npm - @contrast/agent - Versions diffs - 4.6.0 → 4.9.0 - Mend

@contrast/agent 4.6.0 → 4.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (563) hide show

package/lib/util/clean-string/concatenations.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/clean-string/jsclean-string.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/clean-string/placeholders.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/clean-string/util.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/colors.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/file-finder.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/heap-dump.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/html-util.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/ip-analyzer.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/is-agent-path.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/is-contrast-error.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/is-piped-to-dev.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/is-string.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/partial.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/pkg-name.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/request-util.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/resolve-obj.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/route-info.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/some.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/source-map.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -133,7 +133,7 @@ class SourceMapUtility {
       const { line, source } = consumer.originalPositionFor({
         line: lineNumber,
         column
-      });
+      }) || { line: undefined, source: undefined };
       if (line) lineNumber = line;
       if (source) file = this.replaceSource(file, source);

package/lib/util/static-rules.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/trace-util.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/traverse.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/user-input-evaluator.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/xml-analyzer/external-entity-finder.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.6.0",
+  "version": "4.9.0",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",
@@ -22,6 +22,7 @@
     "Michael Woytowitz"
   ],
   "scripts": {
+    "preinstall": "npx npm-force-resolutions",
     "docs": "jsdoc -c ../.jsdoc.json",
     "release": "scripts/make-release.js",
     "tag": "scripts/tag-release.js",
@@ -72,7 +73,7 @@
     "@babel/types": "^7.12.1",
     "@contrast/distringuish-prebuilt": "^2.2.0",
     "@contrast/flat": "^4.1.1",
-    "@contrast/fn-inspect": "^2.4.2",
+    "@contrast/fn-inspect": "^2.4.3",
     "@contrast/heapdump": "^1.1.0",
     "@contrast/protobuf-api": "^3.2.0",
     "@contrast/require-hook": "^2.0.6",
@@ -83,7 +84,7 @@
     "bluebird": "^3.5.3",
     "builtin-modules": "^3.2.0",
     "cls-hooked": "^4.2.2",
-    "commander": "^5.0.0",
+    "commander": "^8.3.0",
     "content-security-policy-parser": "^0.2.0",
     "cookie": "^0.3.1",
     "crc-32": "^1.0.0",
@@ -109,7 +110,7 @@
     "@bmacnaughton/string-generator": "^1.0.0",
     "@contrast/eslint-config": "^2.0.1",
     "@contrast/fake-module": "file:test/mock/contrast-fake",
-    "@contrast/screener-service": "^1.12.5",
+    "@contrast/screener-service": "^1.12.8",
     "@hapi/boom": "file:test/mock/boom",
     "@hapi/hapi": "file:test/mock/hapi",
     "@ls-lint/ls-lint": "^1.8.1",
@@ -125,8 +126,8 @@
     "codecov": "^3.7.0",
     "config": "^3.3.3",
     "csv-writer": "^1.2.0",
-    "deasync": "^0.1.20",
-    "dustjs-linkedin": "^3.0.0",
+    "deasync": "^0.1.24",
+    "dustjs-linkedin": "^3.0.1",
     "ejs": "^3.1.6",
     "escape-html": "^1.0.3",
     "eslint": "^8.2.0",
@@ -152,6 +153,7 @@
     "mochawesome": "^7.0.1",
     "mongodb": "file:test/mock/mongodb",
     "mongodb-npm": "npm:mongodb@^3.6.5",
+    "mongoose": "^6.1.1",
     "mustache": "^3.0.1",
     "mysql": "file:test/mock/mysql",
     "nock": "^12.0.3",
@@ -165,7 +167,7 @@
     "proxyquire": "^2.1.0",
     "qs": "^6.9.4",
     "rethinkdb": "file:test/mock/rethinkdb",
-    "sequelize": "^6.3.3",
+    "sequelize": "^6.11.0",
     "shellcheck": "^1.0.0",
     "sinon": "^7.2.2",
     "sinon-chai": "^3.3.0",
@@ -189,5 +191,9 @@
     "winston",
     "winston-syslog",
     "winston-daily-rotate-file"
-  ]
+  ],
+  "resolutions": {
+    "markdown-it": ">=12.3.2",
+    "marked": ">=4.0.10"
+  }
 }

package/perf-logs.js CHANGED Viewed

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/protect/rules/nosqli/no-sql-injection-rule.js DELETED Viewed

@@ -1,109 +0,0 @@
-/**
-Copyright: 2021 Contrast Security, Inc
-  Contact: support@contrastsecurity.com
-  License: Commercial
-  NOTICE: This Software and the patented inventions embodied within may only be
-  used as part of Contrast Security’s commercial offerings. Even though it is
-  made available through public repositories, use of this Software is subject to
-  the applicable End User Licensing Agreement found at
-  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
-  between Contrast Security and the End User. The Software may not be reverse
-  engineered, modified, repackaged, sold, redistributed or otherwise used in a
-  way not consistent with the End User License Agreement.
-*/
-const _ = require('lodash');
-const logger = require('../../../core/logger')('contrast:rules:protect');
-const { INPUT_TYPES, SINK_TYPES } = require('../common');
-const MONGODB = 'mongodb';
-const ScannerKit = new Map([
-  [MONGODB, () => require('../nosqli/nosql-scanner').create('MongoDB')]
-]);
-class NoSqlInjectionRule extends require('../') {
-  constructor(policy = {}) {
-    policy.inputParseDepth = 3;
-    super(policy);
-    this._scanners = new Map();
-    this.id = 'nosql-injection';
-    this.name = 'NoSQL Injection';
-    this.applicableInputs = [
-      INPUT_TYPES.BODY,
-      INPUT_TYPES.JSON_VALUE,
-      INPUT_TYPES.JSON_ARRAYED_VALUE,
-      INPUT_TYPES.PARAMETER_NAME,
-      INPUT_TYPES.PARAMETER_VALUE,
-      INPUT_TYPES.QUERYSTRING,
-      INPUT_TYPES.XML_VALUE,
-      INPUT_TYPES.URI,
-      INPUT_TYPES.URL_PARAMETER
-    ];
-    this.applicableSinks = [SINK_TYPES.NOSQL_QUERY];
-  }
-  evaluateAtSink({ event, applicableSamples }) {
-    if (_.isEmpty(applicableSamples)) {
-      return;
-    }
-    const scanner = this.getScanner(event.id);
-    for (const sample of applicableSamples) {
-      const injection = scanner.findInjection(sample.input.value, event.data);
-      if (injection) {
-        this.appendAttackDetails(sample, injection);
-        sample.captureAppContext(event);
-        logger.warn(`EFFECTIVE - rule: ${this.id}, mode: ${this.mode} `);
-        this.blockRequest(sample);
-      }
-    }
-  }
-  getScanner(id) {
-    if (!ScannerKit.has(id)) {
-      throw new Error(`Unknown NoSQL scanner: ${id}`);
-    }
-    if (!this._scanners.has(id)) {
-      this._scanners.set(id, ScannerKit.get(id)());
-    }
-    return this._scanners.get(id);
-  }
-  /**
-   * Builds details for Sql Injection Attack.
-   * @param   {UserInput} inputDtm The user input that resulted in attack
-   * @param   {String}    query    The query that was analyzed
-   * @param   {Object}    results  The repsults of the sql-scanner
-   * @returns {Object}             The details
-   */
-  buildDetails(sample, findings) {
-    if (!findings) {
-      return null;
-    }
-    const { boundary, location, query } = findings;
-    const inputBoundaryIndex = boundary.previous
-      ? boundary.previous.start
-      : boundary.start;
-    return {
-      start: location[0],
-      end: location[1] + 1,
-      input: sample.input.toSerializable(),
-      boundaryOverrunIndex: boundary.stop + 1,
-      inputBoundaryIndex,
-      query
-    };
-  }
-}
-module.exports = NoSqlInjectionRule;