.js +1 -1
  46. package/lib/assess/loopback4/sinks/index.js +1 -1
  47. package/lib/assess/loopback4/sinks/response-scanning.js +1 -1
  48. package/lib/assess/loopback4/sinks/xss.js +1 -1
  49. package/lib/assess/loopback4/sources.js +1 -1
  50. package/lib/assess/membrane/debraner.js +1 -1
  51. package/lib/assess/membrane/deserialization-membrane.js +5 -6
  52. package/lib/assess/membrane/index.js +1 -1
  53. package/lib/assess/membrane/source-membrane.js +17 -34
  54. package/lib/assess/models/base-event.js +1 -1
  55. package/lib/assess/models/call-context.js +2 -2
  56. package/lib/assess/models/index.js +1 -1
  57. package/lib/assess/models/propagation-event.js +1 -1
  58. package/lib/assess/models/signature.js +1 -1
  59. package/lib/assess/models/sink-event.js +1 -1
  60. package/lib/assess/models/source-event.js +1 -1
  61. package/lib/assess/models/tag-range/index.js +1 -1
  62. package/lib/assess/models/tag-range/relationships.js +1 -1
  63. package/lib/assess/models/tag-range/util.js +1 -1
  64. package/lib/assess/policy/index.js +1 -1
  65. package/lib/assess/policy/init.js +1 -1
  66. package/lib/assess/policy/propagators.json +19 -21
  67. package/lib/assess/policy/rules.json +7 -2
  68. package/lib/assess/policy/signatures.json +42 -6
  69. package/lib/assess/policy/util.js +3 -2
  70. package/lib/assess/propagators/JSON/parse.js +2 -2
  71. package/lib/assess/propagators/JSON/stringify.js +4 -4
  72. package/lib/assess/propagators/ajv/conditionals.js +1 -1
  73. package/lib/assess/propagators/ajv/evaluator-shim.js +1 -1
  74. package/lib/assess/propagators/ajv/index.js +1 -1
  75. package/lib/assess/propagators/ajv/json-schema-type-evaluators.js +1 -1
  76. package/lib/assess/propagators/ajv/object-walk.js +1 -1
  77. package/lib/assess/propagators/ajv/refs.js +1 -1
  78. package/lib/assess/propagators/ajv/schema-context.js +1 -1
  79. package/lib/assess/propagators/array-prototype-join.js +8 -9
  80. package/lib/assess/propagators/common.js +8 -6
  81. package/lib/assess/propagators/dustjs/escape-html.js +22 -0
  82. package/lib/assess/propagators/dustjs/escape-js.js +22 -0
  83. package/lib/assess/propagators/ejs-template-generate-source.js +1 -1
  84. package/lib/assess/propagators/encode-uri/encode-uri-component.js +22 -0
  85. package/lib/assess/propagators/encode-uri/encode-uri.js +22 -0
  86. package/lib/assess/propagators/handlebars-compile.js +1 -1
  87. package/lib/assess/propagators/handlebars-escape-expresssion.js +2 -2
  88. package/lib/assess/propagators/index.js +1 -3
  89. package/lib/assess/propagators/joi/boolean.js +2 -2
  90. package/lib/assess/propagators/joi/expression.js +2 -2
  91. package/lib/assess/propagators/joi/index.js +1 -1
  92. package/lib/assess/propagators/joi/number.js +2 -2
  93. package/lib/assess/propagators/joi/string-base.js +2 -2
  94. package/lib/assess/propagators/joi/string-schema.js +13 -14
  95. package/lib/assess/propagators/joi/values.js +38 -23
  96. package/lib/assess/propagators/manager.js +13 -11
  97. package/lib/assess/propagators/mongoose/helpers.js +20 -0
  98. package/lib/assess/propagators/mongoose/index.js +18 -0
  99. package/lib/assess/propagators/mongoose/map.js +74 -0
  100. package/lib/assess/propagators/mongoose/string.js +104 -0
  101. package/lib/assess/propagators/mustache/escape.js +22 -0
  102. package/lib/assess/propagators/number.js +54 -0
  103. package/lib/assess/propagators/object.js +7 -8
  104. package/lib/assess/propagators/path/basename.js +15 -14
  105. package/lib/assess/propagators/path/common.js +2 -2
  106. package/lib/assess/propagators/path/dirname.js +15 -14
  107. package/lib/assess/propagators/path/extname.js +15 -14
  108. package/lib/assess/propagators/path/format.js +1 -1
  109. package/lib/assess/propagators/path/join.js +1 -1
  110. package/lib/assess/propagators/path/normalize.js +1 -1
  111. package/lib/assess/propagators/path/parse.js +2 -2
  112. package/lib/assess/propagators/path/relative.js +8 -6
  113. package/lib/assess/propagators/path/resolve.js +1 -1
  114. package/lib/assess/propagators/path/to-namespaced-path.js +1 -1
  115. package/lib/assess/propagators/pug-compile.js +1 -1
  116. package/lib/assess/propagators/querystring/escape.js +21 -19
  117. package/lib/assess/propagators/querystring/parse.js +8 -6
  118. package/lib/assess/propagators/querystring/stringify.js +26 -25
  119. package/lib/assess/propagators/querystring/unescape.js +21 -19
  120. package/lib/assess/propagators/querystring/utils.js +1 -1
  121. package/lib/assess/propagators/sequelize/sql-string-escape.js +2 -2
  122. package/lib/assess/propagators/sequelize/sql-string-format-named-parameters.js +2 -2
  123. package/lib/assess/propagators/sequelize/sql-string-format.js +4 -4
  124. package/lib/assess/propagators/sequelize/utils.js +3 -3
  125. package/lib/assess/propagators/string-prototype-replace.js +31 -29
  126. package/lib/assess/propagators/string-prototype-split.js +37 -37
  127. package/lib/assess/propagators/string-prototype-trim.js +16 -18
  128. package/lib/assess/propagators/string.js +13 -17
  129. package/lib/assess/propagators/template-escape.js +87 -0
  130. package/lib/assess/propagators/templates.js +11 -12
  131. package/lib/assess/propagators/url/url-prototype-parse.js +6 -7
  132. package/lib/assess/propagators/url/url-url.js +52 -44
  133. package/lib/assess/propagators/url/utils.js +1 -1
  134. package/lib/assess/propagators/util/format.js +2 -2
  135. package/lib/assess/propagators/utils.js +1 -1
  136. package/lib/assess/propagators/v8/init-hooks.js +4 -4
  137. package/lib/assess/propagators/validator/init-hooks.js +23 -23
  138. package/lib/assess/propagators/validator/validator-methods.js +1 -2
  139. package/lib/assess/response-scanning/app-activity.js +1 -1
  140. package/lib/assess/response-scanning/autocomplete-missing.js +1 -1
  141. package/lib/assess/response-scanning/cache-controls-missing.js +1 -1
  142. package/lib/assess/response-scanning/clickjacking-control-missing.js +1 -1
  143. package/lib/assess/response-scanning/common.js +1 -1
  144. package/lib/assess/response-scanning/cookies/common.js +1 -1
  145. package/lib/assess/response-scanning/cookies/events.js +1 -1
  146. package/lib/assess/response-scanning/cookies/httponly.js +1 -1
  147. package/lib/assess/response-scanning/cookies/secure-flag-missing.js +1 -1
  148. package/lib/assess/response-scanning/headers/csp-header-insecure.js +1 -1
  149. package/lib/assess/response-scanning/headers/csp-header-missing.js +1 -1
  150. package/lib/assess/response-scanning/headers/csp-utils.js +1 -1
  151. package/lib/assess/response-scanning/headers/hsts-header-missing.js +1 -1
  152. package/lib/assess/response-scanning/headers/powered-by.js +1 -1
  153. package/lib/assess/response-scanning/headers/xcontenttype-header-missing.js +1 -1
  154. package/lib/assess/response-scanning/headers/xxssprotection-header-disabled.js +1 -1
  155. package/lib/assess/response-scanning/parameter-pollution.js +1 -1
  156. package/lib/assess/response-scanning/parseable-response-emitter.js +1 -1
  157. package/lib/assess/restify/index.js +1 -1
  158. package/lib/assess/restify/route-coverage.js +1 -1
  159. package/lib/assess/restify/session.js +1 -1
  160. package/lib/assess/restify/sinks/index.js +1 -1
  161. package/lib/assess/restify/sinks/response-scanning.js +1 -1
  162. package/lib/assess/restify/sinks/unvalidated-redirect.js +1 -1
  163. package/lib/assess/restify/sinks/xss.js +1 -1
  164. package/lib/assess/restify/sources.js +1 -1
  165. package/lib/assess/sinks/common.js +11 -6
  166. package/lib/assess/sinks/dustjs-linkedin-xss.js +131 -0
  167. package/lib/assess/sinks/dynamo.js +1 -1
  168. package/lib/assess/sinks/hapi-16-xss.js +1 -1
  169. package/lib/assess/sinks/index.js +1 -1
  170. package/lib/assess/sinks/libxmljs-xxe.js +2 -2
  171. package/lib/assess/sinks/mongodb.js +3 -2
  172. package/lib/assess/sinks/ssrf-url.js +2 -2
  173. package/lib/assess/sources/formidable.js +1 -1
  174. package/lib/assess/sources/index.js +1 -1
  175. package/lib/assess/static/hardcoded.js +1 -1
  176. package/lib/assess/technologies/index.js +1 -1
  177. package/lib/assess/utils.js +1 -1
  178. package/lib/cli-rewriter/index.js +1 -1
  179. package/lib/constants.js +5 -2
  180. package/lib/contrast.js +1 -1
  181. package/lib/core/arch-components/dynamodb.js +1 -1
  182. package/lib/core/arch-components/dynamodbv3.js +1 -1
  183. package/lib/core/arch-components/index.js +1 -1
  184. package/lib/core/arch-components/mongodb.js +1 -1
  185. package/lib/core/arch-components/mysql.js +1 -1
  186. package/lib/core/arch-components/postgres.js +1 -1
  187. package/lib/core/arch-components/rethinkdb.js +53 -0
  188. package/lib/core/arch-components/sqlite3.js +1 -1
  189. package/lib/core/async-storage/context.js +1 -1
  190. package/lib/core/async-storage/hooks/bluebird.js +1 -1
  191. package/lib/core/async-storage/hooks/mongodb-core.js +1 -1
  192. package/lib/core/async-storage/hooks/mysql.js +1 -1
  193. package/lib/core/async-storage/hooks/redis.js +1 -1
  194. package/lib/core/async-storage/hooks/utils.js +1 -1
  195. package/lib/core/async-storage/index.js +1 -1
  196. package/lib/core/async-storage/scopes/index.js +1 -1
  197. package/lib/core/common/formidable.js +1 -1
  198. package/lib/core/common/index.js +1 -1
  199. package/lib/core/config/options.js +4 -3
  200. package/lib/core/config/util.js +1 -1
  201. package/lib/core/exclusions/exclusion-factory.js +1 -1
  202. package/lib/core/exclusions/exclusion.js +1 -1
  203. package/lib/core/exclusions/input.js +1 -1
  204. package/lib/core/exclusions/url.js +1 -1
  205. package/lib/core/express/index.js +1 -1
  206. package/lib/core/express/utils.js +1 -1
  207. package/lib/core/fastify/index.js +1 -1
  208. package/lib/core/fastify/utils.js +1 -1
  209. package/lib/core/hapi/index.js +1 -1
  210. package/lib/core/hapi/utils.js +1 -1
  211. package/lib/core/index.js +1 -1
  212. package/lib/core/koa/index.js +1 -1
  213. package/lib/core/koa/utils.js +1 -1
  214. package/lib/core/logger/daily-rotate-file.js +1 -1
  215. package/lib/core/logger/dataflow-monitor.js +1 -1
  216. package/lib/core/logger/debug-logger.js +1 -1
  217. package/lib/core/logger/index.js +1 -1
  218. package/lib/core/logger/perf-logger.js +1 -1
  219. package/lib/core/logger/umbrella-logger.js +1 -1
  220. package/lib/core/loopback4/index.js +1 -1
  221. package/lib/core/metrics/index.js +1 -1
  222. package/lib/core/restify/index.js +1 -1
  223. package/lib/core/restify/utils.js +1 -1
  224. package/lib/core/rewrite/assignment-expression.js +1 -1
  225. package/lib/core/rewrite/binary-expression.js +1 -1
  226. package/lib/core/rewrite/call-expression.js +1 -1
  227. package/lib/core/rewrite/callees.js +1 -1
  228. package/lib/core/rewrite/catch-clause.js +1 -1
  229. package/lib/core/rewrite/function-wrap.js +1 -1
  230. package/lib/core/rewrite/index.js +1 -1
  231. package/lib/core/rewrite/injections.js +9 -1
  232. package/lib/core/rewrite/is-contrast-method.js +1 -1
  233. package/lib/core/rewrite/log.js +1 -1
  234. package/lib/core/rewrite/member-expression.js +1 -1
  235. package/lib/core/rewrite/object-property.js +1 -1
  236. package/lib/core/rewrite/prepend-globals.js +1 -1
  237. package/lib/core/rewrite/rewrite-log.js +1 -1
  238. package/lib/core/rewrite/switch-statement.js +1 -1
  239. package/lib/core/rewrite/template-literal.js +1 -1
  240. package/lib/core/stacktrace.js +3 -2
  241. package/lib/coverage.js +1 -1
  242. package/lib/feature-set.js +2 -2
  243. package/lib/generator-function.js +1 -1
  244. package/lib/hooks/array.js +1 -1
  245. package/lib/hooks/cluster.js +1 -1
  246. package/lib/hooks/dataflow-monitor.js +1 -1
  247. package/lib/hooks/encoding.js +1 -1
  248. package/lib/hooks/express-fileupload.js +1 -1
  249. package/lib/hooks/express-session.js +1 -1
  250. package/lib/hooks/fn-to-string.js +1 -1
  251. package/lib/hooks/frameworks/base.js +9 -3
  252. package/lib/hooks/frameworks/common.js +1 -1
  253. package/lib/hooks/frameworks/hapi16.js +1 -1
  254. package/lib/hooks/frameworks/http.js +24 -17
  255. package/lib/hooks/frameworks/http2.js +73 -0
  256. package/lib/hooks/frameworks/index.js +9 -4
  257. package/lib/hooks/hapi-16-reply.js +1 -1
  258. package/lib/hooks/hapi-16-session.js +1 -1
  259. package/lib/hooks/http.js +113 -129
  260. package/lib/hooks/module/extensions.js +1 -1
  261. package/lib/hooks/module/helpers.js +1 -1
  262. package/lib/hooks/module/index.js +1 -1
  263. package/lib/hooks/newrelic.js +1 -1
  264. package/lib/hooks/object-is.js +1 -1
  265. package/lib/hooks/object-to-primitive.js +7 -8
  266. package/lib/hooks/patcher.js +62 -39
  267. package/lib/hooks/require.js +17 -23
  268. package/lib/hooks/stealthy-require.js +1 -1
  269. package/lib/instrumentation.js +1 -4
  270. package/lib/libraries.js +1 -1
  271. package/lib/library-usage.js +1 -1
  272. package/lib/list-installed.js +1 -1
  273. package/lib/protect/analysis/aho-corasick.js +1 -1
  274. package/lib/protect/analysis/dfsa-analyzer.js +1 -1
  275. package/lib/protect/errors/handler.js +1 -1
  276. package/lib/protect/errors/security-exception.js +1 -1
  277. package/lib/protect/express/index.js +1 -1
  278. package/lib/protect/express/sinks.js +1 -1
  279. package/lib/protect/express/sources.js +1 -1
  280. package/lib/protect/fastify/index.js +1 -1
  281. package/lib/protect/fastify/sinks.js +1 -1
  282. package/lib/protect/fastify/sources.js +1 -1
  283. package/lib/protect/hapi/error-handler.js +1 -1
  284. package/lib/protect/hapi/index.js +1 -1
  285. package/lib/protect/hapi/sinks.js +1 -1
  286. package/lib/protect/hapi/sources.js +1 -1
  287. package/lib/protect/index.js +1 -1
  288. package/lib/protect/input-analysis.js +1 -1
  289. package/lib/protect/koa/index.js +1 -1
  290. package/lib/protect/koa/sinks.js +1 -1
  291. package/lib/protect/koa/sources.js +1 -1
  292. package/lib/protect/listeners.js +1 -1
  293. package/lib/protect/loopback4/index.js +1 -1
  294. package/lib/protect/loopback4/sources.js +1 -1
  295. package/lib/protect/models/application-context.js +1 -1
  296. package/lib/protect/models/sink-event.js +1 -1
  297. package/lib/protect/models/source-event.js +1 -1
  298. package/lib/protect/restify/index.js +1 -1
  299. package/lib/protect/restify/sinks.js +1 -1
  300. package/lib/protect/restify/sources.js +1 -1
  301. package/lib/protect/rules/assessment.js +1 -1
  302. package/lib/protect/rules/attack-patterns.js +1 -1
  303. package/lib/protect/rules/base-scanner/index.js +1 -1
  304. package/lib/protect/rules/base-scanner/java-script-scanner.js +1 -1
  305. package/lib/protect/rules/base-scanner/postgresqlscanner.js +1 -1
  306. package/lib/protect/rules/base-scanner/scan-state.js +1 -1
  307. package/lib/protect/rules/base-scanner/substring-finder.js +1 -1
  308. package/lib/protect/rules/base-scanner/token-sequence.js +1 -1
  309. package/lib/protect/rules/bot-blocker/bot-blocker-rule.js +1 -1
  310. package/lib/protect/rules/bot-blocker/index.js +1 -1
  311. package/lib/protect/rules/cmd-injection/cmdinjection-rule.js +1 -1
  312. package/lib/protect/rules/cmd-injection-command-backdoors/backdoor-detector.js +1 -1
  313. package/lib/protect/rules/cmd-injection-command-backdoors/cmd-injection-command-backdoors-rule.js +1 -1
  314. package/lib/protect/rules/cmd-injection-semantic-chained-commands/chained-command-scanner.js +1 -1
  315. package/lib/protect/rules/cmd-injection-semantic-chained-commands/cmd-injection-semantic-chained-commands-rule.js +1 -1
  316. package/lib/protect/rules/cmd-injection-semantic-dangerous-paths/cmd-injection-semantic-dangerous-paths-rule.js +1 -1
  317. package/lib/protect/rules/cmd-injection-semantic-dangerous-paths/dangerous-paths-scanner.js +1 -1
  318. package/lib/protect/rules/common.js +1 -1
  319. package/lib/protect/rules/index.js +1 -1
  320. package/lib/protect/rules/ip-denylist/ip-denylist-rule.js +1 -1
  321. package/lib/protect/rules/method-tampering/evaluator.js +1 -1
  322. package/lib/protect/rules/method-tampering/method-tampering-rule.js +1 -1
  323. package/lib/protect/rules/nosqli/nosql-injection-rule.js +228 -0
  324. package/lib/protect/rules/nosqli/nosql-scanner/index.js +1 -1
  325. package/lib/protect/rules/nosqli/nosql-scanner/mongodbscanner.js +1 -1
  326. package/lib/protect/rules/path-traversal/path-traversal-rule.js +1 -1
  327. package/lib/protect/rules/rule-factory.js +3 -3
  328. package/lib/protect/rules/signatures/cmd-injection/custom-searchers/chained-command-searcher.js +1 -1
  329. package/lib/protect/rules/signatures/cmd-injection/custom-searchers/index.js +1 -1
  330. package/lib/protect/rules/signatures/cmd-injection/index.js +1 -1
  331. package/lib/protect/rules/signatures/evaluator.js +1 -1
  332. package/lib/protect/rules/signatures/index.js +1 -1
  333. package/lib/protect/rules/signatures/nosql-injection/custom-searchers/index.js +1 -1
  334. package/lib/protect/rules/signatures/nosql-injection/custom-searchers/nosql-comment-searcher.js +1 -1
  335. package/lib/protect/rules/signatures/nosql-injection/custom-searchers/simple-or-searcher.js +1 -1
  336. package/lib/protect/rules/signatures/nosql-injection/index.js +1 -1
  337. package/lib/protect/rules/signatures/path-traversal/index.js +1 -1
  338. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/behavior-url-searcher.js +1 -1
  339. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/function-definition-searcher.js +1 -1
  340. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/immediate-function-searcher.js +1 -1
  341. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/index.js +1 -1
  342. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/link-and-src-target-searcher.js +1 -1
  343. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/location-set-searcher.js +1 -1
  344. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/map-access-searcher.js +1 -1
  345. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/native-function-execution-searcher.js +1 -1
  346. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/no-alnum-searcher.js +1 -1
  347. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/redefined-function-searcher.js +1 -1
  348. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/style-url-injection-searcher.js +1 -1
  349. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/variable-assignment-searcher.js +1 -1
  350. package/lib/protect/rules/signatures/reflected-xss/helpers/function-call.js +1 -1
  351. package/lib/protect/rules/signatures/reflected-xss/index.js +1 -1
  352. package/lib/protect/rules/signatures/signature.js +1 -1
  353. package/lib/protect/rules/signatures/sql-injection/custom-searchers/if-else-drop-searcher.js +1 -1
  354. package/lib/protect/rules/signatures/sql-injection/custom-searchers/index.js +1 -1
  355. package/lib/protect/rules/signatures/sql-injection/custom-searchers/simple-or-searcher.js +1 -1
  356. package/lib/protect/rules/signatures/sql-injection/custom-searchers/sql-comment-searcher.js +1 -1
  357. package/lib/protect/rules/signatures/sql-injection/custom-searchers/time-function-searcher.js +1 -1
  358. package/lib/protect/rules/signatures/sql-injection/custom-searchers/tsql-exec-searcher.js +1 -1
  359. package/lib/protect/rules/signatures/sql-injection/index.js +1 -1
  360. package/lib/protect/rules/signatures/ssjs-injection/index.js +1 -1
  361. package/lib/protect/rules/signatures/unsafe-file-upload/index.js +1 -1
  362. package/lib/protect/rules/signatures/untrusted-deserialization/index.js +1 -1
  363. package/lib/protect/rules/sqli/generic-complicated.js +1 -1
  364. package/lib/protect/rules/sqli/sql-injection-rule.js +1 -1
  365. package/lib/protect/rules/sqli/sql-scanner/index.js +1 -1
  366. package/lib/protect/rules/sqli/sql-scanner/mysql-scanner.js +1 -1
  367. package/lib/protect/rules/ssjs-injection/evaluator.js +1 -1
  368. package/lib/protect/rules/ssjs-injection/ssjsinjection-rule.js +1 -1
  369. package/lib/protect/rules/unsafe-file-upload/unsafe-file-upload-rule.js +1 -1
  370. package/lib/protect/rules/untrusted-deserialization/untrusted-deserialization-rule.js +1 -1
  371. package/lib/protect/rules/virtual-patch/index.js +1 -1
  372. package/lib/protect/rules/virtual-patch/utils.js +1 -1
  373. package/lib/protect/rules/virtual-patch/virtual-patch-rule.js +1 -1
  374. package/lib/protect/rules/xss/helpers/function-call.js +1 -1
  375. package/lib/protect/rules/xss/reflected-xss-rule.js +1 -1
  376. package/lib/protect/rules/xxe/xxerule.js +1 -1
  377. package/lib/protect/sample-aggregator.js +1 -1
  378. package/lib/protect/samples.js +1 -1
  379. package/lib/protect/service.js +24 -12
  380. package/lib/protect/sinks/child-process.js +1 -1
  381. package/lib/protect/sinks/eval.js +1 -1
  382. package/lib/protect/sinks/fs.js +1 -1
  383. package/lib/protect/sinks/function.js +1 -1
  384. package/lib/protect/sinks/index.js +1 -1
  385. package/lib/protect/sinks/libxmljs.js +1 -1
  386. package/lib/protect/sinks/mongodb.js +57 -56
  387. package/lib/protect/sinks/mysql.js +1 -1
  388. package/lib/protect/sinks/node-serialize.js +1 -1
  389. package/lib/protect/sinks/postgres.js +1 -1
  390. package/lib/protect/sinks/sequelize.js +1 -1
  391. package/lib/protect/sinks/sqlite3.js +1 -1
  392. package/lib/protect/sinks/vm.js +1 -1
  393. package/lib/protect/sources/busboy.js +1 -1
  394. package/lib/protect/sources/formidable.js +1 -1
  395. package/lib/protect/sources/index.js +1 -1
  396. package/lib/protect/validators/authorization.js +1 -1
  397. package/lib/protect/validators/common.js +1 -1
  398. package/lib/protect/validators/connection.js +1 -1
  399. package/lib/protect/validators/content-length.js +1 -1
  400. package/lib/protect/validators/host.js +1 -1
  401. package/lib/protect/validators/if-none-match.js +1 -1
  402. package/lib/protect/validators/index.js +1 -1
  403. package/lib/protect/validators/origin.js +1 -1
  404. package/lib/reporter/app-activity-queue.js +1 -1
  405. package/lib/reporter/grpc-client.js +1 -1
  406. package/lib/reporter/messages/speedracer/activity.js +1 -1
  407. package/lib/reporter/messages/speedracer/application-create.js +1 -1
  408. package/lib/reporter/messages/speedracer/application-update.js +1 -1
  409. package/lib/reporter/messages/speedracer/base.js +1 -1
  410. package/lib/reporter/messages/speedracer/index.js +1 -1
  411. package/lib/reporter/messages/speedracer/observed-route.js +1 -1
  412. package/lib/reporter/messages/speedracer/poll.js +1 -1
  413. package/lib/reporter/messages/speedracer/request.js +1 -1
  414. package/lib/reporter/messages/speedracer/startup.js +1 -1
  415. package/lib/reporter/messaging-router.js +1 -1
  416. package/lib/reporter/models/app-activity/app-activity.js +1 -1
  417. package/lib/reporter/models/app-activity/attacker-activity.js +1 -1
  418. package/lib/reporter/models/app-activity/defend.js +1 -1
  419. package/lib/reporter/models/app-activity/inventory.js +1 -1
  420. package/lib/reporter/models/app-activity/protection-rule-activity.js +1 -1
  421. package/lib/reporter/models/app-activity/rule-events.js +1 -1
  422. package/lib/reporter/models/app-activity/sample.js +1 -1
  423. package/lib/reporter/models/app-activity/source.js +1 -1
  424. package/lib/reporter/models/app-activity/user-input.js +1 -1
  425. package/lib/reporter/models/app-create.js +1 -1
  426. package/lib/reporter/models/app-update/index.js +1 -1
  427. package/lib/reporter/models/app-update/library-manifest.js +1 -1
  428. package/lib/reporter/models/app-update/library-usage.js +1 -1
  429. package/lib/reporter/models/app-update/library.js +1 -1
  430. package/lib/reporter/models/event-tag.js +1 -1
  431. package/lib/reporter/models/finding/event.js +1 -1
  432. package/lib/reporter/models/finding/finding.js +1 -1
  433. package/lib/reporter/models/frameworks/express-request.js +1 -1
  434. package/lib/reporter/models/frameworks/fastify-request.js +1 -1
  435. package/lib/reporter/models/frameworks/hapi-request.js +1 -1
  436. package/lib/reporter/models/frameworks/index.js +1 -1
  437. package/lib/reporter/models/frameworks/koa-request.js +1 -1
  438. package/lib/reporter/models/frameworks/restify-request.js +1 -1
  439. package/lib/reporter/models/observed-route.js +1 -1
  440. package/lib/reporter/models/request.js +1 -1
  441. package/lib/reporter/models/route-coverage.js +1 -1
  442. package/lib/reporter/models/startup.js +1 -1
  443. package/lib/reporter/models/trace-event-source.js +1 -1
  444. package/lib/reporter/models/utils/request-factory.js +1 -1
  445. package/lib/reporter/models/utils/user-input-factory.js +1 -1
  446. package/lib/reporter/models/utils/user-input-kit.js +1 -1
  447. package/lib/reporter/mq-client.js +1 -1
  448. package/lib/reporter/server-activity-queue.js +1 -1
  449. package/lib/reporter/socket-client.js +1 -1
  450. package/lib/reporter/speedracer/base-connection-state.js +1 -1
  451. package/lib/reporter/speedracer/constants.js +1 -1
  452. package/lib/reporter/speedracer/failure-connection-state.js +1 -1
  453. package/lib/reporter/speedracer/index.js +1 -1
  454. package/lib/reporter/speedracer/success-connection-state.js +1 -1
  455. package/lib/reporter/speedracer/unknown-connection-state.js +1 -1
  456. package/lib/reporter/translations/enums.js +1 -1
  457. package/lib/reporter/translations/helpers.js +1 -1
  458. package/lib/reporter/translations/to-protobuf/dtm/activity.js +1 -1
  459. package/lib/reporter/translations/to-protobuf/dtm/address.js +1 -1
  460. package/lib/reporter/translations/to-protobuf/dtm/agent-startup.js +1 -1
  461. package/lib/reporter/translations/to-protobuf/dtm/application-create.js +1 -1
  462. package/lib/reporter/translations/to-protobuf/dtm/application-update.js +1 -1
  463. package/lib/reporter/translations/to-protobuf/dtm/architecture-component.js +1 -1
  464. package/lib/reporter/translations/to-protobuf/dtm/attack-result.js +1 -1
  465. package/lib/reporter/translations/to-protobuf/dtm/bot-blocker-details.js +1 -1
  466. package/lib/reporter/translations/to-protobuf/dtm/cmd-injection-details.js +1 -1
  467. package/lib/reporter/translations/to-protobuf/dtm/cmd-injection-semantic-analysis-details.js +1 -1
  468. package/lib/reporter/translations/to-protobuf/dtm/finding.js +1 -1
  469. package/lib/reporter/translations/to-protobuf/dtm/http-method-tampering-details.js +1 -1
  470. package/lib/reporter/translations/to-protobuf/dtm/http-request.js +1 -1
  471. package/lib/reporter/translations/to-protobuf/dtm/index.js +2 -2
  472. package/lib/reporter/translations/to-protobuf/dtm/ip-denylist-details.js +2 -2
  473. package/lib/reporter/translations/to-protobuf/dtm/library-usage-update.js +1 -1
  474. package/lib/reporter/translations/to-protobuf/dtm/no-sql-injection-details.js +1 -1
  475. package/lib/reporter/translations/to-protobuf/dtm/observed-route.js +1 -1
  476. package/lib/reporter/translations/to-protobuf/dtm/pair.js +1 -1
  477. package/lib/reporter/translations/to-protobuf/dtm/path-traversal-details.js +1 -1
  478. package/lib/reporter/translations/to-protobuf/dtm/poll.js +1 -1
  479. package/lib/reporter/translations/to-protobuf/dtm/rasp-rule-sample.js +2 -2
  480. package/lib/reporter/translations/to-protobuf/dtm/raw-request.js +1 -1
  481. package/lib/reporter/translations/to-protobuf/dtm/route-coverage.js +1 -1
  482. package/lib/reporter/translations/to-protobuf/dtm/simple-pair.js +1 -1
  483. package/lib/reporter/translations/to-protobuf/dtm/sql-injection-details.js +1 -1
  484. package/lib/reporter/translations/to-protobuf/dtm/ssjs-injection-details.js +1 -1
  485. package/lib/reporter/translations/to-protobuf/dtm/stack-trace-element.js +1 -1
  486. package/lib/reporter/translations/to-protobuf/dtm/trace-event/action.js +1 -1
  487. package/lib/reporter/translations/to-protobuf/dtm/trace-event/index.js +1 -1
  488. package/lib/reporter/translations/to-protobuf/dtm/trace-event/parent-object-id.js +1 -1
  489. package/lib/reporter/translations/to-protobuf/dtm/trace-event/trace-event-object.js +1 -1
  490. package/lib/reporter/translations/to-protobuf/dtm/trace-event/trace-event-signature.js +1 -1
  491. package/lib/reporter/translations/to-protobuf/dtm/trace-event/trace-event-source.js +1 -1
  492. package/lib/reporter/translations/to-protobuf/dtm/trace-event/trace-stack.js +1 -1
  493. package/lib/reporter/translations/to-protobuf/dtm/trace-event/trace-taint-range.js +1 -1
  494. package/lib/reporter/translations/to-protobuf/dtm/trace-event/type.js +1 -1
  495. package/lib/reporter/translations/to-protobuf/dtm/untrusted-deserialization-details.js +1 -1
  496. package/lib/reporter/translations/to-protobuf/dtm/user-input.js +1 -1
  497. package/lib/reporter/translations/to-protobuf/dtm/virtual-patch-details.js +1 -1
  498. package/lib/reporter/translations/to-protobuf/dtm/xss-details.js +1 -1
  499. package/lib/reporter/translations/to-protobuf/dtm/xxe-details.js +1 -1
  500. package/lib/reporter/translations/to-protobuf/index.js +1 -1
  501. package/lib/reporter/translations/to-protobuf/settings/application-settings.js +1 -1
  502. package/lib/reporter/translations/to-protobuf/settings/assess-features.js +1 -1
  503. package/lib/reporter/translations/to-protobuf/settings/auth.js +1 -1
  504. package/lib/reporter/translations/to-protobuf/settings/bot-blocker.js +1 -1
  505. package/lib/reporter/translations/to-protobuf/settings/custom-rule-feature.js +1 -1
  506. package/lib/reporter/translations/to-protobuf/settings/defend-features.js +9 -7
  507. package/lib/reporter/translations/to-protobuf/settings/exclusions.js +6 -5
  508. package/lib/reporter/translations/to-protobuf/settings/index.js +1 -1
  509. package/lib/reporter/translations/to-protobuf/settings/input-analysis-result.js +1 -1
  510. package/lib/reporter/translations/to-protobuf/settings/inventory-features.js +1 -1
  511. package/lib/reporter/translations/to-protobuf/settings/ip-filter.js +1 -1
  512. package/lib/reporter/translations/to-protobuf/settings/log-enhancer.js +1 -1
  513. package/lib/reporter/translations/to-protobuf/settings/protection-rule.js +1 -1
  514. package/lib/reporter/translations/to-protobuf/settings/reaction.js +1 -1
  515. package/lib/reporter/translations/to-protobuf/settings/rule-definition.js +1 -1
  516. package/lib/reporter/translations/to-protobuf/settings/sampling.js +1 -1
  517. package/lib/reporter/translations/to-protobuf/settings/server-features.js +1 -1
  518. package/lib/reporter/translations/to-protobuf/settings/syslog.js +1 -1
  519. package/lib/reporter/translations/to-protobuf/settings/virtual-patch.js +1 -1
  520. package/lib/reporter/ts-reporter.js +1 -1
  521. package/lib/tracker.js +14 -66
  522. package/lib/util/base64.js +1 -1
  523. package/lib/util/bitset.js +1 -1
  524. package/lib/util/block-request.js +1 -1
  525. package/lib/util/callback-resolver.js +1 -1
  526. package/lib/util/clean-stack.js +1 -1
  527. package/lib/util/clean-string/brackets.js +1 -1
  528. package/lib/util/clean-string/clean-string-base.js +1 -1
  529. package/lib/util/clean-string/comments.js +1 -1
  530. package/lib/util/clean-string/concatenations.js +1 -1
  531. package/lib/util/clean-string/jsclean-string.js +1 -1
  532. package/lib/util/clean-string/placeholders.js +1 -1
  533. package/lib/util/clean-string/util.js +1 -1
  534. package/lib/util/colors.js +1 -1
  535. package/lib/util/file-finder.js +1 -1
  536. package/lib/util/heap-dump.js +1 -1
  537. package/lib/util/html-util.js +1 -1
  538. package/lib/util/ip-analyzer.js +1 -1
  539. package/lib/util/is-agent-path.js +1 -1
  540. package/lib/util/is-contrast-error.js +1 -1
  541. package/lib/util/is-piped-to-dev.js +1 -1
  542. package/lib/util/is-string.js +1 -1
  543. package/lib/util/partial.js +1 -1
  544. package/lib/util/pkg-name.js +1 -1
  545. package/lib/util/request-util.js +1 -1
  546. package/lib/util/resolve-obj.js +1 -1
  547. package/lib/util/route-info.js +1 -1
  548. package/lib/util/some.js +1 -1
  549. package/lib/util/source-map.js +2 -2
  550. package/lib/util/static-rules.js +1 -1
  551. package/lib/util/trace-util.js +1 -1
  552. package/lib/util/traverse.js +1 -1
  553. package/lib/util/user-input-evaluator.js +1 -1
  554. package/lib/util/xml-analyzer/external-entity-finder.js +1 -1
  555. package/package.json +14 -16
  556. package/perf-logs.js +1 -1
  557. package/lib/hooks/frameworks/https.js +0 -42
  558. package/lib/protect/rules/nosqli/no-sql-injection-rule.js +0 -109
  559. package/node_modules/bindings/LICENSE.md +0 -22
  560. package/node_modules/bindings/README.md +0 -98
  561. package/node_modules/bindings/bindings.js +0 -221
  562. package/node_modules/bindings/package.json +0 -32
  563. package/node_modules/file-uri-to-path/.npmignore +0 -1
  564. package/node_modules/file-uri-to-path/.travis.yml +0 -30
  565. package/node_modules/file-uri-to-path/History.md +0 -21
  566. package/node_modules/file-uri-to-path/LICENSE +0 -20
  567. package/node_modules/file-uri-to-path/README.md +0 -74
  568. package/node_modules/file-uri-to-path/index.d.ts +0 -2
  569. package/node_modules/file-uri-to-path/index.js +0 -66
  570. package/node_modules/file-uri-to-path/package.json +0 -36
  571. package/node_modules/file-uri-to-path/test/test.js +0 -24
  572. package/node_modules/file-uri-to-path/test/tests.json +0 -13
  573. package/node_modules/glossy/LICENSE +0 -19
  574. package/node_modules/glossy/README.md +0 -129
  575. package/node_modules/glossy/index.js +0 -12
  576. package/node_modules/glossy/lib/glossy/parse.js +0 -520
  577. package/node_modules/glossy/lib/glossy/produce.js +0 -459
  578. package/node_modules/glossy/package.json +0 -47
  579. package/node_modules/glossy/test/decide.js +0 -7
  580. package/node_modules/glossy/test/decode_pri.js +0 -24
  581. package/node_modules/glossy/test/parse_3164.js +0 -104
  582. package/node_modules/glossy/test/parse_5424.js +0 -106
  583. package/node_modules/glossy/test/parse_5848.js +0 -40
  584. package/node_modules/glossy/test/parse_8601.js +0 -14
  585. package/node_modules/glossy/test/parse_rfc3339.js +0 -9
  586. package/node_modules/glossy/test/produce.js +0 -162
  587. package/node_modules/glossy/test/runner.js +0 -40
  588. package/node_modules/glossy/test/structure_data.js +0 -24
  589. package/node_modules/nan/CHANGELOG.md +0 -537
  590. package/node_modules/nan/LICENSE.md +0 -13
  591. package/node_modules/nan/README.md +0 -455
  592. package/node_modules/nan/doc/asyncworker.md +0 -146
  593. package/node_modules/nan/doc/buffers.md +0 -54
  594. package/node_modules/nan/doc/callback.md +0 -76
  595. package/node_modules/nan/doc/converters.md +0 -41
  596. package/node_modules/nan/doc/errors.md +0 -226
  597. package/node_modules/nan/doc/json.md +0 -62
  598. package/node_modules/nan/doc/maybe_types.md +0 -583
  599. package/node_modules/nan/doc/methods.md +0 -664
  600. package/node_modules/nan/doc/new.md +0 -147
  601. package/node_modules/nan/doc/node_misc.md +0 -123
  602. package/node_modules/nan/doc/object_wrappers.md +0 -263
  603. package/node_modules/nan/doc/persistent.md +0 -296
  604. package/node_modules/nan/doc/scopes.md +0 -73
  605. package/node_modules/nan/doc/script.md +0 -38
  606. package/node_modules/nan/doc/string_bytes.md +0 -62
  607. package/node_modules/nan/doc/v8_internals.md +0 -199
  608. package/node_modules/nan/doc/v8_misc.md +0 -85
  609. package/node_modules/nan/include_dirs.js +0 -1
  610. package/node_modules/nan/nan.h +0 -2898
  611. package/node_modules/nan/nan_callbacks.h +0 -88
  612. package/node_modules/nan/nan_callbacks_12_inl.h +0 -514
  613. package/node_modules/nan/nan_callbacks_pre_12_inl.h +0 -520
  614. package/node_modules/nan/nan_converters.h +0 -72
  615. package/node_modules/nan/nan_converters_43_inl.h +0 -68
  616. package/node_modules/nan/nan_converters_pre_43_inl.h +0 -42
  617. package/node_modules/nan/nan_define_own_property_helper.h +0 -29
  618. package/node_modules/nan/nan_implementation_12_inl.h +0 -430
  619. package/node_modules/nan/nan_implementation_pre_12_inl.h +0 -263
  620. package/node_modules/nan/nan_json.h +0 -166
  621. package/node_modules/nan/nan_maybe_43_inl.h +0 -356
  622. package/node_modules/nan/nan_maybe_pre_43_inl.h +0 -268
  623. package/node_modules/nan/nan_new.h +0 -340
  624. package/node_modules/nan/nan_object_wrap.h +0 -156
  625. package/node_modules/nan/nan_persistent_12_inl.h +0 -132
  626. package/node_modules/nan/nan_persistent_pre_12_inl.h +0 -242
  627. package/node_modules/nan/nan_private.h +0 -73
  628. package/node_modules/nan/nan_string_bytes.h +0 -305
  629. package/node_modules/nan/nan_typedarray_contents.h +0 -96
  630. package/node_modules/nan/nan_weak.h +0 -437
  631. package/node_modules/nan/package.json +0 -41
  632. package/node_modules/nan/tools/1to2.js +0 -412
  633. package/node_modules/nan/tools/README.md +0 -14
  634. package/node_modules/nan/tools/package.json +0 -19
  635. package/node_modules/unix-dgram/LICENSE +0 -13
  636. package/node_modules/unix-dgram/README.md +0 -107
  637. package/node_modules/unix-dgram/binding.gyp +0 -20
  638. package/node_modules/unix-dgram/build/Makefile +0 -324
  639. package/node_modules/unix-dgram/build/Release/.deps/Release/obj.target/unix_dgram/src/unix_dgram.o.d +0 -58
  640. package/node_modules/unix-dgram/build/Release/.deps/Release/obj.target/unix_dgram.node.d +0 -1
  641. package/node_modules/unix-dgram/build/Release/.deps/Release/unix_dgram.node.d +0 -1
  642. package/node_modules/unix-dgram/build/Release/obj.target/unix_dgram/src/unix_dgram.o +0 -0
  643. package/node_modules/unix-dgram/build/Release/obj.target/unix_dgram.node +0 -0
  644. package/node_modules/unix-dgram/build/Release/unix_dgram.node +0 -0
  645. package/node_modules/unix-dgram/build/binding.Makefile +0 -6
  646. package/node_modules/unix-dgram/build/config.gypi +0 -213
  647. package/node_modules/unix-dgram/build/unix_dgram.target.mk +0 -159
  648. package/node_modules/unix-dgram/lib/unix_dgram.js +0 -168
  649. package/node_modules/unix-dgram/package.json +0 -36
  650. package/node_modules/unix-dgram/src/unix_dgram.cc +0 -404
  651. package/node_modules/unix-dgram/src/win_dummy.cc +0 -7
  652. package/node_modules/unix-dgram/test/test-connect-callback.js +0 -68
  653. package/node_modules/unix-dgram/test/test-connect.js +0 -53
  654. package/node_modules/unix-dgram/test/test-dgram-unix.js +0 -58
  655. package/node_modules/unix-dgram/test/test-send-error.js +0 -26
  656. package/node_modules/winston-syslog/.eslintrc +0 -7
  657. package/node_modules/winston-syslog/.travis.yml +0 -14
  658. package/node_modules/winston-syslog/CHANGELOG.md +0 -9
  659. package/node_modules/winston-syslog/LICENSE +0 -20
  660. package/node_modules/winston-syslog/README.md +0 -135
  661. package/node_modules/winston-syslog/lib/utils.js +0 -26
  662. package/node_modules/winston-syslog/lib/winston-syslog.js +0 -385
  663. package/node_modules/winston-syslog/package.json +0 -56
  664. package/node_modules/winston-syslog/test/format-test.js +0 -122
  665. package/node_modules/winston-syslog/test/syslog-test.js +0 -95
  666. package/node_modules/winston-syslog/test/unix-connect-test.js +0 -133
package/lib/assess/propagators/validator/init-hooks.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -90,7 +90,7 @@ module.exports.handle = function() {
90
90
  function post(data) {
91
91
  if (data.result) {
92
92
  const trackingData = tracker.getData(data.args[0]);
93
- if (trackingData.tracked) {
93
+ if (trackingData) {
94
94
  tagRangeUtil.addInPlace(
95
95
  trackingData.tagRanges,
96
96
  new TagRange(0, data.args[0].length - 1, validators[validator])
@@ -131,7 +131,7 @@ module.exports.handle = function() {
131
131
  function post(data) {
132
132
  if (data.result) {
133
133
  const trackingData = tracker.getData(data.args[0]);
134
- if (trackingData.tracked) {
134
+ if (trackingData) {
135
135
  trackingData.tagRanges = [];
136
136
  trackingData.tracked = false;
137
137
  }
@@ -154,36 +154,36 @@ module.exports.handle = function() {
154
154
  function post(data) {
155
155
  // if not tracked then it can't be untrusted, so don't start
156
156
  // tracking this string.
157
- if (!tracker.getData(data.args[0]).tracked) return;
157
+ const inputData = tracker.getData(data.args[0]);
158
+ if (!inputData) return;
158
159
 
159
160
  const tag = sanitizers[sanitizer];
160
- // get existing tracker data
161
- const inputData = tracker.getData(data.args[0]);
162
161
 
163
162
  // are the input and output of the sanitizer the same?
164
163
  if (data.args[0] !== data.result) {
165
164
  let needsTag = true;
166
165
  // the input and output strings are not the same. start tracking the output.
167
- const result = tracker.track(data.result);
168
- const resultData = tracker.getData(result);
166
+ const tracked = tracker.track(data.result);
169
167
  // copy the input tags to the result, adjusting the range.
170
- const stop = data.result.length - 1;
171
- for (let i = 0; i < inputData.tagRanges.length; i++) {
172
- resultData.tagRanges[i] = new TagRange(
173
- 0,
174
- stop,
175
- inputData.tagRanges[i].tag
176
- );
177
- if (inputData.tagRanges[i].tag === tag) {
178
- needsTag = false;
168
+ if (tracked) {
169
+ const stop = data.result.length - 1;
170
+ for (let i = 0; i < inputData.tagRanges.length; i++) {
171
+ tracked.props.tagRanges[i] = new TagRange(
172
+ 0,
173
+ stop,
174
+ inputData.tagRanges[i].tag
175
+ );
176
+ if (inputData.tagRanges[i].tag === tag) {
177
+ needsTag = false;
178
+ }
179
179
  }
180
+ if (needsTag) {
181
+ tracked.props.tagRanges.push(
182
+ new TagRange(0, stop, sanitizers[sanitizer])
183
+ );
184
+ }
185
+ data.result = tracked.str;
180
186
  }
181
- if (needsTag) {
182
- resultData.tagRanges.push(
183
- new TagRange(0, stop, sanitizers[sanitizer])
184
- );
185
- }
186
- data.result = result;
187
187
  } else {
188
188
  // the input and output strings are the same, so the output is already being
189
189
  // tracked. if the tag is already present adjust the bounds otherwise add the
package/lib/assess/propagators/validator/validator-methods.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -63,7 +63,6 @@ module.exports = {
63
63
  isMagnetURI: 'alphanum-space-hyphen',
64
64
  isMD5: 'alphanum-space-hyphen',
65
65
  isMobilePhone: 'limited-chars',
66
- isMongoId: 'alphanum-space-hyphen',
67
66
  isNumeric: 'limited-chars',
68
67
  isOctal: 'alphanum-space-hyphen',
69
68
  isPassportNumber: 'limited-chars',
package/lib/assess/response-scanning/app-activity.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/response-scanning/autocomplete-missing.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/response-scanning/cache-controls-missing.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/response-scanning/clickjacking-control-missing.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/response-scanning/common.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/response-scanning/cookies/common.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/response-scanning/cookies/events.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/response-scanning/cookies/httponly.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/response-scanning/cookies/secure-flag-missing.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/response-scanning/headers/csp-header-insecure.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/response-scanning/headers/csp-header-missing.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/response-scanning/headers/csp-utils.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/response-scanning/headers/hsts-header-missing.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/response-scanning/headers/powered-by.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/response-scanning/headers/xcontenttype-header-missing.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/response-scanning/headers/xxssprotection-header-disabled.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/response-scanning/parameter-pollution.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/response-scanning/parseable-response-emitter.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/restify/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/restify/route-coverage.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/restify/session.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/restify/sinks/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/restify/sinks/response-scanning.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/restify/sinks/unvalidated-redirect.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/restify/sinks/xss.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/restify/sources.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/sinks/common.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -78,7 +78,9 @@ module.exports = (agent) => {
78
78
  // get the tags, event from dataflow actions ONLY
79
79
  if (sinkType === DATAFLOW) {
80
80
  const contrastProps = tracker.getData(input);
81
- ({ tagRanges, event } = contrastProps);
81
+ if (contrastProps) {
82
+ ({ tagRanges, event } = contrastProps);
83
+ }
82
84
  }
83
85
 
84
86
  const sink = new SinkEvent({
@@ -189,7 +191,7 @@ module.exports = (agent) => {
189
191
  ) {
190
192
  const trackData = tracker.getData(value);
191
193
 
192
- if (!trackData.tracked) {
194
+ if (!trackData) {
193
195
  return;
194
196
  }
195
197
 
@@ -415,9 +417,12 @@ module.exports = (agent) => {
415
417
  : common.nonDataflowVulnerableCheck({ sink });
416
418
 
417
419
  const checkedArgs = isVulnCheck(stack, result, args);
418
- return Array.isArray(checkedArgs)
419
- ? reduceConditions(checkedArgs, conditions.mode)
420
- : checkedArgs;
420
+ if (Array.isArray(checkedArgs) && checkedArgs.length > 0) {
421
+ const mode = conditions ? conditions.mode : 'and';
422
+ return reduceConditions(checkedArgs, mode);
423
+ } else {
424
+ return checkedArgs;
425
+ }
421
426
  };
422
427
 
423
428
  /**
package/lib/assess/sinks/dustjs-linkedin-xss.js ADDED
@@ -0,0 +1,131 @@
1
+ /**
2
+ Copyright: 2022 Contrast Security, Inc
3
+ Contact: support@contrastsecurity.com
4
+ License: Commercial
5
+
6
+ NOTICE: This Software and the patented inventions embodied within may only be
7
+ used as part of Contrast Security’s commercial offerings. Even though it is
8
+ made available through public repositories, use of this Software is subject to
9
+ the applicable End User Licensing Agreement found at
10
+ https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
11
+ between Contrast Security and the End User. The Software may not be reverse
12
+ engineered, modified, repackaged, sold, redistributed or otherwise used in a
13
+ way not consistent with the End User License Agreement.
14
+ */
15
+ 'use strict';
16
+
17
+ const patcher = require('../../hooks/patcher');
18
+ const { PATCH_TYPES } = require('../../constants');
19
+ const moduleHook = require('../../hooks/require');
20
+ const { CallContext, Signature } = require('../models');
21
+ const {
22
+ RULES: { REFLECTED_XSS }
23
+ } = require('../../constants');
24
+
25
+ const signature = new Signature({
26
+ moduleName: 'http.ClientResponse',
27
+ methodName: 'write',
28
+ isModule: true
29
+ });
30
+ const moduleName = 'dustjs-linkedin';
31
+
32
+ class Handler {
33
+ constructor({ report, isVulnerable, requiredTags, xss: { disallowedTags } }) {
34
+ this._isVulnerable = isVulnerable;
35
+ this.report = report;
36
+ this.requiredTags = requiredTags;
37
+ this.disallowedTags = disallowedTags;
38
+ }
39
+
40
+ isVulnerable(input) {
41
+ const { requiredTags, disallowedTags } = this;
42
+ const ret = this._isVulnerable({
43
+ input,
44
+ ruleId: REFLECTED_XSS,
45
+ disallowedTags,
46
+ requiredTags
47
+ });
48
+ return ret;
49
+ }
50
+
51
+ handle() {
52
+ moduleHook.resolve({ name: moduleName }, (dust) =>
53
+ this.handleRequire(dust)
54
+ );
55
+ }
56
+
57
+ getType(obj) {
58
+ return obj && obj.constructor && obj.constructor.name;
59
+ }
60
+
61
+ isResponseType(typeName) {
62
+ return typeName === 'ServerResponse';
63
+ }
64
+
65
+ patchDust(dust) {
66
+ const self = this;
67
+ patcher.patch(dust, 'stream', {
68
+ name: moduleName,
69
+ patchType: PATCH_TYPES.ASSESS_SINK,
70
+ alwaysRun: true,
71
+ post(data) {
72
+ self.patchStream(data.result);
73
+ }
74
+ });
75
+ }
76
+
77
+ /**
78
+ * Patch the pipe method and check wether the stream is targeting a
79
+ * response instance. If so, add the instance to the set of streams
80
+ * we should follow.
81
+ */
82
+ patchStream(streamInstance) {
83
+ const self = this;
84
+ patcher.patch(streamInstance, 'pipe', {
85
+ name: 'dust.Stream.prototype',
86
+ patchType: PATCH_TYPES.ASSESS_SINK,
87
+ alwaysRun: true,
88
+ pre({ args: [maybeRes] }) {
89
+ self.patchStreamTarget(maybeRes);
90
+ }
91
+ });
92
+ }
93
+
94
+ patchStreamTarget(target) {
95
+ const self = this;
96
+ const typeName = self.getType(target);
97
+
98
+ if (self.isResponseType(typeName)) {
99
+ patcher.patch(target, 'write', {
100
+ name: 'dust.pipeTarget',
101
+ patchType: PATCH_TYPES.ASSESS_SINK,
102
+ alwaysRun: true,
103
+ post({ args: [str], hooked }) {
104
+ if (self.isVulnerable(str)) {
105
+ self.report({
106
+ ruleId: REFLECTED_XSS,
107
+ signature,
108
+ input: str,
109
+ ctxt: new CallContext({
110
+ obj: typeName,
111
+ args: [str],
112
+ result: str,
113
+ stackOpts: {
114
+ constructorOpt: hooked
115
+ }
116
+ })
117
+ });
118
+ }
119
+ }
120
+ });
121
+ }
122
+ }
123
+
124
+ handleRequire(dust) {
125
+ this.patchDust(dust);
126
+ return dust;
127
+ }
128
+ }
129
+
130
+ module.exports = ({ common }) => new Handler(common);
131
+ module.exports.Handler = Handler;
package/lib/assess/sinks/dynamo.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/sinks/hapi-16-xss.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/sinks/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/sinks/libxmljs-xxe.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -34,7 +34,7 @@ module.exports = ({ common, signature }) => ({
34
34
  }
35
35
 
36
36
  const contrastProps = tracker.getData(xmlString);
37
- if (!contrastProps.tracked) {
37
+ if (!contrastProps) {
38
38
  return;
39
39
  }
40
40
 
package/lib/assess/sinks/mongodb.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -39,7 +39,8 @@ const ruleId = 'nosql-injection';
39
39
  const disallowedTags = [
40
40
  'limited-chars',
41
41
  'alphanum-space-hyphen',
42
- 'string-type-checked'
42
+ 'string-type-checked',
43
+ 'custom-validated-nosql-injection'
43
44
  ];
44
45
  const requiredTags = ['untrusted'];
45
46
 
package/lib/assess/sinks/ssrf-url.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -64,7 +64,7 @@ module.exports = ({ common: { isVulnerable } }) => {
64
64
 
65
65
  const contrastProps = tracker.getData(input);
66
66
 
67
- if (!contrastProps.tracked) {
67
+ if (!contrastProps) {
68
68
  return false;
69
69
  }
70
70
 
package/lib/assess/sources/formidable.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/sources/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/static/hardcoded.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/technologies/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/utils.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/cli-rewriter/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/constants.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -108,8 +108,11 @@ const RULES = {
108
108
  'cmd-injection-semantic-chained-commands',
109
109
  CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS:
110
110
  'cmd-injection-semantic-dangerous-paths',
111
- IP_DENYLIST: 'ip-blacklist',
111
+ IP_DENYLIST: 'ip-denylist',
112
112
  METHOD_TAMPERING: 'method-tampering',
113
+ // The following is not a known rule in TS and is only used by SR when
114
+ // reporting certain analysis results. We convert to nosqli before reporting
115
+ NOSQL_EXPANSION: 'nosql-expansion',
113
116
  NOSQL_INJECTION: 'nosql-injection',
114
117
  PATH_TRAVERSAL: 'path-traversal',
115
118
  REFLECTED_XSS: 'reflected-xss',
package/lib/contrast.js CHANGED
@@ -1,6 +1,6 @@
1
1
  #!/usr/bin/env node
2
2
  /**
3
- Copyright: 2021 Contrast Security, Inc
3
+ Copyright: 2022 Contrast Security, Inc
4
4
  Contact: support@contrastsecurity.com
5
5
  License: Commercial
6
6
 
package/lib/core/arch-components/dynamodb.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/core/arch-components/dynamodbv3.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5