npm - @contrast/agent - Versions diffs - 4.7.0 → 4.9.1 - Mend

@contrast/agent 4.7.0 → 4.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (563) hide show

package/lib/assess/propagators/path/dirname.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -42,7 +42,7 @@ module.exports.handle = function handle() {
           if (!data.args[0]) return;
           const trackingData = tracker.getData(data.args[0]);
-          if (!trackingData.tracked) return;
+          if (!trackingData) return;
           // path.dirname() does a slice at 0 to the calculated end separator
           const tagRanges = createSubsetTagRanges({
@@ -57,19 +57,20 @@ module.exports.handle = function handle() {
           if (!tagRanges.length) return;
-          const result = tracker.track(data.result);
-          const resultData = tracker.getData(result);
+          const tracked = tracker.track(data.result);
           const parentEvent = trackingData.event;
-          resultData.tagRanges = tagRanges;
-          resultData.event = new PropagationEvent({
-            context: new CallContext(data),
-            parents: [parentEvent],
-            signature,
-            source: 'P',
-            tagRanges,
-            target: 'R'
-          });
-          data.result = result;
+          if (tracked) {
+            tracked.props.tagRanges = tagRanges;
+            tracked.props.event = new PropagationEvent({
+              context: new CallContext(data),
+              parents: [parentEvent],
+              signature,
+              source: 'P',
+              tagRanges,
+              target: 'R'
+            });
+            data.result = tracked.str;
+          }
         }
       });
     }

package/lib/assess/propagators/path/extname.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -42,7 +42,7 @@ module.exports.handle = function handle() {
           if (!data.args[0] || !data.result) return;
           const trackingData = tracker.getData(data.args[0]);
-          if (!trackingData.tracked) return;
+          if (!trackingData) return;
           // The path.extname() implementation does a substr on the argument
           // based on the calculated index of the last dot
@@ -62,19 +62,20 @@ module.exports.handle = function handle() {
           // no tags propagated to the result
           if (!tagRanges.length) return;
-          const result = tracker.track(data.result);
-          const resultData = tracker.getData(result);
+          const tracked = tracker.track(data.result);
           const parentEvent = trackingData.event;
-          resultData.tagRanges = tagRanges;
-          resultData.event = new PropagationEvent({
-            context: new CallContext(data),
-            parents: [parentEvent],
-            signature,
-            source: 'P',
-            tagRanges,
-            target: 'R'
-          });
-          data.result = result;
+          if (tracked) {
+            tracked.props.tagRanges = tagRanges;
+            tracked.props.event = new PropagationEvent({
+              context: new CallContext(data),
+              parents: [parentEvent],
+              signature,
+              source: 'P',
+              tagRanges,
+              target: 'R'
+            });
+            data.result = tracked.str;
+          }
         }
       });
     }

package/lib/assess/propagators/path/format.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/propagators/path/join.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/propagators/path/normalize.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/propagators/path/parse.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -24,7 +24,7 @@ const propagate = function propagate(data) {
   const props = tracker.getData(data.args[0]);
   const { result } = data;
-  if (props.tracked && result) {
+  if (props && result) {
     const membrane = new DeserializationMembrane(data, props);
     data.result = membrane.wrap(result);
   }

package/lib/assess/propagators/path/relative.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -35,7 +35,7 @@ const provider = {
     const { args, result } = data;
     const trackData = tracker.getData(args[1]);
-    if (!trackData.tracked) {
+    if (!trackData) {
       return;
     }
@@ -61,10 +61,12 @@ const provider = {
         },
         data
       );
-      data.result = tracker.track(data.result);
-      const resultTrackData = tracker.getData(data.result);
-      resultTrackData.tagRanges = shiftedRanges;
-      resultTrackData.event = event;
+      const tracked = tracker.track(data.result);
+      if (tracked) {
+        data.result = tracked.str;
+        tracked.props.tagRanges = shiftedRanges;
+        tracked.props.event = event;
+      }
     }
   },
   /**

package/lib/assess/propagators/path/resolve.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/propagators/path/to-namespaced-path.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/propagators/pug-compile.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/propagators/querystring/escape.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -21,34 +21,36 @@ const qsUtils = require('./utils');
 function handler(data) {
   const input = data.args[0];
+  const trackedData = tracker.getData(input);
-  if (!input || !tracker.getData(input).tracked) {
+  if (!input || !trackedData) {
     return;
   }
   // adjust tag ranges
   const tagRanges = [];
-  tracker.getData(input).tagRanges.forEach((tag) => {
+  trackedData.tagRanges.forEach((tag) => {
     tagRanges.push(qsUtils.adjustRangeEscape(tag, 0, input));
   });
   tagRanges.push(new TagRange(0, data.result.length - 1, 'url-encoded'));
-  const result = tracker.track(data.result);
-  const trackData = tracker.getData(result);
-  trackData.tagRanges = tagRanges;
-  trackData.event = new PropagationEvent({
-    context: new CallContext({
-      ...data,
-      obj: null
-    }),
-    parents: [trackData.event],
-    signature: new Signature('querystring.escape'),
-    source: 'P',
-    target: 'R',
-    tagRanges,
-    tags: ['url-encoded']
-  });
-  data.result = result;
+  const tracked = tracker.track(data.result);
+  if (tracked) {
+    tracked.props.tagRanges = tagRanges;
+    tracked.props.event = new PropagationEvent({
+      context: new CallContext({
+        ...data,
+        obj: null
+      }),
+      parents: [tracked.props.event],
+      signature: new Signature('querystring.escape'),
+      source: 'P',
+      target: 'R',
+      tagRanges,
+      tags: ['url-encoded']
+    });
+    data.result = tracked.str;
+  }
 }
 module.exports.handle = handler;

package/lib/assess/propagators/querystring/parse.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -47,9 +47,11 @@ function getUnescapeWrapper(data, unescape) {
     // track the part w/ trimmed ranges if applicable
     if (tagRanges.length) {
-      result = tracker.track(part);
-      resultData = tracker.getData(result);
-      resultData.tagRanges = tagRanges;
+      const tracked = tracker.track(part);
+      if (tracked) {
+        result = tracked.str;
+        tracked.props.tagRanges = tagRanges;
+      }
     } else {
       result = part;
     }
@@ -58,7 +60,7 @@ function getUnescapeWrapper(data, unescape) {
     result = Scopes.runInAllowAllScope(() => unescape(result));
     resultData = tracker.getData(result);
-    if (resultData.tracked) {
+    if (resultData) {
       resultData.event = new PropagationEvent({
         context: new CallContext({
           ...data,
@@ -91,7 +93,7 @@ function pre(data) {
   }
   const trackingData = tracker.getData(input);
-  if (!trackingData.tracked) {
+  if (!trackingData) {
     return;
   }

package/lib/assess/propagators/querystring/stringify.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -129,7 +129,7 @@ class OnEscapeHandler {
     // set current key for reference if when array-valued
     this.currentKey = {
       value: escaped,
-      tagRanges: trackingData.tracked ? trackingData.tagRanges : null
+      tagRanges: trackingData ? trackingData.tagRanges : null
     };
     // capture track info before updating state
@@ -175,7 +175,7 @@ class OnEscapeHandler {
       this.offset += this.currentKey.value.length + this.eqLen;
     }
-    if (trackingData.tracked) {
+    if (trackingData) {
       ret.push({
         offset: this.offset,
         tagRanges: trackingData.tagRanges,
@@ -279,34 +279,35 @@ function post(data) {
   }
   const tracked = tracker.track(data.result);
-  const trackData = tracker.getData(tracked);
   if (data.state.escape === querystring.escape) {
     data.state.tagRanges.push(
       new TagRange(0, data.result.length - 1, 'url-encoded')
     );
   }
-  const sorted = _.sortBy(data.state.tagRanges, 'start');
-  trackData.tagRanges = [];
-  tagRangeUtil.addAllInPlace(trackData.tagRanges, sorted);
-  // stringify / encode
-  const method = data.funcKey.split('.')[1];
-  trackData.event = new PropagationEvent({
-    context: new CallContext({
-      ...data,
-      args: data.state.origArgs,
-      obj: null
-    }),
-    parents: Array.from(data.state.events),
-    signature: new Signature(`querystring.${method}`),
-    source: 'P',
-    tagRanges: trackData.tagRanges,
-    target: 'R',
-    tags: ['url-encoded']
-  });
-  data.result = tracked;
+  if (tracked) {
+    const sorted = _.sortBy(data.state.tagRanges, 'start');
+    tracked.props.tagRanges = [];
+    tagRangeUtil.addAllInPlace(tracked.props.tagRanges, sorted);
+    // stringify / encode
+    const method = data.funcKey.split('.')[1];
+    tracked.props.event = new PropagationEvent({
+      context: new CallContext({
+        ...data,
+        args: data.state.origArgs,
+        obj: null
+      }),
+      parents: Array.from(data.state.events),
+      signature: new Signature(`querystring.${method}`),
+      source: 'P',
+      tagRanges: tracked.props.tagRanges,
+      target: 'R',
+      tags: ['url-encoded']
+    });
+    data.result = tracked.str;
+  }
 }
 module.exports.handle = { pre, post };

package/lib/assess/propagators/querystring/unescape.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -20,14 +20,15 @@ const qsUtils = require('./utils');
 function handler(data) {
   const input = data.args[0];
+  const trackedData = tracker.getData(input);
-  if (!input || !tracker.getData(input).tracked) {
+  if (!input || !trackedData) {
     return;
   }
   // adjust tag ranges
   const tagRanges = [];
-  tracker.getData(input).tagRanges.forEach((tag) => {
+  trackedData.tagRanges.forEach((tag) => {
     if (tag.tag === 'url-encoded') {
       return;
     }
@@ -37,22 +38,23 @@ function handler(data) {
     return;
   }
-  const trackedResult = tracker.track(data.result);
-  const trackData = tracker.getData(trackedResult);
-  trackData.tagRanges = tagRanges;
-  trackData.event = new PropagationEvent({
-    context: new CallContext({
-      ...data,
-      obj: null
-    }),
-    parents: [trackData.event],
-    signature: new Signature('querystring.unescape'),
-    source: 'P',
-    tagRanges,
-    target: 'R',
-    untags: ['url-encoded']
-  });
-  data.result = trackedResult;
+  const tracked = tracker.track(data.result);
+  if (tracked) {
+    tracked.props.tagRanges = tagRanges;
+    tracked.props.event = new PropagationEvent({
+      context: new CallContext({
+        ...data,
+        obj: null
+      }),
+      parents: [tracked.props.event],
+      signature: new Signature('querystring.unescape'),
+      source: 'P',
+      tagRanges,
+      target: 'R',
+      untags: ['url-encoded']
+    });
+    data.result = tracked.str;
+  }
 }
 module.exports.handle = handler;

package/lib/assess/propagators/querystring/utils.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/propagators/sequelize/sql-string-escape.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -35,7 +35,7 @@ module.exports.handle = function() {
         post(data) {
           const trackingData = tracker.getData(data.result);
-          if (!trackingData.tracked) {
+          if (!trackingData) {
             return;
           }

package/lib/assess/propagators/sequelize/sql-string-format-named-parameters.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -80,7 +80,7 @@ module.exports.handle = function() {
         patchType: PATCH_TYPES.ASSESS_PROPAGATOR,
         post(data) {
           const trackingData = tracker.getData(data.result);
-          if (!trackingData.tracked) {
+          if (!trackingData) {
             return;
           }

package/lib/assess/propagators/sequelize/sql-string-format.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -44,7 +44,7 @@ module.exports.handle = function() {
         post(data) {
           // else either the replacement value or a values in the array replacement is being tracked
           const trackingData = tracker.getData(data.result);
-          if (!trackingData.tracked) {
+          if (!trackingData) {
             return;
           }
@@ -59,7 +59,7 @@ module.exports.handle = function() {
           const len = positions.length; // micro optomized since used multiple times
           for (let i = 0; i < len; i++) {
-            const isTracked = tracker.getData(replacements[i]).tracked;
+            const props = tracker.getData(replacements[i]);
             // we don't need to run in a no instrumentation scope here since
             // patcher will do so automatically since we're in a post hook
             const escapedVal = getSequelizeString().escape(
@@ -69,7 +69,7 @@ module.exports.handle = function() {
               true // true is required to get format function behavior.
             );
-            if (isTracked) {
+            if (props && props.tracked) {
               tagRangeUtil.addInPlace(
                 trackingData.tagRanges,
                 new TagRange(

package/lib/assess/propagators/sequelize/utils.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -22,8 +22,8 @@ const tracker = require('../../../tracker');
  */
 module.exports.isTracked = function isTracked(value) {
   return Array.isArray(value)
-    ? value.some((v) => typeof v === 'string' && tracker.getData(v).tracked)
-    : tracker.getData(value).tracked;
+    ? value.some((v) => typeof v === 'string' && tracker.getData(v))
+    : !!tracker.getData(value);
 };
 /**

package/lib/assess/propagators/string-prototype-replace.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -115,13 +115,13 @@ function getTrackData(callContext) {
   };
   const objData = tracker.getData(callContext.obj);
-  if (objData.tracked) {
+  if (objData) {
     trackData.objData = objData;
     trackData.resultTagRanges = objData.tagRanges.map((r) => r.clone());
   }
   const replacerData = tracker.getData(callContext.args[1]);
-  if (replacerData.tracked) {
+  if (replacerData) {
     trackData.replacerData = replacerData;
   }
@@ -243,7 +243,7 @@ function getReplacementAndCaptureDynamicTags({ callContext, args }) {
     // Allow propagation within replacer function so we can track return value.
     _replacer = invokeReplacer({ callContext, args, replacer });
     const data = tracker.getData(_replacer);
-    if (data.tracked) {
+    if (data) {
       trackData.dynamicTagRanges = data.tagRanges;
       trackData.dynamicEvents.add(data.event);
     } else {
@@ -297,7 +297,7 @@ function wrapOriginalReplacerArguments({ callContext, args }) {
   // Only wrap arguments that are used by replacer,
   for (let idx = 0; idx < replacer.length; idx++) {
     // and only track if needed
-    if (tracker.getData(args[idx]).tracked) {
+    if (tracker.getData(args[idx])) {
       continue;
     }
     trackReplacerArgAtPath({
@@ -330,20 +330,21 @@ function trackReplacerArgAtPath({ callContext, target, path, tagRanges }) {
         continue;
       }
-      const result = tracker.track(_result);
-      const trackData = tracker.getData(result);
-      // TODO: Improve accuracy here by deriving actual ranges from source,
-      // rather than applying "blanket" ranges the length of argument.
-      const tagRange = new TagRange(0, result.length - 1, tag);
-      trackData.tagRanges.push(tagRange);
-      trackData.event = createPropagationEvent({
-        callContext,
-        tagRanges: [tagRange],
-        result
-      });
-      captured.add(tag);
-      target[path] = result;
+      const tracked = tracker.track(_result);
+      if (tracked) {
+        // TODO: Improve accuracy here by deriving actual ranges from source,
+        // rather than applying "blanket" ranges the length of argument.
+        const tagRange = new TagRange(0, tracked.str.length - 1, tag);
+        tracked.props.tagRanges.push(tagRange);
+        tracked.props.event = createPropagationEvent({
+          callContext,
+          tagRanges: [tagRange],
+          result: tracked.str
+        });
+        captured.add(tag);
+        target[path] = tracked.str;
+      }
     }
   } else if (_.isObject(_result)) {
     for (const path of Object.keys(_result)) {
@@ -582,20 +583,21 @@ function trackFinalResult(callContext) {
     return;
   }
-  if (tracker.getData(callContext.result).tracked) {
+  if (tracker.getData(callContext.result)) {
     return;
   }
-  const result = tracker.track(callContext.result);
-  callContext.result = result;
+  const tracked = tracker.track(callContext.result);
-  const resultData = tracker.getData(result);
-  resultData.event = createPropagationEvent({
-    callContext,
-    tagRanges: trackData.resultTagRanges,
-    result
-  });
-  resultData.tagRanges = trackData.resultTagRanges;
+  if (tracked) {
+    tracked.props.event = createPropagationEvent({
+      callContext,
+      tagRanges: trackData.resultTagRanges,
+      result: tracked.str
+    });
+    tracked.props.tagRanges = trackData.resultTagRanges;
+    callContext.result = tracked.str;
+  }
 }
 /**