@contrast/agent 4.6.0 → 4.9.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +1 -1
- package/agent-loader.js +1 -1
- package/bin/VERSION +1 -1
- package/bin/linux/contrast-service +0 -0
- package/bin/mac/contrast-service +0 -0
- package/bin/windows/contrast-service.exe +0 -0
- package/bootstrap.js +13 -3
- package/cli-rewriter.js +1 -1
- package/cli.js +1 -1
- package/esm.mjs +34 -1
- package/lib/agent-emitter.js +1 -1
- package/lib/agent.js +1 -1
- package/lib/app-info.js +1 -1
- package/lib/assess/deadzones/index.js +1 -1
- package/lib/assess/deadzones/rewrite.js +1 -1
- package/lib/assess/express/index.js +1 -1
- package/lib/assess/express/route-coverage.js +1 -1
- package/lib/assess/express/sinks/index.js +1 -1
- package/lib/assess/express/sinks/xss.js +1 -1
- package/lib/assess/express/sources.js +1 -1
- package/lib/assess/fastify/index.js +1 -1
- package/lib/assess/fastify/route-coverage.js +1 -1
- package/lib/assess/fastify/sinks/index.js +1 -1
- package/lib/assess/fastify/sinks/response-scanning.js +1 -1
- package/lib/assess/fastify/sinks/unvalidated-redirect.js +1 -1
- package/lib/assess/fastify/sinks/xss.js +1 -1
- package/lib/assess/fastify/sources.js +1 -1
- package/lib/assess/hapi/index.js +1 -1
- package/lib/assess/hapi/route-coverage.js +1 -1
- package/lib/assess/hapi/sinks/index.js +1 -1
- package/lib/assess/hapi/sinks/response-scanning.js +1 -1
- package/lib/assess/hapi/sinks/session.js +1 -1
- package/lib/assess/hapi/sinks/unvalidated-redirect.js +1 -1
- package/lib/assess/hapi/sinks/xss.js +1 -1
- package/lib/assess/hapi/sources.js +1 -1
- package/lib/assess/index.js +3 -1
- package/lib/assess/koa/index.js +1 -1
- package/lib/assess/koa/route-coverage.js +1 -1
- package/lib/assess/koa/sinks/index.js +1 -1
- package/lib/assess/koa/sinks/response-scanning.js +1 -1
- package/lib/assess/koa/sinks/unvalidated-redirect.js +1 -1
- package/lib/assess/koa/sinks/xss.js +1 -1
- package/lib/assess/koa/sources.js +1 -1
- package/lib/assess/loopback4/index.js +1 -1
- package/lib/assess/loopback4/route-coverage.js +1 -1
- package/lib/assess/loopback4/sinks/index.js +1 -1
- package/lib/assess/loopback4/sinks/response-scanning.js +1 -1
- package/lib/assess/loopback4/sinks/xss.js +1 -1
- package/lib/assess/loopback4/sources.js +1 -1
- package/lib/assess/membrane/debraner.js +1 -1
- package/lib/assess/membrane/deserialization-membrane.js +5 -6
- package/lib/assess/membrane/index.js +1 -1
- package/lib/assess/membrane/source-membrane.js +17 -34
- package/lib/assess/models/base-event.js +1 -1
- package/lib/assess/models/call-context.js +2 -2
- package/lib/assess/models/index.js +1 -1
- package/lib/assess/models/propagation-event.js +1 -1
- package/lib/assess/models/signature.js +1 -1
- package/lib/assess/models/sink-event.js +1 -1
- package/lib/assess/models/source-event.js +7 -1
- package/lib/assess/models/tag-range/index.js +1 -1
- package/lib/assess/models/tag-range/relationships.js +1 -1
- package/lib/assess/models/tag-range/util.js +1 -1
- package/lib/assess/policy/index.js +1 -1
- package/lib/assess/policy/init.js +1 -1
- package/lib/assess/policy/propagators.json +13 -35
- package/lib/assess/policy/rules.json +36 -2
- package/lib/assess/policy/signatures.json +38 -6
- package/lib/assess/policy/util.js +3 -2
- package/lib/assess/propagators/JSON/parse.js +2 -2
- package/lib/assess/propagators/JSON/stringify.js +81 -11
- package/lib/assess/propagators/ajv/conditionals.js +1 -1
- package/lib/assess/propagators/ajv/evaluator-shim.js +1 -1
- package/lib/assess/propagators/ajv/index.js +1 -1
- package/lib/assess/propagators/ajv/json-schema-type-evaluators.js +1 -1
- package/lib/assess/propagators/ajv/object-walk.js +1 -1
- package/lib/assess/propagators/ajv/refs.js +1 -1
- package/lib/assess/propagators/ajv/schema-context.js +1 -1
- package/lib/assess/propagators/array-prototype-join.js +8 -9
- package/lib/assess/propagators/common.js +8 -6
- package/lib/assess/propagators/dustjs/escape-html.js +22 -0
- package/lib/assess/propagators/dustjs/escape-js.js +22 -0
- package/lib/assess/propagators/ejs-template-generate-source.js +1 -1
- package/lib/assess/propagators/encode-uri/encode-uri-component.js +22 -0
- package/lib/assess/propagators/encode-uri/encode-uri.js +22 -0
- package/lib/assess/propagators/handlebars-compile.js +1 -1
- package/lib/assess/propagators/handlebars-escape-expresssion.js +2 -2
- package/lib/assess/propagators/index.js +1 -3
- package/lib/assess/propagators/joi/boolean.js +2 -2
- package/lib/assess/propagators/joi/expression.js +2 -2
- package/lib/assess/propagators/joi/index.js +1 -1
- package/lib/assess/propagators/joi/number.js +2 -2
- package/lib/assess/propagators/joi/string-base.js +2 -2
- package/lib/assess/propagators/joi/string-schema.js +13 -14
- package/lib/assess/propagators/joi/values.js +38 -23
- package/lib/assess/propagators/manager.js +13 -11
- package/lib/assess/propagators/mongoose/helpers.js +20 -0
- package/lib/assess/propagators/mongoose/index.js +18 -0
- package/lib/assess/propagators/mongoose/map.js +74 -0
- package/lib/assess/propagators/mongoose/string.js +104 -0
- package/lib/assess/propagators/mustache/escape.js +22 -0
- package/lib/assess/propagators/number.js +54 -0
- package/lib/assess/propagators/object.js +7 -8
- package/lib/assess/propagators/path/basename.js +15 -14
- package/lib/assess/propagators/path/common.js +2 -2
- package/lib/assess/propagators/path/dirname.js +15 -14
- package/lib/assess/propagators/path/extname.js +15 -14
- package/lib/assess/propagators/path/format.js +1 -1
- package/lib/assess/propagators/path/join.js +1 -1
- package/lib/assess/propagators/path/normalize.js +1 -1
- package/lib/assess/propagators/path/parse.js +2 -2
- package/lib/assess/propagators/path/relative.js +8 -6
- package/lib/assess/propagators/path/resolve.js +1 -1
- package/lib/assess/propagators/path/to-namespaced-path.js +1 -1
- package/lib/assess/propagators/pug-compile.js +1 -1
- package/lib/assess/propagators/querystring/escape.js +21 -19
- package/lib/assess/propagators/querystring/parse.js +8 -6
- package/lib/assess/propagators/querystring/stringify.js +26 -25
- package/lib/assess/propagators/querystring/unescape.js +21 -19
- package/lib/assess/propagators/querystring/utils.js +1 -1
- package/lib/assess/propagators/sequelize/sql-string-escape.js +2 -2
- package/lib/assess/propagators/sequelize/sql-string-format-named-parameters.js +2 -2
- package/lib/assess/propagators/sequelize/sql-string-format.js +4 -4
- package/lib/assess/propagators/sequelize/utils.js +3 -3
- package/lib/assess/propagators/string-prototype-replace.js +31 -29
- package/lib/assess/propagators/string-prototype-split.js +37 -37
- package/lib/assess/propagators/string-prototype-trim.js +16 -18
- package/lib/assess/propagators/string.js +13 -17
- package/lib/assess/propagators/template-escape.js +87 -0
- package/lib/assess/propagators/templates.js +11 -12
- package/lib/assess/propagators/url/url-prototype-parse.js +6 -7
- package/lib/assess/propagators/url/url-url.js +52 -44
- package/lib/assess/propagators/url/utils.js +1 -1
- package/lib/assess/propagators/util/format.js +2 -2
- package/lib/assess/propagators/utils.js +1 -1
- package/lib/assess/propagators/v8/init-hooks.js +4 -4
- package/lib/assess/propagators/validator/init-hooks.js +23 -23
- package/lib/assess/propagators/validator/validator-methods.js +1 -2
- package/lib/assess/response-scanning/app-activity.js +1 -1
- package/lib/assess/response-scanning/autocomplete-missing.js +1 -1
- package/lib/assess/response-scanning/cache-controls-missing.js +1 -1
- package/lib/assess/response-scanning/clickjacking-control-missing.js +1 -1
- package/lib/assess/response-scanning/common.js +1 -1
- package/lib/assess/response-scanning/cookies/common.js +1 -1
- package/lib/assess/response-scanning/cookies/events.js +1 -1
- package/lib/assess/response-scanning/cookies/httponly.js +1 -1
- package/lib/assess/response-scanning/cookies/secure-flag-missing.js +1 -1
- package/lib/assess/response-scanning/headers/csp-header-insecure.js +1 -1
- package/lib/assess/response-scanning/headers/csp-header-missing.js +1 -1
- package/lib/assess/response-scanning/headers/csp-utils.js +1 -1
- package/lib/assess/response-scanning/headers/hsts-header-missing.js +1 -1
- package/lib/assess/response-scanning/headers/powered-by.js +1 -1
- package/lib/assess/response-scanning/headers/xcontenttype-header-missing.js +1 -1
- package/lib/assess/response-scanning/headers/xxssprotection-header-disabled.js +1 -1
- package/lib/assess/response-scanning/parameter-pollution.js +1 -1
- package/lib/assess/response-scanning/parseable-response-emitter.js +1 -1
- package/lib/assess/restify/index.js +1 -1
- package/lib/assess/restify/route-coverage.js +1 -1
- package/lib/assess/restify/session.js +1 -1
- package/lib/assess/restify/sinks/index.js +1 -1
- package/lib/assess/restify/sinks/response-scanning.js +1 -1
- package/lib/assess/restify/sinks/unvalidated-redirect.js +1 -1
- package/lib/assess/restify/sinks/xss.js +1 -1
- package/lib/assess/restify/sources.js +1 -1
- package/lib/assess/sinks/common.js +11 -6
- package/lib/assess/sinks/dustjs-linkedin-xss.js +131 -0
- package/lib/assess/sinks/dynamo.js +1 -1
- package/lib/assess/sinks/hapi-16-xss.js +1 -1
- package/lib/assess/sinks/index.js +1 -1
- package/lib/assess/sinks/libxmljs-xxe.js +2 -2
- package/lib/assess/sinks/mongodb.js +3 -2
- package/lib/assess/sinks/rethinkdb-nosql-injection.js +142 -0
- package/lib/assess/sinks/ssrf-url.js +2 -2
- package/lib/assess/sources/event-handler.js +307 -0
- package/lib/assess/sources/formidable.js +1 -1
- package/lib/assess/sources/index.js +94 -6
- package/lib/assess/spdy/index.js +23 -0
- package/lib/assess/spdy/sinks/index.js +23 -0
- package/lib/assess/spdy/sinks/xss.js +84 -0
- package/lib/assess/static/hardcoded.js +1 -1
- package/lib/assess/technologies/index.js +3 -2
- package/lib/assess/utils.js +1 -1
- package/lib/cli-rewriter/index.js +1 -1
- package/lib/constants.js +7 -3
- package/lib/contrast.js +7 -7
- package/lib/core/arch-components/dynamodb.js +1 -1
- package/lib/core/arch-components/dynamodbv3.js +1 -1
- package/lib/core/arch-components/index.js +2 -1
- package/lib/core/arch-components/mongodb.js +23 -19
- package/lib/core/arch-components/mysql.js +1 -1
- package/lib/core/arch-components/postgres.js +22 -4
- package/lib/core/arch-components/rethinkdb.js +53 -0
- package/lib/core/arch-components/sqlite3.js +4 -6
- package/lib/core/async-storage/context.js +1 -1
- package/lib/core/async-storage/hooks/bluebird.js +1 -1
- package/lib/core/async-storage/hooks/mongodb-core.js +1 -1
- package/lib/core/async-storage/hooks/mysql.js +1 -1
- package/lib/core/async-storage/hooks/redis.js +1 -1
- package/lib/core/async-storage/hooks/utils.js +1 -1
- package/lib/core/async-storage/index.js +1 -1
- package/lib/core/async-storage/scopes/index.js +1 -1
- package/lib/core/common/formidable.js +1 -1
- package/lib/core/common/index.js +1 -1
- package/lib/core/config/options.js +38 -4
- package/lib/core/config/util.js +1 -1
- package/lib/core/exclusions/exclusion-factory.js +1 -1
- package/lib/core/exclusions/exclusion.js +3 -6
- package/lib/core/exclusions/input.js +1 -1
- package/lib/core/exclusions/url.js +1 -1
- package/lib/core/express/index.js +26 -3
- package/lib/core/express/utils.js +9 -4
- package/lib/core/fastify/index.js +1 -1
- package/lib/core/fastify/utils.js +1 -1
- package/lib/core/hapi/index.js +1 -1
- package/lib/core/hapi/utils.js +1 -1
- package/lib/core/index.js +1 -1
- package/lib/core/koa/index.js +1 -1
- package/lib/core/koa/utils.js +1 -1
- package/lib/core/logger/daily-rotate-file.js +1 -1
- package/lib/core/logger/dataflow-monitor.js +1 -1
- package/lib/core/logger/debug-logger.js +1 -1
- package/lib/core/logger/index.js +1 -1
- package/lib/core/logger/perf-logger.js +1 -1
- package/lib/core/logger/umbrella-logger.js +1 -1
- package/lib/core/loopback4/index.js +1 -1
- package/lib/core/metrics/index.js +1 -1
- package/lib/core/restify/index.js +1 -1
- package/lib/core/restify/utils.js +1 -1
- package/lib/core/rewrite/assignment-expression.js +1 -1
- package/lib/core/rewrite/binary-expression.js +1 -1
- package/lib/core/rewrite/call-expression.js +1 -1
- package/lib/core/rewrite/callees.js +1 -1
- package/lib/core/rewrite/catch-clause.js +1 -1
- package/lib/core/rewrite/function-wrap.js +1 -1
- package/lib/core/rewrite/index.js +1 -1
- package/lib/core/rewrite/injections.js +9 -1
- package/lib/core/rewrite/is-contrast-method.js +1 -1
- package/lib/core/rewrite/log.js +1 -1
- package/lib/core/rewrite/member-expression.js +1 -1
- package/lib/core/rewrite/object-property.js +1 -1
- package/lib/core/rewrite/prepend-globals.js +1 -1
- package/lib/core/rewrite/rewrite-log.js +1 -1
- package/lib/core/rewrite/switch-statement.js +1 -1
- package/lib/core/rewrite/template-literal.js +1 -1
- package/lib/core/stacktrace.js +1 -1
- package/lib/coverage.js +1 -1
- package/lib/feature-set.js +2 -2
- package/lib/generator-function.js +1 -1
- package/lib/hooks/array.js +1 -1
- package/lib/hooks/cluster.js +1 -1
- package/lib/hooks/dataflow-monitor.js +1 -1
- package/lib/hooks/encoding.js +1 -1
- package/lib/hooks/express-fileupload.js +1 -1
- package/lib/hooks/express-session.js +1 -1
- package/lib/hooks/fn-to-string.js +1 -1
- package/lib/hooks/frameworks/base.js +1 -1
- package/lib/hooks/frameworks/common.js +1 -1
- package/lib/hooks/frameworks/hapi16.js +1 -1
- package/lib/hooks/frameworks/http.js +1 -1
- package/lib/hooks/frameworks/http2.js +1 -1
- package/lib/hooks/frameworks/index.js +3 -1
- package/lib/hooks/frameworks/spdy.js +87 -0
- package/lib/hooks/hapi-16-reply.js +1 -1
- package/lib/hooks/hapi-16-session.js +1 -1
- package/lib/hooks/http.js +12 -1
- package/lib/hooks/module/extensions.js +1 -1
- package/lib/hooks/module/helpers.js +1 -1
- package/lib/hooks/module/index.js +1 -1
- package/lib/hooks/newrelic.js +1 -1
- package/lib/hooks/object-is.js +1 -1
- package/lib/hooks/object-to-primitive.js +7 -8
- package/lib/hooks/patcher.js +62 -39
- package/lib/hooks/require.js +1 -1
- package/lib/hooks/stealthy-require.js +1 -1
- package/lib/instrumentation.js +1 -1
- package/lib/libraries.js +1 -1
- package/lib/library-usage.js +1 -1
- package/lib/list-installed.js +1 -1
- package/lib/protect/analysis/aho-corasick.js +1 -1
- package/lib/protect/analysis/dfsa-analyzer.js +1 -1
- package/lib/protect/errors/handler.js +1 -1
- package/lib/protect/errors/security-exception.js +1 -1
- package/lib/protect/express/index.js +1 -1
- package/lib/protect/express/sinks.js +1 -1
- package/lib/protect/express/sources.js +1 -1
- package/lib/protect/fastify/index.js +1 -1
- package/lib/protect/fastify/sinks.js +1 -1
- package/lib/protect/fastify/sources.js +1 -1
- package/lib/protect/hapi/error-handler.js +1 -1
- package/lib/protect/hapi/index.js +1 -1
- package/lib/protect/hapi/sinks.js +1 -1
- package/lib/protect/hapi/sources.js +1 -1
- package/lib/protect/index.js +1 -1
- package/lib/protect/input-analysis.js +1 -1
- package/lib/protect/koa/index.js +1 -1
- package/lib/protect/koa/sinks.js +1 -1
- package/lib/protect/koa/sources.js +1 -1
- package/lib/protect/listeners.js +1 -1
- package/lib/protect/loopback4/index.js +1 -1
- package/lib/protect/loopback4/sources.js +1 -1
- package/lib/protect/models/application-context.js +1 -1
- package/lib/protect/models/sink-event.js +1 -1
- package/lib/protect/models/source-event.js +1 -1
- package/lib/protect/restify/index.js +1 -1
- package/lib/protect/restify/sinks.js +1 -1
- package/lib/protect/restify/sources.js +1 -1
- package/lib/protect/rules/assessment.js +1 -1
- package/lib/protect/rules/attack-patterns.js +1 -1
- package/lib/protect/rules/base-scanner/index.js +1 -1
- package/lib/protect/rules/base-scanner/java-script-scanner.js +1 -1
- package/lib/protect/rules/base-scanner/postgresqlscanner.js +1 -1
- package/lib/protect/rules/base-scanner/scan-state.js +1 -1
- package/lib/protect/rules/base-scanner/substring-finder.js +1 -1
- package/lib/protect/rules/base-scanner/token-sequence.js +1 -1
- package/lib/protect/rules/bot-blocker/bot-blocker-rule.js +1 -1
- package/lib/protect/rules/bot-blocker/index.js +1 -1
- package/lib/protect/rules/cmd-injection/cmdinjection-rule.js +1 -1
- package/lib/protect/rules/cmd-injection-command-backdoors/backdoor-detector.js +1 -1
- package/lib/protect/rules/cmd-injection-command-backdoors/cmd-injection-command-backdoors-rule.js +1 -1
- package/lib/protect/rules/cmd-injection-semantic-chained-commands/chained-command-scanner.js +1 -1
- package/lib/protect/rules/cmd-injection-semantic-chained-commands/cmd-injection-semantic-chained-commands-rule.js +1 -1
- package/lib/protect/rules/cmd-injection-semantic-dangerous-paths/cmd-injection-semantic-dangerous-paths-rule.js +1 -1
- package/lib/protect/rules/cmd-injection-semantic-dangerous-paths/dangerous-paths-scanner.js +1 -1
- package/lib/protect/rules/common.js +1 -1
- package/lib/protect/rules/index.js +1 -1
- package/lib/protect/rules/ip-denylist/ip-denylist-rule.js +1 -1
- package/lib/protect/rules/method-tampering/evaluator.js +1 -1
- package/lib/protect/rules/method-tampering/method-tampering-rule.js +1 -1
- package/lib/protect/rules/nosqli/nosql-injection-rule.js +228 -0
- package/lib/protect/rules/nosqli/nosql-scanner/index.js +1 -1
- package/lib/protect/rules/nosqli/nosql-scanner/mongodbscanner.js +1 -1
- package/lib/protect/rules/path-traversal/path-traversal-rule.js +1 -1
- package/lib/protect/rules/rule-factory.js +3 -3
- package/lib/protect/rules/signatures/cmd-injection/custom-searchers/chained-command-searcher.js +1 -1
- package/lib/protect/rules/signatures/cmd-injection/custom-searchers/index.js +1 -1
- package/lib/protect/rules/signatures/cmd-injection/index.js +1 -1
- package/lib/protect/rules/signatures/evaluator.js +1 -1
- package/lib/protect/rules/signatures/index.js +1 -1
- package/lib/protect/rules/signatures/nosql-injection/custom-searchers/index.js +1 -1
- package/lib/protect/rules/signatures/nosql-injection/custom-searchers/nosql-comment-searcher.js +1 -1
- package/lib/protect/rules/signatures/nosql-injection/custom-searchers/simple-or-searcher.js +1 -1
- package/lib/protect/rules/signatures/nosql-injection/index.js +1 -1
- package/lib/protect/rules/signatures/path-traversal/index.js +1 -1
- package/lib/protect/rules/signatures/reflected-xss/custom-searchers/behavior-url-searcher.js +1 -1
- package/lib/protect/rules/signatures/reflected-xss/custom-searchers/function-definition-searcher.js +1 -1
- package/lib/protect/rules/signatures/reflected-xss/custom-searchers/immediate-function-searcher.js +1 -1
- package/lib/protect/rules/signatures/reflected-xss/custom-searchers/index.js +1 -1
- package/lib/protect/rules/signatures/reflected-xss/custom-searchers/link-and-src-target-searcher.js +1 -1
- package/lib/protect/rules/signatures/reflected-xss/custom-searchers/location-set-searcher.js +1 -1
- package/lib/protect/rules/signatures/reflected-xss/custom-searchers/map-access-searcher.js +1 -1
- package/lib/protect/rules/signatures/reflected-xss/custom-searchers/native-function-execution-searcher.js +1 -1
- package/lib/protect/rules/signatures/reflected-xss/custom-searchers/no-alnum-searcher.js +1 -1
- package/lib/protect/rules/signatures/reflected-xss/custom-searchers/redefined-function-searcher.js +1 -1
- package/lib/protect/rules/signatures/reflected-xss/custom-searchers/style-url-injection-searcher.js +1 -1
- package/lib/protect/rules/signatures/reflected-xss/custom-searchers/variable-assignment-searcher.js +1 -1
- package/lib/protect/rules/signatures/reflected-xss/helpers/function-call.js +1 -1
- package/lib/protect/rules/signatures/reflected-xss/index.js +1 -1
- package/lib/protect/rules/signatures/signature.js +1 -1
- package/lib/protect/rules/signatures/sql-injection/custom-searchers/if-else-drop-searcher.js +1 -1
- package/lib/protect/rules/signatures/sql-injection/custom-searchers/index.js +1 -1
- package/lib/protect/rules/signatures/sql-injection/custom-searchers/simple-or-searcher.js +1 -1
- package/lib/protect/rules/signatures/sql-injection/custom-searchers/sql-comment-searcher.js +1 -1
- package/lib/protect/rules/signatures/sql-injection/custom-searchers/time-function-searcher.js +1 -1
- package/lib/protect/rules/signatures/sql-injection/custom-searchers/tsql-exec-searcher.js +1 -1
- package/lib/protect/rules/signatures/sql-injection/index.js +1 -1
- package/lib/protect/rules/signatures/ssjs-injection/index.js +1 -1
- package/lib/protect/rules/signatures/unsafe-file-upload/index.js +1 -1
- package/lib/protect/rules/signatures/untrusted-deserialization/index.js +1 -1
- package/lib/protect/rules/sqli/generic-complicated.js +1 -1
- package/lib/protect/rules/sqli/sql-injection-rule.js +1 -1
- package/lib/protect/rules/sqli/sql-scanner/index.js +1 -1
- package/lib/protect/rules/sqli/sql-scanner/mysql-scanner.js +1 -1
- package/lib/protect/rules/ssjs-injection/evaluator.js +1 -1
- package/lib/protect/rules/ssjs-injection/ssjsinjection-rule.js +1 -1
- package/lib/protect/rules/unsafe-file-upload/unsafe-file-upload-rule.js +1 -1
- package/lib/protect/rules/untrusted-deserialization/untrusted-deserialization-rule.js +1 -1
- package/lib/protect/rules/virtual-patch/index.js +1 -1
- package/lib/protect/rules/virtual-patch/utils.js +1 -1
- package/lib/protect/rules/virtual-patch/virtual-patch-rule.js +1 -1
- package/lib/protect/rules/xss/helpers/function-call.js +1 -1
- package/lib/protect/rules/xss/reflected-xss-rule.js +1 -1
- package/lib/protect/rules/xxe/xxerule.js +1 -1
- package/lib/protect/sample-aggregator.js +1 -1
- package/lib/protect/samples.js +1 -1
- package/lib/protect/service.js +24 -12
- package/lib/protect/sinks/child-process.js +1 -1
- package/lib/protect/sinks/eval.js +1 -1
- package/lib/protect/sinks/fs.js +1 -1
- package/lib/protect/sinks/function.js +1 -1
- package/lib/protect/sinks/index.js +1 -1
- package/lib/protect/sinks/libxmljs.js +1 -1
- package/lib/protect/sinks/mongodb.js +57 -56
- package/lib/protect/sinks/mysql.js +1 -1
- package/lib/protect/sinks/node-serialize.js +1 -1
- package/lib/protect/sinks/postgres.js +1 -1
- package/lib/protect/sinks/sequelize.js +1 -1
- package/lib/protect/sinks/sqlite3.js +1 -1
- package/lib/protect/sinks/vm.js +1 -1
- package/lib/protect/sources/busboy.js +1 -1
- package/lib/protect/sources/formidable.js +1 -1
- package/lib/protect/sources/index.js +1 -1
- package/lib/protect/validators/authorization.js +1 -1
- package/lib/protect/validators/common.js +1 -1
- package/lib/protect/validators/connection.js +1 -1
- package/lib/protect/validators/content-length.js +1 -1
- package/lib/protect/validators/host.js +1 -1
- package/lib/protect/validators/if-none-match.js +1 -1
- package/lib/protect/validators/index.js +1 -1
- package/lib/protect/validators/origin.js +1 -1
- package/lib/reporter/app-activity-queue.js +1 -1
- package/lib/reporter/grpc-client.js +1 -1
- package/lib/reporter/messages/speedracer/activity.js +1 -1
- package/lib/reporter/messages/speedracer/application-create.js +1 -1
- package/lib/reporter/messages/speedracer/application-update.js +1 -1
- package/lib/reporter/messages/speedracer/base.js +1 -1
- package/lib/reporter/messages/speedracer/index.js +1 -1
- package/lib/reporter/messages/speedracer/observed-route.js +1 -1
- package/lib/reporter/messages/speedracer/poll.js +1 -1
- package/lib/reporter/messages/speedracer/request.js +1 -1
- package/lib/reporter/messages/speedracer/startup.js +1 -1
- package/lib/reporter/messaging-router.js +1 -1
- package/lib/reporter/models/app-activity/app-activity.js +1 -1
- package/lib/reporter/models/app-activity/attacker-activity.js +1 -1
- package/lib/reporter/models/app-activity/defend.js +1 -1
- package/lib/reporter/models/app-activity/inventory.js +1 -1
- package/lib/reporter/models/app-activity/protection-rule-activity.js +1 -1
- package/lib/reporter/models/app-activity/rule-events.js +1 -1
- package/lib/reporter/models/app-activity/sample.js +1 -1
- package/lib/reporter/models/app-activity/source.js +1 -1
- package/lib/reporter/models/app-activity/user-input.js +1 -1
- package/lib/reporter/models/app-create.js +1 -1
- package/lib/reporter/models/app-update/index.js +1 -1
- package/lib/reporter/models/app-update/library-manifest.js +1 -1
- package/lib/reporter/models/app-update/library-usage.js +1 -1
- package/lib/reporter/models/app-update/library.js +1 -1
- package/lib/reporter/models/event-tag.js +1 -1
- package/lib/reporter/models/finding/event.js +1 -1
- package/lib/reporter/models/finding/finding.js +1 -1
- package/lib/reporter/models/frameworks/express-request.js +1 -1
- package/lib/reporter/models/frameworks/fastify-request.js +1 -1
- package/lib/reporter/models/frameworks/hapi-request.js +1 -1
- package/lib/reporter/models/frameworks/index.js +1 -1
- package/lib/reporter/models/frameworks/koa-request.js +1 -1
- package/lib/reporter/models/frameworks/restify-request.js +1 -1
- package/lib/reporter/models/observed-route.js +1 -1
- package/lib/reporter/models/request.js +1 -1
- package/lib/reporter/models/route-coverage.js +1 -1
- package/lib/reporter/models/startup.js +1 -1
- package/lib/reporter/models/trace-event-source.js +1 -1
- package/lib/reporter/models/utils/request-factory.js +1 -1
- package/lib/reporter/models/utils/user-input-factory.js +1 -1
- package/lib/reporter/models/utils/user-input-kit.js +1 -1
- package/lib/reporter/mq-client.js +1 -1
- package/lib/reporter/server-activity-queue.js +1 -1
- package/lib/reporter/socket-client.js +1 -1
- package/lib/reporter/speedracer/base-connection-state.js +1 -1
- package/lib/reporter/speedracer/constants.js +1 -1
- package/lib/reporter/speedracer/failure-connection-state.js +1 -1
- package/lib/reporter/speedracer/index.js +1 -1
- package/lib/reporter/speedracer/success-connection-state.js +1 -1
- package/lib/reporter/speedracer/unknown-connection-state.js +1 -1
- package/lib/reporter/translations/enums.js +1 -1
- package/lib/reporter/translations/helpers.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/activity.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/address.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/agent-startup.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/application-create.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/application-update.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/architecture-component.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/attack-result.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/bot-blocker-details.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/cmd-injection-details.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/cmd-injection-semantic-analysis-details.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/finding.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/http-method-tampering-details.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/http-request.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/index.js +2 -2
- package/lib/reporter/translations/to-protobuf/dtm/ip-denylist-details.js +2 -2
- package/lib/reporter/translations/to-protobuf/dtm/library-usage-update.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/no-sql-injection-details.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/observed-route.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/pair.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/path-traversal-details.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/poll.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/rasp-rule-sample.js +2 -2
- package/lib/reporter/translations/to-protobuf/dtm/raw-request.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/route-coverage.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/simple-pair.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/sql-injection-details.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/ssjs-injection-details.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/stack-trace-element.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/trace-event/action.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/trace-event/index.js +5 -5
- package/lib/reporter/translations/to-protobuf/dtm/trace-event/parent-object-id.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/trace-event/trace-event-object.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/trace-event/trace-event-signature.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/trace-event/trace-event-source.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/trace-event/trace-stack.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/trace-event/trace-taint-range.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/trace-event/type.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/untrusted-deserialization-details.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/user-input.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/virtual-patch-details.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/xss-details.js +1 -1
- package/lib/reporter/translations/to-protobuf/dtm/xxe-details.js +1 -1
- package/lib/reporter/translations/to-protobuf/index.js +1 -1
- package/lib/reporter/translations/to-protobuf/settings/application-settings.js +1 -1
- package/lib/reporter/translations/to-protobuf/settings/assess-features.js +1 -1
- package/lib/reporter/translations/to-protobuf/settings/auth.js +1 -1
- package/lib/reporter/translations/to-protobuf/settings/bot-blocker.js +1 -1
- package/lib/reporter/translations/to-protobuf/settings/custom-rule-feature.js +1 -1
- package/lib/reporter/translations/to-protobuf/settings/defend-features.js +9 -7
- package/lib/reporter/translations/to-protobuf/settings/exclusions.js +6 -5
- package/lib/reporter/translations/to-protobuf/settings/index.js +1 -1
- package/lib/reporter/translations/to-protobuf/settings/input-analysis-result.js +1 -1
- package/lib/reporter/translations/to-protobuf/settings/inventory-features.js +1 -1
- package/lib/reporter/translations/to-protobuf/settings/ip-filter.js +1 -1
- package/lib/reporter/translations/to-protobuf/settings/log-enhancer.js +1 -1
- package/lib/reporter/translations/to-protobuf/settings/protection-rule.js +1 -1
- package/lib/reporter/translations/to-protobuf/settings/reaction.js +1 -1
- package/lib/reporter/translations/to-protobuf/settings/rule-definition.js +1 -1
- package/lib/reporter/translations/to-protobuf/settings/sampling.js +1 -1
- package/lib/reporter/translations/to-protobuf/settings/server-features.js +1 -1
- package/lib/reporter/translations/to-protobuf/settings/syslog.js +1 -1
- package/lib/reporter/translations/to-protobuf/settings/virtual-patch.js +1 -1
- package/lib/reporter/ts-reporter.js +1 -1
- package/lib/tracker.js +14 -66
- package/lib/util/base64.js +1 -1
- package/lib/util/bitset.js +1 -1
- package/lib/util/block-request.js +1 -1
- package/lib/util/callback-resolver.js +1 -1
- package/lib/util/clean-stack.js +1 -1
- package/lib/util/clean-string/brackets.js +1 -1
- package/lib/util/clean-string/clean-string-base.js +1 -1
- package/lib/util/clean-string/comments.js +1 -1
- package/lib/util/clean-string/concatenations.js +1 -1
- package/lib/util/clean-string/jsclean-string.js +1 -1
- package/lib/util/clean-string/placeholders.js +1 -1
- package/lib/util/clean-string/util.js +1 -1
- package/lib/util/colors.js +1 -1
- package/lib/util/file-finder.js +1 -1
- package/lib/util/heap-dump.js +1 -1
- package/lib/util/html-util.js +1 -1
- package/lib/util/ip-analyzer.js +1 -1
- package/lib/util/is-agent-path.js +1 -1
- package/lib/util/is-contrast-error.js +1 -1
- package/lib/util/is-piped-to-dev.js +1 -1
- package/lib/util/is-string.js +1 -1
- package/lib/util/partial.js +1 -1
- package/lib/util/pkg-name.js +1 -1
- package/lib/util/request-util.js +1 -1
- package/lib/util/resolve-obj.js +1 -1
- package/lib/util/route-info.js +1 -1
- package/lib/util/some.js +1 -1
- package/lib/util/source-map.js +2 -2
- package/lib/util/static-rules.js +1 -1
- package/lib/util/trace-util.js +1 -1
- package/lib/util/traverse.js +1 -1
- package/lib/util/user-input-evaluator.js +1 -1
- package/lib/util/xml-analyzer/external-entity-finder.js +1 -1
- package/package.json +14 -8
- package/perf-logs.js +1 -1
- package/lib/protect/rules/nosqli/no-sql-injection-rule.js +0 -109
|
@@ -0,0 +1,104 @@
|
|
|
1
|
+
/**
|
|
2
|
+
Copyright: 2022 Contrast Security, Inc
|
|
3
|
+
Contact: support@contrastsecurity.com
|
|
4
|
+
License: Commercial
|
|
5
|
+
|
|
6
|
+
NOTICE: This Software and the patented inventions embodied within may only be
|
|
7
|
+
used as part of Contrast Security’s commercial offerings. Even though it is
|
|
8
|
+
made available through public repositories, use of this Software is subject to
|
|
9
|
+
the applicable End User Licensing Agreement found at
|
|
10
|
+
https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
|
|
11
|
+
between Contrast Security and the End User. The Software may not be reverse
|
|
12
|
+
engineered, modified, repackaged, sold, redistributed or otherwise used in a
|
|
13
|
+
way not consistent with the End User License Agreement.
|
|
14
|
+
*/
|
|
15
|
+
'use strict';
|
|
16
|
+
|
|
17
|
+
const tracker = require('../../../tracker');
|
|
18
|
+
const patcher = require('../../../hooks/patcher');
|
|
19
|
+
const requireHook = require('../../../hooks/require');
|
|
20
|
+
const tagRangeUtil = require('../../models/tag-range/util');
|
|
21
|
+
const {
|
|
22
|
+
PATCH_TYPES: { ASSESS_PROPAGATOR }
|
|
23
|
+
} = require('../../../constants');
|
|
24
|
+
const TagRange = require('../../models/tag-range');
|
|
25
|
+
const { CallContext, PropagationEvent, Signature } = require('../../models');
|
|
26
|
+
const { hasUserDefinedValidator } = require('./helpers');
|
|
27
|
+
|
|
28
|
+
const enumPatcher = (SchemaString) => {
|
|
29
|
+
patcher.patch(SchemaString.prototype, 'enum', {
|
|
30
|
+
alwaysRun: true,
|
|
31
|
+
name: 'mongoose.string.enum',
|
|
32
|
+
patchType: ASSESS_PROPAGATOR,
|
|
33
|
+
post(data) {
|
|
34
|
+
if (!data.result) return;
|
|
35
|
+
|
|
36
|
+
const enumValidator = data.result.validators.find(
|
|
37
|
+
(validator) => validator.type === 'enum'
|
|
38
|
+
);
|
|
39
|
+
|
|
40
|
+
if (!enumValidator) return;
|
|
41
|
+
|
|
42
|
+
patcher.patch(enumValidator, 'validator', {
|
|
43
|
+
alwaysRun: true,
|
|
44
|
+
name: 'mongoose.string.enumValidator',
|
|
45
|
+
patchType: ASSESS_PROPAGATOR,
|
|
46
|
+
post(data) {
|
|
47
|
+
if (!data.result) return;
|
|
48
|
+
|
|
49
|
+
tracker.untrack(data.args[0]);
|
|
50
|
+
}
|
|
51
|
+
});
|
|
52
|
+
}
|
|
53
|
+
});
|
|
54
|
+
};
|
|
55
|
+
|
|
56
|
+
const doValidateSyncPatcher = (SchemaString) => {
|
|
57
|
+
patcher.patch(SchemaString.prototype, 'doValidateSync', {
|
|
58
|
+
alwaysRun: true,
|
|
59
|
+
name: 'mongoose.string.doValidateSync',
|
|
60
|
+
patchType: ASSESS_PROPAGATOR,
|
|
61
|
+
post(data) {
|
|
62
|
+
if (data.result) return;
|
|
63
|
+
|
|
64
|
+
if (!hasUserDefinedValidator(data)) return;
|
|
65
|
+
|
|
66
|
+
const trackingData = tracker.track(data.args[0]);
|
|
67
|
+
if (!trackingData) return;
|
|
68
|
+
|
|
69
|
+
const { props } = trackingData;
|
|
70
|
+
const incomingStringLength = data.args[0].length - 1;
|
|
71
|
+
|
|
72
|
+
props.tagRanges = tagRangeUtil.add(
|
|
73
|
+
props.tagRanges,
|
|
74
|
+
new TagRange(
|
|
75
|
+
0,
|
|
76
|
+
incomingStringLength,
|
|
77
|
+
'custom-validated-nosql-injection'
|
|
78
|
+
)
|
|
79
|
+
);
|
|
80
|
+
|
|
81
|
+
props.tagRanges = tagRangeUtil.add(
|
|
82
|
+
props.tagRanges,
|
|
83
|
+
new TagRange(0, incomingStringLength, 'string-type-checked')
|
|
84
|
+
);
|
|
85
|
+
|
|
86
|
+
props.event = new PropagationEvent({
|
|
87
|
+
context: new CallContext(data),
|
|
88
|
+
signature: new Signature('mongoose.string.doValidateSync'),
|
|
89
|
+
tagRanges: props.tagRanges,
|
|
90
|
+
source: 'P',
|
|
91
|
+
target: 'A',
|
|
92
|
+
parents: [props.event]
|
|
93
|
+
});
|
|
94
|
+
}
|
|
95
|
+
});
|
|
96
|
+
};
|
|
97
|
+
|
|
98
|
+
requireHook.resolve(
|
|
99
|
+
{ name: 'mongoose', file: 'lib/schema/string.js', version: '>=5.0.0' },
|
|
100
|
+
(SchemaString) => {
|
|
101
|
+
enumPatcher(SchemaString);
|
|
102
|
+
doValidateSyncPatcher(SchemaString);
|
|
103
|
+
}
|
|
104
|
+
);
|
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
/**
|
|
2
|
+
Copyright: 2022 Contrast Security, Inc
|
|
3
|
+
Contact: support@contrastsecurity.com
|
|
4
|
+
License: Commercial
|
|
5
|
+
|
|
6
|
+
NOTICE: This Software and the patented inventions embodied within may only be
|
|
7
|
+
used as part of Contrast Security’s commercial offerings. Even though it is
|
|
8
|
+
made available through public repositories, use of this Software is subject to
|
|
9
|
+
the applicable End User Licensing Agreement found at
|
|
10
|
+
https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
|
|
11
|
+
between Contrast Security and the End User. The Software may not be reverse
|
|
12
|
+
engineered, modified, repackaged, sold, redistributed or otherwise used in a
|
|
13
|
+
way not consistent with the End User License Agreement.
|
|
14
|
+
*/
|
|
15
|
+
'use strict';
|
|
16
|
+
const { propagate } = require('../template-escape');
|
|
17
|
+
|
|
18
|
+
function handler(data) {
|
|
19
|
+
propagate(data, 'html-encoded', 'mustache.escape');
|
|
20
|
+
}
|
|
21
|
+
|
|
22
|
+
module.exports.handle = handler;
|
|
@@ -0,0 +1,54 @@
|
|
|
1
|
+
/**
|
|
2
|
+
Copyright: 2022 Contrast Security, Inc
|
|
3
|
+
Contact: support@contrastsecurity.com
|
|
4
|
+
License: Commercial
|
|
5
|
+
|
|
6
|
+
NOTICE: This Software and the patented inventions embodied within may only be
|
|
7
|
+
used as part of Contrast Security’s commercial offerings. Even though it is
|
|
8
|
+
made available through public repositories, use of this Software is subject to
|
|
9
|
+
the applicable End User Licensing Agreement found at
|
|
10
|
+
https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
|
|
11
|
+
between Contrast Security and the End User. The Software may not be reverse
|
|
12
|
+
engineered, modified, repackaged, sold, redistributed or otherwise used in a
|
|
13
|
+
way not consistent with the End User License Agreement.
|
|
14
|
+
*/
|
|
15
|
+
'use strict';
|
|
16
|
+
|
|
17
|
+
const tracker = require('../../tracker.js');
|
|
18
|
+
const patcher = require('../../hooks/patcher.js');
|
|
19
|
+
const { PATCH_TYPES } = require('../../constants');
|
|
20
|
+
const tagRangeUtil = require('../models/tag-range/util');
|
|
21
|
+
const TagRange = require('../models/tag-range');
|
|
22
|
+
const ContrastNumber = require('../../core/rewrite/injections').get('Number');
|
|
23
|
+
const { CallContext, PropagationEvent, Signature } = require('../models');
|
|
24
|
+
|
|
25
|
+
function handle() {
|
|
26
|
+
ContrastNumber.enable();
|
|
27
|
+
|
|
28
|
+
patcher.patch(ContrastNumber.value, {
|
|
29
|
+
name: 'Number',
|
|
30
|
+
patchType: PATCH_TYPES.ASSESS_PROPAGATOR,
|
|
31
|
+
post(data) {
|
|
32
|
+
const trackingData = tracker.getData(data.args[0]);
|
|
33
|
+
|
|
34
|
+
if (!Number.isNaN(data.result) && trackingData) {
|
|
35
|
+
const { event } = trackingData;
|
|
36
|
+
trackingData.tagRanges = tagRangeUtil.add(
|
|
37
|
+
trackingData.tagRanges,
|
|
38
|
+
new TagRange(0, data.args[0].length - 1, 'limited-chars')
|
|
39
|
+
);
|
|
40
|
+
|
|
41
|
+
trackingData.event = new PropagationEvent({
|
|
42
|
+
context: new CallContext(data),
|
|
43
|
+
signature: new Signature('Number'),
|
|
44
|
+
tagRanges: trackingData.tagRanges,
|
|
45
|
+
source: 'P',
|
|
46
|
+
target: 'P',
|
|
47
|
+
parents: [event]
|
|
48
|
+
});
|
|
49
|
+
}
|
|
50
|
+
}
|
|
51
|
+
});
|
|
52
|
+
}
|
|
53
|
+
|
|
54
|
+
module.exports = { handle };
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
/**
|
|
2
|
-
Copyright:
|
|
2
|
+
Copyright: 2022 Contrast Security, Inc
|
|
3
3
|
Contact: support@contrastsecurity.com
|
|
4
4
|
License: Commercial
|
|
5
5
|
|
|
@@ -41,18 +41,17 @@ function handle() {
|
|
|
41
41
|
}
|
|
42
42
|
|
|
43
43
|
const argContrastProperties = tracker.getData(arg);
|
|
44
|
-
if (!argContrastProperties
|
|
44
|
+
if (!argContrastProperties) {
|
|
45
45
|
return;
|
|
46
46
|
}
|
|
47
47
|
|
|
48
|
-
const
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
strContrastProperties.tagRanges = strContrastProperties.tagRanges.concat(
|
|
48
|
+
const tracked = tracker.track(data.result);
|
|
49
|
+
if (tracked) {
|
|
50
|
+
tracked.props.event = argContrastProperties.event;
|
|
51
|
+
tracked.props.tagRanges = tracked.props.tagRanges.concat(
|
|
53
52
|
argContrastProperties.tagRanges
|
|
54
53
|
);
|
|
55
|
-
data.result = str;
|
|
54
|
+
data.result = tracked.str;
|
|
56
55
|
}
|
|
57
56
|
}
|
|
58
57
|
});
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
/**
|
|
2
|
-
Copyright:
|
|
2
|
+
Copyright: 2022 Contrast Security, Inc
|
|
3
3
|
Contact: support@contrastsecurity.com
|
|
4
4
|
License: Commercial
|
|
5
5
|
|
|
@@ -45,7 +45,7 @@ module.exports.handle = function handle() {
|
|
|
45
45
|
if (!path || !data.result) return;
|
|
46
46
|
|
|
47
47
|
const trackingData = tracker.getData(path);
|
|
48
|
-
if (!trackingData
|
|
48
|
+
if (!trackingData) return;
|
|
49
49
|
|
|
50
50
|
if (extension) {
|
|
51
51
|
const extIndex = _path.lastIndexOf(extension);
|
|
@@ -68,19 +68,20 @@ module.exports.handle = function handle() {
|
|
|
68
68
|
// no tags propagated to the result
|
|
69
69
|
if (!tagRanges.length) return;
|
|
70
70
|
|
|
71
|
-
const result = tracker.track(data.result);
|
|
72
|
-
const resultData = tracker.getData(result);
|
|
73
71
|
const parentEvent = trackingData.event;
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
72
|
+
const tracked = tracker.track(data.result);
|
|
73
|
+
if (tracked) {
|
|
74
|
+
tracked.props.tagRanges = tagRanges;
|
|
75
|
+
tracked.props.event = new PropagationEvent({
|
|
76
|
+
context: new CallContext(data),
|
|
77
|
+
parents: [parentEvent],
|
|
78
|
+
signature,
|
|
79
|
+
source: 'P',
|
|
80
|
+
tagRanges,
|
|
81
|
+
target: 'R'
|
|
82
|
+
});
|
|
83
|
+
data.result = tracked.str;
|
|
84
|
+
}
|
|
84
85
|
}
|
|
85
86
|
});
|
|
86
87
|
}
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
/**
|
|
2
|
-
Copyright:
|
|
2
|
+
Copyright: 2022 Contrast Security, Inc
|
|
3
3
|
Contact: support@contrastsecurity.com
|
|
4
4
|
License: Commercial
|
|
5
5
|
|
|
@@ -333,7 +333,7 @@ function propagate({ resultMeta, data, win32 }) {
|
|
|
333
333
|
evaluator: (segmentOffset) => segmentOffset > -1,
|
|
334
334
|
offset: 0,
|
|
335
335
|
str: arg,
|
|
336
|
-
tagRanges: argData
|
|
336
|
+
tagRanges: argData ? argData.tagRanges : []
|
|
337
337
|
};
|
|
338
338
|
|
|
339
339
|
const targetTagRanges = adjustTagsToPart(
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
/**
|
|
2
|
-
Copyright:
|
|
2
|
+
Copyright: 2022 Contrast Security, Inc
|
|
3
3
|
Contact: support@contrastsecurity.com
|
|
4
4
|
License: Commercial
|
|
5
5
|
|
|
@@ -42,7 +42,7 @@ module.exports.handle = function handle() {
|
|
|
42
42
|
if (!data.args[0]) return;
|
|
43
43
|
|
|
44
44
|
const trackingData = tracker.getData(data.args[0]);
|
|
45
|
-
if (!trackingData
|
|
45
|
+
if (!trackingData) return;
|
|
46
46
|
|
|
47
47
|
// path.dirname() does a slice at 0 to the calculated end separator
|
|
48
48
|
const tagRanges = createSubsetTagRanges({
|
|
@@ -57,19 +57,20 @@ module.exports.handle = function handle() {
|
|
|
57
57
|
|
|
58
58
|
if (!tagRanges.length) return;
|
|
59
59
|
|
|
60
|
-
const
|
|
61
|
-
const resultData = tracker.getData(result);
|
|
60
|
+
const tracked = tracker.track(data.result);
|
|
62
61
|
const parentEvent = trackingData.event;
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
62
|
+
if (tracked) {
|
|
63
|
+
tracked.props.tagRanges = tagRanges;
|
|
64
|
+
tracked.props.event = new PropagationEvent({
|
|
65
|
+
context: new CallContext(data),
|
|
66
|
+
parents: [parentEvent],
|
|
67
|
+
signature,
|
|
68
|
+
source: 'P',
|
|
69
|
+
tagRanges,
|
|
70
|
+
target: 'R'
|
|
71
|
+
});
|
|
72
|
+
data.result = tracked.str;
|
|
73
|
+
}
|
|
73
74
|
}
|
|
74
75
|
});
|
|
75
76
|
}
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
/**
|
|
2
|
-
Copyright:
|
|
2
|
+
Copyright: 2022 Contrast Security, Inc
|
|
3
3
|
Contact: support@contrastsecurity.com
|
|
4
4
|
License: Commercial
|
|
5
5
|
|
|
@@ -42,7 +42,7 @@ module.exports.handle = function handle() {
|
|
|
42
42
|
if (!data.args[0] || !data.result) return;
|
|
43
43
|
|
|
44
44
|
const trackingData = tracker.getData(data.args[0]);
|
|
45
|
-
if (!trackingData
|
|
45
|
+
if (!trackingData) return;
|
|
46
46
|
|
|
47
47
|
// The path.extname() implementation does a substr on the argument
|
|
48
48
|
// based on the calculated index of the last dot
|
|
@@ -62,19 +62,20 @@ module.exports.handle = function handle() {
|
|
|
62
62
|
// no tags propagated to the result
|
|
63
63
|
if (!tagRanges.length) return;
|
|
64
64
|
|
|
65
|
-
const
|
|
66
|
-
const resultData = tracker.getData(result);
|
|
65
|
+
const tracked = tracker.track(data.result);
|
|
67
66
|
const parentEvent = trackingData.event;
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
67
|
+
if (tracked) {
|
|
68
|
+
tracked.props.tagRanges = tagRanges;
|
|
69
|
+
tracked.props.event = new PropagationEvent({
|
|
70
|
+
context: new CallContext(data),
|
|
71
|
+
parents: [parentEvent],
|
|
72
|
+
signature,
|
|
73
|
+
source: 'P',
|
|
74
|
+
tagRanges,
|
|
75
|
+
target: 'R'
|
|
76
|
+
});
|
|
77
|
+
data.result = tracked.str;
|
|
78
|
+
}
|
|
78
79
|
}
|
|
79
80
|
});
|
|
80
81
|
}
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
/**
|
|
2
|
-
Copyright:
|
|
2
|
+
Copyright: 2022 Contrast Security, Inc
|
|
3
3
|
Contact: support@contrastsecurity.com
|
|
4
4
|
License: Commercial
|
|
5
5
|
|
|
@@ -24,7 +24,7 @@ const propagate = function propagate(data) {
|
|
|
24
24
|
const props = tracker.getData(data.args[0]);
|
|
25
25
|
const { result } = data;
|
|
26
26
|
|
|
27
|
-
if (props
|
|
27
|
+
if (props && result) {
|
|
28
28
|
const membrane = new DeserializationMembrane(data, props);
|
|
29
29
|
data.result = membrane.wrap(result);
|
|
30
30
|
}
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
/**
|
|
2
|
-
Copyright:
|
|
2
|
+
Copyright: 2022 Contrast Security, Inc
|
|
3
3
|
Contact: support@contrastsecurity.com
|
|
4
4
|
License: Commercial
|
|
5
5
|
|
|
@@ -35,7 +35,7 @@ const provider = {
|
|
|
35
35
|
const { args, result } = data;
|
|
36
36
|
const trackData = tracker.getData(args[1]);
|
|
37
37
|
|
|
38
|
-
if (!trackData
|
|
38
|
+
if (!trackData) {
|
|
39
39
|
return;
|
|
40
40
|
}
|
|
41
41
|
|
|
@@ -61,10 +61,12 @@ const provider = {
|
|
|
61
61
|
},
|
|
62
62
|
data
|
|
63
63
|
);
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
64
|
+
const tracked = tracker.track(data.result);
|
|
65
|
+
if (tracked) {
|
|
66
|
+
data.result = tracked.str;
|
|
67
|
+
tracked.props.tagRanges = shiftedRanges;
|
|
68
|
+
tracked.props.event = event;
|
|
69
|
+
}
|
|
68
70
|
}
|
|
69
71
|
},
|
|
70
72
|
/**
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
/**
|
|
2
|
-
Copyright:
|
|
2
|
+
Copyright: 2022 Contrast Security, Inc
|
|
3
3
|
Contact: support@contrastsecurity.com
|
|
4
4
|
License: Commercial
|
|
5
5
|
|
|
@@ -21,34 +21,36 @@ const qsUtils = require('./utils');
|
|
|
21
21
|
|
|
22
22
|
function handler(data) {
|
|
23
23
|
const input = data.args[0];
|
|
24
|
+
const trackedData = tracker.getData(input);
|
|
24
25
|
|
|
25
|
-
if (!input || !
|
|
26
|
+
if (!input || !trackedData) {
|
|
26
27
|
return;
|
|
27
28
|
}
|
|
28
29
|
|
|
29
30
|
// adjust tag ranges
|
|
30
31
|
const tagRanges = [];
|
|
31
|
-
|
|
32
|
+
trackedData.tagRanges.forEach((tag) => {
|
|
32
33
|
tagRanges.push(qsUtils.adjustRangeEscape(tag, 0, input));
|
|
33
34
|
});
|
|
34
35
|
tagRanges.push(new TagRange(0, data.result.length - 1, 'url-encoded'));
|
|
35
36
|
|
|
36
|
-
const
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
37
|
+
const tracked = tracker.track(data.result);
|
|
38
|
+
if (tracked) {
|
|
39
|
+
tracked.props.tagRanges = tagRanges;
|
|
40
|
+
tracked.props.event = new PropagationEvent({
|
|
41
|
+
context: new CallContext({
|
|
42
|
+
...data,
|
|
43
|
+
obj: null
|
|
44
|
+
}),
|
|
45
|
+
parents: [tracked.props.event],
|
|
46
|
+
signature: new Signature('querystring.escape'),
|
|
47
|
+
source: 'P',
|
|
48
|
+
target: 'R',
|
|
49
|
+
tagRanges,
|
|
50
|
+
tags: ['url-encoded']
|
|
51
|
+
});
|
|
52
|
+
data.result = tracked.str;
|
|
53
|
+
}
|
|
52
54
|
}
|
|
53
55
|
|
|
54
56
|
module.exports.handle = handler;
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
/**
|
|
2
|
-
Copyright:
|
|
2
|
+
Copyright: 2022 Contrast Security, Inc
|
|
3
3
|
Contact: support@contrastsecurity.com
|
|
4
4
|
License: Commercial
|
|
5
5
|
|
|
@@ -47,9 +47,11 @@ function getUnescapeWrapper(data, unescape) {
|
|
|
47
47
|
|
|
48
48
|
// track the part w/ trimmed ranges if applicable
|
|
49
49
|
if (tagRanges.length) {
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
50
|
+
const tracked = tracker.track(part);
|
|
51
|
+
if (tracked) {
|
|
52
|
+
result = tracked.str;
|
|
53
|
+
tracked.props.tagRanges = tagRanges;
|
|
54
|
+
}
|
|
53
55
|
} else {
|
|
54
56
|
result = part;
|
|
55
57
|
}
|
|
@@ -58,7 +60,7 @@ function getUnescapeWrapper(data, unescape) {
|
|
|
58
60
|
result = Scopes.runInAllowAllScope(() => unescape(result));
|
|
59
61
|
resultData = tracker.getData(result);
|
|
60
62
|
|
|
61
|
-
if (resultData
|
|
63
|
+
if (resultData) {
|
|
62
64
|
resultData.event = new PropagationEvent({
|
|
63
65
|
context: new CallContext({
|
|
64
66
|
...data,
|
|
@@ -91,7 +93,7 @@ function pre(data) {
|
|
|
91
93
|
}
|
|
92
94
|
const trackingData = tracker.getData(input);
|
|
93
95
|
|
|
94
|
-
if (!trackingData
|
|
96
|
+
if (!trackingData) {
|
|
95
97
|
return;
|
|
96
98
|
}
|
|
97
99
|
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
/**
|
|
2
|
-
Copyright:
|
|
2
|
+
Copyright: 2022 Contrast Security, Inc
|
|
3
3
|
Contact: support@contrastsecurity.com
|
|
4
4
|
License: Commercial
|
|
5
5
|
|
|
@@ -129,7 +129,7 @@ class OnEscapeHandler {
|
|
|
129
129
|
// set current key for reference if when array-valued
|
|
130
130
|
this.currentKey = {
|
|
131
131
|
value: escaped,
|
|
132
|
-
tagRanges: trackingData
|
|
132
|
+
tagRanges: trackingData ? trackingData.tagRanges : null
|
|
133
133
|
};
|
|
134
134
|
|
|
135
135
|
// capture track info before updating state
|
|
@@ -175,7 +175,7 @@ class OnEscapeHandler {
|
|
|
175
175
|
this.offset += this.currentKey.value.length + this.eqLen;
|
|
176
176
|
}
|
|
177
177
|
|
|
178
|
-
if (trackingData
|
|
178
|
+
if (trackingData) {
|
|
179
179
|
ret.push({
|
|
180
180
|
offset: this.offset,
|
|
181
181
|
tagRanges: trackingData.tagRanges,
|
|
@@ -279,34 +279,35 @@ function post(data) {
|
|
|
279
279
|
}
|
|
280
280
|
|
|
281
281
|
const tracked = tracker.track(data.result);
|
|
282
|
-
const trackData = tracker.getData(tracked);
|
|
283
282
|
|
|
284
283
|
if (data.state.escape === querystring.escape) {
|
|
285
284
|
data.state.tagRanges.push(
|
|
286
285
|
new TagRange(0, data.result.length - 1, 'url-encoded')
|
|
287
286
|
);
|
|
288
287
|
}
|
|
289
|
-
|
|
290
|
-
|
|
291
|
-
|
|
292
|
-
|
|
293
|
-
|
|
294
|
-
|
|
295
|
-
|
|
296
|
-
|
|
297
|
-
|
|
298
|
-
|
|
299
|
-
|
|
300
|
-
|
|
301
|
-
|
|
302
|
-
|
|
303
|
-
|
|
304
|
-
|
|
305
|
-
|
|
306
|
-
|
|
307
|
-
|
|
308
|
-
|
|
309
|
-
|
|
288
|
+
if (tracked) {
|
|
289
|
+
const sorted = _.sortBy(data.state.tagRanges, 'start');
|
|
290
|
+
tracked.props.tagRanges = [];
|
|
291
|
+
tagRangeUtil.addAllInPlace(tracked.props.tagRanges, sorted);
|
|
292
|
+
|
|
293
|
+
// stringify / encode
|
|
294
|
+
const method = data.funcKey.split('.')[1];
|
|
295
|
+
|
|
296
|
+
tracked.props.event = new PropagationEvent({
|
|
297
|
+
context: new CallContext({
|
|
298
|
+
...data,
|
|
299
|
+
args: data.state.origArgs,
|
|
300
|
+
obj: null
|
|
301
|
+
}),
|
|
302
|
+
parents: Array.from(data.state.events),
|
|
303
|
+
signature: new Signature(`querystring.${method}`),
|
|
304
|
+
source: 'P',
|
|
305
|
+
tagRanges: tracked.props.tagRanges,
|
|
306
|
+
target: 'R',
|
|
307
|
+
tags: ['url-encoded']
|
|
308
|
+
});
|
|
309
|
+
data.result = tracked.str;
|
|
310
|
+
}
|
|
310
311
|
}
|
|
311
312
|
|
|
312
313
|
module.exports.handle = { pre, post };
|