@contrast/agent 4.7.0 → 4.7.1

package/bin/VERSION

@@ -1 +1 @@
-2.28.0
+2.28.5

package/lib/assess/membrane/deserialization-membrane.js

@@ -58,19 +58,18 @@ class DeserializationMembrane extends Membrane {
     });
 
     const tracked = tracker.track(str);
-    const strData = tracker.getData(tracked);
 
-    if (!strData.tracked) {
+    if (!tracked) {
       return str;
     }
 
-    strData.event = event;
+    tracked.props.event = event;
     event.parents.push(this.event);
-    strData.tagRanges = this.tagRanges.map(
+    tracked.props.tagRanges = this.tagRanges.map(
       (t) => new TagRange(0, str.length - 1, t.tag)
     );
 
-    return tracked;
+    return tracked.str;
   }
 }
 

package/lib/assess/membrane/source-membrane.js

@@ -13,7 +13,6 @@ Copyright: 2021 Contrast Security, Inc
   way not consistent with the End User License Agreement.
 */
 'use strict';
-const _ = require('lodash');
 
 const logger = require('../../core/logger')('contrast:source-membrane');
 const Membrane = require('./index');
@@ -64,9 +63,7 @@ module.exports = class SourceMembrane extends Membrane {
     if (cfg.array_request_sampling) {
       this.sample = cfg.array_request_sampling.enable;
       this.sampleThreshold = cfg.array_request_sampling.threshold;
-      this.sampleInterval = this.sample
-        ? cfg.array_request_sampling.interval
-        : 1;
+      this.sampleInterval = cfg.array_request_sampling.interval || 1;
     }
     // used when a reqSourceEvent must be created because an entire object
     // is being stringified but individual properties are not being referenced
@@ -139,7 +136,7 @@ module.exports = class SourceMembrane extends Membrane {
     if (!this.ensureMetadata(metadata)) {
       return str;
     }
-    const tracked = tracker.track2(str);
+    const tracked = tracker.track(str);
     if (!tracked) {
       return str;
     }
@@ -355,11 +352,6 @@ module.exports = class SourceMembrane extends Membrane {
   wrapArray(arr, metadata) {
     metadata.isArray = true;
 
-    // if not sampling, treat it as any object. not sampling has 100%
-    // accuracy.
-    if (!this.sample) {
-      return super.wrapArray(arr, metadata);
-    }
     // don't sample more than once
     if (this.wrappedArrays.has(arr)) {
       return arr;
@@ -367,16 +359,20 @@ module.exports = class SourceMembrane extends Membrane {
 
     const limit = Math.min(this.sampleThreshold, arr.length);
 
-    for (let i = 0; i < limit; i++) {
-      if (i % this.sampleInterval === 0 && arr[i]) {
-        const m = _.cloneDeep(metadata);
-        if (m.path) {
-          m.path += `[${i}]`;
-        } else {
-          m.path = `[${i}]`;
+    // if not sampling, treat it as any object. not sampling has 100% accuracy.
+    if (!this.sample || (limit === arr.length && this.sampleInterval === 1)) {
+      return super.wrapObject(arr, metadata);
+    } else if (!this.sampleThreshold) {
+      return arr;
+    } else {
+      const origPath = metadata.path;
+      for (let i = 0; i < limit; i += this.sampleInterval) {
+        if (arr[i]) {
+          const m = Object.assign({}, metadata);
+          m.path = origPath ? `${origPath}[${i}]` : `[${i}]`;
+          const wrapped = this.wrap(arr[i], m);
+          arr[i] = wrapped;
         }
-
-        arr[i] = this.wrap(arr[i], m);
       }
     }
 

package/lib/assess/models/call-context.js

@@ -96,7 +96,7 @@ module.exports = class CallContext {
   }
 
   static isTracked(str) {
-    if (tracker.getData2(str)) {
+    if (tracker.getData(str)) {
       return true;
     }
     return !!(str && typeof str === 'object' && str[PROXY_TARGET]);

package/lib/assess/policy/propagators.json

@@ -40,10 +40,18 @@
       "enabled": true,
       "override": "./propagators/JSON/parse.js"
     },
+    "mongoose": {
+      "enabled": true,
+      "override": "./propagators/mongoose"
+    },
     "String": {
       "enabled": true,
       "override": "./propagators/string.js"
     },
+    "Number": {
+      "enabled": true,
+      "override": "./propagators/number.js"
+    },
     "Object": {
       "enabled": true,
       "override": "./propagators/object.js"

package/lib/assess/policy/rules.json

@@ -1157,7 +1157,7 @@
             "args": [
               {
                 "index": 0,
-                "disallowedTags": ["limited-chars", "alphanum-space-hyphen"],
+                "disallowedTags": ["limited-chars", "alphanum-space-hyphen", "custom-validated-nosql-injection"],
                 "requiredTags": ["untrusted"]
               }
             ]
@@ -1172,7 +1172,7 @@
             "args": [
               {
                 "index": 0,
-                "disallowedTags": [],
+                "disallowedTags": ["custom-validated-nosql-injection"],
                 "requiredTags": ["untrusted"]
               }
             ]

package/lib/assess/policy/signatures.json

@@ -20,6 +20,11 @@
       "methodName": "domainToUnicode",
       "isModule": true
     },
+    "template strings": {
+      "moduleName": "global",
+      "methodName": "ContrastMethods.__contrastTag",
+      "isModule": false
+    },
     "axios": {
       "moduleName": "axios",
       "methodName": "",
@@ -642,6 +647,11 @@
       "methodName": "toNamespacedPath",
       "isModule": true
     },
+    "path.normalize": {
+      "moduleName": "path",
+      "methodName": "normalize",
+      "isModule": true
+    },
     "util.format": {
       "moduleName": "util",
       "methodName": "format",
@@ -1308,6 +1318,18 @@
       "methodName": "string.domain",
       "isModule": true
     },
+    "mongoose.string.doValidateSync": {
+      "moduleName": "mongoose",
+      "version": ">=5.0.0",
+      "methodName": "mongoose.string.doValidateSync",
+      "isModule": true
+    },
+    "mongoose.map.doValidateSync": {
+      "moduleName": "mongoose",
+      "version": ">=5.0.0",
+      "methodName": "mongoose.map.doValidateSync",
+      "isModule": true
+    },
     "v8.deserialize.serialize": {
       "moduleName": "v8",
       "methodName": "deserialize.serialize",
@@ -1322,6 +1344,11 @@
       "moduleName": "dustjs-linkedin",
       "methodName": "pipe",
       "isModule": true
+    },
+    "Number": {
+      "moduleName": "Number",
+      "methodName": "isNaN",
+      "isModule": false
     }
   }
 }

package/lib/assess/policy/util.js

@@ -89,6 +89,7 @@ utils.isRuleEnabled = function(ruleId) {
  * @param {boolean} enabled	What to set the enabled property to
  */
 utils.setEnabled = function(node, enabled) {
+  /*eslint no-prototype-builtins: "warn"*/
   if (node.hasOwnProperty('enabled')) {
     node.enabled = enabled;
     return true;
@@ -236,7 +237,7 @@ utils.patchRecursive = function(obj, hookOptions, depth) {
       }
     }
   } catch (e) {
-    logger.info(`unable to recurisvely patch ${e}`);
+    logger.info(`unable to recursively patch ${e}`);
   }
 
   return obj;

package/lib/assess/propagators/JSON/parse.js

@@ -41,7 +41,7 @@ module.exports.handle = function() {
     name: ContrastJSON.name,
     patchType: PATCH_TYPES.ASSESS_PROPAGATOR,
     post(data) {
-      const props = tracker.getData2(data.args[0]);
+      const props = tracker.getData(data.args[0]);
       const { result } = data;
       if (props && result) {
         const membrane = new DeserializationMembrane(data, props);

package/lib/assess/propagators/JSON/stringify.js

@@ -64,7 +64,7 @@ function getUntrustedSpaceProps(space) {
   }
   // otherwise if the space string is tracked then the entire json output inherits
   // the tracked string's tags.
-  const props = tracker.getData2(space);
+  const props = tracker.getData(space);
   if (!props || props.tagRanges.length === 0) {
     return null;
   }
@@ -185,7 +185,7 @@ module.exports.handle = function() {
        */
       function contrastReplacer(key, val) {
         let isTracked = false;
-        const valProperties = tracker.getData2(val);
+        const valProperties = tracker.getData(val);
         if (valProperties && valProperties.tagRanges.length) {
           data.metadata.propagate = true;
           isTracked = true;
@@ -256,7 +256,7 @@ module.exports.handle = function() {
         }
       }
 
-      const tracked = tracker.track2(data.result);
+      const tracked = tracker.track(data.result);
       if (!tracked) {
         return data.result;
       }

package/lib/assess/propagators/array-prototype-join.js

@@ -27,7 +27,7 @@ module.exports.handle = function handle(data) {
     return;
   }
 
-  // this handles join() andd join(undefined)
+  // this handles join() and join(undefined)
   const del = data.args[0] === undefined ? ',' : data.args[0];
 
   const parentEvents = [];
@@ -38,7 +38,7 @@ module.exports.handle = function handle(data) {
 
   let delimiterTracked = false;
 
-  if (delimiterProperties.tracked) {
+  if (delimiterProperties) {
     delimiterTracked = true;
     parentEvents.push(delimiterProperties.event);
     delimiterTagRanges.push(...delimiterProperties.tagRanges);
@@ -56,21 +56,20 @@ module.exports.handle = function handle(data) {
 
   if (delimiterTracked || elementTracked) {
     const tracked = tracker.track(data.result);
-    const metadata = tracker.getData(tracked);
-    if (!metadata.tracked) {
+    if (!tracked) {
       return;
     }
 
-    metadata.event = createEvent(
+    tracked.props.event = createEvent(
       data,
       resultTagRanges,
       parentEvents,
       delimiterTracked,
       elementTracked
     );
-    metadata.tagRanges = resultTagRanges;
+    tracked.props.tagRanges = resultTagRanges;
 
-    data.result = tracked;
+    data.result = tracked.str;
   }
 };
 
@@ -98,7 +97,7 @@ function propagateArrayData(
     const elem = array[i];
     const elemProperties = tracker.getData(elem);
 
-    if (elem && elemProperties.tracked) {
+    if (elem && elemProperties) {
       parentEvents.push(elemProperties.event);
 
       targetData.elementTracked = true;

package/lib/assess/propagators/common.js

@@ -62,7 +62,7 @@ const escapeRegExp = (str) => {
  */
 const addTagRangesWithOffset = (metadata, arg) => {
   const argData = tracker.getData(arg);
-  if (argData.tracked) {
+  if (argData) {
     tagRangeUtil.addAllWithOffsetInPlace(
       metadata.tagRanges,
       argData.tagRanges,
@@ -115,10 +115,12 @@ const createEvent = ({ tagRanges, method, parents }, data) => {
  */
 const trackResult = (metadata, data) => {
   if (metadata.tagRanges.length) {
-    data.result = tracker.track(data.result);
-    const trackedMeta = tracker.getData(data.result);
-    trackedMeta.tagRanges = metadata.tagRanges;
-    trackedMeta.event = createEvent(metadata, data);
+    const tracked = tracker.track(data.result);
+    if (tracked) {
+      tracked.props.tagRanges = metadata.tagRanges;
+      tracked.props.event = createEvent(metadata, data);  
+      data.result = tracked.str;
+    }
   }
 };
 

package/lib/assess/propagators/handlebars-escape-expresssion.js

@@ -48,7 +48,7 @@ function patchUtilsExport(utilsExport) {
     alwaysRun: true,
     post(data) {
       const trackData = tracker.getData(data.result);
-      if (trackData.tracked) {
+      if (trackData) {
         trackData.tagRanges = tagRangeUtil.add(
           trackData.tagRanges,
           new TagRange(0, data.result.length - 1, 'html-encoded')

package/lib/assess/propagators/joi/boolean.js

@@ -42,7 +42,7 @@ function instrumentJoiBoolean(boolean) {
         if (
           data.result &&
           typeof data.result.value === 'boolean' &&
-          trackingData.tracked
+          trackingData
         ) {
           const { event } = trackingData;
           trackingData.tagRanges = tagRangeUtil.add(

package/lib/assess/propagators/joi/expression.js

@@ -32,7 +32,7 @@ function instrumentJoiExpression(expression) {
     patchType: ASSESS_PROPAGATOR,
     post(data) {
       const trackingData = tracker.getData(data.args[0]);
-      if (trackingData.tracked && data.result._template) {
+      if (trackingData && data.result._template) {
         trackingData.tagRanges = tagRangeUtil.add(
           trackingData.tagRanges,
           new TagRange(0, data.args[0].length - 1, 'html-encoded')

package/lib/assess/propagators/joi/number.js

@@ -41,7 +41,7 @@ function instrumentJoiNumber(number) {
           data.result &&
           data.result.value &&
           !data.result.errors &&
-          trackingData.tracked
+          trackingData
         ) {
           const { event } = trackingData;
           trackingData.tagRanges = tagRangeUtil.add(

package/lib/assess/propagators/joi/string-base.js

@@ -37,7 +37,7 @@ function instrumentJoiString(string) {
       patchType: ASSESS_PROPAGATOR,
       post(data) {
         const trackingData = tracker.getData(data.args[0]);
-        if (data.result === undefined && trackingData.tracked) {
+        if (data.result === undefined && trackingData) {
           const { event } = trackingData;
           trackingData.tagRanges = tagRangeUtil.add(
             trackingData.tagRanges,

package/lib/assess/propagators/joi/string-schema.js

@@ -79,29 +79,28 @@ function reTrackCoercedValue(coerce, rule) {
       }
 
       const argContrastProperties = tracker.getData(args[0]);
-      if (!argContrastProperties.tracked) {
+      if (!argContrastProperties) {
         return;
       }
 
-      const str = tracker.track(result.value);
-      const strContrastProperties = tracker.getData(str);
+      const tracked = tracker.track(result.value);
 
-      if (strContrastProperties.tracked) {
-        strContrastProperties.tagRanges = tagRangeUtil.add(
-          strContrastProperties.tagRanges,
-          new TagRange(0, str.length - 1, 'untrusted')
+      if (tracked) {
+        tracked.props.tagRanges = tagRangeUtil.add(
+          tracked.props.tagRanges,
+          new TagRange(0, tracked.str.length - 1, 'untrusted')
         );
 
-        strContrastProperties.event = createPropagationEvent({
+        tracked.props.event = createPropagationEvent({
           data,
           trackedArgsData: argContrastProperties,
-          tagRanges: strContrastProperties.tagRanges,
+          tagRanges: tracked.props.tagRanges,
           target: 'R',
           joiMethod: rule
         });
-      }
 
-      data.result = { value: str };
+        data.result = { value: tracked.str };
+      }
     }
   });
 }
@@ -120,13 +119,13 @@ function wrapRuleAsValidator(rules, rule, tagName) {
       }
 
       const argContrastProperties = tracker.getData(args[0]);
-      if (!argContrastProperties.tracked) {
+      if (!argContrastProperties) {
         return;
       }
 
       const strContrastProperties = tracker.getData(result);
 
-      if (strContrastProperties.tracked) {
+      if (strContrastProperties) {
         strContrastProperties.tagRanges = tagRangeUtil.add(
           strContrastProperties.tagRanges,
           new TagRange(0, result.length - 1, tagName)

package/lib/assess/propagators/joi/values.js

@@ -41,7 +41,7 @@ function instrumentJoiValues(values) {
     name: 'joi.values',
     patchType: ASSESS_PROPAGATOR,
     post(data) {
-      const {
+      let {
         args: [value],
         result
       } = data;
@@ -55,7 +55,7 @@ function instrumentJoiValues(values) {
         handler(result.value, value, data);
       } else if (_.isString(result.value)) {
         // use case is .valid() - safe
-        tracker.untrack(result.value);
+        result.value = tracker.untrack(result.value) || result.value;
       }
     }
   });
@@ -94,14 +94,14 @@ const handler = (resultValue, argValue, data) => {
  */
 function getRefHandler(resolvedTrackData, refTrackData) {
   // 4 Cases
-  if (!resolvedTrackData.tracked) {
-    if (!refTrackData.tracked) {
+  if (!resolvedTrackData) {
+    if (!refTrackData) {
       return null;
     } else {
       return handleRefOnlyTracked;
     }
   } else {
-    if (refTrackData.tracked) {
+    if (refTrackData) {
       return handleBothTracked;
     } else {
       return handleTargetOnlyTracked;
@@ -131,7 +131,7 @@ function handleTargetOnlyTracked(data, resolvedTrackData, refTrackData) {
  * @param {object} refTrackData tracking data for reference value
  */
 function handleBothTracked(data, resolvedTrackData, refTrackData) {
-  const {
+  let {
     args: [value, , prefs],
     result
   } = data;
@@ -142,8 +142,8 @@ function handleBothTracked(data, resolvedTrackData, refTrackData) {
   }
 
   if (result.ref.map) {
-    tracker.untrack(data.result.value);
-    tracker.untrack(value);
+    data.result.value = tracker.untrack(data.result.value) || data.result.value;
+    value = tracker.untrack(value) || value;
   } else {
     copyValidationHistory(resolvedTrackData, refTrackData);
     if (prefs.convert) {
@@ -160,7 +160,7 @@ function handleBothTracked(data, resolvedTrackData, refTrackData) {
  * @param {object} refTrackData tracking data for reference value
  */
 function handleRefOnlyTracked(data, resolvedTrackData, refTrackData) {
-  const {
+  let {
     args: [value, , prefs],
     result
   } = data;
@@ -179,8 +179,8 @@ function handleRefOnlyTracked(data, resolvedTrackData, refTrackData) {
   } else {
     // if map is used we can trust - like .valid()
     if (result.ref.map) {
-      if (!tracker.getData(result.value).tracked) {
-        tracker.untrack(value);
+      if (!tracker.getData(result.value)) {
+        value = tracker.untrack(value) || value;
       }
     } else {
       logger.debug(

package/lib/assess/propagators/manager.js

@@ -112,13 +112,14 @@ module.exports = function Propagator(agent, propagationDescriptor) {
 
     // move the tags to the result of propagator
     if (event.tagRanges.length > 0 && validTarget === data.result) {
-      data.result = tracker.track(data.result);
-      const resultContrastProperties = tracker.getData(data.result);
-      resultContrastProperties.tracked = true;
-      resultContrastProperties.tagRanges = event.tagRanges;
+      const tracked = tracker.track(data.result);
+      if (tracked) {
+        tracked.props.tagRanges = event.tagRanges;
+        tracked.props.event = event;
+        data.result = tracked.str;
+      }
 
       event.parents.push(...sourceEvents);
-      resultContrastProperties.event = event;
     }
     logger.trace('%s2%s %s --> %s', source, target, sources, [validTarget]);
   };
@@ -206,7 +207,7 @@ function createAppendTagRanges(data) {
   if (isString(data.obj)) {
     offset = data.obj.length;
     const sourceProps = tracker.getData(data.obj);
-    if (sourceProps.tracked) {
+    if (sourceProps) {
       tagRangeUtil.addAllInPlace(newTags, sourceProps.tagRanges);
     }
   }
@@ -214,7 +215,7 @@ function createAppendTagRanges(data) {
   for (const arg of data.args) {
     if (arg) {
       const props = tracker.getData(arg);
-      if (props.tracked) {
+      if (props) {
         tagRangeUtil.addAllWithOffsetInPlace(newTags, props.tagRanges, offset);
       }
 
@@ -339,7 +340,7 @@ function getSourcesMetadata(sources) {
 function isSourceTracked(sourceName, source) {
   if (source) {
     const contrastProperties = tracker.getData(source);
-    return contrastProperties.tracked;
+    return !!contrastProperties;
   }
 
   return false;
@@ -384,7 +385,7 @@ function getTrackedSources(sources, skipNested) {
 function isTargetTracked(target, hasTags) {
   if (hasTags) {
     const contrastProperties = tracker.getData(target);
-    return contrastProperties.tracked;
+    return !!contrastProperties;
   }
 
   return false;
@@ -457,7 +458,8 @@ function getValidSources(sources) {
     const sourceContrastProperties = tracker.getData(source);
     if (
       isString(source) &&
-      !(sourceContrastProperties && sourceContrastProperties.tracked)
+      (!sourceContrastProperties ||
+        (sourceContrastProperties && !sourceContrastProperties.tracked))
     ) {
       return false;
     }

package/lib/assess/propagators/mongoose/helpers.js

@@ -0,0 +1,20 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+const hasUserDefinedValidator = (data) =>
+  data.obj.validators.some((validator) => validator.type === 'user defined');
+
+module.exports = {
+  hasUserDefinedValidator
+};

package/lib/assess/propagators/mongoose/index.js

@@ -0,0 +1,18 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+module.exports.handle = () => {
+  require('./map');
+  require('./string');
+};