@contrast/agent 4.6.0 → 4.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (563) hide show
  1. package/LICENSE +1 -1
  2. package/agent-loader.js +1 -1
  3. package/bin/VERSION +1 -1
  4. package/bin/linux/contrast-service +0 -0
  5. package/bin/mac/contrast-service +0 -0
  6. package/bin/windows/contrast-service.exe +0 -0
  7. package/bootstrap.js +13 -3
  8. package/cli-rewriter.js +1 -1
  9. package/cli.js +1 -1
  10. package/esm.mjs +34 -1
  11. package/lib/agent-emitter.js +1 -1
  12. package/lib/agent.js +1 -1
  13. package/lib/app-info.js +1 -1
  14. package/lib/assess/deadzones/index.js +1 -1
  15. package/lib/assess/deadzones/rewrite.js +1 -1
  16. package/lib/assess/express/index.js +1 -1
  17. package/lib/assess/express/route-coverage.js +1 -1
  18. package/lib/assess/express/sinks/index.js +1 -1
  19. package/lib/assess/express/sinks/xss.js +1 -1
  20. package/lib/assess/express/sources.js +1 -1
  21. package/lib/assess/fastify/index.js +1 -1
  22. package/lib/assess/fastify/route-coverage.js +1 -1
  23. package/lib/assess/fastify/sinks/index.js +1 -1
  24. package/lib/assess/fastify/sinks/response-scanning.js +1 -1
  25. package/lib/assess/fastify/sinks/unvalidated-redirect.js +1 -1
  26. package/lib/assess/fastify/sinks/xss.js +1 -1
  27. package/lib/assess/fastify/sources.js +1 -1
  28. package/lib/assess/hapi/index.js +1 -1
  29. package/lib/assess/hapi/route-coverage.js +1 -1
  30. package/lib/assess/hapi/sinks/index.js +1 -1
  31. package/lib/assess/hapi/sinks/response-scanning.js +1 -1
  32. package/lib/assess/hapi/sinks/session.js +1 -1
  33. package/lib/assess/hapi/sinks/unvalidated-redirect.js +1 -1
  34. package/lib/assess/hapi/sinks/xss.js +1 -1
  35. package/lib/assess/hapi/sources.js +1 -1
  36. package/lib/assess/index.js +3 -1
  37. package/lib/assess/koa/index.js +1 -1
  38. package/lib/assess/koa/route-coverage.js +1 -1
  39. package/lib/assess/koa/sinks/index.js +1 -1
  40. package/lib/assess/koa/sinks/response-scanning.js +1 -1
  41. package/lib/assess/koa/sinks/unvalidated-redirect.js +1 -1
  42. package/lib/assess/koa/sinks/xss.js +1 -1
  43. package/lib/assess/koa/sources.js +1 -1
  44. package/lib/assess/loopback4/index.js +1 -1
  45. package/lib/assess/loopback4/route-coverage.js +1 -1
  46. package/lib/assess/loopback4/sinks/index.js +1 -1
  47. package/lib/assess/loopback4/sinks/response-scanning.js +1 -1
  48. package/lib/assess/loopback4/sinks/xss.js +1 -1
  49. package/lib/assess/loopback4/sources.js +1 -1
  50. package/lib/assess/membrane/debraner.js +1 -1
  51. package/lib/assess/membrane/deserialization-membrane.js +5 -6
  52. package/lib/assess/membrane/index.js +1 -1
  53. package/lib/assess/membrane/source-membrane.js +17 -34
  54. package/lib/assess/models/base-event.js +1 -1
  55. package/lib/assess/models/call-context.js +2 -2
  56. package/lib/assess/models/index.js +1 -1
  57. package/lib/assess/models/propagation-event.js +1 -1
  58. package/lib/assess/models/signature.js +1 -1
  59. package/lib/assess/models/sink-event.js +1 -1
  60. package/lib/assess/models/source-event.js +7 -1
  61. package/lib/assess/models/tag-range/index.js +1 -1
  62. package/lib/assess/models/tag-range/relationships.js +1 -1
  63. package/lib/assess/models/tag-range/util.js +1 -1
  64. package/lib/assess/policy/index.js +1 -1
  65. package/lib/assess/policy/init.js +1 -1
  66. package/lib/assess/policy/propagators.json +13 -35
  67. package/lib/assess/policy/rules.json +36 -2
  68. package/lib/assess/policy/signatures.json +38 -6
  69. package/lib/assess/policy/util.js +3 -2
  70. package/lib/assess/propagators/JSON/parse.js +2 -2
  71. package/lib/assess/propagators/JSON/stringify.js +81 -11
  72. package/lib/assess/propagators/ajv/conditionals.js +1 -1
  73. package/lib/assess/propagators/ajv/evaluator-shim.js +1 -1
  74. package/lib/assess/propagators/ajv/index.js +1 -1
  75. package/lib/assess/propagators/ajv/json-schema-type-evaluators.js +1 -1
  76. package/lib/assess/propagators/ajv/object-walk.js +1 -1
  77. package/lib/assess/propagators/ajv/refs.js +1 -1
  78. package/lib/assess/propagators/ajv/schema-context.js +1 -1
  79. package/lib/assess/propagators/array-prototype-join.js +8 -9
  80. package/lib/assess/propagators/common.js +8 -6
  81. package/lib/assess/propagators/dustjs/escape-html.js +22 -0
  82. package/lib/assess/propagators/dustjs/escape-js.js +22 -0
  83. package/lib/assess/propagators/ejs-template-generate-source.js +1 -1
  84. package/lib/assess/propagators/encode-uri/encode-uri-component.js +22 -0
  85. package/lib/assess/propagators/encode-uri/encode-uri.js +22 -0
  86. package/lib/assess/propagators/handlebars-compile.js +1 -1
  87. package/lib/assess/propagators/handlebars-escape-expresssion.js +2 -2
  88. package/lib/assess/propagators/index.js +1 -3
  89. package/lib/assess/propagators/joi/boolean.js +2 -2
  90. package/lib/assess/propagators/joi/expression.js +2 -2
  91. package/lib/assess/propagators/joi/index.js +1 -1
  92. package/lib/assess/propagators/joi/number.js +2 -2
  93. package/lib/assess/propagators/joi/string-base.js +2 -2
  94. package/lib/assess/propagators/joi/string-schema.js +13 -14
  95. package/lib/assess/propagators/joi/values.js +38 -23
  96. package/lib/assess/propagators/manager.js +13 -11
  97. package/lib/assess/propagators/mongoose/helpers.js +20 -0
  98. package/lib/assess/propagators/mongoose/index.js +18 -0
  99. package/lib/assess/propagators/mongoose/map.js +74 -0
  100. package/lib/assess/propagators/mongoose/string.js +104 -0
  101. package/lib/assess/propagators/mustache/escape.js +22 -0
  102. package/lib/assess/propagators/number.js +54 -0
  103. package/lib/assess/propagators/object.js +7 -8
  104. package/lib/assess/propagators/path/basename.js +15 -14
  105. package/lib/assess/propagators/path/common.js +2 -2
  106. package/lib/assess/propagators/path/dirname.js +15 -14
  107. package/lib/assess/propagators/path/extname.js +15 -14
  108. package/lib/assess/propagators/path/format.js +1 -1
  109. package/lib/assess/propagators/path/join.js +1 -1
  110. package/lib/assess/propagators/path/normalize.js +1 -1
  111. package/lib/assess/propagators/path/parse.js +2 -2
  112. package/lib/assess/propagators/path/relative.js +8 -6
  113. package/lib/assess/propagators/path/resolve.js +1 -1
  114. package/lib/assess/propagators/path/to-namespaced-path.js +1 -1
  115. package/lib/assess/propagators/pug-compile.js +1 -1
  116. package/lib/assess/propagators/querystring/escape.js +21 -19
  117. package/lib/assess/propagators/querystring/parse.js +8 -6
  118. package/lib/assess/propagators/querystring/stringify.js +26 -25
  119. package/lib/assess/propagators/querystring/unescape.js +21 -19
  120. package/lib/assess/propagators/querystring/utils.js +1 -1
  121. package/lib/assess/propagators/sequelize/sql-string-escape.js +2 -2
  122. package/lib/assess/propagators/sequelize/sql-string-format-named-parameters.js +2 -2
  123. package/lib/assess/propagators/sequelize/sql-string-format.js +4 -4
  124. package/lib/assess/propagators/sequelize/utils.js +3 -3
  125. package/lib/assess/propagators/string-prototype-replace.js +31 -29
  126. package/lib/assess/propagators/string-prototype-split.js +37 -37
  127. package/lib/assess/propagators/string-prototype-trim.js +16 -18
  128. package/lib/assess/propagators/string.js +13 -17
  129. package/lib/assess/propagators/template-escape.js +87 -0
  130. package/lib/assess/propagators/templates.js +11 -12
  131. package/lib/assess/propagators/url/url-prototype-parse.js +6 -7
  132. package/lib/assess/propagators/url/url-url.js +52 -44
  133. package/lib/assess/propagators/url/utils.js +1 -1
  134. package/lib/assess/propagators/util/format.js +2 -2
  135. package/lib/assess/propagators/utils.js +1 -1
  136. package/lib/assess/propagators/v8/init-hooks.js +4 -4
  137. package/lib/assess/propagators/validator/init-hooks.js +23 -23
  138. package/lib/assess/propagators/validator/validator-methods.js +1 -2
  139. package/lib/assess/response-scanning/app-activity.js +1 -1
  140. package/lib/assess/response-scanning/autocomplete-missing.js +1 -1
  141. package/lib/assess/response-scanning/cache-controls-missing.js +1 -1
  142. package/lib/assess/response-scanning/clickjacking-control-missing.js +1 -1
  143. package/lib/assess/response-scanning/common.js +1 -1
  144. package/lib/assess/response-scanning/cookies/common.js +1 -1
  145. package/lib/assess/response-scanning/cookies/events.js +1 -1
  146. package/lib/assess/response-scanning/cookies/httponly.js +1 -1
  147. package/lib/assess/response-scanning/cookies/secure-flag-missing.js +1 -1
  148. package/lib/assess/response-scanning/headers/csp-header-insecure.js +1 -1
  149. package/lib/assess/response-scanning/headers/csp-header-missing.js +1 -1
  150. package/lib/assess/response-scanning/headers/csp-utils.js +1 -1
  151. package/lib/assess/response-scanning/headers/hsts-header-missing.js +1 -1
  152. package/lib/assess/response-scanning/headers/powered-by.js +1 -1
  153. package/lib/assess/response-scanning/headers/xcontenttype-header-missing.js +1 -1
  154. package/lib/assess/response-scanning/headers/xxssprotection-header-disabled.js +1 -1
  155. package/lib/assess/response-scanning/parameter-pollution.js +1 -1
  156. package/lib/assess/response-scanning/parseable-response-emitter.js +1 -1
  157. package/lib/assess/restify/index.js +1 -1
  158. package/lib/assess/restify/route-coverage.js +1 -1
  159. package/lib/assess/restify/session.js +1 -1
  160. package/lib/assess/restify/sinks/index.js +1 -1
  161. package/lib/assess/restify/sinks/response-scanning.js +1 -1
  162. package/lib/assess/restify/sinks/unvalidated-redirect.js +1 -1
  163. package/lib/assess/restify/sinks/xss.js +1 -1
  164. package/lib/assess/restify/sources.js +1 -1
  165. package/lib/assess/sinks/common.js +11 -6
  166. package/lib/assess/sinks/dustjs-linkedin-xss.js +131 -0
  167. package/lib/assess/sinks/dynamo.js +1 -1
  168. package/lib/assess/sinks/hapi-16-xss.js +1 -1
  169. package/lib/assess/sinks/index.js +1 -1
  170. package/lib/assess/sinks/libxmljs-xxe.js +2 -2
  171. package/lib/assess/sinks/mongodb.js +3 -2
  172. package/lib/assess/sinks/rethinkdb-nosql-injection.js +142 -0
  173. package/lib/assess/sinks/ssrf-url.js +2 -2
  174. package/lib/assess/sources/event-handler.js +307 -0
  175. package/lib/assess/sources/formidable.js +1 -1
  176. package/lib/assess/sources/index.js +94 -6
  177. package/lib/assess/spdy/index.js +23 -0
  178. package/lib/assess/spdy/sinks/index.js +23 -0
  179. package/lib/assess/spdy/sinks/xss.js +84 -0
  180. package/lib/assess/static/hardcoded.js +1 -1
  181. package/lib/assess/technologies/index.js +3 -2
  182. package/lib/assess/utils.js +1 -1
  183. package/lib/cli-rewriter/index.js +1 -1
  184. package/lib/constants.js +7 -3
  185. package/lib/contrast.js +7 -7
  186. package/lib/core/arch-components/dynamodb.js +1 -1
  187. package/lib/core/arch-components/dynamodbv3.js +1 -1
  188. package/lib/core/arch-components/index.js +2 -1
  189. package/lib/core/arch-components/mongodb.js +23 -19
  190. package/lib/core/arch-components/mysql.js +1 -1
  191. package/lib/core/arch-components/postgres.js +22 -4
  192. package/lib/core/arch-components/rethinkdb.js +53 -0
  193. package/lib/core/arch-components/sqlite3.js +4 -6
  194. package/lib/core/async-storage/context.js +1 -1
  195. package/lib/core/async-storage/hooks/bluebird.js +1 -1
  196. package/lib/core/async-storage/hooks/mongodb-core.js +1 -1
  197. package/lib/core/async-storage/hooks/mysql.js +1 -1
  198. package/lib/core/async-storage/hooks/redis.js +1 -1
  199. package/lib/core/async-storage/hooks/utils.js +1 -1
  200. package/lib/core/async-storage/index.js +1 -1
  201. package/lib/core/async-storage/scopes/index.js +1 -1
  202. package/lib/core/common/formidable.js +1 -1
  203. package/lib/core/common/index.js +1 -1
  204. package/lib/core/config/options.js +38 -4
  205. package/lib/core/config/util.js +1 -1
  206. package/lib/core/exclusions/exclusion-factory.js +1 -1
  207. package/lib/core/exclusions/exclusion.js +3 -6
  208. package/lib/core/exclusions/input.js +1 -1
  209. package/lib/core/exclusions/url.js +1 -1
  210. package/lib/core/express/index.js +26 -3
  211. package/lib/core/express/utils.js +9 -4
  212. package/lib/core/fastify/index.js +1 -1
  213. package/lib/core/fastify/utils.js +1 -1
  214. package/lib/core/hapi/index.js +1 -1
  215. package/lib/core/hapi/utils.js +1 -1
  216. package/lib/core/index.js +1 -1
  217. package/lib/core/koa/index.js +1 -1
  218. package/lib/core/koa/utils.js +1 -1
  219. package/lib/core/logger/daily-rotate-file.js +1 -1
  220. package/lib/core/logger/dataflow-monitor.js +1 -1
  221. package/lib/core/logger/debug-logger.js +1 -1
  222. package/lib/core/logger/index.js +1 -1
  223. package/lib/core/logger/perf-logger.js +1 -1
  224. package/lib/core/logger/umbrella-logger.js +1 -1
  225. package/lib/core/loopback4/index.js +1 -1
  226. package/lib/core/metrics/index.js +1 -1
  227. package/lib/core/restify/index.js +1 -1
  228. package/lib/core/restify/utils.js +1 -1
  229. package/lib/core/rewrite/assignment-expression.js +1 -1
  230. package/lib/core/rewrite/binary-expression.js +1 -1
  231. package/lib/core/rewrite/call-expression.js +1 -1
  232. package/lib/core/rewrite/callees.js +1 -1
  233. package/lib/core/rewrite/catch-clause.js +1 -1
  234. package/lib/core/rewrite/function-wrap.js +1 -1
  235. package/lib/core/rewrite/index.js +1 -1
  236. package/lib/core/rewrite/injections.js +9 -1
  237. package/lib/core/rewrite/is-contrast-method.js +1 -1
  238. package/lib/core/rewrite/log.js +1 -1
  239. package/lib/core/rewrite/member-expression.js +1 -1
  240. package/lib/core/rewrite/object-property.js +1 -1
  241. package/lib/core/rewrite/prepend-globals.js +1 -1
  242. package/lib/core/rewrite/rewrite-log.js +1 -1
  243. package/lib/core/rewrite/switch-statement.js +1 -1
  244. package/lib/core/rewrite/template-literal.js +1 -1
  245. package/lib/core/stacktrace.js +1 -1
  246. package/lib/coverage.js +1 -1
  247. package/lib/feature-set.js +2 -2
  248. package/lib/generator-function.js +1 -1
  249. package/lib/hooks/array.js +1 -1
  250. package/lib/hooks/cluster.js +1 -1
  251. package/lib/hooks/dataflow-monitor.js +1 -1
  252. package/lib/hooks/encoding.js +1 -1
  253. package/lib/hooks/express-fileupload.js +1 -1
  254. package/lib/hooks/express-session.js +1 -1
  255. package/lib/hooks/fn-to-string.js +1 -1
  256. package/lib/hooks/frameworks/base.js +1 -1
  257. package/lib/hooks/frameworks/common.js +1 -1
  258. package/lib/hooks/frameworks/hapi16.js +1 -1
  259. package/lib/hooks/frameworks/http.js +1 -1
  260. package/lib/hooks/frameworks/http2.js +1 -1
  261. package/lib/hooks/frameworks/index.js +3 -1
  262. package/lib/hooks/frameworks/spdy.js +87 -0
  263. package/lib/hooks/hapi-16-reply.js +1 -1
  264. package/lib/hooks/hapi-16-session.js +1 -1
  265. package/lib/hooks/http.js +12 -1
  266. package/lib/hooks/module/extensions.js +1 -1
  267. package/lib/hooks/module/helpers.js +1 -1
  268. package/lib/hooks/module/index.js +1 -1
  269. package/lib/hooks/newrelic.js +1 -1
  270. package/lib/hooks/object-is.js +1 -1
  271. package/lib/hooks/object-to-primitive.js +7 -8
  272. package/lib/hooks/patcher.js +62 -39
  273. package/lib/hooks/require.js +1 -1
  274. package/lib/hooks/stealthy-require.js +1 -1
  275. package/lib/instrumentation.js +1 -1
  276. package/lib/libraries.js +1 -1
  277. package/lib/library-usage.js +1 -1
  278. package/lib/list-installed.js +1 -1
  279. package/lib/protect/analysis/aho-corasick.js +1 -1
  280. package/lib/protect/analysis/dfsa-analyzer.js +1 -1
  281. package/lib/protect/errors/handler.js +1 -1
  282. package/lib/protect/errors/security-exception.js +1 -1
  283. package/lib/protect/express/index.js +1 -1
  284. package/lib/protect/express/sinks.js +1 -1
  285. package/lib/protect/express/sources.js +1 -1
  286. package/lib/protect/fastify/index.js +1 -1
  287. package/lib/protect/fastify/sinks.js +1 -1
  288. package/lib/protect/fastify/sources.js +1 -1
  289. package/lib/protect/hapi/error-handler.js +1 -1
  290. package/lib/protect/hapi/index.js +1 -1
  291. package/lib/protect/hapi/sinks.js +1 -1
  292. package/lib/protect/hapi/sources.js +1 -1
  293. package/lib/protect/index.js +1 -1
  294. package/lib/protect/input-analysis.js +1 -1
  295. package/lib/protect/koa/index.js +1 -1
  296. package/lib/protect/koa/sinks.js +1 -1
  297. package/lib/protect/koa/sources.js +1 -1
  298. package/lib/protect/listeners.js +1 -1
  299. package/lib/protect/loopback4/index.js +1 -1
  300. package/lib/protect/loopback4/sources.js +1 -1
  301. package/lib/protect/models/application-context.js +1 -1
  302. package/lib/protect/models/sink-event.js +1 -1
  303. package/lib/protect/models/source-event.js +1 -1
  304. package/lib/protect/restify/index.js +1 -1
  305. package/lib/protect/restify/sinks.js +1 -1
  306. package/lib/protect/restify/sources.js +1 -1
  307. package/lib/protect/rules/assessment.js +1 -1
  308. package/lib/protect/rules/attack-patterns.js +1 -1
  309. package/lib/protect/rules/base-scanner/index.js +1 -1
  310. package/lib/protect/rules/base-scanner/java-script-scanner.js +1 -1
  311. package/lib/protect/rules/base-scanner/postgresqlscanner.js +1 -1
  312. package/lib/protect/rules/base-scanner/scan-state.js +1 -1
  313. package/lib/protect/rules/base-scanner/substring-finder.js +1 -1
  314. package/lib/protect/rules/base-scanner/token-sequence.js +1 -1
  315. package/lib/protect/rules/bot-blocker/bot-blocker-rule.js +1 -1
  316. package/lib/protect/rules/bot-blocker/index.js +1 -1
  317. package/lib/protect/rules/cmd-injection/cmdinjection-rule.js +1 -1
  318. package/lib/protect/rules/cmd-injection-command-backdoors/backdoor-detector.js +1 -1
  319. package/lib/protect/rules/cmd-injection-command-backdoors/cmd-injection-command-backdoors-rule.js +1 -1
  320. package/lib/protect/rules/cmd-injection-semantic-chained-commands/chained-command-scanner.js +1 -1
  321. package/lib/protect/rules/cmd-injection-semantic-chained-commands/cmd-injection-semantic-chained-commands-rule.js +1 -1
  322. package/lib/protect/rules/cmd-injection-semantic-dangerous-paths/cmd-injection-semantic-dangerous-paths-rule.js +1 -1
  323. package/lib/protect/rules/cmd-injection-semantic-dangerous-paths/dangerous-paths-scanner.js +1 -1
  324. package/lib/protect/rules/common.js +1 -1
  325. package/lib/protect/rules/index.js +1 -1
  326. package/lib/protect/rules/ip-denylist/ip-denylist-rule.js +1 -1
  327. package/lib/protect/rules/method-tampering/evaluator.js +1 -1
  328. package/lib/protect/rules/method-tampering/method-tampering-rule.js +1 -1
  329. package/lib/protect/rules/nosqli/nosql-injection-rule.js +228 -0
  330. package/lib/protect/rules/nosqli/nosql-scanner/index.js +1 -1
  331. package/lib/protect/rules/nosqli/nosql-scanner/mongodbscanner.js +1 -1
  332. package/lib/protect/rules/path-traversal/path-traversal-rule.js +1 -1
  333. package/lib/protect/rules/rule-factory.js +3 -3
  334. package/lib/protect/rules/signatures/cmd-injection/custom-searchers/chained-command-searcher.js +1 -1
  335. package/lib/protect/rules/signatures/cmd-injection/custom-searchers/index.js +1 -1
  336. package/lib/protect/rules/signatures/cmd-injection/index.js +1 -1
  337. package/lib/protect/rules/signatures/evaluator.js +1 -1
  338. package/lib/protect/rules/signatures/index.js +1 -1
  339. package/lib/protect/rules/signatures/nosql-injection/custom-searchers/index.js +1 -1
  340. package/lib/protect/rules/signatures/nosql-injection/custom-searchers/nosql-comment-searcher.js +1 -1
  341. package/lib/protect/rules/signatures/nosql-injection/custom-searchers/simple-or-searcher.js +1 -1
  342. package/lib/protect/rules/signatures/nosql-injection/index.js +1 -1
  343. package/lib/protect/rules/signatures/path-traversal/index.js +1 -1
  344. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/behavior-url-searcher.js +1 -1
  345. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/function-definition-searcher.js +1 -1
  346. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/immediate-function-searcher.js +1 -1
  347. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/index.js +1 -1
  348. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/link-and-src-target-searcher.js +1 -1
  349. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/location-set-searcher.js +1 -1
  350. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/map-access-searcher.js +1 -1
  351. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/native-function-execution-searcher.js +1 -1
  352. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/no-alnum-searcher.js +1 -1
  353. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/redefined-function-searcher.js +1 -1
  354. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/style-url-injection-searcher.js +1 -1
  355. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/variable-assignment-searcher.js +1 -1
  356. package/lib/protect/rules/signatures/reflected-xss/helpers/function-call.js +1 -1
  357. package/lib/protect/rules/signatures/reflected-xss/index.js +1 -1
  358. package/lib/protect/rules/signatures/signature.js +1 -1
  359. package/lib/protect/rules/signatures/sql-injection/custom-searchers/if-else-drop-searcher.js +1 -1
  360. package/lib/protect/rules/signatures/sql-injection/custom-searchers/index.js +1 -1
  361. package/lib/protect/rules/signatures/sql-injection/custom-searchers/simple-or-searcher.js +1 -1
  362. package/lib/protect/rules/signatures/sql-injection/custom-searchers/sql-comment-searcher.js +1 -1
  363. package/lib/protect/rules/signatures/sql-injection/custom-searchers/time-function-searcher.js +1 -1
  364. package/lib/protect/rules/signatures/sql-injection/custom-searchers/tsql-exec-searcher.js +1 -1
  365. package/lib/protect/rules/signatures/sql-injection/index.js +1 -1
  366. package/lib/protect/rules/signatures/ssjs-injection/index.js +1 -1
  367. package/lib/protect/rules/signatures/unsafe-file-upload/index.js +1 -1
  368. package/lib/protect/rules/signatures/untrusted-deserialization/index.js +1 -1
  369. package/lib/protect/rules/sqli/generic-complicated.js +1 -1
  370. package/lib/protect/rules/sqli/sql-injection-rule.js +1 -1
  371. package/lib/protect/rules/sqli/sql-scanner/index.js +1 -1
  372. package/lib/protect/rules/sqli/sql-scanner/mysql-scanner.js +1 -1
  373. package/lib/protect/rules/ssjs-injection/evaluator.js +1 -1
  374. package/lib/protect/rules/ssjs-injection/ssjsinjection-rule.js +1 -1
  375. package/lib/protect/rules/unsafe-file-upload/unsafe-file-upload-rule.js +1 -1
  376. package/lib/protect/rules/untrusted-deserialization/untrusted-deserialization-rule.js +1 -1
  377. package/lib/protect/rules/virtual-patch/index.js +1 -1
  378. package/lib/protect/rules/virtual-patch/utils.js +1 -1
  379. package/lib/protect/rules/virtual-patch/virtual-patch-rule.js +1 -1
  380. package/lib/protect/rules/xss/helpers/function-call.js +1 -1
  381. package/lib/protect/rules/xss/reflected-xss-rule.js +1 -1
  382. package/lib/protect/rules/xxe/xxerule.js +1 -1
  383. package/lib/protect/sample-aggregator.js +1 -1
  384. package/lib/protect/samples.js +1 -1
  385. package/lib/protect/service.js +24 -12
  386. package/lib/protect/sinks/child-process.js +1 -1
  387. package/lib/protect/sinks/eval.js +1 -1
  388. package/lib/protect/sinks/fs.js +1 -1
  389. package/lib/protect/sinks/function.js +1 -1
  390. package/lib/protect/sinks/index.js +1 -1
  391. package/lib/protect/sinks/libxmljs.js +1 -1
  392. package/lib/protect/sinks/mongodb.js +57 -56
  393. package/lib/protect/sinks/mysql.js +1 -1
  394. package/lib/protect/sinks/node-serialize.js +1 -1
  395. package/lib/protect/sinks/postgres.js +1 -1
  396. package/lib/protect/sinks/sequelize.js +1 -1
  397. package/lib/protect/sinks/sqlite3.js +1 -1
  398. package/lib/protect/sinks/vm.js +1 -1
  399. package/lib/protect/sources/busboy.js +1 -1
  400. package/lib/protect/sources/formidable.js +1 -1
  401. package/lib/protect/sources/index.js +1 -1
  402. package/lib/protect/validators/authorization.js +1 -1
  403. package/lib/protect/validators/common.js +1 -1
  404. package/lib/protect/validators/connection.js +1 -1
  405. package/lib/protect/validators/content-length.js +1 -1
  406. package/lib/protect/validators/host.js +1 -1
  407. package/lib/protect/validators/if-none-match.js +1 -1
  408. package/lib/protect/validators/index.js +1 -1
  409. package/lib/protect/validators/origin.js +1 -1
  410. package/lib/reporter/app-activity-queue.js +1 -1
  411. package/lib/reporter/grpc-client.js +1 -1
  412. package/lib/reporter/messages/speedracer/activity.js +1 -1
  413. package/lib/reporter/messages/speedracer/application-create.js +1 -1
  414. package/lib/reporter/messages/speedracer/application-update.js +1 -1
  415. package/lib/reporter/messages/speedracer/base.js +1 -1
  416. package/lib/reporter/messages/speedracer/index.js +1 -1
  417. package/lib/reporter/messages/speedracer/observed-route.js +1 -1
  418. package/lib/reporter/messages/speedracer/poll.js +1 -1
  419. package/lib/reporter/messages/speedracer/request.js +1 -1
  420. package/lib/reporter/messages/speedracer/startup.js +1 -1
  421. package/lib/reporter/messaging-router.js +1 -1
  422. package/lib/reporter/models/app-activity/app-activity.js +1 -1
  423. package/lib/reporter/models/app-activity/attacker-activity.js +1 -1
  424. package/lib/reporter/models/app-activity/defend.js +1 -1
  425. package/lib/reporter/models/app-activity/inventory.js +1 -1
  426. package/lib/reporter/models/app-activity/protection-rule-activity.js +1 -1
  427. package/lib/reporter/models/app-activity/rule-events.js +1 -1
  428. package/lib/reporter/models/app-activity/sample.js +1 -1
  429. package/lib/reporter/models/app-activity/source.js +1 -1
  430. package/lib/reporter/models/app-activity/user-input.js +1 -1
  431. package/lib/reporter/models/app-create.js +1 -1
  432. package/lib/reporter/models/app-update/index.js +1 -1
  433. package/lib/reporter/models/app-update/library-manifest.js +1 -1
  434. package/lib/reporter/models/app-update/library-usage.js +1 -1
  435. package/lib/reporter/models/app-update/library.js +1 -1
  436. package/lib/reporter/models/event-tag.js +1 -1
  437. package/lib/reporter/models/finding/event.js +1 -1
  438. package/lib/reporter/models/finding/finding.js +1 -1
  439. package/lib/reporter/models/frameworks/express-request.js +1 -1
  440. package/lib/reporter/models/frameworks/fastify-request.js +1 -1
  441. package/lib/reporter/models/frameworks/hapi-request.js +1 -1
  442. package/lib/reporter/models/frameworks/index.js +1 -1
  443. package/lib/reporter/models/frameworks/koa-request.js +1 -1
  444. package/lib/reporter/models/frameworks/restify-request.js +1 -1
  445. package/lib/reporter/models/observed-route.js +1 -1
  446. package/lib/reporter/models/request.js +1 -1
  447. package/lib/reporter/models/route-coverage.js +1 -1
  448. package/lib/reporter/models/startup.js +1 -1
  449. package/lib/reporter/models/trace-event-source.js +1 -1
  450. package/lib/reporter/models/utils/request-factory.js +1 -1
  451. package/lib/reporter/models/utils/user-input-factory.js +1 -1
  452. package/lib/reporter/models/utils/user-input-kit.js +1 -1
  453. package/lib/reporter/mq-client.js +1 -1
  454. package/lib/reporter/server-activity-queue.js +1 -1
  455. package/lib/reporter/socket-client.js +1 -1
  456. package/lib/reporter/speedracer/base-connection-state.js +1 -1
  457. package/lib/reporter/speedracer/constants.js +1 -1
  458. package/lib/reporter/speedracer/failure-connection-state.js +1 -1
  459. package/lib/reporter/speedracer/index.js +1 -1
  460. package/lib/reporter/speedracer/success-connection-state.js +1 -1
  461. package/lib/reporter/speedracer/unknown-connection-state.js +1 -1
  462. package/lib/reporter/translations/enums.js +1 -1
  463. package/lib/reporter/translations/helpers.js +1 -1
  464. package/lib/reporter/translations/to-protobuf/dtm/activity.js +1 -1
  465. package/lib/reporter/translations/to-protobuf/dtm/address.js +1 -1
  466. package/lib/reporter/translations/to-protobuf/dtm/agent-startup.js +1 -1
  467. package/lib/reporter/translations/to-protobuf/dtm/application-create.js +1 -1
  468. package/lib/reporter/translations/to-protobuf/dtm/application-update.js +1 -1
  469. package/lib/reporter/translations/to-protobuf/dtm/architecture-component.js +1 -1
  470. package/lib/reporter/translations/to-protobuf/dtm/attack-result.js +1 -1
  471. package/lib/reporter/translations/to-protobuf/dtm/bot-blocker-details.js +1 -1
  472. package/lib/reporter/translations/to-protobuf/dtm/cmd-injection-details.js +1 -1
  473. package/lib/reporter/translations/to-protobuf/dtm/cmd-injection-semantic-analysis-details.js +1 -1
  474. package/lib/reporter/translations/to-protobuf/dtm/finding.js +1 -1
  475. package/lib/reporter/translations/to-protobuf/dtm/http-method-tampering-details.js +1 -1
  476. package/lib/reporter/translations/to-protobuf/dtm/http-request.js +1 -1
  477. package/lib/reporter/translations/to-protobuf/dtm/index.js +2 -2
  478. package/lib/reporter/translations/to-protobuf/dtm/ip-denylist-details.js +2 -2
  479. package/lib/reporter/translations/to-protobuf/dtm/library-usage-update.js +1 -1
  480. package/lib/reporter/translations/to-protobuf/dtm/no-sql-injection-details.js +1 -1
  481. package/lib/reporter/translations/to-protobuf/dtm/observed-route.js +1 -1
  482. package/lib/reporter/translations/to-protobuf/dtm/pair.js +1 -1
  483. package/lib/reporter/translations/to-protobuf/dtm/path-traversal-details.js +1 -1
  484. package/lib/reporter/translations/to-protobuf/dtm/poll.js +1 -1
  485. package/lib/reporter/translations/to-protobuf/dtm/rasp-rule-sample.js +2 -2
  486. package/lib/reporter/translations/to-protobuf/dtm/raw-request.js +1 -1
  487. package/lib/reporter/translations/to-protobuf/dtm/route-coverage.js +1 -1
  488. package/lib/reporter/translations/to-protobuf/dtm/simple-pair.js +1 -1
  489. package/lib/reporter/translations/to-protobuf/dtm/sql-injection-details.js +1 -1
  490. package/lib/reporter/translations/to-protobuf/dtm/ssjs-injection-details.js +1 -1
  491. package/lib/reporter/translations/to-protobuf/dtm/stack-trace-element.js +1 -1
  492. package/lib/reporter/translations/to-protobuf/dtm/trace-event/action.js +1 -1
  493. package/lib/reporter/translations/to-protobuf/dtm/trace-event/index.js +5 -5
  494. package/lib/reporter/translations/to-protobuf/dtm/trace-event/parent-object-id.js +1 -1
  495. package/lib/reporter/translations/to-protobuf/dtm/trace-event/trace-event-object.js +1 -1
  496. package/lib/reporter/translations/to-protobuf/dtm/trace-event/trace-event-signature.js +1 -1
  497. package/lib/reporter/translations/to-protobuf/dtm/trace-event/trace-event-source.js +1 -1
  498. package/lib/reporter/translations/to-protobuf/dtm/trace-event/trace-stack.js +1 -1
  499. package/lib/reporter/translations/to-protobuf/dtm/trace-event/trace-taint-range.js +1 -1
  500. package/lib/reporter/translations/to-protobuf/dtm/trace-event/type.js +1 -1
  501. package/lib/reporter/translations/to-protobuf/dtm/untrusted-deserialization-details.js +1 -1
  502. package/lib/reporter/translations/to-protobuf/dtm/user-input.js +1 -1
  503. package/lib/reporter/translations/to-protobuf/dtm/virtual-patch-details.js +1 -1
  504. package/lib/reporter/translations/to-protobuf/dtm/xss-details.js +1 -1
  505. package/lib/reporter/translations/to-protobuf/dtm/xxe-details.js +1 -1
  506. package/lib/reporter/translations/to-protobuf/index.js +1 -1
  507. package/lib/reporter/translations/to-protobuf/settings/application-settings.js +1 -1
  508. package/lib/reporter/translations/to-protobuf/settings/assess-features.js +1 -1
  509. package/lib/reporter/translations/to-protobuf/settings/auth.js +1 -1
  510. package/lib/reporter/translations/to-protobuf/settings/bot-blocker.js +1 -1
  511. package/lib/reporter/translations/to-protobuf/settings/custom-rule-feature.js +1 -1
  512. package/lib/reporter/translations/to-protobuf/settings/defend-features.js +9 -7
  513. package/lib/reporter/translations/to-protobuf/settings/exclusions.js +6 -5
  514. package/lib/reporter/translations/to-protobuf/settings/index.js +1 -1
  515. package/lib/reporter/translations/to-protobuf/settings/input-analysis-result.js +1 -1
  516. package/lib/reporter/translations/to-protobuf/settings/inventory-features.js +1 -1
  517. package/lib/reporter/translations/to-protobuf/settings/ip-filter.js +1 -1
  518. package/lib/reporter/translations/to-protobuf/settings/log-enhancer.js +1 -1
  519. package/lib/reporter/translations/to-protobuf/settings/protection-rule.js +1 -1
  520. package/lib/reporter/translations/to-protobuf/settings/reaction.js +1 -1
  521. package/lib/reporter/translations/to-protobuf/settings/rule-definition.js +1 -1
  522. package/lib/reporter/translations/to-protobuf/settings/sampling.js +1 -1
  523. package/lib/reporter/translations/to-protobuf/settings/server-features.js +1 -1
  524. package/lib/reporter/translations/to-protobuf/settings/syslog.js +1 -1
  525. package/lib/reporter/translations/to-protobuf/settings/virtual-patch.js +1 -1
  526. package/lib/reporter/ts-reporter.js +1 -1
  527. package/lib/tracker.js +14 -66
  528. package/lib/util/base64.js +1 -1
  529. package/lib/util/bitset.js +1 -1
  530. package/lib/util/block-request.js +1 -1
  531. package/lib/util/callback-resolver.js +1 -1
  532. package/lib/util/clean-stack.js +1 -1
  533. package/lib/util/clean-string/brackets.js +1 -1
  534. package/lib/util/clean-string/clean-string-base.js +1 -1
  535. package/lib/util/clean-string/comments.js +1 -1
  536. package/lib/util/clean-string/concatenations.js +1 -1
  537. package/lib/util/clean-string/jsclean-string.js +1 -1
  538. package/lib/util/clean-string/placeholders.js +1 -1
  539. package/lib/util/clean-string/util.js +1 -1
  540. package/lib/util/colors.js +1 -1
  541. package/lib/util/file-finder.js +1 -1
  542. package/lib/util/heap-dump.js +1 -1
  543. package/lib/util/html-util.js +1 -1
  544. package/lib/util/ip-analyzer.js +1 -1
  545. package/lib/util/is-agent-path.js +1 -1
  546. package/lib/util/is-contrast-error.js +1 -1
  547. package/lib/util/is-piped-to-dev.js +1 -1
  548. package/lib/util/is-string.js +1 -1
  549. package/lib/util/partial.js +1 -1
  550. package/lib/util/pkg-name.js +1 -1
  551. package/lib/util/request-util.js +1 -1
  552. package/lib/util/resolve-obj.js +1 -1
  553. package/lib/util/route-info.js +1 -1
  554. package/lib/util/some.js +1 -1
  555. package/lib/util/source-map.js +2 -2
  556. package/lib/util/static-rules.js +1 -1
  557. package/lib/util/trace-util.js +1 -1
  558. package/lib/util/traverse.js +1 -1
  559. package/lib/util/user-input-evaluator.js +1 -1
  560. package/lib/util/xml-analyzer/external-entity-finder.js +1 -1
  561. package/package.json +14 -8
  562. package/perf-logs.js +1 -1
  563. package/lib/protect/rules/nosqli/no-sql-injection-rule.js +0 -109
package/LICENSE CHANGED
@@ -1,4 +1,4 @@
1
- Copyright: 2021 Contrast Security, Inc
1
+ Copyright: 2022 Contrast Security, Inc
2
2
  Contact: support@contrastsecurity.com
3
3
  License: Commercial
4
4
 
package/agent-loader.js CHANGED
@@ -1,6 +1,6 @@
1
1
  #!/usr/bin/env node
2
2
  /**
3
- Copyright: 2021 Contrast Security, Inc
3
+ Copyright: 2022 Contrast Security, Inc
4
4
  Contact: support@contrastsecurity.com
5
5
  License: Commercial
6
6
 
package/bin/VERSION CHANGED
@@ -1 +1 @@
1
- 2.27.3
1
+ 2.28.5
package/bin/linux/contrast-service CHANGED
Binary file
package/bin/mac/contrast-service CHANGED
Binary file
package/bin/windows/contrast-service.exe CHANGED
Binary file
package/bootstrap.js CHANGED
@@ -1,6 +1,6 @@
1
1
  #!/usr/bin/env node
2
2
  /**
3
- Copyright: 2021 Contrast Security, Inc
3
+ Copyright: 2022 Contrast Security, Inc
4
4
  Contact: support@contrastsecurity.com
5
5
  License: Commercial
6
6
 
@@ -26,7 +26,16 @@ const orig = Module.runMain;
26
26
  * script from cli
27
27
  */
28
28
  Module.runMain = async function(...args) {
29
+ const { isMainThread } = require('worker_threads');
30
+
29
31
  try {
32
+ // Skip instrumenting worker threads.
33
+ if (!isMainThread) {
34
+ orig.apply(this, args);
35
+
36
+ return;
37
+ }
38
+
30
39
  const { enabled } = await loader.init(process.argv);
31
40
  if (enabled) {
32
41
  await loader.bootstrap(process.argv);
@@ -37,9 +46,10 @@ Module.runMain = async function(...args) {
37
46
  orig.apply(this, args);
38
47
  loader.logTime(appStartTime, 'application');
39
48
  loader.logTime(startTime, 'agent & application');
40
-
41
- } catch(err) {
49
+ } catch (err) {
50
+ // eslint-disable-next-line no-console
42
51
  console.error(err);
52
+ // eslint-disable-next-line no-process-exit
43
53
  process.exit(-1);
44
54
  }
45
55
  };
package/cli-rewriter.js CHANGED
@@ -1,6 +1,6 @@
1
1
  #!/usr/bin/env node
2
2
  /**
3
- Copyright: 2021 Contrast Security, Inc
3
+ Copyright: 2022 Contrast Security, Inc
4
4
  Contact: support@contrastsecurity.com
5
5
  License: Commercial
6
6
 
package/cli.js CHANGED
@@ -1,6 +1,6 @@
1
1
  #!/usr/bin/env node
2
2
  /**
3
- Copyright: 2021 Contrast Security, Inc
3
+ Copyright: 2022 Contrast Security, Inc
4
4
  Contact: support@contrastsecurity.com
5
5
  License: Commercial
6
6
 
package/esm.mjs CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -22,6 +22,7 @@ if (enabled) {
22
22
  await loader.bootstrap(process.argv);
23
23
  }
24
24
  await loader.resetArgs(process.argv[0], process.argv[1]);
25
+ const { readFile } = require('fs').promises;
25
26
 
26
27
  const agent = require(`./lib/agent.js`);
27
28
  const logger = require(`./lib/core/logger/index.js`)('contrast:esm-loaders');
@@ -95,3 +96,35 @@ export async function transformSource(source, context, defaultTransformSource) {
95
96
  return defaultTransformSource(source, context, defaultTransformSource);
96
97
  }
97
98
  }
99
+
100
+ /**
101
+ * For Node 16 and above, the 'getFormat', 'getSource' and 'transformSource' have been
102
+ * consolidated into one 'load' hook. The logic is similar to that of transformSource
103
+ * except that the source is not provided and must be either read in from the file provided
104
+ * or accessed from the cache.
105
+ *
106
+ * @see https://nodejs.org/dist/latest-v16.x/docs/api/esm.html#loadurl-context-defaultload
107
+ * @param {string} url
108
+ * @param {{ format: string, url: string }} context
109
+ * @param {Function} defaultLoad
110
+ * @returns {Promise<{ format: string, source: string | SharedArrayBuffer | Uint8Array }>}
111
+ */
112
+ export async function load(url, context, defaultLoad) {
113
+ const filename = fileURLToPath(url);
114
+
115
+ try {
116
+ const cached = helpers.find(agent, filename);
117
+ const source = cached || await readFile(filename, 'utf8');
118
+ const result = rewriter.rewriteFile(source, filename, { sourceType: 'module' });
119
+ helpers.cacheWithSourceMap(agent, filename, result);
120
+ return { format: context.format, source: result.code };
121
+
122
+ } catch (err) {
123
+ logger.error(
124
+ 'Failed to load rewritten code for %s, err: %o, rewritten code %s, loading original code.',
125
+ filename,
126
+ err
127
+ );
128
+ return defaultLoad(url, context, defaultLoad);
129
+ }
130
+ }
package/lib/agent-emitter.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/agent.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/app-info.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/deadzones/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/deadzones/rewrite.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/express/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/express/route-coverage.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/express/sinks/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/express/sinks/xss.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/express/sources.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/fastify/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/fastify/route-coverage.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/fastify/sinks/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/fastify/sinks/response-scanning.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/fastify/sinks/unvalidated-redirect.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/fastify/sinks/xss.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/fastify/sources.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/hapi/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/hapi/route-coverage.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/hapi/sinks/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/hapi/sinks/response-scanning.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/hapi/sinks/session.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/hapi/sinks/unvalidated-redirect.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/hapi/sinks/xss.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/hapi/sources.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -20,6 +20,7 @@ const KoaFrameworkInstrumentation = require('./koa');
20
20
  const HapiFrameworkInstrumentation = require('./hapi');
21
21
  const Loopback4FrameworkInstrumentation = require('./loopback4');
22
22
  const ExpressFrameworkInstrumentation = require('./express');
23
+ const SpdyFrameworkInstrumentation = require('./spdy');
23
24
  const assessSources = require('./sources');
24
25
 
25
26
  module.exports = function(agent) {
@@ -29,5 +30,6 @@ module.exports = function(agent) {
29
30
  new HapiFrameworkInstrumentation(agent);
30
31
  new Loopback4FrameworkInstrumentation(agent);
31
32
  new ExpressFrameworkInstrumentation(agent);
33
+ new SpdyFrameworkInstrumentation(agent);
32
34
  assessSources.init(agent);
33
35
  };
package/lib/assess/koa/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/koa/route-coverage.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/koa/sinks/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/koa/sinks/response-scanning.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/koa/sinks/unvalidated-redirect.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/koa/sinks/xss.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/koa/sources.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/loopback4/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/loopback4/route-coverage.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/loopback4/sinks/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/loopback4/sinks/response-scanning.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/loopback4/sinks/xss.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/loopback4/sources.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/membrane/debraner.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/membrane/deserialization-membrane.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -58,19 +58,18 @@ class DeserializationMembrane extends Membrane {
58
58
  });
59
59
 
60
60
  const tracked = tracker.track(str);
61
- const strData = tracker.getData(tracked);
62
61
 
63
- if (!strData.tracked) {
62
+ if (!tracked) {
64
63
  return str;
65
64
  }
66
65
 
67
- strData.event = event;
66
+ tracked.props.event = event;
68
67
  event.parents.push(this.event);
69
- strData.tagRanges = this.tagRanges.map(
68
+ tracked.props.tagRanges = this.tagRanges.map(
70
69
  (t) => new TagRange(0, str.length - 1, t.tag)
71
70
  );
72
71
 
73
- return tracked;
72
+ return tracked.str;
74
73
  }
75
74
  }
76
75
 
package/lib/assess/membrane/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/membrane/source-membrane.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -13,7 +13,6 @@ Copyright: 2021 Contrast Security, Inc
13
13
  way not consistent with the End User License Agreement.
14
14
  */
15
15
  'use strict';
16
- const _ = require('lodash');
17
16
 
18
17
  const logger = require('../../core/logger')('contrast:source-membrane');
19
18
  const Membrane = require('./index');
@@ -39,14 +38,6 @@ const signature = new Signature({
39
38
  isModule: false
40
39
  });
41
40
 
42
- const numericCheck = /^[0-9]+$/;
43
- function isNumeric(input) {
44
- // regex from validator.js/lib/isNumeric.js:
45
- // https://github.com/validatorjs/validator.js/blob/master/lib/isNumeric.js
46
- // do we want to allow symbols (plus/minus sign, decimal point?)
47
- return numericCheck.test(input);
48
- }
49
-
50
41
  module.exports = class SourceMembrane extends Membrane {
51
42
  /**
52
43
  * @param {object} config agent config to use for array sampling.
@@ -72,9 +63,7 @@ module.exports = class SourceMembrane extends Membrane {
72
63
  if (cfg.array_request_sampling) {
73
64
  this.sample = cfg.array_request_sampling.enable;
74
65
  this.sampleThreshold = cfg.array_request_sampling.threshold;
75
- this.sampleInterval = this.sample
76
- ? cfg.array_request_sampling.interval
77
- : 1;
66
+ this.sampleInterval = cfg.array_request_sampling.interval || 1;
78
67
  }
79
68
  // used when a reqSourceEvent must be created because an entire object
80
69
  // is being stringified but individual properties are not being referenced
@@ -147,7 +136,7 @@ module.exports = class SourceMembrane extends Membrane {
147
136
  if (!this.ensureMetadata(metadata)) {
148
137
  return str;
149
138
  }
150
- const tracked = tracker.track2(str);
139
+ const tracked = tracker.track(str);
151
140
  if (!tracked) {
152
141
  return str;
153
142
  }
@@ -304,8 +293,7 @@ module.exports = class SourceMembrane extends Membrane {
304
293
  /**
305
294
  * The `TagRanges` returned will include the `untrusted` tag. There will be
306
295
  * `exclusion:${ruleId}` tags for input exclusions pertaining to specific
307
- * rules and whose name matches the property name described in metadata. And
308
- * `limited-chars` tags are included if string is numeric.
296
+ * rules and whose name matches the property name described in metadata.
309
297
  * @param {string} str string being tracked by membrane
310
298
  * @param {object} metadata metadata about source type and key name
311
299
  * @returns {TagRange[]}
@@ -342,10 +330,6 @@ module.exports = class SourceMembrane extends Membrane {
342
330
  }
343
331
  }
344
332
 
345
- if (isNumeric(str)) {
346
- tagRanges.push(new TagRange(start, stop, 'limited-chars'));
347
- }
348
-
349
333
  if (metadata.sourceType === 'header') {
350
334
  if (metadata.path.toLocaleLowerCase() !== 'referer') {
351
335
  tagRanges.push(new TagRange(start, stop, 'header'));
@@ -368,11 +352,6 @@ module.exports = class SourceMembrane extends Membrane {
368
352
  wrapArray(arr, metadata) {
369
353
  metadata.isArray = true;
370
354
 
371
- // if not sampling, treat it as any object. not sampling has 100%
372
- // accuracy.
373
- if (!this.sample) {
374
- return super.wrapArray(arr, metadata);
375
- }
376
355
  // don't sample more than once
377
356
  if (this.wrappedArrays.has(arr)) {
378
357
  return arr;
@@ -380,16 +359,20 @@ module.exports = class SourceMembrane extends Membrane {
380
359
 
381
360
  const limit = Math.min(this.sampleThreshold, arr.length);
382
361
 
383
- for (let i = 0; i < limit; i++) {
384
- if (i % this.sampleInterval === 0 && arr[i]) {
385
- const m = _.cloneDeep(metadata);
386
- if (m.path) {
387
- m.path += `[${i}]`;
388
- } else {
389
- m.path = `[${i}]`;
362
+ // if not sampling, treat it as any object. not sampling has 100% accuracy.
363
+ if (!this.sample || (limit === arr.length && this.sampleInterval === 1)) {
364
+ return super.wrapObject(arr, metadata);
365
+ } else if (!this.sampleThreshold) {
366
+ return arr;
367
+ } else {
368
+ const origPath = metadata.path;
369
+ for (let i = 0; i < limit; i += this.sampleInterval) {
370
+ if (arr[i]) {
371
+ const m = Object.assign({}, metadata);
372
+ m.path = origPath ? `${origPath}[${i}]` : `[${i}]`;
373
+ const wrapped = this.wrap(arr[i], m);
374
+ arr[i] = wrapped;
390
375
  }
391
-
392
- arr[i] = this.wrap(arr[i], m);
393
376
  }
394
377
  }
395
378
 
package/lib/assess/models/base-event.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/assess/models/call-context.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -96,7 +96,7 @@ module.exports = class CallContext {
96
96
  }
97
97
 
98
98
  static isTracked(str) {
99
- if (tracker.getData2(str)) {
99
+ if (tracker.getData(str)) {
100
100
  return true;
101
101
  }
102
102
  return !!(str && typeof str === 'object' && str[PROXY_TARGET]);