npm - @contrast/agent - Versions diffs - 4.6.0 → 4.9.0 - Mend

@contrast/agent 4.6.0 → 4.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (563) hide show

package/lib/assess/propagators/url/url-url.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -71,6 +71,9 @@ function setHostnamePortTags(urlObj, stack, args, sourceEvent) {
   }
   const hostData = tracker.getData(urlObj._contrast_host);
+  if (!hostData) {
+    return;
+  }
   const hostnameTags = tagRangeUtil.trim(hostData.tagRanges, 0, splitIndex - 1);
   const portTags = tagRangeUtil.trim(
     hostData.tagRanges,
@@ -81,21 +84,25 @@ function setHostnamePortTags(urlObj, stack, args, sourceEvent) {
   if (hostnameTags.length > 0) {
     const hostnameTracked = tracker.track(hostname);
-    tracker.getData(hostnameTracked).tagRanges = hostnameTags;
-    urlObj._contrast_hostname = hostnameTracked;
-    event = createEvent('url.URL', stack, hostnameTags, hostname, args, urlObj);
-    event.parents.push(sourceEvent);
-    event.tagRanges = hostnameTags;
-    tracker.getData(hostnameTracked).event = event;
+    if (hostnameTracked) {
+      hostnameTracked.props.tagRanges = hostnameTags;
+      urlObj._contrast_hostname = hostnameTracked.str;
+      event = createEvent('url.URL', stack, hostnameTags, hostname, args, urlObj);
+      event.parents.push(sourceEvent);
+      event.tagRanges = hostnameTags;
+      hostnameTracked.props.event = event;
+    }
   }
   if (portTags.length > 0) {
     const portTracked = tracker.track(port);
-    tracker.getData(portTracked).tagRanges = portTags;
-    urlObj._contrast_port = portTracked;
-    event = createEvent('url.URL', stack, portTags, port, args, urlObj);
-    event.parents.push(sourceEvent);
-    event.tagRanges = portTags;
-    tracker.getData(portTracked).event = event;
+    if (portTracked) {
+      portTracked.props.tagRanges = portTags;
+      urlObj._contrast_port = portTracked.str;
+      event = createEvent('url.URL', stack, portTags, port, args, urlObj);
+      event.parents.push(sourceEvent);
+      event.tagRanges = portTags;
+      portTracked.props.event = event;
+    }
   }
 }
@@ -136,26 +143,28 @@ function joinProperties(urlObj, sourceProps, separators) {
   }
   // copy tag ranges
-  const result = tracker.track(value);
   let valIdx = 0;
   sepIdx = 0;
   let tags = [];
   for (const prop of sourceProps) {
-    if (urlObj[`_contrast_${prop}`]) {
+    const trackedPropData = tracker.getData(urlObj[`_contrast_${prop}`]);
+    if (trackedPropData) {
       tags = tagRangeUtil.addAll(
         tags,
         offsetTagRanges(
-          tracker.getData(urlObj[`_contrast_${prop}`]).tagRanges,
+          trackedPropData.tagRanges,
           valIdx
         )
       );
     }
     valIdx += urlObj[prop].length + separators[sepIdx++].length;
   }
-  tracker.getData(result).tagRanges = tags;
-  return result;
+  const tracked = tracker.track(value);
+  if (tracked) {
+    tracked.props.tagRanges = tags;
+    return tracked.str;
+  }
 }
 /**
@@ -172,7 +181,8 @@ function setOriginTags(urlObj, stack, args, sourceEvent) {
   //
   const trackedOrigin = joinProperties(urlObj, SET_ORIGIN_TAGS, ['//', '']);
-  if (tracker.getData(trackedOrigin).tagRanges.length === 0) {
+  const trackedOriginData = tracker.getData(trackedOrigin);
+  if (!trackedOriginData || trackedOriginData.tagRanges.length === 0) {
     return;
   }
   urlObj._contrast_origin = trackedOrigin;
@@ -180,14 +190,14 @@ function setOriginTags(urlObj, stack, args, sourceEvent) {
   const event = createEvent(
     'url.URL',
     stack,
-    tracker.getData(trackedOrigin).tagRanges,
+    trackedOriginData.tagRanges,
     trackedOrigin,
     args,
     urlObj
   );
   event.parents.push(sourceEvent);
-  event.tagRanges = tracker.getData(trackedOrigin).tagRanges;
-  tracker.getData(trackedOrigin).event = event;
+  event.tagRanges = trackedOriginData.tagRanges;
+  trackedOriginData.event = event;
 }
 /**
@@ -221,7 +231,7 @@ function setHrefTags(urlObj, stack, args, sourceEvent) {
   const joinedHref = joinProperties(urlObj, properties, separators);
   const joinedHrefData = tracker.getData(joinedHref);
-  if (joinedHrefData.tagRanges.length === 0) {
+  if (!joinedHrefData || joinedHrefData.tagRanges.length === 0) {
     return;
   }
   urlObj._contrast_href = joinedHref;
@@ -235,7 +245,7 @@ function setHrefTags(urlObj, stack, args, sourceEvent) {
   );
   event.parents.push(sourceEvent);
   event.tagRanges = joinedHrefData.tagRanges;
-  tracker.getData(urlObj._contrast_href).event = event;
+  joinedHrefData.event = event;
 }
 /**
@@ -300,21 +310,22 @@ function copyTagsSingleSource(sourceTagRanges, sourceEvent, data) {
     copied = true;
     const trackedKey = `_contrast_${key}`;
     const tracked = tracker.track(val);
-    const trackedData = tracker.getData(tracked);
-    trackedData.tagRanges = trimmed;
-    urlObj[trackedKey] = tracked;
-    // only create the stack once because stack creation is expensive
-    stack =
-      stack ||
-      stackFactory.createSnapshot({
-        constructorOpt: data.hooked
-      })();
-    event = createEvent('url.URL', stack, trimmed, val, args, urlObj);
-    event.parents.push(sourceEvent);
-    event.tagRanges = trimmed;
-    trackedData.event = event;
+    if (tracked) {
+      tracked.props.tagRanges = trimmed;
+      urlObj[trackedKey] = tracked.str;
+      // only create the stack once because stack creation is expensive
+      stack =
+        stack ||
+        stackFactory.createSnapshot({
+          constructorOpt: data.hooked
+        })();
+      event = createEvent('url.URL', stack, trimmed, val, args, urlObj);
+      event.parents.push(sourceEvent);
+      event.tagRanges = trimmed;
+      tracked.props.event = event;
+    }
   }
   if (!copied) {
@@ -351,10 +362,7 @@ function callUnwrapped(input) {
  */
 function skipTracking(inputData, baseData) {
   // if neither input or base are tracked we can just skip tracking
-  if (
-    (!inputData.tracked && baseData && !baseData.tracked) ||
-    (!inputData.tracked && !baseData)
-  ) {
+  if (!inputData && !baseData) {
     return true;
   }
   return false;

package/lib/assess/propagators/url/utils.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/propagators/util/format.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -266,7 +266,7 @@ const propagate = function propagate(util, data) {
   };
   const fmtStrMeta = tracker.getData(fmtStr);
-  if (fmtStrMeta.tracked) {
+  if (fmtStrMeta) {
     resultMeta.fmtStrTagRanges = fmtStrMeta.tagRanges.map((tagRange) =>
       tagRangeWithOriginals(
         new TagRange(tagRange.start, tagRange.stop, tagRange.tag)

package/lib/assess/propagators/utils.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/propagators/v8/init-hooks.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -63,7 +63,7 @@ module.exports.handle = function handle() {
         if (tracked) {
           // it was behind a membrane
           data.result[TRACKED] = tracked;
-        } else if (tracker.getData2(data.args[0])) {
+        } else if (tracker.getData(data.args[0])) {
           // it was a tracked string
           data.result[TRACKED] = data.args[0];
         }
@@ -80,13 +80,13 @@ module.exports.handle = function handle() {
           return;
         }
-        const sTracking = tracker.getData2(tracked);
+        const sTracking = tracker.getData(tracked);
         // if the argument was a tracked string then the result should
         // have the same tags. i don't know that the length of a string
         // can change as a result of deserialize(serialize()) but best
         // to be safe.
         if (sTracking) {
-          const resultTracking = tracker.track2(data.result);
+          const resultTracking = tracker.track(data.result);
           if (!resultTracking) {
             // there's nothing to do if tracking failed on the result. it should
             // only do so on a zero-length string, but node works in mysterious ways.

package/lib/assess/propagators/validator/init-hooks.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -90,7 +90,7 @@ module.exports.handle = function() {
         function post(data) {
           if (data.result) {
             const trackingData = tracker.getData(data.args[0]);
-            if (trackingData.tracked) {
+            if (trackingData) {
               tagRangeUtil.addInPlace(
                 trackingData.tagRanges,
                 new TagRange(0, data.args[0].length - 1, validators[validator])
@@ -131,7 +131,7 @@ module.exports.handle = function() {
         function post(data) {
           if (data.result) {
             const trackingData = tracker.getData(data.args[0]);
-            if (trackingData.tracked) {
+            if (trackingData) {
               trackingData.tagRanges = [];
               trackingData.tracked = false;
             }
@@ -154,36 +154,36 @@ module.exports.handle = function() {
         function post(data) {
           // if not tracked then it can't be untrusted, so don't start
           // tracking this string.
-          if (!tracker.getData(data.args[0]).tracked) return;
+          const inputData = tracker.getData(data.args[0]);
+          if (!inputData) return;
           const tag = sanitizers[sanitizer];
-          // get existing tracker data
-          const inputData = tracker.getData(data.args[0]);
           // are the input and output of the sanitizer the same?
           if (data.args[0] !== data.result) {
             let needsTag = true;
             // the input and output strings are not the same. start tracking the output.
-            const result = tracker.track(data.result);
-            const resultData = tracker.getData(result);
+            const tracked = tracker.track(data.result);
             // copy the input tags to the result, adjusting the range.
-            const stop = data.result.length - 1;
-            for (let i = 0; i < inputData.tagRanges.length; i++) {
-              resultData.tagRanges[i] = new TagRange(
-                0,
-                stop,
-                inputData.tagRanges[i].tag
-              );
-              if (inputData.tagRanges[i].tag === tag) {
-                needsTag = false;
+            if (tracked) {
+              const stop = data.result.length - 1;
+              for (let i = 0; i < inputData.tagRanges.length; i++) {
+                tracked.props.tagRanges[i] = new TagRange(
+                  0,
+                  stop,
+                  inputData.tagRanges[i].tag
+                );
+                if (inputData.tagRanges[i].tag === tag) {
+                  needsTag = false;
+                }
               }
+              if (needsTag) {
+                tracked.props.tagRanges.push(
+                  new TagRange(0, stop, sanitizers[sanitizer])
+                );
+              }
+              data.result = tracked.str;
             }
-            if (needsTag) {
-              resultData.tagRanges.push(
-                new TagRange(0, stop, sanitizers[sanitizer])
-              );
-            }
-            data.result = result;
           } else {
             // the input and output strings are the same, so the output is already being
             // tracked. if the tag is already present adjust the bounds otherwise add the

package/lib/assess/propagators/validator/validator-methods.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -63,7 +63,6 @@ module.exports = {
     isMagnetURI: 'alphanum-space-hyphen',
     isMD5: 'alphanum-space-hyphen',
     isMobilePhone: 'limited-chars',
-    isMongoId: 'alphanum-space-hyphen',
     isNumeric: 'limited-chars',
     isOctal: 'alphanum-space-hyphen',
     isPassportNumber: 'limited-chars',

package/lib/assess/response-scanning/app-activity.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/response-scanning/autocomplete-missing.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/response-scanning/cache-controls-missing.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/response-scanning/clickjacking-control-missing.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/response-scanning/common.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/response-scanning/cookies/common.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/response-scanning/cookies/events.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/response-scanning/cookies/httponly.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/response-scanning/cookies/secure-flag-missing.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/response-scanning/headers/csp-header-insecure.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/response-scanning/headers/csp-header-missing.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/response-scanning/headers/csp-utils.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/response-scanning/headers/hsts-header-missing.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/response-scanning/headers/powered-by.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/response-scanning/headers/xcontenttype-header-missing.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/response-scanning/headers/xxssprotection-header-disabled.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/response-scanning/parameter-pollution.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/response-scanning/parseable-response-emitter.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/restify/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/restify/route-coverage.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/restify/session.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/restify/sinks/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/restify/sinks/response-scanning.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/restify/sinks/unvalidated-redirect.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/restify/sinks/xss.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/restify/sources.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/sinks/common.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -78,7 +78,9 @@ module.exports = (agent) => {
     // get the tags, event from dataflow actions ONLY
     if (sinkType === DATAFLOW) {
       const contrastProps = tracker.getData(input);
-      ({ tagRanges, event } = contrastProps);
+      if (contrastProps) {
+        ({ tagRanges, event } = contrastProps);
+      }
     }
     const sink = new SinkEvent({
@@ -189,7 +191,7 @@ module.exports = (agent) => {
         ) {
           const trackData = tracker.getData(value);
-          if (!trackData.tracked) {
+          if (!trackData) {
             return;
           }
@@ -415,9 +417,12 @@ module.exports = (agent) => {
           : common.nonDataflowVulnerableCheck({ sink });
       const checkedArgs = isVulnCheck(stack, result, args);
-      return Array.isArray(checkedArgs)
-        ? reduceConditions(checkedArgs, conditions.mode)
-        : checkedArgs;
+      if (Array.isArray(checkedArgs) && checkedArgs.length > 0) {
+        const mode = conditions ? conditions.mode : 'and';
+        return reduceConditions(checkedArgs, mode);
+      } else {
+        return checkedArgs;
+      }
     };
     /**