npm - @contrast/agent - Versions diffs - 4.7.0 → 4.9.1 - Mend

@contrast/agent 4.7.0 → 4.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (563) hide show

package/lib/tracker.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -45,12 +45,6 @@ const defaultContrastProperties = {
   }
 };
-// NOTE: this function just exists for us to get a better view
-// of the module's performance while profiling
-function getExtStringProps(ext) {
-  return distringuish.getProperties(ext);
-}
 // i'm not sure why this is a class. there are no methods, and externalized
 // strings don't have an instance of the class; they have an object with the
 // same property names.
@@ -74,37 +68,6 @@ class Tracker {
     this.metadata = new WeakMap();
   }
-  /**
-   * Map lookup for metadata of a value
-   *
-   * @param {*} value Tracked value
-   * @return {ContrastProperties|undefined}
-   */
-  getData(value) {
-    if (typeof value === 'string') {
-      const props = getExtStringProps(value);
-      if (props == null) {
-        return defaultContrastProperties;
-      }
-      return props;
-    }
-    return this.metadata.get(value) || defaultContrastProperties;
-  }
-  /**
-   * Resets a string's tracking metadata to the default contrast properties.
-   * This will effectively untrack the associated string, but it will still be
-   * the externalized value.
-   * @param {object} trackingData A tracked string's metadata
-   */
-  untrack(str) {
-    const trackingData = this.getData(str);
-    if (trackingData.tracked) {
-      Object.assign(trackingData, defaultContrastProperties);
-    }
-  }
   trackString(str) {
     if (str.length === 0) {
       return str;
@@ -113,7 +76,7 @@ class Tracker {
     // XXX: this is the closest we have to a dedup.
     // it may be kind of expensive. we need to consider whether or not
     // this is worthwhile
-    if (this.getData(str).tracked) {
+    if (this.getData(str)) {
       return str;
     }
@@ -143,38 +106,15 @@ class Tracker {
     return value;
   }
-  // trackArray(value, parent, sourceType, parentKey) {}
-  /**
-   * Associate properties with a string.
-   *
-   * @param   {*} value value to track
-   * @returns {*}       the value - tracked if some type of string, otherwise untracked
-   */
-  track(value) {
-    if (typeof value === 'string') {
-      return this.trackString(value);
-    }
-    if (value instanceof String) {
-      return this.trackStringObject(value);
-    }
-    return value;
-  }
   /**
    * Associate properties with a string. Returns null if str is not a string,
    * is a zero-length string, or any internal error takes place.
    *
-   * This behavior is different than track in that it requires the caller to check
-   * the return value. track always returned properties even if the value was not a
-   * string or there were no properties associated with the string value.
-   *
    * @param {*} str a value to track.
    * @returns {Object|null} {str, props} or null on error.
    */
-  track2(str) {
+  track(str) {
     if (typeof str === 'string') {
       // is the string already tracked?
       let props = distringuish.getProperties(str);
@@ -217,7 +157,7 @@ class Tracker {
    * @param {*} str any value
    * @return {ContrastProperties|null}
    */
-  getData2(str) {
+  getData(str) {
     if (typeof str === 'string') {
       return distringuish.getProperties(str);
     }
@@ -227,12 +167,20 @@ class Tracker {
     return null;
   }
-  untrack2(str) {
+  /**
+   * Resets a string's tracking metadata to the default contrast properties.
+   * This will effectively untrack the associated string, but it will still be
+   * the externalized value.
+   * @param {object} trackingData A tracked string's metadata
+   */
+  untrack(str) {
     if (typeof str === 'string') {
-      if (!distringuish.getProperties(str)) {
+      let props = distringuish.getProperties(str);
+      if (!props) {
         return null;
       }
       // return an untracked version of the string
+      Object.assign(props, {event: null, tagRanges: [], tracked: false})
       return distringuish.internalize(str);
     }
     if (str instanceof String) {

package/lib/util/base64.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/bitset.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/block-request.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/callback-resolver.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/clean-stack.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/clean-string/brackets.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/clean-string/clean-string-base.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/clean-string/comments.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/clean-string/concatenations.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/clean-string/jsclean-string.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/clean-string/placeholders.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/clean-string/util.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/colors.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/file-finder.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/heap-dump.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/html-util.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/ip-analyzer.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/is-agent-path.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/is-contrast-error.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/is-piped-to-dev.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/is-string.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/partial.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/pkg-name.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/request-util.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/resolve-obj.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/route-info.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/some.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/source-map.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -156,9 +156,9 @@ class SourceMapUtility {
    * @returns {string}          fixed filename with full path
    */
   replaceSource(original, source) {
-    const origName = path.basename(original);
-    return original.replace(origName, source);
+    return original === source
+      ? original
+      : original.replace(path.basename(original), source);
   }
 }

package/lib/util/static-rules.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/trace-util.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/traverse.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/user-input-evaluator.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/util/xml-analyzer/external-entity-finder.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.7.0",
+  "version": "4.9.1",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",
@@ -72,7 +72,7 @@
     "@babel/types": "^7.12.1",
     "@contrast/distringuish-prebuilt": "^2.2.0",
     "@contrast/flat": "^4.1.1",
-    "@contrast/fn-inspect": "^2.4.2",
+    "@contrast/fn-inspect": "^2.4.3",
     "@contrast/heapdump": "^1.1.0",
     "@contrast/protobuf-api": "^3.2.0",
     "@contrast/require-hook": "^2.0.6",
@@ -83,7 +83,7 @@
     "bluebird": "^3.5.3",
     "builtin-modules": "^3.2.0",
     "cls-hooked": "^4.2.2",
-    "commander": "^5.0.0",
+    "commander": "^8.3.0",
     "content-security-policy-parser": "^0.2.0",
     "cookie": "^0.3.1",
     "crc-32": "^1.0.0",
@@ -109,7 +109,7 @@
     "@bmacnaughton/string-generator": "^1.0.0",
     "@contrast/eslint-config": "^2.0.1",
     "@contrast/fake-module": "file:test/mock/contrast-fake",
-    "@contrast/screener-service": "^1.12.5",
+    "@contrast/screener-service": "^1.12.8",
     "@hapi/boom": "file:test/mock/boom",
     "@hapi/hapi": "file:test/mock/hapi",
     "@ls-lint/ls-lint": "^1.8.1",
@@ -125,8 +125,8 @@
     "codecov": "^3.7.0",
     "config": "^3.3.3",
     "csv-writer": "^1.2.0",
-    "deasync": "^0.1.20",
-    "dustjs-linkedin": "^3.0.0",
+    "deasync": "^0.1.24",
+    "dustjs-linkedin": "^3.0.1",
     "ejs": "^3.1.6",
     "escape-html": "^1.0.3",
     "eslint": "^8.2.0",
@@ -152,6 +152,7 @@
     "mochawesome": "^7.0.1",
     "mongodb": "file:test/mock/mongodb",
     "mongodb-npm": "npm:mongodb@^3.6.5",
+    "mongoose": "^6.1.1",
     "mustache": "^3.0.1",
     "mysql": "file:test/mock/mysql",
     "nock": "^12.0.3",

package/perf-logs.js CHANGED Viewed

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/protect/rules/nosqli/no-sql-injection-rule.js DELETED Viewed

@@ -1,109 +0,0 @@
-/**
-Copyright: 2021 Contrast Security, Inc
-  Contact: support@contrastsecurity.com
-  License: Commercial
-  NOTICE: This Software and the patented inventions embodied within may only be
-  used as part of Contrast Security’s commercial offerings. Even though it is
-  made available through public repositories, use of this Software is subject to
-  the applicable End User Licensing Agreement found at
-  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
-  between Contrast Security and the End User. The Software may not be reverse
-  engineered, modified, repackaged, sold, redistributed or otherwise used in a
-  way not consistent with the End User License Agreement.
-*/
-const _ = require('lodash');
-const logger = require('../../../core/logger')('contrast:rules:protect');
-const { INPUT_TYPES, SINK_TYPES } = require('../common');
-const MONGODB = 'mongodb';
-const ScannerKit = new Map([
-  [MONGODB, () => require('../nosqli/nosql-scanner').create('MongoDB')]
-]);
-class NoSqlInjectionRule extends require('../') {
-  constructor(policy = {}) {
-    policy.inputParseDepth = 3;
-    super(policy);
-    this._scanners = new Map();
-    this.id = 'nosql-injection';
-    this.name = 'NoSQL Injection';
-    this.applicableInputs = [
-      INPUT_TYPES.BODY,
-      INPUT_TYPES.JSON_VALUE,
-      INPUT_TYPES.JSON_ARRAYED_VALUE,
-      INPUT_TYPES.PARAMETER_NAME,
-      INPUT_TYPES.PARAMETER_VALUE,
-      INPUT_TYPES.QUERYSTRING,
-      INPUT_TYPES.XML_VALUE,
-      INPUT_TYPES.URI,
-      INPUT_TYPES.URL_PARAMETER
-    ];
-    this.applicableSinks = [SINK_TYPES.NOSQL_QUERY];
-  }
-  evaluateAtSink({ event, applicableSamples }) {
-    if (_.isEmpty(applicableSamples)) {
-      return;
-    }
-    const scanner = this.getScanner(event.id);
-    for (const sample of applicableSamples) {
-      const injection = scanner.findInjection(sample.input.value, event.data);
-      if (injection) {
-        this.appendAttackDetails(sample, injection);
-        sample.captureAppContext(event);
-        logger.warn(`EFFECTIVE - rule: ${this.id}, mode: ${this.mode} `);
-        this.blockRequest(sample);
-      }
-    }
-  }
-  getScanner(id) {
-    if (!ScannerKit.has(id)) {
-      throw new Error(`Unknown NoSQL scanner: ${id}`);
-    }
-    if (!this._scanners.has(id)) {
-      this._scanners.set(id, ScannerKit.get(id)());
-    }
-    return this._scanners.get(id);
-  }
-  /**
-   * Builds details for Sql Injection Attack.
-   * @param   {UserInput} inputDtm The user input that resulted in attack
-   * @param   {String}    query    The query that was analyzed
-   * @param   {Object}    results  The repsults of the sql-scanner
-   * @returns {Object}             The details
-   */
-  buildDetails(sample, findings) {
-    if (!findings) {
-      return null;
-    }
-    const { boundary, location, query } = findings;
-    const inputBoundaryIndex = boundary.previous
-      ? boundary.previous.start
-      : boundary.start;
-    return {
-      start: location[0],
-      end: location[1] + 1,
-      input: sample.input.toSerializable(),
-      boundaryOverrunIndex: boundary.stop + 1,
-      inputBoundaryIndex,
-      query
-    };
-  }
-}
-module.exports = NoSqlInjectionRule;