@contrast/agent 4.7.0 → 4.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (563) hide show
  1. package/LICENSE +1 -1
  2. package/agent-loader.js +1 -1
  3. package/bin/VERSION +1 -1
  4. package/bin/linux/contrast-service +0 -0
  5. package/bin/mac/contrast-service +0 -0
  6. package/bin/windows/contrast-service.exe +0 -0
  7. package/bootstrap.js +13 -3
  8. package/cli-rewriter.js +1 -1
  9. package/cli.js +1 -1
  10. package/esm.mjs +34 -1
  11. package/lib/agent-emitter.js +1 -1
  12. package/lib/agent.js +1 -1
  13. package/lib/app-info.js +1 -1
  14. package/lib/assess/deadzones/index.js +1 -1
  15. package/lib/assess/deadzones/rewrite.js +1 -1
  16. package/lib/assess/express/index.js +1 -1
  17. package/lib/assess/express/route-coverage.js +1 -1
  18. package/lib/assess/express/sinks/index.js +1 -1
  19. package/lib/assess/express/sinks/xss.js +1 -1
  20. package/lib/assess/express/sources.js +1 -1
  21. package/lib/assess/fastify/index.js +1 -1
  22. package/lib/assess/fastify/route-coverage.js +1 -1
  23. package/lib/assess/fastify/sinks/index.js +1 -1
  24. package/lib/assess/fastify/sinks/response-scanning.js +1 -1
  25. package/lib/assess/fastify/sinks/unvalidated-redirect.js +1 -1
  26. package/lib/assess/fastify/sinks/xss.js +1 -1
  27. package/lib/assess/fastify/sources.js +1 -1
  28. package/lib/assess/hapi/index.js +1 -1
  29. package/lib/assess/hapi/route-coverage.js +1 -1
  30. package/lib/assess/hapi/sinks/index.js +1 -1
  31. package/lib/assess/hapi/sinks/response-scanning.js +1 -1
  32. package/lib/assess/hapi/sinks/session.js +1 -1
  33. package/lib/assess/hapi/sinks/unvalidated-redirect.js +1 -1
  34. package/lib/assess/hapi/sinks/xss.js +1 -1
  35. package/lib/assess/hapi/sources.js +1 -1
  36. package/lib/assess/index.js +3 -1
  37. package/lib/assess/koa/index.js +1 -1
  38. package/lib/assess/koa/route-coverage.js +1 -1
  39. package/lib/assess/koa/sinks/index.js +1 -1
  40. package/lib/assess/koa/sinks/response-scanning.js +1 -1
  41. package/lib/assess/koa/sinks/unvalidated-redirect.js +1 -1
  42. package/lib/assess/koa/sinks/xss.js +1 -1
  43. package/lib/assess/koa/sources.js +1 -1
  44. package/lib/assess/loopback4/index.js +1 -1
  45. package/lib/assess/loopback4/route-coverage.js +1 -1
  46. package/lib/assess/loopback4/sinks/index.js +1 -1
  47. package/lib/assess/loopback4/sinks/response-scanning.js +1 -1
  48. package/lib/assess/loopback4/sinks/xss.js +1 -1
  49. package/lib/assess/loopback4/sources.js +1 -1
  50. package/lib/assess/membrane/debraner.js +1 -1
  51. package/lib/assess/membrane/deserialization-membrane.js +5 -6
  52. package/lib/assess/membrane/index.js +1 -1
  53. package/lib/assess/membrane/source-membrane.js +16 -20
  54. package/lib/assess/models/base-event.js +1 -1
  55. package/lib/assess/models/call-context.js +2 -2
  56. package/lib/assess/models/index.js +1 -1
  57. package/lib/assess/models/propagation-event.js +1 -1
  58. package/lib/assess/models/signature.js +1 -1
  59. package/lib/assess/models/sink-event.js +1 -1
  60. package/lib/assess/models/source-event.js +7 -1
  61. package/lib/assess/models/tag-range/index.js +1 -1
  62. package/lib/assess/models/tag-range/relationships.js +1 -1
  63. package/lib/assess/models/tag-range/util.js +1 -1
  64. package/lib/assess/policy/index.js +1 -1
  65. package/lib/assess/policy/init.js +1 -1
  66. package/lib/assess/policy/propagators.json +8 -0
  67. package/lib/assess/policy/rules.json +31 -2
  68. package/lib/assess/policy/signatures.json +33 -6
  69. package/lib/assess/policy/util.js +3 -2
  70. package/lib/assess/propagators/JSON/parse.js +2 -2
  71. package/lib/assess/propagators/JSON/stringify.js +81 -11
  72. package/lib/assess/propagators/ajv/conditionals.js +1 -1
  73. package/lib/assess/propagators/ajv/evaluator-shim.js +1 -1
  74. package/lib/assess/propagators/ajv/index.js +1 -1
  75. package/lib/assess/propagators/ajv/json-schema-type-evaluators.js +1 -1
  76. package/lib/assess/propagators/ajv/object-walk.js +1 -1
  77. package/lib/assess/propagators/ajv/refs.js +1 -1
  78. package/lib/assess/propagators/ajv/schema-context.js +1 -1
  79. package/lib/assess/propagators/array-prototype-join.js +8 -9
  80. package/lib/assess/propagators/common.js +8 -6
  81. package/lib/assess/propagators/dustjs/escape-html.js +1 -1
  82. package/lib/assess/propagators/dustjs/escape-js.js +1 -1
  83. package/lib/assess/propagators/ejs-template-generate-source.js +1 -1
  84. package/lib/assess/propagators/encode-uri/encode-uri-component.js +1 -1
  85. package/lib/assess/propagators/encode-uri/encode-uri.js +1 -1
  86. package/lib/assess/propagators/handlebars-compile.js +1 -1
  87. package/lib/assess/propagators/handlebars-escape-expresssion.js +2 -2
  88. package/lib/assess/propagators/index.js +1 -1
  89. package/lib/assess/propagators/joi/boolean.js +2 -2
  90. package/lib/assess/propagators/joi/expression.js +2 -2
  91. package/lib/assess/propagators/joi/index.js +1 -1
  92. package/lib/assess/propagators/joi/number.js +2 -2
  93. package/lib/assess/propagators/joi/string-base.js +2 -2
  94. package/lib/assess/propagators/joi/string-schema.js +13 -14
  95. package/lib/assess/propagators/joi/values.js +12 -12
  96. package/lib/assess/propagators/manager.js +13 -11
  97. package/lib/assess/propagators/mongoose/helpers.js +20 -0
  98. package/lib/assess/propagators/mongoose/index.js +18 -0
  99. package/lib/assess/propagators/mongoose/map.js +74 -0
  100. package/lib/assess/propagators/mongoose/string.js +104 -0
  101. package/lib/assess/propagators/mustache/escape.js +1 -1
  102. package/lib/assess/propagators/number.js +54 -0
  103. package/lib/assess/propagators/object.js +7 -8
  104. package/lib/assess/propagators/path/basename.js +15 -14
  105. package/lib/assess/propagators/path/common.js +2 -2
  106. package/lib/assess/propagators/path/dirname.js +15 -14
  107. package/lib/assess/propagators/path/extname.js +15 -14
  108. package/lib/assess/propagators/path/format.js +1 -1
  109. package/lib/assess/propagators/path/join.js +1 -1
  110. package/lib/assess/propagators/path/normalize.js +1 -1
  111. package/lib/assess/propagators/path/parse.js +2 -2
  112. package/lib/assess/propagators/path/relative.js +8 -6
  113. package/lib/assess/propagators/path/resolve.js +1 -1
  114. package/lib/assess/propagators/path/to-namespaced-path.js +1 -1
  115. package/lib/assess/propagators/pug-compile.js +1 -1
  116. package/lib/assess/propagators/querystring/escape.js +21 -19
  117. package/lib/assess/propagators/querystring/parse.js +8 -6
  118. package/lib/assess/propagators/querystring/stringify.js +26 -25
  119. package/lib/assess/propagators/querystring/unescape.js +21 -19
  120. package/lib/assess/propagators/querystring/utils.js +1 -1
  121. package/lib/assess/propagators/sequelize/sql-string-escape.js +2 -2
  122. package/lib/assess/propagators/sequelize/sql-string-format-named-parameters.js +2 -2
  123. package/lib/assess/propagators/sequelize/sql-string-format.js +4 -4
  124. package/lib/assess/propagators/sequelize/utils.js +3 -3
  125. package/lib/assess/propagators/string-prototype-replace.js +31 -29
  126. package/lib/assess/propagators/string-prototype-split.js +37 -37
  127. package/lib/assess/propagators/string-prototype-trim.js +16 -18
  128. package/lib/assess/propagators/string.js +13 -17
  129. package/lib/assess/propagators/template-escape.js +22 -19
  130. package/lib/assess/propagators/templates.js +9 -9
  131. package/lib/assess/propagators/url/url-prototype-parse.js +6 -7
  132. package/lib/assess/propagators/url/url-url.js +52 -44
  133. package/lib/assess/propagators/url/utils.js +1 -1
  134. package/lib/assess/propagators/util/format.js +2 -2
  135. package/lib/assess/propagators/utils.js +1 -1
  136. package/lib/assess/propagators/v8/init-hooks.js +4 -4
  137. package/lib/assess/propagators/validator/init-hooks.js +23 -23
  138. package/lib/assess/propagators/validator/validator-methods.js +1 -2
  139. package/lib/assess/response-scanning/app-activity.js +1 -1
  140. package/lib/assess/response-scanning/autocomplete-missing.js +1 -1
  141. package/lib/assess/response-scanning/cache-controls-missing.js +1 -1
  142. package/lib/assess/response-scanning/clickjacking-control-missing.js +1 -1
  143. package/lib/assess/response-scanning/common.js +1 -1
  144. package/lib/assess/response-scanning/cookies/common.js +1 -1
  145. package/lib/assess/response-scanning/cookies/events.js +1 -1
  146. package/lib/assess/response-scanning/cookies/httponly.js +1 -1
  147. package/lib/assess/response-scanning/cookies/secure-flag-missing.js +1 -1
  148. package/lib/assess/response-scanning/headers/csp-header-insecure.js +1 -1
  149. package/lib/assess/response-scanning/headers/csp-header-missing.js +1 -1
  150. package/lib/assess/response-scanning/headers/csp-utils.js +1 -1
  151. package/lib/assess/response-scanning/headers/hsts-header-missing.js +1 -1
  152. package/lib/assess/response-scanning/headers/powered-by.js +1 -1
  153. package/lib/assess/response-scanning/headers/xcontenttype-header-missing.js +1 -1
  154. package/lib/assess/response-scanning/headers/xxssprotection-header-disabled.js +1 -1
  155. package/lib/assess/response-scanning/parameter-pollution.js +1 -1
  156. package/lib/assess/response-scanning/parseable-response-emitter.js +1 -1
  157. package/lib/assess/restify/index.js +1 -1
  158. package/lib/assess/restify/route-coverage.js +1 -1
  159. package/lib/assess/restify/session.js +1 -1
  160. package/lib/assess/restify/sinks/index.js +1 -1
  161. package/lib/assess/restify/sinks/response-scanning.js +1 -1
  162. package/lib/assess/restify/sinks/unvalidated-redirect.js +1 -1
  163. package/lib/assess/restify/sinks/xss.js +1 -1
  164. package/lib/assess/restify/sources.js +1 -1
  165. package/lib/assess/sinks/common.js +11 -6
  166. package/lib/assess/sinks/dustjs-linkedin-xss.js +1 -1
  167. package/lib/assess/sinks/dynamo.js +1 -1
  168. package/lib/assess/sinks/hapi-16-xss.js +1 -1
  169. package/lib/assess/sinks/index.js +1 -1
  170. package/lib/assess/sinks/libxmljs-xxe.js +2 -2
  171. package/lib/assess/sinks/mongodb.js +3 -2
  172. package/lib/assess/sinks/rethinkdb-nosql-injection.js +142 -0
  173. package/lib/assess/sinks/ssrf-url.js +2 -2
  174. package/lib/assess/sources/event-handler.js +307 -0
  175. package/lib/assess/sources/formidable.js +1 -1
  176. package/lib/assess/sources/index.js +94 -6
  177. package/lib/assess/spdy/index.js +23 -0
  178. package/lib/assess/spdy/sinks/index.js +23 -0
  179. package/lib/assess/spdy/sinks/xss.js +84 -0
  180. package/lib/assess/static/hardcoded.js +1 -1
  181. package/lib/assess/technologies/index.js +3 -2
  182. package/lib/assess/utils.js +1 -1
  183. package/lib/cli-rewriter/index.js +1 -1
  184. package/lib/constants.js +7 -3
  185. package/lib/contrast.js +7 -7
  186. package/lib/core/arch-components/dynamodb.js +1 -1
  187. package/lib/core/arch-components/dynamodbv3.js +1 -1
  188. package/lib/core/arch-components/index.js +2 -1
  189. package/lib/core/arch-components/mongodb.js +23 -19
  190. package/lib/core/arch-components/mysql.js +1 -1
  191. package/lib/core/arch-components/postgres.js +22 -4
  192. package/lib/core/arch-components/rethinkdb.js +1 -1
  193. package/lib/core/arch-components/sqlite3.js +4 -6
  194. package/lib/core/async-storage/context.js +1 -1
  195. package/lib/core/async-storage/hooks/bluebird.js +1 -1
  196. package/lib/core/async-storage/hooks/mongodb-core.js +1 -1
  197. package/lib/core/async-storage/hooks/mysql.js +1 -1
  198. package/lib/core/async-storage/hooks/redis.js +1 -1
  199. package/lib/core/async-storage/hooks/utils.js +1 -1
  200. package/lib/core/async-storage/index.js +1 -1
  201. package/lib/core/async-storage/scopes/index.js +1 -1
  202. package/lib/core/common/formidable.js +1 -1
  203. package/lib/core/common/index.js +1 -1
  204. package/lib/core/config/options.js +37 -3
  205. package/lib/core/config/util.js +1 -1
  206. package/lib/core/exclusions/exclusion-factory.js +1 -1
  207. package/lib/core/exclusions/exclusion.js +3 -6
  208. package/lib/core/exclusions/input.js +1 -1
  209. package/lib/core/exclusions/url.js +1 -1
  210. package/lib/core/express/index.js +26 -3
  211. package/lib/core/express/utils.js +9 -4
  212. package/lib/core/fastify/index.js +1 -1
  213. package/lib/core/fastify/utils.js +1 -1
  214. package/lib/core/hapi/index.js +1 -1
  215. package/lib/core/hapi/utils.js +1 -1
  216. package/lib/core/index.js +1 -1
  217. package/lib/core/koa/index.js +1 -1
  218. package/lib/core/koa/utils.js +1 -1
  219. package/lib/core/logger/daily-rotate-file.js +1 -1
  220. package/lib/core/logger/dataflow-monitor.js +1 -1
  221. package/lib/core/logger/debug-logger.js +1 -1
  222. package/lib/core/logger/index.js +1 -1
  223. package/lib/core/logger/perf-logger.js +1 -1
  224. package/lib/core/logger/umbrella-logger.js +1 -1
  225. package/lib/core/loopback4/index.js +1 -1
  226. package/lib/core/metrics/index.js +1 -1
  227. package/lib/core/restify/index.js +1 -1
  228. package/lib/core/restify/utils.js +1 -1
  229. package/lib/core/rewrite/assignment-expression.js +1 -1
  230. package/lib/core/rewrite/binary-expression.js +1 -1
  231. package/lib/core/rewrite/call-expression.js +1 -1
  232. package/lib/core/rewrite/callees.js +1 -1
  233. package/lib/core/rewrite/catch-clause.js +1 -1
  234. package/lib/core/rewrite/function-wrap.js +1 -1
  235. package/lib/core/rewrite/index.js +1 -1
  236. package/lib/core/rewrite/injections.js +9 -1
  237. package/lib/core/rewrite/is-contrast-method.js +1 -1
  238. package/lib/core/rewrite/log.js +1 -1
  239. package/lib/core/rewrite/member-expression.js +1 -1
  240. package/lib/core/rewrite/object-property.js +1 -1
  241. package/lib/core/rewrite/prepend-globals.js +1 -1
  242. package/lib/core/rewrite/rewrite-log.js +1 -1
  243. package/lib/core/rewrite/switch-statement.js +1 -1
  244. package/lib/core/rewrite/template-literal.js +1 -1
  245. package/lib/core/stacktrace.js +1 -1
  246. package/lib/coverage.js +1 -1
  247. package/lib/feature-set.js +2 -2
  248. package/lib/generator-function.js +1 -1
  249. package/lib/hooks/array.js +1 -1
  250. package/lib/hooks/cluster.js +1 -1
  251. package/lib/hooks/dataflow-monitor.js +1 -1
  252. package/lib/hooks/encoding.js +1 -1
  253. package/lib/hooks/express-fileupload.js +1 -1
  254. package/lib/hooks/express-session.js +1 -1
  255. package/lib/hooks/fn-to-string.js +1 -1
  256. package/lib/hooks/frameworks/base.js +1 -1
  257. package/lib/hooks/frameworks/common.js +1 -1
  258. package/lib/hooks/frameworks/hapi16.js +1 -1
  259. package/lib/hooks/frameworks/http.js +1 -1
  260. package/lib/hooks/frameworks/http2.js +1 -1
  261. package/lib/hooks/frameworks/index.js +3 -1
  262. package/lib/hooks/frameworks/spdy.js +87 -0
  263. package/lib/hooks/hapi-16-reply.js +1 -1
  264. package/lib/hooks/hapi-16-session.js +1 -1
  265. package/lib/hooks/http.js +12 -1
  266. package/lib/hooks/module/extensions.js +1 -1
  267. package/lib/hooks/module/helpers.js +1 -1
  268. package/lib/hooks/module/index.js +1 -1
  269. package/lib/hooks/newrelic.js +1 -1
  270. package/lib/hooks/object-is.js +1 -1
  271. package/lib/hooks/object-to-primitive.js +7 -8
  272. package/lib/hooks/patcher.js +2 -2
  273. package/lib/hooks/require.js +1 -1
  274. package/lib/hooks/stealthy-require.js +1 -1
  275. package/lib/instrumentation.js +1 -1
  276. package/lib/libraries.js +1 -1
  277. package/lib/library-usage.js +1 -1
  278. package/lib/list-installed.js +1 -1
  279. package/lib/protect/analysis/aho-corasick.js +1 -1
  280. package/lib/protect/analysis/dfsa-analyzer.js +1 -1
  281. package/lib/protect/errors/handler.js +1 -1
  282. package/lib/protect/errors/security-exception.js +1 -1
  283. package/lib/protect/express/index.js +1 -1
  284. package/lib/protect/express/sinks.js +1 -1
  285. package/lib/protect/express/sources.js +1 -1
  286. package/lib/protect/fastify/index.js +1 -1
  287. package/lib/protect/fastify/sinks.js +1 -1
  288. package/lib/protect/fastify/sources.js +1 -1
  289. package/lib/protect/hapi/error-handler.js +1 -1
  290. package/lib/protect/hapi/index.js +1 -1
  291. package/lib/protect/hapi/sinks.js +1 -1
  292. package/lib/protect/hapi/sources.js +1 -1
  293. package/lib/protect/index.js +1 -1
  294. package/lib/protect/input-analysis.js +1 -1
  295. package/lib/protect/koa/index.js +1 -1
  296. package/lib/protect/koa/sinks.js +1 -1
  297. package/lib/protect/koa/sources.js +1 -1
  298. package/lib/protect/listeners.js +1 -1
  299. package/lib/protect/loopback4/index.js +1 -1
  300. package/lib/protect/loopback4/sources.js +1 -1
  301. package/lib/protect/models/application-context.js +1 -1
  302. package/lib/protect/models/sink-event.js +1 -1
  303. package/lib/protect/models/source-event.js +1 -1
  304. package/lib/protect/restify/index.js +1 -1
  305. package/lib/protect/restify/sinks.js +1 -1
  306. package/lib/protect/restify/sources.js +1 -1
  307. package/lib/protect/rules/assessment.js +1 -1
  308. package/lib/protect/rules/attack-patterns.js +1 -1
  309. package/lib/protect/rules/base-scanner/index.js +1 -1
  310. package/lib/protect/rules/base-scanner/java-script-scanner.js +1 -1
  311. package/lib/protect/rules/base-scanner/postgresqlscanner.js +1 -1
  312. package/lib/protect/rules/base-scanner/scan-state.js +1 -1
  313. package/lib/protect/rules/base-scanner/substring-finder.js +1 -1
  314. package/lib/protect/rules/base-scanner/token-sequence.js +1 -1
  315. package/lib/protect/rules/bot-blocker/bot-blocker-rule.js +1 -1
  316. package/lib/protect/rules/bot-blocker/index.js +1 -1
  317. package/lib/protect/rules/cmd-injection/cmdinjection-rule.js +1 -1
  318. package/lib/protect/rules/cmd-injection-command-backdoors/backdoor-detector.js +1 -1
  319. package/lib/protect/rules/cmd-injection-command-backdoors/cmd-injection-command-backdoors-rule.js +1 -1
  320. package/lib/protect/rules/cmd-injection-semantic-chained-commands/chained-command-scanner.js +1 -1
  321. package/lib/protect/rules/cmd-injection-semantic-chained-commands/cmd-injection-semantic-chained-commands-rule.js +1 -1
  322. package/lib/protect/rules/cmd-injection-semantic-dangerous-paths/cmd-injection-semantic-dangerous-paths-rule.js +1 -1
  323. package/lib/protect/rules/cmd-injection-semantic-dangerous-paths/dangerous-paths-scanner.js +1 -1
  324. package/lib/protect/rules/common.js +1 -1
  325. package/lib/protect/rules/index.js +1 -1
  326. package/lib/protect/rules/ip-denylist/ip-denylist-rule.js +1 -1
  327. package/lib/protect/rules/method-tampering/evaluator.js +1 -1
  328. package/lib/protect/rules/method-tampering/method-tampering-rule.js +1 -1
  329. package/lib/protect/rules/nosqli/nosql-injection-rule.js +228 -0
  330. package/lib/protect/rules/nosqli/nosql-scanner/index.js +1 -1
  331. package/lib/protect/rules/nosqli/nosql-scanner/mongodbscanner.js +1 -1
  332. package/lib/protect/rules/path-traversal/path-traversal-rule.js +1 -1
  333. package/lib/protect/rules/rule-factory.js +3 -3
  334. package/lib/protect/rules/signatures/cmd-injection/custom-searchers/chained-command-searcher.js +1 -1
  335. package/lib/protect/rules/signatures/cmd-injection/custom-searchers/index.js +1 -1
  336. package/lib/protect/rules/signatures/cmd-injection/index.js +1 -1
  337. package/lib/protect/rules/signatures/evaluator.js +1 -1
  338. package/lib/protect/rules/signatures/index.js +1 -1
  339. package/lib/protect/rules/signatures/nosql-injection/custom-searchers/index.js +1 -1
  340. package/lib/protect/rules/signatures/nosql-injection/custom-searchers/nosql-comment-searcher.js +1 -1
  341. package/lib/protect/rules/signatures/nosql-injection/custom-searchers/simple-or-searcher.js +1 -1
  342. package/lib/protect/rules/signatures/nosql-injection/index.js +1 -1
  343. package/lib/protect/rules/signatures/path-traversal/index.js +1 -1
  344. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/behavior-url-searcher.js +1 -1
  345. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/function-definition-searcher.js +1 -1
  346. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/immediate-function-searcher.js +1 -1
  347. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/index.js +1 -1
  348. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/link-and-src-target-searcher.js +1 -1
  349. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/location-set-searcher.js +1 -1
  350. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/map-access-searcher.js +1 -1
  351. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/native-function-execution-searcher.js +1 -1
  352. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/no-alnum-searcher.js +1 -1
  353. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/redefined-function-searcher.js +1 -1
  354. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/style-url-injection-searcher.js +1 -1
  355. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/variable-assignment-searcher.js +1 -1
  356. package/lib/protect/rules/signatures/reflected-xss/helpers/function-call.js +1 -1
  357. package/lib/protect/rules/signatures/reflected-xss/index.js +1 -1
  358. package/lib/protect/rules/signatures/signature.js +1 -1
  359. package/lib/protect/rules/signatures/sql-injection/custom-searchers/if-else-drop-searcher.js +1 -1
  360. package/lib/protect/rules/signatures/sql-injection/custom-searchers/index.js +1 -1
  361. package/lib/protect/rules/signatures/sql-injection/custom-searchers/simple-or-searcher.js +1 -1
  362. package/lib/protect/rules/signatures/sql-injection/custom-searchers/sql-comment-searcher.js +1 -1
  363. package/lib/protect/rules/signatures/sql-injection/custom-searchers/time-function-searcher.js +1 -1
  364. package/lib/protect/rules/signatures/sql-injection/custom-searchers/tsql-exec-searcher.js +1 -1
  365. package/lib/protect/rules/signatures/sql-injection/index.js +1 -1
  366. package/lib/protect/rules/signatures/ssjs-injection/index.js +1 -1
  367. package/lib/protect/rules/signatures/unsafe-file-upload/index.js +1 -1
  368. package/lib/protect/rules/signatures/untrusted-deserialization/index.js +1 -1
  369. package/lib/protect/rules/sqli/generic-complicated.js +1 -1
  370. package/lib/protect/rules/sqli/sql-injection-rule.js +1 -1
  371. package/lib/protect/rules/sqli/sql-scanner/index.js +1 -1
  372. package/lib/protect/rules/sqli/sql-scanner/mysql-scanner.js +1 -1
  373. package/lib/protect/rules/ssjs-injection/evaluator.js +1 -1
  374. package/lib/protect/rules/ssjs-injection/ssjsinjection-rule.js +1 -1
  375. package/lib/protect/rules/unsafe-file-upload/unsafe-file-upload-rule.js +1 -1
  376. package/lib/protect/rules/untrusted-deserialization/untrusted-deserialization-rule.js +1 -1
  377. package/lib/protect/rules/virtual-patch/index.js +1 -1
  378. package/lib/protect/rules/virtual-patch/utils.js +1 -1
  379. package/lib/protect/rules/virtual-patch/virtual-patch-rule.js +1 -1
  380. package/lib/protect/rules/xss/helpers/function-call.js +1 -1
  381. package/lib/protect/rules/xss/reflected-xss-rule.js +1 -1
  382. package/lib/protect/rules/xxe/xxerule.js +1 -1
  383. package/lib/protect/sample-aggregator.js +1 -1
  384. package/lib/protect/samples.js +1 -1
  385. package/lib/protect/service.js +24 -12
  386. package/lib/protect/sinks/child-process.js +1 -1
  387. package/lib/protect/sinks/eval.js +1 -1
  388. package/lib/protect/sinks/fs.js +1 -1
  389. package/lib/protect/sinks/function.js +1 -1
  390. package/lib/protect/sinks/index.js +1 -1
  391. package/lib/protect/sinks/libxmljs.js +1 -1
  392. package/lib/protect/sinks/mongodb.js +57 -56
  393. package/lib/protect/sinks/mysql.js +1 -1
  394. package/lib/protect/sinks/node-serialize.js +1 -1
  395. package/lib/protect/sinks/postgres.js +1 -1
  396. package/lib/protect/sinks/sequelize.js +1 -1
  397. package/lib/protect/sinks/sqlite3.js +1 -1
  398. package/lib/protect/sinks/vm.js +1 -1
  399. package/lib/protect/sources/busboy.js +1 -1
  400. package/lib/protect/sources/formidable.js +1 -1
  401. package/lib/protect/sources/index.js +1 -1
  402. package/lib/protect/validators/authorization.js +1 -1
  403. package/lib/protect/validators/common.js +1 -1
  404. package/lib/protect/validators/connection.js +1 -1
  405. package/lib/protect/validators/content-length.js +1 -1
  406. package/lib/protect/validators/host.js +1 -1
  407. package/lib/protect/validators/if-none-match.js +1 -1
  408. package/lib/protect/validators/index.js +1 -1
  409. package/lib/protect/validators/origin.js +1 -1
  410. package/lib/reporter/app-activity-queue.js +1 -1
  411. package/lib/reporter/grpc-client.js +1 -1
  412. package/lib/reporter/messages/speedracer/activity.js +1 -1
  413. package/lib/reporter/messages/speedracer/application-create.js +1 -1
  414. package/lib/reporter/messages/speedracer/application-update.js +1 -1
  415. package/lib/reporter/messages/speedracer/base.js +1 -1
  416. package/lib/reporter/messages/speedracer/index.js +1 -1
  417. package/lib/reporter/messages/speedracer/observed-route.js +1 -1
  418. package/lib/reporter/messages/speedracer/poll.js +1 -1
  419. package/lib/reporter/messages/speedracer/request.js +1 -1
  420. package/lib/reporter/messages/speedracer/startup.js +1 -1
  421. package/lib/reporter/messaging-router.js +1 -1
  422. package/lib/reporter/models/app-activity/app-activity.js +1 -1
  423. package/lib/reporter/models/app-activity/attacker-activity.js +1 -1
  424. package/lib/reporter/models/app-activity/defend.js +1 -1
  425. package/lib/reporter/models/app-activity/inventory.js +1 -1
  426. package/lib/reporter/models/app-activity/protection-rule-activity.js +1 -1
  427. package/lib/reporter/models/app-activity/rule-events.js +1 -1
  428. package/lib/reporter/models/app-activity/sample.js +1 -1
  429. package/lib/reporter/models/app-activity/source.js +1 -1
  430. package/lib/reporter/models/app-activity/user-input.js +1 -1
  431. package/lib/reporter/models/app-create.js +1 -1
  432. package/lib/reporter/models/app-update/index.js +1 -1
  433. package/lib/reporter/models/app-update/library-manifest.js +1 -1
  434. package/lib/reporter/models/app-update/library-usage.js +1 -1
  435. package/lib/reporter/models/app-update/library.js +1 -1
  436. package/lib/reporter/models/event-tag.js +1 -1
  437. package/lib/reporter/models/finding/event.js +1 -1
  438. package/lib/reporter/models/finding/finding.js +1 -1
  439. package/lib/reporter/models/frameworks/express-request.js +1 -1
  440. package/lib/reporter/models/frameworks/fastify-request.js +1 -1
  441. package/lib/reporter/models/frameworks/hapi-request.js +1 -1
  442. package/lib/reporter/models/frameworks/index.js +1 -1
  443. package/lib/reporter/models/frameworks/koa-request.js +1 -1
  444. package/lib/reporter/models/frameworks/restify-request.js +1 -1
  445. package/lib/reporter/models/observed-route.js +1 -1
  446. package/lib/reporter/models/request.js +1 -1
  447. package/lib/reporter/models/route-coverage.js +1 -1
  448. package/lib/reporter/models/startup.js +1 -1
  449. package/lib/reporter/models/trace-event-source.js +1 -1
  450. package/lib/reporter/models/utils/request-factory.js +1 -1
  451. package/lib/reporter/models/utils/user-input-factory.js +1 -1
  452. package/lib/reporter/models/utils/user-input-kit.js +1 -1
  453. package/lib/reporter/mq-client.js +1 -1
  454. package/lib/reporter/server-activity-queue.js +1 -1
  455. package/lib/reporter/socket-client.js +1 -1
  456. package/lib/reporter/speedracer/base-connection-state.js +1 -1
  457. package/lib/reporter/speedracer/constants.js +1 -1
  458. package/lib/reporter/speedracer/failure-connection-state.js +1 -1
  459. package/lib/reporter/speedracer/index.js +1 -1
  460. package/lib/reporter/speedracer/success-connection-state.js +1 -1
  461. package/lib/reporter/speedracer/unknown-connection-state.js +1 -1
  462. package/lib/reporter/translations/enums.js +1 -1
  463. package/lib/reporter/translations/helpers.js +1 -1
  464. package/lib/reporter/translations/to-protobuf/dtm/activity.js +1 -1
  465. package/lib/reporter/translations/to-protobuf/dtm/address.js +1 -1
  466. package/lib/reporter/translations/to-protobuf/dtm/agent-startup.js +1 -1
  467. package/lib/reporter/translations/to-protobuf/dtm/application-create.js +1 -1
  468. package/lib/reporter/translations/to-protobuf/dtm/application-update.js +1 -1
  469. package/lib/reporter/translations/to-protobuf/dtm/architecture-component.js +1 -1
  470. package/lib/reporter/translations/to-protobuf/dtm/attack-result.js +1 -1
  471. package/lib/reporter/translations/to-protobuf/dtm/bot-blocker-details.js +1 -1
  472. package/lib/reporter/translations/to-protobuf/dtm/cmd-injection-details.js +1 -1
  473. package/lib/reporter/translations/to-protobuf/dtm/cmd-injection-semantic-analysis-details.js +1 -1
  474. package/lib/reporter/translations/to-protobuf/dtm/finding.js +1 -1
  475. package/lib/reporter/translations/to-protobuf/dtm/http-method-tampering-details.js +1 -1
  476. package/lib/reporter/translations/to-protobuf/dtm/http-request.js +1 -1
  477. package/lib/reporter/translations/to-protobuf/dtm/index.js +2 -2
  478. package/lib/reporter/translations/to-protobuf/dtm/ip-denylist-details.js +2 -2
  479. package/lib/reporter/translations/to-protobuf/dtm/library-usage-update.js +1 -1
  480. package/lib/reporter/translations/to-protobuf/dtm/no-sql-injection-details.js +1 -1
  481. package/lib/reporter/translations/to-protobuf/dtm/observed-route.js +1 -1
  482. package/lib/reporter/translations/to-protobuf/dtm/pair.js +1 -1
  483. package/lib/reporter/translations/to-protobuf/dtm/path-traversal-details.js +1 -1
  484. package/lib/reporter/translations/to-protobuf/dtm/poll.js +1 -1
  485. package/lib/reporter/translations/to-protobuf/dtm/rasp-rule-sample.js +2 -2
  486. package/lib/reporter/translations/to-protobuf/dtm/raw-request.js +1 -1
  487. package/lib/reporter/translations/to-protobuf/dtm/route-coverage.js +1 -1
  488. package/lib/reporter/translations/to-protobuf/dtm/simple-pair.js +1 -1
  489. package/lib/reporter/translations/to-protobuf/dtm/sql-injection-details.js +1 -1
  490. package/lib/reporter/translations/to-protobuf/dtm/ssjs-injection-details.js +1 -1
  491. package/lib/reporter/translations/to-protobuf/dtm/stack-trace-element.js +1 -1
  492. package/lib/reporter/translations/to-protobuf/dtm/trace-event/action.js +1 -1
  493. package/lib/reporter/translations/to-protobuf/dtm/trace-event/index.js +5 -5
  494. package/lib/reporter/translations/to-protobuf/dtm/trace-event/parent-object-id.js +1 -1
  495. package/lib/reporter/translations/to-protobuf/dtm/trace-event/trace-event-object.js +1 -1
  496. package/lib/reporter/translations/to-protobuf/dtm/trace-event/trace-event-signature.js +1 -1
  497. package/lib/reporter/translations/to-protobuf/dtm/trace-event/trace-event-source.js +1 -1
  498. package/lib/reporter/translations/to-protobuf/dtm/trace-event/trace-stack.js +1 -1
  499. package/lib/reporter/translations/to-protobuf/dtm/trace-event/trace-taint-range.js +1 -1
  500. package/lib/reporter/translations/to-protobuf/dtm/trace-event/type.js +1 -1
  501. package/lib/reporter/translations/to-protobuf/dtm/untrusted-deserialization-details.js +1 -1
  502. package/lib/reporter/translations/to-protobuf/dtm/user-input.js +1 -1
  503. package/lib/reporter/translations/to-protobuf/dtm/virtual-patch-details.js +1 -1
  504. package/lib/reporter/translations/to-protobuf/dtm/xss-details.js +1 -1
  505. package/lib/reporter/translations/to-protobuf/dtm/xxe-details.js +1 -1
  506. package/lib/reporter/translations/to-protobuf/index.js +1 -1
  507. package/lib/reporter/translations/to-protobuf/settings/application-settings.js +1 -1
  508. package/lib/reporter/translations/to-protobuf/settings/assess-features.js +1 -1
  509. package/lib/reporter/translations/to-protobuf/settings/auth.js +1 -1
  510. package/lib/reporter/translations/to-protobuf/settings/bot-blocker.js +1 -1
  511. package/lib/reporter/translations/to-protobuf/settings/custom-rule-feature.js +1 -1
  512. package/lib/reporter/translations/to-protobuf/settings/defend-features.js +9 -7
  513. package/lib/reporter/translations/to-protobuf/settings/exclusions.js +6 -5
  514. package/lib/reporter/translations/to-protobuf/settings/index.js +1 -1
  515. package/lib/reporter/translations/to-protobuf/settings/input-analysis-result.js +1 -1
  516. package/lib/reporter/translations/to-protobuf/settings/inventory-features.js +1 -1
  517. package/lib/reporter/translations/to-protobuf/settings/ip-filter.js +1 -1
  518. package/lib/reporter/translations/to-protobuf/settings/log-enhancer.js +1 -1
  519. package/lib/reporter/translations/to-protobuf/settings/protection-rule.js +1 -1
  520. package/lib/reporter/translations/to-protobuf/settings/reaction.js +1 -1
  521. package/lib/reporter/translations/to-protobuf/settings/rule-definition.js +1 -1
  522. package/lib/reporter/translations/to-protobuf/settings/sampling.js +1 -1
  523. package/lib/reporter/translations/to-protobuf/settings/server-features.js +1 -1
  524. package/lib/reporter/translations/to-protobuf/settings/syslog.js +1 -1
  525. package/lib/reporter/translations/to-protobuf/settings/virtual-patch.js +1 -1
  526. package/lib/reporter/ts-reporter.js +1 -1
  527. package/lib/tracker.js +14 -66
  528. package/lib/util/base64.js +1 -1
  529. package/lib/util/bitset.js +1 -1
  530. package/lib/util/block-request.js +1 -1
  531. package/lib/util/callback-resolver.js +1 -1
  532. package/lib/util/clean-stack.js +1 -1
  533. package/lib/util/clean-string/brackets.js +1 -1
  534. package/lib/util/clean-string/clean-string-base.js +1 -1
  535. package/lib/util/clean-string/comments.js +1 -1
  536. package/lib/util/clean-string/concatenations.js +1 -1
  537. package/lib/util/clean-string/jsclean-string.js +1 -1
  538. package/lib/util/clean-string/placeholders.js +1 -1
  539. package/lib/util/clean-string/util.js +1 -1
  540. package/lib/util/colors.js +1 -1
  541. package/lib/util/file-finder.js +1 -1
  542. package/lib/util/heap-dump.js +1 -1
  543. package/lib/util/html-util.js +1 -1
  544. package/lib/util/ip-analyzer.js +1 -1
  545. package/lib/util/is-agent-path.js +1 -1
  546. package/lib/util/is-contrast-error.js +1 -1
  547. package/lib/util/is-piped-to-dev.js +1 -1
  548. package/lib/util/is-string.js +1 -1
  549. package/lib/util/partial.js +1 -1
  550. package/lib/util/pkg-name.js +1 -1
  551. package/lib/util/request-util.js +1 -1
  552. package/lib/util/resolve-obj.js +1 -1
  553. package/lib/util/route-info.js +1 -1
  554. package/lib/util/some.js +1 -1
  555. package/lib/util/source-map.js +4 -4
  556. package/lib/util/static-rules.js +1 -1
  557. package/lib/util/trace-util.js +1 -1
  558. package/lib/util/traverse.js +1 -1
  559. package/lib/util/user-input-evaluator.js +1 -1
  560. package/lib/util/xml-analyzer/external-entity-finder.js +1 -1
  561. package/package.json +7 -6
  562. package/perf-logs.js +1 -1
  563. package/lib/protect/rules/nosqli/no-sql-injection-rule.js +0 -109
package/lib/protect/rules/signatures/reflected-xss/custom-searchers/behavior-url-searcher.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/signatures/reflected-xss/custom-searchers/function-definition-searcher.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/signatures/reflected-xss/custom-searchers/immediate-function-searcher.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/signatures/reflected-xss/custom-searchers/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/signatures/reflected-xss/custom-searchers/link-and-src-target-searcher.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/signatures/reflected-xss/custom-searchers/location-set-searcher.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/signatures/reflected-xss/custom-searchers/map-access-searcher.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/signatures/reflected-xss/custom-searchers/native-function-execution-searcher.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/signatures/reflected-xss/custom-searchers/no-alnum-searcher.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/signatures/reflected-xss/custom-searchers/redefined-function-searcher.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/signatures/reflected-xss/custom-searchers/style-url-injection-searcher.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/signatures/reflected-xss/custom-searchers/variable-assignment-searcher.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/signatures/reflected-xss/helpers/function-call.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/signatures/reflected-xss/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/signatures/signature.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/signatures/sql-injection/custom-searchers/if-else-drop-searcher.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/signatures/sql-injection/custom-searchers/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/signatures/sql-injection/custom-searchers/simple-or-searcher.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/signatures/sql-injection/custom-searchers/sql-comment-searcher.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/signatures/sql-injection/custom-searchers/time-function-searcher.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/signatures/sql-injection/custom-searchers/tsql-exec-searcher.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/signatures/sql-injection/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/signatures/ssjs-injection/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/signatures/unsafe-file-upload/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/signatures/untrusted-deserialization/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/sqli/generic-complicated.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/sqli/sql-injection-rule.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/sqli/sql-scanner/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/sqli/sql-scanner/mysql-scanner.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/ssjs-injection/evaluator.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/ssjs-injection/ssjsinjection-rule.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/unsafe-file-upload/unsafe-file-upload-rule.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/untrusted-deserialization/untrusted-deserialization-rule.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/virtual-patch/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/virtual-patch/utils.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/virtual-patch/virtual-patch-rule.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/xss/helpers/function-call.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/xss/reflected-xss-rule.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/rules/xxe/xxerule.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/sample-aggregator.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/samples.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/service.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -20,7 +20,12 @@ Copyright: 2021 Contrast Security, Inc
20
20
 
21
21
  const _ = require('lodash');
22
22
 
23
- const { IMPORTANCE, SAFE_HEADER_VALUES, INPUT_TYPES } = require('../constants');
23
+ const {
24
+ IMPORTANCE,
25
+ SAFE_HEADER_VALUES,
26
+ INPUT_TYPES,
27
+ RULES
28
+ } = require('../constants');
24
29
  const agentEmitter = require('../agent-emitter');
25
30
  const SampleAggregator = require('./sample-aggregator');
26
31
  const RuleFactory = require('./rules/rule-factory');
@@ -203,15 +208,22 @@ class ProtectService {
203
208
  appContext.request = request;
204
209
  }
205
210
 
206
- for (const {
207
- scoreLevel,
208
- ruleId,
209
- inputType: type,
210
- path,
211
- key: name,
212
- value,
213
- idsList
214
- } of resultsList) {
211
+ for (const result of resultsList) {
212
+ // Coerce custom rule id
213
+ if (result.ruleId === RULES.NOSQL_EXPANSION) {
214
+ result.ruleId = RULES.NOSQL_INJECTION;
215
+ }
216
+
217
+ const {
218
+ scoreLevel,
219
+ ruleId,
220
+ inputType: type,
221
+ path,
222
+ key: name,
223
+ value,
224
+ idsList
225
+ } = result;
226
+
215
227
  if (scoreLevel === IMPORTANCE.NONE) {
216
228
  return;
217
229
  }
@@ -269,7 +281,7 @@ class ProtectService {
269
281
  * Loads IP analyzer for allowist analysis given TS settings.
270
282
  */
271
283
  updateIpAllowlist(settings) {
272
- const list = _.get(settings, 'defend.ipWhitelistsList');
284
+ const list = _.get(settings, 'defend.ipAllowlistsList');
273
285
  if (list && list.length) {
274
286
  this.ipAllowlist = new IpAnalyzer(list);
275
287
  this.ipAllowlist.on('expired', (dtm) => {
package/lib/protect/sinks/child-process.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/sinks/eval.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/sinks/fs.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/sinks/function.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/sinks/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/sinks/libxmljs.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/sinks/mongodb.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -21,47 +21,41 @@ const BaseSensor = require('../../hooks/frameworks/base');
21
21
  const patcher = require('../../hooks/patcher');
22
22
  const { PATCH_TYPES } = require('../../constants');
23
23
  const { emitSinkEvent } = require('../../hooks/frameworks/common');
24
+ const agentEmitter = require('../../agent-emitter');
25
+ const SinkEvent = require('../models/sink-event');
24
26
 
25
27
  const { SINK_TYPES } = constants;
26
28
  const ID = 'mongodb';
27
29
 
28
- /**
29
- * json.stringify(data) in try-catch
30
- * @param {any} data
31
- * @returns {string}
32
- */
33
- const safeStringify = (data) => {
34
- try {
35
- return JSON.stringify(data);
36
- } catch (e) {
37
- // ignore errors
38
- }
39
- };
40
-
41
- /**
42
- * @param {any} query `cmd.query`
43
- * @returns {string}
44
- */
45
- const getQueryAsString = (args, version) => {
30
+ function getCursorQueryData(args, version) {
46
31
  const query = semver.gte(version, '3.3.0')
47
32
  ? _.get(args, '0.cmd.query')
48
33
  : _.get(args, '1.query');
49
34
 
50
- if (_.isString(query)) return query.toString();
51
- if (!_.isObject(query)) return;
35
+ if (!query) {
36
+ return;
37
+ }
38
+
39
+ if (_.isString(query)) {
40
+ return query.toString()
41
+ }
52
42
 
53
43
  if (query['$where']) {
54
44
  return query['$where'].toString();
55
45
  }
56
46
 
57
- const keys = Object.keys(query);
58
- if (keys.length === 1 && _.isString(query[keys[0]])) {
59
- // eval: { $where : 'process.exit()' }
60
- return query[keys[0]];
47
+ return query;
48
+ }
49
+
50
+ function getOpQueryData(op) {
51
+ if (!op.q) {
52
+ return;
61
53
  }
62
- // otherwise try and look at the stringified query
63
- return safeStringify(query);
64
- };
54
+ if (op.q.$where) {
55
+ return op.q.$where;
56
+ }
57
+ return op.q;
58
+ }
65
59
 
66
60
  class MongoDBSensor extends BaseSensor {
67
61
  constructor(agent) {
@@ -76,8 +70,11 @@ class MongoDBSensor extends BaseSensor {
76
70
  name: 'mongodb.CoreServer.prototype',
77
71
  patchType: PATCH_TYPES.PROTECT_SINK,
78
72
  pre: (wrapCtx) => {
79
- const data = getQueryAsString(wrapCtx.args, version);
80
- emitSinkEvent(data, SINK_TYPES.NOSQL_QUERY, ID);
73
+ emitSinkEvent(
74
+ getCursorQueryData(wrapCtx.args, version),
75
+ SINK_TYPES.NOSQL_QUERY,
76
+ ID
77
+ );
81
78
  }
82
79
  });
83
80
 
@@ -86,21 +83,12 @@ class MongoDBSensor extends BaseSensor {
86
83
  alwaysRun: true,
87
84
  name: 'mongodb.CoreServer.prototype',
88
85
  patchType: PATCH_TYPES.PROTECT_SINK,
89
- pre: (wrapCtx) => {
90
- const data = getQueryAsString(wrapCtx.args, version);
91
- emitSinkEvent(data, SINK_TYPES.NOSQL_QUERY, ID);
92
- }
93
- });
94
-
95
- // insert(ns, opts, options, cb)
96
- patcher.patch(mongodb.CoreServer.prototype, 'insert', {
97
- alwaysRun: true,
98
- name: 'mongodb.CoreServer.prototype',
99
- patchType: PATCH_TYPES.PROTECT_SINK,
100
- pre: (wrapCtx) => {
101
- const arg = _.get(wrapCtx, 'args.1');
102
- const data = safeStringify(arg);
103
- emitSinkEvent(data, SINK_TYPES.NOSQL_QUERY, ID);
86
+ pre: (data) => {
87
+ emitSinkEvent(
88
+ getCursorQueryData(data.args, version),
89
+ SINK_TYPES.NOSQL_QUERY,
90
+ ID
91
+ );
104
92
  }
105
93
  });
106
94
 
@@ -109,10 +97,17 @@ class MongoDBSensor extends BaseSensor {
109
97
  alwaysRun: true,
110
98
  name: 'mongodb.CoreServer.prototype',
111
99
  patchType: PATCH_TYPES.PROTECT_SINK,
112
- pre: (wrapCtx) => {
113
- const arg = _.get(wrapCtx, 'args.1');
114
- const data = safeStringify(arg);
115
- emitSinkEvent(data, SINK_TYPES.NOSQL_QUERY, ID);
100
+ pre: (data) => {
101
+ const ops = Array.isArray(data.args[1])
102
+ ? data.args[1]
103
+ : [data.args[1]];
104
+
105
+ for (const op of ops) {
106
+ const eData = getOpQueryData(op);
107
+ if (eData) {
108
+ emitSinkEvent(eData, SINK_TYPES.NOSQL_QUERY, ID);
109
+ }
110
+ }
116
111
  }
117
112
  });
118
113
 
@@ -121,10 +116,17 @@ class MongoDBSensor extends BaseSensor {
121
116
  alwaysRun: true,
122
117
  name: 'mongodb.CoreServer.prototype',
123
118
  patchType: PATCH_TYPES.PROTECT_SINK,
124
- pre: (wrapCtx) => {
125
- const arg = _.get(wrapCtx, 'args.1');
126
- const data = safeStringify(arg);
127
- emitSinkEvent(data, SINK_TYPES.NOSQL_QUERY, ID);
119
+ pre: (data) => {
120
+ const ops = Array.isArray(data.args[1])
121
+ ? data.args[1]
122
+ : [data.args[1]];
123
+
124
+ for (const op of ops) {
125
+ const eData = getOpQueryData(op);
126
+ if (eData) {
127
+ emitSinkEvent(eData, SINK_TYPES.NOSQL_QUERY, ID);
128
+ }
129
+ }
128
130
  }
129
131
  });
130
132
 
@@ -133,9 +135,8 @@ class MongoDBSensor extends BaseSensor {
133
135
  alwaysRun: true,
134
136
  name: 'mongodb.Db.prototype',
135
137
  patchType: PATCH_TYPES.PROTECT_SINK,
136
- pre: (wrapCtx) => {
137
- const data = _.get(wrapCtx, 'args.0');
138
- emitSinkEvent(data, SINK_TYPES.NOSQL_QUERY, ID);
138
+ pre: (data) => {
139
+ emitSinkEvent(data.args[0], SINK_TYPES.NOSQL_QUERY, ID);
139
140
  }
140
141
  });
141
142
  });
package/lib/protect/sinks/mysql.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/sinks/node-serialize.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/sinks/postgres.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
package/lib/protect/sinks/sequelize.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5