npm - @contrast/agent - Versions diffs - 4.7.0 → 4.9.1 - Mend

@contrast/agent 4.7.0 → 4.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (563) hide show

package/lib/assess/propagators/string-prototype-split.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -164,28 +164,27 @@ module.exports.handle = {
           if (tagStart !== null) {
             newTagRanges.push(new TagRange(tagStart, tagStop, tag.tag));
             const tracked = tracker.track(stringPart);
-            const props = tracker.getData(tracked);
-            if (!props.tagRanges) {
-              props.tagRanges = [];
+            if (tracked) {
+              tracked.props.tagRanges.push(new TagRange(tagStart, tagStop, tag.tag));
+              result[i] = tracked.str;
             }
-            props.tagRanges.push(new TagRange(tagStart, tagStop, tag.tag));
-            result[i] = tracked;
           }
         });
         if (newTagRanges.length > 0) {
           const tracked = tracker.track(stringPart);
-          const props = tracker.getData(tracked);
-          props.tagRanges = newTagRanges;
-          result[i] = tracked;
-          const event = new PropagationEvent({
-            context: ctxt,
-            signature: sig,
-            tagRanges: tracked.tagRanges,
-            source: 'O',
-            target: 'R'
-          });
-          event.parents.push(oldEvent);
-          props.event = event;
+          if (tracked) {
+            tracked.props.tagRanges = newTagRanges;
+            result[i] = tracked.str;
+            const event = new PropagationEvent({
+              context: ctxt,
+              signature: sig,
+              tagRanges: tracked.props.tagRanges,
+              source: 'O',
+              target: 'R'
+            });
+            event.parents.push(oldEvent);
+            tracked.props.event = event;
+          }
         }
       }
       data.result = result;
@@ -225,21 +224,21 @@ function handleEmptySeperator(data, oldTagRanges, oldEvent) {
       if (sharedCharInfo.has(i)) {
         info = sharedCharInfo.get(i);
       } else {
-        const trackedString = tracker.track(char);
-        const trackedProperties = tracker.getData(trackedString);
-        const event = new PropagationEvent({
-          context: ctxt,
-          signature: sig,
-          tagRanges: getTagRanges(trackedString),
-          source: 'O',
-          target: 'R'
-        });
-        trackedProperties.event = event;
-        info = { event, tagRanges: trackedProperties.tagRanges };
-        sharedCharInfo.set(i, info);
-        result[i] = trackedString;
+        const tracked = tracker.track(char);
+        if (tracked) {
+          const event = new PropagationEvent({
+            context: ctxt,
+            signature: sig,
+            tagRanges: getTagRanges(tracked.str),
+            source: 'O',
+            target: 'R'
+          });
+          tracked.props.event = event;
+          info = { event, tagRanges: tracked.props.tagRanges };
+          sharedCharInfo.set(i, info);
+          result[i] = tracked.str;
+        }
       }
       info.tagRanges.push(new TagRange(0, 0, tag.tag));
@@ -257,10 +256,11 @@ function transferTracking(origString, resultArray) {
   for (let i = 0; i < resultArray.length; i++) {
     const tracked = tracker.track(resultArray[i]);
-    const trackedProperties = tracker.getData(tracked);
-    trackedProperties.tagRanges = getTagRanges(origString);
-    trackedProperties.event = getEvent(origString);
-    resultArray[i] = tracked;
+    if (tracked) {
+      tracked.props.tagRanges = getTagRanges(origString);
+      tracked.props.event = getEvent(origString);
+      resultArray[i] = tracked.str;
+    }
   }
   return resultArray;
 }

package/lib/assess/propagators/string-prototype-trim.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -25,7 +25,7 @@ const signature = new Signature('String.prototype.trim');
 function handle(data) {
   const { obj, result } = data;
   const sourceMetadata = tracker.getData(obj);
-  if (!sourceMetadata.tracked) {
+  if (!sourceMetadata) {
     return;
   }
@@ -43,21 +43,19 @@ function handle(data) {
   }
   const tracked = tracker.track(result);
-  const trackedData = tracker.getData(tracked);
-  if (!trackedData.tracked) {
-    return;
+  if (tracked) {
+    tracked.props.tagRanges = targetRanges;
+    const context = new CallContext(data);
+    const event = new PropagationEvent({
+      context,
+      signature,
+      tagRanges: targetRanges,
+      source: 'O',
+      target: 'R'
+    });
+    event.parents.push(sourceEvent);
+    tracked.props.event = event;
+    data.result = tracked.str;
   }
-  trackedData.tagRanges = targetRanges;
-  const context = new CallContext(data);
-  const event = new PropagationEvent({
-    context,
-    signature,
-    tagRanges: targetRanges,
-    source: 'O',
-    target: 'R'
-  });
-  event.parents.push(sourceEvent);
-  trackedData.event = event;
-  data.result = tracked;
 }

package/lib/assess/propagators/string.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -41,30 +41,26 @@ function handle() {
       // Checks if the string literal form of the new String object is tracked.
       // If so, we will want to copy the existing tag ranges below.
-      if (data.obj && !argData.tracked) {
+      if (data.obj && !argData) {
         argData = tracker.getData(data.result.toString());
       }
-      if (!arg || !argData.tracked) {
+      if (!arg || !argData) {
         return;
       }
-      const newStr = tracker.track(data.result);
-      const newStrData = tracker.getData(newStr);
+      const tracked = tracker.track(data.result);
+      if (tracked) {
+        // In a constructor context, data.obj is set to the new String object.
+        // When a new String object is instantiated we must copy the existing tag
+        // ranges from the string literal to the new String object.
+        if (data.obj) {
+          tracked.props.event = argData.event;
+          tracked.props.tagRanges = tracked.props.tagRanges.concat(argData.tagRanges);
+        }
-      if (!newStrData.tracked) {
-        return;
-      }
-      // In a constructor context, data.obj is set to the new String object.
-      // When a new String object is instantiated we must copy the existing tag
-      // ranges from the string literal to the new String object.
-      if (data.obj) {
-        newStrData.event = argData.event;
-        newStrData.tagRanges = newStrData.tagRanges.concat(argData.tagRanges);
+        data.result = tracked.str;
       }
-      data.result = newStr;
     }
   });
 }

package/lib/assess/propagators/template-escape.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -50,35 +50,38 @@ function getEscapedTagRanges(input, result, start, stop, tag) {
 function propagator(data, tagName, signatureName) {
   const input = data.args[0];
-  if (!input || !tracker.getData(input).tracked) {
+  const trackedData = tracker.getData(input);
+  if (!input || !trackedData) {
     return;
   }
   // adjust tag ranges
   const tagRanges = [];
-  tracker.getData(input).tagRanges.forEach((range) => {
+  trackedData.tagRanges.forEach((range) => {
     const { start, stop, tag } = range;
     tagRanges.push(
       ...getEscapedTagRanges(input, data.result, start, stop, tag)
     );
   });
   tagRanges.push(new TagRange(0, data.result.length - 1, tagName));
-  const result = tracker.track(data.result);
-  const trackData = tracker.getData(result);
-  trackData.tagRanges = tagRanges;
-  trackData.event = new PropagationEvent({
-    context: new CallContext({
-      ...data,
-      obj: null
-    }),
-    parents: [trackData.event],
-    signature: new Signature(signatureName),
-    source: 'P',
-    target: 'R',
-    tagRanges,
-    tags: tagName
-  });
-  data.result = result;
+  const tracked = tracker.track(data.result);
+  if (tracked) {
+    tracked.props.tagRanges = tagRanges;
+    tracked.props.event = new PropagationEvent({
+      context: new CallContext({
+        ...data,
+        obj: null
+      }),
+      parents: [tracked.props.event],
+      signature: new Signature(signatureName),
+      source: 'P',
+      target: 'R',
+      tagRanges,
+      tags: tagName
+    });
+    data.result = tracked.str;
+  }
 }
 module.exports.propagate = propagator;

package/lib/assess/propagators/templates.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -75,17 +75,17 @@ function __contrastTag(...args) {
   });
   if (tagRanges.length > 0) {
-    result = tracker.track(result);
-    const resultContrastProperties = tracker.getData(result);
-    if (resultContrastProperties.tracked) {
+    const tracked = tracker.track(result);
+    if (tracked) {
       buildProperties(
-        resultContrastProperties,
+        tracked.props,
         tagRanges,
         expressions,
-        result,
+        tracked.str,
         strings,
         sourceEvents
       );
+      result = tracked.str;
     }
   }
@@ -143,18 +143,18 @@ function buildProperties(props, tagRanges, exps, result, strings, events) {
  */
 function moveTags(exp, sourceEvents, tagRanges, offset) {
   const contrastProperties = tracker.getData(exp);
-  const tracked = contrastProperties.tracked || tagRanges.length > 0;
+  const tracked = contrastProperties || tagRanges.length > 0;
   if (!tracked) {
     return tagRanges;
   }
-  const event = contrastProperties.tracked && contrastProperties.event;
+  const event = contrastProperties && contrastProperties.event;
   if (event) {
     sourceEvents.push(event);
   }
   let newTagRanges = [];
-  if (contrastProperties.tracked) newTagRanges = contrastProperties.tagRanges;
+  if (contrastProperties) newTagRanges = contrastProperties.tagRanges;
   return tagRangeUtil.addAllWithOffset(tagRanges, newTagRanges, offset);
 }

package/lib/assess/propagators/url/url-prototype-parse.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -45,7 +45,7 @@ function handle(data) {
   const address = data.args[0];
   const sourceMetadata = tracker.getData(address);
-  if (!sourceMetadata.tracked) {
+  if (!sourceMetadata) {
     return;
   }
@@ -71,9 +71,8 @@ function propagate(sourceMetadata, address, data) {
     if (part && typeof part === 'string' && part !== '') {
       const tracked = tracker.track(part);
-      const trackedData = tracker.getData(tracked);
-      if (!trackedData.tracked) {
+      if (!tracked) {
         continue;
       }
@@ -105,10 +104,10 @@ function propagate(sourceMetadata, address, data) {
       );
       event.parents.push(sourceEvent);
-      trackedData.tagRanges = targetTagRanges;
-      trackedData.event = event;
+      tracked.props.tagRanges = targetTagRanges;
+      tracked.props.event = event;
-      url[key] = tracked;
+      url[key] = tracked.str;
     }
   }
 }

package/lib/assess/propagators/url/url-url.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -71,6 +71,9 @@ function setHostnamePortTags(urlObj, stack, args, sourceEvent) {
   }
   const hostData = tracker.getData(urlObj._contrast_host);
+  if (!hostData) {
+    return;
+  }
   const hostnameTags = tagRangeUtil.trim(hostData.tagRanges, 0, splitIndex - 1);
   const portTags = tagRangeUtil.trim(
     hostData.tagRanges,
@@ -81,21 +84,25 @@ function setHostnamePortTags(urlObj, stack, args, sourceEvent) {
   if (hostnameTags.length > 0) {
     const hostnameTracked = tracker.track(hostname);
-    tracker.getData(hostnameTracked).tagRanges = hostnameTags;
-    urlObj._contrast_hostname = hostnameTracked;
-    event = createEvent('url.URL', stack, hostnameTags, hostname, args, urlObj);
-    event.parents.push(sourceEvent);
-    event.tagRanges = hostnameTags;
-    tracker.getData(hostnameTracked).event = event;
+    if (hostnameTracked) {
+      hostnameTracked.props.tagRanges = hostnameTags;
+      urlObj._contrast_hostname = hostnameTracked.str;
+      event = createEvent('url.URL', stack, hostnameTags, hostname, args, urlObj);
+      event.parents.push(sourceEvent);
+      event.tagRanges = hostnameTags;
+      hostnameTracked.props.event = event;
+    }
   }
   if (portTags.length > 0) {
     const portTracked = tracker.track(port);
-    tracker.getData(portTracked).tagRanges = portTags;
-    urlObj._contrast_port = portTracked;
-    event = createEvent('url.URL', stack, portTags, port, args, urlObj);
-    event.parents.push(sourceEvent);
-    event.tagRanges = portTags;
-    tracker.getData(portTracked).event = event;
+    if (portTracked) {
+      portTracked.props.tagRanges = portTags;
+      urlObj._contrast_port = portTracked.str;
+      event = createEvent('url.URL', stack, portTags, port, args, urlObj);
+      event.parents.push(sourceEvent);
+      event.tagRanges = portTags;
+      portTracked.props.event = event;
+    }
   }
 }
@@ -136,26 +143,28 @@ function joinProperties(urlObj, sourceProps, separators) {
   }
   // copy tag ranges
-  const result = tracker.track(value);
   let valIdx = 0;
   sepIdx = 0;
   let tags = [];
   for (const prop of sourceProps) {
-    if (urlObj[`_contrast_${prop}`]) {
+    const trackedPropData = tracker.getData(urlObj[`_contrast_${prop}`]);
+    if (trackedPropData) {
       tags = tagRangeUtil.addAll(
         tags,
         offsetTagRanges(
-          tracker.getData(urlObj[`_contrast_${prop}`]).tagRanges,
+          trackedPropData.tagRanges,
           valIdx
         )
       );
     }
     valIdx += urlObj[prop].length + separators[sepIdx++].length;
   }
-  tracker.getData(result).tagRanges = tags;
-  return result;
+  const tracked = tracker.track(value);
+  if (tracked) {
+    tracked.props.tagRanges = tags;
+    return tracked.str;
+  }
 }
 /**
@@ -172,7 +181,8 @@ function setOriginTags(urlObj, stack, args, sourceEvent) {
   //
   const trackedOrigin = joinProperties(urlObj, SET_ORIGIN_TAGS, ['//', '']);
-  if (tracker.getData(trackedOrigin).tagRanges.length === 0) {
+  const trackedOriginData = tracker.getData(trackedOrigin);
+  if (!trackedOriginData || trackedOriginData.tagRanges.length === 0) {
     return;
   }
   urlObj._contrast_origin = trackedOrigin;
@@ -180,14 +190,14 @@ function setOriginTags(urlObj, stack, args, sourceEvent) {
   const event = createEvent(
     'url.URL',
     stack,
-    tracker.getData(trackedOrigin).tagRanges,
+    trackedOriginData.tagRanges,
     trackedOrigin,
     args,
     urlObj
   );
   event.parents.push(sourceEvent);
-  event.tagRanges = tracker.getData(trackedOrigin).tagRanges;
-  tracker.getData(trackedOrigin).event = event;
+  event.tagRanges = trackedOriginData.tagRanges;
+  trackedOriginData.event = event;
 }
 /**
@@ -221,7 +231,7 @@ function setHrefTags(urlObj, stack, args, sourceEvent) {
   const joinedHref = joinProperties(urlObj, properties, separators);
   const joinedHrefData = tracker.getData(joinedHref);
-  if (joinedHrefData.tagRanges.length === 0) {
+  if (!joinedHrefData || joinedHrefData.tagRanges.length === 0) {
     return;
   }
   urlObj._contrast_href = joinedHref;
@@ -235,7 +245,7 @@ function setHrefTags(urlObj, stack, args, sourceEvent) {
   );
   event.parents.push(sourceEvent);
   event.tagRanges = joinedHrefData.tagRanges;
-  tracker.getData(urlObj._contrast_href).event = event;
+  joinedHrefData.event = event;
 }
 /**
@@ -300,21 +310,22 @@ function copyTagsSingleSource(sourceTagRanges, sourceEvent, data) {
     copied = true;
     const trackedKey = `_contrast_${key}`;
     const tracked = tracker.track(val);
-    const trackedData = tracker.getData(tracked);
-    trackedData.tagRanges = trimmed;
-    urlObj[trackedKey] = tracked;
-    // only create the stack once because stack creation is expensive
-    stack =
-      stack ||
-      stackFactory.createSnapshot({
-        constructorOpt: data.hooked
-      })();
-    event = createEvent('url.URL', stack, trimmed, val, args, urlObj);
-    event.parents.push(sourceEvent);
-    event.tagRanges = trimmed;
-    trackedData.event = event;
+    if (tracked) {
+      tracked.props.tagRanges = trimmed;
+      urlObj[trackedKey] = tracked.str;
+      // only create the stack once because stack creation is expensive
+      stack =
+        stack ||
+        stackFactory.createSnapshot({
+          constructorOpt: data.hooked
+        })();
+      event = createEvent('url.URL', stack, trimmed, val, args, urlObj);
+      event.parents.push(sourceEvent);
+      event.tagRanges = trimmed;
+      tracked.props.event = event;
+    }
   }
   if (!copied) {
@@ -351,10 +362,7 @@ function callUnwrapped(input) {
  */
 function skipTracking(inputData, baseData) {
   // if neither input or base are tracked we can just skip tracking
-  if (
-    (!inputData.tracked && baseData && !baseData.tracked) ||
-    (!inputData.tracked && !baseData)
-  ) {
+  if (!inputData && !baseData) {
     return true;
   }
   return false;

package/lib/assess/propagators/url/utils.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/propagators/util/format.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -266,7 +266,7 @@ const propagate = function propagate(util, data) {
   };
   const fmtStrMeta = tracker.getData(fmtStr);
-  if (fmtStrMeta.tracked) {
+  if (fmtStrMeta) {
     resultMeta.fmtStrTagRanges = fmtStrMeta.tagRanges.map((tagRange) =>
       tagRangeWithOriginals(
         new TagRange(tagRange.start, tagRange.stop, tagRange.tag)

package/lib/assess/propagators/utils.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial

package/lib/assess/propagators/v8/init-hooks.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
   License: Commercial
@@ -63,7 +63,7 @@ module.exports.handle = function handle() {
         if (tracked) {
           // it was behind a membrane
           data.result[TRACKED] = tracked;
-        } else if (tracker.getData2(data.args[0])) {
+        } else if (tracker.getData(data.args[0])) {
           // it was a tracked string
           data.result[TRACKED] = data.args[0];
         }
@@ -80,13 +80,13 @@ module.exports.handle = function handle() {
           return;
         }
-        const sTracking = tracker.getData2(tracked);
+        const sTracking = tracker.getData(tracked);
         // if the argument was a tracked string then the result should
         // have the same tags. i don't know that the length of a string
         // can change as a result of deserialize(serialize()) but best
         // to be safe.
         if (sTracking) {
-          const resultTracking = tracker.track2(data.result);
+          const resultTracking = tracker.track(data.result);
           if (!resultTracking) {
             // there's nothing to do if tracking failed on the result. it should
             // only do so on a zero-length string, but node works in mysterious ways.