@contrast/agent 4.7.1 → 4.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (562)
  1. package/LICENSE +1 -1
  2. package/agent-loader.js +1 -1
  3. package/bootstrap.js +13 -3
  4. package/cli-rewriter.js +1 -1
  5. package/cli.js +1 -1
  6. package/esm.mjs +34 -1
  7. package/lib/agent-emitter.js +1 -1
  8. package/lib/agent.js +1 -1
  9. package/lib/app-info.js +1 -1
  10. package/lib/assess/deadzones/index.js +1 -1
  11. package/lib/assess/deadzones/rewrite.js +1 -1
  12. package/lib/assess/express/index.js +1 -1
  13. package/lib/assess/express/route-coverage.js +1 -1
  14. package/lib/assess/express/sinks/index.js +1 -1
  15. package/lib/assess/express/sinks/xss.js +1 -1
  16. package/lib/assess/express/sources.js +1 -1
  17. package/lib/assess/fastify/index.js +1 -1
  18. package/lib/assess/fastify/route-coverage.js +1 -1
  19. package/lib/assess/fastify/sinks/index.js +1 -1
  20. package/lib/assess/fastify/sinks/response-scanning.js +1 -1
  21. package/lib/assess/fastify/sinks/unvalidated-redirect.js +1 -1
  22. package/lib/assess/fastify/sinks/xss.js +1 -1
  23. package/lib/assess/fastify/sources.js +1 -1
  24. package/lib/assess/hapi/index.js +1 -1
  25. package/lib/assess/hapi/route-coverage.js +1 -1
  26. package/lib/assess/hapi/sinks/index.js +1 -1
  27. package/lib/assess/hapi/sinks/response-scanning.js +1 -1
  28. package/lib/assess/hapi/sinks/session.js +1 -1
  29. package/lib/assess/hapi/sinks/unvalidated-redirect.js +1 -1
  30. package/lib/assess/hapi/sinks/xss.js +1 -1
  31. package/lib/assess/hapi/sources.js +1 -1
  32. package/lib/assess/index.js +3 -1
  33. package/lib/assess/koa/index.js +1 -1
  34. package/lib/assess/koa/route-coverage.js +1 -1
  35. package/lib/assess/koa/sinks/index.js +1 -1
  36. package/lib/assess/koa/sinks/response-scanning.js +1 -1
  37. package/lib/assess/koa/sinks/unvalidated-redirect.js +1 -1
  38. package/lib/assess/koa/sinks/xss.js +1 -1
  39. package/lib/assess/koa/sources.js +1 -1
  40. package/lib/assess/loopback4/index.js +1 -1
  41. package/lib/assess/loopback4/route-coverage.js +1 -1
  42. package/lib/assess/loopback4/sinks/index.js +1 -1
  43. package/lib/assess/loopback4/sinks/response-scanning.js +1 -1
  44. package/lib/assess/loopback4/sinks/xss.js +1 -1
  45. package/lib/assess/loopback4/sources.js +1 -1
  46. package/lib/assess/membrane/debraner.js +1 -1
  47. package/lib/assess/membrane/deserialization-membrane.js +1 -1
  48. package/lib/assess/membrane/index.js +1 -1
  49. package/lib/assess/membrane/source-membrane.js +1 -1
  50. package/lib/assess/models/base-event.js +1 -1
  51. package/lib/assess/models/call-context.js +1 -1
  52. package/lib/assess/models/index.js +1 -1
  53. package/lib/assess/models/propagation-event.js +1 -1
  54. package/lib/assess/models/signature.js +1 -1
  55. package/lib/assess/models/sink-event.js +1 -1
  56. package/lib/assess/models/source-event.js +7 -1
  57. package/lib/assess/models/tag-range/index.js +1 -1
  58. package/lib/assess/models/tag-range/relationships.js +1 -1
  59. package/lib/assess/models/tag-range/util.js +1 -1
  60. package/lib/assess/policy/index.js +1 -1
  61. package/lib/assess/policy/init.js +1 -1
  62. package/lib/assess/policy/rules.json +29 -0
  63. package/lib/assess/policy/signatures.json +6 -6
  64. package/lib/assess/policy/util.js +1 -1
  65. package/lib/assess/propagators/JSON/parse.js +1 -1
  66. package/lib/assess/propagators/JSON/stringify.js +78 -8
  67. package/lib/assess/propagators/ajv/conditionals.js +1 -1
  68. package/lib/assess/propagators/ajv/evaluator-shim.js +1 -1
  69. package/lib/assess/propagators/ajv/index.js +1 -1
  70. package/lib/assess/propagators/ajv/json-schema-type-evaluators.js +1 -1
  71. package/lib/assess/propagators/ajv/object-walk.js +1 -1
  72. package/lib/assess/propagators/ajv/refs.js +1 -1
  73. package/lib/assess/propagators/ajv/schema-context.js +1 -1
  74. package/lib/assess/propagators/array-prototype-join.js +1 -1
  75. package/lib/assess/propagators/common.js +1 -1
  76. package/lib/assess/propagators/dustjs/escape-html.js +1 -1
  77. package/lib/assess/propagators/dustjs/escape-js.js +1 -1
  78. package/lib/assess/propagators/ejs-template-generate-source.js +1 -1
  79. package/lib/assess/propagators/encode-uri/encode-uri-component.js +1 -1
  80. package/lib/assess/propagators/encode-uri/encode-uri.js +1 -1
  81. package/lib/assess/propagators/handlebars-compile.js +1 -1
  82. package/lib/assess/propagators/handlebars-escape-expresssion.js +1 -1
  83. package/lib/assess/propagators/index.js +1 -1
  84. package/lib/assess/propagators/joi/any.js +48 -0
  85. package/lib/assess/propagators/joi/boolean.js +1 -1
  86. package/lib/assess/propagators/joi/expression.js +1 -1
  87. package/lib/assess/propagators/joi/index.js +3 -1
  88. package/lib/assess/propagators/joi/number.js +1 -1
  89. package/lib/assess/propagators/joi/object.js +61 -0
  90. package/lib/assess/propagators/joi/string-base.js +17 -1
  91. package/lib/assess/propagators/joi/string-schema.js +1 -1
  92. package/lib/assess/propagators/joi/values.js +1 -1
  93. package/lib/assess/propagators/manager.js +1 -1
  94. package/lib/assess/propagators/mongoose/helpers.js +1 -1
  95. package/lib/assess/propagators/mongoose/index.js +1 -1
  96. package/lib/assess/propagators/mongoose/map.js +1 -1
  97. package/lib/assess/propagators/mongoose/string.js +9 -1
  98. package/lib/assess/propagators/mustache/escape.js +1 -1
  99. package/lib/assess/propagators/number.js +1 -1
  100. package/lib/assess/propagators/object.js +1 -1
  101. package/lib/assess/propagators/path/basename.js +1 -1
  102. package/lib/assess/propagators/path/common.js +1 -1
  103. package/lib/assess/propagators/path/dirname.js +1 -1
  104. package/lib/assess/propagators/path/extname.js +1 -1
  105. package/lib/assess/propagators/path/format.js +1 -1
  106. package/lib/assess/propagators/path/join.js +1 -1
  107. package/lib/assess/propagators/path/normalize.js +1 -1
  108. package/lib/assess/propagators/path/parse.js +1 -1
  109. package/lib/assess/propagators/path/relative.js +1 -1
  110. package/lib/assess/propagators/path/resolve.js +1 -1
  111. package/lib/assess/propagators/path/to-namespaced-path.js +1 -1
  112. package/lib/assess/propagators/pug-compile.js +1 -1
  113. package/lib/assess/propagators/querystring/escape.js +1 -1
  114. package/lib/assess/propagators/querystring/parse.js +1 -1
  115. package/lib/assess/propagators/querystring/stringify.js +1 -1
  116. package/lib/assess/propagators/querystring/unescape.js +1 -1
  117. package/lib/assess/propagators/querystring/utils.js +1 -1
  118. package/lib/assess/propagators/sequelize/sql-string-escape.js +1 -1
  119. package/lib/assess/propagators/sequelize/sql-string-format-named-parameters.js +1 -1
  120. package/lib/assess/propagators/sequelize/sql-string-format.js +1 -1
  121. package/lib/assess/propagators/sequelize/utils.js +1 -1
  122. package/lib/assess/propagators/string-prototype-replace.js +1 -1
  123. package/lib/assess/propagators/string-prototype-split.js +1 -1
  124. package/lib/assess/propagators/string-prototype-trim.js +1 -1
  125. package/lib/assess/propagators/string.js +1 -1
  126. package/lib/assess/propagators/template-escape.js +1 -1
  127. package/lib/assess/propagators/templates.js +1 -1
  128. package/lib/assess/propagators/url/url-prototype-parse.js +1 -1
  129. package/lib/assess/propagators/url/url-url.js +1 -1
  130. package/lib/assess/propagators/url/utils.js +1 -1
  131. package/lib/assess/propagators/util/format.js +1 -1
  132. package/lib/assess/propagators/utils.js +1 -1
  133. package/lib/assess/propagators/v8/init-hooks.js +1 -1
  134. package/lib/assess/propagators/validator/init-hooks.js +1 -1
  135. package/lib/assess/propagators/validator/validator-methods.js +1 -2
  136. package/lib/assess/response-scanning/app-activity.js +1 -1
  137. package/lib/assess/response-scanning/autocomplete-missing.js +1 -1
  138. package/lib/assess/response-scanning/cache-controls-missing.js +1 -1
  139. package/lib/assess/response-scanning/clickjacking-control-missing.js +1 -1
  140. package/lib/assess/response-scanning/common.js +1 -1
  141. package/lib/assess/response-scanning/cookies/common.js +1 -1
  142. package/lib/assess/response-scanning/cookies/events.js +1 -1
  143. package/lib/assess/response-scanning/cookies/httponly.js +1 -1
  144. package/lib/assess/response-scanning/cookies/secure-flag-missing.js +1 -1
  145. package/lib/assess/response-scanning/headers/csp-header-insecure.js +1 -1
  146. package/lib/assess/response-scanning/headers/csp-header-missing.js +1 -1
  147. package/lib/assess/response-scanning/headers/csp-utils.js +1 -1
  148. package/lib/assess/response-scanning/headers/hsts-header-missing.js +1 -1
  149. package/lib/assess/response-scanning/headers/powered-by.js +1 -1
  150. package/lib/assess/response-scanning/headers/xcontenttype-header-missing.js +1 -1
  151. package/lib/assess/response-scanning/headers/xxssprotection-header-disabled.js +1 -1
  152. package/lib/assess/response-scanning/parameter-pollution.js +1 -1
  153. package/lib/assess/response-scanning/parseable-response-emitter.js +1 -1
  154. package/lib/assess/restify/index.js +1 -1
  155. package/lib/assess/restify/route-coverage.js +1 -1
  156. package/lib/assess/restify/session.js +1 -1
  157. package/lib/assess/restify/sinks/index.js +1 -1
  158. package/lib/assess/restify/sinks/response-scanning.js +1 -1
  159. package/lib/assess/restify/sinks/unvalidated-redirect.js +1 -1
  160. package/lib/assess/restify/sinks/xss.js +1 -1
  161. package/lib/assess/restify/sources.js +1 -1
  162. package/lib/assess/sinks/common.js +1 -1
  163. package/lib/assess/sinks/dustjs-linkedin-xss.js +1 -1
  164. package/lib/assess/sinks/dynamo.js +1 -1
  165. package/lib/assess/sinks/hapi-16-xss.js +1 -1
  166. package/lib/assess/sinks/index.js +1 -1
  167. package/lib/assess/sinks/libxmljs-xxe.js +1 -1
  168. package/lib/assess/sinks/mongodb.js +1 -1
  169. package/lib/assess/sinks/rethinkdb-nosql-injection.js +142 -0
  170. package/lib/assess/sinks/ssrf-url.js +1 -1
  171. package/lib/assess/sources/event-handler.js +307 -0
  172. package/lib/assess/sources/formidable.js +1 -1
  173. package/lib/assess/sources/index.js +94 -6
  174. package/lib/assess/spdy/index.js +23 -0
  175. package/lib/assess/spdy/sinks/index.js +23 -0
  176. package/lib/assess/spdy/sinks/xss.js +84 -0
  177. package/lib/assess/static/hardcoded.js +1 -1
  178. package/lib/assess/technologies/index.js +3 -2
  179. package/lib/assess/utils.js +1 -1
  180. package/lib/cli-rewriter/index.js +1 -1
  181. package/lib/constants.js +3 -2
  182. package/lib/contrast.js +7 -7
  183. package/lib/core/arch-components/dynamodb.js +1 -1
  184. package/lib/core/arch-components/dynamodbv3.js +1 -1
  185. package/lib/core/arch-components/index.js +2 -1
  186. package/lib/core/arch-components/mongodb.js +23 -19
  187. package/lib/core/arch-components/mysql.js +1 -1
  188. package/lib/core/arch-components/postgres.js +22 -4
  189. package/lib/core/arch-components/rethinkdb.js +1 -1
  190. package/lib/core/arch-components/sqlite3.js +4 -6
  191. package/lib/core/async-storage/context.js +1 -1
  192. package/lib/core/async-storage/hooks/bluebird.js +1 -1
  193. package/lib/core/async-storage/hooks/mongodb-core.js +1 -1
  194. package/lib/core/async-storage/hooks/mysql.js +1 -1
  195. package/lib/core/async-storage/hooks/redis.js +1 -1
  196. package/lib/core/async-storage/hooks/utils.js +1 -1
  197. package/lib/core/async-storage/index.js +1 -1
  198. package/lib/core/async-storage/scopes/index.js +1 -1
  199. package/lib/core/common/formidable.js +1 -1
  200. package/lib/core/common/index.js +1 -1
  201. package/lib/core/config/options.js +38 -2
  202. package/lib/core/config/util.js +1 -1
  203. package/lib/core/exclusions/exclusion-factory.js +1 -1
  204. package/lib/core/exclusions/exclusion.js +3 -6
  205. package/lib/core/exclusions/input.js +1 -1
  206. package/lib/core/exclusions/url.js +1 -1
  207. package/lib/core/express/index.js +29 -3
  208. package/lib/core/express/utils.js +9 -4
  209. package/lib/core/fastify/index.js +3 -2
  210. package/lib/core/fastify/utils.js +1 -1
  211. package/lib/core/hapi/index.js +3 -2
  212. package/lib/core/hapi/utils.js +1 -1
  213. package/lib/core/index.js +1 -1
  214. package/lib/core/koa/index.js +10 -2
  215. package/lib/core/koa/utils.js +1 -1
  216. package/lib/core/logger/daily-rotate-file.js +1 -1
  217. package/lib/core/logger/dataflow-monitor.js +1 -1
  218. package/lib/core/logger/debug-logger.js +1 -1
  219. package/lib/core/logger/index.js +1 -1
  220. package/lib/core/logger/perf-logger.js +1 -1
  221. package/lib/core/logger/umbrella-logger.js +1 -1
  222. package/lib/core/loopback4/index.js +1 -1
  223. package/lib/core/metrics/index.js +1 -1
  224. package/lib/core/restify/index.js +1 -1
  225. package/lib/core/restify/utils.js +1 -1
  226. package/lib/core/rewrite/assignment-expression.js +1 -1
  227. package/lib/core/rewrite/binary-expression.js +1 -1
  228. package/lib/core/rewrite/call-expression.js +1 -1
  229. package/lib/core/rewrite/callees.js +17 -1
  230. package/lib/core/rewrite/catch-clause.js +1 -1
  231. package/lib/core/rewrite/function-wrap.js +1 -1
  232. package/lib/core/rewrite/import-declaration.js +71 -0
  233. package/lib/core/rewrite/index.js +10 -8
  234. package/lib/core/rewrite/injections.js +6 -2
  235. package/lib/core/rewrite/is-contrast-method.js +1 -1
  236. package/lib/core/rewrite/log.js +1 -1
  237. package/lib/core/rewrite/member-expression.js +1 -1
  238. package/lib/core/rewrite/object-property.js +1 -1
  239. package/lib/core/rewrite/prepend-globals.js +1 -1
  240. package/lib/core/rewrite/rewrite-log.js +1 -1
  241. package/lib/core/rewrite/switch-statement.js +1 -1
  242. package/lib/core/rewrite/template-literal.js +1 -1
  243. package/lib/core/stacktrace.js +1 -1
  244. package/lib/coverage.js +1 -1
  245. package/lib/feature-set.js +1 -1
  246. package/lib/generator-function.js +1 -1
  247. package/lib/hooks/array.js +1 -1
  248. package/lib/hooks/cluster.js +1 -1
  249. package/lib/hooks/dataflow-monitor.js +1 -1
  250. package/lib/hooks/encoding.js +1 -1
  251. package/lib/hooks/express-fileupload.js +1 -1
  252. package/lib/hooks/express-session.js +1 -1
  253. package/lib/hooks/fn-to-string.js +1 -1
  254. package/lib/hooks/frameworks/base.js +1 -1
  255. package/lib/hooks/frameworks/common.js +1 -1
  256. package/lib/hooks/frameworks/hapi16.js +1 -1
  257. package/lib/hooks/frameworks/http.js +1 -1
  258. package/lib/hooks/frameworks/http2.js +1 -1
  259. package/lib/hooks/frameworks/index.js +3 -1
  260. package/lib/hooks/frameworks/spdy.js +87 -0
  261. package/lib/hooks/hapi-16-reply.js +1 -1
  262. package/lib/hooks/hapi-16-session.js +1 -1
  263. package/lib/hooks/http.js +12 -1
  264. package/lib/hooks/module/extensions.js +1 -1
  265. package/lib/hooks/module/helpers.js +1 -1
  266. package/lib/hooks/module/index.js +1 -1
  267. package/lib/hooks/newrelic.js +1 -1
  268. package/lib/hooks/object-is.js +1 -1
  269. package/lib/hooks/object-to-primitive.js +1 -1
  270. package/lib/hooks/patcher.js +1 -1
  271. package/lib/hooks/require.js +1 -1
  272. package/lib/hooks/stealthy-require.js +1 -1
  273. package/lib/instrumentation.js +1 -1
  274. package/lib/libraries.js +1 -1
  275. package/lib/library-usage.js +1 -1
  276. package/lib/list-installed.js +1 -1
  277. package/lib/protect/analysis/aho-corasick.js +1 -1
  278. package/lib/protect/analysis/dfsa-analyzer.js +1 -1
  279. package/lib/protect/errors/handler.js +1 -1
  280. package/lib/protect/errors/security-exception.js +1 -1
  281. package/lib/protect/express/index.js +1 -1
  282. package/lib/protect/express/sinks.js +1 -1
  283. package/lib/protect/express/sources.js +1 -1
  284. package/lib/protect/fastify/index.js +1 -1
  285. package/lib/protect/fastify/sinks.js +1 -1
  286. package/lib/protect/fastify/sources.js +1 -1
  287. package/lib/protect/hapi/error-handler.js +1 -1
  288. package/lib/protect/hapi/index.js +1 -1
  289. package/lib/protect/hapi/sinks.js +1 -1
  290. package/lib/protect/hapi/sources.js +1 -1
  291. package/lib/protect/index.js +1 -1
  292. package/lib/protect/input-analysis.js +1 -1
  293. package/lib/protect/koa/index.js +1 -1
  294. package/lib/protect/koa/sinks.js +1 -1
  295. package/lib/protect/koa/sources.js +1 -1
  296. package/lib/protect/listeners.js +1 -1
  297. package/lib/protect/loopback4/index.js +1 -1
  298. package/lib/protect/loopback4/sources.js +1 -1
  299. package/lib/protect/models/application-context.js +1 -1
  300. package/lib/protect/models/sink-event.js +1 -1
  301. package/lib/protect/models/source-event.js +1 -1
  302. package/lib/protect/restify/index.js +1 -1
  303. package/lib/protect/restify/sinks.js +1 -1
  304. package/lib/protect/restify/sources.js +36 -1
  305. package/lib/protect/rules/assessment.js +1 -1
  306. package/lib/protect/rules/attack-patterns.js +1 -1
  307. package/lib/protect/rules/base-scanner/index.js +1 -1
  308. package/lib/protect/rules/base-scanner/java-script-scanner.js +1 -1
  309. package/lib/protect/rules/base-scanner/postgresqlscanner.js +1 -1
  310. package/lib/protect/rules/base-scanner/scan-state.js +1 -1
  311. package/lib/protect/rules/base-scanner/substring-finder.js +1 -1
  312. package/lib/protect/rules/base-scanner/token-sequence.js +1 -1
  313. package/lib/protect/rules/bot-blocker/bot-blocker-rule.js +1 -1
  314. package/lib/protect/rules/bot-blocker/index.js +1 -1
  315. package/lib/protect/rules/cmd-injection/cmdinjection-rule.js +1 -1
  316. package/lib/protect/rules/cmd-injection-command-backdoors/backdoor-detector.js +1 -1
  317. package/lib/protect/rules/cmd-injection-command-backdoors/cmd-injection-command-backdoors-rule.js +1 -1
  318. package/lib/protect/rules/cmd-injection-semantic-chained-commands/chained-command-scanner.js +1 -1
  319. package/lib/protect/rules/cmd-injection-semantic-chained-commands/cmd-injection-semantic-chained-commands-rule.js +1 -1
  320. package/lib/protect/rules/cmd-injection-semantic-dangerous-paths/cmd-injection-semantic-dangerous-paths-rule.js +1 -1
  321. package/lib/protect/rules/cmd-injection-semantic-dangerous-paths/dangerous-paths-scanner.js +1 -1
  322. package/lib/protect/rules/common.js +1 -1
  323. package/lib/protect/rules/index.js +1 -1
  324. package/lib/protect/rules/ip-denylist/ip-denylist-rule.js +1 -1
  325. package/lib/protect/rules/method-tampering/evaluator.js +1 -1
  326. package/lib/protect/rules/method-tampering/method-tampering-rule.js +1 -1
  327. package/lib/protect/rules/nosqli/nosql-injection-rule.js +31 -17
  328. package/lib/protect/rules/nosqli/nosql-scanner/index.js +2 -2
  329. package/lib/protect/rules/nosqli/nosql-scanner/mongodbscanner.js +1 -1
  330. package/lib/protect/rules/nosqli/nosql-scanner/rethinkdbscanner.js +26 -0
  331. package/lib/protect/rules/path-traversal/path-traversal-rule.js +1 -1
  332. package/lib/protect/rules/rule-factory.js +1 -1
  333. package/lib/protect/rules/signatures/cmd-injection/custom-searchers/chained-command-searcher.js +1 -1
  334. package/lib/protect/rules/signatures/cmd-injection/custom-searchers/index.js +1 -1
  335. package/lib/protect/rules/signatures/cmd-injection/index.js +1 -1
  336. package/lib/protect/rules/signatures/evaluator.js +1 -1
  337. package/lib/protect/rules/signatures/index.js +1 -1
  338. package/lib/protect/rules/signatures/nosql-injection/custom-searchers/index.js +1 -1
  339. package/lib/protect/rules/signatures/nosql-injection/custom-searchers/nosql-comment-searcher.js +1 -1
  340. package/lib/protect/rules/signatures/nosql-injection/custom-searchers/simple-or-searcher.js +1 -1
  341. package/lib/protect/rules/signatures/nosql-injection/index.js +1 -1
  342. package/lib/protect/rules/signatures/path-traversal/index.js +1 -1
  343. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/behavior-url-searcher.js +1 -1
  344. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/function-definition-searcher.js +1 -1
  345. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/immediate-function-searcher.js +1 -1
  346. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/index.js +1 -1
  347. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/link-and-src-target-searcher.js +1 -1
  348. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/location-set-searcher.js +1 -1
  349. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/map-access-searcher.js +1 -1
  350. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/native-function-execution-searcher.js +1 -1
  351. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/no-alnum-searcher.js +1 -1
  352. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/redefined-function-searcher.js +1 -1
  353. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/style-url-injection-searcher.js +1 -1
  354. package/lib/protect/rules/signatures/reflected-xss/custom-searchers/variable-assignment-searcher.js +1 -1
  355. package/lib/protect/rules/signatures/reflected-xss/helpers/function-call.js +1 -1
  356. package/lib/protect/rules/signatures/reflected-xss/index.js +1 -1
  357. package/lib/protect/rules/signatures/signature.js +1 -1
  358. package/lib/protect/rules/signatures/sql-injection/custom-searchers/if-else-drop-searcher.js +1 -1
  359. package/lib/protect/rules/signatures/sql-injection/custom-searchers/index.js +1 -1
  360. package/lib/protect/rules/signatures/sql-injection/custom-searchers/simple-or-searcher.js +1 -1
  361. package/lib/protect/rules/signatures/sql-injection/custom-searchers/sql-comment-searcher.js +1 -1
  362. package/lib/protect/rules/signatures/sql-injection/custom-searchers/time-function-searcher.js +1 -1
  363. package/lib/protect/rules/signatures/sql-injection/custom-searchers/tsql-exec-searcher.js +1 -1
  364. package/lib/protect/rules/signatures/sql-injection/index.js +1 -1
  365. package/lib/protect/rules/signatures/ssjs-injection/index.js +1 -1
  366. package/lib/protect/rules/signatures/unsafe-file-upload/index.js +1 -1
  367. package/lib/protect/rules/signatures/untrusted-deserialization/index.js +1 -1
  368. package/lib/protect/rules/sqli/generic-complicated.js +1 -1
  369. package/lib/protect/rules/sqli/sql-injection-rule.js +1 -1
  370. package/lib/protect/rules/sqli/sql-scanner/index.js +1 -1
  371. package/lib/protect/rules/sqli/sql-scanner/mysql-scanner.js +1 -1
  372. package/lib/protect/rules/ssjs-injection/evaluator.js +1 -1
  373. package/lib/protect/rules/ssjs-injection/ssjsinjection-rule.js +1 -1
  374. package/lib/protect/rules/unsafe-file-upload/unsafe-file-upload-rule.js +1 -1
  375. package/lib/protect/rules/untrusted-deserialization/untrusted-deserialization-rule.js +1 -1
  376. package/lib/protect/rules/virtual-patch/index.js +1 -1
  377. package/lib/protect/rules/virtual-patch/utils.js +1 -1
  378. package/lib/protect/rules/virtual-patch/virtual-patch-rule.js +1 -1
  379. package/lib/protect/rules/xss/helpers/function-call.js +1 -1
  380. package/lib/protect/rules/xss/reflected-xss-rule.js +1 -1
  381. package/lib/protect/rules/xxe/xxerule.js +1 -1
  382. package/lib/protect/sample-aggregator.js +1 -1
  383. package/lib/protect/samples.js +1 -1
  384. package/lib/protect/service.js +1 -1
  385. package/lib/protect/sinks/child-process.js +1 -1
  386. package/lib/protect/sinks/eval.js +1 -1
  387. package/lib/protect/sinks/fs.js +1 -1
  388. package/lib/protect/sinks/function.js +1 -1
  389. package/lib/protect/sinks/index.js +3 -1
  390. package/lib/protect/sinks/libxmljs.js +1 -1
  391. package/lib/protect/sinks/mongodb.js +2 -4
  392. package/lib/protect/sinks/mysql.js +1 -1
  393. package/lib/protect/sinks/node-serialize.js +1 -1
  394. package/lib/protect/sinks/postgres.js +1 -1
  395. package/lib/protect/sinks/rethinkdb.js +47 -0
  396. package/lib/protect/sinks/sequelize.js +1 -1
  397. package/lib/protect/sinks/sqlite3.js +1 -1
  398. package/lib/protect/sinks/vm.js +1 -1
  399. package/lib/protect/sources/busboy.js +1 -1
  400. package/lib/protect/sources/formidable.js +1 -1
  401. package/lib/protect/sources/index.js +1 -1
  402. package/lib/protect/validators/authorization.js +1 -1
  403. package/lib/protect/validators/common.js +1 -1
  404. package/lib/protect/validators/connection.js +1 -1
  405. package/lib/protect/validators/content-length.js +1 -1
  406. package/lib/protect/validators/host.js +1 -1
  407. package/lib/protect/validators/if-none-match.js +1 -1
  408. package/lib/protect/validators/index.js +1 -1
  409. package/lib/protect/validators/origin.js +1 -1
  410. package/lib/reporter/app-activity-queue.js +1 -1
  411. package/lib/reporter/grpc-client.js +1 -1
  412. package/lib/reporter/messages/speedracer/activity.js +1 -1
  413. package/lib/reporter/messages/speedracer/application-create.js +1 -1
  414. package/lib/reporter/messages/speedracer/application-update.js +1 -1
  415. package/lib/reporter/messages/speedracer/base.js +1 -1
  416. package/lib/reporter/messages/speedracer/index.js +1 -1
  417. package/lib/reporter/messages/speedracer/observed-route.js +1 -1
  418. package/lib/reporter/messages/speedracer/poll.js +1 -1
  419. package/lib/reporter/messages/speedracer/request.js +1 -1
  420. package/lib/reporter/messages/speedracer/startup.js +1 -1
  421. package/lib/reporter/messaging-router.js +1 -1
  422. package/lib/reporter/models/app-activity/app-activity.js +1 -1
  423. package/lib/reporter/models/app-activity/attacker-activity.js +1 -1
  424. package/lib/reporter/models/app-activity/defend.js +1 -1
  425. package/lib/reporter/models/app-activity/inventory.js +1 -1
  426. package/lib/reporter/models/app-activity/protection-rule-activity.js +1 -1
  427. package/lib/reporter/models/app-activity/rule-events.js +1 -1
  428. package/lib/reporter/models/app-activity/sample.js +1 -1
  429. package/lib/reporter/models/app-activity/source.js +1 -1
  430. package/lib/reporter/models/app-activity/user-input.js +1 -1
  431. package/lib/reporter/models/app-create.js +1 -1
  432. package/lib/reporter/models/app-update/index.js +1 -1
  433. package/lib/reporter/models/app-update/library-manifest.js +1 -1
  434. package/lib/reporter/models/app-update/library-usage.js +1 -1
  435. package/lib/reporter/models/app-update/library.js +1 -1
  436. package/lib/reporter/models/event-tag.js +1 -1
  437. package/lib/reporter/models/finding/event.js +1 -1
  438. package/lib/reporter/models/finding/finding.js +1 -1
  439. package/lib/reporter/models/frameworks/express-request.js +1 -1
  440. package/lib/reporter/models/frameworks/fastify-request.js +1 -1
  441. package/lib/reporter/models/frameworks/hapi-request.js +1 -1
  442. package/lib/reporter/models/frameworks/index.js +1 -1
  443. package/lib/reporter/models/frameworks/koa-request.js +1 -1
  444. package/lib/reporter/models/frameworks/restify-request.js +1 -1
  445. package/lib/reporter/models/observed-route.js +1 -1
  446. package/lib/reporter/models/request.js +1 -1
  447. package/lib/reporter/models/route-coverage.js +1 -1
  448. package/lib/reporter/models/startup.js +1 -1
  449. package/lib/reporter/models/trace-event-source.js +1 -1
  450. package/lib/reporter/models/utils/request-factory.js +1 -1
  451. package/lib/reporter/models/utils/user-input-factory.js +1 -1
  452. package/lib/reporter/models/utils/user-input-kit.js +1 -1
  453. package/lib/reporter/mq-client.js +1 -1
  454. package/lib/reporter/server-activity-queue.js +1 -1
  455. package/lib/reporter/socket-client.js +1 -1
  456. package/lib/reporter/speedracer/base-connection-state.js +1 -1
  457. package/lib/reporter/speedracer/constants.js +1 -1
  458. package/lib/reporter/speedracer/failure-connection-state.js +1 -1
  459. package/lib/reporter/speedracer/index.js +1 -1
  460. package/lib/reporter/speedracer/success-connection-state.js +1 -1
  461. package/lib/reporter/speedracer/unknown-connection-state.js +1 -1
  462. package/lib/reporter/translations/enums.js +1 -1
  463. package/lib/reporter/translations/helpers.js +1 -1
  464. package/lib/reporter/translations/to-protobuf/dtm/activity.js +1 -1
  465. package/lib/reporter/translations/to-protobuf/dtm/address.js +1 -1
  466. package/lib/reporter/translations/to-protobuf/dtm/agent-startup.js +1 -1
  467. package/lib/reporter/translations/to-protobuf/dtm/application-create.js +1 -1
  468. package/lib/reporter/translations/to-protobuf/dtm/application-update.js +1 -1
  469. package/lib/reporter/translations/to-protobuf/dtm/architecture-component.js +1 -1
  470. package/lib/reporter/translations/to-protobuf/dtm/attack-result.js +1 -1
  471. package/lib/reporter/translations/to-protobuf/dtm/bot-blocker-details.js +1 -1
  472. package/lib/reporter/translations/to-protobuf/dtm/cmd-injection-details.js +1 -1
  473. package/lib/reporter/translations/to-protobuf/dtm/cmd-injection-semantic-analysis-details.js +1 -1
  474. package/lib/reporter/translations/to-protobuf/dtm/finding.js +1 -1
  475. package/lib/reporter/translations/to-protobuf/dtm/http-method-tampering-details.js +1 -1
  476. package/lib/reporter/translations/to-protobuf/dtm/http-request.js +1 -1
  477. package/lib/reporter/translations/to-protobuf/dtm/index.js +1 -1
  478. package/lib/reporter/translations/to-protobuf/dtm/ip-denylist-details.js +1 -1
  479. package/lib/reporter/translations/to-protobuf/dtm/library-usage-update.js +1 -1
  480. package/lib/reporter/translations/to-protobuf/dtm/no-sql-injection-details.js +1 -1
  481. package/lib/reporter/translations/to-protobuf/dtm/observed-route.js +1 -1
  482. package/lib/reporter/translations/to-protobuf/dtm/pair.js +1 -1
  483. package/lib/reporter/translations/to-protobuf/dtm/path-traversal-details.js +1 -1
  484. package/lib/reporter/translations/to-protobuf/dtm/poll.js +1 -1
  485. package/lib/reporter/translations/to-protobuf/dtm/rasp-rule-sample.js +1 -1
  486. package/lib/reporter/translations/to-protobuf/dtm/raw-request.js +1 -1
  487. package/lib/reporter/translations/to-protobuf/dtm/route-coverage.js +1 -1
  488. package/lib/reporter/translations/to-protobuf/dtm/simple-pair.js +1 -1
  489. package/lib/reporter/translations/to-protobuf/dtm/sql-injection-details.js +1 -1
  490. package/lib/reporter/translations/to-protobuf/dtm/ssjs-injection-details.js +1 -1
  491. package/lib/reporter/translations/to-protobuf/dtm/stack-trace-element.js +1 -1
  492. package/lib/reporter/translations/to-protobuf/dtm/trace-event/action.js +1 -1
  493. package/lib/reporter/translations/to-protobuf/dtm/trace-event/index.js +5 -5
  494. package/lib/reporter/translations/to-protobuf/dtm/trace-event/parent-object-id.js +1 -1
  495. package/lib/reporter/translations/to-protobuf/dtm/trace-event/trace-event-object.js +1 -1
  496. package/lib/reporter/translations/to-protobuf/dtm/trace-event/trace-event-signature.js +1 -1
  497. package/lib/reporter/translations/to-protobuf/dtm/trace-event/trace-event-source.js +1 -1
  498. package/lib/reporter/translations/to-protobuf/dtm/trace-event/trace-stack.js +1 -1
  499. package/lib/reporter/translations/to-protobuf/dtm/trace-event/trace-taint-range.js +1 -1
  500. package/lib/reporter/translations/to-protobuf/dtm/trace-event/type.js +1 -1
  501. package/lib/reporter/translations/to-protobuf/dtm/untrusted-deserialization-details.js +1 -1
  502. package/lib/reporter/translations/to-protobuf/dtm/user-input.js +1 -1
  503. package/lib/reporter/translations/to-protobuf/dtm/virtual-patch-details.js +1 -1
  504. package/lib/reporter/translations/to-protobuf/dtm/xss-details.js +1 -1
  505. package/lib/reporter/translations/to-protobuf/dtm/xxe-details.js +1 -1
  506. package/lib/reporter/translations/to-protobuf/index.js +1 -1
  507. package/lib/reporter/translations/to-protobuf/settings/application-settings.js +1 -1
  508. package/lib/reporter/translations/to-protobuf/settings/assess-features.js +1 -1
  509. package/lib/reporter/translations/to-protobuf/settings/auth.js +1 -1
  510. package/lib/reporter/translations/to-protobuf/settings/bot-blocker.js +1 -1
  511. package/lib/reporter/translations/to-protobuf/settings/custom-rule-feature.js +1 -1
  512. package/lib/reporter/translations/to-protobuf/settings/defend-features.js +1 -1
  513. package/lib/reporter/translations/to-protobuf/settings/exclusions.js +1 -1
  514. package/lib/reporter/translations/to-protobuf/settings/index.js +1 -1
  515. package/lib/reporter/translations/to-protobuf/settings/input-analysis-result.js +1 -1
  516. package/lib/reporter/translations/to-protobuf/settings/inventory-features.js +1 -1
  517. package/lib/reporter/translations/to-protobuf/settings/ip-filter.js +1 -1
  518. package/lib/reporter/translations/to-protobuf/settings/log-enhancer.js +1 -1
  519. package/lib/reporter/translations/to-protobuf/settings/protection-rule.js +1 -1
  520. package/lib/reporter/translations/to-protobuf/settings/reaction.js +1 -1
  521. package/lib/reporter/translations/to-protobuf/settings/rule-definition.js +1 -1
  522. package/lib/reporter/translations/to-protobuf/settings/sampling.js +1 -1
  523. package/lib/reporter/translations/to-protobuf/settings/server-features.js +1 -1
  524. package/lib/reporter/translations/to-protobuf/settings/syslog.js +1 -1
  525. package/lib/reporter/translations/to-protobuf/settings/virtual-patch.js +1 -1
  526. package/lib/reporter/ts-reporter.js +1 -1
  527. package/lib/tracker.js +1 -1
  528. package/lib/util/base64.js +1 -1
  529. package/lib/util/bitset.js +1 -1
  530. package/lib/util/block-request.js +1 -1
  531. package/lib/util/callback-resolver.js +1 -1
  532. package/lib/util/clean-stack.js +1 -1
  533. package/lib/util/clean-string/brackets.js +1 -1
  534. package/lib/util/clean-string/clean-string-base.js +1 -1
  535. package/lib/util/clean-string/comments.js +1 -1
  536. package/lib/util/clean-string/concatenations.js +1 -1
  537. package/lib/util/clean-string/jsclean-string.js +1 -1
  538. package/lib/util/clean-string/placeholders.js +1 -1
  539. package/lib/util/clean-string/util.js +1 -1
  540. package/lib/util/colors.js +1 -1
  541. package/lib/util/file-finder.js +1 -1
  542. package/lib/util/heap-dump.js +1 -1
  543. package/lib/util/html-util.js +1 -1
  544. package/lib/util/ip-analyzer.js +1 -1
  545. package/lib/util/is-agent-path.js +1 -1
  546. package/lib/util/is-contrast-error.js +1 -1
  547. package/lib/util/is-piped-to-dev.js +1 -1
  548. package/lib/util/is-string.js +1 -1
  549. package/lib/util/partial.js +1 -1
  550. package/lib/util/pkg-name.js +1 -1
  551. package/lib/util/request-util.js +1 -1
  552. package/lib/util/resolve-obj.js +1 -1
  553. package/lib/util/route-info.js +1 -1
  554. package/lib/util/some.js +1 -1
  555. package/lib/util/source-map.js +4 -4
  556. package/lib/util/static-rules.js +1 -1
  557. package/lib/util/trace-util.js +1 -1
  558. package/lib/util/traverse.js +1 -1
  559. package/lib/util/user-input-evaluator.js +1 -1
  560. package/lib/util/xml-analyzer/external-entity-finder.js +1 -1
  561. package/package.json +18 -12
  562. package/perf-logs.js +1 -1
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -33,7 +33,7 @@ const {
33
33
 
34
34
  const EVENTS = {
35
35
  REQUEST_READY: 'Express.RequestReady',
36
- BODY_PARSED: 'Express.cookiesParsed',
36
+ BODY_PARSED: 'Express.bodyParsed',
37
37
  COOKIES_PARSED: 'Express.cookiesParsed',
38
38
  PARAMS_PARSED: 'Express.paramsParsed',
39
39
  REQUEST_SEND: 'Express.requestSend',
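Review bot: With the corrected value, `EVENTS.BODY_PARSED` and `EVENTS.COOKIES_PARSED` no longer resolve to the same string, so any listener that was subscribed to `Express.cookiesParsed` (directly or through `EVENTS.BODY_PARSED`) and actually relied on body-parsed events will stop receiving them; the emit and subscribe sites for that literal are worth auditing alongside this rename. I would record the history on the line itself, `// distinct from COOKIES_PARSED; the two previously shared one event name`, so the next reader does not reintroduce the collision. The EVENTS object continues outside the hunk.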
@@ -246,7 +246,9 @@ const captureSignature = (layer, signature) => {
246
246
  const normalizeSignatureArg = (arg) => {
247
247
  // we weave in middleware for express that is prefixed with Contrast
248
248
  // remove this from signature
249
- if (typeof arg === 'function' && arg.name.startsWith('Contrast')) {
249
+ if (arg === '') {
250
+ return null;
251
+ } else if (typeof arg === 'function' && arg.name.startsWith('Contrast')) {
250
252
  return null;
251
253
  } else if (typeof arg === 'function') {
252
254
  return getHandlerName(arg);
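Review bot: The new `arg === ''` branch exists to absorb the `''` default that the next hunk (updateRouterSignatures) now passes for a missing `stack[0].handle`, but neither site says so, so the empty-string sentinel reads as arbitrary; a comment on the branch, `// '' is the placeholder updateRouterSignatures passes when a route has no stack[0].handle`, would tie the two together. If the remaining branches of this function tolerate a nullish argument, leaving the `_.get` default out and checking `arg == null` here would avoid the sentinel entirely, since this path already returns `null`. normalizeSignatureArg's body continues outside the hunk.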
@@ -313,8 +315,11 @@ const updateRouterSignatures = (self, router, path) => {
313
315
  return;
314
316
  }
315
317
  const routePath = _.get(route, 'path', '');
316
- const routeHandle = _.get(route, 'stack[0].handle');
318
+ const routeHandle = _.get(route, 'stack[0].handle', '');
317
319
  const routeMethod = _.get(route, 'stack[0].method');
320
+ if (!routeMethod) {
321
+ return;
322
+ }
318
323
  const newSignature = createSignature(self, 'Router', routeMethod, [
319
324
  path,
320
325
  routePath,
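Review bot: The added `if (!routeMethod) { return; }` silently drops the route from signature reporting, so a layer whose `stack[0]` carries no `method` disappears from route coverage with no trace. If a logger is available in this module (I cannot see its requires from the hunk), a debug-level message naming `routePath` before the return would make such gaps diagnosable; at minimum a comment, `// no method on stack[0]: nothing to report for this route`, should state that the drop is intentional. The enclosing function starts and ends outside the hunk.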
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -154,7 +154,8 @@ class FastifyCore {
154
154
  agentEmitter.emit(constants.EVENTS.PRE_VALIDATION, ...data);
155
155
  decorateRequest({
156
156
  body: request.body,
157
- parameters: request.params
157
+ parameters: request.params,
158
+ query: request.query
158
159
  });
159
160
  done();
160
161
  }
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -173,7 +173,8 @@ class HapiCore {
173
173
  decorateRequest({
174
174
  normalizedUri: get(request, 'route.path'),
175
175
  body: request.payload,
176
- parameters: request.params
176
+ parameters: request.params,
177
+ query: request.query
177
178
  });
178
179
  return h.continue;
179
180
  });
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
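--- a/package/lib/core/index.js
+++ b/package/lib/core/index.js
@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
 Contact: support@contrastsecurity.com
 License: Commercial
 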
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -216,13 +216,21 @@ class KoaCore {
216
216
  */
217
217
  registerRequestHandler(ctx) {
218
218
  ctx.req.request = ctx.request;
219
+ const { query } = ctx.request;
219
220
  ctx.request = new Proxy(ctx.request, {
220
221
  set(...args) {
221
222
  const [obj, prop] = args;
222
223
  const result = Reflect.set(...args);
224
+ if (query) {
225
+ decorateRequest({
226
+ query
227
+ });
228
+ }
223
229
  switch (prop) {
224
230
  case 'body':
225
- decorateRequest({ body: obj[prop] });
231
+ decorateRequest({
232
+ body: obj[prop]
233
+ });
226
234
  agentEmitter.emit(constants.EVENTS.CTX_REQUEST_BODY, {
227
235
  request: obj,
228
236
  ctx
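Review bot: `decorateRequest({ query })` is placed inside the Proxy's `set` trap, so it runs again on every assignment to any property of `ctx.request`, with a `query` value captured once before the proxy was created; the call uses neither `prop` nor `obj`, so it belongs outside the trap, immediately after `const { query } = ctx.request;` and before `ctx.request = new Proxy(...)`, as `if (query) { decorateRequest({ query }); }`. If Koa's `request.query` getter returns `{}` for an empty query string, as I believe it does, the `if (query)` guard is always true and can be dropped. registerRequestHandler's body continues outside the hunk.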
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -67,6 +67,22 @@ const specs = [
67
67
  token: 'eval',
68
68
  modes: { assess: true, protect: true }
69
69
  },
70
+ // Import Declaration
71
+ {
72
+ name: '__importDefault',
73
+ type: 'ImportDefaultSpecifier',
74
+ modes: { assess: true, protect: true }
75
+ },
76
+ {
77
+ name: '__importNamespace',
78
+ type: 'ImportNamespaceSpecifier',
79
+ modes: { assess: true, protect: true }
80
+ },
81
+ {
82
+ name: '__import',
83
+ type: 'ImportSpecifier',
84
+ modes: { assess: true, protect: true }
85
+ },
70
86
  // Member Expression
71
87
  {
72
88
  name: '__forceCopy',
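Review bot: The three import specs are enabled with `modes: { assess: true, protect: true }`, but the injected `__importDefault`, `__importNamespace` and `__import` methods added later in this diff (the ContrastMethods hunk, marked `// TODO: NODE-2020`) are empty functions, so every rewritten ES module gains one no-op call per import specifier in both modes until that work lands. Either gate the specs off until the callees do something, or add a comment such as `// emitted calls are currently no-ops; see NODE-2020` beside them so the rewrite cost is a deliberate choice. The same note applies to the ContrastMethods hunk.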
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -0,0 +1,71 @@
1
+ /**
2
+ Copyright: 2022 Contrast Security, Inc
3
+ Contact: support@contrastsecurity.com
4
+ License: Commercial
5
+
6
+ NOTICE: This Software and the patented inventions embodied within may only be
7
+ used as part of Contrast Security’s commercial offerings. Even though it is
8
+ made available through public repositories, use of this Software is subject to
9
+ the applicable End User Licensing Agreement found at
10
+ https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
11
+ between Contrast Security and the End User. The Software may not be reverse
12
+ engineered, modified, repackaged, sold, redistributed or otherwise used in a
13
+ way not consistent with the End User License Agreement.
14
+ */
15
+ 'use strict';
16
+
17
+ const t = require('@babel/types');
18
+ const _ = require('lodash');
19
+
20
+ const IMPORT_META_URL_MEMBER_EXPRESSION = t.memberExpression(
21
+ t.memberExpression(t.identifier('import'), t.identifier('meta')),
22
+ t.identifier('url')
23
+ );
24
+
25
+ /**
26
+ * Appends calls to our own instrumentable import methods, providing access to
27
+ * the imported modules.
28
+ * ```
29
+ * import x from 'mod';
30
+ * // becomes:
31
+ * import x from 'mod';
32
+ * ContrastMethods.__importDefault(x, 'mod', import.meta.url);
33
+ *
34
+ * import * as x from 'mod';
35
+ * // becomes:
36
+ * import x from 'mod';
37
+ * ContrastMethods.__importNamespace(x, 'mod', import.meta.url);
38
+ *
39
+ * import { foo, bar as baz } from 'mod';;
40
+ * // becomes
41
+ * ContrastMethods.__import(foo, 'foo', 'mod', import.meta.url);
42
+ * ContrastMethods.__import(baz, 'bar', 'mod', import.meta.url);
43
+ * ```
44
+ * @param {import('@babel/traverse').NodePath<import('@babel/types').ImportDeclaration>} path
45
+ * @param {import('.').State} state
46
+ */
47
+ module.exports = function ImportDeclaration(path, state) {
48
+ const { source, specifiers } = path.node;
49
+
50
+ path.insertAfter(
51
+ specifiers.map((importSpec) => {
52
+ const spec = _.find(state.specs, { type: importSpec.type });
53
+ if (!spec || !state.callees[spec.name]) return;
54
+
55
+ const args = [importSpec.local];
56
+
57
+ if (t.isImportSpecifier(importSpec)) {
58
+ args.push(
59
+ t.isIdentifier(importSpec.imported)
60
+ ? t.stringLiteral(importSpec.imported.name)
61
+ : importSpec.imported
62
+ );
63
+ }
64
+
65
+ args.push(source);
66
+ args.push(IMPORT_META_URL_MEMBER_EXPRESSION);
67
+
68
+ return t.callExpression(state.callees[spec.name], args);
69
+ })
70
+ );
71
+ };
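Review bot: The array handed to `path.insertAfter` keeps an `undefined` entry for every specifier that has no matching spec or callee (the bare `return;` in the map callback), and Babel's insertion helpers expect AST nodes, so a single unmatched specifier is likely to throw or corrupt the program body; drop the holes before inserting, e.g. `path.insertAfter(_.compact(specifiers.map((importSpec) => { … })));`. `IMPORT_META_URL_MEMBER_EXPRESSION` models `import.meta` as a `memberExpression` on an identifier named `import`, whereas the canonical Babel node is `t.metaProperty(t.identifier('import'), t.identifier('meta'))`; the generator prints both the same way, but the single shared node object is also reused verbatim in every inserted call, and Babel recommends `t.cloneNode` when one node is placed in a tree more than once. In the doc comment, the namespace example's "becomes" line should read `import * as x from 'mod';`, and the named-import example has a doubled `;;`.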
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -18,23 +18,24 @@ const { default: generate } = require('@babel/generator');
18
18
  const { parse } = require('@babel/parser');
19
19
  const { default: traverse } = require('@babel/traverse');
20
20
 
21
+ const RewriteDeadzones = require('../../assess/deadzones/rewrite');
22
+ const { util: sourceMapUtility } = require('../../util/source-map');
21
23
  const Scopes = require('../async-storage/scopes');
22
24
  const logger = require('../logger')('contrast:rewrite');
23
- const RewriteDeadzones = require('../../assess/deadzones/rewrite');
24
- const logRewrite = require('./log');
25
- const RewriteLog = require('./rewrite-log');
26
- const isContrastMethod = require('./is-contrast-method');
27
- const functionWrap = require('./function-wrap');
28
- const prependGlobals = require('./prepend-globals');
29
25
  const AssignmentExpression = require('./assignment-expression');
30
26
  const BinaryExpression = require('./binary-expression');
31
27
  const CallExpression = require('./call-expression');
32
28
  const CatchClause = require('./catch-clause');
29
+ const functionWrap = require('./function-wrap');
30
+ const ImportDeclaration = require('./import-declaration');
31
+ const isContrastMethod = require('./is-contrast-method');
32
+ const logRewrite = require('./log');
33
33
  const MemberExpression = require('./member-expression');
34
34
  const ObjectProperty = require('./object-property');
35
+ const prependGlobals = require('./prepend-globals');
36
+ const RewriteLog = require('./rewrite-log');
35
37
  const SwitchStatement = require('./switch-statement');
36
38
  const TemplateLiteral = require('./template-literal');
37
- const sourceMapUtility = require('../../util/source-map').util;
38
39
 
39
40
  /**
40
41
  * @typedef {Object} State
@@ -105,6 +106,7 @@ class Rewriter {
105
106
  BinaryExpression,
106
107
  CallExpression,
107
108
  CatchClause,
109
+ ImportDeclaration,
108
110
  MemberExpression,
109
111
  ObjectProperty,
110
112
  SwitchStatement,
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -100,7 +100,11 @@ const ContrastMethods = new Injection(null, 'ContrastMethods', {
100
100
  },
101
101
  __contrastEval: function __contrastEval(str) {
102
102
  return str;
103
- }
103
+ },
104
+ // TODO: NODE-2020
105
+ __importDefault(mod, source, url) {},
106
+ __importNamespace(mod, source, url) {},
107
+ __import(mod, spec, source, url) {}
104
108
  });
105
109
 
106
110
  ContrastMethods.enable();
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
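--- a/package/lib/coverage.js
+++ b/package/lib/coverage.js
@@ -1,5 +1,5 @@
 /**
-Copyright: 2021 Contrast Security, Inc
+Copyright: 2022 Contrast Security, Inc
 Contact: support@contrastsecurity.com
 License: Commercial
 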
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -1,5 +1,5 @@
1
1
  /**
2
- Copyright: 2021 Contrast Security, Inc
2
+ Copyright: 2022 Contrast Security, Inc
3
3
  Contact: support@contrastsecurity.com
4
4
  License: Commercial
5
5
 
@@ -16,6 +16,7 @@ Copyright: 2021 Contrast Security, Inc
16
16
 
17
17
  const Http = require('./http');
18
18
  const Http2 = require('./http2');
19
+ const Spdy = require('./spdy');
19
20
  const Hapi16 = require('./hapi16');
20
21
 
21
22
  module.exports = function(agent) {
@@ -23,5 +24,6 @@ module.exports = function(agent) {
23
24
  new Http(agent);
24
25
  new Http(agent, 'https');
25
26
  new Http2(agent);
27
+ new Spdy(agent);
26
28
  new Hapi16(agent);
27
29
  };